Date: Tue, 5 Jan 2021 22:37:54 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 320c11165b6b - main - pf: Split pfi_kif into a user and kernel space structure Message-ID: <202101052237.105MbsvF081491@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=320c11165b6b1113b34f9e156cbf85b5ed0aa5eb commit 320c11165b6b1113b34f9e156cbf85b5ed0aa5eb Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2020-12-12 14:14:56 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-01-05 22:35:37 +0000 pf: Split pfi_kif into a user and kernel space structure No functional change. MFC after: 2 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D27761 --- sys/net/pfvar.h | 74 ++++++++++++++--------- sys/netpfil/pf/if_pflog.c | 2 +- sys/netpfil/pf/if_pfsync.c | 6 +- sys/netpfil/pf/pf.c | 62 +++++++++---------- sys/netpfil/pf/pf.h | 23 +++++++ sys/netpfil/pf/pf_if.c | 146 ++++++++++++++++++++++++++------------------- sys/netpfil/pf/pf_ioctl.c | 112 ++++++++++++++++++++-------------- sys/netpfil/pf/pf_lb.c | 12 ++-- sys/netpfil/pf/pf_norm.c | 12 ++-- 9 files changed, 264 insertions(+), 185 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index e1fc60d6f1a7..d72d06490040 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -66,7 +66,7 @@ struct pfi_dynaddr { struct pf_addr pfid_addr6; struct pf_addr pfid_mask6; struct pfr_ktable *pfid_kt; - struct pfi_kif *pfid_kif; + struct pfi_kkif *pfid_kif; int pfid_net; /* mask or 128 */ int pfid_acnt4; /* address count IPv4 */ int pfid_acnt6; /* address count IPv6 */ @@ -294,6 +294,25 @@ extern struct sx pf_end_lock; #ifdef _KERNEL +struct pf_kpooladdr { + struct pf_addr_wrap addr; + TAILQ_ENTRY(pf_kpooladdr) entries; + char ifname[IFNAMSIZ]; + struct pfi_kkif *kif; +}; + +TAILQ_HEAD(pf_kpalist, pf_kpooladdr); + +struct pf_kpool { + struct pf_kpalist list; + struct pf_kpooladdr *cur; + struct pf_poolhashkey key; + struct pf_addr counter; + int tblidx; + u_int16_t proxy_port[2]; + u_int8_t opts; +}; + union pf_krule_ptr { struct pf_krule *ptr; u_int32_t nr; 
@@ -313,13 +332,13 @@ struct pf_krule { char overload_tblname[PF_TABLE_NAME_SIZE]; TAILQ_ENTRY(pf_krule) entries; - struct pf_pool rpool; + struct pf_kpool rpool; counter_u64_t evaluations; counter_u64_t packets[2]; counter_u64_t bytes[2]; - struct pfi_kif *kif; + struct pfi_kkif *kif; struct pf_kanchor *anchor; struct pfr_ktable *overload_tbl; @@ -398,7 +417,7 @@ struct pf_ksrc_node { struct pf_addr addr; struct pf_addr raddr; union pf_krule_ptr rule; - struct pfi_kif *kif; + struct pfi_kkif *kif; counter_u64_t bytes[2]; counter_u64_t packets[2]; u_int32_t states; @@ -500,8 +519,8 @@ struct pf_state { union pf_krule_ptr nat_rule; struct pf_addr rt_addr; struct pf_state_key *key[2]; /* addresses stack and wire */ - struct pfi_kif *kif; - struct pfi_kif *rt_kif; + struct pfi_kkif *kif; + struct pfi_kkif *rt_kif; struct pf_ksrc_node *src_node; struct pf_ksrc_node *nat_src_node; counter_u64_t packets[2]; @@ -606,7 +625,7 @@ void pfsync_state_export(struct pfsync_state *, /* pflog */ struct pf_kruleset; struct pf_pdesc; -typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t, +typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t, u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *, struct pf_pdesc *, int); extern pflog_packet_t *pflog_packet_ptr; @@ -851,16 +870,12 @@ struct pfr_ktable { #define pfrkt_tzero pfrkt_kts.pfrkts_tzero #endif -/* keep synced with pfi_kif, used in RB_FIND */ -struct pfi_kif_cmp { - char pfik_name[IFNAMSIZ]; -}; - -struct pfi_kif { +#ifdef _KERNEL +struct pfi_kkif { char pfik_name[IFNAMSIZ]; union { - RB_ENTRY(pfi_kif) _pfik_tree; - LIST_ENTRY(pfi_kif) _pfik_list; + RB_ENTRY(pfi_kkif) _pfik_tree; + LIST_ENTRY(pfi_kkif) _pfik_list; } _pfik_glue; #define pfik_tree _pfik_glue._pfik_tree #define pfik_list _pfik_glue._pfik_list 
@@ -873,6 +888,7 @@ struct pfi_kif { u_int pfik_rulerefs; TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; }; +#endif #define PFI_IFLAG_REFS 0x0001 /* has state references */ #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ @@ -1379,7 +1395,7 @@ VNET_DECLARE(uint64_t, pf_stateid[MAXCPU]); TAILQ_HEAD(pf_altqqueue, pf_altq); VNET_DECLARE(struct pf_altqqueue, pf_altqs[4]); #define V_pf_altqs VNET(pf_altqs) -VNET_DECLARE(struct pf_palist, pf_pabuf); +VNET_DECLARE(struct pf_kpalist, pf_pabuf); #define V_pf_pabuf VNET(pf_pabuf) VNET_DECLARE(u_int32_t, ticket_altqs_active); @@ -1428,7 +1444,7 @@ extern void pf_purge_expired_src_nodes(void); extern int pf_unlink_state(struct pf_state *, u_int); #define PF_ENTER_LOCKED 0x00000001 #define PF_RETURN_LOCKED 0x00000002 -extern int pf_state_insert(struct pfi_kif *, +extern int pf_state_insert(struct pfi_kkif *, struct pf_state_key *, struct pf_state_key *, struct pf_state *); @@ -1476,13 +1492,13 @@ void pf_free_rule(struct pf_krule *); #ifdef INET int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *); -int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *, +int pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *, struct pf_pdesc *); #endif /* INET */ #ifdef INET6 int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *); -int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *, +int pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *, struct pf_pdesc *); void pf_poolmask(struct pf_addr *, struct pf_addr*, struct pf_addr *, struct pf_addr *, u_int8_t); 
@@ -1510,7 +1526,7 @@ int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); void pf_normalize_init(void); void pf_normalize_cleanup(void); -int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *, +int pf_normalize_tcp(int, struct pfi_kkif *, struct mbuf *, int, int, void *, struct pf_pdesc *); void pf_normalize_tcp_cleanup(struct pf_state *); int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, @@ -1522,7 +1538,7 @@ u_int32_t pf_state_expires(const struct pf_state *); void pf_purge_expired_fragments(void); void pf_purge_fragments(uint32_t); -int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *, +int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *, int); int pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *); struct pf_state_key *pf_alloc_state_key(int); @@ -1565,19 +1581,19 @@ int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, int *, u_int32_t, int); MALLOC_DECLARE(PFI_MTYPE); -VNET_DECLARE(struct pfi_kif *, pfi_all); +VNET_DECLARE(struct pfi_kkif *, pfi_all); #define V_pfi_all VNET(pfi_all) void pfi_initialize(void); void pfi_initialize_vnet(void); void pfi_cleanup(void); void pfi_cleanup_vnet(void); -void pfi_kif_ref(struct pfi_kif *); -void pfi_kif_unref(struct pfi_kif *); -struct pfi_kif *pfi_kif_find(const char *); -struct pfi_kif *pfi_kif_attach(struct pfi_kif *, const char *); -int pfi_kif_match(struct pfi_kif *, struct pfi_kif *); -void pfi_kif_purge(void); +void pfi_kkif_ref(struct pfi_kkif *); +void pfi_kkif_unref(struct pfi_kkif *); +struct pfi_kkif *pfi_kkif_find(const char *); +struct pfi_kkif *pfi_kkif_attach(struct pfi_kkif *, const char *); +int pfi_kkif_match(struct pfi_kkif *, struct pfi_kkif *); +void pfi_kkif_purge(void); int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, sa_family_t); int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); 
@@ -1651,7 +1667,7 @@ int pf_map_addr(u_int8_t, struct pf_krule *, struct pf_addr *, struct pf_addr *, struct pf_addr *, struct pf_ksrc_node **); struct pf_krule *pf_get_translation(struct pf_pdesc *, struct mbuf *, - int, int, struct pfi_kif *, struct pf_ksrc_node **, + int, int, struct pfi_kkif *, struct pf_ksrc_node **, struct pf_state_key **, struct pf_state_key **, struct pf_addr *, struct pf_addr *, uint16_t, uint16_t, struct pf_kanchor_stackframe *); diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c index 030f75c2507e..9eb168b9a74f 100644 --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c @@ -201,7 +201,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } static int -pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, +pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am, struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe) { diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index 83ca4b969636..1cdb365c98df 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -464,7 +464,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) struct pf_state *st = NULL; struct pf_state_key *skw = NULL, *sks = NULL; struct pf_krule *r = NULL; - struct pfi_kif *kif; + struct pfi_kkif *kif; int error; PF_RULES_RASSERT(); @@ -476,7 +476,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) return (EINVAL); } - if ((kif = pfi_kif_find(sp->ifname)) == NULL) { + if ((kif = pfi_kkif_find(sp->ifname)) == NULL) { if (V_pf_status.debug >= PF_DEBUG_MISC) printf("%s: unknown interface: %s\n", __func__, sp->ifname); 
@@ -764,7 +764,7 @@ pfsync_in_clr(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) creatorid = clr[i].creatorid; if (clr[i].ifname[0] != '\0' && - pfi_kif_find(clr[i].ifname) == NULL) + pfi_kkif_find(clr[i].ifname) == NULL) continue; for (int i = 0; i <= pf_hashmask; i++) { diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 8ace1c5fe281..6f4ccb99ad1f 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -118,7 +118,7 @@ __FBSDID("$FreeBSD$"); /* state tables */ VNET_DEFINE(struct pf_altqqueue, pf_altqs[4]); -VNET_DEFINE(struct pf_palist, pf_pabuf); +VNET_DEFINE(struct pf_kpalist, pf_pabuf); VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active); VNET_DEFINE(struct pf_altqqueue *, pf_altq_ifs_active); VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive); 
@@ -244,38 +244,38 @@ static void pf_state_key_detach(struct pf_state *, int); static int pf_state_key_ctor(void *, int, void *, int); static u_int32_t pf_tcp_iss(struct pf_pdesc *); static int pf_test_rule(struct pf_krule **, struct pf_state **, - int, struct pfi_kif *, struct mbuf *, int, + int, struct pfi_kkif *, struct mbuf *, int, struct pf_pdesc *, struct pf_krule **, struct pf_kruleset **, struct inpcb *); static int pf_create_state(struct pf_krule *, struct pf_krule *, struct pf_krule *, struct pf_pdesc *, struct pf_ksrc_node *, struct pf_state_key *, struct pf_state_key *, struct mbuf *, int, - u_int16_t, u_int16_t, int *, struct pfi_kif *, + u_int16_t, u_int16_t, int *, struct pfi_kkif *, struct pf_state **, int, u_int16_t, u_int16_t, int); static int pf_test_fragment(struct pf_krule **, int, - struct pfi_kif *, struct mbuf *, void *, + struct pfi_kkif *, struct mbuf *, void *, struct pf_pdesc *, struct pf_krule **, struct pf_kruleset **); static int pf_tcp_track_full(struct pf_state_peer *, struct pf_state_peer *, struct pf_state **, - struct pfi_kif *, struct mbuf *, int, + struct pfi_kkif *, struct mbuf *, int, struct pf_pdesc *, u_short *, int *); static int pf_tcp_track_sloppy(struct pf_state_peer *, struct pf_state_peer *, struct pf_state **, struct pf_pdesc *, u_short *); static int pf_test_state_tcp(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, int, + struct pfi_kkif *, struct mbuf *, int, void *, struct pf_pdesc *, u_short *); static int pf_test_state_udp(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, int, + struct pfi_kkif *, struct mbuf *, int, void *, struct pf_pdesc *); static int pf_test_state_icmp(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, int, + struct pfi_kkif *, struct mbuf *, int, void *, struct pf_pdesc *, u_short *); static int pf_test_state_other(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, struct pf_pdesc *); + struct pfi_kkif *, struct mbuf *, struct pf_pdesc *); static 
u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); static u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, @@ -290,7 +290,7 @@ static int pf_addr_wrap_neq(struct pf_addr_wrap *, struct pf_addr_wrap *); static void pf_patch_8(struct mbuf *, u_int16_t *, u_int8_t *, u_int8_t, bool, u_int8_t); -static struct pf_state *pf_find_state(struct pfi_kif *, +static struct pf_state *pf_find_state(struct pfi_kkif *, struct pf_state_key_cmp *, u_int); static int pf_src_connlimit(struct pf_state **); static void pf_overload_task(void *v, int pending); @@ -1255,7 +1255,7 @@ pf_state_key_clone(struct pf_state_key *orig) } int -pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw, +pf_state_insert(struct pfi_kkif *kif, struct pf_state_key *skw, struct pf_state_key *sks, struct pf_state *s) { struct pf_idhash *ih; @@ -1341,7 +1341,7 @@ pf_find_state_byid(uint64_t id, uint32_t creatorid) * Returns with ID hash slot locked on success. */ static struct pf_state * -pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir) +pf_find_state(struct pfi_kkif *kif, struct pf_state_key_cmp *key, u_int dir) { struct pf_keyhash *kh; struct pf_state_key *sk; @@ -1538,7 +1538,7 @@ pf_purge_thread(void *unused __unused) pf_purge_expired_fragments(); pf_purge_expired_src_nodes(); pf_purge_unlinked_rules(); - pfi_kif_purge(); + pfi_kkif_purge(); } CURVNET_RESTORE(); } @@ -1561,7 +1561,7 @@ pf_unload_vnet_purge(void) * raise them, and then second run frees. */ pf_purge_unlinked_rules(); - pfi_kif_purge(); + pfi_kkif_purge(); /* * Now purge everything. @@ -1575,7 +1575,7 @@ pf_unload_vnet_purge(void) * thus should be successfully freed. */ pf_purge_unlinked_rules(); - pfi_kif_purge(); + pfi_kkif_purge(); } u_int32_t 
@@ -2602,7 +2602,7 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_krule *r, sa_family_t af, static void pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, struct pf_state_key *sk, int off, struct mbuf *m, struct tcphdr *th, - struct pfi_kif *kif, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen, + struct pfi_kkif *kif, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen, u_short *reason) { struct pf_addr * const saddr = pd->src; @@ -3325,7 +3325,7 @@ pf_tcp_iss(struct pf_pdesc *pd) static int pf_test_rule(struct pf_krule **rm, struct pf_state **sm, int direction, - struct pfi_kif *kif, struct mbuf *m, int off, struct pf_pdesc *pd, + struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd, struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp) { struct pf_krule *nr = NULL; @@ -3538,7 +3538,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_state **sm, int direction, while (r != NULL) { counter_u64_add(r->evaluations, 1); - if (pfi_kif_match(r->kif, kif) == r->ifnot) + if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) r = r->skip[PF_SKIP_DIR].ptr; @@ -3701,7 +3701,7 @@ static int pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk, struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport, - u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm, + u_int16_t dport, int *rewrite, struct pfi_kkif *kif, struct pf_state **sm, int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen) { struct pf_state *s = NULL; @@ -3960,7 +3960,7 @@ csfailed: } static int -pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif, +pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif, struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_krule **am, struct pf_kruleset **rsm) { 
@@ -3978,7 +3978,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { counter_u64_add(r->evaluations, 1); - if (pfi_kif_match(r->kif, kif) == r->ifnot) + if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) r = r->skip[PF_SKIP_DIR].ptr; @@ -4056,7 +4056,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif, static int pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst, - struct pf_state **state, struct pfi_kif *kif, struct mbuf *m, int off, + struct pf_state **state, struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd, u_short *reason, int *copyback) { struct tcphdr *th = pd->hdr.tcp; @@ -4453,7 +4453,7 @@ pf_tcp_track_sloppy(struct pf_state_peer *src, struct pf_state_peer *dst, } static int -pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, +pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kkif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason) { @@ -4621,7 +4621,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, } static int -pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif, +pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kkif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd) { struct pf_state_peer *src, *dst; @@ -4688,7 +4688,7 @@ pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif, } static int -pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, +pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kkif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason) { struct pf_addr *saddr = pd->src, *daddr = pd->dst; 
@@ -5292,7 +5292,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, } static int -pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, +pf_test_state_other(struct pf_state **state, int direction, struct pfi_kkif *kif, struct mbuf *m, struct pf_pdesc *pd) { struct pf_state_peer *src, *dst; @@ -5424,7 +5424,7 @@ pf_pull_hdr(struct mbuf *m, int off, void *p, int len, } int -pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif, +pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif, int rtableid) { struct ifnet *ifp; @@ -5888,7 +5888,7 @@ pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t a int pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) { - struct pfi_kif *kif; + struct pfi_kkif *kif; u_short action, reason = 0, log = 0; struct mbuf *m = *m0; struct ip *h = NULL; @@ -5908,7 +5908,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * memset(&pd, 0, sizeof(pd)); - kif = (struct pfi_kif *)ifp->if_pf_kif; + kif = (struct pfi_kkif *)ifp->if_pf_kif; if (kif == NULL) { DPFPRINTF(PF_DEBUG_URGENT, @@ -6280,7 +6280,7 @@ done: int pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) { - struct pfi_kif *kif; + struct pfi_kkif *kif; u_short action, reason = 0, log = 0; struct mbuf *m = *m0, *n = NULL; struct m_tag *mtag; @@ -6303,7 +6303,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb if (pd.pf_mtag && pd.pf_mtag->flags & PF_TAG_GENERATED) return (PF_PASS); - kif = (struct pfi_kif *)ifp->if_pf_kif; + kif = (struct pfi_kkif *)ifp->if_pf_kif; if (kif == NULL) { DPFPRINTF(PF_DEBUG_URGENT, ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname)); diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h index 4e73d815aece..511c60f5abd1 100644 --- a/sys/netpfil/pf/pf.h +++ b/sys/netpfil/pf/pf.h 
@@ -189,6 +189,29 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, struct pf_rule; +/* keep synced with pfi_kif, used in RB_FIND */ +struct pfi_kif_cmp { + char pfik_name[IFNAMSIZ]; +}; + +struct pfi_kif { + char pfik_name[IFNAMSIZ]; + union { + RB_ENTRY(pfi_kif) _pfik_tree; + LIST_ENTRY(pfi_kif) _pfik_list; + } _pfik_glue; +#define pfik_tree _pfik_glue._pfik_tree +#define pfik_list _pfik_glue._pfik_list + u_int64_t pfik_packets[2][2][2]; + u_int64_t pfik_bytes[2][2][2]; + u_int32_t pfik_tzero; + u_int pfik_flags; + struct ifnet *pfik_ifp; + struct ifg_group *pfik_group; + u_int pfik_rulerefs; + TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; +}; + struct pf_status { uint64_t counters[PFRES_MAX]; uint64_t lcounters[LCNT_MAX]; diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c index f8862a9416b5..aa10f0cc9a54 100644 --- a/sys/netpfil/pf/pf_if.c +++ b/sys/netpfil/pf/pf_if.c @@ -54,7 +54,7 @@ __FBSDID("$FreeBSD$"); #include <net/pfvar.h> #include <net/route.h> -VNET_DEFINE(struct pfi_kif *, pfi_all); +VNET_DEFINE(struct pfi_kkif *, pfi_all); VNET_DEFINE_STATIC(long, pfi_update); #define V_pfi_update VNET(pfi_update) #define PFI_BUFFER_MAX 0x10000 
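Review bot: The comment that moves into pf.h with `struct pfi_kif_cmp` still reads `keep synced with pfi_kif, used in RB_FIND`, but on the new side the lookups in pf_if.c (`pfi_kkif_find()` and `pfi_update_status()`) cast the key to `struct pfi_kkif *` and the tree is generated over `pfi_kkif`. The layout dependency is therefore on `pfi_kkif`: `pfik_name` has to remain its first member with the same size, and `pfi_kkif_compare()` must read nothing but that field, otherwise the cast reads past the end of the stack key. I would change the comment to `/* keep synced with pfi_kkif (pfik_name must stay first), used in RB_FIND */` and consider a compile-time assertion on the offset and size of `pfik_name` next to the `pfi_kkif` definition in pfvar.h.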
@@ -76,17 +76,17 @@ eventhandler_tag pfi_change_group_cookie; eventhandler_tag pfi_detach_group_cookie; eventhandler_tag pfi_ifaddr_event_cookie; -static void pfi_attach_ifnet(struct ifnet *, struct pfi_kif *); -static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kif *); +static void pfi_attach_ifnet(struct ifnet *, struct pfi_kkif *); +static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kkif *); -static void pfi_kif_update(struct pfi_kif *); +static void pfi_kkif_update(struct pfi_kkif *); static void pfi_dynaddr_update(struct pfi_dynaddr *dyn); -static void pfi_table_update(struct pfr_ktable *, struct pfi_kif *, int, +static void pfi_table_update(struct pfr_ktable *, struct pfi_kkif *, int, int); static void pfi_instance_add(struct ifnet *, int, int); static void pfi_address_add(struct sockaddr *, int, int); -static int pfi_if_compare(struct pfi_kif *, struct pfi_kif *); -static int pfi_skip_if(const char *, struct pfi_kif *); +static int pfi_kkif_compare(struct pfi_kkif *, struct pfi_kkif *); +static int pfi_skip_if(const char *, struct pfi_kkif *); static int pfi_unmask(void *); static void pfi_attach_ifnet_event(void * __unused, struct ifnet *); static void pfi_detach_ifnet_event(void * __unused, struct ifnet *); 
@@ -95,16 +95,16 @@ static void pfi_change_group_event(void * __unused, char *); static void pfi_detach_group_event(void * __unused, struct ifg_group *); static void pfi_ifaddr_event(void * __unused, struct ifnet *); -RB_HEAD(pfi_ifhead, pfi_kif); -static RB_PROTOTYPE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); -static RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); +RB_HEAD(pfi_ifhead, pfi_kkif); +static RB_PROTOTYPE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); +static RB_GENERATE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); VNET_DEFINE_STATIC(struct pfi_ifhead, pfi_ifs); #define V_pfi_ifs VNET(pfi_ifs) #define PFI_BUFFER_MAX 0x10000 MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interface database"); -LIST_HEAD(pfi_list, pfi_kif); +LIST_HEAD(pfi_list, pfi_kkif); VNET_DEFINE_STATIC(struct pfi_list, pfi_unlinked_kifs); #define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs) static struct mtx pfi_unlnkdkifs_mtx; @@ -116,7 +116,7 @@ pfi_initialize_vnet(void) { struct pfi_list kifs = LIST_HEAD_INITIALIZER(); struct epoch_tracker et; - struct pfi_kif *kif; + struct pfi_kkif *kif; struct ifg_group *ifg; struct ifnet *ifp; int nkifs; @@ -141,7 +141,7 @@ pfi_initialize_vnet(void) PF_RULES_WLOCK(); kif = LIST_FIRST(&kifs); LIST_REMOVE(kif, pfik_list); - V_pfi_all = pfi_kif_attach(kif, IFG_ALL); + V_pfi_all = pfi_kkif_attach(kif, IFG_ALL); CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) { kif = LIST_FIRST(&kifs); LIST_REMOVE(kif, pfik_list); @@ -180,7 +180,7 @@ pfi_initialize(void) void pfi_cleanup_vnet(void) { - struct pfi_kif *kif; + struct pfi_kkif *kif; PF_RULES_WASSERT(); @@ -218,8 +218,8 @@ pfi_cleanup(void) EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie); } -struct pfi_kif * -pfi_kif_find(const char *kif_name) +struct pfi_kkif * +pfi_kkif_find(const char *kif_name) { struct pfi_kif_cmp s; 
@@ -228,18 +228,18 @@ pfi_kif_find(const char *kif_name) bzero(&s, sizeof(s)); strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name)); - return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&s)); + return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&s)); } -struct pfi_kif * -pfi_kif_attach(struct pfi_kif *kif, const char *kif_name) +struct pfi_kkif * +pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name) { - struct pfi_kif *kif1; + struct pfi_kkif *kif1; PF_RULES_WASSERT(); KASSERT(kif != NULL, ("%s: null kif", __func__)); - kif1 = pfi_kif_find(kif_name); + kif1 = pfi_kkif_find(kif_name); if (kif1 != NULL) { free(kif, PFI_MTYPE); return (kif1); @@ -263,7 +263,7 @@ pfi_kif_attach(struct pfi_kif *kif, const char *kif_name) } void -pfi_kif_ref(struct pfi_kif *kif) +pfi_kkif_ref(struct pfi_kkif *kif) { PF_RULES_WASSERT(); @@ -271,7 +271,7 @@ pfi_kif_ref(struct pfi_kif *kif) } void -pfi_kif_unref(struct pfi_kif *kif) +pfi_kkif_unref(struct pfi_kkif *kif) { PF_RULES_WASSERT(); @@ -298,9 +298,9 @@ pfi_kif_unref(struct pfi_kif *kif) } void -pfi_kif_purge(void) +pfi_kkif_purge(void) { - struct pfi_kif *kif, *kif1; + struct pfi_kkif *kif, *kif1; /* * Do naive mark-and-sweep garbage collecting of old kifs. @@ -318,7 +318,7 @@ pfi_kif_purge(void) } int -pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif) +pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif) { struct ifg_list *p; 
@@ -337,27 +337,27 @@ pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif) } static void -pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kif *kif) +pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kkif *kif) { PF_RULES_WASSERT(); V_pfi_update++; - kif = pfi_kif_attach(kif, ifp->if_xname); + kif = pfi_kkif_attach(kif, ifp->if_xname); if_ref(ifp); kif->pfik_ifp = ifp; ifp->if_pf_kif = kif; - pfi_kif_update(kif); + pfi_kkif_update(kif); } static void -pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kif *kif) +pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kkif *kif) { PF_RULES_WASSERT(); V_pfi_update++; - kif = pfi_kif_attach(kif, ifg->ifg_group); + kif = pfi_kkif_attach(kif, ifg->ifg_group); kif->pfik_group = ifg; ifg->ifg_pf_kif = kif; } @@ -404,7 +404,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) struct pfi_dynaddr *dyn; char tblname[PF_TABLE_NAME_SIZE]; struct pf_kruleset *ruleset = NULL; - struct pfi_kif *kif; + struct pfi_kkif *kif; int rv = 0; PF_RULES_WASSERT(); @@ -421,10 +421,10 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) } if (!strcmp(aw->v.ifname, "self")) - dyn->pfid_kif = pfi_kif_attach(kif, IFG_ALL); + dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL); else - dyn->pfid_kif = pfi_kif_attach(kif, aw->v.ifname); - pfi_kif_ref(dyn->pfid_kif); + dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname); + pfi_kkif_ref(dyn->pfid_kif); dyn->pfid_net = pfi_unmask(&aw->v.a.mask); if (af == AF_INET && dyn->pfid_net == 32) @@ -458,7 +458,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); aw->p.dyn = dyn; NET_EPOCH_ENTER(et); - pfi_kif_update(dyn->pfid_kif); + pfi_kkif_update(dyn->pfid_kif); NET_EPOCH_EXIT(et); return (0); 
@@ -469,19 +469,19 @@ _bad: if (ruleset != NULL) pf_remove_if_empty_kruleset(ruleset); if (dyn->pfid_kif != NULL) - pfi_kif_unref(dyn->pfid_kif); + pfi_kkif_unref(dyn->pfid_kif); free(dyn, PFI_MTYPE); return (rv); } static void -pfi_kif_update(struct pfi_kif *kif) +pfi_kkif_update(struct pfi_kkif *kif) { struct ifg_list *ifgl; struct ifg_member *ifgm; struct pfi_dynaddr *p; - struct pfi_kif *tmpkif; + struct pfi_kkif *tmpkif; NET_EPOCH_ASSERT(); PF_RULES_WASSERT(); @@ -494,7 +494,7 @@ pfi_kif_update(struct pfi_kif *kif) if (kif->pfik_group != NULL) { CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next) { - tmpkif = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif; + tmpkif = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; if (tmpkif == NULL) continue; @@ -505,7 +505,7 @@ pfi_kif_update(struct pfi_kif *kif) /* again for all groups kif is member of */ if (kif->pfik_ifp != NULL) { CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next) - pfi_kif_update((struct pfi_kif *) + pfi_kkif_update((struct pfi_kkif *) ifgl->ifgl_group->ifg_pf_kif); } } @@ -513,7 +513,7 @@ pfi_kif_update(struct pfi_kif *kif) static void pfi_dynaddr_update(struct pfi_dynaddr *dyn) { - struct pfi_kif *kif; + struct pfi_kkif *kif; struct pfr_ktable *kt; PF_RULES_WASSERT(); @@ -532,7 +532,7 @@ pfi_dynaddr_update(struct pfi_dynaddr *dyn) } static void -pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags) +pfi_table_update(struct pfr_ktable *kt, struct pfi_kkif *kif, int net, int flags) { int e, size2 = 0; struct ifg_member *ifgm; @@ -677,7 +677,7 @@ pfi_dynaddr_remove(struct pfi_dynaddr *dyn) KASSERT(dyn->pfid_kt != NULL, ("%s: null pfid_kt", __func__)); TAILQ_REMOVE(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); - pfi_kif_unref(dyn->pfid_kif); + pfi_kkif_unref(dyn->pfid_kif); pfr_detach_table(dyn->pfid_kt); free(dyn, PFI_MTYPE); } 
@@ -695,7 +695,7 @@ pfi_dynaddr_copyout(struct pf_addr_wrap *aw) } static int -pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q) +pfi_kkif_compare(struct pfi_kkif *p, struct pfi_kkif *q) { return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ)); } @@ -703,14 +703,14 @@ pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q) void pfi_update_status(const char *name, struct pf_status *pfs) { - struct pfi_kif *p; + struct pfi_kkif *p; struct pfi_kif_cmp key; struct ifg_member p_member, *ifgm; CK_STAILQ_HEAD(, ifg_member) ifg_members; int i, j, k; strlcpy(key.pfik_name, name, sizeof(key.pfik_name)); - p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&key); + p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&key); if (p == NULL) return; @@ -731,7 +731,7 @@ pfi_update_status(const char *name, struct pf_status *pfs) CK_STAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) { if (ifgm->ifgm_ifp == NULL || ifgm->ifgm_ifp->if_pf_kif == NULL) continue; - p = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif; + p = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; /* just clear statistics */ if (pfs == NULL) { @@ -751,11 +751,31 @@ pfi_update_status(const char *name, struct pf_status *pfs) } } +static void +pf_kkif_to_kif(const struct pfi_kkif *kkif, struct pfi_kif *kif) +{ + + bzero(kif, sizeof(*kif)); + strlcpy(kif->pfik_name, kkif->pfik_name, sizeof(kif->pfik_name)); + for (int i = 0; i < 2; i++) { + for (int j = 0; j < 2; j++) { + for (int k = 0; k < 2; k++) { + kif->pfik_packets[i][j][k] = + kkif->pfik_packets[i][j][k]; + kif->pfik_bytes[i][j][k] = + kkif->pfik_bytes[i][j][k]; + } + } + } + kif->pfik_tzero = kkif->pfik_tzero; + kif->pfik_rulerefs = kkif->pfik_rulerefs; +} + void pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size) { struct epoch_tracker et; - struct pfi_kif *p, *nextp; + struct pfi_kkif *p, *nextp; int n = 0; NET_EPOCH_ENTER(et); 
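Review bot: `pf_kkif_to_kif()` copies the name, the packet and byte counters, `pfik_tzero` and `pfik_rulerefs`, but not `pfik_flags`, so after the `bzero()` every entry handed back by `pfi_get_ifaces()` reports flags of 0. The exported `struct pfi_kif` in pf.h still declares `u_int pfik_flags`, and the `bcopy(p, buf++, sizeof(*buf))` this helper replaces did carry it, so a consumer that checks `PFI_IFLAG_SKIP` on these records can no longer tell which interfaces are skipped; that is a behaviour change despite the "No functional change" in the description. Add `kif->pfik_flags = kkif->pfik_flags;` beside the `pfik_tzero` assignment. Leaving the tree/list glue, `pfik_ifp`, `pfik_group` and `pfik_dynaddrs` zeroed is the right result, since those hold kernel addresses and the buffer is presumably copied out by the ioctl caller (not shown here); a short comment above the helper stating that only non-pointer fields are exported would keep a later edit from going back to a whole-struct copy.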
@@ -767,7 +787,7 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size) break; if (!p->pfik_tzero) p->pfik_tzero = time_second; - bcopy(p, buf++, sizeof(*buf)); + pf_kkif_to_kif(p, buf++); nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); } *size = n; @@ -775,7 +795,7 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size) } static int -pfi_skip_if(const char *filter, struct pfi_kif *p) +pfi_skip_if(const char *filter, struct pfi_kkif *p) { struct ifg_list *i; int n; @@ -803,7 +823,7 @@ int pfi_set_flags(const char *name, int flags) { struct epoch_tracker et; - struct pfi_kif *p, *kif; + struct pfi_kkif *p, *kif; kif = malloc(sizeof(*kif), PFI_MTYPE, M_NOWAIT); if (kif == NULL) @@ -811,7 +831,7 @@ pfi_set_flags(const char *name, int flags) NET_EPOCH_ENTER(et); - kif = pfi_kif_attach(kif, name); + kif = pfi_kkif_attach(kif, name); RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) { if (pfi_skip_if(name, p)) @@ -826,7 +846,7 @@ int pfi_clear_flags(const char *name, int flags) { struct epoch_tracker et; - struct pfi_kif *p, *tmp; + struct pfi_kkif *p, *tmp; NET_EPOCH_ENTER(et); RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) { @@ -869,7 +889,7 @@ static void pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp) { struct epoch_tracker et; - struct pfi_kif *kif; + struct pfi_kkif *kif; if (V_pf_vnet_active == 0) { /* Avoid teardown race in the least expensive way. */ @@ -890,7 +910,7 @@ static void pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) { struct epoch_tracker et; - struct pfi_kif *kif = (struct pfi_kif *)ifp->if_pf_kif; + struct pfi_kkif *kif = (struct pfi_kkif *)ifp->if_pf_kif; *** 496 LINES SKIPPED ***