git: 05896f1ef8be - main - pf: move pf_test_rule() out of pf_setup_pdesc()

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 10 Oct 2024 12:37:24 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=05896f1ef8be5ce9f6d2080b9b116a994ffa06de

commit 05896f1ef8be5ce9f6d2080b9b116a994ffa06de
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-10-02 07:28:32 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-10-10 12:10:40 +0000

    pf: move pf_test_rule() out of pf_setup_pdesc()
    
    Move the call to pf_test_rule() for fragments that have not been
    reassembled by normalization from pf_setup_pdesc() to pf_test().
    This simplifies the parameter list of pf_setup_pdesc() as it can
    concentrate on its job filling the pf_pdesc struct.
    ok henning mpf
    
    Obtained from:  OpenBSD, bluhm <bluhm@openbsd.org>, fb9fe53b92
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46935
---
 sys/net/pfvar.h                |  3 +--
 sys/netpfil/pf/pf.c            | 41 ++++++++++++++++++++---------------------
 sys/netpfil/pf/pf_syncookies.c |  2 +-
 3 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 4b8f7e45e03b..34a6e2028100 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -2510,8 +2510,7 @@ void			 pf_syncookie_send(struct mbuf *m, int off,
 			    struct pf_pdesc *);
 bool			 pf_syncookie_check(struct pf_pdesc *);
 u_int8_t		 pf_syncookie_validate(struct pf_pdesc *);
-struct mbuf *		 pf_syncookie_recreate_syn(int,
-			    struct pf_pdesc *);
+struct mbuf *		 pf_syncookie_recreate_syn(struct pf_pdesc *);
 
 VNET_DECLARE(struct pf_kstatus, pf_status);
 #define	V_pf_status	VNET(pf_status)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 653365d42059..26820f233cdb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8633,10 +8633,8 @@ pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m)
 
 static int
 pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
-    u_short *action, u_short *reason, struct pfi_kkif *kif, struct pf_krule **a,
-    struct pf_krule **r, struct pf_kstate **s, struct pf_kruleset **ruleset,
-    int *off, int *hdrlen, struct inpcb *inp,
-    struct pf_rule_actions *default_actions)
+    u_short *action, u_short *reason, struct pfi_kkif *kif, int *off,
+    int *hdrlen, struct pf_rule_actions *default_actions)
 {
 	struct mbuf *m = *m0;
 
@@ -8796,19 +8794,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 	}
 
 	switch (pd->virtual_proto) {
-	case PF_VPROTO_FRAGMENT:
-		/*
-		 * handle fragments that aren't reassembled by
-		 * normalization
-		 */
-		if (kif == NULL || r == NULL) /* pflog */
-			*action = PF_DROP;
-		else
-			*action = pf_test_rule(r, s, kif, m, *off, pd, a,
-			    ruleset, inp, *hdrlen);
-		if (*action != PF_PASS)
-			REASON_SET(reason, PFRES_FRAG);
-		return (-1);
 	case IPPROTO_TCP: {
 		struct tcphdr *th = &pd->hdr.tcp;
 
@@ -9094,8 +9079,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
 		return (PF_PASS);
 	}
 
-	if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, &a, &r,
-		&s, &ruleset, &off, &hdrlen, inp, default_actions) == -1) {
+	if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason,
+		kif, &off, &hdrlen, default_actions) == -1) {
 		if (action != PF_PASS)
 			pd.act.log |= PF_LOG_FORCE;
 		goto done;
@@ -9125,7 +9110,21 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
 			m_tag_delete(m, mtag);
 	}
 
-	switch (pd.proto) {
+	switch (pd.virtual_proto) {
+	case PF_VPROTO_FRAGMENT:
+		/*
+		 * handle fragments that aren't reassembled by
+		 * normalization
+		 */
+		if (kif == NULL || r == NULL) /* pflog */
+			action = PF_DROP;
+		else
+			action = pf_test_rule(&r, &s, kif, m, off, &pd, &a,
+			    &ruleset, inp, hdrlen);
+		if (action != PF_PASS)
+			REASON_SET(&reason, PFRES_FRAG);
+		break;
+
 	case IPPROTO_TCP: {
 		/* Respond to SYN with a syncookie. */
 		if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
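Review bot: Dropped fragments lose the forced-log flag in the moved PF_VPROTO_FRAGMENT case: before this change that path returned -1 from pf_setup_pdesc, so the caller's `if (action != PF_PASS) pd.act.log |= PF_LOG_FORCE;` in the preceding hunk applied to them, whereas the new case ends in `break` and nothing in this hunk sets PF_LOG_FORCE. Unless code after the switch (outside the hunk) re-applies it, a fragment rejected with PFRES_FRAG is now logged only when the matching rule asks for it; if the old behaviour is intended, change the tail of the case to `if (action != PF_PASS) { REASON_SET(&reason, PFRES_FRAG); pd.act.log |= PF_LOG_FORCE; }`. Separately, the `kif == NULL || r == NULL` guard was written for the pflog caller of pf_setup_pdesc, where `r` was a pointer-to-pointer that could legitimately be absent; inside pf_test, `r` is the local rule pointer whose initialisation lies outside the hunk, so the guard most likely never fires here and deserves either a comment explaining when it can, or removal. The switch key also changes from `pd.proto` to `pd.virtual_proto`, which is only equivalent for the remaining cases if the two fields agree for every non-fragment packet; a one-line comment at the `switch` stating that invariant would help the next reader.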
@@ -9154,7 +9153,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
 			    pd.dir == PF_IN) {
 				struct mbuf *msyn;
 
-				msyn = pf_syncookie_recreate_syn(off, &pd);
+				msyn = pf_syncookie_recreate_syn(&pd);
 				if (msyn == NULL) {
 					action = PF_DROP;
 					break;
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 40c664f48914..bbb33d134ce5 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -498,7 +498,7 @@ pf_syncookie_generate(struct mbuf *m, int off, struct pf_pdesc *pd,
 }
 
 struct mbuf *
-pf_syncookie_recreate_syn(int off, struct pf_pdesc *pd)
+pf_syncookie_recreate_syn(struct pf_pdesc *pd)
 {
 	uint8_t			 wscale;
 	uint16_t		 mss;