From nobody Tue Jun 18 14:47:23 2024
Date: Tue, 18 Jun 2024 14:47:23 GMT
Message-Id: <202406181447.45IElNib070753@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 70cd0b4b03b0 - stable/13 - pfctl: fix recursive printing of nat anchors
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 70cd0b4b03b0eee2668b1a88b2f1076407753dbf
Auto-Submitted: auto-generated

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=70cd0b4b03b0eee2668b1a88b2f1076407753dbf

commit 70cd0b4b03b0eee2668b1a88b2f1076407753dbf
Author:     Kristof Provost
AuthorDate: 2024-05-28 14:26:28 +0000
Commit:     Kristof Provost
CommitDate: 2024-06-18 14:43:43 +0000

    pfctl: fix recursive printing of nat anchors

    Similar to the preceding fix for rules, ensure that we recursively list
    wildcard anchors for nat rules.

    MFC after:	3 weeks
    Sponsored by:	Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 8ddd0359bca5c5fc38189000a80a3180854a8a2e)

--- sbin/pfctl/pfctl.c | 103 +++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 72 insertions(+), 31 deletions(-) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 985cbe0771c0..1cdcd1d0b912 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -96,7 +96,7 @@ int pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int, char *); void pfctl_print_rule_counters(struct pfctl_rule *, int); int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int, int); -int pfctl_show_nat(int, char *, int, char *, int); +int pfctl_show_nat(int, char *, int, char *, int, int); int pfctl_show_src_nodes(int, int); int pfctl_show_states(int, const char *, int); int pfctl_show_status(int, int);
@@ -1220,7 +1220,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, } int -pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth) +pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth, + int wildcard) { struct pfctl_rules_info ri; struct pfctl_rule rule; 
@@ -1228,14 +1229,65 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth) u_int32_t nr; static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT }; int i, dotitle = opts & PF_OPT_SHOWALL; - int brace, ret; + int ret; int len = strlen(path); - char *p; + char *npath, *p; - if (path[0]) - snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); - else - snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); + /* + * Truncate a trailing / and * on an anchorname before searching for + * the ruleset, this is syntactic sugar that doesn't actually make it + * to the kernel. + */ + if ((p = strrchr(anchorname, '/')) != NULL && + p[1] == '*' && p[2] == '\0') { + p[0] = '\0'; + } + + if (anchorname[0] == '/') { + if ((npath = calloc(1, MAXPATHLEN)) == NULL) + errx(1, "pfctl_rules: calloc"); + snprintf(npath, MAXPATHLEN, "%s", anchorname); + } else { + if (path[0]) + snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); + else + snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); + npath = path; + } + + /* + * If this anchor was called with a wildcard path, go through + * the rulesets in the anchor rather than the rules. 
+ */ + if (wildcard && (opts & PF_OPT_RECURSE)) { + struct pfioc_ruleset prs; + u_int32_t mnr, nr; + memset(&prs, 0, sizeof(prs)); + memcpy(prs.path, npath, sizeof(prs.path)); + if (ioctl(dev, DIOCGETRULESETS, &prs)) { + if (errno == EINVAL) + fprintf(stderr, "NAT anchor '%s' " + "not found.\n", anchorname); + else + err(1, "DIOCGETRULESETS"); + } + mnr = prs.nr; + + pfctl_print_rule_counters(&rule, opts); + for (nr = 0; nr < mnr; ++nr) { + prs.nr = nr; + if (ioctl(dev, DIOCGETRULESET, &prs)) + err(1, "DIOCGETRULESET"); + INDENT(depth, !(opts & PF_OPT_VERBOSE)); + printf("nat-anchor \"%s\" all {\n", prs.name); + pfctl_show_nat(dev, npath, opts, + prs.name, depth + 1, 0); + INDENT(depth, !(opts & PF_OPT_VERBOSE)); + printf("}\n"); + } + path[len] = '\0'; + return (0); + } for (i = 0; i < 3; i++) { ret = pfctl_get_rules_info(dev, &ri, nattype[i], path); @@ -1244,7 +1296,6 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth) return (-1); } for (nr = 0; nr < ri.nr; ++nr) { - brace = 0; INDENT(depth, !(opts & PF_OPT_VERBOSE)); if (pfctl_get_rule(dev, nr, ri.ticket, path, 
@@ -1256,35 +1307,25 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth) ri.ticket, nattype[i], path) != 0) return (-1); - if (anchor_call[0] && - ((((p = strrchr(anchor_call, '_')) != NULL) && - (p == anchor_call || - *(--p) == '/')) || (opts & PF_OPT_RECURSE))) { - brace++; - if ((p = strrchr(anchor_call, '/')) != - NULL) - p++; - else - p = &anchor_call[0]; - } else - p = &anchor_call[0]; - if (dotitle) { pfctl_print_title("TRANSLATION RULES:"); dotitle = 0; } print_rule(&rule, anchor_call, opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC); - if (brace) + if (anchor_call[0] && + (((p = strrchr(anchor_call, '/')) ? + p[1] == '_' : anchor_call[0] == '_') || + opts & PF_OPT_RECURSE)) { printf(" {\n"); - else - printf("\n"); - pfctl_print_rule_counters(&rule, opts); - pfctl_clear_pool(&rule.rpool); - if (brace) { - pfctl_show_nat(dev, path, opts, p, depth + 1); + pfctl_print_rule_counters(&rule, opts); + pfctl_show_nat(dev, npath, opts, anchor_call, + depth + 1, rule.anchor_wildcard); INDENT(depth, !(opts & PF_OPT_VERBOSE)); printf("}\n"); + } else { + printf("\n"); + pfctl_print_rule_counters(&rule, opts); } } } @@ -2601,7 +2642,7 @@ main(int argc, char *argv[]) break; case 'n': pfctl_load_fingerprints(dev, opts); - pfctl_show_nat(dev, path, opts, anchorname, 0); + pfctl_show_nat(dev, path, opts, anchorname, 0, 0); break; case 'q': pfctl_show_altq(dev, ifaceopt, opts, @@ -2629,7 +2670,7 @@ main(int argc, char *argv[]) opts |= PF_OPT_SHOWALL; pfctl_load_fingerprints(dev, opts); - pfctl_show_nat(dev, path, opts, anchorname, 0); + pfctl_show_nat(dev, path, opts, anchorname, 0, 0); pfctl_show_rules(dev, path, opts, 0, anchorname, 0, 0); pfctl_show_altq(dev, ifaceopt, opts, 0); pfctl_show_states(dev, ifaceopt, opts);
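Review bot: in the @@ -1220,7 +1220,8 @@ hunk the new `int wildcard` parameter of pfctl_show_nat is undocumented; a one-line comment above the definition saying that it is only honoured together with PF_OPT_RECURSE (the later hunk tests `wildcard && (opts & PF_OPT_RECURSE)`) and that recursive callers pass the parent rule's `rule.anchor_wildcard` while the top-level callers in main pass 0 would make the contract clear to the next reader.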
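Review bot: in the @@ -1228,14 +1229,65 @@ hunk, `pfctl_print_rule_counters(&rule, opts);` in the new wildcard branch runs before any rule has been fetched, and `rule` is declared in the preceding hunk as a bare `struct pfctl_rule rule;` with no initializer, so it prints whatever happens to be in the counter fields; either drop that call from the ruleset-enumeration branch or zero the struct first. The same branch also leaves with `path[len] = '\0'; return (0);` without freeing `npath` when it came from the `anchorname[0] == '/'` calloc, and it returns 0 after printing "NAT anchor '%s' not found." on EINVAL, so a caller cannot tell a missing anchor from an empty one; consider `if (npath != path) free(npath);` on the way out and a non-zero return for the not-found case.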
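Review bot: in the @@ -1256,35 +1307,25 @@ hunk, `pfctl_clear_pool(&rule.rpool);` is removed and nothing replaces it in either the brace or the non-brace branch, so the address pool attached to every translation rule fetched by pfctl_get_rule is no longer released and each rule printed leaks its pool; restore the call in both branches (after `pfctl_print_rule_counters(&rule, opts);`, and in the anchor branch before `rule` is reused by the recursive call). Separately, the lookups in this function still use `path` (`pfctl_get_rule(dev, nr, ri.ticket, path,` and `pfctl_get_rules_info(dev, &ri, nattype[i], path)` in the previous hunk) while the recursion hands down `npath`; for an absolute anchorname those differ, since `npath` is a fresh buffer holding the anchor and `path` is left untouched, so please confirm `path` is really what is meant there.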
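Review bot: in the @@ -2629,7 +2670,7 @@ hunk (and the identical change at @@ -2601,7 +2642,7 @@) both call sites pass `0` for the new wildcard argument, so at depth 0 the `wildcard && (opts & PF_OPT_RECURSE)` branch can never run and an anchorname given with a trailing `/*` only has that suffix stripped by the strrchr check in pfctl_show_nat; if the intent is that `-r` alone drives top-level recursion through the per-rule anchor_call check, a short comment at the call site would save the next reader the trip into pfctl_show_nat.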