sbin/pfctl/parse.y
Show First 20 Lines • Show All 230 Lines • ▼ Show 20 Lines | struct { | ||||
u_int8_t b1; | u_int8_t b1; | ||||
u_int8_t b2; | u_int8_t b2; | ||||
u_int16_t w; | u_int16_t w; | ||||
u_int16_t w2; | u_int16_t w2; | ||||
} flags; | } flags; | ||||
struct node_icmp *icmpspec; | struct node_icmp *icmpspec; | ||||
u_int32_t tos; | u_int32_t tos; | ||||
u_int32_t prob; | u_int32_t prob; | ||||
u_int32_t ridentifier; | |||||
struct { | struct { | ||||
int action; | int action; | ||||
struct node_state_opt *options; | struct node_state_opt *options; | ||||
} keep; | } keep; | ||||
int fragment; | int fragment; | ||||
int allowopts; | int allowopts; | ||||
char *label[PF_RULE_MAX_LABEL_COUNT]; | char *label[PF_RULE_MAX_LABEL_COUNT]; | ||||
int labelcount; | int labelcount; | ||||
Show All 11 Lines | struct { | ||||
struct node_host *addr; | struct node_host *addr; | ||||
u_int16_t port; | u_int16_t port; | ||||
} divert; | } divert; | ||||
} filter_opts; | } filter_opts; | ||||
static struct antispoof_opts { | static struct antispoof_opts { | ||||
char *label[PF_RULE_MAX_LABEL_COUNT]; | char *label[PF_RULE_MAX_LABEL_COUNT]; | ||||
int labelcount; | int labelcount; | ||||
u_int32_t ridentifier; | |||||
eri: Is there no better place for such info?
It sounds like forced through as is | |||||
Done Inline ActionsI’m not sure I understand your objection. kp: I’m not sure I understand your objection. | |||||
Done Inline ActionsI am pointing out that antispoof structure does not seem to have a relationship with a rule identifier. eri: I am pointing out that antispoof structure does not seem to have a relationship with a rule… | |||||
Done Inline ActionsThat's there because you can also set ridentifier on antispoof rules. See line 1332 (in the new version). kp: That's there because you can also set ridentifier on antispoof rules. See line 1332 (in the new… | |||||
u_int rtableid; | u_int rtableid; | ||||
} antispoof_opts; | } antispoof_opts; | ||||
static struct scrub_opts { | static struct scrub_opts { | ||||
int marker; | int marker; | ||||
#define SOM_MINTTL 0x01 | #define SOM_MINTTL 0x01 | ||||
#define SOM_MAXMSS 0x02 | #define SOM_MAXMSS 0x02 | ||||
#define SOM_FRAGCACHE 0x04 | #define SOM_FRAGCACHE 0x04 | ||||
%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE | %token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE | ||||
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR | %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR | ||||
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | ||||
%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | %token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | ||||
%token ANTISPOOF FOR INCLUDE KEEPCOUNTERS SYNCOOKIES | %token ANTISPOOF FOR INCLUDE KEEPCOUNTERS SYNCOOKIES | ||||
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET | %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET | ||||
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | %token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | ||||
%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | %token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | ||||
%token DNPIPE DNQUEUE | %token DNPIPE DNQUEUE RIDENTIFIER | ||||
%token LOAD RULESET_OPTIMIZATION PRIO | %token LOAD RULESET_OPTIMIZATION PRIO | ||||
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE | %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE | ||||
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY | %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY | ||||
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS | %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS | ||||
%token DIVERTTO DIVERTREPLY | %token DIVERTTO DIVERTREPLY | ||||
%token <v.string> STRING | %token <v.string> STRING | ||||
%token <v.number> NUMBER | %token <v.number> NUMBER | ||||
%token <v.i> PORTBINARY | %token <v.i> PORTBINARY | ||||
▲ Show 20 Lines • Show All 439 Lines • ▼ Show 20 Lines | anchorrule : ANCHOR anchorname dir quick interface af proto fromto | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
} | } | ||||
r.direction = $3; | r.direction = $3; | ||||
r.quick = $4.quick; | r.quick = $4.quick; | ||||
r.af = $6; | r.af = $6; | ||||
r.prob = $9.prob; | r.prob = $9.prob; | ||||
r.rtableid = $9.rtableid; | r.rtableid = $9.rtableid; | ||||
r.ridentifier = $9.ridentifier; | |||||
if ($9.tag) | if ($9.tag) | ||||
if (strlcpy(r.tagname, $9.tag, | if (strlcpy(r.tagname, $9.tag, | ||||
PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) { | PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) { | ||||
yyerror("tag too long, max %u chars", | yyerror("tag too long, max %u chars", | ||||
PF_TAG_NAME_SIZE - 1); | PF_TAG_NAME_SIZE - 1); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
▲ Show 20 Lines • Show All 383 Lines • ▼ Show 20 Lines | antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { | ||||
bzero(&r, sizeof(r)); | bzero(&r, sizeof(r)); | ||||
r.action = PF_DROP; | r.action = PF_DROP; | ||||
r.direction = PF_IN; | r.direction = PF_IN; | ||||
r.log = $2.log; | r.log = $2.log; | ||||
r.logif = $2.logif; | r.logif = $2.logif; | ||||
r.quick = $2.quick; | r.quick = $2.quick; | ||||
r.af = $4; | r.af = $4; | ||||
r.ridentifier = $5.ridentifier; | |||||
if (rule_label(&r, $5.label)) | if (rule_label(&r, $5.label)) | ||||
YYERROR; | YYERROR; | ||||
r.rtableid = $5.rtableid; | r.rtableid = $5.rtableid; | ||||
j = calloc(1, sizeof(struct node_if)); | j = calloc(1, sizeof(struct node_if)); | ||||
if (j == NULL) | if (j == NULL) | ||||
err(1, "antispoof: calloc"); | err(1, "antispoof: calloc"); | ||||
if (strlcpy(j->ifname, i->ifname, | if (strlcpy(j->ifname, i->ifname, | ||||
sizeof(j->ifname)) >= sizeof(j->ifname)) { | sizeof(j->ifname)) >= sizeof(j->ifname)) { | ||||
Show All 36 Lines | antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { | ||||
bzero(&r, sizeof(r)); | bzero(&r, sizeof(r)); | ||||
r.action = PF_DROP; | r.action = PF_DROP; | ||||
r.direction = PF_IN; | r.direction = PF_IN; | ||||
r.log = $2.log; | r.log = $2.log; | ||||
r.logif = $2.logif; | r.logif = $2.logif; | ||||
r.quick = $2.quick; | r.quick = $2.quick; | ||||
r.af = $4; | r.af = $4; | ||||
r.ridentifier = $5.ridentifier; | |||||
if (rule_label(&r, $5.label)) | if (rule_label(&r, $5.label)) | ||||
YYERROR; | YYERROR; | ||||
r.rtableid = $5.rtableid; | r.rtableid = $5.rtableid; | ||||
if (hh != NULL) | if (hh != NULL) | ||||
h = hh; | h = hh; | ||||
else | else | ||||
h = ifa_lookup(i->ifname, 0); | h = ifa_lookup(i->ifname, 0); | ||||
if (h != NULL) | if (h != NULL) | ||||
antispoof_opt : label { | antispoof_opt : label { | ||||
if (antispoof_opts.labelcount >= PF_RULE_MAX_LABEL_COUNT) { | if (antispoof_opts.labelcount >= PF_RULE_MAX_LABEL_COUNT) { | ||||
yyerror("label can only be used %d times", PF_RULE_MAX_LABEL_COUNT); | yyerror("label can only be used %d times", PF_RULE_MAX_LABEL_COUNT); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
antispoof_opts.label[antispoof_opts.labelcount++] = $1; | antispoof_opts.label[antispoof_opts.labelcount++] = $1; | ||||
} | } | ||||
| RIDENTIFIER number { | |||||
antispoof_opts.ridentifier = $2; | |||||
} | |||||
| RTABLE NUMBER { | | RTABLE NUMBER { | ||||
if ($2 < 0 || $2 > rt_tableid_max()) { | if ($2 < 0 || $2 > rt_tableid_max()) { | ||||
yyerror("invalid rtable id"); | yyerror("invalid rtable id"); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
antispoof_opts.rtableid = $2; | antispoof_opts.rtableid = $2; | ||||
} | } | ||||
; | ; | ||||
▲ Show 20 Lines • Show All 699 Lines • ▼ Show 20 Lines | pfrule : action dir logquick interface route af proto fromto | ||||
PF_TAG_NAME_SIZE - 1); | PF_TAG_NAME_SIZE - 1); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
r.match_tag_not = $9.match_tag_not; | r.match_tag_not = $9.match_tag_not; | ||||
if (rule_label(&r, $9.label)) | if (rule_label(&r, $9.label)) | ||||
YYERROR; | YYERROR; | ||||
for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) | for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) | ||||
free($9.label[i]); | free($9.label[i]); | ||||
r.ridentifier = $9.ridentifier; | |||||
r.flags = $9.flags.b1; | r.flags = $9.flags.b1; | ||||
r.flagset = $9.flags.b2; | r.flagset = $9.flags.b2; | ||||
if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) { | if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) { | ||||
yyerror("flags always false"); | yyerror("flags always false"); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
if ($9.flags.b1 || $9.flags.b2 || $8.src_os) { | if ($9.flags.b1 || $9.flags.b2 || $8.src_os) { | ||||
for (proto = $7; proto != NULL && | for (proto = $7; proto != NULL && | ||||
▲ Show 20 Lines • Show All 423 Lines • ▼ Show 20 Lines | | keep { | ||||
if (filter_opts.marker & FOM_KEEP) { | if (filter_opts.marker & FOM_KEEP) { | ||||
yyerror("modulate or keep cannot be redefined"); | yyerror("modulate or keep cannot be redefined"); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
filter_opts.marker |= FOM_KEEP; | filter_opts.marker |= FOM_KEEP; | ||||
filter_opts.keep.action = $1.action; | filter_opts.keep.action = $1.action; | ||||
filter_opts.keep.options = $1.options; | filter_opts.keep.options = $1.options; | ||||
} | } | ||||
| RIDENTIFIER number { | |||||
filter_opts.ridentifier = $2; | |||||
} | |||||
| FRAGMENT { | | FRAGMENT { | ||||
filter_opts.fragment = 1; | filter_opts.fragment = 1; | ||||
} | } | ||||
| ALLOWOPTS { | | ALLOWOPTS { | ||||
filter_opts.allowopts = 1; | filter_opts.allowopts = 1; | ||||
} | } | ||||
| label { | | label { | ||||
if (filter_opts.labelcount >= PF_RULE_MAX_LABEL_COUNT) { | if (filter_opts.labelcount >= PF_RULE_MAX_LABEL_COUNT) { | ||||
▲ Show 20 Lines • Show All 3,126 Lines • ▼ Show 20 Lines | static const struct keywords keywords[] = { | ||||
{ "realtime", REALTIME}, | { "realtime", REALTIME}, | ||||
{ "reassemble", REASSEMBLE}, | { "reassemble", REASSEMBLE}, | ||||
{ "reply-to", REPLYTO}, | { "reply-to", REPLYTO}, | ||||
{ "require-order", REQUIREORDER}, | { "require-order", REQUIREORDER}, | ||||
{ "return", RETURN}, | { "return", RETURN}, | ||||
{ "return-icmp", RETURNICMP}, | { "return-icmp", RETURNICMP}, | ||||
{ "return-icmp6", RETURNICMP6}, | { "return-icmp6", RETURNICMP6}, | ||||
{ "return-rst", RETURNRST}, | { "return-rst", RETURNRST}, | ||||
{ "ridentifier", RIDENTIFIER}, | |||||
{ "round-robin", ROUNDROBIN}, | { "round-robin", ROUNDROBIN}, | ||||
{ "route", ROUTE}, | { "route", ROUTE}, | ||||
{ "route-to", ROUTETO}, | { "route-to", ROUTETO}, | ||||
{ "rtable", RTABLE}, | { "rtable", RTABLE}, | ||||
{ "rule", RULE}, | { "rule", RULE}, | ||||
{ "ruleset-optimization", RULESET_OPTIMIZATION}, | { "ruleset-optimization", RULESET_OPTIMIZATION}, | ||||
{ "scrub", SCRUB}, | { "scrub", SCRUB}, | ||||
{ "set", SET}, | { "set", SET}, | ||||
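Review bot: The new `RIDENTIFIER number` alternative in antispoof_opt stores `$2` straight into the `u_int32_t ridentifier` field with no range check, and the matching alternative added to filter_opt does the same, so an operand wider than 32 bits is silently truncated and the identifier the loaded rule carries no longer matches what the administrator wrote in the ruleset. The adjacent `RTABLE NUMBER` alternative validates its operand before assigning, and `number` appears to yield a 64-bit value elsewhere in this grammar (inferred; the %union is not in this excerpt). Mirror that pattern in both alternatives, e.g. `if ($2 < 0 || $2 > UINT32_MAX) { yyerror("invalid ridentifier"); YYERROR; }` ahead of the assignment, with UINT32_MAX from <stdint.h> if the file does not already pull it in. The filter_opt rule begins and ends outside the visible section, so its other alternatives could not be checked for an existing guard.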
Is there no better place for such info?
It sounds like forced through as is