Author: bz
Date: Mon Jun 20 08:37:20 2011
New Revision: 223329
URL: http://svn.freebsd.org/changeset/base/223329

Log:
  MFC r223057:
  
   Add a new option -P to suppress getservbyport(3) calls when printing rules.
   This allows one to force consistent printing of numeric port numbers rather
   than service names, as -n does for other tools such as netstat (-n was
   already taken here).
  
   PR:          misc/151015
   Submitted by:        Matt Koivisto (mkoivisto sandvine.com)
  Sponsored by: Sandvine Incorporated

Modified:
  stable/8/contrib/pf/pfctl/pfctl.8
  stable/8/contrib/pf/pfctl/pfctl.c
  stable/8/contrib/pf/pfctl/pfctl_optimize.c
  stable/8/contrib/pf/pfctl/pfctl_parser.c
  stable/8/contrib/pf/pfctl/pfctl_parser.h
Directory Properties:
  stable/8/contrib/pf/   (props changed)

Modified: stable/8/contrib/pf/pfctl/pfctl.8
==============================================================================
--- stable/8/contrib/pf/pfctl/pfctl.8   Mon Jun 20 08:00:32 2011        
(r223328)
+++ stable/8/contrib/pf/pfctl/pfctl.8   Mon Jun 20 08:37:20 2011        
(r223329)
@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 20, 2002
+.Dd June 13, 2011
 .Dt PFCTL 8
 .Os
 .Sh NAME
@@ -35,7 +35,7 @@
 .Sh SYNOPSIS
 .Nm pfctl
 .Bk -words
-.Op Fl AdeghmNnOqRrvz
+.Op Fl AdeghmNnOPqRrvz
 .Op Fl a Ar anchor
 .Oo Fl D Ar macro Ns =
 .Ar value Oc
@@ -350,6 +350,9 @@ without any options will enable
 optimizations, and a second
 .Fl o
 will enable profiling.
+.It Fl P
+Do not perform service name lookup for port specific rules,
+instead display the ports numerically.
 .It Fl p Ar device
 Use the device file
 .Ar device
@@ -670,6 +673,7 @@ Passive operating system fingerprint dat
 .Xr pf.conf 5 ,
 .Xr pf.os 5 ,
 .Xr rc.conf 5 ,
+.Xr services 5 ,
 .Xr sysctl.conf 5 ,
 .Xr authpf 8 ,
 .Xr ftp-proxy 8 ,

Modified: stable/8/contrib/pf/pfctl/pfctl.c
==============================================================================
--- stable/8/contrib/pf/pfctl/pfctl.c   Mon Jun 20 08:00:32 2011        
(r223328)
+++ stable/8/contrib/pf/pfctl/pfctl.c   Mon Jun 20 08:37:20 2011        
(r223329)
@@ -235,7 +235,7 @@ usage(void)
 {
        extern char *__progname;
 
-       fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
+       fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
        fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
        fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
        fprintf(stderr, "[-k host | network ]\n");
@@ -770,6 +770,7 @@ pfctl_show_rules(int dev, char *path, in
        struct pfioc_rule pr;
        u_int32_t nr, mnr, header = 0;
        int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
+       int numeric = opts & PF_OPT_NUMERIC;
        int len = strlen(path);
        int brace;
        char *p;
@@ -834,7 +835,7 @@ pfctl_show_rules(int dev, char *path, in
                case PFCTL_SHOW_RULES:
                        if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
                                labels = 1;
-                       print_rule(&pr.rule, pr.anchor_call, rule_numbers);
+                       print_rule(&pr.rule, pr.anchor_call, rule_numbers, 
numeric);
                        printf("\n");
                        pfctl_print_rule_counters(&pr.rule, opts);
                        break;
@@ -894,7 +895,7 @@ pfctl_show_rules(int dev, char *path, in
                        } else
                                p = &pr.anchor_call[0];
                
-                       print_rule(&pr.rule, p, rule_numbers);
+                       print_rule(&pr.rule, p, rule_numbers, numeric);
                        if (brace)
                                printf(" {\n");
                        else
@@ -951,7 +952,7 @@ pfctl_show_nat(int dev, int opts, char *
                                dotitle = 0;
                        }
                        print_rule(&pr.rule, pr.anchor_call,
-                           opts & PF_OPT_VERBOSE2);
+                           opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
                        printf("\n");
                        pfctl_print_rule_counters(&pr.rule, opts);
                        pfctl_clear_pool(&pr.rule.rpool);
@@ -1318,7 +1319,8 @@ pfctl_load_rule(struct pfctl *pf, char *
        if (pf->opts & PF_OPT_VERBOSE) {
                INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
                print_rule(r, r->anchor ? r->anchor->name : "",
-                   pf->opts & PF_OPT_VERBOSE2);
+                   pf->opts & PF_OPT_VERBOSE2,
+                   pf->opts & PF_OPT_NUMERIC);
        }
        path[len] = '\0';
        pfctl_clear_pool(&r->rpool);
@@ -1978,7 +1980,7 @@ main(int argc, char *argv[])
                usage();
 
        while ((ch = getopt(argc, argv,
-           "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
+           "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
                switch (ch) {
                case 'a':
                        anchoropt = optarg;
@@ -2080,6 +2082,9 @@ main(int argc, char *argv[])
                case 'p':
                        pf_device = optarg;
                        break;
+               case 'P':
+                       opts |= PF_OPT_NUMERIC;
+                       break;
                case 's':
                        showopt = pfctl_lookup_option(optarg, showopt_list);
                        if (showopt == NULL) {

Modified: stable/8/contrib/pf/pfctl/pfctl_optimize.c
==============================================================================
--- stable/8/contrib/pf/pfctl/pfctl_optimize.c  Mon Jun 20 08:00:32 2011        
(r223328)
+++ stable/8/contrib/pf/pfctl/pfctl_optimize.c  Mon Jun 20 08:37:20 2011        
(r223329)
@@ -407,7 +407,7 @@ optimize_superblock(struct pfctl *pf, st
        TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
                printf("  ");
                print_rule(&por->por_rule, por->por_rule.anchor ?
-                   por->por_rule.anchor->name : "", 1);
+                   por->por_rule.anchor->name : "", 1, 0);
        }
 #endif /* OPT_DEBUG */
 
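Review bot: The OPT_DEBUG dump in optimize_superblock hard-codes the new numeric argument to 0, although `pf` is in scope per the hunk header, so `-P` has no effect on this debug output while pfctl_load_rule in pfctl.c passes `pf->opts & PF_OPT_NUMERIC`. Using `pf->opts & PF_OPT_NUMERIC` here as well would keep the two call sites consistent, assuming this `pf` carries the same opts field (not visible in the hunk). Since the block is compiled out unless OPT_DEBUG is defined, the impact is limited to developer builds. optimize_superblock begins and ends outside the hunk.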

Modified: stable/8/contrib/pf/pfctl/pfctl_parser.c
==============================================================================
--- stable/8/contrib/pf/pfctl/pfctl_parser.c    Mon Jun 20 08:00:32 2011        
(r223328)
+++ stable/8/contrib/pf/pfctl/pfctl_parser.c    Mon Jun 20 08:37:20 2011        
(r223329)
@@ -64,11 +64,11 @@ __FBSDID("$FreeBSD$");
 #include "pfctl.h"
 
 void            print_op (u_int8_t, const char *, const char *);
-void            print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
+void            print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int);
 void            print_ugid (u_int8_t, unsigned, unsigned, const char *, 
unsigned);
 void            print_flags (u_int8_t);
 void            print_fromto(struct pf_rule_addr *, pf_osfp_t,
-                   struct pf_rule_addr *, u_int8_t, u_int8_t, int);
+                   struct pf_rule_addr *, u_int8_t, u_int8_t, int, int);
 int             ifa_skip_if(const char *filter, struct node_host *p);
 
 struct node_host       *ifa_grouplookup(const char *, int);
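Review bot: The updated print_port and print_fromto prototypes now end in two adjacent unnamed `int` flags (verbose/numeric), and the same applies to print_rule in pfctl_parser.h; call sites pass bitmask expressions for both, so a swapped pair compiles silently. Naming them in the prototype, e.g. `void print_fromto(struct pf_rule_addr *, pf_osfp_t, struct pf_rule_addr *, u_int8_t, u_int8_t, int verbose, int numeric);`, records the order at the one place every caller sees. The file otherwise leaves parameters unnamed, so this may be a deliberate convention; if so, a short comment above the declarations stating the argument order would serve the same purpose.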
@@ -320,12 +320,15 @@ print_op(u_int8_t op, const char *a1, co
 }
 
 void
-print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
+print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int 
numeric)
 {
        char             a1[6], a2[6];
        struct servent  *s;
 
-       s = getservbyport(p1, proto);
+       if (!numeric)
+               s = getservbyport(p1, proto);
+       else
+               s = NULL;
        p1 = ntohs(p1);
        p2 = ntohs(p2);
        snprintf(a1, sizeof(a1), "%u", p1);
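Review bot: The added if/else in print_port only chooses between a lookup and NULL and reads more directly as `s = numeric ? NULL : getservbyport(p1, proto);`. The new parameter is not described anywhere in the file; a one-line comment at the definition such as `/* numeric: skip the services(5) lookup and print the port number as-is */` would tell a reader what -P controls. getservbyport() receives p1 before the ntohs() conversion, which matches the network-byte-order argument that function expects, so the placement of the lookup relative to the conversions is correct. print_port's body continues past the end of the hunk.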
@@ -363,7 +366,7 @@ print_flags(u_int8_t f)
 
 void
 print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr 
*dst,
-    sa_family_t af, u_int8_t proto, int verbose)
+    sa_family_t af, u_int8_t proto, int verbose, int numeric)
 {
        char buf[PF_OSFP_LEN*3];
        if (src->addr.type == PF_ADDR_ADDRMASK &&
@@ -384,7 +387,8 @@ print_fromto(struct pf_rule_addr *src, p
                if (src->port_op)
                        print_port(src->port_op, src->port[0],
                            src->port[1],
-                           proto == IPPROTO_TCP ? "tcp" : "udp");
+                           proto == IPPROTO_TCP ? "tcp" : "udp",
+                           numeric);
                if (osfp != PF_OSFP_ANY)
                        printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf,
                            sizeof(buf)));
@@ -396,7 +400,8 @@ print_fromto(struct pf_rule_addr *src, p
                if (dst->port_op)
                        print_port(dst->port_op, dst->port[0],
                            dst->port[1],
-                           proto == IPPROTO_TCP ? "tcp" : "udp");
+                           proto == IPPROTO_TCP ? "tcp" : "udp",
+                           numeric);
        }
 }
 
@@ -673,7 +678,7 @@ print_src_node(struct pf_src_node *sn, i
 }
 
 void
-print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
+print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int 
numeric)
 {
        static const char *actiontypes[] = { "pass", "block", "scrub",
            "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
@@ -800,7 +805,7 @@ print_rule(struct pf_rule *r, const char
                        printf(" proto %u", r->proto);
        }
        print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,
-           verbose);
+           verbose, numeric);
        if (r->uid.op)
                print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",
                    UID_MAX);

Modified: stable/8/contrib/pf/pfctl/pfctl_parser.h
==============================================================================
--- stable/8/contrib/pf/pfctl/pfctl_parser.h    Mon Jun 20 08:00:32 2011        
(r223328)
+++ stable/8/contrib/pf/pfctl/pfctl_parser.h    Mon Jun 20 08:37:20 2011        
(r223329)
@@ -48,6 +48,7 @@
 #define PF_OPT_DEBUG           0x0200
 #define PF_OPT_SHOWALL         0x0400
 #define PF_OPT_OPTIMIZE                0x0800
+#define PF_OPT_NUMERIC         0x1000
 #define PF_OPT_MERGE           0x2000
 #define PF_OPT_RECURSE         0x4000
 
@@ -235,7 +236,7 @@ int pfctl_load_anchors(int, struct pfctl
 
 void   print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
 void   print_src_node(struct pf_src_node *, int);
-void   print_rule(struct pf_rule *, const char *, int);
+void   print_rule(struct pf_rule *, const char *, int, int);
 void   print_tabledef(const char *, int, int, struct node_tinithead *);
 void   print_status(struct pf_status *, int);
 