Changeset View
Changeset View
Standalone View
Standalone View
sbin/pfctl/pfctl.c
Show First 20 Lines • Show All 49 Lines • ▼ Show 20 Lines | |||||
#include <net/pfvar.h> | #include <net/pfvar.h> | ||||
#include <arpa/inet.h> | #include <arpa/inet.h> | ||||
#include <net/altq/altq.h> | #include <net/altq/altq.h> | ||||
#include <sys/sysctl.h> | #include <sys/sysctl.h> | ||||
#include <err.h> | #include <err.h> | ||||
#include <errno.h> | #include <errno.h> | ||||
#include <fcntl.h> | #include <fcntl.h> | ||||
#include <libpfctl.h> | |||||
#include <limits.h> | #include <limits.h> | ||||
#include <netdb.h> | #include <netdb.h> | ||||
#include <stdint.h> | #include <stdint.h> | ||||
#include <stdio.h> | #include <stdio.h> | ||||
#include <stdlib.h> | #include <stdlib.h> | ||||
#include <string.h> | #include <string.h> | ||||
#include <unistd.h> | #include <unistd.h> | ||||
#include "pfctl_ioctl.h" | |||||
#include "pfctl_parser.h" | #include "pfctl_parser.h" | ||||
#include "pfctl.h" | #include "pfctl.h" | ||||
void usage(void); | void usage(void); | ||||
int pfctl_enable(int, int); | int pfctl_enable(int, int); | ||||
int pfctl_disable(int, int); | int pfctl_disable(int, int); | ||||
int pfctl_clear_stats(int, int); | int pfctl_clear_stats(int, int); | ||||
int pfctl_get_skip_ifaces(void); | int pfctl_get_skip_ifaces(void); | ||||
▲ Show 20 Lines • Show All 1,211 Lines • ▼ Show 20 Lines | if ((pf->opts & PF_OPT_NOACTION) == 0) { | ||||
if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr)) | if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr)) | ||||
err(1, "DIOCADDADDR"); | err(1, "DIOCADDADDR"); | ||||
} | } | ||||
} | } | ||||
return (0); | return (0); | ||||
} | } | ||||
int | int | ||||
pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) | pfctl_append_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call) | ||||
{ | { | ||||
u_int8_t rs_num; | u_int8_t rs_num; | ||||
struct pf_rule *rule; | struct pf_rule *rule; | ||||
struct pf_ruleset *rs; | struct pf_ruleset *rs; | ||||
char *p; | char *p; | ||||
rs_num = pf_get_ruleset_number(r->action); | rs_num = pf_get_ruleset_number(r->action); | ||||
if (rs_num == PF_RULESET_MAX) | if (rs_num == PF_RULESET_MAX) | ||||
errx(1, "Invalid rule type %d", r->action); | errx(1, "Invalid rule type %d", r->action); | ||||
rs = &pf->anchor->ruleset; | rs = &pf->anchor->ruleset; | ||||
if (anchor_call[0] && r->anchor == NULL) { | if (anchor_call[0] && r->anchor == NULL) { | ||||
/* | /* | ||||
* Don't make non-brace anchors part of the main anchor pool. | * Don't make non-brace anchors part of the main anchor pool. | ||||
*/ | */ | ||||
if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL) | if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL) | ||||
err(1, "pfctl_add_rule: calloc"); | err(1, "pfctl_append_rule: calloc"); | ||||
pf_init_ruleset(&r->anchor->ruleset); | pf_init_ruleset(&r->anchor->ruleset); | ||||
r->anchor->ruleset.anchor = r->anchor; | r->anchor->ruleset.anchor = r->anchor; | ||||
if (strlcpy(r->anchor->path, anchor_call, | if (strlcpy(r->anchor->path, anchor_call, | ||||
sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path)) | sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path)) | ||||
errx(1, "pfctl_add_rule: strlcpy"); | errx(1, "pfctl_append_rule: strlcpy"); | ||||
if ((p = strrchr(anchor_call, '/')) != NULL) { | if ((p = strrchr(anchor_call, '/')) != NULL) { | ||||
if (!strlen(p)) | if (!strlen(p)) | ||||
err(1, "pfctl_add_rule: bad anchor name %s", | err(1, "pfctl_append_rule: bad anchor name %s", | ||||
anchor_call); | anchor_call); | ||||
} else | } else | ||||
p = (char *)anchor_call; | p = (char *)anchor_call; | ||||
if (strlcpy(r->anchor->name, p, | if (strlcpy(r->anchor->name, p, | ||||
sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name)) | sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name)) | ||||
errx(1, "pfctl_add_rule: strlcpy"); | errx(1, "pfctl_append_rule: strlcpy"); | ||||
} | } | ||||
if ((rule = calloc(1, sizeof(*rule))) == NULL) | if ((rule = calloc(1, sizeof(*rule))) == NULL) | ||||
err(1, "calloc"); | err(1, "calloc"); | ||||
bcopy(r, rule, sizeof(*rule)); | bcopy(r, rule, sizeof(*rule)); | ||||
TAILQ_INIT(&rule->rpool.list); | TAILQ_INIT(&rule->rpool.list); | ||||
pfctl_move_pool(&r->rpool, &rule->rpool); | pfctl_move_pool(&r->rpool, &rule->rpool); | ||||
▲ Show 20 Lines • Show All 86 Lines • ▼ Show 20 Lines | pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs, | ||||
return (0); | return (0); | ||||
error: | error: | ||||
path[len] = '\0'; | path[len] = '\0'; | ||||
return (error); | return (error); | ||||
} | } | ||||
static void | |||||
pfctl_nv_add_addr(nvlist_t *nvparent, const char *name, | |||||
const struct pf_addr *addr) | |||||
{ | |||||
nvlist_t *nvl = nvlist_create(0); | |||||
nvlist_add_binary(nvl, "addr", addr, sizeof(*addr)); | |||||
nvlist_add_nvlist(nvparent, name, nvl); | |||||
} | |||||
static void | |||||
pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, | |||||
const struct pf_addr_wrap *addr) | |||||
{ | |||||
nvlist_t *nvl = nvlist_create(0); | |||||
nvlist_add_number(nvl, "type", addr->type); | |||||
nvlist_add_number(nvl, "iflags", addr->iflags); | |||||
nvlist_add_string(nvl, "ifname", addr->v.ifname); | |||||
nvlist_add_string(nvl, "tblname", addr->v.tblname); | |||||
pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); | |||||
pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); | |||||
nvlist_add_nvlist(nvparent, name, nvl); | |||||
} | |||||
static void | |||||
pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name, | |||||
const struct pf_rule_addr *addr) | |||||
{ | |||||
u_int64_t ports[2]; | |||||
nvlist_t *nvl = nvlist_create(0); | |||||
pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr); | |||||
ports[0] = addr->port[0]; | |||||
ports[1] = addr->port[1]; | |||||
nvlist_add_number_array(nvl, "port", ports, 2); | |||||
nvlist_add_number(nvl, "neg", addr->neg); | |||||
nvlist_add_number(nvl, "port_op", addr->port_op); | |||||
nvlist_add_nvlist(nvparent, name, nvl); | |||||
} | |||||
static void | |||||
pfctl_nv_add_pool(nvlist_t *nvparent, const char *name, | |||||
const struct pf_pool *pool) | |||||
{ | |||||
u_int64_t ports[2]; | |||||
nvlist_t *nvl = nvlist_create(0); | |||||
nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key)); | |||||
pfctl_nv_add_addr(nvl, "counter", &pool->counter); | |||||
nvlist_add_number(nvl, "tblidx", pool->tblidx); | |||||
ports[0] = pool->proxy_port[0]; | |||||
ports[1] = pool->proxy_port[1]; | |||||
nvlist_add_number_array(nvl, "proxy_port", ports, 2); | |||||
nvlist_add_number(nvl, "opts", pool->opts); | |||||
nvlist_add_nvlist(nvparent, name, nvl); | |||||
} | |||||
static void | |||||
pfctl_nv_add_uid(nvlist_t *nvparent, const char *name, | |||||
const struct pf_rule_uid *uid) | |||||
{ | |||||
u_int64_t uids[2]; | |||||
nvlist_t *nvl = nvlist_create(0); | |||||
uids[0] = uid->uid[0]; | |||||
uids[1] = uid->uid[1]; | |||||
nvlist_add_number_array(nvl, "uid", uids, 2); | |||||
nvlist_add_number(nvl, "op", uid->op); | |||||
nvlist_add_nvlist(nvparent, name, nvl); | |||||
} | |||||
static void | |||||
pfctl_nv_add_divert(nvlist_t *nvparent, const char *name, | |||||
const struct pf_rule *r) | |||||
{ | |||||
nvlist_t *nvl = nvlist_create(0); | |||||
pfctl_nv_add_addr(nvl, "addr", &r->divert.addr); | |||||
nvlist_add_number(nvl, "port", r->divert.port); | |||||
nvlist_add_nvlist(nvparent, name, nvl); | |||||
} | |||||
static int | |||||
pfctl_addrule(struct pfctl *pf, const struct pf_rule *r, const char *anchor, | |||||
const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket) | |||||
{ | |||||
struct pfioc_nv nv; | |||||
u_int64_t timeouts[PFTM_MAX]; | |||||
u_int64_t set_prio[2]; | |||||
nvlist_t *nvl, *nvlr; | |||||
int ret; | |||||
nvl = nvlist_create(0); | |||||
nvlr = nvlist_create(0); | |||||
nvlist_add_number(nvl, "ticket", ticket); | |||||
nvlist_add_number(nvl, "pool_ticket", pool_ticket); | |||||
nvlist_add_string(nvl, "anchor", anchor); | |||||
nvlist_add_string(nvl, "anchor_call", anchor_call); | |||||
nvlist_add_number(nvlr, "nr", r->nr); | |||||
pfctl_nv_add_rule_addr(nvlr, "src", &r->src); | |||||
pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst); | |||||
nvlist_add_string(nvlr, "label", r->label); | |||||
nvlist_add_string(nvlr, "ifname", r->ifname); | |||||
nvlist_add_string(nvlr, "qname", r->qname); | |||||
nvlist_add_string(nvlr, "pqname", r->pqname); | |||||
nvlist_add_string(nvlr, "tagname", r->tagname); | |||||
nvlist_add_string(nvlr, "match_tagname", r->match_tagname); | |||||
nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname); | |||||
pfctl_nv_add_pool(nvlr, "rpool", &r->rpool); | |||||
nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint); | |||||
nvlist_add_number(nvlr, "rtableid", r->rtableid); | |||||
for (int i = 0; i < PFTM_MAX; i++) | |||||
timeouts[i] = r->timeout[i]; | |||||
nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX); | |||||
nvlist_add_number(nvlr, "max_states", r->max_states); | |||||
nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes); | |||||
nvlist_add_number(nvlr, "max_src_states", r->max_src_states); | |||||
nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn); | |||||
nvlist_add_number(nvlr, "max_src_conn_rate.limit", | |||||
r->max_src_conn_rate.limit); | |||||
nvlist_add_number(nvlr, "max_src_conn_rate.seconds", | |||||
r->max_src_conn_rate.seconds); | |||||
nvlist_add_number(nvlr, "prob", r->prob); | |||||
nvlist_add_number(nvlr, "cuid", r->cuid); | |||||
nvlist_add_number(nvlr, "cpid", r->cpid); | |||||
nvlist_add_number(nvlr, "return_icmp", r->return_icmp); | |||||
nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6); | |||||
nvlist_add_number(nvlr, "max_mss", r->max_mss); | |||||
nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags); | |||||
pfctl_nv_add_uid(nvlr, "uid", &r->uid); | |||||
pfctl_nv_add_uid(nvlr, "gid", (struct pf_rule_uid *)&r->gid); | |||||
nvlist_add_number(nvlr, "rule_flag", r->rule_flag); | |||||
nvlist_add_number(nvlr, "action", r->action); | |||||
nvlist_add_number(nvlr, "direction", r->direction); | |||||
nvlist_add_number(nvlr, "log", r->log); | |||||
nvlist_add_number(nvlr, "logif", r->logif); | |||||
nvlist_add_number(nvlr, "quick", r->quick); | |||||
nvlist_add_number(nvlr, "ifnot", r->ifnot); | |||||
nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not); | |||||
nvlist_add_number(nvlr, "natpass", r->natpass); | |||||
nvlist_add_number(nvlr, "keep_state", r->keep_state); | |||||
nvlist_add_number(nvlr, "af", r->af); | |||||
nvlist_add_number(nvlr, "proto", r->proto); | |||||
nvlist_add_number(nvlr, "type", r->type); | |||||
nvlist_add_number(nvlr, "code", r->code); | |||||
nvlist_add_number(nvlr, "flags", r->flags); | |||||
nvlist_add_number(nvlr, "flagset", r->flagset); | |||||
nvlist_add_number(nvlr, "min_ttl", r->min_ttl); | |||||
nvlist_add_number(nvlr, "allow_opts", r->allow_opts); | |||||
nvlist_add_number(nvlr, "rt", r->rt); | |||||
nvlist_add_number(nvlr, "return_ttl", r->return_ttl); | |||||
nvlist_add_number(nvlr, "tos", r->tos); | |||||
nvlist_add_number(nvlr, "set_tos", r->set_tos); | |||||
nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative); | |||||
nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard); | |||||
nvlist_add_number(nvlr, "flush", r->flush); | |||||
nvlist_add_number(nvlr, "prio", r->prio); | |||||
set_prio[0] = r->set_prio[0]; | |||||
set_prio[1] = r->set_prio[1]; | |||||
nvlist_add_number_array(nvlr, "set_prio", set_prio, 2); | |||||
pfctl_nv_add_divert(nvlr, "divert", r); | |||||
nvlist_add_nvlist(nvl, "rule", nvlr); | |||||
/* Now do the call. */ | |||||
nv.data = nvlist_pack(nvl, &nv.len); | |||||
nv.size = nv.len; | |||||
ret = ioctl(pf->dev, DIOCADDRULENV, &nv); | |||||
free(nv.data); | |||||
nvlist_destroy(nvl); | |||||
return (ret); | |||||
} | |||||
int | int | ||||
pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) | pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth) | ||||
{ | { | ||||
u_int8_t rs_num = pf_get_ruleset_number(r->action); | u_int8_t rs_num = pf_get_ruleset_number(r->action); | ||||
char *name; | char *name; | ||||
u_int32_t ticket; | u_int32_t ticket; | ||||
char anchor[PF_ANCHOR_NAME_SIZE]; | char anchor[PF_ANCHOR_NAME_SIZE]; | ||||
int len = strlen(path); | int len = strlen(path); | ||||
Show All 16 Lines | if (r->anchor) { | ||||
} else | } else | ||||
name = r->anchor->path; | name = r->anchor->path; | ||||
} else | } else | ||||
name = ""; | name = ""; | ||||
if ((pf->opts & PF_OPT_NOACTION) == 0) { | if ((pf->opts & PF_OPT_NOACTION) == 0) { | ||||
if (pfctl_add_pool(pf, &r->rpool, r->af)) | if (pfctl_add_pool(pf, &r->rpool, r->af)) | ||||
return (1); | return (1); | ||||
if (pfctl_addrule(pf, r, anchor, name, ticket, | if (pfctl_add_rule(pf->dev, r, anchor, name, ticket, | ||||
pf->paddr.ticket)) | pf->paddr.ticket)) | ||||
err(1, "DIOCADDRULENV"); | err(1, "DIOCADDRULENV"); | ||||
} | } | ||||
if (pf->opts & PF_OPT_VERBOSE) { | if (pf->opts & PF_OPT_VERBOSE) { | ||||
INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2)); | INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2)); | ||||
print_rule(r, r->anchor ? r->anchor->name : "", | print_rule(r, r->anchor ? r->anchor->name : "", | ||||
pf->opts & PF_OPT_VERBOSE2, | pf->opts & PF_OPT_VERBOSE2, | ||||
▲ Show 20 Lines • Show All 1,042 Lines • Show Last 20 Lines |