author | Henning Brauer <henning@cvs.openbsd.org> | 2004-06-29 22:14:14 +0000 |
committer | Henning Brauer <henning@cvs.openbsd.org> | 2004-06-29 22:14:14 +0000 |
commit | c656db7455e6e26ca6bd4f87ad167c5aa2e60258 (patch) | |
tree | 3a2f1d27e89344a57b2168bf2ea5a59ffdd0f4ed /sbin | |
parent | 2235761a3b73f67f5b425b465d3528b98c74e829 (diff) |
remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 34 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 60 |
2 files changed, 7 insertions, 87 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index a1578f49e8f..7a5b152f033 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.458 2004/06/29 17:40:18 frantzen Exp $ */
+/* $OpenBSD: parse.y,v 1.459 2004/06/29 22:14:13 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -477,11 +477,6 @@ option : SET OPTIMIZATION STRING {
 			free($3);
 			YYERROR;
 		}
-		if ((ifa_exists($3, 0) == NULL) && strcmp($3, "none")) {
-			yyerror("interface %s doesn't exist", $3);
-			free($3);
-			YYERROR;
-		}
 		if (pfctl_set_logif(pf, $3) != 0) {
 			yyerror("error setting loginterface %s", $3);
 			free($3);
@@ -1930,11 +1925,6 @@ if_item_not : not if_item { $$ = $2; $$->not = $1; }
 if_item : STRING {
 			struct node_host	*n;
 
-			if ((n = ifa_exists($1, 1)) == NULL) {
-				yyerror("unknown interface %s", $1);
-				free($1);
-				YYERROR;
-			}
 			$$ = calloc(1, sizeof(struct node_if));
 			if ($$ == NULL)
 				err(1, "if_item: calloc");
@@ -1945,8 +1935,11 @@ if_item : STRING {
 				yyerror("interface name too long");
 				YYERROR;
 			}
+
+			if ((n = ifa_exists($1, 1)) != NULL)
+				$$->ifa_flags = n->ifa_flags;
+
 			free($1);
-			$$->ifa_flags = n->ifa_flags;
 			$$->not = 0;
 			$$->next = NULL;
 			$$->tail = $$;
@@ -2204,11 +2197,6 @@ dynaddr : '(' STRING ')' {
 				    "interface modifiers");
 				YYERROR;
 			}
-			if (ifa_exists($2, 1) == NULL && strcmp($2, "self")) {
-				yyerror("interface %s does not exist", $2);
-				free(op);
-				YYERROR;
-			}
 			$$ = calloc(1, sizeof(struct node_host));
 			if ($$ == NULL)
 				err(1, "address: calloc");
@@ -3340,13 +3328,6 @@ route_host : STRING {
 			if ($$ == NULL)
 				err(1, "route_host: calloc");
 			$$->ifname = $1;
-			if (ifa_exists($$->ifname, 0) == NULL) {
-				yyerror("routeto: unknown interface %s",
-				    $$->ifname);
-				free($1);
-				free($$);
-				YYERROR;
-			}
 			set_ipmask($$, 128);
 			$$->next = NULL;
 			$$->tail = $$;
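Review bot: In the if_item hunk, the new `if ((n = ifa_exists($1, 1)) != NULL)` leaves `$$->ifa_flags` at the calloc'd zero whenever the named interface is absent at parse time, so a rule written before its interface shows up carries no flags while the same rule parsed after the interface exists does; nothing in the hunk says this asymmetry is intended, and a future reader seeing a NULL-tolerant lookup right after a rejected existence check may well re-add the check. A short comment above the new test would pin the contract the commit message describes, e.g. `/* Any name is accepted: the kernel simply never matches a rule on an interface that does not exist. ifa_flags is only known for interfaces present right now. */`. Note also that `ifa_exists()` still calls into `ifa_load()` from the parser, so interface lookup still happens at parse time even though its result is no longer fatal. The if_item action starts in the preceding hunk (where `n` is declared) and continues past this one.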
@@ -3354,11 +3335,6 @@ route_host : STRING {
 		| '(' STRING host ')' {
 			$$ = $3;
 			$$->ifname = $2;
-			if (ifa_exists($$->ifname, 0) == NULL) {
-				yyerror("routeto: unknown interface %s",
-				    $$->ifname);
-				YYERROR;
-			}
 		}
 		;
 
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index af0974658dc..0d0aaf54278 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.201 2004/06/10 14:22:54 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.202 2004/06/29 22:14:13 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1020,8 +1020,6 @@ ifa_load(void)
 {
 	struct ifaddrs		*ifap, *ifa;
 	struct node_host	*n = NULL, *h = NULL;
-	struct pfr_buffer	 b;
-	struct pfi_if		*p;
 
 	if (getifaddrs(&ifap) < 0)
 		err(1, "getifaddrs");
@@ -1097,43 +1095,6 @@ ifa_load(void)
 		}
 	}
-	/* add interface groups, including clonable and dynamic stuff */
-	bzero(&b, sizeof(b));
-	b.pfrb_type = PFRB_IFACES;
-	for (;;) {
-		if (pfr_buf_grow(&b, b.pfrb_size))
-			err(1, "ifa_load: pfr_buf_grow");
-		b.pfrb_size = b.pfrb_msize;
-		if (pfi_get_ifaces(NULL, b.pfrb_caddr, &b.pfrb_size,
-		    PFI_FLAG_GROUP))
-			err(1, "ifa_load: pfi_get_ifaces");
-		if (b.pfrb_size <= b.pfrb_msize)
-			break;
-	}
-	PFRB_FOREACH(p, &b) {
-		n = calloc(1, sizeof(struct node_host));
-		if (n == NULL)
-			err(1, "address: calloc");
-		n->af = AF_LINK;
-		n->ifa_flags = PF_IFA_FLAG_GROUP;
-		if (p->pfif_flags & PFI_IFLAG_DYNAMIC)
-			n->ifa_flags |= PF_IFA_FLAG_DYNAMIC;
-		if (p->pfif_flags & PFI_IFLAG_CLONABLE)
-			n->ifa_flags |= PF_IFA_FLAG_CLONABLE;
-		if (!strcmp(p->pfif_name, "lo"))
-			n->ifa_flags |= IFF_LOOPBACK;
-		if ((n->ifname = strdup(p->pfif_name)) == NULL)
-			err(1, "ifa_load: strdup");
-		n->next = NULL;
-		n->tail = n;
-		if (h == NULL)
-			h = n;
-		else {
-			h->tail->next = n;
-			h->tail = n;
-		}
-	}
 	iftab = h;
 	freeifaddrs(ifap);
 }
@@ -1142,12 +1103,7 @@ struct node_host *
 ifa_exists(const char *ifa_name, int group_ok)
 {
 	struct node_host	*n;
-	char			*p, buf[IFNAMSIZ];
-	int			 group;
 
-	group = !isdigit(ifa_name[strlen(ifa_name) - 1]);
-	if (group && !group_ok)
-		return (NULL);
 
 	if (iftab == NULL)
 		ifa_load();
@@ -1155,19 +1111,7 @@ ifa_exists(const char *ifa_name, int group_ok)
 		if (n->af == AF_LINK && !strncmp(n->ifname, ifa_name, IFNAMSIZ))
 			return (n);
 	}
-	if (!group) {
-		/* look for clonable and/or dynamic interface */
-		strlcpy(buf, ifa_name, sizeof(buf));
-		for (p = buf + strlen(buf) - 1; p > buf && isdigit(*p); p--)
-			*p = '\0';
-		for (n = iftab; n != NULL; n = n->next)
-			if (n->af == AF_LINK &&
-			    !strncmp(n->ifname, buf, IFNAMSIZ))
-				break;
-		if (n != NULL && n->ifa_flags &
-		    (PF_IFA_FLAG_DYNAMIC | PF_IFA_FLAG_CLONABLE))
-			return (n); /* XXX */
-	}
+
 	return (NULL);
 }
 
|
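Review bot: After this hunk the `group_ok` parameter in `ifa_exists(const char *ifa_name, int group_ok)` is no longer read anywhere visible in the diff, since its only use, `if (group && !group_ok)`, was deleted in the preceding hunk, yet the signature keeps it and parse.y still calls `ifa_exists($1, 1)`, which makes the flag look honoured when it is not. Either drop the parameter from the prototype and the remaining caller, or document the dead argument at the top of the function with something like `/* group_ok is ignored: interface names are no longer validated here */`. The added `+` blank line before `return (NULL);` also leaves a stray empty line at the end of the function body. The function's opening brace and declarations are in the preceding hunk, outside this one.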