Differential D38025 Diff 119138 sbin/pfctl/pfctl_parser.c

Changeset View

Standalone View

sbin/pfctl/pfctl_parser.c

Show First 20 Lines • Show All 423 Lines • ▼ Show 20 Lines	print_pool(struct pfctl_pool *pool, u_int16_t p1, u_int16_t p2,
TAILQ_FOREACH(pooladdr, &pool->list, entries){		TAILQ_FOREACH(pooladdr, &pool->list, entries){
switch (id) {		switch (id) {
case PF_NAT:		case PF_NAT:
case PF_RDR:		case PF_RDR:
case PF_BINAT:		case PF_BINAT:
print_addr(&pooladdr->addr, af, 0);		print_addr(&pooladdr->addr, af, 0);
break;		break;
case PF_PASS:		case PF_PASS:
		case PF_MATCH:
if (PF_AZERO(&pooladdr->addr.v.a.addr, af))		if (PF_AZERO(&pooladdr->addr.v.a.addr, af))
printf("%s", pooladdr->ifname);		printf("%s", pooladdr->ifname);
else {		else {
printf("(%s ", pooladdr->ifname);		printf("(%s ", pooladdr->ifname);
print_addr(&pooladdr->addr, af, 0);		print_addr(&pooladdr->addr, af, 0);
printf(")");		printf(")");
}		}
break;		break;
▲ Show 20 Lines • Show All 179 Lines • ▼ Show 20 Lines	if (opts & PF_OPT_VERBOSE) {
}		}

printf("Syncookies\n");		printf("Syncookies\n");
assert(cookies->mode <= PFCTL_SYNCOOKIES_ADAPTIVE);		assert(cookies->mode <= PFCTL_SYNCOOKIES_ADAPTIVE);
printf(" %-25s %s\n", "mode",		printf(" %-25s %s\n", "mode",
PFCTL_SYNCOOKIES_MODE_NAMES[cookies->mode]);		PFCTL_SYNCOOKIES_MODE_NAMES[cookies->mode]);
printf(" %-25s %s\n", "active",		printf(" %-25s %s\n", "active",
s->syncookies_active ? "active" : "inactive");		s->syncookies_active ? "active" : "inactive");
		printf("Reassemble %24s %s\n",
		s->reass & PF_REASS_ENABLED ? "yes" : "no",
		s->reass & PF_REASS_NODF ? "no-df" : ""
		);
}		}
}		}

void		void
print_running(struct pfctl_status *status)		print_running(struct pfctl_status *status)
{		{
printf("%s\n", status->running ? "Enabled" : "Disabled");		printf("%s\n", status->running ? "Enabled" : "Disabled");
}		}
▲ Show 20 Lines • Show All 45 Lines • ▼ Show 20 Lines	case PF_NAT:
if (sn->rule.nr != -1)		if (sn->rule.nr != -1)
printf(", nat rule %u", sn->rule.nr);		printf(", nat rule %u", sn->rule.nr);
break;		break;
case PF_RDR:		case PF_RDR:
if (sn->rule.nr != -1)		if (sn->rule.nr != -1)
printf(", rdr rule %u", sn->rule.nr);		printf(", rdr rule %u", sn->rule.nr);
break;		break;
case PF_PASS:		case PF_PASS:
		case PF_MATCH:
if (sn->rule.nr != -1)		if (sn->rule.nr != -1)
printf(", filter rule %u", sn->rule.nr);		printf(", filter rule %u", sn->rule.nr);
break;		break;
}		}
printf("\n");		printf("\n");
}		}
}		}

▲ Show 20 Lines • Show All 109 Lines • ▼ Show 20 Lines	printf(" %s %d",
r->dnflags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue",		r->dnflags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue",
r->dnpipe);		r->dnpipe);
}		}

void		void
print_rule(struct pfctl_rule r, const char anchor_call, int verbose, int numeric)		print_rule(struct pfctl_rule r, const char anchor_call, int verbose, int numeric)
{		{
static const char *actiontypes[] = { "pass", "block", "scrub",		static const char *actiontypes[] = { "pass", "block", "scrub",
"no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };		"no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr",
		"", "", "match"};
static const char *anchortypes[] = { "anchor", "anchor", "anchor",		static const char *anchortypes[] = { "anchor", "anchor", "anchor",
"anchor", "nat-anchor", "nat-anchor", "binat-anchor",		"anchor", "nat-anchor", "nat-anchor", "binat-anchor",
"binat-anchor", "rdr-anchor", "rdr-anchor" };		"binat-anchor", "rdr-anchor", "rdr-anchor" };
int i, opts;		int i, opts;
char *p;		char *p;

if (verbose)		if (verbose)
printf("@%d ", r->nr);		printf("@%d ", r->nr);
▲ Show 20 Lines • Show All 119 Lines • ▼ Show 20 Lines	print_rule(struct pfctl_rule r, const char anchor_call, int verbose, int numeric)
if (r->gid.op)		if (r->gid.op)
print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",		print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
GID_MAX);		GID_MAX);
if (r->flags \|\| r->flagset) {		if (r->flags \|\| r->flagset) {
printf(" flags ");		printf(" flags ");
print_flags(r->flags);		print_flags(r->flags);
printf("/");		printf("/");
print_flags(r->flagset);		print_flags(r->flagset);
} else if (r->action == PF_PASS &&		} else if ((r->action == PF_PASS \|\| r->action == PF_MATCH) &&
(!r->proto \|\| r->proto == IPPROTO_TCP) &&		(!r->proto \|\| r->proto == IPPROTO_TCP) &&
!(r->rule_flag & PFRULE_FRAGMENT) &&		!(r->rule_flag & PFRULE_FRAGMENT) &&
!anchor_call[0] && r->keep_state)		!anchor_call[0] && r->keep_state)
printf(" flags any");		printf(" flags any");
if (r->type) {		if (r->type) {
const struct icmptypeent *it;		const struct icmptypeent *it;

it = geticmptypebynumber(r->type-1, r->af);		it = geticmptypebynumber(r->type-1, r->af);
Show All 25 Lines	if (r->scrub_flags & PFSTATE_SETMASK) {
if (r->scrub_flags & PFSTATE_SETPRIO) {		if (r->scrub_flags & PFSTATE_SETPRIO) {
if (r->set_prio[0] == r->set_prio[1])		if (r->set_prio[0] == r->set_prio[1])
printf("%s prio %u", comma, r->set_prio[0]);		printf("%s prio %u", comma, r->set_prio[0]);
else		else
printf("%s prio(%u, %u)", comma, r->set_prio[0],		printf("%s prio(%u, %u)", comma, r->set_prio[0],
r->set_prio[1]);		r->set_prio[1]);
comma = ",";		comma = ",";
}		}
		if (r->scrub_flags & PFSTATE_SETTOS) {
		printf("%s tos 0x%2.2x", comma, r->set_tos);
		comma = ",";
		}
printf(" )");		printf(" )");
}		}
if (!r->keep_state && r->action == PF_PASS && !anchor_call[0])		if (!r->keep_state && r->action == PF_PASS && !anchor_call[0])
printf(" no state");		printf(" no state");
else if (r->keep_state == PF_STATE_NORMAL)		else if (r->keep_state == PF_STATE_NORMAL)
printf(" keep state");		printf(" keep state");
else if (r->keep_state == PF_STATE_MODULATE)		else if (r->keep_state == PF_STATE_MODULATE)
printf(" modulate state");		printf(" modulate state");
▲ Show 20 Lines • Show All 109 Lines • ▼ Show 20 Lines	for (i = 0; i < PFTM_MAX; ++i)
if (pf_timeouts[j].timeout == i)		if (pf_timeouts[j].timeout == i)
break;		break;
printf("%s %u", pf_timeouts[j].name == NULL ?		printf("%s %u", pf_timeouts[j].name == NULL ?
"inv.timeout" : pf_timeouts[j].name,		"inv.timeout" : pf_timeouts[j].name,
r->timeout[i]);		r->timeout[i]);
}		}
printf(")");		printf(")");
}		}
		if (r->allow_opts)
		printf(" allow-opts");
if (r->rule_flag & PFRULE_FRAGMENT)		if (r->rule_flag & PFRULE_FRAGMENT)
printf(" fragment");		printf(" fragment");
		if (r->action == PF_SCRUB) {
		/* Scrub flags for old-style scrub. */
if (r->rule_flag & PFRULE_NODF)		if (r->rule_flag & PFRULE_NODF)
printf(" no-df");		printf(" no-df");
if (r->rule_flag & PFRULE_RANDOMID)		if (r->rule_flag & PFRULE_RANDOMID)
printf(" random-id");		printf(" random-id");
if (r->min_ttl)		if (r->min_ttl)
printf(" min-ttl %d", r->min_ttl);		printf(" min-ttl %d", r->min_ttl);
if (r->max_mss)		if (r->max_mss)
printf(" max-mss %d", r->max_mss);		printf(" max-mss %d", r->max_mss);
if (r->rule_flag & PFRULE_SET_TOS)		if (r->rule_flag & PFRULE_SET_TOS)
printf(" set-tos 0x%2.2x", r->set_tos);		printf(" set-tos 0x%2.2x", r->set_tos);
		kpUnsubmitted Done Inline Actions This seems to be why the pfctl pf0039 test fails. We no longer print 'fragment' on the rule that had it set. kp: This seems to be why the pfctl pf0039 test fails. We no longer print 'fragment' on the rule…
		vegeta_tuxpowered.netAuthorUnsubmitted Done Inline Actions Fixed. vegeta_tuxpowered.net: Fixed.
if (r->allow_opts)
printf(" allow-opts");
if (r->action == PF_SCRUB) {
if (r->rule_flag & PFRULE_REASSEMBLE_TCP)		if (r->rule_flag & PFRULE_REASSEMBLE_TCP)
printf(" reassemble tcp");		printf(" reassemble tcp");
		/* The PFRULE_FRAGMENT_NOREASS is set on all rules by default! */
printf(" fragment %sreassemble",		printf(" fragment %sreassemble",
r->rule_flag & PFRULE_FRAGMENT_NOREASS ? "no " : "");		r->rule_flag & PFRULE_FRAGMENT_NOREASS ? "no " : "");
		} else if (r->scrub_flags & PFSTATE_SCRUBMASK \|\| r->min_ttl \|\| r->max_mss) {
		/* Scrub actions on normal rules. */
		printf(" scrub(");
		if (r->scrub_flags & PFSTATE_NODF)
		printf(" no-df");
		if (r->scrub_flags & PFSTATE_RANDOMID)
		printf(" random-id");
		if (r->min_ttl)
		printf(" min-ttl %d", r->min_ttl);
		if (r->scrub_flags & PFSTATE_SETTOS)
		printf(" set-tos 0x%2.2x", r->set_tos);
		if (r->scrub_flags & PFSTATE_SCRUB_TCP)
		printf(" reassemble tcp");
		if (r->max_mss)
		printf(" max-mss %d", r->max_mss);
		printf(")");
}		}
i = 0;		i = 0;
		kpUnsubmitted Done Inline Actions We've got this twice. See also line 1127. kp: We've got this twice. See also line 1127.
while (r->label[i][0])		while (r->label[i][0])
printf(" label \"%s\"", r->label[i++]);		printf(" label \"%s\"", r->label[i++]);
if (r->ridentifier)		if (r->ridentifier)
printf(" ridentifier %u", r->ridentifier);		printf(" ridentifier %u", r->ridentifier);
/* Only dnrpipe as we might do (0, 42) to only queue return traffic. */		/* Only dnrpipe as we might do (0, 42) to only queue return traffic. */
if (r->dnrpipe)		if (r->dnrpipe)
printf(" %s(%d, %d)",		printf(" %s(%d, %d)",
r->free_flags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue",		r->free_flags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue",
▲ Show 20 Lines • Show All 861 Lines • Show Last 20 Lines