npfctl:
- Fix the filter criteria when to/from is omitted but a port is used. - Print a more user-friendly error if an NPF table has a duplicate entry.
parent
94da9a216b
commit
3250dbf286
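--- a/npf_build.c
+++ b/npf_build.c
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $ */
+/* $NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $ */
 
 /*-
 * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
 */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -91,6 +91,10 @@ npfctl_config_send(int fd, const char *out)
 }
 npf_rule_insert(npf_conf, NULL, defgroup);
 error = npf_config_submit(npf_conf, fd);
+if (error == EEXIST) { /* XXX */
+errx(EXIT_FAILURE, "(re)load failed: "
+"some table has a duplicate entry?");
+}
 if (error) {
 nl_error_t ne;
 _npf_config_error(npf_conf, &ne);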
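Review bot: The new EEXIST branch exits before the existing `_npf_config_error` path can report what actually failed, and the `/* XXX */` together with the question mark in the message concede that the duplicate-table-entry explanation is a guess, so any other EEXIST coming back from npf_config_submit would be reported with the same possibly misleading text. It would be safer to fall through to the generic `if (error)` block, obtain the `nl_error_t` first, and only add the duplicate-entry hint when that error carries no more specific information; at minimum the `/* XXX */` should become a comment stating the assumption, e.g. `/* EEXIST is assumed to come only from a duplicate table entry, for which no per-rule error is reported; verify against the kernel side */`. npfctl_config_send starts before this hunk and continues after it.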
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $ */
|
/* $NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2013 The NetBSD Foundation, Inc.
|
* Copyright (c) 2013 The NetBSD Foundation, Inc.
|
||||||
@ -36,7 +36,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $");
|
__RCSID("$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $");
|
||||||
|
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
@ -53,13 +53,22 @@ __RCSID("$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $");
|
|||||||
|
|
||||||
#include "npfctl.h"
|
#include "npfctl.h"
|
||||||
|
|
||||||
|
#define SEEN_SRC 0x01
|
||||||
|
#define SEEN_DST 0x02
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
nl_config_t * conf;
|
nl_config_t * conf;
|
||||||
FILE * fp;
|
FILE * fp;
|
||||||
long fpos;
|
long fpos;
|
||||||
|
u_int flags;
|
||||||
|
uint32_t curmark;
|
||||||
} npf_conf_info_t;
|
} npf_conf_info_t;
|
||||||
|
|
||||||
static npf_conf_info_t stdout_ctx = { .fp = stdout, .fpos = 0 };
|
static npf_conf_info_t stdout_ctx = {
|
||||||
|
.fp = stdout,
|
||||||
|
.fpos = 0,
|
||||||
|
.flags = 0
|
||||||
|
};
|
||||||
|
|
||||||
static void print_indent(npf_conf_info_t *, u_int);
|
static void print_indent(npf_conf_info_t *, u_int);
|
||||||
static void print_linesep(npf_conf_info_t *);
|
static void print_linesep(npf_conf_info_t *);
|
||||||
@ -201,12 +210,18 @@ static char *
|
|||||||
print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
|
print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
|
||||||
{
|
{
|
||||||
u_int fport = words[0], tport = words[1];
|
u_int fport = words[0], tport = words[1];
|
||||||
|
const char *any_str = "";
|
||||||
char *p;
|
char *p;
|
||||||
|
|
||||||
|
if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0)
|
||||||
|
any_str = "to any ";
|
||||||
|
if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0)
|
||||||
|
any_str = "from any ";
|
||||||
|
|
||||||
if (fport != tport) {
|
if (fport != tport) {
|
||||||
easprintf(&p, "%u:%u", fport, tport);
|
easprintf(&p, "%s%u:%u", any_str, fport, tport);
|
||||||
} else {
|
} else {
|
||||||
easprintf(&p, "%u", fport);
|
easprintf(&p, "%s%u", any_str, fport);
|
||||||
}
|
}
|
||||||
return p;
|
return p;
|
||||||
}
|
}
|
||||||
@ -244,22 +259,23 @@ static const struct mark_keyword_mapent {
|
|||||||
u_int mark;
|
u_int mark;
|
||||||
const char * token;
|
const char * token;
|
||||||
const char * sep;
|
const char * sep;
|
||||||
|
u_int set_flags;
|
||||||
char * (*printfn)(npf_conf_info_t *, const uint32_t *);
|
char * (*printfn)(npf_conf_info_t *, const uint32_t *);
|
||||||
u_int fwords;
|
u_int fwords;
|
||||||
} mark_keyword_map[] = {
|
} mark_keyword_map[] = {
|
||||||
{ BM_IPVER, "family %s", NULL, print_family, 1 },
|
{ BM_IPVER, "family %s", NULL, 0, print_family, 1 },
|
||||||
{ BM_PROTO, "proto %s", ", ", print_proto, 1 },
|
{ BM_PROTO, "proto %s", ", ", 0, print_proto, 1 },
|
||||||
{ BM_TCPFL, "flags %s", NULL, print_tcpflags, 2 },
|
{ BM_TCPFL, "flags %s", NULL, 0, print_tcpflags, 2 },
|
||||||
{ BM_ICMP_TYPE, "icmp-type %s", NULL, print_number, 1 },
|
{ BM_ICMP_TYPE, "icmp-type %s", NULL, 0, print_number, 1 },
|
||||||
{ BM_ICMP_CODE, "code %s", NULL, print_number, 1 },
|
{ BM_ICMP_CODE, "code %s", NULL, 0, print_number, 1 },
|
||||||
|
|
||||||
{ BM_SRC_CIDR, "from %s", ", ", print_address, 6 },
|
{ BM_SRC_CIDR, "from %s", ", ", SEEN_SRC, print_address, 6 },
|
||||||
{ BM_SRC_TABLE, "from <%s>", NULL, print_table, 1 },
|
{ BM_SRC_TABLE, "from <%s>", NULL, SEEN_SRC, print_table, 1 },
|
||||||
{ BM_SRC_PORTS, "port %s", ", ", print_portrange,2 },
|
{ BM_SRC_PORTS, "port %s", ", ", 0, print_portrange,2 },
|
||||||
|
|
||||||
{ BM_DST_CIDR, "to %s", ", ", print_address, 6 },
|
{ BM_DST_CIDR, "to %s", ", ", SEEN_DST, print_address, 6 },
|
||||||
{ BM_DST_TABLE, "to <%s>", NULL, print_table, 1 },
|
{ BM_DST_TABLE, "to <%s>", NULL, SEEN_DST, print_table, 1 },
|
||||||
{ BM_DST_PORTS, "port %s", ", ", print_portrange,2 },
|
{ BM_DST_PORTS, "port %s", ", ", 0, print_portrange,2 },
|
||||||
};
|
};
|
||||||
|
|
||||||
static const char * __attribute__((format_arg(2)))
|
static const char * __attribute__((format_arg(2)))
|
||||||
@ -285,6 +301,10 @@ scan_marks(npf_conf_info_t *ctx, const struct mark_keyword_mapent *mk,
|
|||||||
errx(EXIT_FAILURE, "byte-code marking inconsistency");
|
errx(EXIT_FAILURE, "byte-code marking inconsistency");
|
||||||
}
|
}
|
||||||
if (m == mk->mark) {
|
if (m == mk->mark) {
|
||||||
|
/* Set the current mark and the flags. */
|
||||||
|
ctx->flags |= mk->set_flags;
|
||||||
|
ctx->curmark = m;
|
||||||
|
|
||||||
/* Value is processed by the print function. */
|
/* Value is processed by the print function. */
|
||||||
assert(mk->fwords == nwords);
|
assert(mk->fwords == nwords);
|
||||||
vals[nvals++] = mk->printfn(ctx, marks);
|
vals[nvals++] = mk->printfn(ctx, marks);
|
||||||
|
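Review bot: The `any_str` prefixes in print_portrange look swapped relative to the token table in the same file: BM_SRC_CIDR prints as `from %s` and BM_DST_CIDR as `to %s`, yet an unseen source address yields `to any ` and an unseen destination yields `from any `, so a rule with a source port but no source address would be shown as `to any port N`. Unless the reversal is deliberate, the two assignments should read `any_str = "from any ";` under the BM_SRC_PORTS check and `any_str = "to any ";` under the BM_DST_PORTS check. Separately, scan_marks only ever ORs into ctx->flags and the shared static stdout_ctx is the only context visible here; if nothing outside these hunks clears the SEEN_* bits before each rule is printed, a `from` in one rule would suppress the `from any` prefix for every later rule, and the printed configuration would no longer reload as the same filter. A short comment on the new defines would also help, e.g. `/* set by scan_marks() once a from/to address or table has been printed for the current rule */`. print_portrange lies entirely within its hunk; scan_marks begins before the last hunk and continues after it.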