Lines Matching refs:rule
691 struct pf_rule *__single rule; in pf_get_pool() local
709 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, in pf_get_pool()
712 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); in pf_get_pool()
720 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, in pf_get_pool()
723 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr); in pf_get_pool()
727 while ((rule != NULL) && (rule->nr != rule_number)) { in pf_get_pool()
728 rule = TAILQ_NEXT(rule, entries); in pf_get_pool()
731 if (rule == NULL) { in pf_get_pool()
735 p = &rule->rpool; in pf_get_pool()
772 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule) in pf_rm_rule() argument
775 if (rule->states <= 0) { in pf_rm_rule()
781 pf_tbladdr_remove(&rule->src.addr); in pf_rm_rule()
782 pf_tbladdr_remove(&rule->dst.addr); in pf_rm_rule()
783 if (rule->overload_tbl) { in pf_rm_rule()
784 pfr_detach_table(rule->overload_tbl); in pf_rm_rule()
787 TAILQ_REMOVE(rulequeue, rule, entries); in pf_rm_rule()
788 rule->entries.tqe_prev = NULL; in pf_rm_rule()
789 rule->nr = -1; in pf_rm_rule()
792 if (rule->states > 0 || rule->src_nodes > 0 || in pf_rm_rule()
793 rule->entries.tqe_prev != NULL) { in pf_rm_rule()
796 pf_tag_unref(rule->tag); in pf_rm_rule()
797 pf_tag_unref(rule->match_tag); in pf_rm_rule()
798 pf_rtlabel_remove(&rule->src.addr); in pf_rm_rule()
799 pf_rtlabel_remove(&rule->dst.addr); in pf_rm_rule()
800 pfi_dynaddr_remove(&rule->src.addr); in pf_rm_rule()
801 pfi_dynaddr_remove(&rule->dst.addr); in pf_rm_rule()
803 pf_tbladdr_remove(&rule->src.addr); in pf_rm_rule()
804 pf_tbladdr_remove(&rule->dst.addr); in pf_rm_rule()
805 if (rule->overload_tbl) { in pf_rm_rule()
806 pfr_detach_table(rule->overload_tbl); in pf_rm_rule()
809 pfi_kif_unref(rule->kif, PFI_KIF_REF_RULE); in pf_rm_rule()
810 pf_anchor_remove(rule); in pf_rm_rule()
811 pf_empty_pool(&rule->rpool.list); in pf_rm_rule()
812 pool_put(&pf_rule_pl, rule); in pf_rm_rule()
966 struct pf_rule *rule; in pf_begin_rules() local
975 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { in pf_begin_rules()
976 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); in pf_begin_rules()
990 struct pf_rule *__single rule; in pf_rollback_rules() local
1002 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { in pf_rollback_rules()
1003 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); in pf_rollback_rules()
1070 pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule) in pf_hash_rule() argument
1075 pf_hash_rule_addr(ctx, &rule->src, rule->proto); in pf_hash_rule()
1076 pf_hash_rule_addr(ctx, &rule->dst, rule->proto); in pf_hash_rule()
1077 PF_MD5_UPD_STRBUF(rule, label); in pf_hash_rule()
1078 PF_MD5_UPD_STRBUF(rule, ifname); in pf_hash_rule()
1079 PF_MD5_UPD_STRBUF(rule, match_tagname); in pf_hash_rule()
1080 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */ in pf_hash_rule()
1081 PF_MD5_UPD_HTONL(rule, os_fingerprint, y); in pf_hash_rule()
1082 PF_MD5_UPD_HTONL(rule, prob, y); in pf_hash_rule()
1083 PF_MD5_UPD_HTONL(rule, uid.uid[0], y); in pf_hash_rule()
1084 PF_MD5_UPD_HTONL(rule, uid.uid[1], y); in pf_hash_rule()
1085 PF_MD5_UPD(rule, uid.op); in pf_hash_rule()
1086 PF_MD5_UPD_HTONL(rule, gid.gid[0], y); in pf_hash_rule()
1087 PF_MD5_UPD_HTONL(rule, gid.gid[1], y); in pf_hash_rule()
1088 PF_MD5_UPD(rule, gid.op); in pf_hash_rule()
1089 PF_MD5_UPD_HTONL(rule, rule_flag, y); in pf_hash_rule()
1090 PF_MD5_UPD(rule, action); in pf_hash_rule()
1091 PF_MD5_UPD(rule, direction); in pf_hash_rule()
1092 PF_MD5_UPD(rule, af); in pf_hash_rule()
1093 PF_MD5_UPD(rule, quick); in pf_hash_rule()
1094 PF_MD5_UPD(rule, ifnot); in pf_hash_rule()
1095 PF_MD5_UPD(rule, match_tag_not); in pf_hash_rule()
1096 PF_MD5_UPD(rule, natpass); in pf_hash_rule()
1097 PF_MD5_UPD(rule, keep_state); in pf_hash_rule()
1098 PF_MD5_UPD(rule, proto); in pf_hash_rule()
1099 PF_MD5_UPD(rule, type); in pf_hash_rule()
1100 PF_MD5_UPD(rule, code); in pf_hash_rule()
1101 PF_MD5_UPD(rule, flags); in pf_hash_rule()
1102 PF_MD5_UPD(rule, flagset); in pf_hash_rule()
1103 PF_MD5_UPD(rule, allow_opts); in pf_hash_rule()
1104 PF_MD5_UPD(rule, rt); in pf_hash_rule()
1105 PF_MD5_UPD(rule, tos); in pf_hash_rule()
1112 struct pf_rule *rule, **old_array, *r; in pf_commit_rules() local
1175 while ((rule = TAILQ_FIRST(old_rules)) != NULL) { in pf_commit_rules()
1176 pf_rm_rule(old_rules, rule); in pf_commit_rules()
1290 sp->rule = s->rule.ptr->nr; in pf_state_export()
1348 s->rule.ptr = &pf_default_rule; in pf_state_import()
1387 struct pf_rule *rule; in pf_setup_pfsync_matching() local
1411 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr, in pf_setup_pfsync_matching()
1413 pf_hash_rule(&ctx, rule); in pf_setup_pfsync_matching()
1414 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule; in pf_setup_pfsync_matching()
1823 struct pf_rule *rule; in pfioctl() local
1825 TAILQ_FOREACH(rule, in pfioctl()
1827 rule->evaluations = 0; in pfioctl()
1828 rule->packets[0] = rule->packets[1] = 0; in pfioctl()
1829 rule->bytes[0] = rule->bytes[1] = 0; in pfioctl()
2466 pf_expire_states_and_src_nodes(struct pf_rule *rule) in pf_expire_states_and_src_nodes() argument
2475 if (state->rule.ptr == rule) { in pf_expire_states_and_src_nodes()
2484 if (sn->rule.ptr != rule) { in pf_expire_states_and_src_nodes()
2509 struct pf_rule *rule) in pf_delete_rule_from_ruleset() argument
2514 pf_expire_states_and_src_nodes(rule); in pf_delete_rule_from_ruleset()
2516 pf_rm_rule(ruleset->rules[rs_num].active.ptr, rule); in pf_delete_rule_from_ruleset()
2545 struct pf_rule *rule = NULL; in pf_delete_rule_by_ticket() local
2552 __unsafe_null_terminated_from_indexable(pr->rule.owner), is_anchor, &error)) == NULL) { in pf_delete_rule_by_ticket()
2556 for (i = 0; i < PF_RULESET_MAX && rule == NULL; i++) { in pf_delete_rule_by_ticket()
2557 rule = TAILQ_FIRST(ruleset->rules[i].active.ptr); in pf_delete_rule_by_ticket()
2558 while (rule && (rule->ticket != pr->rule.ticket)) { in pf_delete_rule_by_ticket()
2559 rule = TAILQ_NEXT(rule, entries); in pf_delete_rule_by_ticket()
2562 if (rule == NULL) { in pf_delete_rule_by_ticket()
2569 if (strbufcmp(rule->owner, pr->rule.owner)) { in pf_delete_rule_by_ticket()
2575 if (rule->anchor && (ruleset != &pf_main_ruleset) && in pf_delete_rule_by_ticket()
2579 struct pf_rule *delete_rule = rule; in pf_delete_rule_by_ticket()
2589 rule = TAILQ_FIRST(ruleset->rules[i].active.ptr); in pf_delete_rule_by_ticket()
2590 while (rule && in pf_delete_rule_by_ticket()
2591 (rule->anchor != delete_ruleset->anchor)) { in pf_delete_rule_by_ticket()
2592 rule = TAILQ_NEXT(rule, entries); in pf_delete_rule_by_ticket()
2594 if (rule == NULL) { in pf_delete_rule_by_ticket()
2603 if ((rule->rule_flag & PFRULE_PFM) ^ req_dev) { in pf_delete_rule_by_ticket()
2604 if (rule->ticket != pr->rule.ticket) { in pf_delete_rule_by_ticket()
2626 if ((rule->rule_flag & PFRULE_PFM) ^ req_dev) { in pf_delete_rule_by_ticket()
2630 if (rule->rule_flag & PFRULE_PFM) { in pf_delete_rule_by_ticket()
2634 rule); in pf_delete_rule_by_ticket()
2654 struct pf_rule *__single rule, *__single next; in pf_delete_rule_by_owner() local
2658 rule = TAILQ_FIRST(pf_main_ruleset.rules[rs].active.ptr); in pf_delete_rule_by_owner()
2660 while (rule) { in pf_delete_rule_by_owner()
2661 next = TAILQ_NEXT(rule, entries); in pf_delete_rule_by_owner()
2666 if ((rule->rule_flag & PFRULE_PFM) ^ req_dev) { in pf_delete_rule_by_owner()
2667 rule = next; in pf_delete_rule_by_owner()
2668 } else if (rule->anchor) { in pf_delete_rule_by_owner()
2669 if (((strlcmp(rule->owner, owner, sizeof(rule->owner))) == 0) || in pf_delete_rule_by_owner()
2670 ((strbufcmp(rule->owner, "")) == 0)) { in pf_delete_rule_by_owner()
2671 if (rule->anchor->ruleset.rules[rs].active.rcount > 0) { in pf_delete_rule_by_owner()
2678 &rule->anchor->ruleset; in pf_delete_rule_by_owner()
2679 rule = TAILQ_FIRST(ruleset->rules[rs].active.ptr); in pf_delete_rule_by_owner()
2682 if (rule->rule_flag & in pf_delete_rule_by_owner()
2686 pf_delete_rule_from_ruleset(ruleset, rs, rule); in pf_delete_rule_by_owner()
2688 rule = next; in pf_delete_rule_by_owner()
2691 rule = next; in pf_delete_rule_by_owner()
2694 if (((strlcmp(rule->owner, owner, sizeof(rule->owner))) == 0)) { in pf_delete_rule_by_owner()
2696 if (rule->rule_flag & PFRULE_PFM) { in pf_delete_rule_by_owner()
2700 rs, rule); in pf_delete_rule_by_owner()
2703 rule = next; in pf_delete_rule_by_owner()
2705 if (rule == NULL) { in pf_delete_rule_by_owner()
2712 rs, &rule); in pf_delete_rule_by_owner()
2724 struct pf_rule *rule = *rule_ptr; in pf_deleterule_anchor_step_out() local
2731 rule = TAILQ_FIRST(ruleset->rules[rs].active.ptr); in pf_deleterule_anchor_step_out()
2732 while (rule && (rule->anchor != rs_copy->anchor)) { in pf_deleterule_anchor_step_out()
2733 rule = TAILQ_NEXT(rule, entries); in pf_deleterule_anchor_step_out()
2735 if (rule == NULL) { in pf_deleterule_anchor_step_out()
2738 if (rule->anchor->ruleset.rules[rs].active.rcount > 0) { in pf_deleterule_anchor_step_out()
2739 rule = TAILQ_NEXT(rule, entries); in pf_deleterule_anchor_step_out()
2743 *rule_ptr = rule; in pf_deleterule_anchor_step_out()
2754 pf_rule_setup(struct pfioc_rule *pr, struct pf_rule *rule, in pf_rule_setup() argument
2760 if (rule->ifname[0]) { in pf_rule_setup()
2761 rule->kif = pfi_kif_get(__unsafe_null_terminated_from_indexable(rule->ifname)); in pf_rule_setup()
2762 if (rule->kif == NULL) { in pf_rule_setup()
2763 pool_put(&pf_rule_pl, rule); in pf_rule_setup()
2766 pfi_kif_ref(rule->kif, PFI_KIF_REF_RULE); in pf_rule_setup()
2768 if (rule->tagname[0]) { in pf_rule_setup()
2769 if ((rule->tag = pf_tagname2tag(__unsafe_null_terminated_from_indexable(rule->tagname))) == 0) { in pf_rule_setup()
2773 if (rule->match_tagname[0]) { in pf_rule_setup()
2774 if ((rule->match_tag = in pf_rule_setup()
2775 pf_tagname2tag(__unsafe_null_terminated_from_indexable(rule->match_tagname))) == 0) { in pf_rule_setup()
2779 if (rule->rt && !rule->direction) { in pf_rule_setup()
2783 if (!rule->log) { in pf_rule_setup()
2784 rule->logif = 0; in pf_rule_setup()
2786 if (rule->logif >= PFLOGIFS_MAX) { in pf_rule_setup()
2790 pf_addrwrap_setup(&rule->src.addr); in pf_rule_setup()
2791 pf_addrwrap_setup(&rule->dst.addr); in pf_rule_setup()
2792 if (pf_rtlabel_add(&rule->src.addr) || in pf_rule_setup()
2793 pf_rtlabel_add(&rule->dst.addr)) { in pf_rule_setup()
2796 if (pfi_dynaddr_setup(&rule->src.addr, rule->af)) { in pf_rule_setup()
2799 if (pfi_dynaddr_setup(&rule->dst.addr, rule->af)) { in pf_rule_setup()
2802 if (pf_tbladdr_setup(ruleset, &rule->src.addr)) { in pf_rule_setup()
2805 if (pf_tbladdr_setup(ruleset, &rule->dst.addr)) { in pf_rule_setup()
2808 if (pf_anchor_setup(rule, ruleset, pr->anchor_call, sizeof(pr->anchor_call))) { in pf_rule_setup()
2816 if (rule->overload_tblname[0]) { in pf_rule_setup()
2817 if ((rule->overload_tbl = pfr_attach_table(ruleset, in pf_rule_setup()
2818 __unsafe_null_terminated_from_indexable(rule->overload_tblname))) == NULL) { in pf_rule_setup()
2821 rule->overload_tbl->pfrkt_flags |= in pf_rule_setup()
2826 pf_mv_pool(&pf_pabuf, &rule->rpool.list); in pf_rule_setup()
2828 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) || in pf_rule_setup()
2829 (rule->action == PF_BINAT) || (rule->action == PF_NAT64)) && in pf_rule_setup()
2830 rule->anchor == NULL) || in pf_rule_setup()
2831 (rule->rt > PF_FASTROUTE)) && in pf_rule_setup()
2832 (TAILQ_FIRST(&rule->rpool.list) == NULL)) { in pf_rule_setup()
2837 pf_rm_rule(NULL, rule); in pf_rule_setup()
2843 rule->rpool.af = (rule->action == PF_NAT64) ? AF_INET: rule->af; in pf_rule_setup()
2844 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); in pf_rule_setup()
2845 rule->evaluations = rule->packets[0] = rule->packets[1] = in pf_rule_setup()
2846 rule->bytes[0] = rule->bytes[1] = 0; in pf_rule_setup()
2860 struct pf_rule *__single rule, *__single tail; in pfioctl_ioc_rule() local
2870 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
2875 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
2887 rule = pool_get(&pf_rule_pl, PR_WAITOK); in pfioctl_ioc_rule()
2888 if (rule == NULL) { in pfioctl_ioc_rule()
2892 pf_rule_copyin(&pr->rule, rule, p, minordev); in pfioctl_ioc_rule()
2894 if (rule->af == AF_INET) { in pfioctl_ioc_rule()
2895 pool_put(&pf_rule_pl, rule); in pfioctl_ioc_rule()
2903 rule->nr = tail->nr + 1; in pfioctl_ioc_rule()
2905 rule->nr = 0; in pfioctl_ioc_rule()
2908 if ((error = pf_rule_setup(pr, rule, ruleset))) { in pfioctl_ioc_rule()
2912 rule, entries); in pfioctl_ioc_rule()
2914 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
2918 if (rule->action == PF_NAT64) { in pfioctl_ioc_rule()
2924 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
2930 if (rule->action == PF_DUMMYNET) { in pfioctl_ioc_rule()
2937 if (rule->direction == PF_IN) { in pfioctl_ioc_rule()
2939 } else if (rule->direction == PF_OUT) { in pfioctl_ioc_rule()
2944 dn_event.dn_event_rule_config.af = rule->af; in pfioctl_ioc_rule()
2945 dn_event.dn_event_rule_config.proto = rule->proto; in pfioctl_ioc_rule()
2946 dn_event.dn_event_rule_config.src_port = rule->src.xport.range.port[0]; in pfioctl_ioc_rule()
2947 dn_event.dn_event_rule_config.dst_port = rule->dst.xport.range.port[0]; in pfioctl_ioc_rule()
2948 strbufcpy(dn_event.dn_event_rule_config.ifname, rule->ifname); in pfioctl_ioc_rule()
2967 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
2984 struct pf_rule *__single rule; in pfioctl_ioc_rule() local
2994 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
3003 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); in pfioctl_ioc_rule()
3004 while ((rule != NULL) && (rule->nr != pr->nr)) { in pfioctl_ioc_rule()
3005 rule = TAILQ_NEXT(rule, entries); in pfioctl_ioc_rule()
3007 if (rule == NULL) { in pfioctl_ioc_rule()
3011 pf_rule_copyout(rule, &pr->rule); in pfioctl_ioc_rule()
3012 if (pf_anchor_copyout(ruleset, rule, pr)) { in pfioctl_ioc_rule()
3016 pfi_dynaddr_copyout(&pr->rule.src.addr); in pfioctl_ioc_rule()
3017 pfi_dynaddr_copyout(&pr->rule.dst.addr); in pfioctl_ioc_rule()
3018 pf_tbladdr_copyout(&pr->rule.src.addr); in pfioctl_ioc_rule()
3019 pf_tbladdr_copyout(&pr->rule.dst.addr); in pfioctl_ioc_rule()
3020 pf_rtlabel_copyout(&pr->rule.src.addr); in pfioctl_ioc_rule()
3021 pf_rtlabel_copyout(&pr->rule.dst.addr); in pfioctl_ioc_rule()
3023 if (rule->skip[i].ptr == NULL) { in pfioctl_ioc_rule()
3024 pr->rule.skip[i].nr = -1; in pfioctl_ioc_rule()
3026 pr->rule.skip[i].nr = in pfioctl_ioc_rule()
3027 rule->skip[i].ptr->nr; in pfioctl_ioc_rule()
3032 rule->evaluations = 0; in pfioctl_ioc_rule()
3033 rule->packets[0] = rule->packets[1] = 0; in pfioctl_ioc_rule()
3034 rule->bytes[0] = rule->bytes[1] = 0; in pfioctl_ioc_rule()
3065 rs_num = pf_get_ruleset_number(pcr->rule.action); in pfioctl_ioc_rule()
3080 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
3092 pf_rule_copyin(&pcr->rule, newrule, p, minordev); in pfioctl_ioc_rule()
3248 struct pf_rule *__single rule, *__single tail, *__single r; in pfioctl_ioc_rule() local
3257 __unsafe_null_terminated_from_indexable(pr->rule.owner), is_anchor, &error)) == NULL) { in pfioctl_ioc_rule()
3261 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
3266 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
3278 if (((strbufcmp(pr->rule.owner, in pfioctl_ioc_rule()
3294 rule = pool_get(&pf_rule_pl, PR_WAITOK); in pfioctl_ioc_rule()
3295 if (rule == NULL) { in pfioctl_ioc_rule()
3299 pf_rule_copyin(&pr->rule, rule, p, minordev); in pfioctl_ioc_rule()
3301 if (rule->af == AF_INET) { in pfioctl_ioc_rule()
3302 pool_put(&pf_rule_pl, rule); in pfioctl_ioc_rule()
3308 while ((r != NULL) && (rule->priority >= (unsigned)r->priority)) { in pfioctl_ioc_rule()
3315 rule->nr = tail->nr + 1; in pfioctl_ioc_rule()
3317 rule->nr = 0; in pfioctl_ioc_rule()
3320 rule->nr = r->nr; in pfioctl_ioc_rule()
3323 if ((error = pf_rule_setup(pr, rule, ruleset))) { in pfioctl_ioc_rule()
3327 if (rule->anchor != NULL) { in pfioctl_ioc_rule()
3328 strbufcpy(rule->anchor->owner, rule->owner); in pfioctl_ioc_rule()
3332 TAILQ_INSERT_BEFORE(r, rule, entries); in pfioctl_ioc_rule()
3338 rule, entries); in pfioctl_ioc_rule()
3348 rule->ticket = VM_KERNEL_ADDRHASH((u_int64_t)(uintptr_t)rule); in pfioctl_ioc_rule()
3350 pr->rule.ticket = rule->ticket; in pfioctl_ioc_rule()
3351 pf_rule_copyout(rule, &pr->rule); in pfioctl_ioc_rule()
3352 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
3355 if (rule->action == PF_NAT64) { in pfioctl_ioc_rule()
3361 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
3376 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
3386 if (pr->rule.ticket) { in pfioctl_ioc_rule()
3391 pf_delete_rule_by_owner(__unsafe_null_terminated_from_indexable(pr->rule.owner), req_dev); in pfioctl_ioc_rule()
3394 if (pr->rule.action == PF_NAT64) { in pfioctl_ioc_rule()
3449 ((NULL == s->rule.ptr) || in pfioctl_ioc_state_kill()
3450 strbufcmp(psk->psk_ownername, s->rule.ptr->owner))) { in pfioctl_ioc_state_kill()
3491 ((NULL == s->rule.ptr) || in pfioctl_ioc_state_kill()
3492 strbufcmp(psk->psk_ownername, s->rule.ptr->owner))) { in pfioctl_ioc_state_kill()
4430 if (n->rule.ptr != NULL) { in pfioctl_ioc_src_nodes()
4431 pstore->rule.nr = n->rule.ptr->nr; in pfioctl_ioc_src_nodes()