Index: lib/Makefile =================================================================== --- lib/Makefile +++ lib/Makefile @@ -210,6 +210,7 @@ SUBDIR.${MK_OPENMP}+= libomp .endif SUBDIR.${MK_OPENSSL}+= libmp +SUBDIR.${MK_PF}+= libpfctl SUBDIR.${MK_PMC}+= libpmc libpmcstat SUBDIR.${MK_RADIUS_SUPPORT}+= libradius SUBDIR.${MK_SENDMAIL}+= libmilter libsm libsmdb libsmutil Index: lib/libpfctl/Makefile =================================================================== --- /dev/null +++ lib/libpfctl/Makefile @@ -0,0 +1,12 @@ +# $FreeBSD$ + +PACKAGE= lib${LIB} +LIB= pfctl +INTERNALLIB= true + +SRCS= libpfctl.c +INCS= libpfctl.h + +CFLAGS+= -fPIC + +.include Index: lib/libpfctl/libpfctl.h =================================================================== --- lib/libpfctl/libpfctl.h +++ lib/libpfctl/libpfctl.h @@ -36,8 +36,11 @@ #include -int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, +int libpfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor, u_int32_t ruleset, struct pf_rule *rule, char *anchor_call); +int libpfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, + const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket); #endif + Index: lib/libpfctl/libpfctl.c =================================================================== --- lib/libpfctl/libpfctl.c +++ lib/libpfctl/libpfctl.c @@ -48,7 +48,7 @@ #include #include -#include "pfctl_ioctl.h" +#include "libpfctl.h" static void pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems, @@ -118,6 +118,17 @@ *nelems = elems; } +static void +pfctl_nv_add_addr(nvlist_t *nvparent, const char *name, + const struct pf_addr *addr) +{ + nvlist_t *nvl = nvlist_create(0); + + nvlist_add_binary(nvl, "addr", addr, sizeof(*addr)); + + nvlist_add_nvlist(nvparent, name, nvl); +} + static void pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr) { @@ -129,6 +140,22 @@ memcpy(addr, data, len); } +static void +pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, + const struct pf_addr_wrap *addr) +{ + nvlist_t *nvl = nvlist_create(0); + + nvlist_add_number(nvl, "type", addr->type); + nvlist_add_number(nvl, "iflags", addr->iflags); + nvlist_add_string(nvl, "ifname", addr->v.ifname); + nvlist_add_string(nvl, "tblname", addr->v.tblname); + pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); + pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); + + nvlist_add_nvlist(nvparent, name, nvl); +} + static void pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr) { @@ -142,6 +169,23 @@ pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask); } +static void +pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name, + const struct pf_rule_addr *addr) +{ + u_int64_t ports[2]; + nvlist_t *nvl = nvlist_create(0); + + pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr); + ports[0] = addr->port[0]; + ports[1] = addr->port[1]; + nvlist_add_number_array(nvl, "port", ports, 2); + nvlist_add_number(nvl, "neg", addr->neg); + nvlist_add_number(nvl, "port_op", addr->port_op); + + nvlist_add_nvlist(nvparent, name, nvl); +} + static void pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr) { @@ -152,6 +196,25 @@ addr->port_op = nvlist_get_number(nvl, "port_op"); } +static void +pfctl_nv_add_pool(nvlist_t *nvparent, const char *name, + const struct pf_pool *pool) +{ + u_int64_t ports[2]; + nvlist_t *nvl = nvlist_create(0); + + nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key)); + pfctl_nv_add_addr(nvl, "counter", &pool->counter); + nvlist_add_number(nvl, "tblidx", pool->tblidx); + + ports[0] = pool->proxy_port[0]; + ports[1] = pool->proxy_port[1]; + nvlist_add_number_array(nvl, "proxy_port", ports, 2); + nvlist_add_number(nvl, "opts", pool->opts); + + nvlist_add_nvlist(nvparent, name, nvl); +} + static void pf_nvpool_to_pool(const nvlist_t *nvl, struct pf_pool *pool) { @@ -169,6 +232,21 @@ pool->opts = nvlist_get_number(nvl, "opts"); } +static void +pfctl_nv_add_uid(nvlist_t *nvparent, const char *name, + const struct pf_rule_uid *uid) +{ + u_int64_t uids[2]; + nvlist_t *nvl = nvlist_create(0); + + uids[0] = uid->uid[0]; + uids[1] = uid->uid[1]; + nvlist_add_number_array(nvl, "uid", uids, 2); + nvlist_add_number(nvl, "op", uid->op); + + nvlist_add_nvlist(nvparent, name, nvl); +} + static void pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid) { @@ -176,6 +254,18 @@ uid->op = nvlist_get_number(nvl, "op"); } +static void +pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, + const struct pf_rule *r) +{ + nvlist_t *nvl = nvlist_create(0); + + pfctl_nv_add_addr(nvl, "addr", &r->divert.addr); + nvlist_add_number(nvl, "port", r->divert.port); + + nvlist_add_nvlist(nvparent, name, nvl); +} + static void pf_nvdivert_to_divert(const nvlist_t *nvl, struct pf_rule *rule) { @@ -282,9 +372,116 @@ rule->u_src_nodes = nvlist_get_number(nvl, "src_nodes"); } +int +libpfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor, + const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket) +{ + struct pfioc_nv nv; + u_int64_t timeouts[PFTM_MAX]; + u_int64_t set_prio[2]; + nvlist_t *nvl, *nvlr; + int ret; + + nvl = nvlist_create(0); + nvlr = nvlist_create(0); + + nvlist_add_number(nvl, "ticket", ticket); + nvlist_add_number(nvl, "pool_ticket", pool_ticket); + nvlist_add_string(nvl, "anchor", anchor); + nvlist_add_string(nvl, "anchor_call", anchor_call); + + nvlist_add_number(nvlr, "nr", r->nr); + pfctl_nv_add_rule_addr(nvlr, "src", &r->src); + pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst); + + nvlist_add_string(nvlr, "label", r->label); + nvlist_add_string(nvlr, "ifname", r->ifname); + nvlist_add_string(nvlr, "qname", r->qname); + nvlist_add_string(nvlr, "pqname", r->pqname); + nvlist_add_string(nvlr, "tagname", r->tagname); + nvlist_add_string(nvlr, "match_tagname", r->match_tagname); + nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname); + + pfctl_nv_add_pool(nvlr, "rpool", &r->rpool); + + nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint); + + nvlist_add_number(nvlr, "rtableid", r->rtableid); + for (int i = 0; i < PFTM_MAX; i++) + timeouts[i] = r->timeout[i]; + nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX); + nvlist_add_number(nvlr, "max_states", r->max_states); + nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes); + nvlist_add_number(nvlr, "max_src_states", r->max_src_states); + nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn); + nvlist_add_number(nvlr, "max_src_conn_rate.limit", + r->max_src_conn_rate.limit); + nvlist_add_number(nvlr, "max_src_conn_rate.seconds", + r->max_src_conn_rate.seconds); + nvlist_add_number(nvlr, "prob", r->prob); + nvlist_add_number(nvlr, "cuid", r->cuid); + nvlist_add_number(nvlr, "cpid", r->cpid); + + nvlist_add_number(nvlr, "return_icmp", r->return_icmp); + nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6); + + nvlist_add_number(nvlr, "max_mss", r->max_mss); + nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags); + + pfctl_nv_add_uid(nvlr, "uid", &r->uid); + pfctl_nv_add_uid(nvlr, "gid", (const struct pf_rule_uid *)&r->gid); + + nvlist_add_number(nvlr, "rule_flag", r->rule_flag); + nvlist_add_number(nvlr, "action", r->action); + nvlist_add_number(nvlr, "direction", r->direction); + nvlist_add_number(nvlr, "log", r->log); + nvlist_add_number(nvlr, "logif", r->logif); + nvlist_add_number(nvlr, "quick", r->quick); + nvlist_add_number(nvlr, "ifnot", r->ifnot); + nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not); + nvlist_add_number(nvlr, "natpass", r->natpass); + + nvlist_add_number(nvlr, "keep_state", r->keep_state); + nvlist_add_number(nvlr, "af", r->af); + nvlist_add_number(nvlr, "proto", r->proto); + nvlist_add_number(nvlr, "type", r->type); + nvlist_add_number(nvlr, "code", r->code); + nvlist_add_number(nvlr, "flags", r->flags); + nvlist_add_number(nvlr, "flagset", r->flagset); + nvlist_add_number(nvlr, "min_ttl", r->min_ttl); + nvlist_add_number(nvlr, "allow_opts", r->allow_opts); + nvlist_add_number(nvlr, "rt", r->rt); + nvlist_add_number(nvlr, "return_ttl", r->return_ttl); + nvlist_add_number(nvlr, "tos", r->tos); + nvlist_add_number(nvlr, "set_tos", r->set_tos); + nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative); + nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard); + + nvlist_add_number(nvlr, "flush", r->flush); + + nvlist_add_number(nvlr, "prio", r->prio); + set_prio[0] = r->set_prio[0]; + set_prio[1] = r->set_prio[1]; + nvlist_add_number_array(nvlr, "set_prio", set_prio, 2); + + pfctl_nv_add_divert(nvlr, "divert", r); + + nvlist_add_nvlist(nvl, "rule", nvlr); + + /* Now do the call. */ + nv.data = nvlist_pack(nvl, &nv.len); + nv.size = nv.len; + + ret = ioctl(dev, DIOCADDRULENV, &nv); + + free(nv.data); + nvlist_destroy(nvl); + + return (ret); +} int -pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor, +libpfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor, u_int32_t ruleset, struct pf_rule *rule, char *anchor_call) { struct pfioc_nv nv; Index: sbin/pfctl/Makefile =================================================================== --- sbin/pfctl/Makefile +++ sbin/pfctl/Makefile @@ -9,13 +9,14 @@ SRCS = pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c -SRCS+= pfctl_optimize.c pfctl_ioctl.c +SRCS+= pfctl_optimize.c SRCS+= pf_ruleset.c WARNS?= 2 CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized CFLAGS+= -Wstrict-prototypes CFLAGS+= -DENABLE_ALTQ -I${.CURDIR} +CFLAGS+= -I${SRCTOP}/lib/libpfctl -I${OBJTOP}/lib/libpfctl # Need to use "WITH_" prefix to not conflict with the l/y INET/INET6 keywords .if ${MK_INET6_SUPPORT} != "no" @@ -27,7 +28,7 @@ YFLAGS= -LIBADD= m md nv +LIBADD= m md pfctl HAS_TESTS= SUBDIR.${MK_TESTS}+= tests Index: sbin/pfctl/pfctl.c =================================================================== --- sbin/pfctl/pfctl.c +++ sbin/pfctl/pfctl.c @@ -55,6 +55,7 @@ #include #include #include +#include #include #include #include @@ -63,7 +64,6 @@ #include #include -#include "pfctl_ioctl.h" #include "pfctl_parser.h" #include "pfctl.h" @@ -953,7 +953,7 @@ for (nr = 0; nr < mnr; ++nr) { pr.nr = nr; - if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB, + if (libpfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB, &pr.rule, pr.anchor_call)) { warn("DIOCGETRULENV"); goto error; @@ -986,7 +986,7 @@ mnr = pr.nr; for (nr = 0; nr < mnr; ++nr) { pr.nr = nr; - if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS, + if (libpfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS, &pr.rule, pr.anchor_call)) { warn("DIOCGETRULE"); goto error; @@ -1077,7 +1077,7 @@ mnr = pr.nr; for (nr = 0; nr < mnr; ++nr) { pr.nr = nr; - if (pfctl_get_rule(dev, nr, pr.ticket, anchorname, + if (libpfctl_get_rule(dev, nr, pr.ticket, anchorname, nattype[i], &pr.rule, pr.anchor_call)) { warn("DIOCGETRULE"); return (-1); @@ -1427,204 +1427,6 @@ } -static void -pfctl_nv_add_addr(nvlist_t *nvparent, const char *name, - const struct pf_addr *addr) -{ - nvlist_t *nvl = nvlist_create(0); - - nvlist_add_binary(nvl, "addr", addr, sizeof(*addr)); - - nvlist_add_nvlist(nvparent, name, nvl); -} - -static void -pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, - const struct pf_addr_wrap *addr) -{ - nvlist_t *nvl = nvlist_create(0); - - nvlist_add_number(nvl, "type", addr->type); - nvlist_add_number(nvl, "iflags", addr->iflags); - nvlist_add_string(nvl, "ifname", addr->v.ifname); - nvlist_add_string(nvl, "tblname", addr->v.tblname); - pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); - pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); - - nvlist_add_nvlist(nvparent, name, nvl); -} - -static void -pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name, - const struct pf_rule_addr *addr) -{ - u_int64_t ports[2]; - nvlist_t *nvl = nvlist_create(0); - - pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr); - ports[0] = addr->port[0]; - ports[1] = addr->port[1]; - nvlist_add_number_array(nvl, "port", ports, 2); - nvlist_add_number(nvl, "neg", addr->neg); - nvlist_add_number(nvl, "port_op", addr->port_op); - - nvlist_add_nvlist(nvparent, name, nvl); -} - -static void -pfctl_nv_add_pool(nvlist_t *nvparent, const char *name, - const struct pf_pool *pool) -{ - u_int64_t ports[2]; - nvlist_t *nvl = nvlist_create(0); - - nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key)); - pfctl_nv_add_addr(nvl, "counter", &pool->counter); - nvlist_add_number(nvl, "tblidx", pool->tblidx); - - ports[0] = pool->proxy_port[0]; - ports[1] = pool->proxy_port[1]; - nvlist_add_number_array(nvl, "proxy_port", ports, 2); - nvlist_add_number(nvl, "opts", pool->opts); - - nvlist_add_nvlist(nvparent, name, nvl); -} - -static void -pfctl_nv_add_uid(nvlist_t *nvparent, const char *name, - const struct pf_rule_uid *uid) -{ - u_int64_t uids[2]; - nvlist_t *nvl = nvlist_create(0); - - uids[0] = uid->uid[0]; - uids[1] = uid->uid[1]; - nvlist_add_number_array(nvl, "uid", uids, 2); - nvlist_add_number(nvl, "op", uid->op); - - nvlist_add_nvlist(nvparent, name, nvl); -} - -static void -pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, - const struct pf_rule *r) -{ - nvlist_t *nvl = nvlist_create(0); - - pfctl_nv_add_addr(nvl, "addr", &r->divert.addr); - nvlist_add_number(nvl, "port", r->divert.port); - - nvlist_add_nvlist(nvparent, name, nvl); -} - -static int -pfctl_addrule(struct pfctl *pf, const struct pf_rule *r, const char *anchor, - const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket) -{ - struct pfioc_nv nv; - u_int64_t timeouts[PFTM_MAX]; - u_int64_t set_prio[2]; - nvlist_t *nvl, *nvlr; - int ret; - - nvl = nvlist_create(0); - nvlr = nvlist_create(0); - - nvlist_add_number(nvl, "ticket", ticket); - nvlist_add_number(nvl, "pool_ticket", pool_ticket); - nvlist_add_string(nvl, "anchor", anchor); - nvlist_add_string(nvl, "anchor_call", anchor_call); - - nvlist_add_number(nvlr, "nr", r->nr); - pfctl_nv_add_rule_addr(nvlr, "src", &r->src); - pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst); - - nvlist_add_string(nvlr, "label", r->label); - nvlist_add_string(nvlr, "ifname", r->ifname); - nvlist_add_string(nvlr, "qname", r->qname); - nvlist_add_string(nvlr, "pqname", r->pqname); - nvlist_add_string(nvlr, "tagname", r->tagname); - nvlist_add_string(nvlr, "match_tagname", r->match_tagname); - nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname); - - pfctl_nv_add_pool(nvlr, "rpool", &r->rpool); - - nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint); - - nvlist_add_number(nvlr, "rtableid", r->rtableid); - for (int i = 0; i < PFTM_MAX; i++) - timeouts[i] = r->timeout[i]; - nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX); - nvlist_add_number(nvlr, "max_states", r->max_states); - nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes); - nvlist_add_number(nvlr, "max_src_states", r->max_src_states); - nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn); - nvlist_add_number(nvlr, "max_src_conn_rate.limit", - r->max_src_conn_rate.limit); - nvlist_add_number(nvlr, "max_src_conn_rate.seconds", - r->max_src_conn_rate.seconds); - nvlist_add_number(nvlr, "prob", r->prob); - nvlist_add_number(nvlr, "cuid", r->cuid); - nvlist_add_number(nvlr, "cpid", r->cpid); - - nvlist_add_number(nvlr, "return_icmp", r->return_icmp); - nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6); - - nvlist_add_number(nvlr, "max_mss", r->max_mss); - nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags); - - pfctl_nv_add_uid(nvlr, "uid", &r->uid); - pfctl_nv_add_uid(nvlr, "gid", (struct pf_rule_uid *)&r->gid); - - nvlist_add_number(nvlr, "rule_flag", r->rule_flag); - nvlist_add_number(nvlr, "action", r->action); - nvlist_add_number(nvlr, "direction", r->direction); - nvlist_add_number(nvlr, "log", r->log); - nvlist_add_number(nvlr, "logif", r->logif); - nvlist_add_number(nvlr, "quick", r->quick); - nvlist_add_number(nvlr, "ifnot", r->ifnot); - nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not); - nvlist_add_number(nvlr, "natpass", r->natpass); - - nvlist_add_number(nvlr, "keep_state", r->keep_state); - nvlist_add_number(nvlr, "af", r->af); - nvlist_add_number(nvlr, "proto", r->proto); - nvlist_add_number(nvlr, "type", r->type); - nvlist_add_number(nvlr, "code", r->code); - nvlist_add_number(nvlr, "flags", r->flags); - nvlist_add_number(nvlr, "flagset", r->flagset); - nvlist_add_number(nvlr, "min_ttl", r->min_ttl); - nvlist_add_number(nvlr, "allow_opts", r->allow_opts); - nvlist_add_number(nvlr, "rt", r->rt); - nvlist_add_number(nvlr, "return_ttl", r->return_ttl); - nvlist_add_number(nvlr, "tos", r->tos); - nvlist_add_number(nvlr, "set_tos", r->set_tos); - nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative); - nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard); - - nvlist_add_number(nvlr, "flush", r->flush); - - nvlist_add_number(nvlr, "prio", r->prio); - set_prio[0] = r->set_prio[0]; - set_prio[1] = r->set_prio[1]; - nvlist_add_number_array(nvlr, "set_prio", set_prio, 2); - - pfctl_nv_add_divert(nvlr, "divert", r); - - nvlist_add_nvlist(nvl, "rule", nvlr); - - /* Now do the call. */ - nv.data = nvlist_pack(nvl, &nv.len); - nv.size = nv.len; - - ret = ioctl(pf->dev, DIOCADDRULENV, &nv); - - free(nv.data); - nvlist_destroy(nvl); - - return (ret); -} - int pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) { @@ -1657,7 +1459,7 @@ if ((pf->opts & PF_OPT_NOACTION) == 0) { if (pfctl_add_pool(pf, &r->rpool, r->af)) return (1); - if (pfctl_addrule(pf, r, anchor, name, ticket, + if (libpfctl_add_rule(pf->dev, r, anchor, name, ticket, pf->paddr.ticket)) err(1, "DIOCADDRULENV"); } Index: sbin/pfctl/pfctl_ioctl.h =================================================================== --- sbin/pfctl/pfctl_ioctl.h +++ sbin/pfctl/pfctl_ioctl.h @@ -1,43 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-2-Clause - * - * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - * $FreeBSD$ - */ - -#ifndef _PFCTL_IOCTL_H_ -#define _PFCTL_IOCTL_H_ - -#include - -int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, - const char *anchor, u_int32_t ruleset, struct pf_rule *rule, - char *anchor_call); - -#endif Index: sbin/pfctl/pfctl_optimize.c =================================================================== --- sbin/pfctl/pfctl_optimize.c +++ sbin/pfctl/pfctl_optimize.c @@ -33,12 +33,12 @@ #include #include #include +#include #include #include #include #include -#include "pfctl_ioctl.h" #include "pfctl_parser.h" #include "pfctl.h" @@ -911,7 +911,7 @@ } pr.nr = nr; - if (pfctl_get_rule(pf->dev, nr, pr.ticket, "", PF_PASS, + if (libpfctl_get_rule(pf->dev, nr, pr.ticket, "", PF_PASS, &pr.rule, pr.anchor_call)) { warn("DIOCGETRULENV"); return (1); Index: share/mk/src.libnames.mk =================================================================== --- share/mk/src.libnames.mk +++ share/mk/src.libnames.mk @@ -57,6 +57,7 @@ opts \ parse \ pe \ + pfctl \ pmcstat \ sl \ sm \ @@ -387,6 +388,7 @@ _DP_be= zfs spl nvpair zfsbootenv _DP_netmap= _DP_ifconfig= m +_DP_pfctl= nv # OFED support .if ${MK_OFED} != "no" @@ -564,6 +566,9 @@ LIBPARSEDIR= ${_LIB_OBJTOP}/usr.sbin/ntp/libparse LIBPARSE?= ${LIBPARSEDIR}/libparse${PIE_SUFFIX}.a +LIBPFCTL= ${_LIB_OBJTOP}/lib/libpfctl +LIBPFCTL?= ${LIBPFCTLDIR}/libpfctl${PIE_SUFFIX}.a + LIBLPRDIR= ${_LIB_OBJTOP}/usr.sbin/lpr/common_source LIBLPR?= ${LIBLPRDIR}/liblpr${PIE_SUFFIX}.a