d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

libpfctl: Switch to pfctl_rule

Browse Source 
Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.

Reviewed by:	glebius
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29644
This commit is contained in:
Kristof Provost 2021-04-08 10:31:46 +02:00
parent a9b338b260
commit e9eb09414a
12 changed files with 416 additions and 262 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
contrib/pf/ftp-proxy/filter.c
View File

@ -50,7 +50,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
struct sockaddr_in6 *);
static struct pfioc_pooladdr pfp;
static struct pfioc_rule pfr;
static struct pfctl_rule pfrule;
static char pfanchor[PF_ANCHOR_NAME_SIZE];
static char pfanchor_call[PF_ANCHOR_NAME_SIZE];
static uint32_t pfticket;
static uint32_t pfpool_ticket;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
@ -68,9 +72,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1)
return (-1);
pfr.rule.direction = dir;
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
pfrule.direction = dir;
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
return (0);
@ -99,14 +103,14 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
&satosin6(nat)->sin6_addr.s6_addr, 16);
memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
}
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
pfr.rule.rpool.proxy_port[0] = nat_range_low;
pfr.rule.rpool.proxy_port[1] = nat_range_high;
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
pfrule.rpool.proxy_port[0] = nat_range_low;
pfrule.rpool.proxy_port[1] = nat_range_high;
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
return (0);
@ -134,13 +138,13 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
&satosin6(rdr)->sin6_addr.s6_addr, 16);
memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
}
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
pfr.rule.rpool.proxy_port[0] = rdr_port;
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
pfrule.rpool.proxy_port[0] = rdr_port;
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
return (0);
@ -237,21 +241,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
memset(&pfp, 0, sizeof pfp);
memset(&pfr, 0, sizeof pfr);
memset(&pfrule, 0, sizeof pfrule);
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
getpid(), id);
strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE);
switch (rs_num) {
case PF_RULESET_FILTER:
pfr.ticket = pfte[TRANS_FILTER].ticket;
pfticket = pfte[TRANS_FILTER].ticket;
break;
case PF_RULESET_NAT:
pfr.ticket = pfte[TRANS_NAT].ticket;
pfticket = pfte[TRANS_NAT].ticket;
break;
case PF_RULESET_RDR:
pfr.ticket = pfte[TRANS_RDR].ticket;
pfticket = pfte[TRANS_RDR].ticket;
break;
default:
errno = EINVAL;
@ -259,30 +263,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
return (-1);
pfr.pool_ticket = pfp.ticket;
pfpool_ticket = pfp.ticket;
/* Generic for all rule types. */
pfr.rule.af = src->sa_family;
pfr.rule.proto = IPPROTO_TCP;
pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
pfrule.af = src->sa_family;
pfrule.proto = IPPROTO_TCP;
pfrule.src.addr.type = PF_ADDR_ADDRMASK;
pfrule.dst.addr.type = PF_ADDR_ADDRMASK;
if (src->sa_family == AF_INET) {
memcpy(&pfr.rule.src.addr.v.a.addr.v4,
memcpy(&pfrule.src.addr.v.a.addr.v4,
&satosin(src)->sin_addr.s_addr, 4);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4);
memcpy(&pfrule.dst.addr.v.a.addr.v4,
&satosin(dst)->sin_addr.s_addr, 4);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4);
} else {
memcpy(&pfr.rule.src.addr.v.a.addr.v6,
memcpy(&pfrule.src.addr.v.a.addr.v6,
&satosin6(src)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16);
memcpy(&pfrule.dst.addr.v.a.addr.v6,
&satosin6(dst)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16);
}
pfr.rule.dst.port_op = PF_OP_EQ;
pfr.rule.dst.port[0] = htons(d_port);
pfrule.dst.port_op = PF_OP_EQ;
pfrule.dst.port[0] = htons(d_port);
switch (rs_num) {
case PF_RULESET_FILTER:
@ -291,32 +295,32 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
* from $src to $dst port = $d_port flags S/SA keep state
* (max 1) [queue qname] [tag tagname]
*/
pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
pfr.rule.flags = TH_SYN;
pfr.rule.flagset = (TH_SYN|TH_ACK);
pfr.rule.max_states = 1;
pfrule.action = PF_PASS;
pfrule.quick = 1;
pfrule.log = rule_log;
pfrule.keep_state = 1;
pfrule.flags = TH_SYN;
pfrule.flagset = (TH_SYN|TH_ACK);
pfrule.max_states = 1;
if (qname != NULL)
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
strlcpy(pfrule.qname, qname, sizeof pfrule.qname);
if (tagname != NULL) {
pfr.rule.quick = 0;
strlcpy(pfr.rule.tagname, tagname,
sizeof pfr.rule.tagname);
pfrule.quick = 0;
strlcpy(pfrule.tagname, tagname,
sizeof pfrule.tagname);
}
break;
case PF_RULESET_NAT:
/*
* nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
*/
pfr.rule.action = PF_NAT;
pfrule.action = PF_NAT;
break;
case PF_RULESET_RDR:
/*
* rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
*/
pfr.rule.action = PF_RDR;
pfrule.action = PF_RDR;
break;
default:
errno = EINVAL;

90
contrib/pf/tftp-proxy/filter.c
View File

@ -54,7 +54,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
struct sockaddr_in6 *, u_int8_t);
static struct pfioc_pooladdr pfp;
static struct pfioc_rule pfr;
static struct pfctl_rule pfrule;
static uint32_t pfticket;
static uint32_t pfpool_ticket;
static char pfanchor[PF_ANCHOR_NAME_SIZE];
static char pfanchor_call[PF_ANCHOR_NAME_SIZE];
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
@ -72,9 +76,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1)
return (-1);
pfr.rule.direction = dir;
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
pfrule.direction = dir;
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
return (0);
@ -106,10 +110,10 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
return (-1);
pfr.rule.rpool.proxy_port[0] = nat_range_low;
pfr.rule.rpool.proxy_port[1] = nat_range_high;
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
pfrule.rpool.proxy_port[0] = nat_range_low;
pfrule.rpool.proxy_port[1] = nat_range_high;
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
return (0);
@ -140,9 +144,9 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
return (-1);
pfr.rule.rpool.proxy_port[0] = rdr_port;
if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
pfr.ticket, pfr.pool_ticket))
pfrule.rpool.proxy_port[0] = rdr_port;
if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
return (0);
@ -244,21 +248,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
memset(&pfp, 0, sizeof pfp);
memset(&pfr, 0, sizeof pfr);
memset(&pfrule, 0, sizeof pfrule);
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
getpid(), id);
strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE);
switch (rs_num) {
case PF_RULESET_FILTER:
pfr.ticket = pfte[TRANS_FILTER].ticket;
pfticket = pfte[TRANS_FILTER].ticket;
break;
case PF_RULESET_NAT:
pfr.ticket = pfte[TRANS_NAT].ticket;
pfticket = pfte[TRANS_NAT].ticket;
break;
case PF_RULESET_RDR:
pfr.ticket = pfte[TRANS_RDR].ticket;
pfticket = pfte[TRANS_RDR].ticket;
break;
default:
errno = EINVAL;
@ -266,30 +270,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
}
if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
return (-1);
pfr.pool_ticket = pfp.ticket;
pfpool_ticket = pfp.ticket;
/* Generic for all rule types. */
pfr.rule.af = src->sa_family;
pfr.rule.proto = proto;
pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
pfrule.af = src->sa_family;
pfrule.proto = proto;
pfrule.src.addr.type = PF_ADDR_ADDRMASK;
pfrule.dst.addr.type = PF_ADDR_ADDRMASK;
if (src->sa_family == AF_INET) {
memcpy(&pfr.rule.src.addr.v.a.addr.v4,
memcpy(&pfrule.src.addr.v.a.addr.v4,
&satosin(src)->sin_addr.s_addr, 4);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4);
memcpy(&pfrule.dst.addr.v.a.addr.v4,
&satosin(dst)->sin_addr.s_addr, 4);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4);
} else {
memcpy(&pfr.rule.src.addr.v.a.addr.v6,
memcpy(&pfrule.src.addr.v.a.addr.v6,
&satosin6(src)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16);
memcpy(&pfrule.dst.addr.v.a.addr.v6,
&satosin6(dst)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16);
}
pfr.rule.dst.port_op = PF_OP_EQ;
pfr.rule.dst.port[0] = htons(d_port);
pfrule.dst.port_op = PF_OP_EQ;
pfrule.dst.port[0] = htons(d_port);
switch (rs_num) {
case PF_RULESET_FILTER:
@ -298,34 +302,34 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
* from $src to $dst port = $d_port flags S/SAFR keep state
* (max 1) [queue qname]
*/
pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
pfrule.action = PF_PASS;
pfrule.quick = 1;
pfrule.log = rule_log;
pfrule.keep_state = 1;
#ifdef __FreeBSD__
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
pfr.rule.flagset = (proto == IPPROTO_TCP ?
pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
pfrule.flagset = (proto == IPPROTO_TCP ?
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
#else
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
pfr.rule.flagset = (proto == IPPROTO_TCP ?
pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
pfrule.flagset = (proto == IPPROTO_TCP ?
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
#endif
pfr.rule.max_states = 1;
pfrule.max_states = 1;
if (qname != NULL)
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
strlcpy(pfrule.qname, qname, sizeof pfrule.qname);
break;
case PF_RULESET_NAT:
/*
* nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
*/
pfr.rule.action = PF_NAT;
pfrule.action = PF_NAT;
break;
case PF_RULESET_RDR:
/*
* rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
*/
pfr.rule.action = PF_RDR;
pfrule.action = PF_RDR;
break;
default:
errno = EINVAL;

10
lib/libpfctl/libpfctl.c
View File

@ -256,7 +256,7 @@ pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
static void
pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
const struct pf_rule *r)
const struct pfctl_rule *r)
{
nvlist_t *nvl = nvlist_create(0);
@ -267,14 +267,14 @@ pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
}
static void
pf_nvdivert_to_divert(const nvlist_t *nvl, struct pf_rule *rule)
pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule)
{
pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr);
rule->divert.port = nvlist_get_number(nvl, "port");
}
static void
pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule)
pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule)
{
const uint64_t *skip;
size_t skipcount;
@ -373,7 +373,7 @@ pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule)
}
int
pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket)
{
struct pfioc_nv nv;
@ -482,7 +482,7 @@ pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
int
pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
u_int32_t ruleset, struct pf_rule *rule, char *anchor_call)
u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
{
struct pfioc_nv nv;
nvlist_t *nvl;

143
lib/libpfctl/libpfctl.h
View File

@ -36,10 +36,147 @@
#include <netpfil/pf/pf.h>
struct pfctl_anchor;
struct pfctl_rule {
struct pf_rule_addr src;
struct pf_rule_addr dst;
union pf_rule_ptr skip[PF_SKIP_COUNT];
char label[PF_RULE_LABEL_SIZE];
char ifname[IFNAMSIZ];
char qname[PF_QNAME_SIZE];
char pqname[PF_QNAME_SIZE];
char tagname[PF_TAG_NAME_SIZE];
char match_tagname[PF_TAG_NAME_SIZE];
char overload_tblname[PF_TABLE_NAME_SIZE];
TAILQ_ENTRY(pfctl_rule) entries;
struct pf_pool rpool;
u_int64_t evaluations;
u_int64_t packets[2];
u_int64_t bytes[2];
struct pfi_kif *kif;
struct pfctl_anchor *anchor;
struct pfr_ktable *overload_tbl;
pf_osfp_t os_fingerprint;
int rtableid;
u_int32_t timeout[PFTM_MAX];
u_int32_t max_states;
u_int32_t max_src_nodes;
u_int32_t max_src_states;
u_int32_t max_src_conn;
struct {
u_int32_t limit;
u_int32_t seconds;
} max_src_conn_rate;
u_int32_t qid;
u_int32_t pqid;
u_int32_t nr;
u_int32_t prob;
uid_t cuid;
pid_t cpid;
counter_u64_t states_cur;
counter_u64_t states_tot;
counter_u64_t src_nodes;
u_int16_t return_icmp;
u_int16_t return_icmp6;
u_int16_t max_mss;
u_int16_t tag;
u_int16_t match_tag;
u_int16_t scrub_flags;
struct pf_rule_uid uid;
struct pf_rule_gid gid;
u_int32_t rule_flag;
u_int8_t action;
u_int8_t direction;
u_int8_t log;
u_int8_t logif;
u_int8_t quick;
u_int8_t ifnot;
u_int8_t match_tag_not;
u_int8_t natpass;
u_int8_t keep_state;
sa_family_t af;
u_int8_t proto;
u_int8_t type;
u_int8_t code;
u_int8_t flags;
u_int8_t flagset;
u_int8_t min_ttl;
u_int8_t allow_opts;
u_int8_t rt;
u_int8_t return_ttl;
u_int8_t tos;
u_int8_t set_tos;
u_int8_t anchor_relative;
u_int8_t anchor_wildcard;
u_int8_t flush;
u_int8_t prio;
u_int8_t set_prio[2];
struct {
struct pf_addr addr;
u_int16_t port;
} divert;
uint64_t u_states_cur;
uint64_t u_states_tot;
uint64_t u_src_nodes;
};
TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
struct pfctl_ruleset {
struct {
struct pfctl_rulequeue queues[2];
struct {
struct pfctl_rulequeue *ptr;
struct pfctl_rule **ptr_array;
u_int32_t rcount;
u_int32_t ticket;
int open;
} active, inactive;
} rules[PF_RULESET_MAX];
struct pfctl_anchor *anchor;
u_int32_t tticket;
int tables;
int topen;
};
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
struct pfctl_anchor {
RB_ENTRY(pfctl_anchor) entry_global;
RB_ENTRY(pfctl_anchor) entry_node;
struct pfctl_anchor *parent;
struct pfctl_anchor_node children;
char name[PF_ANCHOR_NAME_SIZE];
char path[MAXPATHLEN];
struct pfctl_ruleset ruleset;
int refcnt; /* anchor rules */
int match; /* XXX: used for pfctl black magic */
};
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
pf_anchor_compare);
int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
const char *anchor, u_int32_t ruleset, struct pf_rule *rule,
const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
char *anchor_call);
int pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket);
int pfctl_add_rule(int dev, const struct pfctl_rule *r,
const char *anchor, const char *anchor_call, u_int32_t ticket,
u_int32_t pool_ticket);
#endif

52
sbin/pfctl/parse.y
View File

@ -317,10 +317,10 @@ static struct node_state_opt *keep_state_defaults = NULL;
int disallow_table(struct node_host *, const char *);
int disallow_urpf_failed(struct node_host *, const char *);
int disallow_alias(struct node_host *, const char *);
int rule_consistent(struct pf_rule *, int);
int filter_consistent(struct pf_rule *, int);
int nat_consistent(struct pf_rule *);
int rdr_consistent(struct pf_rule *);
int rule_consistent(struct pfctl_rule *, int);
int filter_consistent(struct pfctl_rule *, int);
int nat_consistent(struct pfctl_rule *);
int rdr_consistent(struct pfctl_rule *);
int process_tabledef(char *, struct table_opts *);
void expand_label_str(char *, size_t, const char *, const char *);
void expand_label_if(const char *, char *, size_t, const char *);
@ -333,7 +333,7 @@ void expand_label_nr(const char *, char *, size_t);
void expand_label(char *, size_t, const char *, u_int8_t,
struct node_host *, struct node_port *, struct node_host *,
struct node_port *, u_int8_t);
void expand_rule(struct pf_rule *, struct node_if *,
void expand_rule(struct pfctl_rule *, struct node_if *,
struct node_host *, struct node_proto *, struct node_os *,
struct node_host *, struct node_port *, struct node_host *,
struct node_port *, struct node_uid *, struct node_gid *,
@ -348,10 +348,10 @@ int expand_skip_interface(struct node_if *);
int check_rulestate(int);
int getservice(char *);
int rule_label(struct pf_rule *, char *);
int rule_label(struct pfctl_rule *, char *);
int rt_tableid_max(void);
void mv_rules(struct pf_ruleset *, struct pf_ruleset *);
void mv_rules(struct pfctl_ruleset *, struct pfctl_ruleset *);
void decide_address_family(struct node_host *, sa_family_t *);
void remove_invalid_hosts(struct node_host **, sa_family_t *);
int invalid_redirect(struct node_host *, sa_family_t);
@ -788,7 +788,7 @@ pfa_anchorlist : /* empty */
pfa_anchor : '{'
{
char ta[PF_ANCHOR_NAME_SIZE];
struct pf_ruleset *rs;
struct pfctl_ruleset *rs;
/* steping into a brace anchor */
pf->asd++;
@ -814,7 +814,7 @@ pfa_anchor : '{'
anchorrule : ANCHOR anchorname dir quick interface af proto fromto
filter_opts pfa_anchor
{
struct pf_rule r;
struct pfctl_rule r;
struct node_proto *proto;
if (check_rulestate(PFCTL_STATE_FILTER)) {
@ -833,7 +833,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
memset(&r, 0, sizeof(r));
if (pf->astack[pf->asd + 1]) {
/* move inline rules into relative location */
pf_anchor_setup(&r,
pfctl_anchor_setup(&r,
&pf->astack[pf->asd]->ruleset,
$2 ? $2 : pf->alast->name);
@ -946,7 +946,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
pf->astack[pf->asd + 1] = NULL;
}
| NATANCHOR string interface af proto fromto rtable {
struct pf_rule r;
struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT)) {
free($2);
@ -967,7 +967,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
free($2);
}
| RDRANCHOR string interface af proto fromto rtable {
struct pf_rule r;
struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT)) {
free($2);
@ -1009,7 +1009,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
free($2);
}
| BINATANCHOR string interface af proto fromto rtable {
struct pf_rule r;
struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT)) {
free($2);
@ -1087,7 +1087,7 @@ scrubaction : no SCRUB {
scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
{
struct pf_rule r;
struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_SCRUB))
YYERROR;
@ -1247,7 +1247,7 @@ fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ }
;
antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
struct pf_rule r;
struct pfctl_rule r;
struct node_host *h = NULL, *hh;
struct node_if *i, *j;
@ -2022,7 +2022,7 @@ qassign_item : STRING {
pfrule : action dir logquick interface route af proto fromto
filter_opts
{
struct pf_rule r;
struct pfctl_rule r;
struct node_state_opt *o;
struct node_proto *proto;
int srctrack = 0;
@ -4071,7 +4071,7 @@ nataction : no NAT natpasslog {
natrule : nataction interface af proto fromto tag tagged rtable
redirpool pool_opts
{
struct pf_rule r;
struct pfctl_rule r;
if (check_rulestate(PFCTL_STATE_NAT))
YYERROR;
@ -4230,7 +4230,7 @@ natrule : nataction interface af proto fromto tag tagged rtable
binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag
tagged rtable redirection
{
struct pf_rule binat;
struct pfctl_rule binat;
struct pf_pooladdr *pa;
if (check_rulestate(PFCTL_STATE_NAT))
@ -4615,7 +4615,7 @@ disallow_alias(struct node_host *h, const char *fmt)
}
int
rule_consistent(struct pf_rule *r, int anchor_call)
rule_consistent(struct pfctl_rule *r, int anchor_call)
{
int problems = 0;
@ -4643,7 +4643,7 @@ rule_consistent(struct pf_rule *r, int anchor_call)
}
int
filter_consistent(struct pf_rule *r, int anchor_call)
filter_consistent(struct pfctl_rule *r, int anchor_call)
{
int problems = 0;
@ -4706,13 +4706,13 @@ filter_consistent(struct pf_rule *r, int anchor_call)
}
int
nat_consistent(struct pf_rule *r)
nat_consistent(struct pfctl_rule *r)
{
return (0); /* yeah! */
}
int
rdr_consistent(struct pf_rule *r)
rdr_consistent(struct pfctl_rule *r)
{
int problems = 0;
@ -5248,7 +5248,7 @@ expand_queue(struct pf_altq *a, struct node_if *interfaces,
}
void
expand_rule(struct pf_rule *r,
expand_rule(struct pfctl_rule *r,
struct node_if *interfaces, struct node_host *rpool_hosts,
struct node_proto *protos, struct node_os *src_oses,
struct node_host *src_hosts, struct node_port *src_ports,
@ -6080,10 +6080,10 @@ symget(const char *nam)
}
void
mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst)
mv_rules(struct pfctl_ruleset *src, struct pfctl_ruleset *dst)
{
int i;
struct pf_rule *r;
struct pfctl_rule *r;
for (i = 0; i < PF_RULESET_MAX; ++i) {
while ((r = TAILQ_FIRST(src->rules[i].active.ptr))
@ -6214,7 +6214,7 @@ getservice(char *n)
}
int
rule_label(struct pf_rule *r, char *s)
rule_label(struct pfctl_rule *r, char *s)
{
if (s) {
if (strlcpy(r->label, s, sizeof(r->label)) >=

63
sbin/pfctl/pf_ruleset.c
View File

@ -73,22 +73,23 @@ __FBSDID("$FreeBSD$");
#define DPFPRINTF(format, x...) ((void)0)
#endif /* PFDEBUG */
struct pf_anchor_global pf_anchors;
struct pf_anchor pf_main_anchor;
struct pfctl_anchor_global pf_anchors;
struct pfctl_anchor pf_main_anchor;
#undef V_pf_anchors
#define V_pf_anchors pf_anchors
#undef pf_main_ruleset
#define pf_main_ruleset pf_main_anchor.ruleset
static __inline int pf_anchor_compare(struct pf_anchor *,
struct pf_anchor *);
static struct pf_anchor *pf_find_anchor(const char *);
static __inline int pf_anchor_compare(struct pfctl_anchor *,
struct pfctl_anchor *);
static struct pfctl_anchor *pf_find_anchor(const char *);
RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
RB_GENERATE(pfctl_anchor_global, pfctl_anchor, entry_global,
pf_anchor_compare);
RB_GENERATE(pfctl_anchor_node, pfctl_anchor, entry_node, pf_anchor_compare);
static __inline int
pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b)
pf_anchor_compare(struct pfctl_anchor *a, struct pfctl_anchor *b)
{
int c = strcmp(a->path, b->path);
@ -126,11 +127,11 @@ pf_get_ruleset_number(u_int8_t action)
}
void
pf_init_ruleset(struct pf_ruleset *ruleset)
pf_init_ruleset(struct pfctl_ruleset *ruleset)
{
int i;
memset(ruleset, 0, sizeof(struct pf_ruleset));
memset(ruleset, 0, sizeof(struct pfctl_ruleset));
for (i = 0; i < PF_RULESET_MAX; i++) {
TAILQ_INIT(&ruleset->rules[i].queues[0]);
TAILQ_INIT(&ruleset->rules[i].queues[1]);
@ -139,24 +140,24 @@ pf_init_ruleset(struct pf_ruleset *ruleset)
}
}
static struct pf_anchor *
static struct pfctl_anchor *
pf_find_anchor(const char *path)
{
struct pf_anchor *key, *found;
struct pfctl_anchor *key, *found;
key = (struct pf_anchor *)rs_malloc(sizeof(*key));
key = (struct pfctl_anchor *)rs_malloc(sizeof(*key));
if (key == NULL)
return (NULL);
strlcpy(key->path, path, sizeof(key->path));
found = RB_FIND(pf_anchor_global, &V_pf_anchors, key);
found = RB_FIND(pfctl_anchor_global, &V_pf_anchors, key);
rs_free(key);
return (found);
}
struct pf_ruleset *
struct pfctl_ruleset *
pf_find_ruleset(const char *path)
{
struct pf_anchor *anchor;
struct pfctl_anchor *anchor;
while (*path == '/')
path++;
@ -169,12 +170,12 @@ pf_find_ruleset(const char *path)
return (&anchor->ruleset);
}
struct pf_ruleset *
struct pfctl_ruleset *
pf_find_or_create_ruleset(const char *path)
{
char *p, *q, *r;
struct pf_ruleset *ruleset;
struct pf_anchor *anchor = NULL, *dup, *parent = NULL;
struct pfctl_ruleset *ruleset;
struct pfctl_anchor *anchor = NULL, *dup, *parent = NULL;
if (path[0] == 0)
return (&pf_main_ruleset);
@ -212,7 +213,7 @@ pf_find_or_create_ruleset(const char *path)
rs_free(p);
return (NULL);
}
anchor = (struct pf_anchor *)rs_malloc(sizeof(*anchor));
anchor = (struct pfctl_anchor *)rs_malloc(sizeof(*anchor));
if (anchor == NULL) {
rs_free(p);
return (NULL);
@ -225,7 +226,7 @@ pf_find_or_create_ruleset(const char *path)
strlcat(anchor->path, "/", sizeof(anchor->path));
}
strlcat(anchor->path, anchor->name, sizeof(anchor->path));
if ((dup = RB_INSERT(pf_anchor_global, &V_pf_anchors, anchor)) !=
if ((dup = RB_INSERT(pfctl_anchor_global, &V_pf_anchors, anchor)) !=
NULL) {
printf("pf_find_or_create_ruleset: RB_INSERT1 "
"'%s' '%s' collides with '%s' '%s'\n",
@ -236,13 +237,13 @@ pf_find_or_create_ruleset(const char *path)
}
if (parent != NULL) {
anchor->parent = parent;
if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
if ((dup = RB_INSERT(pfctl_anchor_node, &parent->children,
anchor)) != NULL) {
printf("pf_find_or_create_ruleset: "
"RB_INSERT2 '%s' '%s' collides with "
"'%s' '%s'\n", anchor->path, anchor->name,
dup->path, dup->name);
RB_REMOVE(pf_anchor_global, &V_pf_anchors,
RB_REMOVE(pfctl_anchor_global, &V_pf_anchors,
anchor);
rs_free(anchor);
rs_free(p);
@ -262,9 +263,9 @@ pf_find_or_create_ruleset(const char *path)
}
void
pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
pf_remove_if_empty_ruleset(struct pfctl_ruleset *ruleset)
{
struct pf_anchor *parent;
struct pfctl_anchor *parent;
int i;
while (ruleset != NULL) {
@ -278,9 +279,9 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
!TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
ruleset->rules[i].inactive.open)
return;
RB_REMOVE(pf_anchor_global, &V_pf_anchors, ruleset->anchor);
RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, ruleset->anchor);
if ((parent = ruleset->anchor->parent) != NULL)
RB_REMOVE(pf_anchor_node, &parent->children,
RB_REMOVE(pfctl_anchor_node, &parent->children,
ruleset->anchor);
rs_free(ruleset->anchor);
if (parent == NULL)
@ -289,11 +290,11 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
}
}
int
pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
pfctl_anchor_setup(struct pfctl_rule *r, const struct pfctl_ruleset *s,
const char *name)
{
char *p, *path;
struct pf_ruleset *ruleset;
struct pfctl_ruleset *ruleset;
r->anchor = NULL;
r->anchor_relative = 0;
@ -314,7 +315,7 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
strlcpy(path, s->anchor->path, MAXPATHLEN);
while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
if (!path[0]) {
printf("pf_anchor_setup: .. beyond root\n");
printf("pfctl_anchor_setup: .. beyond root\n");
rs_free(path);
return (1);
}
@ -336,7 +337,7 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
ruleset = pf_find_or_create_ruleset(path);
rs_free(path);
if (ruleset == NULL || ruleset->anchor == NULL) {
printf("pf_anchor_setup: ruleset\n");
printf("pfctl_anchor_setup: ruleset\n");
return (1);
}
r->anchor = ruleset->anchor;

91
sbin/pfctl/pfctl.c
View File

@ -94,7 +94,7 @@ int pfctl_load_logif(struct pfctl *, char *);
int pfctl_load_hostid(struct pfctl *, u_int32_t);
int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int,
char *);
void pfctl_print_rule_counters(struct pf_rule *, int);
void pfctl_print_rule_counters(struct pfctl_rule *, int);
int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
int pfctl_show_nat(int, int, char *);
int pfctl_show_src_nodes(int, int);
@ -106,14 +106,14 @@ int pfctl_show_limits(int, int);
void pfctl_debug(int, u_int32_t, int);
int pfctl_test_altqsupport(int, int);
int pfctl_show_anchors(int, int, char *);
int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *);
int pfctl_ruleset_trans(struct pfctl *, char *, struct pfctl_anchor *);
int pfctl_load_ruleset(struct pfctl *, char *,
struct pf_ruleset *, int, int);
int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int);
struct pfctl_ruleset *, int, int);
int pfctl_load_rule(struct pfctl *, char *, struct pfctl_rule *, int);
const char *pfctl_lookup_option(char *, const char * const *);
static struct pf_anchor_global pf_anchors;
static struct pf_anchor pf_main_anchor;
static struct pfctl_anchor_global pf_anchors;
static struct pfctl_anchor pf_main_anchor;
static struct pfr_buffer skip_b;
static const char *clearopt;
@ -862,7 +862,7 @@ pfctl_clear_pool(struct pf_pool *pool)
}
void
pfctl_print_rule_counters(struct pf_rule *rule, int opts)
pfctl_print_rule_counters(struct pfctl_rule *rule, int opts)
{
if (opts & PF_OPT_DEBUG) {
const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
@ -914,6 +914,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
char *anchorname, int depth)
{
struct pfioc_rule pr;
struct pfctl_rule rule;
u_int32_t nr, mnr, header = 0;
int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
int numeric = opts & PF_OPT_NUMERIC;
@ -954,12 +955,12 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB,
&pr.rule, pr.anchor_call)) {
&rule, pr.anchor_call)) {
warn("DIOCGETRULENV");
goto error;
}
if (pfctl_get_pool(dev, &pr.rule.rpool,
if (pfctl_get_pool(dev, &rule.rpool,
nr, pr.ticket, PF_SCRUB, path) != 0)
goto error;
@ -967,16 +968,16 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
case PFCTL_SHOW_LABELS:
break;
case PFCTL_SHOW_RULES:
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
if (rule.label[0] && (opts & PF_OPT_SHOWALL))
labels = 1;
print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
print_rule(&rule, pr.anchor_call, rule_numbers, numeric);
printf("\n");
pfctl_print_rule_counters(&pr.rule, opts);
pfctl_print_rule_counters(&rule, opts);
break;
case PFCTL_SHOW_NOTHING:
break;
}
pfctl_clear_pool(&pr.rule.rpool);
pfctl_clear_pool(&rule.rpool);
}
pr.rule.action = PF_PASS;
if (ioctl(dev, DIOCGETRULES, &pr)) {
@ -987,36 +988,36 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS,
&pr.rule, pr.anchor_call)) {
&rule, pr.anchor_call)) {
warn("DIOCGETRULE");
goto error;
}
if (pfctl_get_pool(dev, &pr.rule.rpool,
if (pfctl_get_pool(dev, &rule.rpool,
nr, pr.ticket, PF_PASS, path) != 0)
goto error;
switch (format) {
case PFCTL_SHOW_LABELS:
if (pr.rule.label[0]) {
if (rule.label[0]) {
printf("%s %llu %llu %llu %llu"
" %llu %llu %llu %ju\n",
pr.rule.label,
(unsigned long long)pr.rule.evaluations,
(unsigned long long)(pr.rule.packets[0] +
pr.rule.packets[1]),
(unsigned long long)(pr.rule.bytes[0] +
pr.rule.bytes[1]),
(unsigned long long)pr.rule.packets[0],
(unsigned long long)pr.rule.bytes[0],
(unsigned long long)pr.rule.packets[1],
(unsigned long long)pr.rule.bytes[1],
(uintmax_t)pr.rule.u_states_tot);
rule.label,
(unsigned long long)rule.evaluations,
(unsigned long long)(rule.packets[0] +
rule.packets[1]),
(unsigned long long)(rule.bytes[0] +
rule.bytes[1]),
(unsigned long long)rule.packets[0],
(unsigned long long)rule.bytes[0],
(unsigned long long)rule.packets[1],
(unsigned long long)rule.bytes[1],
(uintmax_t)rule.u_states_tot);
}
break;
case PFCTL_SHOW_RULES:
brace = 0;
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
if (rule.label[0] && (opts & PF_OPT_SHOWALL))
labels = 1;
INDENT(depth, !(opts & PF_OPT_VERBOSE));
if (pr.anchor_call[0] &&
@ -1032,12 +1033,12 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
} else
p = &pr.anchor_call[0];
print_rule(&pr.rule, p, rule_numbers, numeric);
print_rule(&rule, p, rule_numbers, numeric);
if (brace)
printf(" {\n");
else
printf("\n");
pfctl_print_rule_counters(&pr.rule, opts);
pfctl_print_rule_counters(&rule, opts);
if (brace) {
pfctl_show_rules(dev, path, opts, format,
p, depth + 1);
@ -1048,7 +1049,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
case PFCTL_SHOW_NOTHING:
break;
}
pfctl_clear_pool(&pr.rule.rpool);
pfctl_clear_pool(&rule.rpool);
}
path[len] = '\0';
return (0);
@ -1062,6 +1063,7 @@ int
pfctl_show_nat(int dev, int opts, char *anchorname)
{
struct pfioc_rule pr;
struct pfctl_rule rule;
u_int32_t mnr, nr;
static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
int i, dotitle = opts & PF_OPT_SHOWALL;
@ -1078,22 +1080,22 @@ pfctl_show_nat(int dev, int opts, char *anchorname)
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
if (pfctl_get_rule(dev, nr, pr.ticket, anchorname,
nattype[i], &pr.rule, pr.anchor_call)) {
nattype[i], &rule, pr.anchor_call)) {
warn("DIOCGETRULE");
return (-1);
}
if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
if (pfctl_get_pool(dev, &rule.rpool, nr,
pr.ticket, nattype[i], anchorname) != 0)
return (-1);
if (dotitle) {
pfctl_print_title("TRANSLATION RULES:");
dotitle = 0;
}
print_rule(&pr.rule, pr.anchor_call,
print_rule(&rule, pr.anchor_call,
opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
printf("\n");
pfctl_print_rule_counters(&pr.rule, opts);
pfctl_clear_pool(&pr.rule.rpool);
pfctl_print_rule_counters(&rule, opts);
pfctl_clear_pool(&rule.rpool);
}
}
return (0);
@ -1291,11 +1293,12 @@ pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af)
}
int
pfctl_append_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
pfctl_append_rule(struct pfctl *pf, struct pfctl_rule *r,
const char *anchor_call)
{
u_int8_t rs_num;
struct pf_rule *rule;
struct pf_ruleset *rs;
struct pfctl_rule *rule;
struct pfctl_ruleset *rs;
char *p;
rs_num = pf_get_ruleset_number(r->action);
@ -1338,7 +1341,7 @@ pfctl_append_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
}
int
pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a)
{
int osize = pf->trans->pfrb_size;
@ -1368,10 +1371,10 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
}
int
pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs,
int rs_num, int depth)
{
struct pf_rule *r;
struct pfctl_rule *r;
int error, len = strlen(path);
int brace = 0;
@ -1428,7 +1431,7 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
}
int
pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
{
u_int8_t rs_num = pf_get_ruleset_number(r->action);
char *name;
@ -1507,7 +1510,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
struct pfr_buffer *t, buf;
struct pfioc_altq pa;
struct pfctl pf;
struct pf_ruleset *rs;
struct pfctl_ruleset *rs;
struct pfr_table trs;
char *path;
int osize;

14
sbin/pfctl/pfctl.h
View File

@ -36,6 +36,8 @@
#ifndef _PFCTL_H_
#define _PFCTL_H_
#include <libpfctl.h>
enum pfctl_show { PFCTL_SHOW_RULES, PFCTL_SHOW_LABELS, PFCTL_SHOW_NOTHING };
enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS,
@ -129,11 +131,11 @@ u_int32_t
int pfctl_trans(int, struct pfr_buffer *, u_long, int);
int pf_get_ruleset_number(u_int8_t);
void pf_init_ruleset(struct pf_ruleset *);
int pf_anchor_setup(struct pf_rule *,
const struct pf_ruleset *, const char *);
void pf_remove_if_empty_ruleset(struct pf_ruleset *);
struct pf_ruleset *pf_find_ruleset(const char *);
struct pf_ruleset *pf_find_or_create_ruleset(const char *);
void pf_init_ruleset(struct pfctl_ruleset *);
int pfctl_anchor_setup(struct pfctl_rule *,
const struct pfctl_ruleset *, const char *);
void pf_remove_if_empty_ruleset(struct pfctl_ruleset *);
struct pfctl_ruleset *pf_find_ruleset(const char *);
struct pfctl_ruleset *pf_find_or_create_ruleset(const char *);
#endif /* _PFCTL_H_ */

82
sbin/pfctl/pfctl_optimize.c
View File

@ -100,8 +100,8 @@ static struct pf_rule_field {
#define PF_RULE_FIELD(field, ty) \
{#field, \
ty, \
offsetof(struct pf_rule, field), \
sizeof(((struct pf_rule *)0)->field)}
offsetof(struct pfctl_rule, field), \
sizeof(((struct pfctl_rule *)0)->field)}
/*
@ -214,10 +214,10 @@ int addrs_combineable(struct pf_rule_addr *, struct pf_rule_addr *);
int addrs_equal(struct pf_rule_addr *, struct pf_rule_addr *);
int block_feedback(struct pfctl *, struct superblock *);
int combine_rules(struct pfctl *, struct superblock *);
void comparable_rule(struct pf_rule *, const struct pf_rule *, int);
void comparable_rule(struct pfctl_rule *, const struct pfctl_rule *, int);
int construct_superblocks(struct pfctl *, struct pf_opt_queue *,
struct superblocks *);
void exclude_supersets(struct pf_rule *, struct pf_rule *);
void exclude_supersets(struct pfctl_rule *, struct pfctl_rule *);
int interface_group(const char *);
int load_feedback_profile(struct pfctl *, struct superblocks *);
int optimize_superblock(struct pfctl *, struct superblock *);
@ -226,25 +226,25 @@ void remove_from_skipsteps(struct skiplist *, struct superblock *,
struct pf_opt_rule *, struct pf_skip_step *);
int remove_identical_rules(struct pfctl *, struct superblock *);
int reorder_rules(struct pfctl *, struct superblock *, int);
int rules_combineable(struct pf_rule *, struct pf_rule *);
int rules_combineable(struct pfctl_rule *, struct pfctl_rule *);
void skip_append(struct superblock *, int, struct pf_skip_step *,
struct pf_opt_rule *);
int skip_compare(int, struct pf_skip_step *, struct pf_opt_rule *);
void skip_init(void);
int skip_cmp_af(struct pf_rule *, struct pf_rule *);
int skip_cmp_dir(struct pf_rule *, struct pf_rule *);
int skip_cmp_dst_addr(struct pf_rule *, struct pf_rule *);
int skip_cmp_dst_port(struct pf_rule *, struct pf_rule *);
int skip_cmp_ifp(struct pf_rule *, struct pf_rule *);
int skip_cmp_proto(struct pf_rule *, struct pf_rule *);
int skip_cmp_src_addr(struct pf_rule *, struct pf_rule *);
int skip_cmp_src_port(struct pf_rule *, struct pf_rule *);
int skip_cmp_af(struct pfctl_rule *, struct pfctl_rule *);
int skip_cmp_dir(struct pfctl_rule *, struct pfctl_rule *);
int skip_cmp_dst_addr(struct pfctl_rule *, struct pfctl_rule *);
int skip_cmp_dst_port(struct pfctl_rule *, struct pfctl_rule *);
int skip_cmp_ifp(struct pfctl_rule *, struct pfctl_rule *);
int skip_cmp_proto(struct pfctl_rule *, struct pfctl_rule *);
int skip_cmp_src_addr(struct pfctl_rule *, struct pfctl_rule *);
int skip_cmp_src_port(struct pfctl_rule *, struct pfctl_rule *);
int superblock_inclusive(struct superblock *, struct pf_opt_rule *);
void superblock_free(struct pfctl *, struct superblock *);
static int (*skip_comparitors[PF_SKIP_COUNT])(struct pf_rule *,
struct pf_rule *);
static int (*skip_comparitors[PF_SKIP_COUNT])(struct pfctl_rule *,
struct pfctl_rule *);
static const char *skip_comparitors_names[PF_SKIP_COUNT];
#define PF_SKIP_COMPARITORS { \
{ "ifp", PF_SKIP_IFP, skip_cmp_ifp }, \
@ -262,14 +262,14 @@ static int table_identifier;
int
pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs)
pfctl_optimize_ruleset(struct pfctl *pf, struct pfctl_ruleset *rs)
{
struct superblocks superblocks;
struct pf_opt_queue opt_queue;
struct superblock *block;
struct pf_opt_rule *por;
struct pf_rule *r;
struct pf_rulequeue *old_rules;
struct pfctl_rule *r;
struct pfctl_rulequeue *old_rules;
DEBUG("optimizing ruleset");
memset(&table_buffer, 0, sizeof(table_buffer));
@ -450,7 +450,7 @@ int
remove_identical_rules(struct pfctl *pf, struct superblock *block)
{
struct pf_opt_rule *por1, *por2, *por_next, *por2_next;
struct pf_rule a, a2, b, b2;
struct pfctl_rule a, a2, b, b2;
for (por1 = TAILQ_FIRST(&block->sb_rules); por1; por1 = por_next) {
por_next = TAILQ_NEXT(por1, por_entry);
@ -818,7 +818,7 @@ block_feedback(struct pfctl *pf, struct superblock *block)
TAILQ_HEAD( , pf_opt_rule) queue;
struct pf_opt_rule *por1, *por2;
u_int64_t total_count = 0;
struct pf_rule a, b;
struct pfctl_rule a, b;
/*
@ -888,7 +888,7 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks)
struct pf_opt_rule *por;
struct pf_opt_queue queue;
struct pfioc_rule pr;
struct pf_rule a, b;
struct pfctl_rule a, b, rule;
int nr, mnr;
TAILQ_INIT(&queue);
@ -904,7 +904,7 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks)
DEBUG("Loading %d active rules for a feedback profile", mnr);
for (nr = 0; nr < mnr; ++nr) {
struct pf_ruleset *rs;
struct pfctl_ruleset *rs;
if ((por = calloc(1, sizeof(*por))) == NULL) {
warn("calloc");
return (1);
@ -912,11 +912,11 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks)
pr.nr = nr;
if (pfctl_get_rule(pf->dev, nr, pr.ticket, "", PF_PASS,
&pr.rule, pr.anchor_call)) {
&rule, pr.anchor_call)) {
warn("DIOCGETRULENV");
return (1);
}
memcpy(&por->por_rule, &pr.rule, sizeof(por->por_rule));
memcpy(&por->por_rule, &rule, sizeof(por->por_rule));
rs = pf_find_or_create_ruleset(pr.anchor_call);
por->por_rule.anchor = rs->anchor;
if (TAILQ_EMPTY(&por->por_rule.rpool.list))
@ -924,9 +924,9 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks)
sizeof(por->por_rule.rpool));
TAILQ_INSERT_TAIL(&queue, por, por_entry);
/* XXX pfctl_get_pool(pf->dev, &pr.rule.rpool, nr, pr.ticket,
/* XXX pfctl_get_pool(pf->dev, &rule.rpool, nr, pr.ticket,
* PF_PASS, pf->anchor) ???
* ... pfctl_clear_pool(&pr.rule.rpool)
* ... pfctl_clear_pool(&rule.rpool)
*/
}
@ -977,7 +977,7 @@ int
skip_compare(int skipnum, struct pf_skip_step *skiplist,
struct pf_opt_rule *por)
{
struct pf_rule *a, *b;
struct pfctl_rule *a, *b;
if (skipnum >= PF_SKIP_COUNT || skipnum < 0)
errx(1, "skip_compare() out of bounds");
a = &por->por_rule;
@ -1053,7 +1053,7 @@ remove_from_skipsteps(struct skiplist *head, struct superblock *block,
/* Compare two rules AF field for skiplist construction */
int
skip_cmp_af(struct pf_rule *a, struct pf_rule *b)
skip_cmp_af(struct pfctl_rule *a, struct pfctl_rule *b)
{
if (a->af != b->af || a->af == 0)
return (1);
@ -1062,7 +1062,7 @@ skip_cmp_af(struct pf_rule *a, struct pf_rule *b)
/* Compare two rules DIRECTION field for skiplist construction */
int
skip_cmp_dir(struct pf_rule *a, struct pf_rule *b)
skip_cmp_dir(struct pfctl_rule *a, struct pfctl_rule *b)
{
if (a->direction == 0 || a->direction != b->direction)
return (1);
@ -1071,7 +1071,7 @@ skip_cmp_dir(struct pf_rule *a, struct pf_rule *b)
/* Compare two rules DST Address field for skiplist construction */
int
skip_cmp_dst_addr(struct pf_rule *a, struct pf_rule *b)
skip_cmp_dst_addr(struct pfctl_rule *a, struct pfctl_rule *b)
{
if (a->dst.neg != b->dst.neg ||
a->dst.addr.type != b->dst.addr.type)
@ -1111,7 +1111,7 @@ skip_cmp_dst_addr(struct pf_rule *a, struct pf_rule *b)
/* Compare two rules DST port field for skiplist construction */
int
skip_cmp_dst_port(struct pf_rule *a, struct pf_rule *b)
skip_cmp_dst_port(struct pfctl_rule *a, struct pfctl_rule *b)
{
/* XXX if (a->proto != b->proto && a->proto != 0 && b->proto != 0
* && (a->proto == IPPROTO_TCP || a->proto == IPPROTO_UDP ||
@ -1127,7 +1127,7 @@ skip_cmp_dst_port(struct pf_rule *a, struct pf_rule *b)
/* Compare two rules IFP field for skiplist construction */
int
skip_cmp_ifp(struct pf_rule *a, struct pf_rule *b)
skip_cmp_ifp(struct pfctl_rule *a, struct pfctl_rule *b)
{
if (strcmp(a->ifname, b->ifname) || a->ifname[0] == '\0')
return (1);
@ -1136,14 +1136,14 @@ skip_cmp_ifp(struct pf_rule *a, struct pf_rule *b)
/* Compare two rules PROTO field for skiplist construction */
int
skip_cmp_proto(struct pf_rule *a, struct pf_rule *b)
skip_cmp_proto(struct pfctl_rule *a, struct pfctl_rule *b)
{
return (a->proto != b->proto || a->proto == 0);
}
/* Compare two rules SRC addr field for skiplist construction */
int
skip_cmp_src_addr(struct pf_rule *a, struct pf_rule *b)
skip_cmp_src_addr(struct pfctl_rule *a, struct pfctl_rule *b)
{
if (a->src.neg != b->src.neg ||
a->src.addr.type != b->src.addr.type)
@ -1183,7 +1183,7 @@ skip_cmp_src_addr(struct pf_rule *a, struct pf_rule *b)
/* Compare two rules SRC port field for skiplist construction */
int
skip_cmp_src_port(struct pf_rule *a, struct pf_rule *b)
skip_cmp_src_port(struct pfctl_rule *a, struct pfctl_rule *b)
{
if (a->src.port_op == PF_OP_NONE || a->src.port_op != b->src.port_op ||
a->src.port[0] != b->src.port[0] ||
@ -1204,7 +1204,7 @@ skip_init(void)
struct {
char *name;
int skipnum;
int (*func)(struct pf_rule *, struct pf_rule *);
int (*func)(struct pfctl_rule *, struct pfctl_rule *);
} comps[] = PF_SKIP_COMPARITORS;
int skipnum, i;
@ -1397,9 +1397,9 @@ addrs_combineable(struct pf_rule_addr *a, struct pf_rule_addr *b)
* Are we allowed to combine these two rules
*/
int
rules_combineable(struct pf_rule *p1, struct pf_rule *p2)
rules_combineable(struct pfctl_rule *p1, struct pfctl_rule *p2)
{
struct pf_rule a, b;
struct pfctl_rule a, b;
comparable_rule(&a, p1, COMBINED);
comparable_rule(&b, p2, COMBINED);
@ -1413,7 +1413,7 @@ rules_combineable(struct pf_rule *p1, struct pf_rule *p2)
int
superblock_inclusive(struct superblock *block, struct pf_opt_rule *por)
{
struct pf_rule a, b;
struct pfctl_rule a, b;
int i, j;
/* First check for hard breaks */
@ -1528,7 +1528,7 @@ interface_group(const char *ifname)
* Make a rule that can directly compared by memcmp()
*/
void
comparable_rule(struct pf_rule *dst, const struct pf_rule *src, int type)
comparable_rule(struct pfctl_rule *dst, const struct pfctl_rule *src, int type)
{
int i;
/*
@ -1553,7 +1553,7 @@ comparable_rule(struct pf_rule *dst, const struct pf_rule *src, int type)
* with memcmp()
*/
void
exclude_supersets(struct pf_rule *super, struct pf_rule *sub)
exclude_supersets(struct pfctl_rule *super, struct pfctl_rule *sub)
{
if (super->ifname[0] == '\0')
memset(sub->ifname, 0, sizeof(sub->ifname));

2
sbin/pfctl/pfctl_parser.c
View File

@ -694,7 +694,7 @@ print_src_node(struct pf_src_node *sn, int opts)
}
void
print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numeric)
{
static const char *actiontypes[] = { "pass", "block", "scrub",
"no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };

14
sbin/pfctl/pfctl_parser.h
View File

@ -36,6 +36,8 @@
#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_
#include <libpfctl.h>
#define PF_OSFP_FILE "/etc/pf.os"
#define PF_OPT_DISABLE 0x0001
@ -82,12 +84,12 @@ struct pfctl {
int brace;
int tdirty; /* kernel dirty */
#define PFCTL_ANCHOR_STACK_DEPTH 64
struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
struct pfctl_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
struct pfioc_pooladdr paddr;
struct pfioc_altq *paltq;
struct pfioc_queue *pqueue;
struct pfr_buffer *trans;
struct pf_anchor *anchor, *alast;
struct pfctl_anchor *anchor, *alast;
const char *ruleset;
/* 'set foo' options */
@ -239,7 +241,7 @@ struct pf_opt_tbl {
/* optimizer pf_rule container */
struct pf_opt_rule {
struct pf_rule por_rule;
struct pfctl_rule por_rule;
struct pf_opt_tbl *por_src_tbl;
struct pf_opt_tbl *por_dst_tbl;
u_int64_t por_profile_count;
@ -250,9 +252,9 @@ struct pf_opt_rule {
TAILQ_HEAD(pf_opt_queue, pf_opt_rule);
int pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
int pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
int pfctl_optimize_ruleset(struct pfctl *, struct pfctl_ruleset *);
int pfctl_append_rule(struct pfctl *, struct pf_rule *, const char *);
int pfctl_append_rule(struct pfctl *, struct pfctl_rule *, const char *);
int pfctl_add_altq(struct pfctl *, struct pf_altq *);
int pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
void pfctl_move_pool(struct pf_pool *, struct pf_pool *);
@ -272,7 +274,7 @@ int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_src_node(struct pf_src_node *, int);
void print_rule(struct pf_rule *, const char *, int, int);
void print_rule(struct pfctl_rule *, const char *, int, int);
void print_tabledef(const char *, int, int, struct node_tinithead *);
void print_status(struct pf_status *, int);
void print_running(struct pf_status *);

17
usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
View File

@ -1515,6 +1515,7 @@ static int
pfl_scan_ruleset(const char *path)
{
struct pfioc_rule pr;
struct pfctl_rule rule;
struct pfl_entry *e;
u_int32_t nr, i;
@ -1529,14 +1530,14 @@ pfl_scan_ruleset(const char *path)
for (nr = pr.nr, i = 0; i < nr; i++) {
pr.nr = i;
if (pfctl_add_rule(dev, &pr.rule, pr.anchor, pr.anchor_call,
if (pfctl_add_rule(dev, &rule, pr.anchor, pr.anchor_call,
pr.ticket, pr.pool_ticket)) {
syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULE):"
" %s", strerror(errno));
goto err;
}
if (pr.rule.label[0]) {
if (rule.label[0]) {
e = (struct pfl_entry *)malloc(sizeof(*e));
if (e == NULL)
goto err;
@ -1544,13 +1545,13 @@ pfl_scan_ruleset(const char *path)
strlcpy(e->name, path, sizeof(e->name));
if (path[0])
strlcat(e->name, "/", sizeof(e->name));
strlcat(e->name, pr.rule.label, sizeof(e->name));
strlcat(e->name, rule.label, sizeof(e->name));
e->evals = pr.rule.evaluations;
e->bytes[IN] = pr.rule.bytes[IN];
e->bytes[OUT] = pr.rule.bytes[OUT];
e->pkts[IN] = pr.rule.packets[IN];
e->pkts[OUT] = pr.rule.packets[OUT];
e->evals = rule.evaluations;
e->bytes[IN] = rule.bytes[IN];
e->bytes[OUT] = rule.bytes[OUT];
e->pkts[IN] = rule.packets[IN];
e->pkts[OUT] = rule.packets[OUT];
e->index = ++pfl_table_count;
TAILQ_INSERT_TAIL(&pfl_table, e, link);