author | Claudio Jeker <claudio@cvs.openbsd.org> | 2011-04-06 13:19:56 +0000 |
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2011-04-06 13:19:56 +0000 |
commit | f9f04df92b8065d144e484973f346e4981c22a9a (patch) | |
tree | 7bba0ff92a80bd70c4acf6843f000ffbfd0a7a2b /sbin | |
parent | 91627ea8959bf9fbfc90c2468768eecbaff96ded (diff) |
Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 29 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_optimize.c | 15 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 8 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 4 |
4 files changed, 51 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 4fba39e65b8..5a2e36a373a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.598 2011/04/05 13:48:18 mikeb Exp $ */
+/* $OpenBSD: parse.y,v 1.599 2011/04/06 13:19:55 claudio Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -461,7 +461,7 @@ int parseport(char *, struct range *r, int);
 %token ANTISPOOF FOR INCLUDE MATCHES
 %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY
 %token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
-%token QUEUE PRIORITY QLIMIT RTABLE
+%token QUEUE PRIORITY QLIMIT RTABLE RDOMAIN
 %token LOAD RULESET_OPTIMIZATION
 %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
 %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
@@ -2539,6 +2539,20 @@ if_item : STRING {
 $$->next = NULL;
 $$->tail = $$;
 }
+ | RDOMAIN NUMBER {
+ if ($2 < 0 || $2 > RT_TABLEID_MAX) {
+ yyerror("rdomain outside range");
+ YYERROR;
+ }
+ $$ = calloc(1, sizeof(struct node_if));
+ if ($$ == NULL)
+ err(1, "if_item: calloc");
+ $$->not = 0;
+ $$->use_rdomain = 1;
+ $$->rdomain = $2;
+ $$->next = NULL;
+ $$->tail = $$;
+ }
 ;
 af : /* empty */ { $$ = 0; }
@@ -4298,6 +4312,9 @@ expand_altq(struct pf_altq *a, struct node_if *interfaces,
 if (interface->not) {
 yyerror("altq on ! <interface> is not supported");
 errs++;
+ } else if (interface->use_rdomain) {
+ yyerror("altq on rdomain <num> is not supported");
+ errs++;
 } else {
 if (eval_pfaltq(pf, &pa, &bwspec, opts))
 errs++;
@@ -4754,6 +4771,10 @@ expand_rule(struct pf_rule *r, int keeprule, struct node_if *interfaces,
 else
 memset(r->ifname, '\0', sizeof(r->ifname));
+ if (interface->use_rdomain)
+ r->onrdomain = interface->rdomain;
+ else
+ r->onrdomain = -1;
 if (strlcpy(r->label, label, sizeof(r->label)) >= sizeof(r->label))
 errx(1, "expand_rule: strlcpy");
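Review bot: The new `RDOMAIN NUMBER` alternative of if_item leaves `ifname` as the all-zero buffer from calloc and signals the difference only through `use_rdomain`, so every consumer of struct node_if has to test `use_rdomain` before it reads `ifname`. expand_altq, expand_rule and expand_skip_interface in this commit do so; any other walker of the interface list outside this diff (the `dynamic /* antispoof */` field of the struct suggests antispoof is one) would otherwise treat an rdomain item as the empty interface name, which is worth confirming. A comment on the production stating that contract would help, e.g. `/* rdomain item: ifname stays empty, use_rdomain/rdomain carry the selector */`.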
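Review bot: The `-1` written to `r->onrdomain` in expand_rule is a sentinel for "no rdomain restriction" that this commit also spells as `== -1` in skip_cmp_rdom (pfctl_optimize.c) and as `>= 0` in print_rule (pfctl_parser.c); a single named constant shared by the three sites would keep them from drifting. Because the sentinel is non-zero, a pf_rule that reaches the kernel without passing through expand_rule (a zero-initialised rule, for instance) would carry onrdomain 0, which print_rule's `>= 0` test treats as a restriction to rdomain 0 rather than "any"; whether such a path exists is not visible here and is worth checking. expand_rule's body continues on both sides of the hunk.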
@@ -4964,6 +4985,9 @@ expand_skip_interface(struct node_if *interfaces)
 if (interface->not) {
 yyerror("skip on ! <interface> is not supported");
 errs++;
+ } else if (interface->use_rdomain) {
+ yyerror("skip on rdomain <num> is not supported");
+ errs++;
 } else
 errs += pfctl_set_interface_flags(pf, interface->ifname,
 PFI_IFLAG_SKIP, 1);
@@ -5093,6 +5117,7 @@ lookup(char *s)
 { "quick", QUICK},
 { "random", RANDOM},
 { "random-id", RANDOMID},
+ { "rdomain", RDOMAIN},
 { "rdr-to", RDRTO},
 { "realtime", REALTIME},
 { "reassemble", REASSEMBLE},
diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c
index c5d872ac7dd..45f1bb747c8 100644
--- a/sbin/pfctl/pfctl_optimize.c
+++ b/sbin/pfctl/pfctl_optimize.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_optimize.c,v 1.25 2010/03/23 13:31:29 henning Exp $ */
+/* $OpenBSD: pfctl_optimize.c,v 1.26 2011/04/06 13:19:55 claudio Exp $ */
 /*
  * Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>
@@ -173,6 +173,8 @@ struct pf_rule_field {
 PF_RULE_FIELD(dst.port_op, NOMERGE),
 PF_RULE_FIELD(src.neg, NOMERGE),
 PF_RULE_FIELD(dst.neg, NOMERGE),
+ PF_RULE_FIELD(rtableid, NOMERGE),
+ PF_RULE_FIELD(onrdomain, NOMERGE),
 /* These fields can be merged */
 PF_RULE_FIELD(src.addr, COMBINED),
@@ -227,6 +229,7 @@ int skip_compare(int, struct pf_skip_step *, struct pf_opt_rule *);
 void skip_init(void);
 int skip_cmp_af(struct pf_rule *, struct pf_rule *);
 int skip_cmp_dir(struct pf_rule *, struct pf_rule *);
+int skip_cmp_rdom(struct pf_rule *, struct pf_rule *);
 int skip_cmp_dst_addr(struct pf_rule *, struct pf_rule *);
 int skip_cmp_dst_port(struct pf_rule *, struct pf_rule *);
 int skip_cmp_ifp(struct pf_rule *, struct pf_rule *);
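Review bot: `PF_RULE_FIELD(rtableid, NOMERGE)` is added next to the onrdomain entry but is not covered by the commit message, which only describes rdomain filtering; marking a field NOMERGE changes which rules the optimizer is allowed to combine, so the message or a comment on that line should say why rtableid now needs it. The pf_rule_field initializer continues outside the hunk.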
@@ -242,6 +245,7 @@ const char *skip_comparitors_names[PF_SKIP_COUNT];
 #define PF_SKIP_COMPARITORS { \
 { "ifp", PF_SKIP_IFP, skip_cmp_ifp }, \
 { "dir", PF_SKIP_DIR, skip_cmp_dir }, \
+ { "rdomain", PF_SKIP_RDOM, skip_cmp_rdom }, \
 { "af", PF_SKIP_AF, skip_cmp_af }, \
 { "proto", PF_SKIP_PROTO, skip_cmp_proto }, \
 { "saddr", PF_SKIP_SRC_ADDR, skip_cmp_src_addr }, \
@@ -1036,6 +1040,15 @@ skip_cmp_dir(struct pf_rule *a, struct pf_rule *b)
 return (0);
 }
+/* Compare two rules ON RDOMAIN field for skiplist construction */
+int
+skip_cmp_rdom(struct pf_rule *a, struct pf_rule *b)
+{
+ if (a->onrdomain == -1 || a->onrdomain != b->onrdomain)
+ return (1);
+ return (a->ifnot != b->ifnot);
+}
+
 /* Compare two rules DST Address field for skiplist construction */
 int
 skip_cmp_dst_addr(struct pf_rule *a, struct pf_rule *b)
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index f6ab2c68312..f6c5c7f16eb 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.274 2011/04/05 13:48:18 mikeb Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.275 2011/04/06 13:19:55 claudio Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -771,6 +771,12 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 else
 printf(" on %s", r->ifname);
 }
+ if (r->onrdomain >= 0) {
+ if (r->ifnot)
+ printf(" on ! rdomain %i", r->onrdomain);
+ else
+ printf(" on rdomain %i", r->onrdomain);
+ }
 if (r->af) {
 if (r->af == AF_INET)
 printf(" inet");
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 26cd0beb1be..8131ac6bbc0 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.94 2010/06/25 23:27:47 henning Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.95 2011/04/06 13:19:55 claudio Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
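Review bot: skip_cmp_rdom returns 1 whenever `a->onrdomain == -1`, so two rules that both lack an `on rdomain` selector are reported as differing and never share a skip step on this field; that is the conservative result, but it is only implied by the condition, so the header comment should state it, e.g. `/* Rules without "on rdomain" (onrdomain == -1) never share a skip step */`. The final `a->ifnot != b->ifnot` comparison reuses the interface-negation flag for the rdomain selector, which matches the `on ! rdomain` form that print_rule emits in this commit; a short note that ifnot is shared between the interface and rdomain selectors would spare the next reader from having to cross-reference pfctl_parser.c.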
@@ -103,7 +103,9 @@ struct node_if {
 char ifname[IFNAMSIZ];
 u_int8_t not;
 u_int8_t dynamic; /* antispoof */
+ u_int8_t use_rdomain;
 u_int ifa_flags;
+ int rdomain;
 struct node_if *next;
 struct node_if *tail;
 };
|
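Review bot: The two new struct node_if fields carry no comment while the neighbouring `dynamic` field has one (`/* antispoof */`); since `rdomain` is only meaningful when `use_rdomain` is set and `ifname` is left empty for such a node, that coupling belongs on the declarations, e.g. `u_int8_t use_rdomain; /* item names an rdomain, not an ifname */` and `int rdomain; /* valid only when use_rdomain is set */`. Placing `rdomain` directly after `use_rdomain` instead of after `ifa_flags` would also keep the pair together.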