author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-04-23 14:32:24 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-04-23 14:32:24 +0000 |
commit | d70cb2c050204739bb31da06800d79bad94f2730 (patch) | |
tree | 36a354437114272043ed536e25019006c1c1301d /sbin | |
parent | 06672d3a1880a142ab171f0458ad27cdb1f8e81a (diff) |
Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 37 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 4 |
2 files changed, 29 insertions, 12 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0e2387fc187..19a50de9ff5 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.59 2002/04/18 06:02:18 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.60 2002/04/23 14:32:23 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -172,13 +172,13 @@ typedef struct {
 %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
 %token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
-%token NOROUTE
+%token NOROUTE FRAGMENT
 %token <v.string> STRING
 %token <v.number> NUMBER
 %token <v.i> PORTUNARY PORTBINARY
 %type <v.interface> interface if_list if_item_not if_item
 %type <v.number> port icmptype icmp6type minttl
-%type <v.i> no dir log quick af keep nodf allowopts
+%type <v.i> no dir log quick af keep nodf allowopts fragment
 %type <v.b> action flag flags blockspec
 %type <v.range> dport rport
 %type <v.proto> proto proto_list proto_item
@@ -213,7 +213,7 @@ varset : STRING PORTUNARY STRING
 		}
 		;
 
-pfrule : action dir log quick interface route af proto fromto flags icmpspec keep nodf minttl allowopts label
+pfrule : action dir log quick interface route af proto fromto flags icmpspec keep fragment nodf minttl allowopts label
 		{
 			struct pf_rule r;
 
@@ -240,10 +240,12 @@ pfrule : action dir log quick interface route af proto fromto flags icmpspec ke
 			r.keep_state = $12;
 
 			if ($13)
-				r.rule_flag |= PFRULE_NODF;
+				r.rule_flag |= PFRULE_FRAGMENT;
 			if ($14)
-				r.min_ttl = $14;
-			r.allow_opts = $15;
+				r.rule_flag |= PFRULE_NODF;
+			if ($15)
+				r.min_ttl = $15;
+			r.allow_opts = $16;
 
 			if ($6.rt) {
 				r.rt = $6.rt;
@@ -266,14 +268,14 @@ pfrule : action dir log quick interface route af proto fromto flags icmpspec ke
 				}
 			}
 
-			if ($16) {
-				if (strlen($16) >= PF_RULE_LABEL_SIZE) {
+			if ($17) {
+				if (strlen($17) >= PF_RULE_LABEL_SIZE) {
 					yyerror("rule label too long (max "
 					    "%d chars)", PF_RULE_LABEL_SIZE-1);
 					YYERROR;
 				}
-				strlcpy(r.label, $16, sizeof(r.label));
-				free($16);
+				strlcpy(r.label, $17, sizeof(r.label));
+				free($17);
 			}
 
 			expand_rule(&r, $5, $8, $9.src.host, $9.src.port,
@@ -756,6 +758,9 @@ keep : /* empty */ { $$ = 0; }
 		| MODULATE STATE { $$ = PF_STATE_MODULATE; }
 		;
 
+fragment : /* empty */ { $$ = 0; }
+		| FRAGMENT { $$ = 1; }
+
 minttl : /* empty */ { $$ = 0; }
 		| MINTTL NUMBER {
 			if ($2 < 0 || $2 > 255) {
@@ -1126,6 +1131,10 @@ rule_consistent(struct pf_rule *r)
 			yyerror("icmp-type/code does not apply to scrub");
 			problems++;
 		}
+		if (r->rule_flag & PFRULE_FRAGMENT) {
+			yyerror("fragment flag does not apply to scrub");
+			problems++;
+		}
 	} else {
 		if (r->rule_flag & PFRULE_NODF) {
 			yyerror("nodf only applies to scrub");
@@ -1170,6 +1179,11 @@ rule_consistent(struct pf_rule *r)
 		yyerror("allow-opts can only be specified for pass rules");
 		problems++;
 	}
+	if (r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op ||
+	    r->dst.port_op || r->flagset || r->type || r->code)) {
+		yyerror("fragments can be filtered only on IP header fields");
+		problems++;
+	}
 	return (-problems);
 }
 
@@ -1368,6 +1382,7 @@ lookup(char *s)
 		{ "dup-to", DUPTO},
 		{ "fastroute", FASTROUTE},
 		{ "flags", FLAGS},
+		{ "fragment", FRAGMENT},
 		{ "from", FROM},
 		{ "icmp-type", ICMPTYPE},
 		{ "in", IN},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 8c4f0a9dac1..d7714290314 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.64 2002/04/15 20:39:58 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.65 2002/04/23 14:32:23 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
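Review bot: The new `fragment` rule in the @@ -756 hunk is not terminated: its third added line is blank, whereas the neighbouring `keep` rule above and `minttl` below each close with a `;` on its own line. yacc accepts the omission because the following `minttl :` ends the rule body, but it departs from the file's convention and makes a later third alternative easy to get wrong. Replace the blank added line with `		;` so the rule reads `fragment : /* empty */ { $$ = 0; }`, `| FRAGMENT { $$ = 1; }`, `;`.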
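Review bot: The consistency check added in the @@ -1170 hunk mixes a bitwise test with `&&` without its own parentheses, `r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op || ...`; the precedence happens to be right, but every other flag test in rule_consistent is a bare `if (r->rule_flag & PFRULE_X)`, so the mixed form reads as if the mask were being applied to the whole disjunction. Write `if ((r->rule_flag & PFRULE_FRAGMENT) && (r->src.port_op ||` to make the grouping explicit. A one-line comment above the check would also record why the restriction exists, which today lives only in the error string, e.g. `/* a rule matching fragments may use IP header fields only */`. rule_consistent begins before this hunk; its closing `return (-problems);` is inside it.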
@@ -777,6 +777,8 @@ print_rule(struct pf_rule *r)
 		printf("keep state ");
 	else if (r->keep_state == PF_STATE_MODULATE)
 		printf("modulate state ");
+	if (r->rule_flag & PFRULE_FRAGMENT)
+		printf("fragment ");
 	if (r->rule_flag & PFRULE_NODF)
 		printf("no-df ");
 	if (r->min_ttl)