Add a new option -P to suppress getservbyport(3) calls when printing rules.
This allows one to force consistent printing of numeric port numbers rather than service names, as -n does for other tools such as netstat (-n was already taken here). -P is currently unused in OpenBSD, so the change is eligible for upstreaming. PR: misc/151015 Submitted by: Matt Koivisto (mkoivisto sandvine.com) Sponsored by: Sandvine Incorporated MFC after: 1 week
This commit is contained in:
parent
eb52d12531
commit
38a253506a
@ -26,7 +26,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd November 20, 2002
|
||||
.Dd June 13, 2011
|
||||
.Dt PFCTL 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -35,7 +35,7 @@
|
||||
.Sh SYNOPSIS
|
||||
.Nm pfctl
|
||||
.Bk -words
|
||||
.Op Fl AdeghmNnOqRrvz
|
||||
.Op Fl AdeghmNnOPqRrvz
|
||||
.Op Fl a Ar anchor
|
||||
.Oo Fl D Ar macro Ns =
|
||||
.Ar value Oc
|
||||
@ -350,6 +350,9 @@ without any options will enable
|
||||
optimizations, and a second
|
||||
.Fl o
|
||||
will enable profiling.
|
||||
.It Fl P
|
||||
Do not perform service name lookup for port specific rules,
|
||||
instead display the ports numerically.
|
||||
.It Fl p Ar device
|
||||
Use the device file
|
||||
.Ar device
|
||||
@ -670,6 +673,7 @@ Passive operating system fingerprint database.
|
||||
.Xr pf.conf 5 ,
|
||||
.Xr pf.os 5 ,
|
||||
.Xr rc.conf 5 ,
|
||||
.Xr services 5 ,
|
||||
.Xr sysctl.conf 5 ,
|
||||
.Xr authpf 8 ,
|
||||
.Xr ftp-proxy 8 ,
|
||||
|
@ -235,7 +235,7 @@ usage(void)
|
||||
{
|
||||
extern char *__progname;
|
||||
|
||||
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
|
||||
fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
|
||||
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
|
||||
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
|
||||
fprintf(stderr, "[-k host | network ]\n");
|
||||
@ -770,6 +770,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
|
||||
struct pfioc_rule pr;
|
||||
u_int32_t nr, mnr, header = 0;
|
||||
int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
|
||||
int numeric = opts & PF_OPT_NUMERIC;
|
||||
int len = strlen(path);
|
||||
int brace;
|
||||
char *p;
|
||||
@ -834,7 +835,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
|
||||
case PFCTL_SHOW_RULES:
|
||||
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
|
||||
labels = 1;
|
||||
print_rule(&pr.rule, pr.anchor_call, rule_numbers);
|
||||
print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
|
||||
printf("\n");
|
||||
pfctl_print_rule_counters(&pr.rule, opts);
|
||||
break;
|
||||
@ -894,7 +895,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
|
||||
} else
|
||||
p = &pr.anchor_call[0];
|
||||
|
||||
print_rule(&pr.rule, p, rule_numbers);
|
||||
print_rule(&pr.rule, p, rule_numbers, numeric);
|
||||
if (brace)
|
||||
printf(" {\n");
|
||||
else
|
||||
@ -951,7 +952,7 @@ pfctl_show_nat(int dev, int opts, char *anchorname)
|
||||
dotitle = 0;
|
||||
}
|
||||
print_rule(&pr.rule, pr.anchor_call,
|
||||
opts & PF_OPT_VERBOSE2);
|
||||
opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
|
||||
printf("\n");
|
||||
pfctl_print_rule_counters(&pr.rule, opts);
|
||||
pfctl_clear_pool(&pr.rule.rpool);
|
||||
@ -1318,7 +1319,8 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
|
||||
if (pf->opts & PF_OPT_VERBOSE) {
|
||||
INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
|
||||
print_rule(r, r->anchor ? r->anchor->name : "",
|
||||
pf->opts & PF_OPT_VERBOSE2);
|
||||
pf->opts & PF_OPT_VERBOSE2,
|
||||
pf->opts & PF_OPT_NUMERIC);
|
||||
}
|
||||
path[len] = '\0';
|
||||
pfctl_clear_pool(&r->rpool);
|
||||
@ -1978,7 +1980,7 @@ main(int argc, char *argv[])
|
||||
usage();
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
"a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
|
||||
"a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
|
||||
switch (ch) {
|
||||
case 'a':
|
||||
anchoropt = optarg;
|
||||
@ -2080,6 +2082,9 @@ main(int argc, char *argv[])
|
||||
case 'p':
|
||||
pf_device = optarg;
|
||||
break;
|
||||
case 'P':
|
||||
opts |= PF_OPT_NUMERIC;
|
||||
break;
|
||||
case 's':
|
||||
showopt = pfctl_lookup_option(optarg, showopt_list);
|
||||
if (showopt == NULL) {
|
||||
|
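Review bot: The `case 'P':` added at L315 sets PF_OPT_NUMERIC with no comment tying the letter to the lookup it suppresses, and the flag then travels to print_rule as an unnormalized bit (0 or 0x1000) — as `numeric` at L155 and as the inline `opts & PF_OPT_NUMERIC` at L235 and L265. That works today because print_port only tests `!numeric`, but a future consumer comparing against 1 or storing it in a narrower type would silently lose it. Suggest `case 'P': /* -P: print ports numerically, skip getservbyport(3) */` and `int numeric = (opts & PF_OPT_NUMERIC) != 0;` at L155, with the same `!= 0` form at the two inline call sites. Note that the usage string at L131, the getopt string at L291 and the manpage SYNOPSIS are three hand-maintained copies of the option list; main() and pfctl_show_rules both continue outside their hunks.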
@ -407,7 +407,7 @@ optimize_superblock(struct pfctl *pf, struct superblock *block)
|
||||
TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
|
||||
printf(" ");
|
||||
print_rule(&por->por_rule, por->por_rule.anchor ?
|
||||
por->por_rule.anchor->name : "", 1);
|
||||
por->por_rule.anchor->name : "", 1, 0);
|
||||
}
|
||||
#endif /* OPT_DEBUG */
|
||||
|
||||
|
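Review bot: The call at L349 passes the two new trailing arguments as bare literals, `1, 0`, which is hard to read against a signature whose last two parameters are both `int`. Since this call sits under `#ifdef OPT_DEBUG` (per the `#endif /* OPT_DEBUG */` at L355) it is never compiled in a default build, so an argument-order slip here would only surface when someone enables the debug build. Suggest `por->por_rule.anchor->name : "", 1 /* verbose */, 0 /* numeric */);`. optimize_superblock begins and ends outside the hunk.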
@ -64,11 +64,11 @@ __FBSDID("$FreeBSD$");
|
||||
#include "pfctl.h"
|
||||
|
||||
void print_op (u_int8_t, const char *, const char *);
|
||||
void print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
|
||||
void print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int);
|
||||
void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
|
||||
void print_flags (u_int8_t);
|
||||
void print_fromto(struct pf_rule_addr *, pf_osfp_t,
|
||||
struct pf_rule_addr *, u_int8_t, u_int8_t, int);
|
||||
struct pf_rule_addr *, u_int8_t, u_int8_t, int, int);
|
||||
int ifa_skip_if(const char *filter, struct node_host *p);
|
||||
|
||||
struct node_host *ifa_grouplookup(const char *, int);
|
||||
@ -320,12 +320,15 @@ print_op(u_int8_t op, const char *a1, const char *a2)
|
||||
}
|
||||
|
||||
void
|
||||
print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
|
||||
print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numeric)
|
||||
{
|
||||
char a1[6], a2[6];
|
||||
struct servent *s;
|
||||
|
||||
s = getservbyport(p1, proto);
|
||||
if (!numeric)
|
||||
s = getservbyport(p1, proto);
|
||||
else
|
||||
s = NULL;
|
||||
p1 = ntohs(p1);
|
||||
p2 = ntohs(p2);
|
||||
snprintf(a1, sizeof(a1), "%u", p1);
|
||||
@ -363,7 +366,7 @@ print_flags(u_int8_t f)
|
||||
|
||||
void
|
||||
print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
|
||||
sa_family_t af, u_int8_t proto, int verbose)
|
||||
sa_family_t af, u_int8_t proto, int verbose, int numeric)
|
||||
{
|
||||
char buf[PF_OSFP_LEN*3];
|
||||
if (src->addr.type == PF_ADDR_ADDRMASK &&
|
||||
@ -384,7 +387,8 @@ print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
|
||||
if (src->port_op)
|
||||
print_port(src->port_op, src->port[0],
|
||||
src->port[1],
|
||||
proto == IPPROTO_TCP ? "tcp" : "udp");
|
||||
proto == IPPROTO_TCP ? "tcp" : "udp",
|
||||
numeric);
|
||||
if (osfp != PF_OSFP_ANY)
|
||||
printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf,
|
||||
sizeof(buf)));
|
||||
@ -396,7 +400,8 @@ print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
|
||||
if (dst->port_op)
|
||||
print_port(dst->port_op, dst->port[0],
|
||||
dst->port[1],
|
||||
proto == IPPROTO_TCP ? "tcp" : "udp");
|
||||
proto == IPPROTO_TCP ? "tcp" : "udp",
|
||||
numeric);
|
||||
}
|
||||
}
|
||||
|
||||
@ -673,7 +678,7 @@ print_src_node(struct pf_src_node *sn, int opts)
|
||||
}
|
||||
|
||||
void
|
||||
print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
|
||||
print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
|
||||
{
|
||||
static const char *actiontypes[] = { "pass", "block", "scrub",
|
||||
"no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
|
||||
@ -800,7 +805,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
|
||||
printf(" proto %u", r->proto);
|
||||
}
|
||||
print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,
|
||||
verbose);
|
||||
verbose, numeric);
|
||||
if (r->uid.op)
|
||||
print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",
|
||||
UID_MAX);
|
||||
|
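Review bot: The new print_port definition line at L415 runs to 83 columns, past the 80-column limit style(9) asks for; wrap it as `print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto,` followed by `    int numeric)`. The if/else at L432–L441 could also collapse to `s = numeric ? NULL : getservbyport(p1, proto);`, keeping the lookup skipped on the -P path exactly as the commit intends. A one-line comment such as `/* numeric: skip the getservbyport(3) lookup and print the port number */` above the definition would document the new parameter; print_port's body continues outside the hunk.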
@ -48,6 +48,7 @@
|
||||
#define PF_OPT_DEBUG 0x0200
|
||||
#define PF_OPT_SHOWALL 0x0400
|
||||
#define PF_OPT_OPTIMIZE 0x0800
|
||||
#define PF_OPT_NUMERIC 0x1000
|
||||
#define PF_OPT_MERGE 0x2000
|
||||
#define PF_OPT_RECURSE 0x4000
|
||||
|
||||
@ -235,7 +236,7 @@ int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
|
||||
|
||||
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
|
||||
void print_src_node(struct pf_src_node *, int);
|
||||
void print_rule(struct pf_rule *, const char *, int);
|
||||
void print_rule(struct pf_rule *, const char *, int, int);
|
||||
void print_tabledef(const char *, int, int, struct node_tinithead *);
|
||||
void print_status(struct pf_status *, int);
|
||||
|
||||
|
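Review bot: The prototype at L629 now ends in two adjacent unnamed `int` parameters (`verbose`, then `numeric`, per the definition in pfctl_parser.c), so a caller that swaps them compiles without complaint; the bare `1, 0` in pfctl_optimize.c is exactly the kind of call site where that can happen. Suggest annotating the prototype, `void print_rule(struct pf_rule *, const char *, int /* verbose */, int /* numeric */);`, or noting the parameter order in a comment above it. The new `PF_OPT_NUMERIC 0x1000` at L604 fills the previously unused bit between 0x0800 and 0x2000, so it does not collide with existing PF_OPT_* flags visible in this hunk.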