aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKristof Provost <kp@FreeBSD.org>2024-09-06 11:32:53 +0000
committerKristof Provost <kp@FreeBSD.org>2024-09-25 10:44:18 +0000
commit4f9e688708f1bead81954c429f7eca5109ee454b (patch)
tree94f62d6c8ed03ec2141b28a02671367452bfe47c
parent6aeaadf68def9bb6355c7462c5527574698367df (diff)
downloadsrc-4f9e688708f1.tar.gz
src-4f9e688708f1.zip
pf: merge pf_scrub_ip() and pf_scrub_ip6()
Merge pf_scrub_ip() and pf_scrub_ip6() into a single function. Call pf_scrub with the right arugments in the rule case so that match rules will work as expected. OK henning@ Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 48c45e6969 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46597
-rw-r--r--sys/net/pfvar.h9
-rw-r--r--sys/netpfil/pf/pf.c4
-rw-r--r--sys/netpfil/pf/pf_norm.c60
3 files changed, 36 insertions, 37 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 0dfa58979f16..61752a146b57 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -2642,12 +2642,9 @@ void pf_rule_to_actions(struct pf_krule *,
struct pf_rule_actions *);
int pf_normalize_mss(struct mbuf *m, int off,
struct pf_pdesc *pd);
-#ifdef INET
-void pf_scrub_ip(struct mbuf *, struct pf_pdesc *);
-#endif /* INET */
-#ifdef INET6
-void pf_scrub_ip6(struct mbuf *, struct pf_pdesc *);
-#endif /* INET6 */
+#if defined(INET) || defined(INET6)
+void pf_scrub(struct mbuf *, struct pf_pdesc *);
+#endif
struct pfi_kkif *pf_kkif_create(int);
void pf_kkif_free(struct pfi_kkif *);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index d4adf1363cdf..456fdd0aa9bd 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9221,7 +9221,7 @@ done:
REASON_SET(&reason, PFRES_MEMORY);
}
- pf_scrub_ip(m, &pd);
+ pf_scrub(m, &pd);
if (pd.proto == IPPROTO_TCP && pd.act.max_mss)
pf_normalize_mss(m, off, &pd);
@@ -9676,7 +9676,7 @@ done:
REASON_SET(&reason, PFRES_MEMORY);
}
- pf_scrub_ip6(m, &pd);
+ pf_scrub(m, &pd);
if (pd.proto == IPPROTO_TCP && pd.act.max_mss)
pf_normalize_mss(m, off, &pd);
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 284660767224..926529330619 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -2267,14 +2267,20 @@ sctp_drop:
return (PF_DROP);
}
-#ifdef INET
+#if defined(INET) || defined(INET6)
void
-pf_scrub_ip(struct mbuf *m, struct pf_pdesc *pd)
+pf_scrub(struct mbuf *m, struct pf_pdesc *pd)
{
+
struct ip *h = mtod(m, struct ip *);
+#ifdef INET6
+ struct ip6_hdr *h6 = mtod(m, struct ip6_hdr *);
+#endif
/* Clear IP_DF if no-df was requested */
- if (pd->act.flags & PFSTATE_NODF && h->ip_off & htons(IP_DF)) {
+ if (pd->af == AF_INET && pd->act.flags & PFSTATE_NODF &&
+ h->ip_off & htons(IP_DF))
+ {
u_int16_t ip_off = h->ip_off;
h->ip_off &= htons(~IP_DF);
@@ -2282,48 +2288,44 @@ pf_scrub_ip(struct mbuf *m, struct pf_pdesc *pd)
}
/* Enforce a minimum ttl, may cause endless packet loops */
- if (pd->act.min_ttl && h->ip_ttl < pd->act.min_ttl) {
+ if (pd->af == AF_INET && pd->act.min_ttl &&
+ h->ip_ttl < pd->act.min_ttl) {
u_int16_t ip_ttl = h->ip_ttl;
h->ip_ttl = pd->act.min_ttl;
h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0);
}
-
+#ifdef INET6
+ /* Enforce a minimum ttl, may cause endless packet loops */
+ if (pd->af == AF_INET6 && pd->act.min_ttl &&
+ h6->ip6_hlim < pd->act.min_ttl)
+ h6->ip6_hlim = pd->act.min_ttl;
+#endif
/* Enforce tos */
if (pd->act.flags & PFSTATE_SETTOS) {
- u_int16_t ov, nv;
+ if (pd->af == AF_INET) {
+ u_int16_t ov, nv;
- ov = *(u_int16_t *)h;
- h->ip_tos = pd->act.set_tos | (h->ip_tos & IPTOS_ECN_MASK);
- nv = *(u_int16_t *)h;
+ ov = *(u_int16_t *)h;
+ h->ip_tos = pd->act.set_tos | (h->ip_tos & IPTOS_ECN_MASK);
+ nv = *(u_int16_t *)h;
- h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0);
+ h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0);
+#ifdef INET6
+ } else if (pd->af == AF_INET6) {
+ h6->ip6_flow &= IPV6_FLOWLABEL_MASK | IPV6_VERSION_MASK;
+ h6->ip6_flow |= htonl((pd->act.set_tos | IPV6_ECN(h6)) << 20);
+#endif
+ }
}
/* random-id, but not for fragments */
- if (pd->act.flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) {
+ if (pd->af == AF_INET &&
+ pd->act.flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) {
uint16_t ip_id = h->ip_id;
ip_fillid(h);
h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0);
}
}
-#endif /* INET */
-
-#ifdef INET6
-void
-pf_scrub_ip6(struct mbuf *m, struct pf_pdesc *pd)
-{
- struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
-
- /* Enforce a minimum ttl, may cause endless packet loops */
- if (pd->act.min_ttl && h->ip6_hlim < pd->act.min_ttl)
- h->ip6_hlim = pd->act.min_ttl;
-
- /* Enforce tos. Set traffic class bits */
- if (pd->act.flags & PFSTATE_SETTOS) {
- h->ip6_flow &= IPV6_FLOWLABEL_MASK | IPV6_VERSION_MASK;
- h->ip6_flow |= htonl((pd->act.set_tos | IPV6_ECN(h)) << 20);
- }
-}
#endif