1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 34 #include <sys/ioctl.h> 35 #include <sys/nv.h> 36 #include <sys/queue.h> 37 #include <sys/types.h> 38 39 #include <net/if.h> 40 #include <net/pfvar.h> 41 #include <netinet/in.h> 42 43 #include <netpfil/pf/pf_nl.h> 44 #include <netlink/netlink.h> 45 #include <netlink/netlink_generic.h> 46 #include <netlink/netlink_snl.h> 47 #include <netlink/netlink_snl_generic.h> 48 #include <netlink/netlink_snl_route.h> 49 50 #include <assert.h> 51 #include <err.h> 52 #include <errno.h> 53 #include <fcntl.h> 54 #include <stdlib.h> 55 #include <string.h> 56 57 #include "libpfctl.h" 58 59 struct pfctl_handle { 60 int fd; 61 struct snl_state ss; 62 }; 63 64 const char* PFCTL_SYNCOOKIES_MODE_NAMES[] = { 65 "never", 66 "always", 67 "adaptive" 68 }; 69 70 static int _pfctl_clear_states(int , const struct pfctl_kill *, 71 unsigned int *, uint64_t); 72 73 struct pfctl_handle * 74 pfctl_open(const char *pf_device) 75 { 76 struct pfctl_handle *h; 77 78 h = calloc(1, sizeof(struct pfctl_handle)); 79 h->fd = -1; 80 81 h->fd = open(pf_device, O_RDWR); 82 if (h->fd < 0) 83 goto error; 84 85 if (!snl_init(&h->ss, NETLINK_GENERIC)) 86 goto error; 87 88 return (h); 89 error: 90 close(h->fd); 91 snl_free(&h->ss); 92 free(h); 93 94 return (NULL); 95 } 96 97 void 98 pfctl_close(struct pfctl_handle *h) 99 { 100 close(h->fd); 101 snl_free(&h->ss); 102 free(h); 103 } 104 105 int 106 pfctl_fd(struct pfctl_handle *h) 107 { 108 return (h->fd); 109 } 110 111 static int 112 pfctl_do_netlink_cmd(struct pfctl_handle *h, uint cmd) 113 { 114 struct snl_errmsg_data e = {}; 115 struct snl_writer nw; 116 struct nlmsghdr *hdr; 117 uint32_t seq_id; 118 int family_id; 119 120 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 121 if (family_id == 0) 122 return (ENOTSUP); 123 124 snl_init_writer(&h->ss, &nw); 125 hdr = snl_create_genl_msg_request(&nw, family_id, cmd); 126 127 hdr = snl_finalize_msg(&nw); 128 if (hdr == NULL) 129 return (ENOMEM); 130 seq_id = hdr->nlmsg_seq; 131 132 snl_send_message(&h->ss, hdr); 133 134 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 135 } 136 137 return (e.error); 138 } 139 140 static int 141 pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl) 142 { 143 struct pfioc_nv nv; 144 void *data; 145 size_t nvlen; 146 int ret; 147 148 data = nvlist_pack(*nvl, &nvlen); 149 if (nvlen > size) 150 size = nvlen; 151 152 retry: 153 nv.data = malloc(size); 154 if (nv.data == NULL) { 155 ret = ENOMEM; 156 goto out; 157 } 158 159 memcpy(nv.data, data, nvlen); 160 161 nv.len = nvlen; 162 nv.size = size; 163 164 ret = ioctl(dev, cmd, &nv); 165 if (ret == -1 && errno == ENOSPC) { 166 size *= 2; 167 free(nv.data); 168 goto retry; 169 } 170 171 nvlist_destroy(*nvl); 172 *nvl = NULL; 173 174 if (ret == 0) { 175 *nvl = nvlist_unpack(nv.data, nv.len, 0); 176 if (*nvl == NULL) { 177 ret = EIO; 178 goto out; 179 } 180 } else { 181 ret = errno; 182 } 183 184 out: 185 free(data); 186 free(nv.data); 187 188 return (ret); 189 } 190 191 static void 192 pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems, 193 uint8_t *numbers, size_t *nelems) 194 { 195 const uint64_t *tmp; 196 size_t elems; 197 198 tmp = nvlist_get_number_array(nvl, name, &elems); 199 assert(elems <= maxelems); 200 201 for (size_t i = 0; i < elems; i++) 202 numbers[i] = tmp[i]; 203 204 if (nelems) 205 *nelems = elems; 206 } 207 208 static void 209 pf_nvuint_16_array(const nvlist_t *nvl, const char *name, size_t maxelems, 210 uint16_t *numbers, size_t *nelems) 211 { 212 const uint64_t *tmp; 213 size_t elems; 214 215 tmp = nvlist_get_number_array(nvl, name, &elems); 216 assert(elems <= maxelems); 217 218 for (size_t i = 0; i < elems; i++) 219 numbers[i] = tmp[i]; 220 221 if (nelems) 222 *nelems = elems; 223 } 224 225 static void 226 pf_nvuint_32_array(const nvlist_t *nvl, const char *name, size_t maxelems, 227 uint32_t *numbers, size_t *nelems) 228 { 229 const uint64_t *tmp; 230 size_t elems; 231 232 tmp = nvlist_get_number_array(nvl, name, &elems); 233 234 for (size_t i = 0; i < elems && i < maxelems; i++) 235 numbers[i] = tmp[i]; 236 237 if (nelems) 238 *nelems = elems; 239 } 240 241 static void 242 pf_nvuint_64_array(const nvlist_t *nvl, const char *name, size_t maxelems, 243 uint64_t *numbers, size_t *nelems) 244 { 245 const uint64_t *tmp; 246 size_t elems; 247 248 tmp = nvlist_get_number_array(nvl, name, &elems); 249 assert(elems <= maxelems); 250 251 for (size_t i = 0; i < elems; i++) 252 numbers[i] = tmp[i]; 253 254 if (nelems) 255 *nelems = elems; 256 } 257 258 int 259 pfctl_startstop(struct pfctl_handle *h, int start) 260 { 261 return (pfctl_do_netlink_cmd(h, start ? PFNL_CMD_START : PFNL_CMD_STOP)); 262 } 263 264 static void 265 _pfctl_get_status_counters(const nvlist_t *nvl, 266 struct pfctl_status_counters *counters) 267 { 268 const uint64_t *ids, *counts; 269 const char *const *names; 270 size_t id_len, counter_len, names_len; 271 272 ids = nvlist_get_number_array(nvl, "ids", &id_len); 273 counts = nvlist_get_number_array(nvl, "counters", &counter_len); 274 names = nvlist_get_string_array(nvl, "names", &names_len); 275 assert(id_len == counter_len); 276 assert(counter_len == names_len); 277 278 TAILQ_INIT(counters); 279 280 for (size_t i = 0; i < id_len; i++) { 281 struct pfctl_status_counter *c; 282 283 c = malloc(sizeof(*c)); 284 if (c == NULL) 285 continue; 286 287 c->id = ids[i]; 288 c->counter = counts[i]; 289 c->name = strdup(names[i]); 290 291 TAILQ_INSERT_TAIL(counters, c, entry); 292 } 293 } 294 295 #define _OUT(_field) offsetof(struct pfctl_status_counter, _field) 296 static const struct snl_attr_parser ap_counter[] = { 297 { .type = PF_C_COUNTER, .off = _OUT(counter), .cb = snl_attr_get_uint64 }, 298 { .type = PF_C_NAME, .off = _OUT(name), .cb = snl_attr_get_string }, 299 { .type = PF_C_ID, .off = _OUT(id), .cb = snl_attr_get_uint32 }, 300 }; 301 SNL_DECLARE_ATTR_PARSER(counter_parser, ap_counter); 302 #undef _OUT 303 304 static bool 305 snl_attr_get_counters(struct snl_state *ss, struct nlattr *nla, 306 const void *arg __unused, void *target) 307 { 308 struct pfctl_status_counter counter = {}; 309 struct pfctl_status_counter *c; 310 bool error; 311 312 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &counter_parser, &counter); 313 if (! error) 314 return (error); 315 316 c = malloc(sizeof(*c)); 317 if (c == NULL) 318 return (false); 319 320 c->id = counter.id; 321 c->counter = counter.counter; 322 c->name = strdup(counter.name); 323 324 TAILQ_INSERT_TAIL((struct pfctl_status_counters *)target, c, entry); 325 326 return (error); 327 } 328 329 struct snl_uint64_array { 330 uint64_t *array; 331 size_t count; 332 size_t max; 333 }; 334 static bool 335 snl_attr_get_uint64_element(struct snl_state *ss, struct nlattr *nla, 336 const void *arg, void *target) 337 { 338 bool error; 339 uint64_t value; 340 struct snl_uint64_array *t = (struct snl_uint64_array *)target; 341 342 if (t->count >= t->max) 343 return (false); 344 345 error = snl_attr_get_uint64(ss, nla, arg, &value); 346 if (! error) 347 return (error); 348 349 t->array[t->count++] = value; 350 351 return (true); 352 } 353 354 static const struct snl_attr_parser ap_array[] = { 355 { .cb = snl_attr_get_uint64_element }, 356 }; 357 SNL_DECLARE_ATTR_PARSER(array_parser, ap_array); 358 static bool 359 snl_attr_get_uint64_array(struct snl_state *ss, struct nlattr *nla, 360 const void *arg, void *target) 361 { 362 struct snl_uint64_array a = { 363 .array = target, 364 .count = 0, 365 .max = (size_t)arg, 366 }; 367 bool error; 368 369 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &array_parser, &a); 370 if (! error) 371 return (error); 372 373 return (true); 374 } 375 376 #define _OUT(_field) offsetof(struct pfctl_status, _field) 377 static const struct snl_attr_parser ap_getstatus[] = { 378 { .type = PF_GS_IFNAME, .off = _OUT(ifname), .arg_u32 = IFNAMSIZ, .cb = snl_attr_copy_string }, 379 { .type = PF_GS_RUNNING, .off = _OUT(running), .cb = snl_attr_get_bool }, 380 { .type = PF_GS_SINCE, .off = _OUT(since), .cb = snl_attr_get_uint32 }, 381 { .type = PF_GS_DEBUG, .off = _OUT(debug), .cb = snl_attr_get_uint32 }, 382 { .type = PF_GS_HOSTID, .off = _OUT(hostid), .cb = snl_attr_get_uint32 }, 383 { .type = PF_GS_STATES, .off = _OUT(states), .cb = snl_attr_get_uint32 }, 384 { .type = PF_GS_SRC_NODES, .off = _OUT(src_nodes), .cb = snl_attr_get_uint32 }, 385 { .type = PF_GS_REASSEMBLE, .off = _OUT(reass), .cb = snl_attr_get_uint32 }, 386 { .type = PF_GS_SYNCOOKIES_ACTIVE, .off = _OUT(syncookies_active), .cb = snl_attr_get_uint32 }, 387 { .type = PF_GS_COUNTERS, .off = _OUT(counters), .cb = snl_attr_get_counters }, 388 { .type = PF_GS_LCOUNTERS, .off = _OUT(lcounters), .cb = snl_attr_get_counters }, 389 { .type = PF_GS_FCOUNTERS, .off = _OUT(fcounters), .cb = snl_attr_get_counters }, 390 { .type = PF_GS_SCOUNTERS, .off = _OUT(scounters), .cb = snl_attr_get_counters }, 391 { .type = PF_GS_CHKSUM, .off = _OUT(pf_chksum), .arg_u32 = PF_MD5_DIGEST_LENGTH, .cb = snl_attr_get_bytes }, 392 { .type = PF_GS_BCOUNTERS, .off = _OUT(bcounters), .arg_u32 = 2 * 2, .cb = snl_attr_get_uint64_array }, 393 { .type = PF_GS_PCOUNTERS, .off = _OUT(pcounters), .arg_u32 = 2 * 2 * 2, .cb = snl_attr_get_uint64_array }, 394 { .type = PF_GS_NCOUNTERS, .off = _OUT(ncounters), .cb = snl_attr_get_counters }, 395 { .type = PF_GS_FRAGMENTS, .off = _OUT(fragments), .cb = snl_attr_get_uint64 }, 396 }; 397 SNL_DECLARE_PARSER(getstatus_parser, struct genlmsghdr, snl_f_p_empty, ap_getstatus); 398 #undef _OUT 399 400 struct pfctl_status * 401 pfctl_get_status_h(struct pfctl_handle *h) 402 { 403 struct pfctl_status *status; 404 struct snl_errmsg_data e = {}; 405 struct nlmsghdr *hdr; 406 struct snl_writer nw; 407 uint32_t seq_id; 408 int family_id; 409 410 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 411 if (family_id == 0) 412 return (NULL); 413 414 snl_init_writer(&h->ss, &nw); 415 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_STATUS); 416 hdr->nlmsg_flags |= NLM_F_DUMP; 417 418 hdr = snl_finalize_msg(&nw); 419 if (hdr == NULL) { 420 return (NULL); 421 } 422 423 seq_id = hdr->nlmsg_seq; 424 if (! snl_send_message(&h->ss, hdr)) 425 return (NULL); 426 427 status = calloc(1, sizeof(*status)); 428 if (status == NULL) 429 return (NULL); 430 TAILQ_INIT(&status->counters); 431 TAILQ_INIT(&status->lcounters); 432 TAILQ_INIT(&status->fcounters); 433 TAILQ_INIT(&status->scounters); 434 TAILQ_INIT(&status->ncounters); 435 436 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 437 if (! snl_parse_nlmsg(&h->ss, hdr, &getstatus_parser, status)) 438 continue; 439 } 440 441 return (status); 442 } 443 444 struct pfctl_status * 445 pfctl_get_status(int dev) 446 { 447 struct pfctl_status *status; 448 nvlist_t *nvl; 449 size_t len; 450 const void *chksum; 451 452 status = calloc(1, sizeof(*status)); 453 if (status == NULL) 454 return (NULL); 455 456 nvl = nvlist_create(0); 457 458 if (pfctl_do_ioctl(dev, DIOCGETSTATUSNV, 4096, &nvl)) { 459 nvlist_destroy(nvl); 460 free(status); 461 return (NULL); 462 } 463 464 status->running = nvlist_get_bool(nvl, "running"); 465 status->since = nvlist_get_number(nvl, "since"); 466 status->debug = nvlist_get_number(nvl, "debug"); 467 status->hostid = ntohl(nvlist_get_number(nvl, "hostid")); 468 status->states = nvlist_get_number(nvl, "states"); 469 status->src_nodes = nvlist_get_number(nvl, "src_nodes"); 470 status->syncookies_active = nvlist_get_bool(nvl, "syncookies_active"); 471 status->reass = nvlist_get_number(nvl, "reass"); 472 473 strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"), 474 IFNAMSIZ); 475 chksum = nvlist_get_binary(nvl, "chksum", &len); 476 assert(len == PF_MD5_DIGEST_LENGTH); 477 memcpy(status->pf_chksum, chksum, len); 478 479 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "counters"), 480 &status->counters); 481 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "lcounters"), 482 &status->lcounters); 483 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "fcounters"), 484 &status->fcounters); 485 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "scounters"), 486 &status->scounters); 487 488 pf_nvuint_64_array(nvl, "pcounters", 2 * 2 * 2, 489 (uint64_t *)status->pcounters, NULL); 490 pf_nvuint_64_array(nvl, "bcounters", 2 * 2, 491 (uint64_t *)status->bcounters, NULL); 492 493 nvlist_destroy(nvl); 494 495 return (status); 496 } 497 int 498 pfctl_clear_status(struct pfctl_handle *h) 499 { 500 return (pfctl_do_netlink_cmd(h, PFNL_CMD_CLEAR_STATUS)); 501 } 502 503 static uint64_t 504 _pfctl_status_counter(struct pfctl_status_counters *counters, uint64_t id) 505 { 506 struct pfctl_status_counter *c; 507 508 TAILQ_FOREACH(c, counters, entry) { 509 if (c->id == id) 510 return (c->counter); 511 } 512 513 return (0); 514 } 515 516 uint64_t 517 pfctl_status_counter(struct pfctl_status *status, int id) 518 { 519 return (_pfctl_status_counter(&status->counters, id)); 520 } 521 522 uint64_t 523 pfctl_status_lcounter(struct pfctl_status *status, int id) 524 { 525 return (_pfctl_status_counter(&status->lcounters, id)); 526 } 527 528 uint64_t 529 pfctl_status_fcounter(struct pfctl_status *status, int id) 530 { 531 return (_pfctl_status_counter(&status->fcounters, id)); 532 } 533 534 uint64_t 535 pfctl_status_scounter(struct pfctl_status *status, int id) 536 { 537 return (_pfctl_status_counter(&status->scounters, id)); 538 } 539 540 void 541 pfctl_free_status(struct pfctl_status *status) 542 { 543 struct pfctl_status_counter *c, *tmp; 544 545 if (status == NULL) 546 return; 547 548 TAILQ_FOREACH_SAFE(c, &status->counters, entry, tmp) { 549 free(c->name); 550 free(c); 551 } 552 TAILQ_FOREACH_SAFE(c, &status->lcounters, entry, tmp) { 553 free(c->name); 554 free(c); 555 } 556 TAILQ_FOREACH_SAFE(c, &status->fcounters, entry, tmp) { 557 free(c->name); 558 free(c); 559 } 560 TAILQ_FOREACH_SAFE(c, &status->scounters, entry, tmp) { 561 free(c->name); 562 free(c); 563 } 564 TAILQ_FOREACH_SAFE(c, &status->ncounters, entry, tmp) { 565 free(c->name); 566 free(c); 567 } 568 569 free(status); 570 } 571 572 static void 573 pfctl_nv_add_addr(nvlist_t *nvparent, const char *name, 574 const struct pf_addr *addr) 575 { 576 nvlist_t *nvl = nvlist_create(0); 577 578 nvlist_add_binary(nvl, "addr", addr, sizeof(*addr)); 579 580 nvlist_add_nvlist(nvparent, name, nvl); 581 nvlist_destroy(nvl); 582 } 583 584 static void 585 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr) 586 { 587 size_t len; 588 const void *data; 589 590 data = nvlist_get_binary(nvl, "addr", &len); 591 assert(len == sizeof(struct pf_addr)); 592 memcpy(addr, data, len); 593 } 594 595 static void 596 pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, 597 const struct pf_addr_wrap *addr) 598 { 599 nvlist_t *nvl = nvlist_create(0); 600 601 nvlist_add_number(nvl, "type", addr->type); 602 nvlist_add_number(nvl, "iflags", addr->iflags); 603 if (addr->type == PF_ADDR_DYNIFTL) 604 nvlist_add_string(nvl, "ifname", addr->v.ifname); 605 if (addr->type == PF_ADDR_TABLE) 606 nvlist_add_string(nvl, "tblname", addr->v.tblname); 607 pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); 608 pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); 609 610 nvlist_add_nvlist(nvparent, name, nvl); 611 nvlist_destroy(nvl); 612 } 613 614 static void 615 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr) 616 { 617 bzero(addr, sizeof(*addr)); 618 619 addr->type = nvlist_get_number(nvl, "type"); 620 addr->iflags = nvlist_get_number(nvl, "iflags"); 621 if (addr->type == PF_ADDR_DYNIFTL) { 622 strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"), 623 IFNAMSIZ); 624 addr->p.dyncnt = nvlist_get_number(nvl, "dyncnt"); 625 } 626 if (addr->type == PF_ADDR_TABLE) { 627 strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"), 628 PF_TABLE_NAME_SIZE); 629 addr->p.tblcnt = nvlist_get_number(nvl, "tblcnt"); 630 } 631 632 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr); 633 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask); 634 } 635 636 static void 637 pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name, 638 const struct pf_rule_addr *addr) 639 { 640 uint64_t ports[2]; 641 nvlist_t *nvl = nvlist_create(0); 642 643 pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr); 644 ports[0] = addr->port[0]; 645 ports[1] = addr->port[1]; 646 nvlist_add_number_array(nvl, "port", ports, 2); 647 nvlist_add_number(nvl, "neg", addr->neg); 648 nvlist_add_number(nvl, "port_op", addr->port_op); 649 650 nvlist_add_nvlist(nvparent, name, nvl); 651 nvlist_destroy(nvl); 652 } 653 654 static void 655 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr) 656 { 657 pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"), &addr->addr); 658 659 pf_nvuint_16_array(nvl, "port", 2, addr->port, NULL); 660 addr->neg = nvlist_get_number(nvl, "neg"); 661 addr->port_op = nvlist_get_number(nvl, "port_op"); 662 } 663 664 static void 665 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape) 666 { 667 mape->offset = nvlist_get_number(nvl, "offset"); 668 mape->psidlen = nvlist_get_number(nvl, "psidlen"); 669 mape->psid = nvlist_get_number(nvl, "psid"); 670 } 671 672 static void 673 pf_nvpool_to_pool(const nvlist_t *nvl, struct pfctl_pool *pool) 674 { 675 size_t len; 676 const void *data; 677 678 data = nvlist_get_binary(nvl, "key", &len); 679 assert(len == sizeof(pool->key)); 680 memcpy(&pool->key, data, len); 681 682 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"), &pool->counter); 683 684 pool->tblidx = nvlist_get_number(nvl, "tblidx"); 685 pf_nvuint_16_array(nvl, "proxy_port", 2, pool->proxy_port, NULL); 686 pool->opts = nvlist_get_number(nvl, "opts"); 687 688 if (nvlist_exists_nvlist(nvl, "mape")) 689 pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"), &pool->mape); 690 } 691 692 static void 693 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid) 694 { 695 pf_nvuint_32_array(nvl, "uid", 2, uid->uid, NULL); 696 uid->op = nvlist_get_number(nvl, "op"); 697 } 698 699 static void 700 pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule) 701 { 702 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr); 703 rule->divert.port = nvlist_get_number(nvl, "port"); 704 } 705 706 static void 707 pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule) 708 { 709 const uint64_t *skip; 710 const char *const *labels; 711 size_t skipcount, labelcount; 712 713 rule->nr = nvlist_get_number(nvl, "nr"); 714 715 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"), &rule->src); 716 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &rule->dst); 717 718 skip = nvlist_get_number_array(nvl, "skip", &skipcount); 719 assert(skip); 720 assert(skipcount == PF_SKIP_COUNT); 721 for (int i = 0; i < PF_SKIP_COUNT; i++) 722 rule->skip[i].nr = skip[i]; 723 724 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 725 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 726 for (size_t i = 0; i < labelcount; i++) 727 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 728 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 729 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 730 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 731 strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE); 732 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 733 PF_TAG_NAME_SIZE); 734 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 735 PF_TAG_NAME_SIZE); 736 737 strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"), 738 PF_TABLE_NAME_SIZE); 739 740 pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rdr); 741 742 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 743 pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL); 744 pf_nvuint_64_array(nvl, "bytes", 2, rule->bytes, NULL); 745 746 if (nvlist_exists_number(nvl, "timestamp")) { 747 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 748 } 749 750 rule->os_fingerprint = nvlist_get_number(nvl, "os_fingerprint"); 751 752 rule->rtableid = nvlist_get_number(nvl, "rtableid"); 753 pf_nvuint_32_array(nvl, "timeout", PFTM_MAX, rule->timeout, NULL); 754 rule->max_states = nvlist_get_number(nvl, "max_states"); 755 rule->max_src_nodes = nvlist_get_number(nvl, "max_src_nodes"); 756 rule->max_src_states = nvlist_get_number(nvl, "max_src_states"); 757 rule->max_src_conn = nvlist_get_number(nvl, "max_src_conn"); 758 rule->max_src_conn_rate.limit = 759 nvlist_get_number(nvl, "max_src_conn_rate.limit"); 760 rule->max_src_conn_rate.seconds = 761 nvlist_get_number(nvl, "max_src_conn_rate.seconds"); 762 rule->qid = nvlist_get_number(nvl, "qid"); 763 rule->pqid = nvlist_get_number(nvl, "pqid"); 764 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 765 rule->dnrpipe = nvlist_get_number(nvl, "dnrpipe"); 766 rule->free_flags = nvlist_get_number(nvl, "dnflags"); 767 rule->prob = nvlist_get_number(nvl, "prob"); 768 rule->cuid = nvlist_get_number(nvl, "cuid"); 769 rule->cpid = nvlist_get_number(nvl, "cpid"); 770 771 rule->return_icmp = nvlist_get_number(nvl, "return_icmp"); 772 rule->return_icmp6 = nvlist_get_number(nvl, "return_icmp6"); 773 rule->max_mss = nvlist_get_number(nvl, "max_mss"); 774 rule->scrub_flags = nvlist_get_number(nvl, "scrub_flags"); 775 776 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"), &rule->uid); 777 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "gid"), 778 (struct pf_rule_uid *)&rule->gid); 779 780 rule->rule_flag = nvlist_get_number(nvl, "rule_flag"); 781 rule->action = nvlist_get_number(nvl, "action"); 782 rule->direction = nvlist_get_number(nvl, "direction"); 783 rule->log = nvlist_get_number(nvl, "log"); 784 rule->logif = nvlist_get_number(nvl, "logif"); 785 rule->quick = nvlist_get_number(nvl, "quick"); 786 rule->ifnot = nvlist_get_number(nvl, "ifnot"); 787 rule->match_tag_not = nvlist_get_number(nvl, "match_tag_not"); 788 rule->natpass = nvlist_get_number(nvl, "natpass"); 789 790 rule->keep_state = nvlist_get_number(nvl, "keep_state"); 791 rule->af = nvlist_get_number(nvl, "af"); 792 rule->proto = nvlist_get_number(nvl, "proto"); 793 rule->type = nvlist_get_number(nvl, "type"); 794 rule->code = nvlist_get_number(nvl, "code"); 795 rule->flags = nvlist_get_number(nvl, "flags"); 796 rule->flagset = nvlist_get_number(nvl, "flagset"); 797 rule->min_ttl = nvlist_get_number(nvl, "min_ttl"); 798 rule->allow_opts = nvlist_get_number(nvl, "allow_opts"); 799 rule->rt = nvlist_get_number(nvl, "rt"); 800 rule->return_ttl = nvlist_get_number(nvl, "return_ttl"); 801 rule->tos = nvlist_get_number(nvl, "tos"); 802 rule->set_tos = nvlist_get_number(nvl, "set_tos"); 803 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 804 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 805 806 rule->flush = nvlist_get_number(nvl, "flush"); 807 rule->prio = nvlist_get_number(nvl, "prio"); 808 pf_nvuint_8_array(nvl, "set_prio", 2, rule->set_prio, NULL); 809 810 pf_nvdivert_to_divert(nvlist_get_nvlist(nvl, "divert"), rule); 811 812 rule->states_cur = nvlist_get_number(nvl, "states_cur"); 813 rule->states_tot = nvlist_get_number(nvl, "states_tot"); 814 rule->src_nodes = nvlist_get_number(nvl, "src_nodes"); 815 } 816 817 static void 818 pfctl_nveth_addr_to_eth_addr(const nvlist_t *nvl, struct pfctl_eth_addr *addr) 819 { 820 static const u_int8_t EMPTY_MAC[ETHER_ADDR_LEN] = { 0 }; 821 size_t len; 822 const void *data; 823 824 data = nvlist_get_binary(nvl, "addr", &len); 825 assert(len == sizeof(addr->addr)); 826 memcpy(addr->addr, data, sizeof(addr->addr)); 827 828 data = nvlist_get_binary(nvl, "mask", &len); 829 assert(len == sizeof(addr->mask)); 830 memcpy(addr->mask, data, sizeof(addr->mask)); 831 832 addr->neg = nvlist_get_bool(nvl, "neg"); 833 834 /* To make checks for 'is this address set?' easier. */ 835 addr->isset = memcmp(addr->addr, EMPTY_MAC, ETHER_ADDR_LEN) != 0; 836 } 837 838 static nvlist_t * 839 pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr *addr) 840 { 841 nvlist_t *nvl; 842 843 nvl = nvlist_create(0); 844 if (nvl == NULL) 845 return (NULL); 846 847 nvlist_add_bool(nvl, "neg", addr->neg); 848 nvlist_add_binary(nvl, "addr", &addr->addr, ETHER_ADDR_LEN); 849 nvlist_add_binary(nvl, "mask", &addr->mask, ETHER_ADDR_LEN); 850 851 return (nvl); 852 } 853 854 static void 855 pfctl_nveth_rule_to_eth_rule(const nvlist_t *nvl, struct pfctl_eth_rule *rule) 856 { 857 const char *const *labels; 858 size_t labelcount, i; 859 860 rule->nr = nvlist_get_number(nvl, "nr"); 861 rule->quick = nvlist_get_bool(nvl, "quick"); 862 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 863 rule->ifnot = nvlist_get_bool(nvl, "ifnot"); 864 rule->direction = nvlist_get_number(nvl, "direction"); 865 rule->proto = nvlist_get_number(nvl, "proto"); 866 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 867 PF_TAG_NAME_SIZE); 868 rule->match_tag = nvlist_get_number(nvl, "match_tag"); 869 rule->match_tag_not = nvlist_get_bool(nvl, "match_tag_not"); 870 871 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 872 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 873 for (i = 0; i < labelcount; i++) 874 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 875 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 876 877 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "src"), 878 &rule->src); 879 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "dst"), 880 &rule->dst); 881 882 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipsrc"), 883 &rule->ipsrc); 884 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipdst"), 885 &rule->ipdst); 886 887 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 888 rule->packets[0] = nvlist_get_number(nvl, "packets-in"); 889 rule->packets[1] = nvlist_get_number(nvl, "packets-out"); 890 rule->bytes[0] = nvlist_get_number(nvl, "bytes-in"); 891 rule->bytes[1] = nvlist_get_number(nvl, "bytes-out"); 892 893 if (nvlist_exists_number(nvl, "timestamp")) { 894 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 895 } 896 897 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 898 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 899 PF_TAG_NAME_SIZE); 900 901 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 902 rule->dnflags = nvlist_get_number(nvl, "dnflags"); 903 904 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 905 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 906 907 strlcpy(rule->bridge_to, nvlist_get_string(nvl, "bridge_to"), 908 IFNAMSIZ); 909 910 rule->action = nvlist_get_number(nvl, "action"); 911 } 912 913 int 914 pfctl_get_eth_rulesets_info(int dev, struct pfctl_eth_rulesets_info *ri, 915 const char *path) 916 { 917 nvlist_t *nvl; 918 int ret; 919 920 bzero(ri, sizeof(*ri)); 921 922 nvl = nvlist_create(0); 923 nvlist_add_string(nvl, "path", path); 924 925 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESETS, 256, &nvl)) != 0) 926 goto out; 927 928 ri->nr = nvlist_get_number(nvl, "nr"); 929 930 out: 931 nvlist_destroy(nvl); 932 return (ret); 933 } 934 935 int 936 pfctl_get_eth_ruleset(int dev, const char *path, int nr, 937 struct pfctl_eth_ruleset_info *ri) 938 { 939 nvlist_t *nvl; 940 int ret; 941 942 bzero(ri, sizeof(*ri)); 943 944 nvl = nvlist_create(0); 945 nvlist_add_string(nvl, "path", path); 946 nvlist_add_number(nvl, "nr", nr); 947 948 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESET, 1024, &nvl)) != 0) 949 goto out; 950 951 ri->nr = nvlist_get_number(nvl, "nr"); 952 strlcpy(ri->path, nvlist_get_string(nvl, "path"), MAXPATHLEN); 953 strlcpy(ri->name, nvlist_get_string(nvl, "name"), 954 PF_ANCHOR_NAME_SIZE); 955 956 out: 957 nvlist_destroy(nvl); 958 return (ret); 959 } 960 961 int 962 pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 963 const char *path) 964 { 965 nvlist_t *nvl; 966 int ret; 967 968 bzero(rules, sizeof(*rules)); 969 970 nvl = nvlist_create(0); 971 nvlist_add_string(nvl, "anchor", path); 972 973 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULES, 1024, &nvl)) != 0) 974 goto out; 975 976 rules->nr = nvlist_get_number(nvl, "nr"); 977 rules->ticket = nvlist_get_number(nvl, "ticket"); 978 979 out: 980 nvlist_destroy(nvl); 981 return (ret); 982 } 983 984 int 985 pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 986 const char *path, struct pfctl_eth_rule *rule, bool clear, 987 char *anchor_call) 988 { 989 nvlist_t *nvl; 990 int ret; 991 992 nvl = nvlist_create(0); 993 994 nvlist_add_string(nvl, "anchor", path); 995 nvlist_add_number(nvl, "ticket", ticket); 996 nvlist_add_number(nvl, "nr", nr); 997 nvlist_add_bool(nvl, "clear", clear); 998 999 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULE, 4096, &nvl)) != 0) 1000 goto out; 1001 1002 pfctl_nveth_rule_to_eth_rule(nvl, rule); 1003 1004 if (anchor_call) 1005 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 1006 MAXPATHLEN); 1007 1008 out: 1009 nvlist_destroy(nvl); 1010 return (ret); 1011 } 1012 1013 int 1014 pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, const char *anchor, 1015 const char *anchor_call, uint32_t ticket) 1016 { 1017 struct pfioc_nv nv; 1018 nvlist_t *nvl, *addr; 1019 void *packed; 1020 int error = 0; 1021 size_t labelcount, size; 1022 1023 nvl = nvlist_create(0); 1024 1025 nvlist_add_number(nvl, "ticket", ticket); 1026 nvlist_add_string(nvl, "anchor", anchor); 1027 nvlist_add_string(nvl, "anchor_call", anchor_call); 1028 1029 nvlist_add_number(nvl, "nr", r->nr); 1030 nvlist_add_bool(nvl, "quick", r->quick); 1031 nvlist_add_string(nvl, "ifname", r->ifname); 1032 nvlist_add_bool(nvl, "ifnot", r->ifnot); 1033 nvlist_add_number(nvl, "direction", r->direction); 1034 nvlist_add_number(nvl, "proto", r->proto); 1035 nvlist_add_string(nvl, "match_tagname", r->match_tagname); 1036 nvlist_add_bool(nvl, "match_tag_not", r->match_tag_not); 1037 1038 addr = pfctl_eth_addr_to_nveth_addr(&r->src); 1039 if (addr == NULL) { 1040 nvlist_destroy(nvl); 1041 return (ENOMEM); 1042 } 1043 nvlist_add_nvlist(nvl, "src", addr); 1044 nvlist_destroy(addr); 1045 1046 addr = pfctl_eth_addr_to_nveth_addr(&r->dst); 1047 if (addr == NULL) { 1048 nvlist_destroy(nvl); 1049 return (ENOMEM); 1050 } 1051 nvlist_add_nvlist(nvl, "dst", addr); 1052 nvlist_destroy(addr); 1053 1054 pfctl_nv_add_rule_addr(nvl, "ipsrc", &r->ipsrc); 1055 pfctl_nv_add_rule_addr(nvl, "ipdst", &r->ipdst); 1056 1057 labelcount = 0; 1058 while (labelcount < PF_RULE_MAX_LABEL_COUNT && 1059 r->label[labelcount][0] != 0) { 1060 nvlist_append_string_array(nvl, "labels", 1061 r->label[labelcount]); 1062 labelcount++; 1063 } 1064 nvlist_add_number(nvl, "ridentifier", r->ridentifier); 1065 1066 nvlist_add_string(nvl, "qname", r->qname); 1067 nvlist_add_string(nvl, "tagname", r->tagname); 1068 nvlist_add_number(nvl, "dnpipe", r->dnpipe); 1069 nvlist_add_number(nvl, "dnflags", r->dnflags); 1070 1071 nvlist_add_string(nvl, "bridge_to", r->bridge_to); 1072 1073 nvlist_add_number(nvl, "action", r->action); 1074 1075 packed = nvlist_pack(nvl, &size); 1076 if (packed == NULL) { 1077 nvlist_destroy(nvl); 1078 return (ENOMEM); 1079 } 1080 1081 nv.len = size; 1082 nv.size = size; 1083 nv.data = packed; 1084 1085 if (ioctl(dev, DIOCADDETHRULE, &nv) != 0) 1086 error = errno; 1087 1088 free(packed); 1089 nvlist_destroy(nvl); 1090 1091 return (error); 1092 } 1093 1094 static void 1095 snl_add_msg_attr_addr_wrap(struct snl_writer *nw, uint32_t type, const struct pf_addr_wrap *addr) 1096 { 1097 int off; 1098 1099 off = snl_add_msg_attr_nested(nw, type); 1100 1101 snl_add_msg_attr_ip6(nw, PF_AT_ADDR, &addr->v.a.addr.v6); 1102 snl_add_msg_attr_ip6(nw, PF_AT_MASK, &addr->v.a.mask.v6); 1103 1104 if (addr->type == PF_ADDR_DYNIFTL) 1105 snl_add_msg_attr_string(nw, PF_AT_IFNAME, addr->v.ifname); 1106 if (addr->type == PF_ADDR_TABLE) 1107 snl_add_msg_attr_string(nw, PF_AT_TABLENAME, addr->v.tblname); 1108 snl_add_msg_attr_u8(nw, PF_AT_TYPE, addr->type); 1109 snl_add_msg_attr_u8(nw, PF_AT_IFLAGS, addr->iflags); 1110 1111 snl_end_attr_nested(nw, off); 1112 } 1113 1114 static void 1115 snl_add_msg_attr_pool_addr(struct snl_writer *nw, uint32_t type, const struct pf_pooladdr *pa) 1116 { 1117 int off; 1118 1119 off = snl_add_msg_attr_nested(nw, type); 1120 1121 snl_add_msg_attr_string(nw, PF_PA_IFNAME, pa->ifname); 1122 snl_add_msg_attr_addr_wrap(nw, PF_PA_ADDR, &pa->addr); 1123 1124 snl_end_attr_nested(nw, off); 1125 } 1126 1127 static void 1128 snl_add_msg_attr_rule_addr(struct snl_writer *nw, uint32_t type, const struct pf_rule_addr *addr) 1129 { 1130 int off; 1131 1132 off = snl_add_msg_attr_nested(nw, type); 1133 1134 snl_add_msg_attr_addr_wrap(nw, PF_RAT_ADDR, &addr->addr); 1135 snl_add_msg_attr_u16(nw, PF_RAT_SRC_PORT, addr->port[0]); 1136 snl_add_msg_attr_u16(nw, PF_RAT_DST_PORT, addr->port[1]); 1137 snl_add_msg_attr_u8(nw, PF_RAT_NEG, addr->neg); 1138 snl_add_msg_attr_u8(nw, PF_RAT_OP, addr->port_op); 1139 1140 snl_end_attr_nested(nw, off); 1141 } 1142 1143 static void 1144 snl_add_msg_attr_rule_labels(struct snl_writer *nw, uint32_t type, const char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]) 1145 { 1146 int off, i = 0; 1147 1148 off = snl_add_msg_attr_nested(nw, type); 1149 1150 while (i < PF_RULE_MAX_LABEL_COUNT && 1151 labels[i][0] != 0) { 1152 snl_add_msg_attr_string(nw, PF_LT_LABEL, labels[i]); 1153 i++; 1154 } 1155 1156 snl_end_attr_nested(nw, off); 1157 } 1158 1159 static void 1160 snl_add_msg_attr_mape(struct snl_writer *nw, uint32_t type, const struct pf_mape_portset *me) 1161 { 1162 int off; 1163 1164 off = snl_add_msg_attr_nested(nw, type); 1165 1166 snl_add_msg_attr_u8(nw, PF_MET_OFFSET, me->offset); 1167 snl_add_msg_attr_u8(nw, PF_MET_PSID_LEN, me->psidlen); 1168 snl_add_msg_attr_u16(nw, PF_MET_PSID, me->psid); 1169 1170 snl_end_attr_nested(nw, off); 1171 } 1172 1173 static void 1174 snl_add_msg_attr_rpool(struct snl_writer *nw, uint32_t type, const struct pfctl_pool *pool) 1175 { 1176 int off; 1177 1178 off = snl_add_msg_attr_nested(nw, type); 1179 1180 snl_add_msg_attr(nw, PF_PT_KEY, sizeof(pool->key), &pool->key); 1181 snl_add_msg_attr_ip6(nw, PF_PT_COUNTER, &pool->counter.v6); 1182 snl_add_msg_attr_u32(nw, PF_PT_TBLIDX, pool->tblidx); 1183 snl_add_msg_attr_u16(nw, PF_PT_PROXY_SRC_PORT, pool->proxy_port[0]); 1184 snl_add_msg_attr_u16(nw, PF_PT_PROXY_DST_PORT, pool->proxy_port[1]); 1185 snl_add_msg_attr_u8(nw, PF_PT_OPTS, pool->opts); 1186 snl_add_msg_attr_mape(nw, PF_PT_MAPE, &pool->mape); 1187 1188 snl_end_attr_nested(nw, off); 1189 } 1190 1191 static void 1192 snl_add_msg_attr_timeouts(struct snl_writer *nw, uint32_t type, const uint32_t *timeouts) 1193 { 1194 int off; 1195 1196 off = snl_add_msg_attr_nested(nw, type); 1197 1198 for (int i = 0; i < PFTM_MAX; i++) 1199 snl_add_msg_attr_u32(nw, PF_TT_TIMEOUT, timeouts[i]); 1200 1201 snl_end_attr_nested(nw, off); 1202 } 1203 1204 static void 1205 snl_add_msg_attr_uid(struct snl_writer *nw, uint32_t type, const struct pf_rule_uid *uid) 1206 { 1207 int off; 1208 1209 off = snl_add_msg_attr_nested(nw, type); 1210 1211 snl_add_msg_attr_u32(nw, PF_RUT_UID_LOW, uid->uid[0]); 1212 snl_add_msg_attr_u32(nw, PF_RUT_UID_HIGH, uid->uid[1]); 1213 snl_add_msg_attr_u8(nw, PF_RUT_OP, uid->op); 1214 1215 snl_end_attr_nested(nw, off); 1216 } 1217 1218 static void 1219 snl_add_msg_attr_threshold(struct snl_writer *nw, uint32_t type, const struct pfctl_threshold *th) 1220 { 1221 int off; 1222 1223 off = snl_add_msg_attr_nested(nw, type); 1224 1225 snl_add_msg_attr_u32(nw, PF_TH_LIMIT, th->limit); 1226 snl_add_msg_attr_u32(nw, PF_TH_SECONDS, th->seconds); 1227 1228 snl_end_attr_nested(nw, off); 1229 } 1230 1231 static void 1232 snl_add_msg_attr_pf_rule(struct snl_writer *nw, uint32_t type, const struct pfctl_rule *r) 1233 { 1234 int off; 1235 1236 off = snl_add_msg_attr_nested(nw, type); 1237 1238 snl_add_msg_attr_rule_addr(nw, PF_RT_SRC, &r->src); 1239 snl_add_msg_attr_rule_addr(nw, PF_RT_DST, &r->dst); 1240 snl_add_msg_attr_rule_labels(nw, PF_RT_LABELS, r->label); 1241 snl_add_msg_attr_u32(nw, PF_RT_RIDENTIFIER, r->ridentifier); 1242 snl_add_msg_attr_string(nw, PF_RT_IFNAME, r->ifname); 1243 snl_add_msg_attr_string(nw, PF_RT_QNAME, r->qname); 1244 snl_add_msg_attr_string(nw, PF_RT_PQNAME, r->pqname); 1245 snl_add_msg_attr_string(nw, PF_RT_TAGNAME, r->tagname); 1246 snl_add_msg_attr_string(nw, PF_RT_MATCH_TAGNAME, r->match_tagname); 1247 snl_add_msg_attr_string(nw, PF_RT_OVERLOAD_TBLNAME, r->overload_tblname); 1248 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_RDR, &r->rdr); 1249 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_NAT, &r->nat); 1250 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_RT, &r->route); 1251 snl_add_msg_attr_threshold(nw, PF_RT_PKTRATE, &r->pktrate); 1252 snl_add_msg_attr_u32(nw, PF_RT_OS_FINGERPRINT, r->os_fingerprint); 1253 snl_add_msg_attr_u32(nw, PF_RT_RTABLEID, r->rtableid); 1254 snl_add_msg_attr_timeouts(nw, PF_RT_TIMEOUT, r->timeout); 1255 snl_add_msg_attr_u32(nw, PF_RT_MAX_STATES, r->max_states); 1256 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_NODES, r->max_src_nodes); 1257 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_STATES, r->max_src_states); 1258 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN, r->max_src_conn); 1259 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_LIMIT, r->max_src_conn_rate.limit); 1260 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_SECS, r->max_src_conn_rate.seconds); 1261 snl_add_msg_attr_u16(nw, PF_RT_MAX_PKT_SIZE, r->max_pkt_size); 1262 1263 snl_add_msg_attr_u16(nw, PF_RT_DNPIPE, r->dnpipe); 1264 snl_add_msg_attr_u16(nw, PF_RT_DNRPIPE, r->dnrpipe); 1265 snl_add_msg_attr_u32(nw, PF_RT_DNFLAGS, r->free_flags); 1266 1267 snl_add_msg_attr_u32(nw, PF_RT_NR, r->nr); 1268 snl_add_msg_attr_u32(nw, PF_RT_PROB, r->prob); 1269 snl_add_msg_attr_u32(nw, PF_RT_CUID, r->cuid); 1270 snl_add_msg_attr_u32(nw, PF_RT_CPID, r->cpid); 1271 1272 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP, r->return_icmp); 1273 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP6, r->return_icmp6); 1274 snl_add_msg_attr_u16(nw, PF_RT_MAX_MSS, r->max_mss); 1275 snl_add_msg_attr_u16(nw, PF_RT_SCRUB_FLAGS, r->scrub_flags); 1276 1277 snl_add_msg_attr_uid(nw, PF_RT_UID, &r->uid); 1278 snl_add_msg_attr_uid(nw, PF_RT_GID, (const struct pf_rule_uid *)&r->gid); 1279 snl_add_msg_attr_string(nw, PF_RT_RCV_IFNAME, r->rcv_ifname); 1280 snl_add_msg_attr_bool(nw, PF_RT_RCV_IFNOT, r->rcvifnot); 1281 1282 snl_add_msg_attr_u32(nw, PF_RT_RULE_FLAG, r->rule_flag); 1283 snl_add_msg_attr_u8(nw, PF_RT_ACTION, r->action); 1284 snl_add_msg_attr_u8(nw, PF_RT_DIRECTION, r->direction); 1285 snl_add_msg_attr_u8(nw, PF_RT_LOG, r->log); 1286 snl_add_msg_attr_u8(nw, PF_RT_LOGIF, r->logif); 1287 snl_add_msg_attr_u8(nw, PF_RT_QUICK, r->quick); 1288 snl_add_msg_attr_u8(nw, PF_RT_IF_NOT, r->ifnot); 1289 snl_add_msg_attr_u8(nw, PF_RT_MATCH_TAG_NOT, r->match_tag_not); 1290 snl_add_msg_attr_u8(nw, PF_RT_NATPASS, r->natpass); 1291 snl_add_msg_attr_u8(nw, PF_RT_KEEP_STATE, r->keep_state); 1292 snl_add_msg_attr_u8(nw, PF_RT_AF, r->af); 1293 snl_add_msg_attr_u8(nw, PF_RT_PROTO, r->proto); 1294 snl_add_msg_attr_u16(nw, PF_RT_TYPE_2, r->type); 1295 snl_add_msg_attr_u16(nw, PF_RT_CODE_2, r->code); 1296 snl_add_msg_attr_u8(nw, PF_RT_FLAGS, r->flags); 1297 snl_add_msg_attr_u8(nw, PF_RT_FLAGSET, r->flagset); 1298 snl_add_msg_attr_u8(nw, PF_RT_MIN_TTL, r->min_ttl); 1299 snl_add_msg_attr_u8(nw, PF_RT_ALLOW_OPTS, r->allow_opts); 1300 snl_add_msg_attr_u8(nw, PF_RT_RT, r->rt); 1301 snl_add_msg_attr_u8(nw, PF_RT_RETURN_TTL, r->return_ttl); 1302 snl_add_msg_attr_u8(nw, PF_RT_TOS, r->tos); 1303 snl_add_msg_attr_u8(nw, PF_RT_SET_TOS, r->set_tos); 1304 1305 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_RELATIVE, r->anchor_relative); 1306 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_WILDCARD, r->anchor_wildcard); 1307 snl_add_msg_attr_u8(nw, PF_RT_FLUSH, r->flush); 1308 snl_add_msg_attr_u8(nw, PF_RT_PRIO, r->prio); 1309 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO, r->set_prio[0]); 1310 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO_REPLY, r->set_prio[1]); 1311 snl_add_msg_attr_u8(nw, PF_RT_NAF, r->naf); 1312 1313 snl_add_msg_attr_ip6(nw, PF_RT_DIVERT_ADDRESS, &r->divert.addr.v6); 1314 snl_add_msg_attr_u16(nw, PF_RT_DIVERT_PORT, r->divert.port); 1315 1316 snl_end_attr_nested(nw, off); 1317 } 1318 1319 int 1320 pfctl_add_rule(int dev __unused, const struct pfctl_rule *r, const char *anchor, 1321 const char *anchor_call, uint32_t ticket, uint32_t pool_ticket) 1322 { 1323 struct pfctl_handle *h; 1324 int ret; 1325 1326 h = pfctl_open(PF_DEVICE); 1327 if (h == NULL) 1328 return (ENODEV); 1329 1330 ret = pfctl_add_rule_h(h, r, anchor, anchor_call, ticket, pool_ticket); 1331 1332 pfctl_close(h); 1333 1334 return (ret); 1335 } 1336 1337 int 1338 pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r, 1339 const char *anchor, const char *anchor_call, uint32_t ticket, 1340 uint32_t pool_ticket) 1341 { 1342 struct snl_writer nw; 1343 struct snl_errmsg_data e = {}; 1344 struct nlmsghdr *hdr; 1345 uint32_t seq_id; 1346 int family_id; 1347 1348 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 1349 if (family_id == 0) 1350 return (ENOTSUP); 1351 1352 snl_init_writer(&h->ss, &nw); 1353 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADDRULE); 1354 hdr->nlmsg_flags |= NLM_F_DUMP; 1355 snl_add_msg_attr_u32(&nw, PF_ART_TICKET, ticket); 1356 snl_add_msg_attr_u32(&nw, PF_ART_POOL_TICKET, pool_ticket); 1357 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR, anchor); 1358 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR_CALL, anchor_call); 1359 1360 snl_add_msg_attr_pf_rule(&nw, PF_ART_RULE, r); 1361 1362 if ((hdr = snl_finalize_msg(&nw)) == NULL) 1363 return (ENXIO); 1364 1365 seq_id = hdr->nlmsg_seq; 1366 1367 if (! snl_send_message(&h->ss, hdr)) 1368 return (ENXIO); 1369 1370 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 1371 } 1372 1373 return (e.error); 1374 } 1375 1376 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1377 #define _OUT(_field) offsetof(struct pfctl_rules_info, _field) 1378 static struct snl_attr_parser ap_getrules[] = { 1379 { .type = PF_GR_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 }, 1380 { .type = PF_GR_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 }, 1381 }; 1382 #undef _IN 1383 #undef _OUT 1384 SNL_DECLARE_PARSER(getrules_parser, struct genlmsghdr, snl_f_p_empty, ap_getrules); 1385 1386 int 1387 pfctl_get_rules_info_h(struct pfctl_handle *h, struct pfctl_rules_info *rules, uint32_t ruleset, 1388 const char *path) 1389 { 1390 struct snl_errmsg_data e = {}; 1391 struct nlmsghdr *hdr; 1392 struct snl_writer nw; 1393 uint32_t seq_id; 1394 int family_id; 1395 1396 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 1397 if (family_id == 0) 1398 return (ENOTSUP); 1399 1400 snl_init_writer(&h->ss, &nw); 1401 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETRULES); 1402 hdr->nlmsg_flags |= NLM_F_DUMP; 1403 1404 snl_add_msg_attr_string(&nw, PF_GR_ANCHOR, path); 1405 snl_add_msg_attr_u8(&nw, PF_GR_ACTION, ruleset); 1406 1407 hdr = snl_finalize_msg(&nw); 1408 if (hdr == NULL) 1409 return (ENOMEM); 1410 1411 seq_id = hdr->nlmsg_seq; 1412 if (! snl_send_message(&h->ss, hdr)) 1413 return (ENXIO); 1414 1415 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 1416 if (! snl_parse_nlmsg(&h->ss, hdr, &getrules_parser, rules)) 1417 continue; 1418 } 1419 1420 return (e.error); 1421 } 1422 1423 int 1424 pfctl_get_rules_info(int dev __unused, struct pfctl_rules_info *rules, uint32_t ruleset, 1425 const char *path) 1426 { 1427 struct pfctl_handle *h; 1428 int error; 1429 1430 h = pfctl_open(PF_DEVICE); 1431 if (h == NULL) 1432 return (ENOTSUP); 1433 error = pfctl_get_rules_info_h(h, rules, ruleset, path); 1434 pfctl_close(h); 1435 1436 return (error); 1437 } 1438 1439 int 1440 pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket, const char *anchor, 1441 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call) 1442 { 1443 return (pfctl_get_clear_rule_h(h, nr, ticket, anchor, ruleset, rule, 1444 anchor_call, false)); 1445 } 1446 1447 int 1448 pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor, 1449 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call) 1450 { 1451 return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule, 1452 anchor_call, false)); 1453 } 1454 1455 #define _OUT(_field) offsetof(struct pf_addr_wrap, _field) 1456 static const struct snl_attr_parser ap_addr_wrap[] = { 1457 { .type = PF_AT_ADDR, .off = _OUT(v.a.addr), .cb = snl_attr_get_in6_addr }, 1458 { .type = PF_AT_MASK, .off = _OUT(v.a.mask), .cb = snl_attr_get_in6_addr }, 1459 { .type = PF_AT_IFNAME, .off = _OUT(v.ifname), .arg = (void *)IFNAMSIZ,.cb = snl_attr_copy_string }, 1460 { .type = PF_AT_TABLENAME, .off = _OUT(v.tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string }, 1461 { .type = PF_AT_TYPE, .off = _OUT(type), .cb = snl_attr_get_uint8 }, 1462 { .type = PF_AT_IFLAGS, .off = _OUT(iflags), .cb = snl_attr_get_uint8 }, 1463 { .type = PF_AT_TBLCNT, .off = _OUT(p.tblcnt), .cb = snl_attr_get_uint32 }, 1464 { .type = PF_AT_DYNCNT, .off = _OUT(p.dyncnt), .cb = snl_attr_get_uint32 }, 1465 }; 1466 SNL_DECLARE_ATTR_PARSER(addr_wrap_parser, ap_addr_wrap); 1467 #undef _OUT 1468 1469 #define _OUT(_field) offsetof(struct pf_rule_addr, _field) 1470 static struct snl_attr_parser ap_rule_addr[] = { 1471 { .type = PF_RAT_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = snl_attr_get_nested }, 1472 { .type = PF_RAT_SRC_PORT, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 }, 1473 { .type = PF_RAT_DST_PORT, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 }, 1474 { .type = PF_RAT_NEG, .off = _OUT(neg), .cb = snl_attr_get_uint8 }, 1475 { .type = PF_RAT_OP, .off = _OUT(port_op), .cb = snl_attr_get_uint8 }, 1476 }; 1477 #undef _OUT 1478 SNL_DECLARE_ATTR_PARSER(rule_addr_parser, ap_rule_addr); 1479 1480 struct snl_parsed_labels 1481 { 1482 char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 1483 uint32_t i; 1484 }; 1485 1486 static bool 1487 snl_attr_get_pf_rule_labels(struct snl_state *ss, struct nlattr *nla, 1488 const void *arg __unused, void *target) 1489 { 1490 struct snl_parsed_labels *l = (struct snl_parsed_labels *)target; 1491 bool ret; 1492 1493 if (l->i >= PF_RULE_MAX_LABEL_COUNT) 1494 return (E2BIG); 1495 1496 ret = snl_attr_copy_string(ss, nla, (void *)PF_RULE_LABEL_SIZE, 1497 l->labels[l->i]); 1498 if (ret) 1499 l->i++; 1500 1501 return (ret); 1502 } 1503 1504 #define _OUT(_field) offsetof(struct nl_parsed_labels, _field) 1505 static const struct snl_attr_parser ap_labels[] = { 1506 { .type = PF_LT_LABEL, .off = 0, .cb = snl_attr_get_pf_rule_labels }, 1507 }; 1508 SNL_DECLARE_ATTR_PARSER(rule_labels_parser, ap_labels); 1509 #undef _OUT 1510 1511 static bool 1512 snl_attr_get_nested_pf_rule_labels(struct snl_state *ss, struct nlattr *nla, 1513 const void *arg __unused, void *target) 1514 { 1515 struct snl_parsed_labels parsed_labels = { }; 1516 bool error; 1517 1518 /* Assumes target points to the beginning of the structure */ 1519 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &rule_labels_parser, &parsed_labels); 1520 if (! error) 1521 return (error); 1522 1523 memcpy(target, parsed_labels.labels, sizeof(parsed_labels.labels)); 1524 1525 return (true); 1526 } 1527 1528 #define _OUT(_field) offsetof(struct pf_mape_portset, _field) 1529 static const struct snl_attr_parser ap_mape_portset[] = { 1530 { .type = PF_MET_OFFSET, .off = _OUT(offset), .cb = snl_attr_get_uint8 }, 1531 { .type = PF_MET_PSID_LEN, .off = _OUT(psidlen), .cb = snl_attr_get_uint8 }, 1532 {. type = PF_MET_PSID, .off = _OUT(psid), .cb = snl_attr_get_uint16 }, 1533 }; 1534 SNL_DECLARE_ATTR_PARSER(mape_portset_parser, ap_mape_portset); 1535 #undef _OUT 1536 1537 #define _OUT(_field) offsetof(struct pfctl_pool, _field) 1538 static const struct snl_attr_parser ap_pool[] = { 1539 { .type = PF_PT_KEY, .off = _OUT(key), .arg = (void *)sizeof(struct pf_poolhashkey), .cb = snl_attr_get_bytes }, 1540 { .type = PF_PT_COUNTER, .off = _OUT(counter), .cb = snl_attr_get_in6_addr }, 1541 { .type = PF_PT_TBLIDX, .off = _OUT(tblidx), .cb = snl_attr_get_uint32 }, 1542 { .type = PF_PT_PROXY_SRC_PORT, .off = _OUT(proxy_port[0]), .cb = snl_attr_get_uint16 }, 1543 { .type = PF_PT_PROXY_DST_PORT, .off = _OUT(proxy_port[1]), .cb = snl_attr_get_uint16 }, 1544 { .type = PF_PT_OPTS, .off = _OUT(opts), .cb = snl_attr_get_uint8 }, 1545 { .type = PF_PT_MAPE, .off = _OUT(mape), .arg = &mape_portset_parser, .cb = snl_attr_get_nested }, 1546 }; 1547 SNL_DECLARE_ATTR_PARSER(pool_parser, ap_pool); 1548 #undef _OUT 1549 1550 struct nl_parsed_timeouts 1551 { 1552 uint32_t timeouts[PFTM_MAX]; 1553 uint32_t i; 1554 }; 1555 1556 static bool 1557 snl_attr_get_pf_timeout(struct snl_state *ss, struct nlattr *nla, 1558 const void *arg __unused, void *target) 1559 { 1560 struct nl_parsed_timeouts *t = (struct nl_parsed_timeouts *)target; 1561 bool ret; 1562 1563 if (t->i >= PFTM_MAX) 1564 return (E2BIG); 1565 1566 ret = snl_attr_get_uint32(ss, nla, NULL, &t->timeouts[t->i]); 1567 if (ret) 1568 t->i++; 1569 1570 return (ret); 1571 } 1572 1573 #define _OUT(_field) offsetof(struct nl_parsed_timeout, _field) 1574 static const struct snl_attr_parser ap_timeouts[] = { 1575 { .type = PF_TT_TIMEOUT, .off = 0, .cb = snl_attr_get_pf_timeout }, 1576 }; 1577 SNL_DECLARE_ATTR_PARSER(timeout_parser, ap_timeouts); 1578 #undef _OUT 1579 1580 static bool 1581 snl_attr_get_nested_timeouts(struct snl_state *ss, struct nlattr *nla, 1582 const void *arg __unused, void *target) 1583 { 1584 struct nl_parsed_timeouts parsed_timeouts = { }; 1585 bool error; 1586 1587 /* Assumes target points to the beginning of the structure */ 1588 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &timeout_parser, &parsed_timeouts); 1589 if (! error) 1590 return (error); 1591 1592 memcpy(target, parsed_timeouts.timeouts, sizeof(parsed_timeouts.timeouts)); 1593 1594 return (true); 1595 } 1596 1597 #define _OUT(_field) offsetof(struct pf_rule_uid, _field) 1598 static const struct snl_attr_parser ap_rule_uid[] = { 1599 { .type = PF_RUT_UID_LOW, .off = _OUT(uid[0]), .cb = snl_attr_get_uint32 }, 1600 { .type = PF_RUT_UID_HIGH, .off = _OUT(uid[1]), .cb = snl_attr_get_uint32 }, 1601 { .type = PF_RUT_OP, .off = _OUT(op), .cb = snl_attr_get_uint8 }, 1602 }; 1603 SNL_DECLARE_ATTR_PARSER(rule_uid_parser, ap_rule_uid); 1604 #undef _OUT 1605 1606 #define _OUT(_field) offsetof(struct pfctl_threshold, _field) 1607 static const struct snl_attr_parser ap_pfctl_threshold[] = { 1608 { .type = PF_TH_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, 1609 { .type = PF_TH_SECONDS, .off = _OUT(seconds), .cb = snl_attr_get_uint32 }, 1610 { .type = PF_TH_COUNT, .off = _OUT(count), .cb = snl_attr_get_uint32 }, 1611 }; 1612 SNL_DECLARE_ATTR_PARSER(pfctl_threshold_parser, ap_pfctl_threshold); 1613 #undef _OUT 1614 1615 struct pfctl_nl_get_rule { 1616 struct pfctl_rule r; 1617 char anchor_call[MAXPATHLEN]; 1618 }; 1619 #define _OUT(_field) offsetof(struct pfctl_nl_get_rule, _field) 1620 static struct snl_attr_parser ap_getrule[] = { 1621 { .type = PF_RT_SRC, .off = _OUT(r.src), .arg = &rule_addr_parser,.cb = snl_attr_get_nested }, 1622 { .type = PF_RT_DST, .off = _OUT(r.dst), .arg = &rule_addr_parser,.cb = snl_attr_get_nested }, 1623 { .type = PF_RT_RIDENTIFIER, .off = _OUT(r.ridentifier), .cb = snl_attr_get_uint32 }, 1624 { .type = PF_RT_LABELS, .off = _OUT(r.label), .arg = &rule_labels_parser,.cb = snl_attr_get_nested_pf_rule_labels }, 1625 { .type = PF_RT_IFNAME, .off = _OUT(r.ifname), .arg = (void *)IFNAMSIZ, .cb = snl_attr_copy_string }, 1626 { .type = PF_RT_QNAME, .off = _OUT(r.qname), .arg = (void *)PF_QNAME_SIZE, .cb = snl_attr_copy_string }, 1627 { .type = PF_RT_PQNAME, .off = _OUT(r.pqname), .arg = (void *)PF_QNAME_SIZE, .cb = snl_attr_copy_string }, 1628 { .type = PF_RT_TAGNAME, .off = _OUT(r.tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string }, 1629 { .type = PF_RT_MATCH_TAGNAME, .off = _OUT(r.match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string }, 1630 { .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(r.overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string }, 1631 { .type = PF_RT_RPOOL_RDR, .off = _OUT(r.rdr), .arg = &pool_parser, .cb = snl_attr_get_nested }, 1632 { .type = PF_RT_OS_FINGERPRINT, .off = _OUT(r.os_fingerprint), .cb = snl_attr_get_uint32 }, 1633 { .type = PF_RT_RTABLEID, .off = _OUT(r.rtableid), .cb = snl_attr_get_uint32 }, 1634 { .type = PF_RT_TIMEOUT, .off = _OUT(r.timeout), .arg = &timeout_parser, .cb = snl_attr_get_nested_timeouts }, 1635 { .type = PF_RT_MAX_STATES, .off = _OUT(r.max_states), .cb = snl_attr_get_uint32 }, 1636 { .type = PF_RT_MAX_SRC_NODES, .off = _OUT(r.max_src_nodes), .cb = snl_attr_get_uint32 }, 1637 { .type = PF_RT_MAX_SRC_STATES, .off = _OUT(r.max_src_states), .cb = snl_attr_get_uint32 }, 1638 { .type = PF_RT_MAX_SRC_CONN_RATE_LIMIT, .off = _OUT(r.max_src_conn_rate.limit), .cb = snl_attr_get_uint32 }, 1639 { .type = PF_RT_MAX_SRC_CONN_RATE_SECS, .off = _OUT(r.max_src_conn_rate.seconds), .cb = snl_attr_get_uint32 }, 1640 { .type = PF_RT_DNPIPE, .off = _OUT(r.dnpipe), .cb = snl_attr_get_uint16 }, 1641 { .type = PF_RT_DNRPIPE, .off = _OUT(r.dnrpipe), .cb = snl_attr_get_uint16 }, 1642 { .type = PF_RT_DNFLAGS, .off = _OUT(r.free_flags), .cb = snl_attr_get_uint32 }, 1643 { .type = PF_RT_NR, .off = _OUT(r.nr), .cb = snl_attr_get_uint32 }, 1644 { .type = PF_RT_PROB, .off = _OUT(r.prob), .cb = snl_attr_get_uint32 }, 1645 { .type = PF_RT_CUID, .off = _OUT(r.cuid), .cb = snl_attr_get_uint32 }, 1646 {. type = PF_RT_CPID, .off = _OUT(r.cpid), .cb = snl_attr_get_uint32 }, 1647 { .type = PF_RT_RETURN_ICMP, .off = _OUT(r.return_icmp), .cb = snl_attr_get_uint16 }, 1648 { .type = PF_RT_RETURN_ICMP6, .off = _OUT(r.return_icmp6), .cb = snl_attr_get_uint16 }, 1649 { .type = PF_RT_MAX_MSS, .off = _OUT(r.max_mss), .cb = snl_attr_get_uint16 }, 1650 { .type = PF_RT_SCRUB_FLAGS, .off = _OUT(r.scrub_flags), .cb = snl_attr_get_uint16 }, 1651 { .type = PF_RT_UID, .off = _OUT(r.uid), .arg = &rule_uid_parser, .cb = snl_attr_get_nested }, 1652 { .type = PF_RT_GID, .off = _OUT(r.gid), .arg = &rule_uid_parser, .cb = snl_attr_get_nested }, 1653 { .type = PF_RT_RULE_FLAG, .off = _OUT(r.rule_flag), .cb = snl_attr_get_uint32 }, 1654 { .type = PF_RT_ACTION, .off = _OUT(r.action), .cb = snl_attr_get_uint8 }, 1655 { .type = PF_RT_DIRECTION, .off = _OUT(r.direction), .cb = snl_attr_get_uint8 }, 1656 { .type = PF_RT_LOG, .off = _OUT(r.log), .cb = snl_attr_get_uint8 }, 1657 { .type = PF_RT_LOGIF, .off = _OUT(r.logif), .cb = snl_attr_get_uint8 }, 1658 { .type = PF_RT_QUICK, .off = _OUT(r.quick), .cb = snl_attr_get_uint8 }, 1659 { .type = PF_RT_IF_NOT, .off = _OUT(r.ifnot), .cb = snl_attr_get_uint8 }, 1660 { .type = PF_RT_MATCH_TAG_NOT, .off = _OUT(r.match_tag_not), .cb = snl_attr_get_uint8 }, 1661 { .type = PF_RT_NATPASS, .off = _OUT(r.natpass), .cb = snl_attr_get_uint8 }, 1662 { .type = PF_RT_KEEP_STATE, .off = _OUT(r.keep_state), .cb = snl_attr_get_uint8 }, 1663 { .type = PF_RT_AF, .off = _OUT(r.af), .cb = snl_attr_get_uint8 }, 1664 { .type = PF_RT_PROTO, .off = _OUT(r.proto), .cb = snl_attr_get_uint8 }, 1665 { .type = PF_RT_TYPE, .off = _OUT(r.type), .cb = snl_attr_get_uint8 }, 1666 { .type = PF_RT_CODE, .off = _OUT(r.code), .cb = snl_attr_get_uint8 }, 1667 { .type = PF_RT_FLAGS, .off = _OUT(r.flags), .cb = snl_attr_get_uint8 }, 1668 { .type = PF_RT_FLAGSET, .off = _OUT(r.flagset), .cb = snl_attr_get_uint8 }, 1669 { .type = PF_RT_MIN_TTL, .off = _OUT(r.min_ttl), .cb = snl_attr_get_uint8 }, 1670 { .type = PF_RT_ALLOW_OPTS, .off = _OUT(r.allow_opts), .cb = snl_attr_get_uint8 }, 1671 { .type = PF_RT_RT, .off = _OUT(r.rt), .cb = snl_attr_get_uint8 }, 1672 { .type = PF_RT_RETURN_TTL, .off = _OUT(r.return_ttl), .cb = snl_attr_get_uint8 }, 1673 { .type = PF_RT_TOS, .off = _OUT(r.tos), .cb = snl_attr_get_uint8 }, 1674 { .type = PF_RT_SET_TOS, .off = _OUT(r.set_tos), .cb = snl_attr_get_uint8 }, 1675 { .type = PF_RT_ANCHOR_RELATIVE, .off = _OUT(r.anchor_relative), .cb = snl_attr_get_uint8 }, 1676 { .type = PF_RT_ANCHOR_WILDCARD, .off = _OUT(r.anchor_wildcard), .cb = snl_attr_get_uint8 }, 1677 { .type = PF_RT_FLUSH, .off = _OUT(r.flush), .cb = snl_attr_get_uint8 }, 1678 { .type = PF_RT_PRIO, .off = _OUT(r.prio), .cb = snl_attr_get_uint8 }, 1679 { .type = PF_RT_SET_PRIO, .off = _OUT(r.set_prio[0]), .cb = snl_attr_get_uint8 }, 1680 { .type = PF_RT_SET_PRIO_REPLY, .off = _OUT(r.set_prio[1]), .cb = snl_attr_get_uint8 }, 1681 { .type = PF_RT_DIVERT_ADDRESS, .off = _OUT(r.divert.addr), .cb = snl_attr_get_in6_addr }, 1682 { .type = PF_RT_DIVERT_PORT, .off = _OUT(r.divert.port), .cb = snl_attr_get_uint16 }, 1683 { .type = PF_RT_PACKETS_IN, .off = _OUT(r.packets[0]), .cb = snl_attr_get_uint64 }, 1684 { .type = PF_RT_PACKETS_OUT, .off = _OUT(r.packets[1]), .cb = snl_attr_get_uint64 }, 1685 { .type = PF_RT_BYTES_IN, .off = _OUT(r.bytes[0]), .cb = snl_attr_get_uint64 }, 1686 { .type = PF_RT_BYTES_OUT, .off = _OUT(r.bytes[1]), .cb = snl_attr_get_uint64 }, 1687 { .type = PF_RT_EVALUATIONS, .off = _OUT(r.evaluations), .cb = snl_attr_get_uint64 }, 1688 { .type = PF_RT_TIMESTAMP, .off = _OUT(r.last_active_timestamp), .cb = snl_attr_get_uint64 }, 1689 { .type = PF_RT_STATES_CUR, .off = _OUT(r.states_cur), .cb = snl_attr_get_uint64 }, 1690 { .type = PF_RT_STATES_TOTAL, .off = _OUT(r.states_tot), .cb = snl_attr_get_uint64 }, 1691 { .type = PF_RT_SRC_NODES, .off = _OUT(r.src_nodes), .cb = snl_attr_get_uint64 }, 1692 { .type = PF_RT_ANCHOR_CALL, .off = _OUT(anchor_call), .arg = (void*)MAXPATHLEN, .cb = snl_attr_copy_string }, 1693 { .type = PF_RT_RCV_IFNAME, .off = _OUT(r.rcv_ifname), .arg = (void*)IFNAMSIZ, .cb = snl_attr_copy_string }, 1694 { .type = PF_RT_MAX_SRC_CONN, .off = _OUT(r.max_src_conn), .cb = snl_attr_get_uint32 }, 1695 { .type = PF_RT_RPOOL_NAT, .off = _OUT(r.nat), .arg = &pool_parser, .cb = snl_attr_get_nested }, 1696 { .type = PF_RT_NAF, .off = _OUT(r.naf), .cb = snl_attr_get_uint8 }, 1697 { .type = PF_RT_RPOOL_RT, .off = _OUT(r.route), .arg = &pool_parser, .cb = snl_attr_get_nested }, 1698 { .type = PF_RT_RCV_IFNOT, .off = _OUT(r.rcvifnot),.cb = snl_attr_get_bool }, 1699 { .type = PF_RT_SRC_NODES_LIMIT, .off = _OUT(r.src_nodes_type[PF_SN_LIMIT]), .cb = snl_attr_get_uint64 }, 1700 { .type = PF_RT_SRC_NODES_NAT, .off = _OUT(r.src_nodes_type[PF_SN_NAT]), .cb = snl_attr_get_uint64 }, 1701 { .type = PF_RT_SRC_NODES_ROUTE, .off = _OUT(r.src_nodes_type[PF_SN_ROUTE]), .cb = snl_attr_get_uint64 }, 1702 { .type = PF_RT_PKTRATE, .off = _OUT(r.pktrate), .arg = &pfctl_threshold_parser, .cb = snl_attr_get_nested }, 1703 { .type = PF_RT_MAX_PKT_SIZE, .off =_OUT(r.max_pkt_size), .cb = snl_attr_get_uint16 }, 1704 { .type = PF_RT_TYPE_2, .off = _OUT(r.type), .cb = snl_attr_get_uint16 }, 1705 { .type = PF_RT_CODE_2, .off = _OUT(r.code), .cb = snl_attr_get_uint16 }, 1706 { .type = PF_RT_EXPTIME, .off = _OUT(r.exptime), .cb = snl_attr_get_time_t }, 1707 }; 1708 #undef _OUT 1709 SNL_DECLARE_PARSER(getrule_parser, struct genlmsghdr, snl_f_p_empty, ap_getrule); 1710 1711 int 1712 pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket, 1713 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 1714 char *anchor_call, bool clear) 1715 { 1716 struct pfctl_nl_get_rule attrs = {}; 1717 struct snl_errmsg_data e = {}; 1718 struct nlmsghdr *hdr; 1719 struct snl_writer nw; 1720 uint32_t seq_id; 1721 int family_id; 1722 1723 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 1724 if (family_id == 0) 1725 return (ENOTSUP); 1726 1727 snl_init_writer(&h->ss, &nw); 1728 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETRULE); 1729 hdr->nlmsg_flags |= NLM_F_DUMP; 1730 1731 snl_add_msg_attr_string(&nw, PF_GR_ANCHOR, anchor); 1732 snl_add_msg_attr_u8(&nw, PF_GR_ACTION, ruleset); 1733 snl_add_msg_attr_u32(&nw, PF_GR_NR, nr); 1734 snl_add_msg_attr_u32(&nw, PF_GR_TICKET, ticket); 1735 snl_add_msg_attr_u8(&nw, PF_GR_CLEAR, clear); 1736 1737 hdr = snl_finalize_msg(&nw); 1738 if (hdr == NULL) 1739 return (ENOMEM); 1740 1741 seq_id = hdr->nlmsg_seq; 1742 if (! snl_send_message(&h->ss, hdr)) 1743 return (ENXIO); 1744 1745 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 1746 if (! snl_parse_nlmsg(&h->ss, hdr, &getrule_parser, &attrs)) 1747 continue; 1748 } 1749 1750 memcpy(rule, &attrs.r, sizeof(attrs.r)); 1751 strlcpy(anchor_call, attrs.anchor_call, MAXPATHLEN); 1752 1753 return (e.error); 1754 } 1755 1756 int 1757 pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 1758 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 1759 char *anchor_call, bool clear) 1760 { 1761 nvlist_t *nvl; 1762 int ret; 1763 1764 nvl = nvlist_create(0); 1765 if (nvl == 0) 1766 return (ENOMEM); 1767 1768 nvlist_add_number(nvl, "nr", nr); 1769 nvlist_add_number(nvl, "ticket", ticket); 1770 nvlist_add_string(nvl, "anchor", anchor); 1771 nvlist_add_number(nvl, "ruleset", ruleset); 1772 1773 if (clear) 1774 nvlist_add_bool(nvl, "clear_counter", true); 1775 1776 if ((ret = pfctl_do_ioctl(dev, DIOCGETRULENV, 8192, &nvl)) != 0) 1777 goto out; 1778 1779 pf_nvrule_to_rule(nvlist_get_nvlist(nvl, "rule"), rule); 1780 1781 if (anchor_call) 1782 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 1783 MAXPATHLEN); 1784 1785 out: 1786 nvlist_destroy(nvl); 1787 return (ret); 1788 } 1789 1790 int 1791 pfctl_set_keepcounters(int dev, bool keep) 1792 { 1793 struct pfioc_nv nv; 1794 nvlist_t *nvl; 1795 int ret; 1796 1797 nvl = nvlist_create(0); 1798 1799 nvlist_add_bool(nvl, "keep_counters", keep); 1800 1801 nv.data = nvlist_pack(nvl, &nv.len); 1802 nv.size = nv.len; 1803 1804 nvlist_destroy(nvl); 1805 1806 ret = ioctl(dev, DIOCKEEPCOUNTERS, &nv); 1807 1808 free(nv.data); 1809 return (ret); 1810 } 1811 1812 struct pfctl_creator { 1813 uint32_t id; 1814 }; 1815 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1816 #define _OUT(_field) offsetof(struct pfctl_creator, _field) 1817 static struct snl_attr_parser ap_creators[] = { 1818 { .type = PF_ST_CREATORID, .off = _OUT(id), .cb = snl_attr_get_uint32 }, 1819 }; 1820 #undef _IN 1821 #undef _OUT 1822 SNL_DECLARE_PARSER(creator_parser, struct genlmsghdr, snl_f_p_empty, ap_creators); 1823 1824 static int 1825 pfctl_get_creators_nl(struct snl_state *ss, uint32_t *creators, size_t *len) 1826 { 1827 1828 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME); 1829 size_t i = 0; 1830 1831 struct nlmsghdr *hdr; 1832 struct snl_writer nw; 1833 1834 if (family_id == 0) 1835 return (ENOTSUP); 1836 1837 snl_init_writer(ss, &nw); 1838 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETCREATORS); 1839 hdr->nlmsg_flags |= NLM_F_DUMP; 1840 hdr = snl_finalize_msg(&nw); 1841 if (hdr == NULL) 1842 return (ENOMEM); 1843 uint32_t seq_id = hdr->nlmsg_seq; 1844 1845 snl_send_message(ss, hdr); 1846 1847 struct snl_errmsg_data e = {}; 1848 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) { 1849 struct pfctl_creator c; 1850 bzero(&c, sizeof(c)); 1851 1852 if (!snl_parse_nlmsg(ss, hdr, &creator_parser, &c)) 1853 continue; 1854 1855 creators[i] = c.id; 1856 i++; 1857 if (i > *len) 1858 return (E2BIG); 1859 } 1860 1861 *len = i; 1862 1863 return (0); 1864 } 1865 1866 int 1867 pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len) 1868 { 1869 int error; 1870 1871 error = pfctl_get_creators_nl(&h->ss, creators, len); 1872 1873 return (error); 1874 } 1875 1876 static inline bool 1877 snl_attr_get_pfaddr(struct snl_state *ss __unused, struct nlattr *nla, 1878 const void *arg __unused, void *target) 1879 { 1880 memcpy(target, NLA_DATA(nla), NLA_DATA_LEN(nla)); 1881 return (true); 1882 } 1883 1884 static inline bool 1885 snl_attr_store_ifname(struct snl_state *ss __unused, struct nlattr *nla, 1886 const void *arg __unused, void *target) 1887 { 1888 size_t maxlen = NLA_DATA_LEN(nla); 1889 1890 if (strnlen((char *)NLA_DATA(nla), maxlen) < maxlen) { 1891 strlcpy(target, (char *)NLA_DATA(nla), maxlen); 1892 return (true); 1893 } 1894 return (false); 1895 } 1896 1897 #define _OUT(_field) offsetof(struct pfctl_state_peer, _field) 1898 static const struct snl_attr_parser nla_p_speer[] = { 1899 { .type = PF_STP_SEQLO, .off = _OUT(seqlo), .cb = snl_attr_get_uint32 }, 1900 { .type = PF_STP_SEQHI, .off = _OUT(seqhi), .cb = snl_attr_get_uint32 }, 1901 { .type = PF_STP_SEQDIFF, .off = _OUT(seqdiff), .cb = snl_attr_get_uint32 }, 1902 { .type = PF_STP_STATE, .off = _OUT(state), .cb = snl_attr_get_uint8 }, 1903 { .type = PF_STP_WSCALE, .off = _OUT(wscale), .cb = snl_attr_get_uint8 }, 1904 }; 1905 SNL_DECLARE_ATTR_PARSER(speer_parser, nla_p_speer); 1906 #undef _OUT 1907 1908 #define _OUT(_field) offsetof(struct pfctl_state_key, _field) 1909 static const struct snl_attr_parser nla_p_skey[] = { 1910 { .type = PF_STK_ADDR0, .off = _OUT(addr[0]), .cb = snl_attr_get_pfaddr }, 1911 { .type = PF_STK_ADDR1, .off = _OUT(addr[1]), .cb = snl_attr_get_pfaddr }, 1912 { .type = PF_STK_PORT0, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 }, 1913 { .type = PF_STK_PORT1, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 }, 1914 { .type = PF_STK_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, 1915 { .type = PF_STK_PROTO, .off = _OUT(proto), .cb = snl_attr_get_uint16 }, 1916 }; 1917 SNL_DECLARE_ATTR_PARSER(skey_parser, nla_p_skey); 1918 #undef _OUT 1919 1920 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1921 #define _OUT(_field) offsetof(struct pfctl_state, _field) 1922 static struct snl_attr_parser ap_state[] = { 1923 { .type = PF_ST_ID, .off = _OUT(id), .cb = snl_attr_get_uint64 }, 1924 { .type = PF_ST_CREATORID, .off = _OUT(creatorid), .cb = snl_attr_get_uint32 }, 1925 { .type = PF_ST_IFNAME, .off = _OUT(ifname), .cb = snl_attr_store_ifname }, 1926 { .type = PF_ST_ORIG_IFNAME, .off = _OUT(orig_ifname), .cb = snl_attr_store_ifname }, 1927 { .type = PF_ST_KEY_WIRE, .off = _OUT(key[0]), .arg = &skey_parser, .cb = snl_attr_get_nested }, 1928 { .type = PF_ST_KEY_STACK, .off = _OUT(key[1]), .arg = &skey_parser, .cb = snl_attr_get_nested }, 1929 { .type = PF_ST_PEER_SRC, .off = _OUT(src), .arg = &speer_parser, .cb = snl_attr_get_nested }, 1930 { .type = PF_ST_PEER_DST, .off = _OUT(dst), .arg = &speer_parser, .cb = snl_attr_get_nested }, 1931 { .type = PF_ST_RT_ADDR, .off = _OUT(rt_addr), .cb = snl_attr_get_pfaddr }, 1932 { .type = PF_ST_RULE, .off = _OUT(rule), .cb = snl_attr_get_uint32 }, 1933 { .type = PF_ST_ANCHOR, .off = _OUT(anchor), .cb = snl_attr_get_uint32 }, 1934 { .type = PF_ST_NAT_RULE, .off = _OUT(nat_rule), .cb = snl_attr_get_uint32 }, 1935 { .type = PF_ST_CREATION, .off = _OUT(creation), .cb = snl_attr_get_uint32 }, 1936 { .type = PF_ST_EXPIRE, .off = _OUT(expire), .cb = snl_attr_get_uint32 }, 1937 { .type = PF_ST_PACKETS0, .off = _OUT(packets[0]), .cb = snl_attr_get_uint64 }, 1938 { .type = PF_ST_PACKETS1, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 }, 1939 { .type = PF_ST_BYTES0, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 }, 1940 { .type = PF_ST_BYTES1, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 }, 1941 { .type = PF_ST_DIRECTION, .off = _OUT(direction), .cb = snl_attr_get_uint8 }, 1942 { .type = PF_ST_LOG, .off = _OUT(log), .cb = snl_attr_get_uint8 }, 1943 { .type = PF_ST_STATE_FLAGS, .off = _OUT(state_flags), .cb = snl_attr_get_uint16 }, 1944 { .type = PF_ST_SYNC_FLAGS, .off = _OUT(sync_flags), .cb = snl_attr_get_uint8 }, 1945 { .type = PF_ST_RTABLEID, .off = _OUT(rtableid), .cb = snl_attr_get_int32 }, 1946 { .type = PF_ST_MIN_TTL, .off = _OUT(min_ttl), .cb = snl_attr_get_uint8 }, 1947 { .type = PF_ST_MAX_MSS, .off = _OUT(max_mss), .cb = snl_attr_get_uint16 }, 1948 { .type = PF_ST_DNPIPE, .off = _OUT(dnpipe), .cb = snl_attr_get_uint16 }, 1949 { .type = PF_ST_DNRPIPE, .off = _OUT(dnrpipe), .cb = snl_attr_get_uint16 }, 1950 { .type = PF_ST_RT, .off = _OUT(rt), .cb = snl_attr_get_uint8 }, 1951 { .type = PF_ST_RT_IFNAME, .off = _OUT(rt_ifname), .cb = snl_attr_store_ifname }, 1952 { .type = PF_ST_SRC_NODE_FLAGS, .off = _OUT(src_node_flags), .cb = snl_attr_get_uint8 }, 1953 { .type = PF_ST_RT_AF, .off = _OUT(rt_af), .cb = snl_attr_get_uint8 }, 1954 }; 1955 #undef _IN 1956 #undef _OUT 1957 SNL_DECLARE_PARSER(state_parser, struct genlmsghdr, snl_f_p_empty, ap_state); 1958 1959 static const struct snl_hdr_parser *all_parsers[] = { 1960 &state_parser, &skey_parser, &speer_parser, 1961 &creator_parser, &getrules_parser 1962 }; 1963 1964 static int 1965 pfctl_get_states_nl(struct pfctl_state_filter *filter, struct snl_state *ss, pfctl_get_state_fn f, void *arg) 1966 { 1967 SNL_VERIFY_PARSERS(all_parsers); 1968 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME); 1969 int ret; 1970 1971 struct nlmsghdr *hdr; 1972 struct snl_writer nw; 1973 1974 if (family_id == 0) 1975 return (ENOTSUP); 1976 1977 snl_init_writer(ss, &nw); 1978 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETSTATES); 1979 hdr->nlmsg_flags |= NLM_F_DUMP; 1980 snl_add_msg_attr_string(&nw, PF_ST_IFNAME, filter->ifname); 1981 snl_add_msg_attr_u16(&nw, PF_ST_PROTO, filter->proto); 1982 snl_add_msg_attr_u8(&nw, PF_ST_AF, filter->af); 1983 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_ADDR, &filter->addr.v6); 1984 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_MASK, &filter->mask.v6); 1985 1986 hdr = snl_finalize_msg(&nw); 1987 if (hdr == NULL) 1988 return (ENOMEM); 1989 1990 uint32_t seq_id = hdr->nlmsg_seq; 1991 1992 snl_send_message(ss, hdr); 1993 1994 struct snl_errmsg_data e = {}; 1995 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) { 1996 struct pfctl_state s; 1997 bzero(&s, sizeof(s)); 1998 if (!snl_parse_nlmsg(ss, hdr, &state_parser, &s)) 1999 continue; 2000 2001 ret = f(&s, arg); 2002 if (ret != 0) 2003 return (ret); 2004 } 2005 2006 return (0); 2007 } 2008 2009 int 2010 pfctl_get_states_iter(pfctl_get_state_fn f, void *arg) 2011 { 2012 struct pfctl_state_filter filter = {}; 2013 return (pfctl_get_filtered_states_iter(&filter, f, arg)); 2014 } 2015 2016 int 2017 pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg) 2018 { 2019 struct snl_state ss = {}; 2020 int error; 2021 2022 snl_init(&ss, NETLINK_GENERIC); 2023 error = pfctl_get_states_nl(filter, &ss, f, arg); 2024 snl_free(&ss); 2025 2026 return (error); 2027 } 2028 2029 static int 2030 pfctl_append_states(struct pfctl_state *s, void *arg) 2031 { 2032 struct pfctl_state *new; 2033 struct pfctl_states *states = (struct pfctl_states *)arg; 2034 2035 new = malloc(sizeof(*s)); 2036 if (new == NULL) 2037 return (ENOMEM); 2038 2039 memcpy(new, s, sizeof(*s)); 2040 2041 TAILQ_INSERT_TAIL(&states->states, new, entry); 2042 2043 return (0); 2044 } 2045 2046 int 2047 pfctl_get_states(int dev __unused, struct pfctl_states *states) 2048 { 2049 int ret; 2050 2051 bzero(states, sizeof(*states)); 2052 TAILQ_INIT(&states->states); 2053 2054 ret = pfctl_get_states_iter(pfctl_append_states, states); 2055 if (ret != 0) { 2056 pfctl_free_states(states); 2057 return (ret); 2058 } 2059 2060 return (0); 2061 } 2062 2063 void 2064 pfctl_free_states(struct pfctl_states *states) 2065 { 2066 struct pfctl_state *s, *tmp; 2067 2068 TAILQ_FOREACH_SAFE(s, &states->states, entry, tmp) { 2069 free(s); 2070 } 2071 2072 bzero(states, sizeof(*states)); 2073 } 2074 2075 struct pfctl_nl_clear_states { 2076 uint32_t killed; 2077 }; 2078 #define _OUT(_field) offsetof(struct pfctl_nl_clear_states, _field) 2079 static struct snl_attr_parser ap_clear_states[] = { 2080 { .type = PF_CS_KILLED, .off = _OUT(killed), .cb = snl_attr_get_uint32 }, 2081 }; 2082 #undef _OUT 2083 SNL_DECLARE_PARSER(clear_states_parser, struct genlmsghdr, snl_f_p_empty, ap_clear_states); 2084 2085 static int 2086 _pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 2087 unsigned int *killed, int cmd) 2088 { 2089 struct snl_writer nw; 2090 struct snl_errmsg_data e = {}; 2091 struct pfctl_nl_clear_states attrs = {}; 2092 struct nlmsghdr *hdr; 2093 uint32_t seq_id; 2094 int family_id; 2095 2096 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2097 if (family_id == 0) 2098 return (ENOTSUP); 2099 2100 snl_init_writer(&h->ss, &nw); 2101 hdr = snl_create_genl_msg_request(&nw, family_id, cmd); 2102 hdr->nlmsg_flags |= NLM_F_DUMP; 2103 2104 snl_add_msg_attr_u64(&nw, PF_CS_CMP_ID, kill->cmp.id); 2105 snl_add_msg_attr_u32(&nw, PF_CS_CMP_CREATORID, htonl(kill->cmp.creatorid)); 2106 snl_add_msg_attr_u8(&nw, PF_CS_CMP_DIR, kill->cmp.direction); 2107 snl_add_msg_attr_u8(&nw, PF_CS_AF, kill->af); 2108 snl_add_msg_attr_u8(&nw, PF_CS_PROTO, kill->proto); 2109 snl_add_msg_attr_rule_addr(&nw, PF_CS_SRC, &kill->src); 2110 snl_add_msg_attr_rule_addr(&nw, PF_CS_DST, &kill->dst); 2111 snl_add_msg_attr_rule_addr(&nw, PF_CS_RT_ADDR, &kill->rt_addr); 2112 snl_add_msg_attr_string(&nw, PF_CS_IFNAME, kill->ifname); 2113 snl_add_msg_attr_string(&nw, PF_CS_LABEL, kill->label); 2114 snl_add_msg_attr_bool(&nw, PF_CS_KILL_MATCH, kill->kill_match); 2115 snl_add_msg_attr_bool(&nw, PF_CS_NAT, kill->nat); 2116 2117 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2118 return (ENXIO); 2119 2120 seq_id = hdr->nlmsg_seq; 2121 2122 if (! snl_send_message(&h->ss, hdr)) 2123 return (ENXIO); 2124 2125 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2126 if (! snl_parse_nlmsg(&h->ss, hdr, &clear_states_parser, &attrs)) 2127 continue; 2128 } 2129 2130 if (killed) 2131 *killed = attrs.killed; 2132 2133 return (e.error); 2134 } 2135 2136 int 2137 pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 2138 unsigned int *killed) 2139 { 2140 return(_pfctl_clear_states_h(h, kill, killed, PFNL_CMD_CLRSTATES)); 2141 } 2142 2143 int 2144 pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 2145 unsigned int *killed) 2146 { 2147 return(_pfctl_clear_states_h(h, kill, killed, PFNL_CMD_KILLSTATES)); 2148 } 2149 2150 static int 2151 _pfctl_clear_states(int dev __unused, const struct pfctl_kill *kill, 2152 unsigned int *killed, uint64_t cmd) 2153 { 2154 struct pfctl_handle *h; 2155 int ret; 2156 2157 h = pfctl_open(PF_DEVICE); 2158 if (h == NULL) 2159 return (ENODEV); 2160 2161 ret = _pfctl_clear_states_h(h, kill, killed, cmd); 2162 pfctl_close(h); 2163 2164 return (ret); 2165 } 2166 2167 int 2168 pfctl_clear_states(int dev __unused, const struct pfctl_kill *kill, 2169 unsigned int *killed) 2170 { 2171 return (_pfctl_clear_states(dev, kill, killed, PFNL_CMD_CLRSTATES)); 2172 } 2173 2174 int 2175 pfctl_kill_states(int dev __unused, const struct pfctl_kill *kill, unsigned int *killed) 2176 { 2177 return (_pfctl_clear_states(dev, kill, killed, PFNL_CMD_KILLSTATES)); 2178 } 2179 2180 int 2181 pfctl_clear_rules(int dev, const char *anchorname) 2182 { 2183 struct pfioc_trans trans; 2184 struct pfioc_trans_e transe[2]; 2185 int ret; 2186 2187 bzero(&trans, sizeof(trans)); 2188 bzero(&transe, sizeof(transe)); 2189 2190 transe[0].rs_num = PF_RULESET_SCRUB; 2191 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 2192 >= sizeof(transe[0].anchor)) 2193 return (E2BIG); 2194 2195 transe[1].rs_num = PF_RULESET_FILTER; 2196 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 2197 >= sizeof(transe[1].anchor)) 2198 return (E2BIG); 2199 2200 trans.size = 2; 2201 trans.esize = sizeof(transe[0]); 2202 trans.array = transe; 2203 2204 ret = ioctl(dev, DIOCXBEGIN, &trans); 2205 if (ret != 0) 2206 return (errno); 2207 ret = ioctl(dev, DIOCXCOMMIT, &trans); 2208 if (ret != 0) 2209 return (errno); 2210 2211 return (0); 2212 } 2213 2214 int 2215 pfctl_clear_nat(int dev, const char *anchorname) 2216 { 2217 struct pfioc_trans trans; 2218 struct pfioc_trans_e transe[3]; 2219 int ret; 2220 2221 bzero(&trans, sizeof(trans)); 2222 bzero(&transe, sizeof(transe)); 2223 2224 transe[0].rs_num = PF_RULESET_NAT; 2225 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 2226 >= sizeof(transe[0].anchor)) 2227 return (E2BIG); 2228 2229 transe[1].rs_num = PF_RULESET_BINAT; 2230 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 2231 >= sizeof(transe[0].anchor)) 2232 return (E2BIG); 2233 2234 transe[2].rs_num = PF_RULESET_RDR; 2235 if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor)) 2236 >= sizeof(transe[2].anchor)) 2237 return (E2BIG); 2238 2239 trans.size = 3; 2240 trans.esize = sizeof(transe[0]); 2241 trans.array = transe; 2242 2243 ret = ioctl(dev, DIOCXBEGIN, &trans); 2244 if (ret != 0) 2245 return (errno); 2246 ret = ioctl(dev, DIOCXCOMMIT, &trans); 2247 if (ret != 0) 2248 return (errno); 2249 2250 return (0); 2251 } 2252 2253 int 2254 pfctl_clear_eth_rules(int dev, const char *anchorname) 2255 { 2256 struct pfioc_trans trans; 2257 struct pfioc_trans_e transe; 2258 int ret; 2259 2260 bzero(&trans, sizeof(trans)); 2261 bzero(&transe, sizeof(transe)); 2262 2263 transe.rs_num = PF_RULESET_ETH; 2264 if (strlcpy(transe.anchor, anchorname, sizeof(transe.anchor)) 2265 >= sizeof(transe.anchor)) 2266 return (E2BIG); 2267 2268 trans.size = 1; 2269 trans.esize = sizeof(transe); 2270 trans.array = &transe; 2271 2272 ret = ioctl(dev, DIOCXBEGIN, &trans); 2273 if (ret != 0) 2274 return (errno); 2275 ret = ioctl(dev, DIOCXCOMMIT, &trans); 2276 if (ret != 0) 2277 return (errno); 2278 2279 return (0); 2280 } 2281 2282 static int 2283 _pfctl_get_limit(int dev, const int index, uint *limit) 2284 { 2285 struct pfioc_limit pl; 2286 2287 bzero(&pl, sizeof(pl)); 2288 pl.index = index; 2289 2290 if (ioctl(dev, DIOCGETLIMIT, &pl) == -1) 2291 return (errno); 2292 2293 *limit = pl.limit; 2294 2295 return (0); 2296 } 2297 2298 int 2299 pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s) 2300 { 2301 struct pfioc_nv nv; 2302 nvlist_t *nvl; 2303 int ret; 2304 uint state_limit; 2305 uint64_t lim, hi, lo; 2306 2307 ret = _pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 2308 if (ret != 0) 2309 return (ret); 2310 2311 if (state_limit == 0) 2312 state_limit = INT_MAX; 2313 2314 lim = state_limit; 2315 hi = lim * s->highwater / 100; 2316 lo = lim * s->lowwater / 100; 2317 2318 if (lo == hi) 2319 hi++; 2320 2321 nvl = nvlist_create(0); 2322 2323 nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER); 2324 nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE); 2325 nvlist_add_number(nvl, "highwater", hi); 2326 nvlist_add_number(nvl, "lowwater", lo); 2327 2328 nv.data = nvlist_pack(nvl, &nv.len); 2329 nv.size = nv.len; 2330 nvlist_destroy(nvl); 2331 nvl = NULL; 2332 2333 ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv); 2334 2335 free(nv.data); 2336 if (ret != 0) 2337 return (errno); 2338 2339 return (0); 2340 } 2341 2342 int 2343 pfctl_get_syncookies(int dev, struct pfctl_syncookies *s) 2344 { 2345 nvlist_t *nvl; 2346 int ret; 2347 uint state_limit; 2348 bool enabled, adaptive; 2349 2350 ret = _pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 2351 if (ret != 0) 2352 return (ret); 2353 2354 if (state_limit == 0) 2355 state_limit = INT_MAX; 2356 2357 bzero(s, sizeof(*s)); 2358 2359 nvl = nvlist_create(0); 2360 2361 if ((ret = pfctl_do_ioctl(dev, DIOCGETSYNCOOKIES, 256, &nvl)) != 0) { 2362 ret = errno; 2363 goto out; 2364 } 2365 2366 enabled = nvlist_get_bool(nvl, "enabled"); 2367 adaptive = nvlist_get_bool(nvl, "adaptive"); 2368 2369 if (enabled) { 2370 if (adaptive) 2371 s->mode = PFCTL_SYNCOOKIES_ADAPTIVE; 2372 else 2373 s->mode = PFCTL_SYNCOOKIES_ALWAYS; 2374 } else { 2375 s->mode = PFCTL_SYNCOOKIES_NEVER; 2376 } 2377 2378 s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit; 2379 s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit; 2380 s->halfopen_states = nvlist_get_number(nvl, "halfopen_states"); 2381 2382 out: 2383 nvlist_destroy(nvl); 2384 return (ret); 2385 } 2386 2387 int 2388 pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 2389 *addr, int size, int *nadd, int flags) 2390 { 2391 struct pfioc_table io; 2392 2393 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 2394 return (EINVAL); 2395 } 2396 bzero(&io, sizeof io); 2397 io.pfrio_flags = flags; 2398 io.pfrio_table = *tbl; 2399 io.pfrio_buffer = addr; 2400 io.pfrio_esize = sizeof(*addr); 2401 io.pfrio_size = size; 2402 2403 if (ioctl(dev, DIOCRADDADDRS, &io)) 2404 return (errno); 2405 if (nadd != NULL) 2406 *nadd = io.pfrio_nadd; 2407 return (0); 2408 } 2409 2410 static void 2411 snl_add_msg_attr_table(struct snl_writer *nw, uint32_t type, 2412 const struct pfr_table *tbl) 2413 { 2414 int off; 2415 2416 off = snl_add_msg_attr_nested(nw, type); 2417 2418 snl_add_msg_attr_string(nw, PF_T_ANCHOR, tbl->pfrt_anchor); 2419 snl_add_msg_attr_string(nw, PF_T_NAME, tbl->pfrt_name); 2420 snl_add_msg_attr_u32(nw, PF_T_TABLE_FLAGS, tbl->pfrt_flags); 2421 2422 snl_end_attr_nested(nw, off); 2423 } 2424 2425 static void 2426 snl_add_msg_attr_pfr_addr(struct snl_writer *nw, uint32_t type, 2427 const struct pfr_addr *addr) 2428 { 2429 int off; 2430 2431 off = snl_add_msg_attr_nested(nw, type); 2432 2433 snl_add_msg_attr_u8(nw, PFR_A_AF, addr->pfra_af); 2434 snl_add_msg_attr_u8(nw, PFR_A_NET, addr->pfra_net); 2435 snl_add_msg_attr_bool(nw, PFR_A_NOT, addr->pfra_not); 2436 snl_add_msg_attr_ip6(nw, PFR_A_ADDR, &addr->pfra_ip6addr); 2437 2438 snl_end_attr_nested(nw, off); 2439 } 2440 2441 static struct snl_attr_parser ap_table_add_addr[] = { 2442 { .type = PF_TA_NBR_ADDED, .off = 0, .cb = snl_attr_get_uint32 }, 2443 }; 2444 SNL_DECLARE_PARSER(table_add_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_table_add_addr); 2445 2446 static int 2447 _pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2448 *addrs, int size, int *nadd, int flags) 2449 { 2450 struct snl_writer nw; 2451 struct snl_errmsg_data e = {}; 2452 struct nlmsghdr *hdr; 2453 uint32_t seq_id; 2454 uint32_t added; 2455 int family_id; 2456 2457 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2458 if (family_id == 0) 2459 return (ENOTSUP); 2460 2461 snl_init_writer(&h->ss, &nw); 2462 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_TABLE_ADD_ADDR); 2463 2464 snl_add_msg_attr_table(&nw, PF_TA_TABLE, tbl); 2465 snl_add_msg_attr_u32(&nw, PF_TA_FLAGS, flags); 2466 for (int i = 0; i < size; i++) 2467 snl_add_msg_attr_pfr_addr(&nw, PF_TA_ADDR, &addrs[i]); 2468 2469 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2470 return (ENXIO); 2471 seq_id = hdr->nlmsg_seq; 2472 2473 if (! snl_send_message(&h->ss, hdr)) 2474 return (ENXIO); 2475 2476 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2477 if (! snl_parse_nlmsg(&h->ss, hdr, &table_add_addr_parser, &added)) 2478 continue; 2479 } 2480 2481 if (nadd) 2482 *nadd = added; 2483 2484 return (e.error); 2485 } 2486 2487 int 2488 pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2489 *addr, int size, int *nadd, int flags) 2490 { 2491 int ret; 2492 int off = 0; 2493 int partial_added; 2494 int chunk_size; 2495 2496 do { 2497 chunk_size = MIN(size - off, 256); 2498 ret = _pfctl_table_add_addrs_h(h, tbl, &addr[off], chunk_size, &partial_added, flags); 2499 if (ret != 0) 2500 break; 2501 if (nadd) 2502 *nadd += partial_added; 2503 off += chunk_size; 2504 } while (off < size); 2505 2506 return (ret); 2507 } 2508 2509 static struct snl_attr_parser ap_table_del_addr[] = { 2510 { .type = PF_TA_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint32 }, 2511 }; 2512 SNL_DECLARE_PARSER(table_del_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_table_del_addr); 2513 static int 2514 _pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2515 *addrs, int size, int *ndel, int flags) 2516 { 2517 struct snl_writer nw; 2518 struct snl_errmsg_data e = {}; 2519 struct nlmsghdr *hdr; 2520 uint32_t seq_id; 2521 uint32_t deleted; 2522 int family_id; 2523 2524 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2525 if (family_id == 0) 2526 return (ENOTSUP); 2527 2528 snl_init_writer(&h->ss, &nw); 2529 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_TABLE_DEL_ADDR); 2530 2531 snl_add_msg_attr_table(&nw, PF_TA_TABLE, tbl); 2532 snl_add_msg_attr_u32(&nw, PF_TA_FLAGS, flags); 2533 for (int i = 0; i < size; i++) 2534 snl_add_msg_attr_pfr_addr(&nw, PF_TA_ADDR, &addrs[i]); 2535 2536 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2537 return (ENXIO); 2538 seq_id = hdr->nlmsg_seq; 2539 2540 if (! snl_send_message(&h->ss, hdr)) 2541 return (ENXIO); 2542 2543 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2544 if (! snl_parse_nlmsg(&h->ss, hdr, &table_del_addr_parser, &deleted)) 2545 continue; 2546 } 2547 2548 if (ndel) 2549 *ndel = deleted; 2550 2551 return (e.error); 2552 } 2553 2554 int 2555 pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 2556 *addr, int size, int *ndel, int flags) 2557 { 2558 struct pfioc_table io; 2559 2560 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 2561 return (EINVAL); 2562 } 2563 bzero(&io, sizeof io); 2564 io.pfrio_flags = flags; 2565 io.pfrio_table = *tbl; 2566 io.pfrio_buffer = addr; 2567 io.pfrio_esize = sizeof(*addr); 2568 io.pfrio_size = size; 2569 2570 if (ioctl(dev, DIOCRDELADDRS, &io)) 2571 return (errno); 2572 if (ndel != NULL) 2573 *ndel = io.pfrio_ndel; 2574 return (0); 2575 } 2576 2577 int 2578 pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2579 *addr, int size, int *ndel, int flags) 2580 { 2581 int ret; 2582 int off = 0; 2583 int partial_deleted; 2584 int chunk_size; 2585 2586 do { 2587 chunk_size = MIN(size - off, 256); 2588 ret = _pfctl_table_del_addrs_h(h, tbl, &addr[off], chunk_size, 2589 &partial_deleted, flags); 2590 if (ret != 0) 2591 break; 2592 if (ndel) 2593 *ndel += partial_deleted; 2594 off += chunk_size; 2595 } while (off < size); 2596 2597 return (ret); 2598 } 2599 2600 struct pfctl_change { 2601 int add; 2602 int del; 2603 int change; 2604 }; 2605 #define _OUT(_field) offsetof(struct pfctl_change, _field) 2606 static struct snl_attr_parser ap_table_set_addr[] = { 2607 { .type = PF_TA_NBR_ADDED, .off = _OUT(add), .cb = snl_attr_get_uint32 }, 2608 { .type = PF_TA_NBR_DELETED, .off = _OUT(del), .cb = snl_attr_get_uint32 }, 2609 { .type = PF_TA_NBR_CHANGED, .off = _OUT(change), .cb = snl_attr_get_uint32 }, 2610 }; 2611 #undef _OUT 2612 SNL_DECLARE_PARSER(table_set_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_table_set_addr); 2613 2614 static int 2615 _pfctl_table_set_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2616 *addrs, int size, int *nadd, int *ndel, int *nchange, int flags) 2617 { 2618 struct snl_writer nw; 2619 struct snl_errmsg_data e = {}; 2620 struct nlmsghdr *hdr; 2621 struct pfctl_change change = { 0 }; 2622 uint32_t seq_id; 2623 int family_id; 2624 2625 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2626 if (family_id == 0) 2627 return (ENOTSUP); 2628 2629 snl_init_writer(&h->ss, &nw); 2630 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_TABLE_SET_ADDR); 2631 2632 snl_add_msg_attr_table(&nw, PF_TA_TABLE, tbl); 2633 snl_add_msg_attr_u32(&nw, PF_TA_FLAGS, flags); 2634 for (int i = 0; i < size; i++) 2635 snl_add_msg_attr_pfr_addr(&nw, PF_TA_ADDR, &addrs[i]); 2636 2637 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2638 return (ENXIO); 2639 seq_id = hdr->nlmsg_seq; 2640 2641 if (! snl_send_message(&h->ss, hdr)) 2642 return (ENXIO); 2643 2644 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2645 if (! snl_parse_nlmsg(&h->ss, hdr, &table_set_addr_parser, &change)) 2646 continue; 2647 } 2648 2649 if (nadd) 2650 *nadd = change.add; 2651 if (ndel) 2652 *ndel = change.del; 2653 if (nchange) 2654 *nchange = change.change; 2655 2656 return (e.error); 2657 } 2658 2659 int 2660 pfctl_table_set_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, 2661 struct pfr_addr *addr, int size, int *nadd, int *ndel, 2662 int *nchange, int flags) 2663 { 2664 int ret; 2665 int off = 0; 2666 int partial_add, partial_del, partial_change; 2667 int chunk_size; 2668 2669 do { 2670 flags &= ~(PFR_FLAG_START | PFR_FLAG_DONE); 2671 if (off == 0) 2672 flags |= PFR_FLAG_START; 2673 chunk_size = MIN(size - off, 256); 2674 if ((chunk_size + off) == size) 2675 flags |= PFR_FLAG_DONE; 2676 ret = _pfctl_table_set_addrs_h(h, tbl, &addr[off], chunk_size, 2677 &partial_add, &partial_del, &partial_change, flags); 2678 if (ret != 0) 2679 break; 2680 if (! (flags & PFR_FLAG_DONE)) { 2681 assert(partial_del == 0); 2682 } 2683 if (nadd) 2684 *nadd += partial_add; 2685 if (ndel) 2686 *ndel += partial_del; 2687 if (nchange) 2688 *nchange += partial_change; 2689 off += chunk_size; 2690 } while (off < size); 2691 2692 return (ret); 2693 } 2694 2695 int 2696 pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 2697 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, int flags) 2698 { 2699 struct pfioc_table io; 2700 2701 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 2702 return (EINVAL); 2703 } 2704 bzero(&io, sizeof io); 2705 io.pfrio_flags = flags; 2706 io.pfrio_table = *tbl; 2707 io.pfrio_buffer = addr; 2708 io.pfrio_esize = sizeof(*addr); 2709 io.pfrio_size = size; 2710 io.pfrio_size2 = (size2 != NULL) ? *size2 : 0; 2711 if (ioctl(dev, DIOCRSETADDRS, &io)) 2712 return (errno); 2713 if (nadd != NULL) 2714 *nadd = io.pfrio_nadd; 2715 if (ndel != NULL) 2716 *ndel = io.pfrio_ndel; 2717 if (nchange != NULL) 2718 *nchange = io.pfrio_nchange; 2719 if (size2 != NULL) 2720 *size2 = io.pfrio_size2; 2721 return (0); 2722 } 2723 2724 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr *addr, 2725 int *size, int flags) 2726 { 2727 struct pfioc_table io; 2728 2729 if (tbl == NULL || size == NULL || *size < 0 || 2730 (*size && addr == NULL)) { 2731 return (EINVAL); 2732 } 2733 bzero(&io, sizeof io); 2734 io.pfrio_flags = flags; 2735 io.pfrio_table = *tbl; 2736 io.pfrio_buffer = addr; 2737 io.pfrio_esize = sizeof(*addr); 2738 io.pfrio_size = *size; 2739 if (ioctl(dev, DIOCRGETADDRS, &io)) 2740 return (errno); 2741 *size = io.pfrio_size; 2742 return (0); 2743 } 2744 2745 int 2746 pfctl_set_statusif(struct pfctl_handle *h, const char *ifname) 2747 { 2748 struct snl_writer nw; 2749 struct snl_errmsg_data e = {}; 2750 struct nlmsghdr *hdr; 2751 uint32_t seq_id; 2752 int family_id; 2753 2754 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2755 if (family_id == 0) 2756 return (ENOTSUP); 2757 2758 snl_init_writer(&h->ss, &nw); 2759 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_STATUSIF); 2760 2761 snl_add_msg_attr_string(&nw, PF_SS_IFNAME, ifname); 2762 2763 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2764 return (ENXIO); 2765 2766 seq_id = hdr->nlmsg_seq; 2767 2768 if (! snl_send_message(&h->ss, hdr)) 2769 return (ENXIO); 2770 2771 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2772 } 2773 2774 return (e.error); 2775 } 2776 2777 #define _IN(_field) offsetof(struct genlmsghdr, _field) 2778 #define _OUT(_field) offsetof(struct pfctl_natlook, _field) 2779 static struct snl_attr_parser ap_natlook[] = { 2780 { .type = PF_NL_SRC_ADDR, .off = _OUT(saddr), .cb = snl_attr_get_in6_addr }, 2781 { .type = PF_NL_DST_ADDR, .off = _OUT(daddr), .cb = snl_attr_get_in6_addr }, 2782 { .type = PF_NL_SRC_PORT, .off = _OUT(sport), .cb = snl_attr_get_uint16 }, 2783 { .type = PF_NL_DST_PORT, .off = _OUT(dport), .cb = snl_attr_get_uint16 }, 2784 }; 2785 #undef _IN 2786 #undef _OUT 2787 SNL_DECLARE_PARSER(natlook_parser, struct genlmsghdr, snl_f_p_empty, ap_natlook); 2788 2789 int 2790 pfctl_natlook(struct pfctl_handle *h, const struct pfctl_natlook_key *k, 2791 struct pfctl_natlook *r) 2792 { 2793 struct snl_writer nw; 2794 struct snl_errmsg_data e = {}; 2795 struct nlmsghdr *hdr; 2796 uint32_t seq_id; 2797 int family_id; 2798 2799 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2800 if (family_id == 0) 2801 return (ENOTSUP); 2802 2803 snl_init_writer(&h->ss, &nw); 2804 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_NATLOOK); 2805 hdr->nlmsg_flags |= NLM_F_DUMP; 2806 2807 snl_add_msg_attr_u8(&nw, PF_NL_AF, k->af); 2808 snl_add_msg_attr_u8(&nw, PF_NL_DIRECTION, k->direction); 2809 snl_add_msg_attr_u8(&nw, PF_NL_PROTO, k->proto); 2810 snl_add_msg_attr_ip6(&nw, PF_NL_SRC_ADDR, &k->saddr.v6); 2811 snl_add_msg_attr_ip6(&nw, PF_NL_DST_ADDR, &k->daddr.v6); 2812 snl_add_msg_attr_u16(&nw, PF_NL_SRC_PORT, k->sport); 2813 snl_add_msg_attr_u16(&nw, PF_NL_DST_PORT, k->dport); 2814 2815 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2816 return (ENXIO); 2817 2818 seq_id = hdr->nlmsg_seq; 2819 2820 if (! snl_send_message(&h->ss, hdr)) 2821 return (ENXIO); 2822 2823 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2824 if (! snl_parse_nlmsg(&h->ss, hdr, &natlook_parser, r)) 2825 continue; 2826 } 2827 2828 return (e.error); 2829 } 2830 2831 int 2832 pfctl_set_debug(struct pfctl_handle *h, uint32_t level) 2833 { 2834 struct snl_writer nw; 2835 struct snl_errmsg_data e = {}; 2836 struct nlmsghdr *hdr; 2837 uint32_t seq_id; 2838 int family_id; 2839 2840 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2841 if (family_id == 0) 2842 return (ENOTSUP); 2843 2844 snl_init_writer(&h->ss, &nw); 2845 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_DEBUG); 2846 2847 snl_add_msg_attr_u32(&nw, PF_SD_LEVEL, level); 2848 2849 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2850 return (ENXIO); 2851 2852 seq_id = hdr->nlmsg_seq; 2853 2854 if (! snl_send_message(&h->ss, hdr)) 2855 return (ENXIO); 2856 2857 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2858 } 2859 2860 return (e.error); 2861 } 2862 2863 int 2864 pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds) 2865 { 2866 struct snl_writer nw; 2867 struct snl_errmsg_data e = {}; 2868 struct nlmsghdr *hdr; 2869 uint32_t seq_id; 2870 int family_id; 2871 2872 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2873 if (family_id == 0) 2874 return (ENOTSUP); 2875 2876 snl_init_writer(&h->ss, &nw); 2877 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_TIMEOUT); 2878 2879 snl_add_msg_attr_u32(&nw, PF_TO_TIMEOUT, timeout); 2880 snl_add_msg_attr_u32(&nw, PF_TO_SECONDS, seconds); 2881 2882 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2883 return (ENXIO); 2884 2885 seq_id = hdr->nlmsg_seq; 2886 2887 if (! snl_send_message(&h->ss, hdr)) 2888 return (ENXIO); 2889 2890 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2891 } 2892 2893 return (e.error); 2894 } 2895 2896 struct pfctl_nl_timeout { 2897 uint32_t seconds; 2898 }; 2899 #define _OUT(_field) offsetof(struct pfctl_nl_timeout, _field) 2900 static struct snl_attr_parser ap_get_timeout[] = { 2901 { .type = PF_TO_SECONDS, .off = _OUT(seconds), .cb = snl_attr_get_uint32 }, 2902 }; 2903 #undef _OUT 2904 SNL_DECLARE_PARSER(get_timeout_parser, struct genlmsghdr, snl_f_p_empty, ap_get_timeout); 2905 2906 int 2907 pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds) 2908 { 2909 struct snl_writer nw; 2910 struct pfctl_nl_timeout to = {}; 2911 struct snl_errmsg_data e = {}; 2912 struct nlmsghdr *hdr; 2913 uint32_t seq_id; 2914 int family_id; 2915 2916 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2917 if (family_id == 0) 2918 return (ENOTSUP); 2919 2920 snl_init_writer(&h->ss, &nw); 2921 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_TIMEOUT); 2922 hdr->nlmsg_flags |= NLM_F_DUMP; 2923 2924 snl_add_msg_attr_u32(&nw, PF_TO_TIMEOUT, timeout); 2925 2926 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2927 return (ENXIO); 2928 2929 seq_id = hdr->nlmsg_seq; 2930 2931 if (! snl_send_message(&h->ss, hdr)) 2932 return (ENXIO); 2933 2934 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2935 if (! snl_parse_nlmsg(&h->ss, hdr, &get_timeout_parser, &to)) 2936 continue; 2937 } 2938 2939 if (seconds != NULL) 2940 *seconds = to.seconds; 2941 2942 return (e.error); 2943 } 2944 2945 int 2946 pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit) 2947 { 2948 struct snl_writer nw; 2949 struct snl_errmsg_data e = {}; 2950 struct nlmsghdr *hdr; 2951 uint32_t seq_id; 2952 int family_id; 2953 2954 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2955 if (family_id == 0) 2956 return (ENOTSUP); 2957 2958 snl_init_writer(&h->ss, &nw); 2959 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_LIMIT); 2960 2961 snl_add_msg_attr_u32(&nw, PF_LI_INDEX, index); 2962 snl_add_msg_attr_u32(&nw, PF_LI_LIMIT, limit); 2963 2964 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2965 return (ENXIO); 2966 2967 seq_id = hdr->nlmsg_seq; 2968 2969 if (! snl_send_message(&h->ss, hdr)) 2970 return (ENXIO); 2971 2972 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2973 } 2974 2975 return (e.error); 2976 } 2977 2978 struct pfctl_nl_limit { 2979 unsigned int limit; 2980 }; 2981 #define _OUT(_field) offsetof(struct pfctl_nl_limit, _field) 2982 static struct snl_attr_parser ap_get_limit[] = { 2983 { .type = PF_LI_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, 2984 }; 2985 #undef _OUT 2986 SNL_DECLARE_PARSER(get_limit_parser, struct genlmsghdr, snl_f_p_empty, ap_get_limit); 2987 2988 int 2989 pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit) 2990 { 2991 struct snl_writer nw; 2992 struct pfctl_nl_limit li = {}; 2993 struct snl_errmsg_data e = {}; 2994 struct nlmsghdr *hdr; 2995 uint32_t seq_id; 2996 int family_id; 2997 2998 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2999 if (family_id == 0) 3000 return (ENOTSUP); 3001 3002 snl_init_writer(&h->ss, &nw); 3003 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_LIMIT); 3004 hdr->nlmsg_flags |= NLM_F_DUMP; 3005 3006 snl_add_msg_attr_u32(&nw, PF_LI_INDEX, index); 3007 3008 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3009 return (ENXIO); 3010 3011 seq_id = hdr->nlmsg_seq; 3012 3013 if (! snl_send_message(&h->ss, hdr)) 3014 return (ENXIO); 3015 3016 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3017 if (! snl_parse_nlmsg(&h->ss, hdr, &get_limit_parser, &li)) 3018 continue; 3019 } 3020 3021 if (limit != NULL) 3022 *limit = li.limit; 3023 3024 return (e.error); 3025 } 3026 3027 struct pfctl_nl_begin_addrs { 3028 uint32_t ticket; 3029 }; 3030 #define _OUT(_field) offsetof(struct pfctl_nl_begin_addrs, _field) 3031 static struct snl_attr_parser ap_begin_addrs[] = { 3032 { .type = PF_BA_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 }, 3033 }; 3034 #undef _OUT 3035 SNL_DECLARE_PARSER(begin_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_begin_addrs); 3036 3037 int 3038 pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket) 3039 { 3040 struct snl_writer nw; 3041 struct pfctl_nl_begin_addrs attrs = {}; 3042 struct snl_errmsg_data e = {}; 3043 struct nlmsghdr *hdr; 3044 uint32_t seq_id; 3045 int family_id; 3046 3047 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3048 if (family_id == 0) 3049 return (ENOTSUP); 3050 3051 snl_init_writer(&h->ss, &nw); 3052 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_BEGIN_ADDRS); 3053 hdr->nlmsg_flags |= NLM_F_DUMP; 3054 3055 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3056 return (ENXIO); 3057 3058 seq_id = hdr->nlmsg_seq; 3059 3060 if (! snl_send_message(&h->ss, hdr)) 3061 return (ENXIO); 3062 3063 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3064 if (! snl_parse_nlmsg(&h->ss, hdr, &begin_addrs_parser, &attrs)) 3065 continue; 3066 } 3067 3068 if (ticket != NULL) 3069 *ticket = attrs.ticket; 3070 3071 return (e.error); 3072 } 3073 3074 int 3075 pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which) 3076 { 3077 struct snl_writer nw; 3078 struct snl_errmsg_data e = {}; 3079 struct nlmsghdr *hdr; 3080 uint32_t seq_id; 3081 int family_id; 3082 3083 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3084 if (family_id == 0) 3085 return (ENOTSUP); 3086 3087 snl_init_writer(&h->ss, &nw); 3088 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADD_ADDR); 3089 3090 snl_add_msg_attr_u32(&nw, PF_AA_ACTION, pa->action); 3091 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, pa->ticket); 3092 snl_add_msg_attr_u32(&nw, PF_AA_NR, pa->nr); 3093 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, pa->r_num); 3094 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, pa->r_action); 3095 snl_add_msg_attr_u8(&nw, PF_AA_R_LAST, pa->r_last); 3096 snl_add_msg_attr_u8(&nw, PF_AA_AF, pa->af); 3097 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, pa->anchor); 3098 snl_add_msg_attr_pool_addr(&nw, PF_AA_ADDR, &pa->addr); 3099 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which); 3100 3101 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3102 return (ENXIO); 3103 3104 seq_id = hdr->nlmsg_seq; 3105 3106 if (! snl_send_message(&h->ss, hdr)) 3107 return (ENXIO); 3108 3109 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3110 } 3111 3112 return (e.error); 3113 } 3114 3115 static const struct snl_attr_parser ap_get_addrs[] = { 3116 { .type = PF_AA_NR, .off = 0, .cb = snl_attr_get_uint32 }, 3117 }; 3118 SNL_DECLARE_PARSER(get_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_get_addrs); 3119 3120 int 3121 pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, 3122 uint8_t r_action, const char *anchor, uint32_t *nr, int which) 3123 { 3124 struct snl_writer nw; 3125 struct snl_errmsg_data e = {}; 3126 struct nlmsghdr *hdr; 3127 uint32_t seq_id; 3128 int family_id; 3129 3130 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3131 if (family_id == 0) 3132 return (ENOTSUP); 3133 3134 snl_init_writer(&h->ss, &nw); 3135 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_ADDRS); 3136 3137 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, ticket); 3138 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, r_num); 3139 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, r_action); 3140 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, anchor); 3141 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which); 3142 3143 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3144 return (ENXIO); 3145 3146 seq_id = hdr->nlmsg_seq; 3147 3148 if (! snl_send_message(&h->ss, hdr)) 3149 return (ENXIO); 3150 3151 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3152 if (! snl_parse_nlmsg(&h->ss, hdr, &get_addrs_parser, nr)) 3153 continue; 3154 } 3155 3156 return (e.error); 3157 } 3158 3159 #define _OUT(_field) offsetof(struct pf_pooladdr, _field) 3160 static const struct snl_attr_parser ap_pool_addr[] = { 3161 { .type = PF_PA_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = snl_attr_get_nested }, 3162 { .type = PF_PA_IFNAME, .off = _OUT(ifname), .arg_u32 = IFNAMSIZ, .cb = snl_attr_copy_string }, 3163 }; 3164 SNL_DECLARE_ATTR_PARSER(pool_addr_parser, ap_pool_addr); 3165 #undef _OUT 3166 3167 #define _OUT(_field) offsetof(struct pfioc_pooladdr, _field) 3168 static const struct snl_attr_parser ap_get_addr[] = { 3169 { .type = PF_AA_ACTION, .off = _OUT(action), .cb = snl_attr_get_uint32 }, 3170 { .type = PF_AA_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 }, 3171 { .type = PF_AA_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 }, 3172 { .type = PF_AA_R_NUM, .off = _OUT(r_num), .cb = snl_attr_get_uint32 }, 3173 { .type = PF_AA_R_ACTION, .off = _OUT(r_action), .cb = snl_attr_get_uint8 }, 3174 { .type = PF_AA_R_LAST, .off = _OUT(r_last), .cb = snl_attr_get_uint8 }, 3175 { .type = PF_AA_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, 3176 { .type = PF_AA_ANCHOR, .off = _OUT(anchor), .arg_u32 = MAXPATHLEN, .cb = snl_attr_copy_string }, 3177 { .type = PF_AA_ADDR, .off = _OUT(addr), .arg = &pool_addr_parser, .cb = snl_attr_get_nested }, 3178 }; 3179 SNL_DECLARE_PARSER(get_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_get_addr); 3180 #undef _OUT 3181 3182 int 3183 pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, 3184 uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa, 3185 int which) 3186 { 3187 struct snl_writer nw; 3188 struct snl_errmsg_data e = {}; 3189 struct nlmsghdr *hdr; 3190 uint32_t seq_id; 3191 int family_id; 3192 3193 family_id =snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3194 if (family_id == 0) 3195 return (ENOTSUP); 3196 3197 snl_init_writer(&h->ss, &nw); 3198 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_ADDR); 3199 3200 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, ticket); 3201 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, r_num); 3202 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, r_action); 3203 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, anchor); 3204 snl_add_msg_attr_u32(&nw, PF_AA_NR, nr); 3205 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which); 3206 3207 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3208 return (ENXIO); 3209 3210 seq_id = hdr->nlmsg_seq; 3211 3212 if (! snl_send_message(&h->ss, hdr)) 3213 return (ENXIO); 3214 3215 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3216 if (! snl_parse_nlmsg(&h->ss, hdr, &get_addr_parser, pa)) 3217 continue; 3218 } 3219 3220 return (e.error); 3221 } 3222 3223 #define _OUT(_field) offsetof(struct pfioc_ruleset, _field) 3224 static const struct snl_attr_parser ap_ruleset[] = { 3225 { .type = PF_RS_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 }, 3226 { .type = PF_RS_NAME, .off = _OUT(name), .arg = (void *)PF_ANCHOR_NAME_SIZE, .cb = snl_attr_copy_string }, 3227 }; 3228 SNL_DECLARE_PARSER(ruleset_parser, struct genlmsghdr, snl_f_p_empty, ap_ruleset); 3229 #undef _OUT 3230 3231 int 3232 pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr) 3233 { 3234 struct snl_writer nw; 3235 struct snl_errmsg_data e = {}; 3236 struct nlmsghdr *hdr; 3237 struct pfioc_ruleset rs = {}; 3238 uint32_t seq_id; 3239 int family_id; 3240 3241 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3242 if (family_id == 0) 3243 return (ENOTSUP); 3244 3245 snl_init_writer(&h->ss, &nw); 3246 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_RULESETS); 3247 3248 snl_add_msg_attr_string(&nw, PF_RS_PATH, path); 3249 3250 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3251 return (ENXIO); 3252 3253 seq_id = hdr->nlmsg_seq; 3254 3255 if (! snl_send_message(&h->ss, hdr)) 3256 return (ENXIO); 3257 3258 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3259 if (! snl_parse_nlmsg(&h->ss, hdr, &ruleset_parser, &rs)) 3260 continue; 3261 } 3262 3263 *nr = rs.nr; 3264 3265 return (e.error); 3266 } 3267 3268 int 3269 pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs) 3270 { 3271 struct snl_writer nw; 3272 struct snl_errmsg_data e = {}; 3273 struct nlmsghdr *hdr; 3274 uint32_t seq_id; 3275 int family_id; 3276 3277 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3278 if (family_id == 0) 3279 return (ENOTSUP); 3280 3281 snl_init_writer(&h->ss, &nw); 3282 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_RULESET); 3283 3284 snl_add_msg_attr_string(&nw, PF_RS_PATH, path); 3285 snl_add_msg_attr_u32(&nw, PF_RS_NR, nr); 3286 3287 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3288 return (ENXIO); 3289 3290 seq_id = hdr->nlmsg_seq; 3291 3292 if (! snl_send_message(&h->ss, hdr)) 3293 return (ENXIO); 3294 3295 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3296 if (! snl_parse_nlmsg(&h->ss, hdr, &ruleset_parser, rs)) 3297 continue; 3298 } 3299 3300 rs->nr = nr; 3301 strlcpy(rs->path, path, sizeof(rs->path)); 3302 3303 return (e.error); 3304 } 3305 3306 #define _OUT(_field) offsetof(struct pfctl_src_node, _field) 3307 static struct snl_attr_parser ap_srcnode[] = { 3308 { .type = PF_SN_ADDR, .off = _OUT(addr), .cb = snl_attr_get_in6_addr }, 3309 { .type = PF_SN_RADDR, .off = _OUT(raddr), .cb = snl_attr_get_in6_addr }, 3310 { .type = PF_SN_RULE_NR, .off = _OUT(rule), .cb = snl_attr_get_uint32 }, 3311 { .type = PF_SN_BYTES_IN, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 }, 3312 { .type = PF_SN_BYTES_OUT, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 }, 3313 { .type = PF_SN_PACKETS_IN, .off = _OUT(packets[0]), .cb = snl_attr_get_uint64 }, 3314 { .type = PF_SN_PACKETS_OUT, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 }, 3315 { .type = PF_SN_STATES, .off = _OUT(states), .cb = snl_attr_get_uint32 }, 3316 { .type = PF_SN_CONNECTIONS, .off = _OUT(conn), .cb = snl_attr_get_uint32 }, 3317 { .type = PF_SN_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, 3318 { .type = PF_SN_RULE_TYPE, .off = _OUT(ruletype), .cb = snl_attr_get_uint8 }, 3319 { .type = PF_SN_CREATION, .off = _OUT(creation), .cb = snl_attr_get_uint64 }, 3320 { .type = PF_SN_EXPIRE, .off = _OUT(expire), .cb = snl_attr_get_uint64 }, 3321 { .type = PF_SN_CONNECTION_RATE, .off = _OUT(conn_rate), .arg = &pfctl_threshold_parser, .cb = snl_attr_get_nested }, 3322 { .type = PF_SN_RAF, .off = _OUT(raf), .cb = snl_attr_get_uint8 }, 3323 { .type = PF_SN_NODE_TYPE, .off = _OUT(type), .cb = snl_attr_get_uint8 }, 3324 }; 3325 #undef _OUT 3326 SNL_DECLARE_PARSER(srcnode_parser, struct genlmsghdr, snl_f_p_empty, ap_srcnode); 3327 3328 int 3329 pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg) 3330 { 3331 struct snl_writer nw; 3332 struct pfctl_src_node sn; 3333 struct snl_errmsg_data e = {}; 3334 struct nlmsghdr *hdr; 3335 uint32_t seq_id; 3336 int family_id; 3337 int ret; 3338 3339 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3340 if (family_id == 0) 3341 return (ENOTSUP); 3342 3343 snl_init_writer(&h->ss, &nw); 3344 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_SRCNODES); 3345 3346 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3347 return (ENXIO); 3348 3349 seq_id = hdr->nlmsg_seq; 3350 3351 if (!snl_send_message(&h->ss, hdr)) 3352 return (ENXIO); 3353 3354 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3355 bzero(&sn, sizeof(sn)); 3356 if (!snl_parse_nlmsg(&h->ss, hdr, &srcnode_parser, &sn)) 3357 continue; 3358 3359 ret = fn(&sn, arg); 3360 if (ret != 0) 3361 return (ret); 3362 } 3363 3364 return (e.error); 3365 } 3366 3367 static struct snl_attr_parser ap_ndel[] = { 3368 { .type = PF_T_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint32 }, 3369 }; 3370 SNL_DECLARE_PARSER(ndel_parser, struct genlmsghdr, snl_f_p_empty, ap_ndel); 3371 3372 int 3373 pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter, 3374 int *ndel, int flags) 3375 { 3376 struct snl_writer nw; 3377 struct snl_errmsg_data e = {}; 3378 struct nlmsghdr *hdr; 3379 uint32_t seq_id; 3380 int family_id; 3381 3382 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3383 if (family_id == 0) 3384 return (ENOTSUP); 3385 3386 snl_init_writer(&h->ss, &nw); 3387 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLEAR_TABLES); 3388 3389 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3390 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3391 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3392 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3393 3394 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3395 return (ENXIO); 3396 3397 seq_id = hdr->nlmsg_seq; 3398 3399 if (!snl_send_message(&h->ss, hdr)) 3400 return (ENXIO); 3401 3402 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3403 if (!snl_parse_nlmsg(&h->ss, hdr, &ndel_parser, ndel)) 3404 continue; 3405 } 3406 3407 return (e.error); 3408 } 3409 3410 static struct snl_attr_parser ap_nadd[] = { 3411 { .type = PF_T_NBR_ADDED, .off = 0, .cb = snl_attr_get_uint32 }, 3412 }; 3413 SNL_DECLARE_PARSER(nadd_parser, struct genlmsghdr, snl_f_p_empty, ap_nadd); 3414 int 3415 pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table, 3416 int *nadd, int flags) 3417 { 3418 struct snl_writer nw; 3419 struct snl_errmsg_data e = {}; 3420 struct nlmsghdr *hdr; 3421 uint32_t seq_id; 3422 int family_id; 3423 3424 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3425 if (family_id == 0) 3426 return (ENOTSUP); 3427 3428 snl_init_writer(&h->ss, &nw); 3429 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADD_TABLE); 3430 3431 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, table->pfrt_anchor); 3432 snl_add_msg_attr_string(&nw, PF_T_NAME, table->pfrt_name); 3433 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, table->pfrt_flags); 3434 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3435 3436 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3437 return (ENXIO); 3438 3439 seq_id = hdr->nlmsg_seq; 3440 3441 if (!snl_send_message(&h->ss, hdr)) 3442 return (ENXIO); 3443 3444 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3445 if (!snl_parse_nlmsg(&h->ss, hdr, &nadd_parser, nadd)) 3446 continue; 3447 } 3448 3449 return (e.error); 3450 } 3451 3452 int 3453 pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table, 3454 int *ndel, int flags) 3455 { 3456 struct snl_writer nw; 3457 struct snl_errmsg_data e = {}; 3458 struct nlmsghdr *hdr; 3459 uint32_t seq_id; 3460 int family_id; 3461 3462 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3463 if (family_id == 0) 3464 return (ENOTSUP); 3465 3466 snl_init_writer(&h->ss, &nw); 3467 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_DEL_TABLE); 3468 3469 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, table->pfrt_anchor); 3470 snl_add_msg_attr_string(&nw, PF_T_NAME, table->pfrt_name); 3471 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, table->pfrt_flags); 3472 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3473 3474 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3475 return (ENXIO); 3476 3477 seq_id = hdr->nlmsg_seq; 3478 3479 if (!snl_send_message(&h->ss, hdr)) 3480 return (ENXIO); 3481 3482 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3483 if (!snl_parse_nlmsg(&h->ss, hdr, &ndel_parser, ndel)) 3484 continue; 3485 } 3486 3487 return (e.error); 3488 } 3489 3490 static bool 3491 snl_attr_get_uint64_into_int_array(struct snl_state *ss, struct nlattr *nla, 3492 const void *arg, void *target) 3493 { 3494 uint64_t *u64target; 3495 struct snl_uint64_array a = { 3496 .count = 0, 3497 .max = (size_t)arg, 3498 }; 3499 bool error; 3500 3501 u64target = malloc(a.max * sizeof(uint64_t)); 3502 a.array = u64target; 3503 3504 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &array_parser, &a); 3505 if (! error) 3506 return (error); 3507 3508 for (size_t i = 0; i < a.count; i++) 3509 ((int *)target)[i] = (int)u64target[i]; 3510 3511 free(u64target); 3512 3513 return (true); 3514 } 3515 3516 #define _OUT(_field) offsetof(struct pfr_table, _field) 3517 static const struct snl_attr_parser ap_table[] = { 3518 { .type = PF_T_ANCHOR, .off = _OUT(pfrt_anchor), .arg = (void *)MAXPATHLEN, .cb = snl_attr_copy_string }, 3519 { .type = PF_T_NAME, .off = _OUT(pfrt_name), .arg = (void *)PF_TABLE_NAME_SIZE, .cb =snl_attr_copy_string }, 3520 { .type = PF_T_TABLE_FLAGS, .off = _OUT(pfrt_flags), .cb = snl_attr_get_uint32 }, 3521 }; 3522 #undef _OUT 3523 SNL_DECLARE_ATTR_PARSER(table_parser, ap_table); 3524 #define _OUT(_field) offsetof(struct pfr_tstats, _field) 3525 static struct snl_attr_parser ap_tstats[] = { 3526 { .type = PF_TS_TABLE, .off = _OUT(pfrts_t), .arg = &table_parser, .cb = snl_attr_get_nested }, 3527 { .type = PF_TS_PACKETS, .off = _OUT(pfrts_packets), .arg = (void *)(PFR_DIR_MAX * PFR_OP_TABLE_MAX), .cb = snl_attr_get_uint64_array}, 3528 { .type = PF_TS_BYTES, .off = _OUT(pfrts_bytes), .arg = (void *)(PFR_DIR_MAX * PFR_OP_TABLE_MAX), .cb = snl_attr_get_uint64_array }, 3529 { .type = PF_TS_MATCH, .off = _OUT(pfrts_match), .cb = snl_attr_get_uint64 }, 3530 {. type = PF_TS_NOMATCH, .off = _OUT(pfrts_nomatch), .cb = snl_attr_get_uint64 }, 3531 { .type = PF_TS_TZERO, .off = _OUT(pfrts_tzero), .cb = snl_attr_get_uint64 }, 3532 { .type = PF_TS_REFCNT, .off = _OUT(pfrts_cnt), . arg = (void *)PFR_REFCNT_MAX, .cb = snl_attr_get_uint64_into_int_array }, 3533 }; 3534 #undef _OUT 3535 SNL_DECLARE_PARSER(tstats_parser, struct genlmsghdr, snl_f_p_empty, ap_tstats); 3536 3537 int 3538 pfctl_get_tstats(struct pfctl_handle *h, const struct pfr_table *filter, 3539 pfctl_get_tstats_fn fn, void *arg) 3540 { 3541 struct snl_writer nw; 3542 struct snl_errmsg_data e = {}; 3543 struct nlmsghdr *hdr; 3544 uint32_t seq_id; 3545 int family_id; 3546 int ret; 3547 3548 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3549 if (family_id == 0) 3550 return (ENOTSUP); 3551 3552 snl_init_writer(&h->ss, &nw); 3553 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_TSTATS); 3554 3555 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3556 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3557 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3558 3559 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3560 return (ENXIO); 3561 3562 seq_id = hdr->nlmsg_seq; 3563 3564 if (!snl_send_message(&h->ss, hdr)) 3565 return (ENXIO); 3566 3567 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3568 struct pfr_tstats tstats = {}; 3569 3570 if (!snl_parse_nlmsg(&h->ss, hdr, &tstats_parser, &tstats)) 3571 continue; 3572 3573 ret = fn(&tstats, arg); 3574 if (ret != 0) 3575 break; 3576 } 3577 3578 return (e.error); 3579 } 3580 3581 static struct snl_attr_parser ap_tstats_clr[] = { 3582 { .type = PF_TS_NZERO, .off = 0, .cb = snl_attr_get_uint64 }, 3583 }; 3584 SNL_DECLARE_PARSER(tstats_clr_parser, struct genlmsghdr, snl_f_p_empty, ap_tstats_clr); 3585 3586 int 3587 pfctl_clear_tstats(struct pfctl_handle *h, const struct pfr_table *filter, 3588 int *nzero, int flags) 3589 { 3590 struct snl_writer nw; 3591 struct snl_errmsg_data e = {}; 3592 struct nlmsghdr *hdr; 3593 uint64_t zero; 3594 uint32_t seq_id; 3595 int family_id; 3596 3597 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3598 if (family_id == 0) 3599 return (ENOTSUP); 3600 3601 snl_init_writer(&h->ss, &nw); 3602 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLR_TSTATS); 3603 3604 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3605 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3606 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3607 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3608 3609 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3610 return (ENXIO); 3611 3612 seq_id = hdr->nlmsg_seq; 3613 3614 if (!snl_send_message(&h->ss, hdr)) 3615 return (ENXIO); 3616 3617 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3618 if (!snl_parse_nlmsg(&h->ss, hdr, &tstats_clr_parser, &zero)) 3619 continue; 3620 if (nzero) 3621 *nzero = (uint32_t)zero; 3622 } 3623 3624 return (e.error); 3625 } 3626 3627 static struct snl_attr_parser ap_clr_addrs[] = { 3628 { .type = PF_T_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint64 }, 3629 }; 3630 SNL_DECLARE_PARSER(clr_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_clr_addrs); 3631 3632 int 3633 pfctl_clear_addrs(struct pfctl_handle *h, const struct pfr_table *filter, 3634 int *ndel, int flags) 3635 { 3636 struct snl_writer nw; 3637 struct snl_errmsg_data e = {}; 3638 struct nlmsghdr *hdr; 3639 uint64_t del; 3640 uint32_t seq_id; 3641 int family_id; 3642 3643 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3644 if (family_id == 0) 3645 return (ENOTSUP); 3646 3647 snl_init_writer(&h->ss, &nw); 3648 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLR_ADDRS); 3649 3650 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3651 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3652 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3653 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3654 3655 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3656 return (ENXIO); 3657 3658 seq_id = hdr->nlmsg_seq; 3659 3660 if (!snl_send_message(&h->ss, hdr)) 3661 return (ENXIO); 3662 3663 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3664 if (!snl_parse_nlmsg(&h->ss, hdr, &clr_addrs_parser, &del)) 3665 continue; 3666 if (ndel) 3667 *ndel = (uint32_t)del; 3668 } 3669 3670 return (e.error); 3671 } 3672 3673