Changeset View
Changeset View
Standalone View
Standalone View
sys/netpfil/pf/pf_ioctl.c
| Show First 20 Lines • Show All 1,551 Lines • ▼ Show 20 Lines | pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule) | ||||
| bcopy(&krule->divert, &rule->divert, sizeof(krule->divert)); | bcopy(&krule->divert, &rule->divert, sizeof(krule->divert)); | ||||
| rule->u_states_cur = counter_u64_fetch(krule->states_cur); | rule->u_states_cur = counter_u64_fetch(krule->states_cur); | ||||
| rule->u_states_tot = counter_u64_fetch(krule->states_tot); | rule->u_states_tot = counter_u64_fetch(krule->states_tot); | ||||
| rule->u_src_nodes = counter_u64_fetch(krule->src_nodes); | rule->u_src_nodes = counter_u64_fetch(krule->src_nodes); | ||||
| } | } | ||||
| static void | static int | ||||
| pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule) | pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule) | ||||
| { | { | ||||
| #ifndef INET | |||||
| if (rule->af == AF_INET) { | |||||
| return (EAFNOSUPPORT); | |||||
| } | |||||
| #endif /* INET */ | |||||
| #ifndef INET6 | |||||
| if (rule->af == AF_INET6) { | |||||
| return (EAFNOSUPPORT); | |||||
| } | |||||
| #endif /* INET6 */ | |||||
donner: I'd reverse this logic.
#ifdef INET
if (rule->af == AF_INET) ;
else… | |||||
Done Inline ActionsEven more clever approach switch (rule->af) {
#ifdef INET
case AF_INET: break;
#endif
#ifdef INET6
case AF_INET6: break;
#endif
default: return (EAFNOSUPPORT);
}donner: Even more clever approach
switch (rule->af) {
#ifdef INET
case AF_INET: break… | |||||
Done Inline ActionsI like the suggestion, but it turns out not to work. We don't always specify an address family (i.e. rule->af can be 0) kp: I like the suggestion, but it turns out not to work. We don't always specify an address family… | |||||
| if (rule->src.addr.type != PF_ADDR_ADDRMASK && | |||||
| rule->src.addr.type != PF_ADDR_DYNIFTL && | |||||
| rule->src.addr.type != PF_ADDR_TABLE) { | |||||
| return (EINVAL); | |||||
| } | |||||
| if (rule->src.addr.p.dyn != NULL) { | |||||
| return (EINVAL); | |||||
| } | |||||
| if (rule->dst.addr.type != PF_ADDR_ADDRMASK && | |||||
| rule->dst.addr.type != PF_ADDR_DYNIFTL && | |||||
| rule->dst.addr.type != PF_ADDR_TABLE) { | |||||
| return (EINVAL); | |||||
| } | |||||
| if (rule->dst.addr.p.dyn != NULL) { | |||||
| return (EINVAL); | |||||
| } | |||||
| bzero(krule, sizeof(*krule)); | bzero(krule, sizeof(*krule)); | ||||
| bcopy(&rule->src, &krule->src, sizeof(rule->src)); | bcopy(&rule->src, &krule->src, sizeof(rule->src)); | ||||
| bcopy(&rule->dst, &krule->dst, sizeof(rule->dst)); | bcopy(&rule->dst, &krule->dst, sizeof(rule->dst)); | ||||
| strlcpy(krule->label, rule->label, sizeof(rule->label)); | strlcpy(krule->label, rule->label, sizeof(rule->label)); | ||||
| strlcpy(krule->ifname, rule->ifname, sizeof(rule->ifname)); | strlcpy(krule->ifname, rule->ifname, sizeof(rule->ifname)); | ||||
| strlcpy(krule->qname, rule->qname, sizeof(rule->qname)); | strlcpy(krule->qname, rule->qname, sizeof(rule->qname)); | ||||
| ▲ Show 20 Lines • Show All 64 Lines • ▼ Show 20 Lines | #endif /* INET6 */ | ||||
| krule->anchor_wildcard = rule->anchor_wildcard; | krule->anchor_wildcard = rule->anchor_wildcard; | ||||
| krule->flush = rule->flush; | krule->flush = rule->flush; | ||||
| krule->prio = rule->prio; | krule->prio = rule->prio; | ||||
| krule->set_prio[0] = rule->set_prio[0]; | krule->set_prio[0] = rule->set_prio[0]; | ||||
| krule->set_prio[1] = rule->set_prio[1]; | krule->set_prio[1] = rule->set_prio[1]; | ||||
| bcopy(&rule->divert, &krule->divert, sizeof(krule->divert)); | bcopy(&rule->divert, &krule->divert, sizeof(krule->divert)); | ||||
| return (0); | |||||
| } | } | ||||
| static int | static int | ||||
| pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td) | pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td) | ||||
| { | { | ||||
| int error = 0; | int error = 0; | ||||
| PF_RULES_RLOCK_TRACKER; | PF_RULES_RLOCK_TRACKER; | ||||
| ▲ Show 20 Lines • Show All 158 Lines • ▼ Show 20 Lines | case DIOCADDRULE: { | ||||
| struct pf_kpooladdr *pa; | struct pf_kpooladdr *pa; | ||||
| struct pfi_kkif *kif = NULL; | struct pfi_kkif *kif = NULL; | ||||
| int rs_num; | int rs_num; | ||||
| if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { | if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { | ||||
| error = EINVAL; | error = EINVAL; | ||||
| break; | break; | ||||
| } | } | ||||
| if (pr->rule.src.addr.p.dyn != NULL || | |||||
| pr->rule.dst.addr.p.dyn != NULL) { | rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK); | ||||
| error = EINVAL; | error = pf_rule_to_krule(&pr->rule, rule); | ||||
| if (error != 0) { | |||||
| free(rule, M_PFRULE); | |||||
| break; | break; | ||||
| } | } | ||||
| #ifndef INET | |||||
| if (pr->rule.af == AF_INET) { | |||||
| error = EAFNOSUPPORT; | |||||
| break; | |||||
| } | |||||
| #endif /* INET */ | |||||
| #ifndef INET6 | |||||
| if (pr->rule.af == AF_INET6) { | |||||
| error = EAFNOSUPPORT; | |||||
| break; | |||||
| } | |||||
| #endif /* INET6 */ | |||||
| rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK); | |||||
| pf_rule_to_krule(&pr->rule, rule); | |||||
| if (rule->ifname[0]) | if (rule->ifname[0]) | ||||
| kif = pf_kkif_create(M_WAITOK); | kif = pf_kkif_create(M_WAITOK); | ||||
| rule->evaluations = counter_u64_alloc(M_WAITOK); | rule->evaluations = counter_u64_alloc(M_WAITOK); | ||||
| for (int i = 0; i < 2; i++) { | for (int i = 0; i < 2; i++) { | ||||
| rule->packets[i] = counter_u64_alloc(M_WAITOK); | rule->packets[i] = counter_u64_alloc(M_WAITOK); | ||||
| rule->bytes[i] = counter_u64_alloc(M_WAITOK); | rule->bytes[i] = counter_u64_alloc(M_WAITOK); | ||||
| } | } | ||||
| rule->states_cur = counter_u64_alloc(M_WAITOK); | rule->states_cur = counter_u64_alloc(M_WAITOK); | ||||
| ▲ Show 20 Lines • Show All 238 Lines • ▼ Show 20 Lines | if (pcr->action < PF_CHANGE_ADD_HEAD || | ||||
| break; | break; | ||||
| } | } | ||||
| if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { | if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { | ||||
| error = EINVAL; | error = EINVAL; | ||||
| break; | break; | ||||
| } | } | ||||
| if (pcr->action != PF_CHANGE_REMOVE) { | if (pcr->action != PF_CHANGE_REMOVE) { | ||||
| #ifndef INET | newrule = malloc(sizeof(*newrule), M_PFRULE, M_WAITOK); | ||||
| if (pcr->rule.af == AF_INET) { | error = pf_rule_to_krule(&pcr->rule, newrule); | ||||
| error = EAFNOSUPPORT; | if (error != 0) { | ||||
| free(newrule, M_PFRULE); | |||||
| break; | break; | ||||
| } | } | ||||
| #endif /* INET */ | |||||
| #ifndef INET6 | |||||
| if (pcr->rule.af == AF_INET6) { | |||||
| error = EAFNOSUPPORT; | |||||
| break; | |||||
| } | |||||
| #endif /* INET6 */ | |||||
| newrule = malloc(sizeof(*newrule), M_PFRULE, M_WAITOK); | |||||
| pf_rule_to_krule(&pcr->rule, newrule); | |||||
| if (newrule->ifname[0]) | if (newrule->ifname[0]) | ||||
| kif = pf_kkif_create(M_WAITOK); | kif = pf_kkif_create(M_WAITOK); | ||||
| newrule->evaluations = counter_u64_alloc(M_WAITOK); | newrule->evaluations = counter_u64_alloc(M_WAITOK); | ||||
| for (int i = 0; i < 2; i++) { | for (int i = 0; i < 2; i++) { | ||||
| newrule->packets[i] = | newrule->packets[i] = | ||||
| counter_u64_alloc(M_WAITOK); | counter_u64_alloc(M_WAITOK); | ||||
| newrule->bytes[i] = | newrule->bytes[i] = | ||||
| ▲ Show 20 Lines • Show All 2,682 Lines • Show Last 20 Lines | |||||
I'd reverse this logic.
#ifdef INET if (rule->af == AF_INET) ; else #endif #ifdef INET6 if (rule->af == AF_INET6) ; else #endif return (EAFNOSUPPORT);So each family only tests it's own positive case. And all other families fail automatically.
But your approach has the charm, that it does not generate any code, if all families are supported.