diff options
| author | Cedric Berger <cedric@cvs.openbsd.org> | 2004-02-11 18:34:52 +0000 |
|---|---|---|
| committer | Cedric Berger <cedric@cvs.openbsd.org> | 2004-02-11 18:34:52 +0000 |
| commit | 9e3d280faaa9849cbdc0dc3bd88c06b10534a8db (patch) | |
| tree | f4809f21d7d3566a6113f33f808e9885a94b5e66 | |
| parent | f9a9de048dd628aff9872146742fc83e71ffb3de (diff) | |
Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@
| -rw-r--r-- | regress/sbin/pfctl/if2ip | 4 | ||||
| -rw-r--r-- | sbin/pfctl/parse.y | 19 |
2 files changed, 13 insertions, 10 deletions
diff --git a/regress/sbin/pfctl/if2ip b/regress/sbin/pfctl/if2ip index 8c4eb1e7cf6..56324cc25c1 100644 --- a/regress/sbin/pfctl/if2ip +++ b/regress/sbin/pfctl/if2ip @@ -3,8 +3,8 @@ # done by the userland pfctl tool and by the kernel PF dynamic code. if2ip_user() { - echo "pass in on tun100 from $1" | pfctl -nvf- 2>/dev/null \ - | awk '{print " "$7}' | sort -u + echo "pass in from $1" | pfctl -nvf- 2>/dev/null \ + | awk '{print " "(($3=="on")?$7:$5)}' | sort -u } kernel_spec() { diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 9a47c45001d..17254390222 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.440 2004/02/10 21:06:04 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.441 2004/02/11 18:34:51 cedric Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -878,9 +878,10 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { if (rule_label(&r, $5.label)) YYERROR; h = ifa_lookup(i->ifname, 0); - expand_rule(&r, NULL, NULL, NULL, NULL, - h, NULL, NULL, NULL, NULL, NULL, - NULL); + if (h != NULL) + expand_rule(&r, NULL, NULL, + NULL, NULL, h, NULL, NULL, + NULL, NULL, NULL, NULL); } } free($5.label); @@ -3982,9 +3983,9 @@ expand_rule(struct pf_rule *r, src_host->af != dst_host->af) || (src_host->ifindex && dst_host->ifindex && src_host->ifindex != dst_host->ifindex) || - (src_host->ifindex && if_nametoindex(interface->ifname) && + (src_host->ifindex && *interface->ifname && src_host->ifindex != if_nametoindex(interface->ifname)) || - (dst_host->ifindex && if_nametoindex(interface->ifname) && + (dst_host->ifindex && *interface->ifname && dst_host->ifindex != if_nametoindex(interface->ifname))) continue; if (!r->af && src_host->af) @@ -3992,12 +3993,14 @@ expand_rule(struct pf_rule *r, else if (!r->af && dst_host->af) r->af = dst_host->af; - if (if_indextoname(src_host->ifindex, ifname)) + if (*interface->ifname) + memcpy(r->ifname, interface->ifname, sizeof(r->ifname)); + else if (if_indextoname(src_host->ifindex, ifname)) memcpy(r->ifname, ifname, sizeof(r->ifname)); else if (if_indextoname(dst_host->ifindex, ifname)) memcpy(r->ifname, ifname, sizeof(r->ifname)); else - memcpy(r->ifname, interface->ifname, sizeof(r->ifname)); + memset(r->ifname, '\0', sizeof(r->ifname)); if (strlcpy(r->label, label, sizeof(r->label)) >= sizeof(r->label)) |