Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/parse.y | 27 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 4 |
2 files changed, 27 insertions, 4 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 31553f93497..c6d1a164bb5 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.569 2009/09/08 17:52:17 michele Exp $ */
+/* $OpenBSD: parse.y,v 1.570 2009/10/04 16:08:37 michele Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -266,7 +266,7 @@ struct filter_opts {
 	struct {
 		struct node_host *addr;
 		u_int16_t port;
-	} divert;
+	} divert, divert_packet;
 	struct redirspec nat;
 	struct redirspec rdr;
@@ -461,7 +461,7 @@ int parseport(char *, struct range *r, int);
 %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
 %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
 %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
-%token DIVERTTO DIVERTREPLY NATTO RDRTO
+%token DIVERTTO DIVERTREPLY DIVERTPACKET NATTO RDRTO
 %token <v.string> STRING
 %token <v.number> NUMBER
 %token <v.i> PORTBINARY
@@ -2094,6 +2094,7 @@ pfrule : action dir logquick interface af proto fromto
 					    $8.divert.addr->addr.v.a.addr;
 				}
 			}
+			r.divert_packet.port = $8.divert_packet.port;
 			expand_rule(&r, 0, $4, &$8.nat, &$8.rdr, $6, $7.src_os,
 			    $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
@@ -2227,6 +2228,21 @@ filter_opt : USER uids {
 		| DIVERTREPLY {
 			filter_opts.divert.port = 1; /* some random value */
 		}
+		| DIVERTPACKET PORT number {
+			/*
+			 * If IP reassembly was not turned off, also
+			 * forcibly enable TCP reassembly by default.
+			 */
+			if (pf->reassemble & PF_REASS_ENABLED)
+				filter_opts.marker |= FOM_SCRUB_TCP;
+
+			if ($3 < 1 || $3 > 65535) {
+				yyerror("invalid divert port");
+				YYERROR;
+			}
+
+			filter_opts.divert_packet.port = htons($3);
+		}
 		| SCRUB '(' scrub_opts ')' {
 			filter_opts.nodf = $3.nodf;
 			filter_opts.minttl = $3.minttl;
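Review bot: The new DIVERTPACKET PORT number action rejects an out-of-range value with `yyerror("invalid divert port");`, which does not name the option, so in a ruleset that uses both divert-to and divert-packet the user cannot tell which keyword failed; `yyerror("invalid divert-packet port");` would. The action also ORs FOM_SCRUB_TCP into filter_opts.marker before the range check runs; moving the `if ($3 < 1 || $3 > 65535)` block to the top of the action keeps the side effect behind validation, although YYERROR abandons the rule either way. Nothing in this hunk rejects a rule that carries both divert-to or divert-reply and divert-packet (filter_opts.divert.port and filter_opts.divert_packet.port are independent fields), so if the kernel treats the two as mutually exclusive, which is not visible here, that check belongs in rule_consistent. A comment such as `/* kept in network byte order; print_rule() converts with ntohs() */` above the htons() assignment would make the byte-order contract of pf_rule.divert_packet.port explicit, since the divert.port field set one alternative earlier is a plain host-order marker.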
@@ -3914,6 +3930,10 @@ rule_consistent(struct pf_rule *r, int anchor_call)
 		yyerror("divert is not supported on match rules");
 		problems++;
 	}
+	if (r->divert_packet.port) {
+		yyerror("divert is not supported on match rules");
+		problems++;
+	}
 	if (r->rt) {
 		yyerror("route-to, reply-to, dup-to and fastroute "
 		    "must not be used on match rules");
@@ -4836,6 +4856,7 @@ lookup(char *s)
 		{ "code", CODE},
 		{ "crop", FRAGCROP},
 		{ "debug", DEBUG},
+		{ "divert-packet", DIVERTPACKET},
 		{ "divert-reply", DIVERTREPLY},
 		{ "divert-to", DIVERTTO},
 		{ "drop", DROP},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 5ec44787ac6..72e3739cd0e 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.248 2009/09/08 17:52:17 michele Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.249 2009/10/04 16:08:37 michele Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1015,6 +1015,8 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 			printf(" port %u", ntohs(r->divert.port));
 		}
 	}
+	if (r->divert_packet.port)
+		printf(" divert-packet port %u", ntohs(r->divert_packet.port));
 	if (!anchor_call[0] && !TAILQ_EMPTY(&r->nat.list)) {
 		printf (" nat-to ");
 		print_pool(&r->nat, r->nat.proxy_port[0],
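Review bot: The new r->divert_packet.port check in rule_consistent reuses the message `"divert is not supported on match rules"` verbatim from the divert check directly above it, so the diagnostic cannot tell the user which of the two options to remove from the match rule; `yyerror("divert-packet is not supported on match rules");` distinguishes them. The body of rule_consistent starts and ends outside this hunk, so whether any other divert_packet consistency checks exist there cannot be seen from here. The two blocks are otherwise identical, and since both only bump problems, folding them into one `if (r->divert.port || r->divert_packet.port)` would be a reasonable alternative only if a shared message is acceptable, which the per-option wording above argues against.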