1 /*
2 * Copyright (c) 2007-2021 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $apfw: pf_if.c,v 1.4 2008/08/27 00:01:32 jhw Exp $ */
30 /* $OpenBSD: pf_if.c,v 1.46 2006/12/13 09:01:59 itojun Exp $ */
31
32 /*
33 * Copyright 2005 Henning Brauer <[email protected]>
34 * Copyright 2005 Ryan McBride <[email protected]>
35 * Copyright (c) 2001 Daniel Hartmeier
36 * Copyright (c) 2003 Cedric Berger
37 * All rights reserved.
38 *
39 * Redistribution and use in source and binary forms, with or without
40 * modification, are permitted provided that the following conditions
41 * are met:
42 *
43 * - Redistributions of source code must retain the above copyright
44 * notice, this list of conditions and the following disclaimer.
45 * - Redistributions in binary form must reproduce the above
46 * copyright notice, this list of conditions and the following
47 * disclaimer in the documentation and/or other materials provided
48 * with the distribution.
49 *
50 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
51 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
52 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
53 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
54 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
55 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
56 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
58 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
60 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
61 * POSSIBILITY OF SUCH DAMAGE.
62 */
63
64 #include <sys/param.h>
65 #include <sys/systm.h>
66 #include <sys/mbuf.h>
67 #include <sys/filio.h>
68 #include <sys/socket.h>
69 #include <sys/socketvar.h>
70 #include <sys/kernel.h>
71 #include <sys/time.h>
72 #include <sys/malloc.h>
73
74 #include <net/if.h>
75 #include <net/if_types.h>
76 #include <net/if_var.h>
77
78 #include <netinet/in.h>
79 #include <netinet/in_var.h>
80 #include <netinet/in_systm.h>
81 #include <netinet/ip.h>
82 #include <netinet/ip_var.h>
83
84 #include <netinet/ip6.h>
85
86 #include <net/pfvar.h>
87
88 struct pfi_kif *pfi_all = NULL;
89
90 static struct pool pfi_addr_pl;
91 static struct pfi_ifhead pfi_ifs;
92 static u_int32_t pfi_update = 1;
93 static int pfi_buffer_max;
94 static struct pfr_addr *__counted_by(pfi_buffer_max) pfi_buffer;
95 static int pfi_buffer_cnt;
96
97 __private_extern__ void pfi_kifaddr_update(void *);
98
99 static void pfi_kif_update(struct pfi_kif *);
100 static void pfi_dynaddr_update(struct pfi_dynaddr *dyn);
101 static void pfi_table_update(struct pfr_ktable *, struct pfi_kif *, uint8_t, int);
102 static void pfi_instance_add(struct ifnet *, uint8_t, int);
103 static void pfi_address_add(struct sockaddr *, uint8_t, uint8_t);
104 static int pfi_if_compare(struct pfi_kif *, struct pfi_kif *);
105 static int pfi_skip_if(const char *, struct pfi_kif *);
106 static uint8_t pfi_unmask(void *);
107
108 RB_PROTOTYPE_SC(static, pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
109 RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
110
111 #define PFI_BUFFER_MAX 0x10000
112
113 #define IFG_ALL "ALL"
114
115 void
pfi_initialize(void)116 pfi_initialize(void)
117 {
118 if (pfi_all != NULL) { /* already initialized */
119 return;
120 }
121
122 pool_init(&pfi_addr_pl, sizeof(struct pfi_dynaddr), 0, 0, 0,
123 "pfiaddrpl", NULL);
124 pfi_buffer = (struct pfr_addr *)kalloc_data(64 * sizeof(*pfi_buffer),
125 Z_WAITOK);
126 pfi_buffer_max = 64;
127
128 if ((pfi_all = pfi_kif_get(IFG_ALL)) == NULL) {
129 panic("pfi_kif_get for pfi_all failed");
130 }
131 }
132
133 #if 0
134 void
135 pfi_destroy(void)
136 {
137 pool_destroy(&pfi_addr_pl);
138 kfree_data(pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
139 }
140 #endif
141
142 struct pfi_kif *
pfi_kif_get(const char * kif_name)143 pfi_kif_get(const char *kif_name)
144 {
145 struct pfi_kif *__single kif;
146 struct pfi_kif s;
147
148 bzero(&s.pfik_name, sizeof(s.pfik_name));
149 strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name));
150 kif = RB_FIND(pfi_ifhead, &pfi_ifs, &s);
151 if (kif != NULL) {
152 return kif;
153 }
154
155 /* create new one */
156 if ((kif = kalloc_type(struct pfi_kif, Z_WAITOK | Z_ZERO)) == NULL) {
157 return NULL;
158 }
159
160 strlcpy(kif->pfik_name, kif_name, sizeof(kif->pfik_name));
161 kif->pfik_tzero = pf_calendar_time_second();
162 TAILQ_INIT(&kif->pfik_dynaddrs);
163
164 RB_INSERT(pfi_ifhead, &pfi_ifs, kif);
165 return kif;
166 }
167
168 void
pfi_kif_ref(struct pfi_kif * kif,enum pfi_kif_refs what)169 pfi_kif_ref(struct pfi_kif *kif, enum pfi_kif_refs what)
170 {
171 switch (what) {
172 case PFI_KIF_REF_RULE:
173 kif->pfik_rules++;
174 break;
175 case PFI_KIF_REF_STATE:
176 kif->pfik_states++;
177 break;
178 default:
179 panic("pfi_kif_ref with unknown type");
180 }
181 }
182
183 void
pfi_kif_unref(struct pfi_kif * kif,enum pfi_kif_refs what)184 pfi_kif_unref(struct pfi_kif *kif, enum pfi_kif_refs what)
185 {
186 if (kif == NULL) {
187 return;
188 }
189
190 switch (what) {
191 case PFI_KIF_REF_NONE:
192 break;
193 case PFI_KIF_REF_RULE:
194 if (kif->pfik_rules <= 0) {
195 printf("pfi_kif_unref: rules refcount <= 0\n");
196 return;
197 }
198 kif->pfik_rules--;
199 break;
200 case PFI_KIF_REF_STATE:
201 if (kif->pfik_states <= 0) {
202 printf("pfi_kif_unref: state refcount <= 0\n");
203 return;
204 }
205 kif->pfik_states--;
206 break;
207 default:
208 panic("pfi_kif_unref with unknown type");
209 }
210
211 if (kif->pfik_ifp != NULL || kif == pfi_all) {
212 return;
213 }
214
215 if (kif->pfik_rules || kif->pfik_states) {
216 return;
217 }
218
219 RB_REMOVE(pfi_ifhead, &pfi_ifs, kif);
220 kfree_type(struct pfi_kif, kif);
221 }
222
223 int
pfi_kif_match(struct pfi_kif * rule_kif,struct pfi_kif * packet_kif)224 pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif)
225 {
226 if (rule_kif == NULL || rule_kif == packet_kif) {
227 return 1;
228 }
229
230 return 0;
231 }
232
233 void
pfi_attach_ifnet(struct ifnet * ifp)234 pfi_attach_ifnet(struct ifnet *ifp)
235 {
236 struct pfi_kif *kif;
237
238 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
239
240 pfi_update++;
241 if ((kif = pfi_kif_get(if_name(ifp))) == NULL) {
242 panic("pfi_kif_get failed");
243 }
244
245 ifnet_lock_exclusive(ifp);
246 kif->pfik_ifp = ifp;
247 ifp->if_pf_kif = kif;
248 ifnet_lock_done(ifp);
249
250 pfi_kif_update(kif);
251 }
252
253 /*
254 * Caller holds ifnet lock as writer (exclusive);
255 */
256 void
pfi_detach_ifnet(struct ifnet * ifp)257 pfi_detach_ifnet(struct ifnet *ifp)
258 {
259 struct pfi_kif *kif;
260
261 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
262
263 if ((kif = (struct pfi_kif *)ifp->if_pf_kif) == NULL) {
264 return;
265 }
266
267 pfi_update++;
268 pfi_kif_update(kif);
269
270 ifnet_lock_exclusive(ifp);
271 kif->pfik_ifp = NULL;
272 ifp->if_pf_kif = NULL;
273 ifnet_lock_done(ifp);
274
275 pfi_kif_unref(kif, PFI_KIF_REF_NONE);
276 }
277
278 int
pfi_match_addr(struct pfi_dynaddr * dyn,struct pf_addr * a,sa_family_t af)279 pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af)
280 {
281 switch (af) {
282 #if INET
283 case AF_INET:
284 switch (dyn->pfid_acnt4) {
285 case 0:
286 return 0;
287 case 1:
288 return PF_MATCHA(0, &dyn->pfid_addr4,
289 &dyn->pfid_mask4, a, AF_INET);
290 default:
291 return pfr_match_addr(dyn->pfid_kt, a, AF_INET);
292 }
293 #endif /* INET */
294 case AF_INET6:
295 switch (dyn->pfid_acnt6) {
296 case 0:
297 return 0;
298 case 1:
299 return PF_MATCHA(0, &dyn->pfid_addr6,
300 &dyn->pfid_mask6, a, AF_INET6);
301 default:
302 return pfr_match_addr(dyn->pfid_kt, a, AF_INET6);
303 }
304 default:
305 return 0;
306 }
307 }
308
309 int
pfi_dynaddr_setup(struct pf_addr_wrap * aw,sa_family_t af)310 pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
311 {
312 struct pfi_dynaddr *__single dyn;
313 char tblnamebuf[PF_TABLE_NAME_SIZE];
314 const char *__null_terminated tblname = NULL;
315 struct pf_ruleset *__single ruleset = NULL;
316 int rv = 0;
317
318 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
319
320 if (aw->type != PF_ADDR_DYNIFTL) {
321 return 0;
322 }
323 if ((dyn = pool_get(&pfi_addr_pl, PR_WAITOK)) == NULL) {
324 return 1;
325 }
326 bzero(dyn, sizeof(*dyn));
327
328 if (strlcmp(aw->v.ifname, "self", sizeof(aw->v.ifname)) == 0) {
329 dyn->pfid_kif = pfi_kif_get(IFG_ALL);
330 } else {
331 dyn->pfid_kif = pfi_kif_get(__unsafe_null_terminated_from_indexable(aw->v.ifname));
332 }
333 if (dyn->pfid_kif == NULL) {
334 rv = 1;
335 goto _bad;
336 }
337 pfi_kif_ref(dyn->pfid_kif, PFI_KIF_REF_RULE);
338
339 dyn->pfid_net = pfi_unmask(&aw->v.a.mask);
340 if (af == AF_INET && dyn->pfid_net == 32) {
341 dyn->pfid_net = 128;
342 }
343 strbufcpy(tblnamebuf, aw->v.ifname);
344 if (aw->iflags & PFI_AFLAG_NETWORK) {
345 strlcat(tblnamebuf, ":network", sizeof(tblnamebuf));
346 }
347 if (aw->iflags & PFI_AFLAG_BROADCAST) {
348 strlcat(tblnamebuf, ":broadcast", sizeof(tblnamebuf));
349 }
350 if (aw->iflags & PFI_AFLAG_PEER) {
351 strlcat(tblnamebuf, ":peer", sizeof(tblnamebuf));
352 }
353 if (aw->iflags & PFI_AFLAG_NOALIAS) {
354 strlcat(tblnamebuf, ":0", sizeof(tblnamebuf));
355 }
356 if (dyn->pfid_net == 128) {
357 tblname = __unsafe_null_terminated_from_indexable(tblnamebuf);
358 } else {
359 tblname = tsnprintf(tblnamebuf + strbuflen(tblnamebuf),
360 sizeof(tblnamebuf) - strbuflen(tblnamebuf), "/%d", dyn->pfid_net);
361 }
362 if ((ruleset = pf_find_or_create_ruleset(PF_RESERVED_ANCHOR)) == NULL) {
363 rv = 1;
364 goto _bad;
365 }
366
367 if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname)) == NULL) {
368 rv = 1;
369 goto _bad;
370 }
371
372 dyn->pfid_kt->pfrkt_flags |= PFR_TFLAG_ACTIVE;
373 dyn->pfid_iflags = aw->iflags;
374 dyn->pfid_af = af;
375
376 TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
377 aw->p.dyn = dyn;
378 pfi_kif_update(dyn->pfid_kif);
379 return 0;
380
381 _bad:
382 if (dyn->pfid_kt != NULL) {
383 pfr_detach_table(dyn->pfid_kt);
384 }
385 if (ruleset != NULL) {
386 pf_release_ruleset(ruleset);
387 }
388 if (dyn->pfid_kif != NULL) {
389 pfi_kif_unref(dyn->pfid_kif, PFI_KIF_REF_RULE);
390 }
391 pool_put(&pfi_addr_pl, dyn);
392 return rv;
393 }
394
395 void
pfi_kif_update(struct pfi_kif * kif)396 pfi_kif_update(struct pfi_kif *kif)
397 {
398 struct pfi_dynaddr *p;
399
400 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
401
402 /* update all dynaddr */
403 TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry)
404 pfi_dynaddr_update(p);
405 }
406
407 void
pfi_dynaddr_update(struct pfi_dynaddr * dyn)408 pfi_dynaddr_update(struct pfi_dynaddr *dyn)
409 {
410 struct pfi_kif *kif;
411 struct pfr_ktable *kt;
412
413 if (dyn == NULL || dyn->pfid_kif == NULL || dyn->pfid_kt == NULL) {
414 panic("pfi_dynaddr_update");
415 }
416
417 kif = dyn->pfid_kif;
418 kt = dyn->pfid_kt;
419
420 if (kt->pfrkt_larg != pfi_update) {
421 /* this table needs to be brought up-to-date */
422 pfi_table_update(kt, kif, dyn->pfid_net, dyn->pfid_iflags);
423 kt->pfrkt_larg = pfi_update;
424 }
425 pfr_dynaddr_update(kt, dyn);
426 }
427
428 void
pfi_table_update(struct pfr_ktable * kt,struct pfi_kif * kif,uint8_t net,int flags)429 pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, uint8_t net, int flags)
430 {
431 int e, size2 = 0;
432
433 pfi_buffer_cnt = 0;
434
435 if (kif->pfik_ifp != NULL) {
436 pfi_instance_add(kif->pfik_ifp, net, flags);
437 }
438
439 if ((e = pfr_set_addrs(&kt->pfrkt_t, CAST_USER_ADDR_T(pfi_buffer),
440 pfi_buffer_cnt, &size2, NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) {
441 printf("pfi_table_update: cannot set %d new addresses "
442 "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e);
443 }
444 }
445
446 void
pfi_instance_add(struct ifnet * ifp,uint8_t net,int flags)447 pfi_instance_add(struct ifnet *ifp, uint8_t net, int flags)
448 {
449 struct ifaddr *__single ia;
450 int got4 = 0, got6 = 0;
451 uint8_t net2, af;
452
453 if (ifp == NULL) {
454 return;
455 }
456 ifnet_lock_shared(ifp);
457 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
458 IFA_LOCK(ia);
459 if (ia->ifa_addr == NULL) {
460 IFA_UNLOCK(ia);
461 continue;
462 }
463 af = ia->ifa_addr->sa_family;
464 if (af != AF_INET && af != AF_INET6) {
465 IFA_UNLOCK(ia);
466 continue;
467 }
468 if ((flags & PFI_AFLAG_BROADCAST) && af == AF_INET6) {
469 IFA_UNLOCK(ia);
470 continue;
471 }
472 if ((flags & PFI_AFLAG_BROADCAST) &&
473 !(ifp->if_flags & IFF_BROADCAST)) {
474 IFA_UNLOCK(ia);
475 continue;
476 }
477 if ((flags & PFI_AFLAG_PEER) &&
478 !(ifp->if_flags & IFF_POINTOPOINT)) {
479 IFA_UNLOCK(ia);
480 continue;
481 }
482 if ((af == AF_INET6) &&
483 IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)
484 (void *)ia->ifa_addr)->sin6_addr)) {
485 IFA_UNLOCK(ia);
486 continue;
487 }
488 if ((af == AF_INET6) &&
489 ((ifatoia6(ia))->ia6_flags &
490 (IN6_IFF_ANYCAST | IN6_IFF_NOTREADY | IN6_IFF_DETACHED |
491 IN6_IFF_CLAT46 | IN6_IFF_TEMPORARY | IN6_IFF_DEPRECATED))) {
492 IFA_UNLOCK(ia);
493 continue;
494 }
495 if (flags & PFI_AFLAG_NOALIAS) {
496 if (af == AF_INET && got4) {
497 IFA_UNLOCK(ia);
498 continue;
499 }
500 if (af == AF_INET6 && got6) {
501 IFA_UNLOCK(ia);
502 continue;
503 }
504 }
505 if (af == AF_INET) {
506 got4 = 1;
507 } else if (af == AF_INET6) {
508 got6 = 1;
509 }
510 net2 = net;
511 if (net2 == 128 && (flags & PFI_AFLAG_NETWORK)) {
512 if (af == AF_INET) {
513 net2 = pfi_unmask(&((struct sockaddr_in *)
514 (void *)ia->ifa_netmask)->sin_addr);
515 } else if (af == AF_INET6) {
516 net2 = pfi_unmask(&((struct sockaddr_in6 *)
517 (void *)ia->ifa_netmask)->sin6_addr);
518 }
519 }
520 if (af == AF_INET && net2 > 32) {
521 net2 = 32;
522 }
523 if (flags & PFI_AFLAG_BROADCAST) {
524 pfi_address_add(ia->ifa_broadaddr, af, net2);
525 } else if (flags & PFI_AFLAG_PEER) {
526 pfi_address_add(ia->ifa_dstaddr, af, net2);
527 } else {
528 pfi_address_add(ia->ifa_addr, af, net2);
529 }
530 IFA_UNLOCK(ia);
531 }
532 ifnet_lock_done(ifp);
533 }
534
535 void
pfi_address_add(struct sockaddr * sa,uint8_t af,uint8_t net)536 pfi_address_add(struct sockaddr *sa, uint8_t af, uint8_t net)
537 {
538 struct pfr_addr *p;
539 int i;
540
541 if (pfi_buffer_cnt >= pfi_buffer_max) {
542 int new_max = pfi_buffer_max * 2;
543
544 if (new_max > PFI_BUFFER_MAX) {
545 printf("pfi_address_add: address buffer full (%d/%d)\n",
546 pfi_buffer_cnt, PFI_BUFFER_MAX);
547 return;
548 }
549 p = (struct pfr_addr *)kalloc_data(new_max * sizeof(*pfi_buffer),
550 Z_WAITOK);
551 if (p == NULL) {
552 printf("pfi_address_add: no memory to grow buffer "
553 "(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX);
554 return;
555 }
556 memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
557 /* no need to zero buffer */
558 kfree_data_counted_by(pfi_buffer, pfi_buffer_max);
559 pfi_buffer = p;
560 pfi_buffer_max = new_max;
561 }
562 if (af == AF_INET && net > 32) {
563 net = 128;
564 }
565 p = pfi_buffer + pfi_buffer_cnt++;
566 bzero(p, sizeof(*p));
567 p->pfra_af = af;
568 p->pfra_net = net;
569 if (af == AF_INET) {
570 p->pfra_ip4addr = ((struct sockaddr_in *)(void *)sa)->sin_addr;
571 } else if (af == AF_INET6) {
572 p->pfra_ip6addr =
573 ((struct sockaddr_in6 *)(void *)sa)->sin6_addr;
574 if (IN6_IS_SCOPE_EMBED(&p->pfra_ip6addr)) {
575 p->pfra_ip6addr.s6_addr16[1] = 0;
576 }
577 }
578 /* mask network address bits */
579 if (net < 128) {
580 ((caddr_t)p)[p->pfra_net / 8] &= ~(0xFF >> (p->pfra_net % 8));
581 }
582 for (i = (p->pfra_net + 7) / 8; i < (int)sizeof(p->pfra_u); i++) {
583 ((caddr_t)p)[i] = 0;
584 }
585 }
586
587 void
pfi_dynaddr_remove(struct pf_addr_wrap * aw)588 pfi_dynaddr_remove(struct pf_addr_wrap *aw)
589 {
590 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL ||
591 aw->p.dyn->pfid_kif == NULL || aw->p.dyn->pfid_kt == NULL) {
592 return;
593 }
594
595 TAILQ_REMOVE(&aw->p.dyn->pfid_kif->pfik_dynaddrs, aw->p.dyn, entry);
596 pfi_kif_unref(aw->p.dyn->pfid_kif, PFI_KIF_REF_RULE);
597 aw->p.dyn->pfid_kif = NULL;
598 pfr_detach_table(aw->p.dyn->pfid_kt);
599 aw->p.dyn->pfid_kt = NULL;
600 pool_put(&pfi_addr_pl, aw->p.dyn);
601 aw->p.dyn = NULL;
602 }
603
604 void
pfi_dynaddr_copyout(struct pf_addr_wrap * aw)605 pfi_dynaddr_copyout(struct pf_addr_wrap *aw)
606 {
607 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL ||
608 aw->p.dyn->pfid_kif == NULL) {
609 return;
610 }
611 aw->p.dyncnt = aw->p.dyn->pfid_acnt4 + aw->p.dyn->pfid_acnt6;
612 }
613
614 void
pfi_kifaddr_update(void * v)615 pfi_kifaddr_update(void *v)
616 {
617 struct pfi_kif *kif = (struct pfi_kif *)v;
618
619 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
620
621 pfi_update++;
622 pfi_kif_update(kif);
623 }
624
625 int
pfi_if_compare(struct pfi_kif * p,struct pfi_kif * q)626 pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q)
627 {
628 return strbufcmp(p->pfik_name, q->pfik_name);
629 }
630
631 void
pfi_update_status(const char * __null_terminated name,struct pf_status * pfs)632 pfi_update_status(const char *__null_terminated name, struct pf_status *pfs)
633 {
634 struct pfi_kif *p;
635 struct pfi_kif key;
636 int i, j, k;
637
638 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
639
640 bzero(&key.pfik_name, sizeof(key.pfik_name));
641 strlcpy(key.pfik_name, name, sizeof(key.pfik_name));
642 p = RB_FIND(pfi_ifhead, &pfi_ifs, &key);
643 if (p == NULL) {
644 return;
645 }
646
647 if (pfs != NULL) {
648 bzero(pfs->pcounters, sizeof(pfs->pcounters));
649 bzero(pfs->bcounters, sizeof(pfs->bcounters));
650 for (i = 0; i < 2; i++) {
651 for (j = 0; j < 2; j++) {
652 for (k = 0; k < 2; k++) {
653 pfs->pcounters[i][j][k] +=
654 p->pfik_packets[i][j][k];
655 pfs->bcounters[i][j] +=
656 p->pfik_bytes[i][j][k];
657 }
658 }
659 }
660 } else {
661 /* just clear statistics */
662 bzero(p->pfik_packets, sizeof(p->pfik_packets));
663 bzero(p->pfik_bytes, sizeof(p->pfik_bytes));
664 p->pfik_tzero = pf_calendar_time_second();
665 }
666 }
667
668 int
pfi_get_ifaces(const char * name,user_addr_t buf,int * size)669 pfi_get_ifaces(const char *name, user_addr_t buf, int *size)
670 {
671 struct pfi_kif *__single p, *__single nextp;
672 int n = 0;
673
674 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
675
676 for (p = RB_MIN(pfi_ifhead, &pfi_ifs); p; p = nextp) {
677 nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p);
678 if (pfi_skip_if(name, p)) {
679 continue;
680 }
681 if (*size > n++) {
682 struct pfi_uif u;
683
684 if (!p->pfik_tzero) {
685 p->pfik_tzero = pf_calendar_time_second();
686 }
687 pfi_kif_ref(p, PFI_KIF_REF_RULE);
688
689 /* return the user space version of pfi_kif */
690 bzero(&u, sizeof(u));
691 bcopy(p->pfik_name, &u.pfik_name, sizeof(u.pfik_name));
692 bcopy(p->pfik_packets, &u.pfik_packets,
693 sizeof(u.pfik_packets));
694 bcopy(p->pfik_bytes, &u.pfik_bytes,
695 sizeof(u.pfik_bytes));
696 u.pfik_tzero = p->pfik_tzero;
697 u.pfik_flags = p->pfik_flags;
698 u.pfik_states = p->pfik_states;
699 u.pfik_rules = p->pfik_rules;
700
701 if (copyout(&u, buf, sizeof(u))) {
702 pfi_kif_unref(p, PFI_KIF_REF_RULE);
703 return EFAULT;
704 }
705 buf += sizeof(u);
706 nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p);
707 pfi_kif_unref(p, PFI_KIF_REF_RULE);
708 }
709 }
710 *size = n;
711 return 0;
712 }
713
714 int
pfi_skip_if(const char * filter,struct pfi_kif * p)715 pfi_skip_if(const char *filter, struct pfi_kif *p)
716 {
717 size_t n;
718
719 if (filter == NULL || !*filter) {
720 return 0;
721 }
722 if (strlcmp(p->pfik_name, filter, sizeof(p->pfik_name)) == 0) {
723 return 0; /* exact match */
724 }
725 n = strlen(filter);
726 if (n < 1 || n >= IFNAMSIZ) {
727 return 1; /* sanity check */
728 }
729 char const * fp = __null_terminated_to_indexable(filter);
730 if (fp[n - 1] >= '0' && fp[n - 1] <= '9') {
731 return 1; /* only do exact match in that case */
732 }
733 if (strlcmp(p->pfik_name, filter, sizeof(p->pfik_name))) {
734 return 1; /* prefix doesn't match */
735 }
736 return p->pfik_name[n] < '0' || p->pfik_name[n] > '9';
737 }
738
739 int
pfi_set_flags(const char * name,int flags)740 pfi_set_flags(const char *name, int flags)
741 {
742 struct pfi_kif *p;
743
744 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
745
746 RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
747 if (pfi_skip_if(name, p)) {
748 continue;
749 }
750 p->pfik_flags |= flags;
751 }
752 return 0;
753 }
754
755 int
pfi_clear_flags(const char * name,int flags)756 pfi_clear_flags(const char *name, int flags)
757 {
758 struct pfi_kif *p;
759
760 LCK_MTX_ASSERT(&pf_lock, LCK_MTX_ASSERT_OWNED);
761
762 RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
763 if (pfi_skip_if(name, p)) {
764 continue;
765 }
766 p->pfik_flags &= ~flags;
767 }
768 return 0;
769 }
770
771 /* from pf_print_state.c */
772 uint8_t
pfi_unmask(void * addr)773 pfi_unmask(void *addr)
774 {
775 struct pf_addr *__single m = addr;
776 int i = 31, j = 0, b = 0;
777 u_int32_t tmp;
778
779 while (j < 4 && m->addr32[j] == 0xffffffff) {
780 b += 32;
781 j++;
782 }
783 if (j < 4) {
784 tmp = ntohl(m->addr32[j]);
785 for (i = 31; tmp & (1 << i); --i) {
786 b++;
787 }
788 }
789 VERIFY(b >= 0 && b <= UINT8_MAX);
790 return (uint8_t)b;
791 }
792