1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2023 Alexander V. Chernikov <melifaro@FreeBSD.org>
5 * Copyright (c) 2023 Rubicon Communications, LLC (Netgate)
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 */
29 #include <sys/cdefs.h>
30 #include "opt_inet.h"
31 #include "opt_inet6.h"
32
33 #include <sys/param.h>
34 #include <sys/malloc.h>
35 #include <sys/mbuf.h>
36 #include <sys/priv.h>
37 #include <sys/socket.h>
38 #include <sys/ucred.h>
39
40 #include <net/pfvar.h>
41
42 #include <netlink/netlink.h>
43 #include <netlink/netlink_ctl.h>
44 #include <netlink/netlink_generic.h>
45 #include <netlink/netlink_message_writer.h>
46
47 #include <netpfil/pf/pf_nl.h>
48
49 #define DEBUG_MOD_NAME nl_pf
50 #define DEBUG_MAX_LEVEL LOG_DEBUG3
51 #include <netlink/netlink_debug.h>
52 _DECLARE_DEBUG(LOG_DEBUG);
53
54 static bool nlattr_add_pf_threshold(struct nl_writer *, int,
55 struct pf_kthreshold *);
56
57 struct nl_parsed_state {
58 uint8_t version;
59 uint32_t id;
60 uint32_t creatorid;
61 char ifname[IFNAMSIZ];
62 uint16_t proto;
63 sa_family_t af;
64 struct pf_addr addr;
65 struct pf_addr mask;
66 };
67
68 #define _IN(_field) offsetof(struct genlmsghdr, _field)
69 #define _OUT(_field) offsetof(struct nl_parsed_state, _field)
70 static const struct nlattr_parser nla_p_state[] = {
71 { .type = PF_ST_ID, .off = _OUT(id), .cb = nlattr_get_uint32 },
72 { .type = PF_ST_CREATORID, .off = _OUT(creatorid), .cb = nlattr_get_uint32 },
73 { .type = PF_ST_IFNAME, .arg = (const void *)IFNAMSIZ, .off = _OUT(ifname), .cb = nlattr_get_chara },
74 { .type = PF_ST_AF, .off = _OUT(af), .cb = nlattr_get_uint8 },
75 { .type = PF_ST_PROTO, .off = _OUT(proto), .cb = nlattr_get_uint16 },
76 { .type = PF_ST_FILTER_ADDR, .off = _OUT(addr), .cb = nlattr_get_in6_addr },
77 { .type = PF_ST_FILTER_MASK, .off = _OUT(mask), .cb = nlattr_get_in6_addr },
78 };
79 static const struct nlfield_parser nlf_p_generic[] = {
80 { .off_in = _IN(version), .off_out = _OUT(version), .cb = nlf_get_u8 },
81 };
82 #undef _IN
83 #undef _OUT
84 NL_DECLARE_PARSER(state_parser, struct genlmsghdr, nlf_p_generic, nla_p_state);
85
86 static void
dump_addr(struct nl_writer * nw,int attr,const struct pf_addr * addr,int af)87 dump_addr(struct nl_writer *nw, int attr, const struct pf_addr *addr, int af)
88 {
89 switch (af) {
90 case AF_INET:
91 nlattr_add(nw, attr, 4, &addr->v4);
92 break;
93 case AF_INET6:
94 nlattr_add(nw, attr, 16, &addr->v6);
95 break;
96 };
97 }
98
99 static bool
dump_state_peer(struct nl_writer * nw,int attr,const struct pf_state_peer * peer)100 dump_state_peer(struct nl_writer *nw, int attr, const struct pf_state_peer *peer)
101 {
102 int off = nlattr_add_nested(nw, attr);
103 if (off == 0)
104 return (false);
105
106 nlattr_add_u32(nw, PF_STP_SEQLO, peer->seqlo);
107 nlattr_add_u32(nw, PF_STP_SEQHI, peer->seqhi);
108 nlattr_add_u32(nw, PF_STP_SEQDIFF, peer->seqdiff);
109 nlattr_add_u16(nw, PF_STP_MAX_WIN, peer->max_win);
110 nlattr_add_u16(nw, PF_STP_MSS, peer->mss);
111 nlattr_add_u8(nw, PF_STP_STATE, peer->state);
112 nlattr_add_u8(nw, PF_STP_WSCALE, peer->wscale);
113
114 if (peer->scrub != NULL) {
115 struct pf_state_scrub *sc = peer->scrub;
116 uint16_t pfss_flags = sc->pfss_flags & PFSS_TIMESTAMP;
117
118 nlattr_add_u16(nw, PF_STP_PFSS_FLAGS, pfss_flags);
119 nlattr_add_u32(nw, PF_STP_PFSS_TS_MOD, sc->pfss_ts_mod);
120 nlattr_add_u8(nw, PF_STP_PFSS_TTL, sc->pfss_ttl);
121 nlattr_add_u8(nw, PF_STP_SCRUB_FLAG, PFSYNC_SCRUB_FLAG_VALID);
122 }
123 nlattr_set_len(nw, off);
124
125 return (true);
126 }
127
128 static bool
dump_state_key(struct nl_writer * nw,int attr,const struct pf_state_key * key)129 dump_state_key(struct nl_writer *nw, int attr, const struct pf_state_key *key)
130 {
131 int off = nlattr_add_nested(nw, attr);
132 if (off == 0)
133 return (false);
134
135 dump_addr(nw, PF_STK_ADDR0, &key->addr[0], key->af);
136 dump_addr(nw, PF_STK_ADDR1, &key->addr[1], key->af);
137 nlattr_add_u16(nw, PF_STK_PORT0, key->port[0]);
138 nlattr_add_u16(nw, PF_STK_PORT1, key->port[1]);
139 nlattr_add_u8(nw, PF_STK_AF, key->af);
140 nlattr_add_u16(nw, PF_STK_PROTO, key->proto);
141
142 nlattr_set_len(nw, off);
143
144 return (true);
145 }
146
147 static int
dump_state(struct nlpcb * nlp,const struct nlmsghdr * hdr,struct pf_kstate * s,struct nl_pstate * npt)148 dump_state(struct nlpcb *nlp, const struct nlmsghdr *hdr, struct pf_kstate *s,
149 struct nl_pstate *npt)
150 {
151 struct nl_writer *nw = npt->nw;
152 int error = 0;
153 int af;
154 struct pf_state_key *key;
155
156 PF_STATE_LOCK_ASSERT(s);
157
158 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
159 goto enomem;
160
161 struct genlmsghdr *ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
162 ghdr_new->cmd = PFNL_CMD_GETSTATES;
163 ghdr_new->version = 0;
164 ghdr_new->reserved = 0;
165
166 nlattr_add_u64(nw, PF_ST_VERSION, PF_STATE_VERSION);
167
168 key = s->key[PF_SK_WIRE];
169 if (!dump_state_key(nw, PF_ST_KEY_WIRE, key))
170 goto enomem;
171 key = s->key[PF_SK_STACK];
172 if (!dump_state_key(nw, PF_ST_KEY_STACK, key))
173 goto enomem;
174
175 af = s->key[PF_SK_WIRE]->af;
176 nlattr_add_u8(nw, PF_ST_PROTO, s->key[PF_SK_WIRE]->proto);
177 nlattr_add_u8(nw, PF_ST_AF, af);
178
179 nlattr_add_string(nw, PF_ST_IFNAME, s->kif->pfik_name);
180 nlattr_add_string(nw, PF_ST_ORIG_IFNAME, s->orig_kif->pfik_name);
181 dump_addr(nw, PF_ST_RT_ADDR, &s->act.rt_addr, s->act.rt_af);
182 nlattr_add_u32(nw, PF_ST_CREATION, time_uptime - (s->creation / 1000));
183 uint32_t expire = pf_state_expires(s);
184 if (expire > time_uptime)
185 expire = expire - time_uptime;
186 nlattr_add_u32(nw, PF_ST_EXPIRE, expire);
187 nlattr_add_u8(nw, PF_ST_DIRECTION, s->direction);
188 nlattr_add_u8(nw, PF_ST_LOG, s->act.log);
189 nlattr_add_u8(nw, PF_ST_TIMEOUT, s->timeout);
190 nlattr_add_u16(nw, PF_ST_STATE_FLAGS, s->state_flags);
191 uint8_t sync_flags = 0;
192 if (s->sns[PF_SN_LIMIT] != NULL)
193 sync_flags |= PFSYNC_FLAG_SRCNODE;
194 if (s->sns[PF_SN_NAT] != NULL || s->sns[PF_SN_ROUTE])
195 sync_flags |= PFSYNC_FLAG_NATSRCNODE;
196 nlattr_add_u8(nw, PF_ST_SYNC_FLAGS, sync_flags);
197 nlattr_add_u64(nw, PF_ST_ID, s->id);
198 nlattr_add_u32(nw, PF_ST_CREATORID, htonl(s->creatorid));
199
200 nlattr_add_u32(nw, PF_ST_RULE, s->rule ? s->rule->nr : -1);
201 nlattr_add_u32(nw, PF_ST_ANCHOR, s->anchor ? s->anchor->nr : -1);
202 nlattr_add_u32(nw, PF_ST_NAT_RULE, s->nat_rule ? s->nat_rule->nr : -1);
203
204 nlattr_add_u64(nw, PF_ST_PACKETS0, s->packets[0]);
205 nlattr_add_u64(nw, PF_ST_PACKETS1, s->packets[1]);
206 nlattr_add_u64(nw, PF_ST_BYTES0, s->bytes[0]);
207 nlattr_add_u64(nw, PF_ST_BYTES1, s->bytes[1]);
208 nlattr_add_u32(nw, PF_ST_RTABLEID, s->act.rtableid);
209 nlattr_add_u8(nw, PF_ST_MIN_TTL, s->act.min_ttl);
210 nlattr_add_u16(nw, PF_ST_MAX_MSS, s->act.max_mss);
211 nlattr_add_u16(nw, PF_ST_DNPIPE, s->act.dnpipe);
212 nlattr_add_u16(nw, PF_ST_DNRPIPE, s->act.dnrpipe);
213 nlattr_add_u8(nw, PF_ST_RT, s->act.rt);
214 if (s->act.rt_kif != NULL)
215 nlattr_add_string(nw, PF_ST_RT_IFNAME, s->act.rt_kif->pfik_name);
216 uint8_t src_node_flags = 0;
217 if (s->sns[PF_SN_LIMIT] != NULL) {
218 src_node_flags |= PFSTATE_SRC_NODE_LIMIT;
219 if (s->sns[PF_SN_LIMIT]->rule == &V_pf_default_rule)
220 src_node_flags |= PFSTATE_SRC_NODE_LIMIT_GLOBAL;
221 }
222 if (s->sns[PF_SN_NAT] != NULL)
223 src_node_flags |= PFSTATE_SRC_NODE_NAT;
224 if (s->sns[PF_SN_ROUTE] != NULL)
225 src_node_flags |= PFSTATE_SRC_NODE_ROUTE;
226 nlattr_add_u8(nw, PF_ST_SRC_NODE_FLAGS, src_node_flags);
227 nlattr_add_u8(nw, PF_ST_RT_AF, s->act.rt_af);
228
229 if (!dump_state_peer(nw, PF_ST_PEER_SRC, &s->src))
230 goto enomem;
231 if (!dump_state_peer(nw, PF_ST_PEER_DST, &s->dst))
232 goto enomem;
233
234 if (nlmsg_end(nw))
235 return (0);
236
237 enomem:
238 error = ENOMEM;
239 nlmsg_abort(nw);
240 return (error);
241 }
242
243 static int
handle_dumpstates(struct nlpcb * nlp,struct nl_parsed_state * attrs,struct nlmsghdr * hdr,struct nl_pstate * npt)244 handle_dumpstates(struct nlpcb *nlp, struct nl_parsed_state *attrs,
245 struct nlmsghdr *hdr, struct nl_pstate *npt)
246 {
247 int error = 0;
248
249 hdr->nlmsg_flags |= NLM_F_MULTI;
250
251 for (int i = 0; i <= V_pf_hashmask; i++) {
252 struct pf_idhash *ih = &V_pf_idhash[i];
253 struct pf_kstate *s;
254
255 if (LIST_EMPTY(&ih->states))
256 continue;
257
258 PF_HASHROW_LOCK(ih);
259 LIST_FOREACH(s, &ih->states, entry) {
260 sa_family_t af = s->key[PF_SK_WIRE]->af;
261
262 if (s->timeout == PFTM_UNLINKED)
263 continue;
264
265 /* Filter */
266 if (attrs->creatorid != 0 && s->creatorid != attrs->creatorid)
267 continue;
268 if (attrs->ifname[0] != 0 &&
269 strncmp(attrs->ifname, s->kif->pfik_name, IFNAMSIZ) != 0)
270 continue;
271 if (attrs->proto != 0 && s->key[PF_SK_WIRE]->proto != attrs->proto)
272 continue;
273 if (attrs->af != 0 && af != attrs->af)
274 continue;
275 if (pf_match_addr(1, &s->key[PF_SK_WIRE]->addr[0],
276 &attrs->mask, &attrs->addr, af) &&
277 pf_match_addr(1, &s->key[PF_SK_WIRE]->addr[1],
278 &attrs->mask, &attrs->addr, af) &&
279 pf_match_addr(1, &s->key[PF_SK_STACK]->addr[0],
280 &attrs->mask, &attrs->addr, af) &&
281 pf_match_addr(1, &s->key[PF_SK_STACK]->addr[1],
282 &attrs->mask, &attrs->addr, af))
283 continue;
284
285 error = dump_state(nlp, hdr, s, npt);
286 if (error != 0)
287 break;
288 }
289 PF_HASHROW_UNLOCK(ih);
290 }
291
292 if (!nlmsg_end_dump(npt->nw, error, hdr)) {
293 NL_LOG(LOG_DEBUG, "Unable to finalize the dump");
294 return (ENOMEM);
295 }
296
297 return (error);
298 }
299
300 static int
handle_getstate(struct nlpcb * nlp,struct nl_parsed_state * attrs,struct nlmsghdr * hdr,struct nl_pstate * npt)301 handle_getstate(struct nlpcb *nlp, struct nl_parsed_state *attrs,
302 struct nlmsghdr *hdr, struct nl_pstate *npt)
303 {
304 struct pf_kstate *s;
305 int ret;
306
307 s = pf_find_state_byid(attrs->id, attrs->creatorid);
308 if (s == NULL)
309 return (ENOENT);
310 ret = dump_state(nlp, hdr, s, npt);
311 PF_STATE_UNLOCK(s);
312
313 return (ret);
314 }
315
316 static int
dump_creatorid(struct nlpcb * nlp,const struct nlmsghdr * hdr,uint32_t creator,struct nl_pstate * npt)317 dump_creatorid(struct nlpcb *nlp, const struct nlmsghdr *hdr, uint32_t creator,
318 struct nl_pstate *npt)
319 {
320 struct nl_writer *nw = npt->nw;
321
322 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
323 goto enomem;
324
325 struct genlmsghdr *ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
326 ghdr_new->cmd = PFNL_CMD_GETCREATORS;
327 ghdr_new->version = 0;
328 ghdr_new->reserved = 0;
329
330 nlattr_add_u32(nw, PF_ST_CREATORID, htonl(creator));
331
332 if (nlmsg_end(nw))
333 return (0);
334
335 enomem:
336 nlmsg_abort(nw);
337 return (ENOMEM);
338 }
339
340 static int
pf_handle_getstates(struct nlmsghdr * hdr,struct nl_pstate * npt)341 pf_handle_getstates(struct nlmsghdr *hdr, struct nl_pstate *npt)
342 {
343 int error;
344
345 struct nl_parsed_state attrs = {};
346 error = nl_parse_nlmsg(hdr, &state_parser, npt, &attrs);
347 if (error != 0)
348 return (error);
349
350 if (attrs.id != 0)
351 error = handle_getstate(npt->nlp, &attrs, hdr, npt);
352 else
353 error = handle_dumpstates(npt->nlp, &attrs, hdr, npt);
354
355 return (error);
356 }
357
358 static int
pf_handle_getcreators(struct nlmsghdr * hdr,struct nl_pstate * npt)359 pf_handle_getcreators(struct nlmsghdr *hdr, struct nl_pstate *npt)
360 {
361 uint32_t creators[16];
362 int error = 0;
363
364 bzero(creators, sizeof(creators));
365
366 for (int i = 0; i < V_pf_hashmask; i++) {
367 struct pf_idhash *ih = &V_pf_idhash[i];
368 struct pf_kstate *s;
369
370 if (LIST_EMPTY(&ih->states))
371 continue;
372
373 PF_HASHROW_LOCK(ih);
374 LIST_FOREACH(s, &ih->states, entry) {
375 int j;
376 if (s->timeout == PFTM_UNLINKED)
377 continue;
378
379 for (j = 0; j < nitems(creators); j++) {
380 if (creators[j] == s->creatorid)
381 break;
382 if (creators[j] == 0) {
383 creators[j] = s->creatorid;
384 break;
385 }
386 }
387 if (j == nitems(creators))
388 printf("Warning: too many creators!\n");
389 }
390 PF_HASHROW_UNLOCK(ih);
391 }
392
393 hdr->nlmsg_flags |= NLM_F_MULTI;
394 for (int i = 0; i < nitems(creators); i++) {
395 if (creators[i] == 0)
396 break;
397 error = dump_creatorid(npt->nlp, hdr, creators[i], npt);
398 }
399
400 if (!nlmsg_end_dump(npt->nw, error, hdr)) {
401 NL_LOG(LOG_DEBUG, "Unable to finalize the dump");
402 return (ENOMEM);
403 }
404
405 return (error);
406 }
407
408 static int
pf_handle_start(struct nlmsghdr * hdr __unused,struct nl_pstate * npt __unused)409 pf_handle_start(struct nlmsghdr *hdr __unused, struct nl_pstate *npt __unused)
410 {
411 return (pf_start());
412 }
413
414 static int
pf_handle_stop(struct nlmsghdr * hdr __unused,struct nl_pstate * npt __unused)415 pf_handle_stop(struct nlmsghdr *hdr __unused, struct nl_pstate *npt __unused)
416 {
417 return (pf_stop());
418 }
419
420 #define _OUT(_field) offsetof(struct pf_addr_wrap, _field)
421 static const struct nlattr_parser nla_p_addr_wrap[] = {
422 { .type = PF_AT_ADDR, .off = _OUT(v.a.addr), .cb = nlattr_get_in6_addr },
423 { .type = PF_AT_MASK, .off = _OUT(v.a.mask), .cb = nlattr_get_in6_addr },
424 { .type = PF_AT_IFNAME, .off = _OUT(v.ifname), .arg = (void *)IFNAMSIZ,.cb = nlattr_get_chara },
425 { .type = PF_AT_TABLENAME, .off = _OUT(v.tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara },
426 { .type = PF_AT_TYPE, .off = _OUT(type), .cb = nlattr_get_uint8 },
427 { .type = PF_AT_IFLAGS, .off = _OUT(iflags), .cb = nlattr_get_uint8 },
428 };
429 NL_DECLARE_ATTR_PARSER(addr_wrap_parser, nla_p_addr_wrap);
430 #undef _OUT
431
432 static bool
nlattr_add_addr_wrap(struct nl_writer * nw,int attrtype,struct pf_addr_wrap * a)433 nlattr_add_addr_wrap(struct nl_writer *nw, int attrtype, struct pf_addr_wrap *a)
434 {
435 int off = nlattr_add_nested(nw, attrtype);
436
437 nlattr_add_in6_addr(nw, PF_AT_ADDR, &a->v.a.addr.v6);
438 nlattr_add_in6_addr(nw, PF_AT_MASK, &a->v.a.mask.v6);
439 nlattr_add_u8(nw, PF_AT_TYPE, a->type);
440 nlattr_add_u8(nw, PF_AT_IFLAGS, a->iflags);
441
442 if (a->type == PF_ADDR_DYNIFTL) {
443 nlattr_add_string(nw, PF_AT_IFNAME, a->v.ifname);
444 nlattr_add_u32(nw, PF_AT_DYNCNT, a->p.dyncnt);
445 } else if (a->type == PF_ADDR_TABLE) {
446 nlattr_add_string(nw, PF_AT_TABLENAME, a->v.tblname);
447 nlattr_add_u32(nw, PF_AT_TBLCNT, a->p.tblcnt);
448 }
449
450 nlattr_set_len(nw, off);
451
452 return (true);
453 }
454
455 #define _OUT(_field) offsetof(struct pf_rule_addr, _field)
456 static const struct nlattr_parser nla_p_ruleaddr[] = {
457 { .type = PF_RAT_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = nlattr_get_nested },
458 { .type = PF_RAT_SRC_PORT, .off = _OUT(port[0]), .cb = nlattr_get_uint16 },
459 { .type = PF_RAT_DST_PORT, .off = _OUT(port[1]), .cb = nlattr_get_uint16 },
460 { .type = PF_RAT_NEG, .off = _OUT(neg), .cb = nlattr_get_uint8 },
461 { .type = PF_RAT_OP, .off = _OUT(port_op), .cb = nlattr_get_uint8 },
462 };
463 NL_DECLARE_ATTR_PARSER(rule_addr_parser, nla_p_ruleaddr);
464 #undef _OUT
465
466 static bool
nlattr_add_rule_addr(struct nl_writer * nw,int attrtype,struct pf_rule_addr * r)467 nlattr_add_rule_addr(struct nl_writer *nw, int attrtype, struct pf_rule_addr *r)
468 {
469 struct pf_addr_wrap aw = {0};
470 int off = nlattr_add_nested(nw, attrtype);
471
472 bcopy(&(r->addr), &aw, sizeof(struct pf_addr_wrap));
473 pf_addr_copyout(&aw);
474
475 nlattr_add_addr_wrap(nw, PF_RAT_ADDR, &aw);
476 nlattr_add_u16(nw, PF_RAT_SRC_PORT, r->port[0]);
477 nlattr_add_u16(nw, PF_RAT_DST_PORT, r->port[1]);
478 nlattr_add_u8(nw, PF_RAT_NEG, r->neg);
479 nlattr_add_u8(nw, PF_RAT_OP, r->port_op);
480
481 nlattr_set_len(nw, off);
482
483 return (true);
484 }
485
486 #define _OUT(_field) offsetof(struct pf_mape_portset, _field)
487 static const struct nlattr_parser nla_p_mape_portset[] = {
488 { .type = PF_MET_OFFSET, .off = _OUT(offset), .cb = nlattr_get_uint8 },
489 { .type = PF_MET_PSID_LEN, .off = _OUT(psidlen), .cb = nlattr_get_uint8 },
490 {. type = PF_MET_PSID, .off = _OUT(psid), .cb = nlattr_get_uint16 },
491 };
492 NL_DECLARE_ATTR_PARSER(mape_portset_parser, nla_p_mape_portset);
493 #undef _OUT
494
495 static bool
nlattr_add_mape_portset(struct nl_writer * nw,int attrtype,const struct pf_mape_portset * m)496 nlattr_add_mape_portset(struct nl_writer *nw, int attrtype, const struct pf_mape_portset *m)
497 {
498 int off = nlattr_add_nested(nw, attrtype);
499
500 nlattr_add_u8(nw, PF_MET_OFFSET, m->offset);
501 nlattr_add_u8(nw, PF_MET_PSID_LEN, m->psidlen);
502 nlattr_add_u16(nw, PF_MET_PSID, m->psid);
503
504 nlattr_set_len(nw, off);
505
506 return (true);
507 }
508
509 struct nl_parsed_labels
510 {
511 char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
512 uint32_t i;
513 };
514
515 static int
nlattr_get_pf_rule_labels(struct nlattr * nla,struct nl_pstate * npt,const void * arg,void * target)516 nlattr_get_pf_rule_labels(struct nlattr *nla, struct nl_pstate *npt,
517 const void *arg, void *target)
518 {
519 struct nl_parsed_labels *l = (struct nl_parsed_labels *)target;
520 int ret;
521
522 if (l->i >= PF_RULE_MAX_LABEL_COUNT)
523 return (E2BIG);
524
525 ret = nlattr_get_chara(nla, npt, (void *)PF_RULE_LABEL_SIZE,
526 l->labels[l->i]);
527 if (ret == 0)
528 l->i++;
529
530 return (ret);
531 }
532
533 #define _OUT(_field) offsetof(struct nl_parsed_labels, _field)
534 static const struct nlattr_parser nla_p_labels[] = {
535 { .type = PF_LT_LABEL, .off = 0, .cb = nlattr_get_pf_rule_labels },
536 };
537 NL_DECLARE_ATTR_PARSER(rule_labels_parser, nla_p_labels);
538 #undef _OUT
539
540 static int
nlattr_get_nested_pf_rule_labels(struct nlattr * nla,struct nl_pstate * npt,const void * arg,void * target)541 nlattr_get_nested_pf_rule_labels(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target)
542 {
543 struct nl_parsed_labels parsed_labels = { };
544 int error;
545
546 /* Assumes target points to the beginning of the structure */
547 error = nl_parse_header(NLA_DATA(nla), NLA_DATA_LEN(nla), &rule_labels_parser, npt, &parsed_labels);
548 if (error != 0)
549 return (error);
550
551 memcpy(target, parsed_labels.labels, sizeof(parsed_labels.labels));
552
553 return (0);
554 }
555
556 static bool
nlattr_add_labels(struct nl_writer * nw,int attrtype,const struct pf_krule * r)557 nlattr_add_labels(struct nl_writer *nw, int attrtype, const struct pf_krule *r)
558 {
559 int off = nlattr_add_nested(nw, attrtype);
560 int i = 0;
561
562 while (r->label[i][0] != 0
563 && i < PF_RULE_MAX_LABEL_COUNT) {
564 nlattr_add_string(nw, PF_LT_LABEL, r->label[i]);
565 i++;
566 }
567
568 nlattr_set_len(nw, off);
569
570 return (true);
571 }
572
573 #define _OUT(_field) offsetof(struct pf_kpool, _field)
574 static const struct nlattr_parser nla_p_pool[] = {
575 { .type = PF_PT_KEY, .off = _OUT(key), .arg = (void *)sizeof(struct pf_poolhashkey), .cb = nlattr_get_bytes },
576 { .type = PF_PT_COUNTER, .off = _OUT(counter), .cb = nlattr_get_in6_addr },
577 { .type = PF_PT_TBLIDX, .off = _OUT(tblidx), .cb = nlattr_get_uint32 },
578 { .type = PF_PT_PROXY_SRC_PORT, .off = _OUT(proxy_port[0]), .cb = nlattr_get_uint16 },
579 { .type = PF_PT_PROXY_DST_PORT, .off = _OUT(proxy_port[1]), .cb = nlattr_get_uint16 },
580 { .type = PF_PT_OPTS, .off = _OUT(opts), .cb = nlattr_get_uint8 },
581 { .type = PF_PT_MAPE, .off = _OUT(mape), .arg = &mape_portset_parser, .cb = nlattr_get_nested },
582 };
583 NL_DECLARE_ATTR_PARSER(pool_parser, nla_p_pool);
584 #undef _OUT
585
586 static bool
nlattr_add_pool(struct nl_writer * nw,int attrtype,const struct pf_kpool * pool)587 nlattr_add_pool(struct nl_writer *nw, int attrtype, const struct pf_kpool *pool)
588 {
589 int off = nlattr_add_nested(nw, attrtype);
590
591 nlattr_add(nw, PF_PT_KEY, sizeof(struct pf_poolhashkey), &pool->key);
592 nlattr_add_in6_addr(nw, PF_PT_COUNTER, (const struct in6_addr *)&pool->counter);
593 nlattr_add_u32(nw, PF_PT_TBLIDX, pool->tblidx);
594 nlattr_add_u16(nw, PF_PT_PROXY_SRC_PORT, pool->proxy_port[0]);
595 nlattr_add_u16(nw, PF_PT_PROXY_DST_PORT, pool->proxy_port[1]);
596 nlattr_add_u8(nw, PF_PT_OPTS, pool->opts);
597 nlattr_add_mape_portset(nw, PF_PT_MAPE, &pool->mape);
598
599 nlattr_set_len(nw, off);
600
601 return (true);
602 }
603
604 #define _OUT(_field) offsetof(struct pf_rule_uid, _field)
605 static const struct nlattr_parser nla_p_rule_uid[] = {
606 { .type = PF_RUT_UID_LOW, .off = _OUT(uid[0]), .cb = nlattr_get_uint32 },
607 { .type = PF_RUT_UID_HIGH, .off = _OUT(uid[1]), .cb = nlattr_get_uint32 },
608 { .type = PF_RUT_OP, .off = _OUT(op), .cb = nlattr_get_uint8 },
609 };
610 NL_DECLARE_ATTR_PARSER(rule_uid_parser, nla_p_rule_uid);
611 #undef _OUT
612
613 static bool
nlattr_add_rule_uid(struct nl_writer * nw,int attrtype,const struct pf_rule_uid * u)614 nlattr_add_rule_uid(struct nl_writer *nw, int attrtype, const struct pf_rule_uid *u)
615 {
616 int off = nlattr_add_nested(nw, attrtype);
617
618 nlattr_add_u32(nw, PF_RUT_UID_LOW, u->uid[0]);
619 nlattr_add_u32(nw, PF_RUT_UID_HIGH, u->uid[1]);
620 nlattr_add_u8(nw, PF_RUT_OP, u->op);
621
622 nlattr_set_len(nw, off);
623
624 return (true);
625 }
626
627 struct nl_parsed_timeouts
628 {
629 uint32_t timeouts[PFTM_MAX];
630 uint32_t i;
631 };
632
633 static int
nlattr_get_pf_timeout(struct nlattr * nla,struct nl_pstate * npt,const void * arg,void * target)634 nlattr_get_pf_timeout(struct nlattr *nla, struct nl_pstate *npt,
635 const void *arg, void *target)
636 {
637 struct nl_parsed_timeouts *t = (struct nl_parsed_timeouts *)target;
638 int ret;
639
640 if (t->i >= PFTM_MAX)
641 return (E2BIG);
642
643 ret = nlattr_get_uint32(nla, npt, NULL, &t->timeouts[t->i]);
644 if (ret == 0)
645 t->i++;
646
647 return (ret);
648 }
649
650 #define _OUT(_field) offsetof(struct nl_parsed_timeout, _field)
651 static const struct nlattr_parser nla_p_timeouts[] = {
652 { .type = PF_TT_TIMEOUT, .off = 0, .cb = nlattr_get_pf_timeout },
653 };
654 NL_DECLARE_ATTR_PARSER(timeout_parser, nla_p_timeouts);
655 #undef _OUT
656
657 static int
nlattr_get_nested_timeouts(struct nlattr * nla,struct nl_pstate * npt,const void * arg,void * target)658 nlattr_get_nested_timeouts(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target)
659 {
660 struct nl_parsed_timeouts parsed_timeouts = { };
661 int error;
662
663 /* Assumes target points to the beginning of the structure */
664 error = nl_parse_header(NLA_DATA(nla), NLA_DATA_LEN(nla), &timeout_parser, npt, &parsed_timeouts);
665 if (error != 0)
666 return (error);
667
668 memcpy(target, parsed_timeouts.timeouts, sizeof(parsed_timeouts.timeouts));
669
670 return (0);
671 }
672
673 static bool
nlattr_add_timeout(struct nl_writer * nw,int attrtype,uint32_t * timeout)674 nlattr_add_timeout(struct nl_writer *nw, int attrtype, uint32_t *timeout)
675 {
676 int off = nlattr_add_nested(nw, attrtype);
677
678 for (int i = 0; i < PFTM_MAX; i++)
679 nlattr_add_u32(nw, PF_RT_TIMEOUT, timeout[i]);
680
681 nlattr_set_len(nw, off);
682
683 return (true);
684 }
685
686 #define _OUT(_field) offsetof(struct pf_kthreshold, _field)
687 static const struct nlattr_parser nla_p_threshold[] = {
688 { .type = PF_TH_LIMIT, .off = _OUT(limit), .cb = nlattr_get_uint32 },
689 { .type = PF_TH_SECONDS, .off = _OUT(seconds), .cb = nlattr_get_uint32 },
690 };
691 NL_DECLARE_ATTR_PARSER(threshold_parser, nla_p_threshold);
692 #undef _OUT
693
694 #define _OUT(_field) offsetof(struct pf_krule, _field)
695 static const struct nlattr_parser nla_p_rule[] = {
696 { .type = PF_RT_SRC, .off = _OUT(src), .arg = &rule_addr_parser,.cb = nlattr_get_nested },
697 { .type = PF_RT_DST, .off = _OUT(dst), .arg = &rule_addr_parser,.cb = nlattr_get_nested },
698 { .type = PF_RT_RIDENTIFIER, .off = _OUT(ridentifier), .cb = nlattr_get_uint32 },
699 { .type = PF_RT_LABELS, .off = _OUT(label), .arg = &rule_labels_parser,.cb = nlattr_get_nested_pf_rule_labels },
700 { .type = PF_RT_IFNAME, .off = _OUT(ifname), .arg = (void *)IFNAMSIZ, .cb = nlattr_get_chara },
701 { .type = PF_RT_QNAME, .off = _OUT(qname), .arg = (void *)PF_QNAME_SIZE, .cb = nlattr_get_chara },
702 { .type = PF_RT_PQNAME, .off = _OUT(pqname), .arg = (void *)PF_QNAME_SIZE, .cb = nlattr_get_chara },
703 { .type = PF_RT_TAGNAME, .off = _OUT(tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara },
704 { .type = PF_RT_MATCH_TAGNAME, .off = _OUT(match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara },
705 { .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara },
706 { .type = PF_RT_RPOOL_RDR, .off = _OUT(rdr), .arg = &pool_parser, .cb = nlattr_get_nested },
707 { .type = PF_RT_OS_FINGERPRINT, .off = _OUT(os_fingerprint), .cb = nlattr_get_uint32 },
708 { .type = PF_RT_RTABLEID, .off = _OUT(rtableid), .cb = nlattr_get_uint32 },
709 { .type = PF_RT_TIMEOUT, .off = _OUT(timeout), .arg = &timeout_parser, .cb = nlattr_get_nested_timeouts },
710 { .type = PF_RT_MAX_STATES, .off = _OUT(max_states), .cb = nlattr_get_uint32 },
711 { .type = PF_RT_MAX_SRC_NODES, .off = _OUT(max_src_nodes), .cb = nlattr_get_uint32 },
712 { .type = PF_RT_MAX_SRC_STATES, .off = _OUT(max_src_states), .cb = nlattr_get_uint32 },
713 { .type = PF_RT_MAX_SRC_CONN_RATE_LIMIT, .off = _OUT(max_src_conn_rate.limit), .cb = nlattr_get_uint32 },
714 { .type = PF_RT_MAX_SRC_CONN_RATE_SECS, .off = _OUT(max_src_conn_rate.seconds), .cb = nlattr_get_uint32 },
715 { .type = PF_RT_DNPIPE, .off = _OUT(dnpipe), .cb = nlattr_get_uint16 },
716 { .type = PF_RT_DNRPIPE, .off = _OUT(dnrpipe), .cb = nlattr_get_uint16 },
717 { .type = PF_RT_DNFLAGS, .off = _OUT(free_flags), .cb = nlattr_get_uint32 },
718 { .type = PF_RT_NR, .off = _OUT(nr), .cb = nlattr_get_uint32 },
719 { .type = PF_RT_PROB, .off = _OUT(prob), .cb = nlattr_get_uint32 },
720 { .type = PF_RT_CUID, .off = _OUT(cuid), .cb = nlattr_get_uint32 },
721 {. type = PF_RT_CPID, .off = _OUT(cpid), .cb = nlattr_get_uint32 },
722 { .type = PF_RT_RETURN_ICMP, .off = _OUT(return_icmp), .cb = nlattr_get_uint16 },
723 { .type = PF_RT_RETURN_ICMP6, .off = _OUT(return_icmp6), .cb = nlattr_get_uint16 },
724 { .type = PF_RT_MAX_MSS, .off = _OUT(max_mss), .cb = nlattr_get_uint16 },
725 { .type = PF_RT_SCRUB_FLAGS, .off = _OUT(scrub_flags), .cb = nlattr_get_uint16 },
726 { .type = PF_RT_UID, .off = _OUT(uid), .arg = &rule_uid_parser, .cb = nlattr_get_nested },
727 { .type = PF_RT_GID, .off = _OUT(gid), .arg = &rule_uid_parser, .cb = nlattr_get_nested },
728 { .type = PF_RT_RULE_FLAG, .off = _OUT(rule_flag), .cb = nlattr_get_uint32 },
729 { .type = PF_RT_ACTION, .off = _OUT(action), .cb = nlattr_get_uint8 },
730 { .type = PF_RT_DIRECTION, .off = _OUT(direction), .cb = nlattr_get_uint8 },
731 { .type = PF_RT_LOG, .off = _OUT(log), .cb = nlattr_get_uint8 },
732 { .type = PF_RT_LOGIF, .off = _OUT(logif), .cb = nlattr_get_uint8 },
733 { .type = PF_RT_QUICK, .off = _OUT(quick), .cb = nlattr_get_uint8 },
734 { .type = PF_RT_IF_NOT, .off = _OUT(ifnot), .cb = nlattr_get_uint8 },
735 { .type = PF_RT_MATCH_TAG_NOT, .off = _OUT(match_tag_not), .cb = nlattr_get_uint8 },
736 { .type = PF_RT_NATPASS, .off = _OUT(natpass), .cb = nlattr_get_uint8 },
737 { .type = PF_RT_KEEP_STATE, .off = _OUT(keep_state), .cb = nlattr_get_uint8 },
738 { .type = PF_RT_AF, .off = _OUT(af), .cb = nlattr_get_uint8 },
739 { .type = PF_RT_PROTO, .off = _OUT(proto), .cb = nlattr_get_uint8 },
740 { .type = PF_RT_TYPE, .off = _OUT(type), .cb = nlattr_get_uint8 },
741 { .type = PF_RT_CODE, .off = _OUT(code), .cb = nlattr_get_uint8 },
742 { .type = PF_RT_FLAGS, .off = _OUT(flags), .cb = nlattr_get_uint8 },
743 { .type = PF_RT_FLAGSET, .off = _OUT(flagset), .cb = nlattr_get_uint8 },
744 { .type = PF_RT_MIN_TTL, .off = _OUT(min_ttl), .cb = nlattr_get_uint8 },
745 { .type = PF_RT_ALLOW_OPTS, .off = _OUT(allow_opts), .cb = nlattr_get_uint8 },
746 { .type = PF_RT_RT, .off = _OUT(rt), .cb = nlattr_get_uint8 },
747 { .type = PF_RT_RETURN_TTL, .off = _OUT(return_ttl), .cb = nlattr_get_uint8 },
748 { .type = PF_RT_TOS, .off = _OUT(tos), .cb = nlattr_get_uint8 },
749 { .type = PF_RT_SET_TOS, .off = _OUT(set_tos), .cb = nlattr_get_uint8 },
750 { .type = PF_RT_ANCHOR_RELATIVE, .off = _OUT(anchor_relative), .cb = nlattr_get_uint8 },
751 { .type = PF_RT_ANCHOR_WILDCARD, .off = _OUT(anchor_wildcard), .cb = nlattr_get_uint8 },
752 { .type = PF_RT_FLUSH, .off = _OUT(flush), .cb = nlattr_get_uint8 },
753 { .type = PF_RT_PRIO, .off = _OUT(prio), .cb = nlattr_get_uint8 },
754 { .type = PF_RT_SET_PRIO, .off = _OUT(set_prio[0]), .cb = nlattr_get_uint8 },
755 { .type = PF_RT_SET_PRIO_REPLY, .off = _OUT(set_prio[1]), .cb = nlattr_get_uint8 },
756 { .type = PF_RT_DIVERT_ADDRESS, .off = _OUT(divert.addr), .cb = nlattr_get_in6_addr },
757 { .type = PF_RT_DIVERT_PORT, .off = _OUT(divert.port), .cb = nlattr_get_uint16 },
758 { .type = PF_RT_RCV_IFNAME, .off = _OUT(rcv_ifname), .arg = (void *)IFNAMSIZ, .cb = nlattr_get_chara },
759 { .type = PF_RT_MAX_SRC_CONN, .off = _OUT(max_src_conn), .cb = nlattr_get_uint32 },
760 { .type = PF_RT_RPOOL_NAT, .off = _OUT(nat), .arg = &pool_parser, .cb = nlattr_get_nested },
761 { .type = PF_RT_NAF, .off = _OUT(naf), .cb = nlattr_get_uint8 },
762 { .type = PF_RT_RPOOL_RT, .off = _OUT(route), .arg = &pool_parser, .cb = nlattr_get_nested },
763 { .type = PF_RT_RCV_IFNOT, .off = _OUT(rcvifnot), .cb = nlattr_get_bool },
764 { .type = PF_RT_PKTRATE, .off = _OUT(pktrate), .arg = &threshold_parser, .cb = nlattr_get_nested },
765 { .type = PF_RT_MAX_PKT_SIZE, .off = _OUT(max_pkt_size), .cb = nlattr_get_uint16 },
766 };
767 NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule);
768 #undef _OUT
769 struct nl_parsed_addrule {
770 struct pf_krule *rule;
771 uint32_t ticket;
772 uint32_t pool_ticket;
773 char *anchor;
774 char *anchor_call;
775 };
776 #define _OUT(_field) offsetof(struct nl_parsed_addrule, _field)
777 static const struct nlattr_parser nla_p_addrule[] = {
778 { .type = PF_ART_TICKET, .off = _OUT(ticket), .cb = nlattr_get_uint32 },
779 { .type = PF_ART_POOL_TICKET, .off = _OUT(pool_ticket), .cb = nlattr_get_uint32 },
780 { .type = PF_ART_ANCHOR, .off = _OUT(anchor), .cb = nlattr_get_string },
781 { .type = PF_ART_ANCHOR_CALL, .off = _OUT(anchor_call), .cb = nlattr_get_string },
782 { .type = PF_ART_RULE, .off = _OUT(rule), .arg = &rule_parser, .cb = nlattr_get_nested_ptr }
783 };
784 #undef _OUT
785 NL_DECLARE_PARSER(addrule_parser, struct genlmsghdr, nlf_p_empty, nla_p_addrule);
786
787 static int
pf_handle_addrule(struct nlmsghdr * hdr,struct nl_pstate * npt)788 pf_handle_addrule(struct nlmsghdr *hdr, struct nl_pstate *npt)
789 {
790 int error;
791 struct nl_parsed_addrule attrs = {};
792
793 attrs.rule = pf_krule_alloc();
794
795 error = nl_parse_nlmsg(hdr, &addrule_parser, npt, &attrs);
796 if (error != 0) {
797 pf_free_rule(attrs.rule);
798 return (error);
799 }
800
801 error = pf_ioctl_addrule(attrs.rule, attrs.ticket, attrs.pool_ticket,
802 attrs.anchor, attrs.anchor_call, nlp_get_cred(npt->nlp)->cr_uid,
803 hdr->nlmsg_pid);
804
805 return (error);
806 }
807
808 #define _OUT(_field) offsetof(struct pfioc_rule, _field)
809 static const struct nlattr_parser nla_p_getrules[] = {
810 { .type = PF_GR_ANCHOR, .off = _OUT(anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara },
811 { .type = PF_GR_ACTION, .off = _OUT(rule.action), .cb = nlattr_get_uint8 },
812 };
813 #undef _OUT
814 NL_DECLARE_PARSER(getrules_parser, struct genlmsghdr, nlf_p_empty, nla_p_getrules);
815
816 static int
pf_handle_getrules(struct nlmsghdr * hdr,struct nl_pstate * npt)817 pf_handle_getrules(struct nlmsghdr *hdr, struct nl_pstate *npt)
818 {
819 struct pfioc_rule attrs = {};
820 int error;
821 struct nl_writer *nw = npt->nw;
822 struct genlmsghdr *ghdr_new;
823
824 error = nl_parse_nlmsg(hdr, &getrules_parser, npt, &attrs);
825 if (error != 0)
826 return (error);
827
828 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
829 return (ENOMEM);
830
831 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
832 ghdr_new->cmd = PFNL_CMD_GETRULES;
833 ghdr_new->version = 0;
834 ghdr_new->reserved = 0;
835
836 error = pf_ioctl_getrules(&attrs);
837 if (error != 0)
838 goto out;
839
840 nlattr_add_u32(nw, PF_GR_NR, attrs.nr);
841 nlattr_add_u32(nw, PF_GR_TICKET, attrs.ticket);
842
843 if (!nlmsg_end(nw)) {
844 error = ENOMEM;
845 goto out;
846 }
847
848 return (0);
849
850 out:
851 nlmsg_abort(nw);
852 return (error);
853 }
854
855 struct nl_parsed_get_rule {
856 char anchor[MAXPATHLEN];
857 uint8_t action;
858 uint32_t nr;
859 uint32_t ticket;
860 uint8_t clear;
861 };
862 #define _OUT(_field) offsetof(struct nl_parsed_get_rule, _field)
863 static const struct nlattr_parser nla_p_getrule[] = {
864 { .type = PF_GR_ANCHOR, .off = _OUT(anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara },
865 { .type = PF_GR_ACTION, .off = _OUT(action), .cb = nlattr_get_uint8 },
866 { .type = PF_GR_NR, .off = _OUT(nr), .cb = nlattr_get_uint32 },
867 { .type = PF_GR_TICKET, .off = _OUT(ticket), .cb = nlattr_get_uint32 },
868 { .type = PF_GR_CLEAR, .off = _OUT(clear), .cb = nlattr_get_uint8 },
869 };
870 #undef _OUT
871 NL_DECLARE_PARSER(getrule_parser, struct genlmsghdr, nlf_p_empty, nla_p_getrule);
872
873 static int
pf_handle_getrule(struct nlmsghdr * hdr,struct nl_pstate * npt)874 pf_handle_getrule(struct nlmsghdr *hdr, struct nl_pstate *npt)
875 {
876 char anchor_call[MAXPATHLEN];
877 struct nl_parsed_get_rule attrs = {};
878 struct nl_writer *nw = npt->nw;
879 struct genlmsghdr *ghdr_new;
880 struct pf_kruleset *ruleset;
881 struct pf_krule *rule;
882 u_int64_t src_nodes_total = 0;
883 int rs_num;
884 int error;
885
886 error = nl_parse_nlmsg(hdr, &getrule_parser, npt, &attrs);
887 if (error != 0)
888 return (error);
889
890 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
891 return (ENOMEM);
892
893 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
894 ghdr_new->cmd = PFNL_CMD_GETRULE;
895 ghdr_new->version = 0;
896 ghdr_new->reserved = 0;
897
898 PF_RULES_WLOCK();
899 ruleset = pf_find_kruleset(attrs.anchor);
900 if (ruleset == NULL) {
901 PF_RULES_WUNLOCK();
902 error = ENOENT;
903 goto out;
904 }
905
906 rs_num = pf_get_ruleset_number(attrs.action);
907 if (rs_num >= PF_RULESET_MAX) {
908 PF_RULES_WUNLOCK();
909 error = EINVAL;
910 goto out;
911 }
912
913 if (attrs.ticket != ruleset->rules[rs_num].active.ticket) {
914 PF_RULES_WUNLOCK();
915 error = EBUSY;
916 goto out;
917 }
918
919 rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
920 while ((rule != NULL) && (rule->nr != attrs.nr))
921 rule = TAILQ_NEXT(rule, entries);
922 if (rule == NULL) {
923 PF_RULES_WUNLOCK();
924 error = EBUSY;
925 goto out;
926 }
927
928 nlattr_add_rule_addr(nw, PF_RT_SRC, &rule->src);
929 nlattr_add_rule_addr(nw, PF_RT_DST, &rule->dst);
930 nlattr_add_u32(nw, PF_RT_RIDENTIFIER, rule->ridentifier);
931 nlattr_add_labels(nw, PF_RT_LABELS, rule);
932 nlattr_add_string(nw, PF_RT_IFNAME, rule->ifname);
933 nlattr_add_string(nw, PF_RT_QNAME, rule->qname);
934 nlattr_add_string(nw, PF_RT_PQNAME, rule->pqname);
935 nlattr_add_string(nw, PF_RT_TAGNAME, rule->tagname);
936 nlattr_add_string(nw, PF_RT_MATCH_TAGNAME, rule->match_tagname);
937 nlattr_add_string(nw, PF_RT_OVERLOAD_TBLNAME, rule->overload_tblname);
938 nlattr_add_pool(nw, PF_RT_RPOOL_RDR, &rule->rdr);
939 nlattr_add_pool(nw, PF_RT_RPOOL_NAT, &rule->nat);
940 nlattr_add_pool(nw, PF_RT_RPOOL_RT, &rule->route);
941 nlattr_add_u32(nw, PF_RT_OS_FINGERPRINT, rule->os_fingerprint);
942 nlattr_add_u32(nw, PF_RT_RTABLEID, rule->rtableid);
943 nlattr_add_timeout(nw, PF_RT_TIMEOUT, rule->timeout);
944 nlattr_add_u32(nw, PF_RT_MAX_STATES, rule->max_states);
945 nlattr_add_u32(nw, PF_RT_MAX_SRC_NODES, rule->max_src_nodes);
946 nlattr_add_u32(nw, PF_RT_MAX_SRC_STATES, rule->max_src_states);
947 nlattr_add_u32(nw, PF_RT_MAX_SRC_CONN, rule->max_src_conn);
948 nlattr_add_u32(nw, PF_RT_MAX_SRC_CONN_RATE_LIMIT, rule->max_src_conn_rate.limit);
949 nlattr_add_u32(nw, PF_RT_MAX_SRC_CONN_RATE_SECS, rule->max_src_conn_rate.seconds);
950 nlattr_add_u16(nw, PF_RT_MAX_PKT_SIZE, rule->max_pkt_size);
951
952 nlattr_add_u16(nw, PF_RT_DNPIPE, rule->dnpipe);
953 nlattr_add_u16(nw, PF_RT_DNRPIPE, rule->dnrpipe);
954 nlattr_add_u32(nw, PF_RT_DNFLAGS, rule->free_flags);
955
956 nlattr_add_u32(nw, PF_RT_NR, rule->nr);
957 nlattr_add_u32(nw, PF_RT_PROB, rule->prob);
958 nlattr_add_u32(nw, PF_RT_CUID, rule->cuid);
959 nlattr_add_u32(nw, PF_RT_CPID, rule->cpid);
960
961 nlattr_add_u16(nw, PF_RT_RETURN_ICMP, rule->return_icmp);
962 nlattr_add_u16(nw, PF_RT_RETURN_ICMP6, rule->return_icmp6);
963 nlattr_add_u16(nw, PF_RT_RETURN_ICMP6, rule->return_icmp6);
964 nlattr_add_u16(nw, PF_RT_MAX_MSS, rule->max_mss);
965 nlattr_add_u16(nw, PF_RT_SCRUB_FLAGS, rule->scrub_flags);
966
967 nlattr_add_rule_uid(nw, PF_RT_UID, &rule->uid);
968 nlattr_add_rule_uid(nw, PF_RT_GID, (const struct pf_rule_uid *)&rule->gid);
969
970 nlattr_add_string(nw, PF_RT_RCV_IFNAME, rule->rcv_ifname);
971 nlattr_add_bool(nw, PF_RT_RCV_IFNOT, rule->rcvifnot);
972
973 nlattr_add_u32(nw, PF_RT_RULE_FLAG, rule->rule_flag);
974 nlattr_add_u8(nw, PF_RT_ACTION, rule->action);
975 nlattr_add_u8(nw, PF_RT_DIRECTION, rule->direction);
976 nlattr_add_u8(nw, PF_RT_LOG, rule->log);
977 nlattr_add_u8(nw, PF_RT_LOGIF, rule->logif);
978 nlattr_add_u8(nw, PF_RT_QUICK, rule->quick);
979 nlattr_add_u8(nw, PF_RT_IF_NOT, rule->ifnot);
980 nlattr_add_u8(nw, PF_RT_MATCH_TAG_NOT, rule->match_tag_not);
981 nlattr_add_u8(nw, PF_RT_NATPASS, rule->natpass);
982 nlattr_add_u8(nw, PF_RT_KEEP_STATE, rule->keep_state);
983
984 nlattr_add_u8(nw, PF_RT_AF, rule->af);
985 nlattr_add_u8(nw, PF_RT_NAF, rule->naf);
986 nlattr_add_u8(nw, PF_RT_PROTO, rule->proto);
987 nlattr_add_u8(nw, PF_RT_TYPE, rule->type);
988 nlattr_add_u8(nw, PF_RT_CODE, rule->code);
989 nlattr_add_u8(nw, PF_RT_FLAGS, rule->flags);
990 nlattr_add_u8(nw, PF_RT_FLAGSET, rule->flagset);
991 nlattr_add_u8(nw, PF_RT_MIN_TTL, rule->min_ttl);
992 nlattr_add_u8(nw, PF_RT_ALLOW_OPTS, rule->allow_opts);
993 nlattr_add_u8(nw, PF_RT_RT, rule->rt);
994 nlattr_add_u8(nw, PF_RT_RETURN_TTL, rule->return_ttl);
995 nlattr_add_u8(nw, PF_RT_TOS, rule->tos);
996 nlattr_add_u8(nw, PF_RT_SET_TOS, rule->set_tos);
997 nlattr_add_u8(nw, PF_RT_ANCHOR_RELATIVE, rule->anchor_relative);
998 nlattr_add_u8(nw, PF_RT_ANCHOR_WILDCARD, rule->anchor_wildcard);
999 nlattr_add_u8(nw, PF_RT_FLUSH, rule->flush);
1000 nlattr_add_u8(nw, PF_RT_PRIO, rule->prio);
1001 nlattr_add_u8(nw, PF_RT_SET_PRIO, rule->set_prio[0]);
1002 nlattr_add_u8(nw, PF_RT_SET_PRIO_REPLY, rule->set_prio[1]);
1003
1004 nlattr_add_in6_addr(nw, PF_RT_DIVERT_ADDRESS, &rule->divert.addr.v6);
1005 nlattr_add_u16(nw, PF_RT_DIVERT_PORT, rule->divert.port);
1006
1007 nlattr_add_u64(nw, PF_RT_PACKETS_IN, pf_counter_u64_fetch(&rule->packets[0]));
1008 nlattr_add_u64(nw, PF_RT_PACKETS_OUT, pf_counter_u64_fetch(&rule->packets[1]));
1009 nlattr_add_u64(nw, PF_RT_BYTES_IN, pf_counter_u64_fetch(&rule->bytes[0]));
1010 nlattr_add_u64(nw, PF_RT_BYTES_OUT, pf_counter_u64_fetch(&rule->bytes[1]));
1011 nlattr_add_u64(nw, PF_RT_EVALUATIONS, pf_counter_u64_fetch(&rule->evaluations));
1012 nlattr_add_u64(nw, PF_RT_TIMESTAMP, pf_get_timestamp(rule));
1013 nlattr_add_u64(nw, PF_RT_STATES_CUR, counter_u64_fetch(rule->states_cur));
1014 nlattr_add_u64(nw, PF_RT_STATES_TOTAL, counter_u64_fetch(rule->states_tot));
1015 for (pf_sn_types_t sn_type=0; sn_type<PF_SN_MAX; sn_type++)
1016 src_nodes_total += counter_u64_fetch(rule->src_nodes[sn_type]);
1017 nlattr_add_u64(nw, PF_RT_SRC_NODES, src_nodes_total);
1018 nlattr_add_u64(nw, PF_RT_SRC_NODES_LIMIT, counter_u64_fetch(rule->src_nodes[PF_SN_LIMIT]));
1019 nlattr_add_u64(nw, PF_RT_SRC_NODES_NAT, counter_u64_fetch(rule->src_nodes[PF_SN_NAT]));
1020 nlattr_add_u64(nw, PF_RT_SRC_NODES_ROUTE, counter_u64_fetch(rule->src_nodes[PF_SN_ROUTE]));
1021 nlattr_add_pf_threshold(nw, PF_RT_PKTRATE, &rule->pktrate);
1022
1023 error = pf_kanchor_copyout(ruleset, rule, anchor_call, sizeof(anchor_call));
1024 MPASS(error == 0);
1025
1026 nlattr_add_string(nw, PF_RT_ANCHOR_CALL, anchor_call);
1027
1028 if (attrs.clear)
1029 pf_krule_clear_counters(rule);
1030
1031 PF_RULES_WUNLOCK();
1032
1033 if (!nlmsg_end(nw)) {
1034 error = ENOMEM;
1035 goto out;
1036 }
1037
1038 return (0);
1039 out:
1040 nlmsg_abort(nw);
1041 return (error);
1042 }
1043
1044 #define _OUT(_field) offsetof(struct pf_kstate_kill, _field)
1045 static const struct nlattr_parser nla_p_clear_states[] = {
1046 { .type = PF_CS_CMP_ID, .off = _OUT(psk_pfcmp.id), .cb = nlattr_get_uint64 },
1047 { .type = PF_CS_CMP_CREATORID, .off = _OUT(psk_pfcmp.creatorid), .cb = nlattr_get_uint32 },
1048 { .type = PF_CS_CMP_DIR, .off = _OUT(psk_pfcmp.direction), .cb = nlattr_get_uint8 },
1049 { .type = PF_CS_AF, .off = _OUT(psk_af), .cb = nlattr_get_uint8 },
1050 { .type = PF_CS_PROTO, .off = _OUT(psk_proto), .cb = nlattr_get_uint8 },
1051 { .type = PF_CS_SRC, .off = _OUT(psk_src), .arg = &rule_addr_parser, .cb = nlattr_get_nested },
1052 { .type = PF_CS_DST, .off = _OUT(psk_dst), .arg = &rule_addr_parser, .cb = nlattr_get_nested },
1053 { .type = PF_CS_RT_ADDR, .off = _OUT(psk_rt_addr), .arg = &rule_addr_parser, .cb = nlattr_get_nested },
1054 { .type = PF_CS_IFNAME, .off = _OUT(psk_ifname), .arg = (void *)IFNAMSIZ, .cb = nlattr_get_chara },
1055 { .type = PF_CS_LABEL, .off = _OUT(psk_label), .arg = (void *)PF_RULE_LABEL_SIZE, .cb = nlattr_get_chara },
1056 { .type = PF_CS_KILL_MATCH, .off = _OUT(psk_kill_match), .cb = nlattr_get_bool },
1057 { .type = PF_CS_NAT, .off = _OUT(psk_nat), .cb = nlattr_get_bool },
1058 };
1059 #undef _OUT
1060 NL_DECLARE_PARSER(clear_states_parser, struct genlmsghdr, nlf_p_empty, nla_p_clear_states);
1061
1062 static int
pf_handle_killclear_states(struct nlmsghdr * hdr,struct nl_pstate * npt,int cmd)1063 pf_handle_killclear_states(struct nlmsghdr *hdr, struct nl_pstate *npt, int cmd)
1064 {
1065 struct pf_kstate_kill kill = {};
1066 struct epoch_tracker et;
1067 struct nl_writer *nw = npt->nw;
1068 struct genlmsghdr *ghdr_new;
1069 int error;
1070 unsigned int killed = 0;
1071
1072 error = nl_parse_nlmsg(hdr, &clear_states_parser, npt, &kill);
1073 if (error != 0)
1074 return (error);
1075
1076 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1077 return (ENOMEM);
1078
1079 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1080 ghdr_new->cmd = cmd;
1081 ghdr_new->version = 0;
1082 ghdr_new->reserved = 0;
1083
1084 NET_EPOCH_ENTER(et);
1085 if (cmd == PFNL_CMD_KILLSTATES)
1086 pf_killstates(&kill, &killed);
1087 else
1088 killed = pf_clear_states(&kill);
1089 NET_EPOCH_EXIT(et);
1090
1091 nlattr_add_u32(nw, PF_CS_KILLED, killed);
1092
1093 if (! nlmsg_end(nw)) {
1094 error = ENOMEM;
1095 goto out;
1096 }
1097
1098 return (0);
1099
1100 out:
1101 nlmsg_abort(nw);
1102 return (error);
1103 }
1104
1105 static int
pf_handle_clear_states(struct nlmsghdr * hdr,struct nl_pstate * npt)1106 pf_handle_clear_states(struct nlmsghdr *hdr, struct nl_pstate *npt)
1107 {
1108 return (pf_handle_killclear_states(hdr, npt, PFNL_CMD_CLRSTATES));
1109 }
1110
1111 static int
pf_handle_kill_states(struct nlmsghdr * hdr,struct nl_pstate * npt)1112 pf_handle_kill_states(struct nlmsghdr *hdr, struct nl_pstate *npt)
1113 {
1114 return (pf_handle_killclear_states(hdr, npt, PFNL_CMD_KILLSTATES));
1115 }
1116
1117 struct nl_parsed_set_statusif {
1118 char ifname[IFNAMSIZ];
1119 };
1120 #define _OUT(_field) offsetof(struct nl_parsed_set_statusif, _field)
1121 static const struct nlattr_parser nla_p_set_statusif[] = {
1122 { .type = PF_SS_IFNAME, .off = _OUT(ifname), .arg = (const void *)IFNAMSIZ, .cb = nlattr_get_chara },
1123 };
1124 #undef _OUT
1125 NL_DECLARE_PARSER(set_statusif_parser, struct genlmsghdr, nlf_p_empty, nla_p_set_statusif);
1126
1127 static int
pf_handle_set_statusif(struct nlmsghdr * hdr,struct nl_pstate * npt)1128 pf_handle_set_statusif(struct nlmsghdr *hdr, struct nl_pstate *npt)
1129 {
1130 int error;
1131 struct nl_parsed_set_statusif attrs = {};
1132
1133 error = nl_parse_nlmsg(hdr, &set_statusif_parser, npt, &attrs);
1134 if (error != 0)
1135 return (error);
1136
1137 PF_RULES_WLOCK();
1138 strlcpy(V_pf_status.ifname, attrs.ifname, IFNAMSIZ);
1139 PF_RULES_WUNLOCK();
1140
1141 return (0);
1142 }
1143
1144 static bool
nlattr_add_counters(struct nl_writer * nw,int attr,size_t number,char ** names,counter_u64_t * counters)1145 nlattr_add_counters(struct nl_writer *nw, int attr, size_t number, char **names,
1146 counter_u64_t *counters)
1147 {
1148 for (int i = 0; i < number; i++) {
1149 int off = nlattr_add_nested(nw, attr);
1150 nlattr_add_u32(nw, PF_C_ID, i);
1151 nlattr_add_string(nw, PF_C_NAME, names[i]);
1152 nlattr_add_u64(nw, PF_C_COUNTER, counter_u64_fetch(counters[i]));
1153 nlattr_set_len(nw, off);
1154 }
1155
1156 return (true);
1157 }
1158
1159 static bool
nlattr_add_fcounters(struct nl_writer * nw,int attr,size_t number,char ** names,struct pf_counter_u64 * counters)1160 nlattr_add_fcounters(struct nl_writer *nw, int attr, size_t number, char **names,
1161 struct pf_counter_u64 *counters)
1162 {
1163 for (int i = 0; i < number; i++) {
1164 int off = nlattr_add_nested(nw, attr);
1165 nlattr_add_u32(nw, PF_C_ID, i);
1166 nlattr_add_string(nw, PF_C_NAME, names[i]);
1167 nlattr_add_u64(nw, PF_C_COUNTER, pf_counter_u64_fetch(&counters[i]));
1168 nlattr_set_len(nw, off);
1169 }
1170
1171 return (true);
1172 }
1173
1174 static bool
nlattr_add_u64_array(struct nl_writer * nw,int attr,size_t number,uint64_t * array)1175 nlattr_add_u64_array(struct nl_writer *nw, int attr, size_t number, uint64_t *array)
1176 {
1177 int off = nlattr_add_nested(nw, attr);
1178
1179 for (size_t i = 0; i < number; i++)
1180 nlattr_add_u64(nw, 0, array[i]);
1181
1182 nlattr_set_len(nw, off);
1183
1184 return (true);
1185 }
1186
1187 static int
pf_handle_get_status(struct nlmsghdr * hdr,struct nl_pstate * npt)1188 pf_handle_get_status(struct nlmsghdr *hdr, struct nl_pstate *npt)
1189 {
1190 struct pf_status s;
1191 struct nl_writer *nw = npt->nw;
1192 struct genlmsghdr *ghdr_new;
1193 char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
1194 char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
1195 char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
1196 time_t since;
1197 int error;
1198
1199 PF_RULES_RLOCK_TRACKER;
1200
1201 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1202 return (ENOMEM);
1203
1204 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1205 ghdr_new->cmd = PFNL_CMD_GET_STATUS;
1206 ghdr_new->version = 0;
1207 ghdr_new->reserved = 0;
1208
1209 since = time_second - (time_uptime - V_pf_status.since);
1210
1211 PF_RULES_RLOCK();
1212
1213 nlattr_add_string(nw, PF_GS_IFNAME, V_pf_status.ifname);
1214 nlattr_add_bool(nw, PF_GS_RUNNING, V_pf_status.running);
1215 nlattr_add_u32(nw, PF_GS_SINCE, since);
1216 nlattr_add_u32(nw, PF_GS_DEBUG, V_pf_status.debug);
1217 nlattr_add_u32(nw, PF_GS_HOSTID, ntohl(V_pf_status.hostid));
1218 nlattr_add_u32(nw, PF_GS_STATES, V_pf_status.states);
1219 nlattr_add_u32(nw, PF_GS_SRC_NODES, V_pf_status.src_nodes);
1220 nlattr_add_u32(nw, PF_GS_REASSEMBLE, V_pf_status.reass);
1221 nlattr_add_u32(nw, PF_GS_SYNCOOKIES_ACTIVE, V_pf_status.syncookies_active);
1222
1223 nlattr_add_counters(nw, PF_GS_COUNTERS, PFRES_MAX, pf_reasons,
1224 V_pf_status.counters);
1225 nlattr_add_counters(nw, PF_GS_LCOUNTERS, KLCNT_MAX, pf_lcounter,
1226 V_pf_status.lcounters);
1227 nlattr_add_fcounters(nw, PF_GS_FCOUNTERS, FCNT_MAX, pf_fcounter,
1228 V_pf_status.fcounters);
1229 nlattr_add_counters(nw, PF_GS_SCOUNTERS, SCNT_MAX, pf_fcounter,
1230 V_pf_status.scounters);
1231
1232 pfi_update_status(V_pf_status.ifname, &s);
1233 nlattr_add_u64_array(nw, PF_GS_BCOUNTERS, 2 * 2, (uint64_t *)s.bcounters);
1234 nlattr_add_u64_array(nw, PF_GS_PCOUNTERS, 2 * 2 * 2, (uint64_t *)s.pcounters);
1235
1236 nlattr_add(nw, PF_GS_CHKSUM, PF_MD5_DIGEST_LENGTH, V_pf_status.pf_chksum);
1237
1238 PF_RULES_RUNLOCK();
1239
1240 if (!nlmsg_end(nw)) {
1241 error = ENOMEM;
1242 goto out;
1243 }
1244
1245 return (0);
1246
1247 out:
1248 nlmsg_abort(nw);
1249 return (error);
1250 }
1251
1252 static int
pf_handle_clear_status(struct nlmsghdr * hdr,struct nl_pstate * npt)1253 pf_handle_clear_status(struct nlmsghdr *hdr, struct nl_pstate *npt)
1254 {
1255 pf_ioctl_clear_status();
1256
1257 return (0);
1258 }
1259
1260 #define _OUT(_field) offsetof(struct pfioc_natlook, _field)
1261 static const struct nlattr_parser nla_p_natlook[] = {
1262 { .type = PF_NL_AF, .off = _OUT(af), .cb = nlattr_get_uint8 },
1263 { .type = PF_NL_DIRECTION, .off = _OUT(direction), .cb = nlattr_get_uint8 },
1264 { .type = PF_NL_PROTO, .off = _OUT(proto), .cb = nlattr_get_uint8 },
1265 { .type = PF_NL_SRC_ADDR, .off = _OUT(saddr), .cb = nlattr_get_in6_addr },
1266 { .type = PF_NL_DST_ADDR, .off = _OUT(daddr), .cb = nlattr_get_in6_addr },
1267 { .type = PF_NL_SRC_PORT, .off = _OUT(sport), .cb = nlattr_get_uint16 },
1268 { .type = PF_NL_DST_PORT, .off = _OUT(dport), .cb = nlattr_get_uint16 },
1269 };
1270 #undef _OUT
1271 NL_DECLARE_PARSER(natlook_parser, struct genlmsghdr, nlf_p_empty, nla_p_natlook);
1272
1273 static int
pf_handle_natlook(struct nlmsghdr * hdr,struct nl_pstate * npt)1274 pf_handle_natlook(struct nlmsghdr *hdr, struct nl_pstate *npt)
1275 {
1276 struct pfioc_natlook attrs = {};
1277 struct nl_writer *nw = npt->nw;
1278 struct genlmsghdr *ghdr_new;
1279 int error;
1280
1281 error = nl_parse_nlmsg(hdr, &natlook_parser, npt, &attrs);
1282 if (error != 0)
1283 return (error);
1284
1285 error = pf_ioctl_natlook(&attrs);
1286 if (error != 0)
1287 return (error);
1288
1289 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1290 return (ENOMEM);
1291
1292 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1293 ghdr_new->cmd = PFNL_CMD_NATLOOK;
1294 ghdr_new->version = 0;
1295 ghdr_new->reserved = 0;
1296
1297 nlattr_add_in6_addr(nw, PF_NL_SRC_ADDR, &attrs.rsaddr.v6);
1298 nlattr_add_in6_addr(nw, PF_NL_DST_ADDR, &attrs.rdaddr.v6);
1299 nlattr_add_u16(nw, PF_NL_SRC_PORT, attrs.rsport);
1300 nlattr_add_u16(nw, PF_NL_DST_PORT, attrs.rdport);
1301
1302 if (!nlmsg_end(nw)) {
1303 nlmsg_abort(nw);
1304 return (ENOMEM);
1305 }
1306
1307 return (0);
1308 }
1309
1310 struct pf_nl_set_debug
1311 {
1312 uint32_t level;
1313 };
1314 #define _OUT(_field) offsetof(struct pf_nl_set_debug, _field)
1315 static const struct nlattr_parser nla_p_set_debug[] = {
1316 { .type = PF_SD_LEVEL, .off = _OUT(level), .cb = nlattr_get_uint32 },
1317 };
1318 #undef _OUT
1319 NL_DECLARE_PARSER(set_debug_parser, struct genlmsghdr, nlf_p_empty, nla_p_set_debug);
1320
1321 static int
pf_handle_set_debug(struct nlmsghdr * hdr,struct nl_pstate * npt)1322 pf_handle_set_debug(struct nlmsghdr *hdr, struct nl_pstate *npt)
1323 {
1324 struct pf_nl_set_debug attrs = {};
1325 int error;
1326
1327 error = nl_parse_nlmsg(hdr, &set_debug_parser, npt, &attrs);
1328 if (error != 0)
1329 return (error);
1330
1331 PF_RULES_WLOCK();
1332 V_pf_status.debug = attrs.level;
1333 PF_RULES_WUNLOCK();
1334
1335 return (0);
1336 }
1337
1338 struct pf_nl_set_timeout
1339 {
1340 uint32_t timeout;
1341 uint32_t seconds;
1342 };
1343 #define _OUT(_field) offsetof(struct pf_nl_set_timeout, _field)
1344 static const struct nlattr_parser nla_p_set_timeout[] = {
1345 { .type = PF_TO_TIMEOUT, .off = _OUT(timeout), .cb = nlattr_get_uint32 },
1346 { .type = PF_TO_SECONDS, .off = _OUT(seconds), .cb = nlattr_get_uint32 },
1347 };
1348 #undef _OUT
1349 NL_DECLARE_PARSER(set_timeout_parser, struct genlmsghdr, nlf_p_empty, nla_p_set_timeout);
1350
1351 static int
pf_handle_set_timeout(struct nlmsghdr * hdr,struct nl_pstate * npt)1352 pf_handle_set_timeout(struct nlmsghdr *hdr, struct nl_pstate *npt)
1353 {
1354 struct pf_nl_set_timeout attrs = {};
1355 int error;
1356
1357 error = nl_parse_nlmsg(hdr, &set_timeout_parser, npt, &attrs);
1358 if (error != 0)
1359 return (error);
1360
1361 return (pf_ioctl_set_timeout(attrs.timeout, attrs.seconds, NULL));
1362 }
1363
1364 static int
pf_handle_get_timeout(struct nlmsghdr * hdr,struct nl_pstate * npt)1365 pf_handle_get_timeout(struct nlmsghdr *hdr, struct nl_pstate *npt)
1366 {
1367 struct pf_nl_set_timeout attrs = {};
1368 struct nl_writer *nw = npt->nw;
1369 struct genlmsghdr *ghdr_new;
1370 int error;
1371
1372 error = nl_parse_nlmsg(hdr, &set_timeout_parser, npt, &attrs);
1373 if (error != 0)
1374 return (error);
1375
1376 error = pf_ioctl_get_timeout(attrs.timeout, &attrs.seconds);
1377 if (error != 0)
1378 return (error);
1379
1380 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1381 return (ENOMEM);
1382
1383 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1384 ghdr_new->cmd = PFNL_CMD_GET_TIMEOUT;
1385 ghdr_new->version = 0;
1386 ghdr_new->reserved = 0;
1387
1388 nlattr_add_u32(nw, PF_TO_SECONDS, attrs.seconds);
1389
1390 if (!nlmsg_end(nw)) {
1391 nlmsg_abort(nw);
1392 return (ENOMEM);
1393 }
1394
1395 return (0);
1396 }
1397
1398 struct pf_nl_set_limit
1399 {
1400 uint32_t index;
1401 uint32_t limit;
1402 };
1403 #define _OUT(_field) offsetof(struct pf_nl_set_limit, _field)
1404 static const struct nlattr_parser nla_p_set_limit[] = {
1405 { .type = PF_LI_INDEX, .off = _OUT(index), .cb = nlattr_get_uint32 },
1406 { .type = PF_LI_LIMIT, .off = _OUT(limit), .cb = nlattr_get_uint32 },
1407 };
1408 #undef _OUT
1409 NL_DECLARE_PARSER(set_limit_parser, struct genlmsghdr, nlf_p_empty, nla_p_set_limit);
1410
1411 static int
pf_handle_set_limit(struct nlmsghdr * hdr,struct nl_pstate * npt)1412 pf_handle_set_limit(struct nlmsghdr *hdr, struct nl_pstate *npt)
1413 {
1414 struct pf_nl_set_limit attrs = {};
1415 int error;
1416
1417 error = nl_parse_nlmsg(hdr, &set_limit_parser, npt, &attrs);
1418 if (error != 0)
1419 return (error);
1420
1421 return (pf_ioctl_set_limit(attrs.index, attrs.limit, NULL));
1422 }
1423
1424 static int
pf_handle_get_limit(struct nlmsghdr * hdr,struct nl_pstate * npt)1425 pf_handle_get_limit(struct nlmsghdr *hdr, struct nl_pstate *npt)
1426 {
1427 struct pf_nl_set_limit attrs = {};
1428 struct nl_writer *nw = npt->nw;
1429 struct genlmsghdr *ghdr_new;
1430 int error;
1431
1432 error = nl_parse_nlmsg(hdr, &set_limit_parser, npt, &attrs);
1433 if (error != 0)
1434 return (error);
1435
1436 error = pf_ioctl_get_limit(attrs.index, &attrs.limit);
1437 if (error != 0)
1438 return (error);
1439
1440 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1441 return (ENOMEM);
1442
1443 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1444 ghdr_new->cmd = PFNL_CMD_GET_LIMIT;
1445 ghdr_new->version = 0;
1446 ghdr_new->reserved = 0;
1447
1448 nlattr_add_u32(nw, PF_LI_LIMIT, attrs.limit);
1449
1450 if (!nlmsg_end(nw)) {
1451 nlmsg_abort(nw);
1452 return (ENOMEM);
1453 }
1454
1455 return (0);
1456 }
1457
1458 static int
pf_handle_begin_addrs(struct nlmsghdr * hdr,struct nl_pstate * npt)1459 pf_handle_begin_addrs(struct nlmsghdr *hdr, struct nl_pstate *npt)
1460 {
1461 struct nl_writer *nw = npt->nw;
1462 struct genlmsghdr *ghdr_new;
1463 uint32_t ticket;
1464 int error;
1465
1466 error = pf_ioctl_begin_addrs(&ticket);
1467 if (error != 0)
1468 return (error);
1469
1470 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1471 return (ENOMEM);
1472
1473 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1474 ghdr_new->cmd = PFNL_CMD_BEGIN_ADDRS;
1475 ghdr_new->version = 0;
1476 ghdr_new->reserved = 0;
1477
1478 nlattr_add_u32(nw, PF_BA_TICKET, ticket);
1479
1480 if (!nlmsg_end(nw)) {
1481 nlmsg_abort(nw);
1482 return (ENOMEM);
1483 }
1484
1485 return (0);
1486 }
1487
1488 static bool
nlattr_add_pool_addr(struct nl_writer * nw,int attrtype,struct pf_pooladdr * a)1489 nlattr_add_pool_addr(struct nl_writer *nw, int attrtype, struct pf_pooladdr *a)
1490 {
1491 int off;
1492
1493 off = nlattr_add_nested(nw, attrtype);
1494
1495 nlattr_add_addr_wrap(nw, PF_PA_ADDR, &a->addr);
1496 nlattr_add_string(nw, PF_PA_IFNAME, a->ifname);
1497
1498 nlattr_set_len(nw, off);
1499
1500 return (true);
1501 }
1502
1503 #define _OUT(_field) offsetof(struct pf_pooladdr, _field)
1504 static const struct nlattr_parser nla_p_pool_addr[] = {
1505 { .type = PF_PA_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = nlattr_get_nested },
1506 { .type = PF_PA_IFNAME, .off = _OUT(ifname), .arg = (void *)IFNAMSIZ, .cb = nlattr_get_chara },
1507 };
1508 NL_DECLARE_ATTR_PARSER(pool_addr_parser, nla_p_pool_addr);
1509 #undef _OUT
1510
1511 #define _OUT(_field) offsetof(struct pf_nl_pooladdr, _field)
1512 static const struct nlattr_parser nla_p_add_addr[] = {
1513 { .type = PF_AA_ACTION, .off = _OUT(action), .cb = nlattr_get_uint32 },
1514 { .type = PF_AA_TICKET, .off = _OUT(ticket), .cb = nlattr_get_uint32 },
1515 { .type = PF_AA_NR, .off = _OUT(nr), .cb = nlattr_get_uint32 },
1516 { .type = PF_AA_R_NUM, .off = _OUT(r_num), .cb = nlattr_get_uint32 },
1517 { .type = PF_AA_R_ACTION, .off = _OUT(r_action), .cb = nlattr_get_uint8 },
1518 { .type = PF_AA_R_LAST, .off = _OUT(r_last), .cb = nlattr_get_uint8 },
1519 { .type = PF_AA_AF, .off = _OUT(af), .cb = nlattr_get_uint8 },
1520 { .type = PF_AA_ANCHOR, .off = _OUT(anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara },
1521 { .type = PF_AA_ADDR, .off = _OUT(addr), .arg = &pool_addr_parser, .cb = nlattr_get_nested },
1522 { .type = PF_AA_WHICH, .off = _OUT(which), .cb = nlattr_get_uint32 },
1523 };
1524 #undef _OUT
1525 NL_DECLARE_PARSER(add_addr_parser, struct genlmsghdr, nlf_p_empty, nla_p_add_addr);
1526
1527 static int
pf_handle_add_addr(struct nlmsghdr * hdr,struct nl_pstate * npt)1528 pf_handle_add_addr(struct nlmsghdr *hdr, struct nl_pstate *npt)
1529 {
1530 struct pf_nl_pooladdr attrs = { 0 };
1531 int error;
1532
1533 error = nl_parse_nlmsg(hdr, &add_addr_parser, npt, &attrs);
1534 if (error != 0)
1535 return (error);
1536
1537 if (attrs.which == 0)
1538 attrs.which = PF_RDR;
1539
1540 error = pf_ioctl_add_addr(&attrs);
1541
1542 return (error);
1543 }
1544
1545 static int
pf_handle_get_addrs(struct nlmsghdr * hdr,struct nl_pstate * npt)1546 pf_handle_get_addrs(struct nlmsghdr *hdr, struct nl_pstate *npt)
1547 {
1548 struct pf_nl_pooladdr attrs = { 0 };
1549 struct nl_writer *nw = npt->nw;
1550 struct genlmsghdr *ghdr_new;
1551 int error;
1552
1553 error = nl_parse_nlmsg(hdr, &add_addr_parser, npt, &attrs);
1554 if (error != 0)
1555 return (error);
1556
1557 if (attrs.which == 0)
1558 attrs.which = PF_RDR;
1559
1560 error = pf_ioctl_get_addrs(&attrs);
1561 if (error != 0)
1562 return (error);
1563
1564 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1565 return (ENOMEM);
1566
1567 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1568 ghdr_new->cmd = PFNL_CMD_GET_ADDRS;
1569 ghdr_new->version = 0;
1570 ghdr_new->reserved = 0;
1571
1572 nlattr_add_u32(nw, PF_AA_NR, attrs.nr);
1573
1574 if (!nlmsg_end(nw)) {
1575 nlmsg_abort(nw);
1576 return (ENOMEM);
1577 }
1578
1579 return (error);
1580 }
1581
1582 static int
pf_handle_get_addr(struct nlmsghdr * hdr,struct nl_pstate * npt)1583 pf_handle_get_addr(struct nlmsghdr *hdr, struct nl_pstate *npt)
1584 {
1585 struct pf_nl_pooladdr attrs = { 0 };
1586 struct nl_writer *nw = npt->nw;
1587 struct genlmsghdr *ghdr_new;
1588 int error;
1589
1590 error = nl_parse_nlmsg(hdr, &add_addr_parser, npt, &attrs);
1591 if (error != 0)
1592 return (error);
1593
1594 if (attrs.which == 0)
1595 attrs.which = PF_RDR;
1596
1597 error = pf_ioctl_get_addr(&attrs);
1598 if (error != 0)
1599 return (error);
1600
1601 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1602 return (ENOMEM);
1603
1604 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1605 ghdr_new->cmd = PFNL_CMD_GET_ADDR;
1606 ghdr_new->version = 0;
1607 ghdr_new->reserved = 0;
1608
1609 nlattr_add_u32(nw, PF_AA_ACTION, attrs.action);
1610 nlattr_add_u32(nw, PF_AA_TICKET, attrs.ticket);
1611 nlattr_add_u32(nw, PF_AA_NR, attrs.nr);
1612 nlattr_add_u32(nw, PF_AA_R_NUM, attrs.r_num);
1613 nlattr_add_u8(nw, PF_AA_R_ACTION, attrs.r_action);
1614 nlattr_add_u8(nw, PF_AA_R_LAST, attrs.r_last);
1615 nlattr_add_u8(nw, PF_AA_AF, attrs.af);
1616 nlattr_add_string(nw, PF_AA_ANCHOR, attrs.anchor);
1617 nlattr_add_pool_addr(nw, PF_AA_ADDR, &attrs.addr);
1618
1619 if (!nlmsg_end(nw)) {
1620 nlmsg_abort(nw);
1621 return (ENOMEM);
1622 }
1623
1624 return (0);
1625 }
1626
1627 #define _OUT(_field) offsetof(struct pfioc_ruleset, _field)
1628 static const struct nlattr_parser nla_p_ruleset[] = {
1629 { .type = PF_RS_PATH, .off = _OUT(path), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara },
1630 { .type = PF_RS_NR, .off = _OUT(nr), .cb = nlattr_get_uint32 },
1631 };
1632 NL_DECLARE_PARSER(ruleset_parser, struct genlmsghdr, nlf_p_empty, nla_p_ruleset);
1633 #undef _OUT
1634
1635 static int
pf_handle_get_rulesets(struct nlmsghdr * hdr,struct nl_pstate * npt)1636 pf_handle_get_rulesets(struct nlmsghdr *hdr, struct nl_pstate *npt)
1637 {
1638 struct pfioc_ruleset attrs = { 0 };
1639 struct nl_writer *nw = npt->nw;
1640 struct genlmsghdr *ghdr_new;
1641 int error;
1642
1643 error = nl_parse_nlmsg(hdr, &ruleset_parser, npt, &attrs);
1644 if (error != 0)
1645 return (error);
1646
1647 error = pf_ioctl_get_rulesets(&attrs);
1648 if (error != 0)
1649 return (error);
1650
1651 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1652 return (ENOMEM);
1653
1654 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1655 ghdr_new->cmd = PFNL_CMD_GET_RULESETS;
1656 ghdr_new->version = 0;
1657 ghdr_new->reserved = 0;
1658
1659 nlattr_add_u32(nw, PF_RS_NR, attrs.nr);
1660
1661 if (!nlmsg_end(nw)) {
1662 nlmsg_abort(nw);
1663 return (ENOMEM);
1664 }
1665
1666 return (0);
1667 }
1668
1669 static int
pf_handle_get_ruleset(struct nlmsghdr * hdr,struct nl_pstate * npt)1670 pf_handle_get_ruleset(struct nlmsghdr *hdr, struct nl_pstate *npt)
1671 {
1672 struct pfioc_ruleset attrs = { 0 };
1673 struct nl_writer *nw = npt->nw;
1674 struct genlmsghdr *ghdr_new;
1675 int error;
1676
1677 error = nl_parse_nlmsg(hdr, &ruleset_parser, npt, &attrs);
1678 if (error)
1679 return (error);
1680
1681 error = pf_ioctl_get_ruleset(&attrs);
1682 if (error != 0)
1683 return (error);
1684
1685 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1686 return (ENOMEM);
1687
1688 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1689 ghdr_new->cmd = PFNL_CMD_GET_RULESET;
1690 ghdr_new->version = 0;
1691 ghdr_new->reserved = 0;
1692
1693 nlattr_add_string(nw, PF_RS_NAME, attrs.name);
1694
1695 if (!nlmsg_end(nw)) {
1696 nlmsg_abort(nw);
1697 return (ENOMEM);
1698 }
1699
1700 return (0);
1701 }
1702
1703 static bool
nlattr_add_pf_threshold(struct nl_writer * nw,int attrtype,struct pf_kthreshold * t)1704 nlattr_add_pf_threshold(struct nl_writer *nw, int attrtype,
1705 struct pf_kthreshold *t)
1706 {
1707 int off = nlattr_add_nested(nw, attrtype);
1708 int conn_rate_count = 0;
1709
1710 /* Adjust the connection rate estimate. */
1711 if (t->cr != NULL)
1712 conn_rate_count = counter_rate_get(t->cr);
1713
1714 nlattr_add_u32(nw, PF_TH_LIMIT, t->limit);
1715 nlattr_add_u32(nw, PF_TH_SECONDS, t->seconds);
1716 nlattr_add_u32(nw, PF_TH_COUNT, conn_rate_count);
1717
1718 nlattr_set_len(nw, off);
1719
1720 return (true);
1721 }
1722
1723 static int
pf_handle_get_srcnodes(struct nlmsghdr * hdr,struct nl_pstate * npt)1724 pf_handle_get_srcnodes(struct nlmsghdr *hdr, struct nl_pstate *npt)
1725 {
1726 struct nl_writer *nw = npt->nw;
1727 struct genlmsghdr *ghdr_new;
1728 struct pf_ksrc_node *n;
1729 struct pf_srchash *sh;
1730 int i;
1731 int secs;
1732
1733 hdr->nlmsg_flags |= NLM_F_MULTI;
1734
1735 for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask;
1736 i++, sh++) {
1737 /* Avoid locking empty rows. */
1738 if (LIST_EMPTY(&sh->nodes))
1739 continue;
1740
1741 PF_HASHROW_LOCK(sh);
1742 secs = time_uptime;
1743
1744 LIST_FOREACH(n, &sh->nodes, entry) {
1745 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr))) {
1746 nlmsg_abort(nw);
1747 return (ENOMEM);
1748 }
1749
1750 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1751 ghdr_new->cmd = PFNL_CMD_GET_SRCNODES;
1752 ghdr_new->version = 0;
1753 ghdr_new->reserved = 0;
1754
1755 nlattr_add_in6_addr(nw, PF_SN_ADDR, &n->addr.v6);
1756 nlattr_add_in6_addr(nw, PF_SN_RADDR, &n->raddr.v6);
1757 nlattr_add_u32(nw, PF_SN_RULE_NR, n->rule->nr);
1758 nlattr_add_u64(nw, PF_SN_BYTES_IN, counter_u64_fetch(n->bytes[0]));
1759 nlattr_add_u64(nw, PF_SN_BYTES_OUT, counter_u64_fetch(n->bytes[1]));
1760 nlattr_add_u64(nw, PF_SN_PACKETS_IN, counter_u64_fetch(n->packets[0]));
1761 nlattr_add_u64(nw, PF_SN_PACKETS_OUT, counter_u64_fetch(n->packets[1]));
1762 nlattr_add_u32(nw, PF_SN_STATES, n->states);
1763 nlattr_add_u32(nw, PF_SN_CONNECTIONS, n->conn);
1764 nlattr_add_u8(nw, PF_SN_AF, n->af);
1765 nlattr_add_u8(nw, PF_SN_RAF, n->raf);
1766 nlattr_add_u8(nw, PF_SN_RULE_TYPE, n->ruletype);
1767
1768 nlattr_add_u64(nw, PF_SN_CREATION, secs - n->creation);
1769 if (n->expire > secs)
1770 nlattr_add_u64(nw, PF_SN_EXPIRE, n->expire - secs);
1771 else
1772 nlattr_add_u64(nw, PF_SN_EXPIRE, 0);
1773
1774 nlattr_add_pf_threshold(nw, PF_SN_CONNECTION_RATE,
1775 &n->conn_rate);
1776
1777 nlattr_add_u8(nw, PF_SN_NODE_TYPE, n->type);
1778
1779 if (!nlmsg_end(nw)) {
1780 PF_HASHROW_UNLOCK(sh);
1781 nlmsg_abort(nw);
1782 return (ENOMEM);
1783 }
1784 }
1785 PF_HASHROW_UNLOCK(sh);
1786 }
1787
1788 return (0);
1789 }
1790
1791 #define _OUT(_field) offsetof(struct pfioc_table, _field)
1792 static const struct nlattr_parser nla_p_table[] = {
1793 { .type = PF_T_ANCHOR, .off = _OUT(pfrio_table.pfrt_anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara },
1794 { .type = PF_T_NAME, .off = _OUT(pfrio_table.pfrt_name), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara },
1795 { .type = PF_T_TABLE_FLAGS, .off = _OUT(pfrio_table.pfrt_flags), .cb = nlattr_get_uint32 },
1796 { .type = PF_T_FLAGS, .off = _OUT(pfrio_flags), .cb = nlattr_get_uint32 },
1797 };
1798 static const struct nlfield_parser nlf_p_table[] = {};
1799 NL_DECLARE_PARSER(table_parser, struct genlmsghdr, nlf_p_table, nla_p_table);
1800 #undef _OUT
1801 static int
pf_handle_clear_tables(struct nlmsghdr * hdr,struct nl_pstate * npt)1802 pf_handle_clear_tables(struct nlmsghdr *hdr, struct nl_pstate *npt)
1803 {
1804 struct pfioc_table attrs = { 0 };
1805 struct nl_writer *nw = npt->nw;
1806 struct genlmsghdr *ghdr_new;
1807 int ndel = 0;
1808 int error;
1809
1810 error = nl_parse_nlmsg(hdr, &table_parser, npt, &attrs);
1811 if (error != 0)
1812 return (error);
1813
1814 PF_RULES_WLOCK();
1815 error = pfr_clr_tables(&attrs.pfrio_table, &ndel, attrs.pfrio_flags | PFR_FLAG_USERIOCTL);
1816 PF_RULES_WUNLOCK();
1817 if (error != 0)
1818 return (error);
1819
1820 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1821 return (ENOMEM);
1822
1823 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1824 ghdr_new->cmd = PFNL_CMD_CLEAR_TABLES;
1825 ghdr_new->version = 0;
1826 ghdr_new->reserved = 0;
1827
1828 nlattr_add_u32(nw, PF_T_NBR_DELETED, ndel);
1829
1830 if (!nlmsg_end(nw)) {
1831 nlmsg_abort(nw);
1832 return (ENOMEM);
1833 }
1834
1835 return (0);
1836 }
1837
1838 static int
pf_handle_add_table(struct nlmsghdr * hdr,struct nl_pstate * npt)1839 pf_handle_add_table(struct nlmsghdr *hdr, struct nl_pstate *npt)
1840 {
1841 struct pfioc_table attrs = { 0 };
1842 struct nl_writer *nw = npt->nw;
1843 struct genlmsghdr *ghdr_new;
1844 int error;
1845
1846 error = nl_parse_nlmsg(hdr, &table_parser, npt, &attrs);
1847 if (error != 0)
1848 return (error);
1849
1850 PF_RULES_WLOCK();
1851 error = pfr_add_tables(&attrs.pfrio_table, 1, &attrs.pfrio_nadd,
1852 attrs.pfrio_flags | PFR_FLAG_USERIOCTL);
1853 PF_RULES_WUNLOCK();
1854 if (error != 0)
1855 return (error);
1856
1857 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1858 return (ENOMEM);
1859
1860 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1861 ghdr_new->cmd = PFNL_CMD_ADD_TABLE;
1862 ghdr_new->version = 0;
1863 ghdr_new->reserved = 0;
1864
1865 nlattr_add_u32(nw, PF_T_NBR_ADDED, attrs.pfrio_nadd);
1866
1867 if (!nlmsg_end(nw)) {
1868 nlmsg_abort(nw);
1869 return (ENOMEM);
1870 }
1871
1872 return (0);
1873 }
1874
1875 static int
pf_handle_del_table(struct nlmsghdr * hdr,struct nl_pstate * npt)1876 pf_handle_del_table(struct nlmsghdr *hdr, struct nl_pstate *npt)
1877 {
1878 struct pfioc_table attrs = { 0 };
1879 struct nl_writer *nw = npt->nw;
1880 struct genlmsghdr *ghdr_new;
1881 int error;
1882
1883 error = nl_parse_nlmsg(hdr, &table_parser, npt, &attrs);
1884 if (error != 0)
1885 return (error);
1886
1887 PF_RULES_WLOCK();
1888 error = pfr_del_tables(&attrs.pfrio_table, 1, &attrs.pfrio_ndel,
1889 attrs.pfrio_flags | PFR_FLAG_USERIOCTL);
1890 PF_RULES_WUNLOCK();
1891 if (error != 0)
1892 return (error);
1893
1894 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
1895 return (ENOMEM);
1896
1897 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1898 ghdr_new->cmd = PFNL_CMD_ADD_TABLE;
1899 ghdr_new->version = 0;
1900 ghdr_new->reserved = 0;
1901
1902 nlattr_add_u32(nw, PF_T_NBR_DELETED, attrs.pfrio_ndel);
1903
1904 if (!nlmsg_end(nw)) {
1905 nlmsg_abort(nw);
1906 return (ENOMEM);
1907 }
1908
1909 return (0);
1910 }
1911
1912 static bool
nlattr_add_pfr_table(struct nl_writer * nw,int attrtype,struct pfr_table * t)1913 nlattr_add_pfr_table(struct nl_writer *nw, int attrtype,
1914 struct pfr_table *t)
1915 {
1916 int off = nlattr_add_nested(nw, attrtype);
1917
1918 nlattr_add_string(nw, PF_T_ANCHOR, t->pfrt_anchor);
1919 nlattr_add_string(nw, PF_T_NAME, t->pfrt_name);
1920 nlattr_add_u32(nw, PF_T_TABLE_FLAGS, t->pfrt_flags);
1921
1922 nlattr_set_len(nw, off);
1923
1924 return (true);
1925 }
1926
1927 static int
pf_handle_get_tstats(struct nlmsghdr * hdr,struct nl_pstate * npt)1928 pf_handle_get_tstats(struct nlmsghdr *hdr, struct nl_pstate *npt)
1929 {
1930 struct pfioc_table attrs = { 0 };
1931 struct nl_writer *nw = npt->nw;
1932 struct genlmsghdr *ghdr_new;
1933 struct pfr_tstats *pfrtstats;
1934 int error;
1935 int n;
1936
1937 PF_RULES_RLOCK_TRACKER;
1938
1939 error = nl_parse_nlmsg(hdr, &table_parser, npt, &attrs);
1940 if (error != 0)
1941 return (error);
1942
1943 PF_TABLE_STATS_LOCK();
1944 PF_RULES_RLOCK();
1945
1946 n = pfr_table_count(&attrs.pfrio_table, attrs.pfrio_flags);
1947 pfrtstats = mallocarray(n,
1948 sizeof(struct pfr_tstats), M_TEMP, M_NOWAIT | M_ZERO);
1949
1950 error = pfr_get_tstats(&attrs.pfrio_table, pfrtstats,
1951 &n, attrs.pfrio_flags | PFR_FLAG_USERIOCTL);
1952
1953 PF_RULES_RUNLOCK();
1954 PF_TABLE_STATS_UNLOCK();
1955
1956 if (error == 0) {
1957 hdr->nlmsg_flags |= NLM_F_MULTI;
1958
1959 for (int i = 0; i < n; i++) {
1960 uint64_t refcnt[PFR_REFCNT_MAX];
1961
1962 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr))) {
1963 error = ENOMEM;
1964 break;
1965 }
1966
1967 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
1968 ghdr_new->cmd = PFNL_CMD_GET_TSTATS;
1969 ghdr_new->version = 0;
1970 ghdr_new->reserved = 0;
1971
1972 nlattr_add_pfr_table(nw, PF_TS_TABLE,
1973 &pfrtstats[i].pfrts_t);
1974 nlattr_add_u64_array(nw, PF_TS_PACKETS,
1975 PFR_DIR_MAX * PFR_OP_TABLE_MAX,
1976 (uint64_t *)pfrtstats[i].pfrts_packets);
1977 nlattr_add_u64_array(nw, PF_TS_BYTES,
1978 PFR_DIR_MAX * PFR_OP_TABLE_MAX,
1979 (uint64_t *)pfrtstats[i].pfrts_bytes);
1980 nlattr_add_u64(nw, PF_TS_MATCH,
1981 pfrtstats[i].pfrts_match);
1982 nlattr_add_u64(nw, PF_TS_NOMATCH,
1983 pfrtstats[i].pfrts_nomatch);
1984 nlattr_add_u64(nw, PF_TS_TZERO,
1985 pfrtstats[i].pfrts_tzero);
1986 nlattr_add_u64(nw, PF_TS_CNT, pfrtstats[i].pfrts_cnt);
1987
1988 for (int j = 0; j < PFR_REFCNT_MAX; j++)
1989 refcnt[j] = pfrtstats[i].pfrts_refcnt[j];
1990
1991 nlattr_add_u64_array(nw, PF_TS_REFCNT, PFR_REFCNT_MAX,
1992 refcnt);
1993
1994 if (! nlmsg_end(nw)) {
1995 error = ENOMEM;
1996 break;
1997 }
1998 }
1999 }
2000 free(pfrtstats, M_TEMP);
2001
2002 if (!nlmsg_end_dump(npt->nw, error, hdr)) {
2003 NL_LOG(LOG_DEBUG, "Unable to finalize the dump");
2004 return (ENOMEM);
2005 }
2006
2007 return (error);
2008 }
2009
2010 static int
pf_handle_clear_tstats(struct nlmsghdr * hdr,struct nl_pstate * npt)2011 pf_handle_clear_tstats(struct nlmsghdr *hdr, struct nl_pstate *npt)
2012 {
2013 struct pfioc_table attrs = { 0 };
2014 struct nl_writer *nw = npt->nw;
2015 struct genlmsghdr *ghdr_new;
2016 int error;
2017 int nzero;
2018
2019 PF_RULES_RLOCK_TRACKER;
2020
2021 error = nl_parse_nlmsg(hdr, &table_parser, npt, &attrs);
2022 if (error != 0)
2023 return (error);
2024
2025 PF_TABLE_STATS_LOCK();
2026 PF_RULES_RLOCK();
2027 error = pfr_clr_tstats(&attrs.pfrio_table, 1,
2028 &nzero, attrs.pfrio_flags | PFR_FLAG_USERIOCTL);
2029 PF_RULES_RUNLOCK();
2030 PF_TABLE_STATS_UNLOCK();
2031
2032 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
2033 return (ENOMEM);
2034
2035 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
2036 ghdr_new->cmd = PFNL_CMD_CLR_TSTATS;
2037 ghdr_new->version = 0;
2038 ghdr_new->reserved = 0;
2039
2040 nlattr_add_u64(nw, PF_TS_NZERO, nzero);
2041
2042 if (! nlmsg_end(nw))
2043 error = ENOMEM;
2044
2045 return (error);
2046 }
2047
2048 static int
pf_handle_clear_addrs(struct nlmsghdr * hdr,struct nl_pstate * npt)2049 pf_handle_clear_addrs(struct nlmsghdr *hdr, struct nl_pstate *npt)
2050 {
2051 struct pfioc_table attrs = { 0 };
2052 struct nl_writer *nw = npt->nw;
2053 struct genlmsghdr *ghdr_new;
2054 int error;
2055 int ndel;
2056
2057 error = nl_parse_nlmsg(hdr, &table_parser, npt, &attrs);
2058 if (error != 0)
2059 return (error);
2060
2061 PF_RULES_WLOCK();
2062 error = pfr_clr_addrs(&attrs.pfrio_table, &ndel,
2063 attrs.pfrio_flags | PFR_FLAG_USERIOCTL);
2064 PF_RULES_WUNLOCK();
2065
2066 if (error)
2067 return (error);
2068
2069 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
2070 return (ENOMEM);
2071
2072 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
2073 ghdr_new->cmd = PFNL_CMD_CLR_ADDRS;
2074 ghdr_new->version = 0;
2075 ghdr_new->reserved = 0;
2076
2077 nlattr_add_u64(nw, PF_T_NBR_DELETED, ndel);
2078
2079 if (!nlmsg_end(nw))
2080 return (ENOMEM);
2081
2082 return (error);
2083 }
2084
2085 static const struct nlhdr_parser *all_parsers[] = {
2086 &state_parser,
2087 &addrule_parser,
2088 &getrules_parser,
2089 &clear_states_parser,
2090 &set_statusif_parser,
2091 &natlook_parser,
2092 &set_debug_parser,
2093 &set_timeout_parser,
2094 &set_limit_parser,
2095 &pool_addr_parser,
2096 &add_addr_parser,
2097 &ruleset_parser,
2098 &table_parser,
2099 };
2100
2101 static uint16_t family_id;
2102
2103 static const struct genl_cmd pf_cmds[] = {
2104 {
2105 .cmd_num = PFNL_CMD_GETSTATES,
2106 .cmd_name = "GETSTATES",
2107 .cmd_cb = pf_handle_getstates,
2108 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2109 .cmd_priv = PRIV_NETINET_PF,
2110 },
2111 {
2112 .cmd_num = PFNL_CMD_GETCREATORS,
2113 .cmd_name = "GETCREATORS",
2114 .cmd_cb = pf_handle_getcreators,
2115 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2116 .cmd_priv = PRIV_NETINET_PF,
2117 },
2118 {
2119 .cmd_num = PFNL_CMD_START,
2120 .cmd_name = "START",
2121 .cmd_cb = pf_handle_start,
2122 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2123 .cmd_priv = PRIV_NETINET_PF,
2124 },
2125 {
2126 .cmd_num = PFNL_CMD_STOP,
2127 .cmd_name = "STOP",
2128 .cmd_cb = pf_handle_stop,
2129 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2130 .cmd_priv = PRIV_NETINET_PF,
2131 },
2132 {
2133 .cmd_num = PFNL_CMD_ADDRULE,
2134 .cmd_name = "ADDRULE",
2135 .cmd_cb = pf_handle_addrule,
2136 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2137 .cmd_priv = PRIV_NETINET_PF,
2138 },
2139 {
2140 .cmd_num = PFNL_CMD_GETRULES,
2141 .cmd_name = "GETRULES",
2142 .cmd_cb = pf_handle_getrules,
2143 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2144 .cmd_priv = PRIV_NETINET_PF,
2145 },
2146 {
2147 .cmd_num = PFNL_CMD_GETRULE,
2148 .cmd_name = "GETRULE",
2149 .cmd_cb = pf_handle_getrule,
2150 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2151 .cmd_priv = PRIV_NETINET_PF,
2152 },
2153 {
2154 .cmd_num = PFNL_CMD_CLRSTATES,
2155 .cmd_name = "CLRSTATES",
2156 .cmd_cb = pf_handle_clear_states,
2157 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2158 .cmd_priv = PRIV_NETINET_PF,
2159 },
2160 {
2161 .cmd_num = PFNL_CMD_KILLSTATES,
2162 .cmd_name = "KILLSTATES",
2163 .cmd_cb = pf_handle_kill_states,
2164 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2165 .cmd_priv = PRIV_NETINET_PF,
2166 },
2167 {
2168 .cmd_num = PFNL_CMD_SET_STATUSIF,
2169 .cmd_name = "SETSTATUSIF",
2170 .cmd_cb = pf_handle_set_statusif,
2171 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2172 .cmd_priv = PRIV_NETINET_PF,
2173 },
2174 {
2175 .cmd_num = PFNL_CMD_GET_STATUS,
2176 .cmd_name = "GETSTATUS",
2177 .cmd_cb = pf_handle_get_status,
2178 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2179 .cmd_priv = PRIV_NETINET_PF,
2180 },
2181 {
2182 .cmd_num = PFNL_CMD_CLEAR_STATUS,
2183 .cmd_name = "CLEARSTATUS",
2184 .cmd_cb = pf_handle_clear_status,
2185 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2186 .cmd_priv = PRIV_NETINET_PF,
2187 },
2188 {
2189 .cmd_num = PFNL_CMD_NATLOOK,
2190 .cmd_name = "NATLOOK",
2191 .cmd_cb = pf_handle_natlook,
2192 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2193 .cmd_priv = PRIV_NETINET_PF,
2194 },
2195 {
2196 .cmd_num = PFNL_CMD_SET_DEBUG,
2197 .cmd_name = "SET_DEBUG",
2198 .cmd_cb = pf_handle_set_debug,
2199 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2200 .cmd_priv = PRIV_NETINET_PF,
2201 },
2202 {
2203 .cmd_num = PFNL_CMD_SET_TIMEOUT,
2204 .cmd_name = "SET_TIMEOUT",
2205 .cmd_cb = pf_handle_set_timeout,
2206 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2207 .cmd_priv = PRIV_NETINET_PF,
2208 },
2209 {
2210 .cmd_num = PFNL_CMD_GET_TIMEOUT,
2211 .cmd_name = "GET_TIMEOUT",
2212 .cmd_cb = pf_handle_get_timeout,
2213 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2214 .cmd_priv = PRIV_NETINET_PF,
2215 },
2216 {
2217 .cmd_num = PFNL_CMD_SET_LIMIT,
2218 .cmd_name = "SET_LIMIT",
2219 .cmd_cb = pf_handle_set_limit,
2220 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2221 .cmd_priv = PRIV_NETINET_PF,
2222 },
2223 {
2224 .cmd_num = PFNL_CMD_GET_LIMIT,
2225 .cmd_name = "GET_LIMIT",
2226 .cmd_cb = pf_handle_get_limit,
2227 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2228 .cmd_priv = PRIV_NETINET_PF,
2229 },
2230 {
2231 .cmd_num = PFNL_CMD_BEGIN_ADDRS,
2232 .cmd_name = "BEGIN_ADDRS",
2233 .cmd_cb = pf_handle_begin_addrs,
2234 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2235 .cmd_priv = PRIV_NETINET_PF,
2236 },
2237 {
2238 .cmd_num = PFNL_CMD_ADD_ADDR,
2239 .cmd_name = "ADD_ADDR",
2240 .cmd_cb = pf_handle_add_addr,
2241 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2242 .cmd_priv = PRIV_NETINET_PF,
2243 },
2244 {
2245 .cmd_num = PFNL_CMD_GET_ADDRS,
2246 .cmd_name = "GET_ADDRS",
2247 .cmd_cb = pf_handle_get_addrs,
2248 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2249 .cmd_priv = PRIV_NETINET_PF,
2250 },
2251 {
2252 .cmd_num = PFNL_CMD_GET_ADDR,
2253 .cmd_name = "GET_ADDRS",
2254 .cmd_cb = pf_handle_get_addr,
2255 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2256 .cmd_priv = PRIV_NETINET_PF,
2257 },
2258 {
2259 .cmd_num = PFNL_CMD_GET_RULESETS,
2260 .cmd_name = "GET_RULESETS",
2261 .cmd_cb = pf_handle_get_rulesets,
2262 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2263 .cmd_priv = PRIV_NETINET_PF,
2264 },
2265 {
2266 .cmd_num = PFNL_CMD_GET_RULESET,
2267 .cmd_name = "GET_RULESET",
2268 .cmd_cb = pf_handle_get_ruleset,
2269 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2270 .cmd_priv = PRIV_NETINET_PF,
2271 },
2272 {
2273 .cmd_num = PFNL_CMD_GET_SRCNODES,
2274 .cmd_name = "GET_SRCNODES",
2275 .cmd_cb = pf_handle_get_srcnodes,
2276 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2277 .cmd_priv = PRIV_NETINET_PF,
2278 },
2279 {
2280 .cmd_num = PFNL_CMD_CLEAR_TABLES,
2281 .cmd_name = "CLEAR_TABLES",
2282 .cmd_cb = pf_handle_clear_tables,
2283 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2284 .cmd_priv = PRIV_NETINET_PF,
2285 },
2286 {
2287 .cmd_num = PFNL_CMD_ADD_TABLE,
2288 .cmd_name = "ADD_TABLE",
2289 .cmd_cb = pf_handle_add_table,
2290 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2291 .cmd_priv = PRIV_NETINET_PF,
2292 },
2293 {
2294 .cmd_num = PFNL_CMD_DEL_TABLE,
2295 .cmd_name = "DEL_TABLE",
2296 .cmd_cb = pf_handle_del_table,
2297 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2298 .cmd_priv = PRIV_NETINET_PF,
2299 },
2300 {
2301 .cmd_num = PFNL_CMD_GET_TSTATS,
2302 .cmd_name = "GET_TSTATS",
2303 .cmd_cb = pf_handle_get_tstats,
2304 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
2305 .cmd_priv = PRIV_NETINET_PF,
2306 },
2307 {
2308 .cmd_num = PFNL_CMD_CLR_TSTATS,
2309 .cmd_name = "CLR_TSTATS",
2310 .cmd_cb = pf_handle_clear_tstats,
2311 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2312 .cmd_priv = PRIV_NETINET_PF,
2313 },
2314 {
2315 .cmd_num = PFNL_CMD_CLR_ADDRS,
2316 .cmd_name = "CRL_ADDRS",
2317 .cmd_cb = pf_handle_clear_addrs,
2318 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
2319 .cmd_priv = PRIV_NETINET_PF,
2320 },
2321 };
2322
2323 void
pf_nl_register(void)2324 pf_nl_register(void)
2325 {
2326 NL_VERIFY_PARSERS(all_parsers);
2327
2328 family_id = genl_register_family(PFNL_FAMILY_NAME, 0, 2, PFNL_CMD_MAX);
2329 genl_register_cmds(family_id, pf_cmds, nitems(pf_cmds));
2330 }
2331
2332 void
pf_nl_unregister(void)2333 pf_nl_unregister(void)
2334 {
2335 genl_unregister_family(family_id);
2336 }
2337