The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=e5c64b2662ffddd6593099d9333fc7f1cea0f785
commit e5c64b2662ffddd6593099d9333fc7f1cea0f785 Author: Kajetan Staszkiewicz <[email protected]> AuthorDate: 2024-10-02 12:21:47 +0000 Commit: Kristof Provost <[email protected]> CommitDate: 2024-10-02 17:53:26 +0000 pf: replace union pf_krule_ptr with struct pf_krule in in-kernel structs There is no need for the union pf_krule_ptr for kernel-only structs like pf_kstate and pf_ksrc_node. The rules are always accessed by pointer. The rule numbers are a leftover from using the same structure for pfctl(8) and pf(4). Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46868 --- sys/net/pfvar.h | 15 ++-- sys/netpfil/pf/if_pfsync.c | 8 +- sys/netpfil/pf/pf.c | 180 ++++++++++++++++++++++----------------------- sys/netpfil/pf/pf_ioctl.c | 30 ++++---- sys/netpfil/pf/pf_lb.c | 16 ++-- sys/netpfil/pf/pf_nl.c | 6 +- sys/netpfil/pf/pf_norm.c | 58 +++++++-------- sys/netpfil/pf/pf_nv.c | 8 +- sys/netpfil/pf/pflow.c | 6 +- 9 files changed, 161 insertions(+), 166 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 53bc77d14537..b5d56ab45ce7 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -761,18 +761,13 @@ struct pf_keth_rule { uint32_t ridentifier; }; -union pf_krule_ptr { - struct pf_krule *ptr; - u_int32_t nr; -}; - RB_HEAD(pf_krule_global, pf_krule); RB_PROTOTYPE(pf_krule_global, pf_krule, entry_global, pf_krule_compare); struct pf_krule { struct pf_rule_addr src; struct pf_rule_addr dst; - union pf_krule_ptr skip[PF_SKIP_COUNT]; + struct pf_krule *skip[PF_SKIP_COUNT]; char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; uint32_t ridentifier; char ifname[IFNAMSIZ]; @@ -889,7 +884,7 @@ struct pf_ksrc_node { struct pf_addr addr; struct pf_addr raddr; struct pf_krule_slist match_rules; - union pf_krule_ptr rule; + struct pf_krule *rule; struct pfi_kkif *rkif; counter_u64_t bytes[2]; counter_u64_t packets[2]; @@ -1089,9 +1084,9 @@ struct pf_kstate { struct pf_state_peer src; struct pf_state_peer dst; struct pf_krule_slist match_rules; - union pf_krule_ptr rule; - union pf_krule_ptr anchor; - union pf_krule_ptr nat_rule; + struct pf_krule *rule; + struct pf_krule *anchor; + struct pf_krule *nat_rule; struct pf_addr rt_addr; struct pf_state_key *key[2]; /* addresses stack and wire */ struct pf_udp_mapping *udp_mapping; diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index 82a42c874a8f..0dd1b480b313 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -702,9 +702,9 @@ pfsync_state_import(union pfsync_state_union *sp, int flags, int msg_version) pf_state_peer_ntoh(&sp->pfs_1301.src, &st->src); pf_state_peer_ntoh(&sp->pfs_1301.dst, &st->dst); - st->rule.ptr = r; - st->nat_rule.ptr = NULL; - st->anchor.ptr = NULL; + st->rule = r; + st->nat_rule = NULL; + st->anchor = NULL; st->pfsync_time = time_uptime; st->sync_state = PFSYNC_S_NONE; @@ -1974,7 +1974,7 @@ pfsync_insert_state(struct pf_kstate *st) if (st->state_flags & PFSTATE_NOSYNC) return; - if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || + if ((st->rule->rule_flag & PFRULE_NOSYNC) || st->key[PF_SK_WIRE]->proto == IPPROTO_PFSYNC) { st->state_flags |= PFSTATE_NOSYNC; return; diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b28503112db6..b5a18c37a89b 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -436,14 +436,14 @@ BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k) SDT_PROBE2(pf, ip, , bound_iface, st, k); /* Floating unless otherwise specified. */ - if (! (st->rule.ptr->rule_flag & PFRULE_IFBOUND)) + if (! (st->rule->rule_flag & PFRULE_IFBOUND)) return (V_pfi_all); /* * Initially set to all, because we don't know what interface we'll be * sending this out when we create the state. */ - if (st->rule.ptr->rt == PF_REPLYTO) + if (st->rule->rt == PF_REPLYTO) return (V_pfi_all); /* Don't overrule the interface for states created on incoming packets. */ @@ -461,15 +461,15 @@ BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k) #define STATE_INC_COUNTERS(s) \ do { \ struct pf_krule_item *mrm; \ - counter_u64_add(s->rule.ptr->states_cur, 1); \ - counter_u64_add(s->rule.ptr->states_tot, 1); \ - if (s->anchor.ptr != NULL) { \ - counter_u64_add(s->anchor.ptr->states_cur, 1); \ - counter_u64_add(s->anchor.ptr->states_tot, 1); \ + counter_u64_add(s->rule->states_cur, 1); \ + counter_u64_add(s->rule->states_tot, 1); \ + if (s->anchor != NULL) { \ + counter_u64_add(s->anchor->states_cur, 1); \ + counter_u64_add(s->anchor->states_tot, 1); \ } \ - if (s->nat_rule.ptr != NULL) { \ - counter_u64_add(s->nat_rule.ptr->states_cur, 1);\ - counter_u64_add(s->nat_rule.ptr->states_tot, 1);\ + if (s->nat_rule != NULL) { \ + counter_u64_add(s->nat_rule->states_cur, 1);\ + counter_u64_add(s->nat_rule->states_tot, 1);\ } \ SLIST_FOREACH(mrm, &s->match_rules, entry) { \ counter_u64_add(mrm->r->states_cur, 1); \ @@ -480,11 +480,11 @@ BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k) #define STATE_DEC_COUNTERS(s) \ do { \ struct pf_krule_item *mrm; \ - if (s->nat_rule.ptr != NULL) \ - counter_u64_add(s->nat_rule.ptr->states_cur, -1);\ - if (s->anchor.ptr != NULL) \ - counter_u64_add(s->anchor.ptr->states_cur, -1); \ - counter_u64_add(s->rule.ptr->states_cur, -1); \ + if (s->nat_rule != NULL) \ + counter_u64_add(s->nat_rule->states_cur, -1);\ + if (s->anchor != NULL) \ + counter_u64_add(s->anchor->states_cur, -1); \ + counter_u64_add(s->rule->states_cur, -1); \ SLIST_FOREACH(mrm, &s->match_rules, entry) \ counter_u64_add(mrm->r->states_cur, -1); \ } while (0) @@ -828,14 +828,14 @@ pf_src_connlimit(struct pf_kstate **state) (*state)->src.tcp_est = 1; pf_add_threshold(&(*state)->src_node->conn_rate); - if ((*state)->rule.ptr->max_src_conn && - (*state)->rule.ptr->max_src_conn < + if ((*state)->rule->max_src_conn && + (*state)->rule->max_src_conn < (*state)->src_node->conn) { counter_u64_add(V_pf_status.lcounters[LCNT_SRCCONN], 1); bad++; } - if ((*state)->rule.ptr->max_src_conn_rate.limit && + if ((*state)->rule->max_src_conn_rate.limit && pf_check_threshold(&(*state)->src_node->conn_rate)) { counter_u64_add(V_pf_status.lcounters[LCNT_SRCCONNRATE], 1); bad++; @@ -848,7 +848,7 @@ pf_src_connlimit(struct pf_kstate **state) (*state)->timeout = PFTM_PURGE; pf_set_protostate(*state, PF_PEER_BOTH, TCPS_CLOSED); - if ((*state)->rule.ptr->overload_tbl == NULL) + if ((*state)->rule->overload_tbl == NULL) return (1); /* Schedule overloading and flushing task. */ @@ -858,7 +858,7 @@ pf_src_connlimit(struct pf_kstate **state) bcopy(&(*state)->src_node->addr, &pfoe->addr, sizeof(pfoe->addr)); pfoe->af = (*state)->key[PF_SK_WIRE]->af; - pfoe->rule = (*state)->rule.ptr; + pfoe->rule = (*state)->rule; pfoe->dir = (*state)->direction; PF_OVERLOADQ_LOCK(); SLIST_INSERT_HEAD(&V_pf_overloadqueue, pfoe, next); @@ -941,7 +941,7 @@ pf_overload_task(void *v, int pending) SLIST_FOREACH(pfoe, &queue, next) if (sk->af == pfoe->af && ((pfoe->rule->flush & PF_FLUSH_GLOBAL) || - pfoe->rule == s->rule.ptr) && + pfoe->rule == s->rule) && ((pfoe->dir == PF_OUT && PF_AEQ(&pfoe->addr, &sk->addr[1], sk->af)) || (pfoe->dir == PF_IN && @@ -976,7 +976,7 @@ pf_find_src_node(struct pf_addr *src, struct pf_krule *rule, sa_family_t af, *sh = &V_pf_srchash[pf_hashsrc(src, af)]; PF_HASHROW_LOCK(*sh); LIST_FOREACH(n, &(*sh)->nodes, entry) - if (n->rule.ptr == rule && n->af == af && + if (n->rule == rule && n->af == af && ((af == AF_INET && n->addr.v4.s_addr == src->v4.s_addr) || (af == AF_INET6 && bcmp(&n->addr, src, sizeof(*src)) == 0))) break; @@ -1053,14 +1053,14 @@ pf_insert_src_node(struct pf_ksrc_node **sn, struct pf_krule *rule, (*sn)->lock = &sh->lock; (*sn)->af = af; - (*sn)->rule.ptr = rule; + (*sn)->rule = rule; PF_ACPY(&(*sn)->addr, src, af); LIST_INSERT_HEAD(&sh->nodes, *sn, entry); (*sn)->creation = time_uptime; (*sn)->ruletype = rule->action; (*sn)->states = 1; - if ((*sn)->rule.ptr != NULL) - counter_u64_add((*sn)->rule.ptr->src_nodes, 1); + if ((*sn)->rule != NULL) + counter_u64_add((*sn)->rule->src_nodes, 1); PF_HASHROW_UNLOCK(sh); counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_INSERT], 1); } else { @@ -1082,8 +1082,8 @@ pf_unlink_src_node(struct pf_ksrc_node *src) PF_SRC_NODE_LOCK_ASSERT(src); LIST_REMOVE(src, entry); - if (src->rule.ptr) - counter_u64_add(src->rule.ptr->src_nodes, -1); + if (src->rule) + counter_u64_add(src->rule->src_nodes, -1); } u_int @@ -2481,13 +2481,13 @@ pf_state_expires(const struct pf_kstate *state) ("pf_state_expires: timeout == PFTM_UNLINKED")); KASSERT((state->timeout < PFTM_MAX), ("pf_state_expires: timeout > PFTM_MAX")); - timeout = state->rule.ptr->timeout[state->timeout]; + timeout = state->rule->timeout[state->timeout]; if (!timeout) timeout = V_pf_default_rule.timeout[state->timeout]; - start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; - if (start && state->rule.ptr != &V_pf_default_rule) { - end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; - states = counter_u64_fetch(state->rule.ptr->states_cur); + start = state->rule->timeout[PFTM_ADAPTIVE_START]; + if (start && state->rule != &V_pf_default_rule) { + end = state->rule->timeout[PFTM_ADAPTIVE_END]; + states = counter_u64_fetch(state->rule->states_cur); } else { start = V_pf_default_rule.timeout[PFTM_ADAPTIVE_START]; end = V_pf_default_rule.timeout[PFTM_ADAPTIVE_END]; @@ -2520,8 +2520,8 @@ pf_purge_expired_src_nodes(void) if (cur->states == 0 && cur->expire <= time_uptime) { pf_unlink_src_node(cur); LIST_INSERT_HEAD(&freelist, cur, entry); - } else if (cur->rule.ptr != NULL) - cur->rule.ptr->rule_ref |= PFRULE_REFS; + } else if (cur->rule != NULL) + cur->rule->rule_ref |= PFRULE_REFS; PF_HASHROW_UNLOCK(sh); } @@ -2536,8 +2536,8 @@ pf_src_tree_remove_state(struct pf_kstate *s) struct pf_ksrc_node *sn; uint32_t timeout; - timeout = s->rule.ptr->timeout[PFTM_SRC_NODE] ? - s->rule.ptr->timeout[PFTM_SRC_NODE] : + timeout = s->rule->timeout[PFTM_SRC_NODE] ? + s->rule->timeout[PFTM_SRC_NODE] : V_pf_default_rule.timeout[PFTM_SRC_NODE]; if (s->src_node != NULL) { @@ -2584,7 +2584,7 @@ pf_unlink_state(struct pf_kstate *s) if (s->src.state == PF_TCPS_PROXY_DST) { /* XXX wire key the right one? */ - pf_send_tcp(s->rule.ptr, s->key[PF_SK_WIRE]->af, + pf_send_tcp(s->rule, s->key[PF_SK_WIRE]->af, &s->key[PF_SK_WIRE]->addr[1], &s->key[PF_SK_WIRE]->addr[0], s->key[PF_SK_WIRE]->port[1], @@ -2674,11 +2674,11 @@ relock: pf_unlink_state(s); goto relock; } - s->rule.ptr->rule_ref |= PFRULE_REFS; - if (s->nat_rule.ptr != NULL) - s->nat_rule.ptr->rule_ref |= PFRULE_REFS; - if (s->anchor.ptr != NULL) - s->anchor.ptr->rule_ref |= PFRULE_REFS; + s->rule->rule_ref |= PFRULE_REFS; + if (s->nat_rule != NULL) + s->nat_rule->rule_ref |= PFRULE_REFS; + if (s->anchor != NULL) + s->anchor->rule_ref |= PFRULE_REFS; s->kif->pfik_flags |= PFI_IFLAG_REFS; SLIST_FOREACH(mrm, &s->match_rules, entry) mrm->r->rule_ref |= PFRULE_REFS; @@ -2901,8 +2901,8 @@ pf_print_state_parts(struct pf_kstate *s, printf("]"); } printf(" %u:%u", s->src.state, s->dst.state); - if (s->rule.ptr) - printf(" @%d", s->rule.ptr->nr); + if (s->rule) + printf(" @%d", s->rule->nr); } } @@ -2932,7 +2932,7 @@ pf_print_flags(u_int8_t f) #define PF_SET_SKIP_STEPS(i) \ do { \ while (head[i] != cur) { \ - head[i]->skip[i].ptr = cur; \ + head[i]->skip[i] = cur; \ head[i] = TAILQ_NEXT(head[i], entries); \ } \ } while (0) @@ -5136,19 +5136,19 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif, while (r != NULL) { pf_counter_u64_add(&r->evaluations, 1); PF_TEST_ATTRIB(pfi_kkif_match(r->kif, kif) == r->ifnot, - r->skip[PF_SKIP_IFP].ptr); + r->skip[PF_SKIP_IFP]); PF_TEST_ATTRIB(r->direction && r->direction != pd->dir, - r->skip[PF_SKIP_DIR].ptr); + r->skip[PF_SKIP_DIR]); PF_TEST_ATTRIB(r->af && r->af != af, - r->skip[PF_SKIP_AF].ptr); + r->skip[PF_SKIP_AF]); PF_TEST_ATTRIB(r->proto && r->proto != pd->proto, - r->skip[PF_SKIP_PROTO].ptr); + r->skip[PF_SKIP_PROTO]); PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.neg, kif, M_GETFIB(m)), - r->skip[PF_SKIP_SRC_ADDR].ptr); + r->skip[PF_SKIP_SRC_ADDR]); PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.neg, NULL, M_GETFIB(m)), - r->skip[PF_SKIP_DST_ADDR].ptr); + r->skip[PF_SKIP_DST_ADDR]); switch (pd->virtual_proto) { case PF_VPROTO_FRAGMENT: /* tcp/udp only. port_op always 0 in other cases */ @@ -5173,11 +5173,11 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif, /* tcp/udp only. port_op always 0 in other cases */ PF_TEST_ATTRIB(r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], sport), - r->skip[PF_SKIP_SRC_PORT].ptr); + r->skip[PF_SKIP_SRC_PORT]); /* tcp/udp only. port_op always 0 in other cases */ PF_TEST_ATTRIB(r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], dport), - r->skip[PF_SKIP_DST_PORT].ptr); + r->skip[PF_SKIP_DST_PORT]); /* tcp/udp only. uid.op always 0 in other cases */ PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done = pf_socket_lookup(pd, m), 1)) && @@ -5401,9 +5401,9 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, REASON_SET(&reason, PFRES_MEMORY); goto csfailed; } - s->rule.ptr = r; - s->nat_rule.ptr = nr; - s->anchor.ptr = a; + s->rule = r; + s->nat_rule = nr; + s->anchor = a; bcopy(match_rules, &s->match_rules, sizeof(s->match_rules)); memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions)); @@ -5936,11 +5936,11 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, (*state)->src.state == TCPS_SYN_SENT) { /* Send RST for state mismatches during handshake */ if (!(th->th_flags & TH_RST)) - pf_send_tcp((*state)->rule.ptr, pd->af, + pf_send_tcp((*state)->rule, pd->af, pd->dst, pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), 0, TH_RST, 0, 0, - (*state)->rule.ptr->return_ttl, true, 0, 0, + (*state)->rule->return_ttl, true, 0, 0, (*state)->act.rtableid); src->seqlo = 0; src->seqhi = 1; @@ -6074,7 +6074,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason) REASON_SET(reason, PFRES_SYNPROXY); return (PF_DROP); } - pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, + pf_send_tcp((*state)->rule, pd->af, pd->dst, pd->src, th->th_dport, th->th_sport, (*state)->src.seqhi, ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, true, 0, 0, @@ -6105,7 +6105,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason) (*state)->src.max_win = MAX(ntohs(th->th_win), 1); if ((*state)->dst.seqhi == 1) (*state)->dst.seqhi = htonl(arc4random()); - pf_send_tcp((*state)->rule.ptr, pd->af, + pf_send_tcp((*state)->rule, pd->af, &sk->addr[pd->sidx], &sk->addr[pd->didx], sk->port[pd->sidx], sk->port[pd->didx], (*state)->dst.seqhi, 0, TH_SYN, 0, @@ -6121,12 +6121,12 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason) } else { (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); (*state)->dst.seqlo = ntohl(th->th_seq); - pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, + pf_send_tcp((*state)->rule, pd->af, pd->dst, pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), ntohl(th->th_seq) + 1, TH_ACK, (*state)->src.max_win, 0, 0, false, (*state)->tag, 0, (*state)->act.rtableid); - pf_send_tcp((*state)->rule.ptr, pd->af, + pf_send_tcp((*state)->rule, pd->af, &sk->addr[pd->sidx], &sk->addr[pd->didx], sk->port[pd->sidx], sk->port[pd->didx], (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, @@ -6875,7 +6875,7 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, return (-1); /* Is this ICMP message flowing in right direction? */ - if ((*state)->rule.ptr->type && + if ((*state)->rule->type && (((!inner && (*state)->direction == direction) || (inner && (*state)->direction != direction)) ? PF_IN : PF_OUT) != icmp_dir) { @@ -7899,7 +7899,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, error = EMSGSIZE; KMOD_IPSTAT_INC(ips_cantfrag); if (r_rt != PF_DUPTO) { - if (s && s->nat_rule.ptr != NULL) + if (s && s->nat_rule != NULL) PACKET_UNDO_NAT(m0, pd, (ip->ip_hl << 2) + (ip_off & IP_OFFMASK), s); @@ -8112,7 +8112,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, else { in6_ifstat_inc(ifp, ifs6_in_toobig); if (r_rt != PF_DUPTO) { - if (s && s->nat_rule.ptr != NULL) + if (s && s->nat_rule != NULL) PACKET_UNDO_NAT(m0, pd, ((caddr_t)ip6 - m0->m_data) + sizeof(struct ip6_hdr), s); @@ -8431,8 +8431,8 @@ pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s, sizeof(struct sockaddr_in6)); } - if (s != NULL && s->nat_rule.ptr != NULL && - s->nat_rule.ptr->action == PF_RDR && + if (s != NULL && s->nat_rule != NULL && + s->nat_rule->action == PF_RDR && ( #ifdef INET (pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) || @@ -8795,10 +8795,10 @@ pf_counters_inc(int action, struct pf_pdesc *pd, if (s != NULL) { struct pf_krule_item *ri; - if (s->nat_rule.ptr != NULL) { - pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx], + if (s->nat_rule != NULL) { + pf_counter_u64_add_protected(&s->nat_rule->packets[dirndx], 1); - pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx], + pf_counter_u64_add_protected(&s->nat_rule->bytes[dirndx], pd->tot_len); } if (s->src_node != NULL) { @@ -8824,9 +8824,9 @@ pf_counters_inc(int action, struct pf_pdesc *pd, } tr = r; - if (s != NULL && s->nat_rule.ptr != NULL && + if (s != NULL && s->nat_rule != NULL && r == &V_pf_default_rule) - tr = s->nat_rule.ptr; + tr = s->nat_rule; if (tr->src.addr.type == PF_ADDR_TABLE) pfr_update_stats(tr->src.addr.p.tbl, @@ -9024,8 +9024,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; + r = s->rule; + a = s->anchor; } else if (s == NULL) { /* Validate remote SYN|ACK, re-create original SYN if * valid. */ @@ -9072,8 +9072,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; + r = s->rule; + a = s->anchor; } else if (s == NULL) action = pf_test_rule(&r, &s, kif, m, off, &pd, &a, &ruleset, inp, hdrlen); @@ -9089,8 +9089,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; + r = s->rule; + a = s->anchor; } else if (s == NULL) { action = pf_test_rule(&r, &s, kif, m, off, &pd, &a, &ruleset, inp, hdrlen); @@ -9109,8 +9109,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; + r = s->rule; + a = s->anchor; } else if (s == NULL) action = pf_test_rule(&r, &s, kif, m, off, &pd, &a, &ruleset, inp, hdrlen); @@ -9128,8 +9128,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; + r = s->rule; + a = s->anchor; } else if (s == NULL) action = pf_test_rule(&r, &s, kif, m, off, &pd, &a, &ruleset, inp, hdrlen); @@ -9141,8 +9141,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; + r = s->rule; + a = s->anchor; } else if (s == NULL) action = pf_test_rule(&r, &s, kif, m, off, &pd, &a, &ruleset, inp, hdrlen); @@ -9224,9 +9224,9 @@ done: * see tcp_input() and in_pcblookup_listen(). */ if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || - pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && - (s->nat_rule.ptr->action == PF_RDR || - s->nat_rule.ptr->action == PF_BINAT) && + pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule != NULL && + (s->nat_rule->action == PF_RDR || + s->nat_rule->action == PF_BINAT) && pf_is_loopback(af, pd.dst)) m->m_flags |= M_SKIP_FIREWALL; @@ -9284,9 +9284,9 @@ done: struct pf_krule *lr; struct pf_krule_item *ri; - if (s != NULL && s->nat_rule.ptr != NULL && - s->nat_rule.ptr->log & PF_LOG_ALL) - lr = s->nat_rule.ptr; + if (s != NULL && s->nat_rule != NULL && + s->nat_rule->log & PF_LOG_ALL) + lr = s->nat_rule; else lr = r; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 6e2fcd358b68..8081960933a2 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1551,8 +1551,8 @@ pf_src_node_copy(const struct pf_ksrc_node *in, struct pf_src_node *out) bcopy(&in->addr, &out->addr, sizeof(struct pf_addr)); bcopy(&in->raddr, &out->raddr, sizeof(struct pf_addr)); - if (in->rule.ptr != NULL) - out->rule.nr = in->rule.ptr->nr; + if (in->rule != NULL) + out->rule.nr = in->rule->nr; for (int i = 0; i < 2; i++) { out->bytes[i] = counter_u64_fetch(in->bytes[i]); @@ -2355,7 +2355,7 @@ relock_DIOCKILLSTATES: continue; if (psk->psk_label[0] && - ! pf_label_match(s->rule.ptr, psk->psk_label)) + ! pf_label_match(s->rule, psk->psk_label)) continue; if (psk->psk_ifname[0] && strcmp(psk->psk_ifname, @@ -5613,18 +5613,18 @@ pfsync_state_export(union pfsync_state_union *sp, struct pf_kstate *st, int msg_ pf_state_peer_hton(&st->src, &sp->pfs_1301.src); pf_state_peer_hton(&st->dst, &sp->pfs_1301.dst); - if (st->rule.ptr == NULL) + if (st->rule == NULL) sp->pfs_1301.rule = htonl(-1); else - sp->pfs_1301.rule = htonl(st->rule.ptr->nr); - if (st->anchor.ptr == NULL) + sp->pfs_1301.rule = htonl(st->rule->nr); + if (st->anchor == NULL) sp->pfs_1301.anchor = htonl(-1); else - sp->pfs_1301.anchor = htonl(st->anchor.ptr->nr); - if (st->nat_rule.ptr == NULL) + sp->pfs_1301.anchor = htonl(st->anchor->nr); + if (st->nat_rule == NULL) sp->pfs_1301.nat_rule = htonl(-1); else - sp->pfs_1301.nat_rule = htonl(st->nat_rule.ptr->nr); + sp->pfs_1301.nat_rule = htonl(st->nat_rule->nr); pf_state_counter_hton(st->packets[0], sp->pfs_1301.packets[0]); pf_state_counter_hton(st->packets[1], sp->pfs_1301.packets[1]); @@ -5679,18 +5679,18 @@ pf_state_export(struct pf_state_export *sp, struct pf_kstate *st) pf_state_peer_hton(&st->src, &sp->src); pf_state_peer_hton(&st->dst, &sp->dst); - if (st->rule.ptr == NULL) + if (st->rule == NULL) sp->rule = htonl(-1); else - sp->rule = htonl(st->rule.ptr->nr); - if (st->anchor.ptr == NULL) + sp->rule = htonl(st->rule->nr); + if (st->anchor == NULL) sp->anchor = htonl(-1); else - sp->anchor = htonl(st->anchor.ptr->nr); - if (st->nat_rule.ptr == NULL) + sp->anchor = htonl(st->anchor->nr); + if (st->nat_rule == NULL) sp->nat_rule = htonl(-1); else - sp->nat_rule = htonl(st->nat_rule.ptr->nr); + sp->nat_rule = htonl(st->nat_rule->nr); sp->packets[0] = st->packets[0]; sp->packets[1] = st->packets[1]; diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 007e8606ee8a..16fbcd49b3c8 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -158,32 +158,32 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; + r = r->skip[PF_SKIP_IFP]; else if (r->direction && r->direction != pd->dir) - r = r->skip[PF_SKIP_DIR].ptr; + r = r->skip[PF_SKIP_DIR]; else if (r->af && r->af != pd->af) - r = r->skip[PF_SKIP_AF].ptr; + r = r->skip[PF_SKIP_AF]; else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; + r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->neg, kif, M_GETFIB(m))) r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : - PF_SKIP_DST_ADDR].ptr; + PF_SKIP_DST_ADDR]; else if (src->port_op && !pf_match_port(src->port_op, src->port[0], src->port[1], sport)) r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : - PF_SKIP_DST_PORT].ptr; + PF_SKIP_DST_PORT]; else if (dst != NULL && PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; + r = r->skip[PF_SKIP_DST_ADDR]; else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0, NULL, M_GETFIB(m))) r = TAILQ_NEXT(r, entries); else if (dst != NULL && dst->port_op && !pf_match_port(dst->port_op, dst->port[0], dst->port[1], dport)) - r = r->skip[PF_SKIP_DST_PORT].ptr; + r = r->skip[PF_SKIP_DST_PORT]; else if (r->match_tag && !pf_match_tag(m, r, &tag, pd->pf_mtag ? pd->pf_mtag->tag : 0)) r = TAILQ_NEXT(r, entries); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c index ca90e0b5b140..15fe341ce57e 100644 --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -192,9 +192,9 @@ dump_state(struct nlpcb *nlp, const struct nlmsghdr *hdr, struct pf_kstate *s, nlattr_add_u64(nw, PF_ST_ID, s->id); nlattr_add_u32(nw, PF_ST_CREATORID, htonl(s->creatorid)); - nlattr_add_u32(nw, PF_ST_RULE, s->rule.ptr ? s->rule.ptr->nr : -1); - nlattr_add_u32(nw, PF_ST_ANCHOR, s->anchor.ptr ? s->anchor.ptr->nr : -1); - nlattr_add_u32(nw, PF_ST_NAT_RULE, s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1); + nlattr_add_u32(nw, PF_ST_RULE, s->rule ? s->rule->nr : -1); + nlattr_add_u32(nw, PF_ST_ANCHOR, s->anchor ? s->anchor->nr : -1); + nlattr_add_u32(nw, PF_ST_NAT_RULE, s->nat_rule ? s->nat_rule->nr : -1); nlattr_add_u64(nw, PF_ST_PACKETS0, s->packets[0]); nlattr_add_u64(nw, PF_ST_PACKETS1, s->packets[1]); diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index d1a1e84db9dc..18a9cff2a5c2 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1079,21 +1079,21 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason, while (r != NULL) { pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; + r = r->skip[PF_SKIP_IFP]; else if (r->direction && r->direction != pd->dir) - r = r->skip[PF_SKIP_DIR].ptr; + r = r->skip[PF_SKIP_DIR]; else if (r->af && r->af != AF_INET) - r = r->skip[PF_SKIP_AF].ptr; + r = r->skip[PF_SKIP_AF]; else if (r->proto && r->proto != h->ip_p) - r = r->skip[PF_SKIP_PROTO].ptr; + r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&r->src.addr, (struct pf_addr *)&h->ip_src.s_addr, AF_INET, r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; + r = r->skip[PF_SKIP_SRC_ADDR]; else if (PF_MISMATCHAW(&r->dst.addr, (struct pf_addr *)&h->ip_dst.s_addr, AF_INET, r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; + r = r->skip[PF_SKIP_DST_ADDR]; else if (r->match_tag && !pf_match_tag(m, r, &tag, pd->pf_mtag ? pd->pf_mtag->tag : 0)) r = TAILQ_NEXT(r, entries); @@ -1242,23 +1242,23 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif, while (r != NULL) { pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; + r = r->skip[PF_SKIP_IFP]; else if (r->direction && r->direction != pd->dir) - r = r->skip[PF_SKIP_DIR].ptr; + r = r->skip[PF_SKIP_DIR]; else if (r->af && r->af != AF_INET6) - r = r->skip[PF_SKIP_AF].ptr; + r = r->skip[PF_SKIP_AF]; #if 0 /* header chain! */ else if (r->proto && r->proto != h->ip6_nxt) - r = r->skip[PF_SKIP_PROTO].ptr; + r = r->skip[PF_SKIP_PROTO]; #endif else if (PF_MISMATCHAW(&r->src.addr, (struct pf_addr *)&h->ip6_src, AF_INET6, r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; + r = r->skip[PF_SKIP_SRC_ADDR]; else if (PF_MISMATCHAW(&r->dst.addr, (struct pf_addr *)&h->ip6_dst, AF_INET6, r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; + r = r->skip[PF_SKIP_DST_ADDR]; else break; } @@ -1406,25 +1406,25 @@ pf_normalize_tcp(struct pfi_kkif *kif, struct mbuf *m, int ipoff, while (r != NULL) { pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; + r = r->skip[PF_SKIP_IFP]; else if (r->direction && r->direction != pd->dir) - r = r->skip[PF_SKIP_DIR].ptr; + r = r->skip[PF_SKIP_DIR]; else if (r->af && r->af != af) - r = r->skip[PF_SKIP_AF].ptr; + r = r->skip[PF_SKIP_AF]; else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; + r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; + r = r->skip[PF_SKIP_SRC_ADDR]; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], th->th_sport)) - r = r->skip[PF_SKIP_SRC_PORT].ptr; + r = r->skip[PF_SKIP_SRC_PORT]; else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; + r = r->skip[PF_SKIP_DST_ADDR]; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], th->th_dport)) - r = r->skip[PF_SKIP_DST_PORT].ptr; + r = r->skip[PF_SKIP_DST_PORT]; else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) @@ -1855,7 +1855,7 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, * packet got delayed in transit for much longer than * this packet. */ - if ((ts_fudge = state->rule.ptr->timeout[PFTM_TS_DIFF]) == 0) + if ((ts_fudge = state->rule->timeout[PFTM_TS_DIFF]) == 0) ts_fudge = V_pf_default_rule.timeout[PFTM_TS_DIFF]; /* Calculate max ticks since the last timestamp */ @@ -2212,25 +2212,25 @@ pf_normalize_sctp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff, while (r != NULL) { pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; + r = r->skip[PF_SKIP_IFP]; else if (r->direction && r->direction != dir) - r = r->skip[PF_SKIP_DIR].ptr; + r = r->skip[PF_SKIP_DIR]; else if (r->af && r->af != af) - r = r->skip[PF_SKIP_AF].ptr; + r = r->skip[PF_SKIP_AF]; else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; + r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; + r = r->skip[PF_SKIP_SRC_ADDR]; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], sh->src_port)) - r = r->skip[PF_SKIP_SRC_PORT].ptr; + r = r->skip[PF_SKIP_SRC_PORT]; else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; + r = r->skip[PF_SKIP_DST_ADDR]; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], sh->dest_port)) - r = r->skip[PF_SKIP_DST_PORT].ptr; + r = r->skip[PF_SKIP_DST_PORT]; else { rm = r; break; diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c index 016fe52f54d8..87c2211a84e0 100644 --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -703,7 +703,7 @@ pf_krule_to_nvrule(struct pf_krule *rule) for (int i = 0; i < PF_SKIP_COUNT; i++) { nvlist_append_number_array(nvl, "skip", - rule->skip[i].ptr ? rule->skip[i].ptr->nr : -1); + rule->skip[i] ? rule->skip[i]->nr : -1); } for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) { @@ -969,11 +969,11 @@ pf_state_to_nvstate(const struct pf_kstate *s) nvlist_add_nvlist(nvl, "rt_addr", tmp); nvlist_destroy(tmp); - nvlist_add_number(nvl, "rule", s->rule.ptr ? s->rule.ptr->nr : -1); + nvlist_add_number(nvl, "rule", s->rule ? s->rule->nr : -1); nvlist_add_number(nvl, "anchor", - s->anchor.ptr ? s->anchor.ptr->nr : -1); + s->anchor ? s->anchor->nr : -1); nvlist_add_number(nvl, "nat_rule", - s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1); + s->nat_rule ? s->nat_rule->nr : -1); nvlist_add_number(nvl, "creation", s->creation / 1000); expire = pf_state_expires(s); diff --git a/sys/netpfil/pf/pflow.c b/sys/netpfil/pf/pflow.c index a437f0259af5..8157ddc1c751 100644 --- a/sys/netpfil/pf/pflow.c +++ b/sys/netpfil/pf/pflow.c @@ -641,7 +641,7 @@ copy_flow_data(struct pflow_flow *flow1, struct pflow_flow *flow2, htonl(st->expire); flow1->tcp_flags = flow2->tcp_flags = 0; flow1->protocol = flow2->protocol = sk->proto; - flow1->tos = flow2->tos = st->rule.ptr->tos; + flow1->tos = flow2->tos = st->rule->tos; } static void @@ -678,7 +678,7 @@ copy_flow_ipfix_4_data(struct pflow_ipfix_flow4 *flow1, (pf_get_uptime() - st->expire))); flow1->protocol = flow2->protocol = sk->proto; - flow1->tos = flow2->tos = st->rule.ptr->tos; + flow1->tos = flow2->tos = st->rule->tos; } static void @@ -717,7 +717,7 @@ copy_flow_ipfix_6_data(struct pflow_ipfix_flow6 *flow1, (pf_get_uptime() - st->expire))); flow1->protocol = flow2->protocol = sk->proto; - flow1->tos = flow2->tos = st->rule.ptr->tos; + flow1->tos = flow2->tos = st->rule->tos; } static void
