author | Markus Friedl <markus@cvs.openbsd.org> | 2008-05-07 07:07:30 +0000 |
committer | Markus Friedl <markus@cvs.openbsd.org> | 2008-05-07 07:07:30 +0000 |
commit | 0475b63024ae6fd7465eff6951c8feda22a1c78b (patch) | |
tree | b927dce3be9d0b9c6f9f665c770076ee1c28b468 | |
parent | 2057b495386ca1b4ff0fd1a4580e6f181d670106 (diff) |
scrub packets based on tags; ok henning
-rw-r--r-- | regress/sbin/pfctl/pf15.in | 1 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf15.ok | 1 | ||||
-rw-r--r-- | sbin/pfctl/parse.y | 16 | ||||
-rw-r--r-- | sys/net/pf.c | 3 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 5 | ||||
-rw-r--r-- | sys/net/pfvar.h | 3 |
6 files changed, 24 insertions, 5 deletions
diff --git a/regress/sbin/pfctl/pf15.in b/regress/sbin/pfctl/pf15.in index c2678c1cabf..ef6c25c74d6 100644 --- a/regress/sbin/pfctl/pf15.in +++ b/regress/sbin/pfctl/pf15.in @@ -16,3 +16,4 @@ scrub proto udp set-tos lowdelay scrub out proto esp set-tos throughput scrub out proto ah set-tos reliability scrub out proto icmp set-tos 0x12 +scrub out all tagged THROUGHPUT set-tos throughput diff --git a/regress/sbin/pfctl/pf15.ok b/regress/sbin/pfctl/pf15.ok index 70d9dcd7a52..fbd17ea02df 100644 --- a/regress/sbin/pfctl/pf15.ok +++ b/regress/sbin/pfctl/pf15.ok @@ -29,3 +29,4 @@ scrub proto udp all set-tos 0x10 fragment reassemble scrub out proto esp all set-tos 0x08 fragment reassemble scrub out proto ah all set-tos 0x04 fragment reassemble scrub out proto icmp all set-tos 0x12 fragment reassemble +scrub out all set-tos 0x08 fragment reassemble tagged THROUGHPUT diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 6accb0ffe53..ed040b159aa 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.538 2008/05/07 06:23:30 markus Exp $ */ +/* $OpenBSD: parse.y,v 1.539 2008/05/07 07:07:29 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -252,6 +252,8 @@ struct scrub_opts { int fragcache; int randomid; int reassemble_tcp; + char *match_tag; + u_int8_t match_tag_not; u_int rtableid; } scrub_opts; @@ -1041,6 +1043,14 @@ scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts } if ($8.fragcache) r.rule_flag |= $8.fragcache; + if ($8.match_tag) + if (strlcpy(r.match_tagname, $8.match_tag, + PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) { + yyerror("tag too long, max %u chars", + PF_TAG_NAME_SIZE - 1); + YYERROR; + } + r.match_tag_not = $8.match_tag_not; r.rtableid = $8.rtableid; expand_rule(&r, $4, NULL, $6, $7.src_os, 
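Review bot: In the scrubrule hunk of sbin/pfctl/parse.y the new `if ($8.match_tag)` guards a second, multi-line `if` without braces on the outer conditional, so the `yyerror`/`YYERROR` error path sits two conditionals deep and any later `else` would bind to the inner `if`. Bracing the outer one, `if ($8.match_tag) {` ... `}`, costs a single line and makes the error path unambiguous. The length check itself is right: a strlcpy return of PF_TAG_NAME_SIZE or more means the name did not fit, and the rule is rejected before it is expanded. The scrubrule action begins before this hunk and the expand_rule call at its end continues past it.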
@@ -1141,6 +1151,10 @@ scrub_opt : NODF { } scrub_opts.rtableid = $2; } + | not TAGGED string { + scrub_opts.match_tag = $3; + scrub_opts.match_tag_not = $1; + } ; fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } diff --git a/sys/net/pf.c b/sys/net/pf.c index 88f331219ad..a76f3c7fbe8 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.571 2008/05/07 06:15:26 markus Exp $ */ +/* $OpenBSD: pf.c,v 1.572 2008/05/07 07:07:29 markus Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -187,7 +187,6 @@ int pf_test_state_icmp(struct pf_state **, int, void *, struct pf_pdesc *, u_short *); int pf_test_state_other(struct pf_state **, int, struct pfi_kif *, struct pf_pdesc *); -int pf_match_tag(struct mbuf *, struct pf_rule *, int *); void pf_step_into_anchor(int *, struct pf_ruleset **, int, struct pf_rule **, struct pf_rule **, int *); int pf_step_out_of_anchor(int *, struct pf_ruleset **, diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 9623470a45e..a6837a209fc 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.112 2008/05/07 06:23:30 markus Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.113 2008/05/07 07:07:29 markus Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -827,6 +827,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, u_int16_t max; int ip_len; int ip_off; + int tag = -1; r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { @@ -847,6 +848,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, (struct pf_addr *)&h->ip_dst.s_addr, AF_INET, r->dst.neg, NULL)) r = r->skip[PF_SKIP_DST_ADDR].ptr; + else if (r->match_tag && !pf_match_tag(m, r, &tag)) + r = TAILQ_NEXT(r, entries); else break; } diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 1f1f471d20e..bb9bcaa9a0a 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h 
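Review bot: The `tagged` match is added only to the rule walk in pf_normalize_ip in sys/net/pf_norm.c; if pf_normalize_ip6 and pf_normalize_tcp walk the same PF_RULESET_SCRUB list with the same skip chain (they are not part of this diff), a scrub rule written with `tagged` would still be selected for IPv6 and TCP traffic regardless of the packet's tag, i.e. the rule would apply more broadly than the ruleset states. Those loops would need the same `else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries);` together with a per-call `int tag = -1;`, or the limitation should be documented in pf.conf(5) until they are updated. Placing the check after the destination-address skip step is sensible, since the tag lookup is only reached once the skip-step tests have passed. pf_normalize_ip begins before this hunk and continues after it.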
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.262 2008/05/07 06:23:30 markus Exp $ */ +/* $OpenBSD: pfvar.h,v 1.263 2008/05/07 07:07:29 markus Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1699,6 +1699,7 @@ int pfi_get_ifaces(const char *, struct pfi_kif *, int *); int pfi_set_flags(const char *, int); int pfi_clear_flags(const char *, int); +int pf_match_tag(struct mbuf *, struct pf_rule *, int *); u_int16_t pf_tagname2tag(char *); void pf_tag2tagname(u_int16_t, char *); void pf_tag_ref(u_int16_t); |