author | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-03-29 13:09:27 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-03-29 13:09:27 +0000 |
commit | 32b01fa449ec77184ebf015668fd2b7173094f4e (patch) | |
tree | ce2c0dd7a1c6f4546f74e539a76567d5b4ec2edc /usr.sbin | |
parent | a190246b78c841d125f40b05d20127311b25625d (diff) |
Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on, if prefixlen is used alone, the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/bgpd/parse.y | 39 | ||||
-rw-r--r-- | usr.sbin/bgpd/printconf.c | 9 |
2 files changed, 38 insertions, 10 deletions
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y index 2816f6657c9..3966a3e1ce5 100644 --- a/usr.sbin/bgpd/parse.y +++ b/usr.sbin/bgpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.201 2007/03/06 16:52:48 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.202 2007/03/29 13:09:26 claudio Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -89,6 +89,7 @@ struct filter_match_l { struct filter_match m; struct filter_prefix_l *prefix_l; struct filter_as_l *as_l; + sa_family_t af; } fmopts; struct file *include_file(const char *); @@ -1027,13 +1028,6 @@ encspec : /* nada */ { filterrule : action quick direction filter_peer_h filter_match_h filter_set { struct filter_rule r; - struct filter_prefix_l *l; - - for (l = $5.prefix_l; l != NULL; l = l->next) - if (l->p.addr.af && l->p.addr.af != AF_INET) { - yyerror("king bula sez: AF_INET only"); - YYERROR; - } bzero(&r, sizeof(r)); r.action = $1; @@ -1146,6 +1140,12 @@ filter_prefix_l : filter_prefix { $$ = $1; } ; filter_prefix : prefix { + if (fmopts.af && fmopts.af != $1.prefix.af) { + yyerror("rules with mixed address families " + "are not allowed"); + YYERROR; + } else + fmopts.af = $1.prefix.af; if (($$ = calloc(1, sizeof(struct filter_prefix_l))) == NULL) fatal(NULL); @@ -1235,13 +1235,18 @@ filter_elm : filter_prefix_h { fmopts.prefix_l = $1; } | PREFIXLEN prefixlenop { + if (fmopts.af == 0) { + yyerror("address family needs to be specified " + "before \"prefixlen\""); + YYERROR; + } if (fmopts.m.prefixlen.af) { yyerror("\"prefixlen\" already specified"); YYERROR; } memcpy(&fmopts.m.prefixlen, &$2, sizeof(fmopts.m.prefixlen)); - fmopts.m.prefixlen.af = AF_INET; + fmopts.m.prefixlen.af = fmopts.af; } | filter_as_h { if (fmopts.as_l != NULL) { 
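Review bot: The mixed-family check added at the top of `filter_prefix` depends on `fmopts.af` being zero when each rule's match section starts, and that reset is not visible in this hunk. If `fmopts` is cleared as a whole before `filter_match` is parsed, the new field is covered; if not, a family left over from one rule would make the next rule's first prefix fail as "mixed address families". A comment above the check such as `/* fmopts.af stays 0 until a prefix or inet/inet6 fixes the family for this rule */` would record the dependency. The unbraced `else` after a braced `if` is also easy to misread; `} else { fmopts.af = $1.prefix.af; }` is clearer. The action body continues outside the hunk.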
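Review bot: The `PREFIXLEN prefixlenop` action now knows the address family but does not use it to range-check the lengths; the added lines only require `fmopts.af != 0` and then stamp it onto the copied `$2`. An `inet` rule whose prefixlen bound is above 32 would presumably parse and then never match, which an operator can mistake for a working filter (this assumes `prefixlenop`, outside this hunk, only bounds the value for the wider family). Consider a guard before the `memcpy` that compares the parsed bounds in `$2` against 32 when `fmopts.af == AF_INET` and calls `yyerror()` / `YYERROR` on violation.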
@@ -1263,6 +1268,20 @@ filter_elm : filter_prefix_h { } free($2); } + | IPV4 { + if (fmopts.af) { + yyerror("address family already specified"); + YYERROR; + } + fmopts.af = AF_INET; + } + | IPV6 { + if (fmopts.af) { + yyerror("address family already specified"); + YYERROR; + } + fmopts.af = AF_INET6; + } ; prefixlenop : unaryop number { @@ -1639,6 +1658,8 @@ lookup(char *s) { "ike", IKE}, { "in", IN}, { "include", INCLUDE}, + { "inet", IPV4}, + { "inet6", IPV6}, { "ipsec", IPSEC}, { "key", KEY}, { "listen", LISTEN}, diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c index f335c7a6322..f72ef14e957 100644 --- a/usr.sbin/bgpd/printconf.c +++ b/usr.sbin/bgpd/printconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: printconf.c,v 1.60 2007/03/06 16:52:48 henning Exp $ */ +/* $OpenBSD: printconf.c,v 1.61 2007/03/29 13:09:26 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -447,6 +447,13 @@ print_rule(struct peer *peer_l, struct filter_rule *r) printf("prefix %s/%u ", log_addr(&r->match.prefix.addr), r->match.prefix.len); + if (r->match.prefix.addr.af == 0 && r->match.prefixlen.af) { + if (r->match.prefixlen.af == AF_INET) + printf("inet "); + if (r->match.prefixlen.af == AF_INET6) + printf("inet6 "); + } + if (r->match.prefixlen.op) { if (r->match.prefixlen.op == OP_RANGE || r->match.prefixlen.op == OP_XRANGE) { |
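Review bot: In the new `IPV4` and `IPV6` alternatives of `filter_elm`, the keyword only sets `fmopts.af`; neither action stores the family in `fmopts.m`, and the only consumer visible in this diff is the `prefixlen` action. If no `prefixlen` follows, a rule that names just `inet` or `inet6` appears to be accepted with the family silently dropped, so it would match both families, which is a wider filter than the operator wrote. Either reject a family keyword that nothing consumed when the match is finalized, or state in a comment and the manual that `inet`/`inet6` only qualifies a following `prefixlen`. Whether `filterrule` reads `$5.af` is outside this hunk, so this needs confirming against the full file.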
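Review bot: The added block in `print_rule` tests `prefixlen.af` with two independent `if`s and has no fallback, so a value that is neither `AF_INET` nor `AF_INET6` prints no keyword. The emitted `prefixlen` clause would then be rejected by the parser's new "address family needs to be specified" check when the output is read back. Making the second test `else if (r->match.prefixlen.af == AF_INET6)` and adding a final `else` that reports the unexpected family would make a bad round-trip visible at print time. print_rule's body starts and ends outside the hunk.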