Module Name: src Committed By: rmind Date: Mon Feb 2 00:31:39 UTC 2015
Modified Files: src/sys/net/npf: npf_impl.h npf_ruleset.c src/usr.sbin/npf/npfctl: npf_show.c Log Message: npfctl(8): report dynamic rule ID in a comment, print the case when libpcap is used correctly. Also, add npf_ruleset_dump() helper in the kernel. To generate a diff of this commit: cvs rdiff -u -r1.60 -r1.61 src/sys/net/npf/npf_impl.h cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_ruleset.c cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.60 src/sys/net/npf/npf_impl.h:1.61
--- src/sys/net/npf/npf_impl.h:1.60 Sun Nov 30 01:37:53 2014
+++ src/sys/net/npf/npf_impl.h Mon Feb 2 00:31:39 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_impl.h,v 1.60 2014/11/30 01:37:53 rmind Exp $ */
+/* $NetBSD: npf_impl.h,v 1.61 2015/02/02 00:31:39 rmind Exp $ */

 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -344,6 +344,7 @@ prop_array_t npf_alg_export(void);
 const char * npf_addr_dump(const npf_addr_t *, int);
 void npf_state_dump(const npf_state_t *);
 void npf_nat_dump(const npf_nat_t *);
+void npf_ruleset_dump(const char *);
 void npf_state_setsampler(void (*)(npf_state_t *, bool));

 #endif /* _NPF_IMPL_H_ */
Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.40 src/sys/net/npf/npf_ruleset.c:1.41
--- src/sys/net/npf/npf_ruleset.c:1.40 Sun Nov 30 01:37:53 2014
+++ src/sys/net/npf/npf_ruleset.c Mon Feb 2 00:31:39 2015
@@ -1,7 +1,7 @@
-/* $NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $ */

 /*-
- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
@@ -34,7 +34,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.40 2014/11/30 01:37:53 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.41 2015/02/02 00:31:39 rmind Exp $");

 #include <sys/param.h>
 #include <sys/types.h>
@@ -936,3 +936,25 @@ npf_rule_conclude(const npf_rule_t *rl,
 *retfl = rl->r_attr;
 return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
 }
+
+
+#if defined(DDB) || defined(_NPF_TESTING)
+
+void
+npf_ruleset_dump(const char *name)
+{
+ npf_ruleset_t *rlset = npf_config_ruleset();
+ npf_rule_t *rg, *rl;
+
+ LIST_FOREACH(rg, &rlset->rs_dynamic, r_dentry) {
+ printf("ruleset '%s':\n", rg->r_name);
+ TAILQ_FOREACH(rl, &rg->r_subset, r_entry) {
+ printf("\tid %"PRIu64", key: ", rl->r_id);
+ for (u_int i = 0; i < NPF_RULE_MAXKEYLEN; i++)
+ printf("%x", rl->r_key[i]);
+ printf("\n");
+ }
+ }
+}
+
+#endif
Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.15 src/usr.sbin/npf/npfctl/npf_show.c:1.16
--- src/usr.sbin/npf/npfctl/npf_show.c:1.15 Sun Jul 20 00:48:51 2014
+++ src/usr.sbin/npf/npfctl/npf_show.c Mon Feb 2 00:31:39 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $ */
+/* $NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $ */

 /*-
 * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
 */

 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.15 2014/07/20 00:48:51 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.16 2015/02/02 00:31:39 rmind Exp $");

 #include <sys/socket.h>
 #include <netinet/in.h>
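Review bot: The `name` argument of npf_ruleset_dump() is never read: the LIST_FOREACH walks every entry on `rs_dynamic` and prints `rg->r_name`, so a caller that passes a ruleset name still gets all dynamic groups dumped. Either filter at the top of the outer loop body with `if (strcmp(rg->r_name, name) != 0) continue;` or drop the parameter, whichever matches the intended debugger usage. Separately, `printf("%x", rl->r_key[i])` does not zero-pad, so two different keys can print as the same digit string; `printf("%02x", rl->r_key[i]);` keeps two digits per byte, assuming `r_key` is a byte array (its declaration is not in this hunk). A one-line header comment stating that the function is compiled only under DDB or _NPF_TESTING and reads the active ruleset without taking any lock visible here would also help the next reader.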
@@ -316,10 +316,25 @@ static void
 npfctl_print_filter(npf_conf_info_t *ctx, nl_rule_t *rl)
 {
 const void *marks;
- size_t mlen;
+ size_t mlen, len;
+ const void *code;
+ int type;

- /* BPF filter criteria described by the byte-code marks. */
 marks = npf_rule_getinfo(rl, &mlen);
+ if (!marks && (code = npf_rule_getcode(rl, &type, &len)) != NULL) {
+ /*
+ * No marks, but the byte-code is present. This must
+ * have been filled by libpcap(3) or possibly an unknown
+ * to us byte-code.
+ */
+ fprintf(ctx->fp, "%s ", type == NPF_CODE_BPF ?
+ "pcap-filter \"...\"" : "unrecognized-bytecode");
+ return;
+ }
+
+ /*
+ * BPF filter criteria described by the byte-code marks.
+ */
 for (u_int i = 0; i < __arraycount(mark_keyword_map); i++) {
 const struct mark_keyword_mapent *mk = &mark_keyword_map[i];
 char *val;
@@ -356,7 +371,7 @@ npfctl_print_rule(npf_conf_info_t *ctx,
 fprintf(ctx->fp, "on %s ", ifname);
 }

- if ((attr & (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)) == NPF_RULE_GROUP) {
+ if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP) {
 /* Group; done. */
 fputs("\n", ctx->fp);
 return;
@@ -367,8 +382,15 @@ npfctl_print_rule(npf_conf_info_t *ctx,

 /* Rule procedure. */
 if ((rproc = npf_rule_getproc(rl)) != NULL) {
- fprintf(ctx->fp, "apply \"%s\"", rproc);
+ fprintf(ctx->fp, "apply \"%s\" ", rproc);
+ }
+
+ /* If dynamic rule - print its ID. */
+ if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC) {
+ uint64_t id = npf_rule_getid(rl);
+ fprintf(ctx->fp, "# id = \"%" PRIu64 "\" ", id);
 }
+
 fputs("\n", ctx->fp);
 }
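Review bot: In the new early-return branch of npfctl_print_filter(), a rule carrying libpcap byte-code is shown as the literal `pcap-filter "..."`, so the listing no longer tells an operator what such a rule matches, and the printed line is a placeholder rather than the expression that was loaded. Anyone auditing the active policy from this output should be told that; the block comment could end with `* Only a placeholder is printed; the original expression is not shown.`. The `len` fetched by npf_rule_getcode() is otherwise unused in the visible lines and could be reported (for example as a byte-code size) so that two different pcap rules are at least distinguishable; `code` is likewise used only for the NULL test. The function body continues past the end of the hunk.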
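Review bot: The comment `/* If dynamic rule - print its ID. */` in the last hunk of npfctl_print_rule() does not say which rules the mask test selects or why the ID is written behind a `#`. The condition `(attr & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC` reads almost the same as the group test changed in the previous hunk, and the definition of NPF_DYNAMIC_GROUP is not on this page, so a short explanation would prevent misreading. Something like `/* Dynamic rule (DYNAMIC set, GROUP clear): append its ID as a trailing '#' comment. */` would do, assuming the macro is the OR of the two flags as the replaced expression suggests. The function starts outside the hunk.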