NetBSD · Emmankoko · Mar 29, 2025
diff --git a/lib/libnpf/npf.c b/lib/libnpf/npf.c
@@ -735,6 +735,16 @@ npf_rule_setproc(nl_rule_t *rl, const char *name)
 	return nvlist_error(rl->rule_dict);
 }
 
+
+/* use a single id hack for both user and group */
+int
+npf_rule_setrid(nl_rule_t *rl, struct r_id rid, const char *name)
+{
+	uint64_t uid_element[3] = { rid.id[0], rid.id[1], rid.op };
+	nvlist_add_number_array(rl->rule_dict, name, uid_element, 3);
+	return nvlist_error(rl->rule_dict);
+}
+
 void *
 npf_rule_export(nl_rule_t *rl, size_t *length)
 {

diff --git a/lib/libnpf/npf.expsym b/lib/libnpf/npf.expsym
@@ -75,6 +75,7 @@ npf_rule_setinfo
 npf_rule_setkey
 npf_rule_setprio
 npf_rule_setproc
+npf_rule_setrid
 npf_ruleset_add
 npf_ruleset_flush
 npf_ruleset_remkey

diff --git a/lib/libnpf/npf.h b/lib/libnpf/npf.h
@@ -106,6 +106,7 @@ nl_rule_t *	npf_rule_create(const char *, uint32_t, const char *);
 int		npf_rule_setcode(nl_rule_t *, int, const void *, size_t);
 int		npf_rule_setprio(nl_rule_t *, int);
 int		npf_rule_setproc(nl_rule_t *, const char *);
+int		npf_rule_setrid(nl_rule_t *, struct r_id, const char *);
 int		npf_rule_setkey(nl_rule_t *, const void *, size_t);
 int		npf_rule_setinfo(nl_rule_t *, const void *, size_t);
 const char *	npf_rule_getname(nl_rule_t *);

diff --git a/sys/net/npf/npf.h b/sys/net/npf/npf.h
@@ -59,6 +59,15 @@ typedef union {
 	uint32_t		word32[4];
 } npf_addr_t;
 
+
+/*
+ * use a single type for both user id and group id
+ */
+struct r_id {
+	uint32_t		id[2];
+	uint8_t		 op;
+};
+
 typedef uint8_t			npf_netmask_t;
 
 #define	NPF_MAX_NETMASK		(128)
@@ -372,6 +381,19 @@ typedef enum {
 	NPF_STATS_COUNT
 } npf_stats_t;
 
+/* unary and binary operators */
+enum {
+	NPF_OP_NONE,
+	NPF_OP_EQ,
+	NPF_OP_NE,
+	NPF_OP_LE,
+	NPF_OP_LT,
+	NPF_OP_GE,
+	NPF_OP_GT,
+	NPF_OP_XRG,
+	NPF_OP_IRG
+};
+
 #define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)
 
 #endif	/* _NPF_NET_H_ */
diff --git a/usr.sbin/npf/npfctl/npf_build.c b/usr.sbin/npf/npfctl/npf_build.c
@@ -715,6 +715,14 @@ npfctl_build_rule(uint32_t attr, const char *ifname, sa_family_t family,
 		npfctl_build_code(rl, family, popts, fopts);
 	}
 
+	if (fopts->uid.op != NPF_OP_NONE) {
+		npf_rule_setrid(rl, fopts->uid, "r_user");
+	}
+
+	if (fopts->gid.op != NPF_OP_NONE) {
+		npf_rule_setrid(rl, fopts->gid, "r_group");
+	}
+
 	if (rproc) {
 		npf_rule_setproc(rl, rproc);
 	}

diff --git a/usr.sbin/npf/npfctl/npf_data.c b/usr.sbin/npf/npfctl/npf_data.c
@@ -52,6 +52,8 @@ __RCSID("$NetBSD: npf_data.c,v 1.30 2019/01/19 21:19:32 rmind Exp $");
 #include <errno.h>
 #include <ifaddrs.h>
 #include <netdb.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "npfctl.h"
 
@@ -267,6 +269,52 @@ npfctl_parse_table_id(const char *name)
 	return npfvar_create_element(NPFVAR_TABLE, &tid, sizeof(u_int));
 }
 
+int
+npfctl_parse_user(const char *user, uint32_t *uid)
+{
+	if (!strcmp(user, "unknown"))
+		*uid = UID_MAX;
+	else {
+		struct passwd	*pw;
+
+		if ((pw = getpwnam(user)) == NULL) {
+			return -1;
+		}
+		*uid = pw->pw_uid;
+	}
+	return 0;
+}
+
+int
+npfctl_parse_group(const char *group, uint32_t *gid)
+{
+	if (!strcmp(usergroup, "unknown"))
+		*gid = GID_MAX;
+	else {
+		struct group	*grp;
+
+		if ((grp = getgrnam(group)) == NULL) {
+			return -1;
+		}
+		*gid = grp->gr_gid;
+	}
+	return 0;
+}
+
+/*
+ * this function is called for both gid and uid init in parser
+ * both uid and gid are both uint32_t
+ */
+struct r_id
+npfctl_init_rid(uint32_t id1, uint32_t id2, uint8_t op)
+{
+	struct r_id rid;
+	rid.id[0] = id1;
+	rid.id[1] = id2;
+	rid.op = op;
+	return rid;
+}
+
 /*
  * npfctl_parse_port_range: create a port-range variable.  Note that the
  * passed port numbers should be in host byte order.