git: e5c64b2662ff - main - pf: replace union pf_krule_ptr with struct pf_krule in in-kernel structs
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 02 Oct 2024 17:53:44 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=e5c64b2662ffddd6593099d9333fc7f1cea0f785
commit e5c64b2662ffddd6593099d9333fc7f1cea0f785
Author: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
AuthorDate: 2024-10-02 12:21:47 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-10-02 17:53:26 +0000
pf: replace union pf_krule_ptr with struct pf_krule in in-kernel structs
There is no need for the union pf_krule_ptr for kernel-only structs like
pf_kstate and pf_ksrc_node. The rules are always accessed by pointer. The rule
numbers are a leftover from using the same structure for pfctl(8) and pf(4).
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46868
---
sys/net/pfvar.h | 15 ++--
sys/netpfil/pf/if_pfsync.c | 8 +-
sys/netpfil/pf/pf.c | 180 ++++++++++++++++++++++-----------------------
sys/netpfil/pf/pf_ioctl.c | 30 ++++----
sys/netpfil/pf/pf_lb.c | 16 ++--
sys/netpfil/pf/pf_nl.c | 6 +-
sys/netpfil/pf/pf_norm.c | 58 +++++++--------
sys/netpfil/pf/pf_nv.c | 8 +-
sys/netpfil/pf/pflow.c | 6 +-
9 files changed, 161 insertions(+), 166 deletions(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 53bc77d14537..b5d56ab45ce7 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -761,18 +761,13 @@ struct pf_keth_rule {
uint32_t ridentifier;
};
-union pf_krule_ptr {
- struct pf_krule *ptr;
- u_int32_t nr;
-};
-
RB_HEAD(pf_krule_global, pf_krule);
RB_PROTOTYPE(pf_krule_global, pf_krule, entry_global, pf_krule_compare);
struct pf_krule {
struct pf_rule_addr src;
struct pf_rule_addr dst;
- union pf_krule_ptr skip[PF_SKIP_COUNT];
+ struct pf_krule *skip[PF_SKIP_COUNT];
char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
uint32_t ridentifier;
char ifname[IFNAMSIZ];
@@ -889,7 +884,7 @@ struct pf_ksrc_node {
struct pf_addr addr;
struct pf_addr raddr;
struct pf_krule_slist match_rules;
- union pf_krule_ptr rule;
+ struct pf_krule *rule;
struct pfi_kkif *rkif;
counter_u64_t bytes[2];
counter_u64_t packets[2];
@@ -1089,9 +1084,9 @@ struct pf_kstate {
struct pf_state_peer src;
struct pf_state_peer dst;
struct pf_krule_slist match_rules;
- union pf_krule_ptr rule;
- union pf_krule_ptr anchor;
- union pf_krule_ptr nat_rule;
+ struct pf_krule *rule;
+ struct pf_krule *anchor;
+ struct pf_krule *nat_rule;
struct pf_addr rt_addr;
struct pf_state_key *key[2]; /* addresses stack and wire */
struct pf_udp_mapping *udp_mapping;
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 82a42c874a8f..0dd1b480b313 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -702,9 +702,9 @@ pfsync_state_import(union pfsync_state_union *sp, int flags, int msg_version)
pf_state_peer_ntoh(&sp->pfs_1301.src, &st->src);
pf_state_peer_ntoh(&sp->pfs_1301.dst, &st->dst);
- st->rule.ptr = r;
- st->nat_rule.ptr = NULL;
- st->anchor.ptr = NULL;
+ st->rule = r;
+ st->nat_rule = NULL;
+ st->anchor = NULL;
st->pfsync_time = time_uptime;
st->sync_state = PFSYNC_S_NONE;
@@ -1974,7 +1974,7 @@ pfsync_insert_state(struct pf_kstate *st)
if (st->state_flags & PFSTATE_NOSYNC)
return;
- if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) ||
+ if ((st->rule->rule_flag & PFRULE_NOSYNC) ||
st->key[PF_SK_WIRE]->proto == IPPROTO_PFSYNC) {
st->state_flags |= PFSTATE_NOSYNC;
return;
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index b28503112db6..b5a18c37a89b 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -436,14 +436,14 @@ BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k)
SDT_PROBE2(pf, ip, , bound_iface, st, k);
/* Floating unless otherwise specified. */
- if (! (st->rule.ptr->rule_flag & PFRULE_IFBOUND))
+ if (! (st->rule->rule_flag & PFRULE_IFBOUND))
return (V_pfi_all);
/*
* Initially set to all, because we don't know what interface we'll be
* sending this out when we create the state.
*/
- if (st->rule.ptr->rt == PF_REPLYTO)
+ if (st->rule->rt == PF_REPLYTO)
return (V_pfi_all);
/* Don't overrule the interface for states created on incoming packets. */
@@ -461,15 +461,15 @@ BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k)
#define STATE_INC_COUNTERS(s) \
do { \
struct pf_krule_item *mrm; \
- counter_u64_add(s->rule.ptr->states_cur, 1); \
- counter_u64_add(s->rule.ptr->states_tot, 1); \
- if (s->anchor.ptr != NULL) { \
- counter_u64_add(s->anchor.ptr->states_cur, 1); \
- counter_u64_add(s->anchor.ptr->states_tot, 1); \
+ counter_u64_add(s->rule->states_cur, 1); \
+ counter_u64_add(s->rule->states_tot, 1); \
+ if (s->anchor != NULL) { \
+ counter_u64_add(s->anchor->states_cur, 1); \
+ counter_u64_add(s->anchor->states_tot, 1); \
} \
- if (s->nat_rule.ptr != NULL) { \
- counter_u64_add(s->nat_rule.ptr->states_cur, 1);\
- counter_u64_add(s->nat_rule.ptr->states_tot, 1);\
+ if (s->nat_rule != NULL) { \
+ counter_u64_add(s->nat_rule->states_cur, 1);\
+ counter_u64_add(s->nat_rule->states_tot, 1);\
} \
SLIST_FOREACH(mrm, &s->match_rules, entry) { \
counter_u64_add(mrm->r->states_cur, 1); \
@@ -480,11 +480,11 @@ BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k)
#define STATE_DEC_COUNTERS(s) \
do { \
struct pf_krule_item *mrm; \
- if (s->nat_rule.ptr != NULL) \
- counter_u64_add(s->nat_rule.ptr->states_cur, -1);\
- if (s->anchor.ptr != NULL) \
- counter_u64_add(s->anchor.ptr->states_cur, -1); \
- counter_u64_add(s->rule.ptr->states_cur, -1); \
+ if (s->nat_rule != NULL) \
+ counter_u64_add(s->nat_rule->states_cur, -1);\
+ if (s->anchor != NULL) \
+ counter_u64_add(s->anchor->states_cur, -1); \
+ counter_u64_add(s->rule->states_cur, -1); \
SLIST_FOREACH(mrm, &s->match_rules, entry) \
counter_u64_add(mrm->r->states_cur, -1); \
} while (0)
@@ -828,14 +828,14 @@ pf_src_connlimit(struct pf_kstate **state)
(*state)->src.tcp_est = 1;
pf_add_threshold(&(*state)->src_node->conn_rate);
- if ((*state)->rule.ptr->max_src_conn &&
- (*state)->rule.ptr->max_src_conn <
+ if ((*state)->rule->max_src_conn &&
+ (*state)->rule->max_src_conn <
(*state)->src_node->conn) {
counter_u64_add(V_pf_status.lcounters[LCNT_SRCCONN], 1);
bad++;
}
- if ((*state)->rule.ptr->max_src_conn_rate.limit &&
+ if ((*state)->rule->max_src_conn_rate.limit &&
pf_check_threshold(&(*state)->src_node->conn_rate)) {
counter_u64_add(V_pf_status.lcounters[LCNT_SRCCONNRATE], 1);
bad++;
@@ -848,7 +848,7 @@ pf_src_connlimit(struct pf_kstate **state)
(*state)->timeout = PFTM_PURGE;
pf_set_protostate(*state, PF_PEER_BOTH, TCPS_CLOSED);
- if ((*state)->rule.ptr->overload_tbl == NULL)
+ if ((*state)->rule->overload_tbl == NULL)
return (1);
/* Schedule overloading and flushing task. */
@@ -858,7 +858,7 @@ pf_src_connlimit(struct pf_kstate **state)
bcopy(&(*state)->src_node->addr, &pfoe->addr, sizeof(pfoe->addr));
pfoe->af = (*state)->key[PF_SK_WIRE]->af;
- pfoe->rule = (*state)->rule.ptr;
+ pfoe->rule = (*state)->rule;
pfoe->dir = (*state)->direction;
PF_OVERLOADQ_LOCK();
SLIST_INSERT_HEAD(&V_pf_overloadqueue, pfoe, next);
@@ -941,7 +941,7 @@ pf_overload_task(void *v, int pending)
SLIST_FOREACH(pfoe, &queue, next)
if (sk->af == pfoe->af &&
((pfoe->rule->flush & PF_FLUSH_GLOBAL) ||
- pfoe->rule == s->rule.ptr) &&
+ pfoe->rule == s->rule) &&
((pfoe->dir == PF_OUT &&
PF_AEQ(&pfoe->addr, &sk->addr[1], sk->af)) ||
(pfoe->dir == PF_IN &&
@@ -976,7 +976,7 @@ pf_find_src_node(struct pf_addr *src, struct pf_krule *rule, sa_family_t af,
*sh = &V_pf_srchash[pf_hashsrc(src, af)];
PF_HASHROW_LOCK(*sh);
LIST_FOREACH(n, &(*sh)->nodes, entry)
- if (n->rule.ptr == rule && n->af == af &&
+ if (n->rule == rule && n->af == af &&
((af == AF_INET && n->addr.v4.s_addr == src->v4.s_addr) ||
(af == AF_INET6 && bcmp(&n->addr, src, sizeof(*src)) == 0)))
break;
@@ -1053,14 +1053,14 @@ pf_insert_src_node(struct pf_ksrc_node **sn, struct pf_krule *rule,
(*sn)->lock = &sh->lock;
(*sn)->af = af;
- (*sn)->rule.ptr = rule;
+ (*sn)->rule = rule;
PF_ACPY(&(*sn)->addr, src, af);
LIST_INSERT_HEAD(&sh->nodes, *sn, entry);
(*sn)->creation = time_uptime;
(*sn)->ruletype = rule->action;
(*sn)->states = 1;
- if ((*sn)->rule.ptr != NULL)
- counter_u64_add((*sn)->rule.ptr->src_nodes, 1);
+ if ((*sn)->rule != NULL)
+ counter_u64_add((*sn)->rule->src_nodes, 1);
PF_HASHROW_UNLOCK(sh);
counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_INSERT], 1);
} else {
@@ -1082,8 +1082,8 @@ pf_unlink_src_node(struct pf_ksrc_node *src)
PF_SRC_NODE_LOCK_ASSERT(src);
LIST_REMOVE(src, entry);
- if (src->rule.ptr)
- counter_u64_add(src->rule.ptr->src_nodes, -1);
+ if (src->rule)
+ counter_u64_add(src->rule->src_nodes, -1);
}
u_int
@@ -2481,13 +2481,13 @@ pf_state_expires(const struct pf_kstate *state)
("pf_state_expires: timeout == PFTM_UNLINKED"));
KASSERT((state->timeout < PFTM_MAX),
("pf_state_expires: timeout > PFTM_MAX"));
- timeout = state->rule.ptr->timeout[state->timeout];
+ timeout = state->rule->timeout[state->timeout];
if (!timeout)
timeout = V_pf_default_rule.timeout[state->timeout];
- start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
- if (start && state->rule.ptr != &V_pf_default_rule) {
- end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
- states = counter_u64_fetch(state->rule.ptr->states_cur);
+ start = state->rule->timeout[PFTM_ADAPTIVE_START];
+ if (start && state->rule != &V_pf_default_rule) {
+ end = state->rule->timeout[PFTM_ADAPTIVE_END];
+ states = counter_u64_fetch(state->rule->states_cur);
} else {
start = V_pf_default_rule.timeout[PFTM_ADAPTIVE_START];
end = V_pf_default_rule.timeout[PFTM_ADAPTIVE_END];
@@ -2520,8 +2520,8 @@ pf_purge_expired_src_nodes(void)
if (cur->states == 0 && cur->expire <= time_uptime) {
pf_unlink_src_node(cur);
LIST_INSERT_HEAD(&freelist, cur, entry);
- } else if (cur->rule.ptr != NULL)
- cur->rule.ptr->rule_ref |= PFRULE_REFS;
+ } else if (cur->rule != NULL)
+ cur->rule->rule_ref |= PFRULE_REFS;
PF_HASHROW_UNLOCK(sh);
}
@@ -2536,8 +2536,8 @@ pf_src_tree_remove_state(struct pf_kstate *s)
struct pf_ksrc_node *sn;
uint32_t timeout;
- timeout = s->rule.ptr->timeout[PFTM_SRC_NODE] ?
- s->rule.ptr->timeout[PFTM_SRC_NODE] :
+ timeout = s->rule->timeout[PFTM_SRC_NODE] ?
+ s->rule->timeout[PFTM_SRC_NODE] :
V_pf_default_rule.timeout[PFTM_SRC_NODE];
if (s->src_node != NULL) {
@@ -2584,7 +2584,7 @@ pf_unlink_state(struct pf_kstate *s)
if (s->src.state == PF_TCPS_PROXY_DST) {
/* XXX wire key the right one? */
- pf_send_tcp(s->rule.ptr, s->key[PF_SK_WIRE]->af,
+ pf_send_tcp(s->rule, s->key[PF_SK_WIRE]->af,
&s->key[PF_SK_WIRE]->addr[1],
&s->key[PF_SK_WIRE]->addr[0],
s->key[PF_SK_WIRE]->port[1],
@@ -2674,11 +2674,11 @@ relock:
pf_unlink_state(s);
goto relock;
}
- s->rule.ptr->rule_ref |= PFRULE_REFS;
- if (s->nat_rule.ptr != NULL)
- s->nat_rule.ptr->rule_ref |= PFRULE_REFS;
- if (s->anchor.ptr != NULL)
- s->anchor.ptr->rule_ref |= PFRULE_REFS;
+ s->rule->rule_ref |= PFRULE_REFS;
+ if (s->nat_rule != NULL)
+ s->nat_rule->rule_ref |= PFRULE_REFS;
+ if (s->anchor != NULL)
+ s->anchor->rule_ref |= PFRULE_REFS;
s->kif->pfik_flags |= PFI_IFLAG_REFS;
SLIST_FOREACH(mrm, &s->match_rules, entry)
mrm->r->rule_ref |= PFRULE_REFS;
@@ -2901,8 +2901,8 @@ pf_print_state_parts(struct pf_kstate *s,
printf("]");
}
printf(" %u:%u", s->src.state, s->dst.state);
- if (s->rule.ptr)
- printf(" @%d", s->rule.ptr->nr);
+ if (s->rule)
+ printf(" @%d", s->rule->nr);
}
}
@@ -2932,7 +2932,7 @@ pf_print_flags(u_int8_t f)
#define PF_SET_SKIP_STEPS(i) \
do { \
while (head[i] != cur) { \
- head[i]->skip[i].ptr = cur; \
+ head[i]->skip[i] = cur; \
head[i] = TAILQ_NEXT(head[i], entries); \
} \
} while (0)
@@ -5136,19 +5136,19 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
PF_TEST_ATTRIB(pfi_kkif_match(r->kif, kif) == r->ifnot,
- r->skip[PF_SKIP_IFP].ptr);
+ r->skip[PF_SKIP_IFP]);
PF_TEST_ATTRIB(r->direction && r->direction != pd->dir,
- r->skip[PF_SKIP_DIR].ptr);
+ r->skip[PF_SKIP_DIR]);
PF_TEST_ATTRIB(r->af && r->af != af,
- r->skip[PF_SKIP_AF].ptr);
+ r->skip[PF_SKIP_AF]);
PF_TEST_ATTRIB(r->proto && r->proto != pd->proto,
- r->skip[PF_SKIP_PROTO].ptr);
+ r->skip[PF_SKIP_PROTO]);
PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, saddr, af,
r->src.neg, kif, M_GETFIB(m)),
- r->skip[PF_SKIP_SRC_ADDR].ptr);
+ r->skip[PF_SKIP_SRC_ADDR]);
PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, daddr, af,
r->dst.neg, NULL, M_GETFIB(m)),
- r->skip[PF_SKIP_DST_ADDR].ptr);
+ r->skip[PF_SKIP_DST_ADDR]);
switch (pd->virtual_proto) {
case PF_VPROTO_FRAGMENT:
/* tcp/udp only. port_op always 0 in other cases */
@@ -5173,11 +5173,11 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
/* tcp/udp only. port_op always 0 in other cases */
PF_TEST_ATTRIB(r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], sport),
- r->skip[PF_SKIP_SRC_PORT].ptr);
+ r->skip[PF_SKIP_SRC_PORT]);
/* tcp/udp only. port_op always 0 in other cases */
PF_TEST_ATTRIB(r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], dport),
- r->skip[PF_SKIP_DST_PORT].ptr);
+ r->skip[PF_SKIP_DST_PORT]);
/* tcp/udp only. uid.op always 0 in other cases */
PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done =
pf_socket_lookup(pd, m), 1)) &&
@@ -5401,9 +5401,9 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
REASON_SET(&reason, PFRES_MEMORY);
goto csfailed;
}
- s->rule.ptr = r;
- s->nat_rule.ptr = nr;
- s->anchor.ptr = a;
+ s->rule = r;
+ s->nat_rule = nr;
+ s->anchor = a;
bcopy(match_rules, &s->match_rules, sizeof(s->match_rules));
memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions));
@@ -5936,11 +5936,11 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif,
(*state)->src.state == TCPS_SYN_SENT) {
/* Send RST for state mismatches during handshake */
if (!(th->th_flags & TH_RST))
- pf_send_tcp((*state)->rule.ptr, pd->af,
+ pf_send_tcp((*state)->rule, pd->af,
pd->dst, pd->src, th->th_dport,
th->th_sport, ntohl(th->th_ack), 0,
TH_RST, 0, 0,
- (*state)->rule.ptr->return_ttl, true, 0, 0,
+ (*state)->rule->return_ttl, true, 0, 0,
(*state)->act.rtableid);
src->seqlo = 0;
src->seqhi = 1;
@@ -6074,7 +6074,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_DROP);
}
- pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
+ pf_send_tcp((*state)->rule, pd->af, pd->dst,
pd->src, th->th_dport, th->th_sport,
(*state)->src.seqhi, ntohl(th->th_seq) + 1,
TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, true, 0, 0,
@@ -6105,7 +6105,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
(*state)->src.max_win = MAX(ntohs(th->th_win), 1);
if ((*state)->dst.seqhi == 1)
(*state)->dst.seqhi = htonl(arc4random());
- pf_send_tcp((*state)->rule.ptr, pd->af,
+ pf_send_tcp((*state)->rule, pd->af,
&sk->addr[pd->sidx], &sk->addr[pd->didx],
sk->port[pd->sidx], sk->port[pd->didx],
(*state)->dst.seqhi, 0, TH_SYN, 0,
@@ -6121,12 +6121,12 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
} else {
(*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
(*state)->dst.seqlo = ntohl(th->th_seq);
- pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
+ pf_send_tcp((*state)->rule, pd->af, pd->dst,
pd->src, th->th_dport, th->th_sport,
ntohl(th->th_ack), ntohl(th->th_seq) + 1,
TH_ACK, (*state)->src.max_win, 0, 0, false,
(*state)->tag, 0, (*state)->act.rtableid);
- pf_send_tcp((*state)->rule.ptr, pd->af,
+ pf_send_tcp((*state)->rule, pd->af,
&sk->addr[pd->sidx], &sk->addr[pd->didx],
sk->port[pd->sidx], sk->port[pd->didx],
(*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
@@ -6875,7 +6875,7 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
return (-1);
/* Is this ICMP message flowing in right direction? */
- if ((*state)->rule.ptr->type &&
+ if ((*state)->rule->type &&
(((!inner && (*state)->direction == direction) ||
(inner && (*state)->direction != direction)) ?
PF_IN : PF_OUT) != icmp_dir) {
@@ -7899,7 +7899,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
error = EMSGSIZE;
KMOD_IPSTAT_INC(ips_cantfrag);
if (r_rt != PF_DUPTO) {
- if (s && s->nat_rule.ptr != NULL)
+ if (s && s->nat_rule != NULL)
PACKET_UNDO_NAT(m0, pd,
(ip->ip_hl << 2) + (ip_off & IP_OFFMASK),
s);
@@ -8112,7 +8112,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
else {
in6_ifstat_inc(ifp, ifs6_in_toobig);
if (r_rt != PF_DUPTO) {
- if (s && s->nat_rule.ptr != NULL)
+ if (s && s->nat_rule != NULL)
PACKET_UNDO_NAT(m0, pd,
((caddr_t)ip6 - m0->m_data) +
sizeof(struct ip6_hdr), s);
@@ -8431,8 +8431,8 @@ pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s,
sizeof(struct sockaddr_in6));
}
- if (s != NULL && s->nat_rule.ptr != NULL &&
- s->nat_rule.ptr->action == PF_RDR &&
+ if (s != NULL && s->nat_rule != NULL &&
+ s->nat_rule->action == PF_RDR &&
(
#ifdef INET
(pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) ||
@@ -8795,10 +8795,10 @@ pf_counters_inc(int action, struct pf_pdesc *pd,
if (s != NULL) {
struct pf_krule_item *ri;
- if (s->nat_rule.ptr != NULL) {
- pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx],
+ if (s->nat_rule != NULL) {
+ pf_counter_u64_add_protected(&s->nat_rule->packets[dirndx],
1);
- pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx],
+ pf_counter_u64_add_protected(&s->nat_rule->bytes[dirndx],
pd->tot_len);
}
if (s->src_node != NULL) {
@@ -8824,9 +8824,9 @@ pf_counters_inc(int action, struct pf_pdesc *pd,
}
tr = r;
- if (s != NULL && s->nat_rule.ptr != NULL &&
+ if (s != NULL && s->nat_rule != NULL &&
r == &V_pf_default_rule)
- tr = s->nat_rule.ptr;
+ tr = s->nat_rule;
if (tr->src.addr.type == PF_ADDR_TABLE)
pfr_update_stats(tr->src.addr.p.tbl,
@@ -9024,8 +9024,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
+ r = s->rule;
+ a = s->anchor;
} else if (s == NULL) {
/* Validate remote SYN|ACK, re-create original SYN if
* valid. */
@@ -9072,8 +9072,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
+ r = s->rule;
+ a = s->anchor;
} else if (s == NULL)
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp, hdrlen);
@@ -9089,8 +9089,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
+ r = s->rule;
+ a = s->anchor;
} else if (s == NULL) {
action = pf_test_rule(&r, &s, kif, m, off,
&pd, &a, &ruleset, inp, hdrlen);
@@ -9109,8 +9109,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
+ r = s->rule;
+ a = s->anchor;
} else if (s == NULL)
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp, hdrlen);
@@ -9128,8 +9128,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
+ r = s->rule;
+ a = s->anchor;
} else if (s == NULL)
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp, hdrlen);
@@ -9141,8 +9141,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
+ r = s->rule;
+ a = s->anchor;
} else if (s == NULL)
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp, hdrlen);
@@ -9224,9 +9224,9 @@ done:
* see tcp_input() and in_pcblookup_listen().
*/
if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
- pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
- (s->nat_rule.ptr->action == PF_RDR ||
- s->nat_rule.ptr->action == PF_BINAT) &&
+ pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule != NULL &&
+ (s->nat_rule->action == PF_RDR ||
+ s->nat_rule->action == PF_BINAT) &&
pf_is_loopback(af, pd.dst))
m->m_flags |= M_SKIP_FIREWALL;
@@ -9284,9 +9284,9 @@ done:
struct pf_krule *lr;
struct pf_krule_item *ri;
- if (s != NULL && s->nat_rule.ptr != NULL &&
- s->nat_rule.ptr->log & PF_LOG_ALL)
- lr = s->nat_rule.ptr;
+ if (s != NULL && s->nat_rule != NULL &&
+ s->nat_rule->log & PF_LOG_ALL)
+ lr = s->nat_rule;
else
lr = r;
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 6e2fcd358b68..8081960933a2 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1551,8 +1551,8 @@ pf_src_node_copy(const struct pf_ksrc_node *in, struct pf_src_node *out)
bcopy(&in->addr, &out->addr, sizeof(struct pf_addr));
bcopy(&in->raddr, &out->raddr, sizeof(struct pf_addr));
- if (in->rule.ptr != NULL)
- out->rule.nr = in->rule.ptr->nr;
+ if (in->rule != NULL)
+ out->rule.nr = in->rule->nr;
for (int i = 0; i < 2; i++) {
out->bytes[i] = counter_u64_fetch(in->bytes[i]);
@@ -2355,7 +2355,7 @@ relock_DIOCKILLSTATES:
continue;
if (psk->psk_label[0] &&
- ! pf_label_match(s->rule.ptr, psk->psk_label))
+ ! pf_label_match(s->rule, psk->psk_label))
continue;
if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
@@ -5613,18 +5613,18 @@ pfsync_state_export(union pfsync_state_union *sp, struct pf_kstate *st, int msg_
pf_state_peer_hton(&st->src, &sp->pfs_1301.src);
pf_state_peer_hton(&st->dst, &sp->pfs_1301.dst);
- if (st->rule.ptr == NULL)
+ if (st->rule == NULL)
sp->pfs_1301.rule = htonl(-1);
else
- sp->pfs_1301.rule = htonl(st->rule.ptr->nr);
- if (st->anchor.ptr == NULL)
+ sp->pfs_1301.rule = htonl(st->rule->nr);
+ if (st->anchor == NULL)
sp->pfs_1301.anchor = htonl(-1);
else
- sp->pfs_1301.anchor = htonl(st->anchor.ptr->nr);
- if (st->nat_rule.ptr == NULL)
+ sp->pfs_1301.anchor = htonl(st->anchor->nr);
+ if (st->nat_rule == NULL)
sp->pfs_1301.nat_rule = htonl(-1);
else
- sp->pfs_1301.nat_rule = htonl(st->nat_rule.ptr->nr);
+ sp->pfs_1301.nat_rule = htonl(st->nat_rule->nr);
pf_state_counter_hton(st->packets[0], sp->pfs_1301.packets[0]);
pf_state_counter_hton(st->packets[1], sp->pfs_1301.packets[1]);
@@ -5679,18 +5679,18 @@ pf_state_export(struct pf_state_export *sp, struct pf_kstate *st)
pf_state_peer_hton(&st->src, &sp->src);
pf_state_peer_hton(&st->dst, &sp->dst);
- if (st->rule.ptr == NULL)
+ if (st->rule == NULL)
sp->rule = htonl(-1);
else
- sp->rule = htonl(st->rule.ptr->nr);
- if (st->anchor.ptr == NULL)
+ sp->rule = htonl(st->rule->nr);
+ if (st->anchor == NULL)
sp->anchor = htonl(-1);
else
- sp->anchor = htonl(st->anchor.ptr->nr);
- if (st->nat_rule.ptr == NULL)
+ sp->anchor = htonl(st->anchor->nr);
+ if (st->nat_rule == NULL)
sp->nat_rule = htonl(-1);
else
- sp->nat_rule = htonl(st->nat_rule.ptr->nr);
+ sp->nat_rule = htonl(st->nat_rule->nr);
sp->packets[0] = st->packets[0];
sp->packets[1] = st->packets[1];
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index 007e8606ee8a..16fbcd49b3c8 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -158,32 +158,32 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP].ptr;
+ r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
- r = r->skip[PF_SKIP_DIR].ptr;
+ r = r->skip[PF_SKIP_DIR];
else if (r->af && r->af != pd->af)
- r = r->skip[PF_SKIP_AF].ptr;
+ r = r->skip[PF_SKIP_AF];
else if (r->proto && r->proto != pd->proto)
- r = r->skip[PF_SKIP_PROTO].ptr;
+ r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
src->neg, kif, M_GETFIB(m)))
r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
- PF_SKIP_DST_ADDR].ptr;
+ PF_SKIP_DST_ADDR];
else if (src->port_op && !pf_match_port(src->port_op,
src->port[0], src->port[1], sport))
r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
- PF_SKIP_DST_PORT].ptr;
+ PF_SKIP_DST_PORT];
else if (dst != NULL &&
PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
M_GETFIB(m)))
- r = r->skip[PF_SKIP_DST_ADDR].ptr;
+ r = r->skip[PF_SKIP_DST_ADDR];
else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
0, NULL, M_GETFIB(m)))
r = TAILQ_NEXT(r, entries);
else if (dst != NULL && dst->port_op &&
!pf_match_port(dst->port_op, dst->port[0],
dst->port[1], dport))
- r = r->skip[PF_SKIP_DST_PORT].ptr;
+ r = r->skip[PF_SKIP_DST_PORT];
else if (r->match_tag && !pf_match_tag(m, r, &tag,
pd->pf_mtag ? pd->pf_mtag->tag : 0))
r = TAILQ_NEXT(r, entries);
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index ca90e0b5b140..15fe341ce57e 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -192,9 +192,9 @@ dump_state(struct nlpcb *nlp, const struct nlmsghdr *hdr, struct pf_kstate *s,
nlattr_add_u64(nw, PF_ST_ID, s->id);
nlattr_add_u32(nw, PF_ST_CREATORID, htonl(s->creatorid));
- nlattr_add_u32(nw, PF_ST_RULE, s->rule.ptr ? s->rule.ptr->nr : -1);
- nlattr_add_u32(nw, PF_ST_ANCHOR, s->anchor.ptr ? s->anchor.ptr->nr : -1);
- nlattr_add_u32(nw, PF_ST_NAT_RULE, s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1);
+ nlattr_add_u32(nw, PF_ST_RULE, s->rule ? s->rule->nr : -1);
+ nlattr_add_u32(nw, PF_ST_ANCHOR, s->anchor ? s->anchor->nr : -1);
+ nlattr_add_u32(nw, PF_ST_NAT_RULE, s->nat_rule ? s->nat_rule->nr : -1);
nlattr_add_u64(nw, PF_ST_PACKETS0, s->packets[0]);
nlattr_add_u64(nw, PF_ST_PACKETS1, s->packets[1]);
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index d1a1e84db9dc..18a9cff2a5c2 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1079,21 +1079,21 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP].ptr;
+ r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
- r = r->skip[PF_SKIP_DIR].ptr;
+ r = r->skip[PF_SKIP_DIR];
else if (r->af && r->af != AF_INET)
- r = r->skip[PF_SKIP_AF].ptr;
+ r = r->skip[PF_SKIP_AF];
else if (r->proto && r->proto != h->ip_p)
- r = r->skip[PF_SKIP_PROTO].ptr;
+ r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr,
(struct pf_addr *)&h->ip_src.s_addr, AF_INET,
r->src.neg, kif, M_GETFIB(m)))
- r = r->skip[PF_SKIP_SRC_ADDR].ptr;
+ r = r->skip[PF_SKIP_SRC_ADDR];
else if (PF_MISMATCHAW(&r->dst.addr,
(struct pf_addr *)&h->ip_dst.s_addr, AF_INET,
r->dst.neg, NULL, M_GETFIB(m)))
- r = r->skip[PF_SKIP_DST_ADDR].ptr;
+ r = r->skip[PF_SKIP_DST_ADDR];
else if (r->match_tag && !pf_match_tag(m, r, &tag,
pd->pf_mtag ? pd->pf_mtag->tag : 0))
r = TAILQ_NEXT(r, entries);
@@ -1242,23 +1242,23 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP].ptr;
+ r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
- r = r->skip[PF_SKIP_DIR].ptr;
+ r = r->skip[PF_SKIP_DIR];
else if (r->af && r->af != AF_INET6)
- r = r->skip[PF_SKIP_AF].ptr;
+ r = r->skip[PF_SKIP_AF];
#if 0 /* header chain! */
else if (r->proto && r->proto != h->ip6_nxt)
- r = r->skip[PF_SKIP_PROTO].ptr;
+ r = r->skip[PF_SKIP_PROTO];
#endif
else if (PF_MISMATCHAW(&r->src.addr,
(struct pf_addr *)&h->ip6_src, AF_INET6,
r->src.neg, kif, M_GETFIB(m)))
- r = r->skip[PF_SKIP_SRC_ADDR].ptr;
+ r = r->skip[PF_SKIP_SRC_ADDR];
else if (PF_MISMATCHAW(&r->dst.addr,
(struct pf_addr *)&h->ip6_dst, AF_INET6,
r->dst.neg, NULL, M_GETFIB(m)))
- r = r->skip[PF_SKIP_DST_ADDR].ptr;
+ r = r->skip[PF_SKIP_DST_ADDR];
else
break;
}
@@ -1406,25 +1406,25 @@ pf_normalize_tcp(struct pfi_kkif *kif, struct mbuf *m, int ipoff,
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP].ptr;
+ r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
- r = r->skip[PF_SKIP_DIR].ptr;
+ r = r->skip[PF_SKIP_DIR];
else if (r->af && r->af != af)
- r = r->skip[PF_SKIP_AF].ptr;
+ r = r->skip[PF_SKIP_AF];
else if (r->proto && r->proto != pd->proto)
- r = r->skip[PF_SKIP_PROTO].ptr;
+ r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
r->src.neg, kif, M_GETFIB(m)))
- r = r->skip[PF_SKIP_SRC_ADDR].ptr;
+ r = r->skip[PF_SKIP_SRC_ADDR];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], th->th_sport))
- r = r->skip[PF_SKIP_SRC_PORT].ptr;
+ r = r->skip[PF_SKIP_SRC_PORT];
else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
r->dst.neg, NULL, M_GETFIB(m)))
- r = r->skip[PF_SKIP_DST_ADDR].ptr;
+ r = r->skip[PF_SKIP_DST_ADDR];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], th->th_dport))
- r = r->skip[PF_SKIP_DST_PORT].ptr;
+ r = r->skip[PF_SKIP_DST_PORT];
else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
pf_osfp_fingerprint(pd, m, off, th),
r->os_fingerprint))
@@ -1855,7 +1855,7 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
* packet got delayed in transit for much longer than
* this packet.
*/
- if ((ts_fudge = state->rule.ptr->timeout[PFTM_TS_DIFF]) == 0)
+ if ((ts_fudge = state->rule->timeout[PFTM_TS_DIFF]) == 0)
ts_fudge = V_pf_default_rule.timeout[PFTM_TS_DIFF];
/* Calculate max ticks since the last timestamp */
@@ -2212,25 +2212,25 @@ pf_normalize_sctp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP].ptr;
+ r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != dir)
- r = r->skip[PF_SKIP_DIR].ptr;
+ r = r->skip[PF_SKIP_DIR];
else if (r->af && r->af != af)
- r = r->skip[PF_SKIP_AF].ptr;
+ r = r->skip[PF_SKIP_AF];
else if (r->proto && r->proto != pd->proto)
- r = r->skip[PF_SKIP_PROTO].ptr;
+ r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
r->src.neg, kif, M_GETFIB(m)))
- r = r->skip[PF_SKIP_SRC_ADDR].ptr;
+ r = r->skip[PF_SKIP_SRC_ADDR];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], sh->src_port))
- r = r->skip[PF_SKIP_SRC_PORT].ptr;
+ r = r->skip[PF_SKIP_SRC_PORT];
else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
r->dst.neg, NULL, M_GETFIB(m)))
- r = r->skip[PF_SKIP_DST_ADDR].ptr;
+ r = r->skip[PF_SKIP_DST_ADDR];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], sh->dest_port))
- r = r->skip[PF_SKIP_DST_PORT].ptr;
+ r = r->skip[PF_SKIP_DST_PORT];
else {
rm = r;
break;
diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c
index 016fe52f54d8..87c2211a84e0 100644
--- a/sys/netpfil/pf/pf_nv.c
+++ b/sys/netpfil/pf/pf_nv.c
@@ -703,7 +703,7 @@ pf_krule_to_nvrule(struct pf_krule *rule)
for (int i = 0; i < PF_SKIP_COUNT; i++) {
nvlist_append_number_array(nvl, "skip",
- rule->skip[i].ptr ? rule->skip[i].ptr->nr : -1);
+ rule->skip[i] ? rule->skip[i]->nr : -1);
}
for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) {
@@ -969,11 +969,11 @@ pf_state_to_nvstate(const struct pf_kstate *s)
nvlist_add_nvlist(nvl, "rt_addr", tmp);
nvlist_destroy(tmp);
- nvlist_add_number(nvl, "rule", s->rule.ptr ? s->rule.ptr->nr : -1);
+ nvlist_add_number(nvl, "rule", s->rule ? s->rule->nr : -1);
nvlist_add_number(nvl, "anchor",
- s->anchor.ptr ? s->anchor.ptr->nr : -1);
+ s->anchor ? s->anchor->nr : -1);
nvlist_add_number(nvl, "nat_rule",
- s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1);
+ s->nat_rule ? s->nat_rule->nr : -1);
nvlist_add_number(nvl, "creation", s->creation / 1000);
expire = pf_state_expires(s);
diff --git a/sys/netpfil/pf/pflow.c b/sys/netpfil/pf/pflow.c
index a437f0259af5..8157ddc1c751 100644
--- a/sys/netpfil/pf/pflow.c
+++ b/sys/netpfil/pf/pflow.c
@@ -641,7 +641,7 @@ copy_flow_data(struct pflow_flow *flow1, struct pflow_flow *flow2,
htonl(st->expire);
flow1->tcp_flags = flow2->tcp_flags = 0;
flow1->protocol = flow2->protocol = sk->proto;
- flow1->tos = flow2->tos = st->rule.ptr->tos;
+ flow1->tos = flow2->tos = st->rule->tos;
}
static void
@@ -678,7 +678,7 @@ copy_flow_ipfix_4_data(struct pflow_ipfix_flow4 *flow1,
(pf_get_uptime() - st->expire)));
flow1->protocol = flow2->protocol = sk->proto;
- flow1->tos = flow2->tos = st->rule.ptr->tos;
+ flow1->tos = flow2->tos = st->rule->tos;
}
static void
@@ -717,7 +717,7 @@ copy_flow_ipfix_6_data(struct pflow_ipfix_flow6 *flow1,
(pf_get_uptime() - st->expire)));
flow1->protocol = flow2->protocol = sk->proto;
- flow1->tos = flow2->tos = st->rule.ptr->tos;
+ flow1->tos = flow2->tos = st->rule->tos;
}
static void