Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 19 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.8 | 8 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 5 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 96 |
4 files changed, 68 insertions, 60 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 3e4b367ba8f..f90fc6bb594 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.46 2001/12/05 17:11:54 dhartmei Exp $ */ +/* $OpenBSD: parse.y,v 1.47 2001/12/10 18:08:12 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -921,11 +921,21 @@ rdrrule : RDR interface proto FROM ipspec TO ipspec dport ARROW address rport rdr.rport = $11.a; rdr.opts |= $11.t; + if (rdr.proto && rdr.proto != IPPROTO_TCP && + rdr.proto != IPPROTO_UDP && + (rdr.dport || rdr.dport2 || rdr.rport)) { + yyerror("rdr ports are only valid for proto tcp/udp"); + YYERROR; + } + pfctl_add_rdr(pf, &rdr); } ; -dport : PORT port { +dport : /* empty */ { + $$.a = $$.b = $$.t = 0; + } + | PORT port { $$.a = $2; $$.b = $$.t = 0; } @@ -936,7 +946,10 @@ dport : PORT port { } ; -rport : PORT port { +rport : /* empty */ { + $$.a = $$.b = $$.t = 0; + } + | PORT port { $$.a = $2; $$.b = $$.t = 0; } diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 212e091bd75..e10bea3b1ca 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.34 2001/10/11 00:53:21 dhartmei Exp $ +.\" $OpenBSD: pfctl.8,v 1.35 2001/12/10 18:08:12 dhartmei Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -213,6 +213,12 @@ The state after the first packet. The state after an icmp error came back in response to an icmp packet. .El .Pp +Other protocols are handled similarly to UDP: +.Bl -tag -width "t other.multiple " -compact +.It Fl t Ar other.first +.It Fl t Ar other.single +.It Fl t Ar other.multiple +.El .Bd -literal Example: # Timeout established connections after an hour of inactivity diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index c231a2e6232..3f242510653 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c 
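Review bot: The new check in the rdrrule action treats a zero port as "not given", so a rule written with an explicit `port 0` (if the port rule accepts that value) is indistinguishable from one with no port clause at all, both here and in the `if (r->dport)` / `if (r->rport)` tests this commit adds to print_rdr, which would print such a rule back without its port. A short comment above the check, `/* dport/rport == 0 means no port was specified */`, would record that convention for the next reader. The check also fires only when a protocol was named; with no proto the ports are still accepted, and how the kernel treats a port match on non-TCP/UDP traffic in that case is not visible here. The rdrrule action starts outside the hunk.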
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.47 2001/10/04 21:54:15 dhartmei Exp $ */ +/* $OpenBSD: pfctl.c,v 1.48 2001/12/10 18:08:12 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -94,6 +94,9 @@ static const struct { { "udp.multiple", PFTM_UDP_MULTIPLE }, { "icmp.first", PFTM_ICMP_FIRST_PACKET }, { "icmp.error", PFTM_ICMP_ERROR_REPLY }, + { "other.first", PFTM_OTHER_FIRST_PACKET }, + { "other.single", PFTM_OTHER_SINGLE }, + { "other.multiple", PFTM_OTHER_MULTIPLE }, { "frag", PFTM_FRAG }, { "interval", PFTM_INTERVAL }, { NULL, 0 }}; diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 6a3853b3f1b..5a598cfda01 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.55 2001/12/01 16:44:45 frantzen Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.56 2001/12/10 18:08:12 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -296,10 +296,12 @@ print_host(struct pf_state_host *h, int af) u_int16_t p = ntohs(h->port); print_addr(&h->addr, NULL, af); - if (af == AF_INET) - printf(":%u", p); - else - printf("[%u]", p); + if (p) { + if (af == AF_INET) + printf(":%u", p); + else + printf("[%u]", p); + } } @@ -365,6 +367,13 @@ print_nat(struct pf_nat *n) printf("! "); printf("%s ", n->ifname); } + if (n->proto) { + struct protoent *p = getprotobynumber(n->proto); + if (n != NULL) + printf("proto %s ", p->p_name); + else + printf("proto %u ", n->proto); + } printf("from "); if (!PF_AZERO(&n->saddr, n->af) || !PF_AZERO(&n->smask, n->af)) { if (n->snot) @@ -383,18 +392,6 @@ print_nat(struct pf_nat *n) printf("any "); printf("-> "); print_addr(&n->raddr, NULL, n->af); - printf(" "); - switch (n->proto) { - case IPPROTO_TCP: - printf("proto tcp"); - break; - case IPPROTO_UDP: - printf("proto udp"); - break; - case IPPROTO_ICMP: - printf("proto icmp"); - break; - } printf("\n"); } 
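Review bot: In the new proto block in print_nat, `if (n != NULL)` tests the wrong pointer: n is the rule that was just dereferenced at `n->proto`, so the condition is always true, and when getprotobynumber() returns NULL for a number that is not in the protocols database the next line dereferences NULL at `p->p_name`. It should read `if (p != NULL)`, as the matching blocks added to print_binat and print_rdr in this same commit already do; the fallback `printf("proto %u ", n->proto);` then becomes reachable as intended. print_nat continues outside the hunk.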
@@ -406,16 +403,12 @@ print_binat(struct pf_binat *b) printf("on "); printf("%s ", b->ifname); } - switch (b->proto) { - case IPPROTO_TCP: - printf("proto tcp "); - break; - case IPPROTO_UDP: - printf("proto udp "); - break; - case IPPROTO_ICMP: - printf("proto icmp "); - break; + if (b->proto) { + struct protoent *p = getprotobynumber(b->proto); + if (p != NULL) + printf("proto %s ", p->p_name); + else + printf("proto %u ", b->proto); } printf("from "); print_addr(&b->saddr, NULL, b->af); @@ -443,13 +436,12 @@ print_rdr(struct pf_rdr *r) printf("! "); printf("%s ", r->ifname); } - switch (r->proto) { - case IPPROTO_TCP: - printf("proto tcp "); - break; - case IPPROTO_UDP: - printf("proto udp "); - break; + if (r->proto) { + struct protoent *p = getprotobynumber(r->proto); + if (p != NULL) + printf("proto %s ", p->p_name); + else + printf("proto %u ", r->proto); } printf("from "); if (!PF_AZERO(&r->saddr, r->af) || !PF_AZERO(&r->smask, r->af)) { @@ -467,15 +459,19 @@ print_rdr(struct pf_rdr *r) printf(" "); } else printf("any "); - printf("port %u", ntohs(r->dport)); - if (r->opts & PF_DPORT_RANGE) - printf(":%u", ntohs(r->dport2)); + if (r->dport) { + printf("port %u", ntohs(r->dport)); + if (r->opts & PF_DPORT_RANGE) + printf(":%u", ntohs(r->dport2)); + } printf(" -> "); print_addr(&r->raddr, NULL, r->af); printf(" "); - printf("port %u", ntohs(r->rport)); - if (r->opts & PF_RPORT_RANGE) - printf(":*"); + if (r->rport) { + printf("port %u", ntohs(r->rport)); + if (r->opts & PF_RPORT_RANGE) + printf(":*"); + } printf("\n"); } @@ -534,6 +530,7 @@ void print_state(struct pf_state *s, int opts) { struct pf_state_peer *src, *dst; + struct protoent *p; u_int8_t hrs, min, sec; if (s->direction == PF_OUT) { 
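Review bot: In the last print_rdr hunk the separators stay unconditional while the ports they used to sit next to become optional, so a rule without ports now prints a double blank before `->` (both the address branch and `printf("any ");` already end in a space) and a trailing blank before the newline. Moving the spacing into the conditional part fixes both: print the destination as `printf("port %u ", ntohs(r->dport));` with `printf("-> ");`, and the redirect side as `printf(" port %u", ntohs(r->rport));` with the standalone `printf(" ");` after print_addr dropped. print_rdr begins outside this hunk.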
@@ -543,21 +540,10 @@ print_state(struct pf_state *s, int opts)
 src = &s->dst;
 dst = &s->src;
 }
- switch (s->proto) {
- case IPPROTO_TCP:
- printf("TCP ");
- break;
- case IPPROTO_UDP:
- printf("UDP ");
- break;
- case IPPROTO_ICMPV6:
- case IPPROTO_ICMP:
- printf("ICMP ");
- break;
- default:
- printf("???? ");
- break;
- }
+ if ((p = getprotobynumber(s->proto)) != NULL)
+ printf("%s ", p->p_name);
+ else
+ printf("%u ", s->proto);
 if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
 (s->lan.port != s->gwy.port)) {
 print_host(&s->lan, s->af); |
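Review bot: getprotobynumber() is now called once per state, and by default each call opens and closes the protocols database again unless it has been kept open with setprotoent(1), so printing a large state table gets noticeably slower than the switch it replaces. Calling `setprotoent(1);` once before the states are walked and `endprotoent();` afterwards keeps the file open across lookups; that caller is outside this hunk. The output also changes from the fixed upper-case `TCP`/`UDP`/`ICMP` and `????` to whatever lower-case name the protocols database holds (presumably `ipv6-icmp` rather than `ICMP` for IPv6 ICMP) plus a bare number for unknown protocols, which anything parsing `pfctl -s state` needs to know. print_state continues outside the hunk.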