Currently 'pfctl -a "*" -sr' recursively walks the anchor tree and shows
authorsashan <sashan@openbsd.org>
Mon, 15 Jan 2024 07:23:32 +0000 (07:23 +0000)
committersashan <sashan@openbsd.org>
Mon, 15 Jan 2024 07:23:32 +0000 (07:23 +0000)
rules found in every anchor. This commit introduces the same behavior
for tables. Command 'pfctl -a "*" -sT' prints all tables attached to
every anchor loaded to pf(4).

Inconsistency has been noticed by Klemens (kn@).

OK @bluhm, OK @kn

sbin/pfctl/pfctl.c
sbin/pfctl/pfctl_parser.h
sbin/pfctl/pfctl_table.c

index f4ff345..ece39d2 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl.c,v 1.392 2023/10/26 16:26:01 deraadt Exp $ */
+/*     $OpenBSD: pfctl.c,v 1.393 2024/01/15 07:23:32 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -118,6 +118,7 @@ int pfctl_recurse(int, int, const char *,
 int    pfctl_call_clearrules(int, int, struct pfr_anchoritem *);
 int    pfctl_call_cleartables(int, int, struct pfr_anchoritem *);
 int    pfctl_call_clearanchors(int, int, struct pfr_anchoritem *);
+int    pfctl_call_showtables(int, int, struct pfr_anchoritem *);
 
 const char     *clearopt;
 char           *rulesopt;
@@ -2300,6 +2301,13 @@ pfctl_call_clearrules(int dev, int opts, struct pfr_anchoritem *pfra)
        return (pfctl_clear_rules(dev, opts, pfra->pfra_anchorname));
 }
 
+int
+pfctl_call_showtables(int dev, int opts, struct pfr_anchoritem *pfra)
+{
+       pfctl_show_tables(pfra->pfra_anchorname, opts);
+       return (0);
+}
+
 int
 pfctl_call_clearanchors(int dev, int opts, struct pfr_anchoritem *pfra)
 {
@@ -2325,10 +2333,12 @@ pfctl_recurse(int dev, int opts, const char *anchorname,
         * so that failures on one anchor do not prevent clearing others.
         */
        opts |= PF_OPT_IGNFAIL;
-       printf("Removing:\n");
+       if ((opts & PF_OPT_CALLSHOW) == 0)
+               printf("Removing:\n");
        SLIST_FOREACH_SAFE(pfra, anchors, pfra_sle, pfra_save) {
-               printf("  %s\n", (*pfra->pfra_anchorname == '\0') ?
-                   "/" : pfra->pfra_anchorname);
+               if ((opts & PF_OPT_CALLSHOW) == 0)
+                       printf("  %s\n", (*pfra->pfra_anchorname == '\0') ?
+                           "/" : pfra->pfra_anchorname);
                rv |= walkf(dev, opts, pfra);
                SLIST_REMOVE(anchors, pfra, pfr_anchoritem, pfra_sle);
                free(pfra->pfra_anchorname);
@@ -2747,7 +2757,12 @@ main(int argc, char *argv[])
                        pfctl_show_fingerprints(opts);
                        break;
                case 'T':
-                       pfctl_show_tables(anchorname, opts);
+                       if (opts & PF_OPT_RECURSE) {
+                               opts |= PF_OPT_CALLSHOW;
+                               pfctl_recurse(dev, opts, anchorname,
+                                   pfctl_call_showtables);
+                       } else
+                               pfctl_show_tables(anchorname, opts);
                        break;
                case 'o':
                        pfctl_load_fingerprints(dev, opts);
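Review bot: `pfctl_call_showtables` discards whatever `pfctl_show_tables` reports and always returns 0, so the `rv |= walkf(dev, opts, pfra)` accumulation in `pfctl_recurse` can never observe a failure to list one anchor's tables; if `pfctl_show_tables` returns a status (its declaration is not visible here), forward it instead: `return (pfctl_show_tables(pfra->pfra_anchorname, opts));`. The comment just above `opts |= PF_OPT_IGNFAIL` in `pfctl_recurse` ("so that failures on one anchor do not prevent clearing others") now also describes the show path selected by `PF_OPT_CALLSHOW`, so reword it to "prevent clearing or showing others". In `main`, `opts |= PF_OPT_CALLSHOW` outlives the `'T'` case; that is harmless as long as the flag is only consulted inside `pfctl_recurse`, but passing `opts | PF_OPT_CALLSHOW` as the argument would keep it local to the call. Both `pfctl_recurse` and `main` start and end outside the hunks shown.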
index 01a61a4..146580d 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl_parser.h,v 1.118 2021/10/25 14:50:29 sashan Exp $ */
+/*     $OpenBSD: pfctl_parser.h,v 1.119 2024/01/15 07:23:32 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -52,6 +52,7 @@
 #define PF_OPT_RECURSE         0x04000
 #define PF_OPT_PORTNAMES       0x08000
 #define PF_OPT_IGNFAIL         0x10000
+#define PF_OPT_CALLSHOW                0x20000
 
 #define PF_TH_ALL              0xFF
 
index d041b15..ba21402 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl_table.c,v 1.86 2023/10/26 16:26:01 deraadt Exp $ */
+/*     $OpenBSD: pfctl_table.c,v 1.87 2024/01/15 07:23:32 sashan Exp $ */
 
 /*
  * Copyright (c) 2002 Cedric Berger
@@ -369,21 +369,21 @@ print_table(struct pfr_table *ta, int verbose, int debug)
 {
        if (!debug && !(ta->pfrt_flags & PFR_TFLAG_ACTIVE))
                return;
-       if (verbose) {
-               printf("%c%c%c%c%c%c%c\t%s",
+       if (verbose)
+               printf("%c%c%c%c%c%c%c\t",
                    (ta->pfrt_flags & PFR_TFLAG_CONST) ? 'c' : '-',
                    (ta->pfrt_flags & PFR_TFLAG_PERSIST) ? 'p' : '-',
                    (ta->pfrt_flags & PFR_TFLAG_ACTIVE) ? 'a' : '-',
                    (ta->pfrt_flags & PFR_TFLAG_INACTIVE) ? 'i' : '-',
                    (ta->pfrt_flags & PFR_TFLAG_REFERENCED) ? 'r' : '-',
                    (ta->pfrt_flags & PFR_TFLAG_REFDANCHOR) ? 'h' : '-',
-                   (ta->pfrt_flags & PFR_TFLAG_COUNTERS) ? 'C' : '-',
-                   ta->pfrt_name);
-               if (ta->pfrt_anchor[0])
-                       printf("\t%s", ta->pfrt_anchor);
-               puts("");
-       } else
-               puts(ta->pfrt_name);
+                   (ta->pfrt_flags & PFR_TFLAG_COUNTERS) ? 'C' : '-');
+
+       printf("%s", ta->pfrt_name);
+       if (ta->pfrt_anchor[0] != '\0')
+               printf("@%s", ta->pfrt_anchor);
+
+       printf("\n");
 }
 
 void
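Review bot: The non-verbose output of `print_table` changes: the old `puts(ta->pfrt_name)` printed only the table name, while the new code appends `@anchor` whenever `pfrt_anchor` is non-empty, and the verbose branch switches from a tab-separated anchor column to the same `@` suffix. Both are user-visible format changes for anything parsing `pfctl -sT` output, and neither is mentioned in the commit message; presumably the kernel also fills `pfrt_anchor` for a non-recursive `-a anchor -sT` query, in which case that invocation now prints `name@anchor` too, which is worth confirming and stating in the message or pfctl(8). A one-line comment above `printf("%s", ta->pfrt_name);` such as `/* tables that live in an anchor print as name@anchor */` would document the chosen form. The `puts("")` to `printf("\n")` swap is behaviourally neutral.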