Date: Wed, 25 Sep 2024 12:34:28 GMT
Message-Id: <202409251234.48PCYSaM071683@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 905db4aa8877 - main - pf: dedupe layer 4 protocol code in pf_setup_pdesc()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 905db4aa88775865097714c170f4503da385747c
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=905db4aa88775865097714c170f4503da385747c

commit 905db4aa88775865097714c170f4503da385747c
Author:     Kristof Provost
AuthorDate: 2024-09-10 18:17:13 +0000
Commit:     Kristof Provost
CommitDate: 2024-09-25 10:44:30 +0000

    pf: dedupe layer 4 protocol code in pf_setup_pdesc()

    In pf_setup_pdesc() the code for analysing TCP and UDP headers was the
    same for v4 and v6. Deduplicate by moving the protocol switch after the
    address family switch.

    ok henning@ claudio@

    Obtained from:  OpenBSD, bluhm , 72cf18cc6e
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46647
---
 sys/netpfil/pf/pf.c | 255 ++++++++++++++++++++--------------------------------
 1 file changed, 97 insertions(+), 158 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index e65d848d7cc9..215f2655d9d4 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8590,78 +8590,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, if (h->ip_off & htons(IP_MF | IP_OFFMASK)) return (0); - switch (h->ip_p) { - case IPPROTO_TCP: { - struct tcphdr *th = &pd->hdr.tcp; - - if (!pf_pull_hdr(m, *off, th, sizeof(*th), action, - reason, AF_INET)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = sizeof(*th); - pd->p_len = pd->tot_len - *off - (th->th_off << 2); - pd->sport = &th->th_sport; - pd->dport = &th->th_dport; - break; - } - case IPPROTO_UDP: { - struct udphdr *uh = &pd->hdr.udp; - - if (!pf_pull_hdr(m, *off, uh, sizeof(*uh), action, - reason, AF_INET)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = sizeof(*uh); - if (uh->uh_dport == 0 || - ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off || - ntohs(uh->uh_ulen) < sizeof(struct udphdr)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - pd->sport = &uh->uh_sport; - pd->dport = &uh->uh_dport; - break; - } - case IPPROTO_SCTP: { - if (!pf_pull_hdr(m, *off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), - action, reason, AF_INET)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = sizeof(pd->hdr.sctp); - pd->p_len = pd->tot_len - *off; - - pd->sport = &pd->hdr.sctp.src_port; - pd->dport = &pd->hdr.sctp.dest_port; - if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - if (pf_scan_sctp(m, *off, pd, kif) != PF_PASS) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - break; - } - case IPPROTO_ICMP: { - if (!pf_pull_hdr(m, *off, &pd->hdr.icmp, ICMP_MINLEN, - action, reason, AF_INET)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = ICMP_MINLEN; - break; - } - } break; } #endif 
@@ -8750,103 +8678,114 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, } } while (!terminal); - switch (pd->proto) { - case IPPROTO_TCP: { - struct tcphdr *th = &pd->hdr.tcp; + break; + } +#endif + default: + panic("pf_setup_pdesc called with illegal af %u", af); + } - if (!pf_pull_hdr(m, *off, th, sizeof(*th), action, - reason, AF_INET6)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = sizeof(*th); - pd->p_len = pd->tot_len - *off - (th->th_off << 2); - pd->sport = &th->th_sport; - pd->dport = &th->th_dport; - break; + switch (pd->proto) { + case IPPROTO_TCP: { + struct tcphdr *th = &pd->hdr.tcp; + + if (!pf_pull_hdr(m, *off, th, sizeof(*th), action, + reason, af)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); } - case IPPROTO_UDP: { - struct udphdr *uh = &pd->hdr.udp; + *hdrlen = sizeof(*th); + pd->p_len = pd->tot_len - *off - (th->th_off << 2); + pd->sport = &th->th_sport; + pd->dport = &th->th_dport; + break; + } + case IPPROTO_UDP: { + struct udphdr *uh = &pd->hdr.udp; - if (!pf_pull_hdr(m, *off, uh, sizeof(*uh), action, - reason, AF_INET6)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = sizeof(*uh); - if (uh->uh_dport == 0 || - ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off || - ntohs(uh->uh_ulen) < sizeof(struct udphdr)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - pd->sport = &uh->uh_sport; - pd->dport = &uh->uh_dport; - break; + if (!pf_pull_hdr(m, *off, uh, sizeof(*uh), action, + reason, af)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); } - case IPPROTO_SCTP: { - if (!pf_pull_hdr(m, *off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), - action, reason, AF_INET6)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = sizeof(pd->hdr.sctp); - pd->p_len = pd->tot_len - *off; - - pd->sport = &pd->hdr.sctp.src_port; - pd->dport = 
&pd->hdr.sctp.dest_port; - if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - if (pf_scan_sctp(m, *off, pd, kif) != PF_PASS) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - break; + *hdrlen = sizeof(*uh); + if (uh->uh_dport == 0 || + ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off || + ntohs(uh->uh_ulen) < sizeof(struct udphdr)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); } - case IPPROTO_ICMPV6: { - size_t icmp_hlen = sizeof(struct icmp6_hdr); + pd->sport = &uh->uh_sport; + pd->dport = &uh->uh_dport; + break; + } + case IPPROTO_SCTP: { + if (!pf_pull_hdr(m, *off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), + action, reason, af)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } + *hdrlen = sizeof(pd->hdr.sctp); + pd->p_len = pd->tot_len - *off; - if (!pf_pull_hdr(m, *off, &pd->hdr.icmp6, icmp_hlen, - action, reason, AF_INET6)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - /* ICMP headers we look further into to match state */ - switch (pd->hdr.icmp6.icmp6_type) { - case MLD_LISTENER_QUERY: - case MLD_LISTENER_REPORT: - icmp_hlen = sizeof(struct mld_hdr); - break; - case ND_NEIGHBOR_SOLICIT: - case ND_NEIGHBOR_ADVERT: - icmp_hlen = sizeof(struct nd_neighbor_solicit); - break; - } - if (icmp_hlen > sizeof(struct icmp6_hdr) && - !pf_pull_hdr(m, *off, &pd->hdr.icmp6, icmp_hlen, - action, reason, AF_INET6)) { - *action = PF_DROP; - REASON_SET(reason, PFRES_SHORT); - return (-1); - } - *hdrlen = icmp_hlen; + pd->sport = &pd->hdr.sctp.src_port; + pd->dport = &pd->hdr.sctp.dest_port; + if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } + if (pf_scan_sctp(m, *off, pd, kif) != PF_PASS) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } + break; + } + case 
IPPROTO_ICMP: { + if (!pf_pull_hdr(m, *off, &pd->hdr.icmp, ICMP_MINLEN, + action, reason, af)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } + *hdrlen = ICMP_MINLEN; + break; + } + case IPPROTO_ICMPV6: { + size_t icmp_hlen = sizeof(struct icmp6_hdr); + + if (!pf_pull_hdr(m, *off, &pd->hdr.icmp6, icmp_hlen, + action, reason, af)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } + /* ICMP headers we look further into to match state */ + switch (pd->hdr.icmp6.icmp6_type) { + case MLD_LISTENER_QUERY: + case MLD_LISTENER_REPORT: + icmp_hlen = sizeof(struct mld_hdr); + break; + case ND_NEIGHBOR_SOLICIT: + case ND_NEIGHBOR_ADVERT: + icmp_hlen = sizeof(struct nd_neighbor_solicit); break; } + if (icmp_hlen > sizeof(struct icmp6_hdr) && + !pf_pull_hdr(m, *off, &pd->hdr.icmp6, icmp_hlen, + action, reason, af)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); } + *hdrlen = icmp_hlen; break; } -#endif - default: - panic("pf_setup_pdesc called with illegal af %u", af); } return (0); }
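Review bot: on the first hunk (the removal of the IPv4 `switch (h->ip_p)` block), the commit message only mentions the duplicated TCP and UDP code, but this hunk also drops the IPv4 `IPPROTO_SCTP` case (including the `pf_scan_sctp(m, *off, pd, kif)` call) and the `IPPROTO_ICMP` case, so the whole per-family layer 4 switch is being moved, not just the TCP/UDP parsing. The description should say so, and it is worth stating explicitly that the removed v4 switch had no `IPPROTO_ICMPV6` case (and the removed v6 switch no `IPPROTO_ICMP` case), since that is the one place the merged switch behaves differently from the code it replaces.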
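Review bot: on the second hunk, the merged `switch (pd->proto)` now makes `case IPPROTO_ICMP:` reachable for AF_INET6 packets and `case IPPROTO_ICMPV6:` reachable for AF_INET packets, which the two per-family switches it replaces did not allow; an IPv4 packet carrying protocol 58 previously fell out of the switch with no header pulled, and with this hunk `pd->hdr.icmp6` is populated from an IPv4 payload and `*hdrlen` is set from the ICMPv6 type table. Consider guarding the two cases with an address family check that drops on mismatch, for example `if (af != AF_INET) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); return (-1); }` at the top of `IPPROTO_ICMP` and the `AF_INET6` counterpart in `IPPROTO_ICMPV6`, or document in the commit message why the callers already reject that combination.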