[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pfctl : recursive parsing of groups

To: bugs_(_at_)_openbsd_(_dot_)_org
Subject: pfctl : recursive parsing of groups
From: Stephen Samuel <samuel_(_at_)_bcgreen_(_dot_)_com>
Date: Sun, 30 Mar 2003 20:42:39 -0800
Organization: Just Another Radical

for pfctl's parsing of pf and nat rules, a grouping is currently
defined as
 group ::= NAME | '{' NAME [ , NAME ...] '}'
 How difficult would it be to define it as
 group ::= NAME | '{' group [ , group ...] '}'

The reason for this is that I ran into a situation where I
defined something like the following:

int = "{ xl1, xl2 }"
ext = " xl0 "

For the most part, this works fine, because I tend to define packets
in terms of either  coming from the inside or the outside, but when
cheking for wormsign,  I ran into the following construct:


block in log on  { $int, $ext } proto udp from any port 2002 to any port 2002

This, of course, fails because the { $int, $ext } expands to:
{ { xl1, xl2 }, xl0  }
which is currently illegal.

My workaround was:

either = "{ xl0, xl1, xl2 }"
# apache worm.
block in log on  $either proto udp from any port 2002 to any port 2002


In this specific case I could also just remove the 'on' construct,
but I'd prefer to have the IF designation there for completeness.
(it also works in case a 4th interface gets added that doesn't actually
fit in the group).

--
Stephen Samuel +1(604)876-0426                samuel_(_at_)_bcgreen_(_dot_)_com
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.

Prev by Date: Openbsd Servers Can Be Hacked
Next by Date: Your mlmXtreme Position is Active!
Previous by thread: Openbsd Servers Can Be Hacked
Next by thread: Your mlmXtreme Position is Active!
Index(es):
- Date
- Thread

Visit your host, monkey.org