From e055cd8e7a2c6ba5a96ec095290ad4893bb38f88 Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Thu, 8 Apr 2021 10:31:46 +0200 Subject: [PATCH] libpfctl: Switch to pfctl_rule Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled. Reviewed by: glebius MFC after: 4 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29644 (cherry picked from commit e9eb09414a8de8f3329f51b48c90a5e5ac8f09cf) --- contrib/pf/ftp-proxy/filter.c | 100 +++++++-------- contrib/pf/tftp-proxy/filter.c | 90 +++++++------- lib/libpfctl/libpfctl.c | 10 +- lib/libpfctl/libpfctl.h | 143 +++++++++++++++++++++- sbin/pfctl/parse.y | 52 ++++---- sbin/pfctl/pf_ruleset.c | 63 +++++----- sbin/pfctl/pfctl.c | 91 +++++++------- sbin/pfctl/pfctl.h | 14 ++- sbin/pfctl/pfctl_optimize.c | 82 ++++++------- sbin/pfctl/pfctl_parser.c | 2 +- sbin/pfctl/pfctl_parser.h | 14 ++- usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c | 17 +-- 12 files changed, 416 insertions(+), 262 deletions(-) diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c index db3735565da..dad6324808b 100644 --- a/contrib/pf/ftp-proxy/filter.c +++ b/contrib/pf/ftp-proxy/filter.c @@ -50,7 +50,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *, struct sockaddr_in6 *); static struct pfioc_pooladdr pfp; -static struct pfioc_rule pfr; +static struct pfctl_rule pfrule; +static char pfanchor[PF_ANCHOR_NAME_SIZE]; +static char pfanchor_call[PF_ANCHOR_NAME_SIZE]; +static uint32_t pfticket; +static uint32_t pfpool_ticket; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; @@ -68,9 +72,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1) return (-1); - pfr.rule.direction = dir; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.direction = dir; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -99,14 +103,14 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(nat)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); - pfr.rule.rpool.proxy_port[0] = nat_range_low; - pfr.rule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = nat_range_low; + pfrule.rpool.proxy_port[1] = nat_range_high; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -134,13 +138,13 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(rdr)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); - pfr.rule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = rdr_port; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -237,21 +241,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } memset(&pfp, 0, sizeof pfp); - memset(&pfr, 0, sizeof pfr); + memset(&pfrule, 0, sizeof pfrule); snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id); strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE); - strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE); + strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE); switch (rs_num) { case PF_RULESET_FILTER: - pfr.ticket = pfte[TRANS_FILTER].ticket; + pfticket = pfte[TRANS_FILTER].ticket; break; case PF_RULESET_NAT: - pfr.ticket = pfte[TRANS_NAT].ticket; + pfticket = pfte[TRANS_NAT].ticket; break; case PF_RULESET_RDR: - pfr.ticket = pfte[TRANS_RDR].ticket; + pfticket = pfte[TRANS_RDR].ticket; break; default: errno = EINVAL; @@ -259,30 +263,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) return (-1); - pfr.pool_ticket = pfp.ticket; + pfpool_ticket = pfp.ticket; /* Generic for all rule types. */ - pfr.rule.af = src->sa_family; - pfr.rule.proto = IPPROTO_TCP; - pfr.rule.src.addr.type = PF_ADDR_ADDRMASK; - pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; + pfrule.af = src->sa_family; + pfrule.proto = IPPROTO_TCP; + pfrule.src.addr.type = PF_ADDR_ADDRMASK; + pfrule.dst.addr.type = PF_ADDR_ADDRMASK; if (src->sa_family == AF_INET) { - memcpy(&pfr.rule.src.addr.v.a.addr.v4, + memcpy(&pfrule.src.addr.v.a.addr.v4, &satosin(src)->sin_addr.s_addr, 4); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4); - memcpy(&pfr.rule.dst.addr.v.a.addr.v4, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4); + memcpy(&pfrule.dst.addr.v.a.addr.v4, &satosin(dst)->sin_addr.s_addr, 4); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4); } else { - memcpy(&pfr.rule.src.addr.v.a.addr.v6, + memcpy(&pfrule.src.addr.v.a.addr.v6, &satosin6(src)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16); - memcpy(&pfr.rule.dst.addr.v.a.addr.v6, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16); + memcpy(&pfrule.dst.addr.v.a.addr.v6, &satosin6(dst)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16); } - pfr.rule.dst.port_op = PF_OP_EQ; - pfr.rule.dst.port[0] = htons(d_port); + pfrule.dst.port_op = PF_OP_EQ; + pfrule.dst.port[0] = htons(d_port); switch (rs_num) { case PF_RULESET_FILTER: @@ -291,32 +295,32 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, * from $src to $dst port = $d_port flags S/SA keep state * (max 1) [queue qname] [tag tagname] */ - pfr.rule.action = PF_PASS; - pfr.rule.quick = 1; - pfr.rule.log = rule_log; - pfr.rule.keep_state = 1; - pfr.rule.flags = TH_SYN; - pfr.rule.flagset = (TH_SYN|TH_ACK); - pfr.rule.max_states = 1; + pfrule.action = PF_PASS; + pfrule.quick = 1; + pfrule.log = rule_log; + pfrule.keep_state = 1; + pfrule.flags = TH_SYN; + pfrule.flagset = (TH_SYN|TH_ACK); + pfrule.max_states = 1; if (qname != NULL) - strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname); + strlcpy(pfrule.qname, qname, sizeof pfrule.qname); if (tagname != NULL) { - pfr.rule.quick = 0; - strlcpy(pfr.rule.tagname, tagname, - sizeof pfr.rule.tagname); + pfrule.quick = 0; + strlcpy(pfrule.tagname, tagname, + sizeof pfrule.tagname); } break; case PF_RULESET_NAT: /* * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat */ - pfr.rule.action = PF_NAT; + pfrule.action = PF_NAT; break; case PF_RULESET_RDR: /* * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr */ - pfr.rule.action = PF_RDR; + pfrule.action = PF_RDR; break; default: errno = EINVAL; diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c index 0b87d568809..1689d3465fd 100644 --- a/contrib/pf/tftp-proxy/filter.c +++ b/contrib/pf/tftp-proxy/filter.c @@ -54,7 +54,11 @@ int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *, struct sockaddr_in6 *, u_int8_t); static struct pfioc_pooladdr pfp; -static struct pfioc_rule pfr; +static struct pfctl_rule pfrule; +static uint32_t pfticket; +static uint32_t pfpool_ticket; +static char pfanchor[PF_ANCHOR_NAME_SIZE]; +static char pfanchor_call[PF_ANCHOR_NAME_SIZE]; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; @@ -72,9 +76,9 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1) return (-1); - pfr.rule.direction = dir; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.direction = dir; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -106,10 +110,10 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, if (ioctl(dev, DIOCADDADDR, &pfp) == -1) return (-1); - pfr.rule.rpool.proxy_port[0] = nat_range_low; - pfr.rule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = nat_range_low; + pfrule.rpool.proxy_port[1] = nat_range_high; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -140,9 +144,9 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, if (ioctl(dev, DIOCADDADDR, &pfp) == -1) return (-1); - pfr.rule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call, - pfr.ticket, pfr.pool_ticket)) + pfrule.rpool.proxy_port[0] = rdr_port; + if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + pfticket, pfpool_ticket)) return (-1); return (0); @@ -244,21 +248,21 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } memset(&pfp, 0, sizeof pfp); - memset(&pfr, 0, sizeof pfr); + memset(&pfrule, 0, sizeof pfrule); snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id); strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE); - strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE); + strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE); switch (rs_num) { case PF_RULESET_FILTER: - pfr.ticket = pfte[TRANS_FILTER].ticket; + pfticket = pfte[TRANS_FILTER].ticket; break; case PF_RULESET_NAT: - pfr.ticket = pfte[TRANS_NAT].ticket; + pfticket = pfte[TRANS_NAT].ticket; break; case PF_RULESET_RDR: - pfr.ticket = pfte[TRANS_RDR].ticket; + pfticket = pfte[TRANS_RDR].ticket; break; default: errno = EINVAL; @@ -266,30 +270,30 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, } if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) return (-1); - pfr.pool_ticket = pfp.ticket; + pfpool_ticket = pfp.ticket; /* Generic for all rule types. */ - pfr.rule.af = src->sa_family; - pfr.rule.proto = proto; - pfr.rule.src.addr.type = PF_ADDR_ADDRMASK; - pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; + pfrule.af = src->sa_family; + pfrule.proto = proto; + pfrule.src.addr.type = PF_ADDR_ADDRMASK; + pfrule.dst.addr.type = PF_ADDR_ADDRMASK; if (src->sa_family == AF_INET) { - memcpy(&pfr.rule.src.addr.v.a.addr.v4, + memcpy(&pfrule.src.addr.v.a.addr.v4, &satosin(src)->sin_addr.s_addr, 4); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4); - memcpy(&pfr.rule.dst.addr.v.a.addr.v4, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4); + memcpy(&pfrule.dst.addr.v.a.addr.v4, &satosin(dst)->sin_addr.s_addr, 4); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4); } else { - memcpy(&pfr.rule.src.addr.v.a.addr.v6, + memcpy(&pfrule.src.addr.v.a.addr.v6, &satosin6(src)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16); - memcpy(&pfr.rule.dst.addr.v.a.addr.v6, + memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16); + memcpy(&pfrule.dst.addr.v.a.addr.v6, &satosin6(dst)->sin6_addr.s6_addr, 16); - memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16); + memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16); } - pfr.rule.dst.port_op = PF_OP_EQ; - pfr.rule.dst.port[0] = htons(d_port); + pfrule.dst.port_op = PF_OP_EQ; + pfrule.dst.port[0] = htons(d_port); switch (rs_num) { case PF_RULESET_FILTER: @@ -298,34 +302,34 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, * from $src to $dst port = $d_port flags S/SAFR keep state * (max 1) [queue qname] */ - pfr.rule.action = PF_PASS; - pfr.rule.quick = 1; - pfr.rule.log = rule_log; - pfr.rule.keep_state = 1; + pfrule.action = PF_PASS; + pfrule.quick = 1; + pfrule.log = rule_log; + pfrule.keep_state = 1; #ifdef __FreeBSD__ - pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0); - pfr.rule.flagset = (proto == IPPROTO_TCP ? + pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0); + pfrule.flagset = (proto == IPPROTO_TCP ? (TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0); #else - pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL); - pfr.rule.flagset = (proto == IPPROTO_TCP ? + pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL); + pfrule.flagset = (proto == IPPROTO_TCP ? (TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL); #endif - pfr.rule.max_states = 1; + pfrule.max_states = 1; if (qname != NULL) - strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname); + strlcpy(pfrule.qname, qname, sizeof pfrule.qname); break; case PF_RULESET_NAT: /* * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat */ - pfr.rule.action = PF_NAT; + pfrule.action = PF_NAT; break; case PF_RULESET_RDR: /* * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr */ - pfr.rule.action = PF_RDR; + pfrule.action = PF_RDR; break; default: errno = EINVAL; diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index e0d429112f5..dc174d8d5b7 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -256,7 +256,7 @@ pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid) static void pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, - const struct pf_rule *r) + const struct pfctl_rule *r) { nvlist_t *nvl = nvlist_create(0); @@ -267,14 +267,14 @@ pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, } static void -pf_nvdivert_to_divert(const nvlist_t *nvl, struct pf_rule *rule) +pf_nvdivert_to_divert(const nvlist_t *nvl, struct pfctl_rule *rule) { pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr); rule->divert.port = nvlist_get_number(nvl, "port"); } static void -pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule) +pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule) { const uint64_t *skip; size_t skipcount; @@ -373,7 +373,7 @@ pf_nvrule_to_rule(const nvlist_t *nvl, struct pf_rule *rule) } int -pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, +pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor, const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket) { struct pfioc_nv nv; @@ -482,7 +482,7 @@ pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor, - u_int32_t ruleset, struct pf_rule *rule, char *anchor_call) + u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call) { struct pfioc_nv nv; nvlist_t *nvl; diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index 65ff2179f23..99683061948 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -36,10 +36,147 @@ #include +struct pfctl_anchor; + +struct pfctl_rule { + struct pf_rule_addr src; + struct pf_rule_addr dst; + union pf_rule_ptr skip[PF_SKIP_COUNT]; + char label[PF_RULE_LABEL_SIZE]; + char ifname[IFNAMSIZ]; + char qname[PF_QNAME_SIZE]; + char pqname[PF_QNAME_SIZE]; + char tagname[PF_TAG_NAME_SIZE]; + char match_tagname[PF_TAG_NAME_SIZE]; + + char overload_tblname[PF_TABLE_NAME_SIZE]; + + TAILQ_ENTRY(pfctl_rule) entries; + struct pf_pool rpool; + + u_int64_t evaluations; + u_int64_t packets[2]; + u_int64_t bytes[2]; + + struct pfi_kif *kif; + struct pfctl_anchor *anchor; + struct pfr_ktable *overload_tbl; + + pf_osfp_t os_fingerprint; + + int rtableid; + u_int32_t timeout[PFTM_MAX]; + u_int32_t max_states; + u_int32_t max_src_nodes; + u_int32_t max_src_states; + u_int32_t max_src_conn; + struct { + u_int32_t limit; + u_int32_t seconds; + } max_src_conn_rate; + u_int32_t qid; + u_int32_t pqid; + u_int32_t nr; + u_int32_t prob; + uid_t cuid; + pid_t cpid; + + counter_u64_t states_cur; + counter_u64_t states_tot; + counter_u64_t src_nodes; + + u_int16_t return_icmp; + u_int16_t return_icmp6; + u_int16_t max_mss; + u_int16_t tag; + u_int16_t match_tag; + u_int16_t scrub_flags; + + struct pf_rule_uid uid; + struct pf_rule_gid gid; + + u_int32_t rule_flag; + u_int8_t action; + u_int8_t direction; + u_int8_t log; + u_int8_t logif; + u_int8_t quick; + u_int8_t ifnot; + u_int8_t match_tag_not; + u_int8_t natpass; + + u_int8_t keep_state; + sa_family_t af; + u_int8_t proto; + u_int8_t type; + u_int8_t code; + u_int8_t flags; + u_int8_t flagset; + u_int8_t min_ttl; + u_int8_t allow_opts; + u_int8_t rt; + u_int8_t return_ttl; + u_int8_t tos; + u_int8_t set_tos; + u_int8_t anchor_relative; + u_int8_t anchor_wildcard; + + u_int8_t flush; + u_int8_t prio; + u_int8_t set_prio[2]; + + struct { + struct pf_addr addr; + u_int16_t port; + } divert; + + uint64_t u_states_cur; + uint64_t u_states_tot; + uint64_t u_src_nodes; +}; + +TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); + +struct pfctl_ruleset { + struct { + struct pfctl_rulequeue queues[2]; + struct { + struct pfctl_rulequeue *ptr; + struct pfctl_rule **ptr_array; + u_int32_t rcount; + u_int32_t ticket; + int open; + } active, inactive; + } rules[PF_RULESET_MAX]; + struct pfctl_anchor *anchor; + u_int32_t tticket; + int tables; + int topen; +}; + +RB_HEAD(pfctl_anchor_global, pfctl_anchor); +RB_HEAD(pfctl_anchor_node, pfctl_anchor); +struct pfctl_anchor { + RB_ENTRY(pfctl_anchor) entry_global; + RB_ENTRY(pfctl_anchor) entry_node; + struct pfctl_anchor *parent; + struct pfctl_anchor_node children; + char name[PF_ANCHOR_NAME_SIZE]; + char path[MAXPATHLEN]; + struct pfctl_ruleset ruleset; + int refcnt; /* anchor rules */ + int match; /* XXX: used for pfctl black magic */ +}; +RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, + pf_anchor_compare); +RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, + pf_anchor_compare); + int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, - const char *anchor, u_int32_t ruleset, struct pf_rule *rule, + const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call); -int pfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, - const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket); +int pfctl_add_rule(int dev, const struct pfctl_rule *r, + const char *anchor, const char *anchor_call, u_int32_t ticket, + u_int32_t pool_ticket); #endif diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 56c1f82e39a..ff4eca03f4c 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -317,10 +317,10 @@ static struct node_state_opt *keep_state_defaults = NULL; int disallow_table(struct node_host *, const char *); int disallow_urpf_failed(struct node_host *, const char *); int disallow_alias(struct node_host *, const char *); -int rule_consistent(struct pf_rule *, int); -int filter_consistent(struct pf_rule *, int); -int nat_consistent(struct pf_rule *); -int rdr_consistent(struct pf_rule *); +int rule_consistent(struct pfctl_rule *, int); +int filter_consistent(struct pfctl_rule *, int); +int nat_consistent(struct pfctl_rule *); +int rdr_consistent(struct pfctl_rule *); int process_tabledef(char *, struct table_opts *); void expand_label_str(char *, size_t, const char *, const char *); void expand_label_if(const char *, char *, size_t, const char *); @@ -333,7 +333,7 @@ void expand_label_nr(const char *, char *, size_t); void expand_label(char *, size_t, const char *, u_int8_t, struct node_host *, struct node_port *, struct node_host *, struct node_port *, u_int8_t); -void expand_rule(struct pf_rule *, struct node_if *, +void expand_rule(struct pfctl_rule *, struct node_if *, struct node_host *, struct node_proto *, struct node_os *, struct node_host *, struct node_port *, struct node_host *, struct node_port *, struct node_uid *, struct node_gid *, @@ -348,10 +348,10 @@ int expand_skip_interface(struct node_if *); int check_rulestate(int); int getservice(char *); -int rule_label(struct pf_rule *, char *); +int rule_label(struct pfctl_rule *, char *); int rt_tableid_max(void); -void mv_rules(struct pf_ruleset *, struct pf_ruleset *); +void mv_rules(struct pfctl_ruleset *, struct pfctl_ruleset *); void decide_address_family(struct node_host *, sa_family_t *); void remove_invalid_hosts(struct node_host **, sa_family_t *); int invalid_redirect(struct node_host *, sa_family_t); @@ -780,7 +780,7 @@ pfa_anchorlist : /* empty */ pfa_anchor : '{' { char ta[PF_ANCHOR_NAME_SIZE]; - struct pf_ruleset *rs; + struct pfctl_ruleset *rs; /* steping into a brace anchor */ pf->asd++; @@ -806,7 +806,7 @@ pfa_anchor : '{' anchorrule : ANCHOR anchorname dir quick interface af proto fromto filter_opts pfa_anchor { - struct pf_rule r; + struct pfctl_rule r; struct node_proto *proto; if (check_rulestate(PFCTL_STATE_FILTER)) { @@ -825,7 +825,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto memset(&r, 0, sizeof(r)); if (pf->astack[pf->asd + 1]) { /* move inline rules into relative location */ - pf_anchor_setup(&r, + pfctl_anchor_setup(&r, &pf->astack[pf->asd]->ruleset, $2 ? $2 : pf->alast->name); @@ -938,7 +938,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto pf->astack[pf->asd + 1] = NULL; } | NATANCHOR string interface af proto fromto rtable { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) { free($2); @@ -959,7 +959,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto free($2); } | RDRANCHOR string interface af proto fromto rtable { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) { free($2); @@ -1001,7 +1001,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto free($2); } | BINATANCHOR string interface af proto fromto rtable { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) { free($2); @@ -1079,7 +1079,7 @@ scrubaction : no SCRUB { scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_SCRUB)) YYERROR; @@ -1239,7 +1239,7 @@ fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } ; antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { - struct pf_rule r; + struct pfctl_rule r; struct node_host *h = NULL, *hh; struct node_if *i, *j; @@ -2014,7 +2014,7 @@ qassign_item : STRING { pfrule : action dir logquick interface route af proto fromto filter_opts { - struct pf_rule r; + struct pfctl_rule r; struct node_state_opt *o; struct node_proto *proto; int srctrack = 0; @@ -4063,7 +4063,7 @@ nataction : no NAT natpasslog { natrule : nataction interface af proto fromto tag tagged rtable redirpool pool_opts { - struct pf_rule r; + struct pfctl_rule r; if (check_rulestate(PFCTL_STATE_NAT)) YYERROR; @@ -4222,7 +4222,7 @@ natrule : nataction interface af proto fromto tag tagged rtable binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag tagged rtable redirection { - struct pf_rule binat; + struct pfctl_rule binat; struct pf_pooladdr *pa; if (check_rulestate(PFCTL_STATE_NAT)) @@ -4607,7 +4607,7 @@ disallow_alias(struct node_host *h, const char *fmt) } int -rule_consistent(struct pf_rule *r, int anchor_call) +rule_consistent(struct pfctl_rule *r, int anchor_call) { int problems = 0; @@ -4635,7 +4635,7 @@ rule_consistent(struct pf_rule *r, int anchor_call) } int -filter_consistent(struct pf_rule *r, int anchor_call) +filter_consistent(struct pfctl_rule *r, int anchor_call) { int problems = 0; @@ -4698,13 +4698,13 @@ filter_consistent(struct pf_rule *r, int anchor_call) } int -nat_consistent(struct pf_rule *r) +nat_consistent(struct pfctl_rule *r) { return (0); /* yeah! */ } int -rdr_consistent(struct pf_rule *r) +rdr_consistent(struct pfctl_rule *r) { int problems = 0; @@ -5240,7 +5240,7 @@ expand_queue(struct pf_altq *a, struct node_if *interfaces, } void -expand_rule(struct pf_rule *r, +expand_rule(struct pfctl_rule *r, struct node_if *interfaces, struct node_host *rpool_hosts, struct node_proto *protos, struct node_os *src_oses, struct node_host *src_hosts, struct node_port *src_ports, @@ -6072,10 +6072,10 @@ symget(const char *nam) } void -mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst) +mv_rules(struct pfctl_ruleset *src, struct pfctl_ruleset *dst) { int i; - struct pf_rule *r; + struct pfctl_rule *r; for (i = 0; i < PF_RULESET_MAX; ++i) { while ((r = TAILQ_FIRST(src->rules[i].active.ptr)) @@ -6206,7 +6206,7 @@ getservice(char *n) } int -rule_label(struct pf_rule *r, char *s) +rule_label(struct pfctl_rule *r, char *s) { if (s) { if (strlcpy(r->label, s, sizeof(r->label)) >= diff --git a/sbin/pfctl/pf_ruleset.c b/sbin/pfctl/pf_ruleset.c index baac1deb4fa..f5cddf48187 100644 --- a/sbin/pfctl/pf_ruleset.c +++ b/sbin/pfctl/pf_ruleset.c @@ -73,22 +73,23 @@ __FBSDID("$FreeBSD$"); #define DPFPRINTF(format, x...) ((void)0) #endif /* PFDEBUG */ -struct pf_anchor_global pf_anchors; -struct pf_anchor pf_main_anchor; +struct pfctl_anchor_global pf_anchors; +struct pfctl_anchor pf_main_anchor; #undef V_pf_anchors #define V_pf_anchors pf_anchors #undef pf_main_ruleset #define pf_main_ruleset pf_main_anchor.ruleset -static __inline int pf_anchor_compare(struct pf_anchor *, - struct pf_anchor *); -static struct pf_anchor *pf_find_anchor(const char *); +static __inline int pf_anchor_compare(struct pfctl_anchor *, + struct pfctl_anchor *); +static struct pfctl_anchor *pf_find_anchor(const char *); -RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); -RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); +RB_GENERATE(pfctl_anchor_global, pfctl_anchor, entry_global, + pf_anchor_compare); +RB_GENERATE(pfctl_anchor_node, pfctl_anchor, entry_node, pf_anchor_compare); static __inline int -pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b) +pf_anchor_compare(struct pfctl_anchor *a, struct pfctl_anchor *b) { int c = strcmp(a->path, b->path); @@ -126,11 +127,11 @@ pf_get_ruleset_number(u_int8_t action) } void -pf_init_ruleset(struct pf_ruleset *ruleset) +pf_init_ruleset(struct pfctl_ruleset *ruleset) { int i; - memset(ruleset, 0, sizeof(struct pf_ruleset)); + memset(ruleset, 0, sizeof(struct pfctl_ruleset)); for (i = 0; i < PF_RULESET_MAX; i++) { TAILQ_INIT(&ruleset->rules[i].queues[0]); TAILQ_INIT(&ruleset->rules[i].queues[1]); @@ -139,24 +140,24 @@ pf_init_ruleset(struct pf_ruleset *ruleset) } } -static struct pf_anchor * +static struct pfctl_anchor * pf_find_anchor(const char *path) { - struct pf_anchor *key, *found; + struct pfctl_anchor *key, *found; - key = (struct pf_anchor *)rs_malloc(sizeof(*key)); + key = (struct pfctl_anchor *)rs_malloc(sizeof(*key)); if (key == NULL) return (NULL); strlcpy(key->path, path, sizeof(key->path)); - found = RB_FIND(pf_anchor_global, &V_pf_anchors, key); + found = RB_FIND(pfctl_anchor_global, &V_pf_anchors, key); rs_free(key); return (found); } -struct pf_ruleset * +struct pfctl_ruleset * pf_find_ruleset(const char *path) { - struct pf_anchor *anchor; + struct pfctl_anchor *anchor; while (*path == '/') path++; @@ -169,12 +170,12 @@ pf_find_ruleset(const char *path) return (&anchor->ruleset); } -struct pf_ruleset * +struct pfctl_ruleset * pf_find_or_create_ruleset(const char *path) { char *p, *q, *r; - struct pf_ruleset *ruleset; - struct pf_anchor *anchor = NULL, *dup, *parent = NULL; + struct pfctl_ruleset *ruleset; + struct pfctl_anchor *anchor = NULL, *dup, *parent = NULL; if (path[0] == 0) return (&pf_main_ruleset); @@ -212,7 +213,7 @@ pf_find_or_create_ruleset(const char *path) rs_free(p); return (NULL); } - anchor = (struct pf_anchor *)rs_malloc(sizeof(*anchor)); + anchor = (struct pfctl_anchor *)rs_malloc(sizeof(*anchor)); if (anchor == NULL) { rs_free(p); return (NULL); @@ -225,7 +226,7 @@ pf_find_or_create_ruleset(const char *path) strlcat(anchor->path, "/", sizeof(anchor->path)); } strlcat(anchor->path, anchor->name, sizeof(anchor->path)); - if ((dup = RB_INSERT(pf_anchor_global, &V_pf_anchors, anchor)) != + if ((dup = RB_INSERT(pfctl_anchor_global, &V_pf_anchors, anchor)) != NULL) { printf("pf_find_or_create_ruleset: RB_INSERT1 " "'%s' '%s' collides with '%s' '%s'\n", @@ -236,13 +237,13 @@ pf_find_or_create_ruleset(const char *path) } if (parent != NULL) { anchor->parent = parent; - if ((dup = RB_INSERT(pf_anchor_node, &parent->children, + if ((dup = RB_INSERT(pfctl_anchor_node, &parent->children, anchor)) != NULL) { printf("pf_find_or_create_ruleset: " "RB_INSERT2 '%s' '%s' collides with " "'%s' '%s'\n", anchor->path, anchor->name, dup->path, dup->name); - RB_REMOVE(pf_anchor_global, &V_pf_anchors, + RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, anchor); rs_free(anchor); rs_free(p); @@ -262,9 +263,9 @@ pf_find_or_create_ruleset(const char *path) } void -pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) +pf_remove_if_empty_ruleset(struct pfctl_ruleset *ruleset) { - struct pf_anchor *parent; + struct pfctl_anchor *parent; int i; while (ruleset != NULL) { @@ -278,9 +279,9 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) || ruleset->rules[i].inactive.open) return; - RB_REMOVE(pf_anchor_global, &V_pf_anchors, ruleset->anchor); + RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, ruleset->anchor); if ((parent = ruleset->anchor->parent) != NULL) - RB_REMOVE(pf_anchor_node, &parent->children, + RB_REMOVE(pfctl_anchor_node, &parent->children, ruleset->anchor); rs_free(ruleset->anchor); if (parent == NULL) @@ -289,11 +290,11 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) } } int -pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, +pfctl_anchor_setup(struct pfctl_rule *r, const struct pfctl_ruleset *s, const char *name) { char *p, *path; - struct pf_ruleset *ruleset; + struct pfctl_ruleset *ruleset; r->anchor = NULL; r->anchor_relative = 0; @@ -314,7 +315,7 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, strlcpy(path, s->anchor->path, MAXPATHLEN); while (name[0] == '.' && name[1] == '.' && name[2] == '/') { if (!path[0]) { - printf("pf_anchor_setup: .. beyond root\n"); + printf("pfctl_anchor_setup: .. beyond root\n"); rs_free(path); return (1); } @@ -336,7 +337,7 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, ruleset = pf_find_or_create_ruleset(path); rs_free(path); if (ruleset == NULL || ruleset->anchor == NULL) { - printf("pf_anchor_setup: ruleset\n"); + printf("pfctl_anchor_setup: ruleset\n"); return (1); } r->anchor = ruleset->anchor; diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index fde9d61260e..548aab0f839 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -94,7 +94,7 @@ int pfctl_load_logif(struct pfctl *, char *); int pfctl_load_hostid(struct pfctl *, u_int32_t); int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int, char *); -void pfctl_print_rule_counters(struct pf_rule *, int); +void pfctl_print_rule_counters(struct pfctl_rule *, int); int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int); int pfctl_show_nat(int, int, char *); int pfctl_show_src_nodes(int, int); @@ -106,14 +106,14 @@ int pfctl_show_limits(int, int); void pfctl_debug(int, u_int32_t, int); int pfctl_test_altqsupport(int, int); int pfctl_show_anchors(int, int, char *); -int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *); +int pfctl_ruleset_trans(struct pfctl *, char *, struct pfctl_anchor *); int pfctl_load_ruleset(struct pfctl *, char *, - struct pf_ruleset *, int, int); -int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int); + struct pfctl_ruleset *, int, int); +int pfctl_load_rule(struct pfctl *, char *, struct pfctl_rule *, int); const char *pfctl_lookup_option(char *, const char * const *); -static struct pf_anchor_global pf_anchors; -static struct pf_anchor pf_main_anchor; +static struct pfctl_anchor_global pf_anchors; +static struct pfctl_anchor pf_main_anchor; static struct pfr_buffer skip_b; static const char *clearopt; @@ -862,7 +862,7 @@ pfctl_clear_pool(struct pf_pool *pool) } void -pfctl_print_rule_counters(struct pf_rule *rule, int opts) +pfctl_print_rule_counters(struct pfctl_rule *rule, int opts) { if (opts & PF_OPT_DEBUG) { const char *t[PF_SKIP_COUNT] = { "i", "d", "f", @@ -914,6 +914,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, char *anchorname, int depth) { struct pfioc_rule pr; + struct pfctl_rule rule; u_int32_t nr, mnr, header = 0; int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG); int numeric = opts & PF_OPT_NUMERIC; @@ -954,12 +955,12 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, for (nr = 0; nr < mnr; ++nr) { pr.nr = nr; if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB, - &pr.rule, pr.anchor_call)) { + &rule, pr.anchor_call)) { warn("DIOCGETRULENV"); goto error; } - if (pfctl_get_pool(dev, &pr.rule.rpool, + if (pfctl_get_pool(dev, &rule.rpool, nr, pr.ticket, PF_SCRUB, path) != 0) goto error; @@ -967,16 +968,16 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, case PFCTL_SHOW_LABELS: break; case PFCTL_SHOW_RULES: - if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL)) + if (rule.label[0] && (opts & PF_OPT_SHOWALL)) labels = 1; - print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric); + print_rule(&rule, pr.anchor_call, rule_numbers, numeric); printf("\n"); - pfctl_print_rule_counters(&pr.rule, opts); + pfctl_print_rule_counters(&rule, opts); break; case PFCTL_SHOW_NOTHING: break; } - pfctl_clear_pool(&pr.rule.rpool); + pfctl_clear_pool(&rule.rpool); } pr.rule.action = PF_PASS; if (ioctl(dev, DIOCGETRULES, &pr)) { @@ -987,36 +988,36 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, for (nr = 0; nr < mnr; ++nr) { pr.nr = nr; if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS, - &pr.rule, pr.anchor_call)) { + &rule, pr.anchor_call)) { warn("DIOCGETRULE"); goto error; } - if (pfctl_get_pool(dev, &pr.rule.rpool, + if (pfctl_get_pool(dev, &rule.rpool, nr, pr.ticket, PF_PASS, path) != 0) goto error; switch (format) { case PFCTL_SHOW_LABELS: - if (pr.rule.label[0]) { + if (rule.label[0]) { printf("%s %llu %llu %llu %llu" " %llu %llu %llu %ju\n", - pr.rule.label, - (unsigned long long)pr.rule.evaluations, - (unsigned long long)(pr.rule.packets[0] + - pr.rule.packets[1]), - (unsigned long long)(pr.rule.bytes[0] + - pr.rule.bytes[1]), - (unsigned long long)pr.rule.packets[0], - (unsigned long long)pr.rule.bytes[0], - (unsigned long long)pr.rule.packets[1], - (unsigned long long)pr.rule.bytes[1], - (uintmax_t)pr.rule.u_states_tot); + rule.label, + (unsigned long long)rule.evaluations, + (unsigned long long)(rule.packets[0] + + rule.packets[1]), + (unsigned long long)(rule.bytes[0] + + rule.bytes[1]), + (unsigned long long)rule.packets[0], + (unsigned long long)rule.bytes[0], + (unsigned long long)rule.packets[1], + (unsigned long long)rule.bytes[1], + (uintmax_t)rule.u_states_tot); } break; case PFCTL_SHOW_RULES: brace = 0; - if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL)) + if (rule.label[0] && (opts & PF_OPT_SHOWALL)) labels = 1; INDENT(depth, !(opts & PF_OPT_VERBOSE)); if (pr.anchor_call[0] && @@ -1032,12 +1033,12 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, } else p = &pr.anchor_call[0]; - print_rule(&pr.rule, p, rule_numbers, numeric); + print_rule(&rule, p, rule_numbers, numeric); if (brace) printf(" {\n"); else printf("\n"); - pfctl_print_rule_counters(&pr.rule, opts); + pfctl_print_rule_counters(&rule, opts); if (brace) { pfctl_show_rules(dev, path, opts, format, p, depth + 1); @@ -1048,7 +1049,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, case PFCTL_SHOW_NOTHING: break; } - pfctl_clear_pool(&pr.rule.rpool); + pfctl_clear_pool(&rule.rpool); } path[len] = '\0'; return (0); @@ -1062,6 +1063,7 @@ int pfctl_show_nat(int dev, int opts, char *anchorname) { struct pfioc_rule pr; + struct pfctl_rule rule; u_int32_t mnr, nr; static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT }; int i, dotitle = opts & PF_OPT_SHOWALL; @@ -1078,22 +1080,22 @@ pfctl_show_nat(int dev, int opts, char *anchorname) for (nr = 0; nr < mnr; ++nr) { pr.nr = nr; if (pfctl_get_rule(dev, nr, pr.ticket, anchorname, - nattype[i], &pr.rule, pr.anchor_call)) { + nattype[i], &rule, pr.anchor_call)) { warn("DIOCGETRULE"); return (-1); } - if (pfctl_get_pool(dev, &pr.rule.rpool, nr, + if (pfctl_get_pool(dev, &rule.rpool, nr, pr.ticket, nattype[i], anchorname) != 0) return (-1); if (dotitle) { pfctl_print_title("TRANSLATION RULES:"); dotitle = 0; } - print_rule(&pr.rule, pr.anchor_call, + print_rule(&rule, pr.anchor_call, opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC); printf("\n"); - pfctl_print_rule_counters(&pr.rule, opts); - pfctl_clear_pool(&pr.rule.rpool); + pfctl_print_rule_counters(&rule, opts); + pfctl_clear_pool(&rule.rpool); } } return (0); @@ -1291,11 +1293,12 @@ pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af) } int -pfctl_append_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) +pfctl_append_rule(struct pfctl *pf, struct pfctl_rule *r, + const char *anchor_call) { u_int8_t rs_num; - struct pf_rule *rule; - struct pf_ruleset *rs; + struct pfctl_rule *rule; + struct pfctl_ruleset *rs; char *p; rs_num = pf_get_ruleset_number(r->action); @@ -1338,7 +1341,7 @@ pfctl_append_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) } int -pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a) +pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a) { int osize = pf->trans->pfrb_size; @@ -1368,10 +1371,10 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a) } int -pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, +pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs, int rs_num, int depth) { - struct pf_rule *r; + struct pfctl_rule *r; int error, len = strlen(path); int brace = 0; @@ -1428,7 +1431,7 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, } int -pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) +pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth) { u_int8_t rs_num = pf_get_ruleset_number(r->action); char *name; @@ -1507,7 +1510,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize, struct pfr_buffer *t, buf; struct pfioc_altq pa; struct pfctl pf; - struct pf_ruleset *rs; + struct pfctl_ruleset *rs; struct pfr_table trs; char *path; int osize; diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h index 5aa94b2bb0c..93b3af083b5 100644 --- a/sbin/pfctl/pfctl.h +++ b/sbin/pfctl/pfctl.h @@ -36,6 +36,8 @@ #ifndef _PFCTL_H_ #define _PFCTL_H_ +#include + enum pfctl_show { PFCTL_SHOW_RULES, PFCTL_SHOW_LABELS, PFCTL_SHOW_NOTHING }; enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS, @@ -129,11 +131,11 @@ u_int32_t int pfctl_trans(int, struct pfr_buffer *, u_long, int); int pf_get_ruleset_number(u_int8_t); -void pf_init_ruleset(struct pf_ruleset *); -int pf_anchor_setup(struct pf_rule *, - const struct pf_ruleset *, const char *); -void pf_remove_if_empty_ruleset(struct pf_ruleset *); -struct pf_ruleset *pf_find_ruleset(const char *); -struct pf_ruleset *pf_find_or_create_ruleset(const char *); +void pf_init_ruleset(struct pfctl_ruleset *); +int pfctl_anchor_setup(struct pfctl_rule *, + const struct pfctl_ruleset *, const char *); +void pf_remove_if_empty_ruleset(struct pfctl_ruleset *); +struct pfctl_ruleset *pf_find_ruleset(const char *); +struct pfctl_ruleset *pf_find_or_create_ruleset(const char *); #endif /* _PFCTL_H_ */ diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c index 821a528932f..cb557884067 100644 --- a/sbin/pfctl/pfctl_optimize.c +++ b/sbin/pfctl/pfctl_optimize.c @@ -100,8 +100,8 @@ static struct pf_rule_field { #define PF_RULE_FIELD(field, ty) \ {#field, \ ty, \ - offsetof(struct pf_rule, field), \ - sizeof(((struct pf_rule *)0)->field)} + offsetof(struct pfctl_rule, field), \ + sizeof(((struct pfctl_rule *)0)->field)} /* @@ -214,10 +214,10 @@ int addrs_combineable(struct pf_rule_addr *, struct pf_rule_addr *); int addrs_equal(struct pf_rule_addr *, struct pf_rule_addr *); int block_feedback(struct pfctl *, struct superblock *); int combine_rules(struct pfctl *, struct superblock *); -void comparable_rule(struct pf_rule *, const struct pf_rule *, int); +void comparable_rule(struct pfctl_rule *, const struct pfctl_rule *, int); int construct_superblocks(struct pfctl *, struct pf_opt_queue *, struct superblocks *); -void exclude_supersets(struct pf_rule *, struct pf_rule *); +void exclude_supersets(struct pfctl_rule *, struct pfctl_rule *); int interface_group(const char *); int load_feedback_profile(struct pfctl *, struct superblocks *); int optimize_superblock(struct pfctl *, struct superblock *); @@ -226,25 +226,25 @@ void remove_from_skipsteps(struct skiplist *, struct superblock *, struct pf_opt_rule *, struct pf_skip_step *); int remove_identical_rules(struct pfctl *, struct superblock *); int reorder_rules(struct pfctl *, struct superblock *, int); -int rules_combineable(struct pf_rule *, struct pf_rule *); +int rules_combineable(struct pfctl_rule *, struct pfctl_rule *); void skip_append(struct superblock *, int, struct pf_skip_step *, struct pf_opt_rule *); int skip_compare(int, struct pf_skip_step *, struct pf_opt_rule *); void skip_init(void); -int skip_cmp_af(struct pf_rule *, struct pf_rule *); -int skip_cmp_dir(struct pf_rule *, struct pf_rule *); -int skip_cmp_dst_addr(struct pf_rule *, struct pf_rule *); -int skip_cmp_dst_port(struct pf_rule *, struct pf_rule *); -int skip_cmp_ifp(struct pf_rule *, struct pf_rule *); -int skip_cmp_proto(struct pf_rule *, struct pf_rule *); -int skip_cmp_src_addr(struct pf_rule *, struct pf_rule *); -int skip_cmp_src_port(struct pf_rule *, struct pf_rule *); +int skip_cmp_af(struct pfctl_rule *, struct pfctl_rule *); +int skip_cmp_dir(struct pfctl_rule *, struct pfctl_rule *); +int skip_cmp_dst_addr(struct pfctl_rule *, struct pfctl_rule *); +int skip_cmp_dst_port(struct pfctl_rule *, struct pfctl_rule *); +int skip_cmp_ifp(struct pfctl_rule *, struct pfctl_rule *); +int skip_cmp_proto(struct pfctl_rule *, struct pfctl_rule *); +int skip_cmp_src_addr(struct pfctl_rule *, struct pfctl_rule *); +int skip_cmp_src_port(struct pfctl_rule *, struct pfctl_rule *); int superblock_inclusive(struct superblock *, struct pf_opt_rule *); void superblock_free(struct pfctl *, struct superblock *); -static int (*skip_comparitors[PF_SKIP_COUNT])(struct pf_rule *, - struct pf_rule *); +static int (*skip_comparitors[PF_SKIP_COUNT])(struct pfctl_rule *, + struct pfctl_rule *); static const char *skip_comparitors_names[PF_SKIP_COUNT]; #define PF_SKIP_COMPARITORS { \ { "ifp", PF_SKIP_IFP, skip_cmp_ifp }, \ @@ -262,14 +262,14 @@ static int table_identifier; int -pfctl_optimize_ruleset(struct pfctl *pf, struct pf_ruleset *rs) +pfctl_optimize_ruleset(struct pfctl *pf, struct pfctl_ruleset *rs) { struct superblocks superblocks; struct pf_opt_queue opt_queue; struct superblock *block; struct pf_opt_rule *por; - struct pf_rule *r; - struct pf_rulequeue *old_rules; + struct pfctl_rule *r; + struct pfctl_rulequeue *old_rules; DEBUG("optimizing ruleset"); memset(&table_buffer, 0, sizeof(table_buffer)); @@ -450,7 +450,7 @@ int remove_identical_rules(struct pfctl *pf, struct superblock *block) { struct pf_opt_rule *por1, *por2, *por_next, *por2_next; - struct pf_rule a, a2, b, b2; + struct pfctl_rule a, a2, b, b2; for (por1 = TAILQ_FIRST(&block->sb_rules); por1; por1 = por_next) { por_next = TAILQ_NEXT(por1, por_entry); @@ -818,7 +818,7 @@ block_feedback(struct pfctl *pf, struct superblock *block) TAILQ_HEAD( , pf_opt_rule) queue; struct pf_opt_rule *por1, *por2; u_int64_t total_count = 0; - struct pf_rule a, b; + struct pfctl_rule a, b; /* @@ -888,7 +888,7 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks) struct pf_opt_rule *por; struct pf_opt_queue queue; struct pfioc_rule pr; - struct pf_rule a, b; + struct pfctl_rule a, b, rule; int nr, mnr; TAILQ_INIT(&queue); @@ -904,7 +904,7 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks) DEBUG("Loading %d active rules for a feedback profile", mnr); for (nr = 0; nr < mnr; ++nr) { - struct pf_ruleset *rs; + struct pfctl_ruleset *rs; if ((por = calloc(1, sizeof(*por))) == NULL) { warn("calloc"); return (1); @@ -912,11 +912,11 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks) pr.nr = nr; if (pfctl_get_rule(pf->dev, nr, pr.ticket, "", PF_PASS, - &pr.rule, pr.anchor_call)) { + &rule, pr.anchor_call)) { warn("DIOCGETRULENV"); return (1); } - memcpy(&por->por_rule, &pr.rule, sizeof(por->por_rule)); + memcpy(&por->por_rule, &rule, sizeof(por->por_rule)); rs = pf_find_or_create_ruleset(pr.anchor_call); por->por_rule.anchor = rs->anchor; if (TAILQ_EMPTY(&por->por_rule.rpool.list)) @@ -924,9 +924,9 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks) sizeof(por->por_rule.rpool)); TAILQ_INSERT_TAIL(&queue, por, por_entry); - /* XXX pfctl_get_pool(pf->dev, &pr.rule.rpool, nr, pr.ticket, + /* XXX pfctl_get_pool(pf->dev, &rule.rpool, nr, pr.ticket, * PF_PASS, pf->anchor) ??? - * ... pfctl_clear_pool(&pr.rule.rpool) + * ... pfctl_clear_pool(&rule.rpool) */ } @@ -977,7 +977,7 @@ int skip_compare(int skipnum, struct pf_skip_step *skiplist, struct pf_opt_rule *por) { - struct pf_rule *a, *b; + struct pfctl_rule *a, *b; if (skipnum >= PF_SKIP_COUNT || skipnum < 0) errx(1, "skip_compare() out of bounds"); a = &por->por_rule; @@ -1053,7 +1053,7 @@ remove_from_skipsteps(struct skiplist *head, struct superblock *block, /* Compare two rules AF field for skiplist construction */ int -skip_cmp_af(struct pf_rule *a, struct pf_rule *b) +skip_cmp_af(struct pfctl_rule *a, struct pfctl_rule *b) { if (a->af != b->af || a->af == 0) return (1); @@ -1062,7 +1062,7 @@ skip_cmp_af(struct pf_rule *a, struct pf_rule *b) /* Compare two rules DIRECTION field for skiplist construction */ int -skip_cmp_dir(struct pf_rule *a, struct pf_rule *b) +skip_cmp_dir(struct pfctl_rule *a, struct pfctl_rule *b) { if (a->direction == 0 || a->direction != b->direction) return (1); @@ -1071,7 +1071,7 @@ skip_cmp_dir(struct pf_rule *a, struct pf_rule *b) /* Compare two rules DST Address field for skiplist construction */ int -skip_cmp_dst_addr(struct pf_rule *a, struct pf_rule *b) +skip_cmp_dst_addr(struct pfctl_rule *a, struct pfctl_rule *b) { if (a->dst.neg != b->dst.neg || a->dst.addr.type != b->dst.addr.type) @@ -1111,7 +1111,7 @@ skip_cmp_dst_addr(struct pf_rule *a, struct pf_rule *b) /* Compare two rules DST port field for skiplist construction */ int -skip_cmp_dst_port(struct pf_rule *a, struct pf_rule *b) +skip_cmp_dst_port(struct pfctl_rule *a, struct pfctl_rule *b) { /* XXX if (a->proto != b->proto && a->proto != 0 && b->proto != 0 * && (a->proto == IPPROTO_TCP || a->proto == IPPROTO_UDP || @@ -1127,7 +1127,7 @@ skip_cmp_dst_port(struct pf_rule *a, struct pf_rule *b) /* Compare two rules IFP field for skiplist construction */ int -skip_cmp_ifp(struct pf_rule *a, struct pf_rule *b) +skip_cmp_ifp(struct pfctl_rule *a, struct pfctl_rule *b) { if (strcmp(a->ifname, b->ifname) || a->ifname[0] == '\0') return (1); @@ -1136,14 +1136,14 @@ skip_cmp_ifp(struct pf_rule *a, struct pf_rule *b) /* Compare two rules PROTO field for skiplist construction */ int -skip_cmp_proto(struct pf_rule *a, struct pf_rule *b) +skip_cmp_proto(struct pfctl_rule *a, struct pfctl_rule *b) { return (a->proto != b->proto || a->proto == 0); } /* Compare two rules SRC addr field for skiplist construction */ int -skip_cmp_src_addr(struct pf_rule *a, struct pf_rule *b) +skip_cmp_src_addr(struct pfctl_rule *a, struct pfctl_rule *b) { if (a->src.neg != b->src.neg || a->src.addr.type != b->src.addr.type) @@ -1183,7 +1183,7 @@ skip_cmp_src_addr(struct pf_rule *a, struct pf_rule *b) /* Compare two rules SRC port field for skiplist construction */ int -skip_cmp_src_port(struct pf_rule *a, struct pf_rule *b) +skip_cmp_src_port(struct pfctl_rule *a, struct pfctl_rule *b) { if (a->src.port_op == PF_OP_NONE || a->src.port_op != b->src.port_op || a->src.port[0] != b->src.port[0] || @@ -1204,7 +1204,7 @@ skip_init(void) struct { char *name; int skipnum; - int (*func)(struct pf_rule *, struct pf_rule *); + int (*func)(struct pfctl_rule *, struct pfctl_rule *); } comps[] = PF_SKIP_COMPARITORS; int skipnum, i; @@ -1397,9 +1397,9 @@ addrs_combineable(struct pf_rule_addr *a, struct pf_rule_addr *b) * Are we allowed to combine these two rules */ int -rules_combineable(struct pf_rule *p1, struct pf_rule *p2) +rules_combineable(struct pfctl_rule *p1, struct pfctl_rule *p2) { - struct pf_rule a, b; + struct pfctl_rule a, b; comparable_rule(&a, p1, COMBINED); comparable_rule(&b, p2, COMBINED); @@ -1413,7 +1413,7 @@ rules_combineable(struct pf_rule *p1, struct pf_rule *p2) int superblock_inclusive(struct superblock *block, struct pf_opt_rule *por) { - struct pf_rule a, b; + struct pfctl_rule a, b; int i, j; /* First check for hard breaks */ @@ -1528,7 +1528,7 @@ interface_group(const char *ifname) * Make a rule that can directly compared by memcmp() */ void -comparable_rule(struct pf_rule *dst, const struct pf_rule *src, int type) +comparable_rule(struct pfctl_rule *dst, const struct pfctl_rule *src, int type) { int i; /* @@ -1553,7 +1553,7 @@ comparable_rule(struct pf_rule *dst, const struct pf_rule *src, int type) * with memcmp() */ void -exclude_supersets(struct pf_rule *super, struct pf_rule *sub) +exclude_supersets(struct pfctl_rule *super, struct pfctl_rule *sub) { if (super->ifname[0] == '\0') memset(sub->ifname, 0, sizeof(sub->ifname)); diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 7416ae26be4..b7ac9527db6 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -694,7 +694,7 @@ print_src_node(struct pf_src_node *sn, int opts) } void -print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric) +print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numeric) { static const char *actiontypes[] = { "pass", "block", "scrub", "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" }; diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index 2547caa1a8c..f36e8f1d4ac 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -36,6 +36,8 @@ #ifndef _PFCTL_PARSER_H_ #define _PFCTL_PARSER_H_ +#include + #define PF_OSFP_FILE "/etc/pf.os" #define PF_OPT_DISABLE 0x0001 @@ -82,12 +84,12 @@ struct pfctl { int brace; int tdirty; /* kernel dirty */ #define PFCTL_ANCHOR_STACK_DEPTH 64 - struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH]; + struct pfctl_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH]; struct pfioc_pooladdr paddr; struct pfioc_altq *paltq; struct pfioc_queue *pqueue; struct pfr_buffer *trans; - struct pf_anchor *anchor, *alast; + struct pfctl_anchor *anchor, *alast; const char *ruleset; /* 'set foo' options */ @@ -239,7 +241,7 @@ struct pf_opt_tbl { /* optimizer pf_rule container */ struct pf_opt_rule { - struct pf_rule por_rule; + struct pfctl_rule por_rule; struct pf_opt_tbl *por_src_tbl; struct pf_opt_tbl *por_dst_tbl; u_int64_t por_profile_count; @@ -250,9 +252,9 @@ struct pf_opt_rule { TAILQ_HEAD(pf_opt_queue, pf_opt_rule); int pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *); -int pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *); +int pfctl_optimize_ruleset(struct pfctl *, struct pfctl_ruleset *); -int pfctl_append_rule(struct pfctl *, struct pf_rule *, const char *); +int pfctl_append_rule(struct pfctl *, struct pfctl_rule *, const char *); int pfctl_add_altq(struct pfctl *, struct pf_altq *); int pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t); void pfctl_move_pool(struct pf_pool *, struct pf_pool *); @@ -272,7 +274,7 @@ int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *); void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int); void print_src_node(struct pf_src_node *, int); -void print_rule(struct pf_rule *, const char *, int, int); +void print_rule(struct pfctl_rule *, const char *, int, int); void print_tabledef(const char *, int, int, struct node_tinithead *); void print_status(struct pf_status *, int); void print_running(struct pf_status *); diff --git a/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c b/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c index dc55c730bc5..018f3751ca5 100644 --- a/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c +++ b/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c @@ -1515,6 +1515,7 @@ static int pfl_scan_ruleset(const char *path) { struct pfioc_rule pr; + struct pfctl_rule rule; struct pfl_entry *e; u_int32_t nr, i; @@ -1529,14 +1530,14 @@ pfl_scan_ruleset(const char *path) for (nr = pr.nr, i = 0; i < nr; i++) { pr.nr = i; - if (pfctl_add_rule(dev, &pr.rule, pr.anchor, pr.anchor_call, + if (pfctl_add_rule(dev, &rule, pr.anchor, pr.anchor_call, pr.ticket, pr.pool_ticket)) { syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULE):" " %s", strerror(errno)); goto err; } - if (pr.rule.label[0]) { + if (rule.label[0]) { e = (struct pfl_entry *)malloc(sizeof(*e)); if (e == NULL) goto err; @@ -1544,13 +1545,13 @@ pfl_scan_ruleset(const char *path) strlcpy(e->name, path, sizeof(e->name)); if (path[0]) strlcat(e->name, "/", sizeof(e->name)); - strlcat(e->name, pr.rule.label, sizeof(e->name)); + strlcat(e->name, rule.label, sizeof(e->name)); - e->evals = pr.rule.evaluations; - e->bytes[IN] = pr.rule.bytes[IN]; - e->bytes[OUT] = pr.rule.bytes[OUT]; - e->pkts[IN] = pr.rule.packets[IN]; - e->pkts[OUT] = pr.rule.packets[OUT]; + e->evals = rule.evaluations; + e->bytes[IN] = rule.bytes[IN]; + e->bytes[OUT] = rule.bytes[OUT]; + e->pkts[IN] = rule.packets[IN]; + e->pkts[OUT] = rule.packets[OUT]; e->index = ++pfl_table_count; TAILQ_INSERT_TAIL(&pfl_table, e, link); -- 2.45.0