diff options
author | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2002-10-22 07:07:36 +0000 |
---|---|---|
committer | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2002-10-22 07:07:36 +0000 |
commit | d7c1aefc5698cf538b7942f6328e0110781c8b25 (patch) | |
tree | 10cf17b6b84818bb3a1ebb417335a011b5cdd902 | |
parent | f0387f159e8ce5e21c56282b74f7f39c5da9e484 (diff) |
Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.
This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.
Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any
idea refined by dhartmei@
ok frantzen@ henning@
-rw-r--r-- | sbin/pfctl/parse.y | 49 |
1 files changed, 24 insertions, 25 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 7b96cf6d360..09d3d6866fe 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.171 2002/10/17 11:22:42 mcbride Exp $ */ +/* $OpenBSD: parse.y,v 1.172 2002/10/22 07:07:35 camield Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -157,7 +157,7 @@ int rule_consistent(struct pf_rule *); int nat_consistent(struct pf_nat *); int rdr_consistent(struct pf_rdr *); int yyparse(void); -void ipmask(struct pf_addr *, u_int8_t); +void set_ipmask(struct node_host *, u_int8_t); void expand_rdr(struct pf_rdr *, struct node_if *, struct node_proto *, struct node_host *, struct node_host *); void expand_nat(struct pf_nat *, struct node_if *, struct node_proto *, @@ -805,22 +805,13 @@ host : address | address '/' number { struct node_host *n; for (n = $1; n; n = n->next) { - if ($1->af == AF_INET) { - if ($3 > 32) { - yyerror( - "illegal netmask value /%d", - $3); - YYERROR; - } - } else { - if ($3 > 128) { - yyerror( - "illegal netmask value /%d", - $3); - YYERROR; - } + if (($1->af == AF_INET && $3 > 32) || + ($1->af == AF_INET6 && $3 > 128)) { + yyerror("illegal netmask value /%d", + $3); + YYERROR; } - ipmask(&n->mask, $3); + set_ipmask(n, $3); } $$ = $1; } @@ -842,7 +833,7 @@ address : '(' STRING ')' { if ($$ == NULL) err(1, "address: calloc"); $$->af = 0; - ipmask(&$$->mask, 128); + set_ipmask($$, 128); $$->addr.addr_dyn = (struct pf_addr_dyn *)1; strncpy($$->addr.addr.pfa.ifname, $2, sizeof($$->addr.addr.pfa.ifname)); @@ -2663,10 +2654,13 @@ parse_rules(FILE *input, struct pfctl *xpf) } void -ipmask(struct pf_addr *m, u_int8_t b) +set_ipmask(struct node_host *h, u_int8_t b) { + struct pf_addr *m, *n; int i, j = 0; + m = &h->mask; + for (i = 0; i < 4; i++) m->addr32[i] = 0; @@ -2678,6 +2672,11 @@ ipmask(struct pf_addr *m, u_int8_t b) m->addr32[j] |= (1 << i); if (b) m->addr32[j] = htonl(m->addr32[j]); + + /* Mask off bits of the address that will never be used. */ + n = &h->addr.addr; + for (i = 0; i < 4; i++) + n->addr32[i] = n->addr32[i] & m->addr32[i]; } /* @@ -2852,9 +2851,9 @@ ifa_lookup(char *ifa_name, enum pfctl_iflookup_mode mode) memcpy(&n->mask, &p->mask, sizeof(struct pf_addr)); else { if (n->af == AF_INET) - ipmask(&n->mask, 32); + set_ipmask(n, 32); else - ipmask(&n->mask, 128); + set_ipmask(n, 128); } n->ifindex = p->ifindex; @@ -2930,7 +2929,7 @@ host(char *s) h->af = AF_INET; h->addr.addr_dyn = NULL; h->addr.addr.addr32[0] = ina.s_addr; - ipmask(&h->mask, 32); + set_ipmask(h, 32); h->next = NULL; h->tail = h; return (h); @@ -2950,7 +2949,7 @@ host(char *s) &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, sizeof(n->addr.addr)); n->ifindex = ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id; - ipmask(&n->mask, 128); + set_ipmask(n, 128); freeaddrinfo(res); n->next = NULL; n->tail = n; @@ -2979,14 +2978,14 @@ host(char *s) memcpy(&n->addr.addr, &((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr, sizeof(struct in_addr)); - ipmask(&n->mask, 32); + set_ipmask(n, 32); } else { memcpy(&n->addr.addr, &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr, sizeof(struct in6_addr)); n->ifindex = ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id; - ipmask(&n->mask, 128); + set_ipmask(n, 128); } n->next = NULL; n->tail = n; |