author | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-26 15:04:38 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-26 15:04:38 +0000 |
commit | 3a5642b9d63b126cd1777adf6a2703b1dd584b30 (patch) | |
tree | 8bccd615d357588c33524e8d18dee9065ac62102 /usr.sbin/relayd/parse.y | |
parent | 1bdbf24ed9482dd43cb746e6323d6127ab04701f (diff) |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In
some cases it is desired to load the rules as "match in" without "quick"
to allow additional filtering or applying additional rule/state options,
e.g. to add an overload table for DoS mitigation. Add the optional "match"
keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
Diffstat (limited to 'usr.sbin/relayd/parse.y')
-rw-r--r-- | usr.sbin/relayd/parse.y | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index d5b5fa51a0a..98f881873a3 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.148 2010/10/18 11:51:22 sthen Exp $ */
+/* $OpenBSD: parse.y,v 1.149 2010/10/26 15:04:37 reyk Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org>
@@ -149,14 +149,14 @@ typedef struct {
 %token QUERYSTR REAL REDIRECT RELAY REMOVE REQUEST RESPONSE RETRY
 %token RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION SOCKET
 %token SSL STICKYADDR STYLE TABLE TAG TCP TIMEOUT TO ROUTER RTLABEL
-%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
+%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE MATCH
 %token <v.string> STRING
 %token <v.number> NUMBER
 %type <v.string> hostname interface table
 %type <v.number> http_type loglevel mark
 %type <v.number> direction dstmode flag forwardmode retry
 %type <v.number> optssl optsslclient sslcache
-%type <v.number> redirect_proto relay_proto
+%type <v.number> redirect_proto relay_proto match
 %type <v.port> port
 %type <v.host> host
 %type <v.addr> address
@@ -499,16 +499,18 @@ rdroptsl : forwardmode TO tablespec interface {
 }
 | DISABLE { rdr->conf.flags |= F_DISABLE; }
 | STICKYADDR { rdr->conf.flags |= F_STICKY; }
-| TAG STRING {
+| match TAG STRING {
 conf->sc_flags |= F_NEEDPF;
-if (strlcpy(rdr->conf.tag, $2,
+if (strlcpy(rdr->conf.tag, $3,
 sizeof(rdr->conf.tag)) >= sizeof(rdr->conf.tag)) {
 yyerror("redirection tag name truncated");
-free($2);
+free($3);
 YYERROR;
 }
-free($2);
+if ($1)
+rdr->conf.flags |= F_MATCH;
+free($3);
 }
 | SESSION TIMEOUT NUMBER {
 if ((rdr->conf.timeout.tv_sec = $3) < 0) {
@@ -519,6 +521,10 @@ rdroptsl : forwardmode TO tablespec interface {
 | include
 ;
 
+match : /* empty */ { $$ = 0; }
+| MATCH { $$ = 1; }
+;
+
 forwardmode : FORWARD { $$ = FWD_NORMAL; }
 | ROUTE { $$ = FWD_ROUTE; }
 | TRANSPARENT FORWARD { $$ = FWD_TRANS; }
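Review bot: The new `match` nonterminal in the hunk at -519 and the `if ($1) rdr->conf.flags |= F_MATCH;` line in the `rdroptsl` TAG alternative carry their meaning only in the commit message; nothing in the grammar says what F_MATCH changes. A comment on the rule such as `/* optional "match": load the redirect's pf rule as "match in" (no "quick") instead of "pass in quick"; sets F_MATCH */` would keep that next to the code. It is worth stating there, as the description implies, that with "match" the final disposition of the redirected packet is left to later pf rules, so a ruleset that never passes the tagged traffic leaves the redirect silently non-functional — a configuration rather than code defect, but one an operator should be told about at the keyword. The `rdroptsl` rule itself begins and ends outside the hunk.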
@@ -1736,6 +1742,7 @@ lookup(char *s)
 { "lookup", LOOKUP },
 { "mark", MARK },
 { "marked", MARKED },
+{ "match", MATCH },
 { "mode", MODE },
 { "nat", NAT },
 { "no", NO }, |