1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33
34 #include <sys/ioctl.h>
35 #include <sys/nv.h>
36 #include <sys/queue.h>
37 #include <sys/types.h>
38
39 #include <net/if.h>
40 #include <net/pfvar.h>
41 #include <netinet/in.h>
42
43 #include <netpfil/pf/pf_nl.h>
44 #include <netlink/netlink.h>
45 #include <netlink/netlink_generic.h>
46 #include <netlink/netlink_snl.h>
47 #include <netlink/netlink_snl_generic.h>
48 #include <netlink/netlink_snl_route.h>
49
50 #include <assert.h>
51 #include <err.h>
52 #include <errno.h>
53 #include <fcntl.h>
54 #include <stdlib.h>
55 #include <string.h>
56
57 #include "libpfctl.h"
58
59 struct pfctl_handle {
60 int fd;
61 struct snl_state ss;
62 };
63
64 const char* PFCTL_SYNCOOKIES_MODE_NAMES[] = {
65 "never",
66 "always",
67 "adaptive"
68 };
69
70 static int _pfctl_clear_states(int , const struct pfctl_kill *,
71 unsigned int *, uint64_t);
72
73 struct pfctl_handle *
pfctl_open(const char * pf_device)74 pfctl_open(const char *pf_device)
75 {
76 struct pfctl_handle *h;
77
78 h = calloc(1, sizeof(struct pfctl_handle));
79 h->fd = -1;
80
81 h->fd = open(pf_device, O_RDWR);
82 if (h->fd < 0)
83 goto error;
84
85 if (!snl_init(&h->ss, NETLINK_GENERIC))
86 goto error;
87
88 return (h);
89 error:
90 close(h->fd);
91 snl_free(&h->ss);
92 free(h);
93
94 return (NULL);
95 }
96
97 void
pfctl_close(struct pfctl_handle * h)98 pfctl_close(struct pfctl_handle *h)
99 {
100 close(h->fd);
101 snl_free(&h->ss);
102 free(h);
103 }
104
105 int
pfctl_fd(struct pfctl_handle * h)106 pfctl_fd(struct pfctl_handle *h)
107 {
108 return (h->fd);
109 }
110
111 static int
pfctl_do_netlink_cmd(struct pfctl_handle * h,uint cmd)112 pfctl_do_netlink_cmd(struct pfctl_handle *h, uint cmd)
113 {
114 struct snl_errmsg_data e = {};
115 struct snl_writer nw;
116 struct nlmsghdr *hdr;
117 uint32_t seq_id;
118 int family_id;
119
120 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
121 if (family_id == 0)
122 return (ENOTSUP);
123
124 snl_init_writer(&h->ss, &nw);
125 hdr = snl_create_genl_msg_request(&nw, family_id, cmd);
126
127 hdr = snl_finalize_msg(&nw);
128 if (hdr == NULL)
129 return (ENOMEM);
130 seq_id = hdr->nlmsg_seq;
131
132 snl_send_message(&h->ss, hdr);
133
134 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
135 }
136
137 return (e.error);
138 }
139
140 static int
pfctl_do_ioctl(int dev,uint cmd,size_t size,nvlist_t ** nvl)141 pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
142 {
143 struct pfioc_nv nv;
144 void *data;
145 size_t nvlen;
146 int ret;
147
148 data = nvlist_pack(*nvl, &nvlen);
149 if (nvlen > size)
150 size = nvlen;
151
152 retry:
153 nv.data = malloc(size);
154 if (nv.data == NULL) {
155 ret = ENOMEM;
156 goto out;
157 }
158
159 memcpy(nv.data, data, nvlen);
160
161 nv.len = nvlen;
162 nv.size = size;
163
164 ret = ioctl(dev, cmd, &nv);
165 if (ret == -1 && errno == ENOSPC) {
166 size *= 2;
167 free(nv.data);
168 goto retry;
169 }
170
171 nvlist_destroy(*nvl);
172 *nvl = NULL;
173
174 if (ret == 0) {
175 *nvl = nvlist_unpack(nv.data, nv.len, 0);
176 if (*nvl == NULL) {
177 ret = EIO;
178 goto out;
179 }
180 } else {
181 ret = errno;
182 }
183
184 out:
185 free(data);
186 free(nv.data);
187
188 return (ret);
189 }
190
191 static void
pf_nvuint_8_array(const nvlist_t * nvl,const char * name,size_t maxelems,uint8_t * numbers,size_t * nelems)192 pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems,
193 uint8_t *numbers, size_t *nelems)
194 {
195 const uint64_t *tmp;
196 size_t elems;
197
198 tmp = nvlist_get_number_array(nvl, name, &elems);
199 assert(elems <= maxelems);
200
201 for (size_t i = 0; i < elems; i++)
202 numbers[i] = tmp[i];
203
204 if (nelems)
205 *nelems = elems;
206 }
207
208 static void
pf_nvuint_16_array(const nvlist_t * nvl,const char * name,size_t maxelems,uint16_t * numbers,size_t * nelems)209 pf_nvuint_16_array(const nvlist_t *nvl, const char *name, size_t maxelems,
210 uint16_t *numbers, size_t *nelems)
211 {
212 const uint64_t *tmp;
213 size_t elems;
214
215 tmp = nvlist_get_number_array(nvl, name, &elems);
216 assert(elems <= maxelems);
217
218 for (size_t i = 0; i < elems; i++)
219 numbers[i] = tmp[i];
220
221 if (nelems)
222 *nelems = elems;
223 }
224
225 static void
pf_nvuint_32_array(const nvlist_t * nvl,const char * name,size_t maxelems,uint32_t * numbers,size_t * nelems)226 pf_nvuint_32_array(const nvlist_t *nvl, const char *name, size_t maxelems,
227 uint32_t *numbers, size_t *nelems)
228 {
229 const uint64_t *tmp;
230 size_t elems;
231
232 tmp = nvlist_get_number_array(nvl, name, &elems);
233
234 for (size_t i = 0; i < elems && i < maxelems; i++)
235 numbers[i] = tmp[i];
236
237 if (nelems)
238 *nelems = elems;
239 }
240
241 static void
pf_nvuint_64_array(const nvlist_t * nvl,const char * name,size_t maxelems,uint64_t * numbers,size_t * nelems)242 pf_nvuint_64_array(const nvlist_t *nvl, const char *name, size_t maxelems,
243 uint64_t *numbers, size_t *nelems)
244 {
245 const uint64_t *tmp;
246 size_t elems;
247
248 tmp = nvlist_get_number_array(nvl, name, &elems);
249 assert(elems <= maxelems);
250
251 for (size_t i = 0; i < elems; i++)
252 numbers[i] = tmp[i];
253
254 if (nelems)
255 *nelems = elems;
256 }
257
258 int
pfctl_startstop(struct pfctl_handle * h,int start)259 pfctl_startstop(struct pfctl_handle *h, int start)
260 {
261 return (pfctl_do_netlink_cmd(h, start ? PFNL_CMD_START : PFNL_CMD_STOP));
262 }
263
264 static void
_pfctl_get_status_counters(const nvlist_t * nvl,struct pfctl_status_counters * counters)265 _pfctl_get_status_counters(const nvlist_t *nvl,
266 struct pfctl_status_counters *counters)
267 {
268 const uint64_t *ids, *counts;
269 const char *const *names;
270 size_t id_len, counter_len, names_len;
271
272 ids = nvlist_get_number_array(nvl, "ids", &id_len);
273 counts = nvlist_get_number_array(nvl, "counters", &counter_len);
274 names = nvlist_get_string_array(nvl, "names", &names_len);
275 assert(id_len == counter_len);
276 assert(counter_len == names_len);
277
278 TAILQ_INIT(counters);
279
280 for (size_t i = 0; i < id_len; i++) {
281 struct pfctl_status_counter *c;
282
283 c = malloc(sizeof(*c));
284 if (c == NULL)
285 continue;
286
287 c->id = ids[i];
288 c->counter = counts[i];
289 c->name = strdup(names[i]);
290
291 TAILQ_INSERT_TAIL(counters, c, entry);
292 }
293 }
294
295 #define _OUT(_field) offsetof(struct pfctl_status_counter, _field)
296 static const struct snl_attr_parser ap_counter[] = {
297 { .type = PF_C_COUNTER, .off = _OUT(counter), .cb = snl_attr_get_uint64 },
298 { .type = PF_C_NAME, .off = _OUT(name), .cb = snl_attr_get_string },
299 { .type = PF_C_ID, .off = _OUT(id), .cb = snl_attr_get_uint32 },
300 };
301 SNL_DECLARE_ATTR_PARSER(counter_parser, ap_counter);
302 #undef _OUT
303
304 static bool
snl_attr_get_counters(struct snl_state * ss,struct nlattr * nla,const void * arg __unused,void * target)305 snl_attr_get_counters(struct snl_state *ss, struct nlattr *nla,
306 const void *arg __unused, void *target)
307 {
308 struct pfctl_status_counter counter = {};
309 struct pfctl_status_counter *c;
310 bool error;
311
312 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &counter_parser, &counter);
313 if (! error)
314 return (error);
315
316 c = malloc(sizeof(*c));
317 if (c == NULL)
318 return (false);
319
320 c->id = counter.id;
321 c->counter = counter.counter;
322 c->name = strdup(counter.name);
323
324 TAILQ_INSERT_TAIL((struct pfctl_status_counters *)target, c, entry);
325
326 return (error);
327 }
328
329 struct snl_uint64_array {
330 uint64_t *array;
331 size_t count;
332 size_t max;
333 };
334 static bool
snl_attr_get_uint64_element(struct snl_state * ss,struct nlattr * nla,const void * arg,void * target)335 snl_attr_get_uint64_element(struct snl_state *ss, struct nlattr *nla,
336 const void *arg, void *target)
337 {
338 bool error;
339 uint64_t value;
340 struct snl_uint64_array *t = (struct snl_uint64_array *)target;
341
342 if (t->count >= t->max)
343 return (false);
344
345 error = snl_attr_get_uint64(ss, nla, arg, &value);
346 if (! error)
347 return (error);
348
349 t->array[t->count++] = value;
350
351 return (true);
352 }
353
354 static const struct snl_attr_parser ap_array[] = {
355 { .cb = snl_attr_get_uint64_element },
356 };
357 SNL_DECLARE_ATTR_PARSER(array_parser, ap_array);
358 static bool
snl_attr_get_uint64_array(struct snl_state * ss,struct nlattr * nla,const void * arg,void * target)359 snl_attr_get_uint64_array(struct snl_state *ss, struct nlattr *nla,
360 const void *arg, void *target)
361 {
362 struct snl_uint64_array a = {
363 .array = target,
364 .count = 0,
365 .max = (size_t)arg,
366 };
367 bool error;
368
369 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &array_parser, &a);
370 if (! error)
371 return (error);
372
373 return (true);
374 }
375
376 #define _OUT(_field) offsetof(struct pfctl_status, _field)
377 static const struct snl_attr_parser ap_getstatus[] = {
378 { .type = PF_GS_IFNAME, .off = _OUT(ifname), .arg_u32 = IFNAMSIZ, .cb = snl_attr_copy_string },
379 { .type = PF_GS_RUNNING, .off = _OUT(running), .cb = snl_attr_get_bool },
380 { .type = PF_GS_SINCE, .off = _OUT(since), .cb = snl_attr_get_uint32 },
381 { .type = PF_GS_DEBUG, .off = _OUT(debug), .cb = snl_attr_get_uint32 },
382 { .type = PF_GS_HOSTID, .off = _OUT(hostid), .cb = snl_attr_get_uint32 },
383 { .type = PF_GS_STATES, .off = _OUT(states), .cb = snl_attr_get_uint32 },
384 { .type = PF_GS_SRC_NODES, .off = _OUT(src_nodes), .cb = snl_attr_get_uint32 },
385 { .type = PF_GS_REASSEMBLE, .off = _OUT(reass), .cb = snl_attr_get_uint32 },
386 { .type = PF_GS_SYNCOOKIES_ACTIVE, .off = _OUT(syncookies_active), .cb = snl_attr_get_uint32 },
387 { .type = PF_GS_COUNTERS, .off = _OUT(counters), .cb = snl_attr_get_counters },
388 { .type = PF_GS_LCOUNTERS, .off = _OUT(lcounters), .cb = snl_attr_get_counters },
389 { .type = PF_GS_FCOUNTERS, .off = _OUT(fcounters), .cb = snl_attr_get_counters },
390 { .type = PF_GS_SCOUNTERS, .off = _OUT(scounters), .cb = snl_attr_get_counters },
391 { .type = PF_GS_CHKSUM, .off = _OUT(pf_chksum), .arg_u32 = PF_MD5_DIGEST_LENGTH, .cb = snl_attr_get_bytes },
392 { .type = PF_GS_BCOUNTERS, .off = _OUT(bcounters), .arg_u32 = 2 * 2, .cb = snl_attr_get_uint64_array },
393 { .type = PF_GS_PCOUNTERS, .off = _OUT(pcounters), .arg_u32 = 2 * 2 * 2, .cb = snl_attr_get_uint64_array },
394 { .type = PF_GS_NCOUNTERS, .off = _OUT(ncounters), .cb = snl_attr_get_counters },
395 { .type = PF_GS_FRAGMENTS, .off = _OUT(fragments), .cb = snl_attr_get_uint64 },
396 };
397 SNL_DECLARE_PARSER(getstatus_parser, struct genlmsghdr, snl_f_p_empty, ap_getstatus);
398 #undef _OUT
399
400 struct pfctl_status *
pfctl_get_status_h(struct pfctl_handle * h)401 pfctl_get_status_h(struct pfctl_handle *h)
402 {
403 struct pfctl_status *status;
404 struct snl_errmsg_data e = {};
405 struct nlmsghdr *hdr;
406 struct snl_writer nw;
407 uint32_t seq_id;
408 int family_id;
409
410 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
411 if (family_id == 0)
412 return (NULL);
413
414 snl_init_writer(&h->ss, &nw);
415 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_STATUS);
416 hdr->nlmsg_flags |= NLM_F_DUMP;
417
418 hdr = snl_finalize_msg(&nw);
419 if (hdr == NULL) {
420 return (NULL);
421 }
422
423 seq_id = hdr->nlmsg_seq;
424 if (! snl_send_message(&h->ss, hdr))
425 return (NULL);
426
427 status = calloc(1, sizeof(*status));
428 if (status == NULL)
429 return (NULL);
430 TAILQ_INIT(&status->counters);
431 TAILQ_INIT(&status->lcounters);
432 TAILQ_INIT(&status->fcounters);
433 TAILQ_INIT(&status->scounters);
434 TAILQ_INIT(&status->ncounters);
435
436 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
437 if (! snl_parse_nlmsg(&h->ss, hdr, &getstatus_parser, status))
438 continue;
439 }
440
441 return (status);
442 }
443
444 struct pfctl_status *
pfctl_get_status(int dev)445 pfctl_get_status(int dev)
446 {
447 struct pfctl_status *status;
448 nvlist_t *nvl;
449 size_t len;
450 const void *chksum;
451
452 status = calloc(1, sizeof(*status));
453 if (status == NULL)
454 return (NULL);
455
456 nvl = nvlist_create(0);
457
458 if (pfctl_do_ioctl(dev, DIOCGETSTATUSNV, 4096, &nvl)) {
459 nvlist_destroy(nvl);
460 free(status);
461 return (NULL);
462 }
463
464 status->running = nvlist_get_bool(nvl, "running");
465 status->since = nvlist_get_number(nvl, "since");
466 status->debug = nvlist_get_number(nvl, "debug");
467 status->hostid = ntohl(nvlist_get_number(nvl, "hostid"));
468 status->states = nvlist_get_number(nvl, "states");
469 status->src_nodes = nvlist_get_number(nvl, "src_nodes");
470 status->syncookies_active = nvlist_get_bool(nvl, "syncookies_active");
471 status->reass = nvlist_get_number(nvl, "reass");
472
473 strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"),
474 IFNAMSIZ);
475 chksum = nvlist_get_binary(nvl, "chksum", &len);
476 assert(len == PF_MD5_DIGEST_LENGTH);
477 memcpy(status->pf_chksum, chksum, len);
478
479 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "counters"),
480 &status->counters);
481 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "lcounters"),
482 &status->lcounters);
483 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "fcounters"),
484 &status->fcounters);
485 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "scounters"),
486 &status->scounters);
487
488 pf_nvuint_64_array(nvl, "pcounters", 2 * 2 * 2,
489 (uint64_t *)status->pcounters, NULL);
490 pf_nvuint_64_array(nvl, "bcounters", 2 * 2,
491 (uint64_t *)status->bcounters, NULL);
492
493 nvlist_destroy(nvl);
494
495 return (status);
496 }
497 int
pfctl_clear_status(struct pfctl_handle * h)498 pfctl_clear_status(struct pfctl_handle *h)
499 {
500 return (pfctl_do_netlink_cmd(h, PFNL_CMD_CLEAR_STATUS));
501 }
502
503 static uint64_t
_pfctl_status_counter(struct pfctl_status_counters * counters,uint64_t id)504 _pfctl_status_counter(struct pfctl_status_counters *counters, uint64_t id)
505 {
506 struct pfctl_status_counter *c;
507
508 TAILQ_FOREACH(c, counters, entry) {
509 if (c->id == id)
510 return (c->counter);
511 }
512
513 return (0);
514 }
515
516 uint64_t
pfctl_status_counter(struct pfctl_status * status,int id)517 pfctl_status_counter(struct pfctl_status *status, int id)
518 {
519 return (_pfctl_status_counter(&status->counters, id));
520 }
521
522 uint64_t
pfctl_status_lcounter(struct pfctl_status * status,int id)523 pfctl_status_lcounter(struct pfctl_status *status, int id)
524 {
525 return (_pfctl_status_counter(&status->lcounters, id));
526 }
527
528 uint64_t
pfctl_status_fcounter(struct pfctl_status * status,int id)529 pfctl_status_fcounter(struct pfctl_status *status, int id)
530 {
531 return (_pfctl_status_counter(&status->fcounters, id));
532 }
533
534 uint64_t
pfctl_status_scounter(struct pfctl_status * status,int id)535 pfctl_status_scounter(struct pfctl_status *status, int id)
536 {
537 return (_pfctl_status_counter(&status->scounters, id));
538 }
539
540 void
pfctl_free_status(struct pfctl_status * status)541 pfctl_free_status(struct pfctl_status *status)
542 {
543 struct pfctl_status_counter *c, *tmp;
544
545 if (status == NULL)
546 return;
547
548 TAILQ_FOREACH_SAFE(c, &status->counters, entry, tmp) {
549 free(c->name);
550 free(c);
551 }
552 TAILQ_FOREACH_SAFE(c, &status->lcounters, entry, tmp) {
553 free(c->name);
554 free(c);
555 }
556 TAILQ_FOREACH_SAFE(c, &status->fcounters, entry, tmp) {
557 free(c->name);
558 free(c);
559 }
560 TAILQ_FOREACH_SAFE(c, &status->scounters, entry, tmp) {
561 free(c->name);
562 free(c);
563 }
564
565 free(status);
566 }
567
568 static void
pfctl_nv_add_addr(nvlist_t * nvparent,const char * name,const struct pf_addr * addr)569 pfctl_nv_add_addr(nvlist_t *nvparent, const char *name,
570 const struct pf_addr *addr)
571 {
572 nvlist_t *nvl = nvlist_create(0);
573
574 nvlist_add_binary(nvl, "addr", addr, sizeof(*addr));
575
576 nvlist_add_nvlist(nvparent, name, nvl);
577 nvlist_destroy(nvl);
578 }
579
580 static void
pf_nvaddr_to_addr(const nvlist_t * nvl,struct pf_addr * addr)581 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr)
582 {
583 size_t len;
584 const void *data;
585
586 data = nvlist_get_binary(nvl, "addr", &len);
587 assert(len == sizeof(struct pf_addr));
588 memcpy(addr, data, len);
589 }
590
591 static void
pfctl_nv_add_addr_wrap(nvlist_t * nvparent,const char * name,const struct pf_addr_wrap * addr)592 pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name,
593 const struct pf_addr_wrap *addr)
594 {
595 nvlist_t *nvl = nvlist_create(0);
596
597 nvlist_add_number(nvl, "type", addr->type);
598 nvlist_add_number(nvl, "iflags", addr->iflags);
599 if (addr->type == PF_ADDR_DYNIFTL)
600 nvlist_add_string(nvl, "ifname", addr->v.ifname);
601 if (addr->type == PF_ADDR_TABLE)
602 nvlist_add_string(nvl, "tblname", addr->v.tblname);
603 pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);
604 pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask);
605
606 nvlist_add_nvlist(nvparent, name, nvl);
607 nvlist_destroy(nvl);
608 }
609
610 static void
pf_nvaddr_wrap_to_addr_wrap(const nvlist_t * nvl,struct pf_addr_wrap * addr)611 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
612 {
613 bzero(addr, sizeof(*addr));
614
615 addr->type = nvlist_get_number(nvl, "type");
616 addr->iflags = nvlist_get_number(nvl, "iflags");
617 if (addr->type == PF_ADDR_DYNIFTL) {
618 strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"),
619 IFNAMSIZ);
620 addr->p.dyncnt = nvlist_get_number(nvl, "dyncnt");
621 }
622 if (addr->type == PF_ADDR_TABLE) {
623 strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"),
624 PF_TABLE_NAME_SIZE);
625 addr->p.tblcnt = nvlist_get_number(nvl, "tblcnt");
626 }
627
628 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr);
629 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask);
630 }
631
632 static void
pfctl_nv_add_rule_addr(nvlist_t * nvparent,const char * name,const struct pf_rule_addr * addr)633 pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name,
634 const struct pf_rule_addr *addr)
635 {
636 uint64_t ports[2];
637 nvlist_t *nvl = nvlist_create(0);
638
639 pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr);
640 ports[0] = addr->port[0];
641 ports[1] = addr->port[1];
642 nvlist_add_number_array(nvl, "port", ports, 2);
643 nvlist_add_number(nvl, "neg", addr->neg);
644 nvlist_add_number(nvl, "port_op", addr->port_op);
645
646 nvlist_add_nvlist(nvparent, name, nvl);
647 nvlist_destroy(nvl);
648 }
649
650 static void
pf_nvrule_addr_to_rule_addr(const nvlist_t * nvl,struct pf_rule_addr * addr)651 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
652 {
653 pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"), &addr->addr);
654
655 pf_nvuint_16_array(nvl, "port", 2, addr->port, NULL);
656 addr->neg = nvlist_get_number(nvl, "neg");
657 addr->port_op = nvlist_get_number(nvl, "port_op");
658 }
659
660 static void
pf_nvmape_to_mape(const nvlist_t * nvl,struct pf_mape_portset * mape)661 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape)
662 {
663 mape->offset = nvlist_get_number(nvl, "offset");
664 mape->psidlen = nvlist_get_number(nvl, "psidlen");
665 mape->psid = nvlist_get_number(nvl, "psid");
666 }
667
668 static void
pf_nvpool_to_pool(const nvlist_t * nvl,struct pfctl_pool * pool)669 pf_nvpool_to_pool(const nvlist_t *nvl, struct pfctl_pool *pool)
670 {
671 size_t len;
672 const void *data;
673
674 data = nvlist_get_binary(nvl, "key", &len);
675 assert(len == sizeof(pool->key));
676 memcpy(&pool->key, data, len);
677
678 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"), &pool->counter);
679
680 pool->tblidx = nvlist_get_number(nvl, "tblidx");
681 pf_nvuint_16_array(nvl, "proxy_port", 2, pool->proxy_port, NULL);
682 pool->opts = nvlist_get_number(nvl, "opts");
683
684 if (nvlist_exists_nvlist(nvl, "mape"))
685 pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"), &pool->mape);
686 }
687
688 static void
pf_nvrule_uid_to_rule_uid(const nvlist_t * nvl,struct pf_rule_uid * uid)689 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
690 {
691 pf_nvuint_32_array(nvl, "uid", 2, uid->uid, NULL);
692 uid->op = nvlist_get_number(nvl, "op");
693 }
694
695 static void
pf_nvdivert_to_divert(const nvlist_t * nvl,struct pfctl_rule * rule)696 pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule)
697 {
698 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr);
699 rule->divert.port = nvlist_get_number(nvl, "port");
700 }
701
702 static void
pf_nvrule_to_rule(const nvlist_t * nvl,struct pfctl_rule * rule)703 pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule)
704 {
705 const uint64_t *skip;
706 const char *const *labels;
707 size_t skipcount, labelcount;
708
709 rule->nr = nvlist_get_number(nvl, "nr");
710
711 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"), &rule->src);
712 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &rule->dst);
713
714 skip = nvlist_get_number_array(nvl, "skip", &skipcount);
715 assert(skip);
716 assert(skipcount == PF_SKIP_COUNT);
717 for (int i = 0; i < PF_SKIP_COUNT; i++)
718 rule->skip[i].nr = skip[i];
719
720 labels = nvlist_get_string_array(nvl, "labels", &labelcount);
721 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT);
722 for (size_t i = 0; i < labelcount; i++)
723 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE);
724 rule->ridentifier = nvlist_get_number(nvl, "ridentifier");
725 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
726 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE);
727 strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE);
728 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"),
729 PF_TAG_NAME_SIZE);
730 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"),
731 PF_TAG_NAME_SIZE);
732
733 strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"),
734 PF_TABLE_NAME_SIZE);
735
736 pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rdr);
737
738 rule->evaluations = nvlist_get_number(nvl, "evaluations");
739 pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL);
740 pf_nvuint_64_array(nvl, "bytes", 2, rule->bytes, NULL);
741
742 if (nvlist_exists_number(nvl, "timestamp")) {
743 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp");
744 }
745
746 rule->os_fingerprint = nvlist_get_number(nvl, "os_fingerprint");
747
748 rule->rtableid = nvlist_get_number(nvl, "rtableid");
749 pf_nvuint_32_array(nvl, "timeout", PFTM_MAX, rule->timeout, NULL);
750 rule->max_states = nvlist_get_number(nvl, "max_states");
751 rule->max_src_nodes = nvlist_get_number(nvl, "max_src_nodes");
752 rule->max_src_states = nvlist_get_number(nvl, "max_src_states");
753 rule->max_src_conn = nvlist_get_number(nvl, "max_src_conn");
754 rule->max_src_conn_rate.limit =
755 nvlist_get_number(nvl, "max_src_conn_rate.limit");
756 rule->max_src_conn_rate.seconds =
757 nvlist_get_number(nvl, "max_src_conn_rate.seconds");
758 rule->qid = nvlist_get_number(nvl, "qid");
759 rule->pqid = nvlist_get_number(nvl, "pqid");
760 rule->dnpipe = nvlist_get_number(nvl, "dnpipe");
761 rule->dnrpipe = nvlist_get_number(nvl, "dnrpipe");
762 rule->free_flags = nvlist_get_number(nvl, "dnflags");
763 rule->prob = nvlist_get_number(nvl, "prob");
764 rule->cuid = nvlist_get_number(nvl, "cuid");
765 rule->cpid = nvlist_get_number(nvl, "cpid");
766
767 rule->return_icmp = nvlist_get_number(nvl, "return_icmp");
768 rule->return_icmp6 = nvlist_get_number(nvl, "return_icmp6");
769 rule->max_mss = nvlist_get_number(nvl, "max_mss");
770 rule->scrub_flags = nvlist_get_number(nvl, "scrub_flags");
771
772 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"), &rule->uid);
773 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "gid"),
774 (struct pf_rule_uid *)&rule->gid);
775
776 rule->rule_flag = nvlist_get_number(nvl, "rule_flag");
777 rule->action = nvlist_get_number(nvl, "action");
778 rule->direction = nvlist_get_number(nvl, "direction");
779 rule->log = nvlist_get_number(nvl, "log");
780 rule->logif = nvlist_get_number(nvl, "logif");
781 rule->quick = nvlist_get_number(nvl, "quick");
782 rule->ifnot = nvlist_get_number(nvl, "ifnot");
783 rule->match_tag_not = nvlist_get_number(nvl, "match_tag_not");
784 rule->natpass = nvlist_get_number(nvl, "natpass");
785
786 rule->keep_state = nvlist_get_number(nvl, "keep_state");
787 rule->af = nvlist_get_number(nvl, "af");
788 rule->proto = nvlist_get_number(nvl, "proto");
789 rule->type = nvlist_get_number(nvl, "type");
790 rule->code = nvlist_get_number(nvl, "code");
791 rule->flags = nvlist_get_number(nvl, "flags");
792 rule->flagset = nvlist_get_number(nvl, "flagset");
793 rule->min_ttl = nvlist_get_number(nvl, "min_ttl");
794 rule->allow_opts = nvlist_get_number(nvl, "allow_opts");
795 rule->rt = nvlist_get_number(nvl, "rt");
796 rule->return_ttl = nvlist_get_number(nvl, "return_ttl");
797 rule->tos = nvlist_get_number(nvl, "tos");
798 rule->set_tos = nvlist_get_number(nvl, "set_tos");
799 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative");
800 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard");
801
802 rule->flush = nvlist_get_number(nvl, "flush");
803 rule->prio = nvlist_get_number(nvl, "prio");
804 pf_nvuint_8_array(nvl, "set_prio", 2, rule->set_prio, NULL);
805
806 pf_nvdivert_to_divert(nvlist_get_nvlist(nvl, "divert"), rule);
807
808 rule->states_cur = nvlist_get_number(nvl, "states_cur");
809 rule->states_tot = nvlist_get_number(nvl, "states_tot");
810 rule->src_nodes = nvlist_get_number(nvl, "src_nodes");
811 }
812
813 static void
pfctl_nveth_addr_to_eth_addr(const nvlist_t * nvl,struct pfctl_eth_addr * addr)814 pfctl_nveth_addr_to_eth_addr(const nvlist_t *nvl, struct pfctl_eth_addr *addr)
815 {
816 static const u_int8_t EMPTY_MAC[ETHER_ADDR_LEN] = { 0 };
817 size_t len;
818 const void *data;
819
820 data = nvlist_get_binary(nvl, "addr", &len);
821 assert(len == sizeof(addr->addr));
822 memcpy(addr->addr, data, sizeof(addr->addr));
823
824 data = nvlist_get_binary(nvl, "mask", &len);
825 assert(len == sizeof(addr->mask));
826 memcpy(addr->mask, data, sizeof(addr->mask));
827
828 addr->neg = nvlist_get_bool(nvl, "neg");
829
830 /* To make checks for 'is this address set?' easier. */
831 addr->isset = memcmp(addr->addr, EMPTY_MAC, ETHER_ADDR_LEN) != 0;
832 }
833
834 static nvlist_t *
pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr * addr)835 pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr *addr)
836 {
837 nvlist_t *nvl;
838
839 nvl = nvlist_create(0);
840 if (nvl == NULL)
841 return (NULL);
842
843 nvlist_add_bool(nvl, "neg", addr->neg);
844 nvlist_add_binary(nvl, "addr", &addr->addr, ETHER_ADDR_LEN);
845 nvlist_add_binary(nvl, "mask", &addr->mask, ETHER_ADDR_LEN);
846
847 return (nvl);
848 }
849
850 static void
pfctl_nveth_rule_to_eth_rule(const nvlist_t * nvl,struct pfctl_eth_rule * rule)851 pfctl_nveth_rule_to_eth_rule(const nvlist_t *nvl, struct pfctl_eth_rule *rule)
852 {
853 const char *const *labels;
854 size_t labelcount, i;
855
856 rule->nr = nvlist_get_number(nvl, "nr");
857 rule->quick = nvlist_get_bool(nvl, "quick");
858 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
859 rule->ifnot = nvlist_get_bool(nvl, "ifnot");
860 rule->direction = nvlist_get_number(nvl, "direction");
861 rule->proto = nvlist_get_number(nvl, "proto");
862 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"),
863 PF_TAG_NAME_SIZE);
864 rule->match_tag = nvlist_get_number(nvl, "match_tag");
865 rule->match_tag_not = nvlist_get_bool(nvl, "match_tag_not");
866
867 labels = nvlist_get_string_array(nvl, "labels", &labelcount);
868 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT);
869 for (i = 0; i < labelcount; i++)
870 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE);
871 rule->ridentifier = nvlist_get_number(nvl, "ridentifier");
872
873 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "src"),
874 &rule->src);
875 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "dst"),
876 &rule->dst);
877
878 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipsrc"),
879 &rule->ipsrc);
880 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipdst"),
881 &rule->ipdst);
882
883 rule->evaluations = nvlist_get_number(nvl, "evaluations");
884 rule->packets[0] = nvlist_get_number(nvl, "packets-in");
885 rule->packets[1] = nvlist_get_number(nvl, "packets-out");
886 rule->bytes[0] = nvlist_get_number(nvl, "bytes-in");
887 rule->bytes[1] = nvlist_get_number(nvl, "bytes-out");
888
889 if (nvlist_exists_number(nvl, "timestamp")) {
890 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp");
891 }
892
893 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE);
894 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"),
895 PF_TAG_NAME_SIZE);
896
897 rule->dnpipe = nvlist_get_number(nvl, "dnpipe");
898 rule->dnflags = nvlist_get_number(nvl, "dnflags");
899
900 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative");
901 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard");
902
903 strlcpy(rule->bridge_to, nvlist_get_string(nvl, "bridge_to"),
904 IFNAMSIZ);
905
906 rule->action = nvlist_get_number(nvl, "action");
907 }
908
909 int
pfctl_get_eth_rulesets_info(int dev,struct pfctl_eth_rulesets_info * ri,const char * path)910 pfctl_get_eth_rulesets_info(int dev, struct pfctl_eth_rulesets_info *ri,
911 const char *path)
912 {
913 nvlist_t *nvl;
914 int ret;
915
916 bzero(ri, sizeof(*ri));
917
918 nvl = nvlist_create(0);
919 nvlist_add_string(nvl, "path", path);
920
921 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESETS, 256, &nvl)) != 0)
922 goto out;
923
924 ri->nr = nvlist_get_number(nvl, "nr");
925
926 out:
927 nvlist_destroy(nvl);
928 return (ret);
929 }
930
931 int
pfctl_get_eth_ruleset(int dev,const char * path,int nr,struct pfctl_eth_ruleset_info * ri)932 pfctl_get_eth_ruleset(int dev, const char *path, int nr,
933 struct pfctl_eth_ruleset_info *ri)
934 {
935 nvlist_t *nvl;
936 int ret;
937
938 bzero(ri, sizeof(*ri));
939
940 nvl = nvlist_create(0);
941 nvlist_add_string(nvl, "path", path);
942 nvlist_add_number(nvl, "nr", nr);
943
944 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESET, 1024, &nvl)) != 0)
945 goto out;
946
947 ri->nr = nvlist_get_number(nvl, "nr");
948 strlcpy(ri->path, nvlist_get_string(nvl, "path"), MAXPATHLEN);
949 strlcpy(ri->name, nvlist_get_string(nvl, "name"),
950 PF_ANCHOR_NAME_SIZE);
951
952 out:
953 nvlist_destroy(nvl);
954 return (ret);
955 }
956
957 int
pfctl_get_eth_rules_info(int dev,struct pfctl_eth_rules_info * rules,const char * path)958 pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
959 const char *path)
960 {
961 nvlist_t *nvl;
962 int ret;
963
964 bzero(rules, sizeof(*rules));
965
966 nvl = nvlist_create(0);
967 nvlist_add_string(nvl, "anchor", path);
968
969 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULES, 1024, &nvl)) != 0)
970 goto out;
971
972 rules->nr = nvlist_get_number(nvl, "nr");
973 rules->ticket = nvlist_get_number(nvl, "ticket");
974
975 out:
976 nvlist_destroy(nvl);
977 return (ret);
978 }
979
980 int
pfctl_get_eth_rule(int dev,uint32_t nr,uint32_t ticket,const char * path,struct pfctl_eth_rule * rule,bool clear,char * anchor_call)981 pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
982 const char *path, struct pfctl_eth_rule *rule, bool clear,
983 char *anchor_call)
984 {
985 nvlist_t *nvl;
986 int ret;
987
988 nvl = nvlist_create(0);
989
990 nvlist_add_string(nvl, "anchor", path);
991 nvlist_add_number(nvl, "ticket", ticket);
992 nvlist_add_number(nvl, "nr", nr);
993 nvlist_add_bool(nvl, "clear", clear);
994
995 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULE, 4096, &nvl)) != 0)
996 goto out;
997
998 pfctl_nveth_rule_to_eth_rule(nvl, rule);
999
1000 if (anchor_call)
1001 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"),
1002 MAXPATHLEN);
1003
1004 out:
1005 nvlist_destroy(nvl);
1006 return (ret);
1007 }
1008
1009 int
pfctl_add_eth_rule(int dev,const struct pfctl_eth_rule * r,const char * anchor,const char * anchor_call,uint32_t ticket)1010 pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, const char *anchor,
1011 const char *anchor_call, uint32_t ticket)
1012 {
1013 struct pfioc_nv nv;
1014 nvlist_t *nvl, *addr;
1015 void *packed;
1016 int error = 0;
1017 size_t labelcount, size;
1018
1019 nvl = nvlist_create(0);
1020
1021 nvlist_add_number(nvl, "ticket", ticket);
1022 nvlist_add_string(nvl, "anchor", anchor);
1023 nvlist_add_string(nvl, "anchor_call", anchor_call);
1024
1025 nvlist_add_number(nvl, "nr", r->nr);
1026 nvlist_add_bool(nvl, "quick", r->quick);
1027 nvlist_add_string(nvl, "ifname", r->ifname);
1028 nvlist_add_bool(nvl, "ifnot", r->ifnot);
1029 nvlist_add_number(nvl, "direction", r->direction);
1030 nvlist_add_number(nvl, "proto", r->proto);
1031 nvlist_add_string(nvl, "match_tagname", r->match_tagname);
1032 nvlist_add_bool(nvl, "match_tag_not", r->match_tag_not);
1033
1034 addr = pfctl_eth_addr_to_nveth_addr(&r->src);
1035 if (addr == NULL) {
1036 nvlist_destroy(nvl);
1037 return (ENOMEM);
1038 }
1039 nvlist_add_nvlist(nvl, "src", addr);
1040 nvlist_destroy(addr);
1041
1042 addr = pfctl_eth_addr_to_nveth_addr(&r->dst);
1043 if (addr == NULL) {
1044 nvlist_destroy(nvl);
1045 return (ENOMEM);
1046 }
1047 nvlist_add_nvlist(nvl, "dst", addr);
1048 nvlist_destroy(addr);
1049
1050 pfctl_nv_add_rule_addr(nvl, "ipsrc", &r->ipsrc);
1051 pfctl_nv_add_rule_addr(nvl, "ipdst", &r->ipdst);
1052
1053 labelcount = 0;
1054 while (labelcount < PF_RULE_MAX_LABEL_COUNT &&
1055 r->label[labelcount][0] != 0) {
1056 nvlist_append_string_array(nvl, "labels",
1057 r->label[labelcount]);
1058 labelcount++;
1059 }
1060 nvlist_add_number(nvl, "ridentifier", r->ridentifier);
1061
1062 nvlist_add_string(nvl, "qname", r->qname);
1063 nvlist_add_string(nvl, "tagname", r->tagname);
1064 nvlist_add_number(nvl, "dnpipe", r->dnpipe);
1065 nvlist_add_number(nvl, "dnflags", r->dnflags);
1066
1067 nvlist_add_string(nvl, "bridge_to", r->bridge_to);
1068
1069 nvlist_add_number(nvl, "action", r->action);
1070
1071 packed = nvlist_pack(nvl, &size);
1072 if (packed == NULL) {
1073 nvlist_destroy(nvl);
1074 return (ENOMEM);
1075 }
1076
1077 nv.len = size;
1078 nv.size = size;
1079 nv.data = packed;
1080
1081 if (ioctl(dev, DIOCADDETHRULE, &nv) != 0)
1082 error = errno;
1083
1084 free(packed);
1085 nvlist_destroy(nvl);
1086
1087 return (error);
1088 }
1089
1090 static void
snl_add_msg_attr_addr_wrap(struct snl_writer * nw,uint32_t type,const struct pf_addr_wrap * addr)1091 snl_add_msg_attr_addr_wrap(struct snl_writer *nw, uint32_t type, const struct pf_addr_wrap *addr)
1092 {
1093 int off;
1094
1095 off = snl_add_msg_attr_nested(nw, type);
1096
1097 snl_add_msg_attr_ip6(nw, PF_AT_ADDR, &addr->v.a.addr.v6);
1098 snl_add_msg_attr_ip6(nw, PF_AT_MASK, &addr->v.a.mask.v6);
1099
1100 if (addr->type == PF_ADDR_DYNIFTL)
1101 snl_add_msg_attr_string(nw, PF_AT_IFNAME, addr->v.ifname);
1102 if (addr->type == PF_ADDR_TABLE)
1103 snl_add_msg_attr_string(nw, PF_AT_TABLENAME, addr->v.tblname);
1104 snl_add_msg_attr_u8(nw, PF_AT_TYPE, addr->type);
1105 snl_add_msg_attr_u8(nw, PF_AT_IFLAGS, addr->iflags);
1106
1107 snl_end_attr_nested(nw, off);
1108 }
1109
1110 static void
snl_add_msg_attr_pool_addr(struct snl_writer * nw,uint32_t type,const struct pf_pooladdr * pa)1111 snl_add_msg_attr_pool_addr(struct snl_writer *nw, uint32_t type, const struct pf_pooladdr *pa)
1112 {
1113 int off;
1114
1115 off = snl_add_msg_attr_nested(nw, type);
1116
1117 snl_add_msg_attr_string(nw, PF_PA_IFNAME, pa->ifname);
1118 snl_add_msg_attr_addr_wrap(nw, PF_PA_ADDR, &pa->addr);
1119
1120 snl_end_attr_nested(nw, off);
1121 }
1122
1123 static void
snl_add_msg_attr_rule_addr(struct snl_writer * nw,uint32_t type,const struct pf_rule_addr * addr)1124 snl_add_msg_attr_rule_addr(struct snl_writer *nw, uint32_t type, const struct pf_rule_addr *addr)
1125 {
1126 int off;
1127
1128 off = snl_add_msg_attr_nested(nw, type);
1129
1130 snl_add_msg_attr_addr_wrap(nw, PF_RAT_ADDR, &addr->addr);
1131 snl_add_msg_attr_u16(nw, PF_RAT_SRC_PORT, addr->port[0]);
1132 snl_add_msg_attr_u16(nw, PF_RAT_DST_PORT, addr->port[1]);
1133 snl_add_msg_attr_u8(nw, PF_RAT_NEG, addr->neg);
1134 snl_add_msg_attr_u8(nw, PF_RAT_OP, addr->port_op);
1135
1136 snl_end_attr_nested(nw, off);
1137 }
1138
1139 static void
snl_add_msg_attr_rule_labels(struct snl_writer * nw,uint32_t type,const char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE])1140 snl_add_msg_attr_rule_labels(struct snl_writer *nw, uint32_t type, const char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE])
1141 {
1142 int off, i = 0;
1143
1144 off = snl_add_msg_attr_nested(nw, type);
1145
1146 while (i < PF_RULE_MAX_LABEL_COUNT &&
1147 labels[i][0] != 0) {
1148 snl_add_msg_attr_string(nw, PF_LT_LABEL, labels[i]);
1149 i++;
1150 }
1151
1152 snl_end_attr_nested(nw, off);
1153 }
1154
1155 static void
snl_add_msg_attr_mape(struct snl_writer * nw,uint32_t type,const struct pf_mape_portset * me)1156 snl_add_msg_attr_mape(struct snl_writer *nw, uint32_t type, const struct pf_mape_portset *me)
1157 {
1158 int off;
1159
1160 off = snl_add_msg_attr_nested(nw, type);
1161
1162 snl_add_msg_attr_u8(nw, PF_MET_OFFSET, me->offset);
1163 snl_add_msg_attr_u8(nw, PF_MET_PSID_LEN, me->psidlen);
1164 snl_add_msg_attr_u16(nw, PF_MET_PSID, me->psid);
1165
1166 snl_end_attr_nested(nw, off);
1167 }
1168
1169 static void
snl_add_msg_attr_rpool(struct snl_writer * nw,uint32_t type,const struct pfctl_pool * pool)1170 snl_add_msg_attr_rpool(struct snl_writer *nw, uint32_t type, const struct pfctl_pool *pool)
1171 {
1172 int off;
1173
1174 off = snl_add_msg_attr_nested(nw, type);
1175
1176 snl_add_msg_attr(nw, PF_PT_KEY, sizeof(pool->key), &pool->key);
1177 snl_add_msg_attr_ip6(nw, PF_PT_COUNTER, &pool->counter.v6);
1178 snl_add_msg_attr_u32(nw, PF_PT_TBLIDX, pool->tblidx);
1179 snl_add_msg_attr_u16(nw, PF_PT_PROXY_SRC_PORT, pool->proxy_port[0]);
1180 snl_add_msg_attr_u16(nw, PF_PT_PROXY_DST_PORT, pool->proxy_port[1]);
1181 snl_add_msg_attr_u8(nw, PF_PT_OPTS, pool->opts);
1182 snl_add_msg_attr_mape(nw, PF_PT_MAPE, &pool->mape);
1183
1184 snl_end_attr_nested(nw, off);
1185 }
1186
1187 static void
snl_add_msg_attr_timeouts(struct snl_writer * nw,uint32_t type,const uint32_t * timeouts)1188 snl_add_msg_attr_timeouts(struct snl_writer *nw, uint32_t type, const uint32_t *timeouts)
1189 {
1190 int off;
1191
1192 off = snl_add_msg_attr_nested(nw, type);
1193
1194 for (int i = 0; i < PFTM_MAX; i++)
1195 snl_add_msg_attr_u32(nw, PF_TT_TIMEOUT, timeouts[i]);
1196
1197 snl_end_attr_nested(nw, off);
1198 }
1199
1200 static void
snl_add_msg_attr_uid(struct snl_writer * nw,uint32_t type,const struct pf_rule_uid * uid)1201 snl_add_msg_attr_uid(struct snl_writer *nw, uint32_t type, const struct pf_rule_uid *uid)
1202 {
1203 int off;
1204
1205 off = snl_add_msg_attr_nested(nw, type);
1206
1207 snl_add_msg_attr_u32(nw, PF_RUT_UID_LOW, uid->uid[0]);
1208 snl_add_msg_attr_u32(nw, PF_RUT_UID_HIGH, uid->uid[1]);
1209 snl_add_msg_attr_u8(nw, PF_RUT_OP, uid->op);
1210
1211 snl_end_attr_nested(nw, off);
1212 }
1213
1214 static void
snl_add_msg_attr_threshold(struct snl_writer * nw,uint32_t type,const struct pfctl_threshold * th)1215 snl_add_msg_attr_threshold(struct snl_writer *nw, uint32_t type, const struct pfctl_threshold *th)
1216 {
1217 int off;
1218
1219 off = snl_add_msg_attr_nested(nw, type);
1220
1221 snl_add_msg_attr_u32(nw, PF_TH_LIMIT, th->limit);
1222 snl_add_msg_attr_u32(nw, PF_TH_SECONDS, th->seconds);
1223
1224 snl_end_attr_nested(nw, off);
1225 }
1226
1227 static void
snl_add_msg_attr_pf_rule(struct snl_writer * nw,uint32_t type,const struct pfctl_rule * r)1228 snl_add_msg_attr_pf_rule(struct snl_writer *nw, uint32_t type, const struct pfctl_rule *r)
1229 {
1230 int off;
1231
1232 off = snl_add_msg_attr_nested(nw, type);
1233
1234 snl_add_msg_attr_rule_addr(nw, PF_RT_SRC, &r->src);
1235 snl_add_msg_attr_rule_addr(nw, PF_RT_DST, &r->dst);
1236 snl_add_msg_attr_rule_labels(nw, PF_RT_LABELS, r->label);
1237 snl_add_msg_attr_u32(nw, PF_RT_RIDENTIFIER, r->ridentifier);
1238 snl_add_msg_attr_string(nw, PF_RT_IFNAME, r->ifname);
1239 snl_add_msg_attr_string(nw, PF_RT_QNAME, r->qname);
1240 snl_add_msg_attr_string(nw, PF_RT_PQNAME, r->pqname);
1241 snl_add_msg_attr_string(nw, PF_RT_TAGNAME, r->tagname);
1242 snl_add_msg_attr_string(nw, PF_RT_MATCH_TAGNAME, r->match_tagname);
1243 snl_add_msg_attr_string(nw, PF_RT_OVERLOAD_TBLNAME, r->overload_tblname);
1244 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_RDR, &r->rdr);
1245 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_NAT, &r->nat);
1246 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_RT, &r->route);
1247 snl_add_msg_attr_threshold(nw, PF_RT_PKTRATE, &r->pktrate);
1248 snl_add_msg_attr_u32(nw, PF_RT_OS_FINGERPRINT, r->os_fingerprint);
1249 snl_add_msg_attr_u32(nw, PF_RT_RTABLEID, r->rtableid);
1250 snl_add_msg_attr_timeouts(nw, PF_RT_TIMEOUT, r->timeout);
1251 snl_add_msg_attr_u32(nw, PF_RT_MAX_STATES, r->max_states);
1252 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_NODES, r->max_src_nodes);
1253 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_STATES, r->max_src_states);
1254 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN, r->max_src_conn);
1255 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_LIMIT, r->max_src_conn_rate.limit);
1256 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_SECS, r->max_src_conn_rate.seconds);
1257 snl_add_msg_attr_u16(nw, PF_RT_MAX_PKT_SIZE, r->max_pkt_size);
1258
1259 snl_add_msg_attr_u16(nw, PF_RT_DNPIPE, r->dnpipe);
1260 snl_add_msg_attr_u16(nw, PF_RT_DNRPIPE, r->dnrpipe);
1261 snl_add_msg_attr_u32(nw, PF_RT_DNFLAGS, r->free_flags);
1262
1263 snl_add_msg_attr_u32(nw, PF_RT_NR, r->nr);
1264 snl_add_msg_attr_u32(nw, PF_RT_PROB, r->prob);
1265 snl_add_msg_attr_u32(nw, PF_RT_CUID, r->cuid);
1266 snl_add_msg_attr_u32(nw, PF_RT_CPID, r->cpid);
1267
1268 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP, r->return_icmp);
1269 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP6, r->return_icmp6);
1270 snl_add_msg_attr_u16(nw, PF_RT_MAX_MSS, r->max_mss);
1271 snl_add_msg_attr_u16(nw, PF_RT_SCRUB_FLAGS, r->scrub_flags);
1272
1273 snl_add_msg_attr_uid(nw, PF_RT_UID, &r->uid);
1274 snl_add_msg_attr_uid(nw, PF_RT_GID, (const struct pf_rule_uid *)&r->gid);
1275 snl_add_msg_attr_string(nw, PF_RT_RCV_IFNAME, r->rcv_ifname);
1276 snl_add_msg_attr_bool(nw, PF_RT_RCV_IFNOT, r->rcvifnot);
1277
1278 snl_add_msg_attr_u32(nw, PF_RT_RULE_FLAG, r->rule_flag);
1279 snl_add_msg_attr_u8(nw, PF_RT_ACTION, r->action);
1280 snl_add_msg_attr_u8(nw, PF_RT_DIRECTION, r->direction);
1281 snl_add_msg_attr_u8(nw, PF_RT_LOG, r->log);
1282 snl_add_msg_attr_u8(nw, PF_RT_LOGIF, r->logif);
1283 snl_add_msg_attr_u8(nw, PF_RT_QUICK, r->quick);
1284 snl_add_msg_attr_u8(nw, PF_RT_IF_NOT, r->ifnot);
1285 snl_add_msg_attr_u8(nw, PF_RT_MATCH_TAG_NOT, r->match_tag_not);
1286 snl_add_msg_attr_u8(nw, PF_RT_NATPASS, r->natpass);
1287 snl_add_msg_attr_u8(nw, PF_RT_KEEP_STATE, r->keep_state);
1288 snl_add_msg_attr_u8(nw, PF_RT_AF, r->af);
1289 snl_add_msg_attr_u8(nw, PF_RT_PROTO, r->proto);
1290 snl_add_msg_attr_u16(nw, PF_RT_TYPE_2, r->type);
1291 snl_add_msg_attr_u16(nw, PF_RT_CODE_2, r->code);
1292 snl_add_msg_attr_u8(nw, PF_RT_FLAGS, r->flags);
1293 snl_add_msg_attr_u8(nw, PF_RT_FLAGSET, r->flagset);
1294 snl_add_msg_attr_u8(nw, PF_RT_MIN_TTL, r->min_ttl);
1295 snl_add_msg_attr_u8(nw, PF_RT_ALLOW_OPTS, r->allow_opts);
1296 snl_add_msg_attr_u8(nw, PF_RT_RT, r->rt);
1297 snl_add_msg_attr_u8(nw, PF_RT_RETURN_TTL, r->return_ttl);
1298 snl_add_msg_attr_u8(nw, PF_RT_TOS, r->tos);
1299 snl_add_msg_attr_u8(nw, PF_RT_SET_TOS, r->set_tos);
1300
1301 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_RELATIVE, r->anchor_relative);
1302 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_WILDCARD, r->anchor_wildcard);
1303 snl_add_msg_attr_u8(nw, PF_RT_FLUSH, r->flush);
1304 snl_add_msg_attr_u8(nw, PF_RT_PRIO, r->prio);
1305 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO, r->set_prio[0]);
1306 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO_REPLY, r->set_prio[1]);
1307 snl_add_msg_attr_u8(nw, PF_RT_NAF, r->naf);
1308
1309 snl_add_msg_attr_ip6(nw, PF_RT_DIVERT_ADDRESS, &r->divert.addr.v6);
1310 snl_add_msg_attr_u16(nw, PF_RT_DIVERT_PORT, r->divert.port);
1311
1312 snl_end_attr_nested(nw, off);
1313 }
1314
1315 int
pfctl_add_rule(int dev __unused,const struct pfctl_rule * r,const char * anchor,const char * anchor_call,uint32_t ticket,uint32_t pool_ticket)1316 pfctl_add_rule(int dev __unused, const struct pfctl_rule *r, const char *anchor,
1317 const char *anchor_call, uint32_t ticket, uint32_t pool_ticket)
1318 {
1319 struct pfctl_handle *h;
1320 int ret;
1321
1322 h = pfctl_open(PF_DEVICE);
1323 if (h == NULL)
1324 return (ENODEV);
1325
1326 ret = pfctl_add_rule_h(h, r, anchor, anchor_call, ticket, pool_ticket);
1327
1328 pfctl_close(h);
1329
1330 return (ret);
1331 }
1332
1333 int
pfctl_add_rule_h(struct pfctl_handle * h,const struct pfctl_rule * r,const char * anchor,const char * anchor_call,uint32_t ticket,uint32_t pool_ticket)1334 pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
1335 const char *anchor, const char *anchor_call, uint32_t ticket,
1336 uint32_t pool_ticket)
1337 {
1338 struct snl_writer nw;
1339 struct snl_errmsg_data e = {};
1340 struct nlmsghdr *hdr;
1341 uint32_t seq_id;
1342 int family_id;
1343
1344 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
1345 if (family_id == 0)
1346 return (ENOTSUP);
1347
1348 snl_init_writer(&h->ss, &nw);
1349 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADDRULE);
1350 hdr->nlmsg_flags |= NLM_F_DUMP;
1351 snl_add_msg_attr_u32(&nw, PF_ART_TICKET, ticket);
1352 snl_add_msg_attr_u32(&nw, PF_ART_POOL_TICKET, pool_ticket);
1353 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR, anchor);
1354 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR_CALL, anchor_call);
1355
1356 snl_add_msg_attr_pf_rule(&nw, PF_ART_RULE, r);
1357
1358 if ((hdr = snl_finalize_msg(&nw)) == NULL)
1359 return (ENXIO);
1360
1361 seq_id = hdr->nlmsg_seq;
1362
1363 if (! snl_send_message(&h->ss, hdr))
1364 return (ENXIO);
1365
1366 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
1367 }
1368
1369 return (e.error);
1370 }
1371
1372 #define _IN(_field) offsetof(struct genlmsghdr, _field)
1373 #define _OUT(_field) offsetof(struct pfctl_rules_info, _field)
1374 static struct snl_attr_parser ap_getrules[] = {
1375 { .type = PF_GR_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 },
1376 { .type = PF_GR_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 },
1377 };
1378 #undef _IN
1379 #undef _OUT
1380 SNL_DECLARE_PARSER(getrules_parser, struct genlmsghdr, snl_f_p_empty, ap_getrules);
1381
1382 int
pfctl_get_rules_info_h(struct pfctl_handle * h,struct pfctl_rules_info * rules,uint32_t ruleset,const char * path)1383 pfctl_get_rules_info_h(struct pfctl_handle *h, struct pfctl_rules_info *rules, uint32_t ruleset,
1384 const char *path)
1385 {
1386 struct snl_errmsg_data e = {};
1387 struct nlmsghdr *hdr;
1388 struct snl_writer nw;
1389 uint32_t seq_id;
1390 int family_id;
1391
1392 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
1393 if (family_id == 0)
1394 return (ENOTSUP);
1395
1396 snl_init_writer(&h->ss, &nw);
1397 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETRULES);
1398 hdr->nlmsg_flags |= NLM_F_DUMP;
1399
1400 snl_add_msg_attr_string(&nw, PF_GR_ANCHOR, path);
1401 snl_add_msg_attr_u8(&nw, PF_GR_ACTION, ruleset);
1402
1403 hdr = snl_finalize_msg(&nw);
1404 if (hdr == NULL)
1405 return (ENOMEM);
1406
1407 seq_id = hdr->nlmsg_seq;
1408 if (! snl_send_message(&h->ss, hdr))
1409 return (ENXIO);
1410
1411 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
1412 if (! snl_parse_nlmsg(&h->ss, hdr, &getrules_parser, rules))
1413 continue;
1414 }
1415
1416 return (e.error);
1417 }
1418
1419 int
pfctl_get_rules_info(int dev __unused,struct pfctl_rules_info * rules,uint32_t ruleset,const char * path)1420 pfctl_get_rules_info(int dev __unused, struct pfctl_rules_info *rules, uint32_t ruleset,
1421 const char *path)
1422 {
1423 struct pfctl_handle *h;
1424 int error;
1425
1426 h = pfctl_open(PF_DEVICE);
1427 if (h == NULL)
1428 return (ENOTSUP);
1429 error = pfctl_get_rules_info_h(h, rules, ruleset, path);
1430 pfctl_close(h);
1431
1432 return (error);
1433 }
1434
1435 int
pfctl_get_rule_h(struct pfctl_handle * h,uint32_t nr,uint32_t ticket,const char * anchor,uint32_t ruleset,struct pfctl_rule * rule,char * anchor_call)1436 pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket, const char *anchor,
1437 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
1438 {
1439 return (pfctl_get_clear_rule_h(h, nr, ticket, anchor, ruleset, rule,
1440 anchor_call, false));
1441 }
1442
1443 int
pfctl_get_rule(int dev,uint32_t nr,uint32_t ticket,const char * anchor,uint32_t ruleset,struct pfctl_rule * rule,char * anchor_call)1444 pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor,
1445 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
1446 {
1447 return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule,
1448 anchor_call, false));
1449 }
1450
1451 #define _OUT(_field) offsetof(struct pf_addr_wrap, _field)
1452 static const struct snl_attr_parser ap_addr_wrap[] = {
1453 { .type = PF_AT_ADDR, .off = _OUT(v.a.addr), .cb = snl_attr_get_in6_addr },
1454 { .type = PF_AT_MASK, .off = _OUT(v.a.mask), .cb = snl_attr_get_in6_addr },
1455 { .type = PF_AT_IFNAME, .off = _OUT(v.ifname), .arg = (void *)IFNAMSIZ,.cb = snl_attr_copy_string },
1456 { .type = PF_AT_TABLENAME, .off = _OUT(v.tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string },
1457 { .type = PF_AT_TYPE, .off = _OUT(type), .cb = snl_attr_get_uint8 },
1458 { .type = PF_AT_IFLAGS, .off = _OUT(iflags), .cb = snl_attr_get_uint8 },
1459 { .type = PF_AT_TBLCNT, .off = _OUT(p.tblcnt), .cb = snl_attr_get_uint32 },
1460 { .type = PF_AT_DYNCNT, .off = _OUT(p.dyncnt), .cb = snl_attr_get_uint32 },
1461 };
1462 SNL_DECLARE_ATTR_PARSER(addr_wrap_parser, ap_addr_wrap);
1463 #undef _OUT
1464
1465 #define _OUT(_field) offsetof(struct pf_rule_addr, _field)
1466 static struct snl_attr_parser ap_rule_addr[] = {
1467 { .type = PF_RAT_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = snl_attr_get_nested },
1468 { .type = PF_RAT_SRC_PORT, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 },
1469 { .type = PF_RAT_DST_PORT, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 },
1470 { .type = PF_RAT_NEG, .off = _OUT(neg), .cb = snl_attr_get_uint8 },
1471 { .type = PF_RAT_OP, .off = _OUT(port_op), .cb = snl_attr_get_uint8 },
1472 };
1473 #undef _OUT
1474 SNL_DECLARE_ATTR_PARSER(rule_addr_parser, ap_rule_addr);
1475
1476 struct snl_parsed_labels
1477 {
1478 char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
1479 uint32_t i;
1480 };
1481
1482 static bool
snl_attr_get_pf_rule_labels(struct snl_state * ss,struct nlattr * nla,const void * arg __unused,void * target)1483 snl_attr_get_pf_rule_labels(struct snl_state *ss, struct nlattr *nla,
1484 const void *arg __unused, void *target)
1485 {
1486 struct snl_parsed_labels *l = (struct snl_parsed_labels *)target;
1487 bool ret;
1488
1489 if (l->i >= PF_RULE_MAX_LABEL_COUNT)
1490 return (E2BIG);
1491
1492 ret = snl_attr_copy_string(ss, nla, (void *)PF_RULE_LABEL_SIZE,
1493 l->labels[l->i]);
1494 if (ret)
1495 l->i++;
1496
1497 return (ret);
1498 }
1499
1500 #define _OUT(_field) offsetof(struct nl_parsed_labels, _field)
1501 static const struct snl_attr_parser ap_labels[] = {
1502 { .type = PF_LT_LABEL, .off = 0, .cb = snl_attr_get_pf_rule_labels },
1503 };
1504 SNL_DECLARE_ATTR_PARSER(rule_labels_parser, ap_labels);
1505 #undef _OUT
1506
1507 static bool
snl_attr_get_nested_pf_rule_labels(struct snl_state * ss,struct nlattr * nla,const void * arg __unused,void * target)1508 snl_attr_get_nested_pf_rule_labels(struct snl_state *ss, struct nlattr *nla,
1509 const void *arg __unused, void *target)
1510 {
1511 struct snl_parsed_labels parsed_labels = { };
1512 bool error;
1513
1514 /* Assumes target points to the beginning of the structure */
1515 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &rule_labels_parser, &parsed_labels);
1516 if (! error)
1517 return (error);
1518
1519 memcpy(target, parsed_labels.labels, sizeof(parsed_labels.labels));
1520
1521 return (true);
1522 }
1523
1524 #define _OUT(_field) offsetof(struct pf_mape_portset, _field)
1525 static const struct snl_attr_parser ap_mape_portset[] = {
1526 { .type = PF_MET_OFFSET, .off = _OUT(offset), .cb = snl_attr_get_uint8 },
1527 { .type = PF_MET_PSID_LEN, .off = _OUT(psidlen), .cb = snl_attr_get_uint8 },
1528 {. type = PF_MET_PSID, .off = _OUT(psid), .cb = snl_attr_get_uint16 },
1529 };
1530 SNL_DECLARE_ATTR_PARSER(mape_portset_parser, ap_mape_portset);
1531 #undef _OUT
1532
1533 #define _OUT(_field) offsetof(struct pfctl_pool, _field)
1534 static const struct snl_attr_parser ap_pool[] = {
1535 { .type = PF_PT_KEY, .off = _OUT(key), .arg = (void *)sizeof(struct pf_poolhashkey), .cb = snl_attr_get_bytes },
1536 { .type = PF_PT_COUNTER, .off = _OUT(counter), .cb = snl_attr_get_in6_addr },
1537 { .type = PF_PT_TBLIDX, .off = _OUT(tblidx), .cb = snl_attr_get_uint32 },
1538 { .type = PF_PT_PROXY_SRC_PORT, .off = _OUT(proxy_port[0]), .cb = snl_attr_get_uint16 },
1539 { .type = PF_PT_PROXY_DST_PORT, .off = _OUT(proxy_port[1]), .cb = snl_attr_get_uint16 },
1540 { .type = PF_PT_OPTS, .off = _OUT(opts), .cb = snl_attr_get_uint8 },
1541 { .type = PF_PT_MAPE, .off = _OUT(mape), .arg = &mape_portset_parser, .cb = snl_attr_get_nested },
1542 };
1543 SNL_DECLARE_ATTR_PARSER(pool_parser, ap_pool);
1544 #undef _OUT
1545
1546 struct nl_parsed_timeouts
1547 {
1548 uint32_t timeouts[PFTM_MAX];
1549 uint32_t i;
1550 };
1551
1552 static bool
snl_attr_get_pf_timeout(struct snl_state * ss,struct nlattr * nla,const void * arg __unused,void * target)1553 snl_attr_get_pf_timeout(struct snl_state *ss, struct nlattr *nla,
1554 const void *arg __unused, void *target)
1555 {
1556 struct nl_parsed_timeouts *t = (struct nl_parsed_timeouts *)target;
1557 bool ret;
1558
1559 if (t->i >= PFTM_MAX)
1560 return (E2BIG);
1561
1562 ret = snl_attr_get_uint32(ss, nla, NULL, &t->timeouts[t->i]);
1563 if (ret)
1564 t->i++;
1565
1566 return (ret);
1567 }
1568
1569 #define _OUT(_field) offsetof(struct nl_parsed_timeout, _field)
1570 static const struct snl_attr_parser ap_timeouts[] = {
1571 { .type = PF_TT_TIMEOUT, .off = 0, .cb = snl_attr_get_pf_timeout },
1572 };
1573 SNL_DECLARE_ATTR_PARSER(timeout_parser, ap_timeouts);
1574 #undef _OUT
1575
1576 static bool
snl_attr_get_nested_timeouts(struct snl_state * ss,struct nlattr * nla,const void * arg __unused,void * target)1577 snl_attr_get_nested_timeouts(struct snl_state *ss, struct nlattr *nla,
1578 const void *arg __unused, void *target)
1579 {
1580 struct nl_parsed_timeouts parsed_timeouts = { };
1581 bool error;
1582
1583 /* Assumes target points to the beginning of the structure */
1584 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &timeout_parser, &parsed_timeouts);
1585 if (! error)
1586 return (error);
1587
1588 memcpy(target, parsed_timeouts.timeouts, sizeof(parsed_timeouts.timeouts));
1589
1590 return (true);
1591 }
1592
1593 #define _OUT(_field) offsetof(struct pf_rule_uid, _field)
1594 static const struct snl_attr_parser ap_rule_uid[] = {
1595 { .type = PF_RUT_UID_LOW, .off = _OUT(uid[0]), .cb = snl_attr_get_uint32 },
1596 { .type = PF_RUT_UID_HIGH, .off = _OUT(uid[1]), .cb = snl_attr_get_uint32 },
1597 { .type = PF_RUT_OP, .off = _OUT(op), .cb = snl_attr_get_uint8 },
1598 };
1599 SNL_DECLARE_ATTR_PARSER(rule_uid_parser, ap_rule_uid);
1600 #undef _OUT
1601
1602 #define _OUT(_field) offsetof(struct pfctl_threshold, _field)
1603 static const struct snl_attr_parser ap_pfctl_threshold[] = {
1604 { .type = PF_TH_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 },
1605 { .type = PF_TH_SECONDS, .off = _OUT(seconds), .cb = snl_attr_get_uint32 },
1606 { .type = PF_TH_COUNT, .off = _OUT(count), .cb = snl_attr_get_uint32 },
1607 };
1608 SNL_DECLARE_ATTR_PARSER(pfctl_threshold_parser, ap_pfctl_threshold);
1609 #undef _OUT
1610
1611 struct pfctl_nl_get_rule {
1612 struct pfctl_rule r;
1613 char anchor_call[MAXPATHLEN];
1614 };
1615 #define _OUT(_field) offsetof(struct pfctl_nl_get_rule, _field)
1616 static struct snl_attr_parser ap_getrule[] = {
1617 { .type = PF_RT_SRC, .off = _OUT(r.src), .arg = &rule_addr_parser,.cb = snl_attr_get_nested },
1618 { .type = PF_RT_DST, .off = _OUT(r.dst), .arg = &rule_addr_parser,.cb = snl_attr_get_nested },
1619 { .type = PF_RT_RIDENTIFIER, .off = _OUT(r.ridentifier), .cb = snl_attr_get_uint32 },
1620 { .type = PF_RT_LABELS, .off = _OUT(r.label), .arg = &rule_labels_parser,.cb = snl_attr_get_nested_pf_rule_labels },
1621 { .type = PF_RT_IFNAME, .off = _OUT(r.ifname), .arg = (void *)IFNAMSIZ, .cb = snl_attr_copy_string },
1622 { .type = PF_RT_QNAME, .off = _OUT(r.qname), .arg = (void *)PF_QNAME_SIZE, .cb = snl_attr_copy_string },
1623 { .type = PF_RT_PQNAME, .off = _OUT(r.pqname), .arg = (void *)PF_QNAME_SIZE, .cb = snl_attr_copy_string },
1624 { .type = PF_RT_TAGNAME, .off = _OUT(r.tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string },
1625 { .type = PF_RT_MATCH_TAGNAME, .off = _OUT(r.match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string },
1626 { .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(r.overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string },
1627 { .type = PF_RT_RPOOL_RDR, .off = _OUT(r.rdr), .arg = &pool_parser, .cb = snl_attr_get_nested },
1628 { .type = PF_RT_OS_FINGERPRINT, .off = _OUT(r.os_fingerprint), .cb = snl_attr_get_uint32 },
1629 { .type = PF_RT_RTABLEID, .off = _OUT(r.rtableid), .cb = snl_attr_get_uint32 },
1630 { .type = PF_RT_TIMEOUT, .off = _OUT(r.timeout), .arg = &timeout_parser, .cb = snl_attr_get_nested_timeouts },
1631 { .type = PF_RT_MAX_STATES, .off = _OUT(r.max_states), .cb = snl_attr_get_uint32 },
1632 { .type = PF_RT_MAX_SRC_NODES, .off = _OUT(r.max_src_nodes), .cb = snl_attr_get_uint32 },
1633 { .type = PF_RT_MAX_SRC_STATES, .off = _OUT(r.max_src_states), .cb = snl_attr_get_uint32 },
1634 { .type = PF_RT_MAX_SRC_CONN_RATE_LIMIT, .off = _OUT(r.max_src_conn_rate.limit), .cb = snl_attr_get_uint32 },
1635 { .type = PF_RT_MAX_SRC_CONN_RATE_SECS, .off = _OUT(r.max_src_conn_rate.seconds), .cb = snl_attr_get_uint32 },
1636 { .type = PF_RT_DNPIPE, .off = _OUT(r.dnpipe), .cb = snl_attr_get_uint16 },
1637 { .type = PF_RT_DNRPIPE, .off = _OUT(r.dnrpipe), .cb = snl_attr_get_uint16 },
1638 { .type = PF_RT_DNFLAGS, .off = _OUT(r.free_flags), .cb = snl_attr_get_uint32 },
1639 { .type = PF_RT_NR, .off = _OUT(r.nr), .cb = snl_attr_get_uint32 },
1640 { .type = PF_RT_PROB, .off = _OUT(r.prob), .cb = snl_attr_get_uint32 },
1641 { .type = PF_RT_CUID, .off = _OUT(r.cuid), .cb = snl_attr_get_uint32 },
1642 {. type = PF_RT_CPID, .off = _OUT(r.cpid), .cb = snl_attr_get_uint32 },
1643 { .type = PF_RT_RETURN_ICMP, .off = _OUT(r.return_icmp), .cb = snl_attr_get_uint16 },
1644 { .type = PF_RT_RETURN_ICMP6, .off = _OUT(r.return_icmp6), .cb = snl_attr_get_uint16 },
1645 { .type = PF_RT_MAX_MSS, .off = _OUT(r.max_mss), .cb = snl_attr_get_uint16 },
1646 { .type = PF_RT_SCRUB_FLAGS, .off = _OUT(r.scrub_flags), .cb = snl_attr_get_uint16 },
1647 { .type = PF_RT_UID, .off = _OUT(r.uid), .arg = &rule_uid_parser, .cb = snl_attr_get_nested },
1648 { .type = PF_RT_GID, .off = _OUT(r.gid), .arg = &rule_uid_parser, .cb = snl_attr_get_nested },
1649 { .type = PF_RT_RULE_FLAG, .off = _OUT(r.rule_flag), .cb = snl_attr_get_uint32 },
1650 { .type = PF_RT_ACTION, .off = _OUT(r.action), .cb = snl_attr_get_uint8 },
1651 { .type = PF_RT_DIRECTION, .off = _OUT(r.direction), .cb = snl_attr_get_uint8 },
1652 { .type = PF_RT_LOG, .off = _OUT(r.log), .cb = snl_attr_get_uint8 },
1653 { .type = PF_RT_LOGIF, .off = _OUT(r.logif), .cb = snl_attr_get_uint8 },
1654 { .type = PF_RT_QUICK, .off = _OUT(r.quick), .cb = snl_attr_get_uint8 },
1655 { .type = PF_RT_IF_NOT, .off = _OUT(r.ifnot), .cb = snl_attr_get_uint8 },
1656 { .type = PF_RT_MATCH_TAG_NOT, .off = _OUT(r.match_tag_not), .cb = snl_attr_get_uint8 },
1657 { .type = PF_RT_NATPASS, .off = _OUT(r.natpass), .cb = snl_attr_get_uint8 },
1658 { .type = PF_RT_KEEP_STATE, .off = _OUT(r.keep_state), .cb = snl_attr_get_uint8 },
1659 { .type = PF_RT_AF, .off = _OUT(r.af), .cb = snl_attr_get_uint8 },
1660 { .type = PF_RT_PROTO, .off = _OUT(r.proto), .cb = snl_attr_get_uint8 },
1661 { .type = PF_RT_TYPE, .off = _OUT(r.type), .cb = snl_attr_get_uint8 },
1662 { .type = PF_RT_CODE, .off = _OUT(r.code), .cb = snl_attr_get_uint8 },
1663 { .type = PF_RT_FLAGS, .off = _OUT(r.flags), .cb = snl_attr_get_uint8 },
1664 { .type = PF_RT_FLAGSET, .off = _OUT(r.flagset), .cb = snl_attr_get_uint8 },
1665 { .type = PF_RT_MIN_TTL, .off = _OUT(r.min_ttl), .cb = snl_attr_get_uint8 },
1666 { .type = PF_RT_ALLOW_OPTS, .off = _OUT(r.allow_opts), .cb = snl_attr_get_uint8 },
1667 { .type = PF_RT_RT, .off = _OUT(r.rt), .cb = snl_attr_get_uint8 },
1668 { .type = PF_RT_RETURN_TTL, .off = _OUT(r.return_ttl), .cb = snl_attr_get_uint8 },
1669 { .type = PF_RT_TOS, .off = _OUT(r.tos), .cb = snl_attr_get_uint8 },
1670 { .type = PF_RT_SET_TOS, .off = _OUT(r.set_tos), .cb = snl_attr_get_uint8 },
1671 { .type = PF_RT_ANCHOR_RELATIVE, .off = _OUT(r.anchor_relative), .cb = snl_attr_get_uint8 },
1672 { .type = PF_RT_ANCHOR_WILDCARD, .off = _OUT(r.anchor_wildcard), .cb = snl_attr_get_uint8 },
1673 { .type = PF_RT_FLUSH, .off = _OUT(r.flush), .cb = snl_attr_get_uint8 },
1674 { .type = PF_RT_PRIO, .off = _OUT(r.prio), .cb = snl_attr_get_uint8 },
1675 { .type = PF_RT_SET_PRIO, .off = _OUT(r.set_prio[0]), .cb = snl_attr_get_uint8 },
1676 { .type = PF_RT_SET_PRIO_REPLY, .off = _OUT(r.set_prio[1]), .cb = snl_attr_get_uint8 },
1677 { .type = PF_RT_DIVERT_ADDRESS, .off = _OUT(r.divert.addr), .cb = snl_attr_get_in6_addr },
1678 { .type = PF_RT_DIVERT_PORT, .off = _OUT(r.divert.port), .cb = snl_attr_get_uint16 },
1679 { .type = PF_RT_PACKETS_IN, .off = _OUT(r.packets[0]), .cb = snl_attr_get_uint64 },
1680 { .type = PF_RT_PACKETS_OUT, .off = _OUT(r.packets[1]), .cb = snl_attr_get_uint64 },
1681 { .type = PF_RT_BYTES_IN, .off = _OUT(r.bytes[0]), .cb = snl_attr_get_uint64 },
1682 { .type = PF_RT_BYTES_OUT, .off = _OUT(r.bytes[1]), .cb = snl_attr_get_uint64 },
1683 { .type = PF_RT_EVALUATIONS, .off = _OUT(r.evaluations), .cb = snl_attr_get_uint64 },
1684 { .type = PF_RT_TIMESTAMP, .off = _OUT(r.last_active_timestamp), .cb = snl_attr_get_uint64 },
1685 { .type = PF_RT_STATES_CUR, .off = _OUT(r.states_cur), .cb = snl_attr_get_uint64 },
1686 { .type = PF_RT_STATES_TOTAL, .off = _OUT(r.states_tot), .cb = snl_attr_get_uint64 },
1687 { .type = PF_RT_SRC_NODES, .off = _OUT(r.src_nodes), .cb = snl_attr_get_uint64 },
1688 { .type = PF_RT_ANCHOR_CALL, .off = _OUT(anchor_call), .arg = (void*)MAXPATHLEN, .cb = snl_attr_copy_string },
1689 { .type = PF_RT_RCV_IFNAME, .off = _OUT(r.rcv_ifname), .arg = (void*)IFNAMSIZ, .cb = snl_attr_copy_string },
1690 { .type = PF_RT_MAX_SRC_CONN, .off = _OUT(r.max_src_conn), .cb = snl_attr_get_uint32 },
1691 { .type = PF_RT_RPOOL_NAT, .off = _OUT(r.nat), .arg = &pool_parser, .cb = snl_attr_get_nested },
1692 { .type = PF_RT_NAF, .off = _OUT(r.naf), .cb = snl_attr_get_uint8 },
1693 { .type = PF_RT_RPOOL_RT, .off = _OUT(r.route), .arg = &pool_parser, .cb = snl_attr_get_nested },
1694 { .type = PF_RT_RCV_IFNOT, .off = _OUT(r.rcvifnot),.cb = snl_attr_get_bool },
1695 { .type = PF_RT_SRC_NODES_LIMIT, .off = _OUT(r.src_nodes_type[PF_SN_LIMIT]), .cb = snl_attr_get_uint64 },
1696 { .type = PF_RT_SRC_NODES_NAT, .off = _OUT(r.src_nodes_type[PF_SN_NAT]), .cb = snl_attr_get_uint64 },
1697 { .type = PF_RT_SRC_NODES_ROUTE, .off = _OUT(r.src_nodes_type[PF_SN_ROUTE]), .cb = snl_attr_get_uint64 },
1698 { .type = PF_RT_PKTRATE, .off = _OUT(r.pktrate), .arg = &pfctl_threshold_parser, .cb = snl_attr_get_nested },
1699 { .type = PF_RT_MAX_PKT_SIZE, .off =_OUT(r.max_pkt_size), .cb = snl_attr_get_uint16 },
1700 { .type = PF_RT_TYPE_2, .off = _OUT(r.type), .cb = snl_attr_get_uint16 },
1701 { .type = PF_RT_CODE_2, .off = _OUT(r.code), .cb = snl_attr_get_uint16 },
1702 };
1703 #undef _OUT
1704 SNL_DECLARE_PARSER(getrule_parser, struct genlmsghdr, snl_f_p_empty, ap_getrule);
1705
1706 int
pfctl_get_clear_rule_h(struct pfctl_handle * h,uint32_t nr,uint32_t ticket,const char * anchor,uint32_t ruleset,struct pfctl_rule * rule,char * anchor_call,bool clear)1707 pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
1708 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
1709 char *anchor_call, bool clear)
1710 {
1711 struct pfctl_nl_get_rule attrs = {};
1712 struct snl_errmsg_data e = {};
1713 struct nlmsghdr *hdr;
1714 struct snl_writer nw;
1715 uint32_t seq_id;
1716 int family_id;
1717
1718 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
1719 if (family_id == 0)
1720 return (ENOTSUP);
1721
1722 snl_init_writer(&h->ss, &nw);
1723 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETRULE);
1724 hdr->nlmsg_flags |= NLM_F_DUMP;
1725
1726 snl_add_msg_attr_string(&nw, PF_GR_ANCHOR, anchor);
1727 snl_add_msg_attr_u8(&nw, PF_GR_ACTION, ruleset);
1728 snl_add_msg_attr_u32(&nw, PF_GR_NR, nr);
1729 snl_add_msg_attr_u32(&nw, PF_GR_TICKET, ticket);
1730 snl_add_msg_attr_u8(&nw, PF_GR_CLEAR, clear);
1731
1732 hdr = snl_finalize_msg(&nw);
1733 if (hdr == NULL)
1734 return (ENOMEM);
1735
1736 seq_id = hdr->nlmsg_seq;
1737 if (! snl_send_message(&h->ss, hdr))
1738 return (ENXIO);
1739
1740 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
1741 if (! snl_parse_nlmsg(&h->ss, hdr, &getrule_parser, &attrs))
1742 continue;
1743 }
1744
1745 memcpy(rule, &attrs.r, sizeof(attrs.r));
1746 strlcpy(anchor_call, attrs.anchor_call, MAXPATHLEN);
1747
1748 return (e.error);
1749 }
1750
1751 int
pfctl_get_clear_rule(int dev,uint32_t nr,uint32_t ticket,const char * anchor,uint32_t ruleset,struct pfctl_rule * rule,char * anchor_call,bool clear)1752 pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
1753 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
1754 char *anchor_call, bool clear)
1755 {
1756 nvlist_t *nvl;
1757 int ret;
1758
1759 nvl = nvlist_create(0);
1760 if (nvl == 0)
1761 return (ENOMEM);
1762
1763 nvlist_add_number(nvl, "nr", nr);
1764 nvlist_add_number(nvl, "ticket", ticket);
1765 nvlist_add_string(nvl, "anchor", anchor);
1766 nvlist_add_number(nvl, "ruleset", ruleset);
1767
1768 if (clear)
1769 nvlist_add_bool(nvl, "clear_counter", true);
1770
1771 if ((ret = pfctl_do_ioctl(dev, DIOCGETRULENV, 8192, &nvl)) != 0)
1772 goto out;
1773
1774 pf_nvrule_to_rule(nvlist_get_nvlist(nvl, "rule"), rule);
1775
1776 if (anchor_call)
1777 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"),
1778 MAXPATHLEN);
1779
1780 out:
1781 nvlist_destroy(nvl);
1782 return (ret);
1783 }
1784
1785 int
pfctl_set_keepcounters(int dev,bool keep)1786 pfctl_set_keepcounters(int dev, bool keep)
1787 {
1788 struct pfioc_nv nv;
1789 nvlist_t *nvl;
1790 int ret;
1791
1792 nvl = nvlist_create(0);
1793
1794 nvlist_add_bool(nvl, "keep_counters", keep);
1795
1796 nv.data = nvlist_pack(nvl, &nv.len);
1797 nv.size = nv.len;
1798
1799 nvlist_destroy(nvl);
1800
1801 ret = ioctl(dev, DIOCKEEPCOUNTERS, &nv);
1802
1803 free(nv.data);
1804 return (ret);
1805 }
1806
1807 struct pfctl_creator {
1808 uint32_t id;
1809 };
1810 #define _IN(_field) offsetof(struct genlmsghdr, _field)
1811 #define _OUT(_field) offsetof(struct pfctl_creator, _field)
1812 static struct snl_attr_parser ap_creators[] = {
1813 { .type = PF_ST_CREATORID, .off = _OUT(id), .cb = snl_attr_get_uint32 },
1814 };
1815 #undef _IN
1816 #undef _OUT
1817 SNL_DECLARE_PARSER(creator_parser, struct genlmsghdr, snl_f_p_empty, ap_creators);
1818
1819 static int
pfctl_get_creators_nl(struct snl_state * ss,uint32_t * creators,size_t * len)1820 pfctl_get_creators_nl(struct snl_state *ss, uint32_t *creators, size_t *len)
1821 {
1822
1823 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME);
1824 size_t i = 0;
1825
1826 struct nlmsghdr *hdr;
1827 struct snl_writer nw;
1828
1829 if (family_id == 0)
1830 return (ENOTSUP);
1831
1832 snl_init_writer(ss, &nw);
1833 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETCREATORS);
1834 hdr->nlmsg_flags |= NLM_F_DUMP;
1835 hdr = snl_finalize_msg(&nw);
1836 if (hdr == NULL)
1837 return (ENOMEM);
1838 uint32_t seq_id = hdr->nlmsg_seq;
1839
1840 snl_send_message(ss, hdr);
1841
1842 struct snl_errmsg_data e = {};
1843 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) {
1844 struct pfctl_creator c;
1845 bzero(&c, sizeof(c));
1846
1847 if (!snl_parse_nlmsg(ss, hdr, &creator_parser, &c))
1848 continue;
1849
1850 creators[i] = c.id;
1851 i++;
1852 if (i > *len)
1853 return (E2BIG);
1854 }
1855
1856 *len = i;
1857
1858 return (0);
1859 }
1860
1861 int
pfctl_get_creatorids(struct pfctl_handle * h,uint32_t * creators,size_t * len)1862 pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len)
1863 {
1864 int error;
1865
1866 error = pfctl_get_creators_nl(&h->ss, creators, len);
1867
1868 return (error);
1869 }
1870
1871 static inline bool
snl_attr_get_pfaddr(struct snl_state * ss __unused,struct nlattr * nla,const void * arg __unused,void * target)1872 snl_attr_get_pfaddr(struct snl_state *ss __unused, struct nlattr *nla,
1873 const void *arg __unused, void *target)
1874 {
1875 memcpy(target, NLA_DATA(nla), NLA_DATA_LEN(nla));
1876 return (true);
1877 }
1878
1879 static inline bool
snl_attr_store_ifname(struct snl_state * ss __unused,struct nlattr * nla,const void * arg __unused,void * target)1880 snl_attr_store_ifname(struct snl_state *ss __unused, struct nlattr *nla,
1881 const void *arg __unused, void *target)
1882 {
1883 size_t maxlen = NLA_DATA_LEN(nla);
1884
1885 if (strnlen((char *)NLA_DATA(nla), maxlen) < maxlen) {
1886 strlcpy(target, (char *)NLA_DATA(nla), maxlen);
1887 return (true);
1888 }
1889 return (false);
1890 }
1891
1892 #define _OUT(_field) offsetof(struct pfctl_state_peer, _field)
1893 static const struct snl_attr_parser nla_p_speer[] = {
1894 { .type = PF_STP_SEQLO, .off = _OUT(seqlo), .cb = snl_attr_get_uint32 },
1895 { .type = PF_STP_SEQHI, .off = _OUT(seqhi), .cb = snl_attr_get_uint32 },
1896 { .type = PF_STP_SEQDIFF, .off = _OUT(seqdiff), .cb = snl_attr_get_uint32 },
1897 { .type = PF_STP_STATE, .off = _OUT(state), .cb = snl_attr_get_uint8 },
1898 { .type = PF_STP_WSCALE, .off = _OUT(wscale), .cb = snl_attr_get_uint8 },
1899 };
1900 SNL_DECLARE_ATTR_PARSER(speer_parser, nla_p_speer);
1901 #undef _OUT
1902
1903 #define _OUT(_field) offsetof(struct pfctl_state_key, _field)
1904 static const struct snl_attr_parser nla_p_skey[] = {
1905 { .type = PF_STK_ADDR0, .off = _OUT(addr[0]), .cb = snl_attr_get_pfaddr },
1906 { .type = PF_STK_ADDR1, .off = _OUT(addr[1]), .cb = snl_attr_get_pfaddr },
1907 { .type = PF_STK_PORT0, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 },
1908 { .type = PF_STK_PORT1, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 },
1909 { .type = PF_STK_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 },
1910 { .type = PF_STK_PROTO, .off = _OUT(proto), .cb = snl_attr_get_uint16 },
1911 };
1912 SNL_DECLARE_ATTR_PARSER(skey_parser, nla_p_skey);
1913 #undef _OUT
1914
1915 #define _IN(_field) offsetof(struct genlmsghdr, _field)
1916 #define _OUT(_field) offsetof(struct pfctl_state, _field)
1917 static struct snl_attr_parser ap_state[] = {
1918 { .type = PF_ST_ID, .off = _OUT(id), .cb = snl_attr_get_uint64 },
1919 { .type = PF_ST_CREATORID, .off = _OUT(creatorid), .cb = snl_attr_get_uint32 },
1920 { .type = PF_ST_IFNAME, .off = _OUT(ifname), .cb = snl_attr_store_ifname },
1921 { .type = PF_ST_ORIG_IFNAME, .off = _OUT(orig_ifname), .cb = snl_attr_store_ifname },
1922 { .type = PF_ST_KEY_WIRE, .off = _OUT(key[0]), .arg = &skey_parser, .cb = snl_attr_get_nested },
1923 { .type = PF_ST_KEY_STACK, .off = _OUT(key[1]), .arg = &skey_parser, .cb = snl_attr_get_nested },
1924 { .type = PF_ST_PEER_SRC, .off = _OUT(src), .arg = &speer_parser, .cb = snl_attr_get_nested },
1925 { .type = PF_ST_PEER_DST, .off = _OUT(dst), .arg = &speer_parser, .cb = snl_attr_get_nested },
1926 { .type = PF_ST_RT_ADDR, .off = _OUT(rt_addr), .cb = snl_attr_get_pfaddr },
1927 { .type = PF_ST_RULE, .off = _OUT(rule), .cb = snl_attr_get_uint32 },
1928 { .type = PF_ST_ANCHOR, .off = _OUT(anchor), .cb = snl_attr_get_uint32 },
1929 { .type = PF_ST_NAT_RULE, .off = _OUT(nat_rule), .cb = snl_attr_get_uint32 },
1930 { .type = PF_ST_CREATION, .off = _OUT(creation), .cb = snl_attr_get_uint32 },
1931 { .type = PF_ST_EXPIRE, .off = _OUT(expire), .cb = snl_attr_get_uint32 },
1932 { .type = PF_ST_PACKETS0, .off = _OUT(packets[0]), .cb = snl_attr_get_uint64 },
1933 { .type = PF_ST_PACKETS1, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 },
1934 { .type = PF_ST_BYTES0, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 },
1935 { .type = PF_ST_BYTES1, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 },
1936 { .type = PF_ST_DIRECTION, .off = _OUT(direction), .cb = snl_attr_get_uint8 },
1937 { .type = PF_ST_LOG, .off = _OUT(log), .cb = snl_attr_get_uint8 },
1938 { .type = PF_ST_STATE_FLAGS, .off = _OUT(state_flags), .cb = snl_attr_get_uint16 },
1939 { .type = PF_ST_SYNC_FLAGS, .off = _OUT(sync_flags), .cb = snl_attr_get_uint8 },
1940 { .type = PF_ST_RTABLEID, .off = _OUT(rtableid), .cb = snl_attr_get_int32 },
1941 { .type = PF_ST_MIN_TTL, .off = _OUT(min_ttl), .cb = snl_attr_get_uint8 },
1942 { .type = PF_ST_MAX_MSS, .off = _OUT(max_mss), .cb = snl_attr_get_uint16 },
1943 { .type = PF_ST_DNPIPE, .off = _OUT(dnpipe), .cb = snl_attr_get_uint16 },
1944 { .type = PF_ST_DNRPIPE, .off = _OUT(dnrpipe), .cb = snl_attr_get_uint16 },
1945 { .type = PF_ST_RT, .off = _OUT(rt), .cb = snl_attr_get_uint8 },
1946 { .type = PF_ST_RT_IFNAME, .off = _OUT(rt_ifname), .cb = snl_attr_store_ifname },
1947 { .type = PF_ST_SRC_NODE_FLAGS, .off = _OUT(src_node_flags), .cb = snl_attr_get_uint8 },
1948 { .type = PF_ST_RT_AF, .off = _OUT(rt_af), .cb = snl_attr_get_uint8 },
1949 };
1950 #undef _IN
1951 #undef _OUT
1952 SNL_DECLARE_PARSER(state_parser, struct genlmsghdr, snl_f_p_empty, ap_state);
1953
1954 static const struct snl_hdr_parser *all_parsers[] = {
1955 &state_parser, &skey_parser, &speer_parser,
1956 &creator_parser, &getrules_parser
1957 };
1958
1959 static int
pfctl_get_states_nl(struct pfctl_state_filter * filter,struct snl_state * ss,pfctl_get_state_fn f,void * arg)1960 pfctl_get_states_nl(struct pfctl_state_filter *filter, struct snl_state *ss, pfctl_get_state_fn f, void *arg)
1961 {
1962 SNL_VERIFY_PARSERS(all_parsers);
1963 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME);
1964 int ret;
1965
1966 struct nlmsghdr *hdr;
1967 struct snl_writer nw;
1968
1969 if (family_id == 0)
1970 return (ENOTSUP);
1971
1972 snl_init_writer(ss, &nw);
1973 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETSTATES);
1974 hdr->nlmsg_flags |= NLM_F_DUMP;
1975 snl_add_msg_attr_string(&nw, PF_ST_IFNAME, filter->ifname);
1976 snl_add_msg_attr_u16(&nw, PF_ST_PROTO, filter->proto);
1977 snl_add_msg_attr_u8(&nw, PF_ST_AF, filter->af);
1978 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_ADDR, &filter->addr.v6);
1979 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_MASK, &filter->mask.v6);
1980
1981 hdr = snl_finalize_msg(&nw);
1982 if (hdr == NULL)
1983 return (ENOMEM);
1984
1985 uint32_t seq_id = hdr->nlmsg_seq;
1986
1987 snl_send_message(ss, hdr);
1988
1989 struct snl_errmsg_data e = {};
1990 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) {
1991 struct pfctl_state s;
1992 bzero(&s, sizeof(s));
1993 if (!snl_parse_nlmsg(ss, hdr, &state_parser, &s))
1994 continue;
1995
1996 ret = f(&s, arg);
1997 if (ret != 0)
1998 return (ret);
1999 }
2000
2001 return (0);
2002 }
2003
2004 int
pfctl_get_states_iter(pfctl_get_state_fn f,void * arg)2005 pfctl_get_states_iter(pfctl_get_state_fn f, void *arg)
2006 {
2007 struct pfctl_state_filter filter = {};
2008 return (pfctl_get_filtered_states_iter(&filter, f, arg));
2009 }
2010
2011 int
pfctl_get_filtered_states_iter(struct pfctl_state_filter * filter,pfctl_get_state_fn f,void * arg)2012 pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg)
2013 {
2014 struct snl_state ss = {};
2015 int error;
2016
2017 snl_init(&ss, NETLINK_GENERIC);
2018 error = pfctl_get_states_nl(filter, &ss, f, arg);
2019 snl_free(&ss);
2020
2021 return (error);
2022 }
2023
2024 static int
pfctl_append_states(struct pfctl_state * s,void * arg)2025 pfctl_append_states(struct pfctl_state *s, void *arg)
2026 {
2027 struct pfctl_state *new;
2028 struct pfctl_states *states = (struct pfctl_states *)arg;
2029
2030 new = malloc(sizeof(*s));
2031 if (new == NULL)
2032 return (ENOMEM);
2033
2034 memcpy(new, s, sizeof(*s));
2035
2036 TAILQ_INSERT_TAIL(&states->states, new, entry);
2037
2038 return (0);
2039 }
2040
2041 int
pfctl_get_states(int dev __unused,struct pfctl_states * states)2042 pfctl_get_states(int dev __unused, struct pfctl_states *states)
2043 {
2044 int ret;
2045
2046 bzero(states, sizeof(*states));
2047 TAILQ_INIT(&states->states);
2048
2049 ret = pfctl_get_states_iter(pfctl_append_states, states);
2050 if (ret != 0) {
2051 pfctl_free_states(states);
2052 return (ret);
2053 }
2054
2055 return (0);
2056 }
2057
2058 void
pfctl_free_states(struct pfctl_states * states)2059 pfctl_free_states(struct pfctl_states *states)
2060 {
2061 struct pfctl_state *s, *tmp;
2062
2063 TAILQ_FOREACH_SAFE(s, &states->states, entry, tmp) {
2064 free(s);
2065 }
2066
2067 bzero(states, sizeof(*states));
2068 }
2069
2070 struct pfctl_nl_clear_states {
2071 uint32_t killed;
2072 };
2073 #define _OUT(_field) offsetof(struct pfctl_nl_clear_states, _field)
2074 static struct snl_attr_parser ap_clear_states[] = {
2075 { .type = PF_CS_KILLED, .off = _OUT(killed), .cb = snl_attr_get_uint32 },
2076 };
2077 #undef _OUT
2078 SNL_DECLARE_PARSER(clear_states_parser, struct genlmsghdr, snl_f_p_empty, ap_clear_states);
2079
2080 static int
_pfctl_clear_states_h(struct pfctl_handle * h,const struct pfctl_kill * kill,unsigned int * killed,int cmd)2081 _pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
2082 unsigned int *killed, int cmd)
2083 {
2084 struct snl_writer nw;
2085 struct snl_errmsg_data e = {};
2086 struct pfctl_nl_clear_states attrs = {};
2087 struct nlmsghdr *hdr;
2088 uint32_t seq_id;
2089 int family_id;
2090
2091 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2092 if (family_id == 0)
2093 return (ENOTSUP);
2094
2095 snl_init_writer(&h->ss, &nw);
2096 hdr = snl_create_genl_msg_request(&nw, family_id, cmd);
2097 hdr->nlmsg_flags |= NLM_F_DUMP;
2098
2099 snl_add_msg_attr_u64(&nw, PF_CS_CMP_ID, kill->cmp.id);
2100 snl_add_msg_attr_u32(&nw, PF_CS_CMP_CREATORID, htonl(kill->cmp.creatorid));
2101 snl_add_msg_attr_u8(&nw, PF_CS_CMP_DIR, kill->cmp.direction);
2102 snl_add_msg_attr_u8(&nw, PF_CS_AF, kill->af);
2103 snl_add_msg_attr_u8(&nw, PF_CS_PROTO, kill->proto);
2104 snl_add_msg_attr_rule_addr(&nw, PF_CS_SRC, &kill->src);
2105 snl_add_msg_attr_rule_addr(&nw, PF_CS_DST, &kill->dst);
2106 snl_add_msg_attr_rule_addr(&nw, PF_CS_RT_ADDR, &kill->rt_addr);
2107 snl_add_msg_attr_string(&nw, PF_CS_IFNAME, kill->ifname);
2108 snl_add_msg_attr_string(&nw, PF_CS_LABEL, kill->label);
2109 snl_add_msg_attr_bool(&nw, PF_CS_KILL_MATCH, kill->kill_match);
2110 snl_add_msg_attr_bool(&nw, PF_CS_NAT, kill->nat);
2111
2112 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2113 return (ENXIO);
2114
2115 seq_id = hdr->nlmsg_seq;
2116
2117 if (! snl_send_message(&h->ss, hdr))
2118 return (ENXIO);
2119
2120 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2121 if (! snl_parse_nlmsg(&h->ss, hdr, &clear_states_parser, &attrs))
2122 continue;
2123 }
2124
2125 if (killed)
2126 *killed = attrs.killed;
2127
2128 return (e.error);
2129 }
2130
2131 int
pfctl_clear_states_h(struct pfctl_handle * h,const struct pfctl_kill * kill,unsigned int * killed)2132 pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
2133 unsigned int *killed)
2134 {
2135 return(_pfctl_clear_states_h(h, kill, killed, PFNL_CMD_CLRSTATES));
2136 }
2137
2138 int
pfctl_kill_states_h(struct pfctl_handle * h,const struct pfctl_kill * kill,unsigned int * killed)2139 pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
2140 unsigned int *killed)
2141 {
2142 return(_pfctl_clear_states_h(h, kill, killed, PFNL_CMD_KILLSTATES));
2143 }
2144
2145 static int
_pfctl_clear_states(int dev __unused,const struct pfctl_kill * kill,unsigned int * killed,uint64_t cmd)2146 _pfctl_clear_states(int dev __unused, const struct pfctl_kill *kill,
2147 unsigned int *killed, uint64_t cmd)
2148 {
2149 struct pfctl_handle *h;
2150 int ret;
2151
2152 h = pfctl_open(PF_DEVICE);
2153 if (h == NULL)
2154 return (ENODEV);
2155
2156 ret = _pfctl_clear_states_h(h, kill, killed, cmd);
2157 pfctl_close(h);
2158
2159 return (ret);
2160 }
2161
2162 int
pfctl_clear_states(int dev __unused,const struct pfctl_kill * kill,unsigned int * killed)2163 pfctl_clear_states(int dev __unused, const struct pfctl_kill *kill,
2164 unsigned int *killed)
2165 {
2166 return (_pfctl_clear_states(dev, kill, killed, PFNL_CMD_CLRSTATES));
2167 }
2168
2169 int
pfctl_kill_states(int dev __unused,const struct pfctl_kill * kill,unsigned int * killed)2170 pfctl_kill_states(int dev __unused, const struct pfctl_kill *kill, unsigned int *killed)
2171 {
2172 return (_pfctl_clear_states(dev, kill, killed, PFNL_CMD_KILLSTATES));
2173 }
2174
2175 int
pfctl_clear_rules(int dev,const char * anchorname)2176 pfctl_clear_rules(int dev, const char *anchorname)
2177 {
2178 struct pfioc_trans trans;
2179 struct pfioc_trans_e transe[2];
2180 int ret;
2181
2182 bzero(&trans, sizeof(trans));
2183 bzero(&transe, sizeof(transe));
2184
2185 transe[0].rs_num = PF_RULESET_SCRUB;
2186 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
2187 >= sizeof(transe[0].anchor))
2188 return (E2BIG);
2189
2190 transe[1].rs_num = PF_RULESET_FILTER;
2191 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
2192 >= sizeof(transe[1].anchor))
2193 return (E2BIG);
2194
2195 trans.size = 2;
2196 trans.esize = sizeof(transe[0]);
2197 trans.array = transe;
2198
2199 ret = ioctl(dev, DIOCXBEGIN, &trans);
2200 if (ret != 0)
2201 return (errno);
2202 ret = ioctl(dev, DIOCXCOMMIT, &trans);
2203 if (ret != 0)
2204 return (errno);
2205
2206 return (0);
2207 }
2208
2209 int
pfctl_clear_nat(int dev,const char * anchorname)2210 pfctl_clear_nat(int dev, const char *anchorname)
2211 {
2212 struct pfioc_trans trans;
2213 struct pfioc_trans_e transe[3];
2214 int ret;
2215
2216 bzero(&trans, sizeof(trans));
2217 bzero(&transe, sizeof(transe));
2218
2219 transe[0].rs_num = PF_RULESET_NAT;
2220 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
2221 >= sizeof(transe[0].anchor))
2222 return (E2BIG);
2223
2224 transe[1].rs_num = PF_RULESET_BINAT;
2225 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
2226 >= sizeof(transe[0].anchor))
2227 return (E2BIG);
2228
2229 transe[2].rs_num = PF_RULESET_RDR;
2230 if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor))
2231 >= sizeof(transe[2].anchor))
2232 return (E2BIG);
2233
2234 trans.size = 3;
2235 trans.esize = sizeof(transe[0]);
2236 trans.array = transe;
2237
2238 ret = ioctl(dev, DIOCXBEGIN, &trans);
2239 if (ret != 0)
2240 return (errno);
2241 ret = ioctl(dev, DIOCXCOMMIT, &trans);
2242 if (ret != 0)
2243 return (errno);
2244
2245 return (0);
2246 }
2247
2248 int
pfctl_clear_eth_rules(int dev,const char * anchorname)2249 pfctl_clear_eth_rules(int dev, const char *anchorname)
2250 {
2251 struct pfioc_trans trans;
2252 struct pfioc_trans_e transe;
2253 int ret;
2254
2255 bzero(&trans, sizeof(trans));
2256 bzero(&transe, sizeof(transe));
2257
2258 transe.rs_num = PF_RULESET_ETH;
2259 if (strlcpy(transe.anchor, anchorname, sizeof(transe.anchor))
2260 >= sizeof(transe.anchor))
2261 return (E2BIG);
2262
2263 trans.size = 1;
2264 trans.esize = sizeof(transe);
2265 trans.array = &transe;
2266
2267 ret = ioctl(dev, DIOCXBEGIN, &trans);
2268 if (ret != 0)
2269 return (errno);
2270 ret = ioctl(dev, DIOCXCOMMIT, &trans);
2271 if (ret != 0)
2272 return (errno);
2273
2274 return (0);
2275 }
2276
2277 static int
_pfctl_get_limit(int dev,const int index,uint * limit)2278 _pfctl_get_limit(int dev, const int index, uint *limit)
2279 {
2280 struct pfioc_limit pl;
2281
2282 bzero(&pl, sizeof(pl));
2283 pl.index = index;
2284
2285 if (ioctl(dev, DIOCGETLIMIT, &pl) == -1)
2286 return (errno);
2287
2288 *limit = pl.limit;
2289
2290 return (0);
2291 }
2292
2293 int
pfctl_set_syncookies(int dev,const struct pfctl_syncookies * s)2294 pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s)
2295 {
2296 struct pfioc_nv nv;
2297 nvlist_t *nvl;
2298 int ret;
2299 uint state_limit;
2300 uint64_t lim, hi, lo;
2301
2302 ret = _pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
2303 if (ret != 0)
2304 return (ret);
2305
2306 if (state_limit == 0)
2307 state_limit = INT_MAX;
2308
2309 lim = state_limit;
2310 hi = lim * s->highwater / 100;
2311 lo = lim * s->lowwater / 100;
2312
2313 if (lo == hi)
2314 hi++;
2315
2316 nvl = nvlist_create(0);
2317
2318 nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER);
2319 nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE);
2320 nvlist_add_number(nvl, "highwater", hi);
2321 nvlist_add_number(nvl, "lowwater", lo);
2322
2323 nv.data = nvlist_pack(nvl, &nv.len);
2324 nv.size = nv.len;
2325 nvlist_destroy(nvl);
2326 nvl = NULL;
2327
2328 ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv);
2329
2330 free(nv.data);
2331 if (ret != 0)
2332 return (errno);
2333
2334 return (0);
2335 }
2336
2337 int
pfctl_get_syncookies(int dev,struct pfctl_syncookies * s)2338 pfctl_get_syncookies(int dev, struct pfctl_syncookies *s)
2339 {
2340 nvlist_t *nvl;
2341 int ret;
2342 uint state_limit;
2343 bool enabled, adaptive;
2344
2345 ret = _pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
2346 if (ret != 0)
2347 return (ret);
2348
2349 if (state_limit == 0)
2350 state_limit = INT_MAX;
2351
2352 bzero(s, sizeof(*s));
2353
2354 nvl = nvlist_create(0);
2355
2356 if ((ret = pfctl_do_ioctl(dev, DIOCGETSYNCOOKIES, 256, &nvl)) != 0) {
2357 ret = errno;
2358 goto out;
2359 }
2360
2361 enabled = nvlist_get_bool(nvl, "enabled");
2362 adaptive = nvlist_get_bool(nvl, "adaptive");
2363
2364 if (enabled) {
2365 if (adaptive)
2366 s->mode = PFCTL_SYNCOOKIES_ADAPTIVE;
2367 else
2368 s->mode = PFCTL_SYNCOOKIES_ALWAYS;
2369 } else {
2370 s->mode = PFCTL_SYNCOOKIES_NEVER;
2371 }
2372
2373 s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit;
2374 s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit;
2375 s->halfopen_states = nvlist_get_number(nvl, "halfopen_states");
2376
2377 out:
2378 nvlist_destroy(nvl);
2379 return (ret);
2380 }
2381
2382 int
pfctl_table_add_addrs(int dev,struct pfr_table * tbl,struct pfr_addr * addr,int size,int * nadd,int flags)2383 pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
2384 *addr, int size, int *nadd, int flags)
2385 {
2386 struct pfioc_table io;
2387
2388 if (tbl == NULL || size < 0 || (size && addr == NULL)) {
2389 return (EINVAL);
2390 }
2391 bzero(&io, sizeof io);
2392 io.pfrio_flags = flags;
2393 io.pfrio_table = *tbl;
2394 io.pfrio_buffer = addr;
2395 io.pfrio_esize = sizeof(*addr);
2396 io.pfrio_size = size;
2397
2398 if (ioctl(dev, DIOCRADDADDRS, &io))
2399 return (errno);
2400 if (nadd != NULL)
2401 *nadd = io.pfrio_nadd;
2402 return (0);
2403 }
2404
2405 static void
snl_add_msg_attr_table(struct snl_writer * nw,uint32_t type,const struct pfr_table * tbl)2406 snl_add_msg_attr_table(struct snl_writer *nw, uint32_t type,
2407 const struct pfr_table *tbl)
2408 {
2409 int off;
2410
2411 off = snl_add_msg_attr_nested(nw, type);
2412
2413 snl_add_msg_attr_string(nw, PF_T_ANCHOR, tbl->pfrt_anchor);
2414 snl_add_msg_attr_string(nw, PF_T_NAME, tbl->pfrt_name);
2415 snl_add_msg_attr_u32(nw, PF_T_TABLE_FLAGS, tbl->pfrt_flags);
2416
2417 snl_end_attr_nested(nw, off);
2418 }
2419
2420 static void
snl_add_msg_attr_pfr_addr(struct snl_writer * nw,uint32_t type,const struct pfr_addr * addr)2421 snl_add_msg_attr_pfr_addr(struct snl_writer *nw, uint32_t type,
2422 const struct pfr_addr *addr)
2423 {
2424 int off;
2425
2426 off = snl_add_msg_attr_nested(nw, type);
2427
2428 snl_add_msg_attr_u8(nw, PFR_A_AF, addr->pfra_af);
2429 snl_add_msg_attr_u8(nw, PFR_A_NET, addr->pfra_net);
2430 snl_add_msg_attr_bool(nw, PFR_A_NOT, addr->pfra_not);
2431 snl_add_msg_attr_ip6(nw, PFR_A_ADDR, &addr->pfra_ip6addr);
2432
2433 snl_end_attr_nested(nw, off);
2434 }
2435
2436 static struct snl_attr_parser ap_table_add_addr[] = {
2437 { .type = PF_TA_NBR_ADDED, .off = 0, .cb = snl_attr_get_uint32 },
2438 };
2439 SNL_DECLARE_PARSER(table_add_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_table_add_addr);
2440
2441 static int
_pfctl_table_add_addrs_h(struct pfctl_handle * h,struct pfr_table * tbl,struct pfr_addr * addrs,int size,int * nadd,int flags)2442 _pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr
2443 *addrs, int size, int *nadd, int flags)
2444 {
2445 struct snl_writer nw;
2446 struct snl_errmsg_data e = {};
2447 struct nlmsghdr *hdr;
2448 uint32_t seq_id;
2449 uint32_t added;
2450 int family_id;
2451
2452 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2453 if (family_id == 0)
2454 return (ENOTSUP);
2455
2456 snl_init_writer(&h->ss, &nw);
2457 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_TABLE_ADD_ADDR);
2458
2459 snl_add_msg_attr_table(&nw, PF_TA_TABLE, tbl);
2460 snl_add_msg_attr_u32(&nw, PF_TA_FLAGS, flags);
2461 for (int i = 0; i < size; i++)
2462 snl_add_msg_attr_pfr_addr(&nw, PF_TA_ADDR, &addrs[i]);
2463
2464 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2465 return (ENXIO);
2466 seq_id = hdr->nlmsg_seq;
2467
2468 if (! snl_send_message(&h->ss, hdr))
2469 return (ENXIO);
2470
2471 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2472 if (! snl_parse_nlmsg(&h->ss, hdr, &table_add_addr_parser, &added))
2473 continue;
2474 }
2475
2476 if (nadd)
2477 *nadd = added;
2478
2479 return (e.error);
2480 }
2481
2482 int
pfctl_table_add_addrs_h(struct pfctl_handle * h,struct pfr_table * tbl,struct pfr_addr * addr,int size,int * nadd,int flags)2483 pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr
2484 *addr, int size, int *nadd, int flags)
2485 {
2486 int ret;
2487 int off = 0;
2488 int partial_added;
2489 int chunk_size;
2490
2491 do {
2492 chunk_size = MIN(size - off, 256);
2493 ret = _pfctl_table_add_addrs_h(h, tbl, &addr[off], chunk_size, &partial_added, flags);
2494 if (ret != 0)
2495 break;
2496 if (nadd)
2497 *nadd += partial_added;
2498 off += chunk_size;
2499 } while (off < size);
2500
2501 return (ret);
2502 }
2503
2504 static struct snl_attr_parser ap_table_del_addr[] = {
2505 { .type = PF_TA_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint32 },
2506 };
2507 SNL_DECLARE_PARSER(table_del_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_table_del_addr);
2508 static int
_pfctl_table_del_addrs_h(struct pfctl_handle * h,struct pfr_table * tbl,struct pfr_addr * addrs,int size,int * ndel,int flags)2509 _pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr
2510 *addrs, int size, int *ndel, int flags)
2511 {
2512 struct snl_writer nw;
2513 struct snl_errmsg_data e = {};
2514 struct nlmsghdr *hdr;
2515 uint32_t seq_id;
2516 uint32_t deleted;
2517 int family_id;
2518
2519 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2520 if (family_id == 0)
2521 return (ENOTSUP);
2522
2523 snl_init_writer(&h->ss, &nw);
2524 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_TABLE_DEL_ADDR);
2525
2526 snl_add_msg_attr_table(&nw, PF_TA_TABLE, tbl);
2527 snl_add_msg_attr_u32(&nw, PF_TA_FLAGS, flags);
2528 for (int i = 0; i < size; i++)
2529 snl_add_msg_attr_pfr_addr(&nw, PF_TA_ADDR, &addrs[i]);
2530
2531 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2532 return (ENXIO);
2533 seq_id = hdr->nlmsg_seq;
2534
2535 if (! snl_send_message(&h->ss, hdr))
2536 return (ENXIO);
2537
2538 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2539 if (! snl_parse_nlmsg(&h->ss, hdr, &table_del_addr_parser, &deleted))
2540 continue;
2541 }
2542
2543 if (ndel)
2544 *ndel = deleted;
2545
2546 return (e.error);
2547 }
2548
2549 int
pfctl_table_del_addrs(int dev,struct pfr_table * tbl,struct pfr_addr * addr,int size,int * ndel,int flags)2550 pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
2551 *addr, int size, int *ndel, int flags)
2552 {
2553 struct pfioc_table io;
2554
2555 if (tbl == NULL || size < 0 || (size && addr == NULL)) {
2556 return (EINVAL);
2557 }
2558 bzero(&io, sizeof io);
2559 io.pfrio_flags = flags;
2560 io.pfrio_table = *tbl;
2561 io.pfrio_buffer = addr;
2562 io.pfrio_esize = sizeof(*addr);
2563 io.pfrio_size = size;
2564
2565 if (ioctl(dev, DIOCRDELADDRS, &io))
2566 return (errno);
2567 if (ndel != NULL)
2568 *ndel = io.pfrio_ndel;
2569 return (0);
2570 }
2571
2572 int
pfctl_table_del_addrs_h(struct pfctl_handle * h,struct pfr_table * tbl,struct pfr_addr * addr,int size,int * ndel,int flags)2573 pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr
2574 *addr, int size, int *ndel, int flags)
2575 {
2576 int ret;
2577 int off = 0;
2578 int partial_deleted;
2579 int chunk_size;
2580
2581 do {
2582 chunk_size = MIN(size - off, 256);
2583 ret = _pfctl_table_del_addrs_h(h, tbl, &addr[off], chunk_size,
2584 &partial_deleted, flags);
2585 if (ret != 0)
2586 break;
2587 if (ndel)
2588 *ndel += partial_deleted;
2589 off += chunk_size;
2590 } while (off < size);
2591
2592 return (ret);
2593 }
2594
2595 int
pfctl_table_set_addrs(int dev,struct pfr_table * tbl,struct pfr_addr * addr,int size,int * size2,int * nadd,int * ndel,int * nchange,int flags)2596 pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
2597 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, int flags)
2598 {
2599 struct pfioc_table io;
2600
2601 if (tbl == NULL || size < 0 || (size && addr == NULL)) {
2602 return (EINVAL);
2603 }
2604 bzero(&io, sizeof io);
2605 io.pfrio_flags = flags;
2606 io.pfrio_table = *tbl;
2607 io.pfrio_buffer = addr;
2608 io.pfrio_esize = sizeof(*addr);
2609 io.pfrio_size = size;
2610 io.pfrio_size2 = (size2 != NULL) ? *size2 : 0;
2611 if (ioctl(dev, DIOCRSETADDRS, &io))
2612 return (errno);
2613 if (nadd != NULL)
2614 *nadd = io.pfrio_nadd;
2615 if (ndel != NULL)
2616 *ndel = io.pfrio_ndel;
2617 if (nchange != NULL)
2618 *nchange = io.pfrio_nchange;
2619 if (size2 != NULL)
2620 *size2 = io.pfrio_size2;
2621 return (0);
2622 }
2623
pfctl_table_get_addrs(int dev,struct pfr_table * tbl,struct pfr_addr * addr,int * size,int flags)2624 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr *addr,
2625 int *size, int flags)
2626 {
2627 struct pfioc_table io;
2628
2629 if (tbl == NULL || size == NULL || *size < 0 ||
2630 (*size && addr == NULL)) {
2631 return (EINVAL);
2632 }
2633 bzero(&io, sizeof io);
2634 io.pfrio_flags = flags;
2635 io.pfrio_table = *tbl;
2636 io.pfrio_buffer = addr;
2637 io.pfrio_esize = sizeof(*addr);
2638 io.pfrio_size = *size;
2639 if (ioctl(dev, DIOCRGETADDRS, &io))
2640 return (errno);
2641 *size = io.pfrio_size;
2642 return (0);
2643 }
2644
2645 int
pfctl_set_statusif(struct pfctl_handle * h,const char * ifname)2646 pfctl_set_statusif(struct pfctl_handle *h, const char *ifname)
2647 {
2648 struct snl_writer nw;
2649 struct snl_errmsg_data e = {};
2650 struct nlmsghdr *hdr;
2651 uint32_t seq_id;
2652 int family_id;
2653
2654 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2655 if (family_id == 0)
2656 return (ENOTSUP);
2657
2658 snl_init_writer(&h->ss, &nw);
2659 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_STATUSIF);
2660
2661 snl_add_msg_attr_string(&nw, PF_SS_IFNAME, ifname);
2662
2663 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2664 return (ENXIO);
2665
2666 seq_id = hdr->nlmsg_seq;
2667
2668 if (! snl_send_message(&h->ss, hdr))
2669 return (ENXIO);
2670
2671 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2672 }
2673
2674 return (e.error);
2675 }
2676
2677 #define _IN(_field) offsetof(struct genlmsghdr, _field)
2678 #define _OUT(_field) offsetof(struct pfctl_natlook, _field)
2679 static struct snl_attr_parser ap_natlook[] = {
2680 { .type = PF_NL_SRC_ADDR, .off = _OUT(saddr), .cb = snl_attr_get_in6_addr },
2681 { .type = PF_NL_DST_ADDR, .off = _OUT(daddr), .cb = snl_attr_get_in6_addr },
2682 { .type = PF_NL_SRC_PORT, .off = _OUT(sport), .cb = snl_attr_get_uint16 },
2683 { .type = PF_NL_DST_PORT, .off = _OUT(dport), .cb = snl_attr_get_uint16 },
2684 };
2685 #undef _IN
2686 #undef _OUT
2687 SNL_DECLARE_PARSER(natlook_parser, struct genlmsghdr, snl_f_p_empty, ap_natlook);
2688
2689 int
pfctl_natlook(struct pfctl_handle * h,const struct pfctl_natlook_key * k,struct pfctl_natlook * r)2690 pfctl_natlook(struct pfctl_handle *h, const struct pfctl_natlook_key *k,
2691 struct pfctl_natlook *r)
2692 {
2693 struct snl_writer nw;
2694 struct snl_errmsg_data e = {};
2695 struct nlmsghdr *hdr;
2696 uint32_t seq_id;
2697 int family_id;
2698
2699 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2700 if (family_id == 0)
2701 return (ENOTSUP);
2702
2703 snl_init_writer(&h->ss, &nw);
2704 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_NATLOOK);
2705 hdr->nlmsg_flags |= NLM_F_DUMP;
2706
2707 snl_add_msg_attr_u8(&nw, PF_NL_AF, k->af);
2708 snl_add_msg_attr_u8(&nw, PF_NL_DIRECTION, k->direction);
2709 snl_add_msg_attr_u8(&nw, PF_NL_PROTO, k->proto);
2710 snl_add_msg_attr_ip6(&nw, PF_NL_SRC_ADDR, &k->saddr.v6);
2711 snl_add_msg_attr_ip6(&nw, PF_NL_DST_ADDR, &k->daddr.v6);
2712 snl_add_msg_attr_u16(&nw, PF_NL_SRC_PORT, k->sport);
2713 snl_add_msg_attr_u16(&nw, PF_NL_DST_PORT, k->dport);
2714
2715 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2716 return (ENXIO);
2717
2718 seq_id = hdr->nlmsg_seq;
2719
2720 if (! snl_send_message(&h->ss, hdr))
2721 return (ENXIO);
2722
2723 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2724 if (! snl_parse_nlmsg(&h->ss, hdr, &natlook_parser, r))
2725 continue;
2726 }
2727
2728 return (e.error);
2729 }
2730
2731 int
pfctl_set_debug(struct pfctl_handle * h,uint32_t level)2732 pfctl_set_debug(struct pfctl_handle *h, uint32_t level)
2733 {
2734 struct snl_writer nw;
2735 struct snl_errmsg_data e = {};
2736 struct nlmsghdr *hdr;
2737 uint32_t seq_id;
2738 int family_id;
2739
2740 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2741 if (family_id == 0)
2742 return (ENOTSUP);
2743
2744 snl_init_writer(&h->ss, &nw);
2745 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_DEBUG);
2746
2747 snl_add_msg_attr_u32(&nw, PF_SD_LEVEL, level);
2748
2749 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2750 return (ENXIO);
2751
2752 seq_id = hdr->nlmsg_seq;
2753
2754 if (! snl_send_message(&h->ss, hdr))
2755 return (ENXIO);
2756
2757 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2758 }
2759
2760 return (e.error);
2761 }
2762
2763 int
pfctl_set_timeout(struct pfctl_handle * h,uint32_t timeout,uint32_t seconds)2764 pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds)
2765 {
2766 struct snl_writer nw;
2767 struct snl_errmsg_data e = {};
2768 struct nlmsghdr *hdr;
2769 uint32_t seq_id;
2770 int family_id;
2771
2772 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2773 if (family_id == 0)
2774 return (ENOTSUP);
2775
2776 snl_init_writer(&h->ss, &nw);
2777 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_TIMEOUT);
2778
2779 snl_add_msg_attr_u32(&nw, PF_TO_TIMEOUT, timeout);
2780 snl_add_msg_attr_u32(&nw, PF_TO_SECONDS, seconds);
2781
2782 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2783 return (ENXIO);
2784
2785 seq_id = hdr->nlmsg_seq;
2786
2787 if (! snl_send_message(&h->ss, hdr))
2788 return (ENXIO);
2789
2790 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2791 }
2792
2793 return (e.error);
2794 }
2795
2796 struct pfctl_nl_timeout {
2797 uint32_t seconds;
2798 };
2799 #define _OUT(_field) offsetof(struct pfctl_nl_timeout, _field)
2800 static struct snl_attr_parser ap_get_timeout[] = {
2801 { .type = PF_TO_SECONDS, .off = _OUT(seconds), .cb = snl_attr_get_uint32 },
2802 };
2803 #undef _OUT
2804 SNL_DECLARE_PARSER(get_timeout_parser, struct genlmsghdr, snl_f_p_empty, ap_get_timeout);
2805
2806 int
pfctl_get_timeout(struct pfctl_handle * h,uint32_t timeout,uint32_t * seconds)2807 pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds)
2808 {
2809 struct snl_writer nw;
2810 struct pfctl_nl_timeout to = {};
2811 struct snl_errmsg_data e = {};
2812 struct nlmsghdr *hdr;
2813 uint32_t seq_id;
2814 int family_id;
2815
2816 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2817 if (family_id == 0)
2818 return (ENOTSUP);
2819
2820 snl_init_writer(&h->ss, &nw);
2821 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_TIMEOUT);
2822 hdr->nlmsg_flags |= NLM_F_DUMP;
2823
2824 snl_add_msg_attr_u32(&nw, PF_TO_TIMEOUT, timeout);
2825
2826 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2827 return (ENXIO);
2828
2829 seq_id = hdr->nlmsg_seq;
2830
2831 if (! snl_send_message(&h->ss, hdr))
2832 return (ENXIO);
2833
2834 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2835 if (! snl_parse_nlmsg(&h->ss, hdr, &get_timeout_parser, &to))
2836 continue;
2837 }
2838
2839 if (seconds != NULL)
2840 *seconds = to.seconds;
2841
2842 return (e.error);
2843 }
2844
2845 int
pfctl_set_limit(struct pfctl_handle * h,const int index,const uint limit)2846 pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit)
2847 {
2848 struct snl_writer nw;
2849 struct snl_errmsg_data e = {};
2850 struct nlmsghdr *hdr;
2851 uint32_t seq_id;
2852 int family_id;
2853
2854 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2855 if (family_id == 0)
2856 return (ENOTSUP);
2857
2858 snl_init_writer(&h->ss, &nw);
2859 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_LIMIT);
2860
2861 snl_add_msg_attr_u32(&nw, PF_LI_INDEX, index);
2862 snl_add_msg_attr_u32(&nw, PF_LI_LIMIT, limit);
2863
2864 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2865 return (ENXIO);
2866
2867 seq_id = hdr->nlmsg_seq;
2868
2869 if (! snl_send_message(&h->ss, hdr))
2870 return (ENXIO);
2871
2872 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2873 }
2874
2875 return (e.error);
2876 }
2877
2878 struct pfctl_nl_limit {
2879 unsigned int limit;
2880 };
2881 #define _OUT(_field) offsetof(struct pfctl_nl_limit, _field)
2882 static struct snl_attr_parser ap_get_limit[] = {
2883 { .type = PF_LI_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 },
2884 };
2885 #undef _OUT
2886 SNL_DECLARE_PARSER(get_limit_parser, struct genlmsghdr, snl_f_p_empty, ap_get_limit);
2887
2888 int
pfctl_get_limit(struct pfctl_handle * h,const int index,uint * limit)2889 pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit)
2890 {
2891 struct snl_writer nw;
2892 struct pfctl_nl_limit li = {};
2893 struct snl_errmsg_data e = {};
2894 struct nlmsghdr *hdr;
2895 uint32_t seq_id;
2896 int family_id;
2897
2898 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2899 if (family_id == 0)
2900 return (ENOTSUP);
2901
2902 snl_init_writer(&h->ss, &nw);
2903 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_LIMIT);
2904 hdr->nlmsg_flags |= NLM_F_DUMP;
2905
2906 snl_add_msg_attr_u32(&nw, PF_LI_INDEX, index);
2907
2908 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2909 return (ENXIO);
2910
2911 seq_id = hdr->nlmsg_seq;
2912
2913 if (! snl_send_message(&h->ss, hdr))
2914 return (ENXIO);
2915
2916 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2917 if (! snl_parse_nlmsg(&h->ss, hdr, &get_limit_parser, &li))
2918 continue;
2919 }
2920
2921 if (limit != NULL)
2922 *limit = li.limit;
2923
2924 return (e.error);
2925 }
2926
2927 struct pfctl_nl_begin_addrs {
2928 uint32_t ticket;
2929 };
2930 #define _OUT(_field) offsetof(struct pfctl_nl_begin_addrs, _field)
2931 static struct snl_attr_parser ap_begin_addrs[] = {
2932 { .type = PF_BA_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 },
2933 };
2934 #undef _OUT
2935 SNL_DECLARE_PARSER(begin_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_begin_addrs);
2936
2937 int
pfctl_begin_addrs(struct pfctl_handle * h,uint32_t * ticket)2938 pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket)
2939 {
2940 struct snl_writer nw;
2941 struct pfctl_nl_begin_addrs attrs = {};
2942 struct snl_errmsg_data e = {};
2943 struct nlmsghdr *hdr;
2944 uint32_t seq_id;
2945 int family_id;
2946
2947 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2948 if (family_id == 0)
2949 return (ENOTSUP);
2950
2951 snl_init_writer(&h->ss, &nw);
2952 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_BEGIN_ADDRS);
2953 hdr->nlmsg_flags |= NLM_F_DUMP;
2954
2955 if ((hdr = snl_finalize_msg(&nw)) == NULL)
2956 return (ENXIO);
2957
2958 seq_id = hdr->nlmsg_seq;
2959
2960 if (! snl_send_message(&h->ss, hdr))
2961 return (ENXIO);
2962
2963 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
2964 if (! snl_parse_nlmsg(&h->ss, hdr, &begin_addrs_parser, &attrs))
2965 continue;
2966 }
2967
2968 if (ticket != NULL)
2969 *ticket = attrs.ticket;
2970
2971 return (e.error);
2972 }
2973
2974 int
pfctl_add_addr(struct pfctl_handle * h,const struct pfioc_pooladdr * pa,int which)2975 pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which)
2976 {
2977 struct snl_writer nw;
2978 struct snl_errmsg_data e = {};
2979 struct nlmsghdr *hdr;
2980 uint32_t seq_id;
2981 int family_id;
2982
2983 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
2984 if (family_id == 0)
2985 return (ENOTSUP);
2986
2987 snl_init_writer(&h->ss, &nw);
2988 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADD_ADDR);
2989
2990 snl_add_msg_attr_u32(&nw, PF_AA_ACTION, pa->action);
2991 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, pa->ticket);
2992 snl_add_msg_attr_u32(&nw, PF_AA_NR, pa->nr);
2993 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, pa->r_num);
2994 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, pa->r_action);
2995 snl_add_msg_attr_u8(&nw, PF_AA_R_LAST, pa->r_last);
2996 snl_add_msg_attr_u8(&nw, PF_AA_AF, pa->af);
2997 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, pa->anchor);
2998 snl_add_msg_attr_pool_addr(&nw, PF_AA_ADDR, &pa->addr);
2999 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which);
3000
3001 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3002 return (ENXIO);
3003
3004 seq_id = hdr->nlmsg_seq;
3005
3006 if (! snl_send_message(&h->ss, hdr))
3007 return (ENXIO);
3008
3009 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3010 }
3011
3012 return (e.error);
3013 }
3014
3015 static const struct snl_attr_parser ap_get_addrs[] = {
3016 { .type = PF_AA_NR, .off = 0, .cb = snl_attr_get_uint32 },
3017 };
3018 SNL_DECLARE_PARSER(get_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_get_addrs);
3019
3020 int
pfctl_get_addrs(struct pfctl_handle * h,uint32_t ticket,uint32_t r_num,uint8_t r_action,const char * anchor,uint32_t * nr,int which)3021 pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
3022 uint8_t r_action, const char *anchor, uint32_t *nr, int which)
3023 {
3024 struct snl_writer nw;
3025 struct snl_errmsg_data e = {};
3026 struct nlmsghdr *hdr;
3027 uint32_t seq_id;
3028 int family_id;
3029
3030 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3031 if (family_id == 0)
3032 return (ENOTSUP);
3033
3034 snl_init_writer(&h->ss, &nw);
3035 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_ADDRS);
3036
3037 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, ticket);
3038 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, r_num);
3039 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, r_action);
3040 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, anchor);
3041 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which);
3042
3043 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3044 return (ENXIO);
3045
3046 seq_id = hdr->nlmsg_seq;
3047
3048 if (! snl_send_message(&h->ss, hdr))
3049 return (ENXIO);
3050
3051 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3052 if (! snl_parse_nlmsg(&h->ss, hdr, &get_addrs_parser, nr))
3053 continue;
3054 }
3055
3056 return (e.error);
3057 }
3058
3059 #define _OUT(_field) offsetof(struct pf_pooladdr, _field)
3060 static const struct snl_attr_parser ap_pool_addr[] = {
3061 { .type = PF_PA_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = snl_attr_get_nested },
3062 { .type = PF_PA_IFNAME, .off = _OUT(ifname), .arg_u32 = IFNAMSIZ, .cb = snl_attr_copy_string },
3063 };
3064 SNL_DECLARE_ATTR_PARSER(pool_addr_parser, ap_pool_addr);
3065 #undef _OUT
3066
3067 #define _OUT(_field) offsetof(struct pfioc_pooladdr, _field)
3068 static const struct snl_attr_parser ap_get_addr[] = {
3069 { .type = PF_AA_ACTION, .off = _OUT(action), .cb = snl_attr_get_uint32 },
3070 { .type = PF_AA_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 },
3071 { .type = PF_AA_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 },
3072 { .type = PF_AA_R_NUM, .off = _OUT(r_num), .cb = snl_attr_get_uint32 },
3073 { .type = PF_AA_R_ACTION, .off = _OUT(r_action), .cb = snl_attr_get_uint8 },
3074 { .type = PF_AA_R_LAST, .off = _OUT(r_last), .cb = snl_attr_get_uint8 },
3075 { .type = PF_AA_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 },
3076 { .type = PF_AA_ANCHOR, .off = _OUT(anchor), .arg_u32 = MAXPATHLEN, .cb = snl_attr_copy_string },
3077 { .type = PF_AA_ADDR, .off = _OUT(addr), .arg = &pool_addr_parser, .cb = snl_attr_get_nested },
3078 };
3079 SNL_DECLARE_PARSER(get_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_get_addr);
3080 #undef _OUT
3081
3082 int
pfctl_get_addr(struct pfctl_handle * h,uint32_t ticket,uint32_t r_num,uint8_t r_action,const char * anchor,uint32_t nr,struct pfioc_pooladdr * pa,int which)3083 pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
3084 uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa,
3085 int which)
3086 {
3087 struct snl_writer nw;
3088 struct snl_errmsg_data e = {};
3089 struct nlmsghdr *hdr;
3090 uint32_t seq_id;
3091 int family_id;
3092
3093 family_id =snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3094 if (family_id == 0)
3095 return (ENOTSUP);
3096
3097 snl_init_writer(&h->ss, &nw);
3098 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_ADDR);
3099
3100 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, ticket);
3101 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, r_num);
3102 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, r_action);
3103 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, anchor);
3104 snl_add_msg_attr_u32(&nw, PF_AA_NR, nr);
3105 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which);
3106
3107 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3108 return (ENXIO);
3109
3110 seq_id = hdr->nlmsg_seq;
3111
3112 if (! snl_send_message(&h->ss, hdr))
3113 return (ENXIO);
3114
3115 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3116 if (! snl_parse_nlmsg(&h->ss, hdr, &get_addr_parser, pa))
3117 continue;
3118 }
3119
3120 return (e.error);
3121 }
3122
3123 #define _OUT(_field) offsetof(struct pfioc_ruleset, _field)
3124 static const struct snl_attr_parser ap_ruleset[] = {
3125 { .type = PF_RS_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 },
3126 { .type = PF_RS_NAME, .off = _OUT(name), .arg = (void *)PF_ANCHOR_NAME_SIZE, .cb = snl_attr_copy_string },
3127 };
3128 SNL_DECLARE_PARSER(ruleset_parser, struct genlmsghdr, snl_f_p_empty, ap_ruleset);
3129 #undef _OUT
3130
3131 int
pfctl_get_rulesets(struct pfctl_handle * h,const char * path,uint32_t * nr)3132 pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr)
3133 {
3134 struct snl_writer nw;
3135 struct snl_errmsg_data e = {};
3136 struct nlmsghdr *hdr;
3137 struct pfioc_ruleset rs = {};
3138 uint32_t seq_id;
3139 int family_id;
3140
3141 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3142 if (family_id == 0)
3143 return (ENOTSUP);
3144
3145 snl_init_writer(&h->ss, &nw);
3146 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_RULESETS);
3147
3148 snl_add_msg_attr_string(&nw, PF_RS_PATH, path);
3149
3150 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3151 return (ENXIO);
3152
3153 seq_id = hdr->nlmsg_seq;
3154
3155 if (! snl_send_message(&h->ss, hdr))
3156 return (ENXIO);
3157
3158 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3159 if (! snl_parse_nlmsg(&h->ss, hdr, &ruleset_parser, &rs))
3160 continue;
3161 }
3162
3163 *nr = rs.nr;
3164
3165 return (e.error);
3166 }
3167
3168 int
pfctl_get_ruleset(struct pfctl_handle * h,const char * path,uint32_t nr,struct pfioc_ruleset * rs)3169 pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs)
3170 {
3171 struct snl_writer nw;
3172 struct snl_errmsg_data e = {};
3173 struct nlmsghdr *hdr;
3174 uint32_t seq_id;
3175 int family_id;
3176
3177 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3178 if (family_id == 0)
3179 return (ENOTSUP);
3180
3181 snl_init_writer(&h->ss, &nw);
3182 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_RULESET);
3183
3184 snl_add_msg_attr_string(&nw, PF_RS_PATH, path);
3185 snl_add_msg_attr_u32(&nw, PF_RS_NR, nr);
3186
3187 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3188 return (ENXIO);
3189
3190 seq_id = hdr->nlmsg_seq;
3191
3192 if (! snl_send_message(&h->ss, hdr))
3193 return (ENXIO);
3194
3195 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3196 if (! snl_parse_nlmsg(&h->ss, hdr, &ruleset_parser, rs))
3197 continue;
3198 }
3199
3200 return (e.error);
3201 }
3202
3203 #define _OUT(_field) offsetof(struct pfctl_src_node, _field)
3204 static struct snl_attr_parser ap_srcnode[] = {
3205 { .type = PF_SN_ADDR, .off = _OUT(addr), .cb = snl_attr_get_in6_addr },
3206 { .type = PF_SN_RADDR, .off = _OUT(raddr), .cb = snl_attr_get_in6_addr },
3207 { .type = PF_SN_RULE_NR, .off = _OUT(rule), .cb = snl_attr_get_uint32 },
3208 { .type = PF_SN_BYTES_IN, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 },
3209 { .type = PF_SN_BYTES_OUT, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 },
3210 { .type = PF_SN_PACKETS_IN, .off = _OUT(packets[0]), .cb = snl_attr_get_uint64 },
3211 { .type = PF_SN_PACKETS_OUT, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 },
3212 { .type = PF_SN_STATES, .off = _OUT(states), .cb = snl_attr_get_uint32 },
3213 { .type = PF_SN_CONNECTIONS, .off = _OUT(conn), .cb = snl_attr_get_uint32 },
3214 { .type = PF_SN_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 },
3215 { .type = PF_SN_RULE_TYPE, .off = _OUT(ruletype), .cb = snl_attr_get_uint8 },
3216 { .type = PF_SN_CREATION, .off = _OUT(creation), .cb = snl_attr_get_uint64 },
3217 { .type = PF_SN_EXPIRE, .off = _OUT(expire), .cb = snl_attr_get_uint64 },
3218 { .type = PF_SN_CONNECTION_RATE, .off = _OUT(conn_rate), .arg = &pfctl_threshold_parser, .cb = snl_attr_get_nested },
3219 { .type = PF_SN_RAF, .off = _OUT(raf), .cb = snl_attr_get_uint8 },
3220 { .type = PF_SN_NODE_TYPE, .off = _OUT(type), .cb = snl_attr_get_uint8 },
3221 };
3222 #undef _OUT
3223 SNL_DECLARE_PARSER(srcnode_parser, struct genlmsghdr, snl_f_p_empty, ap_srcnode);
3224
3225 int
pfctl_get_srcnodes(struct pfctl_handle * h,pfctl_get_srcnode_fn fn,void * arg)3226 pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg)
3227 {
3228 struct snl_writer nw;
3229 struct pfctl_src_node sn;
3230 struct snl_errmsg_data e = {};
3231 struct nlmsghdr *hdr;
3232 uint32_t seq_id;
3233 int family_id;
3234 int ret;
3235
3236 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3237 if (family_id == 0)
3238 return (ENOTSUP);
3239
3240 snl_init_writer(&h->ss, &nw);
3241 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_SRCNODES);
3242
3243 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3244 return (ENXIO);
3245
3246 seq_id = hdr->nlmsg_seq;
3247
3248 if (!snl_send_message(&h->ss, hdr))
3249 return (ENXIO);
3250
3251 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3252 bzero(&sn, sizeof(sn));
3253 if (!snl_parse_nlmsg(&h->ss, hdr, &srcnode_parser, &sn))
3254 continue;
3255
3256 ret = fn(&sn, arg);
3257 if (ret != 0)
3258 return (ret);
3259 }
3260
3261 return (e.error);
3262 }
3263
3264 static struct snl_attr_parser ap_ndel[] = {
3265 { .type = PF_T_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint32 },
3266 };
3267 SNL_DECLARE_PARSER(ndel_parser, struct genlmsghdr, snl_f_p_empty, ap_ndel);
3268
3269 int
pfctl_clear_tables(struct pfctl_handle * h,struct pfr_table * filter,int * ndel,int flags)3270 pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter,
3271 int *ndel, int flags)
3272 {
3273 struct snl_writer nw;
3274 struct snl_errmsg_data e = {};
3275 struct nlmsghdr *hdr;
3276 uint32_t seq_id;
3277 int family_id;
3278
3279 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3280 if (family_id == 0)
3281 return (ENOTSUP);
3282
3283 snl_init_writer(&h->ss, &nw);
3284 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLEAR_TABLES);
3285
3286 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor);
3287 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name);
3288 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags);
3289 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags);
3290
3291 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3292 return (ENXIO);
3293
3294 seq_id = hdr->nlmsg_seq;
3295
3296 if (!snl_send_message(&h->ss, hdr))
3297 return (ENXIO);
3298
3299 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3300 if (!snl_parse_nlmsg(&h->ss, hdr, &ndel_parser, ndel))
3301 continue;
3302 }
3303
3304 return (e.error);
3305 }
3306
3307 static struct snl_attr_parser ap_nadd[] = {
3308 { .type = PF_T_NBR_ADDED, .off = 0, .cb = snl_attr_get_uint32 },
3309 };
3310 SNL_DECLARE_PARSER(nadd_parser, struct genlmsghdr, snl_f_p_empty, ap_nadd);
3311 int
pfctl_add_table(struct pfctl_handle * h,struct pfr_table * table,int * nadd,int flags)3312 pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table,
3313 int *nadd, int flags)
3314 {
3315 struct snl_writer nw;
3316 struct snl_errmsg_data e = {};
3317 struct nlmsghdr *hdr;
3318 uint32_t seq_id;
3319 int family_id;
3320
3321 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3322 if (family_id == 0)
3323 return (ENOTSUP);
3324
3325 snl_init_writer(&h->ss, &nw);
3326 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADD_TABLE);
3327
3328 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, table->pfrt_anchor);
3329 snl_add_msg_attr_string(&nw, PF_T_NAME, table->pfrt_name);
3330 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, table->pfrt_flags);
3331 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags);
3332
3333 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3334 return (ENXIO);
3335
3336 seq_id = hdr->nlmsg_seq;
3337
3338 if (!snl_send_message(&h->ss, hdr))
3339 return (ENXIO);
3340
3341 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3342 if (!snl_parse_nlmsg(&h->ss, hdr, &nadd_parser, nadd))
3343 continue;
3344 }
3345
3346 return (e.error);
3347 }
3348
3349 int
pfctl_del_table(struct pfctl_handle * h,struct pfr_table * table,int * ndel,int flags)3350 pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table,
3351 int *ndel, int flags)
3352 {
3353 struct snl_writer nw;
3354 struct snl_errmsg_data e = {};
3355 struct nlmsghdr *hdr;
3356 uint32_t seq_id;
3357 int family_id;
3358
3359 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3360 if (family_id == 0)
3361 return (ENOTSUP);
3362
3363 snl_init_writer(&h->ss, &nw);
3364 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_DEL_TABLE);
3365
3366 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, table->pfrt_anchor);
3367 snl_add_msg_attr_string(&nw, PF_T_NAME, table->pfrt_name);
3368 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, table->pfrt_flags);
3369 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags);
3370
3371 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3372 return (ENXIO);
3373
3374 seq_id = hdr->nlmsg_seq;
3375
3376 if (!snl_send_message(&h->ss, hdr))
3377 return (ENXIO);
3378
3379 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3380 if (!snl_parse_nlmsg(&h->ss, hdr, &ndel_parser, ndel))
3381 continue;
3382 }
3383
3384 return (e.error);
3385 }
3386
3387 static bool
snl_attr_get_uint64_into_int_array(struct snl_state * ss,struct nlattr * nla,const void * arg,void * target)3388 snl_attr_get_uint64_into_int_array(struct snl_state *ss, struct nlattr *nla,
3389 const void *arg, void *target)
3390 {
3391 uint64_t *u64target;
3392 struct snl_uint64_array a = {
3393 .count = 0,
3394 .max = (size_t)arg,
3395 };
3396 bool error;
3397
3398 u64target = malloc(a.max * sizeof(uint64_t));
3399 a.array = u64target;
3400
3401 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &array_parser, &a);
3402 if (! error)
3403 return (error);
3404
3405 for (size_t i = 0; i < a.count; i++)
3406 ((int *)target)[i] = (int)u64target[i];
3407
3408 free(u64target);
3409
3410 return (true);
3411 }
3412
3413 #define _OUT(_field) offsetof(struct pfr_table, _field)
3414 static const struct snl_attr_parser ap_table[] = {
3415 { .type = PF_T_ANCHOR, .off = _OUT(pfrt_anchor), .arg = (void *)MAXPATHLEN, .cb = snl_attr_copy_string },
3416 { .type = PF_T_NAME, .off = _OUT(pfrt_name), .arg = (void *)PF_TABLE_NAME_SIZE, .cb =snl_attr_copy_string },
3417 { .type = PF_T_TABLE_FLAGS, .off = _OUT(pfrt_flags), .cb = snl_attr_get_uint32 },
3418 };
3419 #undef _OUT
3420 SNL_DECLARE_ATTR_PARSER(table_parser, ap_table);
3421 #define _OUT(_field) offsetof(struct pfr_tstats, _field)
3422 static struct snl_attr_parser ap_tstats[] = {
3423 { .type = PF_TS_TABLE, .off = _OUT(pfrts_t), .arg = &table_parser, .cb = snl_attr_get_nested },
3424 { .type = PF_TS_PACKETS, .off = _OUT(pfrts_packets), .arg = (void *)(PFR_DIR_MAX * PFR_OP_TABLE_MAX), .cb = snl_attr_get_uint64_array},
3425 { .type = PF_TS_BYTES, .off = _OUT(pfrts_bytes), .arg = (void *)(PFR_DIR_MAX * PFR_OP_TABLE_MAX), .cb = snl_attr_get_uint64_array },
3426 { .type = PF_TS_MATCH, .off = _OUT(pfrts_match), .cb = snl_attr_get_uint64 },
3427 {. type = PF_TS_NOMATCH, .off = _OUT(pfrts_nomatch), .cb = snl_attr_get_uint64 },
3428 { .type = PF_TS_TZERO, .off = _OUT(pfrts_tzero), .cb = snl_attr_get_uint64 },
3429 { .type = PF_TS_REFCNT, .off = _OUT(pfrts_cnt), . arg = (void *)PFR_REFCNT_MAX, .cb = snl_attr_get_uint64_into_int_array },
3430 };
3431 #undef _OUT
3432 SNL_DECLARE_PARSER(tstats_parser, struct genlmsghdr, snl_f_p_empty, ap_tstats);
3433
3434 int
pfctl_get_tstats(struct pfctl_handle * h,const struct pfr_table * filter,pfctl_get_tstats_fn fn,void * arg)3435 pfctl_get_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
3436 pfctl_get_tstats_fn fn, void *arg)
3437 {
3438 struct snl_writer nw;
3439 struct snl_errmsg_data e = {};
3440 struct nlmsghdr *hdr;
3441 uint32_t seq_id;
3442 int family_id;
3443 int ret;
3444
3445 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3446 if (family_id == 0)
3447 return (ENOTSUP);
3448
3449 snl_init_writer(&h->ss, &nw);
3450 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_TSTATS);
3451
3452 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor);
3453 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name);
3454 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags);
3455
3456 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3457 return (ENXIO);
3458
3459 seq_id = hdr->nlmsg_seq;
3460
3461 if (!snl_send_message(&h->ss, hdr))
3462 return (ENXIO);
3463
3464 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3465 struct pfr_tstats tstats = {};
3466
3467 if (!snl_parse_nlmsg(&h->ss, hdr, &tstats_parser, &tstats))
3468 continue;
3469
3470 ret = fn(&tstats, arg);
3471 if (ret != 0)
3472 break;
3473 }
3474
3475 return (e.error);
3476 }
3477
3478 static struct snl_attr_parser ap_tstats_clr[] = {
3479 { .type = PF_TS_NZERO, .off = 0, .cb = snl_attr_get_uint64 },
3480 };
3481 SNL_DECLARE_PARSER(tstats_clr_parser, struct genlmsghdr, snl_f_p_empty, ap_tstats_clr);
3482
3483 int
pfctl_clear_tstats(struct pfctl_handle * h,const struct pfr_table * filter,int * nzero,int flags)3484 pfctl_clear_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
3485 int *nzero, int flags)
3486 {
3487 struct snl_writer nw;
3488 struct snl_errmsg_data e = {};
3489 struct nlmsghdr *hdr;
3490 uint64_t zero;
3491 uint32_t seq_id;
3492 int family_id;
3493
3494 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3495 if (family_id == 0)
3496 return (ENOTSUP);
3497
3498 snl_init_writer(&h->ss, &nw);
3499 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLR_TSTATS);
3500
3501 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor);
3502 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name);
3503 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags);
3504 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags);
3505
3506 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3507 return (ENXIO);
3508
3509 seq_id = hdr->nlmsg_seq;
3510
3511 if (!snl_send_message(&h->ss, hdr))
3512 return (ENXIO);
3513
3514 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3515 if (!snl_parse_nlmsg(&h->ss, hdr, &tstats_clr_parser, &zero))
3516 continue;
3517 if (nzero)
3518 *nzero = (uint32_t)zero;
3519 }
3520
3521 return (e.error);
3522 }
3523
3524 static struct snl_attr_parser ap_clr_addrs[] = {
3525 { .type = PF_T_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint64 },
3526 };
3527 SNL_DECLARE_PARSER(clr_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_clr_addrs);
3528
3529 int
pfctl_clear_addrs(struct pfctl_handle * h,const struct pfr_table * filter,int * ndel,int flags)3530 pfctl_clear_addrs(struct pfctl_handle *h, const struct pfr_table *filter,
3531 int *ndel, int flags)
3532 {
3533 struct snl_writer nw;
3534 struct snl_errmsg_data e = {};
3535 struct nlmsghdr *hdr;
3536 uint64_t del;
3537 uint32_t seq_id;
3538 int family_id;
3539
3540 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
3541 if (family_id == 0)
3542 return (ENOTSUP);
3543
3544 snl_init_writer(&h->ss, &nw);
3545 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLR_ADDRS);
3546
3547 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor);
3548 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name);
3549 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags);
3550 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags);
3551
3552 if ((hdr = snl_finalize_msg(&nw)) == NULL)
3553 return (ENXIO);
3554
3555 seq_id = hdr->nlmsg_seq;
3556
3557 if (!snl_send_message(&h->ss, hdr))
3558 return (ENXIO);
3559
3560 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
3561 if (!snl_parse_nlmsg(&h->ss, hdr, &clr_addrs_parser, &del))
3562 continue;
3563 if (ndel)
3564 *ndel = (uint32_t)del;
3565 }
3566
3567 return (e.error);
3568 }
3569
3570