Hi,
the relayd code already had a few bits for from/to specifiers in
filter rules, but it wasn't finished. I did get occasional requests
if it would be possible to filter based on IPs (much like Allow/Deny
rules elsewhere). Simple blocking should better be done in pf but the
purpose of this is to match URLs/headers related to IPs (see below).
```relayd.conf
http protocol foo {
block from 10.1.1.1
block from 10.1.1.2 to 192.168.0.0/24
pass from 10.1.0.0/16 path "/hello/*" forward to <a>
pass from 10.2.0.0/16 path "/hello/*" forward to <b>
}
```
Ok?
Reyk
Index: usr.sbin/relayd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.233
diff -u -p -u -p -r1.233 parse.y
--- usr.sbin/relayd/parse.y 13 Mar 2019 23:29:32 -0000 1.233
+++ usr.sbin/relayd/parse.y 9 May 2019 17:12:09 -0000
@@ -153,6 +153,7 @@ typedef struct {
enum direction dir;
struct {
struct sockaddr_storage ss;
+ int prefixlen;
char name[HOST_NAME_MAX+1];
} addr;
struct {
@@ -187,7 +188,7 @@ typedef struct {
%type <v.number> action ruleaf key_option
%type <v.port> port
%type <v.host> host
-%type <v.addr> address
+%type <v.addr> address rulesrc ruledst addrprefix
%type <v.tv> timeout
%type <v.digest> digest optdigest
%type <v.table> tablespec
@@ -1293,6 +1294,20 @@ filterrule : action dir quick ruleaf rul
rule->rule_dir = $2;
rule->rule_flags |= $3;
rule->rule_af = $4;
+ rule->rule_src.addr = $5.ss;
+ rule->rule_src.addr_mask = $5.prefixlen;
+ rule->rule_dst.addr = $6.ss;
+ rule->rule_dst.addr_mask = $6.prefixlen;
+
+ if (RELAY_AF_NEQ(rule->rule_af,
+ rule->rule_src.addr.ss_family) ||
+ RELAY_AF_NEQ(rule->rule_af,
+ rule->rule_dst.addr.ss_family) ||
+ RELAY_AF_NEQ(rule->rule_src.addr.ss_family,
+ rule->rule_dst.addr.ss_family)) {
+ yyerror("address family mismatch");
+ YYERROR;
+ }
rulefile = NULL;
} ruleopts_l {
@@ -1341,10 +1356,20 @@ ruleaf : /* empty */ { $$ =
AF_UNSPEC
| INET { $$ = AF_INET; }
;
-rulesrc : /* XXX */
+rulesrc : /* empty */ {
+ memset(&$$, 0, sizeof($$));
+ }
+ | FROM addrprefix {
+ $$ = $2;
+ }
;
-ruledst : /* XXX */
+ruledst : /* empty */ {
+ memset(&$$, 0, sizeof($$));
+ }
+ | TO addrprefix {
+ $$ = $2;
+ }
;
ruleopts_l : /* empty */
@@ -1967,7 +1992,7 @@ routeopts_l : routeopts_l routeoptsl nl
| routeoptsl optnl
;
-routeoptsl : ROUTE address '/' NUMBER {
+routeoptsl : ROUTE addrprefix {
struct netroute *nr;
if (router->rt_conf.af == AF_UNSPEC)
@@ -1978,14 +2003,6 @@ routeoptsl : ROUTE address '/' NUMBER {
YYERROR;
}
- if ((router->rt_conf.af == AF_INET &&
- ($4 > 32 || $4 < 0)) ||
- (router->rt_conf.af == AF_INET6 &&
- ($4 > 128 || $4 < 0))) {
- yyerror("invalid prefixlen %d", $4);
- YYERROR;
- }
-
if ((nr = calloc(1, sizeof(*nr))) == NULL)
fatal("out of memory");
@@ -1995,7 +2012,7 @@ routeoptsl : ROUTE address '/' NUMBER {
free(nr);
YYERROR;
}
- nr->nr_conf.prefixlen = $4;
+ nr->nr_conf.prefixlen = $2.prefixlen;
nr->nr_conf.routerid = router->rt_conf.id;
nr->nr_router = router;
bcopy(&$2.ss, &nr->nr_conf.ss, sizeof($2.ss));
@@ -2166,6 +2183,26 @@ address : STRING {
h = TAILQ_FIRST(&al);
memcpy(&$$.ss, &h->ss, sizeof($$.ss));
host_free(&al);
+ }
+ ;
+
+addrprefix : address '/' NUMBER {
+ $$ = $1;
+ if (($$.ss.ss_family == AF_INET &&
+ ($3 > 32 || $3 < 0)) ||
+ ($$.ss.ss_family == AF_INET6 &&
+ ($3 > 128 || $3 < 0))) {
+ yyerror("invalid prefixlen %d", $3);
+ YYERROR;
+ }
+ $$.prefixlen = $3;
+ }
+ | address {
+ $$ = $1;
+ if ($$.ss.ss_family == AF_INET)
+ $$.prefixlen = 32;
+ else if ($$.ss.ss_family == AF_INET6)
+ $$.prefixlen = 128;
}
;
Index: usr.sbin/relayd/relay.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.243
diff -u -p -u -p -r1.243 relay.c
--- usr.sbin/relayd/relay.c 8 May 2019 23:22:19 -0000 1.243
+++ usr.sbin/relayd/relay.c 9 May 2019 17:12:09 -0000
@@ -28,6 +28,7 @@
#include <arpa/inet.h>
#include <limits.h>
+#include <netdb.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
@@ -117,6 +118,7 @@ relay_ruledebug(struct relay_rule *rule)
{
struct kv *kv = NULL;
u_int i;
+ char buf[NI_MAXHOST];
fprintf(stderr, "\t\t");
@@ -150,6 +152,25 @@ relay_ruledebug(struct relay_rule *rule)
if (rule->rule_flags & RULE_FLAG_QUICK)
fprintf(stderr, "quick ");
+ switch (rule->rule_af) {
+ case AF_INET:
+ fprintf(stderr, "inet ");
+ break;
+ case AF_INET6:
+ fprintf(stderr, "inet6 ");
+ break;
+ }
+
+ if (rule->rule_src.addr.ss_family != AF_UNSPEC)
+ fprintf(stderr, "from %s/%d ",
+ print_host(&rule->rule_src.addr, buf, sizeof(buf)),
+ rule->rule_src.addr_mask);
+
+ if (rule->rule_dst.addr.ss_family != AF_UNSPEC)
+ fprintf(stderr, "to %s/%d ",
+ print_host(&rule->rule_dst.addr, buf, sizeof(buf)),
+ rule->rule_dst.addr_mask);
+
for (i = 1; i < KEY_TYPE_MAX; i++) {
kv = &rule->rule_kv[i];
if (kv->kv_type != i)
@@ -1118,7 +1139,13 @@ relay_accept(int fd, short event, void *
con->se_in.port = ((struct sockaddr_in6 *)&ss)->sin6_port;
break;
}
- bcopy(&ss, &con->se_in.ss, sizeof(con->se_in.ss));
+ memcpy(&con->se_in.ss, &ss, sizeof(con->se_in.ss));
+
+ slen = sizeof(con->se_sockname);
+ if (getsockname(s, (struct sockaddr *)&con->se_sockname, &slen) == -1) {
+ relay_close(con, "sockname lookup failed", 1);
+ return;
+ }
getmonotime(&con->se_tv_start);
bcopy(&con->se_tv_start, &con->se_tv_last, sizeof(con->se_tv_last));
@@ -1143,12 +1170,8 @@ relay_accept(int fd, short event, void *
}
if (rlay->rl_conf.flags & F_DIVERT) {
- slen = sizeof(con->se_out.ss);
- if (getsockname(s, (struct sockaddr *)&con->se_out.ss,
- &slen) == -1) {
- relay_close(con, "peer lookup failed", 1);
- return;
- }
+ memcpy(&con->se_out.ss, &con->se_sockname,
+ sizeof(con->se_out.ss));
con->se_out.port = relay_socket_getport(&con->se_out.ss);
/* Detect loop and fall back to the alternate forward target */
@@ -1169,13 +1192,8 @@ relay_accept(int fd, short event, void *
cnl->proc = ps->ps_instance;
cnl->proto = IPPROTO_TCP;
- bcopy(&con->se_in.ss, &cnl->src, sizeof(cnl->src));
- slen = sizeof(cnl->dst);
- if (getsockname(s,
- (struct sockaddr *)&cnl->dst, &slen) == -1) {
- relay_close(con, "failed to get local address", 1);
- return;
- }
+ memcpy(&cnl->src, &con->se_in.ss, sizeof(cnl->src));
+ memcpy(&cnl->dst, &con->se_sockname, sizeof(cnl->dst));
proc_compose(env->sc_ps, PROC_PFE, IMSG_NATLOOK,
cnl, sizeof(*cnl));
Index: usr.sbin/relayd/relay_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay_http.c,v
retrieving revision 1.73
diff -u -p -u -p -r1.73 relay_http.c
--- usr.sbin/relayd/relay_http.c 8 May 2019 23:22:19 -0000 1.73
+++ usr.sbin/relayd/relay_http.c 9 May 2019 17:12:09 -0000
@@ -1765,13 +1765,12 @@ relay_test(struct protocol *proto, struc
RELAY_GET_SKIP_STEP(RULE_SKIP_DIR);
else if (proto->type != r->rule_proto)
RELAY_GET_SKIP_STEP(RULE_SKIP_PROTO);
- else if (r->rule_af != AF_UNSPEC &&
- (cre->ss.ss_family != r->rule_af ||
- cre->dst->ss.ss_family != r->rule_af))
+ else if (RELAY_AF_NEQ(r->rule_af, cre->ss.ss_family) ||
+ RELAY_AF_NEQ(r->rule_af, cre->dst->ss.ss_family))
RELAY_GET_SKIP_STEP(RULE_SKIP_AF);
else if (RELAY_ADDR_CMP(&r->rule_src, &cre->ss) != 0)
RELAY_GET_SKIP_STEP(RULE_SKIP_SRC);
- else if (RELAY_ADDR_CMP(&r->rule_dst, &cre->dst->ss) != 0)
+ else if (RELAY_ADDR_CMP(&r->rule_dst, &con->se_sockname) != 0)
RELAY_GET_SKIP_STEP(RULE_SKIP_DST);
else if (r->rule_method != HTTP_METHOD_NONE &&
(desc->http_method == HTTP_METHOD_RESPONSE ||
@@ -1870,7 +1869,7 @@ relay_calc_skip_steps(struct relay_rules
RELAY_SET_SKIP_STEPS(RULE_SKIP_DIR);
else if (cur->rule_proto != prev->rule_proto)
RELAY_SET_SKIP_STEPS(RULE_SKIP_PROTO);
- else if (cur->rule_af != prev->rule_af)
+ else if (RELAY_AF_NEQ(cur->rule_af, prev->rule_af))
RELAY_SET_SKIP_STEPS(RULE_SKIP_AF);
else if (RELAY_ADDR_NEQ(&cur->rule_src, &prev->rule_src))
RELAY_SET_SKIP_STEPS(RULE_SKIP_SRC);
Index: usr.sbin/relayd/relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.188
diff -u -p -u -p -r1.188 relayd.conf.5
--- usr.sbin/relayd/relayd.conf.5 4 Mar 2019 21:25:03 -0000 1.188
+++ usr.sbin/relayd/relayd.conf.5 9 May 2019 17:12:09 -0000
@@ -1080,6 +1080,13 @@ evaluation is skipped.
.It Ic inet No or Ic inet6
Only match connections with the specified address family,
either of type IPv4 or IPv6.
+.It Ic from Ar address Ns Oo Li / Ns Ar prefix Oc
+This rule only matches for connections from the specified source.
+.It Ic to Ar address Ns Oo Li / Ns Ar prefix Oc
+This rule only matches for connections to the specified destination.
+The destination is the address the client was connecting to,
+typically the relay's listen address in non-transparent mode,
+not the address of the forwarded backend connection.
.It Ic forward to Pf < Ar table Ns >
Forward the request to a server in the specified table.
With this option, requests can be passed to specific backend servers.
Index: usr.sbin/relayd/relayd.h
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
retrieving revision 1.253
diff -u -p -u -p -r1.253 relayd.h
--- usr.sbin/relayd/relayd.h 8 May 2019 23:22:19 -0000 1.253
+++ usr.sbin/relayd/relayd.h 9 May 2019 17:12:09 -0000
@@ -550,6 +550,7 @@ TAILQ_HEAD(rdrlist, rdr);
struct rsession {
objid_t se_id;
objid_t se_relayid;
+ struct sockaddr_storage se_sockname;
struct ctl_relay_event se_in;
struct ctl_relay_event se_out;
void *se_priv;
@@ -601,11 +602,9 @@ enum rule_action {
};
struct rule_addr {
- int addr_af;
struct sockaddr_storage addr;
u_int8_t addr_mask;
- int addr_net;
- in_port_t addr_port;
+ int addr_port;
};
#define RELAY_ADDR_EQ(_a, _b) \
@@ -621,6 +620,10 @@ struct rule_addr {
((_a)->addr_mask != (_b)->addr_mask || \
sockaddr_cmp((struct sockaddr *)&(_a)->addr, \
(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)
+
+#define RELAY_AF_NEQ(_a, _b) \
+ (((_a) != AF_UNSPEC) && ((_b) != AF_UNSPEC) && \
+ ((_a) != (_b)))
struct relay_rule {
objid_t rule_id;
