Date: Thu, 10 Oct 2024 12:37:24 GMT
Message-Id: <202410101237.49ACbOZ2006543@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 05896f1ef8be - main - pf: move pf_test_rule() out of pf_setup_pdesc()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=05896f1ef8be5ce9f6d2080b9b116a994ffa06de

commit 05896f1ef8be5ce9f6d2080b9b116a994ffa06de
Author:     Kristof Provost
AuthorDate: 2024-10-02 07:28:32 +0000
Commit:     Kristof Provost
CommitDate: 2024-10-10 12:10:40 +0000

    pf: move pf_test_rule() out of pf_setup_pdesc()

    Move the call to pf_test_rule() for fragments that have not been
    reassembled by normalization from pf_setup_pdesc() to pf_test().
    This simplifies the parameter list of pf_setup_pdesc() as it can
    concentrate on its job filling the pf_pdesc struct.
    ok henning mpf

    Obtained from: OpenBSD, bluhm , fb9fe53b92
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D46935
---
 sys/net/pfvar.h                |  3 +--
 sys/netpfil/pf/pf.c            | 41 ++++++++++++++++++++---------------------
 sys/netpfil/pf/pf_syncookies.c |  2 +-
 3 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 4b8f7e45e03b..34a6e2028100 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h
@@ -2510,8 +2510,7 @@ void pf_syncookie_send(struct mbuf *m, int off, struct pf_pdesc *); bool pf_syncookie_check(struct pf_pdesc *); u_int8_t pf_syncookie_validate(struct pf_pdesc *); -struct mbuf * pf_syncookie_recreate_syn(int, - struct pf_pdesc *); +struct mbuf * pf_syncookie_recreate_syn(struct pf_pdesc *); VNET_DECLARE(struct pf_kstatus, pf_status); #define V_pf_status VNET(pf_status) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 653365d42059..26820f233cdb 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -8633,10 +8633,8 @@ pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m) static int pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, - u_short *action, u_short *reason, struct pfi_kkif *kif, struct pf_krule **a, - struct pf_krule **r, struct pf_kstate **s, struct pf_kruleset **ruleset, - int *off, int *hdrlen, struct inpcb *inp, - struct pf_rule_actions *default_actions) + u_short *action, u_short *reason, struct pfi_kkif *kif, int *off, + int *hdrlen, struct pf_rule_actions *default_actions) { struct mbuf *m = *m0; @@ -8796,19 +8794,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, } switch (pd->virtual_proto) { - case PF_VPROTO_FRAGMENT: - /* - * handle fragments that aren't reassembled by - * normalization - */ - if (kif == NULL || r == NULL) /* pflog */ - *action = PF_DROP; - else - *action = pf_test_rule(r, s, kif, m, *off, pd, a, - ruleset, inp, *hdrlen); - if (*action != PF_PASS) - REASON_SET(reason, PFRES_FRAG); - return (-1); case IPPROTO_TCP: { struct tcphdr *th = &pd->hdr.tcp; 
@@ -9094,8 +9079,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 return (PF_PASS); } - if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, &a, &r, - &s, &ruleset, &off, &hdrlen, inp, default_actions) == -1) { + if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, + kif, &off, &hdrlen, default_actions) == -1) { if (action != PF_PASS) pd.act.log |= PF_LOG_FORCE; goto done; @@ -9125,7 +9110,21 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 m_tag_delete(m, mtag); } - switch (pd.proto) { + switch (pd.virtual_proto) { + case PF_VPROTO_FRAGMENT: + /* + * handle fragments that aren't reassembled by + * normalization + */ + if (kif == NULL || r == NULL) /* pflog */ + action = PF_DROP; + else + action = pf_test_rule(&r, &s, kif, m, off, &pd, &a, + &ruleset, inp, hdrlen); + if (action != PF_PASS) + REASON_SET(&reason, PFRES_FRAG); + break; + case IPPROTO_TCP: { /* Respond to SYN with a syncookie. */ if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN && @@ -9154,7 +9153,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 pd.dir == PF_IN) { struct mbuf *msyn; - msyn = pf_syncookie_recreate_syn(off, &pd); + msyn = pf_syncookie_recreate_syn(&pd); if (msyn == NULL) { action = PF_DROP; break; diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c index 40c664f48914..bbb33d134ce5 100644 --- a/sys/netpfil/pf/pf_syncookies.c +++ b/sys/netpfil/pf/pf_syncookies.c @@ -498,7 +498,7 @@ pf_syncookie_generate(struct mbuf *m, int off, struct pf_pdesc *pd, } struct mbuf * -pf_syncookie_recreate_syn(int off, struct pf_pdesc *pd) +pf_syncookie_recreate_syn(struct pf_pdesc *pd) { uint8_t wscale; uint16_t mss;
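
Review bot: in pf_setup_pdesc() (sys/netpfil/pf/pf.c, hunk at -8796), removing the PF_VPROTO_FRAGMENT case means fragments no longer leave through "return (-1)", so in pf_test() they now run through everything between the pf_setup_pdesc() call and the protocol switch, which they used to skip (the m_tag_delete() block is visible in the context of the later hunk). Please confirm that every step on that path is safe for a packet that is still a fragment, and consider leaving an explicit "case PF_VPROTO_FRAGMENT: break;" with a short comment here so the switch documents that fragments are deliberately handled by the caller.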
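
Review bot: in pf_test() (sys/netpfil/pf/pf.c, hunk at -9094), the "if (action != PF_PASS) pd.act.log |= PF_LOG_FORCE;" handling in this error branch no longer covers unreassembled fragments, because their verdict is now produced in the new PF_VPROTO_FRAGMENT case, which ends in "break" and never reaches this branch. If dropped fragments are meant to keep forced logging, set PF_LOG_FORCE in the new case when action != PF_PASS, or state in the commit message that the code after the switch already covers it.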
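
Review bot: in the new PF_VPROTO_FRAGMENT case in pf_test() (sys/netpfil/pf/pf.c, hunk at -9125), the check "if (kif == NULL || r == NULL) /* pflog */" was copied verbatim but no longer tests the same thing. In pf_setup_pdesc() r was a "struct pf_krule **" argument, so the test asked whether the caller supplied an output pointer; here r is the local that is passed as &r, so the test asks whether a rule pointer value is already set before pf_test_rule() has run. The initialisation of r is not visible in this hunk: if it starts out NULL, every unreassembled fragment is dropped without rule evaluation; if it can never be NULL, the test and its pflog comment are dead code. Either drop the r == NULL half or replace it with the condition that is actually intended at this call site.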
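
Review bot: the removal of the "int off" parameter from pf_syncookie_recreate_syn() (sys/net/pfvar.h hunk at -2510, sys/netpfil/pf/pf_syncookies.c hunk at -498, and the call in pf_test() at -9154) is not mentioned in the commit message, which only describes moving pf_test_rule(). The diffstat shows a single changed line in pf_syncookies.c, so the parameter appears to have been unused; a one-line note in the log saying so would make this easier to follow when bisecting. The neighbouring pf_syncookie_send() and pf_syncookie_generate() still take "int off" in the visible context, so it is worth stating whether the difference is intentional.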