svn commit: r272995 - stable/10/sys/contrib/ipfilter/netinet

Cy Schubert cy at FreeBSD.org
Sun Oct 12 17:15:21 UTC 2014 

Author: cy
Date: Sun Oct 12 17:15:20 2014
New Revision: 272995
URL: https://svnweb.freebsd.org/changeset/base/272995

Log:
  MFC r272552
  
  ipfilter bug #554 Determining why a ipf rule matches is hard -- replace
  ipfilter rule compare with new ipf_rule_compare() function.
  
  Obtained from:	ipfilter CVS rep (r1.129)

Modified:
  stable/10/sys/contrib/ipfilter/netinet/fil.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/contrib/ipfilter/netinet/fil.c
==============================================================================
--- stable/10/sys/contrib/ipfilter/netinet/fil.c	Sun Oct 12 17:13:14 2014	(r272994)
+++ stable/10/sys/contrib/ipfilter/netinet/fil.c	Sun Oct 12 17:15:20 2014	(r272995)
@@ -4436,6 +4436,39 @@ ipf_matchicmpqueryreply(v, ic, icmp, rev
 
 
 /* ------------------------------------------------------------------------ */
+/* Function:    ipf_rule_compare                                            */
+/* Parameters:  fr1(I) - first rule structure to compare                    */
+/*              fr2(I) - second rule structure to compare                   */
+/* Returns:     int    - 0 == rules are the same, else mismatch             */
+/*                                                                          */
+/* Compare two rules and return 0 if they match or a number indicating      */
+/* which of the individual checks failed.                                   */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_rule_compare(frentry_t *fr1, frentry_t *fr2)
+{
+	if (fr1->fr_cksum != fr2->fr_cksum)
+		return 1;
+	if (fr1->fr_size != fr2->fr_size)
+		return 2;
+	if (fr1->fr_dsize != fr2->fr_dsize)
+		return 3;
+	if (bcmp((char *)&fr1->fr_func, (char *)&fr2->fr_func,
+		 fr1->fr_size - offsetof(struct frentry, fr_func)) != 0)
+		return 4;
+	if (fr1->fr_data && !fr2->fr_data)
+		return 5;
+	if (!fr1->fr_data && fr2->fr_data)
+		return 6;
+	if (fr1->fr_data) {
+		if (bcmp(fr1->fr_caddr, fr2->fr_caddr, fr1->fr_dsize))
+			return 7;
+	}
+	return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
 /* Function:    frrequest                                                   */
 /* Returns:     int - 0 == success, > 0 == errno value                      */
 /* Parameters:  unit(I)     - device for which this is for                  */
@@ -4928,17 +4961,7 @@ frrequest(softc, unit, req, data, set, m
 	}
 
 	for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
-		DT2(rule_cmp, frentry_t *, fp, frentry_t *, f);
-		if ((fp->fr_cksum != f->fr_cksum) ||
-		    (fp->fr_size != f->fr_size) ||
-		    (f->fr_dsize != fp->fr_dsize))
-			continue;
-		if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func,
-			 fp->fr_size - offsetof(struct frentry, fr_func)) != 0)
-			continue;
-		if ((!ptr && !f->fr_data) ||
-		    (ptr && f->fr_data &&
-		     !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
+		if (ipf_rule_compare(fp, f) == 0)
 			break;
 	}

More information about the svn-src-stable-10 mailing list