From 7ceffe8d596a6c4a956b1da3e5903b397b597c3d Mon Sep 17 00:00:00 2001 From: bz Date: Mon, 13 Jun 2011 20:11:28 +0000 Subject: [PATCH] Add a new option -P to suppress getservbyport(3) calls when printing rules. This allows one to force consistent printing of numeric port numbers like we do with -n for other tools like netstat (just that -n was already taken) rather than the service names. -P is currently unused in OpenBSD so the change is eligible for upstreaming. PR: misc/151015 Submitted by: Matt Koivisto (mkoivisto sandvine.com) Sponsored by: Sandvine Incorporated MFC after: 1 week
---
 contrib/pf/pfctl/pfctl.8 | 8 ++++++--
 contrib/pf/pfctl/pfctl.c | 17 +++++++++++------
 contrib/pf/pfctl/pfctl_optimize.c | 2 +-
 contrib/pf/pfctl/pfctl_parser.c | 23 ++++++++++++++---------
 contrib/pf/pfctl/pfctl_parser.h | 3 ++-
 5 files changed, 34 insertions(+), 19 deletions(-)
diff --git a/contrib/pf/pfctl/pfctl.8 b/contrib/pf/pfctl/pfctl.8
index 24be6e51c487..917a859745c7 100644
--- a/contrib/pf/pfctl/pfctl.8
+++ b/contrib/pf/pfctl/pfctl.8
@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 20, 2002
+.Dd June 13, 2011
 .Dt PFCTL 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Sh SYNOPSIS
 .Nm pfctl
 .Bk -words
-.Op Fl AdeghmNnOqRrvz
+.Op Fl AdeghmNnOPqRrvz
 .Op Fl a Ar anchor
 .Oo Fl D Ar macro Ns =
 .Ar value Oc
@@ -350,6 +350,9 @@ without any options will enable optimizations, and a second
 .Fl o
 will enable profiling.
+.It Fl P
+Do not perform service name lookup for port specific rules,
+instead display the ports numerically.
 .It Fl p Ar device
 Use the device file
 .Ar device
@@ -670,6 +673,7 @@ Passive operating system fingerprint database.
 .Xr pf.conf 5 ,
 .Xr pf.os 5 ,
 .Xr rc.conf 5 ,
+.Xr services 5 ,
 .Xr sysctl.conf 5 ,
 .Xr authpf 8 ,
 .Xr ftp-proxy 8 ,
diff --git a/contrib/pf/pfctl/pfctl.c b/contrib/pf/pfctl/pfctl.c
index 21995f6468de..e76261bdcbbf 100644
--- a/contrib/pf/pfctl/pfctl.c
+++ b/contrib/pf/pfctl/pfctl.c
@@ -235,7 +235,7 @@ usage(void)
 {
 	extern char *__progname;
 
-	fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
+	fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
 	fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
 	fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
 	fprintf(stderr, "[-k host | network ]\n");
@@ -770,6 +770,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
 	struct pfioc_rule pr;
 	u_int32_t nr, mnr, header = 0;
 	int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
+	int numeric = opts & PF_OPT_NUMERIC;
 	int len = strlen(path);
 	int brace;
 	char *p;
@@ -834,7 +835,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
 		case PFCTL_SHOW_RULES:
 			if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
 				labels = 1;
-			print_rule(&pr.rule, pr.anchor_call, rule_numbers);
+			print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
 			printf("\n");
 			pfctl_print_rule_counters(&pr.rule, opts);
 			break;
@@ -894,7 +895,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
 			} else
 				p = &pr.anchor_call[0];
-			print_rule(&pr.rule, p, rule_numbers);
+			print_rule(&pr.rule, p, rule_numbers, numeric);
 			if (brace)
 				printf(" {\n");
 			else
@@ -951,7 +952,7 @@ pfctl_show_nat(int dev, int opts, char *anchorname)
 			dotitle = 0;
 		}
 		print_rule(&pr.rule, pr.anchor_call,
-		    opts & PF_OPT_VERBOSE2);
+		    opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
 		printf("\n");
 		pfctl_print_rule_counters(&pr.rule, opts);
 		pfctl_clear_pool(&pr.rule.rpool);
@@ -1318,7 +1319,8 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
 	if (pf->opts & PF_OPT_VERBOSE) {
 		INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
 		print_rule(r, r->anchor ? r->anchor->name : "",
-		    pf->opts & PF_OPT_VERBOSE2);
+		    pf->opts & PF_OPT_VERBOSE2,
+		    pf->opts & PF_OPT_NUMERIC);
 	}
 	path[len] = '\0';
 	pfctl_clear_pool(&r->rpool);
@@ -1978,7 +1980,7 @@ main(int argc, char *argv[])
 		usage();
 
 	while ((ch = getopt(argc, argv,
-	    "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
+	    "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
 		switch (ch) {
 		case 'a':
 			anchoropt = optarg;
@@ -2080,6 +2082,9 @@ main(int argc, char *argv[])
 		case 'p':
 			pf_device = optarg;
 			break;
+		case 'P':
+			opts |= PF_OPT_NUMERIC;
+			break;
 		case 's':
 			showopt = pfctl_lookup_option(optarg, showopt_list);
 			if (showopt == NULL) {
diff --git a/contrib/pf/pfctl/pfctl_optimize.c b/contrib/pf/pfctl/pfctl_optimize.c
index 44c04779d61e..0514e8105bf2 100644
--- a/contrib/pf/pfctl/pfctl_optimize.c
+++ b/contrib/pf/pfctl/pfctl_optimize.c
@@ -407,7 +407,7 @@ optimize_superblock(struct pfctl *pf, struct superblock *block)
 	TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
 		printf(" ");
 		print_rule(&por->por_rule, por->por_rule.anchor ?
-		    por->por_rule.anchor->name : "", 1);
+		    por->por_rule.anchor->name : "", 1, 0);
 	}
 #endif /* OPT_DEBUG */
 
diff --git a/contrib/pf/pfctl/pfctl_parser.c b/contrib/pf/pfctl/pfctl_parser.c
index c9b2e1189b68..7dc0c592f2e1 100644
--- a/contrib/pf/pfctl/pfctl_parser.c
+++ b/contrib/pf/pfctl/pfctl_parser.c
@@ -64,11 +64,11 @@ __FBSDID("$FreeBSD$");
 #include "pfctl.h"
 
 void print_op (u_int8_t, const char *, const char *);
-void print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
+void print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int);
 void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
 void print_flags (u_int8_t);
 void print_fromto(struct pf_rule_addr *, pf_osfp_t,
-    struct pf_rule_addr *, u_int8_t, u_int8_t, int);
+    struct pf_rule_addr *, u_int8_t, u_int8_t, int, int);
 int ifa_skip_if(const char *filter, struct node_host *p);
 struct node_host *ifa_grouplookup(const char *, int);
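Review bot: The OPT_DEBUG trace in optimize_superblock hard-codes the new numeric argument to 0, so under `pfctl -P` this one print_rule call would still go through getservbyport(3) while every other call site in the commit passes the option through. `pf` is the function's first parameter (visible in the hunk header) and pfctl_load_rule in this same commit already reads the flag as `pf->opts & PF_OPT_NUMERIC`, so `por->por_rule.anchor->name : "", 1, pf->opts & PF_OPT_NUMERIC);` would keep the debug output consistent with the rest of the tool. This only affects builds compiled with OPT_DEBUG, so the impact is limited to developer diagnostics. optimize_superblock begins and ends outside the hunk.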
@@ -320,12 +320,15 @@ print_op(u_int8_t op, const char *a1, const char *a2)
 }
 
 void
-print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
+print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numeric)
 {
 	char a1[6], a2[6];
 	struct servent *s;
 
-	s = getservbyport(p1, proto);
+	if (!numeric)
+		s = getservbyport(p1, proto);
+	else
+		s = NULL;
 	p1 = ntohs(p1);
 	p2 = ntohs(p2);
 	snprintf(a1, sizeof(a1), "%u", p1);
@@ -363,7 +366,7 @@ print_flags(u_int8_t f)
 
 void
 print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
-    sa_family_t af, u_int8_t proto, int verbose)
+    sa_family_t af, u_int8_t proto, int verbose, int numeric)
 {
 	char buf[PF_OSFP_LEN*3];
 	if (src->addr.type == PF_ADDR_ADDRMASK &&
@@ -384,7 +387,8 @@ print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
 		if (src->port_op)
 			print_port(src->port_op, src->port[0], src->port[1],
-			    proto == IPPROTO_TCP ? "tcp" : "udp");
+			    proto == IPPROTO_TCP ? "tcp" : "udp",
+			    numeric);
 		if (osfp != PF_OSFP_ANY)
 			printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf, sizeof(buf)));
@@ -396,7 +400,8 @@ print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
 		if (dst->port_op)
 			print_port(dst->port_op, dst->port[0], dst->port[1],
-			    proto == IPPROTO_TCP ? "tcp" : "udp");
+			    proto == IPPROTO_TCP ? "tcp" : "udp",
+			    numeric);
 	}
 }
 
@@ -673,7 +678,7 @@ print_src_node(struct pf_src_node *sn, int opts)
 }
 
 void
-print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
+print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
 {
 	static const char *actiontypes[] = { "pass", "block", "scrub", "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
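Review bot: The new `if (!numeric) ... else s = NULL;` in print_port spends four lines on a single assignment; `s = numeric ? NULL : getservbyport(p1, proto);` expresses the same thing in one and reads as what it is, a lookup that is skipped under -P. The rewritten print_port signature line is now 83 columns, whereas the print_fromto signature changed in the next hunk stays wrapped in the file's KNF style, so `int numeric)` belongs on a continuation line. Since `numeric` is the only hint in this function that the option exists, a one-line comment above the lookup such as `/* -P: print the port number instead of consulting services(5) */` would help the next reader. print_port's body continues past the end of the hunk.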
@@ -800,7 +805,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 			printf(" proto %u", r->proto);
 	}
 	print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,
-	    verbose);
+	    verbose, numeric);
 	if (r->uid.op)
 		print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user", UID_MAX);
diff --git a/contrib/pf/pfctl/pfctl_parser.h b/contrib/pf/pfctl/pfctl_parser.h
index 4885203a532b..ab9017e51a2f 100644
--- a/contrib/pf/pfctl/pfctl_parser.h
+++ b/contrib/pf/pfctl/pfctl_parser.h
@@ -48,6 +48,7 @@
 #define PF_OPT_DEBUG 0x0200
 #define PF_OPT_SHOWALL 0x0400
 #define PF_OPT_OPTIMIZE 0x0800
+#define PF_OPT_NUMERIC 0x1000
 #define PF_OPT_MERGE 0x2000
 #define PF_OPT_RECURSE 0x4000
 
@@ -235,7 +236,7 @@ int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
 
 void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
 void print_src_node(struct pf_src_node *, int);
-void print_rule(struct pf_rule *, const char *, int);
+void print_rule(struct pf_rule *, const char *, int, int);
 void print_tabledef(const char *, int, int, struct node_tinithead *);
 void print_status(struct pf_status *, int);
 