Page MenuHomeFreeBSD
Differential D27707 Diff 81706 sys/netpfil/pf/pf_ioctl.c

Changeset View

Standalone View

View Options

sys/netpfil/pf/pf_ioctl.c

Show First 20 LinesShow All 110 Lines▼ Show 20 Lines
static int pf_rollback_rules(u_int32_t, int, char *); static int pf_rollback_rules(u_int32_t, int, char *);
static int pf_setup_pfsync_matching(struct pf_ruleset *); static int pf_setup_pfsync_matching(struct pf_ruleset *);
static void pf_hash_rule(MD5_CTX *, struct pf_rule *); static void pf_hash_rule(MD5_CTX *, struct pf_rule *);
static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *); static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
static int pf_commit_rules(u_int32_t, int, char *); static int pf_commit_rules(u_int32_t, int, char *);
static int pf_addr_setup(struct pf_ruleset *, static int pf_addr_setup(struct pf_ruleset *,
struct pf_addr_wrap *, sa_family_t); struct pf_addr_wrap *, sa_family_t);
static void pf_addr_copyout(struct pf_addr_wrap *); static void pf_addr_copyout(struct pf_addr_wrap *);
static void pf_src_node_copy(const struct pf_ksrc_node *,
struct pf_src_node *);
#ifdef ALTQ #ifdef ALTQ
static int pf_export_kaltq(struct pf_altq *, static int pf_export_kaltq(struct pf_altq *,
struct pfioc_altq_v1 *, size_t); struct pfioc_altq_v1 *, size_t);
static int pf_import_kaltq(struct pfioc_altq_v1 *, static int pf_import_kaltq(struct pfioc_altq_v1 *,
struct pf_altq *, size_t); struct pf_altq *, size_t);
#endif /* ALTQ */ #endif /* ALTQ */
VNET_DEFINE(struct pf_rule, pf_default_rule); VNET_DEFINE(struct pf_rule, pf_default_rule);
▲ Show 20 LinesShow All 59 Lines▼ Show 20 Lines
struct cdev *pf_dev; struct cdev *pf_dev;
/* /*
* XXX - These are new and need to be checked when moveing to a new version * XXX - These are new and need to be checked when moveing to a new version
*/ */
static void pf_clear_states(void); static void pf_clear_states(void);
static int pf_clear_tables(void); static int pf_clear_tables(void);
static void pf_clear_srcnodes(struct pf_src_node *); static void pf_clear_srcnodes(struct pf_ksrc_node *);
static void pf_kill_srcnodes(struct pfioc_src_node_kill *); static void pf_kill_srcnodes(struct pfioc_src_node_kill *);
static void pf_tbladdr_copyout(struct pf_addr_wrap *); static void pf_tbladdr_copyout(struct pf_addr_wrap *);
/* /*
* Wrapper functions for pfil(9) hooks * Wrapper functions for pfil(9) hooks
*/ */
#ifdef INET #ifdef INET
static pfil_return_t pf_check_in(struct mbuf **m, struct ifnet *ifp, static pfil_return_t pf_check_in(struct mbuf **m, struct ifnet *ifp,
▲ Show 20 LinesShow All 938 Lines▼ Show 20 Lines case PF_ADDR_DYNIFTL:
pfi_dynaddr_copyout(addr); pfi_dynaddr_copyout(addr);
break; break;
case PF_ADDR_TABLE: case PF_ADDR_TABLE:
pf_tbladdr_copyout(addr); pf_tbladdr_copyout(addr);
break; break;
} }
} }
static void
pf_src_node_copy(const struct pf_ksrc_node *in, struct pf_src_node *out)
{
int secs = time_uptime, diff;
bzero(out, sizeof(struct pf_src_node));
bcopy(&in->addr, &out->addr, sizeof(struct pf_addr));
bcopy(&in->raddr, &out->raddr, sizeof(struct pf_addr));
if (in->rule.ptr != NULL)
out->rule.nr = in->rule.ptr->nr;
bcopy(&in->bytes, &out->bytes, sizeof(u_int64_t) * 2);
bcopy(&in->packets, &out->packets, sizeof(u_int64_t) * 2);
out->states = in->states;
out->conn = in->conn;
out->af = in->af;
out->ruletype = in->ruletype;
out->creation = secs - in->creation;
if (out->expire > secs)
out->expire -= secs;
else
out->expire = 0;
/* Adjust the connection rate estimate. */
diff = secs - in->conn_rate.last;
if (diff >= in->conn_rate.seconds)
out->conn_rate.count = 0;
else
out->conn_rate.count -=
in->conn_rate.count * diff /
in->conn_rate.seconds;
}
#ifdef ALTQ #ifdef ALTQ
/* /*
* Handle export of struct pf_kaltq to user binaries that may be using any * Handle export of struct pf_kaltq to user binaries that may be using any
* version of struct pf_altq. * version of struct pf_altq.
*/ */
static int static int
pf_export_kaltq(struct pf_altq *q, struct pfioc_altq_v1 *pa, size_t ioc_size) pf_export_kaltq(struct pf_altq *q, struct pfioc_altq_v1 *pa, size_t ioc_size)
{ {
▲ Show 20 LinesShow All 2,603 Lines▼ Show 20 Lines#endif /* ALTQ */
PF_RULES_WUNLOCK(); PF_RULES_WUNLOCK();
free(ioes, M_TEMP); free(ioes, M_TEMP);
break; break;
} }
case DIOCGETSRCNODES: { case DIOCGETSRCNODES: {
struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr; struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr;
struct pf_srchash *sh; struct pf_srchash *sh;
struct pf_src_node *n, *p, *pstore; struct pf_ksrc_node *n;
struct pf_src_node *p, *pstore;
uint32_t i, nr = 0; uint32_t i, nr = 0;
for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
i++, sh++) { i++, sh++) {
PF_HASHROW_LOCK(sh); PF_HASHROW_LOCK(sh);
LIST_FOREACH(n, &sh->nodes, entry) LIST_FOREACH(n, &sh->nodes, entry)
nr++; nr++;
PF_HASHROW_UNLOCK(sh); PF_HASHROW_UNLOCK(sh);
Show All 9 Lines case DIOCGETSRCNODES: {
nr = 0; nr = 0;
p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK | M_ZERO); p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK | M_ZERO);
for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
i++, sh++) { i++, sh++) {
PF_HASHROW_LOCK(sh); PF_HASHROW_LOCK(sh);
LIST_FOREACH(n, &sh->nodes, entry) { LIST_FOREACH(n, &sh->nodes, entry) {
int secs = time_uptime, diff;
if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len) if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len)
break; break;
bcopy(n, p, sizeof(struct pf_src_node)); pf_src_node_copy(n, p);
if (n->rule.ptr != NULL)
p->rule.nr = n->rule.ptr->nr;
p->creation = secs - p->creation;
if (p->expire > secs)
p->expire -= secs;
else
p->expire = 0;
/* Adjust the connection rate estimate. */
diff = secs - n->conn_rate.last;
if (diff >= n->conn_rate.seconds)
p->conn_rate.count = 0;
else
p->conn_rate.count -=
n->conn_rate.count * diff /
n->conn_rate.seconds;
p++; p++;
nr++; nr++;
} }
PF_HASHROW_UNLOCK(sh); PF_HASHROW_UNLOCK(sh);
} }
error = copyout(pstore, psn->psn_src_nodes, error = copyout(pstore, psn->psn_src_nodes,
sizeof(struct pf_src_node) * nr); sizeof(struct pf_src_node) * nr);
if (error) { if (error) {
▲ Show 20 LinesShow All 208 Lines▼ Show 20 Linespf_clear_tables(void)
error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel, error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel,
io.pfrio_flags); io.pfrio_flags);
return (error); return (error);
} }
static void static void
pf_clear_srcnodes(struct pf_src_node *n) pf_clear_srcnodes(struct pf_ksrc_node *n)
{ {
struct pf_state *s; struct pf_state *s;
int i; int i;
for (i = 0; i <= pf_hashmask; i++) { for (i = 0; i <= pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i]; struct pf_idhash *ih = &V_pf_idhash[i];
PF_HASHROW_LOCK(ih); PF_HASHROW_LOCK(ih);
Show All 23 Lines if (n == NULL) {
n->expire = 1; n->expire = 1;
n->states = 0; n->states = 0;
} }
} }
static void static void
pf_kill_srcnodes(struct pfioc_src_node_kill *psnk) pf_kill_srcnodes(struct pfioc_src_node_kill *psnk)
{ {
struct pf_src_node_list kill; struct pf_ksrc_node_list kill;
LIST_INIT(&kill); LIST_INIT(&kill);
for (int i = 0; i <= pf_srchashmask; i++) { for (int i = 0; i <= pf_srchashmask; i++) {
struct pf_srchash *sh = &V_pf_srchash[i]; struct pf_srchash *sh = &V_pf_srchash[i];
struct pf_src_node *sn, *tmp; struct pf_ksrc_node *sn, *tmp;
PF_HASHROW_LOCK(sh); PF_HASHROW_LOCK(sh);
LIST_FOREACH_SAFE(sn, &sh->nodes, entry, tmp) LIST_FOREACH_SAFE(sn, &sh->nodes, entry, tmp)
if (PF_MATCHA(psnk->psnk_src.neg, if (PF_MATCHA(psnk->psnk_src.neg,
&psnk->psnk_src.addr.v.a.addr, &psnk->psnk_src.addr.v.a.addr,
&psnk->psnk_src.addr.v.a.mask, &psnk->psnk_src.addr.v.a.mask,
&sn->addr, sn->af) && &sn->addr, sn->af) &&
PF_MATCHA(psnk->psnk_dst.neg, PF_MATCHA(psnk->psnk_dst.neg,
▲ Show 20 LinesShow All 434 LinesShow Last 20 Lines