From nobody Mon Apr 29 14:36:49 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VSm9s3FD4z5JS1x; Mon, 29 Apr 2024 14:36:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VSm9s20R3z4KS9; Mon, 29 Apr 2024 14:36:49 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1714401409; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VsolLw7qz2Y79HtmK/U7O3/uEcumROuwhvp1uwd3oG4=; b=Kx9QpZ2zLqGDQTNz5cvz5Q59LuK51EZ7iNopJtXm+ixEE2Au/QVX3JcpQ3kBu3aD8/ThHT BFEPOPzfGzoVMgdvhlSmVXuji0GB2+aR5oUQskEnS9vd1CE8xSVWtlhs6/Dq1nCljRSnRS DB5CsZEtVCarB/nydbwrSbcslHHwb3kLoIix5QEzrW8H7J4kfeIRoZ8M2ud6wYPfDsaIyT VKH990bTCOc5a2F+aiYS5lUd3tcrTHYYLpEOa8rR4N2iDJwzeCKok1N9KTdYsl/KeZY9d0 jIq4U3P0cpbSIgqSKGfTldXkoG6LfJ/3xy2dbPOGaAIszrBm7t7gMUqzJAR97A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1714401409; a=rsa-sha256; cv=none; b=PRF7XymhozEIpmUAWaEiDcxr+wCnWQVTwMeN2prL+bVTP7XpvHusrEuwJX28Ll9J9To3VC DXE90KowZQvCl4ioiAXynLa2L2wq8Q2XxmgJqnY9CPTIxQNT2PvXEzMNJVVg0A2g1enWZM t5NPGdh25jwZ8TKzPjz3Nx3bQwoqQozxeOV+GyQNPzKGSqw0nsaR8adrowAcoOsiCjUHAC agiT/nRa66PacQRtVRv7nThPJoLjSjirAYkBF4yPNJ6ghZbO7NZt75c99QFxZmcL1EX2SV rzUekMKBthL2V7ATNG2RHoJu6s38XW7W6M0untjhGy61gQ9IcCa8Lh1mP6ZJwQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1714401409; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VsolLw7qz2Y79HtmK/U7O3/uEcumROuwhvp1uwd3oG4=; b=ltSz78uE7DUb1qHaMxcKCHJGhHf3/xSeqVHaZOQtYmWkOkur28JkQ0AHMJEtAR7makoU1E YDHmpRfafIAhwNXns+WHzdIuGPFVL13shC3g+0foxk/d6xxCpWTOQaVD7UMhybrCymoLZy ahUN/dizc4l86Cp+94avXQp9AQjI7HxhAxpQA3iwiEPJTba2NN1eYP47wB6l81yUk8GxZ4 1Mo2Rcw/Mmn6hsWQxJIIG/aZ7omWU25VpJlfuRcX1q2eYB2LNtza4pOrEhSkXq/eGQNq93 Y8k+rG0C+aEVc73fEwhIWNkb8KVMMiwsF+EFJAaE1lloSQzqp0wR+niLuOUb6A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VSm9s1PhRz1CL7; Mon, 29 Apr 2024 14:36:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 43TEanlY080607; Mon, 29 Apr 2024 14:36:49 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 43TEan1U080604; Mon, 29 Apr 2024 14:36:49 GMT (envelope-from git) Date: Mon, 29 Apr 2024 14:36:49 GMT Message-Id: <202404291436.43TEan1U080604@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 044243fcc9b4 - main - libpfctl: allow access to the fd List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 044243fcc9b4c639cf5655e37b98478bcb312590 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=044243fcc9b4c639cf5655e37b98478bcb312590 commit 044243fcc9b4c639cf5655e37b98478bcb312590 Author: Kristof Provost AuthorDate: 2024-04-24 06:40:05 +0000 Commit: Kristof Provost CommitDate: 2024-04-29 14:32:23 +0000 libpfctl: allow access to the fd pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the /dev/ pf fd via pfctl_fd(). This means that libpfctl users no longer have to open /dev/pf themselves for any calls that are not yet available in libpfctl. Sponsored by: Rubicon Communications, LLC ("Netgate") MFC after: 2 weeks --- contrib/pf/authpf/authpf.c | 20 +++++++++----------- contrib/pf/ftp-proxy/filter.c | 23 ++++++++++------------- contrib/pf/tftp-proxy/filter.c | 25 ++++++++++--------------- lib/libpfctl/libpfctl.c | 6 ++++++ lib/libpfctl/libpfctl.h | 1 + 5 files changed, 36 insertions(+), 39 deletions(-) diff --git a/contrib/pf/authpf/authpf.c b/contrib/pf/authpf/authpf.c index 81dbcb747f5f..fcf9812cdcca 100644 --- a/contrib/pf/authpf/authpf.c +++ b/contrib/pf/authpf/authpf.c @@ -56,7 +56,6 @@ static int change_filter(int, const char *, const char *); static int change_table(int, const char *); static void authpf_kill_states(void); -int dev; /* pf device */ struct pfctl_handle *pfh; char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf"; char rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2]; @@ -135,9 +134,8 @@ main(void) exit(1); } /* open the pf device */ - dev = open(PATH_DEVFILE, O_RDWR); pfh = pfctl_open(PATH_DEVFILE); - if (dev == -1 || pfh == NULL) { + if (pfh == NULL) { syslog(LOG_ERR, "cannot open packet filter device (%m)"); goto die; } @@ -648,7 +646,7 @@ remove_stale_rulesets(void) memset(&prs, 0, sizeof(prs)); strlcpy(prs.path, anchorname, sizeof(prs.path)); - if (ioctl(dev, DIOCGETRULESETS, &prs)) { + if (ioctl(pfctl_fd(pfh), DIOCGETRULESETS, &prs)) { if (errno == EINVAL) return (0); else @@ -661,7 +659,7 @@ remove_stale_rulesets(void) pid_t pid; prs.nr = nr - 1; - if (ioctl(dev, DIOCGETRULESET, &prs)) + if (ioctl(pfctl_fd(pfh), DIOCGETRULESET, &prs)) return (1); errno = 0; if ((t = strchr(prs.name, '(')) == NULL) @@ -705,8 +703,8 @@ recursive_ruleset_purge(char *an, char *rs) snprintf(t_e[i].anchor, sizeof(t_e[i].anchor), "%s/%s", an, rs); } t_e[PF_RULESET_MAX].rs_num = PF_RULESET_TABLE; - if ((ioctl(dev, DIOCXBEGIN, t) || - ioctl(dev, DIOCXCOMMIT, t)) && + if ((ioctl(pfctl_fd(pfh), DIOCXBEGIN, t) || + ioctl(pfctl_fd(pfh), DIOCXCOMMIT, t)) && errno != EINVAL) goto cleanup; @@ -714,7 +712,7 @@ recursive_ruleset_purge(char *an, char *rs) if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL) goto no_mem; snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs); - if (ioctl(dev, DIOCGETRULESETS, prs)) { + if (ioctl(pfctl_fd(pfh), DIOCGETRULESETS, prs)) { if (errno != EINVAL) goto cleanup; errno = 0; @@ -723,7 +721,7 @@ recursive_ruleset_purge(char *an, char *rs) while (nr) { prs->nr = 0; - if (ioctl(dev, DIOCGETRULESET, prs)) + if (ioctl(pfctl_fd(pfh), DIOCGETRULESET, prs)) goto cleanup; if (recursive_ruleset_purge(prs->path, prs->name)) @@ -769,7 +767,7 @@ change_filter(int add, const char *l_user, const char *ip_src) if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1) goto no_mem; - if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1) + if (asprintf(&fdpath, "/dev/fd/%d", pfctl_fd(pfh)) == -1) goto no_mem; if (asprintf(&ipstr, "user_ip=%s", ip_src) == -1) goto no_mem; @@ -868,7 +866,7 @@ change_table(int add, const char *ip_src) return (-1); } - if (ioctl(dev, add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) && + if (ioctl(pfctl_fd(pfh), add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) && errno != ESRCH) { syslog(LOG_ERR, "cannot %s %s from table %s: %s", add ? "add" : "remove", ip_src, tablename, diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c index 612e35c4ac6e..3bad5feb4be4 100644 --- a/contrib/pf/ftp-proxy/filter.c +++ b/contrib/pf/ftp-proxy/filter.c @@ -57,7 +57,7 @@ static uint32_t pfticket; static uint32_t pfpool_ticket; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; -static int dev, rule_log; +static int rule_log; static struct pfctl_handle *pfh = NULL; static const char *qname, *tagname; @@ -104,7 +104,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(nat)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (ioctl(dev, DIOCADDADDR, &pfp) == -1) + if (ioctl(pfctl_fd(pfh), DIOCADDADDR, &pfp) == -1) return (-1); pfrule.rpool.proxy_port[0] = nat_range_low; @@ -138,7 +138,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(rdr)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (ioctl(dev, DIOCADDADDR, &pfp) == -1) + if (ioctl(pfctl_fd(pfh), DIOCADDADDR, &pfp) == -1) return (-1); pfrule.rpool.proxy_port[0] = rdr_port; @@ -152,7 +152,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, int do_commit(void) { - if (ioctl(dev, DIOCXCOMMIT, &pft) == -1) + if (ioctl(pfctl_fd(pfh), DIOCXCOMMIT, &pft) == -1) return (-1); return (0); @@ -161,7 +161,7 @@ do_commit(void) int do_rollback(void) { - if (ioctl(dev, DIOCXROLLBACK, &pft) == -1) + if (ioctl(pfctl_fd(pfh), DIOCXROLLBACK, &pft) == -1) return (-1); return (0); @@ -180,13 +180,10 @@ init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose) else if (opt_verbose == 2) rule_log = PF_LOG_ALL; - dev = open("/dev/pf", O_RDWR); - if (dev == -1) - err(1, "open /dev/pf"); pfh = pfctl_open(PF_DEVICE); if (pfh == NULL) err(1, "pfctl_open"); - status = pfctl_get_status(dev); + status = pfctl_get_status(pfctl_fd(pfh)); if (status == NULL) err(1, "DIOCGETSTATUS"); if (!status->running) @@ -227,7 +224,7 @@ prepare_commit(u_int32_t id) } } - if (ioctl(dev, DIOCXBEGIN, &pft) == -1) + if (ioctl(pfctl_fd(pfh), DIOCXBEGIN, &pft) == -1) return (-1); return (0); @@ -266,7 +263,7 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, errno = EINVAL; return (-1); } - if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) + if (ioctl(pfctl_fd(pfh), DIOCBEGINADDRS, &pfp) == -1) return (-1); pfpool_ticket = pfp.ticket; @@ -366,7 +363,7 @@ server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy, pnl.sport = client->sin_port; pnl.dport = proxy->sin_port; - if (ioctl(dev, DIOCNATLOOK, &pnl) == -1) + if (ioctl(pfctl_fd(pfh), DIOCNATLOOK, &pnl) == -1) return (-1); memset(server, 0, sizeof(struct sockaddr_in)); @@ -394,7 +391,7 @@ server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy, pnl.sport = client->sin6_port; pnl.dport = proxy->sin6_port; - if (ioctl(dev, DIOCNATLOOK, &pnl) == -1) + if (ioctl(pfctl_fd(pfh), DIOCNATLOOK, &pnl) == -1) return (-1); memset(server, 0, sizeof(struct sockaddr_in6)); diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c index f372ddd0aeae..b69247caf04f 100644 --- a/contrib/pf/tftp-proxy/filter.c +++ b/contrib/pf/tftp-proxy/filter.c @@ -61,7 +61,7 @@ static char pfanchor[PF_ANCHOR_NAME_SIZE]; static char pfanchor_call[PF_ANCHOR_NAME_SIZE]; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; -static int dev, rule_log; +static int rule_log; static struct pfctl_handle *pfh = NULL; static char *qname; @@ -108,7 +108,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(nat)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (ioctl(dev, DIOCADDADDR, &pfp) == -1) + if (ioctl(pfctl_fd(pfh), DIOCADDADDR, &pfp) == -1) return (-1); pfrule.rpool.proxy_port[0] = nat_range_low; @@ -142,7 +142,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, &satosin6(rdr)->sin6_addr.s6_addr, 16); memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16); } - if (ioctl(dev, DIOCADDADDR, &pfp) == -1) + if (ioctl(pfctl_fd(pfh), DIOCADDADDR, &pfp) == -1) return (-1); pfrule.rpool.proxy_port[0] = rdr_port; @@ -156,7 +156,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, int do_commit(void) { - if (ioctl(dev, DIOCXCOMMIT, &pft) == -1) + if (ioctl(pfctl_fd(pfh), DIOCXCOMMIT, &pft) == -1) return (-1); return (0); @@ -165,7 +165,7 @@ do_commit(void) int do_rollback(void) { - if (ioctl(dev, DIOCXROLLBACK, &pft) == -1) + if (ioctl(pfctl_fd(pfh), DIOCXROLLBACK, &pft) == -1) return (-1); return (0); @@ -183,17 +183,12 @@ init_filter(char *opt_qname, int opt_verbose) else if (opt_verbose == 2) rule_log = PF_LOG_ALL; - dev = open("/dev/pf", O_RDWR); - if (dev == -1) { - syslog(LOG_ERR, "can't open /dev/pf"); - exit(1); - } pfh = pfctl_open(PF_DEVICE); if (pfh == NULL) { syslog(LOG_ERR, "can't pfctl_open()"); exit(1); } - status = pfctl_get_status(dev); + status = pfctl_get_status(pfctl_fd(pfh)); if (status == NULL) { syslog(LOG_ERR, "DIOCGETSTATUS"); exit(1); @@ -238,7 +233,7 @@ prepare_commit(u_int32_t id) } } - if (ioctl(dev, DIOCXBEGIN, &pft) == -1) + if (ioctl(pfctl_fd(pfh), DIOCXBEGIN, &pft) == -1) return (-1); return (0); @@ -277,7 +272,7 @@ prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src, errno = EINVAL; return (-1); } - if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1) + if (ioctl(pfctl_fd(pfh), DIOCBEGINADDRS, &pfp) == -1) return (-1); pfpool_ticket = pfp.ticket; @@ -379,7 +374,7 @@ server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy, pnl.sport = client->sin_port; pnl.dport = proxy->sin_port; - if (ioctl(dev, DIOCNATLOOK, &pnl) == -1) + if (ioctl(pfctl_fd(pfh), DIOCNATLOOK, &pnl) == -1) return (-1); memset(server, 0, sizeof(struct sockaddr_in)); @@ -407,7 +402,7 @@ server_lookup6(struct sockaddr_in6 *client, struct sockaddr_in6 *proxy, pnl.sport = client->sin6_port; pnl.dport = proxy->sin6_port; - if (ioctl(dev, DIOCNATLOOK, &pnl) == -1) + if (ioctl(pfctl_fd(pfh), DIOCNATLOOK, &pnl) == -1) return (-1); memset(server, 0, sizeof(struct sockaddr_in6)); diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index b42afc542273..5b9500980996 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -102,6 +102,12 @@ pfctl_close(struct pfctl_handle *h) free(h); } +int +pfctl_fd(struct pfctl_handle *h) +{ + return (h->fd); +} + static int pfctl_do_ioctl(int dev, uint cmd, size_t size, nvlist_t **nvl) { diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index bdb4bfae4be1..a290fa45501a 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -390,6 +390,7 @@ struct pfctl_syncookies { struct pfctl_handle; struct pfctl_handle *pfctl_open(const char *pf_device); void pfctl_close(struct pfctl_handle *); +int pfctl_fd(struct pfctl_handle *); int pfctl_startstop(struct pfctl_handle *h, int start); struct pfctl_status* pfctl_get_status(int dev);