search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernel - Fix bug in the emergency interrupt polling thread
[dragonfly.git] / usr.sbin / pfctl / pfctl.c
blob749d5319ea981dd4c52ca3edac2eff0f3e8713b6
1 /* $OpenBSD: pfctl.c,v 1.268 2007/06/30 18:25:08 henning Exp $ */
2
3 /*
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 *
32 */
33
34 #include <sys/types.h>
35 #include <sys/ioctl.h>
36 #include <sys/socket.h>
37 #include <sys/stat.h>
38
39 #include <net/if.h>
40 #include <netinet/in.h>
41 #include <net/pf/pfvar.h>
42 #include <arpa/inet.h>
43 #include <net/altq/altq.h>
44 #include <sys/sysctl.h>
45
46 #include <err.h>
47 #include <errno.h>
48 #include <fcntl.h>
49 #include <limits.h>
50 #include <netdb.h>
51 #include <stdio.h>
52 #include <stdlib.h>
53 #include <string.h>
54 #include <unistd.h>
55
56 #include "pfctl_parser.h"
57 #include "pfctl.h"
58
59 void usage(void);
60 int pfctl_enable(int, int);
61 int pfctl_disable(int, int);
62 int pfctl_clear_stats(int, int);
63 int pfctl_clear_interface_flags(int, int);
64 int pfctl_clear_rules(int, int, char *);
65 int pfctl_clear_nat(int, int, char *);
66 int pfctl_clear_altq(int, int);
67 int pfctl_clear_src_nodes(int, int);
68 int pfctl_clear_states(int, const char *, int);
69 void pfctl_addrprefix(char *, struct pf_addr *);
70 int pfctl_kill_src_nodes(int, const char *, int);
71 int pfctl_kill_states(int, const char *, int);
72 void pfctl_init_options(struct pfctl *);
73 int pfctl_load_options(struct pfctl *);
74 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
75 int pfctl_load_timeout(struct pfctl *, unsigned int, unsigned int);
76 int pfctl_load_debug(struct pfctl *, unsigned int);
77 int pfctl_load_logif(struct pfctl *, char *);
78 int pfctl_load_hostid(struct pfctl *, unsigned int);
79 int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int,
80 char *);
81 void pfctl_print_rule_counters(struct pf_rule *, int);
82 int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
83 int pfctl_show_nat(int, int, char *);
84 int pfctl_show_src_nodes(int, int);
85 int pfctl_show_states(int, const char *, int);
86 int pfctl_show_status(int, int);
87 int pfctl_show_timeouts(int, int);
88 int pfctl_show_limits(int, int);
89 void pfctl_debug(int, u_int32_t, int);
90 int pfctl_test_altqsupport(int, int);
91 int pfctl_show_anchors(int, int, char *);
92 int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *);
93 int pfctl_load_ruleset(struct pfctl *, char *,
94 struct pf_ruleset *, int, int);
95 int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int);
96 const char *pfctl_lookup_option(char *, const char **);
97
98 struct pf_anchor_global pf_anchors;
99 struct pf_anchor pf_main_anchor;
100
101 const char *clearopt;
102 char *rulesopt;
103 const char *showopt;
104 const char *debugopt;
105 char *anchoropt;
106 const char *optiopt = NULL;
107 const char *pf_device = "/dev/pf";
108 char *ifaceopt;
109 char *tableopt;
110 const char *tblcmdopt;
111 int src_node_killers;
112 char *src_node_kill[2];
113 int state_killers;
114 char *state_kill[2];
115 int loadopt;
116 int altqsupport;
117
118 int dev_fd = -1;
119 int first_title = 1;
120 int labels = 0;
121
122 const char *infile;
123
124 #define INDENT(d, o) do { \
125 if (o) { \
126 int i; \
127 for (i=0; i < d; i++) \
128 printf(" "); \
129 } \
130 } while (0); \
131
132
133 static const struct {
134 const char *name;
135 int index;
136 } pf_limits[] = {
137 { "states", PF_LIMIT_STATES },
138 { "src-nodes", PF_LIMIT_SRC_NODES },
139 { "frags", PF_LIMIT_FRAGS },
140 { "tables", PF_LIMIT_TABLES },
141 { "table-entries", PF_LIMIT_TABLE_ENTRIES },
142 { NULL, 0 }
143 };
144
145 struct pf_hint {
146 const char *name;
147 int timeout;
148 };
149 static const struct pf_hint pf_hint_normal[] = {
150 { "tcp.first", 2 * 60 },
151 { "tcp.opening", 30 },
152 { "tcp.established", 24 * 60 * 60 },
153 { "tcp.closing", 15 * 60 },
154 { "tcp.finwait", 45 },
155 { "tcp.closed", 90 },
156 { "tcp.tsdiff", 30 },
157 { NULL, 0 }
158 };
159 static const struct pf_hint pf_hint_satellite[] = {
160 { "tcp.first", 3 * 60 },
161 { "tcp.opening", 30 + 5 },
162 { "tcp.established", 24 * 60 * 60 },
163 { "tcp.closing", 15 * 60 + 5 },
164 { "tcp.finwait", 45 + 5 },
165 { "tcp.closed", 90 + 5 },
166 { "tcp.tsdiff", 60 },
167 { NULL, 0 }
168 };
169 static const struct pf_hint pf_hint_conservative[] = {
170 { "tcp.first", 60 * 60 },
171 { "tcp.opening", 15 * 60 },
172 { "tcp.established", 5 * 24 * 60 * 60 },
173 { "tcp.closing", 60 * 60 },
174 { "tcp.finwait", 10 * 60 },
175 { "tcp.closed", 3 * 60 },
176 { "tcp.tsdiff", 60 },
177 { NULL, 0 }
178 };
179 static const struct pf_hint pf_hint_aggressive[] = {
180 { "tcp.first", 30 },
181 { "tcp.opening", 5 },
182 { "tcp.established", 5 * 60 * 60 },
183 { "tcp.closing", 60 },
184 { "tcp.finwait", 30 },
185 { "tcp.closed", 30 },
186 { "tcp.tsdiff", 10 },
187 { NULL, 0 }
188 };
189
190 static const struct {
191 const char *name;
192 const struct pf_hint *hint;
193 } pf_hints[] = {
194 { "normal", pf_hint_normal },
195 { "satellite", pf_hint_satellite },
196 { "high-latency", pf_hint_satellite },
197 { "conservative", pf_hint_conservative },
198 { "aggressive", pf_hint_aggressive },
199 { NULL, NULL }
200 };
201
202 static const char *clearopt_list[] = {
203 "nat", "queue", "rules", "Sources",
204 "states", "info", "Tables", "osfp", "all", NULL
205 };
206
207 static const char *showopt_list[] = {
208 "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
209 "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
210 "all", NULL
211 };
212
213 static const char *tblcmdopt_list[] = {
214 "kill", "flush", "add", "delete", "load", "replace", "show",
215 "test", "zero", "expire", NULL
216 };
217
218 static const char *debugopt_list[] = {
219 "none", "urgent", "misc", "loud", NULL
220 };
221
222 static const char *optiopt_list[] = {
223 "none", "basic", "profile", NULL
224 };
225
226 void
227 usage(void)
228 {
229 fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", getprogname());
230 fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
231 fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
232 fprintf(stderr, "[-k host | network]\n");
233 fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
234 fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
235 exit(1);
236 }
237
238 int
239 pfctl_enable(int dev, int opts)
240 {
241 if (ioctl(dev, DIOCSTART)) {
242 if (errno == EEXIST)
243 errx(1, "pf already enabled");
244 else
245 err(1, "DIOCSTART");
246 }
247 if ((opts & PF_OPT_QUIET) == 0)
248 fprintf(stderr, "pf enabled\n");
249
250 if (altqsupport && ioctl(dev, DIOCSTARTALTQ))
251 if (errno != EEXIST)
252 err(1, "DIOCSTARTALTQ");
253
254 return (0);
255 }
256
257 int
258 pfctl_disable(int dev, int opts)
259 {
260 if (ioctl(dev, DIOCSTOP)) {
261 if (errno == ENOENT)
262 errx(1, "pf not enabled");
263 else
264 err(1, "DIOCSTOP");
265 }
266 if ((opts & PF_OPT_QUIET) == 0)
267 fprintf(stderr, "pf disabled\n");
268
269 if (altqsupport && ioctl(dev, DIOCSTOPALTQ))
270 if (errno != ENOENT)
271 err(1, "DIOCSTOPALTQ");
272
273 return (0);
274 }
275
276 int
277 pfctl_clear_stats(int dev, int opts)
278 {
279 if (ioctl(dev, DIOCCLRSTATUS))
280 err(1, "DIOCCLRSTATUS");
281 if ((opts & PF_OPT_QUIET) == 0)
282 fprintf(stderr, "pf: statistics cleared\n");
283 return (0);
284 }
285
286 int
287 pfctl_clear_interface_flags(int dev, int opts)
288 {
289 struct pfioc_iface pi;
290
291 if ((opts & PF_OPT_NOACTION) == 0) {
292 bzero(&pi, sizeof(pi));
293 pi.pfiio_flags = PFI_IFLAG_SKIP;
294
295 if (ioctl(dev, DIOCCLRIFFLAG, &pi))
296 err(1, "DIOCCLRIFFLAG");
297 if ((opts & PF_OPT_QUIET) == 0)
298 fprintf(stderr, "pf: interface flags reset\n");
299 }
300 return (0);
301 }
302
303 int
304 pfctl_clear_rules(int dev, int opts, char *anchorname)
305 {
306 struct pfr_buffer t;
307
308 memset(&t, 0, sizeof(t));
309 t.pfrb_type = PFRB_TRANS;
310 if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
311 pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
312 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
313 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
314 err(1, "pfctl_clear_rules");
315 if ((opts & PF_OPT_QUIET) == 0)
316 fprintf(stderr, "rules cleared\n");
317 return (0);
318 }
319
320 int
321 pfctl_clear_nat(int dev, int opts, char *anchorname)
322 {
323 struct pfr_buffer t;
324
325 memset(&t, 0, sizeof(t));
326 t.pfrb_type = PFRB_TRANS;
327 if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
328 pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
329 pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
330 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
331 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
332 err(1, "pfctl_clear_nat");
333 if ((opts & PF_OPT_QUIET) == 0)
334 fprintf(stderr, "nat cleared\n");
335 return (0);
336 }
337
338 int
339 pfctl_clear_altq(int dev, int opts)
340 {
341 struct pfr_buffer t;
342
343 if (!altqsupport)
344 return (-1);
345 memset(&t, 0, sizeof(t));
346 t.pfrb_type = PFRB_TRANS;
347 if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") ||
348 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
349 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
350 err(1, "pfctl_clear_altq");
351 if ((opts & PF_OPT_QUIET) == 0)
352 fprintf(stderr, "altq cleared\n");
353 return (0);
354 }
355
356 int
357 pfctl_clear_src_nodes(int dev, int opts)
358 {
359 if (ioctl(dev, DIOCCLRSRCNODES))
360 err(1, "DIOCCLRSRCNODES");
361 if ((opts & PF_OPT_QUIET) == 0)
362 fprintf(stderr, "source tracking entries cleared\n");
363 return (0);
364 }
365
366 int
367 pfctl_clear_states(int dev, const char *iface, int opts)
368 {
369 struct pfioc_state_kill psk;
370
371 memset(&psk, 0, sizeof(psk));
372 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
373 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
374 errx(1, "invalid interface: %s", iface);
375
376 if (ioctl(dev, DIOCCLRSTATES, &psk))
377 err(1, "DIOCCLRSTATES");
378 if ((opts & PF_OPT_QUIET) == 0)
379 fprintf(stderr, "%d states cleared\n", psk.psk_af);
380 return (0);
381 }
382
383 void
384 pfctl_addrprefix(char *addr, struct pf_addr *mask)
385 {
386 char *p;
387 const char *errstr;
388 int prefix, ret_ga, q, r;
389 struct addrinfo hints, *res;
390
391 if ((p = strchr(addr, '/')) == NULL)
392 return;
393
394 *p++ = '\0';
395 prefix = strtonum(p, 0, 128, &errstr);
396 if (errstr)
397 errx(1, "prefix is %s: %s", errstr, p);
398
399 bzero(&hints, sizeof(hints));
400 /* prefix only with numeric addresses */
401 hints.ai_flags |= AI_NUMERICHOST;
402
403 if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) {
404 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
405 /* NOTREACHED */
406 }
407
408 if (res->ai_family == AF_INET && prefix > 32)
409 errx(1, "prefix too long for AF_INET");
410 else if (res->ai_family == AF_INET6 && prefix > 128)
411 errx(1, "prefix too long for AF_INET6");
412
413 q = prefix >> 3;
414 r = prefix & 7;
415 switch (res->ai_family) {
416 case AF_INET:
417 bzero(&mask->v4, sizeof(mask->v4));
418 mask->v4.s_addr = htonl((u_int32_t)
419 (0xffffffffffULL << (32 - prefix)));
420 break;
421 case AF_INET6:
422 bzero(&mask->v6, sizeof(mask->v6));
423 if (q > 0)
424 memset((void *)&mask->v6, 0xff, q);
425 if (r > 0)
426 *((u_char *)&mask->v6 + q) =
427 (0xff00 >> r) & 0xff;
428 break;
429 }
430 freeaddrinfo(res);
431 }
432
433 int
434 pfctl_kill_src_nodes(int dev, const char *iface __unused, int opts)
435 {
436 struct pfioc_src_node_kill psnk;
437 struct addrinfo *res[2], *resp[2];
438 struct sockaddr last_src, last_dst;
439 int killed, sources, dests;
440 int ret_ga;
441
442 killed = sources = dests = 0;
443
444 memset(&psnk, 0, sizeof(psnk));
445 memset(&psnk.psnk_src.addr.v.a.mask, 0xff,
446 sizeof(psnk.psnk_src.addr.v.a.mask));
447 memset(&last_src, 0xff, sizeof(last_src));
448 memset(&last_dst, 0xff, sizeof(last_dst));
449
450 pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask);
451
452 if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) {
453 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
454 /* NOTREACHED */
455 }
456 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
457 if (resp[0]->ai_addr == NULL)
458 continue;
459 /* We get lots of duplicates. Catch the easy ones */
460 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
461 continue;
462 last_src = *(struct sockaddr *)resp[0]->ai_addr;
463
464 psnk.psnk_af = resp[0]->ai_family;
465 sources++;
466
467 if (psnk.psnk_af == AF_INET)
468 psnk.psnk_src.addr.v.a.addr.v4 =
469 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
470 else if (psnk.psnk_af == AF_INET6)
471 psnk.psnk_src.addr.v.a.addr.v6 =
472 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
473 sin6_addr;
474 else
475 errx(1, "Unknown address family %d", psnk.psnk_af);
476
477 if (src_node_killers > 1) {
478 dests = 0;
479 memset(&psnk.psnk_dst.addr.v.a.mask, 0xff,
480 sizeof(psnk.psnk_dst.addr.v.a.mask));
481 memset(&last_dst, 0xff, sizeof(last_dst));
482 pfctl_addrprefix(src_node_kill[1],
483 &psnk.psnk_dst.addr.v.a.mask);
484 if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL,
485 &res[1]))) {
486 errx(1, "getaddrinfo: %s",
487 gai_strerror(ret_ga));
488 /* NOTREACHED */
489 }
490 for (resp[1] = res[1]; resp[1];
491 resp[1] = resp[1]->ai_next) {
492 if (resp[1]->ai_addr == NULL)
493 continue;
494 if (psnk.psnk_af != resp[1]->ai_family)
495 continue;
496
497 if (memcmp(&last_dst, resp[1]->ai_addr,
498 sizeof(last_dst)) == 0)
499 continue;
500 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
501
502 dests++;
503
504 if (psnk.psnk_af == AF_INET)
505 psnk.psnk_dst.addr.v.a.addr.v4 =
506 ((struct sockaddr_in *)resp[1]->
507 ai_addr)->sin_addr;
508 else if (psnk.psnk_af == AF_INET6)
509 psnk.psnk_dst.addr.v.a.addr.v6 =
510 ((struct sockaddr_in6 *)resp[1]->
511 ai_addr)->sin6_addr;
512 else
513 errx(1, "Unknown address family %d",
514 psnk.psnk_af);
515
516 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
517 err(1, "DIOCKILLSRCNODES");
518 killed += psnk.psnk_af;
519 /* fixup psnk.psnk_af */
520 psnk.psnk_af = resp[1]->ai_family;
521 }
522 freeaddrinfo(res[1]);
523 } else {
524 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
525 err(1, "DIOCKILLSRCNODES");
526 killed += psnk.psnk_af;
527 /* fixup psnk.psnk_af */
528 psnk.psnk_af = res[0]->ai_family;
529 }
530 }
531
532 freeaddrinfo(res[0]);
533
534 if ((opts & PF_OPT_QUIET) == 0)
535 fprintf(stderr, "killed %d src nodes from %d sources and %d "
536 "destinations\n", killed, sources, dests);
537 return (0);
538 }
539
540 int
541 pfctl_kill_states(int dev, const char *iface, int opts)
542 {
543 struct pfioc_state_kill psk;
544 struct addrinfo *res[2], *resp[2];
545 struct sockaddr last_src, last_dst;
546 int killed, sources, dests;
547 int ret_ga;
548
549 killed = sources = dests = 0;
550
551 memset(&psk, 0, sizeof(psk));
552 memset(&psk.psk_src.addr.v.a.mask, 0xff,
553 sizeof(psk.psk_src.addr.v.a.mask));
554 memset(&last_src, 0xff, sizeof(last_src));
555 memset(&last_dst, 0xff, sizeof(last_dst));
556 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
557 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
558 errx(1, "invalid interface: %s", iface);
559
560 pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask);
561
562 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
563 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
564 /* NOTREACHED */
565 }
566 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
567 if (resp[0]->ai_addr == NULL)
568 continue;
569 /* We get lots of duplicates. Catch the easy ones */
570 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
571 continue;
572 last_src = *(struct sockaddr *)resp[0]->ai_addr;
573
574 psk.psk_af = resp[0]->ai_family;
575 sources++;
576
577 if (psk.psk_af == AF_INET)
578 psk.psk_src.addr.v.a.addr.v4 =
579 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
580 else if (psk.psk_af == AF_INET6)
581 psk.psk_src.addr.v.a.addr.v6 =
582 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
583 sin6_addr;
584 else
585 errx(1, "Unknown address family %d", psk.psk_af);
586
587 if (state_killers > 1) {
588 dests = 0;
589 memset(&psk.psk_dst.addr.v.a.mask, 0xff,
590 sizeof(psk.psk_dst.addr.v.a.mask));
591 memset(&last_dst, 0xff, sizeof(last_dst));
592 pfctl_addrprefix(state_kill[1],
593 &psk.psk_dst.addr.v.a.mask);
594 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL,
595 &res[1]))) {
596 errx(1, "getaddrinfo: %s",
597 gai_strerror(ret_ga));
598 /* NOTREACHED */
599 }
600 for (resp[1] = res[1]; resp[1];
601 resp[1] = resp[1]->ai_next) {
602 if (resp[1]->ai_addr == NULL)
603 continue;
604 if (psk.psk_af != resp[1]->ai_family)
605 continue;
606
607 if (memcmp(&last_dst, resp[1]->ai_addr,
608 sizeof(last_dst)) == 0)
609 continue;
610 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
611
612 dests++;
613
614 if (psk.psk_af == AF_INET)
615 psk.psk_dst.addr.v.a.addr.v4 =
616 ((struct sockaddr_in *)resp[1]->
617 ai_addr)->sin_addr;
618 else if (psk.psk_af == AF_INET6)
619 psk.psk_dst.addr.v.a.addr.v6 =
620 ((struct sockaddr_in6 *)resp[1]->
621 ai_addr)->sin6_addr;
622 else
623 errx(1, "Unknown address family %d",
624 psk.psk_af);
625
626 if (ioctl(dev, DIOCKILLSTATES, &psk))
627 err(1, "DIOCKILLSTATES");
628 killed += psk.psk_af;
629 /* fixup psk.psk_af */
630 psk.psk_af = resp[1]->ai_family;
631 }
632 freeaddrinfo(res[1]);
633 } else {
634 if (ioctl(dev, DIOCKILLSTATES, &psk))
635 err(1, "DIOCKILLSTATES");
636 killed += psk.psk_af;
637 /* fixup psk.psk_af */
638 psk.psk_af = res[0]->ai_family;
639 }
640 }
641
642 freeaddrinfo(res[0]);
643
644 if ((opts & PF_OPT_QUIET) == 0)
645 fprintf(stderr, "killed %d states from %d sources and %d "
646 "destinations\n", killed, sources, dests);
647 return (0);
648 }
649
650 int
651 pfctl_get_pool(int dev, struct pf_pool *pool, u_int32_t nr,
652 u_int32_t ticket, int r_action, char *anchorname)
653 {
654 struct pfioc_pooladdr pp;
655 struct pf_pooladdr *pa;
656 u_int32_t pnr, mpnr;
657
658 memset(&pp, 0, sizeof(pp));
659 memcpy(pp.anchor, anchorname, sizeof(pp.anchor));
660 pp.r_action = r_action;
661 pp.r_num = nr;
662 pp.ticket = ticket;
663 if (ioctl(dev, DIOCGETADDRS, &pp)) {
664 warn("DIOCGETADDRS");
665 return (-1);
666 }
667 mpnr = pp.nr;
668 TAILQ_INIT(&pool->list);
669 for (pnr = 0; pnr < mpnr; ++pnr) {
670 pp.nr = pnr;
671 if (ioctl(dev, DIOCGETADDR, &pp)) {
672 warn("DIOCGETADDR");
673 return (-1);
674 }
675 pa = calloc(1, sizeof(struct pf_pooladdr));
676 if (pa == NULL)
677 err(1, "calloc");
678 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr));
679 TAILQ_INSERT_TAIL(&pool->list, pa, entries);
680 }
681
682 return (0);
683 }
684
685 void
686 pfctl_move_pool(struct pf_pool *src, struct pf_pool *dst)
687 {
688 struct pf_pooladdr *pa;
689
690 while ((pa = TAILQ_FIRST(&src->list)) != NULL) {
691 TAILQ_REMOVE(&src->list, pa, entries);
692 TAILQ_INSERT_TAIL(&dst->list, pa, entries);
693 }
694 }
695
696 void
697 pfctl_clear_pool(struct pf_pool *pool)
698 {
699 struct pf_pooladdr *pa;
700
701 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) {
702 TAILQ_REMOVE(&pool->list, pa, entries);
703 free(pa);
704 }
705 }
706
707 void
708 pfctl_print_rule_counters(struct pf_rule *rule, int opts)
709 {
710 if (opts & PF_OPT_DEBUG) {
711 const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
712 "p", "sa", "sp", "da", "dp" };
713 int i;
714
715 printf(" [ Skip steps: ");
716 for (i = 0; i < PF_SKIP_COUNT; ++i) {
717 if (rule->skip[i].nr == rule->nr + 1)
718 continue;
719 printf("%s=", t[i]);
720 if (rule->skip[i].nr == (uint32_t)(-1))
721 printf("end ");
722 else
723 printf("%u ", rule->skip[i].nr);
724 }
725 printf("]\n");
726
727 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n",
728 rule->qname, rule->qid, rule->pqname, rule->pqid);
729 }
730 if (opts & PF_OPT_VERBOSE) {
731 printf(" [ Evaluations: %-8llu Packets: %-8llu "
732 "Bytes: %-10llu States: %-6u]\n",
733 (unsigned long long)rule->evaluations,
734 (unsigned long long)(rule->packets[0] +
735 rule->packets[1]),
736 (unsigned long long)(rule->bytes[0] +
737 rule->bytes[1]), rule->states);
738 if (!(opts & PF_OPT_DEBUG))
739 printf(" [ Inserted: uid %u pid %u ]\n",
740 (unsigned)rule->cuid, (unsigned)rule->cpid);
741 }
742 }
743
744 void
745 pfctl_print_title(const char *title)
746 {
747 if (!first_title)
748 printf("\n");
749 first_title = 0;
750 printf("%s\n", title);
751 }
752
753 int
754 pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
755 char *anchorname, int depth)
756 {
757 struct pfioc_rule pr;
758 u_int32_t nr, mnr, header = 0;
759 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
760 int len = strlen(path);
761 int brace;
762 char *p;
763
764 if (path[0])
765 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
766 else
767 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
768
769 memset(&pr, 0, sizeof(pr));
770 memcpy(pr.anchor, path, sizeof(pr.anchor));
771 if (opts & PF_OPT_SHOWALL) {
772 pr.rule.action = PF_PASS;
773 if (ioctl(dev, DIOCGETRULES, &pr)) {
774 warn("DIOCGETRULES");
775 goto error;
776 }
777 header++;
778 }
779 pr.rule.action = PF_SCRUB;
780 if (ioctl(dev, DIOCGETRULES, &pr)) {
781 warn("DIOCGETRULES");
782 goto error;
783 }
784 if (opts & PF_OPT_SHOWALL) {
785 if (format == PFCTL_SHOW_RULES && (pr.nr > 0 || header))
786 pfctl_print_title("FILTER RULES:");
787 else if (format == PFCTL_SHOW_LABELS && labels)
788 pfctl_print_title("LABEL COUNTERS:");
789 }
790 mnr = pr.nr;
791 if (opts & PF_OPT_CLRRULECTRS)
792 pr.action = PF_GET_CLR_CNTR;
793
794 for (nr = 0; nr < mnr; ++nr) {
795 pr.nr = nr;
796 if (ioctl(dev, DIOCGETRULE, &pr)) {
797 warn("DIOCGETRULE");
798 goto error;
799 }
800
801 if (pfctl_get_pool(dev, &pr.rule.rpool,
802 nr, pr.ticket, PF_SCRUB, path) != 0)
803 goto error;
804
805 switch (format) {
806 case PFCTL_SHOW_LABELS:
807 if (pr.rule.label[0]) {
808 printf("%s ", pr.rule.label);
809 printf("%llu %llu %llu %llu %llu %llu %llu\n",
810 (unsigned long long)pr.rule.evaluations,
811 (unsigned long long)(pr.rule.packets[0] +
812 pr.rule.packets[1]),
813 (unsigned long long)(pr.rule.bytes[0] +
814 pr.rule.bytes[1]),
815 (unsigned long long)pr.rule.packets[0],
816 (unsigned long long)pr.rule.bytes[0],
817 (unsigned long long)pr.rule.packets[1],
818 (unsigned long long)pr.rule.bytes[1]);
819 }
820 break;
821 case PFCTL_SHOW_RULES:
822 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
823 labels = 1;
824 print_rule(&pr.rule, pr.anchor_call, rule_numbers);
825 printf("\n");
826 pfctl_print_rule_counters(&pr.rule, opts);
827 break;
828 case PFCTL_SHOW_NOTHING:
829 break;
830 }
831 pfctl_clear_pool(&pr.rule.rpool);
832 }
833 pr.rule.action = PF_PASS;
834 if (ioctl(dev, DIOCGETRULES, &pr)) {
835 warn("DIOCGETRULES");
836 goto error;
837 }
838 mnr = pr.nr;
839 for (nr = 0; nr < mnr; ++nr) {
840 pr.nr = nr;
841 if (ioctl(dev, DIOCGETRULE, &pr)) {
842 warn("DIOCGETRULE");
843 goto error;
844 }
845
846 if (pfctl_get_pool(dev, &pr.rule.rpool,
847 nr, pr.ticket, PF_PASS, path) != 0)
848 goto error;
849
850 switch (format) {
851 case PFCTL_SHOW_LABELS:
852 if (pr.rule.label[0]) {
853 printf("%s ", pr.rule.label);
854 printf("%llu %llu %llu %llu %llu %llu %llu\n",
855 (unsigned long long)pr.rule.evaluations,
856 (unsigned long long)(pr.rule.packets[0] +
857 pr.rule.packets[1]),
858 (unsigned long long)(pr.rule.bytes[0] +
859 pr.rule.bytes[1]),
860 (unsigned long long)pr.rule.packets[0],
861 (unsigned long long)pr.rule.bytes[0],
862 (unsigned long long)pr.rule.packets[1],
863 (unsigned long long)pr.rule.bytes[1]);
864 }
865 break;
866 case PFCTL_SHOW_RULES:
867 brace = 0;
868 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
869 labels = 1;
870 INDENT(depth, !(opts & PF_OPT_VERBOSE));
871 if (pr.anchor_call[0] &&
872 ((((p = strrchr(pr.anchor_call, '_')) != NULL) &&
873 ((void *)p == (void *)pr.anchor_call ||
874 *(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
875 brace++;
876 if ((p = strrchr(pr.anchor_call, '/')) !=
877 NULL)
878 p++;
879 else
880 p = &pr.anchor_call[0];
881 } else
882 p = &pr.anchor_call[0];
883
884 print_rule(&pr.rule, p, rule_numbers);
885 if (brace)
886 printf(" {\n");
887 else
888 printf("\n");
889 pfctl_print_rule_counters(&pr.rule, opts);
890 if (brace) {
891 pfctl_show_rules(dev, path, opts, format,
892 p, depth + 1);
893 INDENT(depth, !(opts & PF_OPT_VERBOSE));
894 printf("}\n");
895 }
896 break;
897 case PFCTL_SHOW_NOTHING:
898 break;
899 }
900 pfctl_clear_pool(&pr.rule.rpool);
901 }
902 path[len] = '\0';
903 return (0);
904
905 error:
906 path[len] = '\0';
907 return (-1);
908 }
909
910 int
911 pfctl_show_nat(int dev, int opts, char *anchorname)
912 {
913 struct pfioc_rule pr;
914 u_int32_t mnr, nr;
915 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
916 int i, dotitle = opts & PF_OPT_SHOWALL;
917
918 memset(&pr, 0, sizeof(pr));
919 memcpy(pr.anchor, anchorname, sizeof(pr.anchor));
920 for (i = 0; i < 3; i++) {
921 pr.rule.action = nattype[i];
922 if (ioctl(dev, DIOCGETRULES, &pr)) {
923 warn("DIOCGETRULES");
924 return (-1);
925 }
926 mnr = pr.nr;
927 for (nr = 0; nr < mnr; ++nr) {
928 pr.nr = nr;
929 if (ioctl(dev, DIOCGETRULE, &pr)) {
930 warn("DIOCGETRULE");
931 return (-1);
932 }
933 if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
934 pr.ticket, nattype[i], anchorname) != 0)
935 return (-1);
936 if (dotitle) {
937 pfctl_print_title("TRANSLATION RULES:");
938 dotitle = 0;
939 }
940 print_rule(&pr.rule, pr.anchor_call,
941 opts & PF_OPT_VERBOSE2);
942 printf("\n");
943 pfctl_print_rule_counters(&pr.rule, opts);
944 pfctl_clear_pool(&pr.rule.rpool);
945 }
946 }
947 return (0);
948 }
949
950 int
951 pfctl_show_src_nodes(int dev, int opts)
952 {
953 struct pfioc_src_nodes psn;
954 struct pf_src_node *p;
955 char *inbuf = NULL, *newinbuf = NULL;
956 unsigned len = 0;
957 int i;
958
959 memset(&psn, 0, sizeof(psn));
960 for (;;) {
961 psn.psn_len = len;
962 if (len) {
963 newinbuf = realloc(inbuf, len);
964 if (newinbuf == NULL)
965 err(1, "realloc");
966 psn.psn_buf = inbuf = newinbuf;
967 }
968 if (ioctl(dev, DIOCGETSRCNODES, &psn) < 0) {
969 warn("DIOCGETSRCNODES");
970 free(inbuf);
971 return (-1);
972 }
973 if (psn.psn_len + sizeof(struct pfioc_src_nodes) < len)
974 break;
975 if (len == 0 && psn.psn_len == 0)
976 goto done;
977 if (len == 0 && psn.psn_len != 0)
978 len = psn.psn_len;
979 if (psn.psn_len == 0)
980 goto done; /* no src_nodes */
981 len *= 2;
982 }
983 p = psn.psn_src_nodes;
984 if (psn.psn_len > 0 && (opts & PF_OPT_SHOWALL))
985 pfctl_print_title("SOURCE TRACKING NODES:");
986 for (i = 0; i < psn.psn_len; i += sizeof(*p)) {
987 print_src_node(p, opts);
988 p++;
989 }
990 done:
991 free(inbuf);
992 return (0);
993 }
994
995 int
996 pfctl_show_states(int dev, const char *iface, int opts)
997 {
998 struct pfioc_states ps;
999 struct pfsync_state *p;
1000 char *inbuf = NULL, *newinbuf = NULL;
1001 unsigned len = 0;
1002 int i, dotitle = (opts & PF_OPT_SHOWALL);
1003
1004 memset(&ps, 0, sizeof(ps));
1005 for (;;) {
1006 ps.ps_len = len;
1007 if (len) {
1008 newinbuf = realloc(inbuf, len);
1009 if (newinbuf == NULL)
1010 err(1, "realloc");
1011 ps.ps_buf = inbuf = newinbuf;
1012 }
1013 if (ioctl(dev, DIOCGETSTATES, &ps) < 0) {
1014 warn("DIOCGETSTATES");
1015 free(inbuf);
1016 return (-1);
1017 }
1018 if (ps.ps_len + sizeof(struct pfioc_states) < len)
1019 break;
1020 if (len == 0 && ps.ps_len == 0)
1021 goto done;
1022 if (len == 0 && ps.ps_len != 0)
1023 len = ps.ps_len;
1024 if (ps.ps_len == 0)
1025 goto done; /* no states */
1026 len *= 2;
1027 }
1028 p = ps.ps_states;
1029 for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
1030 if (iface != NULL && strcmp(p->ifname, iface))
1031 continue;
1032 if (dotitle) {
1033 pfctl_print_title("STATES:");
1034 dotitle = 0;
1035 }
1036 print_state(p, opts);
1037 }
1038 done:
1039 free(inbuf);
1040 return (0);
1041 }
1042
1043 int
1044 pfctl_show_status(int dev, int opts)
1045 {
1046 struct pf_status status;
1047
1048 if (ioctl(dev, DIOCGETSTATUS, &status)) {
1049 warn("DIOCGETSTATUS");
1050 return (-1);
1051 }
1052 if (opts & PF_OPT_SHOWALL)
1053 pfctl_print_title("INFO:");
1054 print_status(&status, opts);
1055 return (0);
1056 }
1057
1058 int
1059 pfctl_show_timeouts(int dev, int opts)
1060 {
1061 struct pfioc_tm pt;
1062 int i;
1063
1064 if (opts & PF_OPT_SHOWALL)
1065 pfctl_print_title("TIMEOUTS:");
1066 memset(&pt, 0, sizeof(pt));
1067 for (i = 0; pf_timeouts[i].name; i++) {
1068 pt.timeout = pf_timeouts[i].timeout;
1069 if (ioctl(dev, DIOCGETTIMEOUT, &pt))
1070 err(1, "DIOCGETTIMEOUT");
1071 printf("%-20s %10d", pf_timeouts[i].name, pt.seconds);
1072 if (pf_timeouts[i].timeout >= PFTM_ADAPTIVE_START &&
1073 pf_timeouts[i].timeout <= PFTM_ADAPTIVE_END)
1074 printf(" states");
1075 else
1076 printf("s");
1077 printf("\n");
1078 }
1079 return (0);
1080
1081 }
1082
1083 int
1084 pfctl_show_limits(int dev, int opts)
1085 {
1086 struct pfioc_limit pl;
1087 int i;
1088
1089 if (opts & PF_OPT_SHOWALL)
1090 pfctl_print_title("LIMITS:");
1091 memset(&pl, 0, sizeof(pl));
1092 for (i = 0; pf_limits[i].name; i++) {
1093 pl.index = pf_limits[i].index;
1094 if (ioctl(dev, DIOCGETLIMIT, &pl))
1095 err(1, "DIOCGETLIMIT");
1096 printf("%-13s ", pf_limits[i].name);
1097 if (pl.limit == UINT_MAX)
1098 printf("unlimited\n");
1099 else
1100 printf("hard limit %8u\n", pl.limit);
1101 }
1102 return (0);
1103 }
1104
1105 /* callbacks for rule/nat/rdr/addr */
1106 int
1107 pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af)
1108 {
1109 struct pf_pooladdr *pa;
1110
1111 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1112 if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr))
1113 err(1, "DIOCBEGINADDRS");
1114 }
1115
1116 pf->paddr.af = af;
1117 TAILQ_FOREACH(pa, &p->list, entries) {
1118 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1119 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1120 if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr))
1121 err(1, "DIOCADDADDR");
1122 }
1123 }
1124 return (0);
1125 }
1126
1127 int
1128 pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
1129 {
1130 u_int8_t rs_num;
1131 struct pf_rule *rule;
1132 struct pf_ruleset *rs;
1133 char *p;
1134
1135 rs_num = pf_get_ruleset_number(r->action);
1136 if (rs_num == PF_RULESET_MAX)
1137 errx(1, "Invalid rule type %d", r->action);
1138
1139 rs = &pf->anchor->ruleset;
1140
1141 if (anchor_call[0] && r->anchor == NULL) {
1142 /*
1143 * Don't make non-brace anchors part of the main anchor pool.
1144 */
1145 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL)
1146 err(1, "pfctl_add_rule: calloc");
1147
1148 pf_init_ruleset(&r->anchor->ruleset);
1149 r->anchor->ruleset.anchor = r->anchor;
1150 if (strlcpy(r->anchor->path, anchor_call,
1151 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
1152 errx(1, "pfctl_add_rule: strlcpy");
1153 if ((p = strrchr(anchor_call, '/')) != NULL) {
1154 if (!strlen(p))
1155 err(1, "pfctl_add_rule: bad anchor name %s",
1156 anchor_call);
1157 } else
1158 p = __DECONST(char *, anchor_call);
1159 if (strlcpy(r->anchor->name, p,
1160 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
1161 errx(1, "pfctl_add_rule: strlcpy");
1162 }
1163
1164 if ((rule = calloc(1, sizeof(*rule))) == NULL)
1165 err(1, "calloc");
1166 bcopy(r, rule, sizeof(*rule));
1167 TAILQ_INIT(&rule->rpool.list);
1168 pfctl_move_pool(&r->rpool, &rule->rpool);
1169
1170 TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries);
1171 return (0);
1172 }
1173
1174 int
1175 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
1176 {
1177 int osize = pf->trans->pfrb_size;
1178
1179 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1180 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1181 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1182 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1183 return (1);
1184 }
1185 if (a == pf->astack[0] && ((altqsupport &&
1186 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1187 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1188 return (2);
1189 }
1190 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1191 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1192 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1193 return (3);
1194 }
1195 if (pf->loadopt & PFCTL_FLAG_TABLE)
1196 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1197 return (4);
1198 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1199 return (5);
1200
1201 return (0);
1202 }
1203
1204 int
1205 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
1206 int rs_num, int depth)
1207 {
1208 struct pf_rule *r;
1209 int error, len = strlen(path);
1210 int brace = 0;
1211
1212 pf->anchor = rs->anchor;
1213
1214 if (path[0])
1215 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1216 else
1217 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1218
1219 if (depth) {
1220 if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) {
1221 brace++;
1222 if (pf->opts & PF_OPT_VERBOSE)
1223 printf(" {\n");
1224 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1225 (error = pfctl_ruleset_trans(pf,
1226 path, rs->anchor))) {
1227 printf("pfctl_load_rulesets: "
1228 "pfctl_ruleset_trans %d\n", error);
1229 goto error;
1230 }
1231 } else if (pf->opts & PF_OPT_VERBOSE)
1232 printf("\n");
1233
1234 }
1235
1236 if (pf->optimize && rs_num == PF_RULESET_FILTER)
1237 pfctl_optimize_ruleset(pf, rs);
1238
1239 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
1240 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
1241 if ((error = pfctl_load_rule(pf, path, r, depth)))
1242 goto error;
1243 if (r->anchor) {
1244 if ((error = pfctl_load_ruleset(pf, path,
1245 &r->anchor->ruleset, rs_num, depth + 1)))
1246 goto error;
1247 } else if (pf->opts & PF_OPT_VERBOSE)
1248 printf("\n");
1249 free(r);
1250 }
1251 if (brace && pf->opts & PF_OPT_VERBOSE) {
1252 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1253 printf("}\n");
1254 }
1255 path[len] = '\0';
1256 return (0);
1257
1258 error:
1259 path[len] = '\0';
1260 return (error);
1261
1262 }
1263
1264 int
1265 pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
1266 {
1267 u_int8_t rs_num = pf_get_ruleset_number(r->action);
1268 char *name;
1269 struct pfioc_rule pr;
1270 int len = strlen(path);
1271
1272 bzero(&pr, sizeof(pr));
1273 /* set up anchor before adding to path for anchor_call */
1274 if ((pf->opts & PF_OPT_NOACTION) == 0)
1275 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path);
1276 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor))
1277 errx(1, "pfctl_load_rule: strlcpy");
1278
1279 if (r->anchor) {
1280 if (r->anchor->match) {
1281 if (path[0])
1282 snprintf(&path[len], MAXPATHLEN - len,
1283 "/%s", r->anchor->name);
1284 else
1285 snprintf(&path[len], MAXPATHLEN - len,
1286 "%s", r->anchor->name);
1287 name = path;
1288 } else
1289 name = r->anchor->path;
1290 } else
1291 name = __DECONST(char *, "");
1292
1293 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1294 if (pfctl_add_pool(pf, &r->rpool, r->af))
1295 return (1);
1296 pr.pool_ticket = pf->paddr.ticket;
1297 memcpy(&pr.rule, r, sizeof(pr.rule));
1298 if (r->anchor && strlcpy(pr.anchor_call, name,
1299 sizeof(pr.anchor_call)) >= sizeof(pr.anchor_call))
1300 errx(1, "pfctl_load_rule: strlcpy");
1301 if (ioctl(pf->dev, DIOCADDRULE, &pr))
1302 err(1, "DIOCADDRULE");
1303 }
1304
1305 if (pf->opts & PF_OPT_VERBOSE) {
1306 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1307 print_rule(r, r->anchor ? r->anchor->name : "",
1308 pf->opts & PF_OPT_VERBOSE2);
1309 }
1310 path[len] = '\0';
1311 pfctl_clear_pool(&r->rpool);
1312 return (0);
1313 }
1314
1315 int
1316 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
1317 {
1318 if (altqsupport &&
1319 (loadopt & PFCTL_FLAG_ALTQ) != 0) {
1320 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
1321 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1322 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
1323 if (errno == ENXIO)
1324 errx(1, "qtype not configured");
1325 else if (errno == ENODEV)
1326 errx(1, "%s: driver does not support "
1327 "altq", a->ifname);
1328 else
1329 err(1, "DIOCADDALTQ");
1330 }
1331 }
1332 pfaltq_store(&pf->paltq->altq);
1333 }
1334 return (0);
1335 }
1336
1337 int
1338 pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
1339 char *anchorname, struct pfr_buffer *trans)
1340 {
1341 #define ERR(x) do { warn(x); goto _error; } while(0)
1342 #define ERRX(x) do { warnx(x); goto _error; } while(0)
1343
1344 struct pfr_buffer *t, buf;
1345 struct pfioc_altq pa;
1346 struct pfctl pf;
1347 struct pf_ruleset *rs;
1348 struct pfr_table trs;
1349 char *path;
1350 int osize;
1351
1352 RB_INIT(&pf_anchors);
1353 memset(&pf_main_anchor, 0, sizeof(pf_main_anchor));
1354 pf_init_ruleset(&pf_main_anchor.ruleset);
1355 pf_main_anchor.ruleset.anchor = &pf_main_anchor;
1356 if (trans == NULL) {
1357 bzero(&buf, sizeof(buf));
1358 buf.pfrb_type = PFRB_TRANS;
1359 t = &buf;
1360 osize = 0;
1361 } else {
1362 t = trans;
1363 osize = t->pfrb_size;
1364 }
1365
1366 memset(&pa, 0, sizeof(pa));
1367 memset(&pf, 0, sizeof(pf));
1368 memset(&trs, 0, sizeof(trs));
1369 if ((path = calloc(1, MAXPATHLEN)) == NULL)
1370 ERRX("pfctl_rules: calloc");
1371 if (strlcpy(trs.pfrt_anchor, anchorname,
1372 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
1373 ERRX("pfctl_rules: strlcpy");
1374 infile = filename;
1375 pf.dev = dev;
1376 pf.opts = opts;
1377 pf.optimize = optimize;
1378 pf.loadopt = loadopt;
1379
1380 /* non-brace anchor, create without resolving the path */
1381 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
1382 ERRX("pfctl_rules: calloc");
1383 rs = &pf.anchor->ruleset;
1384 pf_init_ruleset(rs);
1385 rs->anchor = pf.anchor;
1386 if (strlcpy(pf.anchor->path, anchorname,
1387 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
1388 errx(1, "pfctl_add_rule: strlcpy");
1389 if (strlcpy(pf.anchor->name, anchorname,
1390 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
1391 errx(1, "pfctl_add_rule: strlcpy");
1392
1393
1394 pf.astack[0] = pf.anchor;
1395 pf.asd = 0;
1396 if (anchorname[0])
1397 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
1398 pf.paltq = &pa;
1399 pf.trans = t;
1400 pfctl_init_options(&pf);
1401
1402 if ((opts & PF_OPT_NOACTION) == 0) {
1403 /*
1404 * XXX For the time being we need to open transactions for
1405 * the main ruleset before parsing, because tables are still
1406 * loaded at parse time.
1407 */
1408 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
1409 ERRX("pfctl_rules");
1410 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
1411 pa.ticket =
1412 pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
1413 if (pf.loadopt & PFCTL_FLAG_TABLE)
1414 pf.astack[0]->ruleset.tticket =
1415 pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
1416 }
1417
1418 if (parse_rules(fin, &pf) < 0) {
1419 if ((opts & PF_OPT_NOACTION) == 0)
1420 ERRX("Syntax error in config file: "
1421 "pf rules not loaded");
1422 else
1423 goto _error;
1424 }
1425
1426 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
1427 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
1428 (pf.loadopt & PFCTL_FLAG_NAT &&
1429 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
1430 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
1431 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
1432 (pf.loadopt & PFCTL_FLAG_FILTER &&
1433 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
1434 if ((opts & PF_OPT_NOACTION) == 0)
1435 ERRX("Unable to load rules into kernel");
1436 else
1437 goto _error;
1438 }
1439
1440 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
1441 if (check_commit_altq(dev, opts) != 0)
1442 ERRX("errors in altq config");
1443
1444 if (fin != stdin) {
1445 fclose(fin);
1446 fin = NULL;
1447 }
1448
1449 /* process "load anchor" directives */
1450 if (!anchorname[0])
1451 if (pfctl_load_anchors(dev, &pf, t) == -1)
1452 ERRX("load anchors");
1453
1454 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
1455 if (!anchorname[0])
1456 if (pfctl_load_options(&pf))
1457 goto _error;
1458 if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
1459 ERR("DIOCXCOMMIT");
1460 }
1461 return (0);
1462
1463 _error:
1464 if (trans == NULL) { /* main ruleset */
1465 if ((opts & PF_OPT_NOACTION) == 0)
1466 if (pfctl_trans(dev, t, DIOCXROLLBACK, osize))
1467 err(1, "DIOCXROLLBACK");
1468 exit(1);
1469 } else { /* sub ruleset */
1470 if (fin != NULL && fin != stdin)
1471 fclose(fin);
1472 return (-1);
1473 }
1474
1475 #undef ERR
1476 #undef ERRX
1477 }
1478
1479 FILE *
1480 pfctl_fopen(const char *name, const char *mode)
1481 {
1482 struct stat st;
1483 FILE *fp;
1484
1485 fp = fopen(name, mode);
1486 if (fp == NULL)
1487 return (NULL);
1488 if (fstat(fileno(fp), &st)) {
1489 fclose(fp);
1490 return (NULL);
1491 }
1492 if (S_ISDIR(st.st_mode)) {
1493 fclose(fp);
1494 errno = EISDIR;
1495 return (NULL);
1496 }
1497 return (fp);
1498 }
1499
1500 void
1501 pfctl_init_options(struct pfctl *pf)
1502 {
1503 int mib[2], mem;
1504 size_t size;
1505
1506 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
1507 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
1508 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
1509 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
1510 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
1511 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
1512 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
1513 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
1514 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
1515 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
1516 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
1517 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
1518 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
1519 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
1520 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
1521 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
1522 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
1523 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
1524 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
1525 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
1526
1527 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
1528 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
1529 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
1530 pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
1531 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
1532
1533 mib[0] = CTL_HW;
1534 mib[1] = HW_PHYSMEM;
1535 size = sizeof(mem);
1536 (void) sysctl(mib, 2, &mem, &size, NULL, 0);
1537 if (mem <= 100*1024*1024)
1538 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
1539
1540 pf->debug = PF_DEBUG_URGENT;
1541 }
1542
1543 int
1544 pfctl_load_options(struct pfctl *pf)
1545 {
1546 int i, error = 0;
1547
1548 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1549 return (0);
1550
1551 /* load limits */
1552 for (i = 0; i < PF_LIMIT_MAX; i++) {
1553 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
1554 continue;
1555 if (pfctl_load_limit(pf, i, pf->limit[i]))
1556 error = 1;
1557 }
1558
1559 /*
1560 * If we've set the limit, but havn't explicitly set adaptive
1561 * timeouts, do it now with a start of 60% and end of 120%.
1562 */
1563 if (pf->limit_set[PF_LIMIT_STATES] &&
1564 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
1565 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
1566 pf->timeout[PFTM_ADAPTIVE_START] =
1567 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
1568 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
1569 pf->timeout[PFTM_ADAPTIVE_END] =
1570 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
1571 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
1572 }
1573
1574 /* load timeouts */
1575 for (i = 0; i < PFTM_MAX; i++) {
1576 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
1577 continue;
1578 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
1579 error = 1;
1580 }
1581
1582 /* load debug */
1583 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
1584 if (pfctl_load_debug(pf, pf->debug))
1585 error = 1;
1586
1587 /* load logif */
1588 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
1589 if (pfctl_load_logif(pf, pf->ifname))
1590 error = 1;
1591
1592 /* load hostid */
1593 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
1594 if (pfctl_load_hostid(pf, pf->hostid))
1595 error = 1;
1596
1597 return (error);
1598 }
1599
1600 int
1601 pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
1602 {
1603 int i;
1604
1605
1606 for (i = 0; pf_limits[i].name; i++) {
1607 if (strcasecmp(opt, pf_limits[i].name) == 0) {
1608 pf->limit[pf_limits[i].index] = limit;
1609 pf->limit_set[pf_limits[i].index] = 1;
1610 break;
1611 }
1612 }
1613 if (pf_limits[i].name == NULL) {
1614 warnx("Bad pool name.");
1615 return (1);
1616 }
1617
1618 if (pf->opts & PF_OPT_VERBOSE)
1619 printf("set limit %s %d\n", opt, limit);
1620
1621 return (0);
1622 }
1623
1624 int
1625 pfctl_load_limit(struct pfctl *pf, unsigned int his_index, unsigned int limit)
1626 {
1627 struct pfioc_limit pl;
1628
1629 memset(&pl, 0, sizeof(pl));
1630 pl.index = his_index;
1631 pl.limit = limit;
1632 if (ioctl(pf->dev, DIOCSETLIMIT, &pl)) {
1633 if (errno == EBUSY)
1634 warnx("Current pool size exceeds requested hard limit");
1635 else
1636 warnx("DIOCSETLIMIT");
1637 return (1);
1638 }
1639 return (0);
1640 }
1641
1642 int
1643 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
1644 {
1645 int i;
1646
1647 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1648 return (0);
1649
1650 for (i = 0; pf_timeouts[i].name; i++) {
1651 if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
1652 pf->timeout[pf_timeouts[i].timeout] = seconds;
1653 pf->timeout_set[pf_timeouts[i].timeout] = 1;
1654 break;
1655 }
1656 }
1657
1658 if (pf_timeouts[i].name == NULL) {
1659 warnx("Bad timeout name.");
1660 return (1);
1661 }
1662
1663
1664 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
1665 printf("set timeout %s %d\n", opt, seconds);
1666
1667 return (0);
1668 }
1669
1670 int
1671 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
1672 {
1673 struct pfioc_tm pt;
1674
1675 memset(&pt, 0, sizeof(pt));
1676 pt.timeout = timeout;
1677 pt.seconds = seconds;
1678 if (ioctl(pf->dev, DIOCSETTIMEOUT, &pt)) {
1679 warnx("DIOCSETTIMEOUT");
1680 return (1);
1681 }
1682 return (0);
1683 }
1684
1685 int
1686 pfctl_set_optimization(struct pfctl *pf, const char *opt)
1687 {
1688 const struct pf_hint *hint;
1689 int i, r;
1690
1691 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1692 return (0);
1693
1694 for (i = 0; pf_hints[i].name; i++)
1695 if (strcasecmp(opt, pf_hints[i].name) == 0)
1696 break;
1697
1698 hint = pf_hints[i].hint;
1699 if (hint == NULL) {
1700 warnx("invalid state timeouts optimization");
1701 return (1);
1702 }
1703
1704 for (i = 0; hint[i].name; i++)
1705 if ((r = pfctl_set_timeout(pf, hint[i].name,
1706 hint[i].timeout, 1)))
1707 return (r);
1708
1709 if (pf->opts & PF_OPT_VERBOSE)
1710 printf("set optimization %s\n", opt);
1711
1712 return (0);
1713 }
1714
1715 int
1716 pfctl_set_logif(struct pfctl *pf, char *ifname)
1717 {
1718
1719 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1720 return (0);
1721
1722 if (!strcmp(ifname, "none")) {
1723 free(pf->ifname);
1724 pf->ifname = NULL;
1725 } else {
1726 pf->ifname = strdup(ifname);
1727 if (!pf->ifname)
1728 errx(1, "pfctl_set_logif: strdup");
1729 }
1730 pf->ifname_set = 1;
1731
1732 if (pf->opts & PF_OPT_VERBOSE)
1733 printf("set loginterface %s\n", ifname);
1734
1735 return (0);
1736 }
1737
1738 int
1739 pfctl_load_logif(struct pfctl *pf, char *ifname)
1740 {
1741 struct pfioc_if pi;
1742
1743 memset(&pi, 0, sizeof(pi));
1744 if (ifname && strlcpy(pi.ifname, ifname,
1745 sizeof(pi.ifname)) >= sizeof(pi.ifname)) {
1746 warnx("pfctl_load_logif: strlcpy");
1747 return (1);
1748 }
1749 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
1750 warnx("DIOCSETSTATUSIF");
1751 return (1);
1752 }
1753 return (0);
1754 }
1755
1756 int
1757 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
1758 {
1759 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1760 return (0);
1761
1762 hostid = htonl(hostid);
1763
1764 pf->hostid = hostid;
1765 pf->hostid_set = 1;
1766
1767 if (pf->opts & PF_OPT_VERBOSE)
1768 printf("set hostid 0x%08x\n", ntohl(hostid));
1769
1770 return (0);
1771 }
1772
1773 int
1774 pfctl_load_hostid(struct pfctl *pf __unused, u_int32_t hostid)
1775 {
1776 if (ioctl(dev_fd, DIOCSETHOSTID, &hostid)) {
1777 warnx("DIOCSETHOSTID");
1778 return (1);
1779 }
1780 return (0);
1781 }
1782
1783 int
1784 pfctl_set_debug(struct pfctl *pf, char *d)
1785 {
1786 u_int32_t level;
1787
1788 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1789 return (0);
1790
1791 if (!strcmp(d, "none"))
1792 pf->debug = PF_DEBUG_NONE;
1793 else if (!strcmp(d, "urgent"))
1794 pf->debug = PF_DEBUG_URGENT;
1795 else if (!strcmp(d, "misc"))
1796 pf->debug = PF_DEBUG_MISC;
1797 else if (!strcmp(d, "loud"))
1798 pf->debug = PF_DEBUG_NOISY;
1799 else {
1800 warnx("unknown debug level \"%s\"", d);
1801 return (-1);
1802 }
1803
1804 pf->debug_set = 1;
1805
1806 if ((pf->opts & PF_OPT_NOACTION) == 0)
1807 if (ioctl(dev_fd, DIOCSETDEBUG, &level))
1808 err(1, "DIOCSETDEBUG");
1809
1810 if (pf->opts & PF_OPT_VERBOSE)
1811 printf("set debug %s\n", d);
1812
1813 return (0);
1814 }
1815
1816 int
1817 pfctl_load_debug(struct pfctl *pf, unsigned int level)
1818 {
1819 if (ioctl(pf->dev, DIOCSETDEBUG, &level)) {
1820 warnx("DIOCSETDEBUG");
1821 return (1);
1822 }
1823 return (0);
1824 }
1825
1826 int
1827 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
1828 {
1829 struct pfioc_iface pi;
1830
1831 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1832 return (0);
1833
1834 bzero(&pi, sizeof(pi));
1835
1836 pi.pfiio_flags = flags;
1837
1838 if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
1839 sizeof(pi.pfiio_name))
1840 errx(1, "pfctl_set_interface_flags: strlcpy");
1841
1842 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1843 if (how == 0) {
1844 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
1845 err(1, "DIOCCLRIFFLAG");
1846 } else {
1847 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))
1848 err(1, "DIOCSETIFFLAG");
1849 }
1850 }
1851 return (0);
1852 }
1853
1854 void
1855 pfctl_debug(int dev, u_int32_t level, int opts)
1856 {
1857 if (ioctl(dev, DIOCSETDEBUG, &level))
1858 err(1, "DIOCSETDEBUG");
1859 if ((opts & PF_OPT_QUIET) == 0) {
1860 fprintf(stderr, "debug level set to '");
1861 switch (level) {
1862 case PF_DEBUG_NONE:
1863 fprintf(stderr, "none");
1864 break;
1865 case PF_DEBUG_URGENT:
1866 fprintf(stderr, "urgent");
1867 break;
1868 case PF_DEBUG_MISC:
1869 fprintf(stderr, "misc");
1870 break;
1871 case PF_DEBUG_NOISY:
1872 fprintf(stderr, "loud");
1873 break;
1874 default:
1875 fprintf(stderr, "<invalid>");
1876 break;
1877 }
1878 fprintf(stderr, "'\n");
1879 }
1880 }
1881
1882 int
1883 pfctl_test_altqsupport(int dev, int opts)
1884 {
1885 struct pfioc_altq pa;
1886
1887 if (ioctl(dev, DIOCGETALTQS, &pa)) {
1888 if (errno == ENODEV) {
1889 if (!(opts & PF_OPT_QUIET))
1890 fprintf(stderr, "No ALTQ support in kernel\n"
1891 "ALTQ related functions disabled\n");
1892 return (0);
1893 } else
1894 err(1, "DIOCGETALTQS");
1895 }
1896 return (1);
1897 }
1898
1899 int
1900 pfctl_show_anchors(int dev, int opts, char *anchorname)
1901 {
1902 struct pfioc_ruleset pr;
1903 u_int32_t mnr, nr;
1904
1905 memset(&pr, 0, sizeof(pr));
1906 memcpy(pr.path, anchorname, sizeof(pr.path));
1907 if (ioctl(dev, DIOCGETRULESETS, &pr)) {
1908 if (errno == EINVAL)
1909 fprintf(stderr, "Anchor '%s' not found.\n",
1910 anchorname);
1911 else
1912 err(1, "DIOCGETRULESETS");
1913 return (-1);
1914 }
1915 mnr = pr.nr;
1916 for (nr = 0; nr < mnr; ++nr) {
1917 char sub[MAXPATHLEN];
1918
1919 pr.nr = nr;
1920 if (ioctl(dev, DIOCGETRULESET, &pr))
1921 err(1, "DIOCGETRULESET");
1922 if (!strcmp(pr.name, PF_RESERVED_ANCHOR))
1923 continue;
1924 sub[0] = 0;
1925 if (pr.path[0]) {
1926 strlcat(sub, pr.path, sizeof(sub));
1927 strlcat(sub, "/", sizeof(sub));
1928 }
1929 strlcat(sub, pr.name, sizeof(sub));
1930 if (sub[0] != '_' || (opts & PF_OPT_VERBOSE))
1931 printf(" %s\n", sub);
1932 if ((opts & PF_OPT_VERBOSE) && pfctl_show_anchors(dev, opts, sub))
1933 return (-1);
1934 }
1935 return (0);
1936 }
1937
1938 const char *
1939 pfctl_lookup_option(char *cmd, const char **list)
1940 {
1941 if (cmd != NULL && *cmd)
1942 for (; *list; list++)
1943 if (!strncmp(cmd, *list, strlen(cmd)))
1944 return (*list);
1945 return (NULL);
1946 }
1947
1948 int
1949 main(int argc, char *argv[])
1950 {
1951 int error = 0;
1952 int ch;
1953 int mode = O_RDONLY;
1954 int opts = 0;
1955 int optimize = PF_OPTIMIZE_BASIC;
1956 char anchorname[MAXPATHLEN];
1957 char *path;
1958 FILE *fin = NULL;
1959
1960 if (argc < 2)
1961 usage();
1962
1963 while ((ch = getopt(argc, argv,
1964 "a:AdD:eqf:F:ghi:k:K:mnNOo:p:rRs:t:T:vx:z")) != -1) {
1965 switch (ch) {
1966 case 'a':
1967 anchoropt = optarg;
1968 break;
1969 case 'd':
1970 opts |= PF_OPT_DISABLE;
1971 mode = O_RDWR;
1972 break;
1973 case 'D':
1974 if (pfctl_cmdline_symset(optarg) < 0)
1975 warnx("could not parse macro definition %s",
1976 optarg);
1977 break;
1978 case 'e':
1979 opts |= PF_OPT_ENABLE;
1980 mode = O_RDWR;
1981 break;
1982 case 'q':
1983 opts |= PF_OPT_QUIET;
1984 break;
1985 case 'F':
1986 clearopt = pfctl_lookup_option(optarg, clearopt_list);
1987 if (clearopt == NULL) {
1988 warnx("Unknown flush modifier '%s'", optarg);
1989 usage();
1990 }
1991 mode = O_RDWR;
1992 break;
1993 case 'i':
1994 ifaceopt = optarg;
1995 break;
1996 case 'k':
1997 if (state_killers >= 2) {
1998 warnx("can only specify -k twice");
1999 usage();
2000 /* NOTREACHED */
2001 }
2002 state_kill[state_killers++] = optarg;
2003 mode = O_RDWR;
2004 break;
2005 case 'K':
2006 if (src_node_killers >= 2) {
2007 warnx("can only specify -K twice");
2008 usage();
2009 /* NOTREACHED */
2010 }
2011 src_node_kill[src_node_killers++] = optarg;
2012 mode = O_RDWR;
2013 break;
2014 case 'm':
2015 opts |= PF_OPT_MERGE;
2016 break;
2017 case 'n':
2018 opts |= PF_OPT_NOACTION;
2019 break;
2020 case 'N':
2021 loadopt |= PFCTL_FLAG_NAT;
2022 break;
2023 case 'r':
2024 opts |= PF_OPT_USEDNS;
2025 break;
2026 case 'f':
2027 rulesopt = optarg;
2028 mode = O_RDWR;
2029 break;
2030 case 'g':
2031 opts |= PF_OPT_DEBUG;
2032 break;
2033 case 'A':
2034 loadopt |= PFCTL_FLAG_ALTQ;
2035 break;
2036 case 'R':
2037 loadopt |= PFCTL_FLAG_FILTER;
2038 break;
2039 case 'o':
2040 optiopt = pfctl_lookup_option(optarg, optiopt_list);
2041 if (optiopt == NULL) {
2042 warnx("Unknown optimization '%s'", optarg);
2043 usage();
2044 }
2045 opts |= PF_OPT_OPTIMIZE;
2046 break;
2047 case 'O':
2048 loadopt |= PFCTL_FLAG_OPTION;
2049 break;
2050 case 'p':
2051 pf_device = optarg;
2052 break;
2053 case 's':
2054 showopt = pfctl_lookup_option(optarg, showopt_list);
2055 if (showopt == NULL) {
2056 warnx("Unknown show modifier '%s'", optarg);
2057 usage();
2058 }
2059 break;
2060 case 't':
2061 tableopt = optarg;
2062 break;
2063 case 'T':
2064 tblcmdopt = pfctl_lookup_option(optarg, tblcmdopt_list);
2065 if (tblcmdopt == NULL) {
2066 warnx("Unknown table command '%s'", optarg);
2067 usage();
2068 }
2069 break;
2070 case 'v':
2071 if (opts & PF_OPT_VERBOSE)
2072 opts |= PF_OPT_VERBOSE2;
2073 opts |= PF_OPT_VERBOSE;
2074 break;
2075 case 'x':
2076 debugopt = pfctl_lookup_option(optarg, debugopt_list);
2077 if (debugopt == NULL) {
2078 warnx("Unknown debug level '%s'", optarg);
2079 usage();
2080 }
2081 mode = O_RDWR;
2082 break;
2083 case 'z':
2084 opts |= PF_OPT_CLRRULECTRS;
2085 mode = O_RDWR;
2086 break;
2087 case 'h':
2088 /* FALLTHROUGH */
2089 default:
2090 usage();
2091 /* NOTREACHED */
2092 }
2093 }
2094
2095 if (tblcmdopt != NULL) {
2096 argc -= optind;
2097 argv += optind;
2098 ch = *tblcmdopt;
2099 if (ch == 'l') {
2100 loadopt |= PFCTL_FLAG_TABLE;
2101 tblcmdopt = NULL;
2102 } else
2103 mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
2104 } else if (argc != optind) {
2105 warnx("unknown command line argument: %s ...", argv[optind]);
2106 usage();
2107 /* NOTREACHED */
2108 }
2109 if (loadopt == 0)
2110 loadopt = ~0;
2111
2112 if ((path = calloc(1, MAXPATHLEN)) == NULL)
2113 errx(1, "pfctl: calloc");
2114 memset(anchorname, 0, sizeof(anchorname));
2115 if (anchoropt != NULL) {
2116 int len = strlen(anchoropt);
2117
2118 if (anchoropt[len - 1] == '*') {
2119 if (len >= 2 && anchoropt[len - 2] == '/')
2120 anchoropt[len - 2] = '\0';
2121 else
2122 anchoropt[len - 1] = '\0';
2123 opts |= PF_OPT_RECURSE;
2124 }
2125 if (strlcpy(anchorname, anchoropt,
2126 sizeof(anchorname)) >= sizeof(anchorname))
2127 errx(1, "anchor name '%s' too long",
2128 anchoropt);
2129 loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_NAT|PFCTL_FLAG_TABLE;
2130 }
2131
2132 if ((opts & PF_OPT_NOACTION) == 0) {
2133 dev_fd = open(pf_device, mode);
2134 if (dev_fd == -1)
2135 err(1, "%s", pf_device);
2136 altqsupport = pfctl_test_altqsupport(dev_fd, opts);
2137 } else {
2138 dev_fd = open(pf_device, O_RDONLY);
2139 if (dev_fd >= 0)
2140 opts |= PF_OPT_DUMMYACTION;
2141 /* turn off options */
2142 opts &= ~ (PF_OPT_DISABLE | PF_OPT_ENABLE);
2143 clearopt = showopt = debugopt = NULL;
2144 altqsupport = 1;
2145 }
2146
2147 if (opts & PF_OPT_DISABLE)
2148 if (pfctl_disable(dev_fd, opts))
2149 error = 1;
2150
2151 if (showopt != NULL) {
2152 switch (*showopt) {
2153 case 'A':
2154 pfctl_show_anchors(dev_fd, opts, anchorname);
2155 break;
2156 case 'r':
2157 pfctl_load_fingerprints(dev_fd, opts);
2158 pfctl_show_rules(dev_fd, path, opts, PFCTL_SHOW_RULES,
2159 anchorname, 0);
2160 break;
2161 case 'l':
2162 pfctl_load_fingerprints(dev_fd, opts);
2163 pfctl_show_rules(dev_fd, path, opts, PFCTL_SHOW_LABELS,
2164 anchorname, 0);
2165 break;
2166 case 'n':
2167 pfctl_load_fingerprints(dev_fd, opts);
2168 pfctl_show_nat(dev_fd, opts, anchorname);
2169 break;
2170 case 'q':
2171 pfctl_show_altq(dev_fd, ifaceopt, opts,
2172 opts & PF_OPT_VERBOSE2);
2173 break;
2174 case 's':
2175 pfctl_show_states(dev_fd, ifaceopt, opts);
2176 break;
2177 case 'S':
2178 pfctl_show_src_nodes(dev_fd, opts);
2179 break;
2180 case 'i':
2181 pfctl_show_status(dev_fd, opts);
2182 break;
2183 case 't':
2184 pfctl_show_timeouts(dev_fd, opts);
2185 break;
2186 case 'm':
2187 pfctl_show_limits(dev_fd, opts);
2188 break;
2189 case 'a':
2190 opts |= PF_OPT_SHOWALL;
2191 pfctl_load_fingerprints(dev_fd, opts);
2192
2193 pfctl_show_nat(dev_fd, opts, anchorname);
2194 pfctl_show_rules(dev_fd, path, opts, 0, anchorname, 0);
2195 pfctl_show_altq(dev_fd, ifaceopt, opts, 0);
2196 pfctl_show_states(dev_fd, ifaceopt, opts);
2197 pfctl_show_src_nodes(dev_fd, opts);
2198 pfctl_show_status(dev_fd, opts);
2199 pfctl_show_rules(dev_fd, path, opts, 1, anchorname, 0);
2200 pfctl_show_timeouts(dev_fd, opts);
2201 pfctl_show_limits(dev_fd, opts);
2202 pfctl_show_tables(anchorname, opts);
2203 pfctl_show_fingerprints(opts);
2204 break;
2205 case 'T':
2206 pfctl_show_tables(anchorname, opts);
2207 break;
2208 case 'o':
2209 pfctl_load_fingerprints(dev_fd, opts);
2210 pfctl_show_fingerprints(opts);
2211 break;
2212 case 'I':
2213 pfctl_show_ifaces(ifaceopt, opts);
2214 break;
2215 }
2216 }
2217
2218 if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL)
2219 pfctl_show_rules(dev_fd, path, opts, PFCTL_SHOW_NOTHING,
2220 anchorname, 0);
2221
2222 if (clearopt != NULL) {
2223 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2224 errx(1, "anchor names beginning with '_' cannot "
2225 "be modified from the command line");
2226
2227 switch (*clearopt) {
2228 case 'r':
2229 pfctl_clear_rules(dev_fd, opts, anchorname);
2230 break;
2231 case 'n':
2232 pfctl_clear_nat(dev_fd, opts, anchorname);
2233 break;
2234 case 'q':
2235 pfctl_clear_altq(dev_fd, opts);
2236 break;
2237 case 's':
2238 pfctl_clear_states(dev_fd, ifaceopt, opts);
2239 break;
2240 case 'S':
2241 pfctl_clear_src_nodes(dev_fd, opts);
2242 break;
2243 case 'i':
2244 pfctl_clear_stats(dev_fd, opts);
2245 break;
2246 case 'a':
2247 pfctl_clear_rules(dev_fd, opts, anchorname);
2248 pfctl_clear_nat(dev_fd, opts, anchorname);
2249 pfctl_clear_tables(anchorname, opts);
2250 if (!*anchorname) {
2251 pfctl_clear_altq(dev_fd, opts);
2252 pfctl_clear_states(dev_fd, ifaceopt, opts);
2253 pfctl_clear_src_nodes(dev_fd, opts);
2254 pfctl_clear_stats(dev_fd, opts);
2255 pfctl_clear_fingerprints(dev_fd, opts);
2256 pfctl_clear_interface_flags(dev_fd, opts);
2257 }
2258 break;
2259 case 'o':
2260 pfctl_clear_fingerprints(dev_fd, opts);
2261 break;
2262 case 'T':
2263 pfctl_clear_tables(anchorname, opts);
2264 break;
2265 }
2266 }
2267 if (state_killers)
2268 pfctl_kill_states(dev_fd, ifaceopt, opts);
2269
2270 if (src_node_killers)
2271 pfctl_kill_src_nodes(dev_fd, ifaceopt, opts);
2272
2273 if (tblcmdopt != NULL) {
2274 error = pfctl_command_tables(argc, argv, tableopt,
2275 tblcmdopt, rulesopt, anchorname, opts);
2276 rulesopt = NULL;
2277 }
2278 if (optiopt != NULL) {
2279 switch (*optiopt) {
2280 case 'n':
2281 optimize = 0;
2282 break;
2283 case 'b':
2284 optimize |= PF_OPTIMIZE_BASIC;
2285 break;
2286 case 'o':
2287 case 'p':
2288 optimize |= PF_OPTIMIZE_PROFILE;
2289 break;
2290 }
2291 }
2292
2293 if (rulesopt != NULL) {
2294 if (strcmp(rulesopt, "-") == 0) {
2295 fin = stdin;
2296 rulesopt = __DECONST(char *, "stdin");
2297 } else {
2298 if ((fin = pfctl_fopen(rulesopt, "r")) == NULL)
2299 err(1, "%s", rulesopt);
2300 }
2301 }
2302 if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
2303 !anchorname[0])
2304 if (pfctl_clear_interface_flags(dev_fd, opts | PF_OPT_QUIET))
2305 error = 1;
2306
2307 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
2308 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION))
2309 if (pfctl_file_fingerprints(dev_fd, opts, PF_OSFP_FILE))
2310 error = 1;
2311
2312 if (rulesopt != NULL) {
2313 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2314 errx(1, "anchor names beginning with '_' cannot "
2315 "be modified from the command line");
2316 if (pfctl_rules(dev_fd, rulesopt, fin, opts, optimize,
2317 anchorname, NULL))
2318 error = 1;
2319 else if (!(opts & PF_OPT_NOACTION) &&
2320 (loadopt & PFCTL_FLAG_TABLE))
2321 warn_namespace_collision(NULL);
2322 }
2323
2324 if (opts & PF_OPT_ENABLE)
2325 if (pfctl_enable(dev_fd, opts))
2326 error = 1;
2327
2328 if (debugopt != NULL) {
2329 switch (*debugopt) {
2330 case 'n':
2331 pfctl_debug(dev_fd, PF_DEBUG_NONE, opts);
2332 break;
2333 case 'u':
2334 pfctl_debug(dev_fd, PF_DEBUG_URGENT, opts);
2335 break;
2336 case 'm':
2337 pfctl_debug(dev_fd, PF_DEBUG_MISC, opts);
2338 break;
2339 case 'l':
2340 pfctl_debug(dev_fd, PF_DEBUG_NOISY, opts);
2341 break;
2342 }
2343 }
2344
2345 exit(error);
2346 }
DragonFly BSD