-rw-r--r-- | sbin/pfctl/pfctl.c | 47 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 154 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 18 |
3 files changed, 122 insertions, 97 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index cf48cb3d3d4..35864f46493 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.6 2001/06/25 00:02:55 dhartmei Exp $ */ +/* $OpenBSD: pfctl.c,v 1.7 2001/06/25 09:44:32 deraadt Exp $ */ /* * Copyright (c) 2001, Daniel Hartmeier @@ -46,22 +46,23 @@ #include "pfctl_parser.h" -static void printerror(char *); -static void usage(char *); -static char *load_file(char *, size_t *); +void printerror(char *); +void usage(char *); +char *load_file(char *, size_t *); int main(int, char *[]); -static void +void printerror(char *s) { fprintf(stderr, "ERROR: %s: %s\n", s, strerror(errno)); return; } -static void +void usage(char *argv0) { char *n = rindex(argv0, '/'); + if (n != NULL) n++; else @@ -83,11 +84,12 @@ usage(char *argv0) fprintf(stderr, "\tlog\t\t<if>\tSet interface to log\n"); } -static char * +char * load_file(char *name, size_t *len) { char *buf = 0; FILE *file = fopen(name, "r"); + *len = 0; if (file == NULL) { fprintf(stderr, "ERROR: couldn't open file %s (%s)\n", @@ -119,6 +121,7 @@ main(int argc, char *argv[]) int dev; struct pfioc *ub; u_int16_t n = 0; + ub = malloc(sizeof(struct pfioc)); if (ub == NULL) { printf("ERROR: malloc() failed\n"); @@ -160,8 +163,9 @@ main(int argc, char *argv[]) return (1); } if (!strcmp(argv[2], "rules")) { - struct rule *rule = ub->buffer; - ub->entries = ub->size / sizeof(struct rule); + struct pf_rule *rule = ub->buffer; + + ub->entries = ub->size / sizeof(struct pf_rule); if (ioctl(dev, DIOCGETRULES, ub)) printerror("DIOCGETRULES"); for (n = 0; n < ub->entries; ++n) { 
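Review bot: In the `rules` branch of main(), a failed DIOCGETRULES only calls printerror() and then `for (n = 0; n < ub->entries; ++n)` still prints `ub->entries` rules out of a buffer the kernel never filled; the error path should stop there, e.g. `if (ioctl(dev, DIOCGETRULES, ub)) { printerror("DIOCGETRULES"); return (1); }`. Independently, `ub->entries` after the ioctl is whatever the kernel wrote back, and the loop trusts it without re-checking it against the `ub->size / sizeof(struct pf_rule)` computed before the call, so if the driver can report more entries than fit (not visible here) the loop reads past `ub->buffer`; clamping `ub->entries` to that quotient after the ioctl closes that. The same shape is repeated for nat, rdr, states and status below. main() continues past the end of this hunk.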
@@ -170,14 +174,15 @@ main(int argc, char *argv[]) } } else if (!strcmp(argv[2], "nat")) { - struct nat *nat = ub->buffer; - struct rdr *rdr = ub->buffer; - ub->entries = ub->size / sizeof(struct nat); + struct pf_nat *nat = ub->buffer; + struct pf_rdr *rdr = ub->buffer; + + ub->entries = ub->size / sizeof(struct pf_nat); if (ioctl(dev, DIOCGETNAT, ub)) printerror("DIOCGETNAT"); for (n = 0; n < ub->entries; ++n) print_nat(nat + n); - ub->entries = ub->size / sizeof(struct rdr); + ub->entries = ub->size / sizeof(struct pf_rdr); if (ioctl(dev, DIOCGETRDR, ub)) printerror("DIOCGETRDR"); for (n = 0; n < ub->entries; ++n) @@ -185,7 +190,8 @@ main(int argc, char *argv[]) } else if (!strcmp(argv[2], "states")) { u_int8_t proto = 0; - struct state *state = ub->buffer; + struct pf_state *state = ub->buffer; + if (argc >= 4) { if (!strcmp(argv[3], "tcp")) proto = IPPROTO_TCP; @@ -199,7 +205,7 @@ main(int argc, char *argv[]) return (1); } } - ub->entries = ub->size / sizeof(struct state); + ub->entries = ub->size / sizeof(struct pf_state); if (ioctl(dev, DIOCGETSTATES, ub)) printerror("DIOCGETSTATES"); for (n = ub->entries; n > 0; --n) @@ -207,7 +213,8 @@ main(int argc, char *argv[]) print_state(state + n - 1); } else if (!strcmp(argv[2], "status")) { - struct status *status = ub->buffer; + struct pf_status *status = ub->buffer; + ub->entries = 1; if (ioctl(dev, DIOCGETSTATUS, ub)) printerror("DIOCGETSTATUS"); @@ -278,7 +285,8 @@ main(int argc, char *argv[]) return (1); if (!strcmp(argv[2], "rules")) { - struct rule *rule = ub->buffer; + struct pf_rule *rule = ub->buffer; + n = 0; nr = 0; s = buf; @@ -300,8 +308,9 @@ main(int argc, char *argv[]) for (n = 0; n < ub->entries; ++n) print_rule(rule + n); } else { - struct nat *nat = ub->buffer; - struct rdr *rdr = ub->buffer; + struct pf_nat *nat = ub->buffer; + struct pf_rdr *rdr = ub->buffer; + n = 0; nr = 0; s = buf; diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index df5bbcbcc1d..122a24dd530 100644 
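Review bot: The `nat`, `rdr` and `states` loops index with the `u_int16_t n` declared at the top of main(), but `ub->entries` is filled in by the kernel; if that field is wider than 16 bits (struct pfioc is not shown here, so confirm), `n = ub->entries` in the states loop silently truncates and `n < ub->entries` in the nat/rdr loops can never become false once entries exceeds 65535, so n wraps and the loop spins. Declaring n with the same type as the field it is compared against (`size_t n;` or whatever `ub->entries` is) removes the problem; alternatively clamp `ub->entries` to `ub->size / sizeof(struct pf_nat)` (and the rdr/state equivalents) right after each ioctl, which also bounds the buffer walk. As in the rules branch, a failed DIOCGETNAT/DIOCGETRDR/DIOCGETSTATES here only prints and then iterates the unfilled buffer. main() continues outside this hunk.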
--- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.5 2001/06/25 05:00:58 smart Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.6 2001/06/25 09:44:32 deraadt Exp $ */ /* * Copyright (c) 2001, Daniel Hartmeier @@ -44,45 +44,47 @@ #include "pfctl_parser.h" -static void print_addr (u_int32_t); -static void print_host (struct state_host *); -static void print_seq (struct state_peer *); -static void print_port (u_int8_t, u_int16_t, u_int16_t, char *); -static void print_flags (u_int8_t); -static char *next_word (char **); -static u_int16_t next_number (char **); -static u_int32_t next_addr (char **); -static u_int8_t next_flags (char **); -static u_int16_t rule_port (char *, u_int8_t); -static u_int32_t rule_mask (u_int8_t); - -static char *tcpflags = "FSRPAU"; - -static void +void print_addr (u_int32_t); +void print_host (struct state_host *); +void print_seq (struct state_peer *); +void print_port (u_int8_t, u_int16_t, u_int16_t, char *); +void print_flags (u_int8_t); +char *next_word (char **); +u_int16_t next_number (char **); +u_int32_t next_addr (char **); +u_int8_t next_flags (char **); +u_int16_t rule_port (char *, u_int8_t); +u_int32_t rule_mask (u_int8_t); + +char *tcpflags = "FSRPAU"; + +void print_addr(u_int32_t a) { a = ntohl(a); printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, (a>>8)&255, a&255); } -static void +void print_host(struct state_host *h) { u_int32_t a = ntohl(h->addr); u_int16_t p = ntohs(h->port); + printf("%u.%u.%u.%u:%u", (a>>24)&255, (a>>16)&255, (a>>8)&255, a&255, p); } -static void +void print_seq(struct state_peer *p) { printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo); } -static void +void print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, char *proto) { struct servent *s = getservbyport(p1, proto); + p1 = ntohs(p1); p2 = ntohs(p2); printf("port "); 
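Review bot: `char *tcpflags = "FSRPAU";` is now an exported, writable pointer to a string literal; print_flags() and next_flags() only ever read it (by index and through strchr), so declaring it `const char *const tcpflags = "FSRPAU";` costs nothing and makes an accidental write through it a compile error instead of undefined behaviour. Removing `static` from every file-local helper (print_addr, next_word, rule_port, ...) also puts them in the global namespace although nothing outside this file is shown to use them; if that is deliberate (for debugging or a planned split), a one-line comment above the prototypes saying so would spare the next reader the question, otherwise `static` is the safer default. print_flags() hard-codes `i < 6` to match the length of tcpflags; a `sizeof("FSRPAU") - 1` or a named constant would keep the two from drifting apart.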
@@ -93,14 +95,12 @@ print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, char *proto) printf("= %s ", s->s_name); else printf("= %u ", p1); - } - else if (op == 3) { + } else if (op == 3) { if (s != NULL) printf("!= %s ", s->s_name); else printf("!= %u ", p1); - } - else if (op == 4) + } else if (op == 4) printf("< %u ", p1); else if (op == 5) printf("<= %u ", p1); @@ -110,17 +110,18 @@ print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, char *proto) printf(">= %u ", p1); } -static void +void print_flags(u_int8_t f) { int i; + for (i = 0; i < 6; ++i) if (f & (1 << i)) printf("%c", tcpflags[i]); } void -print_nat(struct nat *n) +print_nat(struct pf_nat *n) { printf("nat %s ", n->ifname); if (n->not) @@ -147,7 +148,7 @@ print_nat(struct nat *n) } void -print_rdr(struct rdr *r) +print_rdr(struct pf_rdr *r) { printf("rdr %s ", r->ifname); if (r->not) @@ -172,9 +173,10 @@ print_rdr(struct rdr *r) } void -print_status(struct status *s) +print_status(struct pf_status *s) { time_t t = time(NULL); + printf("%u %u %u", t, s->since, s->running); if (s->running) { printf(" %u %u", s->bytes[0], s->bytes[1]); @@ -187,7 +189,7 @@ print_status(struct status *s) } void -print_state(struct state *s) +print_state(struct pf_state *s) { struct state_peer *src, *dst; u_int8_t hrs, min, sec; @@ -253,7 +255,7 @@ print_state(struct state *s) } void -print_rule(struct rule *r) +print_rule(struct pf_rule *r) { if (r->action == 0) printf("pass "); @@ -336,8 +338,8 @@ print_rule(struct rule *r) char * next_line(char **s) { - char *l; - l = *s; + char *l = *s; + while (**s && (**s != '\n')) (*s)++; if (**s) { @@ -347,10 +349,11 @@ next_line(char **s) return (l); } -static char * +char * next_word(char **s) { char *w; + while ((**s == ' ') || (**s == '\t') || (**s == '\n')) (*s)++; w = *s; @@ -363,10 +366,11 @@ next_word(char **s) return (w); } -static u_int16_t +u_int16_t next_number(char **s) { u_int16_t n = 0; + while (**s && !isdigit(**s)) (*s)++; while (**s && isdigit(**s)) { 
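Review bot: In print_status(), `printf("%u %u %u", t, s->since, s->running);` passes the `time_t t` to a `%u` conversion; on any platform where time_t is wider than unsigned int (64-bit time_t) that is a format/argument mismatch and undefined behaviour, and it is wrong for any time_t that is not exactly unsigned int in size. Cast explicitly: `printf("%lld %u %u", (long long)t, s->since, s->running);` (the types of `since` and `running` are not visible here, so check those against their conversions too). In next_number(), `isdigit(**s)` is applied to a plain `char`; for bytes above 0x7f on a signed-char platform that is undefined, so write `isdigit((unsigned char)**s)` in both loops. next_number() continues past the end of this hunk.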
@@ -377,7 +381,7 @@ next_number(char **s) return (n); } -static u_int32_t +u_int32_t next_addr(char **w) { u_int8_t a, b, c, d; @@ -388,11 +392,12 @@ next_addr(char **w) return (htonl((a << 24) | (b << 16) | (c << 8) | d)); } -static u_int8_t +u_int8_t next_flags(char **s) { u_int8_t f = 0; char *p; + while (**s && !strchr(tcpflags, **s)) (*s)++; while (**s && ((p = strchr(tcpflags, **s)) != NULL)) { @@ -402,10 +407,11 @@ next_flags(char **s) return (f ? f : 63); } -static u_int16_t +u_int16_t rule_port(char *w, u_int8_t p) { struct servent *s; + if (isdigit(*w)) return (htons(atoi(w))); s = getservbyname(w, p == IPPROTO_TCP ? "tcp" : "udp"); @@ -414,21 +420,22 @@ rule_port(char *w, u_int8_t p) return (s->s_port); } -static u_int32_t +u_int32_t rule_mask(u_int8_t b) { u_int32_t m = 0; int i; + for (i = 31; i > 31-b; --i) m |= (1 << i); return (htonl(m)); } int -parse_rule(int n, char *l, struct rule *r) +parse_rule(int n, char *l, struct pf_rule *r) { char *w; - memset(r, 0, sizeof(struct rule)); + memset(r, 0, sizeof(struct pf_rule)); w = next_word(&l); /* pass / block */ @@ -437,7 +444,7 @@ parse_rule(int n, char *l, struct rule *r) else if (!strcmp(w, "block")) r->action = 1; else { - fprintf(stderr, "error on line %i: expected pass/block, got %s\n", + fprintf(stderr, "error on line %d: expected pass/block, got %s\n", n, w); return (0); } @@ -455,7 +462,7 @@ parse_rule(int n, char *l, struct rule *r) else if (!strcmp(w, "out")) r->direction = 1; else { - fprintf(stderr, "error on line %i: expected in/out, got %s\n", + fprintf(stderr, "error on line %d: expected in/out, got %s\n", n, w); return (0); } @@ -486,7 +493,7 @@ parse_rule(int n, char *l, struct rule *r) w = next_word(&l); p = getprotobyname(w); if (p == NULL) { - fprintf(stderr, "error on line %i: unknown protocol %s\n", + fprintf(stderr, "error on line %d: unknown protocol %s\n", n, w); return (0); } 
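Review bot: rule_mask() has two undefined-behaviour cases in `for (i = 31; i > 31-b; --i) m |= (1 << i);`: `1 << 31` shifts into the sign bit of an int, and a `b` above 32 (the u_int8_t parameter accepts up to 255, and the caller feeds it a u_int16_t from next_number()) makes `31-b` negative so i runs below zero and the shift count goes negative. Use an unsigned one and bound the prefix length: `if (b > 32) b = 32;` then `for (i = 31; i > 31 - (int)b; --i) m |= (1U << i);`, and reject `b > 32` at the parse sites so the user sees an error rather than a silently widened match. Likewise rule_port() returns `htons(atoi(w))` for numeric input, so `port 70000` quietly becomes a different port; a strtoul() with an endptr check and a `> 65535` test, returning an error the callers can act on, would make malformed ports fail loudly. Also, next_number() returns a u_int16_t so `/70000` overflows before it even reaches rule_mask().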
@@ -514,7 +521,7 @@ parse_rule(int n, char *l, struct rule *r) else if (*w == '/') r->src.mask = rule_mask(next_number(&w)); else { - fprintf(stderr, "error on line %i: expected /, got '%c'\n", n, *w); + fprintf(stderr, "error on line %d: expected /, got '%c'\n", n, *w); return (0); } w = next_word(&l); @@ -544,7 +551,7 @@ parse_rule(int n, char *l, struct rule *r) w = next_word(&l); if (r->src.port_op == 1) { if (strcmp(w, "<>") && strcmp(w, "><")) { - fprintf(stderr, "error on line %i: expected <>/><, got %s\n", n, w); + fprintf(stderr, "error on line %d: expected <>/><, got %s\n", n, w); return (0); } w = next_word(&l); @@ -555,7 +562,7 @@ parse_rule(int n, char *l, struct rule *r) /* destination address */ if (strcmp(w, "to")) { - fprintf(stderr, "error on line %i: expected to, got %s\n", + fprintf(stderr, "error on line %d: expected to, got %s\n", n, w); return (0); } @@ -573,7 +580,7 @@ parse_rule(int n, char *l, struct rule *r) else if (*w == '/') r->dst.mask = rule_mask(next_number(&w)); else { - fprintf(stderr, "error on line %i: expected /, got '%c'\n", n, *w); + fprintf(stderr, "error on line %d: expected /, got '%c'\n", n, *w); return (0); } w = next_word(&l); @@ -603,7 +610,7 @@ parse_rule(int n, char *l, struct rule *r) w = next_word(&l); if (r->dst.port_op == 1) { if (strcmp(w, "<>") && strcmp(w, "><")) { - fprintf(stderr, "error on line %i: expected <>/><, got %s\n", n, w); + fprintf(stderr, "error on line %d: expected <>/><, got %s\n", n, w); return (0); } w = next_word(&l); @@ -614,7 +621,7 @@ parse_rule(int n, char *l, struct rule *r) } else { - fprintf(stderr, "error on line %i: expected all/from, got %s\n", + fprintf(stderr, "error on line %d: expected all/from, got %s\n", n, w); return (0); } 
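Review bot: `r->src.mask = rule_mask(next_number(&w));` (and the identical `r->dst.mask` line further down) passes the u_int16_t from next_number() into rule_mask()'s u_int8_t parameter with no range check, so `/256` becomes `/0` (match everything) and `/40` is passed through as an out-of-range prefix, neither of which produces an "error on line" diagnostic. Validate it in the same style as the surrounding errors: `u_int16_t bits = next_number(&w); if (bits > 32) { fprintf(stderr, "error on line %d: bad prefix length %u\n", n, bits); return (0); } r->src.mask = rule_mask(bits);`. A silently widened source or destination mask is exactly the kind of mistake that turns a narrow pass rule into a broad one, so this is worth failing hard on. parse_rule() starts before and continues after this hunk.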
@@ -622,7 +629,7 @@ parse_rule(int n, char *l, struct rule *r) /* flags */ if (!strcmp(w, "flags")) { if (r->proto != IPPROTO_TCP) { - fprintf(stderr, "error on line %i: flags only valid for proto tcp\n", n); + fprintf(stderr, "error on line %d: flags only valid for proto tcp\n", n); return (0); } else { @@ -636,7 +643,8 @@ parse_rule(int n, char *l, struct rule *r) /* icmp type/code */ if (!strcmp(w, "icmp-type")) { if (r->proto != IPPROTO_ICMP) { - fprintf(stderr, "error on line %i: icmp-type only valid for proto icmp\n", n); + fprintf(stderr, + "error on line %d: icmp-type only valid for proto icmp\n", n); return (0); } else { @@ -659,14 +667,14 @@ parse_rule(int n, char *l, struct rule *r) r->keep_state = 1; } else { - fprintf(stderr, "error on line %i: expected state, got %s\n", n, w); + fprintf(stderr, "error on line %d: expected state, got %s\n", n, w); return (0); } } /* no further options expected */ while (*w) { - fprintf(stderr, "error on line %i: unexpected %s\n", n, w); + fprintf(stderr, "error on line %d: unexpected %s\n", n, w); w = next_word(&l); } @@ -674,15 +682,17 @@ parse_rule(int n, char *l, struct rule *r) } int -parse_nat(int n, char *l, struct nat *nat) +parse_nat(int n, char *l, struct pf_nat *nat) { char *w; - memset(nat, 0, sizeof(struct nat)); + + memset(nat, 0, sizeof(struct pf_nat)); w = next_word(&l); /* nat */ if (strcmp(w, "nat" )) { - fprintf(stderr, "error on line %i: expected nat, got %s\n", n, w); + fprintf(stderr, + "error on line %d: expected nat, got %s\n", n, w); return (0); } w = next_word(&l); 
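Review bot: The trailing-token loop in parse_rule(), `while (*w) { fprintf(stderr, "error on line %d: unexpected %s\n", n, w); w = next_word(&l); }`, reports an error but records no failure, and the return that follows is outside this hunk; parse_rdr() visibly returns 1 after the same loop, so if parse_rule() does the same a rule with a misspelled trailing option is loaded with the option silently missing. The other error paths in this function all `return (0)` after their fprintf, so make this one match: `if (*w) { fprintf(stderr, "error on line %d: unexpected %s\n", n, w); return (0); }`. The same loop appears in parse_nat() below this hunk and should get the same treatment.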
@@ -702,14 +712,16 @@ parse_nat(int n, char *l, struct nat *nat) else if (*w == '/') nat->smask = rule_mask(next_number(&w)); else { - fprintf(stderr, "error on line %i: expected /, got '%c'\n", n, *w); + fprintf(stderr, + "error on line %d: expected /, got '%c'\n", n, *w); return (0); } w = next_word(&l); /* -> */ if (strcmp(w, "->")) { - fprintf(stderr, "error on line %i: expected ->, got %s\n", n, w); + fprintf(stderr, + "error on line %d: expected ->, got %s\n", n, w); return (0); } w = next_word(&l); @@ -729,7 +741,7 @@ parse_nat(int n, char *l, struct nat *nat) nat->proto = IPPROTO_ICMP; else { fprintf(stderr, - "error on line %i: expected tcp/udp/icmp, got %s\n", + "error on line %d: expected tcp/udp/icmp, got %s\n", n, w); return (0); } @@ -738,7 +750,7 @@ parse_nat(int n, char *l, struct nat *nat) /* no further options expected */ while (*w) { - fprintf(stderr, "error on line %i: unexpected %s\n", n, w); + fprintf(stderr, "error on line %d: unexpected %s\n", n, w); w = next_word(&l); } @@ -746,15 +758,17 @@ parse_nat(int n, char *l, struct nat *nat) } int -parse_rdr(int n, char *l, struct rdr *rdr) +parse_rdr(int n, char *l, struct pf_rdr *rdr) { char *w; - memset(rdr, 0, sizeof(struct rdr)); + + memset(rdr, 0, sizeof(struct pf_rdr)); w = next_word(&l); /* rdr */ if (strcmp(w, "rdr" )) { - fprintf(stderr, "error on line %i: expected rdr, got %s\n", n, w); + fprintf(stderr, + "error on line %d: expected rdr, got %s\n", n, w); return (0); } w = next_word(&l); 
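Review bot: `nat->smask = rule_mask(next_number(&w));` in parse_nat() has the same unchecked prefix length as parse_rule(): next_number() yields a u_int16_t that is narrowed to rule_mask()'s u_int8_t, so `/256` becomes a zero mask and `/33`..`/255` reach rule_mask() out of range, without the "error on line" message the rest of this parser emits for bad input. Check it before the call: `u_int16_t bits = next_number(&w); if (bits > 32) { fprintf(stderr, "error on line %d: bad prefix length %u\n", n, bits); return (0); } nat->smask = rule_mask(bits);`. For a NAT source mask a silently zeroed prefix means every source address is translated, so this should fail the load rather than be accepted. parse_nat() starts before this hunk and parse_rdr() continues past its end.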
@@ -774,14 +788,15 @@ parse_rdr(int n, char *l, struct rdr *rdr) else if (*w == '/') rdr->dmask = rule_mask(next_number(&w)); else { - fprintf(stderr, "error on line %i: expected /, got '%c'\n", n, *w); + fprintf(stderr, + "error on line %d: expected /, got '%c'\n", n, *w); return (0); } w = next_word(&l); /* external port */ if (strcmp(w, "port")) { - fprintf(stderr, "error on line %i: expected port, got %s\n", n, w); + fprintf(stderr, "error on line %d: expected port, got %s\n", n, w); return (0); } w = next_word(&l); @@ -790,7 +805,8 @@ parse_rdr(int n, char *l, struct rdr *rdr) /* -> */ if (strcmp(w, "->")) { - fprintf(stderr, "error on line %i: expected ->, got %s\n", n, w); + fprintf(stderr, + "error on line %d: expected ->, got %s\n", n, w); return (0); } w = next_word(&l); @@ -801,7 +817,8 @@ parse_rdr(int n, char *l, struct rdr *rdr) /* internal port */ if (strcmp(w, "port")) { - fprintf(stderr, "error on line %i: expected port, got %s\n", n, w); + fprintf(stderr, + "error on line %d: expected port, got %s\n", n, w); return (0); } w = next_word(&l); @@ -817,7 +834,7 @@ parse_rdr(int n, char *l, struct rdr *rdr) rdr->proto = IPPROTO_UDP; else { fprintf(stderr, - "error on line %i: expected tcp/udp, got %s\n", + "error on line %d: expected tcp/udp, got %s\n", n, w); return (0); } @@ -826,10 +843,9 @@ parse_rdr(int n, char *l, struct rdr *rdr) /* no further options expected */ while (*w) { - fprintf(stderr, "error on line %i: unexpected %s\n", n, w); + fprintf(stderr, "error on line %d: unexpected %s\n", n, w); w = next_word(&l); } return (1); } - diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index 34f2ebd802a..ff53760f639 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.h,v 1.3 2001/06/24 23:16:36 deraadt Exp $ */ +/* $OpenBSD: pfctl_parser.h,v 1.4 2001/06/25 09:44:33 deraadt Exp $ */ /* * Copyright (c) 2001, Daniel Hartmeier 
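Review bot: parse_rdr() ends with `while (*w) { fprintf(stderr, "error on line %d: unexpected %s\n", n, w); w = next_word(&l); } return (1);`, so after printing an error for unexpected trailing tokens it still reports success and the redirect is installed as parsed, minus whatever the user meant by the extra words. Every other error path in this function returns 0; this one should too: `if (*w) { fprintf(stderr, "error on line %d: unexpected %s\n", n, w); return (0); }`. The same `rdr->dmask = rule_mask(next_number(&w));` narrowing seen in parse_rule()/parse_nat() applies here as well and wants a `> 32` check before the call. parse_rdr() starts before this hunk.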
@@ -34,13 +34,13 @@
 #define _PFM_PARSER_H_
 
 char *next_line (char **);
-int parse_rule (int, char *, struct rule *);
-int parse_nat (int, char *, struct nat *);
-int parse_rdr (int, char *, struct rdr *);
-void print_rule (struct rule *);
-void print_nat (struct nat *);
-void print_rdr (struct rdr *);
-void print_state (struct state *);
-void print_status (struct status *);
+int parse_rule (int, char *, struct pf_rule *);
+int parse_nat (int, char *, struct pf_nat *);
+int parse_rdr (int, char *, struct pf_rdr *);
+void print_rule (struct pf_rule *);
+void print_nat (struct pf_nat *);
+void print_rdr (struct pf_rdr *);
+void print_state (struct pf_state *);
+void print_status (struct pf_status *);
 
 #endif /* _PFM_PARSER_H_ */ |