diff options
author | Kristof Provost <kp@FreeBSD.org> | 2022-09-22 17:00:11 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2022-11-02 14:45:23 +0000 |
commit | 8a8af94240084a091a1c048da027f80ee37937e7 (patch) | |
tree | 12c459b6fb29f30623f28721ba1380613f8c1a42 /sbin/pfctl | |
parent | ccd9b49f20e7a2e6eac1e7e68db23e222bf40263 (diff) | |
download | src-8a8af94240084a091a1c048da027f80ee37937e7.tar.gz src-8a8af94240084a091a1c048da027f80ee37937e7.zip |
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/parse.y | 48 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 2 |
2 files changed, 34 insertions, 16 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index eea9f89782be..1d0494e6d0b9 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -351,7 +351,8 @@ void expand_label_nr(const char *, char *, size_t, void expand_eth_rule(struct pfctl_eth_rule *, struct node_if *, struct node_etherproto *, struct node_mac *, struct node_mac *, - struct node_host *, struct node_host *, const char *); + struct node_host *, struct node_host *, const char *, + const char *); void expand_rule(struct pfctl_rule *, struct node_if *, struct node_host *, struct node_proto *, struct node_os *, struct node_host *, struct node_port *, struct node_host *, @@ -432,6 +433,7 @@ typedef struct { struct { struct node_mac *mac; } etheraddr; + char *bridge_to; struct { struct node_host *host; u_int8_t rt; @@ -503,7 +505,7 @@ int parseport(char *, struct range *r, int); %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS -%token DIVERTTO DIVERTREPLY +%token DIVERTTO DIVERTREPLY BRIDGE_TO %token <v.string> STRING %token <v.number> NUMBER %token <v.i> PORTBINARY @@ -563,6 +565,7 @@ int parseport(char *, struct range *r, int); %type <v.etherproto> etherproto etherproto_list etherproto_item %type <v.etherfromto> etherfromto %type <v.etheraddr> etherfrom etherto +%type <v.bridge_to> bridge %type <v.mac> xmac mac mac_list macspec %% @@ -1195,7 +1198,7 @@ scrubaction : no SCRUB { } ; -etherrule : ETHER action dir quick interface etherproto etherfromto l3fromto etherfilter_opts +etherrule : ETHER action dir quick interface bridge etherproto etherfromto l3fromto etherfilter_opts { struct pfctl_eth_rule r; @@ -1207,23 +1210,23 @@ etherrule : ETHER action dir quick interface etherproto etherfromto l3fromto eth r.action = $2.b1; r.direction = $3; r.quick = $4.quick; - if ($9.tag != NULL) - memcpy(&r.tagname, $9.tag, sizeof(r.tagname)); - if ($9.match_tag) - if (strlcpy(r.match_tagname, $9.match_tag, + if ($10.tag != NULL) + memcpy(&r.tagname, $10.tag, sizeof(r.tagname)); + if ($10.match_tag) + if (strlcpy(r.match_tagname, $10.match_tag, PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) { yyerror("tag too long, max %u chars", PF_TAG_NAME_SIZE - 1); YYERROR; } - r.match_tag_not = $9.match_tag_not; - if ($9.queues.qname != NULL) - memcpy(&r.qname, $9.queues.qname, sizeof(r.qname)); - r.dnpipe = $9.dnpipe; - r.dnflags = $9.free_flags; + r.match_tag_not = $10.match_tag_not; + if ($10.queues.qname != NULL) + memcpy(&r.qname, $10.queues.qname, sizeof(r.qname)); + r.dnpipe = $10.dnpipe; + r.dnflags = $10.free_flags; - expand_eth_rule(&r, $5, $6, $7.src, $7.dst, - $8.src.host, $8.dst.host, ""); + expand_eth_rule(&r, $5, $7, $8.src, $8.dst, + $9.src.host, $9.dst.host, $6, ""); } ; @@ -1315,7 +1318,7 @@ etheranchorrule : ETHER ANCHOR anchorname dir quick interface etherproto etherfr r.quick = $5.quick; expand_eth_rule(&r, $6, $7, $8.src, $8.dst, - $9.src.host, $9.dst.host, + $9.src.host, $9.dst.host, NULL, pf->eastack[pf->asd + 1] ? pf->ealast->name : $3); free($3); @@ -1361,6 +1364,14 @@ etherfilter_opt : etherqname { } ; +bridge : /* empty */ { + $$ = NULL; + } + | BRIDGE_TO STRING { + $$ = strdup($2); + } + ; + scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts { struct pfctl_rule r; @@ -5801,7 +5812,8 @@ void expand_eth_rule(struct pfctl_eth_rule *r, struct node_if *interfaces, struct node_etherproto *protos, struct node_mac *srcs, struct node_mac *dsts, - struct node_host *ipsrcs, struct node_host *ipdsts, const char *anchor_call) + struct node_host *ipsrcs, struct node_host *ipdsts, + const char *bridge_to, const char *anchor_call) { char tagname[PF_TAG_NAME_SIZE]; char match_tagname[PF_TAG_NAME_SIZE]; @@ -5852,6 +5864,9 @@ expand_eth_rule(struct pfctl_eth_rule *r, if (strlcpy(r->qname, qname, sizeof(r->qname)) >= sizeof(r->qname)) errx(1, "expand_eth_rule: r->qname"); + if (bridge_to) + strlcpy(r->bridge_to, bridge_to, sizeof(r->bridge_to)); + pfctl_append_eth_rule(pf, r, anchor_call); )))))); @@ -6110,6 +6125,7 @@ lookup(char *s) { "bitmask", BITMASK}, { "block", BLOCK}, { "block-policy", BLOCKPOLICY}, + { "bridge-to", BRIDGE_TO}, { "buckets", BUCKETS}, { "cbq", CBQ}, { "code", CODE}, diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 1ad895bede05..824e473ea2e9 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -774,6 +774,8 @@ print_eth_rule(struct pfctl_eth_rule *r, const char *anchor_call, else printf(" on %s", r->ifname); } + if (r->bridge_to[0]) + printf(" bridge-to %s", r->bridge_to); if (r->proto) printf(" proto 0x%04x", r->proto); |