author | Cedric Berger <cedric@cvs.openbsd.org> | 2003-08-09 14:56:49 +0000 |
---|---|---|
committer | Cedric Berger <cedric@cvs.openbsd.org> | 2003-08-09 14:56:49 +0000 |
commit | b7323c0ae2f827695d5f116067f71a7ad66431e4 (patch) | |
tree | f6ecc8a86c5cf9a94655c88ee236f4c7979d31bf /sbin/pfctl | |
parent | 0876dde502ec6049eb887678ab0a3bad64d94127 (diff) |
This patch removes the restriction that tables cannot be used in routing or
redirection rules.
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation support all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/parse.y | 28 |
1 files changed, 9 insertions, 19 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 98daaec5d9e..5b89dcf3f1e 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.404 2003/07/29 18:47:43 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.405 2003/08/09 14:56:48 cedric Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2593,10 +2593,6 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
 "address'");
 YYERROR;
 }
- if (disallow_table($7->host, "invalid use of "
- "table <%s> as the redirection address "
- "of a translation rule"))
- YYERROR;
 if (!r.af && ! $7->host->ifindex)
 r.af = $7->host->af;
@@ -2636,11 +2632,15 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
 break;
 }
+ r.rpool.opts = $8.type;
+ if (r.rpool.opts == PF_POOL_NONE)
+ r.rpool.opts = PF_POOL_ROUNDROBIN;
+ if (r.rpool.opts != PF_POOL_ROUNDROBIN)
+ if (disallow_table($7->host, "tables "
+ "are only supported in round-robin "
+ "redirection pools"))
+ YYERROR;
 if ($7->host->next) {
- r.rpool.opts = $8.type;
- if (r.rpool.opts == PF_POOL_NONE)
- r.rpool.opts =
- PF_POOL_ROUNDROBIN;
 if (r.rpool.opts != PF_POOL_ROUNDROBIN) {
 yyerror("only round-robin "
@@ -2656,13 +2656,6 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
 unmask(&$7->host->addr.v.a.mask, r.af) == 128)) {
 r.rpool.opts = PF_POOL_NONE;
- } else {
- if ($8.type == PF_POOL_NONE)
- r.rpool.opts =
- PF_POOL_ROUNDROBIN;
- else
- r.rpool.opts =
- $8.type;
 }
 }
 }
@@ -2866,9 +2859,6 @@ route_host : STRING {
 $$->ifname);
 YYERROR;
 }
- if (disallow_table($3, "invalid use of table <%s> in "
- "a route expression"))
- YYERROR;
 }
 ;
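Review bot: The new table guard in the natrule action (hunk at -2636) is written as two nested unbraced `if` statements, `if (r.rpool.opts != PF_POOL_ROUNDROBIN) if (disallow_table(...)) YYERROR;`, which is the shape that silently misbinds an `else` or skips a statement on the next edit; folding it into one condition, `if (r.rpool.opts != PF_POOL_ROUNDROBIN && disallow_table($7->host, "tables are only supported in round-robin redirection pools")) YYERROR;`, keeps the same behaviour with one statement. Because the round-robin default is now applied before the `if ($7->host->next)` branch, a single table address appears to reach the else path where the hunk at -2656 calls `unmask(&$7->host->addr.v.a.mask, r.af)` and resets `r.rpool.opts = PF_POOL_NONE`; that condition starts outside the hunk, so it is worth confirming it excludes a PF_ADDR_TABLE host before reading `addr.v.a.mask`, otherwise a table could end up in a non-round-robin pool after the new check has already passed. The route_host hunk drops `disallow_table($3, ...)` with no replacement visible here; if routing pools are meant to carry the same round-robin-only rule for tables, that enforcement lives outside these hunks. The natrule action begins and ends outside the hunk.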