mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-04 23:50:27 +00:00
pfctl: fix recursive printing of nat anchors
Similar to the preceding fix for rules, ensure that we recursively list wildcard anchors for nat rules. MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate")
This commit is contained in:
parent
6ee3e37682
commit
8ddd0359bc
|
@ -98,7 +98,7 @@ void pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int);
|
||||||
void pfctl_print_rule_counters(struct pfctl_rule *, int);
|
void pfctl_print_rule_counters(struct pfctl_rule *, int);
|
||||||
int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, int, int);
|
int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, int, int);
|
||||||
int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int, int);
|
int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int, int);
|
||||||
int pfctl_show_nat(int, char *, int, char *, int);
|
int pfctl_show_nat(int, char *, int, char *, int, int);
|
||||||
int pfctl_show_src_nodes(int, int);
|
int pfctl_show_src_nodes(int, int);
|
||||||
int pfctl_show_states(int, const char *, int);
|
int pfctl_show_states(int, const char *, int);
|
||||||
int pfctl_show_status(int, int);
|
int pfctl_show_status(int, int);
|
||||||
|
@ -1417,7 +1417,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
|
pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth,
|
||||||
|
int wildcard)
|
||||||
{
|
{
|
||||||
struct pfctl_rules_info ri;
|
struct pfctl_rules_info ri;
|
||||||
struct pfctl_rule rule;
|
struct pfctl_rule rule;
|
||||||
|
@ -1425,14 +1426,65 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
|
||||||
u_int32_t nr;
|
u_int32_t nr;
|
||||||
static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
|
static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
|
||||||
int i, dotitle = opts & PF_OPT_SHOWALL;
|
int i, dotitle = opts & PF_OPT_SHOWALL;
|
||||||
int brace, ret;
|
int ret;
|
||||||
int len = strlen(path);
|
int len = strlen(path);
|
||||||
char *p;
|
char *npath, *p;
|
||||||
|
|
||||||
if (path[0])
|
/*
|
||||||
snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
|
* Truncate a trailing / and * on an anchorname before searching for
|
||||||
else
|
* the ruleset, this is syntactic sugar that doesn't actually make it
|
||||||
snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
|
* to the kernel.
|
||||||
|
*/
|
||||||
|
if ((p = strrchr(anchorname, '/')) != NULL &&
|
||||||
|
p[1] == '*' && p[2] == '\0') {
|
||||||
|
p[0] = '\0';
|
||||||
|
}
|
||||||
|
|
||||||
|
if (anchorname[0] == '/') {
|
||||||
|
if ((npath = calloc(1, MAXPATHLEN)) == NULL)
|
||||||
|
errx(1, "pfctl_rules: calloc");
|
||||||
|
snprintf(npath, MAXPATHLEN, "%s", anchorname);
|
||||||
|
} else {
|
||||||
|
if (path[0])
|
||||||
|
snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
|
||||||
|
else
|
||||||
|
snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
|
||||||
|
npath = path;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If this anchor was called with a wildcard path, go through
|
||||||
|
* the rulesets in the anchor rather than the rules.
|
||||||
|
*/
|
||||||
|
if (wildcard && (opts & PF_OPT_RECURSE)) {
|
||||||
|
struct pfioc_ruleset prs;
|
||||||
|
u_int32_t mnr, nr;
|
||||||
|
memset(&prs, 0, sizeof(prs));
|
||||||
|
memcpy(prs.path, npath, sizeof(prs.path));
|
||||||
|
if (ioctl(dev, DIOCGETRULESETS, &prs)) {
|
||||||
|
if (errno == EINVAL)
|
||||||
|
fprintf(stderr, "NAT anchor '%s' "
|
||||||
|
"not found.\n", anchorname);
|
||||||
|
else
|
||||||
|
err(1, "DIOCGETRULESETS");
|
||||||
|
}
|
||||||
|
mnr = prs.nr;
|
||||||
|
|
||||||
|
pfctl_print_rule_counters(&rule, opts);
|
||||||
|
for (nr = 0; nr < mnr; ++nr) {
|
||||||
|
prs.nr = nr;
|
||||||
|
if (ioctl(dev, DIOCGETRULESET, &prs))
|
||||||
|
err(1, "DIOCGETRULESET");
|
||||||
|
INDENT(depth, !(opts & PF_OPT_VERBOSE));
|
||||||
|
printf("nat-anchor \"%s\" all {\n", prs.name);
|
||||||
|
pfctl_show_nat(dev, npath, opts,
|
||||||
|
prs.name, depth + 1, 0);
|
||||||
|
INDENT(depth, !(opts & PF_OPT_VERBOSE));
|
||||||
|
printf("}\n");
|
||||||
|
}
|
||||||
|
path[len] = '\0';
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < 3; i++) {
|
for (i = 0; i < 3; i++) {
|
||||||
ret = pfctl_get_rules_info_h(pfh, &ri, nattype[i], path);
|
ret = pfctl_get_rules_info_h(pfh, &ri, nattype[i], path);
|
||||||
|
@ -1441,7 +1493,6 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
for (nr = 0; nr < ri.nr; ++nr) {
|
for (nr = 0; nr < ri.nr; ++nr) {
|
||||||
brace = 0;
|
|
||||||
INDENT(depth, !(opts & PF_OPT_VERBOSE));
|
INDENT(depth, !(opts & PF_OPT_VERBOSE));
|
||||||
|
|
||||||
if (pfctl_get_rule_h(pfh, nr, ri.ticket, path,
|
if (pfctl_get_rule_h(pfh, nr, ri.ticket, path,
|
||||||
|
@ -1453,35 +1504,25 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
|
||||||
ri.ticket, nattype[i], path) != 0)
|
ri.ticket, nattype[i], path) != 0)
|
||||||
return (-1);
|
return (-1);
|
||||||
|
|
||||||
if (anchor_call[0] &&
|
|
||||||
((((p = strrchr(anchor_call, '_')) != NULL) &&
|
|
||||||
(p == anchor_call ||
|
|
||||||
*(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
|
|
||||||
brace++;
|
|
||||||
if ((p = strrchr(anchor_call, '/')) !=
|
|
||||||
NULL)
|
|
||||||
p++;
|
|
||||||
else
|
|
||||||
p = &anchor_call[0];
|
|
||||||
} else
|
|
||||||
p = &anchor_call[0];
|
|
||||||
|
|
||||||
if (dotitle) {
|
if (dotitle) {
|
||||||
pfctl_print_title("TRANSLATION RULES:");
|
pfctl_print_title("TRANSLATION RULES:");
|
||||||
dotitle = 0;
|
dotitle = 0;
|
||||||
}
|
}
|
||||||
print_rule(&rule, anchor_call,
|
print_rule(&rule, anchor_call,
|
||||||
opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
|
opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
|
||||||
if (brace)
|
if (anchor_call[0] &&
|
||||||
|
(((p = strrchr(anchor_call, '/')) ?
|
||||||
|
p[1] == '_' : anchor_call[0] == '_') ||
|
||||||
|
opts & PF_OPT_RECURSE)) {
|
||||||
printf(" {\n");
|
printf(" {\n");
|
||||||
else
|
pfctl_print_rule_counters(&rule, opts);
|
||||||
printf("\n");
|
pfctl_show_nat(dev, npath, opts, anchor_call,
|
||||||
pfctl_print_rule_counters(&rule, opts);
|
depth + 1, rule.anchor_wildcard);
|
||||||
pfctl_clear_pool(&rule.rpool);
|
|
||||||
if (brace) {
|
|
||||||
pfctl_show_nat(dev, path, opts, p, depth + 1);
|
|
||||||
INDENT(depth, !(opts & PF_OPT_VERBOSE));
|
INDENT(depth, !(opts & PF_OPT_VERBOSE));
|
||||||
printf("}\n");
|
printf("}\n");
|
||||||
|
} else {
|
||||||
|
printf("\n");
|
||||||
|
pfctl_print_rule_counters(&rule, opts);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -3101,7 +3142,7 @@ main(int argc, char *argv[])
|
||||||
break;
|
break;
|
||||||
case 'n':
|
case 'n':
|
||||||
pfctl_load_fingerprints(dev, opts);
|
pfctl_load_fingerprints(dev, opts);
|
||||||
pfctl_show_nat(dev, path, opts, anchorname, 0);
|
pfctl_show_nat(dev, path, opts, anchorname, 0, 0);
|
||||||
break;
|
break;
|
||||||
case 'q':
|
case 'q':
|
||||||
pfctl_show_altq(dev, ifaceopt, opts,
|
pfctl_show_altq(dev, ifaceopt, opts,
|
||||||
|
@ -3136,7 +3177,7 @@ main(int argc, char *argv[])
|
||||||
pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0,
|
pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0,
|
||||||
0);
|
0);
|
||||||
|
|
||||||
pfctl_show_nat(dev, path, opts, anchorname, 0);
|
pfctl_show_nat(dev, path, opts, anchorname, 0, 0);
|
||||||
pfctl_show_rules(dev, path, opts, 0, anchorname, 0, 0);
|
pfctl_show_rules(dev, path, opts, 0, anchorname, 0, 0);
|
||||||
pfctl_show_altq(dev, ifaceopt, opts, 0);
|
pfctl_show_altq(dev, ifaceopt, opts, 0);
|
||||||
pfctl_show_states(dev, ifaceopt, opts);
|
pfctl_show_states(dev, ifaceopt, opts);
|
||||||
|
|
Loading…
Reference in a new issue