2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
30 #include "opt_inet6.h"
32 #include <sys/param.h>
33 #include <sys/errno.h>
34 #include <sys/limits.h>
35 #include <sys/queue.h>
36 #include <sys/systm.h>
38 #include <netpfil/pf/pf_nv.h>
/*
 * PF_NV_IMPL_UINT(fnname, type, max) stamps out four helpers for one
 * unsigned integer type:
 *   pf_nv<fnname>_opt()    - tests nvlist_exists_number() and takes a
 *                            default (dflt) for the absent case.
 *   pf_nv<fnname>()        - tests nvlist_exists_number(), then fetches the
 *                            number into 'raw'.
 *   pf_nv<fnname>_array()  - zeroes sizeof(type) * maxelems bytes of the
 *                            caller's array, compares nitems with maxelems,
 *                            then casts each element to 'type'.
 *   pf_<fnname>_array_nv() - appends 'count' numbers to the array 'name'.
 *
 * NOTE(review): the lines that use 'max' are elided from this listing.
 * Confirm that each getter rejects raw > max before narrowing, and that the
 * array variant does the same per element ahead of `(type)n[i]`; otherwise
 * an out-of-range number is silently truncated into a rule field.
 * The nitems > maxelems test is what keeps the copy loop inside the caller's
 * buffer, so the statement it guards (also elided) must leave the function.
 */
40 #define PF_NV_IMPL_UINT(fnname, type, max) \
42 pf_nv ## fnname ## _opt(const nvlist_t *nvl, const char *name, \
43 type *val, type dflt) \
46 if (! nvlist_exists_number(nvl, name)) { \
50 raw = nvlist_get_number(nvl, name); \
57 pf_nv ## fnname(const nvlist_t *nvl, const char *name, type *val) \
60 if (! nvlist_exists_number(nvl, name)) \
62 raw = nvlist_get_number(nvl, name); \
69 pf_nv ## fnname ## _array(const nvlist_t *nvl, const char *name, \
70 type *array, size_t maxelems, size_t *nelems) \
74 bzero(array, sizeof(type) * maxelems); \
75 if (! nvlist_exists_number_array(nvl, name)) \
77 n = nvlist_get_number_array(nvl, name, &nitems); \
78 if (nitems > maxelems) \
82 for (size_t i = 0; i < nitems; i++) { \
85 array[i] = (type)n[i]; \
90 pf_ ## fnname ## _array_nv(nvlist_t *nvl, const char *name, \
91 const type *numbers, size_t count) \
94 for (size_t i = 0; i < count; i++) { \
96 nvlist_append_number_array(nvl, name, tmp); \
/*
 * Read the boolean stored under 'name' into *val.
 * The key is tested with nvlist_exists_bool() before nvlist_get_bool() runs;
 * the statement guarded by that test is elided from this listing. The test
 * has to stay ahead of the getter: libnv getters abort on a key that is
 * absent or of another type, which in kernel context means a panic.
 */
101 pf_nvbool(const nvlist_t *nvl, const char *name, bool *val)
103 if (! nvlist_exists_bool(nvl, name))
106 *val = nvlist_get_bool(nvl, name);
/*
 * Copy the binary blob stored under 'name' into 'data', a buffer of
 * expected_size bytes.
 *
 * 'data' is zeroed before anything else, so a blob shorter than
 * expected_size leaves a zero-filled tail rather than stale memory. Only
 * len > expected_size is tested: shorter blobs are accepted, so a caller
 * that needs an exact length has to check it separately.
 * The statements guarded by the two tests are elided from this listing; the
 * one under `len > expected_size` has to leave the function, because the
 * memcpy() below copies 'len' bytes, not expected_size.
 */
112 pf_nvbinary(const nvlist_t *nvl, const char *name, void *data,
113 size_t expected_size)
115 const uint8_t *nvdata;
118 bzero(data, expected_size);
120 if (! nvlist_exists_binary(nvl, name))
123 nvdata = (const uint8_t *)nvlist_get_binary(nvl, name, &len);
124 if (len > expected_size)
127 memcpy(data, nvdata, len);
/*
 * Instantiate the number helpers for the four fixed-width unsigned types;
 * the third argument is the largest value the type can hold.
 */
132 PF_NV_IMPL_UINT(uint8, uint8_t, UINT8_MAX);
133 PF_NV_IMPL_UINT(uint16, uint16_t, UINT16_MAX);
134 PF_NV_IMPL_UINT(uint32, uint32_t, UINT32_MAX);
135 PF_NV_IMPL_UINT(uint64, uint64_t, UINT64_MAX);
/*
 * Read the number stored under 'name' into *val as an int.
 * The key is tested for existence first, and the fetched value is compared
 * with INT_MAX and INT_MIN before it is used.
 * NOTE(review): the declaration of 'raw' is elided from this listing; the
 * `raw < INT_MIN` half only works if 'raw' is a signed 64-bit type -- confirm.
 */
138 pf_nvint(const nvlist_t *nvl, const char *name, int *val)
142 if (! nvlist_exists_number(nvl, name))
145 raw = nvlist_get_number(nvl, name);
146 if (raw > INT_MAX || raw < INT_MIN)
/*
 * Copy the string stored under 'name' into 'str', a buffer of maxlen bytes.
 * strlcpy() NUL-terminates (for maxlen > 0) and returns the length of the
 * source, so a result >= maxlen means the value was truncated.
 * NOTE(review): the test on 'ret' is elided from this listing; confirm that
 * truncation is reported as an error instead of being accepted, since a
 * silently shortened interface, table or tag name could match a different
 * object than the one the request named.
 */
155 pf_nvstring(const nvlist_t *nvl, const char *name, char *str, size_t maxlen)
159 if (! nvlist_exists_string(nvl, name))
162 ret = strlcpy(str, nvlist_get_string(nvl, name), maxlen);
/*
 * Fill *paddr from the binary value "addr" in 'nvl'. All bounds handling is
 * delegated to pf_nvbinary(), with sizeof(*paddr) as the destination size.
 */
170 pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *paddr)
172 return (pf_nvbinary(nvl, "addr", paddr, sizeof(*paddr)));
/*
 * Build a new nvlist holding *paddr as the binary value "addr".
 * The lines between nvlist_create() and nvlist_add_binary() are elided from
 * this listing -- presumably the NULL check on the new list; confirm.
 */
176 pf_addr_to_nvaddr(const struct pf_addr *paddr)
180 nvl = nvlist_create(0);
184 nvlist_add_binary(nvl, "addr", paddr, sizeof(*paddr));
/*
 * Fill *mape from the numbers "offset", "psidlen" and "psid" in 'nvl'.
 * *mape is zeroed first, so no field keeps a stale value if a read fails.
 * PFNV_CHK is defined outside this listing; it presumably leaves the
 * function on a non-zero result -- confirm.
 * NOTE(review): only the integer width of each field is enforced here; no
 * relation between offset, psidlen and psid is checked in the visible lines.
 */
190 pf_nvmape_to_mape(const nvlist_t *nvl, struct pf_mape_portset *mape)
194 bzero(mape, sizeof(*mape));
195 PFNV_CHK(pf_nvuint8(nvl, "offset", &mape->offset));
196 PFNV_CHK(pf_nvuint8(nvl, "psidlen", &mape->psidlen));
197 PFNV_CHK(pf_nvuint16(nvl, "psid", &mape->psid));
/*
 * Build a new nvlist with the numbers "offset", "psidlen" and "psid" taken
 * from *mape. The lines between nvlist_create() and the first add are elided
 * from this listing.
 */
204 pf_mape_to_nvmape(const struct pf_mape_portset *mape)
208 nvl = nvlist_create(0);
212 nvlist_add_number(nvl, "offset", mape->offset);
213 nvlist_add_number(nvl, "psidlen", mape->psidlen);
214 nvlist_add_number(nvl, "psid", mape->psid);
/*
 * Fill *kpool from 'nvl': "key" (binary, bounded by sizeof(kpool->key)),
 * "tblidx", "proxy_port" (at most two elements) and "opts", plus the nested
 * lists "counter" and "mape", which are decoded only when present.
 * NOTE(review): "tblidx" is accepted as any int in the visible lines; if it
 * is later used as an index, confirm that the user range-checks it.
 */
220 pf_nvpool_to_pool(const nvlist_t *nvl, struct pf_kpool *kpool)
224 PFNV_CHK(pf_nvbinary(nvl, "key", &kpool->key, sizeof(kpool->key)));
226 if (nvlist_exists_nvlist(nvl, "counter")) {
227 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "counter"),
231 PFNV_CHK(pf_nvint(nvl, "tblidx", &kpool->tblidx));
232 PFNV_CHK(pf_nvuint16_array(nvl, "proxy_port", kpool->proxy_port, 2,
234 PFNV_CHK(pf_nvuint8(nvl, "opts", &kpool->opts));
236 if (nvlist_exists_nvlist(nvl, "mape")) {
237 PFNV_CHK(pf_nvmape_to_mape(nvlist_get_nvlist(nvl, "mape"),
/*
 * Build a new nvlist describing *pool: "key", "counter", "tblidx",
 * "proxy_port", "opts" and "mape".
 * The lines that follow each encoder call are elided from this listing; they
 * presumably check 'tmp' for NULL before it is added -- confirm.
 */
246 pf_pool_to_nvpool(const struct pf_kpool *pool)
251 nvl = nvlist_create(0);
255 nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
256 tmp = pf_addr_to_nvaddr(&pool->counter);
259 nvlist_add_nvlist(nvl, "counter", tmp);
262 nvlist_add_number(nvl, "tblidx", pool->tblidx);
263 pf_uint16_array_nv(nvl, "proxy_port", pool->proxy_port, 2);
264 nvlist_add_number(nvl, "opts", pool->opts);
266 tmp = pf_mape_to_nvmape(&pool->mape);
269 nvlist_add_nvlist(nvl, "mape", tmp);
/*
 * Fill *addr from 'nvl'. *addr is zeroed first; "type" and "iflags" are
 * read, then "ifname" only for PF_ADDR_DYNIFTL and "tblname" only for
 * PF_ADDR_TABLE, each bounded by the size of its destination. The nested
 * lists "addr" and "mask" are tested for existence before they are decoded.
 * The closing switch enumerates address types; its bodies and any default
 * branch are elided from this listing.
 * NOTE(review): confirm the default branch rejects unknown types, so that an
 * unrecognised "type" value cannot reach code that interprets the union.
 */
280 pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
284 bzero(addr, sizeof(*addr));
286 PFNV_CHK(pf_nvuint8(nvl, "type", &addr->type));
287 PFNV_CHK(pf_nvuint8(nvl, "iflags", &addr->iflags));
288 if (addr->type == PF_ADDR_DYNIFTL)
289 PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname,
290 sizeof(addr->v.ifname)));
291 if (addr->type == PF_ADDR_TABLE)
292 PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname,
293 sizeof(addr->v.tblname)));
295 if (! nvlist_exists_nvlist(nvl, "addr"))
297 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"),
300 if (! nvlist_exists_nvlist(nvl, "mask"))
302 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"),
305 switch (addr->type) {
306 case PF_ADDR_DYNIFTL:
309 case PF_ADDR_ADDRMASK:
310 case PF_ADDR_NOROUTE:
311 case PF_ADDR_URPFFAILED:
/*
 * Build a new nvlist describing *addr: "type" and "iflags" always, "ifname"
 * and "dyncnt" for PF_ADDR_DYNIFTL, "tblname" and "tblcnt" for
 * PF_ADDR_TABLE, then the nested lists "addr" and "mask".
 * addr->p.dyn is NULL-checked before its two counters are summed.
 * NOTE(review): the assignment of 'kt' is elided from this listing, and no
 * NULL test on it is visible before kt->pfrkt_flags is read -- confirm the
 * table pointer is always set for PF_ADDR_TABLE entries that reach here.
 */
322 pf_addr_wrap_to_nvaddr_wrap(const struct pf_addr_wrap *addr)
327 struct pfr_ktable *kt;
329 nvl = nvlist_create(0);
333 nvlist_add_number(nvl, "type", addr->type);
334 nvlist_add_number(nvl, "iflags", addr->iflags);
335 if (addr->type == PF_ADDR_DYNIFTL) {
336 nvlist_add_string(nvl, "ifname", addr->v.ifname);
338 if (addr->p.dyn != NULL)
339 num = addr->p.dyn->pfid_acnt4 +
340 addr->p.dyn->pfid_acnt6;
341 nvlist_add_number(nvl, "dyncnt", num);
343 if (addr->type == PF_ADDR_TABLE) {
344 nvlist_add_string(nvl, "tblname", addr->v.tblname);
347 if ((kt->pfrkt_flags & PFR_TFLAG_ACTIVE) &&
348 kt->pfrkt_root != NULL)
350 if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE)
352 nvlist_add_number(nvl, "tblcnt", num);
355 tmp = pf_addr_to_nvaddr(&addr->v.a.addr);
358 nvlist_add_nvlist(nvl, "addr", tmp);
360 tmp = pf_addr_to_nvaddr(&addr->v.a.mask);
363 nvlist_add_nvlist(nvl, "mask", tmp);
/*
 * Validate a comparison-operator code. Only the signature is visible in this
 * listing; elsewhere in the file the decoders pass addr->port_op and uid->op
 * through it after reading them from the nvlist.
 */
374 pf_validate_op(uint8_t op)
/*
 * Fill *addr from 'nvl': the nested list "addr" (tested for existence, then
 * decoded by pf_nvaddr_wrap_to_addr_wrap()), "port" (at most two elements),
 * "neg" and "port_op". port_op is passed to pf_validate_op() last, so an
 * operator code that is in range for uint8_t but not a known operator is
 * still subject to that check.
 */
396 pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
400 if (! nvlist_exists_nvlist(nvl, "addr"))
403 PFNV_CHK(pf_nvaddr_wrap_to_addr_wrap(nvlist_get_nvlist(nvl, "addr"),
405 PFNV_CHK(pf_nvuint16_array(nvl, "port", addr->port, 2, NULL));
406 PFNV_CHK(pf_nvuint8(nvl, "neg", &addr->neg));
407 PFNV_CHK(pf_nvuint8(nvl, "port_op", &addr->port_op));
409 PFNV_CHK(pf_validate_op(addr->port_op));
/*
 * Build a new nvlist describing *addr: the nested list "addr", the two-element
 * array "port", and the numbers "neg" and "port_op".
 * The lines between the encoder call and nvlist_add_nvlist() are elided from
 * this listing -- presumably the NULL check on 'tmp'; confirm.
 */
416 pf_rule_addr_to_nvrule_addr(const struct pf_rule_addr *addr)
421 nvl = nvlist_create(0);
425 tmp = pf_addr_wrap_to_nvaddr_wrap(&addr->addr);
428 nvlist_add_nvlist(nvl, "addr", tmp);
430 pf_uint16_array_nv(nvl, "port", addr->port, 2);
431 nvlist_add_number(nvl, "neg", addr->neg);
432 nvlist_add_number(nvl, "port_op", addr->port_op);
/*
 * Fill *uid from 'nvl': the array "uid" (at most two elements) and the
 * operator "op". *uid is zeroed first, and the operator is passed to
 * pf_validate_op() after it has been read.
 */
442 pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
446 bzero(uid, sizeof(*uid));
448 PFNV_CHK(pf_nvuint32_array(nvl, "uid", uid->uid, 2, NULL));
449 PFNV_CHK(pf_nvuint8(nvl, "op", &uid->op));
451 PFNV_CHK(pf_validate_op(uid->op));
/*
 * Build a new nvlist describing *uid: the two-element array "uid" and the
 * number "op".
 */
458 pf_rule_uid_to_nvrule_uid(const struct pf_rule_uid *uid)
462 nvl = nvlist_create(0);
466 pf_uint32_array_nv(nvl, "uid", uid->uid, 2);
467 nvlist_add_number(nvl, "op", uid->op);
/*
 * Fill *gid from 'nvl' by handing it to the uid decoder through a pointer
 * cast. That is only sound while struct pf_rule_gid and struct pf_rule_uid
 * keep the same size and field layout; nothing visible in this listing
 * enforces it.
 * NOTE(review): a compile-time size assertion next to the two struct
 * definitions would turn silent memory corruption into a build failure if
 * the layouts ever diverge.
 */
473 pf_nvrule_gid_to_rule_gid(const nvlist_t *nvl, struct pf_rule_gid *gid)
475 /* Cheat a little. These structs are the same, other than the name of
476 * the first field. */
477 return (pf_nvrule_uid_to_rule_uid(nvl, (struct pf_rule_uid *)gid));
/*
 * Check a decoded rule address: switch on addr->addr.type, then test whether
 * addr->addr.p.dyn is non-NULL. The branch bodies are elided from this
 * listing.
 * NOTE(review): p.dyn is a kernel pointer inside a structure that was filled
 * from an nvlist; presumably a non-NULL value here is treated as an error,
 * since the decoder zeroes the structure and never sets it -- confirm.
 */
481 pf_check_rule_addr(const struct pf_rule_addr *addr)
484 switch (addr->addr.type) {
485 case PF_ADDR_ADDRMASK:
486 case PF_ADDR_NOROUTE:
487 case PF_ADDR_DYNIFTL:
489 case PF_ADDR_URPFFAILED:
496 if (addr->addr.p.dyn != NULL) {
/*
 * Decode a complete filter rule from 'nvl' into *rule.
 *
 * Every scalar goes through a width-checked getter and every string through
 * pf_nvstring() with the destination's own sizeof as the bound. The nested
 * lists "src", "dst", "rpool", "uid" and "gid" are tested for existence
 * before they are decoded; "divert" is decoded only when present.
 * Labels come either from the single string "label" or from the array
 * "labels". After decoding, rule->af is compared with AF_INET and AF_INET6
 * (the surrounding conditions are elided from this listing) and both
 * addresses go through pf_check_rule_addr().
 * "dnflags" is stored in rule->free_flags.
 *
 * NOTE(review): no zeroing of *rule is visible here, unlike the smaller
 * decoders; presumably the caller supplies an initialised rule -- confirm.
 * NOTE(review): the getters bound each field to its C type only. Fields such
 * as "action", "direction", "rt" and "rtableid" get no semantic validation
 * in the visible lines -- confirm it happens before the rule is installed.
 */
505 pf_nvrule_to_krule(const nvlist_t *nvl, struct pf_krule *rule)
509 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
511 PFNV_CHK(pf_nvuint32(nvl, "nr", &rule->nr));
513 if (! nvlist_exists_nvlist(nvl, "src"))
516 error = pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"),
521 if (! nvlist_exists_nvlist(nvl, "dst"))
524 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"),
527 if (nvlist_exists_string(nvl, "label")) {
528 PFNV_CHK(pf_nvstring(nvl, "label", rule->label[0],
529 sizeof(rule->label[0])));
530 } else if (nvlist_exists_string_array(nvl, "labels")) {
531 const char *const *strs;
535 strs = nvlist_get_string_array(nvl, "labels", &items);
/*
 * The element count is bounded before the loop indexes rule->label[],
 * and each copy is tested for truncation through strlcpy()'s result.
 */
536 if (items > PF_RULE_MAX_LABEL_COUNT)
539 for (size_t i = 0; i < items; i++) {
540 ret = strlcpy(rule->label[i], strs[i],
541 sizeof(rule->label[0]));
542 if (ret >= sizeof(rule->label[0]))
547 PFNV_CHK(pf_nvuint32_opt(nvl, "ridentifier", &rule->ridentifier, 0));
548 PFNV_CHK(pf_nvstring(nvl, "ifname", rule->ifname,
549 sizeof(rule->ifname)));
550 PFNV_CHK(pf_nvstring(nvl, "qname", rule->qname, sizeof(rule->qname)));
551 PFNV_CHK(pf_nvstring(nvl, "pqname", rule->pqname,
552 sizeof(rule->pqname)));
553 PFNV_CHK(pf_nvstring(nvl, "tagname", rule->tagname,
554 sizeof(rule->tagname)));
555 PFNV_CHK(pf_nvuint16_opt(nvl, "dnpipe", &rule->dnpipe, 0));
556 PFNV_CHK(pf_nvuint16_opt(nvl, "dnrpipe", &rule->dnrpipe, 0));
557 PFNV_CHK(pf_nvuint32_opt(nvl, "dnflags", &rule->free_flags, 0));
558 PFNV_CHK(pf_nvstring(nvl, "match_tagname", rule->match_tagname,
559 sizeof(rule->match_tagname)));
560 PFNV_CHK(pf_nvstring(nvl, "overload_tblname", rule->overload_tblname,
561 sizeof(rule->overload_tblname)));
563 if (! nvlist_exists_nvlist(nvl, "rpool"))
565 PFNV_CHK(pf_nvpool_to_pool(nvlist_get_nvlist(nvl, "rpool"),
568 PFNV_CHK(pf_nvuint32(nvl, "os_fingerprint", &rule->os_fingerprint));
570 PFNV_CHK(pf_nvint(nvl, "rtableid", &rule->rtableid));
571 PFNV_CHK(pf_nvuint32_array(nvl, "timeout", rule->timeout, PFTM_MAX, NULL));
572 PFNV_CHK(pf_nvuint32(nvl, "max_states", &rule->max_states));
573 PFNV_CHK(pf_nvuint32(nvl, "max_src_nodes", &rule->max_src_nodes));
574 PFNV_CHK(pf_nvuint32(nvl, "max_src_states", &rule->max_src_states));
575 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn", &rule->max_src_conn));
576 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.limit",
577 &rule->max_src_conn_rate.limit));
578 PFNV_CHK(pf_nvuint32(nvl, "max_src_conn_rate.seconds",
579 &rule->max_src_conn_rate.seconds));
580 PFNV_CHK(pf_nvuint32(nvl, "prob", &rule->prob));
581 PFNV_CHK(pf_nvuint32(nvl, "cuid", &rule->cuid));
582 PFNV_CHK(pf_nvuint32(nvl, "cpid", &rule->cpid));
584 PFNV_CHK(pf_nvuint16(nvl, "return_icmp", &rule->return_icmp));
585 PFNV_CHK(pf_nvuint16(nvl, "return_icmp6", &rule->return_icmp6));
587 PFNV_CHK(pf_nvuint16(nvl, "max_mss", &rule->max_mss));
588 PFNV_CHK(pf_nvuint16(nvl, "scrub_flags", &rule->scrub_flags));
590 if (! nvlist_exists_nvlist(nvl, "uid"))
592 PFNV_CHK(pf_nvrule_uid_to_rule_uid(nvlist_get_nvlist(nvl, "uid"),
595 if (! nvlist_exists_nvlist(nvl, "gid"))
597 PFNV_CHK(pf_nvrule_gid_to_rule_gid(nvlist_get_nvlist(nvl, "gid"),
600 PFNV_CHK(pf_nvuint32(nvl, "rule_flag", &rule->rule_flag));
601 PFNV_CHK(pf_nvuint8(nvl, "action", &rule->action));
602 PFNV_CHK(pf_nvuint8(nvl, "direction", &rule->direction));
603 PFNV_CHK(pf_nvuint8(nvl, "log", &rule->log));
604 PFNV_CHK(pf_nvuint8(nvl, "logif", &rule->logif));
605 PFNV_CHK(pf_nvuint8(nvl, "quick", &rule->quick));
606 PFNV_CHK(pf_nvuint8(nvl, "ifnot", &rule->ifnot));
607 PFNV_CHK(pf_nvuint8(nvl, "match_tag_not", &rule->match_tag_not));
608 PFNV_CHK(pf_nvuint8(nvl, "natpass", &rule->natpass));
610 PFNV_CHK(pf_nvuint8(nvl, "keep_state", &rule->keep_state));
611 PFNV_CHK(pf_nvuint8(nvl, "af", &rule->af));
612 PFNV_CHK(pf_nvuint8(nvl, "proto", &rule->proto));
613 PFNV_CHK(pf_nvuint8(nvl, "type", &rule->type));
614 PFNV_CHK(pf_nvuint8(nvl, "code", &rule->code));
615 PFNV_CHK(pf_nvuint8(nvl, "flags", &rule->flags));
616 PFNV_CHK(pf_nvuint8(nvl, "flagset", &rule->flagset));
617 PFNV_CHK(pf_nvuint8(nvl, "min_ttl", &rule->min_ttl));
618 PFNV_CHK(pf_nvuint8(nvl, "allow_opts", &rule->allow_opts));
619 PFNV_CHK(pf_nvuint8(nvl, "rt", &rule->rt));
620 PFNV_CHK(pf_nvuint8(nvl, "return_ttl", &rule->return_ttl));
621 PFNV_CHK(pf_nvuint8(nvl, "tos", &rule->tos));
622 PFNV_CHK(pf_nvuint8(nvl, "set_tos", &rule->set_tos));
624 PFNV_CHK(pf_nvuint8(nvl, "flush", &rule->flush));
625 PFNV_CHK(pf_nvuint8(nvl, "prio", &rule->prio));
627 PFNV_CHK(pf_nvuint8_array(nvl, "set_prio", rule->set_prio, 2, NULL));
629 if (nvlist_exists_nvlist(nvl, "divert")) {
630 const nvlist_t *nvldivert = nvlist_get_nvlist(nvl, "divert");
632 if (! nvlist_exists_nvlist(nvldivert, "addr"))
634 PFNV_CHK(pf_nvaddr_to_addr(nvlist_get_nvlist(nvldivert, "addr"),
635 &rule->divert.addr));
636 PFNV_CHK(pf_nvuint16(nvldivert, "port", &rule->divert.port));
641 if (rule->af == AF_INET)
642 ERROUT(EAFNOSUPPORT);
645 if (rule->af == AF_INET6)
646 ERROUT(EAFNOSUPPORT);
649 PFNV_CHK(pf_check_rule_addr(&rule->src));
650 PFNV_CHK(pf_check_rule_addr(&rule->dst));
/*
 * Build a new nvlist describing the divert target of *rule: the nested list
 * "addr" and the number "port". The lines between the encoder call and
 * nvlist_add_nvlist() are elided from this listing.
 */
660 pf_divert_to_nvdivert(const struct pf_krule *rule)
665 nvl = nvlist_create(0);
669 tmp = pf_addr_to_nvaddr(&rule->divert.addr);
672 nvlist_add_nvlist(nvl, "addr", tmp);
674 nvlist_add_number(nvl, "port", rule->divert.port);
/*
 * Build a new nvlist describing *rule for export: identity and match fields,
 * skip-step rule numbers, labels, queue/tag/table names, the redirection
 * pool, counters, limits, uid/gid matches, flags and the divert target.
 * A NULL skip pointer is exported as -1. rule->gid is exported through the
 * uid encoder via a pointer cast, which relies on both structs sharing one
 * layout. "dnflags" is read from rule->free_flags.
 * NOTE(review): the list carries rule->cuid, rule->cpid and live counters;
 * confirm the interface that returns it is restricted to callers entitled to
 * read the ruleset.
 */
684 pf_krule_to_nvrule(struct pf_krule *rule)
688 nvl = nvlist_create(0);
692 nvlist_add_number(nvl, "nr", rule->nr);
693 tmp = pf_rule_addr_to_nvrule_addr(&rule->src);
696 nvlist_add_nvlist(nvl, "src", tmp);
698 tmp = pf_rule_addr_to_nvrule_addr(&rule->dst);
701 nvlist_add_nvlist(nvl, "dst", tmp);
704 for (int i = 0; i < PF_SKIP_COUNT; i++) {
705 nvlist_append_number_array(nvl, "skip",
706 rule->skip[i].ptr ? rule->skip[i].ptr->nr : -1);
709 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) {
710 nvlist_append_string_array(nvl, "labels", rule->label[i]);
712 nvlist_add_string(nvl, "label", rule->label[0]);
713 nvlist_add_number(nvl, "ridentifier", rule->ridentifier);
714 nvlist_add_string(nvl, "ifname", rule->ifname);
715 nvlist_add_string(nvl, "qname", rule->qname);
716 nvlist_add_string(nvl, "pqname", rule->pqname);
717 nvlist_add_number(nvl, "dnpipe", rule->dnpipe);
718 nvlist_add_number(nvl, "dnrpipe", rule->dnrpipe);
719 nvlist_add_number(nvl, "dnflags", rule->free_flags);
720 nvlist_add_string(nvl, "tagname", rule->tagname);
721 nvlist_add_string(nvl, "match_tagname", rule->match_tagname);
722 nvlist_add_string(nvl, "overload_tblname", rule->overload_tblname);
724 tmp = pf_pool_to_nvpool(&rule->rpool);
727 nvlist_add_nvlist(nvl, "rpool", tmp);
730 nvlist_add_number(nvl, "evaluations",
731 pf_counter_u64_fetch(&rule->evaluations));
732 for (int i = 0; i < 2; i++) {
733 nvlist_append_number_array(nvl, "packets",
734 pf_counter_u64_fetch(&rule->packets[i]));
735 nvlist_append_number_array(nvl, "bytes",
736 pf_counter_u64_fetch(&rule->bytes[i]));
738 nvlist_add_number(nvl, "timestamp", pf_get_timestamp(rule));
740 nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint);
742 nvlist_add_number(nvl, "rtableid", rule->rtableid);
743 pf_uint32_array_nv(nvl, "timeout", rule->timeout, PFTM_MAX);
744 nvlist_add_number(nvl, "max_states", rule->max_states);
745 nvlist_add_number(nvl, "max_src_nodes", rule->max_src_nodes);
746 nvlist_add_number(nvl, "max_src_states", rule->max_src_states);
747 nvlist_add_number(nvl, "max_src_conn", rule->max_src_conn);
748 nvlist_add_number(nvl, "max_src_conn_rate.limit",
749 rule->max_src_conn_rate.limit);
750 nvlist_add_number(nvl, "max_src_conn_rate.seconds",
751 rule->max_src_conn_rate.seconds);
752 nvlist_add_number(nvl, "qid", rule->qid);
753 nvlist_add_number(nvl, "pqid", rule->pqid);
754 nvlist_add_number(nvl, "prob", rule->prob);
755 nvlist_add_number(nvl, "cuid", rule->cuid);
756 nvlist_add_number(nvl, "cpid", rule->cpid);
758 nvlist_add_number(nvl, "states_cur",
759 counter_u64_fetch(rule->states_cur));
760 nvlist_add_number(nvl, "states_tot",
761 counter_u64_fetch(rule->states_tot));
762 nvlist_add_number(nvl, "src_nodes",
763 counter_u64_fetch(rule->src_nodes));
765 nvlist_add_number(nvl, "return_icmp", rule->return_icmp);
766 nvlist_add_number(nvl, "return_icmp6", rule->return_icmp6);
768 nvlist_add_number(nvl, "max_mss", rule->max_mss);
769 nvlist_add_number(nvl, "scrub_flags", rule->scrub_flags);
771 tmp = pf_rule_uid_to_nvrule_uid(&rule->uid);
774 nvlist_add_nvlist(nvl, "uid", tmp);
776 tmp = pf_rule_uid_to_nvrule_uid((const struct pf_rule_uid *)&rule->gid);
779 nvlist_add_nvlist(nvl, "gid", tmp);
782 nvlist_add_number(nvl, "rule_flag", rule->rule_flag);
783 nvlist_add_number(nvl, "action", rule->action);
784 nvlist_add_number(nvl, "direction", rule->direction);
785 nvlist_add_number(nvl, "log", rule->log);
786 nvlist_add_number(nvl, "logif", rule->logif);
787 nvlist_add_number(nvl, "quick", rule->quick);
788 nvlist_add_number(nvl, "ifnot", rule->ifnot);
789 nvlist_add_number(nvl, "match_tag_not", rule->match_tag_not);
790 nvlist_add_number(nvl, "natpass", rule->natpass);
792 nvlist_add_number(nvl, "keep_state", rule->keep_state);
793 nvlist_add_number(nvl, "af", rule->af);
794 nvlist_add_number(nvl, "proto", rule->proto);
795 nvlist_add_number(nvl, "type", rule->type);
796 nvlist_add_number(nvl, "code", rule->code);
797 nvlist_add_number(nvl, "flags", rule->flags);
798 nvlist_add_number(nvl, "flagset", rule->flagset);
799 nvlist_add_number(nvl, "min_ttl", rule->min_ttl);
800 nvlist_add_number(nvl, "allow_opts", rule->allow_opts);
801 nvlist_add_number(nvl, "rt", rule->rt);
802 nvlist_add_number(nvl, "return_ttl", rule->return_ttl);
803 nvlist_add_number(nvl, "tos", rule->tos);
804 nvlist_add_number(nvl, "set_tos", rule->set_tos);
805 nvlist_add_number(nvl, "anchor_relative", rule->anchor_relative);
806 nvlist_add_number(nvl, "anchor_wildcard", rule->anchor_wildcard);
808 nvlist_add_number(nvl, "flush", rule->flush);
809 nvlist_add_number(nvl, "prio", rule->prio);
811 pf_uint8_array_nv(nvl, "set_prio", rule->set_prio, 2);
813 tmp = pf_divert_to_nvdivert(rule);
816 nvlist_add_nvlist(nvl, "divert", tmp);
/*
 * Fill *cmp from the numbers "id", "creatorid" and "direction" in 'nvl'.
 * *cmp is zeroed first, so a failed read leaves no stale field behind.
 */
827 pf_nvstate_cmp_to_state_cmp(const nvlist_t *nvl, struct pf_state_cmp *cmp)
831 bzero(cmp, sizeof(*cmp));
833 PFNV_CHK(pf_nvuint64(nvl, "id", &cmp->id));
834 PFNV_CHK(pf_nvuint32(nvl, "creatorid", &cmp->creatorid));
835 PFNV_CHK(pf_nvuint8(nvl, "direction", &cmp->direction));
/*
 * Fill *kill, the selector for a state-kill request, from 'nvl'.
 * *kill is zeroed first. The nested lists "cmp", "src" and "dst" are tested
 * for existence before they are decoded; "rt_addr" is decoded only when
 * present. "ifname" and "label" are bounded by the size of their
 * destinations.
 * NOTE(review): this selector decides which states get removed, so confirm
 * that the statements guarded by the existence tests (elided from this
 * listing) fail the request rather than leave a zeroed, match-everything
 * selector in place.
 */
842 pf_nvstate_kill_to_kstate_kill(const nvlist_t *nvl,
843 struct pf_kstate_kill *kill)
847 bzero(kill, sizeof(*kill));
849 if (! nvlist_exists_nvlist(nvl, "cmp"))
852 PFNV_CHK(pf_nvstate_cmp_to_state_cmp(nvlist_get_nvlist(nvl, "cmp"),
854 PFNV_CHK(pf_nvuint8(nvl, "af", &kill->psk_af));
855 PFNV_CHK(pf_nvint(nvl, "proto", &kill->psk_proto));
857 if (! nvlist_exists_nvlist(nvl, "src"))
859 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "src"),
861 if (! nvlist_exists_nvlist(nvl, "dst"))
863 PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"),
865 if (nvlist_exists_nvlist(nvl, "rt_addr")) {
866 PFNV_CHK(pf_nvrule_addr_to_rule_addr(
867 nvlist_get_nvlist(nvl, "rt_addr"), &kill->psk_rt_addr));
870 PFNV_CHK(pf_nvstring(nvl, "ifname", kill->psk_ifname,
871 sizeof(kill->psk_ifname)));
872 PFNV_CHK(pf_nvstring(nvl, "label", kill->psk_label,
873 sizeof(kill->psk_label)));
874 PFNV_CHK(pf_nvbool(nvl, "kill_match", &kill->psk_kill_match));
/*
 * Build a new nvlist describing *key: two-element arrays "addr" and "port",
 * and the numbers "af" and "proto". The lines between the address encoder
 * call and nvlist_append_nvlist_array() are elided from this listing.
 */
881 pf_state_key_to_nvstate_key(const struct pf_state_key *key)
885 nvl = nvlist_create(0);
889 for (int i = 0; i < 2; i++) {
890 tmp = pf_addr_to_nvaddr(&key->addr[i]);
893 nvlist_append_nvlist_array(nvl, "addr", tmp);
895 nvlist_append_number_array(nvl, "port", key->port[i]);
897 nvlist_add_number(nvl, "af", key->af);
898 nvlist_add_number(nvl, "proto", key->proto);
/*
 * Build a new nvlist describing *peer: the numbers "seqlo", "seqhi",
 * "seqdiff", "state" and "wscale".
 */
908 pf_state_peer_to_nvstate_peer(const struct pf_state_peer *peer)
912 nvl = nvlist_create(0);
916 nvlist_add_number(nvl, "seqlo", peer->seqlo);
917 nvlist_add_number(nvl, "seqhi", peer->seqhi);
918 nvlist_add_number(nvl, "seqdiff", peer->seqdiff);
919 nvlist_add_number(nvl, "state", peer->state);
920 nvlist_add_number(nvl, "wscale", peer->wscale);
/*
 * Build a new nvlist describing state *s for export: id, interface names,
 * stack and wire keys, both peers, rt_addr, rule/anchor/nat_rule numbers
 * (-1 when the pointer is NULL), creation time, remaining lifetime, packet
 * and byte counters, creator id, direction and flags.
 * "expire" is exported as time remaining: pf_state_expires(s) is compared
 * with time_uptime before the subtraction, presumably so the unsigned
 * difference is only computed when it cannot wrap (the other branch is
 * elided from this listing).
 * NOTE(review): s->kif, s->orig_kif and both s->key[] entries are
 * dereferenced with no NULL test in the visible lines; confirm callers hold
 * whatever lock keeps the state and its keys attached while this runs.
 */
926 pf_state_to_nvstate(const struct pf_kstate *s)
929 uint32_t expire, flags = 0;
931 nvl = nvlist_create(0);
935 nvlist_add_number(nvl, "id", s->id);
936 nvlist_add_string(nvl, "ifname", s->kif->pfik_name);
937 nvlist_add_string(nvl, "orig_ifname", s->orig_kif->pfik_name);
939 tmp = pf_state_key_to_nvstate_key(s->key[PF_SK_STACK]);
942 nvlist_add_nvlist(nvl, "stack_key", tmp);
945 tmp = pf_state_key_to_nvstate_key(s->key[PF_SK_WIRE]);
948 nvlist_add_nvlist(nvl, "wire_key", tmp);
951 tmp = pf_state_peer_to_nvstate_peer(&s->src);
954 nvlist_add_nvlist(nvl, "src", tmp);
957 tmp = pf_state_peer_to_nvstate_peer(&s->dst);
960 nvlist_add_nvlist(nvl, "dst", tmp);
963 tmp = pf_addr_to_nvaddr(&s->rt_addr);
966 nvlist_add_nvlist(nvl, "rt_addr", tmp);
969 nvlist_add_number(nvl, "rule", s->rule.ptr ? s->rule.ptr->nr : -1);
970 nvlist_add_number(nvl, "anchor",
971 s->anchor.ptr ? s->anchor.ptr->nr : -1);
972 nvlist_add_number(nvl, "nat_rule",
973 s->nat_rule.ptr ? s->nat_rule.ptr->nr : -1);
974 nvlist_add_number(nvl, "creation", s->creation);
976 expire = pf_state_expires(s);
977 if (expire <= time_uptime)
980 expire = expire - time_uptime;
981 nvlist_add_number(nvl, "expire", expire);
983 for (int i = 0; i < 2; i++) {
984 nvlist_append_number_array(nvl, "packets",
986 nvlist_append_number_array(nvl, "bytes",
990 nvlist_add_number(nvl, "creatorid", s->creatorid);
991 nvlist_add_number(nvl, "direction", s->direction);
992 nvlist_add_number(nvl, "state_flags", s->state_flags);
994 flags |= PFSYNC_FLAG_SRCNODE;
996 flags |= PFSYNC_FLAG_NATSRCNODE;
997 nvlist_add_number(nvl, "sync_flags", flags);
1002 nvlist_destroy(nvl);
/*
 * Fill *krule, an Ethernet rule address, from 'nvl': the binary "addr", the
 * boolean "neg", and the binary "mask" when it is present. Both binaries are
 * bounded by the size of their destination field.
 * NOTE(review): pf_nvbinary() rejects only blobs that are too long, so an
 * "addr" or "mask" shorter than the field is zero-padded rather than
 * refused; confirm that is acceptable for MAC matching.
 */
1007 pf_nveth_rule_addr_to_keth_rule_addr(const nvlist_t *nvl,
1008 struct pf_keth_rule_addr *krule)
1010 static const u_int8_t EMPTY_MAC[ETHER_ADDR_LEN] = { 0 };
1013 PFNV_CHK(pf_nvbinary(nvl, "addr", &krule->addr, sizeof(krule->addr)));
1014 PFNV_CHK(pf_nvbool(nvl, "neg", &krule->neg));
1015 if (nvlist_exists_binary(nvl, "mask"))
1016 PFNV_CHK(pf_nvbinary(nvl, "mask", &krule->mask,
1017 sizeof(krule->mask)));
1019 /* To make checks for 'is this address set?' easier. */
1020 if (memcmp(krule->addr, EMPTY_MAC, ETHER_ADDR_LEN) != 0)
/*
 * Build a new nvlist describing *krule, an Ethernet rule address: the
 * binaries "addr" and "mask" at their full field size, and the boolean "neg".
 */
1028 pf_keth_rule_addr_to_nveth_rule_addr(const struct pf_keth_rule_addr *krule)
1032 nvl = nvlist_create(0);
1036 nvlist_add_binary(nvl, "addr", &krule->addr, sizeof(krule->addr));
1037 nvlist_add_binary(nvl, "mask", &krule->mask, sizeof(krule->mask));
1038 nvlist_add_bool(nvl, "neg", krule->neg);
/*
 * Build a new nvlist describing the Ethernet rule *krule for export: labels,
 * identity and match fields, the nested lists "src", "dst", "ipsrc" and
 * "ipdst", counters, timestamp, queue/tag names, dummynet fields, anchor
 * flags, "bridge_to" and "action".
 * Each nested list is destroyed right after nvlist_add_nvlist(), so the
 * parent keeps its own copy and 'addr' does not leak. The
 * nvlist_destroy(nvl) calls sit on paths whose guarding conditions are
 * elided from this listing -- presumably the encoder-failure branches.
 */
1044 pf_keth_rule_to_nveth_rule(const struct pf_keth_rule *krule)
1046 nvlist_t *nvl, *addr;
1048 nvl = nvlist_create(0);
1052 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) {
1053 nvlist_append_string_array(nvl, "labels", krule->label[i]);
1055 nvlist_add_number(nvl, "ridentifier", krule->ridentifier);
1057 nvlist_add_number(nvl, "nr", krule->nr);
1058 nvlist_add_bool(nvl, "quick", krule->quick);
1059 nvlist_add_string(nvl, "ifname", krule->ifname);
1060 nvlist_add_bool(nvl, "ifnot", krule->ifnot);
1061 nvlist_add_number(nvl, "direction", krule->direction);
1062 nvlist_add_number(nvl, "proto", krule->proto);
1063 nvlist_add_string(nvl, "match_tagname", krule->match_tagname);
1064 nvlist_add_number(nvl, "match_tag", krule->match_tag);
1065 nvlist_add_bool(nvl, "match_tag_not", krule->match_tag_not);
1067 addr = pf_keth_rule_addr_to_nveth_rule_addr(&krule->src);
1069 nvlist_destroy(nvl);
1072 nvlist_add_nvlist(nvl, "src", addr);
1073 nvlist_destroy(addr);
1075 addr = pf_keth_rule_addr_to_nveth_rule_addr(&krule->dst);
1077 nvlist_destroy(nvl);
1080 nvlist_add_nvlist(nvl, "dst", addr);
1081 nvlist_destroy(addr);
1083 addr = pf_rule_addr_to_nvrule_addr(&krule->ipsrc);
1085 nvlist_destroy(nvl);
1088 nvlist_add_nvlist(nvl, "ipsrc", addr);
1089 nvlist_destroy(addr);
1091 addr = pf_rule_addr_to_nvrule_addr(&krule->ipdst);
1093 nvlist_destroy(nvl);
1096 nvlist_add_nvlist(nvl, "ipdst", addr);
1097 nvlist_destroy(addr);
1099 nvlist_add_number(nvl, "evaluations",
1100 counter_u64_fetch(krule->evaluations));
1101 nvlist_add_number(nvl, "packets-in",
1102 counter_u64_fetch(krule->packets[0]));
1103 nvlist_add_number(nvl, "packets-out",
1104 counter_u64_fetch(krule->packets[1]));
1105 nvlist_add_number(nvl, "bytes-in",
1106 counter_u64_fetch(krule->bytes[0]));
1107 nvlist_add_number(nvl, "bytes-out",
1108 counter_u64_fetch(krule->bytes[1]));
1110 nvlist_add_number(nvl, "timestamp", pf_get_timestamp(krule));
1111 nvlist_add_string(nvl, "qname", krule->qname);
1112 nvlist_add_string(nvl, "tagname", krule->tagname);
1114 nvlist_add_number(nvl, "dnpipe", krule->dnpipe);
1115 nvlist_add_number(nvl, "dnflags", krule->dnflags);
1117 nvlist_add_number(nvl, "anchor_relative", krule->anchor_relative);
1118 nvlist_add_number(nvl, "anchor_wildcard", krule->anchor_wildcard);
1120 nvlist_add_string(nvl, "bridge_to", krule->bridge_to_name);
1121 nvlist_add_number(nvl, "action", krule->action);
1127 pf_nveth_rule_to_keth_rule(const nvlist_t *nvl,
1128 struct pf_keth_rule *krule)
1132 #define ERROUT(x) ERROUT_FUNCTION(errout, x)
1134 bzero(krule, sizeof(*krule));
1136 if (nvlist_exists_string_array(nvl, "labels")) {
1137 const char *const *strs;
1141 strs = nvlist_get_string_array(nvl, "labels", &items);
1142 if (items > PF_RULE_MAX_LABEL_COUNT)
1145 for (size_t i = 0; i < items; i++) {
1146 ret = strlcpy(krule->label[i], strs[i],
1147 sizeof(krule->label[0]));
1148 if (ret >= sizeof(krule->label[0]))
1153 PFNV_CHK(pf_nvuint32_opt(nvl, "ridentifier", &krule->ridentifier, 0));
1155 PFNV_CHK(pf_nvuint32(nvl, "nr", &krule->nr));
1156 PFNV_CHK(pf_nvbool(nvl, "quick", &krule->quick));
1157 PFNV_CHK(pf_nvstring(nvl, "ifname", krule->ifname,
1158 sizeof(krule->ifname)));
1159 PFNV_CHK(pf_nvbool(nvl, "ifnot", &krule->ifnot));
1160 PFNV_CHK(pf_nvuint8(nvl, "direction", &krule->direction));
1161 PFNV_CHK(pf_nvuint16(nvl, "proto", &krule->proto));
1163 if (nvlist_exists_nvlist(nvl, "src")) {
1164 error = pf_nveth_rule_addr_to_keth_rule_addr(
1165 nvlist_get_nvlist(nvl, "src"), &krule->src);
1169 if (nvlist_exists_nvlist(nvl, "dst")) {
1170 error = pf_nveth_rule_addr_to_keth_rule_addr(
1171 nvlist_get_nvlist(nvl, "dst"), &krule->dst);
1176 if (nvlist_exists_nvlist(nvl, "ipsrc")) {
1177 error = pf_nvrule_addr_to_rule_addr(
1178 nvlist_get_nvlist(nvl, "ipsrc"), &krule->ipsrc);
1182 if (krule->ipsrc.addr.type != PF_ADDR_ADDRMASK &&
1183 krule->ipsrc.addr.type != PF_ADDR_TABLE)
1187 if (nvlist_exists_nvlist(nvl, "ipdst")) {
1188 error = pf_nvrule_addr_to_rule_addr(
1189 nvlist_get_nvlist(nvl, "ipdst"), &krule->ipdst);
1193 if (krule->ipdst.addr.type != PF_ADDR_ADDRMASK &&
1194 krule->ipdst.addr.type != PF_ADDR_TABLE)
1198 if (nvlist_exists_string(nvl, "match_tagname")) {
1199 PFNV_CHK(pf_nvstring(nvl, "match_tagname", krule->match_tagname,
1200 sizeof(krule->match_tagname)));
1201 PFNV_CHK(pf_nvbool(nvl, "match_tag_not", &krule->match_tag_not));
1204 PFNV_CHK(pf_nvstring(nvl, "qname", krule->qname, sizeof(krule->qname)));
1205 PFNV_CHK(pf_nvstring(nvl, "tagname", krule->tagname,
1206 sizeof(krule->tagname)));
1208 PFNV_CHK(pf_nvuint16_opt(nvl, "dnpipe", &krule->dnpipe, 0));
1209 PFNV_CHK(pf_nvuint32_opt(nvl, "dnflags", &krule->dnflags, 0));
1210 PFNV_CHK(pf_nvstring(nvl, "bridge_to", krule->bridge_to_name,
1211 sizeof(krule->bridge_to_name)));
1213 PFNV_CHK(pf_nvuint8(nvl, "action", &krule->action));
1215 if (krule->action != PF_PASS && krule->action != PF_DROP &&
1216 krule->action != PF_MATCH)