

[src/trunk]: src/usr.sbin/npf/npfctl Allow filtering on IP addresses even if ...



details:   https://anonhg.NetBSD.org/src/rev/f0e4411c548e
branches:  trunk
changeset: 784837:f0e4411c548e
user:      rmind <rmind%NetBSD.org@localhost>
date:      Mon Feb 11 00:00:20 2013 +0000

description:
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.

diffstat:

 usr.sbin/npf/npfctl/npf_build.c |  40 ++++++++++++++++++++++------------------
 1 files changed, 22 insertions(+), 18 deletions(-)

diffs (136 lines):

diff -r 44c4d35a1eea -r f0e4411c548e usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c   Sun Feb 10 23:58:27 2013 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c   Mon Feb 11 00:00:20 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_build.c,v 1.19 2013/02/10 23:47:37 rmind Exp $     */
+/*     $NetBSD: npf_build.c,v 1.20 2013/02/11 00:00:20 rmind Exp $     */
 
 /*-
  * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.19 2013/02/10 23:47:37 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.20 2013/02/11 00:00:20 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -242,7 +242,7 @@
 
 static int
 npfctl_build_proto(nc_ctx_t *nc, sa_family_t family,
-    const opt_proto_t *op, bool nof, bool nop)
+    const opt_proto_t *op, bool noaddrs, bool noports)
 {
        const npfvar_t *popts = op->op_opts;
        const int proto = op->op_proto;
@@ -262,7 +262,7 @@
                tf = npfvar_get_data(popts, NPFVAR_TCPFLAG, 0);
                tf_mask = npfvar_get_data(popts, NPFVAR_TCPFLAG, 1);
                npfctl_gennc_tcpfl(nc, *tf, *tf_mask);
-               nop = false;
+               noports = false;
                break;
        case IPPROTO_UDP:
                pflag = NC_MATCH_UDP;
@@ -271,7 +271,7 @@
                /*
                 * Build ICMP block.
                 */
-               if (!nop) {
+               if (!noports) {
                        goto invop;
                }
                assert(npfvar_get_count(popts) == 2);
@@ -280,13 +280,13 @@
                icmp_type = npfvar_get_data(popts, NPFVAR_ICMP, 0);
                icmp_code = npfvar_get_data(popts, NPFVAR_ICMP, 1);
                npfctl_gennc_icmp(nc, *icmp_type, *icmp_code);
-               nop = false;
+               noports = false;
                break;
        case IPPROTO_ICMPV6:
                /*
                 * Build ICMP block.
                 */
-               if (!nop) {
+               if (!noports) {
                        goto invop;
                }
                assert(npfvar_get_count(popts) == 2);
@@ -295,17 +295,18 @@
                icmp6_type = npfvar_get_data(popts, NPFVAR_ICMP6, 0);
                icmp6_code = npfvar_get_data(popts, NPFVAR_ICMP6, 1);
                npfctl_gennc_icmp6(nc, *icmp6_type, *icmp6_code);
-               nop = false;
+               noports = false;
                break;
        case -1:
                pflag = NC_MATCH_TCP | NC_MATCH_UDP;
-               nop = false;
+               noports = false;
                break;
        default:
                /*
-                * No filter options are supported for other protcols.
+                * No filter options are supported for other protocols,
+                * only the IP addresses are allowed.
                 */
-               if (nof && nop) {
+               if (noports) {
                        break;
                }
 invop:
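Review bot: The relaxed guard `if (noports)` in the `default:` case tests only the port state, while the comment just above it now says that only IP addresses are allowed for other protocols; nothing visible in this hunk rejects protocol options (`popts`, taken from `op->op_opts` at the top of npfctl_build_proto) for such a protocol, so if the parser can attach options to an unknown L4 protocol they would be silently dropped rather than reaching `invop`. Consider tightening it to `if (noports && popts == NULL) { break; }` so the comment and the check agree; the caller's early return in a later hunk tests `!op->op_opts`, which suggests `op_opts` is NULL when no options were given, but that should be confirmed against the parser. The switch and the `invop:` error path close outside this hunk.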
@@ -316,7 +317,7 @@
         * Build the protocol block, unless other blocks will implicitly
         * perform the family/protocol checks for us.
         */
-       if ((family != AF_UNSPEC && nof) || (proto != -1 && nop)) {
+       if ((family != AF_UNSPEC && noaddrs) || (proto != -1 && noports)) {
                uint8_t addrlen;
 
                switch (family) {
@@ -329,7 +330,9 @@
                default:
                        addrlen = 0;
                }
-               npfctl_gennc_proto(nc, nof ? addrlen : 0, nop ? proto : 0xff);
+               npfctl_gennc_proto(nc,
+                   noaddrs ? addrlen : 0,
+                   noports ? proto : 0xff);
        }
        return pflag;
 }
@@ -341,7 +344,7 @@
        const addr_port_t *apfrom = &fopts->fo_from;
        const addr_port_t *apto = &fopts->fo_to;
        const int proto = op->op_proto;
-       bool nof, nop;
+       bool noaddrs, noports;
        nc_ctx_t *nc;
        void *code;
        size_t len;
@@ -349,9 +352,10 @@
        /*
         * If none specified, no n-code.
         */
-       nof = !apfrom->ap_netaddr && !apto->ap_netaddr;
-       nop = !apfrom->ap_portrange && !apto->ap_portrange;
-       if (family == AF_UNSPEC && proto == -1 && !op->op_opts && nof && nop)
+       noaddrs = !apfrom->ap_netaddr && !apto->ap_netaddr;
+       noports = !apfrom->ap_portrange && !apto->ap_portrange;
+       if (family == AF_UNSPEC && proto == -1 && !op->op_opts &&
+           noaddrs && noports)
                return false;
 
        int srcflag = NC_MATCH_SRC;
@@ -365,7 +369,7 @@
        nc = npfctl_ncgen_create();
 
        /* Build layer 4 protocol blocks. */
-       int pflag = npfctl_build_proto(nc, family, op, nof, nop);
+       int pflag = npfctl_build_proto(nc, family, op, noaddrs, noports);
 
        /* Build IP address blocks. */
        npfctl_build_vars(nc, family, apfrom->ap_netaddr, srcflag);


