authorKjell Wooding <kjell@cvs.openbsd.org>2002-06-11 06:12:16 +0000
committerKjell Wooding <kjell@cvs.openbsd.org>2002-06-11 06:12:16 +0000
commitea445c9a491356bc5908d76271fddc05137a4a3c (patch)
tree051752eba025afa8a8bc83bf91cc2ff0045d71b4 /sbin
parent7fded9be06016564a5a5737c435216ba5d1acd5b (diff)
Add -N and -R options. When used in conjunction with
pfctl -f <rulefile> they allow just the nat or filter rules to be reloaded, respectively. The default (no flags) is to load everything. If -N is specified, any existing filter rules are retained, similarly for -R. ok deraadt@, dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/pfctl.c103
-rw-r--r--sbin/pfctl/pfctl_parser.h6
2 files changed, 68 insertions, 41 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index f243313002d..8011c51772e 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.75 2002/06/11 02:26:10 henning Exp $ */
+/* $OpenBSD: pfctl.c,v 1.76 2002/06/11 06:12:15 kjell Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -87,6 +87,7 @@ char *limitopt;
char *debugopt;
int state_killers;
char *state_kill[2];
+int loadopt = PFCTL_FLAG_ALL;
char *infile;
@@ -500,52 +501,60 @@ pfctl_show_status(int dev)
int
pfctl_add_rule(struct pfctl *pf, struct pf_rule *r)
{
- memcpy(&pf->prule->rule, r, sizeof(pf->prule->rule));
- if ((pf->opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(pf->dev, DIOCADDRULE, pf->prule))
- err(1, "DIOCADDRULE");
+ if ((loadopt & (PFCTL_FLAG_FILTER | PFCTL_FLAG_ALL)) != 0) {
+ memcpy(&pf->prule->rule, r, sizeof(pf->prule->rule));
+ if ((pf->opts & PF_OPT_NOACTION) == 0) {
+ if (ioctl(pf->dev, DIOCADDRULE, pf->prule))
+ err(1, "DIOCADDRULE");
+ }
+ if (pf->opts & PF_OPT_VERBOSE)
+ print_rule(&pf->prule->rule);
}
- if (pf->opts & PF_OPT_VERBOSE)
- print_rule(&pf->prule->rule);
return (0);
}
int
pfctl_add_nat(struct pfctl *pf, struct pf_nat *n)
{
- memcpy(&pf->pnat->nat, n, sizeof(pf->pnat->nat));
- if ((pf->opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(pf->dev, DIOCADDNAT, pf->pnat))
- err(1, "DIOCADDNAT");
+ if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
+ memcpy(&pf->pnat->nat, n, sizeof(pf->pnat->nat));
+ if ((pf->opts & PF_OPT_NOACTION) == 0) {
+ if (ioctl(pf->dev, DIOCADDNAT, pf->pnat))
+ err(1, "DIOCADDNAT");
+ }
+ if (pf->opts & PF_OPT_VERBOSE)
+ print_nat(&pf->pnat->nat);
}
- if (pf->opts & PF_OPT_VERBOSE)
- print_nat(&pf->pnat->nat);
return (0);
}
int
pfctl_add_binat(struct pfctl *pf, struct pf_binat *b)
{
- memcpy(&pf->pbinat->binat, b, sizeof(pf->pbinat->binat));
- if ((pf->opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(pf->dev, DIOCADDBINAT, pf->pbinat))
- err(1, "DIOCADDBINAT");
+ if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
+ memcpy(&pf->pbinat->binat, b, sizeof(pf->pbinat->binat));
+ if ((pf->opts & PF_OPT_NOACTION) == 0) {
+ if (ioctl(pf->dev, DIOCADDBINAT, pf->pbinat))
+ err(1, "DIOCADDBINAT");
+ }
+ if (pf->opts & PF_OPT_VERBOSE)
+ print_binat(&pf->pbinat->binat);
}
- if (pf->opts & PF_OPT_VERBOSE)
- print_binat(&pf->pbinat->binat);
return (0);
}
int
pfctl_add_rdr(struct pfctl *pf, struct pf_rdr *r)
{
- memcpy(&pf->prdr->rdr, r, sizeof(pf->prdr->rdr));
- if ((pf->opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(pf->dev, DIOCADDRDR, pf->prdr))
- err(1, "DIOCADDRDR");
+ if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
+ memcpy(&pf->prdr->rdr, r, sizeof(pf->prdr->rdr));
+ if ((pf->opts & PF_OPT_NOACTION) == 0) {
+ if (ioctl(pf->dev, DIOCADDRDR, pf->prdr))
+ err(1, "DIOCADDRDR");
+ }
+ if (pf->opts & PF_OPT_VERBOSE)
+ print_rdr(&pf->prdr->rdr);
}
- if (pf->opts & PF_OPT_VERBOSE)
- print_rdr(&pf->prdr->rdr);
return (0);
}
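Review bot: Rules the new `loadopt` test rejects are dropped silently in all four callbacks, so a file loaded with -N still has its filter rules parsed by parse_rules() but nothing tells the operator they were skipped, not even under PF_OPT_VERBOSE, since print_rule() now sits inside the guarded block. The commit message says this is intended, so a comment at the top of pfctl_add_rule such as `/* -N (PFCTL_FLAG_FILTER clear): filter rules are parsed for syntax but neither loaded nor printed */` would keep the next reader from treating it as a bug; the same applies to pfctl_add_nat, pfctl_add_binat and pfctl_add_rdr. As a point of style, these callbacks otherwise take all their state through `pf`, and reading the file-scope `loadopt` instead of a field in struct pfctl makes the behaviour harder to follow from the call site.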
@@ -571,13 +580,16 @@ pfctl_rules(int dev, char *filename, int opts)
return (1);
}
if ((opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(dev, DIOCBEGINNATS, &pn.ticket))
- err(1, "DIOCBEGINNATS");
- if (ioctl(dev, DIOCBEGINRDRS, &pr.ticket))
- err(1, "DIOCBEGINRDRS");
- if (ioctl(dev, DIOCBEGINBINATS, &pb.ticket))
- err(1, "DIOCBEGINBINATS");
- if (ioctl(dev, DIOCBEGINRULES, &pl.ticket))
+ if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
+ if (ioctl(dev, DIOCBEGINNATS, &pn.ticket))
+ err(1, "DIOCBEGINNATS");
+ if (ioctl(dev, DIOCBEGINRDRS, &pr.ticket))
+ err(1, "DIOCBEGINRDRS");
+ if (ioctl(dev, DIOCBEGINBINATS, &pb.ticket))
+ err(1, "DIOCBEGINBINATS");
+ }
+ if (((loadopt & (PFCTL_FLAG_FILTER | PFCTL_FLAG_ALL)) != 0) &&
+ ioctl(dev, DIOCBEGINRULES, &pl.ticket))
err(1, "DIOCBEGINRULES");
}
/* fill in callback data */
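Review bot: When PFCTL_FLAG_FILTER is clear, DIOCBEGINRULES is never issued and `pl.ticket` stays uninitialized, yet the callback data filled in just below this hunk presumably still hands `&pl` to the parser; that is safe only because pfctl_add_rule checks `loadopt` before touching `pf->prule`, and the dependency is worth stating next to the `DIOCBEGINRULES` test, e.g. `/* no filter ticket when filter rules are not loaded; pfctl_add_rule must skip them */`. The filter branch is also written as `flag && ioctl(...)` folded into one condition while the nat/rdr/binat branch uses a nested block; writing both the same way would make the hunk easier to read. The same shape appears in the DIOCCOMMIT* hunk further down, and pfctl_rules starts and ends outside this hunk.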
@@ -591,13 +603,16 @@ pfctl_rules(int dev, char *filename, int opts)
if (parse_rules(fin, &pf) < 0)
errx(1, "Syntax error in file: pf rules not loaded");
if ((opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(dev, DIOCCOMMITNATS, &pn.ticket))
- err(1, "DIOCCOMMITNATS");
- if (ioctl(dev, DIOCCOMMITRDRS, &pr.ticket))
- err(1, "DIOCCOMMITRDRS");
- if (ioctl(dev, DIOCCOMMITBINATS, &pb.ticket))
- err(1, "DIOCCOMMITBINATS");
- if (ioctl(dev, DIOCCOMMITRULES, &pl.ticket))
+ if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
+ if (ioctl(dev, DIOCCOMMITNATS, &pn.ticket))
+ err(1, "DIOCCOMMITNATS");
+ if (ioctl(dev, DIOCCOMMITRDRS, &pr.ticket))
+ err(1, "DIOCCOMMITRDRS");
+ if (ioctl(dev, DIOCCOMMITBINATS, &pb.ticket))
+ err(1, "DIOCCOMMITBINATS");
+ }
+ if (((loadopt & (PFCTL_FLAG_FILTER | PFCTL_FLAG_ALL)) != 0) &&
+ ioctl(dev, DIOCCOMMITRULES, &pl.ticket))
err(1, "DIOCCOMMITRULES");
#if 0
if ((opts & PF_OPT_QUIET) == 0) {
@@ -872,7 +887,7 @@ main(int argc, char *argv[])
if (argc < 2)
usage();
- while ((ch = getopt(argc, argv, "deqf:F:hk:l:m:nO:rs:t:vx:z")) != -1) {
+ while ((ch = getopt(argc, argv, "deqf:F:hk:l:m:nNO:rRs:St:vx:z")) != -1) {
switch (ch) {
case 'd':
opts |= PF_OPT_DISABLE;
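Review bot: The new option string adds `S` (between `s:` and `t:`) but no `case 'S':` is added anywhere in this commit; the diffstat's 68 insertions are fully accounted for by the visible hunks. Unless a handler already exists in the unchanged part of main, `-S` is now accepted by getopt and lands in the switch's default case instead of being reported as an unknown option. Either drop the `S` from the string or add the handler; the commit message describes only -N and -R. The body of main continues outside the hunk.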
@@ -910,6 +925,10 @@ main(int argc, char *argv[])
case 'n':
opts |= PF_OPT_NOACTION;
break;
+ case 'N':
+ loadopt &= ~PFCTL_FLAG_ALL;
+ loadopt |= PFCTL_FLAG_NAT;
+ break;
case 'O':
hintopt = optarg;
mode = O_RDWR;
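Review bot: -N and -R modify `loadopt` globally but only take effect during `-f` processing, and the diffstat lists only pfctl.c and pfctl_parser.h, so the usage() text and the manual page are presumably not updated in this commit; both should document the new flags and that giving -N and -R together reloads everything, since each clears PFCTL_FLAG_ALL and ORs its own bit in, so the union of the two survives. A short comment on the `case 'N':`, such as `/* -N / -R: load only the named section of the -f file; both together load everything */`, would make that composition explicit; the same applies to the `case 'R':` hunk below.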
@@ -921,6 +940,10 @@ main(int argc, char *argv[])
rulesopt = optarg;
mode = O_RDWR;
break;
+ case 'R':
+ loadopt &= ~PFCTL_FLAG_ALL;
+ loadopt |= PFCTL_FLAG_FILTER;
+ break;
case 's':
showopt = optarg;
break;
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index a47c1c8656d..a0aa02c7105 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.23 2002/06/11 03:12:03 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.24 2002/06/11 06:12:15 kjell Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -100,6 +100,10 @@ struct pf_timeout {
int timeout;
};
+#define PFCTL_FLAG_ALL 0x01
+#define PFCTL_FLAG_FILTER 0x02
+#define PFCTL_FLAG_NAT 0x04
+
extern const struct pf_timeout pf_timeouts[];
#endif /* _PFCTL_PARSER_H_ */
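Review bot: PFCTL_FLAG_ALL is a separate bit rather than the union of the other two, which forces every consumer in pfctl.c to test `(loadopt & (PFCTL_FLAG_X | PFCTL_FLAG_ALL)) != 0` and makes it easy to forget the ALL half in a future call site. Defining it as `#define PFCTL_FLAG_ALL (PFCTL_FLAG_FILTER | PFCTL_FLAG_NAT)` would let each call site test a single bit while leaving the -N/-R handling in main unchanged, since clearing ALL and ORing one bit back in still yields the right value. The new defines also carry no comment; `/* loadopt bits: which sections of a rule file pfctl -f loads */` above them would say what they control.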