Hi,
On Sat, 09.01.2010 at 13:09:29 -0500, Ted Unangst ted.unan...@gmail.com wrote:
On Sat, Jan 9, 2010 at 11:40 AM, Toni Mueller openbsd-m...@oeko.net wrote:
# /sbin/pfctl -n -f pf.conf.test
pf.conf.test:23: illegal tos value (null)
Best guess: sbin/pfctl/parse.y
thanks, Ted, this worked quite nicely. For the record, in
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/parse.y.diff?r1=1.561;r2=1.562
there are two places where there a condition changed to allow a zero as
a value, around line 3300 and line 3320, like this:
| NUMBER{
$$ = $1;
- if (!$$ || $$ 255) {
+ if ($$ 255) {
yyerror(illegal tos value %s, $1);
YYERROR;
}
If one changes this condition and recompiles pfctl, the value '0x0' (at
least) can be used in a rule. I didn't have success using this global
rule:
match in all tos 3 scrub (set-tos 0x0)
That was ineffective for me, but I don't know why.
Instead, I had to augment a regular pass rule to make this work:
pass quick on { $ext_if0, $ext_if1, $ext_if2, $int_if } all flags any no state
tos 3 scrub (set-tos 0x0)
The complete ruleset on this router looks like this:
# pfctl -s r
match in all tos 0x03 scrub (set-tos 0x00)
match in all scrub (no-df)
pass quick on bge1 all tos 0x03 no state scrub (set-tos 0x00)
pass quick on art0 all tos 0x03 no state scrub (set-tos 0x00)
pass quick on art1 all tos 0x03 no state scrub (set-tos 0x00)
pass quick on fxp0 all tos 0x03 no state scrub (set-tos 0x00)
pass in on bge0 all flags S/SA keep state
block drop out on bge0 all
HTH,
--Toni++
