author | Niels Provos <provos@cvs.openbsd.org> | 2001-07-17 21:54:28 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 2001-07-17 21:54:28 +0000 |
commit | 5b5d6a6789a07db25d822e6cdc8faa22b41e4711 (patch) | |
tree | 365e6ecc9ea7110736f16283d8e4d8485a9865b8 | |
parent | ea39f2de65a8a34702e80c95d96f70aace6bce30 (diff) |
normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@
-rw-r--r-- | sbin/pfctl/parse.y | 23 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 7 | ||||
-rw-r--r-- | sys/net/pf.c | 6 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 9 | ||||
-rw-r--r-- | sys/net/pfvar.h | 8 |
5 files changed, 39 insertions, 14 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index b8e8a489bab..2925ab76f1a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.5 2001/07/17 17:39:42 marc Exp $ */
+/* $OpenBSD: parse.y,v 1.6 2001/07/17 21:54:27 provos Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -85,7 +85,7 @@ u_int32_t ipmask(u_int8_t);
 }
 %token PASS BLOCK SCRUB RETURN IN OUT LOG LOGALL QUICK ON FROM TO FLAGS
 %token RETURNRST RETURNICMP PROTO ALL ANY ICMPTYPE CODE KEEP STATE PORT
-%token RDR NAT ARROW
+%token RDR NAT ARROW NODF
 %token <string> STRING
 %token <number> NUMBER
 %token <i> PORTUNARY PORTBINARY
@@ -93,7 +93,7 @@ u_int32_t ipmask(u_int8_t);
 %type <addr2> fromto
 %type <iface> iface
 %type <number> address port icmptype
-%type <i> direction log quick keep proto
+%type <i> direction log quick keep proto nodf
 %type <b> action icmpspec flags blockspec
 %type <range> dport rport
 %%
@@ -105,7 +105,7 @@ ruleset: /* empty */
 	| ruleset rdrrule '\n'
 	;
 
-pfrule: action direction log quick iface proto fromto flags icmpspec keep
+pfrule: action direction log quick iface proto fromto flags icmpspec keep nodf
 	{
 		struct pf_rule r;
 
@@ -117,7 +117,7 @@ pfrule: action direction log quick iface proto fromto flags icmpspec keep
 
 		r.action = $1.b1;
 		if ($1.b2)
-			r.return_rst = 1;
+			r.rule_flag |= PFRULE_RETURNRST;
 		else
 			r.return_icmp = $1.w;
 		r.direction = $2;
@@ -139,6 +139,9 @@ pfrule: action direction log quick iface proto fromto flags icmpspec keep
 		r.code = $9.b2;
 		r.keep_state = $10;
 
+		if ($11)
+			r.rule_flag |= PFRULE_NODF;
+
 		if (rule_consistent(&r) < 0)
 			yyerror("skipping rule due to errors");
 		else
@@ -355,6 +358,10 @@ keep: { $$ = 0; }
 	| KEEP STATE { $$ = 1; }
 	;
 
+nodf: { $$ = 0; }
+	| NODF { $$ = 1; }
+	;
+
 natrule: NAT iface proto FROM ipspec TO ipspec ARROW address
 	{
 		struct pf_nat nat;
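Review bot: `r.rule_flag |= PFRULE_RETURNRST;` in the pfrule action (hunk at -117) ORs into a field the old code assigned outright, so it now relies on `struct pf_rule r` having been zeroed before this point; that initialisation is outside the hunk, so confirm a memset or equivalent precedes it, otherwise stale stack bits could leave PFRULE_NODF set on a rule that never asked for it. The same dependency applies to `r.rule_flag |= PFRULE_NODF;` in the -139 hunk. A one-line comment on the new `nodf` production, `/* no-df: only meaningful for scrub rules; rule_consistent() rejects it elsewhere */`, would make the grammar/semantic-check split explicit for the next person adding a rule flag. The pfrule action body starts and ends outside these hunks.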
@@ -488,6 +495,9 @@ rule_consistent(struct pf_rule *r)
 			yyerror("icmp-type/code does not apply to scrub");
 			problems++;
 		}
+	} else if (r->rule_flag & PFRULE_NODF) {
+		yyerror("nodf applies only to scrub");
+		problems++;
 	}
 	if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP &&
 	    (r->src.port_op || r->dst.port_op)) {
@@ -520,7 +530,8 @@ lookup(char *s)
 		{ "keep", KEEP},
 		{ "log", LOG},
 		{ "log-all", LOGALL},
-		{ "nat", NAT},
+		{ "nat", NAT},
+		{ "no-df", NODF},
 		{ "on", ON},
 		{ "out", OUT},
 		{ "pass", PASS},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index d60cf229c45..a0fbf10985c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.35 2001/07/16 21:09:38 markus Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.36 2001/07/17 21:54:27 provos Exp $ */
 
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -442,7 +442,7 @@ print_rule(struct pf_rule *r)
 		printf("pass ");
 	else if (r->action == PF_DROP) {
 		printf("block ");
-		if (r->return_rst)
+		if (r->rule_flag & PFRULE_RETURNRST)
 			printf("return-rst ");
 		else if (r->return_icmp) {
 			struct icmpcodeent *ic;
@@ -545,6 +545,9 @@ print_rule(struct pf_rule *r)
 	}
 	if (r->keep_state)
 		printf("keep state ");
+	if (r->rule_flag & PFRULE_NODF)
+		printf("no-df");
+
 	printf("\n");
 }
 
diff --git a/sys/net/pf.c b/sys/net/pf.c
index a56f33f5c36..8cb7f7f8836 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.114 2001/07/17 20:34:51 provos Exp $ */
+/* $OpenBSD: pf.c,v 1.115 2001/07/17 21:54:25 provos Exp $ */
 
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -1446,7 +1446,7 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
 		PFLOG_PACKET(h, m, AF_INET, direction, reason, rm);
 
 	if ((rm->action == PF_DROP) &&
-	    (rm->return_rst || rm->return_icmp)) {
+	    ((rm->rule_flag & PFRULE_RETURNRST) || rm->return_icmp)) {
 		/* undo NAT/RST changes, if they have taken place */
 		if (nat != NULL) {
 			pf_change_ap(&h->ip_src.s_addr, &th->th_sport,
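Review bot: The new diagnostic in rule_consistent() names the flag `nodf`, while the keyword registered in lookup() in the next hunk is `no-df`, so a user who writes `block ... no-df` is told about a token that does not exist in the grammar; change it to `yyerror("no-df applies only to scrub");`. This is the only place the user sees the flag's name in an error, so it should match the keyword table exactly. rule_consistent's body starts and ends outside this hunk.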
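Review bot: `printf("no-df");` in print_rule() (hunk at -545) drops the trailing space that every other keyword printer in this function carries (`printf("keep state ");`, `printf("return-rst ");`), so the next keyword appended after it will run into it; `printf("no-df ");` keeps the convention and costs nothing since the line ends with `printf("\n")` anyway. Since rule_consistent() rejects no-df on non-scrub rules, this branch is presumably only reachable for scrub rules, which matches the parser. print_rule's body starts outside the hunk.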
@@ -1457,7 +1457,7 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
 			    &h->ip_sum, &th->th_sum, baddr, bport);
 			rewrite++;
 		}
-		if (rm->return_rst)
+		if (rm->rule_flag & PFRULE_RETURNRST)
 			pf_send_reset(h, off, th);
 		else
 			pf_send_icmp(m, rm->return_icmp >> 8,
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 25b964f2c01..c67836e5bfa 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.1 2001/07/17 20:35:26 provos Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.2 2001/07/17 21:54:26 provos Exp $ */
 
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -510,6 +510,13 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
 if (dir != PF_OUT) return (PF_PASS); + /* At this point, only IP_DF is allowed in ip_off */ + if (r->rule_flag & PFRULE_NODF) + h->ip_off = 0; + else + h->ip_off &= IP_DF; + + return (PF_PASS); drop:
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 2424acf3eb0..c92d2731e5f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.33 2001/07/17 20:34:51 provos Exp $ */
+/* $OpenBSD: pfvar.h,v 1.34 2001/07/17 21:54:26 provos Exp $ */
 
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -71,9 +71,13 @@ struct pf_rule {
 
 	u_int8_t	flags;
 	u_int8_t	flagset;
-	u_int8_t	return_rst;
+
+	u_int8_t	rule_flag;
 };
 
+#define PFRULE_RETURNRST	0x01
+#define PFRULE_NODF		0x02
+
 struct pf_state_host {
 	u_int32_t	addr;
 	u_int16_t	port;
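Review bot: `h->ip_off = 0;` and `h->ip_off &= IP_DF;` in pf_normalize_ip() rewrite the IP header's fragment word in place, but the hunk shows no matching update of h->ip_sum, so unless the checksum is recomputed somewhere after this point (not visible here) any packet whose DF, MF or offset bits were actually cleared leaves with a stale header checksum and is discarded by the next hop. Please also confirm the byte order of h->ip_off at this point: if the header is still in network order, the mask has to be `htons(IP_DF)` rather than the host-order constant, and on a little-endian host the current line would clear the wrong bits. A comment stating the expected byte order and that the checksum is (or is not) fixed up here would settle both. The function body continues outside the hunk.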
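Review bot: The two new PFRULE_* bits in pfvar.h are undocumented and `rule_flag` is a u_int8_t, so the header should say what each bit means and that the width caps the set at eight flags; `#define PFRULE_RETURNRST 0x01 /* block rule answers TCP with a RST */` and `#define PFRULE_NODF 0x02 /* scrub rule clears IP_DF */` is enough. Replacing return_rst with rule_flag changes the layout of struct pf_rule, which both pfctl and the kernel build against, so the two presumably have to be rebuilt together; stating that in the commit message would save someone a confusing mismatch. The rest of struct pf_rule is outside the hunk.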