Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y85
-rw-r--r--sbin/pfctl/pfctl.c6
-rw-r--r--sbin/pfctl/pfctl.h2
3 files changed, 44 insertions, 49 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 4be7bd16649a..e22e60182c73 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -333,14 +333,12 @@ int process_tabledef(char *, struct table_opts *);
void expand_label_str(char *, size_t, const char *, const char *);
void expand_label_if(const char *, char *, size_t, const char *);
void expand_label_addr(const char *, char *, size_t, u_int8_t,
- struct node_host *);
+ struct pf_rule_addr *);
void expand_label_port(const char *, char *, size_t,
- struct node_port *);
+ struct pf_rule_addr *);
void expand_label_proto(const char *, char *, size_t, u_int8_t);
-void expand_label_nr(const char *, char *, size_t);
-void expand_label(char *, size_t, const char *, u_int8_t,
- struct node_host *, struct node_port *, struct node_host *,
- struct node_port *, u_int8_t);
+void expand_label_nr(const char *, char *, size_t,
+ struct pfctl_rule *);
void expand_rule(struct pfctl_rule *, struct node_if *,
struct node_host *, struct node_proto *, struct node_os *,
struct node_host *, struct node_port *, struct node_host *,
@@ -5022,17 +5020,17 @@ expand_label_if(const char *name, char *label, size_t len, const char *ifname)
void
expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
- struct node_host *h)
+ struct pf_rule_addr *addr)
{
char tmp[64], tmp_not[66];
if (strstr(label, name) != NULL) {
- switch (h->addr.type) {
+ switch (addr->addr.type) {
case PF_ADDR_DYNIFTL:
- snprintf(tmp, sizeof(tmp), "(%s)", h->addr.v.ifname);
+ snprintf(tmp, sizeof(tmp), "(%s)", addr->addr.v.ifname);
break;
case PF_ADDR_TABLE:
- snprintf(tmp, sizeof(tmp), "<%s>", h->addr.v.tblname);
+ snprintf(tmp, sizeof(tmp), "<%s>", addr->addr.v.tblname);
break;
case PF_ADDR_NOROUTE:
snprintf(tmp, sizeof(tmp), "no-route");
@@ -5041,18 +5039,18 @@ expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
snprintf(tmp, sizeof(tmp), "urpf-failed");
break;
case PF_ADDR_ADDRMASK:
- if (!af || (PF_AZERO(&h->addr.v.a.addr, af) &&
- PF_AZERO(&h->addr.v.a.mask, af)))
+ if (!af || (PF_AZERO(&addr->addr.v.a.addr, af) &&
+ PF_AZERO(&addr->addr.v.a.mask, af)))
snprintf(tmp, sizeof(tmp), "any");
else {
char a[48];
int bits;
- if (inet_ntop(af, &h->addr.v.a.addr, a,
+ if (inet_ntop(af, &addr->addr.v.a.addr, a,
sizeof(a)) == NULL)
snprintf(tmp, sizeof(tmp), "?");
else {
- bits = unmask(&h->addr.v.a.mask, af);
+ bits = unmask(&addr->addr.v.a.mask, af);
if ((af == AF_INET && bits < 32) ||
(af == AF_INET6 && bits < 128))
snprintf(tmp, sizeof(tmp),
@@ -5068,7 +5066,7 @@ expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
break;
}
- if (h->not) {
+ if (addr->neg) {
snprintf(tmp_not, sizeof(tmp_not), "! %s", tmp);
expand_label_str(label, len, name, tmp_not);
} else
@@ -5078,30 +5076,30 @@ expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
void
expand_label_port(const char *name, char *label, size_t len,
- struct node_port *port)
+ struct pf_rule_addr *addr)
{
char a1[6], a2[6], op[13] = "";
if (strstr(label, name) != NULL) {
- snprintf(a1, sizeof(a1), "%u", ntohs(port->port[0]));
- snprintf(a2, sizeof(a2), "%u", ntohs(port->port[1]));
- if (!port->op)
+ snprintf(a1, sizeof(a1), "%u", ntohs(addr->port[0]));
+ snprintf(a2, sizeof(a2), "%u", ntohs(addr->port[1]));
+ if (!addr->port_op)
;
- else if (port->op == PF_OP_IRG)
+ else if (addr->port_op == PF_OP_IRG)
snprintf(op, sizeof(op), "%s><%s", a1, a2);
- else if (port->op == PF_OP_XRG)
+ else if (addr->port_op == PF_OP_XRG)
snprintf(op, sizeof(op), "%s<>%s", a1, a2);
- else if (port->op == PF_OP_EQ)
+ else if (addr->port_op == PF_OP_EQ)
snprintf(op, sizeof(op), "%s", a1);
- else if (port->op == PF_OP_NE)
+ else if (addr->port_op == PF_OP_NE)
snprintf(op, sizeof(op), "!=%s", a1);
- else if (port->op == PF_OP_LT)
+ else if (addr->port_op == PF_OP_LT)
snprintf(op, sizeof(op), "<%s", a1);
- else if (port->op == PF_OP_LE)
+ else if (addr->port_op == PF_OP_LE)
snprintf(op, sizeof(op), "<=%s", a1);
- else if (port->op == PF_OP_GT)
+ else if (addr->port_op == PF_OP_GT)
snprintf(op, sizeof(op), ">%s", a1);
- else if (port->op == PF_OP_GE)
+ else if (addr->port_op == PF_OP_GE)
snprintf(op, sizeof(op), ">=%s", a1);
expand_label_str(label, len, name, op);
}
@@ -5125,29 +5123,27 @@ expand_label_proto(const char *name, char *label, size_t len, u_int8_t proto)
}
void
-expand_label_nr(const char *name, char *label, size_t len)
+expand_label_nr(const char *name, char *label, size_t len,
+ struct pfctl_rule *r)
{
char n[11];
if (strstr(label, name) != NULL) {
- snprintf(n, sizeof(n), "%u", pf->anchor->match);
+ snprintf(n, sizeof(n), "%u", r->nr);
expand_label_str(label, len, name, n);
}
}
void
-expand_label(char *label, size_t len, const char *ifname, sa_family_t af,
- struct node_host *src_host, struct node_port *src_port,
- struct node_host *dst_host, struct node_port *dst_port,
- u_int8_t proto)
+expand_label(char *label, size_t len, struct pfctl_rule *r)
{
- expand_label_if("$if", label, len, ifname);
- expand_label_addr("$srcaddr", label, len, af, src_host);
- expand_label_addr("$dstaddr", label, len, af, dst_host);
- expand_label_port("$srcport", label, len, src_port);
- expand_label_port("$dstport", label, len, dst_port);
- expand_label_proto("$proto", label, len, proto);
- expand_label_nr("$nr", label, len);
+ expand_label_if("$if", label, len, r->ifname);
+ expand_label_addr("$srcaddr", label, len, r->af, &r->src);
+ expand_label_addr("$dstaddr", label, len, r->af, &r->dst);
+ expand_label_port("$srcport", label, len, &r->src);
+ expand_label_port("$dstport", label, len, &r->dst);
+ expand_label_proto("$proto", label, len, r->proto);
+ expand_label_nr("$nr", label, len, r);
}
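Review bot: expand_label is now an exported entry point that reads r->ifname, r->af, r->src, r->dst, r->proto and r->nr, but neither the definition nor the header prototype says which fields of the rule must be populated before it is called, and the rewritten helpers below it (expand_label_addr, expand_label_port, expand_label_nr) now depend on the same precondition. I'd add a header comment above the definition: `/* Expand $if/$srcaddr/$dstaddr/$srcport/$dstport/$proto/$nr in label in place; r must already carry its final ifname, af, src, dst, proto and nr. */`. Note also that `$nr` changes meaning here: expand_label_nr used to print pf->anchor->match, a parse-time counter, and now prints r->nr, so any caller that runs before r->nr is assigned would substitute a stale or zero number.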
int
@@ -5481,15 +5477,6 @@ expand_rule(struct pfctl_rule *r,
if (strlcpy(r->match_tagname, match_tagname,
sizeof(r->match_tagname)) >= sizeof(r->match_tagname))
errx(1, "expand_rule: strlcpy");
- for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
- expand_label(r->label[i], PF_RULE_LABEL_SIZE,
- r->ifname, r->af, src_host, src_port, dst_host,
- dst_port, proto->proto);
- expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af,
- src_host, src_port, dst_host, dst_port, proto->proto);
- expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname,
- r->af, src_host, src_port, dst_host, dst_port,
- proto->proto);
error += check_netmask(src_host, r->af);
error += check_netmask(dst_host, r->af);
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index d7bde0012e9b..a0eec1b09289 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1528,6 +1528,12 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs,
while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
+
+ for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
+ expand_label(r->label[i], PF_RULE_LABEL_SIZE, r);
+ expand_label(r->tagname, PF_TAG_NAME_SIZE, r);
+ expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r);
+
if ((error = pfctl_load_rule(pf, path, r, depth)))
goto error;
if (r->anchor) {
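Review bot: The added expand_label calls substitute r->nr into `$nr` labels, but nothing in this hunk shows r->nr being assigned before the loop; if the rule number is only fixed later in pfctl_load_rule or by the kernel, every `$nr` label in the ruleset would expand to the same unset value, which is a silent regression from the old parse-time counter. Worth confirming where r->nr is set on the load path and, if it is set earlier, recording that dependency above the loop: `/* r->nr must be final here: expand_label() substitutes it into $nr labels. */`. Since the expansion now runs once per rule as it is dequeued, it also applies to rules in nested anchors only if this function is re-entered for them, which presumably happens through the r->anchor branch below. The enclosing while loop and pfctl_load_ruleset continue outside the hunk.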
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index 80ef184fa90f..606eb729cd44 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
@@ -138,6 +138,8 @@ void pf_remove_if_empty_ruleset(struct pfctl_ruleset *);
struct pfctl_ruleset *pf_find_ruleset(const char *);
struct pfctl_ruleset *pf_find_or_create_ruleset(const char *);
+void expand_label(char *, size_t, struct pfctl_rule *);
+
const char *pfctl_proto2name(int);
#endif /* _PFCTL_H_ */