git: 2b29ceb86f50 - main - pfctl: Print Ethernet rules
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 02 Mar 2022 16:00:42 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=2b29ceb86f509dfaf34c3b7f790776c345915dba
commit 2b29ceb86f509dfaf34c3b7f790776c345915dba
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-02-04 12:19:12 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-02 16:00:03 +0000
pfctl: Print Ethernet rules
Extent pfctl to be able to read configured Ethernet filtering rules from
the kernel and print them.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31738
---
lib/libpfctl/libpfctl.c | 179 ++++++++++++++++++++++++++++++++++++++
lib/libpfctl/libpfctl.h | 42 +++++++++
sbin/pfctl/parse.y | 216 +++++++++++++++++++++++++++++++++++++++++++++-
sbin/pfctl/pfctl.c | 89 ++++++++++++++++++-
sbin/pfctl/pfctl_parser.c | 44 ++++++++++
sbin/pfctl/pfctl_parser.h | 5 ++
6 files changed, 568 insertions(+), 7 deletions(-)
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 66f7f61cc1fa..e158faf317c1 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -546,6 +546,185 @@ pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule)
rule->src_nodes = nvlist_get_number(nvl, "src_nodes");
}
+static void
+pfctl_nveth_addr_to_eth_addr(const nvlist_t *nvl, struct pfctl_eth_addr *addr)
+{
+ size_t len;
+ const void *data;
+
+ data = nvlist_get_binary(nvl, "addr", &len);
+ assert(len == sizeof(addr->addr));
+ memcpy(addr->addr, data, sizeof(addr->addr));
+
+ addr->neg = nvlist_get_bool(nvl, "neg");
+}
+
+static nvlist_t *
+pfctl_eth_addr_to_nveth_addr(const struct pfctl_eth_addr *addr)
+{
+ nvlist_t *nvl;
+
+ nvl = nvlist_create(0);
+ if (nvl == NULL)
+ return (NULL);
+
+ nvlist_add_bool(nvl, "neg", addr->neg);
+ nvlist_add_binary(nvl, "addr", &addr->addr, ETHER_ADDR_LEN);
+
+ return (nvl);
+}
+
+static void
+pfctl_nveth_rule_to_eth_rule(const nvlist_t *nvl, struct pfctl_eth_rule *rule)
+{
+ rule->nr = nvlist_get_number(nvl, "nr");
+ rule->quick = nvlist_get_bool(nvl, "quick");
+ strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
+ rule->ifnot = nvlist_get_bool(nvl, "ifnot");
+ rule->direction = nvlist_get_number(nvl, "direction");
+ rule->proto = nvlist_get_number(nvl, "proto");
+
+ pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "src"),
+ &rule->src);
+ pfctl_nveth_addr_to_eth_addr(nvlist_get_nvlist(nvl, "dst"),
+ &rule->dst);
+
+ rule->evaluations = nvlist_get_number(nvl, "evaluations");
+ rule->packets[0] = nvlist_get_number(nvl, "packets-in");
+ rule->packets[1] = nvlist_get_number(nvl, "packets-out");
+ rule->bytes[0] = nvlist_get_number(nvl, "bytes-in");
+ rule->bytes[1] = nvlist_get_number(nvl, "bytes-out");
+
+ strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE);
+ strlcpy(rule->tagname, nvlist_get_string(nvl, "tagname"),
+ PF_TAG_NAME_SIZE);
+
+ rule->action = nvlist_get_number(nvl, "action");
+}
+
+int
+pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules)
+{
+ uint8_t buf[1024];
+ struct pfioc_nv nv;
+ nvlist_t *nvl;
+
+ bzero(rules, sizeof(*rules));
+
+ nv.data = buf;
+ nv.len = nv.size = sizeof(buf);
+
+ if (ioctl(dev, DIOCGETETHRULES, &nv) != 0)
+ return (errno);
+
+ nvl = nvlist_unpack(buf, nv.len, 0);
+ if (nvl == NULL)
+ return (EIO);
+
+ rules->nr = nvlist_get_number(nvl, "nr");
+ rules->ticket = nvlist_get_number(nvl, "ticket");
+
+ nvlist_destroy(nvl);
+ return (0);
+}
+
+int
+pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
+ struct pfctl_eth_rule *rule, bool clear)
+{
+ uint8_t buf[1024];
+ struct pfioc_nv nv;
+ nvlist_t *nvl;
+ void *data;
+ size_t len;
+
+ nvl = nvlist_create(0);
+
+ nvlist_add_number(nvl, "ticket", ticket);
+ nvlist_add_number(nvl, "nr", nr);
+ nvlist_add_bool(nvl, "clear", clear);
+
+ data = nvlist_pack(nvl, &len);
+ nv.data = buf;
+ memcpy(buf, data, len);
+ free(data);
+ nv.len = len;
+ nv.size = sizeof(buf);
+ if (ioctl(dev, DIOCGETETHRULE, &nv)) {
+ nvlist_destroy(nvl);
+ return (errno);
+ }
+ nvlist_destroy(nvl);
+
+ nvl = nvlist_unpack(buf, nv.len, 0);
+ if (nvl == NULL) {
+ return (EIO);
+ }
+
+ pfctl_nveth_rule_to_eth_rule(nvl, rule);
+
+ nvlist_destroy(nvl);
+ return (0);
+}
+
+int
+pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, uint32_t ticket)
+{
+ struct pfioc_nv nv;
+ nvlist_t *nvl, *addr;
+ void *packed;
+ int error;
+ size_t size;
+
+ nvl = nvlist_create(0);
+
+ nvlist_add_number(nvl, "ticket", ticket);
+
+ nvlist_add_number(nvl, "nr", r->nr);
+ nvlist_add_bool(nvl, "quick", r->quick);
+ nvlist_add_string(nvl, "ifname", r->ifname);
+ nvlist_add_bool(nvl, "ifnot", r->ifnot);
+ nvlist_add_number(nvl, "direction", r->direction);
+ nvlist_add_number(nvl, "proto", r->proto);
+
+ addr = pfctl_eth_addr_to_nveth_addr(&r->src);
+ if (addr == NULL) {
+ nvlist_destroy(nvl);
+ return (ENOMEM);
+ }
+ nvlist_add_nvlist(nvl, "src", addr);
+ nvlist_destroy(addr);
+
+ addr = pfctl_eth_addr_to_nveth_addr(&r->dst);
+ if (addr == NULL) {
+ nvlist_destroy(nvl);
+ return (ENOMEM);
+ }
+ nvlist_add_nvlist(nvl, "dst", addr);
+ nvlist_destroy(addr);
+
+ nvlist_add_string(nvl, "qname", r->qname);
+ nvlist_add_string(nvl, "tagname", r->tagname);
+ nvlist_add_number(nvl, "action", r->action);
+
+ packed = nvlist_pack(nvl, &size);
+ if (packed == NULL) {
+ nvlist_destroy(nvl);
+ return (ENOMEM);
+ }
+
+ nv.len = size;
+ nv.size = size;
+ nv.data = packed;
+
+ error = ioctl(dev, DIOCADDETHRULE, &nv);
+
+ free(packed);
+ nvlist_destroy(nvl);
+
+ return (error);
+}
+
int
pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
const char *anchor_call, uint32_t ticket, uint32_t pool_ticket)
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index 6b516b0a7649..e2b3711f9ffd 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -65,6 +65,43 @@ struct pfctl_status {
uint64_t bcounters[2][2];
};
+struct pfctl_eth_rules_info {
+ uint32_t nr;
+ uint32_t ticket;
+};
+
+struct pfctl_eth_addr {
+ uint8_t addr[ETHER_ADDR_LEN];
+ bool neg;
+};
+
+struct pfctl_eth_rule {
+ uint32_t nr;
+
+ bool quick;
+
+ /* Filter */
+ char ifname[IFNAMSIZ];
+ uint8_t ifnot;
+ uint8_t direction;
+ uint16_t proto;
+ struct pfctl_eth_addr src, dst;
+
+ /* Stats */
+ uint64_t evaluations;
+ uint64_t packets[2];
+ uint64_t bytes[2];
+
+ /* Action */
+ char qname[PF_QNAME_SIZE];
+ char tagname[PF_TAG_NAME_SIZE];
+ uint8_t action;
+
+ TAILQ_ENTRY(pfctl_eth_rule) entries;
+};
+
+TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
+
struct pfctl_pool {
struct pf_palist list;
struct pf_pooladdr *cur;
@@ -291,6 +328,11 @@ struct pfctl_syncookies {
struct pfctl_status* pfctl_get_status(int dev);
void pfctl_free_status(struct pfctl_status *status);
+int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules);
+int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
+ struct pfctl_eth_rule *rule, bool clear);
+int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
+ uint32_t ticket);
int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
char *anchor_call);
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index f931d1c062b9..1bf9372cd7a6 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -122,12 +122,19 @@ int atoul(char *, u_long *);
enum {
PFCTL_STATE_NONE,
PFCTL_STATE_OPTION,
+ PFCTL_STATE_ETHER,
PFCTL_STATE_SCRUB,
PFCTL_STATE_QUEUE,
PFCTL_STATE_NAT,
PFCTL_STATE_FILTER
};
+struct node_etherproto {
+ u_int16_t proto;
+ struct node_etherproto *next;
+ struct node_etherproto *tail;
+};
+
struct node_proto {
u_int8_t proto;
struct node_proto *next;
@@ -341,6 +348,8 @@ void expand_label_port(const char *, char *, size_t,
void expand_label_proto(const char *, char *, size_t, u_int8_t);
void expand_label_nr(const char *, char *, size_t,
struct pfctl_rule *);
+void expand_eth_rule(struct pfctl_eth_rule *,
+ struct node_if *, struct node_etherproto *);
void expand_rule(struct pfctl_rule *, struct node_if *,
struct node_host *, struct node_proto *, struct node_os *,
struct node_host *, struct node_port *, struct node_host *,
@@ -396,6 +405,7 @@ typedef struct {
} range;
struct node_if *interface;
struct node_proto *proto;
+ struct node_etherproto *etherproto;
struct node_icmp *icmp;
struct node_host *host;
struct node_os *os;
@@ -408,6 +418,17 @@ typedef struct {
struct peer src, dst;
struct node_os *src_os;
} fromto;
+ struct {
+ u_int8_t src[ETHER_ADDR_LEN];
+ u_int8_t srcneg;
+ u_int8_t dst[ETHER_ADDR_LEN];
+ u_int8_t dstneg;
+ } etherfromto;
+ u_int8_t mac[ETHER_ADDR_LEN];
+ struct {
+ uint8_t mac[ETHER_ADDR_LEN];
+ u_int8_t neg;
+ } etheraddr;
struct {
struct node_host *host;
u_int8_t rt;
@@ -470,6 +491,7 @@ int parseport(char *, struct range *r, int);
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY
%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
%token ANTISPOOF FOR INCLUDE KEEPCOUNTERS SYNCOOKIES
+%token ETHER
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME
%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL
@@ -488,6 +510,7 @@ int parseport(char *, struct range *r, int);
%type <v.probability> probability
%type <v.i> no dir af fragcache optimizer syncookie_val
%type <v.i> sourcetrack flush unaryop statelock
+%type <v.i> etherprotoval
%type <v.b> action nataction natpasslog scrubaction
%type <v.b> flags flag blockspec prio
%type <v.range> portplain portstar portrange
@@ -515,7 +538,7 @@ int parseport(char *, struct range *r, int);
%type <v.state_opt> state_opt_spec state_opt_list state_opt_item
%type <v.logquick> logquick quick log logopts logopt
%type <v.interface> antispoof_ifspc antispoof_iflst antispoof_if
-%type <v.qassign> qname
+%type <v.qassign> qname etherqname
%type <v.queue> qassign qassign_list qassign_item
%type <v.queue_options> scheduler
%type <v.number> cbqflags_list cbqflags_item
@@ -524,7 +547,7 @@ int parseport(char *, struct range *r, int);
%type <v.fairq_opts> fairqopts_list fairqopts_item fairq_opts
%type <v.codel_opts> codelopts_list codelopts_item codel_opts
%type <v.queue_bwspec> bandwidth
-%type <v.filter_opts> filter_opts filter_opt filter_opts_l
+%type <v.filter_opts> filter_opts filter_opt filter_opts_l etherfilter_opts etherfilter_opt etherfilter_opts_l
%type <v.filter_opts> filter_sets filter_set filter_sets_l
%type <v.antispoof_opts> antispoof_opts antispoof_opt antispoof_opts_l
%type <v.queue_opts> queue_opts queue_opt queue_opts_l
@@ -534,12 +557,17 @@ int parseport(char *, struct range *r, int);
%type <v.tagged> tagged
%type <v.rtableid> rtable
%type <v.watermarks> syncookie_opts
+%type <v.etherproto> etherproto etherproto_list etherproto_item
+%type <v.etherfromto> etherfromto
+%type <v.etheraddr> etherfrom etherto
+%type <v.mac> mac
%%
ruleset : /* empty */
| ruleset include '\n'
| ruleset '\n'
| ruleset option '\n'
+ | ruleset etherrule '\n'
| ruleset scrubrule '\n'
| ruleset natrule '\n'
| ruleset binatrule '\n'
@@ -1151,6 +1179,58 @@ scrubaction : no SCRUB {
}
;
+etherrule : ETHER action dir quick interface etherproto etherfromto etherfilter_opts
+ {
+ struct pfctl_eth_rule r;
+
+ bzero(&r, sizeof(r));
+
+ if (check_rulestate(PFCTL_STATE_ETHER))
+ YYERROR;
+
+ r.action = $2.b1;
+ r.direction = $3;
+ r.quick = $4.quick;
+ /* XXX TODO: ! support */
+ memcpy(&r.src.addr, $7.src, sizeof(r.src.addr));
+ r.src.neg = $7.srcneg;
+ memcpy(&r.dst.addr, $7.dst, sizeof(r.dst.addr));
+ r.dst.neg = $7.dstneg;
+ if ($8.tag != NULL)
+ memcpy(&r.tagname, $8.tag, sizeof(r.tagname));
+ if ($8.queues.qname != NULL)
+ memcpy(&r.qname, $8.queues.qname, sizeof(r.qname));
+
+ expand_eth_rule(&r, $5, $6);
+ }
+ ;
+
+etherfilter_opts : {
+ bzero(&filter_opts, sizeof filter_opts);
+ }
+ etherfilter_opts_l
+ { $$ = filter_opts; }
+ | /* empty */ {
+ bzero(&filter_opts, sizeof filter_opts);
+ $$ = filter_opts;
+ }
+ ;
+
+etherfilter_opts_l : etherfilter_opts_l etherfilter_opt
+ | etherfilter_opt
+
+etherfilter_opt : etherqname {
+ if (filter_opts.queues.qname) {
+ yyerror("queue cannot be redefined");
+ YYERROR;
+ }
+ filter_opts.queues = $1;
+ }
+ | TAG string {
+ filter_opts.tag = $2;
+ }
+ ;
+
scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
{
struct pfctl_rule r;
@@ -2978,6 +3058,56 @@ af : /* empty */ { $$ = 0; }
| INET6 { $$ = AF_INET6; }
;
+etherproto : /* empty */ { $$ = NULL; }
+ | PROTO etherproto_item { $$ = $2; }
+ | PROTO '{' optnl etherproto_list '}' { $$ = $4; }
+ ;
+
+etherproto_list : etherproto_item optnl { $$ = $1; }
+ | etherproto_list comma etherproto_item optnl {
+ $1->tail->next = $3;
+ $1->tail = $3;
+ $$ = $1;
+ }
+ ;
+
+etherproto_item : etherprotoval {
+ u_int16_t pr;
+
+ pr = (u_int16_t)$1;
+ if (pr == 0) {
+ yyerror("proto 0 cannot be used");
+ YYERROR;
+ }
+ $$ = calloc(1, sizeof(struct node_proto));
+ if ($$ == NULL)
+ err(1, "proto_item: calloc");
+ $$->proto = pr;
+ $$->next = NULL;
+ $$->tail = $$;
+ }
+ ;
+
+etherprotoval : NUMBER {
+ if ($1 < 0 || $1 > 65565) {
+ yyerror("protocol outside range");
+ YYERROR;
+ }
+ }
+ | STRING
+ {
+ if (!strncmp($1, "0x", 2)) {
+ if (sscanf($1, "0x%4x", &$$) != 1) {
+ free($1);
+ yyerror("invalid EtherType hex");
+ YYERROR;
+ }
+ } else {
+ yyerror("Symbolic EtherType not yet supported");
+ }
+ }
+ ;
+
proto : /* empty */ { $$ = NULL; }
| PROTO proto_item { $$ = $2; }
| PROTO '{' optnl proto_list '}' { $$ = $4; }
@@ -3028,6 +3158,50 @@ protoval : STRING {
}
;
+etherfromto : ALL {
+ bzero($$.src, sizeof($$.src));
+ $$.srcneg = 0;
+ bzero($$.dst, sizeof($$.dst));
+ $$.dstneg = 0;
+ }
+ | etherfrom etherto {
+ memcpy(&$$.src, $1.mac, sizeof($$.src));
+ $$.srcneg = $1.neg;
+ memcpy(&$$.dst, $2.mac, sizeof($$.dst));
+ $$.dstneg = $2.neg;
+ }
+ ;
+
+etherfrom : /* emtpy */ {
+ bzero(&$$, sizeof($$));
+ }
+ | FROM not mac {
+ memcpy(&$$.mac, $3, sizeof($$));
+ $$.neg = $2;
+ }
+ ;
+
+etherto : /* empty */ {
+ bzero(&$$, sizeof($$));
+ }
+ | TO not mac {
+ memcpy(&$$.mac, $3, sizeof($$));
+ $$.neg = $2;
+ }
+ ;
+
+mac : string {
+ if (sscanf($1, "%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx",
+ &$$[0], &$$[1], &$$[2], &$$[3], &$$[4],
+ &$$[5]) != 6) {
+ free($$);
+ free($1);
+ yyerror("invalid MAC address");
+ YYERROR;
+ }
+ }
+ ;
+
fromto : ALL {
$$.src.host = NULL;
$$.src.port = NULL;
@@ -3965,6 +4139,14 @@ label : LABEL STRING {
}
;
+etherqname : QUEUE STRING {
+ $$.qname = $2;
+ }
+ | QUEUE '(' STRING ')' {
+ $$.qname = $3;
+ }
+ ;
+
qname : QUEUE STRING {
$$.qname = $2;
$$.pqname = NULL;
@@ -5422,6 +5604,31 @@ expand_queue(struct pf_altq *a, struct node_if *interfaces,
return (0);
}
+void
+expand_eth_rule(struct pfctl_eth_rule *r,
+ struct node_if *interfaces, struct node_etherproto *protos)
+{
+ struct pfctl_eth_rule *rule;
+
+ LOOP_THROUGH(struct node_if, interface, interfaces,
+ LOOP_THROUGH(struct node_etherproto, proto, protos,
+ r->nr = pf->eth_nr++;
+ strlcpy(r->ifname, interface->ifname,
+ sizeof(r->ifname));
+ r->ifnot = interface->not;
+ r->proto = proto->proto;
+
+ if ((rule = calloc(1, sizeof(*rule))) == NULL)
+ err(1, "calloc");
+ bcopy(r, rule, sizeof(*rule));
+
+ TAILQ_INSERT_TAIL(&pf->eth_rules, rule, entries);
+ ));
+
+ FREE_LIST(struct node_if, interfaces);
+ FREE_LIST(struct node_etherproto, protos);
+}
+
void
expand_rule(struct pfctl_rule *r,
struct node_if *interfaces, struct node_host *rpool_hosts,
@@ -5638,8 +5845,8 @@ int
check_rulestate(int desired_state)
{
if (require_order && (rulestate > desired_state)) {
- yyerror("Rules must be in order: options, normalization, "
- "queueing, translation, filtering");
+ yyerror("Rules must be in order: options, ethernet, "
+ "normalization, queueing, translation, filtering");
return (1);
}
rulestate = desired_state;
@@ -5682,6 +5889,7 @@ lookup(char *s)
{ "drop", DROP},
{ "drop-ovl", FRAGDROP},
{ "dup-to", DUPTO},
+ { "ether", ETHER},
{ "fail-policy", FAILPOLICY},
{ "fairq", FAIRQ},
{ "fastroute", FASTROUTE},
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index a0eec1b09289..83b3c1db0613 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -96,7 +96,9 @@ int pfctl_load_hostid(struct pfctl *, u_int32_t);
int pfctl_load_syncookies(struct pfctl *, u_int8_t);
int pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int,
char *);
+void pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int);
void pfctl_print_rule_counters(struct pfctl_rule *, int);
+int pfctl_show_eth_rules(int, int);
int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
int pfctl_show_nat(int, int, char *);
int pfctl_show_src_nodes(int, int);
@@ -109,6 +111,7 @@ void pfctl_debug(int, u_int32_t, int);
int pfctl_test_altqsupport(int, int);
int pfctl_show_anchors(int, int, char *);
int pfctl_ruleset_trans(struct pfctl *, char *, struct pfctl_anchor *);
+int pfctl_load_eth_ruleset(struct pfctl *);
int pfctl_load_ruleset(struct pfctl *, char *,
struct pfctl_ruleset *, int, int);
int pfctl_load_rule(struct pfctl *, char *, struct pfctl_rule *, int);
@@ -222,9 +225,9 @@ static const char * const clearopt_list[] = {
};
static const char * const showopt_list[] = {
- "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
- "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
- "Running", "all", NULL
+ "ether", "nat", "queue", "rules", "Anchors", "Sources", "states",
+ "info", "Interfaces", "labels", "timeouts", "memory", "Tables",
+ "osfp", "Running", "all", NULL
};
static const char * const tblcmdopt_list[] = {
@@ -986,6 +989,20 @@ pfctl_clear_pool(struct pfctl_pool *pool)
}
}
+void
+pfctl_print_eth_rule_counters(struct pfctl_eth_rule *rule, int opts)
+{
+ if (opts & PF_OPT_VERBOSE) {
+ printf(" [ Evaluations: %-8llu Packets: %-8llu "
+ "Bytes: %-10llu]\n",
+ (unsigned long long)rule->evaluations,
+ (unsigned long long)(rule->packets[0] +
+ rule->packets[1]),
+ (unsigned long long)(rule->bytes[0] +
+ rule->bytes[1]));
+ }
+}
+
void
pfctl_print_rule_counters(struct pfctl_rule *rule, int opts)
{
@@ -1034,6 +1051,35 @@ pfctl_print_title(char *title)
printf("%s\n", title);
}
+int
+pfctl_show_eth_rules(int dev, int opts)
+{
+ struct pfctl_eth_rules_info info;
+ struct pfctl_eth_rule rule;
+ int dotitle = opts & PF_OPT_SHOWALL;
+
+ if (pfctl_get_eth_rules_info(dev, &info)) {
+ warn("DIOCGETETHRULES");
+ return (-1);
+ }
+ for (int nr = 0; nr < info.nr; nr++) {
+ if (pfctl_get_eth_rule(dev, nr, info.ticket, &rule, false)
+ != 0) {
+ warn("DIOCGETETHRULE");
+ return (-1);
+ }
+ if (dotitle) {
+ pfctl_print_title("ETH RULES:");
+ dotitle = 0;
+ }
+ print_eth_rule(&rule, opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG));
+ printf("\n");
+ pfctl_print_eth_rule_counters(&rule, opts);
+ }
+
+ return (0);
+}
+
int
pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
char *anchorname, int depth)
@@ -1466,6 +1512,12 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a)
{
int osize = pf->trans->pfrb_size;
+ if ((pf->loadopt & PFCTL_FLAG_ETH) != 0) {
+ if (! path[0]) {
+ if (pfctl_add_trans(pf->trans, PF_RULESET_ETH, path))
+ return (1);
+ }
+ }
if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
@@ -1491,6 +1543,27 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a)
return (0);
}
+int
+pfctl_load_eth_ruleset(struct pfctl *pf)
+{
+ struct pfctl_eth_rule *r;
+ int error;
+
+ while ((r = TAILQ_FIRST(&pf->eth_rules)) != NULL) {
+ TAILQ_REMOVE(&pf->eth_rules, r, entries);
+
+ if ((pf->opts & PF_OPT_NOACTION) == 0) {
+ error = pfctl_add_eth_rule(pf->dev, r, pf->eth_ticket);
+ if (error)
+ return (error);
+ }
+
+ free(r);
+ }
+
+ return (0);
+}
+
int
pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs,
int rs_num, int depth)
@@ -1669,6 +1742,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
pf.opts = opts;
pf.optimize = optimize;
pf.loadopt = loadopt;
+ TAILQ_INIT(&pf.eth_rules);
/* non-brace anchor, create without resolving the path */
if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
@@ -1700,6 +1774,8 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
*/
if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
ERRX("pfctl_rules");
+ if (pf.loadopt & PFCTL_FLAG_ETH)
+ pf.eth_ticket = pfctl_get_ticket(t, PF_RULESET_ETH, anchorname);
if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
pa.ticket =
pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
@@ -1720,6 +1796,8 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
if ((pf.loadopt & PFCTL_FLAG_FILTER &&
(pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
+ (pf.loadopt & PFCTL_FLAG_ETH &&
+ (pfctl_load_eth_ruleset(&pf))) ||
(pf.loadopt & PFCTL_FLAG_NAT &&
(pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
@@ -2561,10 +2639,15 @@ main(int argc, char *argv[])
case 'm':
pfctl_show_limits(dev, opts);
break;
+ case 'e':
+ pfctl_show_eth_rules(dev, opts);
+ break;
case 'a':
opts |= PF_OPT_SHOWALL;
pfctl_load_fingerprints(dev, opts);
+ pfctl_show_eth_rules(dev, opts);
+
pfctl_show_nat(dev, opts, anchorname);
pfctl_show_rules(dev, path, opts, 0, anchorname, 0);
pfctl_show_altq(dev, ifaceopt, opts, 0);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 5a01c30a076e..8814dc38b23c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -691,6 +691,50 @@ print_src_node(struct pf_src_node *sn, int opts)
}
}
+static void
+print_eth_addr(const struct pfctl_eth_addr *a)
+{
+ printf("%s%02x:%02x:%02x:%02x:%02x:%02x", a->neg ? "! " : "",
+ a->addr[0], a->addr[1], a->addr[2], a->addr[3], a->addr[4],
+ a->addr[5]);
+}
+
+void
+print_eth_rule(struct pfctl_eth_rule *r, int rule_numbers)
+{
+ static const char *actiontypes[] = { "pass", "block" };
+
+ if (rule_numbers)
+ printf("@%u ", r->nr);
+
+ printf("ether %s", actiontypes[r->action]);
+ if (r->direction == PF_IN)
+ printf(" in");
+ else if (r->direction == PF_OUT)
+ printf(" out");
+
+ if (r->quick)
+ printf(" quick");
+ if (r->ifname[0]) {
+ if (r->ifnot)
+ printf(" on ! %s", r->ifname);
+ else
+ printf(" on %s", r->ifname);
+ }
+ if (r->proto)
+ printf(" proto 0x%04x", r->proto);
+
+ printf(" from ");
+ print_eth_addr(&r->src);
+ printf(" to ");
+ print_eth_addr(&r->dst);
+
+ if (r->qname[0])
+ printf(" queue %s", r->qname);
+ if (r->tagname[0])
+ printf(" tag %s", r->tagname);
+}
+
void
print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numeric)
{
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 0cd19a560f8d..1d69682b1b6c 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -90,6 +90,9 @@ struct pfctl {
struct pfioc_queue *pqueue;
struct pfr_buffer *trans;
struct pfctl_anchor *anchor, *alast;
+ int eth_nr;
+ struct pfctl_eth_rules eth_rules;
+ u_int32_t eth_ticket;
const char *ruleset;
/* 'set foo' options */
@@ -284,6 +287,7 @@ int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
void print_pool(struct pfctl_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_src_node(struct pf_src_node *, int);
+void print_eth_rule(struct pfctl_eth_rule *, int);
void print_rule(struct pfctl_rule *, const char *, int, int);
void print_tabledef(const char *, int, int, struct node_tinithead *);
void print_status(struct pfctl_status *, struct pfctl_syncookies *, int);
@@ -336,6 +340,7 @@ struct pf_timeout {
#define PFCTL_FLAG_OPTION 0x08
#define PFCTL_FLAG_ALTQ 0x10
#define PFCTL_FLAG_TABLE 0x20
+#define PFCTL_FLAG_ETH 0x40
extern const struct pf_timeout pf_timeouts[];