Split ruleset manipulation functions out into pf_ruleset.c to allow them to

be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.

2 minor changes aside from cut-n-paste and #define portability magic:

- instead of defining the global pf_main_ruleset, define pf_main_anchor
  (which contains the pf_main_ruleset)

- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
  passed an empty anchor name.

ok henning dhartmei

1 files changed, 1 insertions, 315 deletions

diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index f3b929dcc76..6fa1b199cb8 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_ioctl.c,v 1.170 2006/10/25 11:26:47 henning Exp $ */
+/*	$OpenBSD: pf_ioctl.c,v 1.171 2006/10/27 13:56:51 mcbride Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -91,13 +91,6 @@ int			 pfopen(dev_t, int, int, struct proc *);
 int			 pfclose(dev_t, int, int, struct proc *);
 struct pf_pool		*pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
 			    u_int8_t, u_int8_t, u_int8_t);
-int			 pf_get_ruleset_number(u_int8_t);
-void			 pf_init_ruleset(struct pf_ruleset *);
-int			 pf_anchor_setup(struct pf_rule *,
-			    const struct pf_ruleset *, const char *);
-int			 pf_anchor_copyout(const struct pf_ruleset *,
-			    const struct pf_rule *, struct pfioc_rule *);
-void			 pf_anchor_remove(struct pf_rule *);
 
 void			 pf_mv_pool(struct pf_palist *, struct pf_palist *);
 void			 pf_empty_pool(struct pf_palist *);
@@ -276,313 +269,6 @@ pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
 	return (&rule->rpool);
 }
 
-int
-pf_get_ruleset_number(u_int8_t action)
-{
-	switch (action) {
-	case PF_SCRUB:
-	case PF_NOSCRUB:
-		return (PF_RULESET_SCRUB);
-		break;
-	case PF_PASS:
-	case PF_DROP:
-		return (PF_RULESET_FILTER);
-		break;
-	case PF_NAT:
-	case PF_NONAT:
-		return (PF_RULESET_NAT);
-		break;
-	case PF_BINAT:
-	case PF_NOBINAT:
-		return (PF_RULESET_BINAT);
-		break;
-	case PF_RDR:
-	case PF_NORDR:
-		return (PF_RULESET_RDR);
-		break;
-	default:
-		return (PF_RULESET_MAX);
-		break;
-	}
-}
-
-void
-pf_init_ruleset(struct pf_ruleset *ruleset)
-{
-	int	i;
-
-	memset(ruleset, 0, sizeof(struct pf_ruleset));
-	for (i = 0; i < PF_RULESET_MAX; i++) {
-		TAILQ_INIT(&ruleset->rules[i].queues[0]);
-		TAILQ_INIT(&ruleset->rules[i].queues[1]);
-		ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0];
-		ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1];
-	}
-}
-
-struct pf_anchor *
-pf_find_anchor(const char *path)
-{
-	struct pf_anchor	*key, *found;
-
-	key = (struct pf_anchor *)malloc(sizeof(*key), M_TEMP, M_WAITOK);
-	memset(key, 0, sizeof(*key));
-	strlcpy(key->path, path, sizeof(key->path));
-	found = RB_FIND(pf_anchor_global, &pf_anchors, key);
-	free(key, M_TEMP);
-	return (found);
-}
-
-struct pf_ruleset *
-pf_find_ruleset(const char *path)
-{
-	struct pf_anchor	*anchor;
-
-	while (*path == '/')
-		path++;
-	if (!*path)
-		return (&pf_main_ruleset);
-	anchor = pf_find_anchor(path);
-	if (anchor == NULL)
-		return (NULL);
-	else
-		return (&anchor->ruleset);
-}
-
-struct pf_ruleset *
-pf_find_or_create_ruleset(const char *path)
-{
-	char			*p, *q, *r;
-	struct pf_ruleset	*ruleset;
-	struct pf_anchor	*anchor, *dup, *parent = NULL;
-
-	while (*path == '/')
-		path++;
-	ruleset = pf_find_ruleset(path);
-	if (ruleset != NULL)
-		return (ruleset);
-	p = (char *)malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
-	bzero(p, MAXPATHLEN);
-	strlcpy(p, path, MAXPATHLEN);
-	while (parent == NULL && (q = strrchr(p, '/')) != NULL) {
-		*q = 0;
-		if ((ruleset = pf_find_ruleset(p)) != NULL) {
-			parent = ruleset->anchor;
-			break;
-		}
-	}
-	if (q == NULL)
-		q = p;
-	else
-		q++;
-	strlcpy(p, path, MAXPATHLEN);
-	if (!*q) {
-		free(p, M_TEMP);
-		return (NULL);
-	}
-	while ((r = strchr(q, '/')) != NULL || *q) {
-		if (r != NULL)
-			*r = 0;
-		if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE ||
-		    (parent != NULL && strlen(parent->path) >=
-		    MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1)) {
-			free(p, M_TEMP);
-			return (NULL);
-		}
-		anchor = (struct pf_anchor *)malloc(sizeof(*anchor), M_TEMP,
-		    M_NOWAIT);
-		if (anchor == NULL) {
-			free(p, M_TEMP);
-			return (NULL);
-		}
-		memset(anchor, 0, sizeof(*anchor));
-		RB_INIT(&anchor->children);
-		strlcpy(anchor->name, q, sizeof(anchor->name));
-		if (parent != NULL) {
-			strlcpy(anchor->path, parent->path,
-			    sizeof(anchor->path));
-			strlcat(anchor->path, "/", sizeof(anchor->path));
-		}
-		strlcat(anchor->path, anchor->name, sizeof(anchor->path));
-		if ((dup = RB_INSERT(pf_anchor_global, &pf_anchors, anchor)) !=
-		    NULL) {
-			printf("pf_find_or_create_ruleset: RB_INSERT1 "
-			    "'%s' '%s' collides with '%s' '%s'\n",
-			    anchor->path, anchor->name, dup->path, dup->name);
-			free(anchor, M_TEMP);
-			free(p, M_TEMP);
-			return (NULL);
-		}
-		if (parent != NULL) {
-			anchor->parent = parent;
-			if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
-			    anchor)) != NULL) {
-				printf("pf_find_or_create_ruleset: "
-				    "RB_INSERT2 '%s' '%s' collides with "
-				    "'%s' '%s'\n", anchor->path, anchor->name,
-				    dup->path, dup->name);
-				RB_REMOVE(pf_anchor_global, &pf_anchors,
-				    anchor);
-				free(anchor, M_TEMP);
-				free(p, M_TEMP);
-				return (NULL);
-			}
-		}
-		pf_init_ruleset(&anchor->ruleset);
-		anchor->ruleset.anchor = anchor;
-		parent = anchor;
-		if (r != NULL)
-			q = r + 1;
-		else
-			*q = 0;
-	}
-	free(p, M_TEMP);
-	return (&anchor->ruleset);
-}
-
-void
-pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
-{
-	struct pf_anchor	*parent;
-	int			 i;
-
-	while (ruleset != NULL) {
-		if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL ||
-		    !RB_EMPTY(&ruleset->anchor->children) ||
-		    ruleset->anchor->refcnt > 0 || ruleset->tables > 0 ||
-		    ruleset->topen)
-			return;
-		for (i = 0; i < PF_RULESET_MAX; ++i)
-			if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) ||
-			    !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
-			    ruleset->rules[i].inactive.open)
-				return;
-		RB_REMOVE(pf_anchor_global, &pf_anchors, ruleset->anchor);
-		if ((parent = ruleset->anchor->parent) != NULL)
-			RB_REMOVE(pf_anchor_node, &parent->children,
-			    ruleset->anchor);
-		free(ruleset->anchor, M_TEMP);
-		if (parent == NULL)
-			return;
-		ruleset = &parent->ruleset;
-	}
-}
-
-int
-pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
-    const char *name)
-{
-	char			*p, *path;
-	struct pf_ruleset	*ruleset;
-
-	r->anchor = NULL;
-	r->anchor_relative = 0;
-	r->anchor_wildcard = 0;
-	if (!name[0])
-		return (0);
-	path = (char *)malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
-	bzero(path, MAXPATHLEN);
-	if (name[0] == '/')
-		strlcpy(path, name + 1, MAXPATHLEN);
-	else {
-		/* relative path */
-		r->anchor_relative = 1;
-		if (s->anchor == NULL || !s->anchor->path[0])
-			path[0] = 0;
-		else
-			strlcpy(path, s->anchor->path, MAXPATHLEN);
-		while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
-			if (!path[0]) {
-				printf("pf_anchor_setup: .. beyond root\n");
-				free(path, M_TEMP);
-				return (1);
-			}
-			if ((p = strrchr(path, '/')) != NULL)
-				*p = 0;
-			else
-				path[0] = 0;
-			r->anchor_relative++;
-			name += 3;
-		}
-		if (path[0])
-			strlcat(path, "/", MAXPATHLEN);
-		strlcat(path, name, MAXPATHLEN);
-	}
-	if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) {
-		r->anchor_wildcard = 1;
-		*p = 0;
-	}
-	ruleset = pf_find_or_create_ruleset(path);
-	free(path, M_TEMP);
-	if (ruleset == NULL || ruleset->anchor == NULL) {
-		printf("pf_anchor_setup: ruleset\n");
-		return (1);
-	}
-	r->anchor = ruleset->anchor;
-	r->anchor->refcnt++;
-	return (0);
-}
-
-int
-pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r,
-    struct pfioc_rule *pr)
-{
-	pr->anchor_call[0] = 0;
-	if (r->anchor == NULL)
-		return (0);
-	if (!r->anchor_relative) {
-		strlcpy(pr->anchor_call, "/", sizeof(pr->anchor_call));
-		strlcat(pr->anchor_call, r->anchor->path,
-		    sizeof(pr->anchor_call));
-	} else {
-		char	*a, *p;
-		int	 i;
-
-		a = (char *)malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
-		bzero(a, MAXPATHLEN);
-		if (rs->anchor == NULL)
-			a[0] = 0;
-		else
-			strlcpy(a, rs->anchor->path, MAXPATHLEN);
-		for (i = 1; i < r->anchor_relative; ++i) {
-			if ((p = strrchr(a, '/')) == NULL)
-				p = a;
-			*p = 0;
-			strlcat(pr->anchor_call, "../",
-			    sizeof(pr->anchor_call));
-		}
-		if (strncmp(a, r->anchor->path, strlen(a))) {
-			printf("pf_anchor_copyout: '%s' '%s'\n", a,
-			    r->anchor->path);
-			free(a, M_TEMP);
-			return (1);
-		}
-		if (strlen(r->anchor->path) > strlen(a))
-			strlcat(pr->anchor_call, r->anchor->path + (a[0] ?
-			    strlen(a) + 1 : 0), sizeof(pr->anchor_call));
-		free(a, M_TEMP);
-	}
-	if (r->anchor_wildcard)
-		strlcat(pr->anchor_call, pr->anchor_call[0] ? "/*" : "*",
-		    sizeof(pr->anchor_call));
-	return (0);
-}
-
-void
-pf_anchor_remove(struct pf_rule *r)
-{
-	if (r->anchor == NULL)
-		return;
-	if (r->anchor->refcnt <= 0) {
-		printf("pf_anchor_remove: broken refcount\n");
-		r->anchor = NULL;
-		return;
-	}
-	if (!--r->anchor->refcnt)
-		pf_remove_if_empty_ruleset(&r->anchor->ruleset);
-	r->anchor = NULL;
-}
-
 void
 pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb)
 {