Lines Matching refs:rule
692 struct pf_rule *__single rule; in pf_get_pool() local
710 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, in pf_get_pool()
713 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); in pf_get_pool()
721 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, in pf_get_pool()
724 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr); in pf_get_pool()
728 while ((rule != NULL) && (rule->nr != rule_number)) { in pf_get_pool()
729 rule = TAILQ_NEXT(rule, entries); in pf_get_pool()
732 if (rule == NULL) { in pf_get_pool()
736 p = &rule->rpool; in pf_get_pool()
773 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule) in pf_rm_rule() argument
776 if (rule->states <= 0) { in pf_rm_rule()
782 pf_tbladdr_remove(&rule->src.addr); in pf_rm_rule()
783 pf_tbladdr_remove(&rule->dst.addr); in pf_rm_rule()
784 if (rule->overload_tbl) { in pf_rm_rule()
785 pfr_detach_table(rule->overload_tbl); in pf_rm_rule()
788 TAILQ_REMOVE(rulequeue, rule, entries); in pf_rm_rule()
789 rule->entries.tqe_prev = NULL; in pf_rm_rule()
790 rule->nr = -1; in pf_rm_rule()
793 if (rule->states > 0 || rule->src_nodes > 0 || in pf_rm_rule()
794 rule->entries.tqe_prev != NULL) { in pf_rm_rule()
797 pf_tag_unref(rule->tag); in pf_rm_rule()
798 pf_tag_unref(rule->match_tag); in pf_rm_rule()
799 pf_rtlabel_remove(&rule->src.addr); in pf_rm_rule()
800 pf_rtlabel_remove(&rule->dst.addr); in pf_rm_rule()
801 pfi_dynaddr_remove(&rule->src.addr); in pf_rm_rule()
802 pfi_dynaddr_remove(&rule->dst.addr); in pf_rm_rule()
804 pf_tbladdr_remove(&rule->src.addr); in pf_rm_rule()
805 pf_tbladdr_remove(&rule->dst.addr); in pf_rm_rule()
806 if (rule->overload_tbl) { in pf_rm_rule()
807 pfr_detach_table(rule->overload_tbl); in pf_rm_rule()
810 pfi_kif_unref(rule->kif, PFI_KIF_REF_RULE); in pf_rm_rule()
811 pf_anchor_remove(rule); in pf_rm_rule()
812 pf_empty_pool(&rule->rpool.list); in pf_rm_rule()
813 pool_put(&pf_rule_pl, rule); in pf_rm_rule()
967 struct pf_rule *rule; in pf_begin_rules() local
976 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { in pf_begin_rules()
977 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); in pf_begin_rules()
991 struct pf_rule *__single rule; in pf_rollback_rules() local
1003 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { in pf_rollback_rules()
1004 pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); in pf_rollback_rules()
1071 pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule) in pf_hash_rule() argument
1076 pf_hash_rule_addr(ctx, &rule->src, rule->proto); in pf_hash_rule()
1077 pf_hash_rule_addr(ctx, &rule->dst, rule->proto); in pf_hash_rule()
1078 PF_MD5_UPD_STRBUF(rule, label); in pf_hash_rule()
1079 PF_MD5_UPD_STRBUF(rule, ifname); in pf_hash_rule()
1080 PF_MD5_UPD_STRBUF(rule, match_tagname); in pf_hash_rule()
1081 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */ in pf_hash_rule()
1082 PF_MD5_UPD_HTONL(rule, os_fingerprint, y); in pf_hash_rule()
1083 PF_MD5_UPD_HTONL(rule, prob, y); in pf_hash_rule()
1084 PF_MD5_UPD_HTONL(rule, uid.uid[0], y); in pf_hash_rule()
1085 PF_MD5_UPD_HTONL(rule, uid.uid[1], y); in pf_hash_rule()
1086 PF_MD5_UPD(rule, uid.op); in pf_hash_rule()
1087 PF_MD5_UPD_HTONL(rule, gid.gid[0], y); in pf_hash_rule()
1088 PF_MD5_UPD_HTONL(rule, gid.gid[1], y); in pf_hash_rule()
1089 PF_MD5_UPD(rule, gid.op); in pf_hash_rule()
1090 PF_MD5_UPD_HTONL(rule, rule_flag, y); in pf_hash_rule()
1091 PF_MD5_UPD(rule, action); in pf_hash_rule()
1092 PF_MD5_UPD(rule, direction); in pf_hash_rule()
1093 PF_MD5_UPD(rule, af); in pf_hash_rule()
1094 PF_MD5_UPD(rule, quick); in pf_hash_rule()
1095 PF_MD5_UPD(rule, ifnot); in pf_hash_rule()
1096 PF_MD5_UPD(rule, match_tag_not); in pf_hash_rule()
1097 PF_MD5_UPD(rule, natpass); in pf_hash_rule()
1098 PF_MD5_UPD(rule, keep_state); in pf_hash_rule()
1099 PF_MD5_UPD(rule, proto); in pf_hash_rule()
1100 PF_MD5_UPD(rule, type); in pf_hash_rule()
1101 PF_MD5_UPD(rule, code); in pf_hash_rule()
1102 PF_MD5_UPD(rule, flags); in pf_hash_rule()
1103 PF_MD5_UPD(rule, flagset); in pf_hash_rule()
1104 PF_MD5_UPD(rule, allow_opts); in pf_hash_rule()
1105 PF_MD5_UPD(rule, rt); in pf_hash_rule()
1106 PF_MD5_UPD(rule, tos); in pf_hash_rule()
1113 struct pf_rule *rule, **old_array, *r; in pf_commit_rules() local
1176 while ((rule = TAILQ_FIRST(old_rules)) != NULL) { in pf_commit_rules()
1177 pf_rm_rule(old_rules, rule); in pf_commit_rules()
1291 sp->rule = s->rule.ptr->nr; in pf_state_export()
1349 s->rule.ptr = &pf_default_rule; in pf_state_import()
1388 struct pf_rule *rule; in pf_setup_pfsync_matching() local
1412 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr, in pf_setup_pfsync_matching()
1414 pf_hash_rule(&ctx, rule); in pf_setup_pfsync_matching()
1415 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule; in pf_setup_pfsync_matching()
1824 struct pf_rule *rule; in pfioctl() local
1826 TAILQ_FOREACH(rule, in pfioctl()
1828 rule->evaluations = 0; in pfioctl()
1829 rule->packets[0] = rule->packets[1] = 0; in pfioctl()
1830 rule->bytes[0] = rule->bytes[1] = 0; in pfioctl()
2467 pf_expire_states_and_src_nodes(struct pf_rule *rule) in pf_expire_states_and_src_nodes() argument
2476 if (state->rule.ptr == rule) { in pf_expire_states_and_src_nodes()
2485 if (sn->rule.ptr != rule) { in pf_expire_states_and_src_nodes()
2510 struct pf_rule *rule) in pf_delete_rule_from_ruleset() argument
2515 pf_expire_states_and_src_nodes(rule); in pf_delete_rule_from_ruleset()
2517 pf_rm_rule(ruleset->rules[rs_num].active.ptr, rule); in pf_delete_rule_from_ruleset()
2546 struct pf_rule *rule = NULL; in pf_delete_rule_by_ticket() local
2553 __unsafe_null_terminated_from_indexable(pr->rule.owner), is_anchor, &error)) == NULL) { in pf_delete_rule_by_ticket()
2557 for (i = 0; i < PF_RULESET_MAX && rule == NULL; i++) { in pf_delete_rule_by_ticket()
2558 rule = TAILQ_FIRST(ruleset->rules[i].active.ptr); in pf_delete_rule_by_ticket()
2559 while (rule && (rule->ticket != pr->rule.ticket)) { in pf_delete_rule_by_ticket()
2560 rule = TAILQ_NEXT(rule, entries); in pf_delete_rule_by_ticket()
2563 if (rule == NULL) { in pf_delete_rule_by_ticket()
2570 if (strbufcmp(rule->owner, pr->rule.owner)) { in pf_delete_rule_by_ticket()
2576 if (rule->anchor && (ruleset != &pf_main_ruleset) && in pf_delete_rule_by_ticket()
2580 struct pf_rule *delete_rule = rule; in pf_delete_rule_by_ticket()
2590 rule = TAILQ_FIRST(ruleset->rules[i].active.ptr); in pf_delete_rule_by_ticket()
2591 while (rule && in pf_delete_rule_by_ticket()
2592 (rule->anchor != delete_ruleset->anchor)) { in pf_delete_rule_by_ticket()
2593 rule = TAILQ_NEXT(rule, entries); in pf_delete_rule_by_ticket()
2595 if (rule == NULL) { in pf_delete_rule_by_ticket()
2604 if ((rule->rule_flag & PFRULE_PFM) ^ req_dev) { in pf_delete_rule_by_ticket()
2605 if (rule->ticket != pr->rule.ticket) { in pf_delete_rule_by_ticket()
2627 if ((rule->rule_flag & PFRULE_PFM) ^ req_dev) { in pf_delete_rule_by_ticket()
2631 if (rule->rule_flag & PFRULE_PFM) { in pf_delete_rule_by_ticket()
2635 rule); in pf_delete_rule_by_ticket()
2655 struct pf_rule *__single rule, *__single next; in pf_delete_rule_by_owner() local
2659 rule = TAILQ_FIRST(pf_main_ruleset.rules[rs].active.ptr); in pf_delete_rule_by_owner()
2661 while (rule) { in pf_delete_rule_by_owner()
2662 next = TAILQ_NEXT(rule, entries); in pf_delete_rule_by_owner()
2667 if ((rule->rule_flag & PFRULE_PFM) ^ req_dev) { in pf_delete_rule_by_owner()
2668 rule = next; in pf_delete_rule_by_owner()
2669 } else if (rule->anchor) { in pf_delete_rule_by_owner()
2670 if (((strlcmp(rule->owner, owner, sizeof(rule->owner))) == 0) || in pf_delete_rule_by_owner()
2671 ((strbufcmp(rule->owner, "")) == 0)) { in pf_delete_rule_by_owner()
2672 if (rule->anchor->ruleset.rules[rs].active.rcount > 0) { in pf_delete_rule_by_owner()
2679 &rule->anchor->ruleset; in pf_delete_rule_by_owner()
2680 rule = TAILQ_FIRST(ruleset->rules[rs].active.ptr); in pf_delete_rule_by_owner()
2683 if (rule->rule_flag & in pf_delete_rule_by_owner()
2687 pf_delete_rule_from_ruleset(ruleset, rs, rule); in pf_delete_rule_by_owner()
2689 rule = next; in pf_delete_rule_by_owner()
2692 rule = next; in pf_delete_rule_by_owner()
2695 if (((strlcmp(rule->owner, owner, sizeof(rule->owner))) == 0)) { in pf_delete_rule_by_owner()
2697 if (rule->rule_flag & PFRULE_PFM) { in pf_delete_rule_by_owner()
2701 rs, rule); in pf_delete_rule_by_owner()
2704 rule = next; in pf_delete_rule_by_owner()
2706 if (rule == NULL) { in pf_delete_rule_by_owner()
2713 rs, &rule); in pf_delete_rule_by_owner()
2725 struct pf_rule *rule = *rule_ptr; in pf_deleterule_anchor_step_out() local
2732 rule = TAILQ_FIRST(ruleset->rules[rs].active.ptr); in pf_deleterule_anchor_step_out()
2733 while (rule && (rule->anchor != rs_copy->anchor)) { in pf_deleterule_anchor_step_out()
2734 rule = TAILQ_NEXT(rule, entries); in pf_deleterule_anchor_step_out()
2736 if (rule == NULL) { in pf_deleterule_anchor_step_out()
2739 if (rule->anchor->ruleset.rules[rs].active.rcount > 0) { in pf_deleterule_anchor_step_out()
2740 rule = TAILQ_NEXT(rule, entries); in pf_deleterule_anchor_step_out()
2744 *rule_ptr = rule; in pf_deleterule_anchor_step_out()
2755 pf_rule_setup(struct pfioc_rule *pr, struct pf_rule *rule, in pf_rule_setup() argument
2761 if (rule->ifname[0]) { in pf_rule_setup()
2762 rule->kif = pfi_kif_get(__unsafe_null_terminated_from_indexable(rule->ifname)); in pf_rule_setup()
2763 if (rule->kif == NULL) { in pf_rule_setup()
2764 pool_put(&pf_rule_pl, rule); in pf_rule_setup()
2767 pfi_kif_ref(rule->kif, PFI_KIF_REF_RULE); in pf_rule_setup()
2769 if (rule->tagname[0]) { in pf_rule_setup()
2770 if ((rule->tag = pf_tagname2tag(__unsafe_null_terminated_from_indexable(rule->tagname))) == 0) { in pf_rule_setup()
2774 if (rule->match_tagname[0]) { in pf_rule_setup()
2775 if ((rule->match_tag = in pf_rule_setup()
2776 pf_tagname2tag(__unsafe_null_terminated_from_indexable(rule->match_tagname))) == 0) { in pf_rule_setup()
2780 if (rule->rt && !rule->direction) { in pf_rule_setup()
2784 if (!rule->log) { in pf_rule_setup()
2785 rule->logif = 0; in pf_rule_setup()
2787 if (rule->logif >= PFLOGIFS_MAX) { in pf_rule_setup()
2791 pf_addrwrap_setup(&rule->src.addr); in pf_rule_setup()
2792 pf_addrwrap_setup(&rule->dst.addr); in pf_rule_setup()
2793 if (pf_rtlabel_add(&rule->src.addr) || in pf_rule_setup()
2794 pf_rtlabel_add(&rule->dst.addr)) { in pf_rule_setup()
2797 if (pfi_dynaddr_setup(&rule->src.addr, rule->af)) { in pf_rule_setup()
2800 if (pfi_dynaddr_setup(&rule->dst.addr, rule->af)) { in pf_rule_setup()
2803 if (pf_tbladdr_setup(ruleset, &rule->src.addr)) { in pf_rule_setup()
2806 if (pf_tbladdr_setup(ruleset, &rule->dst.addr)) { in pf_rule_setup()
2809 if (pf_anchor_setup(rule, ruleset, pr->anchor_call, sizeof(pr->anchor_call))) { in pf_rule_setup()
2817 if (rule->overload_tblname[0]) { in pf_rule_setup()
2818 if ((rule->overload_tbl = pfr_attach_table(ruleset, in pf_rule_setup()
2819 __unsafe_null_terminated_from_indexable(rule->overload_tblname))) == NULL) { in pf_rule_setup()
2822 rule->overload_tbl->pfrkt_flags |= in pf_rule_setup()
2827 pf_mv_pool(&pf_pabuf, &rule->rpool.list); in pf_rule_setup()
2829 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) || in pf_rule_setup()
2830 (rule->action == PF_BINAT) || (rule->action == PF_NAT64)) && in pf_rule_setup()
2831 rule->anchor == NULL) || in pf_rule_setup()
2832 (rule->rt > PF_FASTROUTE)) && in pf_rule_setup()
2833 (TAILQ_FIRST(&rule->rpool.list) == NULL)) { in pf_rule_setup()
2838 pf_rm_rule(NULL, rule); in pf_rule_setup()
2844 rule->rpool.af = (rule->action == PF_NAT64) ? AF_INET: rule->af; in pf_rule_setup()
2845 rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); in pf_rule_setup()
2846 rule->evaluations = rule->packets[0] = rule->packets[1] = in pf_rule_setup()
2847 rule->bytes[0] = rule->bytes[1] = 0; in pf_rule_setup()
2861 struct pf_rule *__single rule, *__single tail; in pfioctl_ioc_rule() local
2871 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
2876 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
2888 rule = pool_get(&pf_rule_pl, PR_WAITOK); in pfioctl_ioc_rule()
2889 if (rule == NULL) { in pfioctl_ioc_rule()
2893 pf_rule_copyin(&pr->rule, rule, p, minordev); in pfioctl_ioc_rule()
2895 if (rule->af == AF_INET) { in pfioctl_ioc_rule()
2896 pool_put(&pf_rule_pl, rule); in pfioctl_ioc_rule()
2904 rule->nr = tail->nr + 1; in pfioctl_ioc_rule()
2906 rule->nr = 0; in pfioctl_ioc_rule()
2909 if ((error = pf_rule_setup(pr, rule, ruleset))) { in pfioctl_ioc_rule()
2913 rule, entries); in pfioctl_ioc_rule()
2915 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
2919 if (rule->action == PF_NAT64) { in pfioctl_ioc_rule()
2925 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
2931 if (rule->action == PF_DUMMYNET) { in pfioctl_ioc_rule()
2938 if (rule->direction == PF_IN) { in pfioctl_ioc_rule()
2940 } else if (rule->direction == PF_OUT) { in pfioctl_ioc_rule()
2945 dn_event.dn_event_rule_config.af = rule->af; in pfioctl_ioc_rule()
2946 dn_event.dn_event_rule_config.proto = rule->proto; in pfioctl_ioc_rule()
2947 dn_event.dn_event_rule_config.src_port = rule->src.xport.range.port[0]; in pfioctl_ioc_rule()
2948 dn_event.dn_event_rule_config.dst_port = rule->dst.xport.range.port[0]; in pfioctl_ioc_rule()
2949 strbufcpy(dn_event.dn_event_rule_config.ifname, rule->ifname); in pfioctl_ioc_rule()
2968 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
2985 struct pf_rule *__single rule; in pfioctl_ioc_rule() local
2995 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
3004 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); in pfioctl_ioc_rule()
3005 while ((rule != NULL) && (rule->nr != pr->nr)) { in pfioctl_ioc_rule()
3006 rule = TAILQ_NEXT(rule, entries); in pfioctl_ioc_rule()
3008 if (rule == NULL) { in pfioctl_ioc_rule()
3012 pf_rule_copyout(rule, &pr->rule); in pfioctl_ioc_rule()
3013 if (pf_anchor_copyout(ruleset, rule, pr)) { in pfioctl_ioc_rule()
3017 pfi_dynaddr_copyout(&pr->rule.src.addr); in pfioctl_ioc_rule()
3018 pfi_dynaddr_copyout(&pr->rule.dst.addr); in pfioctl_ioc_rule()
3019 pf_tbladdr_copyout(&pr->rule.src.addr); in pfioctl_ioc_rule()
3020 pf_tbladdr_copyout(&pr->rule.dst.addr); in pfioctl_ioc_rule()
3021 pf_rtlabel_copyout(&pr->rule.src.addr); in pfioctl_ioc_rule()
3022 pf_rtlabel_copyout(&pr->rule.dst.addr); in pfioctl_ioc_rule()
3024 if (rule->skip[i].ptr == NULL) { in pfioctl_ioc_rule()
3025 pr->rule.skip[i].nr = -1; in pfioctl_ioc_rule()
3027 pr->rule.skip[i].nr = in pfioctl_ioc_rule()
3028 rule->skip[i].ptr->nr; in pfioctl_ioc_rule()
3033 rule->evaluations = 0; in pfioctl_ioc_rule()
3034 rule->packets[0] = rule->packets[1] = 0; in pfioctl_ioc_rule()
3035 rule->bytes[0] = rule->bytes[1] = 0; in pfioctl_ioc_rule()
3066 rs_num = pf_get_ruleset_number(pcr->rule.action); in pfioctl_ioc_rule()
3081 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
3093 pf_rule_copyin(&pcr->rule, newrule, p, minordev); in pfioctl_ioc_rule()
3249 struct pf_rule *__single rule, *__single tail, *__single r; in pfioctl_ioc_rule() local
3258 __unsafe_null_terminated_from_indexable(pr->rule.owner), is_anchor, &error)) == NULL) { in pfioctl_ioc_rule()
3262 rs_num = pf_get_ruleset_number(pr->rule.action); in pfioctl_ioc_rule()
3267 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
3279 if (((strbufcmp(pr->rule.owner, in pfioctl_ioc_rule()
3295 rule = pool_get(&pf_rule_pl, PR_WAITOK); in pfioctl_ioc_rule()
3296 if (rule == NULL) { in pfioctl_ioc_rule()
3300 pf_rule_copyin(&pr->rule, rule, p, minordev); in pfioctl_ioc_rule()
3302 if (rule->af == AF_INET) { in pfioctl_ioc_rule()
3303 pool_put(&pf_rule_pl, rule); in pfioctl_ioc_rule()
3309 while ((r != NULL) && (rule->priority >= (unsigned)r->priority)) { in pfioctl_ioc_rule()
3316 rule->nr = tail->nr + 1; in pfioctl_ioc_rule()
3318 rule->nr = 0; in pfioctl_ioc_rule()
3321 rule->nr = r->nr; in pfioctl_ioc_rule()
3324 if ((error = pf_rule_setup(pr, rule, ruleset))) { in pfioctl_ioc_rule()
3328 if (rule->anchor != NULL) { in pfioctl_ioc_rule()
3329 strbufcpy(rule->anchor->owner, rule->owner); in pfioctl_ioc_rule()
3333 TAILQ_INSERT_BEFORE(r, rule, entries); in pfioctl_ioc_rule()
3339 rule, entries); in pfioctl_ioc_rule()
3349 rule->ticket = VM_KERNEL_ADDRHASH((u_int64_t)(uintptr_t)rule); in pfioctl_ioc_rule()
3351 pr->rule.ticket = rule->ticket; in pfioctl_ioc_rule()
3352 pf_rule_copyout(rule, &pr->rule); in pfioctl_ioc_rule()
3353 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
3356 if (rule->action == PF_NAT64) { in pfioctl_ioc_rule()
3362 if (rule->rule_flag & PFRULE_PFM) { in pfioctl_ioc_rule()
3377 if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl_ioc_rule()
3387 if (pr->rule.ticket) { in pfioctl_ioc_rule()
3392 pf_delete_rule_by_owner(__unsafe_null_terminated_from_indexable(pr->rule.owner), req_dev); in pfioctl_ioc_rule()
3395 if (pr->rule.action == PF_NAT64) { in pfioctl_ioc_rule()
3450 ((NULL == s->rule.ptr) || in pfioctl_ioc_state_kill()
3451 strbufcmp(psk->psk_ownername, s->rule.ptr->owner))) { in pfioctl_ioc_state_kill()
3492 ((NULL == s->rule.ptr) || in pfioctl_ioc_state_kill()
3493 strbufcmp(psk->psk_ownername, s->rule.ptr->owner))) { in pfioctl_ioc_state_kill()
4431 if (n->rule.ptr != NULL) { in pfioctl_ioc_src_nodes()
4432 pstore->rule.nr = n->rule.ptr->nr; in pfioctl_ioc_src_nodes()