author | Kristof Provost <kp@FreeBSD.org> | 2025-01-22 15:55:19 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2025-01-24 10:20:31 +0000 |
commit | 3bf6554017b78f03bb779a5a3115034243e5c6c7 (patch) | |
tree | 676010b783c8fd4e3004609e5d50cf82356b02f6 | |
parent | 06a6ec55fbd01a372778870cb5039341bdea9e38 (diff) |
pf: remove PFLOGIFS_MAX
There was a limit on the number of pflog interfaces - 16. remove that.
mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke
Obtained from: OpenBSD, henning <henning@openbsd.org>, ab0a082ea6
Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r-- | sys/net/if_pflog.h | 2 | ||||
-rw-r--r-- | sys/netpfil/pf/if_pflog.c | 48 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 4 |
3 files changed, 38 insertions, 16 deletions
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index 9734ca245eda..dc22c05cdea0 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -33,8 +33,6 @@ #include <net/if.h> -#define PFLOGIFS_MAX 16 - #define PFLOG_RULESET_NAME_SIZE 16 struct pfloghdr { diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c index 3cd7cd1f2ddc..f325d0001799 100644 --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c @@ -88,6 +88,7 @@ static int pflogoutput(struct ifnet *, struct mbuf *, const struct sockaddr *, struct route *); static void pflogattach(int); +static int pflogifs_resize(size_t); static int pflogioctl(struct ifnet *, u_long, caddr_t); static void pflogstart(struct ifnet *); static int pflog_clone_create(struct if_clone *, char *, size_t, @@ -99,22 +100,18 @@ static const char pflogname[] = "pflog"; VNET_DEFINE_STATIC(struct if_clone *, pflog_cloner); #define V_pflog_cloner VNET(pflog_cloner) -VNET_DEFINE(struct ifnet *, pflogifs[PFLOGIFS_MAX]); /* for fast access */ +VNET_DEFINE_STATIC(int, npflogifs) = 0; +#define V_npflogifs VNET(npflogifs) +VNET_DEFINE(struct ifnet **, pflogifs); /* for fast access */ #define V_pflogifs VNET(pflogifs) static void pflogattach(int npflog __unused) { - int i; - - for (i = 0; i < PFLOGIFS_MAX; i++) - V_pflogifs[i] = NULL; - struct if_clone_addreq req = { .create_f = pflog_clone_create, .destroy_f = pflog_clone_destroy, .flags = IFC_F_AUTOUNIT | IFC_F_LIMITUNIT, - .maxunit = PFLOGIFS_MAX - 1, }; V_pflog_cloner = ifc_attach_cloner(pflogname, &req); struct ifc_data ifd = { .unit = 0 }; 
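Review bot: In pflogattach(), `.flags` still carries `IFC_F_LIMITUNIT` after `.maxunit = PFLOGIFS_MAX - 1` is removed, so `maxunit` is now implicitly zero in the designated initializer. How ifc_attach_cloner() treats that combination is not visible here; if the flag means "honour maxunit", the cloner would cap units at 0 instead of lifting the cap, which is the opposite of what the commit intends. Either drop the flag, `.flags = IFC_F_AUTOUNIT,`, or keep it and set an explicit upper bound. An explicit bound would also cap how large a unit number can drive the `pflogifs` allocation. The function's tail lies outside this hunk.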
@@ -122,13 +119,39 @@ pflogattach(int npflog __unused) } static int +pflogifs_resize(size_t n) +{ + struct ifnet **p; + int i; + + if (n > SIZE_MAX / sizeof(struct ifnet *)) + return (EINVAL); + if (n == 0) + p = NULL; + else if ((p = malloc(n * sizeof(struct ifnet *), M_DEVBUF, + M_NOWAIT | M_ZERO)) == NULL) + return (ENOMEM); + for (i = 0; i < n; i++) { + if (i < V_npflogifs) + p[i] = V_pflogifs[i]; + else + p[i] = NULL; + } + + if (V_pflogifs) + free(V_pflogifs, M_DEVBUF); + V_pflogifs = p; + V_npflogifs = n; + + return (0); +} + +static int pflog_clone_create(struct if_clone *ifc, char *name, size_t maxlen, struct ifc_data *ifd, struct ifnet **ifpp) { struct ifnet *ifp; - MPASS(ifd->unit < PFLOGIFS_MAX); - ifp = if_alloc(IFT_PFLOG); if_initname(ifp, pflogname, ifd->unit); ifp->if_mtu = PFLOGMTU; @@ -141,6 +164,11 @@ pflog_clone_create(struct if_clone *ifc, char *name, size_t maxlen, bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN); + if (ifd->unit + 1 > V_npflogifs && + pflogifs_resize(ifd->unit + 1) != 0) { + pflog_clone_destroy(ifc, ifp, IFC_F_FORCE); + return (ENOMEM); + } V_pflogifs[ifd->unit] = ifp; *ifpp = ifp; @@ -155,7 +183,7 @@ pflog_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags) if (ifp->if_dunit == 0 && (flags & IFC_F_FORCE) == 0) return (EINVAL); - for (i = 0; i < PFLOGIFS_MAX; i++) + for (i = 0; i < V_npflogifs; i++) if (V_pflogifs[i] == ifp) V_pflogifs[i] = NULL; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 340e7c25a501..a45db33f38dc 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2201,8 +2201,6 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, error = EINVAL; if (!rule->log) rule->logif = 0; - if (rule->logif >= PFLOGIFS_MAX) - error = EINVAL; if (pf_addr_setup(ruleset, &rule->src.addr, rule->af)) error = ENOMEM; if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af)) 
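Review bot: pflogifs_resize() publishes the new array and then calls `free(V_pflogifs, M_DEVBUF)` on the old one with no visible lock or deferred reclamation, so a packet-path reader that already loaded the old `V_pflogifs` pointer could dereference freed memory. The readers and the locking context of the clone-create path are not in this diff, so this needs confirming; if readers are protected only by an epoch section, the old array should be freed after an epoch wait, or the swap done under the lock the readers take. Separately, `int i` is compared against `size_t n` and `V_npflogifs = n` narrows to `int`; declaring `size_t i` and rejecting `n > INT_MAX` would keep the stored length consistent with the allocation.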
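Review bot: In pflog_clone_create() the array only grows to `ifd->unit + 1`, while the pf_ioctl.c hunks of this commit delete both `logif >= PFLOGIFS_MAX` rejections, so nothing visible bounds a rule's `logif` against `V_npflogifs` any more. Any code that indexes `V_pflogifs` with a rule's `logif` (not part of this diff) would read past the allocation unless it first checks `logif < V_npflogifs`. I would add that check at each lookup site, or put it in a small accessor in if_pflog.c, since `npflogifs` is file-static and pf_ioctl.c cannot see it. Also, the failure branch returns `ENOMEM` even when pflogifs_resize() returned `EINVAL`; keeping the result, `error = pflogifs_resize(ifd->unit + 1)`, and returning it would preserve the cause. The function starts and ends outside the hunk.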
@@ -3767,8 +3765,6 @@ DIOCGETRULENV_error:
 error = EINVAL;
 if (!newrule->log)
 newrule->logif = 0;
- if (newrule->logif >= PFLOGIFS_MAX)
- error = EINVAL;
 if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af))
 error = ENOMEM;
 if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af)) |