From 46b57908d298e78fe239fb227fea78ff8c2b0038 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Tue, 1 Sep 2009 13:42:01 +0000
Subject: the diff theo calls me insanae for: rewrite of the NAT code, basically. nat and rdr become actions on regular rules, seperate nat/rdr/binat rules do not exist any more. match in on $intf rdr-to 1.2.3.4 match out on $intf nat-to 5.6.7.8 the code is capable of doing nat and rdr in any direction, but we prevent this in pfctl for now, there are implications that need to be documented better. the address rewrite happens inline, subsequent rules will see the already changed addresses. nat / rdr can be applied multiple times as well. match in on $intf rdr-to 1.2.3.4 match in on $intf to 1.2.3.4 rdr-to 5.6.7.8 help and ok dlg sthen claudio, reyk tested too
---
 sbin/pfctl/pfctl_parser.c | 26 +++++++++++--------------
 1 file changed, 11 insertions(+), 15 deletions(-)
(limited to 'sbin/pfctl/pfctl_parser.c')
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index b86759166b0..1f1d4899150 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.244 2009/04/15 05:07:02 david Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.245 2009/09/01 13:42:00 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -643,14 +643,6 @@ print_src_node(struct pf_src_node *sn, int opts)
 sn->packets[0] + sn->packets[1],
 sn->bytes[0] + sn->bytes[1]);
 switch (sn->ruletype) {
- case PF_NAT:
- if (sn->rule.nr != -1)
- printf(", nat rule %u", sn->rule.nr);
- break;
- case PF_RDR:
- if (sn->rule.nr != -1)
- printf(", rdr rule %u", sn->rule.nr);
- break;
 case PF_PASS:
 case PF_MATCH:
 if (sn->rule.nr != -1)
@@ -772,7 +764,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 printf(" fastroute");
 if (r->rt != PF_FASTROUTE) {
 printf(" ");
- print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
+ print_pool(&r->rdr, 0, 0, r->af, PF_PASS);
 }
 }
 if (r->af) {
@@ -1037,11 +1029,15 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
 printf(" port %u", ntohs(r->divert.port));
 }
 }
- if (!anchor_call[0] && (r->action == PF_NAT ||
- r->action == PF_BINAT || r->action == PF_RDR)) {
- printf(" -> ");
- print_pool(&r->rpool, r->rpool.proxy_port[0],
- r->rpool.proxy_port[1], r->af, r->action);
+ if (!anchor_call[0] && !TAILQ_EMPTY(&r->nat.list)) {
+ printf (" nat-to ");
+ print_pool(&r->nat, r->nat.proxy_port[0],
+ r->nat.proxy_port[1], r->af, PF_NAT);
+ }
+ if (!r->rt && !anchor_call[0] && !TAILQ_EMPTY(&r->rdr.list)) {
+ printf (" rdr-to ");
+ print_pool(&r->rdr, r->rdr.proxy_port[0],
+ r->rdr.proxy_port[1], r->af, PF_RDR);
 }
 }
-- 
cgit v1.2.3
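Review bot: The two added calls `printf (" nat-to ");` and `printf (" rdr-to ");` put a space before the parenthesis, unlike every other call in this hunk (`printf(" port %u", ...)`) and the file's KNF style; they should read `printf(" nat-to ");` and `printf(" rdr-to ");`. The `!r->rt` guard on the rdr-to branch is doing non-obvious work: the earlier @@ -772 hunk now prints `&r->rdr` as the route-to pool when `r->rt` is set, so `r->rdr` appears to double as either the rdr-to targets or the route-to targets and the guard keeps the same pool from being emitted twice, once as `route-to` and once as `rdr-to`. A one-line comment above that `if` would make the overloading explicit, e.g. `/* r->rdr also carries the route-to pool; it was printed with r->rt above */`. The nat-to branch has no corresponding guard, which is only correct if nothing else reuses `r->nat` — worth confirming against the struct definition, which is outside this diff. print_rule begins outside the hunk.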