1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2023 Alexander V. Chernikov <melifaro@FreeBSD.org> 5 * Copyright (c) 2023 Rubicon Communications, LLC (Netgate) 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 */ 29 30 #include <sys/param.h> 31 #include <sys/malloc.h> 32 #include <sys/mbuf.h> 33 #include <sys/socket.h> 34 #include <sys/ucred.h> 35 36 #include <net/pfvar.h> 37 38 #include <netlink/netlink.h> 39 #include <netlink/netlink_ctl.h> 40 #include <netlink/netlink_generic.h> 41 #include <netlink/netlink_message_writer.h> 42 43 #include <netpfil/pf/pf_nl.h> 44 45 #define DEBUG_MOD_NAME nl_pf 46 #define DEBUG_MAX_LEVEL LOG_DEBUG3 47 #include <netlink/netlink_debug.h> 48 _DECLARE_DEBUG(LOG_DEBUG); 49 50 struct nl_parsed_state { 51 uint8_t version; 52 uint32_t id; 53 uint32_t creatorid; 54 char ifname[IFNAMSIZ]; 55 uint16_t proto; 56 sa_family_t af; 57 struct pf_addr addr; 58 struct pf_addr mask; 59 }; 60 61 #define _IN(_field) offsetof(struct genlmsghdr, _field) 62 #define _OUT(_field) offsetof(struct nl_parsed_state, _field) 63 static const struct nlattr_parser nla_p_state[] = { 64 { .type = PF_ST_ID, .off = _OUT(id), .cb = nlattr_get_uint32 }, 65 { .type = PF_ST_CREATORID, .off = _OUT(creatorid), .cb = nlattr_get_uint32 }, 66 { .type = PF_ST_IFNAME, .arg = (const void *)IFNAMSIZ, .off = _OUT(ifname), .cb = nlattr_get_chara }, 67 { .type = PF_ST_AF, .off = _OUT(proto), .cb = nlattr_get_uint8 }, 68 { .type = PF_ST_PROTO, .off = _OUT(proto), .cb = nlattr_get_uint16 }, 69 { .type = PF_ST_FILTER_ADDR, .off = _OUT(addr), .cb = nlattr_get_in6_addr }, 70 { .type = PF_ST_FILTER_MASK, .off = _OUT(mask), .cb = nlattr_get_in6_addr }, 71 }; 72 static const struct nlfield_parser nlf_p_generic[] = { 73 { .off_in = _IN(version), .off_out = _OUT(version), .cb = nlf_get_u8 }, 74 }; 75 #undef _IN 76 #undef _OUT 77 NL_DECLARE_PARSER(state_parser, struct genlmsghdr, nlf_p_generic, nla_p_state); 78 79 static void 80 dump_addr(struct nl_writer *nw, int attr, const struct pf_addr *addr, int af) 81 { 82 switch (af) { 83 case AF_INET: 84 nlattr_add(nw, attr, 4, &addr->v4); 85 break; 86 case AF_INET6: 87 nlattr_add(nw, attr, 16, &addr->v6); 88 break; 89 }; 90 } 91 92 static bool 93 dump_state_peer(struct nl_writer *nw, int attr, const struct pf_state_peer *peer) 94 { 95 int off = nlattr_add_nested(nw, attr); 96 if (off == 0) 97 return (false); 98 99 nlattr_add_u32(nw, PF_STP_SEQLO, peer->seqlo); 100 nlattr_add_u32(nw, PF_STP_SEQHI, peer->seqhi); 101 nlattr_add_u32(nw, PF_STP_SEQDIFF, peer->seqdiff); 102 nlattr_add_u16(nw, PF_STP_MAX_WIN, peer->max_win); 103 nlattr_add_u16(nw, PF_STP_MSS, peer->mss); 104 nlattr_add_u8(nw, PF_STP_STATE, peer->state); 105 nlattr_add_u8(nw, PF_STP_WSCALE, peer->wscale); 106 107 if (peer->scrub != NULL) { 108 struct pf_state_scrub *sc = peer->scrub; 109 uint16_t pfss_flags = sc->pfss_flags & PFSS_TIMESTAMP; 110 111 nlattr_add_u16(nw, PF_STP_PFSS_FLAGS, pfss_flags); 112 nlattr_add_u32(nw, PF_STP_PFSS_TS_MOD, sc->pfss_ts_mod); 113 nlattr_add_u8(nw, PF_STP_PFSS_TTL, sc->pfss_ttl); 114 nlattr_add_u8(nw, PF_STP_SCRUB_FLAG, PFSYNC_SCRUB_FLAG_VALID); 115 } 116 nlattr_set_len(nw, off); 117 118 return (true); 119 } 120 121 static bool 122 dump_state_key(struct nl_writer *nw, int attr, const struct pf_state_key *key) 123 { 124 int off = nlattr_add_nested(nw, attr); 125 if (off == 0) 126 return (false); 127 128 dump_addr(nw, PF_STK_ADDR0, &key->addr[0], key->af); 129 dump_addr(nw, PF_STK_ADDR1, &key->addr[1], key->af); 130 nlattr_add_u16(nw, PF_STK_PORT0, key->port[0]); 131 nlattr_add_u16(nw, PF_STK_PORT1, key->port[1]); 132 133 nlattr_set_len(nw, off); 134 135 return (true); 136 } 137 138 static int 139 dump_state(struct nlpcb *nlp, const struct nlmsghdr *hdr, struct pf_kstate *s, 140 struct nl_pstate *npt) 141 { 142 struct nl_writer *nw = npt->nw; 143 int error = 0; 144 int af; 145 struct pf_state_key *key; 146 147 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr))) 148 goto enomem; 149 150 struct genlmsghdr *ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr); 151 ghdr_new->cmd = PFNL_CMD_GETSTATES; 152 ghdr_new->version = 0; 153 ghdr_new->reserved = 0; 154 155 nlattr_add_u64(nw, PF_ST_VERSION, PF_STATE_VERSION); 156 157 key = s->key[PF_SK_WIRE]; 158 if (!dump_state_key(nw, PF_ST_KEY_WIRE, key)) 159 goto enomem; 160 key = s->key[PF_SK_STACK]; 161 if (!dump_state_key(nw, PF_ST_KEY_STACK, key)) 162 goto enomem; 163 164 af = s->key[PF_SK_WIRE]->af; 165 nlattr_add_u8(nw, PF_ST_PROTO, s->key[PF_SK_WIRE]->proto); 166 nlattr_add_u8(nw, PF_ST_AF, af); 167 168 nlattr_add_string(nw, PF_ST_IFNAME, s->kif->pfik_name); 169 nlattr_add_string(nw, PF_ST_ORIG_IFNAME, s->orig_kif->pfik_name); 170 dump_addr(nw, PF_ST_RT_ADDR, &s->rt_addr, af); 171 nlattr_add_u32(nw, PF_ST_CREATION, time_uptime - s->creation); 172 uint32_t expire = pf_state_expires(s); 173 if (expire > time_uptime) 174 expire = expire - time_uptime; 175 nlattr_add_u32(nw, PF_ST_EXPIRE, expire); 176 nlattr_add_u8(nw, PF_ST_DIRECTION, s->direction); 177 nlattr_add_u8(nw, PF_ST_LOG, s->act.log); 178 nlattr_add_u8(nw, PF_ST_TIMEOUT, s->timeout); 179 nlattr_add_u16(nw, PF_ST_STATE_FLAGS, s->state_flags); 180 uint8_t sync_flags = 0; 181 if (s->src_node) 182 sync_flags |= PFSYNC_FLAG_SRCNODE; 183 if (s->nat_src_node) 184 sync_flags |= PFSYNC_FLAG_NATSRCNODE; 185 nlattr_add_u8(nw, PF_ST_SYNC_FLAGS, sync_flags); 186 nlattr_add_u64(nw, PF_ST_ID, s->id); 187 nlattr_add_u32(nw, PF_ST_CREATORID, htonl(s->creatorid)); 188 189 nlattr_add_u32(nw, PF_ST_RULE, s->rule.ptr ? s->rule.ptr->nr : -1); 190 nlattr_add_u32(nw, PF_ST_ANCHOR, s->anchor.ptr ? s->anchor.ptr->nr : -1); 191 nlattr_add_u32(nw, PF_ST_NAT_RULE, s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1); 192 193 nlattr_add_u64(nw, PF_ST_PACKETS0, s->packets[0]); 194 nlattr_add_u64(nw, PF_ST_PACKETS1, s->packets[1]); 195 nlattr_add_u64(nw, PF_ST_BYTES0, s->bytes[0]); 196 nlattr_add_u64(nw, PF_ST_BYTES1, s->bytes[1]); 197 198 if (!dump_state_peer(nw, PF_ST_PEER_SRC, &s->src)) 199 goto enomem; 200 if (!dump_state_peer(nw, PF_ST_PEER_DST, &s->dst)) 201 goto enomem; 202 203 if (nlmsg_end(nw)) 204 return (0); 205 206 enomem: 207 error = ENOMEM; 208 nlmsg_abort(nw); 209 return (error); 210 } 211 212 static int 213 handle_dumpstates(struct nlpcb *nlp, struct nl_parsed_state *attrs, 214 struct nlmsghdr *hdr, struct nl_pstate *npt) 215 { 216 int error = 0; 217 218 hdr->nlmsg_flags |= NLM_F_MULTI; 219 220 for (int i = 0; i <= pf_hashmask; i++) { 221 struct pf_idhash *ih = &V_pf_idhash[i]; 222 struct pf_kstate *s; 223 224 if (LIST_EMPTY(&ih->states)) 225 continue; 226 227 PF_HASHROW_LOCK(ih); 228 LIST_FOREACH(s, &ih->states, entry) { 229 sa_family_t af = s->key[PF_SK_WIRE]->af; 230 231 if (s->timeout == PFTM_UNLINKED) 232 continue; 233 234 /* Filter */ 235 if (attrs->creatorid != 0 && s->creatorid != attrs->creatorid) 236 continue; 237 if (attrs->ifname[0] != 0 && 238 strncmp(attrs->ifname, s->kif->pfik_name, IFNAMSIZ) != 0) 239 continue; 240 if (attrs->proto != 0 && s->key[PF_SK_WIRE]->proto != attrs->proto) 241 continue; 242 if (attrs->af != 0 && af != attrs->af) 243 continue; 244 if (pf_match_addr(1, &s->key[PF_SK_WIRE]->addr[0], 245 &attrs->mask, &attrs->addr, af) && 246 pf_match_addr(1, &s->key[PF_SK_WIRE]->addr[1], 247 &attrs->mask, &attrs->addr, af) && 248 pf_match_addr(1, &s->key[PF_SK_STACK]->addr[0], 249 &attrs->mask, &attrs->addr, af) && 250 pf_match_addr(1, &s->key[PF_SK_STACK]->addr[1], 251 &attrs->mask, &attrs->addr, af)) 252 continue; 253 254 error = dump_state(nlp, hdr, s, npt); 255 if (error != 0) 256 break; 257 } 258 PF_HASHROW_UNLOCK(ih); 259 } 260 261 if (!nlmsg_end_dump(npt->nw, error, hdr)) { 262 NL_LOG(LOG_DEBUG, "Unable to finalize the dump"); 263 return (ENOMEM); 264 } 265 266 return (error); 267 } 268 269 static int 270 handle_getstate(struct nlpcb *nlp, struct nl_parsed_state *attrs, 271 struct nlmsghdr *hdr, struct nl_pstate *npt) 272 { 273 struct pf_kstate *s = pf_find_state_byid(attrs->id, attrs->creatorid); 274 if (s == NULL) 275 return (ENOENT); 276 return (dump_state(nlp, hdr, s, npt)); 277 } 278 279 static int 280 dump_creatorid(struct nlpcb *nlp, const struct nlmsghdr *hdr, uint32_t creator, 281 struct nl_pstate *npt) 282 { 283 struct nl_writer *nw = npt->nw; 284 285 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr))) 286 goto enomem; 287 288 struct genlmsghdr *ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr); 289 ghdr_new->cmd = PFNL_CMD_GETCREATORS; 290 ghdr_new->version = 0; 291 ghdr_new->reserved = 0; 292 293 nlattr_add_u32(nw, PF_ST_CREATORID, htonl(creator)); 294 295 if (nlmsg_end(nw)) 296 return (0); 297 298 enomem: 299 nlmsg_abort(nw); 300 return (ENOMEM); 301 } 302 303 static int 304 pf_handle_getstates(struct nlmsghdr *hdr, struct nl_pstate *npt) 305 { 306 int error; 307 308 struct nl_parsed_state attrs = {}; 309 error = nl_parse_nlmsg(hdr, &state_parser, npt, &attrs); 310 if (error != 0) 311 return (error); 312 313 if (attrs.id != 0) 314 error = handle_getstate(npt->nlp, &attrs, hdr, npt); 315 else 316 error = handle_dumpstates(npt->nlp, &attrs, hdr, npt); 317 318 return (error); 319 } 320 321 static int 322 pf_handle_getcreators(struct nlmsghdr *hdr, struct nl_pstate *npt) 323 { 324 uint32_t creators[16]; 325 int error = 0; 326 327 bzero(creators, sizeof(creators)); 328 329 for (int i = 0; i < pf_hashmask; i++) { 330 struct pf_idhash *ih = &V_pf_idhash[i]; 331 struct pf_kstate *s; 332 333 if (LIST_EMPTY(&ih->states)) 334 continue; 335 336 PF_HASHROW_LOCK(ih); 337 LIST_FOREACH(s, &ih->states, entry) { 338 int j; 339 if (s->timeout == PFTM_UNLINKED) 340 continue; 341 342 for (j = 0; j < nitems(creators); j++) { 343 if (creators[j] == s->creatorid) 344 break; 345 if (creators[j] == 0) { 346 creators[j] = s->creatorid; 347 break; 348 } 349 } 350 if (j == nitems(creators)) 351 printf("Warning: too many creators!\n"); 352 } 353 PF_HASHROW_UNLOCK(ih); 354 } 355 356 hdr->nlmsg_flags |= NLM_F_MULTI; 357 for (int i = 0; i < nitems(creators); i++) { 358 if (creators[i] == 0) 359 break; 360 error = dump_creatorid(npt->nlp, hdr, creators[i], npt); 361 } 362 363 if (!nlmsg_end_dump(npt->nw, error, hdr)) { 364 NL_LOG(LOG_DEBUG, "Unable to finalize the dump"); 365 return (ENOMEM); 366 } 367 368 return (error); 369 } 370 371 static int 372 pf_handle_start(struct nlmsghdr *hdr __unused, struct nl_pstate *npt __unused) 373 { 374 return (pf_start()); 375 } 376 377 static int 378 pf_handle_stop(struct nlmsghdr *hdr __unused, struct nl_pstate *npt __unused) 379 { 380 return (pf_stop()); 381 } 382 383 #define _OUT(_field) offsetof(struct pf_addr_wrap, _field) 384 static const struct nlattr_parser nla_p_addr_wrap[] = { 385 { .type = PF_AT_ADDR, .off = _OUT(v.a.addr), .cb = nlattr_get_in6_addr }, 386 { .type = PF_AT_MASK, .off = _OUT(v.a.mask), .cb = nlattr_get_in6_addr }, 387 { .type = PF_AT_IFNAME, .off = _OUT(v.ifname), .arg = (void *)IFNAMSIZ,.cb = nlattr_get_chara }, 388 { .type = PF_AT_TABLENAME, .off = _OUT(v.tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara }, 389 { .type = PF_AT_TYPE, .off = _OUT(type), .cb = nlattr_get_uint8 }, 390 { .type = PF_AT_IFLAGS, .off = _OUT(iflags), .cb = nlattr_get_uint8 }, 391 }; 392 NL_DECLARE_ATTR_PARSER(addr_wrap_parser, nla_p_addr_wrap); 393 #undef _OUT 394 395 #define _OUT(_field) offsetof(struct pf_rule_addr, _field) 396 static const struct nlattr_parser nla_p_ruleaddr[] = { 397 { .type = PF_RAT_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = nlattr_get_nested }, 398 { .type = PF_RAT_SRC_PORT, .off = _OUT(port[0]), .cb = nlattr_get_uint16 }, 399 { .type = PF_RAT_DST_PORT, .off = _OUT(port[1]), .cb = nlattr_get_uint16 }, 400 { .type = PF_RAT_NEG, .off = _OUT(neg), .cb = nlattr_get_uint8 }, 401 { .type = PF_RAT_OP, .off = _OUT(port_op), .cb = nlattr_get_uint8 }, 402 }; 403 NL_DECLARE_ATTR_PARSER(rule_addr_parser, nla_p_ruleaddr); 404 #undef _OUT 405 406 #define _OUT(_field) offsetof(struct pf_mape_portset, _field) 407 static const struct nlattr_parser nla_p_mape_portset[] = { 408 { .type = PF_MET_OFFSET, .off = _OUT(offset), .cb = nlattr_get_uint8 }, 409 { .type = PF_MET_PSID_LEN, .off = _OUT(psidlen), .cb = nlattr_get_uint8 }, 410 {. type = PF_MET_PSID, .off = _OUT(psid), .cb = nlattr_get_uint16 }, 411 }; 412 NL_DECLARE_ATTR_PARSER(mape_portset_parser, nla_p_mape_portset); 413 #undef _OUT 414 415 struct nl_parsed_labels 416 { 417 char labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 418 uint32_t i; 419 }; 420 421 static int 422 nlattr_get_pf_rule_labels(struct nlattr *nla, struct nl_pstate *npt, 423 const void *arg, void *target) 424 { 425 struct nl_parsed_labels *l = (struct nl_parsed_labels *)target; 426 int ret; 427 428 if (l->i >= PF_RULE_MAX_LABEL_COUNT) 429 return (E2BIG); 430 431 ret = nlattr_get_chara(nla, npt, (void *)PF_RULE_LABEL_SIZE, 432 l->labels[l->i]); 433 if (ret == 0) 434 l->i++; 435 436 return (ret); 437 } 438 439 #define _OUT(_field) offsetof(struct nl_parsed_labels, _field) 440 static const struct nlattr_parser nla_p_labels[] = { 441 { .type = PF_LT_LABEL, .off = 0, .cb = nlattr_get_pf_rule_labels }, 442 }; 443 NL_DECLARE_ATTR_PARSER(rule_labels_parser, nla_p_labels); 444 #undef _OUT 445 446 static int 447 nlattr_get_nested_pf_rule_labels(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target) 448 { 449 struct nl_parsed_labels parsed_labels = { }; 450 int error; 451 452 /* Assumes target points to the beginning of the structure */ 453 error = nl_parse_header(NLA_DATA(nla), NLA_DATA_LEN(nla), &rule_labels_parser, npt, &parsed_labels); 454 if (error != 0) 455 return (error); 456 457 memcpy(target, parsed_labels.labels, sizeof(parsed_labels)); 458 459 return (0); 460 } 461 462 #define _OUT(_field) offsetof(struct pf_kpool, _field) 463 static const struct nlattr_parser nla_p_pool[] = { 464 { .type = PF_PT_KEY, .off = _OUT(key), .arg = (void *)sizeof(struct pf_poolhashkey), .cb = nlattr_get_bytes }, 465 { .type = PF_PT_COUNTER, .off = _OUT(counter), .cb = nlattr_get_in6_addr }, 466 { .type = PF_PT_TBLIDX, .off = _OUT(tblidx), .cb = nlattr_get_uint32 }, 467 { .type = PF_PT_PROXY_SRC_PORT, .off = _OUT(proxy_port[0]), .cb = nlattr_get_uint16 }, 468 { .type = PF_PT_PROXY_DST_PORT, .off = _OUT(proxy_port[1]), .cb = nlattr_get_uint16 }, 469 { .type = PF_PT_OPTS, .off = _OUT(opts), .cb = nlattr_get_uint8 }, 470 { .type = PF_PT_MAPE, .off = _OUT(mape), .arg = &mape_portset_parser, .cb = nlattr_get_nested }, 471 }; 472 NL_DECLARE_ATTR_PARSER(pool_parser, nla_p_pool); 473 #undef _OUT 474 475 #define _OUT(_field) offsetof(struct pf_rule_uid, _field) 476 static const struct nlattr_parser nla_p_rule_uid[] = { 477 { .type = PF_RUT_UID_LOW, .off = _OUT(uid[0]), .cb = nlattr_get_uint32 }, 478 { .type = PF_RUT_UID_HIGH, .off = _OUT(uid[1]), .cb = nlattr_get_uint32 }, 479 { .type = PF_RUT_OP, .off = _OUT(op), .cb = nlattr_get_uint8 }, 480 }; 481 NL_DECLARE_ATTR_PARSER(rule_uid_parser, nla_p_rule_uid); 482 #undef _OUT 483 484 struct nl_parsed_timeouts 485 { 486 uint32_t timeouts[PFTM_MAX]; 487 uint32_t i; 488 }; 489 490 static int 491 nlattr_get_pf_timeout(struct nlattr *nla, struct nl_pstate *npt, 492 const void *arg, void *target) 493 { 494 struct nl_parsed_timeouts *t = (struct nl_parsed_timeouts *)target; 495 int ret; 496 497 if (t->i >= PFTM_MAX) 498 return (E2BIG); 499 500 ret = nlattr_get_uint32(nla, npt, NULL, &t->timeouts[t->i]); 501 if (ret == 0) 502 t->i++; 503 504 return (ret); 505 } 506 507 #define _OUT(_field) offsetof(struct nl_parsed_timeout, _field) 508 static const struct nlattr_parser nla_p_timeouts[] = { 509 { .type = PF_TT_TIMEOUT, .off = 0, .cb = nlattr_get_pf_timeout }, 510 }; 511 NL_DECLARE_ATTR_PARSER(timeout_parser, nla_p_timeouts); 512 #undef _OUT 513 514 static int 515 nlattr_get_nested_timeouts(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target) 516 { 517 struct nl_parsed_timeouts parsed_timeouts = { }; 518 int error; 519 520 /* Assumes target points to the beginning of the structure */ 521 error = nl_parse_header(NLA_DATA(nla), NLA_DATA_LEN(nla), &timeout_parser, npt, &parsed_timeouts); 522 if (error != 0) 523 return (error); 524 525 memcpy(target, parsed_timeouts.timeouts, sizeof(parsed_timeouts.timeouts)); 526 527 return (0); 528 } 529 530 #define _OUT(_field) offsetof(struct pf_krule, _field) 531 static const struct nlattr_parser nla_p_rule[] = { 532 { .type = PF_RT_SRC, .off = _OUT(src), .arg = &rule_addr_parser,.cb = nlattr_get_nested }, 533 { .type = PF_RT_DST, .off = _OUT(dst), .arg = &rule_addr_parser,.cb = nlattr_get_nested }, 534 { .type = PF_RT_RIDENTIFIER, .off = _OUT(ridentifier), .cb = nlattr_get_uint32 }, 535 { .type = PF_RT_LABELS, .off = _OUT(label), .arg = &rule_labels_parser,.cb = nlattr_get_nested_pf_rule_labels }, 536 { .type = PF_RT_IFNAME, .off = _OUT(ifname), .arg = (void *)IFNAMSIZ, .cb = nlattr_get_chara }, 537 { .type = PF_RT_QNAME, .off = _OUT(qname), .arg = (void *)PF_QNAME_SIZE, .cb = nlattr_get_chara }, 538 { .type = PF_RT_PQNAME, .off = _OUT(pqname), .arg = (void *)PF_QNAME_SIZE, .cb = nlattr_get_chara }, 539 { .type = PF_RT_TAGNAME, .off = _OUT(tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara }, 540 { .type = PF_RT_MATCH_TAGNAME, .off = _OUT(match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara }, 541 { .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara }, 542 { .type = PF_RT_RPOOL, .off = _OUT(rpool), .arg = &pool_parser, .cb = nlattr_get_nested }, 543 { .type = PF_RT_OS_FINGERPRINT, .off = _OUT(os_fingerprint), .cb = nlattr_get_uint32 }, 544 { .type = PF_RT_RTABLEID, .off = _OUT(rtableid), .cb = nlattr_get_uint32 }, 545 { .type = PF_RT_TIMEOUT, .off = _OUT(timeout), .arg = &timeout_parser, .cb = nlattr_get_nested_timeouts }, 546 { .type = PF_RT_MAX_STATES, .off = _OUT(max_states), .cb = nlattr_get_uint32 }, 547 { .type = PF_RT_MAX_SRC_NODES, .off = _OUT(max_src_nodes), .cb = nlattr_get_uint32 }, 548 { .type = PF_RT_MAX_SRC_STATES, .off = _OUT(max_src_states), .cb = nlattr_get_uint32 }, 549 { .type = PF_RT_MAX_SRC_CONN_RATE_LIMIT, .off = _OUT(max_src_conn_rate.limit), .cb = nlattr_get_uint32 }, 550 { .type = PF_RT_MAX_SRC_CONN_RATE_SECS, .off = _OUT(max_src_conn_rate.seconds), .cb = nlattr_get_uint32 }, 551 { .type = PF_RT_DNPIPE, .off = _OUT(dnpipe), .cb = nlattr_get_uint16 }, 552 { .type = PF_RT_DNRPIPE, .off = _OUT(dnrpipe), .cb = nlattr_get_uint16 }, 553 { .type = PF_RT_DNFLAGS, .off = _OUT(free_flags), .cb = nlattr_get_uint32 }, 554 { .type = PF_RT_NR, .off = _OUT(nr), .cb = nlattr_get_uint32 }, 555 { .type = PF_RT_PROB, .off = _OUT(prob), .cb = nlattr_get_uint32 }, 556 { .type = PF_RT_CUID, .off = _OUT(cuid), .cb = nlattr_get_uint32 }, 557 {. type = PF_RT_CPID, .off = _OUT(cpid), .cb = nlattr_get_uint32 }, 558 { .type = PF_RT_RETURN_ICMP, .off = _OUT(return_icmp), .cb = nlattr_get_uint16 }, 559 { .type = PF_RT_RETURN_ICMP6, .off = _OUT(return_icmp6), .cb = nlattr_get_uint16 }, 560 { .type = PF_RT_MAX_MSS, .off = _OUT(max_mss), .cb = nlattr_get_uint16 }, 561 { .type = PF_RT_SCRUB_FLAGS, .off = _OUT(scrub_flags), .cb = nlattr_get_uint16 }, 562 { .type = PF_RT_UID, .off = _OUT(uid), .arg = &rule_uid_parser, .cb = nlattr_get_nested }, 563 { .type = PF_RT_GID, .off = _OUT(gid), .arg = &rule_uid_parser, .cb = nlattr_get_nested }, 564 { .type = PF_RT_RULE_FLAG, .off = _OUT(rule_flag), .cb = nlattr_get_uint32 }, 565 { .type = PF_RT_ACTION, .off = _OUT(action), .cb = nlattr_get_uint8 }, 566 { .type = PF_RT_DIRECTION, .off = _OUT(direction), .cb = nlattr_get_uint8 }, 567 { .type = PF_RT_LOG, .off = _OUT(log), .cb = nlattr_get_uint8 }, 568 { .type = PF_RT_LOGIF, .off = _OUT(logif), .cb = nlattr_get_uint8 }, 569 { .type = PF_RT_QUICK, .off = _OUT(quick), .cb = nlattr_get_uint8 }, 570 { .type = PF_RT_IF_NOT, .off = _OUT(ifnot), .cb = nlattr_get_uint8 }, 571 { .type = PF_RT_MATCH_TAG_NOT, .off = _OUT(match_tag_not), .cb = nlattr_get_uint8 }, 572 { .type = PF_RT_NATPASS, .off = _OUT(natpass), .cb = nlattr_get_uint8 }, 573 { .type = PF_RT_KEEP_STATE, .off = _OUT(keep_state), .cb = nlattr_get_uint8 }, 574 { .type = PF_RT_AF, .off = _OUT(af), .cb = nlattr_get_uint8 }, 575 { .type = PF_RT_PROTO, .off = _OUT(proto), .cb = nlattr_get_uint8 }, 576 { .type = PF_RT_TYPE, .off = _OUT(type), .cb = nlattr_get_uint8 }, 577 { .type = PF_RT_CODE, .off = _OUT(code), .cb = nlattr_get_uint8 }, 578 { .type = PF_RT_FLAGS, .off = _OUT(flags), .cb = nlattr_get_uint8 }, 579 { .type = PF_RT_FLAGSET, .off = _OUT(flagset), .cb = nlattr_get_uint8 }, 580 { .type = PF_RT_MIN_TTL, .off = _OUT(min_ttl), .cb = nlattr_get_uint8 }, 581 { .type = PF_RT_ALLOW_OPTS, .off = _OUT(allow_opts), .cb = nlattr_get_uint8 }, 582 { .type = PF_RT_RT, .off = _OUT(rt), .cb = nlattr_get_uint8 }, 583 { .type = PF_RT_RETURN_TTL, .off = _OUT(return_ttl), .cb = nlattr_get_uint8 }, 584 { .type = PF_RT_TOS, .off = _OUT(tos), .cb = nlattr_get_uint8 }, 585 { .type = PF_RT_SET_TOS, .off = _OUT(set_tos), .cb = nlattr_get_uint8 }, 586 { .type = PF_RT_ANCHOR_RELATIVE, .off = _OUT(anchor_relative), .cb = nlattr_get_uint8 }, 587 { .type = PF_RT_ANCHOR_WILDCARD, .off = _OUT(anchor_wildcard), .cb = nlattr_get_uint8 }, 588 { .type = PF_RT_FLUSH, .off = _OUT(flush), .cb = nlattr_get_uint8 }, 589 { .type = PF_RT_PRIO, .off = _OUT(prio), .cb = nlattr_get_uint8 }, 590 { .type = PF_RT_SET_PRIO, .off = _OUT(set_prio[0]), .cb = nlattr_get_uint8 }, 591 { .type = PF_RT_SET_PRIO_REPLY, .off = _OUT(set_prio[1]), .cb = nlattr_get_uint8 }, 592 { .type = PF_RT_DIVERT_ADDRESS, .off = _OUT(divert.addr), .cb = nlattr_get_in6_addr }, 593 { .type = PF_RT_DIVERT_PORT, .off = _OUT(divert.port), .cb = nlattr_get_uint16 }, 594 }; 595 NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule); 596 #undef _OUT 597 struct nl_parsed_addrule { 598 struct pf_krule *rule; 599 uint32_t ticket; 600 uint32_t pool_ticket; 601 char *anchor; 602 char *anchor_call; 603 }; 604 #define _IN(_field) offsetof(struct genlmsghdr, _field) 605 #define _OUT(_field) offsetof(struct nl_parsed_addrule, _field) 606 static const struct nlattr_parser nla_p_addrule[] = { 607 { .type = PF_ART_TICKET, .off = _OUT(ticket), .cb = nlattr_get_uint32 }, 608 { .type = PF_ART_POOL_TICKET, .off = _OUT(pool_ticket), .cb = nlattr_get_uint32 }, 609 { .type = PF_ART_ANCHOR, .off = _OUT(anchor), .cb = nlattr_get_string }, 610 { .type = PF_ART_ANCHOR_CALL, .off = _OUT(anchor_call), .cb = nlattr_get_string }, 611 { .type = PF_ART_RULE, .off = _OUT(rule), .arg = &rule_parser, .cb = nlattr_get_nested_ptr } 612 }; 613 static const struct nlfield_parser nlf_p_addrule[] = { 614 }; 615 #undef _IN 616 #undef _OUT 617 NL_DECLARE_PARSER(addrule_parser, struct genlmsghdr, nlf_p_addrule, nla_p_addrule); 618 619 static int 620 pf_handle_addrule(struct nlmsghdr *hdr, struct nl_pstate *npt) 621 { 622 int error; 623 struct nl_parsed_addrule attrs = {}; 624 625 attrs.rule = pf_krule_alloc(); 626 627 error = nl_parse_nlmsg(hdr, &addrule_parser, npt, &attrs); 628 if (error != 0) 629 return (error); 630 631 error = pf_ioctl_addrule(attrs.rule, attrs.ticket, attrs.pool_ticket, 632 attrs.anchor, attrs.anchor_call, nlp_get_cred(npt->nlp)->cr_uid, 633 hdr->nlmsg_pid); 634 635 return (error); 636 } 637 638 struct nl_parsed_getrules { 639 char *anchor; 640 uint8_t action; 641 }; 642 #define _IN(_field) offsetof(struct genlmsghdr, _field) 643 #define _OUT(_field) offsetof(struct pfioc_rule, _field) 644 static const struct nlattr_parser nla_p_getrules[] = { 645 { .type = PF_GR_ANCHOR, .off = _OUT(anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara }, 646 { .type = PF_GR_ACTION, .off = _OUT(rule.action), .cb = nlattr_get_uint8 }, 647 }; 648 static const struct nlfield_parser nlf_p_getrules[] = { 649 }; 650 NL_DECLARE_PARSER(getrules_parser, struct genlmsghdr, nlf_p_getrules, nla_p_getrules); 651 652 static int 653 pf_handle_getrules(struct nlmsghdr *hdr, struct nl_pstate *npt) 654 { 655 struct pfioc_rule attrs = {}; 656 int error; 657 struct nl_writer *nw = npt->nw; 658 struct genlmsghdr *ghdr_new; 659 660 error = nl_parse_nlmsg(hdr, &getrules_parser, npt, &attrs); 661 if (error != 0) 662 return (error); 663 664 if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr))) 665 return (ENOMEM); 666 667 ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr); 668 ghdr_new->cmd = PFNL_CMD_GETRULES; 669 ghdr_new->version = 0; 670 ghdr_new->reserved = 0; 671 672 error = pf_ioctl_getrules(&attrs); 673 if (error != 0) 674 goto out; 675 676 nlattr_add_u32(nw, PF_GR_NR, attrs.nr); 677 nlattr_add_u32(nw, PF_GR_TICKET, attrs.ticket); 678 679 if (!nlmsg_end(nw)) { 680 error = ENOMEM; 681 goto out; 682 } 683 684 return (0); 685 686 out: 687 nlmsg_abort(nw); 688 return (error); 689 } 690 691 static const struct nlhdr_parser *all_parsers[] = { 692 &state_parser, 693 &addrule_parser, 694 &getrules_parser 695 }; 696 697 static int family_id; 698 699 static const struct genl_cmd pf_cmds[] = { 700 { 701 .cmd_num = PFNL_CMD_GETSTATES, 702 .cmd_name = "GETSTATES", 703 .cmd_cb = pf_handle_getstates, 704 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, 705 }, 706 { 707 .cmd_num = PFNL_CMD_GETCREATORS, 708 .cmd_name = "GETCREATORS", 709 .cmd_cb = pf_handle_getcreators, 710 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, 711 }, 712 { 713 .cmd_num = PFNL_CMD_START, 714 .cmd_name = "START", 715 .cmd_cb = pf_handle_start, 716 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, 717 }, 718 { 719 .cmd_num = PFNL_CMD_STOP, 720 .cmd_name = "STOP", 721 .cmd_cb = pf_handle_stop, 722 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, 723 }, 724 { 725 .cmd_num = PFNL_CMD_ADDRULE, 726 .cmd_name = "ADDRULE", 727 .cmd_cb = pf_handle_addrule, 728 .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, 729 }, 730 { 731 .cmd_num = PFNL_CMD_GETRULES, 732 .cmd_name = "GETRULES", 733 .cmd_cb = pf_handle_getrules, 734 .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, 735 }, 736 }; 737 738 void 739 pf_nl_register(void) 740 { 741 NL_VERIFY_PARSERS(all_parsers); 742 743 family_id = genl_register_family(PFNL_FAMILY_NAME, 0, 2, PFNL_CMD_MAX); 744 genl_register_cmds(PFNL_FAMILY_NAME, pf_cmds, NL_ARRAY_LEN(pf_cmds)); 745 } 746 747 void 748 pf_nl_unregister(void) 749 { 750 genl_unregister_family(PFNL_FAMILY_NAME); 751 } 752