libpfctl: support flushing rules/nat/eth

Move the code to flush regular rules, nat rules and Ethernet rules into libpfctl for easier re-use. MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34442
2026-05-28 04:12:45 -04:00 · 2022-03-04 15:50:43 +01:00 · 2022-03-04 15:50:43 +01:00 · f0c334e4de
commit f0c334e4de
parent 45b6c31a38
3 changed files with 116 additions and 34 deletions
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@ -1169,6 +1169,95 @@ pfctl_kill_states(int dev, const struct pfctl_kill *kill, unsigned int *killed)
 	return (_pfctl_clear_states(dev, kill, killed, DIOCKILLSTATESNV));
 }

+int
+pfctl_clear_rules(int dev, const char *anchorname)
+{
+	struct pfioc_trans trans;
+	struct pfioc_trans_e transe[2];
+	int ret;
+
+	bzero(&trans, sizeof(trans));
+	bzero(&transe, sizeof(transe));
+
+	transe[0].rs_num = PF_RULESET_SCRUB;
+	if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
+	    >= sizeof(transe[0].anchor))
+		return (E2BIG);
+
+	transe[1].rs_num = PF_RULESET_FILTER;
+	if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
+	    >= sizeof(transe[1].anchor))
+		return (E2BIG);
+
+	trans.size = 2;
+	trans.esize = sizeof(transe[0]);
+	trans.array = transe;
+
+	ret = ioctl(dev, DIOCXBEGIN, &trans);
+	if (ret != 0)
+		return (ret);
+	return ioctl(dev, DIOCXCOMMIT, &trans);
+}
+
+int
+pfctl_clear_nat(int dev, const char *anchorname)
+{
+	struct pfioc_trans trans;
+	struct pfioc_trans_e transe[3];
+	int ret;
+
+	bzero(&trans, sizeof(trans));
+	bzero(&transe, sizeof(transe));
+
+	transe[0].rs_num = PF_RULESET_NAT;
+	if (strlcpy(transe[0].anchor, anchorname, sizeof(transe[0].anchor))
+	    >= sizeof(transe[0].anchor))
+		return (E2BIG);
+
+	transe[1].rs_num = PF_RULESET_BINAT;
+	if (strlcpy(transe[1].anchor, anchorname, sizeof(transe[1].anchor))
+	    >= sizeof(transe[0].anchor))
+		return (E2BIG);
+
+	transe[2].rs_num = PF_RULESET_RDR;
+	if (strlcpy(transe[2].anchor, anchorname, sizeof(transe[2].anchor))
+	    >= sizeof(transe[2].anchor))
+		return (E2BIG);
+
+	trans.size = 3;
+	trans.esize = sizeof(transe[0]);
+	trans.array = transe;
+
+	ret = ioctl(dev, DIOCXBEGIN, &trans);
+	if (ret != 0)
+		return (ret);
+	return ioctl(dev, DIOCXCOMMIT, &trans);
+}
+int
+pfctl_clear_eth_rules(int dev, const char *anchorname)
+{
+	struct pfioc_trans trans;
+	struct pfioc_trans_e transe;
+	int ret;
+
+	bzero(&trans, sizeof(trans));
+	bzero(&transe, sizeof(transe));
+
+	transe.rs_num = PF_RULESET_ETH;
+	if (strlcpy(transe.anchor, anchorname, sizeof(transe.anchor))
+	    >= sizeof(transe.anchor))
+		return (E2BIG);
+
+	trans.size = 1;
+	trans.esize = sizeof(transe);
+	trans.array = &transe;
+
+	ret = ioctl(dev, DIOCXBEGIN, &trans);
+	if (ret != 0)
+		return (ret);
+	return ioctl(dev, DIOCXCOMMIT, &trans);
+}
+
 static int
 pfctl_get_limit(int dev, const int index, uint *limit)
 {
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@ -373,6 +373,9 @@ int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
 	    unsigned int *killed);
 int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
 	    unsigned int *killed);
+int	pfctl_clear_rules(int dev, const char *anchorname);
+int	pfctl_clear_nat(int dev, const char *anchorname);
+int	pfctl_clear_eth_rules(int dev, const char *anchorname);
 int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
 int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);

--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@ -75,9 +75,9 @@ int	 pfctl_get_skip_ifaces(void);
 int	 pfctl_check_skip_ifaces(char *);
 int	 pfctl_adjust_skip_ifaces(struct pfctl *);
 int	 pfctl_clear_interface_flags(int, int);
-int	 pfctl_clear_eth_rules(int, int, char *);
-int	 pfctl_clear_rules(int, int, char *);
-int	 pfctl_clear_nat(int, int, char *);
+int	 pfctl_flush_eth_rules(int, int, char *);
+int	 pfctl_flush_rules(int, int, char *);
+int	 pfctl_flush_nat(int, int, char *);
 int	 pfctl_clear_altq(int, int);
 int	 pfctl_clear_src_nodes(int, int);
 int	 pfctl_clear_iface_states(int, const char *, int);
@ -460,32 +460,27 @@ pfctl_clear_interface_flags(int dev, int opts)
 }

 int
-pfctl_clear_eth_rules(int dev, int opts, char *anchorname)
+pfctl_flush_eth_rules(int dev, int opts, char *anchorname)
 {
-	struct pfr_buffer t;
+	int ret;

-	memset(&t, 0, sizeof(t));
-	t.pfrb_type = PFRB_TRANS;
-	if (pfctl_add_trans(&t, PF_RULESET_ETH, anchorname) ||
-	    pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
-	    pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+	ret = pfctl_clear_eth_rules(dev, anchorname);
+	if (ret != 0)
 		err(1, "pfctl_clear_eth_rules");
+
 	if ((opts & PF_OPT_QUIET) == 0)
 		fprintf(stderr, "Ethernet rules cleared\n");
-	return (0);
+
+	return (ret);
 }

 int
-pfctl_clear_rules(int dev, int opts, char *anchorname)
+pfctl_flush_rules(int dev, int opts, char *anchorname)
 {
-	struct pfr_buffer t;
+	int ret;

-	memset(&t, 0, sizeof(t));
-	t.pfrb_type = PFRB_TRANS;
-	if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
-	    pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
-	    pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
-	    pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+	ret = pfctl_clear_rules(dev, anchorname);
+	if (ret != 0)
 		err(1, "pfctl_clear_rules");
 	if ((opts & PF_OPT_QUIET) == 0)
 		fprintf(stderr, "rules cleared\n");
@ -493,17 +488,12 @@ pfctl_clear_rules(int dev, int opts, char *anchorname)
 }

 int
-pfctl_clear_nat(int dev, int opts, char *anchorname)
+pfctl_flush_nat(int dev, int opts, char *anchorname)
 {
-	struct pfr_buffer t;
+	int ret;

-	memset(&t, 0, sizeof(t));
-	t.pfrb_type = PFRB_TRANS;
-	if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
-	    pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
-	    pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
-	    pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
-	    pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+	ret = pfctl_clear_nat(dev, anchorname);
+	if (ret != 0)
 		err(1, "pfctl_clear_nat");
 	if ((opts & PF_OPT_QUIET) == 0)
 		fprintf(stderr, "nat cleared\n");
@ -2926,13 +2916,13 @@ main(int argc, char *argv[])

 		switch (*clearopt) {
 		case 'e':
-			pfctl_clear_eth_rules(dev, opts, anchorname);
+			pfctl_flush_eth_rules(dev, opts, anchorname);
 			break;
 		case 'r':
-			pfctl_clear_rules(dev, opts, anchorname);
+			pfctl_flush_rules(dev, opts, anchorname);
 			break;
 		case 'n':
-			pfctl_clear_nat(dev, opts, anchorname);
+			pfctl_flush_nat(dev, opts, anchorname);
 			break;
 		case 'q':
 			pfctl_clear_altq(dev, opts);
@ -2947,9 +2937,9 @@ main(int argc, char *argv[])
 			pfctl_clear_stats(dev, opts);
 			break;
 		case 'a':
-			pfctl_clear_eth_rules(dev, opts, anchorname);
-			pfctl_clear_rules(dev, opts, anchorname);
-			pfctl_clear_nat(dev, opts, anchorname);
+			pfctl_flush_eth_rules(dev, opts, anchorname);
+			pfctl_flush_rules(dev, opts, anchorname);
+			pfctl_flush_nat(dev, opts, anchorname);
 			pfctl_clear_tables(anchorname, opts);
 			if (!*anchorname) {
 				pfctl_clear_altq(dev, opts);