authorClaudio Jeker <claudio@cvs.openbsd.org>2009-11-03 10:59:05 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2009-11-03 10:59:05 +0000
commitaa799beefd4c8fce27ceb0fd6ed143fb40859be2 (patch)
tree6e6ca07fa0c49af532b084c80a89d926a9a3bd0f /sbin/pfctl
parente5888cd56b381838e11260d5af85260b96ce1f4e (diff)
rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of an rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@; tested by sthen@, jsg@ and probably more. OK dlg@, mpf@, deraadt@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/pf_print_state.c22
-rw-r--r--sbin/pfctl/pfctl.h4
2 files changed, 16 insertions, 10 deletions
diff --git a/sbin/pfctl/pf_print_state.c b/sbin/pfctl/pf_print_state.c
index d10c674f1cc..133f7afa28a 100644
--- a/sbin/pfctl/pf_print_state.c
+++ b/sbin/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.54 2009/03/19 01:00:16 bluhm Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.55 2009/11/03 10:59:04 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -165,8 +165,12 @@ print_name(struct pf_addr *addr, sa_family_t af)
}
void
-print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
+print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int rdom,
+ int opts)
{
+ if (rdom)
+ printf("(%d) ", rdom);
+
if (opts & PF_OPT_USEDNS)
print_name(addr, af);
else {
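Review bot: The new `rdom` prefix at the top of print_host is undocumented, and the behaviour it encodes is not obvious from the output: a routing domain of 0 prints nothing, so a reader of `pfctl -ss` cannot distinguish "default domain" from "no domain recorded". I would add `/* prefix the host with its routing domain; 0 (the default rdomain) is not shown */` above the `if (rdom)`. The value arrives as a plain `int` and is printed with `%d`, while the pfsync key field it is copied from is presumably unsigned and narrower; if that field is `u_int16_t`, using `%u` (or an unsigned parameter) would make the type contract explicit and rule out a negative value ever being printed. print_host's body continues past the end of this hunk.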
@@ -231,22 +235,24 @@ print_state(struct pfsync_state *s, int opts)
else
printf("%u ", s->proto);
- print_host(&nk->addr[1], nk->port[1], s->af, opts);
+ print_host(&nk->addr[1], nk->port[1], s->af, nk->rdomain, opts);
if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
- nk->port[1] != sk->port[1]) {
+ nk->port[1] != sk->port[1] ||
+ nk->rdomain != sk->rdomain) {
printf(" (");
- print_host(&sk->addr[1], sk->port[1], s->af, opts);
+ print_host(&sk->addr[1], sk->port[1], s->af, sk->rdomain, opts);
printf(")");
}
if (s->direction == PF_OUT)
printf(" -> ");
else
printf(" <- ");
- print_host(&nk->addr[0], nk->port[0], s->af, opts);
+ print_host(&nk->addr[0], nk->port[0], s->af, nk->rdomain, opts);
if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
- nk->port[0] != sk->port[0]) {
+ nk->port[0] != sk->port[0] ||
+ nk->rdomain != sk->rdomain) {
printf(" (");
- print_host(&sk->addr[0], sk->port[0], s->af, opts);
+ print_host(&sk->addr[0], sk->port[0], s->af, sk->rdomain, opts);
printf(")");
}
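Review bot: The `nk->rdomain != sk->rdomain` test is added to both endpoint comparisons (the `addr[1]`/`port[1]` block and the `addr[0]`/`port[0]` block), but rdomain is a property of the whole key rather than of one endpoint, so a state whose only translation is a move between routing domains will print the parenthesized original key after both endpoints even though no address or port changed. That differs from the address/port case, where only the endpoint that was actually rewritten is annotated; if the double annotation is intended, a comment such as `/* an rdomain change applies to the whole key, so both endpoints show their original */` would stop the next reader from "fixing" it. If it is not intended, the rdomain comparison belongs on only one of the two endpoints. print_state starts before and continues after this hunk.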
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index f9db55072dd..9976d993daa 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.43 2008/05/29 01:00:53 mcbride Exp $ */
+/* $OpenBSD: pfctl.h,v 1.44 2009/11/03 10:59:04 claudio Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -109,7 +109,7 @@ struct pf_altq *pfaltq_lookup(const char *);
char *rate2str(double);
void print_addr(struct pf_addr_wrap *, sa_family_t, int);
-void print_host(struct pf_addr *, u_int16_t p, sa_family_t, int);
+void print_host(struct pf_addr *, u_int16_t p, sa_family_t, int, int);
void print_seq(struct pfsync_state_peer *);
void print_state(struct pfsync_state *, int);
int unmask(struct pf_addr *, sa_family_t);
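Review bot: The updated prototype for print_host declares two adjacent unnamed `int` parameters, so a caller that transposes the new rdomain and the existing opts argument compiles silently and prints the option bits as a routing domain; the definition in pf_print_state.c names them `rdom` and `opts`, and the prototype should too, e.g. `void print_host(struct pf_addr *, u_int16_t p, sa_family_t, int rdom, int opts);`. The existing line already names `p` but nothing else, so naming both new ints also makes the declaration self-consistent.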