diff options
author | Kristof Provost <kp@FreeBSD.org> | 2024-01-04 12:45:56 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2024-01-04 22:10:44 +0000 |
commit | 324fd7ec40439e6b3916429a69956d7acf74eb19 (patch) | |
tree | 44d165d05672e8b51f4101485acf07543e6fdc67 /contrib | |
parent | 66cacc141d372fdfa624a380bac6880ecf809994 (diff) | |
download | src-324fd7ec40439e6b3916429a69956d7acf74eb19.tar.gz src-324fd7ec40439e6b3916429a69956d7acf74eb19.zip |
libpfctl: introduce a handle-enabled variant of pfctl_add_rule()
Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a
file descriptor (which it didn't use). This means that library users can
open the handle while they're running as root, but later drop privileges
and still add rules to pf.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/pf/ftp-proxy/filter.c | 10 | ||||
-rw-r--r-- | contrib/pf/tftp-proxy/filter.c | 12 |
2 files changed, 16 insertions, 6 deletions
diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c index 4277e079f3be..612e35c4ac6e 100644 --- a/contrib/pf/ftp-proxy/filter.c +++ b/contrib/pf/ftp-proxy/filter.c @@ -58,6 +58,7 @@ static uint32_t pfpool_ticket; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; +static struct pfctl_handle *pfh = NULL; static const char *qname, *tagname; int @@ -73,7 +74,7 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, return (-1); pfrule.direction = dir; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -108,7 +109,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, pfrule.rpool.proxy_port[0] = nat_range_low; pfrule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -141,7 +142,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, return (-1); pfrule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -182,6 +183,9 @@ init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose) dev = open("/dev/pf", O_RDWR); if (dev == -1) err(1, "open /dev/pf"); + pfh = pfctl_open(PF_DEVICE); + if (pfh == NULL) + err(1, "pfctl_open"); status = pfctl_get_status(dev); if (status == NULL) err(1, "DIOCGETSTATUS"); diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c index 966628464d28..f372ddd0aeae 100644 --- a/contrib/pf/tftp-proxy/filter.c +++ b/contrib/pf/tftp-proxy/filter.c @@ -62,6 +62,7 @@ static char pfanchor_call[PF_ANCHOR_NAME_SIZE]; static struct pfioc_trans pft; static struct pfioc_trans_e pfte[TRANS_SIZE]; static int dev, rule_log; +static struct pfctl_handle *pfh = NULL; static char *qname; int @@ -77,7 +78,7 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src, return (-1); pfrule.direction = dir; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -112,7 +113,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, pfrule.rpool.proxy_port[0] = nat_range_low; pfrule.rpool.proxy_port[1] = nat_range_high; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -145,7 +146,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst, return (-1); pfrule.rpool.proxy_port[0] = rdr_port; - if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call, + if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call, pfticket, pfpool_ticket)) return (-1); @@ -187,6 +188,11 @@ init_filter(char *opt_qname, int opt_verbose) syslog(LOG_ERR, "can't open /dev/pf"); exit(1); } + pfh = pfctl_open(PF_DEVICE); + if (pfh == NULL) { + syslog(LOG_ERR, "can't pfctl_open()"); + exit(1); + } status = pfctl_get_status(dev); if (status == NULL) { syslog(LOG_ERR, "DIOCGETSTATUS"); |