From 91627ea8959bf9fbfc90c2468768eecbaff96ded Mon Sep 17 00:00:00 2001
From: Claudio Jeker
Date: Wed, 6 Apr 2011 13:18:40 +0000
Subject: Allow PF to filter on the rdomain a packet belongs to. This allows to write rules like "pass in on rdomain 1". Tested by phessler@, OK henning@
---
 sys/net/pf_ioctl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'sys/net/pf_ioctl.c')
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 43062c18989..5d2f1ae51e2 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.237 2011/03/25 10:54:22 claudio Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.238 2011/04/06 13:18:39 claudio Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -2517,8 +2517,13 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
 to->os_fingerprint = from->os_fingerprint;
 
 to->rtableid = from->rtableid;
- if (to->rtableid > 0 && !rtable_exists(to->rtableid))
+ if (to->rtableid >= 0 && !rtable_exists(to->rtableid))
 return (EBUSY);
+ to->onrdomain = from->onrdomain;
+ if (to->onrdomain >= 0 && !rtable_exists(to->onrdomain)) return (EBUSY);
+ if (to->onrdomain >= 0) /* make sure it is a real rdomain */
+ to->onrdomain = rtable_l2(to->onrdomain);
 
 for (i = 0; i < PFTM_MAX; i++)
 to->timeout[i] = from->timeout[i];
-- 
cgit v1.2.3
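Review bot: The `rtable_l2()` rewrite added after the `onrdomain` existence check silently replaces a routing-table id that is not itself a domain with the domain owning it, so a rule written as `on rdomain N` where N is a plain rtable is installed under a different number than the one the administrator loaded, and nothing reports the substitution. Since `pf_rule_copyin` presumably receives `from` through the pf ioctl path, this is a validation decision on caller-supplied input; the stricter choice is to reject the mismatch, `if (rtable_l2(to->onrdomain) != to->onrdomain) return (EINVAL);`, and if canonicalisation is intended the comment should say so rather than "make sure it is a real rdomain", e.g. `/* an rtable id is accepted here and mapped to the rdomain that owns it */`. The two `to->onrdomain >= 0` tests could also be folded into one `if (to->onrdomain >= 0) { ... }` block so the existence check and the mapping read as a single validation step. Whether `rtable_exists()` bounds-checks ids beyond the allocated table array cannot be confirmed from this hunk, and EBUSY for a nonexistent table follows the existing `rtableid` convention rather than describing the error. `pf_rule_copyin` starts before and ends after this hunk.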