Date: Wed, 16 Apr 2025 13:48:57 GMT
Message-Id: <202504161348.53GDmvjR088126@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 0da181786849 - stable/14 - pfctl: fix recursive printing of NAT rules
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 0da181786849d3af346a3f392e9f28ac6c2ecf96
Auto-Submitted: auto-generated

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0da181786849d3af346a3f392e9f28ac6c2ecf96

commit 0da181786849d3af346a3f392e9f28ac6c2ecf96
Author:     Kristof Provost
AuthorDate: 2025-04-02 16:04:46 +0000
Commit:     Kristof Provost
CommitDate: 2025-04-16 07:34:56 +0000

    pfctl: fix recursive printing of NAT rules

    pfctl_show_nat() is called recursively to print nat anchors. This passes
    the anchor path, but this path was modified by pfctl_show_nat(), leading
    to issues printing the anchors.

    Make a copy of the path ('npath') before we modify it. Ensure we do this
    correctly by sprinkling in 'const', and add a test case to verify that we
    do now print things correctly.

    Reported by:	Thomas Pasqualini
    MFC after:	2 weeks
    Sponsored by:	Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 58164dcb55d62ca73b5e550b8344bf61e2d8a47a)
---
 sbin/pfctl/pfctl.c             | 29 +++++++++++++-------------
 tests/sys/netpfil/pf/anchor.sh | 46 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 14 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 5b5bfc636807..dfc473f21566 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -93,12 +93,12 @@ int pfctl_load_hostid(struct pfctl *, u_int32_t); int pfctl_load_reassembly(struct pfctl *, u_int32_t); int pfctl_load_syncookies(struct pfctl *, u_int8_t); int pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int, - char *); + const char *); void pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int); void pfctl_print_rule_counters(struct pfctl_rule *, int); int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, int, int); int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int, int); -int pfctl_show_nat(int, char *, int, char *, int, int); +int pfctl_show_nat(int, const char *, int, char *, int, int); int pfctl_show_src_nodes(int, int); int pfctl_show_states(int, const char *, int); int pfctl_show_status(int, int); @@ -946,7 +946,7 @@ pfctl_id_kill_states(int dev, const char *iface, int opts) int pfctl_get_pool(int dev, struct pfctl_pool *pool, u_int32_t nr, - u_int32_t ticket, int r_action, char *anchorname) + u_int32_t ticket, int r_action, const char *anchorname) { struct pfioc_pooladdr pp; struct pf_pooladdr *pa; @@ -1398,7 +1398,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, } int -pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth, +pfctl_show_nat(int dev, const char *path, int opts, char *anchorname, int depth, int wildcard) { struct pfctl_rules_info ri; 
@@ -1421,16 +1421,17 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth, p[0] = '\0'; } + if ((npath = calloc(1, MAXPATHLEN)) == NULL) + errx(1, "pfctl_rules: calloc"); + if (anchorname[0] == '/') { - if ((npath = calloc(1, MAXPATHLEN)) == NULL) - errx(1, "pfctl_rules: calloc"); snprintf(npath, MAXPATHLEN, "%s", anchorname); } else { - if (path[0]) - snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); + snprintf(npath, MAXPATHLEN, "%s", path); + if (npath[0]) + snprintf(&npath[len], MAXPATHLEN - len, "/%s", anchorname); else - snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); - npath = path; + snprintf(&npath[len], MAXPATHLEN - len, "%s", anchorname); } /* @@ -1463,12 +1464,12 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth, INDENT(depth, !(opts & PF_OPT_VERBOSE)); printf("}\n"); } - path[len] = '\0'; + npath[len] = '\0'; return (0); } for (i = 0; i < 3; i++) { - ret = pfctl_get_rules_info(dev, &ri, nattype[i], path); + ret = pfctl_get_rules_info(dev, &ri, nattype[i], npath); if (ret != 0) { warn("DIOCGETRULES"); return (-1); @@ -1476,13 +1477,13 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth, for (nr = 0; nr < ri.nr; ++nr) { INDENT(depth, !(opts & PF_OPT_VERBOSE)); - if (pfctl_get_rule(dev, nr, ri.ticket, path, + if (pfctl_get_rule(dev, nr, ri.ticket, npath, nattype[i], &rule, anchor_call)) { warn("DIOCGETRULE"); return (-1); } if (pfctl_get_pool(dev, &rule.rpool, nr, - ri.ticket, nattype[i], path) != 0) + ri.ticket, nattype[i], npath) != 0) return (-1); if (dotitle) { diff --git a/tests/sys/netpfil/pf/anchor.sh b/tests/sys/netpfil/pf/anchor.sh index eba1ee935930..da4ef3970d18 100644 --- a/tests/sys/netpfil/pf/anchor.sh +++ b/tests/sys/netpfil/pf/anchor.sh 
@@ -161,10 +161,56 @@ wildcard_cleanup() pft_cleanup } +atf_test_case "nat" "cleanup" +nat_head() +{ + atf_set descr 'Test nested nat anchors' + atf_set require.user root +} + +nat_body() +{ + pft_init + + epair=$(vnet_mkepair) + vnet_mkjail alcatraz ${epair}a + + ifconfig ${epair}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "nat-anchor \"foo/*\"" \ + "pass" + + echo "nat log on ${epair}a inet from 192.0.2.0/24 to any port = 53 -> 192.0.2.1" \ + | jexec alcatraz pfctl -a "foo/bar" -g -f - + echo "rdr on ${epair}a proto tcp to port echo -> 127.0.0.1 port echo" \ + | jexec alcatraz pfctl -a "foo/baz" -g -f - + + jexec alcatraz pfctl -sn -a "*" + jexec alcatraz pfctl -sn -a "foo/bar" + jexec alcatraz pfctl -sn -a "foo/baz" + + atf_check -s exit:0 -o match:"nat log on epair0a inet from 192.0.2.0/24 to any port = domain -> 192.0.2.1" \ + jexec alcatraz pfctl -sn -a "*" + atf_check -s exit:0 -o match:"rdr on epair0a inet proto tcp from any to any port = echo -> 127.0.0.1 port 7" \ + jexec alcatraz pfctl -sn -a "*" +} + +nat_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "pr183198" atf_add_test_case "pr279225" atf_add_test_case "nested_anchor" atf_add_test_case "wildcard" + atf_add_test_case "nat" }
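Review bot: in the pfctl.c prototype hunk (@@ -93,12 +93,12 @@) `anchorname` in pfctl_show_nat() stays a mutable `char *` while `path` becomes `const char *`, yet every visible use of anchorname in the later hunks is read-only (`anchorname[0] == '/'` and `%s` formatting into npath), so it can take the same `const char *` treatment; the same prototype block still declares pfctl_show_eth_rules() and pfctl_show_rules() with a mutable `char *path`, so it is worth checking whether those recursive printers append to the caller's path buffer the way pfctl_show_nat() did before this change.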
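Review bot: in the @@ -1421,16 +1421,17 @@ hunk npath is now calloc'd on every call to pfctl_show_nat(), but no free(npath) appears before any visible return: not before the `return (0)` that follows `npath[len] = '\0';` in the wildcard block, and not on the `return (-1)` paths after `warn("DIOCGETRULES")`, `warn("DIOCGETRULE")` or the failed pfctl_get_pool() in the following hunks, so every recursion level now leaks MAXPATHLEN bytes where previously only the absolute-anchor branch allocated. Because npath is a private copy, `npath[len] = '\0';` (which replaced `path[len] = '\0';`) no longer restores anything the caller can observe and can simply become `free(npath);`, with the same free added on the error returns; and if the tail of the function (outside the diff) frees npath only when it differs from path, that condition needs revisiting since npath never aliases path any more. Minor: the moved `errx(1, "pfctl_rules: calloc");` names the wrong function and drops errno; `err(1, "calloc")` would be more accurate.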
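Review bot: in the anchor.sh hunk the two atf_check patterns hard-code the interface as `epair0a` while the rules were loaded with `${epair}a`, so the test breaks as soon as vnet_mkepair hands out a different index; interpolate `${epair}a` into the match expression instead. The three bare `jexec alcatraz pfctl -sn ...` calls only print, so the per-anchor views `-a "foo/bar"` and `-a "foo/baz"` are never asserted, and the two assertions on `-a "*"` confirm that the nat and rdr rules appear but not that they are printed under their respective anchors, which is the recursive-printing behaviour this commit fixes; adding a match on the anchor header lines in the `-a "*"` output, or an `-o match:` on each per-anchor listing, would pin the regression.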