diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2022-11-22 13:23:27 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-11-28 19:19:05 +0000 |
| commit | 57e047e51c6daf72912332bc95263084f4f0430c (patch) | |
| tree | 3aa68aa8e994fba038bbc84fdff5c9d94f2ed63c /sbin/pfctl | |
| parent | ce9f36610ea9ff29d42a2bcfed44b020c2e56dcb (diff) | |
| download | src-57e047e51c6daf72912332bc95263084f4f0430c.tar.gz src-57e047e51c6daf72912332bc95263084f4f0430c.zip | |
pf: allow scrub rules without fragment reassemble
scrub rules have defaulted to handling fragments for a long time, but
since we removed "fragment crop" and "fragment drop-ovl" in 64b3b4d611
this has become less obvious and more expensive ("reassemble" being the
more expensive option, even if it's the one the vast majority of users
should be using).
Extend the 'scrub' syntax to allow fragment reassembly to be disabled,
while retaining the other scrub behaviour (e.g. TTL changes, random-id,
..) using 'scrub fragment no reassemble'.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37459
Diffstat (limited to 'sbin/pfctl')
| -rw-r--r-- | sbin/pfctl/parse.y | 3 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_parser.c | 3 | ||||
| -rw-r--r-- | sbin/pfctl/tests/files/pf1011.in | 1 | ||||
| -rw-r--r-- | sbin/pfctl/tests/files/pf1011.ok | 1 | ||||
| -rw-r--r-- | sbin/pfctl/tests/files/pf1012.in | 1 | ||||
| -rw-r--r-- | sbin/pfctl/tests/files/pf1012.ok | 1 | ||||
| -rw-r--r-- | sbin/pfctl/tests/pfctl_test_list.inc | 2 |
7 files changed, 10 insertions, 2 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 1d0494e6d0b9..166cbae79087 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1528,7 +1528,8 @@ scrub_opt : NODF { } ; -fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } +fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } + | FRAGMENT NO REASSEMBLE { $$ = PFRULE_FRAGMENT_NOREASS; } | FRAGMENT FRAGCROP { $$ = 0; } | FRAGMENT FRAGDROP { $$ = 0; } ; diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 824e473ea2e9..fca1a7aa7b8f 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1131,7 +1131,8 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer if (r->rule_flag & PFRULE_REASSEMBLE_TCP) printf(" reassemble tcp"); - printf(" fragment reassemble"); + printf(" fragment %sreassemble", + r->rule_flag & PFRULE_FRAGMENT_NOREASS ? "no " : ""); } i = 0; while (r->label[i][0]) diff --git a/sbin/pfctl/tests/files/pf1011.in b/sbin/pfctl/tests/files/pf1011.in new file mode 100644 index 000000000000..84f0e7204e40 --- /dev/null +++ b/sbin/pfctl/tests/files/pf1011.in @@ -0,0 +1 @@ +scrub fragment no reassemble diff --git a/sbin/pfctl/tests/files/pf1011.ok b/sbin/pfctl/tests/files/pf1011.ok new file mode 100644 index 000000000000..48572b371d8d --- /dev/null +++ b/sbin/pfctl/tests/files/pf1011.ok @@ -0,0 +1 @@ +scrub all fragment no reassemble diff --git a/sbin/pfctl/tests/files/pf1012.in b/sbin/pfctl/tests/files/pf1012.in new file mode 100644 index 000000000000..9083d1bf5396 --- /dev/null +++ b/sbin/pfctl/tests/files/pf1012.in @@ -0,0 +1 @@ +scrub diff --git a/sbin/pfctl/tests/files/pf1012.ok b/sbin/pfctl/tests/files/pf1012.ok new file mode 100644 index 000000000000..b7f1f454fb6a --- /dev/null +++ b/sbin/pfctl/tests/files/pf1012.ok @@ -0,0 +1 @@ +scrub all fragment reassemble diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc index 0b6d5110034d..0b7d89099efe 100644 --- a/sbin/pfctl/tests/pfctl_test_list.inc +++ b/sbin/pfctl/tests/pfctl_test_list.inc @@ -121,3 +121,5 @@ PFCTL_TEST(1007, "Basic ethernet rule") PFCTL_TEST(1008, "Ethernet rule with mask length") PFCTL_TEST(1009, "Ethernet rule with mask") PFCTL_TEST(1010, "POM_STICKYADDRESS test") +PFCTL_TEST(1011, "Test disabling scrub fragment reassemble") +PFCTL_TEST(1012, "Test scrub fragment reassemble is default") |