From owner-svn-src-all@FreeBSD.ORG Mon Jun 13 20:11:28 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E210E1065677; Mon, 13 Jun 2011 20:11:28 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id D07388FC08; Mon, 13 Jun 2011 20:11:28 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p5DKBS7T096910; Mon, 13 Jun 2011 20:11:28 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p5DKBSGI096903; Mon, 13 Jun 2011 20:11:28 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201106132011.p5DKBSGI096903@svn.freebsd.org> 
From: "Bjoern A. Zeeb" Date: Mon, 13 Jun 2011 20:11:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r223057 - head/contrib/pf/pfctl X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jun 2011 20:11:29 -0000 Author: bz Date: Mon Jun 13 20:11:28 2011 New Revision: 223057 URL: http://svn.freebsd.org/changeset/base/223057 Log: Add a new option -P to suppress getservbyport(3) calls when printing rules. This allows one to force consistent printing of numeric port numbers like we do with -n for other tools like netstat (just that -n was already taken) rather than the service names. -P is currently unused in OpenBSD so the change is eligible for upstreaming. PR: misc/151015 Submitted by: Matt Koivisto (mkoivisto sandvine.com) Sponsored by: Sandvine Incorporated MFC after: 1 week Modified: head/contrib/pf/pfctl/pfctl.8 head/contrib/pf/pfctl/pfctl.c head/contrib/pf/pfctl/pfctl_optimize.c head/contrib/pf/pfctl/pfctl_parser.c head/contrib/pf/pfctl/pfctl_parser.h Modified: head/contrib/pf/pfctl/pfctl.8 ============================================================================== --- head/contrib/pf/pfctl/pfctl.8 Mon Jun 13 19:45:01 2011 (r223056) +++ head/contrib/pf/pfctl/pfctl.8 Mon Jun 13 20:11:28 2011 (r223057) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 20, 2002 +.Dd June 13, 2011 .Dt PFCTL 8 .Os .Sh NAME @@ -35,7 +35,7 @@ .Sh SYNOPSIS .Nm pfctl .Bk -words -.Op Fl AdeghmNnOqRrvz +.Op Fl AdeghmNnOPqRrvz .Op Fl a Ar anchor .Oo Fl D Ar macro Ns = .Ar value Oc 
@@ -350,6 +350,9 @@ without any options will enable optimizations, and a second .Fl o will enable profiling. +.It Fl P +Do not perform service name lookup for port specific rules, +instead display the ports numerically. .It Fl p Ar device Use the device file .Ar device @@ -670,6 +673,7 @@ Passive operating system fingerprint dat .Xr pf.conf 5 , .Xr pf.os 5 , .Xr rc.conf 5 , +.Xr services 5 , .Xr sysctl.conf 5 , .Xr authpf 8 , .Xr ftp-proxy 8 , Modified: head/contrib/pf/pfctl/pfctl.c ============================================================================== --- head/contrib/pf/pfctl/pfctl.c Mon Jun 13 19:45:01 2011 (r223056) +++ head/contrib/pf/pfctl/pfctl.c Mon Jun 13 20:11:28 2011 (r223057) @@ -235,7 +235,7 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname); + fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname); fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n"); fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] "); fprintf(stderr, "[-k host | network ]\n"); @@ -770,6 +770,7 @@ pfctl_show_rules(int dev, char *path, in struct pfioc_rule pr; u_int32_t nr, mnr, header = 0; int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG); + int numeric = opts & PF_OPT_NUMERIC; int len = strlen(path); int brace; char *p; @@ -834,7 +835,7 @@ pfctl_show_rules(int dev, char *path, in case PFCTL_SHOW_RULES: if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL)) labels = 1; - print_rule(&pr.rule, pr.anchor_call, rule_numbers); + print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric); printf("\n"); pfctl_print_rule_counters(&pr.rule, opts); break; @@ -894,7 +895,7 @@ pfctl_show_rules(int dev, char *path, in } else p = &pr.anchor_call[0]; - print_rule(&pr.rule, p, rule_numbers); + print_rule(&pr.rule, p, rule_numbers, numeric); if (brace) printf(" {\n"); else 
@@ -951,7 +952,7 @@ pfctl_show_nat(int dev, int opts, char * dotitle = 0; } print_rule(&pr.rule, pr.anchor_call, - opts & PF_OPT_VERBOSE2); + opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC); printf("\n"); pfctl_print_rule_counters(&pr.rule, opts); pfctl_clear_pool(&pr.rule.rpool); @@ -1318,7 +1319,8 @@ pfctl_load_rule(struct pfctl *pf, char * if (pf->opts & PF_OPT_VERBOSE) { INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2)); print_rule(r, r->anchor ? r->anchor->name : "", - pf->opts & PF_OPT_VERBOSE2); + pf->opts & PF_OPT_VERBOSE2, + pf->opts & PF_OPT_NUMERIC); } path[len] = '\0'; pfctl_clear_pool(&r->rpool); @@ -1978,7 +1980,7 @@ main(int argc, char *argv[]) usage(); while ((ch = getopt(argc, argv, - "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) { + "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) { switch (ch) { case 'a': anchoropt = optarg; @@ -2080,6 +2082,9 @@ main(int argc, char *argv[]) case 'p': pf_device = optarg; break; + case 'P': + opts |= PF_OPT_NUMERIC; + break; case 's': showopt = pfctl_lookup_option(optarg, showopt_list); if (showopt == NULL) { Modified: head/contrib/pf/pfctl/pfctl_optimize.c ============================================================================== --- head/contrib/pf/pfctl/pfctl_optimize.c Mon Jun 13 19:45:01 2011 (r223056) +++ head/contrib/pf/pfctl/pfctl_optimize.c Mon Jun 13 20:11:28 2011 (r223057) @@ -407,7 +407,7 @@ optimize_superblock(struct pfctl *pf, st TAILQ_FOREACH(por, &block->sb_rules, por_entry) { printf(" "); print_rule(&por->por_rule, por->por_rule.anchor ? - por->por_rule.anchor->name : "", 1); + por->por_rule.anchor->name : "", 1, 0); } #endif /* OPT_DEBUG */ Modified: head/contrib/pf/pfctl/pfctl_parser.c ============================================================================== --- head/contrib/pf/pfctl/pfctl_parser.c Mon Jun 13 19:45:01 2011 (r223056) +++ head/contrib/pf/pfctl/pfctl_parser.c Mon Jun 13 20:11:28 2011 (r223057) 
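Review bot: The OPT_DEBUG dump in optimize_superblock hard-codes the new `numeric` argument to 0, so `pfctl -P` still goes through getservbyport(3) on this path while every other print_rule() caller in the commit threads the option through. `pf` is a parameter of optimize_superblock per the hunk header, so the call can be `por->por_rule.anchor->name : "", 1, pf->opts & PF_OPT_NUMERIC);` (assuming `pf` is non-NULL here, as the rest of the function presumably requires). This only matters in builds with OPT_DEBUG defined, but it keeps the debug output consistent with the documented -P semantics. optimize_superblock's body extends outside the hunk.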
@@ -64,11 +64,11 @@ __FBSDID("$FreeBSD$"); #include "pfctl.h" void print_op (u_int8_t, const char *, const char *); -void print_port (u_int8_t, u_int16_t, u_int16_t, const char *); +void print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int); void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned); void print_flags (u_int8_t); void print_fromto(struct pf_rule_addr *, pf_osfp_t, - struct pf_rule_addr *, u_int8_t, u_int8_t, int); + struct pf_rule_addr *, u_int8_t, u_int8_t, int, int); int ifa_skip_if(const char *filter, struct node_host *p); struct node_host *ifa_grouplookup(const char *, int); @@ -320,12 +320,15 @@ print_op(u_int8_t op, const char *a1, co } void -print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto) +print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numeric) { char a1[6], a2[6]; struct servent *s; - s = getservbyport(p1, proto); + if (!numeric) + s = getservbyport(p1, proto); + else + s = NULL; p1 = ntohs(p1); p2 = ntohs(p2); snprintf(a1, sizeof(a1), "%u", p1); @@ -363,7 +366,7 @@ print_flags(u_int8_t f) void print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst, - sa_family_t af, u_int8_t proto, int verbose) + sa_family_t af, u_int8_t proto, int verbose, int numeric) { char buf[PF_OSFP_LEN*3]; if (src->addr.type == PF_ADDR_ADDRMASK && @@ -384,7 +387,8 @@ print_fromto(struct pf_rule_addr *src, p if (src->port_op) print_port(src->port_op, src->port[0], src->port[1], - proto == IPPROTO_TCP ? "tcp" : "udp"); + proto == IPPROTO_TCP ? "tcp" : "udp", + numeric); if (osfp != PF_OSFP_ANY) printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf, sizeof(buf))); @@ -396,7 +400,8 @@ print_fromto(struct pf_rule_addr *src, p if (dst->port_op) print_port(dst->port_op, dst->port[0], dst->port[1], - proto == IPPROTO_TCP ? "tcp" : "udp"); + proto == IPPROTO_TCP ? "tcp" : "udp", + numeric); } } 
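Review bot: The new print_port definition line runs past 80 columns, which style(9) and the surrounding KNF code avoid; wrap it as `print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto,` followed by `    int numeric)` on the next line. The four-line if/else that sets `s` reads better as the single conditional `s = numeric ? NULL : getservbyport(p1, proto);`, with a comment stating why the lookup is skipped, e.g. `/* -P: skip the services(5) lookup so output is stable and independent of the name-service switch */`. Note that `p1` is still in network byte order at the lookup, as getservbyport(3) expects, and the following ntohs() calls are unchanged. The remainder of print_port, including the `s == NULL` fallback the numeric path presumably relies on, lies outside the hunk.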
@@ -673,7 +678,7 @@ print_src_node(struct pf_src_node *sn, i } void -print_rule(struct pf_rule *r, const char *anchor_call, int verbose) +print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric) { static const char *actiontypes[] = { "pass", "block", "scrub", "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" }; @@ -800,7 +805,7 @@ print_rule(struct pf_rule *r, const char printf(" proto %u", r->proto); } print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto, - verbose); + verbose, numeric); if (r->uid.op) print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user", UID_MAX); Modified: head/contrib/pf/pfctl/pfctl_parser.h ============================================================================== --- head/contrib/pf/pfctl/pfctl_parser.h Mon Jun 13 19:45:01 2011 (r223056) +++ head/contrib/pf/pfctl/pfctl_parser.h Mon Jun 13 20:11:28 2011 (r223057) @@ -48,6 +48,7 @@ #define PF_OPT_DEBUG 0x0200 #define PF_OPT_SHOWALL 0x0400 #define PF_OPT_OPTIMIZE 0x0800 +#define PF_OPT_NUMERIC 0x1000 #define PF_OPT_MERGE 0x2000 #define PF_OPT_RECURSE 0x4000 @@ -235,7 +236,7 @@ int pfctl_load_anchors(int, struct pfctl void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int); void print_src_node(struct pf_src_node *, int); -void print_rule(struct pf_rule *, const char *, int); +void print_rule(struct pf_rule *, const char *, int, int); void print_tabledef(const char *, int, int, struct node_tinithead *); void print_status(struct pf_status *, int);