The branch stable/12 has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=051f0103dc196ac29d7ec2e1f1c3f99a295cae64
commit 051f0103dc196ac29d7ec2e1f1c3f99a295cae64
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2020-12-12 14:14:56 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2021-01-20 14:16:05 +0000
pf: Split pfi_kif into a user and kernel space structure
No functional change.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27761
(cherry picked from commit 320c11165b6b1113b34f9e156cbf85b5ed0aa5eb)
---
sys/net/pfvar.h | 74 ++++++++++++++----------
sys/netpfil/pf/if_pflog.c | 2 +-
sys/netpfil/pf/if_pfsync.c | 6 +-
sys/netpfil/pf/pf.c | 62 ++++++++++----------
sys/netpfil/pf/pf.h | 23 ++++++++
sys/netpfil/pf/pf_if.c | 138 ++++++++++++++++++++++++++-------------------
sys/netpfil/pf/pf_ioctl.c | 113 ++++++++++++++++++++++---------------
sys/netpfil/pf/pf_lb.c | 12 ++--
sys/netpfil/pf/pf_norm.c | 12 ++--
9 files changed, 260 insertions(+), 182 deletions(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 636ea8c5e02c..a58da4e4cc46 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -66,7 +66,7 @@ struct pfi_dynaddr {
struct pf_addr pfid_addr6;
struct pf_addr pfid_mask6;
struct pfr_ktable *pfid_kt;
- struct pfi_kif *pfid_kif;
+ struct pfi_kkif *pfid_kif;
int pfid_net; /* mask or 128 */
int pfid_acnt4; /* address count IPv4 */
int pfid_acnt6; /* address count IPv6 */
@@ -294,6 +294,25 @@ extern struct sx pf_end_lock;
#ifdef _KERNEL
+struct pf_kpooladdr {
+ struct pf_addr_wrap addr;
+ TAILQ_ENTRY(pf_kpooladdr) entries;
+ char ifname[IFNAMSIZ];
+ struct pfi_kkif *kif;
+};
+
+TAILQ_HEAD(pf_kpalist, pf_kpooladdr);
+
+struct pf_kpool {
+ struct pf_kpalist list;
+ struct pf_kpooladdr *cur;
+ struct pf_poolhashkey key;
+ struct pf_addr counter;
+ int tblidx;
+ u_int16_t proxy_port[2];
+ u_int8_t opts;
+};
+
union pf_krule_ptr {
struct pf_krule *ptr;
u_int32_t nr;
@@ -313,13 +332,13 @@ struct pf_krule {
char overload_tblname[PF_TABLE_NAME_SIZE];
TAILQ_ENTRY(pf_krule) entries;
- struct pf_pool rpool;
+ struct pf_kpool rpool;
counter_u64_t evaluations;
counter_u64_t packets[2];
counter_u64_t bytes[2];
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
struct pf_kanchor *anchor;
struct pfr_ktable *overload_tbl;
@@ -398,7 +417,7 @@ struct pf_ksrc_node {
struct pf_addr addr;
struct pf_addr raddr;
union pf_krule_ptr rule;
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
counter_u64_t bytes[2];
counter_u64_t packets[2];
u_int32_t states;
@@ -500,8 +519,8 @@ struct pf_state {
union pf_krule_ptr nat_rule;
struct pf_addr rt_addr;
struct pf_state_key *key[2]; /* addresses stack and wire */
- struct pfi_kif *kif;
- struct pfi_kif *rt_kif;
+ struct pfi_kkif *kif;
+ struct pfi_kkif *rt_kif;
struct pf_ksrc_node *src_node;
struct pf_ksrc_node *nat_src_node;
counter_u64_t packets[2];
@@ -606,7 +625,7 @@ void pfsync_state_export(struct
pfsync_state *,
/* pflog */
struct pf_kruleset;
struct pf_pdesc;
-typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t,
+typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t,
u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *,
struct pf_kruleset *, struct pf_pdesc *, int);
extern pflog_packet_t *pflog_packet_ptr;
@@ -851,16 +870,12 @@ struct pfr_ktable {
#define pfrkt_tzero pfrkt_kts.pfrkts_tzero
#endif
-/* keep synced with pfi_kif, used in RB_FIND */
-struct pfi_kif_cmp {
- char pfik_name[IFNAMSIZ];
-};
-
-struct pfi_kif {
+#ifdef _KERNEL
+struct pfi_kkif {
char pfik_name[IFNAMSIZ];
union {
- RB_ENTRY(pfi_kif) _pfik_tree;
- LIST_ENTRY(pfi_kif) _pfik_list;
+ RB_ENTRY(pfi_kkif) _pfik_tree;
+ LIST_ENTRY(pfi_kkif) _pfik_list;
} _pfik_glue;
#define pfik_tree _pfik_glue._pfik_tree
#define pfik_list _pfik_glue._pfik_list
@@ -873,6 +888,7 @@ struct pfi_kif {
u_int pfik_rulerefs;
TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
};
+#endif
#define PFI_IFLAG_REFS 0x0001 /* has state references */
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
@@ -1367,7 +1383,7 @@ VNET_DECLARE(uint64_t, pf_stateid[MAXCPU]);
TAILQ_HEAD(pf_altqqueue, pf_altq);
VNET_DECLARE(struct pf_altqqueue, pf_altqs[4]);
#define V_pf_altqs VNET(pf_altqs)
-VNET_DECLARE(struct pf_palist, pf_pabuf);
+VNET_DECLARE(struct pf_kpalist, pf_pabuf);
#define V_pf_pabuf VNET(pf_pabuf)
VNET_DECLARE(u_int32_t, ticket_altqs_active);
@@ -1416,7 +1432,7 @@ extern void
pf_purge_expired_src_nodes(void);
extern int pf_unlink_state(struct pf_state *, u_int);
#define PF_ENTER_LOCKED 0x00000001
#define PF_RETURN_LOCKED 0x00000002
-extern int pf_state_insert(struct pfi_kif *,
+extern int pf_state_insert(struct pfi_kkif *,
struct pf_state_key *,
struct pf_state_key *,
struct pf_state *);
@@ -1464,13 +1480,13 @@ void pf_free_rule(struct
pf_krule *);
#ifdef INET
int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
-int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
+int pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
#endif /* INET */
#ifdef INET6
int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
-int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
+int pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
void pf_poolmask(struct pf_addr *, struct pf_addr*,
struct pf_addr *, struct pf_addr *, u_int8_t);
@@ -1498,7 +1514,7 @@ int pf_match_port(u_int8_t, u_int16_t, u_int16_t,
u_int16_t);
void pf_normalize_init(void);
void pf_normalize_cleanup(void);
-int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
+int pf_normalize_tcp(int, struct pfi_kkif *, struct mbuf *, int, int, void
*,
struct pf_pdesc *);
void pf_normalize_tcp_cleanup(struct pf_state *);
int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
@@ -1510,7 +1526,7 @@ u_int32_t
pf_state_expires(const struct pf_state *);
void pf_purge_expired_fragments(void);
void pf_purge_fragments(uint32_t);
-int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *,
+int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *,
int);
int pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);
struct pf_state_key *pf_alloc_state_key(int);
@@ -1553,19 +1569,19 @@ int pfr_ina_define(struct pfr_table *, struct
pfr_addr *, int, int *,
int *, u_int32_t, int);
MALLOC_DECLARE(PFI_MTYPE);
-VNET_DECLARE(struct pfi_kif *, pfi_all);
+VNET_DECLARE(struct pfi_kkif *, pfi_all);
#define V_pfi_all VNET(pfi_all)
void pfi_initialize(void);
void pfi_initialize_vnet(void);
void pfi_cleanup(void);
void pfi_cleanup_vnet(void);
-void pfi_kif_ref(struct pfi_kif *);
-void pfi_kif_unref(struct pfi_kif *);
-struct pfi_kif *pfi_kif_find(const char *);
-struct pfi_kif *pfi_kif_attach(struct pfi_kif *, const char *);
-int pfi_kif_match(struct pfi_kif *, struct pfi_kif *);
-void pfi_kif_purge(void);
+void pfi_kkif_ref(struct pfi_kkif *);
+void pfi_kkif_unref(struct pfi_kkif *);
+struct pfi_kkif *pfi_kkif_find(const char *);
+struct pfi_kkif *pfi_kkif_attach(struct pfi_kkif *, const char *);
+int pfi_kkif_match(struct pfi_kkif *, struct pfi_kkif *);
+void pfi_kkif_purge(void);
int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
sa_family_t);
int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
@@ -1639,7 +1655,7 @@ int pf_map_addr(u_int8_t, struct
pf_krule *,
struct pf_addr *, struct pf_addr *,
struct pf_addr *, struct pf_ksrc_node **);
struct pf_krule *pf_get_translation(struct pf_pdesc *, struct
mbuf *,
- int, int, struct pfi_kif *, struct pf_ksrc_node **,
+ int, int, struct pfi_kkif *, struct pf_ksrc_node **,
struct pf_state_key **, struct pf_state_key **,
struct pf_addr *, struct pf_addr *,
uint16_t, uint16_t, struct pf_kanchor_stackframe *);
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 030f75c2507e..9eb168b9a74f 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -201,7 +201,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
}
static int
-pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
+pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t
dir,
u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 0d0e62cf1b8b..a9950350cb29 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -465,7 +465,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
struct pf_state *st = NULL;
struct pf_state_key *skw = NULL, *sks = NULL;
struct pf_krule *r = NULL;
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
int error;
PF_RULES_RASSERT();
@@ -477,7 +477,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
return (EINVAL);
}
- if ((kif = pfi_kif_find(sp->ifname)) == NULL) {
+ if ((kif = pfi_kkif_find(sp->ifname)) == NULL) {
if (V_pf_status.debug >= PF_DEBUG_MISC)
printf("%s: unknown interface: %s\n", __func__,
sp->ifname);
@@ -765,7 +765,7 @@ pfsync_in_clr(struct pfsync_pkt *pkt, struct mbuf *m, int
offset, int count)
creatorid = clr[i].creatorid;
if (clr[i].ifname[0] != '\0' &&
- pfi_kif_find(clr[i].ifname) == NULL)
+ pfi_kkif_find(clr[i].ifname) == NULL)
continue;
for (int i = 0; i <= pf_hashmask; i++) {
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c2cc2ba55196..f1c26342577f 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -119,7 +119,7 @@ __FBSDID("$FreeBSD$");
/* state tables */
VNET_DEFINE(struct pf_altqqueue, pf_altqs[4]);
-VNET_DEFINE(struct pf_palist, pf_pabuf);
+VNET_DEFINE(struct pf_kpalist, pf_pabuf);
VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active);
VNET_DEFINE(struct pf_altqqueue *, pf_altq_ifs_active);
VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive);
@@ -245,38 +245,38 @@ static void pf_state_key_detach(struct
pf_state *, int);
static int pf_state_key_ctor(void *, int, void *, int);
static u_int32_t pf_tcp_iss(struct pf_pdesc *);
static int pf_test_rule(struct pf_krule **, struct pf_state **,
- int, struct pfi_kif *, struct mbuf *, int,
+ int, struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **, struct inpcb *);
static int pf_create_state(struct pf_krule *, struct pf_krule *,
struct pf_krule *, struct pf_pdesc *,
struct pf_ksrc_node *, struct pf_state_key *,
struct pf_state_key *, struct mbuf *, int,
- u_int16_t, u_int16_t, int *, struct pfi_kif *,
+ u_int16_t, u_int16_t, int *, struct pfi_kkif *,
struct pf_state **, int, u_int16_t, u_int16_t,
int);
static int pf_test_fragment(struct pf_krule **, int,
- struct pfi_kif *, struct mbuf *, void *,
+ struct pfi_kkif *, struct mbuf *, void *,
struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **);
static int pf_tcp_track_full(struct pf_state_peer *,
struct pf_state_peer *, struct pf_state **,
- struct pfi_kif *, struct mbuf *, int,
+ struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, u_short *, int *);
static int pf_tcp_track_sloppy(struct pf_state_peer *,
struct pf_state_peer *, struct pf_state **,
struct pf_pdesc *, u_short *);
static int pf_test_state_tcp(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *, int,
+ struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
static int pf_test_state_udp(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *, int,
+ struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *);
static int pf_test_state_icmp(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *, int,
+ struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
static int pf_test_state_other(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *, struct pf_pdesc *);
+ struct pfi_kkif *, struct mbuf *, struct pf_pdesc
*);
static u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t,
sa_family_t);
static u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t,
@@ -291,7 +291,7 @@ static int pf_addr_wrap_neq(struct pf_addr_wrap *,
struct pf_addr_wrap *);
static void pf_patch_8(struct mbuf *, u_int16_t *, u_int8_t *,
u_int8_t,
bool, u_int8_t);
-static struct pf_state *pf_find_state(struct pfi_kif *,
+static struct pf_state *pf_find_state(struct pfi_kkif *,
struct pf_state_key_cmp *, u_int);
static int pf_src_connlimit(struct pf_state **);
static void pf_overload_task(void *v, int pending);
@@ -1255,7 +1255,7 @@ pf_state_key_clone(struct pf_state_key *orig)
}
int
-pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
+pf_state_insert(struct pfi_kkif *kif, struct pf_state_key *skw,
struct pf_state_key *sks, struct pf_state *s)
{
struct pf_idhash *ih;
@@ -1341,7 +1341,7 @@ pf_find_state_byid(uint64_t id, uint32_t creatorid)
* Returns with ID hash slot locked on success.
*/
static struct pf_state *
-pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir)
+pf_find_state(struct pfi_kkif *kif, struct pf_state_key_cmp *key, u_int dir)
{
struct pf_keyhash *kh;
struct pf_state_key *sk;
@@ -1535,7 +1535,7 @@ pf_purge_thread(void *unused __unused)
pf_purge_expired_fragments();
pf_purge_expired_src_nodes();
pf_purge_unlinked_rules();
- pfi_kif_purge();
+ pfi_kkif_purge();
}
CURVNET_RESTORE();
}
@@ -1558,7 +1558,7 @@ pf_unload_vnet_purge(void)
* raise them, and then second run frees.
*/
pf_purge_unlinked_rules();
- pfi_kif_purge();
+ pfi_kkif_purge();
/*
* Now purge everything.
@@ -1572,7 +1572,7 @@ pf_unload_vnet_purge(void)
* thus should be successfully freed.
*/
pf_purge_unlinked_rules();
- pfi_kif_purge();
+ pfi_kkif_purge();
}
@@ -2603,7 +2603,7 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_krule
*r, sa_family_t af,
static void
pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
struct pf_state_key *sk, int off, struct mbuf *m, struct tcphdr *th,
- struct pfi_kif *kif, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen,
+ struct pfi_kkif *kif, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen,
u_short *reason)
{
struct pf_addr * const saddr = pd->src;
@@ -3326,7 +3326,7 @@ pf_tcp_iss(struct pf_pdesc *pd)
static int
pf_test_rule(struct pf_krule **rm, struct pf_state **sm, int direction,
- struct pfi_kif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
+ struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp)
{
struct pf_krule *nr = NULL;
@@ -3539,7 +3539,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_state **sm,
int direction,
while (r != NULL) {
counter_u64_add(r->evaluations, 1);
- if (pfi_kif_match(r->kif, kif) == r->ifnot)
+ if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
r = r->skip[PF_SKIP_DIR].ptr;
@@ -3702,7 +3702,7 @@ static int
pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk,
struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,
- u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
+ u_int16_t dport, int *rewrite, struct pfi_kkif *kif, struct pf_state **sm,
int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen)
{
struct pf_state *s = NULL;
@@ -3960,7 +3960,7 @@ csfailed:
}
static int
-pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif,
+pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_krule **am,
struct pf_kruleset **rsm)
{
@@ -3978,7 +3978,7 @@ pf_test_fragment(struct pf_krule **rm, int direction,
struct pfi_kif *kif,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
counter_u64_add(r->evaluations, 1);
- if (pfi_kif_match(r->kif, kif) == r->ifnot)
+ if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
r = r->skip[PF_SKIP_DIR].ptr;
@@ -4056,7 +4056,7 @@ pf_test_fragment(struct pf_krule **rm, int direction,
struct pfi_kif *kif,
static int
pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
- struct pf_state **state, struct pfi_kif *kif, struct mbuf *m, int off,
+ struct pf_state **state, struct pfi_kkif *kif, struct mbuf *m, int off,
struct pf_pdesc *pd, u_short *reason, int *copyback)
{
struct tcphdr *th = pd->hdr.tcp;
@@ -4456,7 +4456,7 @@ pf_tcp_track_sloppy(struct pf_state_peer *src, struct
pf_state_peer *dst,
}
static int
-pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
+pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
u_short *reason)
{
@@ -4624,7 +4624,7 @@ pf_test_state_tcp(struct pf_state **state, int direction,
struct pfi_kif *kif,
}
static int
-pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
+pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@@ -4691,7 +4691,7 @@ pf_test_state_udp(struct pf_state **state, int direction,
struct pfi_kif *kif,
}
static int
-pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
+pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kkif
*kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
{
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
@@ -5296,7 +5296,7 @@ pf_test_state_icmp(struct pf_state **state, int
direction, struct pfi_kif *kif,
}
static int
-pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif
*kif,
+pf_test_state_other(struct pf_state **state, int direction, struct pfi_kkif
*kif,
struct mbuf *m, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@@ -5526,7 +5526,7 @@ out:
#endif
int
-pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif,
+pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif,
int rtableid)
{
#ifdef INET
@@ -6018,7 +6018,7 @@ pf_check_proto_cksum(struct mbuf *m, int off, int len,
u_int8_t p, sa_family_t a
int
pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
*inp)
{
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0;
struct ip *h = NULL;
@@ -6038,7 +6038,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct
mbuf **m0, struct inpcb *
memset(&pd, 0, sizeof(pd));
- kif = (struct pfi_kif *)ifp->if_pf_kif;
+ kif = (struct pfi_kkif *)ifp->if_pf_kif;
if (kif == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
@@ -6413,7 +6413,7 @@ done:
int
pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct
inpcb *inp)
{
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0, *n = NULL;
struct m_tag *mtag;
@@ -6436,7 +6436,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct
mbuf **m0, struct inpcb
if (pd.pf_mtag && pd.pf_mtag->flags & PF_TAG_GENERATED)
return (PF_PASS);
- kif = (struct pfi_kif *)ifp->if_pf_kif;
+ kif = (struct pfi_kkif *)ifp->if_pf_kif;
if (kif == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 4e73d815aece..511c60f5abd1 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -189,6 +189,29 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE,
PF_ADDR_DYNIFTL,
struct pf_rule;
+/* keep synced with pfi_kif, used in RB_FIND */
+struct pfi_kif_cmp {
+ char pfik_name[IFNAMSIZ];
+};
+
+struct pfi_kif {
+ char pfik_name[IFNAMSIZ];
+ union {
+ RB_ENTRY(pfi_kif) _pfik_tree;
+ LIST_ENTRY(pfi_kif) _pfik_list;
+ } _pfik_glue;
+#define pfik_tree _pfik_glue._pfik_tree
+#define pfik_list _pfik_glue._pfik_list
+ u_int64_t pfik_packets[2][2][2];
+ u_int64_t pfik_bytes[2][2][2];
+ u_int32_t pfik_tzero;
+ u_int pfik_flags;
+ struct ifnet *pfik_ifp;
+ struct ifg_group *pfik_group;
+ u_int pfik_rulerefs;
+ TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
+};
+
struct pf_status {
uint64_t counters[PFRES_MAX];
uint64_t lcounters[LCNT_MAX];
diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index fa43ca292ae1..a0148395340f 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -54,7 +54,7 @@ __FBSDID("$FreeBSD$");
#include <net/pfvar.h>
#include <net/route.h>
-VNET_DEFINE(struct pfi_kif *, pfi_all);
+VNET_DEFINE(struct pfi_kkif *, pfi_all);
VNET_DEFINE_STATIC(long, pfi_update);
#define V_pfi_update VNET(pfi_update)
#define PFI_BUFFER_MAX 0x10000
@@ -79,14 +79,14 @@ eventhandler_tag pfi_ifaddr_event_cookie;
static void pfi_attach_ifnet(struct ifnet *);
static void pfi_attach_ifgroup(struct ifg_group *);
-static void pfi_kif_update(struct pfi_kif *);
+static void pfi_kkif_update(struct pfi_kkif *);
static void pfi_dynaddr_update(struct pfi_dynaddr *dyn);
-static void pfi_table_update(struct pfr_ktable *, struct pfi_kif *, int,
+static void pfi_table_update(struct pfr_ktable *, struct pfi_kkif *, int,
int);
static void pfi_instance_add(struct ifnet *, int, int);
static void pfi_address_add(struct sockaddr *, int, int);
-static int pfi_if_compare(struct pfi_kif *, struct pfi_kif *);
-static int pfi_skip_if(const char *, struct pfi_kif *);
+static int pfi_kkif_compare(struct pfi_kkif *, struct pfi_kkif *);
+static int pfi_skip_if(const char *, struct pfi_kkif *);
static int pfi_unmask(void *);
static void pfi_attach_ifnet_event(void * __unused, struct ifnet *);
static void pfi_detach_ifnet_event(void * __unused, struct ifnet *);
@@ -95,16 +95,16 @@ static void pfi_change_group_event(void * __unused, char
*);
static void pfi_detach_group_event(void * __unused, struct ifg_group *);
static void pfi_ifaddr_event(void * __unused, struct ifnet *);
-RB_HEAD(pfi_ifhead, pfi_kif);
-static RB_PROTOTYPE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
-static RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
+RB_HEAD(pfi_ifhead, pfi_kkif);
+static RB_PROTOTYPE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare);
+static RB_GENERATE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare);
VNET_DEFINE_STATIC(struct pfi_ifhead, pfi_ifs);
#define V_pfi_ifs VNET(pfi_ifs)
#define PFI_BUFFER_MAX 0x10000
MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interface database");
-LIST_HEAD(pfi_list, pfi_kif);
+LIST_HEAD(pfi_list, pfi_kkif);
VNET_DEFINE_STATIC(struct pfi_list, pfi_unlinked_kifs);
#define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs)
static struct mtx pfi_unlnkdkifs_mtx;
@@ -116,7 +116,7 @@ pfi_initialize_vnet(void)
{
struct ifg_group *ifg;
struct ifnet *ifp;
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
V_pfi_buffer_max = 64;
V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer),
@@ -124,7 +124,7 @@ pfi_initialize_vnet(void)
kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
PF_RULES_WLOCK();
- V_pfi_all = pfi_kif_attach(kif, IFG_ALL);
+ V_pfi_all = pfi_kkif_attach(kif, IFG_ALL);
PF_RULES_WUNLOCK();
IFNET_RLOCK();
@@ -156,7 +156,7 @@ pfi_initialize(void)
void
pfi_cleanup_vnet(void)
{
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
PF_RULES_WASSERT();
@@ -194,8 +194,8 @@ pfi_cleanup(void)
EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
}
-struct pfi_kif *
-pfi_kif_find(const char *kif_name)
+struct pfi_kkif *
+pfi_kkif_find(const char *kif_name)
{
struct pfi_kif_cmp s;
@@ -204,18 +204,18 @@ pfi_kif_find(const char *kif_name)
bzero(&s, sizeof(s));
strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name));
- return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&s));
+ return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&s));
}
-struct pfi_kif *
-pfi_kif_attach(struct pfi_kif *kif, const char *kif_name)
+struct pfi_kkif *
+pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name)
{
- struct pfi_kif *kif1;
+ struct pfi_kkif *kif1;
PF_RULES_WASSERT();
KASSERT(kif != NULL, ("%s: null kif", __func__));
- kif1 = pfi_kif_find(kif_name);
+ kif1 = pfi_kkif_find(kif_name);
if (kif1 != NULL) {
free(kif, PFI_MTYPE);
return (kif1);
@@ -239,7 +239,7 @@ pfi_kif_attach(struct pfi_kif *kif, const char *kif_name)
}
void
-pfi_kif_ref(struct pfi_kif *kif)
+pfi_kkif_ref(struct pfi_kkif *kif)
{
PF_RULES_WASSERT();
@@ -247,7 +247,7 @@ pfi_kif_ref(struct pfi_kif *kif)
}
void
-pfi_kif_unref(struct pfi_kif *kif)
+pfi_kkif_unref(struct pfi_kkif *kif)
{
PF_RULES_WASSERT();
@@ -274,9 +274,9 @@ pfi_kif_unref(struct pfi_kif *kif)
}
void
-pfi_kif_purge(void)
+pfi_kkif_purge(void)
{
- struct pfi_kif *kif, *kif1;
+ struct pfi_kkif *kif, *kif1;
/*
* Do naive mark-and-sweep garbage collecting of old kifs.
@@ -294,7 +294,7 @@ pfi_kif_purge(void)
}
int
-pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif)
+pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif)
{
struct ifg_list *p;
@@ -318,33 +318,33 @@ pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif
*packet_kif)
static void
pfi_attach_ifnet(struct ifnet *ifp)
{
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
PF_RULES_WLOCK();
V_pfi_update++;
- kif = pfi_kif_attach(kif, ifp->if_xname);
+ kif = pfi_kkif_attach(kif, ifp->if_xname);
if_ref(ifp);
kif->pfik_ifp = ifp;
ifp->if_pf_kif = kif;
- pfi_kif_update(kif);
+ pfi_kkif_update(kif);
PF_RULES_WUNLOCK();
}
static void
pfi_attach_ifgroup(struct ifg_group *ifg)
{
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
PF_RULES_WLOCK();
V_pfi_update++;
- kif = pfi_kif_attach(kif, ifg->ifg_group);
+ kif = pfi_kkif_attach(kif, ifg->ifg_group);
kif->pfik_group = ifg;
ifg->ifg_pf_kif = kif;
@@ -392,7 +392,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
struct pfi_dynaddr *dyn;
char tblname[PF_TABLE_NAME_SIZE];
struct pf_kruleset *ruleset = NULL;
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
int rv = 0;
PF_RULES_WASSERT();
@@ -409,10 +409,10 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
}
if (!strcmp(aw->v.ifname, "self"))
- dyn->pfid_kif = pfi_kif_attach(kif, IFG_ALL);
+ dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL);
else
- dyn->pfid_kif = pfi_kif_attach(kif, aw->v.ifname);
- pfi_kif_ref(dyn->pfid_kif);
+ dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname);
+ pfi_kkif_ref(dyn->pfid_kif);
dyn->pfid_net = pfi_unmask(&aw->v.a.mask);
if (af == AF_INET && dyn->pfid_net == 32)
@@ -445,7 +445,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
aw->p.dyn = dyn;
- pfi_kif_update(dyn->pfid_kif);
+ pfi_kkif_update(dyn->pfid_kif);
return (0);
@@ -455,19 +455,19 @@ _bad:
if (ruleset != NULL)
pf_remove_if_empty_kruleset(ruleset);
if (dyn->pfid_kif != NULL)
- pfi_kif_unref(dyn->pfid_kif);
+ pfi_kkif_unref(dyn->pfid_kif);
free(dyn, PFI_MTYPE);
return (rv);
}
static void
-pfi_kif_update(struct pfi_kif *kif)
+pfi_kkif_update(struct pfi_kkif *kif)
{
struct ifg_list *ifgl;
struct ifg_member *ifgm;
struct pfi_dynaddr *p;
- struct pfi_kif *tmpkif;
+ struct pfi_kkif *tmpkif;
PF_RULES_WASSERT();
@@ -479,7 +479,7 @@ pfi_kif_update(struct pfi_kif *kif)
if (kif->pfik_group != NULL) {
CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members,
ifgm_next) {
- tmpkif = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif;
+ tmpkif = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif;
if (tmpkif == NULL)
continue;
@@ -491,7 +491,7 @@ pfi_kif_update(struct pfi_kif *kif)
if (kif->pfik_ifp != NULL) {
IF_ADDR_RLOCK(kif->pfik_ifp);
CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next)
- pfi_kif_update((struct pfi_kif *)
+ pfi_kkif_update((struct pfi_kkif *)
ifgl->ifgl_group->ifg_pf_kif);
IF_ADDR_RUNLOCK(kif->pfik_ifp);
}
@@ -500,7 +500,7 @@ pfi_kif_update(struct pfi_kif *kif)
static void
pfi_dynaddr_update(struct pfi_dynaddr *dyn)
{
- struct pfi_kif *kif;
+ struct pfi_kkif *kif;
struct pfr_ktable *kt;
PF_RULES_WASSERT();
@@ -519,7 +519,7 @@ pfi_dynaddr_update(struct pfi_dynaddr *dyn)
}
static void
-pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int
flags)
+pfi_table_update(struct pfr_ktable *kt, struct pfi_kkif *kif, int net, int
flags)
{
int e, size2 = 0;
struct ifg_member *ifgm;
@@ -663,7 +663,7 @@ pfi_dynaddr_remove(struct pfi_dynaddr *dyn)
KASSERT(dyn->pfid_kt != NULL, ("%s: null pfid_kt", __func__));
TAILQ_REMOVE(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
- pfi_kif_unref(dyn->pfid_kif);
+ pfi_kkif_unref(dyn->pfid_kif);
pfr_detach_table(dyn->pfid_kt);
free(dyn, PFI_MTYPE);
}
@@ -681,7 +681,7 @@ pfi_dynaddr_copyout(struct pf_addr_wrap *aw)
}
static int
-pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q)
+pfi_kkif_compare(struct pfi_kkif *p, struct pfi_kkif *q)
{
return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ));
}
@@ -689,14 +689,14 @@ pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q)
void
pfi_update_status(const char *name, struct pf_status *pfs)
{
- struct pfi_kif *p;
+ struct pfi_kkif *p;
struct pfi_kif_cmp key;
struct ifg_member p_member, *ifgm;
CK_STAILQ_HEAD(, ifg_member) ifg_members;
int i, j, k;
strlcpy(key.pfik_name, name, sizeof(key.pfik_name));
- p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&key);
+ p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&key);
if (p == NULL)
return;
@@ -717,7 +717,7 @@ pfi_update_status(const char *name, struct pf_status *pfs)
CK_STAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) {
if (ifgm->ifgm_ifp == NULL || ifgm->ifgm_ifp->if_pf_kif == NULL)
continue;
- p = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif;
+ p = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif;
/* just clear statistics */
if (pfs == NULL) {
@@ -737,10 +737,30 @@ pfi_update_status(const char *name, struct pf_status *pfs)
}
}
+static void
+pf_kkif_to_kif(const struct pfi_kkif *kkif, struct pfi_kif *kif)
+{
+
+ bzero(kif, sizeof(*kif));
+ strlcpy(kif->pfik_name, kkif->pfik_name, sizeof(kif->pfik_name));
+ for (int i = 0; i < 2; i++) {
+ for (int j = 0; j < 2; j++) {
+ for (int k = 0; k < 2; k++) {
+ kif->pfik_packets[i][j][k] =
+ kkif->pfik_packets[i][j][k];
+ kif->pfik_bytes[i][j][k] =
+ kkif->pfik_bytes[i][j][k];
+ }
+ }
+ }
+ kif->pfik_tzero = kkif->pfik_tzero;
+ kif->pfik_rulerefs = kkif->pfik_rulerefs;
+}
+
void
pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size)
{
- struct pfi_kif *p, *nextp;
+ struct pfi_kkif *p, *nextp;
int n = 0;
for (p = RB_MIN(pfi_ifhead, &V_pfi_ifs); p; p = nextp) {
@@ -751,14 +771,14 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf, int
*size)
break;
if (!p->pfik_tzero)
p->pfik_tzero = time_second;
- bcopy(p, buf++, sizeof(*buf));
+ pf_kkif_to_kif(p, buf++);
nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p);
}
*size = n;
}
static int
-pfi_skip_if(const char *filter, struct pfi_kif *p)
+pfi_skip_if(const char *filter, struct pfi_kkif *p)
{
struct ifg_list *i;
int n;
@@ -789,13 +809,13 @@ pfi_skip_if(const char *filter, struct pfi_kif *p)
int
pfi_set_flags(const char *name, int flags)
{
- struct pfi_kif *p, *kif;
+ struct pfi_kkif *p, *kif;
kif = malloc(sizeof(*kif), PFI_MTYPE, M_NOWAIT);
if (kif == NULL)
return (ENOMEM);
- kif = pfi_kif_attach(kif, name);
+ kif = pfi_kkif_attach(kif, name);
RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) {
if (pfi_skip_if(name, p))
@@ -808,7 +828,7 @@ pfi_set_flags(const char *name, int flags)
int
pfi_clear_flags(const char *name, int flags)
{
- struct pfi_kif *p, *tmp;
+ struct pfi_kkif *p, *tmp;
RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) {
if (pfi_skip_if(name, p))
@@ -864,7 +884,7 @@ pfi_attach_ifnet_event(void *arg __unused, struct ifnet
*ifp)
static void
pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp)
{
- struct pfi_kif *kif = (struct pfi_kif *)ifp->if_pf_kif;
+ struct pfi_kkif *kif = (struct pfi_kkif *)ifp->if_pf_kif;
if (pfsync_detach_ifnet_ptr)
pfsync_detach_ifnet_ptr(ifp);
@@ -879,7 +899,7 @@ pfi_detach_ifnet_event(void *arg __unused, struct ifnet
*ifp)
PF_RULES_WLOCK();
V_pfi_update++;
- pfi_kif_update(kif);
+ pfi_kkif_update(kif);
if (kif->pfik_ifp)
*** 477 LINES SKIPPED ***
_______________________________________________
dev-commits-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all
To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
