git: 7aac81a639b4 - main - pfctl: support recusive printing of tables

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 10 Sep 2025 19:52:24 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=7aac81a639b49849e9ce1f59f538a2f491395037

commit 7aac81a639b49849e9ce1f59f538a2f491395037
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-20 12:41:57 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-10 19:51:39 +0000

    pfctl: support recusive printing of tables
    
    Currently 'pfctl -a "*" -sr' recursively walks anchor tree and shows
    rules found in every anchor. This commit introduces the same behavior
    for tables. Command 'pfctl -a "*" -sT' prints all tables attached to
    every anchor loaded to pf(4).
    
    Inconsistency has been noticed by Klemens (kn@).
    
    OK @bluhm, OK @kn
    
    Obtained from:  OpenBSD, sashan <sashan@openbsd.org>, 3898e3532e
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.c        | 25 ++++++++++++++++++++-----
 sbin/pfctl/pfctl_parser.h |  1 +
 sbin/pfctl/pfctl_table.c  | 18 +++++++++---------
 3 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 36bdd9705830..10a833ea4850 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -137,6 +137,7 @@ int	 pfctl_recurse(int, int, const char *,
 int	 pfctl_call_clearrules(int, int, struct pfr_anchoritem *);
 int	 pfctl_call_cleartables(int, int, struct pfr_anchoritem *);
 int	 pfctl_call_clearanchors(int, int, struct pfr_anchoritem *);
+int	 pfctl_call_showtables(int, int, struct pfr_anchoritem *);
 
 static struct pfctl_anchor_global	 pf_anchors;
 struct pfctl_anchor	 pf_main_anchor;
@@ -3056,6 +3057,13 @@ pfctl_call_clearanchors(int dev, int opts, struct pfr_anchoritem *pfra)
 	return (rv);
 }
 
+int
+pfctl_call_showtables(int dev, int opts, struct pfr_anchoritem *pfra)
+{
+	pfctl_show_tables(pfra->pfra_anchorname, opts);
+	return (0);
+}
+
 int
 pfctl_recurse(int dev, int opts, const char *anchorname,
     int(*walkf)(int, int, struct pfr_anchoritem *))
@@ -3070,11 +3078,13 @@ pfctl_recurse(int dev, int opts, const char *anchorname,
 	 * so that failures on one anchor do not prevent clearing others.
 	 */
 	opts |= PF_OPT_IGNFAIL;
-	printf("Removing:\n");
+	if ((opts & PF_OPT_CALLSHOW) == 0)
+		printf("Removing:\n");
 	SLIST_FOREACH_SAFE(pfra, anchors, pfra_sle, pfra_save) {
-		printf("  %s\n",
-		    (*pfra->pfra_anchorname == '\0') ? "/" :
-		    pfra->pfra_anchorname);
+		if ((opts & PF_OPT_CALLSHOW) == 0)
+			printf("  %s\n",
+			    (*pfra->pfra_anchorname == '\0') ? "/" :
+			    pfra->pfra_anchorname);
 		rv |= walkf(dev, opts, pfra);
 		SLIST_REMOVE(anchors, pfra, pfr_anchoritem, pfra_sle);
 		free(pfra->pfra_anchorname);
@@ -3477,7 +3487,12 @@ main(int argc, char *argv[])
 			pfctl_show_fingerprints(opts);
 			break;
 		case 'T':
-			pfctl_show_tables(anchorname, opts);
+			if (opts & PF_OPT_RECURSE) {
+				opts |= PF_OPT_CALLSHOW;
+				pfctl_recurse(dev, opts, anchorname,
+				    pfctl_call_showtables);
+			} else
+				pfctl_show_tables(anchorname, opts);
 			break;
 		case 'o':
 			pfctl_load_fingerprints(dev, opts);
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 721950967661..58d3abc36691 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -56,6 +56,7 @@
 #define PF_OPT_KILLMATCH	0x08000
 #define PF_OPT_NODNS		0x10000
 #define PF_OPT_IGNFAIL		0x20000
+#define PF_OPT_CALLSHOW		0x40000
 
 #define PF_NAT_PROXY_PORT_LOW	50001
 #define PF_NAT_PROXY_PORT_HIGH	65535
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index f583f5ef8e79..0845f765a063 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -417,21 +417,21 @@ print_table(const struct pfr_table *ta, int verbose, int debug)
 {
 	if (!debug && !(ta->pfrt_flags & PFR_TFLAG_ACTIVE))
 		return;
-	if (verbose) {
-		printf("%c%c%c%c%c%c%c\t%s",
+	if (verbose)
+		printf("%c%c%c%c%c%c%c\t",
 		    (ta->pfrt_flags & PFR_TFLAG_CONST) ? 'c' : '-',
 		    (ta->pfrt_flags & PFR_TFLAG_PERSIST) ? 'p' : '-',
 		    (ta->pfrt_flags & PFR_TFLAG_ACTIVE) ? 'a' : '-',
 		    (ta->pfrt_flags & PFR_TFLAG_INACTIVE) ? 'i' : '-',
 		    (ta->pfrt_flags & PFR_TFLAG_REFERENCED) ? 'r' : '-',
 		    (ta->pfrt_flags & PFR_TFLAG_REFDANCHOR) ? 'h' : '-',
-		    (ta->pfrt_flags & PFR_TFLAG_COUNTERS) ? 'C' : '-',
-		    ta->pfrt_name);
-		if (ta->pfrt_anchor[0])
-			printf("\t%s", ta->pfrt_anchor);
-		puts("");
-	} else
-		puts(ta->pfrt_name);
+		    (ta->pfrt_flags & PFR_TFLAG_COUNTERS) ? 'C' : '-');
+
+	printf("%s", ta->pfrt_name);
+	if (ta->pfrt_anchor[0] != '\0')
+		printf("@%s", ta->pfrt_anchor);
+
+	printf("\n");
 }
 
 int