authorHenning Brauer <henning@cvs.openbsd.org>2002-10-14 12:58:29 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2002-10-14 12:58:29 +0000
commitddf9a76a6ac99f77e2d616c4494271e8414a7c68 (patch)
tree6f24af57e08272cd4c30bee5051c8de12beb4a9a /sbin
parent6726798190bfe92e3616e969f4fa2612a2720bcb (diff)
Allow one to specify a netblock in a binat rule:
binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 The network masks on the source and redirect addresses MUST be the same; it works by essentially combining the network section of the redirect address with the host section of the source address. from ryan ok dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y31
-rw-r--r--sbin/pfctl/pfctl_parser.c6
2 files changed, 24 insertions, 13 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 05b74b0ae62..cf7c1dffe7a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.167 2002/10/11 12:57:53 camield Exp $ */
+/* $OpenBSD: parse.y,v 1.168 2002/10/14 12:58:28 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1362,14 +1362,14 @@ rport : STRING {
;
redirection : /* empty */ { $$ = NULL; }
- | ARROW address {
+ | ARROW host {
$$ = malloc(sizeof(struct redirection));
if ($$ == NULL)
err(1, "redirection: malloc");
$$->address = $2;
$$->rport.a = $$->rport.b = $$->rport.t = 0;
}
- | ARROW address PORT rport {
+ | ARROW host PORT rport {
$$ = malloc(sizeof(struct redirection));
if ($$ == NULL)
err(1, "redirection: malloc");
@@ -1440,7 +1440,7 @@ natrule : no NAT interface af proto fromto redirection
}
;
-binatrule : no BINAT interface af proto FROM address TO ipspec redirection
+binatrule : no BINAT interface af proto FROM host TO ipspec redirection
{
struct pf_binat binat;
@@ -1482,8 +1482,10 @@ binatrule : no BINAT interface af proto FROM address TO ipspec redirection
YYERROR;
}
binat.af = $7->af;
- memcpy(&binat.saddr, &$7->addr,
- sizeof(binat.saddr));
+ memcpy(&binat.saddr.addr, &$7->addr.addr,
+ sizeof(binat.saddr.addr));
+ memcpy(&binat.smask, &$7->mask,
+ sizeof(binat.smask));
free($7);
}
if ($9 != NULL) {
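Review bot: The new `memcpy(&binat.saddr.addr, &$7->addr.addr, ...)` copies only the address member of the wrapper, where the removed line copied the whole `$7->addr` into `binat.saddr` with `sizeof(binat.saddr)`; if `pf_addr_wrap` holds anything besides `addr` (pfvar.h is not part of this diff), that part of `binat.saddr` is now left as whatever the earlier initialisation of `binat` set it to, which is worth confirming, and the same applies to the matching `daddr` change in the next hunk. Nothing in this hunk rejects `$7` having a `next` entry or a `not` flag the way `dnot` is carried for the destination; if those checks sit above the hunk that is fine, otherwise a hostname resolving to several addresses would silently use only the first one. The enclosing binatrule action begins before this hunk.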
@@ -1504,8 +1506,8 @@ binatrule : no BINAT interface af proto FROM address TO ipspec redirection
YYERROR;
}
binat.af = $9->af;
- memcpy(&binat.daddr, &$9->addr,
- sizeof(binat.daddr));
+ memcpy(&binat.daddr.addr, &$9->addr.addr,
+ sizeof(binat.daddr.addr));
memcpy(&binat.dmask, &$9->mask,
sizeof(binat.dmask));
binat.dnot = $9->not;
@@ -1542,8 +1544,17 @@ binatrule : no BINAT interface af proto FROM address TO ipspec redirection
YYERROR;
}
binat.af = n->af;
- memcpy(&binat.raddr, &n->addr,
- sizeof(binat.raddr));
+ memcpy(&binat.raddr.addr, &n->addr.addr,
+ sizeof(binat.raddr.addr));
+ memcpy(&binat.rmask, &n->mask,
+ sizeof(binat.rmask));
+ if (!PF_AZERO(&binat.smask, binat.af) &&
+ !PF_AEQ(&binat.smask,
+ &binat.rmask, binat.af)) {
+ yyerror("'binat' source mask and "
+ "redirect mask must be the same");
+ YYERROR;
+ }
free($10->address);
free($10);
}
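Review bot: The added `PF_AEQ` check only enforces equal prefix lengths; it does not reject host bits set under the mask in either the source or the redirect address, so `from 192.168.0.33/27 -> 10.0.7.129/27` is accepted and, given the commit's description of combining the redirect network part with the source host part, silently behaves as the two /27 networks rather than as written. A parser-side check that both `binat.saddr.addr` and `binat.raddr.addr` are clear under the inverted mask (or a warning plus explicit masking) would catch the mistake at rule-load time instead of at translation time. The `!PF_AZERO(&binat.smask, binat.af)` guard also lets an all-zero source mask through without any comparison; if that is intended for a `/0` source it deserves a comment saying so, e.g. `/* a zero source mask is exempt from the equal-mask rule */`. The binatrule action begins before this hunk and continues after it.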
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 5b7f23cdbfe..6c1d84a9a5c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.99 2002/10/07 13:23:46 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.100 2002/10/14 12:58:28 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -462,7 +462,7 @@ print_binat(struct pf_binat *b)
printf("proto %u ", b->proto);
}
printf("from ");
- print_addr(&b->saddr, NULL, b->af);
+ print_addr(&b->saddr, &b->smask, b->af);
printf(" ");
printf("to ");
if (!PF_AZERO(&b->daddr.addr, b->af) || !PF_AZERO(&b->dmask, b->af)) {
@@ -474,7 +474,7 @@ print_binat(struct pf_binat *b)
printf("any ");
if (!b->no) {
printf("-> ");
- print_addr(&b->raddr, NULL, b->af);
+ print_addr(&b->raddr, &b->rmask, b->af);
}
printf("\n");
}