2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
32 #include "opt_inet6.h"
34 #include <sys/param.h>
35 #include <sys/errno.h>
36 #include <sys/limits.h>
37 #include <sys/queue.h>
38 #include <sys/systm.h>
40 #include <netpfil/pf/pf_nv.h>
42 #define PF_NV_IMPL_UINT(fnname, type, max) \
44 pf_nv ## fnname ## _opt(const nvlist_t *nvl, const char *name, \
45 type *val, type dflt) \
48 if (! nvlist_exists_number(nvl, name)) { \
52 raw = nvlist_get_number(nvl, name); \
59 pf_nv ## fnname(const nvlist_t *nvl, const char *name, type *val) \
62 if (! nvlist_exists_number(nvl, name)) \
64 raw = nvlist_get_number(nvl, name); \
71 pf_nv ## fnname ## _array(const nvlist_t *nvl, const char *name, \
72 type *array, size_t maxelems, size_t *nelems) \
76 bzero(array, sizeof(type) * maxelems); \
77 if (! nvlist_exists_number_array(nvl, name)) \
79 n = nvlist_get_number_array(nvl, name, &nitems); \
80 if (nitems != maxelems) \
84 for (size_t i = 0; i < nitems; i++) { \
87 array[i] = (type)n[i]; \
92 pf_ ## fnname ## _array_nv(nvlist_t *nvl, const char *name, \
93 const type *numbers, size_t count) \
96 for (size_t i = 0; i < count; i++) { \
98 nvlist_append_number_array(nvl, name, tmp); \
103 pf_nvbinary(const nvlist_t *nvl, const char *name, void *data,
104 size_t expected_size)
106 const uint8_t *nvdata;
109 bzero(data, expected_size);
111 if (! nvlist_exists_binary(nvl, name))
114 nvdata = (const uint8_t *)nvlist_get_binary(nvl, name, &len);
115 if (len > expected_size)
118 memcpy(data, nvdata, len);
123 PF_NV_IMPL_UINT(uint8, uint8_t, UINT8_MAX);
124 PF_NV_IMPL_UINT(uint16, uint16_t, UINT16_MAX);
125 PF_NV_IMPL_UINT(uint32, uint32_t, UINT32_MAX);
126 PF_NV_IMPL_UINT(uint64, uint64_t, UINT64_MAX);
129 pf_nvint(const nvlist_t *nvl, const char *name, int *val)
133 if (! nvlist_exists_number(nvl, name))
136 raw = nvlist_get_number(nvl, name);
137 if (raw > INT_MAX || raw < INT_MIN)
146 pf_nvstring(const nvlist_t *nvl, const char *name, char *str, size_t maxlen)
150 if (! nvlist_exists_string(nvl, name))
153 ret = strlcpy(str, nvlist_get_string(nvl, name), maxlen);
161 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *paddr)
163 return (pf_nvbinary(nvl, "addr", paddr, sizeof(*paddr)));
167 pf_addr_to_nvaddr(const struct pf_addr *paddr)
171 nvl = nvlist_create(0);
175 nvlist_add_binary(nvl, "addr", paddr, sizeof(*paddr));
181 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape)
185 bzero(mape, sizeof(*mape));
186 PFNV_CHK(pf_nvuint8(nvl, "offset", &mape->offset));
187 PFNV_CHK(pf_nvuint8(nvl, "psidlen", &mape->psidlen));
188 PFNV_CHK(pf_nvuint16(nvl, "psid", &mape->psid));
195 pf_mape_to_nvmape(const struct pf_mape_portset *mape)
199 nvl = nvlist_create(0);
203 nvlist_add_number(nvl, "offset", mape->offset);
204 nvlist_add_number(nvl, "psidlen", mape->psidlen);
205 nvlist_add_number(nvl, "psid", mape->psid);
211 pf_nvpool_to_pool(const nvlist_t *nvl, struct pf_kpool *kpool)
215 bzero(kpool, sizeof(*kpool));
217 PFNV_CHK(pf_nvbinary(nvl, "key", &kpool->key, sizeof(kpool->key)));
219 if (nvlist_exists_nvlist(nvl, "counter")) {
220 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"),
224 PFNV_CHK(pf_nvint(nvl, "tblidx", &kpool->tblidx));
225 PFNV_CHK(pf_nvuint16_array(nvl, "proxy_port", kpool->proxy_port, 2,
227 PFNV_CHK(pf_nvuint8(nvl, "opts", &kpool->opts));
229 if (nvlist_exists_nvlist(nvl, "mape")) {
230 PFNV_CHK(pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"),
239 pf_pool_to_nvpool(const struct pf_kpool *pool)
244 nvl = nvlist_create(0);
248 nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
249 tmp = pf_addr_to_nvaddr(&pool->counter);
252 nvlist_add_nvlist(nvl, "counter", tmp);
255 nvlist_add_number(nvl, "tblidx", pool->tblidx);
256 pf_uint16_array_nv(nvl, "proxy_port", pool->proxy_port, 2);
257 nvlist_add_number(nvl, "opts", pool->opts);
259 tmp = pf_mape_to_nvmape(&pool->mape);
262 nvlist_add_nvlist(nvl, "mape", tmp);
273 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
277 bzero(addr, sizeof(*addr));
279 PFNV_CHK(pf_nvuint8(nvl, "type", &addr->type));
280 PFNV_CHK(pf_nvuint8(nvl, "iflags", &addr->iflags));
281 if (addr->type == PF_ADDR_DYNIFTL)
282 PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname,
283 sizeof(addr->v.ifname)));
284 if (addr->type == PF_ADDR_TABLE)
285 PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname,
286 sizeof(addr->v.tblname)));
288 if (! nvlist_exists_nvlist(nvl, "addr"))
290 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"),
293 if (! nvlist_exists_nvlist(nvl, "mask"))
295 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"),
298 switch (addr->type) {
299 case PF_ADDR_DYNIFTL:
302 case PF_ADDR_ADDRMASK:
303 case PF_ADDR_NOROUTE:
304 case PF_ADDR_URPFFAILED:
315 pf_addr_wrap_to_nvaddr_wrap(const struct pf_addr_wrap *addr)
320 nvl = nvlist_create(0);
324 nvlist_add_number(nvl, "type", addr->type);
325 nvlist_add_number(nvl, "iflags", addr->iflags);
326 if (addr->type == PF_ADDR_DYNIFTL)
327 nvlist_add_string(nvl, "ifname", addr->v.ifname);
328 if (addr->type == PF_ADDR_TABLE)
329 nvlist_add_string(nvl, "tblname", addr->v.tblname);
331 tmp = pf_addr_to_nvaddr(&addr->v.a.addr);
334 nvlist_add_nvlist(nvl, "addr", tmp);
336 tmp = pf_addr_to_nvaddr(&addr->v.a.mask);
339 nvlist_add_nvlist(nvl, "mask", tmp);
350 pf_validate_op(uint8_t op)
372 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
376 if (! nvlist_exists_nvlist(nvl, "addr"))
379 PFNV_CHK(pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"),
381 PFNV_CHK(pf_nvuint16_array(nvl, "port", addr->port, 2, NULL));
382 PFNV_CHK(pf_nvuint8(nvl, "neg", &addr->neg));
383 PFNV_CHK(pf_nvuint8(nvl, "port_op", &addr->port_op));
385 PFNV_CHK(pf_validate_op(addr->port_op));
392 pf_rule_addr_to_nvrule_addr(const struct pf_rule_addr *addr)
397 nvl = nvlist_create(0);
401 tmp = pf_addr_wrap_to_nvaddr_wrap(&addr->addr);
404 nvlist_add_nvlist(nvl, "addr", tmp);
406 pf_uint16_array_nv(nvl, "port", addr->port, 2);
407 nvlist_add_number(nvl, "neg", addr->neg);
408 nvlist_add_number(nvl, "port_op", addr->port_op);
418 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
422 bzero(uid, sizeof(*uid));
424 PFNV_CHK(pf_nvuint32_array(nvl, "uid", uid->uid, 2, NULL));
425 PFNV_CHK(pf_nvuint8(nvl, "op", &uid->op));
427 PFNV_CHK(pf_validate_op(uid->op));
434 pf_rule_uid_to_nvrule_uid(const struct pf_rule_uid *uid)
438 nvl = nvlist_create(0);
442 pf_uint32_array_nv(nvl, "uid", uid->uid, 2);
443 nvlist_add_number(nvl, "op", uid->op);
449 pf_nvrule_gid_to_rule_gid(const nvlist_t *nvl, struct pf_rule_gid *gid)
451 /* Cheat a little. These stucts are the same, other than the name of
452 * the first field. */
453 return (pf_nvrule_uid_to_rule_uid(nvl, (struct pf_rule_uid *)gid));
457 pf_check_rule_addr(const struct pf_rule_addr *addr)
460 switch (addr->addr.type) {
461 case PF_ADDR_ADDRMASK:
462 case PF_ADDR_NOROUTE:
463 case PF_ADDR_DYNIFTL:
465 case PF_ADDR_URPFFAILED:
472 if (addr->addr.p.dyn != NULL) {
481 pf_nvrule_to_krule(const nvlist_t *nvl, struct pf_krule *rule)
485 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
487 PFNV_CHK(pf_nvuint32(nvl, "nr", &rule->nr));
489 if (! nvlist_exists_nvlist(nvl, "src"))
492 error = pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"),
497 if (! nvlist_exists_nvlist(nvl, "dst"))
500 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"),
503 if (nvlist_exists_string(nvl, "label")) {
504 PFNV_CHK(pf_nvstring(nvl, "label", rule->label[0],
505 sizeof(rule->label[0])));
506 } else if (nvlist_exists_string_array(nvl, "labels")) {
507 const char *const *strs;
511 strs = nvlist_get_string_array(nvl, "labels", &items);
512 if (items > PF_RULE_MAX_LABEL_COUNT)
515 for (size_t i = 0; i < items; i++) {
516 ret = strlcpy(rule->label[i], strs[i],
517 sizeof(rule->label[0]));
518 if (ret >= sizeof(rule->label[0]))
523 PFNV_CHK(pf_nvstring(nvl, "ifname", rule->ifname,
524 sizeof(rule->ifname)));
525 PFNV_CHK(pf_nvstring(nvl, "qname", rule->qname, sizeof(rule->qname)));
526 PFNV_CHK(pf_nvstring(nvl, "pqname", rule->pqname,
527 sizeof(rule->pqname)));
528 PFNV_CHK(pf_nvstring(nvl, "tagname", rule->tagname,
529 sizeof(rule->tagname)));
530 PFNV_CHK(pf_nvstring(nvl, "match_tagname", rule->match_tagname,
531 sizeof(rule->match_tagname)));
532 PFNV_CHK(pf_nvstring(nvl, "overload_tblname", rule->overload_tblname,
533 sizeof(rule->overload_tblname)));
535 if (! nvlist_exists_nvlist(nvl, "rpool"))
537 PFNV_CHK(pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"),
540 PFNV_CHK(pf_nvuint32(nvl, "os_fingerprint", &rule->os_fingerprint));
542 PFNV_CHK(pf_nvint(nvl, "rtableid", &rule->rtableid));
543 PFNV_CHK(pf_nvuint32_array(nvl, "timeout", rule->timeout, PFTM_MAX, NULL));
544 PFNV_CHK(pf_nvuint32(nvl, "max_states", &rule->max_states));
545 PFNV_CHK(pf_nvuint32(nvl, "max_src_nodes", &rule->max_src_nodes));
546 PFNV_CHK(pf_nvuint32(nvl, "max_src_states", &rule->max_src_states));
547 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn", &rule->max_src_conn));
548 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.limit",
549 &rule->max_src_conn_rate.limit));
550 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.seconds",
551 &rule->max_src_conn_rate.seconds));
552 PFNV_CHK(pf_nvuint32(nvl, "prob", &rule->prob));
553 PFNV_CHK(pf_nvuint32(nvl, "cuid", &rule->cuid));
554 PFNV_CHK(pf_nvuint32(nvl, "cpid", &rule->cpid));
556 PFNV_CHK(pf_nvuint16(nvl, "return_icmp", &rule->return_icmp));
557 PFNV_CHK(pf_nvuint16(nvl, "return_icmp6", &rule->return_icmp6));
559 PFNV_CHK(pf_nvuint16(nvl, "max_mss", &rule->max_mss));
560 PFNV_CHK(pf_nvuint16(nvl, "scrub_flags", &rule->scrub_flags));
562 if (! nvlist_exists_nvlist(nvl, "uid"))
564 PFNV_CHK(pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"),
567 if (! nvlist_exists_nvlist(nvl, "gid"))
569 PFNV_CHK(pf_nvrule_gid_to_rule_gid(nvlist_get_nvlist(nvl, "gid"),
572 PFNV_CHK(pf_nvuint32(nvl, "rule_flag", &rule->rule_flag));
573 PFNV_CHK(pf_nvuint8(nvl, "action", &rule->action));
574 PFNV_CHK(pf_nvuint8(nvl, "direction", &rule->direction));
575 PFNV_CHK(pf_nvuint8(nvl, "log", &rule->log));
576 PFNV_CHK(pf_nvuint8(nvl, "logif", &rule->logif));
577 PFNV_CHK(pf_nvuint8(nvl, "quick", &rule->quick));
578 PFNV_CHK(pf_nvuint8(nvl, "ifnot", &rule->ifnot));
579 PFNV_CHK(pf_nvuint8(nvl, "match_tag_not", &rule->match_tag_not));
580 PFNV_CHK(pf_nvuint8(nvl, "natpass", &rule->natpass));
582 PFNV_CHK(pf_nvuint8(nvl, "keep_state", &rule->keep_state));
583 PFNV_CHK(pf_nvuint8(nvl, "af", &rule->af));
584 PFNV_CHK(pf_nvuint8(nvl, "proto", &rule->proto));
585 PFNV_CHK(pf_nvuint8(nvl, "type", &rule->type));
586 PFNV_CHK(pf_nvuint8(nvl, "code", &rule->code));
587 PFNV_CHK(pf_nvuint8(nvl, "flags", &rule->flags));
588 PFNV_CHK(pf_nvuint8(nvl, "flagset", &rule->flagset));
589 PFNV_CHK(pf_nvuint8(nvl, "min_ttl", &rule->min_ttl));
590 PFNV_CHK(pf_nvuint8(nvl, "allow_opts", &rule->allow_opts));
591 PFNV_CHK(pf_nvuint8(nvl, "rt", &rule->rt));
592 PFNV_CHK(pf_nvuint8(nvl, "return_ttl", &rule->return_ttl));
593 PFNV_CHK(pf_nvuint8(nvl, "tos", &rule->tos));
594 PFNV_CHK(pf_nvuint8(nvl, "set_tos", &rule->set_tos));
595 PFNV_CHK(pf_nvuint8(nvl, "anchor_relative", &rule->anchor_relative));
596 PFNV_CHK(pf_nvuint8(nvl, "anchor_wildcard", &rule->anchor_wildcard));
598 PFNV_CHK(pf_nvuint8(nvl, "flush", &rule->flush));
599 PFNV_CHK(pf_nvuint8(nvl, "prio", &rule->prio));
601 PFNV_CHK(pf_nvuint8_array(nvl, "set_prio", &rule->prio, 2, NULL));
603 if (nvlist_exists_nvlist(nvl, "divert")) {
604 const nvlist_t *nvldivert = nvlist_get_nvlist(nvl, "divert");
606 if (! nvlist_exists_nvlist(nvldivert, "addr"))
608 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvldivert, "addr"),
609 &rule->divert.addr));
610 PFNV_CHK(pf_nvuint16(nvldivert, "port", &rule->divert.port));
615 if (rule->af == AF_INET)
616 ERROUT(EAFNOSUPPORT);
619 if (rule->af == AF_INET6)
620 ERROUT(EAFNOSUPPORT);
623 PFNV_CHK(pf_check_rule_addr(&rule->src));
624 PFNV_CHK(pf_check_rule_addr(&rule->dst));
634 pf_divert_to_nvdivert(const struct pf_krule *rule)
639 nvl = nvlist_create(0);
643 tmp = pf_addr_to_nvaddr(&rule->divert.addr);
646 nvlist_add_nvlist(nvl, "addr", tmp);
648 nvlist_add_number(nvl, "port", rule->divert.port);
658 pf_krule_to_nvrule(const struct pf_krule *rule)
662 nvl = nvlist_create(0);
666 nvlist_add_number(nvl, "nr", rule->nr);
667 tmp = pf_rule_addr_to_nvrule_addr(&rule->src);
670 nvlist_add_nvlist(nvl, "src", tmp);
672 tmp = pf_rule_addr_to_nvrule_addr(&rule->dst);
675 nvlist_add_nvlist(nvl, "dst", tmp);
678 for (int i = 0; i < PF_SKIP_COUNT; i++) {
679 nvlist_append_number_array(nvl, "skip",
680 rule->skip[i].ptr ? rule->skip[i].ptr->nr : -1);
683 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) {
684 nvlist_append_string_array(nvl, "labels", rule->label[i]);
686 nvlist_add_string(nvl, "label", rule->label[0]);
687 nvlist_add_string(nvl, "ifname", rule->ifname);
688 nvlist_add_string(nvl, "qname", rule->qname);
689 nvlist_add_string(nvl, "pqname", rule->pqname);
690 nvlist_add_string(nvl, "tagname", rule->tagname);
691 nvlist_add_string(nvl, "match_tagname", rule->match_tagname);
692 nvlist_add_string(nvl, "overload_tblname", rule->overload_tblname);
694 tmp = pf_pool_to_nvpool(&rule->rpool);
697 nvlist_add_nvlist(nvl, "rpool", tmp);
700 nvlist_add_number(nvl, "evaluations",
701 counter_u64_fetch(rule->evaluations));
702 for (int i = 0; i < 2; i++) {
703 nvlist_append_number_array(nvl, "packets",
704 counter_u64_fetch(rule->packets[i]));
705 nvlist_append_number_array(nvl, "bytes",
706 counter_u64_fetch(rule->bytes[i]));
709 nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint);
711 nvlist_add_number(nvl, "rtableid", rule->rtableid);
712 pf_uint32_array_nv(nvl, "timeout", rule->timeout, PFTM_MAX);
713 nvlist_add_number(nvl, "max_states", rule->max_states);
714 nvlist_add_number(nvl, "max_src_nodes", rule->max_src_nodes);
715 nvlist_add_number(nvl, "max_src_states", rule->max_src_states);
716 nvlist_add_number(nvl, "max_src_conn", rule->max_src_conn);
717 nvlist_add_number(nvl, "max_src_conn_rate.limit",
718 rule->max_src_conn_rate.limit);
719 nvlist_add_number(nvl, "max_src_conn_rate.seconds",
720 rule->max_src_conn_rate.seconds);
721 nvlist_add_number(nvl, "qid", rule->qid);
722 nvlist_add_number(nvl, "pqid", rule->pqid);
723 nvlist_add_number(nvl, "prob", rule->prob);
724 nvlist_add_number(nvl, "cuid", rule->cuid);
725 nvlist_add_number(nvl, "cpid", rule->cpid);
727 nvlist_add_number(nvl, "states_cur",
728 counter_u64_fetch(rule->states_cur));
729 nvlist_add_number(nvl, "states_tot",
730 counter_u64_fetch(rule->states_tot));
731 nvlist_add_number(nvl, "src_nodes",
732 counter_u64_fetch(rule->src_nodes));
734 nvlist_add_number(nvl, "return_icmp", rule->return_icmp);
735 nvlist_add_number(nvl, "return_icmp6", rule->return_icmp6);
737 nvlist_add_number(nvl, "max_mss", rule->max_mss);
738 nvlist_add_number(nvl, "scrub_flags", rule->scrub_flags);
740 tmp = pf_rule_uid_to_nvrule_uid(&rule->uid);
743 nvlist_add_nvlist(nvl, "uid", tmp);
745 tmp = pf_rule_uid_to_nvrule_uid((const struct pf_rule_uid *)&rule->gid);
748 nvlist_add_nvlist(nvl, "gid", tmp);
751 nvlist_add_number(nvl, "rule_flag", rule->rule_flag);
752 nvlist_add_number(nvl, "action", rule->action);
753 nvlist_add_number(nvl, "direction", rule->direction);
754 nvlist_add_number(nvl, "log", rule->log);
755 nvlist_add_number(nvl, "logif", rule->logif);
756 nvlist_add_number(nvl, "quick", rule->quick);
757 nvlist_add_number(nvl, "ifnot", rule->ifnot);
758 nvlist_add_number(nvl, "match_tag_not", rule->match_tag_not);
759 nvlist_add_number(nvl, "natpass", rule->natpass);
761 nvlist_add_number(nvl, "keep_state", rule->keep_state);
762 nvlist_add_number(nvl, "af", rule->af);
763 nvlist_add_number(nvl, "proto", rule->proto);
764 nvlist_add_number(nvl, "type", rule->type);
765 nvlist_add_number(nvl, "code", rule->code);
766 nvlist_add_number(nvl, "flags", rule->flags);
767 nvlist_add_number(nvl, "flagset", rule->flagset);
768 nvlist_add_number(nvl, "min_ttl", rule->min_ttl);
769 nvlist_add_number(nvl, "allow_opts", rule->allow_opts);
770 nvlist_add_number(nvl, "rt", rule->rt);
771 nvlist_add_number(nvl, "return_ttl", rule->return_ttl);
772 nvlist_add_number(nvl, "tos", rule->tos);
773 nvlist_add_number(nvl, "set_tos", rule->set_tos);
774 nvlist_add_number(nvl, "anchor_relative", rule->anchor_relative);
775 nvlist_add_number(nvl, "anchor_wildcard", rule->anchor_wildcard);
777 nvlist_add_number(nvl, "flush", rule->flush);
778 nvlist_add_number(nvl, "prio", rule->prio);
780 pf_uint8_array_nv(nvl, "set_prio", &rule->prio, 2);
782 tmp = pf_divert_to_nvdivert(rule);
785 nvlist_add_nvlist(nvl, "divert", tmp);
796 pf_nvstate_cmp_to_state_cmp(const nvlist_t *nvl, struct pf_state_cmp *cmp)
800 bzero(cmp, sizeof(*cmp));
802 PFNV_CHK(pf_nvuint64(nvl, "id", &cmp->id));
803 PFNV_CHK(pf_nvuint32(nvl, "creatorid", &cmp->creatorid));
804 PFNV_CHK(pf_nvuint8(nvl, "direction", &cmp->direction));
811 pf_nvstate_kill_to_kstate_kill(const nvlist_t *nvl,
812 struct pf_kstate_kill *kill)
816 bzero(kill, sizeof(*kill));
818 if (! nvlist_exists_nvlist(nvl, "cmp"))
821 PFNV_CHK(pf_nvstate_cmp_to_state_cmp(nvlist_get_nvlist(nvl, "cmp"),
823 PFNV_CHK(pf_nvuint8(nvl, "af", &kill->psk_af));
824 PFNV_CHK(pf_nvint(nvl, "proto", &kill->psk_proto));
826 if (! nvlist_exists_nvlist(nvl, "src"))
828 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"),
830 if (! nvlist_exists_nvlist(nvl, "dst"))
832 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"),
834 if (nvlist_exists_nvlist(nvl, "rt_addr")) {
835 PFNV_CHK(pf_nvrule_addr_to_rule_addr(
836 nvlist_get_nvlist(nvl, "rt_addr"), &kill->psk_rt_addr));
839 PFNV_CHK(pf_nvstring(nvl, "ifname", kill->psk_ifname,
840 sizeof(kill->psk_ifname)));
841 PFNV_CHK(pf_nvstring(nvl, "label", kill->psk_label,
842 sizeof(kill->psk_label)));
843 if (nvlist_exists_bool(nvl, "kill_match"))
844 kill->psk_kill_match = nvlist_get_bool(nvl, "kill_match");
851 pf_state_key_to_nvstate_key(const struct pf_state_key *key)
855 nvl = nvlist_create(0);
859 for (int i = 0; i < 2; i++) {
860 tmp = pf_addr_to_nvaddr(&key->addr[i]);
863 nvlist_append_nvlist_array(nvl, "addr", tmp);
864 nvlist_append_number_array(nvl, "port", key->port[i]);
866 nvlist_add_number(nvl, "af", key->af);
867 nvlist_add_number(nvl, "proto", key->proto);
877 pf_state_scrub_to_nvstate_scrub(const struct pf_state_scrub *scrub)
881 nvl = nvlist_create(0);
885 nvlist_add_bool(nvl, "timestamp", scrub->pfss_flags & PFSS_TIMESTAMP);
886 nvlist_add_number(nvl, "ttl", scrub->pfss_ttl);
887 nvlist_add_number(nvl, "ts_mod", scrub->pfss_ts_mod);
893 pf_state_peer_to_nvstate_peer(const struct pf_state_peer *peer)
897 nvl = nvlist_create(0);
902 tmp = pf_state_scrub_to_nvstate_scrub(peer->scrub);
905 nvlist_add_nvlist(nvl, "scrub", tmp);
909 nvlist_add_number(nvl, "seqlo", peer->seqlo);
910 nvlist_add_number(nvl, "seqhi", peer->seqhi);
911 nvlist_add_number(nvl, "seqdiff", peer->seqdiff);
912 nvlist_add_number(nvl, "max_win", peer->max_win);
913 nvlist_add_number(nvl, "mss", peer->mss);
914 nvlist_add_number(nvl, "state", peer->state);
915 nvlist_add_number(nvl, "wscale", peer->wscale);
925 pf_state_to_nvstate(const struct pf_state *s)
928 uint32_t expire, flags = 0;
930 nvl = nvlist_create(0);
934 nvlist_add_number(nvl, "id", s->id);
935 nvlist_add_string(nvl, "ifname", s->kif->pfik_name);
936 nvlist_add_string(nvl, "orig_ifname", s->orig_kif->pfik_name);
938 tmp = pf_state_key_to_nvstate_key(s->key[PF_SK_STACK]);
941 nvlist_add_nvlist(nvl, "stack_key", tmp);
944 tmp = pf_state_key_to_nvstate_key(s->key[PF_SK_WIRE]);
947 nvlist_add_nvlist(nvl, "wire_key", tmp);
950 tmp = pf_state_peer_to_nvstate_peer(&s->src);
953 nvlist_add_nvlist(nvl, "src", tmp);
956 tmp = pf_state_peer_to_nvstate_peer(&s->dst);
959 nvlist_add_nvlist(nvl, "dst", tmp);
962 tmp = pf_addr_to_nvaddr(&s->rt_addr);
965 nvlist_add_nvlist(nvl, "rt_addr", tmp);
968 nvlist_add_number(nvl, "rule", s->rule.ptr ? s->rule.ptr->nr : -1);
969 nvlist_add_number(nvl, "anchor",
970 s->anchor.ptr ? s->anchor.ptr->nr : -1);
971 nvlist_add_number(nvl, "nat_rule",
972 s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1);
973 nvlist_add_number(nvl, "creation", s->creation);
975 expire = pf_state_expires(s);
976 if (expire <= time_uptime)
979 expire = expire - time_uptime;
980 nvlist_add_number(nvl, "expire", expire);
982 for (int i = 0; i < 2; i++) {
983 nvlist_append_number_array(nvl, "packets",
984 counter_u64_fetch(s->packets[i]));
985 nvlist_append_number_array(nvl, "bytes",
986 counter_u64_fetch(s->bytes[i]));
989 nvlist_add_number(nvl, "creatorid", s->creatorid);
990 nvlist_add_number(nvl, "direction", s->direction);
991 nvlist_add_number(nvl, "log", s->log);
992 nvlist_add_number(nvl, "state_flags", s->state_flags);
993 nvlist_add_number(nvl, "timeout", s->timeout);
995 flags |= PFSYNC_FLAG_SRCNODE;
997 flags |= PFSYNC_FLAG_NATSRCNODE;
998 nvlist_add_number(nvl, "sync_flags", flags);
1003 nvlist_destroy(nvl);
projects / FreeBSD / FreeBSD.git / blob