From 830df3f8420b9a9e5efb47bd5a79ec1eaba144a4 Mon Sep 17 00:00:00 2001
From: Ryan Thomas McBride
Date: Tue, 31 Oct 2006 23:46:26 +0000
Subject: Allow a user to recursively print anchors including those without reserved names, if a trailing * is specified in the anchor name.

e.g. recursively print the main ruleset:
pfctl -a '*' -sr

Recursively print the spam anchor:
pfctl -a 'spam*'
pfctl -a 'spam/*'

Also fix a bug which prevented the contents of inline anchors with explicit names from being loaded into the kernel.

ok henning@
---
 sbin/pfctl/pfctl.c | 45 ++++++++++++++++++++++++++++++++++++++-------
 sbin/pfctl/pfctl_parser.c | 8 +-------
 sbin/pfctl/pfctl_parser.h | 3 ++-
 3 files changed, 41 insertions(+), 15 deletions(-)
(limited to 'sbin')

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 5f434f3d988..ed3e06cb59b 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.250 2006/10/31 14:17:45 mcbride Exp $ */
+/* $OpenBSD: pfctl.c,v 1.251 2006/10/31 23:46:24 mcbride Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -652,6 +652,7 @@ pfctl_show_rules(int dev, char *path, int opts, int format,
 u_int32_t nr, mnr, header = 0;
 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
 int len = strlen(path);
+ int brace;
 
 if (path[0])
 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
@@ -711,6 +712,7 @@ pfctl_show_rules(int dev, char *path, int opts, int format,
 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
 labels = 1;
 print_rule(&pr.rule, pr.anchor_call, rule_numbers);
+ printf("\n");
 pfctl_print_rule_counters(&pr.rule, opts);
 }
 pfctl_clear_pool(&pr.rule.rpool);
@@ -749,12 +751,20 @@ pfctl_show_rules(int dev, char *path, int opts, int format,
 }
 break;
 default:
+ brace = 0;
 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
 labels = 1;
 INDENT(depth, !(opts & PF_OPT_VERBOSE));
 print_rule(&pr.rule, pr.anchor_call, rule_numbers);
+ if (strlen(pr.anchor_call) &&
+ (pr.anchor_call[0] == '_' ||
+ opts & PF_OPT_RECURSE)) {
+ brace++;
+ printf(" {\n");
+ } else
+ printf("\n");
 pfctl_print_rule_counters(&pr.rule, opts);
- if (pr.anchor_call[0] == '_') {
+ if (brace) {
 pfctl_show_rules(dev, path, opts, format,
 pr.anchor_call, depth + 1);
 INDENT(depth, !(opts & PF_OPT_VERBOSE));
@@ -803,6 +813,7 @@ pfctl_show_nat(int dev, int opts, char *anchorname)
 }
 print_rule(&pr.rule, pr.anchor_call,
 opts & PF_OPT_VERBOSE2);
+ printf("\n");
 pfctl_print_rule_counters(&pr.rule, opts);
 pfctl_clear_pool(&pr.rule.rpool);
 }
@@ -1050,6 +1061,7 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
 {
 struct pf_rule *r;
 int error, len = strlen(path);
+ int brace = 0;
 
 pf->anchor = rs->anchor;
 
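Review bot: The new condition in the `default:` case tests for an empty anchor name with `strlen(pr.anchor_call) &&`, which scans the whole string where `pr.anchor_call[0] != '\0'` is the idiom and reads naturally next to the following `pr.anchor_call[0] == '_'` test; the `opts & PF_OPT_RECURSE` operand inside the `||` would also be clearer parenthesized, e.g. `if (pr.anchor_call[0] != '\0' && (pr.anchor_call[0] == '_' || (opts & PF_OPT_RECURSE))) {`. With recursion now enabled for user-named anchors, the recursive `pfctl_show_rules(dev, path, ...)` call appends `/anchor_call` to `path` through the `snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname)` visible as context in the 652 hunk, whose return value is not checked; an anchor hierarchy deep enough to exceed MAXPATHLEN would be silently truncated and presumably the wrong anchor path handed to the kernel, so checking the snprintf result against `MAXPATHLEN - len` and returning an error would be a cheap guard. The switch and pfctl_show_rules itself continue outside this hunk.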
@@ -1070,20 +1082,30 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
 if (pf->optimize && rs_num == PF_RULESET_FILTER)
 pfctl_optimize_ruleset(pf, rs);
 
+ if (pf->opts & PF_OPT_VERBOSE && depth) {
+ if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) {
+ brace++;
+ printf(" {\n");
+ } else
+ printf("\n");
+ }
+
 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
 if ((error = pfctl_load_rule(pf, path, r, depth)))
 goto error;
- if (r->anchor && r->anchor->name[0] == '_') {
+ if (r->anchor) {
 if ((error = pfctl_load_ruleset(pf, path,
 &r->anchor->ruleset, rs_num, depth + 1)))
 goto error;
- INDENT(depth, (pf->opts & PF_OPT_VERBOSE));
- if (pf->opts & PF_OPT_VERBOSE)
- printf("}\n");
- }
+ } else if (pf->opts & PF_OPT_VERBOSE)
+ printf("\n");
 free(r);
 }
+ if (brace) {
+ INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
+ printf("}\n");
+ }
 
 path[len] = '\0';
 return (0);
@@ -1912,6 +1934,15 @@ main(int argc, char *argv[])
 
 memset(anchorname, 0, sizeof(anchorname));
 if (anchoropt != NULL) {
+ int len = strlen(anchoropt);
+
+ if (anchoropt[len - 1] == '*') {
+ if (len >= 2 && anchoropt[len - 2] == '/')
+ anchoropt[len - 2] = '\0';
+ else
+ anchoropt[len - 1] = '\0';
+ }
+ opts |= PF_OPT_RECURSE;
 if (strlcpy(anchorname, anchoropt,
 sizeof(anchorname)) >= sizeof(anchorname))
 errx(1, "anchor name '%s' too long",
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 4503048e069..e7b3b852735 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.233 2006/10/28 14:29:05 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.234 2006/10/31 23:46:24 mcbride Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
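Review bot: Dropping `r->anchor->name[0] == '_'` from the condition means pfctl_load_ruleset now recurses into every rule that has `r->anchor` set, not only anonymous inline blocks; if the parser also attaches `r->anchor` to a plain `anchor "name"` reference without a block (not visible here), that ruleset would now be processed as part of this load, so it is worth confirming that only inline definitions carry `r->anchor`, or that an empty `rs->rules[rs_num].active` list makes the recursion a no-op for the transaction. The new `depth` / `brace` interplay also deserves a comment above the first new `if`, e.g. `/* depth > 0: inside an anchor whose rule the caller already printed; in verbose mode wrap a non-empty ruleset in " {" ... "}" */`. The beginning of pfctl_load_ruleset is outside this hunk.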
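Review bot: `anchoropt[len - 1]` is read before `len` is checked, so an empty optarg (`-a ''`) indexes one byte before the string, an out-of-bounds read; guard it as `if (len > 0 && anchoropt[len - 1] == '*') {`. `opts |= PF_OPT_RECURSE;` sits after the closing `}` of that block, so recursion is switched on for every `-a` argument rather than only for a trailing `*` as the commit message describes; it should move inside the block, after the `'\0'` assignments. `len` stores the `size_t` result of strlen in an `int`; declaring it `size_t len` avoids the implicit narrowing. The rest of main is outside this hunk.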
@@ -668,7 +668,6 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 "anchor", "nat-anchor", "nat-anchor", "binat-anchor", "binat-anchor", "rdr-anchor", "rdr-anchor" };
 int i, opts;
- int brace = 0;
 
 if (verbose)
 printf("@%d ", r->nr);
@@ -676,12 +675,10 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 printf("action(%d)", r->action);
 else if (anchor_call[0]) {
 if (anchor_call[0] == '_') {
- brace++;
 printf("%s", anchortypes[r->action]);
 } else
 printf("%s \"%s\"", anchortypes[r->action],
 anchor_call);
-
 } else {
 printf("%s", actiontypes[r->action]);
 if (r->natpass)
@@ -990,9 +987,6 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 print_pool(&r->rpool, r->rpool.proxy_port[0],
 r->rpool.proxy_port[1], r->af, r->action);
 }
- if (brace)
- printf(" {");
- printf("\n");
 }
 
 void
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index f6f45bc0fa5..b901fb906ec 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.85 2006/10/31 14:17:45 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.86 2006/10/31 23:46:25 mcbride Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -48,6 +48,7 @@
 #define PF_OPT_SHOWALL 0x0400
 #define PF_OPT_OPTIMIZE 0x0800
 #define PF_OPT_MERGE 0x2000
+#define PF_OPT_RECURSE 0x4000
 
 #define PF_TH_ALL 0xFF
 
-- 
cgit v1.2.3
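Review bot: Removing the trailing `printf("\n")` and the ` {` from the end of print_rule (the 668 and 676 hunks are part of the same change) alters the contract of a shared function: every caller must now terminate the line itself. The callers in pfctl.c are updated in this commit, but any other caller, such as debug output elsewhere in sbin/pfctl, would silently lose its line ending, so a grep for print_rule across the directory is worth doing before committing. The declaration in pfctl_parser.h should state the new contract, e.g. `/* Prints one rule without a trailing newline; the caller ends the line (so it can emit " {" for anchors). */`. print_rule's body continues between and beyond these hunks.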