
CVS: cvs.openbsd.org: src



CVSROOT:	/cvs
Module name:	src
Changes by:	henning@cvs.openbsd.org	2002/07/09 04:39:08

Modified files:
	sbin/pfctl     : parse.y 

Log message:
rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that.  the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP, pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced sometime
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@
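The two behaviours the commit message describes, the ifa_pick_ip selection rule (one address, or one address for the requested family, otherwise an error) and the "-> ?" printing bug that comes from calling inet_ntop with the rule's address family left unset, as an added, self-contained model in C. This is example code written for this page, not pfctl's parse.y; the interface table, the names pick_ip, pick_sample, target_af and render_target, and the fxp0/fxp1 addresses are all constructed for illustration. Only the ne3 line reuses the address from the message above.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Constructed stand-in for pfctl's single list of interface addresses
 * (AF_INET and AF_INET6 entries side by side, as the commit describes). */
struct ifa_entry {
	const char	*ifname;
	int		 af;	/* AF_INET or AF_INET6 */
	const char	*addr;	/* textual address, constructed sample data */
};

static const struct ifa_entry sample_ifas[] = {
	{ "ne3",  AF_INET,  "213.128.133.5" },	/* address from the message above */
	{ "fxp0", AF_INET,  "192.0.2.1" },	/* one v4 + one v6: af-dependent */
	{ "fxp0", AF_INET6, "2001:db8::1" },
	{ "fxp1", AF_INET,  "192.0.2.10" },	/* two v4 addresses: ambiguous */
	{ "fxp1", AF_INET,  "192.0.2.11" },
	{ "fxp1", AF_INET6, "2001:db8::a" },
};
#define SAMPLE_N (sizeof sample_ifas / sizeof sample_ifas[0])

enum pick_result { PICK_OK = 0, PICK_NONE = 1, PICK_AMBIGUOUS = 2 };

/* pick_ip: hypothetical model of the ifa_pick_ip decision.
 * want_af is AF_UNSPEC when the rule carries no address family.
 * Exactly one candidate must remain after filtering by name and af;
 * zero is "no address", more than one is the error pfctl reports. */
enum pick_result
pick_ip(const struct ifa_entry *ifas, size_t n, const char *ifname,
    int want_af, char *out, size_t outlen, int *out_af)
{
	const struct ifa_entry *match = NULL;
	size_t i, count = 0;

	for (i = 0; i < n; i++) {
		if (strcmp(ifas[i].ifname, ifname) != 0)
			continue;
		if (want_af != AF_UNSPEC && ifas[i].af != want_af)
			continue;
		count++;
		match = &ifas[i];
	}
	if (count == 0)
		return PICK_NONE;
	if (count > 1)
		return PICK_AMBIGUOUS;
	snprintf(out, outlen, "%s", match->addr);
	*out_af = match->af;	/* the rule's af is taken from its target */
	return PICK_OK;
}

/* pick_sample: run pick_ip over the constructed table and return either
 * the chosen address or a short status word (static buffer, example only). */
const char *
pick_sample(const char *ifname, int want_af)
{
	static char buf[64];
	int af;

	switch (pick_ip(sample_ifas, SAMPLE_N, ifname, want_af,
	    buf, sizeof buf, &af)) {
	case PICK_OK:		return buf;
	case PICK_NONE:		return "no address";
	default:		return "error: ambiguous";
	}
}

/* target_af: derive the address family from the target address itself,
 * which is what "steal its target's IP af" amounts to. */
int
target_af(const char *addr, unsigned char bin[16])
{
	if (inet_pton(AF_INET, addr, bin) == 1)
		return AF_INET;
	if (inet_pton(AF_INET6, addr, bin) == 1)
		return AF_INET6;
	return AF_UNSPEC;
}

/* render_target: print the target the way a rule dump would.
 * fix == 0 reproduces the bug: the rule's af stays AF_UNSPEC, inet_ntop
 * refuses it and the output degrades to "?".  fix != 0 uses target_af. */
const char *
render_target(const char *addr, int fix)
{
	static char buf[64];
	unsigned char bin[16];
	int af = target_af(addr, bin);
	int rule_af = fix ? af : AF_UNSPEC;

	if (af == AF_UNSPEC || inet_ntop(rule_af, bin, buf, sizeof buf) == NULL)
		return "?";
	return buf;
}

int
main(void)
{
	printf("nat on ne3 all -> %s\n", pick_sample("ne3", AF_UNSPEC));
	printf("nat on fxp0 all -> %s\n", pick_sample("fxp0", AF_UNSPEC));
	printf("nat on fxp0 inet6 all -> %s\n", pick_sample("fxp0", AF_INET6));
	printf("before fix: -> %s\n", render_target("213.128.133.5", 0));
	printf("after fix:  -> %s\n", render_target("213.128.133.5", 1));
	return 0;
}
```

The ambiguity check is the security-relevant part: a NAT target silently picked from several candidate addresses would translate traffic to whichever address happened to be first in the list, so refusing the rule and forcing the operator to add "inet" or "inet6" is the right failure mode.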


