- Fix the filter criteria when to/from is omitted but a port is used.
- Print more user-friendly error if an NPF table has a duplicate entry.
rmind 2015-03-21 00:49:07 +00:00
parent 94da9a216b
commit 3250dbf286
2 changed files with 42 additions and 18 deletions


@ -1,4 +1,4 @@
/* $NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $ */ /* $NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $ */
/*- /*-
* Copyright (c) 2011-2014 The NetBSD Foundation, Inc. * Copyright (c) 2011-2014 The NetBSD Foundation, Inc.
@ -34,7 +34,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__RCSID("$NetBSD: npf_build.c,v 1.38 2014/05/31 22:41:37 rmind Exp $"); __RCSID("$NetBSD: npf_build.c,v 1.39 2015/03/21 00:49:07 rmind Exp $");
#include <sys/types.h> #include <sys/types.h>
#include <sys/mman.h> #include <sys/mman.h>
@ -91,6 +91,10 @@ npfctl_config_send(int fd, const char *out)
} }
npf_rule_insert(npf_conf, NULL, defgroup); npf_rule_insert(npf_conf, NULL, defgroup);
error = npf_config_submit(npf_conf, fd); error = npf_config_submit(npf_conf, fd);
if (error == EEXIST) { /* XXX */
errx(EXIT_FAILURE, "(re)load failed: "
"some table has a duplicate entry?");
}
if (error) { if (error) {
nl_error_t ne; nl_error_t ne;
_npf_config_error(npf_conf, &ne); _npf_config_error(npf_conf, &ne);
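Review bot: The new EEXIST branch at the top of the hunk exits before the existing `if (error)` path reaches `_npf_config_error(npf_conf, &ne)`, so for that error code the nl_error_t detail is never collected and any other cause of EEXIST from npf_config_submit() is reported as a duplicate table entry; the `/* XXX */` and the trailing "?" in the message suggest the mapping is a guess. Consider folding the hint into the `if (error)` branch after `_npf_config_error()` so the detail is still printed, and replacing the bare `/* XXX */` with a comment that states the assumption, e.g. `/* XXX: assumes EEXIST from the kernel means a duplicate table entry */`. npfctl_config_send() starts and ends outside this hunk.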


@ -1,4 +1,4 @@
/* $NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $ */ /* $NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $ */
/*- /*-
* Copyright (c) 2013 The NetBSD Foundation, Inc. * Copyright (c) 2013 The NetBSD Foundation, Inc.
@ -36,7 +36,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__RCSID("$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $"); __RCSID("$NetBSD: npf_show.c,v 1.18 2015/03/21 00:49:07 rmind Exp $");
#include <sys/socket.h> #include <sys/socket.h>
#include <netinet/in.h> #include <netinet/in.h>
@ -53,13 +53,22 @@ __RCSID("$NetBSD: npf_show.c,v 1.17 2015/02/02 19:08:32 rmind Exp $");
#include "npfctl.h" #include "npfctl.h"
#define SEEN_SRC 0x01
#define SEEN_DST 0x02
typedef struct { typedef struct {
nl_config_t * conf; nl_config_t * conf;
FILE * fp; FILE * fp;
long fpos; long fpos;
u_int flags;
uint32_t curmark;
} npf_conf_info_t; } npf_conf_info_t;
static npf_conf_info_t stdout_ctx = { .fp = stdout, .fpos = 0 }; static npf_conf_info_t stdout_ctx = {
.fp = stdout,
.fpos = 0,
.flags = 0
};
static void print_indent(npf_conf_info_t *, u_int); static void print_indent(npf_conf_info_t *, u_int);
static void print_linesep(npf_conf_info_t *); static void print_linesep(npf_conf_info_t *);
@ -201,12 +210,18 @@ static char *
print_portrange(npf_conf_info_t *ctx, const uint32_t *words) print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
{ {
u_int fport = words[0], tport = words[1]; u_int fport = words[0], tport = words[1];
const char *any_str = "";
char *p; char *p;
if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0)
any_str = "to any ";
if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0)
any_str = "from any ";
if (fport != tport) { if (fport != tport) {
easprintf(&p, "%u:%u", fport, tport); easprintf(&p, "%s%u:%u", any_str, fport, tport);
} else { } else {
easprintf(&p, "%u", fport); easprintf(&p, "%s%u", any_str, fport);
} }
return p; return p;
} }
@ -244,22 +259,23 @@ static const struct mark_keyword_mapent {
u_int mark; u_int mark;
const char * token; const char * token;
const char * sep; const char * sep;
u_int set_flags;
char * (*printfn)(npf_conf_info_t *, const uint32_t *); char * (*printfn)(npf_conf_info_t *, const uint32_t *);
u_int fwords; u_int fwords;
} mark_keyword_map[] = { } mark_keyword_map[] = {
{ BM_IPVER, "family %s", NULL, print_family, 1 }, { BM_IPVER, "family %s", NULL, 0, print_family, 1 },
{ BM_PROTO, "proto %s", ", ", print_proto, 1 }, { BM_PROTO, "proto %s", ", ", 0, print_proto, 1 },
{ BM_TCPFL, "flags %s", NULL, print_tcpflags, 2 }, { BM_TCPFL, "flags %s", NULL, 0, print_tcpflags, 2 },
{ BM_ICMP_TYPE, "icmp-type %s", NULL, print_number, 1 }, { BM_ICMP_TYPE, "icmp-type %s", NULL, 0, print_number, 1 },
{ BM_ICMP_CODE, "code %s", NULL, print_number, 1 }, { BM_ICMP_CODE, "code %s", NULL, 0, print_number, 1 },
{ BM_SRC_CIDR, "from %s", ", ", print_address, 6 }, { BM_SRC_CIDR, "from %s", ", ", SEEN_SRC, print_address, 6 },
{ BM_SRC_TABLE, "from <%s>", NULL, print_table, 1 }, { BM_SRC_TABLE, "from <%s>", NULL, SEEN_SRC, print_table, 1 },
{ BM_SRC_PORTS, "port %s", ", ", print_portrange,2 }, { BM_SRC_PORTS, "port %s", ", ", 0, print_portrange,2 },
{ BM_DST_CIDR, "to %s", ", ", print_address, 6 }, { BM_DST_CIDR, "to %s", ", ", SEEN_DST, print_address, 6 },
{ BM_DST_TABLE, "to <%s>", NULL, print_table, 1 }, { BM_DST_TABLE, "to <%s>", NULL, SEEN_DST, print_table, 1 },
{ BM_DST_PORTS, "port %s", ", ", print_portrange,2 }, { BM_DST_PORTS, "port %s", ", ", 0, print_portrange,2 },
}; };
static const char * __attribute__((format_arg(2))) static const char * __attribute__((format_arg(2)))
@ -285,6 +301,10 @@ scan_marks(npf_conf_info_t *ctx, const struct mark_keyword_mapent *mk,
errx(EXIT_FAILURE, "byte-code marking inconsistency"); errx(EXIT_FAILURE, "byte-code marking inconsistency");
} }
if (m == mk->mark) { if (m == mk->mark) {
/* Set the current mark and the flags. */
ctx->flags |= mk->set_flags;
ctx->curmark = m;
/* Value is processed by the print function. */ /* Value is processed by the print function. */
assert(mk->fwords == nwords); assert(mk->fwords == nwords);
vals[nvals++] = mk->printfn(ctx, marks); vals[nvals++] = mk->printfn(ctx, marks);
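Review bot: In print_portrange the "any" prefixes look swapped: SEEN_SRC is set by the `from` entries of mark_keyword_map (BM_SRC_CIDR, BM_SRC_TABLE), so a BM_SRC_PORTS mark with no source address seen is a source-side filter and should print as `from any port N`, yet the hunk assigns `any_str = "to any ";` for that case and `"from any "` for BM_DST_PORTS. Swap the two literals: `any_str = "from any ";` under the BM_SRC_PORTS test and `any_str = "to any ";` under the BM_DST_PORTS test. Separately, nothing in these hunks clears ctx->flags between rules and stdout_ctx is a single static context, so unless a reset happens outside the hunks a `from` in one rule would suppress the `any` prefix in every later rule; a comment on the field, e.g. `u_int flags; /* SEEN_* bits; must be cleared before each rule */`, would pin the intended lifetime. The `.flags = 0` in the stdout_ctx initializer is redundant for a static object but harmless. scan_marks() starts outside the last hunk.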