author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2007-08-30 09:28:50 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2007-08-30 09:28:50 +0000 |
commit | eab5da4ad50973492e4006b90a121d5e0700a56b (patch) | |
tree | 329a79f665779d7d104f88c1066caab489cc3df9 /sys | |
parent | 73bc0ba623ce24190c9095c492a035142c0a5bc6 (diff) |
add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 40 | ||||
-rw-r--r-- | sys/net/pfvar.h | 10 |
2 files changed, 47 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 7518038a2e8..c72f538d2bd 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.554 2007/08/28 16:09:12 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.555 2007/08/30 09:28:48 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1790,6 +1790,44 @@ pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, } } +/* + * Return 1 if b <= a <= e, otherwise return 0. + */ +int +pf_match_addr_range(struct pf_addr *b, struct pf_addr *e, + struct pf_addr *a, sa_family_t af) +{ + switch (af) { +#ifdef INET + case AF_INET: + if ((a->addr32[0] < b->addr32[0]) || + (a->addr32[0] > e->addr32[0])) + return (0); + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: { + int i; + + /* check a >= b */ + for (i = 0; i < 4; ++i) + if (a->addr32[i] > b->addr32[i]) + break; + else if (a->addr32[i] < b->addr32[i]) + return (0); + /* check a <= e */ + for (i = 0; i < 4; ++i) + if (a->addr32[i] < e->addr32[i]) + break; + else if (a->addr32[i] > e->addr32[i]) + return (0); + break; + } +#endif /* INET6 */ + } + return (1); +} + int pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) { diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 1cea3385e15..db7175c0846 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.254 2007/07/13 09:17:48 markus Exp $ */ +/* $OpenBSD: pfvar.h,v 1.255 2007/08/30 09:28:48 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -112,7 +112,8 @@ enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, - PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED }; + PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED, + PF_ADDR_RANGE }; #define PF_POOL_TYPEMASK 0x0f #define PF_POOL_STICKYADDR 0x20 #define PF_WSCALE_FLAG 0x80 
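Review bot: The new `pf_match_addr_range()` compares the `addr32[]` words with `<` and `>` directly, which orders them by their host-endian value. If `struct pf_addr` stores addresses in network byte order, as is usual for pf addresses (the hunk does not show the storage), the test is wrong on little-endian machines: a rule such as `from 10.1.2.50 - 10.1.3.75` would match a different set of addresses than the one written. Converting each word with `ntohl()` before comparing, in the AF_INET branch and in both AF_INET6 loops, gives the numeric order that the comment `b <= a <= e` promises. Separately, the `switch` has no `default`, so an address family that is not handled falls through to `return (1)` and is reported as inside the range; what callers expect for such families is not visible in this hunk.

```c
	case AF_INET:
		if ((ntohl(a->addr32[0]) < ntohl(b->addr32[0])) ||
		    (ntohl(a->addr32[0]) > ntohl(e->addr32[0])))
			return (0);
		break;
	/* ... unchanged: #endif INET, #ifdef INET6, case AF_INET6 opening, int i ... */
		/* check a >= b */
		for (i = 0; i < 4; ++i)
			if (ntohl(a->addr32[i]) > ntohl(b->addr32[i]))
				break;
			else if (ntohl(a->addr32[i]) < ntohl(b->addr32[i]))
				return (0);
		/* check a <= e */
		for (i = 0; i < 4; ++i)
			if (ntohl(a->addr32[i]) < ntohl(e->addr32[i]))
				break;
			else if (ntohl(a->addr32[i]) > ntohl(e->addr32[i]))
				return (0);
		break;
	/* ... unchanged: closing brace, #endif INET6, return (1) ... */
```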
@@ -329,6 +330,9 @@ struct pfi_dynaddr { !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ ((aw)->type == PF_ADDR_DYNIFTL && \ !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ + ((aw)->type == PF_ADDR_RANGE && \ + !pf_match_addr_range(&(aw)->v.a.addr, \ + &(aw)->v.a.mask, (x), (af))) || \ ((aw)->type == PF_ADDR_ADDRMASK && \ !PF_AZERO(&(aw)->v.a.mask, (af)) && \ !PF_MATCHA(0, &(aw)->v.a.addr, \ @@ -1612,6 +1616,8 @@ int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, struct pf_pdesc *); int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t); +int pf_match_addr_range(struct pf_addr *, struct pf_addr *, + struct pf_addr *, sa_family_t); int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); |
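Review bot: The added `PF_ADDR_RANGE` clause in the address-mismatch macro passes `v.a.mask` as the upper bound of the range, so for this type the field no longer holds a netmask, and nothing in the hunk records that. A comment above the macro, for example `/* PF_ADDR_RANGE: v.a.addr = first address, v.a.mask = last address (inclusive) */`, would keep later code that reads `v.a.mask` from treating it as a mask. `pf_match_addr_range()` also does not check that the first address is not greater than the last, so an inverted range would never match. Whether the rule-loading path rejects such a range is not visible here. The macro begins above the hunk and continues below it.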