author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2010-01-12 03:20:52 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2010-01-12 03:20:52 +0000 |
commit | ae2d82548e03e3028f9752c263ff4a49c932b794 (patch) | |
tree | 57e55f4567ae309b01d4c8e9e2823ed2fcd00b06 /usr.sbin | |
parent | 313603d4428293c98b8b3c8507cd482b109cc026 (diff) |
First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ftp-proxy/filter.c | 28 | ||||
-rw-r--r-- | usr.sbin/relayd/pfe_filter.c | 22 |
2 files changed, 17 insertions, 33 deletions
diff --git a/usr.sbin/ftp-proxy/filter.c b/usr.sbin/ftp-proxy/filter.c
index 16c3cd25573..49fe6b6d7ef 100644
--- a/usr.sbin/ftp-proxy/filter.c
+++ b/usr.sbin/ftp-proxy/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.11 2009/11/22 23:30:05 deraadt Exp $ */
+/* $OpenBSD: filter.c,v 1.12 2010/01/12 03:20:51 mcbride Exp $ */
/*
* Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl>
@@ -39,7 +39,7 @@
#define satosin(sa) ((struct sockaddr_in *)(sa))
#define satosin6(sa) ((struct sockaddr_in6 *)(sa))
-int add_addr(struct sockaddr *, int);
+int add_addr(struct sockaddr *, struct pf_pool *);
int prepare_rule(u_int32_t, struct sockaddr *, struct sockaddr *,
u_int16_t);
int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
@@ -47,7 +47,6 @@ int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
struct sockaddr_in6 *);
-static struct pfioc_pooladdr pfp;
static struct pfioc_rule pfr;
static struct pfioc_trans pft;
static struct pfioc_trans_e pfte;
@@ -55,20 +54,18 @@ static int dev, rule_log;
static char *qname, *tagname;
int
-add_addr(struct sockaddr *addr, int which)
+add_addr(struct sockaddr *addr, struct pf_pool *pfp)
{
if (addr->sa_family == AF_INET) {
- memcpy(&pfp.addr.addr.v.a.addr.v4,
+ memcpy(&pfp->addr.v.a.addr.v4,
&satosin(addr)->sin_addr.s_addr, 4);
- memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
+ memset(&pfp->addr.v.a.mask.addr8, 255, 4);
} else {
- memcpy(&pfp.addr.addr.v.a.addr.v6,
+ memcpy(&pfp->addr.v.a.addr.v6,
&satosin6(addr)->sin6_addr.s6_addr, 16);
- memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
+ memset(&pfp->addr.v.a.mask.addr8, 255, 16);
}
- pfp.which = which;
- if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
- return (-1);
+ pfp->addr.type = PF_ADDR_ADDRMASK;
return (0);
}
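Review bot: In the rewritten add_addr() the `else` branch still treats every non-AF_INET family as IPv6 and copies 16 bytes from `satosin6(addr)->sin6_addr`, and now that the DIOCADDADDR call is gone no path returns -1 any more, so the `== -1` checks in the add_nat and add_rdr hunks (@@ -86 and @@ -111) are dead code. Making the family test explicit gives the int return a meaning again and keeps a sockaddr of an unexpected family from being read as a sockaddr_in6: `} else if (addr->sa_family == AF_INET6) {` for the second branch, then `} else` / `return (-1);` before the final `pfp->addr.type` assignment. Whether any caller can pass another family is not visible in this diff; if none can, a comment such as `/* Cannot fail now that the pool entry is filled in place; callers keep the -1 check for symmetry with prepare_rule(). */` above the function would document the contract instead. add_addr() is fully contained in this hunk.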
@@ -86,7 +83,7 @@ add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
if (prepare_rule(id, src, dst, d_port) == -1)
return (-1);
- if (add_addr(nat, PF_NAT) == -1)
+ if (add_addr(nat, &pfr.rule.nat) == -1)
return (-1);
pfr.rule.direction = PF_OUT;
@@ -111,7 +108,7 @@ add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
if (prepare_rule(id, src, dst, d_port) == -1)
return (-1);
- if (add_addr(rdr, PF_RDR) == -1)
+ if (add_addr(rdr, &pfr.rule.rdr) == -1)
return (-1);
pfr.rule.direction = PF_IN;
@@ -196,17 +193,12 @@ prepare_rule(u_int32_t id, struct sockaddr *src,
return (-1);
}
- memset(&pfp, 0, sizeof pfp);
memset(&pfr, 0, sizeof pfr);
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id);
- strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
pfr.ticket = pfte.ticket;
- if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
- return (-1);
- pfr.pool_ticket = pfp.ticket;
/* Generic for all rule types. */
pfr.rule.af = src->sa_family;
diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c
index 24341dc05b8..bd2e515c979 100644
--- a/usr.sbin/relayd/pfe_filter.c
+++ b/usr.sbin/relayd/pfe_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfe_filter.c,v 1.40 2009/11/23 00:45:41 claudio Exp $ */
+/* $OpenBSD: pfe_filter.c,v 1.41 2010/01/12 03:20:51 mcbride Exp $ */
/*
* Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -360,7 +360,6 @@ void
sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
{
struct pfioc_rule rio;
- struct pfioc_pooladdr pio;
struct sockaddr_in *sain;
struct sockaddr_in6 *sain6;
struct address *address;
@@ -393,7 +392,6 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
TAILQ_FOREACH(address, &rdr->virts, entry) {
memset(&rio, 0, sizeof(rio));
- memset(&pio, 0, sizeof(pio));
(void)strlcpy(rio.anchor, anchor, sizeof(rio.anchor));
rio.rule.action = PF_PASS;
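Review bot: prepare_rule() (hunk @@ -196) drops the DIOCBEGINADDRS round trip without saying where the translation pool now comes from, so a reader of the surviving `memset(&pfr, 0, sizeof pfr);` cannot tell that `pfr.rule.nat` and `pfr.rule.rdr` are the pools that add_addr() later fills in place. A one-line comment after that memset would close the gap: `/* rule.nat / rule.rdr are filled in place by add_addr(); no pool ticket is needed. */`. Whether the kernel still reads `pfr.pool_ticket`, which this memset now leaves at zero, is not visible in a diff limited to usr.sbin; if it does, that should be confirmed against the pf side of this change. prepare_rule() starts and ends outside the hunk.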
@@ -422,10 +420,7 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
}
rio.ticket = env->sc_pf->pfte.ticket;
- if (ioctl(env->sc_pf->dev, DIOCBEGINADDRS, &pio) == -1)
- fatal("sync_ruleset: cannot initialise address pool");
- rio.pool_ticket = pio.ticket;
rio.rule.af = address->ss.ss_family;
rio.rule.proto = address->ipproto;
rio.rule.src.addr.type = PF_ADDR_ADDRMASK;
@@ -461,17 +456,14 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
memset(&rio.rule.dst.addr.v.a.mask.addr8, 0xff, 16);
}
- pio.addr.addr.type = PF_ADDR_TABLE;
+ rio.rule.rdr.addr.type = PF_ADDR_TABLE;
if (strlen(t->conf.ifname))
- (void)strlcpy(pio.addr.ifname, t->conf.ifname,
- sizeof(pio.addr.ifname));
- if (strlcpy(pio.addr.addr.v.tblname, rdr->conf.name,
- sizeof(pio.addr.addr.v.tblname)) >=
- sizeof(pio.addr.addr.v.tblname))
+ (void)strlcpy(rio.rule.rdr.ifname, t->conf.ifname,
+ sizeof(rio.rule.rdr.ifname));
+ if (strlcpy(rio.rule.rdr.addr.v.tblname, rdr->conf.name,
+ sizeof(rio.rule.rdr.addr.v.tblname)) >=
+ sizeof(rio.rule.rdr.addr.v.tblname))
fatal("sync_ruleset: table name too long");
- pio.which = PF_RDR;
- if (ioctl(env->sc_pf->dev, DIOCADDADDR, &pio) == -1)
- fatal("sync_ruleset: cannot add address to pool");
if (address->port.op == PF_OP_EQ || rdr->table->conf.flags & F_PORT) { |
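Review bot: The rewritten interface-name copy in hunk @@ -461 still discards the strlcpy() result with `(void)`, while the table-name copy two lines below treats truncation as fatal; a `t->conf.ifname` longer than `rio.rule.rdr.ifname` would be silently cut and the rdr rule loaded with whatever interface the truncated name denotes, if any. Checking it the same way keeps the error handling consistent: `if (strlcpy(rio.rule.rdr.ifname, t->conf.ifname, sizeof(rio.rule.rdr.ifname)) >= sizeof(rio.rule.rdr.ifname))` followed by `fatal("sync_ruleset: interface name too long");`. The name may already be length-checked when the configuration is parsed, but that is not visible here. sync_ruleset() starts and ends outside the hunk, and `t` is declared outside it.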