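/*
 * npfctl_build_rulesetref: create a rule which references the ruleset
 * named by 'name' and insert it into the current group.
 *
 * The reference is created with NPF_RULE_IN | NPF_RULE_OUT and no
 * interface (if_idx 0).  A reference outside of any group is reported
 * through yyerror(), the same way npfctl_build_rule() reports it; the
 * previous assert() would be compiled out under NDEBUG and the rule
 * would then be inserted with a NULL parent, i.e. at the top level the
 * way npfctl_build_group() inserts groups.  A NULL result from
 * npf_rule_create() (allocation failure) is reported as well instead of
 * being handed to npf_rule_insert().
 */
void
npfctl_build_rulesetref(const char *name)
{
	nl_rule_t *rl;

	if (current_group == NULL) {
		yyerror("ruleset reference must belong to a group");
		return;
	}
	rl = npf_rule_create(name, NPF_RULE_IN | NPF_RULE_OUT, 0);
	if (rl == NULL) {
		yyerror("failed to create ruleset reference");
		return;
	}
	npf_rule_insert(npf_conf, current_group, rl, NPF_PRI_NEXT);
}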
/*
 * npf_nat_create: create a NAT policy.  A policy is an ordinary rule
 * (NPF_RULE_PASS | NPF_RULE_FINAL, outbound for NPF_NATOUT, inbound for
 * any other type) whose dictionary carries the translation data.
 *
 * af selects the size of the address copied from addr: AF_INET or
 * AF_INET6, any other family yields NULL.  flags and mask are stored
 * as given; port is the translation port (used for the redirect case).
 *
 * NOTE(review): ifname (const char *) is passed as the third argument of
 * npf_rule_create(), whereas npfctl_build_group()/npfctl_build_rule()
 * pass a u_int interface index there - confirm which signature libnpf
 * exports in this revision.
 *
 * Returns the policy (the underlying nl_rule_t cast to nl_nat_t *) or
 * NULL if the rule or the address data could not be created.
 */
nl_nat_t *
npf_nat_create(int type, u_int flags, const char *ifname, int af,
    npf_addr_t *addr, npf_netmask_t mask, in_port_t port)
{
	size_t addrlen;
	uint32_t attr;
	nl_rule_t *rl;
	prop_dictionary_t dict;
	prop_data_t ipdata;

	switch (af) {
	case AF_INET:
		addrlen = sizeof(struct in_addr);
		break;
	case AF_INET6:
		addrlen = sizeof(struct in6_addr);
		break;
	default:
		return NULL;
	}

	attr = NPF_RULE_PASS | NPF_RULE_FINAL;
	attr |= (type == NPF_NATOUT) ? NPF_RULE_OUT : NPF_RULE_IN;

	/* The policy is a rule; the translation data is attached below. */
	rl = npf_rule_create(NULL, attr, ifname);
	if (rl == NULL) {
		return NULL;
	}
	dict = rl->nrl_dict;

	/* Translation type and flags. */
	prop_dictionary_set_int32(dict, "type", type);
	prop_dictionary_set_uint32(dict, "flags", flags);

	/* Translation address (af-sized copy of addr) and its mask. */
	ipdata = prop_data_create_data(addr, addrlen);
	if (ipdata == NULL) {
		npf_rule_destroy(rl);
		return NULL;
	}
	prop_dictionary_set(dict, "translation-ip", ipdata);
	prop_object_release(ipdata);
	prop_dictionary_set_uint32(dict, "translation-mask", mask);

	/* Translation port, meaningful for redirects. */
	prop_dictionary_set_uint16(dict, "translation-port", port);

	return (nl_nat_t *)rl;
}
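/*
 * npfctl_build_group: create a group, insert it into the global ruleset
 * (NULL parent) and make it the current group for the rules that follow.
 *
 * Groups always match both directions: the default group gets
 * NPF_RULE_IN | NPF_RULE_OUT unconditionally, any other group gets them
 * when the caller specified neither.  Only one default group may exist;
 * a second one is a configuration error.  NPF_RULE_FINAL is added to the
 * caller's attributes.  A NULL result from npf_rule_create() (allocation
 * failure) is reported instead of being passed to npf_rule_insert(), and
 * current_group is left untouched in that case.
 */
void
npfctl_build_group(const char *name, int attr, u_int if_idx)
{
	const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT);
	nl_rule_t *rl;

	if (attr & NPF_RULE_DEFAULT) {
		if (defgroup_set) {
			yyerror("multiple default groups are not valid");
		}
		defgroup_set = true;
		attr |= attr_di;
	} else if ((attr & attr_di) == 0) {
		attr |= attr_di;
	}

	rl = npf_rule_create(name, attr | NPF_RULE_FINAL, if_idx);
	if (rl == NULL) {
		yyerror("failed to create group");
		return;
	}
	npf_rule_insert(npf_conf, NULL, rl, NPF_PRI_NEXT);
	current_group = rl;
}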
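/*
 * npfctl_build_rule: create a rule, build n-code from the protocol and
 * filter options (if any) and insert it into the current group.
 *
 * With a global configuration (npf_conf != NULL): rproc, if given, must
 * name a rule procedure already defined in npf_conf, and the rule must
 * belong to a group; both violations are reported through yyerror().
 * Without npf_conf the rule is not inserted anywhere but handed back via
 * single_built_rule; rproc is not applied on that path (presumably the
 * caller deals with it - TODO confirm).
 *
 * The stray debugging printf of if_idx (which used %d for an unsigned
 * value) has been removed, and a NULL result from npf_rule_create()
 * (allocation failure) is reported instead of being passed on to
 * npfctl_build_ncode()/npf_rule_insert().
 */
void
npfctl_build_rule(int attr, u_int if_idx, sa_family_t family,
    const opt_proto_t *op, const filt_opts_t *fopts, const char *rproc)
{
	nl_rule_t *rl;

	rl = npf_rule_create(NULL, attr, if_idx);
	if (rl == NULL) {
		yyerror("failed to create rule");
		return;
	}
	npfctl_build_ncode(rl, family, op, fopts, false);

	if (npf_conf == NULL) {
		/* Stand-alone rule: hand it back to the caller. */
		single_built_rule = rl;
		return;
	}
	if (rproc && npf_rule_setproc(npf_conf, rl, rproc) != 0) {
		yyerror("rule procedure '%s' is not defined", rproc);
	}
	if (current_group == NULL) {
		yyerror("rule must belong to a group");
	}
	npf_rule_insert(npf_conf, current_group, rl, NPF_PRI_NEXT);
}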