diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2022-03-04 16:12:01 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-03-15 03:23:28 +0000 |
| commit | 7539ebfeb37f45f5c3655643bf6bf9f20ddd2660 (patch) | |
| tree | 075eaec1ecca2d7cf87c0c1aea27f382d63636e5 | |
| parent | a445feae98f27325c6845ccebb35f062fce1889d (diff) | |
| download | src-7539ebfeb37f45f5c3655643bf6bf9f20ddd2660.tar.gz src-7539ebfeb37f45f5c3655643bf6bf9f20ddd2660.zip | |
libpfct: factor out pfctl_get_rules_info()
Introduce pfctl_get_rules_info(), similar to pfctl_get_eth_rules_info()
to retrieve rules information (ticket and total number of rules).
Use the new function in pfctl.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34443
(cherry picked from commit 8c1400b0a1083c9e2bf8f3418eb3e3cfba1a8444)
| -rw-r--r-- | lib/libpfctl/libpfctl.c | 22 | ||||
| -rw-r--r-- | lib/libpfctl/libpfctl.h | 7 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl.c | 93 |
3 files changed, 72 insertions, 50 deletions
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 4c110131dcbe..3a06600f396c 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -662,6 +662,28 @@ pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor, } int +pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, uint32_t ruleset, + const char *path) +{ + struct pfioc_rule pr; + int ret; + + bzero(&pr, sizeof(pr)); + if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor)) + return (E2BIG); + + pr.rule.action = ruleset; + ret = ioctl(dev, DIOCGETRULES, &pr); + if (ret != 0) + return (ret); + + rules->nr = pr.nr; + rules->ticket = pr.ticket; + + return (0); +} + +int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call) { diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index 3b4e61be0165..726ec89cd3d6 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -76,6 +76,11 @@ struct pfctl_pool { uint8_t opts; }; +struct pfctl_rules_info { + uint32_t nr; + uint32_t ticket; +}; + struct pfctl_rule { struct pf_rule_addr src; struct pf_rule_addr dst; @@ -288,6 +293,8 @@ struct pfctl_syncookies { struct pfctl_status* pfctl_get_status(int dev); void pfctl_free_status(struct pfctl_status *status); +int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, + uint32_t ruleset, const char *path); int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, char *anchor_call); diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 7dfcd7cc494a..676d3eb1ce8d 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1029,13 +1029,15 @@ int pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, char *anchorname, int depth) { - struct pfioc_rule pr; + struct pfctl_rules_info ri; struct pfctl_rule rule; - u_int32_t nr, mnr, header = 0; + char anchor_call[MAXPATHLEN]; + u_int32_t nr, header = 0; int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG); int numeric = opts & PF_OPT_NUMERIC; int len = strlen(path); int brace; + int ret; char *p; if (path[0]) @@ -1043,39 +1045,35 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, else snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); - memset(&pr, 0, sizeof(pr)); - memcpy(pr.anchor, path, sizeof(pr.anchor)); if (opts & PF_OPT_SHOWALL) { - pr.rule.action = PF_PASS; - if (ioctl(dev, DIOCGETRULES, &pr)) { + ret = pfctl_get_rules_info(dev, &ri, PF_PASS, anchorname); + if (ret != 0) { warn("DIOCGETRULES"); goto error; } header++; } - pr.rule.action = PF_SCRUB; - if (ioctl(dev, DIOCGETRULES, &pr)) { + ret = pfctl_get_rules_info(dev, &ri, PF_SCRUB, anchorname); + if (ret != 0) { warn("DIOCGETRULES"); goto error; } if (opts & PF_OPT_SHOWALL) { - if (format == PFCTL_SHOW_RULES && (pr.nr > 0 || header)) + if (format == PFCTL_SHOW_RULES && (ri.nr > 0 || header)) pfctl_print_title("FILTER RULES:"); else if (format == PFCTL_SHOW_LABELS && labels) pfctl_print_title("LABEL COUNTERS:"); } - mnr = pr.nr; - for (nr = 0; nr < mnr; ++nr) { - pr.nr = nr; - if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_SCRUB, - &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) { + for (nr = 0; nr < ri.nr; ++nr) { + if (pfctl_get_clear_rule(dev, nr, ri.ticket, path, PF_SCRUB, + &rule, anchor_call, opts & PF_OPT_CLRRULECTRS)) { warn("DIOCGETRULENV"); goto error; } if (pfctl_get_pool(dev, &rule.rpool, - nr, pr.ticket, PF_SCRUB, path) != 0) + nr, ri.ticket, PF_SCRUB, path) != 0) goto error; switch (format) { @@ -1084,7 +1082,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, case PFCTL_SHOW_RULES: if (rule.label[0] && (opts & PF_OPT_SHOWALL)) labels = 1; - print_rule(&rule, pr.anchor_call, rule_numbers, numeric); + print_rule(&rule, anchor_call, rule_numbers, numeric); printf("\n"); pfctl_print_rule_counters(&rule, opts); break; @@ -1093,22 +1091,20 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, } pfctl_clear_pool(&rule.rpool); } - pr.rule.action = PF_PASS; - if (ioctl(dev, DIOCGETRULES, &pr)) { + ret = pfctl_get_rules_info(dev, &ri, PF_PASS, anchorname); + if (ret != 0) { warn("DIOCGETRULES"); goto error; } - mnr = pr.nr; - for (nr = 0; nr < mnr; ++nr) { - pr.nr = nr; - if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_PASS, - &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) { + for (nr = 0; nr < ri.nr; ++nr) { + if (pfctl_get_clear_rule(dev, nr, ri.ticket, path, PF_PASS, + &rule, anchor_call, opts & PF_OPT_CLRRULECTRS)) { warn("DIOCGETRULE"); goto error; } if (pfctl_get_pool(dev, &rule.rpool, - nr, pr.ticket, PF_PASS, path) != 0) + nr, ri.ticket, PF_PASS, path) != 0) goto error; switch (format) { @@ -1142,18 +1138,18 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, if (rule.label[0] && (opts & PF_OPT_SHOWALL)) labels = 1; INDENT(depth, !(opts & PF_OPT_VERBOSE)); - if (pr.anchor_call[0] && - ((((p = strrchr(pr.anchor_call, '_')) != NULL) && - ((void *)p == (void *)pr.anchor_call || + if (anchor_call[0] && + ((((p = strrchr(anchor_call, '_')) != NULL) && + ((void *)p == (void *)anchor_call || *(--p) == '/')) || (opts & PF_OPT_RECURSE))) { brace++; - if ((p = strrchr(pr.anchor_call, '/')) != + if ((p = strrchr(anchor_call, '/')) != NULL) p++; else - p = &pr.anchor_call[0]; + p = &anchor_call[0]; } else - p = &pr.anchor_call[0]; + p = &anchor_call[0]; print_rule(&rule, p, rule_numbers, numeric); if (brace) @@ -1184,55 +1180,52 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, int pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth) { - struct pfioc_rule pr; + struct pfctl_rules_info ri; struct pfctl_rule rule; - u_int32_t mnr, nr; + char anchor_call[MAXPATHLEN]; + u_int32_t nr; static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT }; int i, dotitle = opts & PF_OPT_SHOWALL; - int brace; + int brace, ret; char *p; for (i = 0; i < 3; i++) { - memset(&pr, 0, sizeof(pr)); - memcpy(pr.anchor, anchorname, sizeof(pr.anchor)); - pr.rule.action = nattype[i]; - if (ioctl(dev, DIOCGETRULES, &pr)) { + ret = pfctl_get_rules_info(dev, &ri, nattype[i], anchorname); + if (ret != 0) { warn("DIOCGETRULES"); return (-1); } - mnr = pr.nr; - for (nr = 0; nr < mnr; ++nr) { + for (nr = 0; nr < ri.nr; ++nr) { brace = 0; INDENT(depth, !(opts & PF_OPT_VERBOSE)); - pr.nr = nr; - if (pfctl_get_rule(dev, nr, pr.ticket, anchorname, - nattype[i], &rule, pr.anchor_call)) { + if (pfctl_get_rule(dev, nr, ri.ticket, anchorname, + nattype[i], &rule, anchor_call)) { warn("DIOCGETRULE"); return (-1); } if (pfctl_get_pool(dev, &rule.rpool, nr, - pr.ticket, nattype[i], anchorname) != 0) + ri.ticket, nattype[i], anchorname) != 0) return (-1); - if (pr.anchor_call[0] && - ((((p = strrchr(pr.anchor_call, '_')) != NULL) && - (p == pr.anchor_call || + if (anchor_call[0] && + ((((p = strrchr(anchor_call, '_')) != NULL) && + (p == anchor_call || *(--p) == '/')) || (opts & PF_OPT_RECURSE))) { brace++; - if ((p = strrchr(pr.anchor_call, '/')) != + if ((p = strrchr(anchor_call, '/')) != NULL) p++; else - p = &pr.anchor_call[0]; + p = &anchor_call[0]; } else - p = &pr.anchor_call[0]; + p = &anchor_call[0]; if (dotitle) { pfctl_print_title("TRANSLATION RULES:"); dotitle = 0; } - print_rule(&rule, pr.anchor_call, + print_rule(&rule, anchor_call, opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC); if (brace) printf(" {\n"); |