authorMatt Smith <mgsmith@netgate.com>2015-11-18 10:30:45 -0600
committerMatt Smith <mgsmith@netgate.com>2015-11-18 10:30:45 -0600
commit0f16ea0b5fa8b7d7f86ff21ea9c1a7e1fd27f45a (patch)
treef200cf69fa7b71dbea4861aa5308aada07eee0b9
parent6c23910924a53e1b7887a29314f9a095810291f9 (diff)
downloadFreeBSD-src-0f16ea0b5fa8b7d7f86ff21ea9c1a7e1fd27f45a.zip
FreeBSD-src-0f16ea0b5fa8b7d7f86ff21ea9c1a7e1fd27f45a.tar.gz
Importing pfSense patch pf_static_tracker.diff
-rw-r--r--sbin/pfctl/parse.y15
-rw-r--r--sbin/pfctl/pfctl.c7
-rw-r--r--sbin/pfctl/pfctl_parser.c4
-rw-r--r--sys/net/if_pflog.h4
-rw-r--r--sys/net/pfvar.h6
-rw-r--r--sys/netpfil/pf/if_pflog.c6
-rw-r--r--sys/netpfil/pf/pf.c8
-rw-r--r--sys/netpfil/pf/pf_ioctl.c26
8 files changed, 73 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 41ba1c3..8ec9384 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -234,6 +234,7 @@ struct filter_opts {
u_int32_t tos;
u_int32_t dscp;
u_int32_t prob;
+ u_int32_t tracker;
struct {
int action;
struct node_state_opt *options;
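Review bot: The new `tracker` member of `filter_opts` (and the one added to `antispoof_opts` in the next hunk) has no comment saying what it holds or where it ends up, and its name does not hint that it is copied into `pf_rule.cuid`. A one-line comment would save the next reader a search through the actions: `u_int32_t tracker; /* user-assigned rule id, stored in pf_rule.cuid; 0 = none */`.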
@@ -263,6 +264,7 @@ struct filter_opts {
struct antispoof_opts {
char *label;
+ u_int32_t tracker;
u_int rtableid;
} antispoof_opts;
@@ -462,7 +464,7 @@ int parseport(char *, struct range *r, int);
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL SCHEDULE
-%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DSCP DROP TABLE
+%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DSCP DROP TABLE TRACKER
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
@@ -1245,6 +1247,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
if (rule_label(&r, $5.label))
YYERROR;
r.rtableid = $5.rtableid;
+ r.cuid = $5.tracker;
j = calloc(1, sizeof(struct node_if));
if (j == NULL)
err(1, "antispoof: calloc");
@@ -1294,6 +1297,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
r.logif = $2.logif;
r.quick = $2.quick;
r.af = $4;
+ r.cuid = $5.tracker;
if (rule_label(&r, $5.label))
YYERROR;
r.rtableid = $5.rtableid;
@@ -1355,6 +1359,9 @@ antispoof_opt : label {
}
antispoof_opts.label = $1;
}
+ | TRACKER number {
+ antispoof_opts.tracker = $2;
+ }
| RTABLE NUMBER {
if ($2 < 0 || $2 > rt_tableid_max()) {
yyerror("invalid rtable id");
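Review bot: The new `TRACKER number` alternative accepts 0, but 0 is what the rest of the change uses as "no tracker" (`if ($9.tracker)` in the pfrule action, `if (rule->cuid)` in pf_ioctl.c), so `tracker 0` is silently the same as omitting the option. Reject it at parse time: `if ($2 == 0) { yyerror("tracker id must be non-zero"); YYERROR; }`, and the same applies to the `filter_opt` alternative at lines 89-91. Neither alternative checks for the option being given twice, unlike other options in this grammar; if the parser's `number` nonterminal does not already bound the value to 32 bits (not visible here), that check belongs here too since the value is stored in a `u_int32_t`.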
@@ -2064,6 +2071,8 @@ pfrule : action dir logquick interface route af proto fromto
if (rule_schedule(&r, $9.schedule))
YYERROR;
free($9.schedule);
+ if ($9.tracker)
+ r.cuid = $9.tracker;
r.flags = $9.flags.b1;
r.flagset = $9.flags.b2;
if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) {
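Review bot: The `if ($9.tracker)` guard around `r.cuid = $9.tracker;` is inconsistent with the antispoof actions (lines 54 and 62), which assign `r.cuid = $5.tracker;` unconditionally. If `r` is zeroed before the options are applied (presumably the case, but that code is outside the hunk) the guard changes nothing and only makes a reader wonder whether `cuid` carries a meaningful prior value here; either drop the guard or assign unconditionally in all three places. The pfrule action continues outside the hunk.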
@@ -2514,6 +2523,9 @@ filter_opt : USER uids {
filter_opts.keep.action = $1.action;
filter_opts.keep.options = $1.options;
}
+ | TRACKER number {
+ filter_opts.tracker = $2;
+ }
| FRAGMENT {
filter_opts.fragment = 1;
}
@@ -5752,6 +5764,7 @@ lookup(char *s)
{ "timeout", TIMEOUT},
{ "to", TO},
{ "tos", TOS},
+ { "tracker", TRACKER},
{ "ttl", TTL},
{ "upperlimit", UPPERLIMIT},
{ "urpf-failed", URPFFAILED},
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 1e957f6..6fd5020 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -825,10 +825,17 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts)
(unsigned long long)(rule->bytes[0] +
rule->bytes[1]), (uintmax_t)rule->u_states_cur);
if (!(opts & PF_OPT_DEBUG))
+#ifdef PF_USER_INFO
printf(" [ Inserted: uid %u pid %u "
"State Creations: %-6ju]\n",
(unsigned)rule->cuid, (unsigned)rule->cpid,
(uintmax_t)rule->u_states_tot);
+#else
+ printf(" [ Inserted: pid %u "
+ "State Creations: %-6ju]\n",
+ (unsigned)rule->cpid,
+ (uintmax_t)rule->states_tot);
+#endif
}
}
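Review bot: The `#else` branch reads `rule->states_tot` while the `#ifdef PF_USER_INFO` branch just above reads `rule->u_states_tot`; these are different members, and if `states_tot` is the kernel's counter handle rather than the userland copy, the cast prints that value instead of the state-creation count. The line should be `(uintmax_t)rule->u_states_tot);` to match the original branch. Splitting the body of `if (!(opts & PF_OPT_DEBUG))` with a preprocessor conditional is fragile as well; wrapping only the format string and argument differences, or the whole `if`, in the conditional would keep the statement structure visible.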
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 2bc6be7..8121293 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -736,7 +736,11 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
int i, opts;
if (verbose)
+#ifdef PF_USER_INFO
printf("@%d ", r->nr);
+#else
+ printf("@%d(%u) ", r->nr, r->cuid);
+#endif
if (r->action == PF_MATCH)
printf("match");
else if (r->action > PF_NORDR)
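Review bot: The tracker id is printed only inside the verbose `@%d(%u)` prefix, which is not rule syntax, so a ruleset shown with `pfctl -sr` can no longer be fed back through the parser with its tracker ids intact even though parse.y now accepts `tracker <number>`. print_rule should also emit the option in the rule body when it is set, e.g. `if (r->cuid) printf(" tracker %u", r->cuid);` next to the other per-rule options; the body of print_rule continues outside the hunk. The changed prefix format is also a visible output change for anything that parses verbose pfctl output, which the commit message does not mention.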
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 0faeb7d..326b551 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -40,10 +40,14 @@ struct pfloghdr {
char ruleset[PFLOG_RULESET_NAME_SIZE];
u_int32_t rulenr;
u_int32_t subrulenr;
+#ifdef PF_USER_INFO
uid_t uid;
pid_t pid;
uid_t rule_uid;
pid_t rule_pid;
+#else
+ u_int32_t ridentifier;
+#endif
u_int8_t dir;
u_int8_t pad[3];
};
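Review bot: Replacing the four uid/pid members with a single `u_int32_t ridentifier` changes the size and layout of `struct pfloghdr`, which is the header written to the pflog interface and read by packet-capture consumers; anything built against the old layout will read the wrong offsets for `ridentifier`, `dir` and the trailing padding. That is presumably intended for this branch, but the header needs a comment stating the format and the byte order of the new field, e.g. `u_int32_t ridentifier; /* tracker id of the matching rule (pf_rule.cuid); network byte order like rulenr */`, since the other u_int32_t members are stored with htonl() in if_pflog.c and the new one currently is not.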
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index bc56066..90f90df 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -546,7 +546,11 @@ struct pf_rule {
u_int32_t rt_listid;
u_int32_t nr;
u_int32_t prob;
+#ifdef PF_USER_INFO
uid_t cuid;
+#else
+ u_int32_t cuid;
+#endif
pid_t cpid;
counter_u64_t states_cur;
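Review bot: With PF_USER_INFO undefined, `cuid` no longer records the creating process's uid but whatever value the ioctl caller put in the rule, so the name "cuid" is now misleading and nothing at the definition says so. Add a comment on the `#else` member, e.g. `u_int32_t cuid; /* caller-supplied tracker id, 0 = none; matched across reloads in DIOCADDRULE */`. The second hunk removes `pf_pdesc.lookup` under the same condition; any reference to `pd->lookup` outside the hunks shown for pf.c would fail to compile, which is worth checking since only pf_test_rule is touched here.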
@@ -1143,11 +1147,13 @@ struct pfi_kif {
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
struct pf_pdesc {
+#ifdef PF_USER_INFO
struct {
int done;
uid_t uid;
gid_t gid;
} lookup;
+#endif
u_int64_t tot_len; /* Make Mickey money */
union {
struct tcphdr *tcp;
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 1efd5e2..5c22806 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -209,7 +209,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
return (0);
bzero(&hdr, sizeof(hdr));
- hdr.length = PFLOG_REAL_HDRLEN;
+ hdr.length = PFLOG_HDRLEN;
hdr.af = af;
hdr.action = rm->action;
hdr.reason = reason;
@@ -218,13 +218,16 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
hdr.subrulenr = 1;
+ hdr.ridentifier = rm->cuid;
} else {
hdr.rulenr = htonl(am->nr);
hdr.subrulenr = htonl(rm->nr);
+ hdr.ridentifier = rm->cuid;
if (ruleset != NULL && ruleset->anchor != NULL)
strlcpy(hdr.ruleset, ruleset->anchor->name,
sizeof(hdr.ruleset));
}
+#ifdef PF_USER_INFO
/*
* XXXGL: we avoid pf_socket_lookup() when we are holding
* state lock, since this leads to unsafe LOR.
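Review bot: `hdr.ridentifier` is assigned in both branches without a preprocessor guard, but the member only exists in the `#else` (PF_USER_INFO undefined) arm of `struct pfloghdr`, so building with PF_USER_INFO defined fails to compile this function. It is also the only u_int32_t in the header stored in host order while `rulenr` and `subrulenr` go through htonl() on the adjacent lines. Since both branches store the same value, replace the two assignments with one after the if/else: `#ifndef PF_USER_INFO`, `hdr.ridentifier = htonl(rm->cuid);`, `#endif`. pflog_packet continues outside the hunk.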
@@ -239,6 +242,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
hdr.pid = NO_PID;
hdr.rule_uid = rm->cuid;
hdr.rule_pid = rm->cpid;
+#endif
hdr.dir = dir;
#ifdef INET
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 978809d..40e5eea 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -2782,6 +2782,7 @@ pf_match_ieee8021q_pcp(u_int8_t op, u_int8_t pcp1, u_int8_t pcp2,
return (pf_match(op, pcp1, pcp2, mpcp));
}
+#ifdef PF_USER_INFO
static int
pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
{
@@ -2797,6 +2798,7 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
return (0);
return (pf_match(op, a1, a2, g));
}
+#endif
int
pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, int mtag)
@@ -3005,6 +3007,7 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a)
a->flags |= PFRULE_DN_IS_PIPE;
}
+#ifdef PF_USER_INFO
int
pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
{
@@ -3084,6 +3087,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
return (1);
}
+#endif
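Review bot: `pf_socket_lookup` is non-static, so its prototype (presumably in pfvar.h, not part of this diff) and any other caller stay visible while the definition disappears under PF_USER_INFO-undefined builds; the prototype should be wrapped in the same `#ifdef PF_USER_INFO` so a stray call fails at compile time rather than at link time. The same applies to `pf_match_uid`/`pf_match_gid` if they are declared outside pf.c.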
static u_int8_t
pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
@@ -3275,12 +3279,14 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_RULES_RASSERT();
+#ifdef PF_USER_INFO
if (inp != NULL) {
INP_LOCK_ASSERT(inp);
pd->lookup.uid = inp->inp_cred->cr_uid;
pd->lookup.gid = inp->inp_cred->cr_groups[0];
pd->lookup.done = 1;
}
+#endif
switch (pd->proto) {
case IPPROTO_TCP:
@@ -3502,6 +3508,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
(r->flagset & th->th_flags) != r->flags)
r = TAILQ_NEXT(r, entries);
/* tcp/udp only. uid.op always 0 in other cases */
+#ifdef PF_USER_INFO
else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
pf_socket_lookup(direction, pd, m), 1)) &&
!pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
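Review bot: With PF_USER_INFO undefined, rules that carry `user`/`group` criteria are still accepted (parse.y's `filter_opt : USER uids` and the kernel's rule structure are unchanged) but the uid/gid comparison is compiled out here and in the next hunk, so such a rule now matches as if the criteria were absent. That is a silent widening of what the rule allows; DIOCADDRULE should reject them under this configuration, e.g. `#ifndef PF_USER_INFO` / `if (rule->uid.op || rule->gid.op) ERROUT(EINVAL);` / `#endif`, and pfctl could refuse the keywords as well. The comment `/* tcp/udp only. uid.op always 0 in other cases */` now sits outside the conditional and refers to code that may not be compiled; move it inside the `#ifdef`. pf_test_rule continues outside the hunk.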
@@ -3513,6 +3520,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
!pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
pd->lookup.gid))
r = TAILQ_NEXT(r, entries);
+#endif
else if (r->ieee8021q_pcp.op &&
!pf_match_ieee8021q_pcp(r->ieee8021q_pcp.op,
r->ieee8021q_pcp.pcp[0], r->ieee8021q_pcp.pcp[1], m))
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 68f30d6..fcb6e8f 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1170,7 +1170,9 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
rule->states_cur = counter_u64_alloc(M_WAITOK);
rule->states_tot = counter_u64_alloc(M_WAITOK);
rule->src_nodes = counter_u64_alloc(M_WAITOK);
+#ifdef PF_USER_INFO
rule->cuid = td->td_ucred->cr_ruid;
+#endif
rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
TAILQ_INIT(&rule->rpool.list);
@@ -1196,7 +1198,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
V_ticket_pabuf));
ERROUT(EBUSY);
}
-
tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
pf_rulequeue);
if (tail)
@@ -1275,8 +1276,29 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
}
rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
+#ifndef PF_USER_INFO
+ if (rule->cuid) {
+ tail = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
+ while ((tail != NULL) && (tail->cuid != rule->cuid))
+ tail = TAILQ_NEXT(tail, entries);
+ if (tail != NULL) {
+ rule->evaluations = tail->evaluations;
+ rule->packets[0] = tail->packets[0];
+ rule->packets[1] = tail->packets[1];
+ rule->bytes[0] = tail->bytes[0];
+ rule->bytes[1] = tail->bytes[1];
+ } else {
+ rule->evaluations = rule->packets[0] = rule->packets[1] =
+ rule->bytes[0] = rule->bytes[1] = 0;
+ }
+ } else {
+ rule->evaluations = rule->packets[0] = rule->packets[1] =
+ rule->bytes[0] = rule->bytes[1] = 0;
+ }
+#else
rule->evaluations = rule->packets[0] = rule->packets[1] =
rule->bytes[0] = rule->bytes[1] = 0;
+#endif
TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
rule, entries);
ruleset->rules[rs_num].inactive.rcount++;
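Review bot: The counter carry-over block zeroes the five counters in three separate places (two `else` arms plus the `#else` arm) and reuses `tail`, which earlier in this function holds the last rule of the inactive queue, as the scan cursor; zeroing once before the `#ifndef` and only overwriting on a match removes the duplication and the ambiguity about what `tail` means afterwards. Two behavioural points should be documented next to the block rather than left implicit: the match is a linear walk of the active ruleset for every added rule, so a reload of a large ruleset is quadratic while the rules write lock is held, and when several rules share a tracker id the first active match wins, so statistics can be attributed to the wrong rule. DIOCCHANGERULE in the last hunk gets no carry-over at all, so a rule replaced through that path restarts from zero; if that is intended it deserves a comment there. pfioctl continues outside the hunk.
```c
	rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
	rule->evaluations = rule->packets[0] = rule->packets[1] =
	    rule->bytes[0] = rule->bytes[1] = 0;
#ifndef PF_USER_INFO
	/*
	 * Carry the counters over from the active rule that has the same
	 * tracker id so a reload keeps per-rule statistics.  0 means "no
	 * tracker".  Linear in the active ruleset; first match wins if
	 * tracker ids are not unique.
	 */
	if (rule->cuid != 0) {
		struct pf_rule *prev;

		TAILQ_FOREACH(prev, ruleset->rules[rs_num].active.ptr, entries)
			if (prev->cuid == rule->cuid)
				break;
		if (prev != NULL) {
			rule->evaluations = prev->evaluations;
			rule->packets[0] = prev->packets[0];
			rule->packets[1] = prev->packets[1];
			rule->bytes[0] = prev->bytes[0];
			rule->bytes[1] = prev->bytes[1];
		}
	}
#endif
	/* … unchanged: TAILQ_INSERT_TAIL into the inactive queue … */
```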
@@ -1426,7 +1448,9 @@ DIOCADDRULE_error:
newrule->states_cur = counter_u64_alloc(M_WAITOK);
newrule->states_tot = counter_u64_alloc(M_WAITOK);
newrule->src_nodes = counter_u64_alloc(M_WAITOK);
+#ifdef PF_USER_INFO
newrule->cuid = td->td_ucred->cr_ruid;
+#endif
newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
TAILQ_INIT(&newrule->rpool.list);
}