diff options
author | Luiz Otavio O Souza <luiz@netgate.com> | 2016-01-28 05:56:09 -0600 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2016-01-28 05:56:09 -0600 |
commit | 5c82541da7e1c32c093de140d0c173418ee9c545 (patch) | |
tree | 62715df97fe66ca00111fcf838760d1326653264 | |
parent | 6d77218901c68616c2f97486c813b9a78c48046a (diff) | |
download | FreeBSD-src-5c82541da7e1c32c093de140d0c173418ee9c545.zip FreeBSD-src-5c82541da7e1c32c093de140d0c173418ee9c545.tar.gz |
Revert "Importing pfSense patch pf_static_tracker.diff"
This reverts commit 9068fb423dfecae0f8b611d4bc558dd6cb2e2bd7.
-rw-r--r-- | sbin/pfctl/parse.y | 15 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 7 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 4 | ||||
-rw-r--r-- | sys/net/if_pflog.h | 4 | ||||
-rw-r--r-- | sys/net/pfvar.h | 6 | ||||
-rw-r--r-- | sys/netpfil/pf/if_pflog.c | 6 | ||||
-rw-r--r-- | sys/netpfil/pf/pf.c | 8 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 26 |
8 files changed, 3 insertions, 73 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index b5577e2..1ee564f 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -234,7 +234,6 @@ struct filter_opts { u_int32_t tos; u_int32_t dscp; u_int32_t prob; - u_int32_t tracker; struct { int action; struct node_state_opt *options; @@ -264,7 +263,6 @@ struct filter_opts { struct antispoof_opts { char *label; - u_int32_t tracker; u_int rtableid; } antispoof_opts; @@ -463,7 +461,7 @@ int parseport(char *, struct range *r, int); %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL SCHEDULE -%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DSCP DROP TABLE TRACKER +%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DSCP DROP TABLE %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID @@ -1246,7 +1244,6 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { if (rule_label(&r, $5.label)) YYERROR; r.rtableid = $5.rtableid; - r.cuid = $5.tracker; j = calloc(1, sizeof(struct node_if)); if (j == NULL) err(1, "antispoof: calloc"); @@ -1296,7 +1293,6 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { r.logif = $2.logif; r.quick = $2.quick; r.af = $4; - r.cuid = $5.tracker; if (rule_label(&r, $5.label)) YYERROR; r.rtableid = $5.rtableid; @@ -1358,9 +1354,6 @@ antispoof_opt : label { } antispoof_opts.label = $1; } - | TRACKER number { - antispoof_opts.tracker = $2; - } | RTABLE NUMBER { if ($2 < 0 || $2 > rt_tableid_max()) { yyerror("invalid rtable id"); @@ -2070,8 +2063,6 @@ pfrule : action dir logquick interface route af proto fromto if (rule_schedule(&r, $9.schedule)) YYERROR; free($9.schedule); - if ($9.tracker) - r.cuid = $9.tracker; r.flags = $9.flags.b1; r.flagset = $9.flags.b2; if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) { @@ -2522,9 +2513,6 @@ filter_opt : USER uids { filter_opts.keep.action = $1.action; filter_opts.keep.options = $1.options; } - | TRACKER number { - filter_opts.tracker = $2; - } | FRAGMENT { filter_opts.fragment = 1; } @@ -5761,7 +5749,6 @@ lookup(char *s) { "timeout", TIMEOUT}, { "to", TO}, { "tos", TOS}, - { "tracker", TRACKER}, { "ttl", TTL}, { "upperlimit", UPPERLIMIT}, { "urpf-failed", URPFFAILED}, diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index d606b62b..3a93fa2 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -825,17 +825,10 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts) (unsigned long long)(rule->bytes[0] + rule->bytes[1]), (uintmax_t)rule->u_states_cur); if (!(opts & PF_OPT_DEBUG)) -#ifdef PF_USER_INFO printf(" [ Inserted: uid %u pid %u " "State Creations: %-6ju]\n", (unsigned)rule->cuid, (unsigned)rule->cpid, (uintmax_t)rule->u_states_tot); -#else - printf(" [ Inserted: pid %u " - "State Creations: %-6ju]\n", - (unsigned)rule->cpid, - (uintmax_t)rule->states_tot); -#endif } } diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 5b03a93..b4fe20a 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -736,11 +736,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric) int i, opts; if (verbose) -#ifdef PF_USER_INFO printf("@%d ", r->nr); -#else - printf("@%d(%u) ", r->nr, r->cuid); -#endif if (r->action == PF_MATCH) printf("match"); else if (r->action > PF_NORDR) diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index 326b551..0faeb7d 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -40,14 +40,10 @@ struct pfloghdr { char ruleset[PFLOG_RULESET_NAME_SIZE]; u_int32_t rulenr; u_int32_t subrulenr; -#ifdef PF_USER_INFO uid_t uid; pid_t pid; uid_t rule_uid; pid_t rule_pid; -#else - u_int32_t ridentifier; -#endif u_int8_t dir; u_int8_t pad[3]; }; diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index e46bb69..2936771 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -547,11 +547,7 @@ struct pf_rule { u_int32_t rt_listid; u_int32_t nr; u_int32_t prob; -#ifdef PF_USER_INFO uid_t cuid; -#else - u_int32_t cuid; -#endif pid_t cpid; counter_u64_t states_cur; @@ -1148,13 +1144,11 @@ struct pfi_kif { #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ struct pf_pdesc { -#ifdef PF_USER_INFO struct { int done; uid_t uid; gid_t gid; } lookup; -#endif u_int64_t tot_len; /* Make Mickey money */ union { struct tcphdr *tcp; diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c index 5c22806..1efd5e2 100644 --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c @@ -209,7 +209,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, return (0); bzero(&hdr, sizeof(hdr)); - hdr.length = PFLOG_HDRLEN; + hdr.length = PFLOG_REAL_HDRLEN; hdr.af = af; hdr.action = rm->action; hdr.reason = reason; @@ -218,16 +218,13 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, if (am == NULL) { hdr.rulenr = htonl(rm->nr); hdr.subrulenr = 1; - hdr.ridentifier = rm->cuid; } else { hdr.rulenr = htonl(am->nr); hdr.subrulenr = htonl(rm->nr); - hdr.ridentifier = rm->cuid; if (ruleset != NULL && ruleset->anchor != NULL) strlcpy(hdr.ruleset, ruleset->anchor->name, sizeof(hdr.ruleset)); } -#ifdef PF_USER_INFO /* * XXXGL: we avoid pf_socket_lookup() when we are holding * state lock, since this leads to unsafe LOR. @@ -242,7 +239,6 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, hdr.pid = NO_PID; hdr.rule_uid = rm->cuid; hdr.rule_pid = rm->cpid; -#endif hdr.dir = dir; #ifdef INET diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index eed1ac8..89a2716 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -2851,7 +2851,6 @@ pf_match_ieee8021q_pcp(u_int8_t op, u_int8_t pcp1, u_int8_t pcp2, return (pf_match(op, pcp1, pcp2, mpcp)); } -#ifdef PF_USER_INFO static int pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) { @@ -2867,7 +2866,6 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) return (0); return (pf_match(op, a1, a2, g)); } -#endif int pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, int mtag) @@ -3076,7 +3074,6 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a) a->flags |= PFRULE_DN_IS_PIPE; } -#ifdef PF_USER_INFO int pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m) { @@ -3156,7 +3153,6 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m) return (1); } -#endif static u_int8_t pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) @@ -3348,14 +3344,12 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, PF_RULES_RASSERT(); -#ifdef PF_USER_INFO if (inp != NULL) { INP_LOCK_ASSERT(inp); pd->lookup.uid = inp->inp_cred->cr_uid; pd->lookup.gid = inp->inp_cred->cr_groups[0]; pd->lookup.done = 1; } -#endif switch (pd->proto) { case IPPROTO_TCP: @@ -3578,7 +3572,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, (r->flagset & th->th_flags) != r->flags) r = TAILQ_NEXT(r, entries); /* tcp/udp only. uid.op always 0 in other cases */ -#ifdef PF_USER_INFO else if (r->uid.op && (pd->lookup.done || (pd->lookup.done = pf_socket_lookup(direction, pd, m), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], @@ -3590,7 +3583,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], pd->lookup.gid)) r = TAILQ_NEXT(r, entries); -#endif else if (r->ieee8021q_pcp.op && !pf_match_ieee8021q_pcp(r->ieee8021q_pcp.op, r->ieee8021q_pcp.pcp[0], r->ieee8021q_pcp.pcp[1], m)) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 146a56f..cacae58 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1168,9 +1168,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td rule->states_cur = counter_u64_alloc(M_WAITOK); rule->states_tot = counter_u64_alloc(M_WAITOK); rule->src_nodes = counter_u64_alloc(M_WAITOK); -#ifdef PF_USER_INFO rule->cuid = td->td_ucred->cr_ruid; -#endif rule->cpid = td->td_proc ? td->td_proc->p_pid : 0; TAILQ_INIT(&rule->rpool.list); @@ -1196,6 +1194,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td V_ticket_pabuf)); ERROUT(EBUSY); } + tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, pf_rulequeue); if (tail) @@ -1274,29 +1273,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td } rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); -#ifndef PF_USER_INFO - if (rule->cuid) { - tail = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); - while ((tail != NULL) && (tail->cuid != rule->cuid)) - tail = TAILQ_NEXT(tail, entries); - if (tail != NULL) { - rule->evaluations = tail->evaluations; - rule->packets[0] = tail->packets[0]; - rule->packets[1] = tail->packets[1]; - rule->bytes[0] = tail->bytes[0]; - rule->bytes[1] = tail->bytes[1]; - } else { - rule->evaluations = rule->packets[0] = rule->packets[1] = - rule->bytes[0] = rule->bytes[1] = 0; - } - } else { - rule->evaluations = rule->packets[0] = rule->packets[1] = - rule->bytes[0] = rule->bytes[1] = 0; - } -#else rule->evaluations = rule->packets[0] = rule->packets[1] = rule->bytes[0] = rule->bytes[1] = 0; -#endif TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries); ruleset->rules[rs_num].inactive.rcount++; @@ -1446,9 +1424,7 @@ DIOCADDRULE_error: newrule->states_cur = counter_u64_alloc(M_WAITOK); newrule->states_tot = counter_u64_alloc(M_WAITOK); newrule->src_nodes = counter_u64_alloc(M_WAITOK); -#ifdef PF_USER_INFO newrule->cuid = td->td_ucred->cr_ruid; -#endif newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0; TAILQ_INIT(&newrule->rpool.list); } |