-rw-r--r-- | sbin/pfctl/parse.y | 37 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 2 | ||||
-rw-r--r-- | sys/net/pf.c | 11 | ||||
-rw-r--r-- | sys/net/pfvar.h | 3 |
4 files changed, 37 insertions, 16 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 09a3cb05106..099258f1be3 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.160 2002/10/07 13:15:02 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.161 2002/10/07 13:18:40 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -460,13 +460,21 @@ pfrule : action dir logquick interface route af proto fromto
memset(&r, 0, sizeof(r));
r.action = $1.b1;
- if ($1.b2) {
+ switch ($1.b2) {
+ case PFRULE_RETURNRST:
r.rule_flag |= PFRULE_RETURNRST;
r.return_ttl = $1.w;
- } else {
+ break;
+ case PFRULE_RETURNICMP:
r.rule_flag |= PFRULE_RETURNICMP;
r.return_icmp = $1.w;
r.return_icmp6 = $1.w2;
+ break;
+ case PFRULE_RETURN:
+ r.rule_flag |= PFRULE_RETURN;
+ r.return_icmp = $1.w;
+ r.return_icmp6 = $1.w2;
+ break;
}
r.direction = $2;
r.log = $3.log;
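Review bot: The new `case PFRULE_RETURN:` copies the two ICMP codes but never assigns `r.return_ttl`, while the kernel side of this commit now calls `pf_send_reset(off, th, pd, af, (*rm)->return_ttl)` for PFRULE_RETURN as well, so a `block return` RST always carries the zero left by the `memset(&r, 0, sizeof(r))` above; presumably 0 selects a default TTL inside pf_send_reset (not visible here), but that reliance deserves a one-line comment such as `/* return_ttl stays 0: pf_send_reset picks the default TTL; no "(ttl n)" form for plain return */`. The switch also has no `default:` for the 0 that the empty blockspec alternative leaves in `$1.b2`; a `default: break; /* plain block: drop silently */` would make the silent-drop case explicit instead of an unhandled value. The pfrule action block continues outside the hunk.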
@@ -567,39 +575,48 @@ action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
;
blockspec : /* empty */ { $$.b2 = 0; $$.w = 0; $$.w2 = 0; }
- | RETURNRST { $$.b2 = 1; $$.w = 0; $$.w2 = 0; }
+ | RETURNRST {
+ $$.b2 = PFRULE_RETURNRST;
+ $$.w = 0;
+ $$.w2 = 0;
+ }
| RETURNRST '(' TTL number ')' {
+ $$.b2 = PFRULE_RETURNRST;
$$.w = $4;
$$.w2 = 0;
- $$.b2 = 1;
}
| RETURNICMP {
- $$.b2 = 0;
+ $$.b2 = PFRULE_RETURNICMP;
$$.w = returnicmpdefault;
$$.w2 = returnicmp6default;
}
| RETURNICMP6 {
- $$.b2 = 0;
+ $$.b2 = PFRULE_RETURNICMP;
$$.w = returnicmpdefault;
$$.w2 = returnicmp6default;
}
| RETURNICMP '(' STRING ')' {
+ $$.b2 = PFRULE_RETURNICMP;
if (!($$.w = parseicmpspec($3, AF_INET)))
YYERROR;
$$.w2 = returnicmp6default;
- $$.b2 = 0;
}
| RETURNICMP6 '(' STRING ')' {
+ $$.b2 = PFRULE_RETURNICMP;
$$.w = returnicmpdefault;
if (!($$.w2 = parseicmpspec($3, AF_INET6)))
YYERROR;
- $$.b2 = 0;
}
| RETURNICMP '(' STRING comma STRING ')' {
+ $$.b2 = PFRULE_RETURNICMP;
if (!($$.w = parseicmpspec($3, AF_INET)))
YYERROR;
if (!($$.w2 = parseicmpspec($5, AF_INET6)));
- $$.b2 = 0;
+ }
+ | RETURN {
+ $$.b2 = PFRULE_RETURN;
+ $$.w = returnicmpdefault;
+ $$.w2 = returnicmp6default;
}
;
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 3f59537f450..0f97da42543 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.97 2002/10/07 13:15:02 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.98 2002/10/07 13:18:40 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 045eb6fd83f..84d40676e40 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.250 2002/10/07 13:15:02 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.251 2002/10/07 13:18:40 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
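Review bot: The `RETURNICMP '(' STRING comma STRING ')'` alternative still ends its second check with a stray semicolon, `if (!($$.w2 = parseicmpspec($5, AF_INET6)));`, so a malformed IPv6 ICMP spec is not rejected: the empty statement swallows the failure and the rule is loaded with `$$.w2` equal to 0 (no ICMP6 response at all) instead of producing a parse error. The commit edits this very alternative, adding `$$.b2 = PFRULE_RETURNICMP;` above that line, yet leaves the line itself as context, while every sibling alternative follows the same test with `YYERROR;`. Replace the trailing `;` with the two-line form used three lines earlier: `if (!($$.w2 = parseicmpspec($5, AF_INET6)))` followed by `YYERROR;`.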
@@ -1737,7 +1737,8 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
if (((*rm)->action == PF_DROP) &&
(((*rm)->rule_flag & PFRULE_RETURNRST) ||
- ((*rm)->rule_flag & PFRULE_RETURNICMP))) {
+ ((*rm)->rule_flag & PFRULE_RETURNICMP) ||
+ ((*rm)->rule_flag & PFRULE_RETURN))) {
/* undo NAT/RST changes, if they have taken place */
if (nat != NULL || (binat != NULL && direction == PF_OUT)) {
@@ -1750,7 +1751,8 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
&th->th_sum, &baddr, bport, 0, af);
rewrite++;
}
- if ((*rm)->rule_flag & PFRULE_RETURNRST)
+ if (((*rm)->rule_flag & PFRULE_RETURNRST) ||
+ ((*rm)->rule_flag & PFRULE_RETURN))
pf_send_reset(off, th, pd, af, (*rm)->return_ttl);
else if ((af == AF_INET) && (*rm)->return_icmp)
@@ -2001,7 +2003,8 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
}
if (((*rm)->action == PF_DROP) &&
- ((*rm)->rule_flag & PFRULE_RETURNICMP)) {
+ (((*rm)->rule_flag & PFRULE_RETURNICMP) ||
+ ((*rm)->rule_flag & PFRULE_RETURN))) {
/* undo NAT/RST changes, if they have taken place */
if (nat != NULL || (binat != NULL && direction == PF_OUT)) {
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 31bb6cd2cbc..d165163d983 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.93 2002/10/07 13:15:02 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.94 2002/10/07 13:18:40 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -286,6 +286,7 @@ struct pf_rule {
#define PFRULE_RETURNICMP 0x08
#define PFRULE_FRAGCROP 0x10 /* non-buffering frag cache */
#define PFRULE_FRAGDROP 0x20 /* drop funny fragments */
+#define PFRULE_RETURN 0x40
struct pf_state_host {
struct pf_addr addr;
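Review bot: Only pf_test_tcp and pf_test_udp learn about PFRULE_RETURN in this hunk and the two above it; the diffstat lists 11 changed lines in pf.c and all of them are here, so any other protocol handler that honours PFRULE_RETURNICMP on a PF_DROP match (pf_test_other, if it carries the same `rule_flag & PFRULE_RETURNICMP` branch — not visible in this diff) will silently drop on a `block return` rule rather than answer with ICMP, which is not what the new keyword promises for non-TCP traffic. Worth confirming, and if so extending the same `|| ((*rm)->rule_flag & PFRULE_RETURN)` test there, or alternatively having the parser set RETURNRST|RETURNICMP for `return` so no kernel test site can be missed. pf_test_udp's body continues outside the hunk.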
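Review bot: `#define PFRULE_RETURN 0x40` is the only flag in this group added without a trailing comment, while `PFRULE_FRAGCROP` and `PFRULE_FRAGDROP` document theirs, and the name alone does not tell a header reader what the kernel does with it; the pf.c hunks in this commit show it means "RST for TCP, ICMP unreachable for UDP". Suggest `#define PFRULE_RETURN 0x40 /* block return: RST for tcp, ICMP otherwise */`. Since pf.c tests this bit separately at every site instead of treating it as RETURNRST|RETURNICMP, a short note that the three PFRULE_RETURN* bits are independent and each checked on its own would save the next person from assuming the alias.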