authormcbride <mcbride@openbsd.org>2006-10-06 10:45:44 +0000
committermcbride <mcbride@openbsd.org>2006-10-06 10:45:44 +0000
commitfdee1077e86a6db6cb79dda27a36ad9b74dd452b (patch)
treede0aa86438a32cffabe47befe150c999f8009714
parentCoverity fixes backported from the heimdal cvs. (diff)
Make 'flags S/SA keep state' the implicit default for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options to disable flag matching and stateful filtering respectively. IMPORTANT NOTE: Current rulesets will continue to load, but the behaviour may be slightly changed as these defaults are more restrictive. If you are purposefully filtering statelessly ('no state') or have a requirement to create states on intermediate packets ('flags any') you should update your ruleset to make use of the new keywords to explicitly request the behaviour. Note that creation of states from intermediate packets in a connection is not recommended, and will increasingly cause problems as more OSs enable window scaling and increase buffer sizes by default. ok dhartmei@ deraadt@ henning@
-rw-r--r--sbin/pfctl/parse.y22
1 files changed, 20 insertions, 2 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 5e3efea0181..5fbee3426e6 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.503 2006/08/22 15:55:13 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.504 2006/10/06 10:45:44 mcbride Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1620,6 +1620,12 @@ pfrule : action dir logquick interface route af proto fromto
r.tos = $9.tos;
r.keep_state = $9.keep.action;
+
+ /* 'keep state' by default on pass rules. */
+ if (!r.keep_state && !r.action &&
+ !($9.marker & FOM_KEEP))
+ r.keep_state = PF_STATE_NORMAL;
+
o = $9.keep.options;
while (o) {
struct node_state_opt *p = o;
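Review bot: The new default at `if (!r.keep_state && !r.action && !($9.marker & FOM_KEEP))` encodes "pass rule" as `!r.action`, which is only true because PF_PASS happens to be the zero action value; writing `r.action == PF_PASS` here (and in the 'flags S/SA' hunk below) states the intent and survives any reordering of the action values. With this default an explicit `no state` is distinguishable from "nothing specified" only through the FOM_KEEP marker, and the `keep : NO STATE` alternative at the end of the diff sets `$$.action = 0` without touching any marker itself; presumably the enclosing filter option rule sets FOM_KEEP, but that code is outside these hunks and is worth confirming, since otherwise `no state` would silently load as `keep state`. The same dependency exists between `FLAGS ANY` (which yields `b1 = 0, b2 = 0`, indistinguishable from no flags) and FOM_FLAGS in the later hunks. The enclosing pfrule action begins before this hunk and continues after it.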
@@ -1772,6 +1778,13 @@ pfrule : action dir logquick interface route af proto fromto
o = o->next;
free(p);
}
+
+ /* 'flags S/SA' by default on pass rules. */
+ if (!r.action && !r.flags && !r.flagset &&
+ !($9.marker & FOM_FLAGS)) {
+ r.flags = parse_flags("S");
+ r.flagset = parse_flags("SA");
+ }
if (!adaptive && r.max_states) {
r.timeout[PFTM_ADAPTIVE_START] =
(r.max_states / 10) * 6;
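Review bot: The `flags S/SA` default at `if (!r.action && !r.flags && !r.flagset && !($9.marker & FOM_FLAGS))` is applied without looking at `r.proto`, so every pass rule that names no flags — udp, icmp, or proto unspecified — gets `r.flags`/`r.flagset` populated; if the matcher only consults these fields for TCP this is harmless at match time, but the loaded ruleset will presumably print `flags S/SA` on rules where it has no meaning, and the commit description frames the default as TCP flag matching. Consider restricting the default to TCP or proto-unspecified rules, e.g. `(r.proto == IPPROTO_TCP || r.proto == 0)` if 0 is how an unspecified proto is stored here. The two `parse_flags("S")`/`parse_flags("SA")` calls recompute constants for every rule and could be evaluated once, though the cost is negligible. pfrule's action continues outside this hunk.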
@@ -2718,6 +2731,7 @@ flag : STRING {
flags : FLAGS flag '/' flag { $$.b1 = $2.b1; $$.b2 = $4.b1; }
| FLAGS '/' flag { $$.b1 = 0; $$.b2 = $3.b1; }
+ | FLAGS ANY { $$.b1 = 0; $$.b2 = 0; }
;
icmpspec : ICMPTYPE icmp_item { $$ = $2; }
@@ -2907,7 +2921,11 @@ statelock : IFBOUND {
}
;
-keep : KEEP STATE state_opt_spec {
+keep : NO STATE {
+ $$.action = 0;
+ $$.options = NULL;
+ }
+ | KEEP STATE state_opt_spec {
$$.action = PF_STATE_NORMAL;
$$.options = $3;
}