From ae2d82548e03e3028f9752c263ff4a49c932b794 Mon Sep 17 00:00:00 2001 From: Ryan Thomas McBride Date: Tue, 12 Jan 2010 03:20:52 +0000 Subject: First pass at removing the 'pf_pool' mechanism for translation and routing actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule. ok henning dlg claudio --- sys/net/pfvar.h | 109 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 57 insertions(+), 52 deletions(-) (limited to 'sys/net/pfvar.h') diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 596e44f9277..81f2b3c59f5 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.303 2009/12/24 04:24:19 dlg Exp $ */ +/* $OpenBSD: pfvar.h,v 1.304 2010/01/12 03:20:51 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -113,7 +113,7 @@ enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED, - PF_ADDR_RANGE }; + PF_ADDR_RANGE, PF_ADDR_NONE }; #define PF_POOL_TYPEMASK 0x0f #define PF_POOL_STICKYADDR 0x20 #define PF_WSCALE_FLAG 0x80 @@ -361,15 +361,6 @@ struct pf_rule_addr { u_int8_t port_op; }; -struct pf_pooladdr { - struct pf_addr_wrap addr; - TAILQ_ENTRY(pf_pooladdr) entries; - char ifname[IFNAMSIZ]; - struct pfi_kif *kif; -}; - -TAILQ_HEAD(pf_palist, pf_pooladdr); - struct pf_poolhashkey { union { u_int8_t key8[16]; @@ -382,10 +373,11 @@ struct pf_poolhashkey { }; struct pf_pool { - struct pf_palist list; - struct pf_pooladdr *cur; + struct pf_addr_wrap addr; struct pf_poolhashkey key; - struct pf_addr counter; + struct pf_addr counter; + char ifname[IFNAMSIZ]; + struct pfi_kif *kif; int tblidx; u_int16_t proxy_port[2]; u_int8_t port_op; @@ -993,10 +985,13 @@ struct pfr_addr { struct in_addr _pfra_ip4addr; struct in6_addr _pfra_ip6addr; } pfra_u; + char pfra_ifname[IFNAMSIZ]; u_int8_t pfra_af; u_int8_t pfra_net; u_int8_t pfra_not; u_int8_t pfra_fback; + u_int8_t pfra_type; + u_int8_t pad[7]; }; #define pfra_ip4addr pfra_u._pfra_ip4addr #define pfra_ip6addr pfra_u._pfra_ip6addr @@ -1033,26 +1028,53 @@ struct pfr_kcounters { }; SLIST_HEAD(pfr_kentryworkq, pfr_kentry); +struct _pfr_kentry { + struct radix_node _pfrke_node[2]; + union sockaddr_union _pfrke_sa; + SLIST_ENTRY(pfr_kentry) _pfrke_workq; + struct pfr_kcounters *_pfrke_counters; + long _pfrke_tzero; + u_int8_t _pfrke_af; + u_int8_t _pfrke_net; + u_int8_t _pfrke_flags; + u_int8_t _pfrke_type; +}; +#define PFRKE_FLAG_NOT 0x01 +#define PFRKE_FLAG_MARK 0x02 + +/* pfrke_type */ +enum { PFRKE_PLAIN, PFRKE_ROUTE, PFRKE_MAX }; + struct pfr_kentry { - struct radix_node pfrke_node[2]; - union sockaddr_union pfrke_sa; - SLIST_ENTRY(pfr_kentry) pfrke_workq; union { - - struct pfr_kcounters *pfrke_counters; -#if 0 - struct pfr_kroute *pfrke_route; -#endif + struct _pfr_kentry _ke; } u; - long pfrke_tzero; - u_int8_t pfrke_af; - u_int8_t pfrke_net; - u_int8_t pfrke_not; - u_int8_t pfrke_mark; }; -#define pfrke_counters u.pfrke_counters -#define pfrke_route u.pfrke_route +#define pfrke_node u._ke._pfrke_node +#define pfrke_sa u._ke._pfrke_sa +#define pfrke_workq u._ke._pfrke_workq +#define pfrke_counters u._ke._pfrke_counters +#define pfrke_tzero u._ke._pfrke_tzero +#define pfrke_af u._ke._pfrke_af +#define pfrke_net u._ke._pfrke_net +#define pfrke_flags u._ke._pfrke_flags +#define pfrke_type u._ke._pfrke_type + +struct pfr_kentry_route { + union { + struct _pfr_kentry _ke; + } u; + struct pfi_kif *kif; +}; + +struct pfr_kentry_all { + union { + struct _pfr_kentry _ke; + struct pfr_kentry_route kr; + } u; +}; +#define pfrke_rkif u.kr.kif SLIST_HEAD(pfr_ktableworkq, pfr_ktable); RB_HEAD(pfr_ktablehead, pfr_ktable); @@ -1111,13 +1133,15 @@ struct pfi_kif { struct ifg_group *pfik_group; int pfik_states; int pfik_rules; + int pfik_routes; TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; }; enum pfi_kif_refs { PFI_KIF_REF_NONE, PFI_KIF_REF_STATE, - PFI_KIF_REF_RULE + PFI_KIF_REF_RULE, + PFI_KIF_REF_ROUTE }; #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ @@ -1390,24 +1414,9 @@ struct pf_divert { * ioctl parameter structures */ -struct pfioc_pooladdr { - u_int32_t action; - u_int32_t ticket; - u_int32_t nr; - u_int32_t r_num; - u_int8_t r_action; - u_int8_t r_last; - u_int8_t af; - u_int8_t which; - u_int8_t pad[3]; - char anchor[MAXPATHLEN]; - struct pf_pooladdr addr; -}; - struct pfioc_rule { u_int32_t action; u_int32_t ticket; - u_int32_t pool_ticket; u_int32_t nr; char anchor[MAXPATHLEN]; char anchor_call[MAXPATHLEN]; @@ -1592,12 +1601,7 @@ struct pfioc_iface { #define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq) #define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq) #define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats) -#define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr) -#define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr) -#define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr) -#define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr) -#define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr) -/* XXX cut 55 - 57 */ +/* XXX cut 51 - 57 */ #define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset) #define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset) #define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table) @@ -1758,7 +1762,8 @@ int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, u_int64_t, int, int, int); int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, - struct pf_addr **, struct pf_addr **, sa_family_t); + struct pf_addr **, struct pf_addr **, struct pfi_kif **, + sa_family_t); void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *); struct pfr_ktable * pfr_attach_table(struct pf_ruleset *, char *, int); -- cgit v1.2.3