
pfctl: fix printing of 'foo/*' anchors

by Lawrence Teo-6

The pfctl(8) man page says:

    By default, recursive inline printing of anchors applies only to
    unnamed anchors specified inline in the ruleset.  If the anchor
    name is terminated with a `*' character, the -s flag will
    recursively print all anchors in a brace delimited block.  For
    example the following will print the ``authpf'' ruleset
    recursively:

    # pfctl -a 'authpf/*' -sr

However, that pfctl command will not show any output, whether for
'authpf/*' or any other 'foo/*' anchor, even if they are populated.

I tested this by setting up authpf and logging in as two users (bula and
charlie) so that my 'authpf/*' anchor is populated.  My live PF
ruleset looks like this:

# pfctl -a '*' -sr
pass all flags S/SA
anchor "authpf/*" all {
  anchor "bula(1874)" all {
    pass in on em0 inet proto tcp from 172.16.0.15 to any port = 9876 flags S/SA
  }
  anchor "charlie(5749)" all {
    pass in quick on em0 inet proto tcp from 172.16.0.22 to any port = 5678 flags S/SA
  }
}

When I try to print just the 'authpf/*' anchor per the man page, pfctl
does not show any output:

# pfctl -a 'authpf/*' -sr
#

The diff below fixes pfctl so that it will show the 'authpf/*' anchor
as intended:

# pfctl -a 'authpf/*' -sr
anchor "bula(1874)" all {
  pass in on em0 inet proto tcp from 172.16.0.15 to any port = 9876 flags S/SA
}
anchor "charlie(5749)" all {
  pass in quick on em0 inet proto tcp from 172.16.0.22 to any port = 5678 flags S/SA
}

Note that since this diff changes the behavior of
"pfctl -a 'foo/*' -sr", it will also change the pfload* regression
tests since those tests execute this command:
pfctl -o none -a 'regress/*' -gvvsr

If this diff is correct, I would appreciate some guidance from the
developers on how to address the pfload* regression tests.

Comments are welcome.

Thank you,
Lawrence


Index: pfctl.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.310
diff -u -p -r1.310 pfctl.c
--- pfctl.c 18 Apr 2012 14:42:17 -0000 1.310
+++ pfctl.c 26 Apr 2012 03:50:02 -0000
@@ -1937,6 +1937,7 @@ main(int argc, char *argv[])
  int optimize = PF_OPTIMIZE_BASIC;
  int level;
  char anchorname[MAXPATHLEN];
+ int anchor_wildcard = 0;
  char *path;
  char *lfile = NULL, *sfile = NULL;
  const char *errstr;
@@ -2097,9 +2098,10 @@ main(int argc, char *argv[])
  int len = strlen(anchoropt);
 
  if (anchoropt[len - 1] == '*') {
- if (len >= 2 && anchoropt[len - 2] == '/')
+ if (len >= 2 && anchoropt[len - 2] == '/') {
  anchoropt[len - 2] = '\0';
- else
+ anchor_wildcard = 1;
+ } else
  anchoropt[len - 1] = '\0';
  opts |= PF_OPT_RECURSE;
  }
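Review bot: pre-existing rather than introduced here, but while this block is being touched, `anchoropt[len - 1]` is read before anything checks that `len` is non-zero, so an empty `-a ''` argument would index one byte before the buffer; a `len > 0 &&` guard on the outer `if` would close that. Since `anchor_wildcard` now distinguishes 'foo/*' from 'foo*' while both forms still set PF_OPT_RECURSE, a one-line comment next to `anchor_wildcard = 1;` stating that the '/*' form means "the anchors under foo" rather than "foo itself" would save the next reader a trip to pfctl_show_rules().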
@@ -2136,7 +2138,7 @@ main(int argc, char *argv[])
  case 'r':
  pfctl_load_fingerprints(dev, opts);
  pfctl_show_rules(dev, path, opts, PFCTL_SHOW_RULES,
-    anchorname, 0, 0, shownr);
+    anchorname, 0, anchor_wildcard, shownr);
  break;
  case 'l':
  pfctl_load_fingerprints(dev, opts);
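Review bot: the prototype of pfctl_show_rules() is not in the diff, so the commit message should name which parameter the `0` being replaced by `anchor_wildcard` is, so reviewers can confirm the positional argument is the intended one. Only the 'r' case is changed; the 'l' case that follows it (and any other -s mode that takes the same anchor argument) presumably still passes 0, so state whether `-a 'foo/*' -sl` is deliberately left alone or needs the same treatment. The mail already notes that the pfload* tests run `pfctl -o none -a 'regress/*' -gvvsr`; the expected-output files for those tests should be regenerated and included with this change rather than left for a follow-up.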

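The post describes three spellings of the -a argument that pfctl treats differently: a plain anchor name, a name ending in '*', and a name ending in '/*', with only the last one now setting the wildcard flag. As an added example (not pfctl's code, and not part of the original mail), the small C program below re-implements just that suffix classification in a stand-alone function so the three cases can be compared side by side; the struct and the names `recurse` and `wildcard` are this example's own and mirror the PF_OPT_RECURSE bit and the `anchor_wildcard` local in the diff. It also rejects an empty argument before indexing `len - 1`, which the original code does not check.

```c
#include <stdio.h>
#include <string.h>

/*
 * Example (not pfctl's own code): result of classifying one -a argument.
 *   "foo"    -> name "foo",  recurse 0, wildcard 0
 *   "foo*"   -> name "foo",  recurse 1, wildcard 0
 *   "foo/*"  -> name "foo",  recurse 1, wildcard 1  (the case the diff fixes)
 *   "*"      -> name "",     recurse 1, wildcard 0  (top-level, as in -a '*')
 */
struct anchor_opt {
	char name[64];   /* anchor name with any trailing "*" or "/*" removed */
	int recurse;     /* set whenever the argument ended in '*' */
	int wildcard;    /* set only for the "foo/*" form */
};

/*
 * Classify arg into *out.  Returns 0 on success, -1 if arg is empty
 * (so name[len - 1] would read before the buffer) or too long to copy.
 */
int
parse_anchor_opt(const char *arg, struct anchor_opt *out)
{
	size_t len = strlen(arg);

	memset(out, 0, sizeof(*out));
	if (len == 0 || len >= sizeof(out->name))
		return -1;
	memcpy(out->name, arg, len + 1);

	/* Same stripping logic as the hunk above, with the flag recorded. */
	if (out->name[len - 1] == '*') {
		if (len >= 2 && out->name[len - 2] == '/') {
			out->name[len - 2] = '\0';
			out->wildcard = 1;
		} else
			out->name[len - 1] = '\0';
		out->recurse = 1;
	}
	return 0;
}

/* Convenience check: 1 if arg parses to exactly (name, recurse, wildcard). */
int
anchor_opt_matches(const char *arg, const char *name, int recurse, int wildcard)
{
	struct anchor_opt o;

	if (parse_anchor_opt(arg, &o) != 0)
		return 0;
	return strcmp(o.name, name) == 0 && o.recurse == recurse &&
	    o.wildcard == wildcard;
}

int
main(void)
{
	/* Constructed inputs, including the empty argument edge case. */
	const char *args[] = { "authpf", "authpf*", "authpf/*", "*", "" };
	struct anchor_opt o;
	size_t i;

	for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
		if (parse_anchor_opt(args[i], &o) != 0) {
			printf("%-10s -> rejected\n", args[i]);
			continue;
		}
		printf("%-10s -> name=\"%s\" recurse=%d wildcard=%d\n",
		    args[i], o.name, o.recurse, o.wildcard);
	}
	return 0;
}
```

Run as-is it prints one line per input; the `anchor_opt_matches` helper exists so the classification can be asserted on rather than read off the output.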