pfctl: Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.

This is the userland portion.  OK deraadt@ sashan@

Obtained from:	OpenBSD, millert <millert@openbsd.org>, b4de054894
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost 2025-07-03 14:01:41 +02:00
parent cface4d97a
commit 1997370109
2 changed files with 13 additions and 15 deletions


@ -3905,7 +3905,7 @@ uid_item : uid {
$$->tail = $$;
}
| unaryop uid {
if ($2 == UID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
if ($2 == -1 && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
yyerror("user unknown requires operator = or "
"!=");
YYERROR;
@ -3920,7 +3920,7 @@ uid_item : uid {
$$->tail = $$;
}
| uid PORTBINARY uid {
if ($1 == UID_MAX || $3 == UID_MAX) {
if ($1 == -1 || $3 == -1) {
yyerror("user unknown requires operator = or "
"!=");
YYERROR;
@ -3938,7 +3938,7 @@ uid_item : uid {
uid : STRING {
if (!strcmp($1, "unknown"))
$$ = UID_MAX;
$$ = -1;
else {
uid_t uid;
@ -3983,7 +3983,7 @@ gid_item : gid {
$$->tail = $$;
}
| unaryop gid {
if ($2 == GID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
if ($2 == -1 && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
yyerror("group unknown requires operator = or "
"!=");
YYERROR;
@ -3998,7 +3998,7 @@ gid_item : gid {
$$->tail = $$;
}
| gid PORTBINARY gid {
if ($1 == GID_MAX || $3 == GID_MAX) {
if ($1 == -1 || $3 == -1) {
yyerror("group unknown requires operator = or "
"!=");
YYERROR;
@ -4016,7 +4016,7 @@ gid_item : gid {
gid : STRING {
if (!strcmp($1, "unknown"))
$$ = GID_MAX;
$$ = -1;
else {
gid_t gid;
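Review bot: The bare literal -1 now stands for "unknown" in six places (both `unaryop` alternatives, both `PORTBINARY` alternatives, and the `uid`/`gid` STRING rules) with nothing at the assignment sites saying so, and what the value ends up as depends on the semantic type of `$$` for `uid`/`gid`, which is declared outside these hunks: if it is the parser's signed number field the value stays -1 until it is copied into the node's uid_t/gid_t slot, where it narrows to that type's maximum, and if it is already the unsigned id type the `$2 == -1` tests only match through the usual arithmetic conversion. A one-line comment at the two assignment sites, `/* -1 means "unknown"; only = and != are meaningful against it */`, would make the convention visible where it is set, and a single named constant shared with the printing code would keep the parser and print_ugid in step. The uid_item/gid_item and uid/gid rule bodies begin and end outside these hunks.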


@ -68,7 +68,7 @@
void print_op (u_int8_t, const char *, const char *);
void print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int);
void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
void print_ugid (u_int8_t, id_t, id_t, const char *);
void print_flags (uint16_t);
void print_fromto(struct pf_rule_addr *, pf_osfp_t,
struct pf_rule_addr *, sa_family_t, u_int8_t, int, int);
@ -364,14 +364,14 @@ print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numer
}
void
print_ugid(u_int8_t op, unsigned u1, unsigned u2, const char *t, unsigned umax)
print_ugid(u_int8_t op, id_t i1, id_t i2, const char *t)
{
char a1[11], a2[11];
snprintf(a1, sizeof(a1), "%u", u1);
snprintf(a2, sizeof(a2), "%u", u2);
snprintf(a1, sizeof(a1), "%lu", i1);
snprintf(a2, sizeof(a2), "%lu", i2);
printf(" %s", t);
if (u1 == umax && (op == PF_OP_EQ || op == PF_OP_NE))
if (i1 == -1 && (op == PF_OP_EQ || op == PF_OP_NE))
print_op(op, "unknown", a2);
else
print_op(op, a1, a2);
@ -977,11 +977,9 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer
printf(" %sreceived-on %s", r->rcvifnot ? "!" : "",
r->rcv_ifname);
if (r->uid.op)
print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",
UID_MAX);
print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user");
if (r->gid.op)
print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
GID_MAX);
print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group");
if (r->flags || r->flagset) {
printf(" flags ");
print_flags(r->flags);
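Review bot: The new test `i1 == -1` in print_ugid only holds if the caller's value reaches id_t as -1, and the call sites in print_rule pass `r->uid.uid[0]` and `r->gid.gid[0]` whose types are not visible here; if those are 32-bit unsigned uid_t/gid_t holding the "unknown" sentinel, widening to a wider signed id_t yields 4294967295 rather than -1, the comparison never matches, and "unknown" prints as a number where the old code (which received the maximum explicitly via `umax`) printed the word. Confirm against the uid_t/gid_t/id_t definitions; if the widening does lose the sentinel, print_ugid should compare in the caller's type (or keep an explicit sentinel parameter as before) rather than against a literal -1. Separately, `"%lu"` in the two snprintf calls is only correct where id_t is exactly unsigned long; `snprintf(a1, sizeof(a1), "%jd", (intmax_t)i1);` is portable, and with a 64-bit id the `a1[11]`/`a2[11]` buffers are too small for the longest values and would need room for 20 digits plus sign and NUL, e.g. `char a1[22], a2[22];` (snprintf truncates rather than overflows, so the failure mode is wrong output, not memory corruption). The same widening concern applies to both calls in the print_rule hunk; print_rule's body continues outside that hunk.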