authorKristof Provost <kp@FreeBSD.org>2025-01-22 15:55:19 +0000
committerKristof Provost <kp@FreeBSD.org>2025-01-24 10:20:31 +0000
commit3bf6554017b78f03bb779a5a3115034243e5c6c7 (patch)
tree676010b783c8fd4e3004609e5d50cf82356b02f6
parent06a6ec55fbd01a372778870cb5039341bdea9e38 (diff)
pf: remove PFLOGIFS_MAX
There was a limit on the number of pflog interfaces - 16. remove that. mostly by dynamically allocating pflogifs instead of making that a static array. ok claudio zinke Obtained from: OpenBSD, henning <henning@openbsd.org>, ab0a082ea6 Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r--sys/net/if_pflog.h2
-rw-r--r--sys/netpfil/pf/if_pflog.c48
-rw-r--r--sys/netpfil/pf/pf_ioctl.c4
3 files changed, 38 insertions, 16 deletions
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 9734ca245eda..dc22c05cdea0 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -33,8 +33,6 @@
#include <net/if.h>
-#define PFLOGIFS_MAX 16
-
#define PFLOG_RULESET_NAME_SIZE 16
struct pfloghdr {
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 3cd7cd1f2ddc..f325d0001799 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -88,6 +88,7 @@
static int pflogoutput(struct ifnet *, struct mbuf *,
const struct sockaddr *, struct route *);
static void pflogattach(int);
+static int pflogifs_resize(size_t);
static int pflogioctl(struct ifnet *, u_long, caddr_t);
static void pflogstart(struct ifnet *);
static int pflog_clone_create(struct if_clone *, char *, size_t,
@@ -99,22 +100,18 @@ static const char pflogname[] = "pflog";
VNET_DEFINE_STATIC(struct if_clone *, pflog_cloner);
#define V_pflog_cloner VNET(pflog_cloner)
-VNET_DEFINE(struct ifnet *, pflogifs[PFLOGIFS_MAX]); /* for fast access */
+VNET_DEFINE_STATIC(int, npflogifs) = 0;
+#define V_npflogifs VNET(npflogifs)
+VNET_DEFINE(struct ifnet **, pflogifs); /* for fast access */
#define V_pflogifs VNET(pflogifs)
static void
pflogattach(int npflog __unused)
{
- int i;
-
- for (i = 0; i < PFLOGIFS_MAX; i++)
- V_pflogifs[i] = NULL;
-
struct if_clone_addreq req = {
.create_f = pflog_clone_create,
.destroy_f = pflog_clone_destroy,
.flags = IFC_F_AUTOUNIT | IFC_F_LIMITUNIT,
- .maxunit = PFLOGIFS_MAX - 1,
};
V_pflog_cloner = ifc_attach_cloner(pflogname, &req);
struct ifc_data ifd = { .unit = 0 };
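Review bot: Nothing visible bounds an index into `V_pflogifs` any more: the array stays a non-static VNET symbol, but its length now lives in `V_npflogifs`, which is `VNET_DEFINE_STATIC` and so cannot be consulted from another file. The two pf_ioctl.c hunks (in `pf_ioctl_addrule` and after `DIOCGETRULENV_error`) also drop the `logif >= PFLOGIFS_MAX` rejection without a replacement, so a rule can carry a `logif` larger than the number of slots allocated so far. Any lookup outside this diff that does `V_pflogifs[rule->logif]` would then read past the allocation, or dereference NULL if no pflog interface has been created yet. I cannot see those readers here, so please confirm each has a guard of the form `if (rule->logif >= V_npflogifs)` before the index, or expose a bounds-checked accessor from if_pflog.c. pflogattach's body continues outside the hunk.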
@@ -122,13 +119,39 @@ pflogattach(int npflog __unused)
}
static int
+pflogifs_resize(size_t n)
+{
+ struct ifnet **p;
+ int i;
+
+ if (n > SIZE_MAX / sizeof(struct ifnet *))
+ return (EINVAL);
+ if (n == 0)
+ p = NULL;
+ else if ((p = malloc(n * sizeof(struct ifnet *), M_DEVBUF,
+ M_NOWAIT | M_ZERO)) == NULL)
+ return (ENOMEM);
+ for (i = 0; i < n; i++) {
+ if (i < V_npflogifs)
+ p[i] = V_pflogifs[i];
+ else
+ p[i] = NULL;
+ }
+
+ if (V_pflogifs)
+ free(V_pflogifs, M_DEVBUF);
+ V_pflogifs = p;
+ V_npflogifs = n;
+
+ return (0);
+}
+
+static int
pflog_clone_create(struct if_clone *ifc, char *name, size_t maxlen,
struct ifc_data *ifd, struct ifnet **ifpp)
{
struct ifnet *ifp;
- MPASS(ifd->unit < PFLOGIFS_MAX);
-
ifp = if_alloc(IFT_PFLOG);
if_initname(ifp, pflogname, ifd->unit);
ifp->if_mtu = PFLOGMTU;
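Review bot: pflogifs_resize() frees the old array right after publishing the new pointer, with no lock, epoch wait or other barrier visible in the function, so a concurrent reader that already loaded the old `V_pflogifs` could dereference freed memory. If the readers run under the pf rules lock or the net epoch (not visible here), the swap should hold that lock or wait out the epoch before `free(V_pflogifs, M_DEVBUF);`, and a comment above the function should say which of the two serialises it. Separately, `int i` is compared with `size_t n` and `V_npflogifs = n` narrows to `int`, while the overflow check only bounds `n` against `SIZE_MAX`; declaring `size_t i` and also rejecting `n > INT_MAX` would keep the stored count in step with the allocation. The hunk ends inside pflog_clone_create, whose body continues past it.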
@@ -141,6 +164,11 @@ pflog_clone_create(struct if_clone *ifc, char *name, size_t maxlen,
bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN);
+ if (ifd->unit + 1 > V_npflogifs &&
+ pflogifs_resize(ifd->unit + 1) != 0) {
+ pflog_clone_destroy(ifc, ifp, IFC_F_FORCE);
+ return (ENOMEM);
+ }
V_pflogifs[ifd->unit] = ifp;
*ifpp = ifp;
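Review bot: The new failure branch returns `ENOMEM` whatever pflogifs_resize() returned, so its `EINVAL` overflow path is reported to the caller as memory exhaustion. Keeping the value, e.g. `error = pflogifs_resize(ifd->unit + 1);` and then `return (error);` inside the branch, preserves the cause. The branch also calls pflog_clone_destroy() on an interface that was never stored in `V_pflogifs`; the destroy loop shown later only clears matching slots, so that part looks harmless, but the rest of the destroy routine is outside this diff and should be checked for safety at this point of creation. pflog_clone_create starts and ends outside the hunk.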
@@ -155,7 +183,7 @@ pflog_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags)
if (ifp->if_dunit == 0 && (flags & IFC_F_FORCE) == 0)
return (EINVAL);
- for (i = 0; i < PFLOGIFS_MAX; i++)
+ for (i = 0; i < V_npflogifs; i++)
if (V_pflogifs[i] == ifp)
V_pflogifs[i] = NULL;
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 340e7c25a501..a45db33f38dc 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2201,8 +2201,6 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
error = EINVAL;
if (!rule->log)
rule->logif = 0;
- if (rule->logif >= PFLOGIFS_MAX)
- error = EINVAL;
if (pf_addr_setup(ruleset, &rule->src.addr, rule->af))
error = ENOMEM;
if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af))
@@ -3767,8 +3765,6 @@ DIOCGETRULENV_error:
error = EINVAL;
if (!newrule->log)
newrule->logif = 0;
- if (newrule->logif >= PFLOGIFS_MAX)
- error = EINVAL;
if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
error = ENOMEM;
if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af))