authorKjell Wooding <kjell@cvs.openbsd.org>2002-06-10 23:07:47 +0000
committerKjell Wooding <kjell@cvs.openbsd.org>2002-06-10 23:07:47 +0000
commitda5d85c6ff54f05cbd015a3485684370dc333f82 (patch)
treea4fd0c0f3c71a6d81e4ae0454cd41d595f66d073 /sbin/pfctl
parent423957fd9ca5294d045595202dfb2441640e4072 (diff)
Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in: scrub rules, nat rules, filter rules. The -N and -R modifiers go away. Rulefiles are now loaded with the more POSIXly-correct '-f'. ok frantzen@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y57
-rw-r--r--sbin/pfctl/pfctl.c71
2 files changed, 46 insertions, 82 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index d40a4c3479e..436b8d32e62 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.93 2002/06/10 19:31:44 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.94 2002/06/10 23:07:46 kjell Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -55,8 +55,11 @@ static FILE *fin = NULL;
static int debug = 0;
static int lineno = 1;
static int errors = 0;
-static int natmode = 0;
+static int rulestate = 0;
+enum {PFCTL_STATE_NONE=0, PFCTL_STATE_SCRUB=1,
+ PFCTL_STATE_NAT=2, PFCTL_STATE_FILTER=3};
+
struct node_if {
char ifname[IFNAMSIZ];
u_int8_t not;
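Review bot: `rulestate` is declared as a plain `int` on the line before the enum that names its legal values, and nothing says what the variable tracks. Moving the enum above the declaration and adding a one-line comment such as `/* highest rule section seen so far; sections must appear in the order scrub, nat, filter */` would let a reader understand the `rulestate > PFCTL_STATE_*` guards in the rule actions without hunting for them.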
@@ -231,10 +234,10 @@ typedef struct {
ruleset : /* empty */
| ruleset '\n'
| ruleset scrubrule '\n'
- | ruleset pfrule '\n'
| ruleset natrule '\n'
| ruleset binatrule '\n'
| ruleset rdrrule '\n'
+ | ruleset pfrule '\n'
| ruleset varset '\n'
| ruleset error '\n' { errors++; }
;
@@ -253,6 +256,13 @@ varset : STRING PORTUNARY STRING
scrubrule : SCRUB dir interface fromto nodf minttl maxmss
{
struct pf_rule r;
+
+ if (rulestate > PFCTL_STATE_SCRUB) {
+ yyerror("Rules must in order: "
+ "scrub, nat, filter");
+ YYERROR;
+ }
+ rulestate = PFCTL_STATE_SCRUB;
memset(&r, 0, sizeof(r));
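Review bot: The user-facing diagnostic `"Rules must in order: " "scrub, nat, filter"` is missing the verb; it should read `"Rules must be in order: scrub, nat, filter"`. The same message and the same five-line check/assign sequence are copied into the pfrule, natrule, binatrule and rdrrule actions in the following hunks, so a single static helper in the C preamble would fix the wording once and keep the five sections from drifting apart. Each action would then reduce to `if (check_rulestate(PFCTL_STATE_SCRUB)) YYERROR;` (with the matching state constant in the other four).
```c
/* Enforce section order: scrub, then nat/binat/rdr, then filter. */
static int
check_rulestate(int desired_state)
{
	if (rulestate > desired_state) {
		yyerror("Rules must be in order: scrub, nat, filter");
		return (1);
	}
	rulestate = desired_state;
	return (0);
}
```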
@@ -277,10 +287,13 @@ pfrule : action dir log quick interface route af proto fromto
struct pf_rule r;
struct node_state_opt *o;
- if (natmode) {
- yyerror("filter rule not permitted in nat mode");
+ if (rulestate > PFCTL_STATE_FILTER) {
+ yyerror("Rules must in order: "
+ "scrub, nat, filter");
YYERROR;
}
+ rulestate = PFCTL_STATE_FILTER;
+
memset(&r, 0, sizeof(r));
r.action = $1.b1;
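Review bot: The new guard `if (rulestate > PFCTL_STATE_FILTER)` can never be true, because PFCTL_STATE_FILTER is the largest enumerator defined in the enum above, so the yyerror/YYERROR branch in this action is dead code. If it is kept for symmetry with the other rule actions, a short comment like `/* never fires today; filter is the last section */` would stop readers from looking for the case it handles; otherwise only the `rulestate = PFCTL_STATE_FILTER;` assignment is needed here.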
@@ -1173,10 +1186,13 @@ natrule : no NAT interface af proto fromto redirection
{
struct pf_nat nat;
- if (!natmode) {
- yyerror("nat rule not permitted in filter mode");
+ if (rulestate > PFCTL_STATE_NAT) {
+ yyerror("Rules must in order: "
+ "scrub, nat, filter");
YYERROR;
}
+ rulestate = PFCTL_STATE_NAT;
+
memset(&nat, 0, sizeof(nat));
nat.no = $1;
@@ -1229,10 +1245,13 @@ binatrule : no BINAT interface af proto FROM address TO ipspec redirection
{
struct pf_binat binat;
- if (!natmode) {
- yyerror("binat rule not permitted in filter mode");
+ if (rulestate > PFCTL_STATE_NAT) {
+ yyerror("Rules must in order: "
+ "scrub, nat, filter");
YYERROR;
}
+ rulestate = PFCTL_STATE_NAT;
+
memset(&binat, 0, sizeof(binat));
binat.no = $1;
@@ -1336,10 +1355,13 @@ rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport redirection
{
struct pf_rdr rdr;
- if (!natmode) {
- yyerror("rdr rule not permitted in filter mode");
+ if (rulestate > PFCTL_STATE_NAT) {
+ yyerror("Rules must in order: "
+ "scrub, nat, filter");
YYERROR;
}
+ rulestate = PFCTL_STATE_NAT;
+
memset(&rdr, 0, sizeof(rdr));
rdr.no = $1;
@@ -2360,19 +2382,6 @@ top:
int
parse_rules(FILE *input, struct pfctl *xpf)
{
- natmode = 0;
- fin = input;
- pf = xpf;
- lineno = 1;
- errors = 0;
- yyparse();
- return (errors ? -1 : 0);
-}
-
-int
-parse_nat(FILE *input, struct pfctl *xpf)
-{
- natmode = 1;
fin = input;
pf = xpf;
lineno = 1;
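Review bot: parse_rules() no longer resets the section-order state: the removed `natmode = 0;` was the per-parse reset, but the new `rulestate` variable that replaces it is left at whatever value the previous parse ended with. Within this commit the function appears to be called once per pfctl invocation, so the effect is latent, but a second call in the same process would reject a leading scrub or nat rule because `rulestate` would still be PFCTL_STATE_FILTER. Adding `rulestate = PFCTL_STATE_NONE;` next to `lineno = 1;` restores the reset the old code had. The body of parse_rules continues beyond this hunk.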
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 1de6febe953..4ed1a782420 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.73 2002/06/10 15:19:13 mickey Exp $ */
+/* $OpenBSD: pfctl.c,v 1.74 2002/06/10 23:07:46 kjell Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -66,7 +66,6 @@ int pfctl_show_nat(int);
int pfctl_show_states(int, u_int8_t, int);
int pfctl_show_status(int);
int pfctl_rules(int, char *, int);
-int pfctl_nat(int, char *, int);
int pfctl_log(int, char *, int);
int pfctl_timeout(int, char *, int);
int pfctl_gettimeout(int, const char *);
@@ -81,7 +80,6 @@ int opts = 0;
char *clearopt;
char *hintopt;
char *logopt;
-char *natopt;
char *rulesopt;
char *showopt;
char *timeoutopt;
@@ -555,51 +553,10 @@ int
pfctl_rules(int dev, char *filename, int opts)
{
FILE *fin;
- struct pfioc_rule pr;
- struct pfctl pf;
-
- if (strcmp(filename, "-") == 0) {
- infile = "stdin";
- fin = stdin;
- } else {
- fin = fopen(filename, "r");
- infile = filename;
- }
- if (fin == NULL) {
- warn("%s", filename);
- return (1);
- }
- if ((opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(dev, DIOCBEGINRULES, &pr.ticket))
- err(1, "DIOCBEGINRULES");
- }
- /* fill in callback data */
- pf.dev = dev;
- pf.opts = opts;
- pf.prule = &pr;
- pf.rule_nr = 0;
- if (parse_rules(fin, &pf) < 0)
- errx(1, "syntax error in rule file: pf rules not loaded");
- if ((opts & PF_OPT_NOACTION) == 0) {
- if (ioctl(dev, DIOCCOMMITRULES, &pr.ticket))
- err(1, "DIOCCOMMITRULES");
-#if 0
- if ((opts & PF_OPT_QUIET) == 0)
- printf("%u rules loaded\n", n);
-#endif
- }
- if (fin != stdin)
- fclose(fin);
- return (0);
-}
-
-int
-pfctl_nat(int dev, char *filename, int opts)
-{
- FILE *fin;
struct pfioc_nat pn;
struct pfioc_binat pb;
struct pfioc_rdr pr;
+ struct pfioc_rule pl;
struct pfctl pf;
if (strcmp(filename, "-") == 0) {
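Review bot: In the merged pfctl_rules() the name `pr` changes meaning: the removed body used `struct pfioc_rule pr` for the filter-rule ticket, while the new body keeps `struct pfioc_rdr pr` from the old pfctl_nat() and introduces `struct pfioc_rule pl` for the rule ticket. Anyone reading the old function or a backport will now misread `pr.ticket`, and `pl` gives no hint of what it holds. Names that spell out the ioctl family, e.g. `struct pfioc_rdr prdr;` and `struct pfioc_rule prule;`, with the matching changes to the `&pr`/`&pl` uses in the later hunks, would make the four ticket pairs unambiguous.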
@@ -613,7 +570,6 @@ pfctl_nat(int dev, char *filename, int opts)
warn("%s", filename);
return (1);
}
-
if ((opts & PF_OPT_NOACTION) == 0) {
if (ioctl(dev, DIOCBEGINNATS, &pn.ticket))
err(1, "DIOCBEGINNATS");
@@ -621,6 +577,8 @@ pfctl_nat(int dev, char *filename, int opts)
err(1, "DIOCBEGINRDRS");
if (ioctl(dev, DIOCBEGINBINATS, &pb.ticket))
err(1, "DIOCBEGINBINATS");
+ if (ioctl(dev, DIOCBEGINRULES, &pl.ticket))
+ err(1, "DIOCBEGINRULES");
}
/* fill in callback data */
pf.dev = dev;
@@ -628,8 +586,10 @@ pfctl_nat(int dev, char *filename, int opts)
pf.pnat = &pn;
pf.pbinat = &pb;
pf.prdr = &pr;
- if (parse_nat(fin, &pf) < 0)
- errx(1, "syntax error in file: nat rules not loaded");
+ pf.prule = &pl;
+ pf.rule_nr = 0;
+ if (parse_rules(fin, &pf) < 0)
+ errx(1, "Syntax error in file: pf rules not loaded");
if ((opts & PF_OPT_NOACTION) == 0) {
if (ioctl(dev, DIOCCOMMITNATS, &pn.ticket))
err(1, "DIOCCOMMITNATS");
@@ -637,11 +597,14 @@ pfctl_nat(int dev, char *filename, int opts)
err(1, "DIOCCOMMITRDRS");
if (ioctl(dev, DIOCCOMMITBINATS, &pb.ticket))
err(1, "DIOCCOMMITBINATS");
+ if (ioctl(dev, DIOCCOMMITRULES, &pl.ticket))
+ err(1, "DIOCCOMMITRULES");
#if 0
if ((opts & PF_OPT_QUIET) == 0) {
printf("%u nat entries loaded\n", n);
printf("%u rdr entries loaded\n", r);
printf("%u binat entries loaded\n", b);
+ printf("%u rules loaded\n", n);
}
#endif
}
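Review bot: The added `printf("%u rules loaded\n", n);` reuses `n`, which two lines earlier in the same block is printed as the nat entry count, so if this `#if 0` diagnostic were ever re-enabled it would report the nat count as the rule count. Since the block is disabled and none of `n`, `r` or `b` are declared in the visible code, it is simplest to drop the `#if 0` block rather than carry a copy-paste slip in dead code.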
@@ -909,7 +872,7 @@ main(int argc, char *argv[])
if (argc < 2)
usage();
- while ((ch = getopt(argc, argv, "deqF:hk:l:m:nN:O:rR:s:t:vx:z")) != -1) {
+ while ((ch = getopt(argc, argv, "deqf:F:hk:l:m:nO:rs:t:vx:z")) != -1) {
switch (ch) {
case 'd':
opts |= PF_OPT_DISABLE;
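Review bot: The getopt string drops `N:` and `R:` and adds `f:`, but nothing in this diff touches usage() or the manual page; the diffstat lists only parse.y and pfctl.c. If usage() still advertises `-N natfile` and `-R rulefile`, users will be pointed at options getopt now rejects, so the usage text and pfctl.8 should be updated to describe `-f rulefile` in the same change or a follow-up.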
@@ -947,10 +910,6 @@ main(int argc, char *argv[])
case 'n':
opts |= PF_OPT_NOACTION;
break;
- case 'N':
- natopt = optarg;
- mode = O_RDWR;
- break;
case 'O':
hintopt = optarg;
mode = O_RDWR;
@@ -958,7 +917,7 @@ main(int argc, char *argv[])
case 'r':
opts |= PF_OPT_USEDNS;
break;
- case 'R':
+ case 'f':
rulesopt = optarg;
mode = O_RDWR;
break;
@@ -1043,10 +1002,6 @@ main(int argc, char *argv[])
if (pfctl_rules(dev, rulesopt, opts))
error = 1;
- if (natopt != NULL)
- if (pfctl_nat(dev, natopt, opts))
- error = 1;
-
if (showopt != NULL) {
switch (*showopt) {
case 'r':