1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2003 Cedric Berger 6 * Copyright (c) 2005 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2005 Ryan McBride <mcbride@openbsd.org> 8 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org> 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * - Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * - Redistributions in binary form must reproduce the above 18 * copyright notice, this list of conditions and the following 19 * disclaimer in the documentation and/or other materials provided 20 * with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 25 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 26 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 28 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 30 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 32 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $OpenBSD: pf_if.c,v 1.54 2008/06/14 16:55:28 mk Exp $ 36 */ 37 38 #include <sys/cdefs.h> 39 __FBSDID("$FreeBSD$"); 40 41 #include "opt_inet.h" 42 #include "opt_inet6.h" 43 44 #include <sys/param.h> 45 #include <sys/kernel.h> 46 #include <sys/eventhandler.h> 47 #include <sys/lock.h> 48 #include <sys/mbuf.h> 49 #include <sys/socket.h> 50 51 #include <net/if.h> 52 #include <net/if_var.h> 53 #include <net/if_private.h> 54 #include <net/vnet.h> 55 #include <net/pfvar.h> 56 #include <net/route.h> 57 58 VNET_DEFINE(struct pfi_kkif *, pfi_all); 59 VNET_DEFINE_STATIC(long, pfi_update); 60 #define V_pfi_update VNET(pfi_update) 61 #define PFI_BUFFER_MAX 0x10000 62 63 VNET_DECLARE(int, pf_vnet_active); 64 #define V_pf_vnet_active VNET(pf_vnet_active) 65 66 VNET_DEFINE_STATIC(struct pfr_addr *, pfi_buffer); 67 VNET_DEFINE_STATIC(int, pfi_buffer_cnt); 68 VNET_DEFINE_STATIC(int, pfi_buffer_max); 69 #define V_pfi_buffer VNET(pfi_buffer) 70 #define V_pfi_buffer_cnt VNET(pfi_buffer_cnt) 71 #define V_pfi_buffer_max VNET(pfi_buffer_max) 72 73 #ifdef PF_WANT_32_TO_64_COUNTER 74 VNET_DEFINE(struct allkiflist_head, pf_allkiflist); 75 VNET_DEFINE(size_t, pf_allkifcount); 76 VNET_DEFINE(struct pfi_kkif *, pf_kifmarker); 77 #endif 78 79 eventhandler_tag pfi_attach_cookie; 80 eventhandler_tag pfi_detach_cookie; 81 eventhandler_tag pfi_attach_group_cookie; 82 eventhandler_tag pfi_change_group_cookie; 83 eventhandler_tag pfi_detach_group_cookie; 84 eventhandler_tag pfi_ifaddr_event_cookie; 85 86 static void pfi_attach_ifnet(struct ifnet *, struct pfi_kkif *); 87 static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kkif *); 88 89 static void pfi_kkif_update(struct pfi_kkif *); 90 static void pfi_dynaddr_update(struct pfi_dynaddr *dyn); 91 static void pfi_table_update(struct pfr_ktable *, struct pfi_kkif *, int, 92 int); 93 static void pfi_instance_add(struct ifnet *, int, int); 94 static void pfi_address_add(struct sockaddr *, int, int); 95 static int pfi_kkif_compare(struct pfi_kkif *, struct pfi_kkif *); 96 static int pfi_skip_if(const char *, struct pfi_kkif *); 97 static int pfi_unmask(void *); 98 static void pfi_attach_ifnet_event(void * __unused, struct ifnet *); 99 static void pfi_detach_ifnet_event(void * __unused, struct ifnet *); 100 static void pfi_attach_group_event(void * __unused, struct ifg_group *); 101 static void pfi_change_group_event(void * __unused, char *); 102 static void pfi_detach_group_event(void * __unused, struct ifg_group *); 103 static void pfi_ifaddr_event(void * __unused, struct ifnet *); 104 105 RB_HEAD(pfi_ifhead, pfi_kkif); 106 static RB_PROTOTYPE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); 107 static RB_GENERATE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); 108 VNET_DEFINE_STATIC(struct pfi_ifhead, pfi_ifs); 109 #define V_pfi_ifs VNET(pfi_ifs) 110 111 #define PFI_BUFFER_MAX 0x10000 112 MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interface database"); 113 114 LIST_HEAD(pfi_list, pfi_kkif); 115 VNET_DEFINE_STATIC(struct pfi_list, pfi_unlinked_kifs); 116 #define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs) 117 static struct mtx pfi_unlnkdkifs_mtx; 118 MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unlnkdkifs_mtx, "pf unlinked interfaces", 119 MTX_DEF); 120 121 void 122 pfi_initialize_vnet(void) 123 { 124 struct pfi_list kifs = LIST_HEAD_INITIALIZER(); 125 struct epoch_tracker et; 126 struct pfi_kkif *kif; 127 struct ifg_group *ifg; 128 struct ifnet *ifp; 129 int nkifs; 130 131 V_pfi_buffer_max = 64; 132 V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer), 133 PFI_MTYPE, M_WAITOK); 134 135 nkifs = 1; /* one for V_pfi_all */ 136 IFNET_RLOCK(); 137 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) 138 nkifs++; 139 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) 140 nkifs++; 141 142 for (int n = 0; n < nkifs; n++) { 143 kif = pf_kkif_create(M_WAITOK); 144 LIST_INSERT_HEAD(&kifs, kif, pfik_list); 145 } 146 147 NET_EPOCH_ENTER(et); 148 PF_RULES_WLOCK(); 149 kif = LIST_FIRST(&kifs); 150 LIST_REMOVE(kif, pfik_list); 151 V_pfi_all = pfi_kkif_attach(kif, IFG_ALL); 152 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) { 153 kif = LIST_FIRST(&kifs); 154 LIST_REMOVE(kif, pfik_list); 155 pfi_attach_ifgroup(ifg, kif); 156 } 157 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) { 158 kif = LIST_FIRST(&kifs); 159 LIST_REMOVE(kif, pfik_list); 160 pfi_attach_ifnet(ifp, kif); 161 } 162 PF_RULES_WUNLOCK(); 163 NET_EPOCH_EXIT(et); 164 IFNET_RUNLOCK(); 165 166 MPASS(LIST_EMPTY(&kifs)); 167 } 168 169 void 170 pfi_initialize(void) 171 { 172 173 pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event, 174 pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); 175 pfi_detach_cookie = EVENTHANDLER_REGISTER(ifnet_departure_event, 176 pfi_detach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); 177 pfi_attach_group_cookie = EVENTHANDLER_REGISTER(group_attach_event, 178 pfi_attach_group_event, NULL, EVENTHANDLER_PRI_ANY); 179 pfi_change_group_cookie = EVENTHANDLER_REGISTER(group_change_event, 180 pfi_change_group_event, NULL, EVENTHANDLER_PRI_ANY); 181 pfi_detach_group_cookie = EVENTHANDLER_REGISTER(group_detach_event, 182 pfi_detach_group_event, NULL, EVENTHANDLER_PRI_ANY); 183 pfi_ifaddr_event_cookie = EVENTHANDLER_REGISTER(ifaddr_event, 184 pfi_ifaddr_event, NULL, EVENTHANDLER_PRI_ANY); 185 } 186 187 void 188 pfi_cleanup_vnet(void) 189 { 190 struct pfi_kkif *kif; 191 192 PF_RULES_WASSERT(); 193 194 V_pfi_all = NULL; 195 while ((kif = RB_MIN(pfi_ifhead, &V_pfi_ifs))) { 196 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif); 197 if (kif->pfik_group) 198 kif->pfik_group->ifg_pf_kif = NULL; 199 if (kif->pfik_ifp) { 200 if_rele(kif->pfik_ifp); 201 kif->pfik_ifp->if_pf_kif = NULL; 202 } 203 pf_kkif_free(kif); 204 } 205 206 mtx_lock(&pfi_unlnkdkifs_mtx); 207 while ((kif = LIST_FIRST(&V_pfi_unlinked_kifs))) { 208 LIST_REMOVE(kif, pfik_list); 209 pf_kkif_free(kif); 210 } 211 mtx_unlock(&pfi_unlnkdkifs_mtx); 212 213 free(V_pfi_buffer, PFI_MTYPE); 214 } 215 216 void 217 pfi_cleanup(void) 218 { 219 220 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie); 221 EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie); 222 EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie); 223 EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie); 224 EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie); 225 EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie); 226 } 227 228 struct pfi_kkif* 229 pf_kkif_create(int flags) 230 { 231 struct pfi_kkif *kif; 232 #ifdef PF_WANT_32_TO_64_COUNTER 233 bool wowned; 234 #endif 235 236 kif = malloc(sizeof(*kif), PFI_MTYPE, flags | M_ZERO); 237 if (! kif) 238 return (kif); 239 240 for (int i = 0; i < 2; i++) { 241 for (int j = 0; j < 2; j++) { 242 for (int k = 0; k < 2; k++) { 243 if (pf_counter_u64_init(&kif->pfik_packets[i][j][k], flags) != 0) { 244 pf_kkif_free(kif); 245 return (NULL); 246 } 247 248 if (pf_counter_u64_init(&kif->pfik_bytes[i][j][k], flags) != 0) { 249 pf_kkif_free(kif); 250 return (NULL); 251 } 252 } 253 } 254 } 255 256 #ifdef PF_WANT_32_TO_64_COUNTER 257 wowned = PF_RULES_WOWNED(); 258 if (!wowned) 259 PF_RULES_WLOCK(); 260 LIST_INSERT_HEAD(&V_pf_allkiflist, kif, pfik_allkiflist); 261 V_pf_allkifcount++; 262 if (!wowned) 263 PF_RULES_WUNLOCK(); 264 #endif 265 266 return (kif); 267 } 268 269 void 270 pf_kkif_free(struct pfi_kkif *kif) 271 { 272 #ifdef PF_WANT_32_TO_64_COUNTER 273 bool wowned; 274 #endif 275 276 if (! kif) 277 return; 278 279 #ifdef PF_WANT_32_TO_64_COUNTER 280 wowned = PF_RULES_WOWNED(); 281 if (!wowned) 282 PF_RULES_WLOCK(); 283 LIST_REMOVE(kif, pfik_allkiflist); 284 V_pf_allkifcount--; 285 if (!wowned) 286 PF_RULES_WUNLOCK(); 287 #endif 288 289 for (int i = 0; i < 2; i++) { 290 for (int j = 0; j < 2; j++) { 291 for (int k = 0; k < 2; k++) { 292 pf_counter_u64_deinit(&kif->pfik_packets[i][j][k]); 293 pf_counter_u64_deinit(&kif->pfik_bytes[i][j][k]); 294 } 295 } 296 } 297 298 free(kif, PFI_MTYPE); 299 } 300 301 void 302 pf_kkif_zero(struct pfi_kkif *kif) 303 { 304 305 for (int i = 0; i < 2; i++) { 306 for (int j = 0; j < 2; j++) { 307 for (int k = 0; k < 2; k++) { 308 pf_counter_u64_zero(&kif->pfik_packets[i][j][k]); 309 pf_counter_u64_zero(&kif->pfik_bytes[i][j][k]); 310 } 311 } 312 } 313 kif->pfik_tzero = time_second; 314 } 315 316 struct pfi_kkif * 317 pfi_kkif_find(const char *kif_name) 318 { 319 struct pfi_kif_cmp s; 320 321 PF_RULES_ASSERT(); 322 323 memset(&s, 0, sizeof(s)); 324 strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name)); 325 326 return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&s)); 327 } 328 329 struct pfi_kkif * 330 pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name) 331 { 332 struct pfi_kkif *kif1; 333 334 PF_RULES_WASSERT(); 335 KASSERT(kif != NULL, ("%s: null kif", __func__)); 336 337 kif1 = pfi_kkif_find(kif_name); 338 if (kif1 != NULL) { 339 pf_kkif_free(kif); 340 return (kif1); 341 } 342 343 pf_kkif_zero(kif); 344 strlcpy(kif->pfik_name, kif_name, sizeof(kif->pfik_name)); 345 /* 346 * It seems that the value of time_second is in unintialzied state 347 * when pf sets interface statistics clear time in boot phase if pf 348 * was statically linked to kernel. Instead of setting the bogus 349 * time value have pfi_get_ifaces handle this case. In 350 * pfi_get_ifaces it uses time_second if it sees the time is 0. 351 */ 352 kif->pfik_tzero = time_second > 1 ? time_second : 0; 353 TAILQ_INIT(&kif->pfik_dynaddrs); 354 355 RB_INSERT(pfi_ifhead, &V_pfi_ifs, kif); 356 357 return (kif); 358 } 359 360 void 361 pfi_kkif_ref(struct pfi_kkif *kif) 362 { 363 364 PF_RULES_WASSERT(); 365 kif->pfik_rulerefs++; 366 } 367 368 static void 369 pfi_kkif_remove_if_unref(struct pfi_kkif *kif) 370 { 371 372 PF_RULES_WASSERT(); 373 374 if (kif->pfik_rulerefs > 0) 375 return; 376 377 /* kif referencing an existing ifnet or group or holding flags should 378 * exist. */ 379 if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || 380 kif == V_pfi_all || kif->pfik_flags != 0) 381 return; 382 383 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif); 384 385 kif->pfik_flags |= PFI_IFLAG_REFS; 386 387 mtx_lock(&pfi_unlnkdkifs_mtx); 388 LIST_INSERT_HEAD(&V_pfi_unlinked_kifs, kif, pfik_list); 389 mtx_unlock(&pfi_unlnkdkifs_mtx); 390 } 391 392 void 393 pfi_kkif_unref(struct pfi_kkif *kif) 394 { 395 396 PF_RULES_WASSERT(); 397 KASSERT(kif->pfik_rulerefs > 0, ("%s: %p has zero refs", __func__, kif)); 398 399 kif->pfik_rulerefs--; 400 401 pfi_kkif_remove_if_unref(kif); 402 } 403 404 void 405 pfi_kkif_purge(void) 406 { 407 struct pfi_kkif *kif, *kif1; 408 409 /* 410 * Do naive mark-and-sweep garbage collecting of old kifs. 411 * Reference flag is raised by pf_purge_expired_states(). 412 */ 413 mtx_lock(&pfi_unlnkdkifs_mtx); 414 LIST_FOREACH_SAFE(kif, &V_pfi_unlinked_kifs, pfik_list, kif1) { 415 if (!(kif->pfik_flags & PFI_IFLAG_REFS)) { 416 LIST_REMOVE(kif, pfik_list); 417 pf_kkif_free(kif); 418 } else 419 kif->pfik_flags &= ~PFI_IFLAG_REFS; 420 } 421 mtx_unlock(&pfi_unlnkdkifs_mtx); 422 } 423 424 int 425 pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif) 426 { 427 struct ifg_list *p; 428 429 NET_EPOCH_ASSERT(); 430 431 if (rule_kif == NULL || rule_kif == packet_kif) 432 return (1); 433 434 if (rule_kif->pfik_group != NULL) { 435 CK_STAILQ_FOREACH(p, &packet_kif->pfik_ifp->if_groups, ifgl_next) 436 if (p->ifgl_group == rule_kif->pfik_group) 437 return (1); 438 } 439 440 return (0); 441 } 442 443 static void 444 pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kkif *kif) 445 { 446 447 PF_RULES_WASSERT(); 448 449 V_pfi_update++; 450 kif = pfi_kkif_attach(kif, ifp->if_xname); 451 if_ref(ifp); 452 kif->pfik_ifp = ifp; 453 ifp->if_pf_kif = kif; 454 pfi_kkif_update(kif); 455 } 456 457 static void 458 pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kkif *kif) 459 { 460 461 PF_RULES_WASSERT(); 462 463 V_pfi_update++; 464 kif = pfi_kkif_attach(kif, ifg->ifg_group); 465 kif->pfik_group = ifg; 466 ifg->ifg_pf_kif = kif; 467 } 468 469 int 470 pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af) 471 { 472 switch (af) { 473 #ifdef INET 474 case AF_INET: 475 switch (dyn->pfid_acnt4) { 476 case 0: 477 return (0); 478 case 1: 479 return (PF_MATCHA(0, &dyn->pfid_addr4, 480 &dyn->pfid_mask4, a, AF_INET)); 481 default: 482 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET)); 483 } 484 break; 485 #endif /* INET */ 486 #ifdef INET6 487 case AF_INET6: 488 switch (dyn->pfid_acnt6) { 489 case 0: 490 return (0); 491 case 1: 492 return (PF_MATCHA(0, &dyn->pfid_addr6, 493 &dyn->pfid_mask6, a, AF_INET6)); 494 default: 495 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET6)); 496 } 497 break; 498 #endif /* INET6 */ 499 default: 500 return (0); 501 } 502 } 503 504 int 505 pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) 506 { 507 struct epoch_tracker et; 508 struct pfi_dynaddr *dyn; 509 char tblname[PF_TABLE_NAME_SIZE]; 510 struct pf_kruleset *ruleset = NULL; 511 struct pfi_kkif *kif; 512 int rv = 0; 513 514 PF_RULES_WASSERT(); 515 KASSERT(aw->type == PF_ADDR_DYNIFTL, ("%s: type %u", 516 __func__, aw->type)); 517 KASSERT(aw->p.dyn == NULL, ("%s: dyn is %p", __func__, aw->p.dyn)); 518 519 if ((dyn = malloc(sizeof(*dyn), PFI_MTYPE, M_NOWAIT | M_ZERO)) == NULL) 520 return (ENOMEM); 521 522 if ((kif = pf_kkif_create(M_NOWAIT)) == NULL) { 523 free(dyn, PFI_MTYPE); 524 return (ENOMEM); 525 } 526 527 if (!strcmp(aw->v.ifname, "self")) 528 dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL); 529 else 530 dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname); 531 kif = NULL; 532 pfi_kkif_ref(dyn->pfid_kif); 533 534 dyn->pfid_net = pfi_unmask(&aw->v.a.mask); 535 if (af == AF_INET && dyn->pfid_net == 32) 536 dyn->pfid_net = 128; 537 strlcpy(tblname, aw->v.ifname, sizeof(tblname)); 538 if (aw->iflags & PFI_AFLAG_NETWORK) 539 strlcat(tblname, ":network", sizeof(tblname)); 540 if (aw->iflags & PFI_AFLAG_BROADCAST) 541 strlcat(tblname, ":broadcast", sizeof(tblname)); 542 if (aw->iflags & PFI_AFLAG_PEER) 543 strlcat(tblname, ":peer", sizeof(tblname)); 544 if (aw->iflags & PFI_AFLAG_NOALIAS) 545 strlcat(tblname, ":0", sizeof(tblname)); 546 if (dyn->pfid_net != 128) 547 snprintf(tblname + strlen(tblname), 548 sizeof(tblname) - strlen(tblname), "/%d", dyn->pfid_net); 549 if ((ruleset = pf_find_or_create_kruleset(PF_RESERVED_ANCHOR)) == NULL) { 550 rv = ENOMEM; 551 goto _bad; 552 } 553 554 if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname)) == NULL) { 555 rv = ENOMEM; 556 goto _bad; 557 } 558 559 dyn->pfid_kt->pfrkt_flags |= PFR_TFLAG_ACTIVE; 560 dyn->pfid_iflags = aw->iflags; 561 dyn->pfid_af = af; 562 563 TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); 564 aw->p.dyn = dyn; 565 NET_EPOCH_ENTER(et); 566 pfi_kkif_update(dyn->pfid_kif); 567 NET_EPOCH_EXIT(et); 568 569 return (0); 570 571 _bad: 572 if (dyn->pfid_kt != NULL) 573 pfr_detach_table(dyn->pfid_kt); 574 if (ruleset != NULL) 575 pf_remove_if_empty_kruleset(ruleset); 576 pfi_kkif_unref(dyn->pfid_kif); 577 free(dyn, PFI_MTYPE); 578 579 return (rv); 580 } 581 582 static void 583 pfi_kkif_update(struct pfi_kkif *kif) 584 { 585 struct ifg_list *ifgl; 586 struct ifg_member *ifgm; 587 struct pfi_dynaddr *p; 588 struct pfi_kkif *tmpkif; 589 590 NET_EPOCH_ASSERT(); 591 PF_RULES_WASSERT(); 592 593 /* update all dynaddr */ 594 TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry) 595 pfi_dynaddr_update(p); 596 597 /* Apply group flags to new members. */ 598 if (kif->pfik_group != NULL) { 599 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, 600 ifgm_next) { 601 tmpkif = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; 602 if (tmpkif == NULL) 603 continue; 604 605 tmpkif->pfik_flags |= kif->pfik_flags; 606 } 607 } 608 609 /* again for all groups kif is member of */ 610 if (kif->pfik_ifp != NULL) { 611 CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next) 612 pfi_kkif_update((struct pfi_kkif *) 613 ifgl->ifgl_group->ifg_pf_kif); 614 } 615 } 616 617 static void 618 pfi_dynaddr_update(struct pfi_dynaddr *dyn) 619 { 620 struct pfi_kkif *kif; 621 struct pfr_ktable *kt; 622 623 PF_RULES_WASSERT(); 624 KASSERT(dyn && dyn->pfid_kif && dyn->pfid_kt, 625 ("%s: bad argument", __func__)); 626 627 kif = dyn->pfid_kif; 628 kt = dyn->pfid_kt; 629 630 if (kt->pfrkt_larg != V_pfi_update) { 631 /* this table needs to be brought up-to-date */ 632 pfi_table_update(kt, kif, dyn->pfid_net, dyn->pfid_iflags); 633 kt->pfrkt_larg = V_pfi_update; 634 } 635 pfr_dynaddr_update(kt, dyn); 636 } 637 638 static void 639 pfi_table_update(struct pfr_ktable *kt, struct pfi_kkif *kif, int net, int flags) 640 { 641 int e, size2 = 0; 642 struct ifg_member *ifgm; 643 644 NET_EPOCH_ASSERT(); 645 646 V_pfi_buffer_cnt = 0; 647 648 if (kif->pfik_ifp != NULL) 649 pfi_instance_add(kif->pfik_ifp, net, flags); 650 else if (kif->pfik_group != NULL) { 651 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next) 652 pfi_instance_add(ifgm->ifgm_ifp, net, flags); 653 } 654 655 if ((e = pfr_set_addrs(&kt->pfrkt_t, V_pfi_buffer, V_pfi_buffer_cnt, &size2, 656 NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) 657 printf("%s: cannot set %d new addresses into table %s: %d\n", 658 __func__, V_pfi_buffer_cnt, kt->pfrkt_name, e); 659 } 660 661 static void 662 pfi_instance_add(struct ifnet *ifp, int net, int flags) 663 { 664 struct ifaddr *ia; 665 int got4 = 0, got6 = 0; 666 int net2, af; 667 668 NET_EPOCH_ASSERT(); 669 670 CK_STAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { 671 if (ia->ifa_addr == NULL) 672 continue; 673 af = ia->ifa_addr->sa_family; 674 if (af != AF_INET && af != AF_INET6) 675 continue; 676 /* 677 * XXX: For point-to-point interfaces, (ifname:0) and IPv4, 678 * jump over addresses without a proper route to work 679 * around a problem with ppp not fully removing the 680 * address used during IPCP. 681 */ 682 if ((ifp->if_flags & IFF_POINTOPOINT) && 683 !(ia->ifa_flags & IFA_ROUTE) && 684 (flags & PFI_AFLAG_NOALIAS) && (af == AF_INET)) 685 continue; 686 if ((flags & PFI_AFLAG_BROADCAST) && af == AF_INET6) 687 continue; 688 if ((flags & PFI_AFLAG_BROADCAST) && 689 !(ifp->if_flags & IFF_BROADCAST)) 690 continue; 691 if ((flags & PFI_AFLAG_PEER) && 692 !(ifp->if_flags & IFF_POINTOPOINT)) 693 continue; 694 if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && 695 af == AF_INET6 && 696 IN6_IS_ADDR_LINKLOCAL( 697 &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) 698 continue; 699 if (flags & PFI_AFLAG_NOALIAS) { 700 if (af == AF_INET && got4) 701 continue; 702 if (af == AF_INET6 && got6) 703 continue; 704 } 705 if (af == AF_INET) 706 got4 = 1; 707 else if (af == AF_INET6) 708 got6 = 1; 709 net2 = net; 710 if (net2 == 128 && (flags & PFI_AFLAG_NETWORK)) { 711 if (af == AF_INET) 712 net2 = pfi_unmask(&((struct sockaddr_in *) 713 ia->ifa_netmask)->sin_addr); 714 else if (af == AF_INET6) 715 net2 = pfi_unmask(&((struct sockaddr_in6 *) 716 ia->ifa_netmask)->sin6_addr); 717 } 718 if (af == AF_INET && net2 > 32) 719 net2 = 32; 720 if (flags & PFI_AFLAG_BROADCAST) 721 pfi_address_add(ia->ifa_broadaddr, af, net2); 722 else if (flags & PFI_AFLAG_PEER) 723 pfi_address_add(ia->ifa_dstaddr, af, net2); 724 else 725 pfi_address_add(ia->ifa_addr, af, net2); 726 } 727 } 728 729 static void 730 pfi_address_add(struct sockaddr *sa, int af, int net) 731 { 732 struct pfr_addr *p; 733 int i; 734 735 if (V_pfi_buffer_cnt >= V_pfi_buffer_max) { 736 int new_max = V_pfi_buffer_max * 2; 737 738 if (new_max > PFI_BUFFER_MAX) { 739 printf("%s: address buffer full (%d/%d)\n", __func__, 740 V_pfi_buffer_cnt, PFI_BUFFER_MAX); 741 return; 742 } 743 p = malloc(new_max * sizeof(*V_pfi_buffer), PFI_MTYPE, 744 M_NOWAIT); 745 if (p == NULL) { 746 printf("%s: no memory to grow buffer (%d/%d)\n", 747 __func__, V_pfi_buffer_cnt, PFI_BUFFER_MAX); 748 return; 749 } 750 memcpy(p, V_pfi_buffer, V_pfi_buffer_max * sizeof(*V_pfi_buffer)); 751 /* no need to zero buffer */ 752 free(V_pfi_buffer, PFI_MTYPE); 753 V_pfi_buffer = p; 754 V_pfi_buffer_max = new_max; 755 } 756 if (af == AF_INET && net > 32) 757 net = 128; 758 p = V_pfi_buffer + V_pfi_buffer_cnt++; 759 memset(p, 0, sizeof(*p)); 760 p->pfra_af = af; 761 p->pfra_net = net; 762 if (af == AF_INET) 763 p->pfra_ip4addr = ((struct sockaddr_in *)sa)->sin_addr; 764 else if (af == AF_INET6) { 765 p->pfra_ip6addr = ((struct sockaddr_in6 *)sa)->sin6_addr; 766 if (IN6_IS_SCOPE_EMBED(&p->pfra_ip6addr)) 767 p->pfra_ip6addr.s6_addr16[1] = 0; 768 } 769 /* mask network address bits */ 770 if (net < 128) 771 ((caddr_t)p)[p->pfra_net/8] &= ~(0xFF >> (p->pfra_net%8)); 772 for (i = (p->pfra_net+7)/8; i < sizeof(p->pfra_u); i++) 773 ((caddr_t)p)[i] = 0; 774 } 775 776 void 777 pfi_dynaddr_remove(struct pfi_dynaddr *dyn) 778 { 779 780 KASSERT(dyn->pfid_kif != NULL, ("%s: null pfid_kif", __func__)); 781 KASSERT(dyn->pfid_kt != NULL, ("%s: null pfid_kt", __func__)); 782 783 TAILQ_REMOVE(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); 784 pfi_kkif_unref(dyn->pfid_kif); 785 pfr_detach_table(dyn->pfid_kt); 786 free(dyn, PFI_MTYPE); 787 } 788 789 void 790 pfi_dynaddr_copyout(struct pf_addr_wrap *aw) 791 { 792 793 KASSERT(aw->type == PF_ADDR_DYNIFTL, 794 ("%s: type %u", __func__, aw->type)); 795 796 if (aw->p.dyn == NULL || aw->p.dyn->pfid_kif == NULL) 797 return; 798 aw->p.dyncnt = aw->p.dyn->pfid_acnt4 + aw->p.dyn->pfid_acnt6; 799 } 800 801 static int 802 pfi_kkif_compare(struct pfi_kkif *p, struct pfi_kkif *q) 803 { 804 return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ)); 805 } 806 807 void 808 pfi_update_status(const char *name, struct pf_status *pfs) 809 { 810 struct pfi_kkif *p; 811 struct pfi_kif_cmp key; 812 struct ifg_member p_member, *ifgm; 813 CK_STAILQ_HEAD(, ifg_member) ifg_members; 814 int i, j, k; 815 816 if (pfs) { 817 memset(pfs->pcounters, 0, sizeof(pfs->pcounters)); 818 memset(pfs->bcounters, 0, sizeof(pfs->bcounters)); 819 } 820 821 strlcpy(key.pfik_name, name, sizeof(key.pfik_name)); 822 p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&key); 823 if (p == NULL) { 824 return; 825 } 826 827 if (p->pfik_group != NULL) { 828 memcpy(&ifg_members, &p->pfik_group->ifg_members, 829 sizeof(ifg_members)); 830 } else { 831 /* build a temporary list for p only */ 832 memset(&p_member, 0, sizeof(p_member)); 833 p_member.ifgm_ifp = p->pfik_ifp; 834 CK_STAILQ_INIT(&ifg_members); 835 CK_STAILQ_INSERT_TAIL(&ifg_members, &p_member, ifgm_next); 836 } 837 CK_STAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) { 838 if (ifgm->ifgm_ifp == NULL || ifgm->ifgm_ifp->if_pf_kif == NULL) 839 continue; 840 p = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; 841 842 /* just clear statistics */ 843 if (pfs == NULL) { 844 pf_kkif_zero(p); 845 continue; 846 } 847 for (i = 0; i < 2; i++) 848 for (j = 0; j < 2; j++) 849 for (k = 0; k < 2; k++) { 850 pfs->pcounters[i][j][k] += 851 pf_counter_u64_fetch(&p->pfik_packets[i][j][k]); 852 pfs->bcounters[i][j] += 853 pf_counter_u64_fetch(&p->pfik_bytes[i][j][k]); 854 } 855 } 856 } 857 858 static void 859 pf_kkif_to_kif(struct pfi_kkif *kkif, struct pfi_kif *kif) 860 { 861 862 memset(kif, 0, sizeof(*kif)); 863 strlcpy(kif->pfik_name, kkif->pfik_name, sizeof(kif->pfik_name)); 864 for (int i = 0; i < 2; i++) { 865 for (int j = 0; j < 2; j++) { 866 for (int k = 0; k < 2; k++) { 867 kif->pfik_packets[i][j][k] = 868 pf_counter_u64_fetch(&kkif->pfik_packets[i][j][k]); 869 kif->pfik_bytes[i][j][k] = 870 pf_counter_u64_fetch(&kkif->pfik_bytes[i][j][k]); 871 } 872 } 873 } 874 kif->pfik_flags = kkif->pfik_flags; 875 kif->pfik_tzero = kkif->pfik_tzero; 876 kif->pfik_rulerefs = kkif->pfik_rulerefs; 877 /* 878 * Userspace relies on this pointer to decide if this is a group or 879 * not. We don't want to share the actual pointer, because it's 880 * useless to userspace and leaks kernel memory layout information. 881 * So instead we provide 0xfeedcode as 'true' and NULL as 'false'. 882 */ 883 kif->pfik_group = 884 kkif->pfik_group ? (struct ifg_group *)0xfeedc0de : NULL; 885 } 886 887 void 888 pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size) 889 { 890 struct epoch_tracker et; 891 struct pfi_kkif *p, *nextp; 892 int n = 0; 893 894 NET_EPOCH_ENTER(et); 895 for (p = RB_MIN(pfi_ifhead, &V_pfi_ifs); p; p = nextp) { 896 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); 897 if (pfi_skip_if(name, p)) 898 continue; 899 if (*size <= n++) 900 break; 901 if (!p->pfik_tzero) 902 p->pfik_tzero = time_second; 903 pf_kkif_to_kif(p, buf++); 904 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); 905 } 906 *size = n; 907 NET_EPOCH_EXIT(et); 908 } 909 910 static int 911 pfi_skip_if(const char *filter, struct pfi_kkif *p) 912 { 913 struct ifg_list *i; 914 int n; 915 916 NET_EPOCH_ASSERT(); 917 918 if (filter == NULL || !*filter) 919 return (0); 920 if (!strcmp(p->pfik_name, filter)) 921 return (0); /* exact match */ 922 n = strlen(filter); 923 if (n < 1 || n >= IFNAMSIZ) 924 return (1); /* sanity check */ 925 if (filter[n-1] >= '0' && filter[n-1] <= '9') 926 return (1); /* group names may not end in a digit */ 927 if (p->pfik_ifp == NULL) 928 return (1); 929 CK_STAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next) 930 if (!strncmp(i->ifgl_group->ifg_group, filter, IFNAMSIZ)) 931 return (0); /* iface is in group "filter" */ 932 return (1); 933 } 934 935 int 936 pfi_set_flags(const char *name, int flags) 937 { 938 struct epoch_tracker et; 939 struct pfi_kkif *p, *kif; 940 941 kif = pf_kkif_create(M_NOWAIT); 942 if (kif == NULL) 943 return (ENOMEM); 944 945 NET_EPOCH_ENTER(et); 946 947 kif = pfi_kkif_attach(kif, name); 948 949 RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) { 950 if (pfi_skip_if(name, p)) 951 continue; 952 p->pfik_flags |= flags; 953 } 954 NET_EPOCH_EXIT(et); 955 return (0); 956 } 957 958 int 959 pfi_clear_flags(const char *name, int flags) 960 { 961 struct epoch_tracker et; 962 struct pfi_kkif *p, *tmp; 963 964 NET_EPOCH_ENTER(et); 965 RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) { 966 if (pfi_skip_if(name, p)) 967 continue; 968 p->pfik_flags &= ~flags; 969 970 if (p->pfik_ifp == NULL && p->pfik_group == NULL && 971 p->pfik_flags == 0 && p->pfik_rulerefs == 0) { 972 /* Delete this kif. */ 973 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p); 974 pf_kkif_free(p); 975 } 976 } 977 NET_EPOCH_EXIT(et); 978 return (0); 979 } 980 981 /* from pf_print_state.c */ 982 static int 983 pfi_unmask(void *addr) 984 { 985 struct pf_addr *m = addr; 986 int i = 31, j = 0, b = 0; 987 u_int32_t tmp; 988 989 while (j < 4 && m->addr32[j] == 0xffffffff) { 990 b += 32; 991 j++; 992 } 993 if (j < 4) { 994 tmp = ntohl(m->addr32[j]); 995 for (i = 31; tmp & (1 << i); --i) 996 b++; 997 } 998 return (b); 999 } 1000 1001 static void 1002 pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp) 1003 { 1004 struct epoch_tracker et; 1005 struct pfi_kkif *kif; 1006 1007 if (V_pf_vnet_active == 0) { 1008 /* Avoid teardown race in the least expensive way. */ 1009 return; 1010 } 1011 kif = pf_kkif_create(M_NOWAIT); 1012 NET_EPOCH_ENTER(et); 1013 PF_RULES_WLOCK(); 1014 pfi_attach_ifnet(ifp, kif); 1015 #ifdef ALTQ 1016 pf_altq_ifnet_event(ifp, 0); 1017 #endif 1018 PF_RULES_WUNLOCK(); 1019 NET_EPOCH_EXIT(et); 1020 } 1021 1022 static void 1023 pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) 1024 { 1025 struct epoch_tracker et; 1026 struct pfi_kkif *kif = (struct pfi_kkif *)ifp->if_pf_kif; 1027 1028 if (pfsync_detach_ifnet_ptr) 1029 pfsync_detach_ifnet_ptr(ifp); 1030 1031 if (kif == NULL) 1032 return; 1033 1034 if (V_pf_vnet_active == 0) { 1035 /* Avoid teardown race in the least expensive way. */ 1036 return; 1037 } 1038 1039 NET_EPOCH_ENTER(et); 1040 PF_RULES_WLOCK(); 1041 V_pfi_update++; 1042 pfi_kkif_update(kif); 1043 1044 if (kif->pfik_ifp) 1045 if_rele(kif->pfik_ifp); 1046 1047 kif->pfik_ifp = NULL; 1048 ifp->if_pf_kif = NULL; 1049 #ifdef ALTQ 1050 pf_altq_ifnet_event(ifp, 1); 1051 #endif 1052 pfi_kkif_remove_if_unref(kif); 1053 1054 PF_RULES_WUNLOCK(); 1055 NET_EPOCH_EXIT(et); 1056 } 1057 1058 static void 1059 pfi_attach_group_event(void *arg __unused, struct ifg_group *ifg) 1060 { 1061 struct epoch_tracker et; 1062 struct pfi_kkif *kif; 1063 1064 if (V_pf_vnet_active == 0) { 1065 /* Avoid teardown race in the least expensive way. */ 1066 return; 1067 } 1068 kif = pf_kkif_create(M_WAITOK); 1069 NET_EPOCH_ENTER(et); 1070 PF_RULES_WLOCK(); 1071 pfi_attach_ifgroup(ifg, kif); 1072 PF_RULES_WUNLOCK(); 1073 NET_EPOCH_EXIT(et); 1074 } 1075 1076 static void 1077 pfi_change_group_event(void *arg __unused, char *gname) 1078 { 1079 struct epoch_tracker et; 1080 struct pfi_kkif *kif; 1081 1082 if (V_pf_vnet_active == 0) { 1083 /* Avoid teardown race in the least expensive way. */ 1084 return; 1085 } 1086 1087 kif = pf_kkif_create(M_WAITOK); 1088 NET_EPOCH_ENTER(et); 1089 PF_RULES_WLOCK(); 1090 V_pfi_update++; 1091 kif = pfi_kkif_attach(kif, gname); 1092 pfi_kkif_update(kif); 1093 PF_RULES_WUNLOCK(); 1094 NET_EPOCH_EXIT(et); 1095 } 1096 1097 static void 1098 pfi_detach_group_event(void *arg __unused, struct ifg_group *ifg) 1099 { 1100 struct pfi_kkif *kif = (struct pfi_kkif *)ifg->ifg_pf_kif; 1101 1102 if (kif == NULL) 1103 return; 1104 1105 if (V_pf_vnet_active == 0) { 1106 /* Avoid teardown race in the least expensive way. */ 1107 return; 1108 } 1109 PF_RULES_WLOCK(); 1110 V_pfi_update++; 1111 1112 kif->pfik_group = NULL; 1113 ifg->ifg_pf_kif = NULL; 1114 1115 pfi_kkif_remove_if_unref(kif); 1116 PF_RULES_WUNLOCK(); 1117 } 1118 1119 static void 1120 pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp) 1121 { 1122 1123 KASSERT(ifp, ("ifp == NULL")); 1124 1125 if (ifp->if_pf_kif == NULL) 1126 return; 1127 1128 if (V_pf_vnet_active == 0) { 1129 /* Avoid teardown race in the least expensive way. */ 1130 return; 1131 } 1132 PF_RULES_WLOCK(); 1133 if (ifp->if_pf_kif) { 1134 struct epoch_tracker et; 1135 1136 V_pfi_update++; 1137 NET_EPOCH_ENTER(et); 1138 pfi_kkif_update(ifp->if_pf_kif); 1139 NET_EPOCH_EXIT(et); 1140 } 1141 PF_RULES_WUNLOCK(); 1142 } 1143