author | Henning Brauer <henning@cvs.openbsd.org> | 2002-11-13 22:44:12 +0000 |
committer | Henning Brauer <henning@cvs.openbsd.org> | 2002-11-13 22:44:12 +0000 |
commit | 36be95e377cc11d2becf189a891f3bcf39ad8385 (patch) | |
tree | 32f8df4627e570f1d9b6ec45e873dd233879af0d | |
parent | 8d08a68ec4b0a2feae84ec156506da48aacde53b (diff) |
as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.
"sneaky diff of the month award" dhartmei@
-rw-r--r-- | sbin/pfctl/parse.y | 30 |
1 files changed, 10 insertions, 20 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index e807f4b3573..ecc9b9c1aca 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.185 2002/11/13 18:24:53 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.186 2002/11/13 22:44:11 henning Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -375,7 +375,7 @@ varset : STRING PORTUNARY string {
 		}
 		;
-scrubrule : SCRUB dir interface fromto nodf minttl maxmss fragcache
+scrubrule : SCRUB dir interface af fromto nodf minttl maxmss fragcache
 		{
 			struct pf_rule r;
@@ -392,30 +392,20 @@ scrubrule : SCRUB dir interface fromto nodf minttl maxmss fragcache
 					yyerror("scrub rules don't support "
 					    "'! <if>'");
 					YYERROR;
-				} else if ($3->next) {
-					yyerror("scrub rules don't support "
-					    "{} expansion");
-					YYERROR;
 				}
-				memcpy(r.ifname, $3->ifname,
-				    sizeof(r.ifname));
-				free($3);
 			}
-			if ($5)
-				r.rule_flag |= PFRULE_NODF;
+			r.af = $4;
 			if ($6)
-				r.min_ttl = $6;
+				r.rule_flag |= PFRULE_NODF;
 			if ($7)
-				r.max_mss = $7;
+				r.min_ttl = $7;
 			if ($8)
-				r.rule_flag |= $8;
-
-			r.nr = pf->rule_nr++;
-			if (rule_consistent(&r) < 0)
-				yyerror("skipping scrub rule due to errors");
-			else
-				pfctl_add_rule(pf, &r);
+			r.max_mss = $8;
+			if ($9)
+				r.rule_flag |= $9;
+			expand_rule(&r, $3, NULL, $5.src.host, $5.src.port,
+			    $5.dst.host, $5.dst.port, NULL, NULL, NULL);
 		}
 		;
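Review bot: With the `$3->next` rejection removed, the `'! <if>'` check that the first context lines of the third hunk belong to still appears to test only the head of the `$3` interface list, so a negated interface later in a `{ ... }` list (constructed example: `{ fxp0, !fxp1 }`) would reach `expand_rule` unchecked; the enclosing `if ($3)` block and its condition start above the hunk, so this is inferred from the visible context. The check should walk the list through `next` and reject every element that carries the negation, or be dropped only if `expand_rule` is confirmed to honour negated interfaces for scrub rules. The dropped `free($3)` and the old `rule_consistent()` / `pfctl_add_rule()` calls now rely on `expand_rule`, which is outside this diff; a comment above the call, `/* expand_rule() consumes $3 and the $5 host/port lists and adds the rule */`, would make the ownership hand-off explicit once verified against expand_rule.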