Date:      Mon, 9 Jun 2025 21:06:53 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 4ace4ea9ca6e - main - pfctl: add option -S (no domain resolution)
Message-ID:  <202506092106.559L6rLY089765@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=4ace4ea9ca6ee18d2c449ea7a8f909fe8836eb9e

commit 4ace4ea9ca6ee18d2c449ea7a8f909fe8836eb9e
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-05-29 14:13:10 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-06-09 19:38:06 +0000

    pfctl: add option -S (no domain resolution)
    
    manpage wording and reminder about usage() jmc@
    ok florian@ henning@
    
    Reviewed by:    ziaee (manpages)
    Obtained from:  OpenBSD, benno <benno@openbsd.org>, 7c8726d43b
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D50724
---
 sbin/pfctl/parse.y        | 19 ++++++++++---------
 sbin/pfctl/pfctl.8        |  5 ++++-
 sbin/pfctl/pfctl.c        |  7 +++++--
 sbin/pfctl/pfctl.h        |  2 +-
 sbin/pfctl/pfctl_parser.c | 15 +++++++++------
 sbin/pfctl/pfctl_parser.h | 37 +++++++++++++++++++------------------
 sbin/pfctl/pfctl_radix.c  |  4 ++--
 sbin/pfctl/pfctl_table.c  | 18 +++++++++---------
 8 files changed, 59 insertions(+), 48 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 3ddf391810c6..1b137eecfa47 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -364,7 +364,7 @@ int		 rule_consistent(struct pfctl_rule *, int);
 int		 filter_consistent(struct pfctl_rule *, int);
 int		 nat_consistent(struct pfctl_rule *);
 int		 rdr_consistent(struct pfctl_rule *);
-int		 process_tabledef(char *, struct table_opts *);
+int		 process_tabledef(char *, struct table_opts *, int);
 void		 expand_label_str(char *, size_t, const char *, const char *);
 void		 expand_label_if(const char *, char *, size_t, const char *);
 void		 expand_label_addr(const char *, char *, size_t, sa_family_t,
@@ -1746,7 +1746,7 @@ tabledef	: TABLE '<' STRING '>' table_opts {
 				YYERROR;
 			}
 			if (pf->loadopt & PFCTL_FLAG_TABLE)
-				if (process_tabledef($3, &$5)) {
+				if (process_tabledef($3, &$5, pf->opts)) {
 					free($3);
 					YYERROR;
 				}
@@ -3007,7 +3007,7 @@ filter_opt	: USER uids {
 		}
 		| DIVERTTO STRING PORT portplain {
 #ifndef __FreeBSD__
-			if ((filter_opts.divert.addr = host($2)) == NULL) {
+			if ((filter_opts.divert.addr = host($2, pf->opts)) == NULL) {
 				yyerror("could not parse divert address: %s",
 				    $2);
 				free($2);
@@ -3719,7 +3719,7 @@ xhost		: not host			{
 		;
 
 host		: STRING			{
-			if (($$ = host($1)) == NULL)	{
+			if (($$ = host($1, pf->opts)) == NULL)	{
 				/* error. "any" is handled elsewhere */
 				free($1);
 				yyerror("could not parse host specification");
@@ -3731,7 +3731,8 @@ host		: STRING			{
 		| STRING '-' STRING		{
 			struct node_host *b, *e;
 
-			if ((b = host($1)) == NULL || (e = host($3)) == NULL) {
+			if ((b = host($1, pf->opts)) == NULL ||
+			    (e = host($3, pf->opts)) == NULL) {
 				free($1);
 				free($3);
 				yyerror("could not parse host specification");
@@ -3767,7 +3768,7 @@ host		: STRING			{
 			if (asprintf(&buf, "%s/%lld", $1, (long long)$3) == -1)
 				err(1, "host: asprintf");
 			free($1);
-			if (($$ = host(buf)) == NULL)	{
+			if (($$ = host(buf, pf->opts)) == NULL)	{
 				/* error. "any" is handled elsewhere */
 				free(buf);
 				yyerror("could not parse host specification");
@@ -3785,7 +3786,7 @@ host		: STRING			{
 			if (asprintf(&buf, "%lld/%lld", $1, $3) == -1)
 #endif
 				err(1, "host: asprintf");
-			if (($$ = host(buf)) == NULL)	{
+			if (($$ = host(buf, pf->opts)) == NULL)	{
 				/* error. "any" is handled elsewhere */
 				free(buf);
 				yyerror("could not parse host specification");
@@ -5494,7 +5495,7 @@ rdr_consistent(struct pfctl_rule *r)
 }
 
 int
-process_tabledef(char *name, struct table_opts *opts)
+process_tabledef(char *name, struct table_opts *opts, int popts)
 {
 	struct pfr_buffer	 ab;
 	struct node_tinit	*ti;
@@ -5505,7 +5506,7 @@ process_tabledef(char *name, struct table_opts *opts)
 	ab.pfrb_type = PFRB_ADDRS;
 	SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) {
 		if (ti->file)
-			if (pfr_buf_load(&ab, ti->file, 0, append_addr)) {
+			if (pfr_buf_load(&ab, ti->file, 0, append_addr, popts)) {
 				if (errno)
 					yyerror("cannot load \"%s\": %s",
 					    ti->file, strerror(errno));
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index acf1bacee08f..0a4b8952ef74 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 9, 2025
+.Dd May 29, 2025
 .Dt PFCTL 8
 .Os
 .Sh NAME
@@ -527,6 +527,9 @@ address mapping failed
 .It translate
 no free ports in translation port range
 .El
+.It Fl S
+Do not perform domain name resolution.
+If a name cannot be resolved without DNS, an error will be reported.
 .It Fl T Ar command Op Ar address ...
 Specify the
 .Ar command
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 32b957cbc889..cd4e2ae82aae 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -258,7 +258,7 @@ usage(void)
 	extern char *__progname;
 
 	fprintf(stderr,
-"usage: %s [-AdeghMmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
+"usage: %s [-AdeghMmNnOPqRSrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
 	"\t[-f file] [-i interface] [-K host | network]\n"
 	"\t[-k host | network | gateway | label | id] [-o level] [-p device]\n"
 	"\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
@@ -3035,7 +3035,7 @@ main(int argc, char *argv[])
 		usage();
 
 	while ((ch = getopt(argc, argv,
-	    "a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:t:T:vx:z")) != -1) {
+	    "a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:St:T:vx:z")) != -1) {
 		switch (ch) {
 		case 'a':
 			anchoropt = optarg;
@@ -3137,6 +3137,9 @@ main(int argc, char *argv[])
 				usage();
 			}
 			break;
+		case 'S':
+			opts |= PF_OPT_NODNS;
+			break;
 		case 't':
 			tableopt = optarg;
 			break;
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index 7df56499ea16..f4a033971865 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
@@ -75,7 +75,7 @@ int	 pfr_buf_add(struct pfr_buffer *, const void *);
 void	*pfr_buf_next(struct pfr_buffer *, const void *);
 int	 pfr_buf_grow(struct pfr_buffer *, int);
 int	 pfr_buf_load(struct pfr_buffer *, char *, int,
-	    int (*)(struct pfr_buffer *, char *, int));
+	    int (*)(struct pfr_buffer *, char *, int, int), int);
 char	*pfr_strerror(int);
 int	 pfi_get_ifaces(const char *, struct pfi_kif *, int *);
 int	 pfi_clr_istats(const char *, int *, int);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index d814b5f200e1..2d88c6d00605 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -77,7 +77,7 @@ int		 ifa_skip_if(const char *filter, struct node_host *p);
 struct node_host	*host_if(const char *, int, int *);
 struct node_host	*host_v4(const char *, int);
 struct node_host	*host_v6(const char *, int);
-struct node_host	*host_dns(const char *, int, int);
+struct node_host	*host_dns(const char *, int, int, int);
 
 const char * const tcpflags = "FSRPAUEWe";
 
@@ -1801,7 +1801,7 @@ ifa_skip_if(const char *filter, struct node_host *p)
 
 
 struct node_host *
-host(const char *s)
+host(const char *s, int opts)
 {
 	struct node_host	*h = NULL;
 	int			 mask, v4mask, v6mask, cont = 1;
@@ -1839,7 +1839,8 @@ host(const char *s)
 		cont = 0;
 
 	/* dns lookup */
-	if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL)
+	if (cont && (h = host_dns(ps, v4mask, v6mask,
+	    (opts & PF_OPT_NODNS))) != NULL)
 		cont = 0;
 	free(ps);
 
@@ -1957,7 +1958,7 @@ host_v6(const char *s, int mask)
 }
 
 struct node_host *
-host_dns(const char *s, int v4mask, int v6mask)
+host_dns(const char *s, int v4mask, int v6mask, int numeric)
 {
 	struct addrinfo		 hints, *res0, *res;
 	struct node_host	*n, *h = NULL;
@@ -1974,6 +1975,8 @@ host_dns(const char *s, int v4mask, int v6mask)
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = PF_UNSPEC;
 	hints.ai_socktype = SOCK_STREAM; /* DUMMY */
+	if (numeric)
+		hints.ai_flags = AI_NUMERICHOST;
 	error = getaddrinfo(ps, NULL, &hints, &res0);
 	if (error) {
 		free(ps);
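Review bot: The new `numeric` parameter of host_dns() is undocumented, and the function's existing header (outside this hunk) still describes it as a DNS lookup, so a reader will not see that under -S the call is a parse-only step; a one-line comment on the added lines would fix that, e.g. `/* -S (PF_OPT_NODNS): AI_NUMERICHOST makes getaddrinfo() accept only literal addresses and never consult a resolver, so rule loading cannot block on or depend on DNS. */`. Assigning `hints.ai_flags` rather than OR-ing is fine here because the memset above zeroes the struct. Presumably a non-numeric name then fails getaddrinfo() with EAI_NONAME and reaches the caller's "could not parse host specification" message, which does not tell the user that resolution was disabled; it may be worth having the error path below mention -S when `numeric` is set. host_dns()'s body continues outside the hunk.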
@@ -2037,7 +2040,7 @@ host_dns(const char *s, int v4mask, int v6mask)
  *	if set to 1, only simple addresses are accepted (no netblock, no "!").
  */
 int
-append_addr(struct pfr_buffer *b, char *s, int test)
+append_addr(struct pfr_buffer *b, char *s, int test, int opts)
 {
 	char			 *r;
 	struct node_host	*h, *n;
@@ -2045,7 +2048,7 @@ append_addr(struct pfr_buffer *b, char *s, int test)
 
 	for (r = s; *r == '!'; r++)
 		not = !not;
-	if ((n = host(r)) == NULL) {
+	if ((n = host(r, opts)) == NULL) {
 		errno = 0;
 		return (-1);
 	}
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 7ab872c6ee41..718c05b306b2 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -38,22 +38,23 @@
 
 #define PF_OSFP_FILE		"/etc/pf.os"
 
-#define PF_OPT_DISABLE		0x0001
-#define PF_OPT_ENABLE		0x0002
-#define PF_OPT_VERBOSE		0x0004
-#define PF_OPT_NOACTION		0x0008
-#define PF_OPT_QUIET		0x0010
-#define PF_OPT_CLRRULECTRS	0x0020
-#define PF_OPT_USEDNS		0x0040
-#define PF_OPT_VERBOSE2		0x0080
-#define PF_OPT_DUMMYACTION	0x0100
-#define PF_OPT_DEBUG		0x0200
-#define PF_OPT_SHOWALL		0x0400
-#define PF_OPT_OPTIMIZE		0x0800
-#define PF_OPT_NUMERIC		0x1000
-#define PF_OPT_MERGE		0x2000
-#define PF_OPT_RECURSE		0x4000
-#define PF_OPT_KILLMATCH	0x8000
+#define PF_OPT_DISABLE		0x00001
+#define PF_OPT_ENABLE		0x00002
+#define PF_OPT_VERBOSE		0x00004
+#define PF_OPT_NOACTION		0x00008
+#define PF_OPT_QUIET		0x00010
+#define PF_OPT_CLRRULECTRS	0x00020
+#define PF_OPT_USEDNS		0x00040
+#define PF_OPT_VERBOSE2		0x00080
+#define PF_OPT_DUMMYACTION	0x00100
+#define PF_OPT_DEBUG		0x00200
+#define PF_OPT_SHOWALL		0x00400
+#define PF_OPT_OPTIMIZE		0x00800
+#define PF_OPT_NUMERIC		0x01000
+#define PF_OPT_MERGE		0x02000
+#define PF_OPT_RECURSE		0x04000
+#define PF_OPT_KILLMATCH	0x08000
+#define PF_OPT_NODNS		0x10000
 
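Review bot: PF_OPT_NODNS is added next to PF_OPT_USEDNS and PF_OPT_NUMERIC with nothing stating how the three differ, which makes it easy to pick the wrong one at a call site. From the rest of this commit NODNS is the parse-time flag set by -S and consumed only in host()/host_dns(), so a trailing comment would pin that down, e.g. `#define PF_OPT_NODNS		0x10000	/* -S: parse addresses without resolving names */`. The widening of the existing values to five hex digits is purely cosmetic and leaves every existing bit unchanged, which is consistent with the `int opts` parameters the other hunks add.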
 #define PF_NAT_PROXY_PORT_LOW	50001
 #define PF_NAT_PROXY_PORT_HIGH	65535
@@ -370,9 +371,9 @@ int			 get_query_socket(void);
 struct node_host	*ifa_exists(char *);
 struct node_host	*ifa_grouplookup(char *ifa_name, int flags);
 struct node_host	*ifa_lookup(char *, int);
-struct node_host	*host(const char *);
+struct node_host	*host(const char *, int);
 
-int			 append_addr(struct pfr_buffer *, char *, int);
+int			 append_addr(struct pfr_buffer *, char *, int, int);
 int			 append_addr_host(struct pfr_buffer *,
 			    struct node_host *, int, int);
 
diff --git a/sbin/pfctl/pfctl_radix.c b/sbin/pfctl/pfctl_radix.c
index 9739b0f238e1..21191259adff 100644
--- a/sbin/pfctl/pfctl_radix.c
+++ b/sbin/pfctl/pfctl_radix.c
@@ -400,7 +400,7 @@ pfr_buf_clear(struct pfr_buffer *b)
 
 int
 pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
-    int (*append_addr)(struct pfr_buffer *, char *, int))
+    int (*append_addr)(struct pfr_buffer *, char *, int, int), int opts)
 {
 	FILE	*fp;
 	char	 buf[BUF_SIZE];
@@ -416,7 +416,7 @@ pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
 			return (-1);
 	}
 	while ((rv = pfr_next_token(buf, fp)) == 1)
-		if (append_addr(b, buf, nonetwork)) {
+		if (append_addr(b, buf, nonetwork, opts)) {
 			rv = -1;
 			break;
 		}
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index f23a62f518e1..3fe87b53b7f9 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -59,7 +59,7 @@ static int	pfctl_table(int, char *[], char *, const char *, char *,
 		    const char *, int);
 static void	print_table(const struct pfr_table *, int, int);
 static int	print_tstats(const struct pfr_tstats *, int);
-static int	load_addr(struct pfr_buffer *, int, char *[], char *, int);
+static int	load_addr(struct pfr_buffer *, int, char *[], char *, int, int);
 static void	print_addrx(struct pfr_addr *, struct pfr_addr *, int);
 static int 	nonzero_astats(struct pfr_astats *);
 static void	print_astats(struct pfr_astats *, int);
@@ -204,7 +204,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 		xprintf(opts, "%d addresses deleted", ndel);
 	} else if (!strcmp(command, "add")) {
 		b.pfrb_type = PFRB_ADDRS;
-		if (load_addr(&b, argc, argv, file, 0))
+		if (load_addr(&b, argc, argv, file, 0, opts))
 			goto _error;
 		CREATE_TABLE;
 		if (opts & PF_OPT_VERBOSE)
@@ -219,7 +219,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 					    opts & PF_OPT_USEDNS);
 	} else if (!strcmp(command, "delete")) {
 		b.pfrb_type = PFRB_ADDRS;
-		if (load_addr(&b, argc, argv, file, 0))
+		if (load_addr(&b, argc, argv, file, 0, opts))
 			goto _error;
 		if (opts & PF_OPT_VERBOSE)
 			flags |= PFR_FLAG_FEEDBACK;
@@ -233,7 +233,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 					    opts & PF_OPT_USEDNS);
 	} else if (!strcmp(command, "replace")) {
 		b.pfrb_type = PFRB_ADDRS;
-		if (load_addr(&b, argc, argv, file, 0))
+		if (load_addr(&b, argc, argv, file, 0, opts))
 			goto _error;
 		CREATE_TABLE;
 		if (opts & PF_OPT_VERBOSE)
@@ -356,7 +356,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 		b.pfrb_type = PFRB_ADDRS;
 		b2.pfrb_type = PFRB_ADDRS;
 
-		if (load_addr(&b, argc, argv, file, 1))
+		if (load_addr(&b, argc, argv, file, 1, opts))
 			goto _error;
 		if (opts & PF_OPT_VERBOSE2) {
 			flags |= PFR_FLAG_REPLACE;
@@ -383,7 +383,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
 			rv = 2;
 	} else if (!strcmp(command, "zero") && (argc || file != NULL)) {
 		b.pfrb_type = PFRB_ADDRS;
-		if (load_addr(&b, argc, argv, file, 0))
+		if (load_addr(&b, argc, argv, file, 0, opts))
 			goto _error;
 		if (opts & PF_OPT_VERBOSE)
 			flags |= PFR_FLAG_FEEDBACK;
@@ -463,15 +463,15 @@ print_tstats(const struct pfr_tstats *ts, int debug)
 
 int
 load_addr(struct pfr_buffer *b, int argc, char *argv[], char *file,
-    int nonetwork)
+    int nonetwork, int opts)
 {
 	while (argc--)
-		if (append_addr(b, *argv++, nonetwork)) {
+		if (append_addr(b, *argv++, nonetwork, opts)) {
 			if (errno)
 				warn("cannot decode %s", argv[-1]);
 			return (-1);
 		}
-	if (pfr_buf_load(b, file, nonetwork, append_addr)) {
+	if (pfr_buf_load(b, file, nonetwork, append_addr, opts)) {
 		warn("cannot load %s", file);
 		return (-1);
 	}


