From nobody Tue May 28 20:31:27 2024
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Vpkgg6RrPz5L6B3;
	Tue, 28 May 2024 20:31:27 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Vpkgg31h4z4jtc;
	Tue, 28 May 2024 20:31:27 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1716928287;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=HL8MHkv1Kkg6JmA+XnaxJCBXd9bCpykWt3jlj16qAcU=;
	b=cJG/cLv8c3UwvxEsyw6biC0eTbArLqpnw5QRNw8n4YxMgFOS2RlW30vYkShQu3g2nJbW7M
	+H1EJ6vC/S6gTNUyfvG1xQb9j8nIoKbMIkoeKj+CK944RdVqAcwZgL1k8u9FEVdJSLGoZQ
	dRpNyzSszZr3Gh3/eQeWg6lU1/mJ88l/y7bYIV1B2Loibs1lXN7jmECaCi0PyDFGnKi24P
	aH2Pd7h0HBUBRfxysQ+aaj+Xsz1zrsFlwyCaF+CvkTJxJg8jUz9tMgjow0gmG9N3LZp37c
	vQBMk0BvomNGwAQoQSe8p1OK/xSwn8sMkaMXIA3TUfBsA15oPXidW+eoLDgRIA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1716928287; a=rsa-sha256; cv=none;
	b=owVTDwFWXmcV7GtRBBP6xISoH8QEq3XOCuzVdLjkndjCad+6NbB4hP4Wj30DHbhGttcYtC
	+6MtcaO1dPc9WcNuPwmEy4Hd+O5ixaOJXw1M3ZOruyJtkIK2uVS63efx/JYvi9TQLXhcDj
	0mwSdrDGIWN+9gToC8x6B952is3ROmrQhCyZ4J8YE+JdzTKekbcjAkG4Ajhor9Dx/8tHRH
	s7pVKZmrT128iuCbRSXvvmkXguSYvqjjBs1DEkr3eikJbwq54lWBGnDiUP8mSr1mnniKBH
	FHxrAkd798+RsYdLIgGnHV+TcNAg3tWteR9KbA9e/GXJolRn9h1DmzMZg1zO5g==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1716928287;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=HL8MHkv1Kkg6JmA+XnaxJCBXd9bCpykWt3jlj16qAcU=;
	b=g+jDyQ/qr4y89cJ2LKiifcFOhjAK07C13VqSQySgWMzOlbX2BHxrbPMGQLSd1F2LssyLfu
	TGXfqyPyAkc+zhiK2bkEVofIclLaehwuecW4HyeQbEhurwWhiJcOWDJ/ADoF50lVT5quOL
	7+xg4Uy/6zzxE7+Gbt+3Ud/Dqq8lv0Czx8hXiEi3LZe942d5fnj6UBcQ9dzKEuUoFd91dt
	QOYR2DyxWCUSKNDi0b6r2A0dNRHLYjxd/RXIIycznkN4ex6VBuyzK08hwFdrTy5uQqddl3
	icMB8qHZSoBthd3GtYiHN6Hw0C62vIRRnifohfTxfFG6krMnqfdgSFxvGfcn2A==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Vpkgg2cxQzRRw;
	Tue, 28 May 2024 20:31:27 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 44SKVRlH068189;
	Tue, 28 May 2024 20:31:27 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 44SKVR2H068186;
	Tue, 28 May 2024 20:31:27 GMT
	(envelope-from git)
Date: Tue, 28 May 2024 20:31:27 GMT
Message-Id: <202405282031.44SKVR2H068186@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: 8ddd0359bca5 - main - pfctl: fix recursive printing
  of nat anchors
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8ddd0359bca5c5fc38189000a80a3180854a8a2e
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=8ddd0359bca5c5fc38189000a80a3180854a8a2e

commit 8ddd0359bca5c5fc38189000a80a3180854a8a2e
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-05-28 14:26:28 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-05-28 20:29:28 +0000

    pfctl: fix recursive printing of nat anchors
    
    Similar to the preceding fix for rules, ensure that we
    recursively list wildcard anchors for nat rules.
    
    MFC after:      3 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.c | 103 +++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 72 insertions(+), 31 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index c89981075ea6..c43d9e88dcbe 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -98,7 +98,7 @@ void	 pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int);
 void	 pfctl_print_rule_counters(struct pfctl_rule *, int);
 int	 pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, int, int);
 int	 pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int, int);
-int	 pfctl_show_nat(int, char *, int, char *, int);
+int	 pfctl_show_nat(int, char *, int, char *, int, int);
 int	 pfctl_show_src_nodes(int, int);
 int	 pfctl_show_states(int, const char *, int);
 int	 pfctl_show_status(int, int);
@@ -1417,7 +1417,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
 }
 
 int
-pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
+pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth,
+    int wildcard)
 {
 	struct pfctl_rules_info ri;
 	struct pfctl_rule rule;
@@ -1425,14 +1426,65 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
 	u_int32_t nr;
 	static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
 	int i, dotitle = opts & PF_OPT_SHOWALL;
-	int brace, ret;
+	int ret;
 	int len = strlen(path);
-	char *p;
+	char *npath, *p;
 
-	if (path[0])
-		snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
-	else
-		snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
+	/*
+	 * Truncate a trailing / and * on an anchorname before searching for
+	 * the ruleset, this is syntactic sugar that doesn't actually make it
+	 * to the kernel.
+	 */
+	if ((p = strrchr(anchorname, '/')) != NULL &&
+	    p[1] == '*' && p[2] == '\0') {
+		p[0] = '\0';
+	}
+
+	if (anchorname[0] == '/') {
+		if ((npath = calloc(1, MAXPATHLEN)) == NULL)
+			errx(1, "pfctl_rules: calloc");
+		snprintf(npath, MAXPATHLEN, "%s", anchorname);
+	} else {
+		if (path[0])
+			snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
+		else
+			snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
+		npath = path;
+	}
+
+	/*
+	 * If this anchor was called with a wildcard path, go through
+	 * the rulesets in the anchor rather than the rules.
+	 */
+	if (wildcard && (opts & PF_OPT_RECURSE)) {
+		struct pfioc_ruleset     prs;
+		u_int32_t                mnr, nr;
+		memset(&prs, 0, sizeof(prs));
+		memcpy(prs.path, npath, sizeof(prs.path));
+		if (ioctl(dev, DIOCGETRULESETS, &prs)) {
+			if (errno == EINVAL)
+				fprintf(stderr, "NAT anchor '%s' "
+				    "not found.\n", anchorname);
+			else
+				err(1, "DIOCGETRULESETS");
+		}
+		mnr = prs.nr;
+
+		pfctl_print_rule_counters(&rule, opts);
+		for (nr = 0; nr < mnr; ++nr) {
+			prs.nr = nr;
+			if (ioctl(dev, DIOCGETRULESET, &prs))
+				err(1, "DIOCGETRULESET");
+			INDENT(depth, !(opts & PF_OPT_VERBOSE));
+			printf("nat-anchor \"%s\" all {\n", prs.name);
+			pfctl_show_nat(dev, npath, opts,
+			    prs.name, depth + 1, 0);
+			INDENT(depth, !(opts & PF_OPT_VERBOSE));
+			printf("}\n");
+		}
+		path[len] = '\0';
+		return (0);
+	}
 
 	for (i = 0; i < 3; i++) {
 		ret = pfctl_get_rules_info_h(pfh, &ri, nattype[i], path);
@@ -1441,7 +1493,6 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
 			return (-1);
 		}
 		for (nr = 0; nr < ri.nr; ++nr) {
-			brace = 0;
 			INDENT(depth, !(opts & PF_OPT_VERBOSE));
 
 			if (pfctl_get_rule_h(pfh, nr, ri.ticket, path,
@@ -1453,35 +1504,25 @@ pfctl_show_nat(int dev, char *path, int opts, char *anchorname, int depth)
 			    ri.ticket, nattype[i], path) != 0)
 				return (-1);
 
-			if (anchor_call[0] &&
-			   ((((p = strrchr(anchor_call, '_')) != NULL) &&
-			   (p == anchor_call ||
-			   *(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
-				brace++;
-				if ((p = strrchr(anchor_call, '/')) !=
-				    NULL)
-					p++;
-				else
-					p = &anchor_call[0];
-			} else
-				p = &anchor_call[0];
-
 			if (dotitle) {
 				pfctl_print_title("TRANSLATION RULES:");
 				dotitle = 0;
 			}
 			print_rule(&rule, anchor_call,
 			    opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
-			if (brace)
+			if (anchor_call[0] &&
+			    (((p = strrchr(anchor_call, '/')) ?
+			      p[1] == '_' : anchor_call[0] == '_') ||
+			     opts & PF_OPT_RECURSE)) {
 				printf(" {\n");
-			else
-				printf("\n");
-			pfctl_print_rule_counters(&rule, opts);
-			pfctl_clear_pool(&rule.rpool);
-			if (brace) {
-				pfctl_show_nat(dev, path, opts, p, depth + 1);
+				pfctl_print_rule_counters(&rule, opts);
+				pfctl_show_nat(dev, npath, opts, anchor_call,
+				    depth + 1, rule.anchor_wildcard);
 				INDENT(depth, !(opts & PF_OPT_VERBOSE));
 				printf("}\n");
+			} else {
+				printf("\n");
+				pfctl_print_rule_counters(&rule, opts);
 			}
 		}
 	}
@@ -3101,7 +3142,7 @@ main(int argc, char *argv[])
 			break;
 		case 'n':
 			pfctl_load_fingerprints(dev, opts);
-			pfctl_show_nat(dev, path, opts, anchorname, 0);
+			pfctl_show_nat(dev, path, opts, anchorname, 0, 0);
 			break;
 		case 'q':
 			pfctl_show_altq(dev, ifaceopt, opts,
@@ -3136,7 +3177,7 @@ main(int argc, char *argv[])
 			pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0,
 			    0);
 
-			pfctl_show_nat(dev, path, opts, anchorname, 0);
+			pfctl_show_nat(dev, path, opts, anchorname, 0, 0);
 			pfctl_show_rules(dev, path, opts, 0, anchorname, 0, 0);
 			pfctl_show_altq(dev, ifaceopt, opts, 0);
 			pfctl_show_states(dev, ifaceopt, opts);