
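--- a/net/miniupnpd/Makefile
+++ b/net/miniupnpd/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	miniupnpd
-DISTVERSION=	2.3.6
-PORTEPOCH=	1
+DISTVERSION=	2.3.7
 CATEGORIES=	net
 
 MAINTAINER=	squat@squat.no
@@ -17,7 +16,7 @@ CPE_VENDOR= miniupnp_project
 USE_GITHUB=	yes
 GH_ACCOUNT=	miniupnp
 GH_PROJECT=	miniupnp
-GH_TAGNAME=	miniupnpd_2_3_6
+GH_TAGNAME=	miniupnpd_2_3_7
 
 USE_RC_SUBR=	miniupnpd
 
@@ -34,7 +33,8 @@ PLIST_FILES= etc/miniupnpd.conf.sample \
 		sbin/miniupnpd
 
 # unconditionally use pf, ipfw does not work on FreeBSD
-CONFIGURE_ARGS=	--firewall=pf
+CONFIGURE_ARGS=	--firewall=pf \
+		--libpfctl
 
 OPTIONS_DEFINE=			CHECK_PORTINUSE IPV6 LEASEFILE UPNP_IGDV2 \
 				UPNP_STRICT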
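Review bot: The first hunk removes `PORTEPOCH=	1` alongside the DISTVERSION bump, and in the ports tree an epoch that has been committed must never be dropped or lowered: `2.3.7` without the epoch sorts below the existing `2.3.6,1`, so pkg would treat the new package as a downgrade and installed hosts would stay on the old daemon. Keep `PORTEPOCH=	1` in the new Makefile unless the committed port never carried it (the base the patch was generated against is not visible here). In the third hunk the new `--libpfctl` argument replaces the two local libpfctl patches deleted further down; presumably the 2.3.7 configure script accepts that flag, which is worth confirming with a build on each supported FreeBSD branch, since the comment above it makes pf the only firewall backend.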
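--- a/net/miniupnpd/distinfo
+++ b/net/miniupnpd/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1715155832
-SHA256 (miniupnp-miniupnp-2.3.6-miniupnpd_2_3_6_GH0.tar.gz) = 6e5ee2239030486675f558cc840d154e5e2db9517efc96c5b0ab2b2c34c1a128
-SIZE (miniupnp-miniupnp-2.3.6-miniupnpd_2_3_6_GH0.tar.gz) = 462607
+TIMESTAMP = 1724590328
+SHA256 (miniupnp-miniupnp-2.3.7-miniupnpd_2_3_7_GH0.tar.gz) = bbcada94edb0ae6340533cac4633f7a36a515c81bd2815ec0c4e97164c577e8b
+SIZE (miniupnp-miniupnp-2.3.7-miniupnpd_2_3_7_GH0.tar.gz) = 465760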
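--- a/net/miniupnpd/files/patch-pf_obsdrdr.c
+++ /dev/null
@@ -1,458 +0,0 @@
---- pf/obsdrdr.c.orig	2024-03-19 23:41:25 UTC
-+++ pf/obsdrdr.c
-@@ -64,6 +64,8 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
-+#include <libpfctl.h>
-+
- #include "../macros.h"
- #include "config.h"
- #include "obsdrdr.h"
-@@ -155,7 +157,7 @@ init_redirect(void)
- int
- init_redirect(void)
- {
--	struct pf_status status;
-+	struct pfctl_status *status;
- 	if(dev>=0)
- 		shutdown_redirect();
- 	dev = open("/dev/pf", O_RDWR);
-@@ -163,14 +165,16 @@ init_redirect(void)
- 		syslog(LOG_ERR, "open(\"/dev/pf\"): %m");
- 		return -1;
- 	}
--	if(ioctl(dev, DIOCGETSTATUS, &status)<0) {
-+	if ((status = pfctl_get_status(dev)) == NULL) {
- 		syslog(LOG_ERR, "DIOCGETSTATUS: %m");
- 		return -1;
- 	}
--	if(!status.running) {
-+	if(!status->running) {
-+		pfctl_free_status(status);
- 		syslog(LOG_ERR, "pf is disabled");
- 		return -1;
- 	}
-+	pfctl_free_status(status);
- 	return 0;
- }
- 
-@@ -471,6 +475,7 @@ delete_nat_rule(const char * ifname, unsigned short ip
- 	int i, n, r;
- 	unsigned int tnum;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- 	UNUSED(ifname);
- 	if(dev<0) {
- 		syslog(LOG_ERR, "pf device is not open");
-@@ -486,7 +491,7 @@ delete_nat_rule(const char * ifname, unsigned short ip
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0)
- 	{
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	n = pr.nr;
-@@ -497,7 +502,7 @@ delete_nat_rule(const char * ifname, unsigned short ip
- 	for(i=0; i<n; i++)
- 	{
- 		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0)
-+		if (pfctl_get_rule(dev, i, pr.ticket, pr.anchor, PF_NAT, &rule, pr.anchor_call) != 0)
- 		{
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			r = -1;
-@@ -505,12 +510,12 @@ delete_nat_rule(const char * ifname, unsigned short ip
- 		}
- #ifdef TEST
- 		syslog(LOG_DEBUG, "%2d port=%hu proto=%d addr=%8x    %8x",
--		       i, ntohs(pr.rule.src.port[0]), pr.rule.proto,
--		       pr.rule.src.addr.v.a.addr.v4.s_addr, iaddr);
-+		       i, ntohs(rule.src.port[0]), rule.proto,
-+		       rule.src.addr.v.a.addr.v4.s_addr, iaddr);
- #endif /* TEST */
--		if(iport == ntohs(pr.rule.src.port[0])
--		 && pr.rule.proto == proto
--		 && iaddr == pr.rule.src.addr.v.a.addr.v4.s_addr)
-+		if(iport == ntohs(rule.src.port[0])
-+		 && rule.proto == proto
-+		 && iaddr == rule.src.addr.v.a.addr.v4.s_addr)
- 		{
- 			pr.action = PF_CHANGE_GET_TICKET;
- 			if(ioctl(dev, DIOCCHANGERULE, &pr) < 0)
-@@ -842,7 +847,7 @@ get_redirect_rule_count(const char * ifname)
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0)
- 	{
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	release_ticket(dev, pr.ticket);
-@@ -863,7 +868,9 @@ get_redirect_rule(const char * ifname, unsigned short 
- {
- 	int i, n, r;
- 	unsigned int tnum;
--	struct pfioc_rule pr;
-+	struct pfctl_rules_info info;
-+	struct pfctl_rule rule;
-+	char anchor_call[MAXPATHLEN];
- #ifndef PF_NEWSTYLE
- 	struct pfioc_pooladdr pp;
- #endif
-@@ -873,63 +880,57 @@ get_redirect_rule(const char * ifname, unsigned short 
- 		syslog(LOG_ERR, "pf device is not open");
- 		return -1;
- 	}
--	memset(&pr, 0, sizeof(pr));
--	strlcpy(pr.anchor, anchor_name, MAXPATHLEN);
--#ifndef PF_NEWSTYLE
--	pr.rule.action = PF_RDR;
--#endif
--	if(ioctl(dev, DIOCGETRULES, &pr) < 0)
-+	if (pfctl_get_rules_info(dev, &info, PF_RDR, anchor_name) != 0)
- 	{
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
--	n = pr.nr;
-+	n = info.nr;
- #ifdef PF_RELEASETICKETS
--	tnum = pr.ticket;
-+	tnum = info.ticket;
- #endif /* PF_RELEASETICKETS */
- 	r = -2;
- 	for(i=0; i<n; i++)
- 	{
--		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0)
-+		if (pfctl_get_rule(dev, i, info.ticket, anchor_name, PF_RDR, &rule, anchor_call) != 0)
- 		{
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			r = -1;
- 			break;
- 		}
- #ifdef __APPLE__
--		if( (eport == ntohs(pr.rule.dst.xport.range.port[0]))
--		  && (eport == ntohs(pr.rule.dst.xport.range.port[1]))
-+		if( (eport == ntohs(rule.dst.xport.range.port[0]))
-+		  && (eport == ntohs(rule.dst.xport.range.port[1]))
- #else
--		if( (eport == ntohs(pr.rule.dst.port[0]))
--		  && (eport == ntohs(pr.rule.dst.port[1]))
-+		if( (eport == ntohs(rule.dst.port[0]))
-+		  && (eport == ntohs(rule.dst.port[1]))
- #endif
--		  && (pr.rule.proto == proto) )
-+		  && (rule.proto == proto) )
- 		{
- #ifndef PF_NEWSTYLE
--			*iport = pr.rule.rpool.proxy_port[0];
-+			*iport = rule.rpool.proxy_port[0];
- #else
--			*iport = pr.rule.rdr.proxy_port[0];
-+			*iport = rule.rdr.proxy_port[0];
- #endif
- 			if(desc)
--				strlcpy(desc, pr.rule.label, desclen);
-+				strlcpy(desc, rule.label[0], desclen);
- #ifdef PFRULE_INOUT_COUNTS
- 			if(packets)
--				*packets = pr.rule.packets[0] + pr.rule.packets[1];
-+				*packets = rule.packets[0] + rule.packets[1];
- 			if(bytes)
--				*bytes = pr.rule.bytes[0] + pr.rule.bytes[1];
-+				*bytes = rule.bytes[0] + rule.bytes[1];
- #else
- 			if(packets)
--				*packets = pr.rule.packets;
-+				*packets = rule.packets;
- 			if(bytes)
--				*bytes = pr.rule.bytes;
-+				*bytes = rule.bytes;
- #endif
- #ifndef PF_NEWSTYLE
- 			memset(&pp, 0, sizeof(pp));
- 			strlcpy(pp.anchor, anchor_name, MAXPATHLEN);
- 			pp.r_action = PF_RDR;
- 			pp.r_num = i;
--			pp.ticket = pr.ticket;
-+			pp.ticket = info.ticket;
- 			if(ioctl(dev, DIOCGETADDRS, &pp) < 0)
- 			{
- 				syslog(LOG_ERR, "ioctl(dev, DIOCGETADDRS, ...): %m");
-@@ -957,15 +958,15 @@ get_redirect_rule(const char * ifname, unsigned short 
- 			          iaddr, iaddrlen);
- #endif
- #else
--			inet_ntop(AF_INET, &pr.rule.rdr.addr.v.a.addr.v4.s_addr,
-+			inet_ntop(AF_INET, &rule.rdr.addr.v.a.addr.v4.s_addr,
- 			          iaddr, iaddrlen);
- #endif
- 			if(rhost && rhostlen > 0)
- 			{
- #ifdef PFVAR_NEW_STYLE
--				if (pr.rule.src.addr.v.a.addr.v4addr.s_addr == 0)
-+				if (rule.src.addr.v.a.addr.v4addr.s_addr == 0)
- #else
--				if (pr.rule.src.addr.v.a.addr.v4.s_addr == 0)
-+				if (rule.src.addr.v.a.addr.v4.s_addr == 0)
- #endif
- 				{
- 					rhost[0] = '\0'; /* empty string */
-@@ -973,10 +974,10 @@ get_redirect_rule(const char * ifname, unsigned short 
- 				else
- 				{
- #ifdef PFVAR_NEW_STYLE
--					inet_ntop(AF_INET, &pr.rule.src.addr.v.a.addr.v4addr.s_addr,
-+					inet_ntop(AF_INET, &rule.src.addr.v.a.addr.v4addr.s_addr,
- 					          rhost, rhostlen);
- #else
--					inet_ntop(AF_INET, &pr.rule.src.addr.v.a.addr.v4.s_addr,
-+					inet_ntop(AF_INET, &rule.src.addr.v.a.addr.v4.s_addr,
- 					          rhost, rhostlen);
- #endif
- 				}
-@@ -1010,6 +1011,7 @@ priv_delete_redirect_rule_check_desc(const char * ifna
- 	int i, n, r;
- 	unsigned int tnum;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- 	UNUSED(ifname);
- 
- 	if(dev<0) {
-@@ -1023,7 +1025,7 @@ priv_delete_redirect_rule_check_desc(const char * ifna
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0)
- 	{
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	n = pr.nr;
-@@ -1034,24 +1036,24 @@ priv_delete_redirect_rule_check_desc(const char * ifna
- 	for(i=0; i<n; i++)
- 	{
- 		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0)
-+		if (pfctl_get_rule(dev, i, pr.ticket, pr.anchor, PF_RDR, &rule, pr.anchor_call) != 0)
- 		{
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			r = -1;
- 			break;
- 		}
- #ifdef __APPLE__
--		if( (eport == ntohs(pr.rule.dst.xport.range.port[0]))
--		  && (eport == ntohs(pr.rule.dst.xport.range.port[1]))
-+		if( (eport == ntohs(rule.dst.xport.range.port[0]))
-+		  && (eport == ntohs(rule.dst.xport.range.port[1]))
- #else
--		if( (eport == ntohs(pr.rule.dst.port[0]))
--		  && (eport == ntohs(pr.rule.dst.port[1]))
-+		if( (eport == ntohs(rule.dst.port[0]))
-+		  && (eport == ntohs(rule.dst.port[1]))
- #endif
--		  && (pr.rule.proto == proto) )
-+		  && (rule.proto == proto) )
- 		{
- 			/* retrieve iport in order to remove filter rule */
- #ifndef PF_NEWSTYLE
--			if(iport) *iport = pr.rule.rpool.proxy_port[0];
-+			if(iport) *iport = rule.rpool.proxy_port[0];
- 			if(iaddr)
- 			{
- 				/* retrieve internal address */
-@@ -1087,33 +1089,33 @@ priv_delete_redirect_rule_check_desc(const char * ifna
- #endif
- 			}
- #else
--			if(iport) *iport = pr.rule.rdr.proxy_port[0];
-+			if(iport) *iport = rule.rdr.proxy_port[0];
- 			if(iaddr)
- 			{
- 				/* retrieve internal address */
--				*iaddr = pr.rule.rdr.addr.v.a.addr.v4.s_addr;
-+				*iaddr = rule.rdr.addr.v.a.addr.v4.s_addr;
- 			}
- #endif
- 			if(rhost && rhostlen > 0)
- 			{
- #ifdef PFVAR_NEW_STYLE
--				if (pr.rule.src.addr.v.a.addr.v4addr.s_addr == 0)
-+				if (rule.src.addr.v.a.addr.v4addr.s_addr == 0)
- #else
--				if (pr.rule.src.addr.v.a.addr.v4.s_addr == 0)
-+				if (rule.src.addr.v.a.addr.v4.s_addr == 0)
- #endif
- 					rhost[0] = '\0'; /* empty string */
- 				else
- #ifdef PFVAR_NEW_STYLE
--					inet_ntop(AF_INET, &pr.rule.src.addr.v.a.addr.v4addr.s_addr,
-+					inet_ntop(AF_INET, &rule.src.addr.v.a.addr.v4addr.s_addr,
- 					          rhost, rhostlen);
- #else
--					inet_ntop(AF_INET, &pr.rule.src.addr.v.a.addr.v4.s_addr,
-+					inet_ntop(AF_INET, &rule.src.addr.v.a.addr.v4.s_addr,
- 					          rhost, rhostlen);
- #endif
- 			}
- 			if(check_desc) {
--				if((desc == NULL && pr.rule.label[0] == '\0') ||
--				   (desc && 0 == strcmp(desc, pr.rule.label))) {
-+				if((desc == NULL && rule.label[0][0] == '\0') ||
-+				   (desc && 0 == strcmp(desc, rule.label[0]))) {
- 					r = 1;
- 					break;
- 				}
-@@ -1175,7 +1177,7 @@ priv_delete_filter_rule(const char * ifname, unsigned 
- 	pr.rule.action = PF_PASS;
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0)
- 	{
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	n = pr.nr;
-@@ -1275,6 +1277,7 @@ get_redirect_rule_by_index(int index,
- 	int n, r;
- 	unsigned int tnum;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- #ifndef PF_NEWSTYLE
- 	struct pfioc_pooladdr pp;
- #endif
-@@ -1291,7 +1294,7 @@ get_redirect_rule_by_index(int index,
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0)
- 	{
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	n = pr.nr;
-@@ -1302,36 +1305,36 @@ get_redirect_rule_by_index(int index,
- 	if(index >= n)
- 		goto error;
- 	pr.nr = index;
--	if(ioctl(dev, DIOCGETRULE, &pr) < 0)
-+	if (pfctl_get_rule(dev, index, pr.ticket, pr.anchor, PF_RDR, &rule, pr.anchor_call) != 0)
- 	{
- 		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 		goto error;
- 	}
--	*proto = pr.rule.proto;
-+	*proto = rule.proto;
- #ifdef __APPLE__
--	*eport = ntohs(pr.rule.dst.xport.range.port[0]);
-+	*eport = ntohs(rule.dst.xport.range.port[0]);
- #else
--	*eport = ntohs(pr.rule.dst.port[0]);
-+	*eport = ntohs(rule.dst.port[0]);
- #endif
- #ifndef PF_NEWSTYLE
--	*iport = pr.rule.rpool.proxy_port[0];
-+	*iport = rule.rpool.proxy_port[0];
- #else
--	*iport = pr.rule.rdr.proxy_port[0];
-+	*iport = rule.rdr.proxy_port[0];
- #endif
- 	if(ifname)
--		strlcpy(ifname, pr.rule.ifname, IFNAMSIZ);
-+		strlcpy(ifname, rule.ifname, IFNAMSIZ);
- 	if(desc)
--		strlcpy(desc, pr.rule.label, desclen);
-+		strlcpy(desc, rule.label[0], desclen);
- #ifdef PFRULE_INOUT_COUNTS
- 	if(packets)
--		*packets = pr.rule.packets[0] + pr.rule.packets[1];
-+		*packets = rule.packets[0] + rule.packets[1];
- 	if(bytes)
--		*bytes = pr.rule.bytes[0] + pr.rule.bytes[1];
-+		*bytes = rule.bytes[0] + rule.bytes[1];
- #else
- 	if(packets)
--		*packets = pr.rule.packets;
-+		*packets = rule.packets;
- 	if(bytes)
--		*bytes = pr.rule.bytes;
-+		*bytes = rule.bytes;
- #endif
- #ifndef PF_NEWSTYLE
- 	memset(&pp, 0, sizeof(pp));
-@@ -1363,15 +1366,15 @@ get_redirect_rule_by_index(int index,
- 	          iaddr, iaddrlen);
- #endif
- #else
--	inet_ntop(AF_INET, &pr.rule.rdr.addr.v.a.addr.v4.s_addr,
-+	inet_ntop(AF_INET, &rule.rdr.addr.v.a.addr.v4.s_addr,
- 	          iaddr, iaddrlen);
- #endif
- 	if(rhost && rhostlen > 0)
- 	{
- #ifdef PFVAR_NEW_STYLE
--		if (pr.rule.src.addr.v.a.addr.v4addr.s_addr == 0)
-+		if (rule.src.addr.v.a.addr.v4addr.s_addr == 0)
- #else
--		if (pr.rule.src.addr.v.a.addr.v4.s_addr == 0)
-+		if (rule.src.addr.v.a.addr.v4.s_addr == 0)
- #endif
- 		{
- 			rhost[0] = '\0'; /* empty string */
-@@ -1379,10 +1382,10 @@ get_redirect_rule_by_index(int index,
- 		else
- 		{
- #ifdef PFVAR_NEW_STYLE
--			inet_ntop(AF_INET, &pr.rule.src.addr.v.a.addr.v4addr.s_addr,
-+			inet_ntop(AF_INET, &rule.src.addr.v.a.addr.v4addr.s_addr,
- 			          rhost, rhostlen);
- #else
--			inet_ntop(AF_INET, &pr.rule.src.addr.v.a.addr.v4.s_addr,
-+			inet_ntop(AF_INET, &rule.src.addr.v.a.addr.v4.s_addr,
- 			          rhost, rhostlen);
- #endif
- 		}
-@@ -1406,6 +1409,7 @@ get_portmappings_in_range(unsigned short startport, un
- 	int i, n;
- 	unsigned short eport;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- 
- 	*number = 0;
- 	if(dev<0) {
-@@ -1426,7 +1430,7 @@ get_portmappings_in_range(unsigned short startport, un
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0)
- 	{
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		free(array);
- 		return NULL;
- 	}
-@@ -1437,19 +1441,19 @@ get_portmappings_in_range(unsigned short startport, un
- 	for(i=0; i<n; i++)
- 	{
- 		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0)
-+		if (pfctl_get_rule(dev, i, pr.ticket, pr.anchor, PF_RDR, &rule, pr.anchor_call) != 0)
- 		{
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			continue;
- 		}
- #ifdef __APPLE__
--		eport = ntohs(pr.rule.dst.xport.range.port[0]);
--		if( (eport == ntohs(pr.rule.dst.xport.range.port[1]))
-+		eport = ntohs(rule.dst.xport.range.port[0]);
-+		if( (eport == ntohs(rule.dst.xport.range.port[1]))
- #else
--		eport = ntohs(pr.rule.dst.port[0]);
--		if( (eport == ntohs(pr.rule.dst.port[1]))
-+		eport = ntohs(rule.dst.port[0]);
-+		if( (eport == ntohs(rule.dst.port[1]))
- #endif
--		  && (pr.rule.proto == proto)
-+		  && (rule.proto == proto)
- 		  && (startport <= eport) && (eport <= endport) )
- 		{
- 			if(*number >= capacity)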
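--- a/net/miniupnpd/files/patch-pf_pfpinhole.c
+++ /dev/null
@@ -1,211 +0,0 @@
---- pf/pfpinhole.c.orig	2024-03-19 23:41:25 UTC
-+++ pf/pfpinhole.c
-@@ -28,6 +28,7 @@
- #include <syslog.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <libpfctl.h>
- 
- #include "config.h"
- #include "pfpinhole.h"
-@@ -171,6 +172,7 @@ int find_pinhole(const char * ifname,
- 	unsigned int ts, tnum;
- 	int i, n;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- 	struct in6_addr saddr;
- 	struct in6_addr daddr;
- 	UNUSED(ifname);
-@@ -191,7 +193,7 @@ int find_pinhole(const char * ifname,
- 	pr.rule.action = PF_PASS;
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	n = pr.nr;
-@@ -200,22 +202,22 @@ int find_pinhole(const char * ifname,
- #endif /* PF_RELEASETICKETS */
- 	for(i=0; i<n; i++) {
- 		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0) {
-+		if (pfctl_get_rule(dev, i, pr.ticket, pr.anchor, PF_PASS, &rule, pr.anchor_call) < 0) {
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			release_ticket(dev, tnum);
- 			return -1;
- 		}
--		if((proto == pr.rule.proto) && (rem_port == ntohs(pr.rule.src.port[0]))
--		   && (0 == memcmp(&saddr, &pr.rule.src.addr.v.a.addr.v6, sizeof(struct in6_addr)))
--		   && (int_port == ntohs(pr.rule.dst.port[0])) &&
--		   (0 == memcmp(&daddr, &pr.rule.dst.addr.v.a.addr.v6, sizeof(struct in6_addr)))) {
--			if(sscanf(pr.rule.label, PINEHOLE_LABEL_FORMAT_SKIPDESC, &uid, &ts) != 2) {
--				syslog(LOG_DEBUG, "rule with label '%s' is not a IGD pinhole", pr.rule.label);
-+		if((proto == rule.proto) && (rem_port == ntohs(rule.src.port[0]))
-+		   && (0 == memcmp(&saddr, &rule.src.addr.v.a.addr.v6, sizeof(struct in6_addr)))
-+		   && (int_port == ntohs(rule.dst.port[0])) &&
-+		   (0 == memcmp(&daddr, &rule.dst.addr.v.a.addr.v6, sizeof(struct in6_addr)))) {
-+			if(sscanf(rule.label[0], PINEHOLE_LABEL_FORMAT_SKIPDESC, &uid, &ts) != 2) {
-+				syslog(LOG_DEBUG, "rule with label '%s' is not a IGD pinhole", rule.label[0]);
- 				continue;
- 			}
- 			if(timestamp) *timestamp = ts;
- 			if(desc) {
--				char * p = strchr(pr.rule.label, ':');
-+				char * p = strchr(rule.label[0], ':');
- 				if(p) {
- 					p += 2;
- 					strlcpy(desc, p, desc_len);
-@@ -234,6 +236,7 @@ int delete_pinhole(unsigned short uid)
- 	int i, n;
- 	unsigned int tnum;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- 	char label_start[PF_RULE_LABEL_SIZE];
- 	char tmp_label[PF_RULE_LABEL_SIZE];
- 
-@@ -249,7 +252,7 @@ int delete_pinhole(unsigned short uid)
- 	pr.rule.action = PF_PASS;
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	n = pr.nr;
-@@ -258,11 +261,11 @@ int delete_pinhole(unsigned short uid)
- #endif
- 	for(i=0; i<n; i++) {
- 		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0) {
-+		if (pfctl_get_rule(dev, i, pr.ticket, pr.anchor, PF_PASS, &rule, pr.anchor_call) < 0) {
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			return -1;
- 		}
--		strlcpy(tmp_label, pr.rule.label, sizeof(tmp_label));
-+		strlcpy(tmp_label, rule.label[0], sizeof(tmp_label));
- 		strtok(tmp_label, " ");
- 		if(0 == strcmp(tmp_label, label_start)) {
- 			pr.action = PF_CHANGE_GET_TICKET;
-@@ -298,6 +301,7 @@ get_pinhole_info(unsigned short uid,
- 	int i, n;
- 	unsigned int tnum;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- 	char label_start[PF_RULE_LABEL_SIZE];
- 	char tmp_label[PF_RULE_LABEL_SIZE];
- 	char * p;
-@@ -314,7 +318,7 @@ get_pinhole_info(unsigned short uid,
- 	pr.rule.action = PF_PASS;
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- 	n = pr.nr;
-@@ -323,29 +327,29 @@ get_pinhole_info(unsigned short uid,
- #endif
- 	for(i=0; i<n; i++) {
- 		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0) {
-+		if (pfctl_get_rule(dev, i, pr.ticket, pr.anchor, PF_PASS, &rule, pr.anchor_call) < 0) {
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			release_ticket(dev, tnum);
- 			return -1;
- 		}
--		strlcpy(tmp_label, pr.rule.label, sizeof(tmp_label));
-+		strlcpy(tmp_label, rule.label[0], sizeof(tmp_label));
- 		p = tmp_label;
- 		strsep(&p, " ");
- 		if(0 == strcmp(tmp_label, label_start)) {
--			if(rem_host && (inet_ntop(AF_INET6, &pr.rule.src.addr.v.a.addr.v6, rem_host, rem_hostlen) == NULL)) {
-+			if(rem_host && (inet_ntop(AF_INET6, &rule.src.addr.v.a.addr.v6, rem_host, rem_hostlen) == NULL)) {
- 				release_ticket(dev, tnum);
- 				return -1;
- 			}
- 			if(rem_port)
--				*rem_port = ntohs(pr.rule.src.port[0]);
--			if(int_client && (inet_ntop(AF_INET6, &pr.rule.dst.addr.v.a.addr.v6, int_client, int_clientlen) == NULL)) {
-+				*rem_port = ntohs(rule.src.port[0]);
-+			if(int_client && (inet_ntop(AF_INET6, &rule.dst.addr.v.a.addr.v6, int_client, int_clientlen) == NULL)) {
- 				release_ticket(dev, tnum);
- 				return -1;
- 			}
- 			if(int_port)
--				*int_port = ntohs(pr.rule.dst.port[0]);
-+				*int_port = ntohs(rule.dst.port[0]);
- 			if(proto)
--				*proto = pr.rule.proto;
-+				*proto = rule.proto;
- 			if(timestamp)
- 				sscanf(p, "ts-%u", timestamp);
- 			if(desc) {
-@@ -358,14 +362,14 @@ get_pinhole_info(unsigned short uid,
- 			}
- #ifdef PFRULE_INOUT_COUNTS
- 			if(packets)
--				*packets = pr.rule.packets[0] + pr.rule.packets[1];
-+				*packets = rule.packets[0] + rule.packets[1];
- 			if(bytes)
--				*bytes = pr.rule.bytes[0] + pr.rule.bytes[1];
-+				*bytes = rule.bytes[0] + rule.bytes[1];
- #else
- 			if(packets)
--				*packets = pr.rule.packets;
-+				*packets = rule.packets;
- 			if(bytes)
--				*bytes = pr.rule.bytes;
-+				*bytes = rule.bytes;
- #endif
- 			release_ticket(dev, tnum);
- 			return 0;
-@@ -393,6 +397,7 @@ int clean_pinhole_list(unsigned int * next_timestamp)
- {
- 	int i;
- 	struct pfioc_rule pr;
-+	struct pfctl_rule rule;
- 	time_t current_time;
- 	unsigned int ts, tnum;
- 	int uid;
-@@ -411,7 +416,7 @@ int clean_pinhole_list(unsigned int * next_timestamp)
- 	pr.rule.action = PF_PASS;
- #endif
- 	if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
--		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+		syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 		return -1;
- 	}
- #ifdef PF_RELEASETICKETS
-@@ -419,17 +424,17 @@ int clean_pinhole_list(unsigned int * next_timestamp)
- #endif
- 	for(i = pr.nr - 1; i >= 0; i--) {
- 		pr.nr = i;
--		if(ioctl(dev, DIOCGETRULE, &pr) < 0) {
-+		if (pfctl_get_rule(dev, i, pr.ticket, pr.anchor, PF_PASS, &rule, pr.anchor_call) < 0) {
- 			syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
- 			release_ticket(dev, tnum);
- 			return -1;
- 		}
--		if(sscanf(pr.rule.label, PINEHOLE_LABEL_FORMAT_SKIPDESC, &uid, &ts) != 2) {
--			syslog(LOG_DEBUG, "rule with label '%s' is not a IGD pinhole", pr.rule.label);
-+		if(sscanf(rule.label[0], PINEHOLE_LABEL_FORMAT_SKIPDESC, &uid, &ts) != 2) {
-+			syslog(LOG_DEBUG, "rule with label '%s' is not a IGD pinhole", rule.label[0]);
- 			continue;
- 		}
- 		if(ts <= (unsigned int)current_time) {
--			syslog(LOG_INFO, "removing expired pinhole '%s'", pr.rule.label);
-+			syslog(LOG_INFO, "removing expired pinhole '%s'", rule.label[0]);
- 			pr.action = PF_CHANGE_GET_TICKET;
- 			if(ioctl(dev, DIOCCHANGERULE, &pr) < 0) {
- 				syslog(LOG_ERR, "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: %m");
-@@ -449,7 +454,7 @@ int clean_pinhole_list(unsigned int * next_timestamp)
- #endif
- 			release_ticket(dev, tnum);
- 			if(ioctl(dev, DIOCGETRULES, &pr) < 0) {
--				syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...): %m");
-+				syslog(LOG_ERR, "ioctl(dev, DIOCGETRULES, ...) (%s:%d): %m", __func__, __LINE__);
- 				return -1;
- 			}
- #ifdef PF_RELEASETICKETS
-- 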
