[src/trunk]: src/sys/dist/pf/net resolve conflicts. (pf from OpenBSD 3.6, ke...
details: https://anonhg.NetBSD.org/src/rev/50ee592ce911
branches: trunk
changeset: 571221:50ee592ce911
user: yamt <yamt%NetBSD.org@localhost>
date: Sun Nov 14 11:12:16 2004 +0000
description:
resolve conflicts. (pf from OpenBSD 3.6, kernel part)
diffstat:
sys/dist/pf/net/if_pflog.c | 10 +-
sys/dist/pf/net/if_pflog.h | 11 +-
sys/dist/pf/net/pf.c | 764 +++++++++++++++++++++++++++-----------------
sys/dist/pf/net/pf_if.c | 92 +---
sys/dist/pf/net/pf_ioctl.c | 712 ++++++++++++++++++++++++-----------------
sys/dist/pf/net/pf_norm.c | 393 ++++++++++++++++++++--
sys/dist/pf/net/pf_osfp.c | 8 +-
sys/dist/pf/net/pf_table.c | 184 ++++++----
sys/dist/pf/net/pfvar.h | 146 +++++---
9 files changed, 1459 insertions(+), 861 deletions(-)
diffs (truncated from 4805 to 300 lines):
diff -r 089bfb501a24 -r 50ee592ce911 sys/dist/pf/net/if_pflog.c
--- a/sys/dist/pf/net/if_pflog.c Sun Nov 14 11:08:58 2004 +0000
+++ b/sys/dist/pf/net/if_pflog.c Sun Nov 14 11:12:16 2004 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: if_pflog.c,v 1.4 2004/09/10 08:48:32 yamt Exp $ */
-/* $OpenBSD: if_pflog.c,v 1.11 2003/12/31 11:18:25 cedric Exp $ */
+/* $NetBSD: if_pflog.c,v 1.5 2004/11/14 11:12:16 yamt Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.12 2004/05/19 17:50:51 dhartmei Exp $ */
/*
* The authors of this code are John Ioannidis (ji%tla.org@localhost),
* Angelos D. Keromytis (kermit%csd.uch.gr@localhost) and
@@ -230,11 +230,9 @@
} else {
hdr.rulenr = htonl(am->nr);
hdr.subrulenr = htonl(rm->nr);
- if (ruleset != NULL)
- memcpy(hdr.ruleset, ruleset->name,
+ if (ruleset != NULL && ruleset->anchor != NULL)
+ strlcpy(hdr.ruleset, ruleset->anchor->name,
sizeof(hdr.ruleset));
-
-
}
hdr.dir = dir;
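Review bot: The copy on the added lines can truncate silently: strlcpy stops at sizeof(hdr.ruleset), which the if_pflog.h hunk fixes at PFLOG_RULESET_NAME_SIZE (16), so any anchor name of 16 or more characters is logged cut short and the return value is never examined. If anchor->name may be longer than that — its declaration is not in this diff — the truncation deserves at least a comment on the strlcpy line, e.g. `/* anchor names longer than hdr.ruleset are logged truncated */`, or a DPFPRINTF when the returned length is >= sizeof(hdr.ruleset). Note also that when ruleset->anchor is NULL the field is left untouched, so the logged name relies on hdr having been zeroed earlier; the enclosing function begins outside this hunk.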
diff -r 089bfb501a24 -r 50ee592ce911 sys/dist/pf/net/if_pflog.h
--- a/sys/dist/pf/net/if_pflog.h Sun Nov 14 11:08:58 2004 +0000
+++ b/sys/dist/pf/net/if_pflog.h Sun Nov 14 11:12:16 2004 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: if_pflog.h,v 1.2 2004/06/22 14:17:07 itojun Exp $ */
-/* $OpenBSD: if_pflog.h,v 1.10 2004/03/19 04:52:04 frantzen Exp $ */
+/* $NetBSD: if_pflog.h,v 1.3 2004/11/14 11:12:16 yamt Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.11 2004/05/19 17:50:51 dhartmei Exp $ */
/*
* Copyright 2001 Niels Provos <provos%citi.umich.edu@localhost>
* All rights reserved.
@@ -32,10 +32,7 @@
struct ifnet sc_if; /* the interface */
};
-/* XXX keep in sync with pfvar.h */
-#ifndef PF_RULESET_NAME_SIZE
-#define PF_RULESET_NAME_SIZE 16
-#endif
+#define PFLOG_RULESET_NAME_SIZE 16
struct pfloghdr {
u_int8_t length;
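Review bot: The replacement define drops the only comment that explained the field's size constraint, so a reader no longer learns why PFLOG_RULESET_NAME_SIZE is 16 or whether it may change. Since struct pfloghdr is the record handed to the log interface and presumably parsed by userland capture tools, its layout is effectively a wire format; a comment such as `/* fixed log-record layout; changing this breaks consumers of pfloghdr */` on the new define would preserve the warning the removed `XXX keep in sync` note carried. The same constant is used by the following hunk (the ruleset[] member), which needs no separate comment.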
@@ -43,7 +40,7 @@
u_int8_t action;
u_int8_t reason;
char ifname[IFNAMSIZ];
- char ruleset[PF_RULESET_NAME_SIZE];
+ char ruleset[PFLOG_RULESET_NAME_SIZE];
u_int32_t rulenr;
u_int32_t subrulenr;
u_int8_t dir;
diff -r 089bfb501a24 -r 50ee592ce911 sys/dist/pf/net/pf.c
--- a/sys/dist/pf/net/pf.c Sun Nov 14 11:08:58 2004 +0000
+++ b/sys/dist/pf/net/pf.c Sun Nov 14 11:12:16 2004 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: pf.c,v 1.4 2004/09/08 12:11:25 yamt Exp $ */
-/* $OpenBSD: pf.c,v 1.433 2004/03/26 22:20:57 dhartmei Exp $ */
+/* $NetBSD: pf.c,v 1.5 2004/11/14 11:12:16 yamt Exp $ */
+/* $OpenBSD: pf.c,v 1.457.2.1 2004/11/06 00:39:35 brad Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -76,6 +76,11 @@
#include <netinet/tcp_var.h>
#include <netinet/udp_var.h>
#include <netinet/icmp_var.h>
+#ifdef __OpenBSD__
+#include <netinet/if_ether.h>
+#else
+#include <net/if_ether.h>
+#endif
#ifdef __OpenBSD__
#include <dev/rndvar.h>
@@ -99,14 +104,13 @@
#include <netinet6/nd6.h>
#endif /* INET6 */
-
#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
/*
* Global variables
*/
-struct pf_anchorqueue pf_anchors;
+struct pf_anchor_global pf_anchors;
struct pf_ruleset pf_main_ruleset;
struct pf_altqqueue pf_altqs[2];
struct pf_palist pf_pabuf;
@@ -125,15 +129,18 @@
struct callout pf_expire_to; /* expire timeout */
#endif
+struct pf_anchor_stackframe {
+ struct pf_ruleset *rs;
+ struct pf_rule *r;
+ struct pf_anchor_node *parent;
+ struct pf_anchor *child;
+} pf_anchor_stack[64];
+
struct pool pf_src_tree_pl, pf_rule_pl;
struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
-void pf_print_state(struct pf_state *);
-void pf_print_flags(u_int8_t);
-
-u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
- u_int8_t);
+
void pf_change_ap(struct pf_addr *, u_int16_t *,
u_int16_t *, u_int16_t *, struct pf_addr *,
u_int16_t, u_int8_t, sa_family_t);
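Review bot: pf_anchor_stack is a fixed 64-entry file-scope array and nothing in this hunk documents who pushes onto it or what bounds the index; whatever walks nested anchors must stop before 64 frames or it writes past the array, and that check, if it exists, is outside this diff. The magic number also appears only here, so a named constant and comment would help: `#define PF_ANCHOR_STACKSIZE 64 /* max anchor nesting depth; callers must check before pushing */` and `} pf_anchor_stack[PF_ANCHOR_STACKSIZE];`. Being a single global it is also shared by every caller, which presumably relies on the pf code running under one lock; that assumption is worth stating in the same comment.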
@@ -148,7 +155,8 @@
void pf_send_tcp(const struct pf_rule *, sa_family_t,
const struct pf_addr *, const struct pf_addr *,
u_int16_t, u_int16_t, u_int32_t, u_int32_t,
- u_int8_t, u_int16_t, u_int16_t, u_int8_t);
+ u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
+ struct ether_header *, struct ifnet *);
void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
sa_family_t, struct pf_rule *);
struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
@@ -163,19 +171,19 @@
int pf_test_tcp(struct pf_rule **, struct pf_state **,
int, struct pfi_kif *, struct mbuf *, int,
void *, struct pf_pdesc *, struct pf_rule **,
- struct pf_ruleset **);
+ struct pf_ruleset **, struct ifqueue *);
int pf_test_udp(struct pf_rule **, struct pf_state **,
int, struct pfi_kif *, struct mbuf *, int,
void *, struct pf_pdesc *, struct pf_rule **,
- struct pf_ruleset **);
+ struct pf_ruleset **, struct ifqueue *);
int pf_test_icmp(struct pf_rule **, struct pf_state **,
int, struct pfi_kif *, struct mbuf *, int,
void *, struct pf_pdesc *, struct pf_rule **,
- struct pf_ruleset **);
+ struct pf_ruleset **, struct ifqueue *);
int pf_test_other(struct pf_rule **, struct pf_state **,
int, struct pfi_kif *, struct mbuf *, int, void *,
struct pf_pdesc *, struct pf_rule **,
- struct pf_ruleset **);
+ struct pf_ruleset **, struct ifqueue *);
int pf_test_fragment(struct pf_rule **, int,
struct pfi_kif *, struct mbuf *, void *,
struct pf_pdesc *, struct pf_rule **,
@@ -193,7 +201,7 @@
struct pfi_kif *, struct pf_pdesc *);
struct pf_tag *pf_get_tag(struct mbuf *);
int pf_match_tag(struct mbuf *, struct pf_rule *,
- struct pf_rule *, struct pf_tag *, int *);
+ struct pf_rule *, struct pf_tag **, int *);
void pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
int pf_map_addr(u_int8_t, struct pf_rule *,
@@ -224,6 +232,7 @@
static int pf_add_mbuf_tag(struct mbuf *, u_int);
struct pf_state *pf_find_state_recurse(struct pfi_kif *,
struct pf_state *, u_int8_t);
+int pf_check_congestion(struct ifqueue *);
struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
{ &pf_state_pl, PFSTATE_HIWAT },
@@ -270,6 +279,7 @@
struct pf_state *);
static __inline int pf_state_compare_id(struct pf_state *,
struct pf_state *);
+static __inline int pf_anchor_compare(struct pf_anchor *, struct pf_anchor *);
struct pf_src_tree tree_src_tracking;
@@ -283,6 +293,8 @@
u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
RB_GENERATE(pf_state_tree_id, pf_state,
u.s.entry_id, pf_state_compare_id);
+RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
+RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
static __inline int
pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
@@ -479,6 +491,14 @@
return (0);
}
+static __inline int
+pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b)
+{
+ int c = strcmp(a->path, b->path);
+
+ return (c ? (c < 0 ? -1 : 1) : 0);
+}
+
#ifdef INET6
void
pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
@@ -497,7 +517,7 @@
break;
}
}
-#endif
+#endif /* INET6 */
struct pf_state *
pf_find_state_byid(struct pf_state *key)
@@ -614,7 +634,7 @@
pool_put(&pf_src_tree_pl, *sn);
return (-1);
}
- (*sn)->creation = time.tv_sec;
+ (*sn)->creation = time_second;
(*sn)->ruletype = rule->action;
if ((*sn)->rule.ptr != NULL)
(*sn)->rule.ptr->src_nodes++;
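Review bot: The switch from time.tv_sec to time_second keeps state and source-node expiry keyed to wall-clock seconds, so a backwards clock step (NTP correction, settimeofday) extends every pending expiry by the size of the step and a forward step expires entries early; this hunk and the ones at @@ -739, -760, -773, -799 and -808 all stamp or compare with the same clock. A monotonic source (mono_time, if this tree provides it in seconds) would make the timeouts independent of clock adjustments, but since the stored `creation`/`expire` values are presumably also exported to userland, the change is not local to these lines. At minimum a comment where `creation` is stamped, e.g. `/* wall-clock; state timeouts shift if the system clock is stepped */`, records the trade-off.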
@@ -739,7 +759,7 @@
/* handle all PFTM_* > PFTM_MAX here */
if (state->timeout == PFTM_PURGE)
- return (time.tv_sec);
+ return (time_second);
if (state->timeout == PFTM_UNTIL_PACKET)
return (0);
KASSERT(state->timeout < PFTM_MAX);
@@ -760,7 +780,7 @@
return (state->expire + timeout * (end - states) /
(end - start));
else
- return (time.tv_sec);
+ return (time_second);
}
return (state->expire + timeout);
}
@@ -773,7 +793,7 @@
for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
- if (cur->states <= 0 && cur->expire <= time.tv_sec) {
+ if (cur->states <= 0 && cur->expire <= time_second) {
if (cur->rule.ptr != NULL) {
cur->rule.ptr->src_nodes--;
if (cur->rule.ptr->states <= 0 &&
@@ -799,7 +819,7 @@
if (!timeout)
timeout =
pf_default_rule.timeout[PFTM_SRC_NODE];
- s->src_node->expire = time.tv_sec + timeout;
+ s->src_node->expire = time_second + timeout;
}
}
if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
@@ -808,13 +828,49 @@
if (!timeout)
timeout =
pf_default_rule.timeout[PFTM_SRC_NODE];
- s->nat_src_node->expire = time.tv_sec + timeout;
+ s->nat_src_node->expire = time_second + timeout;
}
}
s->src_node = s->nat_src_node = NULL;
}
void
+pf_purge_expired_state(struct pf_state *cur)
+{
+ if (cur->src.state == PF_TCPS_PROXY_DST)
+ pf_send_tcp(cur->rule.ptr, cur->af,
+ &cur->ext.addr, &cur->lan.addr,
+ cur->ext.port, cur->lan.port,
+ cur->src.seqhi, cur->src.seqlo + 1,
+ TH_RST|TH_ACK, 0, 0, 0, 1, NULL, NULL);
+ RB_REMOVE(pf_state_tree_ext_gwy,
+ &cur->u.s.kif->pfik_ext_gwy, cur);
+ RB_REMOVE(pf_state_tree_lan_ext,
+ &cur->u.s.kif->pfik_lan_ext, cur);
+ RB_REMOVE(pf_state_tree_id, &tree_id, cur);
+#if NPFSYNC
+ pfsync_delete_state(cur);
+#endif
+ pf_src_tree_remove_state(cur);
+ if (--cur->rule.ptr->states <= 0 &&
+ cur->rule.ptr->src_nodes <= 0)
+ pf_rm_rule(NULL, cur->rule.ptr);
+ if (cur->nat_rule.ptr != NULL)
+ if (--cur->nat_rule.ptr->states <= 0 &&
+ cur->nat_rule.ptr->src_nodes <= 0)
+ pf_rm_rule(NULL, cur->nat_rule.ptr);
+ if (cur->anchor.ptr != NULL)
+ if (--cur->anchor.ptr->states <= 0)
+ pf_rm_rule(NULL, cur->anchor.ptr);
+ pf_normalize_tcp_cleanup(cur);
+ pfi_detach_state(cur->u.s.kif);
+ TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates);
+ pool_put(&pf_state_pl, cur);