author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2002-06-11 02:27:20 +0000 |
committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2002-06-11 02:27:20 +0000 |
commit | 7923463712aeebd381606d84547c328d4e2d5a79 (patch) | |
tree | 65445cf86d56fdad12d31930d0c0ae4599f500c6 /sbin | |
parent | 4aa39a04544f9e194e45e88c95e17915dd075304 (diff) |
SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 26 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 10 |
2 files changed, 24 insertions, 12 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8fa6adc3b61..d91dced4147 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.95 2002/06/11 02:12:37 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.96 2002/06/11 02:27:19 frantzen Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -207,13 +207,13 @@ typedef struct {
 %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
 %token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
-%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL
+%token NOROUTE FRAGCACHE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL
 %token <v.string> STRING
 %token <v.number> NUMBER
 %token <v.i> PORTUNARY PORTBINARY
 %type <v.interface> interface if_list if_item_not if_item
 %type <v.number> port icmptype icmp6type minttl uid gid maxmss
-%type <v.i> no dir log quick af nodf allowopts fragment
+%type <v.i> no dir log quick af nodf allowopts fragment fragcache
 %type <v.b> action flag flags blockspec
 %type <v.range> dport rport
 %type <v.proto> proto proto_list proto_item
@@ -253,7 +253,7 @@ varset : STRING PORTUNARY STRING
 }
 ;
-scrubrule : SCRUB dir interface fromto nodf minttl maxmss
+scrubrule : SCRUB fragcache dir interface fromto nodf minttl maxmss
 {
 struct pf_rule r;
@@ -267,14 +267,16 @@ scrubrule : SCRUB dir interface fromto nodf minttl maxmss
 memset(&r, 0, sizeof(r));
 r.action = PF_SCRUB;
- r.direction = $2;
+ r.direction = $3;
- if ($5)
- r.rule_flag |= PFRULE_NODF;
+ if ($2)
+ r.rule_flag |= PFRULE_FRAGCACHE;
 if ($6)
- r.min_ttl = $6;
+ r.rule_flag |= PFRULE_NODF;
 if ($7)
- r.max_mss = $7;
+ r.min_ttl = $7;
+ if ($8)
+ r.max_mss = $8;
 pfctl_add_rule(pf, &r);
@@ -431,6 +433,11 @@ blockspec : /* empty */ { $$.b2 = 0; $$.w = 0; }
 }
 ;
+fragcache : /* empty */ { $$ = 0; }
+ | '(' FRAGCACHE ')' { $$ = PFRULE_FRAGCACHE; }
+ ;
+
+
 dir : IN { $$ = PF_IN; }
 | OUT { $$ = PF_OUT; }
 ;
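Review bot: In the scrubrule action, the flag bit is encoded twice: the `fragcache` production already yields `PFRULE_FRAGCACHE` or 0, yet the action tests it and then ORs in the constant again with `if ($2) r.rule_flag |= PFRULE_FRAGCACHE;`. A single `r.rule_flag |= $2;` keeps the bit defined in one place and cannot drift if the production's value ever changes. The renumbered positional references check out against the new rule ($2 fragcache, $3 dir, $6 nodf, $7 minttl, $8 maxmss), but such shifts are easy to get wrong on the next insertion, so a comment at the top of the action naming the positions would help: `/* $2 fragcache, $3 dir, $4 interface, $5 fromto, $6 nodf, $7 minttl, $8 maxmss */`. The scrubrule action begins before this hunk and continues past it.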
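Review bot: The new `fragcache` nonterminal carries no comment saying what `scrub(fragcache)` selects, and the keyword alone does not convey it; going by the commit message it enables gap tracking and overlap pruning of IPv4 fragments in place of full reassembly, so a one-line comment above the production would help readers of the grammar: `/* scrub(fragcache): track fragment gaps / prune overlaps instead of reassembling */`. The hunk also appears to add two blank lines after the closing `;`, leaving a doubled blank before `dir`, where one is enough. Whether pf.conf(5) documents the new keyword is outside this diffstat (limited to 'sbin'), so it is worth confirming separately.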
@@ -2038,6 +2045,7 @@ lookup(char *s)
 { "dup-to", DUPTO},
 { "fastroute", FASTROUTE},
 { "flags", FLAGS},
+ { "fragcache", FRAGCACHE},
 { "fragment", FRAGMENT},
 { "from", FROM},
 { "group", GROUP},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index dae3e6f8f5e..0697ccd68ec 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.87 2002/06/11 02:12:37 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.88 2002/06/11 02:27:19 frantzen Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -648,8 +648,12 @@ print_rule(struct pf_rule *r)
 else
 printf(" ");
 }
- } else
- printf("scrub ");
+ } else {
+ if ((r->rule_flag & PFRULE_FRAGCACHE) == 0)
+ printf("scrub ");
+ else
+ printf("scrub(fragcache) ");
+ }
 if (r->direction == 0)
 printf("in ");
 else |
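Review bot: print_rule now emits `scrub(fragcache) ` with no whitespace around the parentheses, and if, as is usual for pfctl, the printed rule set is meant to load back through the parser, this only round-trips when the lexer returns `(` and `)` as separate single-character tokens around the `fragcache` keyword that lookup() now recognises; that lexer path is not in this diff, so feeding the printed output back through `pfctl -nf` would confirm it. As a point of style, the inverted `== 0` test reads backwards: `if (r->rule_flag & PFRULE_FRAGCACHE) printf("scrub(fragcache) "); else printf("scrub ");` states the special case first and drops a comparison. print_rule begins before this hunk and continues after it.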