authorHenning Brauer <henning@cvs.openbsd.org>2003-05-10 00:45:25 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2003-05-10 00:45:25 +0000
commit82fda4a7ace7d818689554bcc39f589337ec1b31 (patch)
treea4ccdabfec402052578f8dc3dd2eef044c7c64f3 /sbin/pfctl
parentdc05d444409ca4f6ac6f08fbca33944b2959eceb (diff)
support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file ok pb@ dhartmei@ cedric@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y92
-rw-r--r--sbin/pfctl/pfctl.c9
-rw-r--r--sbin/pfctl/pfctl_parser.h5
3 files changed, 95 insertions, 11 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8e3ce470f2d..211f07f9e81 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.372 2003/05/03 16:50:38 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.373 2003/05/10 00:45:23 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -262,6 +262,15 @@ void remove_invalid_hosts(struct node_host **, sa_family_t *);
int invalid_redirect(struct node_host *, sa_family_t);
u_int16_t parseicmpspec(char *, sa_family_t);
+TAILQ_HEAD(loadanchorshead, loadanchors) loadanchorshead =
+ TAILQ_HEAD_INITIALIZER(loadanchorshead);
+struct loadanchors {
+ TAILQ_ENTRY(loadanchors) entries;
+ char *anchorname;
+ char *rulesetname;
+ char *filename;
+};
+
typedef struct {
union {
u_int32_t number;
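Review bot: `loadanchorshead` and `struct loadanchors` are introduced with no comment saying what an entry represents or who owns its three strings; each field is a strdup'd copy made in the loadrule action further down, so a line such as `/* one pending "load anchor" directive; all three strings are owned copies */` above the struct would capture that. The list head also has external linkage although, within this diff, only parse.y reads or writes it; `static` on the definition would keep it out of the global namespace if nothing outside the parser needs it.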
@@ -354,6 +363,7 @@ typedef struct {
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
%token QUEUE PRIORITY QLIMIT
+%token LOAD
%token <v.string> STRING
%token <v.i> PORTBINARY
%type <v.interface> interface if_list if_item_not if_item
@@ -406,6 +416,7 @@ ruleset : /* empty */
| ruleset binatrule '\n'
| ruleset pfrule '\n'
| ruleset anchorrule '\n'
+ | ruleset loadrule '\n'
| ruleset altqif '\n'
| ruleset queuespec '\n'
| ruleset varset '\n'
@@ -582,6 +593,43 @@ anchorrule : ANCHOR string dir interface af proto fromto {
}
;
+loadrule : LOAD ANCHOR string FROM string {
+ char *t;
+ struct loadanchors *loadanchor;
+
+ t = strsep(&$3, ":");
+ if (*t == '\0' || *$3 == '\0') {
+ yyerror("anchor '%s' invalid\n", $3);
+ YYERROR;
+ }
+ if (strlen(t) >= PF_ANCHOR_NAME_SIZE) {
+ yyerror("anchorname %s too long, max %u\n",
+ t, PF_ANCHOR_NAME_SIZE - 1);
+ YYERROR;
+ }
+ if (strlen($3) >= PF_RULESET_NAME_SIZE) {
+ yyerror("rulesetname %s too long, max %u\n",
+ $3, PF_RULESET_NAME_SIZE - 1);
+ YYERROR;
+ }
+
+ loadanchor = calloc(1, sizeof(struct loadanchors));
+ if (loadanchor == NULL)
+ err(1, "loadrule: calloc");
+ if ((loadanchor->anchorname = strdup(t)) == NULL)
+ err(1, "loadrule: strdup");
+ if ((loadanchor->rulesetname = strdup($3)) == NULL)
+ err(1, "loadrule: strdup");
+ if ((loadanchor->filename = strdup($5)) == NULL)
+ err(1, "loadrule: strdup");
+
+ TAILQ_INSERT_TAIL(&loadanchorshead, loadanchor,
+ entries);
+
+ free(t); /* not $3 */
+ free($5);
+ };
+
scrubrule : SCRUB dir logquick interface af fromto scrub_opts
{
struct pf_rule r;
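Review bot: `strsep(&$3, ":")` sets `$3` to NULL when the argument contains no ':', so the `*$3` test on the following line dereferences NULL for an input of the form `load anchor foo from /path`; the guard should be `if ($3 == NULL || *t == '\0' || *$3 == '\0') {`. The yyerror in that branch prints `$3`, which after the split is only the ruleset half (or NULL), rather than the name the user wrote; printing `t` is at least never NULL. Every YYERROR path also leaks `t` and `$5`, which the success path frees, so `free(t); free($5);` belong before each YYERROR.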
@@ -3586,6 +3634,7 @@ lookup(char *s)
{ "label", LABEL},
{ "limit", LIMIT},
{ "linkshare", LINKSHARE},
+ { "load", LOAD},
{ "log", LOG},
{ "log-all", LOGALL},
{ "loginterface", LOGINTERFACE},
@@ -3873,15 +3922,24 @@ parse_rules(FILE *input, struct pfctl *xpf)
lineno = 1;
errors = 0;
rulestate = PFCTL_STATE_NONE;
+ returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
+ returnicmp6default =
+ (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
+ blockpolicy = PFRULE_DROP;
+ require_order = 1;
+
yyparse();
- /* Check which macros have not been used. */
- if (pf->opts & PF_OPT_VERBOSE2)
- for (sym = TAILQ_FIRST(&symhead); sym;
- sym = TAILQ_NEXT(sym, entries))
- if (!sym->used)
- fprintf(stderr, "warning: macro '%s' not "
- "used\n", sym->nam);
+ /* Free macros and check which have not been used. */
+ TAILQ_FOREACH(sym, &symhead, entries) {
+ if ((pf->opts & PF_OPT_VERBOSE2) && !sym->used)
+ fprintf(stderr, "warning: macro '%s' not "
+ "used\n", sym->nam);
+ free(sym->nam);
+ free(sym->val);
+ TAILQ_REMOVE(&symhead, sym, entries);
+ }
+
return (errors ? -1 : 0);
}
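Review bot: The new macro-freeing loop releases `sym->nam` and `sym->val` and unlinks the node, but never frees `sym` itself, so every symbol struct is leaked on each call of parse_rules (whose body begins outside this hunk). It also calls TAILQ_REMOVE from inside TAILQ_FOREACH, which only works because the removed node's next pointer is still readable afterwards; a TAILQ_FIRST loop avoids that dependency. Assuming the nodes are heap-allocated where the symbol table is built (not visible here), the loop can be written as below.
```c
	/* Free macros and check which have not been used. */
	while ((sym = TAILQ_FIRST(&symhead)) != NULL) {
		if ((pf->opts & PF_OPT_VERBOSE2) && !sym->used)
			fprintf(stderr, "warning: macro '%s' not "
			    "used\n", sym->nam);
		free(sym->nam);
		free(sym->val);
		TAILQ_REMOVE(&symhead, sym, entries);
		free(sym);
	}
```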
@@ -4106,3 +4164,21 @@ parseicmpspec(char *w, sa_family_t af)
}
return (icmptype << 8 | ulval);
}
+
+int
+pfctl_load_anchors(int dev, int opts)
+{
+ struct loadanchors *la;
+
+ TAILQ_FOREACH(la, &loadanchorshead, entries) {
+ if (opts & PF_OPT_VERBOSE)
+ fprintf(stderr, "\nLoading anchor %s:%s from %s\n",
+ la->anchorname, la->rulesetname, la->filename);
+ if (pfctl_rules(dev, la->filename, opts, la->anchorname,
+ la->rulesetname) == -1)
+ return (-1);
+ }
+
+ return (0);
+}
+
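Review bot: Nothing ever removes or frees the entries on loadanchorshead, so the node and three strdup'd strings from every `load anchor` directive leak and remain queued after pfctl_load_anchors returns; draining the list as it is processed fixes both. Because pfctl_rules re-enters parse_rules for each anchor file, a `load anchor` line inside such a file appends to the same list while this loop is iterating it and is then visited by this loop rather than by the nested call (inferred from the pfctl.c hunk, which only calls pfctl_load_anchors for the main ruleset); a file that names itself would never terminate, so a comment stating that nesting is unbounded, or a depth guard, is worth adding. A rewritten body is below.
```c
int
pfctl_load_anchors(int dev, int opts)
{
	struct loadanchors *la;
	int rc;

	/*
	 * Drain the list so a later parse starts empty.  Entries appended by
	 * a nested parse_rules() are visited here as well; nothing bounds
	 * the nesting depth -- TODO confirm whether a guard is wanted.
	 */
	while ((la = TAILQ_FIRST(&loadanchorshead)) != NULL) {
		TAILQ_REMOVE(&loadanchorshead, la, entries);
		if (opts & PF_OPT_VERBOSE)
			fprintf(stderr, "\nLoading anchor %s:%s from %s\n",
			    la->anchorname, la->rulesetname, la->filename);
		rc = pfctl_rules(dev, la->filename, opts, la->anchorname,
		    la->rulesetname);
		free(la->anchorname);
		free(la->rulesetname);
		free(la->filename);
		free(la);
		if (rc == -1)
			return (-1);
	}

	return (0);
}
```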
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 839838dd588..3e7067cb981 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.169 2003/04/30 13:22:26 henning Exp $ */
+/* $OpenBSD: pfctl.c,v 1.170 2003/05/10 00:45:24 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -72,7 +72,6 @@ int pfctl_show_states(int, u_int8_t, int);
int pfctl_show_status(int);
int pfctl_show_timeouts(int);
int pfctl_show_limits(int);
-int pfctl_rules(int, char *, int, char *, char *);
int pfctl_debug(int, u_int32_t, int);
int pfctl_clear_rule_counters(int, int);
int pfctl_test_altqsupport(int, int);
@@ -1026,6 +1025,12 @@ pfctl_rules(int dev, char *filename, int opts, char *anchorname,
}
if (fin != stdin)
fclose(fin);
+
+ /* process "load anchor" directives */
+ if (!anchorname[0] && !rulesetname[0])
+ if (pfctl_load_anchors(dev, opts) == -1)
+ return (-1);
+
return (0);
}
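Review bot: The two nested `if` statements added before the final return have no braces, which is fragile for this shape (a line inserted between them silently changes what the inner test guards); a single condition reads better: `if (!anchorname[0] && !rulesetname[0] && pfctl_load_anchors(dev, opts) == -1)` / `return (-1);`. The comment above it could also say why the guard exists, e.g. `/* process "load anchor" directives; only the main ruleset triggers loads */`, since the empty-name test is what defers directives seen inside an anchor file to the outer call — that deferral is inferred from the guard, so confirm it. pfctl_rules starts outside this hunk.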
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 48e8ef74f19..abaeacf2360 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.59 2003/04/30 12:30:27 cedric Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.60 2003/05/10 00:45:24 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -123,6 +123,8 @@ struct node_queue_opt {
} data;
};
+int pfctl_rules(int, char *, int, char *, char *);
+
int pfctl_add_rule(struct pfctl *, struct pf_rule *);
int pfctl_add_altq(struct pfctl *, struct pf_altq *);
int pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
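Review bot: `pfctl_rules` is defined in pfctl.c but is now declared here next to the parser API, because pfctl_load_anchors in parse.y calls back into it; that makes parse.y and pfctl.c mutually dependent, which is worth a one-line comment such as `/* defined in pfctl.c; called back from pfctl_load_anchors() */` so a reader does not look for the definition in the parser.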
@@ -135,6 +137,7 @@ int pfctl_set_logif(struct pfctl *, char *);
int parse_rules(FILE *, struct pfctl *);
int parse_flags(char *);
+int pfctl_load_anchors(int, int);
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_rule(struct pf_rule *, int);