author | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-26 15:04:38 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-26 15:04:38 +0000 |
commit | 3a5642b9d63b126cd1777adf6a2703b1dd584b30 (patch) | |
tree | 8bccd615d357588c33524e8d18dee9065ac62102 /usr.sbin | |
parent | 1bdbf24ed9482dd43cb746e6323d6127ab04701f (diff) |
redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In
some cases it is desired to load the rules as "match in" without "quick"
to allow additional filtering or applying additional rule/state options,
e.g. to add an overload table for DoS mitigation. Add the optional "match"
keyword for the redirect "tag" option to change the pf rule type accordingly.
ok jsg@ mikeb@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/relayd/parse.y | 21 | ||||
-rw-r--r-- | usr.sbin/relayd/pfe_filter.c | 11 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 18 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 3 |
4 files changed, 39 insertions, 14 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index d5b5fa51a0a..98f881873a3 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.148 2010/10/18 11:51:22 sthen Exp $ */
+/* $OpenBSD: parse.y,v 1.149 2010/10/26 15:04:37 reyk Exp $ */
 
 /*
 * Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org>
@@ -149,14 +149,14 @@ typedef struct {
 %token QUERYSTR REAL REDIRECT RELAY REMOVE REQUEST RESPONSE RETRY
 %token RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION SOCKET
 %token SSL STICKYADDR STYLE TABLE TAG TCP TIMEOUT TO ROUTER RTLABEL
-%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
+%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE MATCH
 %token <v.string> STRING
 %token <v.number> NUMBER
 %type <v.string> hostname interface table
 %type <v.number> http_type loglevel mark
 %type <v.number> direction dstmode flag forwardmode retry
 %type <v.number> optssl optsslclient sslcache
-%type <v.number> redirect_proto relay_proto
+%type <v.number> redirect_proto relay_proto match
 %type <v.port> port
 %type <v.host> host
 %type <v.addr> address
@@ -499,16 +499,18 @@ rdroptsl : forwardmode TO tablespec interface {
 }
 | DISABLE { rdr->conf.flags |= F_DISABLE; }
 | STICKYADDR { rdr->conf.flags |= F_STICKY; }
- | TAG STRING {
+ | match TAG STRING {
 conf->sc_flags |= F_NEEDPF;
- if (strlcpy(rdr->conf.tag, $2,
+ if (strlcpy(rdr->conf.tag, $3,
 sizeof(rdr->conf.tag)) >= sizeof(rdr->conf.tag)) {
 yyerror("redirection tag name truncated");
- free($2);
+ free($3);
 YYERROR;
 }
- free($2);
+ if ($1)
+ rdr->conf.flags |= F_MATCH;
+ free($3);
 }
 | SESSION TIMEOUT NUMBER {
 if ((rdr->conf.timeout.tv_sec = $3) < 0) {
@@ -519,6 +521,10 @@ rdroptsl : forwardmode TO tablespec interface {
 | include
 ;
 
+match : /* empty */ { $$ = 0; }
+ | MATCH { $$ = 1; }
+ ;
+
 forwardmode : FORWARD { $$ = FWD_NORMAL; }
 | ROUTE { $$ = FWD_ROUTE; }
 | TRANSPARENT FORWARD { $$ = FWD_TRANS; }
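Review bot: In the `match TAG STRING` action F_MATCH is only ever set, never cleared, so if a redirect block states the option twice — `match tag a` followed by `tag b` — the tag is overwritten but the redirect is still loaded as a non-terminating `match in` rule that the second line did not ask for; whether the option can repeat depends on the rdropts list rule, which is outside this hunk. If repetition is allowed, clear the bit before applying the new option, `rdr->conf.flags &= ~F_MATCH;` ahead of `if ($1)`, or reject a second `tag` with a yyerror(). The new flag assignment also deserves a one-line comment, since its effect is realised in another file: `/* match: load as "match in" instead of "pass in quick" (see sync_ruleset) */`.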
@@ -1736,6 +1742,7 @@ lookup(char *s)
 { "lookup", LOOKUP },
 { "mark", MARK },
 { "marked", MARKED },
+ { "match", MATCH },
 { "mode", MODE },
 { "nat", NAT },
 { "no", NO },
diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c
index f30f5c993b0..37f91d9598f 100644
--- a/usr.sbin/relayd/pfe_filter.c
+++ b/usr.sbin/relayd/pfe_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfe_filter.c,v 1.44 2010/09/02 14:03:22 sobrado Exp $ */
+/* $OpenBSD: pfe_filter.c,v 1.45 2010/10/26 15:04:37 reyk Exp $ */
 
 /*
 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -394,9 +394,14 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
 memset(&rio, 0, sizeof(rio));
 (void)strlcpy(rio.anchor, anchor, sizeof(rio.anchor));
 
- rio.rule.action = PF_PASS;
+ if (rdr->conf.flags & F_MATCH) {
+ rio.rule.action = PF_MATCH;
+ rio.rule.quick = 0;
+ } else {
+ rio.rule.action = PF_PASS;
+ rio.rule.quick = 1; /* force first match */
+ }
 rio.rule.direction = PF_IN;
- rio.rule.quick = 1; /* force first match */
 rio.rule.keep_state = PF_STATE_NORMAL;
 
 switch (t->conf.fwdmode) {
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 428502742cd..f2bb57423ef 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.114 2010/08/01 22:18:35 sthen Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.115 2010/10/26 15:04:37 reyk Exp $
 .\"
 .\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 1 2010 $
+.Dd $Mdocdate: October 26 2010 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
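Review bot: Adding `{ "match", MATCH }` to the lookup() keyword table turns `match` into a reserved word, so an existing relayd.conf that used the bare word `match` as a table, host or redirect name will stop parsing until that name is quoted — assuming yylex() returns every lookup() hit as a token, as the neighbouring keywords suggest. That compatibility change is not mentioned in the commit message or the manual page hunk and is worth a sentence in one of them. The entry is placed so that `marked` < `match` < `mode`, which keeps the table sorted for the search the surrounding entries appear to rely on.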
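Review bot: The new F_MATCH branch in sync_ruleset() carries no comment while the else branch keeps `/* force first match */`, yet the cleared quick flag is the behavioural change an operator needs to understand: a `match in` rule applies the rdr-to but does not terminate evaluation or pass the packet, so the redirected traffic is only admitted if a later rule in the ruleset passes it. Suggest `/* match: non-terminating, redirect applies but a later rule must pass the packet */` above `rio.rule.action = PF_MATCH;`. `rio.rule.quick = 0;` is already guaranteed by the `memset()` a few lines up, so keeping it is a readability choice that could be stated in the same comment or dropped. The rest of sync_ruleset(), including the fwdmode switch, continues outside the hunk.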
@@ -488,11 +488,23 @@ for an rdr-to rule in
 .Xr pf.conf 5 .
 It will ensure that multiple connections from the same source are mapped to the same redirection address.
-.It Ic tag Ar name
+.It Xo
+.Op Ic match
+.Ic tag Ar name
+.Xc
 Automatically tag packets passing through the
 .Xr pf 4
 rdr-to rule with the name supplied.
 This allows simpler filter rules.
+The optional
+.Ic match
+keyword will change the default rule action from
+.Ar pass in quick
+to
+.Ar match in
+to allow further evaluation in the pf ruleset using the
+.Ar tagged name
+rule option.
 .El
 .Sh RELAYS
 Relays will forward traffic between a client and a target server.
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 1194cf69c3c..d2d2369324a 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.137 2010/08/01 22:18:35 sthen Exp $ */
+/* $OpenBSD: relayd.h,v 1.138 2010/10/26 15:04:37 reyk Exp $ */
 
 /*
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -246,6 +246,7 @@ TAILQ_HEAD(addresslist, address);
 #define F_PORT 0x00100000
 #define F_SSLCLIENT 0x00200000
 #define F_NEEDRT 0x00400000
+#define F_MATCH 0x00800000
 
 enum forwardmode {
 FWD_NORMAL = 0, |