author | Henning Brauer <henning@cvs.openbsd.org> | 2010-06-27 01:39:44 +0000 |
committer | Henning Brauer <henning@cvs.openbsd.org> | 2010-06-27 01:39:44 +0000 |
commit | e27daf9a5459e72ae53b8dd3d5594bfa9f875b46 (patch) | |
tree | e38c512598731ae417adbbdbb2ca9c6e7d701037 | |
parent | 020ba06d0fd1f2501bd51824a3c45c9a803f00a9 (diff) |
stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while
walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 separately all the time, also shrinks the argument
count for a few functions that have/partially had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing
-rw-r--r-- | sys/net/pf.c | 95 | ||||
-rw-r--r-- | sys/net/pf_lb.c | 79 | ||||
-rw-r--r-- | sys/net/pfvar.h | 14 |
3 files changed, 88 insertions, 100 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 0a196fe2600..c78c82da080 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.691 2010/05/07 13:33:16 claudio Exp $ */ +/* $OpenBSD: pf.c,v 1.692 2010/06/27 01:39:43 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -168,11 +168,11 @@ int pf_test_rule(struct pf_rule **, struct pf_state **, static __inline int pf_create_state(struct pf_rule *, struct pf_rule *, struct pf_pdesc *, struct pf_state_key **, struct pf_state_key **, struct mbuf *, int, - struct pf_addr *, u_int16_t, struct pf_addr *, - u_int16_t, int *, struct pfi_kif *, - struct pf_state **, int, u_int16_t, u_int16_t, - int, struct pf_rule_slist *, + int *, struct pfi_kif *, struct pf_state **, int, + u_int16_t, u_int16_t, int, struct pf_rule_slist *, struct pf_rule_actions *, struct pf_src_node *[]); +int pf_state_key_setup(struct pf_pdesc *, struct + pf_state_key **, struct pf_state_key **, int); void pf_translate(struct pf_pdesc *, struct pf_addr *, u_int16_t, struct pf_addr *, u_int16_t, u_int16_t, int, struct mbuf *, int); @@ -826,10 +826,8 @@ pf_alloc_state_key(int pool_flags) } int -pf_state_key_setup(struct pf_pdesc *pd, - struct pf_state_key **skw, struct pf_state_key **sks, - struct pf_addr **saddr, struct pf_addr **daddr, - u_int16_t *sport, u_int16_t *dport, int rtableid) +pf_state_key_setup(struct pf_pdesc *pd, struct pf_state_key **skw, + struct pf_state_key **sks, int rtableid) { /* if returning error we MUST pool_put state keys ourselves */ struct pf_state_key *sk1, *sk2; 
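Review bot: `pf_state_key_setup` is now declared only in pf.c (the new prototype in the @@ -168 hunk, with the pfvar.h declaration dropped in the last file of this diff), yet its definition in the @@ -826 hunk stays a plain `int`, so it remains an exported kernel symbol that no header declares. If nothing outside pf.c calls it, both the prototype and the definition should read `static int pf_state_key_setup(...)`; if some other file does call it, the declaration belongs back in pfvar.h. Style nit in the same prototype: the continuation splits the type name as `struct` / `pf_state_key **` across two lines; break after the comma instead, `int pf_state_key_setup(struct pf_pdesc *, struct pf_state_key **,` / `    struct pf_state_key **, int);`.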
@@ -848,18 +846,18 @@ pf_state_key_setup(struct pf_pdesc *pd, if (rtableid >= 0) wrdom = rtable_l2(rtableid); - if (PF_ANEQ(*saddr, pd->src, pd->af) || - PF_ANEQ(*daddr, pd->dst, pd->af) || - *sport != pd->osport || *dport != pd->odport || + if (PF_ANEQ(&pd->nsaddr, pd->src, pd->af) || + PF_ANEQ(&pd->ndaddr, pd->dst, pd->af) || + pd->nsport != pd->osport || pd->ndport != pd->odport || wrdom != pd->rdomain) { /* NAT */ if ((sk2 = pf_alloc_state_key(PR_NOWAIT | PR_ZERO)) == NULL) { pool_put(&pf_state_key_pl, sk1); return (ENOMEM); } - PF_ACPY(&sk2->addr[pd->sidx], *saddr, pd->af); - PF_ACPY(&sk2->addr[pd->didx], *daddr, pd->af); - sk2->port[pd->sidx] = *sport; - sk2->port[pd->didx] = *dport; + PF_ACPY(&sk2->addr[pd->sidx], &pd->nsaddr, pd->af); + PF_ACPY(&sk2->addr[pd->didx], &pd->ndaddr, pd->af); + sk2->port[pd->sidx] = pd->nsport; + sk2->port[pd->didx] = pd->ndport; sk2->proto = pd->proto; sk2->af = pd->af; sk2->rdomain = wrdom; @@ -2736,7 +2734,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, struct ifqueue *ifq) { struct pf_rule *lastr = NULL; - struct pf_addr saddr, daddr; sa_family_t af = pd->af; struct pf_rule *r, *a = NULL; struct pf_ruleset *ruleset = NULL; @@ -2752,12 +2749,12 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, int asd = 0; int match = 0; int state_icmp = 0, icmp_dir, multi; - u_int16_t sport, dport, virtual_type, virtual_id; + u_int16_t virtual_type, virtual_id; u_int16_t bproto_sum = 0, bip_sum; u_int8_t icmptype = 0, icmpcode = 0; - PF_ACPY(&saddr, pd->src, pd->af); - PF_ACPY(&daddr, pd->dst, pd->af); + PF_ACPY(&pd->nsaddr, pd->src, pd->af); + PF_ACPY(&pd->ndaddr, pd->dst, pd->af); bzero(&act, sizeof(act)); bzero(sns, sizeof(sns)); 
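Review bot: The comparison at the top of the @@ -848 hunk now reads `pd->nsaddr`, `pd->ndaddr`, `pd->nsport` and `pd->ndport` instead of explicit arguments, so pf_state_key_setup silently depends on the caller having initialised those four fields before the call, and neither the function nor its existing comment says so. I would add a line next to the existing pool_put comment: `/* pd->ns{addr,port}/nd{addr,port} must already hold the post-translation tuple (pf_test_rule seeds them, pf_get_transaddr rewrites them); a second (NAT) key is built only when they differ from src/dst/osport/odport or the rdomain changes */`. pf_state_key_setup's body starts in the previous hunk and continues past this one.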
@@ -2771,13 +2768,13 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, switch (pd->proto) { case IPPROTO_TCP: - sport = th->th_sport; - dport = th->th_dport; + pd->nsport = th->th_sport; + pd->ndport = th->th_dport; hdrlen = sizeof(*th); break; case IPPROTO_UDP: - sport = pd->hdr.udp->uh_sport; - dport = pd->hdr.udp->uh_dport; + pd->nsport = pd->hdr.udp->uh_sport; + pd->ndport = pd->hdr.udp->uh_dport; hdrlen = sizeof(*pd->hdr.udp); break; #ifdef INET @@ -2790,11 +2787,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, state_icmp = pf_icmp_mapping(pd, icmptype, &icmp_dir, &multi, &virtual_id, &virtual_type); if (icmp_dir == PF_IN) { - sport = virtual_id; - dport = virtual_type; + pd->nsport = virtual_id; + pd->ndport = virtual_type; } else { - sport = virtual_type; - dport = virtual_id; + pd->nsport = virtual_type; + pd->ndport = virtual_id; } break; #endif /* INET */ @@ -2808,21 +2805,21 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, state_icmp = pf_icmp_mapping(pd, icmptype, &icmp_dir, &multi, &virtual_id, &virtual_type); if (icmp_dir == PF_IN) { - sport = virtual_id; - dport = virtual_type; + pd->nsport = virtual_id; + pd->ndport = virtual_type; } else { - sport = virtual_type; - dport = virtual_id; + pd->nsport = virtual_type; + pd->ndport = virtual_id; } break; #endif /* INET6 */ default: - sport = dport = hdrlen = 0; + pd->nsport = pd->ndport = hdrlen = 0; break; } - pd->osport = sport; - pd->odport = dport; + pd->osport = pd->nsport; + pd->odport = pd->ndport; r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr); while (r != NULL) { 
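Review bot: `pd->osport = pd->nsport; pd->odport = pd->ndport;` at the end of the @@ -2805 hunk reads as if the original ports were derived from the translated ones; at this point nsport/ndport still hold the untranslated ports, since the switch above fills them straight from the TCP/UDP/ICMP headers. A comment on those two lines would make the intent clear: `/* ns{addr,port}/nd{addr,port} start out as the untranslated tuple; pf_get_transaddr rewrites them in place */`. pf_test_rule's body continues beyond this hunk.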
@@ -2835,19 +2832,19 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, r = r->skip[PF_SKIP_AF].ptr; else if (r->proto && r->proto != pd->proto) r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, &saddr, af, + else if (PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, af, r->src.neg, kif, act.rtableid)) r = r->skip[PF_SKIP_SRC_ADDR].ptr; /* tcp/udp only. port_op always 0 in other cases */ else if (r->src.port_op && !pf_match_port(r->src.port_op, - r->src.port[0], r->src.port[1], sport)) + r->src.port[0], r->src.port[1], pd->nsport)) r = r->skip[PF_SKIP_SRC_PORT].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, &daddr, af, + else if (PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, af, r->dst.neg, NULL, act.rtableid)) r = r->skip[PF_SKIP_DST_ADDR].ptr; /* tcp/udp only. port_op always 0 in other cases */ else if (r->dst.port_op && !pf_match_port(r->dst.port_op, - r->dst.port[0], r->dst.port[1], dport)) + r->dst.port[0], r->dst.port[1], pd->ndport)) r = r->skip[PF_SKIP_DST_PORT].ptr; /* icmp only. type always 0 in other cases */ else if (r->type && r->type != icmptype + 1) @@ -2902,9 +2899,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, /* order is irrelevant */ SLIST_INSERT_HEAD(&rules, ri, entry); pf_rule_to_actions(r, &act); - if (pf_get_transaddr(r, pd, - &saddr, &sport, &daddr, &dport, - sns) == -1) { + if (pf_get_transaddr(r, pd, sns) == + -1) { REASON_SET(&reason, PFRES_MEMORY); goto cleanup; @@ -2934,8 +2930,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, /* apply actions for last matching rule */ if (lastr && lastr->action != PF_MATCH) { pf_rule_to_actions(lastr, &act); - if (pf_get_transaddr(lastr, pd, &saddr, &sport, &daddr, - &dport, sns) == -1) { + if (pf_get_transaddr(lastr, pd, sns) == -1) { REASON_SET(&reason, PFRES_MEMORY); goto cleanup; } 
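Review bot: In the @@ -2899 hunk the call is wrapped as `if (pf_get_transaddr(r, pd, sns) ==` / `-1) {`, leaving a lone `-1)` on its own line although the whole condition very likely fits within 80 columns at that nesting depth; the @@ -2930 hunk writes the same test on one line as `if (pf_get_transaddr(lastr, pd, sns) == -1) {`, and the first call should match it. Both hunks belong to pf_test_rule, whose body extends beyond them.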
@@ -3024,9 +3019,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, goto cleanup; } - action = pf_create_state(r, a, pd, &skw, &sks, m, - off, &saddr, sport, &daddr, dport, &rewrite, kif, sm, tag, - bproto_sum, bip_sum, hdrlen, &rules, &act, sns); + action = pf_create_state(r, a, pd, &skw, &sks, m, off, + &rewrite, kif, sm, tag, bproto_sum, bip_sum, hdrlen, + &rules, &act, sns); if (action != PF_PASS) return (action); @@ -3082,8 +3077,7 @@ cleanup: static __inline int pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd, struct pf_state_key **skw, struct pf_state_key **sks, struct mbuf *m, - int off, struct pf_addr *saddr, u_int16_t sport, struct pf_addr *daddr, - u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm, + int off, int *rewrite, struct pfi_kif *kif, struct pf_state **sm, int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen, struct pf_rule_slist *rules, struct pf_rule_actions *act, struct pf_src_node *sns[PF_SN_MAX]) @@ -3199,8 +3193,7 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd, } s->direction = pd->dir; - if (pf_state_key_setup(pd, skw, sks, &saddr, &daddr, &sport, &dport, - act->rtableid)) { + if (pf_state_key_setup(pd, skw, sks, act->rtableid)) { REASON_SET(&reason, PFRES_MEMORY); goto csfailed; } diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c index 7e9bc93ebcd..b80ac0da564 100644 --- a/sys/net/pf_lb.c +++ b/sys/net/pf_lb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_lb.c,v 1.12 2010/02/04 14:10:12 sthen Exp $ */ +/* $OpenBSD: pf_lb.c,v 1.13 2010/06/27 01:39:43 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
@@ -100,10 +100,9 @@ void pf_hash(struct pf_addr *, struct pf_addr *, struct pf_poolhashkey *, sa_family_t); -int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, - struct pf_addr *, u_int16_t, struct pf_addr *, - u_int16_t, struct pf_addr *, u_int16_t *, - u_int16_t, u_int16_t, struct pf_src_node **, int); +int pf_get_sport(struct pf_pdesc *, struct pf_rule *, + struct pf_addr *, u_int16_t *, u_int16_t, + u_int16_t, struct pf_src_node **); #define mix(a,b,c) \ do { \ @@ -163,24 +162,22 @@ pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, } int -pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, - struct pf_addr *saddr, u_int16_t sport, - struct pf_addr *daddr, u_int16_t dport, +pf_get_sport(struct pf_pdesc *pd, struct pf_rule *r, struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, - struct pf_src_node **sn, int rdomain) + struct pf_src_node **sn) { struct pf_state_key_cmp key; struct pf_addr init_addr; u_int16_t cut; bzero(&init_addr, sizeof(init_addr)); - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn, &r->nat, + if (pf_map_addr(pd->af, r, &pd->nsaddr, naddr, &init_addr, sn, &r->nat, PF_SN_NAT)) return (1); - if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) { - if (dport == htons(ICMP6_ECHO_REQUEST) || - dport == htons(ICMP_ECHO)) { + if (pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6) { + if (pd->ndport == htons(ICMP6_ECHO_REQUEST) || + pd->ndport == htons(ICMP_ECHO)) { low = 1; high = 65535; } else 
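Review bot: pf_get_sport now reads `pd->nsaddr` as the address to map and `pd->ndaddr`/`pd->ndport` for the state-key collision check (the @@ -162 hunk and the key setup in the next hunk), which ties its correctness to being called before the rdr step of pf_get_transaddr rewrites ndaddr/ndport; with the old explicit arguments that ordering was visible at the call site, now it is not. A header comment above the definition should state that the function reads the current pd->nsaddr/ndaddr/ndport, hence must run before any rdr rewrite, and that it returns 0 with *naddr/*nport filled in or 1 when the pool or the port range is exhausted. The function's body continues past this hunk.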
@@ -188,30 +185,30 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, } do { - key.af = af; - key.proto = proto; - key.rdomain = rdomain; - PF_ACPY(&key.addr[0], daddr, key.af); + key.af = pd->af; + key.proto = pd->proto; + key.rdomain = pd->rdomain; + PF_ACPY(&key.addr[0], &pd->ndaddr, key.af); PF_ACPY(&key.addr[1], naddr, key.af); - key.port[0] = dport; + key.port[0] = pd->ndport; /* * port search; start random, step; * similar 2 portloop in in_pcbbind */ - if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP || - proto == IPPROTO_ICMP)) { + if (!(pd->proto == IPPROTO_TCP || pd->proto == IPPROTO_UDP || + pd->proto == IPPROTO_ICMP)) { /* XXX bug: icmp states dont use the id on both * XXX sides (traceroute -I through nat) */ - key.port[1] = sport; + key.port[1] = pd->nsport; if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { - *nport = sport; + *nport = pd->nsport; return (0); } } else if (low == 0 && high == 0) { - key.port[1] = sport; + key.port[1] = pd->nsport; if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { - *nport = sport; + *nport = pd->nsport; return (0); } } else if (low == high) { @@ -234,7 +231,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, for (tmp = cut; tmp <= high; ++(tmp)) { key.port[1] = htons(tmp); if (pf_find_state_all(&key, PF_IN, NULL) == - NULL && !in_baddynamic(tmp, proto)) { + NULL && !in_baddynamic(tmp, pd->proto)) { *nport = htons(tmp); return (0); } @@ -242,7 +239,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, for (tmp = cut - 1; tmp >= low; --(tmp)) { key.port[1] = htons(tmp); if (pf_find_state_all(&key, PF_IN, NULL) == - NULL && !in_baddynamic(tmp, proto)) { + NULL && !in_baddynamic(tmp, pd->proto)) { *nport = htons(tmp); return (0); } 
@@ -252,8 +249,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, switch (r->nat.opts & PF_POOL_TYPEMASK) { case PF_POOL_RANDOM: case PF_POOL_ROUNDROBIN: - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn, - &r->nat, PF_SN_NAT)) + if (pf_map_addr(pd->af, r, &pd->nsaddr, naddr, + &init_addr, sn, &r->nat, PF_SN_NAT)) return (1); break; case PF_POOL_NONE: @@ -262,7 +259,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, default: return (1); } - } while (! PF_AEQ(&init_addr, naddr, af) ); + } while (! PF_AEQ(&init_addr, naddr, pd->af) ); return (1); /* none available */ } @@ -424,8 +421,7 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, } int -pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr, - u_int16_t *sport, struct pf_addr *daddr, u_int16_t *dport, +pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_src_node **sns) { struct pf_addr naddr; 
@@ -434,30 +430,29 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr, if (r->nat.addr.type != PF_ADDR_NONE) { /* XXX is this right? what if rtable is changed at the same * XXX time? where do I need to figure out the sport? */ - if (pf_get_sport(pd->af, pd->proto, r, saddr, *sport, - daddr, *dport, &naddr, &nport, r->nat.proxy_port[0], - r->nat.proxy_port[1], sns, pd->rdomain)) { + if (pf_get_sport(pd, r, &naddr, &nport, + r->nat.proxy_port[0], r->nat.proxy_port[1], sns)) { DPFPRINTF(LOG_NOTICE, "pf: NAT proxy port allocation (%u-%u) failed", r->nat.proxy_port[0], r->nat.proxy_port[1]); return (-1); } - PF_ACPY(saddr, &naddr, pd->af); - *sport = nport; + PF_ACPY(&pd->nsaddr, &naddr, pd->af); + pd->nsport = nport; } if (r->rdr.addr.type != PF_ADDR_NONE) { - if (pf_map_addr(pd->af, r, saddr, &naddr, NULL, sns, &r->rdr, - PF_SN_RDR)) + if (pf_map_addr(pd->af, r, &pd->nsaddr, &naddr, NULL, sns, + &r->rdr, PF_SN_RDR)) return (-1); if ((r->rdr.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK) PF_POOLMASK(&naddr, &naddr, &r->rdr.addr.v.a.mask, - daddr, pd->af); + &pd->ndaddr, pd->af); if (r->rdr.proxy_port[1]) { u_int32_t tmp_nport; - tmp_nport = ((ntohs(*dport) - + tmp_nport = ((ntohs(pd->ndport) - ntohs(r->dst.port[0])) % (r->rdr.proxy_port[1] - r->rdr.proxy_port[0] + 1)) + @@ -470,9 +465,9 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr, } else if (r->rdr.proxy_port[0]) nport = htons(r->rdr.proxy_port[0]); - PF_ACPY(daddr, &naddr, pd->af); + PF_ACPY(&pd->ndaddr, &naddr, pd->af); if (nport) - *dport = nport; + pd->ndport = nport; } return (0); diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index c1093556d67..8c91ce7ca46 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.309 2010/05/07 13:33:16 claudio Exp $ */ +/* $OpenBSD: pfvar.h,v 1.310 2010/06/27 01:39:43 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
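Review bot: pf_get_transaddr now returns its results by rewriting `pd->nsaddr`/`pd->nsport` in the nat block and `pd->ndaddr`/`pd->ndport` in the rdr block, which the old pointer parameters made explicit and the new signature `(struct pf_rule *, struct pf_pdesc *, struct pf_src_node **)` does not. The function has no header comment; I would add one above its definition saying that it applies r's nat and rdr pools to the tuple currently held in pd->ns*/nd*, updates those fields on success, and returns -1 leaving the failing step's fields untouched when pf_get_sport or pf_map_addr fails. As far as the @@ -2899 and @@ -2930 hunks of pf.c show, the rewritten fields are carried in pd from one match rule's call to the next, so the comment should also say that translations accumulate across the ruleset walk.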
@@ -1196,6 +1196,9 @@ struct pf_pdesc { void *any; } hdr; + struct pf_addr nsaddr; /* src address after NAT */ + struct pf_addr ndaddr; /* dst address after NAT */ + struct ether_header *eh; struct pf_addr *src; /* src address */ @@ -1204,6 +1207,8 @@ struct pf_pdesc { u_int16_t *dport; u_int16_t osport; u_int16_t odport; + u_int16_t nsport; /* src port after NAT */ + u_int16_t ndport; /* dst port after NAT */ u_int32_t p_len; /* total length of payload */ @@ -1925,18 +1930,13 @@ int pf_step_out_of_anchor(int *, struct pf_ruleset **, int *); int pf_get_transaddr(struct pf_rule *, struct pf_pdesc *, - struct pf_addr *, u_int16_t *, struct pf_addr *, - u_int16_t *, struct pf_src_node **); + struct pf_src_node **); int pf_map_addr(sa_family_t, struct pf_rule *, struct pf_addr *, struct pf_addr *, struct pf_addr *, struct pf_src_node **, struct pf_pool *, enum pf_sn_types); -int pf_state_key_setup(struct pf_pdesc *, - struct pf_state_key **, struct pf_state_key **, - struct pf_addr **, struct pf_addr **, - u_int16_t *, u_int16_t *, int); #endif /* _KERNEL */ |
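Review bot: The new pf_pdesc fields are commented only as "after NAT", but elsewhere in this diff they are first seeded with the untranslated tuple by pf_test_rule, overwritten later by pf_get_transaddr, and pf_state_key_setup tells the two situations apart by comparing them with src/dst/osport/odport. Comments that capture that lifecycle would save the next reader a trip through pf.c, e.g. `struct pf_addr nsaddr; /* src address after NAT; equals *src until pf_get_transaddr rewrites it */`, with the matching wording on ndaddr, nsport and ndport.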