From 3a5642b9d63b126cd1777adf6a2703b1dd584b30 Mon Sep 17 00:00:00 2001 From: Reyk Floeter Date: Tue, 26 Oct 2010 15:04:38 +0000 Subject: redirects are loaded as "pass in quick ... rdr-to" pf rules by default. In some cases it is desired to load the rules as "match in" without "quick" to allow additional filtering or applying additional rule/state options, eg. to add an overload table for DOS mitigation. Add the optional "match" keyword for the redirect "tag" option to change the pf rule type accordingly. ok jsg@ mikeb@ --- usr.sbin/relayd/parse.y | 21 ++++++++++++++------- usr.sbin/relayd/pfe_filter.c | 11 ++++++++--- usr.sbin/relayd/relayd.conf.5 | 18 +++++++++++++++--- usr.sbin/relayd/relayd.h | 3 ++- 4 files changed, 39 insertions(+), 14 deletions(-) (limited to 'usr.sbin') diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y index d5b5fa51a0a..98f881873a3 100644 --- a/usr.sbin/relayd/parse.y +++ b/usr.sbin/relayd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.148 2010/10/18 11:51:22 sthen Exp $ */ +/* $OpenBSD: parse.y,v 1.149 2010/10/26 15:04:37 reyk Exp $ */ /* * Copyright (c) 2007, 2008 Reyk Floeter @@ -149,14 +149,14 @@ typedef struct { %token QUERYSTR REAL REDIRECT RELAY REMOVE REQUEST RESPONSE RETRY %token RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION SOCKET %token SSL STICKYADDR STYLE TABLE TAG TCP TIMEOUT TO ROUTER RTLABEL -%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE +%token TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE MATCH %token STRING %token NUMBER %type hostname interface table %type http_type loglevel mark %type direction dstmode flag forwardmode retry %type optssl optsslclient sslcache -%type redirect_proto relay_proto +%type redirect_proto relay_proto match %type port %type host %type address 
@@ -499,16 +499,18 @@ rdroptsl : forwardmode TO tablespec interface { } | DISABLE { rdr->conf.flags |= F_DISABLE; } | STICKYADDR { rdr->conf.flags |= F_STICKY; } - | TAG STRING { + | match TAG STRING { conf->sc_flags |= F_NEEDPF; - if (strlcpy(rdr->conf.tag, $2, + if (strlcpy(rdr->conf.tag, $3, sizeof(rdr->conf.tag)) >= sizeof(rdr->conf.tag)) { yyerror("redirection tag name truncated"); - free($2); + free($3); YYERROR; } - free($2); + if ($1) + rdr->conf.flags |= F_MATCH; + free($3); } | SESSION TIMEOUT NUMBER { if ((rdr->conf.timeout.tv_sec = $3) < 0) { @@ -519,6 +521,10 @@ rdroptsl : forwardmode TO tablespec interface { | include ; +match : /* empty */ { $$ = 0; } + | MATCH { $$ = 1; } + ; + forwardmode : FORWARD { $$ = FWD_NORMAL; } | ROUTE { $$ = FWD_ROUTE; } | TRANSPARENT FORWARD { $$ = FWD_TRANS; } @@ -1736,6 +1742,7 @@ lookup(char *s) { "lookup", LOOKUP }, { "mark", MARK }, { "marked", MARKED }, + { "match", MATCH }, { "mode", MODE }, { "nat", NAT }, { "no", NO }, diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c index f30f5c993b0..37f91d9598f 100644 --- a/usr.sbin/relayd/pfe_filter.c +++ b/usr.sbin/relayd/pfe_filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfe_filter.c,v 1.44 2010/09/02 14:03:22 sobrado Exp $ */ +/* $OpenBSD: pfe_filter.c,v 1.45 2010/10/26 15:04:37 reyk Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard @@ -394,9 +394,14 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable) memset(&rio, 0, sizeof(rio)); (void)strlcpy(rio.anchor, anchor, sizeof(rio.anchor)); - rio.rule.action = PF_PASS; + if (rdr->conf.flags & F_MATCH) { + rio.rule.action = PF_MATCH; + rio.rule.quick = 0; + } else { + rio.rule.action = PF_PASS; + rio.rule.quick = 1; /* force first match */ + } rio.rule.direction = PF_IN; - rio.rule.quick = 1; /* force first match */ rio.rule.keep_state = PF_STATE_NORMAL; switch (t->conf.fwdmode) { diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 index 428502742cd..f2bb57423ef 100644 
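Review bot: In the `match TAG STRING` action, `F_MATCH` is only ever set, never cleared, while `strlcpy()` into `rdr->conf.tag` overwrites any earlier tag name; if a redirect block may list the `tag` option more than once (the grammar shown here does not prevent it), `match tag a` followed by `tag b` would keep the match semantics with the second name. Making the flag follow the option that actually wins, `if ($1) rdr->conf.flags |= F_MATCH; else rdr->conf.flags &= ~F_MATCH;`, keeps the two fields consistent. A short comment on the new `match` nonterminal, `/* optional prefix of "tag": load the pf rule as "match in" instead of "pass in quick" */`, would also tell the next reader why it exists only in this alternative. The enclosing `rdroptsl` rule continues outside the hunk.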
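Review bot: The `F_MATCH` branch loads a rule that is no longer terminal, so the final disposition of redirected traffic (pass or block, and any state options) now comes from whatever later rule in the operator's pf.conf matches on the tag; a ruleset whose fall-through policy is block would drop the redirect without any diagnostic from relayd, and the code should say so. Suggest `/* match rules are not terminal: a later "pass ... tagged <name>" rule in pf.conf decides the verdict */` above `rio.rule.action = PF_MATCH;`. `rio.rule.quick = 0;` is already guaranteed by the `memset(&rio, 0, sizeof(rio))` at the top of the hunk, so it is there for symmetry only. The `rio.rule.keep_state = PF_STATE_NORMAL` that follows now applies to the match rule as well; worth confirming that is intended for that action rather than only for the pass case. `sync_ruleset()` continues outside the hunk.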
--- a/usr.sbin/relayd/relayd.conf.5 +++ b/usr.sbin/relayd/relayd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.114 2010/08/01 22:18:35 sthen Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.115 2010/10/26 15:04:37 reyk Exp $ .\" .\" Copyright (c) 2006, 2007 Reyk Floeter .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 1 2010 $ +.Dd $Mdocdate: October 26 2010 $ .Dt RELAYD.CONF 5 .Os .Sh NAME @@ -488,11 +488,23 @@ for an rdr-to rule in .Xr pf.conf 5 . It will ensure that multiple connections from the same source are mapped to the same redirection address. -.It Ic tag Ar name +.It Xo +.Op Ic match +.Ic tag Ar name +.Xc Automatically tag packets passing through the .Xr pf 4 rdr-to rule with the name supplied. This allows simpler filter rules. +The optional +.Ic match +keyword will change the default rule action from +.Ar pass in quick +to +.Ar match in +to allow further evaluation in the pf ruleset using the +.Ar tagged name +rule option. .El .Sh RELAYS Relays will forward traffic between a client and a target server. diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h index 1194cf69c3c..d2d2369324a 100644 --- a/usr.sbin/relayd/relayd.h +++ b/usr.sbin/relayd/relayd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.h,v 1.137 2010/08/01 22:18:35 sthen Exp $ */ +/* $OpenBSD: relayd.h,v 1.138 2010/10/26 15:04:37 reyk Exp $ */ /* * Copyright (c) 2006, 2007 Pierre-Yves Ritschard @@ -246,6 +246,7 @@ TAILQ_HEAD(addresslist, address); #define F_PORT 0x00100000 #define F_SSLCLIENT 0x00200000 #define F_NEEDRT 0x00400000 +#define F_MATCH 0x00800000 enum forwardmode { FWD_NORMAL = 0, -- cgit v1.2.3
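Review bot: `F_MATCH` is added to the flag word without a comment, and unlike its neighbours `F_PORT` or `F_NEEDRT` its meaning is not recoverable from the name alone; a trailing note such as `#define F_MATCH 0x00800000 /* rdr: pf rule is "match in", not "pass in quick" */` would document it where the other flags are defined. The flag is set only by the `match tag` redirect option in parse.y and consumed in pfe_filter.c in this same change, so the comment can state that contract precisely.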