From nobody Thu Jan 04 22:11:12 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4T5glh4WyHz55NW9; Thu, 4 Jan 2024 22:11:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4T5glh2S3tz4NL4; Thu, 4 Jan 2024 22:11:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1704406272; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=teSRzhJT7ij5s2IM6DTtH0r61pvLFsoCOpTFtXh+Xsw=; b=uZVarp9ebBEOsO55yyS43CemUwbyKEfPhf6r+mJeYEOAd9klpDEh34IL50kRCn4TYzCbq/ ekvYekESPoaLs3/eslhRFbtHFX28z04mwTGlpbusbytTzsVz04nhWhqd/zAWrm+sOlLmo7 F+2/MAEXSzexPXAf+wgfFRrNS0fPUZ1HlPaBgyVK7+iffMf+OQR5PtAVrAu1Kz6KN6bC/8 L433WC3z1t206A7uyIHKUCPfvkHSVJd+MyMH9wUcZFmL8mIa1+4RBQVwuGQmyoCnkgW4Gm mvs0rA2Fx65sAGwjwygkHlPUIy7tNHBaEPks9DlY7GPtK1vzoiK7Gl33s37PMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1704406272; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=teSRzhJT7ij5s2IM6DTtH0r61pvLFsoCOpTFtXh+Xsw=; b=SxlWwDLSRMxTQ0AfepGIr4o8iv8khOdN9YsSI2ygGKKRyU3EfTvzdKyoFu6fz0k2ScwcOf TEenuRGCWmxq8PGQrTyf23pXJTwNhmJ4K/4w3zTrPURGreOcaNZQpAzlYMf3Tjy46Qb9JG OwvPOGLd0/IC/txYfn3bn5R4sse7lA9Ig6927HIllXHQoKIkbZa1R4RkP++2481PVvjBq0 hwGBnrAXv3/EtOD3UAAPNFJ/Y79canr/JnF3L+X0+rlS3ks+R52BD0UQ7olGYMMPlrdVHS yHDWX/TRpTYc/OHQxMBIZNVMFjl5gcOb/TH6Mn1aHWQDsDfxvVtnh7Mfz+Ed1A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1704406272; a=rsa-sha256; cv=none; b=eK46bYYPtGehHrlEFUlv5eiDIZWlIvkmngH5pfQaRZxBFr1ntSc2PVkXdFzKSX29rCLZ25 EuBrPp0r5tonW4/mIpDyqtCREUN5+RWmcyWr5BOllkMdXDYj+RTER7Nzn5AJ1TJD9qmzRX otZPgN5OQppfATXSONuWEN6zGR0T/ovepNq9cCvESZazOQB/+bTFqWZk5oTXlUhewBNX7t un4p6DZwqYZbI3dXJZSSKDxMqsVwyBuYc6eMWrsSbkK/F4/yScW8pK+7BzAWLITK76lhBW osVx0/K4fiieLUCNlxNAeX5aotYdiVaDJHPT3TNwV1Wg7njMTRAXZ3wRU52Zyw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4T5glh1WdyzX4n; Thu, 4 Jan 2024 22:11:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 404MBC3r003219; Thu, 4 Jan 2024 22:11:12 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 404MBC3D003204; Thu, 4 Jan 2024 22:11:12 GMT (envelope-from git) Date: Thu, 4 Jan 2024 22:11:12 GMT Message-Id: <202401042211.404MBC3D003204@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 324fd7ec4043 - main - libpfctl: introduce a handle-enabled variant of pfctl_add_rule() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 324fd7ec40439e6b3916429a69956d7acf74eb19 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=324fd7ec40439e6b3916429a69956d7acf74eb19 commit 324fd7ec40439e6b3916429a69956d7acf74eb19 Author: Kristof Provost AuthorDate: 2024-01-04 12:45:56 +0000 Commit: Kristof Provost CommitDate: 2024-01-04 22:10:44 +0000 libpfctl: introduce a handle-enabled variant of pfctl_add_rule() Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a file descriptor (which it didn't use). This means that library users can open the handle while they're running as root, but later drop privileges and still add rules to pf. Sponsored by: Rubicon Communications, LLC ("Netgate") --- contrib/pf/ftp-proxy/filter.c | 10 +++++++--- contrib/pf/tftp-proxy/filter.c | 12 +++++++++--- lib/libpfctl/libpfctl.c | 29 +++++++++++++++++++++++------ lib/libpfctl/libpfctl.h | 3 +++ 4 files changed, 42 insertions(+), 12 deletions(-) diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c index 4277e079f3be..612e35c4ac6e 100644 --- a/contrib/pf/ftp-proxy/filter.c +++ b/contrib/pf/ftp-proxy/filter.c @@ -58,6 +58,7 @@ static uint32_t pfpool_ticket; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; +static struct pfctl_handle *pfh = NULL; static const char *qname, *tagname; int @@ -73,7 +74,7 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, return (-1); pfrule.direction = dir; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -108,7 +109,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, pfrule.rpool.proxy_port[0] = nat_range_low; pfrule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -141,7 +142,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, return (-1); pfrule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -182,6 +183,9 @@ init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose) dev = open("/dev/pf", O_RDWR); if (dev == -1) err(1, "open /dev/pf"); + pfh = pfctl_open(PF_DEVICE); + if (pfh == NULL) + err(1, "pfctl_open"); status = pfctl_get_status(dev); if (status == NULL) err(1, "DIOCGETSTATUS"); diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c index 966628464d28..f372ddd0aeae 100644 --- a/contrib/pf/tftp-proxy/filter.c +++ b/contrib/pf/tftp-proxy/filter.c @@ -62,6 +62,7 @@ static char pfanchor_call[PF_ANCHOR_NAME_SIZE]; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; +static struct pfctl_handle *pfh = NULL; static char *qname; int @@ -77,7 +78,7 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, return (-1); pfrule.direction = dir; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -112,7 +113,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, pfrule.rpool.proxy_port[0] = nat_range_low; pfrule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -145,7 +146,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, return (-1); pfrule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -187,6 +188,11 @@ init_filter(char *opt_qname, int opt_verbose) syslog(LOG_ERR, "can't open /dev/pf"); exit(1); } + pfh = pfctl_open(PF_DEVICE); + if (pfh == NULL) { + syslog(LOG_ERR, "can't pfctl_open()"); + exit(1); + } status = pfctl_get_status(dev); if (status == NULL) { syslog(LOG_ERR, "DIOCGETSTATUS"); diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 94949a5a7337..2db3f0ede99f 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -1116,20 +1116,37 @@ snl_add_msg_attr_pf_rule(struct snl_writer *nw, uint32_t type, const struct pfct int pfctl_add_rule(int dev __unused, const struct pfctl_rule *r, const char *anchor, const char *anchor_call, uint32_t ticket, uint32_t pool_ticket) +{ + struct pfctl_handle *h; + int ret; + + h = pfctl_open(PF_DEVICE); + if (h == NULL) + return (ENODEV); + + ret = pfctl_add_rule_h(h, r, anchor, anchor_call, ticket, pool_ticket); + + pfctl_close(h); + + return (ret); +} + +int +pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r, + const char *anchor, const char *anchor_call, uint32_t ticket, + uint32_t pool_ticket) { struct snl_writer nw; - struct snl_state ss = {}; struct snl_errmsg_data e = {}; struct nlmsghdr *hdr; uint32_t seq_id; int family_id; - snl_init(&ss, NETLINK_GENERIC); - family_id = snl_get_genl_family(&ss, PFNL_FAMILY_NAME); + family_id = snl_get_genl_family(&h->ss, PFNL_FAMILY_NAME); if (family_id == 0) return (ENOTSUP); - snl_init_writer(&ss, &nw); + snl_init_writer(&h->ss, &nw); hdr = snl_create_genl_msg_request(&nw, family_id, PFNL_CMD_ADDRULE); hdr->nlmsg_flags |= NLM_F_DUMP; snl_add_msg_attr_u32(&nw, PF_ART_TICKET, ticket); @@ -1144,10 +1161,10 @@ pfctl_add_rule(int dev __unused, const struct pfctl_rule *r, const char *anchor, seq_id = hdr->nlmsg_seq; - if (! snl_send_message(&ss, hdr)) + if (! snl_send_message(&h->ss, hdr)) return (ENXIO); - while ((hdr = snl_read_reply_multi(&ss, seq_id, &e)) != NULL) { + while ((hdr = snl_read_reply_multi(&h->ss, seq_id, &e)) != NULL) { } return (e.error); diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index f128e5340891..cd72d04d6715 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -421,6 +421,9 @@ int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, int pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor, const char *anchor_call, uint32_t ticket, uint32_t pool_ticket); +int pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r, + const char *anchor, const char *anchor_call, uint32_t ticket, + uint32_t pool_ticket); int pfctl_set_keepcounters(int dev, bool keep); int pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);