author | Henning Brauer <henning@cvs.openbsd.org> | 2009-11-22 22:34:51 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2009-11-22 22:34:51 +0000 |
commit | 45185d600bccff75c24b3fde89e16836acacd32d (patch) | |
tree | f4192e56dbe3f195b849ce4ef9f54b66a1850d40 | |
parent | 6ab5ecb654c7126805dbc40561f2759f83cc00e0 (diff) |
cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
-rw-r--r-- | sbin/pfctl/parse.y | 26 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 45 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_optimize.c | 20 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 10 | ||||
-rw-r--r-- | sys/net/if_pfsync.c | 7 | ||||
-rw-r--r-- | sys/net/pf.c | 22 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 250 | ||||
-rw-r--r-- | sys/net/pf_ruleset.c | 51 | ||||
-rw-r--r-- | sys/net/pfvar.h | 17 |
9 files changed, 166 insertions, 282 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index ee20d3bd532..e3606d331f4 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.574 2009/11/09 14:31:58 jsg Exp $ */ +/* $OpenBSD: parse.y,v 1.575 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -5425,23 +5425,17 @@ symget(const char *nam) void mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst) { - int i; struct pf_rule *r; - for (i = 0; i < PF_RULESET_MAX; ++i) { - while ((r = TAILQ_FIRST(src->rules[i].active.ptr)) - != NULL) { - TAILQ_REMOVE(src->rules[i].active.ptr, r, entries); - TAILQ_INSERT_TAIL(dst->rules[i].active.ptr, r, entries); - dst->anchor->match++; - } - src->anchor->match = 0; - while ((r = TAILQ_FIRST(src->rules[i].inactive.ptr)) - != NULL) { - TAILQ_REMOVE(src->rules[i].inactive.ptr, r, entries); - TAILQ_INSERT_TAIL(dst->rules[i].inactive.ptr, - r, entries); - } + while ((r = TAILQ_FIRST(src->rules.active.ptr)) != NULL) { + TAILQ_REMOVE(src->rules.active.ptr, r, entries); + TAILQ_INSERT_TAIL(dst->rules.active.ptr, r, entries); + dst->anchor->match++; + } + src->anchor->match = 0; + while ((r = TAILQ_FIRST(src->rules.inactive.ptr)) != NULL) { + TAILQ_REMOVE(src->rules.inactive.ptr, r, entries); + TAILQ_INSERT_TAIL(dst->rules.inactive.ptr, r, entries); } } diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index ea1b1592ff4..cab5c0b490b 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.289 2009/10/28 20:11:01 jsg Exp $ */ +/* $OpenBSD: pfctl.c,v 1.290 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
@@ -91,8 +91,7 @@ void pfctl_debug(int, u_int32_t, int); int pfctl_test_altqsupport(int, int); int pfctl_show_anchors(int, int, char *); int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *); -int pfctl_load_ruleset(struct pfctl *, char *, - struct pf_ruleset *, int, int); +int pfctl_load_ruleset(struct pfctl *, char *, struct pf_ruleset *, int); int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int); const char *pfctl_lookup_option(char *, const char **); void pfctl_state_store(int, const char *); @@ -312,7 +311,7 @@ pfctl_clear_rules(int dev, int opts, char *anchorname) memset(&t, 0, sizeof(t)); t.pfrb_type = PFRB_TRANS; - if (pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) || + if (pfctl_add_trans(&t, PF_TRANS_RULESET, anchorname) || pfctl_trans(dev, &t, DIOCXBEGIN, 0) || pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) err(1, "pfctl_clear_rules"); @@ -330,7 +329,7 @@ pfctl_clear_altq(int dev, int opts) return (-1); memset(&t, 0, sizeof(t)); t.pfrb_type = PFRB_TRANS; - if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") || + if (pfctl_add_trans(&t, PF_TRANS_ALTQ, "") || pfctl_trans(dev, &t, DIOCXBEGIN, 0) || pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) err(1, "pfctl_clear_altq"); @@ -1089,18 +1088,11 @@ pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af, int which) int pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) { - u_int8_t rs_num; struct pf_rule *rule; struct pf_ruleset *rs; char *p; - rs_num = pf_get_ruleset_number(r->action == PF_MATCH ? PF_PASS : - r->action); - if (rs_num == PF_RULESET_MAX) - errx(1, "Invalid rule type %d", r->action); - rs = &pf->anchor->ruleset; - if (anchor_call[0] && r->anchor == NULL) { /* * Don't make non-brace anchors part of the main anchor pool. 
@@ -1134,7 +1126,7 @@ pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) TAILQ_INIT(&rule->route.list); pfctl_move_pool(&r->route, &rule->route); - TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries); + TAILQ_INSERT_TAIL(rs->rules.active.ptr, rule, entries); return (0); } @@ -1145,15 +1137,15 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a) if (a == pf->astack[0] && ((altqsupport && (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) { - if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path)) + if (pfctl_add_trans(pf->trans, PF_TRANS_ALTQ, path)) return (2); } if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) { - if (pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path)) + if (pfctl_add_trans(pf->trans, PF_TRANS_RULESET, path)) return (3); } if (pf->loadopt & PFCTL_FLAG_TABLE) - if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path)) + if (pfctl_add_trans(pf->trans, PF_TRANS_TABLE, path)) return (4); if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize)) return (5); @@ -1163,7 +1155,7 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a) int pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, - int rs_num, int depth) + int depth) { struct pf_rule *r; int error, len = strlen(path); @@ -1177,7 +1169,7 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name); if (depth) { - if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) { + if (TAILQ_FIRST(rs->rules.active.ptr) != NULL) { brace++; if (pf->opts & PF_OPT_VERBOSE) printf(" {\n"); 
@@ -1193,16 +1185,16 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, } - if (pf->optimize && rs_num == PF_RULESET_FILTER) + if (pf->optimize) pfctl_optimize_ruleset(pf, rs); - while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) { - TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries); + while ((r = TAILQ_FIRST(rs->rules.active.ptr)) != NULL) { + TAILQ_REMOVE(rs->rules.active.ptr, r, entries); if ((error = pfctl_load_rule(pf, path, r, depth))) goto error; if (r->anchor) { if ((error = pfctl_load_ruleset(pf, path, - &r->anchor->ruleset, rs_num, depth + 1))) + &r->anchor->ruleset, depth + 1))) goto error; } else if (pf->opts & PF_OPT_VERBOSE) printf("\n"); @@ -1224,7 +1216,6 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, int pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) { - u_int8_t rs_num = pf_get_ruleset_number(r->action); char *name; struct pfioc_rule pr; int len = strlen(path); @@ -1232,7 +1223,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) bzero(&pr, sizeof(pr)); /* set up anchor before adding to path for anchor_call */ if ((pf->opts & PF_OPT_NOACTION) == 0) - pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path); + pr.ticket = pfctl_get_ticket(pf->trans, PF_TRANS_RULESET, path); if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor)) errx(1, "pfctl_load_rule: strlcpy"); @@ -1375,10 +1366,10 @@ pfctl_rules(int dev, char *filename, int opts, int optimize, ERRX("pfctl_rules"); if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ)) pa.ticket = - pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname); + pfctl_get_ticket(t, PF_TRANS_ALTQ, anchorname); if (pf.loadopt & PFCTL_FLAG_TABLE) pf.astack[0]->ruleset.tticket = - pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname); + pfctl_get_ticket(t, PF_TRANS_TABLE, anchorname); } if (parse_config(filename, &pf) < 0) { 
@@ -1390,7 +1381,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize, } if ((pf.loadopt & PFCTL_FLAG_FILTER && - pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) { + pfctl_load_ruleset(&pf, path, rs, 0))) { if ((opts & PF_OPT_NOACTION) == 0) ERRX("Unable to load rules into kernel"); else diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c index 666e69f8b30..b17b7986822 100644 --- a/sbin/pfctl/pfctl_optimize.c +++ b/sbin/pfctl/pfctl_optimize.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_optimize.c,v 1.20 2009/10/28 20:11:01 jsg Exp $ */ +/* $OpenBSD: pfctl_optimize.c,v 1.21 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org> @@ -273,19 +273,16 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs) skip_init(); TAILQ_INIT(&opt_queue); - old_rules = rs->rules[PF_RULESET_FILTER].active.ptr; - rs->rules[PF_RULESET_FILTER].active.ptr = - rs->rules[PF_RULESET_FILTER].inactive.ptr; - rs->rules[PF_RULESET_FILTER].inactive.ptr = old_rules; + old_rules = rs->rules.active.ptr; + rs->rules.active.ptr = rs->rules.inactive.ptr; + rs->rules.inactive.ptr = old_rules; /* * XXX expanding the pf_opt_rule format throughout pfctl might allow * us to avoid all this copying. */ - while ((r = TAILQ_FIRST(rs->rules[PF_RULESET_FILTER].inactive.ptr)) - != NULL) { - TAILQ_REMOVE(rs->rules[PF_RULESET_FILTER].inactive.ptr, r, - entries); + while ((r = TAILQ_FIRST(rs->rules.inactive.ptr)) != NULL) { + TAILQ_REMOVE(rs->rules.inactive.ptr, r, entries); if ((por = calloc(1, sizeof(*por))) == NULL) err(1, "calloc"); memcpy(&por->por_rule, r, sizeof(*r)); @@ -308,7 +305,6 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs) bzero(&por->por_rule.route, sizeof(por->por_rule.route)); - TAILQ_INSERT_TAIL(&opt_queue, por, por_entry); } 
@@ -342,9 +338,7 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs) pfctl_move_pool(&por->por_rule.rdr, &r->rdr); pfctl_move_pool(&por->por_rule.nat, &r->nat); pfctl_move_pool(&por->por_rule.route, &r->route); - TAILQ_INSERT_TAIL( - rs->rules[PF_RULESET_FILTER].active.ptr, - r, entries); + TAILQ_INSERT_TAIL(rs->rules.active.ptr, r, entries); free(por); } free(block); diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 72906cb2f31..b7715b3cf77 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.250 2009/10/28 20:11:01 jsg Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.251 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1712,12 +1712,12 @@ append_addr_host(struct pfr_buffer *b, struct node_host *n, int test, int not) } int -pfctl_add_trans(struct pfr_buffer *buf, int rs_num, const char *anchor) +pfctl_add_trans(struct pfr_buffer *buf, int type, const char *anchor) { struct pfioc_trans_e trans; bzero(&trans, sizeof(trans)); - trans.rs_num = rs_num; + trans.type = type; if (strlcpy(trans.anchor, anchor, sizeof(trans.anchor)) >= sizeof(trans.anchor)) errx(1, "pfctl_add_trans: strlcpy"); @@ -1726,12 +1726,12 @@ pfctl_add_trans(struct pfr_buffer *buf, int rs_num, const char *anchor) } u_int32_t -pfctl_get_ticket(struct pfr_buffer *buf, int rs_num, const char *anchor) +pfctl_get_ticket(struct pfr_buffer *buf, int type, const char *anchor) { struct pfioc_trans_e *p; PFRB_FOREACH(p, buf) - if (rs_num == p->rs_num && !strcmp(anchor, p->anchor)) + if (type == p->type && !strcmp(anchor, p->anchor)) return (p->ticket); errx(1, "pfctl_get_ticket: assertion failed"); } diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c index 0d39b3e6891..5d2e1ebd1f8 100644 --- a/sys/net/if_pfsync.c +++ b/sys/net/if_pfsync.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.c,v 1.131 2009/11/12 06:53:24 deraadt Exp $ */ +/* $OpenBSD: if_pfsync.c,v 1.132 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff @@ -492,9 +492,8 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) */ if (sp->rule != htonl(-1) && sp->anchor == htonl(-1) && (flags & (PFSYNC_SI_IOCTL | PFSYNC_SI_CKSUM)) && ntohl(sp->rule) < - pf_main_ruleset.rules[PF_RULESET_FILTER].active.rcount) - r = pf_main_ruleset.rules[ - PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)]; + pf_main_ruleset.rules.active.rcount) + r = pf_main_ruleset.rules.active.ptr_array[ntohl(sp->rule)]; else r = &pf_default_rule; diff --git a/sys/net/pf.c b/sys/net/pf.c index 4467652c878..552bf56e423 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.669 2009/11/21 20:54:27 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.670 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2251,7 +2251,7 @@ pf_tag_packet(struct mbuf *m, int tag, int rtableid) } void -pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n, +pf_step_into_anchor(int *depth, struct pf_ruleset **rs, struct pf_rule **r, struct pf_rule **a, int *match) { struct pf_anchor_stackframe *f; @@ -2282,11 +2282,11 @@ pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n, f->child = NULL; *rs = &(*r)->anchor->ruleset; } - *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); + *r = TAILQ_FIRST((*rs)->rules.active.ptr); } int -pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n, +pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, struct pf_rule **r, struct pf_rule **a, int *match) { struct pf_anchor_stackframe *f; 
@@ -2305,7 +2305,7 @@ pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n, f->child = RB_NEXT(pf_anchor_node, f->parent, f->child); if (f->child != NULL) { *rs = &f->child->ruleset; - *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); + *r = TAILQ_FIRST((*rs)->rules.active.ptr); if (*r == NULL) continue; else @@ -2763,7 +2763,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, pd->osport = sport; pd->odport = dport; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr); while (r != NULL) { r->evaluations++; if (pfi_kif_match(r->kif, kif) == r->ifnot) @@ -2853,10 +2853,10 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); } else pf_step_into_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match); + &r, &a, &match); } if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match)) + &r, &a, &match)) break; } r = *rm; @@ -3300,7 +3300,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, int asd = 0; int match = 0; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr); while (r != NULL) { r->evaluations++; if (pfi_kif_match(r->kif, kif) == r->ifnot) @@ -3347,10 +3347,10 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, r = TAILQ_NEXT(r, entries); } else pf_step_into_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match); + &r, &a, &match); } if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match)) + &r, &a, &match)) break; } r = *rm; diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 5817b570942..0602a298466 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.225 2009/11/11 10:31:44 jsg Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.226 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -104,12 +104,12 @@ int pf_commit_altq(u_int32_t); int pf_enable_altq(struct pf_altq *); int pf_disable_altq(struct pf_altq *); #endif /* ALTQ */ -int pf_begin_rules(u_int32_t *, int, const char *); -int pf_rollback_rules(u_int32_t, int, char *); +int pf_begin_rules(u_int32_t *, const char *); +int pf_rollback_rules(u_int32_t, char *); int pf_setup_pfsync_matching(struct pf_ruleset *); void pf_hash_rule(MD5_CTX *, struct pf_rule *); void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *); -int pf_commit_rules(u_int32_t, int, char *); +int pf_commit_rules(u_int32_t, char *); int pf_addr_setup(struct pf_ruleset *, struct pf_addr_wrap *, sa_family_t); void pf_addr_copyout(struct pf_addr_wrap *); 
@@ -264,32 +264,26 @@ pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action, { struct pf_ruleset *ruleset; struct pf_rule *rule; - int rs_num; ruleset = pf_find_ruleset(anchor); if (ruleset == NULL) return (NULL); - rs_num = pf_get_ruleset_number(rule_action); - if (rs_num >= PF_RULESET_MAX) - return (NULL); if (active) { - if (check_ticket && ticket != - ruleset->rules[rs_num].active.ticket) + if (check_ticket && ticket != ruleset->rules.active.ticket) return (NULL); if (r_last) - rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, + rule = TAILQ_LAST(ruleset->rules.active.ptr, pf_rulequeue); else - rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); + rule = TAILQ_FIRST(ruleset->rules.active.ptr); } else { - if (check_ticket && ticket != - ruleset->rules[rs_num].inactive.ticket) + if (check_ticket && ticket != ruleset->rules.inactive.ticket) return (NULL); if (r_last) - rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, + rule = TAILQ_LAST(ruleset->rules.inactive.ptr, pf_rulequeue); else - rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr); + rule = TAILQ_FIRST(ruleset->rules.inactive.ptr); } if (!r_last) { while ((rule != NULL) && (rule->nr != rule_number)) 
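Review bot: `rule_action` becomes a dead parameter of pf_get_pool in this hunk: its only consumer, the `rs_num = pf_get_ruleset_number(rule_action)` derivation, is removed and nothing else in the function reads it. Either drop it from the signature and the callers, or mark it so the next reader does not assume it still selects a queue, e.g. `/* rule_action: unused since the single-ruleset change */` next to the prototype. pf_get_pool's signature is only visible in the hunk header and its body continues past the hunk.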
@@ -689,42 +683,37 @@ pf_disable_altq(struct pf_altq *altq) #endif /* ALTQ */ int -pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor) +pf_begin_rules(u_int32_t *ticket, const char *anchor) { struct pf_ruleset *rs; struct pf_rule *rule; - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); - rs = pf_find_or_create_ruleset(anchor); - if (rs == NULL) + if ((rs = pf_find_or_create_ruleset(anchor)) == NULL) return (EINVAL); - while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { - pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); - rs->rules[rs_num].inactive.rcount--; + while ((rule = TAILQ_FIRST(rs->rules.inactive.ptr)) != NULL) { + pf_rm_rule(rs->rules.inactive.ptr, rule); + rs->rules.inactive.rcount--; } - *ticket = ++rs->rules[rs_num].inactive.ticket; - rs->rules[rs_num].inactive.open = 1; + *ticket = ++rs->rules.inactive.ticket; + rs->rules.inactive.open = 1; return (0); } int -pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor) +pf_rollback_rules(u_int32_t ticket, char *anchor) { struct pf_ruleset *rs; struct pf_rule *rule; - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); rs = pf_find_ruleset(anchor); - if (rs == NULL || !rs->rules[rs_num].inactive.open || - rs->rules[rs_num].inactive.ticket != ticket) + if (rs == NULL || !rs->rules.inactive.open || + rs->rules.inactive.ticket != ticket) return (0); - while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { - pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); - rs->rules[rs_num].inactive.rcount--; + while ((rule = TAILQ_FIRST(rs->rules.inactive.ptr)) != NULL) { + pf_rm_rule(rs->rules.inactive.ptr, rule); + rs->rules.inactive.rcount--; } - rs->rules[rs_num].inactive.open = 0; + rs->rules.inactive.open = 0; return (0); } 
@@ -812,7 +801,7 @@ pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule) } int -pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) +pf_commit_rules(u_int32_t ticket, char *anchor) { struct pf_ruleset *rs; struct pf_rule *rule, **old_array; @@ -820,11 +809,9 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) int s, error; u_int32_t old_rcount; - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); rs = pf_find_ruleset(anchor); - if (rs == NULL || !rs->rules[rs_num].inactive.open || - ticket != rs->rules[rs_num].inactive.ticket) + if (rs == NULL || !rs->rules.inactive.open || + ticket != rs->rules.inactive.ticket) return (EBUSY); /* Calculate checksum for the main ruleset */ 
@@ -836,33 +823,29 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) /* Swap rules, keep the old. */ s = splsoftnet(); - old_rules = rs->rules[rs_num].active.ptr; - old_rcount = rs->rules[rs_num].active.rcount; - old_array = rs->rules[rs_num].active.ptr_array; + old_rules = rs->rules.active.ptr; + old_rcount = rs->rules.active.rcount; + old_array = rs->rules.active.ptr_array; - rs->rules[rs_num].active.ptr = - rs->rules[rs_num].inactive.ptr; - rs->rules[rs_num].active.ptr_array = - rs->rules[rs_num].inactive.ptr_array; - rs->rules[rs_num].active.rcount = - rs->rules[rs_num].inactive.rcount; - rs->rules[rs_num].inactive.ptr = old_rules; - rs->rules[rs_num].inactive.ptr_array = old_array; - rs->rules[rs_num].inactive.rcount = old_rcount; + rs->rules.active.ptr = rs->rules.inactive.ptr; + rs->rules.active.ptr_array = rs->rules.inactive.ptr_array; + rs->rules.active.rcount = rs->rules.inactive.rcount; + rs->rules.inactive.ptr = old_rules; + rs->rules.inactive.ptr_array = old_array; + rs->rules.inactive.rcount = old_rcount; - rs->rules[rs_num].active.ticket = - rs->rules[rs_num].inactive.ticket; - pf_calc_skip_steps(rs->rules[rs_num].active.ptr); + rs->rules.active.ticket = rs->rules.inactive.ticket; + pf_calc_skip_steps(rs->rules.active.ptr); /* Purge the old rule list. */ while ((rule = TAILQ_FIRST(old_rules)) != NULL) pf_rm_rule(old_rules, rule); - if (rs->rules[rs_num].inactive.ptr_array) - free(rs->rules[rs_num].inactive.ptr_array, M_TEMP); - rs->rules[rs_num].inactive.ptr_array = NULL; - rs->rules[rs_num].inactive.rcount = 0; - rs->rules[rs_num].inactive.open = 0; + if (rs->rules.inactive.ptr_array) + free(rs->rules.inactive.ptr_array, M_TEMP); + rs->rules.inactive.ptr_array = NULL; + rs->rules.inactive.rcount = 0; + rs->rules.inactive.open = 0; pf_remove_if_empty_ruleset(rs); splx(s); return (0); 
@@ -873,30 +856,24 @@ pf_setup_pfsync_matching(struct pf_ruleset *rs) { MD5_CTX ctx; struct pf_rule *rule; - int rs_cnt; u_int8_t digest[PF_MD5_DIGEST_LENGTH]; MD5Init(&ctx); - for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) { - if (rs->rules[rs_cnt].inactive.ptr_array) - free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP); - rs->rules[rs_cnt].inactive.ptr_array = NULL; + if (rs->rules.inactive.ptr_array) + free(rs->rules.inactive.ptr_array, M_TEMP); + rs->rules.inactive.ptr_array = NULL; - if (rs->rules[rs_cnt].inactive.rcount) { - rs->rules[rs_cnt].inactive.ptr_array = - malloc(sizeof(caddr_t) * - rs->rules[rs_cnt].inactive.rcount, - M_TEMP, M_NOWAIT); + if (rs->rules.inactive.rcount) { + rs->rules.inactive.ptr_array = malloc(sizeof(caddr_t) * + rs->rules.inactive.rcount, M_TEMP, M_NOWAIT); - if (!rs->rules[rs_cnt].inactive.ptr_array) - return (ENOMEM); - } + if (!rs->rules.inactive.ptr_array) + return (ENOMEM); + } - TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr, - entries) { - pf_hash_rule(&ctx, rule); - (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule; - } + TAILQ_FOREACH(rule, rs->rules.inactive.ptr, entries) { + pf_hash_rule(&ctx, rule); + (rs->rules.inactive.ptr_array)[rule->nr] = rule; } MD5Final(digest, &ctx); @@ -1069,7 +1046,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pf_ruleset *ruleset; struct pf_rule *rule, *tail; struct pf_pooladdr *pa; - int rs_num; pr->anchor[sizeof(pr->anchor) - 1] = 0; ruleset = pf_find_ruleset(pr->anchor); @@ -1077,16 +1053,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { error = EINVAL; break; } - if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) { + if (pr->ticket != ruleset->rules.inactive.ticket) { error = EBUSY; break; } 
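Review bot: In the DIOCADDRULE hunk the removed `pf_get_ruleset_number(pr->rule.action)` call was also the only range check on the user-supplied `pr->rule.action`; the ticket and `return_icmp` checks that remain do not bound it, so an arbitrary action value now travels into the rule inserted on the inactive queue. Whether later code switches or indexes on `rule->action` in a way that matters is not visible here, but an explicit `error = EINVAL; break;` for values outside the PF_* action enum would restore the old guarantee cheaply. The same derivation is dropped from the DIOCGETRULE and DIOCCHANGERULE arms, where `pcr->rule.action` is equally user-supplied. The pfioctl switch arm continues past the hunk.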
@@ -1128,8 +1099,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EAFNOSUPPORT; goto fail; } - - tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, + tail = TAILQ_LAST(ruleset->rules.inactive.ptr, pf_rulequeue); if (tail) rule->nr = tail->nr + 1; @@ -1221,9 +1191,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) rule->route.cur = TAILQ_FIRST(&rule->route.list); rule->evaluations = rule->packets[0] = rule->packets[1] = rule->bytes[0] = rule->bytes[1] = 0; - TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, + TAILQ_INSERT_TAIL(ruleset->rules.inactive.ptr, rule, entries); - ruleset->rules[rs_num].inactive.rcount++; + ruleset->rules.inactive.rcount++; break; } @@ -1231,7 +1201,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pfioc_rule *pr = (struct pfioc_rule *)addr; struct pf_ruleset *ruleset; struct pf_rule *tail; - int rs_num; pr->anchor[sizeof(pr->anchor) - 1] = 0; ruleset = pf_find_ruleset(pr->anchor); @@ -1239,18 +1208,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, - pf_rulequeue); + tail = TAILQ_LAST(ruleset->rules.active.ptr, pf_rulequeue); if (tail) pr->nr = tail->nr + 1; else pr->nr = 0; - pr->ticket = ruleset->rules[rs_num].active.ticket; + pr->ticket = ruleset->rules.active.ticket; break; } @@ -1258,7 +1221,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pfioc_rule *pr = (struct pfioc_rule *)addr; struct pf_ruleset *ruleset; struct pf_rule *rule; - int rs_num, i; + int i; pr->anchor[sizeof(pr->anchor) - 1] = 0; ruleset = pf_find_ruleset(pr->anchor); 
@@ -1266,16 +1229,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - if (pr->ticket != ruleset->rules[rs_num].active.ticket) { + if (pr->ticket != ruleset->rules.active.ticket) { error = EBUSY; break; } - rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); + rule = TAILQ_FIRST(ruleset->rules.active.ptr); while ((rule != NULL) && (rule->nr != pr->nr)) rule = TAILQ_NEXT(rule, entries); if (rule == NULL) { @@ -1310,7 +1268,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pf_ruleset *ruleset; struct pf_rule *oldrule = NULL, *newrule = NULL; u_int32_t nr = 0; - int rs_num; if (!(pcr->action == PF_CHANGE_REMOVE || pcr->action == PF_CHANGE_GET_TICKET) && @@ -1329,18 +1286,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pcr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } if (pcr->action == PF_CHANGE_GET_TICKET) { - pcr->ticket = ++ruleset->rules[rs_num].active.ticket; + pcr->ticket = ++ruleset->rules.active.ticket; break; } else { if (pcr->ticket != - ruleset->rules[rs_num].active.ticket) { + ruleset->rules.active.ticket) { error = EINVAL; break; } 
@@ -1481,14 +1433,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) pf_empty_pool(&pf_pabuf[2]); if (pcr->action == PF_CHANGE_ADD_HEAD) - oldrule = TAILQ_FIRST( - ruleset->rules[rs_num].active.ptr); + oldrule = TAILQ_FIRST(ruleset->rules.active.ptr); else if (pcr->action == PF_CHANGE_ADD_TAIL) - oldrule = TAILQ_LAST( - ruleset->rules[rs_num].active.ptr, pf_rulequeue); + oldrule = TAILQ_LAST(ruleset->rules.active.ptr, + pf_rulequeue); else { - oldrule = TAILQ_FIRST( - ruleset->rules[rs_num].active.ptr); + oldrule = TAILQ_FIRST(ruleset->rules.active.ptr); while ((oldrule != NULL) && (oldrule->nr != pcr->nr)) oldrule = TAILQ_NEXT(oldrule, entries); if (oldrule == NULL) { @@ -1500,31 +1450,30 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } if (pcr->action == PF_CHANGE_REMOVE) { - pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule); - ruleset->rules[rs_num].active.rcount--; + pf_rm_rule(ruleset->rules.active.ptr, oldrule); + ruleset->rules.active.rcount--; } else { if (oldrule == NULL) TAILQ_INSERT_TAIL( - ruleset->rules[rs_num].active.ptr, + ruleset->rules.active.ptr, newrule, entries); else if (pcr->action == PF_CHANGE_ADD_HEAD || pcr->action == PF_CHANGE_ADD_BEFORE) TAILQ_INSERT_BEFORE(oldrule, newrule, entries); else TAILQ_INSERT_AFTER( - ruleset->rules[rs_num].active.ptr, + ruleset->rules.active.ptr, oldrule, newrule, entries); - ruleset->rules[rs_num].active.rcount++; + ruleset->rules.active.rcount++; } nr = 0; - TAILQ_FOREACH(oldrule, - ruleset->rules[rs_num].active.ptr, entries) + TAILQ_FOREACH(oldrule, ruleset->rules.active.ptr, entries) oldrule->nr = nr++; - ruleset->rules[rs_num].active.ticket++; + ruleset->rules.active.ticket++; - pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr); + pf_calc_skip_steps(ruleset->rules.active.ptr); pf_remove_if_empty_ruleset(ruleset); break; 
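Review bot: `ruleset->rules.active.rcount++` and `rcount--` here change the count of the active queue without touching `active.ptr_array`, which pf_commit_rules swaps in from the inactive side and pfsync_state_import indexes as `ptr_array[ntohl(sp->rule)]` under the bound `ntohl(sp->rule) < active.rcount` (see the if_pfsync.c hunk). If DIOCCHANGERULE does not rebuild the array somewhere outside this hunk, an ADD followed by a pfsync update carrying a rule index at the new count reads past the array; this looks pre-existing rather than introduced by the commit, but the hunk is where the count diverges. At minimum add `/* XXX active.ptr_array is not resized here; pfsync indexes it by rcount */` at the increment, and preferably rebuild the array the way pf_setup_pfsync_matching does for the inactive side. The DIOCCHANGERULE arm starts before this hunk.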
@@ -1834,7 +1783,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pf_rule *rule; TAILQ_FOREACH(rule, - ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) { + ruleset->rules.active.ptr, entries) { rule->evaluations = 0; rule->packets[0] = rule->packets[1] = 0; rule->bytes[0] = rule->bytes[1] = 0; @@ -2534,9 +2483,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } - switch (ioe->rs_num) { + switch (ioe->type) { #ifdef ALTQ - case PF_RULESET_ALTQ: + case PF_TRANS_ALTQ: if (ioe->anchor[0]) { free(table, M_TEMP); free(ioe, M_TEMP); @@ -2550,7 +2499,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } break; #endif /* ALTQ */ - case PF_RULESET_TABLE: + case PF_TRANS_TABLE: bzero(table, sizeof(*table)); strlcpy(table->pfrt_anchor, ioe->anchor, sizeof(table->pfrt_anchor)); @@ -2563,7 +2512,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; default: if ((error = pf_begin_rules(&ioe->ticket, - ioe->rs_num, ioe->anchor))) { + ioe->anchor))) { free(table, M_TEMP); free(ioe, M_TEMP); goto fail; @@ -2601,9 +2550,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } - switch (ioe->rs_num) { + switch (ioe->type) { #ifdef ALTQ - case PF_RULESET_ALTQ: + case PF_TRANS_ALTQ: if (ioe->anchor[0]) { free(table, M_TEMP); free(ioe, M_TEMP); @@ -2617,7 +2566,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } break; #endif /* ALTQ */ - case PF_RULESET_TABLE: + case PF_TRANS_TABLE: bzero(table, sizeof(*table)); strlcpy(table->pfrt_anchor, ioe->anchor, sizeof(table->pfrt_anchor)); @@ -2630,7 +2579,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; default: if ((error = pf_rollback_rules(ioe->ticket, - ioe->rs_num, ioe->anchor))) { + ioe->anchor))) { free(table, M_TEMP); free(ioe, M_TEMP); goto fail; /* really bad */ 
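Review bot: The `default:` arm of `switch (ioe->type)` in the DIOCXBEGIN hunk now hands every value that is not PF_TRANS_ALTQ or PF_TRANS_TABLE to pf_begin_rules, and pf_begin_rules no longer carries the `rs_num < 0 || rs_num >= PF_RULESET_MAX` rejection this commit removes, so an unrecognised `type` copied in from userland is silently treated as a ruleset transaction instead of failing with EINVAL as it did before. The DIOCXROLLBACK arm in this hunk and the DIOCXCOMMIT arms in the following hunks have the same shape. Make the ruleset case explicit, `case PF_TRANS_RULESET:` followed by the existing pf_begin_rules call, and give `default:` the same free/`error = EINVAL`/`goto fail` sequence the other error paths in the arm already use. This also makes PF_TRANS_ALTQ an explicit EINVAL on a kernel built without ALTQ rather than a ruleset transaction on the main anchor. pfioctl continues outside the hunk.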
@@ -2664,9 +2613,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 error = EFAULT;
 goto fail;
 }
- switch (ioe->rs_num) {
+ switch (ioe->type) {
 #ifdef ALTQ
- case PF_RULESET_ALTQ:
+ case PF_TRANS_ALTQ:
 if (ioe->anchor[0]) {
 free(table, M_TEMP);
 free(ioe, M_TEMP);
@@ -2682,7 +2631,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 }
 break;
 #endif /* ALTQ */
- case PF_RULESET_TABLE:
+ case PF_TRANS_TABLE:
 rs = pf_find_ruleset(ioe->anchor);
 if (rs == NULL || !rs->topen || ioe->ticket !=
 rs->tticket) {
@@ -2693,17 +2642,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 }
 break;
 default:
- if (ioe->rs_num < 0 || ioe->rs_num >=
- PF_RULESET_MAX) {
- free(table, M_TEMP);
- free(ioe, M_TEMP);
- error = EINVAL;
- goto fail;
- }
 rs = pf_find_ruleset(ioe->anchor);
 if (rs == NULL ||
- !rs->rules[ioe->rs_num].inactive.open ||
- rs->rules[ioe->rs_num].inactive.ticket !=
+ !rs->rules.inactive.open ||
+ rs->rules.inactive.ticket !=
 ioe->ticket) {
 free(table, M_TEMP);
 free(ioe, M_TEMP);
@@ -2734,9 +2676,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 error = EFAULT;
 goto fail;
 }
- switch (ioe->rs_num) {
+ switch (ioe->type) {
 #ifdef ALTQ
- case PF_RULESET_ALTQ:
+ case PF_TRANS_ALTQ:
 if ((error = pf_commit_altq(ioe->ticket))) {
 free(table, M_TEMP);
 free(ioe, M_TEMP);
@@ -2744,7 +2686,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 }
 break;
 #endif /* ALTQ */
- case PF_RULESET_TABLE:
+ case PF_TRANS_TABLE:
 bzero(table, sizeof(*table));
 strlcpy(table->pfrt_anchor, ioe->anchor,
 sizeof(table->pfrt_anchor));
@@ -2757,7 +2699,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 break;
 default:
 if ((error = pf_commit_rules(ioe->ticket,
- ioe->rs_num, ioe->anchor))) {
+ ioe->anchor))) {
 free(table, M_TEMP);
 free(ioe, M_TEMP);
 goto fail; /* really bad */
diff --git a/sys/net/pf_ruleset.c b/sys/net/pf_ruleset.c
index 2cc57e52394..313462fc7e6 100644
--- a/sys/net/pf_ruleset.c
+++ b/sys/net/pf_ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ruleset.c,v 1.4 2009/04/06 12:05:55 henning Exp $ */
+/* $OpenBSD: pf_ruleset.c,v 1.5 2009/11/22 22:34:50 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -98,45 +98,14 @@ pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b)
 return (c ? (c < 0 ? -1 : 1) : 0);
 }
-int
-pf_get_ruleset_number(u_int8_t action)
-{
- switch (action) {
- case PF_PASS:
- case PF_MATCH:
- case PF_DROP:
- return (PF_RULESET_FILTER);
- break;
- case PF_NAT:
- case PF_NONAT:
- return (PF_RULESET_NAT);
- break;
- case PF_BINAT:
- case PF_NOBINAT:
- return (PF_RULESET_BINAT);
- break;
- case PF_RDR:
- case PF_NORDR:
- return (PF_RULESET_RDR);
- break;
- default:
- return (PF_RULESET_MAX);
- break;
- }
-}
-
 void
 pf_init_ruleset(struct pf_ruleset *ruleset)
 {
- int i;
-
 memset(ruleset, 0, sizeof(struct pf_ruleset));
- for (i = 0; i < PF_RULESET_MAX; i++) {
- TAILQ_INIT(&ruleset->rules[i].queues[0]);
- TAILQ_INIT(&ruleset->rules[i].queues[1]);
- ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0];
- ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1];
- }
+ TAILQ_INIT(&ruleset->rules.queues[0]);
+ TAILQ_INIT(&ruleset->rules.queues[1]);
+ ruleset->rules.active.ptr = &ruleset->rules.queues[0];
+ ruleset->rules.inactive.ptr = &ruleset->rules.queues[1];
 }
 struct pf_anchor *
@@ -265,7 +234,6 @@ void
 pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
 {
 struct pf_anchor *parent;
- int i;
 while (ruleset != NULL) {
 if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL ||
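Review bot: Deleting pf_get_ruleset_number() in the @@ -98 hunk also removes the only mapping that turned an unrecognised rule `action` into PF_RULESET_MAX, which its callers relied on as a range check for actions copied in from userland; the DIOCADDRULE/DIOCCHANGERULE paths in pf_ioctl.c that used it are outside this chunk, so please confirm an equivalent validation of `rule.action` survives there. The function was also exported to pfctl (it sits under the "can be linked into userland programs" comment in the pfvar.h hunk), so the parser side presumably needs the same check if it relied on the PF_RULESET_MAX return. A short comment in pf_init_ruleset() or the commit message naming where action validation now lives would save the next reader the search.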
@@ -273,11 +241,10 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
 ruleset->anchor->refcnt > 0 || ruleset->tables > 0 ||
 ruleset->topen)
 return;
- for (i = 0; i < PF_RULESET_MAX; ++i)
- if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) ||
- !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
- ruleset->rules[i].inactive.open)
- return;
+ if (!TAILQ_EMPTY(ruleset->rules.active.ptr) ||
+ !TAILQ_EMPTY(ruleset->rules.inactive.ptr) ||
+ ruleset->rules.inactive.open)
+ return;
 RB_REMOVE(pf_anchor_global, &pf_anchors, ruleset->anchor);
 if ((parent = ruleset->anchor->parent) != NULL)
 RB_REMOVE(pf_anchor_node, &parent->children,
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 06fc9b39af3..398eb806c94 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.298 2009/11/03 17:41:02 claudio Exp $ */
+/* $OpenBSD: pfvar.h,v 1.299 2009/11/22 22:34:50 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -61,8 +61,7 @@ enum { PF_INOUT, PF_IN, PF_OUT };
 enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER, PF_MATCH, PF_DIVERT, PF_RT };
-enum { PF_RULESET_FILTER, PF_RULESET_NAT, PF_RULESET_BINAT,
- PF_RULESET_RDR, PF_RULESET_MAX };
+enum { PF_TRANS_RULESET, PF_TRANS_ALTQ, PF_TRANS_TABLE };
 enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
@@ -935,7 +934,7 @@ struct pf_ruleset {
 u_int32_t ticket;
 int open;
 } active, inactive;
- } rules[PF_RULESET_MAX];
+ } rules;
 struct pf_anchor *anchor;
 u_int32_t tticket;
 int tables;
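Review bot: The new `enum { PF_TRANS_RULESET, PF_TRANS_ALTQ, PF_TRANS_TABLE };` in the @@ -61 hunk is carried across the ioctl boundary in pfioc_trans_e, and its values (1 and 2 for ALTQ and TABLE) differ from the PF_RULESET_ALTQ/PF_RULESET_TABLE defines it replaces (PF_RULESET_MAX and PF_RULESET_MAX+1, i.e. 4 and 5), so a pfctl built against the old header would have its table and altq transactions land in the kernel's `default:` arm and be handled as ruleset transactions rather than rejected; the @@ -935 hunk likewise changes the layout of struct pf_ruleset, which pfctl links pf_ruleset.c against. Both are expected for a lockstep kernel/pfctl change, but nothing at the definition says so. A comment on the enum such as `/* pfioc_trans_e.type: shared with pfctl, keep kernel and userland in sync */` would record that constraint where the values are defined.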
@@ -1503,13 +1502,11 @@ struct pfioc_ruleset {
 char name[PF_ANCHOR_NAME_SIZE];
 };
-#define PF_RULESET_ALTQ (PF_RULESET_MAX)
-#define PF_RULESET_TABLE (PF_RULESET_MAX+1)
 struct pfioc_trans {
 int size; /* number of elements */
 int esize; /* size of each element in bytes */
 struct pfioc_trans_e {
- int rs_num;
+ int type;
 char anchor[MAXPATHLEN];
 u_int32_t ticket;
 } *array;
@@ -1743,6 +1740,7 @@ int pf_socket_lookup(int, struct pf_pdesc *);
 struct pf_state_key *pf_alloc_state_key(int);
 void pf_pkt_addr_changed(struct mbuf *);
 int pf_state_key_attach(struct pf_state_key *, struct pf_state *, int);
+
 void pfr_initialize(void);
 int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
 void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t,
@@ -1831,7 +1829,6 @@ extern struct pf_anchor pf_main_anchor;
 #define pf_main_ruleset pf_main_anchor.ruleset
 /* these ruleset functions can be linked into userland programs (pfctl) */
-int pf_get_ruleset_number(u_int8_t);
 void pf_init_ruleset(struct pf_ruleset *);
 int pf_anchor_setup(struct pf_rule *, const struct pf_ruleset *,
 const char *);
@@ -1871,10 +1868,10 @@ struct pf_os_fingerprint *
 #ifdef _KERNEL
 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
-void pf_step_into_anchor(int *, struct pf_ruleset **, int,
+void pf_step_into_anchor(int *, struct pf_ruleset **,
 struct pf_rule **, struct pf_rule **, int *);
 int pf_step_out_of_anchor(int *, struct pf_ruleset **,
- int, struct pf_rule **, struct pf_rule **,
+ struct pf_rule **, struct pf_rule **,
 int *);
 int pf_get_transaddr(struct pf_rule *, struct pf_pdesc *,
|
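Review bot: The renamed field `int type;` in struct pfioc_trans_e (@@ -1503 hunk) has no comment, while its siblings `size` and `esize` in the same struct each document their meaning; a reader of the header cannot tell which values are valid without finding the switch in pf_ioctl.c. Suggest `int type; /* PF_TRANS_RULESET, PF_TRANS_ALTQ or PF_TRANS_TABLE */`, matching the style of the two comments above it.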