510 	/* default rule should never be garbage collected */
694 	struct pf_rule		*rule;
708 			rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
711 			rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
717 			rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
720 			rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr);
723 		while ((rule != NULL) && (rule->nr != rule_number))
724 			rule = TAILQ_NEXT(rule, entries);
726 	if (rule == NULL)
729 	return (&rule->rpool);
758 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
761 		if (rule->states <= 0) {
764 			 * the rule to make sure the table code does not delete
767 			pf_tbladdr_remove(&rule->src.addr);
768 			pf_tbladdr_remove(&rule->dst.addr);
769 			if (rule->overload_tbl)
770 				pfr_detach_table(rule->overload_tbl);
772 		TAILQ_REMOVE(rulequeue, rule, entries);
773 		rule->entries.tqe_prev = NULL;
774 		rule->nr = -1;
777 	if (rule->states > 0 || rule->src_nodes > 0 ||
778 	    rule->entries.tqe_prev != NULL)
780 	pf_tag_unref(rule->tag);
781 	pf_tag_unref(rule->match_tag);
784 		if (rule->pqid != rule->qid)
785 			pf_qid_unref(rule->pqid);
786 		pf_qid_unref(rule->qid);
789 	pf_rtlabel_remove(&rule->src.addr);
790 	pf_rtlabel_remove(&rule->dst.addr);
791 	pfi_dynaddr_remove(&rule->src.addr);
792 	pfi_dynaddr_remove(&rule->dst.addr);
794 		pf_tbladdr_remove(&rule->src.addr);
795 		pf_tbladdr_remove(&rule->dst.addr);
796 		if (rule->overload_tbl)
797 			pfr_detach_table(rule->overload_tbl);
799 	pfi_kif_unref(rule->kif, PFI_KIF_REF_RULE);
800 	pf_anchor_remove(rule);
801 	pf_empty_pool(&rule->rpool.list);
802 	pool_put(&pf_rule_pl, rule);
1163 	struct pf_rule		*rule;
1170 	while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1171 		pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
1183 	struct pf_rule		*rule;
1191 	while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) {
1192 		pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule);
1253 pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule)
1258 	pf_hash_rule_addr(ctx, &rule->src, rule->proto);
1259 	pf_hash_rule_addr(ctx, &rule->dst, rule->proto);
1260 	PF_MD5_UPD_STR(rule, label);
1261 	PF_MD5_UPD_STR(rule, ifname);
1262 	PF_MD5_UPD_STR(rule, match_tagname);
1263 	PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
1264 	PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
1265 	PF_MD5_UPD_HTONL(rule, prob, y);
1266 	PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
1267 	PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
1268 	PF_MD5_UPD(rule, uid.op);
1269 	PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
1270 	PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
1271 	PF_MD5_UPD(rule, gid.op);
1272 	PF_MD5_UPD_HTONL(rule, rule_flag, y);
1273 	PF_MD5_UPD(rule, action);
1274 	PF_MD5_UPD(rule, direction);
1275 	PF_MD5_UPD(rule, af);
1276 	PF_MD5_UPD(rule, quick);
1277 	PF_MD5_UPD(rule, ifnot);
1278 	PF_MD5_UPD(rule, match_tag_not);
1279 	PF_MD5_UPD(rule, natpass);
1280 	PF_MD5_UPD(rule, keep_state);
1281 	PF_MD5_UPD(rule, proto);
1282 	PF_MD5_UPD(rule, type);
1283 	PF_MD5_UPD(rule, code);
1284 	PF_MD5_UPD(rule, flags);
1285 	PF_MD5_UPD(rule, flagset);
1286 	PF_MD5_UPD(rule, allow_opts);
1287 	PF_MD5_UPD(rule, rt);
1288 	PF_MD5_UPD(rule, tos);
1295 	struct pf_rule		*rule, **old_array;
1336 	/* Purge the old rule list. */
1337 	while ((rule = TAILQ_FIRST(old_rules)) != NULL)
1338 		pf_rm_rule(old_rules, rule);
1426 	sp->rule = s->rule.ptr->nr;
1478 	s->rule.ptr = &pf_default_rule;
1516 	struct pf_rule		*rule;
1540 		TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
1542 			pf_hash_rule(&ctx, rule);
1543 			(rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
1954 		struct pf_rule		*rule;
1956 		TAILQ_FOREACH(rule,
1958 			rule->evaluations = 0;
1959 			rule->packets[0] = rule->packets[1] = 0;
1960 			rule->bytes[0] = rule->bytes[1] = 0;
2748 pf_expire_states_and_src_nodes(struct pf_rule *rule)
2757 		if (state->rule.ptr == rule)
2765 		if (sn->rule.ptr != rule)
2786     struct pf_rule *rule)
2791 	pf_expire_states_and_src_nodes(rule);
2793 	pf_rm_rule(ruleset->rules[rs_num].active.ptr, rule);
2817 	struct pf_rule		*rule;
2824 	    pr->rule.owner, is_anchor, &error)) == NULL)
2827 	rs_num = pf_get_ruleset_number(pr->rule.action);
2832 	if (pr->rule.ticket) {
2833 		rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2834 		while (rule && (rule->ticket != pr->rule.ticket))
2835 			rule = TAILQ_NEXT(rule, entries);
2836 		if (rule == NULL)
2839 		if (strcmp(rule->owner, pr->rule.owner))
2843 		if (rule->anchor && (ruleset != &pf_main_ruleset) &&
2846 			/* set rule & ruleset to parent and repeat */
2847 			struct pf_rule *delete_rule = rule;
2856 			rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
2857 			while (rule &&
2858 			    (rule->anchor != delete_ruleset->anchor))
2859 				rule = TAILQ_NEXT(rule, entries);
2860 			if (rule == NULL)
2861 				panic("%s: rule not found!", __func__);
2873 			if (rule->rule_flag & PFRULE_PFM)
2876 			    rule);
2888 	struct pf_rule		*rule, *next;
2892 		rule = TAILQ_FIRST(pf_main_ruleset.rules[rs].active.ptr);
2894 		while (rule) {
2895 			next = TAILQ_NEXT(rule, entries);
2896 			if (rule->anchor) {
2897 				if (((strcmp(rule->owner, owner)) == 0) ||
2898 				    ((strcmp(rule->owner, "")) == 0)) {
2899 					if (rule->anchor->ruleset.rules[rs].active.rcount > 0) {
2906 						    &rule->anchor->ruleset;
2907 						rule = TAILQ_FIRST(ruleset->rules[rs].active.ptr);
2910 						if (rule->rule_flag &
2913 						pf_delete_rule_from_ruleset(ruleset, rs, rule);
2915 						rule = next;
2918 					rule = next;
2920 				if (((strcmp(rule->owner, owner)) == 0)) {
2921 					/* delete rule */
2922 					if (rule->rule_flag & PFRULE_PFM)
2925 					    rs, rule);
2928 				rule = next;
2930 			if (rule == NULL) {
2937 					    rs, &rule);
2948 	struct pf_rule *rule = *rule_ptr;
2955 	rule = TAILQ_FIRST(ruleset->rules[rs].active.ptr);
2956 	while (rule && (rule->anchor != rs_copy->anchor))
2957 		rule = TAILQ_NEXT(rule, entries);
2958 	if (rule == NULL)
2959 		panic("%s: parent rule of anchor not found!", __func__);
2960 	if (rule->anchor->ruleset.rules[rs].active.rcount > 0)
2961 		rule = TAILQ_NEXT(rule, entries);
2964 	*rule_ptr = rule;
2968 pf_rule_setup(struct pfioc_rule *pr, struct pf_rule *rule,
2973 	if (rule->ifname[0]) {
2974 		rule->kif = pfi_kif_get(rule->ifname);
2975 		if (rule->kif == NULL) {
2976 			pool_put(&pf_rule_pl, rule);
2979 		pfi_kif_ref(rule->kif, PFI_KIF_REF_RULE);
2983 	if (altq_allowed && rule->qname[0] != '\0') {
2984 		if ((rule->qid = pf_qname2qid(rule->qname)) == 0)
2986 		else if (rule->pqname[0] != '\0') {
2987 			if ((rule->pqid =
2988 			    pf_qname2qid(rule->pqname)) == 0)
2991 			rule->pqid = rule->qid;
2994 	if (rule->tagname[0])
2995 		if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0)
2997 	if (rule->match_tagname[0])
2998 		if ((rule->match_tag =
2999 		    pf_tagname2tag(rule->match_tagname)) == 0)
3001 	if (rule->rt && !rule->direction)
3004 	if (!rule->log)
3005 		rule->logif = 0;
3006 	if (rule->logif >= PFLOGIFS_MAX)
3009 	if (pf_rtlabel_add(&rule->src.addr) ||
3010 	    pf_rtlabel_add(&rule->dst.addr))
3012 	if (pfi_dynaddr_setup(&rule->src.addr, rule->af))
3014 	if (pfi_dynaddr_setup(&rule->dst.addr, rule->af))
3016 	if (pf_tbladdr_setup(ruleset, &rule->src.addr))
3018 	if (pf_tbladdr_setup(ruleset, &rule->dst.addr))
3020 	if (pf_anchor_setup(rule, ruleset, pr->anchor_call))
3026 	if (rule->overload_tblname[0]) {
3027 		if ((rule->overload_tbl = pfr_attach_table(ruleset,
3028 		    rule->overload_tblname)) == NULL)
3031 			rule->overload_tbl->pfrkt_flags |=
3035 	pf_mv_pool(&pf_pabuf, &rule->rpool.list);
3036 	if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
3037 	    (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
3038 	    (rule->rt > PF_FASTROUTE)) &&
3039 	    (TAILQ_FIRST(&rule->rpool.list) == NULL))
3043 		pf_rm_rule(NULL, rule);
3046 	rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
3047 	rule->evaluations = rule->packets[0] = rule->packets[1] =
3048 	    rule->bytes[0] = rule->bytes[1] = 0;
3061 		struct pf_rule		*rule, *tail;
3071 		rs_num = pf_get_ruleset_number(pr->rule.action);
3076 		if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3088 		rule = pool_get(&pf_rule_pl, PR_WAITOK);
3089 		if (rule == NULL) {
3093 		pf_rule_copyin(&pr->rule, rule, p, minordev);
3095 		if (rule->af == AF_INET) {
3096 			pool_put(&pf_rule_pl, rule);
3102 		if (rule->af == AF_INET6) {
3103 			pool_put(&pf_rule_pl, rule);
3111 			rule->nr = tail->nr + 1;
3113 			rule->nr = 0;
3115 		if ((error = pf_rule_setup(pr, rule, ruleset)))
3119 		    rule, entries);
3121 		if (rule->rule_flag & PFRULE_PFM)
3138 		rs_num = pf_get_ruleset_number(pr->rule.action);
3155 		struct pf_rule		*rule;
3165 		rs_num = pf_get_ruleset_number(pr->rule.action);
3174 		rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
3175 		while ((rule != NULL) && (rule->nr != pr->nr))
3176 			rule = TAILQ_NEXT(rule, entries);
3177 		if (rule == NULL) {
3181 		pf_rule_copyout(rule, &pr->rule);
3182 		if (pf_anchor_copyout(ruleset, rule, pr)) {
3186 		pfi_dynaddr_copyout(&pr->rule.src.addr);
3187 		pfi_dynaddr_copyout(&pr->rule.dst.addr);
3188 		pf_tbladdr_copyout(&pr->rule.src.addr);
3189 		pf_tbladdr_copyout(&pr->rule.dst.addr);
3190 		pf_rtlabel_copyout(&pr->rule.src.addr);
3191 		pf_rtlabel_copyout(&pr->rule.dst.addr);
3193 			if (rule->skip[i].ptr == NULL)
3194 				pr->rule.skip[i].nr = -1;
3196 				pr->rule.skip[i].nr =
3197 				    rule->skip[i].ptr->nr;
3200 			rule->evaluations = 0;
3201 			rule->packets[0] = rule->packets[1] = 0;
3202 			rule->bytes[0] = rule->bytes[1] = 0;
3234 		rs_num = pf_get_ruleset_number(pcr->rule.action);
3249 			if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3261 			pf_rule_copyin(&pcr->rule, newrule, p, minordev);
3416 		struct pf_rule		*rule, *tail, *r;
3425 		    pr->rule.owner, is_anchor, &error)) == NULL)
3428 		rs_num = pf_get_ruleset_number(pr->rule.action);
3433 		if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3438 		/* make sure this anchor rule doesn't exist already */
3445 					if (((strcmp(pr->rule.owner,
3457 		rule = pool_get(&pf_rule_pl, PR_WAITOK);
3458 		if (rule == NULL) {
3462 		pf_rule_copyin(&pr->rule, rule, p, minordev);
3464 		if (rule->af == AF_INET) {
3465 			pool_put(&pf_rule_pl, rule);
3471 		if (rule->af == AF_INET6) {
3472 			pool_put(&pf_rule_pl, rule);
3479 		while ((r != NULL) && (rule->priority >= (unsigned)r->priority))
3485 				rule->nr = tail->nr + 1;
3487 				rule->nr = 0;
3489 			rule->nr = r->nr;
3492 		if ((error = pf_rule_setup(pr, rule, ruleset)))
3495 		if (rule->anchor != NULL)
3496 			strncpy(rule->anchor->owner, rule->owner,
3500 			TAILQ_INSERT_BEFORE(r, rule, entries);
3505 			    rule, entries);
3513 		rule->ticket = ruleset->rules[rs_num].active.ticket;
3515 		pr->rule.ticket = rule->ticket;
3516 		pf_rule_copyout(rule, &pr->rule);
3517 		if (rule->rule_flag & PFRULE_PFM)
3526 		if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) {
3531 		if (pr->rule.ticket) {
3535 			pf_delete_rule_by_owner(pr->rule.owner);
4562 			if (n->rule.ptr != NULL)
4563 				pstore->rule.nr = n->rule.ptr->nr;

Indexes created Wed Sep 11 23:09:49 MDT 2024