pfctl prints keep state timeout options incorrectly



This was found by Alexey E. Suslikov, try

  $ echo "pass keep state (udp.single 10)" | pfctl -nvf -
  pass all keep state (udp.first 10)

note "udp.first" vs. "udp.single"

The reason for this is that pfctl_parser.c's pf_timeouts[] does not
match the order of PFTM_* timeouts in pfvar.h after the sixth element.

The parser will actually load the right timeout, but prints loaded
timeouts incorrectly.

We can either sync the order and keep it sync'd whenever we change it,
like when adding PFTM_TS_DIFF, or just add a little loop that searches
for the entry instead of assuming that they are ordered at all.

Ok?

Daniel


Index: pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.206
diff -u -r1.206 pfctl_parser.c
--- pfctl_parser.c	30 Sep 2004 16:38:01 -0000	1.206
+++ pfctl_parser.c	9 Nov 2004 10:55:25 -0000
@@ -856,11 +856,17 @@
 		}
 		for (i = 0; i < PFTM_MAX; ++i)
 			if (r->timeout[i]) {
+				int j;
+
 				if (!opts)
 					printf(", ");
 				opts = 0;
-				printf("%s %u", pf_timeouts[i].name,
-				    r->timeout[i]);
+				for (j = 0; j < sizeof(pf_timeouts) /
+				    sizeof(pf_timeouts[0]); ++j)
+					if (pf_timeouts[j].timeout == i)
+						break;
+				printf("%s %u", j == PFTM_MAX ?  "inv.timeout" :
+				    pf_timeouts[j].name, r->timeout[i]);
 			}
 		printf(")");
 	}
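
Review bot: the not-found test in the new printf, `j == PFTM_MAX`, does not use the same bound as the search loop, which stops at `sizeof(pf_timeouts) / sizeof(pf_timeouts[0])`. When no entry matches, j ends at the array's element count; unless that count happens to equal PFTM_MAX, the test is false and `pf_timeouts[j].name` is read one element past the end of the table, so the "inv.timeout" fallback never triggers. Compare j against the same element count in both places, preferably computed once into a local or a macro. Separately, j is declared `int` while the loop bound is a `size_t` expression, so the comparison mixes signed and unsigned; an unsigned type for j avoids that.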