authorMichael Shalayeff <mickey@cvs.openbsd.org>2002-03-27 18:16:24 +0000
committerMichael Shalayeff <mickey@cvs.openbsd.org>2002-03-27 18:16:24 +0000
commitf5b5f9a9d79ac00b898f03754f8633d88a7da65e (patch)
tree7b2124304dd57c38560864fefe926e31ef5f4fde /sbin
parent0383b042ec78518838e9c7faf713ed09c8414734 (diff)
implement a "no-route" keyword.
usage semantics are analogous to "any"; the meaning is "any ip address for which there is no route in the current routing table", and it can be used in both from and to. typical usage would be (assuming symmetrical routing): block in from no-route to any. also doc "any" in the pf.conf.5, include in regress, etc. tested by me on i386 and sparc. dhartmei@ and frantzen@ ok
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y13
-rw-r--r--sbin/pfctl/pfctl_parser.c11
2 files changed, 20 insertions, 4 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index ad86add008c..9b186b68e4f 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.56 2002/02/27 18:11:45 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.57 2002/03/27 18:16:22 mickey Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -72,6 +72,7 @@ struct node_host {
struct pf_addr mask;
u_int8_t af;
u_int8_t not;
+ u_int8_t noroute;
struct node_host *next;
};
@@ -171,6 +172,7 @@ typedef struct {
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
%token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
+%token NOROUTE
%token <v.string> STRING
%token <v.number> NUMBER
%token <v.i> PORTUNARY PORTBINARY
@@ -437,6 +439,12 @@ host_list : xhost { $$ = $1; }
xhost : '!' host { $$ = $2; $$->not = 1; }
| host { $$ = $1; }
+ | NOROUTE {
+ $$ = calloc(1, sizeof(struct node_host));
+ if ($$ == NULL)
+ err(1, "xhost: calloc");
+ $$->noroute = 1;
+ }
;
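Review bot: The new NOROUTE alternative of xhost cannot be negated: `'!' host` takes a `host`, and NOROUTE is a sibling alternative rather than part of `host`, so `! no-route` is a syntax error and the `not` flag never combines with `noroute`. If that is intended, say so on the alternative, e.g. `/* no-route: no address/af set; cannot be negated with '!' */`. Because the node is calloc'd, `af`, `addr` and `mask` stay zero, so any later code that derives the rule's address family from the host's `af` (outside this hunk) would need to treat a no-route node like `any`; worth confirming rather than assuming.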
host : address {
@@ -1213,12 +1221,14 @@ void expand_rule_hosts(struct pf_rule *r,
r->proto = proto->proto;
r->src.addr = src_host->addr;
r->src.mask = src_host->mask;
+ r->src.noroute = src_host->noroute;
r->src.not = src_host->not;
r->src.port[0] = src_port->port[0];
r->src.port[1] = src_port->port[1];
r->src.port_op = src_port->op;
r->dst.addr = dst_host->addr;
r->dst.mask = dst_host->mask;
+ r->dst.noroute = dst_host->noroute;
r->dst.not = dst_host->not;
r->dst.port[0] = dst_port->port[0];
r->dst.port[1] = dst_port->port[1];
@@ -1373,6 +1383,7 @@ lookup(char *s)
{ "nat", NAT},
{ "no", NO},
{ "no-df", NODF},
+ { "no-route", NOROUTE},
{ "on", ON},
{ "out", OUT},
{ "pass", PASS},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index c9043f9b523..567683785d6 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.62 2002/03/12 08:15:03 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.63 2002/03/27 18:16:23 mickey Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -705,12 +705,15 @@ print_rule(struct pf_rule *r)
}
if (PF_AZERO(&r->src.addr, AF_INET6) &&
PF_AZERO(&r->src.mask, AF_INET6) &&
+ !r->src.noroute && !r->dst.noroute &&
!r->src.port_op && PF_AZERO(&r->dst.addr, AF_INET6) &&
PF_AZERO(&r->dst.mask, AF_INET6) && !r->dst.port_op)
printf("all ");
else {
printf("from ");
- if (PF_AZERO(&r->src.addr, AF_INET6) &&
+ if (r->src.noroute)
+ printf("no-route ");
+ else if (PF_AZERO(&r->src.addr, AF_INET6) &&
PF_AZERO(&r->src.mask, AF_INET6))
printf("any ");
else {
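Review bot: In the `from` branch, `r->src.noroute` now short-circuits the address printing, so a rule carrying `noroute` together with a non-zero `src.addr`/`src.mask` or `src.not` prints as a bare `no-route ` and those fields silently vanish from the printed ruleset. The grammar in this commit cannot produce such a combination (NOROUTE is a sibling of `'!' host` in parse.y), but print_rule prints whatever the kernel hands back, so output that no longer round-trips through the parser would go unnoticed; if the kernel ignores addr/mask/not whenever noroute is set, a one-line comment here saying so, e.g. `/* noroute supersedes addr/mask and '!'; see xhost in parse.y */`, makes the precedence explicit. The same pattern recurs in the `to` branch of the next hunk. print_rule begins before this hunk.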
@@ -725,7 +728,9 @@ print_rule(struct pf_rule *r)
r->proto == IPPROTO_TCP ? "tcp" : "udp");
printf("to ");
- if (PF_AZERO(&r->dst.addr, AF_INET6) &&
+ if (r->dst.noroute)
+ printf("no-route ");
+ else if (PF_AZERO(&r->dst.addr, AF_INET6) &&
PF_AZERO(&r->dst.mask, AF_INET6))
printf("any ");
else {