authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-03 15:44:53 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-03 15:44:53 +0000
commit7f9e383105f5f9b02cb27c42cef4d4c8db12270b (patch)
tree04c73873049e4b9cc9b6e6d62ce2ee258d8d196e
parent59bf24a030195c8eb48026e6e0e377501ff16d32 (diff)
Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@
-rw-r--r--regress/sbin/pfctl/Makefile4
-rw-r--r--regress/sbin/pfctl/pf46.in16
-rw-r--r--regress/sbin/pfctl/pf46.ok16
-rw-r--r--regress/sbin/pfctl/pfail16.in3
-rw-r--r--sbin/pfctl/parse.y18
5 files changed, 36 insertions, 21 deletions
diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile
index 6de5d34fc8a..9ee520ba885 100644
--- a/regress/sbin/pfctl/Makefile
+++ b/regress/sbin/pfctl/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.67 2003/01/30 15:32:22 henning Exp $
+# $OpenBSD: Makefile,v 1.68 2003/02/03 15:44:52 dhartmei Exp $
PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
PFTESTS+=28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
-PFFAIL=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+PFFAIL=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
PFSIMPLE=1 2
PFSETUP=1
PFLOAD=1 2 3 4 5 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 23 24 25 26 27 28 29
diff --git a/regress/sbin/pfctl/pf46.in b/regress/sbin/pfctl/pf46.in
index 545c3c4caff..833be0ad7b1 100644
--- a/regress/sbin/pfctl/pf46.in
+++ b/regress/sbin/pfctl/pf46.in
@@ -1,8 +1,8 @@
-pass in on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } all
-pass out on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } round-robin all
-pass in on lo0 route-to (lo0 127.0.0.1/24) bitmask all
-pass out on lo0 dup-to (lo0 127.0.0.1/24) random all
-pass in on lo0 reply-to { lo0, lo0 } round-robin inet6 all
-pass in on lo0 reply-to (lo0 127.0.0.0/28) source-hash 0x0123456789ABCDEF0123456789abcdef inet all
-pass out on lo0 route-to (lo0 127.0.0.1/24) source-hash foobarlicious all
-pass in on lo0 dup-to (lo0 127.0.0.1/24) round-robin all
+pass in on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } all
+pass out on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin all
+pass in on lo0 route-to (pflog0 127.0.0.1/24) bitmask all
+pass out on lo0 dup-to (pflog0 127.0.0.1/24) random all
+pass in on lo0 reply-to { pflog0, pflog0 } round-robin inet6 all
+pass in on lo0 reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789ABCDEF0123456789abcdef inet all
+pass out on lo0 route-to (pflog0 127.0.0.1/24) source-hash foobarlicious all
+pass in on lo0 dup-to (pflog0 127.0.0.1/24) round-robin all
diff --git a/regress/sbin/pfctl/pf46.ok b/regress/sbin/pfctl/pf46.ok
index 13630e5674e..79d6b4c2d4e 100644
--- a/regress/sbin/pfctl/pf46.ok
+++ b/regress/sbin/pfctl/pf46.ok
@@ -1,8 +1,8 @@
-pass in on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } round-robin inet all
-pass out on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } round-robin inet all
-pass in on lo0 route-to (lo0 127.0.0.0/24) bitmask inet all
-pass out on lo0 dup-to (lo0 127.0.0.0/24) random inet all
-pass in on lo0 reply-to { lo0, lo0 } round-robin inet6 all
-pass in on lo0 reply-to (lo0 127.0.0.0/28) source-hash 0x0123456789abcdef0123456789abcdef inet all
-pass out on lo0 route-to (lo0 127.0.0.0/24) source-hash 0x4da8e393fd22f577426cfdf7fe52d3b0 inet all
-pass in on lo0 dup-to (lo0 127.0.0.0/24) round-robin inet all
+pass in on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin inet all
+pass out on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin inet all
+pass in on lo0 route-to (pflog0 127.0.0.0/24) bitmask inet all
+pass out on lo0 dup-to (pflog0 127.0.0.0/24) random inet all
+pass in on lo0 reply-to { pflog0, pflog0 } round-robin inet6 all
+pass in on lo0 reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789abcdef0123456789abcdef inet all
+pass out on lo0 route-to (pflog0 127.0.0.0/24) source-hash 0x4da8e393fd22f577426cfdf7fe52d3b0 inet all
+pass in on lo0 dup-to (pflog0 127.0.0.0/24) round-robin inet all
diff --git a/regress/sbin/pfctl/pfail16.in b/regress/sbin/pfctl/pfail16.in
new file mode 100644
index 00000000000..3dc660c7ac4
--- /dev/null
+++ b/regress/sbin/pfctl/pfail16.in
@@ -0,0 +1,3 @@
+# route/reply/dup-to can't have a loopback interface as argument
+
+pass in on lo0 route-to lo0 inet all
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index b739cd62e9e..0f0f98c2a03 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.304 2003/02/03 14:51:36 cedric Exp $ */
+/* $OpenBSD: parse.y,v 1.305 2003/02/03 15:44:52 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2586,27 +2586,39 @@ dport : /* empty */ {
;
route_host : STRING {
+ struct node_host *n;
+
$$ = calloc(1, sizeof(struct node_host));
if ($$ == NULL)
err(1, "route_host: calloc");
if (($$->ifname = strdup($1)) == NULL)
err(1, "routeto: strdup");
- if (ifa_exists($$->ifname) == NULL) {
+ if ((n = ifa_exists($$->ifname)) == NULL) {
yyerror("routeto: unknown interface %s",
$$->ifname);
YYERROR;
+ } else if (n->ifa_flags & IFF_LOOPBACK) {
+ yyerror("routeto: loopback interface %s not "
+ "supported", $$->ifname);
+ YYERROR;
}
$$->next = NULL;
$$->tail = $$;
}
| '(' STRING host ')' {
+ struct node_host *n;
+
$$ = $3;
if (($$->ifname = strdup($2)) == NULL)
err(1, "routeto: strdup");
- if (ifa_exists($$->ifname) == NULL) {
+ if ((n = ifa_exists($$->ifname)) == NULL) {
yyerror("routeto: unknown interface %s",
$$->ifname);
YYERROR;
+ } else if (n->ifa_flags & IFF_LOOPBACK) {
+ yyerror("routeto: loopback interface %s not "
+ "supported", $$->ifname);
+ YYERROR;
}
if (disallow_table($3, "invalid use of table <%s> in "
"a route expression"))