authorMike Frantzen <frantzen@cvs.openbsd.org>2003-05-14 23:51:30 +0000
committerMike Frantzen <frantzen@cvs.openbsd.org>2003-05-14 23:51:30 +0000
commit4468520026b30756c78bc7326e2797114bc61854 (patch)
treeb94d67c8c65f7ca66a56cad18885dc8b2820059d /sbin/pfctl
parent8c3c6c71c2b8d93cf283abe8b468d66ca5a61961 (diff)
add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y26
-rw-r--r--sbin/pfctl/pfctl_parser.c5
2 files changed, 26 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0b5b76ac45f..84a15dea6c1 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.381 2003/05/14 22:54:39 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.382 2003/05/14 23:51:28 frantzen Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -187,6 +187,7 @@ struct scrub_opts {
int maxmss;
int fragcache;
int randomid;
+ int reassemble_tcp;
} scrub_opts;
struct queue_opts {
@@ -358,7 +359,7 @@ typedef struct {
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
-%token FRAGNORM FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
+%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
%token REQUIREORDER
%token ANTISPOOF FOR
@@ -663,6 +664,14 @@ scrubrule : SCRUB dir logquick interface af proto fromto scrub_opts
r.rule_flag |= PFRULE_NODF;
if ($8.randomid)
r.rule_flag |= PFRULE_RANDOMID;
+ if ($8.reassemble_tcp) {
+ if (r.direction != PF_INOUT) {
+ yyerror("reassmble tcp rules can not "
+ "specify direction");
+ YYERROR;
+ }
+ r.rule_flag |= PFRULE_REASSEMBLE_TCP;
+ }
if ($8.minttl)
r.min_ttl = $8.minttl;
if ($8.maxmss)
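Review bot: The error text on the new yyerror call is misspelled (`reassmble`), and it is the string a user sees verbatim when a scrub rule with a direction is rejected; it should read `yyerror("reassemble tcp rules can not " "specify direction");`. Nothing in the hunk says why a direction is refused, so a one-line comment on the check would help, e.g. `/* stateful TCP normalization has to see both directions of a connection */` (hedged: the requirement is inferred from the commit message, not shown here). The enclosing scrubrule action starts and ends outside the hunk.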
@@ -726,6 +735,15 @@ scrub_opt : NODF {
scrub_opts.marker |= SOM_FRAGCACHE;
scrub_opts.fragcache = $1;
}
+ | REASSEMBLE STRING {
+ if (strcasecmp($2, "tcp") != 0)
+ YYERROR;
+ if (scrub_opts.reassemble_tcp) {
+ yyerror("reassemble tcp cannot be respecified");
+ YYERROR;
+ }
+ scrub_opts.reassemble_tcp = 1;
+ }
| RANDOMID {
if (scrub_opts.randomid) {
yyerror("random-id cannot be respecified");
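Review bot: The bare `YYERROR` after the strcasecmp check in the new REASSEMBLE STRING branch rejects any argument other than "tcp" without calling yyerror(), unlike every other branch in this hunk, so the user gets only a generic syntax error with no hint about what is accepted; add `yyerror("scrub reassemble supports only tcp");` before it. If STRING tokens carry heap-allocated text (not visible in this hunk), `$2` is also never freed on either path, and a `free($2)` after the comparison would cover both. The scrub_opt rule continues outside the hunk.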
@@ -735,7 +753,7 @@ scrub_opt : NODF {
}
;
-fragcache : FRAGMENT FRAGNORM { $$ = 0; /* default */ }
+fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ }
| FRAGMENT FRAGCROP { $$ = PFRULE_FRAGCROP; }
| FRAGMENT FRAGDROP { $$ = PFRULE_FRAGDROP; }
;
@@ -3692,7 +3710,7 @@ lookup(char *s)
{ "rdr", RDR},
{ "rdr-anchor", RDRANCHOR},
{ "realtime", REALTIME},
- { "reassemble", FRAGNORM},
+ { "reassemble", REASSEMBLE},
{ "reply-to", REPLYTO},
{ "require-order", REQUIREORDER},
{ "return", RETURN},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index c8a1525326e..af95a4bdcf3 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.155 2003/05/14 00:56:38 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.156 2003/05/14 23:51:29 frantzen Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -727,6 +727,9 @@ print_rule(struct pf_rule *r, int verbose)
if (r->allow_opts)
printf("allow-opts ");
if (r->action == PF_SCRUB) {
+ if (r->rule_flag & PFRULE_REASSEMBLE_TCP)
+ printf("reassemble tcp ");
+
if (r->rule_flag & PFRULE_FRAGDROP)
printf("fragment drop-ovl ");
else if (r->rule_flag & PFRULE_FRAGCROP)