authorKristof Provost <kp@FreeBSD.org>2024-01-04 12:45:56 +0000
committerKristof Provost <kp@FreeBSD.org>2024-01-04 22:10:44 +0000
commit324fd7ec40439e6b3916429a69956d7acf74eb19 (patch)
tree44d165d05672e8b51f4101485acf07543e6fdc67 /contrib
parent66cacc141d372fdfa624a380bac6880ecf809994 (diff)
libpfctl: introduce a handle-enabled variant of pfctl_add_rule()
Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a file descriptor (a descriptor that pfctl_add_rule() never actually used). This means that library users can open the handle while they are still running as root, later drop privileges, and still add rules to pf. Sponsored by: Rubicon Communications, LLC ("Netgate")
Diffstat (limited to 'contrib')
-rw-r--r--contrib/pf/ftp-proxy/filter.c10
-rw-r--r--contrib/pf/tftp-proxy/filter.c12
2 files changed, 16 insertions, 6 deletions
diff --git a/contrib/pf/ftp-proxy/filter.c b/contrib/pf/ftp-proxy/filter.c
index 4277e079f3be..612e35c4ac6e 100644
--- a/contrib/pf/ftp-proxy/filter.c
+++ b/contrib/pf/ftp-proxy/filter.c
@@ -58,6 +58,7 @@ static uint32_t pfpool_ticket;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
+static struct pfctl_handle *pfh = NULL;
static const char *qname, *tagname;
int
@@ -73,7 +74,7 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
return (-1);
pfrule.direction = dir;
- if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
@@ -108,7 +109,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
pfrule.rpool.proxy_port[0] = nat_range_low;
pfrule.rpool.proxy_port[1] = nat_range_high;
- if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
@@ -141,7 +142,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
return (-1);
pfrule.rpool.proxy_port[0] = rdr_port;
- if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
@@ -182,6 +183,9 @@ init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose)
dev = open("/dev/pf", O_RDWR);
if (dev == -1)
err(1, "open /dev/pf");
+ pfh = pfctl_open(PF_DEVICE);
+ if (pfh == NULL)
+ err(1, "pfctl_open");
status = pfctl_get_status(dev);
if (status == NULL)
err(1, "DIOCGETSTATUS");
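Review bot: The new `pfh = pfctl_open(PF_DEVICE);` opens /dev/pf a second time while `dev` stays open for `pfctl_get_status(dev)` (and presumably the transaction ioctls elsewhere in the file), so the process now holds two pf descriptors and there is no visible `pfctl_close(pfh)` on any path; the tftp-proxy hunk at init_filter has the same shape. Since the stated purpose of the commit is to add rules after privileges are dropped, the ordering is a contract rather than an accident and deserves a comment above the call, e.g. `/* Open the pfctl handle while still privileged: add_filter()/add_nat()/add_rdr() use it later, possibly after privileges are dropped. */` — whether this program actually drops privileges after init_filter() is not visible here. `err(1, "pfctl_open")` prints strerror(errno), so it is only informative if pfctl_open()'s failure path preserves the errno of the underlying open(2); worth confirming against libpfctl. init_filter's body continues outside the hunk.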
diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c
index 966628464d28..f372ddd0aeae 100644
--- a/contrib/pf/tftp-proxy/filter.c
+++ b/contrib/pf/tftp-proxy/filter.c
@@ -62,6 +62,7 @@ static char pfanchor_call[PF_ANCHOR_NAME_SIZE];
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte[TRANS_SIZE];
static int dev, rule_log;
+static struct pfctl_handle *pfh = NULL;
static char *qname;
int
@@ -77,7 +78,7 @@ add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
return (-1);
pfrule.direction = dir;
- if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
@@ -112,7 +113,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
pfrule.rpool.proxy_port[0] = nat_range_low;
pfrule.rpool.proxy_port[1] = nat_range_high;
- if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
@@ -145,7 +146,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
return (-1);
pfrule.rpool.proxy_port[0] = rdr_port;
- if (pfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
+ if (pfctl_add_rule_h(pfh, &pfrule, pfanchor, pfanchor_call,
pfticket, pfpool_ticket))
return (-1);
@@ -187,6 +188,11 @@ init_filter(char *opt_qname, int opt_verbose)
syslog(LOG_ERR, "can't open /dev/pf");
exit(1);
}
+ pfh = pfctl_open(PF_DEVICE);
+ if (pfh == NULL) {
+ syslog(LOG_ERR, "can't pfctl_open()");
+ exit(1);
+ }
status = pfctl_get_status(dev);
if (status == NULL) {
syslog(LOG_ERR, "DIOCGETSTATUS");
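Review bot: The new failure branch `syslog(LOG_ERR, "can't pfctl_open()");` drops the reason for the failure, which is the one thing an operator needs when the proxy refuses to start; FreeBSD's syslog(3) expands `%m` to strerror(errno), so `syslog(LOG_ERR, "can't pfctl_open(): %m");` costs nothing. This matches the existing "can't open /dev/pf" line's terseness, so it may be deliberate house style, in which case leaving it is defensible. The double-open and missing `pfctl_close()` raised on the ftp-proxy init_filter hunk apply here as well. init_filter's body continues outside the hunk.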