diff options
| author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-10-31 07:02:36 +0000 |
|---|---|---|
| committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-10-31 07:02:36 +0000 |
| commit | 00155d94c95911dc2baedcfe0b620e67115781eb (patch) | |
| tree | d7c6ecfc6d70265f2b184b63f7f0db29bf54e2fe /sbin | |
| parent | 449abfd1cae84d644c099f6c5514781657922b58 (diff) | |
- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified
'looks sensible' deraadt@
Diffstat (limited to 'sbin')
| -rw-r--r-- | sbin/pfctl/parse.y | 9 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl.c | 12 |
2 files changed, 18 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 128e87a6fa9..454bd58e80f 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.513 2006/10/28 14:29:05 mcbride Exp $ */ +/* $OpenBSD: parse.y,v 1.514 2006/10/31 07:02:35 mcbride Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -672,6 +672,13 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto YYERROR; } + if ($2 && ($2[0] == '_' || strstr($2, "/_") != NULL)) { + free($2); + yyerror("anchor names beginning with '_' " + "are reserved for internal use"); + YYERROR; + } + memset(&r, 0, sizeof(r)); if (pf->astack[pf->asd + 1]) { if ($2) { diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 20b768965f8..1d8020ef03b 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.248 2006/10/28 14:29:05 mcbride Exp $ */ +/* $OpenBSD: pfctl.c,v 1.249 2006/10/31 07:02:35 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1720,7 +1720,8 @@ pfctl_show_anchors(int dev, int opts, char *anchorname) strlcat(sub, "/", sizeof(sub)); } strlcat(sub, pr.name, sizeof(sub)); - printf(" %s\n", sub); + if (sub[0] != '_' || opts & PF_OPT_VERBOSE) + printf(" %s\n", sub); if (opts & PF_OPT_VERBOSE && pfctl_show_anchors(dev, opts, sub)) return (-1); } @@ -1987,6 +1988,10 @@ main(int argc, char *argv[]) } if (clearopt != NULL) { + if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL) + errx(1, "anchor names beginning with '_' cannot " + "be modified from the command line"); + switch (*clearopt) { case 'r': pfctl_clear_rules(dev, opts, anchorname); @@ -2055,6 +2060,9 @@ main(int argc, char *argv[]) error = 1; if (rulesopt != NULL) { + if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL) + errx(1, "anchor names beginning with '_' cannot " + "be modified from the command line"); if (pfctl_rules(dev, rulesopt, fin, opts, anchorname, NULL)) error = 1; else if (!(opts & PF_OPT_NOACTION) && |