From 76c5eecc3490d89a9a3492ed2354802b69d69602 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Fri, 29 Oct 2021 17:40:53 +0200
Subject: pf: Introduce ridentifier

Allow users to set a number on rules which will be exposed as part of the pflog header. The intent behind this is to allow users to correlate rules across updates (remember that pf rules continue to exist and match existing states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750
---
 lib/libpfctl/libpfctl.c | 2 ++
 lib/libpfctl/libpfctl.h | 1 +
 2 files changed, 3 insertions(+)
 (limited to 'lib/libpfctl')
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index aaf5998ed0d6..9abfbdce8cf1 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -455,6 +455,7 @@ pf_nvrule_to_rule(const nvlist_t *nvl, struct pfctl_rule *rule)
 	assert(labelcount <= PF_RULE_MAX_LABEL_COUNT);
 	for (size_t i = 0; i < labelcount; i++)
 		strlcpy(rule->label[i], labels[i], PF_RULE_LABEL_SIZE);
+	rule->ridentifier = nvlist_get_number(nvl, "ridentifier");
 	strlcpy(rule->ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
 	strlcpy(rule->qname, nvlist_get_string(nvl, "qname"), PF_QNAME_SIZE);
 	strlcpy(rule->pqname, nvlist_get_string(nvl, "pqname"), PF_QNAME_SIZE);
@@ -569,6 +570,7 @@ pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
 		    r->label[labelcount]);
 		labelcount++;
 	}
+	nvlist_add_number(nvlr, "ridentifier", r->ridentifier);
 	nvlist_add_string(nvlr, "ifname", r->ifname);
 	nvlist_add_string(nvlr, "qname", r->qname);
 
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index 1f7259ee8d32..71806ed217ee 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
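Review bot: The added `rule->ridentifier = nvlist_get_number(nvl, "ridentifier");` in pf_nvrule_to_rule reads the key unconditionally, and libnv's nvlist_get_number() aborts the process when the key is missing, so a pfctl built with this library would terminate when talking to a kernel that does not yet emit "ridentifier" in its rule nvlists. Guarding the read leaves the field zero on such kernels: `if (nvlist_exists_number(nvl, "ridentifier")) rule->ridentifier = nvlist_get_number(nvl, "ridentifier");`. Separately, nvlist_get_number() returns a 64-bit value while the header hunk declares the field `u_int32_t`, so the assignment truncates silently; either widen the field or cast explicitly with a comment noting that the producer is expected to keep the value within 32 bits (I cannot see the kernel side from this diff). pf_nvrule_to_rule's body continues on both sides of the hunk.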
@@ -81,6 +81,7 @@ struct pfctl_rule {
 	struct pf_rule_addr	 dst;
 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
 	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
+	u_int32_t		 ridentifier;
 	char			 ifname[IFNAMSIZ];
 	char			 qname[PF_QNAME_SIZE];
 	char			 pqname[PF_QNAME_SIZE];
-- 
cgit v1.3
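Review bot: The new `u_int32_t ridentifier;` member of struct pfctl_rule is undocumented, and nothing in the header tells a reader that it is a user-chosen value that is carried through to the pflog header rather than something pf assigns or interprets. A trailing comment on the field, `u_int32_t ridentifier; /* user-assigned rule id, exported in the pflog header */`, would record the contract the commit message describes. The struct definition starts before and continues past this hunk.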