authorReyk Floeter <reyk@cvs.openbsd.org>2010-10-26 15:04:38 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2010-10-26 15:04:38 +0000
commit3a5642b9d63b126cd1777adf6a2703b1dd584b30 (patch)
tree8bccd615d357588c33524e8d18dee9065ac62102 /usr.sbin
parent1bdbf24ed9482dd43cb746e6323d6127ab04701f (diff)
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In
some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, e.g. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly. ok jsg@ mikeb@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/relayd/parse.y21
-rw-r--r--usr.sbin/relayd/pfe_filter.c11
-rw-r--r--usr.sbin/relayd/relayd.conf.518
-rw-r--r--usr.sbin/relayd/relayd.h3
4 files changed, 39 insertions, 14 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index d5b5fa51a0a..98f881873a3 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.148 2010/10/18 11:51:22 sthen Exp $ */
+/* $OpenBSD: parse.y,v 1.149 2010/10/26 15:04:37 reyk Exp $ */
/*
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org>
@@ -149,14 +149,14 @@ typedef struct {
%token QUERYSTR REAL REDIRECT RELAY REMOVE REQUEST RESPONSE RETRY
%token RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION SOCKET
%token SSL STICKYADDR STYLE TABLE TAG TCP TIMEOUT TO ROUTER RTLABEL
-%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
+%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE MATCH
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> hostname interface table
%type <v.number> http_type loglevel mark
%type <v.number> direction dstmode flag forwardmode retry
%type <v.number> optssl optsslclient sslcache
-%type <v.number> redirect_proto relay_proto
+%type <v.number> redirect_proto relay_proto match
%type <v.port> port
%type <v.host> host
%type <v.addr> address
@@ -499,16 +499,18 @@ rdroptsl : forwardmode TO tablespec interface {
}
| DISABLE { rdr->conf.flags |= F_DISABLE; }
| STICKYADDR { rdr->conf.flags |= F_STICKY; }
- | TAG STRING {
+ | match TAG STRING {
conf->sc_flags |= F_NEEDPF;
- if (strlcpy(rdr->conf.tag, $2,
+ if (strlcpy(rdr->conf.tag, $3,
sizeof(rdr->conf.tag)) >=
sizeof(rdr->conf.tag)) {
yyerror("redirection tag name truncated");
- free($2);
+ free($3);
YYERROR;
}
- free($2);
+ if ($1)
+ rdr->conf.flags |= F_MATCH;
+ free($3);
}
| SESSION TIMEOUT NUMBER {
if ((rdr->conf.timeout.tv_sec = $3) < 0) {
@@ -519,6 +521,10 @@ rdroptsl : forwardmode TO tablespec interface {
| include
;
+match : /* empty */ { $$ = 0; }
+ | MATCH { $$ = 1; }
+ ;
+
forwardmode : FORWARD { $$ = FWD_NORMAL; }
| ROUTE { $$ = FWD_ROUTE; }
| TRANSPARENT FORWARD { $$ = FWD_TRANS; }
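Review bot: The new `match` nonterminal is an optional-prefix production whose value is consumed only by the `match TAG STRING` alternative of rdroptsl, and nothing in the grammar says so; a one-line comment above it would help the next reader, e.g. `/* optional "match" prefix for "tag": 1 loads the pf rule as "match in" instead of "pass in quick" */`. Without it a reader could take `match` for a general rule modifier rather than something tied to F_MATCH on the redirect.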
@@ -1736,6 +1742,7 @@ lookup(char *s)
{ "lookup", LOOKUP },
{ "mark", MARK },
{ "marked", MARKED },
+ { "match", MATCH },
{ "mode", MODE },
{ "nat", NAT },
{ "no", NO },
diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c
index f30f5c993b0..37f91d9598f 100644
--- a/usr.sbin/relayd/pfe_filter.c
+++ b/usr.sbin/relayd/pfe_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfe_filter.c,v 1.44 2010/09/02 14:03:22 sobrado Exp $ */
+/* $OpenBSD: pfe_filter.c,v 1.45 2010/10/26 15:04:37 reyk Exp $ */
/*
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -394,9 +394,14 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
memset(&rio, 0, sizeof(rio));
(void)strlcpy(rio.anchor, anchor, sizeof(rio.anchor));
- rio.rule.action = PF_PASS;
+ if (rdr->conf.flags & F_MATCH) {
+ rio.rule.action = PF_MATCH;
+ rio.rule.quick = 0;
+ } else {
+ rio.rule.action = PF_PASS;
+ rio.rule.quick = 1; /* force first match */
+ }
rio.rule.direction = PF_IN;
- rio.rule.quick = 1; /* force first match */
rio.rule.keep_state = PF_STATE_NORMAL;
switch (t->conf.fwdmode) {
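Review bot: `rio.rule.keep_state = PF_STATE_NORMAL` on the line after the new branch is still applied unconditionally, so the F_MATCH case produces a match-action rule that also carries a state option; whether pf honours or rejects state creation on a match rule should be confirmed before relying on it, because if it is ignored the state is created only by whatever later pass rule the administrator writes for the tagged traffic. The `quick = 0` assignment would also benefit from a why-comment mirroring the one kept on the pass branch, e.g. `rio.rule.quick = 0; /* non-terminal: later pf rules still see the tagged packet */`. sync_ruleset begins and ends outside the hunk.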
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 428502742cd..f2bb57423ef 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.114 2010/08/01 22:18:35 sthen Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.115 2010/10/26 15:04:37 reyk Exp $
.\"
.\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 1 2010 $
+.Dd $Mdocdate: October 26 2010 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -488,11 +488,23 @@ for an rdr-to rule in
.Xr pf.conf 5 .
It will ensure that multiple connections from the same source are
mapped to the same redirection address.
-.It Ic tag Ar name
+.It Xo
+.Op Ic match
+.Ic tag Ar name
+.Xc
Automatically tag packets passing through the
.Xr pf 4
rdr-to rule with the name supplied.
This allows simpler filter rules.
+The optional
+.Ic match
+keyword will change the default rule action from
+.Ar pass in quick
+to
+.Ar match in
+to allow further evaluation in the pf ruleset using the
+.Ar tagged name
+rule option.
.El
.Sh RELAYS
Relays will forward traffic between a client and a target server.
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 1194cf69c3c..d2d2369324a 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.137 2010/08/01 22:18:35 sthen Exp $ */
+/* $OpenBSD: relayd.h,v 1.138 2010/10/26 15:04:37 reyk Exp $ */
/*
* Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -246,6 +246,7 @@ TAILQ_HEAD(addresslist, address);
#define F_PORT 0x00100000
#define F_SSLCLIENT 0x00200000
#define F_NEEDRT 0x00400000
+#define F_MATCH 0x00800000
enum forwardmode {
FWD_NORMAL = 0,