Lines Matching refs:rl

/*
 * Detach rl from every list it is linked on. This is a cross-reference
 * listing: only lines that mention `rl` appear, so closing braces and
 * unrelated statements are absent.
 */
140 npf_ruleset_unlink(npf_ruleset_t *rlset, npf_rule_t *rl)
142 if (NPF_DYNAMIC_GROUP_P(rl->r_attr)) {
/* Dynamic groups carry a second linkage, r_dentry (the rs_dynamic list at line 179). */
143 LIST_REMOVE(rl, r_dentry);
145 if (NPF_DYNAMIC_RULE_P(rl->r_attr)) {
/* r_parent is dereferenced with no NULL check on the listed lines; it is set at lines 221 and 395. */
146 npf_rule_t *rg = rl->r_parent;
147 TAILQ_REMOVE(&rg->r_subset, rl, r_entry);
/* r_aentry is the linkage used for both rs_all and rs_gc elsewhere in this listing. */
149 LIST_REMOVE(rl, r_aentry);
/*
 * Teardown loop; the enclosing function's signature is not part of this
 * listing. Each rule is taken from the head of rs_all, unlinked, then freed,
 * so the loop ends when rs_all is empty.
 */
156 npf_rule_t *rl;
158 while ((rl = LIST_FIRST(&rlset->rs_all)) != NULL) {
159 npf_ruleset_unlink(rlset, rl);
160 npf_rule_free(rl);
/*
 * Add rl to the ruleset: link it on rs_all (and on rs_dynamic when it is a
 * dynamic group), then store it in the rs_rules array. Only lines that
 * mention `rl` are listed.
 */
171 npf_ruleset_insert(npf_ruleset_t *rlset, npf_rule_t *rl)
177 LIST_INSERT_HEAD(&rlset->rs_all, rl, r_aentry);
178 if (NPF_DYNAMIC_GROUP_P(rl->r_attr)) {
179 LIST_INSERT_HEAD(&rlset->rs_dynamic, rl, r_dentry);
/* NOTE(review): how n is derived and bounded against the size of rs_rules is not shown here - confirm in the full source. */
182 rlset->rs_rules[n] = rl;
/*
 * r_skip_to is raised to at least the slot after this rule. The value is
 * read from the rule dictionary ("skip-to", line 513), so this clamp looks
 * like what stops a supplied value from pointing at or before the rule
 * itself - TODO confirm. No upper bound is visible on the listed lines.
 */
185 if (rl->r_skip_to < ++n) {
186 rl->r_skip_to = n;
/*
 * Name lookup over the dynamic groups (rs_dynamic); the enclosing signature
 * is not part of this listing.
 */
193 npf_rule_t *rl;
197 LIST_FOREACH(rl, &rlset->rs_dynamic, r_dentry) {
198 KASSERT(NPF_DYNAMIC_GROUP_P(rl->r_attr));
/*
 * The comparison is bounded by NPF_RULE_MAXNAMELEN, the same bound strlcpy
 * uses when r_name is filled (line 502), so r_name is NUL-terminated within
 * that length. Whether `name` is terminated is up to the caller - not shown.
 */
199 if (strncmp(rl->r_name, name, NPF_RULE_MAXNAMELEN) == 0)
/* Lines 200-201 are not listed, so what is returned when nothing matches cannot be read from here. */
202 return rl;
/*
 * Add the dynamic rule rl to a group (rg; how rg is found from rname is on
 * lines this listing omits) at a position chosen from its priority. Only
 * lines that mention `rl` are listed.
 */
206 npf_ruleset_add(npf_ruleset_t *rlset, const char *rname, npf_rule_t *rl)
/* Branch taken for rules without the dynamic-rule attribute; its body is not listed (presumably a rejection - confirm). */
215 if (!NPF_DYNAMIC_RULE_P(rl->r_attr)) {
/* The ID comes from a per-ruleset counter that is pre-incremented; its type and wrap-around behaviour are not visible here. */
220 rl->r_id = ++rlset->rs_idcnt;
221 rl->r_parent = rg;
/* A negative priority is kept in priocmd and the stored priority is reset to 0. */
227 if ((priocmd = rl->r_priority) < 0) {
228 rl->r_priority = 0;
/*
 * Two ordered-insert paths follow, differing only in `<=` versus `<` against
 * the iterator `it`, with head and tail inserts alongside. The conditions
 * selecting each path are on lines not listed.
 */
234 if (rl->r_priority <= it->r_priority)
238 TAILQ_INSERT_BEFORE(it, rl, r_entry);
240 TAILQ_INSERT_HEAD(&rg->r_subset, rl, r_entry);
246 if (rl->r_priority < it->r_priority)
250 TAILQ_INSERT_BEFORE(it, rl, r_entry);
252 TAILQ_INSERT_TAIL(&rg->r_subset, rl, r_entry);
/* The rule also goes on rs_all through r_aentry. */
258 LIST_INSERT_HEAD(&rlset->rs_all, rl, r_aentry);
/*
 * Removal of a dynamic rule by ID; the enclosing signature is not part of
 * this listing.
 */
265 npf_rule_t *rg, *rl;
270 TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
272 if (rl->r_id == id) {
/*
 * The rule is unlinked and parked on rs_gc instead of being freed here; the
 * drain loop at lines 359-361 frees rs_gc entries later.
 * NOTE(review): rl is unlinked inside TAILQ_FOREACH, which is only safe if
 * the loop is left immediately afterwards - the exit is not listed; confirm.
 */
273 npf_ruleset_unlink(rlset, rl);
274 LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry);
/*
 * Removal of a dynamic rule by key; the enclosing signature is not part of
 * this listing. The group's rules are walked in reverse order.
 */
285 npf_rule_t *rg, *rl;
294 TAILQ_FOREACH_REVERSE(rl, &rg->r_subset, npf_ruleq, r_entry) {
/*
 * NOTE(review): memcmp reads len bytes of r_key. The check that len does not
 * exceed the size of r_key is not on the listed lines - confirm it happens
 * before this loop.
 */
296 if (memcmp(rl->r_key, key, len) == 0) {
/* Deferred free, as in the by-ID path: unlink, then park on rs_gc. The loop exit after this is not listed. */
297 npf_ruleset_unlink(rlset, rl);
298 LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry);
/*
 * Export of a group's rules; the enclosing signature is not part of this
 * listing. Each rule that has a stored dictionary contributes it to the
 * `rules` array.
 */
310 npf_rule_t *rg, *rl;
323 TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
/* Rules with a NULL r_dict are skipped; the branch body handles prop_array_add() failing and is not listed. */
324 if (rl->r_dict && !prop_array_add(rules, rl->r_dict)) {
/*
 * Flush of a group; the enclosing signature is not part of this listing.
 * Every rule on rg->r_subset is unlinked and parked on rs_gc; nothing is
 * freed on the listed lines.
 */
342 npf_rule_t *rg, *rl;
347 while ((rl = TAILQ_FIRST(&rg->r_subset)) != NULL) {
348 npf_ruleset_unlink(rlset, rl);
349 LIST_INSERT_HEAD(&rlset->rs_gc, rl, r_aentry);
/*
 * Drain of the rs_gc list; the enclosing signature is not part of this
 * listing. This is where rules parked by the removal and flush paths are
 * actually freed.
 * NOTE(review): what guarantees that no reader still holds a pointer to these
 * rules when this runs is not visible here - confirm against the callers.
 */
357 npf_rule_t *rl;
359 while ((rl = LIST_FIRST(&rlset->rs_gc)) != NULL) {
360 LIST_REMOVE(rl, r_aentry);
361 npf_rule_free(rl);
/*
 * Re-homing of a group's rules; the enclosing signature is not part of this
 * listing. Each rule on rg->r_subset has its r_aentry linkage moved onto
 * rlset->rs_all and its parent pointer set to rg.
 */
378 npf_rule_t *arg, *rl;
392 TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
/* LIST_REMOVE takes no list head, so the list rl leaves cannot be read from this line. */
393 LIST_REMOVE(rl, r_aentry);
394 LIST_INSERT_HEAD(&rlset->rs_all, rl, r_aentry);
395 rl->r_parent = rg;
/*
 * Search of rs_all for a rule whose NAT policy matches mnp; the enclosing
 * signature is not part of this listing.
 */
409 npf_rule_t *rl;
412 LIST_FOREACH(rl, &rlset->rs_all, r_aentry) {
/* r_natp is passed on with no NULL check on the listed lines; presumably every rule on this ruleset has a policy - confirm. */
413 if (npf_nat_matchpolicy(rl->r_natp, mnp))
416 return rl;
/*
 * Another walk of rs_all that reads each rule's NAT policy; the enclosing
 * signature and the test applied to np are not part of this listing.
 */
423 npf_rule_t *rl;
426 LIST_FOREACH(rl, &rlset->rs_all, r_aentry) {
432 np = rl->r_natp;
438 return rl;
/*
 * Walk of rs_all that acts only on rules with a NAT policy; the enclosing
 * signature and the branch body are not part of this listing.
 */
448 npf_rule_t *rl;
451 LIST_FOREACH(rl, &rlset->rs_all, r_aentry) {
/* Unlike the other NAT walks listed here, this one checks r_natp for NULL before use. */
452 if ((np = rl->r_natp) != NULL) {
/*
 * Walk of a second ruleset (nrlset) that replaces rule NAT policies; the
 * enclosing signature is not part of this listing.
 */
468 npf_rule_t *rl, *arl;
471 LIST_FOREACH(rl, &nrlset->rs_all, r_aentry) {
472 np = rl->r_natp;
/*
 * r_natp is overwritten with anp. Where anp comes from and what happens to
 * the previous np (release, reference drop) is on lines not listed - confirm
 * that np is not leaked or left dangling.
 */
479 rl->r_natp = anp;
/*
 * Construction of a rule from a property dictionary (rldict); the enclosing
 * signature is not part of this listing. The dictionary content is input to
 * this code, so each field read below is as trustworthy as its source.
 */
492 npf_rule_t *rl;
/* Zero-filled allocation: any field not set below starts out as 0/NULL. */
496 rl = kmem_zalloc(sizeof(npf_rule_t), KM_SLEEP);
497 TAILQ_INIT(&rl->r_subset);
498 rl->r_natp = NULL;
/* strlcpy truncates to NPF_RULE_MAXNAMELEN and always NUL-terminates; the other branch leaves the name empty. */
502 strlcpy(rl->r_name, rname, NPF_RULE_MAXNAMELEN);
504 rl->r_name[0] = '\0';
/*
 * The return values of these getters are not used on the listed lines, so a
 * missing key leaves the field at its zero-filled value. No range check of
 * attributes, priority, interface or skip-to is visible here.
 */
508 prop_dictionary_get_uint32(rldict, "attributes", &rl->r_attr);
509 prop_dictionary_get_int32(rldict, "priority", &rl->r_priority);
510 prop_dictionary_get_uint32(rldict, "interface", &rl->r_ifid);
513 prop_dictionary_get_uint32(rldict, "skip-to", &rl->r_skip_to);
/* Error path that frees the half-built rule; the condition guarding it is not listed. */
522 kmem_free(rl, sizeof(npf_rule_t));
/*
 * NOTE(review): len bytes are copied into r_key. The free at line 522 sits
 * just before this copy and may be the rejection of an oversized key, but the
 * test itself is not listed - confirm len is bounded by the size of r_key.
 */
525 memcpy(rl->r_key, key, len);
528 if (NPF_DYNAMIC_RULE_P(rl->r_attr)) {
/* Dynamic rules keep their own copy of the dictionary. The result is not checked here; users at lines 324 and 579 test r_dict for NULL. */
529 rl->r_dict = prop_dictionary_copy(rldict);
532 return rl;
/*
 * Attach filter code to the rule by storing its type, pointer and length.
 * npf_rule_free() later calls kmem_free(rl->r_code, rl->r_clen) (line 577),
 * so the rule takes ownership of `code`, and `size` has to be the size the
 * buffer was allocated with. Only lines that mention `rl` are listed.
 */
541 npf_rule_setcode(npf_rule_t *rl, const int type, void *code, size_t size)
543 rl->r_type = type;
544 rl->r_code = code;
545 rl->r_clen = size;
/*
 * Associate the rule procedure rp with the rule. Lines 553-554 are not
 * listed, so any reference counting done on rp cannot be read from here.
 */
552 npf_rule_setrproc(npf_rule_t *rl, npf_rproc_t *rp)
555 rl->r_rproc = rp;
/*
 * Release a rule and what it owns. Only lines that mention `rl` are listed;
 * how np and rp are released (lines 566-574) is not shown.
 */
562 npf_rule_free(npf_rule_t *rl)
564 npf_natpolicy_t *np = rl->r_natp;
565 npf_rproc_t *rp = rl->r_rproc;
575 if (rl->r_code) {
/* kmem_free needs the allocation size; r_clen is whatever npf_rule_setcode() stored, so the two must agree. */
577 kmem_free(rl->r_code, rl->r_clen);
579 if (rl->r_dict) {
/* Drops the reference on the dictionary copy made for dynamic rules (line 529). */
581 prop_object_release(rl->r_dict);
/* After this line every remaining pointer to rl is dangling; callers unlink the rule first (lines 159-160, 360-361). */
583 kmem_free(rl, sizeof(npf_rule_t));
/*
 * Return the rule's ID. The dynamic-rule precondition is expressed only as a
 * KASSERT, which is typically compiled out of non-diagnostic kernels, so it
 * is not a runtime check callers can rely on.
 */
593 npf_rule_getid(const npf_rule_t *rl)
595 KASSERT(NPF_DYNAMIC_RULE_P(rl->r_attr));
596 return rl->r_id;
/*
 * Read the rule's procedure pointer. The rest of the body (lines 603 onward)
 * is not listed, so whether a reference is taken before returning is not
 * visible here.
 */
600 npf_rule_getrproc(npf_rule_t *rl)
602 npf_rproc_t *rp = rl->r_rproc;
/* Return the rule's NAT policy pointer; it is NULL until npf_rule_setnat() stores one (lines 498, 625). */
611 npf_rule_getnat(const npf_rule_t *rl)
613 return rl->r_natp;
/*
 * Attach a NAT policy to a rule that has none yet. The "none yet"
 * precondition is a KASSERT only; without it, a second call would overwrite
 * the previous pointer with no release visible on the listed lines.
 */
621 npf_rule_setnat(npf_rule_t *rl, npf_natpolicy_t *np)
624 KASSERT(rl->r_natp == NULL);
625 rl->r_natp = np;
/*
 * Decide whether one rule applies to a packet. The signature continues on a
 * line that is not listed, and the outcome of each test below is on omitted
 * lines; only the conditions themselves are visible.
 */
633 npf_rule_inspect(npf_cache_t *npc, nbuf_t *nbuf, const npf_rule_t *rl,
/* An r_ifid of 0 means no interface restriction; otherwise it must equal the packet interface's index. */
640 if (rl->r_ifid && rl->r_ifid != ifp->if_index) {
/* When the rule does not have all NPF_RULE_DIMASK bits set, the packet's direction bit (di_mask) must be among its attributes. */
645 if ((rl->r_attr & NPF_RULE_DIMASK) != NPF_RULE_DIMASK) {
646 if ((rl->r_attr & di_mask) == 0)
/* Rule with no filter code: the branch body is not listed (presumably it matches every packet - confirm). */
651 if ((code = rl->r_code) == NULL) {
/* Dispatch on the code type stored by npf_rule_setcode(); the cases are not listed. */
655 switch (rl->r_type) {
/*
 * Evaluation of the rules inside a group (drl); the enclosing signature is
 * not part of this listing.
 */
677 npf_rule_t *final_rl = NULL, *rl;
681 TAILQ_FOREACH(rl, &drl->r_subset, r_entry) {
/* Branch for rules that do not apply to the packet; its body is not listed. */
682 if (!npf_rule_inspect(npc, nbuf, rl, di_mask, layer)) {
/* A matching rule marked NPF_RULE_FINAL ends the search at once. */
685 if (rl->r_attr & NPF_RULE_FINAL) {
686 return rl;
/* Otherwise the match is remembered and the walk goes on, so a later match replaces an earlier one. */
688 final_rl = rl;
/*
 * Body of the main evaluation loop over the rs_rules array; the loop header
 * and the enclosing signature are not part of this listing, so the bound on
 * n cannot be read from here.
 */
713 npf_rule_t *rl = rlset->rs_rules[n];
/* Snapshots taken before rl may be reassigned at line 737. */
714 const u_int skip_to = rl->r_skip_to;
715 const uint32_t attr = rl->r_attr;
/* Debug-only invariant: priorities do not decrease relative to the current best match. */
718 KASSERT(!final_rl || rl->r_priority >= final_rl->r_priority);
/* Branch for rules that do not apply to the packet; its body (presumably a jump using skip_to) is not listed. */
727 if (!npf_rule_inspect(npc, nbuf, rl, di_mask, layer)) {
/* Descend into the group's own rules; a NULL result means nothing inside matched. The condition selecting this path is not listed. */
737 rl = npf_rule_reinspect(npc, nbuf, rl, di_mask, layer);
738 if (rl != NULL) {
739 final_rl = rl;
746 final_rl = rl;
/*
 * Turn the selected rule into a verdict: the rule's attribute word is copied
 * to *retfl, and the return value is 0 when NPF_RULE_PASS is set, otherwise
 * ENETUNREACH. Lines 767-768 are not listed.
 */
766 npf_rule_conclude(const npf_rule_t *rl, int *retfl)
769 *retfl = rl->r_attr;
770 return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
/*
 * Debug dump of a rule: takes the code pointer as 32-bit words and the code
 * length, then prints the verdict. The loop printing the words (lines
 * 780-785) is not listed.
 */
776 npf_rulenc_dump(const npf_rule_t *rl)
/* NOTE(review): r_code may be NULL (line 651 tests for it); whether the unlisted loop copes with that depends on r_clen being 0 - confirm. */
778 const uint32_t *op = rl->r_code;
779 size_t n = rl->r_clen;
786 printf("-> %s\n", (rl->r_attr & NPF_RULE_PASS) ? "pass" : "block");