authorhenning <henning@openbsd.org>2012-07-09 14:05:35 +0000
committerhenning <henning@openbsd.org>2012-07-09 14:05:35 +0000
commitf8b0ac7e2d8b6fecfc49b826fd16ffed4b409df0 (patch)
tree49bad96494cbd0476f1828eb7817f561d23f72bc
parentcreate mode objects thru factory always: uniform require. (diff)
fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block. for now prio and tos, maintain set-tos backwards compat for the moment. "match set { prio 6, tos lowdelay }" "match set prio 6" from a discussion with ryan in tokyo a while ago, ok ryan phessler
-rw-r--r--sbin/pfctl/parse.y30
-rw-r--r--sbin/pfctl/pfctl_parser.c33
-rw-r--r--share/man/man5/pf.conf.518
3 files changed, 54 insertions, 27 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 50b7fe2dc3d..ea52bfebe24 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.615 2012/07/07 18:39:21 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.616 2012/07/09 14:05:35 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -508,6 +508,7 @@ int parseport(char *, struct range *r, int);
%type <v.hfsc_opts> hfscopts_list hfscopts_item hfsc_opts
%type <v.queue_bwspec> bandwidth
%type <v.filter_opts> filter_opts filter_opt filter_opts_l
+%type <v.filter_opts> filter_sets filter_set filter_sets_l
%type <v.antispoof_opts> antispoof_opts antispoof_opt antispoof_opts_l
%type <v.queue_opts> queue_opts queue_opt queue_opts_l
%type <v.scrub_opts> scrub_opts scrub_opt scrub_opts_l
@@ -979,7 +980,7 @@ scrub_opt : NODF {
scrub_opts.marker |= FOM_MAXMSS;
scrub_opts.maxmss = $2;
}
- | SETTOS tos {
+ | SETTOS tos { /* XXX remove in 5.3-current */
if (scrub_opts.marker & FOM_SETTOS) {
yyerror("set-tos cannot be respecified");
YYERROR;
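Review bot: The `XXX remove in 5.3-current` marker on the retained `SETTOS` scrub alternative says when to delete it but not why it is kept or what supersedes it, so the next reader has to recover that from history. I would make the comment self-contained: `/* XXX backwards compat for scrub (set-tos ...); superseded by "set tos", remove in 5.3-current */`. The scrub_opt rule this alternative belongs to begins before the hunk.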
@@ -2379,7 +2380,21 @@ filter_opt : USER uids {
}
filter_opts.rcv = $2;
}
- | prio {
+ | ONCE {
+ filter_opts.marker |= FOM_ONCE;
+ }
+ | filter_sets
+ ;
+
+filter_sets : SET '{' filter_sets_l '}' { $$ = filter_opts; }
+ | SET filter_set { $$ = filter_opts; }
+ ;
+
+filter_sets_l : filter_sets_l comma filter_set
+ | filter_set
+ ;
+
+filter_set : prio {
if (filter_opts.marker & FOM_SETPRIO) {
yyerror("prio cannot be redefined");
YYERROR;
@@ -2388,8 +2403,13 @@ filter_opt : USER uids {
filter_opts.set_prio[0] = $1.b1;
filter_opts.set_prio[1] = $1.b2;
}
- | ONCE {
- filter_opts.marker |= FOM_ONCE;
+ | TOS tos {
+ if (filter_opts.marker & FOM_SETTOS) {
+ yyerror("tos cannot be respecified");
+ YYERROR;
+ }
+ filter_opts.marker |= FOM_SETTOS;
+ filter_opts.settos = $2;
}
;
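Review bot: The respecification check on the new `TOS tos` alternative only consults `filter_opts.marker`, while the legacy `set-tos` kept inside `scrub ( )` in the earlier hunk records `FOM_SETTOS` in `scrub_opts.marker`, so a rule that uses both forms passes both checks. Which value then reaches the rule depends on the order in which the two option structs are applied later in the parser, outside this hunk; presumably one silently overrides the other. If the compat path is meant to survive a release, a cross-check at the point where the scrub options are merged into the rule would turn the conflict into an error, e.g. `yyerror("tos cannot be set both in scrub () and set {}");`, and the message here could name the form, `yyerror("set tos cannot be respecified");`, to distinguish it from the `tos` filter criterion. The filter_set rule starts in the previous hunk.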
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index ec2af0ac5c3..5b0533b3b34 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.285 2012/07/07 16:24:32 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.286 2012/07/09 14:05:35 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -843,6 +843,25 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts)
if (r->tos)
printf(" tos 0x%2.2x", r->tos);
+ if (r->set_prio[0] != PF_PRIO_NOTSET ||
+ r->scrub_flags & PFSTATE_SETTOS) {
+ char *comma = "";
+ printf(" set {");
+ if (r->set_prio[0] != PF_PRIO_NOTSET) {
+ if (r->set_prio[0] == r->set_prio[1])
+ printf("%s prio %u", comma, r->set_prio[0]);
+ else
+ printf("%s prio(%u, %u)", comma, r->set_prio[0],
+ r->set_prio[1]);
+ comma = ",";
+ }
+ if (r->scrub_flags & PFSTATE_SETTOS) {
+ printf("%s tos 0x%2.2x", comma, r->set_tos);
+ comma = ",";
+ }
+ printf(" }");
+ }
+
ropts = 0;
if (r->max_states || r->max_src_nodes || r->max_src_states)
ropts = 1;
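Review bot: `set tos` is now printed outside the `scrub ( … )` group, but the removed `set-tos` branch used to be one of the items that group existed for; if the `scrub (` opener further down print_rule still keys on `PFSTATE_SETTOS` (it is outside this hunk), a rule with only `set tos` would be printed as an empty `scrub ( )`, which the grammar does not accept when `pfctl -sr` output is fed back in — worth confirming against the opener's condition. Two smaller points in the new block: `comma` only ever points at string literals and should be `const char *comma = "";`, and the trailing `comma = ",";` after the tos item is never read and can be dropped. The enclosing print_rule starts before the hunk and continues after it.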
@@ -998,12 +1017,6 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts)
printf("min-ttl %d", r->min_ttl);
ropts = 0;
}
- if (r->scrub_flags & PFSTATE_SETTOS) {
- if (!ropts)
- printf(" ");
- printf("set-tos 0x%2.2x", r->set_tos);
- ropts = 0;
- }
if (r->scrub_flags & PFSTATE_SCRUB_TCP) {
if (!ropts)
printf(" ");
@@ -1089,12 +1102,6 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts)
printf(" ");
print_pool(&r->route, 0, 0, r->af, PF_POOL_ROUTE, verbose);
}
- if (r->set_prio[0] != PF_PRIO_NOTSET) {
- if (r->set_prio[0] == r->set_prio[1])
- printf(" prio %u", r->set_prio[0]);
- else
- printf(" prio(%u, %u)", r->set_prio[0], r->set_prio[1]);
- }
}
void
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 6488dc58534..3d9f5d46444 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.515 2012/06/29 12:56:20 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.516 2012/07/09 14:05:35 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: June 29 2012 $
+.Dd $Mdocdate: July 9 2012 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -622,7 +622,7 @@ For example, the following rule will drop 20% of incoming ICMP packets:
.Pp
.Dl block in proto icmp probability 20%
.Pp
-.It Xo Ar prio Aq Ar priority
+.It Xo Ar set prio Aq Ar priority
.No \*(Ba ( Aq Ar priority ,
.Aq Ar priority )
.Xc
@@ -639,8 +639,8 @@ and TCP ACKs with no data payload will be assigned to the second one.
.Pp
For example:
.Bd -literal -offset indent
-pass in proto tcp to port 25 prio 2
-pass in proto tcp to port 22 prio (2, 5)
+pass in proto tcp to port 25 set prio 2
+pass in proto tcp to port 22 set prio (2, 5)
.Ed
.Pp
The interface priority queues accessed by the
@@ -2356,10 +2356,10 @@ artificially extends the security of TCP sequence numbers by 10 to 18
bits when the host uses appropriately randomized timestamps, since a
blind attacker would have to guess the timestamp as well.
.El
-.It Xo Ar set-tos Aq Ar string
+.It Xo Ar set tos Aq Ar string
.No \*(Ba Aq Ar number
.Xc
-Enforces a TOS for matching IPv4 packets.
+Enforces a TOS for matching packets.
.Ar string
may be one of
.Ar critical ,
@@ -2788,7 +2788,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type |
"divert-packet" "port" port | "divert-reply" |
"divert-to" host "port" port |
"label" string | "tag" string | [ ! ] "tagged" string |
- "prio" ( number | "(" number [ [ "," ] number ] ")" ) |
+ "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
"queue" ( string | "(" string [ [ "," ] string ] ")" ) |
"rtable" number | "probability" number"%" |
"af-to" af "from" ( redirhost | "{" redirhost-list "}" )
@@ -2804,7 +2804,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type |
scrubopts = scrubopt [ [ "," ] scrubopts ]
scrubopt = "no-df" | "min-ttl" number | "max-mss" number |
- "set-tos" tos | "reassemble tcp" | "random-id"
+ "set tos" tos | "reassemble tcp" | "random-id"
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
"for" ifspec [ af ] [ "label" string ]