authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-06-07 21:25:37 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-06-07 21:25:37 +0000
commit87739f251b80651d7bf5e456e0dc04696a638f9b (patch)
tree8a36dbdfa9d45f950ffcc830260b168b4eb45f94 /sbin/pfctl
parent1001fef5168442fee0d557002fbdd7ba550de37a (diff)
Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y39
-rw-r--r--sbin/pfctl/pfctl.c9
-rw-r--r--sbin/pfctl/pfctl_parser.c4
3 files changed, 40 insertions, 12 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 5a9eb9619b5..c2bd501998a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.74 2002/06/07 19:33:03 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.75 2002/06/07 21:25:35 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -170,6 +170,12 @@ typedef struct {
struct node_host *address;
struct range rport;
} *redirection;
+ struct {
+ int action;
+ struct {
+ u_int32_t max_states;
+ } options;
+ } keep_state;
} v;
int lineno;
} YYSTYPE;
@@ -180,13 +186,13 @@ typedef struct {
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
%token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
-%token NOROUTE FRAGMENT USER GROUP MAXMSS
+%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM
%token <v.string> STRING
%token <v.number> NUMBER
%token <v.i> PORTUNARY PORTBINARY
%type <v.interface> interface if_list if_item_not if_item
%type <v.number> port icmptype icmp6type minttl uid gid maxmss
-%type <v.i> no dir log quick af keep nodf allowopts fragment
+%type <v.i> no dir log quick af nodf allowopts fragment
%type <v.b> action flag flags blockspec
%type <v.range> dport rport
%type <v.proto> proto proto_list proto_item
@@ -200,6 +206,7 @@ typedef struct {
%type <v.route> route
%type <v.redirection> redirection
%type <v.string> label
+%type <v.keep_state> keep keep_opts
%%
ruleset : /* empty */
@@ -249,7 +256,8 @@ pfrule : action dir log quick interface route af proto fromto
r.flags = $12.b1;
r.flagset = $12.b2;
- r.keep_state = $14;
+ r.keep_state = $14.action;
+ r.max_states = $14.options.max_states;
if ($15)
r.rule_flag |= PFRULE_FRAGMENT;
@@ -958,9 +966,25 @@ icmp6type : STRING {
}
;
-keep : /* empty */ { $$ = 0; }
- | KEEP STATE { $$ = PF_STATE_NORMAL; }
- | MODULATE STATE { $$ = PF_STATE_MODULATE; }
+keep : /* empty */ { $$.action = 0; }
+ | KEEP STATE keep_opts {
+ $$.action = PF_STATE_NORMAL;
+ $$.options = $3.options;
+ }
+ | MODULATE STATE keep_opts {
+ $$.action = PF_STATE_MODULATE;
+ $$.options = $3.options;
+ }
+ ;
+
+keep_opts : /* empty */ { $$.options.max_states = 0; }
+ | '(' MAXIMUM NUMBER ')' {
+ if ($3 <= 0) {
+ yyerror("illegal keep states max value %d", $3);
+ YYERROR;
+ }
+ $$.options.max_states = $3;
+ }
;
fragment : /* empty */ { $$ = 0; }
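Review bot: The empty `keep` alternative at `keep : /* empty */ { $$.action = 0; }` sets only the action and leaves `$$.options.max_states` untouched, so for a rule written without `keep state` the pfrule action (outside this hunk) copies whatever the yacc value stack last held into `r.max_states`, a field that is then handed to the kernel as a per-rule connection ceiling. It should read `keep : /* empty */ { $$.action = 0; $$.options.max_states = 0; }`. Separately, the range check `if ($3 <= 0)` and the `%d` in `yyerror("illegal keep states max value %d", $3)` only make sense if `v.number` is a signed type; its declaration is not in this diff, and if NUMBER is unsigned the check degenerates to `== 0` and the format should be `%u`.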
@@ -1840,6 +1864,7 @@ lookup(char *s)
{ "label", LABEL},
{ "log", LOG},
{ "log-all", LOGALL},
+ { "max", MAXIMUM},
{ "max-mss", MAXMSS},
{ "min-ttl", MINTTL},
{ "modulate", MODULATE},
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 81dd612d407..b08b13261c2 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.68 2002/06/06 22:22:44 mickey Exp $ */
+/* $OpenBSD: pfctl.c,v 1.69 2002/06/07 21:25:35 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -410,9 +410,10 @@ pfctl_show_rules(int dev, int opts, int format)
default:
print_rule(&pr.rule);
if (opts & PF_OPT_VERBOSE)
- printf("[ Evaluations: %-10llu Packets: %-10llu "
- "Bytes: %-10llu ]\n\n", pr.rule.evaluations,
- pr.rule.packets, pr.rule.bytes);
+ printf("[ Evaluations: %-8llu Packets: %-8llu "
+ "Bytes: %-10llu States: %-6u]\n\n",
+ pr.rule.evaluations, pr.rule.packets,
+ pr.rule.bytes, pr.rule.states);
}
}
return (0);
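Review bot: The new format string drops the space that the old one kept before the closing bracket: `"Bytes: %-10llu States: %-6u]\n\n"` prints `States: 123456]` as soon as the count fills its six columns, where the previous `%-10llu ]` always left a gap; use `"Bytes: %-10llu States: %-6u ]\n\n"`. The `%u` also assumes `pr.rule.states` is an unsigned int; struct pf_rule is not part of this diff, so that is worth confirming against its declaration, since a width mismatch here is undefined behaviour rather than a cosmetic slip.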
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 51c8652821a..e843b6adba2 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.77 2002/06/07 19:30:40 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.78 2002/06/07 21:25:35 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -682,6 +682,8 @@ print_rule(struct pf_rule *r)
printf("keep state ");
else if (r->keep_state == PF_STATE_MODULATE)
printf("modulate state ");
+ if (r->max_states)
+ printf("(max %u) ", r->max_states);
if (r->rule_flag & PFRULE_FRAGMENT)
printf("fragment ");
if (r->rule_flag & PFRULE_NODF)
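Review bot: `(max %u)` is emitted whenever `r->max_states` is non-zero, independent of `r->keep_state`, yet the grammar in parse.y only accepts the option after `keep state`/`modulate state`; a rule without state tracking that carries a stale or kernel-filled value therefore prints as a line that `pfctl -f` cannot load back. Guard the print with the state flag: `if (r->keep_state && r->max_states)`. print_rule's body begins and ends outside this hunk.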