1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 34 #include <sys/ioctl.h> 35 #include <sys/nv.h> 36 #include <sys/queue.h> 37 #include <sys/types.h> 38 39 #include <net/if.h> 40 #include <net/pfvar.h> 41 #include <netinet/in.h> 42 43 #include <netpfil/pf/pf_nl.h> 44 #include <netlink/netlink.h> 45 #include <netlink/netlink_generic.h> 46 #include <netlink/netlink_snl.h> 47 #include <netlink/netlink_snl_generic.h> 48 #include <netlink/netlink_snl_route.h> 49 50 #include <assert.h> 51 #include <err.h> 52 #include <errno.h> 53 #include <fcntl.h> 54 #include <stdlib.h> 55 #include <string.h> 56 57 #include "libpfctl.h" 58 59 struct pfctl_handle { 60 int fd; 61 struct snl_state ss; 62 }; 63 64 const char* PFCTL_SYNCOOKIES_MODE_NAMES[] = { 65 "never", 66 "always", 67 "adaptive" 68 }; 69 70 static int _pfctl_clear_states(int , const struct pfctl_kill *, 71 unsigned int *, uint64_t); 72 73 struct pfctl_handle * 74 pfctl_open(const char *pf_device) 75 { 76 struct pfctl_handle *h; 77 78 h = calloc(1, sizeof(struct pfctl_handle)); 79 h->fd = -1; 80 81 h->fd = open(pf_device, O_RDWR); 82 if (h->fd < 0) 83 goto error; 84 85 if (!snl_init(&h->ss, NETLINK_GENERIC)) 86 goto error; 87 88 return (h); 89 error: 90 close(h->fd); 91 snl_free(&h->ss); 92 free(h); 93 94 return (NULL); 95 } 96 97 void 98 pfctl_close(struct pfctl_handle *h) 99 { 100 close(h->fd); 101 snl_free(&h->ss); 102 free(h); 103 } 104 105 int 106 pfctl_fd(struct pfctl_handle *h) 107 { 108 return (h->fd); 109 } 110 111 static int 112 pfctl_do_netlink_cmd(struct pfctl_handle *h, uint cmd) 113 { 114 struct snl_errmsg_data e = {}; 115 struct snl_writer nw; 116 struct nlmsghdr *hdr; 117 uint32_t seq_id; 118 int family_id; 119 120 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 121 if (family_id == 0) 122 return (ENOTSUP); 123 124 snl_init_writer(&h->ss, &nw); 125 hdr = snl_create_genl_msg_request(&nw, family_id, cmd); 126 127 hdr = snl_finalize_msg(&nw); 128 if (hdr == NULL) 129 return (ENOMEM); 130 seq_id = hdr->nlmsg_seq; 131 132 snl_send_message(&h->ss, hdr); 133 134 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 135 } 136 137 return (e.error); 138 } 139 140 static int 141 pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl) 142 { 143 struct pfioc_nv nv; 144 void *data; 145 size_t nvlen; 146 int ret; 147 148 data = nvlist_pack(*nvl, &nvlen); 149 if (nvlen > size) 150 size = nvlen; 151 152 retry: 153 nv.data = malloc(size); 154 if (nv.data == NULL) { 155 ret = ENOMEM; 156 goto out; 157 } 158 159 memcpy(nv.data, data, nvlen); 160 161 nv.len = nvlen; 162 nv.size = size; 163 164 ret = ioctl(dev, cmd, &nv); 165 if (ret == -1 && errno == ENOSPC) { 166 size *= 2; 167 free(nv.data); 168 goto retry; 169 } 170 171 nvlist_destroy(*nvl); 172 *nvl = NULL; 173 174 if (ret == 0) { 175 *nvl = nvlist_unpack(nv.data, nv.len, 0); 176 if (*nvl == NULL) { 177 ret = EIO; 178 goto out; 179 } 180 } else { 181 ret = errno; 182 } 183 184 out: 185 free(data); 186 free(nv.data); 187 188 return (ret); 189 } 190 191 static void 192 pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems, 193 uint8_t *numbers, size_t *nelems) 194 { 195 const uint64_t *tmp; 196 size_t elems; 197 198 tmp = nvlist_get_number_array(nvl, name, &elems); 199 assert(elems <= maxelems); 200 201 for (size_t i = 0; i < elems; i++) 202 numbers[i] = tmp[i]; 203 204 if (nelems) 205 *nelems = elems; 206 } 207 208 static void 209 pf_nvuint_16_array(const nvlist_t *nvl, const char *name, size_t maxelems, 210 uint16_t *numbers, size_t *nelems) 211 { 212 const uint64_t *tmp; 213 size_t elems; 214 215 tmp = nvlist_get_number_array(nvl, name, &elems); 216 assert(elems <= maxelems); 217 218 for (size_t i = 0; i < elems; i++) 219 numbers[i] = tmp[i]; 220 221 if (nelems) 222 *nelems = elems; 223 } 224 225 static void 226 pf_nvuint_32_array(const nvlist_t *nvl, const char *name, size_t maxelems, 227 uint32_t *numbers, size_t *nelems) 228 { 229 const uint64_t *tmp; 230 size_t elems; 231 232 tmp = nvlist_get_number_array(nvl, name, &elems); 233 234 for (size_t i = 0; i < elems && i < maxelems; i++) 235 numbers[i] = tmp[i]; 236 237 if (nelems) 238 *nelems = elems; 239 } 240 241 static void 242 pf_nvuint_64_array(const nvlist_t *nvl, const char *name, size_t maxelems, 243 uint64_t *numbers, size_t *nelems) 244 { 245 const uint64_t *tmp; 246 size_t elems; 247 248 tmp = nvlist_get_number_array(nvl, name, &elems); 249 assert(elems <= maxelems); 250 251 for (size_t i = 0; i < elems; i++) 252 numbers[i] = tmp[i]; 253 254 if (nelems) 255 *nelems = elems; 256 } 257 258 int 259 pfctl_startstop(struct pfctl_handle *h, int start) 260 { 261 return (pfctl_do_netlink_cmd(h, start ? PFNL_CMD_START : PFNL_CMD_STOP)); 262 } 263 264 static void 265 _pfctl_get_status_counters(const nvlist_t *nvl, 266 struct pfctl_status_counters *counters) 267 { 268 const uint64_t *ids, *counts; 269 const char *const *names; 270 size_t id_len, counter_len, names_len; 271 272 ids = nvlist_get_number_array(nvl, "ids", &id_len); 273 counts = nvlist_get_number_array(nvl, "counters", &counter_len); 274 names = nvlist_get_string_array(nvl, "names", &names_len); 275 assert(id_len == counter_len); 276 assert(counter_len == names_len); 277 278 TAILQ_INIT(counters); 279 280 for (size_t i = 0; i < id_len; i++) { 281 struct pfctl_status_counter *c; 282 283 c = malloc(sizeof(*c)); 284 if (c == NULL) 285 continue; 286 287 c->id = ids[i]; 288 c->counter = counts[i]; 289 c->name = strdup(names[i]); 290 291 TAILQ_INSERT_TAIL(counters, c, entry); 292 } 293 } 294 295 #define _OUT(_field) offsetof(struct pfctl_status_counter, _field) 296 static const struct snl_attr_parser ap_counter[] = { 297 { .type = PF_C_COUNTER, .off = _OUT(counter), .cb = snl_attr_get_uint64 }, 298 { .type = PF_C_NAME, .off = _OUT(name), .cb = snl_attr_get_string }, 299 { .type = PF_C_ID, .off = _OUT(id), .cb = snl_attr_get_uint32 }, 300 }; 301 SNL_DECLARE_ATTR_PARSER(counter_parser, ap_counter); 302 #undef _OUT 303 304 static bool 305 snl_attr_get_counters(struct snl_state *ss, struct nlattr *nla, 306 const void *arg __unused, void *target) 307 { 308 struct pfctl_status_counter counter = {}; 309 struct pfctl_status_counter *c; 310 bool error; 311 312 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &counter_parser, &counter); 313 if (! error) 314 return (error); 315 316 c = malloc(sizeof(*c)); 317 if (c == NULL) 318 return (false); 319 320 c->id = counter.id; 321 c->counter = counter.counter; 322 c->name = strdup(counter.name); 323 324 TAILQ_INSERT_TAIL((struct pfctl_status_counters *)target, c, entry); 325 326 return (error); 327 } 328 329 struct snl_uint64_array { 330 uint64_t *array; 331 size_t count; 332 size_t max; 333 }; 334 static bool 335 snl_attr_get_uint64_element(struct snl_state *ss, struct nlattr *nla, 336 const void *arg, void *target) 337 { 338 bool error; 339 uint64_t value; 340 struct snl_uint64_array *t = (struct snl_uint64_array *)target; 341 342 if (t->count >= t->max) 343 return (false); 344 345 error = snl_attr_get_uint64(ss, nla, arg, &value); 346 if (! error) 347 return (error); 348 349 t->array[t->count++] = value; 350 351 return (true); 352 } 353 354 static const struct snl_attr_parser ap_array[] = { 355 { .cb = snl_attr_get_uint64_element }, 356 }; 357 SNL_DECLARE_ATTR_PARSER(array_parser, ap_array); 358 static bool 359 snl_attr_get_uint64_array(struct snl_state *ss, struct nlattr *nla, 360 const void *arg, void *target) 361 { 362 struct snl_uint64_array a = { 363 .array = target, 364 .count = 0, 365 .max = (size_t)arg, 366 }; 367 bool error; 368 369 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &array_parser, &a); 370 if (! error) 371 return (error); 372 373 return (true); 374 } 375 376 #define _OUT(_field) offsetof(struct pfctl_status, _field) 377 static const struct snl_attr_parser ap_getstatus[] = { 378 { .type = PF_GS_IFNAME, .off = _OUT(ifname), .arg_u32 = IFNAMSIZ, .cb = snl_attr_copy_string }, 379 { .type = PF_GS_RUNNING, .off = _OUT(running), .cb = snl_attr_get_bool }, 380 { .type = PF_GS_SINCE, .off = _OUT(since), .cb = snl_attr_get_uint32 }, 381 { .type = PF_GS_DEBUG, .off = _OUT(debug), .cb = snl_attr_get_uint32 }, 382 { .type = PF_GS_HOSTID, .off = _OUT(hostid), .cb = snl_attr_get_uint32 }, 383 { .type = PF_GS_STATES, .off = _OUT(states), .cb = snl_attr_get_uint32 }, 384 { .type = PF_GS_SRC_NODES, .off = _OUT(src_nodes), .cb = snl_attr_get_uint32 }, 385 { .type = PF_GS_REASSEMBLE, .off = _OUT(reass), .cb = snl_attr_get_uint32 }, 386 { .type = PF_GS_SYNCOOKIES_ACTIVE, .off = _OUT(syncookies_active), .cb = snl_attr_get_uint32 }, 387 { .type = PF_GS_COUNTERS, .off = _OUT(counters), .cb = snl_attr_get_counters }, 388 { .type = PF_GS_LCOUNTERS, .off = _OUT(lcounters), .cb = snl_attr_get_counters }, 389 { .type = PF_GS_FCOUNTERS, .off = _OUT(fcounters), .cb = snl_attr_get_counters }, 390 { .type = PF_GS_SCOUNTERS, .off = _OUT(scounters), .cb = snl_attr_get_counters }, 391 { .type = PF_GS_CHKSUM, .off = _OUT(pf_chksum), .arg_u32 = PF_MD5_DIGEST_LENGTH, .cb = snl_attr_get_bytes }, 392 { .type = PF_GS_BCOUNTERS, .off = _OUT(bcounters), .arg_u32 = 2 * 2, .cb = snl_attr_get_uint64_array }, 393 { .type = PF_GS_PCOUNTERS, .off = _OUT(pcounters), .arg_u32 = 2 * 2 * 2, .cb = snl_attr_get_uint64_array }, 394 { .type = PF_GS_NCOUNTERS, .off = _OUT(ncounters), .cb = snl_attr_get_counters }, 395 { .type = PF_GS_FRAGMENTS, .off = _OUT(fragments), .cb = snl_attr_get_uint64 }, 396 }; 397 SNL_DECLARE_PARSER(getstatus_parser, struct genlmsghdr, snl_f_p_empty, ap_getstatus); 398 #undef _OUT 399 400 struct pfctl_status * 401 pfctl_get_status_h(struct pfctl_handle *h) 402 { 403 struct pfctl_status *status; 404 struct snl_errmsg_data e = {}; 405 struct nlmsghdr *hdr; 406 struct snl_writer nw; 407 uint32_t seq_id; 408 int family_id; 409 410 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 411 if (family_id == 0) 412 return (NULL); 413 414 snl_init_writer(&h->ss, &nw); 415 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_STATUS); 416 hdr->nlmsg_flags |= NLM_F_DUMP; 417 418 hdr = snl_finalize_msg(&nw); 419 if (hdr == NULL) { 420 return (NULL); 421 } 422 423 seq_id = hdr->nlmsg_seq; 424 if (! snl_send_message(&h->ss, hdr)) 425 return (NULL); 426 427 status = calloc(1, sizeof(*status)); 428 if (status == NULL) 429 return (NULL); 430 TAILQ_INIT(&status->counters); 431 TAILQ_INIT(&status->lcounters); 432 TAILQ_INIT(&status->fcounters); 433 TAILQ_INIT(&status->scounters); 434 TAILQ_INIT(&status->ncounters); 435 436 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 437 if (! snl_parse_nlmsg(&h->ss, hdr, &getstatus_parser, status)) 438 continue; 439 } 440 441 return (status); 442 } 443 444 struct pfctl_status * 445 pfctl_get_status(int dev) 446 { 447 struct pfctl_status *status; 448 nvlist_t *nvl; 449 size_t len; 450 const void *chksum; 451 452 status = calloc(1, sizeof(*status)); 453 if (status == NULL) 454 return (NULL); 455 456 nvl = nvlist_create(0); 457 458 if (pfctl_do_ioctl(dev, DIOCGETSTATUSNV, 4096, &nvl)) { 459 nvlist_destroy(nvl); 460 free(status); 461 return (NULL); 462 } 463 464 status->running = nvlist_get_bool(nvl, "running"); 465 status->since = nvlist_get_number(nvl, "since"); 466 status->debug = nvlist_get_number(nvl, "debug"); 467 status->hostid = ntohl(nvlist_get_number(nvl, "hostid")); 468 status->states = nvlist_get_number(nvl, "states"); 469 status->src_nodes = nvlist_get_number(nvl, "src_nodes"); 470 status->syncookies_active = nvlist_get_bool(nvl, "syncookies_active"); 471 status->reass = nvlist_get_number(nvl, "reass"); 472 473 strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"), 474 IFNAMSIZ); 475 chksum = nvlist_get_binary(nvl, "chksum", &len); 476 assert(len == PF_MD5_DIGEST_LENGTH); 477 memcpy(status->pf_chksum, chksum, len); 478 479 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "counters"), 480 &status->counters); 481 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "lcounters"), 482 &status->lcounters); 483 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "fcounters"), 484 &status->fcounters); 485 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "scounters"), 486 &status->scounters); 487 488 pf_nvuint_64_array(nvl, "pcounters", 2 * 2 * 2, 489 (uint64_t *)status->pcounters, NULL); 490 pf_nvuint_64_array(nvl, "bcounters", 2 * 2, 491 (uint64_t *)status->bcounters, NULL); 492 493 nvlist_destroy(nvl); 494 495 return (status); 496 } 497 int 498 pfctl_clear_status(struct pfctl_handle *h) 499 { 500 return (pfctl_do_netlink_cmd(h, PFNL_CMD_CLEAR_STATUS)); 501 } 502 503 static uint64_t 504 _pfctl_status_counter(struct pfctl_status_counters *counters, uint64_t id) 505 { 506 struct pfctl_status_counter *c; 507 508 TAILQ_FOREACH(c, counters, entry) { 509 if (c->id == id) 510 return (c->counter); 511 } 512 513 return (0); 514 } 515 516 uint64_t 517 pfctl_status_counter(struct pfctl_status *status, int id) 518 { 519 return (_pfctl_status_counter(&status->counters, id)); 520 } 521 522 uint64_t 523 pfctl_status_lcounter(struct pfctl_status *status, int id) 524 { 525 return (_pfctl_status_counter(&status->lcounters, id)); 526 } 527 528 uint64_t 529 pfctl_status_fcounter(struct pfctl_status *status, int id) 530 { 531 return (_pfctl_status_counter(&status->fcounters, id)); 532 } 533 534 uint64_t 535 pfctl_status_scounter(struct pfctl_status *status, int id) 536 { 537 return (_pfctl_status_counter(&status->scounters, id)); 538 } 539 540 void 541 pfctl_free_status(struct pfctl_status *status) 542 { 543 struct pfctl_status_counter *c, *tmp; 544 545 if (status == NULL) 546 return; 547 548 TAILQ_FOREACH_SAFE(c, &status->counters, entry, tmp) { 549 free(c->name); 550 free(c); 551 } 552 TAILQ_FOREACH_SAFE(c, &status->lcounters, entry, tmp) { 553 free(c->name); 554 free(c); 555 } 556 TAILQ_FOREACH_SAFE(c, &status->fcounters, entry, tmp) { 557 free(c->name); 558 free(c); 559 } 560 TAILQ_FOREACH_SAFE(c, &status->scounters, entry, tmp) { 561 free(c->name); 562 free(c); 563 } 564 TAILQ_FOREACH_SAFE(c, &status->ncounters, entry, tmp) { 565 free(c->name); 566 free(c); 567 } 568 569 free(status); 570 } 571 572 static void 573 pfctl_nv_add_addr(nvlist_t *nvparent, const char *name, 574 const struct pf_addr *addr) 575 { 576 nvlist_t *nvl = nvlist_create(0); 577 578 nvlist_add_binary(nvl, "addr", addr, sizeof(*addr)); 579 580 nvlist_add_nvlist(nvparent, name, nvl); 581 nvlist_destroy(nvl); 582 } 583 584 static void 585 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr) 586 { 587 size_t len; 588 const void *data; 589 590 data = nvlist_get_binary(nvl, "addr", &len); 591 assert(len == sizeof(struct pf_addr)); 592 memcpy(addr, data, len); 593 } 594 595 static void 596 pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, 597 const struct pf_addr_wrap *addr) 598 { 599 nvlist_t *nvl = nvlist_create(0); 600 601 nvlist_add_number(nvl, "type", addr->type); 602 nvlist_add_number(nvl, "iflags", addr->iflags); 603 if (addr->type == PF_ADDR_DYNIFTL) 604 nvlist_add_string(nvl, "ifname", addr->v.ifname); 605 if (addr->type == PF_ADDR_TABLE) 606 nvlist_add_string(nvl, "tblname", addr->v.tblname); 607 pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); 608 pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); 609 610 nvlist_add_nvlist(nvparent, name, nvl); 611 nvlist_destroy(nvl); 612 } 613 614 static void 615 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr) 616 { 617 bzero(addr, sizeof(*addr)); 618 619 addr->type = nvlist_get_number(nvl, "type"); 620 addr->iflags = nvlist_get_number(nvl, "iflags"); 621 if (addr->type == PF_ADDR_DYNIFTL) { 622 strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"), 623 IFNAMSIZ); 624 addr->p.dyncnt = nvlist_get_number(nvl, "dyncnt"); 625 } 626 if (addr->type == PF_ADDR_TABLE) { 627 strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"), 628 PF_TABLE_NAME_SIZE); 629 addr->p.tblcnt = nvlist_get_number(nvl, "tblcnt"); 630 } 631 632 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr); 633 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask); 634 } 635 636 static void 637 pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name, 638 const struct pf_rule_addr *addr) 639 { 640 uint64_t ports[2]; 641 nvlist_t *nvl = nvlist_create(0); 642 643 pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr); 644 ports[0] = addr->port[0]; 645 ports[1] = addr->port[1]; 646 nvlist_add_number_array(nvl, "port", ports, 2); 647 nvlist_add_number(nvl, "neg", addr->neg); 648 nvlist_add_number(nvl, "port_op", addr->port_op); 649 650 nvlist_add_nvlist(nvparent, name, nvl); 651 nvlist_destroy(nvl); 652 } 653 654 static void 655 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr) 656 { 657 pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"), &addr->addr); 658 659 pf_nvuint_16_array(nvl, "port", 2, addr->port, NULL); 660 addr->neg = nvlist_get_number(nvl, "neg"); 661 addr->port_op = nvlist_get_number(nvl, "port_op"); 662 } 663 664 static void 665 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape) 666 { 667 mape->offset = nvlist_get_number(nvl, "offset"); 668 mape->psidlen = nvlist_get_number(nvl, "psidlen"); 669 mape->psid = nvlist_get_number(nvl, "psid"); 670 } 671 672 static void 673 pf_nvpool_to_pool(const nvlist_t *nvl, struct pfctl_pool *pool) 674 { 675 size_t len; 676 const void *data; 677 678 data = nvlist_get_binary(nvl, "key", &len); 679 assert(len == sizeof(pool->key)); 680 memcpy(&pool->key, data, len); 681 682 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"), &pool->counter); 683 684 pool->tblidx = nvlist_get_number(nvl, "tblidx"); 685 pf_nvuint_16_array(nvl, "proxy_port", 2, pool->proxy_port, NULL); 686 pool->opts = nvlist_get_number(nvl, "opts"); 687 688 if (nvlist_exists_nvlist(nvl, "mape")) 689 pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"), &pool->mape); 690 } 691 692 static void 693 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid) 694 { 695 pf_nvuint_32_array(nvl, "uid", 2, uid->uid, NULL); 696 uid->op = nvlist_get_number(nvl, "op"); 697 } 698 699 static void 700 pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule) 701 { 702 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr); 703 rule->divert.port = nvlist_get_number(nvl, "port"); 704 } 705 706 static void 707 pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule) 708 { 709 const uint64_t *skip; 710 const char *const *labels; 711 size_t skipcount, labelcount; 712 713 rule->nr = nvlist_get_number(nvl, "nr"); 714 715 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"), &rule->src); 716 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &rule->dst); 717 718 skip = nvlist_get_number_array(nvl, "skip", &skipcount); 719 assert(skip); 720 assert(skipcount == PF_SKIP_COUNT); 721 for (int i = 0; i < PF_SKIP_COUNT; i++) 722 rule->skip[i].nr = skip[i]; 723 724 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 725 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 726 for (size_t i = 0; i < labelcount; i++) 727 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 728 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 729 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 730 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 731 strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE); 732 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 733 PF_TAG_NAME_SIZE); 734 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 735 PF_TAG_NAME_SIZE); 736 737 strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"), 738 PF_TABLE_NAME_SIZE); 739 740 pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rdr); 741 742 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 743 pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL); 744 pf_nvuint_64_array(nvl, "bytes", 2, rule->bytes, NULL); 745 746 if (nvlist_exists_number(nvl, "timestamp")) { 747 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 748 } 749 750 rule->os_fingerprint = nvlist_get_number(nvl, "os_fingerprint"); 751 752 rule->rtableid = nvlist_get_number(nvl, "rtableid"); 753 pf_nvuint_32_array(nvl, "timeout", PFTM_MAX, rule->timeout, NULL); 754 rule->max_states = nvlist_get_number(nvl, "max_states"); 755 rule->max_src_nodes = nvlist_get_number(nvl, "max_src_nodes"); 756 rule->max_src_states = nvlist_get_number(nvl, "max_src_states"); 757 rule->max_src_conn = nvlist_get_number(nvl, "max_src_conn"); 758 rule->max_src_conn_rate.limit = 759 nvlist_get_number(nvl, "max_src_conn_rate.limit"); 760 rule->max_src_conn_rate.seconds = 761 nvlist_get_number(nvl, "max_src_conn_rate.seconds"); 762 rule->qid = nvlist_get_number(nvl, "qid"); 763 rule->pqid = nvlist_get_number(nvl, "pqid"); 764 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 765 rule->dnrpipe = nvlist_get_number(nvl, "dnrpipe"); 766 rule->free_flags = nvlist_get_number(nvl, "dnflags"); 767 rule->prob = nvlist_get_number(nvl, "prob"); 768 rule->cuid = nvlist_get_number(nvl, "cuid"); 769 rule->cpid = nvlist_get_number(nvl, "cpid"); 770 771 rule->return_icmp = nvlist_get_number(nvl, "return_icmp"); 772 rule->return_icmp6 = nvlist_get_number(nvl, "return_icmp6"); 773 rule->max_mss = nvlist_get_number(nvl, "max_mss"); 774 rule->scrub_flags = nvlist_get_number(nvl, "scrub_flags"); 775 776 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"), &rule->uid); 777 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "gid"), 778 (struct pf_rule_uid *)&rule->gid); 779 780 rule->rule_flag = nvlist_get_number(nvl, "rule_flag"); 781 rule->action = nvlist_get_number(nvl, "action"); 782 rule->direction = nvlist_get_number(nvl, "direction"); 783 rule->log = nvlist_get_number(nvl, "log"); 784 rule->logif = nvlist_get_number(nvl, "logif"); 785 rule->quick = nvlist_get_number(nvl, "quick"); 786 rule->ifnot = nvlist_get_number(nvl, "ifnot"); 787 rule->match_tag_not = nvlist_get_number(nvl, "match_tag_not"); 788 rule->natpass = nvlist_get_number(nvl, "natpass"); 789 790 rule->keep_state = nvlist_get_number(nvl, "keep_state"); 791 rule->af = nvlist_get_number(nvl, "af"); 792 rule->proto = nvlist_get_number(nvl, "proto"); 793 rule->type = nvlist_get_number(nvl, "type"); 794 rule->code = nvlist_get_number(nvl, "code"); 795 rule->flags = nvlist_get_number(nvl, "flags"); 796 rule->flagset = nvlist_get_number(nvl, "flagset"); 797 rule->min_ttl = nvlist_get_number(nvl, "min_ttl"); 798 rule->allow_opts = nvlist_get_number(nvl, "allow_opts"); 799 rule->rt = nvlist_get_number(nvl, "rt"); 800 rule->return_ttl = nvlist_get_number(nvl, "return_ttl"); 801 rule->tos = nvlist_get_number(nvl, "tos"); 802 rule->set_tos = nvlist_get_number(nvl, "set_tos"); 803 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 804 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 805 806 rule->flush = nvlist_get_number(nvl, "flush"); 807 rule->prio = nvlist_get_number(nvl, "prio"); 808 pf_nvuint_8_array(nvl, "set_prio", 2, rule->set_prio, NULL); 809 810 pf_nvdivert_to_divert(nvlist_get_nvlist(nvl, "divert"), rule); 811 812 rule->states_cur = nvlist_get_number(nvl, "states_cur"); 813 rule->states_tot = nvlist_get_number(nvl, "states_tot"); 814 rule->src_nodes = nvlist_get_number(nvl, "src_nodes"); 815 } 816 817 static void 818 pfctl_nveth_addr_to_eth_addr(const nvlist_t *nvl, struct pfctl_eth_addr *addr) 819 { 820 static const u_int8_t EMPTY_MAC[ETHER_ADDR_LEN] = { 0 }; 821 size_t len; 822 const void *data; 823 824 data = nvlist_get_binary(nvl, "addr", &len); 825 assert(len == sizeof(addr->addr)); 826 memcpy(addr->addr, data, sizeof(addr->addr)); 827 828 data = nvlist_get_binary(nvl, "mask", &len); 829 assert(len == sizeof(addr->mask)); 830 memcpy(addr->mask, data, sizeof(addr->mask)); 831 832 addr->neg = nvlist_get_bool(nvl, "neg"); 833 834 /* To make checks for 'is this address set?' easier. */ 835 addr->isset = memcmp(addr->addr, EMPTY_MAC, ETHER_ADDR_LEN) != 0; 836 } 837 838 static nvlist_t * 839 pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr *addr) 840 { 841 nvlist_t *nvl; 842 843 nvl = nvlist_create(0); 844 if (nvl == NULL) 845 return (NULL); 846 847 nvlist_add_bool(nvl, "neg", addr->neg); 848 nvlist_add_binary(nvl, "addr", &addr->addr, ETHER_ADDR_LEN); 849 nvlist_add_binary(nvl, "mask", &addr->mask, ETHER_ADDR_LEN); 850 851 return (nvl); 852 } 853 854 static void 855 pfctl_nveth_rule_to_eth_rule(const nvlist_t *nvl, struct pfctl_eth_rule *rule) 856 { 857 const char *const *labels; 858 size_t labelcount, i; 859 860 rule->nr = nvlist_get_number(nvl, "nr"); 861 rule->quick = nvlist_get_bool(nvl, "quick"); 862 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 863 rule->ifnot = nvlist_get_bool(nvl, "ifnot"); 864 rule->direction = nvlist_get_number(nvl, "direction"); 865 rule->proto = nvlist_get_number(nvl, "proto"); 866 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 867 PF_TAG_NAME_SIZE); 868 rule->match_tag = nvlist_get_number(nvl, "match_tag"); 869 rule->match_tag_not = nvlist_get_bool(nvl, "match_tag_not"); 870 871 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 872 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 873 for (i = 0; i < labelcount; i++) 874 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 875 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 876 877 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "src"), 878 &rule->src); 879 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "dst"), 880 &rule->dst); 881 882 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipsrc"), 883 &rule->ipsrc); 884 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipdst"), 885 &rule->ipdst); 886 887 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 888 rule->packets[0] = nvlist_get_number(nvl, "packets-in"); 889 rule->packets[1] = nvlist_get_number(nvl, "packets-out"); 890 rule->bytes[0] = nvlist_get_number(nvl, "bytes-in"); 891 rule->bytes[1] = nvlist_get_number(nvl, "bytes-out"); 892 893 if (nvlist_exists_number(nvl, "timestamp")) { 894 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 895 } 896 897 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 898 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 899 PF_TAG_NAME_SIZE); 900 901 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 902 rule->dnflags = nvlist_get_number(nvl, "dnflags"); 903 904 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 905 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 906 907 strlcpy(rule->bridge_to, nvlist_get_string(nvl, "bridge_to"), 908 IFNAMSIZ); 909 910 rule->action = nvlist_get_number(nvl, "action"); 911 } 912 913 int 914 pfctl_get_eth_rulesets_info(int dev, struct pfctl_eth_rulesets_info *ri, 915 const char *path) 916 { 917 nvlist_t *nvl; 918 int ret; 919 920 bzero(ri, sizeof(*ri)); 921 922 nvl = nvlist_create(0); 923 nvlist_add_string(nvl, "path", path); 924 925 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESETS, 256, &nvl)) != 0) 926 goto out; 927 928 ri->nr = nvlist_get_number(nvl, "nr"); 929 930 out: 931 nvlist_destroy(nvl); 932 return (ret); 933 } 934 935 int 936 pfctl_get_eth_ruleset(int dev, const char *path, int nr, 937 struct pfctl_eth_ruleset_info *ri) 938 { 939 nvlist_t *nvl; 940 int ret; 941 942 bzero(ri, sizeof(*ri)); 943 944 nvl = nvlist_create(0); 945 nvlist_add_string(nvl, "path", path); 946 nvlist_add_number(nvl, "nr", nr); 947 948 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESET, 1024, &nvl)) != 0) 949 goto out; 950 951 ri->nr = nvlist_get_number(nvl, "nr"); 952 strlcpy(ri->path, nvlist_get_string(nvl, "path"), MAXPATHLEN); 953 strlcpy(ri->name, nvlist_get_string(nvl, "name"), 954 PF_ANCHOR_NAME_SIZE); 955 956 out: 957 nvlist_destroy(nvl); 958 return (ret); 959 } 960 961 int 962 pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 963 const char *path) 964 { 965 nvlist_t *nvl; 966 int ret; 967 968 bzero(rules, sizeof(*rules)); 969 970 nvl = nvlist_create(0); 971 nvlist_add_string(nvl, "anchor", path); 972 973 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULES, 1024, &nvl)) != 0) 974 goto out; 975 976 rules->nr = nvlist_get_number(nvl, "nr"); 977 rules->ticket = nvlist_get_number(nvl, "ticket"); 978 979 out: 980 nvlist_destroy(nvl); 981 return (ret); 982 } 983 984 int 985 pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 986 const char *path, struct pfctl_eth_rule *rule, bool clear, 987 char *anchor_call) 988 { 989 nvlist_t *nvl; 990 int ret; 991 992 nvl = nvlist_create(0); 993 994 nvlist_add_string(nvl, "anchor", path); 995 nvlist_add_number(nvl, "ticket", ticket); 996 nvlist_add_number(nvl, "nr", nr); 997 nvlist_add_bool(nvl, "clear", clear); 998 999 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULE, 4096, &nvl)) != 0) 1000 goto out; 1001 1002 pfctl_nveth_rule_to_eth_rule(nvl, rule); 1003 1004 if (anchor_call) 1005 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 1006 MAXPATHLEN); 1007 1008 out: 1009 nvlist_destroy(nvl); 1010 return (ret); 1011 } 1012 1013 int 1014 pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, const char *anchor, 1015 const char *anchor_call, uint32_t ticket) 1016 { 1017 struct pfioc_nv nv; 1018 nvlist_t *nvl, *addr; 1019 void *packed; 1020 int error = 0; 1021 size_t labelcount, size; 1022 1023 nvl = nvlist_create(0); 1024 1025 nvlist_add_number(nvl, "ticket", ticket); 1026 nvlist_add_string(nvl, "anchor", anchor); 1027 nvlist_add_string(nvl, "anchor_call", anchor_call); 1028 1029 nvlist_add_number(nvl, "nr", r->nr); 1030 nvlist_add_bool(nvl, "quick", r->quick); 1031 nvlist_add_string(nvl, "ifname", r->ifname); 1032 nvlist_add_bool(nvl, "ifnot", r->ifnot); 1033 nvlist_add_number(nvl, "direction", r->direction); 1034 nvlist_add_number(nvl, "proto", r->proto); 1035 nvlist_add_string(nvl, "match_tagname", r->match_tagname); 1036 nvlist_add_bool(nvl, "match_tag_not", r->match_tag_not); 1037 1038 addr = pfctl_eth_addr_to_nveth_addr(&r->src); 1039 if (addr == NULL) { 1040 nvlist_destroy(nvl); 1041 return (ENOMEM); 1042 } 1043 nvlist_add_nvlist(nvl, "src", addr); 1044 nvlist_destroy(addr); 1045 1046 addr = pfctl_eth_addr_to_nveth_addr(&r->dst); 1047 if (addr == NULL) { 1048 nvlist_destroy(nvl); 1049 return (ENOMEM); 1050 } 1051 nvlist_add_nvlist(nvl, "dst", addr); 1052 nvlist_destroy(addr); 1053 1054 pfctl_nv_add_rule_addr(nvl, "ipsrc", &r->ipsrc); 1055 pfctl_nv_add_rule_addr(nvl, "ipdst", &r->ipdst); 1056 1057 labelcount = 0; 1058 while (labelcount < PF_RULE_MAX_LABEL_COUNT && 1059 r->label[labelcount][0] != 0) { 1060 nvlist_append_string_array(nvl, "labels", 1061 r->label[labelcount]); 1062 labelcount++; 1063 } 1064 nvlist_add_number(nvl, "ridentifier", r->ridentifier); 1065 1066 nvlist_add_string(nvl, "qname", r->qname); 1067 nvlist_add_string(nvl, "tagname", r->tagname); 1068 nvlist_add_number(nvl, "dnpipe", r->dnpipe); 1069 nvlist_add_number(nvl, "dnflags", r->dnflags); 1070 1071 nvlist_add_string(nvl, "bridge_to", r->bridge_to); 1072 1073 nvlist_add_number(nvl, "action", r->action); 1074 1075 packed = nvlist_pack(nvl, &size); 1076 if (packed == NULL) { 1077 nvlist_destroy(nvl); 1078 return (ENOMEM); 1079 } 1080 1081 nv.len = size; 1082 nv.size = size; 1083 nv.data = packed; 1084 1085 if (ioctl(dev, DIOCADDETHRULE, &nv) != 0) 1086 error = errno; 1087 1088 free(packed); 1089 nvlist_destroy(nvl); 1090 1091 return (error); 1092 } 1093 1094 static void 1095 snl_add_msg_attr_addr_wrap(struct snl_writer *nw, uint32_t type, const struct pf_addr_wrap *addr) 1096 { 1097 int off; 1098 1099 off = snl_add_msg_attr_nested(nw, type); 1100 1101 snl_add_msg_attr_ip6(nw, PF_AT_ADDR, &addr->v.a.addr.v6); 1102 snl_add_msg_attr_ip6(nw, PF_AT_MASK, &addr->v.a.mask.v6); 1103 1104 if (addr->type == PF_ADDR_DYNIFTL) 1105 snl_add_msg_attr_string(nw, PF_AT_IFNAME, addr->v.ifname); 1106 if (addr->type == PF_ADDR_TABLE) 1107 snl_add_msg_attr_string(nw, PF_AT_TABLENAME, addr->v.tblname); 1108 snl_add_msg_attr_u8(nw, PF_AT_TYPE, addr->type); 1109 snl_add_msg_attr_u8(nw, PF_AT_IFLAGS, addr->iflags); 1110 1111 snl_end_attr_nested(nw, off); 1112 } 1113 1114 static void 1115 snl_add_msg_attr_pool_addr(struct snl_writer *nw, uint32_t type, const struct pf_pooladdr *pa) 1116 { 1117 int off; 1118 1119 off = snl_add_msg_attr_nested(nw, type); 1120 1121 snl_add_msg_attr_string(nw, PF_PA_IFNAME, pa->ifname); 1122 snl_add_msg_attr_addr_wrap(nw, PF_PA_ADDR, &pa->addr); 1123 1124 snl_end_attr_nested(nw, off); 1125 } 1126 1127 static void 1128 snl_add_msg_attr_rule_addr(struct snl_writer *nw, uint32_t type, const struct pf_rule_addr *addr) 1129 { 1130 int off; 1131 1132 off = snl_add_msg_attr_nested(nw, type); 1133 1134 snl_add_msg_attr_addr_wrap(nw, PF_RAT_ADDR, &addr->addr); 1135 snl_add_msg_attr_u16(nw, PF_RAT_SRC_PORT, addr->port[0]); 1136 snl_add_msg_attr_u16(nw, PF_RAT_DST_PORT, addr->port[1]); 1137 snl_add_msg_attr_u8(nw, PF_RAT_NEG, addr->neg); 1138 snl_add_msg_attr_u8(nw, PF_RAT_OP, addr->port_op); 1139 1140 snl_end_attr_nested(nw, off); 1141 } 1142 1143 static void 1144 snl_add_msg_attr_rule_labels(struct snl_writer *nw, uint32_t type, const char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]) 1145 { 1146 int off, i = 0; 1147 1148 off = snl_add_msg_attr_nested(nw, type); 1149 1150 while (i < PF_RULE_MAX_LABEL_COUNT && 1151 labels[i][0] != 0) { 1152 snl_add_msg_attr_string(nw, PF_LT_LABEL, labels[i]); 1153 i++; 1154 } 1155 1156 snl_end_attr_nested(nw, off); 1157 } 1158 1159 static void 1160 snl_add_msg_attr_mape(struct snl_writer *nw, uint32_t type, const struct pf_mape_portset *me) 1161 { 1162 int off; 1163 1164 off = snl_add_msg_attr_nested(nw, type); 1165 1166 snl_add_msg_attr_u8(nw, PF_MET_OFFSET, me->offset); 1167 snl_add_msg_attr_u8(nw, PF_MET_PSID_LEN, me->psidlen); 1168 snl_add_msg_attr_u16(nw, PF_MET_PSID, me->psid); 1169 1170 snl_end_attr_nested(nw, off); 1171 } 1172 1173 static void 1174 snl_add_msg_attr_rpool(struct snl_writer *nw, uint32_t type, const struct pfctl_pool *pool) 1175 { 1176 int off; 1177 1178 off = snl_add_msg_attr_nested(nw, type); 1179 1180 snl_add_msg_attr(nw, PF_PT_KEY, sizeof(pool->key), &pool->key); 1181 snl_add_msg_attr_ip6(nw, PF_PT_COUNTER, &pool->counter.v6); 1182 snl_add_msg_attr_u32(nw, PF_PT_TBLIDX, pool->tblidx); 1183 snl_add_msg_attr_u16(nw, PF_PT_PROXY_SRC_PORT, pool->proxy_port[0]); 1184 snl_add_msg_attr_u16(nw, PF_PT_PROXY_DST_PORT, pool->proxy_port[1]); 1185 snl_add_msg_attr_u8(nw, PF_PT_OPTS, pool->opts); 1186 snl_add_msg_attr_mape(nw, PF_PT_MAPE, &pool->mape); 1187 1188 snl_end_attr_nested(nw, off); 1189 } 1190 1191 static void 1192 snl_add_msg_attr_timeouts(struct snl_writer *nw, uint32_t type, const uint32_t *timeouts) 1193 { 1194 int off; 1195 1196 off = snl_add_msg_attr_nested(nw, type); 1197 1198 for (int i = 0; i < PFTM_MAX; i++) 1199 snl_add_msg_attr_u32(nw, PF_TT_TIMEOUT, timeouts[i]); 1200 1201 snl_end_attr_nested(nw, off); 1202 } 1203 1204 static void 1205 snl_add_msg_attr_uid(struct snl_writer *nw, uint32_t type, const struct pf_rule_uid *uid) 1206 { 1207 int off; 1208 1209 off = snl_add_msg_attr_nested(nw, type); 1210 1211 snl_add_msg_attr_u32(nw, PF_RUT_UID_LOW, uid->uid[0]); 1212 snl_add_msg_attr_u32(nw, PF_RUT_UID_HIGH, uid->uid[1]); 1213 snl_add_msg_attr_u8(nw, PF_RUT_OP, uid->op); 1214 1215 snl_end_attr_nested(nw, off); 1216 } 1217 1218 static void 1219 snl_add_msg_attr_threshold(struct snl_writer *nw, uint32_t type, const struct pfctl_threshold *th) 1220 { 1221 int off; 1222 1223 off = snl_add_msg_attr_nested(nw, type); 1224 1225 snl_add_msg_attr_u32(nw, PF_TH_LIMIT, th->limit); 1226 snl_add_msg_attr_u32(nw, PF_TH_SECONDS, th->seconds); 1227 1228 snl_end_attr_nested(nw, off); 1229 } 1230 1231 static void 1232 snl_add_msg_attr_pf_rule(struct snl_writer *nw, uint32_t type, const struct pfctl_rule *r) 1233 { 1234 int off; 1235 1236 off = snl_add_msg_attr_nested(nw, type); 1237 1238 snl_add_msg_attr_rule_addr(nw, PF_RT_SRC, &r->src); 1239 snl_add_msg_attr_rule_addr(nw, PF_RT_DST, &r->dst); 1240 snl_add_msg_attr_rule_labels(nw, PF_RT_LABELS, r->label); 1241 snl_add_msg_attr_u32(nw, PF_RT_RIDENTIFIER, r->ridentifier); 1242 snl_add_msg_attr_string(nw, PF_RT_IFNAME, r->ifname); 1243 snl_add_msg_attr_string(nw, PF_RT_QNAME, r->qname); 1244 snl_add_msg_attr_string(nw, PF_RT_PQNAME, r->pqname); 1245 snl_add_msg_attr_string(nw, PF_RT_TAGNAME, r->tagname); 1246 snl_add_msg_attr_string(nw, PF_RT_MATCH_TAGNAME, r->match_tagname); 1247 snl_add_msg_attr_string(nw, PF_RT_OVERLOAD_TBLNAME, r->overload_tblname); 1248 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_RDR, &r->rdr); 1249 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_NAT, &r->nat); 1250 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL_RT, &r->route); 1251 snl_add_msg_attr_threshold(nw, PF_RT_PKTRATE, &r->pktrate); 1252 snl_add_msg_attr_u32(nw, PF_RT_OS_FINGERPRINT, r->os_fingerprint); 1253 snl_add_msg_attr_u32(nw, PF_RT_RTABLEID, r->rtableid); 1254 snl_add_msg_attr_timeouts(nw, PF_RT_TIMEOUT, r->timeout); 1255 snl_add_msg_attr_u32(nw, PF_RT_MAX_STATES, r->max_states); 1256 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_NODES, r->max_src_nodes); 1257 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_STATES, r->max_src_states); 1258 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN, r->max_src_conn); 1259 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_LIMIT, r->max_src_conn_rate.limit); 1260 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_SECS, r->max_src_conn_rate.seconds); 1261 snl_add_msg_attr_u16(nw, PF_RT_MAX_PKT_SIZE, r->max_pkt_size); 1262 1263 snl_add_msg_attr_u16(nw, PF_RT_DNPIPE, r->dnpipe); 1264 snl_add_msg_attr_u16(nw, PF_RT_DNRPIPE, r->dnrpipe); 1265 snl_add_msg_attr_u32(nw, PF_RT_DNFLAGS, r->free_flags); 1266 1267 snl_add_msg_attr_u32(nw, PF_RT_NR, r->nr); 1268 snl_add_msg_attr_u32(nw, PF_RT_PROB, r->prob); 1269 snl_add_msg_attr_u32(nw, PF_RT_CUID, r->cuid); 1270 snl_add_msg_attr_u32(nw, PF_RT_CPID, r->cpid); 1271 1272 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP, r->return_icmp); 1273 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP6, r->return_icmp6); 1274 snl_add_msg_attr_u16(nw, PF_RT_MAX_MSS, r->max_mss); 1275 snl_add_msg_attr_u16(nw, PF_RT_SCRUB_FLAGS, r->scrub_flags); 1276 1277 snl_add_msg_attr_uid(nw, PF_RT_UID, &r->uid); 1278 snl_add_msg_attr_uid(nw, PF_RT_GID, (const struct pf_rule_uid *)&r->gid); 1279 snl_add_msg_attr_string(nw, PF_RT_RCV_IFNAME, r->rcv_ifname); 1280 snl_add_msg_attr_bool(nw, PF_RT_RCV_IFNOT, r->rcvifnot); 1281 1282 snl_add_msg_attr_u32(nw, PF_RT_RULE_FLAG, r->rule_flag); 1283 snl_add_msg_attr_u8(nw, PF_RT_ACTION, r->action); 1284 snl_add_msg_attr_u8(nw, PF_RT_DIRECTION, r->direction); 1285 snl_add_msg_attr_u8(nw, PF_RT_LOG, r->log); 1286 snl_add_msg_attr_u8(nw, PF_RT_LOGIF, r->logif); 1287 snl_add_msg_attr_u8(nw, PF_RT_QUICK, r->quick); 1288 snl_add_msg_attr_u8(nw, PF_RT_IF_NOT, r->ifnot); 1289 snl_add_msg_attr_u8(nw, PF_RT_MATCH_TAG_NOT, r->match_tag_not); 1290 snl_add_msg_attr_u8(nw, PF_RT_NATPASS, r->natpass); 1291 snl_add_msg_attr_u8(nw, PF_RT_KEEP_STATE, r->keep_state); 1292 snl_add_msg_attr_u8(nw, PF_RT_AF, r->af); 1293 snl_add_msg_attr_u8(nw, PF_RT_PROTO, r->proto); 1294 snl_add_msg_attr_u16(nw, PF_RT_TYPE_2, r->type); 1295 snl_add_msg_attr_u16(nw, PF_RT_CODE_2, r->code); 1296 snl_add_msg_attr_u8(nw, PF_RT_FLAGS, r->flags); 1297 snl_add_msg_attr_u8(nw, PF_RT_FLAGSET, r->flagset); 1298 snl_add_msg_attr_u8(nw, PF_RT_MIN_TTL, r->min_ttl); 1299 snl_add_msg_attr_u8(nw, PF_RT_ALLOW_OPTS, r->allow_opts); 1300 snl_add_msg_attr_u8(nw, PF_RT_RT, r->rt); 1301 snl_add_msg_attr_u8(nw, PF_RT_RETURN_TTL, r->return_ttl); 1302 snl_add_msg_attr_u8(nw, PF_RT_TOS, r->tos); 1303 snl_add_msg_attr_u8(nw, PF_RT_SET_TOS, r->set_tos); 1304 1305 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_RELATIVE, r->anchor_relative); 1306 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_WILDCARD, r->anchor_wildcard); 1307 snl_add_msg_attr_u8(nw, PF_RT_FLUSH, r->flush); 1308 snl_add_msg_attr_u8(nw, PF_RT_PRIO, r->prio); 1309 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO, r->set_prio[0]); 1310 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO_REPLY, r->set_prio[1]); 1311 snl_add_msg_attr_u8(nw, PF_RT_NAF, r->naf); 1312 1313 snl_add_msg_attr_ip6(nw, PF_RT_DIVERT_ADDRESS, &r->divert.addr.v6); 1314 snl_add_msg_attr_u16(nw, PF_RT_DIVERT_PORT, r->divert.port); 1315 1316 snl_end_attr_nested(nw, off); 1317 } 1318 1319 int 1320 pfctl_add_rule(int dev __unused, const struct pfctl_rule *r, const char *anchor, 1321 const char *anchor_call, uint32_t ticket, uint32_t pool_ticket) 1322 { 1323 struct pfctl_handle *h; 1324 int ret; 1325 1326 h = pfctl_open(PF_DEVICE); 1327 if (h == NULL) 1328 return (ENODEV); 1329 1330 ret = pfctl_add_rule_h(h, r, anchor, anchor_call, ticket, pool_ticket); 1331 1332 pfctl_close(h); 1333 1334 return (ret); 1335 } 1336 1337 int 1338 pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r, 1339 const char *anchor, const char *anchor_call, uint32_t ticket, 1340 uint32_t pool_ticket) 1341 { 1342 struct snl_writer nw; 1343 struct snl_errmsg_data e = {}; 1344 struct nlmsghdr *hdr; 1345 uint32_t seq_id; 1346 int family_id; 1347 1348 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 1349 if (family_id == 0) 1350 return (ENOTSUP); 1351 1352 snl_init_writer(&h->ss, &nw); 1353 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADDRULE); 1354 hdr->nlmsg_flags |= NLM_F_DUMP; 1355 snl_add_msg_attr_u32(&nw, PF_ART_TICKET, ticket); 1356 snl_add_msg_attr_u32(&nw, PF_ART_POOL_TICKET, pool_ticket); 1357 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR, anchor); 1358 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR_CALL, anchor_call); 1359 1360 snl_add_msg_attr_pf_rule(&nw, PF_ART_RULE, r); 1361 1362 if ((hdr = snl_finalize_msg(&nw)) == NULL) 1363 return (ENXIO); 1364 1365 seq_id = hdr->nlmsg_seq; 1366 1367 if (! snl_send_message(&h->ss, hdr)) 1368 return (ENXIO); 1369 1370 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 1371 } 1372 1373 return (e.error); 1374 } 1375 1376 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1377 #define _OUT(_field) offsetof(struct pfctl_rules_info, _field) 1378 static struct snl_attr_parser ap_getrules[] = { 1379 { .type = PF_GR_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 }, 1380 { .type = PF_GR_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 }, 1381 }; 1382 #undef _IN 1383 #undef _OUT 1384 SNL_DECLARE_PARSER(getrules_parser, struct genlmsghdr, snl_f_p_empty, ap_getrules); 1385 1386 int 1387 pfctl_get_rules_info_h(struct pfctl_handle *h, struct pfctl_rules_info *rules, uint32_t ruleset, 1388 const char *path) 1389 { 1390 struct snl_errmsg_data e = {}; 1391 struct nlmsghdr *hdr; 1392 struct snl_writer nw; 1393 uint32_t seq_id; 1394 int family_id; 1395 1396 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 1397 if (family_id == 0) 1398 return (ENOTSUP); 1399 1400 snl_init_writer(&h->ss, &nw); 1401 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETRULES); 1402 hdr->nlmsg_flags |= NLM_F_DUMP; 1403 1404 snl_add_msg_attr_string(&nw, PF_GR_ANCHOR, path); 1405 snl_add_msg_attr_u8(&nw, PF_GR_ACTION, ruleset); 1406 1407 hdr = snl_finalize_msg(&nw); 1408 if (hdr == NULL) 1409 return (ENOMEM); 1410 1411 seq_id = hdr->nlmsg_seq; 1412 if (! snl_send_message(&h->ss, hdr)) 1413 return (ENXIO); 1414 1415 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 1416 if (! snl_parse_nlmsg(&h->ss, hdr, &getrules_parser, rules)) 1417 continue; 1418 } 1419 1420 return (e.error); 1421 } 1422 1423 int 1424 pfctl_get_rules_info(int dev __unused, struct pfctl_rules_info *rules, uint32_t ruleset, 1425 const char *path) 1426 { 1427 struct pfctl_handle *h; 1428 int error; 1429 1430 h = pfctl_open(PF_DEVICE); 1431 if (h == NULL) 1432 return (ENOTSUP); 1433 error = pfctl_get_rules_info_h(h, rules, ruleset, path); 1434 pfctl_close(h); 1435 1436 return (error); 1437 } 1438 1439 int 1440 pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket, const char *anchor, 1441 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call) 1442 { 1443 return (pfctl_get_clear_rule_h(h, nr, ticket, anchor, ruleset, rule, 1444 anchor_call, false)); 1445 } 1446 1447 int 1448 pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor, 1449 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call) 1450 { 1451 return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule, 1452 anchor_call, false)); 1453 } 1454 1455 #define _OUT(_field) offsetof(struct pf_addr_wrap, _field) 1456 static const struct snl_attr_parser ap_addr_wrap[] = { 1457 { .type = PF_AT_ADDR, .off = _OUT(v.a.addr), .cb = snl_attr_get_in6_addr }, 1458 { .type = PF_AT_MASK, .off = _OUT(v.a.mask), .cb = snl_attr_get_in6_addr }, 1459 { .type = PF_AT_IFNAME, .off = _OUT(v.ifname), .arg = (void *)IFNAMSIZ,.cb = snl_attr_copy_string }, 1460 { .type = PF_AT_TABLENAME, .off = _OUT(v.tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string }, 1461 { .type = PF_AT_TYPE, .off = _OUT(type), .cb = snl_attr_get_uint8 }, 1462 { .type = PF_AT_IFLAGS, .off = _OUT(iflags), .cb = snl_attr_get_uint8 }, 1463 { .type = PF_AT_TBLCNT, .off = _OUT(p.tblcnt), .cb = snl_attr_get_uint32 }, 1464 { .type = PF_AT_DYNCNT, .off = _OUT(p.dyncnt), .cb = snl_attr_get_uint32 }, 1465 }; 1466 SNL_DECLARE_ATTR_PARSER(addr_wrap_parser, ap_addr_wrap); 1467 #undef _OUT 1468 1469 #define _OUT(_field) offsetof(struct pf_rule_addr, _field) 1470 static struct snl_attr_parser ap_rule_addr[] = { 1471 { .type = PF_RAT_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = snl_attr_get_nested }, 1472 { .type = PF_RAT_SRC_PORT, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 }, 1473 { .type = PF_RAT_DST_PORT, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 }, 1474 { .type = PF_RAT_NEG, .off = _OUT(neg), .cb = snl_attr_get_uint8 }, 1475 { .type = PF_RAT_OP, .off = _OUT(port_op), .cb = snl_attr_get_uint8 }, 1476 }; 1477 #undef _OUT 1478 SNL_DECLARE_ATTR_PARSER(rule_addr_parser, ap_rule_addr); 1479 1480 struct snl_parsed_labels 1481 { 1482 char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 1483 uint32_t i; 1484 }; 1485 1486 static bool 1487 snl_attr_get_pf_rule_labels(struct snl_state *ss, struct nlattr *nla, 1488 const void *arg __unused, void *target) 1489 { 1490 struct snl_parsed_labels *l = (struct snl_parsed_labels *)target; 1491 bool ret; 1492 1493 if (l->i >= PF_RULE_MAX_LABEL_COUNT) 1494 return (E2BIG); 1495 1496 ret = snl_attr_copy_string(ss, nla, (void *)PF_RULE_LABEL_SIZE, 1497 l->labels[l->i]); 1498 if (ret) 1499 l->i++; 1500 1501 return (ret); 1502 } 1503 1504 #define _OUT(_field) offsetof(struct nl_parsed_labels, _field) 1505 static const struct snl_attr_parser ap_labels[] = { 1506 { .type = PF_LT_LABEL, .off = 0, .cb = snl_attr_get_pf_rule_labels }, 1507 }; 1508 SNL_DECLARE_ATTR_PARSER(rule_labels_parser, ap_labels); 1509 #undef _OUT 1510 1511 static bool 1512 snl_attr_get_nested_pf_rule_labels(struct snl_state *ss, struct nlattr *nla, 1513 const void *arg __unused, void *target) 1514 { 1515 struct snl_parsed_labels parsed_labels = { }; 1516 bool error; 1517 1518 /* Assumes target points to the beginning of the structure */ 1519 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &rule_labels_parser, &parsed_labels); 1520 if (! error) 1521 return (error); 1522 1523 memcpy(target, parsed_labels.labels, sizeof(parsed_labels.labels)); 1524 1525 return (true); 1526 } 1527 1528 #define _OUT(_field) offsetof(struct pf_mape_portset, _field) 1529 static const struct snl_attr_parser ap_mape_portset[] = { 1530 { .type = PF_MET_OFFSET, .off = _OUT(offset), .cb = snl_attr_get_uint8 }, 1531 { .type = PF_MET_PSID_LEN, .off = _OUT(psidlen), .cb = snl_attr_get_uint8 }, 1532 {. type = PF_MET_PSID, .off = _OUT(psid), .cb = snl_attr_get_uint16 }, 1533 }; 1534 SNL_DECLARE_ATTR_PARSER(mape_portset_parser, ap_mape_portset); 1535 #undef _OUT 1536 1537 #define _OUT(_field) offsetof(struct pfctl_pool, _field) 1538 static const struct snl_attr_parser ap_pool[] = { 1539 { .type = PF_PT_KEY, .off = _OUT(key), .arg = (void *)sizeof(struct pf_poolhashkey), .cb = snl_attr_get_bytes }, 1540 { .type = PF_PT_COUNTER, .off = _OUT(counter), .cb = snl_attr_get_in6_addr }, 1541 { .type = PF_PT_TBLIDX, .off = _OUT(tblidx), .cb = snl_attr_get_uint32 }, 1542 { .type = PF_PT_PROXY_SRC_PORT, .off = _OUT(proxy_port[0]), .cb = snl_attr_get_uint16 }, 1543 { .type = PF_PT_PROXY_DST_PORT, .off = _OUT(proxy_port[1]), .cb = snl_attr_get_uint16 }, 1544 { .type = PF_PT_OPTS, .off = _OUT(opts), .cb = snl_attr_get_uint8 }, 1545 { .type = PF_PT_MAPE, .off = _OUT(mape), .arg = &mape_portset_parser, .cb = snl_attr_get_nested }, 1546 }; 1547 SNL_DECLARE_ATTR_PARSER(pool_parser, ap_pool); 1548 #undef _OUT 1549 1550 struct nl_parsed_timeouts 1551 { 1552 uint32_t timeouts[PFTM_MAX]; 1553 uint32_t i; 1554 }; 1555 1556 static bool 1557 snl_attr_get_pf_timeout(struct snl_state *ss, struct nlattr *nla, 1558 const void *arg __unused, void *target) 1559 { 1560 struct nl_parsed_timeouts *t = (struct nl_parsed_timeouts *)target; 1561 bool ret; 1562 1563 if (t->i >= PFTM_MAX) 1564 return (E2BIG); 1565 1566 ret = snl_attr_get_uint32(ss, nla, NULL, &t->timeouts[t->i]); 1567 if (ret) 1568 t->i++; 1569 1570 return (ret); 1571 } 1572 1573 #define _OUT(_field) offsetof(struct nl_parsed_timeout, _field) 1574 static const struct snl_attr_parser ap_timeouts[] = { 1575 { .type = PF_TT_TIMEOUT, .off = 0, .cb = snl_attr_get_pf_timeout }, 1576 }; 1577 SNL_DECLARE_ATTR_PARSER(timeout_parser, ap_timeouts); 1578 #undef _OUT 1579 1580 static bool 1581 snl_attr_get_nested_timeouts(struct snl_state *ss, struct nlattr *nla, 1582 const void *arg __unused, void *target) 1583 { 1584 struct nl_parsed_timeouts parsed_timeouts = { }; 1585 bool error; 1586 1587 /* Assumes target points to the beginning of the structure */ 1588 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &timeout_parser, &parsed_timeouts); 1589 if (! error) 1590 return (error); 1591 1592 memcpy(target, parsed_timeouts.timeouts, sizeof(parsed_timeouts.timeouts)); 1593 1594 return (true); 1595 } 1596 1597 #define _OUT(_field) offsetof(struct pf_rule_uid, _field) 1598 static const struct snl_attr_parser ap_rule_uid[] = { 1599 { .type = PF_RUT_UID_LOW, .off = _OUT(uid[0]), .cb = snl_attr_get_uint32 }, 1600 { .type = PF_RUT_UID_HIGH, .off = _OUT(uid[1]), .cb = snl_attr_get_uint32 }, 1601 { .type = PF_RUT_OP, .off = _OUT(op), .cb = snl_attr_get_uint8 }, 1602 }; 1603 SNL_DECLARE_ATTR_PARSER(rule_uid_parser, ap_rule_uid); 1604 #undef _OUT 1605 1606 #define _OUT(_field) offsetof(struct pfctl_threshold, _field) 1607 static const struct snl_attr_parser ap_pfctl_threshold[] = { 1608 { .type = PF_TH_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, 1609 { .type = PF_TH_SECONDS, .off = _OUT(seconds), .cb = snl_attr_get_uint32 }, 1610 { .type = PF_TH_COUNT, .off = _OUT(count), .cb = snl_attr_get_uint32 }, 1611 }; 1612 SNL_DECLARE_ATTR_PARSER(pfctl_threshold_parser, ap_pfctl_threshold); 1613 #undef _OUT 1614 1615 struct pfctl_nl_get_rule { 1616 struct pfctl_rule r; 1617 char anchor_call[MAXPATHLEN]; 1618 }; 1619 #define _OUT(_field) offsetof(struct pfctl_nl_get_rule, _field) 1620 static struct snl_attr_parser ap_getrule[] = { 1621 { .type = PF_RT_SRC, .off = _OUT(r.src), .arg = &rule_addr_parser,.cb = snl_attr_get_nested }, 1622 { .type = PF_RT_DST, .off = _OUT(r.dst), .arg = &rule_addr_parser,.cb = snl_attr_get_nested }, 1623 { .type = PF_RT_RIDENTIFIER, .off = _OUT(r.ridentifier), .cb = snl_attr_get_uint32 }, 1624 { .type = PF_RT_LABELS, .off = _OUT(r.label), .arg = &rule_labels_parser,.cb = snl_attr_get_nested_pf_rule_labels }, 1625 { .type = PF_RT_IFNAME, .off = _OUT(r.ifname), .arg = (void *)IFNAMSIZ, .cb = snl_attr_copy_string }, 1626 { .type = PF_RT_QNAME, .off = _OUT(r.qname), .arg = (void *)PF_QNAME_SIZE, .cb = snl_attr_copy_string }, 1627 { .type = PF_RT_PQNAME, .off = _OUT(r.pqname), .arg = (void *)PF_QNAME_SIZE, .cb = snl_attr_copy_string }, 1628 { .type = PF_RT_TAGNAME, .off = _OUT(r.tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string }, 1629 { .type = PF_RT_MATCH_TAGNAME, .off = _OUT(r.match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = snl_attr_copy_string }, 1630 { .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(r.overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = snl_attr_copy_string }, 1631 { .type = PF_RT_RPOOL_RDR, .off = _OUT(r.rdr), .arg = &pool_parser, .cb = snl_attr_get_nested }, 1632 { .type = PF_RT_OS_FINGERPRINT, .off = _OUT(r.os_fingerprint), .cb = snl_attr_get_uint32 }, 1633 { .type = PF_RT_RTABLEID, .off = _OUT(r.rtableid), .cb = snl_attr_get_uint32 }, 1634 { .type = PF_RT_TIMEOUT, .off = _OUT(r.timeout), .arg = &timeout_parser, .cb = snl_attr_get_nested_timeouts }, 1635 { .type = PF_RT_MAX_STATES, .off = _OUT(r.max_states), .cb = snl_attr_get_uint32 }, 1636 { .type = PF_RT_MAX_SRC_NODES, .off = _OUT(r.max_src_nodes), .cb = snl_attr_get_uint32 }, 1637 { .type = PF_RT_MAX_SRC_STATES, .off = _OUT(r.max_src_states), .cb = snl_attr_get_uint32 }, 1638 { .type = PF_RT_MAX_SRC_CONN_RATE_LIMIT, .off = _OUT(r.max_src_conn_rate.limit), .cb = snl_attr_get_uint32 }, 1639 { .type = PF_RT_MAX_SRC_CONN_RATE_SECS, .off = _OUT(r.max_src_conn_rate.seconds), .cb = snl_attr_get_uint32 }, 1640 { .type = PF_RT_DNPIPE, .off = _OUT(r.dnpipe), .cb = snl_attr_get_uint16 }, 1641 { .type = PF_RT_DNRPIPE, .off = _OUT(r.dnrpipe), .cb = snl_attr_get_uint16 }, 1642 { .type = PF_RT_DNFLAGS, .off = _OUT(r.free_flags), .cb = snl_attr_get_uint32 }, 1643 { .type = PF_RT_NR, .off = _OUT(r.nr), .cb = snl_attr_get_uint32 }, 1644 { .type = PF_RT_PROB, .off = _OUT(r.prob), .cb = snl_attr_get_uint32 }, 1645 { .type = PF_RT_CUID, .off = _OUT(r.cuid), .cb = snl_attr_get_uint32 }, 1646 {. type = PF_RT_CPID, .off = _OUT(r.cpid), .cb = snl_attr_get_uint32 }, 1647 { .type = PF_RT_RETURN_ICMP, .off = _OUT(r.return_icmp), .cb = snl_attr_get_uint16 }, 1648 { .type = PF_RT_RETURN_ICMP6, .off = _OUT(r.return_icmp6), .cb = snl_attr_get_uint16 }, 1649 { .type = PF_RT_MAX_MSS, .off = _OUT(r.max_mss), .cb = snl_attr_get_uint16 }, 1650 { .type = PF_RT_SCRUB_FLAGS, .off = _OUT(r.scrub_flags), .cb = snl_attr_get_uint16 }, 1651 { .type = PF_RT_UID, .off = _OUT(r.uid), .arg = &rule_uid_parser, .cb = snl_attr_get_nested }, 1652 { .type = PF_RT_GID, .off = _OUT(r.gid), .arg = &rule_uid_parser, .cb = snl_attr_get_nested }, 1653 { .type = PF_RT_RULE_FLAG, .off = _OUT(r.rule_flag), .cb = snl_attr_get_uint32 }, 1654 { .type = PF_RT_ACTION, .off = _OUT(r.action), .cb = snl_attr_get_uint8 }, 1655 { .type = PF_RT_DIRECTION, .off = _OUT(r.direction), .cb = snl_attr_get_uint8 }, 1656 { .type = PF_RT_LOG, .off = _OUT(r.log), .cb = snl_attr_get_uint8 }, 1657 { .type = PF_RT_LOGIF, .off = _OUT(r.logif), .cb = snl_attr_get_uint8 }, 1658 { .type = PF_RT_QUICK, .off = _OUT(r.quick), .cb = snl_attr_get_uint8 }, 1659 { .type = PF_RT_IF_NOT, .off = _OUT(r.ifnot), .cb = snl_attr_get_uint8 }, 1660 { .type = PF_RT_MATCH_TAG_NOT, .off = _OUT(r.match_tag_not), .cb = snl_attr_get_uint8 }, 1661 { .type = PF_RT_NATPASS, .off = _OUT(r.natpass), .cb = snl_attr_get_uint8 }, 1662 { .type = PF_RT_KEEP_STATE, .off = _OUT(r.keep_state), .cb = snl_attr_get_uint8 }, 1663 { .type = PF_RT_AF, .off = _OUT(r.af), .cb = snl_attr_get_uint8 }, 1664 { .type = PF_RT_PROTO, .off = _OUT(r.proto), .cb = snl_attr_get_uint8 }, 1665 { .type = PF_RT_TYPE, .off = _OUT(r.type), .cb = snl_attr_get_uint8 }, 1666 { .type = PF_RT_CODE, .off = _OUT(r.code), .cb = snl_attr_get_uint8 }, 1667 { .type = PF_RT_FLAGS, .off = _OUT(r.flags), .cb = snl_attr_get_uint8 }, 1668 { .type = PF_RT_FLAGSET, .off = _OUT(r.flagset), .cb = snl_attr_get_uint8 }, 1669 { .type = PF_RT_MIN_TTL, .off = _OUT(r.min_ttl), .cb = snl_attr_get_uint8 }, 1670 { .type = PF_RT_ALLOW_OPTS, .off = _OUT(r.allow_opts), .cb = snl_attr_get_uint8 }, 1671 { .type = PF_RT_RT, .off = _OUT(r.rt), .cb = snl_attr_get_uint8 }, 1672 { .type = PF_RT_RETURN_TTL, .off = _OUT(r.return_ttl), .cb = snl_attr_get_uint8 }, 1673 { .type = PF_RT_TOS, .off = _OUT(r.tos), .cb = snl_attr_get_uint8 }, 1674 { .type = PF_RT_SET_TOS, .off = _OUT(r.set_tos), .cb = snl_attr_get_uint8 }, 1675 { .type = PF_RT_ANCHOR_RELATIVE, .off = _OUT(r.anchor_relative), .cb = snl_attr_get_uint8 }, 1676 { .type = PF_RT_ANCHOR_WILDCARD, .off = _OUT(r.anchor_wildcard), .cb = snl_attr_get_uint8 }, 1677 { .type = PF_RT_FLUSH, .off = _OUT(r.flush), .cb = snl_attr_get_uint8 }, 1678 { .type = PF_RT_PRIO, .off = _OUT(r.prio), .cb = snl_attr_get_uint8 }, 1679 { .type = PF_RT_SET_PRIO, .off = _OUT(r.set_prio[0]), .cb = snl_attr_get_uint8 }, 1680 { .type = PF_RT_SET_PRIO_REPLY, .off = _OUT(r.set_prio[1]), .cb = snl_attr_get_uint8 }, 1681 { .type = PF_RT_DIVERT_ADDRESS, .off = _OUT(r.divert.addr), .cb = snl_attr_get_in6_addr }, 1682 { .type = PF_RT_DIVERT_PORT, .off = _OUT(r.divert.port), .cb = snl_attr_get_uint16 }, 1683 { .type = PF_RT_PACKETS_IN, .off = _OUT(r.packets[0]), .cb = snl_attr_get_uint64 }, 1684 { .type = PF_RT_PACKETS_OUT, .off = _OUT(r.packets[1]), .cb = snl_attr_get_uint64 }, 1685 { .type = PF_RT_BYTES_IN, .off = _OUT(r.bytes[0]), .cb = snl_attr_get_uint64 }, 1686 { .type = PF_RT_BYTES_OUT, .off = _OUT(r.bytes[1]), .cb = snl_attr_get_uint64 }, 1687 { .type = PF_RT_EVALUATIONS, .off = _OUT(r.evaluations), .cb = snl_attr_get_uint64 }, 1688 { .type = PF_RT_TIMESTAMP, .off = _OUT(r.last_active_timestamp), .cb = snl_attr_get_uint64 }, 1689 { .type = PF_RT_STATES_CUR, .off = _OUT(r.states_cur), .cb = snl_attr_get_uint64 }, 1690 { .type = PF_RT_STATES_TOTAL, .off = _OUT(r.states_tot), .cb = snl_attr_get_uint64 }, 1691 { .type = PF_RT_SRC_NODES, .off = _OUT(r.src_nodes), .cb = snl_attr_get_uint64 }, 1692 { .type = PF_RT_ANCHOR_CALL, .off = _OUT(anchor_call), .arg = (void*)MAXPATHLEN, .cb = snl_attr_copy_string }, 1693 { .type = PF_RT_RCV_IFNAME, .off = _OUT(r.rcv_ifname), .arg = (void*)IFNAMSIZ, .cb = snl_attr_copy_string }, 1694 { .type = PF_RT_MAX_SRC_CONN, .off = _OUT(r.max_src_conn), .cb = snl_attr_get_uint32 }, 1695 { .type = PF_RT_RPOOL_NAT, .off = _OUT(r.nat), .arg = &pool_parser, .cb = snl_attr_get_nested }, 1696 { .type = PF_RT_NAF, .off = _OUT(r.naf), .cb = snl_attr_get_uint8 }, 1697 { .type = PF_RT_RPOOL_RT, .off = _OUT(r.route), .arg = &pool_parser, .cb = snl_attr_get_nested }, 1698 { .type = PF_RT_RCV_IFNOT, .off = _OUT(r.rcvifnot),.cb = snl_attr_get_bool }, 1699 { .type = PF_RT_SRC_NODES_LIMIT, .off = _OUT(r.src_nodes_type[PF_SN_LIMIT]), .cb = snl_attr_get_uint64 }, 1700 { .type = PF_RT_SRC_NODES_NAT, .off = _OUT(r.src_nodes_type[PF_SN_NAT]), .cb = snl_attr_get_uint64 }, 1701 { .type = PF_RT_SRC_NODES_ROUTE, .off = _OUT(r.src_nodes_type[PF_SN_ROUTE]), .cb = snl_attr_get_uint64 }, 1702 { .type = PF_RT_PKTRATE, .off = _OUT(r.pktrate), .arg = &pfctl_threshold_parser, .cb = snl_attr_get_nested }, 1703 { .type = PF_RT_MAX_PKT_SIZE, .off =_OUT(r.max_pkt_size), .cb = snl_attr_get_uint16 }, 1704 { .type = PF_RT_TYPE_2, .off = _OUT(r.type), .cb = snl_attr_get_uint16 }, 1705 { .type = PF_RT_CODE_2, .off = _OUT(r.code), .cb = snl_attr_get_uint16 }, 1706 { .type = PF_RT_EXPTIME, .off = _OUT(r.exptime), .cb = snl_attr_get_time_t }, 1707 }; 1708 #undef _OUT 1709 SNL_DECLARE_PARSER(getrule_parser, struct genlmsghdr, snl_f_p_empty, ap_getrule); 1710 1711 int 1712 pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket, 1713 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 1714 char *anchor_call, bool clear) 1715 { 1716 struct pfctl_nl_get_rule attrs = {}; 1717 struct snl_errmsg_data e = {}; 1718 struct nlmsghdr *hdr; 1719 struct snl_writer nw; 1720 uint32_t seq_id; 1721 int family_id; 1722 1723 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 1724 if (family_id == 0) 1725 return (ENOTSUP); 1726 1727 snl_init_writer(&h->ss, &nw); 1728 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETRULE); 1729 hdr->nlmsg_flags |= NLM_F_DUMP; 1730 1731 snl_add_msg_attr_string(&nw, PF_GR_ANCHOR, anchor); 1732 snl_add_msg_attr_u8(&nw, PF_GR_ACTION, ruleset); 1733 snl_add_msg_attr_u32(&nw, PF_GR_NR, nr); 1734 snl_add_msg_attr_u32(&nw, PF_GR_TICKET, ticket); 1735 snl_add_msg_attr_u8(&nw, PF_GR_CLEAR, clear); 1736 1737 hdr = snl_finalize_msg(&nw); 1738 if (hdr == NULL) 1739 return (ENOMEM); 1740 1741 seq_id = hdr->nlmsg_seq; 1742 if (! snl_send_message(&h->ss, hdr)) 1743 return (ENXIO); 1744 1745 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 1746 if (! snl_parse_nlmsg(&h->ss, hdr, &getrule_parser, &attrs)) 1747 continue; 1748 } 1749 1750 memcpy(rule, &attrs.r, sizeof(attrs.r)); 1751 strlcpy(anchor_call, attrs.anchor_call, MAXPATHLEN); 1752 1753 return (e.error); 1754 } 1755 1756 int 1757 pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 1758 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 1759 char *anchor_call, bool clear) 1760 { 1761 nvlist_t *nvl; 1762 int ret; 1763 1764 nvl = nvlist_create(0); 1765 if (nvl == 0) 1766 return (ENOMEM); 1767 1768 nvlist_add_number(nvl, "nr", nr); 1769 nvlist_add_number(nvl, "ticket", ticket); 1770 nvlist_add_string(nvl, "anchor", anchor); 1771 nvlist_add_number(nvl, "ruleset", ruleset); 1772 1773 if (clear) 1774 nvlist_add_bool(nvl, "clear_counter", true); 1775 1776 if ((ret = pfctl_do_ioctl(dev, DIOCGETRULENV, 8192, &nvl)) != 0) 1777 goto out; 1778 1779 pf_nvrule_to_rule(nvlist_get_nvlist(nvl, "rule"), rule); 1780 1781 if (anchor_call) 1782 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 1783 MAXPATHLEN); 1784 1785 out: 1786 nvlist_destroy(nvl); 1787 return (ret); 1788 } 1789 1790 int 1791 pfctl_set_keepcounters(int dev, bool keep) 1792 { 1793 struct pfioc_nv nv; 1794 nvlist_t *nvl; 1795 int ret; 1796 1797 nvl = nvlist_create(0); 1798 1799 nvlist_add_bool(nvl, "keep_counters", keep); 1800 1801 nv.data = nvlist_pack(nvl, &nv.len); 1802 nv.size = nv.len; 1803 1804 nvlist_destroy(nvl); 1805 1806 ret = ioctl(dev, DIOCKEEPCOUNTERS, &nv); 1807 1808 free(nv.data); 1809 return (ret); 1810 } 1811 1812 struct pfctl_creator { 1813 uint32_t id; 1814 }; 1815 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1816 #define _OUT(_field) offsetof(struct pfctl_creator, _field) 1817 static struct snl_attr_parser ap_creators[] = { 1818 { .type = PF_ST_CREATORID, .off = _OUT(id), .cb = snl_attr_get_uint32 }, 1819 }; 1820 #undef _IN 1821 #undef _OUT 1822 SNL_DECLARE_PARSER(creator_parser, struct genlmsghdr, snl_f_p_empty, ap_creators); 1823 1824 static int 1825 pfctl_get_creators_nl(struct snl_state *ss, uint32_t *creators, size_t *len) 1826 { 1827 1828 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME); 1829 size_t i = 0; 1830 1831 struct nlmsghdr *hdr; 1832 struct snl_writer nw; 1833 1834 if (family_id == 0) 1835 return (ENOTSUP); 1836 1837 snl_init_writer(ss, &nw); 1838 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETCREATORS); 1839 hdr->nlmsg_flags |= NLM_F_DUMP; 1840 hdr = snl_finalize_msg(&nw); 1841 if (hdr == NULL) 1842 return (ENOMEM); 1843 uint32_t seq_id = hdr->nlmsg_seq; 1844 1845 snl_send_message(ss, hdr); 1846 1847 struct snl_errmsg_data e = {}; 1848 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) { 1849 struct pfctl_creator c; 1850 bzero(&c, sizeof(c)); 1851 1852 if (!snl_parse_nlmsg(ss, hdr, &creator_parser, &c)) 1853 continue; 1854 1855 creators[i] = c.id; 1856 i++; 1857 if (i > *len) 1858 return (E2BIG); 1859 } 1860 1861 *len = i; 1862 1863 return (0); 1864 } 1865 1866 int 1867 pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len) 1868 { 1869 int error; 1870 1871 error = pfctl_get_creators_nl(&h->ss, creators, len); 1872 1873 return (error); 1874 } 1875 1876 static inline bool 1877 snl_attr_get_pfaddr(struct snl_state *ss __unused, struct nlattr *nla, 1878 const void *arg __unused, void *target) 1879 { 1880 memcpy(target, NLA_DATA(nla), NLA_DATA_LEN(nla)); 1881 return (true); 1882 } 1883 1884 static inline bool 1885 snl_attr_store_ifname(struct snl_state *ss __unused, struct nlattr *nla, 1886 const void *arg __unused, void *target) 1887 { 1888 size_t maxlen = NLA_DATA_LEN(nla); 1889 1890 if (strnlen((char *)NLA_DATA(nla), maxlen) < maxlen) { 1891 strlcpy(target, (char *)NLA_DATA(nla), maxlen); 1892 return (true); 1893 } 1894 return (false); 1895 } 1896 1897 #define _OUT(_field) offsetof(struct pfctl_state_peer, _field) 1898 static const struct snl_attr_parser nla_p_speer[] = { 1899 { .type = PF_STP_SEQLO, .off = _OUT(seqlo), .cb = snl_attr_get_uint32 }, 1900 { .type = PF_STP_SEQHI, .off = _OUT(seqhi), .cb = snl_attr_get_uint32 }, 1901 { .type = PF_STP_SEQDIFF, .off = _OUT(seqdiff), .cb = snl_attr_get_uint32 }, 1902 { .type = PF_STP_STATE, .off = _OUT(state), .cb = snl_attr_get_uint8 }, 1903 { .type = PF_STP_WSCALE, .off = _OUT(wscale), .cb = snl_attr_get_uint8 }, 1904 }; 1905 SNL_DECLARE_ATTR_PARSER(speer_parser, nla_p_speer); 1906 #undef _OUT 1907 1908 #define _OUT(_field) offsetof(struct pfctl_state_key, _field) 1909 static const struct snl_attr_parser nla_p_skey[] = { 1910 { .type = PF_STK_ADDR0, .off = _OUT(addr[0]), .cb = snl_attr_get_pfaddr }, 1911 { .type = PF_STK_ADDR1, .off = _OUT(addr[1]), .cb = snl_attr_get_pfaddr }, 1912 { .type = PF_STK_PORT0, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 }, 1913 { .type = PF_STK_PORT1, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 }, 1914 { .type = PF_STK_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, 1915 { .type = PF_STK_PROTO, .off = _OUT(proto), .cb = snl_attr_get_uint16 }, 1916 }; 1917 SNL_DECLARE_ATTR_PARSER(skey_parser, nla_p_skey); 1918 #undef _OUT 1919 1920 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1921 #define _OUT(_field) offsetof(struct pfctl_state, _field) 1922 static struct snl_attr_parser ap_state[] = { 1923 { .type = PF_ST_ID, .off = _OUT(id), .cb = snl_attr_get_uint64 }, 1924 { .type = PF_ST_CREATORID, .off = _OUT(creatorid), .cb = snl_attr_get_uint32 }, 1925 { .type = PF_ST_IFNAME, .off = _OUT(ifname), .cb = snl_attr_store_ifname }, 1926 { .type = PF_ST_ORIG_IFNAME, .off = _OUT(orig_ifname), .cb = snl_attr_store_ifname }, 1927 { .type = PF_ST_KEY_WIRE, .off = _OUT(key[0]), .arg = &skey_parser, .cb = snl_attr_get_nested }, 1928 { .type = PF_ST_KEY_STACK, .off = _OUT(key[1]), .arg = &skey_parser, .cb = snl_attr_get_nested }, 1929 { .type = PF_ST_PEER_SRC, .off = _OUT(src), .arg = &speer_parser, .cb = snl_attr_get_nested }, 1930 { .type = PF_ST_PEER_DST, .off = _OUT(dst), .arg = &speer_parser, .cb = snl_attr_get_nested }, 1931 { .type = PF_ST_RT_ADDR, .off = _OUT(rt_addr), .cb = snl_attr_get_pfaddr }, 1932 { .type = PF_ST_RULE, .off = _OUT(rule), .cb = snl_attr_get_uint32 }, 1933 { .type = PF_ST_ANCHOR, .off = _OUT(anchor), .cb = snl_attr_get_uint32 }, 1934 { .type = PF_ST_NAT_RULE, .off = _OUT(nat_rule), .cb = snl_attr_get_uint32 }, 1935 { .type = PF_ST_CREATION, .off = _OUT(creation), .cb = snl_attr_get_uint32 }, 1936 { .type = PF_ST_EXPIRE, .off = _OUT(expire), .cb = snl_attr_get_uint32 }, 1937 { .type = PF_ST_PACKETS0, .off = _OUT(packets[0]), .cb = snl_attr_get_uint64 }, 1938 { .type = PF_ST_PACKETS1, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 }, 1939 { .type = PF_ST_BYTES0, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 }, 1940 { .type = PF_ST_BYTES1, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 }, 1941 { .type = PF_ST_DIRECTION, .off = _OUT(direction), .cb = snl_attr_get_uint8 }, 1942 { .type = PF_ST_LOG, .off = _OUT(log), .cb = snl_attr_get_uint8 }, 1943 { .type = PF_ST_STATE_FLAGS, .off = _OUT(state_flags), .cb = snl_attr_get_uint16 }, 1944 { .type = PF_ST_SYNC_FLAGS, .off = _OUT(sync_flags), .cb = snl_attr_get_uint8 }, 1945 { .type = PF_ST_RTABLEID, .off = _OUT(rtableid), .cb = snl_attr_get_int32 }, 1946 { .type = PF_ST_MIN_TTL, .off = _OUT(min_ttl), .cb = snl_attr_get_uint8 }, 1947 { .type = PF_ST_MAX_MSS, .off = _OUT(max_mss), .cb = snl_attr_get_uint16 }, 1948 { .type = PF_ST_DNPIPE, .off = _OUT(dnpipe), .cb = snl_attr_get_uint16 }, 1949 { .type = PF_ST_DNRPIPE, .off = _OUT(dnrpipe), .cb = snl_attr_get_uint16 }, 1950 { .type = PF_ST_RT, .off = _OUT(rt), .cb = snl_attr_get_uint8 }, 1951 { .type = PF_ST_RT_IFNAME, .off = _OUT(rt_ifname), .cb = snl_attr_store_ifname }, 1952 { .type = PF_ST_SRC_NODE_FLAGS, .off = _OUT(src_node_flags), .cb = snl_attr_get_uint8 }, 1953 { .type = PF_ST_RT_AF, .off = _OUT(rt_af), .cb = snl_attr_get_uint8 }, 1954 }; 1955 #undef _IN 1956 #undef _OUT 1957 SNL_DECLARE_PARSER(state_parser, struct genlmsghdr, snl_f_p_empty, ap_state); 1958 1959 static const struct snl_hdr_parser *all_parsers[] = { 1960 &state_parser, &skey_parser, &speer_parser, 1961 &creator_parser, &getrules_parser 1962 }; 1963 1964 static int 1965 pfctl_get_states_nl(struct pfctl_state_filter *filter, struct snl_state *ss, pfctl_get_state_fn f, void *arg) 1966 { 1967 SNL_VERIFY_PARSERS(all_parsers); 1968 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME); 1969 int ret; 1970 1971 struct nlmsghdr *hdr; 1972 struct snl_writer nw; 1973 1974 if (family_id == 0) 1975 return (ENOTSUP); 1976 1977 snl_init_writer(ss, &nw); 1978 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETSTATES); 1979 hdr->nlmsg_flags |= NLM_F_DUMP; 1980 snl_add_msg_attr_string(&nw, PF_ST_IFNAME, filter->ifname); 1981 snl_add_msg_attr_u16(&nw, PF_ST_PROTO, filter->proto); 1982 snl_add_msg_attr_u8(&nw, PF_ST_AF, filter->af); 1983 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_ADDR, &filter->addr.v6); 1984 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_MASK, &filter->mask.v6); 1985 1986 hdr = snl_finalize_msg(&nw); 1987 if (hdr == NULL) 1988 return (ENOMEM); 1989 1990 uint32_t seq_id = hdr->nlmsg_seq; 1991 1992 snl_send_message(ss, hdr); 1993 1994 struct snl_errmsg_data e = {}; 1995 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) { 1996 struct pfctl_state s; 1997 bzero(&s, sizeof(s)); 1998 if (!snl_parse_nlmsg(ss, hdr, &state_parser, &s)) 1999 continue; 2000 2001 ret = f(&s, arg); 2002 if (ret != 0) 2003 return (ret); 2004 } 2005 2006 return (0); 2007 } 2008 2009 int 2010 pfctl_get_states_iter(pfctl_get_state_fn f, void *arg) 2011 { 2012 struct pfctl_state_filter filter = {}; 2013 return (pfctl_get_filtered_states_iter(&filter, f, arg)); 2014 } 2015 2016 int 2017 pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg) 2018 { 2019 struct snl_state ss = {}; 2020 int error; 2021 2022 snl_init(&ss, NETLINK_GENERIC); 2023 error = pfctl_get_states_nl(filter, &ss, f, arg); 2024 snl_free(&ss); 2025 2026 return (error); 2027 } 2028 2029 static int 2030 pfctl_append_states(struct pfctl_state *s, void *arg) 2031 { 2032 struct pfctl_state *new; 2033 struct pfctl_states *states = (struct pfctl_states *)arg; 2034 2035 new = malloc(sizeof(*s)); 2036 if (new == NULL) 2037 return (ENOMEM); 2038 2039 memcpy(new, s, sizeof(*s)); 2040 2041 TAILQ_INSERT_TAIL(&states->states, new, entry); 2042 2043 return (0); 2044 } 2045 2046 int 2047 pfctl_get_states(int dev __unused, struct pfctl_states *states) 2048 { 2049 int ret; 2050 2051 bzero(states, sizeof(*states)); 2052 TAILQ_INIT(&states->states); 2053 2054 ret = pfctl_get_states_iter(pfctl_append_states, states); 2055 if (ret != 0) { 2056 pfctl_free_states(states); 2057 return (ret); 2058 } 2059 2060 return (0); 2061 } 2062 2063 void 2064 pfctl_free_states(struct pfctl_states *states) 2065 { 2066 struct pfctl_state *s, *tmp; 2067 2068 TAILQ_FOREACH_SAFE(s, &states->states, entry, tmp) { 2069 free(s); 2070 } 2071 2072 bzero(states, sizeof(*states)); 2073 } 2074 2075 struct pfctl_nl_clear_states { 2076 uint32_t killed; 2077 }; 2078 #define _OUT(_field) offsetof(struct pfctl_nl_clear_states, _field) 2079 static struct snl_attr_parser ap_clear_states[] = { 2080 { .type = PF_CS_KILLED, .off = _OUT(killed), .cb = snl_attr_get_uint32 }, 2081 }; 2082 #undef _OUT 2083 SNL_DECLARE_PARSER(clear_states_parser, struct genlmsghdr, snl_f_p_empty, ap_clear_states); 2084 2085 static int 2086 _pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 2087 unsigned int *killed, int cmd) 2088 { 2089 struct snl_writer nw; 2090 struct snl_errmsg_data e = {}; 2091 struct pfctl_nl_clear_states attrs = {}; 2092 struct nlmsghdr *hdr; 2093 uint32_t seq_id; 2094 int family_id; 2095 2096 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2097 if (family_id == 0) 2098 return (ENOTSUP); 2099 2100 snl_init_writer(&h->ss, &nw); 2101 hdr = snl_create_genl_msg_request(&nw, family_id, cmd); 2102 hdr->nlmsg_flags |= NLM_F_DUMP; 2103 2104 snl_add_msg_attr_u64(&nw, PF_CS_CMP_ID, kill->cmp.id); 2105 snl_add_msg_attr_u32(&nw, PF_CS_CMP_CREATORID, htonl(kill->cmp.creatorid)); 2106 snl_add_msg_attr_u8(&nw, PF_CS_CMP_DIR, kill->cmp.direction); 2107 snl_add_msg_attr_u8(&nw, PF_CS_AF, kill->af); 2108 snl_add_msg_attr_u8(&nw, PF_CS_PROTO, kill->proto); 2109 snl_add_msg_attr_rule_addr(&nw, PF_CS_SRC, &kill->src); 2110 snl_add_msg_attr_rule_addr(&nw, PF_CS_DST, &kill->dst); 2111 snl_add_msg_attr_rule_addr(&nw, PF_CS_RT_ADDR, &kill->rt_addr); 2112 snl_add_msg_attr_string(&nw, PF_CS_IFNAME, kill->ifname); 2113 snl_add_msg_attr_string(&nw, PF_CS_LABEL, kill->label); 2114 snl_add_msg_attr_bool(&nw, PF_CS_KILL_MATCH, kill->kill_match); 2115 snl_add_msg_attr_bool(&nw, PF_CS_NAT, kill->nat); 2116 2117 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2118 return (ENXIO); 2119 2120 seq_id = hdr->nlmsg_seq; 2121 2122 if (! snl_send_message(&h->ss, hdr)) 2123 return (ENXIO); 2124 2125 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2126 if (! snl_parse_nlmsg(&h->ss, hdr, &clear_states_parser, &attrs)) 2127 continue; 2128 } 2129 2130 if (killed) 2131 *killed = attrs.killed; 2132 2133 return (e.error); 2134 } 2135 2136 int 2137 pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 2138 unsigned int *killed) 2139 { 2140 return(_pfctl_clear_states_h(h, kill, killed, PFNL_CMD_CLRSTATES)); 2141 } 2142 2143 int 2144 pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 2145 unsigned int *killed) 2146 { 2147 return(_pfctl_clear_states_h(h, kill, killed, PFNL_CMD_KILLSTATES)); 2148 } 2149 2150 static int 2151 _pfctl_clear_states(int dev __unused, const struct pfctl_kill *kill, 2152 unsigned int *killed, uint64_t cmd) 2153 { 2154 struct pfctl_handle *h; 2155 int ret; 2156 2157 h = pfctl_open(PF_DEVICE); 2158 if (h == NULL) 2159 return (ENODEV); 2160 2161 ret = _pfctl_clear_states_h(h, kill, killed, cmd); 2162 pfctl_close(h); 2163 2164 return (ret); 2165 } 2166 2167 int 2168 pfctl_clear_states(int dev __unused, const struct pfctl_kill *kill, 2169 unsigned int *killed) 2170 { 2171 return (_pfctl_clear_states(dev, kill, killed, PFNL_CMD_CLRSTATES)); 2172 } 2173 2174 int 2175 pfctl_kill_states(int dev __unused, const struct pfctl_kill *kill, unsigned int *killed) 2176 { 2177 return (_pfctl_clear_states(dev, kill, killed, PFNL_CMD_KILLSTATES)); 2178 } 2179 2180 int 2181 pfctl_clear_rules(int dev, const char *anchorname) 2182 { 2183 struct pfioc_trans trans; 2184 struct pfioc_trans_e transe[2]; 2185 int ret; 2186 2187 bzero(&trans, sizeof(trans)); 2188 bzero(&transe, sizeof(transe)); 2189 2190 transe[0].rs_num = PF_RULESET_SCRUB; 2191 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 2192 >= sizeof(transe[0].anchor)) 2193 return (E2BIG); 2194 2195 transe[1].rs_num = PF_RULESET_FILTER; 2196 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 2197 >= sizeof(transe[1].anchor)) 2198 return (E2BIG); 2199 2200 trans.size = 2; 2201 trans.esize = sizeof(transe[0]); 2202 trans.array = transe; 2203 2204 ret = ioctl(dev, DIOCXBEGIN, &trans); 2205 if (ret != 0) 2206 return (errno); 2207 ret = ioctl(dev, DIOCXCOMMIT, &trans); 2208 if (ret != 0) 2209 return (errno); 2210 2211 return (0); 2212 } 2213 2214 int 2215 pfctl_clear_nat(int dev, const char *anchorname) 2216 { 2217 struct pfioc_trans trans; 2218 struct pfioc_trans_e transe[3]; 2219 int ret; 2220 2221 bzero(&trans, sizeof(trans)); 2222 bzero(&transe, sizeof(transe)); 2223 2224 transe[0].rs_num = PF_RULESET_NAT; 2225 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 2226 >= sizeof(transe[0].anchor)) 2227 return (E2BIG); 2228 2229 transe[1].rs_num = PF_RULESET_BINAT; 2230 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 2231 >= sizeof(transe[0].anchor)) 2232 return (E2BIG); 2233 2234 transe[2].rs_num = PF_RULESET_RDR; 2235 if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor)) 2236 >= sizeof(transe[2].anchor)) 2237 return (E2BIG); 2238 2239 trans.size = 3; 2240 trans.esize = sizeof(transe[0]); 2241 trans.array = transe; 2242 2243 ret = ioctl(dev, DIOCXBEGIN, &trans); 2244 if (ret != 0) 2245 return (errno); 2246 ret = ioctl(dev, DIOCXCOMMIT, &trans); 2247 if (ret != 0) 2248 return (errno); 2249 2250 return (0); 2251 } 2252 2253 int 2254 pfctl_clear_eth_rules(int dev, const char *anchorname) 2255 { 2256 struct pfioc_trans trans; 2257 struct pfioc_trans_e transe; 2258 int ret; 2259 2260 bzero(&trans, sizeof(trans)); 2261 bzero(&transe, sizeof(transe)); 2262 2263 transe.rs_num = PF_RULESET_ETH; 2264 if (strlcpy(transe.anchor, anchorname, sizeof(transe.anchor)) 2265 >= sizeof(transe.anchor)) 2266 return (E2BIG); 2267 2268 trans.size = 1; 2269 trans.esize = sizeof(transe); 2270 trans.array = &transe; 2271 2272 ret = ioctl(dev, DIOCXBEGIN, &trans); 2273 if (ret != 0) 2274 return (errno); 2275 ret = ioctl(dev, DIOCXCOMMIT, &trans); 2276 if (ret != 0) 2277 return (errno); 2278 2279 return (0); 2280 } 2281 2282 static int 2283 _pfctl_get_limit(int dev, const int index, uint *limit) 2284 { 2285 struct pfioc_limit pl; 2286 2287 bzero(&pl, sizeof(pl)); 2288 pl.index = index; 2289 2290 if (ioctl(dev, DIOCGETLIMIT, &pl) == -1) 2291 return (errno); 2292 2293 *limit = pl.limit; 2294 2295 return (0); 2296 } 2297 2298 int 2299 pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s) 2300 { 2301 struct pfioc_nv nv; 2302 nvlist_t *nvl; 2303 int ret; 2304 uint state_limit; 2305 uint64_t lim, hi, lo; 2306 2307 ret = _pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 2308 if (ret != 0) 2309 return (ret); 2310 2311 if (state_limit == 0) 2312 state_limit = INT_MAX; 2313 2314 lim = state_limit; 2315 hi = lim * s->highwater / 100; 2316 lo = lim * s->lowwater / 100; 2317 2318 if (lo == hi) 2319 hi++; 2320 2321 nvl = nvlist_create(0); 2322 2323 nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER); 2324 nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE); 2325 nvlist_add_number(nvl, "highwater", hi); 2326 nvlist_add_number(nvl, "lowwater", lo); 2327 2328 nv.data = nvlist_pack(nvl, &nv.len); 2329 nv.size = nv.len; 2330 nvlist_destroy(nvl); 2331 nvl = NULL; 2332 2333 ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv); 2334 2335 free(nv.data); 2336 if (ret != 0) 2337 return (errno); 2338 2339 return (0); 2340 } 2341 2342 int 2343 pfctl_get_syncookies(int dev, struct pfctl_syncookies *s) 2344 { 2345 nvlist_t *nvl; 2346 int ret; 2347 uint state_limit; 2348 bool enabled, adaptive; 2349 2350 ret = _pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 2351 if (ret != 0) 2352 return (ret); 2353 2354 if (state_limit == 0) 2355 state_limit = INT_MAX; 2356 2357 bzero(s, sizeof(*s)); 2358 2359 nvl = nvlist_create(0); 2360 2361 if ((ret = pfctl_do_ioctl(dev, DIOCGETSYNCOOKIES, 256, &nvl)) != 0) { 2362 ret = errno; 2363 goto out; 2364 } 2365 2366 enabled = nvlist_get_bool(nvl, "enabled"); 2367 adaptive = nvlist_get_bool(nvl, "adaptive"); 2368 2369 if (enabled) { 2370 if (adaptive) 2371 s->mode = PFCTL_SYNCOOKIES_ADAPTIVE; 2372 else 2373 s->mode = PFCTL_SYNCOOKIES_ALWAYS; 2374 } else { 2375 s->mode = PFCTL_SYNCOOKIES_NEVER; 2376 } 2377 2378 s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit; 2379 s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit; 2380 s->halfopen_states = nvlist_get_number(nvl, "halfopen_states"); 2381 2382 out: 2383 nvlist_destroy(nvl); 2384 return (ret); 2385 } 2386 2387 int 2388 pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 2389 *addr, int size, int *nadd, int flags) 2390 { 2391 struct pfioc_table io; 2392 2393 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 2394 return (EINVAL); 2395 } 2396 bzero(&io, sizeof io); 2397 io.pfrio_flags = flags; 2398 io.pfrio_table = *tbl; 2399 io.pfrio_buffer = addr; 2400 io.pfrio_esize = sizeof(*addr); 2401 io.pfrio_size = size; 2402 2403 if (ioctl(dev, DIOCRADDADDRS, &io)) 2404 return (errno); 2405 if (nadd != NULL) 2406 *nadd = io.pfrio_nadd; 2407 return (0); 2408 } 2409 2410 static void 2411 snl_add_msg_attr_table(struct snl_writer *nw, uint32_t type, 2412 const struct pfr_table *tbl) 2413 { 2414 int off; 2415 2416 off = snl_add_msg_attr_nested(nw, type); 2417 2418 snl_add_msg_attr_string(nw, PF_T_ANCHOR, tbl->pfrt_anchor); 2419 snl_add_msg_attr_string(nw, PF_T_NAME, tbl->pfrt_name); 2420 snl_add_msg_attr_u32(nw, PF_T_TABLE_FLAGS, tbl->pfrt_flags); 2421 2422 snl_end_attr_nested(nw, off); 2423 } 2424 2425 static void 2426 snl_add_msg_attr_pfr_addr(struct snl_writer *nw, uint32_t type, 2427 const struct pfr_addr *addr) 2428 { 2429 int off; 2430 2431 off = snl_add_msg_attr_nested(nw, type); 2432 2433 snl_add_msg_attr_u8(nw, PFR_A_AF, addr->pfra_af); 2434 snl_add_msg_attr_u8(nw, PFR_A_NET, addr->pfra_net); 2435 snl_add_msg_attr_bool(nw, PFR_A_NOT, addr->pfra_not); 2436 snl_add_msg_attr_ip6(nw, PFR_A_ADDR, &addr->pfra_ip6addr); 2437 2438 snl_end_attr_nested(nw, off); 2439 } 2440 2441 static struct snl_attr_parser ap_table_add_addr[] = { 2442 { .type = PF_TA_NBR_ADDED, .off = 0, .cb = snl_attr_get_uint32 }, 2443 }; 2444 SNL_DECLARE_PARSER(table_add_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_table_add_addr); 2445 2446 static int 2447 _pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2448 *addrs, int size, int *nadd, int flags) 2449 { 2450 struct snl_writer nw; 2451 struct snl_errmsg_data e = {}; 2452 struct nlmsghdr *hdr; 2453 uint32_t seq_id; 2454 uint32_t added; 2455 int family_id; 2456 2457 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2458 if (family_id == 0) 2459 return (ENOTSUP); 2460 2461 snl_init_writer(&h->ss, &nw); 2462 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_TABLE_ADD_ADDR); 2463 2464 snl_add_msg_attr_table(&nw, PF_TA_TABLE, tbl); 2465 snl_add_msg_attr_u32(&nw, PF_TA_FLAGS, flags); 2466 for (int i = 0; i < size; i++) 2467 snl_add_msg_attr_pfr_addr(&nw, PF_TA_ADDR, &addrs[i]); 2468 2469 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2470 return (ENXIO); 2471 seq_id = hdr->nlmsg_seq; 2472 2473 if (! snl_send_message(&h->ss, hdr)) 2474 return (ENXIO); 2475 2476 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2477 if (! snl_parse_nlmsg(&h->ss, hdr, &table_add_addr_parser, &added)) 2478 continue; 2479 } 2480 2481 if (nadd) 2482 *nadd = added; 2483 2484 return (e.error); 2485 } 2486 2487 int 2488 pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2489 *addr, int size, int *nadd, int flags) 2490 { 2491 int ret; 2492 int off = 0; 2493 int partial_added; 2494 int chunk_size; 2495 2496 do { 2497 chunk_size = MIN(size - off, 256); 2498 ret = _pfctl_table_add_addrs_h(h, tbl, &addr[off], chunk_size, &partial_added, flags); 2499 if (ret != 0) 2500 break; 2501 if (nadd) 2502 *nadd += partial_added; 2503 off += chunk_size; 2504 } while (off < size); 2505 2506 return (ret); 2507 } 2508 2509 static struct snl_attr_parser ap_table_del_addr[] = { 2510 { .type = PF_TA_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint32 }, 2511 }; 2512 SNL_DECLARE_PARSER(table_del_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_table_del_addr); 2513 static int 2514 _pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2515 *addrs, int size, int *ndel, int flags) 2516 { 2517 struct snl_writer nw; 2518 struct snl_errmsg_data e = {}; 2519 struct nlmsghdr *hdr; 2520 uint32_t seq_id; 2521 uint32_t deleted; 2522 int family_id; 2523 2524 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2525 if (family_id == 0) 2526 return (ENOTSUP); 2527 2528 snl_init_writer(&h->ss, &nw); 2529 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_TABLE_DEL_ADDR); 2530 2531 snl_add_msg_attr_table(&nw, PF_TA_TABLE, tbl); 2532 snl_add_msg_attr_u32(&nw, PF_TA_FLAGS, flags); 2533 for (int i = 0; i < size; i++) 2534 snl_add_msg_attr_pfr_addr(&nw, PF_TA_ADDR, &addrs[i]); 2535 2536 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2537 return (ENXIO); 2538 seq_id = hdr->nlmsg_seq; 2539 2540 if (! snl_send_message(&h->ss, hdr)) 2541 return (ENXIO); 2542 2543 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2544 if (! snl_parse_nlmsg(&h->ss, hdr, &table_del_addr_parser, &deleted)) 2545 continue; 2546 } 2547 2548 if (ndel) 2549 *ndel = deleted; 2550 2551 return (e.error); 2552 } 2553 2554 int 2555 pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 2556 *addr, int size, int *ndel, int flags) 2557 { 2558 struct pfioc_table io; 2559 2560 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 2561 return (EINVAL); 2562 } 2563 bzero(&io, sizeof io); 2564 io.pfrio_flags = flags; 2565 io.pfrio_table = *tbl; 2566 io.pfrio_buffer = addr; 2567 io.pfrio_esize = sizeof(*addr); 2568 io.pfrio_size = size; 2569 2570 if (ioctl(dev, DIOCRDELADDRS, &io)) 2571 return (errno); 2572 if (ndel != NULL) 2573 *ndel = io.pfrio_ndel; 2574 return (0); 2575 } 2576 2577 int 2578 pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr 2579 *addr, int size, int *ndel, int flags) 2580 { 2581 int ret; 2582 int off = 0; 2583 int partial_deleted; 2584 int chunk_size; 2585 2586 do { 2587 chunk_size = MIN(size - off, 256); 2588 ret = _pfctl_table_del_addrs_h(h, tbl, &addr[off], chunk_size, 2589 &partial_deleted, flags); 2590 if (ret != 0) 2591 break; 2592 if (ndel) 2593 *ndel += partial_deleted; 2594 off += chunk_size; 2595 } while (off < size); 2596 2597 return (ret); 2598 } 2599 2600 int 2601 pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 2602 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, int flags) 2603 { 2604 struct pfioc_table io; 2605 2606 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 2607 return (EINVAL); 2608 } 2609 bzero(&io, sizeof io); 2610 io.pfrio_flags = flags; 2611 io.pfrio_table = *tbl; 2612 io.pfrio_buffer = addr; 2613 io.pfrio_esize = sizeof(*addr); 2614 io.pfrio_size = size; 2615 io.pfrio_size2 = (size2 != NULL) ? *size2 : 0; 2616 if (ioctl(dev, DIOCRSETADDRS, &io)) 2617 return (errno); 2618 if (nadd != NULL) 2619 *nadd = io.pfrio_nadd; 2620 if (ndel != NULL) 2621 *ndel = io.pfrio_ndel; 2622 if (nchange != NULL) 2623 *nchange = io.pfrio_nchange; 2624 if (size2 != NULL) 2625 *size2 = io.pfrio_size2; 2626 return (0); 2627 } 2628 2629 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr *addr, 2630 int *size, int flags) 2631 { 2632 struct pfioc_table io; 2633 2634 if (tbl == NULL || size == NULL || *size < 0 || 2635 (*size && addr == NULL)) { 2636 return (EINVAL); 2637 } 2638 bzero(&io, sizeof io); 2639 io.pfrio_flags = flags; 2640 io.pfrio_table = *tbl; 2641 io.pfrio_buffer = addr; 2642 io.pfrio_esize = sizeof(*addr); 2643 io.pfrio_size = *size; 2644 if (ioctl(dev, DIOCRGETADDRS, &io)) 2645 return (errno); 2646 *size = io.pfrio_size; 2647 return (0); 2648 } 2649 2650 int 2651 pfctl_set_statusif(struct pfctl_handle *h, const char *ifname) 2652 { 2653 struct snl_writer nw; 2654 struct snl_errmsg_data e = {}; 2655 struct nlmsghdr *hdr; 2656 uint32_t seq_id; 2657 int family_id; 2658 2659 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2660 if (family_id == 0) 2661 return (ENOTSUP); 2662 2663 snl_init_writer(&h->ss, &nw); 2664 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_STATUSIF); 2665 2666 snl_add_msg_attr_string(&nw, PF_SS_IFNAME, ifname); 2667 2668 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2669 return (ENXIO); 2670 2671 seq_id = hdr->nlmsg_seq; 2672 2673 if (! snl_send_message(&h->ss, hdr)) 2674 return (ENXIO); 2675 2676 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2677 } 2678 2679 return (e.error); 2680 } 2681 2682 #define _IN(_field) offsetof(struct genlmsghdr, _field) 2683 #define _OUT(_field) offsetof(struct pfctl_natlook, _field) 2684 static struct snl_attr_parser ap_natlook[] = { 2685 { .type = PF_NL_SRC_ADDR, .off = _OUT(saddr), .cb = snl_attr_get_in6_addr }, 2686 { .type = PF_NL_DST_ADDR, .off = _OUT(daddr), .cb = snl_attr_get_in6_addr }, 2687 { .type = PF_NL_SRC_PORT, .off = _OUT(sport), .cb = snl_attr_get_uint16 }, 2688 { .type = PF_NL_DST_PORT, .off = _OUT(dport), .cb = snl_attr_get_uint16 }, 2689 }; 2690 #undef _IN 2691 #undef _OUT 2692 SNL_DECLARE_PARSER(natlook_parser, struct genlmsghdr, snl_f_p_empty, ap_natlook); 2693 2694 int 2695 pfctl_natlook(struct pfctl_handle *h, const struct pfctl_natlook_key *k, 2696 struct pfctl_natlook *r) 2697 { 2698 struct snl_writer nw; 2699 struct snl_errmsg_data e = {}; 2700 struct nlmsghdr *hdr; 2701 uint32_t seq_id; 2702 int family_id; 2703 2704 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2705 if (family_id == 0) 2706 return (ENOTSUP); 2707 2708 snl_init_writer(&h->ss, &nw); 2709 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_NATLOOK); 2710 hdr->nlmsg_flags |= NLM_F_DUMP; 2711 2712 snl_add_msg_attr_u8(&nw, PF_NL_AF, k->af); 2713 snl_add_msg_attr_u8(&nw, PF_NL_DIRECTION, k->direction); 2714 snl_add_msg_attr_u8(&nw, PF_NL_PROTO, k->proto); 2715 snl_add_msg_attr_ip6(&nw, PF_NL_SRC_ADDR, &k->saddr.v6); 2716 snl_add_msg_attr_ip6(&nw, PF_NL_DST_ADDR, &k->daddr.v6); 2717 snl_add_msg_attr_u16(&nw, PF_NL_SRC_PORT, k->sport); 2718 snl_add_msg_attr_u16(&nw, PF_NL_DST_PORT, k->dport); 2719 2720 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2721 return (ENXIO); 2722 2723 seq_id = hdr->nlmsg_seq; 2724 2725 if (! snl_send_message(&h->ss, hdr)) 2726 return (ENXIO); 2727 2728 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2729 if (! snl_parse_nlmsg(&h->ss, hdr, &natlook_parser, r)) 2730 continue; 2731 } 2732 2733 return (e.error); 2734 } 2735 2736 int 2737 pfctl_set_debug(struct pfctl_handle *h, uint32_t level) 2738 { 2739 struct snl_writer nw; 2740 struct snl_errmsg_data e = {}; 2741 struct nlmsghdr *hdr; 2742 uint32_t seq_id; 2743 int family_id; 2744 2745 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2746 if (family_id == 0) 2747 return (ENOTSUP); 2748 2749 snl_init_writer(&h->ss, &nw); 2750 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_DEBUG); 2751 2752 snl_add_msg_attr_u32(&nw, PF_SD_LEVEL, level); 2753 2754 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2755 return (ENXIO); 2756 2757 seq_id = hdr->nlmsg_seq; 2758 2759 if (! snl_send_message(&h->ss, hdr)) 2760 return (ENXIO); 2761 2762 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2763 } 2764 2765 return (e.error); 2766 } 2767 2768 int 2769 pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds) 2770 { 2771 struct snl_writer nw; 2772 struct snl_errmsg_data e = {}; 2773 struct nlmsghdr *hdr; 2774 uint32_t seq_id; 2775 int family_id; 2776 2777 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2778 if (family_id == 0) 2779 return (ENOTSUP); 2780 2781 snl_init_writer(&h->ss, &nw); 2782 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_TIMEOUT); 2783 2784 snl_add_msg_attr_u32(&nw, PF_TO_TIMEOUT, timeout); 2785 snl_add_msg_attr_u32(&nw, PF_TO_SECONDS, seconds); 2786 2787 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2788 return (ENXIO); 2789 2790 seq_id = hdr->nlmsg_seq; 2791 2792 if (! snl_send_message(&h->ss, hdr)) 2793 return (ENXIO); 2794 2795 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2796 } 2797 2798 return (e.error); 2799 } 2800 2801 struct pfctl_nl_timeout { 2802 uint32_t seconds; 2803 }; 2804 #define _OUT(_field) offsetof(struct pfctl_nl_timeout, _field) 2805 static struct snl_attr_parser ap_get_timeout[] = { 2806 { .type = PF_TO_SECONDS, .off = _OUT(seconds), .cb = snl_attr_get_uint32 }, 2807 }; 2808 #undef _OUT 2809 SNL_DECLARE_PARSER(get_timeout_parser, struct genlmsghdr, snl_f_p_empty, ap_get_timeout); 2810 2811 int 2812 pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds) 2813 { 2814 struct snl_writer nw; 2815 struct pfctl_nl_timeout to = {}; 2816 struct snl_errmsg_data e = {}; 2817 struct nlmsghdr *hdr; 2818 uint32_t seq_id; 2819 int family_id; 2820 2821 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2822 if (family_id == 0) 2823 return (ENOTSUP); 2824 2825 snl_init_writer(&h->ss, &nw); 2826 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_TIMEOUT); 2827 hdr->nlmsg_flags |= NLM_F_DUMP; 2828 2829 snl_add_msg_attr_u32(&nw, PF_TO_TIMEOUT, timeout); 2830 2831 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2832 return (ENXIO); 2833 2834 seq_id = hdr->nlmsg_seq; 2835 2836 if (! snl_send_message(&h->ss, hdr)) 2837 return (ENXIO); 2838 2839 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2840 if (! snl_parse_nlmsg(&h->ss, hdr, &get_timeout_parser, &to)) 2841 continue; 2842 } 2843 2844 if (seconds != NULL) 2845 *seconds = to.seconds; 2846 2847 return (e.error); 2848 } 2849 2850 int 2851 pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit) 2852 { 2853 struct snl_writer nw; 2854 struct snl_errmsg_data e = {}; 2855 struct nlmsghdr *hdr; 2856 uint32_t seq_id; 2857 int family_id; 2858 2859 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2860 if (family_id == 0) 2861 return (ENOTSUP); 2862 2863 snl_init_writer(&h->ss, &nw); 2864 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_SET_LIMIT); 2865 2866 snl_add_msg_attr_u32(&nw, PF_LI_INDEX, index); 2867 snl_add_msg_attr_u32(&nw, PF_LI_LIMIT, limit); 2868 2869 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2870 return (ENXIO); 2871 2872 seq_id = hdr->nlmsg_seq; 2873 2874 if (! snl_send_message(&h->ss, hdr)) 2875 return (ENXIO); 2876 2877 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2878 } 2879 2880 return (e.error); 2881 } 2882 2883 struct pfctl_nl_limit { 2884 unsigned int limit; 2885 }; 2886 #define _OUT(_field) offsetof(struct pfctl_nl_limit, _field) 2887 static struct snl_attr_parser ap_get_limit[] = { 2888 { .type = PF_LI_LIMIT, .off = _OUT(limit), .cb = snl_attr_get_uint32 }, 2889 }; 2890 #undef _OUT 2891 SNL_DECLARE_PARSER(get_limit_parser, struct genlmsghdr, snl_f_p_empty, ap_get_limit); 2892 2893 int 2894 pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit) 2895 { 2896 struct snl_writer nw; 2897 struct pfctl_nl_limit li = {}; 2898 struct snl_errmsg_data e = {}; 2899 struct nlmsghdr *hdr; 2900 uint32_t seq_id; 2901 int family_id; 2902 2903 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2904 if (family_id == 0) 2905 return (ENOTSUP); 2906 2907 snl_init_writer(&h->ss, &nw); 2908 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_LIMIT); 2909 hdr->nlmsg_flags |= NLM_F_DUMP; 2910 2911 snl_add_msg_attr_u32(&nw, PF_LI_INDEX, index); 2912 2913 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2914 return (ENXIO); 2915 2916 seq_id = hdr->nlmsg_seq; 2917 2918 if (! snl_send_message(&h->ss, hdr)) 2919 return (ENXIO); 2920 2921 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2922 if (! snl_parse_nlmsg(&h->ss, hdr, &get_limit_parser, &li)) 2923 continue; 2924 } 2925 2926 if (limit != NULL) 2927 *limit = li.limit; 2928 2929 return (e.error); 2930 } 2931 2932 struct pfctl_nl_begin_addrs { 2933 uint32_t ticket; 2934 }; 2935 #define _OUT(_field) offsetof(struct pfctl_nl_begin_addrs, _field) 2936 static struct snl_attr_parser ap_begin_addrs[] = { 2937 { .type = PF_BA_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 }, 2938 }; 2939 #undef _OUT 2940 SNL_DECLARE_PARSER(begin_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_begin_addrs); 2941 2942 int 2943 pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket) 2944 { 2945 struct snl_writer nw; 2946 struct pfctl_nl_begin_addrs attrs = {}; 2947 struct snl_errmsg_data e = {}; 2948 struct nlmsghdr *hdr; 2949 uint32_t seq_id; 2950 int family_id; 2951 2952 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2953 if (family_id == 0) 2954 return (ENOTSUP); 2955 2956 snl_init_writer(&h->ss, &nw); 2957 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_BEGIN_ADDRS); 2958 hdr->nlmsg_flags |= NLM_F_DUMP; 2959 2960 if ((hdr = snl_finalize_msg(&nw)) == NULL) 2961 return (ENXIO); 2962 2963 seq_id = hdr->nlmsg_seq; 2964 2965 if (! snl_send_message(&h->ss, hdr)) 2966 return (ENXIO); 2967 2968 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 2969 if (! snl_parse_nlmsg(&h->ss, hdr, &begin_addrs_parser, &attrs)) 2970 continue; 2971 } 2972 2973 if (ticket != NULL) 2974 *ticket = attrs.ticket; 2975 2976 return (e.error); 2977 } 2978 2979 int 2980 pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which) 2981 { 2982 struct snl_writer nw; 2983 struct snl_errmsg_data e = {}; 2984 struct nlmsghdr *hdr; 2985 uint32_t seq_id; 2986 int family_id; 2987 2988 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 2989 if (family_id == 0) 2990 return (ENOTSUP); 2991 2992 snl_init_writer(&h->ss, &nw); 2993 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADD_ADDR); 2994 2995 snl_add_msg_attr_u32(&nw, PF_AA_ACTION, pa->action); 2996 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, pa->ticket); 2997 snl_add_msg_attr_u32(&nw, PF_AA_NR, pa->nr); 2998 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, pa->r_num); 2999 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, pa->r_action); 3000 snl_add_msg_attr_u8(&nw, PF_AA_R_LAST, pa->r_last); 3001 snl_add_msg_attr_u8(&nw, PF_AA_AF, pa->af); 3002 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, pa->anchor); 3003 snl_add_msg_attr_pool_addr(&nw, PF_AA_ADDR, &pa->addr); 3004 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which); 3005 3006 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3007 return (ENXIO); 3008 3009 seq_id = hdr->nlmsg_seq; 3010 3011 if (! snl_send_message(&h->ss, hdr)) 3012 return (ENXIO); 3013 3014 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3015 } 3016 3017 return (e.error); 3018 } 3019 3020 static const struct snl_attr_parser ap_get_addrs[] = { 3021 { .type = PF_AA_NR, .off = 0, .cb = snl_attr_get_uint32 }, 3022 }; 3023 SNL_DECLARE_PARSER(get_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_get_addrs); 3024 3025 int 3026 pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, 3027 uint8_t r_action, const char *anchor, uint32_t *nr, int which) 3028 { 3029 struct snl_writer nw; 3030 struct snl_errmsg_data e = {}; 3031 struct nlmsghdr *hdr; 3032 uint32_t seq_id; 3033 int family_id; 3034 3035 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3036 if (family_id == 0) 3037 return (ENOTSUP); 3038 3039 snl_init_writer(&h->ss, &nw); 3040 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_ADDRS); 3041 3042 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, ticket); 3043 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, r_num); 3044 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, r_action); 3045 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, anchor); 3046 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which); 3047 3048 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3049 return (ENXIO); 3050 3051 seq_id = hdr->nlmsg_seq; 3052 3053 if (! snl_send_message(&h->ss, hdr)) 3054 return (ENXIO); 3055 3056 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3057 if (! snl_parse_nlmsg(&h->ss, hdr, &get_addrs_parser, nr)) 3058 continue; 3059 } 3060 3061 return (e.error); 3062 } 3063 3064 #define _OUT(_field) offsetof(struct pf_pooladdr, _field) 3065 static const struct snl_attr_parser ap_pool_addr[] = { 3066 { .type = PF_PA_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = snl_attr_get_nested }, 3067 { .type = PF_PA_IFNAME, .off = _OUT(ifname), .arg_u32 = IFNAMSIZ, .cb = snl_attr_copy_string }, 3068 }; 3069 SNL_DECLARE_ATTR_PARSER(pool_addr_parser, ap_pool_addr); 3070 #undef _OUT 3071 3072 #define _OUT(_field) offsetof(struct pfioc_pooladdr, _field) 3073 static const struct snl_attr_parser ap_get_addr[] = { 3074 { .type = PF_AA_ACTION, .off = _OUT(action), .cb = snl_attr_get_uint32 }, 3075 { .type = PF_AA_TICKET, .off = _OUT(ticket), .cb = snl_attr_get_uint32 }, 3076 { .type = PF_AA_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 }, 3077 { .type = PF_AA_R_NUM, .off = _OUT(r_num), .cb = snl_attr_get_uint32 }, 3078 { .type = PF_AA_R_ACTION, .off = _OUT(r_action), .cb = snl_attr_get_uint8 }, 3079 { .type = PF_AA_R_LAST, .off = _OUT(r_last), .cb = snl_attr_get_uint8 }, 3080 { .type = PF_AA_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, 3081 { .type = PF_AA_ANCHOR, .off = _OUT(anchor), .arg_u32 = MAXPATHLEN, .cb = snl_attr_copy_string }, 3082 { .type = PF_AA_ADDR, .off = _OUT(addr), .arg = &pool_addr_parser, .cb = snl_attr_get_nested }, 3083 }; 3084 SNL_DECLARE_PARSER(get_addr_parser, struct genlmsghdr, snl_f_p_empty, ap_get_addr); 3085 #undef _OUT 3086 3087 int 3088 pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, 3089 uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa, 3090 int which) 3091 { 3092 struct snl_writer nw; 3093 struct snl_errmsg_data e = {}; 3094 struct nlmsghdr *hdr; 3095 uint32_t seq_id; 3096 int family_id; 3097 3098 family_id =snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3099 if (family_id == 0) 3100 return (ENOTSUP); 3101 3102 snl_init_writer(&h->ss, &nw); 3103 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_ADDR); 3104 3105 snl_add_msg_attr_u32(&nw, PF_AA_TICKET, ticket); 3106 snl_add_msg_attr_u32(&nw, PF_AA_R_NUM, r_num); 3107 snl_add_msg_attr_u8(&nw, PF_AA_R_ACTION, r_action); 3108 snl_add_msg_attr_string(&nw, PF_AA_ANCHOR, anchor); 3109 snl_add_msg_attr_u32(&nw, PF_AA_NR, nr); 3110 snl_add_msg_attr_u32(&nw, PF_AA_WHICH, which); 3111 3112 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3113 return (ENXIO); 3114 3115 seq_id = hdr->nlmsg_seq; 3116 3117 if (! snl_send_message(&h->ss, hdr)) 3118 return (ENXIO); 3119 3120 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3121 if (! snl_parse_nlmsg(&h->ss, hdr, &get_addr_parser, pa)) 3122 continue; 3123 } 3124 3125 return (e.error); 3126 } 3127 3128 #define _OUT(_field) offsetof(struct pfioc_ruleset, _field) 3129 static const struct snl_attr_parser ap_ruleset[] = { 3130 { .type = PF_RS_NR, .off = _OUT(nr), .cb = snl_attr_get_uint32 }, 3131 { .type = PF_RS_NAME, .off = _OUT(name), .arg = (void *)PF_ANCHOR_NAME_SIZE, .cb = snl_attr_copy_string }, 3132 }; 3133 SNL_DECLARE_PARSER(ruleset_parser, struct genlmsghdr, snl_f_p_empty, ap_ruleset); 3134 #undef _OUT 3135 3136 int 3137 pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr) 3138 { 3139 struct snl_writer nw; 3140 struct snl_errmsg_data e = {}; 3141 struct nlmsghdr *hdr; 3142 struct pfioc_ruleset rs = {}; 3143 uint32_t seq_id; 3144 int family_id; 3145 3146 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3147 if (family_id == 0) 3148 return (ENOTSUP); 3149 3150 snl_init_writer(&h->ss, &nw); 3151 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_RULESETS); 3152 3153 snl_add_msg_attr_string(&nw, PF_RS_PATH, path); 3154 3155 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3156 return (ENXIO); 3157 3158 seq_id = hdr->nlmsg_seq; 3159 3160 if (! snl_send_message(&h->ss, hdr)) 3161 return (ENXIO); 3162 3163 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3164 if (! snl_parse_nlmsg(&h->ss, hdr, &ruleset_parser, &rs)) 3165 continue; 3166 } 3167 3168 *nr = rs.nr; 3169 3170 return (e.error); 3171 } 3172 3173 int 3174 pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs) 3175 { 3176 struct snl_writer nw; 3177 struct snl_errmsg_data e = {}; 3178 struct nlmsghdr *hdr; 3179 uint32_t seq_id; 3180 int family_id; 3181 3182 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3183 if (family_id == 0) 3184 return (ENOTSUP); 3185 3186 snl_init_writer(&h->ss, &nw); 3187 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_RULESET); 3188 3189 snl_add_msg_attr_string(&nw, PF_RS_PATH, path); 3190 snl_add_msg_attr_u32(&nw, PF_RS_NR, nr); 3191 3192 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3193 return (ENXIO); 3194 3195 seq_id = hdr->nlmsg_seq; 3196 3197 if (! snl_send_message(&h->ss, hdr)) 3198 return (ENXIO); 3199 3200 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3201 if (! snl_parse_nlmsg(&h->ss, hdr, &ruleset_parser, rs)) 3202 continue; 3203 } 3204 3205 return (e.error); 3206 } 3207 3208 #define _OUT(_field) offsetof(struct pfctl_src_node, _field) 3209 static struct snl_attr_parser ap_srcnode[] = { 3210 { .type = PF_SN_ADDR, .off = _OUT(addr), .cb = snl_attr_get_in6_addr }, 3211 { .type = PF_SN_RADDR, .off = _OUT(raddr), .cb = snl_attr_get_in6_addr }, 3212 { .type = PF_SN_RULE_NR, .off = _OUT(rule), .cb = snl_attr_get_uint32 }, 3213 { .type = PF_SN_BYTES_IN, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 }, 3214 { .type = PF_SN_BYTES_OUT, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 }, 3215 { .type = PF_SN_PACKETS_IN, .off = _OUT(packets[0]), .cb = snl_attr_get_uint64 }, 3216 { .type = PF_SN_PACKETS_OUT, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 }, 3217 { .type = PF_SN_STATES, .off = _OUT(states), .cb = snl_attr_get_uint32 }, 3218 { .type = PF_SN_CONNECTIONS, .off = _OUT(conn), .cb = snl_attr_get_uint32 }, 3219 { .type = PF_SN_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, 3220 { .type = PF_SN_RULE_TYPE, .off = _OUT(ruletype), .cb = snl_attr_get_uint8 }, 3221 { .type = PF_SN_CREATION, .off = _OUT(creation), .cb = snl_attr_get_uint64 }, 3222 { .type = PF_SN_EXPIRE, .off = _OUT(expire), .cb = snl_attr_get_uint64 }, 3223 { .type = PF_SN_CONNECTION_RATE, .off = _OUT(conn_rate), .arg = &pfctl_threshold_parser, .cb = snl_attr_get_nested }, 3224 { .type = PF_SN_RAF, .off = _OUT(raf), .cb = snl_attr_get_uint8 }, 3225 { .type = PF_SN_NODE_TYPE, .off = _OUT(type), .cb = snl_attr_get_uint8 }, 3226 }; 3227 #undef _OUT 3228 SNL_DECLARE_PARSER(srcnode_parser, struct genlmsghdr, snl_f_p_empty, ap_srcnode); 3229 3230 int 3231 pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg) 3232 { 3233 struct snl_writer nw; 3234 struct pfctl_src_node sn; 3235 struct snl_errmsg_data e = {}; 3236 struct nlmsghdr *hdr; 3237 uint32_t seq_id; 3238 int family_id; 3239 int ret; 3240 3241 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3242 if (family_id == 0) 3243 return (ENOTSUP); 3244 3245 snl_init_writer(&h->ss, &nw); 3246 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_SRCNODES); 3247 3248 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3249 return (ENXIO); 3250 3251 seq_id = hdr->nlmsg_seq; 3252 3253 if (!snl_send_message(&h->ss, hdr)) 3254 return (ENXIO); 3255 3256 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3257 bzero(&sn, sizeof(sn)); 3258 if (!snl_parse_nlmsg(&h->ss, hdr, &srcnode_parser, &sn)) 3259 continue; 3260 3261 ret = fn(&sn, arg); 3262 if (ret != 0) 3263 return (ret); 3264 } 3265 3266 return (e.error); 3267 } 3268 3269 static struct snl_attr_parser ap_ndel[] = { 3270 { .type = PF_T_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint32 }, 3271 }; 3272 SNL_DECLARE_PARSER(ndel_parser, struct genlmsghdr, snl_f_p_empty, ap_ndel); 3273 3274 int 3275 pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter, 3276 int *ndel, int flags) 3277 { 3278 struct snl_writer nw; 3279 struct snl_errmsg_data e = {}; 3280 struct nlmsghdr *hdr; 3281 uint32_t seq_id; 3282 int family_id; 3283 3284 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3285 if (family_id == 0) 3286 return (ENOTSUP); 3287 3288 snl_init_writer(&h->ss, &nw); 3289 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLEAR_TABLES); 3290 3291 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3292 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3293 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3294 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3295 3296 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3297 return (ENXIO); 3298 3299 seq_id = hdr->nlmsg_seq; 3300 3301 if (!snl_send_message(&h->ss, hdr)) 3302 return (ENXIO); 3303 3304 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3305 if (!snl_parse_nlmsg(&h->ss, hdr, &ndel_parser, ndel)) 3306 continue; 3307 } 3308 3309 return (e.error); 3310 } 3311 3312 static struct snl_attr_parser ap_nadd[] = { 3313 { .type = PF_T_NBR_ADDED, .off = 0, .cb = snl_attr_get_uint32 }, 3314 }; 3315 SNL_DECLARE_PARSER(nadd_parser, struct genlmsghdr, snl_f_p_empty, ap_nadd); 3316 int 3317 pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table, 3318 int *nadd, int flags) 3319 { 3320 struct snl_writer nw; 3321 struct snl_errmsg_data e = {}; 3322 struct nlmsghdr *hdr; 3323 uint32_t seq_id; 3324 int family_id; 3325 3326 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3327 if (family_id == 0) 3328 return (ENOTSUP); 3329 3330 snl_init_writer(&h->ss, &nw); 3331 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADD_TABLE); 3332 3333 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, table->pfrt_anchor); 3334 snl_add_msg_attr_string(&nw, PF_T_NAME, table->pfrt_name); 3335 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, table->pfrt_flags); 3336 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3337 3338 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3339 return (ENXIO); 3340 3341 seq_id = hdr->nlmsg_seq; 3342 3343 if (!snl_send_message(&h->ss, hdr)) 3344 return (ENXIO); 3345 3346 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3347 if (!snl_parse_nlmsg(&h->ss, hdr, &nadd_parser, nadd)) 3348 continue; 3349 } 3350 3351 return (e.error); 3352 } 3353 3354 int 3355 pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table, 3356 int *ndel, int flags) 3357 { 3358 struct snl_writer nw; 3359 struct snl_errmsg_data e = {}; 3360 struct nlmsghdr *hdr; 3361 uint32_t seq_id; 3362 int family_id; 3363 3364 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3365 if (family_id == 0) 3366 return (ENOTSUP); 3367 3368 snl_init_writer(&h->ss, &nw); 3369 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_DEL_TABLE); 3370 3371 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, table->pfrt_anchor); 3372 snl_add_msg_attr_string(&nw, PF_T_NAME, table->pfrt_name); 3373 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, table->pfrt_flags); 3374 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3375 3376 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3377 return (ENXIO); 3378 3379 seq_id = hdr->nlmsg_seq; 3380 3381 if (!snl_send_message(&h->ss, hdr)) 3382 return (ENXIO); 3383 3384 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3385 if (!snl_parse_nlmsg(&h->ss, hdr, &ndel_parser, ndel)) 3386 continue; 3387 } 3388 3389 return (e.error); 3390 } 3391 3392 static bool 3393 snl_attr_get_uint64_into_int_array(struct snl_state *ss, struct nlattr *nla, 3394 const void *arg, void *target) 3395 { 3396 uint64_t *u64target; 3397 struct snl_uint64_array a = { 3398 .count = 0, 3399 .max = (size_t)arg, 3400 }; 3401 bool error; 3402 3403 u64target = malloc(a.max * sizeof(uint64_t)); 3404 a.array = u64target; 3405 3406 error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla), &array_parser, &a); 3407 if (! error) 3408 return (error); 3409 3410 for (size_t i = 0; i < a.count; i++) 3411 ((int *)target)[i] = (int)u64target[i]; 3412 3413 free(u64target); 3414 3415 return (true); 3416 } 3417 3418 #define _OUT(_field) offsetof(struct pfr_table, _field) 3419 static const struct snl_attr_parser ap_table[] = { 3420 { .type = PF_T_ANCHOR, .off = _OUT(pfrt_anchor), .arg = (void *)MAXPATHLEN, .cb = snl_attr_copy_string }, 3421 { .type = PF_T_NAME, .off = _OUT(pfrt_name), .arg = (void *)PF_TABLE_NAME_SIZE, .cb =snl_attr_copy_string }, 3422 { .type = PF_T_TABLE_FLAGS, .off = _OUT(pfrt_flags), .cb = snl_attr_get_uint32 }, 3423 }; 3424 #undef _OUT 3425 SNL_DECLARE_ATTR_PARSER(table_parser, ap_table); 3426 #define _OUT(_field) offsetof(struct pfr_tstats, _field) 3427 static struct snl_attr_parser ap_tstats[] = { 3428 { .type = PF_TS_TABLE, .off = _OUT(pfrts_t), .arg = &table_parser, .cb = snl_attr_get_nested }, 3429 { .type = PF_TS_PACKETS, .off = _OUT(pfrts_packets), .arg = (void *)(PFR_DIR_MAX * PFR_OP_TABLE_MAX), .cb = snl_attr_get_uint64_array}, 3430 { .type = PF_TS_BYTES, .off = _OUT(pfrts_bytes), .arg = (void *)(PFR_DIR_MAX * PFR_OP_TABLE_MAX), .cb = snl_attr_get_uint64_array }, 3431 { .type = PF_TS_MATCH, .off = _OUT(pfrts_match), .cb = snl_attr_get_uint64 }, 3432 {. type = PF_TS_NOMATCH, .off = _OUT(pfrts_nomatch), .cb = snl_attr_get_uint64 }, 3433 { .type = PF_TS_TZERO, .off = _OUT(pfrts_tzero), .cb = snl_attr_get_uint64 }, 3434 { .type = PF_TS_REFCNT, .off = _OUT(pfrts_cnt), . arg = (void *)PFR_REFCNT_MAX, .cb = snl_attr_get_uint64_into_int_array }, 3435 }; 3436 #undef _OUT 3437 SNL_DECLARE_PARSER(tstats_parser, struct genlmsghdr, snl_f_p_empty, ap_tstats); 3438 3439 int 3440 pfctl_get_tstats(struct pfctl_handle *h, const struct pfr_table *filter, 3441 pfctl_get_tstats_fn fn, void *arg) 3442 { 3443 struct snl_writer nw; 3444 struct snl_errmsg_data e = {}; 3445 struct nlmsghdr *hdr; 3446 uint32_t seq_id; 3447 int family_id; 3448 int ret; 3449 3450 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3451 if (family_id == 0) 3452 return (ENOTSUP); 3453 3454 snl_init_writer(&h->ss, &nw); 3455 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_TSTATS); 3456 3457 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3458 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3459 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3460 3461 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3462 return (ENXIO); 3463 3464 seq_id = hdr->nlmsg_seq; 3465 3466 if (!snl_send_message(&h->ss, hdr)) 3467 return (ENXIO); 3468 3469 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3470 struct pfr_tstats tstats = {}; 3471 3472 if (!snl_parse_nlmsg(&h->ss, hdr, &tstats_parser, &tstats)) 3473 continue; 3474 3475 ret = fn(&tstats, arg); 3476 if (ret != 0) 3477 break; 3478 } 3479 3480 return (e.error); 3481 } 3482 3483 static struct snl_attr_parser ap_tstats_clr[] = { 3484 { .type = PF_TS_NZERO, .off = 0, .cb = snl_attr_get_uint64 }, 3485 }; 3486 SNL_DECLARE_PARSER(tstats_clr_parser, struct genlmsghdr, snl_f_p_empty, ap_tstats_clr); 3487 3488 int 3489 pfctl_clear_tstats(struct pfctl_handle *h, const struct pfr_table *filter, 3490 int *nzero, int flags) 3491 { 3492 struct snl_writer nw; 3493 struct snl_errmsg_data e = {}; 3494 struct nlmsghdr *hdr; 3495 uint64_t zero; 3496 uint32_t seq_id; 3497 int family_id; 3498 3499 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3500 if (family_id == 0) 3501 return (ENOTSUP); 3502 3503 snl_init_writer(&h->ss, &nw); 3504 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLR_TSTATS); 3505 3506 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3507 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3508 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3509 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3510 3511 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3512 return (ENXIO); 3513 3514 seq_id = hdr->nlmsg_seq; 3515 3516 if (!snl_send_message(&h->ss, hdr)) 3517 return (ENXIO); 3518 3519 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3520 if (!snl_parse_nlmsg(&h->ss, hdr, &tstats_clr_parser, &zero)) 3521 continue; 3522 if (nzero) 3523 *nzero = (uint32_t)zero; 3524 } 3525 3526 return (e.error); 3527 } 3528 3529 static struct snl_attr_parser ap_clr_addrs[] = { 3530 { .type = PF_T_NBR_DELETED, .off = 0, .cb = snl_attr_get_uint64 }, 3531 }; 3532 SNL_DECLARE_PARSER(clr_addrs_parser, struct genlmsghdr, snl_f_p_empty, ap_clr_addrs); 3533 3534 int 3535 pfctl_clear_addrs(struct pfctl_handle *h, const struct pfr_table *filter, 3536 int *ndel, int flags) 3537 { 3538 struct snl_writer nw; 3539 struct snl_errmsg_data e = {}; 3540 struct nlmsghdr *hdr; 3541 uint64_t del; 3542 uint32_t seq_id; 3543 int family_id; 3544 3545 family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); 3546 if (family_id == 0) 3547 return (ENOTSUP); 3548 3549 snl_init_writer(&h->ss, &nw); 3550 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_CLR_ADDRS); 3551 3552 snl_add_msg_attr_string(&nw, PF_T_ANCHOR, filter->pfrt_anchor); 3553 snl_add_msg_attr_string(&nw, PF_T_NAME, filter->pfrt_name); 3554 snl_add_msg_attr_u32(&nw, PF_T_TABLE_FLAGS, filter->pfrt_flags); 3555 snl_add_msg_attr_u32(&nw, PF_T_FLAGS, flags); 3556 3557 if ((hdr = snl_finalize_msg(&nw)) == NULL) 3558 return (ENXIO); 3559 3560 seq_id = hdr->nlmsg_seq; 3561 3562 if (!snl_send_message(&h->ss, hdr)) 3563 return (ENXIO); 3564 3565 while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { 3566 if (!snl_parse_nlmsg(&h->ss, hdr, &clr_addrs_parser, &del)) 3567 continue; 3568 if (ndel) 3569 *ndel = (uint32_t)del; 3570 } 3571 3572 return (e.error); 3573 } 3574 3575