From 87739f251b80651d7bf5e456e0dc04696a638f9b Mon Sep 17 00:00:00 2001 From: Daniel Hartmeier Date: Fri, 7 Jun 2002 21:25:37 +0000 Subject: Add "(max )" option for "keep/modulate state" to limit the number of concurrent connections a rule can create. ok frantzen@ --- sbin/pfctl/parse.y | 39 ++++++++++++++++++++++++++++++++------- sbin/pfctl/pfctl.c | 9 +++++---- sbin/pfctl/pfctl_parser.c | 4 +++- 3 files changed, 40 insertions(+), 12 deletions(-) (limited to 'sbin') diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 5a9eb9619b5..c2bd501998a 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.74 2002/06/07 19:33:03 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.75 2002/06/07 21:25:35 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -170,6 +170,12 @@ typedef struct { struct node_host *address; struct range rport; } *redirection; + struct { + int action; + struct { + u_int32_t max_states; + } options; + } keep_state; } v; int lineno; } YYSTYPE; @@ -180,13 +186,13 @@ typedef struct { %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF %token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL -%token NOROUTE FRAGMENT USER GROUP MAXMSS +%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM %token STRING %token NUMBER %token PORTUNARY PORTBINARY %type interface if_list if_item_not if_item %type port icmptype icmp6type minttl uid gid maxmss -%type no dir log quick af keep nodf allowopts fragment +%type no dir log quick af nodf allowopts fragment %type action flag flags blockspec %type dport rport %type proto proto_list proto_item @@ -200,6 +206,7 @@ typedef struct { %type route %type redirection %type label +%type keep keep_opts %% ruleset : /* empty */ 
@@ -249,7 +256,8 @@ pfrule : action dir log quick interface route af proto fromto r.flags = $12.b1; r.flagset = $12.b2; - r.keep_state = $14; + r.keep_state = $14.action; + r.max_states = $14.options.max_states; if ($15) r.rule_flag |= PFRULE_FRAGMENT; @@ -958,9 +966,25 @@ icmp6type : STRING { } ; -keep : /* empty */ { $$ = 0; } - | KEEP STATE { $$ = PF_STATE_NORMAL; } - | MODULATE STATE { $$ = PF_STATE_MODULATE; } +keep : /* empty */ { $$.action = 0; } + | KEEP STATE keep_opts { + $$.action = PF_STATE_NORMAL; + $$.options = $3.options; + } + | MODULATE STATE keep_opts { + $$.action = PF_STATE_MODULATE; + $$.options = $3.options; + } + ; + +keep_opts : /* empty */ { $$.options.max_states = 0; } + | '(' MAXIMUM NUMBER ')' { + if ($3 <= 0) { + yyerror("illegal keep states max value %d", $3); + YYERROR; + } + $$.options.max_states = $3; + } ; fragment : /* empty */ { $$ = 0; } @@ -1840,6 +1864,7 @@ lookup(char *s) { "label", LABEL}, { "log", LOG}, { "log-all", LOGALL}, + { "max", MAXIMUM}, { "max-mss", MAXMSS}, { "min-ttl", MINTTL}, { "modulate", MODULATE}, diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 81dd612d407..b08b13261c2 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.68 2002/06/06 22:22:44 mickey Exp $ */ +/* $OpenBSD: pfctl.c,v 1.69 2002/06/07 21:25:35 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -410,9 +410,10 @@ pfctl_show_rules(int dev, int opts, int format) default: print_rule(&pr.rule); if (opts & PF_OPT_VERBOSE) - printf("[ Evaluations: %-10llu Packets: %-10llu " - "Bytes: %-10llu ]\n\n", pr.rule.evaluations, - pr.rule.packets, pr.rule.bytes); + printf("[ Evaluations: %-8llu Packets: %-8llu " + "Bytes: %-10llu States: %-6u]\n\n", + pr.rule.evaluations, pr.rule.packets, + pr.rule.bytes, pr.rule.states); } } return (0); diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 51c8652821a..e843b6adba2 100644 --- a/sbin/pfctl/pfctl_parser.c 
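Review bot: The empty alternative of `keep` sets only `$$.action = 0;` and never touches `$$.options.max_states`, so a rule written without `keep state`/`modulate state` copies whatever was left in that yacc value-stack slot into `r.max_states` in the pfrule action (`r.max_states = $14.options.max_states;`). The two non-empty alternatives and `keep_opts` do initialise the field, so the empty case should match them: `keep : /* empty */ { $$.action = 0; $$.options.max_states = 0; }`. Because print_rule emits `(max %u)` whenever max_states is non-zero, a stale value would also show up in `pfctl -s rules` output for rules that have no state option at all; whether the kernel consults max_states when keep_state == 0 is not visible here. `keep_opts` also accepts any positive NUMBER with no upper bound, so if NUMBER is wider than the u_int32_t `max_states` slot the value is silently truncated — either reject values the field cannot hold or note next to the check that NUMBER is an int. No pf.conf.5 change appears in the diffstat (the view is limited to sbin/); if the man page is not updated elsewhere in this commit, the new `(max N)` syntax and the meaning of an absent/zero limit need documenting.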
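Review bot: The new `States: %-6u]` column has no space before the closing bracket, unlike the other three columns, so a rule with a million or more states prints as `States: 1000000]`; `"Bytes: %-10llu States: %-6u ]\n\n"` keeps the layout consistent. `%u` assumes `pr.rule.states` is an unsigned-int-sized field — its declaration is not visible in this hunk, so confirm it is not a wider type before relying on the format. The surrounding pfctl_show_rules function starts and ends outside the hunk.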
+++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.77 2002/06/07 19:30:40 henning Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.78 2002/06/07 21:25:35 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -682,6 +682,8 @@ print_rule(struct pf_rule *r) printf("keep state "); else if (r->keep_state == PF_STATE_MODULATE) printf("modulate state "); + if (r->max_states) + printf("(max %u) ", r->max_states); if (r->rule_flag & PFRULE_FRAGMENT) printf("fragment "); if (r->rule_flag & PFRULE_NODF) -- cgit v1.2.3
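Review bot: The added `if (r->max_states) printf("(max %u) ", r->max_states);` runs regardless of the `r->keep_state` test immediately above it, so a rule with keep_state == 0 but a non-zero max_states (a stale value from the parser, or one supplied via the ioctl) prints `(max N)` after no `keep state`/`modulate state` — text the parser's `keep_opts` grammar only accepts after one of those, so `pfctl -s rules` output would not round-trip. Guarding the print, `if (r->keep_state && r->max_states)`, keeps the emitted form parseable. print_rule begins and ends outside this hunk.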