summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKjell Wooding <kjell@cvs.openbsd.org>2001-06-26 23:24:07 +0000
committerKjell Wooding <kjell@cvs.openbsd.org>2001-06-26 23:24:07 +0000
commit7c78add46f8923ccecb22448f42730a2e7a9e5fe (patch)
treefd75e521bb8582c607daf6bb99ae6af59a55f533
parente5aa2ae3c2db89c0ffedc4daf9f09bf120334a10 (diff)
Add -N (parse, but do not load) and -v (verbose: show parsed rules)
for pf and nat rules.
-rw-r--r--sbin/pfctl/pfctl.88
-rw-r--r--sbin/pfctl/pfctl.c124
2 files changed, 83 insertions, 49 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 6fe58ec3079..70e837dbaea 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.11 2001/06/26 17:52:40 kjell Exp $
+.\" $OpenBSD: pfctl.8,v 1.12 2001/06/26 23:24:05 kjell Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -40,8 +40,10 @@
.Op Fl c Ar set
.Op Fl l Ar interface
.Op Fl n Ar file
+.Op Fl N
.Op Fl r Ar file
.Op Fl s Ar set
+.Op Fl v
.Sh DESCRIPTION
The
.Nm
@@ -98,6 +100,8 @@ Enable collection of packet and byte count statistics for interface named
These statistics can be viewed with the
.Fl s Ar status
option.
+.It Fl N
+Do not actually load rules
.It Fl n Ar file
Load a NAT rules file
.It Fl r Ar file
@@ -116,6 +120,8 @@ Show the contents of the state table
.It Ar status
Show filter statistics
.El
+.It Fl v
+Show rules as they are parsed
.El
.Sh FILES
.Bl -tag -width "/etc/nat.conf" -compact
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 7b8f5d20eaf..2b7d72a0633 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.17 2001/06/26 22:24:14 provos Exp $ */
+/* $OpenBSD: pfctl.c,v 1.18 2001/06/26 23:24:06 kjell Exp $ */
/*
* Copyright (c) 2001, Daniel Hartmeier
@@ -58,12 +58,14 @@ int pfctl_show_rules(int);
int pfctl_show_nat(int);
int pfctl_show_states(int, u_int8_t);
int pfctl_show_status(int);
-int pfctl_rules(int, char *);
-int pfctl_nat(int, char *);
+int pfctl_rules(int, char *, int, int);
+int pfctl_nat(int, char *, int, int);
int pfctl_log(int, char *);
-int dflag;
-int eflag;
+int dflag = 0;
+int eflag = 0;
+int vflag = 0;
+int Nflag = 0;
char *clearopt;
char *logopt;
char *natopt;
@@ -269,7 +271,7 @@ pfctl_show_status(int dev)
}
int
-pfctl_rules(int dev, char *filename)
+pfctl_rules(int dev, char *filename, int nflag, int vflag)
{
struct pfioc_rule pr;
char *buf, *s;
@@ -279,10 +281,12 @@ pfctl_rules(int dev, char *filename)
buf = load_file(filename, &len);
if (buf == NULL)
return (1);
- if (ioctl(dev, DIOCBEGINRULES, &pr.ticket)) {
- errx(1, "DIOCBEGINRULES");
- free(buf);
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCBEGINRULES, &pr.ticket)) {
+ errx(1, "DIOCBEGINRULES");
+ free(buf);
+ return (1);
+ }
}
n = 0;
nr = 0;
@@ -292,25 +296,31 @@ pfctl_rules(int dev, char *filename)
nr++;
if (*line && (*line != '#'))
if (parse_rule(nr, line, &pr.rule)) {
- if (ioctl(dev, DIOCADDRULE, &pr)) {
- errx(1, "DIOCADDRULE");
- free(buf);
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCADDRULE, &pr)) {
+ errx(1, "DIOCADDRULE");
+ free(buf);
+ return (1);
+ }
}
+ if (vflag)
+ print_rule(&pr.rule);
n++;
}
} while (s < (buf + len));
free(buf);
- if (ioctl(dev, DIOCCOMMITRULES, &pr.ticket)) {
- errx(1, "DIOCCOMMITRULES");
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCCOMMITRULES, &pr.ticket)) {
+ errx(1, "DIOCCOMMITRULES");
+ return (1);
+ }
+ printf("%u rules loaded\n", n);
}
- printf("%u rules loaded\n", n);
return (0);
}
int
-pfctl_nat(int dev, char *filename)
+pfctl_nat(int dev, char *filename, int nflag, int vflag)
{
struct pfioc_nat pn;
struct pfioc_rdr pr;
@@ -318,10 +328,12 @@ pfctl_nat(int dev, char *filename)
size_t len;
unsigned n, nr;
- if (ioctl(dev, DIOCBEGINNATS, &pn.ticket)) {
- errx(1, "DIOCBEGINNATS");
- return (1);
- }
+ if (!nflag)
+ if (ioctl(dev, DIOCBEGINNATS, &pn.ticket)) {
+ errx(1, "DIOCBEGINNATS");
+ return (1);
+ }
+
buf = load_file(filename, &len);
if (buf == NULL)
return (1);
@@ -333,24 +345,29 @@ pfctl_nat(int dev, char *filename)
nr++;
if (*line && (*line == 'n'))
if (parse_nat(nr, line, &pn.nat)) {
- if (ioctl(dev, DIOCADDNAT, &pn)) {
- errx(1, "DIOCADDNAT");
- free(buf);
- return (1);
- }
+ if (!nflag)
+ if (ioctl(dev, DIOCADDNAT, &pn)) {
+ errx(1, "DIOCADDNAT");
+ free(buf);
+ return (1);
+ }
+ if (vflag)
+ print_nat(&pn.nat);
n++;
}
} while (s < (buf + len));
free(buf);
- if (ioctl(dev, DIOCCOMMITNATS, &pn.ticket)) {
- errx(1, "DIOCCOMMITNATS");
- return (1);
- }
- printf("%u nat entries loaded\n", n);
+ if (!nflag) {
+ if (ioctl(dev, DIOCCOMMITNATS, &pn.ticket)) {
+ errx(1, "DIOCCOMMITNATS");
+ return (1);
+ }
+ printf("%u nat entries loaded\n", n);
- if (ioctl(dev, DIOCBEGINRDRS, &pr.ticket)) {
- errx(1, "DIOCBEGINRDRS");
- return 1;
+ if (ioctl(dev, DIOCBEGINRDRS, &pr.ticket)) {
+ errx(1, "DIOCBEGINRDRS");
+ return 1;
+ }
}
buf = load_file(filename, &len);
if (buf == NULL)
@@ -363,20 +380,25 @@ pfctl_nat(int dev, char *filename)
nr++;
if (*line && (*line == 'r'))
if (parse_rdr(nr, line, &pr.rdr)) {
- if (ioctl(dev, DIOCADDRDR, &pr)) {
- errx(1, "DIOCADDRDR");
- free(buf);
- return (1);
- }
+ if (!nflag)
+ if (ioctl(dev, DIOCADDRDR, &pr)) {
+ errx(1, "DIOCADDRDR");
+ free(buf);
+ return (1);
+ }
+ if (vflag)
+ print_rdr(&pr.rdr);
n++;
}
} while (s < (buf + len));
free(buf);
- if (ioctl(dev, DIOCCOMMITRDRS, &pr.ticket)) {
- errx(1, "DIOCCOMMITRDRS");
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCCOMMITRDRS, &pr.ticket)) {
+ errx(1, "DIOCCOMMITRDRS");
+ return (1);
+ }
+ printf("%u rdr entries loaded\n", n);
}
- printf("%u rdr entries loaded\n", n);
return (0);
}
@@ -406,7 +428,7 @@ main(int argc, char *argv[])
if (argc < 2)
usage();
- while ((ch = getopt(argc, argv, "c:del:n:r:s:")) != -1) {
+ while ((ch = getopt(argc, argv, "c:del:Nn:r:s:v")) != -1) {
switch (ch) {
case 'c':
clearopt = optarg;
@@ -420,6 +442,9 @@ main(int argc, char *argv[])
case 'l':
logopt = optarg;
break;
+ case 'N':
+ Nflag++;
+ break;
case 'n':
natopt = optarg;
break;
@@ -429,6 +454,9 @@ main(int argc, char *argv[])
case 's':
showopt = optarg;
break;
+ case 'v':
+ vflag++;
+ break;
default:
usage();
/* NOTREACHED */
@@ -462,11 +490,11 @@ main(int argc, char *argv[])
}
if (rulesopt != NULL)
- if (pfctl_rules(dev, rulesopt))
+ if (pfctl_rules(dev, rulesopt, Nflag, vflag))
error = 1;
if (natopt != NULL)
- if (pfctl_nat(dev, natopt))
+ if (pfctl_nat(dev, natopt, Nflag, vflag))
error = 1;
if (showopt != NULL) {