authorCedric Berger <cedric@cvs.openbsd.org>2004-04-14 11:16:44 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2004-04-14 11:16:44 +0000
commit8373b3a382e06eb9bed6167f7d23496d06246d6f (patch)
treedde169258fc83befb510ca358950616c3484ebc4
parenta1ecda1672af16d2de2846e2b6ebc4e14f5fcca4 (diff)
make antispoof work with dynamic addresses. ok dhartmei@ mcbride@
-rw-r--r--sbin/pfctl/parse.y51
-rw-r--r--sbin/pfctl/pfctl_parser.h3
2 files changed, 44 insertions, 10 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index bcfd8a3dc95..22cbd50fa4d 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.449 2004/03/20 23:20:20 david Exp $ */
+/* $OpenBSD: parse.y,v 1.450 2004/04/14 11:16:42 cedric Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -433,7 +433,7 @@ typedef struct {
%type <v.keep_state> keep
%type <v.state_opt> state_opt_spec state_opt_list state_opt_item
%type <v.logquick> logquick
-%type <v.interface> antispoof_ifspc antispoof_iflst
+%type <v.interface> antispoof_ifspc antispoof_iflst antispoof_if
%type <v.qassign> qname
%type <v.queue> qassign qassign_list qassign_item
%type <v.queue_options> scheduler
@@ -883,7 +883,7 @@ fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ }
antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
struct pf_rule r;
- struct node_host *h = NULL;
+ struct node_host *h = NULL, *hh;
struct node_if *i, *j;
if (check_rulestate(PFCTL_STATE_FILTER))
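Review bot: `hh` is left uninitialized in the new declaration `struct node_host *h = NULL, *hh;` while its sibling `h` gets an explicit NULL. Both assignments to `hh` in the later hunk appear to sit inside the per-interface loop, so each iteration sets it before the `if (hh != NULL)` test, but a NULL initializer costs nothing and keeps the pair consistent if the loop body is ever reordered: `struct node_host *h = NULL, *hh = NULL;`. The rule action this declaration belongs to continues well past the end of the hunk.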
@@ -909,7 +909,29 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
YYERROR;
}
j->not = 1;
- h = ifa_lookup(j->ifname, PFI_AFLAG_NETWORK);
+ if (i->dynamic) {
+ h = calloc(1, sizeof(*h));
+ if (h == NULL)
+ err(1, "address: calloc");
+ h->addr.type = PF_ADDR_DYNIFTL;
+ set_ipmask(h, 128);
+ if (strlcpy(h->addr.v.ifname, i->ifname,
+ sizeof(h->addr.v.ifname)) >=
+ sizeof(h->addr.v.ifname)) {
+ yyerror(
+ "interface name too long");
+ YYERROR;
+ }
+ hh = malloc(sizeof(*hh));
+ if (hh == NULL)
+ err(1, "address: malloc");
+ bcopy(h, hh, sizeof(*hh));
+ h->addr.iflags = PFI_AFLAG_NETWORK;
+ } else {
+ h = ifa_lookup(j->ifname,
+ PFI_AFLAG_NETWORK);
+ hh = NULL;
+ }
if (h != NULL)
expand_rule(&r, j, NULL, NULL, NULL, h,
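Review bot: The `"interface name too long"` path after the new `strlcpy` into `h->addr.v.ifname` reaches `YYERROR` with the freshly calloc'd `h` (and `j`) still allocated. The context lines just above the hunk (`YYERROR; }` before `j->not = 1;`) look like the tail of an equivalent length check on `j->ifname`, and since both targets are `IFNAMSIZ` buffers fed from `i->ifname` the second test is presumably unreachable once the first passed; if it is kept, `free(h); free(j);` before `YYERROR;` keeps the error path leak-free. The ordering of `bcopy(h, hh, sizeof(*hh));` before `h->addr.iflags = PFI_AFLAG_NETWORK;` is deliberate but easy to break in a later edit; a comment such as `/* hh: copy of h without PFI_AFLAG_NETWORK, stands in for ifa_lookup(i->ifname, 0) in the second rule */` would record why the copy is taken there. The enclosing loop starts and ends outside the hunk.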
@@ -925,29 +947,40 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
r.af = $4;
if (rule_label(&r, $5.label))
YYERROR;
- h = ifa_lookup(i->ifname, 0);
+ if (hh != NULL)
+ h = hh;
+ else
+ h = ifa_lookup(i->ifname, 0);
if (h != NULL)
expand_rule(&r, NULL, NULL,
NULL, NULL, h, NULL, NULL,
NULL, NULL, NULL, NULL);
- }
+ } else
+ free(hh);
}
free($5.label);
}
;
-antispoof_ifspc : FOR if_item { $$ = $2; }
+antispoof_ifspc : FOR antispoof_if { $$ = $2; }
| FOR '{' antispoof_iflst '}' { $$ = $3; }
;
-antispoof_iflst : if_item { $$ = $1; }
- | antispoof_iflst comma if_item {
+antispoof_iflst : antispoof_if { $$ = $1; }
+ | antispoof_iflst comma antispoof_if {
$1->tail->next = $3;
$1->tail = $3;
$$ = $1;
}
;
+antispoof_if : if_item { $$ = $1; }
+ | '(' if_item ')' {
+ $2->dynamic = 1;
+ $$ = $2;
+ }
+ ;
+
antispoof_opts : { bzero(&antispoof_opts, sizeof antispoof_opts); }
antispoof_opts_l
{ $$ = antispoof_opts; }
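Review bot: In the second-rule block `hh` is now either passed on via `h = hh;` or released by the new `} else free(hh);`, but the `YYERROR` taken when `rule_label(&r, $5.label)` fails sits between the allocation and both of those and leaves a non-NULL `hh` unreleased; `if (rule_label(&r, $5.label)) { free(hh); YYERROR; }` closes that path. Whether `expand_rule` takes ownership of the host list it is given cannot be seen from the hunk, so the `free(hh)` in the else branch relies on that contract holding for the `h = hh` case as well. The `if` that the new `} else free(hh);` completes begins outside the hunk.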
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 125201f4f4c..52de11f5b3d 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.74 2004/02/10 22:26:56 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.75 2004/04/14 11:16:43 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -77,6 +77,7 @@ struct pfctl {
struct node_if {
char ifname[IFNAMSIZ];
u_int8_t not;
+ u_int8_t dynamic; /* antispoof */
u_int ifa_flags;
struct node_if *next;
struct node_if *tail;