npfctl(8): report dynamic rule ID in a comment, print the case when libpcap

is used correctly.  Also, add npf_ruleset_dump() helper in the kernel.

sys/net/npf/npf_impl.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.61 2015/02/02 00:31:39 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -344,6 +344,7 @@ prop_array_t	npf_alg_export(void);
 const char *	npf_addr_dump(const npf_addr_t *, int);
 void		npf_state_dump(const npf_state_t *);
 void		npf_nat_dump(const npf_nat_t *);
+void		npf_ruleset_dump(const char *);
 void		npf_state_setsampler(void (*)(npf_state_t *, bool));
 
 #endif	/* _NPF_IMPL_H_ */

sys/net/npf/npf_ruleset.c

@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -936,3 +936,25 @@ npf_rule_conclude(const npf_rule_t *rl, int *retfl)
 	*retfl = rl->r_attr;
 	return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
 }
+
+
+#if defined(DDB) || defined(_NPF_TESTING)
+
+void
+npf_ruleset_dump(const char *name)
+{
+	npf_ruleset_t *rlset = npf_config_ruleset();
+	npf_rule_t *rg, *rl;
+
+	LIST_FOREACH(rg, &rlset->rs_dynamic, r_dentry) {
+		printf("ruleset '%s':\n", rg->r_name);
+		TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
+			printf("\tid %"PRIu64", key: ", rl->r_id);
+			for (u_int i = 0; i < NPF_RULE_MAXKEYLEN; i++)
+				printf("%x", rl->r_key[i]);
+			printf("\n");
+		}
+	}
+}
+
+#endif

usr.sbin/npf/npfctl/npf_show.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $");
 
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -316,10 +316,25 @@ static void
 npfctl_print_filter(npf_conf_info_t *ctx, nl_rule_t *rl)
 {
 	const void *marks;
-	size_t mlen;
+	size_t mlen, len;
+	const void *code;
+	int type;
 
-	/* BPF filter criteria described by the byte-code marks. */
 	marks = npf_rule_getinfo(rl, &mlen);
+	if (!marks && (code = npf_rule_getcode(rl, &type, &len)) != NULL) {
+		/*
+		 * No marks, but the byte-code is present.  This must
+		 * have been filled by libpcap(3) or possibly an unknown
+		 * to us byte-code.
+		 */
+		fprintf(ctx->fp, "%s ", type == NPF_CODE_BPF ?
+		    "pcap-filter \"...\"" : "unrecognized-bytecode");
+		return;
+	}
+
+	/*
+	 * BPF filter criteria described by the byte-code marks.
+	 */
 	for (u_int i = 0; i < __arraycount(mark_keyword_map); i++) {
 		const struct mark_keyword_mapent *mk = &mark_keyword_map[i];
 		char *val;
@@ -356,7 +371,7 @@ npfctl_print_rule(npf_conf_info_t *ctx, nl_rule_t *rl)
 		fprintf(ctx->fp, "on %s ", ifname);
 	}
 
-	if ((attr & (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)) == NPF_RULE_GROUP) {
+	if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP) {
 		/* Group; done. */
 		fputs("\n", ctx->fp);
 		return;
@@ -367,8 +382,15 @@ npfctl_print_rule(npf_conf_info_t *ctx, nl_rule_t *rl)
 
 	/* Rule procedure. */
 	if ((rproc = npf_rule_getproc(rl)) != NULL) {
-		fprintf(ctx->fp, "apply \"%s\"", rproc);
+		fprintf(ctx->fp, "apply \"%s\" ", rproc);
 	}
+
+	/* If dynamic rule - print its ID. */
+	if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC) {
+		uint64_t id = npf_rule_getid(rl);
+		fprintf(ctx->fp, "# id = \"%" PRIu64 "\" ", id);
+	}
+
 	fputs("\n", ctx->fp);
 }