author | Kjell Wooding <kjell@cvs.openbsd.org> | 2001-06-26 23:24:07 +0000 |
committer | Kjell Wooding <kjell@cvs.openbsd.org> | 2001-06-26 23:24:07 +0000 |
commit | 7c78add46f8923ccecb22448f42730a2e7a9e5fe (patch) | |
tree | fd75e521bb8582c607daf6bb99ae6af59a55f533 | |
parent | e5aa2ae3c2db89c0ffedc4daf9f09bf120334a10 (diff) |
Add -N (parse, but do not load) and -v (verbose: show parsed rules)
for pf and nat rules.
-rw-r--r-- | sbin/pfctl/pfctl.8 | 8 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 124 |
2 files changed, 83 insertions, 49 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 6fe58ec3079..70e837dbaea 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.11 2001/06/26 17:52:40 kjell Exp $
+.\" $OpenBSD: pfctl.8,v 1.12 2001/06/26 23:24:05 kjell Exp $
 .\"
 .\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
 .\"
@@ -40,8 +40,10 @@
 .Op Fl c Ar set
 .Op Fl l Ar interface
 .Op Fl n Ar file
+.Op Fl N
 .Op Fl r Ar file
 .Op Fl s Ar set
+.Op Fl v
 .Sh DESCRIPTION
 The
 .Nm
@@ -98,6 +100,8 @@ Enable collection of packet and byte count statistics for interface named
 These statistics can be viewed with the
 .Fl s Ar status
 option.
+.It Fl N
+Do not actually load rules
 .It Fl n Ar file
 Load a NAT rules file
 .It Fl r Ar file
@@ -116,6 +120,8 @@ Show the contents of the state table
 .It Ar status
 Show filter statistics
 .El
+.It Fl v
+Show rules as they are parsed
 .El
 .Sh FILES
 .Bl -tag -width "/etc/nat.conf" -compact
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 7b8f5d20eaf..2b7d72a0633 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.17 2001/06/26 22:24:14 provos Exp $ */
+/* $OpenBSD: pfctl.c,v 1.18 2001/06/26 23:24:06 kjell Exp $ */
 
 /*
 * Copyright (c) 2001, Daniel Hartmeier
@@ -58,12 +58,14 @@ int pfctl_show_rules(int);
 int pfctl_show_nat(int);
 int pfctl_show_states(int, u_int8_t);
 int pfctl_show_status(int);
-int pfctl_rules(int, char *);
-int pfctl_nat(int, char *);
+int pfctl_rules(int, char *, int, int);
+int pfctl_nat(int, char *, int, int);
 int pfctl_log(int, char *);
 
-int dflag;
-int eflag;
+int dflag = 0;
+int eflag = 0;
+int vflag = 0;
+int Nflag = 0;
 char *clearopt;
 char *logopt;
 char *natopt;
@@ -269,7 +271,7 @@ pfctl_show_status(int dev)
 }
 
 int
-pfctl_rules(int dev, char *filename)
+pfctl_rules(int dev, char *filename, int nflag, int vflag)
 {
 struct pfioc_rule pr;
 char *buf, *s;
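Review bot: The new `vflag` parameter of `pfctl_rules` (hunk at -269) shadows the file-scope `int vflag = 0;` introduced in the hunk at -58, and `pfctl_nat` repeats the pattern on the next line; `-Wshadow` will flag it and a reader can no longer tell from the body which `vflag` is meant. Either rename the parameter, `pfctl_rules(int dev, char *filename, int nflag, int verbose)`, or drop the two extra parameters and read the globals directly, as the rest of the file does for `dflag`/`eflag`. The explicit `= 0` initializers on the new file-scope ints are harmless but redundant, since objects with static storage duration are already zero-initialized; matching the existing `int dflag;` style would keep the declarations uniform. The `pfctl_rules` body continues outside this hunk.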
@@ -279,10 +281,12 @@ pfctl_rules(int dev, char *filename)
 buf = load_file(filename, &len);
 if (buf == NULL)
 return (1);
- if (ioctl(dev, DIOCBEGINRULES, &pr.ticket)) {
- errx(1, "DIOCBEGINRULES");
- free(buf);
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCBEGINRULES, &pr.ticket)) {
+ errx(1, "DIOCBEGINRULES");
+ free(buf);
+ return (1);
+ }
 }
 n = 0;
 nr = 0;
@@ -292,25 +296,31 @@ pfctl_rules(int dev, char *filename)
 nr++;
 if (*line && (*line != '#'))
 if (parse_rule(nr, line, &pr.rule)) {
- if (ioctl(dev, DIOCADDRULE, &pr)) {
- errx(1, "DIOCADDRULE");
- free(buf);
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCADDRULE, &pr)) {
+ errx(1, "DIOCADDRULE");
+ free(buf);
+ return (1);
+ }
 }
+ if (vflag)
+ print_rule(&pr.rule);
 n++;
 }
 } while (s < (buf + len));
 free(buf);
- if (ioctl(dev, DIOCCOMMITRULES, &pr.ticket)) {
- errx(1, "DIOCCOMMITRULES");
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCCOMMITRULES, &pr.ticket)) {
+ errx(1, "DIOCCOMMITRULES");
+ return (1);
+ }
+ printf("%u rules loaded\n", n);
 }
- printf("%u rules loaded\n", n);
 return (0);
 }
 
 int
-pfctl_nat(int dev, char *filename)
+pfctl_nat(int dev, char *filename, int nflag, int vflag)
 {
 struct pfioc_nat pn;
 struct pfioc_rdr pr;
@@ -318,10 +328,12 @@ pfctl_nat(int dev, char *filename)
 size_t len;
 unsigned n, nr;
 
- if (ioctl(dev, DIOCBEGINNATS, &pn.ticket)) {
- errx(1, "DIOCBEGINNATS");
- return (1);
- }
+ if (!nflag)
+ if (ioctl(dev, DIOCBEGINNATS, &pn.ticket)) {
+ errx(1, "DIOCBEGINNATS");
+ return (1);
+ }
+
 buf = load_file(filename, &len);
 if (buf == NULL)
 return (1);
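Review bot: With `nflag` set, the hunk at -292 skips `DIOCADDRULE` and `DIOCCOMMITRULES` entirely, so a rule that `parse_rule` accepts but the kernel would reject passes the dry run with exit status 0 and no output; the same holds for the nat and rdr paths in the following hunks. Operators will read `-N` as "validate my ruleset", so the `pfctl.8` entry should say what is and is not checked, e.g. `Parse the rules but do not load them; checks performed only by the kernel are skipped`. Printing a count in the dry-run branch, `if (nflag) printf("%u rules parsed\n", n);`, would also give `-N` a visible result instead of silence. Both `pfctl_rules` and `pfctl_nat` start or end outside these hunks.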
@@ -333,24 +345,29 @@ pfctl_nat(int dev, char *filename)
 nr++;
 if (*line && (*line == 'n'))
 if (parse_nat(nr, line, &pn.nat)) {
- if (ioctl(dev, DIOCADDNAT, &pn)) {
- errx(1, "DIOCADDNAT");
- free(buf);
- return (1);
- }
+ if (!nflag)
+ if (ioctl(dev, DIOCADDNAT, &pn)) {
+ errx(1, "DIOCADDNAT");
+ free(buf);
+ return (1);
+ }
+ if (vflag)
+ print_nat(&pn.nat);
 n++;
 }
 } while (s < (buf + len));
 free(buf);
- if (ioctl(dev, DIOCCOMMITNATS, &pn.ticket)) {
- errx(1, "DIOCCOMMITNATS");
- return (1);
- }
- printf("%u nat entries loaded\n", n);
+ if (!nflag) {
+ if (ioctl(dev, DIOCCOMMITNATS, &pn.ticket)) {
+ errx(1, "DIOCCOMMITNATS");
+ return (1);
+ }
+ printf("%u nat entries loaded\n", n);
 
- if (ioctl(dev, DIOCBEGINRDRS, &pr.ticket)) {
- errx(1, "DIOCBEGINRDRS");
- return 1;
+ if (ioctl(dev, DIOCBEGINRDRS, &pr.ticket)) {
+ errx(1, "DIOCBEGINRDRS");
+ return 1;
+ }
 }
 buf = load_file(filename, &len);
 if (buf == NULL)
@@ -363,20 +380,25 @@ pfctl_nat(int dev, char *filename)
 nr++;
 if (*line && (*line == 'r'))
 if (parse_rdr(nr, line, &pr.rdr)) {
- if (ioctl(dev, DIOCADDRDR, &pr)) {
- errx(1, "DIOCADDRDR");
- free(buf);
- return (1);
- }
+ if (!nflag)
+ if (ioctl(dev, DIOCADDRDR, &pr)) {
+ errx(1, "DIOCADDRDR");
+ free(buf);
+ return (1);
+ }
+ if (vflag)
+ print_rdr(&pr.rdr);
 n++;
 }
 } while (s < (buf + len));
 free(buf);
- if (ioctl(dev, DIOCCOMMITRDRS, &pr.ticket)) {
- errx(1, "DIOCCOMMITRDRS");
- return (1);
+ if (!nflag) {
+ if (ioctl(dev, DIOCCOMMITRDRS, &pr.ticket)) {
+ errx(1, "DIOCCOMMITRDRS");
+ return (1);
+ }
+ printf("%u rdr entries loaded\n", n);
 }
- printf("%u rdr entries loaded\n", n);
 return (0);
 }
 
@@ -406,7 +428,7 @@ main(int argc, char *argv[])
 if (argc < 2)
 usage();
 
- while ((ch = getopt(argc, argv, "c:del:n:r:s:")) != -1) {
+ while ((ch = getopt(argc, argv, "c:del:Nn:r:s:v")) != -1) {
 switch (ch) {
 case 'c':
 clearopt = optarg;
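Review bot: The `DIOCADDNAT` and `DIOCADDRDR` guards in the hunks at -333 and -363 are written as an unbraced nested `if (!nflag) if (ioctl(...)) { ... }`, while the equivalent guards in `pfctl_rules` and the commit blocks in the same function use `if (!nflag) { ... }`. The unbraced form is exactly the shape that lets a later one-line addition (an `else`, a second statement) bind to the wrong `if`, and mixing both forms in one commit makes the code harder to audit; bracing them like the rules path, `if (!nflag) {`, costs one line each. The added `return 1;` in the `DIOCBEGINRDRS` branch also keeps the lone unparenthesized return in a function that otherwise writes `return (1);`. `pfctl_nat` starts outside these hunks.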
@@ -420,6 +442,9 @@ main(int argc, char *argv[])
 case 'l':
 logopt = optarg;
 break;
+ case 'N':
+ Nflag++;
+ break;
 case 'n':
 natopt = optarg;
 break;
@@ -429,6 +454,9 @@ main(int argc, char *argv[])
 case 's':
 showopt = optarg;
 break;
+ case 'v':
+ vflag++;
+ break;
 default:
 usage();
 /* NOTREACHED */
@@ -462,11 +490,11 @@ main(int argc, char *argv[])
 }
 
 if (rulesopt != NULL)
- if (pfctl_rules(dev, rulesopt, Nflag, vflag))
+ if (pfctl_rules(dev, rulesopt, Nflag, vflag))
 error = 1;
 
 if (natopt != NULL)
- if (pfctl_nat(dev, natopt))
+ if (pfctl_nat(dev, natopt, Nflag, vflag))
 error = 1;
 
 if (showopt != NULL) {
|
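Review bot: `Nflag` is consulted only in the two loader calls in the hunk at -462, so `-N` leaves every other option on the same command line (the `-c`, `-d`, `-e`, `-l` operations parsed by this `getopt` loop) fully active against the kernel; an operator who combines `-N` with one of those to "test" a change gets a real state change. That is worth stating in the `pfctl.8` entry added alongside, e.g. `Do not actually load rules; other options still take effect`. If `usage()` prints an option synopsis (it is outside these hunks), it presumably needs `-N` and `-v` added as well. `main` continues outside these hunks.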