From owner-freebsd-bugs@FreeBSD.ORG  Mon Sep 27 21:20:05 2010
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6A1671065697
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 27 Sep 2010 21:20:05 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 45C5F8FC0C
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 27 Sep 2010 21:20:05 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o8RLK58B061150
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 27 Sep 2010 21:20:05 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o8RLK597061149;
	Mon, 27 Sep 2010 21:20:05 GMT (envelope-from gnats)
Resent-Date: Mon, 27 Sep 2010 21:20:05 GMT
Resent-Message-Id: <201009272120.o8RLK597061149@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Matt Koivisto <mkoivisto@sandvine.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B0306106566C
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 27 Sep 2010 21:13:40 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 9D9DC8FC1C
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 27 Sep 2010 21:13:40 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o8RLDeVO027178
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 27 Sep 2010 21:13:40 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o8RLDexJ027177;
	Mon, 27 Sep 2010 21:13:40 GMT (envelope-from nobody)
Message-Id: <201009272113.o8RLDexJ027177@www.freebsd.org>
Date: Mon, 27 Sep 2010 21:13:40 GMT
From: Matt Koivisto <mkoivisto@sandvine.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: misc/151015: [patch] Add pfctl -P option to not perform service
	name lookup
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 21:20:05 -0000


>Number:         151015
>Category:       misc
>Synopsis:       [patch] Add pfctl -P option to not perform service name lookup
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 27 21:20:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Matt Koivisto
>Release:        8.1
>Organization:
Sandvine
>Environment:
N/A
>Description:
pfctl output uses getservbyport(3) calls to display ports by their service name. Currently, there is no option to disable this lookup and force numeric output.

>How-To-Repeat:
For example,

# pfctl -sr
..
pass in proto udp from any to any port = ssh keep state

>Fix:
See attached patch against RELENG_8_1

Added -P because -n (for numeric along the lines of netstat -n or tcpdump -n) was taken, as was -N and -p.

Patch after example,

# pfctl -sr -P
..
pass in proto udp from any to any port = 22 keep state


Patch attached with submission follows:

--- src/contrib/pf/pfctl/pfctl.c@@\main\RELENG_8\RELENG_8_1\0	2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl.c	2010-09-27 15:00:19.000000000 -0400
@@ -233,11 +233,11 @@
 void
 usage(void)
 {
 	extern char *__progname;
 
-	fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
+	fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] ", __progname);
 	fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
 	fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
 	fprintf(stderr, "[-k host | network ]\n");
 	fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
 	fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
@@ -768,10 +768,11 @@
     char *anchorname, int depth)
 {
 	struct pfioc_rule pr;
 	u_int32_t nr, mnr, header = 0;
 	int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
+	int numeric = opts & PF_OPT_NUMERIC;
 	int len = strlen(path);
 	int brace;
 	char *p;
 
 	if (path[0])
@@ -832,11 +833,11 @@
 			}
 			break;
 		case PFCTL_SHOW_RULES:
 			if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
 				labels = 1;
-			print_rule(&pr.rule, pr.anchor_call, rule_numbers);
+			print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
 			printf("\n");
 			pfctl_print_rule_counters(&pr.rule, opts);
 			break;
 		case PFCTL_SHOW_NOTHING:
 			break;
@@ -892,11 +893,11 @@
 				else
 					p = &pr.anchor_call[0];
 			} else
 				p = &pr.anchor_call[0];
 		
-			print_rule(&pr.rule, p, rule_numbers);
+			print_rule(&pr.rule, p, rule_numbers, numeric);
 			if (brace)
 				printf(" {\n");
 			else
 				printf("\n");
 			pfctl_print_rule_counters(&pr.rule, opts);
@@ -949,11 +950,11 @@
 			if (dotitle) {
 				pfctl_print_title("TRANSLATION RULES:");
 				dotitle = 0;
 			}
 			print_rule(&pr.rule, pr.anchor_call,
-			    opts & PF_OPT_VERBOSE2);
+			    opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
 			printf("\n");
 			pfctl_print_rule_counters(&pr.rule, opts);
 			pfctl_clear_pool(&pr.rule.rpool);
 		}
 	}
@@ -1316,11 +1317,12 @@
 	}
 
 	if (pf->opts & PF_OPT_VERBOSE) {
 		INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
 		print_rule(r, r->anchor ? r->anchor->name : "",
-		    pf->opts & PF_OPT_VERBOSE2);
+		    pf->opts & PF_OPT_VERBOSE2,
+		    pf->opts & PF_OPT_NUMERIC);
 	}
 	path[len] = '\0';
 	pfctl_clear_pool(&r->rpool);
 	return (0);
 }
@@ -1976,11 +1978,11 @@
 
 	if (argc < 2)
 		usage();
 
 	while ((ch = getopt(argc, argv,
-	    "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
+	    "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
 		switch (ch) {
 		case 'a':
 			anchoropt = optarg;
 			break;
 		case 'd':
@@ -2078,10 +2080,13 @@
 			loadopt |= PFCTL_FLAG_OPTION;
 			break;
 		case 'p':
 			pf_device = optarg;
 			break;
+		case 'P':
+			opts |= PF_OPT_NUMERIC;
+			break;
 		case 's':
 			showopt = pfctl_lookup_option(optarg, showopt_list);
 			if (showopt == NULL) {
 				warnx("Unknown show modifier '%s'", optarg);
 				usage();
--- src/contrib/pf/pfctl/pfctl_optimize.c@@\main\RELENG_8\RELENG_8_1\0	2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl_optimize.c	2010-09-27 14:55:08.000000000 -0400
@@ -405,11 +405,11 @@
 #ifdef OPT_DEBUG
 	printf("--- Superblock ---\n");
 	TAILQ_FOREACH(por, &block->sb_rules, por_entry) {
 		printf("  ");
 		print_rule(&por->por_rule, por->por_rule.anchor ?
-		    por->por_rule.anchor->name : "", 1);
+		    por->por_rule.anchor->name : "", 1, 0);
 	}
 #endif /* OPT_DEBUG */
 
 
 	if (remove_identical_rules(pf, block))
--- src/contrib/pf/pfctl/pfctl_parser.c@@\main\RELENG_8\RELENG_8_1\0	2010-01-23 00:32:19.000000000 -0500
+++ src/contrib/pf/pfctl/pfctl_parser.c	2010-09-27 14:54:59.000000000 -0400
@@ -62,15 +62,15 @@
 
 #include "pfctl_parser.h"
 #include "pfctl.h"
 
 void		 print_op (u_int8_t, const char *, const char *);
-void		 print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
+void		 print_port (u_int8_t, u_int16_t, u_int16_t, const char *, int);
 void		 print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
 void		 print_flags (u_int8_t);
 void		 print_fromto(struct pf_rule_addr *, pf_osfp_t,
-		    struct pf_rule_addr *, u_int8_t, u_int8_t, int);
+		    struct pf_rule_addr *, u_int8_t, u_int8_t, int, int);
 int		 ifa_skip_if(const char *filter, struct node_host *p);
 
 struct node_host	*ifa_grouplookup(const char *, int);
 struct node_host	*host_if(const char *, int);
 struct node_host	*host_v4(const char *, int);
@@ -318,16 +318,17 @@
 	else if (op == PF_OP_RRG)
 		printf(" %s:%s", a1, a2);
 }
 
 void
-print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
+print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto, int numeric)
 {
 	char		 a1[6], a2[6];
-	struct servent	*s;
+	struct servent	*s = NULL;
 
-	s = getservbyport(p1, proto);
+	if (!numeric)
+		s = getservbyport(p1, proto);
 	p1 = ntohs(p1);
 	p2 = ntohs(p2);
 	snprintf(a1, sizeof(a1), "%u", p1);
 	snprintf(a2, sizeof(a2), "%u", p2);
 	printf(" port");
@@ -361,11 +362,11 @@
 			printf("%c", tcpflags[i]);
 }
 
 void
 print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
-    sa_family_t af, u_int8_t proto, int verbose)
+    sa_family_t af, u_int8_t proto, int verbose, int numeric)
 {
 	char buf[PF_OSFP_LEN*3];
 	if (src->addr.type == PF_ADDR_ADDRMASK &&
 	    dst->addr.type == PF_ADDR_ADDRMASK &&
 	    PF_AZERO(&src->addr.v.a.addr, AF_INET6) &&
@@ -382,11 +383,12 @@
 			printf("! ");
 		print_addr(&src->addr, af, verbose);
 		if (src->port_op)
 			print_port(src->port_op, src->port[0],
 			    src->port[1],
-			    proto == IPPROTO_TCP ? "tcp" : "udp");
+			    proto == IPPROTO_TCP ? "tcp" : "udp",
+			    numeric);
 		if (osfp != PF_OSFP_ANY)
 			printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf,
 			    sizeof(buf)));
 
 		printf(" to ");
@@ -394,11 +396,12 @@
 			printf("! ");
 		print_addr(&dst->addr, af, verbose);
 		if (dst->port_op)
 			print_port(dst->port_op, dst->port[0],
 			    dst->port[1],
-			    proto == IPPROTO_TCP ? "tcp" : "udp");
+			    proto == IPPROTO_TCP ? "tcp" : "udp",
+			    numeric);
 	}
 }
 
 void
 print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
@@ -671,11 +674,11 @@
 		printf("\n");
 	}
 }
 
 void
-print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
+print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
 {
 	static const char *actiontypes[] = { "pass", "block", "scrub",
 	    "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
 	static const char *anchortypes[] = { "anchor", "anchor", "anchor",
 	    "anchor", "nat-anchor", "nat-anchor", "binat-anchor",
@@ -798,11 +801,11 @@
 			printf(" proto %s", p->p_name);
 		else
 			printf(" proto %u", r->proto);
 	}
 	print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,
-	    verbose);
+	    verbose, numeric);
 	if (r->uid.op)
 		print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",
 		    UID_MAX);
 	if (r->gid.op)
 		print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
--- src/contrib/pf/pfctl/pfctl_parser.h@@\main\RELENG_8\RELENG_8_1\0	2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl_parser.h	2010-09-27 14:55:02.000000000 -0400
@@ -46,10 +46,11 @@
 #define PF_OPT_VERBOSE2		0x0080
 #define PF_OPT_DUMMYACTION	0x0100
 #define PF_OPT_DEBUG		0x0200
 #define PF_OPT_SHOWALL		0x0400
 #define PF_OPT_OPTIMIZE		0x0800
+#define PF_OPT_NUMERIC		0x1000
 #define PF_OPT_MERGE		0x2000
 #define PF_OPT_RECURSE		0x4000
 
 #define PF_TH_ALL		0xFF
 
@@ -233,11 +234,11 @@
 int	parse_flags(char *);
 int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
 
 void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
 void	print_src_node(struct pf_src_node *, int);
-void	print_rule(struct pf_rule *, const char *, int);
+void	print_rule(struct pf_rule *, const char *, int, int);
 void	print_tabledef(const char *, int, int, struct node_tinithead *);
 void	print_status(struct pf_status *, int);
 
 int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
 	    struct node_queue_opt *);
--- src/contrib/pf/pfctl/pfctl.8@@\main\RELENG_8\RELENG_8_1\0	2009-08-03 08:13:06.000000000 -0400
+++ src/contrib/pf/pfctl/pfctl.8	2010-09-27 15:21:14.000000000 -0400
@@ -348,10 +348,13 @@
 without any options will enable
 .Cm basic
 optimizations, and a second
 .Fl o
 will enable profiling.
+.It Fl P
+Do not perform service name lookup for port specific rules,
+instead display the ports numerically.
 .It Fl p Ar device
 Use the device file
 .Ar device
 instead of the default
 .Pa /dev/pf .
@@ -668,10 +671,11 @@
 .Sh SEE ALSO
 .Xr pf 4 ,
 .Xr pf.conf 5 ,
 .Xr pf.os 5 ,
 .Xr rc.conf 5 ,
+.Xr services 5 ,
 .Xr sysctl.conf 5 ,
 .Xr authpf 8 ,
 .Xr ftp-proxy 8 ,
 .Xr rc 8 ,
 .Xr sysctl 8


>Release-Note:
>Audit-Trail:
>Unformatted: