Lines Matching full:rule
176 "Size of pf(4) rule tag hashtable");
210 "Make the default rule drop all packets.");
343 /* default rule should never be garbage collected */
405 * scrub rule functionality is hopefully removed some day in future.
436 struct pf_krule *rule;
452 rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
455 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
461 rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
464 rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
467 while ((rule != NULL) && (rule->nr != rule_number))
468 rule = TAILQ_NEXT(rule, entries);
470 if (rule == NULL)
475 return (&rule->rdr);
477 return (&rule->nat);
479 return (&rule->route);
520 pf_unlink_rule_locked(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
526 TAILQ_REMOVE(rulequeue, rule, entries);
528 rule->rule_ref |= PFRULE_REFS;
529 TAILQ_INSERT_TAIL(&V_pf_unlinked_rules, rule, entries);
533 pf_unlink_rule(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
539 pf_unlink_rule_locked(rulequeue, rule);
544 pf_free_eth_rule(struct pf_keth_rule *rule)
548 if (rule == NULL)
551 if (rule->tag)
552 tag_unref(&V_pf_tags, rule->tag);
553 if (rule->match_tag)
554 tag_unref(&V_pf_tags, rule->match_tag);
556 pf_qid_unref(rule->qid);
559 if (rule->bridge_to)
560 pfi_kkif_unref(rule->bridge_to);
561 if (rule->kif)
562 pfi_kkif_unref(rule->kif);
564 if (rule->ipsrc.addr.type == PF_ADDR_TABLE)
565 pfr_detach_table(rule->ipsrc.addr.p.tbl);
566 if (rule->ipdst.addr.type == PF_ADDR_TABLE)
567 pfr_detach_table(rule->ipdst.addr.p.tbl);
569 counter_u64_free(rule->evaluations);
571 counter_u64_free(rule->packets[i]);
572 counter_u64_free(rule->bytes[i]);
574 uma_zfree_pcpu(pf_timestamp_pcpu_zone, rule->timestamp);
575 pf_keth_anchor_remove(rule);
577 free(rule, M_PFRULE);
581 pf_free_rule(struct pf_krule *rule)
587 if (rule->tag)
588 tag_unref(&V_pf_tags, rule->tag);
589 if (rule->match_tag)
590 tag_unref(&V_pf_tags, rule->match_tag);
592 if (rule->pqid != rule->qid)
593 pf_qid_unref(rule->pqid);
594 pf_qid_unref(rule->qid);
596 switch (rule->src.addr.type) {
598 pfi_dynaddr_remove(rule->src.addr.p.dyn);
601 pfr_detach_table(rule->src.addr.p.tbl);
604 switch (rule->dst.addr.type) {
606 pfi_dynaddr_remove(rule->dst.addr.p.dyn);
609 pfr_detach_table(rule->dst.addr.p.tbl);
612 if (rule->overload_tbl)
613 pfr_detach_table(rule->overload_tbl);
614 if (rule->kif)
615 pfi_kkif_unref(rule->kif);
616 if (rule->rcv_kif)
617 pfi_kkif_unref(rule->rcv_kif);
618 pf_kanchor_remove(rule);
619 pf_empty_kpool(&rule->rdr.list);
620 pf_empty_kpool(&rule->nat.list);
621 pf_empty_kpool(&rule->route.list);
623 pf_krule_free(rule);
774 struct pf_keth_rule *rule, *tmp;
784 TAILQ_FOREACH_SAFE(rule, rs->inactive.rules, entries,
786 TAILQ_REMOVE(rs->inactive.rules, rule,
788 pf_free_eth_rule(rule);
817 struct pf_keth_rule *rule, *tmp;
831 TAILQ_FOREACH_SAFE(rule, rs->inactive.rules, entries,
833 TAILQ_REMOVE(rs->inactive.rules, rule, entries);
834 pf_free_eth_rule(rule);
1223 struct pf_krule *rule;
1240 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1241 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
1253 struct pf_krule *rule;
1263 while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1264 pf_unlink_rule(rs->rules[rs_num].inactive.ptr, rule);
1313 pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
1318 pf_hash_rule_addr(ctx, &rule->src);
1319 pf_hash_rule_addr(ctx, &rule->dst);
1321 PF_MD5_UPD_STR(rule, label[i]);
1322 PF_MD5_UPD_STR(rule, ifname);
1323 PF_MD5_UPD_STR(rule, rcv_ifname);
1324 PF_MD5_UPD_STR(rule, match_tagname);
1325 PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
1326 PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
1327 PF_MD5_UPD_HTONL(rule, prob, y);
1328 PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
1329 PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
1330 PF_MD5_UPD(rule, uid.op);
1331 PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
1332 PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
1333 PF_MD5_UPD(rule, gid.op);
1334 PF_MD5_UPD_HTONL(rule, rule_flag, y);
1335 PF_MD5_UPD(rule, action);
1336 PF_MD5_UPD(rule, direction);
1337 PF_MD5_UPD(rule, af);
1338 PF_MD5_UPD(rule, quick);
1339 PF_MD5_UPD(rule, ifnot);
1340 PF_MD5_UPD(rule, match_tag_not);
1341 PF_MD5_UPD(rule, natpass);
1342 PF_MD5_UPD(rule, keep_state);
1343 PF_MD5_UPD(rule, proto);
1344 PF_MD5_UPD(rule, type);
1345 PF_MD5_UPD(rule, code);
1346 PF_MD5_UPD(rule, flags);
1347 PF_MD5_UPD(rule, flagset);
1348 PF_MD5_UPD(rule, allow_opts);
1349 PF_MD5_UPD(rule, rt);
1350 PF_MD5_UPD(rule, tos);
1351 PF_MD5_UPD(rule, scrub_flags);
1352 PF_MD5_UPD(rule, min_ttl);
1353 PF_MD5_UPD(rule, set_tos);
1354 if (rule->anchor != NULL)
1355 PF_MD5_UPD_STR(rule, anchor->path);
1359 pf_hash_rule(struct pf_krule *rule)
1364 pf_hash_rule_rolling(&ctx, rule);
1365 MD5Final(rule->md5sum, &ctx);
1379 struct pf_krule *rule, **old_array, *old_rule;
1418 TAILQ_FOREACH(rule, rs->rules[rs_num].active.ptr,
1420 old_rule = RB_FIND(pf_krule_global, old_tree, rule);
1425 pf_counter_u64_rollup_protected(&rule->evaluations,
1427 pf_counter_u64_rollup_protected(&rule->packets[0],
1429 pf_counter_u64_rollup_protected(&rule->packets[1],
1431 pf_counter_u64_rollup_protected(&rule->bytes[0],
1433 pf_counter_u64_rollup_protected(&rule->bytes[1],
1448 /* Purge the old rule list. */
1450 while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1451 pf_unlink_rule_locked(old_rules, rule);
1468 struct pf_krule *rule;
1492 TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
1494 pf_hash_rule_rolling(&ctx, rule);
1495 (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
1566 if (in->rule != NULL)
1567 out->rule.nr = in->rule->nr;
1837 struct pf_krule *rule;
1839 rule = malloc(sizeof(struct pf_krule), M_PFRULE, M_WAITOK | M_ZERO);
1840 mtx_init(&rule->nat.mtx, "pf_krule_nat_pool", NULL, MTX_DEF);
1841 mtx_init(&rule->rdr.mtx, "pf_krule_rdr_pool", NULL, MTX_DEF);
1842 mtx_init(&rule->route.mtx, "pf_krule_route_pool", NULL, MTX_DEF);
1843 rule->timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone,
1845 return (rule);
1849 pf_krule_free(struct pf_krule *rule)
1855 if (rule == NULL)
1859 if (rule->allrulelinked) {
1863 LIST_REMOVE(rule, allrulelist);
1870 pf_counter_u64_deinit(&rule->evaluations);
1872 pf_counter_u64_deinit(&rule->packets[i]);
1873 pf_counter_u64_deinit(&rule->bytes[i]);
1875 counter_u64_free(rule->states_cur);
1876 counter_u64_free(rule->states_tot);
1877 counter_u64_free(rule->src_nodes);
1878 uma_zfree_pcpu(pf_timestamp_pcpu_zone, rule->timestamp);
1880 mtx_destroy(&rule->nat.mtx);
1881 mtx_destroy(&rule->rdr.mtx);
1882 mtx_destroy(&rule->route.mtx);
1883 free(rule, M_PFRULE);
1887 pf_krule_clear_counters(struct pf_krule *rule)
1889 pf_counter_u64_zero(&rule->evaluations);
1891 pf_counter_u64_zero(&rule->packets[i]);
1892 pf_counter_u64_zero(&rule->bytes[i]);
1894 counter_u64_zero(rule->states_tot);
1936 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
1941 if (rule->af == AF_INET) {
1946 if (rule->af == AF_INET6) {
1951 ret = pf_check_rule_addr(&rule->src);
1954 ret = pf_check_rule_addr(&rule->dst);
1958 bcopy(&rule->src, &krule->src, sizeof(rule->src));
1959 bcopy(&rule->dst, &krule->dst, sizeof(rule->dst));
1961 ret = pf_user_strcpy(krule->label[0], rule->label, sizeof(rule->label));
1964 ret = pf_user_strcpy(krule->ifname, rule->ifname, sizeof(rule->ifname));
1967 ret = pf_user_strcpy(krule->qname, rule->qname, sizeof(rule->qname));
1970 ret = pf_user_strcpy(krule->pqname, rule->pqname, sizeof(rule->pqname));
1973 ret = pf_user_strcpy(krule->tagname, rule->tagname,
1974 sizeof(rule->tagname));
1977 ret = pf_user_strcpy(krule->match_tagname, rule->match_tagname,
1978 sizeof(rule->match_tagname));
1981 ret = pf_user_strcpy(krule->overload_tblname, rule->overload_tblname,
1982 sizeof(rule->overload_tblname));
1986 pf_pool_to_kpool(&rule->rpool, &krule->rdr);
1991 krule->os_fingerprint = rule->os_fingerprint;
1993 krule->rtableid = rule->rtableid;
1995 bcopy(rule->timeout, krule->timeout, sizeof(rule->timeout));
1996 krule->max_states = rule->max_states;
1997 krule->max_src_nodes = rule->max_src_nodes;
1998 krule->max_src_states = rule->max_src_states;
1999 krule->max_src_conn = rule->max_src_conn;
2000 krule->max_src_conn_rate.limit = rule->max_src_conn_rate.limit;
2001 krule->max_src_conn_rate.seconds = rule->max_src_conn_rate.seconds;
2002 krule->qid = rule->qid;
2003 krule->pqid = rule->pqid;
2004 krule->nr = rule->nr;
2005 krule->prob = rule->prob;
2006 krule->cuid = rule->cuid;
2007 krule->cpid = rule->cpid;
2009 krule->return_icmp = rule->return_icmp;
2010 krule->return_icmp6 = rule->return_icmp6;
2011 krule->max_mss = rule->max_mss;
2012 krule->tag = rule->tag;
2013 krule->match_tag = rule->match_tag;
2014 krule->scrub_flags = rule->scrub_flags;
2016 bcopy(&rule->uid, &krule->uid, sizeof(krule->uid));
2017 bcopy(&rule->gid, &krule->gid, sizeof(krule->gid));
2019 krule->rule_flag = rule->rule_flag;
2020 krule->action = rule->action;
2021 krule->direction = rule->direction;
2022 krule->log = rule->log;
2023 krule->logif = rule->logif;
2024 krule->quick = rule->quick;
2025 krule->ifnot = rule->ifnot;
2026 krule->match_tag_not = rule->match_tag_not;
2027 krule->natpass = rule->natpass;
2029 krule->keep_state = rule->keep_state;
2030 krule->af = rule->af;
2031 krule->proto = rule->proto;
2032 krule->type = rule->type;
2033 krule->code = rule->code;
2034 krule->flags = rule->flags;
2035 krule->flagset = rule->flagset;
2036 krule->min_ttl = rule->min_ttl;
2037 krule->allow_opts = rule->allow_opts;
2038 krule->rt = rule->rt;
2039 krule->return_ttl = rule->return_ttl;
2040 krule->tos = rule->tos;
2041 krule->set_tos = rule->set_tos;
2043 krule->flush = rule->flush;
2044 krule->prio = rule->prio;
2045 krule->set_prio[0] = rule->set_prio[0];
2046 krule->set_prio[1] = rule->set_prio[1];
2048 bcopy(&rule->divert, &krule->divert, sizeof(krule->divert));
2066 rs_num = pf_get_ruleset_number(pr->rule.action);
2084 pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
2095 if ((rule->return_icmp >> 8) > ICMP_MAXTYPE) {
2102 if (rule->ifname[0])
2104 if (rule->rcv_ifname[0])
2106 pf_counter_u64_init(&rule->evaluations, M_WAITOK);
2108 pf_counter_u64_init(&rule->packets[i], M_WAITOK);
2109 pf_counter_u64_init(&rule->bytes[i], M_WAITOK);
2111 rule->states_cur = counter_u64_alloc(M_WAITOK);
2112 rule->states_tot = counter_u64_alloc(M_WAITOK);
2113 rule->src_nodes = counter_u64_alloc(M_WAITOK);
2114 rule->cuid = uid;
2115 rule->cpid = pid;
2116 TAILQ_INIT(&rule->rdr.list);
2117 TAILQ_INIT(&rule->nat.list);
2118 TAILQ_INIT(&rule->route.list);
2123 LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist);
2124 MPASS(!rule->allrulelinked);
2125 rule->allrulelinked = true;
2131 rs_num = pf_get_ruleset_number(rule->action);
2160 rule->nr = tail->nr + 1;
2162 rule->nr = 0;
2163 if (rule->ifname[0]) {
2164 rule->kif = pfi_kkif_attach(kif, rule->ifname);
2166 pfi_kkif_ref(rule->kif);
2168 rule->kif = NULL;
2170 if (rule->rcv_ifname[0]) {
2171 rule->rcv_kif = pfi_kkif_attach(rcv_kif, rule->rcv_ifname);
2173 pfi_kkif_ref(rule->rcv_kif);
2175 rule->rcv_kif = NULL;
2177 if (rule->rtableid > 0 && rule->rtableid >= rt_numfibs)
2182 if (rule->qname[0] != 0) {
2183 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
2185 else if (rule->pqname[0] != 0) {
2186 if ((rule->pqid =
2187 pf_qname2qid(rule->pqname)) == 0)
2190 rule->pqid = rule->qid;
2193 if (rule->tagname[0])
2194 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
2196 if (rule->match_tagname[0])
2197 if ((rule->match_tag =
2198 pf_tagname2tag(rule->match_tagname)) == 0)
2200 if (rule->rt && !rule->direction)
2202 if (!rule->log)
2203 rule->logif = 0;
2204 if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
2206 if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
2208 if (pf_kanchor_setup(rule, ruleset, anchor_call))
2210 if (rule->scrub_flags & PFSTATE_SETPRIO &&
2211 (rule->set_prio[0] > PF_PRIO_MAX ||
2212 rule->set_prio[1] > PF_PRIO_MAX))
2224 rule->overload_tbl = NULL;
2225 if (rule->overload_tblname[0]) {
2226 if ((rule->overload_tbl = pfr_attach_table(ruleset,
2227 rule->overload_tblname)) == NULL)
2230 rule->overload_tbl->pfrkt_flags |=
2234 pf_mv_kpool(&V_pf_pabuf[0], &rule->nat.list);
2235 pf_mv_kpool(&V_pf_pabuf[1], &rule->rdr.list);
2236 pf_mv_kpool(&V_pf_pabuf[2], &rule->route.list);
2237 if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
2238 (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
2239 (rule->rt > PF_NOPFROUTE)) &&
2240 (TAILQ_FIRST(&rule->rdr.list) == NULL &&
2241 TAILQ_FIRST(&rule->route.list) == NULL))
2244 if (rule->action == PF_PASS && rule->rdr.opts & PF_POOL_STICKYADDR &&
2245 !rule->keep_state) {
2250 pf_free_rule(rule);
2251 rule = NULL;
2255 rule->nat.cur = TAILQ_FIRST(&rule->nat.list);
2256 rule->rdr.cur = TAILQ_FIRST(&rule->rdr.list);
2257 rule->route.cur = TAILQ_FIRST(&rule->route.list);
2259 rule, entries);
2263 pf_hash_rule(rule);
2264 if (RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule) != NULL) {
2266 TAILQ_REMOVE(ruleset->rules[rs_num].inactive.ptr, rule, entries);
2268 pf_free_rule(rule);
2269 rule = NULL;
2283 pf_krule_free(rule);
2288 pf_label_match(const struct pf_krule *rule, const char *label)
2292 while (*rule->label[i]) {
2293 if (strcmp(rule->label[i], label) == 0)
2382 ! pf_label_match(s->rule, psk->psk_label))
3024 struct pf_keth_rule *rule = NULL;
3076 rule = TAILQ_FIRST(rs->active.rules);
3077 while ((rule != NULL) && (rule->nr != nr))
3078 rule = TAILQ_NEXT(rule, entries);
3079 if (rule == NULL) {
3083 /* Make sure rule can't go away. */
3086 nvl = pf_keth_rule_to_nveth_rule(rule);
3087 if (pf_keth_anchor_nvcopyout(rs, rule, nvl)) {
3106 counter_u64_zero(rule->evaluations);
3108 counter_u64_zero(rule->packets[i]);
3109 counter_u64_zero(rule->bytes[i]);
3124 struct pf_keth_rule *rule = NULL, *tail = NULL;
3164 rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK);
3165 rule->timestamp = NULL;
3167 error = pf_nveth_rule_to_keth_rule(nvl, rule);
3171 if (rule->ifname[0])
3173 if (rule->bridge_to_name[0])
3175 rule->evaluations = counter_u64_alloc(M_WAITOK);
3177 rule->packets[i] = counter_u64_alloc(M_WAITOK);
3178 rule->bytes[i] = counter_u64_alloc(M_WAITOK);
3180 rule->timestamp = uma_zalloc_pcpu(pf_timestamp_pcpu_zone,
3185 if (rule->ifname[0]) {
3186 rule->kif = pfi_kkif_attach(kif, rule->ifname);
3187 pfi_kkif_ref(rule->kif);
3189 rule->kif = NULL;
3190 if (rule->bridge_to_name[0]) {
3191 rule->bridge_to = pfi_kkif_attach(bridge_to_kif,
3192 rule->bridge_to_name);
3193 pfi_kkif_ref(rule->bridge_to);
3195 rule->bridge_to = NULL;
3199 if (rule->qname[0] != 0) {
3200 if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
3203 rule->qid = rule->qid;
3206 if (rule->tagname[0])
3207 if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
3209 if (rule->match_tagname[0])
3210 if ((rule->match_tag = pf_tagname2tag(
3211 rule->match_tagname)) == 0)
3214 if (error == 0 && rule->ipdst.addr.type == PF_ADDR_TABLE)
3215 error = pf_eth_addr_setup(ruleset, &rule->ipdst.addr);
3216 if (error == 0 && rule->ipsrc.addr.type == PF_ADDR_TABLE)
3217 error = pf_eth_addr_setup(ruleset, &rule->ipsrc.addr);
3220 pf_free_eth_rule(rule);
3225 if (pf_keth_anchor_setup(rule, ruleset, anchor_call)) {
3226 pf_free_eth_rule(rule);
3233 rule->nr = tail->nr + 1;
3235 rule->nr = 0;
3237 TAILQ_INSERT_TAIL(ruleset->inactive.rules, rule, entries);
3424 struct pf_krule *rule = NULL;
3450 if (! nvlist_exists_nvlist(nvl, "rule"))
3453 rule = pf_krule_alloc();
3454 error = pf_nvrule_to_krule(nvlist_get_nvlist(nvl, "rule"),
3455 rule);
3467 /* Frees rule on error */
3468 error = pf_ioctl_addrule(rule, ticket, pool_ticket, anchor,
3477 pf_krule_free(rule);
3485 struct pf_krule *rule;
3487 rule = pf_krule_alloc();
3488 error = pf_rule_to_krule(&pr->rule, rule);
3490 pf_krule_free(rule);
3496 /* Frees rule on error */
3497 error = pf_ioctl_addrule(rule, pr->ticket, pr->pool_ticket,
3518 struct pf_krule *rule;
3579 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
3580 while ((rule != NULL) && (rule->nr != nr))
3581 rule = TAILQ_NEXT(rule, entries);
3582 if (rule == NULL) {
3587 nvrule = pf_krule_to_nvrule(rule);
3596 nvlist_add_nvlist(nvl, "rule", nvrule);
3599 if (pf_kanchor_nvcopyout(ruleset, rule, nvl)) {
3621 pf_krule_clear_counters(rule);
3652 if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3659 error = pf_rule_to_krule(&pcr->rule, newrule);
3702 rs_num = pf_get_ruleset_number(pcr->rule.action);
3709 * As a result it is possible the rule tree will not
4213 struct pf_krule *rule;
4216 TAILQ_FOREACH(rule,
4218 pf_counter_u64_zero(&rule->evaluations);
4220 pf_counter_u64_zero(&rule->packets[i]);
4221 pf_counter_u64_zero(&rule->bytes[i]);
5707 if (st->rule == NULL)
5708 sp->pfs_1301.rule = htonl(-1);
5710 sp->pfs_1301.rule = htonl(st->rule->nr);
5773 if (st->rule == NULL)
5774 sp->rule = htonl(-1);
5776 sp->rule = htonl(st->rule->nr);
6370 * explicit anchor rule or they may be left empty
6395 * explicit anchor rule or they may be left empty