xref: /freebsd/sys/netpfil/pf/pf_nl.c (revision fe75646a0234a261c0013bf1840fdac4acaf0cec)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2023 Alexander V. Chernikov <melifaro@FreeBSD.org>
5  * Copyright (c) 2023 Rubicon Communications, LLC (Netgate)
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  *
28  */
29 
30 #include <sys/param.h>
31 #include <sys/malloc.h>
32 #include <sys/mbuf.h>
33 #include <sys/priv.h>
34 #include <sys/socket.h>
35 #include <sys/ucred.h>
36 
37 #include <net/pfvar.h>
38 
39 #include <netlink/netlink.h>
40 #include <netlink/netlink_ctl.h>
41 #include <netlink/netlink_generic.h>
42 #include <netlink/netlink_message_writer.h>
43 
44 #include <netpfil/pf/pf_nl.h>
45 
46 #define	DEBUG_MOD_NAME	nl_pf
47 #define	DEBUG_MAX_LEVEL	LOG_DEBUG3
48 #include <netlink/netlink_debug.h>
49 _DECLARE_DEBUG(LOG_DEBUG);
50 
51 struct nl_parsed_state {
52 	uint8_t		version;
53 	uint32_t	id;
54 	uint32_t	creatorid;
55 	char		ifname[IFNAMSIZ];
56 	uint16_t	proto;
57 	sa_family_t	af;
58 	struct pf_addr	addr;
59 	struct pf_addr	mask;
60 };
61 
62 #define	_IN(_field)	offsetof(struct genlmsghdr, _field)
63 #define	_OUT(_field)	offsetof(struct nl_parsed_state, _field)
64 static const struct nlattr_parser nla_p_state[] = {
65 	{ .type = PF_ST_ID, .off = _OUT(id), .cb = nlattr_get_uint32 },
66 	{ .type = PF_ST_CREATORID, .off = _OUT(creatorid), .cb = nlattr_get_uint32 },
67 	{ .type = PF_ST_IFNAME, .arg = (const void *)IFNAMSIZ, .off = _OUT(ifname), .cb = nlattr_get_chara },
68 	{ .type = PF_ST_AF, .off = _OUT(proto), .cb = nlattr_get_uint8 },
69 	{ .type = PF_ST_PROTO, .off = _OUT(proto), .cb = nlattr_get_uint16 },
70 	{ .type = PF_ST_FILTER_ADDR, .off = _OUT(addr), .cb = nlattr_get_in6_addr },
71 	{ .type = PF_ST_FILTER_MASK, .off = _OUT(mask), .cb = nlattr_get_in6_addr },
72 };
73 static const struct nlfield_parser nlf_p_generic[] = {
74 	{ .off_in = _IN(version), .off_out = _OUT(version), .cb = nlf_get_u8 },
75 };
76 #undef _IN
77 #undef _OUT
78 NL_DECLARE_PARSER(state_parser, struct genlmsghdr, nlf_p_generic, nla_p_state);
79 
80 static void
81 dump_addr(struct nl_writer *nw, int attr, const struct pf_addr *addr, int af)
82 {
83 	switch (af) {
84 	case AF_INET:
85 		nlattr_add(nw, attr, 4, &addr->v4);
86 		break;
87 	case AF_INET6:
88 		nlattr_add(nw, attr, 16, &addr->v6);
89 		break;
90 	};
91 }
92 
93 static bool
94 dump_state_peer(struct nl_writer *nw, int attr, const struct pf_state_peer *peer)
95 {
96 	int off = nlattr_add_nested(nw, attr);
97 	if (off == 0)
98 		return (false);
99 
100 	nlattr_add_u32(nw, PF_STP_SEQLO, peer->seqlo);
101 	nlattr_add_u32(nw, PF_STP_SEQHI, peer->seqhi);
102 	nlattr_add_u32(nw, PF_STP_SEQDIFF, peer->seqdiff);
103 	nlattr_add_u16(nw, PF_STP_MAX_WIN, peer->max_win);
104 	nlattr_add_u16(nw, PF_STP_MSS, peer->mss);
105 	nlattr_add_u8(nw, PF_STP_STATE, peer->state);
106 	nlattr_add_u8(nw, PF_STP_WSCALE, peer->wscale);
107 
108 	if (peer->scrub != NULL) {
109 		struct pf_state_scrub *sc = peer->scrub;
110 		uint16_t pfss_flags = sc->pfss_flags & PFSS_TIMESTAMP;
111 
112 		nlattr_add_u16(nw, PF_STP_PFSS_FLAGS, pfss_flags);
113 		nlattr_add_u32(nw, PF_STP_PFSS_TS_MOD, sc->pfss_ts_mod);
114 		nlattr_add_u8(nw, PF_STP_PFSS_TTL, sc->pfss_ttl);
115 		nlattr_add_u8(nw, PF_STP_SCRUB_FLAG, PFSYNC_SCRUB_FLAG_VALID);
116 	}
117 	nlattr_set_len(nw, off);
118 
119 	return (true);
120 }
121 
122 static bool
123 dump_state_key(struct nl_writer *nw, int attr, const struct pf_state_key *key)
124 {
125 	int off = nlattr_add_nested(nw, attr);
126 	if (off == 0)
127 		return (false);
128 
129 	dump_addr(nw, PF_STK_ADDR0, &key->addr[0], key->af);
130 	dump_addr(nw, PF_STK_ADDR1, &key->addr[1], key->af);
131 	nlattr_add_u16(nw, PF_STK_PORT0, key->port[0]);
132 	nlattr_add_u16(nw, PF_STK_PORT1, key->port[1]);
133 
134 	nlattr_set_len(nw, off);
135 
136 	return (true);
137 }
138 
139 static int
140 dump_state(struct nlpcb *nlp, const struct nlmsghdr *hdr, struct pf_kstate *s,
141     struct nl_pstate *npt)
142 {
143 	struct nl_writer *nw = npt->nw;
144 	int error = 0;
145 	int af;
146 	struct pf_state_key *key;
147 
148 	if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
149 		goto enomem;
150 
151 	struct genlmsghdr *ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
152 	ghdr_new->cmd = PFNL_CMD_GETSTATES;
153 	ghdr_new->version = 0;
154 	ghdr_new->reserved = 0;
155 
156 	nlattr_add_u64(nw, PF_ST_VERSION, PF_STATE_VERSION);
157 
158 	key = s->key[PF_SK_WIRE];
159 	if (!dump_state_key(nw, PF_ST_KEY_WIRE, key))
160 		goto enomem;
161 	key = s->key[PF_SK_STACK];
162 	if (!dump_state_key(nw, PF_ST_KEY_STACK, key))
163 		goto enomem;
164 
165 	af = s->key[PF_SK_WIRE]->af;
166 	nlattr_add_u8(nw, PF_ST_PROTO, s->key[PF_SK_WIRE]->proto);
167 	nlattr_add_u8(nw, PF_ST_AF, af);
168 
169 	nlattr_add_string(nw, PF_ST_IFNAME, s->kif->pfik_name);
170 	nlattr_add_string(nw, PF_ST_ORIG_IFNAME, s->orig_kif->pfik_name);
171 	dump_addr(nw, PF_ST_RT_ADDR, &s->rt_addr, af);
172 	nlattr_add_u32(nw, PF_ST_CREATION, time_uptime - s->creation);
173 	uint32_t expire = pf_state_expires(s);
174 	if (expire > time_uptime)
175 		expire = expire - time_uptime;
176 	nlattr_add_u32(nw, PF_ST_EXPIRE, expire);
177 	nlattr_add_u8(nw, PF_ST_DIRECTION, s->direction);
178 	nlattr_add_u8(nw, PF_ST_LOG, s->act.log);
179 	nlattr_add_u8(nw, PF_ST_TIMEOUT, s->timeout);
180 	nlattr_add_u16(nw, PF_ST_STATE_FLAGS, s->state_flags);
181 	uint8_t sync_flags = 0;
182 	if (s->src_node)
183 		sync_flags |= PFSYNC_FLAG_SRCNODE;
184 	if (s->nat_src_node)
185 		sync_flags |= PFSYNC_FLAG_NATSRCNODE;
186 	nlattr_add_u8(nw, PF_ST_SYNC_FLAGS, sync_flags);
187 	nlattr_add_u64(nw, PF_ST_ID, s->id);
188 	nlattr_add_u32(nw, PF_ST_CREATORID, htonl(s->creatorid));
189 
190 	nlattr_add_u32(nw, PF_ST_RULE, s->rule.ptr ? s->rule.ptr->nr : -1);
191 	nlattr_add_u32(nw, PF_ST_ANCHOR, s->anchor.ptr ? s->anchor.ptr->nr : -1);
192 	nlattr_add_u32(nw, PF_ST_NAT_RULE, s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1);
193 
194 	nlattr_add_u64(nw, PF_ST_PACKETS0, s->packets[0]);
195 	nlattr_add_u64(nw, PF_ST_PACKETS1, s->packets[1]);
196 	nlattr_add_u64(nw, PF_ST_BYTES0, s->bytes[0]);
197 	nlattr_add_u64(nw, PF_ST_BYTES1, s->bytes[1]);
198 	nlattr_add_u32(nw, PF_ST_RTABLEID, s->act.rtableid);
199 	nlattr_add_u8(nw, PF_ST_MIN_TTL, s->act.min_ttl);
200 	nlattr_add_u16(nw, PF_ST_MAX_MSS, s->act.max_mss);
201 	nlattr_add_u16(nw, PF_ST_DNPIPE, s->act.dnpipe);
202 	nlattr_add_u16(nw, PF_ST_DNRPIPE, s->act.dnrpipe);
203 	nlattr_add_u8(nw, PF_ST_RT, s->rt);
204 	if (s->rt_kif != NULL)
205 		nlattr_add_string(nw, PF_ST_RT_IFNAME, s->rt_kif->pfik_name);
206 
207 	if (!dump_state_peer(nw, PF_ST_PEER_SRC, &s->src))
208 		goto enomem;
209 	if (!dump_state_peer(nw, PF_ST_PEER_DST, &s->dst))
210 		goto enomem;
211 
212 	if (nlmsg_end(nw))
213 		return (0);
214 
215 enomem:
216 	error = ENOMEM;
217 	nlmsg_abort(nw);
218 	return (error);
219 }
220 
221 static int
222 handle_dumpstates(struct nlpcb *nlp, struct nl_parsed_state *attrs,
223     struct nlmsghdr *hdr, struct nl_pstate *npt)
224 {
225 	int error = 0;
226 
227 	hdr->nlmsg_flags |= NLM_F_MULTI;
228 
229 	for (int i = 0; i <= pf_hashmask; i++) {
230 		struct pf_idhash *ih = &V_pf_idhash[i];
231 		struct pf_kstate *s;
232 
233 		if (LIST_EMPTY(&ih->states))
234 			continue;
235 
236 		PF_HASHROW_LOCK(ih);
237 		LIST_FOREACH(s, &ih->states, entry) {
238 			sa_family_t af = s->key[PF_SK_WIRE]->af;
239 
240 			if (s->timeout == PFTM_UNLINKED)
241 				continue;
242 
243 			/* Filter */
244 			if (attrs->creatorid != 0 && s->creatorid != attrs->creatorid)
245 				continue;
246 			if (attrs->ifname[0] != 0 &&
247 			    strncmp(attrs->ifname, s->kif->pfik_name, IFNAMSIZ) != 0)
248 				continue;
249 			if (attrs->proto != 0 && s->key[PF_SK_WIRE]->proto != attrs->proto)
250 				continue;
251 			if (attrs->af != 0 && af != attrs->af)
252 				continue;
253 			if (pf_match_addr(1, &s->key[PF_SK_WIRE]->addr[0],
254 			    &attrs->mask, &attrs->addr, af) &&
255 			    pf_match_addr(1, &s->key[PF_SK_WIRE]->addr[1],
256 			    &attrs->mask, &attrs->addr, af) &&
257 			    pf_match_addr(1, &s->key[PF_SK_STACK]->addr[0],
258 			    &attrs->mask, &attrs->addr, af) &&
259 			    pf_match_addr(1, &s->key[PF_SK_STACK]->addr[1],
260 			    &attrs->mask, &attrs->addr, af))
261 				continue;
262 
263 			error = dump_state(nlp, hdr, s, npt);
264 			if (error != 0)
265 				break;
266 		}
267 		PF_HASHROW_UNLOCK(ih);
268 	}
269 
270 	if (!nlmsg_end_dump(npt->nw, error, hdr)) {
271 		NL_LOG(LOG_DEBUG, "Unable to finalize the dump");
272 		return (ENOMEM);
273 	}
274 
275 	return (error);
276 }
277 
278 static int
279 handle_getstate(struct nlpcb *nlp, struct nl_parsed_state *attrs,
280     struct nlmsghdr *hdr, struct nl_pstate *npt)
281 {
282 	struct pf_kstate *s = pf_find_state_byid(attrs->id, attrs->creatorid);
283 	if (s == NULL)
284 		return (ENOENT);
285 	return (dump_state(nlp, hdr, s, npt));
286 }
287 
288 static int
289 dump_creatorid(struct nlpcb *nlp, const struct nlmsghdr *hdr, uint32_t creator,
290     struct nl_pstate *npt)
291 {
292 	struct nl_writer *nw = npt->nw;
293 
294 	if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
295 		goto enomem;
296 
297 	struct genlmsghdr *ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
298 	ghdr_new->cmd = PFNL_CMD_GETCREATORS;
299 	ghdr_new->version = 0;
300 	ghdr_new->reserved = 0;
301 
302 	nlattr_add_u32(nw, PF_ST_CREATORID, htonl(creator));
303 
304 	if (nlmsg_end(nw))
305 		return (0);
306 
307 enomem:
308 	nlmsg_abort(nw);
309 	return (ENOMEM);
310 }
311 
312 static int
313 pf_handle_getstates(struct nlmsghdr *hdr, struct nl_pstate *npt)
314 {
315 	int error;
316 
317 	struct nl_parsed_state attrs = {};
318 	error = nl_parse_nlmsg(hdr, &state_parser, npt, &attrs);
319 	if (error != 0)
320 		return (error);
321 
322 	if (attrs.id != 0)
323 		error = handle_getstate(npt->nlp, &attrs, hdr, npt);
324 	else
325 		error = handle_dumpstates(npt->nlp, &attrs, hdr, npt);
326 
327 	return (error);
328 }
329 
330 static int
331 pf_handle_getcreators(struct nlmsghdr *hdr, struct nl_pstate *npt)
332 {
333 	uint32_t creators[16];
334 	int error = 0;
335 
336 	bzero(creators, sizeof(creators));
337 
338 	for (int i = 0; i < pf_hashmask; i++) {
339 		struct pf_idhash *ih = &V_pf_idhash[i];
340 		struct pf_kstate *s;
341 
342 		if (LIST_EMPTY(&ih->states))
343 			continue;
344 
345 		PF_HASHROW_LOCK(ih);
346 		LIST_FOREACH(s, &ih->states, entry) {
347 			int j;
348 			if (s->timeout == PFTM_UNLINKED)
349 				continue;
350 
351 			for (j = 0; j < nitems(creators); j++) {
352 				if (creators[j] == s->creatorid)
353 					break;
354 				if (creators[j] == 0) {
355 					creators[j] = s->creatorid;
356 					break;
357 				}
358 			}
359 			if (j == nitems(creators))
360 				printf("Warning: too many creators!\n");
361 		}
362 		PF_HASHROW_UNLOCK(ih);
363 	}
364 
365 	hdr->nlmsg_flags |= NLM_F_MULTI;
366 	for (int i = 0; i < nitems(creators); i++) {
367 		if (creators[i] == 0)
368 			break;
369 		error = dump_creatorid(npt->nlp, hdr, creators[i], npt);
370 	}
371 
372 	if (!nlmsg_end_dump(npt->nw, error, hdr)) {
373 		NL_LOG(LOG_DEBUG, "Unable to finalize the dump");
374 		return (ENOMEM);
375 	}
376 
377 	return (error);
378 }
379 
380 static int
381 pf_handle_start(struct nlmsghdr *hdr __unused, struct nl_pstate *npt __unused)
382 {
383 	return (pf_start());
384 }
385 
386 static int
387 pf_handle_stop(struct nlmsghdr *hdr __unused, struct nl_pstate *npt __unused)
388 {
389 	return (pf_stop());
390 }
391 
392 #define _OUT(_field)	offsetof(struct pf_addr_wrap, _field)
393 static const struct nlattr_parser nla_p_addr_wrap[] = {
394 	{ .type = PF_AT_ADDR, .off = _OUT(v.a.addr), .cb = nlattr_get_in6_addr },
395 	{ .type = PF_AT_MASK, .off = _OUT(v.a.mask), .cb = nlattr_get_in6_addr },
396 	{ .type = PF_AT_IFNAME, .off = _OUT(v.ifname), .arg = (void *)IFNAMSIZ,.cb = nlattr_get_chara },
397 	{ .type = PF_AT_TABLENAME, .off = _OUT(v.tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara },
398 	{ .type = PF_AT_TYPE, .off = _OUT(type), .cb = nlattr_get_uint8 },
399 	{ .type = PF_AT_IFLAGS, .off = _OUT(iflags), .cb = nlattr_get_uint8 },
400 };
401 NL_DECLARE_ATTR_PARSER(addr_wrap_parser, nla_p_addr_wrap);
402 #undef _OUT
403 
404 #define _OUT(_field)	offsetof(struct pf_rule_addr, _field)
405 static const struct nlattr_parser nla_p_ruleaddr[] = {
406 	{ .type = PF_RAT_ADDR, .off = _OUT(addr), .arg = &addr_wrap_parser, .cb = nlattr_get_nested },
407 	{ .type = PF_RAT_SRC_PORT, .off = _OUT(port[0]), .cb = nlattr_get_uint16 },
408 	{ .type = PF_RAT_DST_PORT, .off = _OUT(port[1]), .cb = nlattr_get_uint16 },
409 	{ .type = PF_RAT_NEG, .off = _OUT(neg), .cb = nlattr_get_uint8 },
410 	{ .type = PF_RAT_OP, .off = _OUT(port_op), .cb = nlattr_get_uint8 },
411 };
412 NL_DECLARE_ATTR_PARSER(rule_addr_parser, nla_p_ruleaddr);
413 #undef _OUT
414 
415 #define _OUT(_field)	offsetof(struct pf_mape_portset, _field)
416 static const struct nlattr_parser nla_p_mape_portset[] = {
417 	{ .type = PF_MET_OFFSET, .off = _OUT(offset), .cb = nlattr_get_uint8 },
418 	{ .type = PF_MET_PSID_LEN, .off = _OUT(psidlen), .cb = nlattr_get_uint8 },
419 	{. type = PF_MET_PSID, .off = _OUT(psid), .cb = nlattr_get_uint16 },
420 };
421 NL_DECLARE_ATTR_PARSER(mape_portset_parser, nla_p_mape_portset);
422 #undef _OUT
423 
424 struct nl_parsed_labels
425 {
426 	char		labels[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
427 	uint32_t	i;
428 };
429 
430 static int
431 nlattr_get_pf_rule_labels(struct nlattr *nla, struct nl_pstate *npt,
432     const void *arg, void *target)
433 {
434 	struct nl_parsed_labels *l = (struct nl_parsed_labels *)target;
435 	int ret;
436 
437 	if (l->i >= PF_RULE_MAX_LABEL_COUNT)
438 		return (E2BIG);
439 
440 	ret = nlattr_get_chara(nla, npt, (void *)PF_RULE_LABEL_SIZE,
441 	    l->labels[l->i]);
442 	if (ret == 0)
443 		l->i++;
444 
445 	return (ret);
446 }
447 
448 #define _OUT(_field)	offsetof(struct nl_parsed_labels, _field)
449 static const struct nlattr_parser nla_p_labels[] = {
450 	{ .type = PF_LT_LABEL, .off = 0, .cb = nlattr_get_pf_rule_labels },
451 };
452 NL_DECLARE_ATTR_PARSER(rule_labels_parser, nla_p_labels);
453 #undef _OUT
454 
455 static int
456 nlattr_get_nested_pf_rule_labels(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target)
457 {
458 	struct nl_parsed_labels parsed_labels = { };
459 	int error;
460 
461 	/* Assumes target points to the beginning of the structure */
462 	error = nl_parse_header(NLA_DATA(nla), NLA_DATA_LEN(nla), &rule_labels_parser, npt, &parsed_labels);
463 	if (error != 0)
464 		return (error);
465 
466 	memcpy(target, parsed_labels.labels, sizeof(parsed_labels));
467 
468 	return (0);
469 }
470 
471 #define _OUT(_field)	offsetof(struct pf_kpool, _field)
472 static const struct nlattr_parser nla_p_pool[] = {
473 	{ .type = PF_PT_KEY, .off = _OUT(key), .arg = (void *)sizeof(struct pf_poolhashkey), .cb = nlattr_get_bytes },
474 	{ .type = PF_PT_COUNTER, .off = _OUT(counter), .cb = nlattr_get_in6_addr },
475 	{ .type = PF_PT_TBLIDX, .off = _OUT(tblidx), .cb = nlattr_get_uint32 },
476 	{ .type = PF_PT_PROXY_SRC_PORT, .off = _OUT(proxy_port[0]), .cb = nlattr_get_uint16 },
477 	{ .type = PF_PT_PROXY_DST_PORT, .off = _OUT(proxy_port[1]), .cb = nlattr_get_uint16 },
478 	{ .type = PF_PT_OPTS, .off = _OUT(opts), .cb = nlattr_get_uint8 },
479 	{ .type = PF_PT_MAPE, .off = _OUT(mape), .arg = &mape_portset_parser, .cb = nlattr_get_nested },
480 };
481 NL_DECLARE_ATTR_PARSER(pool_parser, nla_p_pool);
482 #undef _OUT
483 
484 #define _OUT(_field)	offsetof(struct pf_rule_uid, _field)
485 static const struct nlattr_parser nla_p_rule_uid[] = {
486 	{ .type = PF_RUT_UID_LOW, .off = _OUT(uid[0]), .cb = nlattr_get_uint32 },
487 	{ .type = PF_RUT_UID_HIGH, .off = _OUT(uid[1]), .cb = nlattr_get_uint32 },
488 	{ .type = PF_RUT_OP, .off = _OUT(op), .cb = nlattr_get_uint8 },
489 };
490 NL_DECLARE_ATTR_PARSER(rule_uid_parser, nla_p_rule_uid);
491 #undef _OUT
492 
493 struct nl_parsed_timeouts
494 {
495 	uint32_t	timeouts[PFTM_MAX];
496 	uint32_t	i;
497 };
498 
499 static int
500 nlattr_get_pf_timeout(struct nlattr *nla, struct nl_pstate *npt,
501     const void *arg, void *target)
502 {
503 	struct nl_parsed_timeouts *t = (struct nl_parsed_timeouts *)target;
504 	int ret;
505 
506 	if (t->i >= PFTM_MAX)
507 		return (E2BIG);
508 
509 	ret = nlattr_get_uint32(nla, npt, NULL, &t->timeouts[t->i]);
510 	if (ret == 0)
511 		t->i++;
512 
513 	return (ret);
514 }
515 
516 #define _OUT(_field)	offsetof(struct nl_parsed_timeout, _field)
517 static const struct nlattr_parser nla_p_timeouts[] = {
518 	{ .type = PF_TT_TIMEOUT, .off = 0, .cb = nlattr_get_pf_timeout },
519 };
520 NL_DECLARE_ATTR_PARSER(timeout_parser, nla_p_timeouts);
521 #undef _OUT
522 
523 static int
524 nlattr_get_nested_timeouts(struct nlattr *nla, struct nl_pstate *npt, const void *arg, void *target)
525 {
526 	struct nl_parsed_timeouts parsed_timeouts = { };
527 	int error;
528 
529 	/* Assumes target points to the beginning of the structure */
530 	error = nl_parse_header(NLA_DATA(nla), NLA_DATA_LEN(nla), &timeout_parser, npt, &parsed_timeouts);
531 	if (error != 0)
532 		return (error);
533 
534 	memcpy(target, parsed_timeouts.timeouts, sizeof(parsed_timeouts.timeouts));
535 
536 	return (0);
537 }
538 
539 #define _OUT(_field)	offsetof(struct pf_krule, _field)
540 static const struct nlattr_parser nla_p_rule[] = {
541 	{ .type = PF_RT_SRC, .off = _OUT(src), .arg = &rule_addr_parser,.cb = nlattr_get_nested },
542 	{ .type = PF_RT_DST, .off = _OUT(dst), .arg = &rule_addr_parser,.cb = nlattr_get_nested },
543 	{ .type = PF_RT_RIDENTIFIER, .off = _OUT(ridentifier), .cb = nlattr_get_uint32 },
544 	{ .type = PF_RT_LABELS, .off = _OUT(label), .arg = &rule_labels_parser,.cb = nlattr_get_nested_pf_rule_labels },
545 	{ .type = PF_RT_IFNAME, .off = _OUT(ifname), .arg = (void *)IFNAMSIZ, .cb = nlattr_get_chara },
546 	{ .type = PF_RT_QNAME, .off = _OUT(qname), .arg = (void *)PF_QNAME_SIZE, .cb = nlattr_get_chara },
547 	{ .type = PF_RT_PQNAME, .off = _OUT(pqname), .arg = (void *)PF_QNAME_SIZE, .cb = nlattr_get_chara },
548 	{ .type = PF_RT_TAGNAME, .off = _OUT(tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara },
549 	{ .type = PF_RT_MATCH_TAGNAME, .off = _OUT(match_tagname), .arg = (void *)PF_TAG_NAME_SIZE, .cb = nlattr_get_chara },
550 	{ .type = PF_RT_OVERLOAD_TBLNAME, .off = _OUT(overload_tblname), .arg = (void *)PF_TABLE_NAME_SIZE, .cb = nlattr_get_chara },
551 	{ .type = PF_RT_RPOOL, .off = _OUT(rpool), .arg = &pool_parser, .cb = nlattr_get_nested },
552 	{ .type = PF_RT_OS_FINGERPRINT, .off = _OUT(os_fingerprint), .cb = nlattr_get_uint32 },
553 	{ .type = PF_RT_RTABLEID, .off = _OUT(rtableid), .cb = nlattr_get_uint32 },
554 	{ .type = PF_RT_TIMEOUT, .off = _OUT(timeout), .arg = &timeout_parser, .cb = nlattr_get_nested_timeouts },
555 	{ .type = PF_RT_MAX_STATES, .off = _OUT(max_states), .cb = nlattr_get_uint32 },
556 	{ .type = PF_RT_MAX_SRC_NODES, .off = _OUT(max_src_nodes), .cb = nlattr_get_uint32 },
557 	{ .type = PF_RT_MAX_SRC_STATES, .off = _OUT(max_src_states), .cb = nlattr_get_uint32 },
558 	{ .type = PF_RT_MAX_SRC_CONN_RATE_LIMIT, .off = _OUT(max_src_conn_rate.limit), .cb = nlattr_get_uint32 },
559 	{ .type = PF_RT_MAX_SRC_CONN_RATE_SECS, .off = _OUT(max_src_conn_rate.seconds), .cb = nlattr_get_uint32 },
560 	{ .type = PF_RT_DNPIPE, .off = _OUT(dnpipe), .cb = nlattr_get_uint16 },
561 	{ .type = PF_RT_DNRPIPE, .off = _OUT(dnrpipe), .cb = nlattr_get_uint16 },
562 	{ .type = PF_RT_DNFLAGS, .off = _OUT(free_flags), .cb = nlattr_get_uint32 },
563 	{ .type = PF_RT_NR, .off = _OUT(nr), .cb = nlattr_get_uint32 },
564 	{ .type = PF_RT_PROB, .off = _OUT(prob), .cb = nlattr_get_uint32 },
565 	{ .type = PF_RT_CUID, .off = _OUT(cuid), .cb = nlattr_get_uint32 },
566 	{. type = PF_RT_CPID, .off = _OUT(cpid), .cb = nlattr_get_uint32 },
567 	{ .type = PF_RT_RETURN_ICMP, .off = _OUT(return_icmp), .cb = nlattr_get_uint16 },
568 	{ .type = PF_RT_RETURN_ICMP6, .off = _OUT(return_icmp6), .cb = nlattr_get_uint16 },
569 	{ .type = PF_RT_MAX_MSS, .off = _OUT(max_mss), .cb = nlattr_get_uint16 },
570 	{ .type = PF_RT_SCRUB_FLAGS, .off = _OUT(scrub_flags), .cb = nlattr_get_uint16 },
571 	{ .type = PF_RT_UID, .off = _OUT(uid), .arg = &rule_uid_parser, .cb = nlattr_get_nested },
572 	{ .type = PF_RT_GID, .off = _OUT(gid), .arg = &rule_uid_parser, .cb = nlattr_get_nested },
573 	{ .type = PF_RT_RULE_FLAG, .off = _OUT(rule_flag), .cb = nlattr_get_uint32 },
574 	{ .type = PF_RT_ACTION, .off = _OUT(action), .cb = nlattr_get_uint8 },
575 	{ .type = PF_RT_DIRECTION, .off = _OUT(direction), .cb = nlattr_get_uint8 },
576 	{ .type = PF_RT_LOG, .off = _OUT(log), .cb = nlattr_get_uint8 },
577 	{ .type = PF_RT_LOGIF, .off = _OUT(logif), .cb = nlattr_get_uint8 },
578 	{ .type = PF_RT_QUICK, .off = _OUT(quick), .cb = nlattr_get_uint8 },
579 	{ .type = PF_RT_IF_NOT, .off = _OUT(ifnot), .cb = nlattr_get_uint8 },
580 	{ .type = PF_RT_MATCH_TAG_NOT, .off = _OUT(match_tag_not), .cb = nlattr_get_uint8 },
581 	{ .type = PF_RT_NATPASS, .off = _OUT(natpass), .cb = nlattr_get_uint8 },
582 	{ .type = PF_RT_KEEP_STATE, .off = _OUT(keep_state), .cb = nlattr_get_uint8 },
583 	{ .type = PF_RT_AF, .off = _OUT(af), .cb = nlattr_get_uint8 },
584 	{ .type = PF_RT_PROTO, .off = _OUT(proto), .cb = nlattr_get_uint8 },
585 	{ .type = PF_RT_TYPE, .off = _OUT(type), .cb = nlattr_get_uint8 },
586 	{ .type = PF_RT_CODE, .off = _OUT(code), .cb = nlattr_get_uint8 },
587 	{ .type = PF_RT_FLAGS, .off = _OUT(flags), .cb = nlattr_get_uint8 },
588 	{ .type = PF_RT_FLAGSET, .off = _OUT(flagset), .cb = nlattr_get_uint8 },
589 	{ .type = PF_RT_MIN_TTL, .off = _OUT(min_ttl), .cb = nlattr_get_uint8 },
590 	{ .type = PF_RT_ALLOW_OPTS, .off = _OUT(allow_opts), .cb = nlattr_get_uint8 },
591 	{ .type = PF_RT_RT, .off = _OUT(rt), .cb = nlattr_get_uint8 },
592 	{ .type = PF_RT_RETURN_TTL, .off = _OUT(return_ttl), .cb = nlattr_get_uint8 },
593 	{ .type = PF_RT_TOS, .off = _OUT(tos), .cb = nlattr_get_uint8 },
594 	{ .type = PF_RT_SET_TOS, .off = _OUT(set_tos), .cb = nlattr_get_uint8 },
595 	{ .type = PF_RT_ANCHOR_RELATIVE, .off = _OUT(anchor_relative), .cb = nlattr_get_uint8 },
596 	{ .type = PF_RT_ANCHOR_WILDCARD, .off = _OUT(anchor_wildcard), .cb = nlattr_get_uint8 },
597 	{ .type = PF_RT_FLUSH, .off = _OUT(flush), .cb = nlattr_get_uint8 },
598 	{ .type = PF_RT_PRIO, .off = _OUT(prio), .cb = nlattr_get_uint8 },
599 	{ .type = PF_RT_SET_PRIO, .off = _OUT(set_prio[0]), .cb = nlattr_get_uint8 },
600 	{ .type = PF_RT_SET_PRIO_REPLY, .off = _OUT(set_prio[1]), .cb = nlattr_get_uint8 },
601 	{ .type = PF_RT_DIVERT_ADDRESS, .off = _OUT(divert.addr), .cb = nlattr_get_in6_addr },
602 	{ .type = PF_RT_DIVERT_PORT, .off = _OUT(divert.port), .cb = nlattr_get_uint16 },
603 };
604 NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule);
605 #undef _OUT
606 struct nl_parsed_addrule {
607 	struct pf_krule	*rule;
608 	uint32_t	 ticket;
609 	uint32_t	 pool_ticket;
610 	char		*anchor;
611 	char		*anchor_call;
612 };
613 #define	_IN(_field)	offsetof(struct genlmsghdr, _field)
614 #define	_OUT(_field)	offsetof(struct nl_parsed_addrule, _field)
615 static const struct nlattr_parser nla_p_addrule[] = {
616 	{ .type = PF_ART_TICKET, .off = _OUT(ticket), .cb = nlattr_get_uint32 },
617 	{ .type = PF_ART_POOL_TICKET, .off = _OUT(pool_ticket), .cb = nlattr_get_uint32 },
618 	{ .type = PF_ART_ANCHOR, .off = _OUT(anchor), .cb = nlattr_get_string },
619 	{ .type = PF_ART_ANCHOR_CALL, .off = _OUT(anchor_call), .cb = nlattr_get_string },
620 	{ .type = PF_ART_RULE, .off = _OUT(rule), .arg = &rule_parser, .cb = nlattr_get_nested_ptr }
621 };
622 static const struct nlfield_parser nlf_p_addrule[] = {
623 };
624 #undef _IN
625 #undef _OUT
626 NL_DECLARE_PARSER(addrule_parser, struct genlmsghdr, nlf_p_addrule, nla_p_addrule);
627 
628 static int
629 pf_handle_addrule(struct nlmsghdr *hdr, struct nl_pstate *npt)
630 {
631 	int error;
632 	struct nl_parsed_addrule attrs = {};
633 
634 	attrs.rule = pf_krule_alloc();
635 
636 	error = nl_parse_nlmsg(hdr, &addrule_parser, npt, &attrs);
637 	if (error != 0) {
638 		pf_free_rule(attrs.rule);
639 		return (error);
640 	}
641 
642 	error = pf_ioctl_addrule(attrs.rule, attrs.ticket, attrs.pool_ticket,
643 	    attrs.anchor, attrs.anchor_call, nlp_get_cred(npt->nlp)->cr_uid,
644 	    hdr->nlmsg_pid);
645 
646 	return (error);
647 }
648 
649 struct nl_parsed_getrules {
650 	char		*anchor;
651 	uint8_t		 action;
652 };
653 #define	_IN(_field)	offsetof(struct genlmsghdr, _field)
654 #define	_OUT(_field)	offsetof(struct pfioc_rule, _field)
655 static const struct nlattr_parser nla_p_getrules[] = {
656 	{ .type = PF_GR_ANCHOR, .off = _OUT(anchor), .arg = (void *)MAXPATHLEN, .cb = nlattr_get_chara },
657 	{ .type = PF_GR_ACTION, .off = _OUT(rule.action), .cb = nlattr_get_uint8 },
658 };
659 static const struct nlfield_parser nlf_p_getrules[] = {
660 };
661 NL_DECLARE_PARSER(getrules_parser, struct genlmsghdr, nlf_p_getrules, nla_p_getrules);
662 
663 static int
664 pf_handle_getrules(struct nlmsghdr *hdr, struct nl_pstate *npt)
665 {
666 	struct pfioc_rule attrs = {};
667 	int error;
668 	struct nl_writer *nw = npt->nw;
669 	struct genlmsghdr *ghdr_new;
670 
671 	error = nl_parse_nlmsg(hdr, &getrules_parser, npt, &attrs);
672 	if (error != 0)
673 		return (error);
674 
675 	if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
676 		return (ENOMEM);
677 
678 	ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
679 	ghdr_new->cmd = PFNL_CMD_GETRULES;
680 	ghdr_new->version = 0;
681 	ghdr_new->reserved = 0;
682 
683 	error = pf_ioctl_getrules(&attrs);
684 	if (error != 0)
685 		goto out;
686 
687 	nlattr_add_u32(nw, PF_GR_NR, attrs.nr);
688 	nlattr_add_u32(nw, PF_GR_TICKET, attrs.ticket);
689 
690 	if (!nlmsg_end(nw)) {
691 		error = ENOMEM;
692 		goto out;
693 	}
694 
695 	return (0);
696 
697 out:
698 	nlmsg_abort(nw);
699 	return (error);
700 }
701 
702 static const struct nlhdr_parser *all_parsers[] = {
703 	&state_parser,
704 	&addrule_parser,
705 	&getrules_parser
706 };
707 
708 static int family_id;
709 
710 static const struct genl_cmd pf_cmds[] = {
711 	{
712 		.cmd_num = PFNL_CMD_GETSTATES,
713 		.cmd_name = "GETSTATES",
714 		.cmd_cb = pf_handle_getstates,
715 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
716 		.cmd_priv = PRIV_NETINET_PF,
717 	},
718 	{
719 		.cmd_num = PFNL_CMD_GETCREATORS,
720 		.cmd_name = "GETCREATORS",
721 		.cmd_cb = pf_handle_getcreators,
722 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
723 		.cmd_priv = PRIV_NETINET_PF,
724 	},
725 	{
726 		.cmd_num = PFNL_CMD_START,
727 		.cmd_name = "START",
728 		.cmd_cb = pf_handle_start,
729 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
730 		.cmd_priv = PRIV_NETINET_PF,
731 	},
732 	{
733 		.cmd_num = PFNL_CMD_STOP,
734 		.cmd_name = "STOP",
735 		.cmd_cb = pf_handle_stop,
736 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
737 		.cmd_priv = PRIV_NETINET_PF,
738 	},
739 	{
740 		.cmd_num = PFNL_CMD_ADDRULE,
741 		.cmd_name = "ADDRULE",
742 		.cmd_cb = pf_handle_addrule,
743 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
744 		.cmd_priv = PRIV_NETINET_PF,
745 	},
746 	{
747 		.cmd_num = PFNL_CMD_GETRULES,
748 		.cmd_name = "GETRULES",
749 		.cmd_cb = pf_handle_getrules,
750 		.cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
751 		.cmd_priv = PRIV_NETINET_PF,
752 	},
753 };
754 
755 void
756 pf_nl_register(void)
757 {
758 	NL_VERIFY_PARSERS(all_parsers);
759 
760 	family_id = genl_register_family(PFNL_FAMILY_NAME, 0, 2, PFNL_CMD_MAX);
761 	genl_register_cmds(PFNL_FAMILY_NAME, pf_cmds, NL_ARRAY_LEN(pf_cmds));
762 }
763 
764 void
765 pf_nl_unregister(void)
766 {
767 	genl_unregister_family(PFNL_FAMILY_NAME);
768 }
769