authorCedric Berger <cedric@cvs.openbsd.org>2003-04-30 12:30:28 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2003-04-30 12:30:28 +0000
commitba4eec495765b9095d5d66d12e933cae99fbfba5 (patch)
tree8242fa1f0a74e8277324734a9b5d014dbf6d7771 /sbin
parentd08d75cff317e4ebbe3d8d3f9ebdd6daee64a27f (diff)
Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y5
-rw-r--r--sbin/pfctl/pfctl.c40
-rw-r--r--sbin/pfctl/pfctl.h9
-rw-r--r--sbin/pfctl/pfctl_parser.h6
-rw-r--r--sbin/pfctl/pfctl_table.c49
5 files changed, 71 insertions, 38 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 76bf7b7c24e..f3b7041d5b7 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.368 2003/04/25 17:36:33 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.369 2003/04/30 12:30:27 cedric Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -756,7 +756,8 @@ tabledef : TABLE '<' STRING '>' table_opts {
}
pfctl_define_table($3, $5.flags, $5.init_addr,
(pf->opts & PF_OPT_NOACTION) || !(pf->loadopt &
- (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL)));
+ (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL)),
+ pf->anchor, pf->ruleset);
}
;
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 702108565cd..c8725390062 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.167 2003/04/03 15:52:24 cedric Exp $ */
+/* $OpenBSD: pfctl.c,v 1.168 2003/04/30 12:30:27 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -988,6 +988,8 @@ pfctl_rules(int dev, char *filename, int opts)
pf.prule[i] = &pr[i];
}
pf.rule_nr = 0;
+ pf.anchor = anchorname;
+ pf.ruleset = rulesetname;
if (parse_rules(fin, &pf) < 0)
errx(1, "Syntax error in config file: pf rules not loaded");
if ((altqsupport && (loadopt & (PFCTL_FLAG_ALTQ | PFCTL_FLAG_ALL)) != 0))
@@ -996,14 +998,17 @@ pfctl_rules(int dev, char *filename, int opts)
if ((opts & PF_OPT_NOACTION) == 0) {
if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
pr[PF_RULESET_NAT].rule.action = PF_NAT;
- if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_NAT]))
- err(1, "DIOCCOMMITRULES");
+ if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_NAT]) &&
+ (errno != EINVAL || pf.rule_nr))
+ err(1, "DIOCCOMMITRULES NAT");
pr[PF_RULESET_RDR].rule.action = PF_RDR;
- if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_RDR]))
- err(1, "DIOCCOMMITRULES");
+ if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_RDR]) &&
+ (errno != EINVAL || pf.rule_nr))
+ err(1, "DIOCCOMMITRULES RDR");
pr[PF_RULESET_BINAT].rule.action = PF_BINAT;
- if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_BINAT]))
- err(1, "DIOCCOMMITRULES");
+ if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_BINAT]) &&
+ (errno != EINVAL || pf.rule_nr))
+ err(1, "DIOCCOMMITRULES BINAT");
}
if (((altqsupport && (loadopt &
(PFCTL_FLAG_ALTQ | PFCTL_FLAG_ALL)) != 0)) &&
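Review bot: The new `(errno != EINVAL || pf.rule_nr)` clause makes a failed DIOCCOMMITRULES non-fatal in three places here (NAT/RDR/BINAT) and twice more in the SCRUB/FILTER hunk below, but nothing says why EINVAL is the expected and tolerated error, so a later reader cannot tell a deliberate tolerance from a masked kernel failure. The reason appears to be a load that parsed only tables for an anchor whose ruleset has no rules to commit, but that is inferred, not visible in the hunk. Add a comment above the first commit, e.g. `/* EINVAL with no rules parsed: empty ruleset, nothing to commit */`, and consider a small static helper wrapping the ioctl-plus-condition so the five copies cannot drift apart. Note also that `pf.rule_nr` is reset once before parse_rules (earlier hunk), so if it is a parse-wide count a per-ruleset empty commit is still judged by the total; confirm that is intended.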
@@ -1011,11 +1016,13 @@ pfctl_rules(int dev, char *filename, int opts)
err(1, "DIOCCOMMITALTQS");
if ((loadopt & (PFCTL_FLAG_FILTER | PFCTL_FLAG_ALL)) != 0) {
pr[PF_RULESET_SCRUB].rule.action = PF_SCRUB;
- if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_SCRUB]))
- err(1, "DIOCCOMMITRULES");
+ if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_SCRUB]) &&
+ (errno != EINVAL || pf.rule_nr))
+ err(1, "DIOCCOMMITRULES SCRUB");
pr[PF_RULESET_FILTER].rule.action = PF_PASS;
- if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_FILTER]))
- err(1, "DIOCCOMMITRULES");
+ if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_FILTER]) &&
+ (errno != EINVAL || pf.rule_nr))
+ err(1, "DIOCCOMMITRULES FILTER");
}
if (loadopt & (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL))
pfctl_commit_table();
@@ -1438,6 +1445,7 @@ main(int argc, char *argv[])
loadopt &= ~PFCTL_FLAG_ALL;
loadopt |= PFCTL_FLAG_FILTER;
loadopt |= PFCTL_FLAG_NAT;
+ loadopt |= PFCTL_FLAG_TABLE;
}
}
@@ -1480,10 +1488,10 @@ main(int argc, char *argv[])
pfctl_clear_altq(dev, opts);
pfctl_clear_states(dev, opts);
pfctl_clear_stats(dev, opts);
- pfctl_clear_tables(opts);
+ pfctl_clear_tables(anchorname, rulesetname, opts);
break;
case 'T':
- pfctl_clear_tables(opts);
+ pfctl_clear_tables(anchorname, rulesetname, opts);
break;
default:
assert(0);
@@ -1494,7 +1502,7 @@ main(int argc, char *argv[])
if (tblcmdopt != NULL) {
error = pfctl_command_tables(argc, argv, tableopt,
- tblcmdopt, rulesopt, opts);
+ tblcmdopt, rulesopt, anchorname, rulesetname, opts);
rulesopt = NULL;
}
@@ -1540,10 +1548,10 @@ main(int argc, char *argv[])
pfctl_show_rules(dev, opts, 1);
pfctl_show_timeouts(dev);
pfctl_show_limits(dev);
- pfctl_show_tables(opts);
+ pfctl_show_tables(anchorname, rulesetname, opts);
break;
case 'T':
- pfctl_show_tables(opts);
+ pfctl_show_tables(anchorname, rulesetname, opts);
break;
default:
assert(0);
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index 873aee6a4c9..5ca83fa05a3 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.17 2003/04/14 14:50:46 henning Exp $ */
+/* $OpenBSD: pfctl.h,v 1.18 2003/04/30 12:30:27 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -55,9 +55,10 @@ int pfr_ina_begin(int *, int *, int);
int pfr_ina_commit(int, int *, int *, int);
int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
int *, int, int);
-int pfctl_clear_tables(int);
-int pfctl_show_tables(int);
-int pfctl_command_tables(int, char *[], char *, const char *, char *, int);
+int pfctl_clear_tables(const char *, const char *, int);
+int pfctl_show_tables(const char *, const char *, int);
+int pfctl_command_tables(int, char *[], char *, const char *, char *,
+ const char *, const char *, int);
int pfctl_show_altq(int, int, int);
#ifndef DEFAULT_PRIORITY
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index b890117af9a..48e8ef74f19 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.58 2003/04/15 11:29:24 henning Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.59 2003/04/30 12:30:27 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -65,6 +65,8 @@ struct pfctl {
struct pfioc_rule *prule[PF_RULESET_MAX];
struct pfioc_altq *paltq;
struct pfioc_queue *pqueue;
+ const char *anchor;
+ const char *ruleset;
};
enum pfctl_iflookup_mode {
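Review bot: The two new `struct pfctl` members have no comment saying what they hold, who owns the storage, or whether they may be NULL; pfctl_table.c copies them with strlcpy and no NULL check, so they must point at valid (possibly empty) strings for the whole parse. Suggest `const char *anchor;   /* -a anchor name, borrowed from caller; never NULL */` and likewise `const char *ruleset;  /* ruleset within anchor; never NULL */`. pfctl_rules sets both from main's anchorname/rulesetname and the struct does not free them, so ownership stays with the caller.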
@@ -151,7 +153,7 @@ void print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
void pfctl_begin_table(void);
void pfctl_append_addr(char *, int, int);
void pfctl_append_file(char *);
-void pfctl_define_table(char *, int, int, int);
+void pfctl_define_table(char *, int, int, int, const char *, const char *);
void pfctl_commit_table(void);
struct icmptypeent {
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 44abcf6a6e3..f3776f79c52 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.40 2003/04/27 16:02:08 cedric Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.41 2003/04/30 12:30:27 cedric Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -55,7 +55,8 @@
#define BUF_SIZE 256
extern void usage(void);
-static int pfctl_table(int, char *[], char *, const char *, char *, int);
+static int pfctl_table(int, char *[], char *, const char *, char *,
+ const char *, const char *, int);
static void grow_buffer(size_t, int);
static void print_table(struct pfr_table *, int, int);
static void print_tstats(struct pfr_tstats *, int);
@@ -105,29 +106,31 @@ static const char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
} while(0)
int
-pfctl_clear_tables(int opts)
+pfctl_clear_tables(const char *anchor, const char *ruleset, int opts)
{
- return pfctl_table(0, NULL, NULL, "-F", NULL, opts);
+ return pfctl_table(0, NULL, NULL, "-F", NULL, anchor, ruleset, opts);
}
int
-pfctl_show_tables(int opts)
+pfctl_show_tables(const char *anchor, const char *ruleset, int opts)
{
- return pfctl_table(0, NULL, NULL, "-s", NULL, opts);
+ return pfctl_table(0, NULL, NULL, "-s", NULL, anchor, ruleset, opts);
}
int
pfctl_command_tables(int argc, char *argv[], char *tname,
- const char *command, char *file, int opts)
+ const char *command, char *file, const char *anchor, const char *ruleset,
+ int opts)
{
if (tname == NULL || command == NULL)
usage();
- return pfctl_table(argc, argv, tname, command, file, opts);
+ return pfctl_table(argc, argv, tname, command, file, anchor, ruleset,
+ opts);
}
int
pfctl_table(int argc, char *argv[], char *tname, const char *command,
- char *file, int opts)
+ char *file, const char *anchor, const char *ruleset, int opts)
{
struct pfr_table table;
int nadd = 0, ndel = 0, nchange = 0, nzero = 0;
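Review bot: pfctl_table now takes eight positional parameters, five of them `char *`/`const char *`, and the order `tname, command, file, anchor, ruleset` gives the compiler no way to catch `anchor` and `ruleset` being transposed at the three forwarding call sites in this hunk. Either name the parameters in the static prototype so call sites can be checked by eye, or group the string arguments into a small struct passed by pointer. The body of pfctl_table continues past the end of this hunk.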
@@ -145,6 +148,11 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name))
errx(1, "pfctl_table: strlcpy");
}
+ if (strlcpy(table.pfrt_anchor, anchor,
+ sizeof(table.pfrt_anchor)) >= sizeof(table.pfrt_anchor) ||
+ strlcpy(table.pfrt_ruleset, ruleset,
+ sizeof(table.pfrt_ruleset)) >= sizeof(table.pfrt_ruleset))
+ errx(1, "pfctl_table: strlcpy");
if (!strcmp(command, "-F")) {
if (argc || file != NULL)
usage();
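Review bot: `strlcpy(table.pfrt_anchor, anchor, ...)` and the `ruleset` copy below it dereference both pointers unconditionally, and the same pattern is added to pfctl_define_table in the last hunk (which runs past the end of this view). Every caller in this commit forwards main's anchorname/rulesetname, presumably fixed-size arrays, so this is safe today, but pfctl_table's other string arguments (`tname`, `file`) are explicitly NULL for the -F/-s wrappers, so a NULL-tolerant contract is what a reader will expect. Either state the contract, `/* anchor and ruleset must be non-NULL; "" selects the main ruleset */`, or normalise before the copy with `if (anchor == NULL) anchor = "";` and the same for `ruleset`.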
@@ -336,13 +344,19 @@ print_table(struct pfr_table *ta, int verbose, int debug)
if (!debug && !(ta->pfrt_flags & PFR_TFLAG_ACTIVE))
return;
if (verbose) {
- printf("%c%c%c%c%c\t%s\n",
+ printf("%c%c%c%c%c%c\t%s",
(ta->pfrt_flags & PFR_TFLAG_CONST) ? 'c' : '-',
(ta->pfrt_flags & PFR_TFLAG_PERSIST) ? 'p' : '-',
(ta->pfrt_flags & PFR_TFLAG_ACTIVE) ? 'a' : '-',
(ta->pfrt_flags & PFR_TFLAG_INACTIVE) ? 'i' : '-',
(ta->pfrt_flags & PFR_TFLAG_REFERENCED) ? 'r' : '-',
+ (ta->pfrt_flags & PFR_TFLAG_REFDANCHOR) ? 'h' : '-',
ta->pfrt_name);
+ if (ta->pfrt_anchor[0])
+ printf("\t%s", ta->pfrt_anchor);
+ if (ta->pfrt_ruleset[0])
+ printf(":%s", ta->pfrt_ruleset);
+ puts("");
} else
puts(ta->pfrt_name);
}
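Review bot: The ruleset suffix `if (ta->pfrt_ruleset[0]) printf(":%s", ...)` is emitted independently of the anchor check just above it, so a table with an empty anchor and a non-empty ruleset would print `name:ruleset` with no tab separator. If pf guarantees a ruleset only exists inside an anchor that case is unreachable, but the printer should not depend on it; nesting the ruleset printf inside the `if (ta->pfrt_anchor[0])` block makes the output shape explicit. Separately, the verbose flags column grows from five to six characters (`h` for PFR_TFLAG_REFDANCHOR), which changes the line format for anything parsing verbose table listings; that deserves a mention in the man page or commit message.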
@@ -357,8 +371,10 @@ print_tstats(struct pfr_tstats *ts, int debug)
return;
print_table(&ts->pfrts_t, 1, debug);
printf("\tAddresses: %d\n", ts->pfrts_cnt);
- printf("\tReferences: %d\n", ts->pfrts_refcnt[PFR_REFCNT_RULE]);
printf("\tCleared: %s", ctime(&time));
+ printf("\tReferences: [ Anchors: %-18d Rules: %-18d ]\n",
+ ts->pfrts_refcnt[PFR_REFCNT_ANCHOR],
+ ts->pfrts_refcnt[PFR_REFCNT_RULE]);
printf("\tEvaluations: [ NoMatch: %-18llu Match: %-18llu ]\n",
ts->pfrts_nomatch, ts->pfrts_match);
for (dir = 0; dir < PFR_DIR_MAX; dir++)
@@ -598,14 +614,19 @@ pfctl_append_file(char *file)
}
void
-pfctl_define_table(char *name, int flags, int addrs, int noaction)
+pfctl_define_table(char *name, int flags, int addrs, int noaction,
+ const char *anchor, const char *ruleset)
{
struct pfr_table tbl;
if (!noaction) {
bzero(&tbl, sizeof(tbl));
- if (strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name)) >=
- sizeof(tbl.pfrt_name))
+ if (strlcpy(tbl.pfrt_name, name,
+ sizeof(tbl.pfrt_name)) >= sizeof(tbl.pfrt_name) ||
+ strlcpy(tbl.pfrt_anchor, anchor,
+ sizeof(tbl.pfrt_anchor)) >= sizeof(tbl.pfrt_anchor) ||
+ strlcpy(tbl.pfrt_ruleset, ruleset,
+ sizeof(tbl.pfrt_ruleset)) >= sizeof(tbl.pfrt_ruleset))
errx(1, "pfctl_define_table: strlcpy");
tbl.pfrt_flags = flags;