sbin/pfctl/parse.y
Context not available. | |||||
int type; | int type; | ||||
int staticport; | int staticport; | ||||
struct pf_poolhashkey *key; | struct pf_poolhashkey *key; | ||||
struct pf_mape_portset mape; | |||||
} pool_opts; | } pool_opts; | ||||
Context not available. | |||||
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | ||||
%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | %token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | ||||
%token ANTISPOOF FOR INCLUDE | %token ANTISPOOF FOR INCLUDE | ||||
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY | %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET | ||||
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | %token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | ||||
%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | %token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | ||||
%token LOAD RULESET_OPTIMIZATION PRIO | %token LOAD RULESET_OPTIMIZATION PRIO | ||||
Context not available. | |||||
pool_opts.marker |= POM_STICKYADDRESS; | pool_opts.marker |= POM_STICKYADDRESS; | ||||
pool_opts.opts |= PF_POOL_STICKYADDR; | pool_opts.opts |= PF_POOL_STICKYADDR; | ||||
} | } | ||||
| MAPEPORTSET number '/' number '/' number { | |||||
if (pool_opts.mape.offset) { | |||||
yyerror("map-e-portset cannot be redefined"); | |||||
YYERROR; | |||||
} | |||||
if (pool_opts.type) { | |||||
yyerror("map-e-portset cannot be used with " | |||||
"address pools"); | |||||
YYERROR; | |||||
} | |||||
if ($2 < 0 || $2 >= 16) { | |||||
yyerror("MAP-E PSID offset must be 1-15"); | |||||
kp: The warning doesn't match the check. 0 is allowed here. | |||||
takahiro.kurosawa_gmail.comAuthorUnsubmitted Done Inline ActionsI will fix $2 < 0 to $2 <= 0 takahiro.kurosawa_gmail.com: I will fix `$2 < 0` to `$2 <= 0` | |||||
YYERROR; | |||||
} | |||||
if ($4 < 0 || $4 >= 16 || $2 + $4 > 16) { | |||||
yyerror("Invalid MAP-E PSID length"); | |||||
YYERROR; | |||||
} else if ($4 == 0) { | |||||
yyerror("PSID Length = 0: this means" | |||||
" you do not need MAP-E"); | |||||
YYERROR; | |||||
} | |||||
if ($6 < 0 || $6 > 65535) { | |||||
yyerror("Invalid MAP-E PSID"); | |||||
YYERROR; | |||||
} | |||||
pool_opts.mape.offset = $2; | |||||
pool_opts.mape.psidlen = $4; | |||||
pool_opts.mape.psid = $6; | |||||
} | |||||
; | ; | ||||
redirection : /* empty */ { $$ = NULL; } | redirection : /* empty */ { $$ = NULL; } | ||||
Context not available. | |||||
r.rpool.proxy_port[1] = 0; | r.rpool.proxy_port[1] = 0; | ||||
} | } | ||||
if ($10.mape.offset) { | |||||
if (r.action != PF_NAT) { | |||||
kpUnsubmitted Done Inline ActionsIf I'm reading the parser code correctly this is impossible, so maybe this should be an assert() rather than input validation. kp: If I'm reading the parser code correctly this is impossible, so maybe this should be an assert… | |||||
takahiro.kurosawa_gmail.comAuthorUnsubmitted Done Inline ActionsI have confirmed that the yyerror message below is actually displayed by running: $ echo 'rdr on lo0 proto tcp from any to any -> 127.0.0.1 map-e-portset 6/8/0x34' | /sbin/pfctl -n -f - stdin:1: the 'map-e-portset' option is only valid with nat rules So I'm going to keep it unchanged. takahiro.kurosawa_gmail.com: I have confirmed that the yyerror message below is actually displayed by running:
```
$ echo… | |||||
yyerror("the 'map-e-portset' option is" | |||||
" only valid with nat rules"); | |||||
YYERROR; | |||||
} | |||||
if ($10.staticport) { | |||||
yyerror("the 'map-e-portset' option" | |||||
" can't be used 'static-port'"); | |||||
YYERROR; | |||||
} | |||||
if (r.rpool.proxy_port[0] != | |||||
PF_NAT_PROXY_PORT_LOW && | |||||
r.rpool.proxy_port[1] != | |||||
PF_NAT_PROXY_PORT_HIGH) { | |||||
yyerror("the 'map-e-portset' option" | |||||
" can't be used when specifying" | |||||
" a port range"); | |||||
YYERROR; | |||||
} | |||||
r.rpool.mape = $10.mape; | |||||
} | |||||
expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4, | expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4, | ||||
$5.src_os, $5.src.host, $5.src.port, $5.dst.host, | $5.src_os, $5.src.host, $5.src.port, $5.dst.host, | ||||
$5.dst.port, 0, 0, 0, ""); | $5.dst.port, 0, 0, 0, ""); | ||||
Context not available. | |||||
{ "load", LOAD}, | { "load", LOAD}, | ||||
{ "log", LOG}, | { "log", LOG}, | ||||
{ "loginterface", LOGINTERFACE}, | { "loginterface", LOGINTERFACE}, | ||||
{ "map-e-portset", MAPEPORTSET}, | |||||
{ "max", MAXIMUM}, | { "max", MAXIMUM}, | ||||
{ "max-mss", MAXMSS}, | { "max-mss", MAXMSS}, | ||||
{ "max-src-conn", MAXSRCCONN}, | { "max-src-conn", MAXSRCCONN}, | ||||
Context not available. |
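Review bot: The port-range guard in the nat-rule action joins its two comparisons with `&&`, so a range that keeps either default endpoint (for example `port 50001:60000` or `port 1024:65535`) slips past the "can't be used when specifying a port range" error and reaches `r.rpool.mape = $10.mape;`; the condition should reject as soon as one endpoint differs, `if (r.rpool.proxy_port[0] != PF_NAT_PROXY_PORT_LOW || r.rpool.proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) {`. The PSID check in the `MAPEPORTSET` rule only bounds `$6` to 16 bits, but a PSID is presumably meant to be `psidlen` bits wide, so a value with `$6 >= (1 << $4)` would overlap the neighbouring port-index bits when the port is composed later; tightening it to `if ($6 < 0 || $6 >= (1 << $4)) {` after the length check would catch that at parse time. The message at `yyerror("the 'map-e-portset' option" " can't be used 'static-port'");` is missing the word "with". The nat-rule action containing the `$10.mape.offset` block starts before this hunk, so the surrounding defaults for `proxy_port` are not visible here.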