On 13:22:23 Dec 05, [EMAIL PROTECTED] wrote:
> A longer winded version (same idea - Perl ... and no prizes for my code)
>
> use warnings;
> use strict;
>
> # Get the rules
> my $pfctl_rules = `pfctl -s rules`;
>
> # Get the known services (stop if the file cannot be read)
> open(SERVICES, "<", "/etc/services") or die "open /etc/services: $!";
> my @services = <SERVICES>;
> close(SERVICES);
>
> # Pull out the TCP services (name => port); skip comment lines and
> # allow five-digit port numbers so anything above 9999 is not lost
> my %services;
> foreach my $service (@services) {
>     next if $service =~ /^\s*#/;
>     if ($service =~ /^(\S+)\s+([0-9]{1,5})\/tcp/) {
>         my $service_name = $1;
>         my $service_port = $2;
>         $services{$service_name} = $service_port;
>     }
> }
>
> # Now go through the rules - if we find port = ccc then translate, otherwise
> # just print the pfctl line "as is" (numeric ports fall through unchanged)
> foreach my $pfctl_rule (split /\n/, $pfctl_rules) {
>     if ($pfctl_rule =~ /(.*?)port = (\D*?)(\s.*|$)/) {
>         my ($before, $name, $after) = ($1, $2, $3);
>         my $look_up = "";
>         if (exists $services{$name}) {
>             $look_up = $services{$name};
>         }
>         print "${before}port = $name($look_up)$after\n";
>     } else {
>         print "$pfctl_rule\n";
>     }
> }
>
> Sample (manually altered, obviously):
>
> # perl pfrules.pl
> block drop log all
> pass out quick on XXX1 inet proto tcp from (XXX1) to NNN.NNN.NNN.NNN port = ssh(22) flags S/SA keep state
> pass proto udp from any to any port = domain(53) keep state
> pass in log on XXX0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state
> pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = www(80) flags S/SA keep state
> pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = https(443) flags S/SA keep state
If I had done this in my patch, probably it would have got accepted. ;)
Even now it could be done of course.
Just that I thought the "options" way.
If there is enough coffee for me in the list, I would do it. ;)
-Girish
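The same idea as the quoted Perl script, written here as an added Python example (it is not the poster's code and not part of pf or pfctl): parse an /etc/services-style table, then rewrite `port = name` in a `pfctl -s rules` listing as `port = name(number)`. It goes a little beyond the Perl version: it keys the lookup on the protocol the rule names (tcp or udp), keeps aliases such as `http` for `www`, leaves already-numeric ports alone and marks names it cannot resolve. The services excerpt, the interface `em0`, the address `192.0.2.10` and the rule lines are constructed sample data, not a real ruleset.

```python
# Added example (not the list post's Perl script or any pf tool): resolve
# service names in a "pfctl -s rules" listing to numeric ports, using the
# /etc/services format and the protocol each rule names.
import re

# Constructed excerpt in /etc/services format (not a copy of any real file).
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh              22/tcp     # SSH Remote Login Protocol
ssh              22/udp
domain           53/tcp
domain           53/udp
www              80/tcp     http
https           443/tcp
https           443/udp
syslog          514/udp
"""

# Constructed rule listing in the shape "pfctl -s rules" prints; em0 and
# 192.0.2.10 are placeholders, not a real ruleset.
SAMPLE_RULES = """\
block drop log all
pass in on em0 inet proto tcp from any to 192.0.2.10 port = ssh flags S/SA keep state
pass proto udp from any to any port = domain keep state
pass in log on em0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state
pass in on em0 inet proto tcp from any to 192.0.2.10 port = www flags S/SA keep state
pass in on em0 inet proto tcp from any to 192.0.2.10 port = nosuchsvc
"""

# name  port/proto  [aliases...]; five digits so ports above 9999 are kept
SERVICE_RE = re.compile(r'^(\S+)\s+(\d{1,5})/(tcp|udp)\b')
PORT_RE = re.compile(r'\bport = (\S+)')


def parse_services(text):
    """Return {(name, proto): port}, including aliases, skipping comments."""
    table = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].rstrip()   # drop trailing comments
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, port, proto = m.group(1), int(m.group(2)), m.group(3)
        table[(name, proto)] = port
        for alias in line[m.end():].split():    # e.g. "http" for www
            table.setdefault((alias, proto), port)
    return table


def annotate_rules(rules_text, table):
    """Rewrite 'port = name' as 'port = name(number)' in each rule line."""
    out = []
    for rule in rules_text.splitlines():
        # pf prints the protocol before the port; default to tcp, as the
        # original script did, when the rule does not say "proto udp"
        proto = 'udp' if re.search(r'\bproto udp\b', rule) else 'tcp'

        def repl(m, proto=proto):
            name = m.group(1)
            if name.isdigit():                  # already numeric: untouched
                return m.group(0)
            port = table.get((name, proto))
            label = str(port) if port is not None else 'unknown'
            return f'port = {name}({label})'

        out.append(PORT_RE.sub(repl, rule))
    return out


def demo():
    """Annotate the constructed sample ruleset; returns the rewritten lines."""
    return annotate_rules(SAMPLE_RULES, parse_services(SAMPLE_SERVICES))


if __name__ == '__main__':
    print('\n'.join(demo()))
```

Keying the table on `(name, proto)` matters because a name can map to different ports for tcp and udp, and a udp-only entry such as `syslog` should not resolve for a tcp rule; the Perl version silently used the tcp number for everything.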