authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-11-28 16:05:48 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-11-28 16:05:48 +0000
commitf3dee7913b56f8f8505740cc4f9d9faa8ef20697 (patch)
tree0c47974eebb04e628b9bb2664f15afe6804dba20 /sbin/pfctl
parentbe9a9c1cab09b852c5fa59520a7c9dd8737ef89d (diff)
The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set, it meant divert-to. Divert packet used a separate structure. This is confusing and makes it hard to add new features. It is better to have a divert type that explicitly says what is configured. Adapt the pf rule struct in kernel and pfctl, no functional change. Note that kernel and pfctl have to be updated together. OK sashan@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y10
-rw-r--r--sbin/pfctl/pfctl_parser.c41
2 files changed, 30 insertions, 21 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8b95b5dd6b0..06615c985ce 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.667 2017/11/27 23:21:50 bluhm Exp $ */
+/* $OpenBSD: parse.y,v 1.668 2017/11/28 16:05:46 bluhm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -4084,7 +4084,7 @@ rule_consistent(struct pf_rule *r, int anchor_call)
/* Basic rule sanity check. */
switch (r->action) {
case PF_MATCH:
- if (r->divert.port) {
+ if (r->divert.type != PF_DIVERT_NONE) {
yyerror("divert is not supported on match rules");
problems++;
}
@@ -4445,16 +4445,18 @@ expand_divertspec(struct pf_rule *r, struct divertspec *ds)
r->divert.addr = ds->addr->addr.v.a.addr;
}
r->divert.port = ds->port;
+ r->divert.type = ds->type;
return (0);
case PF_DIVERT_REPLY:
if (r->direction == PF_IN) {
yyerror("divert-reply used with incoming rule");
return (1);
}
- r->divert.port = 1; /* some random value */
+ r->divert.type = ds->type;
return (0);
case PF_DIVERT_PACKET:
- r->divert_packet.port = ds->port;
+ r->divert.port = ds->port;
+ r->divert.type = ds->type;
return (0);
}
return (1);
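Review bot: `r->divert.type = ds->type;` is now written separately in each of the three arms that return 0 (the PF_DIVERT_TO arm, PF_DIVERT_REPLY and PF_DIVERT_PACKET); one `r->divert.type = ds->type;` placed before the switch would leave each arm to its type-specific fields only and make it harder to forget the assignment when another divert type is added. The PF_DIVERT_REPLY arm returns 1 on the `direction == PF_IN` check before reaching its assignment, so hoisting would also stamp the type on that error path; whether that is harmless depends on the caller discarding the rule on a non-zero return, which is not visible here. While here, the trailing `return (1);` after the switch reports no yyerror for an unexpected ds->type, unlike the direction check above it, so a bad type would fail silently at this level. The switch and the PF_DIVERT_TO arm begin before the hunk.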
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 5963b6bdffd..f0e43882790 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.317 2017/11/13 11:30:11 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.318 2017/11/28 16:05:47 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1077,24 +1077,31 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts)
}
if (r->rtableid != -1)
printf(" rtable %u", r->rtableid);
- if (r->divert.port) {
- if (PF_AZERO(&r->divert.addr, AF_INET6)) {
- printf(" divert-reply");
- } else {
- /* XXX cut&paste from print_addr */
- char buf[48];
+ switch (r->divert.type) {
+ case PF_DIVERT_NONE:
+ break;
+ case PF_DIVERT_TO: {
+ /* XXX cut&paste from print_addr */
+ char buf[48];
- printf(" divert-to ");
- if (inet_ntop(r->af, &r->divert.addr, buf,
- sizeof(buf)) == NULL)
- printf("?");
- else
- printf("%s", buf);
- printf(" port %u", ntohs(r->divert.port));
- }
+ printf(" divert-to ");
+ if (inet_ntop(r->af, &r->divert.addr, buf, sizeof(buf)) == NULL)
+ printf("?");
+ else
+ printf("%s", buf);
+ printf(" port %u", ntohs(r->divert.port));
+ break;
+ }
+ case PF_DIVERT_REPLY:
+ printf(" divert-reply");
+ break;
+ case PF_DIVERT_PACKET:
+ printf(" divert-packet port %u", ntohs(r->divert.port));
+ break;
+ default:
+ printf(" divert ???");
+ break;
}
- if (r->divert_packet.port)
- printf(" divert-packet port %u", ntohs(r->divert_packet.port));
if (!anchor_call[0] && r->nat.addr.type != PF_ADDR_NONE &&
r->rule_flag & PFRULE_AFTO) {