author | Henning Brauer <henning@cvs.openbsd.org> | 2002-09-14 17:50:18 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2002-09-14 17:50:18 +0000 |
commit | b2143a33ea86b7c43343cad385adae31af848844 (patch) | |
tree | 45d86c5db39170fb17e616a08084923e239852f9 | |
parent | ba7f64753be9b6947a6f7ced6881ff8514567111 (diff) |
bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.
ok frantzen@
-rw-r--r-- | sbin/pfctl/Makefile | 5 | ||||
-rw-r--r-- | sbin/pfctl/parse.y | 16 |
2 files changed, 14 insertions, 7 deletions
diff --git a/sbin/pfctl/Makefile b/sbin/pfctl/Makefile index 40bac5a51fb..678d3260802 100644 --- a/sbin/pfctl/Makefile +++ b/sbin/pfctl/Makefile @@ -1,8 +1,9 @@ -# $OpenBSD: Makefile,v 1.6 2002/06/06 22:22:44 mickey Exp $ +# $OpenBSD: Makefile,v 1.7 2002/09/14 17:50:17 henning Exp $ PROG= pfctl SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c -CFLAGS+= -Wall +CFLAGS+= -Wall -Werror -Wmissing-prototypes -Wno-uninitialized +CFLAGS+= -Wstrict-prototypes YFLAGS= MAN= pfctl.8 diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index d6847c10edb..54aee9c8e3e 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.148 2002/09/12 12:43:23 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.149 2002/09/14 17:50:17 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1274,9 +1274,11 @@ natrule : no NAT interface af proto fromto redirection nat.af = $4; if (!nat.af) { - if ($6.src.host && $6.src.host->af) + if ($6.src.host && $6.src.host->af + && !$6.src.host->ifindex) nat.af = $6.src.host->af; - else if ($6.dst.host && $6.dst.host->af) + else if ($6.dst.host && $6.dst.host->af + && !$6.dst.host->ifindex) nat.af = $6.dst.host->af; } @@ -1294,6 +1296,8 @@ natrule : no NAT interface af proto fromto redirection "address'"); YYERROR; } + if (!nat.af && !$7->address->ifindex) + nat.af = $7->address->af; n = ifa_pick_ip($7->address, nat.af); if (n == NULL) YYERROR; @@ -1447,7 +1451,7 @@ rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport redirection memcpy(&rdr.smask, &$7->mask, sizeof(rdr.smask)); rdr.snot = $7->not; - if (!rdr.af) + if (!rdr.af && !$7->ifindex) rdr.af = $7->af; } if ($9 != NULL) { @@ -1456,7 +1460,7 @@ rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport redirection memcpy(&rdr.dmask, &$9->mask, sizeof(rdr.dmask)); rdr.dnot = $9->not; - if (!rdr.af) + if (!rdr.af && !$9->ifindex) rdr.af = $9->af; } 
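Review bot: `-Wno-uninitialized` is added on the same line that turns on `-Werror`, and since `CFLAGS` applies to every file in `SRCS`, reads of uninitialized variables now go unreported across all of pfctl. pfctl is the tool that loads the packet-filter ruleset, so this warning class is worth keeping. If the suppression is only there to get generated parser code through `-Werror`, a comment such as `# -Wno-uninitialized: needed for code generated from parse.y` would record that, and the flag could be dropped once the offending sites are initialized.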
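Review bot: The new `!$6.src.host->ifindex` and `!$6.dst.host->ifindex` tests in the `if (!nat.af)` block have no comment, so the reason an already-set af is ignored lives only in the commit message. A comment above the block, for example `/* hosts from interface lookups can carry either family; only literal addresses decide the rule's af */`, would keep the rationale with the code. The same test is repeated in the rdrrule hunks, so a small helper could hold both the check and the comment. The natrule action starts and ends outside the hunk.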
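Review bot: `nat.af` can still be 0 when `ifa_pick_ip($7->address, nat.af)` is called, namely when no af keyword was given and the source, destination and redirection address all came from interface lookups. The commit message says the user must specify the af in that case, but nothing in the hunk enforces it. What `ifa_pick_ip` does with an af of 0 is not visible here; unless it already rejects that value, it may pick an address of a family the administrator did not intend. An explicit rejection before the call would make the requirement visible, for example `if (!nat.af) { yyerror("nat rule requires an address family"); YYERROR; }`. The same applies to `ifa_pick_ip($11->address, rdr.af)` in the last rdrrule hunk.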
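Review bot: With the added `!$7->ifindex` test, an interface-derived source no longer sets `rdr.af`, yet its mask (and presumably its address, just above the hunk) is still copied into the rule. If a later literal address or the redirection target then fixes `rdr.af` to the other family, the rule would carry an address of one family under the af of another, and no visible line checks for that. Once `rdr.af` is final, a check such as `if ($7 != NULL && $7->af && rdr.af && $7->af != rdr.af) { yyerror("address family mismatch"); YYERROR; }` would catch it. The same holds for `$9` in the following hunk. The rdrrule action starts and ends outside these hunks.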
@@ -1477,6 +1481,8 @@ rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport redirection "address'"); YYERROR; } + if (!rdr.af && !$11->address->ifindex) + rdr.af = $11->address->af; n = ifa_pick_ip($11->address, rdr.af); if (n == NULL) YYERROR; |