svn commit: r307235 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Fri Oct 14 08:25:51 UTC 2016
This work was done by franco_opnsense.org
I forgot to credit him in the commit message. Sorry Franco.
Regards,
Kristof
On 13 Oct 2016, at 22:34, Kristof Provost wrote:
> Author: kp
> Date: Thu Oct 13 20:34:44 2016
> New Revision: 307235
> URL: https://svnweb.freebsd.org/changeset/base/307235
>
> Log:
> pf: port extended DSCP support from OpenBSD
>
> Ignore the ECN bits on 'tos' and 'set-tos' and allow to use
> DSCP names instead of having to embed their TOS equivalents
> as plain numbers.
>
> Obtained from: OpenBSD
> Sponsored by: OPNsense
> Differential Revision: https://reviews.freebsd.org/D8165
>
> Modified:
> head/sbin/pfctl/parse.y
> head/share/man/man5/pf.conf.5
> head/sys/netpfil/pf/pf.c
> head/sys/netpfil/pf/pf_norm.c
>
> Modified: head/sbin/pfctl/parse.y
> ==============================================================================
> --- head/sbin/pfctl/parse.y Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/sbin/pfctl/parse.y Thu Oct 13 20:34:44 2016 (r307235)
> @@ -351,6 +351,8 @@ void decide_address_family(struct node_
> void remove_invalid_hosts(struct node_host **, sa_family_t *);
> int invalid_redirect(struct node_host *, sa_family_t);
> u_int16_t parseicmpspec(char *, sa_family_t);
> +int kw_casecmp(const void *, const void *);
> +int map_tos(char *string, int *);
>
> static TAILQ_HEAD(loadanchorshead, loadanchors)
> loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
> @@ -3584,15 +3586,17 @@ icmp6type : STRING {
> ;
>
> tos : STRING {
> - if (!strcmp($1, "lowdelay"))
> - $$ = IPTOS_LOWDELAY;
> - else if (!strcmp($1, "throughput"))
> - $$ = IPTOS_THROUGHPUT;
> - else if (!strcmp($1, "reliability"))
> - $$ = IPTOS_RELIABILITY;
> - else if ($1[0] == '0' && $1[1] == 'x')
> - $$ = strtoul($1, NULL, 16);
> - else
> + int val;
> + char *end;
> +
> + if (map_tos($1, &val))
> + $$ = val;
> + else if ($1[0] == '0' && $1[1] == 'x') {
> + errno = 0;
> + $$ = strtoul($1, &end, 16);
> + if (errno || *end != '\0')
> + $$ = 256;
> + } else
> $$ = 256; /* flag bad argument */
> if ($$ < 0 || $$ > 255) {
> yyerror("illegal tos value %s", $1);
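Review bot: The rewritten hex branch still accepts values with the ECN bits set (0x03, 0x0b, ...), while the pf.c hunk of this same commit masks IPTOS_ECN_MASK out of pd.tos before matching, so such a rule loads cleanly but can never match; surfacing that at parse time would help, e.g. after the range check `if ($$ & IPTOS_ECN_MASK) yyerror("tos value %s has ECN bits set, which are ignored", $1);` (if the set-tos syntax shares this nonterminal, it benefits too). The `$$ < 0` half of the range check is dead if the grammar's number member is unsigned, which I believe is the case for this parse.y but cannot confirm from the hunk; conversely, if `$$` were narrower than unsigned long, `$$ = strtoul(...)` could truncate a long hex string into the 0..255 range before the check runs. The errno/end-pointer check on the strtoul call is a clear improvement over the old unchecked parse. The tos rule's action continues past the end of the hunk.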
> @@ -6250,6 +6254,57 @@ pfctl_load_anchors(int dev, struct pfctl
> }
>
> int
> +kw_casecmp(const void *k, const void *e)
> +{
> + return (strcasecmp(k, ((const struct keywords *)e)->k_name));
> +}
> +
> +int
> +map_tos(char *s, int *val)
> +{
> + /* DiffServ Codepoints and other TOS mappings */
> + const struct keywords toswords[] = {
> + { "af11", IPTOS_DSCP_AF11 },
> + { "af12", IPTOS_DSCP_AF12 },
> + { "af13", IPTOS_DSCP_AF13 },
> + { "af21", IPTOS_DSCP_AF21 },
> + { "af22", IPTOS_DSCP_AF22 },
> + { "af23", IPTOS_DSCP_AF23 },
> + { "af31", IPTOS_DSCP_AF31 },
> + { "af32", IPTOS_DSCP_AF32 },
> + { "af33", IPTOS_DSCP_AF33 },
> + { "af41", IPTOS_DSCP_AF41 },
> + { "af42", IPTOS_DSCP_AF42 },
> + { "af43", IPTOS_DSCP_AF43 },
> + { "critical", IPTOS_PREC_CRITIC_ECP },
> + { "cs0", IPTOS_DSCP_CS0 },
> + { "cs1", IPTOS_DSCP_CS1 },
> + { "cs2", IPTOS_DSCP_CS2 },
> + { "cs3", IPTOS_DSCP_CS3 },
> + { "cs4", IPTOS_DSCP_CS4 },
> + { "cs5", IPTOS_DSCP_CS5 },
> + { "cs6", IPTOS_DSCP_CS6 },
> + { "cs7", IPTOS_DSCP_CS7 },
> + { "ef", IPTOS_DSCP_EF },
> + { "inetcontrol", IPTOS_PREC_INTERNETCONTROL },
> + { "lowdelay", IPTOS_LOWDELAY },
> + { "netcontrol", IPTOS_PREC_NETCONTROL },
> + { "reliability", IPTOS_RELIABILITY },
> + { "throughput", IPTOS_THROUGHPUT }
> + };
> + const struct keywords *p;
> +
> + p = bsearch(s, toswords, sizeof(toswords)/sizeof(toswords[0]),
> + sizeof(toswords[0]), kw_casecmp);
> +
> + if (p) {
> + *val = p->k_val;
> + return (1);
> + }
> + return (0);
> +}
> +
> +int
> rt_tableid_max(void)
> {
> #ifdef __FreeBSD__
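Review bot: map_tos relies on bsearch(), which only works if toswords is sorted in strcasecmp() order, and nothing in the hunk states that requirement; the table happens to be sorted today, but an entry appended out of order would silently break lookups of its neighbours. I would add `/* Must stay sorted in strcasecmp() order: searched with bsearch(). */` above the array and declare it `static const struct keywords toswords[]` so it is not rebuilt on the stack on every call. map_tos only reads its string, so `map_tos(const char *s, int *val)` would be more accurate; the prototype added in the first hunk also names the parameter `string` while the definition uses `s`. rt_tableid_max continues past the end of the hunk.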
>
> Modified: head/share/man/man5/pf.conf.5
> ==============================================================================
> --- head/share/man/man5/pf.conf.5 Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/share/man/man5/pf.conf.5 Thu Oct 13 20:34:44 2016 (r307235)
> @@ -28,7 +28,7 @@
> .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> .\" POSSIBILITY OF SUCH DAMAGE.
> .\"
> -.Dd September 28, 2016
> +.Dd October 6, 2016
> .Dt PF.CONF 5
> .Os
> .Sh NAME
> @@ -648,9 +648,16 @@ for matching IP packets.
> .Em TOS
> may be
> given as one of
> +.Ar critical ,
> +.Ar inetcontrol ,
> .Ar lowdelay ,
> +.Ar netcontrol ,
> .Ar throughput ,
> .Ar reliability ,
> +or one of the DiffServ Code Points:
> +.Ar ef ,
> +.Ar af11 No ... Ar af43 ,
> +.Ar cs0 No ... Ar cs7 ;
> or as either hex or decimal.
> .It Ar random-id
> Replaces the IP identification field with random values to compensate
> @@ -1697,9 +1704,16 @@ bits set.
> .Em TOS
> may be
> given as one of
> +.Ar critical ,
> +.Ar inetcontrol ,
> .Ar lowdelay ,
> +.Ar netcontrol ,
> .Ar throughput ,
> .Ar reliability ,
> +or one of the DiffServ Code Points:
> +.Ar ef ,
> +.Ar af11 No ... Ar af43 ,
> +.Ar cs0 No ... Ar cs7 ;
> or as either hex or decimal.
> .Pp
> For example, the following rules are identical:
> @@ -1803,7 +1817,6 @@ pass in proto tcp to port 25 set prio 2
> pass in proto tcp to port 22 set prio (2, 5)
> .Ed
> .Pp
> -
> .It Ar tag Aq Ar string
> Packets matching this rule will be tagged with the
> specified string.
>
> Modified: head/sys/netpfil/pf/pf.c
> ==============================================================================
> --- head/sys/netpfil/pf/pf.c Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/sys/netpfil/pf/pf.c Thu Oct 13 20:34:44 2016 (r307235)
> @@ -5893,7 +5893,7 @@ pf_test(int dir, struct ifnet *ifp, stru
> pd.sidx = (dir == PF_IN) ? 0 : 1;
> pd.didx = (dir == PF_IN) ? 1 : 0;
> pd.af = AF_INET;
> - pd.tos = h->ip_tos;
> + pd.tos = h->ip_tos & ~IPTOS_ECN_MASK;
> pd.tot_len = ntohs(h->ip_len);
>
> /* handle fragments that didn't get reassembled by normalization */
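Review bot: The new masking of pd.tos carries no comment, so a reader of pf_test has no way to know why the ECN bits are deliberately dropped before rule matching without consulting the commit log; I would add `/* Strip ECN bits: tos/set-tos match only the DSCP/precedence field. */` above the assignment. This hunk touches only the IPv4 setup of pd; whether the IPv6 path derives pd.tos from the traffic class with the same mask is not visible here and is worth confirming, otherwise `tos` rules would behave differently per address family. pf_test's body continues well beyond the hunk.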
>
> Modified: head/sys/netpfil/pf/pf_norm.c
> ==============================================================================
> --- head/sys/netpfil/pf/pf_norm.c Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/sys/netpfil/pf/pf_norm.c Thu Oct 13 20:34:44 2016 (r307235)
> @@ -1811,7 +1811,7 @@ pf_scrub_ip(struct mbuf **m0, u_int32_t
> u_int16_t ov, nv;
>
> ov = *(u_int16_t *)h;
> - h->ip_tos = tos;
> + h->ip_tos = tos | (h->ip_tos & IPTOS_ECN_MASK);
> nv = *(u_int16_t *)h;
>
> h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0);
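Review bot: The OR on the new line preserves the packet's ECN bits but does not clear them from tos, so a set-tos value that carries ECN bits (the parser accepts any value 0..255) still writes them into the header, which contradicts the stated intent of ignoring ECN on set-tos and is asymmetric with the matching side in pf.c, where they are masked out of pd.tos. Masking both operands keeps the two sides consistent: `h->ip_tos = (tos & ~IPTOS_ECN_MASK) | (h->ip_tos & IPTOS_ECN_MASK);`. pf_scrub_ip starts and ends outside the hunk, so the declared type of tos is not visible here.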
>