Lines Matching full:rule
175 "Size of pf(4) rule tag hashtable");
209 "Make the default rule drop all packets.");
340 /* default rule should never be garbage collected */ in pfattach_vnet()
403 * scrub rule functionality is hopefully removed some day in future. in pfattach_vnet()
434 struct pf_krule *rule; in pf_get_kpool() local
450 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, in pf_get_kpool()
453 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); in pf_get_kpool()
459 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, in pf_get_kpool()
462 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr); in pf_get_kpool()
465 while ((rule != NULL) && (rule->nr != rule_number)) in pf_get_kpool()
466 rule = TAILQ_NEXT(rule, entries); in pf_get_kpool()
468 if (rule == NULL) in pf_get_kpool()
473 return (&rule->rdr); in pf_get_kpool()
475 return (&rule->nat); in pf_get_kpool()
477 return (&rule->route); in pf_get_kpool()
518 pf_unlink_rule_locked(struct pf_krulequeue *rulequeue, struct pf_krule *rule) in pf_unlink_rule_locked() argument
524 TAILQ_REMOVE(rulequeue, rule, entries); in pf_unlink_rule_locked()
526 rule->rule_ref |= PFRULE_REFS; in pf_unlink_rule_locked()
527 TAILQ_INSERT_TAIL(&V_pf_unlinked_rules, rule, entries); in pf_unlink_rule_locked()
531 pf_unlink_rule(struct pf_krulequeue *rulequeue, struct pf_krule *rule) in pf_unlink_rule() argument
537 pf_unlink_rule_locked(rulequeue, rule); in pf_unlink_rule()
542 pf_free_eth_rule(struct pf_keth_rule *rule) in pf_free_eth_rule() argument
546 if (rule == NULL) in pf_free_eth_rule()
549 if (rule->tag) in pf_free_eth_rule()
550 tag_unref(&V_pf_tags, rule->tag); in pf_free_eth_rule()
551 if (rule->match_tag) in pf_free_eth_rule()
552 tag_unref(&V_pf_tags, rule->match_tag); in pf_free_eth_rule()
554 pf_qid_unref(rule->qid); in pf_free_eth_rule()
557 if (rule->bridge_to) in pf_free_eth_rule()
558 pfi_kkif_unref(rule->bridge_to); in pf_free_eth_rule()
559 if (rule->kif) in pf_free_eth_rule()
560 pfi_kkif_unref(rule->kif); in pf_free_eth_rule()
562 if (rule->ipsrc.addr.type == PF_ADDR_TABLE) in pf_free_eth_rule()
563 pfr_detach_table(rule->ipsrc.addr.p.tbl); in pf_free_eth_rule()
564 if (rule->ipdst.addr.type == PF_ADDR_TABLE) in pf_free_eth_rule()
565 pfr_detach_table(rule->ipdst.addr.p.tbl); in pf_free_eth_rule()
567 counter_u64_free(rule->evaluations); in pf_free_eth_rule()
569 counter_u64_free(rule->packets[i]); in pf_free_eth_rule()
570 counter_u64_free(rule->bytes[i]); in pf_free_eth_rule()
572 uma_zfree_pcpu(pf_timestamp_pcpu_zone, rule->timestamp); in pf_free_eth_rule()
573 pf_keth_anchor_remove(rule); in pf_free_eth_rule()
575 free(rule, M_PFRULE); in pf_free_eth_rule()
579 pf_free_rule(struct pf_krule *rule) in pf_free_rule() argument
585 if (rule->tag) in pf_free_rule()
586 tag_unref(&V_pf_tags, rule->tag); in pf_free_rule()
587 if (rule->match_tag) in pf_free_rule()
588 tag_unref(&V_pf_tags, rule->match_tag); in pf_free_rule()
590 if (rule->pqid != rule->qid) in pf_free_rule()
591 pf_qid_unref(rule->pqid); in pf_free_rule()
592 pf_qid_unref(rule->qid); in pf_free_rule()
594 switch (rule->src.addr.type) { in pf_free_rule()
596 pfi_dynaddr_remove(rule->src.addr.p.dyn); in pf_free_rule()
599 pfr_detach_table(rule->src.addr.p.tbl); in pf_free_rule()
602 switch (rule->dst.addr.type) { in pf_free_rule()
604 pfi_dynaddr_remove(rule->dst.addr.p.dyn); in pf_free_rule()
607 pfr_detach_table(rule->dst.addr.p.tbl); in pf_free_rule()
610 if (rule->overload_tbl) in pf_free_rule()
611 pfr_detach_table(rule->overload_tbl); in pf_free_rule()
612 if (rule->kif) in pf_free_rule()
613 pfi_kkif_unref(rule->kif); in pf_free_rule()
614 if (rule->rcv_kif) in pf_free_rule()
615 pfi_kkif_unref(rule->rcv_kif); in pf_free_rule()
616 pf_remove_kanchor(rule); in pf_free_rule()
617 pf_empty_kpool(&rule->rdr.list); in pf_free_rule()
618 pf_empty_kpool(&rule->nat.list); in pf_free_rule()
619 pf_empty_kpool(&rule->route.list); in pf_free_rule()
621 pf_krule_free(rule); in pf_free_rule()
772 struct pf_keth_rule *rule, *tmp; in pf_begin_eth() local
782 TAILQ_FOREACH_SAFE(rule, rs->inactive.rules, entries, in pf_begin_eth()
784 TAILQ_REMOVE(rs->inactive.rules, rule, in pf_begin_eth()
786 pf_free_eth_rule(rule); in pf_begin_eth()
798 struct pf_keth_rule *rule, *tmp; in pf_rollback_eth() local
812 TAILQ_FOREACH_SAFE(rule, rs->inactive.rules, entries, in pf_rollback_eth()
814 TAILQ_REMOVE(rs->inactive.rules, rule, entries); in pf_rollback_eth()
815 pf_free_eth_rule(rule); in pf_rollback_eth()
1201 struct pf_krule *rule; in pf_begin_rules() local
1218 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { in pf_begin_rules()
1219 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule); in pf_begin_rules()
1231 struct pf_krule *rule; in pf_rollback_rules() local
1241 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { in pf_rollback_rules()
1242 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule); in pf_rollback_rules()
1293 pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule) in pf_hash_rule_rolling() argument
1298 pf_hash_rule_addr(ctx, &rule->src); in pf_hash_rule_rolling()
1299 pf_hash_rule_addr(ctx, &rule->dst); in pf_hash_rule_rolling()
1301 PF_MD5_UPD_STR(rule, label[i]); in pf_hash_rule_rolling()
1302 PF_MD5_UPD_STR(rule, ifname); in pf_hash_rule_rolling()
1303 PF_MD5_UPD_STR(rule, rcv_ifname); in pf_hash_rule_rolling()
1304 PF_MD5_UPD_STR(rule, match_tagname); in pf_hash_rule_rolling()
1305 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */ in pf_hash_rule_rolling()
1306 PF_MD5_UPD_HTONL(rule, os_fingerprint, y); in pf_hash_rule_rolling()
1307 PF_MD5_UPD_HTONL(rule, prob, y); in pf_hash_rule_rolling()
1308 PF_MD5_UPD_HTONL(rule, uid.uid[0], y); in pf_hash_rule_rolling()
1309 PF_MD5_UPD_HTONL(rule, uid.uid[1], y); in pf_hash_rule_rolling()
1310 PF_MD5_UPD(rule, uid.op); in pf_hash_rule_rolling()
1311 PF_MD5_UPD_HTONL(rule, gid.gid[0], y); in pf_hash_rule_rolling()
1312 PF_MD5_UPD_HTONL(rule, gid.gid[1], y); in pf_hash_rule_rolling()
1313 PF_MD5_UPD(rule, gid.op); in pf_hash_rule_rolling()
1314 PF_MD5_UPD_HTONL(rule, rule_flag, y); in pf_hash_rule_rolling()
1315 PF_MD5_UPD(rule, action); in pf_hash_rule_rolling()
1316 PF_MD5_UPD(rule, direction); in pf_hash_rule_rolling()
1317 PF_MD5_UPD(rule, af); in pf_hash_rule_rolling()
1318 PF_MD5_UPD(rule, quick); in pf_hash_rule_rolling()
1319 PF_MD5_UPD(rule, ifnot); in pf_hash_rule_rolling()
1320 PF_MD5_UPD(rule, rcvifnot); in pf_hash_rule_rolling()
1321 PF_MD5_UPD(rule, match_tag_not); in pf_hash_rule_rolling()
1322 PF_MD5_UPD(rule, natpass); in pf_hash_rule_rolling()
1323 PF_MD5_UPD(rule, keep_state); in pf_hash_rule_rolling()
1324 PF_MD5_UPD(rule, proto); in pf_hash_rule_rolling()
1325 PF_MD5_UPD(rule, type); in pf_hash_rule_rolling()
1326 PF_MD5_UPD(rule, code); in pf_hash_rule_rolling()
1327 PF_MD5_UPD(rule, flags); in pf_hash_rule_rolling()
1328 PF_MD5_UPD(rule, flagset); in pf_hash_rule_rolling()
1329 PF_MD5_UPD(rule, allow_opts); in pf_hash_rule_rolling()
1330 PF_MD5_UPD(rule, rt); in pf_hash_rule_rolling()
1331 PF_MD5_UPD(rule, tos); in pf_hash_rule_rolling()
1332 PF_MD5_UPD(rule, scrub_flags); in pf_hash_rule_rolling()
1333 PF_MD5_UPD(rule, min_ttl); in pf_hash_rule_rolling()
1334 PF_MD5_UPD(rule, set_tos); in pf_hash_rule_rolling()
1335 if (rule->anchor != NULL) in pf_hash_rule_rolling()
1336 PF_MD5_UPD_STR(rule, anchor->path); in pf_hash_rule_rolling()
1340 pf_hash_rule(struct pf_krule *rule) in pf_hash_rule() argument
1345 pf_hash_rule_rolling(&ctx, rule); in pf_hash_rule()
1346 MD5Final(rule->md5sum, &ctx); in pf_hash_rule()
1360 struct pf_krule *rule, *old_rule; in pf_commit_rules() local
1396 TAILQ_FOREACH(rule, rs->rules[rs_num].active.ptr, in pf_commit_rules()
1398 old_rule = RB_FIND(pf_krule_global, old_tree, rule); in pf_commit_rules()
1403 pf_counter_u64_rollup_protected(&rule->evaluations, in pf_commit_rules()
1405 pf_counter_u64_rollup_protected(&rule->packets[0], in pf_commit_rules()
1407 pf_counter_u64_rollup_protected(&rule->packets[1], in pf_commit_rules()
1409 pf_counter_u64_rollup_protected(&rule->bytes[0], in pf_commit_rules()
1411 pf_counter_u64_rollup_protected(&rule->bytes[1], in pf_commit_rules()
1425 /* Purge the old rule list. */ in pf_commit_rules()
1427 while ((rule = TAILQ_FIRST(old_rules)) != NULL) in pf_commit_rules()
1428 pf_unlink_rule_locked(old_rules, rule); in pf_commit_rules()
1442 struct pf_krule *rule; in pf_setup_pfsync_matching() local
1453 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr, in pf_setup_pfsync_matching()
1455 pf_hash_rule_rolling(&ctx, rule); in pf_setup_pfsync_matching()
1527 if (in->rule != NULL) in pf_src_node_copy()
1528 out->rule.nr = in->rule->nr; in pf_src_node_copy()
1795 struct pf_krule *rule; in pf_krule_alloc() local
1797 rule = malloc(sizeof(struct pf_krule), M_PFRULE, M_WAITOK | M_ZERO); in pf_krule_alloc()
1798 mtx_init(&rule->nat.mtx, "pf_krule_nat_pool", NULL, MTX_DEF); in pf_krule_alloc()
1799 mtx_init(&rule->rdr.mtx, "pf_krule_rdr_pool", NULL, MTX_DEF); in pf_krule_alloc()
1800 mtx_init(&rule->route.mtx, "pf_krule_route_pool", NULL, MTX_DEF); in pf_krule_alloc()
1801 rule->timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone, in pf_krule_alloc()
1803 return (rule); in pf_krule_alloc()
1807 pf_krule_free(struct pf_krule *rule) in pf_krule_free() argument
1813 if (rule == NULL) in pf_krule_free()
1817 if (rule->allrulelinked) { in pf_krule_free()
1821 LIST_REMOVE(rule, allrulelist); in pf_krule_free()
1828 pf_counter_u64_deinit(&rule->evaluations); in pf_krule_free()
1830 pf_counter_u64_deinit(&rule->packets[i]); in pf_krule_free()
1831 pf_counter_u64_deinit(&rule->bytes[i]); in pf_krule_free()
1833 counter_u64_free(rule->states_cur); in pf_krule_free()
1834 counter_u64_free(rule->states_tot); in pf_krule_free()
1836 counter_u64_free(rule->src_nodes[sn_type]); in pf_krule_free()
1837 uma_zfree_pcpu(pf_timestamp_pcpu_zone, rule->timestamp); in pf_krule_free()
1839 mtx_destroy(&rule->nat.mtx); in pf_krule_free()
1840 mtx_destroy(&rule->rdr.mtx); in pf_krule_free()
1841 mtx_destroy(&rule->route.mtx); in pf_krule_free()
1842 free(rule, M_PFRULE); in pf_krule_free()
1846 pf_krule_clear_counters(struct pf_krule *rule) in pf_krule_clear_counters() argument
1848 pf_counter_u64_zero(&rule->evaluations); in pf_krule_clear_counters()
1850 pf_counter_u64_zero(&rule->packets[i]); in pf_krule_clear_counters()
1851 pf_counter_u64_zero(&rule->bytes[i]); in pf_krule_clear_counters()
1853 counter_u64_zero(rule->states_tot); in pf_krule_clear_counters()
1895 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule) in pf_rule_to_krule() argument
1900 if (rule->af == AF_INET) { in pf_rule_to_krule()
1905 if (rule->af == AF_INET6) { in pf_rule_to_krule()
1910 ret = pf_check_rule_addr(&rule->src); in pf_rule_to_krule()
1913 ret = pf_check_rule_addr(&rule->dst); in pf_rule_to_krule()
1917 bcopy(&rule->src, &krule->src, sizeof(rule->src)); in pf_rule_to_krule()
1918 bcopy(&rule->dst, &krule->dst, sizeof(rule->dst)); in pf_rule_to_krule()
1920 ret = pf_user_strcpy(krule->label[0], rule->label, sizeof(rule->label)); in pf_rule_to_krule()
1923 ret = pf_user_strcpy(krule->ifname, rule->ifname, sizeof(rule->ifname)); in pf_rule_to_krule()
1926 ret = pf_user_strcpy(krule->qname, rule->qname, sizeof(rule->qname)); in pf_rule_to_krule()
1929 ret = pf_user_strcpy(krule->pqname, rule->pqname, sizeof(rule->pqname)); in pf_rule_to_krule()
1932 ret = pf_user_strcpy(krule->tagname, rule->tagname, in pf_rule_to_krule()
1933 sizeof(rule->tagname)); in pf_rule_to_krule()
1936 ret = pf_user_strcpy(krule->match_tagname, rule->match_tagname, in pf_rule_to_krule()
1937 sizeof(rule->match_tagname)); in pf_rule_to_krule()
1940 ret = pf_user_strcpy(krule->overload_tblname, rule->overload_tblname, in pf_rule_to_krule()
1941 sizeof(rule->overload_tblname)); in pf_rule_to_krule()
1945 pf_pool_to_kpool(&rule->rpool, &krule->rdr); in pf_rule_to_krule()
1950 krule->os_fingerprint = rule->os_fingerprint; in pf_rule_to_krule()
1952 krule->rtableid = rule->rtableid; in pf_rule_to_krule()
1954 bcopy(rule->timeout, krule->timeout, sizeof(rule->timeout)); in pf_rule_to_krule()
1955 krule->max_states = rule->max_states; in pf_rule_to_krule()
1956 krule->max_src_nodes = rule->max_src_nodes; in pf_rule_to_krule()
1957 krule->max_src_states = rule->max_src_states; in pf_rule_to_krule()
1958 krule->max_src_conn = rule->max_src_conn; in pf_rule_to_krule()
1959 krule->max_src_conn_rate.limit = rule->max_src_conn_rate.limit; in pf_rule_to_krule()
1960 krule->max_src_conn_rate.seconds = rule->max_src_conn_rate.seconds; in pf_rule_to_krule()
1961 krule->qid = rule->qid; in pf_rule_to_krule()
1962 krule->pqid = rule->pqid; in pf_rule_to_krule()
1963 krule->nr = rule->nr; in pf_rule_to_krule()
1964 krule->prob = rule->prob; in pf_rule_to_krule()
1965 krule->cuid = rule->cuid; in pf_rule_to_krule()
1966 krule->cpid = rule->cpid; in pf_rule_to_krule()
1968 krule->return_icmp = rule->return_icmp; in pf_rule_to_krule()
1969 krule->return_icmp6 = rule->return_icmp6; in pf_rule_to_krule()
1970 krule->max_mss = rule->max_mss; in pf_rule_to_krule()
1971 krule->tag = rule->tag; in pf_rule_to_krule()
1972 krule->match_tag = rule->match_tag; in pf_rule_to_krule()
1973 krule->scrub_flags = rule->scrub_flags; in pf_rule_to_krule()
1975 bcopy(&rule->uid, &krule->uid, sizeof(krule->uid)); in pf_rule_to_krule()
1976 bcopy(&rule->gid, &krule->gid, sizeof(krule->gid)); in pf_rule_to_krule()
1978 krule->rule_flag = rule->rule_flag; in pf_rule_to_krule()
1979 krule->action = rule->action; in pf_rule_to_krule()
1980 krule->direction = rule->direction; in pf_rule_to_krule()
1981 krule->log = rule->log; in pf_rule_to_krule()
1982 krule->logif = rule->logif; in pf_rule_to_krule()
1983 krule->quick = rule->quick; in pf_rule_to_krule()
1984 krule->ifnot = rule->ifnot; in pf_rule_to_krule()
1985 krule->match_tag_not = rule->match_tag_not; in pf_rule_to_krule()
1986 krule->natpass = rule->natpass; in pf_rule_to_krule()
1988 krule->keep_state = rule->keep_state; in pf_rule_to_krule()
1989 krule->af = rule->af; in pf_rule_to_krule()
1990 krule->proto = rule->proto; in pf_rule_to_krule()
1991 krule->type = rule->type; in pf_rule_to_krule()
1992 krule->code = rule->code; in pf_rule_to_krule()
1993 krule->flags = rule->flags; in pf_rule_to_krule()
1994 krule->flagset = rule->flagset; in pf_rule_to_krule()
1995 krule->min_ttl = rule->min_ttl; in pf_rule_to_krule()
1996 krule->allow_opts = rule->allow_opts; in pf_rule_to_krule()
1997 krule->rt = rule->rt; in pf_rule_to_krule()
1998 krule->return_ttl = rule->return_ttl; in pf_rule_to_krule()
1999 krule->tos = rule->tos; in pf_rule_to_krule()
2000 krule->set_tos = rule->set_tos; in pf_rule_to_krule()
2002 krule->flush = rule->flush; in pf_rule_to_krule()
2003 krule->prio = rule->prio; in pf_rule_to_krule()
2004 krule->set_prio[0] = rule->set_prio[0]; in pf_rule_to_krule()
2005 krule->set_prio[1] = rule->set_prio[1]; in pf_rule_to_krule()
2007 bcopy(&rule->divert, &krule->divert, sizeof(krule->divert)); in pf_rule_to_krule()
2025 rs_num = pf_get_ruleset_number(pr->rule.action); in pf_ioctl_getrules()
2084 pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, in pf_ioctl_addrule() argument
2098 if ((rule->return_icmp >> 8) > ICMP_MAXTYPE) in pf_ioctl_addrule()
2101 if ((error = pf_rule_checkaf(rule))) in pf_ioctl_addrule()
2103 if (pf_validate_range(rule->src.port_op, rule->src.port)) in pf_ioctl_addrule()
2105 if (pf_validate_range(rule->dst.port_op, rule->dst.port)) in pf_ioctl_addrule()
2108 if (rule->ifname[0]) in pf_ioctl_addrule()
2110 if (rule->rcv_ifname[0]) in pf_ioctl_addrule()
2112 pf_counter_u64_init(&rule->evaluations, M_WAITOK); in pf_ioctl_addrule()
2114 pf_counter_u64_init(&rule->packets[i], M_WAITOK); in pf_ioctl_addrule()
2115 pf_counter_u64_init(&rule->bytes[i], M_WAITOK); in pf_ioctl_addrule()
2117 rule->states_cur = counter_u64_alloc(M_WAITOK); in pf_ioctl_addrule()
2118 rule->states_tot = counter_u64_alloc(M_WAITOK); in pf_ioctl_addrule()
2120 rule->src_nodes[sn_type] = counter_u64_alloc(M_WAITOK); in pf_ioctl_addrule()
2121 rule->cuid = uid; in pf_ioctl_addrule()
2122 rule->cpid = pid; in pf_ioctl_addrule()
2123 TAILQ_INIT(&rule->rdr.list); in pf_ioctl_addrule()
2124 TAILQ_INIT(&rule->nat.list); in pf_ioctl_addrule()
2125 TAILQ_INIT(&rule->route.list); in pf_ioctl_addrule()
2130 LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist); in pf_ioctl_addrule()
2131 MPASS(!rule->allrulelinked); in pf_ioctl_addrule()
2132 rule->allrulelinked = true; in pf_ioctl_addrule()
2138 rs_num = pf_get_ruleset_number(rule->action); in pf_ioctl_addrule()
2167 rule->nr = tail->nr + 1; in pf_ioctl_addrule()
2169 rule->nr = 0; in pf_ioctl_addrule()
2170 if (rule->ifname[0]) { in pf_ioctl_addrule()
2171 rule->kif = pfi_kkif_attach(kif, rule->ifname); in pf_ioctl_addrule()
2173 pfi_kkif_ref(rule->kif); in pf_ioctl_addrule()
2175 rule->kif = NULL; in pf_ioctl_addrule()
2177 if (rule->rcv_ifname[0]) { in pf_ioctl_addrule()
2178 rule->rcv_kif = pfi_kkif_attach(rcv_kif, rule->rcv_ifname); in pf_ioctl_addrule()
2180 pfi_kkif_ref(rule->rcv_kif); in pf_ioctl_addrule()
2182 rule->rcv_kif = NULL; in pf_ioctl_addrule()
2184 if (rule->rtableid > 0 && rule->rtableid >= rt_numfibs) in pf_ioctl_addrule()
2188 if (rule->qname[0] != 0) { in pf_ioctl_addrule()
2189 if ((rule->qid = pf_qname2qid(rule->qname)) == 0) in pf_ioctl_addrule()
2191 else if (rule->pqname[0] != 0) { in pf_ioctl_addrule()
2192 if ((rule->pqid = in pf_ioctl_addrule()
2193 pf_qname2qid(rule->pqname)) == 0) in pf_ioctl_addrule()
2196 rule->pqid = rule->qid; in pf_ioctl_addrule()
2199 if (rule->tagname[0]) in pf_ioctl_addrule()
2200 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0) in pf_ioctl_addrule()
2202 if (rule->match_tagname[0]) in pf_ioctl_addrule()
2203 if ((rule->match_tag = in pf_ioctl_addrule()
2204 pf_tagname2tag(rule->match_tagname)) == 0) in pf_ioctl_addrule()
2206 if (rule->rt && !rule->direction) in pf_ioctl_addrule()
2208 if (!rule->log) in pf_ioctl_addrule()
2209 rule->logif = 0; in pf_ioctl_addrule()
2210 if (! pf_init_threshold(&rule->pktrate, rule->pktrate.limit, in pf_ioctl_addrule()
2211 rule->pktrate.seconds)) in pf_ioctl_addrule()
2213 if (pf_addr_setup(ruleset, &rule->src.addr, rule->af)) in pf_ioctl_addrule()
2215 if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af)) in pf_ioctl_addrule()
2217 if (pf_kanchor_setup(rule, ruleset, anchor_call)) in pf_ioctl_addrule()
2219 if (rule->scrub_flags & PFSTATE_SETPRIO && in pf_ioctl_addrule()
2220 (rule->set_prio[0] > PF_PRIO_MAX || in pf_ioctl_addrule()
2221 rule->set_prio[1] > PF_PRIO_MAX)) in pf_ioctl_addrule()
2233 rule->overload_tbl = NULL; in pf_ioctl_addrule()
2234 if (rule->overload_tblname[0]) { in pf_ioctl_addrule()
2235 if ((rule->overload_tbl = pfr_attach_table(ruleset, in pf_ioctl_addrule()
2236 rule->overload_tblname)) == NULL) in pf_ioctl_addrule()
2239 rule->overload_tbl->pfrkt_flags |= in pf_ioctl_addrule()
2243 pf_mv_kpool(&V_pf_pabuf[0], &rule->nat.list); in pf_ioctl_addrule()
2250 if (rule->rt > PF_NOPFROUTE && TAILQ_EMPTY(&V_pf_pabuf[2])) { in pf_ioctl_addrule()
2251 pf_mv_kpool(&V_pf_pabuf[1], &rule->route.list); in pf_ioctl_addrule()
2253 pf_mv_kpool(&V_pf_pabuf[1], &rule->rdr.list); in pf_ioctl_addrule()
2254 pf_mv_kpool(&V_pf_pabuf[2], &rule->route.list); in pf_ioctl_addrule()
2257 if (((rule->action == PF_NAT) || (rule->action == PF_RDR) || in pf_ioctl_addrule()
2258 (rule->action == PF_BINAT)) && rule->anchor == NULL && in pf_ioctl_addrule()
2259 TAILQ_FIRST(&rule->rdr.list) == NULL) { in pf_ioctl_addrule()
2263 if (rule->rt > PF_NOPFROUTE && (TAILQ_FIRST(&rule->route.list) == NULL)) { in pf_ioctl_addrule()
2267 if (rule->action == PF_PASS && (rule->rdr.opts & PF_POOL_STICKYADDR || in pf_ioctl_addrule()
2268 rule->nat.opts & PF_POOL_STICKYADDR) && !rule->keep_state) { in pf_ioctl_addrule()
2274 rule->nat.cur = TAILQ_FIRST(&rule->nat.list); in pf_ioctl_addrule()
2275 rule->rdr.cur = TAILQ_FIRST(&rule->rdr.list); in pf_ioctl_addrule()
2276 rule->route.cur = TAILQ_FIRST(&rule->route.list); in pf_ioctl_addrule()
2278 rule, entries); in pf_ioctl_addrule()
2282 pf_hash_rule(rule); in pf_ioctl_addrule()
2283 if (RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule) != NULL) { in pf_ioctl_addrule()
2285 TAILQ_REMOVE(ruleset->rules[rs_num].inactive.ptr, rule, entries); in pf_ioctl_addrule()
2287 pf_free_rule(rule); in pf_ioctl_addrule()
2288 rule = NULL; in pf_ioctl_addrule()
2303 pf_krule_free(rule); in pf_ioctl_addrule()
2308 pf_label_match(const struct pf_krule *rule, const char *label) in pf_label_match() argument
2312 while (*rule->label[i]) { in pf_label_match()
2313 if (strcmp(rule->label[i], label) == 0) in pf_label_match()
2404 ! pf_label_match(s->rule, psk->psk_label)) in pf_killstates_row()
3133 struct pf_keth_rule *rule = NULL; in pfioctl() local
3185 rule = TAILQ_FIRST(rs->active.rules); in pfioctl()
3186 while ((rule != NULL) && (rule->nr != nr)) in pfioctl()
3187 rule = TAILQ_NEXT(rule, entries); in pfioctl()
3188 if (rule == NULL) { in pfioctl()
3192 /* Make sure rule can't go away. */ in pfioctl()
3195 nvl = pf_keth_rule_to_nveth_rule(rule); in pfioctl()
3196 if (pf_keth_anchor_nvcopyout(rs, rule, nvl)) { in pfioctl()
3215 counter_u64_zero(rule->evaluations); in pfioctl()
3217 counter_u64_zero(rule->packets[i]); in pfioctl()
3218 counter_u64_zero(rule->bytes[i]); in pfioctl()
3233 struct pf_keth_rule *rule = NULL, *tail = NULL; in pfioctl() local
3273 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK); in pfioctl()
3274 rule->timestamp = NULL; in pfioctl()
3276 error = pf_nveth_rule_to_keth_rule(nvl, rule); in pfioctl()
3280 if (rule->ifname[0]) in pfioctl()
3282 if (rule->bridge_to_name[0]) in pfioctl()
3284 rule->evaluations = counter_u64_alloc(M_WAITOK); in pfioctl()
3286 rule->packets[i] = counter_u64_alloc(M_WAITOK); in pfioctl()
3287 rule->bytes[i] = counter_u64_alloc(M_WAITOK); in pfioctl()
3289 rule->timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone, in pfioctl()
3294 if (rule->ifname[0]) { in pfioctl()
3295 rule->kif = pfi_kkif_attach(kif, rule->ifname); in pfioctl()
3296 pfi_kkif_ref(rule->kif); in pfioctl()
3298 rule->kif = NULL; in pfioctl()
3299 if (rule->bridge_to_name[0]) { in pfioctl()
3300 rule->bridge_to = pfi_kkif_attach(bridge_to_kif, in pfioctl()
3301 rule->bridge_to_name); in pfioctl()
3302 pfi_kkif_ref(rule->bridge_to); in pfioctl()
3304 rule->bridge_to = NULL; in pfioctl()
3308 if (rule->qname[0] != 0) { in pfioctl()
3309 if ((rule->qid = pf_qname2qid(rule->qname)) == 0) in pfioctl()
3312 rule->qid = rule->qid; in pfioctl()
3315 if (rule->tagname[0]) in pfioctl()
3316 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0) in pfioctl()
3318 if (rule->match_tagname[0]) in pfioctl()
3319 if ((rule->match_tag = pf_tagname2tag( in pfioctl()
3320 rule->match_tagname)) == 0) in pfioctl()
3323 if (error == 0 && rule->ipdst.addr.type == PF_ADDR_TABLE) in pfioctl()
3324 error = pf_eth_addr_setup(ruleset, &rule->ipdst.addr); in pfioctl()
3325 if (error == 0 && rule->ipsrc.addr.type == PF_ADDR_TABLE) in pfioctl()
3326 error = pf_eth_addr_setup(ruleset, &rule->ipsrc.addr); in pfioctl()
3329 pf_free_eth_rule(rule); in pfioctl()
3334 if (pf_keth_anchor_setup(rule, ruleset, anchor_call)) { in pfioctl()
3335 pf_free_eth_rule(rule); in pfioctl()
3342 rule->nr = tail->nr + 1; in pfioctl()
3344 rule->nr = 0; in pfioctl()
3346 TAILQ_INSERT_TAIL(ruleset->inactive.rules, rule, entries); in pfioctl()
3533 struct pf_krule *rule = NULL; in pfioctl() local
3559 if (! nvlist_exists_nvlist(nvl, "rule")) in pfioctl()
3562 rule = pf_krule_alloc(); in pfioctl()
3563 error = pf_nvrule_to_krule(nvlist_get_nvlist(nvl, "rule"), in pfioctl()
3564 rule); in pfioctl()
3576 /* Frees rule on error */ in pfioctl()
3577 error = pf_ioctl_addrule(rule, ticket, pool_ticket, anchor, in pfioctl()
3586 pf_krule_free(rule); in pfioctl()
3594 struct pf_krule *rule; in pfioctl() local
3596 rule = pf_krule_alloc(); in pfioctl()
3597 error = pf_rule_to_krule(&pr->rule, rule); in pfioctl()
3599 pf_krule_free(rule); in pfioctl()
3605 /* Frees rule on error */ in pfioctl()
3606 error = pf_ioctl_addrule(rule, pr->ticket, pr->pool_ticket, in pfioctl()
3627 struct pf_krule *rule; in pfioctl() local
3688 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); in pfioctl()
3689 while ((rule != NULL) && (rule->nr != nr)) in pfioctl()
3690 rule = TAILQ_NEXT(rule, entries); in pfioctl()
3691 if (rule == NULL) { in pfioctl()
3696 nvrule = pf_krule_to_nvrule(rule); in pfioctl()
3705 nvlist_add_nvlist(nvl, "rule", nvrule); in pfioctl()
3708 if (pf_kanchor_nvcopyout(ruleset, rule, nvl)) { in pfioctl()
3730 pf_krule_clear_counters(rule); in pfioctl()
3761 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { in pfioctl()
3768 error = pf_rule_to_krule(&pcr->rule, newrule); in pfioctl()
3816 rs_num = pf_get_ruleset_number(pcr->rule.action); in pfioctl()
3823 * As a result it is possible the rule tree will not in pfioctl()
4286 struct pf_krule *rule; in pfioctl() local
4289 TAILQ_FOREACH(rule, in pfioctl()
4291 pf_counter_u64_zero(&rule->evaluations); in pfioctl()
4293 pf_counter_u64_zero(&rule->packets[i]); in pfioctl()
4294 pf_counter_u64_zero(&rule->bytes[i]); in pfioctl()
5783 if (st->rule == NULL) in pfsync_state_export()
5784 sp->pfs_1301.rule = htonl(-1); in pfsync_state_export()
5786 sp->pfs_1301.rule = htonl(st->rule->nr); in pfsync_state_export()
5848 if (st->rule == NULL) in pf_state_export()
5849 sp->rule = htonl(-1); in pf_state_export()
5851 sp->rule = htonl(st->rule->nr); in pf_state_export()
6452 * explicit anchor rule or they may be left empty in shutdown_pf()
6477 * explicit anchor rule or they may be left empty in shutdown_pf()