-rw-r--r--sbin/pfctl/parse.y88
-rw-r--r--share/man/man5/pf.conf.516
2 files changed, 4 insertions, 100 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 814f64514f9..0c165c47611 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.601 2011/07/03 23:59:43 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.602 2011/07/04 03:36:14 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -63,13 +63,11 @@
static struct pfctl *pf = NULL;
static int debug = 0;
-static int rulestate = 0;
static u_int16_t returnicmpdefault =
(ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
static u_int16_t returnicmp6default =
(ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
static int blockpolicy = PFRULE_DROP;
-static int require_order = 0;
static int default_statelock;
TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files);
@@ -105,14 +103,6 @@ char *symget(const char *);
int atoul(char *, u_long *);
-enum {
- PFCTL_STATE_NONE,
- PFCTL_STATE_OPTION,
- PFCTL_STATE_QUEUE,
- PFCTL_STATE_NAT,
- PFCTL_STATE_FILTER
-};
-
struct node_proto {
u_int8_t proto;
struct node_proto *next;
@@ -362,7 +352,6 @@ int expand_queue(struct pf_altq *, struct node_if *,
struct node_queue_opt *);
int expand_skip_interface(struct node_if *);
-int check_rulestate(int);
int getservice(char *);
int rule_label(struct pf_rule *, char *);
@@ -457,7 +446,7 @@ int parseport(char *, struct range *r, int);
%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token REASSEMBLE ANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
-%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
+%token SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
%token ANTISPOOF FOR INCLUDE MATCHES
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN LEASTSTATES STATICPORT PROBABILITY
%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
@@ -577,15 +566,9 @@ optnodf : /* empty */ { $$ = 0; }
;
option : SET REASSEMBLE yesno optnodf {
- if (check_rulestate(PFCTL_STATE_OPTION))
- YYERROR;
pfctl_set_reassembly(pf, $3, $4);
}
| SET OPTIMIZATION STRING {
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (pfctl_set_optimization(pf, $3) != 0) {
yyerror("unknown optimization %s", $3);
free($3);
@@ -604,10 +587,6 @@ option : SET REASSEMBLE yesno optnodf {
| SET LIMIT limit_spec
| SET LIMIT '{' optnl limit_list '}'
| SET LOGINTERFACE stringall {
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (pfctl_set_logif(pf, $3) != 0) {
yyerror("error setting loginterface %s", $3);
free($3);
@@ -628,30 +607,16 @@ option : SET REASSEMBLE yesno optnodf {
| SET BLOCKPOLICY DROP {
if (pf->opts & PF_OPT_VERBOSE)
printf("set block-policy drop\n");
- if (check_rulestate(PFCTL_STATE_OPTION))
- YYERROR;
blockpolicy = PFRULE_DROP;
}
| SET BLOCKPOLICY RETURN {
if (pf->opts & PF_OPT_VERBOSE)
printf("set block-policy return\n");
- if (check_rulestate(PFCTL_STATE_OPTION))
- YYERROR;
blockpolicy = PFRULE_RETURN;
}
- | SET REQUIREORDER yesno {
- if (pf->opts & PF_OPT_VERBOSE)
- printf("set require-order %s\n",
- $3 == 1 ? "yes" : "no");
- require_order = $3;
- }
| SET FINGERPRINTS STRING {
if (pf->opts & PF_OPT_VERBOSE)
printf("set fingerprints \"%s\"\n", $3);
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (!pf->anchor->name[0]) {
if (pfctl_file_fingerprints(pf->dev,
pf->opts, $3)) {
@@ -676,10 +641,6 @@ option : SET REASSEMBLE yesno optnodf {
default_statelock = $3;
}
| SET DEBUG STRING {
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (pfctl_set_debug(pf, $3) != 0) {
yyerror("error setting debuglevel %s", $3);
free($3);
@@ -796,12 +757,6 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
struct pf_rule r;
struct node_proto *proto;
- if (check_rulestate(PFCTL_STATE_FILTER)) {
- if ($2)
- free($2);
- YYERROR;
- }
-
if ($2 && ($2[0] == '_' || strstr($2, "/_") != NULL)) {
free($2);
yyerror("anchor names beginning with '_' "
@@ -1037,9 +992,6 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
struct node_host *h = NULL, *hh;
struct node_if *i, *j;
- if (check_rulestate(PFCTL_STATE_FILTER))
- YYERROR;
-
for (i = $3; i; i = i->next) {
bzero(&r, sizeof(r));
@@ -1295,9 +1247,6 @@ table_opt : STRING {
altqif : ALTQ interface queue_opts QUEUE qassign {
struct pf_altq a;
- if (check_rulestate(PFCTL_STATE_QUEUE))
- YYERROR;
-
memset(&a, 0, sizeof(a));
if ($3.scheduler.qtype == ALTQT_NONE) {
yyerror("no scheduler specified!");
@@ -1319,13 +1268,7 @@ altqif : ALTQ interface queue_opts QUEUE qassign {
queuespec : QUEUE STRING interface queue_opts qassign {
struct pf_altq a;
- if (check_rulestate(PFCTL_STATE_QUEUE)) {
- free($2);
- YYERROR;
- }
-
memset(&a, 0, sizeof(a));
-
if (strlcpy(a.qname, $2, sizeof(a.qname)) >=
sizeof(a.qname)) {
yyerror("queue name too long (max "
@@ -1683,11 +1626,7 @@ pfrule : action dir logquick interface af proto fromto
int adaptive = 0;
int defaults = 0;
- if (check_rulestate(PFCTL_STATE_FILTER))
- YYERROR;
-
memset(&r, 0, sizeof(r));
-
r.action = $1.b1;
switch ($1.b2) {
case PFRULE_RETURNRST:
@@ -3846,10 +3785,6 @@ routespec : route_host { $$ = $1; }
timeout_spec : STRING NUMBER
{
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($1);
- YYERROR;
- }
if ($2 < 0 || $2 > UINT_MAX) {
yyerror("only positive values permitted");
YYERROR;
@@ -3869,10 +3804,6 @@ timeout_list : timeout_list comma timeout_spec optnl
limit_spec : STRING NUMBER
{
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($1);
- YYERROR;
- }
if ($2 < 0 || $2 > UINT_MAX) {
yyerror("only positive values permitted");
YYERROR;
@@ -5036,18 +4967,6 @@ freehostlist(struct node_host *h)
#undef LOOP_THROUGH
int
-check_rulestate(int desired_state)
-{
- if (require_order && (rulestate > desired_state)) {
- yyerror("Rules must be in order: options, normalization, "
- "queueing, translation, filtering");
- return (1);
- }
- rulestate = desired_state;
- return (0);
-}
-
-int
kw_cmp(const void *k, const void *e)
{
return (strcmp(k, ((const struct keywords *)e)->k_name));
@@ -5142,7 +5061,6 @@ lookup(char *s)
{ "reassemble", REASSEMBLE},
{ "received-on", RECEIVEDON},
{ "reply-to", REPLYTO},
- { "require-order", REQUIREORDER},
{ "return", RETURN},
{ "return-icmp", RETURNICMP},
{ "return-icmp6", RETURNICMP6},
@@ -5539,12 +5457,10 @@ parse_config(char *filename, struct pfctl *xpf)
pf = xpf;
errors = 0;
- rulestate = PFCTL_STATE_NONE;
returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
returnicmp6default =
(ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
blockpolicy = PFRULE_DROP;
- require_order = 0;
if ((file = pushfile(filename, 0)) == NULL) {
warn("cannot open the main config file!");
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 2bbccb81154..697a69d6754 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.496 2011/07/03 23:37:55 zinke Exp $
+.\" $OpenBSD: pf.conf.5,v 1.497 2011/07/04 03:36:14 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 3 2011 $
+.Dd $Mdocdate: July 4 2011 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -1142,17 +1142,6 @@ instead of being dropped;
the reassembled packet will have the
.Ar dont-fragment
bit cleared.
-.It Ar set require-order
-If set to
-.Ar yes ,
-.Xr pfctl 8
-will enforce that statement types in the ruleset are listed in the
-following order, to match the operation of the underlying packet
-filtering engine:
-.Em options ,
-.Em queueing ,
-.Em filtering .
-This option is disabled by default.
.It Ar set ruleset-optimization
.Bl -tag -width xxxxxxxx -compact
.It Ar basic
@@ -2666,7 +2655,6 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "block-policy" ( "drop" | "return" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ]
[ "state-defaults" state-opts ]
- [ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
[ "skip on" ifspec ] |
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] |