author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-07-01 23:04:46 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-07-01 23:04:46 +0000 |
commit | 63d3dec5dda49230245975ec2593a5c0a4acc553 (patch) | |
tree | eed9696dc820f0c0913c3239b2663be56daca072 /sbin | |
parent | 7a32b7a5e6f98c65a2918997eafb4487cb72b6ef (diff) |
tag packets generated by pf (return-rst, return-icmp) so they are not filtered, use existing icmp_error() and ip_output(). ok dugsong@, frantzen@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 54 |
1 files changed, 45 insertions, 9 deletions
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 074407a5640..082719c69d3 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.24 2001/07/01 17:16:02 kjell Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.25 2001/07/01 23:04:45 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -405,12 +405,26 @@ print_rule(struct pf_rule *r)
  printf("@%d ", r->nr + 1);
  if (r->action == PF_PASS)
  printf("pass ");
- else if (r->action == PF_DROP || r->action == PF_DROP_RST)
+ else if (r->action == PF_DROP) {
  printf("block ");
- else
+ if (r->return_rst)
+ printf("return-rst ");
+ else if (r->return_icmp) {
+ struct icmpcodeent *ic;
+
+ printf("return-icmp");
+ ic = geticmpcodebynumber(r->return_icmp >> 8,
+ r->return_icmp & 255);
+ if ((ic == NULL) || (ic->type != ICMP_UNREACH))
+ printf("(%u,%u) ", r->return_icmp >> 8,
+ r->return_icmp & 255);
+ else if (ic->code != ICMP_UNREACH_PORT)
+ printf("(%s) ", ic->name);
+ else
+ printf(" ");
+ }
+ } else
  printf("scrub ");
- if (r->action == 2)
- printf("return-rst ");
  if (r->direction == 0)
  printf("in ");
  else
@@ -626,10 +640,32 @@ parse_rule(int n, char *l, struct pf_rule *r)
  }
  w = next_word(&l);
 
- /* return-rst */
- if ((r->action == PF_DROP) && !strcmp(w, "return-rst")) {
- r->action = PF_DROP_RST;
- w = next_word(&l);
+ /* return-rst/return-icmp */
+ if (r->action == PF_DROP) {
+ if (!strcmp(w, "return-rst")) {
+ r->return_rst = 1;
+ w = next_word(&l);
+ } else if (!strncmp(w, "return-icmp", 11)) {
+ w += 11;
+ if ((strlen(w) > 2) && (w[0] == '(') &&
+ (w[strlen(w)-1] == ')')) {
+ struct icmpcodeent *ic;
+
+ w[strlen(w)-1] = 0;
+ w++;
+ ic = geticmpcodebyname(ICMP_UNREACH, w);
+ if (ic == NULL) {
+ error(n, "expected icmp code, got %s\n",
+ w);
+ return (0);
+ }
+ r->return_icmp = ic->type << 8;
+ r->return_icmp |= ic->code;
+ } else
+ r->return_icmp = (ICMP_UNREACH << 8) |
+ ICMP_UNREACH_PORT;
+ w = next_word(&l);
+ }
+ }
 
  /* in / out */
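Review bot: The `return-icmp` branch in parse_rule only checks an 11-byte prefix (`strncmp(w, "return-icmp", 11)`) and then treats every suffix that is not a well-formed `(code)` as the bare keyword, so a word like `return-icmpfoo`, `return-icmp(` or `return-icmp()` is silently loaded as `return-icmp` (port unreachable) instead of being rejected; in a firewall rule parser a typo that yields a valid-but-different rule deserves an explicit error. Narrow the fallback so that only an empty suffix selects ICMP_UNREACH_PORT and any other remainder goes through error()/return (0), the way the unknown-code case already does. Separately, print_rule's `(%u,%u)` output for a non-ICMP_UNREACH type has no counterpart in this parser, so such a rule would not round-trip through its printed form. parse_rule starts and ends outside the hunk.
```c
			w += 11;
			if ((strlen(w) > 2) && (w[0] == '(') &&
			    (w[strlen(w)-1] == ')')) {
				/* … unchanged: geticmpcodebyname() lookup … */
			} else if (*w == '\0')
				r->return_icmp = (ICMP_UNREACH << 8) |
				    ICMP_UNREACH_PORT;
			else {
				error(n, "expected return-icmp(code), got return-icmp%s\n",
				    w);
				return (0);
			}
			w = next_word(&l);
```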