pf: Fix parsing of long table names
When parsing the nvlist for a struct pf_addr_wrap we unconditionally
tried to parse "ifname". This broke for PF_ADDR_TABLE when the table
name was longer than IFNAMSIZ. PF_TABLE_NAME_SIZE is longer than
IFNAMSIZ, so this is a valid configuration.
Only parse (or return) ifname or tblname for the corresponding
pf_addr_wrap type.
This manifested as a failure to set rules such as these, where the pfctl
optimiser generated an automatic table:
pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh
Reported by: Florian Smeets
Tested by: Florian Smeets
Reviewed by: donner
X-MFC-With: 5c11c5a365
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29962
This commit is contained in:
parent
e657f3de6d
commit
402dfb0a8d
@ -148,8 +148,10 @@ pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name,
|
|||||||
|
|
||||||
nvlist_add_number(nvl, "type", addr->type);
|
nvlist_add_number(nvl, "type", addr->type);
|
||||||
nvlist_add_number(nvl, "iflags", addr->iflags);
|
nvlist_add_number(nvl, "iflags", addr->iflags);
|
||||||
nvlist_add_string(nvl, "ifname", addr->v.ifname);
|
if (addr->type == PF_ADDR_DYNIFTL)
|
||||||
nvlist_add_string(nvl, "tblname", addr->v.tblname);
|
nvlist_add_string(nvl, "ifname", addr->v.ifname);
|
||||||
|
if (addr->type == PF_ADDR_TABLE)
|
||||||
|
nvlist_add_string(nvl, "tblname", addr->v.tblname);
|
||||||
pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);
|
pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);
|
||||||
pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask);
|
pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask);
|
||||||
|
|
||||||
@ -161,9 +163,12 @@ pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
|
|||||||
{
|
{
|
||||||
addr->type = nvlist_get_number(nvl, "type");
|
addr->type = nvlist_get_number(nvl, "type");
|
||||||
addr->iflags = nvlist_get_number(nvl, "iflags");
|
addr->iflags = nvlist_get_number(nvl, "iflags");
|
||||||
strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ);
|
if (addr->type == PF_ADDR_DYNIFTL)
|
||||||
strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"),
|
strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"),
|
||||||
PF_TABLE_NAME_SIZE);
|
IFNAMSIZ);
|
||||||
|
if (addr->type == PF_ADDR_TABLE)
|
||||||
|
strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"),
|
||||||
|
PF_TABLE_NAME_SIZE);
|
||||||
|
|
||||||
pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr);
|
pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr);
|
||||||
pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask);
|
pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask);
|
||||||
|
@ -1784,10 +1784,12 @@ pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr)
|
|||||||
|
|
||||||
PFNV_CHK(pf_nvuint8(nvl, "type", &addr->type));
|
PFNV_CHK(pf_nvuint8(nvl, "type", &addr->type));
|
||||||
PFNV_CHK(pf_nvuint8(nvl, "iflags", &addr->iflags));
|
PFNV_CHK(pf_nvuint8(nvl, "iflags", &addr->iflags));
|
||||||
PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname,
|
if (addr->type == PF_ADDR_DYNIFTL)
|
||||||
sizeof(addr->v.ifname)));
|
PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname,
|
||||||
PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname,
|
sizeof(addr->v.ifname)));
|
||||||
sizeof(addr->v.tblname)));
|
if (addr->type == PF_ADDR_TABLE)
|
||||||
|
PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname,
|
||||||
|
sizeof(addr->v.tblname)));
|
||||||
|
|
||||||
if (! nvlist_exists_nvlist(nvl, "addr"))
|
if (! nvlist_exists_nvlist(nvl, "addr"))
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
@ -1827,8 +1829,10 @@ pf_addr_wrap_to_nvaddr_wrap(const struct pf_addr_wrap *addr)
|
|||||||
|
|
||||||
nvlist_add_number(nvl, "type", addr->type);
|
nvlist_add_number(nvl, "type", addr->type);
|
||||||
nvlist_add_number(nvl, "iflags", addr->iflags);
|
nvlist_add_number(nvl, "iflags", addr->iflags);
|
||||||
nvlist_add_string(nvl, "ifname", addr->v.ifname);
|
if (addr->type == PF_ADDR_DYNIFTL)
|
||||||
nvlist_add_string(nvl, "tblname", addr->v.tblname);
|
nvlist_add_string(nvl, "ifname", addr->v.ifname);
|
||||||
|
if (addr->type == PF_ADDR_TABLE)
|
||||||
|
nvlist_add_string(nvl, "tblname", addr->v.tblname);
|
||||||
|
|
||||||
tmp = pf_addr_to_nvaddr(&addr->v.a.addr);
|
tmp = pf_addr_to_nvaddr(&addr->v.a.addr);
|
||||||
if (tmp == NULL)
|
if (tmp == NULL)
|
||||||
|
Loading…
Reference in New Issue
Block a user