[src/trunk]: src npfctl(8): report dynamic rule ID in a comment, print the ca...
details: https://anonhg.NetBSD.org/src/rev/55a536afb5e3
branches: trunk
changeset: 806096:55a536afb5e3
user: rmind <rmind%NetBSD.org@localhost>
date: Mon Feb 02 00:31:39 2015 +0000
description:
npfctl(8): report the dynamic rule ID in a comment, and correctly print the
case when libpcap is used. Also, add npf_ruleset_dump() helper in the kernel.
diffstat:
sys/net/npf/npf_impl.h | 3 ++-
sys/net/npf/npf_ruleset.c | 28 +++++++++++++++++++++++++---
usr.sbin/npf/npfctl/npf_show.c | 34 ++++++++++++++++++++++++++++------
3 files changed, 55 insertions(+), 10 deletions(-)
diffs (137 lines):
diff -r 4c05acac41a7 -r 55a536afb5e3 sys/net/npf/npf_impl.h
--- a/sys/net/npf/npf_impl.h Sun Feb 01 22:57:21 2015 +0000
+++ b/sys/net/npf/npf_impl.h Mon Feb 02 00:31:39 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.61 2015/02/02 00:31:39 rmind Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -344,6 +344,7 @@
const char * npf_addr_dump(const npf_addr_t *, int);
void npf_state_dump(const npf_state_t *);
void npf_nat_dump(const npf_nat_t *);
+void npf_ruleset_dump(const char *);
void npf_state_setsampler(void (*)(npf_state_t *, bool));
#endif /* _NPF_IMPL_H_ */
diff -r 4c05acac41a7 -r 55a536afb5e3 sys/net/npf/npf_ruleset.c
--- a/sys/net/npf/npf_ruleset.c Sun Feb 01 22:57:21 2015 +0000
+++ b/sys/net/npf/npf_ruleset.c Mon Feb 02 00:31:39 2015 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $ */
/*-
- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This material is based upon work partially supported by The
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -936,3 +936,25 @@
*retfl = rl->r_attr;
return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
}
+
+
+#if defined(DDB) || defined(_NPF_TESTING)
+
+void
+npf_ruleset_dump(const char *name)
+{
+ npf_ruleset_t *rlset = npf_config_ruleset();
+ npf_rule_t *rg, *rl;
+
+ LIST_FOREACH(rg, &rlset->rs_dynamic, r_dentry) {
+ printf("ruleset '%s':\n", rg->r_name);
+ TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
+ printf("\tid %"PRIu64", key: ", rl->r_id);
+ for (u_int i = 0; i < NPF_RULE_MAXKEYLEN; i++)
+ printf("%x", rl->r_key[i]);
+ printf("\n");
+ }
+ }
+}
+
+#endif
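Review bot: The `name` parameter of npf_ruleset_dump() is never read in the body, so every group on `rs_dynamic` is printed whatever the caller passes. Either skip non-matching groups with `if (strcmp(rg->r_name, name) != 0) continue;` or drop the parameter from the definition and from the prototype added in npf_impl.h. The key bytes are printed with `printf("%x", rl->r_key[i]);`, which emits one digit for values below 0x10, so two different keys can produce the same string; `printf("%02x", rl->r_key[i]);` keeps the dump unambiguous. The function has no header comment; one line stating that it is a DDB/test-only helper, and that no lock is taken in the visible lines while the lists are walked, would help the next reader.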
diff -r 4c05acac41a7 -r 55a536afb5e3 usr.sbin/npf/npfctl/npf_show.c
--- a/usr.sbin/npf/npfctl/npf_show.c Sun Feb 01 22:57:21 2015 +0000
+++ b/usr.sbin/npf/npfctl/npf_show.c Mon Feb 02 00:31:39 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $ */
+/* $NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $ */
/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $");
#include <sys/socket.h>
#include <netinet/in.h>
@@ -316,10 +316,25 @@
npfctl_print_filter(npf_conf_info_t *ctx, nl_rule_t *rl)
{
const void *marks;
- size_t mlen;
+ size_t mlen, len;
+ const void *code;
+ int type;
- /* BPF filter criteria described by the byte-code marks. */
marks = npf_rule_getinfo(rl, &mlen);
+ if (!marks && (code = npf_rule_getcode(rl, &type, &len)) != NULL) {
+ /*
+ * No marks, but the byte-code is present. This must
+ * have been filled by libpcap(3) or possibly an unknown
+ * to us byte-code.
+ */
+ fprintf(ctx->fp, "%s ", type == NPF_CODE_BPF ?
+ "pcap-filter \"...\"" : "unrecognized-bytecode");
+ return;
+ }
+
+ /*
+ * BPF filter criteria described by the byte-code marks.
+ */
for (u_int i = 0; i < __arraycount(mark_keyword_map); i++) {
const struct mark_keyword_mapent *mk = &mark_keyword_map[i];
char *val;
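Review bot: In the new early-return branch a rule whose byte-code carries no marks is printed as `pcap-filter "..."` or `unrecognized-bytecode`, so the listing no longer shows what the rule actually matches. Someone auditing the active ruleset from this output would, presumably, have to go back to the original configuration. The block comment should say so, for example `/* The original filter expression cannot be recovered from the byte-code; print a placeholder only. */`. `len` is passed to npf_rule_getcode() but never read in the visible lines, which is worth a short remark or a `(void)len;`. The body of npfctl_print_filter() continues past the end of this hunk.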
@@ -356,7 +371,7 @@
fprintf(ctx->fp, "on %s ", ifname);
}
- if ((attr & (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)) == NPF_RULE_GROUP) {
+ if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP) {
/* Group; done. */
fputs("\n", ctx->fp);
return;
@@ -367,8 +382,15 @@
/* Rule procedure. */
if ((rproc = npf_rule_getproc(rl)) != NULL) {
- fprintf(ctx->fp, "apply \"%s\"", rproc);
+ fprintf(ctx->fp, "apply \"%s\" ", rproc);
}
+
+ /* If dynamic rule - print its ID. */
+ if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC) {
+ uint64_t id = npf_rule_getid(rl);
+ fprintf(ctx->fp, "# id = \"%" PRIu64 "\" ", id);
+ }
+
fputs("\n", ctx->fp);
}
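Review bot: With the space added to `"apply \"%s\" "` and the one after the id, a line now ends in a blank before the `\n` whenever either of them is the last item printed. Emitting the separator ahead of the id instead, `fprintf(ctx->fp, " # id = \"%" PRIu64 "\"", id);`, and leaving the `apply` format as it was avoids that. The comment `/* If dynamic rule - print its ID. */` could also say why the ID goes behind `#`; going by the commit description this is deliberate, so something like `/* Dynamic rule: print its ID as a trailing '#' comment. */` would record it. The enclosing function starts before this hunk.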