libpfctl: support flushing rules/nat/eth
Move the code to flush regular rules, nat rules and Ethernet rules into
libpfctl for easier re-use.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34442

(cherry picked from commit f0c334e)
kprovost authored and fichtner committed Dec 13, 2022
1 parent 8a0e090 commit bea4498
Showing 3 changed files with 81 additions and 23 deletions.
65 changes: 65 additions & 0 deletions lib/libpfctl/libpfctl.c
Expand Up @@ -946,6 +946,71 @@ pfctl_kill_states(int dev, const struct pfctl_kill *kill, unsigned int *killed)
return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV));
}

int
pfctl_clear_rules(int dev, const char *anchorname)
{
struct pfioc_trans trans;
struct pfioc_trans_e transe[2];
int ret;

bzero(&trans, sizeof(trans));
bzero(&transe, sizeof(transe));

transe[0].rs_num = PF_RULESET_SCRUB;
if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
>= sizeof(transe[0].anchor))
return (E2BIG);

transe[1].rs_num = PF_RULESET_FILTER;
if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
>= sizeof(transe[1].anchor))
return (E2BIG);

trans.size = 2;
trans.esize = sizeof(transe[0]);
trans.array = transe;

ret = ioctl(dev, DIOCXBEGIN, &trans);
if (ret != 0)
return (ret);
return ioctl(dev, DIOCXCOMMIT, &trans);
}

int
pfctl_clear_nat(int dev, const char *anchorname)
{
struct pfioc_trans trans;
struct pfioc_trans_e transe[3];
int ret;

bzero(&trans, sizeof(trans));
bzero(&transe, sizeof(transe));

transe[0].rs_num = PF_RULESET_NAT;
if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
>= sizeof(transe[0].anchor))
return (E2BIG);

transe[1].rs_num = PF_RULESET_BINAT;
if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
>= sizeof(transe[0].anchor))
return (E2BIG);

transe[2].rs_num = PF_RULESET_RDR;
if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor))
>= sizeof(transe[2].anchor))
return (E2BIG);

trans.size = 3;
trans.esize = sizeof(transe[0]);
trans.array = transe;

ret = ioctl(dev, DIOCXBEGIN, &trans);
if (ret != 0)
return (ret);
return ioctl(dev, DIOCXCOMMIT, &trans);
}

static int
pfctl_get_limit(int dev, const int index, uint *limit)
{
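Review bot: The new pfctl_clear_rules and pfctl_clear_nat mix two error conventions — the truncated-anchor checks `return (E2BIG)` as a positive code without touching errno, while the ioctl paths return -1 with errno set — so a caller such as pfctl.c's `err(1, "pfctl_clear_rules")` in this same commit prints a stale errno when the anchor name does not fit; turning each of those five sites into `errno = E2BIG; return (-1);` (or, alternatively, returning errno from the ioctl paths too) would give callers one contract. Secondly, when DIOCXCOMMIT fails the transaction opened by DIOCXBEGIN is, as far as I can tell, left pending in the kernel; rolling it back with DIOCXROLLBACK while preserving the commit's errno keeps both the kernel state and the caller's diagnostic clean (sketch below for pfctl_clear_rules; pfctl_clear_nat needs the same tail). Minor: the transe[1] check in pfctl_clear_nat compares against `sizeof(transe[0].anchor)` — harmless since both entries share a type, but it should read `sizeof(transe[1].anchor)`. Note also that the commit title promises Ethernet-rule flushing, yet no eth helper appears in this cherry-pick; if that was dropped deliberately for this branch, the message should say so.
```c
	ret = ioctl(dev, DIOCXBEGIN, &trans);
	if (ret != 0)
		return (ret);
	if (ioctl(dev, DIOCXCOMMIT, &trans) != 0) {
		/* Don't leave a half-open transaction behind; keep the commit's errno. */
		int saved_errno = errno;
		(void)ioctl(dev, DIOCXROLLBACK, &trans);
		errno = saved_errno;
		return (-1);
	}
	return (0);
```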
2 changes: 2 additions & 0 deletions lib/libpfctl/libpfctl.h
Expand Up @@ -304,6 +304,8 @@ int pfctl_clear_states(int dev, const struct pfctl_kill *kill,
unsigned int *killed);
int pfctl_kill_states(int dev, const struct pfctl_kill *kill,
unsigned int *killed);
int pfctl_clear_rules(int dev, const char *anchorname);
int pfctl_clear_nat(int dev, const char *anchorname);
int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);

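Review bot: The two new prototypes carry no documentation, and because the implementations in this commit signal failure in two ways (E2BIG returned directly for a truncated anchor, -1 with errno for ioctl failures), the header is where a caller will look for the contract. I would put a short comment above them once the convention is settled, along the lines of `/* Flush the scrub+filter (resp. nat/binat/rdr) rulesets of anchorname in one transaction. Returns 0 on success; see the implementation for how E2BIG (anchorname too long) and ioctl errors are reported. */`. Whatever the final convention, the header comment should state it so that pfctl's err()-based callers can rely on errno.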
37 changes: 14 additions & 23 deletions sbin/pfctl/pfctl.c
Expand Up @@ -75,8 +75,8 @@ int pfctl_get_skip_ifaces(void);
int pfctl_check_skip_ifaces(char *);
int pfctl_adjust_skip_ifaces(struct pfctl *);
int pfctl_clear_interface_flags(int, int);
int pfctl_clear_rules(int, int, char *);
int pfctl_clear_nat(int, int, char *);
int pfctl_flush_rules(int, int, char *);
int pfctl_flush_nat(int, int, char *);
int pfctl_clear_altq(int, int);
int pfctl_clear_src_nodes(int, int);
int pfctl_clear_iface_states(int, const char *, int);
Expand Down Expand Up @@ -449,34 +449,25 @@ pfctl_clear_interface_flags(int dev, int opts)
}

int
pfctl_clear_rules(int dev, int opts, char *anchorname)
pfctl_flush_rules(int dev, int opts, char *anchorname)
{
struct pfr_buffer t;
int ret;

memset(&t, 0, sizeof(t));
t.pfrb_type = PFRB_TRANS;
if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
ret = pfctl_clear_rules(dev, anchorname);
if (ret != 0)
err(1, "pfctl_clear_rules");
if ((opts & PF_OPT_QUIET) == 0)
fprintf(stderr, "rules cleared\n");
return (0);
}

int
pfctl_clear_nat(int dev, int opts, char *anchorname)
pfctl_flush_nat(int dev, int opts, char *anchorname)
{
struct pfr_buffer t;
int ret;

memset(&t, 0, sizeof(t));
t.pfrb_type = PFRB_TRANS;
if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
ret = pfctl_clear_nat(dev, anchorname);
if (ret != 0)
err(1, "pfctl_clear_nat");
if ((opts & PF_OPT_QUIET) == 0)
fprintf(stderr, "nat cleared\n");
Expand Down Expand Up @@ -2601,10 +2592,10 @@ main(int argc, char *argv[])

switch (*clearopt) {
case 'r':
pfctl_clear_rules(dev, opts, anchorname);
pfctl_flush_rules(dev, opts, anchorname);
break;
case 'n':
pfctl_clear_nat(dev, opts, anchorname);
pfctl_flush_nat(dev, opts, anchorname);
break;
case 'q':
pfctl_clear_altq(dev, opts);
Expand All @@ -2619,8 +2610,8 @@ main(int argc, char *argv[])
pfctl_clear_stats(dev, opts);
break;
case 'a':
pfctl_clear_rules(dev, opts, anchorname);
pfctl_clear_nat(dev, opts, anchorname);
pfctl_flush_rules(dev, opts, anchorname);
pfctl_flush_nat(dev, opts, anchorname);
pfctl_clear_tables(anchorname, opts);
if (!*anchorname) {
pfctl_clear_altq(dev, opts);
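Review bot: pfctl_flush_rules and pfctl_flush_nat now report failure with `err(1, ...)`, which formats errno, but the libpfctl helpers they call return the positive code E2BIG without setting errno when the anchor name is truncated, so that path prints a message for whatever errno happened to be; the clean fix is in the library, but if it stays as is the caller should report the right cause, e.g. `errx(1, "pfctl_clear_rules: %s", strerror(ret > 0 ? ret : errno));` (and likewise for nat). The `anchorname` parameter of both wrappers could also become `const char *` in the prototypes and definitions, since they only forward it to a library function that takes `const char *`. pfctl_flush_nat's body and the main() hunks continue outside what is shown here.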
