1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2003 Cedric Berger 6 * Copyright (c) 2005 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2005 Ryan McBride <mcbride@openbsd.org> 8 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org> 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * - Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * - Redistributions in binary form must reproduce the above 18 * copyright notice, this list of conditions and the following 19 * disclaimer in the documentation and/or other materials provided 20 * with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 25 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 26 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 28 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 30 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 32 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $OpenBSD: pf_if.c,v 1.54 2008/06/14 16:55:28 mk Exp $ 36 */ 37 38 #include <sys/cdefs.h> 39 __FBSDID("$FreeBSD$"); 40 41 #include "opt_inet.h" 42 #include "opt_inet6.h" 43 44 #include <sys/param.h> 45 #include <sys/kernel.h> 46 #include <sys/eventhandler.h> 47 #include <sys/lock.h> 48 #include <sys/mbuf.h> 49 #include <sys/socket.h> 50 51 #include <net/if.h> 52 #include <net/if_var.h> 53 #include <net/vnet.h> 54 #include <net/pfvar.h> 55 #include <net/route.h> 56 57 VNET_DEFINE(struct pfi_kkif *, pfi_all); 58 VNET_DEFINE_STATIC(long, pfi_update); 59 #define V_pfi_update VNET(pfi_update) 60 #define PFI_BUFFER_MAX 0x10000 61 62 VNET_DECLARE(int, pf_vnet_active); 63 #define V_pf_vnet_active VNET(pf_vnet_active) 64 65 VNET_DEFINE_STATIC(struct pfr_addr *, pfi_buffer); 66 VNET_DEFINE_STATIC(int, pfi_buffer_cnt); 67 VNET_DEFINE_STATIC(int, pfi_buffer_max); 68 #define V_pfi_buffer VNET(pfi_buffer) 69 #define V_pfi_buffer_cnt VNET(pfi_buffer_cnt) 70 #define V_pfi_buffer_max VNET(pfi_buffer_max) 71 72 #ifdef PF_WANT_32_TO_64_COUNTER 73 VNET_DEFINE(struct allkiflist_head, pf_allkiflist); 74 VNET_DEFINE(size_t, pf_allkifcount); 75 VNET_DEFINE(struct pfi_kkif *, pf_kifmarker); 76 #endif 77 78 eventhandler_tag pfi_attach_cookie; 79 eventhandler_tag pfi_detach_cookie; 80 eventhandler_tag pfi_attach_group_cookie; 81 eventhandler_tag pfi_change_group_cookie; 82 eventhandler_tag pfi_detach_group_cookie; 83 eventhandler_tag pfi_ifaddr_event_cookie; 84 85 static void pfi_attach_ifnet(struct ifnet *, struct pfi_kkif *); 86 static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kkif *); 87 88 static void pfi_kkif_update(struct pfi_kkif *); 89 static void pfi_dynaddr_update(struct pfi_dynaddr *dyn); 90 static void pfi_table_update(struct pfr_ktable *, struct pfi_kkif *, int, 91 int); 92 static void pfi_instance_add(struct ifnet *, int, int); 93 static void pfi_address_add(struct sockaddr *, int, int); 94 static int pfi_kkif_compare(struct pfi_kkif *, struct pfi_kkif *); 95 static int pfi_skip_if(const char *, struct pfi_kkif *); 96 static int pfi_unmask(void *); 97 static void pfi_attach_ifnet_event(void * __unused, struct ifnet *); 98 static void pfi_detach_ifnet_event(void * __unused, struct ifnet *); 99 static void pfi_attach_group_event(void * __unused, struct ifg_group *); 100 static void pfi_change_group_event(void * __unused, char *); 101 static void pfi_detach_group_event(void * __unused, struct ifg_group *); 102 static void pfi_ifaddr_event(void * __unused, struct ifnet *); 103 104 RB_HEAD(pfi_ifhead, pfi_kkif); 105 static RB_PROTOTYPE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); 106 static RB_GENERATE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); 107 VNET_DEFINE_STATIC(struct pfi_ifhead, pfi_ifs); 108 #define V_pfi_ifs VNET(pfi_ifs) 109 110 #define PFI_BUFFER_MAX 0x10000 111 MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interface database"); 112 113 LIST_HEAD(pfi_list, pfi_kkif); 114 VNET_DEFINE_STATIC(struct pfi_list, pfi_unlinked_kifs); 115 #define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs) 116 static struct mtx pfi_unlnkdkifs_mtx; 117 MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unlnkdkifs_mtx, "pf unlinked interfaces", 118 MTX_DEF); 119 120 void 121 pfi_initialize_vnet(void) 122 { 123 struct pfi_list kifs = LIST_HEAD_INITIALIZER(); 124 struct epoch_tracker et; 125 struct pfi_kkif *kif; 126 struct ifg_group *ifg; 127 struct ifnet *ifp; 128 int nkifs; 129 130 V_pfi_buffer_max = 64; 131 V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer), 132 PFI_MTYPE, M_WAITOK); 133 134 nkifs = 1; /* one for V_pfi_all */ 135 IFNET_RLOCK(); 136 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) 137 nkifs++; 138 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) 139 nkifs++; 140 141 for (int n = 0; n < nkifs; n++) { 142 kif = pf_kkif_create(M_WAITOK); 143 LIST_INSERT_HEAD(&kifs, kif, pfik_list); 144 } 145 146 NET_EPOCH_ENTER(et); 147 PF_RULES_WLOCK(); 148 kif = LIST_FIRST(&kifs); 149 LIST_REMOVE(kif, pfik_list); 150 V_pfi_all = pfi_kkif_attach(kif, IFG_ALL); 151 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) { 152 kif = LIST_FIRST(&kifs); 153 LIST_REMOVE(kif, pfik_list); 154 pfi_attach_ifgroup(ifg, kif); 155 } 156 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) { 157 kif = LIST_FIRST(&kifs); 158 LIST_REMOVE(kif, pfik_list); 159 pfi_attach_ifnet(ifp, kif); 160 } 161 PF_RULES_WUNLOCK(); 162 NET_EPOCH_EXIT(et); 163 IFNET_RUNLOCK(); 164 165 MPASS(LIST_EMPTY(&kifs)); 166 } 167 168 void 169 pfi_initialize(void) 170 { 171 172 pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event, 173 pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); 174 pfi_detach_cookie = EVENTHANDLER_REGISTER(ifnet_departure_event, 175 pfi_detach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); 176 pfi_attach_group_cookie = EVENTHANDLER_REGISTER(group_attach_event, 177 pfi_attach_group_event, NULL, EVENTHANDLER_PRI_ANY); 178 pfi_change_group_cookie = EVENTHANDLER_REGISTER(group_change_event, 179 pfi_change_group_event, NULL, EVENTHANDLER_PRI_ANY); 180 pfi_detach_group_cookie = EVENTHANDLER_REGISTER(group_detach_event, 181 pfi_detach_group_event, NULL, EVENTHANDLER_PRI_ANY); 182 pfi_ifaddr_event_cookie = EVENTHANDLER_REGISTER(ifaddr_event, 183 pfi_ifaddr_event, NULL, EVENTHANDLER_PRI_ANY); 184 } 185 186 void 187 pfi_cleanup_vnet(void) 188 { 189 struct pfi_kkif *kif; 190 191 PF_RULES_WASSERT(); 192 193 V_pfi_all = NULL; 194 while ((kif = RB_MIN(pfi_ifhead, &V_pfi_ifs))) { 195 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif); 196 if (kif->pfik_group) 197 kif->pfik_group->ifg_pf_kif = NULL; 198 if (kif->pfik_ifp) { 199 if_rele(kif->pfik_ifp); 200 kif->pfik_ifp->if_pf_kif = NULL; 201 } 202 pf_kkif_free(kif); 203 } 204 205 mtx_lock(&pfi_unlnkdkifs_mtx); 206 while ((kif = LIST_FIRST(&V_pfi_unlinked_kifs))) { 207 LIST_REMOVE(kif, pfik_list); 208 pf_kkif_free(kif); 209 } 210 mtx_unlock(&pfi_unlnkdkifs_mtx); 211 212 free(V_pfi_buffer, PFI_MTYPE); 213 } 214 215 void 216 pfi_cleanup(void) 217 { 218 219 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie); 220 EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie); 221 EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie); 222 EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie); 223 EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie); 224 EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie); 225 } 226 227 struct pfi_kkif* 228 pf_kkif_create(int flags) 229 { 230 struct pfi_kkif *kif; 231 #ifdef PF_WANT_32_TO_64_COUNTER 232 bool wowned; 233 #endif 234 235 kif = malloc(sizeof(*kif), PFI_MTYPE, flags | M_ZERO); 236 if (! kif) 237 return (kif); 238 239 for (int i = 0; i < 2; i++) { 240 for (int j = 0; j < 2; j++) { 241 for (int k = 0; k < 2; k++) { 242 if (pf_counter_u64_init(&kif->pfik_packets[i][j][k], flags) != 0) { 243 pf_kkif_free(kif); 244 return (NULL); 245 } 246 247 if (pf_counter_u64_init(&kif->pfik_bytes[i][j][k], flags) != 0) { 248 pf_kkif_free(kif); 249 return (NULL); 250 } 251 } 252 } 253 } 254 255 #ifdef PF_WANT_32_TO_64_COUNTER 256 wowned = PF_RULES_WOWNED(); 257 if (!wowned) 258 PF_RULES_WLOCK(); 259 LIST_INSERT_HEAD(&V_pf_allkiflist, kif, pfik_allkiflist); 260 V_pf_allkifcount++; 261 if (!wowned) 262 PF_RULES_WUNLOCK(); 263 #endif 264 265 return (kif); 266 } 267 268 void 269 pf_kkif_free(struct pfi_kkif *kif) 270 { 271 #ifdef PF_WANT_32_TO_64_COUNTER 272 bool wowned; 273 #endif 274 275 if (! kif) 276 return; 277 278 #ifdef PF_WANT_32_TO_64_COUNTER 279 wowned = PF_RULES_WOWNED(); 280 if (!wowned) 281 PF_RULES_WLOCK(); 282 LIST_REMOVE(kif, pfik_allkiflist); 283 V_pf_allkifcount--; 284 if (!wowned) 285 PF_RULES_WUNLOCK(); 286 #endif 287 288 for (int i = 0; i < 2; i++) { 289 for (int j = 0; j < 2; j++) { 290 for (int k = 0; k < 2; k++) { 291 pf_counter_u64_deinit(&kif->pfik_packets[i][j][k]); 292 pf_counter_u64_deinit(&kif->pfik_bytes[i][j][k]); 293 } 294 } 295 } 296 297 free(kif, PFI_MTYPE); 298 } 299 300 void 301 pf_kkif_zero(struct pfi_kkif *kif) 302 { 303 304 for (int i = 0; i < 2; i++) { 305 for (int j = 0; j < 2; j++) { 306 for (int k = 0; k < 2; k++) { 307 pf_counter_u64_zero(&kif->pfik_packets[i][j][k]); 308 pf_counter_u64_zero(&kif->pfik_bytes[i][j][k]); 309 } 310 } 311 } 312 kif->pfik_tzero = time_second; 313 } 314 315 struct pfi_kkif * 316 pfi_kkif_find(const char *kif_name) 317 { 318 struct pfi_kif_cmp s; 319 320 PF_RULES_ASSERT(); 321 322 bzero(&s, sizeof(s)); 323 strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name)); 324 325 return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&s)); 326 } 327 328 struct pfi_kkif * 329 pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name) 330 { 331 struct pfi_kkif *kif1; 332 333 PF_RULES_WASSERT(); 334 KASSERT(kif != NULL, ("%s: null kif", __func__)); 335 336 kif1 = pfi_kkif_find(kif_name); 337 if (kif1 != NULL) { 338 pf_kkif_free(kif); 339 return (kif1); 340 } 341 342 pf_kkif_zero(kif); 343 strlcpy(kif->pfik_name, kif_name, sizeof(kif->pfik_name)); 344 /* 345 * It seems that the value of time_second is in unintialzied state 346 * when pf sets interface statistics clear time in boot phase if pf 347 * was statically linked to kernel. Instead of setting the bogus 348 * time value have pfi_get_ifaces handle this case. In 349 * pfi_get_ifaces it uses time_second if it sees the time is 0. 350 */ 351 kif->pfik_tzero = time_second > 1 ? time_second : 0; 352 TAILQ_INIT(&kif->pfik_dynaddrs); 353 354 RB_INSERT(pfi_ifhead, &V_pfi_ifs, kif); 355 356 return (kif); 357 } 358 359 void 360 pfi_kkif_ref(struct pfi_kkif *kif) 361 { 362 363 PF_RULES_WASSERT(); 364 kif->pfik_rulerefs++; 365 } 366 367 void 368 pfi_kkif_unref(struct pfi_kkif *kif) 369 { 370 371 PF_RULES_WASSERT(); 372 KASSERT(kif->pfik_rulerefs > 0, ("%s: %p has zero refs", __func__, kif)); 373 374 kif->pfik_rulerefs--; 375 376 if (kif->pfik_rulerefs > 0) 377 return; 378 379 /* kif referencing an existing ifnet or group or holding flags should 380 * exist. */ 381 if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || 382 kif == V_pfi_all || kif->pfik_flags != 0) 383 return; 384 385 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif); 386 387 kif->pfik_flags |= PFI_IFLAG_REFS; 388 389 mtx_lock(&pfi_unlnkdkifs_mtx); 390 LIST_INSERT_HEAD(&V_pfi_unlinked_kifs, kif, pfik_list); 391 mtx_unlock(&pfi_unlnkdkifs_mtx); 392 } 393 394 void 395 pfi_kkif_purge(void) 396 { 397 struct pfi_kkif *kif, *kif1; 398 399 /* 400 * Do naive mark-and-sweep garbage collecting of old kifs. 401 * Reference flag is raised by pf_purge_expired_states(). 402 */ 403 mtx_lock(&pfi_unlnkdkifs_mtx); 404 LIST_FOREACH_SAFE(kif, &V_pfi_unlinked_kifs, pfik_list, kif1) { 405 if (!(kif->pfik_flags & PFI_IFLAG_REFS)) { 406 LIST_REMOVE(kif, pfik_list); 407 pf_kkif_free(kif); 408 } else 409 kif->pfik_flags &= ~PFI_IFLAG_REFS; 410 } 411 mtx_unlock(&pfi_unlnkdkifs_mtx); 412 } 413 414 int 415 pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif) 416 { 417 struct ifg_list *p; 418 419 NET_EPOCH_ASSERT(); 420 421 if (rule_kif == NULL || rule_kif == packet_kif) 422 return (1); 423 424 if (rule_kif->pfik_group != NULL) { 425 CK_STAILQ_FOREACH(p, &packet_kif->pfik_ifp->if_groups, ifgl_next) 426 if (p->ifgl_group == rule_kif->pfik_group) 427 return (1); 428 } 429 430 return (0); 431 } 432 433 static void 434 pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kkif *kif) 435 { 436 437 PF_RULES_WASSERT(); 438 439 V_pfi_update++; 440 kif = pfi_kkif_attach(kif, ifp->if_xname); 441 if_ref(ifp); 442 kif->pfik_ifp = ifp; 443 ifp->if_pf_kif = kif; 444 pfi_kkif_update(kif); 445 } 446 447 static void 448 pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kkif *kif) 449 { 450 451 PF_RULES_WASSERT(); 452 453 V_pfi_update++; 454 kif = pfi_kkif_attach(kif, ifg->ifg_group); 455 kif->pfik_group = ifg; 456 ifg->ifg_pf_kif = kif; 457 } 458 459 int 460 pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af) 461 { 462 switch (af) { 463 #ifdef INET 464 case AF_INET: 465 switch (dyn->pfid_acnt4) { 466 case 0: 467 return (0); 468 case 1: 469 return (PF_MATCHA(0, &dyn->pfid_addr4, 470 &dyn->pfid_mask4, a, AF_INET)); 471 default: 472 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET)); 473 } 474 break; 475 #endif /* INET */ 476 #ifdef INET6 477 case AF_INET6: 478 switch (dyn->pfid_acnt6) { 479 case 0: 480 return (0); 481 case 1: 482 return (PF_MATCHA(0, &dyn->pfid_addr6, 483 &dyn->pfid_mask6, a, AF_INET6)); 484 default: 485 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET6)); 486 } 487 break; 488 #endif /* INET6 */ 489 default: 490 return (0); 491 } 492 } 493 494 int 495 pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) 496 { 497 struct epoch_tracker et; 498 struct pfi_dynaddr *dyn; 499 char tblname[PF_TABLE_NAME_SIZE]; 500 struct pf_kruleset *ruleset = NULL; 501 struct pfi_kkif *kif; 502 int rv = 0; 503 504 PF_RULES_WASSERT(); 505 KASSERT(aw->type == PF_ADDR_DYNIFTL, ("%s: type %u", 506 __func__, aw->type)); 507 KASSERT(aw->p.dyn == NULL, ("%s: dyn is %p", __func__, aw->p.dyn)); 508 509 if ((dyn = malloc(sizeof(*dyn), PFI_MTYPE, M_NOWAIT | M_ZERO)) == NULL) 510 return (ENOMEM); 511 512 if ((kif = pf_kkif_create(M_NOWAIT)) == NULL) { 513 free(dyn, PFI_MTYPE); 514 return (ENOMEM); 515 } 516 517 if (!strcmp(aw->v.ifname, "self")) 518 dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL); 519 else 520 dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname); 521 kif = NULL; 522 pfi_kkif_ref(dyn->pfid_kif); 523 524 dyn->pfid_net = pfi_unmask(&aw->v.a.mask); 525 if (af == AF_INET && dyn->pfid_net == 32) 526 dyn->pfid_net = 128; 527 strlcpy(tblname, aw->v.ifname, sizeof(tblname)); 528 if (aw->iflags & PFI_AFLAG_NETWORK) 529 strlcat(tblname, ":network", sizeof(tblname)); 530 if (aw->iflags & PFI_AFLAG_BROADCAST) 531 strlcat(tblname, ":broadcast", sizeof(tblname)); 532 if (aw->iflags & PFI_AFLAG_PEER) 533 strlcat(tblname, ":peer", sizeof(tblname)); 534 if (aw->iflags & PFI_AFLAG_NOALIAS) 535 strlcat(tblname, ":0", sizeof(tblname)); 536 if (dyn->pfid_net != 128) 537 snprintf(tblname + strlen(tblname), 538 sizeof(tblname) - strlen(tblname), "/%d", dyn->pfid_net); 539 if ((ruleset = pf_find_or_create_kruleset(PF_RESERVED_ANCHOR)) == NULL) { 540 rv = ENOMEM; 541 goto _bad; 542 } 543 544 if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname)) == NULL) { 545 rv = ENOMEM; 546 goto _bad; 547 } 548 549 dyn->pfid_kt->pfrkt_flags |= PFR_TFLAG_ACTIVE; 550 dyn->pfid_iflags = aw->iflags; 551 dyn->pfid_af = af; 552 553 TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); 554 aw->p.dyn = dyn; 555 NET_EPOCH_ENTER(et); 556 pfi_kkif_update(dyn->pfid_kif); 557 NET_EPOCH_EXIT(et); 558 559 return (0); 560 561 _bad: 562 if (dyn->pfid_kt != NULL) 563 pfr_detach_table(dyn->pfid_kt); 564 if (ruleset != NULL) 565 pf_remove_if_empty_kruleset(ruleset); 566 if (dyn->pfid_kif != NULL) 567 pfi_kkif_unref(dyn->pfid_kif); 568 free(dyn, PFI_MTYPE); 569 570 return (rv); 571 } 572 573 static void 574 pfi_kkif_update(struct pfi_kkif *kif) 575 { 576 struct ifg_list *ifgl; 577 struct ifg_member *ifgm; 578 struct pfi_dynaddr *p; 579 struct pfi_kkif *tmpkif; 580 581 NET_EPOCH_ASSERT(); 582 PF_RULES_WASSERT(); 583 584 /* update all dynaddr */ 585 TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry) 586 pfi_dynaddr_update(p); 587 588 /* Apply group flags to new members. */ 589 if (kif->pfik_group != NULL) { 590 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, 591 ifgm_next) { 592 tmpkif = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; 593 if (tmpkif == NULL) 594 continue; 595 596 tmpkif->pfik_flags |= kif->pfik_flags; 597 } 598 } 599 600 /* again for all groups kif is member of */ 601 if (kif->pfik_ifp != NULL) { 602 CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next) 603 pfi_kkif_update((struct pfi_kkif *) 604 ifgl->ifgl_group->ifg_pf_kif); 605 } 606 } 607 608 static void 609 pfi_dynaddr_update(struct pfi_dynaddr *dyn) 610 { 611 struct pfi_kkif *kif; 612 struct pfr_ktable *kt; 613 614 PF_RULES_WASSERT(); 615 KASSERT(dyn && dyn->pfid_kif && dyn->pfid_kt, 616 ("%s: bad argument", __func__)); 617 618 kif = dyn->pfid_kif; 619 kt = dyn->pfid_kt; 620 621 if (kt->pfrkt_larg != V_pfi_update) { 622 /* this table needs to be brought up-to-date */ 623 pfi_table_update(kt, kif, dyn->pfid_net, dyn->pfid_iflags); 624 kt->pfrkt_larg = V_pfi_update; 625 } 626 pfr_dynaddr_update(kt, dyn); 627 } 628 629 static void 630 pfi_table_update(struct pfr_ktable *kt, struct pfi_kkif *kif, int net, int flags) 631 { 632 int e, size2 = 0; 633 struct ifg_member *ifgm; 634 635 NET_EPOCH_ASSERT(); 636 637 V_pfi_buffer_cnt = 0; 638 639 if (kif->pfik_ifp != NULL) 640 pfi_instance_add(kif->pfik_ifp, net, flags); 641 else if (kif->pfik_group != NULL) { 642 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next) 643 pfi_instance_add(ifgm->ifgm_ifp, net, flags); 644 } 645 646 if ((e = pfr_set_addrs(&kt->pfrkt_t, V_pfi_buffer, V_pfi_buffer_cnt, &size2, 647 NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) 648 printf("%s: cannot set %d new addresses into table %s: %d\n", 649 __func__, V_pfi_buffer_cnt, kt->pfrkt_name, e); 650 } 651 652 static void 653 pfi_instance_add(struct ifnet *ifp, int net, int flags) 654 { 655 struct ifaddr *ia; 656 int got4 = 0, got6 = 0; 657 int net2, af; 658 659 NET_EPOCH_ASSERT(); 660 661 CK_STAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { 662 if (ia->ifa_addr == NULL) 663 continue; 664 af = ia->ifa_addr->sa_family; 665 if (af != AF_INET && af != AF_INET6) 666 continue; 667 /* 668 * XXX: For point-to-point interfaces, (ifname:0) and IPv4, 669 * jump over addresses without a proper route to work 670 * around a problem with ppp not fully removing the 671 * address used during IPCP. 672 */ 673 if ((ifp->if_flags & IFF_POINTOPOINT) && 674 !(ia->ifa_flags & IFA_ROUTE) && 675 (flags & PFI_AFLAG_NOALIAS) && (af == AF_INET)) 676 continue; 677 if ((flags & PFI_AFLAG_BROADCAST) && af == AF_INET6) 678 continue; 679 if ((flags & PFI_AFLAG_BROADCAST) && 680 !(ifp->if_flags & IFF_BROADCAST)) 681 continue; 682 if ((flags & PFI_AFLAG_PEER) && 683 !(ifp->if_flags & IFF_POINTOPOINT)) 684 continue; 685 if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && 686 af == AF_INET6 && 687 IN6_IS_ADDR_LINKLOCAL( 688 &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) 689 continue; 690 if (flags & PFI_AFLAG_NOALIAS) { 691 if (af == AF_INET && got4) 692 continue; 693 if (af == AF_INET6 && got6) 694 continue; 695 } 696 if (af == AF_INET) 697 got4 = 1; 698 else if (af == AF_INET6) 699 got6 = 1; 700 net2 = net; 701 if (net2 == 128 && (flags & PFI_AFLAG_NETWORK)) { 702 if (af == AF_INET) 703 net2 = pfi_unmask(&((struct sockaddr_in *) 704 ia->ifa_netmask)->sin_addr); 705 else if (af == AF_INET6) 706 net2 = pfi_unmask(&((struct sockaddr_in6 *) 707 ia->ifa_netmask)->sin6_addr); 708 } 709 if (af == AF_INET && net2 > 32) 710 net2 = 32; 711 if (flags & PFI_AFLAG_BROADCAST) 712 pfi_address_add(ia->ifa_broadaddr, af, net2); 713 else if (flags & PFI_AFLAG_PEER) 714 pfi_address_add(ia->ifa_dstaddr, af, net2); 715 else 716 pfi_address_add(ia->ifa_addr, af, net2); 717 } 718 } 719 720 static void 721 pfi_address_add(struct sockaddr *sa, int af, int net) 722 { 723 struct pfr_addr *p; 724 int i; 725 726 if (V_pfi_buffer_cnt >= V_pfi_buffer_max) { 727 int new_max = V_pfi_buffer_max * 2; 728 729 if (new_max > PFI_BUFFER_MAX) { 730 printf("%s: address buffer full (%d/%d)\n", __func__, 731 V_pfi_buffer_cnt, PFI_BUFFER_MAX); 732 return; 733 } 734 p = malloc(new_max * sizeof(*V_pfi_buffer), PFI_MTYPE, 735 M_NOWAIT); 736 if (p == NULL) { 737 printf("%s: no memory to grow buffer (%d/%d)\n", 738 __func__, V_pfi_buffer_cnt, PFI_BUFFER_MAX); 739 return; 740 } 741 memcpy(p, V_pfi_buffer, V_pfi_buffer_max * sizeof(*V_pfi_buffer)); 742 /* no need to zero buffer */ 743 free(V_pfi_buffer, PFI_MTYPE); 744 V_pfi_buffer = p; 745 V_pfi_buffer_max = new_max; 746 } 747 if (af == AF_INET && net > 32) 748 net = 128; 749 p = V_pfi_buffer + V_pfi_buffer_cnt++; 750 bzero(p, sizeof(*p)); 751 p->pfra_af = af; 752 p->pfra_net = net; 753 if (af == AF_INET) 754 p->pfra_ip4addr = ((struct sockaddr_in *)sa)->sin_addr; 755 else if (af == AF_INET6) { 756 p->pfra_ip6addr = ((struct sockaddr_in6 *)sa)->sin6_addr; 757 if (IN6_IS_SCOPE_EMBED(&p->pfra_ip6addr)) 758 p->pfra_ip6addr.s6_addr16[1] = 0; 759 } 760 /* mask network address bits */ 761 if (net < 128) 762 ((caddr_t)p)[p->pfra_net/8] &= ~(0xFF >> (p->pfra_net%8)); 763 for (i = (p->pfra_net+7)/8; i < sizeof(p->pfra_u); i++) 764 ((caddr_t)p)[i] = 0; 765 } 766 767 void 768 pfi_dynaddr_remove(struct pfi_dynaddr *dyn) 769 { 770 771 KASSERT(dyn->pfid_kif != NULL, ("%s: null pfid_kif", __func__)); 772 KASSERT(dyn->pfid_kt != NULL, ("%s: null pfid_kt", __func__)); 773 774 TAILQ_REMOVE(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); 775 pfi_kkif_unref(dyn->pfid_kif); 776 pfr_detach_table(dyn->pfid_kt); 777 free(dyn, PFI_MTYPE); 778 } 779 780 void 781 pfi_dynaddr_copyout(struct pf_addr_wrap *aw) 782 { 783 784 KASSERT(aw->type == PF_ADDR_DYNIFTL, 785 ("%s: type %u", __func__, aw->type)); 786 787 if (aw->p.dyn == NULL || aw->p.dyn->pfid_kif == NULL) 788 return; 789 aw->p.dyncnt = aw->p.dyn->pfid_acnt4 + aw->p.dyn->pfid_acnt6; 790 } 791 792 static int 793 pfi_kkif_compare(struct pfi_kkif *p, struct pfi_kkif *q) 794 { 795 return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ)); 796 } 797 798 void 799 pfi_update_status(const char *name, struct pf_status *pfs) 800 { 801 struct pfi_kkif *p; 802 struct pfi_kif_cmp key; 803 struct ifg_member p_member, *ifgm; 804 CK_STAILQ_HEAD(, ifg_member) ifg_members; 805 int i, j, k; 806 807 strlcpy(key.pfik_name, name, sizeof(key.pfik_name)); 808 p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&key); 809 if (p == NULL) 810 return; 811 812 if (p->pfik_group != NULL) { 813 bcopy(&p->pfik_group->ifg_members, &ifg_members, 814 sizeof(ifg_members)); 815 } else { 816 /* build a temporary list for p only */ 817 bzero(&p_member, sizeof(p_member)); 818 p_member.ifgm_ifp = p->pfik_ifp; 819 CK_STAILQ_INIT(&ifg_members); 820 CK_STAILQ_INSERT_TAIL(&ifg_members, &p_member, ifgm_next); 821 } 822 if (pfs) { 823 bzero(pfs->pcounters, sizeof(pfs->pcounters)); 824 bzero(pfs->bcounters, sizeof(pfs->bcounters)); 825 } 826 CK_STAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) { 827 if (ifgm->ifgm_ifp == NULL || ifgm->ifgm_ifp->if_pf_kif == NULL) 828 continue; 829 p = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; 830 831 /* just clear statistics */ 832 if (pfs == NULL) { 833 pf_kkif_zero(p); 834 continue; 835 } 836 for (i = 0; i < 2; i++) 837 for (j = 0; j < 2; j++) 838 for (k = 0; k < 2; k++) { 839 pfs->pcounters[i][j][k] += 840 pf_counter_u64_fetch(&p->pfik_packets[i][j][k]); 841 pfs->bcounters[i][j] += 842 pf_counter_u64_fetch(&p->pfik_bytes[i][j][k]); 843 } 844 } 845 } 846 847 static void 848 pf_kkif_to_kif(struct pfi_kkif *kkif, struct pfi_kif *kif) 849 { 850 851 bzero(kif, sizeof(*kif)); 852 strlcpy(kif->pfik_name, kkif->pfik_name, sizeof(kif->pfik_name)); 853 for (int i = 0; i < 2; i++) { 854 for (int j = 0; j < 2; j++) { 855 for (int k = 0; k < 2; k++) { 856 kif->pfik_packets[i][j][k] = 857 pf_counter_u64_fetch(&kkif->pfik_packets[i][j][k]); 858 kif->pfik_bytes[i][j][k] = 859 pf_counter_u64_fetch(&kkif->pfik_bytes[i][j][k]); 860 } 861 } 862 } 863 kif->pfik_flags = kkif->pfik_flags; 864 kif->pfik_tzero = kkif->pfik_tzero; 865 kif->pfik_rulerefs = kkif->pfik_rulerefs; 866 /* 867 * Userspace relies on this pointer to decide if this is a group or 868 * not. We don't want to share the actual pointer, because it's 869 * useless to userspace and leaks kernel memory layout information. 870 * So instead we provide 0xfeedcode as 'true' and NULL as 'false'. 871 */ 872 kif->pfik_group = 873 kkif->pfik_group ? (struct ifg_group *)0xfeedc0de : NULL; 874 } 875 876 void 877 pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size) 878 { 879 struct epoch_tracker et; 880 struct pfi_kkif *p, *nextp; 881 int n = 0; 882 883 NET_EPOCH_ENTER(et); 884 for (p = RB_MIN(pfi_ifhead, &V_pfi_ifs); p; p = nextp) { 885 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); 886 if (pfi_skip_if(name, p)) 887 continue; 888 if (*size <= n++) 889 break; 890 if (!p->pfik_tzero) 891 p->pfik_tzero = time_second; 892 pf_kkif_to_kif(p, buf++); 893 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); 894 } 895 *size = n; 896 NET_EPOCH_EXIT(et); 897 } 898 899 static int 900 pfi_skip_if(const char *filter, struct pfi_kkif *p) 901 { 902 struct ifg_list *i; 903 int n; 904 905 NET_EPOCH_ASSERT(); 906 907 if (filter == NULL || !*filter) 908 return (0); 909 if (!strcmp(p->pfik_name, filter)) 910 return (0); /* exact match */ 911 n = strlen(filter); 912 if (n < 1 || n >= IFNAMSIZ) 913 return (1); /* sanity check */ 914 if (filter[n-1] >= '0' && filter[n-1] <= '9') 915 return (1); /* group names may not end in a digit */ 916 if (p->pfik_ifp == NULL) 917 return (1); 918 CK_STAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next) 919 if (!strncmp(i->ifgl_group->ifg_group, filter, IFNAMSIZ)) 920 return (0); /* iface is in group "filter" */ 921 return (1); 922 } 923 924 int 925 pfi_set_flags(const char *name, int flags) 926 { 927 struct epoch_tracker et; 928 struct pfi_kkif *p, *kif; 929 930 kif = pf_kkif_create(M_NOWAIT); 931 if (kif == NULL) 932 return (ENOMEM); 933 934 NET_EPOCH_ENTER(et); 935 936 kif = pfi_kkif_attach(kif, name); 937 938 RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) { 939 if (pfi_skip_if(name, p)) 940 continue; 941 p->pfik_flags |= flags; 942 } 943 NET_EPOCH_EXIT(et); 944 return (0); 945 } 946 947 int 948 pfi_clear_flags(const char *name, int flags) 949 { 950 struct epoch_tracker et; 951 struct pfi_kkif *p, *tmp; 952 953 NET_EPOCH_ENTER(et); 954 RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) { 955 if (pfi_skip_if(name, p)) 956 continue; 957 p->pfik_flags &= ~flags; 958 959 if (p->pfik_ifp == NULL && p->pfik_group == NULL && 960 p->pfik_flags == 0 && p->pfik_rulerefs == 0) { 961 /* Delete this kif. */ 962 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p); 963 pf_kkif_free(p); 964 } 965 } 966 NET_EPOCH_EXIT(et); 967 return (0); 968 } 969 970 /* from pf_print_state.c */ 971 static int 972 pfi_unmask(void *addr) 973 { 974 struct pf_addr *m = addr; 975 int i = 31, j = 0, b = 0; 976 u_int32_t tmp; 977 978 while (j < 4 && m->addr32[j] == 0xffffffff) { 979 b += 32; 980 j++; 981 } 982 if (j < 4) { 983 tmp = ntohl(m->addr32[j]); 984 for (i = 31; tmp & (1 << i); --i) 985 b++; 986 } 987 return (b); 988 } 989 990 static void 991 pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp) 992 { 993 struct epoch_tracker et; 994 struct pfi_kkif *kif; 995 996 if (V_pf_vnet_active == 0) { 997 /* Avoid teardown race in the least expensive way. */ 998 return; 999 } 1000 kif = pf_kkif_create(M_NOWAIT); 1001 NET_EPOCH_ENTER(et); 1002 PF_RULES_WLOCK(); 1003 pfi_attach_ifnet(ifp, kif); 1004 #ifdef ALTQ 1005 pf_altq_ifnet_event(ifp, 0); 1006 #endif 1007 PF_RULES_WUNLOCK(); 1008 NET_EPOCH_EXIT(et); 1009 } 1010 1011 static void 1012 pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) 1013 { 1014 struct epoch_tracker et; 1015 struct pfi_kkif *kif = (struct pfi_kkif *)ifp->if_pf_kif; 1016 1017 if (pfsync_detach_ifnet_ptr) 1018 pfsync_detach_ifnet_ptr(ifp); 1019 1020 if (kif == NULL) 1021 return; 1022 1023 if (V_pf_vnet_active == 0) { 1024 /* Avoid teardown race in the least expensive way. */ 1025 return; 1026 } 1027 1028 NET_EPOCH_ENTER(et); 1029 PF_RULES_WLOCK(); 1030 V_pfi_update++; 1031 pfi_kkif_update(kif); 1032 1033 if (kif->pfik_ifp) 1034 if_rele(kif->pfik_ifp); 1035 1036 kif->pfik_ifp = NULL; 1037 ifp->if_pf_kif = NULL; 1038 #ifdef ALTQ 1039 pf_altq_ifnet_event(ifp, 1); 1040 #endif 1041 PF_RULES_WUNLOCK(); 1042 NET_EPOCH_EXIT(et); 1043 } 1044 1045 static void 1046 pfi_attach_group_event(void *arg __unused, struct ifg_group *ifg) 1047 { 1048 struct epoch_tracker et; 1049 struct pfi_kkif *kif; 1050 1051 if (V_pf_vnet_active == 0) { 1052 /* Avoid teardown race in the least expensive way. */ 1053 return; 1054 } 1055 kif = pf_kkif_create(M_WAITOK); 1056 NET_EPOCH_ENTER(et); 1057 PF_RULES_WLOCK(); 1058 pfi_attach_ifgroup(ifg, kif); 1059 PF_RULES_WUNLOCK(); 1060 NET_EPOCH_EXIT(et); 1061 } 1062 1063 static void 1064 pfi_change_group_event(void *arg __unused, char *gname) 1065 { 1066 struct epoch_tracker et; 1067 struct pfi_kkif *kif; 1068 1069 if (V_pf_vnet_active == 0) { 1070 /* Avoid teardown race in the least expensive way. */ 1071 return; 1072 } 1073 1074 kif = pf_kkif_create(M_WAITOK); 1075 NET_EPOCH_ENTER(et); 1076 PF_RULES_WLOCK(); 1077 V_pfi_update++; 1078 kif = pfi_kkif_attach(kif, gname); 1079 pfi_kkif_update(kif); 1080 PF_RULES_WUNLOCK(); 1081 NET_EPOCH_EXIT(et); 1082 } 1083 1084 static void 1085 pfi_detach_group_event(void *arg __unused, struct ifg_group *ifg) 1086 { 1087 struct pfi_kkif *kif = (struct pfi_kkif *)ifg->ifg_pf_kif; 1088 1089 if (kif == NULL) 1090 return; 1091 1092 if (V_pf_vnet_active == 0) { 1093 /* Avoid teardown race in the least expensive way. */ 1094 return; 1095 } 1096 PF_RULES_WLOCK(); 1097 V_pfi_update++; 1098 1099 kif->pfik_group = NULL; 1100 ifg->ifg_pf_kif = NULL; 1101 PF_RULES_WUNLOCK(); 1102 } 1103 1104 static void 1105 pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp) 1106 { 1107 1108 KASSERT(ifp, ("ifp == NULL")); 1109 1110 if (ifp->if_pf_kif == NULL) 1111 return; 1112 1113 if (V_pf_vnet_active == 0) { 1114 /* Avoid teardown race in the least expensive way. */ 1115 return; 1116 } 1117 PF_RULES_WLOCK(); 1118 if (ifp->if_pf_kif) { 1119 struct epoch_tracker et; 1120 1121 V_pfi_update++; 1122 NET_EPOCH_ENTER(et); 1123 pfi_kkif_update(ifp->if_pf_kif); 1124 NET_EPOCH_EXIT(et); 1125 } 1126 PF_RULES_WUNLOCK(); 1127 } 1128