authorKristof Provost <kp@FreeBSD.org>2024-10-02 07:28:32 +0000
committerKristof Provost <kp@FreeBSD.org>2024-10-10 12:10:40 +0000
commit05896f1ef8be5ce9f6d2080b9b116a994ffa06de (patch)
tree6e2027c9bd439f2e76ee4c7dfa84482017e327a3
parentabc8996e7fa6c3755306021bffbf58c707e33d18 (diff)
downloadsrc-05896f1ef8be.tar.gz
src-05896f1ef8be.zip
pf: move pf_test_rule() out of pf_setup_pdesc()
Move the call to pf_test_rule() for fragments that have not been reassembled by normalization from pf_setup_pdesc() to pf_test(). This simplifies the parameter list of pf_setup_pdesc() as it can concentrate on its job filling the pf_pdesc struct. ok henning mpf Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, fb9fe53b92 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46935
-rw-r--r--sys/net/pfvar.h3
-rw-r--r--sys/netpfil/pf/pf.c41
-rw-r--r--sys/netpfil/pf/pf_syncookies.c2
3 files changed, 22 insertions, 24 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 4b8f7e45e03b..34a6e2028100 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -2510,8 +2510,7 @@ void pf_syncookie_send(struct mbuf *m, int off,
struct pf_pdesc *);
bool pf_syncookie_check(struct pf_pdesc *);
u_int8_t pf_syncookie_validate(struct pf_pdesc *);
-struct mbuf * pf_syncookie_recreate_syn(int,
- struct pf_pdesc *);
+struct mbuf * pf_syncookie_recreate_syn(struct pf_pdesc *);
VNET_DECLARE(struct pf_kstatus, pf_status);
#define V_pf_status VNET(pf_status)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 653365d42059..26820f233cdb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8633,10 +8633,8 @@ pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m)
static int
pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
- u_short *action, u_short *reason, struct pfi_kkif *kif, struct pf_krule **a,
- struct pf_krule **r, struct pf_kstate **s, struct pf_kruleset **ruleset,
- int *off, int *hdrlen, struct inpcb *inp,
- struct pf_rule_actions *default_actions)
+ u_short *action, u_short *reason, struct pfi_kkif *kif, int *off,
+ int *hdrlen, struct pf_rule_actions *default_actions)
{
struct mbuf *m = *m0;
@@ -8796,19 +8794,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
}
switch (pd->virtual_proto) {
- case PF_VPROTO_FRAGMENT:
- /*
- * handle fragments that aren't reassembled by
- * normalization
- */
- if (kif == NULL || r == NULL) /* pflog */
- *action = PF_DROP;
- else
- *action = pf_test_rule(r, s, kif, m, *off, pd, a,
- ruleset, inp, *hdrlen);
- if (*action != PF_PASS)
- REASON_SET(reason, PFRES_FRAG);
- return (-1);
case IPPROTO_TCP: {
struct tcphdr *th = &pd->hdr.tcp;
@@ -9094,8 +9079,8 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
return (PF_PASS);
}
- if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, &a, &r,
- &s, &ruleset, &off, &hdrlen, inp, default_actions) == -1) {
+ if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason,
+ kif, &off, &hdrlen, default_actions) == -1) {
if (action != PF_PASS)
pd.act.log |= PF_LOG_FORCE;
goto done;
@@ -9125,7 +9110,21 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
m_tag_delete(m, mtag);
}
- switch (pd.proto) {
+ switch (pd.virtual_proto) {
+ case PF_VPROTO_FRAGMENT:
+ /*
+ * handle fragments that aren't reassembled by
+ * normalization
+ */
+ if (kif == NULL || r == NULL) /* pflog */
+ action = PF_DROP;
+ else
+ action = pf_test_rule(&r, &s, kif, m, off, &pd, &a,
+ &ruleset, inp, hdrlen);
+ if (action != PF_PASS)
+ REASON_SET(&reason, PFRES_FRAG);
+ break;
+
case IPPROTO_TCP: {
/* Respond to SYN with a syncookie. */
if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
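Review bot: The guard `if (kif == NULL || r == NULL) /* pflog */` carried into the new PF_VPROTO_FRAGMENT case no longer means what it did in pf_setup_pdesc, where `r` was a `struct pf_krule **` output slot that a pflog caller could leave NULL; in pf_test `r` is the local `struct pf_krule *` itself, so the condition now tests the current value of the rule pointer rather than the caller's intent. pf_test's declarations and its kif lookup lie outside this hunk, but if `r` starts out non-NULL (for example pointing at the default rule) and a NULL kif already returns earlier, the branch is dead and the `/* pflog */` comment is misleading, while if `r` starts out NULL every unreassembled fragment is dropped unconditionally before any rule is consulted. Either way I would collapse it to the direct call, `action = pf_test_rule(&r, &s, kif, m, off, &pd, &a, &ruleset, inp, hdrlen);`, keeping only the `REASON_SET(&reason, PFRES_FRAG)` on a non-PASS result. Note also that this path previously returned -1 from pf_setup_pdesc and therefore picked up `pd.act.log |= PF_LOG_FORCE` in pf_test, whereas a fragment dropped by pf_test_rule is now logged only according to the matching rule; that looks intended but is not mentioned in the commit message.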
@@ -9154,7 +9153,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
pd.dir == PF_IN) {
struct mbuf *msyn;
- msyn = pf_syncookie_recreate_syn(off, &pd);
+ msyn = pf_syncookie_recreate_syn(&pd);
if (msyn == NULL) {
action = PF_DROP;
break;
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
index 40c664f48914..bbb33d134ce5 100644
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -498,7 +498,7 @@ pf_syncookie_generate(struct mbuf *m, int off, struct pf_pdesc *pd,
}
struct mbuf *
-pf_syncookie_recreate_syn(int off, struct pf_pdesc *pd)
+pf_syncookie_recreate_syn(struct pf_pdesc *pd)
{
uint8_t wscale;
uint16_t mss;