UnivNautes

/*

        Copyright (C) 2010 Ermal Lu?i

        All rights reserved.

        Redistribution and use in source and binary forms, with or without

        modification, are permitted provided that the following conditions are met:

        1. Redistributions of source code must retain the above copyright notice,

           this list of conditions and the following disclaimer.

        2. Redistributions in binary form must reproduce the above copyright

           notice, this list of conditions and the following disclaimer in the

           documentation and/or other materials provided with the distribution.

        THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,

        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

        AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

        AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

        OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

        SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

        INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

        CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

        ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

        POSSIBILITY OF SUCH DAMAGE.

*/

/*

Functions copied from util.c and modem.c of mpd5 source are protected by

this copyright.

They are ExclusiveOpenDevice/ExclusiveCloseDevice and

OpenSerialDevice.

Copyright (c) 1995-1999 Whistle Communications, Inc. All rights reserved.

Subject to the following obligations and disclaimer of warranty,

use and redistribution of this software, in source or object code

forms, with or without modifications are expressly permitted by

Whistle Communications; provided, however, that:   (i) any and

all reproductions of the source or object code must include the

copyright notice above and the following disclaimer of warranties;

and (ii) no rights are granted, in any manner or form, to use

Whistle Communications, Inc. trademarks, including the mark "WHISTLE

COMMUNICATIONS" on advertising, endorsements, or otherwise except

as such appears in the above copyright notice or in the software.

THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS "AS IS",

AND TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS

MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED,

REGARDING THIS SOFTWARE, INCLUDING WITHOUT LIMITATION, ANY AND

ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR

PURPOSE, OR NON-INFRINGEMENT.  WHISTLE COMMUNICATIONS DOES NOT

WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE

OF, OR THE RESULTS OF THE USE OF THIS SOFTWARE IN TERMS OF ITS

CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE.  IN NO EVENT

SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES RESULTING

FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING WITHOUT

LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE

GOODS OR SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED

AND UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN

ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS

IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

*/

#define IS_EXT_MODULE

#ifdef HAVE_CONFIG_H

#include "config.h"

#endif

#include "php.h"

#include "php_ini.h"

#include "php_pfSense.h"

#include <sys/types.h>

#include <sys/socket.h>

#include <ifaddrs.h>

#include <net/ethernet.h>

#include <net/if_types.h>

#include <net/if.h>

#include <net/if_var.h>

#include <net/if_vlan_var.h>

#include <net/if_dl.h>

#include <net/if_mib.h>

#include <net/if_bridgevar.h>

#include <netinet/in.h>

#include <netinet/in_var.h>

#include <net/pfvar.h>

#include <net/route.h>

#include <netinet/ip_fw.h>

#include <sys/ioctl.h>

#include <sys/sysctl.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <net/ethernet.h>

#include <netinet/if_ether.h>

#include <netgraph/ng_message.h>

#include <netgraph/ng_ether.h>

#include <netinet/ip_fw.h>

#include <vm/vm_param.h>

#include <fcntl.h>

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <strings.h>

#include <glob.h>

#include <termios.h>

#include <poll.h>

#include <netgraph.h>

#include <netdb.h>

int pfSense_dhcpd;

ZEND_DECLARE_MODULE_GLOBALS(pfSense)

static zend_function_entry pfSense_functions[] = {

    PHP_FE(pfSense_get_interface_info, NULL)

    PHP_FE(pfSense_get_interface_addresses, NULL)

    PHP_FE(pfSense_getall_interface_addresses, NULL)

    PHP_FE(pfSense_get_interface_stats, NULL)

    PHP_FE(pfSense_get_pf_stats, NULL)

    PHP_FE(pfSense_get_os_hw_data, NULL)

    PHP_FE(pfSense_get_os_kern_data, NULL)

    PHP_FE(pfSense_vlan_create, NULL)

    PHP_FE(pfSense_interface_rename, NULL)

    PHP_FE(pfSense_interface_mtu, NULL)

    PHP_FE(pfSense_bridge_add_member, NULL)

    PHP_FE(pfSense_bridge_del_member, NULL)

    PHP_FE(pfSense_bridge_member_flags, NULL)

    PHP_FE(pfSense_interface_listget, NULL)

    PHP_FE(pfSense_interface_create, NULL)

    PHP_FE(pfSense_interface_destroy, NULL)

    PHP_FE(pfSense_interface_flags, NULL)

    PHP_FE(pfSense_interface_capabilities, NULL)

    PHP_FE(pfSense_interface_setaddress, NULL)

    PHP_FE(pfSense_interface_deladdress, NULL)

    PHP_FE(pfSense_ngctl_name, NULL)

    PHP_FE(pfSense_ngctl_attach, NULL)

    PHP_FE(pfSense_ngctl_detach, NULL)

    PHP_FE(pfSense_get_modem_devices, NULL)

    PHP_FE(pfSense_sync, NULL)

    PHP_FE(pfSense_kill_states, NULL)

    PHP_FE(pfSense_kill_srcstates, NULL)

    PHP_FE(pfSense_ip_to_mac, NULL)

#ifdef DHCP_INTEGRATION

    PHP_FE(pfSense_open_dhcpd, NULL)

    PHP_FE(pfSense_close_dhcpd, NULL)

    PHP_FE(pfSense_register_lease, NULL)

    PHP_FE(pfSense_delete_lease, NULL)

#endif

#ifdef IPFW_FUNCTIONS

   PHP_FE(pfSense_ipfw_getTablestats, NULL)

   PHP_FE(pfSense_ipfw_Tableaction, NULL)

   PHP_FE(pfSense_pipe_action, NULL)

#endif

    {NULL, NULL, NULL}

};

zend_module_entry pfSense_module_entry = {

#if ZEND_MODULE_API_NO >= 20010901

    STANDARD_MODULE_HEADER,

#endif

    PHP_PFSENSE_WORLD_EXTNAME,

    pfSense_functions,

    PHP_MINIT(pfSense_socket),

    PHP_MSHUTDOWN(pfSense_socket_close),

    NULL,

    NULL,

    NULL,

#if ZEND_MODULE_API_NO >= 20010901

    PHP_PFSENSE_WORLD_VERSION,

#endif

    STANDARD_MODULE_PROPERTIES

};

#ifdef COMPILE_DL_PFSENSE

ZEND_GET_MODULE(pfSense)

#endif

#ifdef DHCP_INTEGRATION

static void

php_pfSense_destroy_dhcpd(zend_rsrc_list_entry *rsrc TSRMLS_DC)

{

	omapi_data *conn = (omapi_data *)rsrc->ptr;

	if (conn)

		efree(conn);

}

#endif

/* interface management code */

static int

pfi_get_ifaces(int dev, const char *filter, struct pfi_kif *buf, int *size)

{

	struct pfioc_iface io;

	caddr_t buff[sizeof(struct pfi_kif) + 1] = { 0 };

	bzero(&io, sizeof io);

	if (filter != NULL)

		if (strlcpy(io.pfiio_name, filter, sizeof(io.pfiio_name)) >=

		    sizeof(io.pfiio_name)) {

			errno = EINVAL;

			return (-1);

		}

	io.pfiio_buffer = buf;

	io.pfiio_esize = sizeof(struct pfi_kif);

	io.pfiio_size = *size;

	if (ioctl(dev, DIOCIGETIFACES, &io))

		return (-1);

	*size = io.pfiio_size;

	return (0);

}

/* returns prefixlen, obtained from sbin/ifconfig/af_inet6.c */

static int

prefix(void *val, int size)

{

	u_char *name = (u_char *)val;

	int byte, bit, plen = 0;

	for (byte = 0; byte < size; byte++, plen += 8)

		if (name[byte] != 0xff)

			break;

	if (byte == size)

		return (plen);

	for (bit = 7; bit != 0; bit--, plen++)

		if (!(name[byte] & (1 << bit)))

			break;

	for (; bit != 0; bit--)

		if (name[byte] & (1 << bit))

			return(0);

	byte++;

	for (; byte < size; byte++)

		if (name[byte])

			return(0);

	return (plen);

}

PHP_MINIT_FUNCTION(pfSense_socket)

{

	int csock;

	PFSENSE_G(s) = socket(AF_LOCAL, SOCK_DGRAM, 0);

	if (PFSENSE_G(s) < 0)

		return FAILURE;

	PFSENSE_G(inets) = socket(AF_INET, SOCK_DGRAM, 0);

	if (PFSENSE_G(inets) < 0) {

		close(PFSENSE_G(s));

		return FAILURE;

	}

	if (geteuid() == 0 || getuid() == 0) {

#ifdef IPFW_FUNCTIONS

		PFSENSE_G(ipfw) = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

		if (PFSENSE_G(ipfw) < 0) {

			close(PFSENSE_G(s));

			close(PFSENSE_G(inets));

			return FAILURE;

		} else

			fcntl(PFSENSE_G(ipfw), F_SETFD, fcntl(PFSENSE_G(ipfw), F_GETFD, 0) | FD_CLOEXEC);

#endif

		/* Create a new socket node */

		if (NgMkSockNode(NULL, &csock, NULL) < 0)

			csock = -1;

		else

			fcntl(csock, F_SETFD, fcntl(csock, F_GETFD, 0) | FD_CLOEXEC);

		PFSENSE_G(csock) = csock;

#ifdef DHCP_INTEGRATION

		pfSense_dhcpd = zend_register_list_destructors_ex(php_pfSense_destroy_dhcpd, NULL, PHP_PFSENSE_RES_NAME, module_number);

		dhcpctl_initialize();

		omapi_init();

#endif

	} else

		PFSENSE_G(csock) = -1;

	/* Don't leak these sockets to child processes */

	fcntl(PFSENSE_G(s), F_SETFD, fcntl(PFSENSE_G(s), F_GETFD, 0) | FD_CLOEXEC);

	fcntl(PFSENSE_G(inets), F_SETFD, fcntl(PFSENSE_G(inets), F_GETFD, 0) | FD_CLOEXEC);

	REGISTER_LONG_CONSTANT("IFF_UP", IFF_UP, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFF_LINK0", IFF_LINK0, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFF_LINK1", IFF_LINK1, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFF_LINK2", IFF_LINK2, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFF_NOARP", IFF_NOARP, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFF_STATICARP", IFF_STATICARP, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_RXCSUM", IFCAP_RXCSUM, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_TXCSUM", IFCAP_TXCSUM, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_POLLING", IFCAP_POLLING, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_TSO", IFCAP_TSO, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_LRO", IFCAP_LRO, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_WOL", IFCAP_WOL, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_WOL_UCAST", IFCAP_WOL_UCAST, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_WOL_MCAST", IFCAP_WOL_MCAST, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_WOL_MAGIC", IFCAP_WOL_MAGIC, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_VLAN_HWTAGGING", IFCAP_VLAN_HWTAGGING, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_VLAN_MTU", IFCAP_VLAN_MTU, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFCAP_VLAN_HWFILTER", IFCAP_VLAN_HWFILTER, CONST_PERSISTENT | CONST_CS);

#ifdef IFCAP_VLAN_HWCSUM

	REGISTER_LONG_CONSTANT("IFCAP_VLAN_HWCSUM", IFCAP_VLAN_HWCSUM, CONST_PERSISTENT | CONST_CS);

#endif

#ifdef IFCAP_VLAN_HWTSO

	REGISTER_LONG_CONSTANT("IFCAP_VLAN_HWTSO", IFCAP_VLAN_HWTSO, CONST_PERSISTENT | CONST_CS);

#endif

	REGISTER_LONG_CONSTANT("IFBIF_LEARNING", IFBIF_LEARNING, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_DISCOVER", IFBIF_DISCOVER, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_STP", IFBIF_STP, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_SPAN", IFBIF_SPAN, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_STICKY", IFBIF_STICKY, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_BSTP_EDGE", IFBIF_BSTP_EDGE, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_BSTP_AUTOEDGE", IFBIF_BSTP_AUTOEDGE, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_BSTP_PTP", IFBIF_BSTP_PTP, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_BSTP_AUTOPTP", IFBIF_BSTP_AUTOPTP, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_BSTP_ADMEDGE", IFBIF_BSTP_ADMEDGE, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_BSTP_ADMCOST", IFBIF_BSTP_ADMCOST, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IFBIF_PRIVATE", IFBIF_PRIVATE, CONST_PERSISTENT | CONST_CS);

#ifdef IPFW_FUNCTIONS

#if (__FreeBSD_version >= 1000000)

	REGISTER_LONG_CONSTANT("IP_FW_TABLE_XADD", IP_FW_TABLE_XADD, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IP_FW_TABLE_XDEL", IP_FW_TABLE_XDEL, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IP_FW_TABLE_XZEROENTRY", IP_FW_TABLE_XZEROENTRY, CONST_PERSISTENT | CONST_CS);

#else

	REGISTER_LONG_CONSTANT("IP_FW_TABLE_ADD", IP_FW_TABLE_ADD, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IP_FW_TABLE_DEL", IP_FW_TABLE_DEL, CONST_PERSISTENT | CONST_CS);

	REGISTER_LONG_CONSTANT("IP_FW_TABLE_ZERO_ENTRY_STATS", IP_FW_TABLE_ZERO_ENTRY_STATS, CONST_PERSISTENT | CONST_CS);

#endif

#endif

	return SUCCESS;

}

PHP_MSHUTDOWN_FUNCTION(pfSense_socket_close)

{

	if (PFSENSE_G(csock) != -1)

		close(PFSENSE_G(csock));

	if (PFSENSE_G(inets) != -1)

		close(PFSENSE_G(inets));

	if (PFSENSE_G(s) != -1)

		close(PFSENSE_G(s));

	return SUCCESS;

}

static int

pfctl_addrprefix(char *addr, struct pf_addr *mask)

{

	char *p;

	const char *errstr;

	int prefix, ret_ga, q, r;

	struct addrinfo hints, *res;

	if ((p = strchr(addr, '/')) == NULL)

		return 0;

	*p++ = '\0';

	prefix = strtonum(p, 0, 128, &errstr);

	if (errstr) {

		php_printf("prefix is %s: %s", errstr, p);

		return (-1);

	}

	bzero(&hints, sizeof(hints));

	/* prefix only with numeric addresses */

	hints.ai_flags |= AI_NUMERICHOST;

	if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) {

		php_printf("getaddrinfo: %s", gai_strerror(ret_ga));

		return (-1);

		/* NOTREACHED */

	}

	if (res->ai_family == AF_INET && prefix > 32) {

		php_printf("prefix too long for AF_INET");

		return (-1);

	} else if (res->ai_family == AF_INET6 && prefix > 128) {

		php_printf("prefix too long for AF_INET6");

		return (-1);

	}

	q = prefix >> 3;

	r = prefix & 7;

	switch (res->ai_family) {

	case AF_INET:

		bzero(&mask->v4, sizeof(mask->v4));

		mask->v4.s_addr = htonl((u_int32_t)

		    (0xffffffffffULL << (32 - prefix)));

		break;

	case AF_INET6:

		bzero(&mask->v6, sizeof(mask->v6));

		if (q > 0)

			memset((void *)&mask->v6, 0xff, q);

		if (r > 0)

			*((u_char *)&mask->v6 + q) =

			    (0xff00 >> r) & 0xff;

		break;

	}

	freeaddrinfo(res);

	return (0);

}

PHP_FUNCTION(pfSense_kill_srcstates)

{

	struct pfioc_src_node_kill psnk;

	struct addrinfo *res[2], *resp[2];

	struct sockaddr last_src, last_dst;

	int killed, sources, dests;

	int ret_ga;

        int dev;

	char *ip1 = NULL, *ip2 = NULL;

	int ip1_len = 0, ip2_len = 0;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &ip1, &ip1_len, &ip2, &ip2_len) == FAILURE) {

		RETURN_NULL();

	}

	if ((dev = open("/dev/pf", O_RDWR)) < 0)

		RETURN_NULL();

	killed = sources = dests = 0;

	memset(&psnk, 0, sizeof(psnk));

	memset(&psnk.psnk_src.addr.v.a.mask, 0xff,

	    sizeof(psnk.psnk_src.addr.v.a.mask));

	memset(&last_src, 0xff, sizeof(last_src));

	memset(&last_dst, 0xff, sizeof(last_dst));

	pfctl_addrprefix(ip1, &psnk.psnk_src.addr.v.a.mask);

	if ((ret_ga = getaddrinfo(ip1, NULL, NULL, &res[0]))) {

		php_printf("getaddrinfo: %s", gai_strerror(ret_ga));

		RETURN_NULL();

		/* NOTREACHED */

	}

	for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {

		if (resp[0]->ai_addr == NULL)

			continue;

		/* We get lots of duplicates.  Catch the easy ones */

		if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)

			continue;

		last_src = *(struct sockaddr *)resp[0]->ai_addr;

		psnk.psnk_af = resp[0]->ai_family;

		sources++;

		if (psnk.psnk_af == AF_INET)

			psnk.psnk_src.addr.v.a.addr.v4 =

			    ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;

		else if (psnk.psnk_af == AF_INET6)

			psnk.psnk_src.addr.v.a.addr.v6 =

			    ((struct sockaddr_in6 *)resp[0]->ai_addr)->

			    sin6_addr;

		else {

			php_printf("Unknown address family %d", psnk.psnk_af);

			continue;

		}

		if (ip2 != NULL) {

			dests = 0;

			memset(&psnk.psnk_dst.addr.v.a.mask, 0xff,

			    sizeof(psnk.psnk_dst.addr.v.a.mask));

			memset(&last_dst, 0xff, sizeof(last_dst));

			pfctl_addrprefix(ip2,

			    &psnk.psnk_dst.addr.v.a.mask);

			if ((ret_ga = getaddrinfo(ip2, NULL, NULL,

			    &res[1]))) {

				php_printf("getaddrinfo: %s", gai_strerror(ret_ga));

				break;

			}

			for (resp[1] = res[1]; resp[1];

			    resp[1] = resp[1]->ai_next) {

				if (resp[1]->ai_addr == NULL)

					continue;

				if (psnk.psnk_af != resp[1]->ai_family)

					continue;

				if (memcmp(&last_dst, resp[1]->ai_addr,

				    sizeof(last_dst)) == 0)

					continue;

				last_dst = *(struct sockaddr *)resp[1]->ai_addr;

				dests++;

				if (psnk.psnk_af == AF_INET)

					psnk.psnk_dst.addr.v.a.addr.v4 =

					    ((struct sockaddr_in *)resp[1]->

					    ai_addr)->sin_addr;

				else if (psnk.psnk_af == AF_INET6)

					psnk.psnk_dst.addr.v.a.addr.v6 =

					    ((struct sockaddr_in6 *)resp[1]->

					    ai_addr)->sin6_addr;

				else {

					php_printf("Unknown address family %d",

					    psnk.psnk_af);

					continue;

				}

				if (ioctl(dev, DIOCKILLSRCNODES, &psnk))

					php_printf("DIOCKILLSRCNODES");

				killed += psnk.psnk_af;

				/* fixup psnk.psnk_af */

				psnk.psnk_af = resp[1]->ai_family;

			}

			freeaddrinfo(res[1]);

		} else {

			if (ioctl(dev, DIOCKILLSRCNODES, &psnk)) {

				php_printf("DIOCKILLSRCNODES");

				break;

			}

			killed += psnk.psnk_af;

			/* fixup psnk.psnk_af */

			psnk.psnk_af = res[0]->ai_family;

		}

	}

	freeaddrinfo(res[0]);

	RETURN_TRUE;

}

PHP_FUNCTION(pfSense_kill_states)

{

	struct pfioc_state_kill psk;

	struct addrinfo *res[2], *resp[2];

	struct sockaddr last_src, last_dst;

	int killed, sources, dests;

	int ret_ga;

	int dev;

	char *ip1 = NULL, *ip2 = NULL;

	int ip1_len = 0, ip2_len = 0;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &ip1, &ip1_len, &ip2, &ip2_len) == FAILURE) {

		RETURN_NULL();

	}

	if ((dev = open("/dev/pf", O_RDWR)) < 0)

		RETURN_NULL();

	killed = sources = dests = 0;

	memset(&psk, 0, sizeof(psk));

	memset(&psk.psk_src.addr.v.a.mask, 0xff,

	    sizeof(psk.psk_src.addr.v.a.mask));

	memset(&last_src, 0xff, sizeof(last_src));

	memset(&last_dst, 0xff, sizeof(last_dst));

#if 0

	if (iface != NULL && strlcpy(psk.psk_ifname, iface,

	    sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))

		errx(1, "invalid interface: %s", iface);

#endif

	if (pfctl_addrprefix(ip1, &psk.psk_src.addr.v.a.mask) < 0)

		RETURN_NULL();

	if ((ret_ga = getaddrinfo(ip1, NULL, NULL, &res[0]))) {

		php_printf("getaddrinfo: %s", gai_strerror(ret_ga));

		RETURN_NULL();

		/* NOTREACHED */

	}

	for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {

		if (resp[0]->ai_addr == NULL)

			continue;

		/* We get lots of duplicates.  Catch the easy ones */

		if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)

			continue;

		last_src = *(struct sockaddr *)resp[0]->ai_addr;

		psk.psk_af = resp[0]->ai_family;

		sources++;

		if (psk.psk_af == AF_INET)

			psk.psk_src.addr.v.a.addr.v4 =

			    ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;

		else if (psk.psk_af == AF_INET6)

			psk.psk_src.addr.v.a.addr.v6 =

			    ((struct sockaddr_in6 *)resp[0]->ai_addr)->

			    sin6_addr;

		else {

			php_printf("Unknown address family %d", psk.psk_af);

			continue;

		}

		if (ip2 != NULL) {

			dests = 0;

			memset(&psk.psk_dst.addr.v.a.mask, 0xff,

			    sizeof(psk.psk_dst.addr.v.a.mask));

			memset(&last_dst, 0xff, sizeof(last_dst));

			pfctl_addrprefix(ip2,

			    &psk.psk_dst.addr.v.a.mask);

			if ((ret_ga = getaddrinfo(ip2, NULL, NULL,

			    &res[1]))) {

				php_printf("getaddrinfo: %s",

				    gai_strerror(ret_ga));

				break;

				/* NOTREACHED */

			}

			for (resp[1] = res[1]; resp[1];

			    resp[1] = resp[1]->ai_next) {

				if (resp[1]->ai_addr == NULL)

					continue;

				if (psk.psk_af != resp[1]->ai_family)

					continue;

				if (memcmp(&last_dst, resp[1]->ai_addr,

				    sizeof(last_dst)) == 0)

					continue;

				last_dst = *(struct sockaddr *)resp[1]->ai_addr;

				dests++;

				if (psk.psk_af == AF_INET)

					psk.psk_dst.addr.v.a.addr.v4 =

					    ((struct sockaddr_in *)resp[1]->

					    ai_addr)->sin_addr;

				else if (psk.psk_af == AF_INET6)

					psk.psk_dst.addr.v.a.addr.v6 =

					    ((struct sockaddr_in6 *)resp[1]->

					    ai_addr)->sin6_addr;

				else {

					php_printf("Unknown address family %d", psk.psk_af);

					continue;

				}

				if (ioctl(dev, DIOCKILLSTATES, &psk))

					php_printf("Could not kill states\n");

				killed += psk.psk_af;

				/* fixup psk.psk_af */

				psk.psk_af = resp[1]->ai_family;

			}

			freeaddrinfo(res[1]);

		} else {

			if (ioctl(dev, DIOCKILLSTATES, &psk)) {

				php_printf("Could not kill states\n");

				break;

			}

			killed += psk.psk_af;

			/* fixup psk.psk_af */

			psk.psk_af = res[0]->ai_family;

		}

	}

	freeaddrinfo(res[0]);

	RETURN_TRUE;

}

#ifdef IPFW_FUNCTIONS

/* Stolen from ipfw2.c code */

static unsigned long long

pfSense_align_uint64(const uint64_t *pll)

{

	uint64_t ret;

	bcopy (pll, &ret, sizeof(ret));

	return ret;

}

PHP_FUNCTION(pfSense_pipe_action)

{

	int ac, do_pipe = 1, param_len = 0;

	enum { bufsize = 2048 };

	char **ap, *av[bufsize], *param = NULL;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &param, &param_len) == FAILURE) {

		RETURN_FALSE;

	}

	memset(av, 0, sizeof(av));

	ac = 0;

	for (ap = av; (*ap = strsep(&param, " \t")) != NULL;) {

		if (**ap != '\0') {

			if (++ap >= &av[bufsize])

				break;

		}

		ac++;

	}

	if (ac > 0)

		ac = ac - 1;

	if (!strncmp(*av, "pipe", strlen(*av)))

		do_pipe = 1;

	else if (!strncmp(*av, "queue", strlen(*av)))

		do_pipe = 2;

	else if (!strncmp(*av, "flowset", strlen(*av)))

		do_pipe = 2;

	else if (!strncmp(*av, "sched", strlen(*av)))

		do_pipe = 3;

	else

		RETURN_FALSE;

	ap = av;

	ac--;

	ap++;

	if (!strncmp(*ap, "delete", strlen(*ap))) {

		ipfw_delete_pipe(do_pipe, strtol(ap[1], NULL, 10));

	} else if (!strncmp(ap[1], "config", strlen(ap[1]))) {

		/*

		 * For pipes, queues and nats we normally say 'nat|pipe NN config'

		 * but the code is easier to parse as 'nat|pipe config NN'

		 * so we swap the two arguments.

		 */

		if (ac > 1 && isdigit(*ap[0])) {

			char *p = ap[0];

			ap[0] = ap[1];

			ap[1] = p;

		}

		if (ipfw_config_pipe(ac, ap, do_pipe) < 0) {

			RETURN_FALSE;

		}

	} else

		RETURN_FALSE;

	RETURN_TRUE;

}

PHP_FUNCTION(pfSense_ipfw_Tableaction)

{

#if (__FreeBSD_version >= 1000000)

	ip_fw3_opheader *op3;

	ipfw_table_xentry *xent;

	socklen_t size;

	long mask = 0, table = 0, pipe = 0, zone = 0;

	char *ip, *mac = NULL, *p;

	int ip_len, mac_len = 0;

	long action = IP_FW_TABLE_XADD;

	int err;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "llls|lsl", &zone, &action, &table, &ip, &ip_len, &mask, &mac, &mac_len, &pipe) == FAILURE) {

		RETURN_FALSE;

	}

	if (action != IP_FW_TABLE_XDEL && action != IP_FW_TABLE_XADD && action != IP_FW_TABLE_XZEROENTRY)

		RETURN_FALSE;

	size = sizeof(*op3) + sizeof(*xent);

	if ((op3 = (ip_fw3_opheader *)emalloc(size)) == NULL)

		RETURN_FALSE;

	memset(op3, 0, size);

	op3->ctxid = (uint16_t)zone;

	op3->opcode = action;

	xent = (ipfw_table_xentry *)(op3 + 1);

	xent->tbl = (u_int16_t)table;

	if (strchr(ip, ':')) {

		if (!inet_pton(AF_INET6, ip, &xent->k.addr6)) {

			efree(op3);

			RETURN_FALSE;

		}

	} else if (!inet_pton(AF_INET, ip, &xent->k.addr6)) {

		efree(op3);

		RETURN_FALSE;

	}

	if (!strchr(ip, ':'))

		xent->flags = IPFW_TCF_INET;

	if (mask)

		xent->masklen = (u_int8_t)mask;

	else

		xent->masklen = 32;

	if (pipe)