Now with the minimum manpage bits. I'd like to get this in pretty much
now - a) to make sure it's in 5.2 before people start using prio much
and b) because I need to fix something on top which will otherwise cause
conflict hell... oks?

Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.615
diff -u -p -r1.615 parse.y
--- sbin/pfctl/parse.y  7 Jul 2012 18:39:21 -0000       1.615
+++ sbin/pfctl/parse.y  9 Jul 2012 12:55:21 -0000
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.614 2012/07/07 16:24:32 henning Exp $     */
+/*     $OpenBSD: parse.y,v 1.615 2012/07/07 18:39:21 henning Exp $     */
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -508,6 +508,7 @@ int parseport(char *, struct range *r, i
 %type  <v.hfsc_opts>           hfscopts_list hfscopts_item hfsc_opts
 %type  <v.queue_bwspec>        bandwidth
 %type  <v.filter_opts>         filter_opts filter_opt filter_opts_l
+%type  <v.filter_opts>         filter_sets filter_set filter_sets_l
 %type  <v.antispoof_opts>      antispoof_opts antispoof_opt antispoof_opts_l
 %type  <v.queue_opts>          queue_opts queue_opt queue_opts_l
 %type  <v.scrub_opts>          scrub_opts scrub_opt scrub_opts_l
@@ -979,7 +980,7 @@ scrub_opt   : NODF  {
                        scrub_opts.marker |= FOM_MAXMSS;
                        scrub_opts.maxmss = $2;
                }
-               | SETTOS tos {
+               | SETTOS tos {  /* XXX remove in 5.3-current */
                        if (scrub_opts.marker & FOM_SETTOS) {
                                yyerror("set-tos cannot be respecified");
                                YYERROR;
@@ -2379,7 +2380,21 @@ filter_opt       : USER uids {
                        }
                        filter_opts.rcv = $2;
                }
-               | prio {
+               | ONCE {
+                       filter_opts.marker |= FOM_ONCE;
+               }
+               | filter_sets
+               ;
+
+filter_sets    : SET '{' filter_sets_l '}'     { $$ = filter_opts; }
+               | SET filter_set                { $$ = filter_opts; }
+               ;
+
+filter_sets_l  : filter_sets_l comma filter_set
+               | filter_set
+               ;
+
+filter_set     : prio {
                        if (filter_opts.marker & FOM_SETPRIO) {
                                yyerror("prio cannot be redefined");
                                YYERROR;
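Review bot: The bare `prio` alternative is removed from filter_opt here with no transitional path, while the scrub `set-tos` spelling keeps one (the `XXX remove in 5.3-current` alternative in scrub_opt). A pf.conf that still says `prio 2` will now stop at a generic syntax error, and a ruleset that fails to parse is not loaded. It would help either to document the rename in the upgrade notes or to fail with a yyerror message that names `set prio` as the replacement. Both filter_opt and filter_set extend beyond this hunk.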
@@ -2388,8 +2403,13 @@ filter_opt       : USER uids {
                        filter_opts.set_prio[0] = $1.b1;
                        filter_opts.set_prio[1] = $1.b2;
                }
-               | ONCE {
-                       filter_opts.marker |= FOM_ONCE;
+               | TOS tos {
+                       if (filter_opts.marker & FOM_SETTOS) {
+                               yyerror("tos cannot be respecified");
+                               YYERROR;
+                       }
+                       filter_opts.marker |= FOM_SETTOS;
+                       filter_opts.settos = $2;
                }
                ;
 
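Review bot: The duplicate check added for `TOS tos` looks only at `filter_opts.marker`, whereas the legacy `scrub (set-tos ...)` path kept in scrub_opt checks `scrub_opts.marker`. A rule that uses both spellings may therefore not be rejected, depending on their order and on how the scrub options are merged into filter_opts (that code is not part of this diff). If the merge assigns `settos` unconditionally, a later `scrub (...)` could silently replace the value given by `set tos`; this is worth confirming and, if so, the combination should be rejected with yyerror. The two messages also differ in wording (`cannot be redefined` for prio, `cannot be respecified` for tos) and could share one. filter_set begins in the previous hunk.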
Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.285
diff -u -p -r1.285 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c   7 Jul 2012 16:24:32 -0000       1.285
+++ sbin/pfctl/pfctl_parser.c   7 Jul 2012 17:08:31 -0000
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl_parser.c,v 1.283 2011/11/23 10:24:37 henning Exp $ */
+/*     $OpenBSD: pfctl_parser.c,v 1.285 2012/07/07 16:24:32 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -843,6 +843,25 @@ print_rule(struct pf_rule *r, const char
        if (r->tos)
                printf(" tos 0x%2.2x", r->tos);
 
+       if (r->set_prio[0] != PF_PRIO_NOTSET ||
+           r->scrub_flags & PFSTATE_SETTOS) {
+               char *comma = "";
+               printf(" set {");
+               if (r->set_prio[0] != PF_PRIO_NOTSET) {
+                       if (r->set_prio[0] == r->set_prio[1])
+                               printf("%s prio %u", comma, r->set_prio[0]);
+                       else
+                               printf("%s prio(%u, %u)", comma, r->set_prio[0],
+                                   r->set_prio[1]);
+                       comma = ",";
+               }
+               if (r->scrub_flags & PFSTATE_SETTOS) {
+                       printf("%s tos 0x%2.2x", comma, r->set_tos);
+                       comma = ",";
+               }
+               printf(" }");
+       }
+
        ropts = 0;
        if (r->max_states || r->max_src_nodes || r->max_src_states)
                ropts = 1;
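Review bot: With the tos output moved into this new `set { ... }` block, a rule whose only scrub flag is PFSTATE_SETTOS could still enter the `scrub (` printing block later in print_rule and emit an empty `scrub ()`. That block's opening condition is outside the hunks shown, so it should be checked and, if it still matches on SETTOS, narrowed to the flags that are still printed there. Output that pfctl cannot parse back matters to anyone who saves `pfctl -sr` output and reloads it as a ruleset. Separately, `comma` only ever points at string literals, so `const char *comma = "";` is the safer declaration, and the `comma = ",";` after the tos branch is a dead store. print_rule starts and ends outside this hunk.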
@@ -998,12 +1017,6 @@ print_rule(struct pf_rule *r, const char
                        printf("min-ttl %d", r->min_ttl);
                        ropts = 0;
                }
-               if (r->scrub_flags & PFSTATE_SETTOS) {
-                       if (!ropts)
-                               printf(" ");
-                       printf("set-tos 0x%2.2x", r->set_tos);
-                       ropts = 0;
-               }
                if (r->scrub_flags & PFSTATE_SCRUB_TCP) {
                        if (!ropts)
                                printf(" ");
@@ -1088,12 +1101,6 @@ print_rule(struct pf_rule *r, const char
                        printf(" dup-to");
                printf(" ");
                print_pool(&r->route, 0, 0, r->af, PF_POOL_ROUTE, verbose);
-       }
-       if (r->set_prio[0] != PF_PRIO_NOTSET) {
-               if (r->set_prio[0] == r->set_prio[1])
-                       printf(" prio %u", r->set_prio[0]);
-               else
-                       printf(" prio(%u, %u)", r->set_prio[0], r->set_prio[1]);
        }
 }
 
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.515
diff -u -p -r1.515 pf.conf.5
--- share/man/man5/pf.conf.5    29 Jun 2012 12:56:20 -0000      1.515
+++ share/man/man5/pf.conf.5    9 Jul 2012 12:52:42 -0000
@@ -622,7 +622,7 @@ For example, the following rule will dro
 .Pp
 .Dl block in proto icmp probability 20%
 .Pp
-.It Xo Ar prio Aq Ar priority
+.It Xo Ar set prio Aq Ar priority
 .No \*(Ba ( Aq Ar priority ,
 .Aq Ar priority )
 .Xc
@@ -639,8 +639,8 @@ and TCP ACKs with no data payload will b
 .Pp
 For example:
 .Bd -literal -offset indent
-pass in proto tcp to port 25 prio 2
-pass in proto tcp to port 22 prio (2, 5)
+pass in proto tcp to port 25 set prio 2
+pass in proto tcp to port 22 set prio (2, 5)
 .Ed
 .Pp
 The interface priority queues accessed by the
@@ -2356,10 +2356,10 @@ artificially extends the security of TCP
 bits when the host uses appropriately randomized timestamps, since a
 blind attacker would have to guess the timestamp as well.
 .El
-.It Xo Ar set-tos Aq Ar string
+.It Xo Ar set tos Aq Ar string
 .No \*(Ba Aq Ar number
 .Xc
-Enforces a TOS for matching IPv4 packets.
+Enforces a TOS for matching packets.
 .Ar string
 may be one of
 .Ar critical ,
@@ -2788,7 +2788,7 @@ filteropt      = user | group | flags | 
                 "divert-packet" "port" port | "divert-reply" |
                 "divert-to" host "port" port |
                  "label" string | "tag" string | [ ! ] "tagged" string |
-                 "prio" ( number | "(" number [ [ "," ] number ] ")" ) |
+                 "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
                  "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                  "rtable" number | "probability" number"%" |
                 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
@@ -2804,7 +2804,7 @@ filteropt      = user | group | flags | 
 
 scrubopts      = scrubopt [ [ "," ] scrubopts ]
 scrubopt       = "no-df" | "min-ttl" number | "max-mss" number |
-                 "set-tos" tos | "reassemble tcp" | "random-id"
+                 "set tos" tos | "reassemble tcp" | "random-id"
 
 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
                  "for" ifspec [ af ] [ "label" string ]

 
-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
