![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to obsdrdr.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / miniupnpd / pf|
Return to obsdrdr.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / miniupnpd / pf |
1.1 misho 1: /* $Id: obsdrdr.c,v 1.59 2010/05/11 16:19:26 nanard Exp $ */
2: /* MiniUPnP project
3: * http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
4: * (c) 2006-2010 Thomas Bernard
5: * This software is subject to the conditions detailed
6: * in the LICENCE file provided within the distribution */
7:
8: /*
9: * pf rules created (with ext_if = xl1)
10: * - OpenBSD up to version 4.6 :
11: * rdr pass on xl1 inet proto udp from any to any port = 54321 \
12: * label "test label" -> 192.168.0.141 port 12345
13: * or a rdr rule + a pass rule
14: *
15: * - OpenBSD starting from version 4.7
16: * match in on xl1 inet proto udp from any to any port 54321 \
17: * label "test label" rdr-to 192.168.0.141 port 12345
18: * or
19: * pass in quick on xl1 inet proto udp from any to any port 54321 \
20: * label "test label" rdr-to 192.168.0.141 port 12345
21: *
22: *
23: *
24: * Macros/#defines :
25: * - PF_ENABLE_FILTER_RULES
26: * If set, two rules are created : rdr + pass. Else a rdr/pass rule
27: * is created.
28: * - USE_IFNAME_IN_RULES
29: * If set the interface name is set in the rule.
30: * - PFRULE_INOUT_COUNTS
31: * Must be set with OpenBSD version 3.8 and up.
32: * - PFRULE_HAS_RTABLEID
33: * Must be set with OpenBSD version 4.0 and up.
34: * - PF_NEWSSTYLE
35: * Must be set with OpenBSD version 4.7 and up.
36: */
37:
38: #include <sys/types.h>
39: #include <sys/socket.h>
40: #include <sys/param.h>
41: #include <net/if.h>
42: #include <netinet/in.h>
43: #include <netinet/tcp.h>
44: #include <arpa/inet.h>
45: #ifdef __DragonFly__
46: #include <net/pf/pfvar.h>
47: #else
48: #include <net/pfvar.h>
49: #endif
50: #include <fcntl.h>
51: #include <sys/ioctl.h>
52: #include <unistd.h>
53: #include <string.h>
54: #include <syslog.h>
55: #include <stdio.h>
56: #include <stdlib.h>
57:
58: #include "../config.h"
59: #include "obsdrdr.h"
60: #include "../upnpglobalvars.h"
61:
62: /* anchor name */
63: static const char anchor_name[] = "miniupnpd";
64:
65: /* /dev/pf when opened */
66: static int dev = -1;
67:
68: /* shutdown_redirect() :
69: * close the /dev/pf device */
70: void
71: shutdown_redirect(void)
72: {
73: if(close(dev)<0)
74: syslog(LOG_ERR, "close(\"/dev/pf\"): %m");
75: dev = -1;
76: }
77:
78: /* open the device */
79: int
80: init_redirect(void)
81: {
82: struct pf_status status;
83: if(dev>=0)
84: shutdown_redirect();
85: dev = open("/dev/pf", O_RDWR);
86: if(dev<0) {
87: syslog(LOG_ERR, "open(\"/dev/pf\"): %m");
88: return -1;
89: }
90: if(ioctl(dev, DIOCGETSTATUS, &status)<0) {
91: syslog(LOG_ERR, "DIOCGETSTATUS: %m");
92: return -1;
93: }
94: if(!status.running) {
95: syslog(LOG_ERR, "pf is disabled");
96: return -1;
97: }
98: return 0;
99: }
100:
101: #if TEST
102: /* for debug */
103: int
104: clear_redirect_rules(void)
105: {
106: struct pfioc_trans io;
107: struct pfioc_trans_e ioe;
108: if(dev<0) {
109: syslog(LOG_ERR, "pf device is not open");
110: return -1;
111: }
112: memset(&ioe, 0, sizeof(ioe));
113: io.size = 1;
114: io.esize = sizeof(ioe);
115: io.array = &ioe;
116: #ifndef PF_NEWSTYLE
117: ioe.rs_num = PF_RULESET_RDR;
118: #else
119: ioe.type = PF_TRANS_RULESET;
120: #endif
121: strlcpy(ioe.anchor, anchor_name, MAXPATHLEN);
122: if(ioctl(dev, DIOCXBEGIN, &io) < 0)
123: {
124: syslog(LOG_ERR, "ioctl(dev, DIOCXBEGIN, ...): %m");
125: goto error;
126: }
127: if(ioctl(dev, DIOCXCOMMIT, &io) < 0)
128: {
129: syslog(LOG_ERR, "ioctl(dev, DIOCXCOMMIT, ...): %m");
130: goto error;
131: }
132: return 0;
133: error:
134: return -1;
135: }
136: #endif
137:
138: /* add_redirect_rule2() :
139: * create a rdr rule */
140: int
141: add_redirect_rule2(const char * ifname, unsigned short eport,
142: const char * iaddr, unsigned short iport, int proto,
143: const char * desc)
144: {
145: int r;
146: struct pfioc_rule pcr;
147: #ifndef PF_NEWSTYLE
148: struct pfioc_pooladdr pp;
149: struct pf_pooladdr *a;
150: #endif
151: if(dev<0) {
152: syslog(LOG_ERR, "pf device is not open");
153: return -1;
154: }
155: r = 0;
156: memset(&pcr, 0, sizeof(pcr));
157: strlcpy(pcr.anchor, anchor_name, MAXPATHLEN);
158:
159: #ifndef PF_NEWSTYLE
160: memset(&pp, 0, sizeof(pp));
161: strlcpy(pp.anchor, anchor_name, MAXPATHLEN);
162: if(ioctl(dev, DIOCBEGINADDRS, &pp) < 0)
163: {
164: syslog(LOG_ERR, "ioctl(dev, DIOCBEGINADDRS, ...): %m");
165: r = -1;
166: }
167: else
168: {
169: pcr.pool_ticket = pp.ticket;
170: #else
171: if(1)
172: {
173: pcr.rule.direction = PF_IN;
174: //pcr.rule.src.addr.type = PF_ADDR_NONE;
175: pcr.rule.src.addr.type = PF_ADDR_ADDRMASK;
176: pcr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
177: pcr.rule.nat.addr.type = PF_ADDR_NONE;
178: pcr.rule.rdr.addr.type = PF_ADDR_ADDRMASK;
179: #endif
180:
181: pcr.rule.dst.port_op = PF_OP_EQ;
182: pcr.rule.dst.port[0] = htons(eport);
183: pcr.rule.dst.port[1] = htons(eport);
184: #ifndef PF_NEWSTYLE
185: pcr.rule.action = PF_RDR;
186: #ifndef PF_ENABLE_FILTER_RULES
187: pcr.rule.natpass = 1;
188: #else
189: pcr.rule.natpass = 0;
190: #endif
191: #else
192: #ifndef PF_ENABLE_FILTER_RULES
193: pcr.rule.action = PF_PASS;
194: #else
195: pcr.rule.action = PF_MATCH;
196: #endif
197: #endif
198: pcr.rule.af = AF_INET;
199: #ifdef USE_IFNAME_IN_RULES
200: if(ifname)
201: strlcpy(pcr.rule.ifname, ifname, IFNAMSIZ);
202: #endif
203: pcr.rule.proto = proto;
204: pcr.rule.log = (GETFLAG(LOGPACKETSMASK))?1:0; /*logpackets;*/
205: #ifdef PFRULE_HAS_RTABLEID
206: pcr.rule.rtableid = -1; /* first appeared in OpenBSD 4.0 */
207: #endif
208: pcr.rule.quick = 1;
209: pcr.rule.keep_state = PF_STATE_NORMAL;
210: if(tag)
211: strlcpy(pcr.rule.tagname, tag, PF_TAG_NAME_SIZE);
212: strlcpy(pcr.rule.label, desc, PF_RULE_LABEL_SIZE);
213: #ifndef PF_NEWSTYLE
214: pcr.rule.rpool.proxy_port[0] = iport;
215: pcr.rule.rpool.proxy_port[1] = iport;
216: TAILQ_INIT(&pcr.rule.rpool.list);
217: a = calloc(1, sizeof(struct pf_pooladdr));
218: inet_pton(AF_INET, iaddr, &a->addr.v.a.addr.v4.s_addr);
219: a->addr.v.a.mask.v4.s_addr = htonl(INADDR_NONE);
220: TAILQ_INSERT_TAIL(&pcr.rule.rpool.list, a, entries);
221:
222: memcpy(&pp.addr, a, sizeof(struct pf_pooladdr));
223: if(ioctl(dev, DIOCADDADDR, &pp) < 0)
224: {
225: syslog(LOG_ERR, "ioctl(dev, DIOCADDADDR, ...): %m");
226: r = -1;
227: }
228: else
229: {
230: #else
231: pcr.rule.rdr.proxy_port[0] = iport;
232: pcr.rule.rdr.proxy_port[1] = iport;
233: inet_pton(AF_INET, iaddr, &pcr.rule.rdr.addr.v.a.addr.v4.s_addr);
234: pcr.rule.rdr.addr.v.a.mask.v4.s_addr = htonl(INADDR_NONE);
235: if(1)
236: {
237: #endif
238: pcr.action = PF_CHANGE_GET_TICKET;
239: if(ioctl(dev, DIOCCHANGERULE, &pcr) < 0)
240: {
241: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
242: r = -1;
243: }
244: else
245: {
246: pcr.action = PF_CHANGE_ADD_TAIL;
247: if(ioctl(dev, DIOCCHANGERULE, &pcr) < 0)
248: {
249: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: %m");
250: r = -1;
251: }
252: }
253: }
254: #ifndef PF_NEWSTYLE
255: free(a);
256: #endif
257: }
258: return r;
259: }
260:
261: /* thanks to Seth Mos for this function */
262: int
263: add_filter_rule2(const char * ifname, const char * iaddr,
264: unsigned short eport, unsigned short iport,
265: int proto, const char * desc)
266: {
267: #ifndef PF_ENABLE_FILTER_RULES
268: return 0;
269: #else
270: int r;
271: struct pfioc_rule pcr;
272: #ifndef PF_NEWSTYLE
273: struct pfioc_pooladdr pp;
274: struct pf_pooladdr *a;
275: #endif
276: if(dev<0) {
277: syslog(LOG_ERR, "pf device is not open");
278: return -1;
279: }
280: r = 0;
281: memset(&pcr, 0, sizeof(pcr));
282: strlcpy(pcr.anchor, anchor_name, MAXPATHLEN);
283:
284: #ifndef PF_NEWSTYLE
285: memset(&pp, 0, sizeof(pp));
286: strlcpy(pp.anchor, anchor_name, MAXPATHLEN);
287: if(ioctl(dev, DIOCBEGINADDRS, &pp) < 0)
288: {
289: syslog(LOG_ERR, "ioctl(dev, DIOCBEGINADDRS, ...): %m");
290: r = -1;
291: }
292: else
293: {
294: pcr.pool_ticket = pp.ticket;
295: #else
296: if(1)
297: {
298: #endif
299:
300: pcr.rule.dst.port_op = PF_OP_EQ;
301: pcr.rule.dst.port[0] = htons(eport);
302: pcr.rule.direction = PF_IN;
303: pcr.rule.action = PF_PASS;
304: pcr.rule.af = AF_INET;
305: #ifdef USE_IFNAME_IN_RULES
306: if(ifname)
307: strlcpy(pcr.rule.ifname, ifname, IFNAMSIZ);
308: #endif
309: pcr.rule.proto = proto;
310: pcr.rule.quick = (GETFLAG(PFNOQUICKRULESMASK))?0:1;
311: pcr.rule.log = (GETFLAG(LOGPACKETSMASK))?1:0; /*logpackets;*/
312: /* see the discussion on the forum :
313: * http://miniupnp.tuxfamily.org/forum/viewtopic.php?p=638 */
314: pcr.rule.flags = TH_SYN;
315: pcr.rule.flagset = (TH_SYN|TH_ACK);
316: #ifdef PFRULE_HAS_RTABLEID
317: pcr.rule.rtableid = -1; /* first appeared in OpenBSD 4.0 */
318: #endif
319: pcr.rule.keep_state = 1;
320: strlcpy(pcr.rule.label, desc, PF_RULE_LABEL_SIZE);
321: if(queue)
322: strlcpy(pcr.rule.qname, queue, PF_QNAME_SIZE);
323: if(tag)
324: strlcpy(pcr.rule.tagname, tag, PF_TAG_NAME_SIZE);
325:
326: #ifndef PF_NEWSTYLE
327: pcr.rule.rpool.proxy_port[0] = eport;
328: a = calloc(1, sizeof(struct pf_pooladdr));
329: inet_pton(AF_INET, iaddr, &a->addr.v.a.addr.v4.s_addr);
330: a->addr.v.a.mask.v4.s_addr = htonl(INADDR_NONE);
331: memcpy(&pp.addr, a, sizeof(struct pf_pooladdr));
332: TAILQ_INIT(&pcr.rule.rpool.list);
333: inet_pton(AF_INET, iaddr, &a->addr.v.a.addr.v4.s_addr);
334: TAILQ_INSERT_TAIL(&pcr.rule.rpool.list, a, entries);
335:
336: /* we have any - any port = # keep state label */
337: /* we want any - iaddr port = # keep state label */
338: /* memcpy(&pcr.rule.dst, a, sizeof(struct pf_pooladdr)); */
339:
340: memcpy(&pp.addr, a, sizeof(struct pf_pooladdr));
341: strlcpy(pcr.rule.label, desc, PF_RULE_LABEL_SIZE);
342: if(ioctl(dev, DIOCADDADDR, &pp) < 0)
343: {
344: syslog(LOG_ERR, "ioctl(dev, DIOCADDADDR, ...): %m");
345: r = -1;
346: }
347: else
348: {
349: #else
350: if(1)
351: {
352: #endif
353: pcr.action = PF_CHANGE_GET_TICKET;
354: if(ioctl(dev, DIOCCHANGERULE, &pcr) < 0)
355: {
356: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
357: r = -1;
358: }
359: else
360: {
361: pcr.action = PF_CHANGE_ADD_TAIL;
362: if(ioctl(dev, DIOCCHANGERULE, &pcr) < 0)
363: {
364: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: %m");
365: r = -1;
366: }
367: }
368: }
369: #ifndef PF_NEWSTYLE
370: free(a);
371: #endif
372: }
373: return r;
374: #endif
375: }
376:
377: /* get_redirect_rule()
378: * return value : 0 success (found)
379: * -1 = error or rule not found */
380: int
381: get_redirect_rule(const char * ifname, unsigned short eport, int proto,
382: char * iaddr, int iaddrlen, unsigned short * iport,
383: char * desc, int desclen,
384: u_int64_t * packets, u_int64_t * bytes)
385: {
386: int i, n;
387: struct pfioc_rule pr;
388: #ifndef PF_NEWSTYLE
389: struct pfioc_pooladdr pp;
390: #endif
391: if(dev<0) {
392: syslog(LOG_ERR, "pf device is not open");
393: return -1;
394: }
395: memset(&pr, 0, sizeof(pr));
396: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
397: #ifndef PF_NEWSTYLE
398: pr.rule.action = PF_RDR;
399: #endif
400: if(ioctl(dev, DIOCGETRULES, &pr) < 0)
401: {
402: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
403: goto error;
404: }
405: n = pr.nr;
406: for(i=0; i<n; i++)
407: {
408: pr.nr = i;
409: if(ioctl(dev, DIOCGETRULE, &pr) < 0)
410: {
411: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
412: goto error;
413: }
414: if( (eport == ntohs(pr.rule.dst.port[0]))
415: && (eport == ntohs(pr.rule.dst.port[1]))
416: && (pr.rule.proto == proto) )
417: {
418: #ifndef PF_NEWSTYLE
419: *iport = pr.rule.rpool.proxy_port[0];
420: #else
421: *iport = pr.rule.rdr.proxy_port[0];
422: #endif
423: if(desc)
424: strlcpy(desc, pr.rule.label, desclen);
425: #ifdef PFRULE_INOUT_COUNTS
426: if(packets)
427: *packets = pr.rule.packets[0] + pr.rule.packets[1];
428: if(bytes)
429: *bytes = pr.rule.bytes[0] + pr.rule.bytes[1];
430: #else
431: if(packets)
432: *packets = pr.rule.packets;
433: if(bytes)
434: *bytes = pr.rule.bytes;
435: #endif
436: #ifndef PF_NEWSTYLE
437: memset(&pp, 0, sizeof(pp));
438: strlcpy(pp.anchor, anchor_name, MAXPATHLEN);
439: pp.r_action = PF_RDR;
440: pp.r_num = i;
441: pp.ticket = pr.ticket;
442: if(ioctl(dev, DIOCGETADDRS, &pp) < 0)
443: {
444: syslog(LOG_ERR, "ioctl(dev, DIOCGETADDRS, ...): %m");
445: goto error;
446: }
447: if(pp.nr != 1)
448: {
449: syslog(LOG_NOTICE, "No address associated with pf rule");
450: goto error;
451: }
452: pp.nr = 0; /* first */
453: if(ioctl(dev, DIOCGETADDR, &pp) < 0)
454: {
455: syslog(LOG_ERR, "ioctl(dev, DIOCGETADDR, ...): %m");
456: goto error;
457: }
458: inet_ntop(AF_INET, &pp.addr.addr.v.a.addr.v4.s_addr,
459: iaddr, iaddrlen);
460: #else
461: inet_ntop(AF_INET, &pr.rule.rdr.addr.v.a.addr.v4.s_addr,
462: iaddr, iaddrlen);
463: #endif
464: return 0;
465: }
466: }
467: error:
468: return -1;
469: }
470:
471: int
472: delete_redirect_rule(const char * ifname, unsigned short eport, int proto)
473: {
474: int i, n;
475: struct pfioc_rule pr;
476: if(dev<0) {
477: syslog(LOG_ERR, "pf device is not open");
478: return -1;
479: }
480: memset(&pr, 0, sizeof(pr));
481: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
482: #ifndef PF_NEWSTYLE
483: pr.rule.action = PF_RDR;
484: #endif
485: if(ioctl(dev, DIOCGETRULES, &pr) < 0)
486: {
487: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
488: goto error;
489: }
490: n = pr.nr;
491: for(i=0; i<n; i++)
492: {
493: pr.nr = i;
494: if(ioctl(dev, DIOCGETRULE, &pr) < 0)
495: {
496: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
497: goto error;
498: }
499: if( (eport == ntohs(pr.rule.dst.port[0]))
500: && (eport == ntohs(pr.rule.dst.port[1]))
501: && (pr.rule.proto == proto) )
502: {
503: pr.action = PF_CHANGE_GET_TICKET;
504: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0)
505: {
506: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
507: goto error;
508: }
509: pr.action = PF_CHANGE_REMOVE;
510: pr.nr = i;
511: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0)
512: {
513: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_REMOVE: %m");
514: goto error;
515: }
516: return 0;
517: }
518: }
519: error:
520: return -1;
521: }
522:
523: int
524: delete_filter_rule(const char * ifname, unsigned short eport, int proto)
525: {
526: #ifndef PF_ENABLE_FILTER_RULES
527: return 0;
528: #else
529: int i, n;
530: struct pfioc_rule pr;
531: if(dev<0) {
532: syslog(LOG_ERR, "pf device is not open");
533: return -1;
534: }
535: memset(&pr, 0, sizeof(pr));
536: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
537: pr.rule.action = PF_PASS;
538: if(ioctl(dev, DIOCGETRULES, &pr) < 0)
539: {
540: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
541: goto error;
542: }
543: n = pr.nr;
544: for(i=0; i<n; i++)
545: {
546: pr.nr = i;
547: if(ioctl(dev, DIOCGETRULE, &pr) < 0)
548: {
549: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
550: goto error;
551: }
552: if( (eport == ntohs(pr.rule.dst.port[0]))
553: && (pr.rule.proto == proto) )
554: {
555: pr.action = PF_CHANGE_GET_TICKET;
556: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0)
557: {
558: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
559: goto error;
560: }
561: pr.action = PF_CHANGE_REMOVE;
562: pr.nr = i;
563: if(ioctl(dev, DIOCCHANGERULE, &pr) < 0)
564: {
565: syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_REMOVE: %m");
566: goto error;
567: }
568: return 0;
569: }
570: }
571: error:
572: return -1;
573: #endif
574: }
575:
576: int
577: get_redirect_rule_by_index(int index,
578: char * ifname, unsigned short * eport,
579: char * iaddr, int iaddrlen, unsigned short * iport,
580: int * proto, char * desc, int desclen,
581: u_int64_t * packets, u_int64_t * bytes)
582: {
583: int n;
584: struct pfioc_rule pr;
585: #ifndef PF_NEWSTYLE
586: struct pfioc_pooladdr pp;
587: #endif
588: if(index < 0)
589: return -1;
590: if(dev<0) {
591: syslog(LOG_ERR, "pf device is not open");
592: return -1;
593: }
594: memset(&pr, 0, sizeof(pr));
595: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
596: #ifndef PF_NEWSTYLE
597: pr.rule.action = PF_RDR;
598: #endif
599: if(ioctl(dev, DIOCGETRULES, &pr) < 0)
600: {
601: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
602: goto error;
603: }
604: n = pr.nr;
605: if(index >= n)
606: goto error;
607: pr.nr = index;
608: if(ioctl(dev, DIOCGETRULE, &pr) < 0)
609: {
610: syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
611: goto error;
612: }
613: *proto = pr.rule.proto;
614: *eport = ntohs(pr.rule.dst.port[0]);
615: #ifndef PF_NEWSTYLE
616: *iport = pr.rule.rpool.proxy_port[0];
617: #else
618: *iport = pr.rule.rdr.proxy_port[0];
619: #endif
620: if(ifname)
621: strlcpy(ifname, pr.rule.ifname, IFNAMSIZ);
622: if(desc)
623: strlcpy(desc, pr.rule.label, desclen);
624: #ifdef PFRULE_INOUT_COUNTS
625: if(packets)
626: *packets = pr.rule.packets[0] + pr.rule.packets[1];
627: if(bytes)
628: *bytes = pr.rule.bytes[0] + pr.rule.bytes[1];
629: #else
630: if(packets)
631: *packets = pr.rule.packets;
632: if(bytes)
633: *bytes = pr.rule.bytes;
634: #endif
635: #ifndef PF_NEWSTYLE
636: memset(&pp, 0, sizeof(pp));
637: strlcpy(pp.anchor, anchor_name, MAXPATHLEN);
638: pp.r_action = PF_RDR;
639: pp.r_num = index;
640: pp.ticket = pr.ticket;
641: if(ioctl(dev, DIOCGETADDRS, &pp) < 0)
642: {
643: syslog(LOG_ERR, "ioctl(dev, DIOCGETADDRS, ...): %m");
644: goto error;
645: }
646: if(pp.nr != 1)
647: {
648: syslog(LOG_NOTICE, "No address associated with pf rule");
649: goto error;
650: }
651: pp.nr = 0; /* first */
652: if(ioctl(dev, DIOCGETADDR, &pp) < 0)
653: {
654: syslog(LOG_ERR, "ioctl(dev, DIOCGETADDR, ...): %m");
655: goto error;
656: }
657: inet_ntop(AF_INET, &pp.addr.addr.v.a.addr.v4.s_addr,
658: iaddr, iaddrlen);
659: #else
660: inet_ntop(AF_INET, &pr.rule.rdr.addr.v.a.addr.v4.s_addr,
661: iaddr, iaddrlen);
662: #endif
663: return 0;
664: error:
665: return -1;
666: }
667:
668: /* this function is only for testing */
669: #if TEST
670: void
671: list_rules(void)
672: {
673: char buf[32];
674: int i, n;
675: struct pfioc_rule pr;
676: #ifndef PF_NEWSTYLE
677: struct pfioc_pooladdr pp;
678: #endif
679:
680: if(dev<0)
681: {
682: perror("pf dev not open");
683: return ;
684: }
685: memset(&pr, 0, sizeof(pr));
686: strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
687: pr.rule.action = PF_RDR;
688: if(ioctl(dev, DIOCGETRULES, &pr) < 0)
689: perror("DIOCGETRULES");
690: printf("ticket = %d, nr = %d\n", pr.ticket, pr.nr);
691: n = pr.nr;
692: for(i=0; i<n; i++)
693: {
694: printf("-- rule %d --\n", i);
695: pr.nr = i;
696: if(ioctl(dev, DIOCGETRULE, &pr) < 0)
697: perror("DIOCGETRULE");
698: printf(" %s %d:%d -> %d:%d proto %d keep_state=%d action=%d\n",
699: pr.rule.ifname,
700: (int)ntohs(pr.rule.dst.port[0]),
701: (int)ntohs(pr.rule.dst.port[1]),
702: #ifndef PF_NEWSTYLE
703: (int)pr.rule.rpool.proxy_port[0],
704: (int)pr.rule.rpool.proxy_port[1],
705: #else
706: (int)pr.rule.rdr.proxy_port[0],
707: (int)pr.rule.rdr.proxy_port[1],
708: #endif
709: (int)pr.rule.proto,
710: (int)pr.rule.keep_state,
711: (int)pr.rule.action);
712: printf(" description: \"%s\"\n", pr.rule.label);
713: #ifndef PF_NEWSTYLE
714: memset(&pp, 0, sizeof(pp));
715: strlcpy(pp.anchor, anchor_name, MAXPATHLEN);
716: pp.r_action = PF_RDR;
717: pp.r_num = i;
718: pp.ticket = pr.ticket;
719: if(ioctl(dev, DIOCGETADDRS, &pp) < 0)
720: perror("DIOCGETADDRS");
721: printf(" nb pool addr = %d ticket=%d\n", pp.nr, pp.ticket);
722: /*if(ioctl(dev, DIOCGETRULE, &pr) < 0)
723: perror("DIOCGETRULE"); */
724: pp.nr = 0; /* first */
725: if(ioctl(dev, DIOCGETADDR, &pp) < 0)
726: perror("DIOCGETADDR");
727: /* addr.v.a.addr.v4.s_addr */
728: printf(" %s\n", inet_ntop(AF_INET, &pp.addr.addr.v.a.addr.v4.s_addr, buf, 32));
729: #else
730: printf(" rule_flag=%08x action=%d direction=%d log=%d logif=%d "
731: "quick=%d ifnot=%d af=%d type=%d code=%d rdr.port_op=%d rdr.opts=%d\n",
732: pr.rule.rule_flag, pr.rule.action, pr.rule.direction,
733: pr.rule.log, pr.rule.logif, pr.rule.quick, pr.rule.ifnot,
734: pr.rule.af, pr.rule.type, pr.rule.code,
735: pr.rule.rdr.port_op, pr.rule.rdr.opts);
736: printf(" %s\n", inet_ntop(AF_INET, &pr.rule.rdr.addr.v.a.addr.v4.s_addr, buf, 32));
737: #endif
738: }
739: }
740: #endif
741: