Module Name: src Committed By: rmind Date: Sat Mar 21 00:49:07 UTC 2015
Modified Files: src/usr.sbin/npf/npfctl: npf_build.c npf_show.c Log Message: npfctl: - Fix the filter criteria when to/from is omitted but port used. - Print more user-friendly error if an NPF table has a duplicate entry. To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/npf/npfctl/npf_build.c cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.38 src/usr.sbin/npf/npfctl/npf_build.c:1.39
--- src/usr.sbin/npf/npfctl/npf_build.c:1.38	Sat May 31 22:41:37 2014
+++ src/usr.sbin/npf/npfctl/npf_build.c	Sat Mar 21 00:49:07 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -91,6 +91,10 @@ npfctl_config_send(int fd, const char *o
 	}
 	npf_rule_insert(npf_conf, NULL, defgroup);
 	error = npf_config_submit(npf_conf, fd);
+	if (error == EEXIST) { /* XXX */
+		errx(EXIT_FAILURE, "(re)load failed: "
+		    "some table has a duplicate entry?");
+	}
 	if (error) {
 		nl_error_t ne;
 		_npf_config_error(npf_conf, &ne);
Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.17 src/usr.sbin/npf/npfctl/npf_show.c:1.18
--- src/usr.sbin/npf/npfctl/npf_show.c:1.17	Mon Feb 2 19:08:32 2015
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sat Mar 21 00:49:07 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $");
 
 #include <sys/socket.h>
 #include <netinet/in.h>
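Review bot: The new `error == EEXIST` branch exits before the `_npf_config_error` call that follows it, so whatever detail that path attaches to `ne` (presumably the failing element) is discarded for exactly the case whose message hedges with a question mark. If EEXIST really cannot be mapped to the offending table here, the assumption deserves a real comment instead of `/* XXX */`, e.g. `/* EEXIST is assumed to come from a duplicate table entry; the kernel does not report which one. */`; if the error record does carry an id or source line, falling through and including it in the message would be better than guessing. The body of npfctl_config_send continues outside the hunk.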
@@ -53,13 +53,22 @@ __RCSID("$NetBSD: npf_show.c,v 1.17 2015
 
 #include "npfctl.h"
 
+#define SEEN_SRC	0x01
+#define SEEN_DST	0x02
+
 typedef struct {
 	nl_config_t *	conf;
 	FILE *		fp;
 	long		fpos;
+	u_int		flags;
+	uint32_t	curmark;
 } npf_conf_info_t;
 
-static npf_conf_info_t stdout_ctx = { .fp = stdout, .fpos = 0 };
+static npf_conf_info_t stdout_ctx = {
+	.fp = stdout,
+	.fpos = 0,
+	.flags = 0
+};
 
 static void	print_indent(npf_conf_info_t *, u_int);
 static void	print_linesep(npf_conf_info_t *);
@@ -201,12 +210,18 @@ static char *
 print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
 {
 	u_int fport = words[0], tport = words[1];
+	const char *any_str = "";
 	char *p;
 
+	if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0)
+		any_str = "to any ";
+	if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0)
+		any_str = "from any ";
+
 	if (fport != tport) {
-		easprintf(&p, "%u:%u", fport, tport);
+		easprintf(&p, "%s%u:%u", any_str, fport, tport);
 	} else {
-		easprintf(&p, "%u", fport);
+		easprintf(&p, "%s%u", any_str, fport);
 	}
 	return p;
 }
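Review bot: The rewritten `stdout_ctx` initializer spells out `.flags = 0` but not the new `.curmark`; both are zero anyway (static storage and the designated initializer zero every unnamed member), so the explicit `.flags = 0` only suggests a distinction that does not exist. Either drop it or list `.curmark = 0` alongside it, and give the two new struct fields a comment on their intended lifetime, since nothing in this hunk says whether they are meant to be per-rule or per-config state, e.g. `/* address criteria seen so far and the mark currently being printed (presumably reset per rule) */`.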
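Review bot: The `any_str` mapping reads as inverted to me: a `BM_SRC_PORTS` mark with no source address seen is prefixed with `to any `, and a `BM_DST_PORTS` mark with no destination seen with `from any `, while the keyword table in this same commit prints source ports right after the `from` criteria and destination ports after `to`. Re-read by the parser, `to any port 80` would turn a source-port match into a destination-port match, so I would expect `any_str = "from any ";` for `BM_SRC_PORTS` and `any_str = "to any ";` for `BM_DST_PORTS`; worth confirming against the grammar before this ships. A short comment above the two `if`s stating why the prefix is synthesized, `/* A port criterion with no address needs a from/to direction to round-trip. */`, would also help the next reader.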
@@ -244,22 +259,23 @@ static const struct mark_keyword_mapent
 	u_int		mark;
 	const char *	token;
 	const char *	sep;
+	u_int		set_flags;
 	char *		(*printfn)(npf_conf_info_t *, const uint32_t *);
 	u_int		fwords;
 } mark_keyword_map[] = {
-	{ BM_IPVER,	"family %s",	NULL, print_family,	1 },
-	{ BM_PROTO,	"proto %s",	", ", print_proto,	1 },
-	{ BM_TCPFL,	"flags %s",	NULL, print_tcpflags,	2 },
-	{ BM_ICMP_TYPE,	"icmp-type %s",	NULL, print_number,	1 },
-	{ BM_ICMP_CODE,	"code %s",	NULL, print_number,	1 },
-
-	{ BM_SRC_CIDR,	"from %s",	", ", print_address,	6 },
-	{ BM_SRC_TABLE,	"from <%s>",	NULL, print_table,	1 },
-	{ BM_SRC_PORTS,	"port %s",	", ", print_portrange,2 },
-
-	{ BM_DST_CIDR,	"to %s",	", ", print_address,	6 },
-	{ BM_DST_TABLE,	"to <%s>",	NULL, print_table,	1 },
-	{ BM_DST_PORTS,	"port %s",	", ", print_portrange,2 },
+	{ BM_IPVER,	"family %s",	NULL, 0, print_family,	1 },
+	{ BM_PROTO,	"proto %s",	", ", 0, print_proto,	1 },
+	{ BM_TCPFL,	"flags %s",	NULL, 0, print_tcpflags,	2 },
+	{ BM_ICMP_TYPE,	"icmp-type %s",	NULL, 0, print_number,	1 },
+	{ BM_ICMP_CODE,	"code %s",	NULL, 0, print_number,	1 },
+
+	{ BM_SRC_CIDR,	"from %s",	", ", SEEN_SRC, print_address,	6 },
+	{ BM_SRC_TABLE,	"from <%s>",	NULL, SEEN_SRC, print_table,	1 },
+	{ BM_SRC_PORTS,	"port %s",	", ", 0, print_portrange,2 },
+
+	{ BM_DST_CIDR,	"to %s",	", ", SEEN_DST, print_address,	6 },
+	{ BM_DST_TABLE,	"to <%s>",	NULL, SEEN_DST, print_table,	1 },
+	{ BM_DST_PORTS,	"port %s",	", ", 0, print_portrange,2 },
 };
 
 static const char * __attribute__((format_arg(2)))
@@ -285,6 +301,10 @@ scan_marks(npf_conf_info_t *ctx, const s
 		errx(EXIT_FAILURE, "byte-code marking inconsistency");
 	}
 	if (m == mk->mark) {
+		/* Set the current mark and the flags. */
+		ctx->flags |= mk->set_flags;
+		ctx->curmark = m;
+
 		/* Value is processed by the print function. */
 		assert(mk->fwords == nwords);
 		vals[nvals++] = mk->printfn(ctx, marks);
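Review bot: Inserting `set_flags` in the middle of a positional initializer forced every row of `mark_keyword_map` to be rewritten and leaves the table one field reorder away from silently shifting `printfn` into `set_flags` (both are plain integers or pointers that the compiler will happily convert). With six fields per row, designated initializers such as `{ .mark = BM_SRC_CIDR, .token = "from %s", .sep = ", ", .set_flags = SEEN_SRC, .printfn = print_address, .fwords = 6 }` would make the next addition safer and self-documenting. A one-line comment on the new member, `/* OR-ed into ctx->flags when this mark is matched */`, would also help, since its reader lives in a later hunk.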
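Review bot: `ctx->flags |= mk->set_flags` only ever accumulates bits, and nothing in this commit clears `flags` or `curmark` before the next rule is scanned; since `stdout_ctx` is a file-scope static that is reused, a later rule written without `from` would inherit `SEEN_SRC` from an earlier rule and lose its synthesized `any` prefix in print_portrange. Unless the reset happens in a caller outside the diff, I would clear both at the start of the per-rule scan, `ctx->flags = 0; ctx->curmark = 0;`, and note the per-rule lifetime next to the two struct fields. The start of scan_marks is outside the hunk, so the reset may already exist there; please confirm.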