|
1
|
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
|
|
2
|
index 0f19175..3e52fb2 100644
|
|
3
|
--- a/sbin/pfctl/parse.y
|
|
4
|
+++ b/sbin/pfctl/parse.y
|
|
5
|
@@ -479,8 +479,8 @@ int parseport(char *, struct range *r, int);
|
|
6
|
%type <v.icmp> icmp6_list icmp6_item
|
|
7
|
%type <v.number> reticmpspec reticmp6spec
|
|
8
|
%type <v.fromto> fromto
|
|
9
|
-%type <v.peer> ipportspec from to
|
|
10
|
-%type <v.host> ipspec toipspec xhost host dynaddr host_list
|
|
11
|
+%type <v.peer> ipportspec from to toipportspec
|
|
12
|
+%type <v.host> ipspec xhost host dynaddr host_list
|
|
13
|
%type <v.host> redir_host_list redirspec
|
|
14
|
%type <v.host> route_host route_host_list routespec
|
|
15
|
%type <v.os> os xos os_list
|
|
16
|
@@ -2813,8 +2813,8 @@ ipspec : ANY { $$ = NULL; }
|
|
17
|
| '{' optnl host_list '}' { $$ = $3; }
|
|
18
|
;
|
|
19
|
|
|
20
|
-toipspec : TO ipspec { $$ = $2; }
|
|
21
|
- | /* empty */ { $$ = NULL; }
|
|
22
|
+toipportspec : TO ipportspec { $$ = $2; }
|
|
23
|
+ | /* empty */ { $$.host = NULL; $$.port = NULL; }
|
|
24
|
;
|
|
25
|
|
|
26
|
host_list : ipspec optnl { $$ = $1; }
|
|
27
|
@@ -4085,7 +4085,7 @@ natrule : nataction interface af proto fromto tag tagged rtable
|
|
28
|
}
|
|
29
|
;
|
|
30
|
|
|
31
|
-binatrule : no BINAT natpasslog interface af proto FROM host toipspec tag
|
|
32
|
+binatrule : no BINAT natpasslog interface af proto FROM ipportspec toipportspec tag
|
|
33
|
tagged rtable redirection
|
|
34
|
{
|
|
35
|
struct pf_rule binat;
|
|
36
|
@@ -4093,7 +4093,7 @@ binatrule : no BINAT natpasslog interface af proto FROM host toipspec tag
|
|
37
|
|
|
38
|
if (check_rulestate(PFCTL_STATE_NAT))
|
|
39
|
YYERROR;
|
|
40
|
- if (disallow_urpf_failed($9, "\"urpf-failed\" is not "
|
|
41
|
+ if (disallow_urpf_failed($9.host, "\"urpf-failed\" is not "
|
|
42
|
"permitted as a binat destination"))
|
|
43
|
YYERROR;
|
|
44
|
|
|
45
|
@@ -4111,10 +4111,10 @@ binatrule : no BINAT natpasslog interface af proto FROM host toipspec tag
|
|
46
|
binat.log = $3.b2;
|
|
47
|
binat.logif = $3.w2;
|
|
48
|
binat.af = $5;
|
|
49
|
- if (!binat.af && $8 != NULL && $8->af)
|
|
50
|
- binat.af = $8->af;
|
|
51
|
- if (!binat.af && $9 != NULL && $9->af)
|
|
52
|
- binat.af = $9->af;
|
|
53
|
+ if (!binat.af && $8.host != NULL && $8.host->af)
|
|
54
|
+ binat.af = $8.host->af;
|
|
55
|
+ if (!binat.af && $9.host != NULL && $9.host->af)
|
|
56
|
+ binat.af = $9.host->af;
|
|
57
|
|
|
58
|
if (!binat.af && $13 != NULL && $13->host)
|
|
59
|
binat.af = $13->host->af;
|
|
60
|
@@ -4153,10 +4153,10 @@ binatrule : no BINAT natpasslog interface af proto FROM host toipspec tag
|
|
61
|
free($6);
|
|
62
|
}
|
|
63
|
|
|
64
|
- if ($8 != NULL && disallow_table($8, "invalid use of "
|
|
65
|
+ if ($8.host != NULL && disallow_table($8.host, "invalid use of "
|
|
66
|
"table <%s> as the source address of a binat rule"))
|
|
67
|
YYERROR;
|
|
68
|
- if ($8 != NULL && disallow_alias($8, "invalid use of "
|
|
69
|
+ if ($8.host != NULL && disallow_alias($8.host, "invalid use of "
|
|
70
|
"interface (%s) as the source address of a binat "
|
|
71
|
"rule"))
|
|
72
|
YYERROR;
|
|
73
|
@@ -4169,38 +4169,46 @@ binatrule : no BINAT natpasslog interface af proto FROM host toipspec tag
|
|
74
|
"redirect address of a binat rule"))
|
|
75
|
YYERROR;
|
|
76
|
|
|
77
|
- if ($8 != NULL) {
|
|
78
|
- if ($8->next) {
|
|
79
|
+ if ($8.host != NULL) {
|
|
80
|
+ if ($8.host->next) {
|
|
81
|
yyerror("multiple binat ip addresses");
|
|
82
|
YYERROR;
|
|
83
|
}
|
|
84
|
- if ($8->addr.type == PF_ADDR_DYNIFTL)
|
|
85
|
- $8->af = binat.af;
|
|
86
|
- if ($8->af != binat.af) {
|
|
87
|
+ if ($8.host->addr.type == PF_ADDR_DYNIFTL)
|
|
88
|
+ $8.host->af = binat.af;
|
|
89
|
+ if ($8.host->af != binat.af) {
|
|
90
|
yyerror("binat ip versions must match");
|
|
91
|
YYERROR;
|
|
92
|
}
|
|
93
|
- if (check_netmask($8, binat.af))
|
|
94
|
+ if (check_netmask($8.host, binat.af))
|
|
95
|
YYERROR;
|
|
96
|
- memcpy(&binat.src.addr, &$8->addr,
|
|
97
|
+ memcpy(&binat.src.addr, &$8.host->addr,
|
|
98
|
sizeof(binat.src.addr));
|
|
99
|
- free($8);
|
|
100
|
+ binat.src.neg = $8.host->not;
|
|
101
|
+ free($8.host);
|
|
102
|
}
|
|
103
|
- if ($9 != NULL) {
|
|
104
|
- if ($9->next) {
|
|
105
|
+ if ($9.host != NULL) {
|
|
106
|
+ if ($9.host->next) {
|
|
107
|
yyerror("multiple binat ip addresses");
|
|
108
|
YYERROR;
|
|
109
|
}
|
|
110
|
- if ($9->af != binat.af && $9->af) {
|
|
111
|
+ if ($9.host->af != binat.af && $9.host->af) {
|
|
112
|
yyerror("binat ip versions must match");
|
|
113
|
YYERROR;
|
|
114
|
}
|
|
115
|
- if (check_netmask($9, binat.af))
|
|
116
|
+ if (check_netmask($9.host, binat.af))
|
|
117
|
YYERROR;
|
|
118
|
- memcpy(&binat.dst.addr, &$9->addr,
|
|
119
|
+ memcpy(&binat.dst.addr, &$9.host->addr,
|
|
120
|
sizeof(binat.dst.addr));
|
|
121
|
- binat.dst.neg = $9->not;
|
|
122
|
- free($9);
|
|
123
|
+ binat.dst.neg = $9.host->not;
|
|
124
|
+ free($9.host);
|
|
125
|
+ }
|
|
126
|
+
|
|
127
|
+ if ($9.port != NULL) {
|
|
128
|
+ binat.dst.port[0] = $9.port->port[0];
|
|
129
|
+ binat.dst.port[1] = $9.port->port[1];
|
|
130
|
+ binat.dst.port_op = $9.port->op;
|
|
131
|
+ free($9.port);
|
|
132
|
}
|
|
133
|
|
|
134
|
if (binat.action == PF_NOBINAT) {
|