authorMichele Marchetto <michele@cvs.openbsd.org>2009-10-04 16:08:38 +0000
committerMichele Marchetto <michele@cvs.openbsd.org>2009-10-04 16:08:38 +0000
commit82b30916c9515794d7aca77e8c937fc5e0455586 (patch)
treece06c3cb91a134e4d7d4cb69f04155cf3c8ba2dc /sbin/pfctl
parentdd5c2f75fe5e092eb892c438f7f87faa2e57fcb6 (diff)
Add (again) support for divert sockets. They allow you to:
- queue packets from pf(4) to a userspace application - reinject packets from the application into the kernel stack. The divert socket can be bound to a special "divert port" and will receive every packet diverted to that port by pf(4). The pf syntax is pretty simple, e.g.: pass on em0 inet proto tcp from any to any port 80 divert-packet port 1 A lot of discussion has happened since my last commit, which resulted in many changes and improvements. I would *really* like to thank everyone who took part in the discussion, especially canacar@, who pointed out the limitations of this approach. OpenBSD divert(4) is meant to be compatible with software running on top of FreeBSD's divert sockets even though they are pretty different and will become even more so with time. discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@ tested by reyk@ and myself ok reyk@ claudio@ beck@ manpage help and ok by jmc@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y27
-rw-r--r--sbin/pfctl/pfctl_parser.c4
2 files changed, 27 insertions, 4 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 31553f93497..c6d1a164bb5 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.569 2009/09/08 17:52:17 michele Exp $ */
+/* $OpenBSD: parse.y,v 1.570 2009/10/04 16:08:37 michele Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -266,7 +266,7 @@ struct filter_opts {
struct {
struct node_host *addr;
u_int16_t port;
- } divert;
+ } divert, divert_packet;
struct redirspec nat;
struct redirspec rdr;
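Review bot: `divert_packet` reuses the anonymous struct declared for `divert`, so it carries an `addr` member that nothing in this diff ever sets or reads for the divert-packet case (only `.port` is assigned in the filter_opt action and copied into the rule). A short comment on the declaration, `} divert, divert_packet;	/* divert_packet uses only .port */`, would keep a later reader from assuming address-based diversion is supported for it; if the kernel's pf_rule mirrors this layout the shared shape may well be deliberate. struct filter_opts begins before this hunk.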
@@ -461,7 +461,7 @@ int parseport(char *, struct range *r, int);
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
-%token DIVERTTO DIVERTREPLY NATTO RDRTO
+%token DIVERTTO DIVERTREPLY DIVERTPACKET NATTO RDRTO
%token <v.string> STRING
%token <v.number> NUMBER
%token <v.i> PORTBINARY
@@ -2094,6 +2094,7 @@ pfrule : action dir logquick interface af proto fromto
$8.divert.addr->addr.v.a.addr;
}
}
+ r.divert_packet.port = $8.divert_packet.port;
expand_rule(&r, 0, $4, &$8.nat, &$8.rdr, $6, $7.src_os,
$7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
@@ -2227,6 +2228,21 @@ filter_opt : USER uids {
| DIVERTREPLY {
filter_opts.divert.port = 1; /* some random value */
}
+ | DIVERTPACKET PORT number {
+ /*
+ * If IP reassembly was not turned off, also
+ * forcibly enable TCP reassembly by default.
+ */
+ if (pf->reassemble & PF_REASS_ENABLED)
+ filter_opts.marker |= FOM_SCRUB_TCP;
+
+ if ($3 < 1 || $3 > 65535) {
+ yyerror("invalid divert port");
+ YYERROR;
+ }
+
+ filter_opts.divert_packet.port = htons($3);
+ }
| SCRUB '(' scrub_opts ')' {
filter_opts.nodf = $3.nodf;
filter_opts.minttl = $3.minttl;
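Review bot: The range check `if ($3 < 1 || $3 > 65535)` runs only after `filter_opts.marker |= FOM_SCRUB_TCP` has been applied, so a rule rejected for a bad port has already mutated parser state; moving the port validation to the top of the action, ahead of the reassembly test, keeps an invalid option from leaving side effects behind. Whether that matters in practice depends on filter_opts being reset before the next rule is parsed, which this hunk does not show. The comment above the marker line says what is done but not why divert-packet in particular forces TCP reassembly; a one-clause "why" there would save the next reader from guessing.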
@@ -3914,6 +3930,10 @@ rule_consistent(struct pf_rule *r, int anchor_call)
yyerror("divert is not supported on match rules");
problems++;
}
+ if (r->divert_packet.port) {
+ yyerror("divert is not supported on match rules");
+ problems++;
+ }
if (r->rt) {
yyerror("route-to, reply-to, dup-to and fastroute "
"must not be used on match rules");
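Review bot: The new check reports "divert is not supported on match rules", the same text as the `r->divert.port` check just above it, so a user cannot tell whether `divert-to`/`divert-reply` or `divert-packet` triggered the error; use `yyerror("divert-packet is not supported on match rules");` instead. rule_consistent also looks like the place to reject a rule that sets both `divert.port` and `divert_packet.port`, since the pfrule action copies both into the rule independently; whether the two are mutually exclusive in the kernel is not visible here, so treat that as a question rather than a defect. rule_consistent begins and ends outside this hunk.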
@@ -4836,6 +4856,7 @@ lookup(char *s)
{ "code", CODE},
{ "crop", FRAGCROP},
{ "debug", DEBUG},
+ { "divert-packet", DIVERTPACKET},
{ "divert-reply", DIVERTREPLY},
{ "divert-to", DIVERTTO},
{ "drop", DROP},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 5ec44787ac6..72e3739cd0e 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.248 2009/09/08 17:52:17 michele Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.249 2009/10/04 16:08:37 michele Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1015,6 +1015,8 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
printf(" port %u", ntohs(r->divert.port));
}
}
+ if (r->divert_packet.port)
+ printf(" divert-packet port %u", ntohs(r->divert_packet.port));
if (!anchor_call[0] && !TAILQ_EMPTY(&r->nat.list)) {
printf (" nat-to ");
print_pool(&r->nat, r->nat.proxy_port[0],