Source-Changes-HG archive
[src/netbsd-8]: src/usr.sbin/npf/npfctl Pull up following revision(s) (reques...
details: https://anonhg.NetBSD.org/src/rev/cc53cf5bf3ce
branches: netbsd-8
changeset: 450586:cc53cf5bf3ce
user: martin <martin%NetBSD.org@localhost>
date: Fri Apr 19 09:10:49 2019 +0000
description:
Pull up following revision(s) (requested by tih in ticket #1232):
usr.sbin/npf/npfctl/npf_build.c: revision 1.48
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.12
Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'
The documented default "flags S/SAFR" for stateful rules that affect
TCP packets but don't specify any flags doesn't actually get applied
to a rule like "pass stateful out all". The big problem with this is
that when you then do a "block return-rst" for an incoming packet, the
generated RST packet will create state for the connection attempt it's
blocking, so that a second attempt from the same source will pass.
This change makes the default flags actually apply to such simple
rules. It also fixes a related bug in the code generation for the
flag matching, where part of the action could erroneously be omitted.
Reviewed by <rmind>
Closes PR bin/54124
Pullup to NetBSD 8
diffstat:
usr.sbin/npf/npfctl/npf_bpf_comp.c | 10 ++++------
usr.sbin/npf/npfctl/npf_build.c | 9 +++++----
2 files changed, 9 insertions(+), 10 deletions(-)
diffs (68 lines):
diff -r 020f520f56b7 -r cc53cf5bf3ce usr.sbin/npf/npfctl/npf_bpf_comp.c
--- a/usr.sbin/npf/npfctl/npf_bpf_comp.c Wed Apr 17 15:58:12 2019 +0000
+++ b/usr.sbin/npf/npfctl/npf_bpf_comp.c Fri Apr 19 09:10:49 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $ */
+/* $NetBSD: npf_bpf_comp.c,v 1.10.6.1 2019/04/19 09:10:49 martin Exp $ */
/*-
* Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.10.6.1 2019/04/19 09:10:49 martin Exp $");
#include <stdlib.h>
#include <stdbool.h>
@@ -567,10 +567,8 @@
};
add_insns(ctx, insns_cmp, __arraycount(insns_cmp));
- if (!checktcp) {
- uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
- done_block(ctx, mwords, sizeof(mwords));
- }
+ uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
+ done_block(ctx, mwords, sizeof(mwords));
}
/*
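Review bot: dropping the `if (!checktcp)` guard means the `BM_TCPFL` mark words are now emitted for every rule that compiles a TCP-flags comparison, including ones that already carry their own protocol check; that is the "part of the action could erroneously be omitted" fix from the description, but the hunk no longer shows any use of `checktcp` in this region, so please confirm it is still read earlier in the function (otherwise expect an unused-variable warning under the tree's warning flags) and add a one-line comment above `uint32_t mwords[]` saying the mark is unconditional on purpose.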
diff -r 020f520f56b7 -r cc53cf5bf3ce usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c Wed Apr 17 15:58:12 2019 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c Fri Apr 19 09:10:49 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $ */
+/* $NetBSD: npf_build.c,v 1.44.4.1 2019/04/19 09:10:49 martin Exp $ */
/*-
* Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.44.4.1 2019/04/19 09:10:49 martin Exp $");
#include <sys/types.h>
#include <sys/mman.h>
@@ -317,7 +317,7 @@
npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op,
const filt_opts_t *fopts)
{
- bool noproto, noaddrs, noports, need_tcpudp = false;
+ bool noproto, noaddrs, noports, nostate, need_tcpudp = false;
const addr_port_t *apfrom = &fopts->fo_from;
const addr_port_t *apto = &fopts->fo_to;
const int proto = op->op_proto;
@@ -329,7 +329,8 @@
noproto = family == AF_UNSPEC && proto == -1 && !op->op_opts;
noaddrs = !apfrom->ap_netaddr && !apto->ap_netaddr;
noports = !apfrom->ap_portrange && !apto->ap_portrange;
- if (noproto && noaddrs && noports) {
+ nostate = !(npf_rule_getattr(rl) & NPF_RULE_STATEFUL);
+ if (noproto && noaddrs && noports && nostate) {
return false;
}
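Review bot: the new `nostate` term only stops the early `return false` for a stateful rule with no proto, addresses or ports; the hunk does not show where the later code path then sets `need_tcpudp` or applies the default `S/SAFR` flags for `family == AF_UNSPEC` and `proto == -1`, so please verify that the generated code constrains the flag check to TCP and still passes non-TCP traffic for a rule such as `pass stateful out all`. A short comment next to the `nostate` assignment explaining why stateful rules must not take the empty-filter shortcut would help the next reader, and a regression test for PR bin/54124 (second SYN from the same source after a `block return-rst`) would pin the behaviour.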