xref: /freebsd/sbin/pfilctl/pfilctl.c (revision e2eeea75eb8b6dd50c1298067a0655880d186734)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2019 Gleb Smirnoff <glebius@FreeBSD.org>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/param.h>
32 #include <sys/ioctl.h>
33 #include <net/if.h>
34 #include <net/pfil.h>
35 
36 #include <err.h>
37 #include <fcntl.h>
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <unistd.h>
42 
43 static int dev;
44 
45 static const char * const typenames[] = {
46 	[PFIL_TYPE_IP4] = "IPv4",
47 	[PFIL_TYPE_IP6] = "IPv6",
48 	[PFIL_TYPE_ETHERNET] = "Ethernet",
49 };
50 
51 static void listheads(int argc, char *argv[]);
52 static void listhooks(int argc, char *argv[]);
53 static void hook(int argc, char *argv[]);
54 static void help(void);
55 
56 static const struct cmd {
57 	const char	*cmd_name;
58 	void		(*cmd_func)(int argc, char *argv[]);
59 } cmds[] = {
60 	{ "heads",	listheads },
61 	{ "hooks",	listhooks },
62 	{ "link",	hook },
63 	{ "unlink",	hook },
64 	{ NULL,		NULL },
65 };
66 
67 int
68 main(int argc __unused, char *argv[] __unused)
69 {
70 	int cmd = -1;
71 
72 	if (--argc == 0)
73 		help();
74 	argv++;
75 
76 	for (int i = 0; cmds[i].cmd_name != NULL; i++)
77 		if (!strncmp(argv[0], cmds[i].cmd_name, strlen(argv[0]))) {
78 			if (cmd != -1)
79 				errx(1, "ambiguous command: %s", argv[0]);
80 			cmd = i;
81 		}
82 	if (cmd == -1)
83 		errx(1, "unknown command: %s", argv[0]);
84 
85 	dev = open("/dev/" PFILDEV, O_RDWR);
86 	if (dev == -1)
87 		err(1, "open(%s)", "/dev/" PFILDEV);
88 
89 	(*cmds[cmd].cmd_func)(argc, argv);
90 
91 	return (0);
92 }
93 
94 static void
95 help(void)
96 {
97 
98 	fprintf(stderr, "usage: %s (heads|hooks|link|unlink)\n", getprogname());
99 	exit(0);
100 }
101 
102 static void
103 listheads(int argc __unused, char *argv[] __unused)
104 {
105 	struct pfilioc_list plh;
106 	u_int nheads, nhooks, i;
107 	int j, h;
108 
109 	plh.pio_nheads = 0;
110 	plh.pio_nhooks = 0;
111 	if (ioctl(dev, PFILIOC_LISTHEADS, &plh) != 0)
112 		err(1, "ioctl(PFILIOC_LISTHEADS)");
113 
114 retry:
115 	plh.pio_heads = calloc(plh.pio_nheads, sizeof(struct pfilioc_head));
116 	if (plh.pio_heads == NULL)
117 		err(1, "malloc");
118 	plh.pio_hooks = calloc(plh.pio_nhooks, sizeof(struct pfilioc_hook));
119 	if (plh.pio_hooks == NULL)
120 		err(1, "malloc");
121 
122 	nheads = plh.pio_nheads;
123 	nhooks = plh.pio_nhooks;
124 
125 	if (ioctl(dev, PFILIOC_LISTHEADS, &plh) != 0)
126 		err(1, "ioctl(PFILIOC_LISTHEADS)");
127 
128 	if (plh.pio_nheads > nheads || plh.pio_nhooks > nhooks) {
129 		free(plh.pio_heads);
130 		free(plh.pio_hooks);
131 		goto retry;
132 	}
133 
134 #define	FMTHD	"%16s %8s\n"
135 #define	FMTHK	"%29s %16s %16s\n"
136 	printf(FMTHD, "Intercept point", "Type");
137 	for (i = 0, h = 0; i < plh.pio_nheads; i++) {
138 		printf(FMTHD, plh.pio_heads[i].pio_name,
139 		    typenames[plh.pio_heads[i].pio_type]);
140 		for (j = 0; j < plh.pio_heads[i].pio_nhooksin; j++, h++)
141 			printf(FMTHK, "In", plh.pio_hooks[h].pio_module,
142 			    plh.pio_hooks[h].pio_ruleset);
143 		for (j = 0; j < plh.pio_heads[i].pio_nhooksout; j++, h++)
144 			printf(FMTHK, "Out", plh.pio_hooks[h].pio_module,
145 			    plh.pio_hooks[h].pio_ruleset);
146 	}
147 }
148 
149 static void
150 listhooks(int argc __unused, char *argv[] __unused)
151 {
152 	struct pfilioc_list plh;
153 	u_int nhooks, i;
154 
155 	plh.pio_nhooks = 0;
156 	if (ioctl(dev, PFILIOC_LISTHEADS, &plh) != 0)
157 		err(1, "ioctl(PFILIOC_LISTHEADS)");
158 retry:
159 	plh.pio_hooks = calloc(plh.pio_nhooks, sizeof(struct pfilioc_hook));
160 	if (plh.pio_hooks == NULL)
161 		err(1, "malloc");
162 
163 	nhooks = plh.pio_nhooks;
164 
165 	if (ioctl(dev, PFILIOC_LISTHOOKS, &plh) != 0)
166 		err(1, "ioctl(PFILIOC_LISTHOOKS)");
167 
168 	if (plh.pio_nhooks > nhooks) {
169 		free(plh.pio_hooks);
170 		goto retry;
171 	}
172 
173 	printf("Available hooks:\n");
174 	for (i = 0; i < plh.pio_nhooks; i++) {
175 		printf("\t%s:%s %s\n", plh.pio_hooks[i].pio_module,
176 		    plh.pio_hooks[i].pio_ruleset,
177 		    typenames[plh.pio_hooks[i].pio_type]);
178 	}
179 }
180 
181 static void
182 hook(int argc, char *argv[])
183 {
184 	struct pfilioc_link req;
185 	int c;
186 	char *ruleset;
187 
188 	if (argv[0][0] == 'u')
189 		req.pio_flags = PFIL_UNLINK;
190 	else
191 		req.pio_flags = 0;
192 
193 	while ((c = getopt(argc, argv, "ioa")) != -1)
194 		switch (c) {
195 		case 'i':
196 			req.pio_flags |= PFIL_IN;
197 			break;
198 		case 'o':
199 			req.pio_flags |= PFIL_OUT;
200 			break;
201 		case 'a':
202 			req.pio_flags |= PFIL_APPEND;
203 			break;
204 		default:
205 			help();
206 		}
207 
208 	if (!PFIL_DIR(req.pio_flags))
209 		help();
210 
211 	argc -= optind;
212 	argv += optind;
213 
214 	if (argc != 2)
215 		help();
216 
217 	/* link mod:ruleset head */
218 	if ((ruleset = strchr(argv[0], ':')) == NULL)
219 		help();
220 	*ruleset = '\0';
221 	ruleset++;
222 
223 	strlcpy(req.pio_name, argv[1], sizeof(req.pio_name));
224 	strlcpy(req.pio_module, argv[0], sizeof(req.pio_module));
225 	strlcpy(req.pio_ruleset, ruleset, sizeof(req.pio_ruleset));
226 
227 	if (ioctl(dev, PFILIOC_LINK, &req) != 0)
228 		err(1, "ioctl(PFILIOC_LINK)");
229 }
230