Cross Reference: /freebsd-10.1-release/sbin/pfctl/pfctl.c

Deleted Added

sdiff udiff text old ( 145840 ) new ( 171172 )

full compact

pfctl.c (145840)	pfctl.c (171172)
1/* $OpenBSD: pfctl.c,v 1.234 2005/03/07 13:52:50 henning Exp $ */	1/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */
2 3/* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2002,2003 Henning Brauer 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions --- 17 unchanged lines hidden (view full) --- 27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 * 32 */ 33 34#include <sys/cdefs.h>	2 3/* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2002,2003 Henning Brauer 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions --- 17 unchanged lines hidden (view full) --- 27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 * 32 */ 33 34#include <sys/cdefs.h>
35__FBSDID("$FreeBSD: head/contrib/pf/pfctl/pfctl.c 145840 2005-05-03 16:55:20Z mlaier $");	35__FBSDID("$FreeBSD: head/contrib/pf/pfctl/pfctl.c 171172 2007-07-03 12:30:03Z mlaier $");
36 37#include <sys/types.h> 38#include <sys/ioctl.h> 39#include <sys/socket.h> 40#include <sys/stat.h> 41 42#include <net/if.h> 43#include <netinet/in.h> 44#include <net/pfvar.h> 45#include <arpa/inet.h> 46#include <altq/altq.h>	36 37#include <sys/types.h> 38#include <sys/ioctl.h> 39#include <sys/socket.h> 40#include <sys/stat.h> 41 42#include <net/if.h> 43#include <netinet/in.h> 44#include <net/pfvar.h> 45#include <arpa/inet.h> 46#include <altq/altq.h>
	47#include <sys/sysctl.h>
47 48#include <err.h> 49#include <errno.h> 50#include <fcntl.h> 51#include <limits.h> 52#include <netdb.h> 53#include <stdio.h> 54#include <stdlib.h> --- 12 unchanged lines hidden (view full) --- 67int pfctl_disable(int, int); 68int pfctl_clear_stats(int, int); 69int pfctl_clear_interface_flags(int, int); 70int pfctl_clear_rules(int, int, char ); 71int pfctl_clear_nat(int, int, char ); 72int pfctl_clear_altq(int, int); 73int pfctl_clear_src_nodes(int, int); 74int pfctl_clear_states(int, const char *, int);	48 49#include <err.h> 50#include <errno.h> 51#include <fcntl.h> 52#include <limits.h> 53#include <netdb.h> 54#include <stdio.h> 55#include <stdlib.h> --- 12 unchanged lines hidden (view full) --- 68int pfctl_disable(int, int); 69int pfctl_clear_stats(int, int); 70int pfctl_clear_interface_flags(int, int); 71int pfctl_clear_rules(int, int, char ); 72int pfctl_clear_nat(int, int, char ); 73int pfctl_clear_altq(int, int); 74int pfctl_clear_src_nodes(int, int); 75int pfctl_clear_states(int, const char *, int);
	76void pfctl_addrprefix(char , struct pf_addr ); 77int pfctl_kill_src_nodes(int, const char *, int);
75int pfctl_kill_states(int, const char , int); 76void pfctl_init_options(struct pfctl ); 77int pfctl_load_options(struct pfctl ); 78int pfctl_load_limit(struct pfctl , unsigned int, unsigned int); 79int pfctl_load_timeout(struct pfctl , unsigned int, unsigned int); 80int pfctl_load_debug(struct pfctl , unsigned int); 81int pfctl_load_logif(struct pfctl , char ); 82int pfctl_load_hostid(struct pfctl , unsigned int); 83int pfctl_get_pool(int, struct pf_pool , u_int32_t, u_int32_t, int, 84 char ); 85void pfctl_print_rule_counters(struct pf_rule , int);	78int pfctl_kill_states(int, const char , int); 79void pfctl_init_options(struct pfctl ); 80int pfctl_load_options(struct pfctl ); 81int pfctl_load_limit(struct pfctl , unsigned int, unsigned int); 82int pfctl_load_timeout(struct pfctl , unsigned int, unsigned int); 83int pfctl_load_debug(struct pfctl , unsigned int); 84int pfctl_load_logif(struct pfctl , char ); 85int pfctl_load_hostid(struct pfctl , unsigned int); 86int pfctl_get_pool(int, struct pf_pool , u_int32_t, u_int32_t, int, 87 char ); 88void pfctl_print_rule_counters(struct pf_rule , int);
86int pfctl_show_rules(int, int, int, char *);	89int pfctl_show_rules(int, char , int, enum pfctl_show, char , int);
87int pfctl_show_nat(int, int, char ); 88int pfctl_show_src_nodes(int, int); 89int pfctl_show_states(int, const char , int); 90int pfctl_show_status(int, int); 91int pfctl_show_timeouts(int, int); 92int pfctl_show_limits(int, int); 93void pfctl_debug(int, u_int32_t, int);	90int pfctl_show_nat(int, int, char ); 91int pfctl_show_src_nodes(int, int); 92int pfctl_show_states(int, const char , int); 93int pfctl_show_status(int, int); 94int pfctl_show_timeouts(int, int); 95int pfctl_show_limits(int, int); 96void pfctl_debug(int, u_int32_t, int);
94int pfctl_clear_rule_counters(int, int);
95int pfctl_test_altqsupport(int, int); 96int pfctl_show_anchors(int, int, char *);	97int pfctl_test_altqsupport(int, int); 98int pfctl_show_anchors(int, int, char *);
	99int pfctl_ruleset_trans(struct pfctl , char , struct pf_anchor ); 100int pfctl_load_ruleset(struct pfctl , char , 101* struct pf_ruleset , int, int); 102int pfctl_load_rule(struct pfctl , char , struct pf_rule , int);
97const char pfctl_lookup_option(char , const char **); 98	103const char pfctl_lookup_option(char , const char *); 104*
	105struct pf_anchor_global pf_anchors; 106struct pf_anchor pf_main_anchor; 107
99const char clearopt; 100char rulesopt; 101const char showopt; 102const char debugopt; 103char *anchoropt;	108const char clearopt; 109char rulesopt; 110const char showopt; 111const char debugopt; 112char *anchoropt;
	113const char *optiopt = NULL;
104char pf_device = "/dev/pf"; 105char ifaceopt; 106char tableopt; 107const char tblcmdopt;	114char pf_device = "/dev/pf"; 115char ifaceopt; 116char tableopt; 117const char tblcmdopt;
	118int src_node_killers; 119char *src_node_kill[2];
108int state_killers; 109char state_kill[2]; 110int loadopt; 111int altqsupport; 112* 113int dev = -1; 114int first_title = 1; 115int labels = 0; 116 117const char infile; 118*	120int state_killers; 121char state_kill[2]; 122int loadopt; 123int altqsupport; 124* 125int dev = -1; 126int first_title = 1; 127int labels = 0; 128 129const char infile; 130*
	131#define INDENT(d, o) do { \ 132 if (o) { \ 133 int i; \ 134 for (i=0; i < d; i++) \ 135 printf(" "); \ 136 } \ 137 } while (0); \ 138 139
119static const struct { 120 const char name; 121* int index; 122} pf_limits[] = {	140static const struct { 141 const char name; 142* int index; 143} pf_limits[] = {
123 { "states", PF_LIMIT_STATES }, 124 { "src-nodes", PF_LIMIT_SRC_NODES }, 125 { "frags", PF_LIMIT_FRAGS }, 126 { NULL, 0 }	144 { "states", PF_LIMIT_STATES }, 145 { "src-nodes", PF_LIMIT_SRC_NODES }, 146 { "frags", PF_LIMIT_FRAGS }, 147 { "tables", PF_LIMIT_TABLES }, 148 { "table-entries", PF_LIMIT_TABLE_ENTRIES }, 149 { NULL, 0 }
127}; 128 129struct pf_hint { 130 const char name; 131* int timeout; 132}; 133static const struct pf_hint pf_hint_normal[] = { 134 { "tcp.first", 2 * 60 }, --- 56 unchanged lines hidden (view full) --- 191static const char showopt_list[] = { 192* "nat", "queue", "rules", "Anchors", "Sources", "state", "info", 193 "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp", 194 "all", NULL 195}; 196 197static const char tblcmdopt_list[] = { 198* "kill", "flush", "add", "delete", "load", "replace", "show",	150}; 151 152struct pf_hint { 153 const char name; 154* int timeout; 155}; 156static const struct pf_hint pf_hint_normal[] = { 157 { "tcp.first", 2 * 60 }, --- 56 unchanged lines hidden (view full) --- 214static const char showopt_list[] = { 215* "nat", "queue", "rules", "Anchors", "Sources", "state", "info", 216 "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp", 217 "all", NULL 218}; 219 220static const char tblcmdopt_list[] = { 221* "kill", "flush", "add", "delete", "load", "replace", "show",
199 "test", "zero", NULL	222 "test", "zero", "expire", NULL
200}; 201 202static const char debugopt_list[] = { 203* "none", "urgent", "misc", "loud", NULL 204}; 205	223}; 224 225static const char debugopt_list[] = { 226* "none", "urgent", "misc", "loud", NULL 227}; 228
	229static const char optiopt_list[] = { 230* "o", "none", "basic", "profile", NULL 231};
206 207void 208usage(void) 209{ 210 extern char __progname; 211*	232 233void 234usage(void) 235{ 236 extern char __progname; 237*
212 fprintf(stderr, "usage: %s [-AdeghmNnOoqRrvz] ", __progname);	238 fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
213 fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");	239 fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
214 fprintf(stderr, " "); 215 fprintf(stderr, "[-f file] [-i interface] [-k host] "); 216 fprintf(stderr, "[-p device] [-s modifier]\n"); 217 fprintf(stderr, " "); 218 fprintf(stderr, "[-t table -T command [address ...]] "); 219 fprintf(stderr, "[-x level]\n");	240 fprintf(stderr, "\t[-f file] [-i interface] [-K host \| network] "); 241 fprintf(stderr, "[-k host \| network ]\n"); 242 fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n"); 243 fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
220 exit(1); 221} 222 223int 224pfctl_enable(int dev, int opts) 225{ 226 if (ioctl(dev, DIOCSTART)) { 227 if (errno == EEXIST) --- 46 unchanged lines hidden (view full) --- 274 275int 276pfctl_clear_interface_flags(int dev, int opts) 277{ 278 struct pfioc_iface pi; 279 280 if ((opts & PF_OPT_NOACTION) == 0) { 281 bzero(&pi, sizeof(pi));	244 exit(1); 245} 246 247int 248pfctl_enable(int dev, int opts) 249{ 250 if (ioctl(dev, DIOCSTART)) { 251 if (errno == EEXIST) --- 46 unchanged lines hidden (view full) --- 298 299int 300pfctl_clear_interface_flags(int dev, int opts) 301{ 302 struct pfioc_iface pi; 303 304 if ((opts & PF_OPT_NOACTION) == 0) { 305 bzero(&pi, sizeof(pi));
282 pi.pfiio_flags = PFI_IFLAG_SETABLE_MASK;	306 pi.pfiio_flags = PFI_IFLAG_SKIP;
283 284 if (ioctl(dev, DIOCCLRIFFLAG, &pi)) 285 err(1, "DIOCCLRIFFLAG"); 286 if ((opts & PF_OPT_QUIET) == 0) 287 fprintf(stderr, "pf: interface flags reset\n"); 288 } 289 return (0); 290} --- 73 unchanged lines hidden (view full) --- 364 365 if (ioctl(dev, DIOCCLRSTATES, &psk)) 366 err(1, "DIOCCLRSTATES"); 367 if ((opts & PF_OPT_QUIET) == 0) 368 fprintf(stderr, "%d states cleared\n", psk.psk_af); 369 return (0); 370} 371	307 308 if (ioctl(dev, DIOCCLRIFFLAG, &pi)) 309 err(1, "DIOCCLRIFFLAG"); 310 if ((opts & PF_OPT_QUIET) == 0) 311 fprintf(stderr, "pf: interface flags reset\n"); 312 } 313 return (0); 314} --- 73 unchanged lines hidden (view full) --- 388 389 if (ioctl(dev, DIOCCLRSTATES, &psk)) 390 err(1, "DIOCCLRSTATES"); 391 if ((opts & PF_OPT_QUIET) == 0) 392 fprintf(stderr, "%d states cleared\n", psk.psk_af); 393 return (0); 394} 395
	396void 397pfctl_addrprefix(char addr, struct pf_addr mask) 398{ 399 char p; 400* const char errstr; 401* int prefix, ret_ga, q, r; 402 struct addrinfo hints, res; 403* 404 if ((p = strchr(addr, '/')) == NULL) 405 return; 406 407 p++ = '\0'; 408* prefix = strtonum(p, 0, 128, &errstr); 409 if (errstr) 410 errx(1, "prefix is %s: %s", errstr, p); 411 412 bzero(&hints, sizeof(hints)); 413 /* prefix only with numeric addresses / 414* hints.ai_flags \|= AI_NUMERICHOST; 415 416 if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) { 417 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); 418 /* NOTREACHED / 419* } 420 421 if (res->ai_family == AF_INET && prefix > 32) 422 errx(1, "prefix too long for AF_INET"); 423 else if (res->ai_family == AF_INET6 && prefix > 128) 424 errx(1, "prefix too long for AF_INET6"); 425 426 q = prefix >> 3; 427 r = prefix & 7; 428 switch (res->ai_family) { 429 case AF_INET: 430 bzero(&mask->v4, sizeof(mask->v4)); 431 mask->v4.s_addr = htonl((u_int32_t) 432 (0xffffffffffULL << (32 - prefix))); 433 break; 434 case AF_INET6: 435 bzero(&mask->v6, sizeof(mask->v6)); 436 if (q > 0) 437 memset((void )&mask->v6, 0xff, q); 438* if (r > 0) 439 ((u_char )&mask->v6 + q) = 440 (0xff00 >> r) & 0xff; 441 break; 442 } 443 freeaddrinfo(res); 444} 445
372int	446int
	447pfctl_kill_src_nodes(int dev, const char iface, int opts) 448{ 449* struct pfioc_src_node_kill psnk; 450 struct addrinfo res[2], resp[2]; 451 struct sockaddr last_src, last_dst; 452 int killed, sources, dests; 453 int ret_ga; 454 455 killed = sources = dests = 0; 456 457 memset(&psnk, 0, sizeof(psnk)); 458 memset(&psnk.psnk_src.addr.v.a.mask, 0xff, 459 sizeof(psnk.psnk_src.addr.v.a.mask)); 460 memset(&last_src, 0xff, sizeof(last_src)); 461 memset(&last_dst, 0xff, sizeof(last_dst)); 462 463 pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask); 464 465 if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) { 466 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); 467 /* NOTREACHED / 468* } 469 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) { 470 if (resp[0]->ai_addr == NULL) 471 continue; 472 /* We get lots of duplicates. Catch the easy ones / 473* if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0) 474 continue; 475 last_src = (struct sockaddr )resp[0]->ai_addr; 476 477 psnk.psnk_af = resp[0]->ai_family; 478 sources++; 479 480 if (psnk.psnk_af == AF_INET) 481 psnk.psnk_src.addr.v.a.addr.v4 = 482 ((struct sockaddr_in )resp[0]->ai_addr)->sin_addr; 483* else if (psnk.psnk_af == AF_INET6) 484 psnk.psnk_src.addr.v.a.addr.v6 = 485 ((struct sockaddr_in6 )resp[0]->ai_addr)-> 486* sin6_addr; 487 else 488 errx(1, "Unknown address family %d", psnk.psnk_af); 489 490 if (src_node_killers > 1) { 491 dests = 0; 492 memset(&psnk.psnk_dst.addr.v.a.mask, 0xff, 493 sizeof(psnk.psnk_dst.addr.v.a.mask)); 494 memset(&last_dst, 0xff, sizeof(last_dst)); 495 pfctl_addrprefix(src_node_kill[1], 496 &psnk.psnk_dst.addr.v.a.mask); 497 if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL, 498 &res[1]))) { 499 errx(1, "getaddrinfo: %s", 500 gai_strerror(ret_ga)); 501 /* NOTREACHED / 502* } 503 for (resp[1] = res[1]; resp[1]; 504 resp[1] = resp[1]->ai_next) { 505 if (resp[1]->ai_addr == NULL) 506 continue; 507 if (psnk.psnk_af != resp[1]->ai_family) 508 continue; 509 510 if (memcmp(&last_dst, resp[1]->ai_addr, 511 sizeof(last_dst)) == 0) 512 continue; 513 last_dst = (struct sockaddr )resp[1]->ai_addr; 514 515 dests++; 516 517 if (psnk.psnk_af == AF_INET) 518 psnk.psnk_dst.addr.v.a.addr.v4 = 519 ((struct sockaddr_in )resp[1]-> 520* ai_addr)->sin_addr; 521 else if (psnk.psnk_af == AF_INET6) 522 psnk.psnk_dst.addr.v.a.addr.v6 = 523 ((struct sockaddr_in6 )resp[1]-> 524* ai_addr)->sin6_addr; 525 else 526 errx(1, "Unknown address family %d", 527 psnk.psnk_af); 528 529 if (ioctl(dev, DIOCKILLSRCNODES, &psnk)) 530 err(1, "DIOCKILLSRCNODES"); 531 killed += psnk.psnk_af; 532 /* fixup psnk.psnk_af / 533* psnk.psnk_af = resp[1]->ai_family; 534 } 535 freeaddrinfo(res[1]); 536 } else { 537 if (ioctl(dev, DIOCKILLSRCNODES, &psnk)) 538 err(1, "DIOCKILLSRCNODES"); 539 killed += psnk.psnk_af; 540 /* fixup psnk.psnk_af / 541* psnk.psnk_af = res[0]->ai_family; 542 } 543 } 544 545 freeaddrinfo(res[0]); 546 547 if ((opts & PF_OPT_QUIET) == 0) 548 fprintf(stderr, "killed %d src nodes from %d sources and %d " 549 "destinations\n", killed, sources, dests); 550 return (0); 551} 552 553int
373pfctl_kill_states(int dev, const char iface, int opts) 374{ 375* struct pfioc_state_kill psk; 376 struct addrinfo res[2], resp[2]; 377 struct sockaddr last_src, last_dst; 378 int killed, sources, dests; 379 int ret_ga; 380 381 killed = sources = dests = 0; 382 383 memset(&psk, 0, sizeof(psk)); 384 memset(&psk.psk_src.addr.v.a.mask, 0xff, 385 sizeof(psk.psk_src.addr.v.a.mask)); 386 memset(&last_src, 0xff, sizeof(last_src)); 387 memset(&last_dst, 0xff, sizeof(last_dst)); 388 if (iface != NULL && strlcpy(psk.psk_ifname, iface, 389 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname)) 390 errx(1, "invalid interface: %s", iface); 391	554pfctl_kill_states(int dev, const char iface, int opts) 555{ 556* struct pfioc_state_kill psk; 557 struct addrinfo res[2], resp[2]; 558 struct sockaddr last_src, last_dst; 559 int killed, sources, dests; 560 int ret_ga; 561 562 killed = sources = dests = 0; 563 564 memset(&psk, 0, sizeof(psk)); 565 memset(&psk.psk_src.addr.v.a.mask, 0xff, 566 sizeof(psk.psk_src.addr.v.a.mask)); 567 memset(&last_src, 0xff, sizeof(last_src)); 568 memset(&last_dst, 0xff, sizeof(last_dst)); 569 if (iface != NULL && strlcpy(psk.psk_ifname, iface, 570 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname)) 571 errx(1, "invalid interface: %s", iface); 572
	573 pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask); 574
392 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) { 393 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); 394 /* NOTREACHED / 395* } 396 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) { 397 if (resp[0]->ai_addr == NULL) 398 continue; 399 /* We get lots of duplicates. Catch the easy ones / --- 14 unchanged lines hidden* (view full) --- 414 else 415 errx(1, "Unknown address family %d", psk.psk_af); 416 417 if (state_killers > 1) { 418 dests = 0; 419 memset(&psk.psk_dst.addr.v.a.mask, 0xff, 420 sizeof(psk.psk_dst.addr.v.a.mask)); 421 memset(&last_dst, 0xff, sizeof(last_dst));	575 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) { 576 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); 577 /* NOTREACHED / 578* } 579 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) { 580 if (resp[0]->ai_addr == NULL) 581 continue; 582 /* We get lots of duplicates. Catch the easy ones / --- 14 unchanged lines hidden* (view full) --- 597 else 598 errx(1, "Unknown address family %d", psk.psk_af); 599 600 if (state_killers > 1) { 601 dests = 0; 602 memset(&psk.psk_dst.addr.v.a.mask, 0xff, 603 sizeof(psk.psk_dst.addr.v.a.mask)); 604 memset(&last_dst, 0xff, sizeof(last_dst));
	605 pfctl_addrprefix(state_kill[1], 606 &psk.psk_dst.addr.v.a.mask);
422 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL, 423 &res[1]))) { 424 errx(1, "getaddrinfo: %s", 425 gai_strerror(ret_ga)); 426 /* NOTREACHED / 427* } 428 for (resp[1] = res[1]; resp[1]; 429 resp[1] = resp[1]->ai_next) { --- 76 unchanged lines hidden (view full) --- 506 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr)); 507 TAILQ_INSERT_TAIL(&pool->list, pa, entries); 508 } 509 510 return (0); 511} 512 513void	607 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL, 608 &res[1]))) { 609 errx(1, "getaddrinfo: %s", 610 gai_strerror(ret_ga)); 611 /* NOTREACHED / 612* } 613 for (resp[1] = res[1]; resp[1]; 614 resp[1] = resp[1]->ai_next) { --- 76 unchanged lines hidden (view full) --- 691 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr)); 692 TAILQ_INSERT_TAIL(&pool->list, pa, entries); 693 } 694 695 return (0); 696} 697 698void
	699pfctl_move_pool(struct pf_pool src, struct pf_pool dst) 700{ 701 struct pf_pooladdr pa; 702* 703 while ((pa = TAILQ_FIRST(&src->list)) != NULL) { 704 TAILQ_REMOVE(&src->list, pa, entries); 705 TAILQ_INSERT_TAIL(&dst->list, pa, entries); 706 } 707} 708 709void
514pfctl_clear_pool(struct pf_pool pool) 515{ 516* struct pf_pooladdr pa; 517* 518 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) { 519 TAILQ_REMOVE(&pool->list, pa, entries); 520 free(pa); 521 } --- 17 unchanged lines hidden (view full) --- 539 else 540 printf("%u ", rule->skip[i].nr); 541 } 542 printf("]\n"); 543 544 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n", 545 rule->qname, rule->qid, rule->pqname, rule->pqid); 546 }	710pfctl_clear_pool(struct pf_pool pool) 711{ 712* struct pf_pooladdr pa; 713* 714 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) { 715 TAILQ_REMOVE(&pool->list, pa, entries); 716 free(pa); 717 } --- 17 unchanged lines hidden (view full) --- 735 else 736 printf("%u ", rule->skip[i].nr); 737 } 738 printf("]\n"); 739 740 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n", 741 rule->qname, rule->qid, rule->pqname, rule->pqid); 742 }
547 if (opts & PF_OPT_VERBOSE)	743 if (opts & PF_OPT_VERBOSE) {
548 printf(" [ Evaluations: %-8llu Packets: %-8llu " 549 "Bytes: %-10llu States: %-6u]\n", 550 (unsigned long long)rule->evaluations,	744 printf(" [ Evaluations: %-8llu Packets: %-8llu " 745 "Bytes: %-10llu States: %-6u]\n", 746 (unsigned long long)rule->evaluations,
551 (unsigned long long)rule->packets, 552 (unsigned long long)rule->bytes, rule->states);	747 (unsigned long long)(rule->packets[0] + 748 rule->packets[1]), 749 (unsigned long long)(rule->bytes[0] + 750 rule->bytes[1]), rule->states); 751 if (!(opts & PF_OPT_DEBUG)) 752 printf(" [ Inserted: uid %u pid %u ]\n", 753 (unsigned)rule->cuid, (unsigned)rule->cpid); 754 }
553} 554 555void 556pfctl_print_title(char title) 557{ 558* if (!first_title) 559 printf("\n"); 560 first_title = 0; 561 printf("%s\n", title); 562} 563 564int	755} 756 757void 758pfctl_print_title(char title) 759{ 760* if (!first_title) 761 printf("\n"); 762 first_title = 0; 763 printf("%s\n", title); 764} 765 766int
565pfctl_show_rules(int dev, int opts, int format, char *anchorname)	767pfctl_show_rules(int dev, char path, int opts, enum pfctl_show format, 768* char *anchorname, int depth)
566{ 567 struct pfioc_rule pr; 568 u_int32_t nr, mnr, header = 0; 569 int rule_numbers = opts & (PF_OPT_VERBOSE2 \| PF_OPT_DEBUG);	769{ 770 struct pfioc_rule pr; 771 u_int32_t nr, mnr, header = 0; 772 int rule_numbers = opts & (PF_OPT_VERBOSE2 \| PF_OPT_DEBUG);
	773 int len = strlen(path); 774 int brace; 775 char *p;
570	776
	777 if (path[0]) 778 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); 779 else 780 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); 781
571 memset(&pr, 0, sizeof(pr));	782 memset(&pr, 0, sizeof(pr));
572 memcpy(pr.anchor, anchorname, sizeof(pr.anchor));	783 memcpy(pr.anchor, path, sizeof(pr.anchor));
573 if (opts & PF_OPT_SHOWALL) { 574 pr.rule.action = PF_PASS; 575 if (ioctl(dev, DIOCGETRULES, &pr)) { 576 warn("DIOCGETRULES");	784 if (opts & PF_OPT_SHOWALL) { 785 pr.rule.action = PF_PASS; 786 if (ioctl(dev, DIOCGETRULES, &pr)) { 787 warn("DIOCGETRULES");
577 return (-1);	788 goto error;
578 } 579 header++; 580 } 581 pr.rule.action = PF_SCRUB; 582 if (ioctl(dev, DIOCGETRULES, &pr)) { 583 warn("DIOCGETRULES");	789 } 790 header++; 791 } 792 pr.rule.action = PF_SCRUB; 793 if (ioctl(dev, DIOCGETRULES, &pr)) { 794 warn("DIOCGETRULES");
584 return (-1);	795 goto error;
585 } 586 if (opts & PF_OPT_SHOWALL) {	796 } 797 if (opts & PF_OPT_SHOWALL) {
587 if (format == 0 && (pr.nr > 0 \|\| header))	798 if (format == PFCTL_SHOW_RULES && (pr.nr > 0 \|\| header))
588 pfctl_print_title("FILTER RULES:");	799 pfctl_print_title("FILTER RULES:");
589 else if (format == 1 && labels)	800 else if (format == PFCTL_SHOW_LABELS && labels)
590 pfctl_print_title("LABEL COUNTERS:"); 591 } 592 mnr = pr.nr;	801 pfctl_print_title("LABEL COUNTERS:"); 802 } 803 mnr = pr.nr;
	804 if (opts & PF_OPT_CLRRULECTRS) 805 pr.action = PF_GET_CLR_CNTR; 806
593 for (nr = 0; nr < mnr; ++nr) { 594 pr.nr = nr; 595 if (ioctl(dev, DIOCGETRULE, &pr)) { 596 warn("DIOCGETRULE");	807 for (nr = 0; nr < mnr; ++nr) { 808 pr.nr = nr; 809 if (ioctl(dev, DIOCGETRULE, &pr)) { 810 warn("DIOCGETRULE");
597 return (-1);	811 goto error;
598 } 599 600 if (pfctl_get_pool(dev, &pr.rule.rpool,	812 } 813 814 if (pfctl_get_pool(dev, &pr.rule.rpool,
601 nr, pr.ticket, PF_SCRUB, anchorname) != 0) 602 return (-1);	815 nr, pr.ticket, PF_SCRUB, path) != 0) 816 goto error;
603 604 switch (format) {	817 818 switch (format) {
605 case 1:	819 case PFCTL_SHOW_LABELS:
606 if (pr.rule.label[0]) { 607 printf("%s ", pr.rule.label);	820 if (pr.rule.label[0]) { 821 printf("%s ", pr.rule.label);
608 printf("%llu %llu %llu\n",	822 printf("%llu %llu %llu %llu %llu %llu %llu\n",
609 (unsigned long long)pr.rule.evaluations,	823 (unsigned long long)pr.rule.evaluations,
610 (unsigned long long)pr.rule.packets, 611 (unsigned long long)pr.rule.bytes);	824 (unsigned long long)(pr.rule.packets[0] + 825 pr.rule.packets[1]), 826 (unsigned long long)(pr.rule.bytes[0] + 827 pr.rule.bytes[1]), 828 (unsigned long long)pr.rule.packets[0], 829 (unsigned long long)pr.rule.bytes[0], 830 (unsigned long long)pr.rule.packets[1], 831 (unsigned long long)pr.rule.bytes[1]);
612 } 613 break;	832 } 833 break;
614 default:	834 case PFCTL_SHOW_RULES:
615 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL)) 616 labels = 1; 617 print_rule(&pr.rule, pr.anchor_call, rule_numbers);	835 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL)) 836 labels = 1; 837 print_rule(&pr.rule, pr.anchor_call, rule_numbers);
	838 printf("\n");
618 pfctl_print_rule_counters(&pr.rule, opts);	839 pfctl_print_rule_counters(&pr.rule, opts);
	840 break; 841 case PFCTL_SHOW_NOTHING: 842 break;
619 } 620 pfctl_clear_pool(&pr.rule.rpool); 621 } 622 pr.rule.action = PF_PASS; 623 if (ioctl(dev, DIOCGETRULES, &pr)) { 624 warn("DIOCGETRULES");	843 } 844 pfctl_clear_pool(&pr.rule.rpool); 845 } 846 pr.rule.action = PF_PASS; 847 if (ioctl(dev, DIOCGETRULES, &pr)) { 848 warn("DIOCGETRULES");
625 return (-1);	849 goto error;
626 } 627 mnr = pr.nr; 628 for (nr = 0; nr < mnr; ++nr) { 629 pr.nr = nr; 630 if (ioctl(dev, DIOCGETRULE, &pr)) { 631 warn("DIOCGETRULE");	850 } 851 mnr = pr.nr; 852 for (nr = 0; nr < mnr; ++nr) { 853 pr.nr = nr; 854 if (ioctl(dev, DIOCGETRULE, &pr)) { 855 warn("DIOCGETRULE");
632 return (-1);	856 goto error;
633 } 634 635 if (pfctl_get_pool(dev, &pr.rule.rpool,	857 } 858 859 if (pfctl_get_pool(dev, &pr.rule.rpool,
636 nr, pr.ticket, PF_PASS, anchorname) != 0) 637 return (-1);	860 nr, pr.ticket, PF_PASS, path) != 0) 861 goto error;
638 639 switch (format) {	862 863 switch (format) {
640 case 1:	864 case PFCTL_SHOW_LABELS:
641 if (pr.rule.label[0]) { 642 printf("%s ", pr.rule.label);	865 if (pr.rule.label[0]) { 866 printf("%s ", pr.rule.label);
643 printf("%llu %llu %llu\n",	867 printf("%llu %llu %llu %llu %llu %llu %llu\n",
644 (unsigned long long)pr.rule.evaluations,	868 (unsigned long long)pr.rule.evaluations,
645 (unsigned long long)pr.rule.packets, 646 (unsigned long long)pr.rule.bytes);	869 (unsigned long long)(pr.rule.packets[0] + 870 pr.rule.packets[1]), 871 (unsigned long long)(pr.rule.bytes[0] + 872 pr.rule.bytes[1]), 873 (unsigned long long)pr.rule.packets[0], 874 (unsigned long long)pr.rule.bytes[0], 875 (unsigned long long)pr.rule.packets[1], 876 (unsigned long long)pr.rule.bytes[1]);
647 } 648 break;	877 } 878 break;
649 default:	879 case PFCTL_SHOW_RULES: 880 brace = 0;
650 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL)) 651 labels = 1;	881 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL)) 882 labels = 1;
652 print_rule(&pr.rule, pr.anchor_call, rule_numbers);	883 INDENT(depth, !(opts & PF_OPT_VERBOSE)); 884 if (pr.anchor_call[0] && 885 ((((p = strrchr(pr.anchor_call, '_')) != NULL) && 886 ((void )p == (void )pr.anchor_call \|\| 887 (--p) == '/')) \|\| (opts & PF_OPT_RECURSE))) { 888* brace++; 889 if ((p = strrchr(pr.anchor_call, '/')) != 890 NULL) 891 p++; 892 else 893 p = &pr.anchor_call[0]; 894 } else 895 p = &pr.anchor_call[0]; 896 897 print_rule(&pr.rule, p, rule_numbers); 898 if (brace) 899 printf(" {\n"); 900 else 901 printf("\n");
653 pfctl_print_rule_counters(&pr.rule, opts);	902 pfctl_print_rule_counters(&pr.rule, opts);
	903 if (brace) { 904 pfctl_show_rules(dev, path, opts, format, 905 p, depth + 1); 906 INDENT(depth, !(opts & PF_OPT_VERBOSE)); 907 printf("}\n"); 908 } 909 break; 910 case PFCTL_SHOW_NOTHING: 911 break;
654 } 655 pfctl_clear_pool(&pr.rule.rpool); 656 }	912 } 913 pfctl_clear_pool(&pr.rule.rpool); 914 }
	915 path[len] = '\0';
657 return (0);	916 return (0);
	917 918 error: 919 path[len] = '\0'; 920 return (-1);
658} 659 660int 661pfctl_show_nat(int dev, int opts, char anchorname) 662{ 663* struct pfioc_rule pr; 664 u_int32_t mnr, nr; 665 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT }; --- 18 unchanged lines hidden (view full) --- 684 pr.ticket, nattype[i], anchorname) != 0) 685 return (-1); 686 if (dotitle) { 687 pfctl_print_title("TRANSLATION RULES:"); 688 dotitle = 0; 689 } 690 print_rule(&pr.rule, pr.anchor_call, 691 opts & PF_OPT_VERBOSE2);	921} 922 923int 924pfctl_show_nat(int dev, int opts, char anchorname) 925{ 926* struct pfioc_rule pr; 927 u_int32_t mnr, nr; 928 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT }; --- 18 unchanged lines hidden (view full) --- 947 pr.ticket, nattype[i], anchorname) != 0) 948 return (-1); 949 if (dotitle) { 950 pfctl_print_title("TRANSLATION RULES:"); 951 dotitle = 0; 952 } 953 print_rule(&pr.rule, pr.anchor_call, 954 opts & PF_OPT_VERBOSE2);
	955 printf("\n");
692 pfctl_print_rule_counters(&pr.rule, opts); 693 pfctl_clear_pool(&pr.rule.rpool); 694 } 695 } 696 return (0); 697} 698 699int --- 11 unchanged lines hidden (view full) --- 711 if (len) { 712 newinbuf = realloc(inbuf, len); 713 if (newinbuf == NULL) 714 err(1, "realloc"); 715 psn.psn_buf = inbuf = newinbuf; 716 } 717 if (ioctl(dev, DIOCGETSRCNODES, &psn) < 0) { 718 warn("DIOCGETSRCNODES");	956 pfctl_print_rule_counters(&pr.rule, opts); 957 pfctl_clear_pool(&pr.rule.rpool); 958 } 959 } 960 return (0); 961} 962 963int --- 11 unchanged lines hidden (view full) --- 975 if (len) { 976 newinbuf = realloc(inbuf, len); 977 if (newinbuf == NULL) 978 err(1, "realloc"); 979 psn.psn_buf = inbuf = newinbuf; 980 } 981 if (ioctl(dev, DIOCGETSRCNODES, &psn) < 0) { 982 warn("DIOCGETSRCNODES");
	983 free(inbuf);
719 return (-1); 720 } 721 if (psn.psn_len + sizeof(struct pfioc_src_nodes) < len) 722 break; 723 if (len == 0 && psn.psn_len == 0)	984 return (-1); 985 } 986 if (psn.psn_len + sizeof(struct pfioc_src_nodes) < len) 987 break; 988 if (len == 0 && psn.psn_len == 0)
724 return (0);	989 goto done;
725 if (len == 0 && psn.psn_len != 0) 726 len = psn.psn_len; 727 if (psn.psn_len == 0)	990 if (len == 0 && psn.psn_len != 0) 991 len = psn.psn_len; 992 if (psn.psn_len == 0)
728 return (0); /* no src_nodes */	993 goto done; /* no src_nodes */
729 len = 2; 730* } 731 p = psn.psn_src_nodes; 732 if (psn.psn_len > 0 && (opts & PF_OPT_SHOWALL)) 733 pfctl_print_title("SOURCE TRACKING NODES:"); 734 for (i = 0; i < psn.psn_len; i += sizeof(p)) { 735* print_src_node(p, opts); 736 p++; 737 }	994 len = 2; 995* } 996 p = psn.psn_src_nodes; 997 if (psn.psn_len > 0 && (opts & PF_OPT_SHOWALL)) 998 pfctl_print_title("SOURCE TRACKING NODES:"); 999 for (i = 0; i < psn.psn_len; i += sizeof(p)) { 1000* print_src_node(p, opts); 1001 p++; 1002 }
	1003done: 1004 free(inbuf);
738 return (0); 739} 740 741int 742pfctl_show_states(int dev, const char iface, int opts) 743{ 744* struct pfioc_states ps; 745 struct pf_state p; --- 7 unchanged lines hidden* (view full) --- 753 if (len) { 754 newinbuf = realloc(inbuf, len); 755 if (newinbuf == NULL) 756 err(1, "realloc"); 757 ps.ps_buf = inbuf = newinbuf; 758 } 759 if (ioctl(dev, DIOCGETSTATES, &ps) < 0) { 760 warn("DIOCGETSTATES");	1005 return (0); 1006} 1007 1008int 1009pfctl_show_states(int dev, const char iface, int opts) 1010{ 1011* struct pfioc_states ps; 1012 struct pf_state p; --- 7 unchanged lines hidden* (view full) --- 1020 if (len) { 1021 newinbuf = realloc(inbuf, len); 1022 if (newinbuf == NULL) 1023 err(1, "realloc"); 1024 ps.ps_buf = inbuf = newinbuf; 1025 } 1026 if (ioctl(dev, DIOCGETSTATES, &ps) < 0) { 1027 warn("DIOCGETSTATES");
	1028 free(inbuf);
761 return (-1); 762 } 763 if (ps.ps_len + sizeof(struct pfioc_states) < len) 764 break; 765 if (len == 0 && ps.ps_len == 0)	1029 return (-1); 1030 } 1031 if (ps.ps_len + sizeof(struct pfioc_states) < len) 1032 break; 1033 if (len == 0 && ps.ps_len == 0)
766 return (0);	1034 goto done;
767 if (len == 0 && ps.ps_len != 0) 768 len = ps.ps_len; 769 if (ps.ps_len == 0)	1035 if (len == 0 && ps.ps_len != 0) 1036 len = ps.ps_len; 1037 if (ps.ps_len == 0)
770 return (0); /* no states */	1038 goto done; /* no states */
771 len = 2; 772* } 773 p = ps.ps_states; 774 for (i = 0; i < ps.ps_len; i += sizeof(p), p++) { 775* if (iface != NULL && strcmp(p->u.ifname, iface)) 776 continue; 777 if (dotitle) { 778 pfctl_print_title("STATES:"); 779 dotitle = 0; 780 } 781 print_state(p, opts); 782 }	1039 len = 2; 1040* } 1041 p = ps.ps_states; 1042 for (i = 0; i < ps.ps_len; i += sizeof(p), p++) { 1043* if (iface != NULL && strcmp(p->u.ifname, iface)) 1044 continue; 1045 if (dotitle) { 1046 pfctl_print_title("STATES:"); 1047 dotitle = 0; 1048 } 1049 print_state(p, opts); 1050 }
	1051done: 1052 free(inbuf);
783 return (0); 784} 785 786int 787pfctl_show_status(int dev, int opts) 788{ 789 struct pf_status status; 790 --- 40 unchanged lines hidden (view full) --- 831 832 if (opts & PF_OPT_SHOWALL) 833 pfctl_print_title("LIMITS:"); 834 memset(&pl, 0, sizeof(pl)); 835 for (i = 0; pf_limits[i].name; i++) { 836 pl.index = pf_limits[i].index; 837 if (ioctl(dev, DIOCGETLIMIT, &pl)) 838 err(1, "DIOCGETLIMIT");	1053 return (0); 1054} 1055 1056int 1057pfctl_show_status(int dev, int opts) 1058{ 1059 struct pf_status status; 1060 --- 40 unchanged lines hidden (view full) --- 1101 1102 if (opts & PF_OPT_SHOWALL) 1103 pfctl_print_title("LIMITS:"); 1104 memset(&pl, 0, sizeof(pl)); 1105 for (i = 0; pf_limits[i].name; i++) { 1106 pl.index = pf_limits[i].index; 1107 if (ioctl(dev, DIOCGETLIMIT, &pl)) 1108 err(1, "DIOCGETLIMIT");
839 printf("%-10s ", pf_limits[i].name);	1109 printf("%-13s ", pf_limits[i].name);
840 if (pl.limit == UINT_MAX) 841 printf("unlimited\n"); 842 else	1110 if (pl.limit == UINT_MAX) 1111 printf("unlimited\n"); 1112 else
843 printf("hard limit %6u\n", pl.limit);	1113 printf("hard limit %8u\n", pl.limit);
844 } 845 return (0); 846} 847 848/* callbacks for rule/nat/rdr/addr / 849int 850pfctl_add_pool(struct pfctl pf, struct pf_pool p, sa_family_t af) 851{ --- 14 unchanged lines hidden* (view full) --- 866 } 867 return (0); 868} 869 870int 871pfctl_add_rule(struct pfctl pf, struct pf_rule r, const char anchor_call) 872{ 873* u_int8_t rs_num;	1114 } 1115 return (0); 1116} 1117 1118/* callbacks for rule/nat/rdr/addr / 1119int 1120pfctl_add_pool(struct pfctl pf, struct pf_pool p, sa_family_t af) 1121{ --- 14 unchanged lines hidden* (view full) --- 1136 } 1137 return (0); 1138} 1139 1140int 1141pfctl_add_rule(struct pfctl pf, struct pf_rule r, const char anchor_call) 1142{ 1143* u_int8_t rs_num;
874 struct pfioc_rule pr;	1144 struct pf_rule rule; 1145* struct pf_ruleset rs; 1146* char *p;
875	1147
876 switch (r->action) { 877 case PF_SCRUB: 878 case PF_NOSCRUB: 879 if ((loadopt & PFCTL_FLAG_FILTER) == 0) 880 return (0); 881 rs_num = PF_RULESET_SCRUB; 882 break; 883 case PF_DROP: 884 case PF_PASS: 885 if ((loadopt & PFCTL_FLAG_FILTER) == 0) 886 return (0); 887 rs_num = PF_RULESET_FILTER; 888 break; 889 case PF_NAT: 890 case PF_NONAT: 891 if ((loadopt & PFCTL_FLAG_NAT) == 0) 892 return (0); 893 rs_num = PF_RULESET_NAT; 894 break; 895 case PF_RDR: 896 case PF_NORDR: 897 if ((loadopt & PFCTL_FLAG_NAT) == 0) 898 return (0); 899 rs_num = PF_RULESET_RDR; 900 break; 901 case PF_BINAT: 902 case PF_NOBINAT: 903 if ((loadopt & PFCTL_FLAG_NAT) == 0) 904 return (0); 905 rs_num = PF_RULESET_BINAT; 906 break; 907 default:	1148 rs_num = pf_get_ruleset_number(r->action); 1149 if (rs_num == PF_RULESET_MAX)
908 errx(1, "Invalid rule type %d", r->action);	1150 errx(1, "Invalid rule type %d", r->action);
909 break; 910 }
911	1151
	1152 rs = &pf->anchor->ruleset;
912	1153
913 if ((pf->opts & PF_OPT_OPTIMIZE) && rs_num == PF_RULESET_FILTER) { 914 /* 915 * We'll do an optimization post-pass before finally adding the 916 * rules. Then we'll disable the optimization flag and feed 917 * the rules right back into this function.	1154 if (anchor_call[0] && r->anchor == NULL) { 1155 /* 1156 * Don't make non-brace anchors part of the main anchor pool.
918 */	1157 */
919 struct pf_opt_rule pfr; 920* struct pf_pooladdr *pa;	1158 if ((r->anchor = calloc(1, sizeof(r->anchor))) == NULL) 1159* err(1, "pfctl_add_rule: calloc"); 1160 1161 pf_init_ruleset(&r->anchor->ruleset); 1162 r->anchor->ruleset.anchor = r->anchor; 1163 if (strlcpy(r->anchor->path, anchor_call, 1164 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path)) 1165 errx(1, "pfctl_add_rule: strlcpy"); 1166 if ((p = strrchr(anchor_call, '/')) != NULL) { 1167 if (!strlen(p)) 1168 err(1, "pfctl_add_rule: bad anchor name %s", 1169 anchor_call); 1170 } else 1171 p = (char )anchor_call; 1172* if (strlcpy(r->anchor->name, p, 1173 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name)) 1174 errx(1, "pfctl_add_rule: strlcpy"); 1175 }
921	1176
922 if ((pfr = calloc(1, sizeof(pfr))) == NULL) 923* err(1, "calloc"); 924 memcpy(&pfr->por_rule, r, sizeof(r)); 925* if (strlcpy(pfr->por_anchor, anchor_call, 926 sizeof(pfr->por_anchor)) >= sizeof(pfr->por_anchor)) 927 errx(1, "pfctl_add_rule: strlcpy"); 928 TAILQ_INSERT_TAIL(&pf->opt_queue, pfr, por_entry);	1177 if ((rule = calloc(1, sizeof(rule))) == NULL) 1178* err(1, "calloc"); 1179 bcopy(r, rule, sizeof(rule)); 1180* TAILQ_INIT(&rule->rpool.list); 1181 pfctl_move_pool(&r->rpool, &rule->rpool);
929	1182
930 if (TAILQ_FIRST(&r->rpool.list) != NULL) { 931 TAILQ_INIT(&pfr->por_rule.rpool.list); 932 while ((pa = TAILQ_FIRST(&r->rpool.list)) != NULL) { 933 TAILQ_REMOVE(&r->rpool.list, pa, entries); 934 TAILQ_INSERT_TAIL(&pfr->por_rule.rpool.list, pa, 935 entries);	1183 TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries); 1184 return (0); 1185} 1186 1187int 1188pfctl_ruleset_trans(struct pfctl pf, char path, struct pf_anchor a) 1189{ 1190* int osize = pf->trans->pfrb_size; 1191 1192 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) { 1193 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) \|\| 1194 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) \|\| 1195 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path)) 1196 return (1); 1197 } 1198 if (a == pf->astack[0] && ((altqsupport && 1199 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) { 1200 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path)) 1201 return (2); 1202 } 1203 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) { 1204 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) \|\| 1205 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path)) 1206 return (3); 1207 } 1208 if (pf->loadopt & PFCTL_FLAG_TABLE) 1209 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path)) 1210 return (4); 1211 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize)) 1212 return (5); 1213 1214 return (0); 1215} 1216 1217int 1218pfctl_load_ruleset(struct pfctl pf, char path, struct pf_ruleset rs, 1219* int rs_num, int depth) 1220{ 1221 struct pf_rule r; 1222* int error, len = strlen(path); 1223 int brace = 0; 1224 1225 pf->anchor = rs->anchor; 1226 1227 if (path[0]) 1228 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name); 1229 else 1230 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name); 1231 1232 if (depth) { 1233 if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) { 1234 brace++; 1235 if (pf->opts & PF_OPT_VERBOSE) 1236 printf(" {\n"); 1237 if ((pf->opts & PF_OPT_NOACTION) == 0 && 1238 (error = pfctl_ruleset_trans(pf, 1239 path, rs->anchor))) { 1240 printf("pfctl_load_rulesets: " 1241 "pfctl_ruleset_trans %d\n", error); 1242 goto error;
936 }	1243 }
937 } else { 938 memset(&pfr->por_rule.rpool, 0, 939 sizeof(pfr->por_rule.rpool));	1244 } else if (pf->opts & PF_OPT_VERBOSE) 1245 printf("\n");
940	1246
941 } 942 return (0);
943 } 944	1247 } 1248
	1249 if (pf->optimize && rs_num == PF_RULESET_FILTER) 1250 pfctl_optimize_ruleset(pf, rs); 1251 1252 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) { 1253 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries); 1254 if ((error = pfctl_load_rule(pf, path, r, depth))) 1255 goto error; 1256 if (r->anchor) { 1257 if ((error = pfctl_load_ruleset(pf, path, 1258 &r->anchor->ruleset, rs_num, depth + 1))) 1259 goto error; 1260 } else if (pf->opts & PF_OPT_VERBOSE) 1261 printf("\n"); 1262 free(r); 1263 } 1264 if (brace && pf->opts & PF_OPT_VERBOSE) { 1265 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE)); 1266 printf("}\n"); 1267 } 1268 path[len] = '\0'; 1269 return (0); 1270 1271 error: 1272 path[len] = '\0'; 1273 return (error); 1274 1275} 1276 1277int 1278pfctl_load_rule(struct pfctl pf, char path, struct pf_rule r, int depth) 1279{ 1280* u_int8_t rs_num = pf_get_ruleset_number(r->action); 1281 char name; 1282* struct pfioc_rule pr; 1283 int len = strlen(path); 1284 1285 bzero(&pr, sizeof(pr)); 1286 /* set up anchor before adding to path for anchor_call / 1287* if ((pf->opts & PF_OPT_NOACTION) == 0) 1288 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path); 1289 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor)) 1290 errx(1, "pfctl_load_rule: strlcpy"); 1291 1292 if (r->anchor) { 1293 if (r->anchor->match) { 1294 if (path[0]) 1295 snprintf(&path[len], MAXPATHLEN - len, 1296 "/%s", r->anchor->name); 1297 else 1298 snprintf(&path[len], MAXPATHLEN - len, 1299 "%s", r->anchor->name); 1300 name = path; 1301 } else 1302 name = r->anchor->path; 1303 } else 1304 name = ""; 1305
945 if ((pf->opts & PF_OPT_NOACTION) == 0) {	1306 if ((pf->opts & PF_OPT_NOACTION) == 0) {
946 bzero(&pr, sizeof(pr)); 947 if (strlcpy(pr.anchor, pf->anchor, sizeof(pr.anchor)) >= 948 sizeof(pr.anchor)) 949 errx(1, "pfctl_add_rule: strlcpy");
950 if (pfctl_add_pool(pf, &r->rpool, r->af)) 951 return (1);	1307 if (pfctl_add_pool(pf, &r->rpool, r->af)) 1308 return (1);
952 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, pf->anchor);
953 pr.pool_ticket = pf->paddr.ticket; 954 memcpy(&pr.rule, r, sizeof(pr.rule));	1309 pr.pool_ticket = pf->paddr.ticket; 1310 memcpy(&pr.rule, r, sizeof(pr.rule));
955 strlcpy(pr.anchor_call, anchor_call, sizeof(pr.anchor_call));	1311 if (r->anchor && strlcpy(pr.anchor_call, name, 1312 sizeof(pr.anchor_call)) >= sizeof(pr.anchor_call)) 1313 errx(1, "pfctl_load_rule: strlcpy");
956 if (ioctl(pf->dev, DIOCADDRULE, &pr)) 957 err(1, "DIOCADDRULE"); 958 }	1314 if (ioctl(pf->dev, DIOCADDRULE, &pr)) 1315 err(1, "DIOCADDRULE"); 1316 }
959 if (pf->opts & PF_OPT_VERBOSE) 960 print_rule(r, anchor_call, pf->opts & PF_OPT_VERBOSE2);	1317 1318 if (pf->opts & PF_OPT_VERBOSE) { 1319 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2)); 1320 print_rule(r, r->anchor ? r->anchor->name : "", 1321 pf->opts & PF_OPT_VERBOSE2); 1322 } 1323 path[len] = '\0';
961 pfctl_clear_pool(&r->rpool); 962 return (0); 963} 964 965int 966pfctl_add_altq(struct pfctl pf, struct pf_altq a) 967{ 968 if (altqsupport && --- 11 unchanged lines hidden (view full) --- 980 } 981 } 982 pfaltq_store(&pf->paltq->altq); 983 } 984 return (0); 985} 986 987int	1324 pfctl_clear_pool(&r->rpool); 1325 return (0); 1326} 1327 1328int 1329pfctl_add_altq(struct pfctl pf, struct pf_altq a) 1330{ 1331 if (altqsupport && --- 11 unchanged lines hidden (view full) --- 1343 } 1344 } 1345 pfaltq_store(&pf->paltq->altq); 1346 } 1347 return (0); 1348} 1349 1350int
988pfctl_rules(int dev, char filename, int opts, char anchorname, 989 struct pfr_buffer *trans)	1351pfctl_rules(int dev, char filename, FILE fin, int opts, int optimize, 1352 char anchorname, struct pfr_buffer trans)
990{ 991#define ERR(x) do { warn(x); goto _error; } while(0) 992#define ERRX(x) do { warnx(x); goto _error; } while(0) 993	1353{ 1354#define ERR(x) do { warn(x); goto _error; } while(0) 1355#define ERRX(x) do { warnx(x); goto _error; } while(0) 1356
994 FILE *fin;
995 struct pfr_buffer t, buf; 996* struct pfioc_altq pa; 997 struct pfctl pf;	1357 struct pfr_buffer t, buf; 1358* struct pfioc_altq pa; 1359 struct pfctl pf;
	1360 struct pf_ruleset *rs;
998 struct pfr_table trs;	1361 struct pfr_table trs;
	1362 char *path;
999 int osize; 1000	1363 int osize; 1364
	1365 RB_INIT(&pf_anchors); 1366 memset(&pf_main_anchor, 0, sizeof(pf_main_anchor)); 1367 pf_init_ruleset(&pf_main_anchor.ruleset); 1368 pf_main_anchor.ruleset.anchor = &pf_main_anchor;
1001 if (trans == NULL) {	1369 if (trans == NULL) {
1002 bzero(&buf, sizeof(buf)); 1003 buf.pfrb_type = PFRB_TRANS; 1004 t = &buf; 1005 osize = 0;	1370 bzero(&buf, sizeof(buf)); 1371 buf.pfrb_type = PFRB_TRANS; 1372 t = &buf; 1373 osize = 0;
1006 } else {	1374 } else {
1007 t = trans; 1008 osize = t->pfrb_size;	1375 t = trans; 1376 osize = t->pfrb_size;
1009 } 1010 1011 memset(&pa, 0, sizeof(pa)); 1012 memset(&pf, 0, sizeof(pf)); 1013 memset(&trs, 0, sizeof(trs));	1377 } 1378 1379 memset(&pa, 0, sizeof(pa)); 1380 memset(&pf, 0, sizeof(pf)); 1381 memset(&trs, 0, sizeof(trs));
	1382 if ((path = calloc(1, MAXPATHLEN)) == NULL) 1383 ERRX("pfctl_rules: calloc");
1014 if (strlcpy(trs.pfrt_anchor, anchorname, 1015 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor)) 1016 ERRX("pfctl_rules: strlcpy");	1384 if (strlcpy(trs.pfrt_anchor, anchorname, 1385 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor)) 1386 ERRX("pfctl_rules: strlcpy");
1017 if (strcmp(filename, "-") == 0) { 1018 fin = stdin; 1019 infile = "stdin"; 1020 } else { 1021 if ((fin = pfctl_fopen(filename, "r")) == NULL) { 1022 warn("%s", filename); 1023 return (1); 1024 } 1025 infile = filename; 1026 }	1387 infile = filename;
1027 pf.dev = dev; 1028 pf.opts = opts;	1388 pf.dev = dev; 1389 pf.opts = opts;
	1390 pf.optimize = optimize;
1029 pf.loadopt = loadopt;	1391 pf.loadopt = loadopt;
	1392 1393 /* non-brace anchor, create without resolving the path / 1394* if ((pf.anchor = calloc(1, sizeof(pf.anchor))) == NULL) 1395* ERRX("pfctl_rules: calloc"); 1396 rs = &pf.anchor->ruleset; 1397 pf_init_ruleset(rs); 1398 rs->anchor = pf.anchor; 1399 if (strlcpy(pf.anchor->path, anchorname, 1400 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path)) 1401 errx(1, "pfctl_add_rule: strlcpy"); 1402 if (strlcpy(pf.anchor->name, anchorname, 1403 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name)) 1404 errx(1, "pfctl_add_rule: strlcpy"); 1405 1406 1407 pf.astack[0] = pf.anchor; 1408 pf.asd = 0;
1030 if (anchorname[0]) 1031 pf.loadopt &= ~PFCTL_FLAG_ALTQ; 1032 pf.paltq = &pa; 1033 pf.trans = t;	1409 if (anchorname[0]) 1410 pf.loadopt &= ~PFCTL_FLAG_ALTQ; 1411 pf.paltq = &pa; 1412 pf.trans = t;
1034 pf.rule_nr = 0; 1035 pf.anchor = anchorname; 1036 TAILQ_INIT(&pf.opt_queue);
1037 pfctl_init_options(&pf); 1038 1039 if ((opts & PF_OPT_NOACTION) == 0) {	1413 pfctl_init_options(&pf); 1414 1415 if ((opts & PF_OPT_NOACTION) == 0) {
1040 if ((pf.loadopt & PFCTL_FLAG_NAT) != 0) { 1041 if (pfctl_add_trans(t, PF_RULESET_NAT, anchorname) \|\| 1042 pfctl_add_trans(t, PF_RULESET_BINAT, anchorname) \|\| 1043 pfctl_add_trans(t, PF_RULESET_RDR, anchorname)) 1044 ERR("pfctl_rules"); 1045 } 1046 if (((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))) { 1047 if (pfctl_add_trans(t, PF_RULESET_ALTQ, anchorname)) 1048 ERR("pfctl_rules"); 1049 } 1050 if ((pf.loadopt & PFCTL_FLAG_FILTER) != 0) { 1051 if (pfctl_add_trans(t, PF_RULESET_SCRUB, anchorname) \|\| 1052 pfctl_add_trans(t, PF_RULESET_FILTER, anchorname)) 1053 ERR("pfctl_rules"); 1054 } 1055 if (pf.loadopt & PFCTL_FLAG_TABLE) { 1056 if (pfctl_add_trans(t, PF_RULESET_TABLE, anchorname)) 1057 ERR("pfctl_rules"); 1058 } 1059 if (pfctl_trans(dev, t, DIOCXBEGIN, osize)) 1060 ERR("DIOCXBEGIN");	1416 /* 1417 * XXX For the time being we need to open transactions for 1418 * the main ruleset before parsing, because tables are still 1419 * loaded at parse time. 1420 / 1421* if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor)) 1422 ERRX("pfctl_rules");
1061 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))	1423 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
1062 pa.ticket = pfctl_get_ticket(t, PF_RULESET_ALTQ, 1063 anchorname);	1424 pa.ticket = 1425 pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
1064 if (pf.loadopt & PFCTL_FLAG_TABLE)	1426 if (pf.loadopt & PFCTL_FLAG_TABLE)
1065 pf.tticket = pfctl_get_ticket(t, PF_RULESET_TABLE, 1066 anchorname);	1427 pf.astack[0]->ruleset.tticket = 1428 pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
1067 }	1429 }
	1430
1068 if (parse_rules(fin, &pf) < 0) { 1069 if ((opts & PF_OPT_NOACTION) == 0) 1070 ERRX("Syntax error in config file: " 1071 "pf rules not loaded"); 1072 else 1073 goto _error; 1074 }	1431 if (parse_rules(fin, &pf) < 0) { 1432 if ((opts & PF_OPT_NOACTION) == 0) 1433 ERRX("Syntax error in config file: " 1434 "pf rules not loaded"); 1435 else 1436 goto _error; 1437 }
1075 if (pf.opts & PF_OPT_OPTIMIZE) { 1076 if (pfctl_optimize_rules(&pf)) 1077 ERRX("Failed to optimize ruleset: pf rules not loaded");	1438 1439 if ((pf.loadopt & PFCTL_FLAG_FILTER && 1440 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) \|\| 1441 (pf.loadopt & PFCTL_FLAG_NAT && 1442 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) \|\| 1443 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) \|\| 1444 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) \|\| 1445 (pf.loadopt & PFCTL_FLAG_FILTER && 1446 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) { 1447 if ((opts & PF_OPT_NOACTION) == 0) 1448 ERRX("Unable to load rules into kernel"); 1449 else 1450 goto _error;
1078 } 1079 1080 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0)) 1081 if (check_commit_altq(dev, opts) != 0) 1082 ERRX("errors in altq config"); 1083 1084 if (fin != stdin) { 1085 fclose(fin); 1086 fin = NULL; 1087 } 1088 1089 /* process "load anchor" directives / 1090* if (!anchorname[0])	1451 } 1452 1453 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0)) 1454 if (check_commit_altq(dev, opts) != 0) 1455 ERRX("errors in altq config"); 1456 1457 if (fin != stdin) { 1458 fclose(fin); 1459 fin = NULL; 1460 } 1461 1462 /* process "load anchor" directives / 1463* if (!anchorname[0])
1091 if (pfctl_load_anchors(dev, opts, t) == -1)	1464 if (pfctl_load_anchors(dev, &pf, t) == -1)
1092 ERRX("load anchors"); 1093 1094 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) { 1095 if (!anchorname[0]) 1096 if (pfctl_load_options(&pf)) 1097 goto _error;	1465 ERRX("load anchors"); 1466 1467 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) { 1468 if (!anchorname[0]) 1469 if (pfctl_load_options(&pf)) 1470 goto _error;
1098 if (pfctl_trans(dev, t, DIOCXCOMMIT, 0))	1471 if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
1099 ERR("DIOCXCOMMIT"); 1100 } 1101 return (0); 1102 1103_error: 1104 if (trans == NULL) { /* main ruleset / 1105* if ((opts & PF_OPT_NOACTION) == 0)	1472 ERR("DIOCXCOMMIT"); 1473 } 1474 return (0); 1475 1476_error: 1477 if (trans == NULL) { /* main ruleset / 1478* if ((opts & PF_OPT_NOACTION) == 0)
1106 if (pfctl_trans(dev, t, DIOCXROLLBACK, 0))	1479 if (pfctl_trans(dev, t, DIOCXROLLBACK, osize))
1107 err(1, "DIOCXROLLBACK"); 1108 exit(1); 1109 } else { /* sub ruleset / 1110* if (fin != NULL && fin != stdin) 1111 fclose(fin); 1112 return (-1); 1113 } 1114 --- 20 unchanged lines hidden (view full) --- 1135 return (NULL); 1136 } 1137 return (fp); 1138} 1139 1140void 1141pfctl_init_options(struct pfctl pf) 1142*{	1480 err(1, "DIOCXROLLBACK"); 1481 exit(1); 1482 } else { /* sub ruleset / 1483* if (fin != NULL && fin != stdin) 1484 fclose(fin); 1485 return (-1); 1486 } 1487 --- 20 unchanged lines hidden (view full) --- 1508 return (NULL); 1509 } 1510 return (fp); 1511} 1512 1513void 1514pfctl_init_options(struct pfctl pf) 1515*{
	1516 int mib[2], mem; 1517 size_t size; 1518
1143 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; 1144 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL; 1145 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; 1146 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; 1147 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; 1148 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; 1149 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; 1150 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; 1151 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL; 1152 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL; 1153 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL; 1154 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL; 1155 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL; 1156 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL; 1157 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL; 1158 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL; 1159 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL; 1160 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;	1519 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; 1520 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL; 1521 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; 1522 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; 1523 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; 1524 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; 1525 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; 1526 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; 1527 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL; 1528 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL; 1529 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL; 1530 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL; 1531 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL; 1532 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL; 1533 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL; 1534 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL; 1535 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL; 1536 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
	1537 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START; 1538 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
1161	1539
1162 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT; 1163 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT; 1164 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;	1540 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT; 1541 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT; 1542 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT; 1543 pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT; 1544 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
1165	1545
	1546 mib[0] = CTL_HW; 1547 mib[1] = HW_PHYSMEM; 1548 size = sizeof(mem); 1549 (void) sysctl(mib, 2, &mem, &size, NULL, 0); 1550 if (mem <= 10010241024) 1551 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL; 1552
1166 pf->debug = PF_DEBUG_URGENT; 1167} 1168 1169int 1170pfctl_load_options(struct pfctl pf) 1171{ 1172* int i, error = 0; 1173 1174 if ((loadopt & PFCTL_FLAG_OPTION) == 0) 1175 return (0); 1176 1177 /* load limits / 1178* for (i = 0; i < PF_LIMIT_MAX; i++) { 1179 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i]) 1180 continue; 1181 if (pfctl_load_limit(pf, i, pf->limit[i])) 1182 error = 1; 1183 } 1184	1553 pf->debug = PF_DEBUG_URGENT; 1554} 1555 1556int 1557pfctl_load_options(struct pfctl pf) 1558{ 1559* int i, error = 0; 1560 1561 if ((loadopt & PFCTL_FLAG_OPTION) == 0) 1562 return (0); 1563 1564 /* load limits / 1565* for (i = 0; i < PF_LIMIT_MAX; i++) { 1566 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i]) 1567 continue; 1568 if (pfctl_load_limit(pf, i, pf->limit[i])) 1569 error = 1; 1570 } 1571
	1572 /* 1573 * If we've set the limit, but havn't explicitly set adaptive 1574 * timeouts, do it now with a start of 60% and end of 120%. 1575 / 1576* if (pf->limit_set[PF_LIMIT_STATES] && 1577 !pf->timeout_set[PFTM_ADAPTIVE_START] && 1578 !pf->timeout_set[PFTM_ADAPTIVE_END]) { 1579 pf->timeout[PFTM_ADAPTIVE_START] = 1580 (pf->limit[PF_LIMIT_STATES] / 10) * 6; 1581 pf->timeout_set[PFTM_ADAPTIVE_START] = 1; 1582 pf->timeout[PFTM_ADAPTIVE_END] = 1583 (pf->limit[PF_LIMIT_STATES] / 10) * 12; 1584 pf->timeout_set[PFTM_ADAPTIVE_END] = 1; 1585 } 1586
1185 /* load timeouts / 1186* for (i = 0; i < PFTM_MAX; i++) { 1187 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i]) 1188 continue; 1189 if (pfctl_load_timeout(pf, i, pf->timeout[i])) 1190 error = 1; 1191 } 1192 --- 110 unchanged lines hidden (view full) --- 1303 return (0); 1304 1305 for (i = 0; pf_hints[i].name; i++) 1306 if (strcasecmp(opt, pf_hints[i].name) == 0) 1307 break; 1308 1309 hint = pf_hints[i].hint; 1310 if (hint == NULL) {	1587 /* load timeouts / 1588* for (i = 0; i < PFTM_MAX; i++) { 1589 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i]) 1590 continue; 1591 if (pfctl_load_timeout(pf, i, pf->timeout[i])) 1592 error = 1; 1593 } 1594 --- 110 unchanged lines hidden (view full) --- 1705 return (0); 1706 1707 for (i = 0; pf_hints[i].name; i++) 1708 if (strcasecmp(opt, pf_hints[i].name) == 0) 1709 break; 1710 1711 hint = pf_hints[i].hint; 1712 if (hint == NULL) {
1311 warnx("Bad hint name.");	1713 warnx("invalid state timeouts optimization");
1312 return (1); 1313 } 1314 1315 for (i = 0; hint[i].name; i++) 1316 if ((r = pfctl_set_timeout(pf, hint[i].name, 1317 hint[i].timeout, 1))) 1318 return (r); 1319 --- 29 unchanged lines hidden (view full) --- 1349int 1350pfctl_load_logif(struct pfctl pf, char ifname) 1351{ 1352 struct pfioc_if pi; 1353 1354 memset(&pi, 0, sizeof(pi)); 1355 if (ifname && strlcpy(pi.ifname, ifname, 1356 sizeof(pi.ifname)) >= sizeof(pi.ifname)) {	1714 return (1); 1715 } 1716 1717 for (i = 0; hint[i].name; i++) 1718 if ((r = pfctl_set_timeout(pf, hint[i].name, 1719 hint[i].timeout, 1))) 1720 return (r); 1721 --- 29 unchanged lines hidden (view full) --- 1751int 1752pfctl_load_logif(struct pfctl pf, char ifname) 1753{ 1754 struct pfioc_if pi; 1755 1756 memset(&pi, 0, sizeof(pi)); 1757 if (ifname && strlcpy(pi.ifname, ifname, 1758 sizeof(pi.ifname)) >= sizeof(pi.ifname)) {
1357 warnx("pfctl_set_logif: strlcpy");	1759 warnx("pfctl_load_logif: strlcpy");
1358 return (1); 1359 } 1360 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) { 1361 warnx("DIOCSETSTATUSIF"); 1362 return (1); 1363 } 1364 return (0); 1365} --- 120 unchanged lines hidden (view full) --- 1486 fprintf(stderr, "<invalid>"); 1487 break; 1488 } 1489 fprintf(stderr, "'\n"); 1490 } 1491} 1492 1493int	1760 return (1); 1761 } 1762 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) { 1763 warnx("DIOCSETSTATUSIF"); 1764 return (1); 1765 } 1766 return (0); 1767} --- 120 unchanged lines hidden (view full) --- 1888 fprintf(stderr, "<invalid>"); 1889 break; 1890 } 1891 fprintf(stderr, "'\n"); 1892 } 1893} 1894 1895int
1494pfctl_clear_rule_counters(int dev, int opts) 1495{ 1496 if (ioctl(dev, DIOCCLRRULECTRS)) 1497 err(1, "DIOCCLRRULECTRS"); 1498 if ((opts & PF_OPT_QUIET) == 0) 1499 fprintf(stderr, "pf: rule counters cleared\n"); 1500 return (0); 1501} 1502 1503int
1504pfctl_test_altqsupport(int dev, int opts) 1505{ 1506#if defined(__FreeBSD__) && !defined(ENABLE_ALTQ) 1507 return (0); 1508#else 1509 struct pfioc_altq pa; 1510 1511 if (ioctl(dev, DIOCGETALTQS, &pa)) { --- 35 unchanged lines hidden (view full) --- 1547 if (!strcmp(pr.name, PF_RESERVED_ANCHOR)) 1548 continue; 1549 sub[0] = 0; 1550 if (pr.path[0]) { 1551 strlcat(sub, pr.path, sizeof(sub)); 1552 strlcat(sub, "/", sizeof(sub)); 1553 } 1554 strlcat(sub, pr.name, sizeof(sub));	1896pfctl_test_altqsupport(int dev, int opts) 1897{ 1898#if defined(__FreeBSD__) && !defined(ENABLE_ALTQ) 1899 return (0); 1900#else 1901 struct pfioc_altq pa; 1902 1903 if (ioctl(dev, DIOCGETALTQS, &pa)) { --- 35 unchanged lines hidden (view full) --- 1939 if (!strcmp(pr.name, PF_RESERVED_ANCHOR)) 1940 continue; 1941 sub[0] = 0; 1942 if (pr.path[0]) { 1943 strlcat(sub, pr.path, sizeof(sub)); 1944 strlcat(sub, "/", sizeof(sub)); 1945 } 1946 strlcat(sub, pr.name, sizeof(sub));
1555 printf(" %s\n", sub); 1556 if (opts & PF_OPT_VERBOSE && pfctl_show_anchors(dev, opts, sub))	1947 if (sub[0] != '_' \|\| (opts & PF_OPT_VERBOSE)) 1948 printf(" %s\n", sub); 1949 if ((opts & PF_OPT_VERBOSE) && pfctl_show_anchors(dev, opts, sub))
1557 return (-1); 1558 } 1559 return (0); 1560} 1561 1562const char * 1563pfctl_lookup_option(char cmd, const char list) 1564{ 1565* if (cmd != NULL && cmd) 1566* for (; list; list++) 1567* if (!strncmp(cmd, list, strlen(cmd))) 1568* return (list); 1569* return (NULL); 1570} 1571 1572int 1573main(int argc, char argv[]) 1574*{	1950 return (-1); 1951 } 1952 return (0); 1953} 1954 1955const char * 1956pfctl_lookup_option(char cmd, const char list) 1957{ 1958* if (cmd != NULL && cmd) 1959* for (; list; list++) 1960* if (!strncmp(cmd, list, strlen(cmd))) 1961* return (list); 1962* return (NULL); 1963} 1964 1965int 1966main(int argc, char argv[]) 1967*{
1575 int error = 0; 1576 int ch; 1577 int mode = O_RDONLY; 1578 int opts = 0; 1579 char anchorname[MAXPATHLEN];	1968 int error = 0; 1969 int ch; 1970 int mode = O_RDONLY; 1971 int opts = 0; 1972 int optimize = 0; 1973 char anchorname[MAXPATHLEN]; 1974 char path; 1975* FILE *fin = NULL;
1580 1581 if (argc < 2) 1582 usage(); 1583 1584 while ((ch = getopt(argc, argv,	1976 1977 if (argc < 2) 1978 usage(); 1979 1980 while ((ch = getopt(argc, argv,
1585 "a:AdD:eqf:F:ghi:k:mnNOop:rRs:t:T:vx:z")) != -1) {	1981 "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
1586 switch (ch) { 1587 case 'a': 1588 anchoropt = optarg; 1589 break; 1590 case 'd': 1591 opts \|= PF_OPT_DISABLE; 1592 mode = O_RDWR; 1593 break; --- 24 unchanged lines hidden (view full) --- 1618 if (state_killers >= 2) { 1619 warnx("can only specify -k twice"); 1620 usage(); 1621 /* NOTREACHED / 1622* } 1623 state_kill[state_killers++] = optarg; 1624 mode = O_RDWR; 1625 break;	1982 switch (ch) { 1983 case 'a': 1984 anchoropt = optarg; 1985 break; 1986 case 'd': 1987 opts \|= PF_OPT_DISABLE; 1988 mode = O_RDWR; 1989 break; --- 24 unchanged lines hidden (view full) --- 2014 if (state_killers >= 2) { 2015 warnx("can only specify -k twice"); 2016 usage(); 2017 /* NOTREACHED / 2018* } 2019 state_kill[state_killers++] = optarg; 2020 mode = O_RDWR; 2021 break;
	2022 case 'K': 2023 if (src_node_killers >= 2) { 2024 warnx("can only specify -K twice"); 2025 usage(); 2026 /* NOTREACHED / 2027* } 2028 src_node_kill[src_node_killers++] = optarg; 2029 mode = O_RDWR; 2030 break;
1626 case 'm': 1627 opts \|= PF_OPT_MERGE; 1628 break; 1629 case 'n': 1630 opts \|= PF_OPT_NOACTION; 1631 break; 1632 case 'N': 1633 loadopt \|= PFCTL_FLAG_NAT; --- 10 unchanged lines hidden (view full) --- 1644 break; 1645 case 'A': 1646 loadopt \|= PFCTL_FLAG_ALTQ; 1647 break; 1648 case 'R': 1649 loadopt \|= PFCTL_FLAG_FILTER; 1650 break; 1651 case 'o':	2031 case 'm': 2032 opts \|= PF_OPT_MERGE; 2033 break; 2034 case 'n': 2035 opts \|= PF_OPT_NOACTION; 2036 break; 2037 case 'N': 2038 loadopt \|= PFCTL_FLAG_NAT; --- 10 unchanged lines hidden (view full) --- 2049 break; 2050 case 'A': 2051 loadopt \|= PFCTL_FLAG_ALTQ; 2052 break; 2053 case 'R': 2054 loadopt \|= PFCTL_FLAG_FILTER; 2055 break; 2056 case 'o':
1652 if (opts & PF_OPT_OPTIMIZE) 1653 opts \|= PF_OPT_OPTIMIZE_PROFILE; 1654 else 1655 opts \|= PF_OPT_OPTIMIZE;	2057 if (optarg) { 2058 optiopt = pfctl_lookup_option(optarg, 2059 optiopt_list); 2060 if (optiopt == NULL) { 2061 warnx("Unknown optimization '%s'", 2062 optarg); 2063 usage(); 2064 } 2065 } 2066 if (opts & PF_OPT_OPTIMIZE) { 2067 if (optiopt != NULL) { 2068 warnx("Cannot specify -o multiple times" 2069 "with optimizer level"); 2070 usage(); 2071 } 2072 optimize \|= PF_OPTIMIZE_PROFILE; 2073 } 2074 optimize \|= PF_OPTIMIZE_BASIC; 2075 opts \|= PF_OPT_OPTIMIZE;
1656 break; 1657 case 'O': 1658 loadopt \|= PFCTL_FLAG_OPTION; 1659 break; 1660 case 'p': 1661 pf_device = optarg; 1662 break; 1663 case 's': --- 41 unchanged lines hidden (view full) --- 1705 if (tblcmdopt != NULL) { 1706 argc -= optind; 1707 argv += optind; 1708 ch = tblcmdopt; 1709* if (ch == 'l') { 1710 loadopt \|= PFCTL_FLAG_TABLE; 1711 tblcmdopt = NULL; 1712 } else	2076 break; 2077 case 'O': 2078 loadopt \|= PFCTL_FLAG_OPTION; 2079 break; 2080 case 'p': 2081 pf_device = optarg; 2082 break; 2083 case 's': --- 41 unchanged lines hidden (view full) --- 2125 if (tblcmdopt != NULL) { 2126 argc -= optind; 2127 argv += optind; 2128 ch = tblcmdopt; 2129* if (ch == 'l') { 2130 loadopt \|= PFCTL_FLAG_TABLE; 2131 tblcmdopt = NULL; 2132 } else
1713 mode = strchr("acdfkrz", ch) ? O_RDWR : O_RDONLY;	2133 mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
1714 } else if (argc != optind) { 1715 warnx("unknown command line argument: %s ...", argv[optind]); 1716 usage(); 1717 /* NOTREACHED / 1718* } 1719 if (loadopt == 0) 1720 loadopt = ~0; 1721	2134 } else if (argc != optind) { 2135 warnx("unknown command line argument: %s ...", argv[optind]); 2136 usage(); 2137 /* NOTREACHED / 2138* } 2139 if (loadopt == 0) 2140 loadopt = ~0; 2141
	2142 if ((path = calloc(1, MAXPATHLEN)) == NULL) 2143 errx(1, "pfctl: calloc");
1722 memset(anchorname, 0, sizeof(anchorname)); 1723 if (anchoropt != NULL) {	2144 memset(anchorname, 0, sizeof(anchorname)); 2145 if (anchoropt != NULL) {
	2146 int len = strlen(anchoropt); 2147 2148 if (anchoropt[len - 1] == '') { 2149* if (len >= 2 && anchoropt[len - 2] == '/') 2150 anchoropt[len - 2] = '\0'; 2151 else 2152 anchoropt[len - 1] = '\0'; 2153 opts \|= PF_OPT_RECURSE; 2154 }
1724 if (strlcpy(anchorname, anchoropt, 1725 sizeof(anchorname)) >= sizeof(anchorname)) 1726 errx(1, "anchor name '%s' too long", 1727 anchoropt); 1728 loadopt &= PFCTL_FLAG_FILTER\|PFCTL_FLAG_NAT\|PFCTL_FLAG_TABLE; 1729 } 1730 1731 if ((opts & PF_OPT_NOACTION) == 0) { --- 21 unchanged lines hidden (view full) --- 1753 1754 if (showopt != NULL) { 1755 switch (showopt) { 1756* case 'A': 1757 pfctl_show_anchors(dev, opts, anchorname); 1758 break; 1759 case 'r': 1760 pfctl_load_fingerprints(dev, opts);	2155 if (strlcpy(anchorname, anchoropt, 2156 sizeof(anchorname)) >= sizeof(anchorname)) 2157 errx(1, "anchor name '%s' too long", 2158 anchoropt); 2159 loadopt &= PFCTL_FLAG_FILTER\|PFCTL_FLAG_NAT\|PFCTL_FLAG_TABLE; 2160 } 2161 2162 if ((opts & PF_OPT_NOACTION) == 0) { --- 21 unchanged lines hidden (view full) --- 2184 2185 if (showopt != NULL) { 2186 switch (showopt) { 2187* case 'A': 2188 pfctl_show_anchors(dev, opts, anchorname); 2189 break; 2190 case 'r': 2191 pfctl_load_fingerprints(dev, opts);
1761 pfctl_show_rules(dev, opts, 0, anchorname);	2192 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_RULES, 2193 anchorname, 0);
1762 break; 1763 case 'l': 1764 pfctl_load_fingerprints(dev, opts);	2194 break; 2195 case 'l': 2196 pfctl_load_fingerprints(dev, opts);
1765 pfctl_show_rules(dev, opts, 1, anchorname);	2197 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_LABELS, 2198 anchorname, 0);
1766 break; 1767 case 'n': 1768 pfctl_load_fingerprints(dev, opts); 1769 pfctl_show_nat(dev, opts, anchorname); 1770 break; 1771 case 'q': 1772 pfctl_show_altq(dev, ifaceopt, opts, 1773 opts & PF_OPT_VERBOSE2); --- 13 unchanged lines hidden (view full) --- 1787 case 'm': 1788 pfctl_show_limits(dev, opts); 1789 break; 1790 case 'a': 1791 opts \|= PF_OPT_SHOWALL; 1792 pfctl_load_fingerprints(dev, opts); 1793 1794 pfctl_show_nat(dev, opts, anchorname);	2199 break; 2200 case 'n': 2201 pfctl_load_fingerprints(dev, opts); 2202 pfctl_show_nat(dev, opts, anchorname); 2203 break; 2204 case 'q': 2205 pfctl_show_altq(dev, ifaceopt, opts, 2206 opts & PF_OPT_VERBOSE2); --- 13 unchanged lines hidden (view full) --- 2220 case 'm': 2221 pfctl_show_limits(dev, opts); 2222 break; 2223 case 'a': 2224 opts \|= PF_OPT_SHOWALL; 2225 pfctl_load_fingerprints(dev, opts); 2226 2227 pfctl_show_nat(dev, opts, anchorname);
1795 pfctl_show_rules(dev, opts, 0, anchorname);	2228 pfctl_show_rules(dev, path, opts, 0, anchorname, 0);
1796 pfctl_show_altq(dev, ifaceopt, opts, 0); 1797 pfctl_show_states(dev, ifaceopt, opts); 1798 pfctl_show_src_nodes(dev, opts); 1799 pfctl_show_status(dev, opts);	2229 pfctl_show_altq(dev, ifaceopt, opts, 0); 2230 pfctl_show_states(dev, ifaceopt, opts); 2231 pfctl_show_src_nodes(dev, opts); 2232 pfctl_show_status(dev, opts);
1800 pfctl_show_rules(dev, opts, 1, anchorname);	2233 pfctl_show_rules(dev, path, opts, 1, anchorname, 0);
1801 pfctl_show_timeouts(dev, opts); 1802 pfctl_show_limits(dev, opts); 1803 pfctl_show_tables(anchorname, opts); 1804 pfctl_show_fingerprints(opts); 1805 break; 1806 case 'T': 1807 pfctl_show_tables(anchorname, opts); 1808 break; 1809 case 'o': 1810 pfctl_load_fingerprints(dev, opts); 1811 pfctl_show_fingerprints(opts); 1812 break; 1813 case 'I': 1814 pfctl_show_ifaces(ifaceopt, opts); 1815 break; 1816 } 1817 } 1818	2234 pfctl_show_timeouts(dev, opts); 2235 pfctl_show_limits(dev, opts); 2236 pfctl_show_tables(anchorname, opts); 2237 pfctl_show_fingerprints(opts); 2238 break; 2239 case 'T': 2240 pfctl_show_tables(anchorname, opts); 2241 break; 2242 case 'o': 2243 pfctl_load_fingerprints(dev, opts); 2244 pfctl_show_fingerprints(opts); 2245 break; 2246 case 'I': 2247 pfctl_show_ifaces(ifaceopt, opts); 2248 break; 2249 } 2250 } 2251
	2252 if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL) 2253 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING, 2254 anchorname, 0); 2255
1819 if (clearopt != NULL) {	2256 if (clearopt != NULL) {
	2257 if (anchorname[0] == '_' \|\| strstr(anchorname, "/_") != NULL) 2258 errx(1, "anchor names beginning with '_' cannot " 2259 "be modified from the command line"); 2260
1820 switch (clearopt) { 1821* case 'r': 1822 pfctl_clear_rules(dev, opts, anchorname); 1823 break; 1824 case 'n': 1825 pfctl_clear_nat(dev, opts, anchorname); 1826 break; 1827 case 'q': --- 27 unchanged lines hidden (view full) --- 1855 case 'T': 1856 pfctl_clear_tables(anchorname, opts); 1857 break; 1858 } 1859 } 1860 if (state_killers) 1861 pfctl_kill_states(dev, ifaceopt, opts); 1862	2261 switch (clearopt) { 2262* case 'r': 2263 pfctl_clear_rules(dev, opts, anchorname); 2264 break; 2265 case 'n': 2266 pfctl_clear_nat(dev, opts, anchorname); 2267 break; 2268 case 'q': --- 27 unchanged lines hidden (view full) --- 2296 case 'T': 2297 pfctl_clear_tables(anchorname, opts); 2298 break; 2299 } 2300 } 2301 if (state_killers) 2302 pfctl_kill_states(dev, ifaceopt, opts); 2303
	2304 if (src_node_killers) 2305 pfctl_kill_src_nodes(dev, ifaceopt, opts); 2306
1863 if (tblcmdopt != NULL) { 1864 error = pfctl_command_tables(argc, argv, tableopt, 1865 tblcmdopt, rulesopt, anchorname, opts); 1866 rulesopt = NULL; 1867 }	2307 if (tblcmdopt != NULL) { 2308 error = pfctl_command_tables(argc, argv, tableopt, 2309 tblcmdopt, rulesopt, anchorname, opts); 2310 rulesopt = NULL; 2311 }
	2312 if (optiopt != NULL) { 2313 switch (optiopt) { 2314* case 'n': 2315 optimize = 0; 2316 break; 2317 case 'b': 2318 optimize \|= PF_OPTIMIZE_BASIC; 2319 break; 2320 case 'o': 2321 case 'p': 2322 optimize \|= PF_OPTIMIZE_PROFILE; 2323 break; 2324 } 2325 }
1868	2326
1869 if ((rulesopt != NULL) && (!*anchorname))	2327 if (rulesopt != NULL) { 2328 if (strcmp(rulesopt, "-") == 0) { 2329 fin = stdin; 2330 rulesopt = "stdin"; 2331 } else { 2332 if ((fin = pfctl_fopen(rulesopt, "r")) == NULL) 2333 err(1, "%s", rulesopt); 2334 } 2335 } 2336 if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) && 2337 !anchorname[0])
1870 if (pfctl_clear_interface_flags(dev, opts \| PF_OPT_QUIET)) 1871 error = 1; 1872 1873 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE\|PF_OPT_NOACTION)) && 1874 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION)) 1875 if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE)) 1876 error = 1; 1877 1878 if (rulesopt != NULL) {	2338 if (pfctl_clear_interface_flags(dev, opts \| PF_OPT_QUIET)) 2339 error = 1; 2340 2341 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE\|PF_OPT_NOACTION)) && 2342 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION)) 2343 if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE)) 2344 error = 1; 2345 2346 if (rulesopt != NULL) {
1879 if (pfctl_rules(dev, rulesopt, opts, anchorname, NULL))	2347 if (anchorname[0] == '_' \|\| strstr(anchorname, "/_") != NULL) 2348 errx(1, "anchor names beginning with '_' cannot " 2349 "be modified from the command line"); 2350 if (pfctl_rules(dev, rulesopt, fin, opts, optimize, 2351 anchorname, NULL))
1880 error = 1; 1881 else if (!(opts & PF_OPT_NOACTION) && 1882 (loadopt & PFCTL_FLAG_TABLE)) 1883 warn_namespace_collision(NULL); 1884 } 1885 1886 if (opts & PF_OPT_ENABLE) 1887 if (pfctl_enable(dev, opts)) --- 11 unchanged lines hidden (view full) --- 1899 pfctl_debug(dev, PF_DEBUG_MISC, opts); 1900 break; 1901 case 'l': 1902 pfctl_debug(dev, PF_DEBUG_NOISY, opts); 1903 break; 1904 } 1905 } 1906	2352 error = 1; 2353 else if (!(opts & PF_OPT_NOACTION) && 2354 (loadopt & PFCTL_FLAG_TABLE)) 2355 warn_namespace_collision(NULL); 2356 } 2357 2358 if (opts & PF_OPT_ENABLE) 2359 if (pfctl_enable(dev, opts)) --- 11 unchanged lines hidden (view full) --- 2371 pfctl_debug(dev, PF_DEBUG_MISC, opts); 2372 break; 2373 case 'l': 2374 pfctl_debug(dev, PF_DEBUG_NOISY, opts); 2375 break; 2376 } 2377 } 2378
1907 if (opts & PF_OPT_CLRRULECTRS) { 1908 if (pfctl_clear_rule_counters(dev, opts)) 1909 error = 1; 1910 }
1911 exit(error); 1912}	2379 exit(error); 2380}