summaryrefslogtreecommitdiffstats
path: root/contrib/pf/pfctl/pfctl.c
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/pf/pfctl/pfctl.c')
-rw-r--r--contrib/pf/pfctl/pfctl.c231
1 files changed, 127 insertions, 104 deletions
diff --git a/contrib/pf/pfctl/pfctl.c b/contrib/pf/pfctl/pfctl.c
index e76261b..8b07a2b 100644
--- a/contrib/pf/pfctl/pfctl.c
+++ b/contrib/pf/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */
+/* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -39,6 +39,10 @@ __FBSDID("$FreeBSD$");
#include <sys/socket.h>
#include <sys/stat.h>
+#ifdef __FreeBSD__
+#include <sys/endian.h>
+#endif
+
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
@@ -59,10 +63,6 @@ __FBSDID("$FreeBSD$");
#include "pfctl_parser.h"
#include "pfctl.h"
-#ifdef __FreeBSD__
-#define HTONL(x) (x) = htonl((__uint32_t)(x))
-#endif
-
void usage(void);
int pfctl_enable(int, int);
int pfctl_disable(int, int);
@@ -75,7 +75,9 @@ int pfctl_clear_src_nodes(int, int);
int pfctl_clear_states(int, const char *, int);
void pfctl_addrprefix(char *, struct pf_addr *);
int pfctl_kill_src_nodes(int, const char *, int);
-int pfctl_kill_states(int, const char *, int);
+int pfctl_net_kill_states(int, const char *, int);
+int pfctl_label_kill_states(int, const char *, int);
+int pfctl_id_kill_states(int, const char *, int);
void pfctl_init_options(struct pfctl *);
int pfctl_load_options(struct pfctl *);
int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
@@ -126,8 +128,6 @@ int dev = -1;
int first_title = 1;
int labels = 0;
-const char *infile;
-
#define INDENT(d, o) do { \
if (o) { \
int i; \
@@ -208,11 +208,11 @@ static const struct {
static const char *clearopt_list[] = {
"nat", "queue", "rules", "Sources",
- "state", "info", "Tables", "osfp", "all", NULL
+ "states", "info", "Tables", "osfp", "all", NULL
};
static const char *showopt_list[] = {
- "nat", "queue", "rules", "Anchors", "Sources", "state", "info",
+ "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
"all", NULL
};
@@ -227,7 +227,7 @@ static const char *debugopt_list[] = {
};
static const char *optiopt_list[] = {
- "o", "none", "basic", "profile", NULL
+ "none", "basic", "profile", NULL
};
void
@@ -237,10 +237,11 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
- fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
- fprintf(stderr, "[-k host | network ]\n");
- fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
- fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
+ fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
+ fprintf(stderr, "\t[-k host | network | label | id] ");
+ fprintf(stderr, "[-o level] [-p device]\n");
+ fprintf(stderr, "\t[-s modifier] ");
+ fprintf(stderr, "[-t table -T command [address ...]] [-x level]\n");
exit(1);
}
@@ -389,7 +390,7 @@ pfctl_clear_states(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCCLRSTATES, &psk))
err(1, "DIOCCLRSTATES");
if ((opts & PF_OPT_QUIET) == 0)
- fprintf(stderr, "%d states cleared\n", psk.psk_af);
+ fprintf(stderr, "%d states cleared\n", psk.psk_killed);
return (0);
}
@@ -528,17 +529,13 @@ pfctl_kill_src_nodes(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
err(1, "DIOCKILLSRCNODES");
- killed += psnk.psnk_af;
- /* fixup psnk.psnk_af */
- psnk.psnk_af = resp[1]->ai_family;
+ killed += psnk.psnk_killed;
}
freeaddrinfo(res[1]);
} else {
if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
err(1, "DIOCKILLSRCNODES");
- killed += psnk.psnk_af;
- /* fixup psnk.psnk_af */
- psnk.psnk_af = res[0]->ai_family;
+ killed += psnk.psnk_killed;
}
}
@@ -551,7 +548,7 @@ pfctl_kill_src_nodes(int dev, const char *iface, int opts)
}
int
-pfctl_kill_states(int dev, const char *iface, int opts)
+pfctl_net_kill_states(int dev, const char *iface, int opts)
{
struct pfioc_state_kill psk;
struct addrinfo *res[2], *resp[2];
@@ -638,17 +635,13 @@ pfctl_kill_states(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
- killed += psk.psk_af;
- /* fixup psk.psk_af */
- psk.psk_af = resp[1]->ai_family;
+ killed += psk.psk_killed;
}
freeaddrinfo(res[1]);
} else {
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
- killed += psk.psk_af;
- /* fixup psk.psk_af */
- psk.psk_af = res[0]->ai_family;
+ killed += psk.psk_killed;
}
}
@@ -661,6 +654,68 @@ pfctl_kill_states(int dev, const char *iface, int opts)
}
int
+pfctl_label_kill_states(int dev, const char *iface, int opts)
+{
+ struct pfioc_state_kill psk;
+
+ if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
+ warnx("no label specified");
+ usage();
+ }
+ memset(&psk, 0, sizeof(psk));
+ if (iface != NULL && strlcpy(psk.psk_ifname, iface,
+ sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
+ errx(1, "invalid interface: %s", iface);
+
+ if (strlcpy(psk.psk_label, state_kill[1], sizeof(psk.psk_label)) >=
+ sizeof(psk.psk_label))
+ errx(1, "label too long: %s", state_kill[1]);
+
+ if (ioctl(dev, DIOCKILLSTATES, &psk))
+ err(1, "DIOCKILLSTATES");
+
+ if ((opts & PF_OPT_QUIET) == 0)
+ fprintf(stderr, "killed %d states\n", psk.psk_killed);
+
+ return (0);
+}
+
+int
+pfctl_id_kill_states(int dev, const char *iface, int opts)
+{
+ struct pfioc_state_kill psk;
+
+ if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
+ warnx("no id specified");
+ usage();
+ }
+
+ memset(&psk, 0, sizeof(psk));
+ if ((sscanf(state_kill[1], "%jx/%x",
+ &psk.psk_pfcmp.id, &psk.psk_pfcmp.creatorid)) == 2)
+ HTONL(psk.psk_pfcmp.creatorid);
+ else if ((sscanf(state_kill[1], "%jx", &psk.psk_pfcmp.id)) == 1) {
+ psk.psk_pfcmp.creatorid = 0;
+ } else {
+ warnx("wrong id format specified");
+ usage();
+ }
+ if (psk.psk_pfcmp.id == 0) {
+ warnx("cannot kill id 0");
+ usage();
+ }
+
+ psk.psk_pfcmp.id = htobe64(psk.psk_pfcmp.id);
+ if (ioctl(dev, DIOCKILLSTATES, &psk))
+ err(1, "DIOCKILLSTATES");
+
+ if ((opts & PF_OPT_QUIET) == 0)
+ fprintf(stderr, "killed %d states\n", psk.psk_killed);
+
+ return (0);
+}
+
+int
pfctl_get_pool(int dev, struct pf_pool *pool, u_int32_t nr,
u_int32_t ticket, int r_action, char *anchorname)
{
@@ -747,10 +802,12 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts)
(unsigned long long)(rule->packets[0] +
rule->packets[1]),
(unsigned long long)(rule->bytes[0] +
- rule->bytes[1]), rule->states);
+ rule->bytes[1]), rule->states_cur);
if (!(opts & PF_OPT_DEBUG))
- printf(" [ Inserted: uid %u pid %u ]\n",
- (unsigned)rule->cuid, (unsigned)rule->cpid);
+ printf(" [ Inserted: uid %u pid %u "
+ "State Creations: %-6u]\n",
+ (unsigned)rule->cuid, (unsigned)rule->cpid,
+ rule->states_tot);
}
}
@@ -818,19 +875,6 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
- if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
- printf("%llu %llu %llu %llu %llu %llu %llu\n",
- (unsigned long long)pr.rule.evaluations,
- (unsigned long long)(pr.rule.packets[0] +
- pr.rule.packets[1]),
- (unsigned long long)(pr.rule.bytes[0] +
- pr.rule.bytes[1]),
- (unsigned long long)pr.rule.packets[0],
- (unsigned long long)pr.rule.bytes[0],
- (unsigned long long)pr.rule.packets[1],
- (unsigned long long)pr.rule.bytes[1]);
- }
break;
case PFCTL_SHOW_RULES:
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
@@ -864,8 +908,9 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
- printf("%llu %llu %llu %llu %llu %llu %llu\n",
+ printf("%s %llu %llu %llu %llu"
+ " %llu %llu %llu %llu\n",
+ pr.rule.label,
(unsigned long long)pr.rule.evaluations,
(unsigned long long)(pr.rule.packets[0] +
pr.rule.packets[1]),
@@ -874,7 +919,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
(unsigned long long)pr.rule.packets[0],
(unsigned long long)pr.rule.bytes[0],
(unsigned long long)pr.rule.packets[1],
- (unsigned long long)pr.rule.bytes[1]);
+ (unsigned long long)pr.rule.bytes[1],
+ (unsigned long long)pr.rule.states_tot);
}
break;
case PFCTL_SHOW_RULES:
@@ -967,7 +1013,7 @@ pfctl_show_src_nodes(int dev, int opts)
struct pfioc_src_nodes psn;
struct pf_src_node *p;
char *inbuf = NULL, *newinbuf = NULL;
- unsigned len = 0;
+ unsigned int len = 0;
int i;
memset(&psn, 0, sizeof(psn));
@@ -1010,9 +1056,9 @@ int
pfctl_show_states(int dev, const char *iface, int opts)
{
struct pfioc_states ps;
- struct pf_state *p;
+ struct pfsync_state *p;
char *inbuf = NULL, *newinbuf = NULL;
- unsigned len = 0;
+ unsigned int len = 0;
int i, dotitle = (opts & PF_OPT_SHOWALL);
memset(&ps, 0, sizeof(ps));
@@ -1041,7 +1087,7 @@ pfctl_show_states(int dev, const char *iface, int opts)
}
p = ps.ps_states;
for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
- if (iface != NULL && strcmp(p->u.ifname, iface))
+ if (iface != NULL && strcmp(p->ifname, iface))
continue;
if (dotitle) {
pfctl_print_title("STATES:");
@@ -1163,7 +1209,7 @@ pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
r->anchor->ruleset.anchor = r->anchor;
if (strlcpy(r->anchor->path, anchor_call,
sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
- errx(1, "pfctl_add_rule: strlcpy");
+ errx(1, "pfctl_add_rule: strlcpy");
if ((p = strrchr(anchor_call, '/')) != NULL) {
if (!strlen(p))
err(1, "pfctl_add_rule: bad anchor name %s",
@@ -1172,7 +1218,7 @@ pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
p = (char *)anchor_call;
if (strlcpy(r->anchor->name, p,
sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
- errx(1, "pfctl_add_rule: strlcpy");
+ errx(1, "pfctl_add_rule: strlcpy");
}
if ((rule = calloc(1, sizeof(*rule))) == NULL)
@@ -1197,7 +1243,7 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
return (1);
}
if (a == pf->astack[0] && ((altqsupport &&
- (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
+ (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
return (2);
}
@@ -1350,7 +1396,7 @@ pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
}
int
-pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
+pfctl_rules(int dev, char *filename, int opts, int optimize,
char *anchorname, struct pfr_buffer *trans)
{
#define ERR(x) do { warn(x); goto _error; } while(0)
@@ -1386,7 +1432,6 @@ pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
if (strlcpy(trs.pfrt_anchor, anchorname,
sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
ERRX("pfctl_rules: strlcpy");
- infile = filename;
pf.dev = dev;
pf.opts = opts;
pf.optimize = optimize;
@@ -1430,7 +1475,7 @@ pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
}
- if (parse_rules(fin, &pf) < 0) {
+ if (parse_config(filename, &pf) < 0) {
if ((opts & PF_OPT_NOACTION) == 0)
ERRX("Syntax error in config file: "
"pf rules not loaded");
@@ -1456,11 +1501,6 @@ pfctl_rules(int dev, char *filename, FILE *fin, int opts, int optimize,
if (check_commit_altq(dev, opts) != 0)
ERRX("errors in altq config");
- if (fin != stdin) {
- fclose(fin);
- fin = NULL;
- }
-
/* process "load anchor" directives */
if (!anchorname[0])
if (pfctl_load_anchors(dev, &pf, t) == -1)
@@ -1482,8 +1522,6 @@ _error:
err(1, "DIOCXROLLBACK");
exit(1);
} else { /* sub ruleset */
- if (fin != NULL && fin != stdin)
- fclose(fin);
return (-1);
}
@@ -1515,7 +1553,8 @@ pfctl_fopen(const char *name, const char *mode)
void
pfctl_init_options(struct pfctl *pf)
{
- int mib[2], mem;
+ int64_t mem;
+ int mib[2];
size_t size;
pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
@@ -1546,9 +1585,14 @@ pfctl_init_options(struct pfctl *pf)
pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
mib[0] = CTL_HW;
+#ifdef __FreeBSD__
mib[1] = HW_PHYSMEM;
+#else
+ mib[1] = HW_PHYSMEM64;
+#endif
size = sizeof(mem);
- (void) sysctl(mib, 2, &mem, &size, NULL, 0);
+ if (sysctl(mib, 2, &mem, &size, NULL, 0) == -1)
+ err(1, "sysctl");
if (mem <= 100*1024*1024)
pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
@@ -1572,7 +1616,7 @@ pfctl_load_options(struct pfctl *pf)
}
/*
- * If we've set the limit, but havn't explicitly set adaptive
+ * If we've set the limit, but haven't explicitly set adaptive
* timeouts, do it now with a start of 60% and end of 120%.
*/
if (pf->limit_set[PF_LIMIT_STATES] &&
@@ -1897,9 +1941,6 @@ pfctl_debug(int dev, u_int32_t level, int opts)
int
pfctl_test_altqsupport(int dev, int opts)
{
-#if defined(__FreeBSD__) && !defined(ENABLE_ALTQ)
- return (0);
-#else
struct pfioc_altq pa;
if (ioctl(dev, DIOCGETALTQS, &pa)) {
@@ -1912,7 +1953,6 @@ pfctl_test_altqsupport(int dev, int opts)
err(1, "DIOCGETALTQS");
}
return (1);
-#endif
}
int
@@ -1971,16 +2011,15 @@ main(int argc, char *argv[])
int ch;
int mode = O_RDONLY;
int opts = 0;
- int optimize = 0;
+ int optimize = PF_OPTIMIZE_BASIC;
char anchorname[MAXPATHLEN];
char *path;
- FILE *fin = NULL;
if (argc < 2)
usage();
while ((ch = getopt(argc, argv,
- "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
+ "a:AdD:eqf:F:ghi:k:K:mnNOo:Pp:rRs:t:T:vx:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@@ -2056,24 +2095,11 @@ main(int argc, char *argv[])
loadopt |= PFCTL_FLAG_FILTER;
break;
case 'o':
- if (optarg) {
- optiopt = pfctl_lookup_option(optarg,
- optiopt_list);
- if (optiopt == NULL) {
- warnx("Unknown optimization '%s'",
- optarg);
- usage();
- }
- }
- if (opts & PF_OPT_OPTIMIZE) {
- if (optiopt != NULL) {
- warnx("Cannot specify -o multiple times"
- "with optimizer level");
- usage();
- }
- optimize |= PF_OPTIMIZE_PROFILE;
+ optiopt = pfctl_lookup_option(optarg, optiopt_list);
+ if (optiopt == NULL) {
+ warnx("Unknown optimization '%s'", optarg);
+ usage();
}
- optimize |= PF_OPTIMIZE_BASIC;
opts |= PF_OPT_OPTIMIZE;
break;
case 'O':
@@ -2303,8 +2329,14 @@ main(int argc, char *argv[])
break;
}
}
- if (state_killers)
- pfctl_kill_states(dev, ifaceopt, opts);
+ if (state_killers) {
+ if (!strcmp(state_kill[0], "label"))
+ pfctl_label_kill_states(dev, ifaceopt, opts);
+ else if (!strcmp(state_kill[0], "id"))
+ pfctl_id_kill_states(dev, ifaceopt, opts);
+ else
+ pfctl_net_kill_states(dev, ifaceopt, opts);
+ }
if (src_node_killers)
pfctl_kill_src_nodes(dev, ifaceopt, opts);
@@ -2329,15 +2361,6 @@ main(int argc, char *argv[])
}
}
- if (rulesopt != NULL) {
- if (strcmp(rulesopt, "-") == 0) {
- fin = stdin;
- rulesopt = "stdin";
- } else {
- if ((fin = pfctl_fopen(rulesopt, "r")) == NULL)
- err(1, "%s", rulesopt);
- }
- }
if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
!anchorname[0])
if (pfctl_clear_interface_flags(dev, opts | PF_OPT_QUIET))
@@ -2352,7 +2375,7 @@ main(int argc, char *argv[])
if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
errx(1, "anchor names beginning with '_' cannot "
"be modified from the command line");
- if (pfctl_rules(dev, rulesopt, fin, opts, optimize,
+ if (pfctl_rules(dev, rulesopt, opts, optimize,
anchorname, NULL))
error = 1;
else if (!(opts & PF_OPT_NOACTION) &&
OpenPOWER on IntegriCloud