author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-12-10 18:08:13 +0000 |
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-12-10 18:08:13 +0000 |
commit | ef7fe41359ba259a7857905a4b3d2435be3cdb72 (patch) | |
tree | c36df67bac485a59cc45f94551938ff5ccfe6a04 /sbin | |
parent | e86732160464c1736621edc0f8d6a4f07e85cd0f (diff) |
Add stateful filtering for other (non-TCP/UDP/ICMP) protocols, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 19 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.8 | 8 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 5 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 96 |
4 files changed, 68 insertions, 60 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 3e4b367ba8f..f90fc6bb594 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.46 2001/12/05 17:11:54 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.47 2001/12/10 18:08:12 dhartmei Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -921,11 +921,21 @@ rdrrule : RDR interface proto FROM ipspec TO ipspec dport ARROW address rport
 rdr.rport = $11.a;
 rdr.opts |= $11.t;
+ if (rdr.proto && rdr.proto != IPPROTO_TCP &&
+ rdr.proto != IPPROTO_UDP &&
+ (rdr.dport || rdr.dport2 || rdr.rport)) {
+ yyerror("rdr ports are only valid for proto tcp/udp");
+ YYERROR;
+ }
+
 pfctl_add_rdr(pf, &rdr);
 }
 ;
-dport : PORT port {
+dport : /* empty */ {
+ $$.a = $$.b = $$.t = 0;
+ }
+ | PORT port {
 $$.a = $2;
 $$.b = $$.t = 0;
 }
@@ -936,7 +946,10 @@ dport : PORT port {
 }
 ;
-rport : PORT port {
+rport : /* empty */ {
+ $$.a = $$.b = $$.t = 0;
+ }
+ | PORT port {
 $$.a = $2;
 $$.b = $$.t = 0;
 }
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 212e091bd75..e10bea3b1ca 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.34 2001/10/11 00:53:21 dhartmei Exp $
+.\" $OpenBSD: pfctl.8,v 1.35 2001/12/10 18:08:12 dhartmei Exp $
 .\"
 .\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
 .\"
@@ -213,6 +213,12 @@ The state after the first packet.
 The state after an icmp error came back in response to an icmp packet.
 .El
 .Pp
+Other protocols are handled similarly to UDP:
+.Bl -tag -width "t other.multiple " -compact
+.It Fl t Ar other.first
+.It Fl t Ar other.single
+.It Fl t Ar other.multiple
+.El
 .Bd -literal
 Example:
 # Timeout established connections after an hour of inactivity
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index c231a2e6232..3f242510653 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
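Review bot: The new check in the rdrrule action only rejects ports when a protocol was given, so a rule that names ports but omits `proto` (rdr.proto == 0) still passes and reaches pfctl_add_rdr() with a port filter that, after this commit, can be evaluated against non-TCP/UDP traffic as well; whether the kernel ignores the ports for such protocols is not visible here. Either tighten the condition so that ports require proto tcp or udp, or state the intended semantics in a comment above the check, e.g. `/* ports without a proto: kernel applies them to tcp/udp only -- verify */`. The rdrrule action starts before the hunk.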
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.47 2001/10/04 21:54:15 dhartmei Exp $ */
+/* $OpenBSD: pfctl.c,v 1.48 2001/12/10 18:08:12 dhartmei Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -94,6 +94,9 @@ static const struct {
 { "udp.multiple", PFTM_UDP_MULTIPLE },
 { "icmp.first", PFTM_ICMP_FIRST_PACKET },
 { "icmp.error", PFTM_ICMP_ERROR_REPLY },
+ { "other.first", PFTM_OTHER_FIRST_PACKET },
+ { "other.single", PFTM_OTHER_SINGLE },
+ { "other.multiple", PFTM_OTHER_MULTIPLE },
 { "frag", PFTM_FRAG },
 { "interval", PFTM_INTERVAL },
 { NULL, 0 }};
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 6a3853b3f1b..5a598cfda01 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.55 2001/12/01 16:44:45 frantzen Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.56 2001/12/10 18:08:12 dhartmei Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -296,10 +296,12 @@ print_host(struct pf_state_host *h, int af)
 u_int16_t p = ntohs(h->port);
 print_addr(&h->addr, NULL, af);
- if (af == AF_INET)
- printf(":%u", p);
- else
- printf("[%u]", p);
+ if (p) {
+ if (af == AF_INET)
+ printf(":%u", p);
+ else
+ printf("[%u]", p);
+ }
 }
@@ -365,6 +367,13 @@ print_nat(struct pf_nat *n)
 printf("! ");
 printf("%s ", n->ifname);
 }
+ if (n->proto) {
+ struct protoent *p = getprotobynumber(n->proto);
+ if (n != NULL)
+ printf("proto %s ", p->p_name);
+ else
+ printf("proto %u ", n->proto);
+ }
 printf("from ");
 if (!PF_AZERO(&n->saddr, n->af) || !PF_AZERO(&n->smask, n->af)) {
 if (n->snot)
@@ -383,18 +392,6 @@ print_nat(struct pf_nat *n)
 printf("any ");
 printf("-> ");
 print_addr(&n->raddr, NULL, n->af);
- printf(" ");
- switch (n->proto) {
- case IPPROTO_TCP:
- printf("proto tcp");
- break;
- case IPPROTO_UDP:
- printf("proto udp");
- break;
- case IPPROTO_ICMP:
- printf("proto icmp");
- break;
- }
 printf("\n");
 }
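Review bot: In the print_nat() hunk at @@ -365 the NULL check tests the wrong variable: `if (n != NULL)` guards `p->p_name`, but `n` is the rule pointer that was already dereferenced on the line above, so the branch is always taken and `p` is used unchecked. getprotobynumber(3) returns NULL for any protocol number without an entry in /etc/protocols, which is precisely the case this commit newly admits for NAT rules, so `pfctl -s nat` on such a rule dereferences NULL. The sibling code in print_binat() and print_rdr() has it right; change the line to `if (p != NULL)`. The rest of print_nat() lies outside the hunk.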
@@ -406,16 +403,12 @@ print_binat(struct pf_binat *b)
 printf("on ");
 printf("%s ", b->ifname);
 }
- switch (b->proto) {
- case IPPROTO_TCP:
- printf("proto tcp ");
- break;
- case IPPROTO_UDP:
- printf("proto udp ");
- break;
- case IPPROTO_ICMP:
- printf("proto icmp ");
- break;
+ if (b->proto) {
+ struct protoent *p = getprotobynumber(b->proto);
+ if (p != NULL)
+ printf("proto %s ", p->p_name);
+ else
+ printf("proto %u ", b->proto);
 }
 printf("from ");
 print_addr(&b->saddr, NULL, b->af);
@@ -443,13 +436,12 @@ print_rdr(struct pf_rdr *r)
 printf("! ");
 printf("%s ", r->ifname);
 }
- switch (r->proto) {
- case IPPROTO_TCP:
- printf("proto tcp ");
- break;
- case IPPROTO_UDP:
- printf("proto udp ");
- break;
+ if (r->proto) {
+ struct protoent *p = getprotobynumber(r->proto);
+ if (p != NULL)
+ printf("proto %s ", p->p_name);
+ else
+ printf("proto %u ", r->proto);
 }
 printf("from ");
 if (!PF_AZERO(&r->saddr, r->af) || !PF_AZERO(&r->smask, r->af)) {
@@ -467,15 +459,19 @@ print_rdr(struct pf_rdr *r)
 printf(" ");
 } else
 printf("any ");
- printf("port %u", ntohs(r->dport));
- if (r->opts & PF_DPORT_RANGE)
- printf(":%u", ntohs(r->dport2));
+ if (r->dport) {
+ printf("port %u", ntohs(r->dport));
+ if (r->opts & PF_DPORT_RANGE)
+ printf(":%u", ntohs(r->dport2));
+ }
 printf(" -> ");
 print_addr(&r->raddr, NULL, r->af);
 printf(" ");
- printf("port %u", ntohs(r->rport));
- if (r->opts & PF_RPORT_RANGE)
- printf(":*");
+ if (r->rport) {
+ printf("port %u", ntohs(r->rport));
+ if (r->opts & PF_RPORT_RANGE)
+ printf(":*");
+ }
 printf("\n");
 }
@@ -534,6 +530,7 @@ void print_state(struct pf_state *s, int opts)
 {
 struct pf_state_peer *src, *dst;
+ struct protoent *p;
 u_int8_t hrs, min, sec;
 if (s->direction == PF_OUT) {
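Review bot: The six-line getprotobynumber() block added in this print_binat() hunk is repeated verbatim in the print_rdr() hunk below and in print_nat(), and the copies have already diverged (print_nat() tests `n` where the others test `p`), which is how the NULL check on `p->p_name` ends up wrong in one of three places. A small static helper keeps the lookup and its NULL fallback in one spot and turns each caller into `print_proto(b->proto);`; print_state() prints the name without the "proto " prefix and can stay separate. The enclosing functions start before and end after their hunks.
```c
/* Print "proto NAME " for a non-zero protocol number, falling back to
 * the number itself when /etc/protocols has no entry for it. */
static void
print_proto(u_int8_t proto)
{
	struct protoent *p;

	if (proto == 0)
		return;
	if ((p = getprotobynumber(proto)) != NULL)
		printf("proto %s ", p->p_name);
	else
		printf("proto %u ", proto);
}

/* … unchanged: print_binat() up to the interface name … */
	print_proto(b->proto);
	printf("from ");
/* … unchanged: rest of print_binat(); same one-line call in print_rdr() and print_nat() … */
```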
@@ -543,21 +540,10 @@ print_state(struct pf_state *s, int opts)
 src = &s->dst;
 dst = &s->src;
 }
- switch (s->proto) {
- case IPPROTO_TCP:
- printf("TCP ");
- break;
- case IPPROTO_UDP:
- printf("UDP ");
- break;
- case IPPROTO_ICMPV6:
- case IPPROTO_ICMP:
- printf("ICMP ");
- break;
- default:
- printf("???? ");
- break;
- }
+ if ((p = getprotobynumber(s->proto)) != NULL)
+ printf("%s ", p->p_name);
+ else
+ printf("%u ", s->proto);
 if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
 (s->lan.port != s->gwy.port)) {
 print_host(&s->lan, s->af);
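Review bot: The new lookup in this print_state() hunk changes the state listing format rather than only extending it: the removed code printed the fixed tokens "TCP ", "UDP " and "ICMP " (with IPPROTO_ICMPV6 mapped to "ICMP " as well) and "???? " for anything else, whereas the new code prints whatever name /etc/protocols holds for the number, presumably differently spelled and with a distinct name for ICMPv6, and the bare number when the database has no entry or cannot be read. Anything scripted against `pfctl -s state` output will see this; it deserves a sentence in the commit message or pfctl.8, and if compatibility matters the fixed spelling for TCP/UDP/ICMP could be kept with the database consulted only for other protocols. print_state() continues outside the hunk.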