1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 34 #include <sys/ioctl.h> 35 #include <sys/nv.h> 36 #include <sys/queue.h> 37 #include <sys/types.h> 38 39 #include <net/if.h> 40 #include <net/pfvar.h> 41 #include <netinet/in.h> 42 43 #include <assert.h> 44 #include <err.h> 45 #include <errno.h> 46 #include <stdlib.h> 47 #include <string.h> 48 49 #include "libpfctl.h" 50 51 const char* PFCTL_SYNCOOKIES_MODE_NAMES[] = { 52 "never", 53 "always", 54 "adaptive" 55 }; 56 57 static int _pfctl_clear_states(int , const struct pfctl_kill *, 58 unsigned int *, uint64_t); 59 60 static int 61 pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl) 62 { 63 struct pfioc_nv nv; 64 void *data; 65 size_t nvlen; 66 int ret; 67 68 data = nvlist_pack(*nvl, &nvlen); 69 if (nvlen > size) 70 size = nvlen; 71 72 retry: 73 nv.data = malloc(size); 74 memcpy(nv.data, data, nvlen); 75 free(data); 76 77 nv.len = nvlen; 78 nv.size = size; 79 80 ret = ioctl(dev, cmd, &nv); 81 if (ret == -1 && errno == ENOSPC) { 82 size *= 2; 83 free(nv.data); 84 goto retry; 85 } 86 87 nvlist_destroy(*nvl); 88 *nvl = NULL; 89 90 if (ret == 0) { 91 *nvl = nvlist_unpack(nv.data, nv.len, 0); 92 if (*nvl == NULL) { 93 free(nv.data); 94 return (EIO); 95 } 96 } else { 97 ret = errno; 98 } 99 100 free(nv.data); 101 102 return (ret); 103 } 104 105 static void 106 pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems, 107 uint8_t *numbers, size_t *nelems) 108 { 109 const uint64_t *tmp; 110 size_t elems; 111 112 tmp = nvlist_get_number_array(nvl, name, &elems); 113 assert(elems <= maxelems); 114 115 for (size_t i = 0; i < elems; i++) 116 numbers[i] = tmp[i]; 117 118 if (nelems) 119 *nelems = elems; 120 } 121 122 static void 123 pf_nvuint_16_array(const nvlist_t *nvl, const char *name, size_t maxelems, 124 uint16_t *numbers, size_t *nelems) 125 { 126 const uint64_t *tmp; 127 size_t elems; 128 129 tmp = nvlist_get_number_array(nvl, name, &elems); 130 assert(elems <= maxelems); 131 132 for (size_t i = 0; i < elems; i++) 133 numbers[i] = tmp[i]; 134 135 if (nelems) 136 *nelems = elems; 137 } 138 139 static void 140 pf_nvuint_32_array(const nvlist_t *nvl, const char *name, size_t maxelems, 141 uint32_t *numbers, size_t *nelems) 142 { 143 const uint64_t *tmp; 144 size_t elems; 145 146 tmp = nvlist_get_number_array(nvl, name, &elems); 147 assert(elems <= maxelems); 148 149 for (size_t i = 0; i < elems; i++) 150 numbers[i] = tmp[i]; 151 152 if (nelems) 153 *nelems = elems; 154 } 155 156 static void 157 pf_nvuint_64_array(const nvlist_t *nvl, const char *name, size_t maxelems, 158 uint64_t *numbers, size_t *nelems) 159 { 160 const uint64_t *tmp; 161 size_t elems; 162 163 tmp = nvlist_get_number_array(nvl, name, &elems); 164 assert(elems <= maxelems); 165 166 for (size_t i = 0; i < elems; i++) 167 numbers[i] = tmp[i]; 168 169 if (nelems) 170 *nelems = elems; 171 } 172 173 static void 174 _pfctl_get_status_counters(const nvlist_t *nvl, 175 struct pfctl_status_counters *counters) 176 { 177 const uint64_t *ids, *counts; 178 const char *const *names; 179 size_t id_len, counter_len, names_len; 180 181 ids = nvlist_get_number_array(nvl, "ids", &id_len); 182 counts = nvlist_get_number_array(nvl, "counters", &counter_len); 183 names = nvlist_get_string_array(nvl, "names", &names_len); 184 assert(id_len == counter_len); 185 assert(counter_len == names_len); 186 187 TAILQ_INIT(counters); 188 189 for (size_t i = 0; i < id_len; i++) { 190 struct pfctl_status_counter *c; 191 192 c = malloc(sizeof(*c)); 193 194 c->id = ids[i]; 195 c->counter = counts[i]; 196 c->name = strdup(names[i]); 197 198 TAILQ_INSERT_TAIL(counters, c, entry); 199 } 200 } 201 202 struct pfctl_status * 203 pfctl_get_status(int dev) 204 { 205 struct pfctl_status *status; 206 nvlist_t *nvl; 207 size_t len; 208 const void *chksum; 209 210 status = calloc(1, sizeof(*status)); 211 if (status == NULL) 212 return (NULL); 213 214 nvl = nvlist_create(0); 215 216 if (pfctl_do_ioctl(dev, DIOCGETSTATUSNV, 4096, &nvl)) { 217 free(status); 218 return (NULL); 219 } 220 221 status->running = nvlist_get_bool(nvl, "running"); 222 status->since = nvlist_get_number(nvl, "since"); 223 status->debug = nvlist_get_number(nvl, "debug"); 224 status->hostid = ntohl(nvlist_get_number(nvl, "hostid")); 225 status->states = nvlist_get_number(nvl, "states"); 226 status->src_nodes = nvlist_get_number(nvl, "src_nodes"); 227 status->syncookies_active = nvlist_get_bool(nvl, "syncookies_active"); 228 status->reass = nvlist_get_number(nvl, "reass"); 229 230 strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"), 231 IFNAMSIZ); 232 chksum = nvlist_get_binary(nvl, "chksum", &len); 233 assert(len == PF_MD5_DIGEST_LENGTH); 234 memcpy(status->pf_chksum, chksum, len); 235 236 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "counters"), 237 &status->counters); 238 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "lcounters"), 239 &status->lcounters); 240 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "fcounters"), 241 &status->fcounters); 242 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "scounters"), 243 &status->scounters); 244 245 pf_nvuint_64_array(nvl, "pcounters", 2 * 2 * 3, 246 (uint64_t *)status->pcounters, NULL); 247 pf_nvuint_64_array(nvl, "bcounters", 2 * 2, 248 (uint64_t *)status->bcounters, NULL); 249 250 nvlist_destroy(nvl); 251 252 return (status); 253 } 254 255 static uint64_t 256 _pfctl_status_counter(struct pfctl_status_counters *counters, uint64_t id) 257 { 258 struct pfctl_status_counter *c; 259 260 TAILQ_FOREACH(c, counters, entry) { 261 if (c->id == id) 262 return (c->counter); 263 } 264 265 return (0); 266 } 267 268 uint64_t 269 pfctl_status_counter(struct pfctl_status *status, int id) 270 { 271 return (_pfctl_status_counter(&status->counters, id)); 272 } 273 274 uint64_t 275 pfctl_status_fcounter(struct pfctl_status *status, int id) 276 { 277 return (_pfctl_status_counter(&status->fcounters, id)); 278 } 279 280 uint64_t 281 pfctl_status_scounter(struct pfctl_status *status, int id) 282 { 283 return (_pfctl_status_counter(&status->scounters, id)); 284 } 285 286 void 287 pfctl_free_status(struct pfctl_status *status) 288 { 289 struct pfctl_status_counter *c, *tmp; 290 291 if (status == NULL) 292 return; 293 294 TAILQ_FOREACH_SAFE(c, &status->counters, entry, tmp) { 295 free(c->name); 296 free(c); 297 } 298 TAILQ_FOREACH_SAFE(c, &status->lcounters, entry, tmp) { 299 free(c->name); 300 free(c); 301 } 302 TAILQ_FOREACH_SAFE(c, &status->fcounters, entry, tmp) { 303 free(c->name); 304 free(c); 305 } 306 TAILQ_FOREACH_SAFE(c, &status->scounters, entry, tmp) { 307 free(c->name); 308 free(c); 309 } 310 311 free(status); 312 } 313 314 static void 315 pfctl_nv_add_addr(nvlist_t *nvparent, const char *name, 316 const struct pf_addr *addr) 317 { 318 nvlist_t *nvl = nvlist_create(0); 319 320 nvlist_add_binary(nvl, "addr", addr, sizeof(*addr)); 321 322 nvlist_add_nvlist(nvparent, name, nvl); 323 nvlist_destroy(nvl); 324 } 325 326 static void 327 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr) 328 { 329 size_t len; 330 const void *data; 331 332 data = nvlist_get_binary(nvl, "addr", &len); 333 assert(len == sizeof(struct pf_addr)); 334 memcpy(addr, data, len); 335 } 336 337 static void 338 pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, 339 const struct pf_addr_wrap *addr) 340 { 341 nvlist_t *nvl = nvlist_create(0); 342 343 nvlist_add_number(nvl, "type", addr->type); 344 nvlist_add_number(nvl, "iflags", addr->iflags); 345 if (addr->type == PF_ADDR_DYNIFTL) 346 nvlist_add_string(nvl, "ifname", addr->v.ifname); 347 if (addr->type == PF_ADDR_TABLE) 348 nvlist_add_string(nvl, "tblname", addr->v.tblname); 349 pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); 350 pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); 351 352 nvlist_add_nvlist(nvparent, name, nvl); 353 nvlist_destroy(nvl); 354 } 355 356 static void 357 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr) 358 { 359 bzero(addr, sizeof(*addr)); 360 361 addr->type = nvlist_get_number(nvl, "type"); 362 addr->iflags = nvlist_get_number(nvl, "iflags"); 363 if (addr->type == PF_ADDR_DYNIFTL) { 364 strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"), 365 IFNAMSIZ); 366 addr->p.dyncnt = nvlist_get_number(nvl, "dyncnt"); 367 } 368 if (addr->type == PF_ADDR_TABLE) { 369 strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"), 370 PF_TABLE_NAME_SIZE); 371 addr->p.tblcnt = nvlist_get_number(nvl, "tblcnt"); 372 } 373 374 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr); 375 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask); 376 } 377 378 static void 379 pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name, 380 const struct pf_rule_addr *addr) 381 { 382 uint64_t ports[2]; 383 nvlist_t *nvl = nvlist_create(0); 384 385 pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr); 386 ports[0] = addr->port[0]; 387 ports[1] = addr->port[1]; 388 nvlist_add_number_array(nvl, "port", ports, 2); 389 nvlist_add_number(nvl, "neg", addr->neg); 390 nvlist_add_number(nvl, "port_op", addr->port_op); 391 392 nvlist_add_nvlist(nvparent, name, nvl); 393 nvlist_destroy(nvl); 394 } 395 396 static void 397 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr) 398 { 399 pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"), &addr->addr); 400 401 pf_nvuint_16_array(nvl, "port", 2, addr->port, NULL); 402 addr->neg = nvlist_get_number(nvl, "neg"); 403 addr->port_op = nvlist_get_number(nvl, "port_op"); 404 } 405 406 static void 407 pfctl_nv_add_mape(nvlist_t *nvparent, const char *name, 408 const struct pf_mape_portset *mape) 409 { 410 nvlist_t *nvl = nvlist_create(0); 411 412 nvlist_add_number(nvl, "offset", mape->offset); 413 nvlist_add_number(nvl, "psidlen", mape->psidlen); 414 nvlist_add_number(nvl, "psid", mape->psid); 415 nvlist_add_nvlist(nvparent, name, nvl); 416 nvlist_destroy(nvl); 417 } 418 419 static void 420 pfctl_nv_add_pool(nvlist_t *nvparent, const char *name, 421 const struct pfctl_pool *pool) 422 { 423 uint64_t ports[2]; 424 nvlist_t *nvl = nvlist_create(0); 425 426 nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key)); 427 pfctl_nv_add_addr(nvl, "counter", &pool->counter); 428 nvlist_add_number(nvl, "tblidx", pool->tblidx); 429 430 ports[0] = pool->proxy_port[0]; 431 ports[1] = pool->proxy_port[1]; 432 nvlist_add_number_array(nvl, "proxy_port", ports, 2); 433 nvlist_add_number(nvl, "opts", pool->opts); 434 pfctl_nv_add_mape(nvl, "mape", &pool->mape); 435 436 nvlist_add_nvlist(nvparent, name, nvl); 437 nvlist_destroy(nvl); 438 } 439 440 static void 441 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape) 442 { 443 mape->offset = nvlist_get_number(nvl, "offset"); 444 mape->psidlen = nvlist_get_number(nvl, "psidlen"); 445 mape->psid = nvlist_get_number(nvl, "psid"); 446 } 447 448 static void 449 pf_nvpool_to_pool(const nvlist_t *nvl, struct pfctl_pool *pool) 450 { 451 size_t len; 452 const void *data; 453 454 data = nvlist_get_binary(nvl, "key", &len); 455 assert(len == sizeof(pool->key)); 456 memcpy(&pool->key, data, len); 457 458 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"), &pool->counter); 459 460 pool->tblidx = nvlist_get_number(nvl, "tblidx"); 461 pf_nvuint_16_array(nvl, "proxy_port", 2, pool->proxy_port, NULL); 462 pool->opts = nvlist_get_number(nvl, "opts"); 463 464 if (nvlist_exists_nvlist(nvl, "mape")) 465 pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"), &pool->mape); 466 } 467 468 static void 469 pfctl_nv_add_uid(nvlist_t *nvparent, const char *name, 470 const struct pf_rule_uid *uid) 471 { 472 uint64_t uids[2]; 473 nvlist_t *nvl = nvlist_create(0); 474 475 uids[0] = uid->uid[0]; 476 uids[1] = uid->uid[1]; 477 nvlist_add_number_array(nvl, "uid", uids, 2); 478 nvlist_add_number(nvl, "op", uid->op); 479 480 nvlist_add_nvlist(nvparent, name, nvl); 481 nvlist_destroy(nvl); 482 } 483 484 static void 485 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid) 486 { 487 pf_nvuint_32_array(nvl, "uid", 2, uid->uid, NULL); 488 uid->op = nvlist_get_number(nvl, "op"); 489 } 490 491 static void 492 pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, 493 const struct pfctl_rule *r) 494 { 495 nvlist_t *nvl = nvlist_create(0); 496 497 pfctl_nv_add_addr(nvl, "addr", &r->divert.addr); 498 nvlist_add_number(nvl, "port", r->divert.port); 499 500 nvlist_add_nvlist(nvparent, name, nvl); 501 nvlist_destroy(nvl); 502 } 503 504 static void 505 pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule) 506 { 507 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr); 508 rule->divert.port = nvlist_get_number(nvl, "port"); 509 } 510 511 static void 512 pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule) 513 { 514 const uint64_t *skip; 515 const char *const *labels; 516 size_t skipcount, labelcount; 517 518 rule->nr = nvlist_get_number(nvl, "nr"); 519 520 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"), &rule->src); 521 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &rule->dst); 522 523 skip = nvlist_get_number_array(nvl, "skip", &skipcount); 524 assert(skip); 525 assert(skipcount == PF_SKIP_COUNT); 526 for (int i = 0; i < PF_SKIP_COUNT; i++) 527 rule->skip[i].nr = skip[i]; 528 529 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 530 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 531 for (size_t i = 0; i < labelcount; i++) 532 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 533 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 534 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 535 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 536 strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE); 537 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 538 PF_TAG_NAME_SIZE); 539 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 540 PF_TAG_NAME_SIZE); 541 542 strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"), 543 PF_TABLE_NAME_SIZE); 544 545 pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rpool); 546 547 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 548 pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL); 549 pf_nvuint_64_array(nvl, "bytes", 2, rule->bytes, NULL); 550 551 if (nvlist_exists_number(nvl, "timestamp")) { 552 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 553 } 554 555 rule->os_fingerprint = nvlist_get_number(nvl, "os_fingerprint"); 556 557 rule->rtableid = nvlist_get_number(nvl, "rtableid"); 558 pf_nvuint_32_array(nvl, "timeout", PFTM_MAX, rule->timeout, NULL); 559 rule->max_states = nvlist_get_number(nvl, "max_states"); 560 rule->max_src_nodes = nvlist_get_number(nvl, "max_src_nodes"); 561 rule->max_src_states = nvlist_get_number(nvl, "max_src_states"); 562 rule->max_src_conn = nvlist_get_number(nvl, "max_src_conn"); 563 rule->max_src_conn_rate.limit = 564 nvlist_get_number(nvl, "max_src_conn_rate.limit"); 565 rule->max_src_conn_rate.seconds = 566 nvlist_get_number(nvl, "max_src_conn_rate.seconds"); 567 rule->qid = nvlist_get_number(nvl, "qid"); 568 rule->pqid = nvlist_get_number(nvl, "pqid"); 569 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 570 rule->dnrpipe = nvlist_get_number(nvl, "dnrpipe"); 571 rule->free_flags = nvlist_get_number(nvl, "dnflags"); 572 rule->prob = nvlist_get_number(nvl, "prob"); 573 rule->cuid = nvlist_get_number(nvl, "cuid"); 574 rule->cpid = nvlist_get_number(nvl, "cpid"); 575 576 rule->return_icmp = nvlist_get_number(nvl, "return_icmp"); 577 rule->return_icmp6 = nvlist_get_number(nvl, "return_icmp6"); 578 rule->max_mss = nvlist_get_number(nvl, "max_mss"); 579 rule->scrub_flags = nvlist_get_number(nvl, "scrub_flags"); 580 581 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"), &rule->uid); 582 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "gid"), 583 (struct pf_rule_uid *)&rule->gid); 584 585 rule->rule_flag = nvlist_get_number(nvl, "rule_flag"); 586 rule->action = nvlist_get_number(nvl, "action"); 587 rule->direction = nvlist_get_number(nvl, "direction"); 588 rule->log = nvlist_get_number(nvl, "log"); 589 rule->logif = nvlist_get_number(nvl, "logif"); 590 rule->quick = nvlist_get_number(nvl, "quick"); 591 rule->ifnot = nvlist_get_number(nvl, "ifnot"); 592 rule->match_tag_not = nvlist_get_number(nvl, "match_tag_not"); 593 rule->natpass = nvlist_get_number(nvl, "natpass"); 594 595 rule->keep_state = nvlist_get_number(nvl, "keep_state"); 596 rule->af = nvlist_get_number(nvl, "af"); 597 rule->proto = nvlist_get_number(nvl, "proto"); 598 rule->type = nvlist_get_number(nvl, "type"); 599 rule->code = nvlist_get_number(nvl, "code"); 600 rule->flags = nvlist_get_number(nvl, "flags"); 601 rule->flagset = nvlist_get_number(nvl, "flagset"); 602 rule->min_ttl = nvlist_get_number(nvl, "min_ttl"); 603 rule->allow_opts = nvlist_get_number(nvl, "allow_opts"); 604 rule->rt = nvlist_get_number(nvl, "rt"); 605 rule->return_ttl = nvlist_get_number(nvl, "return_ttl"); 606 rule->tos = nvlist_get_number(nvl, "tos"); 607 rule->set_tos = nvlist_get_number(nvl, "set_tos"); 608 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 609 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 610 611 rule->flush = nvlist_get_number(nvl, "flush"); 612 rule->prio = nvlist_get_number(nvl, "prio"); 613 pf_nvuint_8_array(nvl, "set_prio", 2, rule->set_prio, NULL); 614 615 pf_nvdivert_to_divert(nvlist_get_nvlist(nvl, "divert"), rule); 616 617 rule->states_cur = nvlist_get_number(nvl, "states_cur"); 618 rule->states_tot = nvlist_get_number(nvl, "states_tot"); 619 rule->src_nodes = nvlist_get_number(nvl, "src_nodes"); 620 } 621 622 static void 623 pfctl_nveth_addr_to_eth_addr(const nvlist_t *nvl, struct pfctl_eth_addr *addr) 624 { 625 static const u_int8_t EMPTY_MAC[ETHER_ADDR_LEN] = { 0 }; 626 size_t len; 627 const void *data; 628 629 data = nvlist_get_binary(nvl, "addr", &len); 630 assert(len == sizeof(addr->addr)); 631 memcpy(addr->addr, data, sizeof(addr->addr)); 632 633 data = nvlist_get_binary(nvl, "mask", &len); 634 assert(len == sizeof(addr->mask)); 635 memcpy(addr->mask, data, sizeof(addr->mask)); 636 637 addr->neg = nvlist_get_bool(nvl, "neg"); 638 639 /* To make checks for 'is this address set?' easier. */ 640 addr->isset = memcmp(addr->addr, EMPTY_MAC, ETHER_ADDR_LEN) != 0; 641 } 642 643 static nvlist_t * 644 pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr *addr) 645 { 646 nvlist_t *nvl; 647 648 nvl = nvlist_create(0); 649 if (nvl == NULL) 650 return (NULL); 651 652 nvlist_add_bool(nvl, "neg", addr->neg); 653 nvlist_add_binary(nvl, "addr", &addr->addr, ETHER_ADDR_LEN); 654 nvlist_add_binary(nvl, "mask", &addr->mask, ETHER_ADDR_LEN); 655 656 return (nvl); 657 } 658 659 static void 660 pfctl_nveth_rule_to_eth_rule(const nvlist_t *nvl, struct pfctl_eth_rule *rule) 661 { 662 const char *const *labels; 663 size_t labelcount, i; 664 665 rule->nr = nvlist_get_number(nvl, "nr"); 666 rule->quick = nvlist_get_bool(nvl, "quick"); 667 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); 668 rule->ifnot = nvlist_get_bool(nvl, "ifnot"); 669 rule->direction = nvlist_get_number(nvl, "direction"); 670 rule->proto = nvlist_get_number(nvl, "proto"); 671 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"), 672 PF_TAG_NAME_SIZE); 673 rule->match_tag = nvlist_get_number(nvl, "match_tag"); 674 rule->match_tag_not = nvlist_get_bool(nvl, "match_tag_not"); 675 676 labels = nvlist_get_string_array(nvl, "labels", &labelcount); 677 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT); 678 for (i = 0; i < labelcount; i++) 679 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE); 680 rule->ridentifier = nvlist_get_number(nvl, "ridentifier"); 681 682 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "src"), 683 &rule->src); 684 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "dst"), 685 &rule->dst); 686 687 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipsrc"), 688 &rule->ipsrc); 689 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipdst"), 690 &rule->ipdst); 691 692 rule->evaluations = nvlist_get_number(nvl, "evaluations"); 693 rule->packets[0] = nvlist_get_number(nvl, "packets-in"); 694 rule->packets[1] = nvlist_get_number(nvl, "packets-out"); 695 rule->bytes[0] = nvlist_get_number(nvl, "bytes-in"); 696 rule->bytes[1] = nvlist_get_number(nvl, "bytes-out"); 697 698 if (nvlist_exists_number(nvl, "timestamp")) { 699 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp"); 700 } 701 702 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE); 703 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"), 704 PF_TAG_NAME_SIZE); 705 706 rule->dnpipe = nvlist_get_number(nvl, "dnpipe"); 707 rule->dnflags = nvlist_get_number(nvl, "dnflags"); 708 709 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative"); 710 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard"); 711 712 strlcpy(rule->bridge_to, nvlist_get_string(nvl, "bridge_to"), 713 IFNAMSIZ); 714 715 rule->action = nvlist_get_number(nvl, "action"); 716 } 717 718 int 719 pfctl_get_eth_rulesets_info(int dev, struct pfctl_eth_rulesets_info *ri, 720 const char *path) 721 { 722 nvlist_t *nvl; 723 int ret; 724 725 bzero(ri, sizeof(*ri)); 726 727 nvl = nvlist_create(0); 728 nvlist_add_string(nvl, "path", path); 729 730 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESETS, 256, &nvl)) != 0) 731 return (ret); 732 733 ri->nr = nvlist_get_number(nvl, "nr"); 734 735 nvlist_destroy(nvl); 736 return (0); 737 } 738 739 int 740 pfctl_get_eth_ruleset(int dev, const char *path, int nr, 741 struct pfctl_eth_ruleset_info *ri) 742 { 743 nvlist_t *nvl; 744 int ret; 745 746 bzero(ri, sizeof(*ri)); 747 748 nvl = nvlist_create(0); 749 nvlist_add_string(nvl, "path", path); 750 nvlist_add_number(nvl, "nr", nr); 751 752 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESET, 1024, &nvl)) != 0) 753 return (ret); 754 755 ri->nr = nvlist_get_number(nvl, "nr"); 756 strlcpy(ri->path, nvlist_get_string(nvl, "path"), MAXPATHLEN); 757 strlcpy(ri->name, nvlist_get_string(nvl, "name"), 758 PF_ANCHOR_NAME_SIZE); 759 760 return (0); 761 } 762 763 int 764 pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 765 const char *path) 766 { 767 nvlist_t *nvl; 768 int ret; 769 770 bzero(rules, sizeof(*rules)); 771 772 nvl = nvlist_create(0); 773 nvlist_add_string(nvl, "anchor", path); 774 775 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULES, 1024, &nvl)) != 0) 776 return (ret); 777 778 rules->nr = nvlist_get_number(nvl, "nr"); 779 rules->ticket = nvlist_get_number(nvl, "ticket"); 780 781 nvlist_destroy(nvl); 782 return (0); 783 } 784 785 int 786 pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 787 const char *path, struct pfctl_eth_rule *rule, bool clear, 788 char *anchor_call) 789 { 790 nvlist_t *nvl; 791 int ret; 792 793 nvl = nvlist_create(0); 794 795 nvlist_add_string(nvl, "anchor", path); 796 nvlist_add_number(nvl, "ticket", ticket); 797 nvlist_add_number(nvl, "nr", nr); 798 nvlist_add_bool(nvl, "clear", clear); 799 800 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULE, 4096, &nvl)) != 0) 801 return (ret); 802 803 pfctl_nveth_rule_to_eth_rule(nvl, rule); 804 805 if (anchor_call) 806 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 807 MAXPATHLEN); 808 809 nvlist_destroy(nvl); 810 return (0); 811 } 812 813 int 814 pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, const char *anchor, 815 const char *anchor_call, uint32_t ticket) 816 { 817 struct pfioc_nv nv; 818 nvlist_t *nvl, *addr; 819 void *packed; 820 int error = 0; 821 size_t labelcount, size; 822 823 nvl = nvlist_create(0); 824 825 nvlist_add_number(nvl, "ticket", ticket); 826 nvlist_add_string(nvl, "anchor", anchor); 827 nvlist_add_string(nvl, "anchor_call", anchor_call); 828 829 nvlist_add_number(nvl, "nr", r->nr); 830 nvlist_add_bool(nvl, "quick", r->quick); 831 nvlist_add_string(nvl, "ifname", r->ifname); 832 nvlist_add_bool(nvl, "ifnot", r->ifnot); 833 nvlist_add_number(nvl, "direction", r->direction); 834 nvlist_add_number(nvl, "proto", r->proto); 835 nvlist_add_string(nvl, "match_tagname", r->match_tagname); 836 nvlist_add_bool(nvl, "match_tag_not", r->match_tag_not); 837 838 addr = pfctl_eth_addr_to_nveth_addr(&r->src); 839 if (addr == NULL) { 840 nvlist_destroy(nvl); 841 return (ENOMEM); 842 } 843 nvlist_add_nvlist(nvl, "src", addr); 844 nvlist_destroy(addr); 845 846 addr = pfctl_eth_addr_to_nveth_addr(&r->dst); 847 if (addr == NULL) { 848 nvlist_destroy(nvl); 849 return (ENOMEM); 850 } 851 nvlist_add_nvlist(nvl, "dst", addr); 852 nvlist_destroy(addr); 853 854 pfctl_nv_add_rule_addr(nvl, "ipsrc", &r->ipsrc); 855 pfctl_nv_add_rule_addr(nvl, "ipdst", &r->ipdst); 856 857 labelcount = 0; 858 while (r->label[labelcount][0] != 0 && 859 labelcount < PF_RULE_MAX_LABEL_COUNT) { 860 nvlist_append_string_array(nvl, "labels", 861 r->label[labelcount]); 862 labelcount++; 863 } 864 nvlist_add_number(nvl, "ridentifier", r->ridentifier); 865 866 nvlist_add_string(nvl, "qname", r->qname); 867 nvlist_add_string(nvl, "tagname", r->tagname); 868 nvlist_add_number(nvl, "dnpipe", r->dnpipe); 869 nvlist_add_number(nvl, "dnflags", r->dnflags); 870 871 nvlist_add_string(nvl, "bridge_to", r->bridge_to); 872 873 nvlist_add_number(nvl, "action", r->action); 874 875 packed = nvlist_pack(nvl, &size); 876 if (packed == NULL) { 877 nvlist_destroy(nvl); 878 return (ENOMEM); 879 } 880 881 nv.len = size; 882 nv.size = size; 883 nv.data = packed; 884 885 if (ioctl(dev, DIOCADDETHRULE, &nv) != 0) 886 error = errno; 887 888 free(packed); 889 nvlist_destroy(nvl); 890 891 return (error); 892 } 893 894 int 895 pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor, 896 const char *anchor_call, uint32_t ticket, uint32_t pool_ticket) 897 { 898 struct pfioc_nv nv; 899 uint64_t timeouts[PFTM_MAX]; 900 uint64_t set_prio[2]; 901 nvlist_t *nvl, *nvlr; 902 size_t labelcount; 903 int ret; 904 905 nvl = nvlist_create(0); 906 nvlr = nvlist_create(0); 907 908 nvlist_add_number(nvl, "ticket", ticket); 909 nvlist_add_number(nvl, "pool_ticket", pool_ticket); 910 nvlist_add_string(nvl, "anchor", anchor); 911 nvlist_add_string(nvl, "anchor_call", anchor_call); 912 913 nvlist_add_number(nvlr, "nr", r->nr); 914 pfctl_nv_add_rule_addr(nvlr, "src", &r->src); 915 pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst); 916 917 labelcount = 0; 918 while (r->label[labelcount][0] != 0 && 919 labelcount < PF_RULE_MAX_LABEL_COUNT) { 920 nvlist_append_string_array(nvlr, "labels", 921 r->label[labelcount]); 922 labelcount++; 923 } 924 nvlist_add_number(nvlr, "ridentifier", r->ridentifier); 925 926 nvlist_add_string(nvlr, "ifname", r->ifname); 927 nvlist_add_string(nvlr, "qname", r->qname); 928 nvlist_add_string(nvlr, "pqname", r->pqname); 929 nvlist_add_string(nvlr, "tagname", r->tagname); 930 nvlist_add_string(nvlr, "match_tagname", r->match_tagname); 931 nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname); 932 933 pfctl_nv_add_pool(nvlr, "rpool", &r->rpool); 934 935 nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint); 936 937 nvlist_add_number(nvlr, "rtableid", r->rtableid); 938 for (int i = 0; i < PFTM_MAX; i++) 939 timeouts[i] = r->timeout[i]; 940 nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX); 941 nvlist_add_number(nvlr, "max_states", r->max_states); 942 nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes); 943 nvlist_add_number(nvlr, "max_src_states", r->max_src_states); 944 nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn); 945 nvlist_add_number(nvlr, "max_src_conn_rate.limit", 946 r->max_src_conn_rate.limit); 947 nvlist_add_number(nvlr, "max_src_conn_rate.seconds", 948 r->max_src_conn_rate.seconds); 949 nvlist_add_number(nvlr, "dnpipe", r->dnpipe); 950 nvlist_add_number(nvlr, "dnrpipe", r->dnrpipe); 951 nvlist_add_number(nvlr, "dnflags", r->free_flags); 952 nvlist_add_number(nvlr, "prob", r->prob); 953 nvlist_add_number(nvlr, "cuid", r->cuid); 954 nvlist_add_number(nvlr, "cpid", r->cpid); 955 956 nvlist_add_number(nvlr, "return_icmp", r->return_icmp); 957 nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6); 958 959 nvlist_add_number(nvlr, "max_mss", r->max_mss); 960 nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags); 961 962 pfctl_nv_add_uid(nvlr, "uid", &r->uid); 963 pfctl_nv_add_uid(nvlr, "gid", (const struct pf_rule_uid *)&r->gid); 964 965 nvlist_add_number(nvlr, "rule_flag", r->rule_flag); 966 nvlist_add_number(nvlr, "action", r->action); 967 nvlist_add_number(nvlr, "direction", r->direction); 968 nvlist_add_number(nvlr, "log", r->log); 969 nvlist_add_number(nvlr, "logif", r->logif); 970 nvlist_add_number(nvlr, "quick", r->quick); 971 nvlist_add_number(nvlr, "ifnot", r->ifnot); 972 nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not); 973 nvlist_add_number(nvlr, "natpass", r->natpass); 974 975 nvlist_add_number(nvlr, "keep_state", r->keep_state); 976 nvlist_add_number(nvlr, "af", r->af); 977 nvlist_add_number(nvlr, "proto", r->proto); 978 nvlist_add_number(nvlr, "type", r->type); 979 nvlist_add_number(nvlr, "code", r->code); 980 nvlist_add_number(nvlr, "flags", r->flags); 981 nvlist_add_number(nvlr, "flagset", r->flagset); 982 nvlist_add_number(nvlr, "min_ttl", r->min_ttl); 983 nvlist_add_number(nvlr, "allow_opts", r->allow_opts); 984 nvlist_add_number(nvlr, "rt", r->rt); 985 nvlist_add_number(nvlr, "return_ttl", r->return_ttl); 986 nvlist_add_number(nvlr, "tos", r->tos); 987 nvlist_add_number(nvlr, "set_tos", r->set_tos); 988 nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative); 989 nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard); 990 991 nvlist_add_number(nvlr, "flush", r->flush); 992 993 nvlist_add_number(nvlr, "prio", r->prio); 994 set_prio[0] = r->set_prio[0]; 995 set_prio[1] = r->set_prio[1]; 996 nvlist_add_number_array(nvlr, "set_prio", set_prio, 2); 997 998 pfctl_nv_add_divert(nvlr, "divert", r); 999 1000 nvlist_add_nvlist(nvl, "rule", nvlr); 1001 nvlist_destroy(nvlr); 1002 1003 /* Now do the call. */ 1004 nv.data = nvlist_pack(nvl, &nv.len); 1005 nv.size = nv.len; 1006 1007 ret = ioctl(dev, DIOCADDRULENV, &nv); 1008 if (ret == -1) 1009 ret = errno; 1010 1011 free(nv.data); 1012 nvlist_destroy(nvl); 1013 1014 return (ret); 1015 } 1016 1017 int 1018 pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, uint32_t ruleset, 1019 const char *path) 1020 { 1021 struct pfioc_rule pr; 1022 int ret; 1023 1024 bzero(&pr, sizeof(pr)); 1025 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor)) 1026 return (E2BIG); 1027 1028 pr.rule.action = ruleset; 1029 ret = ioctl(dev, DIOCGETRULES, &pr); 1030 if (ret != 0) 1031 return (ret); 1032 1033 rules->nr = pr.nr; 1034 rules->ticket = pr.ticket; 1035 1036 return (0); 1037 } 1038 1039 int 1040 pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor, 1041 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call) 1042 { 1043 return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule, 1044 anchor_call, false)); 1045 } 1046 1047 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 1048 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 1049 char *anchor_call, bool clear) 1050 { 1051 nvlist_t *nvl; 1052 int ret; 1053 1054 nvl = nvlist_create(0); 1055 if (nvl == 0) 1056 return (ENOMEM); 1057 1058 nvlist_add_number(nvl, "nr", nr); 1059 nvlist_add_number(nvl, "ticket", ticket); 1060 nvlist_add_string(nvl, "anchor", anchor); 1061 nvlist_add_number(nvl, "ruleset", ruleset); 1062 1063 if (clear) 1064 nvlist_add_bool(nvl, "clear_counter", true); 1065 1066 if ((ret = pfctl_do_ioctl(dev, DIOCGETRULENV, 8192, &nvl)) != 0) 1067 return (ret); 1068 1069 pf_nvrule_to_rule(nvlist_get_nvlist(nvl, "rule"), rule); 1070 1071 if (anchor_call) 1072 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"), 1073 MAXPATHLEN); 1074 1075 nvlist_destroy(nvl); 1076 1077 return (0); 1078 } 1079 1080 int 1081 pfctl_set_keepcounters(int dev, bool keep) 1082 { 1083 struct pfioc_nv nv; 1084 nvlist_t *nvl; 1085 int ret; 1086 1087 nvl = nvlist_create(0); 1088 1089 nvlist_add_bool(nvl, "keep_counters", keep); 1090 1091 nv.data = nvlist_pack(nvl, &nv.len); 1092 nv.size = nv.len; 1093 1094 nvlist_destroy(nvl); 1095 1096 ret = ioctl(dev, DIOCKEEPCOUNTERS, &nv); 1097 1098 free(nv.data); 1099 return (ret); 1100 } 1101 1102 static void 1103 pfctl_nv_add_state_cmp(nvlist_t *nvl, const char *name, 1104 const struct pfctl_state_cmp *cmp) 1105 { 1106 nvlist_t *nv; 1107 1108 nv = nvlist_create(0); 1109 1110 nvlist_add_number(nv, "id", cmp->id); 1111 nvlist_add_number(nv, "creatorid", htonl(cmp->creatorid)); 1112 nvlist_add_number(nv, "direction", cmp->direction); 1113 1114 nvlist_add_nvlist(nvl, name, nv); 1115 nvlist_destroy(nv); 1116 } 1117 1118 static void 1119 pf_state_key_export_to_state_key(struct pfctl_state_key *ps, 1120 const struct pf_state_key_export *s) 1121 { 1122 bcopy(s->addr, ps->addr, sizeof(ps->addr[0]) * 2); 1123 ps->port[0] = s->port[0]; 1124 ps->port[1] = s->port[1]; 1125 } 1126 1127 static void 1128 pf_state_peer_export_to_state_peer(struct pfctl_state_peer *ps, 1129 const struct pf_state_peer_export *s) 1130 { 1131 /* Ignore scrub. */ 1132 ps->seqlo = s->seqlo; 1133 ps->seqhi = s->seqhi; 1134 ps->seqdiff = s->seqdiff; 1135 /* Ignore max_win & mss */ 1136 ps->state = s->state; 1137 ps->wscale = s->wscale; 1138 } 1139 1140 static void 1141 pf_state_export_to_state(struct pfctl_state *ps, const struct pf_state_export *s) 1142 { 1143 assert(s->version >= PF_STATE_VERSION); 1144 1145 ps->id = s->id; 1146 strlcpy(ps->ifname, s->ifname, sizeof(ps->ifname)); 1147 strlcpy(ps->orig_ifname, s->orig_ifname, sizeof(ps->orig_ifname)); 1148 strlcpy(ps->rt_ifname, s->rt_ifname, sizeof(ps->rt_ifname)); 1149 pf_state_key_export_to_state_key(&ps->key[0], &s->key[0]); 1150 pf_state_key_export_to_state_key(&ps->key[1], &s->key[1]); 1151 pf_state_peer_export_to_state_peer(&ps->src, &s->src); 1152 pf_state_peer_export_to_state_peer(&ps->dst, &s->dst); 1153 bcopy(&s->rt_addr, &ps->rt_addr, sizeof(ps->rt_addr)); 1154 ps->rule = ntohl(s->rule); 1155 ps->anchor = ntohl(s->anchor); 1156 ps->nat_rule = ntohl(s->nat_rule); 1157 ps->creation = ntohl(s->creation); 1158 ps->expire = ntohl(s->expire); 1159 ps->packets[0] = s->packets[0]; 1160 ps->packets[1] = s->packets[1]; 1161 ps->bytes[0] = s->bytes[0]; 1162 ps->bytes[1] = s->bytes[1]; 1163 ps->creatorid = ntohl(s->creatorid); 1164 ps->key[0].proto = s->proto; 1165 ps->key[1].proto = s->proto; 1166 ps->key[0].af = s->af; 1167 ps->key[1].af = s->af; 1168 ps->direction = s->direction; 1169 ps->state_flags = ntohs(s->state_flags); 1170 ps->sync_flags = ntohs(s->sync_flags); 1171 ps->qid = ntohs(s->qid); 1172 ps->pqid = ntohs(s->pqid); 1173 ps->dnpipe = ntohs(s->dnpipe); 1174 ps->dnrpipe = ntohs(s->dnrpipe); 1175 ps->rtableid = ntohl(s->rtableid); 1176 ps->min_ttl = s->min_ttl; 1177 ps->set_tos = s->set_tos; 1178 ps->max_mss = ntohs(s->max_mss); 1179 ps->rt = s->rt; 1180 ps->set_prio[0] = s->set_prio[0]; 1181 ps->set_prio[1] = s->set_prio[1]; 1182 } 1183 1184 int 1185 pfctl_get_states(int dev, struct pfctl_states *states) 1186 { 1187 struct pfioc_states_v2 ps; 1188 struct pf_state_export *p; 1189 char *inbuf = NULL, *newinbuf = NULL; 1190 unsigned int len = 0; 1191 int i, error; 1192 1193 bzero(&ps, sizeof(ps)); 1194 ps.ps_req_version = PF_STATE_VERSION; 1195 1196 bzero(states, sizeof(*states)); 1197 TAILQ_INIT(&states->states); 1198 1199 for (;;) { 1200 ps.ps_len = len; 1201 if (len) { 1202 newinbuf = realloc(inbuf, len); 1203 if (newinbuf == NULL) 1204 return (ENOMEM); 1205 ps.ps_buf = inbuf = newinbuf; 1206 } 1207 if ((error = ioctl(dev, DIOCGETSTATESV2, &ps)) < 0) { 1208 free(inbuf); 1209 return (error); 1210 } 1211 if (ps.ps_len + sizeof(struct pfioc_states_v2) < len) 1212 break; 1213 if (len == 0 && ps.ps_len == 0) 1214 goto out; 1215 if (len == 0 && ps.ps_len != 0) 1216 len = ps.ps_len; 1217 if (ps.ps_len == 0) 1218 goto out; /* no states */ 1219 len *= 2; 1220 } 1221 p = ps.ps_states; 1222 1223 for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) { 1224 struct pfctl_state *s = malloc(sizeof(*s)); 1225 if (s == NULL) { 1226 pfctl_free_states(states); 1227 error = ENOMEM; 1228 goto out; 1229 } 1230 1231 pf_state_export_to_state(s, p); 1232 TAILQ_INSERT_TAIL(&states->states, s, entry); 1233 } 1234 1235 out: 1236 free(inbuf); 1237 return (error); 1238 } 1239 1240 void 1241 pfctl_free_states(struct pfctl_states *states) 1242 { 1243 struct pfctl_state *s, *tmp; 1244 1245 TAILQ_FOREACH_SAFE(s, &states->states, entry, tmp) { 1246 free(s); 1247 } 1248 1249 bzero(states, sizeof(*states)); 1250 } 1251 1252 static int 1253 _pfctl_clear_states(int dev, const struct pfctl_kill *kill, 1254 unsigned int *killed, uint64_t ioctlval) 1255 { 1256 nvlist_t *nvl; 1257 int ret; 1258 1259 nvl = nvlist_create(0); 1260 1261 pfctl_nv_add_state_cmp(nvl, "cmp", &kill->cmp); 1262 nvlist_add_number(nvl, "af", kill->af); 1263 nvlist_add_number(nvl, "proto", kill->proto); 1264 pfctl_nv_add_rule_addr(nvl, "src", &kill->src); 1265 pfctl_nv_add_rule_addr(nvl, "dst", &kill->dst); 1266 pfctl_nv_add_rule_addr(nvl, "rt_addr", &kill->rt_addr); 1267 nvlist_add_string(nvl, "ifname", kill->ifname); 1268 nvlist_add_string(nvl, "label", kill->label); 1269 nvlist_add_bool(nvl, "kill_match", kill->kill_match); 1270 1271 if ((ret = pfctl_do_ioctl(dev, ioctlval, 1024, &nvl)) != 0) 1272 return (ret); 1273 1274 if (killed) 1275 *killed = nvlist_get_number(nvl, "killed"); 1276 1277 nvlist_destroy(nvl); 1278 1279 return (ret); 1280 } 1281 1282 int 1283 pfctl_clear_states(int dev, const struct pfctl_kill *kill, 1284 unsigned int *killed) 1285 { 1286 return (_pfctl_clear_states(dev, kill, killed, DIOCCLRSTATESNV)); 1287 } 1288 1289 int 1290 pfctl_kill_states(int dev, const struct pfctl_kill *kill, unsigned int *killed) 1291 { 1292 return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV)); 1293 } 1294 1295 int 1296 pfctl_clear_rules(int dev, const char *anchorname) 1297 { 1298 struct pfioc_trans trans; 1299 struct pfioc_trans_e transe[2]; 1300 int ret; 1301 1302 bzero(&trans, sizeof(trans)); 1303 bzero(&transe, sizeof(transe)); 1304 1305 transe[0].rs_num = PF_RULESET_SCRUB; 1306 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 1307 >= sizeof(transe[0].anchor)) 1308 return (E2BIG); 1309 1310 transe[1].rs_num = PF_RULESET_FILTER; 1311 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 1312 >= sizeof(transe[1].anchor)) 1313 return (E2BIG); 1314 1315 trans.size = 2; 1316 trans.esize = sizeof(transe[0]); 1317 trans.array = transe; 1318 1319 ret = ioctl(dev, DIOCXBEGIN, &trans); 1320 if (ret != 0) 1321 return (ret); 1322 return ioctl(dev, DIOCXCOMMIT, &trans); 1323 } 1324 1325 int 1326 pfctl_clear_nat(int dev, const char *anchorname) 1327 { 1328 struct pfioc_trans trans; 1329 struct pfioc_trans_e transe[3]; 1330 int ret; 1331 1332 bzero(&trans, sizeof(trans)); 1333 bzero(&transe, sizeof(transe)); 1334 1335 transe[0].rs_num = PF_RULESET_NAT; 1336 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor)) 1337 >= sizeof(transe[0].anchor)) 1338 return (E2BIG); 1339 1340 transe[1].rs_num = PF_RULESET_BINAT; 1341 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor)) 1342 >= sizeof(transe[0].anchor)) 1343 return (E2BIG); 1344 1345 transe[2].rs_num = PF_RULESET_RDR; 1346 if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor)) 1347 >= sizeof(transe[2].anchor)) 1348 return (E2BIG); 1349 1350 trans.size = 3; 1351 trans.esize = sizeof(transe[0]); 1352 trans.array = transe; 1353 1354 ret = ioctl(dev, DIOCXBEGIN, &trans); 1355 if (ret != 0) 1356 return (ret); 1357 return ioctl(dev, DIOCXCOMMIT, &trans); 1358 } 1359 int 1360 pfctl_clear_eth_rules(int dev, const char *anchorname) 1361 { 1362 struct pfioc_trans trans; 1363 struct pfioc_trans_e transe; 1364 int ret; 1365 1366 bzero(&trans, sizeof(trans)); 1367 bzero(&transe, sizeof(transe)); 1368 1369 transe.rs_num = PF_RULESET_ETH; 1370 if (strlcpy(transe.anchor, anchorname, sizeof(transe.anchor)) 1371 >= sizeof(transe.anchor)) 1372 return (E2BIG); 1373 1374 trans.size = 1; 1375 trans.esize = sizeof(transe); 1376 trans.array = &transe; 1377 1378 ret = ioctl(dev, DIOCXBEGIN, &trans); 1379 if (ret != 0) 1380 return (ret); 1381 return ioctl(dev, DIOCXCOMMIT, &trans); 1382 } 1383 1384 static int 1385 pfctl_get_limit(int dev, const int index, uint *limit) 1386 { 1387 struct pfioc_limit pl; 1388 1389 bzero(&pl, sizeof(pl)); 1390 pl.index = index; 1391 1392 if (ioctl(dev, DIOCGETLIMIT, &pl) == -1) 1393 return (errno); 1394 1395 *limit = pl.limit; 1396 1397 return (0); 1398 } 1399 1400 int 1401 pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s) 1402 { 1403 struct pfioc_nv nv; 1404 nvlist_t *nvl; 1405 int ret; 1406 uint state_limit; 1407 uint64_t lim, hi, lo; 1408 1409 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 1410 if (ret != 0) 1411 return (ret); 1412 1413 lim = state_limit; 1414 hi = lim * s->highwater / 100; 1415 lo = lim * s->lowwater / 100; 1416 1417 if (lo == hi) 1418 hi++; 1419 1420 nvl = nvlist_create(0); 1421 1422 nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER); 1423 nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE); 1424 nvlist_add_number(nvl, "highwater", hi); 1425 nvlist_add_number(nvl, "lowwater", lo); 1426 1427 nv.data = nvlist_pack(nvl, &nv.len); 1428 nv.size = nv.len; 1429 nvlist_destroy(nvl); 1430 nvl = NULL; 1431 1432 ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv); 1433 1434 free(nv.data); 1435 return (ret); 1436 } 1437 1438 int 1439 pfctl_get_syncookies(int dev, struct pfctl_syncookies *s) 1440 { 1441 nvlist_t *nvl; 1442 int ret; 1443 uint state_limit; 1444 bool enabled, adaptive; 1445 1446 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit); 1447 if (ret != 0) 1448 return (ret); 1449 1450 bzero(s, sizeof(*s)); 1451 1452 nvl = nvlist_create(0); 1453 1454 if ((ret = pfctl_do_ioctl(dev, DIOCGETSYNCOOKIES, 256, &nvl)) != 0) 1455 return (errno); 1456 1457 enabled = nvlist_get_bool(nvl, "enabled"); 1458 adaptive = nvlist_get_bool(nvl, "adaptive"); 1459 1460 if (enabled) { 1461 if (adaptive) 1462 s->mode = PFCTL_SYNCOOKIES_ADAPTIVE; 1463 else 1464 s->mode = PFCTL_SYNCOOKIES_ALWAYS; 1465 } else { 1466 s->mode = PFCTL_SYNCOOKIES_NEVER; 1467 } 1468 1469 s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit; 1470 s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit; 1471 1472 nvlist_destroy(nvl); 1473 1474 return (0); 1475 } 1476 1477 int 1478 pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 1479 *addr, int size, int *nadd, int flags) 1480 { 1481 struct pfioc_table io; 1482 1483 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 1484 return (EINVAL); 1485 } 1486 bzero(&io, sizeof io); 1487 io.pfrio_flags = flags; 1488 io.pfrio_table = *tbl; 1489 io.pfrio_buffer = addr; 1490 io.pfrio_esize = sizeof(*addr); 1491 io.pfrio_size = size; 1492 1493 if (ioctl(dev, DIOCRADDADDRS, &io)) 1494 return (errno); 1495 if (nadd != NULL) 1496 *nadd = io.pfrio_nadd; 1497 return (0); 1498 } 1499 1500 int 1501 pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 1502 *addr, int size, int *ndel, int flags) 1503 { 1504 struct pfioc_table io; 1505 1506 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 1507 return (EINVAL); 1508 } 1509 bzero(&io, sizeof io); 1510 io.pfrio_flags = flags; 1511 io.pfrio_table = *tbl; 1512 io.pfrio_buffer = addr; 1513 io.pfrio_esize = sizeof(*addr); 1514 io.pfrio_size = size; 1515 1516 if (ioctl(dev, DIOCRDELADDRS, &io)) 1517 return (errno); 1518 if (ndel != NULL) 1519 *ndel = io.pfrio_ndel; 1520 return (0); 1521 } 1522 1523 int 1524 pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 1525 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, int flags) 1526 { 1527 struct pfioc_table io; 1528 1529 if (tbl == NULL || size < 0 || (size && addr == NULL)) { 1530 return (EINVAL); 1531 } 1532 bzero(&io, sizeof io); 1533 io.pfrio_flags = flags; 1534 io.pfrio_table = *tbl; 1535 io.pfrio_buffer = addr; 1536 io.pfrio_esize = sizeof(*addr); 1537 io.pfrio_size = size; 1538 io.pfrio_size2 = (size2 != NULL) ? *size2 : 0; 1539 if (ioctl(dev, DIOCRSETADDRS, &io)) 1540 return (-1); 1541 if (nadd != NULL) 1542 *nadd = io.pfrio_nadd; 1543 if (ndel != NULL) 1544 *ndel = io.pfrio_ndel; 1545 if (nchange != NULL) 1546 *nchange = io.pfrio_nchange; 1547 if (size2 != NULL) 1548 *size2 = io.pfrio_size2; 1549 return (0); 1550 } 1551 1552 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr *addr, 1553 int *size, int flags) 1554 { 1555 struct pfioc_table io; 1556 1557 if (tbl == NULL || size == NULL || *size < 0 || 1558 (*size && addr == NULL)) { 1559 return (EINVAL); 1560 } 1561 bzero(&io, sizeof io); 1562 io.pfrio_flags = flags; 1563 io.pfrio_table = *tbl; 1564 io.pfrio_buffer = addr; 1565 io.pfrio_esize = sizeof(*addr); 1566 io.pfrio_size = *size; 1567 if (ioctl(dev, DIOCRGETADDRS, &io)) 1568 return (-1); 1569 *size = io.pfrio_size; 1570 return (0); 1571 } 1572