authordhartmei <dhartmei@openbsd.org>2005-05-26 15:29:47 +0000
committerdhartmei <dhartmei@openbsd.org>2005-05-26 15:29:47 +0000
commitce9eb5ecff89d421df4cce56f3752acae8efbcfa (patch)
tree045931eadf15410aad894678060e3748c87bb8f5
parentsync (diff)
support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants. ok frantzen@, camield@
-rw-r--r--sbin/pfctl/parse.y39
-rw-r--r--share/man/man5/pf.conf.513
-rw-r--r--sys/net/pf.c62
-rw-r--r--sys/net/pfvar.h6
4 files changed, 85 insertions, 35 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 38273ffe940..ceb489064cb 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.485 2005/05/23 21:29:50 camield Exp $ */
+/* $OpenBSD: parse.y,v 1.486 2005/05/26 15:29:48 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -415,10 +415,10 @@ typedef struct {
%token <v.i> PORTBINARY
%type <v.interface> interface if_list if_item_not if_item
%type <v.number> number icmptype icmp6type uid gid
-%type <v.number> tos not yesno natpass
+%type <v.number> tos not yesno
%type <v.i> no dir log af fragcache sourcetrack flush
%type <v.i> unaryop statelock
-%type <v.b> action nataction scrubaction
+%type <v.b> action nataction natpass scrubaction
%type <v.b> flags flag blockspec
%type <v.range> port rport
%type <v.hashkey> hashkey
@@ -2028,8 +2028,8 @@ logquick : /* empty */ { $$.log = 0; $$.quick = 0; }
| QUICK log { $$.log = $2; $$.quick = 1; }
;
-log : LOG { $$ = 1; }
- | LOGALL { $$ = 2; }
+log : LOG { $$ = PF_LOG; }
+ | LOGALL { $$ = PF_LOGALL; }
;
interface : /* empty */ { $$ = NULL; }
@@ -3178,25 +3178,34 @@ redirection : /* empty */ { $$ = NULL; }
}
;
-natpass : /* empty */ { $$ = 0; }
- | PASS { $$ = 1; }
+natpass : /* empty */ { $$.b1 = $$.b2 = 0; }
+ | PASS { $$.b1 = 1; $$.b2 = 0; }
+ | PASS log { $$.b1 = 1; $$.b2 = $2; }
;
nataction : no NAT natpass {
- $$.b2 = $$.w = 0;
+ if ($1 && ($3.b1 || $3.b2)) {
+ yyerror("\"pass\" and \"log\" not valid with \"no\"");
+ YYERROR;
+ }
if ($1)
$$.b1 = PF_NONAT;
else
$$.b1 = PF_NAT;
- $$.b2 = $3;
+ $$.b2 = $3.b1;
+ $$.w = $3.b2;
}
| no RDR natpass {
- $$.b2 = $$.w = 0;
+ if ($1 && ($3.b1 || $3.b2)) {
+ yyerror("\"pass\" and \"log\" not valid with \"no\"");
+ YYERROR;
+ }
if ($1)
$$.b1 = PF_NORDR;
else
$$.b1 = PF_RDR;
- $$.b2 = $3;
+ $$.b2 = $3.b1;
+ $$.w = $3.b2;
}
;
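Review bot: The `"pass" and "log" not valid with "no"` check is written out identically in both nataction alternatives here and a third time in the binatrule hunk further down; since the grammar only admits `log` after `PASS` (`natpass : PASS log`), `$3.b2` can never be set without `$3.b1`, so each copy reduces to `if ($1 && $3.b1)`. A small static helper, e.g. `if (nopass_check($1, &$3)) YYERROR;`, would keep the three error paths in step if the wording or the rule ever changes. The natpass rule itself would benefit from a short comment on the field packing, such as `/* b1 = pass, b2 = log flags (PF_LOG / PF_LOGALL) */`, since `.b1`/`.b2`/`.w` give no hint of their meaning.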
@@ -3211,6 +3220,7 @@ natrule : nataction interface af proto fromto tag tagged redirpool pool_opts
r.action = $1.b1;
r.natpass = $1.b2;
+ r.log = $1.w;
r.af = $3;
if (!r.af) {
@@ -3366,11 +3376,16 @@ binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag tagged
memset(&binat, 0, sizeof(binat));
+ if ($1 && ($3.b1 || $3.b2)) {
+ yyerror("\"pass\" and \"log\" not valid with \"no\"");
+ YYERROR;
+ }
if ($1)
binat.action = PF_NOBINAT;
else
binat.action = PF_BINAT;
- binat.natpass = $3;
+ binat.natpass = $3.b1;
+ binat.log = $3.b2;
binat.af = $5;
if (!binat.af && $8 != NULL && $8->af)
binat.af = $8->af;
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 858e2bb4a96..0e3c44ffc41 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.329 2005/05/26 05:34:00 henning Exp $
+.\" $OpenBSD: pf.conf.5,v 1.330 2005/05/26 15:29:47 dhartmei Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -2621,18 +2621,21 @@ filteropt = user | group | flags | icmp-type | icmp6-type | tos |
"queue" ( string | "(" string [ [ "," ] string ] ")" ) |
"probability" number"%"
-nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
+nat-rule = [ "no" ] "nat" [ "pass" [ "log" | "log-all" ] ]
+ [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ] ]
-binat-rule = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ]
- [ af ] [ "proto" ( proto-name | proto-number ) ]
+binat-rule = [ "no" ] "binat" [ "pass" [ "log" | "log-all" ] ]
+ [ "on" interface-name ] [ af ]
+ [ "proto" ( proto-name | proto-number ) ]
"from" address [ "/" mask-bits ] "to" ipspec
[ "tag" string ] [ "tagged" string ]
[ "->" address [ "/" mask-bits ] ]
-rdr-rule = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ]
+rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" | "log-all" ] ]
+ [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] ]
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8dea6c47aca..7ef95995677 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.490 2005/05/23 23:28:53 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.491 2005/05/26 15:29:48 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2805,10 +2805,11 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
REASON_SET(&reason, PFRES_MATCH);
- if (r->log) {
+ if (r->log || (nr != NULL && nr->natpass && nr->log)) {
if (rewrite)
m_copyback(m, off, sizeof(*th), th);
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
}
if ((r->action == PF_DROP) &&
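Review bot: The packet-logging condition `if (r->log || (nr != NULL && nr->natpass && nr->log))` requires natpass, but the state-log line `s->log |= nr->log & PF_LOGALL` in the next hunk (and the matching udp/icmp/other hunks) does not, so a nat rule carrying a log flag without natpass would have its log-all bit folded into the state while its first packet is never logged under it. pfctl's grammar only emits `log` after `pass`, so this only shows up for rules installed through the ioctl by other means; guarding the state-log site the same way, `if (nr != NULL && nr->natpass)`, removes the dependence on who loaded the rule. The same pair of blocks is repeated verbatim in pf_test_udp, pf_test_icmp and pf_test_other; a static helper returning the rule to log (`r->log ? r : nr`) would keep the four copies identical. pf_test_tcp continues outside the hunk.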
@@ -2911,7 +2912,9 @@ cleanup:
s->anchor.ptr = a;
STATE_INC_COUNTERS(s);
s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
s->proto = IPPROTO_TCP;
s->direction = direction;
s->af = af;
@@ -3176,10 +3179,11 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
REASON_SET(&reason, PFRES_MATCH);
- if (r->log) {
+ if (r->log || (nr != NULL && nr->natpass && nr->log)) {
if (rewrite)
m_copyback(m, off, sizeof(*uh), uh);
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
}
if ((r->action == PF_DROP) &&
@@ -3264,7 +3268,9 @@ cleanup:
s->anchor.ptr = a;
STATE_INC_COUNTERS(s);
s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
s->proto = IPPROTO_UDP;
s->direction = direction;
s->af = af;
@@ -3491,13 +3497,14 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
REASON_SET(&reason, PFRES_MATCH);
- if (r->log) {
+ if (r->log || (nr != NULL && nr->natpass && nr->log)) {
#ifdef INET6
if (rewrite)
m_copyback(m, off, sizeof(struct icmp6_hdr),
pd->hdr.icmp6);
#endif /* INET6 */
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
}
if (r->action != PF_PASS)
@@ -3559,7 +3566,9 @@ cleanup:
s->anchor.ptr = a;
STATE_INC_COUNTERS(s);
s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
s->proto = pd->proto;
s->direction = direction;
s->af = af;
@@ -3738,8 +3747,9 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
REASON_SET(&reason, PFRES_MATCH);
- if (r->log)
- PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
+ if (r->log || (nr != NULL && nr->natpass && nr->log))
+ PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
+ a, ruleset);
if ((r->action == PF_DROP) &&
((r->rule_flag & PFRULE_RETURNICMP) ||
@@ -3834,7 +3844,9 @@ cleanup:
s->anchor.ptr = a;
STATE_INC_COUNTERS(s);
s->allow_opts = r->allow_opts;
- s->log = r->log & 2;
+ s->log = r->log & PF_LOGALL;
+ if (nr != NULL)
+ s->log |= nr->log & PF_LOGALL;
s->proto = pd->proto;
s->direction = direction;
s->af = af;
@@ -5924,8 +5936,16 @@ done:
REASON_SET(&reason, PFRES_MEMORY);
}
- if (log)
- PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset);
+ if (log) {
+ struct pf_rule *lr;
+
+ if (s != NULL && s->nat_rule.ptr != NULL &&
+ s->nat_rule.ptr->log & PF_LOGALL)
+ lr = s->nat_rule.ptr;
+ else
+ lr = r;
+ PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset);
+ }
kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
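Review bot: The rule selected into `lr` gives the nat rule precedence whenever it carries PF_LOGALL, while the first-packet path in pf_test_tcp (`r->log ? r : nr`) prefers the filter rule; when both rules log, the same connection is attributed to the filter rule in its first pflog record and to the nat rule in all later ones, which makes correlating pflog output against the ruleset harder. Either pick one precedence for both sites, e.g. test `r->log & PF_LOGALL` before falling back to `s->nat_rule.ptr`, or record the asymmetry with a comment next to the `lr` declaration such as `/* prefer the nat rule for log-all so state packets show the translation */`. The block is duplicated for AF_INET6 in the next hunk and would be a natural static helper; the enclosing pf_test body starts and ends outside the hunk.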
@@ -6258,8 +6278,16 @@ done:
REASON_SET(&reason, PFRES_MEMORY);
}
- if (log)
- PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset);
+ if (log) {
+ struct pf_rule *lr;
+
+ if (s != NULL && s->nat_rule.ptr != NULL &&
+ s->nat_rule.ptr->log & PF_LOGALL)
+ lr = s->nat_rule.ptr;
+ else
+ lr = r;
+ PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset);
+ }
kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 63d04bd2810..3761928e6d9 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.218 2005/05/25 06:50:05 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.219 2005/05/26 15:29:48 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -60,6 +60,7 @@ enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
+
/*
* Note about PFTM_*: real indices into pf_rule.timeout[] come before
* PFTM_MAX, special cases afterwards. See pf_state_expires().
@@ -106,6 +107,9 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
#define PF_WSCALE_FLAG 0x80
#define PF_WSCALE_MASK 0x0f
+#define PF_LOG 0x01
+#define PF_LOGALL 0x02
+
struct pf_addr {
union {
struct in_addr v4;
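Review bot: PF_LOG and PF_LOGALL are added without a comment, although pf.c now depends on them being distinct bits of pf_rule.log and pf_state.log (it masks with `& PF_LOGALL` and tests `r->log` as a whole) and parse.y stores exactly one of them per rule rather than a combination. A one-line comment above the defines would record that contract: `/* pf_rule.log / pf_state.log flags: PF_LOG logs the matching packet, PF_LOGALL every packet of the resulting state */`. Keeping it next to the defines means the meaning of `log-all` is not only discoverable from pf.conf(5).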