diff options
author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-05-14 23:51:30 +0000 |
---|---|---|
committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-05-14 23:51:30 +0000 |
commit | 4468520026b30756c78bc7326e2797114bc61854 (patch) | |
tree | b94d67c8c65f7ca66a56cad18885dc8b2820059d /sbin/pfctl | |
parent | 8c3c6c71c2b8d93cf283abe8b468d66ca5a61961 (diff) |
add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/parse.y | 26 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 5 |
2 files changed, 26 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 0b5b76ac45f..84a15dea6c1 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.381 2003/05/14 22:54:39 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.382 2003/05/14 23:51:28 frantzen Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -187,6 +187,7 @@ struct scrub_opts { int maxmss; int fragcache; int randomid; + int reassemble_tcp; } scrub_opts; struct queue_opts { @@ -358,7 +359,7 @@ typedef struct { %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE -%token FRAGNORM FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR +%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID %token REQUIREORDER %token ANTISPOOF FOR @@ -663,6 +664,14 @@ scrubrule : SCRUB dir logquick interface af proto fromto scrub_opts r.rule_flag |= PFRULE_NODF; if ($8.randomid) r.rule_flag |= PFRULE_RANDOMID; + if ($8.reassemble_tcp) { + if (r.direction != PF_INOUT) { + yyerror("reassmble tcp rules can not " + "specify direction"); + YYERROR; + } + r.rule_flag |= PFRULE_REASSEMBLE_TCP; + } if ($8.minttl) r.min_ttl = $8.minttl; if ($8.maxmss) @@ -726,6 +735,15 @@ scrub_opt : NODF { scrub_opts.marker |= SOM_FRAGCACHE; scrub_opts.fragcache = $1; } + | REASSEMBLE STRING { + if (strcasecmp($2, "tcp") != 0) + YYERROR; + if (scrub_opts.reassemble_tcp) { + yyerror("reassemble tcp cannot be respecified"); + YYERROR; + } + scrub_opts.reassemble_tcp = 1; + } | RANDOMID { if (scrub_opts.randomid) { yyerror("random-id cannot be respecified"); @@ -735,7 +753,7 @@ scrub_opt : NODF { } ; -fragcache : FRAGMENT FRAGNORM { $$ = 0; /* default */ } +fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } | FRAGMENT FRAGCROP { $$ = PFRULE_FRAGCROP; } | FRAGMENT FRAGDROP { $$ = PFRULE_FRAGDROP; } ; @@ -3692,7 +3710,7 @@ lookup(char *s) { "rdr", RDR}, { "rdr-anchor", RDRANCHOR}, { "realtime", REALTIME}, - { "reassemble", FRAGNORM}, + { "reassemble", REASSEMBLE}, { "reply-to", REPLYTO}, { "require-order", REQUIREORDER}, { "return", RETURN}, diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index c8a1525326e..af95a4bdcf3 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.155 2003/05/14 00:56:38 henning Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.156 2003/05/14 23:51:29 frantzen Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -727,6 +727,9 @@ print_rule(struct pf_rule *r, int verbose) if (r->allow_opts) printf("allow-opts "); if (r->action == PF_SCRUB) { + if (r->rule_flag & PFRULE_REASSEMBLE_TCP) + printf("reassemble tcp "); + if (r->rule_flag & PFRULE_FRAGDROP) printf("fragment drop-ovl "); else if (r->rule_flag & PFRULE_FRAGCROP) |