-rw-r--r--regress/sbin/pfctl/Makefile4
-rw-r--r--regress/sbin/pfctl/pf3.in6
-rw-r--r--regress/sbin/pfctl/pf3.ok5
-rw-r--r--sbin/pfctl/parse.y12
-rw-r--r--share/man/man5/pf.conf.59
5 files changed, 30 insertions, 6 deletions
diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile
index 207bc67ddaa..89ec2c4c7cf 100644
--- a/regress/sbin/pfctl/Makefile
+++ b/regress/sbin/pfctl/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.1 2001/07/26 14:33:45 markus Exp $
+# $OpenBSD: Makefile,v 1.2 2001/07/31 09:02:18 wilfried Exp $
NOMAN=
NOPROG=
-PFTESTS=1 2
+PFTESTS=1 2 3
pfail1:
@pfctl -nvR- < ${.CURDIR}/pfail1.in > /dev/null 2>&1 || \
diff --git a/regress/sbin/pfctl/pf3.in b/regress/sbin/pfctl/pf3.in
new file mode 100644
index 00000000000..739bd1f81fa
--- /dev/null
+++ b/regress/sbin/pfctl/pf3.in
@@ -0,0 +1,6 @@
+pass in all
+pass in from any to any
+
+block in proto tcp from any to any flags FUP
+block in proto tcp from any to any flags SF/SFRA
+block in proto tcp from any to any flags /SFRA
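Review bot: The three new inputs exercise only the accepting path of the `/<b>` form; the rejecting branch added in parse.y (the `warnx("line %d: bad flags %s", ...)` followed by `YYERROR`) is not driven by any fixture, even though the Makefile in this same commit already carries a `pfail1` target for inputs that must be refused. A pfail-style input along the lines of `block in proto tcp from any to any flags /X` (constructed example) would pin that an unknown letter after the slash is rejected rather than quietly yielding an empty mask. Whether parse_flags actually returns a negative value for an unknown letter cannot be confirmed from this diff, which is exactly why a negative fixture is worth having.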
diff --git a/regress/sbin/pfctl/pf3.ok b/regress/sbin/pfctl/pf3.ok
new file mode 100644
index 00000000000..ecaf8636412
--- /dev/null
+++ b/regress/sbin/pfctl/pf3.ok
@@ -0,0 +1,5 @@
+@1 pass in all
+@1 pass in all
+@1 block in proto tcp all flags FPU/FSRPAU
+@1 block in proto tcp all flags FS/FSRA
+@1 block in proto tcp all flags /FSRA
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 221c0705ae7..5fa56e07d2a 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.15 2001/07/19 00:07:36 krw Exp $ */
+/* $OpenBSD: parse.y,v 1.16 2001/07/31 09:02:18 wilfried Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -355,6 +355,16 @@ flags: { $$.b1 = 0; $$.b2 = 0; }
}
$$.b2 = f;
}
+ | FLAGS "/" STRING {
+ int f;
+
+ $$.b1 = 0;
+ if ((f = parse_flags($3)) < 0) {
+ warnx("line %d: bad flags %s", lineno, $3);
+ YYERROR;
+ }
+ $$.b2 = f;
+ }
;
icmpspec: { $$.b1 = 0; $$.b2 = 0; }
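Review bot: The new `FLAGS "/" STRING` alternative repeats the parse_flags / warnx / YYERROR sequence that the alternative ending at the top of this hunk already contains, so the `flags` rule now carries several copies of the same error path; a small helper that emits the warning and returns the mask or -1 (e.g. `static int flags_or_warn(const char *s)`) would reduce each alternative to the assignment of `$$.b1` and `$$.b2`. A one-line comment on the new alternative would also help, because `$$.b1 = 0` is the only thing that encodes "none of these flags may be set": `/* "flags /<b>": match only if no flag in <b> is set (b1 = 0, mask b2 = <b>) */`. As in the sibling alternative, `$3` is not released after parse_flags; if the lexer returns a heap-allocated string for STRING this leaks once per rule, though that cannot be confirmed from the hunk. The `flags` rule starts before this hunk.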
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 3596c52aa7f..e7cd50bd084 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.9 2001/07/22 20:47:19 krw Exp $
+.\" $OpenBSD: pf.conf.5,v 1.10 2001/07/31 09:02:18 wilfried Exp $
.\"
.\" Copyright (c) 2001, Daniel Hartmeier
.\" All rights reserved.
@@ -66,7 +66,7 @@ unary-op = ( "=" | "!=" | "<" | "<=" | ">" | ">=" )
( port-name | port-number ) .
binary-op = port-number ( "<>" | "><" ) port-number .
-flags = "flags" flag-set [ "/" flag-set ] .
+flags = "flags" ( flag-set | flag-set "/" flag-set | "/" flag-set ) .
flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] .
icmp-type = "icmp-type" ( icmp-type-name | icmp-type-number )
@@ -187,7 +187,7 @@ show:
pass in proto tcp from any to any port = 25
pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22
.Ed
-.Ss flags <a>[/<b>]
+.Ss flags <a> | <a>/<b> | /<b>
The rule only applies to TCP packets that have the flags <a> set
out of set <b>.
Flags not specified in <b> are ignored.
@@ -203,6 +203,9 @@ This is more restrictive than the previous example.
If the second set is not specified, it defaults to FSRPAU.
Hence, only packets with SYN set and all other flags unset match this
rule. This is more restrictive than the previous example.
+.It Em flags /SFRA
+If the first set is not specified, it defaults to none.
+All of SYN, FIN, RST and ACK must be unset.
.El
.Ss icmp-type <type> code <code>
The rule only applies to ICMP packets with the specified type and code.