1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2003 Cedric Berger
6 * Copyright (c) 2005 Henning Brauer <henning@openbsd.org>
7 * Copyright (c) 2005 Ryan McBride <mcbride@openbsd.org>
8 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org>
9 * All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 *
15 * - Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * - Redistributions in binary form must reproduce the above
18 * copyright notice, this list of conditions and the following
19 * disclaimer in the documentation and/or other materials provided
20 * with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
25 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
26 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
28 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
30 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
32 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 *
35 * $OpenBSD: pf_if.c,v 1.54 2008/06/14 16:55:28 mk Exp $
36 */
37
38 #include <sys/cdefs.h>
39 #include "opt_inet.h"
40 #include "opt_inet6.h"
41
42 #include <sys/param.h>
43 #include <sys/kernel.h>
44 #include <sys/eventhandler.h>
45 #include <sys/lock.h>
46 #include <sys/mbuf.h>
47 #include <sys/socket.h>
48
49 #include <net/if.h>
50 #include <net/if_var.h>
51 #include <net/if_private.h>
52 #include <net/vnet.h>
53 #include <net/pfvar.h>
54 #include <net/route.h>
55
56 VNET_DEFINE(struct pfi_kkif *, pfi_all);
57 VNET_DEFINE_STATIC(long, pfi_update);
58 #define V_pfi_update VNET(pfi_update)
59 #define PFI_BUFFER_MAX 0x10000
60
61 VNET_DECLARE(int, pf_vnet_active);
62 #define V_pf_vnet_active VNET(pf_vnet_active)
63
64 VNET_DEFINE_STATIC(struct pfr_addr *, pfi_buffer);
65 VNET_DEFINE_STATIC(int, pfi_buffer_cnt);
66 VNET_DEFINE_STATIC(int, pfi_buffer_max);
67 #define V_pfi_buffer VNET(pfi_buffer)
68 #define V_pfi_buffer_cnt VNET(pfi_buffer_cnt)
69 #define V_pfi_buffer_max VNET(pfi_buffer_max)
70
71 #ifdef PF_WANT_32_TO_64_COUNTER
72 VNET_DEFINE(struct allkiflist_head, pf_allkiflist);
73 VNET_DEFINE(size_t, pf_allkifcount);
74 VNET_DEFINE(struct pfi_kkif *, pf_kifmarker);
75 #endif
76
77 eventhandler_tag pfi_attach_cookie;
78 eventhandler_tag pfi_detach_cookie;
79 eventhandler_tag pfi_attach_group_cookie;
80 eventhandler_tag pfi_change_group_cookie;
81 eventhandler_tag pfi_detach_group_cookie;
82 eventhandler_tag pfi_ifaddr_event_cookie;
83
84 static void pfi_attach_ifnet(struct ifnet *, struct pfi_kkif *);
85 static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kkif *);
86
87 static void pfi_kkif_update(struct pfi_kkif *);
88 static void pfi_dynaddr_update(struct pfi_dynaddr *dyn);
89 static void pfi_table_update(struct pfr_ktable *, struct pfi_kkif *, int,
90 int);
91 static void pfi_instance_add(struct ifnet *, int, int);
92 static void pfi_address_add(struct sockaddr *, int, int);
93 static int pfi_kkif_compare(struct pfi_kkif *, struct pfi_kkif *);
94 static int pfi_skip_if(const char *, struct pfi_kkif *);
95 static int pfi_unmask(void *);
96 static void pfi_attach_ifnet_event(void * __unused, struct ifnet *);
97 static void pfi_detach_ifnet_event(void * __unused, struct ifnet *);
98 static void pfi_attach_group_event(void * __unused, struct ifg_group *);
99 static void pfi_change_group_event(void * __unused, char *);
100 static void pfi_detach_group_event(void * __unused, struct ifg_group *);
101 static void pfi_ifaddr_event(void * __unused, struct ifnet *);
102
103 RB_HEAD(pfi_ifhead, pfi_kkif);
104 static RB_PROTOTYPE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare);
105 static RB_GENERATE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare);
106 VNET_DEFINE_STATIC(struct pfi_ifhead, pfi_ifs);
107 #define V_pfi_ifs VNET(pfi_ifs)
108
109 #define PFI_BUFFER_MAX 0x10000
110 MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interface database");
111
112 LIST_HEAD(pfi_list, pfi_kkif);
113 VNET_DEFINE_STATIC(struct pfi_list, pfi_unlinked_kifs);
114 #define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs)
115 static struct mtx pfi_unlnkdkifs_mtx;
116 MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unlnkdkifs_mtx, "pf unlinked interfaces",
117 MTX_DEF);
118
119 void
pfi_initialize_vnet(void)120 pfi_initialize_vnet(void)
121 {
122 struct pfi_list kifs = LIST_HEAD_INITIALIZER();
123 struct epoch_tracker et;
124 struct pfi_kkif *kif;
125 struct ifg_group *ifg;
126 struct ifnet *ifp;
127 int nkifs;
128
129 V_pfi_buffer_max = 64;
130 V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer),
131 PFI_MTYPE, M_WAITOK);
132
133 nkifs = 1; /* one for V_pfi_all */
134 IFNET_RLOCK();
135 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next)
136 nkifs++;
137 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link)
138 nkifs++;
139
140 for (int n = 0; n < nkifs; n++) {
141 kif = pf_kkif_create(M_WAITOK);
142 LIST_INSERT_HEAD(&kifs, kif, pfik_list);
143 }
144
145 NET_EPOCH_ENTER(et);
146 PF_RULES_WLOCK();
147 kif = LIST_FIRST(&kifs);
148 LIST_REMOVE(kif, pfik_list);
149 V_pfi_all = pfi_kkif_attach(kif, IFG_ALL);
150 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) {
151 kif = LIST_FIRST(&kifs);
152 LIST_REMOVE(kif, pfik_list);
153 pfi_attach_ifgroup(ifg, kif);
154 }
155 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) {
156 kif = LIST_FIRST(&kifs);
157 LIST_REMOVE(kif, pfik_list);
158 pfi_attach_ifnet(ifp, kif);
159 }
160 PF_RULES_WUNLOCK();
161 NET_EPOCH_EXIT(et);
162 IFNET_RUNLOCK();
163
164 MPASS(LIST_EMPTY(&kifs));
165 }
166
167 void
pfi_initialize(void)168 pfi_initialize(void)
169 {
170
171 pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event,
172 pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY);
173 pfi_detach_cookie = EVENTHANDLER_REGISTER(ifnet_departure_event,
174 pfi_detach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY);
175 pfi_attach_group_cookie = EVENTHANDLER_REGISTER(group_attach_event,
176 pfi_attach_group_event, NULL, EVENTHANDLER_PRI_ANY);
177 pfi_change_group_cookie = EVENTHANDLER_REGISTER(group_change_event,
178 pfi_change_group_event, NULL, EVENTHANDLER_PRI_ANY);
179 pfi_detach_group_cookie = EVENTHANDLER_REGISTER(group_detach_event,
180 pfi_detach_group_event, NULL, EVENTHANDLER_PRI_ANY);
181 pfi_ifaddr_event_cookie = EVENTHANDLER_REGISTER(ifaddr_event,
182 pfi_ifaddr_event, NULL, EVENTHANDLER_PRI_ANY);
183 }
184
185 void
pfi_cleanup_vnet(void)186 pfi_cleanup_vnet(void)
187 {
188 struct pfi_kkif *kif;
189
190 PF_RULES_WASSERT();
191
192 V_pfi_all = NULL;
193 while ((kif = RB_MIN(pfi_ifhead, &V_pfi_ifs))) {
194 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif);
195 if (kif->pfik_group)
196 kif->pfik_group->ifg_pf_kif = NULL;
197 if (kif->pfik_ifp) {
198 if_rele(kif->pfik_ifp);
199 kif->pfik_ifp->if_pf_kif = NULL;
200 }
201 pf_kkif_free(kif);
202 }
203
204 mtx_lock(&pfi_unlnkdkifs_mtx);
205 while ((kif = LIST_FIRST(&V_pfi_unlinked_kifs))) {
206 LIST_REMOVE(kif, pfik_list);
207 pf_kkif_free(kif);
208 }
209 mtx_unlock(&pfi_unlnkdkifs_mtx);
210
211 free(V_pfi_buffer, PFI_MTYPE);
212 }
213
214 void
pfi_cleanup(void)215 pfi_cleanup(void)
216 {
217
218 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie);
219 EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie);
220 EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie);
221 EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie);
222 EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie);
223 EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
224 }
225
226 struct pfi_kkif*
pf_kkif_create(int flags)227 pf_kkif_create(int flags)
228 {
229 struct pfi_kkif *kif;
230 #ifdef PF_WANT_32_TO_64_COUNTER
231 bool wowned;
232 #endif
233
234 kif = malloc(sizeof(*kif), PFI_MTYPE, flags | M_ZERO);
235 if (! kif)
236 return (kif);
237
238 for (int i = 0; i < 2; i++) {
239 for (int j = 0; j < 2; j++) {
240 for (int k = 0; k < 2; k++) {
241 if (pf_counter_u64_init(&kif->pfik_packets[i][j][k], flags) != 0) {
242 pf_kkif_free(kif);
243 return (NULL);
244 }
245
246 if (pf_counter_u64_init(&kif->pfik_bytes[i][j][k], flags) != 0) {
247 pf_kkif_free(kif);
248 return (NULL);
249 }
250 }
251 }
252 }
253
254 #ifdef PF_WANT_32_TO_64_COUNTER
255 wowned = PF_RULES_WOWNED();
256 if (!wowned)
257 PF_RULES_WLOCK();
258 LIST_INSERT_HEAD(&V_pf_allkiflist, kif, pfik_allkiflist);
259 V_pf_allkifcount++;
260 if (!wowned)
261 PF_RULES_WUNLOCK();
262 #endif
263
264 return (kif);
265 }
266
267 void
pf_kkif_free(struct pfi_kkif * kif)268 pf_kkif_free(struct pfi_kkif *kif)
269 {
270 #ifdef PF_WANT_32_TO_64_COUNTER
271 bool wowned;
272 #endif
273
274 if (! kif)
275 return;
276
277 #ifdef PF_WANT_32_TO_64_COUNTER
278 wowned = PF_RULES_WOWNED();
279 if (!wowned)
280 PF_RULES_WLOCK();
281 LIST_REMOVE(kif, pfik_allkiflist);
282 V_pf_allkifcount--;
283 if (!wowned)
284 PF_RULES_WUNLOCK();
285 #endif
286
287 for (int i = 0; i < 2; i++) {
288 for (int j = 0; j < 2; j++) {
289 for (int k = 0; k < 2; k++) {
290 pf_counter_u64_deinit(&kif->pfik_packets[i][j][k]);
291 pf_counter_u64_deinit(&kif->pfik_bytes[i][j][k]);
292 }
293 }
294 }
295
296 free(kif, PFI_MTYPE);
297 }
298
299 void
pf_kkif_zero(struct pfi_kkif * kif)300 pf_kkif_zero(struct pfi_kkif *kif)
301 {
302
303 for (int i = 0; i < 2; i++) {
304 for (int j = 0; j < 2; j++) {
305 for (int k = 0; k < 2; k++) {
306 pf_counter_u64_zero(&kif->pfik_packets[i][j][k]);
307 pf_counter_u64_zero(&kif->pfik_bytes[i][j][k]);
308 }
309 }
310 }
311 kif->pfik_tzero = time_second;
312 }
313
314 struct pfi_kkif *
pfi_kkif_find(const char * kif_name)315 pfi_kkif_find(const char *kif_name)
316 {
317 struct pfi_kif_cmp s;
318
319 PF_RULES_ASSERT();
320
321 memset(&s, 0, sizeof(s));
322 strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name));
323
324 return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&s));
325 }
326
327 struct pfi_kkif *
pfi_kkif_attach(struct pfi_kkif * kif,const char * kif_name)328 pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name)
329 {
330 struct pfi_kkif *kif1;
331
332 PF_RULES_WASSERT();
333 KASSERT(kif != NULL, ("%s: null kif", __func__));
334
335 kif1 = pfi_kkif_find(kif_name);
336 if (kif1 != NULL) {
337 pf_kkif_free(kif);
338 return (kif1);
339 }
340
341 pf_kkif_zero(kif);
342 strlcpy(kif->pfik_name, kif_name, sizeof(kif->pfik_name));
343 /*
344 * It seems that the value of time_second is in unintialzied state
345 * when pf sets interface statistics clear time in boot phase if pf
346 * was statically linked to kernel. Instead of setting the bogus
347 * time value have pfi_get_ifaces handle this case. In
348 * pfi_get_ifaces it uses time_second if it sees the time is 0.
349 */
350 kif->pfik_tzero = time_second > 1 ? time_second : 0;
351 TAILQ_INIT(&kif->pfik_dynaddrs);
352
353 RB_INSERT(pfi_ifhead, &V_pfi_ifs, kif);
354
355 return (kif);
356 }
357
358 void
pfi_kkif_ref(struct pfi_kkif * kif)359 pfi_kkif_ref(struct pfi_kkif *kif)
360 {
361
362 PF_RULES_WASSERT();
363 kif->pfik_rulerefs++;
364 }
365
366 static void
pfi_kkif_remove_if_unref(struct pfi_kkif * kif)367 pfi_kkif_remove_if_unref(struct pfi_kkif *kif)
368 {
369
370 PF_RULES_WASSERT();
371
372 if (kif->pfik_rulerefs > 0)
373 return;
374
375 /* kif referencing an existing ifnet or group or holding flags should
376 * exist. */
377 if (kif->pfik_ifp != NULL || kif->pfik_group != NULL ||
378 kif == V_pfi_all || kif->pfik_flags != 0)
379 return;
380
381 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif);
382
383 kif->pfik_flags |= PFI_IFLAG_REFS;
384
385 mtx_lock(&pfi_unlnkdkifs_mtx);
386 LIST_INSERT_HEAD(&V_pfi_unlinked_kifs, kif, pfik_list);
387 mtx_unlock(&pfi_unlnkdkifs_mtx);
388 }
389
390 void
pfi_kkif_unref(struct pfi_kkif * kif)391 pfi_kkif_unref(struct pfi_kkif *kif)
392 {
393
394 PF_RULES_WASSERT();
395 KASSERT(kif->pfik_rulerefs > 0, ("%s: %p has zero refs", __func__, kif));
396
397 kif->pfik_rulerefs--;
398
399 pfi_kkif_remove_if_unref(kif);
400 }
401
402 void
pfi_kkif_purge(void)403 pfi_kkif_purge(void)
404 {
405 struct pfi_kkif *kif, *kif1;
406
407 /*
408 * Do naive mark-and-sweep garbage collecting of old kifs.
409 * Reference flag is raised by pf_purge_expired_states().
410 */
411 mtx_lock(&pfi_unlnkdkifs_mtx);
412 LIST_FOREACH_SAFE(kif, &V_pfi_unlinked_kifs, pfik_list, kif1) {
413 if (!(kif->pfik_flags & PFI_IFLAG_REFS)) {
414 LIST_REMOVE(kif, pfik_list);
415 pf_kkif_free(kif);
416 } else
417 kif->pfik_flags &= ~PFI_IFLAG_REFS;
418 }
419 mtx_unlock(&pfi_unlnkdkifs_mtx);
420 }
421
422 int
pfi_kkif_match(struct pfi_kkif * rule_kif,struct pfi_kkif * packet_kif)423 pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif)
424 {
425 struct ifg_list *p;
426
427 NET_EPOCH_ASSERT();
428
429 if (rule_kif == NULL || rule_kif == packet_kif)
430 return (1);
431
432 if (rule_kif->pfik_group != NULL) {
433 CK_STAILQ_FOREACH(p, &packet_kif->pfik_ifp->if_groups, ifgl_next)
434 if (p->ifgl_group == rule_kif->pfik_group)
435 return (1);
436 }
437
438 return (0);
439 }
440
441 static void
pfi_attach_ifnet(struct ifnet * ifp,struct pfi_kkif * kif)442 pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kkif *kif)
443 {
444
445 PF_RULES_WASSERT();
446
447 V_pfi_update++;
448 kif = pfi_kkif_attach(kif, ifp->if_xname);
449 if_ref(ifp);
450 kif->pfik_ifp = ifp;
451 ifp->if_pf_kif = kif;
452 pfi_kkif_update(kif);
453 }
454
455 static void
pfi_attach_ifgroup(struct ifg_group * ifg,struct pfi_kkif * kif)456 pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kkif *kif)
457 {
458
459 PF_RULES_WASSERT();
460
461 V_pfi_update++;
462 kif = pfi_kkif_attach(kif, ifg->ifg_group);
463 kif->pfik_group = ifg;
464 ifg->ifg_pf_kif = kif;
465 }
466
467 int
pfi_match_addr(struct pfi_dynaddr * dyn,struct pf_addr * a,sa_family_t af)468 pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af)
469 {
470 switch (af) {
471 #ifdef INET
472 case AF_INET:
473 switch (dyn->pfid_acnt4) {
474 case 0:
475 return (0);
476 case 1:
477 return (PF_MATCHA(0, &dyn->pfid_addr4,
478 &dyn->pfid_mask4, a, AF_INET));
479 default:
480 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET));
481 }
482 break;
483 #endif /* INET */
484 #ifdef INET6
485 case AF_INET6:
486 switch (dyn->pfid_acnt6) {
487 case 0:
488 return (0);
489 case 1:
490 return (PF_MATCHA(0, &dyn->pfid_addr6,
491 &dyn->pfid_mask6, a, AF_INET6));
492 default:
493 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET6));
494 }
495 break;
496 #endif /* INET6 */
497 default:
498 return (0);
499 }
500 }
501
502 int
pfi_dynaddr_setup(struct pf_addr_wrap * aw,sa_family_t af)503 pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
504 {
505 struct epoch_tracker et;
506 struct pfi_dynaddr *dyn;
507 char tblname[PF_TABLE_NAME_SIZE];
508 struct pf_kruleset *ruleset = NULL;
509 struct pfi_kkif *kif;
510 int rv = 0;
511
512 PF_RULES_WASSERT();
513 KASSERT(aw->type == PF_ADDR_DYNIFTL, ("%s: type %u",
514 __func__, aw->type));
515 KASSERT(aw->p.dyn == NULL, ("%s: dyn is %p", __func__, aw->p.dyn));
516
517 if ((dyn = malloc(sizeof(*dyn), PFI_MTYPE, M_NOWAIT | M_ZERO)) == NULL)
518 return (ENOMEM);
519
520 if ((kif = pf_kkif_create(M_NOWAIT)) == NULL) {
521 free(dyn, PFI_MTYPE);
522 return (ENOMEM);
523 }
524
525 if (!strcmp(aw->v.ifname, "self"))
526 dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL);
527 else
528 dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname);
529 kif = NULL;
530 pfi_kkif_ref(dyn->pfid_kif);
531
532 dyn->pfid_net = pfi_unmask(&aw->v.a.mask);
533 if (af == AF_INET && dyn->pfid_net == 32)
534 dyn->pfid_net = 128;
535 strlcpy(tblname, aw->v.ifname, sizeof(tblname));
536 if (aw->iflags & PFI_AFLAG_NETWORK)
537 strlcat(tblname, ":network", sizeof(tblname));
538 if (aw->iflags & PFI_AFLAG_BROADCAST)
539 strlcat(tblname, ":broadcast", sizeof(tblname));
540 if (aw->iflags & PFI_AFLAG_PEER)
541 strlcat(tblname, ":peer", sizeof(tblname));
542 if (aw->iflags & PFI_AFLAG_NOALIAS)
543 strlcat(tblname, ":0", sizeof(tblname));
544 if (dyn->pfid_net != 128)
545 snprintf(tblname + strlen(tblname),
546 sizeof(tblname) - strlen(tblname), "/%d", dyn->pfid_net);
547 if ((ruleset = pf_find_or_create_kruleset(PF_RESERVED_ANCHOR)) == NULL) {
548 rv = ENOMEM;
549 goto _bad;
550 }
551
552 if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname)) == NULL) {
553 rv = ENOMEM;
554 goto _bad;
555 }
556
557 dyn->pfid_kt->pfrkt_flags |= PFR_TFLAG_ACTIVE;
558 dyn->pfid_iflags = aw->iflags;
559 dyn->pfid_af = af;
560
561 TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
562 aw->p.dyn = dyn;
563 NET_EPOCH_ENTER(et);
564 pfi_kkif_update(dyn->pfid_kif);
565 NET_EPOCH_EXIT(et);
566
567 return (0);
568
569 _bad:
570 if (dyn->pfid_kt != NULL)
571 pfr_detach_table(dyn->pfid_kt);
572 if (ruleset != NULL)
573 pf_remove_if_empty_kruleset(ruleset);
574 pfi_kkif_unref(dyn->pfid_kif);
575 free(dyn, PFI_MTYPE);
576
577 return (rv);
578 }
579
580 static void
pfi_kkif_update(struct pfi_kkif * kif)581 pfi_kkif_update(struct pfi_kkif *kif)
582 {
583 struct ifg_list *ifgl;
584 struct ifg_member *ifgm;
585 struct pfi_dynaddr *p;
586 struct pfi_kkif *tmpkif;
587
588 NET_EPOCH_ASSERT();
589 PF_RULES_WASSERT();
590
591 /* update all dynaddr */
592 TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry)
593 pfi_dynaddr_update(p);
594
595 /* Apply group flags to new members. */
596 if (kif->pfik_group != NULL) {
597 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members,
598 ifgm_next) {
599 tmpkif = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif;
600 if (tmpkif == NULL)
601 continue;
602
603 tmpkif->pfik_flags |= kif->pfik_flags;
604 }
605 }
606
607 /* again for all groups kif is member of */
608 if (kif->pfik_ifp != NULL) {
609 CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next)
610 pfi_kkif_update((struct pfi_kkif *)
611 ifgl->ifgl_group->ifg_pf_kif);
612 }
613 }
614
615 static void
pfi_dynaddr_update(struct pfi_dynaddr * dyn)616 pfi_dynaddr_update(struct pfi_dynaddr *dyn)
617 {
618 struct pfi_kkif *kif;
619 struct pfr_ktable *kt;
620
621 PF_RULES_WASSERT();
622 KASSERT(dyn && dyn->pfid_kif && dyn->pfid_kt,
623 ("%s: bad argument", __func__));
624
625 kif = dyn->pfid_kif;
626 kt = dyn->pfid_kt;
627
628 if (kt->pfrkt_larg != V_pfi_update) {
629 /* this table needs to be brought up-to-date */
630 pfi_table_update(kt, kif, dyn->pfid_net, dyn->pfid_iflags);
631 kt->pfrkt_larg = V_pfi_update;
632 }
633 pfr_dynaddr_update(kt, dyn);
634 }
635
636 static void
pfi_table_update(struct pfr_ktable * kt,struct pfi_kkif * kif,int net,int flags)637 pfi_table_update(struct pfr_ktable *kt, struct pfi_kkif *kif, int net, int flags)
638 {
639 int e, size2 = 0;
640 struct ifg_member *ifgm;
641
642 NET_EPOCH_ASSERT();
643
644 V_pfi_buffer_cnt = 0;
645
646 if (kif->pfik_ifp != NULL)
647 pfi_instance_add(kif->pfik_ifp, net, flags);
648 else if (kif->pfik_group != NULL) {
649 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next)
650 pfi_instance_add(ifgm->ifgm_ifp, net, flags);
651 }
652
653 if ((e = pfr_set_addrs(&kt->pfrkt_t, V_pfi_buffer, V_pfi_buffer_cnt, &size2,
654 NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK)))
655 printf("%s: cannot set %d new addresses into table %s: %d\n",
656 __func__, V_pfi_buffer_cnt, kt->pfrkt_name, e);
657 }
658
659 static void
pfi_instance_add(struct ifnet * ifp,int net,int flags)660 pfi_instance_add(struct ifnet *ifp, int net, int flags)
661 {
662 struct ifaddr *ia;
663 int got4 = 0, got6 = 0;
664 int net2, af;
665
666 NET_EPOCH_ASSERT();
667
668 CK_STAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
669 if (ia->ifa_addr == NULL)
670 continue;
671 af = ia->ifa_addr->sa_family;
672 if (af != AF_INET && af != AF_INET6)
673 continue;
674 /*
675 * XXX: For point-to-point interfaces, (ifname:0) and IPv4,
676 * jump over addresses without a proper route to work
677 * around a problem with ppp not fully removing the
678 * address used during IPCP.
679 */
680 if ((ifp->if_flags & IFF_POINTOPOINT) &&
681 !(ia->ifa_flags & IFA_ROUTE) &&
682 (flags & PFI_AFLAG_NOALIAS) && (af == AF_INET))
683 continue;
684 if ((flags & PFI_AFLAG_BROADCAST) && af == AF_INET6)
685 continue;
686 if ((flags & PFI_AFLAG_BROADCAST) &&
687 !(ifp->if_flags & IFF_BROADCAST))
688 continue;
689 if ((flags & PFI_AFLAG_PEER) &&
690 !(ifp->if_flags & IFF_POINTOPOINT))
691 continue;
692 if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) &&
693 af == AF_INET6 &&
694 IN6_IS_ADDR_LINKLOCAL(
695 &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
696 continue;
697 if (flags & PFI_AFLAG_NOALIAS) {
698 if (af == AF_INET && got4)
699 continue;
700 if (af == AF_INET6 && got6)
701 continue;
702 }
703 if (af == AF_INET)
704 got4 = 1;
705 else if (af == AF_INET6)
706 got6 = 1;
707 net2 = net;
708 if (net2 == 128 && (flags & PFI_AFLAG_NETWORK)) {
709 if (af == AF_INET)
710 net2 = pfi_unmask(&((struct sockaddr_in *)
711 ia->ifa_netmask)->sin_addr);
712 else if (af == AF_INET6)
713 net2 = pfi_unmask(&((struct sockaddr_in6 *)
714 ia->ifa_netmask)->sin6_addr);
715 }
716 if (af == AF_INET && net2 > 32)
717 net2 = 32;
718 if (flags & PFI_AFLAG_BROADCAST)
719 pfi_address_add(ia->ifa_broadaddr, af, net2);
720 else if (flags & PFI_AFLAG_PEER)
721 pfi_address_add(ia->ifa_dstaddr, af, net2);
722 else
723 pfi_address_add(ia->ifa_addr, af, net2);
724 }
725 }
726
727 static void
pfi_address_add(struct sockaddr * sa,int af,int net)728 pfi_address_add(struct sockaddr *sa, int af, int net)
729 {
730 struct pfr_addr *p;
731 int i;
732
733 if (V_pfi_buffer_cnt >= V_pfi_buffer_max) {
734 int new_max = V_pfi_buffer_max * 2;
735
736 if (new_max > PFI_BUFFER_MAX) {
737 printf("%s: address buffer full (%d/%d)\n", __func__,
738 V_pfi_buffer_cnt, PFI_BUFFER_MAX);
739 return;
740 }
741 p = malloc(new_max * sizeof(*V_pfi_buffer), PFI_MTYPE,
742 M_NOWAIT);
743 if (p == NULL) {
744 printf("%s: no memory to grow buffer (%d/%d)\n",
745 __func__, V_pfi_buffer_cnt, PFI_BUFFER_MAX);
746 return;
747 }
748 memcpy(p, V_pfi_buffer, V_pfi_buffer_max * sizeof(*V_pfi_buffer));
749 /* no need to zero buffer */
750 free(V_pfi_buffer, PFI_MTYPE);
751 V_pfi_buffer = p;
752 V_pfi_buffer_max = new_max;
753 }
754 if (af == AF_INET && net > 32)
755 net = 128;
756 p = V_pfi_buffer + V_pfi_buffer_cnt++;
757 memset(p, 0, sizeof(*p));
758 p->pfra_af = af;
759 p->pfra_net = net;
760 if (af == AF_INET)
761 p->pfra_ip4addr = ((struct sockaddr_in *)sa)->sin_addr;
762 else if (af == AF_INET6) {
763 p->pfra_ip6addr = ((struct sockaddr_in6 *)sa)->sin6_addr;
764 if (IN6_IS_SCOPE_EMBED(&p->pfra_ip6addr))
765 p->pfra_ip6addr.s6_addr16[1] = 0;
766 }
767 /* mask network address bits */
768 if (net < 128)
769 ((caddr_t)p)[p->pfra_net/8] &= ~(0xFF >> (p->pfra_net%8));
770 for (i = (p->pfra_net+7)/8; i < sizeof(p->pfra_u); i++)
771 ((caddr_t)p)[i] = 0;
772 }
773
774 void
pfi_dynaddr_remove(struct pfi_dynaddr * dyn)775 pfi_dynaddr_remove(struct pfi_dynaddr *dyn)
776 {
777
778 KASSERT(dyn->pfid_kif != NULL, ("%s: null pfid_kif", __func__));
779 KASSERT(dyn->pfid_kt != NULL, ("%s: null pfid_kt", __func__));
780
781 TAILQ_REMOVE(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry);
782 pfi_kkif_unref(dyn->pfid_kif);
783 pfr_detach_table(dyn->pfid_kt);
784 free(dyn, PFI_MTYPE);
785 }
786
787 void
pfi_dynaddr_copyout(struct pf_addr_wrap * aw)788 pfi_dynaddr_copyout(struct pf_addr_wrap *aw)
789 {
790
791 KASSERT(aw->type == PF_ADDR_DYNIFTL,
792 ("%s: type %u", __func__, aw->type));
793
794 if (aw->p.dyn == NULL || aw->p.dyn->pfid_kif == NULL)
795 return;
796 aw->p.dyncnt = aw->p.dyn->pfid_acnt4 + aw->p.dyn->pfid_acnt6;
797 }
798
799 static int
pfi_kkif_compare(struct pfi_kkif * p,struct pfi_kkif * q)800 pfi_kkif_compare(struct pfi_kkif *p, struct pfi_kkif *q)
801 {
802 return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ));
803 }
804
805 void
pfi_update_status(const char * name,struct pf_status * pfs)806 pfi_update_status(const char *name, struct pf_status *pfs)
807 {
808 struct pfi_kkif *p;
809 struct pfi_kif_cmp key;
810 struct ifg_member p_member, *ifgm;
811 CK_STAILQ_HEAD(, ifg_member) ifg_members;
812 int i, j, k;
813
814 if (pfs) {
815 memset(pfs->pcounters, 0, sizeof(pfs->pcounters));
816 memset(pfs->bcounters, 0, sizeof(pfs->bcounters));
817 }
818
819 strlcpy(key.pfik_name, name, sizeof(key.pfik_name));
820 p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&key);
821 if (p == NULL) {
822 return;
823 }
824
825 if (p->pfik_group != NULL) {
826 memcpy(&ifg_members, &p->pfik_group->ifg_members,
827 sizeof(ifg_members));
828 } else {
829 /* build a temporary list for p only */
830 memset(&p_member, 0, sizeof(p_member));
831 p_member.ifgm_ifp = p->pfik_ifp;
832 CK_STAILQ_INIT(&ifg_members);
833 CK_STAILQ_INSERT_TAIL(&ifg_members, &p_member, ifgm_next);
834 }
835 CK_STAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) {
836 if (ifgm->ifgm_ifp == NULL || ifgm->ifgm_ifp->if_pf_kif == NULL)
837 continue;
838 p = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif;
839
840 /* just clear statistics */
841 if (pfs == NULL) {
842 pf_kkif_zero(p);
843 continue;
844 }
845 for (i = 0; i < 2; i++)
846 for (j = 0; j < 2; j++)
847 for (k = 0; k < 2; k++) {
848 pfs->pcounters[i][j][k] +=
849 pf_counter_u64_fetch(&p->pfik_packets[i][j][k]);
850 pfs->bcounters[i][j] +=
851 pf_counter_u64_fetch(&p->pfik_bytes[i][j][k]);
852 }
853 }
854 }
855
856 static void
pf_kkif_to_kif(struct pfi_kkif * kkif,struct pfi_kif * kif)857 pf_kkif_to_kif(struct pfi_kkif *kkif, struct pfi_kif *kif)
858 {
859
860 memset(kif, 0, sizeof(*kif));
861 strlcpy(kif->pfik_name, kkif->pfik_name, sizeof(kif->pfik_name));
862 for (int i = 0; i < 2; i++) {
863 for (int j = 0; j < 2; j++) {
864 for (int k = 0; k < 2; k++) {
865 kif->pfik_packets[i][j][k] =
866 pf_counter_u64_fetch(&kkif->pfik_packets[i][j][k]);
867 kif->pfik_bytes[i][j][k] =
868 pf_counter_u64_fetch(&kkif->pfik_bytes[i][j][k]);
869 }
870 }
871 }
872 kif->pfik_flags = kkif->pfik_flags;
873 kif->pfik_tzero = kkif->pfik_tzero;
874 kif->pfik_rulerefs = kkif->pfik_rulerefs;
875 /*
876 * Userspace relies on this pointer to decide if this is a group or
877 * not. We don't want to share the actual pointer, because it's
878 * useless to userspace and leaks kernel memory layout information.
879 * So instead we provide 0xfeedcode as 'true' and NULL as 'false'.
880 */
881 kif->pfik_group =
882 kkif->pfik_group ? (struct ifg_group *)0xfeedc0de : NULL;
883 }
884
885 void
pfi_get_ifaces(const char * name,struct pfi_kif * buf,int * size)886 pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size)
887 {
888 struct epoch_tracker et;
889 struct pfi_kkif *p, *nextp;
890 int n = 0;
891
892 NET_EPOCH_ENTER(et);
893 for (p = RB_MIN(pfi_ifhead, &V_pfi_ifs); p; p = nextp) {
894 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p);
895 if (pfi_skip_if(name, p))
896 continue;
897 if (*size <= n++)
898 break;
899 if (!p->pfik_tzero)
900 p->pfik_tzero = time_second;
901 pf_kkif_to_kif(p, buf++);
902 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p);
903 }
904 *size = n;
905 NET_EPOCH_EXIT(et);
906 }
907
908 static int
pfi_skip_if(const char * filter,struct pfi_kkif * p)909 pfi_skip_if(const char *filter, struct pfi_kkif *p)
910 {
911 struct ifg_list *i;
912 int n;
913
914 NET_EPOCH_ASSERT();
915
916 if (filter == NULL || !*filter)
917 return (0);
918 if (!strcmp(p->pfik_name, filter))
919 return (0); /* exact match */
920 n = strlen(filter);
921 if (n < 1 || n >= IFNAMSIZ)
922 return (1); /* sanity check */
923 if (filter[n-1] >= '0' && filter[n-1] <= '9')
924 return (1); /* group names may not end in a digit */
925 if (p->pfik_ifp == NULL)
926 return (1);
927 CK_STAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next)
928 if (!strncmp(i->ifgl_group->ifg_group, filter, IFNAMSIZ))
929 return (0); /* iface is in group "filter" */
930 return (1);
931 }
932
933 int
pfi_set_flags(const char * name,int flags)934 pfi_set_flags(const char *name, int flags)
935 {
936 struct epoch_tracker et;
937 struct pfi_kkif *p, *kif;
938
939 kif = pf_kkif_create(M_NOWAIT);
940 if (kif == NULL)
941 return (ENOMEM);
942
943 NET_EPOCH_ENTER(et);
944
945 kif = pfi_kkif_attach(kif, name);
946
947 RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) {
948 if (pfi_skip_if(name, p))
949 continue;
950 p->pfik_flags |= flags;
951 }
952 NET_EPOCH_EXIT(et);
953 return (0);
954 }
955
956 int
pfi_clear_flags(const char * name,int flags)957 pfi_clear_flags(const char *name, int flags)
958 {
959 struct epoch_tracker et;
960 struct pfi_kkif *p, *tmp;
961
962 NET_EPOCH_ENTER(et);
963 RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) {
964 if (pfi_skip_if(name, p))
965 continue;
966 p->pfik_flags &= ~flags;
967
968 if (p->pfik_ifp == NULL && p->pfik_group == NULL &&
969 p->pfik_flags == 0 && p->pfik_rulerefs == 0) {
970 /* Delete this kif. */
971 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
972 pf_kkif_free(p);
973 }
974 }
975 NET_EPOCH_EXIT(et);
976 return (0);
977 }
978
979 /* from pf_print_state.c */
980 static int
pfi_unmask(void * addr)981 pfi_unmask(void *addr)
982 {
983 struct pf_addr *m = addr;
984 int i = 31, j = 0, b = 0;
985 u_int32_t tmp;
986
987 while (j < 4 && m->addr32[j] == 0xffffffff) {
988 b += 32;
989 j++;
990 }
991 if (j < 4) {
992 tmp = ntohl(m->addr32[j]);
993 for (i = 31; tmp & (1 << i); --i)
994 b++;
995 }
996 return (b);
997 }
998
999 static void
pfi_attach_ifnet_event(void * arg __unused,struct ifnet * ifp)1000 pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp)
1001 {
1002 struct epoch_tracker et;
1003 struct pfi_kkif *kif;
1004
1005 if (V_pf_vnet_active == 0) {
1006 /* Avoid teardown race in the least expensive way. */
1007 return;
1008 }
1009 kif = pf_kkif_create(M_NOWAIT);
1010 NET_EPOCH_ENTER(et);
1011 PF_RULES_WLOCK();
1012 pfi_attach_ifnet(ifp, kif);
1013 #ifdef ALTQ
1014 pf_altq_ifnet_event(ifp, 0);
1015 #endif
1016 PF_RULES_WUNLOCK();
1017 NET_EPOCH_EXIT(et);
1018 }
1019
1020 static void
pfi_detach_ifnet_event(void * arg __unused,struct ifnet * ifp)1021 pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp)
1022 {
1023 struct epoch_tracker et;
1024 struct pfi_kkif *kif = (struct pfi_kkif *)ifp->if_pf_kif;
1025
1026 if (pfsync_detach_ifnet_ptr)
1027 pfsync_detach_ifnet_ptr(ifp);
1028
1029 if (kif == NULL)
1030 return;
1031
1032 if (V_pf_vnet_active == 0) {
1033 /* Avoid teardown race in the least expensive way. */
1034 return;
1035 }
1036
1037 NET_EPOCH_ENTER(et);
1038 PF_RULES_WLOCK();
1039 V_pfi_update++;
1040 pfi_kkif_update(kif);
1041
1042 if (kif->pfik_ifp)
1043 if_rele(kif->pfik_ifp);
1044
1045 kif->pfik_ifp = NULL;
1046 ifp->if_pf_kif = NULL;
1047 #ifdef ALTQ
1048 pf_altq_ifnet_event(ifp, 1);
1049 #endif
1050 pfi_kkif_remove_if_unref(kif);
1051
1052 PF_RULES_WUNLOCK();
1053 NET_EPOCH_EXIT(et);
1054 }
1055
1056 static void
pfi_attach_group_event(void * arg __unused,struct ifg_group * ifg)1057 pfi_attach_group_event(void *arg __unused, struct ifg_group *ifg)
1058 {
1059 struct epoch_tracker et;
1060 struct pfi_kkif *kif;
1061
1062 if (V_pf_vnet_active == 0) {
1063 /* Avoid teardown race in the least expensive way. */
1064 return;
1065 }
1066 kif = pf_kkif_create(M_WAITOK);
1067 NET_EPOCH_ENTER(et);
1068 PF_RULES_WLOCK();
1069 pfi_attach_ifgroup(ifg, kif);
1070 PF_RULES_WUNLOCK();
1071 NET_EPOCH_EXIT(et);
1072 }
1073
1074 static void
pfi_change_group_event(void * arg __unused,char * gname)1075 pfi_change_group_event(void *arg __unused, char *gname)
1076 {
1077 struct epoch_tracker et;
1078 struct pfi_kkif *kif;
1079
1080 if (V_pf_vnet_active == 0) {
1081 /* Avoid teardown race in the least expensive way. */
1082 return;
1083 }
1084
1085 kif = pf_kkif_create(M_WAITOK);
1086 NET_EPOCH_ENTER(et);
1087 PF_RULES_WLOCK();
1088 V_pfi_update++;
1089 kif = pfi_kkif_attach(kif, gname);
1090 pfi_kkif_update(kif);
1091 PF_RULES_WUNLOCK();
1092 NET_EPOCH_EXIT(et);
1093 }
1094
1095 static void
pfi_detach_group_event(void * arg __unused,struct ifg_group * ifg)1096 pfi_detach_group_event(void *arg __unused, struct ifg_group *ifg)
1097 {
1098 struct pfi_kkif *kif = (struct pfi_kkif *)ifg->ifg_pf_kif;
1099
1100 if (kif == NULL)
1101 return;
1102
1103 if (V_pf_vnet_active == 0) {
1104 /* Avoid teardown race in the least expensive way. */
1105 return;
1106 }
1107 PF_RULES_WLOCK();
1108 V_pfi_update++;
1109
1110 kif->pfik_group = NULL;
1111 ifg->ifg_pf_kif = NULL;
1112
1113 pfi_kkif_remove_if_unref(kif);
1114 PF_RULES_WUNLOCK();
1115 }
1116
1117 static void
pfi_ifaddr_event(void * arg __unused,struct ifnet * ifp)1118 pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp)
1119 {
1120
1121 KASSERT(ifp, ("ifp == NULL"));
1122
1123 if (ifp->if_pf_kif == NULL)
1124 return;
1125
1126 if (V_pf_vnet_active == 0) {
1127 /* Avoid teardown race in the least expensive way. */
1128 return;
1129 }
1130 PF_RULES_WLOCK();
1131 if (ifp->if_pf_kif) {
1132 struct epoch_tracker et;
1133
1134 V_pfi_update++;
1135 NET_EPOCH_ENTER(et);
1136 pfi_kkif_update(ifp->if_pf_kif);
1137 NET_EPOCH_EXIT(et);
1138 }
1139 PF_RULES_WUNLOCK();
1140 }
1141