svn commit: r278831 - head/sys/netpfil/pf
Sergey Kandaurov
pluknet at freebsd.org
Tue Feb 17 21:40:44 UTC 2015
On 17 February 2015 at 20:31, John-Mark Gurney <jmg at funkthat.com> wrote:
> Gleb Smirnoff wrote this message on Mon, Feb 16, 2015 at 03:38 +0000:
>> Author: glebius
>> Date: Mon Feb 16 03:38:27 2015
>> New Revision: 278831
>> URL: https://svnweb.freebsd.org/changeset/base/278831
>>
>> Log:
>> Update the pf fragment handling code to closer match recent OpenBSD.
>> That partially fixes IPv6 fragment handling. Thanks to Kristof for
>> working on that.
>>
>> Submitted by: Kristof Provost
>> Tested by: peter
>> Differential Revision: D1765
>
> Looks like pf_flush_fragments still called in !INET case, though only
> defined for INET case:
> /scratch/tmp/jmg/src.head/sys/modules/pf/../../netpfil/pf/pf_norm.c:385:3: error: implicit declaration of function 'pf_flush_fragments' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
> pf_flush_fragments();
>
> when compiling LINT-NOINET kernel..
With the attached changes, all three kernels compile with both cc
(tested on MINI w/ MODULES_OVERRIDE=pf). Basically,
- pf_flush_fragments is improperly INET-only
- pf_find_fragment is properly declared, but its body is under INET
- pf_refragment6 / pf_reassemble6 are properly under INET6,
which is also under INET (the latter is wrong).
- bonus: some functions may be / were static'ized.
--
wbr,
pluknet
-------------- next part --------------
Index: sys/netpfil/pf/pf_norm.c
===================================================================
--- sys/netpfil/pf/pf_norm.c (revision 278917)
+++ sys/netpfil/pf/pf_norm.c (working copy)
@@ -138,17 +138,17 @@ static void pf_free_fragment(struct pf_fragment *)
static void pf_remove_fragment(struct pf_fragment *);
static int pf_normalize_tcpopt(struct pf_rule *, struct mbuf *,
struct tcphdr *, int, sa_family_t);
-struct pf_frent *pf_create_fragment(u_short *);
+static struct pf_frent *pf_create_fragment(u_short *);
static struct pf_fragment *
pf_find_fragment(struct pf_fragment_cmp *key,
struct pf_frag_tree *tree);
static struct pf_fragment *
pf_fillup_fragment(struct pf_fragment_cmp *, struct pf_frent *, u_short *);
static int pf_isfull_fragment(struct pf_fragment *);
-struct mbuf *pf_join_fragment(struct pf_fragment *);
+static struct mbuf *pf_join_fragment(struct pf_fragment *);
+static void pf_flush_fragments(void);
#ifdef INET
static void pf_scrub_ip(struct mbuf **, uint32_t, uint8_t, uint8_t);
-static void pf_flush_fragments(void);
static int pf_reassemble(struct mbuf **, struct ip *, int, u_short *);
static struct mbuf *
pf_fragcache(struct mbuf **, struct ip*, struct pf_fragment **,
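Review bot: The prototype `static void pf_flush_fragments(void);` is moved above `#ifdef INET` with no comment recording why it must stay there, and the failure being fixed (the quoted implicit-declaration error at pf_norm.c:385 in the LINT-NOINET build) was exactly a shared helper left under the IPv4 guard. A one-line comment above the unconditional prototypes would keep that from recurring, for example `/* Address-family independent helpers: keep outside #ifdef INET / INET6. */`. The same hunk makes `pf_create_fragment` and `pf_join_fragment` static, which is safe only if no other file references them; the patch does not show that, so it is worth checking the rest of the pf sources before commit. The INET prototype block continues past the end of this hunk.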
@@ -267,7 +267,6 @@ pf_purge_expired_fragments(void)
PF_FRAG_UNLOCK();
}
-#ifdef INET
/*
* Try to flush old fragments to make space for new ones
*/
@@ -292,7 +291,6 @@ pf_flush_fragments(void)
break;
}
}
-#endif /* INET */
/* Frees the fragments and all associated entries */
static void
@@ -329,7 +327,6 @@ pf_free_fragment(struct pf_fragment *frag)
pf_remove_fragment(frag);
}
-#ifdef INET
static struct pf_fragment *
pf_find_fragment(struct pf_fragment_cmp *key, struct pf_frag_tree *tree)
{
@@ -352,10 +349,8 @@ pf_find_fragment(struct pf_fragment_cmp *key, stru
return (frag);
}
-#endif /* INET */
/* Removes a fragment from the fragment queue and frees the fragment */
-
static void
pf_remove_fragment(struct pf_fragment *frag)
{
@@ -373,7 +368,7 @@ pf_remove_fragment(struct pf_fragment *frag)
}
}
-struct pf_frent *
+static struct pf_frent *
pf_create_fragment(u_short *reason)
{
struct pf_frent *frent;
@@ -393,7 +388,7 @@ pf_create_fragment(u_short *reason)
return (frent);
}
-struct pf_fragment *
+static struct pf_fragment *
pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
u_short *reason)
{
@@ -570,7 +565,7 @@ pf_isfull_fragment(struct pf_fragment *frag)
return (1);
}
-struct mbuf *
+static struct mbuf *
pf_join_fragment(struct pf_fragment *frag)
{
struct mbuf *m, *m2;
@@ -666,6 +661,7 @@ pf_reassemble(struct mbuf **m0, struct ip *ip, int
DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip->ip_len)));
return (PF_PASS);
}
+#endif /* INET */
#ifdef INET6
static int
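Review bot: The `#endif /* INET */` added after pf_reassemble splits the former single IPv4 region into three, re-opened by the `#ifdef INET` lines added before pf_fragcache and before pf_normalize_ip, and the `#endif` that closes the last of them lies outside the visible hunks, so the pairing cannot be confirmed from the patch alone. Because the defect here was IPv6 fragment code silently nested inside the IPv4 guard, labelling each re-opening would make a repeat easier to spot in review, e.g. `#ifdef INET /* IPv4 only: pf_fragcache */`. The message reports a build on MINI with MODULES_OVERRIDE=pf; building pf in both an INET-only and an INET6-only configuration (LINT-NOINET is the one named in the thread) would confirm the guards are balanced in each case. pf_reassemble begins before this hunk and the INET6 function that follows continues past it.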
@@ -789,6 +785,7 @@ fail:
}
#endif /* INET6 */
+#ifdef INET
static struct mbuf *
pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment **frag, int mff,
int drop, int *nomem)
@@ -1090,6 +1087,7 @@ pf_fragcache(struct mbuf **m0, struct ip *h, struc
m_freem(m);
return (NULL);
}
+#endif /* INET */
#ifdef INET6
int
@@ -1162,6 +1160,7 @@ pf_refragment6(struct ifnet *ifp, struct mbuf **m0
}
#endif /* INET6 */
+#ifdef INET
int
pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
struct pf_pdesc *pd)