-rw-r--r-- | regress/sbin/pfctl/Makefile | 29 | ||||
-rw-r--r-- | sbin/pfctl/parse.y | 25 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.8 | 9 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 9 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.h | 4 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 17 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 7 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_radix.c | 6 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_table.c | 18 |
9 files changed, 81 insertions, 43 deletions
diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile index ff9c38e28a8..d42bb446e68 100644 --- a/regress/sbin/pfctl/Makefile +++ b/regress/sbin/pfctl/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.226 2017/07/19 13:02:46 mikeb Exp $ +# $OpenBSD: Makefile,v 1.227 2017/08/11 22:30:38 benno Exp $ # TARGETS # pf: feed pfNN.in through pfctl and check whether the output matches pfNN.ok @@ -29,6 +29,7 @@ PFOPT=1 2 6 PFIF2IP=1 2 3 PFCHKSUM=1 2 3 PFCMD=1 +PFCMDFAIL=1 MAKEOBJDIRPREFIX= @@ -252,6 +253,32 @@ REGRESS_TARGETS+=pfcmd REGRESS_ROOT_TARGETS+=pfcmd UPDATE_TARGETS+=pfcmd-update +.for n in ${PFCMDFAIL} +PFCMDFAIL_TARGETS+=pfcmdfail${n} +PFCMDFAIL_UPDATES+=pfcmdfail${n}-update + +pfcmdfail${n}: + ${SUDO} pfctl `cat ${.CURDIR}/pfcmdfail${n}.opts` \ + -f - < ${.CURDIR}/pfcmdfail${n}.in 2>&1 | \ + diff -u ${.CURDIR}/pfcmdfail${n}.ok /dev/stdin + +pfcmdfail${n}-update: + if ${SUDO} pfctl `cat ${.CURDIR}/pfcmdfail${n}.opts` \ + -f - < ${.CURDIR}/pfcmdfail${n}.in > \ + ${.CURDIR}/pfcmdfail${n}.ok 2>&1; then \ + true; \ + fi; + +.endfor + +pfcmdfail: ${PFCMDFAIL_TARGETS} +pfcmdfail-update: ${PFCMDFAIL_UPDATES} +NODEFAULT_TARGETS+=pfcmdfail +REGRESS_TARGETS+=pfcmdfail + +REGRESS_ROOT_TARGETS+=pfcmd +UPDATE_TARGETS+=pfcmd-update + .for n in ${PFSETUP} PFSETUP_TARGETS+=pfsetup${n} PFSETUP_UPDATES+=pfsetup${n}-update diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 5ae134e04a2..694e3d729b0 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.662 2017/07/19 12:58:31 mikeb Exp $ */ +/* $OpenBSD: parse.y,v 1.663 2017/08/11 22:30:38 benno Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. 
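Review bot: The two lines added after `.endfor` in the `@@ -252,6 +253,32 @@` hunk, `REGRESS_ROOT_TARGETS+=pfcmd` and `UPDATE_TARGETS+=pfcmd-update`, duplicate the context lines that immediately precede the new block, so the new pfcmdfail target is registered in REGRESS_TARGETS and NODEFAULT_TARGETS but never in REGRESS_ROOT_TARGETS or UPDATE_TARGETS, even though each pfcmdfail${n} target runs `${SUDO} pfctl` and has a matching `-update` rule. This reads as a copy-paste slip from the pfcmd block; the intended lines are presumably `REGRESS_ROOT_TARGETS+=pfcmdfail` and `UPDATE_TARGETS+=pfcmdfail-update`. Without the root registration the harness may try to run the failure cases without the privilege it expects.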
@@ -342,7 +342,7 @@ int disallow_table(struct node_host *, const char *); int disallow_urpf_failed(struct node_host *, const char *); int disallow_alias(struct node_host *, const char *); int rule_consistent(struct pf_rule *, int); -int process_tabledef(char *, struct table_opts *); +int process_tabledef(char *, struct table_opts *, int); void expand_label_str(char *, size_t, const char *, const char *); void expand_label_if(const char *, char *, size_t, const char *); void expand_label_addr(const char *, char *, size_t, u_int8_t, @@ -1176,7 +1176,7 @@ tabledef : TABLE '<' STRING '>' table_opts { free($3); YYERROR; } - if (process_tabledef($3, &$5)) { + if (process_tabledef($3, &$5, pf->opts)) { free($3); YYERROR; } @@ -2035,7 +2035,7 @@ filter_opt : USER uids { filter_opts.rtableid = $2; } | DIVERTTO STRING PORT portplain { - if ((filter_opts.divert.addr = host($2)) == NULL) { + if ((filter_opts.divert.addr = host($2, pf->opts)) == NULL) { yyerror("could not parse divert address: %s", $2); free($2); @@ -2670,7 +2670,7 @@ optweight : WEIGHT NUMBER { ; host : STRING { - if (($$ = host($1)) == NULL) { + if (($$ = host($1, pf->opts)) == NULL) { /* error. "any" is handled elsewhere */ free($1); yyerror("could not parse host specification"); @@ -2682,7 +2682,8 @@ host : STRING { | STRING '-' STRING { struct node_host *b, *e; - if ((b = host($1)) == NULL || (e = host($3)) == NULL) { + if ((b = host($1, pf->opts)) == NULL || + (e = host($3, pf->opts)) == NULL) { free($1); free($3); yyerror("could not parse host specification"); @@ -2718,7 +2719,7 @@ host : STRING { if (asprintf(&buf, "%s/%lld", $1, $3) == -1) err(1, "host: asprintf"); free($1); - if (($$ = host(buf)) == NULL) { + if (($$ = host(buf, pf->opts)) == NULL) { /* error. "any" is handled elsewhere */ free(buf); yyerror("could not parse host specification"); 
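Review bot: In the `STRING '-' STRING` alternative of the `host` rule, the rewritten condition `if ((b = host($1, pf->opts)) == NULL || (e = host($3, pf->opts)) == NULL)` still drops the list returned for `$1` when only the `$3` lookup fails: the visible error path frees `$1` and `$3` but never releases `b`. This predates the commit, but since the line is being rewritten it is a cheap moment to split the two lookups so a failed second lookup also releases `b` with whatever node_host release helper the file uses. The rule's error handling continues past the hunk, so I may be missing a later release.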
@@ -2732,7 +2733,7 @@ host : STRING { /* ie. for 10/8 parsing */ if (asprintf(&buf, "%lld/%lld", $1, $3) == -1) err(1, "host: asprintf"); - if (($$ = host(buf)) == NULL) { + if (($$ = host(buf, pf->opts)) == NULL) { /* error. "any" is handled elsewhere */ free(buf); yyerror("could not parse host specification"); @@ -3722,7 +3723,7 @@ pool_opt : BITMASK { route_host : STRING { /* try to find @if0 address specs */ if (strrchr($1, '@') != NULL) { - if (($$ = host($1)) == NULL) { + if (($$ = host($1, pf->opts)) == NULL) { yyerror("invalid host for route spec"); YYERROR; } @@ -3744,7 +3745,7 @@ route_host : STRING { if (asprintf(&buf, "%s/%s", $1, $3) == -1) err(1, "host: asprintf"); free($1); - if (($$ = host(buf)) == NULL) { + if (($$ = host(buf, pf->opts)) == NULL) { /* error. "any" is handled elsewhere */ free(buf); yyerror("could not parse host specification"); @@ -4080,7 +4081,7 @@ rule_consistent(struct pf_rule *r, int anchor_call) } int -process_tabledef(char *name, struct table_opts *opts) +process_tabledef(char *name, struct table_opts *opts, int popts) { struct pfr_buffer ab; struct node_tinit *ti; @@ -4089,7 +4090,7 @@ process_tabledef(char *name, struct table_opts *opts) ab.pfrb_type = PFRB_ADDRS; SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) { if (ti->file) - if (pfr_buf_load(&ab, ti->file, 0)) { + if (pfr_buf_load(&ab, ti->file, 0, popts)) { if (errno) yyerror("cannot load \"%s\": %s", ti->file, strerror(errno)); diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index bd9afd75eaa..11dd379a445 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.170 2017/07/20 07:45:10 jmc Exp $ +.\" $OpenBSD: pfctl.8,v 1.171 2017/08/11 22:30:38 benno Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" 
@@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 20 2017 $ +.Dd $Mdocdate: August 11 2017 $ .Dt PFCTL 8 .Os .Sh NAME @@ -33,7 +33,7 @@ .Sh SYNOPSIS .Nm pfctl .Bk -words -.Op Fl deghnPqrvz +.Op Fl deghNnPqrvz .Op Fl a Ar anchor .Op Fl D Ar macro Ns = Ns Ar value .Op Fl F Ar modifier @@ -282,6 +282,9 @@ firewall with hostid 00000002 use: .It Fl L Ar statefile Load pf states from the file specified by .Ar statefile . +.It Fl N +Do not perform domain name resolution. +If a name cannot be resolved without DNS, an error will be reported. .It Fl n Do not actually load rules, just parse them. .It Fl o Ar level diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 281cd939c6e..699f5dc83d3 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.347 2017/07/19 12:58:31 mikeb Exp $ */ +/* $OpenBSD: pfctl.c,v 1.348 2017/08/11 22:30:38 benno Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -237,7 +237,7 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s [-deghnPqrvz] ", __progname); + fprintf(stderr, "usage: %s [-deghNnPqrvz] ", __progname); fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]"); fprintf(stderr, " [-f file]\n"); fprintf(stderr, "\t[-i interface] [-K key] [-k key] [-L statefile]"); @@ -2238,7 +2238,7 @@ main(int argc, char *argv[]) usage(); while ((ch = getopt(argc, argv, - "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vV:x:z")) != -1) { + "a:dD:eqf:F:ghi:k:K:L:Nno:Pp:R:rS:s:t:T:vV:x:z")) != -1) { switch (ch) { case 'a': anchoropt = optarg; @@ -2288,6 +2288,9 @@ main(int argc, char *argv[]) src_node_kill[src_node_killers++] = optarg; mode = O_RDWR; break; + case 'N': + opts |= PF_OPT_NODNS; + break; case 'n': opts |= PF_OPT_NOACTION; break; diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h index 4a276998eb7..024c81520e1 100644 --- a/sbin/pfctl/pfctl.h 
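Review bot: The new `case 'N'` sets PF_OPT_NODNS, but nothing in main() rejects or documents combining it with `-r` (PF_OPT_USEDNS), which the pfctl_table.c hunks in this same commit still forward to the address printing calls; as far as the visible lines show, -N only affects forward resolution in host_dns(), so `pfctl -N -r` would still perform reverse lookups while the pfctl.8 text added here says "Do not perform domain name resolution". Either make the two mutually exclusive after option parsing, e.g. `if ((opts & PF_OPT_NODNS) && (opts & PF_OPT_USEDNS)) errx(1, "-N and -r are mutually exclusive");` using the file's existing err(3) helpers, or narrow the manual wording to resolution of names while parsing addresses. main() extends well beyond the hunk, so a check may already exist elsewhere.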
+++ b/sbin/pfctl/pfctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.h,v 1.54 2017/07/15 16:01:14 awolk Exp $ */ +/* $OpenBSD: pfctl.h,v 1.55 2017/08/11 22:30:38 benno Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -69,7 +69,7 @@ void pfr_buf_clear(struct pfr_buffer *); int pfr_buf_add(struct pfr_buffer *, const void *); void *pfr_buf_next(struct pfr_buffer *, const void *); int pfr_buf_grow(struct pfr_buffer *, int); -int pfr_buf_load(struct pfr_buffer *, char *, int); +int pfr_buf_load(struct pfr_buffer *, char *, int, int); char *pfr_strerror(int); int pfi_get_ifaces(const char *, struct pfi_kif *, int *); int pfi_clr_istats(const char *, int *, int); diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 6844c29c9fe..bb1fab6d103 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.314 2017/08/03 17:36:06 florian Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.315 2017/08/11 22:30:38 benno Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -76,7 +76,7 @@ struct node_host *ifa_grouplookup(const char *, int); struct node_host *host_if(const char *, int); struct node_host *host_v4(const char *, int); struct node_host *host_v6(const char *, int); -struct node_host *host_dns(const char *, int, int); +struct node_host *host_dns(const char *, int, int, int); const char *tcpflags = "FSRPAUEW"; @@ -1609,7 +1609,7 @@ ifa_skip_if(const char *filter, struct node_host *p) } struct node_host * -host(const char *s) +host(const char *s, int opts) { struct node_host *h = NULL, *n; int mask = -1, v4mask = 32, v6mask = 128, cont = 1; @@ -1653,7 +1653,8 @@ host(const char *s) cont = 0; /* dns lookup */ - if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL) + if (cont && (h = host_dns(ps, v4mask, v6mask, + (opts & PF_OPT_NODNS))) != NULL) cont = 0; if (if_name && if_name[0]) 
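Review bot: `host()` gains an `int opts` parameter in the `@@ -1609,7 +1609,7 @@` hunk but carries no comment saying which PF_OPT_* bits it honours; in the visible lines only `opts & PF_OPT_NODNS` is consulted, while callers (append_addr and the parser) now pass the whole opts word. A one-line comment above the definition such as `/* opts: caller's PF_OPT_* flags; only PF_OPT_NODNS is consulted here, to forbid DNS lookups */` would make that contract explicit, and the same note belongs on host_dns()'s new `numeric` parameter, which receives the masked bit rather than a boolean. The rest of host() is outside the hunk, so other flag uses could exist there.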
@@ -1779,7 +1780,7 @@ host_v6(const char *s, int mask) } struct node_host * -host_dns(const char *s, int v4mask, int v6mask) +host_dns(const char *s, int v4mask, int v6mask, int numeric) { struct addrinfo hints, *res0, *res; struct node_host *n, *h = NULL; @@ -1796,6 +1797,8 @@ host_dns(const char *s, int v4mask, int v6mask) memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; /* DUMMY */ + if (numeric) + hints.ai_flags = AI_NUMERICHOST; error = getaddrinfo(ps, NULL, &hints, &res0); if (error) { free(ps); @@ -1859,7 +1862,7 @@ host_dns(const char *s, int v4mask, int v6mask) * if set to 1, only simple addresses are accepted (no netblock, no "!"). */ int -append_addr(struct pfr_buffer *b, char *s, int test) +append_addr(struct pfr_buffer *b, char *s, int test, int opts) { static int previous = 0; static int expect = 0; @@ -1899,7 +1902,7 @@ append_addr(struct pfr_buffer *b, char *s, int test) for (r = s; *r == '!'; r++) not = !not; - if ((n = host(r)) == NULL) { + if ((n = host(r, opts)) == NULL) { errno = 0; return (-1); } diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index 89d9fc4d2d4..7dacc34de1c 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.h,v 1.105 2016/07/18 19:11:18 henning Exp $ */ +/* $OpenBSD: pfctl_parser.h,v 1.106 2017/08/11 22:30:38 benno Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -48,6 +48,7 @@ #define PF_OPT_DEBUG 0x0200 #define PF_OPT_SHOWALL 0x0400 #define PF_OPT_OPTIMIZE 0x0800 +#define PF_OPT_NODNS 0x1000 #define PF_OPT_RECURSE 0x4000 #define PF_OPT_PORTNAMES 0x8000 
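Review bot: The header comment above `append_addr()` (visible context: "if set to 1, only simple addresses are accepted (no netblock, no "!")") documents `test` but says nothing about the new `opts` parameter added in the `@@ -1859,7 +1862,7 @@` hunk. Adding a line like ` * opts: caller's PF_OPT_* flags, passed through to host(); PF_OPT_NODNS makes name lookups fail instead of querying DNS.` to that block keeps the contract readable for the load_addr() and pfr_buf_load() callers that now thread opts through. append_addr's body continues past the hunk.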
@@ -280,9 +281,9 @@ unsigned int ifa_nametoindex(const char *); char *ifa_indextoname(unsigned int, char *); struct node_host *ifa_exists(const char *); struct node_host *ifa_lookup(const char *, int); -struct node_host *host(const char *); +struct node_host *host(const char *, int); -int append_addr(struct pfr_buffer *, char *, int); +int append_addr(struct pfr_buffer *, char *, int, int); int append_addr_host(struct pfr_buffer *, struct node_host *, int, int); diff --git a/sbin/pfctl/pfctl_radix.c b/sbin/pfctl/pfctl_radix.c index a43c469e40f..632e3939121 100644 --- a/sbin/pfctl/pfctl_radix.c +++ b/sbin/pfctl/pfctl_radix.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_radix.c,v 1.33 2015/12/10 17:27:00 mmcc Exp $ */ +/* $OpenBSD: pfctl_radix.c,v 1.34 2017/08/11 22:30:38 benno Exp $ */ /* * Copyright (c) 2002 Cedric Berger @@ -496,7 +496,7 @@ pfr_buf_clear(struct pfr_buffer *b) } int -pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork) +pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork, int opts) { FILE *fp; char buf[BUF_SIZE]; @@ -513,7 +513,7 @@ pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork) return (-1); } while ((rv = pfr_next_token(buf, fp)) == 1) - if ((ev = append_addr(b, buf, nonetwork)) == -1) { + if ((ev = append_addr(b, buf, nonetwork, opts)) == -1) { rv = -1; break; } diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c index 0e2f81d888e..ef7ac5b944e 100644 --- a/sbin/pfctl/pfctl_table.c +++ b/sbin/pfctl/pfctl_table.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_table.c,v 1.76 2017/07/15 16:01:14 awolk Exp $ */ +/* $OpenBSD: pfctl_table.c,v 1.77 2017/08/11 22:30:38 benno Exp $ */ /* * Copyright (c) 2002 Cedric Berger 
@@ -58,7 +58,7 @@ static int pfctl_table(int, char *[], char *, const char *, char *, const char *, int); static void print_table(struct pfr_table *, int, int); static void print_tstats(struct pfr_tstats *, int); -static int load_addr(struct pfr_buffer *, int, char *[], char *, int); +static int load_addr(struct pfr_buffer *, int, char *[], char *, int, int); static void print_addrx(struct pfr_addr *, struct pfr_addr *, int); static void print_astats(struct pfr_astats *, int); static void radix_perror(void); @@ -199,7 +199,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command, xprintf(opts, "%d addresses deleted", ndel); } else if (!strcmp(command, "add")) { b.pfrb_type = PFRB_ADDRS; - if (load_addr(&b, argc, argv, file, 0)) + if (load_addr(&b, argc, argv, file, 0, opts)) goto _error; CREATE_TABLE; if (opts & PF_OPT_VERBOSE) @@ -214,7 +214,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command, opts & PF_OPT_USEDNS); } else if (!strcmp(command, "delete")) { b.pfrb_type = PFRB_ADDRS; - if (load_addr(&b, argc, argv, file, 0)) + if (load_addr(&b, argc, argv, file, 0, opts)) goto _error; if (opts & PF_OPT_VERBOSE) flags |= PFR_FLAG_FEEDBACK; @@ -228,7 +228,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command, opts & PF_OPT_USEDNS); } else if (!strcmp(command, "replace")) { b.pfrb_type = PFRB_ADDRS; - if (load_addr(&b, argc, argv, file, 0)) + if (load_addr(&b, argc, argv, file, 0, opts)) goto _error; CREATE_TABLE; if (opts & PF_OPT_VERBOSE) @@ -321,7 +321,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command, b.pfrb_type = PFRB_ADDRS; b2.pfrb_type = PFRB_ADDRS; - if (load_addr(&b, argc, argv, file, 1)) + if (load_addr(&b, argc, argv, file, 1, opts)) goto _error; if (opts & PF_OPT_VERBOSE2) { flags |= PFR_FLAG_REPLACE; 
@@ -413,11 +413,11 @@ print_tstats(struct pfr_tstats *ts, int debug) int load_addr(struct pfr_buffer *b, int argc, char *argv[], char *file, - int nonetwork) + int nonetwork, int opts) { int ev = 0; while (argc--) - if ((ev = append_addr(b, *argv++, nonetwork)) == -1) { + if ((ev = append_addr(b, *argv++, nonetwork, opts)) == -1) { if (errno) warn("cannot decode %s", argv[-1]); return (-1); @@ -426,7 +426,7 @@ load_addr(struct pfr_buffer *b, int argc, char *argv[], char *file, warnx("failed to decode %s", argv[-1]); return (-1); } - if (pfr_buf_load(b, file, nonetwork)) { + if (pfr_buf_load(b, file, nonetwork, opts)) { warn("cannot load %s", file); return (-1); } |