-rw-r--r--sbin/pfctl/parse.y111
-rw-r--r--sbin/pfctl/pfctl_parser.c126
-rw-r--r--sbin/pfctl/pfctl_parser.h4
3 files changed, 120 insertions, 121 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c696af244de..7cf57b6b96b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.223 2002/11/27 18:50:32 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.224 2002/11/28 12:14:24 mcbride Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -258,6 +258,7 @@ typedef struct {
struct {
struct peer src, dst;
} fromto;
+ struct pf_poolhashkey *hashkey;
struct {
struct node_host *host;
u_int8_t rt;
@@ -299,7 +300,7 @@ typedef struct {
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY
%token REQUIREORDER YES
%token ANTISPOOF FOR
-%token BITMASK RANDOM SOURCEHASH ROUNDROBIN KEY STATICPORT
+%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
%token ALTQ SCHEDULER CBQ BANDWIDTH TBRSIZE
%token QUEUE PRIORITY QLIMIT
%token DEFAULT CONTROL BORROW RED ECN RIO
@@ -312,6 +313,7 @@ typedef struct {
%type <v.i> staticport
%type <v.b> action flag flags blockspec
%type <v.range> dport rport
+%type <v.hashkey> hashkey
%type <v.pooltype> pooltype
%type <v.proto> proto proto_list proto_item
%type <v.icmp> icmpspec icmp_list icmp6_list icmp_item icmp6_item
@@ -1630,32 +1632,63 @@ redirpool : /* empty */ { $$ = NULL; }
}
;
+hashkey : /* empty */
+ {
+ $$ = malloc(sizeof(struct pf_poolhashkey));
+ if ($$ == NULL)
+ err(1, "pooltype: malloc");
+ $$->key32[0] = arc4random();
+ $$->key32[1] = arc4random();
+ $$->key32[2] = arc4random();
+ $$->key32[3] = arc4random();
+ }
+ | string
+ {
+ char buf[11] = "0x";
+ int i;
+
+ if (!strncmp((char *)$1, "0x", 2)) {
+ if (strlen((char *)$1) != 34) {
+ yyerror("hex key must be 128 bits "
+ "(32 hex digits) long");
+ YYERROR;
+ }
+ $$ = calloc(1, sizeof(struct pf_poolhashkey));
+ if ($$ == NULL)
+ err(1, "hashkey: calloc");
+
+ /* convert to binary */
+ for (i = 0; i < 4; i++) {
+ strncpy((char *)(buf + 2),
+ (char *)($1 + 2 + (i * 8)), 8);
+ if (atoul(buf,
+ (u_long *)&$$->key32[i]) == -1) {
+ /* not hex */
+ free($$);
+ yyerror("invalid hex key");
+ YYERROR;
+ }
+ }
+ } else {
+ MD5_CTX context;
+
+ $$ = calloc(1, sizeof(struct pf_poolhashkey));
+ if ($$ == NULL)
+ err(1, "hashkey: calloc");
+ MD5Init(&context);
+ MD5Update(&context, $1, strlen($1));
+ MD5Final((unsigned char *)$$, &context);
+ }
+ }
+ ;
+
pooltype : /* empty */ { $$.type = PF_POOL_NONE; }
| BITMASK { $$.type = PF_POOL_BITMASK; }
| RANDOM { $$.type = PF_POOL_RANDOM; }
- | SOURCEHASH { $$.type = PF_POOL_SRCHASH; }
- | SOURCEHASH RANDOM
- {
- $$.key = calloc(1, sizeof(struct pf_poolhashkey));
- if ($$.key == NULL)
- err(1, "pooltype: calloc");
- $$.type = PF_POOL_SRCKEYHASH;
- $$.key->key32[0] = arc4random();
- $$.key->key32[1] = arc4random();
- $$.key->key32[2] = arc4random();
- $$.key->key32[3] = arc4random();
- }
- | SOURCEHASH KEY string
+ | SOURCEHASH hashkey
{
- MD5_CTX context;
-
- $$.key = calloc(1, sizeof(struct pf_poolhashkey));
- if ($$.key == NULL)
- err(1, "pooltype: calloc");
- $$.type = PF_POOL_SRCKEYHASH;
- MD5Init(&context);
- MD5Update(&context, $3, strlen($3));
- MD5Final((unsigned char *)$$.key, &context);
+ $$.type = PF_POOL_SRCHASH;
+ $$.key = $2;
}
| ROUNDROBIN { $$.type = PF_POOL_ROUNDROBIN; }
;
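Review bot: Only the `SOURCEHASH hashkey` alternative of `pooltype` assigns `$$.key`; the `/* empty */`, `BITMASK`, `RANDOM` and `ROUNDROBIN` alternatives leave it whatever the yacc value stack held, yet the natrule, rdrrule and route hunks below now test `$8.key != NULL`, `$12.key != NULL` and `$3.key != NULL` and memcpy through the pointer, where the removed code only looked at the pool type. Unless this yacc zero-fills `$$` for every reduction (the skeleton is not on the page, so I cannot confirm it does), a plain `-> 10.0.0.1 bitmask` rule can copy 16 bytes from a stale pointer; add `$$.key = NULL;` to each of those four alternatives. In the hex branch of `hashkey`, `atoul(buf, (u_long *)&$$->key32[i])` writes a full `u_long` into a 32-bit slot: on an LP64 target that clobbers `key32[i+1]`, runs past the 16-byte calloc at i == 3, and on a big-endian LP64 machine leaves the parsed value in the wrong word. Parse into a local instead: `u_long v;` in the declarations, `if (atoul(buf, &v) == -1 || v > 0xffffffffUL)` for the check, then `$$->key32[i] = (u_int32_t)v;`. The `err(1, "pooltype: malloc")` message in the empty alternative should read `hashkey: malloc` to match its sibling.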
@@ -1758,11 +1791,11 @@ natrule : no NAT interface af proto fromto redirpool pooltype staticport
nat.rpool.opts = $8.type;
}
}
- if ((nat.rpool.opts & PF_POOL_TYPEMASK) ==
- PF_POOL_SRCKEYHASH) {
- memcpy(&nat.rpool.key, $8.key,
- sizeof(struct pf_poolhashkey));
- }
+ }
+
+ if ($8.key != NULL) {
+ memcpy(&nat.rpool.key, $8.key,
+ sizeof(struct pf_poolhashkey));
}
expand_nat(&nat, $3, $5, $6.src.host, $6.src.port,
@@ -1973,11 +2006,11 @@ rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport redirpool poolt
$12.type;
}
}
- if ((rdr.rpool.opts & PF_POOL_TYPEMASK) ==
- PF_POOL_SRCKEYHASH) {
- memcpy(&rdr.rpool.key, $12.key,
- sizeof(struct pf_poolhashkey));
- }
+ }
+
+ if ($12.key != NULL) {
+ memcpy(&rdr.rpool.key, $12.key,
+ sizeof(struct pf_poolhashkey));
}
expand_rdr(&rdr, $3, $5, $7, $9,
@@ -2069,22 +2102,19 @@ route : /* empty */ {
| ROUTETO routespec pooltype {
$$.host = $2;
$$.rt = PF_ROUTETO;
- if (($$.pool_opts & PF_POOL_TYPEMASK) ==
- PF_POOL_SRCKEYHASH)
+ if ($3.key != NULL)
$$.key = $3.key;
}
| REPLYTO routespec pooltype {
$$.host = $2;
$$.rt = PF_REPLYTO;
- if (($$.pool_opts & PF_POOL_TYPEMASK) ==
- PF_POOL_SRCKEYHASH)
+ if ($3.key != NULL)
$$.key = $3.key;
}
| DUPTO routespec pooltype {
$$.host = $2;
$$.rt = PF_DUPTO;
- if (($$.pool_opts & PF_POOL_TYPEMASK) ==
- PF_POOL_SRCKEYHASH)
+ if ($3.key != NULL)
$$.key = $3.key;
}
;
@@ -2929,7 +2959,6 @@ lookup(char *s)
{ "inet6", INET6},
{ "ipv6-icmp-type", ICMP6TYPE},
{ "keep", KEEP},
- { "key", KEY},
{ "label", LABEL},
{ "limit", LIMIT},
{ "log", LOG},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index f4715e182b6..03c16332e64 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.112 2002/11/23 11:58:44 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.113 2002/11/28 12:14:25 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -396,7 +396,8 @@ print_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst,
}
void
-print_pool(struct pf_pool *pool, sa_family_t af, int id)
+print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
+ sa_family_t af, int id)
{
struct pf_pooladdr *pooladdr;
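Review bot: `print_pool` now takes `p1` and `p2` whose meaning depends on `id`, and nothing documents it: for `PF_POOL_NAT_R` they are a host-order proxy-port range, for `PF_POOL_RDR_R` `p1` is a network-order port printed through `ntohs()` and `p2` is the rdr `opts` word tested against `PF_RPORT_RANGE`, and for `PF_POOL_RULE_RT` both are ignored (the caller passes `0, 0`). A comment above the definition should say so, e.g. `/* p1/p2: NAT_R = proxy port range (host order); RDR_R = rport (net order) and rdr opts; RULE_RT = unused */`, and the same note belongs on the prototype in pfctl_parser.h. The body of print_pool continues in the next hunk.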
@@ -424,6 +425,47 @@ print_pool(struct pf_pool *pool, sa_family_t af, int id)
else if (TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL)
printf(" }");
}
+ switch (id) {
+ case PF_POOL_NAT_R:
+ if (p1 != PF_NAT_PROXY_PORT_LOW ||
+ p2 != PF_NAT_PROXY_PORT_HIGH) {
+ if (p1 == p2)
+ printf(" port %u", p1);
+ else
+ printf(" port %u:%u", p1, p2);
+ }
+ break;
+ case PF_POOL_RDR_R:
+ if (p1) {
+ printf(" port %u", ntohs(p1));
+ if (p2 & PF_RPORT_RANGE)
+ printf(":*");
+ }
+ break;
+ case PF_POOL_RULE_RT:
+ default:
+ break;
+ }
+ switch (pool->opts & PF_POOL_TYPEMASK) {
+ case PF_POOL_NONE:
+ break;
+ case PF_POOL_BITMASK:
+ printf(" bitmask");
+ break;
+ case PF_POOL_RANDOM:
+ printf(" random");
+ break;
+ case PF_POOL_SRCHASH:
+ printf(" source-hash 0x%08X%08X%08X%08X",
+ pool->key.key32[0], pool->key.key32[1],
+ pool->key.key32[2], pool->key.key32[3]);
+ break;
+ case PF_POOL_ROUNDROBIN:
+ printf(" round-robin");
+ break;
+ }
+ if (pool->opts & PF_POOL_STATICPORT)
+ printf(" static-port");
}
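Review bot: The new `switch (pool->opts & PF_POOL_TYPEMASK)` has no `default:` arm, so a value outside the listed `PF_POOL_*` constants prints nothing and the listing silently drops the pool type; add `default: printf(" <unknown pool type %u>", pool->opts & PF_POOL_TYPEMASK); break;` or at least an empty `default: break;` to mirror the `id` switch above it. The `source-hash 0x%08X%08X%08X%08X` line is now the only form the grammar's `hashkey` rule re-parses (it accepts exactly "0x" plus 32 hex digits), so a comment tying the two together, `/* must stay parseable by hashkey in parse.y: "0x" + 32 hex digits */`, would keep either side from drifting. Note also that this prints the key for every source-hash pool, including one derived from a passphrase via MD5, so rule listings now carry that digest and anyone who can read them can reproduce the hashing.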
void
@@ -455,36 +497,8 @@ print_nat(struct pf_nat *n)
print_fromto(&n->src, &n->dst, n->af, n->proto);
if (!n->no) {
printf("-> ");
- print_pool(&n->rpool, n->af, PF_POOL_NAT_R);
- if (n->proxy_port[0] != PF_NAT_PROXY_PORT_LOW ||
- n->proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) {
- if (n->proxy_port[0] == n->proxy_port[1])
- printf(" port %u", n->proxy_port[0]);
- else
- printf(" port %u:%u", n->proxy_port[0],
- n->proxy_port[1]);
- }
- switch (n->rpool.opts & 0x0f) {
- case PF_POOL_NONE:
- break;
- case PF_POOL_BITMASK:
- printf(" bitmask");
- break;
- case PF_POOL_RANDOM:
- printf(" random");
- break;
- case PF_POOL_SRCHASH:
- printf(" source-hash");
- break;
- case PF_POOL_SRCKEYHASH:
- printf(" source-hash key");
- break;
- case PF_POOL_ROUNDROBIN:
- printf(" round-robin");
- break;
- }
- if (n->rpool.opts & PF_POOL_STATICPORT)
- printf(" static-port");
+ print_pool(&n->rpool, n->proxy_port[0], n->proxy_port[1],
+ n->af, PF_POOL_NAT_R);
}
printf("\n");
}
@@ -583,32 +597,7 @@ print_rdr(struct pf_rdr *r)
}
if (!r->no) {
printf(" -> ");
- print_pool(&r->rpool, r->af, PF_POOL_RDR_R);
- printf(" ");
- switch (r->rpool.opts & 0x0f) {
- case PF_POOL_NONE:
- break;
- case PF_POOL_BITMASK:
- printf("bitmask ");
- break;
- case PF_POOL_RANDOM:
- printf("random ");
- break;
- case PF_POOL_SRCHASH:
- printf("source-hash ");
- break;
- case PF_POOL_SRCKEYHASH:
- printf("source-hash key ");
- break;
- case PF_POOL_ROUNDROBIN:
- printf("round-robin ");
- break;
- }
- if (r->rport) {
- printf("port %u", ntohs(r->rport));
- if (r->opts & PF_RPORT_RANGE)
- printf(":*");
- }
+ print_pool(&r->rpool, r->rport, r->opts, r->af, PF_POOL_RDR_R);
}
printf("\n");
}
@@ -778,28 +767,9 @@ print_rule(struct pf_rule *r)
else if (r->rt == PF_FASTROUTE)
printf("fastroute ");
if (r->rt != PF_FASTROUTE) {
- print_pool(&r->rt_pool, r->af, PF_POOL_RULE_RT);
+ print_pool(&r->rt_pool, 0, 0, r->af, PF_POOL_RULE_RT);
printf(" ");
}
- switch (r->rt_pool.opts & 0x0f) {
- case PF_POOL_NONE:
- break;
- case PF_POOL_BITMASK:
- printf("bitmask ");
- break;
- case PF_POOL_RANDOM:
- printf("random ");
- break;
- case PF_POOL_SRCHASH:
- printf("source-hash ");
- break;
- case PF_POOL_SRCKEYHASH:
- printf("source-hash key ");
- break;
- case PF_POOL_ROUNDROBIN:
- printf("round-robin ");
- break;
- }
}
if (r->af) {
if (r->af == AF_INET)
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index b598f3e4c31..4782c55f751 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.29 2002/11/23 06:18:42 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.30 2002/11/28 12:14:25 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -81,7 +81,7 @@ int parse_rules(FILE *, struct pfctl *);
int parse_flags(char *);
void print_rule(struct pf_rule *);
-void print_pool(struct pf_pool *, sa_family_t, int);
+void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_nat(struct pf_nat *);
void print_binat(struct pf_binat *);
void print_rdr(struct pf_rdr *);