pfctl: add option -S (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@
Reviewed by: ziaee (manpages)
Obtained from: OpenBSD, benno <benno@openbsd.org>, 7c8726d43b
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50724
This commit is contained in:
parent
defc181278
commit
4ace4ea9ca
8 changed files with 59 additions and 48 deletions
|
|
@ -364,7 +364,7 @@ int rule_consistent(struct pfctl_rule *, int);
|
|||
int filter_consistent(struct pfctl_rule *, int);
|
||||
int nat_consistent(struct pfctl_rule *);
|
||||
int rdr_consistent(struct pfctl_rule *);
|
||||
int process_tabledef(char *, struct table_opts *);
|
||||
int process_tabledef(char *, struct table_opts *, int);
|
||||
void expand_label_str(char *, size_t, const char *, const char *);
|
||||
void expand_label_if(const char *, char *, size_t, const char *);
|
||||
void expand_label_addr(const char *, char *, size_t, sa_family_t,
|
||||
|
|
@ -1746,7 +1746,7 @@ tabledef : TABLE '<' STRING '>' table_opts {
|
|||
YYERROR;
|
||||
}
|
||||
if (pf->loadopt & PFCTL_FLAG_TABLE)
|
||||
if (process_tabledef($3, &$5)) {
|
||||
if (process_tabledef($3, &$5, pf->opts)) {
|
||||
free($3);
|
||||
YYERROR;
|
||||
}
|
||||
|
|
@ -3007,7 +3007,7 @@ filter_opt : USER uids {
|
|||
}
|
||||
| DIVERTTO STRING PORT portplain {
|
||||
#ifndef __FreeBSD__
|
||||
if ((filter_opts.divert.addr = host($2)) == NULL) {
|
||||
if ((filter_opts.divert.addr = host($2, pf->opts)) == NULL) {
|
||||
yyerror("could not parse divert address: %s",
|
||||
$2);
|
||||
free($2);
|
||||
|
|
@ -3719,7 +3719,7 @@ xhost : not host {
|
|||
;
|
||||
|
||||
host : STRING {
|
||||
if (($$ = host($1)) == NULL) {
|
||||
if (($$ = host($1, pf->opts)) == NULL) {
|
||||
/* error. "any" is handled elsewhere */
|
||||
free($1);
|
||||
yyerror("could not parse host specification");
|
||||
|
|
@ -3731,7 +3731,8 @@ host : STRING {
|
|||
| STRING '-' STRING {
|
||||
struct node_host *b, *e;
|
||||
|
||||
if ((b = host($1)) == NULL || (e = host($3)) == NULL) {
|
||||
if ((b = host($1, pf->opts)) == NULL ||
|
||||
(e = host($3, pf->opts)) == NULL) {
|
||||
free($1);
|
||||
free($3);
|
||||
yyerror("could not parse host specification");
|
||||
|
|
@ -3767,7 +3768,7 @@ host : STRING {
|
|||
if (asprintf(&buf, "%s/%lld", $1, (long long)$3) == -1)
|
||||
err(1, "host: asprintf");
|
||||
free($1);
|
||||
if (($$ = host(buf)) == NULL) {
|
||||
if (($$ = host(buf, pf->opts)) == NULL) {
|
||||
/* error. "any" is handled elsewhere */
|
||||
free(buf);
|
||||
yyerror("could not parse host specification");
|
||||
|
|
@ -3785,7 +3786,7 @@ host : STRING {
|
|||
if (asprintf(&buf, "%lld/%lld", $1, $3) == -1)
|
||||
#endif
|
||||
err(1, "host: asprintf");
|
||||
if (($$ = host(buf)) == NULL) {
|
||||
if (($$ = host(buf, pf->opts)) == NULL) {
|
||||
/* error. "any" is handled elsewhere */
|
||||
free(buf);
|
||||
yyerror("could not parse host specification");
|
||||
|
|
@ -5494,7 +5495,7 @@ rdr_consistent(struct pfctl_rule *r)
|
|||
}
|
||||
|
||||
int
|
||||
process_tabledef(char *name, struct table_opts *opts)
|
||||
process_tabledef(char *name, struct table_opts *opts, int popts)
|
||||
{
|
||||
struct pfr_buffer ab;
|
||||
struct node_tinit *ti;
|
||||
|
|
@ -5505,7 +5506,7 @@ process_tabledef(char *name, struct table_opts *opts)
|
|||
ab.pfrb_type = PFRB_ADDRS;
|
||||
SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) {
|
||||
if (ti->file)
|
||||
if (pfr_buf_load(&ab, ti->file, 0, append_addr)) {
|
||||
if (pfr_buf_load(&ab, ti->file, 0, append_addr, popts)) {
|
||||
if (errno)
|
||||
yyerror("cannot load \"%s\": %s",
|
||||
ti->file, strerror(errno));
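Review bot: With `-S` set, a `host()` failure in the `host :` rules still reports the generic `could not parse host specification` (the yyerror calls after the `host($1, pf->opts)`, `host(buf, pf->opts)` and range-form calls), so a user whose ruleset contains a hostname gets no hint that resolution was disabled rather than the spec being malformed, although the manpage text added in this commit promises an error will be reported. yyerror is printf-style (see the `could not parse divert address: %s` call), so one line per site suffices: `yyerror("could not parse host specification%s", (pf->opts & PF_OPT_NODNS) ? " (name resolution disabled)" : "");`. The same applies at all four sites in this file; the `process_tabledef` path only reports when `errno` is set, and append_addr clears errno when host() fails, so a table file containing a name under `-S` may produce no message at all there — worth checking against the branch outside the hunk. The rule actions and process_tabledef continue outside the hunks.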
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd May 9, 2025
|
||||
.Dd May 29, 2025
|
||||
.Dt PFCTL 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
|
@ -527,6 +527,9 @@ address mapping failed
|
|||
.It translate
|
||||
no free ports in translation port range
|
||||
.El
|
||||
.It Fl S
|
||||
Do not perform domain name resolution.
|
||||
If a name cannot be resolved without DNS, an error will be reported.
|
||||
.It Fl T Ar command Op Ar address ...
|
||||
Specify the
|
||||
.Ar command
|
||||
|
|
|
|||
|
|
@ -258,7 +258,7 @@ usage(void)
|
|||
extern char *__progname;
|
||||
|
||||
fprintf(stderr,
|
||||
"usage: %s [-AdeghMmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
|
||||
"usage: %s [-AdeghMmNnOPqRSrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
|
||||
"\t[-f file] [-i interface] [-K host | network]\n"
|
||||
"\t[-k host | network | gateway | label | id] [-o level] [-p device]\n"
|
||||
"\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
|
||||
|
|
@ -3035,7 +3035,7 @@ main(int argc, char *argv[])
|
|||
usage();
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
"a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:t:T:vx:z")) != -1) {
|
||||
"a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:St:T:vx:z")) != -1) {
|
||||
switch (ch) {
|
||||
case 'a':
|
||||
anchoropt = optarg;
|
||||
|
|
@ -3137,6 +3137,9 @@ main(int argc, char *argv[])
|
|||
usage();
|
||||
}
|
||||
break;
|
||||
case 'S':
|
||||
opts |= PF_OPT_NODNS;
|
||||
break;
|
||||
case 't':
|
||||
tableopt = optarg;
|
||||
break;
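Review bot: `case 'S'` only sets PF_OPT_NODNS and never clears or conflicts with PF_OPT_USEDNS, so combined with the option that sets PF_OPT_USEDNS (the reverse-lookup flag, presumably `-r` as elsewhere in this file) reverse DNS is still performed in the table printing paths that pass `opts & PF_OPT_USEDNS` (visible in the pfctl_table.c hunks). The manpage sentence added in this commit, "Do not perform domain name resolution", is therefore stronger than what the flag does. Either reject the combination after the getopt loop, `if ((opts & PF_OPT_NODNS) && (opts & PF_OPT_USEDNS)) usage();`, or narrow the manpage wording to address parsing. main() continues outside the hunk.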
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ int pfr_buf_add(struct pfr_buffer *, const void *);
|
|||
void *pfr_buf_next(struct pfr_buffer *, const void *);
|
||||
int pfr_buf_grow(struct pfr_buffer *, int);
|
||||
int pfr_buf_load(struct pfr_buffer *, char *, int,
|
||||
int (*)(struct pfr_buffer *, char *, int));
|
||||
int (*)(struct pfr_buffer *, char *, int, int), int);
|
||||
char *pfr_strerror(int);
|
||||
int pfi_get_ifaces(const char *, struct pfi_kif *, int *);
|
||||
int pfi_clr_istats(const char *, int *, int);
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ int ifa_skip_if(const char *filter, struct node_host *p);
|
|||
struct node_host *host_if(const char *, int, int *);
|
||||
struct node_host *host_v4(const char *, int);
|
||||
struct node_host *host_v6(const char *, int);
|
||||
struct node_host *host_dns(const char *, int, int);
|
||||
struct node_host *host_dns(const char *, int, int, int);
|
||||
|
||||
const char * const tcpflags = "FSRPAUEWe";
|
||||
|
||||
|
|
@ -1801,7 +1801,7 @@ ifa_skip_if(const char *filter, struct node_host *p)
|
|||
|
||||
|
||||
struct node_host *
|
||||
host(const char *s)
|
||||
host(const char *s, int opts)
|
||||
{
|
||||
struct node_host *h = NULL;
|
||||
int mask, v4mask, v6mask, cont = 1;
|
||||
|
|
@ -1839,7 +1839,8 @@ host(const char *s)
|
|||
cont = 0;
|
||||
|
||||
/* dns lookup */
|
||||
if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL)
|
||||
if (cont && (h = host_dns(ps, v4mask, v6mask,
|
||||
(opts & PF_OPT_NODNS))) != NULL)
|
||||
cont = 0;
|
||||
free(ps);
|
||||
|
||||
|
|
@ -1957,7 +1958,7 @@ host_v6(const char *s, int mask)
|
|||
}
|
||||
|
||||
struct node_host *
|
||||
host_dns(const char *s, int v4mask, int v6mask)
|
||||
host_dns(const char *s, int v4mask, int v6mask, int numeric)
|
||||
{
|
||||
struct addrinfo hints, *res0, *res;
|
||||
struct node_host *n, *h = NULL;
|
||||
|
|
@ -1974,6 +1975,8 @@ host_dns(const char *s, int v4mask, int v6mask)
|
|||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = PF_UNSPEC;
|
||||
hints.ai_socktype = SOCK_STREAM; /* DUMMY */
|
||||
if (numeric)
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
error = getaddrinfo(ps, NULL, &hints, &res0);
|
||||
if (error) {
|
||||
free(ps);
|
||||
|
|
@ -2037,7 +2040,7 @@ host_dns(const char *s, int v4mask, int v6mask)
|
|||
* if set to 1, only simple addresses are accepted (no netblock, no "!").
|
||||
*/
|
||||
int
|
||||
append_addr(struct pfr_buffer *b, char *s, int test)
|
||||
append_addr(struct pfr_buffer *b, char *s, int test, int opts)
|
||||
{
|
||||
char *r;
|
||||
struct node_host *h, *n;
|
||||
|
|
@ -2045,7 +2048,7 @@ append_addr(struct pfr_buffer *b, char *s, int test)
|
|||
|
||||
for (r = s; *r == '!'; r++)
|
||||
not = !not;
|
||||
if ((n = host(r)) == NULL) {
|
||||
if ((n = host(r, opts)) == NULL) {
|
||||
errno = 0;
|
||||
return (-1);
|
||||
}
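Review bot: The `/* dns lookup */` comment above the `host_dns(ps, v4mask, v6mask, (opts & PF_OPT_NODNS))` call in host() is now misleading: with PF_OPT_NODNS the call resolves nothing and only accepts literal addresses because host_dns sets AI_NUMERICHOST. Suggest `/* dns lookup, or numeric-only parse when PF_OPT_NODNS (-S) is set */`, and a line above host_dns stating that `numeric` is a plain truth value since the caller passes the raw masked bit rather than 0/1, e.g. `/* numeric != 0: set AI_NUMERICHOST so getaddrinfo() never queries DNS */`. host(), host_dns() and append_addr() all continue outside their hunks.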
|
||||
|
|
|
|||
|
|
@ -38,22 +38,23 @@
|
|||
|
||||
#define PF_OSFP_FILE "/etc/pf.os"
|
||||
|
||||
#define PF_OPT_DISABLE 0x0001
|
||||
#define PF_OPT_ENABLE 0x0002
|
||||
#define PF_OPT_VERBOSE 0x0004
|
||||
#define PF_OPT_NOACTION 0x0008
|
||||
#define PF_OPT_QUIET 0x0010
|
||||
#define PF_OPT_CLRRULECTRS 0x0020
|
||||
#define PF_OPT_USEDNS 0x0040
|
||||
#define PF_OPT_VERBOSE2 0x0080
|
||||
#define PF_OPT_DUMMYACTION 0x0100
|
||||
#define PF_OPT_DEBUG 0x0200
|
||||
#define PF_OPT_SHOWALL 0x0400
|
||||
#define PF_OPT_OPTIMIZE 0x0800
|
||||
#define PF_OPT_NUMERIC 0x1000
|
||||
#define PF_OPT_MERGE 0x2000
|
||||
#define PF_OPT_RECURSE 0x4000
|
||||
#define PF_OPT_KILLMATCH 0x8000
|
||||
#define PF_OPT_DISABLE 0x00001
|
||||
#define PF_OPT_ENABLE 0x00002
|
||||
#define PF_OPT_VERBOSE 0x00004
|
||||
#define PF_OPT_NOACTION 0x00008
|
||||
#define PF_OPT_QUIET 0x00010
|
||||
#define PF_OPT_CLRRULECTRS 0x00020
|
||||
#define PF_OPT_USEDNS 0x00040
|
||||
#define PF_OPT_VERBOSE2 0x00080
|
||||
#define PF_OPT_DUMMYACTION 0x00100
|
||||
#define PF_OPT_DEBUG 0x00200
|
||||
#define PF_OPT_SHOWALL 0x00400
|
||||
#define PF_OPT_OPTIMIZE 0x00800
|
||||
#define PF_OPT_NUMERIC 0x01000
|
||||
#define PF_OPT_MERGE 0x02000
|
||||
#define PF_OPT_RECURSE 0x04000
|
||||
#define PF_OPT_KILLMATCH 0x08000
|
||||
#define PF_OPT_NODNS 0x10000
|
||||
|
||||
#define PF_NAT_PROXY_PORT_LOW 50001
|
||||
#define PF_NAT_PROXY_PORT_HIGH 65535
|
||||
|
|
@ -370,9 +371,9 @@ int get_query_socket(void);
|
|||
struct node_host *ifa_exists(char *);
|
||||
struct node_host *ifa_grouplookup(char *ifa_name, int flags);
|
||||
struct node_host *ifa_lookup(char *, int);
|
||||
struct node_host *host(const char *);
|
||||
struct node_host *host(const char *, int);
|
||||
|
||||
int append_addr(struct pfr_buffer *, char *, int);
|
||||
int append_addr(struct pfr_buffer *, char *, int, int);
|
||||
int append_addr_host(struct pfr_buffer *,
|
||||
struct node_host *, int, int);
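Review bot: PF_OPT_NODNS (0x10000) is the first PF_OPT_ flag that does not fit in 16 bits and nothing in the header marks that; if any consumer stores or passes opts through an integer type narrower than `int` (the struct definitions are not visible here), the bit would be silently truncated. A short comment on the define, `/* first flag above 16 bits; opts must stay int-wide */`, would warn the next person adding flags. Rewriting all fifteen existing literals to five hex digits is purely cosmetic but accounts for most of this file's diff; keeping the old spellings would have made the functional change (one new define, two prototypes) easier to audit.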
|
||||
|
||||
|
|
|
|||
|
|
@ -400,7 +400,7 @@ pfr_buf_clear(struct pfr_buffer *b)
|
|||
|
||||
int
|
||||
pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
|
||||
int (*append_addr)(struct pfr_buffer *, char *, int))
|
||||
int (*append_addr)(struct pfr_buffer *, char *, int, int), int opts)
|
||||
{
|
||||
FILE *fp;
|
||||
char buf[BUF_SIZE];
|
||||
|
|
@ -416,7 +416,7 @@ pfr_buf_load(struct pfr_buffer *b, char *file, int nonetwork,
|
|||
return (-1);
|
||||
}
|
||||
while ((rv = pfr_next_token(buf, fp)) == 1)
|
||||
if (append_addr(b, buf, nonetwork)) {
|
||||
if (append_addr(b, buf, nonetwork, opts)) {
|
||||
rv = -1;
|
||||
break;
|
||||
}
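Review bot: The new `opts` parameter of `pfr_buf_load` is undocumented and is only forwarded to the `append_addr` callback as its fourth argument, next to the equally unexplained `nonetwork`; two adjacent positional ints invite swapped arguments at the call sites this commit touches. A header comment above the function stating that `opts` carries the pfctl PF_OPT_* flags and is handed unchanged to the callback (which in the parser path uses PF_OPT_NODNS to suppress name resolution) would make the contract visible. The parameter named `append_addr` shadows the global function of the same name declared in pfctl_parser.h — pre-existing, but worth renaming while the signature is being rewritten. The function continues outside the hunk.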
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ static int pfctl_table(int, char *[], char *, const char *, char *,
|
|||
const char *, int);
|
||||
static void print_table(const struct pfr_table *, int, int);
|
||||
static int print_tstats(const struct pfr_tstats *, int);
|
||||
static int load_addr(struct pfr_buffer *, int, char *[], char *, int);
|
||||
static int load_addr(struct pfr_buffer *, int, char *[], char *, int, int);
|
||||
static void print_addrx(struct pfr_addr *, struct pfr_addr *, int);
|
||||
static int nonzero_astats(struct pfr_astats *);
|
||||
static void print_astats(struct pfr_astats *, int);
|
||||
|
|
@ -204,7 +204,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
|
|||
xprintf(opts, "%d addresses deleted", ndel);
|
||||
} else if (!strcmp(command, "add")) {
|
||||
b.pfrb_type = PFRB_ADDRS;
|
||||
if (load_addr(&b, argc, argv, file, 0))
|
||||
if (load_addr(&b, argc, argv, file, 0, opts))
|
||||
goto _error;
|
||||
CREATE_TABLE;
|
||||
if (opts & PF_OPT_VERBOSE)
|
||||
|
|
@ -219,7 +219,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
|
|||
opts & PF_OPT_USEDNS);
|
||||
} else if (!strcmp(command, "delete")) {
|
||||
b.pfrb_type = PFRB_ADDRS;
|
||||
if (load_addr(&b, argc, argv, file, 0))
|
||||
if (load_addr(&b, argc, argv, file, 0, opts))
|
||||
goto _error;
|
||||
if (opts & PF_OPT_VERBOSE)
|
||||
flags |= PFR_FLAG_FEEDBACK;
|
||||
|
|
@ -233,7 +233,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
|
|||
opts & PF_OPT_USEDNS);
|
||||
} else if (!strcmp(command, "replace")) {
|
||||
b.pfrb_type = PFRB_ADDRS;
|
||||
if (load_addr(&b, argc, argv, file, 0))
|
||||
if (load_addr(&b, argc, argv, file, 0, opts))
|
||||
goto _error;
|
||||
CREATE_TABLE;
|
||||
if (opts & PF_OPT_VERBOSE)
|
||||
|
|
@ -356,7 +356,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
|
|||
b.pfrb_type = PFRB_ADDRS;
|
||||
b2.pfrb_type = PFRB_ADDRS;
|
||||
|
||||
if (load_addr(&b, argc, argv, file, 1))
|
||||
if (load_addr(&b, argc, argv, file, 1, opts))
|
||||
goto _error;
|
||||
if (opts & PF_OPT_VERBOSE2) {
|
||||
flags |= PFR_FLAG_REPLACE;
|
||||
|
|
@ -383,7 +383,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
|
|||
rv = 2;
|
||||
} else if (!strcmp(command, "zero") && (argc || file != NULL)) {
|
||||
b.pfrb_type = PFRB_ADDRS;
|
||||
if (load_addr(&b, argc, argv, file, 0))
|
||||
if (load_addr(&b, argc, argv, file, 0, opts))
|
||||
goto _error;
|
||||
if (opts & PF_OPT_VERBOSE)
|
||||
flags |= PFR_FLAG_FEEDBACK;
|
||||
|
|
@ -463,15 +463,15 @@ print_tstats(const struct pfr_tstats *ts, int debug)
|
|||
|
||||
int
|
||||
load_addr(struct pfr_buffer *b, int argc, char *argv[], char *file,
|
||||
int nonetwork)
|
||||
int nonetwork, int opts)
|
||||
{
|
||||
while (argc--)
|
||||
if (append_addr(b, *argv++, nonetwork)) {
|
||||
if (append_addr(b, *argv++, nonetwork, opts)) {
|
||||
if (errno)
|
||||
warn("cannot decode %s", argv[-1]);
|
||||
return (-1);
|
||||
}
|
||||
if (pfr_buf_load(b, file, nonetwork, append_addr)) {
|
||||
if (pfr_buf_load(b, file, nonetwork, append_addr, opts)) {
|
||||
warn("cannot load %s", file);
|
||||
return (-1);
|
||||
}
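Review bot: The rewritten definition of `load_addr` (the `int` line followed by `load_addr(struct pfr_buffer *b, ...`) still lacks `static`, while the declaration near the top of the file reads `static int load_addr(...)`; C gives the definition internal linkage from the earlier declaration, but the mismatch is confusing and this commit already touches the signature, so `static int` on the definition would align them. The five `load_addr(&b, argc, argv, file, 0, opts)` / `1, opts` call sites pass `nonetwork` and `opts` as adjacent positional ints, which is easy to get backwards; a one-line comment on the definition, `/* nonetwork: append_addr()'s test flag (simple addresses only); opts: PF_OPT_* flags forwarded to append_addr() */`, helps. The function body continues outside the hunk.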
|
||||
|
|
|
|||