-rw-r--r-- | sbin/pfctl/parse.y | 111 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 126 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 4 |
3 files changed, 120 insertions, 121 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index c696af244de..7cf57b6b96b 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.223 2002/11/27 18:50:32 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.224 2002/11/28 12:14:24 mcbride Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -258,6 +258,7 @@ typedef struct { struct { struct peer src, dst; } fromto; + struct pf_poolhashkey *hashkey; struct { struct node_host *host; u_int8_t rt; @@ -299,7 +300,7 @@ typedef struct { %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY %token REQUIREORDER YES %token ANTISPOOF FOR -%token BITMASK RANDOM SOURCEHASH ROUNDROBIN KEY STATICPORT +%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT %token ALTQ SCHEDULER CBQ BANDWIDTH TBRSIZE %token QUEUE PRIORITY QLIMIT %token DEFAULT CONTROL BORROW RED ECN RIO @@ -312,6 +313,7 @@ typedef struct { %type <v.i> staticport %type <v.b> action flag flags blockspec %type <v.range> dport rport +%type <v.hashkey> hashkey %type <v.pooltype> pooltype %type <v.proto> proto proto_list proto_item %type <v.icmp> icmpspec icmp_list icmp6_list icmp_item icmp6_item 
@@ -1630,32 +1632,63 @@ redirpool : /* empty */ { $$ = NULL; } } ; +hashkey : /* empty */ + { + $$ = malloc(sizeof(struct pf_poolhashkey)); + if ($$ == NULL) + err(1, "pooltype: malloc"); + $$->key32[0] = arc4random(); + $$->key32[1] = arc4random(); + $$->key32[2] = arc4random(); + $$->key32[3] = arc4random(); + } + | string + { + char buf[11] = "0x"; + int i; + + if (!strncmp((char *)$1, "0x", 2)) { + if (strlen((char *)$1) != 34) { + yyerror("hex key must be 128 bits " + "(32 hex digits) long"); + YYERROR; + } + $$ = calloc(1, sizeof(struct pf_poolhashkey)); + if ($$ == NULL) + err(1, "hashkey: calloc"); + + /* convert to binary */ + for (i = 0; i < 4; i++) { + strncpy((char *)(buf + 2), + (char *)($1 + 2 + (i * 8)), 8); + if (atoul(buf, + (u_long *)&$$->key32[i]) == -1) { + /* not hex */ + free($$); + yyerror("invalid hex key"); + YYERROR; + } + } + } else { + MD5_CTX context; + + $$ = calloc(1, sizeof(struct pf_poolhashkey)); + if ($$ == NULL) + err(1, "hashkey: calloc"); + MD5Init(&context); + MD5Update(&context, $1, strlen($1)); + MD5Final((unsigned char *)$$, &context); + } + } + ; + pooltype : /* empty */ { $$.type = PF_POOL_NONE; } | BITMASK { $$.type = PF_POOL_BITMASK; } | RANDOM { $$.type = PF_POOL_RANDOM; } - | SOURCEHASH { $$.type = PF_POOL_SRCHASH; } - | SOURCEHASH RANDOM - { - $$.key = calloc(1, sizeof(struct pf_poolhashkey)); - if ($$.key == NULL) - err(1, "pooltype: calloc"); - $$.type = PF_POOL_SRCKEYHASH; - $$.key->key32[0] = arc4random(); - $$.key->key32[1] = arc4random(); - $$.key->key32[2] = arc4random(); - $$.key->key32[3] = arc4random(); - } - | SOURCEHASH KEY string + | SOURCEHASH hashkey { - MD5_CTX context; - - $$.key = calloc(1, sizeof(struct pf_poolhashkey)); - if ($$.key == NULL) - err(1, "pooltype: calloc"); - $$.type = PF_POOL_SRCKEYHASH; - MD5Init(&context); - MD5Update(&context, $3, strlen($3)); - MD5Final((unsigned char *)$$.key, &context); + $$.type = PF_POOL_SRCHASH; + $$.key = $2; } | ROUNDROBIN { $$.type = PF_POOL_ROUNDROBIN; 
} ; @@ -1758,11 +1791,11 @@ natrule : no NAT interface af proto fromto redirpool pooltype staticport nat.rpool.opts = $8.type; } } - if ((nat.rpool.opts & PF_POOL_TYPEMASK) == - PF_POOL_SRCKEYHASH) { - memcpy(&nat.rpool.key, $8.key, - sizeof(struct pf_poolhashkey)); - } + } + + if ($8.key != NULL) { + memcpy(&nat.rpool.key, $8.key, + sizeof(struct pf_poolhashkey)); } expand_nat(&nat, $3, $5, $6.src.host, $6.src.port, @@ -1973,11 +2006,11 @@ rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport redirpool poolt $12.type; } } - if ((rdr.rpool.opts & PF_POOL_TYPEMASK) == - PF_POOL_SRCKEYHASH) { - memcpy(&rdr.rpool.key, $12.key, - sizeof(struct pf_poolhashkey)); - } + } + + if ($12.key != NULL) { + memcpy(&rdr.rpool.key, $12.key, + sizeof(struct pf_poolhashkey)); } expand_rdr(&rdr, $3, $5, $7, $9, @@ -2069,22 +2102,19 @@ route : /* empty */ { | ROUTETO routespec pooltype { $$.host = $2; $$.rt = PF_ROUTETO; - if (($$.pool_opts & PF_POOL_TYPEMASK) == - PF_POOL_SRCKEYHASH) + if ($3.key != NULL) $$.key = $3.key; } | REPLYTO routespec pooltype { $$.host = $2; $$.rt = PF_REPLYTO; - if (($$.pool_opts & PF_POOL_TYPEMASK) == - PF_POOL_SRCKEYHASH) + if ($3.key != NULL) $$.key = $3.key; } | DUPTO routespec pooltype { $$.host = $2; $$.rt = PF_DUPTO; - if (($$.pool_opts & PF_POOL_TYPEMASK) == - PF_POOL_SRCKEYHASH) + if ($3.key != NULL) $$.key = $3.key; } ; @@ -2929,7 +2959,6 @@ lookup(char *s) { "inet6", INET6}, { "ipv6-icmp-type", ICMP6TYPE}, { "keep", KEEP}, - { "key", KEY}, { "label", LABEL}, { "limit", LIMIT}, { "log", LOG}, diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index f4715e182b6..03c16332e64 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.112 2002/11/23 11:58:44 dhartmei Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.113 2002/11/28 12:14:25 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
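Review bot: In the hex branch of `hashkey`, `atoul(buf, (u_long *)&$$->key32[i])` stores a `u_long` through a pointer to a 32-bit element; where `u_long` is 64 bits that is an 8-byte store into a 4-byte slot, so the `i == 3` pass writes past the end of the 16-byte `struct pf_poolhashkey`, and depending on byte order the parsed value can land in the neighbouring element instead of `key32[i]`. Parse into a local instead: declare `u_long v;` next to `int i;`, change the test to `if (atoul(buf, &v) == -1) {`, and after the error block assign `$$->key32[i] = (u_int32_t)v;`. The empty alternative still reports `err(1, "pooltype: malloc")` although it now lives in `hashkey`; `err(1, "hashkey: malloc")` matches the two calloc messages. The `strncmp(..., "0x", 2)` test is case-sensitive, so a key spelled `0X...` is hashed with MD5 rather than read as hex; if that is intended, a one-line comment above the test would save a future reader from wondering.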
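Review bot: After `memcpy(&nat.rpool.key, $8.key, sizeof(struct pf_poolhashkey))` the heap buffer behind `$8.key`, allocated in `hashkey`, is never released, and the rdrrule hunk does the same with `$12.key`. pfctl is short-lived so this is about ownership clarity rather than resource pressure, but `free($8.key);` right after the memcpy (and `free($12.key);` in rdrrule) would make the embedded copy the single owner, provided nothing later in the action still reads the pointer. The route hunk is different: it keeps `$3.key` in `$$.key` rather than copying, so it must not free. The natrule action begins and ends outside this hunk.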
@@ -396,7 +396,8 @@ print_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst, } void -print_pool(struct pf_pool *pool, sa_family_t af, int id) +print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2, + sa_family_t af, int id) { struct pf_pooladdr *pooladdr; @@ -424,6 +425,47 @@ print_pool(struct pf_pool *pool, sa_family_t af, int id) else if (TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL) printf(" }"); } + switch (id) { + case PF_POOL_NAT_R: + if (p1 != PF_NAT_PROXY_PORT_LOW || + p2 != PF_NAT_PROXY_PORT_HIGH) { + if (p1 == p2) + printf(" port %u", p1); + else + printf(" port %u:%u", p1, p2); + } + break; + case PF_POOL_RDR_R: + if (p1) { + printf(" port %u", ntohs(p1)); + if (p2 & PF_RPORT_RANGE) + printf(":*"); + } + break; + case PF_POOL_RULE_RT: + default: + break; + } + switch (pool->opts & PF_POOL_TYPEMASK) { + case PF_POOL_NONE: + break; + case PF_POOL_BITMASK: + printf(" bitmask"); + break; + case PF_POOL_RANDOM: + printf(" random"); + break; + case PF_POOL_SRCHASH: + printf(" source-hash 0x%08X%08X%08X%08X", + pool->key.key32[0], pool->key.key32[1], + pool->key.key32[2], pool->key.key32[3]); + break; + case PF_POOL_ROUNDROBIN: + printf(" round-robin"); + break; + } + if (pool->opts & PF_POOL_STATICPORT) + printf(" static-port"); } void 
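Review bot: The new `switch (id)` gives `p1`/`p2` a different meaning and byte order per caller — NAT proxy-port bounds printed in host order, then the RDR port passed through `ntohs(p1)` with `p2` used as a flag word tested against `PF_RPORT_RANGE` — and nothing in the function says so; a comment at the head of the switch such as `/* p1/p2: NAT proxy port range (host order); RDR rport (network order) and opts flags; unused for RULE_RT */` would spare the next reader a trip through the three callers. The second `switch (pool->opts & PF_POOL_TYPEMASK)` has no `default:`; adding `default: break;` keeps it consistent with the first switch and makes the "print nothing for an unknown type" choice explicit. `print_pool` opens in the preceding hunk and the rest of its body is outside this one.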
@@ -455,36 +497,8 @@ print_nat(struct pf_nat *n) print_fromto(&n->src, &n->dst, n->af, n->proto); if (!n->no) { printf("-> "); - print_pool(&n->rpool, n->af, PF_POOL_NAT_R); - if (n->proxy_port[0] != PF_NAT_PROXY_PORT_LOW || - n->proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) { - if (n->proxy_port[0] == n->proxy_port[1]) - printf(" port %u", n->proxy_port[0]); - else - printf(" port %u:%u", n->proxy_port[0], - n->proxy_port[1]); - } - switch (n->rpool.opts & 0x0f) { - case PF_POOL_NONE: - break; - case PF_POOL_BITMASK: - printf(" bitmask"); - break; - case PF_POOL_RANDOM: - printf(" random"); - break; - case PF_POOL_SRCHASH: - printf(" source-hash"); - break; - case PF_POOL_SRCKEYHASH: - printf(" source-hash key"); - break; - case PF_POOL_ROUNDROBIN: - printf(" round-robin"); - break; - } - if (n->rpool.opts & PF_POOL_STATICPORT) - printf(" static-port"); + print_pool(&n->rpool, n->proxy_port[0], n->proxy_port[1], + n->af, PF_POOL_NAT_R); } printf("\n"); } @@ -583,32 +597,7 @@ print_rdr(struct pf_rdr *r) } if (!r->no) { printf(" -> "); - print_pool(&r->rpool, r->af, PF_POOL_RDR_R); - printf(" "); - switch (r->rpool.opts & 0x0f) { - case PF_POOL_NONE: - break; - case PF_POOL_BITMASK: - printf("bitmask "); - break; - case PF_POOL_RANDOM: - printf("random "); - break; - case PF_POOL_SRCHASH: - printf("source-hash "); - break; - case PF_POOL_SRCKEYHASH: - printf("source-hash key "); - break; - case PF_POOL_ROUNDROBIN: - printf("round-robin "); - break; - } - if (r->rport) { - printf("port %u", ntohs(r->rport)); - if (r->opts & PF_RPORT_RANGE) - printf(":*"); - } + print_pool(&r->rpool, r->rport, r->opts, r->af, PF_POOL_RDR_R); } printf("\n"); } 
@@ -778,28 +767,9 @@ print_rule(struct pf_rule *r) else if (r->rt == PF_FASTROUTE) printf("fastroute "); if (r->rt != PF_FASTROUTE) { - print_pool(&r->rt_pool, r->af, PF_POOL_RULE_RT); + print_pool(&r->rt_pool, 0, 0, r->af, PF_POOL_RULE_RT); printf(" "); } - switch (r->rt_pool.opts & 0x0f) { - case PF_POOL_NONE: - break; - case PF_POOL_BITMASK: - printf("bitmask "); - break; - case PF_POOL_RANDOM: - printf("random "); - break; - case PF_POOL_SRCHASH: - printf("source-hash "); - break; - case PF_POOL_SRCKEYHASH: - printf("source-hash key "); - break; - case PF_POOL_ROUNDROBIN: - printf("round-robin "); - break; - } } if (r->af) { if (r->af == AF_INET) diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index b598f3e4c31..4782c55f751 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.h,v 1.29 2002/11/23 06:18:42 mcbride Exp $ */ +/* $OpenBSD: pfctl_parser.h,v 1.30 2002/11/28 12:14:25 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -81,7 +81,7 @@ int parse_rules(FILE *, struct pfctl *); int parse_flags(char *); void print_rule(struct pf_rule *); -void print_pool(struct pf_pool *, sa_family_t, int); +void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int); void print_nat(struct pf_nat *); void print_binat(struct pf_binat *); void print_rdr(struct pf_rdr *); |
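Review bot: The two literal zeros in `print_pool(&r->rt_pool, 0, 0, r->af, PF_POOL_RULE_RT)` are opaque at the call site; `print_pool` ignores them for `PF_POOL_RULE_RT`, so a short comment on that line, `/* no port range for route-to pools */`, would explain the placeholders. The pool-type suffix is now emitted only inside the `r->rt != PF_FASTROUTE` branch, whereas the removed switch ran for every rule; that is presumably fine because a fastroute rule carries no pool options, but it is a visible output change worth confirming. The enclosing block of `print_rule` begins and ends outside this hunk.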