since we inherit prio fromoutside sources, i. e. on vlan interfaces,
it is useful to be able to match on it - effectively matching on
classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.644
diff -u -p -r1.644 parse.y
--- sbin/pfctl/parse.y 16 Jan 2015 06:40:00 -0000 1.644
+++ sbin/pfctl/parse.y 8 Feb 2015 23:24:23 -0000
@@ -230,6 +230,7 @@ struct filter_opts {
#define FOM_SCRUB_TCP 0x0200
#define FOM_SETPRIO 0x0400
#define FOM_ONCE 0x1000
+#define FOM_PRIO 0x2000
struct node_uid *uid;
struct node_gid *gid;
struct node_if *rcv;
@@ -254,6 +255,7 @@ struct filter_opts {
char *match_tag;
u_int8_t match_tag_not;
u_int rtableid;
+ u_int8_t prio;
u_int8_t set_prio[2];
struct {
struct node_host *addr;
@@ -881,6 +883,10 @@ anchorrule : ANCHOR anchorname dir quick
YYERROR;
}
r.match_tag_not = $9.match_tag_not;
+ if ($9.marker & FOM_PRIO)
+ r.prio = $9.prio;
+ else
+ r.prio = 0xff;
if ($9.marker & FOM_SETPRIO) {
r.set_prio[0] = $9.set_prio[0];
r.set_prio[1] = $9.set_prio[1];
@@ -1484,6 +1490,10 @@ pfrule : action dir logquick interface
}
if ($8.marker & FOM_SCRUB_TCP)
r.scrub_flags |= PFSTATE_SCRUB_TCP;
+ if ($8.marker & FOM_PRIO)
+ r.prio = $8.prio;
+ else
+ r.prio = 0xff;
if ($8.marker & FOM_SETPRIO) {
r.set_prio[0] = $8.set_prio[0];
r.set_prio[1] = $8.set_prio[1];
@@ -1913,6 +1923,18 @@ filter_opt : USER uids {
}
filter_opts.marker |= FOM_ICMP;
filter_opts.icmpspec = $1;
+ }
+ | PRIO NUMBER {
+ if (filter_opts.marker & FOM_PRIO) {
+ yyerror("prio cannot be redefined");
+ YYERROR;
+ }
+ if ($2 < 0 || $2 > IFQ_MAXPRIO) {
+ yyerror("prio must be 0 - %u", IFQ_MAXPRIO);
+ YYERROR;
+ }
+ filter_opts.marker |= FOM_PRIO;
+ filter_opts.prio = $2;
}
| TOS tos {
if (filter_opts.marker & FOM_TOS) {
Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.302
diff -u -p -r1.302 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c 7 Feb 2015 23:35:27 -0000 1.302
+++ sbin/pfctl/pfctl_parser.c 8 Feb 2015 01:38:07 -0000
@@ -853,6 +853,8 @@ print_rule(struct pf_rule *r, const char
}
if (r->tos)
printf(" tos 0x%2.2x", r->tos);
+ if (r->prio != 0xff)
+ printf(" prio %u", r->prio);
if (r->scrub_flags & PFSTATE_SETMASK || r->qname[0]) {
char *comma = "";
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.541
diff -u -p -r1.541 pf.conf.5
--- share/man/man5/pf.conf.5 16 Jan 2015 17:20:24 -0000 1.541
+++ share/man/man5/pf.conf.5 8 Feb 2015 23:27:43 -0000
@@ -627,6 +627,9 @@ For example, the following rule will dro
.Pp
.Dl block in proto icmp probability 20%
.Pp
+.It Ar prio Aq Ar number
+Only match packets which have the given queueing priority assigned.
+.Pp
.It Ar received-on Aq Ar interface
Only match packets which were received on the specified
.Ar interface
@@ -2640,7 +2643,7 @@ filteropt = user | group | flags |
"label" string | "tag" string | [ ! ] "tagged" string |
"set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
"set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
- "rtable" number | "probability" number"%" |
+ "rtable" number | "probability" number"%" | "prio" number |
"af-to" af "from" ( redirhost | "{" redirhost-list "}" )
[ "to" ( redirhost | "{" redirhost-list "}" ) ] |
"binat-to" ( redirhost | "{" redirhost-list "}" )
Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.901
diff -u -p -r1.901 pf.c
--- sys/net/pf.c 7 Feb 2015 09:15:25 -0000 1.901
+++ sys/net/pf.c 7 Feb 2015 23:59:41 -0000
@@ -3228,6 +3228,9 @@ pf_test_rule(struct pf_pdesc *pd, struct
PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(pd->m, r) ==
r->rcvifnot),
TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((r->prio != 0xff &&
+ r->prio != pd->m->m_pkthdr.pf.prio),
+ TAILQ_NEXT(r, entries));
/* FALLTHROUGH */
if (r->tag)
Index: sys/net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.281
diff -u -p -r1.281 pf_ioctl.c
--- sys/net/pf_ioctl.c 24 Jan 2015 00:29:06 -0000 1.281
+++ sys/net/pf_ioctl.c 7 Feb 2015 23:57:51 -0000
@@ -2459,6 +2459,7 @@ pf_rule_copyin(struct pf_rule *from, str
to->divert.port = from->divert.port;
to->divert_packet.addr = from->divert_packet.addr;
to->divert_packet.port = from->divert_packet.port;
+ to->prio = from->prio;
to->set_prio[0] = from->set_prio[0];
to->set_prio[1] = from->set_prio[1];
Index: sys/net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.409
diff -u -p -r1.409 pfvar.h
--- sys/net/pfvar.h 7 Feb 2015 06:27:46 -0000 1.409
+++ sys/net/pfvar.h 7 Feb 2015 23:37:57 -0000
@@ -644,10 +644,11 @@ struct pf_rule {
#define PF_FLUSH 0x01
#define PF_FLUSH_GLOBAL 0x02
u_int8_t flush;
+ u_int8_t prio;
u_int8_t set_prio[2];
sa_family_t naf;
u_int8_t rcvifnot;
- u_int8_t pad[3];
+ u_int8_t pad[2];
struct {
struct pf_addr addr;
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
