The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=3bf6554017b78f03bb779a5a3115034243e5c6c7

commit 3bf6554017b78f03bb779a5a3115034243e5c6c7
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-01-22 15:55:19 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-01-24 10:20:31 +0000

    pf: remove PFLOGIFS_MAX
    
    There was a limit on the number of pflog interfaces - 16. remove that.
    mostly by dynamically allocating pflogifs instead of making that a static
    array. ok claudio zinke
    
    Obtained from:  OpenBSD, henning <henn...@openbsd.org>, ab0a082ea6
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/if_pflog.h        |  2 --
 sys/netpfil/pf/if_pflog.c | 48 +++++++++++++++++++++++++++++++++++++----------
 sys/netpfil/pf/pf_ioctl.c |  4 ----
 3 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 9734ca245eda..dc22c05cdea0 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -33,8 +33,6 @@
 
 #include <net/if.h>
 
-#define        PFLOGIFS_MAX    16
-
 #define        PFLOG_RULESET_NAME_SIZE 16
 
 struct pfloghdr {
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 3cd7cd1f2ddc..f325d0001799 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -88,6 +88,7 @@
 static int     pflogoutput(struct ifnet *, struct mbuf *,
                    const struct sockaddr *, struct route *);
 static void    pflogattach(int);
+static int     pflogifs_resize(size_t);
 static int     pflogioctl(struct ifnet *, u_long, caddr_t);
 static void    pflogstart(struct ifnet *);
 static int     pflog_clone_create(struct if_clone *, char *, size_t,
@@ -99,36 +100,58 @@ static const char pflogname[] = "pflog";
 VNET_DEFINE_STATIC(struct if_clone *, pflog_cloner);
 #define        V_pflog_cloner          VNET(pflog_cloner)
 
-VNET_DEFINE(struct ifnet *, pflogifs[PFLOGIFS_MAX]);   /* for fast access */
+VNET_DEFINE_STATIC(int, npflogifs) = 0;
+#define        V_npflogifs             VNET(npflogifs)
+VNET_DEFINE(struct ifnet **, pflogifs);        /* for fast access */
 #define        V_pflogifs              VNET(pflogifs)
 
 static void
 pflogattach(int npflog __unused)
 {
-       int i;
-
-       for (i = 0; i < PFLOGIFS_MAX; i++)
-               V_pflogifs[i] = NULL;
-
        struct if_clone_addreq req = {
                .create_f = pflog_clone_create,
                .destroy_f = pflog_clone_destroy,
                .flags = IFC_F_AUTOUNIT | IFC_F_LIMITUNIT,
-               .maxunit = PFLOGIFS_MAX - 1,
        };
        V_pflog_cloner = ifc_attach_cloner(pflogname, &req);
        struct ifc_data ifd = { .unit = 0 };
        ifc_create_ifp(pflogname, &ifd, NULL);
 }
 
+static int
+pflogifs_resize(size_t n)
+{
+       struct ifnet **p;
+       int i;
+
+       if (n > SIZE_MAX / sizeof(struct ifnet *))
+               return (EINVAL);
+       if (n == 0)
+               p = NULL;
+       else if ((p = malloc(n * sizeof(struct ifnet *), M_DEVBUF,
+           M_NOWAIT | M_ZERO)) == NULL)
+               return (ENOMEM);
+       for (i = 0; i < n; i++) {
+               if (i < V_npflogifs)
+                       p[i] = V_pflogifs[i];
+               else
+                       p[i] = NULL;
+       }
+
+       if (V_pflogifs)
+               free(V_pflogifs, M_DEVBUF);
+       V_pflogifs = p;
+       V_npflogifs = n;
+
+       return (0);
+}
+
 static int
 pflog_clone_create(struct if_clone *ifc, char *name, size_t maxlen,
     struct ifc_data *ifd, struct ifnet **ifpp)
 {
        struct ifnet *ifp;
 
-       MPASS(ifd->unit < PFLOGIFS_MAX);
-
        ifp = if_alloc(IFT_PFLOG);
        if_initname(ifp, pflogname, ifd->unit);
        ifp->if_mtu = PFLOGMTU;
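Review bot: Readers of `V_pflogifs` get no stated contract here, even though the array is now heap-allocated, resized and freed by `pflogifs_resize()`. Both pf_ioctl.c hunks drop the `logif >= PFLOGIFS_MAX` checks, so any lookup that indexes `V_pflogifs` by a rule's `logif` (none is shown in this diff) needs its own comparison against `V_npflogifs`; otherwise it may read past the allocation, or through a NULL array pointer before the first resize. The immediate `free(V_pflogifs, M_DEVBUF)` also assumes no reader on another CPU still holds the old pointer; if the packet path reads the array without the serialization held here, the free should be deferred until those readers have drained. I would record the rule above the definition, e.g. `/* indexed by unit; valid indices are < V_npflogifs; protected by <LOCK - placeholder> */`. Separately, `pflogattach()` keeps `IFC_F_LIMITUNIT` while no longer setting `.maxunit`, which the designated initializer leaves at 0; if the cloner honours that flag, it may cap creation at unit 0, so confirm it or drop the flag.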
@@ -141,6 +164,11 @@ pflog_clone_create(struct if_clone *ifc, char *name, 
size_t maxlen,
 
        bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN);
 
+       if (ifd->unit + 1 > V_npflogifs &&
+           pflogifs_resize(ifd->unit + 1) != 0) {
+               pflog_clone_destroy(ifc, ifp, IFC_F_FORCE);
+               return (ENOMEM);
+       }
        V_pflogifs[ifd->unit] = ifp;
        *ifpp = ifp;
 
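Review bot: The failure branch returns a hard-coded `ENOMEM` although `pflogifs_resize()` can also return `EINVAL`, so the caller loses the real cause; keeping the result in a local (`error = pflogifs_resize(ifd->unit + 1);` then `return (error);`) would preserve it. The guard `ifd->unit + 1 > V_npflogifs` also mixes the unit's type with the `int` counter. If `unit` is unsigned (its declaration is not in this diff), the comparison is done unsigned, and a unit at the type's maximum would wrap `unit + 1` to 0 and skip the resize before `V_pflogifs[ifd->unit]` is written. An explicit range check on `ifd->unit` ahead of the resize would cover that now that the `MPASS(ifd->unit < PFLOGIFS_MAX)` assertion is gone. pflog_clone_create starts and ends outside this hunk.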
@@ -155,7 +183,7 @@ pflog_clone_destroy(struct if_clone *ifc, struct ifnet 
*ifp, uint32_t flags)
        if (ifp->if_dunit == 0 && (flags & IFC_F_FORCE) == 0)
                return (EINVAL);
 
-       for (i = 0; i < PFLOGIFS_MAX; i++)
+       for (i = 0; i < V_npflogifs; i++)
                if (V_pflogifs[i] == ifp)
                        V_pflogifs[i] = NULL;
 
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 340e7c25a501..a45db33f38dc 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2201,8 +2201,6 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
                error = EINVAL;
        if (!rule->log)
                rule->logif = 0;
-       if (rule->logif >= PFLOGIFS_MAX)
-               error = EINVAL;
        if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
                error = ENOMEM;
        if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
@@ -3767,8 +3765,6 @@ DIOCGETRULENV_error:
                                error = EINVAL;
                        if (!newrule->log)
                                newrule->logif = 0;
-                       if (newrule->logif >= PFLOGIFS_MAX)
-                               error = EINVAL;
                        if (pf_addr_setup(ruleset, &newrule->src.addr, 
newrule->af))
                                error = ENOMEM;
                        if (pf_addr_setup(ruleset, &newrule->dst.addr, 
newrule->af))
