-rw-r--r--sbin/pfctl/parse.y40
-rw-r--r--sbin/pfctl/pfctl.c6
-rw-r--r--sbin/pfctl/pfctl.h7
-rw-r--r--sbin/pfctl/pfctl_parser.c70
-rw-r--r--sbin/pfctl/pfctl_parser.h11
-rw-r--r--sbin/pfctl/pfctl_radix.c33
-rw-r--r--sbin/pfctl/pfctl_table.c351
-rw-r--r--usr.sbin/authpf/authpf.c19
8 files changed, 266 insertions, 271 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index dd22ff8bcfd..224a0e3339e 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.393 2003/06/19 22:08:35 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.394 2003/07/03 09:13:05 cedric Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -855,10 +855,14 @@ tabledef : TABLE '<' STRING '>' table_opts {
PF_TABLE_NAME_SIZE - 1);
YYERROR;
}
- pfctl_define_table($3, $5.flags, $5.init_addr,
+ if (pfctl_define_table($3, $5.flags, $5.init_addr,
(pf->opts & PF_OPT_NOACTION) || !(pf->loadopt &
(PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL)),
- pf->anchor, pf->ruleset);
+ pf->anchor, pf->ruleset, pf->ab)) {
+ yyerror("cannot define table %s: %s", $3,
+ pfr_strerror(errno));
+ YYERROR;
+ }
}
;
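Review bot: The new failure path prints `pfr_strerror(errno)` unconditionally, which only gives a sensible message if every implementation of pfctl_define_table() leaves errno set when it fails. The pfctl version does so through the ioctl inside pfr_ina_define(), but the authpf stub changed in this same commit returns 1 without touching errno, so that build would report whatever errno last held. The other new actions in this file guard their message with `if (errno)`; doing the same here, `if (errno) yyerror("cannot define table %s: %s", $3, pfr_strerror(errno));`, keeps the three rules consistent, or else state the callee contract at the call with `/* pfctl_define_table() sets errno on failure */`.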
@@ -889,7 +893,12 @@ table_opt : STRING
}
| '{' tableaddrs '}' { table_opts.init_addr = 1; }
| FILENAME STRING {
- pfctl_append_file($2);
+ if(pfr_buf_load(pf->ab, $2, 0, append_addr)) {
+ if (errno)
+ yyerror("cannot load %s: %s", $2,
+ pfr_strerror(errno));
+ YYERROR;
+ }
table_opts.init_addr = 1;
}
;
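Review bot: `if(pfr_buf_load(` is missing the space after `if` that every other conditional in this file uses (KNF); write `if (pfr_buf_load(pf->ab, $2, 0, append_addr)) {`. The silent YYERROR taken when errno is 0 presumably relies on host() having already printed a diagnostic for the bad token, which is not obvious at this call site; a comment such as `/* errno == 0: bad address already reported by host() */` would record that.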
@@ -898,10 +907,29 @@ tableaddrs : /* empty */
| tableaddrs tableaddr comma
tableaddr : not STRING {
- pfctl_append_addr($2, -1, $1);
+ if (append_addr_not(pf->ab, $2, 0, $1)) {
+ if (errno)
+ yyerror("cannot add %s: %s", $2,
+ pfr_strerror(errno));
+ YYERROR;
+ }
}
| not STRING '/' number {
- pfctl_append_addr($2, $4, $1);
+ char *buf = NULL;
+
+ if (asprintf(&buf, "%s/%d", $2, $4) < 0) {
+ if (errno)
+ yyerror("cannot add %s/%d: %s", $2, $4,
+ strerror(errno));
+ YYERROR;
+ } else if (append_addr_not(pf->ab, buf, 0, $1)) {
+ if (errno)
+ yyerror("cannot add %s: %s", buf,
+ pfr_strerror(errno));
+ free(buf);
+ YYERROR;
+ }
+ free(buf);
}
;
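Review bot: `$4` is formatted with `%d` when building the "addr/prefix" string; if `number` carries an unsigned type in this grammar's %union (not visible here), `%u` is the matching conversion and avoids a large value being rendered as a negative prefix before append_addr_not() gets to reject it. On the asprintf() failure branch the `free(buf)` that the other branch performs is skipped, which is correct only because OpenBSD's asprintf() documents setting the pointer to NULL on failure; a one-line comment, `/* asprintf() left buf NULL on failure */`, would spare the next reader the question.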
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 8ef20339e6e..57e313bc4fd 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.178 2003/06/29 12:22:39 dhartmei Exp $ */
+/* $OpenBSD: pfctl.c,v 1.179 2003/07/03 09:13:06 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -918,10 +918,13 @@ pfctl_rules(int dev, char *filename, int opts, char *anchorname,
struct pfioc_rule pr[PF_RULESET_MAX];
struct pfioc_altq pa;
struct pfctl pf;
+ struct pfr_buffer ab;
int i;
memset(&pa, 0, sizeof(pa));
memset(&pf, 0, sizeof(pf));
+ memset(&ab, 0, sizeof(ab));
+ ab.pfrb_type = PFRB_ADDRS;
for (i = 0; i < PF_RULESET_MAX; i++) {
memset(&pr[i], 0, sizeof(pr[i]));
memcpy(pr[i].anchor, anchorname, sizeof(pr[i].anchor));
@@ -970,6 +973,7 @@ pfctl_rules(int dev, char *filename, int opts, char *anchorname,
pf.opts = opts;
pf.loadopt = loadopt;
pf.paltq = &pa;
+ pf.ab = &ab;
for (i = 0; i < PF_RULESET_MAX; i++) {
pf.prule[i] = &pr[i];
}
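Review bot: `ab` is only ever released inside pfctl_define_table(), so if the parse aborts after addresses were appended but before the enclosing table rule completes (a YYERROR in a tableaddr, or a syntax error after a `file` option), the malloc'd pfrb_caddr is leaked. The epilogue of pfctl_rules() is outside this hunk, so I cannot see whether it clears the buffer; if it does not, add `pfr_buf_clear(&ab);` next to the other cleanup before the function returns.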
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index 64116781700..3e4cbc1f202 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.21 2003/06/30 20:02:46 cedric Exp $ */
+/* $OpenBSD: pfctl.h,v 1.22 2003/07/03 09:13:06 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -38,7 +38,7 @@ struct pfr_buffer {
int pfrb_type; /* type of content, see enum above */
int pfrb_size; /* number of objects in buffer */
int pfrb_msize; /* maximum number of objects in buffer */
- caddr_t pfrb_caddr; /* malloc'ated memory area */
+ void *pfrb_caddr; /* malloc'ated memory area */
};
#define PFRB_FOREACH(var, buf) \
for((var) = pfr_buf_next((buf), NULL); \
@@ -71,7 +71,8 @@ void pfr_buf_clear(struct pfr_buffer *);
int pfr_buf_add(struct pfr_buffer *, const void *);
void *pfr_buf_next(struct pfr_buffer *, const void *);
int pfr_buf_grow(struct pfr_buffer *, int);
-void pfr_buf_load(char *, int, void (*)(char *, int));
+int pfr_buf_load(struct pfr_buffer *, char *, int,
+ int (*)(struct pfr_buffer *, char *, int));
char *pfr_strerror(int);
int pfctl_clear_tables(const char *, const char *, int);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 78553943946..707ff7de860 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.164 2003/06/12 09:40:33 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.165 2003/07/03 09:13:06 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1170,3 +1170,71 @@ host_dns(const char *s, int v4mask, int v6mask)
return (h);
}
+
+/*
+ * convert a hostname to a list of addresses and put them in the given buffer.
+ * test:
+ * if set to 1, only simple addresses are accepted (no netblock, no "!").
+ */
+int
+append_addr(struct pfr_buffer *b, char *s, int test)
+{
+ return append_addr_not(b, s, test, 0);
+}
+
+/*
+ * same as previous function, but with the ability to "negate" the result.
+ * not:
+ * setting it to 1 is equivalent to adding "!" in front of parameter s.
+ */
+int
+append_addr_not(struct pfr_buffer *b, char *s, int test, int not)
+{
+ char buf[256], *r;
+ int bits;
+ struct node_host *n, *h;
+ struct pfr_addr addr;
+
+ for (r = s; *r == '!'; r++)
+ not = !not;
+ if (strlcpy(buf, r, sizeof(buf)) >= sizeof(buf)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if ((n = host(buf)) == NULL) {
+ errno = 0;
+ return (-1);
+ }
+ do {
+ bzero(&addr, sizeof(addr));
+ addr.pfra_not = not;
+ addr.pfra_af = n->af;
+ addr.pfra_net = unmask(&n->addr.v.a.mask, n->af);
+ switch (n->af) {
+ case AF_INET:
+ addr.pfra_ip4addr.s_addr = n->addr.v.a.addr.addr32[0];
+ bits = 32;
+ break;
+ case AF_INET6:
+ memcpy(&addr.pfra_ip6addr, &n->addr.v.a.addr.v6,
+ sizeof(struct in6_addr));
+ bits = 128;
+ break;
+ default:
+ errno = EINVAL;
+ return (-1);
+ }
+ if ((test && (not || addr.pfra_net != bits)) ||
+ addr.pfra_net > bits) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if (pfr_buf_add(b, &addr))
+ return (-1);
+ h = n;
+ n = n->next;
+ free(h);
+ } while (n != NULL);
+
+ return (0);
+}
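Review bot: The early returns inside the do/while loop (the `default:` family case, the EINVAL range check and the pfr_buf_add() failure) leave the unconsumed tail of the node_host list returned by host() unfreed, because only the nodes already processed are released; with the old errx()/exit() behaviour that did not matter, but the function now returns into a parser that keeps running. Keep walking the list after the first error so every node is released while remembering the first failure, as sketched below. Since nothing writes through `s`, it could also be declared `const char *`.

```c
	int rv = 0;
	/* … unchanged: other locals, '!' folding, strlcpy(), host() … */

	do {
		if (rv == 0) {
			bzero(&addr, sizeof(addr));
			addr.pfra_not = not;
			addr.pfra_af = n->af;
			addr.pfra_net = unmask(&n->addr.v.a.mask, n->af);
			switch (n->af) {
			/* … unchanged: AF_INET / AF_INET6 fill the address and bits … */
			default:
				bits = -1;	/* unsupported family */
				break;
			}
			if (bits < 0 ||
			    (test && (not || addr.pfra_net != bits)) ||
			    addr.pfra_net > bits) {
				errno = EINVAL;
				rv = -1;
			} else if (pfr_buf_add(b, &addr))
				rv = -1;	/* errno as left by pfr_buf_add() */
		}
		/* keep walking after an error so every node is released */
		h = n;
		n = n->next;
		free(h);
	} while (n != NULL);

	return (rv);
```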
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 6754df4e023..faea7e1ccbc 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.61 2003/05/19 20:21:53 henning Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.62 2003/07/03 09:13:06 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -65,6 +65,7 @@ struct pfctl {
struct pfioc_rule *prule[PF_RULESET_MAX];
struct pfioc_altq *paltq;
struct pfioc_queue *pqueue;
+ struct pfr_buffer *ab; /* address buffer */
const char *anchor;
const char *ruleset;
};
@@ -154,9 +155,8 @@ void print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
int, struct node_queue_opt *);
void pfctl_begin_table(void);
-void pfctl_append_addr(char *, int, int);
-void pfctl_append_file(char *);
-void pfctl_define_table(char *, int, int, int, const char *, const char *);
+int pfctl_define_table(char *, int, int, int, const char *, const char *,
+ struct pfr_buffer *);
void pfctl_commit_table(void);
struct icmptypeent {
@@ -196,4 +196,7 @@ struct node_host *ifa_exists(const char *);
struct node_host *ifa_lookup(const char *, enum pfctl_iflookup_mode);
struct node_host *host(const char *);
+int append_addr(struct pfr_buffer *, char *, int);
+int append_addr_not(struct pfr_buffer *, char *, int, int);
+
#endif /* _PFCTL_PARSER_H_ */
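Review bot: Neither append_addr() nor append_addr_not() writes through its `s` argument (append_addr_not() copies it into a local buffer first), so the prototypes could be `int append_addr(struct pfr_buffer *, const char *, int);` and `int append_addr_not(struct pfr_buffer *, const char *, int, int);`. That change would need the callback type in pfr_buf_load()'s prototype in pfctl.h updated in step, otherwise passing append_addr as the callback becomes an incompatible pointer type.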
diff --git a/sbin/pfctl/pfctl_radix.c b/sbin/pfctl/pfctl_radix.c
index 15bf44d7426..64a2fc187f8 100644
--- a/sbin/pfctl/pfctl_radix.c
+++ b/sbin/pfctl/pfctl_radix.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_radix.c,v 1.16 2003/06/30 20:02:46 cedric Exp $ */
+/* $OpenBSD: pfctl_radix.c,v 1.17 2003/07/03 09:13:06 cedric Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -473,7 +473,7 @@ pfr_buf_add(struct pfr_buffer *b, const void *e)
if (b->pfrb_size == b->pfrb_msize)
if (pfr_buf_grow(b, 0))
return (-1);
- memcpy(b->pfrb_caddr + bs * b->pfrb_size, e, bs);
+ memcpy(((caddr_t)b->pfrb_caddr) + bs * b->pfrb_size, e, bs);
b->pfrb_size++;
return (0);
}
@@ -494,7 +494,7 @@ pfr_buf_next(struct pfr_buffer *b, const void *prev)
if (prev == NULL)
return (b->pfrb_caddr);
bs = buf_esize[b->pfrb_type];
- if ((((caddr_t)prev) - b->pfrb_caddr) / bs >= b->pfrb_size - 1)
+ if ((((caddr_t)prev)-((caddr_t)b->pfrb_caddr)) / bs >= b->pfrb_size-1)
return (NULL);
return (((caddr_t)prev) + bs);
}
@@ -538,7 +538,8 @@ pfr_buf_grow(struct pfr_buffer *b, int minsize)
b->pfrb_caddr = realloc(b->pfrb_caddr, b->pfrb_msize * bs);
if (b->pfrb_caddr == NULL)
return (-1);
- bzero(b->pfrb_caddr + omsize * bs, (b->pfrb_msize-omsize) * bs);
+ bzero(((caddr_t)b->pfrb_caddr) + omsize * bs,
+ (b->pfrb_msize-omsize) * bs);
}
return (0);
}
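Review bot: `b->pfrb_caddr = realloc(b->pfrb_caddr, ...)` overwrites the only pointer to the old buffer when realloc() fails, leaking it and leaving pfrb_caddr NULL while pfrb_msize (which already holds the grown size, judging by `omsize`) claims there is room, so the next pfr_buf_add() would memcpy() into NULL plus an offset. This mattered less when every caller exited on error, but this commit turns pfr_buf_grow() failures into ordinary return codes that pfctl_table() and the parser now recover from. Realloc into a temporary and roll pfrb_msize back on failure, as below. The old grow_buffer() also rejected `msize >= SIZE_T_MAX / bs`; the top of pfr_buf_grow() is outside this hunk, so please confirm the overflow guard survived the move.

```c
	void *p;
	/* … unchanged: size computation, omsize = previous pfrb_msize … */
	p = realloc(b->pfrb_caddr, b->pfrb_msize * bs);
	if (p == NULL) {
		b->pfrb_msize = omsize;	/* keep size and buffer consistent */
		return (-1);
	}
	b->pfrb_caddr = p;
	bzero(((caddr_t)b->pfrb_caddr) + omsize * bs,
	    (b->pfrb_msize-omsize) * bs);
```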
@@ -557,25 +558,31 @@ pfr_buf_clear(struct pfr_buffer *b)
b->pfrb_size = b->pfrb_msize = 0;
}
-void
-pfr_buf_load(char *file, int nonetwork, void (*append_addr)(char *, int))
+int
+pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
+ int (*append_addr)(struct pfr_buffer *, char *, int))
{
FILE *fp;
char buf[BUF_SIZE];
+ int rv;
if (file == NULL)
- return;
+ return (0);
if (!strcmp(file, "-"))
fp = stdin;
else {
fp = fopen(file, "r");
if (fp == NULL)
- err(1, "%s", file);
+ return (-1);
}
- while (pfr_next_token(buf, fp))
- append_addr(buf, nonetwork);
+ while ((rv = pfr_next_token(buf, fp)) == 1)
+ if (append_addr(b, buf, nonetwork)) {
+ rv = -1;
+ break;
+ }
if (fp != stdin)
fclose(fp);
+ return (rv);
}
int
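Review bot: Callers now report this function's failures through errno (`warn("cannot load %s", file)` in load_addr(), `pfr_strerror(errno)` in parse.y), but `fclose(fp)` runs between the failing append_addr()/pfr_next_token() and the `return (rv)`, and fclose() is allowed to overwrite errno. Preserve it across the close: `int serrno = errno;` before `if (fp != stdin) fclose(fp);` and `errno = serrno;` after it. It is also worth a comment that `file == NULL` deliberately means "nothing to load" and returns 0, since the callers pass the parser's possibly-unset filename straight through.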
@@ -607,8 +614,10 @@ pfr_next_token(char buf[BUF_SIZE], FILE *fp)
buf[i++] = next_ch;
next_ch = fgetc(fp);
} while (!feof(fp) && !isspace(next_ch));
- if (i >= BUF_SIZE)
- errx(1, "address too long (%d bytes)", i);
+ if (i >= BUF_SIZE) {
+ errno = EINVAL;
+ return (-1);
+ }
buf[i] = '\0';
return (1);
}
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 0d5167b1f74..afd45a8c090 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.45 2003/06/29 12:22:39 dhartmei Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.46 2003/07/03 09:13:06 cedric Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -51,31 +51,19 @@
#include "pfctl_parser.h"
#include "pfctl.h"
-#define BUF_SIZE 256
-
extern void usage(void);
static int pfctl_table(int, char *[], char *, const char *, char *,
const char *, const char *, int);
-static void grow_buffer(size_t, int);
static void print_table(struct pfr_table *, int, int);
static void print_tstats(struct pfr_tstats *, int);
-static void load_addr(int, char *[], char *, int);
-static void append_addr(char *, int);
+static int load_addr(struct pfr_buffer *, int, char *[], char *, int);
static void print_addrx(struct pfr_addr *, struct pfr_addr *, int);
static void print_astats(struct pfr_astats *, int);
static void radix_perror(void);
static void inactive_cleanup(void);
static void xprintf(int, const char *, ...);
-static union {
- caddr_t caddr;
- struct pfr_table *tables;
- struct pfr_addr *addrs;
- struct pfr_tstats *tstats;
- struct pfr_astats *astats;
-} buffer, buffer2;
-
-static int size, msize, ticket, inactive;
+static int ticket, inactive;
extern char *__progname;
static const char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
@@ -88,7 +76,7 @@ static const char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
(opts & PF_OPT_DUMMYACTION)) && \
(fct)) { \
radix_perror(); \
- return (1); \
+ goto _error; \
} \
} while (0)
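Review bot: RVTEST now performs a `goto _error` from inside a macro, so every function using it must define that label and must hold nothing that the label does not release, yet nothing at the definition says so. A comment on the macro, `/* on failure: print the radix error and jump to the caller's _error label (caller must define _error and rv) */`, would make that contract visible. Note also that the macro's condition appears to skip `fct` entirely under PF_OPT_NOACTION (its start is above this hunk), so it cannot wrap calls that must run regardless of opts, such as the pfr_buf_grow() calls in pfctl_table().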
@@ -131,13 +119,19 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
char *file, const char *anchor, const char *ruleset, int opts)
{
struct pfr_table table;
+ struct pfr_buffer b, b2;
+ struct pfr_addr *a, *a2;
int nadd = 0, ndel = 0, nchange = 0, nzero = 0;
- int i, flags = 0, nmatch = 0;
+ int rv = 0, flags = 0, nmatch = 0;
+ void *p;
if (command == NULL)
usage();
if (opts & PF_OPT_NOACTION)
flags |= PFR_FLAG_DUMMY;
+
+ bzero(&b, sizeof(b));
+ bzero(&b2, sizeof(b2));
bzero(&table, sizeof(table));
if (tname != NULL) {
if (strlen(tname) >= PF_TABLE_NAME_SIZE)
@@ -151,36 +145,34 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
strlcpy(table.pfrt_ruleset, ruleset,
sizeof(table.pfrt_ruleset)) >= sizeof(table.pfrt_ruleset))
errx(1, "pfctl_table: strlcpy");
+
if (!strcmp(command, "-F")) {
if (argc || file != NULL)
usage();
RVTEST(pfr_clr_tables(&table, &ndel, flags));
xprintf(opts, "%d tables deleted", ndel);
} else if (!strcmp(command, "-s")) {
+ b.pfrb_type = (opts & PF_OPT_VERBOSE2) ?
+ PFRB_TSTATS : PFRB_TABLES;
if (argc || file != NULL)
usage();
for (;;) {
- if (opts & PF_OPT_VERBOSE2) {
- grow_buffer(sizeof(struct pfr_tstats), size);
- size = msize;
- RVTEST(pfr_get_tstats(&table, buffer.tstats,
- &size, flags));
- } else {
- grow_buffer(sizeof(struct pfr_table), size);
- size = msize;
- RVTEST(pfr_get_tables(&table, buffer.tables,
- &size, flags));
- }
- if (size <= msize)
+ pfr_buf_grow(&b, b.pfrb_size);
+ b.pfrb_size = b.pfrb_msize;
+ if (opts & PF_OPT_VERBOSE2)
+ RVTEST(pfr_get_tstats(&table,
+ b.pfrb_caddr, &b.pfrb_size, flags));
+ else
+ RVTEST(pfr_get_tables(&table,
+ b.pfrb_caddr, &b.pfrb_size, flags));
+ if (b.pfrb_size <= b.pfrb_msize)
break;
}
- for (i = 0; i < size; i++)
+ PFRB_FOREACH(p, &b)
if (opts & PF_OPT_VERBOSE2)
- print_tstats(buffer.tstats+i,
- opts & PF_OPT_DEBUG);
+ print_tstats(p, opts & PF_OPT_DEBUG);
else
- print_table(buffer.tables+i,
- opts & PF_OPT_VERBOSE,
+ print_table(p, opts & PF_OPT_VERBOSE,
opts & PF_OPT_DEBUG);
} else if (!strcmp(command, "kill")) {
if (argc || file != NULL)
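Review bot: The return value of `pfr_buf_grow(&b, b.pfrb_size)` is ignored, so on allocation failure `b.pfrb_size = b.pfrb_msize` hands the ioctl a NULL or undersized buffer, and because the kernel then reports more entries than pfrb_msize the `for (;;)` never terminates while the allocation keeps failing. Check it explicitly — RVTEST looks unsuitable here because its condition appears to skip the call under PF_OPT_NOACTION: `if (pfr_buf_grow(&b, b.pfrb_size)) { radix_perror(); goto _error; }`. The same applies to `pfr_buf_grow(&b, sz2)` in the replace command and to the grow loop of the show command further down.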
@@ -193,47 +185,51 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
RVTEST(pfr_clr_addrs(&table, &ndel, flags));
xprintf(opts, "%d addresses deleted", ndel);
} else if (!strcmp(command, "add")) {
- load_addr(argc, argv, file, 0);
+ b.pfrb_type = PFRB_ADDRS;
+ if (load_addr(&b, argc, argv, file, 0))
+ goto _error;
CREATE_TABLE;
if (opts & PF_OPT_VERBOSE)
flags |= PFR_FLAG_FEEDBACK;
- RVTEST(pfr_add_addrs(&table, buffer.addrs, size, &nadd,
- flags));
- xprintf(opts, "%d/%d addresses added", nadd, size);
+ RVTEST(pfr_add_addrs(&table, b.pfrb_caddr, b.pfrb_size,
+ &nadd, flags));
+ xprintf(opts, "%d/%d addresses added", nadd, b.pfrb_size);
if (opts & PF_OPT_VERBOSE)
- for (i = 0; i < size; i++)
- if ((opts & PF_OPT_VERBOSE2) ||
- buffer.addrs[i].pfra_fback)
- print_addrx(buffer.addrs+i, NULL,
+ PFRB_FOREACH(a, &b)
+ if ((opts & PF_OPT_VERBOSE2) || a->pfra_fback)
+ print_addrx(a, NULL,
opts & PF_OPT_USEDNS);
} else if (!strcmp(command, "delete")) {
- load_addr(argc, argv, file, 0);
+ b.pfrb_type = PFRB_ADDRS;
+ if (load_addr(&b, argc, argv, file, 0))
+ goto _error;
if (opts & PF_OPT_VERBOSE)
flags |= PFR_FLAG_FEEDBACK;
- RVTEST(pfr_del_addrs(&table, buffer.addrs, size, &nadd,
- flags));
- xprintf(opts, "%d/%d addresses deleted", nadd, size);
+ RVTEST(pfr_del_addrs(&table, b.pfrb_caddr, b.pfrb_size,
+ &ndel, flags));
+ xprintf(opts, "%d/%d addresses deleted", ndel, b.pfrb_size);
if (opts & PF_OPT_VERBOSE)
- for (i = 0; i < size; i++)
- if ((opts & PF_OPT_VERBOSE2) ||
- buffer.addrs[i].pfra_fback)
- print_addrx(buffer.addrs+i, NULL,
+ PFRB_FOREACH(a, &b)
+ if ((opts & PF_OPT_VERBOSE2) || a->pfra_fback)
+ print_addrx(a, NULL,
opts & PF_OPT_USEDNS);
} else if (!strcmp(command, "replace")) {
- load_addr(argc, argv, file, 0);
+ b.pfrb_type = PFRB_ADDRS;
+ if (load_addr(&b, argc, argv, file, 0))
+ goto _error;
CREATE_TABLE;
if (opts & PF_OPT_VERBOSE)
flags |= PFR_FLAG_FEEDBACK;
for (;;) {
- int size2 = msize;
+ int sz2 = b.pfrb_msize;
- RVTEST(pfr_set_addrs(&table, buffer.addrs, size,
- &size2, &nadd, &ndel, &nchange, flags));
- if (size2 <= msize) {
- size = size2;
+ RVTEST(pfr_set_addrs(&table, b.pfrb_caddr, b.pfrb_size,
+ &sz2, &nadd, &ndel, &nchange, flags));
+ if (sz2 <= b.pfrb_msize) {
+ b.pfrb_size = sz2;
break;
} else
- grow_buffer(sizeof(struct pfr_addr), size2);
+ pfr_buf_grow(&b, sz2);
}
if (nadd)
xprintf(opts, "%d addresses added", nadd);
@@ -244,63 +240,61 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
if (!nadd && !ndel && !nchange)
xprintf(opts, "no changes");
if (opts & PF_OPT_VERBOSE)
- for (i = 0; i < size; i++)
- if ((opts & PF_OPT_VERBOSE2) ||
- buffer.addrs[i].pfra_fback)
- print_addrx(buffer.addrs+i, NULL,
+ PFRB_FOREACH(a, &b)
+ if ((opts & PF_OPT_VERBOSE2) || a->pfra_fback)
+ print_addrx(a, NULL,
opts & PF_OPT_USEDNS);
} else if (!strcmp(command, "show")) {
+ b.pfrb_type = (opts & PF_OPT_VERBOSE) ?
+ PFRB_ASTATS : PFRB_ADDRS;
if (argc || file != NULL)
usage();
for (;;) {
- if (opts & PF_OPT_VERBOSE) {
- grow_buffer(sizeof(struct pfr_astats), size);
- size = msize;
- RVTEST(pfr_get_astats(&table, buffer.astats,
- &size, flags));
- } else {
- grow_buffer(sizeof(struct pfr_addr), size);
- size = msize;
- RVTEST(pfr_get_addrs(&table, buffer.addrs,
- &size, flags));
- }
- if (size <= msize)
+ pfr_buf_grow(&b, b.pfrb_size);
+ b.pfrb_size = b.pfrb_msize;
+ if (opts & PF_OPT_VERBOSE)
+ RVTEST(pfr_get_astats(&table, b.pfrb_caddr,
+ &b.pfrb_size, flags));
+ else
+ RVTEST(pfr_get_addrs(&table, b.pfrb_caddr,
+ &b.pfrb_size, flags));
+ if (b.pfrb_size <= b.pfrb_msize)
break;
}
- for (i = 0; i < size; i++)
- if (opts & PF_OPT_VERBOSE) {
- print_astats(buffer.astats+i,
- opts & PF_OPT_USEDNS);
- } else {
- print_addrx(buffer.addrs+i, NULL,
- opts & PF_OPT_USEDNS);
- }
+ PFRB_FOREACH(p, &b)
+ if (opts & PF_OPT_VERBOSE)
+ print_astats(p, opts & PF_OPT_USEDNS);
+ else
+ print_addrx(p, NULL, opts & PF_OPT_USEDNS);
} else if (!strcmp(command, "test")) {
- load_addr(argc, argv, file, 1);
+ b.pfrb_type = PFRB_ADDRS;
+ b2.pfrb_type = PFRB_ADDRS;
+
+ if (load_addr(&b, argc, argv, file, 1))
+ goto _error;
if (opts & PF_OPT_VERBOSE2) {
flags |= PFR_FLAG_REPLACE;
- buffer2.caddr = calloc(sizeof(buffer.addrs[0]), size);
- if (buffer2.caddr == NULL)
- err(1, "calloc");
- memcpy(buffer2.addrs, buffer.addrs, size *
- sizeof(buffer.addrs[0]));
+ PFRB_FOREACH(a, &b)
+ if (pfr_buf_add(&b2, a))
+ err(1, "duplicate buffer");
}
- RVTEST(pfr_tst_addrs(&table, buffer.addrs, size, &nmatch,
- flags));
- xprintf(opts, "%d/%d addresses match", nmatch, size);
+ RVTEST(pfr_tst_addrs(&table, b.pfrb_caddr, b.pfrb_size,
+ &nmatch, flags));
+ xprintf(opts, "%d/%d addresses match", nmatch, b.pfrb_size);
if (opts & PF_OPT_VERBOSE && !(opts & PF_OPT_VERBOSE2))
- for (i = 0; i < size; i++)
- if (buffer.addrs[i].pfra_fback == PFR_FB_MATCH)
- print_addrx(buffer.addrs+i, NULL,
+ PFRB_FOREACH(a, &b)
+ if (a->pfra_fback == PFR_FB_MATCH)
+ print_addrx(a, NULL,
opts & PF_OPT_USEDNS);
if (opts & PF_OPT_VERBOSE2) {
- for (i = 0; i < size; i++)
- print_addrx(buffer2.addrs+i, buffer.addrs+i,
- opts & PF_OPT_USEDNS);
- free(buffer2.addrs);
+ a2 = NULL;
+ PFRB_FOREACH(a, &b) {
+ a2 = pfr_buf_next(&b2, a2);
+ print_addrx(a2, a, opts & PF_OPT_USEDNS);
+ }
}
- if (nmatch < size)
- return (2);
+ if (nmatch < b.pfrb_size)
+ rv = 2;
} else if (!strcmp(command, "zero")) {
if (argc || file != NULL)
usage();
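Review bot: `err(1, "duplicate buffer")` in the test command exits the process from the middle of pfctl_table(), bypassing the `_cleanup` path this commit introduces and returning a different status than every other allocation failure in the function, which now goes through `_error`. For consistency use `radix_perror(); goto _error;` (errno should still reflect the failed allocation inside pfr_buf_add()). The `pfr_buf_grow(&b, b.pfrb_size)` in the show loop above is likewise unchecked, with the same unbounded-retry consequence as in the -s loop.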
@@ -309,39 +303,14 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
xprintf(opts, "%d table/stats cleared", nzero);
} else
warnx("pfctl_table: unknown command '%s'", command);
- if (buffer.caddr)
- free(buffer.caddr);
- size = msize = 0;
- return (0);
-}
-
-void
-grow_buffer(size_t bs, int minsize)
-{
- if (minsize != 0 && minsize <= msize) {
- warnx("grow_buffer: superfluous call");
- return;
- }
- if (!msize) {
- msize = minsize;
- if (msize < 64)
- msize = 64;
- buffer.caddr = calloc(bs, msize);
- if (buffer.caddr == NULL)
- err(1, "calloc");
- } else {
- int omsize = msize;
- if (minsize == 0)
- msize *= 2;
- else
- msize = minsize;
- if (msize < 0 || msize >= SIZE_T_MAX / bs)
- errx(1, "msize overflow");
- buffer.caddr = realloc(buffer.caddr, msize * bs);
- if (buffer.caddr == NULL)
- err(1, "realloc");
- bzero(buffer.caddr + omsize * bs, (msize-omsize) * bs);
- }
+ goto _cleanup;
+
+_error:
+ rv = -1;
+_cleanup:
+ pfr_buf_clear(&b);
+ pfr_buf_clear(&b2);
+ return (rv);
}
void
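Review bot: A failed ioctl used to make RVTEST `return (1)`; it now jumps to `_error` and returns -1, so pfctl_table()'s failure value changed sign. The caller is not in this diff, but if it hands the value to exit() the process would now exit with status 255 instead of 1; keeping `rv = 1;` at `_error:` preserves the old status. Either way the three outcomes (0 on success, 2 when a test address did not match, non-zero on error) deserve a comment above the function now that they are collected in one place.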
@@ -391,73 +360,27 @@ print_tstats(struct pfr_tstats *ts, int debug)
ts->pfrts_bytes[dir][op]);
}
-void
-load_addr(int argc, char *argv[], char *file, int nonetwork)
+int
+load_addr(struct pfr_buffer *b, int argc, char *argv[], char *file,
+ int nonetwork)
{
while (argc--)
- append_addr(*argv++, nonetwork);
- pfr_buf_load(file, nonetwork, append_addr);
-}
-
-void
-append_addr(char *s, int test)
-{
- char buf[BUF_SIZE], *r;
- int not = 0;
- struct node_host *n, *h;
-
- for (r = s; *r == '!'; r++)
- not = !not;
- if (strlcpy(buf, r, sizeof(buf)) >= sizeof(buf))
- errx(1, "address too long");
-
- if ((n = host(buf)) == NULL)
- exit (1);
-
- do {
- if (size >= msize)
- grow_buffer(sizeof(struct pfr_addr), 0);
- buffer.addrs[size].pfra_not = not;
- switch (n->af) {
- case AF_INET:
- buffer.addrs[size].pfra_af = AF_INET;
- buffer.addrs[size].pfra_ip4addr.s_addr =
- n->addr.v.a.addr.addr32[0];
- buffer.addrs[size].pfra_net =
- unmask(&n->addr.v.a.mask, AF_INET);
- if (test && (not || buffer.addrs[size].pfra_net != 32))
- errx(1, "illegal test address");
- if (buffer.addrs[size].pfra_net > 32)
- errx(1, "illegal netmask %d",
- buffer.addrs[size].pfra_net);
- break;
- case AF_INET6:
- buffer.addrs[size].pfra_af = AF_INET6;
- memcpy(&buffer.addrs[size].pfra_ip6addr,
- &n->addr.v.a.addr.v6, sizeof(struct in6_addr));
- buffer.addrs[size].pfra_net =
- unmask(&n->addr.v.a.mask, AF_INET6);
- if (test && (not || buffer.addrs[size].pfra_net != 128))
- errx(1, "illegal test address");
- if (buffer.addrs[size].pfra_net > 128)
- errx(1, "illegal netmask %d",
- buffer.addrs[size].pfra_net);
- break;
- default:
- errx(1, "unknown address family %d", n->af);
- break;
+ if (append_addr(b, *argv++, nonetwork)) {
+ if (errno)
+ warn("cannot decode %s", argv[-1]);
+ return (-1);
}
- size++;
- h = n;
- n = n->next;
- free(h);
- } while (n != NULL);
+ if (pfr_buf_load(b, file, nonetwork, append_addr)) {
+ warn("cannot load %s", file);
+ return (-1);
+ }
+ return (0);
}
void
print_addrx(struct pfr_addr *ad, struct pfr_addr *rad, int dns)
{
- char ch, buf[BUF_SIZE] = "{error}";
+ char ch, buf[256] = "{error}";
char fb[] = { ' ', 'M', 'A', 'D', 'C', 'Z', 'X', ' ', 'Y' };
unsigned int fback, hostnet;
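Review bot: `warn("cannot load %s", file)` ignores the errno convention that the argv loop two lines above honours: pfr_buf_load() propagates append_addr() failures, and append_addr_not() sets errno to 0 when host() rejects a token, so that path prints "cannot load X: Undefined error: 0", presumably after host()'s own diagnostic. Guard it the same way, `if (errno) warn("cannot load %s", file);`. `argv[-1]` after `*argv++` is legal but obscure; `char *cur = *argv++;` reads better. Separately, print_addrx() now spells the buffer size as a bare `256`; if BUF_SIZE moved to pfctl.h (pfctl_radix.c still uses it), keep using the name there and in append_addr_not() too.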
@@ -536,41 +459,12 @@ pfctl_begin_table(void)
}
}
-void
-pfctl_append_addr(char *addr, int net, int neg)
-{
- char *p = NULL;
- int rval;
-
- if (net < 0 && !neg) {
- append_addr(addr, 0);
- return;
- }
- if (net >= 0 && !neg)
- rval = asprintf(&p, "%s/%d", addr, net);
- else if (net < 0)
- rval = asprintf(&p, "!%s", addr);
- else
- rval = asprintf(&p, "!%s/%d", addr, net);
- if (rval == -1 || p == NULL) {
- radix_perror();
- exit(1);
- }
- append_addr(p, 0);
- free(p);
-}
-
-void
-pfctl_append_file(char *file)
-{
- load_addr(0, NULL, file, 0);
-}
-
-void
+int
pfctl_define_table(char *name, int flags, int addrs, int noaction,
- const char *anchor, const char *ruleset)
+ const char *anchor, const char *ruleset, struct pfr_buffer *ab)
{
struct pfr_table tbl;
+ int rv = 0;
if (!noaction) {
bzero(&tbl, sizeof(tbl));
@@ -584,14 +478,13 @@ pfctl_define_table(char *name, int flags, int addrs, int noaction,
tbl.pfrt_flags = flags;
inactive = 1;
- if (pfr_ina_define(&tbl, buffer.addrs, size, NULL, NULL,
- ticket, addrs ? PFR_FLAG_ADDRSTOO : 0) != 0) {
- radix_perror();
- exit(1);
+ if (pfr_ina_define(&tbl, ab->pfrb_caddr, ab->pfrb_size, NULL,
+ NULL, ticket, addrs ? PFR_FLAG_ADDRSTOO : 0) != 0) {
+ rv = -1;
}
}
- bzero(buffer.addrs, size * sizeof(buffer.addrs[0]));
- size = 0;
+ pfr_buf_clear(ab);
+ return (rv);
}
void
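Review bot: The function unconditionally consumes `ab` — pfr_buf_clear() runs on the success, failure and noaction paths alike — and dereferences it without a NULL check, but nothing at the definition says so; a caller that builds a struct pfctl without setting `ab` (only pfctl_rules() is shown doing so) would crash here. A header comment would capture the contract callers now depend on, along the lines of `/* Define table `name` from the addresses in ab (must be non-NULL). ab is emptied on every return, including failure. Returns 0, or -1 with errno as left by pfr_ina_define(). */`.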
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index c5b28c87449..56183c9b7e5 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.62 2003/06/28 20:37:29 deraadt Exp $ */
+/* $OpenBSD: authpf.c,v 1.63 2003/07/03 09:13:05 cedric Exp $ */
/*
* Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -846,23 +846,12 @@ pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
return (1);
}
-void
-pfctl_append_addr(char *addr, int net, int neg)
-{
- /* appropriate message will be printed by following function */
-}
-
-void
-pfctl_append_file(char *file)
-{
- /* appropriate message will be printed by following function */
-}
-
-void
+int
pfctl_define_table(char *name, int flags, int addrs, int noaction,
- const char *anchor, const char *ruleset)
+ const char *anchor, const char *ruleset, struct pfr_buffer *ab)
{
fprintf(stderr, "table definitions not yet supported in authpf\n");
+ return (1);
}
int
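Review bot: The stub returns 1 without setting errno, while the parse.y change in this same commit formats the failure as `pfr_strerror(errno)`, so authpf users would see the "not yet supported" line followed by an error text describing some unrelated earlier errno. Set a meaningful value before returning, and mirror pfctl's return value while at it: `errno = EOPNOTSUPP;` then `return (-1);` (assuming pfr_strerror() falls back to strerror() for plain errno values, which I cannot see here).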