Index: lib/Makefile
===================================================================
--- lib/Makefile
+++ lib/Makefile
@@ -210,6 +210,7 @@
SUBDIR.${MK_OPENMP}+= libomp
.endif
SUBDIR.${MK_OPENSSL}+= libmp
+SUBDIR.${MK_PF}+= libpfctl
SUBDIR.${MK_PMC}+= libpmc libpmcstat
SUBDIR.${MK_RADIUS_SUPPORT}+= libradius
SUBDIR.${MK_SENDMAIL}+= libmilter libsm libsmdb libsmutil
Index: lib/libpfctl/Makefile
===================================================================
--- /dev/null
+++ lib/libpfctl/Makefile
@@ -0,0 +1,12 @@
+# $FreeBSD$
+
+PACKAGE= lib${LIB}
+LIB= pfctl
+INTERNALLIB= true
+
+SRCS= libpfctl.c
+INCS= libpfctl.h
+
+CFLAGS+= -fPIC
+
+.include <bsd.lib.mk>
Index: lib/libpfctl/libpfctl.h
===================================================================
--- lib/libpfctl/libpfctl.h
+++ lib/libpfctl/libpfctl.h
@@ -36,8 +36,11 @@
#include <netpfil/pf/pf.h>
-int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
+int libpfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
const char *anchor, u_int32_t ruleset, struct pf_rule *rule,
char *anchor_call);
+int libpfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
+ const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket);
#endif
+
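Review bot: The new public prototype libpfctl_add_rule carries no comment describing its contract, and this header is now the library's only interface documentation. I would put above it `/* Pack *r into an nvlist and issue DIOCADDRULENV on dev; returns the ioctl(2) result (0, or -1 with errno set). */`, which is what the implementation in libpfctl.c does. A similar one-liner on libpfctl_get_rule would help, though its semantics are only partly visible here. The blank line added after `#endif` is a style nit and can be dropped.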
Index: lib/libpfctl/libpfctl.c
===================================================================
--- lib/libpfctl/libpfctl.c
+++ lib/libpfctl/libpfctl.c
@@ -48,7 +48,7 @@
#include <stdlib.h>
#include <string.h>
-#include "pfctl_ioctl.h"
+#include "libpfctl.h"
static void
pf_nvuint_8_array(const nvlist_t *nvl, const char *name, size_t maxelems,
@@ -118,6 +118,17 @@
*nelems = elems;
}
+static void
+pfctl_nv_add_addr(nvlist_t *nvparent, const char *name,
+ const struct pf_addr *addr)
+{
+ nvlist_t *nvl = nvlist_create(0);
+
+ nvlist_add_binary(nvl, "addr", addr, sizeof(*addr));
+
+ nvlist_add_nvlist(nvparent, name, nvl);
+}
+
static void
pf_nvaddr_to_addr(const nvlist_t *nvl, struct pf_addr *addr)
{
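Review bot: The nvlist created at the top of pfctl_nv_add_addr is never released: nvlist_add_nvlist() stores a clone of its argument rather than taking ownership, so the local `nvl` leaks on every call. Either add `nvlist_destroy(nvl);` after the `nvlist_add_nvlist(nvparent, name, nvl);` line, or use `nvlist_move_nvlist(nvparent, name, nvl);`, which transfers ownership. The same pattern repeats in pfctl_nv_add_addr_wrap, pfctl_nv_add_rule_addr, pfctl_nv_add_pool, pfctl_nv_add_uid and pfctl_nv_add_divert, and in libpfctl_add_rule the `nvlr` list is likewise added to `nvl` but never destroyed. The code is moved rather than new, so the leak predates this commit, but pfctl drives every rule of a ruleset through this path.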
@@ -129,6 +140,22 @@
memcpy(addr, data, len);
}
+static void
+pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name,
+ const struct pf_addr_wrap *addr)
+{
+ nvlist_t *nvl = nvlist_create(0);
+
+ nvlist_add_number(nvl, "type", addr->type);
+ nvlist_add_number(nvl, "iflags", addr->iflags);
+ nvlist_add_string(nvl, "ifname", addr->v.ifname);
+ nvlist_add_string(nvl, "tblname", addr->v.tblname);
+ pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);
+ pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask);
+
+ nvlist_add_nvlist(nvparent, name, nvl);
+}
+
static void
pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
{
@@ -142,6 +169,23 @@
pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask);
}
+static void
+pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name,
+ const struct pf_rule_addr *addr)
+{
+ u_int64_t ports[2];
+ nvlist_t *nvl = nvlist_create(0);
+
+ pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr);
+ ports[0] = addr->port[0];
+ ports[1] = addr->port[1];
+ nvlist_add_number_array(nvl, "port", ports, 2);
+ nvlist_add_number(nvl, "neg", addr->neg);
+ nvlist_add_number(nvl, "port_op", addr->port_op);
+
+ nvlist_add_nvlist(nvparent, name, nvl);
+}
+
static void
pf_nvrule_addr_to_rule_addr(const nvlist_t *nvl, struct pf_rule_addr *addr)
{
@@ -152,6 +196,25 @@
addr->port_op = nvlist_get_number(nvl, "port_op");
}
+static void
+pfctl_nv_add_pool(nvlist_t *nvparent, const char *name,
+ const struct pf_pool *pool)
+{
+ u_int64_t ports[2];
+ nvlist_t *nvl = nvlist_create(0);
+
+ nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
+ pfctl_nv_add_addr(nvl, "counter", &pool->counter);
+ nvlist_add_number(nvl, "tblidx", pool->tblidx);
+
+ ports[0] = pool->proxy_port[0];
+ ports[1] = pool->proxy_port[1];
+ nvlist_add_number_array(nvl, "proxy_port", ports, 2);
+ nvlist_add_number(nvl, "opts", pool->opts);
+
+ nvlist_add_nvlist(nvparent, name, nvl);
+}
+
static void
pf_nvpool_to_pool(const nvlist_t *nvl, struct pf_pool *pool)
{
@@ -169,6 +232,21 @@
pool->opts = nvlist_get_number(nvl, "opts");
}
+static void
+pfctl_nv_add_uid(nvlist_t *nvparent, const char *name,
+ const struct pf_rule_uid *uid)
+{
+ u_int64_t uids[2];
+ nvlist_t *nvl = nvlist_create(0);
+
+ uids[0] = uid->uid[0];
+ uids[1] = uid->uid[1];
+ nvlist_add_number_array(nvl, "uid", uids, 2);
+ nvlist_add_number(nvl, "op", uid->op);
+
+ nvlist_add_nvlist(nvparent, name, nvl);
+}
+
static void
pf_nvrule_uid_to_rule_uid(const nvlist_t *nvl, struct pf_rule_uid *uid)
{
@@ -176,6 +254,18 @@
uid->op = nvlist_get_number(nvl, "op");
}
+static void
+pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
+ const struct pf_rule *r)
+{
+ nvlist_t *nvl = nvlist_create(0);
+
+ pfctl_nv_add_addr(nvl, "addr", &r->divert.addr);
+ nvlist_add_number(nvl, "port", r->divert.port);
+
+ nvlist_add_nvlist(nvparent, name, nvl);
+}
+
static void
pf_nvdivert_to_divert(const nvlist_t *nvl, struct pf_rule *rule)
{
@@ -281,9 +371,117 @@
rule->u_src_nodes = nvlist_get_number(nvl, "src_nodes");
}
+int
+libpfctl_add_rule(int dev, const struct pf_rule *r, const char *anchor,
+ const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket)
+{
+ struct pfioc_nv nv;
+ u_int64_t timeouts[PFTM_MAX];
+ u_int64_t set_prio[2];
+ nvlist_t *nvl, *nvlr;
+ int ret;
+
+ nvl = nvlist_create(0);
+ nvlr = nvlist_create(0);
+
+ nvlist_add_number(nvl, "ticket", ticket);
+ nvlist_add_number(nvl, "pool_ticket", pool_ticket);
+ nvlist_add_string(nvl, "anchor", anchor);
+ nvlist_add_string(nvl, "anchor_call", anchor_call);
+
+ nvlist_add_number(nvlr, "nr", r->nr);
+ pfctl_nv_add_rule_addr(nvlr, "src", &r->src);
+ pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst);
+
+ nvlist_add_string(nvlr, "label", r->label);
+ nvlist_add_string(nvlr, "ifname", r->ifname);
+ nvlist_add_string(nvlr, "qname", r->qname);
+ nvlist_add_string(nvlr, "pqname", r->pqname);
+ nvlist_add_string(nvlr, "tagname", r->tagname);
+ nvlist_add_string(nvlr, "match_tagname", r->match_tagname);
+ nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname);
+
+ pfctl_nv_add_pool(nvlr, "rpool", &r->rpool);
+
+ nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint);
+
+ nvlist_add_number(nvlr, "rtableid", r->rtableid);
+ for (int i = 0; i < PFTM_MAX; i++)
+ timeouts[i] = r->timeout[i];
+ nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX);
+ nvlist_add_number(nvlr, "max_states", r->max_states);
+ nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes);
+ nvlist_add_number(nvlr, "max_src_states", r->max_src_states);
+ nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn);
+ nvlist_add_number(nvlr, "max_src_conn_rate.limit",
+ r->max_src_conn_rate.limit);
+ nvlist_add_number(nvlr, "max_src_conn_rate.seconds",
+ r->max_src_conn_rate.seconds);
+ nvlist_add_number(nvlr, "rt_listid", r->rt_listid);
+ nvlist_add_number(nvlr, "prob", r->prob);
+ nvlist_add_number(nvlr, "cuid", r->cuid);
+ nvlist_add_number(nvlr, "cpid", r->cpid);
+
+ nvlist_add_number(nvlr, "return_icmp", r->return_icmp);
+ nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6);
+
+ nvlist_add_number(nvlr, "max_mss", r->max_mss);
+ nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags);
+
+ pfctl_nv_add_uid(nvlr, "uid", &r->uid);
+ pfctl_nv_add_uid(nvlr, "gid", (const struct pf_rule_uid *)&r->gid);
+
+ nvlist_add_number(nvlr, "rule_flag", r->rule_flag);
+ nvlist_add_number(nvlr, "action", r->action);
+ nvlist_add_number(nvlr, "direction", r->direction);
+ nvlist_add_number(nvlr, "log", r->log);
+ nvlist_add_number(nvlr, "logif", r->logif);
+ nvlist_add_number(nvlr, "quick", r->quick);
+ nvlist_add_number(nvlr, "ifnot", r->ifnot);
+ nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not);
+ nvlist_add_number(nvlr, "natpass", r->natpass);
+
+ nvlist_add_number(nvlr, "keep_state", r->keep_state);
+ nvlist_add_number(nvlr, "af", r->af);
+ nvlist_add_number(nvlr, "proto", r->proto);
+ nvlist_add_number(nvlr, "type", r->type);
+ nvlist_add_number(nvlr, "code", r->code);
+ nvlist_add_number(nvlr, "flags", r->flags);
+ nvlist_add_number(nvlr, "flagset", r->flagset);
+ nvlist_add_number(nvlr, "min_ttl", r->min_ttl);
+ nvlist_add_number(nvlr, "allow_opts", r->allow_opts);
+ nvlist_add_number(nvlr, "rt", r->rt);
+ nvlist_add_number(nvlr, "return_ttl", r->return_ttl);
+ nvlist_add_number(nvlr, "tos", r->tos);
+ nvlist_add_number(nvlr, "set_tos", r->set_tos);
+ nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative);
+ nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard);
+
+ nvlist_add_number(nvlr, "flush", r->flush);
+
+ nvlist_add_number(nvlr, "prio", r->prio);
+ set_prio[0] = r->set_prio[0];
+ set_prio[1] = r->set_prio[1];
+ nvlist_add_number_array(nvlr, "set_prio", set_prio, 2);
+
+ pfctl_nv_add_divert(nvlr, "divert", r);
+
+ nvlist_add_nvlist(nvl, "rule", nvlr);
+
+ /* Now do the call. */
+ nv.data = nvlist_pack(nvl, &nv.len);
+ nv.size = nv.len;
+
+ ret = ioctl(dev, DIOCADDRULENV, &nv);
+
+ free(nv.data);
+ nvlist_destroy(nvl);
+
+ return (ret);
+}
int
-pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
+libpfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
u_int32_t ruleset, struct pf_rule *rule, char *anchor_call)
{
struct pfioc_nv nv;
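Review bot: libpfctl_add_rule hands the result of nvlist_pack() to ioctl() without checking it; nvlist_pack() returns NULL when packing fails or when an earlier nvlist_add_* call left the list in an error state, and `nv.len` is not guaranteed to be set in that case, so the ioctl would be issued with a NULL data pointer and an unset length. Insert `if (nv.data == NULL) { nvlist_destroy(nvl); return (-1); }` between the `nv.data = nvlist_pack(nvl, &nv.len);` and `nv.size = nv.len;` lines, optionally after an `nvlist_error(nvl)` check, so that errno reaches the caller's `err(1, "DIOCADDRULENV")`. The cast of `&r->gid` to `const struct pf_rule_uid *` relies on pf_rule_gid and pf_rule_uid having identical layout; a `_Static_assert(sizeof(struct pf_rule_gid) == sizeof(struct pf_rule_uid), "gid/uid layout")` would make that assumption explicit, or a small gid-specific helper would avoid the aliasing question altogether. libpfctl_get_rule, which starts at the end of this hunk, continues outside it.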
Index: sbin/pfctl/Makefile
===================================================================
--- sbin/pfctl/Makefile
+++ sbin/pfctl/Makefile
@@ -9,13 +9,14 @@
SRCS = pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
-SRCS+= pfctl_optimize.c pfctl_ioctl.c
+SRCS+= pfctl_optimize.c
SRCS+= pf_ruleset.c
WARNS?= 2
CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
CFLAGS+= -Wstrict-prototypes
CFLAGS+= -DENABLE_ALTQ -I${.CURDIR}
+CFLAGS+= -I${SRCTOP}/lib/libpfctl -I${OBJTOP}/lib/libpfctl
# Need to use "WITH_" prefix to not conflict with the l/y INET/INET6 keywords
.if ${MK_INET6_SUPPORT} != "no"
@@ -27,7 +28,7 @@
YFLAGS=
-LIBADD= m md nv
+LIBADD= m md pfctl
HAS_TESTS=
SUBDIR.${MK_TESTS}+= tests
Index: sbin/pfctl/pfctl.c
===================================================================
--- sbin/pfctl/pfctl.c
+++ sbin/pfctl/pfctl.c
@@ -55,6 +55,7 @@
#include <err.h>
#include <errno.h>
#include <fcntl.h>
+#include <libpfctl.h>
#include <limits.h>
#include <netdb.h>
#include <stdint.h>
@@ -63,7 +64,6 @@
#include <string.h>
#include <unistd.h>
-#include "pfctl_ioctl.h"
#include "pfctl_parser.h"
#include "pfctl.h"
@@ -953,7 +953,7 @@
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
- if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB,
+ if (libpfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB,
&pr.rule, pr.anchor_call)) {
warn("DIOCGETRULENV");
goto error;
@@ -986,7 +986,7 @@
mnr = pr.nr;
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
- if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS,
+ if (libpfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS,
&pr.rule, pr.anchor_call)) {
warn("DIOCGETRULE");
goto error;
@@ -1077,7 +1077,7 @@
mnr = pr.nr;
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
- if (pfctl_get_rule(dev, nr, pr.ticket, anchorname,
+ if (libpfctl_get_rule(dev, nr, pr.ticket, anchorname,
nattype[i], &pr.rule, pr.anchor_call)) {
warn("DIOCGETRULE");
return (-1);
@@ -1427,205 +1427,6 @@
}
-static void
-pfctl_nv_add_addr(nvlist_t *nvparent, const char *name,
- const struct pf_addr *addr)
-{
- nvlist_t *nvl = nvlist_create(0);
-
- nvlist_add_binary(nvl, "addr", addr, sizeof(*addr));
-
- nvlist_add_nvlist(nvparent, name, nvl);
-}
-
-static void
-pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name,
- const struct pf_addr_wrap *addr)
-{
- nvlist_t *nvl = nvlist_create(0);
-
- nvlist_add_number(nvl, "type", addr->type);
- nvlist_add_number(nvl, "iflags", addr->iflags);
- nvlist_add_string(nvl, "ifname", addr->v.ifname);
- nvlist_add_string(nvl, "tblname", addr->v.tblname);
- pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);
- pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask);
-
- nvlist_add_nvlist(nvparent, name, nvl);
-}
-
-static void
-pfctl_nv_add_rule_addr(nvlist_t *nvparent, const char *name,
- const struct pf_rule_addr *addr)
-{
- u_int64_t ports[2];
- nvlist_t *nvl = nvlist_create(0);
-
- pfctl_nv_add_addr_wrap(nvl, "addr", &addr->addr);
- ports[0] = addr->port[0];
- ports[1] = addr->port[1];
- nvlist_add_number_array(nvl, "port", ports, 2);
- nvlist_add_number(nvl, "neg", addr->neg);
- nvlist_add_number(nvl, "port_op", addr->port_op);
-
- nvlist_add_nvlist(nvparent, name, nvl);
-}
-
-static void
-pfctl_nv_add_pool(nvlist_t *nvparent, const char *name,
- const struct pf_pool *pool)
-{
- u_int64_t ports[2];
- nvlist_t *nvl = nvlist_create(0);
-
- nvlist_add_binary(nvl, "key", &pool->key, sizeof(pool->key));
- pfctl_nv_add_addr(nvl, "counter", &pool->counter);
- nvlist_add_number(nvl, "tblidx", pool->tblidx);
-
- ports[0] = pool->proxy_port[0];
- ports[1] = pool->proxy_port[1];
- nvlist_add_number_array(nvl, "proxy_port", ports, 2);
- nvlist_add_number(nvl, "opts", pool->opts);
-
- nvlist_add_nvlist(nvparent, name, nvl);
-}
-
-static void
-pfctl_nv_add_uid(nvlist_t *nvparent, const char *name,
- const struct pf_rule_uid *uid)
-{
- u_int64_t uids[2];
- nvlist_t *nvl = nvlist_create(0);
-
- uids[0] = uid->uid[0];
- uids[1] = uid->uid[1];
- nvlist_add_number_array(nvl, "uid", uids, 2);
- nvlist_add_number(nvl, "op", uid->op);
-
- nvlist_add_nvlist(nvparent, name, nvl);
-}
-
-static void
-pfctl_nv_add_divert(nvlist_t *nvparent, const char *name,
- const struct pf_rule *r)
-{
- nvlist_t *nvl = nvlist_create(0);
-
- pfctl_nv_add_addr(nvl, "addr", &r->divert.addr);
- nvlist_add_number(nvl, "port", r->divert.port);
-
- nvlist_add_nvlist(nvparent, name, nvl);
-}
-
-static int
-pfctl_addrule(struct pfctl *pf, const struct pf_rule *r, const char *anchor,
- const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket)
-{
- struct pfioc_nv nv;
- u_int64_t timeouts[PFTM_MAX];
- u_int64_t set_prio[2];
- nvlist_t *nvl, *nvlr;
- int ret;
-
- nvl = nvlist_create(0);
- nvlr = nvlist_create(0);
-
- nvlist_add_number(nvl, "ticket", ticket);
- nvlist_add_number(nvl, "pool_ticket", pool_ticket);
- nvlist_add_string(nvl, "anchor", anchor);
- nvlist_add_string(nvl, "anchor_call", anchor_call);
-
- nvlist_add_number(nvlr, "nr", r->nr);
- pfctl_nv_add_rule_addr(nvlr, "src", &r->src);
- pfctl_nv_add_rule_addr(nvlr, "dst", &r->dst);
-
- nvlist_add_string(nvlr, "label", r->label);
- nvlist_add_string(nvlr, "ifname", r->ifname);
- nvlist_add_string(nvlr, "qname", r->qname);
- nvlist_add_string(nvlr, "pqname", r->pqname);
- nvlist_add_string(nvlr, "tagname", r->tagname);
- nvlist_add_string(nvlr, "match_tagname", r->match_tagname);
- nvlist_add_string(nvlr, "overload_tblname", r->overload_tblname);
-
- pfctl_nv_add_pool(nvlr, "rpool", &r->rpool);
-
- nvlist_add_number(nvlr, "os_fingerprint", r->os_fingerprint);
-
- nvlist_add_number(nvlr, "rtableid", r->rtableid);
- for (int i = 0; i < PFTM_MAX; i++)
- timeouts[i] = r->timeout[i];
- nvlist_add_number_array(nvlr, "timeout", timeouts, PFTM_MAX);
- nvlist_add_number(nvlr, "max_states", r->max_states);
- nvlist_add_number(nvlr, "max_src_nodes", r->max_src_nodes);
- nvlist_add_number(nvlr, "max_src_states", r->max_src_states);
- nvlist_add_number(nvlr, "max_src_conn", r->max_src_conn);
- nvlist_add_number(nvlr, "max_src_conn_rate.limit",
- r->max_src_conn_rate.limit);
- nvlist_add_number(nvlr, "max_src_conn_rate.seconds",
- r->max_src_conn_rate.seconds);
- nvlist_add_number(nvlr, "rt_listid", r->rt_listid);
- nvlist_add_number(nvlr, "prob", r->prob);
- nvlist_add_number(nvlr, "cuid", r->cuid);
- nvlist_add_number(nvlr, "cpid", r->cpid);
-
- nvlist_add_number(nvlr, "return_icmp", r->return_icmp);
- nvlist_add_number(nvlr, "return_icmp6", r->return_icmp6);
-
- nvlist_add_number(nvlr, "max_mss", r->max_mss);
- nvlist_add_number(nvlr, "scrub_flags", r->scrub_flags);
-
- pfctl_nv_add_uid(nvlr, "uid", &r->uid);
- pfctl_nv_add_uid(nvlr, "gid", (struct pf_rule_uid *)&r->gid);
-
- nvlist_add_number(nvlr, "rule_flag", r->rule_flag);
- nvlist_add_number(nvlr, "action", r->action);
- nvlist_add_number(nvlr, "direction", r->direction);
- nvlist_add_number(nvlr, "log", r->log);
- nvlist_add_number(nvlr, "logif", r->logif);
- nvlist_add_number(nvlr, "quick", r->quick);
- nvlist_add_number(nvlr, "ifnot", r->ifnot);
- nvlist_add_number(nvlr, "match_tag_not", r->match_tag_not);
- nvlist_add_number(nvlr, "natpass", r->natpass);
-
- nvlist_add_number(nvlr, "keep_state", r->keep_state);
- nvlist_add_number(nvlr, "af", r->af);
- nvlist_add_number(nvlr, "proto", r->proto);
- nvlist_add_number(nvlr, "type", r->type);
- nvlist_add_number(nvlr, "code", r->code);
- nvlist_add_number(nvlr, "flags", r->flags);
- nvlist_add_number(nvlr, "flagset", r->flagset);
- nvlist_add_number(nvlr, "min_ttl", r->min_ttl);
- nvlist_add_number(nvlr, "allow_opts", r->allow_opts);
- nvlist_add_number(nvlr, "rt", r->rt);
- nvlist_add_number(nvlr, "return_ttl", r->return_ttl);
- nvlist_add_number(nvlr, "tos", r->tos);
- nvlist_add_number(nvlr, "set_tos", r->set_tos);
- nvlist_add_number(nvlr, "anchor_relative", r->anchor_relative);
- nvlist_add_number(nvlr, "anchor_wildcard", r->anchor_wildcard);
-
- nvlist_add_number(nvlr, "flush", r->flush);
-
- nvlist_add_number(nvlr, "prio", r->prio);
- set_prio[0] = r->set_prio[0];
- set_prio[1] = r->set_prio[1];
- nvlist_add_number_array(nvlr, "set_prio", set_prio, 2);
-
- pfctl_nv_add_divert(nvlr, "divert", r);
-
- nvlist_add_nvlist(nvl, "rule", nvlr);
-
- /* Now do the call. */
- nv.data = nvlist_pack(nvl, &nv.len);
- nv.size = nv.len;
-
- ret = ioctl(pf->dev, DIOCADDRULENV, &nv);
-
- free(nv.data);
- nvlist_destroy(nvl);
-
- return (ret);
-}
-
int
pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
{
@@ -1658,7 +1459,7 @@
if ((pf->opts & PF_OPT_NOACTION) == 0) {
if (pfctl_add_pool(pf, &r->rpool, r->af))
return (1);
- if (pfctl_addrule(pf, r, anchor, name, ticket,
+ if (libpfctl_add_rule(pf->dev, r, anchor, name, ticket,
pf->paddr.ticket))
err(1, "DIOCADDRULENV");
}
Index: sbin/pfctl/pfctl_ioctl.h
===================================================================
--- sbin/pfctl/pfctl_ioctl.h
+++ sbin/pfctl/pfctl_ioctl.h
@@ -1,43 +0,0 @@
-/*-
- * SPDX-License-Identifier: BSD-2-Clause
- *
- * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * - Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * - Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#ifndef _PFCTL_IOCTL_H_
-#define _PFCTL_IOCTL_H_
-
-#include <netpfil/pf/pf.h>
-
-int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
- const char *anchor, u_int32_t ruleset, struct pf_rule *rule,
- char *anchor_call);
-
-#endif
Index: sbin/pfctl/pfctl_optimize.c
===================================================================
--- sbin/pfctl/pfctl_optimize.c
+++ sbin/pfctl/pfctl_optimize.c
@@ -33,12 +33,12 @@
#include <ctype.h>
#include <err.h>
#include <errno.h>
+#include <libpfctl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include "pfctl_ioctl.h"
#include "pfctl_parser.h"
#include "pfctl.h"
@@ -911,7 +911,7 @@
}
pr.nr = nr;
- if (pfctl_get_rule(pf->dev, nr, pr.ticket, "", PF_PASS,
+ if (libpfctl_get_rule(pf->dev, nr, pr.ticket, "", PF_PASS,
&pr.rule, pr.anchor_call)) {
warn("DIOCGETRULENV");
return (1);
Index: share/mk/src.libnames.mk
===================================================================
--- share/mk/src.libnames.mk
+++ share/mk/src.libnames.mk
@@ -57,6 +57,7 @@
opts \
parse \
pe \
+ pfctl \
pmcstat \
sl \
sm \
@@ -387,6 +388,7 @@
_DP_be= zfs spl nvpair zfsbootenv
_DP_netmap=
_DP_ifconfig= m
+_DP_pfctl= nv
# OFED support
.if ${MK_OFED} != "no"
@@ -564,6 +566,9 @@
LIBPARSEDIR= ${_LIB_OBJTOP}/usr.sbin/ntp/libparse
LIBPARSE?= ${LIBPARSEDIR}/libparse${PIE_SUFFIX}.a
+LIBPFCTL= ${_LIB_OBJTOP}/lib/libpfctl
+LIBPFCTL?= ${LIBPFCTLDIR}/libpfctl${PIE_SUFFIX}.a
+
LIBLPRDIR= ${_LIB_OBJTOP}/usr.sbin/lpr/common_source
LIBLPR?= ${LIBLPRDIR}/liblpr${PIE_SUFFIX}.a
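Review bot: The first added line assigns `${_LIB_OBJTOP}/lib/libpfctl` to `LIBPFCTL` rather than `LIBPFCTLDIR`, unlike the neighbouring LIBPARSEDIR/LIBPARSE and LIBLPRDIR/LIBLPR pairs, so `LIBPFCTLDIR` is never defined and the following `LIBPFCTL?=` line is a no-op because LIBPFCTL is already set; LIBPFCTL ends up naming the directory instead of the archive. Change the first line to `LIBPFCTLDIR= ${_LIB_OBJTOP}/lib/libpfctl` so the `?=` line resolves to `${LIBPFCTLDIR}/libpfctl${PIE_SUFFIX}.a` as intended.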
D29562: pfctl: Move ioctl abstraction functions into libpfctl