authorHenning Brauer <henning@cvs.openbsd.org>2010-06-27 01:39:44 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2010-06-27 01:39:44 +0000
commite27daf9a5459e72ae53b8dd3d5594bfa9f875b46 (patch)
treee38c512598731ae417adbbdbb2ca9c6e7d701037
parent020ba06d0fd1f2501bd51824a3c45c9a803f00a9 (diff)
stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while
walking the ruleset and up until state is fully set up) into pf_pdesc instead of passing around those 4 separately all the time, also shrinks the argument count for a few functions that have/partially had an insane count of arguments. kinda preparational since we'll need them elsewhere too, soon ok ryan jsing
-rw-r--r--sys/net/pf.c95
-rw-r--r--sys/net/pf_lb.c79
-rw-r--r--sys/net/pfvar.h14
3 files changed, 88 insertions, 100 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 0a196fe2600..c78c82da080 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.691 2010/05/07 13:33:16 claudio Exp $ */
+/* $OpenBSD: pf.c,v 1.692 2010/06/27 01:39:43 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -168,11 +168,11 @@ int pf_test_rule(struct pf_rule **, struct pf_state **,
static __inline int pf_create_state(struct pf_rule *, struct pf_rule *,
struct pf_pdesc *, struct pf_state_key **,
struct pf_state_key **, struct mbuf *, int,
- struct pf_addr *, u_int16_t, struct pf_addr *,
- u_int16_t, int *, struct pfi_kif *,
- struct pf_state **, int, u_int16_t, u_int16_t,
- int, struct pf_rule_slist *,
+ int *, struct pfi_kif *, struct pf_state **, int,
+ u_int16_t, u_int16_t, int, struct pf_rule_slist *,
struct pf_rule_actions *, struct pf_src_node *[]);
+int pf_state_key_setup(struct pf_pdesc *, struct
+ pf_state_key **, struct pf_state_key **, int);
void pf_translate(struct pf_pdesc *, struct pf_addr *,
u_int16_t, struct pf_addr *, u_int16_t, u_int16_t,
int, struct mbuf *, int);
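Review bot: The new pf_state_key_setup() prototype added here replaces the one this commit removes from pfvar.h (the last hunk of that file), yet the definition in the next hunk of pf.c keeps external linkage. If pf.c is now its only caller, which the header removal suggests, it should be declared `static int pf_state_key_setup(struct pf_pdesc *, struct pf_state_key **, struct pf_state_key **, int);` here and defined `static` as well, so the symbol stops leaking into the kernel namespace. Otherwise the declaration belongs back in pfvar.h so other users are not left with an implicit declaration.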
@@ -826,10 +826,8 @@ pf_alloc_state_key(int pool_flags)
}
int
-pf_state_key_setup(struct pf_pdesc *pd,
- struct pf_state_key **skw, struct pf_state_key **sks,
- struct pf_addr **saddr, struct pf_addr **daddr,
- u_int16_t *sport, u_int16_t *dport, int rtableid)
+pf_state_key_setup(struct pf_pdesc *pd, struct pf_state_key **skw,
+ struct pf_state_key **sks, int rtableid)
{
/* if returning error we MUST pool_put state keys ourselves */
struct pf_state_key *sk1, *sk2;
@@ -848,18 +846,18 @@ pf_state_key_setup(struct pf_pdesc *pd,
if (rtableid >= 0)
wrdom = rtable_l2(rtableid);
- if (PF_ANEQ(*saddr, pd->src, pd->af) ||
- PF_ANEQ(*daddr, pd->dst, pd->af) ||
- *sport != pd->osport || *dport != pd->odport ||
+ if (PF_ANEQ(&pd->nsaddr, pd->src, pd->af) ||
+ PF_ANEQ(&pd->ndaddr, pd->dst, pd->af) ||
+ pd->nsport != pd->osport || pd->ndport != pd->odport ||
wrdom != pd->rdomain) { /* NAT */
if ((sk2 = pf_alloc_state_key(PR_NOWAIT | PR_ZERO)) == NULL) {
pool_put(&pf_state_key_pl, sk1);
return (ENOMEM);
}
- PF_ACPY(&sk2->addr[pd->sidx], *saddr, pd->af);
- PF_ACPY(&sk2->addr[pd->didx], *daddr, pd->af);
- sk2->port[pd->sidx] = *sport;
- sk2->port[pd->didx] = *dport;
+ PF_ACPY(&sk2->addr[pd->sidx], &pd->nsaddr, pd->af);
+ PF_ACPY(&sk2->addr[pd->didx], &pd->ndaddr, pd->af);
+ sk2->port[pd->sidx] = pd->nsport;
+ sk2->port[pd->didx] = pd->ndport;
sk2->proto = pd->proto;
sk2->af = pd->af;
sk2->rdomain = wrdom;
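Review bot: The NAT test and the sk2 fill at the top of this hunk now read pd->nsaddr, pd->ndaddr, pd->nsport and pd->ndport, but nothing in pf_state_key_setup() or at pdesc setup initialises those fields; the only writer visible in this commit is pf_test_rule(). That implicit ordering contract should be stated where the fields are consumed, e.g. above the `if (PF_ANEQ(&pd->nsaddr, ...)` line: `/* pd->ns{addr,port}/nd{addr,port} must already hold the post-NAT tuple; pf_test_rule() fills them before calling us */`. A caller that reaches this function without going through pf_test_rule() would otherwise compare against whatever happened to be in the pdesc. The function body starts and ends outside this hunk.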
@@ -2736,7 +2734,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
struct ifqueue *ifq)
{
struct pf_rule *lastr = NULL;
- struct pf_addr saddr, daddr;
sa_family_t af = pd->af;
struct pf_rule *r, *a = NULL;
struct pf_ruleset *ruleset = NULL;
@@ -2752,12 +2749,12 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
int asd = 0;
int match = 0;
int state_icmp = 0, icmp_dir, multi;
- u_int16_t sport, dport, virtual_type, virtual_id;
+ u_int16_t virtual_type, virtual_id;
u_int16_t bproto_sum = 0, bip_sum;
u_int8_t icmptype = 0, icmpcode = 0;
- PF_ACPY(&saddr, pd->src, pd->af);
- PF_ACPY(&daddr, pd->dst, pd->af);
+ PF_ACPY(&pd->nsaddr, pd->src, pd->af);
+ PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
bzero(&act, sizeof(act));
bzero(sns, sizeof(sns));
@@ -2771,13 +2768,13 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
switch (pd->proto) {
case IPPROTO_TCP:
- sport = th->th_sport;
- dport = th->th_dport;
+ pd->nsport = th->th_sport;
+ pd->ndport = th->th_dport;
hdrlen = sizeof(*th);
break;
case IPPROTO_UDP:
- sport = pd->hdr.udp->uh_sport;
- dport = pd->hdr.udp->uh_dport;
+ pd->nsport = pd->hdr.udp->uh_sport;
+ pd->ndport = pd->hdr.udp->uh_dport;
hdrlen = sizeof(*pd->hdr.udp);
break;
#ifdef INET
@@ -2790,11 +2787,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
state_icmp = pf_icmp_mapping(pd, icmptype,
&icmp_dir, &multi, &virtual_id, &virtual_type);
if (icmp_dir == PF_IN) {
- sport = virtual_id;
- dport = virtual_type;
+ pd->nsport = virtual_id;
+ pd->ndport = virtual_type;
} else {
- sport = virtual_type;
- dport = virtual_id;
+ pd->nsport = virtual_type;
+ pd->ndport = virtual_id;
}
break;
#endif /* INET */
@@ -2808,21 +2805,21 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
state_icmp = pf_icmp_mapping(pd, icmptype,
&icmp_dir, &multi, &virtual_id, &virtual_type);
if (icmp_dir == PF_IN) {
- sport = virtual_id;
- dport = virtual_type;
+ pd->nsport = virtual_id;
+ pd->ndport = virtual_type;
} else {
- sport = virtual_type;
- dport = virtual_id;
+ pd->nsport = virtual_type;
+ pd->ndport = virtual_id;
}
break;
#endif /* INET6 */
default:
- sport = dport = hdrlen = 0;
+ pd->nsport = pd->ndport = hdrlen = 0;
break;
}
- pd->osport = sport;
- pd->odport = dport;
+ pd->osport = pd->nsport;
+ pd->odport = pd->ndport;
r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr);
while (r != NULL) {
@@ -2835,19 +2832,19 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
r = r->skip[PF_SKIP_AF].ptr;
else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO].ptr;
- else if (PF_MISMATCHAW(&r->src.addr, &saddr, af,
+ else if (PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, af,
r->src.neg, kif, act.rtableid))
r = r->skip[PF_SKIP_SRC_ADDR].ptr;
/* tcp/udp only. port_op always 0 in other cases */
else if (r->src.port_op && !pf_match_port(r->src.port_op,
- r->src.port[0], r->src.port[1], sport))
+ r->src.port[0], r->src.port[1], pd->nsport))
r = r->skip[PF_SKIP_SRC_PORT].ptr;
- else if (PF_MISMATCHAW(&r->dst.addr, &daddr, af,
+ else if (PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, af,
r->dst.neg, NULL, act.rtableid))
r = r->skip[PF_SKIP_DST_ADDR].ptr;
/* tcp/udp only. port_op always 0 in other cases */
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
- r->dst.port[0], r->dst.port[1], dport))
+ r->dst.port[0], r->dst.port[1], pd->ndport))
r = r->skip[PF_SKIP_DST_PORT].ptr;
/* icmp only. type always 0 in other cases */
else if (r->type && r->type != icmptype + 1)
@@ -2902,9 +2899,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
/* order is irrelevant */
SLIST_INSERT_HEAD(&rules, ri, entry);
pf_rule_to_actions(r, &act);
- if (pf_get_transaddr(r, pd,
- &saddr, &sport, &daddr, &dport,
- sns) == -1) {
+ if (pf_get_transaddr(r, pd, sns) ==
+ -1) {
REASON_SET(&reason,
PFRES_MEMORY);
goto cleanup;
@@ -2934,8 +2930,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
/* apply actions for last matching rule */
if (lastr && lastr->action != PF_MATCH) {
pf_rule_to_actions(lastr, &act);
- if (pf_get_transaddr(lastr, pd, &saddr, &sport, &daddr,
- &dport, sns) == -1) {
+ if (pf_get_transaddr(lastr, pd, sns) == -1) {
REASON_SET(&reason, PFRES_MEMORY);
goto cleanup;
}
@@ -3024,9 +3019,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
goto cleanup;
}
- action = pf_create_state(r, a, pd, &skw, &sks, m,
- off, &saddr, sport, &daddr, dport, &rewrite, kif, sm, tag,
- bproto_sum, bip_sum, hdrlen, &rules, &act, sns);
+ action = pf_create_state(r, a, pd, &skw, &sks, m, off,
+ &rewrite, kif, sm, tag, bproto_sum, bip_sum, hdrlen,
+ &rules, &act, sns);
if (action != PF_PASS)
return (action);
@@ -3082,8 +3077,7 @@ cleanup:
static __inline int
pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd,
struct pf_state_key **skw, struct pf_state_key **sks, struct mbuf *m,
- int off, struct pf_addr *saddr, u_int16_t sport, struct pf_addr *daddr,
- u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
+ int off, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen,
struct pf_rule_slist *rules, struct pf_rule_actions *act,
struct pf_src_node *sns[PF_SN_MAX])
@@ -3199,8 +3193,7 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd,
}
s->direction = pd->dir;
- if (pf_state_key_setup(pd, skw, sks, &saddr, &daddr, &sport, &dport,
- act->rtableid)) {
+ if (pf_state_key_setup(pd, skw, sks, act->rtableid)) {
REASON_SET(&reason, PFRES_MEMORY);
goto csfailed;
}
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c
index 7e9bc93ebcd..b80ac0da564 100644
--- a/sys/net/pf_lb.c
+++ b/sys/net/pf_lb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_lb.c,v 1.12 2010/02/04 14:10:12 sthen Exp $ */
+/* $OpenBSD: pf_lb.c,v 1.13 2010/06/27 01:39:43 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -100,10 +100,9 @@
void pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
-int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
- struct pf_addr *, u_int16_t, struct pf_addr *,
- u_int16_t, struct pf_addr *, u_int16_t *,
- u_int16_t, u_int16_t, struct pf_src_node **, int);
+int pf_get_sport(struct pf_pdesc *, struct pf_rule *,
+ struct pf_addr *, u_int16_t *, u_int16_t,
+ u_int16_t, struct pf_src_node **);
#define mix(a,b,c) \
do { \
@@ -163,24 +162,22 @@ pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
}
int
-pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
- struct pf_addr *saddr, u_int16_t sport,
- struct pf_addr *daddr, u_int16_t dport,
+pf_get_sport(struct pf_pdesc *pd, struct pf_rule *r,
struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
- struct pf_src_node **sn, int rdomain)
+ struct pf_src_node **sn)
{
struct pf_state_key_cmp key;
struct pf_addr init_addr;
u_int16_t cut;
bzero(&init_addr, sizeof(init_addr));
- if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn, &r->nat,
+ if (pf_map_addr(pd->af, r, &pd->nsaddr, naddr, &init_addr, sn, &r->nat,
PF_SN_NAT))
return (1);
- if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) {
- if (dport == htons(ICMP6_ECHO_REQUEST) ||
- dport == htons(ICMP_ECHO)) {
+ if (pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6) {
+ if (pd->ndport == htons(ICMP6_ECHO_REQUEST) ||
+ pd->ndport == htons(ICMP_ECHO)) {
low = 1;
high = 65535;
} else
@@ -188,30 +185,30 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
}
do {
- key.af = af;
- key.proto = proto;
- key.rdomain = rdomain;
- PF_ACPY(&key.addr[0], daddr, key.af);
+ key.af = pd->af;
+ key.proto = pd->proto;
+ key.rdomain = pd->rdomain;
+ PF_ACPY(&key.addr[0], &pd->ndaddr, key.af);
PF_ACPY(&key.addr[1], naddr, key.af);
- key.port[0] = dport;
+ key.port[0] = pd->ndport;
/*
* port search; start random, step;
* similar 2 portloop in in_pcbbind
*/
- if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
- proto == IPPROTO_ICMP)) {
+ if (!(pd->proto == IPPROTO_TCP || pd->proto == IPPROTO_UDP ||
+ pd->proto == IPPROTO_ICMP)) {
/* XXX bug: icmp states dont use the id on both
* XXX sides (traceroute -I through nat) */
- key.port[1] = sport;
+ key.port[1] = pd->nsport;
if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
- *nport = sport;
+ *nport = pd->nsport;
return (0);
}
} else if (low == 0 && high == 0) {
- key.port[1] = sport;
+ key.port[1] = pd->nsport;
if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
- *nport = sport;
+ *nport = pd->nsport;
return (0);
}
} else if (low == high) {
@@ -234,7 +231,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
for (tmp = cut; tmp <= high; ++(tmp)) {
key.port[1] = htons(tmp);
if (pf_find_state_all(&key, PF_IN, NULL) ==
- NULL && !in_baddynamic(tmp, proto)) {
+ NULL && !in_baddynamic(tmp, pd->proto)) {
*nport = htons(tmp);
return (0);
}
@@ -242,7 +239,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
for (tmp = cut - 1; tmp >= low; --(tmp)) {
key.port[1] = htons(tmp);
if (pf_find_state_all(&key, PF_IN, NULL) ==
- NULL && !in_baddynamic(tmp, proto)) {
+ NULL && !in_baddynamic(tmp, pd->proto)) {
*nport = htons(tmp);
return (0);
}
@@ -252,8 +249,8 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
switch (r->nat.opts & PF_POOL_TYPEMASK) {
case PF_POOL_RANDOM:
case PF_POOL_ROUNDROBIN:
- if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn,
- &r->nat, PF_SN_NAT))
+ if (pf_map_addr(pd->af, r, &pd->nsaddr, naddr,
+ &init_addr, sn, &r->nat, PF_SN_NAT))
return (1);
break;
case PF_POOL_NONE:
@@ -262,7 +259,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
default:
return (1);
}
- } while (! PF_AEQ(&init_addr, naddr, af) );
+ } while (! PF_AEQ(&init_addr, naddr, pd->af) );
return (1); /* none available */
}
@@ -424,8 +421,7 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
}
int
-pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr,
- u_int16_t *sport, struct pf_addr *daddr, u_int16_t *dport,
+pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd,
struct pf_src_node **sns)
{
struct pf_addr naddr;
@@ -434,30 +430,29 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr,
if (r->nat.addr.type != PF_ADDR_NONE) {
/* XXX is this right? what if rtable is changed at the same
* XXX time? where do I need to figure out the sport? */
- if (pf_get_sport(pd->af, pd->proto, r, saddr, *sport,
- daddr, *dport, &naddr, &nport, r->nat.proxy_port[0],
- r->nat.proxy_port[1], sns, pd->rdomain)) {
+ if (pf_get_sport(pd, r, &naddr, &nport,
+ r->nat.proxy_port[0], r->nat.proxy_port[1], sns)) {
DPFPRINTF(LOG_NOTICE,
"pf: NAT proxy port allocation (%u-%u) failed",
r->nat.proxy_port[0],
r->nat.proxy_port[1]);
return (-1);
}
- PF_ACPY(saddr, &naddr, pd->af);
- *sport = nport;
+ PF_ACPY(&pd->nsaddr, &naddr, pd->af);
+ pd->nsport = nport;
}
if (r->rdr.addr.type != PF_ADDR_NONE) {
- if (pf_map_addr(pd->af, r, saddr, &naddr, NULL, sns, &r->rdr,
- PF_SN_RDR))
+ if (pf_map_addr(pd->af, r, &pd->nsaddr, &naddr, NULL, sns,
+ &r->rdr, PF_SN_RDR))
return (-1);
if ((r->rdr.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
PF_POOLMASK(&naddr, &naddr, &r->rdr.addr.v.a.mask,
- daddr, pd->af);
+ &pd->ndaddr, pd->af);
if (r->rdr.proxy_port[1]) {
u_int32_t tmp_nport;
- tmp_nport = ((ntohs(*dport) -
+ tmp_nport = ((ntohs(pd->ndport) -
ntohs(r->dst.port[0])) %
(r->rdr.proxy_port[1] -
r->rdr.proxy_port[0] + 1)) +
@@ -470,9 +465,9 @@ pf_get_transaddr(struct pf_rule *r, struct pf_pdesc *pd, struct pf_addr *saddr,
} else if (r->rdr.proxy_port[0])
nport = htons(r->rdr.proxy_port[0]);
- PF_ACPY(daddr, &naddr, pd->af);
+ PF_ACPY(&pd->ndaddr, &naddr, pd->af);
if (nport)
- *dport = nport;
+ pd->ndport = nport;
}
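Review bot: pf_get_transaddr() now commits the nat result into pd->nsaddr/pd->nsport before the rdr branch runs, so a `return (-1)` from the pf_map_addr() call in the rdr branch leaves the pdesc half-translated. The callers in pf_test_rule() jump to cleanup on -1, so this is harmless today, but since the pdesc outlives this function it deserves a note at the top of the function: `/* Updates pd->ns{addr,port} and pd->nd{addr,port} in place; on -1 they may already hold a partial translation, callers must not reuse the pdesc for matching */`. The closing brace of the function is outside the hunk.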
return (0);
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index c1093556d67..8c91ce7ca46 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.309 2010/05/07 13:33:16 claudio Exp $ */
+/* $OpenBSD: pfvar.h,v 1.310 2010/06/27 01:39:43 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1196,6 +1196,9 @@ struct pf_pdesc {
void *any;
} hdr;
+ struct pf_addr nsaddr; /* src address after NAT */
+ struct pf_addr ndaddr; /* dst address after NAT */
+
struct ether_header
*eh;
struct pf_addr *src; /* src address */
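Review bot: The comments on the four new pf_pdesc members ("src address after NAT", "src port after NAT", and the dst counterparts in the next hunk) do not say when the values are valid, and that is the one thing a reader of pf_state_key_setup() or pf_get_sport() needs to know. Suggest extending them, e.g. `struct pf_addr nsaddr; /* src address after NAT; valid once pf_test_rule() has set it */` and likewise for ndaddr, nsport and ndport, since the fields are not zeroed or populated at pdesc setup as far as this commit shows.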
@@ -1204,6 +1207,8 @@ struct pf_pdesc {
u_int16_t *dport;
u_int16_t osport;
u_int16_t odport;
+ u_int16_t nsport; /* src port after NAT */
+ u_int16_t ndport; /* dst port after NAT */
u_int32_t p_len; /* total length of payload */
@@ -1925,18 +1930,13 @@ int pf_step_out_of_anchor(int *, struct pf_ruleset **,
int *);
int pf_get_transaddr(struct pf_rule *, struct pf_pdesc *,
- struct pf_addr *, u_int16_t *, struct pf_addr *,
- u_int16_t *, struct pf_src_node **);
+ struct pf_src_node **);
int pf_map_addr(sa_family_t, struct pf_rule *,
struct pf_addr *, struct pf_addr *,
struct pf_addr *, struct pf_src_node **,
struct pf_pool *, enum pf_sn_types);
-int pf_state_key_setup(struct pf_pdesc *,
- struct pf_state_key **, struct pf_state_key **,
- struct pf_addr **, struct pf_addr **,
- u_int16_t *, u_int16_t *, int);
#endif /* _KERNEL */