From 97af97df552997bcf634d59c48367a88719b7c2f Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Fri, 25 Jun 2010 23:27:48 +0000
Subject: remove -m (merge). it is violating the transactional model we have and made stronger in pf, it is broken in some cases and since some options are passed to the kernel while some are userland only and affect how the rules are parsed it is complete bullshit anyway - obviously, changing options that affect ruleset parsing without reloading and thus reparsing the ruleset cannot work. so stop pretending it could and cut the crap. ok dlg krw deraadt
---
 sbin/pfctl/pfctl.8 | 13 +++----------
 sbin/pfctl/pfctl.c | 42 ++++++++++++++----------------------
 sbin/pfctl/pfctl_parser.h | 3 +--
 3 files changed, 18 insertions(+), 40 deletions(-)

diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index c81f9154545..ee926718b50 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.144 2010/03/23 17:34:30 jmc Exp $
+.\" $OpenBSD: pfctl.8,v 1.145 2010/06/25 23:27:47 henning Exp $
 .\"
 .\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
 .\"
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2010 $
+.Dd $Mdocdate: June 25 2010 $
 .Dt PFCTL 8
 .Os
 .Sh NAME
@@ -33,7 +33,7 @@
 .Sh SYNOPSIS
 .Nm pfctl
 .Bk -words
-.Op Fl deghmnqrvz
+.Op Fl deghnqrvz
 .Op Fl a Ar anchor
 .Oo Fl D Ar macro Ns =
 .Ar value Oc
@@ -316,13 +316,6 @@ firewall with hostid 00000002 use:
 .It Fl L Ar statefile
 Load pf states from the file specified by
 .Ar statefile .
-.It Fl m
-Merge in explicitly given options without resetting those
-which are omitted.
-Allows single options to be modified without disturbing the others:
-.Bd -literal -offset indent
-# echo "set loginterface fxp0" | pfctl -mf -
-.Ed
 .It Fl n
 Do not actually load rules, just parse them.
 .It Fl o Ar level
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 2521780cf8a..1f0deda6ef1 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.296 2010/04/02 09:48:48 sthen Exp $ */
+/* $OpenBSD: pfctl.c,v 1.297 2010/06/25 23:27:47 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -231,7 +231,7 @@ usage(void)
 {
  extern char *__progname;
 
- fprintf(stderr, "usage: %s [-deghmnqrvz] ", __progname);
+ fprintf(stderr, "usage: %s [-deghnqrvz] ", __progname);
  fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
  fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
  fprintf(stderr, "\t[-k host | network | label | id] ");
@@ -1389,12 +1389,9 @@ pfctl_load_options(struct pfctl *pf)
  int i, error = 0;
 
  /* load limits */
- for (i = 0; i < PF_LIMIT_MAX; i++) {
- if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
- continue;
+ for (i = 0; i < PF_LIMIT_MAX; i++)
  if (pfctl_load_limit(pf, i, pf->limit[i]))
  error = 1;
- }
 
  /*
  * If we've set the limit, but haven't explicitly set adaptive
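Review bot: The limits loop in the -1389 hunk now has an unbraced body that is itself a two-line `if`, so any statement added to the loop later would silently land outside it; I would keep the braces the old code had, `for (i = 0; i < PF_LIMIT_MAX; i++) {` … `}`, and the same applies to the timeouts loop in the following hunk. The body still reads every `pf->limit[i]` unconditionally, which is the intended non-merge behaviour, so only the layout is at issue. pfctl_load_options continues outside this hunk.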
@@ -1412,32 +1409,25 @@ pfctl_load_options(struct pfctl *pf)
  }
 
  /* load timeouts */
- for (i = 0; i < PFTM_MAX; i++) {
- if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
- continue;
+ for (i = 0; i < PFTM_MAX; i++)
  if (pfctl_load_timeout(pf, i, pf->timeout[i]))
  error = 1;
- }
 
  /* load debug */
- if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
- if (pfctl_load_debug(pf, pf->debug))
- error = 1;
+ if (pf->debug_set && pfctl_load_debug(pf, pf->debug))
+ error = 1;
 
  /* load logif */
- if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
- if (pfctl_load_logif(pf, pf->ifname))
- error = 1;
+ if (pf->ifname_set && pfctl_load_logif(pf, pf->ifname))
+ error = 1;
 
  /* load hostid */
- if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
- if (pfctl_load_hostid(pf, pf->hostid))
- error = 1;
+ if (pf->hostid_set && pfctl_load_hostid(pf, pf->hostid))
+ error = 1;
 
  /* load reassembly settings */
- if (!(pf->opts & PF_OPT_MERGE) || pf->reass_set)
- if (pfctl_load_reassembly(pf, pf->reassemble))
- error = 1;
+ if (pf->reass_set && pfctl_load_reassembly(pf, pf->reassemble))
+ error = 1;
 
  return (error);
 }
@@ -1884,7 +1874,7 @@ main(int argc, char *argv[])
  usage();
 
  while ((ch = getopt(argc, argv,
- "a:dD:eqf:F:ghi:k:K:L:mno:p:rS:s:t:T:vx:z")) != -1) {
+ "a:dD:eqf:F:ghi:k:K:L:no:p:rS:s:t:T:vx:z")) != -1) {
  switch (ch) {
  case 'a':
  anchoropt = optarg;
@@ -1934,9 +1924,6 @@ main(int argc, char *argv[])
  src_node_kill[src_node_killers++] = optarg;
  mode = O_RDWR;
  break;
- case 'm':
- opts |= PF_OPT_MERGE;
- break;
  case 'n':
  opts |= PF_OPT_NOACTION;
  break;
@@ -2202,8 +2189,7 @@ main(int argc, char *argv[])
  if (pfctl_clear_interface_flags(dev, opts | PF_OPT_QUIET))
  error = 1;
 
- if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
- !anchorname[0])
+ if (rulesopt != NULL && !(opts & PF_OPT_NOACTION) && !anchorname[0])
  if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))
  error = 1;
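Review bot: In the -1412 hunk the debug, logif, hostid and reassembly loads are now gated on `pf->debug_set`, `pf->ifname_set`, `pf->hostid_set` and `pf->reass_set`, so on a plain ruleset load an option omitted from the file keeps whatever value the kernel already holds, whereas the limits and timeouts loops in this and the previous hunk push `pf->limit[i]` / `pf->timeout[i]` unconditionally and therefore reset omitted entries to the defaults. The removed code loaded all four unconditionally whenever -m was not given, so this is a behaviour change beyond dropping -m unless pfctl_init_options() marks those flags as set, which is outside the hunk. If keeping the current kernel value is the intent, a comment above the debug block would save the next reader the same question, e.g. `/* debug/logif/hostid/reass are only pushed when the ruleset sets them; an omitted option keeps its current kernel value */`; if not, the gates should go and these loads become unconditional like the loops. pfctl_load_options starts before this hunk.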
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index c50d414c9a9..26cd0beb1be 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.93 2010/03/23 13:31:29 henning Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.94 2010/06/25 23:27:47 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -47,7 +47,6 @@
 #define PF_OPT_DEBUG 0x0200
 #define PF_OPT_SHOWALL 0x0400
 #define PF_OPT_OPTIMIZE 0x0800
-#define PF_OPT_MERGE 0x2000
 #define PF_OPT_RECURSE 0x4000
 
 #define PF_TH_ALL 0xFF
-- 
cgit v1.2.3