UnivNautes

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y

index 4925416..ce0867c 100644

--- a/sbin/pfctl/parse.y

+++ b/sbin/pfctl/parse.y

@@ -234,6 +234,7 @@ struct filter_opts {

 	u_int32_t		 tos;

 	u_int32_t		 dscp;

 	u_int32_t		 prob;

+	u_int32_t		 tracker;

 	struct {

 		int			 action;

 		struct node_state_opt	*options;

@@ -263,6 +264,7 @@ struct filter_opts {

 struct antispoof_opts {

 	char			*label;

+	u_int32_t		 tracker;

 	u_int			 rtableid;

 } antispoof_opts;

@@ -462,7 +464,7 @@ int	parseport(char *, struct range *r, int);

 %token	RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE

 %token	ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF

 %token	MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL SCHEDULE

-%token	NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DSCP DROP TABLE

+%token	NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DSCP DROP TABLE TRACKER

 %token	REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR

 %token	SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID

 %token	REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID

@@ -1245,6 +1247,7 @@ antispoof	: ANTISPOOF logquick antispoof_ifspc af antispoof_opts {

 				if (rule_label(&r, $5.label))

 					YYERROR;

 				r.rtableid = $5.rtableid;

+				r.cuid = $5.tracker;

 				j = calloc(1, sizeof(struct node_if));

 				if (j == NULL)

 					err(1, "antispoof: calloc");

@@ -1294,6 +1297,7 @@ antispoof	: ANTISPOOF logquick antispoof_ifspc af antispoof_opts {

 					r.logif = $2.logif;

 					r.quick = $2.quick;

 					r.af = $4;

+					r.cuid = $5.tracker;

 					if (rule_label(&r, $5.label))

 						YYERROR;

 					r.rtableid = $5.rtableid;

@@ -1355,6 +1359,9 @@ antispoof_opt	: label	{

 			}

 			antispoof_opts.label = $1;

 		}

+		| TRACKER number {

+			antispoof_opts.tracker = $2;

+		}

 		| RTABLE NUMBER				{

 			if ($2 < 0 || $2 > rt_tableid_max()) {

 				yyerror("invalid rtable id");

@@ -2064,6 +2071,8 @@ pfrule		: action dir logquick interface route af proto fromto

 			if  (rule_schedule(&r, $9.schedule))

 				YYERROR;

 			free($9.schedule);

+			if ($9.tracker)

+				r.cuid = $9.tracker;

 			r.flags = $9.flags.b1;

 			r.flagset = $9.flags.b2;

 			if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) {

@@ -2514,6 +2523,9 @@ filter_opt	: USER uids {

 			filter_opts.keep.action = $1.action;

 			filter_opts.keep.options = $1.options;

 		}

+		| TRACKER number {

+			filter_opts.tracker = $2;

+		}

 		| FRAGMENT {

 			filter_opts.fragment = 1;

 		}

@@ -5743,6 +5755,7 @@ lookup(char *s)

 		{ "timeout",		TIMEOUT},

 		{ "to",			TO},

 		{ "tos",		TOS},

+		{ "tracker",		TRACKER},

 		{ "ttl",		TTL},

 		{ "upperlimit",		UPPERLIMIT},

 		{ "urpf-failed",	URPFFAILED},

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c

index 1e957f6..d26c6ad 100644

--- a/sbin/pfctl/pfctl.c

+++ b/sbin/pfctl/pfctl.c

@@ -825,10 +825,17 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts)

 			    (unsigned long long)(rule->bytes[0] +

 			    rule->bytes[1]), (uintmax_t)rule->u_states_cur);

 		if (!(opts & PF_OPT_DEBUG))

+#ifdef PF_USER_INFO

 			printf("  [ Inserted: uid %u pid %u "

 			    "State Creations: %-6ju]\n",

 			    (unsigned)rule->cuid, (unsigned)rule->cpid,

 			    (uintmax_t)rule->u_states_tot);

+#else

+			printf("  [ Inserted: pid %u "

+			    "State Creations: %-6ju]\n",

+			    (unsigned)rule->cpid,

+			    (uintmax_t)rule->states_tot);

+#endif

 	}

 }

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c

index aebb631..d316352 100644

--- a/sbin/pfctl/pfctl_parser.c

+++ b/sbin/pfctl/pfctl_parser.c

@@ -736,7 +736,11 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)

 	int	i, opts;

 	if (verbose)

+#ifdef PF_USER_INFO

 		printf("@%d ", r->nr);

+#else

+		printf("@%d(%u) ", r->nr, r->cuid);

+#endif

 	if (r->action == PF_MATCH)

 		printf("match");

 	else if (r->action > PF_NORDR)

diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h

index 0faeb7d..326b551 100644

--- a/sys/net/if_pflog.h

+++ b/sys/net/if_pflog.h

@@ -40,10 +40,14 @@ struct pfloghdr {

 	char		ruleset[PFLOG_RULESET_NAME_SIZE];

 	u_int32_t	rulenr;

 	u_int32_t	subrulenr;

+#ifdef PF_USER_INFO

 	uid_t		uid;

 	pid_t		pid;

 	uid_t		rule_uid;

 	pid_t		rule_pid;

+#else

+	u_int32_t	ridentifier;

+#endif

 	u_int8_t	dir;

 	u_int8_t	pad[3];

 };

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h

index 9ae1992..1201dfc 100644

--- a/sys/net/pfvar.h

+++ b/sys/net/pfvar.h

@@ -546,7 +546,11 @@ struct pf_rule {

 	u_int32_t		 rt_listid;

 	u_int32_t		 nr;

 	u_int32_t		 prob;

+#ifdef PF_USER_INFO

 	uid_t			 cuid;

+#else

+	u_int32_t		 cuid;

+#endif

 	pid_t			 cpid;

 	counter_u64_t		 states_cur;

@@ -1143,11 +1147,13 @@ struct pfi_kif {

 #define PFI_IFLAG_SKIP		0x0100	/* skip filtering on interface */

 struct pf_pdesc {

+#ifdef PF_USER_INFO

 	struct {

 		int	 done;

 		uid_t	 uid;

 		gid_t	 gid;

 	}		 lookup;

+#endif

 	u_int64_t	 tot_len;	/* Make Mickey money */

 	union {

 		struct tcphdr		*tcp;

diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c

index 1efd5e2..5c22806 100644

--- a/sys/netpfil/pf/if_pflog.c

+++ b/sys/netpfil/pf/if_pflog.c

@@ -209,7 +209,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,

 		return (0);

 	bzero(&hdr, sizeof(hdr));

-	hdr.length = PFLOG_REAL_HDRLEN;

+	hdr.length = PFLOG_HDRLEN;

 	hdr.af = af;

 	hdr.action = rm->action;

 	hdr.reason = reason;

@@ -218,13 +218,16 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,

 	if (am == NULL) {

 		hdr.rulenr = htonl(rm->nr);

 		hdr.subrulenr =  1;

+		hdr.ridentifier = rm->cuid;

 	} else {

 		hdr.rulenr = htonl(am->nr);

 		hdr.subrulenr = htonl(rm->nr);

+		hdr.ridentifier = rm->cuid;

 		if (ruleset != NULL && ruleset->anchor != NULL)

 			strlcpy(hdr.ruleset, ruleset->anchor->name,

 			    sizeof(hdr.ruleset));

 	}

+#ifdef PF_USER_INFO

 	/*

 	 * XXXGL: we avoid pf_socket_lookup() when we are holding

 	 * state lock, since this leads to unsafe LOR.

@@ -239,6 +242,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,

 	hdr.pid = NO_PID;

 	hdr.rule_uid = rm->cuid;

 	hdr.rule_pid = rm->cpid;

+#endif

 	hdr.dir = dir;

 #ifdef INET

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c

index 4767882..9f0ebac 100644

--- a/sys/netpfil/pf/pf.c

+++ b/sys/netpfil/pf/pf.c

@@ -2763,6 +2763,7 @@ pf_match_ieee8021q_pcp(u_int8_t op, u_int8_t pcp1, u_int8_t pcp2,

 	return (pf_match(op, pcp1, pcp2, mpcp));

 }

+#ifdef PF_USER_INFO

 static int

 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)

 {

@@ -2778,6 +2779,7 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)

 		return (0);

 	return (pf_match(op, a1, a2, g));

 }

+#endif

 int

 pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, int mtag)

@@ -2986,6 +2988,7 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a)

 		a->flags |= PFRULE_DN_IS_PIPE;

 }

+#ifdef PF_USER_INFO

 int

 pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)

 {

@@ -3065,6 +3068,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)

 	return (1);

 }

+#endif

 static u_int8_t

 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)

@@ -3283,12 +3287,14 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,

 	PF_RULES_RASSERT();

+#ifdef PF_USER_INFO

 	if (inp != NULL) {

 		INP_LOCK_ASSERT(inp);

 		pd->lookup.uid = inp->inp_cred->cr_uid;

 		pd->lookup.gid = inp->inp_cred->cr_groups[0];

 		pd->lookup.done = 1;

 	}

+#endif

 	switch (pd->proto) {

 	case IPPROTO_TCP:

@@ -3510,6 +3516,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,

 		    (r->flagset & th->th_flags) != r->flags)

 			r = TAILQ_NEXT(r, entries);

 		/* tcp/udp only. uid.op always 0 in other cases */

+#ifdef PF_USER_INFO

 		else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =

 		    pf_socket_lookup(direction, pd, m), 1)) &&

 		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],

@@ -3521,6 +3528,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,

 		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],

 		    pd->lookup.gid))

 			r = TAILQ_NEXT(r, entries);

+#endif

 		else if (r->ieee8021q_pcp.op &&

 		    !pf_match_ieee8021q_pcp(r->ieee8021q_pcp.op,

 		    r->ieee8021q_pcp.pcp[0], r->ieee8021q_pcp.pcp[1], m))

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c

index 38bb576..9b1c070 100644

--- a/sys/netpfil/pf/pf_ioctl.c

+++ b/sys/netpfil/pf/pf_ioctl.c

@@ -1161,7 +1161,9 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td

 		rule->states_cur = counter_u64_alloc(M_WAITOK);

 		rule->states_tot = counter_u64_alloc(M_WAITOK);

 		rule->src_nodes = counter_u64_alloc(M_WAITOK);

+#ifdef PF_USER_INFO

 		rule->cuid = td->td_ucred->cr_ruid;

+#endif

 		rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;

 		TAILQ_INIT(&rule->rpool.list);

@@ -1187,7 +1189,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td

 			    V_ticket_pabuf));

 			ERROUT(EBUSY);

 		}

-

 		tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,

 		    pf_rulequeue);

 		if (tail)

@@ -1266,8 +1267,29 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td

 		}

 		rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);

+#ifndef PF_USER_INFO

+		if (rule->cuid) {

+			tail = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);

+			while ((tail != NULL) && (tail->cuid != rule->cuid))

+				tail = TAILQ_NEXT(tail, entries);

+			if (tail != NULL) {

+				rule->evaluations = tail->evaluations;

+				rule->packets[0] = tail->packets[0];

+				rule->packets[1] = tail->packets[1];

+				rule->bytes[0] = tail->bytes[0];

+				rule->bytes[1] = tail->bytes[1];

+			} else {

+				rule->evaluations = rule->packets[0] = rule->packets[1] =

+				    rule->bytes[0] = rule->bytes[1] = 0;

+			}

+		} else {

+			rule->evaluations = rule->packets[0] = rule->packets[1] =

+			    rule->bytes[0] = rule->bytes[1] = 0;

+		}

+#else

 		rule->evaluations = rule->packets[0] = rule->packets[1] =

 		    rule->bytes[0] = rule->bytes[1] = 0;

+#endif

 		TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,

 		    rule, entries);

 		ruleset->rules[rs_num].inactive.rcount++;

@@ -1417,7 +1439,9 @@ DIOCADDRULE_error:

 			newrule->states_cur = counter_u64_alloc(M_WAITOK);

 			newrule->states_tot = counter_u64_alloc(M_WAITOK);

 			newrule->src_nodes = counter_u64_alloc(M_WAITOK);

+#ifdef PF_USER_INFO

 			newrule->cuid = td->td_ucred->cr_ruid;

+#endif

 			newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;

 			TAILQ_INIT(&newrule->rpool.list);

 		}