-rw-r--r-- | sbin/pfctl/parse.y | 17 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 4 |
2 files changed, 18 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 7d75c6b6708..36f05bfa565 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.607 2011/07/29 10:51:46 mcbride Exp $ */ +/* $OpenBSD: parse.y,v 1.608 2011/08/30 00:43:57 mikeb Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -231,6 +231,7 @@ struct filter_opts { #define FOM_SETTOS 0x0100 #define FOM_SCRUB_TCP 0x0200 #define FOM_PRIO 0x0400 +#define FOM_ONCE 0x1000 struct node_uid *uid; struct node_gid *gid; struct node_if *rcv; @@ -455,7 +456,7 @@ int parseport(char *, struct range *r, int); %token WEIGHT %token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT %token QUEUE PRIORITY QLIMIT RTABLE RDOMAIN -%token LOAD RULESET_OPTIMIZATION RTABLE RDOMAIN PRIO +%token LOAD RULESET_OPTIMIZATION RTABLE RDOMAIN PRIO ONCE %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS @@ -874,6 +875,12 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto YYERROR; } + if ($9.marker & FOM_ONCE) { + yyerror("cannot specify 'once' " + "on anchors"); + YYERROR; + } + if ($9.match_tag) if (strlcpy(r.match_tagname, $9.match_tag, PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) { @@ -1705,6 +1712,8 @@ pfrule : action dir logquick interface af proto fromto r.prio[1] = $8.prio[1]; } else r.prio[0] = r.prio[1] = PF_PRIO_NOTSET; + if ($8.marker & FOM_ONCE) + r.rule_flag |= PFRULE_ONCE; r.af = $5; if ($8.tag) @@ -2317,6 +2326,9 @@ filter_opt : USER uids { filter_opts.prio[0] = $1.b1; filter_opts.prio[1] = $1.b2; } + | ONCE { + filter_opts.marker |= FOM_ONCE; + } ; prio : PRIO NUMBER { @@ -5167,6 +5179,7 @@ lookup(char *s) { "no-route", NOROUTE}, { "no-sync", NOSYNC}, { "on", ON}, + { "once", ONCE}, { "optimization", OPTIMIZATION}, { "os", OS}, { "out", OUT}, 
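Review bot: `PFRULE_ONCE` is set in the pfrule hunk for any rule whose options carry `FOM_ONCE`, with no check of the rule's action, so `match ... once` parses the same as `pass ... once` or `block ... once`. If a one-shot rule (as the flag name suggests) is only meaningful for pass/block, reject the other actions here the way the anchorrule hunk rejects `once` on anchors. The guard would be `if (r.action != PF_PASS && r.action != PF_DROP)` followed by a `yyerror()` and `YYERROR`, assuming `r.action` is already assigned at this point. How the kernel treats the flag on other actions is not visible in this diff, so confirm that first. The pfrule action starts and ends outside the hunk.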
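Review bot: The new `{ "once", ONCE}` entry in lookup() makes `once` a reserved word, so an existing pf.conf that uses it as an unquoted string (for example a label, tag or table name) would presumably stop parsing after the upgrade unless the word is quoted. A firewall ruleset that no longer loads is worth calling out in the commit message or upgrade notes. The diffstat lists only parse.y and pfctl_parser.c, so the keyword and its restriction on anchors are undocumented in this change; a pf.conf(5) entry should accompany it. The keyword table continues outside the hunk.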
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 4ad8c50e9e9..10dc9c94f5e 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.279 2011/07/27 00:26:10 mcbride Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.280 2011/08/30 00:43:57 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1019,6 +1019,8 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose) printf(" allow-opts"); if (r->label[0]) printf(" label \"%s\"", r->label); + if (r->rule_flag & PFRULE_ONCE) + printf(" once"); if (r->qname[0] && r->pqname[0]) printf(" queue(%s, %s)", r->qname, r->pqname); else if (r->qname[0]) |