Source-Changes-HG archive
[src/trunk]: src/sys/net/npf - Explain the magic in npf_tcpfl2case().
details: https://anonhg.NetBSD.org/src/rev/7cc13c113dcc
branches: trunk
changeset: 771920:7cc13c113dcc
user: rmind <rmind%NetBSD.org@localhost>
date: Thu Dec 08 23:36:57 2011 +0000
description:
- Explain the magic in npf_tcpfl2case().
- Use __unused instead of (void)cast; fix comment.
diffstat:
sys/net/npf/npf_ruleset.c | 7 +++----
sys/net/npf/npf_state_tcp.c | 25 ++++++++++++++++++++-----
2 files changed, 23 insertions(+), 9 deletions(-)
diffs (89 lines):
diff -r 1c2aa1f7844c -r 7cc13c113dcc sys/net/npf/npf_ruleset.c
--- a/sys/net/npf/npf_ruleset.c Thu Dec 08 22:36:42 2011 +0000
+++ b/sys/net/npf/npf_ruleset.c Thu Dec 08 23:36:57 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ruleset.c,v 1.7 2011/02/02 02:20:25 rmind Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.7 2011/02/02 02:20:25 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -306,7 +306,7 @@
{
npf_rule_t *rl;
const char *rname;
- int errat;
+ int errat __unused;
/* Allocate a rule structure. */
rl = kmem_alloc(sizeof(npf_rule_t), KM_SLEEP);
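Review bot: `int errat __unused;` marks a variable that is not actually unused, since the KASSERT() a few lines further down still passes `&errat` to npf_ncode_validate() whenever assertions are compiled in. The attribute only matters for builds where KASSERT() expands to nothing, so a one-line comment beside the declaration saying that would keep a later reader from deleting the variable or the argument.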
@@ -316,7 +316,6 @@
rl->r_natp = NULL;
/* N-code. */
- (void)errat;
KASSERT(nc == NULL || npf_ncode_validate(nc, nc_size, &errat) == 0);
rl->r_ncode = nc;
rl->r_nc_size = nc_size;
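Review bot: the only n-code validation visible in this function is the one inside `KASSERT(nc == NULL || npf_ncode_validate(nc, nc_size, &errat) == 0);`, which is compiled out on kernels built without DIAGNOSTIC, while `rl->r_ncode = nc;` stores the buffer regardless. If the caller is expected to have validated the n-code already, the `/* N-code. */` comment should say so; otherwise the check belongs in an unconditional `if` with an error return rather than in an assertion.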
diff -r 1c2aa1f7844c -r 7cc13c113dcc sys/net/npf/npf_state_tcp.c
--- a/sys/net/npf/npf_state_tcp.c Thu Dec 08 22:36:42 2011 +0000
+++ b/sys/net/npf/npf_state_tcp.c Thu Dec 08 23:36:57 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_state_tcp.c,v 1.2 2011/12/05 00:34:25 rmind Exp $ */
+/* $NetBSD: npf_state_tcp.c,v 1.3 2011/12/08 23:36:57 rmind Exp $ */
/*-
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.2 2011/12/05 00:34:25 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.3 2011/12/08 23:36:57 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -115,9 +115,24 @@
{
u_int i, c;
+ CTASSERT(TH_FIN == 0x01);
+ CTASSERT(TH_SYN == 0x02);
+ CTASSERT(TH_ACK == 0x10);
+
/*
- * Magic value maps flag combinations to TCPFC case numbers.
- * Other cases are zero. Note: FIN-ACK is mapped to FIN.
+ * Flags are shifted to use three least significant bits, thus each
+ * flag combination has a unique number ranging from 0 to 7, e.g.
+ * TH_SYN | TH_ACK has number 6, since (0x02 | (0x10 >> 2)) == 6.
+ * However, the requirement is to have number 0 for invalid cases,
+ * such as TH_SYN | TH_FIN, and to have the same number for TH_FIN
+ * and TH_FIN|TH_ACK cases. Thus, we generate a mask assigning 3
+ * bits for each number, which contains the actual case numbers:
+ *
+ * TCPFC_SYNACK << (6 << 2) == 0x2000000 (6 - SYN,ACK)
+ * TCPFC_FIN << (5 << 2) == 0x0400000 (5 - FIN,ACK)
+ * ...
+ *
+ * Hence, OR'ed mask value is 0x2430140.
*/
i = (tcpfl & (TH_SYN | TH_FIN)) | ((tcpfl & TH_ACK) >> 2);
c = (0x2430140 >> (i << 2)) & 7;
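Review bot: the new comment says the mask assigns "3 bits for each number", but the lookup `(0x2430140 >> (i << 2)) & 7` and both worked lines (`<< (6 << 2)`, `<< (5 << 2)`) use a 4-bit stride, with only the low 3 bits of each slot read back; the comment should say 4-bit slots holding 3-bit case numbers. The `...` also leaves out the entries for indices 1, 2 and 4, so the literal cannot be checked from the comment alone: list every slot, or build the constant from the TCPFC_* names shifted by their index so it is verifiable by inspection. The three CTASSERTs pin the TH_* bit positions only; nothing in the hunk pins the TCPFC_* values that the literal encodes, so a CTASSERT on those (or on the composed constant equalling 0x2430140) would close the same gap from the other side.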
@@ -291,7 +306,7 @@
* Rooij G., "Real stateful TCP packet filtering in IP Filter",
* 10th USENIX Security Symposium invited talk, Aug. 2001.
*
- * There four boundaries are defined as following:
+ * There are four boundaries defined as following:
* I) SEQ + LEN <= MAX { SND.ACK + MAX(SND.WIN, 1) }
* II) SEQ >= MAX { SND.SEQ + SND.LEN - MAX(RCV.WIN, 1) }
* III) ACK <= MAX { RCV.SEQ + RCV.LEN }