search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / dist / pf / sbin / pfctl / pfctl_optimize.c
blob0f133508596d748081019f569a614afc8ef6a380
1 /* $NetBSD$ */
2 /* $OpenBSD: pfctl_optimize.c,v 1.13 2006/10/31 14:17:45 mcbride Exp $ */
3
4 /*
5 * Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <sys/types.h>
21 #include <sys/ioctl.h>
22 #include <sys/socket.h>
23
24 #include <net/if.h>
25 #include <net/pfvar.h>
26
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
29
30 #include <assert.h>
31 #include <ctype.h>
32 #include <err.h>
33 #include <errno.h>
34 #include <stddef.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38
39 #include "pfctl_parser.h"
40 #include "pfctl.h"
41
42 /* The size at which a table becomes faster than individual rules */
43 #define TABLE_THRESHOLD 6
44
45
46 /* #define OPT_DEBUG 1 */
47 #ifdef OPT_DEBUG
48 # define DEBUG(str, v...) \
49 printf("%s: " str "\n", __FUNCTION__ , ## v)
50 #else
51 # define DEBUG(str, v...) ((void)0)
52 #endif
53
54
55 /*
56 * A container that lets us sort a superblock to optimize the skip step jumps
57 */
58 struct pf_skip_step {
59 int ps_count; /* number of items */
60 TAILQ_HEAD( , pf_opt_rule) ps_rules;
61 TAILQ_ENTRY(pf_skip_step) ps_entry;
62 };
63
64
65 /*
66 * A superblock is a block of adjacent rules of similar action. If there
67 * are five PASS rules in a row, they all become members of a superblock.
68 * Once we have a superblock, we are free to re-order any rules within it
69 * in order to improve performance; if a packet is passed, it doesn't matter
70 * who passed it.
71 */
72 struct superblock {
73 TAILQ_HEAD( , pf_opt_rule) sb_rules;
74 TAILQ_ENTRY(superblock) sb_entry;
75 struct superblock *sb_profiled_block;
76 TAILQ_HEAD(skiplist, pf_skip_step) sb_skipsteps[PF_SKIP_COUNT];
77 };
78 TAILQ_HEAD(superblocks, superblock);
79
80
81 /*
82 * Description of the PF rule structure.
83 */
84 enum {
85 BARRIER, /* the presence of the field puts the rule in it's own block */
86 BREAK, /* the field may not differ between rules in a superblock */
87 NOMERGE, /* the field may not differ between rules when combined */
88 COMBINED, /* the field may itself be combined with other rules */
89 DC, /* we just don't care about the field */
90 NEVER}; /* we should never see this field set?!? */
91 struct pf_rule_field {
92 const char *prf_name;
93 int prf_type;
94 size_t prf_offset;
95 size_t prf_size;
96 } pf_rule_desc[] = {
97 #define PF_RULE_FIELD(field, ty) \
98 {#field, \
99 ty, \
100 offsetof(struct pf_rule, field), \
101 sizeof(((struct pf_rule *)0)->field)}
102
103
104 /*
105 * The presence of these fields in a rule put the rule in it's own
106 * superblock. Thus it will not be optimized. It also prevents the
107 * rule from being re-ordered at all.
108 */
109 PF_RULE_FIELD(label, BARRIER),
110 PF_RULE_FIELD(prob, BARRIER),
111 PF_RULE_FIELD(max_states, BARRIER),
112 PF_RULE_FIELD(max_src_nodes, BARRIER),
113 PF_RULE_FIELD(max_src_states, BARRIER),
114 PF_RULE_FIELD(max_src_conn, BARRIER),
115 PF_RULE_FIELD(max_src_conn_rate, BARRIER),
116 PF_RULE_FIELD(anchor, BARRIER), /* for now */
117
118 /*
119 * These fields must be the same between all rules in the same superblock.
120 * These rules are allowed to be re-ordered but only among like rules.
121 * For instance we can re-order all 'tag "foo"' rules because they have the
122 * same tag. But we can not re-order between a 'tag "foo"' and a
123 * 'tag "bar"' since that would change the meaning of the ruleset.
124 */
125 PF_RULE_FIELD(tagname, BREAK),
126 PF_RULE_FIELD(keep_state, BREAK),
127 PF_RULE_FIELD(qname, BREAK),
128 PF_RULE_FIELD(pqname, BREAK),
129 PF_RULE_FIELD(rt, BREAK),
130 PF_RULE_FIELD(allow_opts, BREAK),
131 PF_RULE_FIELD(rule_flag, BREAK),
132 PF_RULE_FIELD(action, BREAK),
133 PF_RULE_FIELD(log, BREAK),
134 PF_RULE_FIELD(quick, BREAK),
135 PF_RULE_FIELD(return_ttl, BREAK),
136 PF_RULE_FIELD(overload_tblname, BREAK),
137 PF_RULE_FIELD(flush, BREAK),
138 PF_RULE_FIELD(rpool, BREAK),
139 PF_RULE_FIELD(logif, BREAK),
140
141 /*
142 * Any fields not listed in this structure act as BREAK fields
143 */
144
145
146 /*
147 * These fields must not differ when we merge two rules together but
148 * their difference isn't enough to put the rules in different superblocks.
149 * There are no problems re-ordering any rules with these fields.
150 */
151 PF_RULE_FIELD(af, NOMERGE),
152 PF_RULE_FIELD(ifnot, NOMERGE),
153 PF_RULE_FIELD(ifname, NOMERGE), /* hack for IF groups */
154 PF_RULE_FIELD(match_tag_not, NOMERGE),
155 PF_RULE_FIELD(match_tagname, NOMERGE),
156 PF_RULE_FIELD(os_fingerprint, NOMERGE),
157 PF_RULE_FIELD(timeout, NOMERGE),
158 PF_RULE_FIELD(return_icmp, NOMERGE),
159 PF_RULE_FIELD(return_icmp6, NOMERGE),
160 PF_RULE_FIELD(uid, NOMERGE),
161 PF_RULE_FIELD(gid, NOMERGE),
162 PF_RULE_FIELD(direction, NOMERGE),
163 PF_RULE_FIELD(proto, NOMERGE),
164 PF_RULE_FIELD(type, NOMERGE),
165 PF_RULE_FIELD(code, NOMERGE),
166 PF_RULE_FIELD(flags, NOMERGE),
167 PF_RULE_FIELD(flagset, NOMERGE),
168 PF_RULE_FIELD(tos, NOMERGE),
169 PF_RULE_FIELD(src.port, NOMERGE),
170 PF_RULE_FIELD(dst.port, NOMERGE),
171 PF_RULE_FIELD(src.port_op, NOMERGE),
172 PF_RULE_FIELD(dst.port_op, NOMERGE),
173 PF_RULE_FIELD(src.neg, NOMERGE),
174 PF_RULE_FIELD(dst.neg, NOMERGE),
175
176 /* These fields can be merged */
177 PF_RULE_FIELD(src.addr, COMBINED),
178 PF_RULE_FIELD(dst.addr, COMBINED),
179
180 /* We just don't care about these fields. They're set by the kernel */
181 PF_RULE_FIELD(skip, DC),
182 PF_RULE_FIELD(evaluations, DC),
183 PF_RULE_FIELD(packets, DC),
184 PF_RULE_FIELD(bytes, DC),
185 PF_RULE_FIELD(kif, DC),
186 PF_RULE_FIELD(states, DC),
187 PF_RULE_FIELD(src_nodes, DC),
188 PF_RULE_FIELD(nr, DC),
189 PF_RULE_FIELD(entries, DC),
190 PF_RULE_FIELD(qid, DC),
191 PF_RULE_FIELD(pqid, DC),
192 PF_RULE_FIELD(anchor_relative, DC),
193 PF_RULE_FIELD(anchor_wildcard, DC),
194 PF_RULE_FIELD(tag, DC),
195 PF_RULE_FIELD(match_tag, DC),
196 PF_RULE_FIELD(overload_tbl, DC),
197
198 /* These fields should never be set in a PASS/BLOCK rule */
199 PF_RULE_FIELD(natpass, NEVER),
200 PF_RULE_FIELD(max_mss, NEVER),
201 PF_RULE_FIELD(min_ttl, NEVER),
202 };
203
204
205
206 int add_opt_table(struct pfctl *, struct pf_opt_tbl **, sa_family_t,
207 struct pf_rule_addr *);
208 int addrs_combineable(struct pf_rule_addr *, struct pf_rule_addr *);
209 int addrs_equal(struct pf_rule_addr *, struct pf_rule_addr *);
210 int block_feedback(struct pfctl *, struct superblock *);
211 int combine_rules(struct pfctl *, struct superblock *);
212 void comparable_rule(struct pf_rule *, const struct pf_rule *, int);
213 int construct_superblocks(struct pfctl *, struct pf_opt_queue *,
214 struct superblocks *);
215 void exclude_supersets(struct pf_rule *, struct pf_rule *);
216 int interface_group(const char *);
217 int load_feedback_profile(struct pfctl *, struct superblocks *);
218 int optimize_superblock(struct pfctl *, struct superblock *);
219 int pf_opt_create_table(struct pfctl *, struct pf_opt_tbl *);
220 void remove_from_skipsteps(struct skiplist *, struct superblock *,
221 struct pf_opt_rule *, struct pf_skip_step *);
222 int remove_identical_rules(struct pfctl *, struct superblock *);
223 int reorder_rules(struct pfctl *, struct superblock *, int);
224 int rules_combineable(struct pf_rule *, struct pf_rule *);
225 void skip_append(struct superblock *, int, struct pf_skip_step *,
226 struct pf_opt_rule *);
227 int skip_compare(int, struct pf_skip_step *, struct pf_opt_rule *);
228 void skip_init(void);
229 int skip_cmp_af(struct pf_rule *, struct pf_rule *);
230 int skip_cmp_dir(struct pf_rule *, struct pf_rule *);
231 int skip_cmp_dst_addr(struct pf_rule *, struct pf_rule *);
232 int skip_cmp_dst_port(struct pf_rule *, struct pf_rule *);
233 int skip_cmp_ifp(struct pf_rule *, struct pf_rule *);
234 int skip_cmp_proto(struct pf_rule *, struct pf_rule *);
235 int skip_cmp_src_addr(struct pf_rule *, struct pf_rule *);
236 int skip_cmp_src_port(struct pf_rule *, struct pf_rule *);
237 int superblock_inclusive(struct superblock *, struct pf_opt_rule *);
238 void superblock_free(struct pfctl *, struct superblock *);
239
240
241 int (*skip_comparitors[PF_SKIP_COUNT])(struct pf_rule *, struct pf_rule *);
242 const char *skip_comparitors_names[PF_SKIP_COUNT];
243 #define PF_SKIP_COMPARITORS { \
244 { "ifp", PF_SKIP_IFP, skip_cmp_ifp }, \
245 { "dir", PF_SKIP_DIR, skip_cmp_dir }, \
246 { "af", PF_SKIP_AF, skip_cmp_af }, \
247 { "proto", PF_SKIP_PROTO, skip_cmp_proto }, \
248 { "saddr", PF_SKIP_SRC_ADDR, skip_cmp_src_addr }, \
249 { "sport", PF_SKIP_SRC_PORT, skip_cmp_src_port }, \
250 { "daddr", PF_SKIP_DST_ADDR, skip_cmp_dst_addr }, \
251 { "dport", PF_SKIP_DST_PORT, skip_cmp_dst_port } \
252 }
253
254 struct pfr_buffer table_buffer;
255 int table_identifier;
256
257
258 int
259 pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs)
260 {
261 struct superblocks superblocks;
262 struct pf_opt_queue opt_queue;
263 struct superblock *block;
264 struct pf_opt_rule *por;
265 struct pf_rule *r;
266 struct pf_rulequeue *old_rules;
267
268 DEBUG("optimizing ruleset");
269 memset(&table_buffer, 0, sizeof(table_buffer));
270 skip_init();
271 TAILQ_INIT(&opt_queue);
272
273 old_rules = rs->rules[PF_RULESET_FILTER].active.ptr;
274 rs->rules[PF_RULESET_FILTER].active.ptr =
275 rs->rules[PF_RULESET_FILTER].inactive.ptr;
276 rs->rules[PF_RULESET_FILTER].inactive.ptr = old_rules;
277
278 /*
279 * XXX expanding the pf_opt_rule format throughout pfctl might allow
280 * us to avoid all this copying.
281 */
282 while ((r = TAILQ_FIRST(rs->rules[PF_RULESET_FILTER].inactive.ptr))
283 != NULL) {
284 TAILQ_REMOVE(rs->rules[PF_RULESET_FILTER].inactive.ptr, r,
285 entries);
286 if ((por = calloc(1, sizeof(*por))) == NULL)
287 err(1, "calloc");
288 memcpy(&por->por_rule, r, sizeof(*r));
289 if (TAILQ_FIRST(&r->rpool.list) != NULL) {
290 TAILQ_INIT(&por->por_rule.rpool.list);
291 pfctl_move_pool(&r->rpool, &por->por_rule.rpool);
292 } else
293 bzero(&por->por_rule.rpool,
294 sizeof(por->por_rule.rpool));
295
296
297 TAILQ_INSERT_TAIL(&opt_queue, por, por_entry);
298 }
299
300 TAILQ_INIT(&superblocks);
301 if (construct_superblocks(pf, &opt_queue, &superblocks))
302 goto error;
303
304 if (pf->optimize & PF_OPTIMIZE_PROFILE) {
305 if (load_feedback_profile(pf, &superblocks))
306 goto error;
307 }
308
309 TAILQ_FOREACH(block, &superblocks, sb_entry) {
310 if (optimize_superblock(pf, block))
311 goto error;
312 }
313
314 rs->anchor->refcnt = 0;
315 while ((block = TAILQ_FIRST(&superblocks))) {
316 TAILQ_REMOVE(&superblocks, block, sb_entry);
317
318 while ((por = TAILQ_FIRST(&block->sb_rules))) {
319 TAILQ_REMOVE(&block->sb_rules, por, por_entry);
320 por->por_rule.nr = rs->anchor->refcnt++;
321 if ((r = calloc(1, sizeof(*r))) == NULL)
322 err(1, "calloc");
323 memcpy(r, &por->por_rule, sizeof(*r));
324 TAILQ_INIT(&r->rpool.list);
325 pfctl_move_pool(&por->por_rule.rpool, &r->rpool);
326 TAILQ_INSERT_TAIL(
327 rs->rules[PF_RULESET_FILTER].active.ptr,
328 r, entries);
329 free(por);
330 }
331 free(block);
332 }
333
334 return (0);
335
336 error:
337 while ((por = TAILQ_FIRST(&opt_queue))) {
338 TAILQ_REMOVE(&opt_queue, por, por_entry);
339 if (por->por_src_tbl) {
340 pfr_buf_clear(por->por_src_tbl->pt_buf);
341 free(por->por_src_tbl->pt_buf);
342 free(por->por_src_tbl);
343 }
344 if (por->por_dst_tbl) {
345 pfr_buf_clear(por->por_dst_tbl->pt_buf);
346 free(por->por_dst_tbl->pt_buf);
347 free(por->por_dst_tbl);
348 }
349 free(por);
350 }
351 while ((block = TAILQ_FIRST(&superblocks))) {
352 TAILQ_REMOVE(&superblocks, block, sb_entry);
353 superblock_free(pf, block);
354 }
355 return (1);
356 }
357
358
359 /*
360 * Go ahead and optimize a superblock
361 */
362 int
363 optimize_superblock(struct pfctl *pf, struct superblock *block)
364 {
365 #ifdef OPT_DEBUG
366 struct pf_opt_rule *por;
367 #endif /* OPT_DEBUG */
368
369 /* We have a few optimization passes:
370 * 1) remove duplicate rules or rules that are a subset of other
371 * rules
372 * 2) combine otherwise identical rules with different IP addresses
373 * into a single rule and put the addresses in a table.
374 * 3) re-order the rules to improve kernel skip steps
375 * 4) re-order the 'quick' rules based on feedback from the
376 * active ruleset statistics
377 *
378 * XXX combine_rules() doesn't combine v4 and v6 rules. would just
379 * have to keep af in the table container, make af 'COMBINE' and
380 * twiddle the af on the merged rule
381 * XXX maybe add a weighting to the metric on skipsteps when doing
382 * reordering. sometimes two sequential tables will be better
383 * that four consecutive interfaces.
384 * XXX need to adjust the skipstep count of everything after PROTO,
385 * since they aren't actually checked on a proto mismatch in
386 * pf_test_{tcp, udp, icmp}()
387 * XXX should i treat proto=0, af=0 or dir=0 special in skepstep
388 * calculation since they are a DC?
389 * XXX keep last skiplist of last superblock to influence this
390 * superblock. '5 inet6 log' should make '3 inet6' come before '4
391 * inet' in the next superblock.
392 * XXX would be useful to add tables for ports
393 * XXX we can also re-order some mutually exclusive superblocks to
394 * try merging superblocks before any of these optimization passes.
395 * for instance a single 'log in' rule in the middle of non-logging
396 * out rules.
397 */
398
399 /* shortcut. there will be alot of 1-rule superblocks */
400 if (!TAILQ_NEXT(TAILQ_FIRST(&block->sb_rules), por_entry))
401 return (0);
402
403 #ifdef OPT_DEBUG
404 printf("--- Superblock ---\n");
405 TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
406 printf(" ");
407 print_rule(&por->por_rule, por->por_rule.anchor ?
408 por->por_rule.anchor->name : "", 1);
409 }
410 #endif /* OPT_DEBUG */
411
412
413 if (remove_identical_rules(pf, block))
414 return (1);
415 if (combine_rules(pf, block))
416 return (1);
417 if ((pf->optimize & PF_OPTIMIZE_PROFILE) &&
418 TAILQ_FIRST(&block->sb_rules)->por_rule.quick &&
419 block->sb_profiled_block) {
420 if (block_feedback(pf, block))
421 return (1);
422 } else if (reorder_rules(pf, block, 0)) {
423 return (1);
424 }
425
426 /*
427 * Don't add any optimization passes below reorder_rules(). It will
428 * have divided superblocks into smaller blocks for further refinement
429 * and doesn't put them back together again. What once was a true
430 * superblock might have been split into multiple superblocks.
431 */
432
433 #ifdef OPT_DEBUG
434 printf("--- END Superblock ---\n");
435 #endif /* OPT_DEBUG */
436 return (0);
437 }
438
439
440 /*
441 * Optimization pass #1: remove identical rules
442 */
443 int
444 remove_identical_rules(struct pfctl *pf, struct superblock *block)
445 {
446 struct pf_opt_rule *por1, *por2, *por_next, *por2_next;
447 struct pf_rule a, a2, b, b2;
448
449 for (por1 = TAILQ_FIRST(&block->sb_rules); por1; por1 = por_next) {
450 por_next = TAILQ_NEXT(por1, por_entry);
451 for (por2 = por_next; por2; por2 = por2_next) {
452 por2_next = TAILQ_NEXT(por2, por_entry);
453 comparable_rule(&a, &por1->por_rule, DC);
454 comparable_rule(&b, &por2->por_rule, DC);
455 memcpy(&a2, &a, sizeof(a2));
456 memcpy(&b2, &b, sizeof(b2));
457
458 exclude_supersets(&a, &b);
459 exclude_supersets(&b2, &a2);
460 if (memcmp(&a, &b, sizeof(a)) == 0) {
461 DEBUG("removing identical rule nr%d = *nr%d*",
462 por1->por_rule.nr, por2->por_rule.nr);
463 TAILQ_REMOVE(&block->sb_rules, por2, por_entry);
464 if (por_next == por2)
465 por_next = TAILQ_NEXT(por1, por_entry);
466 free(por2);
467 } else if (memcmp(&a2, &b2, sizeof(a2)) == 0) {
468 DEBUG("removing identical rule *nr%d* = nr%d",
469 por1->por_rule.nr, por2->por_rule.nr);
470 TAILQ_REMOVE(&block->sb_rules, por1, por_entry);
471 free(por1);
472 break;
473 }
474 }
475 }
476
477 return (0);
478 }
479
480
481 /*
482 * Optimization pass #2: combine similar rules with different addresses
483 * into a single rule and a table
484 */
485 int
486 combine_rules(struct pfctl *pf, struct superblock *block)
487 {
488 struct pf_opt_rule *p1, *p2, *por_next;
489 int src_eq, dst_eq;
490
491 if ((pf->loadopt & PFCTL_FLAG_TABLE) == 0) {
492 warnx("Must enable table loading for optimizations");
493 return (1);
494 }
495
496 /* First we make a pass to combine the rules. O(n log n) */
497 TAILQ_FOREACH(p1, &block->sb_rules, por_entry) {
498 for (p2 = TAILQ_NEXT(p1, por_entry); p2; p2 = por_next) {
499 por_next = TAILQ_NEXT(p2, por_entry);
500
501 src_eq = addrs_equal(&p1->por_rule.src,
502 &p2->por_rule.src);
503 dst_eq = addrs_equal(&p1->por_rule.dst,
504 &p2->por_rule.dst);
505
506 if (src_eq && !dst_eq && p1->por_src_tbl == NULL &&
507 p2->por_dst_tbl == NULL &&
508 p2->por_src_tbl == NULL &&
509 rules_combineable(&p1->por_rule, &p2->por_rule) &&
510 addrs_combineable(&p1->por_rule.dst,
511 &p2->por_rule.dst)) {
512 DEBUG("can combine rules nr%d = nr%d",
513 p1->por_rule.nr, p2->por_rule.nr);
514 if (p1->por_dst_tbl == NULL &&
515 add_opt_table(pf, &p1->por_dst_tbl,
516 p1->por_rule.af, &p1->por_rule.dst))
517 return (1);
518 if (add_opt_table(pf, &p1->por_dst_tbl,
519 p1->por_rule.af, &p2->por_rule.dst))
520 return (1);
521 p2->por_dst_tbl = p1->por_dst_tbl;
522 if (p1->por_dst_tbl->pt_rulecount >=
523 TABLE_THRESHOLD) {
524 TAILQ_REMOVE(&block->sb_rules, p2,
525 por_entry);
526 free(p2);
527 }
528 } else if (!src_eq && dst_eq && p1->por_dst_tbl == NULL
529 && p2->por_src_tbl == NULL &&
530 p2->por_dst_tbl == NULL &&
531 rules_combineable(&p1->por_rule, &p2->por_rule) &&
532 addrs_combineable(&p1->por_rule.src,
533 &p2->por_rule.src)) {
534 DEBUG("can combine rules nr%d = nr%d",
535 p1->por_rule.nr, p2->por_rule.nr);
536 if (p1->por_src_tbl == NULL &&
537 add_opt_table(pf, &p1->por_src_tbl,
538 p1->por_rule.af, &p1->por_rule.src))
539 return (1);
540 if (add_opt_table(pf, &p1->por_src_tbl,
541 p1->por_rule.af, &p2->por_rule.src))
542 return (1);
543 p2->por_src_tbl = p1->por_src_tbl;
544 if (p1->por_src_tbl->pt_rulecount >=
545 TABLE_THRESHOLD) {
546 TAILQ_REMOVE(&block->sb_rules, p2,
547 por_entry);
548 free(p2);
549 }
550 }
551 }
552 }
553
554
555 /*
556 * Then we make a final pass to create a valid table name and
557 * insert the name into the rules.
558 */
559 for (p1 = TAILQ_FIRST(&block->sb_rules); p1; p1 = por_next) {
560 por_next = TAILQ_NEXT(p1, por_entry);
561 assert(p1->por_src_tbl == NULL || p1->por_dst_tbl == NULL);
562
563 if (p1->por_src_tbl && p1->por_src_tbl->pt_rulecount >=
564 TABLE_THRESHOLD) {
565 if (p1->por_src_tbl->pt_generated) {
566 /* This rule is included in a table */
567 TAILQ_REMOVE(&block->sb_rules, p1, por_entry);
568 free(p1);
569 continue;
570 }
571 p1->por_src_tbl->pt_generated = 1;
572
573 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
574 pf_opt_create_table(pf, p1->por_src_tbl))
575 return (1);
576
577 pf->tdirty = 1;
578
579 if (pf->opts & PF_OPT_VERBOSE)
580 print_tabledef(p1->por_src_tbl->pt_name,
581 PFR_TFLAG_CONST, 1,
582 &p1->por_src_tbl->pt_nodes);
583
584 memset(&p1->por_rule.src.addr, 0,
585 sizeof(p1->por_rule.src.addr));
586 p1->por_rule.src.addr.type = PF_ADDR_TABLE;
587 strlcpy(p1->por_rule.src.addr.v.tblname,
588 p1->por_src_tbl->pt_name,
589 sizeof(p1->por_rule.src.addr.v.tblname));
590
591 pfr_buf_clear(p1->por_src_tbl->pt_buf);
592 free(p1->por_src_tbl->pt_buf);
593 p1->por_src_tbl->pt_buf = NULL;
594 }
595 if (p1->por_dst_tbl && p1->por_dst_tbl->pt_rulecount >=
596 TABLE_THRESHOLD) {
597 if (p1->por_dst_tbl->pt_generated) {
598 /* This rule is included in a table */
599 TAILQ_REMOVE(&block->sb_rules, p1, por_entry);
600 free(p1);
601 continue;
602 }
603 p1->por_dst_tbl->pt_generated = 1;
604
605 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
606 pf_opt_create_table(pf, p1->por_dst_tbl))
607 return (1);
608 pf->tdirty = 1;
609
610 if (pf->opts & PF_OPT_VERBOSE)
611 print_tabledef(p1->por_dst_tbl->pt_name,
612 PFR_TFLAG_CONST, 1,
613 &p1->por_dst_tbl->pt_nodes);
614
615 memset(&p1->por_rule.dst.addr, 0,
616 sizeof(p1->por_rule.dst.addr));
617 p1->por_rule.dst.addr.type = PF_ADDR_TABLE;
618 strlcpy(p1->por_rule.dst.addr.v.tblname,
619 p1->por_dst_tbl->pt_name,
620 sizeof(p1->por_rule.dst.addr.v.tblname));
621
622 pfr_buf_clear(p1->por_dst_tbl->pt_buf);
623 free(p1->por_dst_tbl->pt_buf);
624 p1->por_dst_tbl->pt_buf = NULL;
625 }
626 }
627
628 return (0);
629 }
630
631
632 /*
633 * Optimization pass #3: re-order rules to improve skip steps
634 */
635 int
636 reorder_rules(struct pfctl *pf, struct superblock *block, int depth)
637 {
638 struct superblock *newblock;
639 struct pf_skip_step *skiplist;
640 struct pf_opt_rule *por;
641 int i, largest, largest_list = -1, rule_count = 0;
642 TAILQ_HEAD( , pf_opt_rule) head;
643
644 /*
645 * Calculate the best-case skip steps. We put each rule in a list
646 * of other rules with common fields
647 */
648 for (i = 0; i < PF_SKIP_COUNT; i++) {
649 TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
650 TAILQ_FOREACH(skiplist, &block->sb_skipsteps[i],
651 ps_entry) {
652 if (skip_compare(i, skiplist, por) == 0)
653 break;
654 }
655 if (skiplist == NULL) {
656 if ((skiplist = calloc(1, sizeof(*skiplist))) ==
657 NULL)
658 err(1, "calloc");
659 TAILQ_INIT(&skiplist->ps_rules);
660 TAILQ_INSERT_TAIL(&block->sb_skipsteps[i],
661 skiplist, ps_entry);
662 }
663 skip_append(block, i, skiplist, por);
664 }
665 }
666
667 TAILQ_FOREACH(por, &block->sb_rules, por_entry)
668 rule_count++;
669
670 /*
671 * Now we're going to ignore any fields that are identical between
672 * all of the rules in the superblock and those fields which differ
673 * between every rule in the superblock.
674 */
675 largest = 0;
676 for (i = 0; i < PF_SKIP_COUNT; i++) {
677 skiplist = TAILQ_FIRST(&block->sb_skipsteps[i]);
678 if (skiplist->ps_count == rule_count) {
679 DEBUG("(%d) original skipstep '%s' is all rules",
680 depth, skip_comparitors_names[i]);
681 skiplist->ps_count = 0;
682 } else if (skiplist->ps_count == 1) {
683 skiplist->ps_count = 0;
684 } else {
685 DEBUG("(%d) original skipstep '%s' largest jump is %d",
686 depth, skip_comparitors_names[i],
687 skiplist->ps_count);
688 if (skiplist->ps_count > largest)
689 largest = skiplist->ps_count;
690 }
691 }
692 if (largest == 0) {
693 /* Ugh. There is NO commonality in the superblock on which
694 * optimize the skipsteps optimization.
695 */
696 goto done;
697 }
698
699 /*
700 * Now we're going to empty the superblock rule list and re-create
701 * it based on a more optimal skipstep order.
702 */
703 TAILQ_INIT(&head);
704 while ((por = TAILQ_FIRST(&block->sb_rules))) {
705 TAILQ_REMOVE(&block->sb_rules, por, por_entry);
706 TAILQ_INSERT_TAIL(&head, por, por_entry);
707 }
708
709
710 while (!TAILQ_EMPTY(&head)) {
711 largest = 1;
712
713 /*
714 * Find the most useful skip steps remaining
715 */
716 for (i = 0; i < PF_SKIP_COUNT; i++) {
717 skiplist = TAILQ_FIRST(&block->sb_skipsteps[i]);
718 if (skiplist->ps_count > largest) {
719 largest = skiplist->ps_count;
720 largest_list = i;
721 }
722 }
723
724 if (largest <= 1) {
725 /*
726 * Nothing useful left. Leave remaining rules in order.
727 */
728 DEBUG("(%d) no more commonality for skip steps", depth);
729 while ((por = TAILQ_FIRST(&head))) {
730 TAILQ_REMOVE(&head, por, por_entry);
731 TAILQ_INSERT_TAIL(&block->sb_rules, por,
732 por_entry);
733 }
734 } else {
735 /*
736 * There is commonality. Extract those common rules
737 * and place them in the ruleset adjacent to each
738 * other.
739 */
740 skiplist = TAILQ_FIRST(&block->sb_skipsteps[
741 largest_list]);
742 DEBUG("(%d) skipstep '%s' largest jump is %d @ #%d",
743 depth, skip_comparitors_names[largest_list],
744 largest, TAILQ_FIRST(&TAILQ_FIRST(&block->
745 sb_skipsteps [largest_list])->ps_rules)->
746 por_rule.nr);
747 TAILQ_REMOVE(&block->sb_skipsteps[largest_list],
748 skiplist, ps_entry);
749
750
751 /*
752 * There may be further commonality inside these
753 * rules. So we'll split them off into they're own
754 * superblock and pass it back into the optimizer.
755 */
756 if (skiplist->ps_count > 2) {
757 if ((newblock = calloc(1, sizeof(*newblock)))
758 == NULL) {
759 warn("calloc");
760 return (1);
761 }
762 TAILQ_INIT(&newblock->sb_rules);
763 for (i = 0; i < PF_SKIP_COUNT; i++)
764 TAILQ_INIT(&newblock->sb_skipsteps[i]);
765 TAILQ_INSERT_BEFORE(block, newblock, sb_entry);
766 DEBUG("(%d) splitting off %d rules from superblock @ #%d",
767 depth, skiplist->ps_count,
768 TAILQ_FIRST(&skiplist->ps_rules)->
769 por_rule.nr);
770 } else {
771 newblock = block;
772 }
773
774 while ((por = TAILQ_FIRST(&skiplist->ps_rules))) {
775 TAILQ_REMOVE(&head, por, por_entry);
776 TAILQ_REMOVE(&skiplist->ps_rules, por,
777 por_skip_entry[largest_list]);
778 TAILQ_INSERT_TAIL(&newblock->sb_rules, por,
779 por_entry);
780
781 /* Remove this rule from all other skiplists */
782 remove_from_skipsteps(&block->sb_skipsteps[
783 largest_list], block, por, skiplist);
784 }
785 free(skiplist);
786 if (newblock != block)
787 if (reorder_rules(pf, newblock, depth + 1))
788 return (1);
789 }
790 }
791
792 done:
793 for (i = 0; i < PF_SKIP_COUNT; i++) {
794 while ((skiplist = TAILQ_FIRST(&block->sb_skipsteps[i]))) {
795 TAILQ_REMOVE(&block->sb_skipsteps[i], skiplist,
796 ps_entry);
797 free(skiplist);
798 }
799 }
800
801 return (0);
802 }
803
804
805 /*
806 * Optimization pass #4: re-order 'quick' rules based on feedback from the
807 * currently running ruleset
808 */
809 int
810 block_feedback(struct pfctl *pf, struct superblock *block)
811 {
812 TAILQ_HEAD( , pf_opt_rule) queue;
813 struct pf_opt_rule *por1, *por2;
814 u_int64_t total_count = 0;
815 struct pf_rule a, b;
816
817
818 /*
819 * Walk through all of the profiled superblock's rules and copy
820 * the counters onto our rules.
821 */
822 TAILQ_FOREACH(por1, &block->sb_profiled_block->sb_rules, por_entry) {
823 comparable_rule(&a, &por1->por_rule, DC);
824 total_count += por1->por_rule.packets[0] +
825 por1->por_rule.packets[1];
826 TAILQ_FOREACH(por2, &block->sb_rules, por_entry) {
827 if (por2->por_profile_count)
828 continue;
829 comparable_rule(&b, &por2->por_rule, DC);
830 if (memcmp(&a, &b, sizeof(a)) == 0) {
831 por2->por_profile_count =
832 por1->por_rule.packets[0] +
833 por1->por_rule.packets[1];
834 break;
835 }
836 }
837 }
838 superblock_free(pf, block->sb_profiled_block);
839 block->sb_profiled_block = NULL;
840
841 /*
842 * Now we pull all of the rules off the superblock and re-insert them
843 * in sorted order.
844 */
845
846 TAILQ_INIT(&queue);
847 while ((por1 = TAILQ_FIRST(&block->sb_rules)) != NULL) {
848 TAILQ_REMOVE(&block->sb_rules, por1, por_entry);
849 TAILQ_INSERT_TAIL(&queue, por1, por_entry);
850 }
851
852 while ((por1 = TAILQ_FIRST(&queue)) != NULL) {
853 TAILQ_REMOVE(&queue, por1, por_entry);
854 /* XXX I should sort all of the unused rules based on skip steps */
855 TAILQ_FOREACH(por2, &block->sb_rules, por_entry) {
856 if (por1->por_profile_count > por2->por_profile_count) {
857 TAILQ_INSERT_BEFORE(por2, por1, por_entry);
858 break;
859 }
860 }
861 if (por2 == TAILQ_END(&block->sb_rules))
862 TAILQ_INSERT_TAIL(&block->sb_rules, por1, por_entry);
863 }
864
865 return (0);
866 }
867
868
869 /*
870 * Load the current ruleset from the kernel and try to associate them with
871 * the ruleset we're optimizing.
872 */
873 int
874 load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks)
875 {
876 struct superblock *block, *blockcur;
877 struct superblocks prof_superblocks;
878 struct pf_opt_rule *por;
879 struct pf_opt_queue queue;
880 struct pfioc_rule pr;
881 struct pf_rule a, b;
882 int nr, mnr;
883
884 TAILQ_INIT(&queue);
885 TAILQ_INIT(&prof_superblocks);
886
887 memset(&pr, 0, sizeof(pr));
888 pr.rule.action = PF_PASS;
889 if (ioctl(pf->dev, DIOCGETRULES, &pr)) {
890 warn("DIOCGETRULES");
891 return (1);
892 }
893 mnr = pr.nr;
894
895 DEBUG("Loading %d active rules for a feedback profile", mnr);
896 for (nr = 0; nr < mnr; ++nr) {
897 struct pf_ruleset *rs;
898 if ((por = calloc(1, sizeof(*por))) == NULL) {
899 warn("calloc");
900 return (1);
901 }
902 pr.nr = nr;
903 if (ioctl(pf->dev, DIOCGETRULE, &pr)) {
904 warn("DIOCGETRULES");
905 return (1);
906 }
907 memcpy(&por->por_rule, &pr.rule, sizeof(por->por_rule));
908 rs = pf_find_or_create_ruleset(pr.anchor_call);
909 por->por_rule.anchor = rs->anchor;
910 if (TAILQ_EMPTY(&por->por_rule.rpool.list))
911 memset(&por->por_rule.rpool, 0,
912 sizeof(por->por_rule.rpool));
913 TAILQ_INSERT_TAIL(&queue, por, por_entry);
914
915 /* XXX pfctl_get_pool(pf->dev, &pr.rule.rpool, nr, pr.ticket,
916 * PF_PASS, pf->anchor) ???
917 * ... pfctl_clear_pool(&pr.rule.rpool)
918 */
919 }
920
921 if (construct_superblocks(pf, &queue, &prof_superblocks))
922 return (1);
923
924
925 /*
926 * Now we try to associate the active ruleset's superblocks with
927 * the superblocks we're compiling.
928 */
929 block = TAILQ_FIRST(superblocks);
930 blockcur = TAILQ_FIRST(&prof_superblocks);
931 while (block && blockcur) {
932 comparable_rule(&a, &TAILQ_FIRST(&block->sb_rules)->por_rule,
933 BREAK);
934 comparable_rule(&b, &TAILQ_FIRST(&blockcur->sb_rules)->por_rule,
935 BREAK);
936 if (memcmp(&a, &b, sizeof(a)) == 0) {
937 /* The two superblocks lined up */
938 block->sb_profiled_block = blockcur;
939 } else {
940 DEBUG("superblocks don't line up between #%d and #%d",
941 TAILQ_FIRST(&block->sb_rules)->por_rule.nr,
942 TAILQ_FIRST(&blockcur->sb_rules)->por_rule.nr);
943 break;
944 }
945 block = TAILQ_NEXT(block, sb_entry);
946 blockcur = TAILQ_NEXT(blockcur, sb_entry);
947 }
948
949
950
951 /* Free any superblocks we couldn't link */
952 while (blockcur) {
953 block = TAILQ_NEXT(blockcur, sb_entry);
954 superblock_free(pf, blockcur);
955 blockcur = block;
956 }
957 return (0);
958 }
959
960
961 /*
962 * Compare a rule to a skiplist to see if the rule is a member
963 */
964 int
965 skip_compare(int skipnum, struct pf_skip_step *skiplist,
966 struct pf_opt_rule *por)
967 {
968 struct pf_rule *a, *b;
969 if (skipnum >= PF_SKIP_COUNT || skipnum < 0)
970 errx(1, "skip_compare() out of bounds");
971 a = &por->por_rule;
972 b = &TAILQ_FIRST(&skiplist->ps_rules)->por_rule;
973
974 return ((skip_comparitors[skipnum])(a, b));
975 }
976
977
978 /*
979 * Add a rule to a skiplist
980 */
981 void
982 skip_append(struct superblock *superblock, int skipnum,
983 struct pf_skip_step *skiplist, struct pf_opt_rule *por)
984 {
985 struct pf_skip_step *prev;
986
987 skiplist->ps_count++;
988 TAILQ_INSERT_TAIL(&skiplist->ps_rules, por, por_skip_entry[skipnum]);
989
990 /* Keep the list of skiplists sorted by whichever is larger */
991 while ((prev = TAILQ_PREV(skiplist, skiplist, ps_entry)) &&
992 prev->ps_count < skiplist->ps_count) {
993 TAILQ_REMOVE(&superblock->sb_skipsteps[skipnum],
994 skiplist, ps_entry);
995 TAILQ_INSERT_BEFORE(prev, skiplist, ps_entry);
996 }
997 }
998
999
1000 /*
1001 * Remove a rule from the other skiplist calculations.
1002 */
1003 void
1004 remove_from_skipsteps(struct skiplist *head, struct superblock *block,
1005 struct pf_opt_rule *por, struct pf_skip_step *active_list)
1006 {
1007 struct pf_skip_step *sk, *next;
1008 struct pf_opt_rule *p2;
1009 int i, found;
1010
1011 for (i = 0; i < PF_SKIP_COUNT; i++) {
1012 sk = TAILQ_FIRST(&block->sb_skipsteps[i]);
1013 if (sk == NULL || sk == active_list || sk->ps_count <= 1)
1014 continue;
1015 found = 0;
1016 do {
1017 TAILQ_FOREACH(p2, &sk->ps_rules, por_skip_entry[i])
1018 if (p2 == por) {
1019 TAILQ_REMOVE(&sk->ps_rules, p2,
1020 por_skip_entry[i]);
1021 found = 1;
1022 sk->ps_count--;
1023 break;
1024 }
1025 } while (!found && (sk = TAILQ_NEXT(sk, ps_entry)));
1026 if (found && sk) {
1027 /* Does this change the sorting order? */
1028 while ((next = TAILQ_NEXT(sk, ps_entry)) &&
1029 next->ps_count > sk->ps_count) {
1030 TAILQ_REMOVE(head, sk, ps_entry);
1031 TAILQ_INSERT_AFTER(head, next, sk, ps_entry);
1032 }
1033 #ifdef OPT_DEBUG
1034 next = TAILQ_NEXT(sk, ps_entry);
1035 assert(next == NULL || next->ps_count <= sk->ps_count);
1036 #endif /* OPT_DEBUG */
1037 }
1038 }
1039 }
1040
1041
1042 /* Compare two rules AF field for skiplist construction */
1043 int
1044 skip_cmp_af(struct pf_rule *a, struct pf_rule *b)
1045 {
1046 if (a->af != b->af || a->af == 0)
1047 return (1);
1048 return (0);
1049 }
1050
1051 /* Compare two rules DIRECTION field for skiplist construction */
1052 int
1053 skip_cmp_dir(struct pf_rule *a, struct pf_rule *b)
1054 {
1055 if (a->direction == 0 || a->direction != b->direction)
1056 return (1);
1057 return (0);
1058 }
1059
1060 /* Compare two rules DST Address field for skiplist construction */
1061 int
1062 skip_cmp_dst_addr(struct pf_rule *a, struct pf_rule *b)
1063 {
1064 if (a->dst.neg != b->dst.neg ||
1065 a->dst.addr.type != b->dst.addr.type)
1066 return (1);
1067 /* XXX if (a->proto != b->proto && a->proto != 0 && b->proto != 0
1068 * && (a->proto == IPPROTO_TCP || a->proto == IPPROTO_UDP ||
1069 * a->proto == IPPROTO_ICMP
1070 * return (1);
1071 */
1072 switch (a->dst.addr.type) {
1073 case PF_ADDR_ADDRMASK:
1074 if (memcmp(&a->dst.addr.v.a.addr, &b->dst.addr.v.a.addr,
1075 sizeof(a->dst.addr.v.a.addr)) ||
1076 memcmp(&a->dst.addr.v.a.mask, &b->dst.addr.v.a.mask,
1077 sizeof(a->dst.addr.v.a.mask)) ||
1078 (a->dst.addr.v.a.addr.addr32[0] == 0 &&
1079 a->dst.addr.v.a.addr.addr32[1] == 0 &&
1080 a->dst.addr.v.a.addr.addr32[2] == 0 &&
1081 a->dst.addr.v.a.addr.addr32[3] == 0))
1082 return (1);
1083 return (0);
1084 case PF_ADDR_DYNIFTL:
1085 if (strcmp(a->dst.addr.v.ifname, b->dst.addr.v.ifname) != 0 ||
1086 a->dst.addr.iflags != a->dst.addr.iflags ||
1087 memcmp(&a->dst.addr.v.a.mask, &b->dst.addr.v.a.mask,
1088 sizeof(a->dst.addr.v.a.mask)))
1089 return (1);
1090 return (0);
1091 case PF_ADDR_NOROUTE:
1092 case PF_ADDR_URPFFAILED:
1093 return (0);
1094 case PF_ADDR_TABLE:
1095 return (strcmp(a->dst.addr.v.tblname, b->dst.addr.v.tblname));
1096 }
1097 return (1);
1098 }
1099
1100 /* Compare two rules DST port field for skiplist construction */
1101 int
1102 skip_cmp_dst_port(struct pf_rule *a, struct pf_rule *b)
1103 {
1104 /* XXX if (a->proto != b->proto && a->proto != 0 && b->proto != 0
1105 * && (a->proto == IPPROTO_TCP || a->proto == IPPROTO_UDP ||
1106 * a->proto == IPPROTO_ICMP
1107 * return (1);
1108 */
1109 if (a->dst.port_op == PF_OP_NONE || a->dst.port_op != b->dst.port_op ||
1110 a->dst.port[0] != b->dst.port[0] ||
1111 a->dst.port[1] != b->dst.port[1])
1112 return (1);
1113 return (0);
1114 }
1115
1116 /* Compare two rules IFP field for skiplist construction */
1117 int
1118 skip_cmp_ifp(struct pf_rule *a, struct pf_rule *b)
1119 {
1120 if (strcmp(a->ifname, b->ifname) || a->ifname[0] == '\0')
1121 return (1);
1122 return (a->ifnot != b->ifnot);
1123 }
1124
1125 /* Compare two rules PROTO field for skiplist construction */
1126 int
1127 skip_cmp_proto(struct pf_rule *a, struct pf_rule *b)
1128 {
1129 return (a->proto != b->proto || a->proto == 0);
1130 }
1131
1132 /* Compare two rules SRC addr field for skiplist construction */
1133 int
1134 skip_cmp_src_addr(struct pf_rule *a, struct pf_rule *b)
1135 {
1136 if (a->src.neg != b->src.neg ||
1137 a->src.addr.type != b->src.addr.type)
1138 return (1);
1139 /* XXX if (a->proto != b->proto && a->proto != 0 && b->proto != 0
1140 * && (a->proto == IPPROTO_TCP || a->proto == IPPROTO_UDP ||
1141 * a->proto == IPPROTO_ICMP
1142 * return (1);
1143 */
1144 switch (a->src.addr.type) {
1145 case PF_ADDR_ADDRMASK:
1146 if (memcmp(&a->src.addr.v.a.addr, &b->src.addr.v.a.addr,
1147 sizeof(a->src.addr.v.a.addr)) ||
1148 memcmp(&a->src.addr.v.a.mask, &b->src.addr.v.a.mask,
1149 sizeof(a->src.addr.v.a.mask)) ||
1150 (a->src.addr.v.a.addr.addr32[0] == 0 &&
1151 a->src.addr.v.a.addr.addr32[1] == 0 &&
1152 a->src.addr.v.a.addr.addr32[2] == 0 &&
1153 a->src.addr.v.a.addr.addr32[3] == 0))
1154 return (1);
1155 return (0);
1156 case PF_ADDR_DYNIFTL:
1157 if (strcmp(a->src.addr.v.ifname, b->src.addr.v.ifname) != 0 ||
1158 a->src.addr.iflags != a->src.addr.iflags ||
1159 memcmp(&a->src.addr.v.a.mask, &b->src.addr.v.a.mask,
1160 sizeof(a->src.addr.v.a.mask)))
1161 return (1);
1162 return (0);
1163 case PF_ADDR_NOROUTE:
1164 case PF_ADDR_URPFFAILED:
1165 return (0);
1166 case PF_ADDR_TABLE:
1167 return (strcmp(a->src.addr.v.tblname, b->src.addr.v.tblname));
1168 }
1169 return (1);
1170 }
1171
1172 /* Compare two rules SRC port field for skiplist construction */
1173 int
1174 skip_cmp_src_port(struct pf_rule *a, struct pf_rule *b)
1175 {
1176 if (a->src.port_op == PF_OP_NONE || a->src.port_op != b->src.port_op ||
1177 a->src.port[0] != b->src.port[0] ||
1178 a->src.port[1] != b->src.port[1])
1179 return (1);
1180 /* XXX if (a->proto != b->proto && a->proto != 0 && b->proto != 0
1181 * && (a->proto == IPPROTO_TCP || a->proto == IPPROTO_UDP ||
1182 * a->proto == IPPROTO_ICMP
1183 * return (1);
1184 */
1185 return (0);
1186 }
1187
1188
1189 void
1190 skip_init(void)
1191 {
1192 struct {
1193 char *name;
1194 int skipnum;
1195 int (*func)(struct pf_rule *, struct pf_rule *);
1196 } comps[] = PF_SKIP_COMPARITORS;
1197 int skipnum, i;
1198
1199 for (skipnum = 0; skipnum < PF_SKIP_COUNT; skipnum++) {
1200 for (i = 0; i < sizeof(comps)/sizeof(*comps); i++)
1201 if (comps[i].skipnum == skipnum) {
1202 skip_comparitors[skipnum] = comps[i].func;
1203 skip_comparitors_names[skipnum] = comps[i].name;
1204 }
1205 }
1206 for (skipnum = 0; skipnum < PF_SKIP_COUNT; skipnum++)
1207 if (skip_comparitors[skipnum] == NULL)
1208 errx(1, "Need to add skip step comparitor to pfctl?!");
1209 }
1210
1211 /*
1212 * Add a host/netmask to a table
1213 */
1214 int
1215 add_opt_table(struct pfctl *pf, struct pf_opt_tbl **tbl, sa_family_t af,
1216 struct pf_rule_addr *addr)
1217 {
1218 #ifdef OPT_DEBUG
1219 char buf[128];
1220 #endif /* OPT_DEBUG */
1221 static int tablenum = 0;
1222 struct node_host node_host;
1223
1224 if (*tbl == NULL) {
1225 if ((*tbl = calloc(1, sizeof(**tbl))) == NULL ||
1226 ((*tbl)->pt_buf = calloc(1, sizeof(*(*tbl)->pt_buf))) ==
1227 NULL)
1228 err(1, "calloc");
1229 (*tbl)->pt_buf->pfrb_type = PFRB_ADDRS;
1230 SIMPLEQ_INIT(&(*tbl)->pt_nodes);
1231
1232 /* This is just a temporary table name */
1233 snprintf((*tbl)->pt_name, sizeof((*tbl)->pt_name), "%s%d",
1234 PF_OPT_TABLE_PREFIX, tablenum++);
1235 DEBUG("creating table <%s>", (*tbl)->pt_name);
1236 }
1237
1238 memset(&node_host, 0, sizeof(node_host));
1239 node_host.af = af;
1240 node_host.addr = addr->addr;
1241
1242 #ifdef OPT_DEBUG
1243 DEBUG("<%s> adding %s/%d", (*tbl)->pt_name, inet_ntop(af,
1244 &node_host.addr.v.a.addr, buf, sizeof(buf)),
1245 unmask(&node_host.addr.v.a.mask, af));
1246 #endif /* OPT_DEBUG */
1247
1248 if (append_addr_host((*tbl)->pt_buf, &node_host, 0, 0)) {
1249 warn("failed to add host");
1250 return (1);
1251 }
1252 if (pf->opts & PF_OPT_VERBOSE) {
1253 struct node_tinit *ti;
1254
1255 if ((ti = calloc(1, sizeof(*ti))) == NULL)
1256 err(1, "malloc");
1257 if ((ti->host = malloc(sizeof(*ti->host))) == NULL)
1258 err(1, "malloc");
1259 memcpy(ti->host, &node_host, sizeof(*ti->host));
1260 SIMPLEQ_INSERT_TAIL(&(*tbl)->pt_nodes, ti, entries);
1261 }
1262
1263 (*tbl)->pt_rulecount++;
1264 if ((*tbl)->pt_rulecount == TABLE_THRESHOLD)
1265 DEBUG("table <%s> now faster than skip steps", (*tbl)->pt_name);
1266
1267 return (0);
1268 }
1269
1270
1271 /*
1272 * Do the dirty work of choosing an unused table name and creating it.
1273 * (be careful with the table name, it might already be used in another anchor)
1274 */
1275 int
1276 pf_opt_create_table(struct pfctl *pf, struct pf_opt_tbl *tbl)
1277 {
1278 static int tablenum;
1279 struct pfr_table *t;
1280
1281 if (table_buffer.pfrb_type == 0) {
1282 /* Initialize the list of tables */
1283 table_buffer.pfrb_type = PFRB_TABLES;
1284 for (;;) {
1285 pfr_buf_grow(&table_buffer, table_buffer.pfrb_size);
1286 table_buffer.pfrb_size = table_buffer.pfrb_msize;
1287 if (pfr_get_tables(NULL, table_buffer.pfrb_caddr,
1288 &table_buffer.pfrb_size, PFR_FLAG_ALLRSETS))
1289 err(1, "pfr_get_tables");
1290 if (table_buffer.pfrb_size <= table_buffer.pfrb_msize)
1291 break;
1292 }
1293 table_identifier = arc4random();
1294 }
1295
1296 /* XXX would be *really* nice to avoid duplicating identical tables */
1297
1298 /* Now we have to pick a table name that isn't used */
1299 again:
1300 DEBUG("translating temporary table <%s> to <%s%x_%d>", tbl->pt_name,
1301 PF_OPT_TABLE_PREFIX, table_identifier, tablenum);
1302 snprintf(tbl->pt_name, sizeof(tbl->pt_name), "%s%x_%d",
1303 PF_OPT_TABLE_PREFIX, table_identifier, tablenum);
1304 PFRB_FOREACH(t, &table_buffer) {
1305 if (strcasecmp(t->pfrt_name, tbl->pt_name) == 0) {
1306 /* Collision. Try again */
1307 DEBUG("wow, table <%s> in use. trying again",
1308 tbl->pt_name);
1309 table_identifier = arc4random();
1310 goto again;
1311 }
1312 }
1313 tablenum++;
1314
1315
1316 if (pfctl_define_table(tbl->pt_name, PFR_TFLAG_CONST, 1,
1317 pf->anchor->name, tbl->pt_buf, pf->anchor->ruleset.tticket)) {
1318 warn("failed to create table %s", tbl->pt_name);
1319 return (1);
1320 }
1321 return (0);
1322 }
1323
1324 /*
1325 * Partition the flat ruleset into a list of distinct superblocks
1326 */
1327 int
1328 construct_superblocks(struct pfctl *pf, struct pf_opt_queue *opt_queue,
1329 struct superblocks *superblocks)
1330 {
1331 struct superblock *block = NULL;
1332 struct pf_opt_rule *por;
1333 int i;
1334
1335 while (!TAILQ_EMPTY(opt_queue)) {
1336 por = TAILQ_FIRST(opt_queue);
1337 TAILQ_REMOVE(opt_queue, por, por_entry);
1338 if (block == NULL || !superblock_inclusive(block, por)) {
1339 if ((block = calloc(1, sizeof(*block))) == NULL) {
1340 warn("calloc");
1341 return (1);
1342 }
1343 TAILQ_INIT(&block->sb_rules);
1344 for (i = 0; i < PF_SKIP_COUNT; i++)
1345 TAILQ_INIT(&block->sb_skipsteps[i]);
1346 TAILQ_INSERT_TAIL(superblocks, block, sb_entry);
1347 }
1348 TAILQ_INSERT_TAIL(&block->sb_rules, por, por_entry);
1349 }
1350
1351 return (0);
1352 }
1353
1354
1355 /*
1356 * Compare two rule addresses
1357 */
1358 int
1359 addrs_equal(struct pf_rule_addr *a, struct pf_rule_addr *b)
1360 {
1361 if (a->neg != b->neg)
1362 return (0);
1363 return (memcmp(&a->addr, &b->addr, sizeof(a->addr)) == 0);
1364 }
1365
1366
1367 /*
1368 * The addresses are not equal, but can we combine them into one table?
1369 */
1370 int
1371 addrs_combineable(struct pf_rule_addr *a, struct pf_rule_addr *b)
1372 {
1373 if (a->addr.type != PF_ADDR_ADDRMASK ||
1374 b->addr.type != PF_ADDR_ADDRMASK)
1375 return (0);
1376 if (a->neg != b->neg || a->port_op != b->port_op ||
1377 a->port[0] != b->port[0] || a->port[1] != b->port[1])
1378 return (0);
1379 return (1);
1380 }
1381
1382
1383 /*
1384 * Are we allowed to combine these two rules
1385 */
1386 int
1387 rules_combineable(struct pf_rule *p1, struct pf_rule *p2)
1388 {
1389 struct pf_rule a, b;
1390
1391 comparable_rule(&a, p1, COMBINED);
1392 comparable_rule(&b, p2, COMBINED);
1393 return (memcmp(&a, &b, sizeof(a)) == 0);
1394 }
1395
1396
1397 /*
1398 * Can a rule be included inside a superblock
1399 */
1400 int
1401 superblock_inclusive(struct superblock *block, struct pf_opt_rule *por)
1402 {
1403 struct pf_rule a, b;
1404 int i, j;
1405
1406 /* First check for hard breaks */
1407 for (i = 0; i < sizeof(pf_rule_desc)/sizeof(*pf_rule_desc); i++) {
1408 if (pf_rule_desc[i].prf_type == BARRIER) {
1409 for (j = 0; j < pf_rule_desc[i].prf_size; j++)
1410 if (((char *)&por->por_rule)[j +
1411 pf_rule_desc[i].prf_offset] != 0)
1412 return (0);
1413 }
1414 }
1415
1416 /* per-rule src-track is also a hard break */
1417 if (por->por_rule.rule_flag & PFRULE_RULESRCTRACK)
1418 return (0);
1419
1420 /*
1421 * Have to handle interface groups seperately. Consider the following
1422 * rules:
1423 * block on EXTIFS to any port 22
1424 * pass on em0 to any port 22
1425 * (where EXTIFS is an arbitrary interface group)
1426 * The optimizer may decide to re-order the pass rule in front of the
1427 * block rule. But what if EXTIFS includes em0??? Such a reordering
1428 * would change the meaning of the ruleset.
1429 * We can't just lookup the EXTIFS group and check if em0 is a member
1430 * because the user is allowed to add interfaces to a group during
1431 * runtime.
1432 * Ergo interface groups become a defacto superblock break :-(
1433 */
1434 if (interface_group(por->por_rule.ifname) ||
1435 interface_group(TAILQ_FIRST(&block->sb_rules)->por_rule.ifname)) {
1436 if (strcasecmp(por->por_rule.ifname,
1437 TAILQ_FIRST(&block->sb_rules)->por_rule.ifname) != 0)
1438 return (0);
1439 }
1440
1441 comparable_rule(&a, &TAILQ_FIRST(&block->sb_rules)->por_rule, NOMERGE);
1442 comparable_rule(&b, &por->por_rule, NOMERGE);
1443 if (memcmp(&a, &b, sizeof(a)) == 0)
1444 return (1);
1445
1446 #ifdef OPT_DEBUG
1447 for (i = 0; i < sizeof(por->por_rule); i++) {
1448 int closest = -1;
1449 if (((u_int8_t *)&a)[i] != ((u_int8_t *)&b)[i]) {
1450 for (j = 0; j < sizeof(pf_rule_desc) /
1451 sizeof(*pf_rule_desc); j++) {
1452 if (i >= pf_rule_desc[j].prf_offset &&
1453 i < pf_rule_desc[j].prf_offset +
1454 pf_rule_desc[j].prf_size) {
1455 DEBUG("superblock break @ %d due to %s",
1456 por->por_rule.nr,
1457 pf_rule_desc[j].prf_name);
1458 return (0);
1459 }
1460 if (i > pf_rule_desc[j].prf_offset) {
1461 if (closest == -1 ||
1462 i-pf_rule_desc[j].prf_offset <
1463 i-pf_rule_desc[closest].prf_offset)
1464 closest = j;
1465 }
1466 }
1467
1468 if (closest >= 0)
1469 DEBUG("superblock break @ %d on %s+%xh",
1470 por->por_rule.nr,
1471 pf_rule_desc[closest].prf_name,
1472 i - pf_rule_desc[closest].prf_offset -
1473 pf_rule_desc[closest].prf_size);
1474 else
1475 DEBUG("superblock break @ %d on field @ %d",
1476 por->por_rule.nr, i);
1477 return (0);
1478 }
1479 }
1480 #endif /* OPT_DEBUG */
1481
1482 return (0);
1483 }
1484
1485
1486 /*
1487 * Figure out if an interface name is an actual interface or actually a
1488 * group of interfaces.
1489 */
1490 int
1491 interface_group(const char *ifname)
1492 {
1493 if (ifname == NULL || !ifname[0])
1494 return (0);
1495
1496 /* Real interfaces must end in a number, interface groups do not */
1497 if (isdigit((unsigned char)ifname[strlen(ifname) - 1]))
1498 return (0);
1499 else
1500 return (1);
1501 }
1502
1503
1504 /*
1505 * Make a rule that can directly compared by memcmp()
1506 */
1507 void
1508 comparable_rule(struct pf_rule *dst, const struct pf_rule *src, int type)
1509 {
1510 int i;
1511 /*
1512 * To simplify the comparison, we just zero out the fields that are
1513 * allowed to be different and then do a simple memcmp()
1514 */
1515 memcpy(dst, src, sizeof(*dst));
1516 for (i = 0; i < sizeof(pf_rule_desc)/sizeof(*pf_rule_desc); i++)
1517 if (pf_rule_desc[i].prf_type >= type) {
1518 #ifdef OPT_DEBUG
1519 assert(pf_rule_desc[i].prf_type != NEVER ||
1520 *(((char *)dst) + pf_rule_desc[i].prf_offset) == 0);
1521 #endif /* OPT_DEBUG */
1522 memset(((char *)dst) + pf_rule_desc[i].prf_offset, 0,
1523 pf_rule_desc[i].prf_size);
1524 }
1525 }
1526
1527
1528 /*
1529 * Remove superset information from two rules so we can directly compare them
1530 * with memcmp()
1531 */
1532 void
1533 exclude_supersets(struct pf_rule *super, struct pf_rule *sub)
1534 {
1535 if (super->ifname[0] == '\0')
1536 memset(sub->ifname, 0, sizeof(sub->ifname));
1537 if (super->direction == PF_INOUT)
1538 sub->direction = PF_INOUT;
1539 if ((super->proto == 0 || super->proto == sub->proto) &&
1540 super->flags == 0 && super->flagset == 0 && (sub->flags ||
1541 sub->flagset)) {
1542 sub->flags = super->flags;
1543 sub->flagset = super->flagset;
1544 }
1545 if (super->proto == 0)
1546 sub->proto = 0;
1547
1548 if (super->src.port_op == 0) {
1549 sub->src.port_op = 0;
1550 sub->src.port[0] = 0;
1551 sub->src.port[1] = 0;
1552 }
1553 if (super->dst.port_op == 0) {
1554 sub->dst.port_op = 0;
1555 sub->dst.port[0] = 0;
1556 sub->dst.port[1] = 0;
1557 }
1558
1559 if (super->src.addr.type == PF_ADDR_ADDRMASK && !super->src.neg &&
1560 !sub->src.neg && super->src.addr.v.a.mask.addr32[0] == 0 &&
1561 super->src.addr.v.a.mask.addr32[1] == 0 &&
1562 super->src.addr.v.a.mask.addr32[2] == 0 &&
1563 super->src.addr.v.a.mask.addr32[3] == 0)
1564 memset(&sub->src.addr, 0, sizeof(sub->src.addr));
1565 else if (super->src.addr.type == PF_ADDR_ADDRMASK &&
1566 sub->src.addr.type == PF_ADDR_ADDRMASK &&
1567 super->src.neg == sub->src.neg &&
1568 super->af == sub->af &&
1569 unmask(&super->src.addr.v.a.mask, super->af) <
1570 unmask(&sub->src.addr.v.a.mask, sub->af) &&
1571 super->src.addr.v.a.addr.addr32[0] ==
1572 (sub->src.addr.v.a.addr.addr32[0] &
1573 super->src.addr.v.a.mask.addr32[0]) &&
1574 super->src.addr.v.a.addr.addr32[1] ==
1575 (sub->src.addr.v.a.addr.addr32[1] &
1576 super->src.addr.v.a.mask.addr32[1]) &&
1577 super->src.addr.v.a.addr.addr32[2] ==
1578 (sub->src.addr.v.a.addr.addr32[2] &
1579 super->src.addr.v.a.mask.addr32[2]) &&
1580 super->src.addr.v.a.addr.addr32[3] ==
1581 (sub->src.addr.v.a.addr.addr32[3] &
1582 super->src.addr.v.a.mask.addr32[3])) {
1583 /* sub->src.addr is a subset of super->src.addr/mask */
1584 memcpy(&sub->src.addr, &super->src.addr, sizeof(sub->src.addr));
1585 }
1586
1587 if (super->dst.addr.type == PF_ADDR_ADDRMASK && !super->dst.neg &&
1588 !sub->dst.neg && super->dst.addr.v.a.mask.addr32[0] == 0 &&
1589 super->dst.addr.v.a.mask.addr32[1] == 0 &&
1590 super->dst.addr.v.a.mask.addr32[2] == 0 &&
1591 super->dst.addr.v.a.mask.addr32[3] == 0)
1592 memset(&sub->dst.addr, 0, sizeof(sub->dst.addr));
1593 else if (super->dst.addr.type == PF_ADDR_ADDRMASK &&
1594 sub->dst.addr.type == PF_ADDR_ADDRMASK &&
1595 super->dst.neg == sub->dst.neg &&
1596 super->af == sub->af &&
1597 unmask(&super->dst.addr.v.a.mask, super->af) <
1598 unmask(&sub->dst.addr.v.a.mask, sub->af) &&
1599 super->dst.addr.v.a.addr.addr32[0] ==
1600 (sub->dst.addr.v.a.addr.addr32[0] &
1601 super->dst.addr.v.a.mask.addr32[0]) &&
1602 super->dst.addr.v.a.addr.addr32[1] ==
1603 (sub->dst.addr.v.a.addr.addr32[1] &
1604 super->dst.addr.v.a.mask.addr32[1]) &&
1605 super->dst.addr.v.a.addr.addr32[2] ==
1606 (sub->dst.addr.v.a.addr.addr32[2] &
1607 super->dst.addr.v.a.mask.addr32[2]) &&
1608 super->dst.addr.v.a.addr.addr32[3] ==
1609 (sub->dst.addr.v.a.addr.addr32[3] &
1610 super->dst.addr.v.a.mask.addr32[3])) {
1611 /* sub->dst.addr is a subset of super->dst.addr/mask */
1612 memcpy(&sub->dst.addr, &super->dst.addr, sizeof(sub->dst.addr));
1613 }
1614
1615 if (super->af == 0)
1616 sub->af = 0;
1617 }
1618
1619
1620 void
1621 superblock_free(struct pfctl *pf, struct superblock *block)
1622 {
1623 struct pf_opt_rule *por;
1624 while ((por = TAILQ_FIRST(&block->sb_rules))) {
1625 TAILQ_REMOVE(&block->sb_rules, por, por_entry);
1626 if (por->por_src_tbl) {
1627 if (por->por_src_tbl->pt_buf) {
1628 pfr_buf_clear(por->por_src_tbl->pt_buf);
1629 free(por->por_src_tbl->pt_buf);
1630 }
1631 free(por->por_src_tbl);
1632 }
1633 if (por->por_dst_tbl) {
1634 if (por->por_dst_tbl->pt_buf) {
1635 pfr_buf_clear(por->por_dst_tbl->pt_buf);
1636 free(por->por_dst_tbl->pt_buf);
1637 }
1638 free(por->por_dst_tbl);
1639 }
1640 free(por);
1641 }
1642 if (block->sb_profiled_block)
1643 superblock_free(pf, block->sb_profiled_block);
1644 free(block);
1645 }
1646
NetBSD on the FriendlyARM MINI2440