author | Philipp Buehler <pb@cvs.openbsd.org> | 2002-06-07 22:53:46 +0000 |
committer | Philipp Buehler <pb@cvs.openbsd.org> | 2002-06-07 22:53:46 +0000 |
commit | 8054398cb4c8dbeeb6b0876ca76083a4fbf64b02 (patch) | |
tree | abf3abfbb81546ebb1864fc323d0d041b7d0c0ac /sbin/pfctl | |
parent | 0e6e36db1460cfd12df1f2e2a905a6cf620d86c1 (diff) |
add the possibility to configure a TTL while return-rst
ok dhartmei@, ipv6 part itojun@ ok
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/parse.y | 14 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 11 |
2 files changed, 17 insertions, 8 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c2bd501998a..81cfaa8e36b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.75 2002/06/07 21:25:35 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.76 2002/06/07 22:53:45 pb Exp $ */
/* * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -186,7 +186,7 @@ typedef struct {
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
%token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
-%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM
+%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL
%token <v.string> STRING
%token <v.number> NUMBER
%token <v.i> PORTUNARY PORTBINARY
@@ -243,9 +243,10 @@ pfrule : action dir log quick interface route af proto fromto
memset(&r, 0, sizeof(r));
r.action = $1.b1;
- if ($1.b2)
+ if ($1.b2) {
r.rule_flag |= PFRULE_RETURNRST;
- else
+ r.return_ttl = $1.w;
+ } else
r.return_icmp = $1.w;
r.direction = $2;
r.log = $3;
@@ -312,6 +313,10 @@ action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
blockspec : /* empty */ { $$.b2 = 0; $$.w = 0; }
| RETURNRST { $$.b2 = 1; $$.w = 0;}
+ | RETURNRST '(' TTL NUMBER ')' {
+ $$.w = $4;
+ $$.b2 = 1;
+ }
| RETURNICMP {
$$.b2 = 0;
$$.w = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
@@ -1887,6 +1892,7 @@ lookup(char *s)
{ "scrub", SCRUB},
{ "state", STATE},
{ "to", TO},
+ { "ttl", TTL},
{ "user", USER},
};
const struct keywords *p;
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index e843b6adba2..fab149fb866 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.78 2002/06/07 21:25:35 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.79 2002/06/07 22:53:45 pb Exp $ */
/* * Copyright (c) 2001 Daniel Hartmeier 
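Review bot: The new `RETURNRST '(' TTL NUMBER ')'` alternative in the blockspec hunk copies `$4` into `$$.w` with no range check, so the parser accepts any NUMBER and, assuming `return_ttl` in struct pf_rule is the 8-bit field an IP TTL needs, an out-of-range value silently wraps before it reaches the kernel (`ttl 256` would become 0). A configured `ttl 0` is also indistinguishable from "no TTL given": the print_rule hunk in pfctl_parser.c tests `!r->return_ttl` and prints a bare `return-rst`, so such a rule does not round-trip through print_rule() as written. I would reject anything outside 1–255 in the grammar action, so the mistake is reported with a line number at load time rather than showing up as an unexpected TTL on the wire. The blockspec rule closes inside the hunk, but the pfrule action that consumes `$1.w` and the pf_rule field widths are outside it.
```yacc
		| RETURNRST '(' TTL NUMBER ')'	{
			if ($4 < 1 || $4 > 255) {
				yyerror("illegal ttl value %d", $4);
				YYERROR;
			}
			/* … unchanged: $$.w = $4; $$.b2 = 1; … */
		}
```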
@@ -535,9 +535,12 @@ print_rule(struct pf_rule *r)
printf("pass ");
else if (r->action == PF_DROP) {
printf("block ");
- if (r->rule_flag & PFRULE_RETURNRST)
- printf("return-rst ");
- else if (r->return_icmp) {
+ if (r->rule_flag & PFRULE_RETURNRST) {
+ if (!r->return_ttl)
+ printf("return-rst ");
+ else
+ printf("return-rst(ttl %d) ", r->return_ttl);
+ } else if (r->return_icmp) {
struct icmpcodeent *ic;
if (r->af != AF_INET6) |