git: 05896f1ef8be - main - pf: move pf_test_rule() out of pf_setup_pdesc()
Date: Thu, 10 Oct 2024 12:37:24 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=05896f1ef8be5ce9f6d2080b9b116a994ffa06de
commit 05896f1ef8be5ce9f6d2080b9b116a994ffa06de
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-10-02 07:28:32 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-10-10 12:10:40 +0000
pf: move pf_test_rule() out of pf_setup_pdesc()
Move the call to pf_test_rule() for fragments that have not been reassembled by normalization from pf_setup_pdesc() to pf_test(). This simplifies the paramter list of pf_setup_pdesc() as it can concentrate on its job filling the pf_pdesc struct.
ok henning mpf
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, fb9fe53b92
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46935
---
sys/net/pfvar.h | 3 +--
sys/netpfil/pf/pf.c | 41 ++++++++++++++++++++---------------------
sys/netpfil/pf/pf_syncookies.c | 2 +-
3 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 4b8f7e45e03b..34a6e2028100 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -2510,8 +2510,7 @@ void pf_syncookie_send(struct mbuf *m, int off, struct pf_pdesc *);
 bool pf_syncookie_check(struct pf_pdesc *);
 u_int8_t pf_syncookie_validate(struct pf_pdesc *);
-struct mbuf * pf_syncookie_recreate_syn(int,
- struct pf_pdesc *);
+struct mbuf * pf_syncookie_recreate_syn(struct pf_pdesc *);
 VNET_DECLARE(struct pf_kstatus, pf_status);
 #define V_pf_status VNET(pf_status)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 653365d42059..26820f233cdb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8633,10 +8633,8 @@ pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m)
 static int
 pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
- u_short *action, u_short *reason, struct pfi_kkif *kif, struct pf_krule **a,
- struct pf_krule **r, struct pf_kstate **s, struct pf_kruleset **ruleset,
- int *off, int *hdrlen, struct inpcb *inp,
- struct pf_rule_actions *default_actions)
+ u_short *action, u_short *reason, struct pfi_kkif *kif, int *off,
+ int *hdrlen, struct pf_rule_actions *default_actions)
 {
 struct mbuf *m = *m0;
@@ -8796,19 +8794,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 }
 switch (pd->virtual_proto) {
- case PF_VPROTO_FRAGMENT:
- /*
- * handle fragments that aren't reassembled by
- * normalization
- */
- if (kif == NULL || r == NULL) /* pflog */
- *action = PF_DROP;
- else
- *action = pf_test_rule(r, s, kif, m, *off, pd, a,
- ruleset, inp, *hdrlen);
- if (*action != PF_PASS)
- REASON_SET(reason, PFRES_FRAG);
- return (-1);
 case IPPROTO_TCP: {
 struct tcphdr *th = &pd->hdr.tcp;
@@ -9094,8 +9079,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
 return (PF_PASS);
 }
- if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, &a, &r,
- &s, &ruleset, &off, &hdrlen, inp, default_actions) == -1) {
+ if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason,
+ kif, &off, &hdrlen, default_actions) == -1) {
 if (action != PF_PASS)
 pd.act.log |= PF_LOG_FORCE;
 goto done;
@@ -9125,7 +9110,21 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
 m_tag_delete(m, mtag);
 }
- switch (pd.proto) {
+ switch (pd.virtual_proto) {
+ case PF_VPROTO_FRAGMENT:
+ /*
+ * handle fragments that aren't reassembled by
+ * normalization
+ */
+ if (kif == NULL || r == NULL) /* pflog */
+ action = PF_DROP;
+ else
+ action = pf_test_rule(&r, &s, kif, m, off, &pd, &a,
+ &ruleset, inp, hdrlen);
+ if (action != PF_PASS)
+ REASON_SET(&reason, PFRES_FRAG);
+ break;
+
 case IPPROTO_TCP: {
 /* Respond to SYN with a syncookie. */
 if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
@@ -9154,7 +9153,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
 pd.dir == PF_IN) {
 struct mbuf *msyn;
- msyn = pf_syncookie_recreate_syn(off, &pd);
+ msyn = pf_syncookie_recreate_syn(&pd);
 if (msyn == NULL) {
 action = PF_DROP;
 break;
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 40c664f48914..bbb33d134ce5 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -498,7 +498,7 @@ pf_syncookie_generate(struct mbuf *m, int off, struct pf_pdesc *pd,
 }
 struct mbuf *
-pf_syncookie_recreate_syn(int off, struct pf_pdesc *pd)
+pf_syncookie_recreate_syn(struct pf_pdesc *pd)
 {
 uint8_t wscale;
 uint16_t mss;
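Review bot: The guard `if (kif == NULL || r == NULL) /* pflog */` carried over into the new `PF_VPROTO_FRAGMENT` case of pf_test() now tests pf_test's own locals, not the optional arguments pf_setup_pdesc() used to receive from its pflog caller; those locals are initialized outside the hunk, and if pf_test already rejects a NULL kif and starts `r` at the default rule (as I would expect), the `PF_DROP` branch is unreachable and the `/* pflog */` comment no longer describes anything. Either remove the guard or replace the comment with the reason these locals could still be NULL at this point. Separately, the case ends in `break;` where the removed pf_setup_pdesc() code returned -1 and sent the caller straight to `done`, so a fragment now continues into the code after the switch with `s`, `a` and `ruleset` as left by pf_test_rule(); that post-switch path is outside the hunk and is worth a check that it tolerates a packet whose L4 header was never parsed. Likewise, with the case gone from pf_setup_pdesc()'s switch, fragments now take that switch's default branch, whose treatment of `*off`/`*hdrlen` is not visible here. pf_test() starts and ends outside this hunk.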