-rw-r--r-- | sbin/pfctl/parse.y | 26 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 6 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 5 | ||||
-rw-r--r-- | sys/net/pfvar.h | 3 |
4 files changed, 30 insertions, 10 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 2925ab76f1a..8cd017e5ee1 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.6 2001/07/17 21:54:27 provos Exp $ */
+/* $OpenBSD: parse.y,v 1.7 2001/07/17 22:22:16 provos Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -85,14 +85,14 @@ u_int32_t ipmask(u_int8_t);
 }
 %token PASS BLOCK SCRUB RETURN IN OUT LOG LOGALL QUICK ON FROM TO FLAGS
 %token RETURNRST RETURNICMP PROTO ALL ANY ICMPTYPE CODE KEEP STATE PORT
-%token RDR NAT ARROW NODF
+%token RDR NAT ARROW NODF MINTTL
 %token <string> STRING
 %token <number> NUMBER
 %token <i> PORTUNARY PORTBINARY
 %type <addr> ipportspec ipspec host portspec
 %type <addr2> fromto
 %type <iface> iface
-%type <number> address port icmptype
+%type <number> address port icmptype minttl
 %type <i> direction log quick keep proto nodf
 %type <b> action icmpspec flags blockspec
 %type <range> dport rport
@@ -105,7 +105,7 @@ ruleset: /* empty */
 | ruleset rdrrule '\n'
 ;
-pfrule: action direction log quick iface proto fromto flags icmpspec keep nodf
+pfrule: action direction log quick iface proto fromto flags icmpspec keep nodf minttl
 {
 struct pf_rule r;
@@ -141,6 +141,8 @@ pfrule: action direction log quick iface proto fromto flags icmpspec keep nodf
 if ($11)
 r.rule_flag |= PFRULE_NODF;
+ if ($12)
+ r.min_ttl = $12;
 if (rule_consistent(&r) < 0)
 yyerror("skipping rule due to errors");
@@ -358,6 +360,11 @@ keep: { $$ = 0; }
 | KEEP STATE { $$ = 1; }
 ;
+minttl: { $$ = 0; }
+ | MINTTL NUMBER { $$ = $2; }
+ | MINTTL PORTUNARY NUMBER { $$ = $3; }
+ ;
+
 nodf: { $$ = 0; }
 | NODF { $$ = 1; }
 ;
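Review bot: The `minttl` rule accepts any NUMBER and `pfrule` stores it with `r.min_ttl = $12;`, but `min_ttl` is declared `u_int8_t` in pfvar.h in this same commit, so a value above 255 is silently narrowed (`min-ttl 256` becomes 0 and the option is dropped without any diagnostic), and 0 itself is indistinguishable from "not set". The range should be rejected in the grammar actions before the assignment, as below, rather than in rule_consistent(), where the value has already been truncated. The `MINTTL PORTUNARY NUMBER` alternative also accepts whatever unary operator the lexer returns and discards it, so `min-ttl < 64` parses exactly like `min-ttl = 64` while print_rule() always prints `=`; if only the `=` spelling is intended, the action should reject the other operators (how PORTUNARY encodes the operator is not visible here). The pfrule action body continues outside the hunk.
```yacc
minttl:		{ $$ = 0; }
	| MINTTL NUMBER {
		/* min_ttl is a u_int8_t; refuse what would be truncated */
		if ($2 < 1 || $2 > 255) {
			yyerror("min-ttl must be between 1 and 255");
			YYERROR;
		}
		$$ = $2;
	}
	| MINTTL PORTUNARY NUMBER {
		if ($3 < 1 || $3 > 255) {
			yyerror("min-ttl must be between 1 and 255");
			YYERROR;
		}
		$$ = $3;
	}
	;
```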
@@ -495,9 +502,15 @@ rule_consistent(struct pf_rule *r)
 yyerror("icmp-type/code does not apply to scrub");
 problems++;
 }
- } else if (r->rule_flag & PFRULE_NODF) {
+ } else {
+ if (r->rule_flag & PFRULE_NODF) {
 yyerror("nodf applies only to scrub");
 problems++;
+ }
+ if (r->min_ttl) {
+ yyerror("min-ttl applies only to scrub");
+ problems++;
+ }
 }
 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP &&
 (r->src.port_op || r->dst.port_op)) {
@@ -529,7 +542,8 @@ lookup(char *s)
 { "in", IN},
 { "keep", KEEP},
 { "log", LOG},
- { "log-all", LOGALL},
+ { "log-all", LOGALL},
+ { "min-ttl", MINTTL},
 { "nat", NAT},
 { "no-df", NODF},
 { "on", ON},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index a0fbf10985c..aded0c57992 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.36 2001/07/17 21:54:27 provos Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.37 2001/07/17 22:22:17 provos Exp $ */
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -546,7 +546,9 @@ print_rule(struct pf_rule *r)
 if (r->keep_state)
 printf("keep state ");
 if (r->rule_flag & PFRULE_NODF)
- printf("no-df");
+ printf("no-df ");
+ if (r->min_ttl)
+ printf("min-ttl = %d ", r->min_ttl);
 printf("\n");
 }
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index c67836e5bfa..b9759a0e9d9 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.2 2001/07/17 21:54:26 provos Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.3 2001/07/17 22:22:14 provos Exp $ */
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -516,6 +516,9 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
 else
 h->ip_off &= IP_DF;
+ /* Enforce a minimum ttl, may cause endless packet loops */
+ if (r->min_ttl && h->ip_ttl < r->min_ttl)
+ h->ip_ttl = r->min_ttl;
 return (PF_PASS);
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index c92d2731e5f..38201247d77 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
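Review bot: The added rewrite of `h->ip_ttl` does not touch `h->ip_sum`, and nothing in the pf_norm.c hunk shows the IP header checksum being recomputed between these writes and `return (PF_PASS);` (the `h->ip_off` rewrite just above it raises the same question); if no caller recomputes it, a packet whose TTL was raised continues with a stale header checksum. Updating `h->ip_sum` incrementally from the old and new ttl byte right after the assignment would keep the header self-consistent whatever the callers do. The comment should also say why the loop risk exists, since it is the security-relevant consequence of the option: raising the TTL of a forwarded packet undoes the hop-count decrement that normally terminates a routing loop, e.g. `/* Raise ttl to min_ttl: on forwarded packets this defeats the hop-count limit and can keep a looping packet alive */`, which makes the scrub-only restriction in rule_consistent() easier to understand. pf_normalize_ip() starts outside the hunk.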
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.34 2001/07/17 21:54:26 provos Exp $ */
+/* $OpenBSD: pfvar.h,v 1.35 2001/07/17 22:22:15 provos Exp $ */
 /*
  * Copyright (c) 2001, Daniel Hartmeier
@@ -73,6 +73,7 @@ struct pf_rule {
 u_int8_t flagset;
 u_int8_t rule_flag;
+ u_int8_t min_ttl; /* minimum ttl for packet normalize */
 };
 #define PFRULE_RETURNRST 0x01 |