diff options
| -rw-r--r-- | sbin/pfctl/parse.y | 99 | ||||
| -rw-r--r-- | share/man/man5/pf.conf.5 | 13 |
2 files changed, 38 insertions, 74 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index cc9bd4938f7..5e3efea0181 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.502 2006/07/06 13:26:41 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.503 2006/08/22 15:55:13 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -117,12 +117,6 @@ struct node_icmp { struct node_icmp *tail; }; -struct node_matchtag { - char tagname[PF_TAG_NAME_SIZE]; - struct node_matchtag *next; - struct node_matchtag *tail; -}; - enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK, PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN, PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES, @@ -203,7 +197,7 @@ struct filter_opts { char *label; struct node_qassign queues; char *tag; - struct node_matchtag *match_tags; + char *match_tag; u_int8_t match_tag_not; int rtableid; } filter_opts; @@ -285,7 +279,7 @@ void expand_rule(struct pf_rule *, struct node_if *, struct node_host *, struct node_proto *, struct node_os*, struct node_host *, struct node_port *, struct node_host *, struct node_port *, struct node_uid *, struct node_gid *, struct node_icmp *, - struct node_matchtag *, const char *); + const char *); int expand_altq(struct pf_altq *, struct node_if *, struct node_queue *, struct node_queue_bw bwspec, struct node_queue_opt *); int expand_queue(struct pf_altq *, struct node_if *, struct node_queue *, @@ -396,7 +390,6 @@ typedef struct { struct table_opts table_opts; struct pool_opts pool_opts; struct node_hfsc_opts hfsc_opts; - struct node_matchtag *matchtag_opts; } v; int lineno; } YYSTYPE; @@ -467,7 +460,6 @@ typedef struct { %type <v.scrub_opts> scrub_opts scrub_opt scrub_opts_l %type <v.table_opts> table_opts table_opt table_opts_l %type <v.pool_opts> pool_opts pool_opt pool_opts_l -%type <v.matchtag_opts> matchtag matchtag_list matchtag_item %type <v.tagged> tagged %type <v.rtableid> rtable %% @@ -630,6 +622,13 @@ anchorrule : ANCHOR string dir interface af proto fromto filter_opts { r.prob = $8.prob; r.rtableid = $8.rtableid; + if ($8.match_tag) + if (strlcpy(r.match_tagname, $8.match_tag, + PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) { + yyerror("tag too long, max %u chars", + PF_TAG_NAME_SIZE - 1); + YYERROR; + } r.match_tag_not = $8.match_tag_not; decide_address_family($7.src.host, &r.af); @@ -637,7 +636,7 @@ anchorrule : ANCHOR string dir interface af proto fromto filter_opts { expand_rule(&r, $4, NULL, $6, $7.src_os, $7.src.host, $7.src.port, $7.dst.host, $7.dst.port, - 0, 0, 0, $8.match_tags, $2); + 0, 0, 0, $2); free($2); } | NATANCHOR string interface af proto fromto rtable { @@ -658,7 +657,7 @@ anchorrule : ANCHOR string dir interface af proto fromto filter_opts { expand_rule(&r, $3, NULL, $5, $6.src_os, $6.src.host, $6.src.port, $6.dst.host, $6.dst.port, - 0, 0, 0, 0, $2); + 0, 0, 0, $2); free($2); } | RDRANCHOR string interface af proto fromto rtable { @@ -700,7 +699,7 @@ anchorrule : ANCHOR string dir interface af proto fromto filter_opts { expand_rule(&r, $3, NULL, $5, $6.src_os, $6.src.host, $6.src.port, $6.dst.host, $6.dst.port, - 0, 0, 0, 0, $2); + 0, 0, 0, $2); free($2); } | BINATANCHOR string interface af proto fromto rtable { @@ -820,7 +819,7 @@ scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts expand_rule(&r, $4, NULL, $6, $7.src_os, $7.src.host, $7.src.port, $7.dst.host, $7.dst.port, - NULL, NULL, NULL, NULL, ""); + NULL, NULL, NULL, ""); } ; @@ -972,7 +971,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { if (h != NULL) expand_rule(&r, j, NULL, NULL, NULL, h, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, ""); + NULL, ""); if ((i->ifa_flags & IFF_LOOPBACK) == 0) { bzero(&r, sizeof(r)); @@ -992,8 +991,7 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { if (h != NULL) expand_rule(&r, NULL, NULL, NULL, NULL, h, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, ""); + NULL, NULL, NULL, NULL, ""); } else free(hh); } @@ -1578,6 +1576,13 @@ pfrule : action dir logquick interface route af proto fromto PF_TAG_NAME_SIZE - 1); YYERROR; } + if ($9.match_tag) + if (strlcpy(r.match_tagname, $9.match_tag, + PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) { + yyerror("tag too long, max %u chars", + PF_TAG_NAME_SIZE - 1); + YYERROR; + } r.match_tag_not = $9.match_tag_not; if (rule_label(&r, $9.label)) YYERROR; @@ -1879,7 +1884,7 @@ pfrule : action dir logquick interface route af proto fromto expand_rule(&r, $4, $5.host, $7, $8.src_os, $8.src.host, $8.src.port, $8.dst.host, $8.dst.port, - $9.uid, $9.gid, $9.icmpspec, $9.match_tags, ""); + $9.uid, $9.gid, $9.icmpspec, ""); } ; @@ -1969,13 +1974,9 @@ filter_opt : USER uids { | TAG string { filter_opts.tag = $2; } - | not matchtag { - filter_opts.match_tags = $2; + | not TAGGED string { + filter_opts.match_tag = $3; filter_opts.match_tag_not = $1; - if ($1 && ($2 != $2->tail)) { - yyerror("cannot negate tag list"); - YYERROR; - } } | PROBABILITY STRING { char *e; @@ -2008,38 +2009,6 @@ filter_opt : USER uids { } ; -matchtag : TAGGED matchtag_item { - $$ = $2; - } - | TAGGED '{' matchtag_list '}' { - $$ = $3; - } - ; - -matchtag_list : matchtag_item { $$ = $1; } - | matchtag_list comma matchtag_item { - $1->tail->next = $3; - $1->tail = $3; - $$ = $1; - } - ; - -matchtag_item : STRING { - $$ = calloc(1, sizeof (struct node_matchtag)); - if ($$ == NULL) - err(1, "matchtag_item: calloc"); - if ((strlcpy($$->tagname,$1,PF_TAG_NAME_SIZE)) >= - PF_TAG_NAME_SIZE) { - yyerror("tag too long, max %u chars", - PF_TAG_NAME_SIZE - 1); - YYERROR; - } - free($1); - $$->next = NULL; - $$->tail = $$; - } - ; - action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; } | BLOCK blockspec { $$ = $2; $$.b1 = PF_DROP; } ; @@ -3481,7 +3450,7 @@ natrule : nataction interface af proto fromto tag tagged rtable expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4, $5.src_os, $5.src.host, $5.src.port, $5.dst.host, - $5.dst.port, 0, 0, 0, 0, ""); + $5.dst.port, 0, 0, 0, ""); free($9); } ; @@ -4469,13 +4438,14 @@ expand_rule(struct pf_rule *r, struct node_host *src_hosts, struct node_port *src_ports, struct node_host *dst_hosts, struct node_port *dst_ports, struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types, - struct node_matchtag *match_tags, const char *anchor_call) + const char *anchor_call) { sa_family_t af = r->af; int added = 0, error = 0; char ifname[IF_NAMESIZE]; char label[PF_RULE_LABEL_SIZE]; char tagname[PF_TAG_NAME_SIZE]; + char match_tagname[PF_TAG_NAME_SIZE]; struct pf_pooladdr *pa; struct node_host *h; u_int8_t flags, flagset, keep_state; @@ -4484,6 +4454,9 @@ expand_rule(struct pf_rule *r, errx(1, "expand_rule: strlcpy"); if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) errx(1, "expand_rule: strlcpy"); + if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= + sizeof(match_tagname)) + errx(1, "expand_rule: strlcpy"); flags = r->flags; flagset = r->flagset; keep_state = r->keep_state; @@ -4498,7 +4471,6 @@ expand_rule(struct pf_rule *r, LOOP_THROUGH(struct node_port, dst_port, dst_ports, LOOP_THROUGH(struct node_uid, uid, uids, LOOP_THROUGH(struct node_gid, gid, gids, - LOOP_THROUGH(struct node_matchtag, match_tag, match_tags, r->af = af; /* for link-local IPv6 address, interface must match up */ @@ -4534,9 +4506,7 @@ expand_rule(struct pf_rule *r, if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= sizeof(r->tagname)) errx(1, "expand_rule: strlcpy"); - if (!match_tag->tagname) - errx(1, "expand_rule: no tagname"); - if (strlcpy(r->match_tagname, match_tag->tagname, + if (strlcpy(r->match_tagname, match_tagname, sizeof(r->match_tagname)) >= sizeof(r->match_tagname)) errx(1, "expand_rule: strlcpy"); expand_label(r->label, PF_RULE_LABEL_SIZE, r->ifname, r->af, @@ -4625,7 +4595,7 @@ expand_rule(struct pf_rule *r, added++; } - ))))))))))); + )))))))))); FREE_LIST(struct node_if, interfaces); FREE_LIST(struct node_proto, protos); @@ -4638,7 +4608,6 @@ expand_rule(struct pf_rule *r, FREE_LIST(struct node_gid, gids); FREE_LIST(struct node_icmp, icmp_types); FREE_LIST(struct node_host, rpool_hosts); - FREE_LIST(struct node_matchtag, match_tags); if (!added) yyerror("rule expands to no valid combination"); diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index d84eda3cb3f..ed0f00e88c7 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.352 2006/08/02 11:45:56 dhartmei Exp $ +.\" $OpenBSD: pf.conf.5,v 1.353 2006/08/22 15:55:13 dhartmei Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -1630,19 +1630,15 @@ or .Ar binat rules in addition to filter rules. Tags take the same macros as labels (see above). -.It Xo Ar tagged Aq Ar string -.No \*(Ba { Ao Ar string Ac , -.Ao Ar string Ac } -.Xc +.It Ar tagged Aq Ar string Used with filter or translation rules to specify that packets must already -be tagged with any of the given tags in order to match the rule. -If only one tag is given, inverse tag matching can also be done +be tagged with the given tag in order to match the rule. +Inverse tag matching can also be done by specifying the .Cm !\& operator before the .Ar tagged keyword. -A list of tags cannot be negated as it would expand to a useless rule. .It Ar probability Aq Ar number A probability attribute can be attached to a rule, with a value set between 0 and 1, bounds not included. @@ -2719,7 +2715,6 @@ filteropt = user | group | flags | icmp-type | icmp6-type | tos | "max-mss" number | "random-id" | "reassemble tcp" | fragmentation | "allow-opts" | "label" string | "tag" string | [ ! ] "tagged" string | - "tagged" "{" string [ [ "," ] string ] "}" | "queue" ( string | "(" string [ [ "," ] string ] ")" ) | "probability" number"%" |