authorCedric Berger <cedric@cvs.openbsd.org>2003-08-09 14:56:49 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2003-08-09 14:56:49 +0000
commitb7323c0ae2f827695d5f116067f71a7ad66431e4 (patch)
treef6ecc8a86c5cf9a94655c88ee236f4c7979d31bf /sbin/pfctl
parent0876dde502ec6049eb887678ab0a3bad64d94127 (diff)
This patch removes the restriction that tables cannot be used in routing or
redirection rules... The advantage of using tables in redirection/routing rules is not efficiency, in fact it will run slower than straight address pools. However, this brings a lot of flexibility to PF, allowing simple scripts/daemons to add/remove addresses from redirection/routing pools easily. This implementation supports all table features, including cidr blocks and negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6. Tables can also be combined with simple addresses, so the following rule will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }" ok henning@ mcbride@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y28
1 files changed, 9 insertions, 19 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 98daaec5d9e..5b89dcf3f1e 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.404 2003/07/29 18:47:43 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.405 2003/08/09 14:56:48 cedric Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2593,10 +2593,6 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
"address'");
YYERROR;
}
- if (disallow_table($7->host, "invalid use of "
- "table <%s> as the redirection address "
- "of a translation rule"))
- YYERROR;
if (!r.af && ! $7->host->ifindex)
r.af = $7->host->af;
@@ -2636,11 +2632,15 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
break;
}
+ r.rpool.opts = $8.type;
+ if (r.rpool.opts == PF_POOL_NONE)
+ r.rpool.opts = PF_POOL_ROUNDROBIN;
+ if (r.rpool.opts != PF_POOL_ROUNDROBIN)
+ if (disallow_table($7->host, "tables "
+ "are only supported in round-robin "
+ "redirection pools"))
+ YYERROR;
if ($7->host->next) {
- r.rpool.opts = $8.type;
- if (r.rpool.opts == PF_POOL_NONE)
- r.rpool.opts =
- PF_POOL_ROUNDROBIN;
if (r.rpool.opts !=
PF_POOL_ROUNDROBIN) {
yyerror("only round-robin "
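Review bot: The new table check at `if (r.rpool.opts != PF_POOL_ROUNDROBIN)` is an unbraced `if` whose body is another `if`, so the `YYERROR` depends on two levels of nesting that the stripped indentation makes easy to misread; folding the two conditions into one guard avoids the dangling-if hazard: `if (r.rpool.opts != PF_POOL_ROUNDROBIN && disallow_table($7->host, "tables are only supported in round-robin redirection pools")) YYERROR;`. The message passed to disallow_table here also drops the `<%s>` placeholder that the other disallow_table messages in this file carry, so the diagnostic presumably no longer names the offending table; if disallow_table still supplies the table name as a format argument, consider keeping the placeholder, e.g. `"table <%s> is only supported in round-robin redirection pools"`. The natrule action that contains this code starts and ends outside the hunk.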
@@ -2656,13 +2656,6 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
unmask(&$7->host->addr.v.a.mask,
r.af) == 128)) {
r.rpool.opts = PF_POOL_NONE;
- } else {
- if ($8.type == PF_POOL_NONE)
- r.rpool.opts =
- PF_POOL_ROUNDROBIN;
- else
- r.rpool.opts =
- $8.type;
}
}
}
@@ -2866,9 +2859,6 @@ route_host : STRING {
$$->ifname);
YYERROR;
}
- if (disallow_table($3, "invalid use of table <%s> in "
- "a route expression"))
- YYERROR;
}
;