diff options
author | Kristof Provost <kp@FreeBSD.org> | 2024-09-06 11:32:53 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2024-09-25 10:44:18 +0000 |
commit | 4f9e688708f1bead81954c429f7eca5109ee454b (patch) | |
tree | 94f62d6c8ed03ec2141b28a02671367452bfe47c | |
parent | 6aeaadf68def9bb6355c7462c5527574698367df (diff) | |
download | src-4f9e688708f1.tar.gz src-4f9e688708f1.zip |
pf: merge pf_scrub_ip() and pf_scrub_ip6()
Merge pf_scrub_ip() and pf_scrub_ip6() into a single function. Call
pf_scrub with the right arugments in the rule case so that match
rules will work as expected.
OK henning@
Obtained from: OpenBSD, claudio <claudio@openbsd.org>, 48c45e6969
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46597
-rw-r--r-- | sys/net/pfvar.h | 9 | ||||
-rw-r--r-- | sys/netpfil/pf/pf.c | 4 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_norm.c | 60 |
3 files changed, 36 insertions, 37 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 0dfa58979f16..61752a146b57 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -2642,12 +2642,9 @@ void pf_rule_to_actions(struct pf_krule *, struct pf_rule_actions *); int pf_normalize_mss(struct mbuf *m, int off, struct pf_pdesc *pd); -#ifdef INET -void pf_scrub_ip(struct mbuf *, struct pf_pdesc *); -#endif /* INET */ -#ifdef INET6 -void pf_scrub_ip6(struct mbuf *, struct pf_pdesc *); -#endif /* INET6 */ +#if defined(INET) || defined(INET6) +void pf_scrub(struct mbuf *, struct pf_pdesc *); +#endif struct pfi_kkif *pf_kkif_create(int); void pf_kkif_free(struct pfi_kkif *); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index d4adf1363cdf..456fdd0aa9bd 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9221,7 +9221,7 @@ done: REASON_SET(&reason, PFRES_MEMORY); } - pf_scrub_ip(m, &pd); + pf_scrub(m, &pd); if (pd.proto == IPPROTO_TCP && pd.act.max_mss) pf_normalize_mss(m, off, &pd); @@ -9676,7 +9676,7 @@ done: REASON_SET(&reason, PFRES_MEMORY); } - pf_scrub_ip6(m, &pd); + pf_scrub(m, &pd); if (pd.proto == IPPROTO_TCP && pd.act.max_mss) pf_normalize_mss(m, off, &pd); diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 284660767224..926529330619 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -2267,14 +2267,20 @@ sctp_drop: return (PF_DROP); } -#ifdef INET +#if defined(INET) || defined(INET6) void -pf_scrub_ip(struct mbuf *m, struct pf_pdesc *pd) +pf_scrub(struct mbuf *m, struct pf_pdesc *pd) { + struct ip *h = mtod(m, struct ip *); +#ifdef INET6 + struct ip6_hdr *h6 = mtod(m, struct ip6_hdr *); +#endif /* Clear IP_DF if no-df was requested */ - if (pd->act.flags & PFSTATE_NODF && h->ip_off & htons(IP_DF)) { + if (pd->af == AF_INET && pd->act.flags & PFSTATE_NODF && + h->ip_off & htons(IP_DF)) + { u_int16_t ip_off = h->ip_off; h->ip_off &= htons(~IP_DF); @@ -2282,48 +2288,44 @@ pf_scrub_ip(struct mbuf *m, struct pf_pdesc *pd) } /* Enforce a minimum ttl, may cause endless packet loops */ - if (pd->act.min_ttl && h->ip_ttl < pd->act.min_ttl) { + if (pd->af == AF_INET && pd->act.min_ttl && + h->ip_ttl < pd->act.min_ttl) { u_int16_t ip_ttl = h->ip_ttl; h->ip_ttl = pd->act.min_ttl; h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); } - +#ifdef INET6 + /* Enforce a minimum ttl, may cause endless packet loops */ + if (pd->af == AF_INET6 && pd->act.min_ttl && + h6->ip6_hlim < pd->act.min_ttl) + h6->ip6_hlim = pd->act.min_ttl; +#endif /* Enforce tos */ if (pd->act.flags & PFSTATE_SETTOS) { - u_int16_t ov, nv; + if (pd->af == AF_INET) { + u_int16_t ov, nv; - ov = *(u_int16_t *)h; - h->ip_tos = pd->act.set_tos | (h->ip_tos & IPTOS_ECN_MASK); - nv = *(u_int16_t *)h; + ov = *(u_int16_t *)h; + h->ip_tos = pd->act.set_tos | (h->ip_tos & IPTOS_ECN_MASK); + nv = *(u_int16_t *)h; - h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0); + h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0); +#ifdef INET6 + } else if (pd->af == AF_INET6) { + h6->ip6_flow &= IPV6_FLOWLABEL_MASK | IPV6_VERSION_MASK; + h6->ip6_flow |= htonl((pd->act.set_tos | IPV6_ECN(h6)) << 20); +#endif + } } /* random-id, but not for fragments */ - if (pd->act.flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) { + if (pd->af == AF_INET && + pd->act.flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) { uint16_t ip_id = h->ip_id; ip_fillid(h); h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0); } } -#endif /* INET */ - -#ifdef INET6 -void -pf_scrub_ip6(struct mbuf *m, struct pf_pdesc *pd) -{ - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); - - /* Enforce a minimum ttl, may cause endless packet loops */ - if (pd->act.min_ttl && h->ip6_hlim < pd->act.min_ttl) - h->ip6_hlim = pd->act.min_ttl; - - /* Enforce tos. Set traffic class bits */ - if (pd->act.flags & PFSTATE_SETTOS) { - h->ip6_flow &= IPV6_FLOWLABEL_MASK | IPV6_VERSION_MASK; - h->ip6_flow |= htonl((pd->act.set_tos | IPV6_ECN(h)) << 20); - } -} #endif |