author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-06-11 02:12:38 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-06-11 02:12:38 +0000 |
commit | a74d174ebe7d9d4fe9d2e8e044766a2230f8db17 (patch) | |
tree | f0a811470deb7b4f4f163f1607c5188b76d465ca | |
parent | 43a37245a81d3c24cfe3e0569a87e69eb22ea172 (diff) |
Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@
-rw-r--r-- | sbin/pfctl/parse.y | 16 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 10 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 6 | ||||
-rw-r--r-- | share/man/man5/nat.conf.5 | 5 | ||||
-rw-r--r-- | sys/net/pf.c | 37 | ||||
-rw-r--r-- | sys/net/pfvar.h | 3 |
6 files changed, 61 insertions, 16 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 436b8d32e62..8fa6adc3b61 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.94 2002/06/10 23:07:46 kjell Exp $ */ +/* $OpenBSD: parse.y,v 1.95 2002/06/11 02:12:37 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1150,6 +1150,11 @@ rport : port { $$.a = $1; $$.b = $$.t = 0; } + | port ':' port { + $$.a = $1; + $$.b = $3; + $$.t = PF_RPORT_RANGE; + } | port ':' '*' { $$.a = $1; $$.b = 0; @@ -1232,6 +1237,15 @@ natrule : no NAT interface af proto fromto redirection nat.af = $7->address->af; memcpy(&nat.raddr, &$7->address->addr, sizeof(nat.raddr)); + nat.proxy_port[0] = ntohs($7->rport.a); + nat.proxy_port[1] = ntohs($7->rport.b); + if (!nat.proxy_port[0] && !nat.proxy_port[1]) { + nat.proxy_port[0] = + PF_NAT_PROXY_PORT_LOW; + nat.proxy_port[1] = + PF_NAT_PROXY_PORT_HIGH; + } else if (!nat.proxy_port[1]) + nat.proxy_port[1] = nat.proxy_port[0]; free($7->address); free($7); } diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index c9c7d1d7f6c..dae3e6f8f5e 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.86 2002/06/11 01:58:00 henning Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.87 2002/06/11 02:12:37 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -425,6 +425,14 @@ print_nat(struct pf_nat *n) if (!n->no) { printf("-> "); print_addr(&n->raddr, NULL, n->af); + if (n->proxy_port[0] != PF_NAT_PROXY_PORT_LOW || + n->proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) { + if (n->proxy_port[0] == n->proxy_port[1]) + printf(" port %u", n->proxy_port[0]); + else + printf(" port %u:%u", n->proxy_port[0], + n->proxy_port[1]); + } } printf("\n"); } diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index 3498c3adb81..8cacd0e6c6d 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h 
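Review bot: The new `port ':' port` alternative stores an upper bound in `$$.b`, but only the nat action in this commit reads `rport.b`; if `rport` is also reached from the rdr rule (outside the hunk), a redirection written as `port 8000:9000` would presumably be accepted with its upper bound silently dropped. Either reject `rport.b != 0` in the rdr action using the file's `yyerror()`/`YYERROR` convention, or document in the grammar that the two-port form is meaningful only for `nat`. The rport rule starts before the hunk and continues after it.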
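Review bot: Nothing in the new block checks that `nat.proxy_port[0] <= nat.proxy_port[1]` after the `ntohs()` conversions, so a rule written as `port 60000:50000` is handed to the kernel as an inverted range; the kernel-side `pf_get_sport()` in this commit only special-cases `0/0` and `low == high`, and what the rest of it does with an inverted range is not visible here but is unlikely to be intended. Add `if (nat.proxy_port[0] > nat.proxy_port[1]) { yyerror("invalid proxy port range"); YYERROR; }` before the `free()` calls, assuming the error convention used elsewhere in parse.y. Note also that an explicit `port 0` (or `port 0:*`) collapses into the default range through the `!nat.proxy_port[0] && !nat.proxy_port[1]` test, which is probably fine but deserves a one-line comment such as `/* no port spec, or port 0: fall back to the default proxy range */`. The natrule action starts before the hunk.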
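Review bot: The printed form does not round-trip for a `0/0` range: `n->proxy_port[0] == n->proxy_port[1] == 0` passes the inequality test and prints ` port 0`, which the parser in this commit turns back into the default `50001:65535` range, whereas the kernel's `pf_get_sport()` treats `0/0` as "keep the source port". That value cannot be produced by this parser, only by another loader of `struct pf_nat`, so this is minor; still, printing it distinctly or skipping the port clause with a comment such as `/* 0:0 is never emitted by parse.y; the kernel keeps the source port */` would keep `pfctl -s nat` output reloadable with the same meaning. print_nat starts before the hunk.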
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.h,v 1.21 2002/06/11 01:58:00 henning Exp $ */ +/* $OpenBSD: pfctl_parser.h,v 1.22 2002/06/11 02:12:37 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -43,6 +43,9 @@ #define PF_TH_ALL 0xFF +#define PF_NAT_PROXY_PORT_LOW 50001 +#define PF_NAT_PROXY_PORT_HIGH 65535 + #define FCNT_NAMES { \ "searches", \ "inserts", \ @@ -50,7 +53,6 @@ NULL \ } - struct pfctl { int dev; int opts; diff --git a/share/man/man5/nat.conf.5 b/share/man/man5/nat.conf.5 index 6f598518a64..9533b0bf346 100644 --- a/share/man/man5/nat.conf.5 +++ b/share/man/man5/nat.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: nat.conf.5,v 1.26 2002/06/10 19:31:44 dhartmei Exp $ +.\" $OpenBSD: nat.conf.5,v 1.27 2002/06/11 02:12:37 dhartmei Exp $ .\" .\" Copyright (c) 2001 Ian Darwin. All rights reserved. .\" @@ -83,7 +83,8 @@ Syntax for filter rules in BNF: .Bd -literal rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) . -nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] hosts [ "->" address ] . +nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] hosts + [ "->" address [ portspec ] ] . binat_rule = "binat" "on" ifname [ protospec ] "from" address "to" ipspec [ "->" address ] . diff --git a/sys/net/pf.c b/sys/net/pf.c index ddea43ead20..4d9558bb8ef 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.232 2002/06/11 02:02:21 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.233 2002/06/11 02:12:37 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1410,6 +1410,15 @@ pf_get_sport(u_int8_t proto, u_int16_t low, u_int16_t high, u_int16_t *port) int step; u_int16_t cut; + if (low == 0 && high == 0) { + NTOHS(*port); + return (0); + } + if (low == high) { + *port = low; + return (0); + } + if (proto == IPPROTO_TCP) plist = &pf_tcp_ports; else if (proto == IPPROTO_UDP) 
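Review bot: The two new constants carry no comment, yet they are now the only place the default proxy range lives (the kernel hunks in this commit drop the hardcoded 50001/65535 and treat `0/0` as keep-source-port), so a reader of the header cannot tell whether they are a protocol constant or a policy default. Add `/* default proxy port range for nat rules without an explicit port spec; parse.y applies it when the rule gives no port, so the kernel never sees 0/0 from pfctl */` above `PF_NAT_PROXY_PORT_LOW`.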
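Review bot: The new early returns cover `low == high == 0` and `low == high`, but nothing visible rejects `low > high`, and `low`/`high` now come from a userland-supplied rule instead of the old hardcoded 50001/65535; whatever the remainder of `pf_get_sport()` does with an inverted range (not visible here), it should fail explicitly rather than compute on it. Add `if (low > high) return (EINVAL);` next to the new checks — the callers in this commit already turn a non-zero return into `PF_DROP` with a debug message — or validate the range once when the rule is loaded. The `low == high` path also returns the fixed port without ever reaching the per-protocol port list, so two connections can legitimately receive the same proxy port; a comment such as `/* fixed proxy port: no uniqueness check, collisions are the caller's problem */` would record that this is deliberate. pf_get_sport starts before the hunk and continues after it.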
@@ -1661,11 +1670,16 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, /* check outgoing packet for NAT */ else if ((nat = pf_get_nat(ifp, IPPROTO_TCP, saddr, th->th_sport, daddr, th->th_dport, af)) != NULL) { - bport = th->th_sport; - error = pf_get_sport(IPPROTO_TCP, 50001, - 65535, &nport); - if (error) + bport = nport = th->th_sport; + error = pf_get_sport(IPPROTO_TCP, nat->proxy_port[0], + nat->proxy_port[1], &nport); + if (error) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: NAT proxy port allocation " + "(tcp %u-%u) failed\n", + nat->proxy_port[0], nat->proxy_port[1])); return (PF_DROP); + } PF_ACPY(&baddr, saddr, af); pf_change_ap(saddr, &th->th_sport, pd->ip_sum, &th->th_sum, &nat->raddr.addr, htons(nport), @@ -1920,11 +1934,16 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, /* check outgoing packet for NAT */ else if ((nat = pf_get_nat(ifp, IPPROTO_UDP, saddr, uh->uh_sport, daddr, uh->uh_dport, af)) != NULL) { - bport = uh->uh_sport; - error = pf_get_sport(IPPROTO_UDP, 50001, - 65535, &nport); - if (error) + bport = nport = uh->uh_sport; + error = pf_get_sport(IPPROTO_UDP, nat->proxy_port[0], + nat->proxy_port[1], &nport); + if (error) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: NAT proxy port allocation " + "(udp %u-%u) failed\n", + nat->proxy_port[0], nat->proxy_port[1])); return (PF_DROP); + } PF_ACPY(&baddr, saddr, af); pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, &uh->uh_sum, &nat->raddr.addr, htons(nport), diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 0cac8668da4..6db53b977ec 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.83 2002/06/11 01:58:00 henning Exp $ */ +/* $OpenBSD: pfvar.h,v 1.84 2002/06/11 02:12:37 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -334,6 +334,7 @@ struct pf_nat { char ifname[IFNAMSIZ]; struct ifnet *ifp; TAILQ_ENTRY(pf_nat) entries; + u_int16_t proxy_port[2]; u_int8_t af; u_int8_t proto; u_int8_t ifnot; |
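Review bot: `bport = nport = th->th_sport;` stores the network-order source port in `nport` and relies on `pf_get_sport()` to byte-swap it in place only in the `0/0` case while writing a host-order value in every other case; the later `htons(nport)` is then correct in both cases, but the invariant is easy to break and deserves a comment on that line, e.g. `/* nport: network order here; pf_get_sport() returns it in host order */`. With a fixed per-rule port (`low == high`) the allocated `nport` is no longer unique, so the state created further down (outside the hunk) can presumably collide with an existing one when two internal hosts reach the same destination from the same source port; it is worth confirming that the state insertion rejects that rather than overwriting. pf_test_tcp starts before the hunk and continues after it.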
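Review bot: The proxy-port allocation block added here is identical to the one added to pf_test_tcp apart from the protocol constant, the header field and the "udp"/"tcp" string in the debug message, so the two copies will drift the next time the allocation contract changes (the `0/0` byte-swap and the error path in particular). Factor it into a static helper that takes the nat rule, the protocol and the source port, so each caller reduces to saving `bport` and dropping on a non-zero return. pf_test_udp starts before the hunk and continues after it.
```c
/*
 * Pick the NAT proxy source port for an outgoing packet according to the
 * rule's proxy_port range.  *nport receives the host-order port to use
 * (or the byte-swapped original for a 0/0 range); returns 0 on success
 * or the pf_get_sport() error.
 */
static int
pf_nat_proxy_port(struct pf_nat *nat, u_int8_t proto, u_int16_t sport,
    u_int16_t *nport)
{
	int error;

	*nport = sport;	/* pf_get_sport() keeps and byte-swaps it for 0/0 */
	error = pf_get_sport(proto, nat->proxy_port[0], nat->proxy_port[1],
	    nport);
	if (error)
		DPFPRINTF(PF_DEBUG_MISC,
		    ("pf: NAT proxy port allocation (%s %u-%u) failed\n",
		    proto == IPPROTO_TCP ? "tcp" : "udp",
		    nat->proxy_port[0], nat->proxy_port[1]));
	return (error);
}

/* … in pf_test_udp, replacing the added allocation block … */
		bport = uh->uh_sport;
		if (pf_nat_proxy_port(nat, IPPROTO_UDP, uh->uh_sport, &nport))
			return (PF_DROP);
		/* … unchanged: PF_ACPY / pf_change_ap … */
```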
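Review bot: The new `proxy_port[2]` field is undocumented although the kernel in this commit gives three of its value patterns different meanings: `0/0` keeps the packet's source port, `low == high` forces that port, and anything else is a range to allocate from (see the `pf_get_sport()` hunk). Add a trailing comment `/* proxy port range: 0/0 = keep sport, low == high = fixed, else allocate */` so loaders other than pfctl know what they are filling in. struct pf_nat starts before the hunk and continues after it.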