2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
34 #include <sys/cdefs.h>
36 #include <sys/ioctl.h>
38 #include <sys/queue.h>
39 #include <sys/types.h>
42 #include <net/pfvar.h>
43 #include <netinet/in.h>
53 const char* PFCTL_SYNCOOKIES_MODE_NAMES[] = {
59 static int _pfctl_clear_states(int , const struct pfctl_kill *,
60 unsigned int *, uint64_t);
63 pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems,
64 uint8_t *numbers, size_t *nelems)
69 tmp = nvlist_get_number_array(nvl, name, &elems);
70 assert(elems <= maxelems);
72 for (size_t i = 0; i < elems; i++)
80 pf_nvuint_16_array(const nvlist_t *nvl, const char *name, size_t maxelems,
81 uint16_t *numbers, size_t *nelems)
86 tmp = nvlist_get_number_array(nvl, name, &elems);
87 assert(elems <= maxelems);
89 for (size_t i = 0; i < elems; i++)
97 pf_nvuint_32_array(const nvlist_t *nvl, const char *name, size_t maxelems,
98 uint32_t *numbers, size_t *nelems)
103 tmp = nvlist_get_number_array(nvl, name, &elems);
104 assert(elems <= maxelems);
106 for (size_t i = 0; i < elems; i++)
114 pf_nvuint_64_array(const nvlist_t *nvl, const char *name, size_t maxelems,
115 uint64_t *numbers, size_t *nelems)
120 tmp = nvlist_get_number_array(nvl, name, &elems);
121 assert(elems <= maxelems);
123 for (size_t i = 0; i < elems; i++)
131 _pfctl_get_status_counters(const nvlist_t *nvl,
132 struct pfctl_status_counters *counters)
134 const uint64_t *ids, *counts;
135 const char *const *names;
136 size_t id_len, counter_len, names_len;
138 ids = nvlist_get_number_array(nvl, "ids", &id_len);
139 counts = nvlist_get_number_array(nvl, "counters", &counter_len);
140 names = nvlist_get_string_array(nvl, "names", &names_len);
141 assert(id_len == counter_len);
142 assert(counter_len == names_len);
144 TAILQ_INIT(counters);
146 for (size_t i = 0; i < id_len; i++) {
147 struct pfctl_status_counter *c;
149 c = malloc(sizeof(*c));
152 c->counter = counts[i];
153 c->name = strdup(names[i]);
155 TAILQ_INSERT_TAIL(counters, c, entry);
159 struct pfctl_status *
160 pfctl_get_status(int dev)
163 struct pfctl_status *status;
168 status = calloc(1, sizeof(*status));
172 nv.data = malloc(4096);
173 nv.len = nv.size = 4096;
175 if (ioctl(dev, DIOCGETSTATUSNV, &nv)) {
181 nvl = nvlist_unpack(nv.data, nv.len, 0);
188 status->running = nvlist_get_bool(nvl, "running");
189 status->since = nvlist_get_number(nvl, "since");
190 status->debug = nvlist_get_number(nvl, "debug");
191 status->hostid = nvlist_get_number(nvl, "hostid");
192 status->states = nvlist_get_number(nvl, "states");
193 status->src_nodes = nvlist_get_number(nvl, "src_nodes");
195 strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"),
197 chksum = nvlist_get_binary(nvl, "chksum", &len);
198 assert(len == PF_MD5_DIGEST_LENGTH);
199 memcpy(status->pf_chksum, chksum, len);
201 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "counters"),
203 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "lcounters"),
205 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "fcounters"),
207 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "scounters"),
210 pf_nvuint_64_array(nvl, "pcounters", 2 * 2 * 3,
211 (uint64_t *)status->pcounters, NULL);
212 pf_nvuint_64_array(nvl, "bcounters", 2 * 2,
213 (uint64_t *)status->bcounters, NULL);
221 pfctl_free_status(struct pfctl_status *status)
223 struct pfctl_status_counter *c, *tmp;
225 TAILQ_FOREACH_SAFE(c, &status->counters, entry, tmp) {
229 TAILQ_FOREACH_SAFE(c, &status->lcounters, entry, tmp) {
233 TAILQ_FOREACH_SAFE(c, &status->fcounters, entry, tmp) {
237 TAILQ_FOREACH_SAFE(c, &status->scounters, entry, tmp) {
246 pfctl_nv_add_addr(nvlist_t *nvparent, const char *name,
247 const struct pf_addr *addr)
249 nvlist_t *nvl = nvlist_create(0);
251 nvlist_add_binary(nvl, "addr", addr, sizeof(*addr));
253 nvlist_add_nvlist(nvparent, name, nvl);
258 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr)
263 data = nvlist_get_binary(nvl, "addr", &len);
264 assert(len == sizeof(struct pf_addr));
265 memcpy(addr, data, len);
269 pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name,
270 const struct pf_addr_wrap *addr)
272 nvlist_t *nvl = nvlist_create(0);
274 nvlist_add_number(nvl, "type", addr->type);
275 nvlist_add_number(nvl, "iflags", addr->iflags);
276 if (addr->type == PF_ADDR_DYNIFTL)
277 nvlist_add_string(nvl, "ifname", addr->v.ifname);
278 if (addr->type == PF_ADDR_TABLE)
279 nvlist_add_string(nvl, "tblname", addr->v.tblname);
280 pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);
281 pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask);
283 nvlist_add_nvlist(nvparent, name, nvl);
288 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
290 bzero(addr, sizeof(*addr));
292 addr->type = nvlist_get_number(nvl, "type");
293 addr->iflags = nvlist_get_number(nvl, "iflags");
294 if (addr->type == PF_ADDR_DYNIFTL) {
295 strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"),
297 addr->p.dyncnt = nvlist_get_number(nvl, "dyncnt");
299 if (addr->type == PF_ADDR_TABLE) {
300 strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"),
302 addr->p.tblcnt = nvlist_get_number(nvl, "tblcnt");
305 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr);
306 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask);
310 pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name,
311 const struct pf_rule_addr *addr)
314 nvlist_t *nvl = nvlist_create(0);
316 pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr);
317 ports[0] = addr->port[0];
318 ports[1] = addr->port[1];
319 nvlist_add_number_array(nvl, "port", ports, 2);
320 nvlist_add_number(nvl, "neg", addr->neg);
321 nvlist_add_number(nvl, "port_op", addr->port_op);
323 nvlist_add_nvlist(nvparent, name, nvl);
328 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
330 pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"), &addr->addr);
332 pf_nvuint_16_array(nvl, "port", 2, addr->port, NULL);
333 addr->neg = nvlist_get_number(nvl, "neg");
334 addr->port_op = nvlist_get_number(nvl, "port_op");
338 pfctl_nv_add_mape(nvlist_t *nvparent, const char *name,
339 const struct pf_mape_portset *mape)
341 nvlist_t *nvl = nvlist_create(0);
343 nvlist_add_number(nvl, "offset", mape->offset);
344 nvlist_add_number(nvl, "psidlen", mape->psidlen);
345 nvlist_add_number(nvl, "psid", mape->psid);
346 nvlist_add_nvlist(nvparent, name, nvl);
351 pfctl_nv_add_pool(nvlist_t *nvparent, const char *name,
352 const struct pfctl_pool *pool)
355 nvlist_t *nvl = nvlist_create(0);
357 nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
358 pfctl_nv_add_addr(nvl, "counter", &pool->counter);
359 nvlist_add_number(nvl, "tblidx", pool->tblidx);
361 ports[0] = pool->proxy_port[0];
362 ports[1] = pool->proxy_port[1];
363 nvlist_add_number_array(nvl, "proxy_port", ports, 2);
364 nvlist_add_number(nvl, "opts", pool->opts);
365 pfctl_nv_add_mape(nvl, "mape", &pool->mape);
367 nvlist_add_nvlist(nvparent, name, nvl);
372 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape)
374 mape->offset = nvlist_get_number(nvl, "offset");
375 mape->psidlen = nvlist_get_number(nvl, "psidlen");
376 mape->psid = nvlist_get_number(nvl, "psid");
380 pf_nvpool_to_pool(const nvlist_t *nvl, struct pfctl_pool *pool)
385 data = nvlist_get_binary(nvl, "key", &len);
386 assert(len == sizeof(pool->key));
387 memcpy(&pool->key, data, len);
389 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"), &pool->counter);
391 pool->tblidx = nvlist_get_number(nvl, "tblidx");
392 pf_nvuint_16_array(nvl, "proxy_port", 2, pool->proxy_port, NULL);
393 pool->opts = nvlist_get_number(nvl, "opts");
395 if (nvlist_exists_nvlist(nvl, "mape"))
396 pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"), &pool->mape);
400 pfctl_nv_add_uid(nvlist_t *nvparent, const char *name,
401 const struct pf_rule_uid *uid)
404 nvlist_t *nvl = nvlist_create(0);
406 uids[0] = uid->uid[0];
407 uids[1] = uid->uid[1];
408 nvlist_add_number_array(nvl, "uid", uids, 2);
409 nvlist_add_number(nvl, "op", uid->op);
411 nvlist_add_nvlist(nvparent, name, nvl);
416 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
418 pf_nvuint_32_array(nvl, "uid", 2, uid->uid, NULL);
419 uid->op = nvlist_get_number(nvl, "op");
423 pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
424 const struct pfctl_rule *r)
426 nvlist_t *nvl = nvlist_create(0);
428 pfctl_nv_add_addr(nvl, "addr", &r->divert.addr);
429 nvlist_add_number(nvl, "port", r->divert.port);
431 nvlist_add_nvlist(nvparent, name, nvl);
436 pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule)
438 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr);
439 rule->divert.port = nvlist_get_number(nvl, "port");
443 pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule)
445 const uint64_t *skip;
446 const char *const *labels;
447 size_t skipcount, labelcount;
449 rule->nr = nvlist_get_number(nvl, "nr");
451 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"), &rule->src);
452 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &rule->dst);
454 skip = nvlist_get_number_array(nvl, "skip", &skipcount);
456 assert(skipcount == PF_SKIP_COUNT);
457 for (int i = 0; i < PF_SKIP_COUNT; i++)
458 rule->skip[i].nr = skip[i];
460 labels = nvlist_get_string_array(nvl, "labels", &labelcount);
461 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT);
462 for (size_t i = 0; i < labelcount; i++)
463 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE);
464 rule->ridentifier = nvlist_get_number(nvl, "ridentifier");
465 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
466 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE);
467 strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE);
468 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"),
470 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"),
473 strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"),
476 pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rpool);
478 rule->evaluations = nvlist_get_number(nvl, "evaluations");
479 pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL);
480 pf_nvuint_64_array(nvl, "bytes", 2, rule->bytes, NULL);
482 rule->os_fingerprint = nvlist_get_number(nvl, "os_fingerprint");
484 rule->rtableid = nvlist_get_number(nvl, "rtableid");
485 pf_nvuint_32_array(nvl, "timeout", PFTM_MAX, rule->timeout, NULL);
486 rule->max_states = nvlist_get_number(nvl, "max_states");
487 rule->max_src_nodes = nvlist_get_number(nvl, "max_src_nodes");
488 rule->max_src_states = nvlist_get_number(nvl, "max_src_states");
489 rule->max_src_conn = nvlist_get_number(nvl, "max_src_conn");
490 rule->max_src_conn_rate.limit =
491 nvlist_get_number(nvl, "max_src_conn_rate.limit");
492 rule->max_src_conn_rate.seconds =
493 nvlist_get_number(nvl, "max_src_conn_rate.seconds");
494 rule->qid = nvlist_get_number(nvl, "qid");
495 rule->pqid = nvlist_get_number(nvl, "pqid");
496 rule->prob = nvlist_get_number(nvl, "prob");
497 rule->cuid = nvlist_get_number(nvl, "cuid");
498 rule->cpid = nvlist_get_number(nvl, "cpid");
500 rule->return_icmp = nvlist_get_number(nvl, "return_icmp");
501 rule->return_icmp6 = nvlist_get_number(nvl, "return_icmp6");
502 rule->max_mss = nvlist_get_number(nvl, "max_mss");
503 rule->scrub_flags = nvlist_get_number(nvl, "scrub_flags");
505 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"), &rule->uid);
506 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "gid"),
507 (struct pf_rule_uid *)&rule->gid);
509 rule->rule_flag = nvlist_get_number(nvl, "rule_flag");
510 rule->action = nvlist_get_number(nvl, "action");
511 rule->direction = nvlist_get_number(nvl, "direction");
512 rule->log = nvlist_get_number(nvl, "log");
513 rule->logif = nvlist_get_number(nvl, "logif");
514 rule->quick = nvlist_get_number(nvl, "quick");
515 rule->ifnot = nvlist_get_number(nvl, "ifnot");
516 rule->match_tag_not = nvlist_get_number(nvl, "match_tag_not");
517 rule->natpass = nvlist_get_number(nvl, "natpass");
519 rule->keep_state = nvlist_get_number(nvl, "keep_state");
520 rule->af = nvlist_get_number(nvl, "af");
521 rule->proto = nvlist_get_number(nvl, "proto");
522 rule->type = nvlist_get_number(nvl, "type");
523 rule->code = nvlist_get_number(nvl, "code");
524 rule->flags = nvlist_get_number(nvl, "flags");
525 rule->flagset = nvlist_get_number(nvl, "flagset");
526 rule->min_ttl = nvlist_get_number(nvl, "min_ttl");
527 rule->allow_opts = nvlist_get_number(nvl, "allow_opts");
528 rule->rt = nvlist_get_number(nvl, "rt");
529 rule->return_ttl = nvlist_get_number(nvl, "return_ttl");
530 rule->tos = nvlist_get_number(nvl, "tos");
531 rule->set_tos = nvlist_get_number(nvl, "set_tos");
532 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative");
533 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard");
535 rule->flush = nvlist_get_number(nvl, "flush");
536 rule->prio = nvlist_get_number(nvl, "prio");
537 pf_nvuint_8_array(nvl, "set_prio", 2, rule->set_prio, NULL);
539 pf_nvdivert_to_divert(nvlist_get_nvlist(nvl, "divert"), rule);
541 rule->states_cur = nvlist_get_number(nvl, "states_cur");
542 rule->states_tot = nvlist_get_number(nvl, "states_tot");
543 rule->src_nodes = nvlist_get_number(nvl, "src_nodes");
547 pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
548 const char *anchor_call, uint32_t ticket, uint32_t pool_ticket)
551 uint64_t timeouts[PFTM_MAX];
552 uint64_t set_prio[2];
553 nvlist_t *nvl, *nvlr;
557 nvl = nvlist_create(0);
558 nvlr = nvlist_create(0);
560 nvlist_add_number(nvl, "ticket", ticket);
561 nvlist_add_number(nvl, "pool_ticket", pool_ticket);
562 nvlist_add_string(nvl, "anchor", anchor);
563 nvlist_add_string(nvl, "anchor_call", anchor_call);
565 nvlist_add_number(nvlr, "nr", r->nr);
566 pfctl_nv_add_rule_addr(nvlr, "src", &r->src);
567 pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst);
570 while (r->label[labelcount][0] != 0 &&
571 labelcount < PF_RULE_MAX_LABEL_COUNT) {
572 nvlist_append_string_array(nvlr, "labels",
573 r->label[labelcount]);
576 nvlist_add_number(nvlr, "ridentifier", r->ridentifier);
578 nvlist_add_string(nvlr, "ifname", r->ifname);
579 nvlist_add_string(nvlr, "qname", r->qname);
580 nvlist_add_string(nvlr, "pqname", r->pqname);
581 nvlist_add_string(nvlr, "tagname", r->tagname);
582 nvlist_add_string(nvlr, "match_tagname", r->match_tagname);
583 nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname);
585 pfctl_nv_add_pool(nvlr, "rpool", &r->rpool);
587 nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint);
589 nvlist_add_number(nvlr, "rtableid", r->rtableid);
590 for (int i = 0; i < PFTM_MAX; i++)
591 timeouts[i] = r->timeout[i];
592 nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX);
593 nvlist_add_number(nvlr, "max_states", r->max_states);
594 nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes);
595 nvlist_add_number(nvlr, "max_src_states", r->max_src_states);
596 nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn);
597 nvlist_add_number(nvlr, "max_src_conn_rate.limit",
598 r->max_src_conn_rate.limit);
599 nvlist_add_number(nvlr, "max_src_conn_rate.seconds",
600 r->max_src_conn_rate.seconds);
601 nvlist_add_number(nvlr, "prob", r->prob);
602 nvlist_add_number(nvlr, "cuid", r->cuid);
603 nvlist_add_number(nvlr, "cpid", r->cpid);
605 nvlist_add_number(nvlr, "return_icmp", r->return_icmp);
606 nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6);
608 nvlist_add_number(nvlr, "max_mss", r->max_mss);
609 nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags);
611 pfctl_nv_add_uid(nvlr, "uid", &r->uid);
612 pfctl_nv_add_uid(nvlr, "gid", (const struct pf_rule_uid *)&r->gid);
614 nvlist_add_number(nvlr, "rule_flag", r->rule_flag);
615 nvlist_add_number(nvlr, "action", r->action);
616 nvlist_add_number(nvlr, "direction", r->direction);
617 nvlist_add_number(nvlr, "log", r->log);
618 nvlist_add_number(nvlr, "logif", r->logif);
619 nvlist_add_number(nvlr, "quick", r->quick);
620 nvlist_add_number(nvlr, "ifnot", r->ifnot);
621 nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not);
622 nvlist_add_number(nvlr, "natpass", r->natpass);
624 nvlist_add_number(nvlr, "keep_state", r->keep_state);
625 nvlist_add_number(nvlr, "af", r->af);
626 nvlist_add_number(nvlr, "proto", r->proto);
627 nvlist_add_number(nvlr, "type", r->type);
628 nvlist_add_number(nvlr, "code", r->code);
629 nvlist_add_number(nvlr, "flags", r->flags);
630 nvlist_add_number(nvlr, "flagset", r->flagset);
631 nvlist_add_number(nvlr, "min_ttl", r->min_ttl);
632 nvlist_add_number(nvlr, "allow_opts", r->allow_opts);
633 nvlist_add_number(nvlr, "rt", r->rt);
634 nvlist_add_number(nvlr, "return_ttl", r->return_ttl);
635 nvlist_add_number(nvlr, "tos", r->tos);
636 nvlist_add_number(nvlr, "set_tos", r->set_tos);
637 nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative);
638 nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard);
640 nvlist_add_number(nvlr, "flush", r->flush);
642 nvlist_add_number(nvlr, "prio", r->prio);
643 set_prio[0] = r->set_prio[0];
644 set_prio[1] = r->set_prio[1];
645 nvlist_add_number_array(nvlr, "set_prio", set_prio, 2);
647 pfctl_nv_add_divert(nvlr, "divert", r);
649 nvlist_add_nvlist(nvl, "rule", nvlr);
650 nvlist_destroy(nvlr);
652 /* Now do the call. */
653 nv.data = nvlist_pack(nvl, &nv.len);
656 ret = ioctl(dev, DIOCADDRULENV, &nv);
665 pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor,
666 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
668 return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule,
669 anchor_call, false));
672 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
673 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
674 char *anchor_call, bool clear)
681 nvl = nvlist_create(0);
685 nvlist_add_number(nvl, "nr", nr);
686 nvlist_add_number(nvl, "ticket", ticket);
687 nvlist_add_string(nvl, "anchor", anchor);
688 nvlist_add_number(nvl, "ruleset", ruleset);
691 nvlist_add_bool(nvl, "clear_counter", true);
693 nvlpacked = nvlist_pack(nvl, &nv.len);
694 if (nvlpacked == NULL) {
698 nv.data = malloc(8182);
700 assert(nv.len <= nv.size);
701 memcpy(nv.data, nvlpacked, nv.len);
706 ret = ioctl(dev, DIOCGETRULENV, &nv);
712 nvl = nvlist_unpack(nv.data, nv.len, 0);
718 pf_nvrule_to_rule(nvlist_get_nvlist(nvl, "rule"), rule);
721 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"),
731 pfctl_set_keepcounters(int dev, bool keep)
737 nvl = nvlist_create(0);
739 nvlist_add_bool(nvl, "keep_counters", keep);
741 nv.data = nvlist_pack(nvl, &nv.len);
746 ret = ioctl(dev, DIOCKEEPCOUNTERS, &nv);
753 pfctl_nv_add_state_cmp(nvlist_t *nvl, const char *name,
754 const struct pfctl_state_cmp *cmp)
758 nv = nvlist_create(0);
760 nvlist_add_number(nv, "id", cmp->id);
761 nvlist_add_number(nv, "creatorid", cmp->creatorid);
762 nvlist_add_number(nv, "direction", cmp->direction);
764 nvlist_add_nvlist(nvl, name, nv);
769 pf_state_key_export_to_state_key(struct pfctl_state_key *ps,
770 const struct pf_state_key_export *s)
772 bcopy(s->addr, ps->addr, sizeof(ps->addr[0]) * 2);
773 ps->port[0] = s->port[0];
774 ps->port[1] = s->port[1];
778 pf_state_peer_export_to_state_peer(struct pfctl_state_peer *ps,
779 const struct pf_state_peer_export *s)
782 ps->seqlo = s->seqlo;
783 ps->seqhi = s->seqhi;
784 ps->seqdiff = s->seqdiff;
785 /* Ignore max_win & mss */
786 ps->state = s->state;
787 ps->wscale = s->wscale;
791 pf_state_export_to_state(struct pfctl_state *ps, const struct pf_state_export *s)
793 assert(s->version >= PF_STATE_VERSION);
796 strlcpy(ps->ifname, s->ifname, sizeof(ps->ifname));
797 strlcpy(ps->orig_ifname, s->orig_ifname, sizeof(ps->orig_ifname));
798 pf_state_key_export_to_state_key(&ps->key[0], &s->key[0]);
799 pf_state_key_export_to_state_key(&ps->key[1], &s->key[1]);
800 pf_state_peer_export_to_state_peer(&ps->src, &s->src);
801 pf_state_peer_export_to_state_peer(&ps->dst, &s->dst);
802 bcopy(&s->rt_addr, &ps->rt_addr, sizeof(ps->rt_addr));
803 ps->rule = ntohl(s->rule);
804 ps->anchor = ntohl(s->anchor);
805 ps->nat_rule = ntohl(s->nat_rule);
806 ps->creation = ntohl(s->creation);
807 ps->expire = ntohl(s->expire);
808 ps->packets[0] = s->packets[0];
809 ps->packets[1] = s->packets[1];
810 ps->bytes[0] = s->bytes[0];
811 ps->bytes[1] = s->bytes[1];
812 ps->creatorid = s->creatorid;
813 ps->key[0].proto = s->proto;
814 ps->key[1].proto = s->proto;
815 ps->key[0].af = s->af;
816 ps->key[1].af = s->af;
817 ps->direction = s->direction;
818 ps->state_flags = s->state_flags;
819 ps->sync_flags = s->sync_flags;
823 pfctl_get_states(int dev, struct pfctl_states *states)
825 struct pfioc_states_v2 ps;
826 struct pf_state_export *p;
827 char *inbuf = NULL, *newinbuf = NULL;
828 unsigned int len = 0;
831 bzero(&ps, sizeof(ps));
832 ps.ps_req_version = PF_STATE_VERSION;
834 bzero(states, sizeof(*states));
835 TAILQ_INIT(&states->states);
840 newinbuf = realloc(inbuf, len);
841 if (newinbuf == NULL)
843 ps.ps_buf = inbuf = newinbuf;
845 if ((error = ioctl(dev, DIOCGETSTATESV2, &ps)) < 0) {
849 if (ps.ps_len + sizeof(struct pfioc_states_v2) < len)
851 if (len == 0 && ps.ps_len == 0)
853 if (len == 0 && ps.ps_len != 0)
856 goto out; /* no states */
861 for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
862 struct pfctl_state *s = malloc(sizeof(*s));
864 pfctl_free_states(states);
869 pf_state_export_to_state(s, p);
870 TAILQ_INSERT_TAIL(&states->states, s, entry);
879 pfctl_free_states(struct pfctl_states *states)
881 struct pfctl_state *s, *tmp;
883 TAILQ_FOREACH_SAFE(s, &states->states, entry, tmp) {
887 bzero(states, sizeof(*states));
891 _pfctl_clear_states(int dev, const struct pfctl_kill *kill,
892 unsigned int *killed, uint64_t ioctlval)
898 nvl = nvlist_create(0);
900 pfctl_nv_add_state_cmp(nvl, "cmp", &kill->cmp);
901 nvlist_add_number(nvl, "af", kill->af);
902 nvlist_add_number(nvl, "proto", kill->proto);
903 pfctl_nv_add_rule_addr(nvl, "src", &kill->src);
904 pfctl_nv_add_rule_addr(nvl, "dst", &kill->dst);
905 pfctl_nv_add_rule_addr(nvl, "rt_addr", &kill->rt_addr);
906 nvlist_add_string(nvl, "ifname", kill->ifname);
907 nvlist_add_string(nvl, "label", kill->label);
908 nvlist_add_bool(nvl, "kill_match", kill->kill_match);
910 nv.data = nvlist_pack(nvl, &nv.len);
915 ret = ioctl(dev, ioctlval, &nv);
921 nvl = nvlist_unpack(nv.data, nv.len, 0);
928 *killed = nvlist_get_number(nvl, "killed");
937 pfctl_clear_states(int dev, const struct pfctl_kill *kill,
938 unsigned int *killed)
940 return (_pfctl_clear_states(dev, kill, killed, DIOCCLRSTATESNV));
944 pfctl_kill_states(int dev, const struct pfctl_kill *kill, unsigned int *killed)
946 return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV));
950 pfctl_get_limit(int dev, const int index, uint *limit)
952 struct pfioc_limit pl;
954 bzero(&pl, sizeof(pl));
957 if (ioctl(dev, DIOCGETLIMIT, &pl) == -1)
966 pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s)
973 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
977 nvl = nvlist_create(0);
979 nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER);
980 nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE);
981 nvlist_add_number(nvl, "highwater", state_limit * s->highwater / 100);
982 nvlist_add_number(nvl, "lowwater", state_limit * s->lowwater / 100);
984 nv.data = nvlist_pack(nvl, &nv.len);
989 ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv);
996 pfctl_get_syncookies(int dev, struct pfctl_syncookies *s)
1002 bool enabled, adaptive;
1004 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
1008 bzero(s, sizeof(*s));
1010 nv.data = malloc(256);
1011 nv.len = nv.size = 256;
1013 if (ioctl(dev, DIOCGETSYNCOOKIES, &nv)) {
1018 nvl = nvlist_unpack(nv.data, nv.len, 0);
1024 enabled = nvlist_get_bool(nvl, "enabled");
1025 adaptive = nvlist_get_bool(nvl, "adaptive");
1029 s->mode = PFCTL_SYNCOOKIES_ADAPTIVE;
1031 s->mode = PFCTL_SYNCOOKIES_ALWAYS;
1033 s->mode = PFCTL_SYNCOOKIES_NEVER;
1036 s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit;
1037 s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit;
1039 nvlist_destroy(nvl);
projects / FreeBSD / FreeBSD.git / blob