diff options
| -rw-r--r-- | sbin/pfctl/parse.y | 26 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl.c | 45 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_optimize.c | 20 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_parser.c | 10 | ||||
| -rw-r--r-- | sys/net/if_pfsync.c | 7 | ||||
| -rw-r--r-- | sys/net/pf.c | 22 | ||||
| -rw-r--r-- | sys/net/pf_ioctl.c | 250 | ||||
| -rw-r--r-- | sys/net/pf_ruleset.c | 51 | ||||
| -rw-r--r-- | sys/net/pfvar.h | 17 |
9 files changed, 166 insertions, 282 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index ee20d3bd532..e3606d331f4 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.574 2009/11/09 14:31:58 jsg Exp $ */ +/* $OpenBSD: parse.y,v 1.575 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -5425,23 +5425,17 @@ symget(const char *nam) void mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst) { - int i; struct pf_rule *r; - for (i = 0; i < PF_RULESET_MAX; ++i) { - while ((r = TAILQ_FIRST(src->rules[i].active.ptr)) - != NULL) { - TAILQ_REMOVE(src->rules[i].active.ptr, r, entries); - TAILQ_INSERT_TAIL(dst->rules[i].active.ptr, r, entries); - dst->anchor->match++; - } - src->anchor->match = 0; - while ((r = TAILQ_FIRST(src->rules[i].inactive.ptr)) - != NULL) { - TAILQ_REMOVE(src->rules[i].inactive.ptr, r, entries); - TAILQ_INSERT_TAIL(dst->rules[i].inactive.ptr, - r, entries); - } + while ((r = TAILQ_FIRST(src->rules.active.ptr)) != NULL) { + TAILQ_REMOVE(src->rules.active.ptr, r, entries); + TAILQ_INSERT_TAIL(dst->rules.active.ptr, r, entries); + dst->anchor->match++; + } + src->anchor->match = 0; + while ((r = TAILQ_FIRST(src->rules.inactive.ptr)) != NULL) { + TAILQ_REMOVE(src->rules.inactive.ptr, r, entries); + TAILQ_INSERT_TAIL(dst->rules.inactive.ptr, r, entries); } } diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index ea1b1592ff4..cab5c0b490b 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.289 2009/10/28 20:11:01 jsg Exp $ */ +/* $OpenBSD: pfctl.c,v 1.290 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -91,8 +91,7 @@ void pfctl_debug(int, u_int32_t, int); int pfctl_test_altqsupport(int, int); int pfctl_show_anchors(int, int, char *); int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *); -int pfctl_load_ruleset(struct pfctl *, char *, - struct pf_ruleset *, int, int); +int pfctl_load_ruleset(struct pfctl *, char *, struct pf_ruleset *, int); int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int); const char *pfctl_lookup_option(char *, const char **); void pfctl_state_store(int, const char *); @@ -312,7 +311,7 @@ pfctl_clear_rules(int dev, int opts, char *anchorname) memset(&t, 0, sizeof(t)); t.pfrb_type = PFRB_TRANS; - if (pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) || + if (pfctl_add_trans(&t, PF_TRANS_RULESET, anchorname) || pfctl_trans(dev, &t, DIOCXBEGIN, 0) || pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) err(1, "pfctl_clear_rules"); @@ -330,7 +329,7 @@ pfctl_clear_altq(int dev, int opts) return (-1); memset(&t, 0, sizeof(t)); t.pfrb_type = PFRB_TRANS; - if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") || + if (pfctl_add_trans(&t, PF_TRANS_ALTQ, "") || pfctl_trans(dev, &t, DIOCXBEGIN, 0) || pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) err(1, "pfctl_clear_altq"); @@ -1089,18 +1088,11 @@ pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af, int which) int pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) { - u_int8_t rs_num; struct pf_rule *rule; struct pf_ruleset *rs; char *p; - rs_num = pf_get_ruleset_number(r->action == PF_MATCH ? PF_PASS : - r->action); - if (rs_num == PF_RULESET_MAX) - errx(1, "Invalid rule type %d", r->action); - rs = &pf->anchor->ruleset; - if (anchor_call[0] && r->anchor == NULL) { /* * Don't make non-brace anchors part of the main anchor pool. @@ -1134,7 +1126,7 @@ pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) TAILQ_INIT(&rule->route.list); pfctl_move_pool(&r->route, &rule->route); - TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries); + TAILQ_INSERT_TAIL(rs->rules.active.ptr, rule, entries); return (0); } @@ -1145,15 +1137,15 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a) if (a == pf->astack[0] && ((altqsupport && (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) { - if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path)) + if (pfctl_add_trans(pf->trans, PF_TRANS_ALTQ, path)) return (2); } if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) { - if (pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path)) + if (pfctl_add_trans(pf->trans, PF_TRANS_RULESET, path)) return (3); } if (pf->loadopt & PFCTL_FLAG_TABLE) - if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path)) + if (pfctl_add_trans(pf->trans, PF_TRANS_TABLE, path)) return (4); if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize)) return (5); @@ -1163,7 +1155,7 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a) int pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, - int rs_num, int depth) + int depth) { struct pf_rule *r; int error, len = strlen(path); @@ -1177,7 +1169,7 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name); if (depth) { - if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) { + if (TAILQ_FIRST(rs->rules.active.ptr) != NULL) { brace++; if (pf->opts & PF_OPT_VERBOSE) printf(" {\n"); @@ -1193,16 +1185,16 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, } - if (pf->optimize && rs_num == PF_RULESET_FILTER) + if (pf->optimize) pfctl_optimize_ruleset(pf, rs); - while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) { - TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries); + while ((r = TAILQ_FIRST(rs->rules.active.ptr)) != NULL) { + TAILQ_REMOVE(rs->rules.active.ptr, r, entries); if ((error = pfctl_load_rule(pf, path, r, depth))) goto error; if (r->anchor) { if ((error = pfctl_load_ruleset(pf, path, - &r->anchor->ruleset, rs_num, depth + 1))) + &r->anchor->ruleset, depth + 1))) goto error; } else if (pf->opts & PF_OPT_VERBOSE) printf("\n"); @@ -1224,7 +1216,6 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, int pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) { - u_int8_t rs_num = pf_get_ruleset_number(r->action); char *name; struct pfioc_rule pr; int len = strlen(path); @@ -1232,7 +1223,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) bzero(&pr, sizeof(pr)); /* set up anchor before adding to path for anchor_call */ if ((pf->opts & PF_OPT_NOACTION) == 0) - pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path); + pr.ticket = pfctl_get_ticket(pf->trans, PF_TRANS_RULESET, path); if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor)) errx(1, "pfctl_load_rule: strlcpy"); @@ -1375,10 +1366,10 @@ pfctl_rules(int dev, char *filename, int opts, int optimize, ERRX("pfctl_rules"); if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ)) pa.ticket = - pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname); + pfctl_get_ticket(t, PF_TRANS_ALTQ, anchorname); if (pf.loadopt & PFCTL_FLAG_TABLE) pf.astack[0]->ruleset.tticket = - pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname); + pfctl_get_ticket(t, PF_TRANS_TABLE, anchorname); } if (parse_config(filename, &pf) < 0) { @@ -1390,7 +1381,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize, } if ((pf.loadopt & PFCTL_FLAG_FILTER && - pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) { + pfctl_load_ruleset(&pf, path, rs, 0))) { if ((opts & PF_OPT_NOACTION) == 0) ERRX("Unable to load rules into kernel"); else diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c index 666e69f8b30..b17b7986822 100644 --- a/sbin/pfctl/pfctl_optimize.c +++ b/sbin/pfctl/pfctl_optimize.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_optimize.c,v 1.20 2009/10/28 20:11:01 jsg Exp $ */ +/* $OpenBSD: pfctl_optimize.c,v 1.21 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org> @@ -273,19 +273,16 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs) skip_init(); TAILQ_INIT(&opt_queue); - old_rules = rs->rules[PF_RULESET_FILTER].active.ptr; - rs->rules[PF_RULESET_FILTER].active.ptr = - rs->rules[PF_RULESET_FILTER].inactive.ptr; - rs->rules[PF_RULESET_FILTER].inactive.ptr = old_rules; + old_rules = rs->rules.active.ptr; + rs->rules.active.ptr = rs->rules.inactive.ptr; + rs->rules.inactive.ptr = old_rules; /* * XXX expanding the pf_opt_rule format throughout pfctl might allow * us to avoid all this copying. */ - while ((r = TAILQ_FIRST(rs->rules[PF_RULESET_FILTER].inactive.ptr)) - != NULL) { - TAILQ_REMOVE(rs->rules[PF_RULESET_FILTER].inactive.ptr, r, - entries); + while ((r = TAILQ_FIRST(rs->rules.inactive.ptr)) != NULL) { + TAILQ_REMOVE(rs->rules.inactive.ptr, r, entries); if ((por = calloc(1, sizeof(*por))) == NULL) err(1, "calloc"); memcpy(&por->por_rule, r, sizeof(*r)); @@ -308,7 +305,6 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs) bzero(&por->por_rule.route, sizeof(por->por_rule.route)); - TAILQ_INSERT_TAIL(&opt_queue, por, por_entry); } @@ -342,9 +338,7 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs) pfctl_move_pool(&por->por_rule.rdr, &r->rdr); pfctl_move_pool(&por->por_rule.nat, &r->nat); pfctl_move_pool(&por->por_rule.route, &r->route); - TAILQ_INSERT_TAIL( - rs->rules[PF_RULESET_FILTER].active.ptr, - r, entries); + TAILQ_INSERT_TAIL(rs->rules.active.ptr, r, entries); free(por); } free(block); diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 72906cb2f31..b7715b3cf77 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.250 2009/10/28 20:11:01 jsg Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.251 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1712,12 +1712,12 @@ append_addr_host(struct pfr_buffer *b, struct node_host *n, int test, int not) } int -pfctl_add_trans(struct pfr_buffer *buf, int rs_num, const char *anchor) +pfctl_add_trans(struct pfr_buffer *buf, int type, const char *anchor) { struct pfioc_trans_e trans; bzero(&trans, sizeof(trans)); - trans.rs_num = rs_num; + trans.type = type; if (strlcpy(trans.anchor, anchor, sizeof(trans.anchor)) >= sizeof(trans.anchor)) errx(1, "pfctl_add_trans: strlcpy"); @@ -1726,12 +1726,12 @@ pfctl_add_trans(struct pfr_buffer *buf, int rs_num, const char *anchor) } u_int32_t -pfctl_get_ticket(struct pfr_buffer *buf, int rs_num, const char *anchor) +pfctl_get_ticket(struct pfr_buffer *buf, int type, const char *anchor) { struct pfioc_trans_e *p; PFRB_FOREACH(p, buf) - if (rs_num == p->rs_num && !strcmp(anchor, p->anchor)) + if (type == p->type && !strcmp(anchor, p->anchor)) return (p->ticket); errx(1, "pfctl_get_ticket: assertion failed"); } diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c index 0d39b3e6891..5d2e1ebd1f8 100644 --- a/sys/net/if_pfsync.c +++ b/sys/net/if_pfsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.c,v 1.131 2009/11/12 06:53:24 deraadt Exp $ */ +/* $OpenBSD: if_pfsync.c,v 1.132 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff @@ -492,9 +492,8 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) */ if (sp->rule != htonl(-1) && sp->anchor == htonl(-1) && (flags & (PFSYNC_SI_IOCTL | PFSYNC_SI_CKSUM)) && ntohl(sp->rule) < - pf_main_ruleset.rules[PF_RULESET_FILTER].active.rcount) - r = pf_main_ruleset.rules[ - PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)]; + pf_main_ruleset.rules.active.rcount) + r = pf_main_ruleset.rules.active.ptr_array[ntohl(sp->rule)]; else r = &pf_default_rule; diff --git a/sys/net/pf.c b/sys/net/pf.c index 4467652c878..552bf56e423 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.669 2009/11/21 20:54:27 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.670 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2251,7 +2251,7 @@ pf_tag_packet(struct mbuf *m, int tag, int rtableid) } void -pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n, +pf_step_into_anchor(int *depth, struct pf_ruleset **rs, struct pf_rule **r, struct pf_rule **a, int *match) { struct pf_anchor_stackframe *f; @@ -2282,11 +2282,11 @@ pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n, f->child = NULL; *rs = &(*r)->anchor->ruleset; } - *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); + *r = TAILQ_FIRST((*rs)->rules.active.ptr); } int -pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n, +pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, struct pf_rule **r, struct pf_rule **a, int *match) { struct pf_anchor_stackframe *f; @@ -2305,7 +2305,7 @@ pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n, f->child = RB_NEXT(pf_anchor_node, f->parent, f->child); if (f->child != NULL) { *rs = &f->child->ruleset; - *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); + *r = TAILQ_FIRST((*rs)->rules.active.ptr); if (*r == NULL) continue; else @@ -2763,7 +2763,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, pd->osport = sport; pd->odport = dport; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr); while (r != NULL) { r->evaluations++; if (pfi_kif_match(r->kif, kif) == r->ifnot) @@ -2853,10 +2853,10 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); } else pf_step_into_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match); + &r, &a, &match); } if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match)) + &r, &a, &match)) break; } r = *rm; @@ -3300,7 +3300,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, int asd = 0; int match = 0; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr); while (r != NULL) { r->evaluations++; if (pfi_kif_match(r->kif, kif) == r->ifnot) @@ -3347,10 +3347,10 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, r = TAILQ_NEXT(r, entries); } else pf_step_into_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match); + &r, &a, &match); } if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match)) + &r, &a, &match)) break; } r = *rm; diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 5817b570942..0602a298466 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.225 2009/11/11 10:31:44 jsg Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.226 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -104,12 +104,12 @@ int pf_commit_altq(u_int32_t); int pf_enable_altq(struct pf_altq *); int pf_disable_altq(struct pf_altq *); #endif /* ALTQ */ -int pf_begin_rules(u_int32_t *, int, const char *); -int pf_rollback_rules(u_int32_t, int, char *); +int pf_begin_rules(u_int32_t *, const char *); +int pf_rollback_rules(u_int32_t, char *); int pf_setup_pfsync_matching(struct pf_ruleset *); void pf_hash_rule(MD5_CTX *, struct pf_rule *); void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *); -int pf_commit_rules(u_int32_t, int, char *); +int pf_commit_rules(u_int32_t, char *); int pf_addr_setup(struct pf_ruleset *, struct pf_addr_wrap *, sa_family_t); void pf_addr_copyout(struct pf_addr_wrap *); @@ -264,32 +264,26 @@ pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action, { struct pf_ruleset *ruleset; struct pf_rule *rule; - int rs_num; ruleset = pf_find_ruleset(anchor); if (ruleset == NULL) return (NULL); - rs_num = pf_get_ruleset_number(rule_action); - if (rs_num >= PF_RULESET_MAX) - return (NULL); if (active) { - if (check_ticket && ticket != - ruleset->rules[rs_num].active.ticket) + if (check_ticket && ticket != ruleset->rules.active.ticket) return (NULL); if (r_last) - rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, + rule = TAILQ_LAST(ruleset->rules.active.ptr, pf_rulequeue); else - rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); + rule = TAILQ_FIRST(ruleset->rules.active.ptr); } else { - if (check_ticket && ticket != - ruleset->rules[rs_num].inactive.ticket) + if (check_ticket && ticket != ruleset->rules.inactive.ticket) return (NULL); if (r_last) - rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, + rule = TAILQ_LAST(ruleset->rules.inactive.ptr, pf_rulequeue); else - rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr); + rule = TAILQ_FIRST(ruleset->rules.inactive.ptr); } if (!r_last) { while ((rule != NULL) && (rule->nr != rule_number)) @@ -689,42 +683,37 @@ pf_disable_altq(struct pf_altq *altq) #endif /* ALTQ */ int -pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor) +pf_begin_rules(u_int32_t *ticket, const char *anchor) { struct pf_ruleset *rs; struct pf_rule *rule; - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); - rs = pf_find_or_create_ruleset(anchor); - if (rs == NULL) + if ((rs = pf_find_or_create_ruleset(anchor)) == NULL) return (EINVAL); - while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { - pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); - rs->rules[rs_num].inactive.rcount--; + while ((rule = TAILQ_FIRST(rs->rules.inactive.ptr)) != NULL) { + pf_rm_rule(rs->rules.inactive.ptr, rule); + rs->rules.inactive.rcount--; } - *ticket = ++rs->rules[rs_num].inactive.ticket; - rs->rules[rs_num].inactive.open = 1; + *ticket = ++rs->rules.inactive.ticket; + rs->rules.inactive.open = 1; return (0); } int -pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor) +pf_rollback_rules(u_int32_t ticket, char *anchor) { struct pf_ruleset *rs; struct pf_rule *rule; - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); rs = pf_find_ruleset(anchor); - if (rs == NULL || !rs->rules[rs_num].inactive.open || - rs->rules[rs_num].inactive.ticket != ticket) + if (rs == NULL || !rs->rules.inactive.open || + rs->rules.inactive.ticket != ticket) return (0); - while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { - pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); - rs->rules[rs_num].inactive.rcount--; + while ((rule = TAILQ_FIRST(rs->rules.inactive.ptr)) != NULL) { + pf_rm_rule(rs->rules.inactive.ptr, rule); + rs->rules.inactive.rcount--; } - rs->rules[rs_num].inactive.open = 0; + rs->rules.inactive.open = 0; return (0); } @@ -812,7 +801,7 @@ pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule) } int -pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) +pf_commit_rules(u_int32_t ticket, char *anchor) { struct pf_ruleset *rs; struct pf_rule *rule, **old_array; @@ -820,11 +809,9 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) int s, error; u_int32_t old_rcount; - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); rs = pf_find_ruleset(anchor); - if (rs == NULL || !rs->rules[rs_num].inactive.open || - ticket != rs->rules[rs_num].inactive.ticket) + if (rs == NULL || !rs->rules.inactive.open || + ticket != rs->rules.inactive.ticket) return (EBUSY); /* Calculate checksum for the main ruleset */ @@ -836,33 +823,29 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) /* Swap rules, keep the old. */ s = splsoftnet(); - old_rules = rs->rules[rs_num].active.ptr; - old_rcount = rs->rules[rs_num].active.rcount; - old_array = rs->rules[rs_num].active.ptr_array; + old_rules = rs->rules.active.ptr; + old_rcount = rs->rules.active.rcount; + old_array = rs->rules.active.ptr_array; - rs->rules[rs_num].active.ptr = - rs->rules[rs_num].inactive.ptr; - rs->rules[rs_num].active.ptr_array = - rs->rules[rs_num].inactive.ptr_array; - rs->rules[rs_num].active.rcount = - rs->rules[rs_num].inactive.rcount; - rs->rules[rs_num].inactive.ptr = old_rules; - rs->rules[rs_num].inactive.ptr_array = old_array; - rs->rules[rs_num].inactive.rcount = old_rcount; + rs->rules.active.ptr = rs->rules.inactive.ptr; + rs->rules.active.ptr_array = rs->rules.inactive.ptr_array; + rs->rules.active.rcount = rs->rules.inactive.rcount; + rs->rules.inactive.ptr = old_rules; + rs->rules.inactive.ptr_array = old_array; + rs->rules.inactive.rcount = old_rcount; - rs->rules[rs_num].active.ticket = - rs->rules[rs_num].inactive.ticket; - pf_calc_skip_steps(rs->rules[rs_num].active.ptr); + rs->rules.active.ticket = rs->rules.inactive.ticket; + pf_calc_skip_steps(rs->rules.active.ptr); /* Purge the old rule list. */ while ((rule = TAILQ_FIRST(old_rules)) != NULL) pf_rm_rule(old_rules, rule); - if (rs->rules[rs_num].inactive.ptr_array) - free(rs->rules[rs_num].inactive.ptr_array, M_TEMP); - rs->rules[rs_num].inactive.ptr_array = NULL; - rs->rules[rs_num].inactive.rcount = 0; - rs->rules[rs_num].inactive.open = 0; + if (rs->rules.inactive.ptr_array) + free(rs->rules.inactive.ptr_array, M_TEMP); + rs->rules.inactive.ptr_array = NULL; + rs->rules.inactive.rcount = 0; + rs->rules.inactive.open = 0; pf_remove_if_empty_ruleset(rs); splx(s); return (0); @@ -873,30 +856,24 @@ pf_setup_pfsync_matching(struct pf_ruleset *rs) { MD5_CTX ctx; struct pf_rule *rule; - int rs_cnt; u_int8_t digest[PF_MD5_DIGEST_LENGTH]; MD5Init(&ctx); - for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) { - if (rs->rules[rs_cnt].inactive.ptr_array) - free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP); - rs->rules[rs_cnt].inactive.ptr_array = NULL; + if (rs->rules.inactive.ptr_array) + free(rs->rules.inactive.ptr_array, M_TEMP); + rs->rules.inactive.ptr_array = NULL; - if (rs->rules[rs_cnt].inactive.rcount) { - rs->rules[rs_cnt].inactive.ptr_array = - malloc(sizeof(caddr_t) * - rs->rules[rs_cnt].inactive.rcount, - M_TEMP, M_NOWAIT); + if (rs->rules.inactive.rcount) { + rs->rules.inactive.ptr_array = malloc(sizeof(caddr_t) * + rs->rules.inactive.rcount, M_TEMP, M_NOWAIT); - if (!rs->rules[rs_cnt].inactive.ptr_array) - return (ENOMEM); - } + if (!rs->rules.inactive.ptr_array) + return (ENOMEM); + } - TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr, - entries) { - pf_hash_rule(&ctx, rule); - (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule; - } + TAILQ_FOREACH(rule, rs->rules.inactive.ptr, entries) { + pf_hash_rule(&ctx, rule); + (rs->rules.inactive.ptr_array)[rule->nr] = rule; } MD5Final(digest, &ctx); @@ -1069,7 +1046,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pf_ruleset *ruleset; struct pf_rule *rule, *tail; struct pf_pooladdr *pa; - int rs_num; pr->anchor[sizeof(pr->anchor) - 1] = 0; ruleset = pf_find_ruleset(pr->anchor); @@ -1077,16 +1053,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { error = EINVAL; break; } - if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) { + if (pr->ticket != ruleset->rules.inactive.ticket) { error = EBUSY; break; } @@ -1128,8 +1099,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EAFNOSUPPORT; goto fail; } - - tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, + tail = TAILQ_LAST(ruleset->rules.inactive.ptr, pf_rulequeue); if (tail) rule->nr = tail->nr + 1; @@ -1221,9 +1191,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) rule->route.cur = TAILQ_FIRST(&rule->route.list); rule->evaluations = rule->packets[0] = rule->packets[1] = rule->bytes[0] = rule->bytes[1] = 0; - TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, + TAILQ_INSERT_TAIL(ruleset->rules.inactive.ptr, rule, entries); - ruleset->rules[rs_num].inactive.rcount++; + ruleset->rules.inactive.rcount++; break; } @@ -1231,7 +1201,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pfioc_rule *pr = (struct pfioc_rule *)addr; struct pf_ruleset *ruleset; struct pf_rule *tail; - int rs_num; pr->anchor[sizeof(pr->anchor) - 1] = 0; ruleset = pf_find_ruleset(pr->anchor); @@ -1239,18 +1208,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, - pf_rulequeue); + tail = TAILQ_LAST(ruleset->rules.active.ptr, pf_rulequeue); if (tail) pr->nr = tail->nr + 1; else pr->nr = 0; - pr->ticket = ruleset->rules[rs_num].active.ticket; + pr->ticket = ruleset->rules.active.ticket; break; } @@ -1258,7 +1221,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pfioc_rule *pr = (struct pfioc_rule *)addr; struct pf_ruleset *ruleset; struct pf_rule *rule; - int rs_num, i; + int i; pr->anchor[sizeof(pr->anchor) - 1] = 0; ruleset = pf_find_ruleset(pr->anchor); @@ -1266,16 +1229,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - if (pr->ticket != ruleset->rules[rs_num].active.ticket) { + if (pr->ticket != ruleset->rules.active.ticket) { error = EBUSY; break; } - rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); + rule = TAILQ_FIRST(ruleset->rules.active.ptr); while ((rule != NULL) && (rule->nr != pr->nr)) rule = TAILQ_NEXT(rule, entries); if (rule == NULL) { @@ -1310,7 +1268,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pf_ruleset *ruleset; struct pf_rule *oldrule = NULL, *newrule = NULL; u_int32_t nr = 0; - int rs_num; if (!(pcr->action == PF_CHANGE_REMOVE || pcr->action == PF_CHANGE_GET_TICKET) && @@ -1329,18 +1286,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; break; } - rs_num = pf_get_ruleset_number(pcr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } if (pcr->action == PF_CHANGE_GET_TICKET) { - pcr->ticket = ++ruleset->rules[rs_num].active.ticket; + pcr->ticket = ++ruleset->rules.active.ticket; break; } else { if (pcr->ticket != - ruleset->rules[rs_num].active.ticket) { + ruleset->rules.active.ticket) { error = EINVAL; break; } @@ -1481,14 +1433,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) pf_empty_pool(&pf_pabuf[2]); if (pcr->action == PF_CHANGE_ADD_HEAD) - oldrule = TAILQ_FIRST( - ruleset->rules[rs_num].active.ptr); + oldrule = TAILQ_FIRST(ruleset->rules.active.ptr); else if (pcr->action == PF_CHANGE_ADD_TAIL) - oldrule = TAILQ_LAST( - ruleset->rules[rs_num].active.ptr, pf_rulequeue); + oldrule = TAILQ_LAST(ruleset->rules.active.ptr, + pf_rulequeue); else { - oldrule = TAILQ_FIRST( - ruleset->rules[rs_num].active.ptr); + oldrule = TAILQ_FIRST(ruleset->rules.active.ptr); while ((oldrule != NULL) && (oldrule->nr != pcr->nr)) oldrule = TAILQ_NEXT(oldrule, entries); if (oldrule == NULL) { @@ -1500,31 +1450,30 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } if (pcr->action == PF_CHANGE_REMOVE) { - pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule); - ruleset->rules[rs_num].active.rcount--; + pf_rm_rule(ruleset->rules.active.ptr, oldrule); + ruleset->rules.active.rcount--; } else { if (oldrule == NULL) TAILQ_INSERT_TAIL( - ruleset->rules[rs_num].active.ptr, + ruleset->rules.active.ptr, newrule, entries); else if (pcr->action == PF_CHANGE_ADD_HEAD || pcr->action == PF_CHANGE_ADD_BEFORE) TAILQ_INSERT_BEFORE(oldrule, newrule, entries); else TAILQ_INSERT_AFTER( - ruleset->rules[rs_num].active.ptr, + ruleset->rules.active.ptr, oldrule, newrule, entries); - ruleset->rules[rs_num].active.rcount++; + ruleset->rules.active.rcount++; } nr = 0; - TAILQ_FOREACH(oldrule, - ruleset->rules[rs_num].active.ptr, entries) + TAILQ_FOREACH(oldrule, ruleset->rules.active.ptr, entries) oldrule->nr = nr++; - ruleset->rules[rs_num].active.ticket++; + ruleset->rules.active.ticket++; - pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr); + pf_calc_skip_steps(ruleset->rules.active.ptr); pf_remove_if_empty_ruleset(ruleset); break; @@ -1834,7 +1783,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) struct pf_rule *rule; TAILQ_FOREACH(rule, - ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) { + ruleset->rules.active.ptr, entries) { rule->evaluations = 0; rule->packets[0] = rule->packets[1] = 0; rule->bytes[0] = rule->bytes[1] = 0; @@ -2534,9 +2483,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } - switch (ioe->rs_num) { + switch (ioe->type) { #ifdef ALTQ - case PF_RULESET_ALTQ: + case PF_TRANS_ALTQ: if (ioe->anchor[0]) { free(table, M_TEMP); free(ioe, M_TEMP); @@ -2550,7 +2499,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } break; #endif /* ALTQ */ - case PF_RULESET_TABLE: + case PF_TRANS_TABLE: bzero(table, sizeof(*table)); strlcpy(table->pfrt_anchor, ioe->anchor, sizeof(table->pfrt_anchor)); @@ -2563,7 +2512,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; default: if ((error = pf_begin_rules(&ioe->ticket, - ioe->rs_num, ioe->anchor))) { + ioe->anchor))) { free(table, M_TEMP); free(ioe, M_TEMP); goto fail; @@ -2601,9 +2550,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } - switch (ioe->rs_num) { + switch (ioe->type) { #ifdef ALTQ - case PF_RULESET_ALTQ: + case PF_TRANS_ALTQ: if (ioe->anchor[0]) { free(table, M_TEMP); free(ioe, M_TEMP); @@ -2617,7 +2566,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } break; #endif /* ALTQ */ - case PF_RULESET_TABLE: + case PF_TRANS_TABLE: bzero(table, sizeof(*table)); strlcpy(table->pfrt_anchor, ioe->anchor, sizeof(table->pfrt_anchor)); @@ -2630,7 +2579,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; default: if ((error = pf_rollback_rules(ioe->ticket, - ioe->rs_num, ioe->anchor))) { + ioe->anchor))) { free(table, M_TEMP); free(ioe, M_TEMP); goto fail; /* really bad */ @@ -2664,9 +2613,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } - switch (ioe->rs_num) { + switch (ioe->type) { #ifdef ALTQ - case PF_RULESET_ALTQ: + case PF_TRANS_ALTQ: if (ioe->anchor[0]) { free(table, M_TEMP); free(ioe, M_TEMP); @@ -2682,7 +2631,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } break; #endif /* ALTQ */ - case PF_RULESET_TABLE: + case PF_TRANS_TABLE: rs = pf_find_ruleset(ioe->anchor); if (rs == NULL || !rs->topen || ioe->ticket != rs->tticket) { @@ -2693,17 +2642,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } break; default: - if (ioe->rs_num < 0 || ioe->rs_num >= - PF_RULESET_MAX) { - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EINVAL; - goto fail; - } rs = pf_find_ruleset(ioe->anchor); if (rs == NULL || - !rs->rules[ioe->rs_num].inactive.open || - rs->rules[ioe->rs_num].inactive.ticket != + !rs->rules.inactive.open || + rs->rules.inactive.ticket != ioe->ticket) { free(table, M_TEMP); free(ioe, M_TEMP); @@ -2734,9 +2676,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EFAULT; goto fail; } - switch (ioe->rs_num) { + switch (ioe->type) { #ifdef ALTQ - case PF_RULESET_ALTQ: + case PF_TRANS_ALTQ: if ((error = pf_commit_altq(ioe->ticket))) { free(table, M_TEMP); free(ioe, M_TEMP); @@ -2744,7 +2686,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } break; #endif /* ALTQ */ - case PF_RULESET_TABLE: + case PF_TRANS_TABLE: bzero(table, sizeof(*table)); strlcpy(table->pfrt_anchor, ioe->anchor, sizeof(table->pfrt_anchor)); @@ -2757,7 +2699,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; default: if ((error = pf_commit_rules(ioe->ticket, - ioe->rs_num, ioe->anchor))) { + ioe->anchor))) { free(table, M_TEMP); free(ioe, M_TEMP); goto fail; /* really bad */ diff --git a/sys/net/pf_ruleset.c b/sys/net/pf_ruleset.c index 2cc57e52394..313462fc7e6 100644 --- a/sys/net/pf_ruleset.c +++ b/sys/net/pf_ruleset.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ruleset.c,v 1.4 2009/04/06 12:05:55 henning Exp $ */ +/* $OpenBSD: pf_ruleset.c,v 1.5 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -98,45 +98,14 @@ pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b) return (c ? (c < 0 ? -1 : 1) : 0); } -int -pf_get_ruleset_number(u_int8_t action) -{ - switch (action) { - case PF_PASS: - case PF_MATCH: - case PF_DROP: - return (PF_RULESET_FILTER); - break; - case PF_NAT: - case PF_NONAT: - return (PF_RULESET_NAT); - break; - case PF_BINAT: - case PF_NOBINAT: - return (PF_RULESET_BINAT); - break; - case PF_RDR: - case PF_NORDR: - return (PF_RULESET_RDR); - break; - default: - return (PF_RULESET_MAX); - break; - } -} - void pf_init_ruleset(struct pf_ruleset *ruleset) { - int i; - memset(ruleset, 0, sizeof(struct pf_ruleset)); - for (i = 0; i < PF_RULESET_MAX; i++) { - TAILQ_INIT(&ruleset->rules[i].queues[0]); - TAILQ_INIT(&ruleset->rules[i].queues[1]); - ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0]; - ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1]; - } + TAILQ_INIT(&ruleset->rules.queues[0]); + TAILQ_INIT(&ruleset->rules.queues[1]); + ruleset->rules.active.ptr = &ruleset->rules.queues[0]; + ruleset->rules.inactive.ptr = &ruleset->rules.queues[1]; } struct pf_anchor * @@ -265,7 +234,6 @@ void pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) { struct pf_anchor *parent; - int i; while (ruleset != NULL) { if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL || @@ -273,11 +241,10 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) ruleset->anchor->refcnt > 0 || ruleset->tables > 0 || ruleset->topen) return; - for (i = 0; i < PF_RULESET_MAX; ++i) - if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) || - !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) || - ruleset->rules[i].inactive.open) - return; + if (!TAILQ_EMPTY(ruleset->rules.active.ptr) || + !TAILQ_EMPTY(ruleset->rules.inactive.ptr) || + ruleset->rules.inactive.open) + return; RB_REMOVE(pf_anchor_global, &pf_anchors, ruleset->anchor); if ((parent = ruleset->anchor->parent) != NULL) RB_REMOVE(pf_anchor_node, &parent->children, diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 06fc9b39af3..398eb806c94 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.298 2009/11/03 17:41:02 claudio Exp $ */ +/* $OpenBSD: pfvar.h,v 1.299 2009/11/22 22:34:50 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -61,8 +61,7 @@ enum { PF_INOUT, PF_IN, PF_OUT }; enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER, PF_MATCH, PF_DIVERT, PF_RT }; -enum { PF_RULESET_FILTER, PF_RULESET_NAT, PF_RULESET_BINAT, - PF_RULESET_RDR, PF_RULESET_MAX }; +enum { PF_TRANS_RULESET, PF_TRANS_ALTQ, PF_TRANS_TABLE }; enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; @@ -935,7 +934,7 @@ struct pf_ruleset { u_int32_t ticket; int open; } active, inactive; - } rules[PF_RULESET_MAX]; + } rules; struct pf_anchor *anchor; u_int32_t tticket; int tables; @@ -1503,13 +1502,11 @@ struct pfioc_ruleset { char name[PF_ANCHOR_NAME_SIZE]; }; -#define PF_RULESET_ALTQ (PF_RULESET_MAX) -#define PF_RULESET_TABLE (PF_RULESET_MAX+1) struct pfioc_trans { int size; /* number of elements */ int esize; /* size of each element in bytes */ struct pfioc_trans_e { - int rs_num; + int type; char anchor[MAXPATHLEN]; u_int32_t ticket; } *array; @@ -1743,6 +1740,7 @@ int pf_socket_lookup(int, struct pf_pdesc *); struct pf_state_key *pf_alloc_state_key(int); void pf_pkt_addr_changed(struct mbuf *); int pf_state_key_attach(struct pf_state_key *, struct pf_state *, int); + void pfr_initialize(void); int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, @@ -1831,7 +1829,6 @@ extern struct pf_anchor pf_main_anchor; #define pf_main_ruleset pf_main_anchor.ruleset /* these ruleset functions can be linked into userland programs (pfctl) */ -int pf_get_ruleset_number(u_int8_t); void pf_init_ruleset(struct pf_ruleset *); int pf_anchor_setup(struct pf_rule *, const struct pf_ruleset *, const char *); @@ -1871,10 +1868,10 @@ struct pf_os_fingerprint * #ifdef _KERNEL void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); -void pf_step_into_anchor(int *, struct pf_ruleset **, int, +void pf_step_into_anchor(int *, struct pf_ruleset **, struct pf_rule **, struct pf_rule **, int *); int pf_step_out_of_anchor(int *, struct pf_ruleset **, - int, struct pf_rule **, struct pf_rule **, + struct pf_rule **, struct pf_rule **, int *); int pf_get_transaddr(struct pf_rule *, struct pf_pdesc *, |