authorSebastian Benoit <benno@cvs.openbsd.org>2017-01-24 10:49:15 +0000
committerSebastian Benoit <benno@cvs.openbsd.org>2017-01-24 10:49:15 +0000
commitad4a012e384bd36a8466869827b9baec9d2dd701 (patch)
tree8b1b1ba025aa2a6155efd45019063c2dfe2e3e1d
parenta37cbcf4850b1fcb832923345aad909bbeba486a (diff)
move the opening of /dev/pf from the parent process to the pfe process
where it is used. Currently pf is opened on every reload, which will no longer be possible in the future with pledged programs that do ioctls. This prepares relayd for that change. ok deraadt@, meinetwegen reyk@
-rw-r--r--usr.sbin/relayd/pfe.c25
-rw-r--r--usr.sbin/relayd/pfe_filter.c33
-rw-r--r--usr.sbin/relayd/relayd.c18
-rw-r--r--usr.sbin/relayd/relayd.h12
4 files changed, 37 insertions, 51 deletions
diff --git a/usr.sbin/relayd/pfe.c b/usr.sbin/relayd/pfe.c
index 012b49f24e8..df80dd97d4e 100644
--- a/usr.sbin/relayd/pfe.c
+++ b/usr.sbin/relayd/pfe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfe.c,v 1.87 2016/09/02 16:14:09 reyk Exp $ */
+/* $OpenBSD: pfe.c,v 1.88 2017/01/24 10:49:14 benno Exp $ */
/*
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -18,10 +18,15 @@
#include <sys/types.h>
#include <sys/queue.h>
+#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <net/pfvar.h>
#include <event.h>
+#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -51,8 +56,25 @@ static struct privsep_proc procs[] = {
void
pfe(struct privsep *ps, struct privsep_proc *p)
{
+ int s;
+ struct pf_status status;
+
env = ps->ps_env;
+ if ((s = open(PF_SOCKET, O_RDWR)) == -1) {
+ fatal("%s: cannot open pf socket", __func__);
+ }
+ if (env->sc_pf == NULL) {
+ if ((env->sc_pf = calloc(1, sizeof(*(env->sc_pf)))) == NULL)
+ fatal("calloc");
+ env->sc_pf->dev = s;
+ }
+ if (ioctl(env->sc_pf->dev, DIOCGETSTATUS, &status) == -1)
+ fatal("init_filter: DIOCGETSTATUS");
+ if (!status.running)
+ fatalx("init_filter: pf is disabled");
+ log_debug("%s: filter init done", __func__);
+
proc_run(ps, p, procs, nitems(procs), pfe_init, NULL);
}
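Review bot: The open of PF_SOCKET and the DIOCGETSTATUS/`status.running` check in pfe() now run unconditionally, whereas the init_filter() this replaces (removed in pfe_filter.c) returned early when `F_NEEDPF` was not set, so a configuration that never touches pf now dies with "pf is disabled" at start-up. The configuration has not arrived yet when pfe() runs (IMSG_CFG_DONE is handled later in pfe_dispatch_parent), so the gate presumably cannot simply be moved here; if requiring pf to be enabled is the intended new contract, state it in a comment above the open, e.g. `/* pf is opened before the config arrives, so it must be enabled even if unused */`, and in relayd(8). Separately, the two fatal messages still carry the `init_filter:` prefix of the removed function; `fatal("%s: DIOCGETSTATUS", __func__)` and `fatalx("%s: pf is disabled", __func__)` match the style of the first message. When `env->sc_pf` is already non-NULL the freshly opened `s` is neither stored nor closed — at this point in process start-up that is probably unreachable, but an explicit `close(s)` in an else branch would make the intent clear.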
@@ -203,7 +225,6 @@ pfe_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
break;
case IMSG_CFG_DONE:
config_getcfg(env, imsg);
- init_filter(env, imsg->fd);
init_tables(env);
snmp_init(env, PROC_PARENT);
break;
diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c
index add0bf8b4d9..2dd2ddbfd36 100644
--- a/usr.sbin/relayd/pfe_filter.c
+++ b/usr.sbin/relayd/pfe_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfe_filter.c,v 1.60 2016/09/02 14:45:51 reyk Exp $ */
+/* $OpenBSD: pfe_filter.c,v 1.61 2017/01/24 10:49:14 benno Exp $ */
/*
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -39,43 +39,12 @@
#include "relayd.h"
-struct pfdata {
- int dev;
- struct pf_anchor *anchor;
- struct pfioc_trans pft;
- struct pfioc_trans_e pfte;
- u_int8_t pfused;
-};
-
int transaction_init(struct relayd *, const char *);
int transaction_commit(struct relayd *);
void kill_tables(struct relayd *);
int kill_srcnodes(struct relayd *, struct table *);
void
-init_filter(struct relayd *env, int s)
-{
- struct pf_status status;
-
- if (!(env->sc_conf.flags & F_NEEDPF))
- return;
-
- if (s == -1)
- fatalx("init_filter: invalid socket");
- if (env->sc_pf == NULL) {
- if ((env->sc_pf = calloc(1, sizeof(*(env->sc_pf)))) == NULL)
- fatal("calloc");
- } else
- close(env->sc_pf->dev);
- env->sc_pf->dev = s;
- if (ioctl(env->sc_pf->dev, DIOCGETSTATUS, &status) == -1)
- fatal("init_filter: DIOCGETSTATUS");
- if (!status.running)
- fatalx("init_filter: pf is disabled");
- log_debug("%s: filter init done", __func__);
-}
-
-void
init_tables(struct relayd *env)
{
int i;
diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c
index 3a66500e60c..2730f9f2902 100644
--- a/usr.sbin/relayd/relayd.c
+++ b/usr.sbin/relayd/relayd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.c,v 1.164 2017/01/09 14:49:21 reyk Exp $ */
+/* $OpenBSD: relayd.c,v 1.165 2017/01/24 10:49:14 benno Exp $ */
/*
* Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -279,7 +279,7 @@ parent_configure(struct relayd *env)
struct protocol *proto;
struct relay *rlay;
int id;
- int s, ret = -1;
+ int ret = -1;
TAILQ_FOREACH(tb, env->sc_tables, entry)
config_settable(env, tb);
@@ -308,24 +308,12 @@ parent_configure(struct relayd *env)
for (id = 0; id < PROC_MAX; id++) {
if (id == privsep_process)
continue;
-
- if ((env->sc_conf.flags & F_NEEDPF) && id == PROC_PFE) {
- /* Send pf socket to the pf engine */
- if ((s = open(PF_SOCKET, O_RDWR)) == -1) {
- log_debug("%s: cannot open pf socket",
- __func__);
- goto done;
- }
- } else
- s = -1;
-
proc_compose_imsg(env->sc_ps, id, -1, IMSG_CFG_DONE, -1,
- s, &env->sc_conf, sizeof(env->sc_conf));
+ -1, &env->sc_conf, sizeof(env->sc_conf));
}
ret = 0;
- done:
config_purge(env, CONFIG_ALL & ~CONFIG_RELAYS);
return (ret);
}
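Review bot: With the `goto done` error path removed, `ret` is initialized to -1 at the top of parent_configure (outside this hunk) and then unconditionally set to 0 before the only return, so the -1 is dead and the variable no longer earns its keep; either finish with `return (0);` after config_purge and drop `ret`, or keep it and add a comment noting that the function can no longer fail here. Since the fd argument to proc_compose_imsg is now always -1, the `id == PROC_PFE` special case is gone too, which is fine but worth a one-line comment such as `/* pfe opens /dev/pf itself; no fd is passed along */` so the next reader does not look for it.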
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 1a438bbc0c8..6fb8186ff7c 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.237 2017/01/09 14:49:21 reyk Exp $ */
+/* $OpenBSD: relayd.h,v 1.238 2017/01/24 10:49:14 benno Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -28,6 +28,7 @@
#include <sys/time.h>
#include <net/if.h>
+#include <net/pfvar.h>
#include <stdarg.h>
#include <limits.h>
@@ -1050,6 +1051,14 @@ struct relayd_config {
u_int32_t flags;
};
+struct pfdata {
+ int dev;
+ struct pf_anchor *anchor;
+ struct pfioc_trans pft;
+ struct pfioc_trans_e pfte;
+ u_int8_t pfused;
+};
+
struct relayd {
struct relayd_config sc_conf;
const char *sc_conffile;
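Review bot: `struct pfdata` moves into the shared header with no comment on who owns the `dev` descriptor, which matters now that this commit makes the pfe process the only one to open /dev/pf (see pfe() in pfe.c) while the struct is reachable through `struct relayd` in every process. A short ownership note above the struct would keep the parent and relay processes from reaching for `dev`: `/* pf(4) state. dev is opened and used only by the pfe process (pfe.c). */`. The pft/pfte transaction fields are presumably filled by transaction_init()/transaction_commit() in pfe_filter.c; confirm and mention that as well if so.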
@@ -1142,7 +1151,6 @@ int disable_table(struct ctl_conn *, struct ctl_id *);
int disable_host(struct ctl_conn *, struct ctl_id *, struct host *);
/* pfe_filter.c */
-void init_filter(struct relayd *, int);
void init_tables(struct relayd *);
void flush_table(struct relayd *, struct rdr *);
void sync_table(struct relayd *, struct rdr *, struct table *);