diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -333,14 +333,12 @@
void expand_label_str(char *, size_t, const char *, const char *);
void expand_label_if(const char *, char *, size_t, const char *);
void expand_label_addr(const char *, char *, size_t, u_int8_t,
- struct node_host *);
+ struct pf_rule_addr *);
void expand_label_port(const char *, char *, size_t,
- struct node_port *);
+ struct pf_rule_addr *);
void expand_label_proto(const char *, char *, size_t, u_int8_t);
-void expand_label_nr(const char *, char *, size_t);
-void expand_label(char *, size_t, const char *, u_int8_t,
- struct node_host *, struct node_port *, struct node_host *,
- struct node_port *, u_int8_t);
+void expand_label_nr(const char *, char *, size_t,
+ struct pfctl_rule *);
void expand_rule(struct pfctl_rule *, struct node_if *,
struct node_host *, struct node_proto *, struct node_os *,
struct node_host *, struct node_port *, struct node_host *,
@@ -5022,17 +5020,17 @@
void
expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
- struct node_host *h)
+ struct pf_rule_addr *addr)
{
char tmp[64], tmp_not[66];
if (strstr(label, name) != NULL) {
- switch (h->addr.type) {
+ switch (addr->addr.type) {
case PF_ADDR_DYNIFTL:
- snprintf(tmp, sizeof(tmp), "(%s)", h->addr.v.ifname);
+ snprintf(tmp, sizeof(tmp), "(%s)", addr->addr.v.ifname);
break;
case PF_ADDR_TABLE:
- snprintf(tmp, sizeof(tmp), "<%s>", h->addr.v.tblname);
+ snprintf(tmp, sizeof(tmp), "<%s>", addr->addr.v.tblname);
break;
case PF_ADDR_NOROUTE:
snprintf(tmp, sizeof(tmp), "no-route");
@@ -5041,18 +5039,18 @@
snprintf(tmp, sizeof(tmp), "urpf-failed");
break;
case PF_ADDR_ADDRMASK:
- if (!af || (PF_AZERO(&h->addr.v.a.addr, af) &&
- PF_AZERO(&h->addr.v.a.mask, af)))
+ if (!af || (PF_AZERO(&addr->addr.v.a.addr, af) &&
+ PF_AZERO(&addr->addr.v.a.mask, af)))
snprintf(tmp, sizeof(tmp), "any");
else {
char a[48];
int bits;
- if (inet_ntop(af, &h->addr.v.a.addr, a,
+ if (inet_ntop(af, &addr->addr.v.a.addr, a,
sizeof(a)) == NULL)
snprintf(tmp, sizeof(tmp), "?");
else {
- bits = unmask(&h->addr.v.a.mask, af);
+ bits = unmask(&addr->addr.v.a.mask, af);
if ((af == AF_INET && bits < 32) ||
(af == AF_INET6 && bits < 128))
snprintf(tmp, sizeof(tmp),
@@ -5068,7 +5066,7 @@
break;
}
- if (h->not) {
+ if (addr->neg) {
snprintf(tmp_not, sizeof(tmp_not), "! %s", tmp);
expand_label_str(label, len, name, tmp_not);
} else
@@ -5078,30 +5076,30 @@
void
expand_label_port(const char *name, char *label, size_t len,
- struct node_port *port)
+ struct pf_rule_addr *addr)
{
char a1[6], a2[6], op[13] = "";
if (strstr(label, name) != NULL) {
- snprintf(a1, sizeof(a1), "%u", ntohs(port->port[0]));
- snprintf(a2, sizeof(a2), "%u", ntohs(port->port[1]));
- if (!port->op)
+ snprintf(a1, sizeof(a1), "%u", ntohs(addr->port[0]));
+ snprintf(a2, sizeof(a2), "%u", ntohs(addr->port[1]));
+ if (!addr->port_op)
;
- else if (port->op == PF_OP_IRG)
+ else if (addr->port_op == PF_OP_IRG)
snprintf(op, sizeof(op), "%s><%s", a1, a2);
- else if (port->op == PF_OP_XRG)
+ else if (addr->port_op == PF_OP_XRG)
snprintf(op, sizeof(op), "%s<>%s", a1, a2);
- else if (port->op == PF_OP_EQ)
+ else if (addr->port_op == PF_OP_EQ)
snprintf(op, sizeof(op), "%s", a1);
- else if (port->op == PF_OP_NE)
+ else if (addr->port_op == PF_OP_NE)
snprintf(op, sizeof(op), "!=%s", a1);
- else if (port->op == PF_OP_LT)
+ else if (addr->port_op == PF_OP_LT)
snprintf(op, sizeof(op), "<%s", a1);
- else if (port->op == PF_OP_LE)
+ else if (addr->port_op == PF_OP_LE)
snprintf(op, sizeof(op), "<=%s", a1);
- else if (port->op == PF_OP_GT)
+ else if (addr->port_op == PF_OP_GT)
snprintf(op, sizeof(op), ">%s", a1);
- else if (port->op == PF_OP_GE)
+ else if (addr->port_op == PF_OP_GE)
snprintf(op, sizeof(op), ">=%s", a1);
expand_label_str(label, len, name, op);
}
@@ -5125,29 +5123,27 @@
}
void
-expand_label_nr(const char *name, char *label, size_t len)
+expand_label_nr(const char *name, char *label, size_t len,
+ struct pfctl_rule *r)
{
char n[11];
if (strstr(label, name) != NULL) {
- snprintf(n, sizeof(n), "%u", pf->anchor->match);
+ snprintf(n, sizeof(n), "%u", r->nr);
expand_label_str(label, len, name, n);
}
}
void
-expand_label(char *label, size_t len, const char *ifname, sa_family_t af,
- struct node_host *src_host, struct node_port *src_port,
- struct node_host *dst_host, struct node_port *dst_port,
- u_int8_t proto)
+expand_label(char *label, size_t len, struct pfctl_rule *r)
{
- expand_label_if("$if", label, len, ifname);
- expand_label_addr("$srcaddr", label, len, af, src_host);
- expand_label_addr("$dstaddr", label, len, af, dst_host);
- expand_label_port("$srcport", label, len, src_port);
- expand_label_port("$dstport", label, len, dst_port);
- expand_label_proto("$proto", label, len, proto);
- expand_label_nr("$nr", label, len);
+ expand_label_if("$if", label, len, r->ifname);
+ expand_label_addr("$srcaddr", label, len, r->af, &r->src);
+ expand_label_addr("$dstaddr", label, len, r->af, &r->dst);
+ expand_label_port("$srcport", label, len, &r->src);
+ expand_label_port("$dstport", label, len, &r->dst);
+ expand_label_proto("$proto", label, len, r->proto);
+ expand_label_nr("$nr", label, len, r);
}
int
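Review bot: The meaning of `$nr` changes silently in expand_label_nr: the old body printed `pf->anchor->match`, the parse-time anchor match counter, while the new body prints `r->nr`, so the expansion is only correct if the rule's number is already final when expand_label runs, and nothing in the diff states that precondition. Since expand_label is now exported through pfctl.h and called from pfctl.c, I would document it at the definition, e.g. `/* Expand $if/$srcaddr/$dstaddr/$srcport/$dstport/$proto/$nr in label in place from r's own fields; call only once r->nr is final, i.e. after rule optimisation. */`, and mirror a short form of that on the new prototype in pfctl.h. `char n[11]` still fits a 32-bit value printed with %u, assuming r->nr is a 32-bit unsigned, which the hunk does not show.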
@@ -5481,15 +5477,6 @@
if (strlcpy(r->match_tagname, match_tagname,
sizeof(r->match_tagname)) >= sizeof(r->match_tagname))
errx(1, "expand_rule: strlcpy");
- for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
- expand_label(r->label[i], PF_RULE_LABEL_SIZE,
- r->ifname, r->af, src_host, src_port, dst_host,
- dst_port, proto->proto);
- expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af,
- src_host, src_port, dst_host, dst_port, proto->proto);
- expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname,
- r->af, src_host, src_port, dst_host, dst_port,
- proto->proto);
error += check_netmask(src_host, r->af);
error += check_netmask(dst_host, r->af);
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
@@ -138,6 +138,8 @@
struct pfctl_ruleset *pf_find_ruleset(const char *);
struct pfctl_ruleset *pf_find_or_create_ruleset(const char *);
+void expand_label(char *, size_t, struct pfctl_rule *);
+
const char *pfctl_proto2name(int);
#endif /* _PFCTL_H_ */
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1528,6 +1528,12 @@
while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
+
+ for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
+ expand_label(r->label[i], PF_RULE_LABEL_SIZE, r);
+ expand_label(r->tagname, PF_TAG_NAME_SIZE, r);
+ expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r);
+
if ((error = pfctl_load_rule(pf, path, r, depth)))
goto error;
if (r->anchor) {
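Review bot: The new expand_label calls sit immediately before pfctl_load_rule, so any consumer that reads r->label, r->tagname or r->match_tagname earlier than this loop — rule printing in verbose or no-action runs, if that happens before pfctl_load_ruleset — would now see the unexpanded `$srcaddr`-style macros; worth confirming that is intended, since the removed expand_rule code expanded them at parse time. The calls also rely on r->nr already being assigned at this point, which is not visible in the hunk. A one-line comment would make the ordering constraint explicit: `/* Expand label macros here, after optimisation has fixed r->nr and r->src/r->dst. */`. The enclosing function starts and ends outside the hunk.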
D32488: pfctl: delay label macro expansion until after rule optimisation