authorHenning Brauer <henning@cvs.openbsd.org>2010-03-23 13:31:30 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2010-03-23 13:31:30 +0000
commit29f00368cb030a23d7413513a3e6b804a97c49e0 (patch)
tree6a8015a01cd4da80fecc1f90b55587191d8d0415
parent8346a32c855ddf516e5c720820ab83a2301a6a6c (diff)
remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and conflicts with the general idea of how pf works. Last but not least, it breaks with the optimizer generating tables automagically. ok deraadt sthen krw; manpage jmc
-rw-r--r--sbin/pfctl/parse.y22
-rw-r--r--sbin/pfctl/pfctl.824
-rw-r--r--sbin/pfctl/pfctl.c95
-rw-r--r--sbin/pfctl/pfctl.h4
-rw-r--r--sbin/pfctl/pfctl_optimize.c7
-rw-r--r--sbin/pfctl/pfctl_parser.h9
6 files changed, 31 insertions, 130 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index a6ffe42d12a..8f92e2f265b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.588 2010/01/13 05:20:10 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.589 2010/03/23 13:31:29 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1174,11 +1174,10 @@ tabledef : TABLE '<' STRING '>' table_opts {
free($3);
YYERROR;
}
- if (pf->loadopt & PFCTL_FLAG_TABLE)
- if (process_tabledef($3, &$5)) {
- free($3);
- YYERROR;
- }
+ if (process_tabledef($3, &$5)) {
+ free($3);
+ YYERROR;
+ }
free($3);
for (ti = SIMPLEQ_FIRST(&$5.init_nodes);
ti != SIMPLEQ_END(&$5.init_nodes); ti = nti) {
@@ -4279,12 +4278,6 @@ expand_altq(struct pf_altq *a, struct node_if *interfaces,
struct node_queue_bw bw;
int errs = 0;
- if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
- FREE_LIST(struct node_if, interfaces);
- FREE_LIST(struct node_queue, nqueues);
- return (0);
- }
-
LOOP_THROUGH(struct node_if, interface, interfaces,
memcpy(&pa, a, sizeof(struct pf_altq));
if (strlcpy(pa.ifname, interface->ifname,
@@ -4387,11 +4380,6 @@ expand_queue(struct pf_altq *a, struct node_if *interfaces,
u_int8_t found = 0;
u_int8_t errs = 0;
- if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
- FREE_LIST(struct node_queue, nqueues);
- return (0);
- }
-
if (queues == NULL) {
yyerror("queue %s has no parent", a->qname);
FREE_LIST(struct node_queue, nqueues);
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index d98ee96e7e4..af26e698431 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.142 2010/01/18 23:52:46 mcbride Exp $
+.\" $OpenBSD: pfctl.8,v 1.143 2010/03/23 13:31:29 henning Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 18 2010 $
+.Dd $Mdocdate: March 23 2010 $
.Dt PFCTL 8
.Os
.Sh NAME
@@ -33,7 +33,7 @@
.Sh SYNOPSIS
.Nm pfctl
.Bk -words
-.Op Fl AdeghmnOqRrvz
+.Op Fl deghmnqrvz
.Op Fl a Ar anchor
.Oo Fl D Ar macro Ns =
.Ar value Oc
@@ -111,9 +111,6 @@ The
utility provides several commands.
The options are as follows:
.Bl -tag -width Ds
-.It Fl A
-Load only the queue rules present in the rule file.
-Other rules and options are ignored.
.It Fl a Ar anchor
Apply flags
.Fl f ,
@@ -328,9 +325,6 @@ Allows single options to be modified without disturbing the others:
.Ed
.It Fl n
Do not actually load rules, just parse them.
-.It Fl O
-Load only the options present in the rule file.
-Other rules and options are ignored.
.It Fl o Ar level
Control the ruleset optimizer, overriding any rule file settings.
.Pp
@@ -352,9 +346,6 @@ instead of the default
.Pa /dev/pf .
.It Fl q
Only print errors and warnings.
-.It Fl R
-Load only the filter rules present in the rule file.
-Other rules and options are ignored.
.It Fl r
Perform reverse DNS lookups on states when displaying them.
.It Fl S Ar statefile
@@ -467,15 +458,6 @@ Show the content (addresses) of a table.
Test if the given addresses match a table.
.It Fl T Cm zero
Clear all the statistics of a table.
-.It Fl T Cm load
-Load only the table definitions from
-.Xr pf.conf 5 .
-This is used in conjunction with the
-.Fl f
-flag, as in:
-.Bd -literal -offset indent
-# pfctl -Tl -f pf.conf
-.Ed
.El
.Pp
For the
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index c9bcb4f84d6..209fa4ed596 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.294 2010/01/18 23:52:46 mcbride Exp $ */
+/* $OpenBSD: pfctl.c,v 1.295 2010/03/23 13:31:29 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -114,7 +114,6 @@ int src_node_killers;
char *src_node_kill[2];
int state_killers;
char *state_kill[2];
-int loadopt;
int altqsupport;
int dev = -1;
@@ -211,7 +210,7 @@ static const char *showopt_list[] = {
};
static const char *tblcmdopt_list[] = {
- "kill", "flush", "add", "delete", "load", "replace", "show",
+ "kill", "flush", "add", "delete", "replace", "show",
"test", "zero", "expire", NULL
};
@@ -231,7 +230,7 @@ usage(void)
{
extern char *__progname;
- fprintf(stderr, "usage: %s [-AdeghmnOqRrvz] ", __progname);
+ fprintf(stderr, "usage: %s [-deghmnqrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
fprintf(stderr, "\t[-k host | network | label | id] ");
@@ -1046,18 +1045,14 @@ pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
{
int osize = pf->trans->pfrb_size;
- if (a == pf->astack[0] && ((altqsupport &&
- (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
+ if (a == pf->astack[0] && altqsupport) {
if (pfctl_add_trans(pf->trans, PF_TRANS_ALTQ, path))
return (2);
}
- if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
- if (pfctl_add_trans(pf->trans, PF_TRANS_RULESET, path))
- return (3);
- }
- if (pf->loadopt & PFCTL_FLAG_TABLE)
- if (pfctl_add_trans(pf->trans, PF_TRANS_TABLE, path))
- return (4);
+ if (pfctl_add_trans(pf->trans, PF_TRANS_RULESET, path))
+ return (3);
+ if (pfctl_add_trans(pf->trans, PF_TRANS_TABLE, path))
+ return (4);
if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
return (5);
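Review bot: With the loadopt gate gone, the ALTQ transaction is now requested for a named anchor as well: `a == pf->astack[0]` also holds when pfctl_rules() loads into the anchor given with -a (astack[0] is assigned pf.anchor in that function), and nothing in this condition checks that `path` is empty. Before this commit `pf.loadopt &= ~PFCTL_FLAG_ALTQ` in pfctl_rules() kept PF_TRANS_ALTQ out of anchor loads, and the ticket fetch later in this diff (`if (altqsupport) pa.ticket = pfctl_get_ticket(t, PF_TRANS_ALTQ, anchorname)`) now has the same unconditional shape. If the kernel simply ignores an ALTQ transaction with a non-root path this is harmless; otherwise restrict it to the root ruleset, e.g. `if (a == pf->astack[0] && altqsupport && !path[0])`, and guard the ticket fetch the same way so the two stay consistent. pfctl_ruleset_trans() continues past the end of the hunk.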
@@ -1173,8 +1168,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
int
pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
{
- if (altqsupport &&
- (loadopt & PFCTL_FLAG_ALTQ) != 0) {
+ if (altqsupport) {
memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
if ((pf->opts & PF_OPT_NOACTION) == 0) {
if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
@@ -1232,7 +1226,6 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
pf.dev = dev;
pf.opts = opts;
pf.optimize = optimize;
- pf.loadopt = loadopt;
/* non-brace anchor, create without resolving the path */
if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
@@ -1250,8 +1243,6 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
pf.astack[0] = pf.anchor;
pf.asd = 0;
- if (anchorname[0])
- pf.loadopt &= ~PFCTL_FLAG_ALTQ;
pf.paltq = &pa;
pf.trans = t;
pfctl_init_options(&pf);
@@ -1264,12 +1255,11 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
*/
if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
ERRX("pfctl_rules");
- if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
+ if (altqsupport)
pa.ticket =
pfctl_get_ticket(t, PF_TRANS_ALTQ, anchorname);
- if (pf.loadopt & PFCTL_FLAG_TABLE)
- pf.astack[0]->ruleset.tticket =
- pfctl_get_ticket(t, PF_TRANS_TABLE, anchorname);
+ pf.astack[0]->ruleset.tticket =
+ pfctl_get_ticket(t, PF_TRANS_TABLE, anchorname);
}
if (parse_config(filename, &pf) < 0) {
@@ -1280,8 +1270,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
goto _error;
}
- if ((pf.loadopt & PFCTL_FLAG_FILTER &&
- pfctl_load_ruleset(&pf, path, rs, 0))) {
+ if (pfctl_load_ruleset(&pf, path, rs, 0)) {
if ((opts & PF_OPT_NOACTION) == 0)
ERRX("Unable to load rules into kernel");
else
@@ -1290,9 +1279,8 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
free(path);
- if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
- if (check_commit_altq(dev, opts) != 0)
- ERRX("errors in altq config");
+ if (altqsupport && check_commit_altq(dev, opts) != 0)
+ ERRX("errors in altq config");
/* process "load anchor" directives */
if (!anchorname[0])
@@ -1397,9 +1385,6 @@ pfctl_load_options(struct pfctl *pf)
{
int i, error = 0;
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
/* load limits */
for (i = 0; i < PF_LIMIT_MAX; i++) {
if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
@@ -1501,9 +1486,6 @@ pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
{
int i;
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
for (i = 0; pf_timeouts[i].name; i++) {
if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
pf->timeout[pf_timeouts[i].timeout] = seconds;
@@ -1542,9 +1524,6 @@ pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
int
pfctl_set_reassembly(struct pfctl *pf, int on, int nodf)
{
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
pf->reass_set = 1;
if (on) {
pf->reassemble = PF_REASS_ENABLED;
@@ -1567,9 +1546,6 @@ pfctl_set_optimization(struct pfctl *pf, const char *opt)
const struct pf_hint *hint;
int i, r;
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
for (i = 0; pf_hints[i].name; i++)
if (strcasecmp(opt, pf_hints[i].name) == 0)
break;
@@ -1594,10 +1570,6 @@ pfctl_set_optimization(struct pfctl *pf, const char *opt)
int
pfctl_set_logif(struct pfctl *pf, char *ifname)
{
-
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
if (!strcmp(ifname, "none")) {
free(pf->ifname);
pf->ifname = NULL;
@@ -1635,9 +1607,6 @@ pfctl_load_logif(struct pfctl *pf, char *ifname)
int
pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
{
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
HTONL(hostid);
pf->hostid = hostid;
@@ -1675,9 +1644,6 @@ pfctl_set_debug(struct pfctl *pf, char *d)
u_int32_t level;
int loglevel;
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
if (!strcmp(d, "none"))
level = LOG_CRIT;
else if (!strcmp(d, "urgent"))
@@ -1720,9 +1686,6 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
{
struct pfioc_iface pi;
- if ((loadopt & PFCTL_FLAG_OPTION) == 0)
- return (0);
-
bzero(&pi, sizeof(pi));
pi.pfiio_flags = flags;
@@ -1918,7 +1881,7 @@ main(int argc, char *argv[])
usage();
while ((ch = getopt(argc, argv,
- "a:AdD:eqf:F:ghi:k:K:L:mnOo:p:rRS:s:t:T:vx:z")) != -1) {
+ "a:dD:eqf:F:ghi:k:K:L:mno:p:rS:s:t:T:vx:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@@ -1984,12 +1947,6 @@ main(int argc, char *argv[])
case 'g':
opts |= PF_OPT_DEBUG;
break;
- case 'A':
- loadopt |= PFCTL_FLAG_ALTQ;
- break;
- case 'R':
- loadopt |= PFCTL_FLAG_FILTER;
- break;
case 'o':
optiopt = pfctl_lookup_option(optarg, optiopt_list);
if (optiopt == NULL) {
@@ -1998,9 +1955,6 @@ main(int argc, char *argv[])
}
opts |= PF_OPT_OPTIMIZE;
break;
- case 'O':
- loadopt |= PFCTL_FLAG_OPTION;
- break;
case 'p':
pf_device = optarg;
break;
@@ -2057,18 +2011,12 @@ main(int argc, char *argv[])
argc -= optind;
argv += optind;
ch = *tblcmdopt;
- if (ch == 'l') {
- loadopt |= PFCTL_FLAG_TABLE;
- tblcmdopt = NULL;
- } else
- mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
+ mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
} else if (argc != optind) {
warnx("unknown command line argument: %s ...", argv[optind]);
usage();
/* NOTREACHED */
}
- if (loadopt == 0)
- loadopt = ~0;
if ((path = calloc(1, MAXPATHLEN)) == NULL)
errx(1, "pfctl: calloc");
@@ -2087,7 +2035,6 @@ main(int argc, char *argv[])
sizeof(anchorname)) >= sizeof(anchorname))
errx(1, "anchor name '%s' too long",
anchoropt);
- loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_TABLE;
}
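Review bot: Dropping `loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_TABLE;` removes the only place visible in this diff where a `-a anchor` load was kept from applying global `set` options and altq definitions, and the matching `loadopt & PFCTL_FLAG_OPTION` checks in pfctl_load_options(), pfctl_set_timeout(), pfctl_set_logif(), pfctl_set_hostid() and friends go away in the same commit. After this change the protection rests entirely on whatever the parser does with those statements inside an anchor, which this diff does not show; anchors are the mechanism pf offers for delegating rule loading (authpf is the usual example), so an anchor's rule source should not be able to change limits, timeouts, debug level or the log interface for the whole host. If parse.y already rejects `set` and `altq` in anchor context, a one-line comment at this spot recording that (`/* set/altq inside anchors are rejected by the parser */`) would be enough; otherwise an explicit guard on the anchor path in pfctl_rules(), which still knows `anchorname`, should be kept. main() starts and ends outside the hunk.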
if ((opts & PF_OPT_NOACTION) == 0) {
@@ -2248,13 +2195,12 @@ main(int argc, char *argv[])
}
}
- if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
- !anchorname[0])
+ if ((rulesopt != NULL) && !anchorname[0])
if (pfctl_clear_interface_flags(dev, opts | PF_OPT_QUIET))
error = 1;
if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
- !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION))
+ !anchorname[0])
if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))
error = 1;
@@ -2265,8 +2211,7 @@ main(int argc, char *argv[])
if (pfctl_rules(dev, rulesopt, opts, optimize,
anchorname, NULL))
error = 1;
- else if (!(opts & PF_OPT_NOACTION) &&
- (loadopt & PFCTL_FLAG_TABLE))
+ else if (!(opts & PF_OPT_NOACTION))
warn_namespace_collision(NULL);
}
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index 9976d993daa..d18226143ce 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.44 2009/11/03 10:59:04 claudio Exp $ */
+/* $OpenBSD: pfctl.h,v 1.45 2010/03/23 13:31:29 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -101,8 +101,6 @@ struct segment {
double x, y, d, m;
};
-extern int loadopt;
-
int check_commit_altq(int, int);
void pfaltq_store(struct pf_altq *);
struct pf_altq *pfaltq_lookup(const char *);
diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c
index b53f1980ead..c5d872ac7dd 100644
--- a/sbin/pfctl/pfctl_optimize.c
+++ b/sbin/pfctl/pfctl_optimize.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_optimize.c,v 1.24 2010/01/12 03:20:51 mcbride Exp $ */
+/* $OpenBSD: pfctl_optimize.c,v 1.25 2010/03/23 13:31:29 henning Exp $ */
/*
* Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>
@@ -473,11 +473,6 @@ combine_rules(struct pfctl *pf, struct superblock *block)
struct pf_opt_rule *p1, *p2, *por_next;
int src_eq, dst_eq;
- if ((pf->loadopt & PFCTL_FLAG_TABLE) == 0) {
- warnx("Must enable table loading for optimizations");
- return (1);
- }
-
/* First we make a pass to combine the rules. O(n log n) */
TAILQ_FOREACH(p1, &block->sb_rules, por_entry) {
for (p2 = TAILQ_NEXT(p1, por_entry); p2; p2 = por_next) {
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index a1145a34214..c50d414c9a9 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.92 2010/01/18 23:52:46 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.93 2010/03/23 13:31:29 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -72,7 +72,6 @@ struct pfctl {
int dev;
int opts;
int optimize;
- int loadopt;
int asd; /* anchor stack depth */
int bn; /* brace number */
int brace;
@@ -265,12 +264,6 @@ struct pf_timeout {
int timeout;
};
-#define PFCTL_FLAG_FILTER 0x02
-#define PFCTL_FLAG_NAT 0x04
-#define PFCTL_FLAG_OPTION 0x08
-#define PFCTL_FLAG_ALTQ 0x10
-#define PFCTL_FLAG_TABLE 0x20
-
extern const struct pf_timeout pf_timeouts[];
void set_ipmask(struct node_host *, u_int8_t);