authorCedric Berger <cedric@cvs.openbsd.org>2003-09-01 10:41:39 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2003-09-01 10:41:39 +0000
commit094d639b6d7809deef5f17c7ba831d2cbee20fce (patch)
treee4966e493a731d94e5423e951f60909a472c8232
parent1f0adacb6132052fd9c02ca50cfdda9cff16cc5b (diff)
Make nat rule update the table counters when no filtering rule is used.
This is mostly to support the new "nat pass" rule. ok dhartmei@ henning@
-rw-r--r--sys/net/pf.c36
1 files changed, 21 insertions, 15 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index a1e690be286..a150df458f9 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.387 2003/08/28 09:41:03 cedric Exp $ */
+/* $OpenBSD: pf.c,v 1.388 2003/09/01 10:41:38 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -4846,7 +4846,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0;
struct ip *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule;
+ struct pf_rule *a = NULL, *r = &pf_default_rule, *tr;
struct pf_state *s = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
@@ -5008,16 +5008,19 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
}
done:
- if (r->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->src.addr.p.tbl,
+ tr = r;
+ if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL)
+ tr = s->nat_rule.ptr;
+ if (tr->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->src.addr.p.tbl,
(s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af,
pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->src.not);
- if (r->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->dst.addr.p.tbl,
+ tr->src.not);
+ if (tr->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->dst.addr.p.tbl,
(s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af,
pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->dst.not);
+ tr->dst.not);
if (action == PF_PASS && h->ip_hl > 5 &&
!((s && s->allow_opts) || r->allow_opts)) {
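Review bot: The nat rule is consulted only when a state exists (`s != NULL` in the new `if` after `done:`), so a packet that matched a nat rule but produced no state is still credited to the default rule's tables; whether that is intended deserves a comment on the `tr = r;` line, e.g. `/* no filter rule matched: credit the nat rule's tables instead (e.g. "nat pass"); requires a state to locate it */`. It is also worth confirming that pd.src/pd.dst still hold the pre-translation addresses at this point — if the translation has already been written into the header, the nat rule's src table is looked up with the post-NAT address and will not count the packet. The same applies to the pf_test6 hunk at @@ -5242. pf_test's body continues outside this hunk on both sides.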
@@ -5070,7 +5073,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0;
struct ip6_hdr *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule;
+ struct pf_rule *a = NULL, *r = &pf_default_rule, *tr;
struct pf_state *s = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
@@ -5242,16 +5245,19 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
}
done:
- if (r->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->src.addr.p.tbl,
+ tr = r;
+ if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL)
+ tr = s->nat_rule.ptr;
+ if (tr->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->src.addr.p.tbl,
(s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af,
pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->src.not);
- if (r->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->dst.addr.p.tbl,
+ tr->src.not);
+ if (tr->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->dst.addr.p.tbl,
(s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af,
pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->dst.not);
+ tr->dst.not);
/* XXX handle IPv6 options, if not allowed. not implemented. */