diff options
| -rw-r--r-- | sbin/pfctl/parse.y | 23 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_parser.c | 10 | ||||
| -rw-r--r-- | share/man/man4/pfsync.4 | 10 | ||||
| -rw-r--r-- | share/man/man5/pf.conf.5 | 9 | ||||
| -rw-r--r-- | sys/net/if_pfsync.h | 17 | ||||
| -rw-r--r-- | sys/net/pfvar.h | 3 |
6 files changed, 60 insertions, 12 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 54a36cf53ef..de5ace0dc16 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.420 2003/11/06 15:16:50 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.421 2003/11/08 00:45:34 mcbride Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -112,7 +112,7 @@ struct node_icmp { struct node_icmp *tail; }; -enum { PF_STATE_OPT_MAX=0, PF_STATE_OPT_TIMEOUT=1 }; +enum { PF_STATE_OPT_MAX=0, PF_STATE_OPT_NOSYNC=1, PF_STATE_OPT_TIMEOUT=2 }; struct node_state_opt { int type; union { @@ -367,7 +367,7 @@ typedef struct { %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID -%token REQUIREORDER SYNPROXY FINGERPRINTS +%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC %token ANTISPOOF FOR %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT %token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT @@ -1408,6 +1408,14 @@ pfrule : action dir logquick interface route af proto fromto } r.max_states = o->data.max_states; break; + case PF_STATE_OPT_NOSYNC: + if (r.rule_flag & PFRULE_NOSYNC) { + yyerror("state option 'sync' " + "multiple definitions"); + YYERROR; + } + r.rule_flag |= PFRULE_NOSYNC; + break; case PF_STATE_OPT_TIMEOUT: if (r.timeout[o->data.timeout.number]) { yyerror("state timeout %s " @@ -2398,6 +2406,14 @@ state_opt_item : MAXIMUM number { $$->next = NULL; $$->tail = $$; } + | NOSYNC { + $$ = calloc(1, sizeof(struct node_state_opt)); + if ($$ == NULL) + err(1, "state_opt_item: calloc"); + $$->type = PF_STATE_OPT_NOSYNC; + $$->next = NULL; + $$->tail = $$; + } | STRING number { int i; @@ -3950,6 +3966,7 @@ lookup(char *s) { "no", NO}, { "no-df", NODF}, { "no-route", NOROUTE}, + { "no-sync", NOSYNC}, { "on", ON}, { "optimization", OPTIMIZATION}, { "os", OS}, diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index ae4aec5a168..18adf05bfa8 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.179 2003/11/06 15:18:12 henning Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.180 2003/11/08 00:45:34 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -704,6 +704,8 @@ print_rule(struct pf_rule *r, int verbose) opts = 0; if (r->max_states) opts = 1; + if (r->rule_flag & PFRULE_NOSYNC) + opts = 1; for (i = 0; !opts && i < PFTM_MAX; ++i) if (r->timeout[i]) opts = 1; @@ -713,6 +715,12 @@ print_rule(struct pf_rule *r, int verbose) printf("max %u", r->max_states); opts = 0; } + if (r->rule_flag & PFRULE_NOSYNC) { + if (!opts) + printf(", "); + printf("no-sync"); + opts = 0; + } for (i = 0; i < PFTM_MAX; ++i) if (r->timeout[i]) { if (!opts) diff --git a/share/man/man4/pfsync.4 b/share/man/man4/pfsync.4 index 21dd7d5412f..3eef718c34a 100644 --- a/share/man/man4/pfsync.4 +++ b/share/man/man4/pfsync.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfsync.4,v 1.6 2003/06/06 10:29:41 jmc Exp $ +.\" $OpenBSD: pfsync.4,v 1.7 2003/11/08 00:45:33 mcbride Exp $ .\" .\" Copyright (c) 2002 Michael Shalayeff .\" All rights reserved. @@ -43,6 +43,13 @@ for changes in the table by invoking on the .Nm interface. +States created by a rule marked with the +.Ar no-sync +keyword are ommited from the +.Nm pfsync +interface (see +.Xr pf.conf 5 +for details). .Pp Each packet retrieved on this interface has a header associated with it of length @@ -71,6 +78,7 @@ struct pfsync_header { .Xr inet6 4 , .Xr netintro 4 , .Xr pf 4 , +.Xr pf.conf 5 , .Xr ifconfig 8 , .Xr tcpdump 8 .Sh HISTORY diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index f963a1a0936..30cd869c3f9 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.277 2003/11/07 20:29:54 mcbride Exp $ +.\" $OpenBSD: pf.conf.5,v 1.278 2003/11/08 00:45:34 mcbride Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -1737,6 +1737,10 @@ support the following options: Limits the number of concurrent states the rule may create. When this limit is reached, further packets matching the rule that would create state are dropped, until existing states time out. +.It Ar no-sync +Prevent state changes for states created by this rule from appearing on the +.Xr pfsync 4 +interface. .It Ar <timeout> <seconds> Changes the timeout values used for states created by this rule. For a list of all valid timeout names, see @@ -2421,7 +2425,7 @@ tos = "tos" ( "lowdelay" | "throughput" | "reliability" | [ "0x" ] number ) state-opts = state-opt [ [ "," ] state-opts ] -state-opt = ( "max" number ) | ( timeout ) +state-opt = ( "max" number | "no-sync" | timeout ) fragmentation = [ "fragment reassemble" | "fragment crop" | "fragment drop-ovl" ] @@ -2478,6 +2482,7 @@ Example rulesets. .Xr ip 4 , .Xr ip6 4 , .Xr pf 4 , +.Xr pfsync 4 , .Xr tcp 4 , .Xr udp 4 , .Xr hosts 5 , diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h index 9fff97fea8e..cbeebcd9adf 100644 --- a/sys/net/if_pfsync.h +++ b/sys/net/if_pfsync.h @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.h,v 1.2 2002/12/11 18:31:26 mickey Exp $ */ +/* $OpenBSD: if_pfsync.h,v 1.3 2003/11/08 00:45:34 mcbride Exp $ */ /* * Copyright (c) 2001 Michael Shalayeff @@ -76,9 +76,18 @@ struct pfsync_header { #ifdef _KERNEL int pfsync_clear_state(struct pf_state *); int pfsync_pack_state(u_int8_t, struct pf_state *); -#define pfsync_insert_state(st) pfsync_pack_state(PFSYNC_ACT_INS, (st)) -#define pfsync_update_state(st) pfsync_pack_state(PFSYNC_ACT_UPD, (st)) -#define pfsync_delete_state(st) pfsync_pack_state(PFSYNC_ACT_DEL, (st)) +#define pfsync_insert_state(st) do { \ + if (!(st->rule.ptr->rule_flag & PFRULE_NOSYNC)) \ + pfsync_pack_state(PFSYNC_ACT_INS, (st));\ +} while (0) +#define pfsync_update_state(st) do { \ + if (!(st->rule.ptr->rule_flag & PFRULE_NOSYNC)) \ + pfsync_pack_state(PFSYNC_ACT_UPD, (st));\ +} while (0) +#define pfsync_delete_state(st) do { \ + if (!(st->rule.ptr->rule_flag & PFRULE_NOSYNC)) \ + pfsync_pack_state(PFSYNC_ACT_DEL, (st));\ +} while (0) #endif #endif /* _NET_IF_PFSYNC_H_ */ diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 5572ba61013..580a9bb9246 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.173 2003/10/31 10:34:47 mcbride Exp $ */ +/* $OpenBSD: pfvar.h,v 1.174 2003/11/08 00:45:34 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -517,6 +517,7 @@ struct pf_rule { #define PFRULE_FRAGMENT 0x0002 #define PFRULE_RETURNICMP 0x0004 #define PFRULE_RETURN 0x0008 +#define PFRULE_NOSYNC 0x0010 /* scrub flags */ #define PFRULE_NODF 0x0100 |