authorPhilipp Buehler <pb@cvs.openbsd.org>2002-06-07 22:53:46 +0000
committerPhilipp Buehler <pb@cvs.openbsd.org>2002-06-07 22:53:46 +0000
commit8054398cb4c8dbeeb6b0876ca76083a4fbf64b02 (patch)
treeabf3abfbb81546ebb1864fc323d0d041b7d0c0ac
parent0e6e36db1460cfd12df1f2e2a905a6cf620d86c1 (diff)
add the possibility to configure a TTL for return-rst
ok dhartmei@, ipv6 part itojun@ ok
-rw-r--r--sbin/pfctl/parse.y14
-rw-r--r--sbin/pfctl/pfctl_parser.c11
-rw-r--r--share/man/man5/pf.conf.57
-rw-r--r--sys/net/pf.c18
-rw-r--r--sys/net/pfvar.h4
5 files changed, 35 insertions, 19 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c2bd501998a..81cfaa8e36b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.75 2002/06/07 21:25:35 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.76 2002/06/07 22:53:45 pb Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -186,7 +186,7 @@ typedef struct {
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
%token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
-%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM
+%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL
%token <v.string> STRING
%token <v.number> NUMBER
%token <v.i> PORTUNARY PORTBINARY
@@ -243,9 +243,10 @@ pfrule : action dir log quick interface route af proto fromto
memset(&r, 0, sizeof(r));
r.action = $1.b1;
- if ($1.b2)
+ if ($1.b2) {
r.rule_flag |= PFRULE_RETURNRST;
- else
+ r.return_ttl = $1.w;
+ } else
r.return_icmp = $1.w;
r.direction = $2;
r.log = $3;
@@ -312,6 +313,10 @@ action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
blockspec : /* empty */ { $$.b2 = 0; $$.w = 0; }
| RETURNRST { $$.b2 = 1; $$.w = 0;}
+ | RETURNRST '(' TTL NUMBER ')' {
+ $$.w = $4;
+ $$.b2 = 1;
+ }
| RETURNICMP {
$$.b2 = 0;
$$.w = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
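Review bot: The new `RETURNRST '(' TTL NUMBER ')'` alternative stores `$4` with no range check, and the value lands in the `u_int8_t return_ttl` member of `struct pf_rule` through `r.return_ttl = $1.w` in the pfrule action, so `ttl 256` silently becomes 0 (which pf_send_reset then treats as "use the default") and `ttl 300` becomes 44. An out-of-range or negative number should be rejected at parse time rather than truncated; the check below assumes `yyerror` takes a printf-style format as other diagnostics in this parser appear to, so adjust the call if it only accepts a plain string. Because 0 is indistinguishable from "not set", pf.conf.5 should also state that the accepted range is 1-255 and that omitting the option (or giving 0) yields the system default TTL.
```yacc
	| RETURNRST '(' TTL NUMBER ')' {
		if ($4 < 0 || $4 > 255) {
			yyerror("illegal ttl value %d", $4);
			YYERROR;
		}
		$$.w = $4;
		$$.b2 = 1;
	}
```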
@@ -1887,6 +1892,7 @@ lookup(char *s)
{ "scrub", SCRUB},
{ "state", STATE},
{ "to", TO},
+ { "ttl", TTL},
{ "user", USER},
};
const struct keywords *p;
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index e843b6adba2..fab149fb866 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.78 2002/06/07 21:25:35 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.79 2002/06/07 22:53:45 pb Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -535,9 +535,12 @@ print_rule(struct pf_rule *r)
printf("pass ");
else if (r->action == PF_DROP) {
printf("block ");
- if (r->rule_flag & PFRULE_RETURNRST)
- printf("return-rst ");
- else if (r->return_icmp) {
+ if (r->rule_flag & PFRULE_RETURNRST) {
+ if (!r->return_ttl)
+ printf("return-rst ");
+ else
+ printf("return-rst(ttl %d) ", r->return_ttl);
+ } else if (r->return_icmp) {
struct icmpcodeent *ic;
if (r->af != AF_INET6)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 6fe407392bf..2775c145ec4 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.49 2002/06/07 21:25:36 dhartmei Exp $
+.\" $OpenBSD: pf.conf.5,v 1.50 2002/06/07 22:53:45 pb Exp $
.\"
.\" Copyright (c) 2001, Daniel Hartmeier
.\" All rights reserved.
@@ -59,7 +59,7 @@ rule = action ( "in" | "out" )
[ "label" string ] .
action = "pass" | "block" [ return ] | "scrub" .
-return = "return-rst" |
+return = "return-rst" [ "(" "ttl" number ")" ] |
"return-icmp"
[ "(" ( icmp-code-name | icmp-code-number ) ")" ] |
"return-icmp6"
@@ -137,7 +137,8 @@ The packet is passed.
.It Em block
The packet is blocked.
Optionally, the filter can return a TCP RST or ICMP UNREACHABLE packet
-to the sender, where applicable.
+to the sender, where applicable. Returning ICMP packets can have
+an ICMP code set by number or name, TCP RST can have a TTL set.
.It Em scrub
The packet is run through normalization/defragmentation.
Scrub rules are not considered last matching rules.
diff --git a/sys/net/pf.c b/sys/net/pf.c
index fb387b1c790..5600ecf8000 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.218 2002/06/07 21:46:08 jasoni Exp $ */
+/* $OpenBSD: pf.c,v 1.219 2002/06/07 22:53:37 pb Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -205,7 +205,7 @@ void pf_change_icmp(struct pf_addr *, u_int16_t *,
u_int16_t *, u_int16_t *, u_int16_t *,
u_int16_t *, u_int8_t, int);
void pf_send_reset(int, struct tcphdr *,
- struct pf_pdesc *, int);
+ struct pf_pdesc *, int, u_int8_t);
void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, int);
u_int16_t pf_map_port_range(struct pf_rdr *, u_int16_t);
struct pf_nat *pf_get_nat(struct ifnet *, u_int8_t,
@@ -2492,7 +2492,8 @@ pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
}
void
-pf_send_reset(int off, struct tcphdr *th, struct pf_pdesc *pd, int af)
+pf_send_reset(int off, struct tcphdr *th, struct pf_pdesc *pd, int af,
+ u_int8_t return_ttl)
{
struct mbuf *m;
struct m_tag *mtag;
@@ -2591,7 +2592,9 @@ pf_send_reset(int off, struct tcphdr *th, struct pf_pdesc *pd, int af)
/* Finish the IP header */
h2->ip_v = 4;
h2->ip_hl = sizeof(*h2) >> 2;
- h2->ip_ttl = ip_defttl;
+ if (!return_ttl)
+ return_ttl = ip_defttl;
+ h2->ip_ttl = return_ttl;
h2->ip_sum = 0;
h2->ip_len = len;
h2->ip_off = ip_mtudisc ? IP_DF : 0;
@@ -2605,7 +2608,9 @@ pf_send_reset(int off, struct tcphdr *th, struct pf_pdesc *pd, int af)
sizeof(struct ip6_hdr), sizeof(*th));
h2_6->ip6_vfc |= IPV6_VERSION;
- h2_6->ip6_hlim = 128;
+ if (!return_ttl)
+ return_ttl = IPV6_DEFHLIM;
+ h2_6->ip6_hlim = return_ttl;
ip6_output(m, NULL, NULL, 0, NULL, NULL);
#endif /* INET6 */
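Review bot: The IPv6 branch changes the default hop limit of the generated RST from the previous hard-coded 128 to `IPV6_DEFHLIM` whenever no `ttl` is configured, a behaviour change the commit message does not mention (IPV6_DEFHLIM is a compile-time constant, 64 in netinet6/ip6.h if I read the tree correctly — worth confirming). It is also asymmetric with the IPv4 branch just above, which falls back to the runtime tunable `ip_defttl`; if this tree exposes `ip6_defhlim` (the net.inet6.ip6.hlim sysctl), `if (!return_ttl) return_ttl = ip6_defhlim;` would let both families honour the administrator's sysctl the same way. In either case a short comment above the fallback, `/* return_ttl == 0 means: use the system default hop limit */`, would make the sentinel explicit for the next reader. pf_send_reset begins outside this hunk.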
@@ -3151,7 +3156,8 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
rewrite++;
}
if ((*rm)->rule_flag & PFRULE_RETURNRST)
- pf_send_reset(off, th, pd, af);
+ pf_send_reset(off, th, pd, af,
+ (*rm)->return_ttl);
else
pf_send_icmp(m, (*rm)->return_icmp >> 8,
(*rm)->return_icmp & 255, af);
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 9222f40c498..7fe4bd1e108 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.75 2002/06/07 21:25:35 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.76 2002/06/07 22:53:37 pb Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -269,11 +269,11 @@ struct pf_rule {
u_int8_t flags;
u_int8_t flagset;
-
u_int8_t rule_flag;
u_int8_t min_ttl;
u_int8_t allow_opts;
u_int8_t rt;
+ u_int8_t return_ttl;
};
#define PFRULE_RETURNRST 0x01