authorAaron Campbell <aaron@cvs.openbsd.org>2004-09-21 16:59:13 +0000
committerAaron Campbell <aaron@cvs.openbsd.org>2004-09-21 16:59:13 +0000
commit1b1b7e0ae965714670e0dda240c73d1e215242ce (patch)
treed7fb3721412e7ce3398afff543a7fd7f1331e4be
parent597a56a976641df53c64f741912ed1b884fcca9e (diff)
Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
-rw-r--r--sbin/pfctl/parse.y19
-rw-r--r--sbin/pfctl/pfctl.c3
-rw-r--r--sbin/pfctl/pfctl_parser.c10
-rw-r--r--share/man/man5/pf.conf.54
-rw-r--r--sys/net/pf_ioctl.c3
-rw-r--r--sys/net/pf_norm.c4
-rw-r--r--sys/net/pfvar.h4
7 files changed, 30 insertions, 17 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 7a5b152f033..749e82d009e 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.459 2004/06/29 22:14:13 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.460 2004/09/21 16:59:11 aaron Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -401,7 +401,8 @@ typedef struct {
%type <v.number> tos not yesno natpass
%type <v.i> no dir log af fragcache sourcetrack
%type <v.i> unaryop statelock
-%type <v.b> action nataction flags flag blockspec
+%type <v.b> action nataction scrubaction
+%type <v.b> flags flag blockspec
%type <v.range> port rport
%type <v.hashkey> hashkey
%type <v.proto> proto proto_list proto_item
@@ -728,7 +729,16 @@ loadrule : LOAD ANCHOR string FROM string {
free($5);
};
-scrubrule : SCRUB dir logquick interface af proto fromto scrub_opts
+scrubaction : no SCRUB {
+ $$.b2 = $$.w = 0;
+ if ($1)
+ $$.b1 = PF_NOSCRUB;
+ else
+ $$.b1 = PF_SCRUB;
+ }
+ ;
+
+scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
{
struct pf_rule r;
@@ -737,7 +747,7 @@ scrubrule : SCRUB dir logquick interface af proto fromto scrub_opts
memset(&r, 0, sizeof(r));
- r.action = PF_SCRUB;
+ r.action = $1.b1;
r.direction = $2;
r.log = $3.log;
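Review bot: `r.action` now becomes `PF_NOSCRUB` when `no` was given, but the rule still receives the `scrub_opts` from `$8` (applied later in the scrubrule action, past this hunk), so a line such as `no scrub in all random-id` is presumably accepted with options that can have no effect on an exclusion rule. A guard right after the action is set — reject the rule when `$1.b1 == PF_NOSCRUB` and any scrub option was supplied, with `yyerror("\"no scrub\" rule does not take scrub options");` — would catch a misread config at load time instead of silently ignoring it. Which field of scrub_opts records that an option was seen is not visible here, so the exact test is left to the author. The scrubrule action starts and ends outside this hunk.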
@@ -3500,6 +3510,7 @@ rule_consistent(struct pf_rule *r)
case PF_PASS:
case PF_DROP:
case PF_SCRUB:
+ case PF_NOSCRUB:
problems = filter_consistent(r);
break;
case PF_NAT:
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 0718c471860..c06c304a282 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.222 2004/08/26 16:35:36 jaredy Exp $ */
+/* $OpenBSD: pfctl.c,v 1.223 2004/09/21 16:59:11 aaron Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -839,6 +839,7 @@ pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
switch (r->action) {
case PF_SCRUB:
+ case PF_NOSCRUB:
if ((loadopt & PFCTL_FLAG_FILTER) == 0)
return (0);
rs_num = PF_RULESET_SCRUB;
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index e83ae9eab95..79c85406c2d 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.203 2004/07/16 23:44:25 frantzen Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.204 2004/09/21 16:59:11 aaron Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -628,11 +628,11 @@ print_src_node(struct pf_src_node *sn, int opts)
void
print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
{
- static const char *actiontypes[] = { "pass", "block", "scrub", "nat",
- "no nat", "binat", "no binat", "rdr", "no rdr" };
+ static const char *actiontypes[] = { "pass", "block", "scrub",
+ "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
static const char *anchortypes[] = { "anchor", "anchor", "anchor",
- "nat-anchor", "nat-anchor", "binat-anchor", "binat-anchor",
- "rdr-anchor", "rdr-anchor" };
+ "anchor", "nat-anchor", "nat-anchor", "binat-anchor",
+ "binat-anchor", "rdr-anchor", "rdr-anchor" };
int i, opts;
if (verbose)
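Review bot: `actiontypes[]` and `anchortypes[]` are positional on the action enum in pfvar.h, which is exactly why this commit had to rewrite both, yet nothing at the declaration says so; a comment above them, `/* both tables are indexed by pf_rule.action; keep in sync with the enum in pfvar.h */`, would warn the next person who adds an action. print_rule's body continues outside the hunk, so whether `r->action` is range-checked before the lookup is not visible here.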
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index a37a7fd34dd..4c0b60c3872 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.300 2004/09/10 12:40:49 jaredy Exp $
+.\" $OpenBSD: pf.conf.5,v 1.301 2004/09/21 16:59:11 aaron Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -2589,7 +2589,7 @@ queueopts = [ "bandwidth" bandwidth-spec ] |
schedulers = ( cbq-def | priq-def | hfsc-def )
bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
-action = "pass" | "block" [ return ] | "scrub"
+action = "pass" | "block" [ return ] | [ "no" ] "scrub"
return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
"return-icmp" [ "(" icmpcode ["," icmp6code ] ")" ] |
"return-icmp6" [ "(" icmp6code ")" ]
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 2eb48a748f2..e5c50615f16 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.130 2004/09/09 22:08:42 dhartmei Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.131 2004/09/21 16:59:12 aaron Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -257,6 +257,7 @@ pf_get_ruleset_number(u_int8_t action)
{
switch (action) {
case PF_SCRUB:
+ case PF_NOSCRUB:
return (PF_RULESET_SCRUB);
break;
case PF_PASS:
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 9d1cc22debe..3c3dbc062ca 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.96 2004/07/17 00:17:27 frantzen Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.97 2004/09/21 16:59:12 aaron Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -1244,7 +1244,7 @@ pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff,
}
}
- if (rm == NULL)
+ if (rm == NULL || rm->action == PF_NOSCRUB)
return (PF_PASS);
else
r->packets++;
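Review bot: The `PF_NOSCRUB` check is added only on the TCP path, and the diffstat shows no other code line of pf_norm.c changed, so pf_normalize_ip and pf_normalize_ip6 — if they select the first matching scrub rule the same way and then proceed on a non-NULL rule — would still apply fragment handling to traffic a `no scrub` rule was meant to exclude. Those functions are outside the hunk, so this is inferred rather than seen; if it holds, their post-match test needs the same shape, `if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS);`. A partial exclusion is worth closing because the man page change in this commit advertises `no scrub` as a general exclusion. pf_normalize_tcp's body starts and ends outside this hunk.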
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 1e23993297c..6bd93c7a714 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.202 2004/07/12 00:50:22 itojun Exp $ */
+/* $OpenBSD: pfvar.h,v 1.203 2004/09/21 16:59:12 aaron Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -49,7 +49,7 @@ struct ip;
enum { PF_INOUT, PF_IN, PF_OUT };
enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID };
-enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NAT, PF_NONAT,
+enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP };
enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };