authorAaron Campbell <aaron@cvs.openbsd.org>2004-09-21 16:59:13 +0000
committerAaron Campbell <aaron@cvs.openbsd.org>2004-09-21 16:59:13 +0000
commit1b1b7e0ae965714670e0dda240c73d1e215242ce (patch)
treed7fb3721412e7ce3398afff543a7fd7f1331e4be /sys
parent597a56a976641df53c64f741912ed1b884fcca9e (diff)
Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf_ioctl.c3
-rw-r--r--sys/net/pf_norm.c4
-rw-r--r--sys/net/pfvar.h4
3 files changed, 6 insertions, 5 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 2eb48a748f2..e5c50615f16 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.130 2004/09/09 22:08:42 dhartmei Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.131 2004/09/21 16:59:12 aaron Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -257,6 +257,7 @@ pf_get_ruleset_number(u_int8_t action)
{
switch (action) {
case PF_SCRUB:
+ case PF_NOSCRUB:
return (PF_RULESET_SCRUB);
break;
case PF_PASS:
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 9d1cc22debe..3c3dbc062ca 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.96 2004/07/17 00:17:27 frantzen Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.97 2004/09/21 16:59:12 aaron Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -1244,7 +1244,7 @@ pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff,
}
}
- if (rm == NULL)
+ if (rm == NULL || rm->action == PF_NOSCRUB)
return (PF_PASS);
else
r->packets++;
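Review bot: Only this check in pf_normalize_tcp learns about `PF_NOSCRUB`; the diffstat shows four changed lines in pf_norm.c (the RCS id and this condition), so no other normalization path in the file was touched. If the IP-level entry points (pf_normalize_ip, presumably) evaluate the same scrub ruleset, a matching "no scrub" rule would still be treated there as an ordinary scrub match and the packet normalized, so the exclusion would hold only for TCP normalization. The equivalent guard, `if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS);`, should be applied wherever the scrub ruleset is walked. The early return also precedes `r->packets++`, so hits on "no scrub" rules are never counted. The function body starts and ends outside this hunk.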
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 1e23993297c..6bd93c7a714 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.202 2004/07/12 00:50:22 itojun Exp $ */
+/* $OpenBSD: pfvar.h,v 1.203 2004/09/21 16:59:12 aaron Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -49,7 +49,7 @@ struct ip;
enum { PF_INOUT, PF_IN, PF_OUT };
enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID };
-enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NAT, PF_NONAT,
+enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP };
enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
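Review bot: Inserting `PF_NOSCRUB` between `PF_SCRUB` and `PF_NAT` renumbers every later action constant, `PF_NAT` through `PF_SYNPROXY_DROP`. If these values cross the ioctl boundary in rule structures, as `pf_get_ruleset_number(u_int8_t action)` in pf_ioctl.c suggests, a userland tool built against the old header would load rules whose actions the new kernel reads as a different action (an old `PF_NAT` would arrive as `PF_NOSCRUB`). Either append the new constant after `PF_SYNPROXY_DROP` to keep existing values stable, or add a comment above the enum such as `/* action values are shared with userland via ioctl; kernel and pfctl must be rebuilt together */`.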