1 /*
2 * Copyright (c) 2007-2021 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $apfw: pf_if.c,v 1.4 2008/08/27 00:01:32 jhw Exp $ */
30 /* $OpenBSD: pf_if.c,v 1.46 2006/12/13 09:01:59 itojun Exp $ */
31
32 /*
33 * Copyright 2005 Henning Brauer <[email protected]>
34 * Copyright 2005 Ryan McBride <[email protected]>
35 * Copyright (c) 2001 Daniel Hartmeier
36 * Copyright (c) 2003 Cedric Berger
37 * All rights reserved.
38 *
39 * Redistribution and use in source and binary forms, with or without
40 * modification, are permitted provided that the following conditions
41 * are met:
42 *
43 * - Redistributions of source code must retain the above copyright
44 * notice, this list of conditions and the following disclaimer.
45 * - Redistributions in binary form must reproduce the above
46 * copyright notice, this list of conditions and the following
47 * disclaimer in the documentation and/or other materials provided
48 * with the distribution.
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
51 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
52 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
53 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
54 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
55 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
56 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
58 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
60 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
61 * POSSIBILITY OF SUCH DAMAGE.
62 */
63
64 #include <sys/param.h>
65 #include <sys/systm.h>
66 #include <sys/mbuf.h>
67 #include <sys/filio.h>
68 #include <sys/socket.h>
69 #include <sys/socketvar.h>
70 #include <sys/kernel.h>
71 #include <sys/time.h>
72 #include <sys/malloc.h>
73
74 #include <net/if.h>
75 #include <net/if_types.h>
76 #include <net/if_var.h>
77
78 #include <netinet/in.h>
79 #include <netinet/in_var.h>
80 #include <netinet/in_systm.h>
81 #include <netinet/ip.h>
82 #include <netinet/ip_var.h>
83
84 #include <netinet/ip6.h>
85
86 #include <net/pfvar.h>
87
88 struct pfi_kif *pfi_all = NULL;
89
90 static struct pool pfi_addr_pl;
91 static struct pfi_ifhead pfi_ifs;
92 static u_int32_t pfi_update = 1;
93 static struct pfr_addr *pfi_buffer;
94 static int pfi_buffer_cnt;
95 static int pfi_buffer_max;
96
97 __private_extern__ void pfi_kifaddr_update(void *);
98
99 static void pfi_kif_update(struct pfi_kif *);
100 static void pfi_dynaddr_update(struct pfi_dynaddr *dyn);
101 static void pfi_table_update(struct pfr_ktable *, struct pfi_kif *, uint8_t, int);
102 static void pfi_instance_add(struct ifnet *, uint8_t, int);
103 static void pfi_address_add(struct sockaddr *, uint8_t, uint8_t);
104 static int pfi_if_compare(struct pfi_kif *, struct pfi_kif *);
105 static int pfi_skip_if(const char *, struct pfi_kif *);
106 static uint8_t pfi_unmask(void *);
107
108 RB_PROTOTYPE_SC(static, pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
109 RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
110
111 #define PFI_BUFFER_MAX 0x10000
112 #define PFI_MTYPE M_IFADDR
113
114 #define IFG_ALL "ALL"
115
116 void
pfi_initialize(void)117 pfi_initialize(void)
118 {
119 if (pfi_all != NULL) { /* already initialized */
120 return;
121 }
122
123 pool_init(&pfi_addr_pl, sizeof(struct pfi_dynaddr), 0, 0, 0,
124 "pfiaddrpl", NULL);
125 pfi_buffer_max = 64;
126 pfi_buffer = (struct pfr_addr *)kalloc_data(pfi_buffer_max * sizeof(*pfi_buffer),
127 Z_WAITOK);
128
129 if ((pfi_all = pfi_kif_get(IFG_ALL)) == NULL) {
130 panic("pfi_kif_get for pfi_all failed");
131 }
132 }
133
134 #if 0
135 void
136 pfi_destroy(void)
137 {
138 pool_destroy(&pfi_addr_pl);
139 kfree_data(pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
140 }
141 #endif
142
143 struct pfi_kif *
pfi_kif_get(const char * kif_name)144 pfi_kif_get(const char *kif_name)
145 {
146 struct pfi_kif *kif;
147 struct pfi_kif s;
148
149 bzero(&s.pfik_name, sizeof(s.pfik_name));
150 strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name));
151 kif = RB_FIND(pfi_ifhead, &pfi_ifs, &s);
152 if (kif != NULL) {
153 return kif;
154 }
155
156 /* create new one */
157 if ((kif = kalloc_type(struct pfi_kif, Z_WAITOK | Z_ZERO)) == NULL) {
158 return NULL;
159 }
160
161 strlcpy(kif->pfik_name, kif_name, sizeof(kif->pfik_name));
162 kif->pfik_tzero = pf_calendar_time_second();
163 TAILQ_INIT(&kif->pfik_dynaddrs);
164
165 RB_INSERT(pfi_ifhead, &pfi_ifs, kif);
166 return kif;
167 }
168
169 void
pfi_kif_ref(struct pfi_kif * kif,enum pfi_kif_refs what)170 pfi_kif_ref(struct pfi_kif *kif, enum pfi_kif_refs what)
171 {
172 switch (what) {
173 case PFI_KIF_REF_RULE:
174 kif->pfik_rules++;
175 break;
176 case PFI_KIF_REF_STATE:
177 kif->pfik_states++;
178 break;
179 default:
180 panic("pfi_kif_ref with unknown type");
181 }
182 }
183
184 void
pfi_kif_unref(struct pfi_kif * kif,enum pfi_kif_refs what)185 pfi_kif_unref(struct pfi_kif *kif, enum pfi_kif_refs what)
186 {
187 if (kif == NULL) {
188 return;
189 }
190
191 switch (what) {
192 case PFI_KIF_REF_NONE:
193 break;
194 case PFI_KIF_REF_RULE:
195 if (kif->pfik_rules <= 0) {
196 printf("pfi_kif_unref: rules refcount <= 0\n");
197 return;
198 }
199 kif->pfik_rules--;
200 break;
201 case PFI_KIF_REF_STATE:
202 if (kif->pfik_states <= 0) {
203 printf("pfi_kif_unref: state refcount <= 0\n");
204 return;
205 }
206 kif->pfik_states--;
207 break;
208 default:
209 panic("pfi_kif_unref with unknown type");
210 }
211
212 if (kif->pfik_ifp != NULL || kif == pfi_all) {
213 return;
214 }
215
216 if (kif->pfik_rules || kif->pfik_states) {
217 return;
218 }
219
220 RB_REMOVE(pfi_ifhead, &pfi_ifs, kif);
221 kfree_type(struct pfi_kif, kif);
222 }
223
224 int
pfi_kif_match(struct pfi_kif * rule_kif,struct pfi_kif * packet_kif)225 pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif)
226 {
227 if (rule_kif == NULL || rule_kif == packet_kif) {
228 return 1;
229 }
230
231 return 0;
232 }
233
234 void
pfi_attach_ifnet(struct ifnet * ifp)235 pfi_attach_ifnet(struct ifnet *ifp)
236 {
237 struct pfi_kif *kif;
238
239 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
240
241 pfi_update++;
242 if ((kif = pfi_kif_get(if_name(ifp))) == NULL) {
243 panic("pfi_kif_get failed");
244 }
245
246 ifnet_lock_exclusive(ifp);
247 kif->pfik_ifp = ifp;
248 ifp->if_pf_kif = kif;
249 ifnet_lock_done(ifp);
250
251 pfi_kif_update(kif);
252 }
253
254 /*
255 * Caller holds ifnet lock as writer (exclusive);
256 */
257 void
pfi_detach_ifnet(struct ifnet * ifp)258 pfi_detach_ifnet(struct ifnet *ifp)
259 {
260 struct pfi_kif *kif;
261
262 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
263
264 if ((kif = (struct pfi_kif *)ifp->if_pf_kif) == NULL) {
265 return;
266 }
267
268 pfi_update++;
269 pfi_kif_update(kif);
270
271 ifnet_lock_exclusive(ifp);
272 kif->pfik_ifp = NULL;
273 ifp->if_pf_kif = NULL;
274 ifnet_lock_done(ifp);
275
276 pfi_kif_unref(kif, PFI_KIF_REF_NONE);
277 }
278
279 int
pfi_match_addr(struct pfi_dynaddr * dyn,struct pf_addr * a,sa_family_t af)280 pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af)
281 {
282 switch (af) {
283 #if INET
284 case AF_INET:
285 switch (dyn->pfid_acnt4) {
286 case 0:
287 return 0;
288 case 1:
289 return PF_MATCHA(0, &dyn->pfid_addr4,
290 &dyn->pfid_mask4, a, AF_INET);
291 default:
292 return pfr_match_addr(dyn->pfid_kt, a, AF_INET);
293 }
294 #endif /* INET */
295 case AF_INET6:
296 switch (dyn->pfid_acnt6) {
297 case 0:
298 return 0;
299 case 1:
300 return PF_MATCHA(0, &dyn->pfid_addr6,
301 &dyn->pfid_mask6, a, AF_INET6);
302 default:
303 return pfr_match_addr(dyn->pfid_kt, a, AF_INET6);
304 }
305 default:
306 return 0;
307 }
308 }
309
310 int
pfi_dynaddr_setup(struct pf_addr_wrap * aw,sa_family_t af)311 pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
312 {
313 struct pfi_dynaddr *dyn;
314 char tblname[PF_TABLE_NAME_SIZE];
315 struct pf_ruleset *ruleset = NULL;
316 int rv = 0;
317
318 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
319
320 if (aw->type != PF_ADDR_DYNIFTL) {
321 return 0;
322 }
323 if ((dyn = pool_get(&pfi_addr_pl, PR_WAITOK)) == NULL) {
324 return 1;
325 }
326 bzero(dyn, sizeof(*dyn));
327
328 if (strcmp(aw->v.ifname, "self") == 0) {
329 dyn->pfid_kif = pfi_kif_get(IFG_ALL);
330 } else {
331 dyn->pfid_kif = pfi_kif_get(aw->v.ifname);
332 }
333 if (dyn->pfid_kif == NULL) {
334 rv = 1;
335 goto _bad;
336 }
337 pfi_kif_ref(dyn->pfid_kif, PFI_KIF_REF_RULE);
338
339 dyn->pfid_net = pfi_unmask(&aw->v.a.mask);
340 if (af == AF_INET && dyn->pfid_net == 32) {
341 dyn->pfid_net = 128;
342 }
343 strlcpy(tblname, aw->v.ifname, sizeof(tblname));
344 if (aw->iflags & PFI_AFLAG_NETWORK) {
345 strlcat(tblname, ":network", sizeof(tblname));
346 }
347 if (aw->iflags & PFI_AFLAG_BROADCAST) {
348 strlcat(tblname, ":broadcast", sizeof(tblname));
349 }
350 if (aw->iflags & PFI_AFLAG_PEER) {
351 strlcat(tblname, ":peer", sizeof(tblname));
352 }
353 if (aw->iflags & PFI_AFLAG_NOALIAS) {
354 strlcat(tblname, ":0", sizeof(tblname));
355 }
356 if (dyn->pfid_net != 128) {
357 snprintf(tblname + strlen(tblname),
358 sizeof(tblname) - strlen(tblname), "/%d", dyn->pfid_net);
359 }
360 if ((ruleset = pf_find_or_create_ruleset(PF_RESERVED_ANCHOR)) == NULL) {
361 rv = 1;
362 goto _bad;
363 }
364
365 if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname)) == NULL) {
366 rv = 1;
367 goto _bad;
368 }
369
370 dyn->pfid_kt->pfrkt_flags |= PFR_TFLAG_ACTIVE;
371 dyn->pfid_iflags = aw->iflags;
372 dyn->pfid_af = af;
373
374 TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
375 aw->p.dyn = dyn;
376 pfi_kif_update(dyn->pfid_kif);
377 return 0;
378
379 _bad:
380 if (dyn->pfid_kt != NULL) {
381 pfr_detach_table(dyn->pfid_kt);
382 }
383 if (ruleset != NULL) {
384 pf_remove_if_empty_ruleset(ruleset);
385 }
386 if (dyn->pfid_kif != NULL) {
387 pfi_kif_unref(dyn->pfid_kif, PFI_KIF_REF_RULE);
388 }
389 pool_put(&pfi_addr_pl, dyn);
390 return rv;
391 }
392
393 void
pfi_kif_update(struct pfi_kif * kif)394 pfi_kif_update(struct pfi_kif *kif)
395 {
396 struct pfi_dynaddr *p;
397
398 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
399
400 /* update all dynaddr */
401 TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry)
402 pfi_dynaddr_update(p);
403 }
404
405 void
pfi_dynaddr_update(struct pfi_dynaddr * dyn)406 pfi_dynaddr_update(struct pfi_dynaddr *dyn)
407 {
408 struct pfi_kif *kif;
409 struct pfr_ktable *kt;
410
411 if (dyn == NULL || dyn->pfid_kif == NULL || dyn->pfid_kt == NULL) {
412 panic("pfi_dynaddr_update");
413 }
414
415 kif = dyn->pfid_kif;
416 kt = dyn->pfid_kt;
417
418 if (kt->pfrkt_larg != pfi_update) {
419 /* this table needs to be brought up-to-date */
420 pfi_table_update(kt, kif, dyn->pfid_net, dyn->pfid_iflags);
421 kt->pfrkt_larg = pfi_update;
422 }
423 pfr_dynaddr_update(kt, dyn);
424 }
425
426 void
pfi_table_update(struct pfr_ktable * kt,struct pfi_kif * kif,uint8_t net,int flags)427 pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, uint8_t net, int flags)
428 {
429 int e, size2 = 0;
430
431 pfi_buffer_cnt = 0;
432
433 if (kif->pfik_ifp != NULL) {
434 pfi_instance_add(kif->pfik_ifp, net, flags);
435 }
436
437 if ((e = pfr_set_addrs(&kt->pfrkt_t, CAST_USER_ADDR_T(pfi_buffer),
438 pfi_buffer_cnt, &size2, NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) {
439 printf("pfi_table_update: cannot set %d new addresses "
440 "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e);
441 }
442 }
443
444 void
pfi_instance_add(struct ifnet * ifp,uint8_t net,int flags)445 pfi_instance_add(struct ifnet *ifp, uint8_t net, int flags)
446 {
447 struct ifaddr *ia;
448 int got4 = 0, got6 = 0;
449 uint8_t net2, af;
450
451 if (ifp == NULL) {
452 return;
453 }
454 ifnet_lock_shared(ifp);
455 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
456 IFA_LOCK(ia);
457 if (ia->ifa_addr == NULL) {
458 IFA_UNLOCK(ia);
459 continue;
460 }
461 af = ia->ifa_addr->sa_family;
462 if (af != AF_INET && af != AF_INET6) {
463 IFA_UNLOCK(ia);
464 continue;
465 }
466 if ((flags & PFI_AFLAG_BROADCAST) && af == AF_INET6) {
467 IFA_UNLOCK(ia);
468 continue;
469 }
470 if ((flags & PFI_AFLAG_BROADCAST) &&
471 !(ifp->if_flags & IFF_BROADCAST)) {
472 IFA_UNLOCK(ia);
473 continue;
474 }
475 if ((flags & PFI_AFLAG_PEER) &&
476 !(ifp->if_flags & IFF_POINTOPOINT)) {
477 IFA_UNLOCK(ia);
478 continue;
479 }
480 if ((af == AF_INET6) &&
481 IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)
482 (void *)ia->ifa_addr)->sin6_addr)) {
483 IFA_UNLOCK(ia);
484 continue;
485 }
486 if ((af == AF_INET6) &&
487 (((struct in6_ifaddr *)ia)->ia6_flags &
488 (IN6_IFF_ANYCAST | IN6_IFF_NOTREADY | IN6_IFF_DETACHED |
489 IN6_IFF_CLAT46 | IN6_IFF_TEMPORARY | IN6_IFF_DEPRECATED))) {
490 IFA_UNLOCK(ia);
491 continue;
492 }
493 if (flags & PFI_AFLAG_NOALIAS) {
494 if (af == AF_INET && got4) {
495 IFA_UNLOCK(ia);
496 continue;
497 }
498 if (af == AF_INET6 && got6) {
499 IFA_UNLOCK(ia);
500 continue;
501 }
502 }
503 if (af == AF_INET) {
504 got4 = 1;
505 } else if (af == AF_INET6) {
506 got6 = 1;
507 }
508 net2 = net;
509 if (net2 == 128 && (flags & PFI_AFLAG_NETWORK)) {
510 if (af == AF_INET) {
511 net2 = pfi_unmask(&((struct sockaddr_in *)
512 (void *)ia->ifa_netmask)->sin_addr);
513 } else if (af == AF_INET6) {
514 net2 = pfi_unmask(&((struct sockaddr_in6 *)
515 (void *)ia->ifa_netmask)->sin6_addr);
516 }
517 }
518 if (af == AF_INET && net2 > 32) {
519 net2 = 32;
520 }
521 if (flags & PFI_AFLAG_BROADCAST) {
522 pfi_address_add(ia->ifa_broadaddr, af, net2);
523 } else if (flags & PFI_AFLAG_PEER) {
524 pfi_address_add(ia->ifa_dstaddr, af, net2);
525 } else {
526 pfi_address_add(ia->ifa_addr, af, net2);
527 }
528 IFA_UNLOCK(ia);
529 }
530 ifnet_lock_done(ifp);
531 }
532
533 void
pfi_address_add(struct sockaddr * sa,uint8_t af,uint8_t net)534 pfi_address_add(struct sockaddr *sa, uint8_t af, uint8_t net)
535 {
536 struct pfr_addr *p;
537 int i;
538
539 if (pfi_buffer_cnt >= pfi_buffer_max) {
540 int new_max = pfi_buffer_max * 2;
541
542 if (new_max > PFI_BUFFER_MAX) {
543 printf("pfi_address_add: address buffer full (%d/%d)\n",
544 pfi_buffer_cnt, PFI_BUFFER_MAX);
545 return;
546 }
547 p = (struct pfr_addr *)kalloc_data(new_max * sizeof(*pfi_buffer),
548 Z_WAITOK);
549 if (p == NULL) {
550 printf("pfi_address_add: no memory to grow buffer "
551 "(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX);
552 return;
553 }
554 memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
555 /* no need to zero buffer */
556 kfree_data(pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
557 pfi_buffer = p;
558 pfi_buffer_max = new_max;
559 }
560 if (af == AF_INET && net > 32) {
561 net = 128;
562 }
563 p = pfi_buffer + pfi_buffer_cnt++;
564 bzero(p, sizeof(*p));
565 p->pfra_af = af;
566 p->pfra_net = net;
567 if (af == AF_INET) {
568 p->pfra_ip4addr = ((struct sockaddr_in *)(void *)sa)->sin_addr;
569 } else if (af == AF_INET6) {
570 p->pfra_ip6addr =
571 ((struct sockaddr_in6 *)(void *)sa)->sin6_addr;
572 if (IN6_IS_SCOPE_EMBED(&p->pfra_ip6addr)) {
573 p->pfra_ip6addr.s6_addr16[1] = 0;
574 }
575 }
576 /* mask network address bits */
577 if (net < 128) {
578 ((caddr_t)p)[p->pfra_net / 8] &= ~(0xFF >> (p->pfra_net % 8));
579 }
580 for (i = (p->pfra_net + 7) / 8; i < (int)sizeof(p->pfra_u); i++) {
581 ((caddr_t)p)[i] = 0;
582 }
583 }
584
585 void
pfi_dynaddr_remove(struct pf_addr_wrap * aw)586 pfi_dynaddr_remove(struct pf_addr_wrap *aw)
587 {
588 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL ||
589 aw->p.dyn->pfid_kif == NULL || aw->p.dyn->pfid_kt == NULL) {
590 return;
591 }
592
593 TAILQ_REMOVE(&aw->p.dyn->pfid_kif->pfik_dynaddrs, aw->p.dyn, entry);
594 pfi_kif_unref(aw->p.dyn->pfid_kif, PFI_KIF_REF_RULE);
595 aw->p.dyn->pfid_kif = NULL;
596 pfr_detach_table(aw->p.dyn->pfid_kt);
597 aw->p.dyn->pfid_kt = NULL;
598 pool_put(&pfi_addr_pl, aw->p.dyn);
599 aw->p.dyn = NULL;
600 }
601
602 void
pfi_dynaddr_copyout(struct pf_addr_wrap * aw)603 pfi_dynaddr_copyout(struct pf_addr_wrap *aw)
604 {
605 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL ||
606 aw->p.dyn->pfid_kif == NULL) {
607 return;
608 }
609 aw->p.dyncnt = aw->p.dyn->pfid_acnt4 + aw->p.dyn->pfid_acnt6;
610 }
611
612 void
pfi_kifaddr_update(void * v)613 pfi_kifaddr_update(void *v)
614 {
615 struct pfi_kif *kif = (struct pfi_kif *)v;
616
617 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
618
619 pfi_update++;
620 pfi_kif_update(kif);
621 }
622
623 int
pfi_if_compare(struct pfi_kif * p,struct pfi_kif * q)624 pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q)
625 {
626 return strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ - 1);
627 }
628
629 void
pfi_update_status(const char * name,struct pf_status * pfs)630 pfi_update_status(const char *name, struct pf_status *pfs)
631 {
632 struct pfi_kif *p;
633 struct pfi_kif key;
634 int i, j, k;
635
636 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
637
638 bzero(&key.pfik_name, sizeof(key.pfik_name));
639 strlcpy(key.pfik_name, name, sizeof(key.pfik_name));
640 p = RB_FIND(pfi_ifhead, &pfi_ifs, &key);
641 if (p == NULL) {
642 return;
643 }
644
645 if (pfs != NULL) {
646 bzero(pfs->pcounters, sizeof(pfs->pcounters));
647 bzero(pfs->bcounters, sizeof(pfs->bcounters));
648 for (i = 0; i < 2; i++) {
649 for (j = 0; j < 2; j++) {
650 for (k = 0; k < 2; k++) {
651 pfs->pcounters[i][j][k] +=
652 p->pfik_packets[i][j][k];
653 pfs->bcounters[i][j] +=
654 p->pfik_bytes[i][j][k];
655 }
656 }
657 }
658 } else {
659 /* just clear statistics */
660 bzero(p->pfik_packets, sizeof(p->pfik_packets));
661 bzero(p->pfik_bytes, sizeof(p->pfik_bytes));
662 p->pfik_tzero = pf_calendar_time_second();
663 }
664 }
665
666 int
pfi_get_ifaces(const char * name,user_addr_t buf,int * size)667 pfi_get_ifaces(const char *name, user_addr_t buf, int *size)
668 {
669 struct pfi_kif *p, *nextp;
670 int n = 0;
671
672 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
673
674 for (p = RB_MIN(pfi_ifhead, &pfi_ifs); p; p = nextp) {
675 nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p);
676 if (pfi_skip_if(name, p)) {
677 continue;
678 }
679 if (*size > n++) {
680 struct pfi_uif u;
681
682 if (!p->pfik_tzero) {
683 p->pfik_tzero = pf_calendar_time_second();
684 }
685 pfi_kif_ref(p, PFI_KIF_REF_RULE);
686
687 /* return the user space version of pfi_kif */
688 bzero(&u, sizeof(u));
689 bcopy(p->pfik_name, &u.pfik_name, sizeof(u.pfik_name));
690 bcopy(p->pfik_packets, &u.pfik_packets,
691 sizeof(u.pfik_packets));
692 bcopy(p->pfik_bytes, &u.pfik_bytes,
693 sizeof(u.pfik_bytes));
694 u.pfik_tzero = p->pfik_tzero;
695 u.pfik_flags = p->pfik_flags;
696 u.pfik_states = p->pfik_states;
697 u.pfik_rules = p->pfik_rules;
698
699 if (copyout(&u, buf, sizeof(u))) {
700 pfi_kif_unref(p, PFI_KIF_REF_RULE);
701 return EFAULT;
702 }
703 buf += sizeof(u);
704 nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p);
705 pfi_kif_unref(p, PFI_KIF_REF_RULE);
706 }
707 }
708 *size = n;
709 return 0;
710 }
711
712 int
pfi_skip_if(const char * filter,struct pfi_kif * p)713 pfi_skip_if(const char *filter, struct pfi_kif *p)
714 {
715 size_t n;
716
717 if (filter == NULL || !*filter) {
718 return 0;
719 }
720 if (strcmp(p->pfik_name, filter) == 0) {
721 return 0; /* exact match */
722 }
723 n = strlen(filter);
724 if (n < 1 || n >= IFNAMSIZ) {
725 return 1; /* sanity check */
726 }
727 if (filter[n - 1] >= '0' && filter[n - 1] <= '9') {
728 return 1; /* only do exact match in that case */
729 }
730 if (strncmp(p->pfik_name, filter, n)) {
731 return 1; /* prefix doesn't match */
732 }
733 return p->pfik_name[n] < '0' || p->pfik_name[n] > '9';
734 }
735
736 int
pfi_set_flags(const char * name,int flags)737 pfi_set_flags(const char *name, int flags)
738 {
739 struct pfi_kif *p;
740
741 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
742
743 RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
744 if (pfi_skip_if(name, p)) {
745 continue;
746 }
747 p->pfik_flags |= flags;
748 }
749 return 0;
750 }
751
752 int
pfi_clear_flags(const char * name,int flags)753 pfi_clear_flags(const char *name, int flags)
754 {
755 struct pfi_kif *p;
756
757 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
758
759 RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
760 if (pfi_skip_if(name, p)) {
761 continue;
762 }
763 p->pfik_flags &= ~flags;
764 }
765 return 0;
766 }
767
768 /* from pf_print_state.c */
769 uint8_t
pfi_unmask(void * addr)770 pfi_unmask(void *addr)
771 {
772 struct pf_addr *m = addr;
773 int i = 31, j = 0, b = 0;
774 u_int32_t tmp;
775
776 while (j < 4 && m->addr32[j] == 0xffffffff) {
777 b += 32;
778 j++;
779 }
780 if (j < 4) {
781 tmp = ntohl(m->addr32[j]);
782 for (i = 31; tmp & (1 << i); --i) {
783 b++;
784 }
785 }
786 VERIFY(b >= 0 && b <= UINT8_MAX);
787 return (uint8_t)b;
788 }
789