summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHenning Brauer <henning@cvs.openbsd.org>2013-06-05 00:56:36 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2013-06-05 00:56:36 +0000
commitb628c5aadd099f20ef722e0f3c67d63a241bab2d (patch)
treeb12f7c7b127421d6f82eb5ff6dc37c9cf6b003ea
parente9bbd641054badfebf5127a5572b4f342e0fbd1d (diff)
after the pf_test_state folding, in pf_test in the proto switch, the
udp and the default case are 100% identical, tcp does a little more, but that is easier to add w/ two "if tcp" blocks in the default case, so the udp and tcp cases die. ok bluhm
-rw-r--r--sys/net/pf.c58
1 files changed, 17 insertions, 41 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 55b4ffd01ac..494f844aa14 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.833 2013/06/04 19:07:59 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.834 2013/06/05 00:56:35 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -6643,46 +6643,6 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
break;
}
- case IPPROTO_TCP: {
- if ((pd.hdr.tcp->th_flags & TH_ACK) && pd.p_len == 0)
- pqid = 1;
- action = pf_normalize_tcp(&pd);
- if (action == PF_DROP)
- goto done;
- action = pf_test_state(&pd, &s, &reason);
- if (action == PF_PASS || action == PF_AFRT) {
-#if NPFSYNC > 0
- pfsync_update_state(s);
-#endif /* NPFSYNC */
- r = s->rule.ptr;
- a = s->anchor.ptr;
- pd.pflog |= s->log;
- } else if (s == NULL)
- action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
-
- if (s) {
- if (s->max_mss)
- pf_normalize_mss(&pd, s->max_mss);
- } else if (r->max_mss)
- pf_normalize_mss(&pd, r->max_mss);
-
- break;
- }
-
- case IPPROTO_UDP: {
- action = pf_test_state(&pd, &s, &reason);
- if (action == PF_PASS || action == PF_AFRT) {
-#if NPFSYNC > 0
- pfsync_update_state(s);
-#endif /* NPFSYNC */
- r = s->rule.ptr;
- a = s->anchor.ptr;
- pd.pflog |= s->log;
- } else if (s == NULL)
- action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
- break;
- }
-
case IPPROTO_ICMP: {
if (pd.af != AF_INET) {
action = PF_DROP;
@@ -6728,6 +6688,13 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
#endif /* INET6 */
default:
+ if (pd.virtual_proto == IPPROTO_TCP) {
+ if ((pd.hdr.tcp->th_flags & TH_ACK) && pd.p_len == 0)
+ pqid = 1;
+ action = pf_normalize_tcp(&pd);
+ if (action == PF_DROP)
+ goto done;
+ }
action = pf_test_state(&pd, &s, &reason);
if (action == PF_PASS || action == PF_AFRT) {
#if NPFSYNC > 0
@@ -6738,6 +6705,15 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
pd.pflog |= s->log;
} else if (s == NULL)
action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
+
+ if (pd.virtual_proto == IPPROTO_TCP) {
+ if (s) {
+ if (s->max_mss)
+ pf_normalize_mss(&pd, s->max_mss);
+ } else if (r->max_mss)
+ pf_normalize_mss(&pd, r->max_mss);
+ }
+
break;
}