diff options
author | Cedric Berger <cedric@cvs.openbsd.org> | 2004-04-14 11:16:44 +0000 |
---|---|---|
committer | Cedric Berger <cedric@cvs.openbsd.org> | 2004-04-14 11:16:44 +0000 |
commit | 8373b3a382e06eb9bed6167f7d23496d06246d6f (patch) | |
tree | dde169258fc83befb510ca358950616c3484ebc4 | |
parent | a1ecda1672af16d2de2846e2b6ebc4e14f5fcca4 (diff) |
make antispoof work with dynamic addresses. ok dhartmei@ mcbride@
-rw-r--r-- | sbin/pfctl/parse.y | 51 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 3 |
2 files changed, 44 insertions, 10 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index bcfd8a3dc95..22cbd50fa4d 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.449 2004/03/20 23:20:20 david Exp $ */ +/* $OpenBSD: parse.y,v 1.450 2004/04/14 11:16:42 cedric Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -433,7 +433,7 @@ typedef struct { %type <v.keep_state> keep %type <v.state_opt> state_opt_spec state_opt_list state_opt_item %type <v.logquick> logquick -%type <v.interface> antispoof_ifspc antispoof_iflst +%type <v.interface> antispoof_ifspc antispoof_iflst antispoof_if %type <v.qassign> qname %type <v.queue> qassign qassign_list qassign_item %type <v.queue_options> scheduler @@ -883,7 +883,7 @@ fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { struct pf_rule r; - struct node_host *h = NULL; + struct node_host *h = NULL, *hh; struct node_if *i, *j; if (check_rulestate(PFCTL_STATE_FILTER)) @@ -909,7 +909,29 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { YYERROR; } j->not = 1; - h = ifa_lookup(j->ifname, PFI_AFLAG_NETWORK); + if (i->dynamic) { + h = calloc(1, sizeof(*h)); + if (h == NULL) + err(1, "address: calloc"); + h->addr.type = PF_ADDR_DYNIFTL; + set_ipmask(h, 128); + if (strlcpy(h->addr.v.ifname, i->ifname, + sizeof(h->addr.v.ifname)) >= + sizeof(h->addr.v.ifname)) { + yyerror( + "interface name too long"); + YYERROR; + } + hh = malloc(sizeof(*hh)); + if (hh == NULL) + err(1, "address: malloc"); + bcopy(h, hh, sizeof(*hh)); + h->addr.iflags = PFI_AFLAG_NETWORK; + } else { + h = ifa_lookup(j->ifname, + PFI_AFLAG_NETWORK); + hh = NULL; + } if (h != NULL) expand_rule(&r, j, NULL, NULL, NULL, h, @@ -925,29 +947,40 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { r.af = $4; if (rule_label(&r, $5.label)) YYERROR; - h = ifa_lookup(i->ifname, 0); + if (hh != NULL) + h = hh; + else + h = ifa_lookup(i->ifname, 0); if (h != NULL) expand_rule(&r, NULL, NULL, NULL, NULL, h, NULL, NULL, NULL, NULL, NULL, NULL); - } + } else + free(hh); } free($5.label); } ; -antispoof_ifspc : FOR if_item { $$ = $2; } +antispoof_ifspc : FOR antispoof_if { $$ = $2; } | FOR '{' antispoof_iflst '}' { $$ = $3; } ; -antispoof_iflst : if_item { $$ = $1; } - | antispoof_iflst comma if_item { +antispoof_iflst : antispoof_if { $$ = $1; } + | antispoof_iflst comma antispoof_if { $1->tail->next = $3; $1->tail = $3; $$ = $1; } ; +antispoof_if : if_item { $$ = $1; } + | '(' if_item ')' { + $2->dynamic = 1; + $$ = $2; + } + ; + antispoof_opts : { bzero(&antispoof_opts, sizeof antispoof_opts); } antispoof_opts_l { $$ = antispoof_opts; } diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index 125201f4f4c..52de11f5b3d 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.h,v 1.74 2004/02/10 22:26:56 dhartmei Exp $ */ +/* $OpenBSD: pfctl_parser.h,v 1.75 2004/04/14 11:16:43 cedric Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -77,6 +77,7 @@ struct pfctl { struct node_if { char ifname[IFNAMSIZ]; u_int8_t not; + u_int8_t dynamic; /* antispoof */ u_int ifa_flags; struct node_if *next; struct node_if *tail; |