Date: Mon, 20 Jun 2011 08:37:34 +0000 (UTC) From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r223330 - stable/7/contrib/pf/pfctl Message-ID: <201106200837.p5K8bYR5031338@svn.freebsd.org>
Author: bz Date: Mon Jun 20 08:37:34 2011 New Revision: 223330 URL: http://svn.freebsd.org/changeset/base/223330 Log: MFC r223057: Add a new option -P to suppress getservbyport(3) calls when printing rules. This allows one to force consistent printing of numeric port numbers like we do with -n for other tools like netstat (just that -n was already taken) rather than the service names. PR: misc/151015 Submitted by: Matt Koivisto (mkoivisto sandvine.com) Sponsored by: Sandvine Incorporated Modified: stable/7/contrib/pf/pfctl/pfctl.8 stable/7/contrib/pf/pfctl/pfctl.c stable/7/contrib/pf/pfctl/pfctl_optimize.c stable/7/contrib/pf/pfctl/pfctl_parser.c stable/7/contrib/pf/pfctl/pfctl_parser.h Directory Properties: stable/7/contrib/pf/ (props changed) Modified: stable/7/contrib/pf/pfctl/pfctl.8 ============================================================================== --- stable/7/contrib/pf/pfctl/pfctl.8 Mon Jun 20 08:37:20 2011 (r223329) +++ stable/7/contrib/pf/pfctl/pfctl.8 Mon Jun 20 08:37:34 2011 (r223330) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 20, 2002 +.Dd June 13, 2011 .Dt PFCTL 8 .Os .Sh NAME @@ -35,7 +35,7 @@ .Sh SYNOPSIS .Nm pfctl .Bk -words -.Op Fl AdeghmNnOqRrvz +.Op Fl AdeghmNnOPqRrvz .Op Fl a Ar anchor .Oo Fl D Ar macro Ns = .Ar value Oc @@ -350,6 +350,9 @@ without any options will enable optimizations, and a second .Fl o will enable profiling. +.It Fl P +Do not perform service name lookup for port specific rules, +instead display the ports numerically. .It Fl p Ar device Use the device file .Ar device 
@@ -670,6 +673,7 @@ Passive operating system fingerprint dat
 .Xr pf.conf 5 ,
 .Xr pf.os 5 ,
 .Xr rc.conf 5 ,
+.Xr services 5 ,
 .Xr sysctl.conf 5 ,
 .Xr authpf 8 ,
 .Xr ftp-proxy 8 ,
Modified: stable/7/contrib/pf/pfctl/pfctl.c
==============================================================================
--- stable/7/contrib/pf/pfctl/pfctl.c Mon Jun 20 08:37:20 2011 (r223329)
+++ stable/7/contrib/pf/pfctl/pfctl.c Mon Jun 20 08:37:34 2011 (r223330)
@@ -235,7 +235,7 @@ usage(void)
 {
 extern char *__progname;
- fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
+ fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
 fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
 fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
 fprintf(stderr, "[-k host | network ]\n");
@@ -770,6 +770,7 @@ pfctl_show_rules(int dev, char *path, in
 struct pfioc_rule pr;
 u_int32_t nr, mnr, header = 0;
 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
+ int numeric = opts & PF_OPT_NUMERIC;
 int len = strlen(path);
 int brace;
 char *p;
@@ -834,7 +835,7 @@ pfctl_show_rules(int dev, char *path, in
 case PFCTL_SHOW_RULES:
 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
 labels = 1;
- print_rule(&pr.rule, pr.anchor_call, rule_numbers);
+ print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
 printf("\n");
 pfctl_print_rule_counters(&pr.rule, opts);
 break;
@@ -894,7 +895,7 @@ pfctl_show_rules(int dev, char *path, in
 } else
 p = &pr.anchor_call[0];
- print_rule(&pr.rule, p, rule_numbers);
+ print_rule(&pr.rule, p, rule_numbers, numeric);
 if (brace)
 printf(" {\n");
 else
@@ -951,7 +952,7 @@ pfctl_show_nat(int dev, int opts, char *
 dotitle = 0;
 }
 print_rule(&pr.rule, pr.anchor_call,
- opts & PF_OPT_VERBOSE2);
+ opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
 printf("\n");
 pfctl_print_rule_counters(&pr.rule, opts);
 pfctl_clear_pool(&pr.rule.rpool);
@@ -1318,7 +1319,8 @@ pfctl_load_rule(struct pfctl *pf, char *
 if (pf->opts & PF_OPT_VERBOSE) {
 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
 print_rule(r, r->anchor ? r->anchor->name : "",
- pf->opts & PF_OPT_VERBOSE2);
+ pf->opts & PF_OPT_VERBOSE2,
+ pf->opts & PF_OPT_NUMERIC);
 }
 path[len] = '\0';
 pfctl_clear_pool(&r->rpool);
@@ -1978,7 +1980,7 @@ main(int argc, char *argv[])
 usage();
 while ((ch = getopt(argc, argv,
- "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
+ "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
 switch (ch) {
 case 'a':
 anchoropt = optarg;
@@ -2080,6 +2082,9 @@ main(int argc, char *argv[])
 case 'p':
 pf_device = optarg;
 break;
+ case 'P':
+ opts |= PF_OPT_NUMERIC;
+ break;
 case 's':
 showopt = pfctl_lookup_option(optarg, showopt_list);
 if (showopt == NULL) {
Modified: stable/7/contrib/pf/pfctl/pfctl_optimize.c
==============================================================================
--- stable/7/contrib/pf/pfctl/pfctl_optimize.c Mon Jun 20 08:37:20 2011 (r223329)
+++ stable/7/contrib/pf/pfctl/pfctl_optimize.c Mon Jun 20 08:37:34 2011 (r223330)
@@ -407,7 +407,7 @@ optimize_superblock(struct pfctl *pf, st
 TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
 printf(" ");
 print_rule(&por->por_rule, por->por_rule.anchor ?
- por->por_rule.anchor->name : "", 1);
+ por->por_rule.anchor->name : "", 1, 0);
 }
 #endif /* OPT_DEBUG */
Modified: stable/7/contrib/pf/pfctl/pfctl_parser.c
==============================================================================
--- stable/7/contrib/pf/pfctl/pfctl_parser.c Mon Jun 20 08:37:20 2011 (r223329)
+++ stable/7/contrib/pf/pfctl/pfctl_parser.c Mon Jun 20 08:37:34 2011 (r223330)
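Review bot: The OPT_DEBUG listing in optimize_superblock() passes a literal `0` as the new numeric argument, so `-P` is silently ignored there even though `pf` is a parameter of this function and carries the flag; `por->por_rule.anchor->name : "", 1, pf->opts & PF_OPT_NUMERIC);` would keep the debug dump consistent with the normal rule listing. Since this block sits under `#ifdef OPT_DEBUG`, release builds are unaffected either way, but a developer comparing the two outputs will otherwise see service names in one and numbers in the other. optimize_superblock() begins and continues outside the hunk.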
@@ -64,11 +64,11 @@ __FBSDID("$FreeBSD$");
 #include "pfctl.h"
 void print_op (u_int8_t, const char *, const char *);
-void print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
+void print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int);
 void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
 void print_flags (u_int8_t);
 void print_fromto(struct pf_rule_addr *, pf_osfp_t,
- struct pf_rule_addr *, u_int8_t, u_int8_t, int);
+ struct pf_rule_addr *, u_int8_t, u_int8_t, int, int);
 int ifa_skip_if(const char *filter, struct node_host *p);
 struct node_host *ifa_grouplookup(const char *, int);
@@ -320,12 +320,15 @@ print_op(u_int8_t op, const char *a1, co
 }
 void
-print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
+print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numeric)
 {
 char a1[6], a2[6];
 struct servent *s;
- s = getservbyport(p1, proto);
+ if (!numeric)
+ s = getservbyport(p1, proto);
+ else
+ s = NULL;
 p1 = ntohs(p1);
 p2 = ntohs(p2);
 snprintf(a1, sizeof(a1), "%u", p1);
@@ -363,7 +366,7 @@ print_flags(u_int8_t f)
 void
 print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
- sa_family_t af, u_int8_t proto, int verbose)
+ sa_family_t af, u_int8_t proto, int verbose, int numeric)
 {
 char buf[PF_OSFP_LEN*3];
 if (src->addr.type == PF_ADDR_ADDRMASK &&
@@ -384,7 +387,8 @@ print_fromto(struct pf_rule_addr *src, p
 if (src->port_op)
 print_port(src->port_op, src->port[0], src->port[1],
- proto == IPPROTO_TCP ? "tcp" : "udp");
+ proto == IPPROTO_TCP ? "tcp" : "udp",
+ numeric);
 if (osfp != PF_OSFP_ANY)
 printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf, sizeof(buf)));
@@ -396,7 +400,8 @@ print_fromto(struct pf_rule_addr *src, p
 if (dst->port_op)
 print_port(dst->port_op, dst->port[0], dst->port[1],
- proto == IPPROTO_TCP ? "tcp" : "udp");
+ proto == IPPROTO_TCP ? "tcp" : "udp",
+ numeric);
 }
 }
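Review bot: In print_port() the new branch still hands `p1` to getservbyport(3) before the `ntohs()` calls, i.e. in network byte order, which is what that function expects but is easy for a later reader to "fix" by moving the lookup below the conversion; a one-line comment such as `/* -P: skip the services(5) lookup so ports print numerically; p1 is still network order here */` would pin both facts. The definition line `print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numeric)` also runs past 80 columns, unlike the surrounding KNF code, so the last parameter should be wrapped onto a continuation line. Separately, print_fromto() still selects `"udp"` as the lookup protocol for every non-TCP `proto`, so if a rule can carry a port operator with some other protocol the name shown comes from the udp entries; `-P` is then the only way to get an unambiguous listing, which may be worth a sentence in pfctl.8 for people who parse the output. The bodies of print_port() and print_fromto() both continue outside the hunk.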
@@ -673,7 +678,7 @@ print_src_node(struct pf_src_node *sn, i
 }
 void
-print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
+print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
 {
 static const char *actiontypes[] = { "pass", "block", "scrub", "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
@@ -800,7 +805,7 @@ print_rule(struct pf_rule *r, const char
 printf(" proto %u", r->proto);
 }
 print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,
- verbose);
+ verbose, numeric);
 if (r->uid.op)
 print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user", UID_MAX);
Modified: stable/7/contrib/pf/pfctl/pfctl_parser.h
==============================================================================
--- stable/7/contrib/pf/pfctl/pfctl_parser.h Mon Jun 20 08:37:20 2011 (r223329)
+++ stable/7/contrib/pf/pfctl/pfctl_parser.h Mon Jun 20 08:37:34 2011 (r223330)
@@ -48,6 +48,7 @@
 #define PF_OPT_DEBUG 0x0200
 #define PF_OPT_SHOWALL 0x0400
 #define PF_OPT_OPTIMIZE 0x0800
+#define PF_OPT_NUMERIC 0x1000
 #define PF_OPT_MERGE 0x2000
 #define PF_OPT_RECURSE 0x4000
@@ -235,7 +236,7 @@ int pfctl_load_anchors(int, struct pfctl
 void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
 void print_src_node(struct pf_src_node *, int);
-void print_rule(struct pf_rule *, const char *, int);
+void print_rule(struct pf_rule *, const char *, int, int);
 void print_tabledef(const char *, int, int, struct node_tinithead *);
 void print_status(struct pf_status *, int);
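Review bot: The header prototype for print_rule() now ends in two unnamed `int` parameters of the same type, and the callers touched by this commit pass them either as bare literals (`1, 0` in pfctl_optimize.c) or as two masked `opts` expressions, so nothing at a call site shows which one is verbose and which is numeric. A short comment on the declaration, `/* print_rule(rule, anchor_call, verbose, numeric) */`, or naming the two ints in the prototype would make the order visible to future callers and reviewers. The `0x1000` value chosen for PF_OPT_NUMERIC fills the gap between PF_OPT_OPTIMIZE and PF_OPT_MERGE, so no bit collision is visible in this hunk.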