-
Notifications
You must be signed in to change notification settings - Fork 444
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FreeBSD: use libpfctl #671
Conversation
I think we should |
Something like this then. I've added an 'r' pointer in most functions because it avoids a lot of ifdef USE_LIBPFCTL then rule.... #else pr.rule.... #endif all over the place. |
It looks great ! |
to prepare the use of libpfctl see #671
FreeBSD 15 has removed several ioctl calls (such as DIOCGETSTATUS and DIOCGETRULE) and replaced them. The easiest way to cope with that is to use the provided libpfctl library. Sponsored by: Rubicon Communications, LLC ("Netgate")
@kprovost libpfctl will only be available starting with FreeBSD 15, right ? |
No, it's available on all support FreeBSD versions, 12.4, 13.2 and 14.0. The DIOCGETRULE ioctl no longer exists in 15, so there you either use libpfctl or implement the new nvlist-based ioctl (don't do that, it's likely to go away and be replaced as well). |
shouldn't pfctl_get_rules_info() be used instead of DIOCGETRULES ? |
We can, and in due course should, but it's not required on FreeBSD 15. I think I'd prefer to keep this patch as small as possible to fix the immediate problem (of not actually working with FreeBSD 15). We can continue other cleanup work in separate patches. |
That appears to still be using DIOCGETRULE in ./pf/pfpinhole.c |
Okay, I can confirm that builds, and at first glance that looks good. I'll do a better review and try to test this as well early next week. |
There's still at least one issue here. I can create pinholes (rdr rules in pf parlance), but not list them. Using 'upnpc -l' I see 'ioctl(dev, DIOCGETADDR, ...):1523 Device busy' from miniupnpd. That appears to be because in get_redirect_rule_by_index() we take the ticket number from pr.ticket, however in the LIBPFCTL case we get that from ri.ticket. With that adjustment I can enumerate the rdr rules. I'm also still seeing a problem where rules that have an expired leaseTime (i.e. 0) don't appear to be cleaned up. There's no associated error message in the miniupnpd log, so I've not worked out why that is yet. |
I think the delete doesn't work... |
@kprovost what is that adjustment you made ? |
Essentially this, everywhere we call pfctl_get_rules_info() (and also use a struct pfioc_rule pr):
|
@kprovost it must be better now |
That fixes retrieval. Deletion of rules is still broken. I've had a quick look and couldn't immediately figure out why. As far as I can tell it's not actually in the pf abstraction code, as that doesn't appear to be getting called. |
No, I was wrong. The bug is that in priv_delete_redirect_rule_desc() we do
fixes that for me. |
I'm going to merge my branch into master. alea jacta est |
I've re-tested master with these changes included. As far as I can tell everything works. |
FreeBSD 15 has removed several ioctl calls (such as DIOCGETSTATUS and DIOCGETRULE) and replaced them. The easiest way to cope with that is to use the provided libpfctl library.
NOTE: This version of the patch will break use on OpenBSD or NetBSD and is intended to serve as a basis for discussing the best approach to cope with these differences.
Sponsored by: Rubicon Communications, LLC ("Netgate")