git: e055cd8e7a2c - stable/12 - libpfctl: Switch to pfctl_rule
Kristof Provost
kp at FreeBSD.org
Fri May 7 15:25:50 UTC 2021
The branch stable/12 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=e055cd8e7a2c6ba5a96ec095290ad4893bb38f88
commit e055cd8e7a2c6ba5a96ec095290ad4893bb38f88
Author: Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-04-08 08:31:46 +0000
Commit: Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-05-07 08:16:01 +0000
libpfctl: Switch to pfctl_rule
Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644
(cherry picked from commit e9eb09414a8de8f3329f51b48c90a5e5ac8f09cf)
---
contrib/pf/ftp-proxy/filter.c | 100 +++++++++++----------
contrib/pf/tftp-proxy/filter.c | 90 ++++++++++---------
lib/libpfctl/libpfctl.c | 10 +--
lib/libpfctl/libpfctl.h | 143 +++++++++++++++++++++++++++++-
sbin/pfctl/parse.y | 52 +++++------
sbin/pfctl/pf_ruleset.c | 63 ++++++-------
sbin/pfctl/pfctl.c | 91 ++++++++++---------
sbin/pfctl/pfctl.h | 14 +--
sbin/pfctl/pfctl_optimize.c | 82 ++++++++---------
sbin/pfctl/pfctl_parser.c | 2 +-
sbin/pfctl/pfctl_parser.h | 14 +--
usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c | 17 ++--
12 files changed, 416 insertions(+), 262 deletions(-)
diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c
index db3735565dac..dad6324808bc 100644
--- a/contrib/pf/ftp-proxy/filter.c
+++ b/contrib/pf/ftp-proxy/filter.c
@@ -50,7 +50,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
struct sockaddr_in6 *);
static struct pfioc_pooladdr pfp;
-static struct pfioc_rule pfr;
+static struct pfctl_rule pfrule;
+static char pfanchor[PF_ANCHOR_NAME_SIZE];
+static char pfanchor_call[PF_ANCHOR_NAME_SIZE];
+static uint32_t pfticket;
+static uint32_t pfpool_ticket;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
@@ -68,9 +72,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1)
return (-1);
- pfr.rule.direction = dir;
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ pfrule.direction = dir;
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
return (0);
@@ -99,14 +103,14 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
&satosin6(nat)->sin6_addr.s6_addr, 16);
memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
}
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
- pfr.rule.rpool.proxy_port[0] = nat_range_low;
- pfr.rule.rpool.proxy_port[1] = nat_range_high;
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ pfrule.rpool.proxy_port[0] = nat_range_low;
+ pfrule.rpool.proxy_port[1] = nat_range_high;
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
return (0);
@@ -134,13 +138,13 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
&satosin6(rdr)->sin6_addr.s6_addr, 16);
memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
}
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
- pfr.rule.rpool.proxy_port[0] = rdr_port;
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ pfrule.rpool.proxy_port[0] = rdr_port;
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
return (0);
@@ -237,21 +241,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
memset(&pfp, 0, sizeof pfp);
- memset(&pfr, 0, sizeof pfr);
+ memset(&pfrule, 0, sizeof pfrule);
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
getpid(), id);
strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
- strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
+ strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE);
switch (rs_num) {
case PF_RULESET_FILTER:
- pfr.ticket = pfte[TRANS_FILTER].ticket;
+ pfticket = pfte[TRANS_FILTER].ticket;
break;
case PF_RULESET_NAT:
- pfr.ticket = pfte[TRANS_NAT].ticket;
+ pfticket = pfte[TRANS_NAT].ticket;
break;
case PF_RULESET_RDR:
- pfr.ticket = pfte[TRANS_RDR].ticket;
+ pfticket = pfte[TRANS_RDR].ticket;
break;
default:
errno = EINVAL;
@@ -259,30 +263,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
return (-1);
- pfr.pool_ticket = pfp.ticket;
+ pfpool_ticket = pfp.ticket;
/* Generic for all rule types. */
- pfr.rule.af = src->sa_family;
- pfr.rule.proto = IPPROTO_TCP;
- pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
- pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
+ pfrule.af = src->sa_family;
+ pfrule.proto = IPPROTO_TCP;
+ pfrule.src.addr.type = PF_ADDR_ADDRMASK;
+ pfrule.dst.addr.type = PF_ADDR_ADDRMASK;
if (src->sa_family == AF_INET) {
- memcpy(&pfr.rule.src.addr.v.a.addr.v4,
+ memcpy(&pfrule.src.addr.v.a.addr.v4,
&satosin(src)->sin_addr.s_addr, 4);
- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
- memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4);
+ memcpy(&pfrule.dst.addr.v.a.addr.v4,
&satosin(dst)->sin_addr.s_addr, 4);
- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4);
} else {
- memcpy(&pfr.rule.src.addr.v.a.addr.v6,
+ memcpy(&pfrule.src.addr.v.a.addr.v6,
&satosin6(src)->sin6_addr.s6_addr, 16);
- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
- memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16);
+ memcpy(&pfrule.dst.addr.v.a.addr.v6,
&satosin6(dst)->sin6_addr.s6_addr, 16);
- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16);
}
- pfr.rule.dst.port_op = PF_OP_EQ;
- pfr.rule.dst.port[0] = htons(d_port);
+ pfrule.dst.port_op = PF_OP_EQ;
+ pfrule.dst.port[0] = htons(d_port);
switch (rs_num) {
case PF_RULESET_FILTER:
@@ -291,32 +295,32 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
* from $src to $dst port = $d_port flags S/SA keep state
* (max 1) [queue qname] [tag tagname]
*/
- pfr.rule.action = PF_PASS;
- pfr.rule.quick = 1;
- pfr.rule.log = rule_log;
- pfr.rule.keep_state = 1;
- pfr.rule.flags = TH_SYN;
- pfr.rule.flagset = (TH_SYN|TH_ACK);
- pfr.rule.max_states = 1;
+ pfrule.action = PF_PASS;
+ pfrule.quick = 1;
+ pfrule.log = rule_log;
+ pfrule.keep_state = 1;
+ pfrule.flags = TH_SYN;
+ pfrule.flagset = (TH_SYN|TH_ACK);
+ pfrule.max_states = 1;
if (qname != NULL)
- strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
+ strlcpy(pfrule.qname, qname, sizeof pfrule.qname);
if (tagname != NULL) {
- pfr.rule.quick = 0;
- strlcpy(pfr.rule.tagname, tagname,
- sizeof pfr.rule.tagname);
+ pfrule.quick = 0;
+ strlcpy(pfrule.tagname, tagname,
+ sizeof pfrule.tagname);
}
break;
case PF_RULESET_NAT:
/*
* nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
*/
- pfr.rule.action = PF_NAT;
+ pfrule.action = PF_NAT;
break;
case PF_RULESET_RDR:
/*
* rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
*/
- pfr.rule.action = PF_RDR;
+ pfrule.action = PF_RDR;
break;
default:
errno = EINVAL;
diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c
index 0b87d568809f..1689d3465fd3 100644
--- a/contrib/pf/tftp-proxy/filter.c
+++ b/contrib/pf/tftp-proxy/filter.c
@@ -54,7 +54,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
struct sockaddr_in6 *, u_int8_t);
static struct pfioc_pooladdr pfp;
-static struct pfioc_rule pfr;
+static struct pfctl_rule pfrule;
+static uint32_t pfticket;
+static uint32_t pfpool_ticket;
+static char pfanchor[PF_ANCHOR_NAME_SIZE];
+static char pfanchor_call[PF_ANCHOR_NAME_SIZE];
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
@@ -72,9 +76,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1)
return (-1);
- pfr.rule.direction = dir;
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ pfrule.direction = dir;
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
return (0);
@@ -106,10 +110,10 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
return (-1);
- pfr.rule.rpool.proxy_port[0] = nat_range_low;
- pfr.rule.rpool.proxy_port[1] = nat_range_high;
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ pfrule.rpool.proxy_port[0] = nat_range_low;
+ pfrule.rpool.proxy_port[1] = nat_range_high;
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
return (0);
@@ -140,9 +144,9 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
return (-1);
- pfr.rule.rpool.proxy_port[0] = rdr_port;
- if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
- pfr.ticket, pfr.pool_ticket))
+ pfrule.rpool.proxy_port[0] = rdr_port;
+ if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ pfticket, pfpool_ticket))
return (-1);
return (0);
@@ -244,21 +248,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
memset(&pfp, 0, sizeof pfp);
- memset(&pfr, 0, sizeof pfr);
+ memset(&pfrule, 0, sizeof pfrule);
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
getpid(), id);
strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
- strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
+ strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE);
switch (rs_num) {
case PF_RULESET_FILTER:
- pfr.ticket = pfte[TRANS_FILTER].ticket;
+ pfticket = pfte[TRANS_FILTER].ticket;
break;
case PF_RULESET_NAT:
- pfr.ticket = pfte[TRANS_NAT].ticket;
+ pfticket = pfte[TRANS_NAT].ticket;
break;
case PF_RULESET_RDR:
- pfr.ticket = pfte[TRANS_RDR].ticket;
+ pfticket = pfte[TRANS_RDR].ticket;
break;
default:
errno = EINVAL;
@@ -266,30 +270,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
return (-1);
- pfr.pool_ticket = pfp.ticket;
+ pfpool_ticket = pfp.ticket;
/* Generic for all rule types. */
- pfr.rule.af = src->sa_family;
- pfr.rule.proto = proto;
- pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
- pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
+ pfrule.af = src->sa_family;
+ pfrule.proto = proto;
+ pfrule.src.addr.type = PF_ADDR_ADDRMASK;
+ pfrule.dst.addr.type = PF_ADDR_ADDRMASK;
if (src->sa_family == AF_INET) {
- memcpy(&pfr.rule.src.addr.v.a.addr.v4,
+ memcpy(&pfrule.src.addr.v.a.addr.v4,
&satosin(src)->sin_addr.s_addr, 4);
- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
- memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4);
+ memcpy(&pfrule.dst.addr.v.a.addr.v4,
&satosin(dst)->sin_addr.s_addr, 4);
- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4);
} else {
- memcpy(&pfr.rule.src.addr.v.a.addr.v6,
+ memcpy(&pfrule.src.addr.v.a.addr.v6,
&satosin6(src)->sin6_addr.s6_addr, 16);
- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
- memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16);
+ memcpy(&pfrule.dst.addr.v.a.addr.v6,
&satosin6(dst)->sin6_addr.s6_addr, 16);
- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16);
}
- pfr.rule.dst.port_op = PF_OP_EQ;
- pfr.rule.dst.port[0] = htons(d_port);
+ pfrule.dst.port_op = PF_OP_EQ;
+ pfrule.dst.port[0] = htons(d_port);
switch (rs_num) {
case PF_RULESET_FILTER:
@@ -298,34 +302,34 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
* from $src to $dst port = $d_port flags S/SAFR keep state
* (max 1) [queue qname]
*/
- pfr.rule.action = PF_PASS;
- pfr.rule.quick = 1;
- pfr.rule.log = rule_log;
- pfr.rule.keep_state = 1;
+ pfrule.action = PF_PASS;
+ pfrule.quick = 1;
+ pfrule.log = rule_log;
+ pfrule.keep_state = 1;
#ifdef __FreeBSD__
- pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
- pfr.rule.flagset = (proto == IPPROTO_TCP ?
+ pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
+ pfrule.flagset = (proto == IPPROTO_TCP ?
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
#else
- pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
- pfr.rule.flagset = (proto == IPPROTO_TCP ?
+ pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
+ pfrule.flagset = (proto == IPPROTO_TCP ?
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
#endif
- pfr.rule.max_states = 1;
+ pfrule.max_states = 1;
if (qname != NULL)
- strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
+ strlcpy(pfrule.qname, qname, sizeof pfrule.qname);
break;
case PF_RULESET_NAT:
/*
* nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
*/
- pfr.rule.action = PF_NAT;
+ pfrule.action = PF_NAT;
break;
case PF_RULESET_RDR:
/*
* rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
*/
- pfr.rule.action = PF_RDR;
+ pfrule.action = PF_RDR;
break;
default:
errno = EINVAL;
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index e0d429112f5b..dc174d8d5b72 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -256,7 +256,7 @@ pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
static void
pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
- const struct pf_rule *r)
+ const struct pfctl_rule *r)
{
nvlist_t *nvl = nvlist_create(0);
@@ -267,14 +267,14 @@ pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
}
static void
-pf_nvdivert_to_divert(const nvlist_t *nvl, struct pf_rule *rule)
+pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule)
{
pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr);
rule->divert.port = nvlist_get_number(nvl, "port");
}
static void
-pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule)
+pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule)
{
const uint64_t *skip;
size_t skipcount;
@@ -373,7 +373,7 @@ pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule)
}
int
-pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
+pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket)
{
struct pfioc_nv nv;
@@ -482,7 +482,7 @@ pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
int
pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
- u_int32_t ruleset, struct pf_rule *rule, char *anchor_call)
+ u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
{
struct pfioc_nv nv;
nvlist_t *nvl;
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index 65ff2179f23d..996830619489 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -36,10 +36,147 @@
#include <netpfil/pf/pf.h>
+struct pfctl_anchor;
+
+struct pfctl_rule {
+ struct pf_rule_addr src;
+ struct pf_rule_addr dst;
+ union pf_rule_ptr skip[PF_SKIP_COUNT];
+ char label[PF_RULE_LABEL_SIZE];
+ char ifname[IFNAMSIZ];
+ char qname[PF_QNAME_SIZE];
+ char pqname[PF_QNAME_SIZE];
+ char tagname[PF_TAG_NAME_SIZE];
+ char match_tagname[PF_TAG_NAME_SIZE];
+
+ char overload_tblname[PF_TABLE_NAME_SIZE];
+
+ TAILQ_ENTRY(pfctl_rule) entries;
+ struct pf_pool rpool;
+
+ u_int64_t evaluations;
+ u_int64_t packets[2];
+ u_int64_t bytes[2];
+
+ struct pfi_kif *kif;
+ struct pfctl_anchor *anchor;
+ struct pfr_ktable *overload_tbl;
+
+ pf_osfp_t os_fingerprint;
+
+ int rtableid;
+ u_int32_t timeout[PFTM_MAX];
+ u_int32_t max_states;
+ u_int32_t max_src_nodes;
+ u_int32_t max_src_states;
+ u_int32_t max_src_conn;
+ struct {
+ u_int32_t limit;
+ u_int32_t seconds;
+ } max_src_conn_rate;
+ u_int32_t qid;
+ u_int32_t pqid;
+ u_int32_t nr;
+ u_int32_t prob;
+ uid_t cuid;
+ pid_t cpid;
+
+ counter_u64_t states_cur;
+ counter_u64_t states_tot;
+ counter_u64_t src_nodes;
+
+ u_int16_t return_icmp;
+ u_int16_t return_icmp6;
+ u_int16_t max_mss;
+ u_int16_t tag;
+ u_int16_t match_tag;
+ u_int16_t scrub_flags;
+
+ struct pf_rule_uid uid;
+ struct pf_rule_gid gid;
+
+ u_int32_t rule_flag;
+ u_int8_t action;
+ u_int8_t direction;
+ u_int8_t log;
+ u_int8_t logif;
+ u_int8_t quick;
+ u_int8_t ifnot;
+ u_int8_t match_tag_not;
+ u_int8_t natpass;
+
+ u_int8_t keep_state;
+ sa_family_t af;
+ u_int8_t proto;
+ u_int8_t type;
+ u_int8_t code;
+ u_int8_t flags;
+ u_int8_t flagset;
+ u_int8_t min_ttl;
+ u_int8_t allow_opts;
+ u_int8_t rt;
+ u_int8_t return_ttl;
+ u_int8_t tos;
+ u_int8_t set_tos;
+ u_int8_t anchor_relative;
+ u_int8_t anchor_wildcard;
+
+ u_int8_t flush;
+ u_int8_t prio;
+ u_int8_t set_prio[2];
+
+ struct {
+ struct pf_addr addr;
+ u_int16_t port;
+ } divert;
+
+ uint64_t u_states_cur;
+ uint64_t u_states_tot;
+ uint64_t u_src_nodes;
+};
+
+TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
+
+struct pfctl_ruleset {
+ struct {
+ struct pfctl_rulequeue queues[2];
+ struct {
+ struct pfctl_rulequeue *ptr;
+ struct pfctl_rule **ptr_array;
+ u_int32_t rcount;
+ u_int32_t ticket;
+ int open;
+ } active, inactive;
+ } rules[PF_RULESET_MAX];
+ struct pfctl_anchor *anchor;
+ u_int32_t tticket;
+ int tables;
+ int topen;
+};
+
+RB_HEAD(pfctl_anchor_global, pfctl_anchor);
+RB_HEAD(pfctl_anchor_node, pfctl_anchor);
+struct pfctl_anchor {
+ RB_ENTRY(pfctl_anchor) entry_global;
+ RB_ENTRY(pfctl_anchor) entry_node;
+ struct pfctl_anchor *parent;
+ struct pfctl_anchor_node children;
+ char name[PF_ANCHOR_NAME_SIZE];
+ char path[MAXPATHLEN];
+ struct pfctl_ruleset ruleset;
+ int refcnt; /* anchor rules */
+ int match; /* XXX: used for pfctl black magic */
+};
+RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
+ pf_anchor_compare);
+RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
+ pf_anchor_compare);
+
int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
- const char *anchor, u_int32_t ruleset, struct pf_rule *rule,
+ const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
char *anchor_call);
-int pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
- const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket);
+int pfctl_add_rule(int dev, const struct pfctl_rule *r,
+ const char *anchor, const char *anchor_call, u_int32_t ticket,
+ u_int32_t pool_ticket);
#endif
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 56c1f82e39a0..ff4eca03f4cf 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -317,10 +317,10 @@ static struct node_state_opt *keep_state_defaults = NULL;
int disallow_table(struct node_host *, const char *);
int disallow_urpf_failed(struct node_host *, const char *);
int disallow_alias(struct node_host *, const char *);
-int rule_consistent(struct pf_rule *, int);
-int filter_consistent(struct pf_rule *, int);
-int nat_consistent(struct pf_rule *);
-int rdr_consistent(struct pf_rule *);
+int rule_consistent(struct pfctl_rule *, int);
+int filter_consistent(struct pfctl_rule *, int);
+int nat_consistent(struct pfctl_rule *);
+int rdr_consistent(struct pfctl_rule *);
int process_tabledef(char *, struct table_opts *);
void expand_label_str(char *, size_t, const char *, const char *);
void expand_label_if(const char *, char *, size_t, const char *);
@@ -333,7 +333,7 @@ void expand_label_nr(const char *, char *, size_t);
void expand_label(char *, size_t, const char *, u_int8_t,
struct node_host *, struct node_port *, struct node_host *,
struct node_port *, u_int8_t);
-void expand_rule(struct pf_rule *, struct node_if *,
+void expand_rule(struct pfctl_rule *, struct node_if *,
struct node_host *, struct node_proto *, struct node_os *,
struct node_host *, struct node_port *, struct node_host *,
struct node_port *, struct node_uid *, struct node_gid *,
@@ -348,10 +348,10 @@ int expand_skip_interface(struct node_if *);
int check_rulestate(int);
int getservice(char *);
-int rule_label(struct pf_rule *, char *);
+int rule_label(struct pfctl_rule *, char *);
int rt_tableid_max(void);
-void mv_rules(struct pf_ruleset *, struct pf_ruleset *);
+void mv_rules(struct pfctl_ruleset *, struct pfctl_ruleset *);
void decide_address_family(struct node_host *, sa_family_t *);
void remove_invalid_hosts(struct node_host **, sa_family_t *);
int invalid_redirect(struct node_host *, sa_family_t);
@@ -780,7 +780,7 @@ pfa_anchorlist : /* empty */
pfa_anchor : '{'
{
char ta[PF_ANCHOR_NAME_SIZE];
- struct pf_ruleset *rs;
+ struct pfctl_ruleset *rs;
/* steping into a brace anchor */
pf->asd++;
@@ -806,7 +806,7 @@ pfa_anchor : '{'
anchorrule : ANCHOR anchorname dir quick interface af proto fromto
filter_opts pfa_anchor
{
- struct pf_rule r;
+ struct pfctl_rule r;
struct node_proto *proto;
if (check_rulestate(PFCTL_STATE_FILTER)) {
@@ -825,7 +825,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
memset(&r, 0, sizeof(r));
if (pf->astack[pf->asd + 1]) {
/* move inline rules into relative location */
- pf_anchor_setup(&r,
+ pfctl_anchor_setup(&r,
&pf->astack[pf->asd]->ruleset,
$2 ? $2 : pf->alast->name);
@@ -938,7 +938,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
pf->astack[pf->asd + 1] = NULL;
}
| NATANCHOR string interface af proto fromto rtable {
- struct pf_rule r;
+ struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT)) {
free($2);
@@ -959,7 +959,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
free($2);
}
| RDRANCHOR string interface af proto fromto rtable {
- struct pf_rule r;
+ struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT)) {
free($2);
@@ -1001,7 +1001,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
free($2);
}
| BINATANCHOR string interface af proto fromto rtable {
- struct pf_rule r;
+ struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT)) {
free($2);
@@ -1079,7 +1079,7 @@ scrubaction : no SCRUB {
scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
{
- struct pf_rule r;
+ struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_SCRUB))
YYERROR;
@@ -1239,7 +1239,7 @@ fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ }
;
antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
- struct pf_rule r;
+ struct pfctl_rule r;
struct node_host *h = NULL, *hh;
struct node_if *i, *j;
@@ -2014,7 +2014,7 @@ qassign_item : STRING {
pfrule : action dir logquick interface route af proto fromto
filter_opts
{
- struct pf_rule r;
+ struct pfctl_rule r;
struct node_state_opt *o;
struct node_proto *proto;
int srctrack = 0;
@@ -4063,7 +4063,7 @@ nataction : no NAT natpasslog {
natrule : nataction interface af proto fromto tag tagged rtable
redirpool pool_opts
{
- struct pf_rule r;
+ struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT))
YYERROR;
@@ -4222,7 +4222,7 @@ natrule : nataction interface af proto fromto tag tagged rtable
binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag
tagged rtable redirection
{
- struct pf_rule binat;
+ struct pfctl_rule binat;
struct pf_pooladdr *pa;
if (check_rulestate(PFCTL_STATE_NAT))
@@ -4607,7 +4607,7 @@ disallow_alias(struct node_host *h, const char *fmt)
}
int
-rule_consistent(struct pf_rule *r, int anchor_call)
+rule_consistent(struct pfctl_rule *r, int anchor_call)
{
int problems = 0;
@@ -4635,7 +4635,7 @@ rule_consistent(struct pf_rule *r, int anchor_call)
}
int
-filter_consistent(struct pf_rule *r, int anchor_call)
+filter_consistent(struct pfctl_rule *r, int anchor_call)
{
int problems = 0;
@@ -4698,13 +4698,13 @@ filter_consistent(struct pf_rule *r, int anchor_call)
}
int
-nat_consistent(struct pf_rule *r)
+nat_consistent(struct pfctl_rule *r)
{
return (0); /* yeah! */
}
int
-rdr_consistent(struct pf_rule *r)
+rdr_consistent(struct pfctl_rule *r)
{
int problems = 0;
@@ -5240,7 +5240,7 @@ expand_queue(struct pf_altq *a, struct node_if *interfaces,
}
void
-expand_rule(struct pf_rule *r,
+expand_rule(struct pfctl_rule *r,
struct node_if *interfaces, struct node_host *rpool_hosts,
struct node_proto *protos, struct node_os *src_oses,
struct node_host *src_hosts, struct node_port *src_ports,
@@ -6072,10 +6072,10 @@ symget(const char *nam)
}
void
-mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst)
+mv_rules(struct pfctl_ruleset *src, struct pfctl_ruleset *dst)
{
int i;
- struct pf_rule *r;
+ struct pfctl_rule *r;
for (i = 0; i < PF_RULESET_MAX; ++i) {
while ((r = TAILQ_FIRST(src->rules[i].active.ptr))
@@ -6206,7 +6206,7 @@ getservice(char *n)
}
int
-rule_label(struct pf_rule *r, char *s)
+rule_label(struct pfctl_rule *r, char *s)
{
if (s) {
if (strlcpy(r->label, s, sizeof(r->label)) >=
diff --git a/sbin/pfctl/pf_ruleset.c b/sbin/pfctl/pf_ruleset.c
index baac1deb4fa7..f5cddf481871 100644
--- a/sbin/pfctl/pf_ruleset.c
+++ b/sbin/pfctl/pf_ruleset.c
@@ -73,22 +73,23 @@ __FBSDID("$FreeBSD$");
#define DPFPRINTF(format, x...) ((void)0)
#endif /* PFDEBUG */
-struct pf_anchor_global pf_anchors;
-struct pf_anchor pf_main_anchor;
+struct pfctl_anchor_global pf_anchors;
+struct pfctl_anchor pf_main_anchor;
#undef V_pf_anchors
#define V_pf_anchors pf_anchors
#undef pf_main_ruleset
#define pf_main_ruleset pf_main_anchor.ruleset
-static __inline int pf_anchor_compare(struct pf_anchor *,
- struct pf_anchor *);
-static struct pf_anchor *pf_find_anchor(const char *);
+static __inline int pf_anchor_compare(struct pfctl_anchor *,
+ struct pfctl_anchor *);
+static struct pfctl_anchor *pf_find_anchor(const char *);
-RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
-RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
+RB_GENERATE(pfctl_anchor_global, pfctl_anchor, entry_global,
+ pf_anchor_compare);
+RB_GENERATE(pfctl_anchor_node, pfctl_anchor, entry_node, pf_anchor_compare);
static __inline int
-pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b)
+pf_anchor_compare(struct pfctl_anchor *a, struct pfctl_anchor *b)
{
int c = strcmp(a->path, b->path);
@@ -126,11 +127,11 @@ pf_get_ruleset_number(u_int8_t action)
}
void
-pf_init_ruleset(struct pf_ruleset *ruleset)
+pf_init_ruleset(struct pfctl_ruleset *ruleset)
{
int i;
- memset(ruleset, 0, sizeof(struct pf_ruleset));
+ memset(ruleset, 0, sizeof(struct pfctl_ruleset));
for (i = 0; i < PF_RULESET_MAX; i++) {
TAILQ_INIT(&ruleset->rules[i].queues[0]);
TAILQ_INIT(&ruleset->rules[i].queues[1]);
@@ -139,24 +140,24 @@ pf_init_ruleset(struct pf_ruleset *ruleset)
}
}
-static struct pf_anchor *
+static struct pfctl_anchor *
pf_find_anchor(const char *path)
{
- struct pf_anchor *key, *found;
+ struct pfctl_anchor *key, *found;
- key = (struct pf_anchor *)rs_malloc(sizeof(*key));
+ key = (struct pfctl_anchor *)rs_malloc(sizeof(*key));
if (key == NULL)
return (NULL);
strlcpy(key->path, path, sizeof(key->path));
- found = RB_FIND(pf_anchor_global, &V_pf_anchors, key);
+ found = RB_FIND(pfctl_anchor_global, &V_pf_anchors, key);
rs_free(key);
return (found);
}
-struct pf_ruleset *
+struct pfctl_ruleset *
pf_find_ruleset(const char *path)
{
- struct pf_anchor *anchor;
+ struct pfctl_anchor *anchor;
while (*path == '/')
path++;
@@ -169,12 +170,12 @@ pf_find_ruleset(const char *path)
return (&anchor->ruleset);
}
-struct pf_ruleset *
+struct pfctl_ruleset *
pf_find_or_create_ruleset(const char *path)
{
char *p, *q, *r;
- struct pf_ruleset *ruleset;
- struct pf_anchor *anchor = NULL, *dup, *parent = NULL;
+ struct pfctl_ruleset *ruleset;
+ struct pfctl_anchor *anchor = NULL, *dup, *parent = NULL;
if (path[0] == 0)
return (&pf_main_ruleset);
@@ -212,7 +213,7 @@ pf_find_or_create_ruleset(const char *path)
rs_free(p);
return (NULL);
}
- anchor = (struct pf_anchor *)rs_malloc(sizeof(*anchor));
+ anchor = (struct pfctl_anchor *)rs_malloc(sizeof(*anchor));
if (anchor == NULL) {
rs_free(p);
return (NULL);
@@ -225,7 +226,7 @@ pf_find_or_create_ruleset(const char *path)
strlcat(anchor->path, "/", sizeof(anchor->path));
}
strlcat(anchor->path, anchor->name, sizeof(anchor->path));
- if ((dup = RB_INSERT(pf_anchor_global, &V_pf_anchors, anchor)) !=
+ if ((dup = RB_INSERT(pfctl_anchor_global, &V_pf_anchors, anchor)) !=
NULL) {
printf("pf_find_or_create_ruleset: RB_INSERT1 "
"'%s' '%s' collides with '%s' '%s'\n",
@@ -236,13 +237,13 @@ pf_find_or_create_ruleset(const char *path)
}
if (parent != NULL) {
anchor->parent = parent;
- if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
+ if ((dup = RB_INSERT(pfctl_anchor_node, &parent->children,
anchor)) != NULL) {
printf("pf_find_or_create_ruleset: "
"RB_INSERT2 '%s' '%s' collides with "
"'%s' '%s'\n", anchor->path, anchor->name,
dup->path, dup->name);
- RB_REMOVE(pf_anchor_global, &V_pf_anchors,
+ RB_REMOVE(pfctl_anchor_global, &V_pf_anchors,
anchor);
rs_free(anchor);
rs_free(p);
@@ -262,9 +263,9 @@ pf_find_or_create_ruleset(const char *path)
}
void
-pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
+pf_remove_if_empty_ruleset(struct pfctl_ruleset *ruleset)
{
- struct pf_anchor *parent;
+ struct pfctl_anchor *parent;
int i;
while (ruleset != NULL) {
@@ -278,9 +279,9 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
!TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
ruleset->rules[i].inactive.open)
return;
- RB_REMOVE(pf_anchor_global, &V_pf_anchors, ruleset->anchor);
+ RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, ruleset->anchor);
if ((parent = ruleset->anchor->parent) != NULL)
- RB_REMOVE(pf_anchor_node, &parent->children,
+ RB_REMOVE(pfctl_anchor_node, &parent->children,
ruleset->anchor);
rs_free(ruleset->anchor);
if (parent == NULL)
@@ -289,11 +290,11 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
}
}
int
-pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
+pfctl_anchor_setup(struct pfctl_rule *r, const struct pfctl_ruleset *s,
const char *name)
{
char *p, *path;
- struct pf_ruleset *ruleset;
+ struct pfctl_ruleset *ruleset;
r->anchor = NULL;
r->anchor_relative = 0;
@@ -314,7 +315,7 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
strlcpy(path, s->anchor->path, MAXPATHLEN);
while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
if (!path[0]) {
- printf("pf_anchor_setup: .. beyond root\n");
+ printf("pfctl_anchor_setup: .. beyond root\n");
*** 690 LINES SKIPPED ***
More information about the dev-commits-src-branches
mailing list