authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-10-07 12:39:30 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-10-07 12:39:30 +0000
commitb645be9b9e878ea84b8e1cff2de6be4795a17150 (patch)
tree521258aaf80c699ad6b0f8c87971050d96f9833e
parentdbdfe3f4d5fda1eb9eac60002f6ffc57ae808203 (diff)
Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that created state), used for symmetric routing enforcement. Document how route-to and reply-to work in the context of stateful filtering.
-rw-r--r--sbin/pfctl/parse.y31
-rw-r--r--sbin/pfctl/pfctl_parser.c4
-rw-r--r--share/man/man5/pf.conf.525
-rw-r--r--sys/net/pf.c6
-rw-r--r--sys/net/pfvar.h4
5 files changed, 61 insertions, 9 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 40506b4aee7..146969840e6 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.157 2002/10/06 16:22:10 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.158 2002/10/07 12:39:29 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -250,7 +250,7 @@ typedef struct {
%token PASS BLOCK SCRUB RETURN IN OUT LOG LOGALL QUICK ON FROM TO FLAGS
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
-%token MINTTL ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
+%token MINTTL ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO REPLYTO NO LABEL
%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS
%token FRAGNORM FRAGDROP FRAGCROP
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE
@@ -1644,6 +1644,32 @@ route : /* empty */ {
$$.rt = PF_ROUTETO;
$$.addr = NULL;
}
+ | REPLYTO '(' STRING address ')' {
+ if (($$.string = strdup($3)) == NULL) {
+ yyerror("reply-to: strdup");
+ YYERROR;
+ }
+ $$.rt = PF_REPLYTO;
+ if ($4->addr.addr_dyn != NULL) {
+ yyerror("reply-to does not support"
+ " dynamic addresses");
+ YYERROR;
+ }
+ if ($4->next) {
+ yyerror("multiple reply-to ip addresses");
+ YYERROR;
+ }
+ $$.addr = &$4->addr.addr;
+ $$.af = $4->af;
+ }
+ | REPLYTO STRING {
+ if (($$.string = strdup($2)) == NULL) {
+ yyerror("reply-to: strdup");
+ YYERROR;
+ }
+ $$.rt = PF_REPLYTO;
+ $$.addr = NULL;
+ }
| DUPTO '(' STRING address ')' {
if (($$.string = strdup($3)) == NULL) {
yyerror("dupto: strdup");
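Review bot: In the `REPLYTO '(' STRING address ')'` action the buffer returned by `strdup($3)` is leaked when either of the two checks on `$4` (dynamic address, more than one address) fails and `YYERROR` is taken. Moving the two `$4` checks ahead of the `strdup` keeps the allocation off the rejecting path and reads as validate-then-build; the `ROUTETO` and `DUPTO` alternatives above and below follow the same shape, so the reorder would apply there as well if done. Since a parse error presumably ends the pfctl run, the leak is unlikely to matter at runtime, but it is cheap to avoid. The enclosing `route` rule starts before this hunk and continues past it.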
@@ -2319,6 +2345,7 @@ lookup(char *s)
{ "quick", QUICK},
{ "rdr", RDR},
{ "reassemble", FRAGNORM},
+ { "reply-to", REPLYTO},
{ "return", RETURN},
{ "return-icmp",RETURNICMP},
{ "return-icmp6",RETURNICMP6},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index e063f58f8d6..ba3714ef5fe 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.95 2002/10/05 21:17:57 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.96 2002/10/07 12:39:29 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -679,6 +679,8 @@ print_rule(struct pf_rule *r)
if (r->rt) {
if (r->rt == PF_ROUTETO)
printf("route-to ");
+ else if (r->rt == PF_REPLYTO)
+ printf("reply-to ");
else if (r->rt == PF_DUPTO)
printf("dup-to ");
else if (r->rt == PF_FASTROUTE)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 38b2809159f..2c0bb8c647f 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.91 2002/10/05 21:17:57 dhartmei Exp $
+.\" $OpenBSD: pf.conf.5,v 1.92 2002/10/07 12:39:29 dhartmei Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -514,6 +514,8 @@ This option causes matching packets to remain untranslated.
.Sh ROUTING
If a packet matches a rule with a route option set, the packet filter will
route the packet according to the type of route option.
+When such a rule creates state, the route option is also applied to all
+packets matching the same connection.
.Ss fastroute
The
.Em fastroute
@@ -523,6 +525,25 @@ The
.Em route-to
option routes the packet to the specified interface with an optional address
for the next hop.
+When a
+.Em route-to
+rule creates state, only packets that pass in the same direction as the
+filter rule specifies will be routed in this way.
+Packets passing in the opposite direction (replies) are not affected
+and routed normally.
+.Ss reply-to
+The
+.Em reply-to
+option is similar to
+.Em route-to
+but routes packets that pass in the opposite direction (replies) to the
+specified interface.
+Opposite direction is only defined in context of a state entry, and
+.Em route-to
+is useful only in rules that create state.
+It can be used on systems with multiple external connections to
+route all outgoing packets of a connection through the interface
+the incoming connection arrived through (symmetric routing enforcement).
.Ss dup-to
The
.Em dup-to
@@ -1039,6 +1060,8 @@ interface-list = [ "!" ] interface-name [ [ "," ] interface-list ] .
route = "fastroute" |
"route-to" "(" interface-name address ")" |
"route-to" interface-name |
+ "reply-to" "(" interface-name address ")" |
+ "reply-to" interface-name |
"dup-to" "(" interface-name address ")" |
"dup-to" interface-name
af = "inet" | "inet6" .
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 379725adc1f..783f211b40a 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.247 2002/10/05 21:17:57 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.248 2002/10/07 12:39:29 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3631,7 +3631,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp)
if (m0 == NULL)
return;
} else {
- if (r->direction != dir)
+ if ((r->rt == PF_REPLYTO) == (r->direction == dir))
return;
m0 = *m;
}
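Review bot: The new condition `(r->rt == PF_REPLYTO) == (r->direction == dir)` is correct but dense enough that its meaning is easy to misread as a typo, so a one-line comment above it would help: `/* route-to/dup-to act on packets in the rule's direction, reply-to on packets in the opposite one */`. The same condition and the same remark apply to the pf_route6 hunk below; the comment should go in both places. The `if (m0 == NULL) return;` branch above the `else` is not subject to this direction check, which appears to be pre-existing behaviour rather than something this change introduces. The enclosing pf_route function starts before this hunk and continues past it.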
@@ -3770,7 +3770,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp)
if (m0 == NULL)
return;
} else {
- if (r->direction != dir)
+ if ((r->rt == PF_REPLYTO) == (r->direction == dir))
return;
m0 = *m;
}
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 8da6466f27b..62b5c342f40 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.90 2002/10/05 21:17:57 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.91 2002/10/07 12:39:29 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -51,7 +51,7 @@ enum { PFTM_TCP_FIRST_PACKET=0, PFTM_TCP_OPENING=1, PFTM_TCP_ESTABLISHED=2,
PFTM_ICMP_FIRST_PACKET=9, PFTM_ICMP_ERROR_REPLY=10,
PFTM_OTHER_FIRST_PACKET=11, PFTM_OTHER_SINGLE=12,
PFTM_OTHER_MULTIPLE=13, PFTM_FRAG=14, PFTM_INTERVAL=15, PFTM_MAX=16 };
-enum { PF_FASTROUTE=1, PF_ROUTETO=2, PF_DUPTO=3 };
+enum { PF_FASTROUTE=1, PF_ROUTETO=2, PF_DUPTO=3, PF_REPLYTO=4 };
enum { PF_LIMIT_STATES=0, PF_LIMIT_FRAGS=1, PF_LIMIT_MAX=2 };
struct pf_addr {