author | Henning Brauer <henning@cvs.openbsd.org> | 2002-10-14 12:58:29 +0000 |
committer | Henning Brauer <henning@cvs.openbsd.org> | 2002-10-14 12:58:29 +0000 |
commit | ddf9a76a6ac99f77e2d616c4494271e8414a7c68 (patch) | |
tree | 6f24af57e08272cd4c30bee5051c8de12beb4a9a /sbin | |
parent | 6726798190bfe92e3616e969f4fa2612a2720bcb (diff) |
Allow one to specify a netblock in a binat rule:
binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
The network masks on the source and redirect addresses MUST be the
same; it works by combining the network part of the redirect address
with the host part of the source address.
from ryan
ok dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 31 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 6 |
2 files changed, 24 insertions, 13 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 05b74b0ae62..cf7c1dffe7a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.167 2002/10/11 12:57:53 camield Exp $ */
+/* $OpenBSD: parse.y,v 1.168 2002/10/14 12:58:28 henning Exp $ */
 
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1362,14 +1362,14 @@ rport : STRING {
 ;
 
 redirection : /* empty */ { $$ = NULL; }
- | ARROW address {
+ | ARROW host {
 $$ = malloc(sizeof(struct redirection));
 if ($$ == NULL)
 err(1, "redirection: malloc");
 $$->address = $2;
 $$->rport.a = $$->rport.b = $$->rport.t = 0;
 }
- | ARROW address PORT rport {
+ | ARROW host PORT rport {
 $$ = malloc(sizeof(struct redirection));
 if ($$ == NULL)
 err(1, "redirection: malloc");
@@ -1440,7 +1440,7 @@ natrule : no NAT interface af proto fromto redirection
 }
 ;
 
-binatrule : no BINAT interface af proto FROM address TO ipspec redirection
+binatrule : no BINAT interface af proto FROM host TO ipspec redirection
 {
 struct pf_binat binat;
 
@@ -1482,8 +1482,10 @@ binatrule : no BINAT interface af proto FROM address TO ipspec redirection
 YYERROR;
 }
 binat.af = $7->af;
- memcpy(&binat.saddr, &$7->addr,
- sizeof(binat.saddr));
+ memcpy(&binat.saddr.addr, &$7->addr.addr,
+ sizeof(binat.saddr.addr));
+ memcpy(&binat.smask, &$7->mask,
+ sizeof(binat.smask));
 free($7);
 }
 if ($9 != NULL) {
@@ -1504,8 +1506,8 @@ binatrule : no BINAT interface af proto FROM address TO ipspec redirection
 YYERROR;
 }
 binat.af = $9->af;
- memcpy(&binat.daddr, &$9->addr,
- sizeof(binat.daddr));
+ memcpy(&binat.daddr.addr, &$9->addr.addr,
+ sizeof(binat.daddr.addr));
 memcpy(&binat.dmask, &$9->mask,
 sizeof(binat.dmask));
 binat.dnot = $9->not;
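Review bot: The `redirection` rule now takes `host` instead of `address` for every rule that uses it, including `natrule` (named in the @@ -1440 hunk header), yet only the `binatrule` action in this diff copies and validates the redirection's mask; the nat/rdr actions are outside the diff, so if they still copy only `->addr.addr`, a `/27` written on a nat or rdr redirect would be accepted by the grammar and silently ignored. Either those actions should reject a non-host mask with their own `yyerror()`, or the grammar should keep a host-only redirection for the rules that cannot honour a netblock. A comment on the rule would spare the next reader the question: `/* host rather than address so binat can take a netblock; other rules must reject or ignore the mask */`. The grammar actions this hunk touches continue outside the hunk.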
@@ -1542,8 +1544,17 @@ binatrule : no BINAT interface af proto FROM address TO ipspec redirection
 YYERROR;
 }
 binat.af = n->af;
- memcpy(&binat.raddr, &n->addr,
- sizeof(binat.raddr));
+ memcpy(&binat.raddr.addr, &n->addr.addr,
+ sizeof(binat.raddr.addr));
+ memcpy(&binat.rmask, &n->mask,
+ sizeof(binat.rmask));
+ if (!PF_AZERO(&binat.smask, binat.af) &&
+ !PF_AEQ(&binat.smask,
+ &binat.rmask, binat.af)) {
+ yyerror("'binat' source mask and "
+ "redirect mask must be the same");
+ YYERROR;
+ }
 free($10->address);
 free($10);
 }
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 5b7f23cdbfe..6c1d84a9a5c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.99 2002/10/07 13:23:46 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.100 2002/10/14 12:58:28 henning Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -462,7 +462,7 @@ print_binat(struct pf_binat *b)
 printf("proto %u ", b->proto);
 }
 printf("from ");
- print_addr(&b->saddr, NULL, b->af);
+ print_addr(&b->saddr, &b->smask, b->af);
 printf(" ");
 printf("to ");
 if (!PF_AZERO(&b->daddr.addr, b->af) || !PF_AZERO(&b->dmask, b->af)) {
@@ -474,7 +474,7 @@ print_binat(struct pf_binat *b)
 printf("any ");
 if (!b->no) {
 printf("-> ");
- print_addr(&b->raddr, NULL, b->af);
+ print_addr(&b->raddr, &b->rmask, b->af);
 }
 printf("\n");
 }
|
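Review bot: The new mask check is gated on `!PF_AZERO(&binat.smask, binat.af)`, so when the source mask is all-zero the redirect mask is never compared and a netblock redirect is accepted against an unmasked source, which contradicts the description's rule that both masks must be the same; unless `host` guarantees a non-zero mask for everything `FROM host` can yield, the gate should be dropped or made symmetric, e.g. also erroring when `!PF_AZERO(&binat.rmask, binat.af)` and the two differ. The comparison uses `binat.af`, which the line above has just set from `n->af`, while `smask` was filled from `$7` earlier in the action; whatever af-consistency check exists between the two is outside the hunk and I could not confirm it. This is a parser-side sanity check only — a rule handed to the kernel by another loader would bypass it — so the kernel's rule-load path should presumably enforce mask equality itself rather than rely on pfctl. A short comment above the `if` would record the invariant: `/* netblock binat: redirect network bits + source host bits, so masks must match */`. The binatrule action starts and ends outside the hunk.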
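Review bot: `print_binat` now hands `&b->smask` and `&b->rmask` to `print_addr` unconditionally, whereas the `to` side in the same hunk only prints an address after testing `PF_AZERO` on both `daddr.addr` and `dmask`. For a rule whose `smask` or `rmask` is all-zero — possible if the rule reached the kernel through something other than this parser — the output depends on how `print_addr` renders a zero mask, which is outside this diff; if it prints a `/0` suffix, `pfctl -s nat` output would no longer re-parse to the same rule. Worth confirming that a zero mask prints as a plain host and noting the intent: `/* print the masks so netblock binat rules round-trip through pfctl */`. print_binat continues outside the hunk.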