git: 1bf46184cdc3 - main - pf: factor out duplicate code to undo nat
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 31 Mar 2025 14:58:02 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=1bf46184cdc35779849d909b3a483183245a0aba
commit 1bf46184cdc35779849d909b3a483183245a0aba
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-03-29 09:51:57 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-03-31 12:57:14 +0000
pf: factor out duplicate code to undo nat
Suggested by: markj
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49582
---
sys/netpfil/pf/pf.c | 33 +++++++++++++--------------------
1 file changed, 13 insertions(+), 20 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index e4affb502d0e..775bd016c656 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -4263,17 +4263,12 @@ pf_send_tcp(const struct pf_krule *r, sa_family_t af,
}
static void
-pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
- struct tcphdr *th, u_int16_t bproto_sum, u_int16_t bip_sum,
- u_short *reason, int rtableid)
+pf_undo_nat(struct pf_krule *nr, struct pf_pdesc *pd, uint16_t bip_sum)
{
- struct pf_addr * const saddr = pd->src;
- struct pf_addr * const daddr = pd->dst;
-
/* undo NAT changes, if they have taken place */
if (nr != NULL) {
- PF_ACPY(saddr, &pd->osrc, pd->af);
- PF_ACPY(daddr, &pd->odst, pd->af);
+ PF_ACPY(pd->src, &pd->osrc, pd->af);
+ PF_ACPY(pd->dst, &pd->odst, pd->af);
if (pd->sport)
*pd->sport = pd->osport;
if (pd->dport)
@@ -4282,6 +4277,15 @@ pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
*pd->ip_sum = bip_sum;
m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
}
+}
+
+static void
+pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
+ struct tcphdr *th, u_int16_t bproto_sum, u_int16_t bip_sum,
+ u_short *reason, int rtableid)
+{
+ pf_undo_nat(nr, pd, bip_sum);
+
if (pd->proto == IPPROTO_TCP &&
((r->rule_flag & PFRULE_RETURNRST) ||
(r->rule_flag & PFRULE_RETURN)) &&
@@ -6239,18 +6243,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) ==
TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
pf_set_protostate(s, PF_PEER_SRC, PF_TCPS_PROXY_SRC);
- /* undo NAT changes, if they have taken place */
- if (nr != NULL) {
- PF_ACPY(pd->src, &pd->osrc, pd->af);
- PF_ACPY(pd->dst, &pd->odst, pd->af);
- if (pd->sport)
- *pd->sport = pd->osport;
- if (pd->dport)
- *pd->dport = pd->odport;
- if (pd->ip_sum)
- *pd->ip_sum = bip_sum;
- m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
- }
+ pf_undo_nat(nr, pd, bip_sum);
s->src.seqhi = htonl(arc4random());
/* Find mss option */
int rtid = M_GETFIB(pd->m);