diff options
| author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-04-24 18:10:26 +0000 |
|---|---|---|
| committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-04-24 18:10:26 +0000 |
| commit | 1a804d4f9927039663cbdd8465f7dd1d19d99545 (patch) | |
| tree | 37435a89152b1d4c3879651990532ff6a1ad89a2 /sbin/pfctl | |
| parent | 785a8619f7687670e72618ee146902fc4cf704e5 (diff) | |
Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).
Diffstat (limited to 'sbin/pfctl')
| -rw-r--r-- | sbin/pfctl/parse.y | 304 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl.c | 10 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_parser.c | 76 |
3 files changed, 277 insertions, 113 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 19a50de9ff5..13fa80b595a 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.60 2002/04/23 14:32:23 dhartmei Exp $ */ +/* $OpenBSD: parse.y,v 1.61 2002/04/24 18:10:25 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -68,7 +68,7 @@ struct node_proto { }; struct node_host { - struct pf_addr addr; + struct pf_addr_wrap addr; struct pf_addr mask; u_int8_t af; u_int8_t not; @@ -473,7 +473,16 @@ host : address { } ; -address : STRING { +address : '(' STRING ')' { + $$ = calloc(1, sizeof(struct node_host)); + if ($$ == NULL) + err(1, "address: calloc"); + $$->af = 0; + $$->addr.addr_dyn = (struct pf_addr_dyn *)1; + strncpy($$->addr.addr.pfa.ifname, $2, + sizeof($$->addr.addr.pfa.ifname)); + } + | STRING { struct hostent *hp; struct ifaddrs *ifa; @@ -489,7 +498,8 @@ address : STRING { if ($$ == NULL) err(1, "address: calloc"); $$->af = AF_INET; - memcpy(&$$->addr, &sin->sin_addr, + $$->addr.addr_dyn = NULL; + memcpy(&$$->addr.addr, &sin->sin_addr, sizeof(u_int32_t)); } else if ((ifa = ifa6_lookup($1))) { struct sockaddr_in6 *sin6 = @@ -501,7 +511,8 @@ address : STRING { if ($$ == NULL) err(1, "address: calloc"); $$->af = AF_INET6; - memcpy(&$$->addr, &sin6->sin6_addr, + $$->addr.addr_dyn = NULL; + memcpy(&$$->addr.addr, &sin6->sin6_addr, sizeof(struct pf_addr)); } else { yyerror("interface %s has no IP " @@ -519,7 +530,8 @@ address : STRING { if ($$ == NULL) err(1, "address: calloc"); $$->af = AF_INET6; - memcpy(&$$->addr, hp->h_addr, + $$->addr.addr_dyn = NULL; + memcpy(&$$->addr.addr, hp->h_addr, sizeof(struct pf_addr)); } } else { @@ -527,7 +539,9 @@ address : STRING { if ($$ == NULL) err(1, "address: calloc"); $$->af = AF_INET; - memcpy(&$$->addr, hp->h_addr, sizeof(u_int32_t)); + $$->addr.addr_dyn = NULL; + memcpy(&$$->addr.addr, hp->h_addr, + sizeof(u_int32_t)); } } | NUMBER '.' NUMBER '.' NUMBER '.' NUMBER { @@ -541,7 +555,8 @@ address : STRING { if ($$ == NULL) err(1, "address: calloc"); $$->af = AF_INET; - $$->addr.addr32[0] = htonl(($1 << 24) | + $$->addr.addr_dyn = NULL; + $$->addr.addr.addr32[0] = htonl(($1 << 24) | ($3 << 16) | ($5 << 8) | $7); } | IPV6ADDR { $$ = $1; } @@ -819,7 +834,7 @@ redirection : /* empty */ { $$ = NULL; } } ; -natrule : no NAT interface proto FROM ipspec TO ipspec redirection +natrule : no NAT interface af proto FROM ipspec TO ipspec redirection { struct pf_nat nat; @@ -836,59 +851,92 @@ natrule : no NAT interface proto FROM ipspec TO ipspec redirection nat.ifnot = $3->not; free($3); } - if ($4 != NULL) { - nat.proto = $4->proto; - free($4); + nat.af = $4; + if ($5 != NULL) { + nat.proto = $5->proto; + free($5); } - if ($6 != NULL && $8 != NULL && $6->af != $8->af) { + if ($7 != NULL && $9 != NULL && $7->af != $9->af) { yyerror("nat ip versions must match"); YYERROR; } - if ($6 != NULL) { - nat.af = $6->af; - memcpy(&nat.saddr, &$6->addr, + if ($7 != NULL) { + if ($7->addr.addr_dyn != NULL) { + if (!nat.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $7->af = nat.af; + } + if (nat.af && $7->af != nat.af) { + yyerror("nat ip versions must match"); + YYERROR; + } + nat.af = $7->af; + memcpy(&nat.saddr, &$7->addr, sizeof(nat.saddr)); - memcpy(&nat.smask, &$6->mask, + memcpy(&nat.smask, &$7->mask, sizeof(nat.smask)); - nat.snot = $6->not; - free($6); + nat.snot = $7->not; + free($7); } - if ($8 != NULL) { - nat.af = $8->af; - memcpy(&nat.daddr, &$8->addr, + if ($9 != NULL) { + if ($9->addr.addr_dyn != NULL) { + if (!nat.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $9->af = nat.af; + } + if (nat.af && $9->af != nat.af) { + yyerror("nat ip versions must match"); + YYERROR; + } + nat.af = $9->af; + memcpy(&nat.daddr, &$9->addr, sizeof(nat.daddr)); - memcpy(&nat.dmask, &$8->mask, + memcpy(&nat.dmask, &$9->mask, sizeof(nat.dmask)); - nat.dnot = $8->not; - free($8); + nat.dnot = $9->not; + free($9); } if (nat.no) { - if ($9 != NULL) { + if ($10 != NULL) { yyerror("'no nat' rule does not need '->'"); YYERROR; } } else { - if ($9 == NULL || $9->address == NULL) { + if ($10 == NULL || $10->address == NULL) { yyerror("'nat' rule requires '-> address'"); YYERROR; } - if (nat.af && $9->address->af != nat.af) { + if ($10->address->addr.addr_dyn != NULL) { + if (!nat.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $10->address->af = nat.af; + } + if (nat.af && $10->address->af != nat.af) { yyerror("nat ip versions must match"); YYERROR; } - nat.af = $9->address->af; - memcpy(&nat.raddr, &$9->address->addr, + nat.af = $10->address->af; + memcpy(&nat.raddr, &$10->address->addr, sizeof(nat.raddr)); - free($9->address); - free($9); + free($10->address); + free($10); } pfctl_add_nat(pf, &nat); } ; -binatrule : no BINAT interface proto FROM address TO ipspec redirection +binatrule : no BINAT interface af proto FROM address TO ipspec redirection { struct pf_binat binat; @@ -904,57 +952,90 @@ binatrule : no BINAT interface proto FROM address TO ipspec redirection sizeof(binat.ifname)); free($3); } - if ($4 != NULL) { - binat.proto = $4->proto; - free($4); + binat.af = $4; + if ($5 != NULL) { + binat.proto = $5->proto; + free($5); } - if ($6 != NULL && $8 != NULL && $6->af != $8->af) { + if ($7 != NULL && $9 != NULL && $7->af != $9->af) { yyerror("binat ip versions must match"); YYERROR; } - if ($6 != NULL) { - binat.af = $6->af; - memcpy(&binat.saddr, &$6->addr, + if ($7 != NULL) { + if ($7->addr.addr_dyn != NULL) { + if (!binat.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $7->af = binat.af; + } + if (binat.af && $7->af != binat.af) { + yyerror("binat ip versions must match"); + YYERROR; + } + binat.af = $7->af; + memcpy(&binat.saddr, &$7->addr, sizeof(binat.saddr)); - free($6); + free($7); } - if ($8 != NULL) { - binat.af = $8->af; - memcpy(&binat.daddr, &$8->addr, + if ($9 != NULL) { + if ($9->addr.addr_dyn != NULL) { + if (!binat.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $9->af = binat.af; + } + if (binat.af && $9->af != binat.af) { + yyerror("binat ip versions must match"); + YYERROR; + } + binat.af = $9->af; + memcpy(&binat.daddr, &$9->addr, sizeof(binat.daddr)); - memcpy(&binat.dmask, &$8->mask, + memcpy(&binat.dmask, &$9->mask, sizeof(binat.dmask)); - binat.dnot = $8->not; - free($8); + binat.dnot = $9->not; + free($9); } if (binat.no) { - if ($9 != NULL) { + if ($10 != NULL) { yyerror("'no binat' rule does not need" " '->'"); YYERROR; } } else { - if ($9 == NULL || $9->address == NULL) { + if ($10 == NULL || $10->address == NULL) { yyerror("'binat' rule requires" " '-> address'"); YYERROR; } - if (binat.af && $9->address->af != binat.af) { + if ($10->address->addr.addr_dyn != NULL) { + if (!binat.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $10->address->af = binat.af; + } + if (binat.af && $10->address->af != binat.af) { yyerror("binat ip versions must match"); YYERROR; } - binat.af = $9->address->af; - memcpy(&binat.raddr, &$9->address->addr, + binat.af = $10->address->af; + memcpy(&binat.raddr, &$10->address->addr, sizeof(binat.raddr)); - free($9->address); - free($9); + free($10->address); + free($10); } pfctl_add_binat(pf, &binat); } -rdrrule : no RDR interface proto FROM ipspec TO ipspec dport redirection +rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport redirection { struct pf_rdr rdr; @@ -971,58 +1052,90 @@ rdrrule : no RDR interface proto FROM ipspec TO ipspec dport redirection rdr.ifnot = $3->not; free($3); } - if ($4 != NULL) { - rdr.proto = $4->proto; - free($4); + if ($5 != NULL) { + rdr.proto = $5->proto; + free($5); } - if ($6 != NULL && $8 != NULL && $6->af != $8->af) { + if ($7 != NULL && $9 != NULL && $7->af != $9->af) { yyerror("rdr ip versions must match"); YYERROR; } - if ($6 != NULL) { - rdr.af = $6->af; - memcpy(&rdr.saddr, &$6->addr, + if ($7 != NULL) { + if ($7->addr.addr_dyn != NULL) { + if (!rdr.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $7->af = rdr.af; + } + if (rdr.af && $7->af != rdr.af) { + yyerror("rdr ip versions must match"); + YYERROR; + } + rdr.af = $7->af; + memcpy(&rdr.saddr, &$7->addr, sizeof(rdr.saddr)); - memcpy(&rdr.smask, &$6->mask, + memcpy(&rdr.smask, &$7->mask, sizeof(rdr.smask)); - rdr.snot = $6->not; - free($6); + rdr.snot = $7->not; + free($7); } - if ($8 != NULL) { - rdr.af = $8->af; - memcpy(&rdr.daddr, &$8->addr, + if ($9 != NULL) { + if ($9->addr.addr_dyn != NULL) { + if (!rdr.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $9->af = rdr.af; + } + if (rdr.af && $9->af != rdr.af) { + yyerror("rdr ip versions must match"); + YYERROR; + } + rdr.af = $9->af; + memcpy(&rdr.daddr, &$9->addr, sizeof(rdr.daddr)); - memcpy(&rdr.dmask, &$8->mask, + memcpy(&rdr.dmask, &$9->mask, sizeof(rdr.dmask)); - rdr.dnot = $8->not; - free($8); + rdr.dnot = $9->not; + free($9); } - rdr.dport = $9.a; - rdr.dport2 = $9.b; - rdr.opts |= $9.t; + rdr.dport = $10.a; + rdr.dport2 = $10.b; + rdr.opts |= $10.t; if (rdr.no) { - if ($10 != NULL) { + if ($11 != NULL) { yyerror("'no rdr' rule does not need '->'"); YYERROR; } } else { - if ($10 == NULL || $10->address == NULL) { + if ($11 == NULL || $11->address == NULL) { yyerror("'rdr' rule requires '-> address'"); YYERROR; } - if (rdr.af && $10->address->af != rdr.af) { + if ($11->address->addr.addr_dyn != NULL) { + if (!rdr.af) { + yyerror("address family (inet/" + "inet6) undefined"); + YYERROR; + } + $11->address->af = rdr.af; + } + if (rdr.af && $11->address->af != rdr.af) { yyerror("rdr ip versions must match"); YYERROR; } - rdr.af = $10->address->af; - memcpy(&rdr.raddr, &$10->address->addr, + rdr.af = $11->address->af; + memcpy(&rdr.raddr, &$11->address->addr, sizeof(rdr.raddr)); - free($10->address); - rdr.rport = $10->rport.a; - rdr.opts |= $10->rport.t; - free($10); + free($11->address); + rdr.rport = $11->rport.a; + rdr.opts |= $11->rport.t; + free($11); } if (rdr.proto && rdr.proto != IPPROTO_TCP && @@ -1064,7 +1177,12 @@ route : /* empty */ { | ROUTETO STRING ':' address { $$.string = strdup($2); $$.rt = PF_ROUTETO; - $$.addr = &$4->addr; + if ($4->addr.addr_dyn != NULL) { + yyerror("route-to does not support" + " dynamic addresses"); + YYERROR; + } + $$.addr = &$4->addr.addr; $$.af = $4->af; } | ROUTETO STRING { @@ -1075,7 +1193,12 @@ route : /* empty */ { | DUPTO STRING ':' address { $$.string = strdup($2); $$.rt = PF_DUPTO; - $$.addr = &$4->addr; + if ($4->addr.addr_dyn != NULL) { + yyerror("dup-to does not support" + " dynamic addresses"); + YYERROR; + } + $$.addr = &$4->addr.addr; $$.af = $4->af; } | DUPTO STRING { @@ -1179,6 +1302,11 @@ rule_consistent(struct pf_rule *r) yyerror("allow-opts can only be specified for pass rules"); problems++; } + if (!r->af && (r->src.addr.addr_dyn != NULL || + r->dst.addr.addr_dyn != NULL)) { + yyerror("dynamic addresses require address family (inet/inet6)"); + problems++; + } if (r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op || r->dst.port_op || r->flagset || r->type || r->code)) { yyerror("fragments can be filtered only on IP header fields"); @@ -1635,7 +1763,8 @@ top: if(!notv6addr && inet_pton(AF_INET6, lookahead, &addr) == 1) { node = calloc(1, sizeof(struct node_host)); node->af = AF_INET6; - memcpy (&node->addr, &addr, sizeof(addr)); + node->addr.addr_dyn = NULL; + memcpy (&node->addr.addr, &addr, sizeof(addr)); yylval.v.host = node; return IPV6ADDR; } else { @@ -1695,7 +1824,8 @@ top: #define allowed_in_string(x) \ (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ x != '{' && x != '}' && x != '<' && x != '>' && \ - x != '!' && x != '=' && x != '/' && x != '#' && x != ',' && x != ':')) + x != '!' && x != '=' && x != '/' && x != '#' && \ + x != ',' && x != ':' && x != '(' && x != ')')) if (isalnum(c)) { do { diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 56424ee8083..e7a4a2f7136 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.60 2002/04/01 20:01:16 dhartmei Exp $ */ +/* $OpenBSD: pfctl.c,v 1.61 2002/04/24 18:10:25 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -301,10 +301,10 @@ pfctl_kill_states(int dev, int opts) sources++; if (psk.psk_af == AF_INET) - psk.psk_src.addr.v4 = + psk.psk_src.addr.addr.v4 = ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr; else if (psk.psk_af == AF_INET6) - psk.psk_src.addr.v6 = + psk.psk_src.addr.addr.v6 = ((struct sockaddr_in6 *)resp[0]->ai_addr)-> sin6_addr; else @@ -335,11 +335,11 @@ pfctl_kill_states(int dev, int opts) dests++; if (psk.psk_af == AF_INET) - psk.psk_dst.addr.v4 = + psk.psk_dst.addr.addr.v4 = ((struct sockaddr_in *)resp[1]-> ai_addr)->sin_addr; else if (psk.psk_af == AF_INET6) - psk.psk_dst.addr.v6 = + psk.psk_dst.addr.addr.v6 = ((struct sockaddr_in6 *)resp[1]-> ai_addr)->sin6_addr; else diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index d7714290314..74eb673a698 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.65 2002/04/23 14:32:23 dhartmei Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.66 2002/04/24 18:10:25 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -55,7 +55,7 @@ #include "pfctl_parser.h" int unmask (struct pf_addr *, u_int8_t); -void print_addr (struct pf_addr *, struct pf_addr *, u_int8_t); +void print_addr (struct pf_addr_wrap *, struct pf_addr *, u_int8_t); void print_host (struct pf_state_host *, u_int8_t, int); void print_seq (struct pf_state_peer *); void print_port (u_int8_t, u_int16_t, u_int16_t, char *); @@ -277,17 +277,23 @@ unmask(struct pf_addr *m, u_int8_t af) } void -print_addr(struct pf_addr *addr, struct pf_addr *mask, u_int8_t af) +print_addr(struct pf_addr_wrap *addr, struct pf_addr *mask, u_int8_t af) { char buf[48]; - if (inet_ntop(af, addr, buf, sizeof(buf)) == NULL) - printf("?"); - else - printf("%s", buf); + if (addr->addr_dyn != NULL) + printf("(%s)", addr->addr.pfa.ifname); + else { + if (inet_ntop(af, &addr->addr, buf, sizeof(buf)) == NULL) + printf("?"); + else + printf("%s", buf); + } if (mask != NULL) { - if (!PF_AZERO(mask, af)) - printf("/%u", unmask(mask, af)); + int bits = unmask(mask, af); + + if (bits != (af == AF_INET ? 32 : 128)) + printf("/%u", bits); } } @@ -304,6 +310,7 @@ print_name(struct pf_addr *addr, struct pf_addr *mask, int af) printf("%s", hp->h_name); } if (mask != NULL) { + if (!PF_AZERO(mask, af)) printf("/%u", unmask(mask, af)); } @@ -316,8 +323,13 @@ print_host(struct pf_state_host *h, u_int8_t af, int opts) if (opts & PF_OPT_USEDNS) print_name(&h->addr, NULL, af); - else - print_addr(&h->addr, NULL, af); + else { + struct pf_addr_wrap aw; + + aw.addr = h->addr; + aw.addr_dyn = NULL; + print_addr(&aw, NULL, af); + } if (p) { if (af == AF_INET) @@ -392,6 +404,12 @@ print_nat(struct pf_nat *n) printf("! "); printf("%s ", n->ifname); } + if (n->af) { + if (n->af == AF_INET) + printf("inet "); + else + printf("inet6 "); + } if (n->proto) { struct protoent *p = getprotobynumber(n->proto); if (p != NULL) @@ -400,7 +418,7 @@ print_nat(struct pf_nat *n) printf("proto %u ", n->proto); } printf("from "); - if (!PF_AZERO(&n->saddr, n->af) || !PF_AZERO(&n->smask, n->af)) { + if (!PF_AZERO(&n->saddr.addr, n->af) || !PF_AZERO(&n->smask, n->af)) { if (n->snot) printf("! "); print_addr(&n->saddr, &n->smask, n->af); @@ -408,7 +426,7 @@ print_nat(struct pf_nat *n) } else printf("any "); printf("to "); - if (!PF_AZERO(&n->daddr, n->af) || !PF_AZERO(&n->dmask, n->af)) { + if (!PF_AZERO(&n->daddr.addr, n->af) || !PF_AZERO(&n->dmask, n->af)) { if (n->dnot) printf("! "); print_addr(&n->daddr, &n->dmask, n->af); @@ -432,6 +450,12 @@ print_binat(struct pf_binat *b) printf("on "); printf("%s ", b->ifname); } + if (b->af) { + if (b->af == AF_INET) + printf("inet "); + else + printf("inet6 "); + } if (b->proto) { struct protoent *p = getprotobynumber(b->proto); if (p != NULL) @@ -443,7 +467,7 @@ print_binat(struct pf_binat *b) print_addr(&b->saddr, NULL, b->af); printf(" "); printf("to "); - if (!PF_AZERO(&b->daddr, b->af) || !PF_AZERO(&b->dmask, b->af)) { + if (!PF_AZERO(&b->daddr.addr, b->af) || !PF_AZERO(&b->dmask, b->af)) { if (b->dnot) printf("! "); print_addr(&b->daddr, &b->dmask, b->af); @@ -469,6 +493,12 @@ print_rdr(struct pf_rdr *r) printf("! "); printf("%s ", r->ifname); } + if (r->af) { + if (r->af == AF_INET) + printf("inet "); + else + printf("inet6 "); + } if (r->proto) { struct protoent *p = getprotobynumber(r->proto); if (p != NULL) @@ -477,7 +507,7 @@ print_rdr(struct pf_rdr *r) printf("proto %u ", r->proto); } printf("from "); - if (!PF_AZERO(&r->saddr, r->af) || !PF_AZERO(&r->smask, r->af)) { + if (!PF_AZERO(&r->saddr.addr, r->af) || !PF_AZERO(&r->smask, r->af)) { if (r->snot) printf("! "); print_addr(&r->saddr, &r->smask, r->af); @@ -485,7 +515,7 @@ print_rdr(struct pf_rdr *r) } else printf("any "); printf("to "); - if (!PF_AZERO(&r->daddr, r->af) || !PF_AZERO(&r->dmask, r->af)) { + if (!PF_AZERO(&r->daddr.addr, r->af) || !PF_AZERO(&r->dmask, r->af)) { if (r->dnot) printf("! "); print_addr(&r->daddr, &r->dmask, r->af); @@ -685,8 +715,12 @@ print_rule(struct pf_rule *r) if (r->rt_ifname[0]) printf("%s", r->rt_ifname); if (r->af && !PF_AZERO(&r->rt_addr, r->af)) { + struct pf_addr_wrap aw; + + aw.addr = r->rt_addr; + aw.addr_dyn = NULL; printf(":"); - print_addr(&r->rt_addr, NULL, r->af); + print_addr(&aw, NULL, r->af); } printf(" "); } @@ -703,17 +737,17 @@ print_rule(struct pf_rule *r) else printf("proto %u ", r->proto); } - if (PF_AZERO(&r->src.addr, AF_INET6) && + if (PF_AZERO(&r->src.addr.addr, AF_INET6) && PF_AZERO(&r->src.mask, AF_INET6) && !r->src.noroute && !r->dst.noroute && - !r->src.port_op && PF_AZERO(&r->dst.addr, AF_INET6) && + !r->src.port_op && PF_AZERO(&r->dst.addr.addr, AF_INET6) && PF_AZERO(&r->dst.mask, AF_INET6) && !r->dst.port_op) printf("all "); else { printf("from "); if (r->src.noroute) printf("no-route "); - else if (PF_AZERO(&r->src.addr, AF_INET6) && + else if (PF_AZERO(&r->src.addr.addr, AF_INET6) && PF_AZERO(&r->src.mask, AF_INET6)) printf("any "); else { @@ -730,7 +764,7 @@ print_rule(struct pf_rule *r) printf("to "); if (r->dst.noroute) printf("no-route "); - else if (PF_AZERO(&r->dst.addr, AF_INET6) && + else if (PF_AZERO(&r->dst.addr.addr, AF_INET6) && PF_AZERO(&r->dst.mask, AF_INET6)) printf("any "); else { |