1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 34 #include <sys/ioctl.h> 35 #include <sys/nv.h> 36 #include <sys/queue.h> 37 #include <sys/types.h> 38 39 #include <net/if.h> 40 #include <net/pfvar.h> 41 #include <netinet/in.h> 42 43 #include <netpfil/pf/pf_nl.h> 44 #include <netlink/netlink.h> 45 #include <netlink/netlink_generic.h> 46 #include <netlink/netlink_snl.h> 47 #include <netlink/netlink_snl_generic.h> 48 #include <netlink/netlink_snl_route.h> 49 50 #include <assert.h> 51 #include <err.h> 52 #include <errno.h> 53 #include <stdlib.h> 54 #include <string.h> 55 56 #include "libpfctl.h" 57 58 const char* PFCTL_SYNCOOKIES_MODE_NAMES[] = { 59 "never", 60 "always", 61 "adaptive" 62 }; 63 64 static int _pfctl_clear_states(int , const struct pfctl_kill *, 65 unsigned int *, uint64_t); 66 67 static int 68 pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl) 69 { 70 struct pfioc_nv nv; 71 void *data; 72 size_t nvlen; 73 int ret; 74 75 data = nvlist_pack(*nvl, &nvlen); 76 if (nvlen > size) 77 size = nvlen; 78 79 retry: 80 nv.data = malloc(size); 81 memcpy(nv.data, data, nvlen); 82 83 nv.len = nvlen; 84 nv.size = size; 85 86 ret = ioctl(dev, cmd, &nv); 87 if (ret == -1 && errno == ENOSPC) { 88 size *= 2; 89 free(nv.data); 90 goto retry; 91 } 92 93 nvlist_destroy(*nvl); 94 *nvl = NULL; 95 96 if (ret == 0) { 97 *nvl = nvlist_unpack(nv.data, nv.len, 0); 98 if (*nvl == NULL) { 99 ret = EIO; 100 goto out; 101 } 102 } else { 103 ret = errno; 104 } 105 106 out: 107 free(data); 108 free(nv.data); 109 110 return (ret); 111 } 112 113 static void 114 pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems, 115 uint8_t *numbers, size_t *nelems) 116 { 117 const uint64_t *tmp; 118 size_t elems; 119 120 tmp = nvlist_get_number_array(nvl, name, &elems); 121 assert(elems <= maxelems); 122 123 for (size_t i = 0; i < elems; i++) 124 numbers[i] = tmp[i]; 125 126 if (nelems) 127 *nelems = elems; 128 } 129 130 static void 131 pf_nvuint_16_array(const nvlist_t *nvl, const char *name, size_t maxelems, 132 uint16_t *numbers, size_t *nelems) 133 { 134 const uint64_t *tmp; 135 size_t elems; 136 137 tmp = nvlist_get_number_array(nvl, name, &elems); 138 assert(elems <= maxelems); 139 140 for (size_t i = 0; i < elems; i++) 141 numbers[i] = tmp[i]; 142 143 if (nelems) 144 *nelems = elems; 145 } 146 147 static void 148 pf_nvuint_32_array(const nvlist_t *nvl, const char *name, size_t maxelems, 149 uint32_t *numbers, size_t *nelems) 150 { 151 const uint64_t *tmp; 152 size_t elems; 153 154 tmp = nvlist_get_number_array(nvl, name, &elems); 155 156 for (size_t i = 0; i < elems && i < maxelems; i++) 157 numbers[i] = tmp[i]; 158 159 if (nelems) 160 *nelems = elems; 161 } 162 163 static void 164 pf_nvuint_64_array(const nvlist_t *nvl, const char *name, size_t maxelems, 165 uint64_t *numbers, size_t *nelems) 166 { 167 const uint64_t *tmp; 168 size_t elems; 169 170 tmp = nvlist_get_number_array(nvl, name, &elems); 171 assert(elems <= maxelems); 172 173 for (size_t i = 0; i < elems; i++) 174 numbers[i] = tmp[i]; 175 176 if (nelems) 177 *nelems = elems; 178 } 179 180 int 181 pfctl_startstop(int start) 182 { 183 struct snl_state ss = {}; 184 struct snl_errmsg_data e = {}; 185 struct snl_writer nw; 186 struct nlmsghdr *hdr; 187 uint32_t seq_id; 188 int family_id; 189 190 snl_init(&ss, NETLINK_GENERIC); 191 family_id = snl_get_genl_family(&ss, PFNL_FAMILY_NAME); 192 193 snl_init_writer(&ss, &nw); 194 hdr = snl_create_genl_msg_request(&nw, family_id, 195 start ? PFNL_CMD_START : PFNL_CMD_STOP); 196 197 hdr = snl_finalize_msg(&nw); 198 if (hdr == NULL) 199 return (ENOMEM); 200 seq_id = hdr->nlmsg_seq; 201 202 snl_send_message(&ss, hdr); 203 204 while ((hdr = snl_read_reply_multi(&ss, seq_id, &e)) != NULL) { 205 } 206 207 return (e.error); 208 } 209 210 static void 211 _pfctl_get_status_counters(const nvlist_t *nvl, 212 struct pfctl_status_counters *counters) 213 { 214 const uint64_t *ids, *counts; 215 const char *const *names; 216 size_t id_len, counter_len, names_len; 217 218 ids = nvlist_get_number_array(nvl, "ids", &id_len); 219 counts = nvlist_get_number_array(nvl, "counters", &counter_len); 220 names = nvlist_get_string_array(nvl, "names", &names_len); 221 assert(id_len == counter_len); 222 assert(counter_len == names_len); 223 224 TAILQ_INIT(counters); 225 226 for (size_t i = 0; i < id_len; i++) { 227 struct pfctl_status_counter *c; 228 229 c = malloc(sizeof(*c)); 230 231 c->id = ids[i]; 232 c->counter = counts[i]; 233 c->name = strdup(names[i]); 234 235 TAILQ_INSERT_TAIL(counters, c, entry); 236 } 237 } 238 239 struct pfctl_status * 240 pfctl_get_status(int dev) 241 { 242 struct pfctl_status *status; 243 nvlist_t *nvl; 244 size_t len; 245 const void *chksum; 246 247 status = calloc(1, sizeof(*status)); 248 if (status == NULL) 249 return (NULL); 250 251 nvl = nvlist_create(0); 252 253 if (pfctl_do_ioctl(dev, DIOCGETSTATUSNV, 4096, &nvl)) { 254 free(status); 255 return (NULL); 256 } 257 258 status->running = nvlist_get_bool(nvl, "running"); 259 status->since = nvlist_get_number(nvl, "since"); 260 status->debug = nvlist_get_number(nvl, "debug"); 261 status->hostid = ntohl(nvlist_get_number(nvl, "hostid")); 262 status->states = nvlist_get_number(nvl, "states"); 263 status->src_nodes = nvlist_get_number(nvl, "src_nodes"); 264 status->syncookies_active = nvlist_get_bool(nvl, "syncookies_active"); 265 status->reass = nvlist_get_number(nvl, "reass"); 266 267 strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"), 268 IFNAMSIZ); 269 chksum = nvlist_get_binary(nvl, "chksum", &len); 270 assert(len == PF_MD5_DIGEST_LENGTH); 271 memcpy(status->pf_chksum, chksum, len); 272 273 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "counters"), 274 &status->counters); 275 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "lcounters"), 276 &status->lcounters); 277 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "fcounters"), 278 &status->fcounters); 279 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "scounters"), 280 &status->scounters); 281 282 pf_nvuint_64_array(nvl, "pcounters", 2 * 2 * 3, 283 (uint64_t *)status->pcounters, NULL); 284 pf_nvuint_64_array(nvl, "bcounters", 2 * 2, 285 (uint64_t *)status->bcounters, NULL); 286 287 nvlist_destroy(nvl); 288 289 return (status); 290 } 291 292 static uint64_t 293 _pfctl_status_counter(struct pfctl_status_counters *counters, uint64_t id) 294 { 295 struct pfctl_status_counter *c; 296 297 TAILQ_FOREACH(c, counters, entry) { 298 if (c->id == id) 299 return (c->counter); 300 } 301 302 return (0); 303 } 304 305 uint64_t 306 pfctl_status_counter(struct pfctl_status *status, int id) 307 { 308 return (_pfctl_status_counter(&status->counters, id)); 309 } 310 311 uint64_t 312 pfctl_status_lcounter(struct pfctl_status *status, int id) 313 { 314 return (_pfctl_status_counter(&status->lcounters, id)); 315 } 316 317 uint64_t 318 pfctl_status_fcounter(struct pfctl_status *status, int id) 319 { 320 return (_pfctl_status_counter(&status->fcounters, id)); 321 } 322 323 uint64_t 324 pfctl_status_scounter(struct pfctl_status *status, int id) 325 { 326 return (_pfctl_status_counter(&status->scounters, id)); 327 } 328 329 void 330 pfctl_free_status(struct pfctl_status *status) 331 { 332 struct pfctl_status_counter *c, *tmp; 333 334 if (status == NULL) 335 return; 336 337 TAILQ_FOREACH_SAFE(c, &status->counters, entry, tmp) { 338 free(c->name); 339 free(c); 340 } 341 TAILQ_FOREACH_SAFE(c, &status->lcounters, entry, tmp) { 342 free(c->name); 343 free(c); 344 } 345 TAILQ_FOREACH_SAFE(c, &status->fcounters, entry, tmp) { 346 free(c->name); 347 free(c); 348 } 349 TAILQ_FOREACH_SAFE(c, &status->scounters, entry, tmp) { 350 free(c->name); 351 free(c); 352 } 353 354 free(status); 355 } 356 357 static void 358 pfctl_nv_add_addr(nvlist_t *nvparent, const char *name, 359 const struct pf_addr *addr) 360 { 361 nvlist_t *nvl = nvlist_create(0); 362 363 nvlist_add_binary(nvl, "addr", addr, sizeof(*addr)); 364 365 nvlist_add_nvlist(nvparent, name, nvl); 366 nvlist_destroy(nvl); 367 } 368 369 static void 370 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr) 371 { 372 size_t len; 373 const void *data; 374 375 data = nvlist_get_binary(nvl, "addr", &len); 376 assert(len == sizeof(struct pf_addr)); 377 memcpy(addr, data, len); 378 } 379 380 static void 381 pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, 382 const struct pf_addr_wrap *addr) 383 { 384 nvlist_t *nvl = nvlist_create(0); 385 386 nvlist_add_number(nvl, "type", addr->type); 387 nvlist_add_number(nvl, "iflags", addr->iflags); 388 if (addr->type == PF_ADDR_DYNIFTL) 389 nvlist_add_string(nvl, "ifname", addr->v.ifname); 390 if (addr->type == PF_ADDR_TABLE) 391 nvlist_add_string(nvl, "tblname", addr->v.tblname); 392 pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); 393 pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); 394 395 nvlist_add_nvlist(nvparent, name, nvl); 396 nvlist_destroy(nvl); 397 } 398 399 static void 400 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr) 401 { 402 bzero(addr, sizeof(*addr)); 403 404 addr->type = nvlist_get_number(nvl, "type"); 405 addr->iflags = nvlist_get_number(nvl, "iflags"); 406 if (addr->type == PF_ADDR_DYNIFTL) { 407 strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"), 408 IFNAMSIZ); 409 addr->p.dyncnt = nvlist_get_number(nvl, "dyncnt"); 410 } 411 if (addr->type == PF_ADDR_TABLE) { 412 strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"), 413 PF_TABLE_NAME_SIZE); 414 addr->p.tblcnt = nvlist_get_number(nvl, "tblcnt"); 415 } 416 417 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr); 418 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask); 419 } 420 421 static void 422 pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name, 423 const struct pf_rule_addr *addr) 424 { 425 uint64_t ports[2]; 426 nvlist_t *nvl = nvlist_create(0); 427 428 pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr); 429 ports[0] = addr->port[0]; 430 ports[1] = addr->port[1]; 431 nvlist_add_number_array(nvl, "port", ports, 2); 432 nvlist_add_number(nvl, "neg", addr->neg); 433 nvlist_add_number(nvl, "port_op", addr->port_op); 434 435 nvlist_add_nvlist(nvparent, name, nvl); 436 nvlist_destroy(nvl); 437 } 438 439 static void 440 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr) 441 { 442 pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"), &addr->addr); 443 444 pf_nvuint_16_array(nvl, "port", 2, addr->port, NULL); 445 addr->neg = nvlist_get_number(nvl, "neg"); 446 addr->port_op = nvlist_get_number(nvl, "port_op"); 447 } 448 449 static void 450 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape) 451 { 452 mape->offset = nvlist_get_number(nvl, "offset"); 453 mape->psidlen = nvlist_get_number(nvl, "psidlen"); 454 mape->psid = nvlist_get_number(nvl, "psid"); 455 } 456 457 static void 458 pf_nvpool_to_pool(const nvlist_t *nvl, struct pfctl_pool *pool) 459 { 460 size_t len; 461 const void *data; 462 463 data = nvlist_get_binary(nvl, "key", &len); 464 assert(len == sizeof(pool->key)); 465 memcpy(&pool->key, data, len); 466 467 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"), &pool->counter); 468 469 pool->tblidx = nvlist_get_number(nvl, "tblidx"); 470 pf_nvuint_16_array(nvl, "proxy_port", 2, pool->proxy_port, NULL); 471 pool->opts = nvlist_get_number(nvl, "opts"); 472 473 if (nvlist_exists_nvlist(nvl, "mape")) 474 pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"), &pool->mape); 475 } 476 477 static void 478 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid) 479 { 480 pf_nvuint_32_array(nvl, "uid", 2, uid->uid, NULL); 481 uid->op = nvlist_get_number(nvl, "op"); 482 } 483 484 static void 485 pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule) 486 { 487 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr); 488 rule->divert.port = nvlist_get_number(nvl, "port"); 489 } 490 491 static void 492 pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule) 493 { 494 const uint64_t *skip; 495 const char *const *labels; 496 size_t skipcount, labelcount; 497 498 rule->nr = nvlist_get_number(nvl, "nr"); 499 500 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"), &rule->src); 501 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &rule->dst); 502 503 skip = nvlist_get_number_array(nvl, "skip", &skipcount); 504 assert(skip); 505 assert(skipcount == PF_SKIP_COUNT); 506 for (int i = 0; i < PF_SKIP_COUNT; i++) 507 rule->skip[i].nr = skip[i]; 508 509 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 510 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 511 for (size_t i = 0; i < labelcount; i++) 512 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 513 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 514 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 515 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 516 strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE); 517 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 518 PF_TAG_NAME_SIZE); 519 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 520 PF_TAG_NAME_SIZE); 521 522 strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"), 523 PF_TABLE_NAME_SIZE); 524 525 pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rpool); 526 527 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 528 pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL); 529 pf_nvuint_64_array(nvl, "bytes", 2, rule->bytes, NULL); 530 531 if (nvlist_exists_number(nvl, "timestamp")) { 532 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 533 } 534 535 rule->os_fingerprint = nvlist_get_number(nvl, "os_fingerprint"); 536 537 rule->rtableid = nvlist_get_number(nvl, "rtableid"); 538 pf_nvuint_32_array(nvl, "timeout", PFTM_MAX, rule->timeout, NULL); 539 rule->max_states = nvlist_get_number(nvl, "max_states"); 540 rule->max_src_nodes = nvlist_get_number(nvl, "max_src_nodes"); 541 rule->max_src_states = nvlist_get_number(nvl, "max_src_states"); 542 rule->max_src_conn = nvlist_get_number(nvl, "max_src_conn"); 543 rule->max_src_conn_rate.limit = 544 nvlist_get_number(nvl, "max_src_conn_rate.limit"); 545 rule->max_src_conn_rate.seconds = 546 nvlist_get_number(nvl, "max_src_conn_rate.seconds"); 547 rule->qid = nvlist_get_number(nvl, "qid"); 548 rule->pqid = nvlist_get_number(nvl, "pqid"); 549 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 550 rule->dnrpipe = nvlist_get_number(nvl, "dnrpipe"); 551 rule->free_flags = nvlist_get_number(nvl, "dnflags"); 552 rule->prob = nvlist_get_number(nvl, "prob"); 553 rule->cuid = nvlist_get_number(nvl, "cuid"); 554 rule->cpid = nvlist_get_number(nvl, "cpid"); 555 556 rule->return_icmp = nvlist_get_number(nvl, "return_icmp"); 557 rule->return_icmp6 = nvlist_get_number(nvl, "return_icmp6"); 558 rule->max_mss = nvlist_get_number(nvl, "max_mss"); 559 rule->scrub_flags = nvlist_get_number(nvl, "scrub_flags"); 560 561 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"), &rule->uid); 562 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "gid"), 563 (struct pf_rule_uid *)&rule->gid); 564 565 rule->rule_flag = nvlist_get_number(nvl, "rule_flag"); 566 rule->action = nvlist_get_number(nvl, "action"); 567 rule->direction = nvlist_get_number(nvl, "direction"); 568 rule->log = nvlist_get_number(nvl, "log"); 569 rule->logif = nvlist_get_number(nvl, "logif"); 570 rule->quick = nvlist_get_number(nvl, "quick"); 571 rule->ifnot = nvlist_get_number(nvl, "ifnot"); 572 rule->match_tag_not = nvlist_get_number(nvl, "match_tag_not"); 573 rule->natpass = nvlist_get_number(nvl, "natpass"); 574 575 rule->keep_state = nvlist_get_number(nvl, "keep_state"); 576 rule->af = nvlist_get_number(nvl, "af"); 577 rule->proto = nvlist_get_number(nvl, "proto"); 578 rule->type = nvlist_get_number(nvl, "type"); 579 rule->code = nvlist_get_number(nvl, "code"); 580 rule->flags = nvlist_get_number(nvl, "flags"); 581 rule->flagset = nvlist_get_number(nvl, "flagset"); 582 rule->min_ttl = nvlist_get_number(nvl, "min_ttl"); 583 rule->allow_opts = nvlist_get_number(nvl, "allow_opts"); 584 rule->rt = nvlist_get_number(nvl, "rt"); 585 rule->return_ttl = nvlist_get_number(nvl, "return_ttl"); 586 rule->tos = nvlist_get_number(nvl, "tos"); 587 rule->set_tos = nvlist_get_number(nvl, "set_tos"); 588 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 589 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 590 591 rule->flush = nvlist_get_number(nvl, "flush"); 592 rule->prio = nvlist_get_number(nvl, "prio"); 593 pf_nvuint_8_array(nvl, "set_prio", 2, rule->set_prio, NULL); 594 595 pf_nvdivert_to_divert(nvlist_get_nvlist(nvl, "divert"), rule); 596 597 rule->states_cur = nvlist_get_number(nvl, "states_cur"); 598 rule->states_tot = nvlist_get_number(nvl, "states_tot"); 599 rule->src_nodes = nvlist_get_number(nvl, "src_nodes"); 600 } 601 602 static void 603 pfctl_nveth_addr_to_eth_addr(const nvlist_t *nvl, struct pfctl_eth_addr *addr) 604 { 605 static const u_int8_t EMPTY_MAC[ETHER_ADDR_LEN] = { 0 }; 606 size_t len; 607 const void *data; 608 609 data = nvlist_get_binary(nvl, "addr", &len); 610 assert(len == sizeof(addr->addr)); 611 memcpy(addr->addr, data, sizeof(addr->addr)); 612 613 data = nvlist_get_binary(nvl, "mask", &len); 614 assert(len == sizeof(addr->mask)); 615 memcpy(addr->mask, data, sizeof(addr->mask)); 616 617 addr->neg = nvlist_get_bool(nvl, "neg"); 618 619 /* To make checks for 'is this address set?' easier. */ 620 addr->isset = memcmp(addr->addr, EMPTY_MAC, ETHER_ADDR_LEN) != 0; 621 } 622 623 static nvlist_t * 624 pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr *addr) 625 { 626 nvlist_t *nvl; 627 628 nvl = nvlist_create(0); 629 if (nvl == NULL) 630 return (NULL); 631 632 nvlist_add_bool(nvl, "neg", addr->neg); 633 nvlist_add_binary(nvl, "addr", &addr->addr, ETHER_ADDR_LEN); 634 nvlist_add_binary(nvl, "mask", &addr->mask, ETHER_ADDR_LEN); 635 636 return (nvl); 637 } 638 639 static void 640 pfctl_nveth_rule_to_eth_rule(const nvlist_t *nvl, struct pfctl_eth_rule *rule) 641 { 642 const char *const *labels; 643 size_t labelcount, i; 644 645 rule->nr = nvlist_get_number(nvl, "nr"); 646 rule->quick = nvlist_get_bool(nvl, "quick"); 647 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 648 rule->ifnot = nvlist_get_bool(nvl, "ifnot"); 649 rule->direction = nvlist_get_number(nvl, "direction"); 650 rule->proto = nvlist_get_number(nvl, "proto"); 651 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 652 PF_TAG_NAME_SIZE); 653 rule->match_tag = nvlist_get_number(nvl, "match_tag"); 654 rule->match_tag_not = nvlist_get_bool(nvl, "match_tag_not"); 655 656 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 657 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 658 for (i = 0; i < labelcount; i++) 659 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 660 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 661 662 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "src"), 663 &rule->src); 664 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "dst"), 665 &rule->dst); 666 667 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipsrc"), 668 &rule->ipsrc); 669 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipdst"), 670 &rule->ipdst); 671 672 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 673 rule->packets[0] = nvlist_get_number(nvl, "packets-in"); 674 rule->packets[1] = nvlist_get_number(nvl, "packets-out"); 675 rule->bytes[0] = nvlist_get_number(nvl, "bytes-in"); 676 rule->bytes[1] = nvlist_get_number(nvl, "bytes-out"); 677 678 if (nvlist_exists_number(nvl, "timestamp")) { 679 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 680 } 681 682 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 683 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 684 PF_TAG_NAME_SIZE); 685 686 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 687 rule->dnflags = nvlist_get_number(nvl, "dnflags"); 688 689 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 690 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 691 692 strlcpy(rule->bridge_to, nvlist_get_string(nvl, "bridge_to"), 693 IFNAMSIZ); 694 695 rule->action = nvlist_get_number(nvl, "action"); 696 } 697 698 int 699 pfctl_get_eth_rulesets_info(int dev, struct pfctl_eth_rulesets_info *ri, 700 const char *path) 701 { 702 nvlist_t *nvl; 703 int ret; 704 705 bzero(ri, sizeof(*ri)); 706 707 nvl = nvlist_create(0); 708 nvlist_add_string(nvl, "path", path); 709 710 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESETS, 256, &nvl)) != 0) 711 return (ret); 712 713 ri->nr = nvlist_get_number(nvl, "nr"); 714 715 nvlist_destroy(nvl); 716 return (0); 717 } 718 719 int 720 pfctl_get_eth_ruleset(int dev, const char *path, int nr, 721 struct pfctl_eth_ruleset_info *ri) 722 { 723 nvlist_t *nvl; 724 int ret; 725 726 bzero(ri, sizeof(*ri)); 727 728 nvl = nvlist_create(0); 729 nvlist_add_string(nvl, "path", path); 730 nvlist_add_number(nvl, "nr", nr); 731 732 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESET, 1024, &nvl)) != 0) 733 return (ret); 734 735 ri->nr = nvlist_get_number(nvl, "nr"); 736 strlcpy(ri->path, nvlist_get_string(nvl, "path"), MAXPATHLEN); 737 strlcpy(ri->name, nvlist_get_string(nvl, "name"), 738 PF_ANCHOR_NAME_SIZE); 739 740 nvlist_destroy(nvl); 741 742 return (0); 743 } 744 745 int 746 pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 747 const char *path) 748 { 749 nvlist_t *nvl; 750 int ret; 751 752 bzero(rules, sizeof(*rules)); 753 754 nvl = nvlist_create(0); 755 nvlist_add_string(nvl, "anchor", path); 756 757 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULES, 1024, &nvl)) != 0) 758 return (ret); 759 760 rules->nr = nvlist_get_number(nvl, "nr"); 761 rules->ticket = nvlist_get_number(nvl, "ticket"); 762 763 nvlist_destroy(nvl); 764 return (0); 765 } 766 767 int 768 pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 769 const char *path, struct pfctl_eth_rule *rule, bool clear, 770 char *anchor_call) 771 { 772 nvlist_t *nvl; 773 int ret; 774 775 nvl = nvlist_create(0); 776 777 nvlist_add_string(nvl, "anchor", path); 778 nvlist_add_number(nvl, "ticket", ticket); 779 nvlist_add_number(nvl, "nr", nr); 780 nvlist_add_bool(nvl, "clear", clear); 781 782 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULE, 4096, &nvl)) != 0) 783 return (ret); 784 785 pfctl_nveth_rule_to_eth_rule(nvl, rule); 786 787 if (anchor_call) 788 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 789 MAXPATHLEN); 790 791 nvlist_destroy(nvl); 792 return (0); 793 } 794 795 int 796 pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, const char *anchor, 797 const char *anchor_call, uint32_t ticket) 798 { 799 struct pfioc_nv nv; 800 nvlist_t *nvl, *addr; 801 void *packed; 802 int error = 0; 803 size_t labelcount, size; 804 805 nvl = nvlist_create(0); 806 807 nvlist_add_number(nvl, "ticket", ticket); 808 nvlist_add_string(nvl, "anchor", anchor); 809 nvlist_add_string(nvl, "anchor_call", anchor_call); 810 811 nvlist_add_number(nvl, "nr", r->nr); 812 nvlist_add_bool(nvl, "quick", r->quick); 813 nvlist_add_string(nvl, "ifname", r->ifname); 814 nvlist_add_bool(nvl, "ifnot", r->ifnot); 815 nvlist_add_number(nvl, "direction", r->direction); 816 nvlist_add_number(nvl, "proto", r->proto); 817 nvlist_add_string(nvl, "match_tagname", r->match_tagname); 818 nvlist_add_bool(nvl, "match_tag_not", r->match_tag_not); 819 820 addr = pfctl_eth_addr_to_nveth_addr(&r->src); 821 if (addr == NULL) { 822 nvlist_destroy(nvl); 823 return (ENOMEM); 824 } 825 nvlist_add_nvlist(nvl, "src", addr); 826 nvlist_destroy(addr); 827 828 addr = pfctl_eth_addr_to_nveth_addr(&r->dst); 829 if (addr == NULL) { 830 nvlist_destroy(nvl); 831 return (ENOMEM); 832 } 833 nvlist_add_nvlist(nvl, "dst", addr); 834 nvlist_destroy(addr); 835 836 pfctl_nv_add_rule_addr(nvl, "ipsrc", &r->ipsrc); 837 pfctl_nv_add_rule_addr(nvl, "ipdst", &r->ipdst); 838 839 labelcount = 0; 840 while (labelcount < PF_RULE_MAX_LABEL_COUNT && 841 r->label[labelcount][0] != 0) { 842 nvlist_append_string_array(nvl, "labels", 843 r->label[labelcount]); 844 labelcount++; 845 } 846 nvlist_add_number(nvl, "ridentifier", r->ridentifier); 847 848 nvlist_add_string(nvl, "qname", r->qname); 849 nvlist_add_string(nvl, "tagname", r->tagname); 850 nvlist_add_number(nvl, "dnpipe", r->dnpipe); 851 nvlist_add_number(nvl, "dnflags", r->dnflags); 852 853 nvlist_add_string(nvl, "bridge_to", r->bridge_to); 854 855 nvlist_add_number(nvl, "action", r->action); 856 857 packed = nvlist_pack(nvl, &size); 858 if (packed == NULL) { 859 nvlist_destroy(nvl); 860 return (ENOMEM); 861 } 862 863 nv.len = size; 864 nv.size = size; 865 nv.data = packed; 866 867 if (ioctl(dev, DIOCADDETHRULE, &nv) != 0) 868 error = errno; 869 870 free(packed); 871 nvlist_destroy(nvl); 872 873 return (error); 874 } 875 876 static void 877 snl_add_msg_attr_addr_wrap(struct snl_writer *nw, uint32_t type, const struct pf_addr_wrap *addr) 878 { 879 int off; 880 881 off = snl_add_msg_attr_nested(nw, type); 882 883 snl_add_msg_attr_ip6(nw, PF_AT_ADDR, &addr->v.a.addr.v6); 884 snl_add_msg_attr_ip6(nw, PF_AT_MASK, &addr->v.a.mask.v6); 885 886 if (addr->type == PF_ADDR_DYNIFTL) 887 snl_add_msg_attr_string(nw, PF_AT_IFNAME, addr->v.ifname); 888 if (addr->type == PF_ADDR_TABLE) 889 snl_add_msg_attr_string(nw, PF_AT_TABLENAME, addr->v.tblname); 890 snl_add_msg_attr_u8(nw, PF_AT_TYPE, addr->type); 891 snl_add_msg_attr_u8(nw, PF_AT_IFLAGS, addr->iflags); 892 893 snl_end_attr_nested(nw, off); 894 } 895 896 static void 897 snl_add_msg_attr_rule_addr(struct snl_writer *nw, uint32_t type, const struct pf_rule_addr *addr) 898 { 899 int off; 900 901 off = snl_add_msg_attr_nested(nw, type); 902 903 snl_add_msg_attr_addr_wrap(nw, PF_RAT_ADDR, &addr->addr); 904 snl_add_msg_attr_u16(nw, PF_RAT_SRC_PORT, addr->port[0]); 905 snl_add_msg_attr_u16(nw, PF_RAT_DST_PORT, addr->port[1]); 906 snl_add_msg_attr_u8(nw, PF_RAT_NEG, addr->neg); 907 snl_add_msg_attr_u8(nw, PF_RAT_OP, addr->port_op); 908 909 snl_end_attr_nested(nw, off); 910 } 911 912 static void 913 snl_add_msg_attr_rule_labels(struct snl_writer *nw, uint32_t type, const char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]) 914 { 915 int off, i = 0; 916 917 off = snl_add_msg_attr_nested(nw, type); 918 919 while (labels[i][0] != 0 && 920 i < PF_RULE_MAX_LABEL_COUNT) { 921 snl_add_msg_attr_string(nw, PF_LT_LABEL, labels[i]); 922 i++; 923 } 924 925 snl_end_attr_nested(nw, off); 926 } 927 928 static void 929 snl_add_msg_attr_mape(struct snl_writer *nw, uint32_t type, const struct pf_mape_portset *me) 930 { 931 int off; 932 933 off = snl_add_msg_attr_nested(nw, type); 934 935 snl_add_msg_attr_u8(nw, PF_MET_OFFSET, me->offset); 936 snl_add_msg_attr_u8(nw, PF_MET_PSID_LEN, me->psidlen); 937 snl_add_msg_attr_u16(nw, PF_MET_PSID, me->psid); 938 939 snl_end_attr_nested(nw, off); 940 } 941 942 static void 943 snl_add_msg_attr_rpool(struct snl_writer *nw, uint32_t type, const struct pfctl_pool *pool) 944 { 945 int off; 946 947 off = snl_add_msg_attr_nested(nw, type); 948 949 snl_add_msg_attr(nw, PF_PT_KEY, sizeof(pool->key), &pool->key); 950 snl_add_msg_attr_ip6(nw, PF_PT_COUNTER, &pool->counter.v6); 951 snl_add_msg_attr_u32(nw, PF_PT_TBLIDX, pool->tblidx); 952 snl_add_msg_attr_u16(nw, PF_PT_PROXY_SRC_PORT, pool->proxy_port[0]); 953 snl_add_msg_attr_u16(nw, PF_PT_PROXY_DST_PORT, pool->proxy_port[1]); 954 snl_add_msg_attr_u8(nw, PF_PT_OPTS, pool->opts); 955 snl_add_msg_attr_mape(nw, PF_PT_MAPE, &pool->mape); 956 957 snl_end_attr_nested(nw, off); 958 } 959 960 static void 961 snl_add_msg_attr_timeouts(struct snl_writer *nw, uint32_t type, const uint32_t *timeouts) 962 { 963 int off; 964 965 off = snl_add_msg_attr_nested(nw, type); 966 967 for (int i = 0; i < PFTM_MAX; i++) 968 snl_add_msg_attr_u32(nw, PF_TT_TIMEOUT, timeouts[i]); 969 970 snl_end_attr_nested(nw, off); 971 } 972 973 static void 974 snl_add_msg_attr_uid(struct snl_writer *nw, uint32_t type, const struct pf_rule_uid *uid) 975 { 976 int off; 977 978 off = snl_add_msg_attr_nested(nw, type); 979 980 snl_add_msg_attr_u32(nw, PF_RUT_UID_LOW, uid->uid[0]); 981 snl_add_msg_attr_u32(nw, PF_RUT_UID_HIGH, uid->uid[1]); 982 snl_add_msg_attr_u8(nw, PF_RUT_OP, uid->op); 983 984 snl_end_attr_nested(nw, off); 985 } 986 987 static void 988 snl_add_msg_attr_pf_rule(struct snl_writer *nw, uint32_t type, const struct pfctl_rule *r) 989 { 990 int off; 991 992 off = snl_add_msg_attr_nested(nw, type); 993 994 snl_add_msg_attr_rule_addr(nw, PF_RT_SRC, &r->src); 995 snl_add_msg_attr_rule_addr(nw, PF_RT_DST, &r->dst); 996 snl_add_msg_attr_rule_labels(nw, PF_RT_LABELS, r->label); 997 snl_add_msg_attr_u32(nw, PF_RT_RIDENTIFIER, r->ridentifier); 998 snl_add_msg_attr_string(nw, PF_RT_IFNAME, r->ifname); 999 snl_add_msg_attr_string(nw, PF_RT_QNAME, r->qname); 1000 snl_add_msg_attr_string(nw, PF_RT_PQNAME, r->pqname); 1001 snl_add_msg_attr_string(nw, PF_RT_TAGNAME, r->tagname); 1002 snl_add_msg_attr_string(nw, PF_RT_MATCH_TAGNAME, r->match_tagname); 1003 snl_add_msg_attr_string(nw, PF_RT_OVERLOAD_TBLNAME, r->overload_tblname); 1004 snl_add_msg_attr_rpool(nw, PF_RT_RPOOL, &r->rpool); 1005 snl_add_msg_attr_u32(nw, PF_RT_OS_FINGERPRINT, r->os_fingerprint); 1006 snl_add_msg_attr_u32(nw, PF_RT_RTABLEID, r->rtableid); 1007 snl_add_msg_attr_timeouts(nw, PF_RT_TIMEOUT, r->timeout); 1008 snl_add_msg_attr_u32(nw, PF_RT_MAX_STATES, r->max_states); 1009 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_NODES, r->max_src_nodes); 1010 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_STATES, r->max_src_states); 1011 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_LIMIT, r->max_src_conn_rate.limit); 1012 snl_add_msg_attr_u32(nw, PF_RT_MAX_SRC_CONN_RATE_SECS, r->max_src_conn_rate.seconds); 1013 1014 snl_add_msg_attr_u16(nw, PF_RT_DNPIPE, r->dnpipe); 1015 snl_add_msg_attr_u16(nw, PF_RT_DNRPIPE, r->dnrpipe); 1016 snl_add_msg_attr_u32(nw, PF_RT_DNFLAGS, r->free_flags); 1017 1018 snl_add_msg_attr_u32(nw, PF_RT_NR, r->nr); 1019 snl_add_msg_attr_u32(nw, PF_RT_PROB, r->prob); 1020 snl_add_msg_attr_u32(nw, PF_RT_CUID, r->cuid); 1021 snl_add_msg_attr_u32(nw, PF_RT_CPID, r->cpid); 1022 1023 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP, r->return_icmp); 1024 snl_add_msg_attr_u16(nw, PF_RT_RETURN_ICMP6, r->return_icmp6); 1025 snl_add_msg_attr_u16(nw, PF_RT_MAX_MSS, r->max_mss); 1026 snl_add_msg_attr_u16(nw, PF_RT_SCRUB_FLAGS, r->scrub_flags); 1027 1028 snl_add_msg_attr_uid(nw, PF_RT_UID, &r->uid); 1029 snl_add_msg_attr_uid(nw, PF_RT_GID, (const struct pf_rule_uid *)&r->gid); 1030 1031 snl_add_msg_attr_u32(nw, PF_RT_RULE_FLAG, r->rule_flag); 1032 snl_add_msg_attr_u8(nw, PF_RT_ACTION, r->action); 1033 snl_add_msg_attr_u8(nw, PF_RT_DIRECTION, r->direction); 1034 snl_add_msg_attr_u8(nw, PF_RT_LOG, r->log); 1035 snl_add_msg_attr_u8(nw, PF_RT_LOGIF, r->logif); 1036 snl_add_msg_attr_u8(nw, PF_RT_QUICK, r->quick); 1037 snl_add_msg_attr_u8(nw, PF_RT_IF_NOT, r->ifnot); 1038 snl_add_msg_attr_u8(nw, PF_RT_MATCH_TAG_NOT, r->match_tag_not); 1039 snl_add_msg_attr_u8(nw, PF_RT_NATPASS, r->natpass); 1040 snl_add_msg_attr_u8(nw, PF_RT_KEEP_STATE, r->keep_state); 1041 snl_add_msg_attr_u8(nw, PF_RT_AF, r->af); 1042 snl_add_msg_attr_u8(nw, PF_RT_PROTO, r->proto); 1043 snl_add_msg_attr_u8(nw, PF_RT_TYPE, r->type); 1044 snl_add_msg_attr_u8(nw, PF_RT_CODE, r->code); 1045 snl_add_msg_attr_u8(nw, PF_RT_FLAGS, r->flags); 1046 snl_add_msg_attr_u8(nw, PF_RT_FLAGSET, r->flagset); 1047 snl_add_msg_attr_u8(nw, PF_RT_MIN_TTL, r->min_ttl); 1048 snl_add_msg_attr_u8(nw, PF_RT_ALLOW_OPTS, r->allow_opts); 1049 snl_add_msg_attr_u8(nw, PF_RT_RT, r->rt); 1050 snl_add_msg_attr_u8(nw, PF_RT_RETURN_TTL, r->return_ttl); 1051 snl_add_msg_attr_u8(nw, PF_RT_TOS, r->tos); 1052 snl_add_msg_attr_u8(nw, PF_RT_SET_TOS, r->set_tos); 1053 1054 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_RELATIVE, r->anchor_relative); 1055 snl_add_msg_attr_u8(nw, PF_RT_ANCHOR_WILDCARD, r->anchor_wildcard); 1056 snl_add_msg_attr_u8(nw, PF_RT_FLUSH, r->flush); 1057 snl_add_msg_attr_u8(nw, PF_RT_PRIO, r->prio); 1058 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO, r->set_prio[0]); 1059 snl_add_msg_attr_u8(nw, PF_RT_SET_PRIO_REPLY, r->set_prio[1]); 1060 1061 snl_add_msg_attr_ip6(nw, PF_RT_DIVERT_ADDRESS, &r->divert.addr.v6); 1062 snl_add_msg_attr_u16(nw, PF_RT_DIVERT_PORT, r->divert.port); 1063 1064 snl_end_attr_nested(nw, off); 1065 } 1066 1067 int 1068 pfctl_add_rule(int dev __unused, const struct pfctl_rule *r, const char *anchor, 1069 const char *anchor_call, uint32_t ticket, uint32_t pool_ticket) 1070 { 1071 struct snl_writer nw; 1072 struct snl_state ss = {}; 1073 struct snl_errmsg_data e = {}; 1074 struct nlmsghdr *hdr; 1075 uint32_t seq_id; 1076 int family_id; 1077 1078 snl_init(&ss, NETLINK_GENERIC); 1079 family_id = snl_get_genl_family(&ss, PFNL_FAMILY_NAME); 1080 1081 snl_init_writer(&ss, &nw); 1082 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADDRULE); 1083 hdr->nlmsg_flags |= NLM_F_DUMP; 1084 snl_add_msg_attr_u32(&nw, PF_ART_TICKET, ticket); 1085 snl_add_msg_attr_u32(&nw, PF_ART_POOL_TICKET, pool_ticket); 1086 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR, anchor); 1087 snl_add_msg_attr_string(&nw, PF_ART_ANCHOR_CALL, anchor_call); 1088 1089 snl_add_msg_attr_pf_rule(&nw, PF_ART_RULE, r); 1090 1091 if ((hdr = snl_finalize_msg(&nw)) == NULL) 1092 return (ENXIO); 1093 1094 seq_id = hdr->nlmsg_seq; 1095 1096 if (! snl_send_message(&ss, hdr)) { 1097 printf("Send failed\n"); 1098 return (ENXIO); 1099 } 1100 1101 while ((hdr = snl_read_reply_multi(&ss, seq_id, &e)) != NULL) { 1102 } 1103 1104 return (e.error); 1105 } 1106 1107 int 1108 pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, uint32_t ruleset, 1109 const char *path) 1110 { 1111 struct pfioc_rule pr; 1112 int ret; 1113 1114 bzero(&pr, sizeof(pr)); 1115 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor)) 1116 return (E2BIG); 1117 1118 pr.rule.action = ruleset; 1119 ret = ioctl(dev, DIOCGETRULES, &pr); 1120 if (ret != 0) 1121 return (ret); 1122 1123 rules->nr = pr.nr; 1124 rules->ticket = pr.ticket; 1125 1126 return (0); 1127 } 1128 1129 int 1130 pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor, 1131 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call) 1132 { 1133 return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule, 1134 anchor_call, false)); 1135 } 1136 1137 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 1138 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 1139 char *anchor_call, bool clear) 1140 { 1141 nvlist_t *nvl; 1142 int ret; 1143 1144 nvl = nvlist_create(0); 1145 if (nvl == 0) 1146 return (ENOMEM); 1147 1148 nvlist_add_number(nvl, "nr", nr); 1149 nvlist_add_number(nvl, "ticket", ticket); 1150 nvlist_add_string(nvl, "anchor", anchor); 1151 nvlist_add_number(nvl, "ruleset", ruleset); 1152 1153 if (clear) 1154 nvlist_add_bool(nvl, "clear_counter", true); 1155 1156 if ((ret = pfctl_do_ioctl(dev, DIOCGETRULENV, 8192, &nvl)) != 0) 1157 return (ret); 1158 1159 pf_nvrule_to_rule(nvlist_get_nvlist(nvl, "rule"), rule); 1160 1161 if (anchor_call) 1162 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 1163 MAXPATHLEN); 1164 1165 nvlist_destroy(nvl); 1166 1167 return (0); 1168 } 1169 1170 int 1171 pfctl_set_keepcounters(int dev, bool keep) 1172 { 1173 struct pfioc_nv nv; 1174 nvlist_t *nvl; 1175 int ret; 1176 1177 nvl = nvlist_create(0); 1178 1179 nvlist_add_bool(nvl, "keep_counters", keep); 1180 1181 nv.data = nvlist_pack(nvl, &nv.len); 1182 nv.size = nv.len; 1183 1184 nvlist_destroy(nvl); 1185 1186 ret = ioctl(dev, DIOCKEEPCOUNTERS, &nv); 1187 1188 free(nv.data); 1189 return (ret); 1190 } 1191 1192 struct pfctl_creator { 1193 uint32_t id; 1194 }; 1195 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1196 #define _OUT(_field) offsetof(struct pfctl_creator, _field) 1197 static struct snl_attr_parser ap_creators[] = { 1198 { .type = PF_ST_CREATORID, .off = _OUT(id), .cb = snl_attr_get_uint32 }, 1199 }; 1200 static struct snl_field_parser fp_creators[] = { 1201 }; 1202 #undef _IN 1203 #undef _OUT 1204 SNL_DECLARE_PARSER(creator_parser, struct genlmsghdr, fp_creators, ap_creators); 1205 1206 static int 1207 pfctl_get_creators_nl(struct snl_state *ss, uint32_t *creators, size_t *len) 1208 { 1209 1210 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME); 1211 size_t i = 0; 1212 1213 struct nlmsghdr *hdr; 1214 struct snl_writer nw; 1215 1216 snl_init_writer(ss, &nw); 1217 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETCREATORS); 1218 hdr->nlmsg_flags |= NLM_F_DUMP; 1219 hdr = snl_finalize_msg(&nw); 1220 if (hdr == NULL) 1221 return (ENOMEM); 1222 uint32_t seq_id = hdr->nlmsg_seq; 1223 1224 snl_send_message(ss, hdr); 1225 1226 struct snl_errmsg_data e = {}; 1227 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) { 1228 struct pfctl_creator c; 1229 bzero(&c, sizeof(c)); 1230 1231 if (!snl_parse_nlmsg(ss, hdr, &creator_parser, &c)) 1232 continue; 1233 1234 creators[i] = c.id; 1235 i++; 1236 if (i > *len) 1237 return (E2BIG); 1238 } 1239 1240 *len = i; 1241 1242 return (0); 1243 } 1244 1245 int 1246 pfctl_get_creatorids(uint32_t *creators, size_t *len) 1247 { 1248 struct snl_state ss = {}; 1249 int error; 1250 1251 snl_init(&ss, NETLINK_GENERIC); 1252 error = pfctl_get_creators_nl(&ss, creators, len); 1253 snl_free(&ss); 1254 1255 return (error); 1256 1257 } 1258 1259 static void 1260 pfctl_nv_add_state_cmp(nvlist_t *nvl, const char *name, 1261 const struct pfctl_state_cmp *cmp) 1262 { 1263 nvlist_t *nv; 1264 1265 nv = nvlist_create(0); 1266 1267 nvlist_add_number(nv, "id", cmp->id); 1268 nvlist_add_number(nv, "creatorid", htonl(cmp->creatorid)); 1269 nvlist_add_number(nv, "direction", cmp->direction); 1270 1271 nvlist_add_nvlist(nvl, name, nv); 1272 nvlist_destroy(nv); 1273 } 1274 1275 static inline bool 1276 snl_attr_get_pfaddr(struct snl_state *ss __unused, struct nlattr *nla, 1277 const void *arg __unused, void *target) 1278 { 1279 memcpy(target, NLA_DATA(nla), NLA_DATA_LEN(nla)); 1280 return (true); 1281 } 1282 1283 static inline bool 1284 snl_attr_store_ifname(struct snl_state *ss __unused, struct nlattr *nla, 1285 const void *arg __unused, void *target) 1286 { 1287 size_t maxlen = NLA_DATA_LEN(nla); 1288 1289 if (strnlen((char *)NLA_DATA(nla), maxlen) < maxlen) { 1290 strlcpy(target, (char *)NLA_DATA(nla), maxlen); 1291 return (true); 1292 } 1293 return (false); 1294 } 1295 1296 #define _OUT(_field) offsetof(struct pfctl_state_peer, _field) 1297 static const struct snl_attr_parser nla_p_speer[] = { 1298 { .type = PF_STP_SEQLO, .off = _OUT(seqlo), .cb = snl_attr_get_uint32 }, 1299 { .type = PF_STP_SEQHI, .off = _OUT(seqhi), .cb = snl_attr_get_uint32 }, 1300 { .type = PF_STP_SEQDIFF, .off = _OUT(seqdiff), .cb = snl_attr_get_uint32 }, 1301 { .type = PF_STP_STATE, .off = _OUT(state), .cb = snl_attr_get_uint8 }, 1302 { .type = PF_STP_WSCALE, .off = _OUT(wscale), .cb = snl_attr_get_uint8 }, 1303 }; 1304 SNL_DECLARE_ATTR_PARSER(speer_parser, nla_p_speer); 1305 #undef _OUT 1306 1307 #define _OUT(_field) offsetof(struct pf_state_key_export, _field) 1308 static const struct snl_attr_parser nla_p_skey[] = { 1309 { .type = PF_STK_ADDR0, .off = _OUT(addr[0]), .cb = snl_attr_get_pfaddr }, 1310 { .type = PF_STK_ADDR1, .off = _OUT(addr[1]), .cb = snl_attr_get_pfaddr }, 1311 { .type = PF_STK_PORT0, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 }, 1312 { .type = PF_STK_PORT1, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 }, 1313 }; 1314 SNL_DECLARE_ATTR_PARSER(skey_parser, nla_p_skey); 1315 #undef _OUT 1316 1317 #define _IN(_field) offsetof(struct genlmsghdr, _field) 1318 #define _OUT(_field) offsetof(struct pfctl_state, _field) 1319 static struct snl_attr_parser ap_state[] = { 1320 { .type = PF_ST_ID, .off = _OUT(id), .cb = snl_attr_get_uint64 }, 1321 { .type = PF_ST_CREATORID, .off = _OUT(creatorid), .cb = snl_attr_get_uint32 }, 1322 { .type = PF_ST_IFNAME, .off = _OUT(ifname), .cb = snl_attr_store_ifname }, 1323 { .type = PF_ST_ORIG_IFNAME, .off = _OUT(orig_ifname), .cb = snl_attr_store_ifname }, 1324 { .type = PF_ST_KEY_WIRE, .off = _OUT(key[0]), .arg = &skey_parser, .cb = snl_attr_get_nested }, 1325 { .type = PF_ST_KEY_STACK, .off = _OUT(key[1]), .arg = &skey_parser, .cb = snl_attr_get_nested }, 1326 { .type = PF_ST_PEER_SRC, .off = _OUT(src), .arg = &speer_parser, .cb = snl_attr_get_nested }, 1327 { .type = PF_ST_PEER_DST, .off = _OUT(dst), .arg = &speer_parser, .cb = snl_attr_get_nested }, 1328 { .type = PF_ST_RT_ADDR, .off = _OUT(rt_addr), .cb = snl_attr_get_pfaddr }, 1329 { .type = PF_ST_RULE, .off = _OUT(rule), .cb = snl_attr_get_uint32 }, 1330 { .type = PF_ST_ANCHOR, .off = _OUT(anchor), .cb = snl_attr_get_uint32 }, 1331 { .type = PF_ST_NAT_RULE, .off = _OUT(nat_rule), .cb = snl_attr_get_uint32 }, 1332 { .type = PF_ST_CREATION, .off = _OUT(creation), .cb = snl_attr_get_uint32 }, 1333 { .type = PF_ST_EXPIRE, .off = _OUT(expire), .cb = snl_attr_get_uint32 }, 1334 { .type = PF_ST_PACKETS0, .off = _OUT(packets[0]), .cb = snl_attr_get_uint64 }, 1335 { .type = PF_ST_PACKETS1, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 }, 1336 { .type = PF_ST_BYTES0, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 }, 1337 { .type = PF_ST_BYTES1, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 }, 1338 { .type = PF_ST_AF, .off = _OUT(key[0].af), .cb = snl_attr_get_uint8 }, 1339 { .type = PF_ST_PROTO, .off = _OUT(key[0].proto), .cb = snl_attr_get_uint8 }, 1340 { .type = PF_ST_DIRECTION, .off = _OUT(direction), .cb = snl_attr_get_uint8 }, 1341 { .type = PF_ST_LOG, .off = _OUT(log), .cb = snl_attr_get_uint8 }, 1342 { .type = PF_ST_STATE_FLAGS, .off = _OUT(state_flags), .cb = snl_attr_get_uint16 }, 1343 { .type = PF_ST_SYNC_FLAGS, .off = _OUT(sync_flags), .cb = snl_attr_get_uint8 }, 1344 }; 1345 static struct snl_field_parser fp_state[] = { 1346 }; 1347 #undef _IN 1348 #undef _OUT 1349 SNL_DECLARE_PARSER(state_parser, struct genlmsghdr, fp_state, ap_state); 1350 1351 static const struct snl_hdr_parser *all_parsers[] = { 1352 &state_parser, &skey_parser, &speer_parser, 1353 &creator_parser, 1354 }; 1355 1356 static int 1357 pfctl_get_states_nl(struct pfctl_state_filter *filter, struct snl_state *ss, pfctl_get_state_fn f, void *arg) 1358 { 1359 SNL_VERIFY_PARSERS(all_parsers); 1360 int family_id = snl_get_genl_family(ss, PFNL_FAMILY_NAME); 1361 int ret; 1362 1363 struct nlmsghdr *hdr; 1364 struct snl_writer nw; 1365 1366 snl_init_writer(ss, &nw); 1367 hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GETSTATES); 1368 hdr->nlmsg_flags |= NLM_F_DUMP; 1369 snl_add_msg_attr_string(&nw, PF_ST_IFNAME, filter->ifname); 1370 snl_add_msg_attr_u16(&nw, PF_ST_PROTO, filter->proto); 1371 snl_add_msg_attr_u8(&nw, PF_ST_AF, filter->af); 1372 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_ADDR, &filter->addr.v6); 1373 snl_add_msg_attr_ip6(&nw, PF_ST_FILTER_MASK, &filter->mask.v6); 1374 1375 hdr = snl_finalize_msg(&nw); 1376 if (hdr == NULL) 1377 return (ENOMEM); 1378 1379 uint32_t seq_id = hdr->nlmsg_seq; 1380 1381 snl_send_message(ss, hdr); 1382 1383 struct snl_errmsg_data e = {}; 1384 while ((hdr = snl_read_reply_multi(ss, seq_id, &e)) != NULL) { 1385 struct pfctl_state s; 1386 bzero(&s, sizeof(s)); 1387 if (!snl_parse_nlmsg(ss, hdr, &state_parser, &s)) 1388 continue; 1389 1390 s.key[1].af = s.key[0].af; 1391 s.key[1].proto = s.key[0].proto; 1392 1393 ret = f(&s, arg); 1394 if (ret != 0) 1395 return (ret); 1396 } 1397 1398 return (0); 1399 } 1400 1401 int 1402 pfctl_get_states_iter(pfctl_get_state_fn f, void *arg) 1403 { 1404 struct pfctl_state_filter filter = {}; 1405 return (pfctl_get_filtered_states_iter(&filter, f, arg)); 1406 } 1407 1408 int 1409 pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg) 1410 { 1411 struct snl_state ss = {}; 1412 int error; 1413 1414 snl_init(&ss, NETLINK_GENERIC); 1415 error = pfctl_get_states_nl(filter, &ss, f, arg); 1416 snl_free(&ss); 1417 1418 return (error); 1419 } 1420 1421 static int 1422 pfctl_append_states(struct pfctl_state *s, void *arg) 1423 { 1424 struct pfctl_state *new; 1425 struct pfctl_states *states = (struct pfctl_states *)arg; 1426 1427 new = malloc(sizeof(*s)); 1428 if (new == NULL) 1429 return (ENOMEM); 1430 1431 memcpy(new, s, sizeof(*s)); 1432 1433 TAILQ_INSERT_TAIL(&states->states, new, entry); 1434 1435 return (0); 1436 } 1437 1438 int 1439 pfctl_get_states(int dev __unused, struct pfctl_states *states) 1440 { 1441 int ret; 1442 1443 bzero(states, sizeof(*states)); 1444 TAILQ_INIT(&states->states); 1445 1446 ret = pfctl_get_states_iter(pfctl_append_states, states); 1447 if (ret != 0) { 1448 pfctl_free_states(states); 1449 return (ret); 1450 } 1451 1452 return (0); 1453 } 1454 1455 void 1456 pfctl_free_states(struct pfctl_states *states) 1457 { 1458 struct pfctl_state *s, *tmp; 1459 1460 TAILQ_FOREACH_SAFE(s, &states->states, entry, tmp) { 1461 free(s); 1462 } 1463 1464 bzero(states, sizeof(*states)); 1465 } 1466 1467 static int 1468 _pfctl_clear_states(int dev, const struct pfctl_kill *kill, 1469 unsigned int *killed, uint64_t ioctlval) 1470 { 1471 nvlist_t *nvl; 1472 int ret; 1473 1474 nvl = nvlist_create(0); 1475 1476 pfctl_nv_add_state_cmp(nvl, "cmp", &kill->cmp); 1477 nvlist_add_number(nvl, "af", kill->af); 1478 nvlist_add_number(nvl, "proto", kill->proto); 1479 pfctl_nv_add_rule_addr(nvl, "src", &kill->src); 1480 pfctl_nv_add_rule_addr(nvl, "dst", &kill->dst); 1481 pfctl_nv_add_rule_addr(nvl, "rt_addr", &kill->rt_addr); 1482 nvlist_add_string(nvl, "ifname", kill->ifname); 1483 nvlist_add_string(nvl, "label", kill->label); 1484 nvlist_add_bool(nvl, "kill_match", kill->kill_match); 1485 nvlist_add_bool(nvl, "nat", kill->nat); 1486 1487 if ((ret = pfctl_do_ioctl(dev, ioctlval, 1024, &nvl)) != 0) 1488 return (ret); 1489 1490 if (killed) 1491 *killed = nvlist_get_number(nvl, "killed"); 1492 1493 nvlist_destroy(nvl); 1494 1495 return (ret); 1496 } 1497 1498 int 1499 pfctl_clear_states(int dev, const struct pfctl_kill *kill, 1500 unsigned int *killed) 1501 { 1502 return (_pfctl_clear_states(dev, kill, killed, DIOCCLRSTATESNV)); 1503 } 1504 1505 int 1506 pfctl_kill_states(int dev, const struct pfctl_kill *kill, unsigned int *killed) 1507 { 1508 return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV)); 1509 } 1510 1511 int 1512 pfctl_clear_rules(int dev, const char *anchorname) 1513 { 1514 struct pfioc_trans trans; 1515 struct pfioc_trans_e transe[2]; 1516 int ret; 1517 1518 bzero(&trans, sizeof(trans)); 1519 bzero(&transe, sizeof(transe)); 1520 1521 transe[0].rs_num = PF_RULESET_SCRUB; 1522 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 1523 >= sizeof(transe[0].anchor)) 1524 return (E2BIG); 1525 1526 transe[1].rs_num = PF_RULESET_FILTER; 1527 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 1528 >= sizeof(transe[1].anchor)) 1529 return (E2BIG); 1530 1531 trans.size = 2; 1532 trans.esize = sizeof(transe[0]); 1533 trans.array = transe; 1534 1535 ret = ioctl(dev, DIOCXBEGIN, &trans); 1536 if (ret != 0) 1537 return (ret); 1538 return ioctl(dev, DIOCXCOMMIT, &trans); 1539 } 1540 1541 int 1542 pfctl_clear_nat(int dev, const char *anchorname) 1543 { 1544 struct pfioc_trans trans; 1545 struct pfioc_trans_e transe[3]; 1546 int ret; 1547 1548 bzero(&trans, sizeof(trans)); 1549 bzero(&transe, sizeof(transe)); 1550 1551 transe[0].rs_num = PF_RULESET_NAT; 1552 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 1553 >= sizeof(transe[0].anchor)) 1554 return (E2BIG); 1555 1556 transe[1].rs_num = PF_RULESET_BINAT; 1557 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 1558 >= sizeof(transe[0].anchor)) 1559 return (E2BIG); 1560 1561 transe[2].rs_num = PF_RULESET_RDR; 1562 if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor)) 1563 >= sizeof(transe[2].anchor)) 1564 return (E2BIG); 1565 1566 trans.size = 3; 1567 trans.esize = sizeof(transe[0]); 1568 trans.array = transe; 1569 1570 ret = ioctl(dev, DIOCXBEGIN, &trans); 1571 if (ret != 0) 1572 return (ret); 1573 return ioctl(dev, DIOCXCOMMIT, &trans); 1574 } 1575 int 1576 pfctl_clear_eth_rules(int dev, const char *anchorname) 1577 { 1578 struct pfioc_trans trans; 1579 struct pfioc_trans_e transe; 1580 int ret; 1581 1582 bzero(&trans, sizeof(trans)); 1583 bzero(&transe, sizeof(transe)); 1584 1585 transe.rs_num = PF_RULESET_ETH; 1586 if (strlcpy(transe.anchor, anchorname, sizeof(transe.anchor)) 1587 >= sizeof(transe.anchor)) 1588 return (E2BIG); 1589 1590 trans.size = 1; 1591 trans.esize = sizeof(transe); 1592 trans.array = &transe; 1593 1594 ret = ioctl(dev, DIOCXBEGIN, &trans); 1595 if (ret != 0) 1596 return (ret); 1597 return ioctl(dev, DIOCXCOMMIT, &trans); 1598 } 1599 1600 static int 1601 pfctl_get_limit(int dev, const int index, uint *limit) 1602 { 1603 struct pfioc_limit pl; 1604 1605 bzero(&pl, sizeof(pl)); 1606 pl.index = index; 1607 1608 if (ioctl(dev, DIOCGETLIMIT, &pl) == -1) 1609 return (errno); 1610 1611 *limit = pl.limit; 1612 1613 return (0); 1614 } 1615 1616 int 1617 pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s) 1618 { 1619 struct pfioc_nv nv; 1620 nvlist_t *nvl; 1621 int ret; 1622 uint state_limit; 1623 uint64_t lim, hi, lo; 1624 1625 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 1626 if (ret != 0) 1627 return (ret); 1628 1629 lim = state_limit; 1630 hi = lim * s->highwater / 100; 1631 lo = lim * s->lowwater / 100; 1632 1633 if (lo == hi) 1634 hi++; 1635 1636 nvl = nvlist_create(0); 1637 1638 nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER); 1639 nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE); 1640 nvlist_add_number(nvl, "highwater", hi); 1641 nvlist_add_number(nvl, "lowwater", lo); 1642 1643 nv.data = nvlist_pack(nvl, &nv.len); 1644 nv.size = nv.len; 1645 nvlist_destroy(nvl); 1646 nvl = NULL; 1647 1648 ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv); 1649 1650 free(nv.data); 1651 return (ret); 1652 } 1653 1654 int 1655 pfctl_get_syncookies(int dev, struct pfctl_syncookies *s) 1656 { 1657 nvlist_t *nvl; 1658 int ret; 1659 uint state_limit; 1660 bool enabled, adaptive; 1661 1662 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 1663 if (ret != 0) 1664 return (ret); 1665 1666 bzero(s, sizeof(*s)); 1667 1668 nvl = nvlist_create(0); 1669 1670 if ((ret = pfctl_do_ioctl(dev, DIOCGETSYNCOOKIES, 256, &nvl)) != 0) 1671 return (errno); 1672 1673 enabled = nvlist_get_bool(nvl, "enabled"); 1674 adaptive = nvlist_get_bool(nvl, "adaptive"); 1675 1676 if (enabled) { 1677 if (adaptive) 1678 s->mode = PFCTL_SYNCOOKIES_ADAPTIVE; 1679 else 1680 s->mode = PFCTL_SYNCOOKIES_ALWAYS; 1681 } else { 1682 s->mode = PFCTL_SYNCOOKIES_NEVER; 1683 } 1684 1685 s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit; 1686 s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit; 1687 1688 nvlist_destroy(nvl); 1689 1690 return (0); 1691 } 1692 1693 int 1694 pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 1695 *addr, int size, int *nadd, int flags) 1696 { 1697 struct pfioc_table io; 1698 1699 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 1700 return (EINVAL); 1701 } 1702 bzero(&io, sizeof io); 1703 io.pfrio_flags = flags; 1704 io.pfrio_table = *tbl; 1705 io.pfrio_buffer = addr; 1706 io.pfrio_esize = sizeof(*addr); 1707 io.pfrio_size = size; 1708 1709 if (ioctl(dev, DIOCRADDADDRS, &io)) 1710 return (errno); 1711 if (nadd != NULL) 1712 *nadd = io.pfrio_nadd; 1713 return (0); 1714 } 1715 1716 int 1717 pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 1718 *addr, int size, int *ndel, int flags) 1719 { 1720 struct pfioc_table io; 1721 1722 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 1723 return (EINVAL); 1724 } 1725 bzero(&io, sizeof io); 1726 io.pfrio_flags = flags; 1727 io.pfrio_table = *tbl; 1728 io.pfrio_buffer = addr; 1729 io.pfrio_esize = sizeof(*addr); 1730 io.pfrio_size = size; 1731 1732 if (ioctl(dev, DIOCRDELADDRS, &io)) 1733 return (errno); 1734 if (ndel != NULL) 1735 *ndel = io.pfrio_ndel; 1736 return (0); 1737 } 1738 1739 int 1740 pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 1741 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, int flags) 1742 { 1743 struct pfioc_table io; 1744 1745 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 1746 return (EINVAL); 1747 } 1748 bzero(&io, sizeof io); 1749 io.pfrio_flags = flags; 1750 io.pfrio_table = *tbl; 1751 io.pfrio_buffer = addr; 1752 io.pfrio_esize = sizeof(*addr); 1753 io.pfrio_size = size; 1754 io.pfrio_size2 = (size2 != NULL) ? *size2 : 0; 1755 if (ioctl(dev, DIOCRSETADDRS, &io)) 1756 return (-1); 1757 if (nadd != NULL) 1758 *nadd = io.pfrio_nadd; 1759 if (ndel != NULL) 1760 *ndel = io.pfrio_ndel; 1761 if (nchange != NULL) 1762 *nchange = io.pfrio_nchange; 1763 if (size2 != NULL) 1764 *size2 = io.pfrio_size2; 1765 return (0); 1766 } 1767 1768 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr *addr, 1769 int *size, int flags) 1770 { 1771 struct pfioc_table io; 1772 1773 if (tbl == NULL || size == NULL || *size < 0 || 1774 (*size && addr == NULL)) { 1775 return (EINVAL); 1776 } 1777 bzero(&io, sizeof io); 1778 io.pfrio_flags = flags; 1779 io.pfrio_table = *tbl; 1780 io.pfrio_buffer = addr; 1781 io.pfrio_esize = sizeof(*addr); 1782 io.pfrio_size = *size; 1783 if (ioctl(dev, DIOCRGETADDRS, &io)) 1784 return (-1); 1785 *size = io.pfrio_size; 1786 return (0); 1787 } 1788