authorKristof Provost <kp@FreeBSD.org>2018-06-22 21:59:30 +0000
committerKristof Provost <kp@FreeBSD.org>2018-06-22 21:59:30 +0000
commit150182e309ff781a0c71519ea6da708d999d5ccb (patch)
treeebd8090b59a0cf0f02b63546c6005adaf9297f30 /sbin
parentba6cce3aea29af80beef44853ca82006165f0e2a (diff)
pf: Support "return" statements in passing rules when they fail.
Normally pf rules are expected to do one of two things: pass the traffic or block it. Blocking can be silent - "drop", or loud - "return", "return-rst", "return-icmp". Yet there is a 3rd category of traffic passing through pf: packets matching a "pass" rule where applying the rule fails. This happens when the redirection table is empty or when src node or state creation fails. Such rules always fail silently without notifying the sender. Allow users to configure this behaviour too, so that pf returns an error packet in these cases. PR: 226850 Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net> MFC after: 1 week Sponsored by: InnoGames GmbH
Notes
Notes: svn path=/head/; revision=335569
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y28
1 files changed, 25 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c976358325e7..26d1dbb1a1ec 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -79,6 +79,7 @@ static u_int16_t returnicmpdefault =
static u_int16_t returnicmp6default =
(ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
static int blockpolicy = PFRULE_DROP;
+static int failpolicy = PFRULE_DROP;
static int require_order = 1;
static int default_statelock;
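Review bot: The new `failpolicy` static carries no comment, and unlike `blockpolicy` its meaning is not obvious from the name; the commit message is currently the only place saying it governs what pf sends back when a pass rule matches but cannot be applied. A line above it such as `/* reply when a matching pass rule cannot be applied (empty rdr table, state or src-node creation failure): PFRULE_DROP or PFRULE_RETURN */` would keep that knowledge in the file. The same variable is written by the `set fail-policy` option and reset in the parse_config hunk further down, which a reader will only find by searching, so the comment could name those two writers.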
@@ -455,8 +456,8 @@ int parseport(char *, struct range *r, int);
%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
-%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
-%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
+%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY
+%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
%token ANTISPOOF FOR INCLUDE
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME
@@ -640,6 +641,20 @@ option : SET OPTIMIZATION STRING {
YYERROR;
blockpolicy = PFRULE_RETURN;
}
+ | SET FAILPOLICY DROP {
+ if (pf->opts & PF_OPT_VERBOSE)
+ printf("set fail-policy drop\n");
+ if (check_rulestate(PFCTL_STATE_OPTION))
+ YYERROR;
+ failpolicy = PFRULE_DROP;
+ }
+ | SET FAILPOLICY RETURN {
+ if (pf->opts & PF_OPT_VERBOSE)
+ printf("set fail-policy return\n");
+ if (check_rulestate(PFCTL_STATE_OPTION))
+ YYERROR;
+ failpolicy = PFRULE_RETURN;
+ }
| SET REQUIREORDER yesno {
if (pf->opts & PF_OPT_VERBOSE)
printf("set require-order %s\n",
@@ -2636,7 +2651,12 @@ probability : STRING {
;
-action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
+action : PASS {
+ $$.b1 = PF_PASS;
+ $$.b2 = failpolicy;
+ $$.w = returnicmpdefault;
+ $$.w2 = returnicmp6default;
+ }
| BLOCK blockspec { $$ = $2; $$.b1 = PF_DROP; }
;
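Review bot: The rewritten PASS action fills `$$.w` and `$$.w2` with the ICMP defaults even when `failpolicy` is `PFRULE_DROP`, and nothing at this point explains why a pass rule carries return codes at all; a comment on the new block would help, e.g. `/* b2 is the fail-policy: what to send back if this pass rule matches but cannot be applied; w/w2 are the ICMP/ICMP6 codes used when it is PFRULE_RETURN */`. Presumably the rule-building code that consumes `$2.b2`/`$2.w`/`$2.w2` only uses the codes when b2 selects a return policy, so the unconditional assignment looks harmless, but that consumer is outside this hunk and worth checking. Note also that, unlike `block return-icmp(...)`, a pass rule gets no syntax to override the codes: they are always `returnicmpdefault`/`returnicmp6default` as captured when the rule is parsed, which the comment (or pf.conf.5, if not already covered) should state.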
@@ -5471,6 +5491,7 @@ lookup(char *s)
{ "drop", DROP},
{ "drop-ovl", FRAGDROP},
{ "dup-to", DUPTO},
+ { "fail-policy", FAILPOLICY},
{ "fairq", FAIRQ},
{ "fastroute", FASTROUTE},
{ "file", FILENAME},
@@ -5935,6 +5956,7 @@ parse_config(char *filename, struct pfctl *xpf)
returnicmp6default =
(ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
blockpolicy = PFRULE_DROP;
+ failpolicy = PFRULE_DROP;
require_order = 1;
if ((file = pushfile(filename, 0)) == NULL) {