authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-06-11 02:12:38 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-06-11 02:12:38 +0000
commita74d174ebe7d9d4fe9d2e8e044766a2230f8db17 (patch)
treef0a811470deb7b4f4f163f1607c5188b76d465ca /sbin
parent43a37245a81d3c24cfe3e0569a87e69eb22ea172 (diff)
Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500 to proxy port 500. ok frantzen@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y16
-rw-r--r--sbin/pfctl/pfctl_parser.c10
-rw-r--r--sbin/pfctl/pfctl_parser.h6
3 files changed, 28 insertions, 4 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 436b8d32e62..8fa6adc3b61 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.94 2002/06/10 23:07:46 kjell Exp $ */
+/* $OpenBSD: parse.y,v 1.95 2002/06/11 02:12:37 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1150,6 +1150,11 @@ rport : port {
$$.a = $1;
$$.b = $$.t = 0;
}
+ | port ':' port {
+ $$.a = $1;
+ $$.b = $3;
+ $$.t = PF_RPORT_RANGE;
+ }
| port ':' '*' {
$$.a = $1;
$$.b = 0;
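Review bot: The new `port ':' port` alternative stores `$1` and `$3` without checking their order, so a reversed range such as `port 2000:1000` leaves the grammar as an inverted pair and is only caught, if at all, once the rule reaches the kernel. The values are still in network byte order here (natrule converts them with ntohs), so the cheapest place for the check is right after that conversion in the natrule hunk below: `if (nat.proxy_port[0] > nat.proxy_port[1]) { yyerror("invalid proxy port range"); YYERROR; }`. The same ordering check would presumably also serve the rdr rule that consumes rport, which is outside this hunk. The rport rule's remaining alternatives continue past the end of the hunk.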
@@ -1232,6 +1237,15 @@ natrule : no NAT interface af proto fromto redirection
nat.af = $7->address->af;
memcpy(&nat.raddr, &$7->address->addr,
sizeof(nat.raddr));
+ nat.proxy_port[0] = ntohs($7->rport.a);
+ nat.proxy_port[1] = ntohs($7->rport.b);
+ if (!nat.proxy_port[0] && !nat.proxy_port[1]) {
+ nat.proxy_port[0] =
+ PF_NAT_PROXY_PORT_LOW;
+ nat.proxy_port[1] =
+ PF_NAT_PROXY_PORT_HIGH;
+ } else if (!nat.proxy_port[1])
+ nat.proxy_port[1] = nat.proxy_port[0];
free($7->address);
free($7);
}
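Review bot: The fallback `else if (!nat.proxy_port[1]) nat.proxy_port[1] = nat.proxy_port[0];` makes `port N:*` indistinguishable from `port N`, because the `port ':' '*'` alternative of rport sets `b = 0` and this code never consults `$7->rport.t`. A user writing an open-ended range will silently get a single proxy port, which is the opposite of what the syntax suggests. Either branch on the rport.t value that the `*` alternative assigns (outside the hunk above) and map `b == 0` to `PF_NAT_PROXY_PORT_HIGH`, or reject the `*` form for nat rules with `yyerror` so the collapse is never silent. The natrule action begins before this hunk.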
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index c9c7d1d7f6c..dae3e6f8f5e 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.86 2002/06/11 01:58:00 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.87 2002/06/11 02:12:37 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -425,6 +425,14 @@ print_nat(struct pf_nat *n)
if (!n->no) {
printf("-> ");
print_addr(&n->raddr, NULL, n->af);
+ if (n->proxy_port[0] != PF_NAT_PROXY_PORT_LOW ||
+ n->proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) {
+ if (n->proxy_port[0] == n->proxy_port[1])
+ printf(" port %u", n->proxy_port[0]);
+ else
+ printf(" port %u:%u", n->proxy_port[0],
+ n->proxy_port[1]);
+ }
}
printf("\n");
}
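Review bot: The new block omits the range only when it equals the compiled-in defaults, which couples the printed form to the default that natrule in parse.y substitutes; that dependency is not visible from this function. A comment above the `if` would make it explicit: `/* the default range is what natrule fills in when none is given, so omit it to keep the output loadable unchanged */`. Note also that the single-port form is printed whenever both ends match, so a rule the kernel reports with identical ends cannot be told apart from one that was written as a range. print_nat starts before this hunk.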
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 3498c3adb81..8cacd0e6c6d 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.21 2002/06/11 01:58:00 henning Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.22 2002/06/11 02:12:37 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -43,6 +43,9 @@
#define PF_TH_ALL 0xFF
+#define PF_NAT_PROXY_PORT_LOW 50001
+#define PF_NAT_PROXY_PORT_HIGH 65535
+
#define FCNT_NAMES { \
"searches", \
"inserts", \
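Review bot: The two new defines carry no comment stating their role or byte order: natrule in parse.y copies them into `proxy_port[]` after ntohs, so they are host-order values used as the default proxy source-port range when a nat rule names none, and print_nat elides exactly this pair. Suggest `/* default proxy source-port range for nat rules that give none (host byte order) */` above `PF_NAT_PROXY_PORT_LOW`. Since the defaults live in this userland header rather than alongside the kernel's pf definitions, any other tool loading nat rules presumably has to supply its own range; a comment noting that would help the next maintainer.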
@@ -50,7 +53,6 @@
NULL \
}
-
struct pfctl {
int dev;
int opts;