The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=5824df8d991c32def616c51994161e60e5b78948
commit 5824df8d991c32def616c51994161e60e5b78948
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2024-03-23 06:31:51 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2024-04-29 14:32:23 +0000
pf: convert DIOCGETSTATUS to netlink
Introduce pfctl_get_status_h() because we need the pfctl_handle. In this
variant
use netlink to obtain the information.
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
contrib/pf/ftp-proxy/filter.c | 2 +-
contrib/pf/tftp-proxy/filter.c | 2 +-
lib/libpfctl/libpfctl.c | 147 ++++++++++++++++++++++++++++++
lib/libpfctl/libpfctl.h | 1 +
sbin/pfctl/pfctl.c | 4 +-
sys/netlink/netlink_message_writer.h | 6 ++
sys/netlink/netlink_snl.h | 11 +++
sys/netpfil/pf/pf_nl.c | 114 ++++++++++++++++++++++-
sys/netpfil/pf/pf_nl.h | 29 ++++++
usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c | 35 +++----
10 files changed, 329 insertions(+), 22 deletions(-)
diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c
index 3bad5feb4be4..7893be97f9b2 100644
--- a/contrib/pf/ftp-proxy/filter.c
+++ b/contrib/pf/ftp-proxy/filter.c
@@ -183,7 +183,7 @@ init_filter(const char *opt_qname, const char *opt_tagname,
int opt_verbose)
pfh = pfctl_open(PF_DEVICE);
if (pfh == NULL)
err(1, "pfctl_open");
- status = pfctl_get_status(pfctl_fd(pfh));
+ status = pfctl_get_status_h(pfh);
if (status == NULL)
err(1, "DIOCGETSTATUS");
if (!status->running)
diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c
index b69247caf04f..1e6d54303996 100644
--- a/contrib/pf/tftp-proxy/filter.c
+++ b/contrib/pf/tftp-proxy/filter.c
@@ -188,7 +188,7 @@ init_filter(char *opt_qname, int opt_verbose)
syslog(LOG_ERR, "can't pfctl_open()");
exit(1);
}
- status = pfctl_get_status(pfctl_fd(pfh));
+ status = pfctl_get_status_h(pfh);
if (status == NULL) {
syslog(LOG_ERR, "DIOCGETSTATUS");
exit(1);
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 5b9500980996..6da3b6969107 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -287,6 +287,153 @@ _pfctl_get_status_counters(const nvlist_t *nvl,
}
}
+#define _OUT(_field) offsetof(struct pfctl_status_counter, _field)
+static const struct snl_attr_parser ap_counter[] = {
+ { .type = PF_C_COUNTER, .off = _OUT(counter), .cb = snl_attr_get_uint64
},
+ { .type = PF_C_NAME, .off = _OUT(name), .cb = snl_attr_get_string },
+ { .type = PF_C_ID, .off = _OUT(id), .cb = snl_attr_get_uint32 },
+};
+SNL_DECLARE_ATTR_PARSER(counter_parser, ap_counter);
+#undef _OUT
+
+static bool
+snl_attr_get_counters(struct snl_state *ss, struct nlattr *nla,
+ const void *arg __unused, void *target)
+{
+ struct pfctl_status_counter counter = {};
+ struct pfctl_status_counter *c;
+ bool error;
+
+ error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla),
&counter_parser, &counter);
+ if (! error)
+ return (error);
+
+ c = malloc(sizeof(*c));
+ if (c == NULL)
+ return (false);
+
+ c->id = counter.id;
+ c->counter = counter.counter;
+ c->name = strdup(counter.name);
+
+ TAILQ_INSERT_TAIL((struct pfctl_status_counters *)target, c, entry);
+
+ return (error);
+}
+
+struct snl_uint64_array {
+ uint64_t *array;
+ size_t count;
+ size_t max;
+};
+static bool
+snl_attr_get_uint64_element(struct snl_state *ss, struct nlattr *nla,
+ const void *arg, void *target)
+{
+ bool error;
+ uint64_t value;
+ struct snl_uint64_array *t = (struct snl_uint64_array *)target;
+
+ if (t->count >= t->max)
+ return (false);
+
+ error = snl_attr_get_uint64(ss, nla, arg, &value);
+ if (! error)
+ return (error);
+
+ t->array[t->count++] = value;
+
+ return (true);
+}
+
+static const struct snl_attr_parser ap_array[] = {
+ { .cb = snl_attr_get_uint64_element },
+};
+SNL_DECLARE_ATTR_PARSER(array_parser, ap_array);
+static bool
+snl_attr_get_uint64_array(struct snl_state *ss, struct nlattr *nla,
+ const void *arg, void *target)
+{
+ struct snl_uint64_array a = {
+ .array = target,
+ .count = 0,
+ .max = (size_t)arg,
+ };
+ bool error;
+
+ error = snl_parse_header(ss, NLA_DATA(nla), NLA_DATA_LEN(nla),
&array_parser, &a);
+ if (! error)
+ return (error);
+
+ return (true);
+}
+
+#define _OUT(_field) offsetof(struct pfctl_status, _field)
+static const struct snl_attr_parser ap_getstatus[] = {
+ { .type = PF_GS_IFNAME, .off = _OUT(ifname), .arg_u32 = IFNAMSIZ, .cb =
snl_attr_copy_string },
+ { .type = PF_GS_RUNNING, .off = _OUT(running), .cb = snl_attr_get_bool
},
+ { .type = PF_GS_SINCE, .off = _OUT(since), .cb = snl_attr_get_uint32 },
+ { .type = PF_GS_DEBUG, .off = _OUT(debug), .cb = snl_attr_get_uint32 },
+ { .type = PF_GS_HOSTID, .off = _OUT(hostid), .cb = snl_attr_get_uint32
},
+ { .type = PF_GS_STATES, .off = _OUT(states), .cb = snl_attr_get_uint32
},
+ { .type = PF_GS_SRC_NODES, .off = _OUT(src_nodes), .cb =
snl_attr_get_uint32 },
+ { .type = PF_GS_REASSEMBLE, .off = _OUT(reass), .cb =
snl_attr_get_uint32 },
+ { .type = PF_GS_SYNCOOKIES_ACTIVE, .off = _OUT(syncookies_active), .cb
= snl_attr_get_uint32 },
+ { .type = PF_GS_COUNTERS, .off = _OUT(counters), .cb =
snl_attr_get_counters },
+ { .type = PF_GS_LCOUNTERS, .off = _OUT(lcounters), .cb =
snl_attr_get_counters },
+ { .type = PF_GS_FCOUNTERS, .off = _OUT(fcounters), .cb =
snl_attr_get_counters },
+ { .type = PF_GS_SCOUNTERS, .off = _OUT(scounters), .cb =
snl_attr_get_counters },
+ { .type = PF_GS_CHKSUM, .off = _OUT(pf_chksum), .arg_u32 =
PF_MD5_DIGEST_LENGTH, .cb = snl_attr_get_bytes },
+ { .type = PF_GS_BCOUNTERS, .off = _OUT(bcounters), .arg_u32 = 2 * 2,
.cb = snl_attr_get_uint64_array },
+ { .type = PF_GS_PCOUNTERS, .off = _OUT(pcounters), .arg_u32 = 2 * 2 *
2, .cb = snl_attr_get_uint64_array },
+};
+static struct snl_field_parser fp_getstatus[] = {};
+SNL_DECLARE_PARSER(getstatus_parser, struct genlmsghdr, fp_getstatus,
ap_getstatus);
+#undef _OUT
+
+struct pfctl_status *
+pfctl_get_status_h(struct pfctl_handle *h __unused)
+{
+ struct pfctl_status *status;
+ struct snl_errmsg_data e = {};
+ struct nlmsghdr *hdr;
+ struct snl_writer nw;
+ uint32_t seq_id;
+ int family_id;
+
+ family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME);
+ if (family_id == 0)
+ return (NULL);
+
+ snl_init_writer(&h->ss, &nw);
+ hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_GET_STATUS);
+ hdr->nlmsg_flags |= NLM_F_DUMP;
+
+ hdr = snl_finalize_msg(&nw);
+ if (hdr == NULL) {
+ return (NULL);
+ }
+
+ seq_id = hdr->nlmsg_seq;
+ if (! snl_send_message(&h->ss, hdr))
+ return (NULL);
+
+ status = calloc(1, sizeof(*status));
+ if (status == NULL)
+ return (NULL);
+ TAILQ_INIT(&status->counters);
+ TAILQ_INIT(&status->lcounters);
+ TAILQ_INIT(&status->fcounters);
+ TAILQ_INIT(&status->scounters);
+
+ while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) {
+ if (! snl_parse_nlmsg(&h->ss, hdr, &getstatus_parser, status))
+ continue;
+ }
+
+ return (status);
+}
+
struct pfctl_status *
pfctl_get_status(int dev)
{
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index a290fa45501a..2937a36a8a47 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -393,6 +393,7 @@ void pfctl_close(struct pfctl_handle *);
int pfctl_fd(struct pfctl_handle *);
int pfctl_startstop(struct pfctl_handle *h, int start);
+struct pfctl_status* pfctl_get_status_h(struct pfctl_handle *h);
struct pfctl_status* pfctl_get_status(int dev);
uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 8d59871701f8..17901b04a130 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1578,7 +1578,7 @@ pfctl_show_status(int dev, int opts)
struct pfctl_status *status;
struct pfctl_syncookies cookies;
- if ((status = pfctl_get_status(dev)) == NULL) {
+ if ((status = pfctl_get_status_h(pfh)) == NULL) {
warn("DIOCGETSTATUS");
return (-1);
}
@@ -1600,7 +1600,7 @@ pfctl_show_running(int dev)
struct pfctl_status *status;
int running;
- if ((status = pfctl_get_status(dev)) == NULL) {
+ if ((status = pfctl_get_status_h(pfh)) == NULL) {
warn("DIOCGETSTATUS");
return (-1);
}
diff --git a/sys/netlink/netlink_message_writer.h
b/sys/netlink/netlink_message_writer.h
index 28f3fb78018c..cb771cf93e53 100644
--- a/sys/netlink/netlink_message_writer.h
+++ b/sys/netlink/netlink_message_writer.h
@@ -225,6 +225,12 @@ nlattr_add_raw(struct nl_writer *nw, const struct nlattr
*nla_src)
return (nlattr_add(nw, nla_src->nla_type, attr_len, (const void
*)(nla_src + 1)));
}
+static inline bool
+nlattr_add_bool(struct nl_writer *nw, int attrtype, bool value)
+{
+ return (nlattr_add(nw, attrtype, sizeof(bool), &value));
+}
+
static inline bool
nlattr_add_u8(struct nl_writer *nw, int attrtype, uint8_t value)
{
diff --git a/sys/netlink/netlink_snl.h b/sys/netlink/netlink_snl.h
index 6553a391a8f5..7550800bb0f7 100644
--- a/sys/netlink/netlink_snl.h
+++ b/sys/netlink/netlink_snl.h
@@ -537,6 +537,17 @@ snl_attr_get_bytes(struct snl_state *ss __unused, struct
nlattr *nla, const void
return (true);
}
+static inline bool
+snl_attr_get_bool(struct snl_state *ss __unused, struct nlattr *nla,
+ const void *arg __unused, void *target)
+{
+ if (NLA_DATA_LEN(nla) == sizeof(bool)) {
+ *((bool *)target) = *((const bool *)NLA_DATA_CONST(nla));
+ return (true);
+ }
+ return (false);
+}
+
static inline bool
snl_attr_get_uint8(struct snl_state *ss __unused, struct nlattr *nla,
const void *arg __unused, void *target)
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index 5f33e49b4a2e..307e1ca1689d 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -1109,6 +1109,111 @@ pf_handle_set_statusif(struct nlmsghdr *hdr, struct
nl_pstate *npt)
return (0);
}
+static bool
+nlattr_add_counters(struct nl_writer *nw, int attr, size_t number, char
**names,
+ counter_u64_t *counters)
+{
+ for (int i = 0; i < number; i++) {
+ int off = nlattr_add_nested(nw, attr);
+ nlattr_add_u32(nw, PF_C_ID, i);
+ nlattr_add_string(nw, PF_C_NAME, names[i]);
+ nlattr_add_u64(nw, PF_C_COUNTER,
counter_u64_fetch(counters[i]));
+ nlattr_set_len(nw, off);
+ }
+
+ return (true);
+}
+
+static bool
+nlattr_add_fcounters(struct nl_writer *nw, int attr, size_t number, char
**names,
+ struct pf_counter_u64 *counters)
+{
+ for (int i = 0; i < number; i++) {
+ int off = nlattr_add_nested(nw, attr);
+ nlattr_add_u32(nw, PF_C_ID, i);
+ nlattr_add_string(nw, PF_C_NAME, names[i]);
+ nlattr_add_u64(nw, PF_C_COUNTER,
pf_counter_u64_fetch(&counters[i]));
+ nlattr_set_len(nw, off);
+ }
+
+ return (true);
+}
+
+static bool
+nlattr_add_u64_array(struct nl_writer *nw, int attr, size_t number, uint64_t
*array)
+{
+ int off = nlattr_add_nested(nw, attr);
+
+ for (size_t i = 0; i < number; i++)
+ nlattr_add_u64(nw, 0, array[i]);
+
+ nlattr_set_len(nw, off);
+
+ return (true);
+}
+
+static int
+pf_handle_get_status(struct nlmsghdr *hdr, struct nl_pstate *npt)
+{
+ struct pf_status s;
+ struct nl_writer *nw = npt->nw;
+ struct genlmsghdr *ghdr_new;
+ char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
+ char *pf_lcounter[KLCNT_MAX+1] = KLCNT_NAMES;
+ char *pf_fcounter[FCNT_MAX+1] = FCNT_NAMES;
+ int error;
+
+ PF_RULES_RLOCK_TRACKER;
+
+ if (!nlmsg_reply(nw, hdr, sizeof(struct genlmsghdr)))
+ return (ENOMEM);
+
+ ghdr_new = nlmsg_reserve_object(nw, struct genlmsghdr);
+ ghdr_new->cmd = PFNL_CMD_GET_STATUS;
+ ghdr_new->version = 0;
+ ghdr_new->reserved = 0;
+
+ PF_RULES_RLOCK();
+
+ nlattr_add_string(nw, PF_GS_IFNAME, V_pf_status.ifname);
+ nlattr_add_bool(nw, PF_GS_RUNNING, V_pf_status.running);
+ nlattr_add_u32(nw, PF_GS_SINCE, V_pf_status.since);
+ nlattr_add_u32(nw, PF_GS_DEBUG, V_pf_status.debug);
+ nlattr_add_u32(nw, PF_GS_HOSTID, ntohl(V_pf_status.hostid));
+ nlattr_add_u32(nw, PF_GS_STATES, V_pf_status.states);
+ nlattr_add_u32(nw, PF_GS_SRC_NODES, V_pf_status.src_nodes);
+ nlattr_add_u32(nw, PF_GS_REASSEMBLE, V_pf_status.reass);
+ nlattr_add_u32(nw, PF_GS_SYNCOOKIES_ACTIVE,
V_pf_status.syncookies_active);
+
+ nlattr_add_counters(nw, PF_GS_COUNTERS, PFRES_MAX, pf_reasons,
+ V_pf_status.counters);
+ nlattr_add_counters(nw, PF_GS_LCOUNTERS, KLCNT_MAX, pf_lcounter,
+ V_pf_status.lcounters);
+ nlattr_add_fcounters(nw, PF_GS_FCOUNTERS, FCNT_MAX, pf_fcounter,
+ V_pf_status.fcounters);
+ nlattr_add_counters(nw, PF_GS_SCOUNTERS, SCNT_MAX, pf_fcounter,
+ V_pf_status.scounters);
+
+ pfi_update_status(V_pf_status.ifname, &s);
+ nlattr_add_u64_array(nw, PF_GS_BCOUNTERS, 2 * 2, (uint64_t
*)s.bcounters);
+ nlattr_add_u64_array(nw, PF_GS_PCOUNTERS, 2 * 2 * 2, (uint64_t
*)s.pcounters);
+
+ nlattr_add(nw, PF_GS_CHKSUM, PF_MD5_DIGEST_LENGTH,
V_pf_status.pf_chksum);
+
+ PF_RULES_RUNLOCK();
+
+ if (!nlmsg_end(nw)) {
+ error = ENOMEM;
+ goto out;
+ }
+
+ return (0);
+
+out:
+ nlmsg_abort(nw);
+ return (error);
+}
+
static const struct nlhdr_parser *all_parsers[] = {
&state_parser,
&addrule_parser,
@@ -1189,7 +1294,14 @@ static const struct genl_cmd pf_cmds[] = {
.cmd_cb = pf_handle_set_statusif,
.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
.cmd_priv = PRIV_NETINET_PF,
- }
+ },
+ {
+ .cmd_num = PFNL_CMD_GET_STATUS,
+ .cmd_name = "GETSTATUS",
+ .cmd_cb = pf_handle_get_status,
+ .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
+ .cmd_priv = PRIV_NETINET_PF,
+ },
};
void
diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h
index c44e331722b7..e486e9781b2e 100644
--- a/sys/netpfil/pf/pf_nl.h
+++ b/sys/netpfil/pf/pf_nl.h
@@ -46,6 +46,7 @@ enum {
PFNL_CMD_CLRSTATES = 8,
PFNL_CMD_KILLSTATES = 9,
PFNL_CMD_SET_STATUSIF = 10,
+ PFNL_CMD_GET_STATUS = 11,
__PFNL_CMD_MAX,
};
#define PFNL_CMD_MAX (__PFNL_CMD_MAX -1)
@@ -286,6 +287,34 @@ enum pf_set_statusif_types_t {
PF_SS_UNSPEC,
PF_SS_IFNAME = 1, /* string */
};
+
+enum pf_counter_types_t {
+ PF_C_UNSPEC,
+ PF_C_COUNTER = 1, /* u64 */
+ PF_C_NAME = 2, /* string */
+ PF_C_ID = 3, /* u32 */
+};
+
+enum pf_get_status_types_t {
+ PF_GS_UNSPEC,
+ PF_GS_IFNAME = 1, /* string */
+ PF_GS_RUNNING = 2, /* bool */
+ PF_GS_SINCE = 3, /* u32 */
+ PF_GS_DEBUG = 4, /* u32 */
+ PF_GS_HOSTID = 5, /* u32 */
+ PF_GS_STATES = 6, /* u32 */
+ PF_GS_SRC_NODES = 7, /* u32 */
+ PF_GS_REASSEMBLE = 8, /* u32 */
+ PF_GS_SYNCOOKIES_ACTIVE = 9, /* bool */
+ PF_GS_COUNTERS = 10, /* nested, */
+ PF_GS_LCOUNTERS = 11, /* nested, */
+ PF_GS_FCOUNTERS = 12, /* nested, */
+ PF_GS_SCOUNTERS = 13, /* nested, */
+ PF_GS_CHKSUM = 14, /* byte array */
+ PF_GS_PCOUNTERS = 15, /* u64 array */
+ PF_GS_BCOUNTERS = 16, /* u64 array */
+};
+
#ifdef _KERNEL
void pf_nl_register(void);
diff --git a/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
b/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
index bb064dd549d2..e618683845be 100644
--- a/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
+++ b/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
@@ -50,7 +50,7 @@
struct lmodule *module;
-static int dev = -1;
+static struct pfctl_handle *pfh;
static int started;
static uint64_t pf_tick;
@@ -341,7 +341,7 @@ pf_limits(struct snmp_context __unused *ctx, struct
snmp_value *val,
return (SNMP_ERR_NOSUCHNAME);
}
- if (ioctl(dev, DIOCGETLIMIT, &pl)) {
+ if (ioctl(pfctl_fd(pfh), DIOCGETLIMIT, &pl)) {
syslog(LOG_ERR, "pf_limits(): ioctl(): %s",
strerror(errno));
return (SNMP_ERR_GENERR);
@@ -431,7 +431,7 @@ pf_timeouts(struct snmp_context __unused *ctx, struct
snmp_value *val,
return (SNMP_ERR_NOSUCHNAME);
}
- if (ioctl(dev, DIOCGETTIMEOUT, &pt)) {
+ if (ioctl(pfctl_fd(pfh), DIOCGETTIMEOUT, &pt)) {
syslog(LOG_ERR, "pf_timeouts(): ioctl(): %s",
strerror(errno));
return (SNMP_ERR_GENERR);
@@ -1174,7 +1174,7 @@ pfi_refresh(void)
io.pfiio_size = numifs;
io.pfiio_buffer = p;
- if (ioctl(dev, DIOCIGETIFACES, &io)) {
+ if (ioctl(pfctl_fd(pfh), DIOCIGETIFACES, &io)) {
syslog(LOG_ERR, "pfi_refresh(): ioctl(): %s",
strerror(errno));
goto err2;
@@ -1231,7 +1231,7 @@ pfq_refresh(void)
bzero(&pa, sizeof(pa));
pa.version = PFIOC_ALTQ_VERSION;
- if (ioctl(dev, DIOCGETALTQS, &pa)) {
+ if (ioctl(pfctl_fd(pfh), DIOCGETALTQS, &pa)) {
syslog(LOG_ERR, "pfq_refresh: ioctl(DIOCGETALTQS): %s",
strerror(errno));
return (-1);
@@ -1251,7 +1251,7 @@ pfq_refresh(void)
pa.ticket = ticket;
pa.nr = i;
- if (ioctl(dev, DIOCGETALTQ, &pa)) {
+ if (ioctl(pfctl_fd(pfh), DIOCGETALTQ, &pa)) {
syslog(LOG_ERR, "pfq_refresh(): "
"ioctl(DIOCGETALTQ): %s",
strerror(errno));
@@ -1287,7 +1287,7 @@ pfs_refresh(void)
return (0);
pfctl_free_status(pfs);
- pfs = pfctl_get_status(dev);
+ pfs = pfctl_get_status_h(pfh);
if (pfs == NULL) {
syslog(LOG_ERR, "pfs_refresh(): ioctl(): %s",
@@ -1329,7 +1329,7 @@ pft_refresh(void)
io.pfrio_size = numtbls;
io.pfrio_buffer = t;
- if (ioctl(dev, DIOCRGETTSTATS, &io)) {
+ if (ioctl(pfctl_fd(pfh), DIOCRGETTSTATS, &io)) {
syslog(LOG_ERR, "pft_refresh(): ioctl(): %s",
strerror(errno));
goto err2;
@@ -1396,7 +1396,7 @@ pfa_table_addrs(u_int sidx, struct pfr_table *pt)
io.pfrio_buffer = t;
io.pfrio_esize = sizeof(struct pfr_astats);
- if (ioctl(dev, DIOCRGETASTATS, &io)) {
+ if (ioctl(pfctl_fd(pfh), DIOCRGETASTATS, &io)) {
syslog(LOG_ERR, "pfa_table_addrs(): ioctl() on %s: %s",
pt->pfrt_name, strerror(errno));
numaddrs = -1;
@@ -1464,7 +1464,7 @@ pfa_refresh(void)
io.pfrio_size = numtbls;
io.pfrio_buffer = pt;
- if (ioctl(dev, DIOCRGETTABLES, &io)) {
+ if (ioctl(pfctl_fd(pfh), DIOCRGETTABLES, &io)) {
syslog(LOG_ERR, "pfa_refresh(): ioctl(): %s",
strerror(errno));
goto err2;
@@ -1519,14 +1519,14 @@ pfl_scan_ruleset(const char *path)
struct pfl_entry *e;
u_int32_t nr, i;
- if (pfctl_get_rules_info(dev, &rules, PF_PASS, path)) {
+ if (pfctl_get_rules_info(pfctl_fd(pfh), &rules, PF_PASS, path)) {
syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULES): %s",
strerror(errno));
goto err;
}
for (nr = rules.nr, i = 0; i < nr; i++) {
- if (pfctl_get_rule(dev, i, rules.ticket, path,
+ if (pfctl_get_rule(pfctl_fd(pfh), i, rules.ticket, path,
PF_PASS, &rule, anchor_call)) {
syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULE):"
" %s", strerror(errno));
@@ -1572,7 +1572,7 @@ pfl_walk_rulesets(const char *path)
bzero(&prs, sizeof(prs));
strlcpy(prs.path, path, sizeof(prs.path));
- if (ioctl(dev, DIOCGETRULESETS, &prs)) {
+ if (ioctl(pfctl_fd(pfh), DIOCGETRULESETS, &prs)) {
syslog(LOG_ERR, "pfl_walk_rulesets: ioctl(DIOCGETRULESETS): %s",
strerror(errno));
goto err;
@@ -1580,7 +1580,7 @@ pfl_walk_rulesets(const char *path)
for (nr = prs.nr, i = 0; i < nr; i++) {
prs.nr = i;
- if (ioctl(dev, DIOCGETRULESET, &prs)) {
+ if (ioctl(pfctl_fd(pfh), DIOCGETRULESET, &prs)) {
syslog(LOG_ERR, "pfl_walk_rulesets:
ioctl(DIOCGETRULESET):"
" %s", strerror(errno));
goto err;
@@ -1671,13 +1671,13 @@ pf_init(struct lmodule *mod, int __unused argc, char
__unused *argv[])
{
module = mod;
- if ((dev = open("/dev/pf", O_RDONLY)) == -1) {
+ if ((pfh = pfctl_open(PF_DEVICE)) == NULL) {
syslog(LOG_ERR, "pf_init(): open(): %s\n",
strerror(errno));
return (-1);
}
- if ((altq_enabled = altq_is_enabled(dev)) == -1) {
+ if ((altq_enabled = altq_is_enabled(pfctl_fd(pfh))) == -1) {
syslog(LOG_ERR, "pf_init(): altq test failed");
return (-1);
}
@@ -1756,7 +1756,8 @@ pf_fini(void)
pfctl_free_status(pfs);
pfs = NULL;
- close(dev);
+ pfctl_close(pfh);
+
return (0);
}
