-rw-r--r-- | sbin/pfctl/parse.y | 21 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 4 | ||||
-rw-r--r-- | sys/net/pf.c | 6 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 5 | ||||
-rw-r--r-- | sys/net/pfvar.h | 3 |
5 files changed, 20 insertions, 19 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index ef9de03522f..2d814d6e857 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.611 2011/12/03 12:46:16 mcbride Exp $ */ +/* $OpenBSD: parse.y,v 1.612 2011/12/12 21:30:27 mikeb Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -896,7 +896,6 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto decide_address_family($8.src.host, &r.af); decide_address_family($8.dst.host, &r.af); - r.naf = r.af; expand_rule(&r, 0, $5, NULL, NULL, NULL, $7, $8.src_os, $8.src.host, $8.src.port, $8.dst.host, $8.dst.port, @@ -1726,6 +1725,7 @@ pfrule : action dir logquick interface af proto fromto "translation"); YYERROR; } + r.rule_flag |= PFRULE_AFTO; } r.af = $5; @@ -2012,7 +2012,6 @@ pfrule : action dir logquick interface af proto fromto decide_address_family($7.src.host, &r.af); decide_address_family($7.dst.host, &r.af); - r.naf = r.af; if ($8.route.rt) { if (!r.direction) { @@ -4194,7 +4193,7 @@ rule_consistent(struct pf_rule *r, int anchor_call) "must not be used on match rules"); problems++; } - if (r->nat.addr.type != PF_ADDR_NONE && r->naf != r->af) { + if (r->rule_flag & PFRULE_AFTO) { yyerror("af-to is not supported on match rules"); problems++; } @@ -4697,21 +4696,22 @@ collapse_redirspec(struct pf_pool *rpool, struct pf_rule *r, struct pf_rule_addr ra; int i = 0; - if (rs && rs->af) - r->naf = rs->af; - if (!rs || !rs->rdr || rs->rdr->host == NULL) { rpool->addr.type = PF_ADDR_NONE; return (0); } + if (r->rule_flag & PFRULE_AFTO) + r->naf = rs->af; + /* count matching addresses */ for (h = rs->rdr->host; h != NULL; h = h->next) { if (!r->af || !h->af || rs->af || h->af == r->af) { i++; if (h->af && !r->af) r->af = h->af; - } + } else if (r->naf && h->af == r->naf) + i++; } if (i == 0) { /* no pool address */ 
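Review bot: In the collapse_redirspec hunk (@@ -4697), `r->naf = rs->af` now runs for every redirspec collapsed while PFRULE_AFTO is set, not only for the af-to pool, so the value that survives depends on the order of the collapse_redirspec calls in expand_rule (rdr first, then nat, per the later hunk), and a spec whose `rs->af` is 0 would leave `naf` zero with the flag still set. Whether the grammar guarantees a family on the af-to pool is not visible here; if it does not, `if ((r->rule_flag & PFRULE_AFTO) && rs->af) r->naf = rs->af;` keeps an earlier non-zero value, and rule_consistent could reject the flag together with `naf == 0` or `naf == af`. The new `else if (r->naf && h->af == r->naf)` branch is only reachable when `rs->af` is 0, which looks like the non-af-to case where expand_rule has just set `naf == af`; a one-line comment stating when this branch is expected to fire would help the next reader. collapse_redirspec starts before and ends after this hunk.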
@@ -4720,7 +4720,8 @@ collapse_redirspec(struct pf_pool *rpool, struct pf_rule *r, return (1); } else if (i == 1) { /* only one address */ for (h = rs->rdr->host; h != NULL; h = h->next) - if (!h->af || !r->af || rs->af || r->af == h->af) + if (!h->af || !r->af || rs->af || r->af == h->af || + (r->naf && r->naf == h->af)) break; rpool->addr = h->addr; if (!allow_if && h->ifname) { @@ -4889,7 +4890,7 @@ expand_rule(struct pf_rule *r, int keeprule, struct node_if *interfaces, LOOP_THROUGH(struct node_uid, uid, uids, LOOP_THROUGH(struct node_gid, gid, gids, - r->af = af; + r->af = r->naf = af; error += collapse_redirspec(&r->rdr, r, rdr, 0); error += collapse_redirspec(&r->nat, r, nat, 0); diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 2fd27648d46..47bd4ce5fcb 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.283 2011/11/23 10:24:37 henning Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.284 2011/12/12 21:30:27 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1058,7 +1058,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts) printf(" divert-packet port %u", ntohs(r->divert_packet.port)); if (!anchor_call[0] && r->nat.addr.type != PF_ADDR_NONE && - r->naf != r->af) { + r->rule_flag & PFRULE_AFTO) { printf(" af-to %s from ", r->naf == AF_INET ? "inet" : "inet6"); print_pool(&r->nat, r->nat.proxy_port[0], r->nat.proxy_port[1], r->naf ? r->naf : r->af, diff --git a/sys/net/pf.c b/sys/net/pf.c index 725ca496ed5..167e555e417 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.789 2011/12/02 03:15:31 haesbaert Exp $ */ +/* $OpenBSD: pf.c,v 1.790 2011/12/12 21:30:27 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
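Review bot: In the print_rule hunk (@@ -1058), the af-to clause is still gated on `r->nat.addr.type != PF_ADDR_NONE` as well as the flag, while pf_test_rule in this same commit keys on PFRULE_AFTO alone, so a loaded rule carrying the flag without a nat pool would be enforced by the kernel but shown by `pfctl -sr` without `af-to`; for auditing a ruleset the printed form should match what the kernel evaluates, either by gating on the flag alone, `if (!anchor_call[0] && (r->rule_flag & PFRULE_AFTO)) {`, or by having the ioctl path reject the flag without a pool (if the parser already guarantees a pool, this is only a consistency nit). Also, `r->naf == AF_INET ? "inet" : "inet6"` prints `inet6` for a zero `naf`, which hides a malformed rule rather than exposing it. Minor style: parenthesise `(r->rule_flag & PFRULE_AFTO)` inside the `&&` chain, as the other hunks do in their `if` conditions. print_rule continues outside the hunk.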
@@ -3364,7 +3364,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, /* order is irrelevant */ SLIST_INSERT_HEAD(&rules, ri, entry); pf_rule_to_actions(r, &act); - if (r->naf) + if (r->rule_flag & PFRULE_AFTO) pd->naf = r->naf; if (pf_get_transaddr(r, pd, sns, &nr) == -1) { REASON_SET(&reason, PFRES_MEMORY); @@ -3399,7 +3399,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, /* apply actions for last matching pass/block rule */ pf_rule_to_actions(r, &act); - if (r->naf) + if (r->rule_flag & PFRULE_AFTO) pd->naf = r->naf; if (pf_get_transaddr(r, pd, sns, &nr) == -1) { REASON_SET(&reason, PFRES_MEMORY); diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index aa883ba6d14..d8b963d39b5 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.247 2011/11/29 10:17:52 dlg Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.248 2011/12/12 21:30:27 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2519,8 +2519,6 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to, pf_pool_copyin(&from->rdr, &to->rdr); pf_pool_copyin(&from->route, &to->route); - to->naf = from->naf; - if (pf_kif_setup(to->ifname, &to->kif)) return (EINVAL); if (pf_kif_setup(to->rcv_ifname, &to->rcv_kif)) @@ -2603,6 +2601,7 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to, to->match_tag_not = from->match_tag_not; to->keep_state = from->keep_state; to->af = from->af; + to->naf = from->naf; to->proto = from->proto; to->type = from->type; to->code = from->code; diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 62e5652afef..236a427640c 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.357 2011/11/29 10:17:52 dlg Exp $ */ +/* $OpenBSD: pfvar.h,v 1.358 2011/12/12 21:30:27 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
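Review bot: In both pf_test_rule hunks (@@ -3364 and @@ -3399) the kernel now assigns `pd->naf = r->naf` whenever PFRULE_AFTO is set, whereas the old `if (r->naf)` at least guaranteed a non-zero family; `naf` is copied verbatim from the userland rule in pf_rule_copyin (the @@ -2603 hunk in pf_ioctl.c) and no check that it is AF_INET or AF_INET6 is visible in this diff. If no such check exists elsewhere in the ioctl path, a rule with the flag set and `naf` zero or equal to `af` would place a bogus family into the packet descriptor; rejecting it at the copy point, `if ((to->rule_flag & PFRULE_AFTO) && to->naf != AF_INET && to->naf != AF_INET6) return (EINVAL);` alongside the existing `return (EINVAL)` paths, keeps the flag and `naf` consistent before the rule is ever matched. pf_test_rule and pf_rule_copyin both extend beyond these hunks.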
@@ -673,6 +673,7 @@ struct pf_rule { #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */ #define PFRULE_PFLOW 0x00040000 #define PFRULE_ONCE 0x00100000 /* one shot rule */ +#define PFRULE_AFTO 0x00200000 /* af-to rule */ #define PFSTATE_HIWAT 10000 /* default state table size */ #define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */ |
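Review bot: The new flag's comment `/* af-to rule */` does not say that `naf` is only meaningful while the flag is set, which is the invariant pf.c now relies on (it no longer tests `naf` for non-zero); suggest `#define PFRULE_AFTO 0x00200000 /* af-to rule: naf holds the target family */`. Bit 0x00080000 between PFRULE_PFLOW and PFRULE_ONCE remains unused, so a short note on whether it is reserved would help whoever adds the next flag. struct pf_rule continues beyond this hunk.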