Updated to OpenBSD 7.4

CHANGELOG.md

@@ -1,3 +1,8 @@
+Dec 22, 2023 -- version 0.2.3
+-----------------------------
+- Updated to OpenBSD 7.4
+
+
 Mar 12, 2022 -- version 0.2.2
 -----------------------------
 - Switching to Python 3 on the main branch

pf/_struct.py

@@ -277,7 +277,6 @@ class pf_threshold(Structure):          # From /usr/include/net/pfvar.h
 class divert(Structure):                # From /usr/include/net/pfvar.h
     _fields_ = [("addr",              pf_addr),
                 ("port",              c_uint16),
-                ("rdomain",           c_uint16),
                 ("type",              c_uint8)]
 
 
@@ -348,8 +347,8 @@ class _conn_rate(Structure):
                 ("keep_state",        c_uint8),
                 ("af",                c_uint8),       # sa_family_t
                 ("proto",             c_uint8),
-                ("type",              c_uint8),
-                ("code",              c_uint8),
+                ("type",              c_uint16),
+                ("code",              c_uint16),
                 ("flags",             c_uint8),
                 ("flagset",           c_uint8),
                 ("min_ttl",           c_uint8),
@@ -365,10 +364,7 @@ class _conn_rate(Structure):
                 ("set_prio",          c_uint8 * 2),
                 ("naf",               c_uint8),       # sa_family_t
                 ("rcvifnot",          c_uint8),
-                ("pad",               c_uint8 * 2),
                 ("divert",            divert),
-                ("gcle",              c_void_p),      # SLIST_ENTRY(pf_rule)
-                ("ruleset",           c_void_p),      # struct pf_ruleset *
                 ("exptime",           c_int64)]       # time_t
 
 
@@ -463,6 +459,7 @@ class _RB_ENTRY(Structure):
                 ("pfik_rules",        c_int),
                 ("pfik_routes",       c_int),
                 ("pfik_srcnodes",     c_int),
+                ("pfik_flagrefs",     c_int),
                 ("pfik_dynaddrs",     c_void_p * 2)]  # TAILQ_HEAD(,pfi_dynaddr)
 
 

pf/constants.py

@@ -24,15 +24,21 @@
 PF_TRANS_TABLE          = 1
 
 # PF rule flags (from /usr/include/net/pfvar.h)
-PFRULE_DROP             = 0x0000
-PFRULE_RETURNRST        = 0x0001
-PFRULE_FRAGMENT         = 0x0002
-PFRULE_RETURNICMP       = 0x0004
-PFRULE_RETURN           = 0x0008
-PFRULE_NOSYNC           = 0x0010
-PFRULE_SRCTRACK         = 0x0020
-PFRULE_RULESRCTRACK     = 0x0040
-PFRULE_SETDELAY         = 0x0080
+PFRULE_DROP             = 0x000000
+PFRULE_RETURNRST        = 0x000001
+PFRULE_FRAGMENT         = 0x000002
+PFRULE_RETURNICMP       = 0x000004
+PFRULE_RETURN           = 0x000008
+PFRULE_NOSYNC           = 0x000010
+PFRULE_SRCTRACK         = 0x000020
+PFRULE_RULESRCTRACK     = 0x000040
+PFRULE_SETDELAY         = 0x000080
+PFRULE_IFBOUND          = 0x010000
+PFRULE_STATESLOPPY      = 0x020000
+PFRULE_PFLOW            = 0x040000
+PFRULE_ONCE             = 0x100000
+PFRULE_AFTO             = 0x200000
+PFRULE_EXPIRED          = 0x400000
 
 # PF rule flags (from /usr/include/net/pfvar.h)
 PFRULE_IFBOUND          = 0x00010000

pf/filter.py

@@ -284,25 +284,28 @@ def get_optimization(self):
             if val["tcp.first"] == tm["tcp.first"]:
                 return name
 
-    def get_ifaces(self, ifname=""):
+    def get_ifaces(self, ifname="", size=8):
         """Get the list of interfaces and interface drivers known to pf.
 
         Return a tuple of PFIface objects or a single PFIface object if a
         specific 'ifname' is specified.
         """
         pi = pfioc_iface(pfiio_name=ifname.encode(),
-                         pfiio_esize=sizeof(pfi_kif))
+                         pfiio_esize=sizeof(pfi_kif),
+                         pfiio_size=size+1)
 
         with open(self.dev, 'w') as d:
-            ioctl(d, DIOCIGETIFACES, pi)
             buf = (pfi_kif * pi.pfiio_size)()
             pi.pfiio_buffer = addressof(buf)
             ioctl(d, DIOCIGETIFACES, pi)
 
-        if ifname and len(buf) == 1:
+        if ifname:
             return PFIface(buf[0])
         else:
-            return tuple(map(PFIface, buf))
+            ifaces = tuple(i for i in map(PFIface, buf) if i.name)
+            if len(ifaces) == size:
+                return self.get_ifaces(ifname, size*2)
+            return ifaces
 
     def set_ifflags(self, ifname, flags):
         """Set the user setable 'flags' on the interface 'ifname'."""
@@ -370,7 +373,7 @@ def get_states(self):
         with open(self.dev, 'w') as d:
             while True:
                 if l:
-                    ps_states = (pfsync_state * (l / sizeof(pfsync_state)))()
+                    ps_states = (pfsync_state * int(l / sizeof(pfsync_state)))()
                     ps.ps_buf = addressof(ps_states)
                     ps.ps_len = l
                 ioctl(d, DIOCGETSTATES, ps)
@@ -380,7 +383,7 @@ def get_states(self):
                     break
                 l = (ps.ps_len * 2)
 
-        ps_num = (ps.ps_len / sizeof(pfsync_state))
+        ps_num = int(ps.ps_len / sizeof(pfsync_state))
         return tuple([PFState(s) for s in ps_states[:ps_num]])
 
     def clear_states(self, ifname=""):

pf/rule.py

@@ -858,6 +858,9 @@ def _to_string(self):
                       "nat-anchor", "binat-anchor", "binat-anchor",
                       "rdr-anchor", "rdr-anchor")
 
+        if self.rule_flag & PFRULE_EXPIRED:
+            return ""
+
         if self.action > PF_MATCH:
             s = "action({.action})".format(self)
         elif isinstance(self, PFRuleset):
@@ -1000,7 +1003,7 @@ def _to_string(self):
         if (self.max_states or self.max_src_nodes or self.max_src_states)  or \
            self.rule_flag & (PFRULE_NOSYNC|PFRULE_SRCTRACK|PFRULE_IFBOUND) or \
            self.rule_flag & (PFRULE_STATESLOPPY|PFRULE_PFLOW)              or \
-           filter(None, self.timeout):
+           any(self.timeout):
             has_opts = True
 
         if not self.keep_state and self.action == PF_PASS and \

pf/state.py

@@ -57,7 +57,7 @@ def _from_struct(self, k):
 
 
         a[0].v.a.addr, a[1].v.a.addr = k.addr
-        mask = '\xff' * {AF_INET: 4, AF_INET6: 16}[self.af]
+        mask = b'\xff' * {AF_INET: 4, AF_INET6: 16}[self.af]
         memmove(a[0].v.a.mask.v6, c_char_p(mask), len(mask))
         memmove(a[1].v.a.mask.v6, c_char_p(mask), len(mask))
 
@@ -78,7 +78,7 @@ def __init__(self, state):
     def _from_struct(self, s):
         """Initialize class attributes from a pfsync_state structure."""
         self.id              = unpack("Q", pack(">Q", s.id))[0]
-        self.ifname          = s.ifname
+        self.ifname          = s.ifname.decode()
 
         a                    = pf_addr_wrap()
         a.v.a.addr           = s.rt_addr

pf/status.py

@@ -164,7 +164,7 @@ def __init__(self, iface):
 
     def _from_struct(self, i):
         """Initialize class attributes from a pfi_kif structure."""
-        self.name      = i.pfik_name
+        self.name      = i.pfik_name.decode()
         self.packets   = {'in':  ((i.pfik_packets[0][0][PF_PASS],
                                    i.pfik_packets[1][0][PF_PASS]),
                                   (i.pfik_packets[0][0][PF_DROP],

pf/tests/test_filter.py

@@ -86,7 +86,7 @@ def test_set_status_if(self):
 
     def test_clear_status(self):
         self.pf.clear_status()
-        self.assertGreaterEqual(self.pf.get_status().since, pf._utils.uptime())
+        self.assertGreaterEqual(pf._utils.uptime(), self.pf.get_status().since)
 
     def __test_clear_states(self):
         self.pf.clear_rules()

setup.py

@@ -16,8 +16,8 @@
 
 
 __author__ = "Daniele Mazzocchio <danix@kernel-panic.it>"
-__version__ = "0.2.2"
-__date__    = "Mar 12, 2022"
+__version__ = "0.2.3"
+__date__    = "Dec 22, 2023"
 
 
 setup(name         = "py-pf",