예제 #1
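/*
 * npfctl_build_rulesetref: create a named rule matching both directions
 * (no interface is bound to it) and insert it into the current group.
 *
 * Failures are reported through yyerror(), as npfctl_build_rule() does,
 * instead of assert(): an assert() is compiled out under NDEBUG, and the
 * rule would then be inserted into a NULL group without any diagnostic.
 */
void
npfctl_build_rulesetref(const char *name)
{
	nl_rule_t *rl;

	rl = npf_rule_create(name, NPF_RULE_IN | NPF_RULE_OUT, 0);
	if (rl == NULL) {
		/* npf_rule_create() returns NULL on failure (see npf_nat_create). */
		yyerror("could not create rule for ruleset '%s'", name);
	}
	if (current_group == NULL) {
		yyerror("rule must belong to a group");
	}
	npf_rule_insert(npf_conf, current_group, rl, NPF_PRI_NEXT);
}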
예제 #2
/*
 * npf_nat_create: build a NAT policy as a "pass final" rule in the
 * translation direction, carrying the translation data in its dictionary.
 *
 * Returns NULL when the address family is neither AF_INET nor AF_INET6,
 * or when the rule or the translation-ip data object cannot be created.
 * The returned object is an nl_rule_t viewed as nl_nat_t; the caller is
 * presumably responsible for releasing it (not established here).
 */
nl_nat_t *
npf_nat_create(int type, u_int flags, const char *ifname,
    int af, npf_addr_t *addr, npf_netmask_t mask, in_port_t port)
{
	size_t addrlen;

	/* Only IPv4 and IPv6 translation addresses are accepted. */
	switch (af) {
	case AF_INET:
		addrlen = sizeof(struct in_addr);
		break;
	case AF_INET6:
		addrlen = sizeof(struct in6_addr);
		break;
	default:
		return NULL;
	}

	/* Outbound NAT applies on the "out" side, everything else on "in". */
	const uint32_t attr = NPF_RULE_PASS | NPF_RULE_FINAL |
	    (type == NPF_NATOUT ? NPF_RULE_OUT : NPF_RULE_IN);

	nl_rule_t *rl = npf_rule_create(NULL, attr, ifname);
	if (rl == NULL) {
		return NULL;
	}
	prop_dictionary_t dict = rl->nrl_dict;

	/* Translation type and flags. */
	prop_dictionary_set_int32(dict, "type", type);
	prop_dictionary_set_uint32(dict, "flags", flags);

	/* Translation address (addrlen bytes of *addr) and its mask. */
	prop_data_t ipdata = prop_data_create_data(addr, addrlen);
	if (ipdata == NULL) {
		/* Undo the rule so nothing leaks on the failure path. */
		npf_rule_destroy(rl);
		return NULL;
	}
	prop_dictionary_set(dict, "translation-ip", ipdata);
	prop_dictionary_set_uint32(dict, "translation-mask", mask);
	prop_object_release(ipdata);

	/* Translation port, used by the redirect case. */
	prop_dictionary_set_uint16(dict, "translation-port", port);

	return (nl_nat_t *)rl;
}
예제 #3
/*
 * npfctl_build_group: create a group, insert into the global ruleset
 * and update the current group pointer.
 */
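void
npfctl_build_group(const char *name, int attr, u_int if_idx)
{
	const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT);
	nl_rule_t *rl;

	if (attr & NPF_RULE_DEFAULT) {
		/* Only one default group may exist in a configuration. */
		if (defgroup_set) {
			yyerror("multiple default groups are not valid");
		}
		defgroup_set = true;
		attr |= attr_di;

	} else if ((attr & attr_di) == 0) {
		/* No direction given: the group applies to both. */
		attr |= attr_di;
	}

	rl = npf_rule_create(name, attr | NPF_RULE_FINAL, if_idx);
	if (rl == NULL) {
		/*
		 * npf_rule_create() returns NULL on failure (see
		 * npf_nat_create); report it like the other parse errors
		 * instead of inserting a NULL rule into the ruleset.
		 */
		yyerror("could not create group '%s'", name ? name : "");
	}
	npf_rule_insert(npf_conf, NULL, rl, NPF_PRI_NEXT);
	current_group = rl;
}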
예제 #4
/*
 * npfctl_build_rule: create a rule, build n-code from filter options,
 * if any, and insert into the ruleset of current group.
 */
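void
npfctl_build_rule(int attr, u_int if_idx, sa_family_t family,
    const opt_proto_t *op, const filt_opts_t *fopts, const char *rproc)
{
	nl_rule_t *rl;

	/*
	 * The stray debug printf() of if_idx was dropped: it wrote to stdout
	 * on every rule and formatted a u_int with "%d".
	 */
	rl = npf_rule_create(NULL, attr, if_idx);
	if (rl == NULL) {
		/* npf_rule_create() returns NULL on failure (see npf_nat_create). */
		yyerror("could not create rule");
	}
	npfctl_build_ncode(rl, family, op, fopts, false);

	if (npf_conf != NULL) {
		/* A named rule procedure must already be defined. */
		if (rproc && npf_rule_setproc(npf_conf, rl, rproc) != 0) {
			yyerror("rule procedure '%s' is not defined", rproc);
		}
		if (current_group == NULL) {
			yyerror("rule must belong to a group");
		}
		npf_rule_insert(npf_conf, current_group, rl, NPF_PRI_NEXT);
	} else {
		/* No configuration being built: keep the rule for the caller. */
		single_built_rule = rl;
	}
}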