author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2007-10-13 21:49:16 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2007-10-13 21:49:16 +0000 |
commit | 110e2c41f56a076fd14a0b7979920d49d31188d1 (patch) | |
tree | 7b3e0f07a9c29bfef49c2acdf14e3bb5e58fce18 | |
parent | e5c6c2d4a510c74c64e850422c7439b8a24ddb5a (diff) |
support an include directive; file of course must also be "secure" like
the main configuration file; ok henning
-rw-r--r-- | sbin/pfctl/parse.y | 23 | ||||
-rw-r--r-- | share/man/man5/pf.conf.5 | 15 |
2 files changed, 33 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 652f83aba93..9abf4c5e280 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.527 2007/10/13 16:35:18 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.528 2007/10/13 21:49:13 deraadt Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -340,7 +340,7 @@ struct loadanchors {
 typedef struct {
 union {
- int64_t number;
+ int64_t number;
 int i;
 char *string;
 u_int rtableid;
@@ -423,7 +423,7 @@ typedef struct {
 %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
 %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
 %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
-%token ANTISPOOF FOR
+%token ANTISPOOF FOR INCLUDE
 %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY
 %token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
 %token QUEUE PRIORITY QLIMIT RTABLE
@@ -483,6 +483,7 @@ typedef struct {
 %%
 ruleset : /* empty */
+ | ruleset include '\n'
 | ruleset '\n'
 | ruleset option '\n'
 | ruleset scrubrule '\n'
@@ -500,6 +501,21 @@ ruleset : /* empty */
 | ruleset error '\n' { file->errors++; }
 ;
+include : INCLUDE STRING {
+ struct file *nfile;
+
+ if ((nfile = pushfile($2, 1)) == NULL) {
+ yyerror("failed to include file %s", $2);
+ free($2);
+ YYERROR;
+ }
+ free($2);
+
+ file = nfile;
+ lungetc('\n');
+ }
+ ;
+
 /*
 * apply to previouslys specified rule: must be careful to note
 * what that is: pf or nat or binat or rdr
@@ -5060,6 +5076,7 @@ lookup(char *s)
 { "icmp6-type", ICMP6TYPE},
 { "if-bound", IFBOUND},
 { "in", IN},
+ { "include", INCLUDE},
 { "inet", INET},
 { "inet6", INET6},
 { "keep", KEEP},
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 18d73b36a08..1bc8afff8d8 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
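Review bot: Nothing in the new `include` action bounds include nesting, so a configuration that includes itself, directly or through a cycle, keeps calling pushfile() until it fails for some unrelated reason, presumably descriptor exhaustion, and the administrator only sees `failed to include file`. A guard at the top of the action such as `if (include_depth >= MAX_INCLUDE_DEPTH) { yyerror("include nesting too deep"); free($2); YYERROR; }`, with the counter raised in pushfile() and lowered in popfile() (both outside this hunk), would turn the cycle into a clear parse error instead. The second argument `1` to pushfile() presumably requests the same ownership and permission check as the main pf.conf, which matches the commit message, but the companion pf.conf.5 hunk says nothing about it; a sentence such as `Included files are subject to the same ownership and permission checks as the main configuration file.` after the example would tell administrators why a group- or world-readable include is rejected. Whether pushfile() actually performs that check, and whether a relative path is resolved against the working directory of pfctl rather than the including file, cannot be confirmed from this diff and is worth stating in the manual once verified.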
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.386 2007/09/30 20:12:22 henning Exp $
+.\" $OpenBSD: pf.conf.5,v 1.387 2007/10/13 21:49:15 deraadt Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 30 2007 $
+.Dd $Mdocdate: October 13 2007 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -78,6 +78,17 @@ By default
 enforces this order (see
 .Ar set require-order
 below).
+.Pp
+Comments can be put anywhere in the file using a hash mark
+.Pq Sq # ,
+and extend to the end of the current line.
+.Pp
+Additional configuration files can be included with the
+.Ic include
+keyword, for example:
+.Bd -literal -offset indent
+include "/etc/pf/sub.filter.conf"
+.Ed
 .Sh MACROS
 Macros can be defined that will later be expanded in context.
 Macro names must start with a letter, and may contain letters, digits |