author | Henning Brauer <henning@cvs.openbsd.org> | 2011-07-04 03:36:15 +0000 |
committer | Henning Brauer <henning@cvs.openbsd.org> | 2011-07-04 03:36:15 +0000 |
commit | b9f6604717f5585b998237983a67dab066e8a448 (patch) | |
tree | eb1eaaa894e14f60c54d365341c14280f6a93dc3 | |
parent | 9161482435f992bb186f4b3bc1bd049f169ffc8f (diff) |
bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo
-rw-r--r-- | sbin/pfctl/parse.y | 88 | ||||
-rw-r--r-- | share/man/man5/pf.conf.5 | 16 |
2 files changed, 4 insertions, 100 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 814f64514f9..0c165c47611 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.601 2011/07/03 23:59:43 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.602 2011/07/04 03:36:14 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -63,13 +63,11 @@ static struct pfctl *pf = NULL; static int debug = 0; -static int rulestate = 0; static u_int16_t returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT; static u_int16_t returnicmp6default = (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT; static int blockpolicy = PFRULE_DROP; -static int require_order = 0; static int default_statelock; TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files); @@ -105,14 +103,6 @@ char *symget(const char *); int atoul(char *, u_long *); -enum { - PFCTL_STATE_NONE, - PFCTL_STATE_OPTION, - PFCTL_STATE_QUEUE, - PFCTL_STATE_NAT, - PFCTL_STATE_FILTER -}; - struct node_proto { u_int8_t proto; struct node_proto *next; @@ -362,7 +352,6 @@ int expand_queue(struct pf_altq *, struct node_if *, struct node_queue_opt *); int expand_skip_interface(struct node_if *); -int check_rulestate(int); int getservice(char *); int rule_label(struct pf_rule *, char *); @@ -457,7 +446,7 @@ int parseport(char *, struct range *r, int); %token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE %token REASSEMBLE ANCHOR %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID -%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID +%token SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID %token ANTISPOOF FOR INCLUDE MATCHES %token BITMASK RANDOM SOURCEHASH ROUNDROBIN LEASTSTATES STATICPORT PROBABILITY %token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT 
@@ -577,15 +566,9 @@ optnodf : /* empty */ { $$ = 0; } ; option : SET REASSEMBLE yesno optnodf { - if (check_rulestate(PFCTL_STATE_OPTION)) - YYERROR; pfctl_set_reassembly(pf, $3, $4); } | SET OPTIMIZATION STRING { - if (check_rulestate(PFCTL_STATE_OPTION)) { - free($3); - YYERROR; - } if (pfctl_set_optimization(pf, $3) != 0) { yyerror("unknown optimization %s", $3); free($3); @@ -604,10 +587,6 @@ option : SET REASSEMBLE yesno optnodf { | SET LIMIT limit_spec | SET LIMIT '{' optnl limit_list '}' | SET LOGINTERFACE stringall { - if (check_rulestate(PFCTL_STATE_OPTION)) { - free($3); - YYERROR; - } if (pfctl_set_logif(pf, $3) != 0) { yyerror("error setting loginterface %s", $3); free($3); @@ -628,30 +607,16 @@ option : SET REASSEMBLE yesno optnodf { | SET BLOCKPOLICY DROP { if (pf->opts & PF_OPT_VERBOSE) printf("set block-policy drop\n"); - if (check_rulestate(PFCTL_STATE_OPTION)) - YYERROR; blockpolicy = PFRULE_DROP; } | SET BLOCKPOLICY RETURN { if (pf->opts & PF_OPT_VERBOSE) printf("set block-policy return\n"); - if (check_rulestate(PFCTL_STATE_OPTION)) - YYERROR; blockpolicy = PFRULE_RETURN; } - | SET REQUIREORDER yesno { - if (pf->opts & PF_OPT_VERBOSE) - printf("set require-order %s\n", - $3 == 1 ? "yes" : "no"); - require_order = $3; - } | SET FINGERPRINTS STRING { if (pf->opts & PF_OPT_VERBOSE) printf("set fingerprints \"%s\"\n", $3); - if (check_rulestate(PFCTL_STATE_OPTION)) { - free($3); - YYERROR; - } if (!pf->anchor->name[0]) { if (pfctl_file_fingerprints(pf->dev, pf->opts, $3)) { @@ -676,10 +641,6 @@ option : SET REASSEMBLE yesno optnodf { default_statelock = $3; } | SET DEBUG STRING { - if (check_rulestate(PFCTL_STATE_OPTION)) { - free($3); - YYERROR; - } if (pfctl_set_debug(pf, $3) != 0) { yyerror("error setting debuglevel %s", $3); free($3); 
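Review bot: With `check_rulestate` gone from the `SET BLOCKPOLICY DROP`/`RETURN`, `SET FINGERPRINTS` and `SET DEBUG` actions, nothing in the parser objects any more to a `set` statement that appears after filter rules, yet these actions record their result in parser statics (`blockpolicy = PFRULE_DROP;`, `default_statelock = $3;` in this hunk) rather than in the loaded ruleset. If those statics are consulted when each later rule is built — the pfrule action is in a later hunk and its use of `blockpolicy` is not visible here — a `set block-policy return` placed below some block rules would silently apply only to the rules that follow it, which is exactly the ordering surprise require-order used to catch. A comment on the option rule would make the contract explicit: `/* options are parser state: a set line affects only the rules parsed after it; ordering is no longer enforced */`. Whether the same applies to `set reassemble` and `set optimization`, which call straight into `pfctl_set_*`, depends on those helpers, which are outside the hunk.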
@@ -796,12 +757,6 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto struct pf_rule r; struct node_proto *proto; - if (check_rulestate(PFCTL_STATE_FILTER)) { - if ($2) - free($2); - YYERROR; - } - if ($2 && ($2[0] == '_' || strstr($2, "/_") != NULL)) { free($2); yyerror("anchor names beginning with '_' " @@ -1037,9 +992,6 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { struct node_host *h = NULL, *hh; struct node_if *i, *j; - if (check_rulestate(PFCTL_STATE_FILTER)) - YYERROR; - for (i = $3; i; i = i->next) { bzero(&r, sizeof(r)); @@ -1295,9 +1247,6 @@ table_opt : STRING { altqif : ALTQ interface queue_opts QUEUE qassign { struct pf_altq a; - if (check_rulestate(PFCTL_STATE_QUEUE)) - YYERROR; - memset(&a, 0, sizeof(a)); if ($3.scheduler.qtype == ALTQT_NONE) { yyerror("no scheduler specified!"); @@ -1319,13 +1268,7 @@ altqif : ALTQ interface queue_opts QUEUE qassign { queuespec : QUEUE STRING interface queue_opts qassign { struct pf_altq a; - if (check_rulestate(PFCTL_STATE_QUEUE)) { - free($2); - YYERROR; - } - memset(&a, 0, sizeof(a)); - if (strlcpy(a.qname, $2, sizeof(a.qname)) >= sizeof(a.qname)) { yyerror("queue name too long (max " @@ -1683,11 +1626,7 @@ pfrule : action dir logquick interface af proto fromto int adaptive = 0; int defaults = 0; - if (check_rulestate(PFCTL_STATE_FILTER)) - YYERROR; - memset(&r, 0, sizeof(r)); - r.action = $1.b1; switch ($1.b2) { case PFRULE_RETURNRST: @@ -3846,10 +3785,6 @@ routespec : route_host { $$ = $1; } timeout_spec : STRING NUMBER { - if (check_rulestate(PFCTL_STATE_OPTION)) { - free($1); - YYERROR; - } if ($2 < 0 || $2 > UINT_MAX) { yyerror("only positive values permitted"); YYERROR; @@ -3869,10 +3804,6 @@ timeout_list : timeout_list comma timeout_spec optnl limit_spec : STRING NUMBER { - if (check_rulestate(PFCTL_STATE_OPTION)) { - free($1); - YYERROR; - } if ($2 < 0 || $2 > UINT_MAX) { yyerror("only positive values permitted"); YYERROR; 
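Review bot: In the `timeout_spec` and `limit_spec` hunks the deleted `check_rulestate` branch was the one error path that released `$1` before `YYERROR`; the range check left behind, `if ($2 < 0 || $2 > UINT_MAX) { yyerror("only positive values permitted"); YYERROR;`, still does not, so the heap-allocated keyword string (the removed branch shows it is owned by the action) leaks on that path. This is pre-existing and of little consequence in a short-lived pfctl run, unless the grammar has a destructor for STRING that the hunk does not show, but since the commit is already reshaping these error paths it is a one-line fix in each rule: add `free($1);` before that `YYERROR;`. The remainder of both rule actions lies outside the hunk.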
@@ -5036,18 +4967,6 @@ freehostlist(struct node_host *h) #undef LOOP_THROUGH int -check_rulestate(int desired_state) -{ - if (require_order && (rulestate > desired_state)) { - yyerror("Rules must be in order: options, normalization, " - "queueing, translation, filtering"); - return (1); - } - rulestate = desired_state; - return (0); -} - -int kw_cmp(const void *k, const void *e) { return (strcmp(k, ((const struct keywords *)e)->k_name)); @@ -5142,7 +5061,6 @@ lookup(char *s) { "reassemble", REASSEMBLE}, { "received-on", RECEIVEDON}, { "reply-to", REPLYTO}, - { "require-order", REQUIREORDER}, { "return", RETURN}, { "return-icmp", RETURNICMP}, { "return-icmp6", RETURNICMP6}, @@ -5539,12 +5457,10 @@ parse_config(char *filename, struct pfctl *xpf) pf = xpf; errors = 0; - rulestate = PFCTL_STATE_NONE; returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT; returnicmp6default = (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT; blockpolicy = PFRULE_DROP; - require_order = 0; if ((file = pushfile(filename, 0)) == NULL) { warn("cannot open the main config file!"); diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 2bbccb81154..697a69d6754 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.496 2011/07/03 23:37:55 zinke Exp $ +.\" $OpenBSD: pf.conf.5,v 1.497 2011/07/04 03:36:14 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 3 2011 $ +.Dd $Mdocdate: July 4 2011 $ .Dt PF.CONF 5 .Os .Sh NAME 
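Review bot: Dropping `require-order` from the `lookup()` keyword table (together with the `REQUIREORDER` token and grammar alternative) turns every existing pf.conf that still carries `set require-order yes` into a syntax error, so the whole ruleset fails to load rather than the obsolete line being ignored. On a host that loads pf.conf unattended at boot that means either a lockout or running with whatever fallback ruleset is in place, which cannot be judged from the hunk. Consider keeping the keyword for one release as an accepted no-op that emits a deprecation warning (a `SET REQUIREORDER yesno` alternative whose action only warns, reusing the `pf->opts & PF_OPT_VERBOSE` printf pattern the other options use), or at least calling the removal out in the upgrade notes so administrators grep for it before rebooting. The `parse_config` hunk is otherwise consistent: both statics it stopped resetting are the ones removed at the top of the file.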
@@ -1142,17 +1142,6 @@ instead of being dropped; the reassembled packet will have the .Ar dont-fragment bit cleared. -.It Ar set require-order -If set to -.Ar yes , -.Xr pfctl 8 -will enforce that statement types in the ruleset are listed in the -following order, to match the operation of the underlying packet -filtering engine: -.Em options , -.Em queueing , -.Em filtering . -This option is disabled by default. .It Ar set ruleset-optimization .Bl -tag -width xxxxxxxx -compact .It Ar basic @@ -2666,7 +2655,6 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | [ "block-policy" ( "drop" | "return" ) ] | [ "state-policy" ( "if-bound" | "floating" ) ] [ "state-defaults" state-opts ] - [ "require-order" ( "yes" | "no" ) ] [ "fingerprints" filename ] | [ "skip on" ifspec ] | [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] | |