
sync w/ latest

1 parent 3cb860e commit 2e330996cb41ecb7ab3fa5afbc32d07c36e98ec2 itojun committed Jul 5, 2003
117 kame/kame/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.394 2003/07/03 09:13:05 cedric Exp $ */
+/* $OpenBSD: parse.y,v 1.397 2003/07/04 11:05:44 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -373,7 +373,7 @@ typedef struct {
%token <v.i> PORTBINARY
%type <v.interface> interface if_list if_item_not if_item
%type <v.number> number icmptype icmp6type uid gid
-%type <v.number> tos not yesno
+%type <v.number> tos not yesno natpass
%type <v.i> no dir log af fragcache
%type <v.i> staticport unaryop
%type <v.b> action nataction flags flag blockspec
@@ -858,11 +858,12 @@ tabledef : TABLE '<' STRING '>' table_opts {
if (pfctl_define_table($3, $5.flags, $5.init_addr,
(pf->opts & PF_OPT_NOACTION) || !(pf->loadopt &
(PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL)),
- pf->anchor, pf->ruleset, pf->ab)) {
+ pf->anchor, pf->ruleset, pf->ab, pf->tticket)) {
yyerror("cannot define table %s: %s", $3,
pfr_strerror(errno));
- YYERROR;
+ YYERROR;
}
+ pf->tdirty = 1;
}
;
@@ -893,11 +894,11 @@ table_opt : STRING
}
| '{' tableaddrs '}' { table_opts.init_addr = 1; }
| FILENAME STRING {
- if(pfr_buf_load(pf->ab, $2, 0, append_addr)) {
+ if (pfr_buf_load(pf->ab, $2, 0, append_addr)) {
if (errno)
- yyerror("cannot load %s: %s", $2,
- pfr_strerror(errno));
- YYERROR;
+ yyerror("cannot load %s: %s", $2,
+ pfr_strerror(errno));
+ YYERROR;
}
table_opts.init_addr = 1;
}
@@ -916,7 +917,7 @@ tableaddr : not STRING {
}
| not STRING '/' number {
char *buf = NULL;
-
+
if (asprintf(&buf, "%s/%d", $2, $4) < 0) {
if (errno)
yyerror("cannot add %s/%d: %s", $2, $4,
@@ -2517,19 +2518,25 @@ redirection : /* empty */ { $$ = NULL; }
}
;
-nataction : no NAT {
+natpass : /* empty */ { $$ = 0; }
+ | PASS { $$ = 1; }
+ ;
+
+nataction : no NAT natpass {
$$.b2 = $$.w = 0;
if ($1)
$$.b1 = PF_NONAT;
else
$$.b1 = PF_NAT;
+ $$.b2 = $3;
}
- | no RDR {
+ | no RDR natpass {
$$.b2 = $$.w = 0;
if ($1)
$$.b1 = PF_NORDR;
else
$$.b1 = PF_RDR;
+ $$.b2 = $3;
}
;
@@ -2544,6 +2551,7 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
memset(&r, 0, sizeof(r));
r.action = $1.b1;
+ r.natpass = $1.b2;
r.af = $3;
if (!r.af) {
@@ -2679,7 +2687,7 @@ natrule : nataction interface af proto fromto tag redirpool pooltype
}
;
-binatrule : no BINAT interface af proto FROM host TO ipspec tag
+binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag
redirection
{
struct pf_rule binat;
@@ -2694,107 +2702,108 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag
binat.action = PF_NOBINAT;
else
binat.action = PF_BINAT;
- binat.af = $4;
- if (!binat.af && $7 != NULL && $7->af)
- binat.af = $7->af;
- if (!binat.af && $9 != NULL && $9->af)
- binat.af = $9->af;
- if (!binat.af && $11 != NULL && $11->host)
- binat.af = $11->host->af;
+ binat.natpass = $3;
+ binat.af = $5;
+ if (!binat.af && $8 != NULL && $8->af)
+ binat.af = $8->af;
+ if (!binat.af && $10 != NULL && $10->af)
+ binat.af = $10->af;
+ if (!binat.af && $12 != NULL && $12->host)
+ binat.af = $12->host->af;
if (!binat.af) {
yyerror("address family (inet/inet6) "
"undefined");
YYERROR;
}
- if ($3 != NULL) {
- memcpy(binat.ifname, $3->ifname,
+ if ($4 != NULL) {
+ memcpy(binat.ifname, $4->ifname,
sizeof(binat.ifname));
- free($3);
+ free($4);
}
- if ($10 != NULL)
- if (strlcpy(binat.tagname, $10,
+ if ($11 != NULL)
+ if (strlcpy(binat.tagname, $11,
PF_TAG_NAME_SIZE) > PF_TAG_NAME_SIZE) {
yyerror("tag too long, max %u chars",
PF_TAG_NAME_SIZE - 1);
YYERROR;
}
- if ($5 != NULL) {
- binat.proto = $5->proto;
- free($5);
+ if ($6 != NULL) {
+ binat.proto = $6->proto;
+ free($6);
}
- if ($7 != NULL && disallow_table($7, "invalid use of "
+ if ($8 != NULL && disallow_table($8, "invalid use of "
"table <%s> as the source address of a binat rule"))
YYERROR;
- if ($11 != NULL && $11->host != NULL && disallow_table(
- $11->host, "invalid use of table <%s> as the "
+ if ($12 != NULL && $12->host != NULL && disallow_table(
+ $12->host, "invalid use of table <%s> as the "
"redirect address of a binat rule"))
YYERROR;
- if ($7 != NULL) {
- if ($7->next) {
+ if ($8 != NULL) {
+ if ($8->next) {
yyerror("multiple binat ip addresses");
YYERROR;
}
- if ($7->addr.type == PF_ADDR_DYNIFTL)
- $7->af = binat.af;
- if ($7->af != binat.af) {
+ if ($8->addr.type == PF_ADDR_DYNIFTL)
+ $8->af = binat.af;
+ if ($8->af != binat.af) {
yyerror("binat ip versions must match");
YYERROR;
}
- if (check_netmask($7, binat.af))
+ if (check_netmask($8, binat.af))
YYERROR;
- memcpy(&binat.src.addr, &$7->addr,
+ memcpy(&binat.src.addr, &$8->addr,
sizeof(binat.src.addr));
- free($7);
+ free($8);
}
- if ($9 != NULL) {
- if ($9->next) {
+ if ($10 != NULL) {
+ if ($10->next) {
yyerror("multiple binat ip addresses");
YYERROR;
}
- if ($9->af != binat.af && $9->af) {
+ if ($10->af != binat.af && $10->af) {
yyerror("binat ip versions must match");
YYERROR;
}
- if (check_netmask($9, binat.af))
+ if (check_netmask($10, binat.af))
YYERROR;
- memcpy(&binat.dst.addr, &$9->addr,
+ memcpy(&binat.dst.addr, &$10->addr,
sizeof(binat.dst.addr));
- binat.dst.not = $9->not;
- free($9);
+ binat.dst.not = $10->not;
+ free($10);
}
if (binat.action == PF_NOBINAT) {
- if ($11 != NULL) {
+ if ($12 != NULL) {
yyerror("'no binat' rule does not need"
" '->'");
YYERROR;
}
} else {
- if ($11 == NULL || $11->host == NULL) {
+ if ($12 == NULL || $12->host == NULL) {
yyerror("'binat' rule requires"
" '-> address'");
YYERROR;
}
- remove_invalid_hosts(&$11->host, &binat.af);
- if (invalid_redirect($11->host, binat.af))
+ remove_invalid_hosts(&$12->host, &binat.af);
+ if (invalid_redirect($12->host, binat.af))
YYERROR;
- if ($11->host->next != NULL) {
+ if ($12->host->next != NULL) {
yyerror("binat rule must redirect to "
"a single address");
YYERROR;
}
- if (check_netmask($11->host, binat.af))
+ if (check_netmask($12->host, binat.af))
YYERROR;
if (!PF_AZERO(&binat.src.addr.v.a.mask,
binat.af) &&
!PF_AEQ(&binat.src.addr.v.a.mask,
- &$11->host->addr.v.a.mask, binat.af)) {
+ &$12->host->addr.v.a.mask, binat.af)) {
yyerror("'binat' source mask and "
"redirect mask must be the same");
YYERROR;
@@ -2804,12 +2813,12 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag
pa = calloc(1, sizeof(struct pf_pooladdr));
if (pa == NULL)
err(1, "binat: calloc");
- pa->addr.addr = $11->host->addr;
+ pa->addr.addr = $12->host->addr;
pa->ifname[0] = 0;
TAILQ_INSERT_TAIL(&binat.rpool.list,
pa, entries);
- free($11);
+ free($12);
}
pfctl_add_rule(pf, &binat);
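Review bot: `pf->tdirty = 1;` in the tabledef action is set unconditionally, while the define call just above it is handed a noaction flag built from `PF_OPT_NOACTION` and the table loadopt bits; if pfctl_define_table honours that flag by not touching the kernel (not visible in this hunk), a dry run or a non-table load that later fails will run pfctl_rules' `_error` cleanup, `pfr_ina_begin(NULL, NULL, 0)`, against an inactive set it never began. Gating the mark on the same condition, e.g. `if (!((pf->opts & PF_OPT_NOACTION) || !(pf->loadopt & (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL)))) pf->tdirty = 1;`, keeps tdirty tied to actual kernel state. On a point of style, both nataction alternatives still zero `$$.b2` in `$$.b2 = $$.w = 0;` and then overwrite it with `$$.b2 = $3;`; `$$.w = 0; $$.b2 = $3;` says the same without the dead store. The tabledef action begins before its hunk.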
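--- a/kame/kame/pfctl/pf_print_state.c
+++ b/kame/kame/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.31 2003/06/21 09:07:01 djm Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.32 2003/07/04 11:05:16 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -253,7 +253,7 @@ print_state(struct pf_state *s, int opts)
 min = s->expire % 60;
 s->expire /= 60;
 printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
-printf(", %u:%u pkts, %u:%u bytes",
+printf(", %u:%u pkts, %u:%u bytes",
 s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
 if (s->anchor.nr != -1)
 printf(", anchor %u", s->anchor.nr);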
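--- a/kame/kame/pfctl/pfctl.c
+++ b/kame/kame/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.179 2003/07/03 09:13:06 cedric Exp $ */
+/* $OpenBSD: pfctl.c,v 1.180 2003/07/03 21:09:13 cedric Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -914,6 +914,9 @@ int
 pfctl_rules(int dev, char *filename, int opts, char *anchorname,
 char *rulesetname)
 {
+#define ERR(x) do { warn(x); goto _error; } while(0)
+#define ERRX(x) do { warnx(x); goto _error; } while(0)
+
 FILE *fin;
 struct pfioc_rule pr[PF_RULESET_MAX];
 struct pfioc_altq pa;
@@ -944,29 +947,31 @@ pfctl_rules(int dev, char *filename, int opts, char *anchorname,
 if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
 pr[PF_RULESET_NAT].rule.action = PF_NAT;
 if (ioctl(dev, DIOCBEGINRULES, &pr[PF_RULESET_NAT]))
-err(1, "DIOCBEGINRULES");
+ERR("DIOCBEGINRULES");
 pr[PF_RULESET_RDR].rule.action = PF_RDR;
 if (ioctl(dev, DIOCBEGINRULES, &pr[PF_RULESET_RDR]))
-err(1, "DIOCBEGINRULES");
+ERR("DIOCBEGINRULES");
 pr[PF_RULESET_BINAT].rule.action = PF_BINAT;
 if (ioctl(dev, DIOCBEGINRULES, &pr[PF_RULESET_BINAT]))
-err(1, "DIOCBEGINRULES");
+ERR("DIOCBEGINRULES");
 }
 if (((altqsupport && (loadopt &
 (PFCTL_FLAG_ALTQ | PFCTL_FLAG_ALL)) != 0)) &&
 ioctl(dev, DIOCBEGINALTQS, &pa.ticket)) {
-err(1, "DIOCBEGINALTQS");
+ERR("DIOCBEGINALTQS");
 }
 if ((loadopt & (PFCTL_FLAG_FILTER | PFCTL_FLAG_ALL)) != 0) {
 pr[PF_RULESET_SCRUB].rule.action = PF_SCRUB;
 if (ioctl(dev, DIOCBEGINRULES, &pr[PF_RULESET_SCRUB]))
-err(1, "DIOCBEGINRULES");
+ERR("DIOCBEGINRULES");
 pr[PF_RULESET_FILTER].rule.action = PF_PASS;
 if (ioctl(dev, DIOCBEGINRULES, &pr[PF_RULESET_FILTER]))
-err(1, "DIOCBEGINRULES");
+ERR("DIOCBEGINRULES");
+}
+if (loadopt & (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL)) {
+if (pfr_ina_begin(&pf.tticket, NULL, 0) != 0)
+ERR("begin table");
 }
-if (loadopt & (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL))
-pfctl_begin_table();
 }
 /* fill in callback data */
 pf.dev = dev;
@@ -981,51 +986,62 @@ pfctl_rules(int dev, char *filename, int opts, char *anchorname,
 pf.anchor = anchorname;
 pf.ruleset = rulesetname;
 if (parse_rules(fin, &pf) < 0)
-errx(1, "Syntax error in config file: pf rules not loaded");
+ERRX("Syntax error in config file: pf rules not loaded");
 if ((altqsupport && (loadopt & (PFCTL_FLAG_ALTQ | PFCTL_FLAG_ALL)) != 0))
 if (check_commit_altq(dev, opts) != 0)
-errx(1, "errors in altq config");
+ERRX("errors in altq config");
 if ((opts & PF_OPT_NOACTION) == 0) {
 if ((loadopt & (PFCTL_FLAG_NAT | PFCTL_FLAG_ALL)) != 0) {
 pr[PF_RULESET_NAT].rule.action = PF_NAT;
 if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_NAT]) &&
 (errno != EINVAL || pf.rule_nr))
-err(1, "DIOCCOMMITRULES NAT");
+ERR("DIOCCOMMITRULES NAT");
 pr[PF_RULESET_RDR].rule.action = PF_RDR;
 if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_RDR]) &&
 (errno != EINVAL || pf.rule_nr))
-err(1, "DIOCCOMMITRULES RDR");
+ERR("DIOCCOMMITRULES RDR");
 pr[PF_RULESET_BINAT].rule.action = PF_BINAT;
 if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_BINAT]) &&
 (errno != EINVAL || pf.rule_nr))
-err(1, "DIOCCOMMITRULES BINAT");
+ERR("DIOCCOMMITRULES BINAT");
 }
 if (((altqsupport && (loadopt &
 (PFCTL_FLAG_ALTQ | PFCTL_FLAG_ALL)) != 0)) &&
 ioctl(dev, DIOCCOMMITALTQS, &pa.ticket))
-err(1, "DIOCCOMMITALTQS");
+ERR("DIOCCOMMITALTQS");
 if ((loadopt & (PFCTL_FLAG_FILTER | PFCTL_FLAG_ALL)) != 0) {
 pr[PF_RULESET_SCRUB].rule.action = PF_SCRUB;
 if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_SCRUB]) &&
 (errno != EINVAL || pf.rule_nr))
-err(1, "DIOCCOMMITRULES SCRUB");
+ERR("DIOCCOMMITRULES SCRUB");
 pr[PF_RULESET_FILTER].rule.action = PF_PASS;
 if (ioctl(dev, DIOCCOMMITRULES, &pr[PF_RULESET_FILTER]) &&
 (errno != EINVAL || pf.rule_nr))
-err(1, "DIOCCOMMITRULES FILTER");
+ERR("DIOCCOMMITRULES FILTER");
+}
+if (loadopt & (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL)) {
+if (pfr_ina_commit(pf.tticket, NULL, NULL, 0))
+ERR("commit table");
+pf.tdirty = 0;
 }
-if (loadopt & (PFCTL_FLAG_TABLE | PFCTL_FLAG_ALL))
-pfctl_commit_table();
 }
 if (fin != stdin)
 fclose(fin);
 /* process "load anchor" directives */
 if (!anchorname[0] && !rulesetname[0])
 if (pfctl_load_anchors(dev, opts) == -1)
-return (-1);
+ERRX("load anchors");
 return (0);
+
+_error:
+if (pf.tdirty) /* cleanup kernel leftover */
+pfr_ina_begin(NULL, NULL, 0);
+exit(1);
+
+#undef ERR
+#undef ERRX
 }
 int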
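Review bot: The `_error` cleanup at the end of pfctl_rules discards the result of `pfr_ina_begin(NULL, NULL, 0)`, so a failure to drop the half-loaded inactive table set goes unreported even though every other kernel call in this function now warns; `if (pfr_ina_begin(NULL, NULL, 0)) warn("table cleanup");` would keep the operator informed. The same path turns the load-anchors failure from `return (-1)` into `exit(1)`, so a caller that handled the -1 no longer gets the chance — worth confirming none does before relying on it. `fin` is also left open on that path; harmless given exit(), but a one-line comment on the macros, such as `/* report, drop any inactive table set begun by this load, and abort */`, would make the contract of `_error` explicit. Also `"begin table"` and `"commit table"` are reported through warn(), i.e. strerror(errno), whereas the table code elsewhere reports through pfr_strerror(); if those differ for table errors the message will be less specific than before.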
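--- a/kame/kame/pfctl/pfctl.h
+++ b/kame/kame/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.22 2003/07/03 09:13:06 cedric Exp $ */
+/* $OpenBSD: pfctl.h,v 1.23 2003/07/04 11:05:44 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -41,7 +41,7 @@ struct pfr_buffer {
 void *pfrb_caddr; /* malloc'ated memory area */
 };
 #define PFRB_FOREACH(var, buf) \
-for((var) = pfr_buf_next((buf), NULL); \
+for ((var) = pfr_buf_next((buf), NULL); \
 (var) != NULL; \
 (var) = pfr_buf_next((buf), (var)))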
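--- a/kame/kame/pfctl/pfctl_parser.c
+++ b/kame/kame/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.165 2003/07/03 09:13:06 cedric Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.167 2003/07/04 11:05:44 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -577,8 +577,11 @@ print_rule(struct pf_rule *r, int verbose)
 printf("action(%d) ", r->action);
 else if (r->anchorname[0])
 printf("%s %s ", anchortypes[r->action], r->anchorname);
-else
+else {
 printf("%s ", actiontypes[r->action]);
+if (r->natpass)
+printf("pass ");
+}
 if (r->action == PF_DROP) {
 if (r->rule_flag & PFRULE_RETURN)
 printf("return ");
@@ -1196,7 +1199,7 @@ host_dns(const char *s, int v4mask, int v6mask)
 * if set to 1, only simple addresses are accepted (no netblock, no "!").
 */
 int
-append_addr(struct pfr_buffer *b, char *s, int test)
+append_addr(struct pfr_buffer *b, char *s, int test)
 {
 return append_addr_not(b, s, test, 0);
 }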
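Review bot: The new `pass ` output in print_rule is keyed only on `r->natpass`, not on the rule's action, so it relies on every filter rule reaching this printer with natpass zeroed; the nat path in parse.y memsets the rule before setting it, but nothing here checks it. If the field is ever set on a rule whose action is not nat/rdr/binat, the printed rule would no longer parse back. A short comment above the test, `/* natpass is only set by nat/rdr/binat rules; filter rules leave it zero */`, records the assumption for the next reader. print_rule's body continues outside the hunk.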
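--- a/kame/kame/pfctl/pfctl_parser.h
+++ b/kame/kame/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.62 2003/07/03 09:13:06 cedric Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.63 2003/07/03 21:09:13 cedric Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -60,6 +60,8 @@ struct pfctl {
 int dev;
 int opts;
 int loadopt;
+int tticket; /* table ticket */
+int tdirty; /* kernel dirty */
 u_int32_t rule_nr;
 struct pfioc_pooladdr paddr;
 struct pfioc_rule *prule[PF_RULESET_MAX];
@@ -154,10 +156,8 @@ void print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
 void print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
 int, struct node_queue_opt *);
-void pfctl_begin_table(void);
 int pfctl_define_table(char *, int, int, int, const char *, const char *,
-struct pfr_buffer *);
-void pfctl_commit_table(void);
+struct pfr_buffer *, int);
 struct icmptypeent {
 const char *name;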
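Review bot: `/* table ticket */` and `/* kernel dirty */` under-describe two fields that the error-cleanup path in pfctl_rules now depends on. From the callers in this commit, tticket receives the ticket from pfr_ina_begin() in pfctl_rules and is passed through to pfctl_define_table, and tdirty is set by the parser once a table has been defined under that ticket, cleared after pfr_ina_commit, and consulted on the error path to decide whether to discard the inactive set. Suggested wording: `int tticket; /* ticket from pfr_ina_begin() for this load's inactive table set */` and `int tdirty; /* set once a table is defined under tticket; cleared on commit, drives cleanup on error */`. The new `int` parameter on pfctl_define_table would likewise read better with a trailing `/* ticket */` comment, since the prototype carries no parameter names.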
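--- a/kame/kame/pfctl/pfctl_radix.c
+++ b/kame/kame/pfctl/pfctl_radix.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_radix.c,v 1.17 2003/07/03 09:13:06 cedric Exp $ */
+/* $OpenBSD: pfctl_radix.c,v 1.18 2003/07/04 11:05:44 henning Exp $ */
 /*
 * Copyright (c) 2002 Cedric Berger
@@ -455,7 +455,7 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
 /* buffer managment code */
-size_t buf_esize[PFRB_MAX] = { 0,
+size_t buf_esize[PFRB_MAX] = { 0,
 sizeof(struct pfr_table), sizeof(struct pfr_tstats),
 sizeof(struct pfr_addr), sizeof(struct pfr_astats),
 };
@@ -499,7 +499,7 @@ pfr_buf_next(struct pfr_buffer *b, const void *prev)
 return (b->pfrb_caddr);
 bs = buf_esize[b->pfrb_type];
 if ((((caddr_t)prev)-((caddr_t)b->pfrb_caddr)) / bs >= b->pfrb_size-1)
-return (NULL);
+return (NULL);
 return (((caddr_t)prev) + bs);
 }
@@ -552,7 +552,7 @@ pfr_buf_grow(struct pfr_buffer *b, int minsize)
 * reset buffer and free memory.
 */
 void
-pfr_buf_clear(struct pfr_buffer *b)
+pfr_buf_clear(struct pfr_buffer *b)
 {
 if (b == NULL)
 return;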
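--- a/kame/kame/pfctl/pfctl_table.c
+++ b/kame/kame/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.46 2003/07/03 09:13:06 cedric Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.47 2003/07/03 21:09:13 cedric Exp $ */
 /*
 * Copyright (c) 2002 Cedric Berger
@@ -65,12 +65,8 @@ static int load_addr(struct pfr_buffer *, int, char *[], char *, int);
 static void print_addrx(struct pfr_addr *, struct pfr_addr *, int);
 static void print_astats(struct pfr_astats *, int);
 static void radix_perror(void);
-static void inactive_cleanup(void);
 static void xprintf(int, const char *, ...);
-static int ticket, inactive;
-extern char *__progname;
-
 static const char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
 { "In/Block:", "In/Pass:", "In/XPass:" },
 { "Out/Block:", "Out/Pass:", "Out/XPass:" }
@@ -446,27 +442,14 @@ print_astats(struct pfr_astats *as, int dns)
 void
 radix_perror(void)
 {
+extern char *__progname;
 fprintf(stderr, "%s: %s.\n", __progname, pfr_strerror(errno));
 }
-void
-pfctl_begin_table(void)
-{
-static int hookreg;
-
-if (pfr_ina_begin(&ticket, NULL, 0) != 0) {
-radix_perror();
-exit(1);
-}
-if (!hookreg) {
-atexit(inactive_cleanup);
-hookreg = 1;
-}
-}
-
 int
 pfctl_define_table(char *name, int flags, int addrs, int noaction,
-const char *anchor, const char *ruleset, struct pfr_buffer *ab)
+const char *anchor, const char *ruleset, struct pfr_buffer *ab,
+int ticket)
 {
 struct pfr_table tbl;
 int rv = 0;
@@ -482,7 +465,6 @@ pfctl_define_table(char *name, int flags, int addrs, int noaction,
 errx(1, "pfctl_define_table: strlcpy");
 tbl.pfrt_flags = flags;
-inactive = 1;
 if (pfr_ina_define(&tbl, ab->pfrb_caddr, ab->pfrb_size, NULL,
 NULL, ticket, addrs ? PFR_FLAG_ADDRSTOO : 0) != 0) {
 rv = -1;
@@ -493,23 +475,6 @@ pfctl_define_table(char *name, int flags, int addrs, int noaction,
 }
 void
-pfctl_commit_table(void)
-{
-if (pfr_ina_commit(ticket, NULL, NULL, 0) != 0) {
-radix_perror();
-exit(1);
-}
-inactive = 0;
-}
-
-void
-inactive_cleanup(void)
-{
-if (inactive)
-pfr_ina_begin(NULL, NULL, 0);
-}
-
-void
 xprintf(int opts, const char *fmt, ...)
 {
 va_list args;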
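Review bot: Dropping the atexit(inactive_cleanup) hook narrows cleanup of a half-built inactive table set to callers that reach pfctl_rules' `_error` label; direct exits that can still happen after a table has been defined, such as the `errx(1, "pfctl_define_table: strlcpy")` visible at the top of the third hunk here or `err(1, "binat: calloc")` in the parse.y section, now leave that set in the kernel until the next pfr_ina_begin(). That is presumably only a leftover rather than a live table, but it is a behaviour change this commit does not spell out. If it matters, either report those failures and route them through the `_error` path, or keep a small atexit hook keyed on the parser's tdirty flag. On style, the block-scope `extern char *__progname;` inside radix_perror works on BSD but a file-scope declaration is the more conventional place for it.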
