The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=c72fb110e47f5a52e64683a8759a11eb69b34bd3
commit c72fb110e47f5a52e64683a8759a11eb69b34bd3 Author: Kristof Provost <[email protected]> AuthorDate: 2026-01-06 21:33:31 +0000 Commit: Kristof Provost <[email protected]> CommitDate: 2026-01-14 06:44:39 +0000 pf: convert state limiter interface to netlink This is a new feature with new ioctl calls, so we can safely remove them right now. Sponsored by: Rubicon Communications, LLC ("Netgate") --- lib/libpfctl/libpfctl.c | 314 +++++++++++++++++++++++++++++++++++ lib/libpfctl/libpfctl.h | 99 +++++++++++ sbin/pfctl/pfctl.c | 189 +++++++++------------ sbin/pfctl/pfctl_parser.c | 4 +- sbin/pfctl/pfctl_parser.h | 8 +- sys/net/pfvar.h | 108 +++++------- sys/netpfil/pf/pf_ioctl.c | 163 ++----------------- sys/netpfil/pf/pf_nl.c | 407 ++++++++++++++++++++++++++++++++++++++++++++++ sys/netpfil/pf/pf_nl.h | 79 +++++++++ 9 files changed, 1035 insertions(+), 336 deletions(-) diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index c3fdaf70ad0d..a5abe1cadd64 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -3915,3 +3915,317 @@ pfctl_clr_astats(struct pfctl_handle *h, const struct pfr_table *tbl, return (ret); } +static void +snl_add_msg_attr_limit_rate(struct snl_writer *nw, uint32_t type, + const struct pfctl_limit_rate *rate) +{ + int off; + + off = snl_add_msg_attr_nested(nw, type); + + snl_add_msg_attr_u32(nw, PF_LR_LIMIT, rate->limit); + snl_add_msg_attr_u32(nw, PF_LR_SECONDS, rate->seconds); + + snl_end_attr_nested(nw, off); +} + +#define _OUT(_field) offsetof(struct pfctl_limit_rate, _field) +static const struct snl_attr_parser ap_limit_rate[] = { + { .type = PF_LR_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, + { .type = PF_LR_SECONDS, .off = _OUT(seconds), .cb = snl_attr_get_uint32 }, +}; +SNL_DECLARE_ATTR_PARSER(limit_rate_parser, ap_limit_rate); +#undef _OUT + +#define _OUT(_field) offsetof(struct pfctl_state_lim, _field) +static struct snl_attr_parser ap_statelim[] = { + { .type = PF_SL_NAME, .off = _OUT(name), .arg_u32 = PF_STATELIM_NAME_LEN, .cb = snl_attr_copy_string }, + { .type = PF_SL_ID, .off = _OUT(id), .cb = snl_attr_get_uint32 }, + { .type = PF_SL_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, + { .type = PF_SL_RATE, .off = _OUT(rate), .arg = &limit_rate_parser, .cb = snl_attr_get_nested }, + { .type = PF_SL_DESCR, .off = _OUT(description), .arg_u32 = PF_STATELIM_DESCR_LEN, .cb = snl_attr_copy_string }, + { .type = PF_SL_INUSE, .off = _OUT(inuse), .cb = snl_attr_get_uint32 }, + { .type = PF_SL_ADMITTED, .off = _OUT(admitted), .cb = snl_attr_get_uint64 }, + { .type = PF_SL_HARDLIMITED, .off = _OUT(hardlimited), .cb = snl_attr_get_uint64 }, + { .type = PF_SL_RATELIMITED, .off = _OUT(ratelimited), .cb = snl_attr_get_uint64 }, +}; +#undef _OUT +SNL_DECLARE_PARSER(statelim_parser, struct genlmsghdr, snl_f_p_empty, ap_statelim); + +int +pfctl_state_limiter_nget(struct pfctl_handle *h, struct pfctl_state_lim *lim) +{ + struct snl_writer nw; + struct snl_errmsg_data e = {}; + struct nlmsghdr *hdr; + uint32_t seq_id; + int family_id; + + family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); + if (family_id == 0) + return (ENOTSUP); + + snl_init_writer(&h->ss, &nw); + hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_STATE_LIMITER_NGET); + + snl_add_msg_attr_u32(&nw, PF_SL_ID, lim->id); + + if ((hdr = snl_finalize_msg(&nw)) == NULL) + return (ENXIO); + seq_id = hdr->nlmsg_seq; + + if (! snl_send_message(&h->ss, hdr)) + return (ENXIO); + + while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { + if (! snl_parse_nlmsg(&h->ss, hdr, &statelim_parser, lim)) + continue; + } + + return (e.error); +} + +int +pfctl_state_limiter_add(struct pfctl_handle *h, struct pfctl_state_lim *lim) +{ + struct snl_writer nw; + struct snl_errmsg_data e = {}; + struct nlmsghdr *hdr; + uint32_t seq_id; + int family_id; + + family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); + if (family_id == 0) + return (ENOTSUP); + + snl_init_writer(&h->ss, &nw); + hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_STATE_LIMITER_ADD); + + snl_add_msg_attr_u32(&nw, PF_SL_ID, lim->id); + snl_add_msg_attr_u32(&nw, PF_SL_TICKET, lim->ticket); + snl_add_msg_attr_string(&nw, PF_SL_NAME, lim->name); + snl_add_msg_attr_u32(&nw, PF_SL_LIMIT, lim->limit); + snl_add_msg_attr_limit_rate(&nw, PF_SL_RATE, &lim->rate); + snl_add_msg_attr_string(&nw, PF_SL_DESCR, lim->description); + + if ((hdr = snl_finalize_msg(&nw)) == NULL) + return (ENXIO); + seq_id = hdr->nlmsg_seq; + + if (! snl_send_message(&h->ss, hdr)) + return (ENXIO); + + while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { + if (! snl_parse_nlmsg(&h->ss, hdr, &statelim_parser, &lim)) + continue; + } + + return (e.error); +} + +#define _OUT(_field) offsetof(struct pfctl_source_lim, _field) +static struct snl_attr_parser ap_sourcelim[] = { + { .type = PF_SCL_NAME, .off = _OUT(name), .arg_u32 = PF_SOURCELIM_NAME_LEN, .cb = snl_attr_copy_string }, + { .type = PF_SCL_ID, .off = _OUT(id), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_ENTRIES, .off = _OUT(entries), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_RATE, .off = _OUT(rate), .arg = &limit_rate_parser, .cb = snl_attr_get_nested }, + { .type = PF_SCL_OVERLOAD_TBL_NAME, .off = _OUT(overload_tblname), .arg_u32 = PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string }, + { .type = PF_SCL_OVERLOAD_HIGH_WM, .off = _OUT(overload_hwm), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_OVERLOAD_LOW_WM, .off = _OUT(overload_lwm), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_INET_PREFIX, .off = _OUT(inet_prefix), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_INET6_PREFIX, .off = _OUT(inet6_prefix), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_DESCR, .off = _OUT(description), .arg_u32 = PF_SOURCELIM_DESCR_LEN, .cb = snl_attr_copy_string }, + { .type = PF_SCL_NENTRIES, .off = _OUT(nentries), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_INUSE, .off = _OUT(inuse), .cb = snl_attr_get_uint32 }, + { .type = PF_SCL_ADDR_ALLOCS, .off = _OUT(addrallocs), .cb = snl_attr_get_uint64 }, + { .type = PF_SCL_ADDR_NOMEM, .off = _OUT(addrnomem), .cb = snl_attr_get_uint64 }, + { .type = PF_SCL_ADMITTED, .off = _OUT(admitted), .cb = snl_attr_get_uint64 }, + { .type = PF_SCL_ADDRLIMITED, .off = _OUT(addrlimited), .cb = snl_attr_get_uint64 }, + { .type = PF_SCL_HARDLIMITED, .off = _OUT(hardlimited), .cb = snl_attr_get_uint64 }, + { .type = PF_SCL_RATELIMITED, .off = _OUT(ratelimited), .cb = snl_attr_get_uint64 }, +}; +#undef _OUT +SNL_DECLARE_PARSER(sourcelim_parser, struct genlmsghdr, snl_f_p_empty, ap_sourcelim); + +int +pfctl_source_limiter_add(struct pfctl_handle *h, struct pfctl_source_lim *lim) +{ + struct snl_writer nw; + struct snl_errmsg_data e = {}; + struct nlmsghdr *hdr; + uint32_t seq_id; + int family_id; + + family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); + if (family_id == 0) + return (ENOTSUP); + + snl_init_writer(&h->ss, &nw); + hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SOURCE_LIMITER_ADD); + + snl_add_msg_attr_u32(&nw, PF_SCL_TICKET, lim->ticket); + snl_add_msg_attr_string(&nw, PF_SCL_NAME, lim->name); + snl_add_msg_attr_u32(&nw, PF_SCL_ID, lim->id); + snl_add_msg_attr_u32(&nw, PF_SCL_ENTRIES, lim->entries); + snl_add_msg_attr_u32(&nw, PF_SCL_LIMIT, lim->limit); + snl_add_msg_attr_limit_rate(&nw, PF_SCL_RATE, &lim->rate); + snl_add_msg_attr_string(&nw, PF_SCL_OVERLOAD_TBL_NAME, lim->overload_tblname); + snl_add_msg_attr_u32(&nw, PF_SCL_OVERLOAD_HIGH_WM, lim->overload_hwm); + snl_add_msg_attr_u32(&nw, PF_SCL_OVERLOAD_LOW_WM, lim->overload_lwm); + snl_add_msg_attr_u32(&nw, PF_SCL_INET_PREFIX, lim->inet_prefix); + snl_add_msg_attr_u32(&nw, PF_SCL_INET6_PREFIX, lim->inet6_prefix); + snl_add_msg_attr_string(&nw, PF_SCL_DESCR, lim->description); + + if ((hdr = snl_finalize_msg(&nw)) == NULL) + return (ENXIO); + seq_id = hdr->nlmsg_seq; + + if (! snl_send_message(&h->ss, hdr)) + return (ENXIO); + + while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { + if (! snl_parse_nlmsg(&h->ss, hdr, &sourcelim_parser, &lim)) + continue; + } + + return (e.error); +} + +static int +_pfctl_source_limiter_get(struct pfctl_handle *h, int cmd, struct pfctl_source_lim *lim) +{ + struct snl_writer nw; + struct snl_errmsg_data e = {}; + struct nlmsghdr *hdr; + uint32_t seq_id; + int family_id; + + family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); + if (family_id == 0) + return (ENOTSUP); + + snl_init_writer(&h->ss, &nw); + hdr = snl_create_genl_msg_request(&nw, family_id, cmd); + + snl_add_msg_attr_u32(&nw, PF_SCL_ID, lim->id); + + if ((hdr = snl_finalize_msg(&nw)) == NULL) + return (ENXIO); + seq_id = hdr->nlmsg_seq; + + if (! snl_send_message(&h->ss, hdr)) + return (ENXIO); + + while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { + if (! snl_parse_nlmsg(&h->ss, hdr, &sourcelim_parser, lim)) + continue; + } + + return (e.error); +} + +int +pfctl_source_limiter_get(struct pfctl_handle *h, struct pfctl_source_lim *lim) +{ + return (_pfctl_source_limiter_get(h, PFNL_CMD_SOURCE_LIMITER_GET, lim)); +} + +int +pfctl_source_limiter_nget(struct pfctl_handle *h, struct pfctl_source_lim *lim) +{ + return (_pfctl_source_limiter_get(h, PFNL_CMD_SOURCE_LIMITER_NGET, lim)); +} + +#define _OUT(_field) offsetof(struct pfctl_source, _field) +static struct snl_attr_parser ap_source[] = { + { .type = PF_SRC_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, + { .type = PF_SRC_RDOMAIN, .off = _OUT(rdomain), .cb = snl_attr_get_uint32 }, + { .type = PF_SRC_ADDR, .off = _OUT(addr), .cb = snl_attr_get_in6_addr }, + { .type = PF_SRC_INUSE, .off = _OUT(inuse), .cb = snl_attr_get_uint32 }, + { .type = PF_SRC_ADMITTED, .off = _OUT(admitted), .cb = snl_attr_get_uint64 }, + { .type = PF_SRC_HARDLIMITED, .off = _OUT(hardlimited), .cb = snl_attr_get_uint64 }, + { .type = PF_SRC_RATELIMITED, .off = _OUT(ratelimited), .cb = snl_attr_get_uint64 }, + { .type = PF_SRC_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, + { .type = PF_SRC_INET_PREFIX, .off = _OUT(inet_prefix), .cb = snl_attr_get_uint32 }, + {. type = PF_SRC_INET6_PREFIX, .off = _OUT(inet6_prefix), .cb = snl_attr_get_uint32 }, +}; +#undef _OUT +SNL_DECLARE_PARSER(source_parser, struct genlmsghdr, snl_f_p_empty, ap_source); + +int +pfctl_source_get(struct pfctl_handle *h, int id, pfctl_get_source_fn fn, void *arg) +{ + struct snl_writer nw; + struct snl_errmsg_data e = {}; + struct nlmsghdr *hdr; + uint32_t seq_id; + int family_id, error; + + family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); + if (family_id == 0) + return (ENOTSUP); + + snl_init_writer(&h->ss, &nw); + hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SOURCE_NGET); + + snl_add_msg_attr_u32(&nw, PF_SRC_ID, id); + + if ((hdr = snl_finalize_msg(&nw)) == NULL) + return (ENXIO); + seq_id = hdr->nlmsg_seq; + + if (! snl_send_message(&h->ss, hdr)) + return (ENXIO); + + while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { + struct pfctl_source src; + + if (! snl_parse_nlmsg(&h->ss, hdr, &source_parser, &src)) + continue; + + error = fn(&src, arg); + if (error != 0) { + e.error = error; + break; + } + } + + return (e.error); +} + +int +pfctl_source_clear(struct pfctl_handle *h, struct pfctl_source_clear *kill) +{ + struct snl_writer nw; + struct snl_errmsg_data e = {}; + struct nlmsghdr *hdr; + uint32_t seq_id; + int family_id; + + family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); + if (family_id == 0) + return (ENOTSUP); + + snl_init_writer(&h->ss, &nw); + hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SOURCE_CLEAR); + + snl_add_msg_attr_string(&nw, PF_SC_NAME, kill->name); + snl_add_msg_attr_u32(&nw, PF_SC_ID, kill->id); + snl_add_msg_attr_u32(&nw, PF_SC_RDOMAIN, kill->rdomain); + snl_add_msg_attr_u8(&nw, PF_SC_AF, kill->af); + snl_add_msg_attr_ip6(&nw, PF_SC_ADDR, &kill->addr.v6); + + if ((hdr = snl_finalize_msg(&nw)) == NULL) + return (ENXIO); + seq_id = hdr->nlmsg_seq; + + if (! snl_send_message(&h->ss, hdr)) + return (ENXIO); + + while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { + } + + return (e.error); +} + diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index 785ac2bc7fd7..670688893a6a 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -592,4 +592,103 @@ int pfctl_get_astats(struct pfctl_handle *h, const struct pfr_table *tbl, int pfctl_clr_astats(struct pfctl_handle *h, const struct pfr_table *tbl, struct pfr_addr *addr, int size, int *nzero, int flags); +struct pfctl_limit_rate { + unsigned int limit; + unsigned int seconds; +}; + +struct pfctl_state_lim { + uint32_t ticket; + char name[PF_STATELIM_NAME_LEN]; + uint32_t id; + unsigned int limit; + + struct pfctl_limit_rate rate; + + char description[PF_STATELIM_DESCR_LEN]; + + unsigned int inuse; + uint64_t admitted; + uint64_t hardlimited; + uint64_t ratelimited; +}; + +int pfctl_state_limiter_nget(struct pfctl_handle *h, struct pfctl_state_lim *lim); +int pfctl_state_limiter_add(struct pfctl_handle *h, struct pfctl_state_lim *lim); + +struct pfctl_source_lim { + uint32_t ticket; + + char name[PF_SOURCELIM_NAME_LEN]; + uint32_t id; + + /* limit on the total number of address entries */ + unsigned int entries; + + /* limit on the number of states per address entry */ + unsigned int limit; + + /* rate limit on the creation of states by an address entry */ + struct pfctl_limit_rate rate; + + /* + * when the number of states on an entry exceeds hwm, add + * the address to the specified table. when the number of + * states goes below lwm, remove it from the table. + */ + char overload_tblname[PF_TABLE_NAME_SIZE]; + unsigned int overload_hwm; + unsigned int overload_lwm; + + /* + * mask addresses before they're used for entries. /64s + * everywhere for inet6 makes it easy to use too much memory. + */ + unsigned int inet_prefix; + unsigned int inet6_prefix; + + char description[PF_SOURCELIM_DESCR_LEN]; + + unsigned int nentries; + unsigned int inuse; + + uint64_t addrallocs; + uint64_t addrnomem; + uint64_t admitted; + uint64_t addrlimited; + uint64_t hardlimited; + uint64_t ratelimited; +}; + +int pfctl_source_limiter_get(struct pfctl_handle *h, struct pfctl_source_lim *lim); +int pfctl_source_limiter_nget(struct pfctl_handle *h, struct pfctl_source_lim *lim); +int pfctl_source_limiter_add(struct pfctl_handle *h, struct pfctl_source_lim *lim); + +struct pfctl_source { + sa_family_t af; + unsigned int rdomain; + struct pf_addr addr; + + unsigned int inet_prefix; + unsigned int inet6_prefix; + + unsigned int limit; + unsigned int inuse; + uint64_t admitted; + uint64_t hardlimited; + uint64_t ratelimited; +}; +typedef int (*pfctl_get_source_fn)(struct pfctl_source *, void *); +int pfctl_source_get(struct pfctl_handle *h, int id, + pfctl_get_source_fn fn, void *arg); + +struct pfctl_source_clear { + char name[PF_SOURCELIM_NAME_LEN]; + uint32_t id; + sa_family_t af; + unsigned int rdomain; + struct pf_addr addr; +}; +int pfctl_source_clear(struct pfctl_handle *h, struct pfctl_source_clear *); + #endif diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 04deccf7e890..256868a399d2 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -126,7 +126,7 @@ int pfctl_ruleset_trans(struct pfctl *, char *, struct pfctl_anchor *, bool); void pfctl_load_statelims(struct pfctl *); void pfctl_load_statelim(struct pfctl *, struct pfctl_statelim *); void pfctl_load_sourcelims(struct pfctl *); -void pfctl_load_sourcelim(struct pfctl *, struct pfctl_sourcelim *); +void pfctl_load_sourcelim(struct pfctl *, struct pfctl_source_lim *); int pfctl_eth_ruleset_trans(struct pfctl *, char *, struct pfctl_eth_anchor *); int pfctl_load_eth_ruleset(struct pfctl *, char *, @@ -1260,8 +1260,9 @@ pfctl_print_title(char *title) int pfctl_show_statelims(int dev, enum pfctl_show format) { - struct pfioc_statelim stlim; + struct pfctl_state_lim stlim; uint32_t id = PF_STATELIM_ID_MIN; + int error; if (format == PFCTL_SHOW_LABELS) { printf("%3s %8s/%-8s %5s/%-5s %8s %8s %8s\n", "ID", "USE", @@ -1272,12 +1273,13 @@ pfctl_show_statelims(int dev, enum pfctl_show format) memset(&stlim, 0, sizeof(stlim)); stlim.id = id; - if (ioctl(dev, DIOCGETNSTATELIM, &stlim) == -1) { - if (errno == ENOENT) { + error = pfctl_state_limiter_nget(pfh, &stlim); + if (error != 0) { + if (error == ENOENT) { /* we're done */ return (0); } - warn("DIOCGETNSTATELIM %u", stlim.id); + warnc(error, "DIOCGETNSTATELIM %u", stlim.id); return (-1); } @@ -1323,100 +1325,51 @@ pf_addr_inc(struct pf_addr *addr) } static int -pfctl_show_sources(int dev, const struct pfioc_sourcelim *srlim, - enum pfctl_show format, int opts) +pfctl_print_source(struct pfctl_source *e, void *arg) { - struct pfioc_source sr = { .id = srlim->id }; - struct pfioc_source_entry *entries, *e; - unsigned int nentries; - size_t len, used; - - if (format != PFCTL_SHOW_LABELS) - errx(1, "%s format is not PFCTL_SHOW_LABELS", __func__); - - nentries = srlim->nentries; - if (nentries == 0) - return (0); - if (nentries > 128) /* arbitrary */ - nentries = 128; - - entries = reallocarray(NULL, nentries, sizeof(*entries)); - if (entries == NULL) - err(1, "alloc %u source limiter entries", nentries); - - len = nentries * sizeof(*entries); - - e = entries; - - /* start from af 0 address 0 */ - memset(e, 0, sizeof(*e)); - - sr.entry_size = sizeof(*e); - sr.key = e; - - for (;;) { - sr.entries = entries; - sr.entrieslen = len; - - if (ioctl(dev, DIOCGETNSOURCE, &sr) == -1) { - switch (errno) { - case ESRCH: /* can't find the sourcelim */ - case ENOENT: /* no more sources */ - return (0); /* we're done */ - } - warn("DIOCGETNSOURCE %u", sr.id); - return (-1); - } - - used = 0; - if (sr.entrieslen > len) - errx(1, "DIOCGETNSOURCE used too much buffer"); - - e = entries; - for (;;) { - if (used > sr.entrieslen) - errx(1, "DIOCGETNSOURCE weird entrieslen"); - - print_addr_str(e->af, &e->addr); - switch (e->af) { - case AF_INET: - printf("/%u ", sr.inet_prefix); - break; - case AF_INET6: - printf("/%u ", sr.inet6_prefix); - break; - default: - printf("/af? "); - break; - } - printf("rdomain %u ", e->rdomain); + print_addr_str(e->af, &e->addr); + switch (e->af) { + case AF_INET: + printf("/%u ", e->inet_prefix); + break; + case AF_INET6: + printf("/%u ", e->inet6_prefix); + break; + default: + printf("/af? "); + break; + } + printf("rdomain %u ", e->rdomain); - printf("inuse %u/%u ", e->inuse, sr.limit); - printf("admit %ju hardlim %ju ratelim %ju\n", - e->admitted, e->hardlimited, e->ratelimited); + printf("inuse %u/%u ", e->inuse, e->limit); + printf("admit %ju hardlim %ju ratelim %ju\n", + e->admitted, e->hardlimited, e->ratelimited); - used += sizeof(*e); - if (used == sr.entrieslen) - break; + return (0); +} - e++; - } +static int +pfctl_show_sources(int dev, const struct pfctl_source_lim *srlim, + enum pfctl_show format, int opts) +{ + int error; - /* reuse the last entry as the next key */ - e->af += pf_addr_inc(&e->addr); - sr.key = e; - } + if (format != PFCTL_SHOW_LABELS) + errx(1, "%s format is not PFCTL_SHOW_LABELS", __func__); - return (0); + error = pfctl_source_get(pfh, srlim->id, pfctl_print_source, NULL); + if (error != 0) + warnc(error, "DIOCGETNSOURCE %u", srlim->id); + return (error); } int pfctl_show_sourcelims(int dev, enum pfctl_show format, int opts, const char *idopt) { - struct pfioc_sourcelim srlim; + struct pfctl_source_lim srlim; uint32_t id = PF_SOURCELIM_ID_MIN; - unsigned long cmd = DIOCGETNSOURCELIM; + int error; if (idopt != NULL) { const char *errstr; @@ -1425,8 +1378,6 @@ pfctl_show_sourcelims(int dev, enum pfctl_show format, int opts, &errstr); if (errstr != NULL) errx(1, "source limiter id: %s", errstr); - - cmd = DIOCGETSOURCELIM; } if (format == PFCTL_SHOW_LABELS) { @@ -1439,12 +1390,18 @@ pfctl_show_sourcelims(int dev, enum pfctl_show format, int opts, memset(&srlim, 0, sizeof(srlim)); srlim.id = id; - if (ioctl(dev, cmd, &srlim) == -1) { - if (errno == ESRCH) { + if (idopt != NULL) { + error = pfctl_source_limiter_get(pfh, &srlim); + } else { + error = pfctl_source_limiter_nget(pfh, &srlim); + } + + if (error != 0) { + if (error == ESRCH) { /* we're done */ return (0); } - warn("DIOCGETNSOURCELIM %u", srlim.id); + warnc(error, "DIOCGETNSOURCELIM %u", srlim.id); return (-1); } @@ -1485,7 +1442,7 @@ pfctl_show_sourcelims(int dev, enum pfctl_show format, int opts, void pfctl_kill_source(int dev, const char *idopt, const char *source, int opts) { - struct pfioc_source_kill ioc; + struct pfctl_source_clear clear = { 0 }; unsigned int id; const char *errstr; struct addrinfo hints, *res; @@ -1508,22 +1465,22 @@ pfctl_kill_source(int dev, const char *idopt, const char *source, int opts) if (error != 0) errx(1, "source limiter address: %s", gai_strerror(error)); - ioc.id = id; - ioc.af = res->ai_family; - copy_satopfaddr(&ioc.addr, res->ai_addr); - ioc.rmstates = 0; + clear.id = id; + clear.af = res->ai_family; + copy_satopfaddr(&clear.addr, res->ai_addr); freeaddrinfo(res); - if (ioctl(dev, DIOCCLRSOURCE, &ioc) == -1) { - switch (errno) { - case ESRCH: - errx(1, "source limiter %u not found", id); - case ENOENT: - errx(1, "source limiter %u: %s not found", id, source); - default: - err(1, "kill source limiter %u entry %s", id, source); - } + error = pfctl_source_clear(pfh, &clear); + switch (error) { + case 0: + break; + case ESRCH: + errx(1, "source limiter %u not found", id); + case ENOENT: + errx(1, "source limiter %u: %s not found", id, source); + default: + err(1, "kill source limiter %u entry %s", id, source); } } @@ -2325,14 +2282,17 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a, bool d void pfctl_load_statelim(struct pfctl *pf, struct pfctl_statelim *stlim) { + int error; + if (pf->opts & PF_OPT_VERBOSE) print_statelim(&stlim->ioc); if (pf->opts & PF_OPT_NOACTION) return; - if (ioctl(pf->dev, DIOCADDSTATELIM, &stlim->ioc) == -1) { - err(1, "DIOCADDSTATELIM %s id %u", stlim->ioc.name, + error = pfctl_state_limiter_add(pf->h, &stlim->ioc); + if (error) { + errc(1, error, "DIOCADDSTATELIM %s id %u", stlim->ioc.name, stlim->ioc.id); } } @@ -2356,17 +2316,20 @@ pfctl_load_statelims(struct pfctl *pf) } void -pfctl_load_sourcelim(struct pfctl *pf, struct pfctl_sourcelim *srlim) +pfctl_load_sourcelim(struct pfctl *pf, struct pfctl_source_lim *srlim) { + int error; + if (pf->opts & PF_OPT_VERBOSE) - print_sourcelim(&srlim->ioc); + print_sourcelim(srlim); if (pf->opts & PF_OPT_NOACTION) return; - if (ioctl(pf->dev, DIOCADDSOURCELIM, &srlim->ioc) == -1) { - err(1, "DIOCADDSOURCELIM %s id %u", srlim->ioc.name, - srlim->ioc.id); + error = pfctl_source_limiter_add(pf->h, srlim); + if (error != 0) { + errc(1, error, "DIOCADDSOURCELIM %s id %u", srlim->name, + srlim->id); } } @@ -2382,7 +2345,7 @@ pfctl_load_sourcelims(struct pfctl *pf) RB_FOREACH(srlim, pfctl_sourcelim_ids, &pf->sourcelim_ids) { srlim->ioc.ticket = ticket; - pfctl_load_sourcelim(pf, srlim); + pfctl_load_sourcelim(pf, &srlim->ioc); } /* Don't free the sourcelims because we're about to exit anyway. */ diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 617d3f8e0733..25d52f4ec823 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -856,7 +856,7 @@ print_eth_rule(struct pfctl_eth_rule *r, const char *anchor_call, } void -print_statelim(const struct pfioc_statelim *ioc) +print_statelim(const struct pfctl_state_lim *ioc) { printf("state limiter %s id %u limit %u", ioc->name, ioc->id, ioc->limit); @@ -867,7 +867,7 @@ print_statelim(const struct pfioc_statelim *ioc) } void -print_sourcelim(const struct pfioc_sourcelim *ioc) +print_sourcelim(const struct pfctl_source_lim *ioc) { printf("source limiter %s id %u limit %u states %u", ioc->name, ioc->id, ioc->entries, ioc->limit); diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index 6d0417cde061..8934238da148 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -76,7 +76,7 @@ struct pfr_buffer; /* forward definition */ struct pfctl_statelim { - struct pfioc_statelim ioc; + struct pfctl_state_lim ioc; RB_ENTRY(pfctl_statelim) entry; }; @@ -84,7 +84,7 @@ RB_HEAD(pfctl_statelim_ids, pfctl_statelim); RB_HEAD(pfctl_statelim_nms, pfctl_statelim); struct pfctl_sourcelim { - struct pfioc_sourcelim ioc; + struct pfctl_source_lim ioc; RB_ENTRY(pfctl_sourcelim) entry; }; @@ -343,8 +343,8 @@ int pfctl_load_anchors(int, struct pfctl *); void print_pool(struct pfctl_pool *, u_int16_t, u_int16_t, int); void print_src_node(struct pfctl_src_node *, int); -void print_statelim(const struct pfioc_statelim *); -void print_sourcelim(const struct pfioc_sourcelim *); +void print_statelim(const struct pfctl_state_lim *); +void print_sourcelim(const struct pfctl_source_lim *); void print_eth_rule(struct pfctl_eth_rule *, const char *, int); void print_rule(struct pfctl_rule *, const char *, int, int); void print_tabledef(const char *, int, int, struct node_tinithead *); diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 025a30378f1f..5329c5ebdd9e 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1205,6 +1205,11 @@ struct pf_kstate { * State limiter */ +struct pf_limiter_rate { + unsigned int limit; + unsigned int seconds; +}; + struct pf_statelim { RB_ENTRY(pf_statelim) pfstlim_id_tree; RB_ENTRY(pf_statelim) pfstlim_nm_tree; @@ -1217,10 +1222,7 @@ struct pf_statelim { /* config */ unsigned int pfstlim_limit; - struct { - unsigned int limit; - unsigned int seconds; - } pfstlim_rate; + struct pf_limiter_rate pfstlim_rate; /* run state */ struct mtx pfstlim_lock; @@ -1340,10 +1342,7 @@ struct pf_sourcelim { unsigned int pfsrlim_ipv4_prefix; unsigned int pfsrlim_ipv6_prefix; - struct { - unsigned int limit; - unsigned int seconds; - } pfsrlim_rate; + struct pf_limiter_rate pfsrlim_rate; struct { char name[PF_TABLE_NAME_SIZE]; @@ -2074,25 +2073,29 @@ enum pf_syncookies_mode { #define PF_SYNCOOKIES_HIWATPCT 25 #define PF_SYNCOOKIES_LOWATPCT (PF_SYNCOOKIES_HIWATPCT / 2) +#define PF_STATELIM_ID_NONE 0 +#define PF_STATELIM_ID_MIN 1 +#define PF_STATELIM_ID_MAX 255 /* fits in pf_state uint8_t */ +#define PF_STATELIM_LIMIT_MIN 1 +#define PF_STATELIM_LIMIT_MAX (1 << 24) /* pf is pretty scalable */ + +#define PF_SOURCELIM_ID_NONE 0 +#define PF_SOURCELIM_ID_MIN 1 +#define PF_SOURCELIM_ID_MAX 255 /* fits in pf_state uint8_t */ + +#ifdef _KERNEL + struct pfioc_statelim { uint32_t ticket; char name[PF_STATELIM_NAME_LEN]; uint32_t id; -#define PF_STATELIM_ID_NONE 0 -#define PF_STATELIM_ID_MIN 1 -#define PF_STATELIM_ID_MAX 255 /* fits in pf_state uint8_t */ /* limit on the total number of states */ unsigned int limit; -#define PF_STATELIM_LIMIT_MIN 1 -#define PF_STATELIM_LIMIT_MAX (1 << 24) /* pf is pretty scalable */ /* rate limit on the creation of states */ - struct { - unsigned int limit; - unsigned int seconds; - } rate; + struct pf_limiter_rate rate; char description[PF_STATELIM_DESCR_LEN]; @@ -2108,9 +2111,6 @@ struct pfioc_sourcelim { char name[PF_SOURCELIM_NAME_LEN]; uint32_t id; -#define PF_SOURCELIM_ID_NONE 0 -#define PF_SOURCELIM_ID_MIN 1 -#define PF_SOURCELIM_ID_MAX 255 /* fits in pf_state uint8_t */ /* limit on the total number of address entries */ unsigned int entries; @@ -2119,10 +2119,7 @@ struct pfioc_sourcelim { unsigned int limit; /* rate limit on the creation of states by an address entry */ - struct { - unsigned int limit; - unsigned int seconds; - } rate; + struct pf_limiter_rate rate; /* * when the number of states on an entry exceeds hwm, add @@ -2154,37 +2151,6 @@ struct pfioc_sourcelim { uint64_t ratelimited; /* counter */ }; -struct pfioc_source_entry { - sa_family_t af; - unsigned int rdomain; - struct pf_addr addr; - - /* stats */ - - unsigned int inuse; /* gauge */ - uint64_t admitted; /* counter */ - uint64_t hardlimited; /* counter */ - uint64_t ratelimited; /* counter */ -}; - -struct pfioc_source { - char name[PF_SOURCELIM_NAME_LEN]; - uint32_t id; - - /* copied from the parent source limiter */ - - unsigned int inet_prefix; - unsigned int inet6_prefix; - unsigned int limit; - - /* source entries */ - size_t entry_size; /* sizeof(struct pfioc_source_entry) */ - - struct pfioc_source_entry *key; - struct pfioc_source_entry *entries; - size_t entrieslen; /* bytes */ -}; - struct pfioc_source_kill { char name[PF_SOURCELIM_NAME_LEN]; uint32_t id; @@ -2195,7 +2161,28 @@ struct pfioc_source_kill { unsigned int rmstates; /* kill the states too? */ }; -#ifdef _KERNEL +int pf_statelim_add(const struct pfioc_statelim *); +struct pf_statelim *pf_statelim_rb_find(struct pf_statelim_id_tree *, + struct pf_statelim *); +struct pf_statelim *pf_statelim_rb_nfind(struct pf_statelim_id_tree *, + struct pf_statelim *); +int pf_statelim_get(struct pfioc_statelim *, + struct pf_statelim *(*rbt_op)(struct pf_statelim_id_tree *, + struct pf_statelim *)); +int pf_sourcelim_add(const struct pfioc_sourcelim *); +struct pf_sourcelim *pf_sourcelim_rb_find(struct pf_sourcelim_id_tree *, + struct pf_sourcelim *); +struct pf_sourcelim *pf_sourcelim_rb_nfind(struct pf_sourcelim_id_tree *, + struct pf_sourcelim *); +int pf_sourcelim_get(struct pfioc_sourcelim *, + struct pf_sourcelim *(*rbt_op)(struct pf_sourcelim_id_tree *, + struct pf_sourcelim *)); +struct pf_source *pf_source_rb_find(struct pf_source_ioc_tree *, + struct pf_source *); +struct pf_source *pf_source_rb_nfind(struct pf_source_ioc_tree *, + struct pf_source *); +int pf_source_clr(struct pfioc_source_kill *); + struct pf_kstatus { counter_u64_t counters[PFRES_MAX]; /* reason for passing/dropping */ counter_u64_t lcounters[KLCNT_MAX]; /* limit counters */ *** 810 LINES SKIPPED ***
