1 /* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
2
3 /*-
4 * SPDX-License-Identifier: BSD-2-Clause
5 *
6 * Copyright (c) 2001 Daniel Hartmeier
7 * Copyright (c) 2002,2003 Henning Brauer
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * - Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * - Redistributions in binary form must reproduce the above
17 * copyright notice, this list of conditions and the following
18 * disclaimer in the documentation and/or other materials provided
19 * with the distribution.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
33 *
34 */
35
36 #include <sys/cdefs.h>
37 #define PFIOC_USE_LATEST
38
39 #include <sys/types.h>
40 #include <sys/ioctl.h>
41 #include <sys/socket.h>
42 #include <sys/stat.h>
43 #include <sys/endian.h>
44
45 #include <net/if.h>
46 #include <netinet/in.h>
47 #include <net/pfvar.h>
48 #include <arpa/inet.h>
49 #include <net/altq/altq.h>
50
51 #include <err.h>
52 #include <errno.h>
53 #include <fcntl.h>
54 #include <libpfctl.h>
55 #include <limits.h>
56 #include <netdb.h>
57 #include <stdint.h>
58 #include <stdio.h>
59 #include <stdlib.h>
60 #include <string.h>
61 #include <unistd.h>
62
63 #include "pfctl_parser.h"
64 #include "pfctl.h"
65
66 void usage(void);
67 int pfctl_enable(int, int);
68 int pfctl_disable(int, int);
69 int pfctl_clear_stats(struct pfctl_handle *, int);
70 int pfctl_get_skip_ifaces(void);
71 int pfctl_check_skip_ifaces(char *);
72 int pfctl_adjust_skip_ifaces(struct pfctl *);
73 int pfctl_clear_interface_flags(int, int);
74 int pfctl_flush_eth_rules(int, int, char *);
75 int pfctl_flush_rules(int, int, char *);
76 int pfctl_flush_nat(int, int, char *);
77 int pfctl_clear_altq(int, int);
78 int pfctl_clear_src_nodes(int, int);
79 int pfctl_clear_iface_states(int, const char *, int);
80 void pfctl_addrprefix(char *, struct pf_addr *);
81 int pfctl_kill_src_nodes(int, const char *, int);
82 int pfctl_net_kill_states(int, const char *, int);
83 int pfctl_gateway_kill_states(int, const char *, int);
84 int pfctl_label_kill_states(int, const char *, int);
85 int pfctl_id_kill_states(int, const char *, int);
86 void pfctl_init_options(struct pfctl *);
87 int pfctl_load_options(struct pfctl *);
88 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
89 int pfctl_load_timeout(struct pfctl *, unsigned int, unsigned int);
90 int pfctl_load_debug(struct pfctl *, unsigned int);
91 int pfctl_load_logif(struct pfctl *, char *);
92 int pfctl_load_hostid(struct pfctl *, u_int32_t);
93 int pfctl_load_reassembly(struct pfctl *, u_int32_t);
94 int pfctl_load_syncookies(struct pfctl *, u_int8_t);
95 int pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int,
96 char *, int);
97 void pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int);
98 void pfctl_print_rule_counters(struct pfctl_rule *, int);
99 int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, int, int);
100 int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int, int);
101 int pfctl_show_nat(int, char *, int, char *, int, int);
102 int pfctl_show_src_nodes(int, int);
103 int pfctl_show_states(int, const char *, int);
104 int pfctl_show_status(int, int);
105 int pfctl_show_running(int);
106 int pfctl_show_timeouts(int, int);
107 int pfctl_show_limits(int, int);
108 void pfctl_debug(int, u_int32_t, int);
109 int pfctl_test_altqsupport(int, int);
110 int pfctl_show_anchors(int, int, char *);
111 int pfctl_show_eth_anchors(int, int, char *);
112 int pfctl_ruleset_trans(struct pfctl *, char *, struct pfctl_anchor *, bool);
113 int pfctl_eth_ruleset_trans(struct pfctl *, char *,
114 struct pfctl_eth_anchor *);
115 int pfctl_load_eth_ruleset(struct pfctl *, char *,
116 struct pfctl_eth_ruleset *, int);
117 int pfctl_load_eth_rule(struct pfctl *, char *, struct pfctl_eth_rule *,
118 int);
119 int pfctl_load_ruleset(struct pfctl *, char *,
120 struct pfctl_ruleset *, int, int);
121 int pfctl_load_rule(struct pfctl *, char *, struct pfctl_rule *, int);
122 const char *pfctl_lookup_option(char *, const char * const *);
123
124 static struct pfctl_anchor_global pf_anchors;
125 struct pfctl_anchor pf_main_anchor;
126 struct pfctl_eth_anchor pf_eth_main_anchor;
127 static struct pfr_buffer skip_b;
128
129 static const char *clearopt;
130 static char *rulesopt;
131 static const char *showopt;
132 static const char *debugopt;
133 static char *anchoropt;
134 static const char *optiopt = NULL;
135 static const char *pf_device = PF_DEVICE;
136 static char *ifaceopt;
137 static char *tableopt;
138 static const char *tblcmdopt;
139 static int src_node_killers;
140 static char *src_node_kill[2];
141 static int state_killers;
142 static char *state_kill[2];
143 int loadopt;
144 int altqsupport;
145
146 int dev = -1;
147 struct pfctl_handle *pfh = NULL;
148 static int first_title = 1;
149 static int labels = 0;
150
151 #define INDENT(d, o) do { \
152 if (o) { \
153 int i; \
154 for (i=0; i < d; i++) \
155 printf(" "); \
156 } \
157 } while (0); \
158
159
160 static const struct {
161 const char *name;
162 int index;
163 } pf_limits[] = {
164 { "states", PF_LIMIT_STATES },
165 { "src-nodes", PF_LIMIT_SRC_NODES },
166 { "frags", PF_LIMIT_FRAGS },
167 { "table-entries", PF_LIMIT_TABLE_ENTRIES },
168 { NULL, 0 }
169 };
170
171 struct pf_hint {
172 const char *name;
173 int timeout;
174 };
175 static const struct pf_hint pf_hint_normal[] = {
176 { "tcp.first", 2 * 60 },
177 { "tcp.opening", 30 },
178 { "tcp.established", 24 * 60 * 60 },
179 { "tcp.closing", 15 * 60 },
180 { "tcp.finwait", 45 },
181 { "tcp.closed", 90 },
182 { "tcp.tsdiff", 30 },
183 { NULL, 0 }
184 };
185 static const struct pf_hint pf_hint_satellite[] = {
186 { "tcp.first", 3 * 60 },
187 { "tcp.opening", 30 + 5 },
188 { "tcp.established", 24 * 60 * 60 },
189 { "tcp.closing", 15 * 60 + 5 },
190 { "tcp.finwait", 45 + 5 },
191 { "tcp.closed", 90 + 5 },
192 { "tcp.tsdiff", 60 },
193 { NULL, 0 }
194 };
195 static const struct pf_hint pf_hint_conservative[] = {
196 { "tcp.first", 60 * 60 },
197 { "tcp.opening", 15 * 60 },
198 { "tcp.established", 5 * 24 * 60 * 60 },
199 { "tcp.closing", 60 * 60 },
200 { "tcp.finwait", 10 * 60 },
201 { "tcp.closed", 3 * 60 },
202 { "tcp.tsdiff", 60 },
203 { NULL, 0 }
204 };
205 static const struct pf_hint pf_hint_aggressive[] = {
206 { "tcp.first", 30 },
207 { "tcp.opening", 5 },
208 { "tcp.established", 5 * 60 * 60 },
209 { "tcp.closing", 60 },
210 { "tcp.finwait", 30 },
211 { "tcp.closed", 30 },
212 { "tcp.tsdiff", 10 },
213 { NULL, 0 }
214 };
215
216 static const struct {
217 const char *name;
218 const struct pf_hint *hint;
219 } pf_hints[] = {
220 { "normal", pf_hint_normal },
221 { "satellite", pf_hint_satellite },
222 { "high-latency", pf_hint_satellite },
223 { "conservative", pf_hint_conservative },
224 { "aggressive", pf_hint_aggressive },
225 { NULL, NULL }
226 };
227
228 static const char * const clearopt_list[] = {
229 "nat", "queue", "rules", "Sources",
230 "states", "info", "Tables", "osfp", "all",
231 "ethernet", NULL
232 };
233
234 static const char * const showopt_list[] = {
235 "ether", "nat", "queue", "rules", "Anchors", "Sources", "states",
236 "info", "Interfaces", "labels", "timeouts", "memory", "Tables",
237 "osfp", "Running", "all", "creatorids", NULL
238 };
239
240 static const char * const tblcmdopt_list[] = {
241 "kill", "flush", "add", "delete", "load", "replace", "show",
242 "test", "zero", "expire", "reset", NULL
243 };
244
245 static const char * const debugopt_list[] = {
246 "none", "urgent", "misc", "loud", NULL
247 };
248
249 static const char * const optiopt_list[] = {
250 "none", "basic", "profile", NULL
251 };
252
253 void
usage(void)254 usage(void)
255 {
256 extern char *__progname;
257
258 fprintf(stderr,
259 "usage: %s [-AdeghMmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
260 "\t[-f file] [-i interface] [-K host | network]\n"
261 "\t[-k host | network | gateway | label | id] [-o level] [-p device]\n"
262 "\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
263 __progname);
264
265 exit(1);
266 }
267
268 /*
269 * Cache protocol number to name translations.
270 *
271 * Translation is performed a lot e.g., when dumping states and
272 * getprotobynumber is incredibly expensive.
273 *
274 * Note from the getprotobynumber(3) manpage:
275 * <quote>
276 * These functions use a thread-specific data space; if the data is needed
277 * for future use, it should be copied before any subsequent calls overwrite
278 * it. Only the Internet protocols are currently understood.
279 * </quote>
280 *
281 * Consequently we only cache the name and strdup it for safety.
282 *
283 * At the time of writing this comment the last entry in /etc/protocols is:
284 * divert 258 DIVERT # Divert pseudo-protocol [non IANA]
285 */
286 const char *
pfctl_proto2name(int proto)287 pfctl_proto2name(int proto)
288 {
289 static const char *pfctl_proto_cache[259];
290 struct protoent *p;
291
292 if (proto >= nitems(pfctl_proto_cache)) {
293 p = getprotobynumber(proto);
294 if (p == NULL) {
295 return (NULL);
296 }
297 return (p->p_name);
298 }
299
300 if (pfctl_proto_cache[proto] == NULL) {
301 p = getprotobynumber(proto);
302 if (p == NULL) {
303 return (NULL);
304 }
305 pfctl_proto_cache[proto] = strdup(p->p_name);
306 }
307
308 return (pfctl_proto_cache[proto]);
309 }
310
311 int
pfctl_enable(int dev,int opts)312 pfctl_enable(int dev, int opts)
313 {
314 int ret;
315
316 if ((ret = pfctl_startstop(pfh, 1)) != 0) {
317 if (ret == EEXIST)
318 errx(1, "pf already enabled");
319 else if (ret == ESRCH)
320 errx(1, "pfil registeration failed");
321 else
322 errc(1, ret, "DIOCSTART");
323 }
324 if ((opts & PF_OPT_QUIET) == 0)
325 fprintf(stderr, "pf enabled\n");
326
327 if (altqsupport && ioctl(dev, DIOCSTARTALTQ))
328 if (errno != EEXIST)
329 err(1, "DIOCSTARTALTQ");
330
331 return (0);
332 }
333
334 int
pfctl_disable(int dev,int opts)335 pfctl_disable(int dev, int opts)
336 {
337 int ret;
338
339 if ((ret = pfctl_startstop(pfh, 0)) != 0) {
340 if (ret == ENOENT)
341 errx(1, "pf not enabled");
342 else
343 errc(1, ret, "DIOCSTOP");
344 }
345 if ((opts & PF_OPT_QUIET) == 0)
346 fprintf(stderr, "pf disabled\n");
347
348 if (altqsupport && ioctl(dev, DIOCSTOPALTQ))
349 if (errno != ENOENT)
350 err(1, "DIOCSTOPALTQ");
351
352 return (0);
353 }
354
355 int
pfctl_clear_stats(struct pfctl_handle * h,int opts)356 pfctl_clear_stats(struct pfctl_handle *h, int opts)
357 {
358 int ret;
359 if ((ret = pfctl_clear_status(h)) != 0)
360 errc(1, ret, "DIOCCLRSTATUS");
361 if ((opts & PF_OPT_QUIET) == 0)
362 fprintf(stderr, "pf: statistics cleared\n");
363 return (0);
364 }
365
366 int
pfctl_get_skip_ifaces(void)367 pfctl_get_skip_ifaces(void)
368 {
369 bzero(&skip_b, sizeof(skip_b));
370 skip_b.pfrb_type = PFRB_IFACES;
371 for (;;) {
372 pfr_buf_grow(&skip_b, skip_b.pfrb_size);
373 skip_b.pfrb_size = skip_b.pfrb_msize;
374 if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size))
375 err(1, "pfi_get_ifaces");
376 if (skip_b.pfrb_size <= skip_b.pfrb_msize)
377 break;
378 }
379 return (0);
380 }
381
382 int
pfctl_check_skip_ifaces(char * ifname)383 pfctl_check_skip_ifaces(char *ifname)
384 {
385 struct pfi_kif *p;
386 struct node_host *h = NULL, *n = NULL;
387
388 PFRB_FOREACH(p, &skip_b) {
389 if (!strcmp(ifname, p->pfik_name) &&
390 (p->pfik_flags & PFI_IFLAG_SKIP))
391 p->pfik_flags &= ~PFI_IFLAG_SKIP;
392 if (!strcmp(ifname, p->pfik_name) && p->pfik_group != NULL) {
393 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
394 continue;
395
396 for (n = h; n != NULL; n = n->next) {
397 if (strncmp(p->pfik_name, ifname, IFNAMSIZ))
398 continue;
399
400 p->pfik_flags &= ~PFI_IFLAG_SKIP;
401 }
402 }
403 }
404 return (0);
405 }
406
407 int
pfctl_adjust_skip_ifaces(struct pfctl * pf)408 pfctl_adjust_skip_ifaces(struct pfctl *pf)
409 {
410 struct pfi_kif *p, *pp;
411 struct node_host *h = NULL, *n = NULL;
412
413 PFRB_FOREACH(p, &skip_b) {
414 if (p->pfik_group == NULL || !(p->pfik_flags & PFI_IFLAG_SKIP))
415 continue;
416
417 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
418 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
419 continue;
420
421 for (n = h; n != NULL; n = n->next)
422 PFRB_FOREACH(pp, &skip_b) {
423 if (strncmp(pp->pfik_name, n->ifname, IFNAMSIZ))
424 continue;
425
426 if (!(pp->pfik_flags & PFI_IFLAG_SKIP))
427 pfctl_set_interface_flags(pf,
428 pp->pfik_name, PFI_IFLAG_SKIP, 1);
429 if (pp->pfik_flags & PFI_IFLAG_SKIP)
430 pp->pfik_flags &= ~PFI_IFLAG_SKIP;
431 }
432 }
433
434 PFRB_FOREACH(p, &skip_b) {
435 if (! (p->pfik_flags & PFI_IFLAG_SKIP))
436 continue;
437
438 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
439 }
440
441 return (0);
442 }
443
444 int
pfctl_clear_interface_flags(int dev,int opts)445 pfctl_clear_interface_flags(int dev, int opts)
446 {
447 struct pfioc_iface pi;
448
449 if ((opts & PF_OPT_NOACTION) == 0) {
450 bzero(&pi, sizeof(pi));
451 pi.pfiio_flags = PFI_IFLAG_SKIP;
452
453 if (ioctl(dev, DIOCCLRIFFLAG, &pi))
454 err(1, "DIOCCLRIFFLAG");
455 if ((opts & PF_OPT_QUIET) == 0)
456 fprintf(stderr, "pf: interface flags reset\n");
457 }
458 return (0);
459 }
460
461 int
pfctl_flush_eth_rules(int dev,int opts,char * anchorname)462 pfctl_flush_eth_rules(int dev, int opts, char *anchorname)
463 {
464 int ret;
465
466 ret = pfctl_clear_eth_rules(dev, anchorname);
467 if (ret != 0)
468 err(1, "pfctl_clear_eth_rules");
469
470 if ((opts & PF_OPT_QUIET) == 0)
471 fprintf(stderr, "Ethernet rules cleared\n");
472
473 return (ret);
474 }
475
476 int
pfctl_flush_rules(int dev,int opts,char * anchorname)477 pfctl_flush_rules(int dev, int opts, char *anchorname)
478 {
479 int ret;
480
481 ret = pfctl_clear_rules(dev, anchorname);
482 if (ret != 0)
483 err(1, "pfctl_clear_rules");
484 if ((opts & PF_OPT_QUIET) == 0)
485 fprintf(stderr, "rules cleared\n");
486 return (0);
487 }
488
489 int
pfctl_flush_nat(int dev,int opts,char * anchorname)490 pfctl_flush_nat(int dev, int opts, char *anchorname)
491 {
492 int ret;
493
494 ret = pfctl_clear_nat(dev, anchorname);
495 if (ret != 0)
496 err(1, "pfctl_clear_nat");
497 if ((opts & PF_OPT_QUIET) == 0)
498 fprintf(stderr, "nat cleared\n");
499 return (0);
500 }
501
502 int
pfctl_clear_altq(int dev,int opts)503 pfctl_clear_altq(int dev, int opts)
504 {
505 struct pfr_buffer t;
506
507 if (!altqsupport)
508 return (-1);
509 memset(&t, 0, sizeof(t));
510 t.pfrb_type = PFRB_TRANS;
511 if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") ||
512 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
513 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
514 err(1, "pfctl_clear_altq");
515 if ((opts & PF_OPT_QUIET) == 0)
516 fprintf(stderr, "altq cleared\n");
517 return (0);
518 }
519
520 int
pfctl_clear_src_nodes(int dev,int opts)521 pfctl_clear_src_nodes(int dev, int opts)
522 {
523 if (ioctl(dev, DIOCCLRSRCNODES))
524 err(1, "DIOCCLRSRCNODES");
525 if ((opts & PF_OPT_QUIET) == 0)
526 fprintf(stderr, "source tracking entries cleared\n");
527 return (0);
528 }
529
530 int
pfctl_clear_iface_states(int dev,const char * iface,int opts)531 pfctl_clear_iface_states(int dev, const char *iface, int opts)
532 {
533 struct pfctl_kill kill;
534 unsigned int killed;
535 int ret;
536
537 memset(&kill, 0, sizeof(kill));
538 if (iface != NULL && strlcpy(kill.ifname, iface,
539 sizeof(kill.ifname)) >= sizeof(kill.ifname))
540 errx(1, "invalid interface: %s", iface);
541
542 if (opts & PF_OPT_KILLMATCH)
543 kill.kill_match = true;
544
545 if ((ret = pfctl_clear_states_h(pfh, &kill, &killed)) != 0)
546 errc(1, ret, "DIOCCLRSTATES");
547 if ((opts & PF_OPT_QUIET) == 0)
548 fprintf(stderr, "%d states cleared\n", killed);
549 return (0);
550 }
551
552 void
pfctl_addrprefix(char * addr,struct pf_addr * mask)553 pfctl_addrprefix(char *addr, struct pf_addr *mask)
554 {
555 char *p;
556 const char *errstr;
557 int prefix, ret_ga, q, r;
558 struct addrinfo hints, *res;
559
560 if ((p = strchr(addr, '/')) == NULL)
561 return;
562
563 *p++ = '\0';
564 prefix = strtonum(p, 0, 128, &errstr);
565 if (errstr)
566 errx(1, "prefix is %s: %s", errstr, p);
567
568 bzero(&hints, sizeof(hints));
569 /* prefix only with numeric addresses */
570 hints.ai_flags |= AI_NUMERICHOST;
571
572 if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) {
573 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
574 /* NOTREACHED */
575 }
576
577 if (res->ai_family == AF_INET && prefix > 32)
578 errx(1, "prefix too long for AF_INET");
579 else if (res->ai_family == AF_INET6 && prefix > 128)
580 errx(1, "prefix too long for AF_INET6");
581
582 q = prefix >> 3;
583 r = prefix & 7;
584 switch (res->ai_family) {
585 case AF_INET:
586 bzero(&mask->v4, sizeof(mask->v4));
587 mask->v4.s_addr = htonl((u_int32_t)
588 (0xffffffffffULL << (32 - prefix)));
589 break;
590 case AF_INET6:
591 bzero(&mask->v6, sizeof(mask->v6));
592 if (q > 0)
593 memset((void *)&mask->v6, 0xff, q);
594 if (r > 0)
595 *((u_char *)&mask->v6 + q) =
596 (0xff00 >> r) & 0xff;
597 break;
598 }
599 freeaddrinfo(res);
600 }
601
602 int
pfctl_kill_src_nodes(int dev,const char * iface,int opts)603 pfctl_kill_src_nodes(int dev, const char *iface, int opts)
604 {
605 struct pfioc_src_node_kill psnk;
606 struct addrinfo *res[2], *resp[2];
607 struct sockaddr last_src, last_dst;
608 int killed, sources, dests;
609 int ret_ga;
610
611 killed = sources = dests = 0;
612
613 memset(&psnk, 0, sizeof(psnk));
614 memset(&psnk.psnk_src.addr.v.a.mask, 0xff,
615 sizeof(psnk.psnk_src.addr.v.a.mask));
616 memset(&last_src, 0xff, sizeof(last_src));
617 memset(&last_dst, 0xff, sizeof(last_dst));
618
619 pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask);
620
621 if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) {
622 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
623 /* NOTREACHED */
624 }
625 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
626 if (resp[0]->ai_addr == NULL)
627 continue;
628 /* We get lots of duplicates. Catch the easy ones */
629 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
630 continue;
631 last_src = *(struct sockaddr *)resp[0]->ai_addr;
632
633 psnk.psnk_af = resp[0]->ai_family;
634 sources++;
635
636 if (psnk.psnk_af == AF_INET)
637 psnk.psnk_src.addr.v.a.addr.v4 =
638 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
639 else if (psnk.psnk_af == AF_INET6)
640 psnk.psnk_src.addr.v.a.addr.v6 =
641 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
642 sin6_addr;
643 else
644 errx(1, "Unknown address family %d", psnk.psnk_af);
645
646 if (src_node_killers > 1) {
647 dests = 0;
648 memset(&psnk.psnk_dst.addr.v.a.mask, 0xff,
649 sizeof(psnk.psnk_dst.addr.v.a.mask));
650 memset(&last_dst, 0xff, sizeof(last_dst));
651 pfctl_addrprefix(src_node_kill[1],
652 &psnk.psnk_dst.addr.v.a.mask);
653 if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL,
654 &res[1]))) {
655 errx(1, "getaddrinfo: %s",
656 gai_strerror(ret_ga));
657 /* NOTREACHED */
658 }
659 for (resp[1] = res[1]; resp[1];
660 resp[1] = resp[1]->ai_next) {
661 if (resp[1]->ai_addr == NULL)
662 continue;
663 if (psnk.psnk_af != resp[1]->ai_family)
664 continue;
665
666 if (memcmp(&last_dst, resp[1]->ai_addr,
667 sizeof(last_dst)) == 0)
668 continue;
669 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
670
671 dests++;
672
673 if (psnk.psnk_af == AF_INET)
674 psnk.psnk_dst.addr.v.a.addr.v4 =
675 ((struct sockaddr_in *)resp[1]->
676 ai_addr)->sin_addr;
677 else if (psnk.psnk_af == AF_INET6)
678 psnk.psnk_dst.addr.v.a.addr.v6 =
679 ((struct sockaddr_in6 *)resp[1]->
680 ai_addr)->sin6_addr;
681 else
682 errx(1, "Unknown address family %d",
683 psnk.psnk_af);
684
685 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
686 err(1, "DIOCKILLSRCNODES");
687 killed += psnk.psnk_killed;
688 }
689 freeaddrinfo(res[1]);
690 } else {
691 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
692 err(1, "DIOCKILLSRCNODES");
693 killed += psnk.psnk_killed;
694 }
695 }
696
697 freeaddrinfo(res[0]);
698
699 if ((opts & PF_OPT_QUIET) == 0)
700 fprintf(stderr, "killed %d src nodes from %d sources and %d "
701 "destinations\n", killed, sources, dests);
702 return (0);
703 }
704
705 int
pfctl_net_kill_states(int dev,const char * iface,int opts)706 pfctl_net_kill_states(int dev, const char *iface, int opts)
707 {
708 struct pfctl_kill kill;
709 struct addrinfo *res[2], *resp[2];
710 struct sockaddr last_src, last_dst;
711 unsigned int newkilled;
712 int killed, sources, dests;
713 int ret_ga, ret;
714
715 killed = sources = dests = 0;
716
717 memset(&kill, 0, sizeof(kill));
718 memset(&kill.src.addr.v.a.mask, 0xff,
719 sizeof(kill.src.addr.v.a.mask));
720 memset(&last_src, 0xff, sizeof(last_src));
721 memset(&last_dst, 0xff, sizeof(last_dst));
722 if (iface != NULL && strlcpy(kill.ifname, iface,
723 sizeof(kill.ifname)) >= sizeof(kill.ifname))
724 errx(1, "invalid interface: %s", iface);
725
726 if (state_killers == 2 && (strcmp(state_kill[0], "nat") == 0)) {
727 kill.nat = true;
728 state_kill[0] = state_kill[1];
729 state_killers = 1;
730 }
731
732 pfctl_addrprefix(state_kill[0], &kill.src.addr.v.a.mask);
733
734 if (opts & PF_OPT_KILLMATCH)
735 kill.kill_match = true;
736
737 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
738 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
739 /* NOTREACHED */
740 }
741 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
742 if (resp[0]->ai_addr == NULL)
743 continue;
744 /* We get lots of duplicates. Catch the easy ones */
745 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
746 continue;
747 last_src = *(struct sockaddr *)resp[0]->ai_addr;
748
749 kill.af = resp[0]->ai_family;
750 sources++;
751
752 if (kill.af == AF_INET)
753 kill.src.addr.v.a.addr.v4 =
754 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
755 else if (kill.af == AF_INET6)
756 kill.src.addr.v.a.addr.v6 =
757 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
758 sin6_addr;
759 else
760 errx(1, "Unknown address family %d", kill.af);
761
762 if (state_killers > 1) {
763 dests = 0;
764 memset(&kill.dst.addr.v.a.mask, 0xff,
765 sizeof(kill.dst.addr.v.a.mask));
766 memset(&last_dst, 0xff, sizeof(last_dst));
767 pfctl_addrprefix(state_kill[1],
768 &kill.dst.addr.v.a.mask);
769 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL,
770 &res[1]))) {
771 errx(1, "getaddrinfo: %s",
772 gai_strerror(ret_ga));
773 /* NOTREACHED */
774 }
775 for (resp[1] = res[1]; resp[1];
776 resp[1] = resp[1]->ai_next) {
777 if (resp[1]->ai_addr == NULL)
778 continue;
779 if (kill.af != resp[1]->ai_family)
780 continue;
781
782 if (memcmp(&last_dst, resp[1]->ai_addr,
783 sizeof(last_dst)) == 0)
784 continue;
785 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
786
787 dests++;
788
789 if (kill.af == AF_INET)
790 kill.dst.addr.v.a.addr.v4 =
791 ((struct sockaddr_in *)resp[1]->
792 ai_addr)->sin_addr;
793 else if (kill.af == AF_INET6)
794 kill.dst.addr.v.a.addr.v6 =
795 ((struct sockaddr_in6 *)resp[1]->
796 ai_addr)->sin6_addr;
797 else
798 errx(1, "Unknown address family %d",
799 kill.af);
800
801 if ((ret = pfctl_kill_states_h(pfh, &kill, &newkilled)) != 0)
802 errc(1, ret, "DIOCKILLSTATES");
803 killed += newkilled;
804 }
805 freeaddrinfo(res[1]);
806 } else {
807 if ((ret = pfctl_kill_states_h(pfh, &kill, &newkilled)) != 0)
808 errc(1, ret, "DIOCKILLSTATES");
809 killed += newkilled;
810 }
811 }
812
813 freeaddrinfo(res[0]);
814
815 if ((opts & PF_OPT_QUIET) == 0)
816 fprintf(stderr, "killed %d states from %d sources and %d "
817 "destinations\n", killed, sources, dests);
818 return (0);
819 }
820
821 int
pfctl_gateway_kill_states(int dev,const char * iface,int opts)822 pfctl_gateway_kill_states(int dev, const char *iface, int opts)
823 {
824 struct pfctl_kill kill;
825 struct addrinfo *res, *resp;
826 struct sockaddr last_src;
827 unsigned int newkilled;
828 int killed = 0;
829 int ret_ga;
830
831 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
832 warnx("no gateway specified");
833 usage();
834 }
835
836 memset(&kill, 0, sizeof(kill));
837 memset(&kill.rt_addr.addr.v.a.mask, 0xff,
838 sizeof(kill.rt_addr.addr.v.a.mask));
839 memset(&last_src, 0xff, sizeof(last_src));
840 if (iface != NULL && strlcpy(kill.ifname, iface,
841 sizeof(kill.ifname)) >= sizeof(kill.ifname))
842 errx(1, "invalid interface: %s", iface);
843
844 if (opts & PF_OPT_KILLMATCH)
845 kill.kill_match = true;
846
847 pfctl_addrprefix(state_kill[1], &kill.rt_addr.addr.v.a.mask);
848
849 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL, &res))) {
850 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
851 /* NOTREACHED */
852 }
853 for (resp = res; resp; resp = resp->ai_next) {
854 if (resp->ai_addr == NULL)
855 continue;
856 /* We get lots of duplicates. Catch the easy ones */
857 if (memcmp(&last_src, resp->ai_addr, sizeof(last_src)) == 0)
858 continue;
859 last_src = *(struct sockaddr *)resp->ai_addr;
860
861 kill.af = resp->ai_family;
862
863 if (kill.af == AF_INET)
864 kill.rt_addr.addr.v.a.addr.v4 =
865 ((struct sockaddr_in *)resp->ai_addr)->sin_addr;
866 else if (kill.af == AF_INET6)
867 kill.rt_addr.addr.v.a.addr.v6 =
868 ((struct sockaddr_in6 *)resp->ai_addr)->
869 sin6_addr;
870 else
871 errx(1, "Unknown address family %d", kill.af);
872
873 if (pfctl_kill_states_h(pfh, &kill, &newkilled))
874 err(1, "DIOCKILLSTATES");
875 killed += newkilled;
876 }
877
878 freeaddrinfo(res);
879
880 if ((opts & PF_OPT_QUIET) == 0)
881 fprintf(stderr, "killed %d states\n", killed);
882 return (0);
883 }
884
885 int
pfctl_label_kill_states(int dev,const char * iface,int opts)886 pfctl_label_kill_states(int dev, const char *iface, int opts)
887 {
888 struct pfctl_kill kill;
889 unsigned int killed;
890 int ret;
891
892 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
893 warnx("no label specified");
894 usage();
895 }
896 memset(&kill, 0, sizeof(kill));
897 if (iface != NULL && strlcpy(kill.ifname, iface,
898 sizeof(kill.ifname)) >= sizeof(kill.ifname))
899 errx(1, "invalid interface: %s", iface);
900
901 if (opts & PF_OPT_KILLMATCH)
902 kill.kill_match = true;
903
904 if (strlcpy(kill.label, state_kill[1], sizeof(kill.label)) >=
905 sizeof(kill.label))
906 errx(1, "label too long: %s", state_kill[1]);
907
908 if ((ret = pfctl_kill_states_h(pfh, &kill, &killed)) != 0)
909 errc(1, ret, "DIOCKILLSTATES");
910
911 if ((opts & PF_OPT_QUIET) == 0)
912 fprintf(stderr, "killed %d states\n", killed);
913
914 return (0);
915 }
916
917 int
pfctl_id_kill_states(int dev,const char * iface,int opts)918 pfctl_id_kill_states(int dev, const char *iface, int opts)
919 {
920 struct pfctl_kill kill;
921 unsigned int killed;
922 int ret;
923
924 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
925 warnx("no id specified");
926 usage();
927 }
928
929 memset(&kill, 0, sizeof(kill));
930
931 if (opts & PF_OPT_KILLMATCH)
932 kill.kill_match = true;
933
934 if ((sscanf(state_kill[1], "%jx/%x",
935 &kill.cmp.id, &kill.cmp.creatorid)) == 2) {
936 }
937 else if ((sscanf(state_kill[1], "%jx", &kill.cmp.id)) == 1) {
938 kill.cmp.creatorid = 0;
939 } else {
940 warnx("wrong id format specified");
941 usage();
942 }
943 if (kill.cmp.id == 0) {
944 warnx("cannot kill id 0");
945 usage();
946 }
947
948 if ((ret = pfctl_kill_states_h(pfh, &kill, &killed)) != 0)
949 errc(1, ret, "DIOCKILLSTATES");
950
951 if ((opts & PF_OPT_QUIET) == 0)
952 fprintf(stderr, "killed %d states\n", killed);
953
954 return (0);
955 }
956
957 int
pfctl_get_pool(int dev,struct pfctl_pool * pool,u_int32_t nr,u_int32_t ticket,int r_action,char * anchorname,int which)958 pfctl_get_pool(int dev, struct pfctl_pool *pool, u_int32_t nr,
959 u_int32_t ticket, int r_action, char *anchorname, int which)
960 {
961 struct pfioc_pooladdr pp;
962 struct pf_pooladdr *pa;
963 u_int32_t pnr, mpnr;
964 int ret;
965
966 memset(&pp, 0, sizeof(pp));
967 if ((ret = pfctl_get_addrs(pfh, ticket, nr, r_action, anchorname, &mpnr, which)) != 0) {
968 warnc(ret, "DIOCGETADDRS");
969 return (-1);
970 }
971
972 TAILQ_INIT(&pool->list);
973 for (pnr = 0; pnr < mpnr; ++pnr) {
974 if ((ret = pfctl_get_addr(pfh, ticket, nr, r_action, anchorname, pnr, &pp, which)) != 0) {
975 warnc(ret, "DIOCGETADDR");
976 return (-1);
977 }
978 pa = calloc(1, sizeof(struct pf_pooladdr));
979 if (pa == NULL)
980 err(1, "calloc");
981 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr));
982 TAILQ_INSERT_TAIL(&pool->list, pa, entries);
983 }
984
985 return (0);
986 }
987
988 void
pfctl_move_pool(struct pfctl_pool * src,struct pfctl_pool * dst)989 pfctl_move_pool(struct pfctl_pool *src, struct pfctl_pool *dst)
990 {
991 struct pf_pooladdr *pa;
992
993 while ((pa = TAILQ_FIRST(&src->list)) != NULL) {
994 TAILQ_REMOVE(&src->list, pa, entries);
995 TAILQ_INSERT_TAIL(&dst->list, pa, entries);
996 }
997 }
998
999 void
pfctl_clear_pool(struct pfctl_pool * pool)1000 pfctl_clear_pool(struct pfctl_pool *pool)
1001 {
1002 struct pf_pooladdr *pa;
1003
1004 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) {
1005 TAILQ_REMOVE(&pool->list, pa, entries);
1006 free(pa);
1007 }
1008 }
1009
1010 void
pfctl_print_eth_rule_counters(struct pfctl_eth_rule * rule,int opts)1011 pfctl_print_eth_rule_counters(struct pfctl_eth_rule *rule, int opts)
1012 {
1013 if (opts & PF_OPT_VERBOSE) {
1014 printf(" [ Evaluations: %-8llu Packets: %-8llu "
1015 "Bytes: %-10llu]\n",
1016 (unsigned long long)rule->evaluations,
1017 (unsigned long long)(rule->packets[0] +
1018 rule->packets[1]),
1019 (unsigned long long)(rule->bytes[0] +
1020 rule->bytes[1]));
1021 }
1022 if (opts & PF_OPT_VERBOSE2) {
1023 char timestr[30];
1024
1025 if (rule->last_active_timestamp != 0) {
1026 bcopy(ctime(&rule->last_active_timestamp), timestr,
1027 sizeof(timestr));
1028 *strchr(timestr, '\n') = '\0';
1029 } else {
1030 snprintf(timestr, sizeof(timestr), "N/A");
1031 }
1032 printf(" [ Last Active Time: %s ]\n", timestr);
1033 }
1034 }
1035
1036 void
pfctl_print_rule_counters(struct pfctl_rule * rule,int opts)1037 pfctl_print_rule_counters(struct pfctl_rule *rule, int opts)
1038 {
1039 if (opts & PF_OPT_DEBUG) {
1040 const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
1041 "p", "sa", "da", "sp", "dp" };
1042 int i;
1043
1044 printf(" [ Skip steps: ");
1045 for (i = 0; i < PF_SKIP_COUNT; ++i) {
1046 if (rule->skip[i].nr == rule->nr + 1)
1047 continue;
1048 printf("%s=", t[i]);
1049 if (rule->skip[i].nr == -1)
1050 printf("end ");
1051 else
1052 printf("%u ", rule->skip[i].nr);
1053 }
1054 printf("]\n");
1055
1056 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n",
1057 rule->qname, rule->qid, rule->pqname, rule->pqid);
1058 }
1059 if (opts & PF_OPT_VERBOSE) {
1060 printf(" [ Evaluations: %-8llu Packets: %-8llu "
1061 "Bytes: %-10llu States: %-6ju]\n",
1062 (unsigned long long)rule->evaluations,
1063 (unsigned long long)(rule->packets[0] +
1064 rule->packets[1]),
1065 (unsigned long long)(rule->bytes[0] +
1066 rule->bytes[1]), (uintmax_t)rule->states_cur);
1067 if (!(opts & PF_OPT_DEBUG))
1068 printf(" [ Inserted: uid %u pid %u "
1069 "State Creations: %-6ju]\n",
1070 (unsigned)rule->cuid, (unsigned)rule->cpid,
1071 (uintmax_t)rule->states_tot);
1072 }
1073 if (opts & PF_OPT_VERBOSE2) {
1074 char timestr[30];
1075 if (rule->last_active_timestamp != 0) {
1076 bcopy(ctime(&rule->last_active_timestamp), timestr,
1077 sizeof(timestr));
1078 *strchr(timestr, '\n') = '\0';
1079 } else {
1080 snprintf(timestr, sizeof(timestr), "N/A");
1081 }
1082 printf(" [ Last Active Time: %s ]\n", timestr);
1083 }
1084 }
1085
1086 void
pfctl_print_title(char * title)1087 pfctl_print_title(char *title)
1088 {
1089 if (!first_title)
1090 printf("\n");
1091 first_title = 0;
1092 printf("%s\n", title);
1093 }
1094
1095 int
pfctl_show_eth_rules(int dev,char * path,int opts,enum pfctl_show format,char * anchorname,int depth,int wildcard)1096 pfctl_show_eth_rules(int dev, char *path, int opts, enum pfctl_show format,
1097 char *anchorname, int depth, int wildcard)
1098 {
1099 char anchor_call[MAXPATHLEN];
1100 struct pfctl_eth_rules_info info;
1101 struct pfctl_eth_rule rule;
1102 int brace;
1103 int dotitle = opts & PF_OPT_SHOWALL;
1104 int len = strlen(path);
1105 int ret;
1106 char *npath, *p;
1107
1108 /*
1109 * Truncate a trailing / and * on an anchorname before searching for
1110 * the ruleset, this is syntactic sugar that doesn't actually make it
1111 * to the kernel.
1112 */
1113 if ((p = strrchr(anchorname, '/')) != NULL &&
1114 p[1] == '*' && p[2] == '\0') {
1115 p[0] = '\0';
1116 }
1117
1118 if (anchorname[0] == '/') {
1119 if ((npath = calloc(1, MAXPATHLEN)) == NULL)
1120 errx(1, "pfctl_rules: calloc");
1121 snprintf(npath, MAXPATHLEN, "%s", anchorname);
1122 } else {
1123 if (path[0])
1124 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
1125 else
1126 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
1127 npath = path;
1128 }
1129
1130 /*
1131 * If this anchor was called with a wildcard path, go through
1132 * the rulesets in the anchor rather than the rules.
1133 */
1134 if (wildcard && (opts & PF_OPT_RECURSE)) {
1135 struct pfctl_eth_rulesets_info ri;
1136 u_int32_t mnr, nr;
1137
1138 if ((ret = pfctl_get_eth_rulesets_info(dev, &ri, npath)) != 0) {
1139 if (ret == EINVAL) {
1140 fprintf(stderr, "Anchor '%s' "
1141 "not found.\n", anchorname);
1142 } else {
1143 warnc(ret, "DIOCGETETHRULESETS");
1144 return (-1);
1145 }
1146 }
1147 mnr = ri.nr;
1148
1149 pfctl_print_eth_rule_counters(&rule, opts);
1150 for (nr = 0; nr < mnr; ++nr) {
1151 struct pfctl_eth_ruleset_info rs;
1152
1153 if ((ret = pfctl_get_eth_ruleset(dev, npath, nr, &rs)) != 0)
1154 errc(1, ret, "DIOCGETETHRULESET");
1155 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1156 printf("anchor \"%s\" all {\n", rs.name);
1157 pfctl_show_eth_rules(dev, npath, opts,
1158 format, rs.name, depth + 1, 0);
1159 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1160 printf("}\n");
1161 }
1162 path[len] = '\0';
1163 return (0);
1164 }
1165
1166 if ((ret = pfctl_get_eth_rules_info(dev, &info, path)) != 0) {
1167 warnc(ret, "DIOCGETETHRULES");
1168 return (-1);
1169 }
1170 for (int nr = 0; nr < info.nr; nr++) {
1171 brace = 0;
1172 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1173 if ((ret = pfctl_get_eth_rule(dev, nr, info.ticket, path, &rule,
1174 opts & PF_OPT_CLRRULECTRS, anchor_call)) != 0) {
1175 warnc(ret, "DIOCGETETHRULE");
1176 return (-1);
1177 }
1178 if (anchor_call[0] &&
1179 ((((p = strrchr(anchor_call, '_')) != NULL) &&
1180 (p == anchor_call ||
1181 *(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
1182 brace++;
1183 int aclen = strlen(anchor_call);
1184 if (anchor_call[aclen - 1] == '*')
1185 anchor_call[aclen - 2] = '\0';
1186 }
1187 p = &anchor_call[0];
1188 if (dotitle) {
1189 pfctl_print_title("ETH RULES:");
1190 dotitle = 0;
1191 }
1192 print_eth_rule(&rule, anchor_call,
1193 opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG));
1194 if (brace)
1195 printf(" {\n");
1196 else
1197 printf("\n");
1198 pfctl_print_eth_rule_counters(&rule, opts);
1199 if (brace) {
1200 pfctl_show_eth_rules(dev, path, opts, format,
1201 p, depth + 1, rule.anchor_wildcard);
1202 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1203 printf("}\n");
1204 }
1205 }
1206
1207 path[len] = '\0';
1208 return (0);
1209 }
1210
1211 int
pfctl_show_rules(int dev,char * path,int opts,enum pfctl_show format,char * anchorname,int depth,int wildcard)1212 pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
1213 char *anchorname, int depth, int wildcard)
1214 {
1215 struct pfctl_rules_info ri;
1216 struct pfctl_rule rule;
1217 char anchor_call[MAXPATHLEN];
1218 u_int32_t nr, header = 0;
1219 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
1220 int numeric = opts & PF_OPT_NUMERIC;
1221 int len = strlen(path), ret = 0;
1222 char *npath, *p;
1223
1224 /*
1225 * Truncate a trailing / and * on an anchorname before searching for
1226 * the ruleset, this is syntactic sugar that doesn't actually make it
1227 * to the kernel.
1228 */
1229 if ((p = strrchr(anchorname, '/')) != NULL &&
1230 p[1] == '*' && p[2] == '\0') {
1231 p[0] = '\0';
1232 }
1233
1234 if (anchorname[0] == '/') {
1235 if ((npath = calloc(1, MAXPATHLEN)) == NULL)
1236 errx(1, "pfctl_rules: calloc");
1237 strlcpy(npath, anchorname, MAXPATHLEN);
1238 } else {
1239 if (path[0])
1240 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
1241 else
1242 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
1243 npath = path;
1244 }
1245
1246 /*
1247 * If this anchor was called with a wildcard path, go through
1248 * the rulesets in the anchor rather than the rules.
1249 */
1250 if (wildcard && (opts & PF_OPT_RECURSE)) {
1251 struct pfioc_ruleset prs;
1252 u_int32_t mnr, nr;
1253
1254 memset(&prs, 0, sizeof(prs));
1255 if ((ret = pfctl_get_rulesets(pfh, npath, &mnr)) != 0) {
1256 if (ret == EINVAL)
1257 fprintf(stderr, "Anchor '%s' "
1258 "not found.\n", anchorname);
1259 else
1260 errc(1, ret, "DIOCGETRULESETS");
1261 }
1262
1263 pfctl_print_rule_counters(&rule, opts);
1264 for (nr = 0; nr < mnr; ++nr) {
1265 if ((ret = pfctl_get_ruleset(pfh, npath, nr, &prs)) != 0)
1266 errc(1, ret, "DIOCGETRULESET");
1267 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1268 printf("anchor \"%s\" all {\n", prs.name);
1269 pfctl_show_rules(dev, npath, opts,
1270 format, prs.name, depth + 1, 0);
1271 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1272 printf("}\n");
1273 }
1274 path[len] = '\0';
1275 return (0);
1276 }
1277
1278 if (opts & PF_OPT_SHOWALL) {
1279 ret = pfctl_get_rules_info_h(pfh, &ri, PF_PASS, path);
1280 if (ret != 0) {
1281 warnc(ret, "DIOCGETRULES");
1282 goto error;
1283 }
1284 header++;
1285 }
1286 ret = pfctl_get_rules_info_h(pfh, &ri, PF_SCRUB, path);
1287 if (ret != 0) {
1288 warnc(ret, "DIOCGETRULES");
1289 goto error;
1290 }
1291 if (opts & PF_OPT_SHOWALL) {
1292 if (format == PFCTL_SHOW_RULES && (ri.nr > 0 || header))
1293 pfctl_print_title("FILTER RULES:");
1294 else if (format == PFCTL_SHOW_LABELS && labels)
1295 pfctl_print_title("LABEL COUNTERS:");
1296 }
1297
1298 for (nr = 0; nr < ri.nr; ++nr) {
1299 if ((ret = pfctl_get_clear_rule_h(pfh, nr, ri.ticket, path, PF_SCRUB,
1300 &rule, anchor_call, opts & PF_OPT_CLRRULECTRS)) != 0) {
1301 warnc(ret, "DIOCGETRULENV");
1302 goto error;
1303 }
1304
1305 if (pfctl_get_pool(dev, &rule.rdr,
1306 nr, ri.ticket, PF_SCRUB, path, PF_RDR) != 0)
1307 goto error;
1308
1309 if (pfctl_get_pool(dev, &rule.nat,
1310 nr, ri.ticket, PF_SCRUB, path, PF_NAT) != 0)
1311 goto error;
1312
1313 if (pfctl_get_pool(dev, &rule.route,
1314 nr, ri.ticket, PF_SCRUB, path, PF_RT) != 0)
1315 goto error;
1316
1317 switch (format) {
1318 case PFCTL_SHOW_LABELS:
1319 break;
1320 case PFCTL_SHOW_RULES:
1321 if (rule.label[0][0] && (opts & PF_OPT_SHOWALL))
1322 labels = 1;
1323 print_rule(&rule, anchor_call, rule_numbers, numeric);
1324 printf("\n");
1325 pfctl_print_rule_counters(&rule, opts);
1326 break;
1327 case PFCTL_SHOW_NOTHING:
1328 break;
1329 }
1330 pfctl_clear_pool(&rule.rdr);
1331 pfctl_clear_pool(&rule.nat);
1332 pfctl_clear_pool(&rule.route);
1333 }
1334 ret = pfctl_get_rules_info_h(pfh, &ri, PF_PASS, path);
1335 if (ret != 0) {
1336 warnc(ret, "DIOCGETRULES");
1337 goto error;
1338 }
1339 for (nr = 0; nr < ri.nr; ++nr) {
1340 if ((ret = pfctl_get_clear_rule_h(pfh, nr, ri.ticket, path, PF_PASS,
1341 &rule, anchor_call, opts & PF_OPT_CLRRULECTRS)) != 0) {
1342 warnc(ret, "DIOCGETRULE");
1343 goto error;
1344 }
1345
1346 if (pfctl_get_pool(dev, &rule.rdr,
1347 nr, ri.ticket, PF_PASS, path, PF_RDR) != 0)
1348 goto error;
1349
1350 if (pfctl_get_pool(dev, &rule.nat,
1351 nr, ri.ticket, PF_PASS, path, PF_NAT) != 0)
1352 goto error;
1353
1354 if (pfctl_get_pool(dev, &rule.route,
1355 nr, ri.ticket, PF_PASS, path, PF_RT) != 0)
1356 goto error;
1357
1358 switch (format) {
1359 case PFCTL_SHOW_LABELS: {
1360 bool show = false;
1361 int i = 0;
1362
1363 while (rule.label[i][0]) {
1364 printf("%s ", rule.label[i++]);
1365 show = true;
1366 }
1367
1368 if (show) {
1369 printf("%llu %llu %llu %llu"
1370 " %llu %llu %llu %ju\n",
1371 (unsigned long long)rule.evaluations,
1372 (unsigned long long)(rule.packets[0] +
1373 rule.packets[1]),
1374 (unsigned long long)(rule.bytes[0] +
1375 rule.bytes[1]),
1376 (unsigned long long)rule.packets[0],
1377 (unsigned long long)rule.bytes[0],
1378 (unsigned long long)rule.packets[1],
1379 (unsigned long long)rule.bytes[1],
1380 (uintmax_t)rule.states_tot);
1381 }
1382
1383 if (anchor_call[0] &&
1384 (((p = strrchr(anchor_call, '/')) ?
1385 p[1] == '_' : anchor_call[0] == '_') ||
1386 opts & PF_OPT_RECURSE)) {
1387 pfctl_show_rules(dev, npath, opts, format,
1388 anchor_call, depth, rule.anchor_wildcard);
1389 }
1390 break;
1391 }
1392 case PFCTL_SHOW_RULES:
1393 if (rule.label[0][0] && (opts & PF_OPT_SHOWALL))
1394 labels = 1;
1395 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1396 print_rule(&rule, anchor_call, rule_numbers, numeric);
1397
1398 /*
1399 * If this is a 'unnamed' brace notation
1400 * anchor, OR the user has explicitly requested
1401 * recursion, print it recursively.
1402 */
1403 if (anchor_call[0] &&
1404 (((p = strrchr(anchor_call, '/')) ?
1405 p[1] == '_' : anchor_call[0] == '_') ||
1406 opts & PF_OPT_RECURSE)) {
1407 printf(" {\n");
1408 pfctl_print_rule_counters(&rule, opts);
1409 pfctl_show_rules(dev, npath, opts, format,
1410 anchor_call, depth + 1,
1411 rule.anchor_wildcard);
1412 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1413 printf("}\n");
1414 } else {
1415 printf("\n");
1416 pfctl_print_rule_counters(&rule, opts);
1417 }
1418 break;
1419 case PFCTL_SHOW_NOTHING:
1420 break;
1421 }
1422 pfctl_clear_pool(&rule.rdr);
1423 pfctl_clear_pool(&rule.nat);
1424 }
1425
1426 error:
1427 path[len] = '\0';
1428 return (ret);
1429 }
1430
1431 int
pfctl_show_nat(int dev,char * path,int opts,char * anchorname,int depth,int wildcard)1432 pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth,
1433 int wildcard)
1434 {
1435 struct pfctl_rules_info ri;
1436 struct pfctl_rule rule;
1437 char anchor_call[MAXPATHLEN];
1438 u_int32_t nr;
1439 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
1440 int i, dotitle = opts & PF_OPT_SHOWALL;
1441 int ret;
1442 int len = strlen(path);
1443 char *npath, *p;
1444
1445 /*
1446 * Truncate a trailing / and * on an anchorname before searching for
1447 * the ruleset, this is syntactic sugar that doesn't actually make it
1448 * to the kernel.
1449 */
1450 if ((p = strrchr(anchorname, '/')) != NULL &&
1451 p[1] == '*' && p[2] == '\0') {
1452 p[0] = '\0';
1453 }
1454
1455 if (anchorname[0] == '/') {
1456 if ((npath = calloc(1, MAXPATHLEN)) == NULL)
1457 errx(1, "pfctl_rules: calloc");
1458 snprintf(npath, MAXPATHLEN, "%s", anchorname);
1459 } else {
1460 if (path[0])
1461 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
1462 else
1463 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
1464 npath = path;
1465 }
1466
1467 /*
1468 * If this anchor was called with a wildcard path, go through
1469 * the rulesets in the anchor rather than the rules.
1470 */
1471 if (wildcard && (opts & PF_OPT_RECURSE)) {
1472 struct pfioc_ruleset prs;
1473 u_int32_t mnr, nr;
1474 memset(&prs, 0, sizeof(prs));
1475 if ((ret = pfctl_get_rulesets(pfh, npath, &mnr)) != 0) {
1476 if (ret == EINVAL)
1477 fprintf(stderr, "NAT anchor '%s' "
1478 "not found.\n", anchorname);
1479 else
1480 errc(1, ret, "DIOCGETRULESETS");
1481 }
1482
1483 pfctl_print_rule_counters(&rule, opts);
1484 for (nr = 0; nr < mnr; ++nr) {
1485 if ((ret = pfctl_get_ruleset(pfh, npath, nr, &prs)) != 0)
1486 errc(1, ret, "DIOCGETRULESET");
1487 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1488 printf("nat-anchor \"%s\" all {\n", prs.name);
1489 pfctl_show_nat(dev, npath, opts,
1490 prs.name, depth + 1, 0);
1491 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1492 printf("}\n");
1493 }
1494 path[len] = '\0';
1495 return (0);
1496 }
1497
1498 for (i = 0; i < 3; i++) {
1499 ret = pfctl_get_rules_info_h(pfh, &ri, nattype[i], path);
1500 if (ret != 0) {
1501 warnc(ret, "DIOCGETRULES");
1502 return (-1);
1503 }
1504 for (nr = 0; nr < ri.nr; ++nr) {
1505 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1506
1507 if ((ret = pfctl_get_rule_h(pfh, nr, ri.ticket, path,
1508 nattype[i], &rule, anchor_call)) != 0) {
1509 warnc(ret, "DIOCGETRULE");
1510 return (-1);
1511 }
1512 if (pfctl_get_pool(dev, &rule.rdr, nr,
1513 ri.ticket, nattype[i], path, PF_RDR) != 0)
1514 return (-1);
1515 if (pfctl_get_pool(dev, &rule.nat, nr,
1516 ri.ticket, nattype[i], path, PF_NAT) != 0)
1517 return (-1);
1518 if (pfctl_get_pool(dev, &rule.route, nr,
1519 ri.ticket, nattype[i], path, PF_RT) != 0)
1520 return (-1);
1521
1522 if (dotitle) {
1523 pfctl_print_title("TRANSLATION RULES:");
1524 dotitle = 0;
1525 }
1526 print_rule(&rule, anchor_call,
1527 opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
1528 if (anchor_call[0] &&
1529 (((p = strrchr(anchor_call, '/')) ?
1530 p[1] == '_' : anchor_call[0] == '_') ||
1531 opts & PF_OPT_RECURSE)) {
1532 printf(" {\n");
1533 pfctl_print_rule_counters(&rule, opts);
1534 pfctl_show_nat(dev, npath, opts, anchor_call,
1535 depth + 1, rule.anchor_wildcard);
1536 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1537 printf("}\n");
1538 } else {
1539 printf("\n");
1540 pfctl_print_rule_counters(&rule, opts);
1541 }
1542 }
1543 }
1544 return (0);
1545 }
1546
1547 static int
pfctl_print_src_node(struct pfctl_src_node * sn,void * arg)1548 pfctl_print_src_node(struct pfctl_src_node *sn, void *arg)
1549 {
1550 int *opts = (int *)arg;
1551
1552 if (*opts & PF_OPT_SHOWALL) {
1553 pfctl_print_title("SOURCE TRACKING NODES:");
1554 *opts &= ~PF_OPT_SHOWALL;
1555 }
1556
1557 print_src_node(sn, *opts);
1558
1559 return (0);
1560 }
1561
1562 int
pfctl_show_src_nodes(int dev,int opts)1563 pfctl_show_src_nodes(int dev, int opts)
1564 {
1565 int error;
1566
1567 error = pfctl_get_srcnodes(pfh, pfctl_print_src_node, &opts);
1568
1569 return (error);
1570 }
1571
1572 struct pfctl_show_state_arg {
1573 int opts;
1574 int dotitle;
1575 const char *iface;
1576 };
1577
1578 static int
pfctl_show_state(struct pfctl_state * s,void * arg)1579 pfctl_show_state(struct pfctl_state *s, void *arg)
1580 {
1581 struct pfctl_show_state_arg *a = (struct pfctl_show_state_arg *)arg;
1582
1583 if (a->dotitle) {
1584 pfctl_print_title("STATES:");
1585 a->dotitle = 0;
1586 }
1587 print_state(s, a->opts);
1588
1589 return (0);
1590 }
1591
1592 int
pfctl_show_states(int dev,const char * iface,int opts)1593 pfctl_show_states(int dev, const char *iface, int opts)
1594 {
1595 struct pfctl_show_state_arg arg;
1596 struct pfctl_state_filter filter = {};
1597
1598 if (iface != NULL)
1599 strncpy(filter.ifname, iface, IFNAMSIZ);
1600
1601 arg.opts = opts;
1602 arg.dotitle = opts & PF_OPT_SHOWALL;
1603 arg.iface = iface;
1604
1605 if (pfctl_get_filtered_states_iter(&filter, pfctl_show_state, &arg))
1606 return (-1);
1607
1608 return (0);
1609 }
1610
1611 int
pfctl_show_status(int dev,int opts)1612 pfctl_show_status(int dev, int opts)
1613 {
1614 struct pfctl_status *status;
1615 struct pfctl_syncookies cookies;
1616 int ret;
1617
1618 if ((status = pfctl_get_status_h(pfh)) == NULL) {
1619 warn("DIOCGETSTATUS");
1620 return (-1);
1621 }
1622 if ((ret = pfctl_get_syncookies(dev, &cookies)) != 0) {
1623 pfctl_free_status(status);
1624 warnc(ret, "DIOCGETSYNCOOKIES");
1625 return (-1);
1626 }
1627 if (opts & PF_OPT_SHOWALL)
1628 pfctl_print_title("INFO:");
1629 print_status(status, &cookies, opts);
1630 pfctl_free_status(status);
1631 return (0);
1632 }
1633
1634 int
pfctl_show_running(int dev)1635 pfctl_show_running(int dev)
1636 {
1637 struct pfctl_status *status;
1638 int running;
1639
1640 if ((status = pfctl_get_status_h(pfh)) == NULL) {
1641 warn("DIOCGETSTATUS");
1642 return (-1);
1643 }
1644
1645 running = status->running;
1646
1647 print_running(status);
1648 pfctl_free_status(status);
1649 return (!running);
1650 }
1651
1652 int
pfctl_show_timeouts(int dev,int opts)1653 pfctl_show_timeouts(int dev, int opts)
1654 {
1655 uint32_t seconds;
1656 int i;
1657 int ret;
1658
1659 if (opts & PF_OPT_SHOWALL)
1660 pfctl_print_title("TIMEOUTS:");
1661 for (i = 0; pf_timeouts[i].name; i++) {
1662 if ((ret = pfctl_get_timeout(pfh, pf_timeouts[i].timeout, &seconds)) != 0)
1663 errc(1, ret, "DIOCGETTIMEOUT");
1664 printf("%-20s %10d", pf_timeouts[i].name, seconds);
1665 if (pf_timeouts[i].timeout >= PFTM_ADAPTIVE_START &&
1666 pf_timeouts[i].timeout <= PFTM_ADAPTIVE_END)
1667 printf(" states");
1668 else
1669 printf("s");
1670 printf("\n");
1671 }
1672 return (0);
1673
1674 }
1675
1676 int
pfctl_show_limits(int dev,int opts)1677 pfctl_show_limits(int dev, int opts)
1678 {
1679 unsigned int limit;
1680 int i;
1681 int ret;
1682
1683 if (opts & PF_OPT_SHOWALL)
1684 pfctl_print_title("LIMITS:");
1685 for (i = 0; pf_limits[i].name; i++) {
1686 if ((ret = pfctl_get_limit(pfh, pf_limits[i].index, &limit)) != 0)
1687 errc(1, ret, "DIOCGETLIMIT");
1688 printf("%-13s ", pf_limits[i].name);
1689 if (limit == UINT_MAX)
1690 printf("unlimited\n");
1691 else
1692 printf("hard limit %8u\n", limit);
1693 }
1694 return (0);
1695 }
1696
1697 void
pfctl_show_creators(int opts)1698 pfctl_show_creators(int opts)
1699 {
1700 int ret;
1701 uint32_t creators[16];
1702 size_t count = nitems(creators);
1703
1704 ret = pfctl_get_creatorids(pfh, creators, &count);
1705 if (ret != 0)
1706 errx(ret, "Failed to retrieve creators");
1707
1708 printf("Creator IDs:\n");
1709 for (size_t i = 0; i < count; i++)
1710 printf("%08x\n", creators[i]);
1711 }
1712
1713 /* callbacks for rule/nat/rdr/addr */
1714 int
pfctl_add_pool(struct pfctl * pf,struct pfctl_pool * p,sa_family_t af,int which)1715 pfctl_add_pool(struct pfctl *pf, struct pfctl_pool *p, sa_family_t af, int which)
1716 {
1717 struct pf_pooladdr *pa;
1718 int ret;
1719
1720 pf->paddr.af = af;
1721 TAILQ_FOREACH(pa, &p->list, entries) {
1722 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1723 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1724 if ((ret = pfctl_add_addr(pf->h, &pf->paddr, which)) != 0)
1725 errc(1, ret, "DIOCADDADDR");
1726 }
1727 }
1728 return (0);
1729 }
1730
1731 int
pfctl_append_rule(struct pfctl * pf,struct pfctl_rule * r,const char * anchor_call)1732 pfctl_append_rule(struct pfctl *pf, struct pfctl_rule *r,
1733 const char *anchor_call)
1734 {
1735 u_int8_t rs_num;
1736 struct pfctl_rule *rule;
1737 struct pfctl_ruleset *rs;
1738 char *p;
1739
1740 rs_num = pf_get_ruleset_number(r->action);
1741 if (rs_num == PF_RULESET_MAX)
1742 errx(1, "Invalid rule type %d", r->action);
1743
1744 rs = &pf->anchor->ruleset;
1745
1746 if (anchor_call[0] && r->anchor == NULL) {
1747 /*
1748 * Don't make non-brace anchors part of the main anchor pool.
1749 */
1750 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL)
1751 err(1, "pfctl_append_rule: calloc");
1752
1753 pf_init_ruleset(&r->anchor->ruleset);
1754 r->anchor->ruleset.anchor = r->anchor;
1755 if (strlcpy(r->anchor->path, anchor_call,
1756 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
1757 errx(1, "pfctl_append_rule: strlcpy");
1758 if ((p = strrchr(anchor_call, '/')) != NULL) {
1759 if (!strlen(p))
1760 err(1, "pfctl_append_rule: bad anchor name %s",
1761 anchor_call);
1762 } else
1763 p = (char *)anchor_call;
1764 if (strlcpy(r->anchor->name, p,
1765 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
1766 errx(1, "pfctl_append_rule: strlcpy");
1767 }
1768
1769 if ((rule = calloc(1, sizeof(*rule))) == NULL)
1770 err(1, "calloc");
1771 bcopy(r, rule, sizeof(*rule));
1772 TAILQ_INIT(&rule->rdr.list);
1773 pfctl_move_pool(&r->rdr, &rule->rdr);
1774 TAILQ_INIT(&rule->nat.list);
1775 pfctl_move_pool(&r->nat, &rule->nat);
1776 TAILQ_INIT(&rule->route.list);
1777 pfctl_move_pool(&r->route, &rule->route);
1778
1779 TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries);
1780 return (0);
1781 }
1782
1783 int
pfctl_append_eth_rule(struct pfctl * pf,struct pfctl_eth_rule * r,const char * anchor_call)1784 pfctl_append_eth_rule(struct pfctl *pf, struct pfctl_eth_rule *r,
1785 const char *anchor_call)
1786 {
1787 struct pfctl_eth_rule *rule;
1788 struct pfctl_eth_ruleset *rs;
1789 char *p;
1790
1791 rs = &pf->eanchor->ruleset;
1792
1793 if (anchor_call[0] && r->anchor == NULL) {
1794 /*
1795 * Don't make non-brace anchors part of the main anchor pool.
1796 */
1797 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL)
1798 err(1, "pfctl_append_rule: calloc");
1799
1800 pf_init_eth_ruleset(&r->anchor->ruleset);
1801 r->anchor->ruleset.anchor = r->anchor;
1802 if (strlcpy(r->anchor->path, anchor_call,
1803 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
1804 errx(1, "pfctl_append_rule: strlcpy");
1805 if ((p = strrchr(anchor_call, '/')) != NULL) {
1806 if (!strlen(p))
1807 err(1, "pfctl_append_eth_rule: bad anchor name %s",
1808 anchor_call);
1809 } else
1810 p = (char *)anchor_call;
1811 if (strlcpy(r->anchor->name, p,
1812 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
1813 errx(1, "pfctl_append_eth_rule: strlcpy");
1814 }
1815
1816 if ((rule = calloc(1, sizeof(*rule))) == NULL)
1817 err(1, "calloc");
1818 bcopy(r, rule, sizeof(*rule));
1819
1820 TAILQ_INSERT_TAIL(&rs->rules, rule, entries);
1821 return (0);
1822 }
1823
1824 int
pfctl_eth_ruleset_trans(struct pfctl * pf,char * path,struct pfctl_eth_anchor * a)1825 pfctl_eth_ruleset_trans(struct pfctl *pf, char *path,
1826 struct pfctl_eth_anchor *a)
1827 {
1828 int osize = pf->trans->pfrb_size;
1829
1830 if ((pf->loadopt & PFCTL_FLAG_ETH) != 0) {
1831 if (pfctl_add_trans(pf->trans, PF_RULESET_ETH, path))
1832 return (1);
1833 }
1834 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1835 return (5);
1836
1837 return (0);
1838 }
1839
1840 int
pfctl_ruleset_trans(struct pfctl * pf,char * path,struct pfctl_anchor * a,bool do_eth)1841 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a, bool do_eth)
1842 {
1843 int osize = pf->trans->pfrb_size;
1844
1845 if ((pf->loadopt & PFCTL_FLAG_ETH) != 0 && do_eth) {
1846 if (pfctl_add_trans(pf->trans, PF_RULESET_ETH, path))
1847 return (1);
1848 }
1849 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1850 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1851 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1852 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1853 return (1);
1854 }
1855 if (a == pf->astack[0] && ((altqsupport &&
1856 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1857 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1858 return (2);
1859 }
1860 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1861 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1862 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1863 return (3);
1864 }
1865 if (pf->loadopt & PFCTL_FLAG_TABLE)
1866 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1867 return (4);
1868 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1869 return (5);
1870
1871 return (0);
1872 }
1873
1874 int
pfctl_load_eth_ruleset(struct pfctl * pf,char * path,struct pfctl_eth_ruleset * rs,int depth)1875 pfctl_load_eth_ruleset(struct pfctl *pf, char *path,
1876 struct pfctl_eth_ruleset *rs, int depth)
1877 {
1878 struct pfctl_eth_rule *r;
1879 int error, len = strlen(path);
1880 int brace = 0;
1881
1882 pf->eanchor = rs->anchor;
1883 if (path[0])
1884 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->eanchor->name);
1885 else
1886 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->eanchor->name);
1887
1888 if (depth) {
1889 if (TAILQ_FIRST(&rs->rules) != NULL) {
1890 brace++;
1891 if (pf->opts & PF_OPT_VERBOSE)
1892 printf(" {\n");
1893 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1894 (error = pfctl_eth_ruleset_trans(pf,
1895 path, rs->anchor))) {
1896 printf("pfctl_load_eth_rulesets: "
1897 "pfctl_eth_ruleset_trans %d\n", error);
1898 goto error;
1899 }
1900 } else if (pf->opts & PF_OPT_VERBOSE)
1901 printf("\n");
1902 }
1903
1904 while ((r = TAILQ_FIRST(&rs->rules)) != NULL) {
1905 TAILQ_REMOVE(&rs->rules, r, entries);
1906
1907 error = pfctl_load_eth_rule(pf, path, r, depth);
1908 if (error)
1909 return (error);
1910
1911 if (r->anchor) {
1912 if ((error = pfctl_load_eth_ruleset(pf, path,
1913 &r->anchor->ruleset, depth + 1)))
1914 return (error);
1915 } else if (pf->opts & PF_OPT_VERBOSE)
1916 printf("\n");
1917 free(r);
1918 }
1919 if (brace && pf->opts & PF_OPT_VERBOSE) {
1920 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1921 printf("}\n");
1922 }
1923 path[len] = '\0';
1924
1925 return (0);
1926 error:
1927 path[len] = '\0';
1928 return (error);
1929 }
1930
1931 int
pfctl_load_eth_rule(struct pfctl * pf,char * path,struct pfctl_eth_rule * r,int depth)1932 pfctl_load_eth_rule(struct pfctl *pf, char *path, struct pfctl_eth_rule *r,
1933 int depth)
1934 {
1935 char *name;
1936 char anchor[PF_ANCHOR_NAME_SIZE];
1937 int len = strlen(path);
1938 int ret;
1939
1940 if (strlcpy(anchor, path, sizeof(anchor)) >= sizeof(anchor))
1941 errx(1, "pfctl_load_eth_rule: strlcpy");
1942
1943 if (r->anchor) {
1944 if (r->anchor->match) {
1945 if (path[0])
1946 snprintf(&path[len], MAXPATHLEN - len,
1947 "/%s", r->anchor->name);
1948 else
1949 snprintf(&path[len], MAXPATHLEN - len,
1950 "%s", r->anchor->name);
1951 name = r->anchor->name;
1952 } else
1953 name = r->anchor->path;
1954 } else
1955 name = "";
1956
1957 if ((pf->opts & PF_OPT_NOACTION) == 0)
1958 if ((ret = pfctl_add_eth_rule(pf->dev, r, anchor, name,
1959 pf->eth_ticket)) != 0)
1960 errc(1, ret, "DIOCADDETHRULENV");
1961
1962 if (pf->opts & PF_OPT_VERBOSE) {
1963 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1964 print_eth_rule(r, r->anchor ? r->anchor->name : "",
1965 pf->opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG));
1966 }
1967
1968 path[len] = '\0';
1969
1970 return (0);
1971 }
1972
1973 int
pfctl_load_ruleset(struct pfctl * pf,char * path,struct pfctl_ruleset * rs,int rs_num,int depth)1974 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs,
1975 int rs_num, int depth)
1976 {
1977 struct pfctl_rule *r;
1978 int error, len = strlen(path);
1979 int brace = 0;
1980
1981 pf->anchor = rs->anchor;
1982
1983 if (path[0])
1984 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1985 else
1986 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1987
1988 if (depth) {
1989 if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) {
1990 brace++;
1991 if (pf->opts & PF_OPT_VERBOSE)
1992 printf(" {\n");
1993 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1994 (error = pfctl_ruleset_trans(pf,
1995 path, rs->anchor, false))) {
1996 printf("pfctl_load_rulesets: "
1997 "pfctl_ruleset_trans %d\n", error);
1998 goto error;
1999 }
2000 } else if (pf->opts & PF_OPT_VERBOSE)
2001 printf("\n");
2002
2003 }
2004
2005 if (pf->optimize && rs_num == PF_RULESET_FILTER)
2006 pfctl_optimize_ruleset(pf, rs);
2007
2008 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
2009 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
2010
2011 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
2012 expand_label(r->label[i], PF_RULE_LABEL_SIZE, r);
2013 expand_label(r->tagname, PF_TAG_NAME_SIZE, r);
2014 expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r);
2015
2016 if ((error = pfctl_load_rule(pf, path, r, depth)))
2017 goto error;
2018 if (r->anchor) {
2019 if ((error = pfctl_load_ruleset(pf, path,
2020 &r->anchor->ruleset, rs_num, depth + 1)))
2021 goto error;
2022 } else if (pf->opts & PF_OPT_VERBOSE)
2023 printf("\n");
2024 free(r);
2025 }
2026 if (brace && pf->opts & PF_OPT_VERBOSE) {
2027 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
2028 printf("}\n");
2029 }
2030 path[len] = '\0';
2031 return (0);
2032
2033 error:
2034 path[len] = '\0';
2035 return (error);
2036
2037 }
2038
2039 int
pfctl_load_rule(struct pfctl * pf,char * path,struct pfctl_rule * r,int depth)2040 pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
2041 {
2042 u_int8_t rs_num = pf_get_ruleset_number(r->action);
2043 char *name;
2044 u_int32_t ticket;
2045 char anchor[PF_ANCHOR_NAME_SIZE];
2046 int len = strlen(path);
2047 int error;
2048 bool was_present;
2049
2050 /* set up anchor before adding to path for anchor_call */
2051 if ((pf->opts & PF_OPT_NOACTION) == 0)
2052 ticket = pfctl_get_ticket(pf->trans, rs_num, path);
2053 if (strlcpy(anchor, path, sizeof(anchor)) >= sizeof(anchor))
2054 errx(1, "pfctl_load_rule: strlcpy");
2055
2056 if (r->anchor) {
2057 if (r->anchor->match) {
2058 if (path[0])
2059 snprintf(&path[len], MAXPATHLEN - len,
2060 "/%s", r->anchor->name);
2061 else
2062 snprintf(&path[len], MAXPATHLEN - len,
2063 "%s", r->anchor->name);
2064 name = r->anchor->name;
2065 } else
2066 name = r->anchor->path;
2067 } else
2068 name = "";
2069
2070 was_present = false;
2071 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2072 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2073 if ((error = pfctl_begin_addrs(pf->h,
2074 &pf->paddr.ticket)) != 0)
2075 errc(1, error, "DIOCBEGINADDRS");
2076 }
2077
2078 if (pfctl_add_pool(pf, &r->rdr, r->af, PF_RDR))
2079 return (1);
2080 if (pfctl_add_pool(pf, &r->nat, r->naf ? r->naf : r->af, PF_NAT))
2081 return (1);
2082 if (pfctl_add_pool(pf, &r->route, r->af, PF_RT))
2083 return (1);
2084 error = pfctl_add_rule_h(pf->h, r, anchor, name, ticket,
2085 pf->paddr.ticket);
2086 switch (error) {
2087 case 0:
2088 /* things worked, do nothing */
2089 break;
2090 case EEXIST:
2091 /* an identical rule is already present */
2092 was_present = true;
2093 break;
2094 default:
2095 errc(1, error, "DIOCADDRULE");
2096 }
2097 }
2098
2099 if (pf->opts & PF_OPT_VERBOSE) {
2100 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
2101 print_rule(r, name,
2102 pf->opts & PF_OPT_VERBOSE2,
2103 pf->opts & PF_OPT_NUMERIC);
2104 if (was_present)
2105 printf(" -- rule was already present");
2106 }
2107 path[len] = '\0';
2108 pfctl_clear_pool(&r->rdr);
2109 pfctl_clear_pool(&r->nat);
2110 return (0);
2111 }
2112
2113 int
pfctl_add_altq(struct pfctl * pf,struct pf_altq * a)2114 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
2115 {
2116 if (altqsupport &&
2117 (loadopt & PFCTL_FLAG_ALTQ) != 0) {
2118 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
2119 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2120 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
2121 if (errno == ENXIO)
2122 errx(1, "qtype not configured");
2123 else if (errno == ENODEV)
2124 errx(1, "%s: driver does not support "
2125 "altq", a->ifname);
2126 else
2127 err(1, "DIOCADDALTQ");
2128 }
2129 }
2130 pfaltq_store(&pf->paltq->altq);
2131 }
2132 return (0);
2133 }
2134
2135 int
pfctl_rules(int dev,char * filename,int opts,int optimize,char * anchorname,struct pfr_buffer * trans)2136 pfctl_rules(int dev, char *filename, int opts, int optimize,
2137 char *anchorname, struct pfr_buffer *trans)
2138 {
2139 #define ERR(x) do { warn(x); goto _error; } while(0)
2140 #define ERRX(x) do { warnx(x); goto _error; } while(0)
2141
2142 struct pfr_buffer *t, buf;
2143 struct pfioc_altq pa;
2144 struct pfctl pf;
2145 struct pfctl_ruleset *rs;
2146 struct pfctl_eth_ruleset *ethrs;
2147 struct pfr_table trs;
2148 char *path;
2149 int osize;
2150
2151 RB_INIT(&pf_anchors);
2152 memset(&pf_main_anchor, 0, sizeof(pf_main_anchor));
2153 pf_init_ruleset(&pf_main_anchor.ruleset);
2154 pf_main_anchor.ruleset.anchor = &pf_main_anchor;
2155
2156 memset(&pf_eth_main_anchor, 0, sizeof(pf_eth_main_anchor));
2157 pf_init_eth_ruleset(&pf_eth_main_anchor.ruleset);
2158 pf_eth_main_anchor.ruleset.anchor = &pf_eth_main_anchor;
2159
2160 if (trans == NULL) {
2161 bzero(&buf, sizeof(buf));
2162 buf.pfrb_type = PFRB_TRANS;
2163 t = &buf;
2164 osize = 0;
2165 } else {
2166 t = trans;
2167 osize = t->pfrb_size;
2168 }
2169
2170 memset(&pa, 0, sizeof(pa));
2171 pa.version = PFIOC_ALTQ_VERSION;
2172 memset(&pf, 0, sizeof(pf));
2173 memset(&trs, 0, sizeof(trs));
2174 if ((path = calloc(1, MAXPATHLEN)) == NULL)
2175 ERRX("pfctl_rules: calloc");
2176 if (strlcpy(trs.pfrt_anchor, anchorname,
2177 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
2178 ERRX("pfctl_rules: strlcpy");
2179 pf.dev = dev;
2180 pf.h = pfh;
2181 pf.opts = opts;
2182 pf.optimize = optimize;
2183 pf.loadopt = loadopt;
2184
2185 /* non-brace anchor, create without resolving the path */
2186 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
2187 ERRX("pfctl_rules: calloc");
2188 rs = &pf.anchor->ruleset;
2189 pf_init_ruleset(rs);
2190 rs->anchor = pf.anchor;
2191 if (strlcpy(pf.anchor->path, anchorname,
2192 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
2193 errx(1, "pfctl_rules: strlcpy");
2194 if (strlcpy(pf.anchor->name, anchorname,
2195 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
2196 errx(1, "pfctl_rules: strlcpy");
2197
2198
2199 pf.astack[0] = pf.anchor;
2200 pf.asd = 0;
2201 if (anchorname[0])
2202 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
2203 pf.paltq = &pa;
2204 pf.trans = t;
2205 pfctl_init_options(&pf);
2206
2207 /* Set up ethernet anchor */
2208 if ((pf.eanchor = calloc(1, sizeof(*pf.eanchor))) == NULL)
2209 ERRX("pfctl_rules: calloc");
2210
2211 if (strlcpy(pf.eanchor->path, anchorname,
2212 sizeof(pf.eanchor->path)) >= sizeof(pf.eanchor->path))
2213 errx(1, "pfctl_rules: strlcpy");
2214 if (strlcpy(pf.eanchor->name, anchorname,
2215 sizeof(pf.eanchor->name)) >= sizeof(pf.eanchor->name))
2216 errx(1, "pfctl_rules: strlcpy");
2217
2218 ethrs = &pf.eanchor->ruleset;
2219 pf_init_eth_ruleset(ethrs);
2220 ethrs->anchor = pf.eanchor;
2221 pf.eastack[0] = pf.eanchor;
2222
2223 if ((opts & PF_OPT_NOACTION) == 0) {
2224 /*
2225 * XXX For the time being we need to open transactions for
2226 * the main ruleset before parsing, because tables are still
2227 * loaded at parse time.
2228 */
2229 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor, true))
2230 ERRX("pfctl_rules");
2231 if (pf.loadopt & PFCTL_FLAG_ETH)
2232 pf.eth_ticket = pfctl_get_ticket(t, PF_RULESET_ETH, anchorname);
2233 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
2234 pa.ticket =
2235 pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
2236 if (pf.loadopt & PFCTL_FLAG_TABLE)
2237 pf.astack[0]->ruleset.tticket =
2238 pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
2239 }
2240
2241 if (parse_config(filename, &pf) < 0) {
2242 if ((opts & PF_OPT_NOACTION) == 0)
2243 ERRX("Syntax error in config file: "
2244 "pf rules not loaded");
2245 else
2246 goto _error;
2247 }
2248 if (loadopt & PFCTL_FLAG_OPTION)
2249 pfctl_adjust_skip_ifaces(&pf);
2250
2251 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
2252 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
2253 (pf.loadopt & PFCTL_FLAG_ETH &&
2254 (pfctl_load_eth_ruleset(&pf, path, ethrs, 0))) ||
2255 (pf.loadopt & PFCTL_FLAG_NAT &&
2256 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
2257 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
2258 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
2259 (pf.loadopt & PFCTL_FLAG_FILTER &&
2260 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
2261 if ((opts & PF_OPT_NOACTION) == 0)
2262 ERRX("Unable to load rules into kernel");
2263 else
2264 goto _error;
2265 }
2266
2267 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
2268 if (check_commit_altq(dev, opts) != 0)
2269 ERRX("errors in altq config");
2270
2271 /* process "load anchor" directives */
2272 if (!anchorname[0])
2273 if (pfctl_load_anchors(dev, &pf, t) == -1)
2274 ERRX("load anchors");
2275
2276 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
2277 if (!anchorname[0])
2278 if (pfctl_load_options(&pf))
2279 goto _error;
2280 if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
2281 ERR("DIOCXCOMMIT");
2282 }
2283 free(path);
2284 return (0);
2285
2286 _error:
2287 if (trans == NULL) { /* main ruleset */
2288 if ((opts & PF_OPT_NOACTION) == 0)
2289 if (pfctl_trans(dev, t, DIOCXROLLBACK, osize))
2290 err(1, "DIOCXROLLBACK");
2291 exit(1);
2292 } else { /* sub ruleset */
2293 free(path);
2294 return (-1);
2295 }
2296
2297 #undef ERR
2298 #undef ERRX
2299 }
2300
2301 FILE *
pfctl_fopen(const char * name,const char * mode)2302 pfctl_fopen(const char *name, const char *mode)
2303 {
2304 struct stat st;
2305 FILE *fp;
2306
2307 fp = fopen(name, mode);
2308 if (fp == NULL)
2309 return (NULL);
2310 if (fstat(fileno(fp), &st)) {
2311 fclose(fp);
2312 return (NULL);
2313 }
2314 if (S_ISDIR(st.st_mode)) {
2315 fclose(fp);
2316 errno = EISDIR;
2317 return (NULL);
2318 }
2319 return (fp);
2320 }
2321
2322 void
pfctl_init_options(struct pfctl * pf)2323 pfctl_init_options(struct pfctl *pf)
2324 {
2325
2326 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
2327 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
2328 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
2329 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
2330 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
2331 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
2332 pf->timeout[PFTM_SCTP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
2333 pf->timeout[PFTM_SCTP_OPENING] = PFTM_TCP_OPENING_VAL;
2334 pf->timeout[PFTM_SCTP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
2335 pf->timeout[PFTM_SCTP_CLOSING] = PFTM_TCP_CLOSING_VAL;
2336 pf->timeout[PFTM_SCTP_CLOSED] = PFTM_TCP_CLOSED_VAL;
2337 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
2338 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
2339 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
2340 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
2341 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
2342 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
2343 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
2344 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
2345 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
2346 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
2347 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
2348 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
2349 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
2350 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
2351
2352 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
2353 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
2354 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
2355 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
2356
2357 pf->debug = PF_DEBUG_URGENT;
2358 pf->reassemble = 0;
2359
2360 pf->syncookies = false;
2361 pf->syncookieswat[0] = PF_SYNCOOKIES_LOWATPCT;
2362 pf->syncookieswat[1] = PF_SYNCOOKIES_HIWATPCT;
2363 }
2364
2365 int
pfctl_load_options(struct pfctl * pf)2366 pfctl_load_options(struct pfctl *pf)
2367 {
2368 int i, error = 0;
2369
2370 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2371 return (0);
2372
2373 /* load limits */
2374 for (i = 0; i < PF_LIMIT_MAX; i++) {
2375 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
2376 continue;
2377 if (pfctl_load_limit(pf, i, pf->limit[i]))
2378 error = 1;
2379 }
2380
2381 /*
2382 * If we've set the limit, but haven't explicitly set adaptive
2383 * timeouts, do it now with a start of 60% and end of 120%.
2384 */
2385 if (pf->limit_set[PF_LIMIT_STATES] &&
2386 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
2387 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
2388 pf->timeout[PFTM_ADAPTIVE_START] =
2389 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
2390 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
2391 pf->timeout[PFTM_ADAPTIVE_END] =
2392 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
2393 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
2394 }
2395
2396 /* load timeouts */
2397 for (i = 0; i < PFTM_MAX; i++) {
2398 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
2399 continue;
2400 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
2401 error = 1;
2402 }
2403
2404 /* load debug */
2405 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
2406 if (pfctl_load_debug(pf, pf->debug))
2407 error = 1;
2408
2409 /* load logif */
2410 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
2411 if (pfctl_load_logif(pf, pf->ifname))
2412 error = 1;
2413
2414 /* load hostid */
2415 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
2416 if (pfctl_load_hostid(pf, pf->hostid))
2417 error = 1;
2418
2419 /* load reassembly settings */
2420 if (!(pf->opts & PF_OPT_MERGE) || pf->reass_set)
2421 if (pfctl_load_reassembly(pf, pf->reassemble))
2422 error = 1;
2423
2424 /* load keepcounters */
2425 if (pfctl_set_keepcounters(pf->dev, pf->keep_counters))
2426 error = 1;
2427
2428 /* load syncookies settings */
2429 if (pfctl_load_syncookies(pf, pf->syncookies))
2430 error = 1;
2431
2432 return (error);
2433 }
2434
2435 int
pfctl_apply_limit(struct pfctl * pf,const char * opt,unsigned int limit)2436 pfctl_apply_limit(struct pfctl *pf, const char *opt, unsigned int limit)
2437 {
2438 int i;
2439
2440
2441 for (i = 0; pf_limits[i].name; i++) {
2442 if (strcasecmp(opt, pf_limits[i].name) == 0) {
2443 pf->limit[pf_limits[i].index] = limit;
2444 pf->limit_set[pf_limits[i].index] = 1;
2445 break;
2446 }
2447 }
2448 if (pf_limits[i].name == NULL) {
2449 warnx("Bad pool name.");
2450 return (1);
2451 }
2452
2453 if (pf->opts & PF_OPT_VERBOSE)
2454 printf("set limit %s %d\n", opt, limit);
2455
2456 return (0);
2457 }
2458
2459 int
pfctl_load_limit(struct pfctl * pf,unsigned int index,unsigned int limit)2460 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
2461 {
2462 if (pfctl_set_limit(pf->h, index, limit)) {
2463 if (errno == EBUSY)
2464 warnx("Current pool size exceeds requested hard limit");
2465 else
2466 warnx("DIOCSETLIMIT");
2467 return (1);
2468 }
2469 return (0);
2470 }
2471
2472 int
pfctl_apply_timeout(struct pfctl * pf,const char * opt,int seconds,int quiet)2473 pfctl_apply_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
2474 {
2475 int i;
2476
2477 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2478 return (0);
2479
2480 for (i = 0; pf_timeouts[i].name; i++) {
2481 if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
2482 pf->timeout[pf_timeouts[i].timeout] = seconds;
2483 pf->timeout_set[pf_timeouts[i].timeout] = 1;
2484 break;
2485 }
2486 }
2487
2488 if (pf_timeouts[i].name == NULL) {
2489 warnx("Bad timeout name.");
2490 return (1);
2491 }
2492
2493
2494 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
2495 printf("set timeout %s %d\n", opt, seconds);
2496
2497 return (0);
2498 }
2499
2500 int
pfctl_load_timeout(struct pfctl * pf,unsigned int timeout,unsigned int seconds)2501 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
2502 {
2503 if (pfctl_set_timeout(pf->h, timeout, seconds)) {
2504 warnx("DIOCSETTIMEOUT");
2505 return (1);
2506 }
2507 return (0);
2508 }
2509
2510 int
pfctl_set_reassembly(struct pfctl * pf,int on,int nodf)2511 pfctl_set_reassembly(struct pfctl *pf, int on, int nodf)
2512 {
2513 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2514 return (0);
2515
2516 pf->reass_set = 1;
2517 if (on) {
2518 pf->reassemble = PF_REASS_ENABLED;
2519 if (nodf)
2520 pf->reassemble |= PF_REASS_NODF;
2521 } else {
2522 pf->reassemble = 0;
2523 }
2524
2525 if (pf->opts & PF_OPT_VERBOSE)
2526 printf("set reassemble %s %s\n", on ? "yes" : "no",
2527 nodf ? "no-df" : "");
2528
2529 return (0);
2530 }
2531
2532 int
pfctl_set_optimization(struct pfctl * pf,const char * opt)2533 pfctl_set_optimization(struct pfctl *pf, const char *opt)
2534 {
2535 const struct pf_hint *hint;
2536 int i, r;
2537
2538 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2539 return (0);
2540
2541 for (i = 0; pf_hints[i].name; i++)
2542 if (strcasecmp(opt, pf_hints[i].name) == 0)
2543 break;
2544
2545 hint = pf_hints[i].hint;
2546 if (hint == NULL) {
2547 warnx("invalid state timeouts optimization");
2548 return (1);
2549 }
2550
2551 for (i = 0; hint[i].name; i++)
2552 if ((r = pfctl_apply_timeout(pf, hint[i].name,
2553 hint[i].timeout, 1)))
2554 return (r);
2555
2556 if (pf->opts & PF_OPT_VERBOSE)
2557 printf("set optimization %s\n", opt);
2558
2559 return (0);
2560 }
2561
2562 int
pfctl_set_logif(struct pfctl * pf,char * ifname)2563 pfctl_set_logif(struct pfctl *pf, char *ifname)
2564 {
2565
2566 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2567 return (0);
2568
2569 if (!strcmp(ifname, "none")) {
2570 free(pf->ifname);
2571 pf->ifname = NULL;
2572 } else {
2573 pf->ifname = strdup(ifname);
2574 if (!pf->ifname)
2575 errx(1, "pfctl_set_logif: strdup");
2576 }
2577 pf->ifname_set = 1;
2578
2579 if (pf->opts & PF_OPT_VERBOSE)
2580 printf("set loginterface %s\n", ifname);
2581
2582 return (0);
2583 }
2584
2585 int
pfctl_load_logif(struct pfctl * pf,char * ifname)2586 pfctl_load_logif(struct pfctl *pf, char *ifname)
2587 {
2588 if (ifname != NULL && strlen(ifname) >= IFNAMSIZ) {
2589 warnx("pfctl_load_logif: strlcpy");
2590 return (1);
2591 }
2592 return (pfctl_set_statusif(pfh, ifname ? ifname : ""));
2593 }
2594
2595 void
pfctl_set_hostid(struct pfctl * pf,u_int32_t hostid)2596 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
2597 {
2598 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2599 return;
2600
2601 HTONL(hostid);
2602
2603 pf->hostid = hostid;
2604 pf->hostid_set = 1;
2605
2606 if (pf->opts & PF_OPT_VERBOSE)
2607 printf("set hostid 0x%08x\n", ntohl(hostid));
2608 }
2609
2610 int
pfctl_load_hostid(struct pfctl * pf,u_int32_t hostid)2611 pfctl_load_hostid(struct pfctl *pf, u_int32_t hostid)
2612 {
2613 if (ioctl(dev, DIOCSETHOSTID, &hostid)) {
2614 warnx("DIOCSETHOSTID");
2615 return (1);
2616 }
2617 return (0);
2618 }
2619
2620 int
pfctl_load_reassembly(struct pfctl * pf,u_int32_t reassembly)2621 pfctl_load_reassembly(struct pfctl *pf, u_int32_t reassembly)
2622 {
2623 if (ioctl(dev, DIOCSETREASS, &reassembly)) {
2624 warnx("DIOCSETREASS");
2625 return (1);
2626 }
2627 return (0);
2628 }
2629
2630 int
pfctl_load_syncookies(struct pfctl * pf,u_int8_t val)2631 pfctl_load_syncookies(struct pfctl *pf, u_int8_t val)
2632 {
2633 struct pfctl_syncookies cookies;
2634
2635 bzero(&cookies, sizeof(cookies));
2636
2637 cookies.mode = val;
2638 cookies.lowwater = pf->syncookieswat[0];
2639 cookies.highwater = pf->syncookieswat[1];
2640
2641 if (pfctl_set_syncookies(dev, &cookies)) {
2642 warnx("DIOCSETSYNCOOKIES");
2643 return (1);
2644 }
2645 return (0);
2646 }
2647
2648 int
pfctl_cfg_syncookies(struct pfctl * pf,uint8_t val,struct pfctl_watermarks * w)2649 pfctl_cfg_syncookies(struct pfctl *pf, uint8_t val, struct pfctl_watermarks *w)
2650 {
2651 if (val != PF_SYNCOOKIES_ADAPTIVE && w != NULL) {
2652 warnx("syncookies start/end only apply to adaptive");
2653 return (1);
2654 }
2655 if (val == PF_SYNCOOKIES_ADAPTIVE && w != NULL) {
2656 if (!w->hi)
2657 w->hi = PF_SYNCOOKIES_HIWATPCT;
2658 if (!w->lo)
2659 w->lo = w->hi / 2;
2660 if (w->lo >= w->hi) {
2661 warnx("start must be higher than end");
2662 return (1);
2663 }
2664 pf->syncookieswat[0] = w->lo;
2665 pf->syncookieswat[1] = w->hi;
2666 pf->syncookieswat_set = 1;
2667 }
2668
2669 if (pf->opts & PF_OPT_VERBOSE) {
2670 if (val == PF_SYNCOOKIES_NEVER)
2671 printf("set syncookies never\n");
2672 else if (val == PF_SYNCOOKIES_ALWAYS)
2673 printf("set syncookies always\n");
2674 else if (val == PF_SYNCOOKIES_ADAPTIVE) {
2675 if (pf->syncookieswat_set)
2676 printf("set syncookies adaptive (start %u%%, "
2677 "end %u%%)\n", pf->syncookieswat[1],
2678 pf->syncookieswat[0]);
2679 else
2680 printf("set syncookies adaptive\n");
2681 } else { /* cannot happen */
2682 warnx("king bula ate all syncookies");
2683 return (1);
2684 }
2685 }
2686
2687 pf->syncookies = val;
2688 return (0);
2689 }
2690
2691 int
pfctl_do_set_debug(struct pfctl * pf,char * d)2692 pfctl_do_set_debug(struct pfctl *pf, char *d)
2693 {
2694 u_int32_t level;
2695 int ret;
2696
2697 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2698 return (0);
2699
2700 if (!strcmp(d, "none"))
2701 pf->debug = PF_DEBUG_NONE;
2702 else if (!strcmp(d, "urgent"))
2703 pf->debug = PF_DEBUG_URGENT;
2704 else if (!strcmp(d, "misc"))
2705 pf->debug = PF_DEBUG_MISC;
2706 else if (!strcmp(d, "loud"))
2707 pf->debug = PF_DEBUG_NOISY;
2708 else {
2709 warnx("unknown debug level \"%s\"", d);
2710 return (-1);
2711 }
2712
2713 pf->debug_set = 1;
2714 level = pf->debug;
2715
2716 if ((pf->opts & PF_OPT_NOACTION) == 0)
2717 if ((ret = pfctl_set_debug(pfh, level)) != 0)
2718 errc(1, ret, "DIOCSETDEBUG");
2719
2720 if (pf->opts & PF_OPT_VERBOSE)
2721 printf("set debug %s\n", d);
2722
2723 return (0);
2724 }
2725
2726 int
pfctl_load_debug(struct pfctl * pf,unsigned int level)2727 pfctl_load_debug(struct pfctl *pf, unsigned int level)
2728 {
2729 if (pfctl_set_debug(pf->h, level)) {
2730 warnx("DIOCSETDEBUG");
2731 return (1);
2732 }
2733 return (0);
2734 }
2735
2736 int
pfctl_set_interface_flags(struct pfctl * pf,char * ifname,int flags,int how)2737 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
2738 {
2739 struct pfioc_iface pi;
2740 struct node_host *h = NULL, *n = NULL;
2741
2742 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2743 return (0);
2744
2745 bzero(&pi, sizeof(pi));
2746
2747 pi.pfiio_flags = flags;
2748
2749 /* Make sure our cache matches the kernel. If we set or clear the flag
2750 * for a group this applies to all members. */
2751 h = ifa_grouplookup(ifname, 0);
2752 for (n = h; n != NULL; n = n->next)
2753 pfctl_set_interface_flags(pf, n->ifname, flags, how);
2754
2755 if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
2756 sizeof(pi.pfiio_name))
2757 errx(1, "pfctl_set_interface_flags: strlcpy");
2758
2759 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2760 if (how == 0) {
2761 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
2762 err(1, "DIOCCLRIFFLAG");
2763 } else {
2764 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))
2765 err(1, "DIOCSETIFFLAG");
2766 pfctl_check_skip_ifaces(ifname);
2767 }
2768 }
2769 return (0);
2770 }
2771
2772 void
pfctl_debug(int dev,u_int32_t level,int opts)2773 pfctl_debug(int dev, u_int32_t level, int opts)
2774 {
2775 int ret;
2776
2777 if ((ret = pfctl_set_debug(pfh, level)) != 0)
2778 errc(1, ret, "DIOCSETDEBUG");
2779 if ((opts & PF_OPT_QUIET) == 0) {
2780 fprintf(stderr, "debug level set to '");
2781 switch (level) {
2782 case PF_DEBUG_NONE:
2783 fprintf(stderr, "none");
2784 break;
2785 case PF_DEBUG_URGENT:
2786 fprintf(stderr, "urgent");
2787 break;
2788 case PF_DEBUG_MISC:
2789 fprintf(stderr, "misc");
2790 break;
2791 case PF_DEBUG_NOISY:
2792 fprintf(stderr, "loud");
2793 break;
2794 default:
2795 fprintf(stderr, "<invalid>");
2796 break;
2797 }
2798 fprintf(stderr, "'\n");
2799 }
2800 }
2801
2802 int
pfctl_test_altqsupport(int dev,int opts)2803 pfctl_test_altqsupport(int dev, int opts)
2804 {
2805 struct pfioc_altq pa;
2806
2807 pa.version = PFIOC_ALTQ_VERSION;
2808 if (ioctl(dev, DIOCGETALTQS, &pa)) {
2809 if (errno == ENODEV) {
2810 if (opts & PF_OPT_VERBOSE)
2811 fprintf(stderr, "No ALTQ support in kernel\n"
2812 "ALTQ related functions disabled\n");
2813 return (0);
2814 } else
2815 err(1, "DIOCGETALTQS");
2816 }
2817 return (1);
2818 }
2819
2820 int
pfctl_show_anchors(int dev,int opts,char * anchorname)2821 pfctl_show_anchors(int dev, int opts, char *anchorname)
2822 {
2823 struct pfioc_ruleset pr;
2824 u_int32_t mnr, nr;
2825 int ret;
2826
2827 memset(&pr, 0, sizeof(pr));
2828 if ((ret = pfctl_get_rulesets(pfh, anchorname, &mnr)) != 0) {
2829 if (ret == EINVAL)
2830 fprintf(stderr, "Anchor '%s' not found.\n",
2831 anchorname);
2832 else
2833 errc(1, ret, "DIOCGETRULESETS");
2834 return (-1);
2835 }
2836 for (nr = 0; nr < mnr; ++nr) {
2837 char sub[MAXPATHLEN];
2838
2839 if ((ret = pfctl_get_ruleset(pfh, anchorname, nr, &pr)) != 0)
2840 errc(1, ret, "DIOCGETRULESET");
2841 if (!strcmp(pr.name, PF_RESERVED_ANCHOR))
2842 continue;
2843 sub[0] = 0;
2844 if (pr.path[0]) {
2845 strlcat(sub, pr.path, sizeof(sub));
2846 strlcat(sub, "/", sizeof(sub));
2847 }
2848 strlcat(sub, pr.name, sizeof(sub));
2849 if (sub[0] != '_' || (opts & PF_OPT_VERBOSE))
2850 printf(" %s\n", sub);
2851 if ((opts & PF_OPT_VERBOSE) && pfctl_show_anchors(dev, opts, sub))
2852 return (-1);
2853 }
2854 return (0);
2855 }
2856
2857 int
pfctl_show_eth_anchors(int dev,int opts,char * anchorname)2858 pfctl_show_eth_anchors(int dev, int opts, char *anchorname)
2859 {
2860 struct pfctl_eth_rulesets_info ri;
2861 struct pfctl_eth_ruleset_info rs;
2862 int ret;
2863
2864 if ((ret = pfctl_get_eth_rulesets_info(dev, &ri, anchorname)) != 0) {
2865 if (ret == ENOENT)
2866 fprintf(stderr, "Anchor '%s' not found.\n",
2867 anchorname);
2868 else
2869 errc(1, ret, "DIOCGETETHRULESETS");
2870 return (-1);
2871 }
2872
2873 for (int nr = 0; nr < ri.nr; nr++) {
2874 char sub[MAXPATHLEN];
2875
2876 if ((ret = pfctl_get_eth_ruleset(dev, anchorname, nr, &rs)) != 0)
2877 errc(1, ret, "DIOCGETETHRULESET");
2878
2879 if (!strcmp(rs.name, PF_RESERVED_ANCHOR))
2880 continue;
2881 sub[0] = 0;
2882 if (rs.path[0]) {
2883 strlcat(sub, rs.path, sizeof(sub));
2884 strlcat(sub, "/", sizeof(sub));
2885 }
2886 strlcat(sub, rs.name, sizeof(sub));
2887 if (sub[0] != '_' || (opts & PF_OPT_VERBOSE))
2888 printf(" %s\n", sub);
2889 if ((opts & PF_OPT_VERBOSE) && pfctl_show_eth_anchors(dev, opts, sub))
2890 return (-1);
2891 }
2892 return (0);
2893 }
2894
2895 const char *
pfctl_lookup_option(char * cmd,const char * const * list)2896 pfctl_lookup_option(char *cmd, const char * const *list)
2897 {
2898 if (cmd != NULL && *cmd)
2899 for (; *list; list++)
2900 if (!strncmp(cmd, *list, strlen(cmd)))
2901 return (*list);
2902 return (NULL);
2903 }
2904
2905 int
main(int argc,char * argv[])2906 main(int argc, char *argv[])
2907 {
2908 int error = 0;
2909 int ch;
2910 int mode = O_RDONLY;
2911 int opts = 0;
2912 int optimize = PF_OPTIMIZE_BASIC;
2913 char anchorname[MAXPATHLEN];
2914 char *path;
2915
2916 if (argc < 2)
2917 usage();
2918
2919 while ((ch = getopt(argc, argv,
2920 "a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:t:T:vx:z")) != -1) {
2921 switch (ch) {
2922 case 'a':
2923 anchoropt = optarg;
2924 break;
2925 case 'd':
2926 opts |= PF_OPT_DISABLE;
2927 mode = O_RDWR;
2928 break;
2929 case 'D':
2930 if (pfctl_cmdline_symset(optarg) < 0)
2931 warnx("could not parse macro definition %s",
2932 optarg);
2933 break;
2934 case 'e':
2935 opts |= PF_OPT_ENABLE;
2936 mode = O_RDWR;
2937 break;
2938 case 'q':
2939 opts |= PF_OPT_QUIET;
2940 break;
2941 case 'F':
2942 clearopt = pfctl_lookup_option(optarg, clearopt_list);
2943 if (clearopt == NULL) {
2944 warnx("Unknown flush modifier '%s'", optarg);
2945 usage();
2946 }
2947 mode = O_RDWR;
2948 break;
2949 case 'i':
2950 ifaceopt = optarg;
2951 break;
2952 case 'k':
2953 if (state_killers >= 2) {
2954 warnx("can only specify -k twice");
2955 usage();
2956 /* NOTREACHED */
2957 }
2958 state_kill[state_killers++] = optarg;
2959 mode = O_RDWR;
2960 break;
2961 case 'K':
2962 if (src_node_killers >= 2) {
2963 warnx("can only specify -K twice");
2964 usage();
2965 /* NOTREACHED */
2966 }
2967 src_node_kill[src_node_killers++] = optarg;
2968 mode = O_RDWR;
2969 break;
2970 case 'm':
2971 opts |= PF_OPT_MERGE;
2972 break;
2973 case 'M':
2974 opts |= PF_OPT_KILLMATCH;
2975 break;
2976 case 'n':
2977 opts |= PF_OPT_NOACTION;
2978 break;
2979 case 'N':
2980 loadopt |= PFCTL_FLAG_NAT;
2981 break;
2982 case 'r':
2983 opts |= PF_OPT_USEDNS;
2984 break;
2985 case 'f':
2986 rulesopt = optarg;
2987 mode = O_RDWR;
2988 break;
2989 case 'g':
2990 opts |= PF_OPT_DEBUG;
2991 break;
2992 case 'A':
2993 loadopt |= PFCTL_FLAG_ALTQ;
2994 break;
2995 case 'R':
2996 loadopt |= PFCTL_FLAG_FILTER;
2997 break;
2998 case 'o':
2999 optiopt = pfctl_lookup_option(optarg, optiopt_list);
3000 if (optiopt == NULL) {
3001 warnx("Unknown optimization '%s'", optarg);
3002 usage();
3003 }
3004 opts |= PF_OPT_OPTIMIZE;
3005 break;
3006 case 'O':
3007 loadopt |= PFCTL_FLAG_OPTION;
3008 break;
3009 case 'p':
3010 pf_device = optarg;
3011 break;
3012 case 'P':
3013 opts |= PF_OPT_NUMERIC;
3014 break;
3015 case 's':
3016 showopt = pfctl_lookup_option(optarg, showopt_list);
3017 if (showopt == NULL) {
3018 warnx("Unknown show modifier '%s'", optarg);
3019 usage();
3020 }
3021 break;
3022 case 't':
3023 tableopt = optarg;
3024 break;
3025 case 'T':
3026 tblcmdopt = pfctl_lookup_option(optarg, tblcmdopt_list);
3027 if (tblcmdopt == NULL) {
3028 warnx("Unknown table command '%s'", optarg);
3029 usage();
3030 }
3031 break;
3032 case 'v':
3033 if (opts & PF_OPT_VERBOSE)
3034 opts |= PF_OPT_VERBOSE2;
3035 opts |= PF_OPT_VERBOSE;
3036 break;
3037 case 'x':
3038 debugopt = pfctl_lookup_option(optarg, debugopt_list);
3039 if (debugopt == NULL) {
3040 warnx("Unknown debug level '%s'", optarg);
3041 usage();
3042 }
3043 mode = O_RDWR;
3044 break;
3045 case 'z':
3046 opts |= PF_OPT_CLRRULECTRS;
3047 mode = O_RDWR;
3048 break;
3049 case 'h':
3050 /* FALLTHROUGH */
3051 default:
3052 usage();
3053 /* NOTREACHED */
3054 }
3055 }
3056
3057 if (tblcmdopt != NULL) {
3058 argc -= optind;
3059 argv += optind;
3060 ch = *tblcmdopt;
3061 if (ch == 'l') {
3062 loadopt |= PFCTL_FLAG_TABLE;
3063 tblcmdopt = NULL;
3064 } else
3065 mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
3066 } else if (argc != optind) {
3067 warnx("unknown command line argument: %s ...", argv[optind]);
3068 usage();
3069 /* NOTREACHED */
3070 }
3071 if (loadopt == 0)
3072 loadopt = ~0;
3073
3074 if ((path = calloc(1, MAXPATHLEN)) == NULL)
3075 errx(1, "pfctl: calloc");
3076 memset(anchorname, 0, sizeof(anchorname));
3077 if (anchoropt != NULL) {
3078 int len = strlen(anchoropt);
3079
3080 if (len >= 1 && anchoropt[len - 1] == '*') {
3081 if (len >= 2 && anchoropt[len - 2] == '/')
3082 anchoropt[len - 2] = '\0';
3083 else
3084 anchoropt[len - 1] = '\0';
3085 opts |= PF_OPT_RECURSE;
3086 }
3087 if (strlcpy(anchorname, anchoropt,
3088 sizeof(anchorname)) >= sizeof(anchorname))
3089 errx(1, "anchor name '%s' too long",
3090 anchoropt);
3091 loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_NAT|PFCTL_FLAG_TABLE|PFCTL_FLAG_ETH;
3092 }
3093
3094 if ((opts & PF_OPT_NOACTION) == 0) {
3095 dev = open(pf_device, mode);
3096 if (dev == -1)
3097 err(1, "%s", pf_device);
3098 altqsupport = pfctl_test_altqsupport(dev, opts);
3099 } else {
3100 dev = open(pf_device, O_RDONLY);
3101 if (dev >= 0)
3102 opts |= PF_OPT_DUMMYACTION;
3103 /* turn off options */
3104 opts &= ~ (PF_OPT_DISABLE | PF_OPT_ENABLE);
3105 clearopt = showopt = debugopt = NULL;
3106 #if !defined(ENABLE_ALTQ)
3107 altqsupport = 0;
3108 #else
3109 altqsupport = 1;
3110 #endif
3111 }
3112 pfh = pfctl_open(pf_device);
3113 if (pfh == NULL)
3114 err(1, "Failed to open netlink");
3115
3116 if (opts & PF_OPT_DISABLE)
3117 if (pfctl_disable(dev, opts))
3118 error = 1;
3119
3120 if (showopt != NULL) {
3121 switch (*showopt) {
3122 case 'A':
3123 pfctl_show_anchors(dev, opts, anchorname);
3124 if (opts & PF_OPT_VERBOSE2)
3125 printf("Ethernet:\n");
3126 pfctl_show_eth_anchors(dev, opts, anchorname);
3127 break;
3128 case 'r':
3129 pfctl_load_fingerprints(dev, opts);
3130 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_RULES,
3131 anchorname, 0, 0);
3132 break;
3133 case 'l':
3134 pfctl_load_fingerprints(dev, opts);
3135 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_LABELS,
3136 anchorname, 0, 0);
3137 break;
3138 case 'n':
3139 pfctl_load_fingerprints(dev, opts);
3140 pfctl_show_nat(dev, path, opts, anchorname, 0, 0);
3141 break;
3142 case 'q':
3143 pfctl_show_altq(dev, ifaceopt, opts,
3144 opts & PF_OPT_VERBOSE2);
3145 break;
3146 case 's':
3147 pfctl_show_states(dev, ifaceopt, opts);
3148 break;
3149 case 'S':
3150 pfctl_show_src_nodes(dev, opts);
3151 break;
3152 case 'i':
3153 pfctl_show_status(dev, opts);
3154 break;
3155 case 'R':
3156 error = pfctl_show_running(dev);
3157 break;
3158 case 't':
3159 pfctl_show_timeouts(dev, opts);
3160 break;
3161 case 'm':
3162 pfctl_show_limits(dev, opts);
3163 break;
3164 case 'e':
3165 pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0,
3166 0);
3167 break;
3168 case 'a':
3169 opts |= PF_OPT_SHOWALL;
3170 pfctl_load_fingerprints(dev, opts);
3171
3172 pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0,
3173 0);
3174
3175 pfctl_show_nat(dev, path, opts, anchorname, 0, 0);
3176 pfctl_show_rules(dev, path, opts, 0, anchorname, 0, 0);
3177 pfctl_show_altq(dev, ifaceopt, opts, 0);
3178 pfctl_show_states(dev, ifaceopt, opts);
3179 pfctl_show_src_nodes(dev, opts);
3180 pfctl_show_status(dev, opts);
3181 pfctl_show_rules(dev, path, opts, 1, anchorname, 0, 0);
3182 pfctl_show_timeouts(dev, opts);
3183 pfctl_show_limits(dev, opts);
3184 pfctl_show_tables(anchorname, opts);
3185 pfctl_show_fingerprints(opts);
3186 break;
3187 case 'T':
3188 pfctl_show_tables(anchorname, opts);
3189 break;
3190 case 'o':
3191 pfctl_load_fingerprints(dev, opts);
3192 pfctl_show_fingerprints(opts);
3193 break;
3194 case 'I':
3195 pfctl_show_ifaces(ifaceopt, opts);
3196 break;
3197 case 'c':
3198 pfctl_show_creators(opts);
3199 break;
3200 }
3201 }
3202
3203 if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL) {
3204 pfctl_show_eth_rules(dev, path, opts, PFCTL_SHOW_NOTHING,
3205 anchorname, 0, 0);
3206 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING,
3207 anchorname, 0, 0);
3208 }
3209
3210 if (clearopt != NULL) {
3211 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
3212 errx(1, "anchor names beginning with '_' cannot "
3213 "be modified from the command line");
3214
3215 switch (*clearopt) {
3216 case 'e':
3217 pfctl_flush_eth_rules(dev, opts, anchorname);
3218 break;
3219 case 'r':
3220 pfctl_flush_rules(dev, opts, anchorname);
3221 break;
3222 case 'n':
3223 pfctl_flush_nat(dev, opts, anchorname);
3224 break;
3225 case 'q':
3226 pfctl_clear_altq(dev, opts);
3227 break;
3228 case 's':
3229 pfctl_clear_iface_states(dev, ifaceopt, opts);
3230 break;
3231 case 'S':
3232 pfctl_clear_src_nodes(dev, opts);
3233 break;
3234 case 'i':
3235 pfctl_clear_stats(pfh, opts);
3236 break;
3237 case 'a':
3238 pfctl_flush_eth_rules(dev, opts, anchorname);
3239 pfctl_flush_rules(dev, opts, anchorname);
3240 pfctl_flush_nat(dev, opts, anchorname);
3241 pfctl_do_clear_tables(anchorname, opts);
3242 if (!*anchorname) {
3243 pfctl_clear_altq(dev, opts);
3244 pfctl_clear_iface_states(dev, ifaceopt, opts);
3245 pfctl_clear_src_nodes(dev, opts);
3246 pfctl_clear_stats(pfh, opts);
3247 pfctl_clear_fingerprints(dev, opts);
3248 pfctl_clear_interface_flags(dev, opts);
3249 }
3250 break;
3251 case 'o':
3252 pfctl_clear_fingerprints(dev, opts);
3253 break;
3254 case 'T':
3255 pfctl_do_clear_tables(anchorname, opts);
3256 break;
3257 }
3258 }
3259 if (state_killers) {
3260 if (!strcmp(state_kill[0], "label"))
3261 pfctl_label_kill_states(dev, ifaceopt, opts);
3262 else if (!strcmp(state_kill[0], "id"))
3263 pfctl_id_kill_states(dev, ifaceopt, opts);
3264 else if (!strcmp(state_kill[0], "gateway"))
3265 pfctl_gateway_kill_states(dev, ifaceopt, opts);
3266 else
3267 pfctl_net_kill_states(dev, ifaceopt, opts);
3268 }
3269
3270 if (src_node_killers)
3271 pfctl_kill_src_nodes(dev, ifaceopt, opts);
3272
3273 if (tblcmdopt != NULL) {
3274 error = pfctl_command_tables(argc, argv, tableopt,
3275 tblcmdopt, rulesopt, anchorname, opts);
3276 rulesopt = NULL;
3277 }
3278 if (optiopt != NULL) {
3279 switch (*optiopt) {
3280 case 'n':
3281 optimize = 0;
3282 break;
3283 case 'b':
3284 optimize |= PF_OPTIMIZE_BASIC;
3285 break;
3286 case 'o':
3287 case 'p':
3288 optimize |= PF_OPTIMIZE_PROFILE;
3289 break;
3290 }
3291 }
3292
3293 if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
3294 !anchorname[0] && !(opts & PF_OPT_NOACTION))
3295 if (pfctl_get_skip_ifaces())
3296 error = 1;
3297
3298 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
3299 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION))
3300 if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))
3301 error = 1;
3302
3303 if (rulesopt != NULL) {
3304 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
3305 errx(1, "anchor names beginning with '_' cannot "
3306 "be modified from the command line");
3307 if (pfctl_rules(dev, rulesopt, opts, optimize,
3308 anchorname, NULL))
3309 error = 1;
3310 else if (!(opts & PF_OPT_NOACTION) &&
3311 (loadopt & PFCTL_FLAG_TABLE))
3312 warn_namespace_collision(NULL);
3313 }
3314
3315 if (opts & PF_OPT_ENABLE)
3316 if (pfctl_enable(dev, opts))
3317 error = 1;
3318
3319 if (debugopt != NULL) {
3320 switch (*debugopt) {
3321 case 'n':
3322 pfctl_debug(dev, PF_DEBUG_NONE, opts);
3323 break;
3324 case 'u':
3325 pfctl_debug(dev, PF_DEBUG_URGENT, opts);
3326 break;
3327 case 'm':
3328 pfctl_debug(dev, PF_DEBUG_MISC, opts);
3329 break;
3330 case 'l':
3331 pfctl_debug(dev, PF_DEBUG_NOISY, opts);
3332 break;
3333 }
3334 }
3335
3336 exit(error);
3337 }
3338