The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=4ace4ea9ca6ee18d2c449ea7a8f909fe8836eb9e
commit 4ace4ea9ca6ee18d2c449ea7a8f909fe8836eb9e
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-05-29 14:13:10 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-06-09 19:38:06 +0000
pfctl: add option -S (no domain resolution)
manpage wording and reminder about usage() jmc@ ok florian@ henning@
Reviewed by: ziaee (manpages)
Obtained from: OpenBSD, benno <be...@openbsd.org>, 7c8726d43b
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50724
---
 sbin/pfctl/parse.y | 19 ++++++++++---------
 sbin/pfctl/pfctl.8 | 5 ++++-
 sbin/pfctl/pfctl.c | 7 +++++--
 sbin/pfctl/pfctl.h | 2 +-
 sbin/pfctl/pfctl_parser.c | 15 +++++++++------
 sbin/pfctl/pfctl_parser.h | 37 +++++++++++++++++++------------------
 sbin/pfctl/pfctl_radix.c | 4 ++--
 sbin/pfctl/pfctl_table.c | 18 +++++++++---------
 8 files changed, 59 insertions(+), 48 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 3ddf391810c6..1b137eecfa47 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -364,7 +364,7 @@ int rule_consistent(struct pfctl_rule *, int);
 int filter_consistent(struct pfctl_rule *, int);
 int nat_consistent(struct pfctl_rule *);
 int rdr_consistent(struct pfctl_rule *);
-int process_tabledef(char *, struct table_opts *);
+int process_tabledef(char *, struct table_opts *, int);
 void expand_label_str(char *, size_t, const char *, const char *);
 void expand_label_if(const char *, char *, size_t, const char *);
 void expand_label_addr(const char *, char *, size_t, sa_family_t,
@@ -1746,7 +1746,7 @@ tabledef : TABLE '<' STRING '>' table_opts {
 YYERROR;
 }
 if (pf->loadopt & PFCTL_FLAG_TABLE)
- if (process_tabledef($3, &$5)) {
+ if (process_tabledef($3, &$5, pf->opts)) {
 free($3);
 YYERROR;
 }
@@ -3007,7 +3007,7 @@ filter_opt : USER uids {
 }
 | DIVERTTO STRING PORT portplain {
 #ifndef __FreeBSD__
- if ((filter_opts.divert.addr = host($2)) == NULL) {
+ if ((filter_opts.divert.addr = host($2, pf->opts)) == NULL) {
 yyerror("could not parse divert address: %s",
 $2);
 free($2);
@@ -3719,7 +3719,7 @@ xhost : not host {
 ;
 host : STRING {
- if (($$ = host($1)) == NULL) {
+ if (($$ = host($1, pf->opts)) == NULL) {
 /* error. "any" is handled elsewhere */
 free($1);
 yyerror("could not parse host specification");
@@ -3731,7 +3731,8 @@ host : STRING {
 | STRING '-' STRING {
 struct node_host *b, *e;
- if ((b = host($1)) == NULL || (e = host($3)) == NULL) {
+ if ((b = host($1, pf->opts)) == NULL ||
+ (e = host($3, pf->opts)) == NULL) {
 free($1);
 free($3);
 yyerror("could not parse host specification");
@@ -3767,7 +3768,7 @@ host : STRING {
 if (asprintf(&buf, "%s/%lld", $1, (long long)$3) == -1)
 err(1, "host: asprintf");
 free($1);
- if (($$ = host(buf)) == NULL) {
+ if (($$ = host(buf, pf->opts)) == NULL) {
 /* error. "any" is handled elsewhere */
 free(buf);
 yyerror("could not parse host specification");
@@ -3785,7 +3786,7 @@ host : STRING {
 if (asprintf(&buf, "%lld/%lld", $1, $3) == -1)
 #endif
 err(1, "host: asprintf");
- if (($$ = host(buf)) == NULL) {
+ if (($$ = host(buf, pf->opts)) == NULL) {
 /* error. "any" is handled elsewhere */
 free(buf);
 yyerror("could not parse host specification");
@@ -5494,7 +5495,7 @@ rdr_consistent(struct pfctl_rule *r)
 }
 int
-process_tabledef(char *name, struct table_opts *opts)
+process_tabledef(char *name, struct table_opts *opts, int popts)
 {
 struct pfr_buffer ab;
 struct node_tinit *ti;
@@ -5505,7 +5506,7 @@ process_tabledef(char *name, struct table_opts *opts)
 ab.pfrb_type = PFRB_ADDRS;
 SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) {
 if (ti->file)
- if (pfr_buf_load(&ab, ti->file, 0, append_addr)) {
+ if (pfr_buf_load(&ab, ti->file, 0, append_addr, popts)) {
 if (errno)
 yyerror("cannot load \"%s\": %s",
 ti->file, strerror(errno));
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index acf1bacee08f..0a4b8952ef74 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 9, 2025
+.Dd May 29, 2025
 .Dt PFCTL 8
 .Os
 .Sh NAME
@@ -527,6 +527,9 @@ address mapping failed
 .It translate
 no free ports in translation port range
 .El
+.It Fl S
+Do not perform domain name resolution.
+If a name cannot be resolved without DNS, an error will be reported.
 .It Fl T Ar command Op Ar address ...
 Specify the
 .Ar command
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 32b957cbc889..cd4e2ae82aae 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -258,7 +258,7 @@ usage(void)
 extern char *__progname;
 fprintf(stderr,
-"usage: %s [-AdeghMmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
+"usage: %s [-AdeghMmNnOPqRSrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
 "\t[-f file] [-i interface] [-K host | network]\n"
 "\t[-k host | network | gateway | label | id] [-o level] [-p device]\n"
 "\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
@@ -3035,7 +3035,7 @@ main(int argc, char *argv[])
 usage();
 while ((ch = getopt(argc, argv,
- "a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:t:T:vx:z")) != -1) {
+ "a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:St:T:vx:z")) != -1) {
 switch (ch) {
 case 'a':
 anchoropt = optarg;
@@ -3137,6 +3137,9 @@ main(int argc, char *argv[])
 usage();
 }
 break;
+ case 'S':
+ opts |= PF_OPT_NODNS;
+ break;
 case 't':
 tableopt = optarg;
 break;
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index 7df56499ea16..f4a033971865 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
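Review bot: `opts |= PF_OPT_NODNS` in the new `case 'S'` switches off forward name resolution only; the reverse lookups gated by PF_OPT_USEDNS (pfctl's `-r`, if I read the option table right), which this commit still passes through unchanged as `opts & PF_OPT_USEDNS` in pfctl_table.c, are not affected, so `-S -r` is not a DNS-free invocation and the manual's blanket "Do not perform domain name resolution" overstates what the flag does. A comment on the case would pin that down, e.g. `/* -S: host names in input must be address literals; -r reverse lookups on output are unaffected */`, and the pfctl.8 entry could say "while parsing addresses". Judging from the diffstat, pfctl.8 gains only the `.Dd` bump and the three new lines, so the SYNOPSIS option string was presumably not extended with `S` the way the usage() string here was. main() continues outside the hunk.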
@@ -75,7 +75,7 @@ int pfr_buf_add(struct pfr_buffer *, const void *);
 void *pfr_buf_next(struct pfr_buffer *, const void *);
 int pfr_buf_grow(struct pfr_buffer *, int);
 int pfr_buf_load(struct pfr_buffer *, char *, int,
- int (*)(struct pfr_buffer *, char *, int));
+ int (*)(struct pfr_buffer *, char *, int, int), int);
 char *pfr_strerror(int);
 int pfi_get_ifaces(const char *, struct pfi_kif *, int *);
 int pfi_clr_istats(const char *, int *, int);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index d814b5f200e1..2d88c6d00605 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -77,7 +77,7 @@ int ifa_skip_if(const char *filter, struct node_host *p);
 struct node_host *host_if(const char *, int, int *);
 struct node_host *host_v4(const char *, int);
 struct node_host *host_v6(const char *, int);
-struct node_host *host_dns(const char *, int, int);
+struct node_host *host_dns(const char *, int, int, int);
 const char * const tcpflags = "FSRPAUEWe";
@@ -1801,7 +1801,7 @@ ifa_skip_if(const char *filter, struct node_host *p)
 struct node_host *
-host(const char *s)
+host(const char *s, int opts)
 {
 struct node_host *h = NULL;
 int mask, v4mask, v6mask, cont = 1;
@@ -1839,7 +1839,8 @@ host(const char *s)
 cont = 0;
 /* dns lookup */
- if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL)
+ if (cont && (h = host_dns(ps, v4mask, v6mask,
+ (opts & PF_OPT_NODNS))) != NULL)
 cont = 0;
 free(ps);
@@ -1957,7 +1958,7 @@ host_v6(const char *s, int mask)
 }
 struct node_host *
-host_dns(const char *s, int v4mask, int v6mask)
+host_dns(const char *s, int v4mask, int v6mask, int numeric)
 {
 struct addrinfo hints, *res0, *res;
 struct node_host *n, *h = NULL;
@@ -1974,6 +1975,8 @@ host_dns(const char *s, int v4mask, int v6mask)
 memset(&hints, 0, sizeof(hints));
 hints.ai_family = PF_UNSPEC;
 hints.ai_socktype = SOCK_STREAM; /* DUMMY */
+ if (numeric)
+ hints.ai_flags = AI_NUMERICHOST;
 error = getaddrinfo(ps, NULL, &hints, &res0);
 if (error) {
 free(ps);
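Review bot: `hints.ai_flags = AI_NUMERICHOST` is stronger than "no DNS": by its POSIX definition the flag makes getaddrinfo() accept only a numeric address string and prevents any name-resolution service from being invoked, so under `-S` a name that /etc/hosts could answer locally is rejected too, which the pfctl.8 sentence "cannot be resolved without DNS" does not convey. That is the behaviour one wants from a boot-time `pfctl -f` (no resolver call that can block or be answered by an attacker, presumably the reason for the option), so it deserves stating at the point of use, e.g. `/* -S: literals only; no name service (DNS, /etc/hosts, ...) is consulted */`, with the manual page tightened to "address literals only". The hunk's tail shows getaddrinfo()'s failure being handled just after, but host_dns() continues outside the hunk, so I cannot tell from here whether the rejected name is reported with gai_strerror() or only as a generic parse error; that is worth checking, since `-S` turns every hostname in a ruleset into a load failure the operator has to diagnose.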
@@ -2037,7 +2040,7 @@ host_dns(const char *s, int v4mask, int v6mask)
 * if set to 1, only simple addresses are accepted (no netblock, no "!").
 */
 int
-append_addr(struct pfr_buffer *b, char *s, int test)
+append_addr(struct pfr_buffer *b, char *s, int test, int opts)
 {
 char *r;
 struct node_host *h, *n;
@@ -2045,7 +2048,7 @@ append_addr(struct pfr_buffer *b, char *s, int test)
 for (r = s; *r == '!'; r++)
 not = !not;
- if ((n = host(r)) == NULL) {
+ if ((n = host(r, opts)) == NULL) {
 errno = 0;
 return (-1);
 }
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 7ab872c6ee41..718c05b306b2 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -38,22 +38,23 @@
 #define PF_OSFP_FILE "/etc/pf.os"
-#define PF_OPT_DISABLE 0x0001
-#define PF_OPT_ENABLE 0x0002
-#define PF_OPT_VERBOSE 0x0004
-#define PF_OPT_NOACTION 0x0008
-#define PF_OPT_QUIET 0x0010
-#define PF_OPT_CLRRULECTRS 0x0020
-#define PF_OPT_USEDNS 0x0040
-#define PF_OPT_VERBOSE2 0x0080
-#define PF_OPT_DUMMYACTION 0x0100
-#define PF_OPT_DEBUG 0x0200
-#define PF_OPT_SHOWALL 0x0400
-#define PF_OPT_OPTIMIZE 0x0800
-#define PF_OPT_NUMERIC 0x1000
-#define PF_OPT_MERGE 0x2000
-#define PF_OPT_RECURSE 0x4000
-#define PF_OPT_KILLMATCH 0x8000
+#define PF_OPT_DISABLE 0x00001
+#define PF_OPT_ENABLE 0x00002
+#define PF_OPT_VERBOSE 0x00004
+#define PF_OPT_NOACTION 0x00008
+#define PF_OPT_QUIET 0x00010
+#define PF_OPT_CLRRULECTRS 0x00020
+#define PF_OPT_USEDNS 0x00040
+#define PF_OPT_VERBOSE2 0x00080
+#define PF_OPT_DUMMYACTION 0x00100
+#define PF_OPT_DEBUG 0x00200
+#define PF_OPT_SHOWALL 0x00400
+#define PF_OPT_OPTIMIZE 0x00800
+#define PF_OPT_NUMERIC 0x01000
+#define PF_OPT_MERGE 0x02000
+#define PF_OPT_RECURSE 0x04000
+#define PF_OPT_KILLMATCH 0x08000
+#define PF_OPT_NODNS 0x10000
 #define PF_NAT_PROXY_PORT_LOW 50001
 #define PF_NAT_PROXY_PORT_HIGH 65535
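Review bot: PF_OPT_NODNS lands next to the existing PF_OPT_NUMERIC with nothing saying which kind of name each flag stops resolving; from this commit PF_OPT_NODNS only reaches host()/host_dns() for host names, while what PF_OPT_NUMERIC suppresses (service-name lookups for ports, presumably via `-P`) is not visible here, and the two are easy to confuse at the next call site. A comment on each define would prevent that, e.g. `#define PF_OPT_NUMERIC 0x01000 /* no service-name lookups for ports */` and `#define PF_OPT_NODNS 0x10000 /* host names must be address literals (AI_NUMERICHOST) */`. As a matter of style, re-padding all sixteen existing values to five hex digits turns a one-line addition into a 33-line hunk and will show every PF_OPT_* line as touched by this commit in blame; a single `0x10000` after `0x8000` would have been just as readable.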
@@ -370,9 +371,9 @@ int get_query_socket(void);
 struct node_host *ifa_exists(char *);
 struct node_host *ifa_grouplookup(char *ifa_name, int flags);
 struct node_host *ifa_lookup(char *, int);
-struct node_host *host(const char *);
+struct node_host *host(const char *, int);
-int append_addr(struct pfr_buffer *, char *, int);
+int append_addr(struct pfr_buffer *, char *, int, int);
 int append_addr_host(struct pfr_buffer *, struct node_host *, int, int);
diff --git a/sbin/pfctl/pfctl_radix.c b/sbin/pfctl/pfctl_radix.c
index 9739b0f238e1..21191259adff 100644
--- a/sbin/pfctl/pfctl_radix.c
+++ b/sbin/pfctl/pfctl_radix.c
@@ -400,7 +400,7 @@ pfr_buf_clear(struct pfr_buffer *b)
 int
 pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
- int (*append_addr)(struct pfr_buffer *, char *, int))
+ int (*append_addr)(struct pfr_buffer *, char *, int, int), int opts)
 {
 FILE *fp;
 char buf[BUF_SIZE];
@@ -416,7 +416,7 @@ pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
 return (-1);
 }
 while ((rv = pfr_next_token(buf, fp)) == 1)
- if (append_addr(b, buf, nonetwork)) {
+ if (append_addr(b, buf, nonetwork, opts)) {
 rv = -1;
 break;
 }
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index f23a62f518e1..3fe87b53b7f9 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -59,7 +59,7 @@ static int pfctl_table(int, char *[], char *, const char *,
 char *, const char *, int);
 static void print_table(const struct pfr_table *, int, int);
 static int print_tstats(const struct pfr_tstats *, int);
-static int load_addr(struct pfr_buffer *, int, char *[], char *, int);
+static int load_addr(struct pfr_buffer *, int, char *[], char *, int, int);
 static void print_addrx(struct pfr_addr *, struct pfr_addr *, int);
 static int nonzero_astats(struct pfr_astats *);
 static void print_astats(struct pfr_astats *, int);
@@ -204,7 +204,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 xprintf(opts, "%d addresses deleted", ndel);
 } else if (!strcmp(command, "add")) {
 b.pfrb_type = PFRB_ADDRS;
- if (load_addr(&b, argc, argv, file, 0))
+ if (load_addr(&b, argc, argv, file, 0, opts))
 goto _error;
 CREATE_TABLE;
 if (opts & PF_OPT_VERBOSE)
@@ -219,7 +219,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 opts & PF_OPT_USEDNS);
 } else if (!strcmp(command, "delete")) {
 b.pfrb_type = PFRB_ADDRS;
- if (load_addr(&b, argc, argv, file, 0))
+ if (load_addr(&b, argc, argv, file, 0, opts))
 goto _error;
 if (opts & PF_OPT_VERBOSE)
 flags |= PFR_FLAG_FEEDBACK;
@@ -233,7 +233,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 opts & PF_OPT_USEDNS);
 } else if (!strcmp(command, "replace")) {
 b.pfrb_type = PFRB_ADDRS;
- if (load_addr(&b, argc, argv, file, 0))
+ if (load_addr(&b, argc, argv, file, 0, opts))
 goto _error;
 CREATE_TABLE;
 if (opts & PF_OPT_VERBOSE)
@@ -356,7 +356,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 b.pfrb_type = PFRB_ADDRS;
 b2.pfrb_type = PFRB_ADDRS;
- if (load_addr(&b, argc, argv, file, 1))
+ if (load_addr(&b, argc, argv, file, 1, opts))
 goto _error;
 if (opts & PF_OPT_VERBOSE2) {
 flags |= PFR_FLAG_REPLACE;
@@ -383,7 +383,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 rv = 2;
 } else if (!strcmp(command, "zero") && (argc || file != NULL)) {
 b.pfrb_type = PFRB_ADDRS;
- if (load_addr(&b, argc, argv, file, 0))
+ if (load_addr(&b, argc, argv, file, 0, opts))
 goto _error;
 if (opts & PF_OPT_VERBOSE)
 flags |= PFR_FLAG_FEEDBACK;
@@ -463,15 +463,15 @@ print_tstats(const struct pfr_tstats *ts, int debug)
 int
 load_addr(struct pfr_buffer *b, int argc, char *argv[], char *file,
- int nonetwork)
+ int nonetwork, int opts)
 {
 while (argc--)
- if (append_addr(b, *argv++, nonetwork)) {
+ if (append_addr(b, *argv++, nonetwork, opts)) {
 if (errno)
 warn("cannot decode %s", argv[-1]);
 return (-1);
 }
- if (pfr_buf_load(b, file, nonetwork, append_addr)) {
+ if (pfr_buf_load(b, file, nonetwork, append_addr, opts)) {
 warn("cannot load %s", file);
 return (-1);
 }