2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
34 #include <sys/cdefs.h>
36 #include <sys/ioctl.h>
38 #include <sys/queue.h>
39 #include <sys/types.h>
42 #include <net/pfvar.h>
43 #include <netinet/in.h>
53 const char* PFCTL_SYNCOOKIES_MODE_NAMES[] = {
59 static int _pfctl_clear_states(int , const struct pfctl_kill *,
60 unsigned int *, uint64_t);
63 pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl)
70 data = nvlist_pack(*nvl, &nvlen);
73 nv.data = malloc(size);
74 memcpy(nv.data, data, nvlen);
80 ret = ioctl(dev, cmd, &nv);
81 if (ret == -1 && errno == ENOSPC) {
91 *nvl = nvlist_unpack(nv.data, nv.len, 0);
106 pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems,
107 uint8_t *numbers, size_t *nelems)
112 tmp = nvlist_get_number_array(nvl, name, &elems);
113 assert(elems <= maxelems);
115 for (size_t i = 0; i < elems; i++)
123 pf_nvuint_16_array(const nvlist_t *nvl, const char *name, size_t maxelems,
124 uint16_t *numbers, size_t *nelems)
129 tmp = nvlist_get_number_array(nvl, name, &elems);
130 assert(elems <= maxelems);
132 for (size_t i = 0; i < elems; i++)
140 pf_nvuint_32_array(const nvlist_t *nvl, const char *name, size_t maxelems,
141 uint32_t *numbers, size_t *nelems)
146 tmp = nvlist_get_number_array(nvl, name, &elems);
147 assert(elems <= maxelems);
149 for (size_t i = 0; i < elems; i++)
157 pf_nvuint_64_array(const nvlist_t *nvl, const char *name, size_t maxelems,
158 uint64_t *numbers, size_t *nelems)
163 tmp = nvlist_get_number_array(nvl, name, &elems);
164 assert(elems <= maxelems);
166 for (size_t i = 0; i < elems; i++)
174 _pfctl_get_status_counters(const nvlist_t *nvl,
175 struct pfctl_status_counters *counters)
177 const uint64_t *ids, *counts;
178 const char *const *names;
179 size_t id_len, counter_len, names_len;
181 ids = nvlist_get_number_array(nvl, "ids", &id_len);
182 counts = nvlist_get_number_array(nvl, "counters", &counter_len);
183 names = nvlist_get_string_array(nvl, "names", &names_len);
184 assert(id_len == counter_len);
185 assert(counter_len == names_len);
187 TAILQ_INIT(counters);
189 for (size_t i = 0; i < id_len; i++) {
190 struct pfctl_status_counter *c;
192 c = malloc(sizeof(*c));
195 c->counter = counts[i];
196 c->name = strdup(names[i]);
198 TAILQ_INSERT_TAIL(counters, c, entry);
202 struct pfctl_status *
203 pfctl_get_status(int dev)
205 struct pfctl_status *status;
210 status = calloc(1, sizeof(*status));
214 nvl = nvlist_create(0);
216 if (pfctl_do_ioctl(dev, DIOCGETSTATUSNV, 4096, &nvl)) {
221 status->running = nvlist_get_bool(nvl, "running");
222 status->since = nvlist_get_number(nvl, "since");
223 status->debug = nvlist_get_number(nvl, "debug");
224 status->hostid = ntohl(nvlist_get_number(nvl, "hostid"));
225 status->states = nvlist_get_number(nvl, "states");
226 status->src_nodes = nvlist_get_number(nvl, "src_nodes");
227 status->syncookies_active = nvlist_get_bool(nvl, "syncookies_active");
228 status->reass = nvlist_get_number(nvl, "reass");
230 strlcpy(status->ifname, nvlist_get_string(nvl, "ifname"),
232 chksum = nvlist_get_binary(nvl, "chksum", &len);
233 assert(len == PF_MD5_DIGEST_LENGTH);
234 memcpy(status->pf_chksum, chksum, len);
236 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "counters"),
238 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "lcounters"),
240 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "fcounters"),
242 _pfctl_get_status_counters(nvlist_get_nvlist(nvl, "scounters"),
245 pf_nvuint_64_array(nvl, "pcounters", 2 * 2 * 3,
246 (uint64_t *)status->pcounters, NULL);
247 pf_nvuint_64_array(nvl, "bcounters", 2 * 2,
248 (uint64_t *)status->bcounters, NULL);
256 pfctl_free_status(struct pfctl_status *status)
258 struct pfctl_status_counter *c, *tmp;
260 TAILQ_FOREACH_SAFE(c, &status->counters, entry, tmp) {
264 TAILQ_FOREACH_SAFE(c, &status->lcounters, entry, tmp) {
268 TAILQ_FOREACH_SAFE(c, &status->fcounters, entry, tmp) {
272 TAILQ_FOREACH_SAFE(c, &status->scounters, entry, tmp) {
281 pfctl_nv_add_addr(nvlist_t *nvparent, const char *name,
282 const struct pf_addr *addr)
284 nvlist_t *nvl = nvlist_create(0);
286 nvlist_add_binary(nvl, "addr", addr, sizeof(*addr));
288 nvlist_add_nvlist(nvparent, name, nvl);
293 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr)
298 data = nvlist_get_binary(nvl, "addr", &len);
299 assert(len == sizeof(struct pf_addr));
300 memcpy(addr, data, len);
304 pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name,
305 const struct pf_addr_wrap *addr)
307 nvlist_t *nvl = nvlist_create(0);
309 nvlist_add_number(nvl, "type", addr->type);
310 nvlist_add_number(nvl, "iflags", addr->iflags);
311 if (addr->type == PF_ADDR_DYNIFTL)
312 nvlist_add_string(nvl, "ifname", addr->v.ifname);
313 if (addr->type == PF_ADDR_TABLE)
314 nvlist_add_string(nvl, "tblname", addr->v.tblname);
315 pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);
316 pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask);
318 nvlist_add_nvlist(nvparent, name, nvl);
323 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
325 bzero(addr, sizeof(*addr));
327 addr->type = nvlist_get_number(nvl, "type");
328 addr->iflags = nvlist_get_number(nvl, "iflags");
329 if (addr->type == PF_ADDR_DYNIFTL) {
330 strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"),
332 addr->p.dyncnt = nvlist_get_number(nvl, "dyncnt");
334 if (addr->type == PF_ADDR_TABLE) {
335 strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"),
337 addr->p.tblcnt = nvlist_get_number(nvl, "tblcnt");
340 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr);
341 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask);
345 pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name,
346 const struct pf_rule_addr *addr)
349 nvlist_t *nvl = nvlist_create(0);
351 pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr);
352 ports[0] = addr->port[0];
353 ports[1] = addr->port[1];
354 nvlist_add_number_array(nvl, "port", ports, 2);
355 nvlist_add_number(nvl, "neg", addr->neg);
356 nvlist_add_number(nvl, "port_op", addr->port_op);
358 nvlist_add_nvlist(nvparent, name, nvl);
363 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
365 pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"), &addr->addr);
367 pf_nvuint_16_array(nvl, "port", 2, addr->port, NULL);
368 addr->neg = nvlist_get_number(nvl, "neg");
369 addr->port_op = nvlist_get_number(nvl, "port_op");
373 pfctl_nv_add_mape(nvlist_t *nvparent, const char *name,
374 const struct pf_mape_portset *mape)
376 nvlist_t *nvl = nvlist_create(0);
378 nvlist_add_number(nvl, "offset", mape->offset);
379 nvlist_add_number(nvl, "psidlen", mape->psidlen);
380 nvlist_add_number(nvl, "psid", mape->psid);
381 nvlist_add_nvlist(nvparent, name, nvl);
386 pfctl_nv_add_pool(nvlist_t *nvparent, const char *name,
387 const struct pfctl_pool *pool)
390 nvlist_t *nvl = nvlist_create(0);
392 nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
393 pfctl_nv_add_addr(nvl, "counter", &pool->counter);
394 nvlist_add_number(nvl, "tblidx", pool->tblidx);
396 ports[0] = pool->proxy_port[0];
397 ports[1] = pool->proxy_port[1];
398 nvlist_add_number_array(nvl, "proxy_port", ports, 2);
399 nvlist_add_number(nvl, "opts", pool->opts);
400 pfctl_nv_add_mape(nvl, "mape", &pool->mape);
402 nvlist_add_nvlist(nvparent, name, nvl);
407 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape)
409 mape->offset = nvlist_get_number(nvl, "offset");
410 mape->psidlen = nvlist_get_number(nvl, "psidlen");
411 mape->psid = nvlist_get_number(nvl, "psid");
415 pf_nvpool_to_pool(const nvlist_t *nvl, struct pfctl_pool *pool)
420 data = nvlist_get_binary(nvl, "key", &len);
421 assert(len == sizeof(pool->key));
422 memcpy(&pool->key, data, len);
424 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"), &pool->counter);
426 pool->tblidx = nvlist_get_number(nvl, "tblidx");
427 pf_nvuint_16_array(nvl, "proxy_port", 2, pool->proxy_port, NULL);
428 pool->opts = nvlist_get_number(nvl, "opts");
430 if (nvlist_exists_nvlist(nvl, "mape"))
431 pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"), &pool->mape);
435 pfctl_nv_add_uid(nvlist_t *nvparent, const char *name,
436 const struct pf_rule_uid *uid)
439 nvlist_t *nvl = nvlist_create(0);
441 uids[0] = uid->uid[0];
442 uids[1] = uid->uid[1];
443 nvlist_add_number_array(nvl, "uid", uids, 2);
444 nvlist_add_number(nvl, "op", uid->op);
446 nvlist_add_nvlist(nvparent, name, nvl);
451 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
453 pf_nvuint_32_array(nvl, "uid", 2, uid->uid, NULL);
454 uid->op = nvlist_get_number(nvl, "op");
458 pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
459 const struct pfctl_rule *r)
461 nvlist_t *nvl = nvlist_create(0);
463 pfctl_nv_add_addr(nvl, "addr", &r->divert.addr);
464 nvlist_add_number(nvl, "port", r->divert.port);
466 nvlist_add_nvlist(nvparent, name, nvl);
471 pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule)
473 pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr);
474 rule->divert.port = nvlist_get_number(nvl, "port");
478 pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule)
480 const uint64_t *skip;
481 const char *const *labels;
482 size_t skipcount, labelcount;
484 rule->nr = nvlist_get_number(nvl, "nr");
486 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"), &rule->src);
487 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &rule->dst);
489 skip = nvlist_get_number_array(nvl, "skip", &skipcount);
491 assert(skipcount == PF_SKIP_COUNT);
492 for (int i = 0; i < PF_SKIP_COUNT; i++)
493 rule->skip[i].nr = skip[i];
495 labels = nvlist_get_string_array(nvl, "labels", &labelcount);
496 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT);
497 for (size_t i = 0; i < labelcount; i++)
498 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE);
499 rule->ridentifier = nvlist_get_number(nvl, "ridentifier");
500 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
501 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE);
502 strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE);
503 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"),
505 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"),
508 strlcpy(rule->overload_tblname, nvlist_get_string(nvl, "overload_tblname"),
511 pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"), &rule->rpool);
513 rule->evaluations = nvlist_get_number(nvl, "evaluations");
514 pf_nvuint_64_array(nvl, "packets", 2, rule->packets, NULL);
515 pf_nvuint_64_array(nvl, "bytes", 2, rule->bytes, NULL);
517 if (nvlist_exists_number(nvl, "timestamp")) {
518 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp");
521 rule->os_fingerprint = nvlist_get_number(nvl, "os_fingerprint");
523 rule->rtableid = nvlist_get_number(nvl, "rtableid");
524 pf_nvuint_32_array(nvl, "timeout", PFTM_MAX, rule->timeout, NULL);
525 rule->max_states = nvlist_get_number(nvl, "max_states");
526 rule->max_src_nodes = nvlist_get_number(nvl, "max_src_nodes");
527 rule->max_src_states = nvlist_get_number(nvl, "max_src_states");
528 rule->max_src_conn = nvlist_get_number(nvl, "max_src_conn");
529 rule->max_src_conn_rate.limit =
530 nvlist_get_number(nvl, "max_src_conn_rate.limit");
531 rule->max_src_conn_rate.seconds =
532 nvlist_get_number(nvl, "max_src_conn_rate.seconds");
533 rule->qid = nvlist_get_number(nvl, "qid");
534 rule->pqid = nvlist_get_number(nvl, "pqid");
535 rule->dnpipe = nvlist_get_number(nvl, "dnpipe");
536 rule->dnrpipe = nvlist_get_number(nvl, "dnrpipe");
537 rule->free_flags = nvlist_get_number(nvl, "dnflags");
538 rule->prob = nvlist_get_number(nvl, "prob");
539 rule->cuid = nvlist_get_number(nvl, "cuid");
540 rule->cpid = nvlist_get_number(nvl, "cpid");
542 rule->return_icmp = nvlist_get_number(nvl, "return_icmp");
543 rule->return_icmp6 = nvlist_get_number(nvl, "return_icmp6");
544 rule->max_mss = nvlist_get_number(nvl, "max_mss");
545 rule->scrub_flags = nvlist_get_number(nvl, "scrub_flags");
547 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"), &rule->uid);
548 pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "gid"),
549 (struct pf_rule_uid *)&rule->gid);
551 rule->rule_flag = nvlist_get_number(nvl, "rule_flag");
552 rule->action = nvlist_get_number(nvl, "action");
553 rule->direction = nvlist_get_number(nvl, "direction");
554 rule->log = nvlist_get_number(nvl, "log");
555 rule->logif = nvlist_get_number(nvl, "logif");
556 rule->quick = nvlist_get_number(nvl, "quick");
557 rule->ifnot = nvlist_get_number(nvl, "ifnot");
558 rule->match_tag_not = nvlist_get_number(nvl, "match_tag_not");
559 rule->natpass = nvlist_get_number(nvl, "natpass");
561 rule->keep_state = nvlist_get_number(nvl, "keep_state");
562 rule->af = nvlist_get_number(nvl, "af");
563 rule->proto = nvlist_get_number(nvl, "proto");
564 rule->type = nvlist_get_number(nvl, "type");
565 rule->code = nvlist_get_number(nvl, "code");
566 rule->flags = nvlist_get_number(nvl, "flags");
567 rule->flagset = nvlist_get_number(nvl, "flagset");
568 rule->min_ttl = nvlist_get_number(nvl, "min_ttl");
569 rule->allow_opts = nvlist_get_number(nvl, "allow_opts");
570 rule->rt = nvlist_get_number(nvl, "rt");
571 rule->return_ttl = nvlist_get_number(nvl, "return_ttl");
572 rule->tos = nvlist_get_number(nvl, "tos");
573 rule->set_tos = nvlist_get_number(nvl, "set_tos");
574 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative");
575 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard");
577 rule->flush = nvlist_get_number(nvl, "flush");
578 rule->prio = nvlist_get_number(nvl, "prio");
579 pf_nvuint_8_array(nvl, "set_prio", 2, rule->set_prio, NULL);
581 pf_nvdivert_to_divert(nvlist_get_nvlist(nvl, "divert"), rule);
583 rule->states_cur = nvlist_get_number(nvl, "states_cur");
584 rule->states_tot = nvlist_get_number(nvl, "states_tot");
585 rule->src_nodes = nvlist_get_number(nvl, "src_nodes");
589 pfctl_nveth_addr_to_eth_addr(const nvlist_t *nvl, struct pfctl_eth_addr *addr)
591 static const u_int8_t EMPTY_MAC[ETHER_ADDR_LEN] = { 0 };
595 data = nvlist_get_binary(nvl, "addr", &len);
596 assert(len == sizeof(addr->addr));
597 memcpy(addr->addr, data, sizeof(addr->addr));
599 data = nvlist_get_binary(nvl, "mask", &len);
600 assert(len == sizeof(addr->mask));
601 memcpy(addr->mask, data, sizeof(addr->mask));
603 addr->neg = nvlist_get_bool(nvl, "neg");
605 /* To make checks for 'is this address set?' easier. */
606 addr->isset = memcmp(addr->addr, EMPTY_MAC, ETHER_ADDR_LEN) != 0;
610 pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr *addr)
614 nvl = nvlist_create(0);
618 nvlist_add_bool(nvl, "neg", addr->neg);
619 nvlist_add_binary(nvl, "addr", &addr->addr, ETHER_ADDR_LEN);
620 nvlist_add_binary(nvl, "mask", &addr->mask, ETHER_ADDR_LEN);
626 pfctl_nveth_rule_to_eth_rule(const nvlist_t *nvl, struct pfctl_eth_rule *rule)
628 const char *const *labels;
629 size_t labelcount, i;
631 rule->nr = nvlist_get_number(nvl, "nr");
632 rule->quick = nvlist_get_bool(nvl, "quick");
633 strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
634 rule->ifnot = nvlist_get_bool(nvl, "ifnot");
635 rule->direction = nvlist_get_number(nvl, "direction");
636 rule->proto = nvlist_get_number(nvl, "proto");
637 strlcpy(rule->match_tagname, nvlist_get_string(nvl, "match_tagname"),
639 rule->match_tag = nvlist_get_number(nvl, "match_tag");
640 rule->match_tag_not = nvlist_get_bool(nvl, "match_tag_not");
642 labels = nvlist_get_string_array(nvl, "labels", &labelcount);
643 assert(labelcount <= PF_RULE_MAX_LABEL_COUNT);
644 for (i = 0; i < labelcount; i++)
645 strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE);
646 rule->ridentifier = nvlist_get_number(nvl, "ridentifier");
648 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "src"),
650 pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "dst"),
653 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipsrc"),
655 pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "ipdst"),
658 rule->evaluations = nvlist_get_number(nvl, "evaluations");
659 rule->packets[0] = nvlist_get_number(nvl, "packets-in");
660 rule->packets[1] = nvlist_get_number(nvl, "packets-out");
661 rule->bytes[0] = nvlist_get_number(nvl, "bytes-in");
662 rule->bytes[1] = nvlist_get_number(nvl, "bytes-out");
664 if (nvlist_exists_number(nvl, "timestamp")) {
665 rule->last_active_timestamp = nvlist_get_number(nvl, "timestamp");
668 strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE);
669 strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"),
672 rule->dnpipe = nvlist_get_number(nvl, "dnpipe");
673 rule->dnflags = nvlist_get_number(nvl, "dnflags");
675 rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative");
676 rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard");
678 strlcpy(rule->bridge_to, nvlist_get_string(nvl, "bridge_to"),
681 rule->action = nvlist_get_number(nvl, "action");
685 pfctl_get_eth_rulesets_info(int dev, struct pfctl_eth_rulesets_info *ri,
691 bzero(ri, sizeof(*ri));
693 nvl = nvlist_create(0);
694 nvlist_add_string(nvl, "path", path);
696 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESETS, 256, &nvl)) != 0)
699 ri->nr = nvlist_get_number(nvl, "nr");
706 pfctl_get_eth_ruleset(int dev, const char *path, int nr,
707 struct pfctl_eth_ruleset_info *ri)
712 bzero(ri, sizeof(*ri));
714 nvl = nvlist_create(0);
715 nvlist_add_string(nvl, "path", path);
716 nvlist_add_number(nvl, "nr", nr);
718 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULESET, 1024, &nvl)) != 0)
721 ri->nr = nvlist_get_number(nvl, "nr");
722 strlcpy(ri->path, nvlist_get_string(nvl, "path"), MAXPATHLEN);
723 strlcpy(ri->name, nvlist_get_string(nvl, "name"),
724 PF_ANCHOR_NAME_SIZE);
730 pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
736 bzero(rules, sizeof(*rules));
738 nvl = nvlist_create(0);
739 nvlist_add_string(nvl, "anchor", path);
741 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULES, 1024, &nvl)) != 0)
744 rules->nr = nvlist_get_number(nvl, "nr");
745 rules->ticket = nvlist_get_number(nvl, "ticket");
752 pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
753 const char *path, struct pfctl_eth_rule *rule, bool clear,
759 nvl = nvlist_create(0);
761 nvlist_add_string(nvl, "anchor", path);
762 nvlist_add_number(nvl, "ticket", ticket);
763 nvlist_add_number(nvl, "nr", nr);
764 nvlist_add_bool(nvl, "clear", clear);
766 if ((ret = pfctl_do_ioctl(dev, DIOCGETETHRULE, 4096, &nvl)) != 0)
769 pfctl_nveth_rule_to_eth_rule(nvl, rule);
772 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"),
780 pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, const char *anchor,
781 const char *anchor_call, uint32_t ticket)
784 nvlist_t *nvl, *addr;
787 size_t labelcount, size;
789 nvl = nvlist_create(0);
791 nvlist_add_number(nvl, "ticket", ticket);
792 nvlist_add_string(nvl, "anchor", anchor);
793 nvlist_add_string(nvl, "anchor_call", anchor_call);
795 nvlist_add_number(nvl, "nr", r->nr);
796 nvlist_add_bool(nvl, "quick", r->quick);
797 nvlist_add_string(nvl, "ifname", r->ifname);
798 nvlist_add_bool(nvl, "ifnot", r->ifnot);
799 nvlist_add_number(nvl, "direction", r->direction);
800 nvlist_add_number(nvl, "proto", r->proto);
801 nvlist_add_string(nvl, "match_tagname", r->match_tagname);
802 nvlist_add_bool(nvl, "match_tag_not", r->match_tag_not);
804 addr = pfctl_eth_addr_to_nveth_addr(&r->src);
809 nvlist_add_nvlist(nvl, "src", addr);
810 nvlist_destroy(addr);
812 addr = pfctl_eth_addr_to_nveth_addr(&r->dst);
817 nvlist_add_nvlist(nvl, "dst", addr);
818 nvlist_destroy(addr);
820 pfctl_nv_add_rule_addr(nvl, "ipsrc", &r->ipsrc);
821 pfctl_nv_add_rule_addr(nvl, "ipdst", &r->ipdst);
824 while (r->label[labelcount][0] != 0 &&
825 labelcount < PF_RULE_MAX_LABEL_COUNT) {
826 nvlist_append_string_array(nvl, "labels",
827 r->label[labelcount]);
830 nvlist_add_number(nvl, "ridentifier", r->ridentifier);
832 nvlist_add_string(nvl, "qname", r->qname);
833 nvlist_add_string(nvl, "tagname", r->tagname);
834 nvlist_add_number(nvl, "dnpipe", r->dnpipe);
835 nvlist_add_number(nvl, "dnflags", r->dnflags);
837 nvlist_add_string(nvl, "bridge_to", r->bridge_to);
839 nvlist_add_number(nvl, "action", r->action);
841 packed = nvlist_pack(nvl, &size);
842 if (packed == NULL) {
851 if (ioctl(dev, DIOCADDETHRULE, &nv) != 0)
861 pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
862 const char *anchor_call, uint32_t ticket, uint32_t pool_ticket)
865 uint64_t timeouts[PFTM_MAX];
866 uint64_t set_prio[2];
867 nvlist_t *nvl, *nvlr;
871 nvl = nvlist_create(0);
872 nvlr = nvlist_create(0);
874 nvlist_add_number(nvl, "ticket", ticket);
875 nvlist_add_number(nvl, "pool_ticket", pool_ticket);
876 nvlist_add_string(nvl, "anchor", anchor);
877 nvlist_add_string(nvl, "anchor_call", anchor_call);
879 nvlist_add_number(nvlr, "nr", r->nr);
880 pfctl_nv_add_rule_addr(nvlr, "src", &r->src);
881 pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst);
884 while (r->label[labelcount][0] != 0 &&
885 labelcount < PF_RULE_MAX_LABEL_COUNT) {
886 nvlist_append_string_array(nvlr, "labels",
887 r->label[labelcount]);
890 nvlist_add_number(nvlr, "ridentifier", r->ridentifier);
892 nvlist_add_string(nvlr, "ifname", r->ifname);
893 nvlist_add_string(nvlr, "qname", r->qname);
894 nvlist_add_string(nvlr, "pqname", r->pqname);
895 nvlist_add_string(nvlr, "tagname", r->tagname);
896 nvlist_add_string(nvlr, "match_tagname", r->match_tagname);
897 nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname);
899 pfctl_nv_add_pool(nvlr, "rpool", &r->rpool);
901 nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint);
903 nvlist_add_number(nvlr, "rtableid", r->rtableid);
904 for (int i = 0; i < PFTM_MAX; i++)
905 timeouts[i] = r->timeout[i];
906 nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX);
907 nvlist_add_number(nvlr, "max_states", r->max_states);
908 nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes);
909 nvlist_add_number(nvlr, "max_src_states", r->max_src_states);
910 nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn);
911 nvlist_add_number(nvlr, "max_src_conn_rate.limit",
912 r->max_src_conn_rate.limit);
913 nvlist_add_number(nvlr, "max_src_conn_rate.seconds",
914 r->max_src_conn_rate.seconds);
915 nvlist_add_number(nvlr, "dnpipe", r->dnpipe);
916 nvlist_add_number(nvlr, "dnrpipe", r->dnrpipe);
917 nvlist_add_number(nvlr, "dnflags", r->free_flags);
918 nvlist_add_number(nvlr, "prob", r->prob);
919 nvlist_add_number(nvlr, "cuid", r->cuid);
920 nvlist_add_number(nvlr, "cpid", r->cpid);
922 nvlist_add_number(nvlr, "return_icmp", r->return_icmp);
923 nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6);
925 nvlist_add_number(nvlr, "max_mss", r->max_mss);
926 nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags);
928 pfctl_nv_add_uid(nvlr, "uid", &r->uid);
929 pfctl_nv_add_uid(nvlr, "gid", (const struct pf_rule_uid *)&r->gid);
931 nvlist_add_number(nvlr, "rule_flag", r->rule_flag);
932 nvlist_add_number(nvlr, "action", r->action);
933 nvlist_add_number(nvlr, "direction", r->direction);
934 nvlist_add_number(nvlr, "log", r->log);
935 nvlist_add_number(nvlr, "logif", r->logif);
936 nvlist_add_number(nvlr, "quick", r->quick);
937 nvlist_add_number(nvlr, "ifnot", r->ifnot);
938 nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not);
939 nvlist_add_number(nvlr, "natpass", r->natpass);
941 nvlist_add_number(nvlr, "keep_state", r->keep_state);
942 nvlist_add_number(nvlr, "af", r->af);
943 nvlist_add_number(nvlr, "proto", r->proto);
944 nvlist_add_number(nvlr, "type", r->type);
945 nvlist_add_number(nvlr, "code", r->code);
946 nvlist_add_number(nvlr, "flags", r->flags);
947 nvlist_add_number(nvlr, "flagset", r->flagset);
948 nvlist_add_number(nvlr, "min_ttl", r->min_ttl);
949 nvlist_add_number(nvlr, "allow_opts", r->allow_opts);
950 nvlist_add_number(nvlr, "rt", r->rt);
951 nvlist_add_number(nvlr, "return_ttl", r->return_ttl);
952 nvlist_add_number(nvlr, "tos", r->tos);
953 nvlist_add_number(nvlr, "set_tos", r->set_tos);
954 nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative);
955 nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard);
957 nvlist_add_number(nvlr, "flush", r->flush);
959 nvlist_add_number(nvlr, "prio", r->prio);
960 set_prio[0] = r->set_prio[0];
961 set_prio[1] = r->set_prio[1];
962 nvlist_add_number_array(nvlr, "set_prio", set_prio, 2);
964 pfctl_nv_add_divert(nvlr, "divert", r);
966 nvlist_add_nvlist(nvl, "rule", nvlr);
967 nvlist_destroy(nvlr);
969 /* Now do the call. */
970 nv.data = nvlist_pack(nvl, &nv.len);
973 ret = ioctl(dev, DIOCADDRULENV, &nv);
984 pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, uint32_t ruleset,
987 struct pfioc_rule pr;
990 bzero(&pr, sizeof(pr));
991 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor))
994 pr.rule.action = ruleset;
995 ret = ioctl(dev, DIOCGETRULES, &pr);
1000 rules->ticket = pr.ticket;
1006 pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor,
1007 uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
1009 return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule,
1010 anchor_call, false));
1013 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
1014 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
1015 char *anchor_call, bool clear)
1020 nvl = nvlist_create(0);
1024 nvlist_add_number(nvl, "nr", nr);
1025 nvlist_add_number(nvl, "ticket", ticket);
1026 nvlist_add_string(nvl, "anchor", anchor);
1027 nvlist_add_number(nvl, "ruleset", ruleset);
1030 nvlist_add_bool(nvl, "clear_counter", true);
1032 if ((ret = pfctl_do_ioctl(dev, DIOCGETRULENV, 8192, &nvl)) != 0)
1035 pf_nvrule_to_rule(nvlist_get_nvlist(nvl, "rule"), rule);
1038 strlcpy(anchor_call, nvlist_get_string(nvl, "anchor_call"),
1041 nvlist_destroy(nvl);
1047 pfctl_set_keepcounters(int dev, bool keep)
1053 nvl = nvlist_create(0);
1055 nvlist_add_bool(nvl, "keep_counters", keep);
1057 nv.data = nvlist_pack(nvl, &nv.len);
1060 nvlist_destroy(nvl);
1062 ret = ioctl(dev, DIOCKEEPCOUNTERS, &nv);
1069 pfctl_nv_add_state_cmp(nvlist_t *nvl, const char *name,
1070 const struct pfctl_state_cmp *cmp)
1074 nv = nvlist_create(0);
1076 nvlist_add_number(nv, "id", cmp->id);
1077 nvlist_add_number(nv, "creatorid", htonl(cmp->creatorid));
1078 nvlist_add_number(nv, "direction", cmp->direction);
1080 nvlist_add_nvlist(nvl, name, nv);
1085 pf_state_key_export_to_state_key(struct pfctl_state_key *ps,
1086 const struct pf_state_key_export *s)
1088 bcopy(s->addr, ps->addr, sizeof(ps->addr[0]) * 2);
1089 ps->port[0] = s->port[0];
1090 ps->port[1] = s->port[1];
1094 pf_state_peer_export_to_state_peer(struct pfctl_state_peer *ps,
1095 const struct pf_state_peer_export *s)
1098 ps->seqlo = s->seqlo;
1099 ps->seqhi = s->seqhi;
1100 ps->seqdiff = s->seqdiff;
1101 /* Ignore max_win & mss */
1102 ps->state = s->state;
1103 ps->wscale = s->wscale;
1107 pf_state_export_to_state(struct pfctl_state *ps, const struct pf_state_export *s)
1109 assert(s->version >= PF_STATE_VERSION);
1112 strlcpy(ps->ifname, s->ifname, sizeof(ps->ifname));
1113 strlcpy(ps->orig_ifname, s->orig_ifname, sizeof(ps->orig_ifname));
1114 strlcpy(ps->rt_ifname, s->rt_ifname, sizeof(ps->rt_ifname));
1115 pf_state_key_export_to_state_key(&ps->key[0], &s->key[0]);
1116 pf_state_key_export_to_state_key(&ps->key[1], &s->key[1]);
1117 pf_state_peer_export_to_state_peer(&ps->src, &s->src);
1118 pf_state_peer_export_to_state_peer(&ps->dst, &s->dst);
1119 bcopy(&s->rt_addr, &ps->rt_addr, sizeof(ps->rt_addr));
1120 ps->rule = ntohl(s->rule);
1121 ps->anchor = ntohl(s->anchor);
1122 ps->nat_rule = ntohl(s->nat_rule);
1123 ps->creation = ntohl(s->creation);
1124 ps->expire = ntohl(s->expire);
1125 ps->packets[0] = s->packets[0];
1126 ps->packets[1] = s->packets[1];
1127 ps->bytes[0] = s->bytes[0];
1128 ps->bytes[1] = s->bytes[1];
1129 ps->creatorid = ntohl(s->creatorid);
1130 ps->key[0].proto = s->proto;
1131 ps->key[1].proto = s->proto;
1132 ps->key[0].af = s->af;
1133 ps->key[1].af = s->af;
1134 ps->direction = s->direction;
1135 ps->state_flags = ntohs(s->state_flags);
1136 ps->sync_flags = ntohs(s->sync_flags);
1137 ps->qid = ntohs(s->qid);
1138 ps->pqid = ntohs(s->pqid);
1139 ps->dnpipe = ntohs(s->dnpipe);
1140 ps->dnrpipe = ntohs(s->dnrpipe);
1141 ps->rtableid = ntohl(s->rtableid);
1142 ps->min_ttl = s->min_ttl;
1143 ps->set_tos = s->set_tos;
1144 ps->max_mss = ntohs(s->max_mss);
1146 ps->set_prio[0] = s->set_prio[0];
1147 ps->set_prio[1] = s->set_prio[1];
1151 pfctl_get_states(int dev, struct pfctl_states *states)
1153 struct pfioc_states_v2 ps;
1154 struct pf_state_export *p;
1155 char *inbuf = NULL, *newinbuf = NULL;
1156 unsigned int len = 0;
1159 bzero(&ps, sizeof(ps));
1160 ps.ps_req_version = PF_STATE_VERSION;
1162 bzero(states, sizeof(*states));
1163 TAILQ_INIT(&states->states);
1168 newinbuf = realloc(inbuf, len);
1169 if (newinbuf == NULL)
1171 ps.ps_buf = inbuf = newinbuf;
1173 if ((error = ioctl(dev, DIOCGETSTATESV2, &ps)) < 0) {
1177 if (ps.ps_len + sizeof(struct pfioc_states_v2) < len)
1179 if (len == 0 && ps.ps_len == 0)
1181 if (len == 0 && ps.ps_len != 0)
1184 goto out; /* no states */
1189 for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
1190 struct pfctl_state *s = malloc(sizeof(*s));
1192 pfctl_free_states(states);
1197 pf_state_export_to_state(s, p);
1198 TAILQ_INSERT_TAIL(&states->states, s, entry);
1207 pfctl_free_states(struct pfctl_states *states)
1209 struct pfctl_state *s, *tmp;
1211 TAILQ_FOREACH_SAFE(s, &states->states, entry, tmp) {
1215 bzero(states, sizeof(*states));
1219 _pfctl_clear_states(int dev, const struct pfctl_kill *kill,
1220 unsigned int *killed, uint64_t ioctlval)
1225 nvl = nvlist_create(0);
1227 pfctl_nv_add_state_cmp(nvl, "cmp", &kill->cmp);
1228 nvlist_add_number(nvl, "af", kill->af);
1229 nvlist_add_number(nvl, "proto", kill->proto);
1230 pfctl_nv_add_rule_addr(nvl, "src", &kill->src);
1231 pfctl_nv_add_rule_addr(nvl, "dst", &kill->dst);
1232 pfctl_nv_add_rule_addr(nvl, "rt_addr", &kill->rt_addr);
1233 nvlist_add_string(nvl, "ifname", kill->ifname);
1234 nvlist_add_string(nvl, "label", kill->label);
1235 nvlist_add_bool(nvl, "kill_match", kill->kill_match);
1237 if ((ret = pfctl_do_ioctl(dev, ioctlval, 1024, &nvl)) != 0)
1241 *killed = nvlist_get_number(nvl, "killed");
1243 nvlist_destroy(nvl);
1249 pfctl_clear_states(int dev, const struct pfctl_kill *kill,
1250 unsigned int *killed)
1252 return (_pfctl_clear_states(dev, kill, killed, DIOCCLRSTATESNV));
1256 pfctl_kill_states(int dev, const struct pfctl_kill *kill, unsigned int *killed)
1258 return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV));
1262 pfctl_clear_rules(int dev, const char *anchorname)
1264 struct pfioc_trans trans;
1265 struct pfioc_trans_e transe[2];
1268 bzero(&trans, sizeof(trans));
1269 bzero(&transe, sizeof(transe));
1271 transe[0].rs_num = PF_RULESET_SCRUB;
1272 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
1273 >= sizeof(transe[0].anchor))
1276 transe[1].rs_num = PF_RULESET_FILTER;
1277 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
1278 >= sizeof(transe[1].anchor))
1282 trans.esize = sizeof(transe[0]);
1283 trans.array = transe;
1285 ret = ioctl(dev, DIOCXBEGIN, &trans);
1288 return ioctl(dev, DIOCXCOMMIT, &trans);
1292 pfctl_clear_nat(int dev, const char *anchorname)
1294 struct pfioc_trans trans;
1295 struct pfioc_trans_e transe[3];
1298 bzero(&trans, sizeof(trans));
1299 bzero(&transe, sizeof(transe));
1301 transe[0].rs_num = PF_RULESET_NAT;
1302 if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
1303 >= sizeof(transe[0].anchor))
1306 transe[1].rs_num = PF_RULESET_BINAT;
1307 if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
1308 >= sizeof(transe[0].anchor))
1311 transe[2].rs_num = PF_RULESET_RDR;
1312 if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor))
1313 >= sizeof(transe[2].anchor))
1317 trans.esize = sizeof(transe[0]);
1318 trans.array = transe;
1320 ret = ioctl(dev, DIOCXBEGIN, &trans);
1323 return ioctl(dev, DIOCXCOMMIT, &trans);
1326 pfctl_clear_eth_rules(int dev, const char *anchorname)
1328 struct pfioc_trans trans;
1329 struct pfioc_trans_e transe;
1332 bzero(&trans, sizeof(trans));
1333 bzero(&transe, sizeof(transe));
1335 transe.rs_num = PF_RULESET_ETH;
1336 if (strlcpy(transe.anchor, anchorname, sizeof(transe.anchor))
1337 >= sizeof(transe.anchor))
1341 trans.esize = sizeof(transe);
1342 trans.array = &transe;
1344 ret = ioctl(dev, DIOCXBEGIN, &trans);
1347 return ioctl(dev, DIOCXCOMMIT, &trans);
1351 pfctl_get_limit(int dev, const int index, uint *limit)
1353 struct pfioc_limit pl;
1355 bzero(&pl, sizeof(pl));
1358 if (ioctl(dev, DIOCGETLIMIT, &pl) == -1)
1367 pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s)
1373 uint64_t lim, hi, lo;
1375 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
1380 hi = lim * s->highwater / 100;
1381 lo = lim * s->lowwater / 100;
1386 nvl = nvlist_create(0);
1388 nvlist_add_bool(nvl, "enabled", s->mode != PFCTL_SYNCOOKIES_NEVER);
1389 nvlist_add_bool(nvl, "adaptive", s->mode == PFCTL_SYNCOOKIES_ADAPTIVE);
1390 nvlist_add_number(nvl, "highwater", hi);
1391 nvlist_add_number(nvl, "lowwater", lo);
1393 nv.data = nvlist_pack(nvl, &nv.len);
1395 nvlist_destroy(nvl);
1398 ret = ioctl(dev, DIOCSETSYNCOOKIES, &nv);
1405 pfctl_get_syncookies(int dev, struct pfctl_syncookies *s)
1410 bool enabled, adaptive;
1412 ret = pfctl_get_limit(dev, PF_LIMIT_STATES, &state_limit);
1416 bzero(s, sizeof(*s));
1418 nvl = nvlist_create(0);
1420 if ((ret = pfctl_do_ioctl(dev, DIOCGETSYNCOOKIES, 256, &nvl)) != 0)
1423 enabled = nvlist_get_bool(nvl, "enabled");
1424 adaptive = nvlist_get_bool(nvl, "adaptive");
1428 s->mode = PFCTL_SYNCOOKIES_ADAPTIVE;
1430 s->mode = PFCTL_SYNCOOKIES_ALWAYS;
1432 s->mode = PFCTL_SYNCOOKIES_NEVER;
1435 s->highwater = nvlist_get_number(nvl, "highwater") * 100 / state_limit;
1436 s->lowwater = nvlist_get_number(nvl, "lowwater") * 100 / state_limit;
1438 nvlist_destroy(nvl);
1444 pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
1445 *addr, int size, int *nadd, int flags)
1447 struct pfioc_table io;
1449 if (tbl == NULL || size < 0 || (size && addr == NULL)) {
1452 bzero(&io, sizeof io);
1453 io.pfrio_flags = flags;
1454 io.pfrio_table = *tbl;
1455 io.pfrio_buffer = addr;
1456 io.pfrio_esize = sizeof(*addr);
1457 io.pfrio_size = size;
1459 if (ioctl(dev, DIOCRADDADDRS, &io))
1462 *nadd = io.pfrio_nadd;
1467 pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
1468 *addr, int size, int *ndel, int flags)
1470 struct pfioc_table io;
1472 if (tbl == NULL || size < 0 || (size && addr == NULL)) {
1475 bzero(&io, sizeof io);
1476 io.pfrio_flags = flags;
1477 io.pfrio_table = *tbl;
1478 io.pfrio_buffer = addr;
1479 io.pfrio_esize = sizeof(*addr);
1480 io.pfrio_size = size;
1482 if (ioctl(dev, DIOCRDELADDRS, &io))
1485 *ndel = io.pfrio_ndel;
1490 pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
1491 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, int flags)
1493 struct pfioc_table io;
1495 if (tbl == NULL || size < 0 || (size && addr == NULL)) {
1498 bzero(&io, sizeof io);
1499 io.pfrio_flags = flags;
1500 io.pfrio_table = *tbl;
1501 io.pfrio_buffer = addr;
1502 io.pfrio_esize = sizeof(*addr);
1503 io.pfrio_size = size;
1504 io.pfrio_size2 = (size2 != NULL) ? *size2 : 0;
1505 if (ioctl(dev, DIOCRSETADDRS, &io))
1508 *nadd = io.pfrio_nadd;
1510 *ndel = io.pfrio_ndel;
1511 if (nchange != NULL)
1512 *nchange = io.pfrio_nchange;
1514 *size2 = io.pfrio_size2;
1518 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr *addr,
1519 int *size, int flags)
1521 struct pfioc_table io;
1523 if (tbl == NULL || size == NULL || *size < 0 ||
1524 (*size && addr == NULL)) {
1527 bzero(&io, sizeof io);
1528 io.pfrio_flags = flags;
1529 io.pfrio_table = *tbl;
1530 io.pfrio_buffer = addr;
1531 io.pfrio_esize = sizeof(*addr);
1532 io.pfrio_size = *size;
1533 if (ioctl(dev, DIOCRGETADDRS, &io))
1535 *size = io.pfrio_size;
projects / FreeBSD / FreeBSD.git / blob