authorKristof Provost <kp@FreeBSD.org>2022-03-04 14:50:43 +0000
committerKristof Provost <kp@FreeBSD.org>2022-03-15 03:23:28 +0000
commita445feae98f27325c6845ccebb35f062fce1889d (patch)
tree9aabffb1e5f73aa987acce23d268e5ab5f8b41c9
parentf1a4505ee00b570fb7f5901adfcac490fcf74f7b (diff)
libpfctl: support flushing rules/nat/eth
Move the code to flush regular rules, nat rules and Ethernet rules into libpfctl for easier re-use.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34442

(cherry picked from commit f0c334e4deca08b56b4226539c844a7018e9182d)
-rw-r--r--lib/libpfctl/libpfctl.c65
-rw-r--r--lib/libpfctl/libpfctl.h2
-rw-r--r--sbin/pfctl/pfctl.c37
3 files changed, 81 insertions, 23 deletions
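--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -946,6 +946,71 @@ pfctl_kill_states(int dev, const struct pfctl_kill *kill, unsigned int *killed)
 return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV));
 }
+int
+pfctl_clear_rules(int dev, const char *anchorname)
+{
+ struct pfioc_trans trans;
+ struct pfioc_trans_e transe[2];
+ int ret;
+
+ bzero(&trans, sizeof(trans));
+ bzero(&transe, sizeof(transe));
+
+ transe[0].rs_num = PF_RULESET_SCRUB;
+ if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
+ >= sizeof(transe[0].anchor))
+ return (E2BIG);
+
+ transe[1].rs_num = PF_RULESET_FILTER;
+ if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
+ >= sizeof(transe[1].anchor))
+ return (E2BIG);
+
+ trans.size = 2;
+ trans.esize = sizeof(transe[0]);
+ trans.array = transe;
+
+ ret = ioctl(dev, DIOCXBEGIN, &trans);
+ if (ret != 0)
+ return (ret);
+ return ioctl(dev, DIOCXCOMMIT, &trans);
+}
+
+int
+pfctl_clear_nat(int dev, const char *anchorname)
+{
+ struct pfioc_trans trans;
+ struct pfioc_trans_e transe[3];
+ int ret;
+
+ bzero(&trans, sizeof(trans));
+ bzero(&transe, sizeof(transe));
+
+ transe[0].rs_num = PF_RULESET_NAT;
+ if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
+ >= sizeof(transe[0].anchor))
+ return (E2BIG);
+
+ transe[1].rs_num = PF_RULESET_BINAT;
+ if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
+ >= sizeof(transe[0].anchor))
+ return (E2BIG);
+
+ transe[2].rs_num = PF_RULESET_RDR;
+ if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor))
+ >= sizeof(transe[2].anchor))
+ return (E2BIG);
+
+ trans.size = 3;
+ trans.esize = sizeof(transe[0]);
+ trans.array = transe;
+
+ ret = ioctl(dev, DIOCXBEGIN, &trans);
+ if (ret != 0)
+ return (ret);
+ return ioctl(dev, DIOCXCOMMIT, &trans);
+}
+
 static int
 pfctl_get_limit(int dev, const int index, uint *limit)
 {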
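Review bot: pfctl_clear_rules and pfctl_clear_nat mix two error conventions: the strlcpy truncation checks return the errno value E2BIG, while a failed DIOCXBEGIN or DIOCXCOMMIT returns ioctl()'s -1 with the cause left only in errno, so a caller cannot report a non-zero result uniformly (an err()-style caller prints a stale errno after E2BIG, an errc()-style caller prints nonsense for -1). Returning errno on the ioctl path makes every non-zero return an errno value; <errno.h> is already in scope because E2BIG is used, and `ret` then becomes unused and can be dropped. The same tail rewrite applies to pfctl_clear_nat. Separately, the BINAT truncation check in pfctl_clear_nat compares against `sizeof(transe[0].anchor)` while its neighbours compare against their own element; all elements share a type so it is harmless today, but `>= sizeof(transe[1].anchor)` keeps the three checks consistent and survives a future change of the array's element type.
```c
	/* … unchanged: bzero() and transaction element setup … */
	if (ioctl(dev, DIOCXBEGIN, &trans) != 0)
		return (errno);
	if (ioctl(dev, DIOCXCOMMIT, &trans) != 0)
		return (errno);
	return (0);
```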
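--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -304,6 +304,8 @@ int pfctl_clear_states(int dev, const struct pfctl_kill *kill,
 unsigned int *killed);
 int pfctl_kill_states(int dev, const struct pfctl_kill *kill,
 unsigned int *killed);
+int pfctl_clear_rules(int dev, const char *anchorname);
+int pfctl_clear_nat(int dev, const char *anchorname);
 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);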
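--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -75,8 +75,8 @@ int pfctl_get_skip_ifaces(void);
 int pfctl_check_skip_ifaces(char *);
 int pfctl_adjust_skip_ifaces(struct pfctl *);
 int pfctl_clear_interface_flags(int, int);
-int pfctl_clear_rules(int, int, char *);
-int pfctl_clear_nat(int, int, char *);
+int pfctl_flush_rules(int, int, char *);
+int pfctl_flush_nat(int, int, char *);
 int pfctl_clear_altq(int, int);
 int pfctl_clear_src_nodes(int, int);
 int pfctl_clear_iface_states(int, const char *, int);
@@ -449,16 +449,12 @@ pfctl_clear_interface_flags(int dev, int opts)
 }
 int
-pfctl_clear_rules(int dev, int opts, char *anchorname)
+pfctl_flush_rules(int dev, int opts, char *anchorname)
 {
- struct pfr_buffer t;
+ int ret;
- memset(&t, 0, sizeof(t));
- t.pfrb_type = PFRB_TRANS;
- if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
- pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
- pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
- pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+ ret = pfctl_clear_rules(dev, anchorname);
+ if (ret != 0)
 err(1, "pfctl_clear_rules");
 if ((opts & PF_OPT_QUIET) == 0)
 fprintf(stderr, "rules cleared\n");
@@ -466,17 +462,12 @@ pfctl_clear_rules(int dev, int opts, char *anchorname)
 }
 int
-pfctl_clear_nat(int dev, int opts, char *anchorname)
+pfctl_flush_nat(int dev, int opts, char *anchorname)
 {
- struct pfr_buffer t;
+ int ret;
- memset(&t, 0, sizeof(t));
- t.pfrb_type = PFRB_TRANS;
- if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
- pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
- pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
- pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
- pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+ ret = pfctl_clear_nat(dev, anchorname);
+ if (ret != 0)
 err(1, "pfctl_clear_nat");
 if ((opts & PF_OPT_QUIET) == 0)
 fprintf(stderr, "nat cleared\n");
@@ -2628,10 +2619,10 @@ main(int argc, char *argv[])
 switch (*clearopt) {
 case 'r':
- pfctl_clear_rules(dev, opts, anchorname);
+ pfctl_flush_rules(dev, opts, anchorname);
 break;
 case 'n':
- pfctl_clear_nat(dev, opts, anchorname);
+ pfctl_flush_nat(dev, opts, anchorname);
 break;
 case 'q':
 pfctl_clear_altq(dev, opts);
@@ -2646,8 +2637,8 @@ main(int argc, char *argv[])
 pfctl_clear_stats(dev, opts);
 break;
 case 'a':
- pfctl_clear_rules(dev, opts, anchorname);
- pfctl_clear_nat(dev, opts, anchorname);
+ pfctl_flush_rules(dev, opts, anchorname);
+ pfctl_flush_nat(dev, opts, anchorname);
 pfctl_clear_tables(anchorname, opts);
 if (!*anchorname) {
 pfctl_clear_altq(dev, opts);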
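Review bot: In pfctl_flush_rules the kept `err(1, "pfctl_clear_rules")` reports strerror(errno), but the new pfctl_clear_rules returns E2BIG on anchor-name truncation without touching errno, so that failure is printed with whatever errno happened to hold, while its ioctl failure path returns -1 and does set errno. Copying a positive return into errno before err() covers both conventions as the library stands in this commit: `if (ret > 0) errno = ret;` on the line before the err() call, and the same line in pfctl_flush_nat before `err(1, "pfctl_clear_nat")`; this assumes <errno.h> is included, which this chunk does not show. Both functions continue past their hunks (the remaining lines of pfctl_flush_rules and pfctl_flush_nat are outside the view). The prototype and main() hunks are pure renames and need nothing.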