misc/151015: [patch] Add pfctl -P option to not perform service
name lookup
Matt Koivisto
mkoivisto at sandvine.com
Mon Sep 27 21:20:05 UTC 2010
>Number: 151015
>Category: misc
>Synopsis: [patch] Add pfctl -P option to not perform service name lookup
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Sep 27 21:20:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Matt Koivisto
>Release: 8.1
>Organization:
Sandvine
>Environment:
N/A
>Description:
pfctl output uses getservbyport(3) calls to display ports by their service name. Currently, there is no option to disable this lookup and force numeric output.
>How-To-Repeat:
For example,
# pfctl -sr
..
pass in proto udp from any to any port = ssh keep state
>Fix:
See attached patch against RELENG_8_1
Added -P because -n (for numeric along the lines of netstat -n or tcpdump -n) was taken, as was -N and -p.
Patch after example,
# pfctl -sr -P
..
pass in proto udp from any to any port = 22 keep state
Patch attached with submission follows:
--- src/contrib/pf/pfctl/pfctl.c@@\main\RELENG_8\RELENG_8_1\0 2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl.c 2010-09-27 15:00:19.000000000 -0400
@@ -233,11 +233,11 @@
void
usage(void)
{
extern char *__progname;
- fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
+ fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
fprintf(stderr, "[-k host | network ]\n");
fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
@@ -768,10 +768,11 @@
char *anchorname, int depth)
{
struct pfioc_rule pr;
u_int32_t nr, mnr, header = 0;
int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
+ int numeric = opts & PF_OPT_NUMERIC;
int len = strlen(path);
int brace;
char *p;
if (path[0])
@@ -832,11 +833,11 @@
}
break;
case PFCTL_SHOW_RULES:
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
labels = 1;
- print_rule(&pr.rule, pr.anchor_call, rule_numbers);
+ print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
printf("\n");
pfctl_print_rule_counters(&pr.rule, opts);
break;
case PFCTL_SHOW_NOTHING:
break;
@@ -892,11 +893,11 @@
else
p = &pr.anchor_call[0];
} else
p = &pr.anchor_call[0];
- print_rule(&pr.rule, p, rule_numbers);
+ print_rule(&pr.rule, p, rule_numbers, numeric);
if (brace)
printf(" {\n");
else
printf("\n");
pfctl_print_rule_counters(&pr.rule, opts);
@@ -949,11 +950,11 @@
if (dotitle) {
pfctl_print_title("TRANSLATION RULES:");
dotitle = 0;
}
print_rule(&pr.rule, pr.anchor_call,
- opts & PF_OPT_VERBOSE2);
+ opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
printf("\n");
pfctl_print_rule_counters(&pr.rule, opts);
pfctl_clear_pool(&pr.rule.rpool);
}
}
@@ -1316,11 +1317,12 @@
}
if (pf->opts & PF_OPT_VERBOSE) {
INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
print_rule(r, r->anchor ? r->anchor->name : "",
- pf->opts & PF_OPT_VERBOSE2);
+ pf->opts & PF_OPT_VERBOSE2,
+ pf->opts & PF_OPT_NUMERIC);
}
path[len] = '\0';
pfctl_clear_pool(&r->rpool);
return (0);
}
@@ -1976,11 +1978,11 @@
if (argc < 2)
usage();
while ((ch = getopt(argc, argv,
- "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
+ "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
break;
case 'd':
@@ -2078,10 +2080,13 @@
loadopt |= PFCTL_FLAG_OPTION;
break;
case 'p':
pf_device = optarg;
break;
+ case 'P':
+ opts |= PF_OPT_NUMERIC;
+ break;
case 's':
showopt = pfctl_lookup_option(optarg, showopt_list);
if (showopt == NULL) {
warnx("Unknown show modifier '%s'", optarg);
usage();
--- src/contrib/pf/pfctl/pfctl_optimize.c@@\main\RELENG_8\RELENG_8_1\0 2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl_optimize.c 2010-09-27 14:55:08.000000000 -0400
@@ -405,11 +405,11 @@
#ifdef OPT_DEBUG
printf("--- Superblock ---\n");
TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
printf(" ");
print_rule(&por->por_rule, por->por_rule.anchor ?
- por->por_rule.anchor->name : "", 1);
+ por->por_rule.anchor->name : "", 1, 0);
}
#endif /* OPT_DEBUG */
if (remove_identical_rules(pf, block))
--- src/contrib/pf/pfctl/pfctl_parser.c@@\main\RELENG_8\RELENG_8_1\0 2010-01-23 00:32:19.000000000 -0500
+++ src/contrib/pf/pfctl/pfctl_parser.c 2010-09-27 14:54:59.000000000 -0400
@@ -62,15 +62,15 @@
#include "pfctl_parser.h"
#include "pfctl.h"
void print_op (u_int8_t, const char *, const char *);
-void print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
+void print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int);
void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
void print_flags (u_int8_t);
void print_fromto(struct pf_rule_addr *, pf_osfp_t,
- struct pf_rule_addr *, u_int8_t, u_int8_t, int);
+ struct pf_rule_addr *, u_int8_t, u_int8_t, int, int);
int ifa_skip_if(const char *filter, struct node_host *p);
struct node_host *ifa_grouplookup(const char *, int);
struct node_host *host_if(const char *, int);
struct node_host *host_v4(const char *, int);
@@ -318,16 +318,17 @@
else if (op == PF_OP_RRG)
printf(" %s:%s", a1, a2);
}
void
-print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
+print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numeric)
{
char a1[6], a2[6];
- struct servent *s;
+ struct servent *s = NULL;
- s = getservbyport(p1, proto);
+ if (!numeric)
+ s = getservbyport(p1, proto);
p1 = ntohs(p1);
p2 = ntohs(p2);
snprintf(a1, sizeof(a1), "%u", p1);
snprintf(a2, sizeof(a2), "%u", p2);
printf(" port");
@@ -361,11 +362,11 @@
printf("%c", tcpflags[i]);
}
void
print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
- sa_family_t af, u_int8_t proto, int verbose)
+ sa_family_t af, u_int8_t proto, int verbose, int numeric)
{
char buf[PF_OSFP_LEN*3];
if (src->addr.type == PF_ADDR_ADDRMASK &&
dst->addr.type == PF_ADDR_ADDRMASK &&
PF_AZERO(&src->addr.v.a.addr, AF_INET6) &&
@@ -382,11 +383,12 @@
printf("! ");
print_addr(&src->addr, af, verbose);
if (src->port_op)
print_port(src->port_op, src->port[0],
src->port[1],
- proto == IPPROTO_TCP ? "tcp" : "udp");
+ proto == IPPROTO_TCP ? "tcp" : "udp",
+ numeric);
if (osfp != PF_OSFP_ANY)
printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf,
sizeof(buf)));
printf(" to ");
@@ -394,11 +396,12 @@
printf("! ");
print_addr(&dst->addr, af, verbose);
if (dst->port_op)
print_port(dst->port_op, dst->port[0],
dst->port[1],
- proto == IPPROTO_TCP ? "tcp" : "udp");
+ proto == IPPROTO_TCP ? "tcp" : "udp",
+ numeric);
}
}
void
print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
@@ -671,11 +674,11 @@
printf("\n");
}
}
void
-print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
+print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
{
static const char *actiontypes[] = { "pass", "block", "scrub",
"no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
static const char *anchortypes[] = { "anchor", "anchor", "anchor",
"anchor", "nat-anchor", "nat-anchor", "binat-anchor",
@@ -798,11 +801,11 @@
printf(" proto %s", p->p_name);
else
printf(" proto %u", r->proto);
}
print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,
- verbose);
+ verbose, numeric);
if (r->uid.op)
print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",
UID_MAX);
if (r->gid.op)
print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
--- src/contrib/pf/pfctl/pfctl_parser.h@@\main\RELENG_8\RELENG_8_1\0 2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl_parser.h 2010-09-27 14:55:02.000000000 -0400
@@ -46,10 +46,11 @@
#define PF_OPT_VERBOSE2 0x0080
#define PF_OPT_DUMMYACTION 0x0100
#define PF_OPT_DEBUG 0x0200
#define PF_OPT_SHOWALL 0x0400
#define PF_OPT_OPTIMIZE 0x0800
+#define PF_OPT_NUMERIC 0x1000
#define PF_OPT_MERGE 0x2000
#define PF_OPT_RECURSE 0x4000
#define PF_TH_ALL 0xFF
@@ -233,11 +234,11 @@
int parse_flags(char *);
int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_src_node(struct pf_src_node *, int);
-void print_rule(struct pf_rule *, const char *, int);
+void print_rule(struct pf_rule *, const char *, int, int);
void print_tabledef(const char *, int, int, struct node_tinithead *);
void print_status(struct pf_status *, int);
int eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
struct node_queue_opt *);
--- src/contrib/pf/pfctl/pfctl.8@@\main\RELENG_8\RELENG_8_1\0 2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl.8 2010-09-27 15:21:14.000000000 -0400
@@ -348,10 +348,13 @@
without any options will enable
.Cm basic
optimizations, and a second
.Fl o
will enable profiling.
+.It Fl P
+Do not perform service name lookup for port specific rules,
+instead display the ports numerically.
.It Fl p Ar device
Use the device file
.Ar device
instead of the default
.Pa /dev/pf .
@@ -668,10 +671,11 @@
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pf.os 5 ,
.Xr rc.conf 5 ,
+.Xr services 5 ,
.Xr sysctl.conf 5 ,
.Xr authpf 8 ,
.Xr ftp-proxy 8 ,
.Xr rc 8 ,
.Xr sysctl 8
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list