authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-08 20:13:21 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-08 20:13:21 +0000
commit615fa40fdb9c9961935e2cefd2bd118c7225347b (patch)
tree2fb3cd51ac24eb8f16755de83ae21fd59d9172f8 /sbin/pfctl/parse.y
parent18a76cba38a02030b3e3550931ecf3ffc7b27e97 (diff)
Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
Diffstat (limited to 'sbin/pfctl/parse.y')
-rw-r--r--sbin/pfctl/parse.y15
1 files changed, 13 insertions, 2 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index b37742ce037..f9845ff2a75 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.308 2003/02/05 16:05:54 cedric Exp $ */
+/* $OpenBSD: parse.y,v 1.309 2003/02/08 20:13:20 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -194,6 +194,7 @@ struct scrub_opts {
int minttl;
int maxmss;
int fragcache;
+ int randomid;
} scrub_opts;
struct queue_opts {
@@ -354,7 +355,7 @@ typedef struct {
%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token FRAGNORM FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
-%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY
+%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
%token REQUIREORDER YES
%token ANTISPOOF FOR
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
@@ -616,6 +617,8 @@ scrubrule : SCRUB dir logquick interface af fromto scrub_opts
r.af = $5;
if ($7.nodf)
r.rule_flag |= PFRULE_NODF;
+ if ($7.randomid)
+ r.rule_flag |= PFRULE_RANDOMID;
if ($7.minttl)
r.min_ttl = $7.minttl;
if ($7.maxmss)
@@ -679,6 +682,13 @@ scrub_opt : NODF {
scrub_opts.marker |= SOM_FRAGCACHE;
scrub_opts.fragcache = $1;
}
+ | RANDOMID {
+ if (scrub_opts.randomid) {
+ yyerror("random-id cannot be respecified");
+ YYERROR;
+ }
+ scrub_opts.randomid = 1;
+ }
;
fragcache : FRAGMENT FRAGNORM { $$ = 0; /* default */ }
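Review bot: The new RANDOMID alternative uses the `randomid` field itself as its re-specification guard, while the fragcache alternative visible just above it records its presence in `scrub_opts.marker` (`scrub_opts.marker |= SOM_FRAGCACHE;`); if the other scrub options follow the marker convention, adding a `SOM_RANDOMID` bit and checking `if (scrub_opts.marker & SOM_RANDOMID)` before setting it would keep the option handling uniform. The field-based check is correct as written provided scrub_opts is zeroed before each scrub rule is parsed, which is not visible in this hunk. The scrub_opt rule begins before the start of the hunk.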
@@ -3623,6 +3633,7 @@ lookup(char *s)
{ "queue", QUEUE},
{ "quick", QUICK},
{ "random", RANDOM},
+ { "random-id", RANDOMID},
{ "rdr", RDR},
{ "rdr-anchor", RDRANCHOR},
{ "reassemble", FRAGNORM},