Apply by doing: cd /usr/src patch -p0 < 005_pf.patch Then build and install a new kernel. Index: sys/net/pf_ioctl.c =================================================================== RCS file: /cvs/src/sys/net/pf_ioctl.c,v retrieving revision 1.235 retrieving revision 1.235.2.1 diff -u -r1.235 -r1.235.2.1 --- sys/net/pf_ioctl.c 30 Jun 2010 18:10:55 -0000 1.235 +++ sys/net/pf_ioctl.c 16 Dec 2010 11:11:18 -0000 1.235.2.1 @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.235 2010/06/30 18:10:55 henning Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.235.2.1 2010/12/16 11:11:18 stephan Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -111,6 +111,9 @@ int pf_kif_setup(char *, struct pfi_kif **); void pf_addr_copyout(struct pf_addr_wrap *); void pf_trans_set_commit(void); +void pf_pool_copyin(struct pf_pool *, struct pf_pool *); +int pf_rule_copyin(struct pf_rule *, struct pf_rule *, + struct pf_ruleset *); struct pf_rule pf_default_rule, pf_default_rule_new; struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk"); @@ -1011,21 +1014,17 @@ error = EBUSY; break; } - rule = pool_get(&pf_rule_pl, PR_WAITOK|PR_LIMITFAIL); + rule = pool_get(&pf_rule_pl, PR_WAITOK|PR_LIMITFAIL|PR_ZERO); if (rule == NULL) { error = ENOMEM; break; } - bcopy(&pr->rule, rule, sizeof(struct pf_rule)); + if ((error = pf_rule_copyin(&pr->rule, rule, ruleset))) { + pool_put(&pf_rule_pl, rule); + break; + } rule->cuid = p->p_cred->p_ruid; rule->cpid = p->p_pid; - rule->anchor = NULL; - rule->kif = NULL; - rule->rcv_kif = NULL; - /* initialize refcounting */ - rule->states_cur = 0; - rule->src_nodes = 0; - rule->entries.tqe_prev = NULL; switch (rule->af) { case 0: @@ -1054,48 +1053,6 @@ rule->dst.addr.type == PF_ADDR_NONE) error = EINVAL; - if (pf_kif_setup(rule->ifname, &rule->kif)) - error = EINVAL; - if (pf_kif_setup(rule->rcv_ifname, &rule->rcv_kif)) - error = EINVAL; - if (pf_kif_setup(rule->rdr.ifname, &rule->rdr.kif)) - error = EINVAL; - if (pf_kif_setup(rule->nat.ifname, &rule->nat.kif)) - error = EINVAL; - if (pf_kif_setup(rule->route.ifname, &rule->route.kif)) - error = EINVAL; - - if (rule->rtableid > 0 && !rtable_exists(rule->rtableid)) - error = EBUSY; - -#ifdef ALTQ - /* set queue IDs */ - if (rule->qname[0] != 0) { - if ((rule->qid = pf_qname2qid(rule->qname)) == 0) - error = EBUSY; - else if (rule->pqname[0] != 0) { - if ((rule->pqid = - pf_qname2qid(rule->pqname)) == 0) - error = EBUSY; - } else - rule->pqid = rule->qid; - } -#endif - if (rule->tagname[0]) - if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0) - error = EBUSY; - if (rule->match_tagname[0]) - if ((rule->match_tag = - pf_tagname2tag(rule->match_tagname)) == 0) - error = EBUSY; - if (rule->rt && !rule->direction) - error = EINVAL; -#if NPFLOG > 0 - if (!rule->log) - rule->logif = 0; - if (rule->logif >= PFLOGIFS_MAX) - error = EINVAL; -#endif if (pf_addr_setup(ruleset, &rule->src.addr, rule->af)) error = EINVAL; if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af)) @@ -1108,22 +1065,13 @@ error = EINVAL; if (pf_anchor_setup(rule, ruleset, pr->anchor_call)) error = EINVAL; - - if (rule->overload_tblname[0]) { - if ((rule->overload_tbl = pfr_attach_table(ruleset, - rule->overload_tblname, 0)) == NULL) - error = EINVAL; - else - rule->overload_tbl->pfrkt_flags |= - PFR_TFLAG_ACTIVE; - } + if (rule->rt && !rule->direction) + error = EINVAL; if (error) { pf_rm_rule(NULL, rule); break; } - rule->evaluations = rule->packets[0] = rule->packets[1] = - rule->bytes[0] = rule->bytes[1] = 0; TAILQ_INSERT_TAIL(ruleset->rules.inactive.ptr, rule, entries); ruleset->rules.inactive.rcount++; @@ -1232,17 +1180,15 @@ } if (pcr->action != PF_CHANGE_REMOVE) { - newrule = pool_get(&pf_rule_pl, PR_WAITOK|PR_LIMITFAIL); + newrule = pool_get(&pf_rule_pl, + PR_WAITOK|PR_LIMITFAIL|PR_ZERO); if (newrule == NULL) { error = ENOMEM; break; } - bcopy(&pcr->rule, newrule, sizeof(struct pf_rule)); + pf_rule_copyin(&pcr->rule, newrule, ruleset); newrule->cuid = p->p_cred->p_ruid; newrule->cpid = p->p_pid; - /* initialize refcounting */ - newrule->states_cur = 0; - newrule->entries.tqe_prev = NULL; switch (newrule->af) { case 0: @@ -1261,51 +1207,8 @@ goto fail; } - if (pf_kif_setup(newrule->ifname, &newrule->kif)) - error = EINVAL; - if (pf_kif_setup(newrule->rcv_ifname, &newrule->rcv_kif)) - error = EINVAL; - if (pf_kif_setup(newrule->rdr.ifname, &newrule->rdr.kif)) - error = EINVAL; - if (pf_kif_setup(newrule->nat.ifname, &newrule->nat.kif)) - error = EINVAL; - if (pf_kif_setup(newrule->route.ifname, &newrule->route.kif)) - error = EINVAL; - - if (newrule->rtableid > 0 && - !rtable_exists(newrule->rtableid)) - error = EBUSY; - -#ifdef ALTQ - /* set queue IDs */ - if (newrule->qname[0] != 0) { - if ((newrule->qid = - pf_qname2qid(newrule->qname)) == 0) - error = EBUSY; - else if (newrule->pqname[0] != 0) { - if ((newrule->pqid = - pf_qname2qid(newrule->pqname)) == 0) - error = EBUSY; - } else - newrule->pqid = newrule->qid; - } -#endif /* ALTQ */ - if (newrule->tagname[0]) - if ((newrule->tag = - pf_tagname2tag(newrule->tagname)) == 0) - error = EBUSY; - if (newrule->match_tagname[0]) - if ((newrule->match_tag = pf_tagname2tag( - newrule->match_tagname)) == 0) - error = EBUSY; if (newrule->rt && !newrule->direction) error = EINVAL; -#if NPFLOG > 0 - if (!newrule->log) - newrule->logif = 0; - if (newrule->logif >= PFLOGIFS_MAX) - error = EINVAL; -#endif if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af)) error = EINVAL; if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af)) @@ -1319,23 +1222,10 @@ if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call)) error = EINVAL; - if (newrule->overload_tblname[0]) { - if ((newrule->overload_tbl = pfr_attach_table( - ruleset, newrule->overload_tblname, 0)) == - NULL) - error = EINVAL; - else - newrule->overload_tbl->pfrkt_flags |= - PFR_TFLAG_ACTIVE; - } - if (error) { pf_rm_rule(NULL, newrule); break; } - newrule->evaluations = 0; - newrule->packets[0] = newrule->packets[1] = 0; - newrule->bytes[0] = newrule->bytes[1] = 0; } if (pcr->action == PF_CHANGE_ADD_HEAD) @@ -1753,6 +1643,7 @@ break; } bcopy(&pa->altq, altq, sizeof(struct pf_altq)); + altq->altq_disc = NULL; /* * if this is for a queue, find the discipline and @@ -1764,7 +1655,6 @@ pool_put(&pf_altq_pl, altq); break; } - altq->altq_disc = NULL; TAILQ_FOREACH(a, pf_altqs_inactive, entries) { if (strncmp(a->ifname, altq->ifname, IFNAMSIZ) == 0 && a->qname[0] == 0) { @@ -2569,4 +2459,136 @@ pf_status.hostid = pf_trans_set.hostid; if (pf_trans_set.mask & PF_TSET_REASS) pf_status.reass = pf_trans_set.reass; +} + +void +pf_pool_copyin(struct pf_pool *from, struct pf_pool *to) +{ + bcopy(from, to, sizeof(*to)); + to->kif = NULL; +} + +int +pf_rule_copyin(struct pf_rule *from, struct pf_rule *to, + struct pf_ruleset *ruleset) +{ + int i; + + to->src = from->src; + to->dst = from->dst; + + /* XXX union skip[] */ + + strlcpy(to->label, from->label, sizeof(to->label)); + strlcpy(to->ifname, from->ifname, sizeof(to->ifname)); + strlcpy(to->rcv_ifname, from->rcv_ifname, sizeof(to->rcv_ifname)); + strlcpy(to->qname, from->qname, sizeof(to->qname)); + strlcpy(to->pqname, from->pqname, sizeof(to->pqname)); + strlcpy(to->tagname, from->tagname, sizeof(to->tagname)); + strlcpy(to->match_tagname, from->match_tagname, + sizeof(to->match_tagname)); + strlcpy(to->overload_tblname, from->overload_tblname, + sizeof(to->overload_tblname)); + + pf_pool_copyin(&from->nat, &to->nat); + pf_pool_copyin(&from->rdr, &to->rdr); + pf_pool_copyin(&from->route, &to->route); + + if (pf_kif_setup(to->ifname, &to->kif)) + return (EINVAL); + if (pf_kif_setup(to->rcv_ifname, &to->rcv_kif)) + return (EINVAL); + if (to->overload_tblname[0]) { + if ((to->overload_tbl = pfr_attach_table(ruleset, + to->overload_tblname, 0)) == NULL) + return (EINVAL); + else + to->overload_tbl->pfrkt_flags |= PFR_TFLAG_ACTIVE; + } + + if (pf_kif_setup(to->rdr.ifname, &to->rdr.kif)) + return (EINVAL); + if (pf_kif_setup(to->nat.ifname, &to->nat.kif)) + return (EINVAL); + if (pf_kif_setup(to->route.ifname, &to->route.kif)) + return (EINVAL); + + to->os_fingerprint = from->os_fingerprint; + + to->rtableid = from->rtableid; + if (to->rtableid > 0 && !rtable_exists(to->rtableid)) + return (EBUSY); + + for (i = 0; i < PFTM_MAX; i++) + to->timeout[i] = from->timeout[i]; + to->states_tot = from->states_tot; + to->max_states = from->max_states; + to->max_src_nodes = from->max_src_nodes; + to->max_src_states = from->max_src_states; + to->max_src_conn = from->max_src_conn; + to->max_src_conn_rate.limit = from->max_src_conn_rate.limit; + to->max_src_conn_rate.seconds = from->max_src_conn_rate.seconds; + +#ifdef ALTQ + /* set queue IDs */ + if (to->qname[0] != 0) { + if ((to->qid = pf_qname2qid(to->qname)) == 0) + return (EBUSY); + else if (to->pqname[0] != 0) { + if ((to->pqid = pf_qname2qid(to->pqname)) == 0) + return (EBUSY); + } else + to->pqid = to->qid; + } +#endif + to->rt_listid = from->rt_listid; + to->prob = from->prob; + to->return_icmp = from->return_icmp; + to->return_icmp6 = from->return_icmp6; + to->max_mss = from->max_mss; + if (to->tagname[0]) + if ((to->tag = pf_tagname2tag(to->tagname)) == 0) + return (EBUSY); + if (to->match_tagname[0]) + if ((to->match_tag = pf_tagname2tag(to->match_tagname)) == 0) + return (EBUSY); + to->scrub_flags = from->scrub_flags; + to->uid = from->uid; + to->gid = from->gid; + to->rule_flag = from->rule_flag; + to->action = from->action; + to->direction = from->direction; + to->log = from->log; + to->logif = from->logif; +#if NPFLOG > 0 + if (!to->log) + to->logif = 0; + if (to->logif >= PFLOGIFS_MAX) + return (EINVAL); +#endif + to->quick = from->quick; + to->ifnot = from->ifnot; + to->match_tag_not = from->match_tag_not; + to->keep_state = from->keep_state; + to->af = from->af; + to->proto = from->proto; + to->type = from->type; + to->code = from->code; + to->flags = from->flags; + to->flagset = from->flagset; + to->min_ttl = from->min_ttl; + to->allow_opts = from->allow_opts; + to->rt = from->rt; + to->return_ttl = from->return_ttl; + to->tos = from->tos; + to->set_tos = from->set_tos; + to->anchor_relative = from->anchor_relative; /* XXX */ + to->anchor_wildcard = from->anchor_wildcard; /* XXX */ + to->flush = from->flush; + to->divert.addr = from->divert.addr; + to->divert.port = from->divert.port; + to->divert_packet.addr = from->divert_packet.addr; + to->divert_packet.port = from->divert_packet.port; + + return (0); }