1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2003 Cedric Berger 6 * Copyright (c) 2005 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2005 Ryan McBride <mcbride@openbsd.org> 8 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org> 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * - Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * - Redistributions in binary form must reproduce the above 18 * copyright notice, this list of conditions and the following 19 * disclaimer in the documentation and/or other materials provided 20 * with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 25 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 26 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 28 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 30 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 32 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $OpenBSD: pf_if.c,v 1.54 2008/06/14 16:55:28 mk Exp $ 36 */ 37 38 #include <sys/cdefs.h> 39 __FBSDID("$FreeBSD$"); 40 41 #include "opt_inet.h" 42 #include "opt_inet6.h" 43 44 #include <sys/param.h> 45 #include <sys/kernel.h> 46 #include <sys/eventhandler.h> 47 #include <sys/lock.h> 48 #include <sys/mbuf.h> 49 #include <sys/socket.h> 50 51 #include <net/if.h> 52 #include <net/if_var.h> 53 #include <net/vnet.h> 54 #include <net/pfvar.h> 55 #include <net/route.h> 56 57 VNET_DEFINE(struct pfi_kkif *, pfi_all); 58 VNET_DEFINE_STATIC(long, pfi_update); 59 #define V_pfi_update VNET(pfi_update) 60 #define PFI_BUFFER_MAX 0x10000 61 62 VNET_DECLARE(int, pf_vnet_active); 63 #define V_pf_vnet_active VNET(pf_vnet_active) 64 65 VNET_DEFINE_STATIC(struct pfr_addr *, pfi_buffer); 66 VNET_DEFINE_STATIC(int, pfi_buffer_cnt); 67 VNET_DEFINE_STATIC(int, pfi_buffer_max); 68 #define V_pfi_buffer VNET(pfi_buffer) 69 #define V_pfi_buffer_cnt VNET(pfi_buffer_cnt) 70 #define V_pfi_buffer_max VNET(pfi_buffer_max) 71 72 #ifdef PF_WANT_32_TO_64_COUNTER 73 VNET_DEFINE(struct allkiflist_head, pf_allkiflist); 74 VNET_DEFINE(size_t, pf_allkifcount); 75 VNET_DEFINE(struct pfi_kkif *, pf_kifmarker); 76 #endif 77 78 eventhandler_tag pfi_attach_cookie; 79 eventhandler_tag pfi_detach_cookie; 80 eventhandler_tag pfi_attach_group_cookie; 81 eventhandler_tag pfi_change_group_cookie; 82 eventhandler_tag pfi_detach_group_cookie; 83 eventhandler_tag pfi_ifaddr_event_cookie; 84 85 static void pfi_attach_ifnet(struct ifnet *, struct pfi_kkif *); 86 static void pfi_attach_ifgroup(struct ifg_group *, struct pfi_kkif *); 87 88 static void pfi_kkif_update(struct pfi_kkif *); 89 static void pfi_dynaddr_update(struct pfi_dynaddr *dyn); 90 static void pfi_table_update(struct pfr_ktable *, struct pfi_kkif *, int, 91 int); 92 static void pfi_instance_add(struct ifnet *, int, int); 93 static void pfi_address_add(struct sockaddr *, int, int); 94 static int pfi_kkif_compare(struct pfi_kkif *, struct pfi_kkif *); 95 static int pfi_skip_if(const char *, struct pfi_kkif *); 96 static int pfi_unmask(void *); 97 static void pfi_attach_ifnet_event(void * __unused, struct ifnet *); 98 static void pfi_detach_ifnet_event(void * __unused, struct ifnet *); 99 static void pfi_attach_group_event(void * __unused, struct ifg_group *); 100 static void pfi_change_group_event(void * __unused, char *); 101 static void pfi_detach_group_event(void * __unused, struct ifg_group *); 102 static void pfi_ifaddr_event(void * __unused, struct ifnet *); 103 104 RB_HEAD(pfi_ifhead, pfi_kkif); 105 static RB_PROTOTYPE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); 106 static RB_GENERATE(pfi_ifhead, pfi_kkif, pfik_tree, pfi_kkif_compare); 107 VNET_DEFINE_STATIC(struct pfi_ifhead, pfi_ifs); 108 #define V_pfi_ifs VNET(pfi_ifs) 109 110 #define PFI_BUFFER_MAX 0x10000 111 MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interface database"); 112 113 LIST_HEAD(pfi_list, pfi_kkif); 114 VNET_DEFINE_STATIC(struct pfi_list, pfi_unlinked_kifs); 115 #define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs) 116 static struct mtx pfi_unlnkdkifs_mtx; 117 MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unlnkdkifs_mtx, "pf unlinked interfaces", 118 MTX_DEF); 119 120 void 121 pfi_initialize_vnet(void) 122 { 123 struct pfi_list kifs = LIST_HEAD_INITIALIZER(); 124 struct epoch_tracker et; 125 struct pfi_kkif *kif; 126 struct ifg_group *ifg; 127 struct ifnet *ifp; 128 int nkifs; 129 130 V_pfi_buffer_max = 64; 131 V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer), 132 PFI_MTYPE, M_WAITOK); 133 134 nkifs = 1; /* one for V_pfi_all */ 135 IFNET_RLOCK(); 136 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) 137 nkifs++; 138 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) 139 nkifs++; 140 141 for (int n = 0; n < nkifs; n++) { 142 kif = pf_kkif_create(M_WAITOK); 143 LIST_INSERT_HEAD(&kifs, kif, pfik_list); 144 } 145 146 NET_EPOCH_ENTER(et); 147 PF_RULES_WLOCK(); 148 kif = LIST_FIRST(&kifs); 149 LIST_REMOVE(kif, pfik_list); 150 V_pfi_all = pfi_kkif_attach(kif, IFG_ALL); 151 CK_STAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) { 152 kif = LIST_FIRST(&kifs); 153 LIST_REMOVE(kif, pfik_list); 154 pfi_attach_ifgroup(ifg, kif); 155 } 156 CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) { 157 kif = LIST_FIRST(&kifs); 158 LIST_REMOVE(kif, pfik_list); 159 pfi_attach_ifnet(ifp, kif); 160 } 161 PF_RULES_WUNLOCK(); 162 NET_EPOCH_EXIT(et); 163 IFNET_RUNLOCK(); 164 165 MPASS(LIST_EMPTY(&kifs)); 166 } 167 168 void 169 pfi_initialize(void) 170 { 171 172 pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event, 173 pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); 174 pfi_detach_cookie = EVENTHANDLER_REGISTER(ifnet_departure_event, 175 pfi_detach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); 176 pfi_attach_group_cookie = EVENTHANDLER_REGISTER(group_attach_event, 177 pfi_attach_group_event, NULL, EVENTHANDLER_PRI_ANY); 178 pfi_change_group_cookie = EVENTHANDLER_REGISTER(group_change_event, 179 pfi_change_group_event, NULL, EVENTHANDLER_PRI_ANY); 180 pfi_detach_group_cookie = EVENTHANDLER_REGISTER(group_detach_event, 181 pfi_detach_group_event, NULL, EVENTHANDLER_PRI_ANY); 182 pfi_ifaddr_event_cookie = EVENTHANDLER_REGISTER(ifaddr_event, 183 pfi_ifaddr_event, NULL, EVENTHANDLER_PRI_ANY); 184 } 185 186 void 187 pfi_cleanup_vnet(void) 188 { 189 struct pfi_kkif *kif; 190 191 PF_RULES_WASSERT(); 192 193 V_pfi_all = NULL; 194 while ((kif = RB_MIN(pfi_ifhead, &V_pfi_ifs))) { 195 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif); 196 if (kif->pfik_group) 197 kif->pfik_group->ifg_pf_kif = NULL; 198 if (kif->pfik_ifp) { 199 if_rele(kif->pfik_ifp); 200 kif->pfik_ifp->if_pf_kif = NULL; 201 } 202 pf_kkif_free(kif); 203 } 204 205 mtx_lock(&pfi_unlnkdkifs_mtx); 206 while ((kif = LIST_FIRST(&V_pfi_unlinked_kifs))) { 207 LIST_REMOVE(kif, pfik_list); 208 pf_kkif_free(kif); 209 } 210 mtx_unlock(&pfi_unlnkdkifs_mtx); 211 212 free(V_pfi_buffer, PFI_MTYPE); 213 } 214 215 void 216 pfi_cleanup(void) 217 { 218 219 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie); 220 EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie); 221 EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie); 222 EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie); 223 EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie); 224 EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie); 225 } 226 227 struct pfi_kkif* 228 pf_kkif_create(int flags) 229 { 230 struct pfi_kkif *kif; 231 #ifdef PF_WANT_32_TO_64_COUNTER 232 bool wowned; 233 #endif 234 235 kif = malloc(sizeof(*kif), PFI_MTYPE, flags | M_ZERO); 236 if (! kif) 237 return (kif); 238 239 for (int i = 0; i < 2; i++) { 240 for (int j = 0; j < 2; j++) { 241 for (int k = 0; k < 2; k++) { 242 if (pf_counter_u64_init(&kif->pfik_packets[i][j][k], flags) != 0) { 243 pf_kkif_free(kif); 244 return (NULL); 245 } 246 247 if (pf_counter_u64_init(&kif->pfik_bytes[i][j][k], flags) != 0) { 248 pf_kkif_free(kif); 249 return (NULL); 250 } 251 } 252 } 253 } 254 255 #ifdef PF_WANT_32_TO_64_COUNTER 256 wowned = PF_RULES_WOWNED(); 257 if (!wowned) 258 PF_RULES_WLOCK(); 259 LIST_INSERT_HEAD(&V_pf_allkiflist, kif, pfik_allkiflist); 260 V_pf_allkifcount++; 261 if (!wowned) 262 PF_RULES_WUNLOCK(); 263 #endif 264 265 return (kif); 266 } 267 268 void 269 pf_kkif_free(struct pfi_kkif *kif) 270 { 271 #ifdef PF_WANT_32_TO_64_COUNTER 272 bool wowned; 273 #endif 274 275 if (! kif) 276 return; 277 278 #ifdef PF_WANT_32_TO_64_COUNTER 279 wowned = PF_RULES_WOWNED(); 280 if (!wowned) 281 PF_RULES_WLOCK(); 282 LIST_REMOVE(kif, pfik_allkiflist); 283 V_pf_allkifcount--; 284 if (!wowned) 285 PF_RULES_WUNLOCK(); 286 #endif 287 288 for (int i = 0; i < 2; i++) { 289 for (int j = 0; j < 2; j++) { 290 for (int k = 0; k < 2; k++) { 291 pf_counter_u64_deinit(&kif->pfik_packets[i][j][k]); 292 pf_counter_u64_deinit(&kif->pfik_bytes[i][j][k]); 293 } 294 } 295 } 296 297 free(kif, PFI_MTYPE); 298 } 299 300 void 301 pf_kkif_zero(struct pfi_kkif *kif) 302 { 303 304 for (int i = 0; i < 2; i++) { 305 for (int j = 0; j < 2; j++) { 306 for (int k = 0; k < 2; k++) { 307 pf_counter_u64_zero(&kif->pfik_packets[i][j][k]); 308 pf_counter_u64_zero(&kif->pfik_bytes[i][j][k]); 309 } 310 } 311 } 312 kif->pfik_tzero = time_second; 313 } 314 315 struct pfi_kkif * 316 pfi_kkif_find(const char *kif_name) 317 { 318 struct pfi_kif_cmp s; 319 320 PF_RULES_ASSERT(); 321 322 bzero(&s, sizeof(s)); 323 strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name)); 324 325 return (RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&s)); 326 } 327 328 struct pfi_kkif * 329 pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name) 330 { 331 struct pfi_kkif *kif1; 332 333 PF_RULES_WASSERT(); 334 KASSERT(kif != NULL, ("%s: null kif", __func__)); 335 336 kif1 = pfi_kkif_find(kif_name); 337 if (kif1 != NULL) { 338 pf_kkif_free(kif); 339 return (kif1); 340 } 341 342 pf_kkif_zero(kif); 343 strlcpy(kif->pfik_name, kif_name, sizeof(kif->pfik_name)); 344 /* 345 * It seems that the value of time_second is in unintialzied state 346 * when pf sets interface statistics clear time in boot phase if pf 347 * was statically linked to kernel. Instead of setting the bogus 348 * time value have pfi_get_ifaces handle this case. In 349 * pfi_get_ifaces it uses time_second if it sees the time is 0. 350 */ 351 kif->pfik_tzero = time_second > 1 ? time_second : 0; 352 TAILQ_INIT(&kif->pfik_dynaddrs); 353 354 RB_INSERT(pfi_ifhead, &V_pfi_ifs, kif); 355 356 return (kif); 357 } 358 359 void 360 pfi_kkif_ref(struct pfi_kkif *kif) 361 { 362 363 PF_RULES_WASSERT(); 364 kif->pfik_rulerefs++; 365 } 366 367 void 368 pfi_kkif_unref(struct pfi_kkif *kif) 369 { 370 371 PF_RULES_WASSERT(); 372 KASSERT(kif->pfik_rulerefs > 0, ("%s: %p has zero refs", __func__, kif)); 373 374 kif->pfik_rulerefs--; 375 376 if (kif->pfik_rulerefs > 0) 377 return; 378 379 /* kif referencing an existing ifnet or group or holding flags should 380 * exist. */ 381 if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || 382 kif == V_pfi_all || kif->pfik_flags != 0) 383 return; 384 385 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif); 386 387 kif->pfik_flags |= PFI_IFLAG_REFS; 388 389 mtx_lock(&pfi_unlnkdkifs_mtx); 390 LIST_INSERT_HEAD(&V_pfi_unlinked_kifs, kif, pfik_list); 391 mtx_unlock(&pfi_unlnkdkifs_mtx); 392 } 393 394 void 395 pfi_kkif_purge(void) 396 { 397 struct pfi_kkif *kif, *kif1; 398 399 /* 400 * Do naive mark-and-sweep garbage collecting of old kifs. 401 * Reference flag is raised by pf_purge_expired_states(). 402 */ 403 mtx_lock(&pfi_unlnkdkifs_mtx); 404 LIST_FOREACH_SAFE(kif, &V_pfi_unlinked_kifs, pfik_list, kif1) { 405 if (!(kif->pfik_flags & PFI_IFLAG_REFS)) { 406 LIST_REMOVE(kif, pfik_list); 407 pf_kkif_free(kif); 408 } else 409 kif->pfik_flags &= ~PFI_IFLAG_REFS; 410 } 411 mtx_unlock(&pfi_unlnkdkifs_mtx); 412 } 413 414 int 415 pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif) 416 { 417 struct ifg_list *p; 418 419 NET_EPOCH_ASSERT(); 420 421 if (rule_kif == NULL || rule_kif == packet_kif) 422 return (1); 423 424 if (rule_kif->pfik_group != NULL) { 425 CK_STAILQ_FOREACH(p, &packet_kif->pfik_ifp->if_groups, ifgl_next) 426 if (p->ifgl_group == rule_kif->pfik_group) 427 return (1); 428 } 429 430 return (0); 431 } 432 433 static void 434 pfi_attach_ifnet(struct ifnet *ifp, struct pfi_kkif *kif) 435 { 436 437 PF_RULES_WASSERT(); 438 439 V_pfi_update++; 440 kif = pfi_kkif_attach(kif, ifp->if_xname); 441 if_ref(ifp); 442 kif->pfik_ifp = ifp; 443 ifp->if_pf_kif = kif; 444 pfi_kkif_update(kif); 445 } 446 447 static void 448 pfi_attach_ifgroup(struct ifg_group *ifg, struct pfi_kkif *kif) 449 { 450 451 PF_RULES_WASSERT(); 452 453 V_pfi_update++; 454 kif = pfi_kkif_attach(kif, ifg->ifg_group); 455 kif->pfik_group = ifg; 456 ifg->ifg_pf_kif = kif; 457 } 458 459 int 460 pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af) 461 { 462 switch (af) { 463 #ifdef INET 464 case AF_INET: 465 switch (dyn->pfid_acnt4) { 466 case 0: 467 return (0); 468 case 1: 469 return (PF_MATCHA(0, &dyn->pfid_addr4, 470 &dyn->pfid_mask4, a, AF_INET)); 471 default: 472 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET)); 473 } 474 break; 475 #endif /* INET */ 476 #ifdef INET6 477 case AF_INET6: 478 switch (dyn->pfid_acnt6) { 479 case 0: 480 return (0); 481 case 1: 482 return (PF_MATCHA(0, &dyn->pfid_addr6, 483 &dyn->pfid_mask6, a, AF_INET6)); 484 default: 485 return (pfr_match_addr(dyn->pfid_kt, a, AF_INET6)); 486 } 487 break; 488 #endif /* INET6 */ 489 default: 490 return (0); 491 } 492 } 493 494 int 495 pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) 496 { 497 struct epoch_tracker et; 498 struct pfi_dynaddr *dyn; 499 char tblname[PF_TABLE_NAME_SIZE]; 500 struct pf_kruleset *ruleset = NULL; 501 struct pfi_kkif *kif; 502 int rv = 0; 503 504 PF_RULES_WASSERT(); 505 KASSERT(aw->type == PF_ADDR_DYNIFTL, ("%s: type %u", 506 __func__, aw->type)); 507 KASSERT(aw->p.dyn == NULL, ("%s: dyn is %p", __func__, aw->p.dyn)); 508 509 if ((dyn = malloc(sizeof(*dyn), PFI_MTYPE, M_NOWAIT | M_ZERO)) == NULL) 510 return (ENOMEM); 511 512 if ((kif = pf_kkif_create(M_NOWAIT)) == NULL) { 513 free(dyn, PFI_MTYPE); 514 return (ENOMEM); 515 } 516 517 if (!strcmp(aw->v.ifname, "self")) 518 dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL); 519 else 520 dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname); 521 kif = NULL; 522 pfi_kkif_ref(dyn->pfid_kif); 523 524 dyn->pfid_net = pfi_unmask(&aw->v.a.mask); 525 if (af == AF_INET && dyn->pfid_net == 32) 526 dyn->pfid_net = 128; 527 strlcpy(tblname, aw->v.ifname, sizeof(tblname)); 528 if (aw->iflags & PFI_AFLAG_NETWORK) 529 strlcat(tblname, ":network", sizeof(tblname)); 530 if (aw->iflags & PFI_AFLAG_BROADCAST) 531 strlcat(tblname, ":broadcast", sizeof(tblname)); 532 if (aw->iflags & PFI_AFLAG_PEER) 533 strlcat(tblname, ":peer", sizeof(tblname)); 534 if (aw->iflags & PFI_AFLAG_NOALIAS) 535 strlcat(tblname, ":0", sizeof(tblname)); 536 if (dyn->pfid_net != 128) 537 snprintf(tblname + strlen(tblname), 538 sizeof(tblname) - strlen(tblname), "/%d", dyn->pfid_net); 539 if ((ruleset = pf_find_or_create_kruleset(PF_RESERVED_ANCHOR)) == NULL) { 540 rv = ENOMEM; 541 goto _bad; 542 } 543 544 if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname)) == NULL) { 545 rv = ENOMEM; 546 goto _bad; 547 } 548 549 dyn->pfid_kt->pfrkt_flags |= PFR_TFLAG_ACTIVE; 550 dyn->pfid_iflags = aw->iflags; 551 dyn->pfid_af = af; 552 553 TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); 554 aw->p.dyn = dyn; 555 NET_EPOCH_ENTER(et); 556 pfi_kkif_update(dyn->pfid_kif); 557 NET_EPOCH_EXIT(et); 558 559 return (0); 560 561 _bad: 562 if (dyn->pfid_kt != NULL) 563 pfr_detach_table(dyn->pfid_kt); 564 if (ruleset != NULL) 565 pf_remove_if_empty_kruleset(ruleset); 566 pfi_kkif_unref(dyn->pfid_kif); 567 free(dyn, PFI_MTYPE); 568 569 return (rv); 570 } 571 572 static void 573 pfi_kkif_update(struct pfi_kkif *kif) 574 { 575 struct ifg_list *ifgl; 576 struct ifg_member *ifgm; 577 struct pfi_dynaddr *p; 578 struct pfi_kkif *tmpkif; 579 580 NET_EPOCH_ASSERT(); 581 PF_RULES_WASSERT(); 582 583 /* update all dynaddr */ 584 TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry) 585 pfi_dynaddr_update(p); 586 587 /* Apply group flags to new members. */ 588 if (kif->pfik_group != NULL) { 589 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, 590 ifgm_next) { 591 tmpkif = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; 592 if (tmpkif == NULL) 593 continue; 594 595 tmpkif->pfik_flags |= kif->pfik_flags; 596 } 597 } 598 599 /* again for all groups kif is member of */ 600 if (kif->pfik_ifp != NULL) { 601 CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next) 602 pfi_kkif_update((struct pfi_kkif *) 603 ifgl->ifgl_group->ifg_pf_kif); 604 } 605 } 606 607 static void 608 pfi_dynaddr_update(struct pfi_dynaddr *dyn) 609 { 610 struct pfi_kkif *kif; 611 struct pfr_ktable *kt; 612 613 PF_RULES_WASSERT(); 614 KASSERT(dyn && dyn->pfid_kif && dyn->pfid_kt, 615 ("%s: bad argument", __func__)); 616 617 kif = dyn->pfid_kif; 618 kt = dyn->pfid_kt; 619 620 if (kt->pfrkt_larg != V_pfi_update) { 621 /* this table needs to be brought up-to-date */ 622 pfi_table_update(kt, kif, dyn->pfid_net, dyn->pfid_iflags); 623 kt->pfrkt_larg = V_pfi_update; 624 } 625 pfr_dynaddr_update(kt, dyn); 626 } 627 628 static void 629 pfi_table_update(struct pfr_ktable *kt, struct pfi_kkif *kif, int net, int flags) 630 { 631 int e, size2 = 0; 632 struct ifg_member *ifgm; 633 634 NET_EPOCH_ASSERT(); 635 636 V_pfi_buffer_cnt = 0; 637 638 if (kif->pfik_ifp != NULL) 639 pfi_instance_add(kif->pfik_ifp, net, flags); 640 else if (kif->pfik_group != NULL) { 641 CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next) 642 pfi_instance_add(ifgm->ifgm_ifp, net, flags); 643 } 644 645 if ((e = pfr_set_addrs(&kt->pfrkt_t, V_pfi_buffer, V_pfi_buffer_cnt, &size2, 646 NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) 647 printf("%s: cannot set %d new addresses into table %s: %d\n", 648 __func__, V_pfi_buffer_cnt, kt->pfrkt_name, e); 649 } 650 651 static void 652 pfi_instance_add(struct ifnet *ifp, int net, int flags) 653 { 654 struct ifaddr *ia; 655 int got4 = 0, got6 = 0; 656 int net2, af; 657 658 NET_EPOCH_ASSERT(); 659 660 CK_STAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { 661 if (ia->ifa_addr == NULL) 662 continue; 663 af = ia->ifa_addr->sa_family; 664 if (af != AF_INET && af != AF_INET6) 665 continue; 666 /* 667 * XXX: For point-to-point interfaces, (ifname:0) and IPv4, 668 * jump over addresses without a proper route to work 669 * around a problem with ppp not fully removing the 670 * address used during IPCP. 671 */ 672 if ((ifp->if_flags & IFF_POINTOPOINT) && 673 !(ia->ifa_flags & IFA_ROUTE) && 674 (flags & PFI_AFLAG_NOALIAS) && (af == AF_INET)) 675 continue; 676 if ((flags & PFI_AFLAG_BROADCAST) && af == AF_INET6) 677 continue; 678 if ((flags & PFI_AFLAG_BROADCAST) && 679 !(ifp->if_flags & IFF_BROADCAST)) 680 continue; 681 if ((flags & PFI_AFLAG_PEER) && 682 !(ifp->if_flags & IFF_POINTOPOINT)) 683 continue; 684 if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && 685 af == AF_INET6 && 686 IN6_IS_ADDR_LINKLOCAL( 687 &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) 688 continue; 689 if (flags & PFI_AFLAG_NOALIAS) { 690 if (af == AF_INET && got4) 691 continue; 692 if (af == AF_INET6 && got6) 693 continue; 694 } 695 if (af == AF_INET) 696 got4 = 1; 697 else if (af == AF_INET6) 698 got6 = 1; 699 net2 = net; 700 if (net2 == 128 && (flags & PFI_AFLAG_NETWORK)) { 701 if (af == AF_INET) 702 net2 = pfi_unmask(&((struct sockaddr_in *) 703 ia->ifa_netmask)->sin_addr); 704 else if (af == AF_INET6) 705 net2 = pfi_unmask(&((struct sockaddr_in6 *) 706 ia->ifa_netmask)->sin6_addr); 707 } 708 if (af == AF_INET && net2 > 32) 709 net2 = 32; 710 if (flags & PFI_AFLAG_BROADCAST) 711 pfi_address_add(ia->ifa_broadaddr, af, net2); 712 else if (flags & PFI_AFLAG_PEER) 713 pfi_address_add(ia->ifa_dstaddr, af, net2); 714 else 715 pfi_address_add(ia->ifa_addr, af, net2); 716 } 717 } 718 719 static void 720 pfi_address_add(struct sockaddr *sa, int af, int net) 721 { 722 struct pfr_addr *p; 723 int i; 724 725 if (V_pfi_buffer_cnt >= V_pfi_buffer_max) { 726 int new_max = V_pfi_buffer_max * 2; 727 728 if (new_max > PFI_BUFFER_MAX) { 729 printf("%s: address buffer full (%d/%d)\n", __func__, 730 V_pfi_buffer_cnt, PFI_BUFFER_MAX); 731 return; 732 } 733 p = malloc(new_max * sizeof(*V_pfi_buffer), PFI_MTYPE, 734 M_NOWAIT); 735 if (p == NULL) { 736 printf("%s: no memory to grow buffer (%d/%d)\n", 737 __func__, V_pfi_buffer_cnt, PFI_BUFFER_MAX); 738 return; 739 } 740 memcpy(p, V_pfi_buffer, V_pfi_buffer_max * sizeof(*V_pfi_buffer)); 741 /* no need to zero buffer */ 742 free(V_pfi_buffer, PFI_MTYPE); 743 V_pfi_buffer = p; 744 V_pfi_buffer_max = new_max; 745 } 746 if (af == AF_INET && net > 32) 747 net = 128; 748 p = V_pfi_buffer + V_pfi_buffer_cnt++; 749 bzero(p, sizeof(*p)); 750 p->pfra_af = af; 751 p->pfra_net = net; 752 if (af == AF_INET) 753 p->pfra_ip4addr = ((struct sockaddr_in *)sa)->sin_addr; 754 else if (af == AF_INET6) { 755 p->pfra_ip6addr = ((struct sockaddr_in6 *)sa)->sin6_addr; 756 if (IN6_IS_SCOPE_EMBED(&p->pfra_ip6addr)) 757 p->pfra_ip6addr.s6_addr16[1] = 0; 758 } 759 /* mask network address bits */ 760 if (net < 128) 761 ((caddr_t)p)[p->pfra_net/8] &= ~(0xFF >> (p->pfra_net%8)); 762 for (i = (p->pfra_net+7)/8; i < sizeof(p->pfra_u); i++) 763 ((caddr_t)p)[i] = 0; 764 } 765 766 void 767 pfi_dynaddr_remove(struct pfi_dynaddr *dyn) 768 { 769 770 KASSERT(dyn->pfid_kif != NULL, ("%s: null pfid_kif", __func__)); 771 KASSERT(dyn->pfid_kt != NULL, ("%s: null pfid_kt", __func__)); 772 773 TAILQ_REMOVE(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); 774 pfi_kkif_unref(dyn->pfid_kif); 775 pfr_detach_table(dyn->pfid_kt); 776 free(dyn, PFI_MTYPE); 777 } 778 779 void 780 pfi_dynaddr_copyout(struct pf_addr_wrap *aw) 781 { 782 783 KASSERT(aw->type == PF_ADDR_DYNIFTL, 784 ("%s: type %u", __func__, aw->type)); 785 786 if (aw->p.dyn == NULL || aw->p.dyn->pfid_kif == NULL) 787 return; 788 aw->p.dyncnt = aw->p.dyn->pfid_acnt4 + aw->p.dyn->pfid_acnt6; 789 } 790 791 static int 792 pfi_kkif_compare(struct pfi_kkif *p, struct pfi_kkif *q) 793 { 794 return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ)); 795 } 796 797 void 798 pfi_update_status(const char *name, struct pf_status *pfs) 799 { 800 struct pfi_kkif *p; 801 struct pfi_kif_cmp key; 802 struct ifg_member p_member, *ifgm; 803 CK_STAILQ_HEAD(, ifg_member) ifg_members; 804 int i, j, k; 805 806 strlcpy(key.pfik_name, name, sizeof(key.pfik_name)); 807 p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kkif *)&key); 808 if (p == NULL) 809 return; 810 811 if (p->pfik_group != NULL) { 812 bcopy(&p->pfik_group->ifg_members, &ifg_members, 813 sizeof(ifg_members)); 814 } else { 815 /* build a temporary list for p only */ 816 bzero(&p_member, sizeof(p_member)); 817 p_member.ifgm_ifp = p->pfik_ifp; 818 CK_STAILQ_INIT(&ifg_members); 819 CK_STAILQ_INSERT_TAIL(&ifg_members, &p_member, ifgm_next); 820 } 821 if (pfs) { 822 bzero(pfs->pcounters, sizeof(pfs->pcounters)); 823 bzero(pfs->bcounters, sizeof(pfs->bcounters)); 824 } 825 CK_STAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) { 826 if (ifgm->ifgm_ifp == NULL || ifgm->ifgm_ifp->if_pf_kif == NULL) 827 continue; 828 p = (struct pfi_kkif *)ifgm->ifgm_ifp->if_pf_kif; 829 830 /* just clear statistics */ 831 if (pfs == NULL) { 832 pf_kkif_zero(p); 833 continue; 834 } 835 for (i = 0; i < 2; i++) 836 for (j = 0; j < 2; j++) 837 for (k = 0; k < 2; k++) { 838 pfs->pcounters[i][j][k] += 839 pf_counter_u64_fetch(&p->pfik_packets[i][j][k]); 840 pfs->bcounters[i][j] += 841 pf_counter_u64_fetch(&p->pfik_bytes[i][j][k]); 842 } 843 } 844 } 845 846 static void 847 pf_kkif_to_kif(struct pfi_kkif *kkif, struct pfi_kif *kif) 848 { 849 850 bzero(kif, sizeof(*kif)); 851 strlcpy(kif->pfik_name, kkif->pfik_name, sizeof(kif->pfik_name)); 852 for (int i = 0; i < 2; i++) { 853 for (int j = 0; j < 2; j++) { 854 for (int k = 0; k < 2; k++) { 855 kif->pfik_packets[i][j][k] = 856 pf_counter_u64_fetch(&kkif->pfik_packets[i][j][k]); 857 kif->pfik_bytes[i][j][k] = 858 pf_counter_u64_fetch(&kkif->pfik_bytes[i][j][k]); 859 } 860 } 861 } 862 kif->pfik_flags = kkif->pfik_flags; 863 kif->pfik_tzero = kkif->pfik_tzero; 864 kif->pfik_rulerefs = kkif->pfik_rulerefs; 865 /* 866 * Userspace relies on this pointer to decide if this is a group or 867 * not. We don't want to share the actual pointer, because it's 868 * useless to userspace and leaks kernel memory layout information. 869 * So instead we provide 0xfeedcode as 'true' and NULL as 'false'. 870 */ 871 kif->pfik_group = 872 kkif->pfik_group ? (struct ifg_group *)0xfeedc0de : NULL; 873 } 874 875 void 876 pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size) 877 { 878 struct epoch_tracker et; 879 struct pfi_kkif *p, *nextp; 880 int n = 0; 881 882 NET_EPOCH_ENTER(et); 883 for (p = RB_MIN(pfi_ifhead, &V_pfi_ifs); p; p = nextp) { 884 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); 885 if (pfi_skip_if(name, p)) 886 continue; 887 if (*size <= n++) 888 break; 889 if (!p->pfik_tzero) 890 p->pfik_tzero = time_second; 891 pf_kkif_to_kif(p, buf++); 892 nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); 893 } 894 *size = n; 895 NET_EPOCH_EXIT(et); 896 } 897 898 static int 899 pfi_skip_if(const char *filter, struct pfi_kkif *p) 900 { 901 struct ifg_list *i; 902 int n; 903 904 NET_EPOCH_ASSERT(); 905 906 if (filter == NULL || !*filter) 907 return (0); 908 if (!strcmp(p->pfik_name, filter)) 909 return (0); /* exact match */ 910 n = strlen(filter); 911 if (n < 1 || n >= IFNAMSIZ) 912 return (1); /* sanity check */ 913 if (filter[n-1] >= '0' && filter[n-1] <= '9') 914 return (1); /* group names may not end in a digit */ 915 if (p->pfik_ifp == NULL) 916 return (1); 917 CK_STAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next) 918 if (!strncmp(i->ifgl_group->ifg_group, filter, IFNAMSIZ)) 919 return (0); /* iface is in group "filter" */ 920 return (1); 921 } 922 923 int 924 pfi_set_flags(const char *name, int flags) 925 { 926 struct epoch_tracker et; 927 struct pfi_kkif *p, *kif; 928 929 kif = pf_kkif_create(M_NOWAIT); 930 if (kif == NULL) 931 return (ENOMEM); 932 933 NET_EPOCH_ENTER(et); 934 935 kif = pfi_kkif_attach(kif, name); 936 937 RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) { 938 if (pfi_skip_if(name, p)) 939 continue; 940 p->pfik_flags |= flags; 941 } 942 NET_EPOCH_EXIT(et); 943 return (0); 944 } 945 946 int 947 pfi_clear_flags(const char *name, int flags) 948 { 949 struct epoch_tracker et; 950 struct pfi_kkif *p, *tmp; 951 952 NET_EPOCH_ENTER(et); 953 RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) { 954 if (pfi_skip_if(name, p)) 955 continue; 956 p->pfik_flags &= ~flags; 957 958 if (p->pfik_ifp == NULL && p->pfik_group == NULL && 959 p->pfik_flags == 0 && p->pfik_rulerefs == 0) { 960 /* Delete this kif. */ 961 RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p); 962 pf_kkif_free(p); 963 } 964 } 965 NET_EPOCH_EXIT(et); 966 return (0); 967 } 968 969 /* from pf_print_state.c */ 970 static int 971 pfi_unmask(void *addr) 972 { 973 struct pf_addr *m = addr; 974 int i = 31, j = 0, b = 0; 975 u_int32_t tmp; 976 977 while (j < 4 && m->addr32[j] == 0xffffffff) { 978 b += 32; 979 j++; 980 } 981 if (j < 4) { 982 tmp = ntohl(m->addr32[j]); 983 for (i = 31; tmp & (1 << i); --i) 984 b++; 985 } 986 return (b); 987 } 988 989 static void 990 pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp) 991 { 992 struct epoch_tracker et; 993 struct pfi_kkif *kif; 994 995 if (V_pf_vnet_active == 0) { 996 /* Avoid teardown race in the least expensive way. */ 997 return; 998 } 999 kif = pf_kkif_create(M_NOWAIT); 1000 NET_EPOCH_ENTER(et); 1001 PF_RULES_WLOCK(); 1002 pfi_attach_ifnet(ifp, kif); 1003 #ifdef ALTQ 1004 pf_altq_ifnet_event(ifp, 0); 1005 #endif 1006 PF_RULES_WUNLOCK(); 1007 NET_EPOCH_EXIT(et); 1008 } 1009 1010 static void 1011 pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) 1012 { 1013 struct epoch_tracker et; 1014 struct pfi_kkif *kif = (struct pfi_kkif *)ifp->if_pf_kif; 1015 1016 if (pfsync_detach_ifnet_ptr) 1017 pfsync_detach_ifnet_ptr(ifp); 1018 1019 if (kif == NULL) 1020 return; 1021 1022 if (V_pf_vnet_active == 0) { 1023 /* Avoid teardown race in the least expensive way. */ 1024 return; 1025 } 1026 1027 NET_EPOCH_ENTER(et); 1028 PF_RULES_WLOCK(); 1029 V_pfi_update++; 1030 pfi_kkif_update(kif); 1031 1032 if (kif->pfik_ifp) 1033 if_rele(kif->pfik_ifp); 1034 1035 kif->pfik_ifp = NULL; 1036 ifp->if_pf_kif = NULL; 1037 #ifdef ALTQ 1038 pf_altq_ifnet_event(ifp, 1); 1039 #endif 1040 PF_RULES_WUNLOCK(); 1041 NET_EPOCH_EXIT(et); 1042 } 1043 1044 static void 1045 pfi_attach_group_event(void *arg __unused, struct ifg_group *ifg) 1046 { 1047 struct epoch_tracker et; 1048 struct pfi_kkif *kif; 1049 1050 if (V_pf_vnet_active == 0) { 1051 /* Avoid teardown race in the least expensive way. */ 1052 return; 1053 } 1054 kif = pf_kkif_create(M_WAITOK); 1055 NET_EPOCH_ENTER(et); 1056 PF_RULES_WLOCK(); 1057 pfi_attach_ifgroup(ifg, kif); 1058 PF_RULES_WUNLOCK(); 1059 NET_EPOCH_EXIT(et); 1060 } 1061 1062 static void 1063 pfi_change_group_event(void *arg __unused, char *gname) 1064 { 1065 struct epoch_tracker et; 1066 struct pfi_kkif *kif; 1067 1068 if (V_pf_vnet_active == 0) { 1069 /* Avoid teardown race in the least expensive way. */ 1070 return; 1071 } 1072 1073 kif = pf_kkif_create(M_WAITOK); 1074 NET_EPOCH_ENTER(et); 1075 PF_RULES_WLOCK(); 1076 V_pfi_update++; 1077 kif = pfi_kkif_attach(kif, gname); 1078 pfi_kkif_update(kif); 1079 PF_RULES_WUNLOCK(); 1080 NET_EPOCH_EXIT(et); 1081 } 1082 1083 static void 1084 pfi_detach_group_event(void *arg __unused, struct ifg_group *ifg) 1085 { 1086 struct pfi_kkif *kif = (struct pfi_kkif *)ifg->ifg_pf_kif; 1087 1088 if (kif == NULL) 1089 return; 1090 1091 if (V_pf_vnet_active == 0) { 1092 /* Avoid teardown race in the least expensive way. */ 1093 return; 1094 } 1095 PF_RULES_WLOCK(); 1096 V_pfi_update++; 1097 1098 kif->pfik_group = NULL; 1099 ifg->ifg_pf_kif = NULL; 1100 PF_RULES_WUNLOCK(); 1101 } 1102 1103 static void 1104 pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp) 1105 { 1106 1107 KASSERT(ifp, ("ifp == NULL")); 1108 1109 if (ifp->if_pf_kif == NULL) 1110 return; 1111 1112 if (V_pf_vnet_active == 0) { 1113 /* Avoid teardown race in the least expensive way. */ 1114 return; 1115 } 1116 PF_RULES_WLOCK(); 1117 if (ifp->if_pf_kif) { 1118 struct epoch_tracker et; 1119 1120 V_pfi_update++; 1121 NET_EPOCH_ENTER(et); 1122 pfi_kkif_update(ifp->if_pf_kif); 1123 NET_EPOCH_EXIT(et); 1124 } 1125 PF_RULES_WUNLOCK(); 1126 } 1127