author | Cedric Berger <cedric@cvs.openbsd.org> | 2003-09-01 10:41:39 +0000 |
---|---|---|
committer | Cedric Berger <cedric@cvs.openbsd.org> | 2003-09-01 10:41:39 +0000 |
commit | 094d639b6d7809deef5f17c7ba831d2cbee20fce (patch) | |
tree | e4966e493a731d94e5423e951f60909a472c8232 | |
parent | 1f0adacb6132052fd9c02ca50cfdda9cff16cc5b (diff) |
Make nat rule update the table counters when no filtering rule is used.
This is mostly to support the new "nat pass" rule.
ok dhartmei@ henning@
-rw-r--r-- | sys/net/pf.c | 36 |
1 files changed, 21 insertions, 15 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index a1e690be286..a150df458f9 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.387 2003/08/28 09:41:03 cedric Exp $ */
+/* $OpenBSD: pf.c,v 1.388 2003/09/01 10:41:38 cedric Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -4846,7 +4846,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
 u_short action, reason = 0, log = 0;
 struct mbuf *m = *m0;
 struct ip *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule;
+ struct pf_rule *a = NULL, *r = &pf_default_rule, *tr;
 struct pf_state *s = NULL;
 struct pf_ruleset *ruleset = NULL;
 struct pf_pdesc pd;
@@ -5008,16 +5008,19 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
 }
 
 done:
- if (r->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->src.addr.p.tbl,
+ tr = r;
+ if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL)
+ tr = s->nat_rule.ptr;
+ if (tr->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->src.addr.p.tbl,
 (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af,
 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->src.not);
+ tr->src.not);
- if (r->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->dst.addr.p.tbl,
+ if (tr->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->dst.addr.p.tbl,
 (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af,
 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->dst.not);
+ tr->dst.not);
 
 if (action == PF_PASS && h->ip_hl > 5 &&
 !((s && s->allow_opts) || r->allow_opts)) {
@@ -5070,7 +5073,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
 u_short action, reason = 0, log = 0;
 struct mbuf *m = *m0;
 struct ip6_hdr *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule;
+ struct pf_rule *a = NULL, *r = &pf_default_rule, *tr;
 struct pf_state *s = NULL;
 struct pf_ruleset *ruleset = NULL;
 struct pf_pdesc pd;
@@ -5242,16 +5245,19 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
 }
 
 done:
- if (r->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->src.addr.p.tbl,
+ tr = r;
+ if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL)
+ tr = s->nat_rule.ptr;
+ if (tr->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->src.addr.p.tbl,
 (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af,
 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->src.not);
+ tr->src.not);
- if (r->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(r->dst.addr.p.tbl,
+ if (tr->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->dst.addr.p.tbl,
 (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af,
 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- r->dst.not);
+ tr->dst.not);
 
 /* XXX handle IPv6 options, if not allowed. not implemented. */
 
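Review bot: In the `@@ -5008,16 +5008,19 @@` hunk the pass flag handed to pfr_update_stats() is still `r->action == PF_PASS` while the table, the address side and the negation flag now come from `tr`, so when the nat rule is charged the counters record the default rule's verdict; that reads as intentional, since r is the rule that carries the filter decision, but it is the one mixed use of r and tr in the block and deserves a comment above `tr = r;` such as `/* Charge table hits to the nat rule when only the default rule matched; r still supplies the pass/block flag. */`. The identical three-line selection and both update calls are repeated verbatim in the pf_test6 hunk (`@@ -5242,16 +5245,19 @@`), so a small static helper taking r, s, dir and the pf_pdesc would keep the two copies from drifting. One thing to confirm: pd.src and pd.dst are presumably the header addresses as they stand at `done:`; if translation has already rewritten them by then, the nat rule's table is looked up with the post-translation address rather than the one the rule matched against, which would skew the per-address counters. pf_test's body continues outside the hunk.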