D37193.id112326.diff
No OneTemporary
Actions

Size

9 KB

Referenced Files

None

Subscribers

None

D37193.id112326.diff
View Options

	diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
	--- a/lib/libpfctl/libpfctl.h
	+++ b/lib/libpfctl/libpfctl.h
	@@ -109,6 +109,7 @@
	char tagname[PF_TAG_NAME_SIZE];
	uint16_t dnpipe;
	uint32_t dnflags;
	+ char bridge_to[IFNAMSIZ];
	uint8_t action;

	struct pfctl_eth_anchor *anchor;
	diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
	--- a/lib/libpfctl/libpfctl.c
	+++ b/lib/libpfctl/libpfctl.c
	@@ -664,6 +664,9 @@
	rule->anchor_relative = nvlist_get_number(nvl, "anchor_relative");
	rule->anchor_wildcard = nvlist_get_number(nvl, "anchor_wildcard");

	+ strlcpy(rule->bridge_to, nvlist_get_string(nvl, "bridge_to"),
	+ IFNAMSIZ);
	+
	rule->action = nvlist_get_number(nvl, "action");
	}

	@@ -811,6 +814,8 @@
	nvlist_add_number(nvl, "dnpipe", r->dnpipe);
	nvlist_add_number(nvl, "dnflags", r->dnflags);

	+ nvlist_add_string(nvl, "bridge_to", r->bridge_to);
	+
	nvlist_add_number(nvl, "action", r->action);

	packed = nvlist_pack(nvl, &size);
	diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
	--- a/sbin/pfctl/parse.y
	+++ b/sbin/pfctl/parse.y
	@@ -351,7 +351,8 @@
	void expand_eth_rule(struct pfctl_eth_rule *,
	struct node_if , struct node_etherproto ,
	struct node_mac , struct node_mac ,
	- struct node_host , struct node_host , const char *);
	+ struct node_host , struct node_host , const char *,
	+ const char *);
	void expand_rule(struct pfctl_rule , struct node_if ,
	struct node_host , struct node_proto , struct node_os *,
	struct node_host , struct node_port , struct node_host *,
	@@ -432,6 +433,7 @@
	struct {
	struct node_mac *mac;
	} etheraddr;
	+ char *bridge_to;
	struct {
	struct node_host *host;
	u_int8_t rt;
	@@ -503,7 +505,7 @@
	%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
	%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY
	%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
	-%token DIVERTTO DIVERTREPLY
	+%token DIVERTTO DIVERTREPLY BRIDGE_TO
	%token <v.string> STRING
	%token <v.number> NUMBER
	%token <v.i> PORTBINARY
	@@ -563,6 +565,7 @@
	%type <v.etherproto> etherproto etherproto_list etherproto_item
	%type <v.etherfromto> etherfromto
	%type <v.etheraddr> etherfrom etherto
	+%type <v.bridge_to> bridge
	%type <v.mac> xmac mac mac_list macspec
	%%

	@@ -1195,7 +1198,7 @@
	}
	;

	-etherrule : ETHER action dir quick interface etherproto etherfromto l3fromto etherfilter_opts
	+etherrule : ETHER action dir quick interface bridge etherproto etherfromto l3fromto etherfilter_opts
	{
	struct pfctl_eth_rule r;

	@@ -1207,23 +1210,23 @@
	r.action = $2.b1;
	r.direction = $3;
	r.quick = $4.quick;
	- if ($9.tag != NULL)
	- memcpy(&r.tagname, $9.tag, sizeof(r.tagname));
	- if ($9.match_tag)
	- if (strlcpy(r.match_tagname, $9.match_tag,
	+ if ($10.tag != NULL)
	+ memcpy(&r.tagname, $10.tag, sizeof(r.tagname));
	+ if ($10.match_tag)
	+ if (strlcpy(r.match_tagname, $10.match_tag,
	PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
	yyerror("tag too long, max %u chars",
	PF_TAG_NAME_SIZE - 1);
	YYERROR;
	}
	- r.match_tag_not = $9.match_tag_not;
	- if ($9.queues.qname != NULL)
	- memcpy(&r.qname, $9.queues.qname, sizeof(r.qname));
	- r.dnpipe = $9.dnpipe;
	- r.dnflags = $9.free_flags;
	+ r.match_tag_not = $10.match_tag_not;
	+ if ($10.queues.qname != NULL)
	+ memcpy(&r.qname, $10.queues.qname, sizeof(r.qname));
	+ r.dnpipe = $10.dnpipe;
	+ r.dnflags = $10.free_flags;

	- expand_eth_rule(&r, $5, $6, $7.src, $7.dst,
	- $8.src.host, $8.dst.host, "");
	+ expand_eth_rule(&r, $5, $7, $8.src, $8.dst,
	+ $9.src.host, $9.dst.host, $6, "");
	}
	;

	@@ -1315,7 +1318,7 @@
	r.quick = $5.quick;

	expand_eth_rule(&r, $6, $7, $8.src, $8.dst,
	- $9.src.host, $9.dst.host,
	+ $9.src.host, $9.dst.host, NULL,
	pf->eastack[pf->asd + 1] ? pf->ealast->name : $3);

	free($3);
	@@ -1361,6 +1364,14 @@
	}
	;

	+bridge : /* empty */ {
	+ $$ = NULL;
	+ }
	+ \| BRIDGE_TO STRING {
	+ $$ = strdup($2);
	+ }
	+ ;
	+
	scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
	{
	struct pfctl_rule r;
	@@ -5801,7 +5812,8 @@
	expand_eth_rule(struct pfctl_eth_rule *r,
	struct node_if interfaces, struct node_etherproto protos,
	struct node_mac srcs, struct node_mac dsts,
	- struct node_host ipsrcs, struct node_host ipdsts, const char *anchor_call)
	+ struct node_host ipsrcs, struct node_host ipdsts,
	+ const char bridge_to, const char anchor_call)
	{
	char tagname[PF_TAG_NAME_SIZE];
	char match_tagname[PF_TAG_NAME_SIZE];
	@@ -5852,6 +5864,9 @@
	if (strlcpy(r->qname, qname, sizeof(r->qname)) >= sizeof(r->qname))
	errx(1, "expand_eth_rule: r->qname");

	+ if (bridge_to)
	+ strlcpy(r->bridge_to, bridge_to, sizeof(r->bridge_to));
	+
	pfctl_append_eth_rule(pf, r, anchor_call);
	))))));

	@@ -6110,6 +6125,7 @@
	{ "bitmask", BITMASK},
	{ "block", BLOCK},
	{ "block-policy", BLOCKPOLICY},
	+ { "bridge-to", BRIDGE_TO},
	{ "buckets", BUCKETS},
	{ "cbq", CBQ},
	{ "code", CODE},
	diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
	--- a/sbin/pfctl/pfctl_parser.c
	+++ b/sbin/pfctl/pfctl_parser.c
	@@ -772,6 +772,8 @@
	else
	printf(" on %s", r->ifname);
	}
	+ if (r->bridge_to[0])
	+ printf(" bridge-to %s", r->bridge_to);
	if (r->proto)
	printf(" proto 0x%04x", r->proto);

	diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
	--- a/share/man/man5/pf.conf.5
	+++ b/share/man/man5/pf.conf.5
	@@ -28,7 +28,7 @@
	.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	.\" POSSIBILITY OF SUCH DAMAGE.
	.\"
	-.Dd March 9, 2022
	+.Dd October 28, 2022
	.Dt PF.CONF 5
	.Os
	.Sh NAME
	@@ -710,6 +710,9 @@
	.Ic group
	keyword in
	.Xr ifconfig 8 .
	+.It Ar bridge-to Aq interface
	+Packets matching this rule will be sent out of the specified interface without
	+futher processing.
	.It Ar proto Aq Ar protocol
	This rule applies only to packets of this protocol.
	Note that Ethernet protocol numbers are different from those used in
	@@ -3076,8 +3079,9 @@
	[ "keepcounters" ] )

	ether-rule = "ether" etheraction [ ( "in" \| "out" ) ]
	- [ "quick" ] [ "on" ifspec ] [ etherprotospec ]
	- etherhosts [ "l3" hosts ] [ etherfilteropt-list ]
	+ [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
	+ [ etherprotospec ] etherhosts [ "l3" hosts ]
	+ [ etherfilteropt-list ]

	pf-rule = action [ ( "in" \| "out" ) ]
	[ "log" [ "(" logopts ")"] ] [ "quick" ]
	diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
	--- a/sys/net/pfvar.h
	+++ b/sys/net/pfvar.h
	@@ -690,6 +690,8 @@
	int qid;
	char tagname[PF_TAG_NAME_SIZE];
	uint16_t tag;
	+ char bridge_to_name[IFNAMSIZ];
	+ struct pfi_kkif *bridge_to;
	uint8_t action;
	uint16_t dnpipe;
	uint32_t dnflags;
	diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
	--- a/sys/netpfil/pf/pf.c
	+++ b/sys/netpfil/pf/pf.c
	@@ -3833,6 +3833,17 @@
	(r->match_tag_not && r->match_tag != *tag));
	}

	+static void
	+pf_bridge_to(struct pfi_kkif kif, struct mbuf m)
	+{
	+ /* If we don't have the interface drop the packet. */
	+ if (kif->pfik_ifp == NULL) {
	+ m_freem(m);
	+ return;
	+ }
	+ kif->pfik_ifp->if_transmit(kif->pfik_ifp, m);
	+}
	+
	static int
	pf_test_eth_rule(int dir, struct pfi_kkif kif, struct mbuf *m0)
	{
	@@ -4092,6 +4103,11 @@

	action = r->action;

	+ if (action == PF_PASS && r->bridge_to) {
	+ pf_bridge_to(r->bridge_to, *m0);
	+ m0 = NULL; / We've eaten the packet. */
	+ }
	+
	PF_RULES_RUNLOCK();

	return (action);
	diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
	--- a/sys/netpfil/pf/pf_ioctl.c
	+++ b/sys/netpfil/pf/pf_ioctl.c
	@@ -522,6 +522,8 @@
	pf_qid_unref(rule->qid);
	#endif

	+ if (rule->bridge_to)
	+ pfi_kkif_unref(rule->bridge_to);
	if (rule->kif)
	pfi_kkif_unref(rule->kif);

	@@ -2809,7 +2811,7 @@
	void *nvlpacked = NULL;
	struct pf_keth_rule rule = NULL, tail = NULL;
	struct pf_keth_ruleset *ruleset = NULL;
	- struct pfi_kkif *kif = NULL;
	+ struct pfi_kkif kif = NULL, bridge_to_kif = NULL;
	const char anchor = "", anchor_call = "";

	#define ERROUT(x) ERROUT_IOCTL(DIOCADDETHRULE_error, x)
	@@ -2861,6 +2863,8 @@

	if (rule->ifname[0])
	kif = pf_kkif_create(M_WAITOK);
	+ if (rule->bridge_to_name[0])
	+ bridge_to_kif = pf_kkif_create(M_WAITOK);
	rule->evaluations = counter_u64_alloc(M_WAITOK);
	for (int i = 0; i < 2; i++) {
	rule->packets[i] = counter_u64_alloc(M_WAITOK);
	@@ -2876,6 +2880,12 @@
	pfi_kkif_ref(rule->kif);
	} else
	rule->kif = NULL;
	+ if (rule->bridge_to_name[0]) {
	+ rule->bridge_to = pfi_kkif_attach(bridge_to_kif,
	+ rule->bridge_to_name);
	+ pfi_kkif_ref(rule->bridge_to);
	+ } else
	+ rule->bridge_to = NULL;

	#ifdef ALTQ
	/* set queue IDs */
	diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c
	--- a/sys/netpfil/pf/pf_nv.c
	+++ b/sys/netpfil/pf/pf_nv.c
	@@ -1114,6 +1114,7 @@
	nvlist_add_number(nvl, "anchor_relative", krule->anchor_relative);
	nvlist_add_number(nvl, "anchor_wildcard", krule->anchor_wildcard);

	+ nvlist_add_string(nvl, "bridge_to", krule->bridge_to_name);
	nvlist_add_number(nvl, "action", krule->action);

	return (nvl);
	@@ -1182,6 +1183,8 @@

	PFNV_CHK(pf_nvuint16_opt(nvl, "dnpipe", &krule->dnpipe, 0));
	PFNV_CHK(pf_nvuint32_opt(nvl, "dnflags", &krule->dnflags, 0));
	+ PFNV_CHK(pf_nvstring(nvl, "bridge_to", krule->bridge_to_name,
	+ sizeof(krule->bridge_to_name)));

	PFNV_CHK(pf_nvuint8(nvl, "action", &krule->action));

File Metadata

Mime Type: text/plain
Expires: Sat, Nov 16, 7:57 PM (20 h, 18 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 14663784
Default Alt Text: D37193.id112326.diff (9 KB)

D37193.id112326.diffNo OneTemporaryActions

D37193.id112326.diffView Options

File Metadata

Event Timeline

D37193.id112326.diff
No OneTemporary
Actions

D37193.id112326.diff
View Options