summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2001-07-04 20:00:39 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2001-07-04 20:00:39 +0000
commite5e41f6e6dd3e9b8015b8cb087c9b26f27d5bcdd (patch)
treeb51c923c63846ec3d9e41edc3ddbec1a487c19a0
parent79eb346980d2d3d06201ab7e0955a9ef9d1e89ce (diff)
call ip_output() correctly, use ICMP_MINLEN, only m_copyback() where needed. ok deraadt@
-rw-r--r--sys/net/pf.c40
1 files changed, 16 insertions, 24 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 49c7a11ad29..0df1440c13a 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.97 2001/07/03 04:20:47 deraadt Exp $ */
+/* $OpenBSD: pf.c,v 1.98 2001/07/04 20:00:38 dhartmei Exp $ */
/*
* Copyright (c) 2001, Daniel Hartmeier
@@ -315,9 +315,8 @@ pf_tree_insert(struct pf_tree_node **n, struct pf_tree_node *p,
if (*n == NULL) {
*n = pool_get(&pf_tree_pl, PR_NOWAIT);
- if (*n == NULL) {
+ if (*n == NULL)
return (0);
- }
bcopy(key, &(*n)->key, sizeof(struct pf_tree_key));
(*n)->state = state;
(*n)->balance = 0;
@@ -1274,7 +1273,7 @@ pf_send_reset(struct ip *h, int off, struct tcphdr *th)
/* IP header fields included in the TCP checksum */
h2->ip_p = IPPROTO_TCP;
- h2->ip_len = htons(sizeof(struct tcphdr));
+ h2->ip_len = htons(sizeof(*th2));
h2->ip_src.s_addr = h->ip_dst.s_addr;
h2->ip_dst.s_addr = h->ip_src.s_addr;
@@ -1299,14 +1298,12 @@ pf_send_reset(struct ip *h, int off, struct tcphdr *th)
/* Finish the IP header */
h2->ip_v = 4;
- h2->ip_hl = sizeof(struct ip) >> 2;
- h2->ip_len = htons(len);
+ h2->ip_hl = sizeof(*h2) >> 2;
h2->ip_ttl = 128;
h2->ip_sum = 0;
-
- /* IP header checksum */
- h2->ip_sum = in_cksum(m, sizeof(struct ip));
- ip_output(m, NULL, NULL, 0, NULL);
+ h2->ip_len = len;
+ h2->ip_off = 0;
+ ip_output(m, NULL, NULL, 0, NULL, NULL);
}
void
@@ -1656,7 +1653,7 @@ pf_test_udp(int direction, struct ifnet *ifp, struct mbuf *m,
u_int16_t len;
struct pf_state *s;
- len = h->ip_len - off - 8;
+ len = h->ip_len - off - sizeof(*uh);
s = pool_get(&pf_state_pl, PR_NOWAIT);
if (s == NULL)
return (PF_DROP);
@@ -1764,12 +1761,12 @@ pf_test_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
u_int16_t id;
struct pf_state *s;
- len = h->ip_len - off - 8;
+ len = h->ip_len - off - ICMP_MINLEN;
id = ih->icmp_id;
s = pool_get(&pf_state_pl, PR_NOWAIT);
- if (s == NULL) {
+ if (s == NULL)
return (PF_DROP);
- }
+
s->rule = rm;
s->log = rm && (rm->log & 2);
s->proto = IPPROTO_ICMP;
@@ -1804,10 +1801,6 @@ pf_test_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
pf_insert_state(s);
}
- /* copy back packet headers if we performed NAT operations */
- if (rewrite)
- m_copyback(m, off, sizeof(*ih), (caddr_t)ih);
-
return (PF_PASS);
}
@@ -2014,7 +2007,7 @@ pf_test_state_udp(int direction, struct ifnet *ifp, struct mbuf *m,
s = pf_find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext,
&key);
if (s != NULL) {
- u_int16_t len = h->ip_len - off - 8;
+ u_int16_t len = h->ip_len - off - sizeof(*uh);
struct pf_state_peer *src, *dst;
if (direction == s->direction) {
@@ -2121,7 +2114,7 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
int ipoff2;
int off2;
- ipoff2 = off + 8; /* offset of h2 in mbuf chain */
+ ipoff2 = off + ICMP_MINLEN; /* offset of h2 in mbuf chain */
if (!pf_pull_hdr(ifp, m, 0, ipoff2, &h2, sizeof(h2), h,
NULL, NULL)) {
printf("pf: ICMP error message too short (ip)\n");
@@ -2198,7 +2191,6 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
* operations
*/
if (rewrite) {
- m_copyback(m, off, sizeof(*ih), (caddr_t)ih);
m_copyback(m, ipoff2, sizeof(h2),
(caddr_t)&h2);
m_copyback(m, off2, 8,
@@ -2253,7 +2245,6 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
* operations
*/
if (rewrite) {
- m_copyback(m, off, sizeof(*ih), (caddr_t)ih);
m_copyback(m, ipoff2, sizeof(h2),
(caddr_t)&h2);
m_copyback(m, off2, sizeof(uh),
@@ -2789,7 +2780,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
case IPPROTO_ICMP: {
struct icmp ih;
- if (!pf_pull_hdr(ifp, m, 0, off, &ih, sizeof(ih), h,
+ if (!pf_pull_hdr(ifp, m, 0, off, &ih, ICMP_MINLEN, h,
&action, &reason)) {
log = action != PF_PASS;
goto done;
@@ -2808,11 +2799,12 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
break;
}
-done:
if (ifp == status_ifp) {
pf_status.bcounters[dir] += h->ip_len;
pf_status.pcounters[dir][action]++;
}
+
+done:
if (log) {
struct pf_rule r0;