author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-02-03 15:44:53 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-02-03 15:44:53 +0000 |
commit | 7f9e383105f5f9b02cb27c42cef4d4c8db12270b (patch) | |
tree | 04c73873049e4b9cc9b6e6d62ce2ee258d8d196e | |
parent | 59bf24a030195c8eb48026e6e0e377501ff16d32 (diff) |
Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@
-rw-r--r-- | regress/sbin/pfctl/Makefile | 4 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf46.in | 16 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf46.ok | 16 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail16.in | 3 | ||||
-rw-r--r-- | sbin/pfctl/parse.y | 18 |
5 files changed, 36 insertions, 21 deletions
diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile
index 6de5d34fc8a..9ee520ba885 100644
--- a/regress/sbin/pfctl/Makefile
+++ b/regress/sbin/pfctl/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.67 2003/01/30 15:32:22 henning Exp $
+# $OpenBSD: Makefile,v 1.68 2003/02/03 15:44:52 dhartmei Exp $
 PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
 PFTESTS+=28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
-PFFAIL=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+PFFAIL=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
 PFSIMPLE=1 2
 PFSETUP=1
 PFLOAD=1 2 3 4 5 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 23 24 25 26 27 28 29
diff --git a/regress/sbin/pfctl/pf46.in b/regress/sbin/pfctl/pf46.in
index 545c3c4caff..833be0ad7b1 100644
--- a/regress/sbin/pfctl/pf46.in
+++ b/regress/sbin/pfctl/pf46.in
@@ -1,8 +1,8 @@
-pass in on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } all
-pass out on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } round-robin all
-pass in on lo0 route-to (lo0 127.0.0.1/24) bitmask all
-pass out on lo0 dup-to (lo0 127.0.0.1/24) random all
-pass in on lo0 reply-to { lo0, lo0 } round-robin inet6 all
-pass in on lo0 reply-to (lo0 127.0.0.0/28) source-hash 0x0123456789ABCDEF0123456789abcdef inet all
-pass out on lo0 route-to (lo0 127.0.0.1/24) source-hash foobarlicious all
-pass in on lo0 dup-to (lo0 127.0.0.1/24) round-robin all
+pass in on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } all
+pass out on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin all
+pass in on lo0 route-to (pflog0 127.0.0.1/24) bitmask all
+pass out on lo0 dup-to (pflog0 127.0.0.1/24) random all
+pass in on lo0 reply-to { pflog0, pflog0 } round-robin inet6 all
+pass in on lo0 reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789ABCDEF0123456789abcdef inet all
+pass out on lo0 route-to (pflog0 127.0.0.1/24) source-hash foobarlicious all
+pass in on lo0 dup-to (pflog0 127.0.0.1/24) round-robin all
diff --git a/regress/sbin/pfctl/pf46.ok b/regress/sbin/pfctl/pf46.ok
index 13630e5674e..79d6b4c2d4e 100644
--- a/regress/sbin/pfctl/pf46.ok
+++ b/regress/sbin/pfctl/pf46.ok
@@ -1,8 +1,8 @@
-pass in on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } round-robin inet all
-pass out on lo0 route-to { (lo0 127.0.0.1), (lo0 127.0.0.2) } round-robin inet all
-pass in on lo0 route-to (lo0 127.0.0.0/24) bitmask inet all
-pass out on lo0 dup-to (lo0 127.0.0.0/24) random inet all
-pass in on lo0 reply-to { lo0, lo0 } round-robin inet6 all
-pass in on lo0 reply-to (lo0 127.0.0.0/28) source-hash 0x0123456789abcdef0123456789abcdef inet all
-pass out on lo0 route-to (lo0 127.0.0.0/24) source-hash 0x4da8e393fd22f577426cfdf7fe52d3b0 inet all
-pass in on lo0 dup-to (lo0 127.0.0.0/24) round-robin inet all
+pass in on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin inet all
+pass out on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin inet all
+pass in on lo0 route-to (pflog0 127.0.0.0/24) bitmask inet all
+pass out on lo0 dup-to (pflog0 127.0.0.0/24) random inet all
+pass in on lo0 reply-to { pflog0, pflog0 } round-robin inet6 all
+pass in on lo0 reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789abcdef0123456789abcdef inet all
+pass out on lo0 route-to (pflog0 127.0.0.0/24) source-hash 0x4da8e393fd22f577426cfdf7fe52d3b0 inet all
+pass in on lo0 dup-to (pflog0 127.0.0.0/24) round-robin inet all
diff --git a/regress/sbin/pfctl/pfail16.in b/regress/sbin/pfctl/pfail16.in
new file mode 100644
index 00000000000..3dc660c7ac4
--- /dev/null
+++ b/regress/sbin/pfctl/pfail16.in
@@ -0,0 +1,3 @@
+# route/reply/dup-to can't have a loopback interface as argument
+
+pass in on lo0 route-to lo0 inet all
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index b739cd62e9e..0f0f98c2a03 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.304 2003/02/03 14:51:36 cedric Exp $ */ +/* $OpenBSD: parse.y,v 1.305 2003/02/03 15:44:52 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -2586,27 +2586,39 @@ dport : /* empty */ { ; route_host : STRING { + struct node_host *n; + $$ = calloc(1, sizeof(struct node_host)); if ($$ == NULL) err(1, "route_host: calloc"); if (($$->ifname = strdup($1)) == NULL) err(1, "routeto: strdup"); - if (ifa_exists($$->ifname) == NULL) { + if ((n = ifa_exists($$->ifname)) == NULL) { yyerror("routeto: unknown interface %s", $$->ifname); YYERROR; + } else if (n->ifa_flags & IFF_LOOPBACK) { + yyerror("routeto: loopback interface %s not " + "supported", $$->ifname); + YYERROR; } $$->next = NULL; $$->tail = $$; } | '(' STRING host ')' { + struct node_host *n; + $$ = $3; if (($$->ifname = strdup($2)) == NULL) err(1, "routeto: strdup"); - if (ifa_exists($$->ifname) == NULL) { + if ((n = ifa_exists($$->ifname)) == NULL) { yyerror("routeto: unknown interface %s", $$->ifname); YYERROR; + } else if (n->ifa_flags & IFF_LOOPBACK) { + yyerror("routeto: loopback interface %s not " + "supported", $$->ifname); + YYERROR; } if (disallow_table($3, "invalid use of table <%s> in " "a route expression")) |
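Review bot: The new loopback rejection is pasted verbatim into both route_host alternatives (the STRING action and the '(' STRING host ')' action), together with the unknown-interface check it extends, so the two error paths can now drift apart; a small static helper declared in the prologue would keep them in one place. The message keeps the pre-existing `routeto:` prefix even though the same rule serves reply-to and dup-to, which deserves a comment above the rule such as `/* route_host is shared by route-to, reply-to and dup-to; a loopback target is rejected here at parse time */`. The check presumably relies on ifa_exists() filling in ifa_flags for the returned node, which the hunk does not show. The second alternative's action continues past the end of the hunk.
```c
/* Shared by both route_host alternatives: an unknown or loopback
 * interface is not a valid route-to/reply-to/dup-to target. */
static int
check_route_ifname(char *ifname)
{
	struct node_host *n;

	if ((n = ifa_exists(ifname)) == NULL) {
		yyerror("routeto: unknown interface %s", ifname);
		return (-1);
	}
	if (n->ifa_flags & IFF_LOOPBACK) {
		yyerror("routeto: loopback interface %s not supported", ifname);
		return (-1);
	}
	return (0);
}

/* … unchanged: route_host : STRING action up to the strdup() … */
				if (check_route_ifname($$->ifname))
					YYERROR;
/* … unchanged: rest of both actions; the same two lines replace the second copy … */
```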