Date: Mon, 7 Jul 2025 15:07:53 GMT
Message-Id: <202507071507.567F7rPh016547@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 058422752727 - main - pfctl: Simplify lookups when killing entries
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@FreeBSD.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0584227527271b18fb3164522c0362a5df2f3732
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0584227527271b18fb3164522c0362a5df2f3732

commit 0584227527271b18fb3164522c0362a5df2f3732
Author:     Kristof Provost
AuthorDate: 2025-07-02 09:41:58 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-07 15:06:49 +0000

    pfctl: Simplify lookups when killing entries

    Killing source tracking or state entries by hostname or CIDR would pass
    given keys twice to getaddrinfo(3): once to resolve/parse and again to
    parse the numerical address in case a prefix was specified.

    Avoid this overhead by making pfctl_addrprefix() resolve, pass and mask
    in one go and return the list of IPs to the callers.

    This notably simplifies both logic and sanity checks around prefix
    length and address family.

    While here, also pass -N along such that -k and -K can be restricted to
    not use DNS.

    Discussed with procter sashan, OK sashan

    Obtained from:  OpenBSD, kn, 4a32e6d5fb
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.c | 86 +++++++++++++++++++++---------------------------------
 1 file changed, 34 insertions(+), 52 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index f133a106c69c..10183084ceec 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -77,7 +77,8 @@ void pfctl_flush_nat(int, int, char *); int pfctl_clear_altq(int, int); void pfctl_clear_src_nodes(int, int); void pfctl_clear_iface_states(int, const char *, int); -void pfctl_addrprefix(char *, struct pf_addr *); +struct addrinfo * + pfctl_addrprefix(char *, struct pf_addr *, int); void pfctl_kill_src_nodes(int, int); void pfctl_net_kill_states(int, const char *, int); void pfctl_gateway_kill_states(int, const char *, int); @@ -539,35 +540,36 @@ pfctl_clear_iface_states(int dev, const char *iface, int opts) fprintf(stderr, "%d states cleared\n", killed); } -void -pfctl_addrprefix(char *addr, struct pf_addr *mask) +struct addrinfo * +pfctl_addrprefix(char *addr, struct pf_addr *mask, int numeric) { char *p; const char *errstr; int prefix, ret_ga, q, r; struct addrinfo hints, *res; - if ((p = strchr(addr, '/')) == NULL) - return; - - *p++ = '\0'; - prefix = strtonum(p, 0, 128, &errstr); - if (errstr) - errx(1, "prefix is %s: %s", errstr, p); - bzero(&hints, sizeof(hints)); - /* prefix only with numeric addresses */ - hints.ai_flags |= AI_NUMERICHOST; + hints.ai_socktype = SOCK_DGRAM; /* dummy */ + if (numeric) + hints.ai_flags = AI_NUMERICHOST; + + if ((p = strchr(addr, '/')) != NULL) { + *p++ = '\0'; + /* prefix only with numeric addresses */ + hints.ai_flags |= AI_NUMERICHOST; + } if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) { errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); /* NOTREACHED */ } - if (res->ai_family == AF_INET && prefix > 32) - errx(1, "prefix too long for AF_INET"); - else if (res->ai_family == AF_INET6 && prefix > 128) - errx(1, "prefix too long for AF_INET6"); + if (p == NULL) + return (res); + + prefix = strtonum(p, 0, res->ai_family == AF_INET6 ? 128 : 32, &errstr); + if (errstr) + errx(1, "prefix is %s: %s", errstr, p); q = prefix >> 3; r = prefix & 7; @@ -586,7 +588,8 @@ pfctl_addrprefix(char *addr, struct pf_addr *mask) (0xff00 >> r) & 0xff; break; } - freeaddrinfo(res); + + return (res); } void 
@@ -596,7 +599,6 @@ pfctl_kill_src_nodes(int dev, int opts) struct addrinfo *res[2], *resp[2]; struct sockaddr last_src, last_dst; int killed, sources, dests; - int ret_ga; killed = sources = dests = 0; @@ -606,12 +608,9 @@ pfctl_kill_src_nodes(int dev, int opts) memset(&last_src, 0xff, sizeof(last_src)); memset(&last_dst, 0xff, sizeof(last_dst)); - pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask); + res[0] = pfctl_addrprefix(src_node_kill[0], + &psnk.psnk_src.addr.v.a.mask, (opts & PF_OPT_NODNS)); - if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) { - errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); - /* NOTREACHED */ - } for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) { if (resp[0]->ai_addr == NULL) continue; @@ -638,14 +637,9 @@ pfctl_kill_src_nodes(int dev, int opts) memset(&psnk.psnk_dst.addr.v.a.mask, 0xff, sizeof(psnk.psnk_dst.addr.v.a.mask)); memset(&last_dst, 0xff, sizeof(last_dst)); - pfctl_addrprefix(src_node_kill[1], - &psnk.psnk_dst.addr.v.a.mask); - if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL, - &res[1]))) { - errx(1, "getaddrinfo: %s", - gai_strerror(ret_ga)); - /* NOTREACHED */ - } + res[1] = pfctl_addrprefix(src_node_kill[1], + &psnk.psnk_dst.addr.v.a.mask, + (opts & PF_OPT_NODNS)); for (resp[1] = res[1]; resp[1]; resp[1] = resp[1]->ai_next) { if (resp[1]->ai_addr == NULL) @@ -699,7 +693,7 @@ pfctl_net_kill_states(int dev, const char *iface, int opts) struct sockaddr last_src, last_dst; unsigned int newkilled; int killed, sources, dests; - int ret_ga, ret; + int ret; killed = sources = dests = 0; 
@@ -718,15 +712,12 @@ pfctl_net_kill_states(int dev, const char *iface, int opts) state_killers = 1; } - pfctl_addrprefix(state_kill[0], &kill.src.addr.v.a.mask); + res[0] = pfctl_addrprefix(state_kill[0], + &kill.src.addr.v.a.mask, (opts & PF_OPT_NODNS)); if (opts & PF_OPT_KILLMATCH) kill.kill_match = true; - if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) { - errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); - /* NOTREACHED */ - } for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) { if (resp[0]->ai_addr == NULL) continue; @@ -753,14 +744,9 @@ pfctl_net_kill_states(int dev, const char *iface, int opts) memset(&kill.dst.addr.v.a.mask, 0xff, sizeof(kill.dst.addr.v.a.mask)); memset(&last_dst, 0xff, sizeof(last_dst)); - pfctl_addrprefix(state_kill[1], - &kill.dst.addr.v.a.mask); - if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL, - &res[1]))) { - errx(1, "getaddrinfo: %s", - gai_strerror(ret_ga)); - /* NOTREACHED */ - } + res[1] = pfctl_addrprefix(state_kill[1], + &kill.dst.addr.v.a.mask, + (opts & PF_OPT_NODNS)); for (resp[1] = res[1]; resp[1]; resp[1] = resp[1]->ai_next) { if (resp[1]->ai_addr == NULL) @@ -814,7 +800,6 @@ pfctl_gateway_kill_states(int dev, const char *iface, int opts) struct sockaddr last_src; unsigned int newkilled; int killed = 0; - int ret_ga; if (state_killers != 2 || (strlen(state_kill[1]) == 0)) { warnx("no gateway specified"); @@ -832,12 +817,9 @@ pfctl_gateway_kill_states(int dev, const char *iface, int opts) if (opts & PF_OPT_KILLMATCH) kill.kill_match = true; - pfctl_addrprefix(state_kill[1], &kill.rt_addr.addr.v.a.mask); + res = pfctl_addrprefix(state_kill[1], &kill.rt_addr.addr.v.a.mask, + (opts & PF_OPT_NODNS)); - if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL, &res))) { - errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); - /* NOTREACHED */ - } for (resp = res; resp; resp = resp->ai_next) { if (resp->ai_addr == NULL) continue;
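Review bot: in the pfctl_addrprefix() hunk the trailing `freeaddrinfo(res);` is dropped and the list is returned instead, but none of the caller hunks adds a matching free, so ownership of `res[0]`, `res[1]` and `res` now rests on the freeaddrinfo() calls that already existed in pfctl_kill_src_nodes(), pfctl_net_kill_states() and pfctl_gateway_kill_states() (outside this diff); please confirm each of those paths still frees the list, including the early-return branches. The new `hints.ai_socktype = SOCK_DGRAM; /* dummy */` also deserves a comment that says why it is there: with ai_socktype left at zero getaddrinfo(3) hands back one entry per socket type for the same address, so without the dummy the kill loops would walk each address several times. Lastly, under -N a hostname argument now dies with the raw gai_strerror() text ("hostname nor servname provided, or not known"); since the operator explicitly asked for no resolution, an errx() that names the argument and -N would be clearer than the generic `errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));`.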
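Review bot: the prototype hunk adds the `int` numeric argument that carries PF_OPT_NODNS into -k and -K, but the diffstat touches only sbin/pfctl/pfctl.c, so the behaviour change the commit message describes ("pass -N along such that -k and -K can be restricted to not use DNS") ships without a pfctl.8 update; please add a sentence under -N (or under -k/-K) stating that hostnames given to -k and -K are no longer resolved when -N is set, otherwise operators who rely on -N to avoid DNS lookups have no documented way to know it now covers state and source-node killing.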