diff options
| author | Henning Brauer <henning@cvs.openbsd.org> | 2012-09-18 10:11:54 +0000 |
|---|---|---|
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2012-09-18 10:11:54 +0000 |
| commit | 5cbfd54d42fca4aae4acd938c65ea1462689056e (patch) | |
| tree | cd21cf7c5166aa9ed1a3882488e060208a8ad522 | |
| parent | 44e67610ead05537f054eb6709008a692dfd8021 (diff) | |
prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates wether the prio
should be set. ok benno claudio mikeb
| -rw-r--r-- | sbin/pfctl/parse.y | 11 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_parser.c | 7 | ||||
| -rw-r--r-- | sys/net/pf.c | 23 | ||||
| -rw-r--r-- | sys/net/pf_ioctl.c | 9 | ||||
| -rw-r--r-- | sys/net/pfvar.h | 5 | ||||
| -rw-r--r-- | usr.sbin/ftp-proxy/filter.c | 3 | ||||
| -rw-r--r-- | usr.sbin/relayd/pfe_filter.c | 3 |
7 files changed, 27 insertions, 34 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index b8c54d361a3..32ef212819b 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.618 2012/07/10 09:29:36 bluhm Exp $ */ +/* $OpenBSD: parse.y,v 1.619 2012/09/18 10:11:52 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -892,8 +892,8 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto if ($9.marker & FOM_SETPRIO) { r.set_prio[0] = $9.set_prio[0]; r.set_prio[1] = $9.set_prio[1]; - } else - r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET; + r.scrub_flags |= PFSTATE_SETPRIO; + } decide_address_family($8.src.host, &r.af); decide_address_family($8.dst.host, &r.af); @@ -1025,7 +1025,6 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { r.logif = $2.logif; r.quick = $2.quick; r.af = $4; - r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET; if (rule_label(&r, $5.label)) YYERROR; r.rtableid = $5.rtableid; @@ -1710,8 +1709,8 @@ pfrule : action dir logquick interface af proto fromto if ($8.marker & FOM_SETPRIO) { r.set_prio[0] = $8.set_prio[0]; r.set_prio[1] = $8.set_prio[1]; - } else - r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET; + r.scrub_flags |= PFSTATE_SETPRIO; + } if ($8.marker & FOM_ONCE) r.rule_flag |= PFRULE_ONCE; if ($8.marker & FOM_AFTO) diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index e247b62eded..5b81642b5e8 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.c,v 1.289 2012/07/10 09:39:26 henning Exp $ */ +/* $OpenBSD: pfctl_parser.c,v 1.290 2012/09/18 10:11:53 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -843,11 +843,10 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts) if (r->tos) printf(" tos 0x%2.2x", r->tos); - if (r->set_prio[0] != PF_PRIO_NOTSET || - r->scrub_flags & PFSTATE_SETTOS) { + if (r->scrub_flags & PFSTATE_SETMASK) { char *comma = ""; printf(" set ("); - if (r->set_prio[0] != PF_PRIO_NOTSET) { + if (r->scrub_flags & PFSTATE_SETPRIO) { if (r->set_prio[0] == r->set_prio[1]) printf("%s prio %u", comma, r->set_prio[0]); else diff --git a/sys/net/pf.c b/sys/net/pf.c index 16330ca7cf6..de049198099 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.810 2012/08/30 11:43:36 mikeb Exp $ */ +/* $OpenBSD: pf.c,v 1.811 2012/09/18 10:11:53 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2524,7 +2524,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af, m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; m->m_pkthdr.pf.tag = rtag; m->m_pkthdr.rdomain = rdom; - if (r && r->set_prio[0] != PF_PRIO_NOTSET) + if (r && (r->scrub_flags & PFSTATE_SETPRIO)) m->m_pkthdr.pf.prio = r->set_prio[0]; #ifdef ALTQ @@ -2648,7 +2648,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; m0->m_pkthdr.rdomain = rdomain; - if (r && r->set_prio[0] != PF_PRIO_NOTSET) + if (r && (r->scrub_flags & PFSTATE_SETPRIO)) m0->m_pkthdr.pf.prio = r->set_prio[0]; #ifdef ALTQ @@ -3277,11 +3277,9 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a) if (r->max_mss) a->max_mss = r->max_mss; a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID| - PFSTATE_SETTOS|PFSTATE_SCRUB_TCP)); - if (r->set_prio[0] != PF_PRIO_NOTSET) - a->set_prio[0] = r->set_prio[0]; - if (r->set_prio[1] != PF_PRIO_NOTSET) - a->set_prio[1] = r->set_prio[1]; + PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO)); + a->set_prio[0] = r->set_prio[0]; + a->set_prio[1] = r->set_prio[1]; } #define PF_TEST_ATTRIB(t, a) \ @@ -3317,7 +3315,6 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, u_int8_t icmptype = 0, icmpcode = 0; bzero(&act, sizeof(act)); - act.set_prio[0] = act.set_prio[1] = PF_PRIO_NOTSET; bzero(sns, sizeof(sns)); act.rtableid = pd->rdomain; SLIST_INIT(&rules); @@ -6887,11 +6884,11 @@ done: pf_tag_packet(pd.m, s->tag, s->rtableid[pd.didx]); if (pqid || (pd.tos & IPTOS_LOWDELAY)) { qid = s->pqid; - if (s->set_prio[1] != PF_PRIO_NOTSET) + if (s->state_flags & PFSTATE_SETPRIO) pd.m->m_pkthdr.pf.prio = s->set_prio[1]; } else { qid = s->qid; - if (s->set_prio[0] != PF_PRIO_NOTSET) + if (s->state_flags & PFSTATE_SETPRIO) pd.m->m_pkthdr.pf.prio = s->set_prio[0]; } } else { @@ -6899,11 +6896,11 @@ done: r->set_tos); if (pqid || (pd.tos & IPTOS_LOWDELAY)) { qid = r->pqid; - if (r->set_prio[1] != PF_PRIO_NOTSET) + if (r->scrub_flags & PFSTATE_SETPRIO) pd.m->m_pkthdr.pf.prio = r->set_prio[1]; } else { qid = r->qid; - if (r->set_prio[0] != PF_PRIO_NOTSET) + if (r->scrub_flags & PFSTATE_SETPRIO) pd.m->m_pkthdr.pf.prio = r->set_prio[0]; } } diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 943c97a1a4b..4b71d1a7d6c 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.253 2012/07/08 07:58:09 henning Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.254 2012/09/18 10:11:53 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1088,10 +1088,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; if (rule->rt && !rule->direction) error = EINVAL; - if ((rule->set_prio[0] != PF_PRIO_NOTSET && - rule->set_prio[0] > IFQ_MAXPRIO) || - (rule->set_prio[1] != PF_PRIO_NOTSET && - rule->set_prio[1] > IFQ_MAXPRIO)) + if (rule->scrub_flags & PFSTATE_SETPRIO && + (rule->set_prio[0] > IFQ_MAXPRIO || + rule->set_prio[1] > IFQ_MAXPRIO)) error = EINVAL; if (error) { diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 8ea5fa2eb20..9f6f186edd7 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.367 2012/07/26 12:25:31 mikeb Exp $ */ +/* $OpenBSD: pfvar.h,v 1.368 2012/09/18 10:11:53 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -648,7 +648,6 @@ struct pf_rule { #define PF_FLUSH 0x01 #define PF_FLUSH_GLOBAL 0x02 u_int8_t flush; -#define PF_PRIO_NOTSET 0xff u_int8_t set_prio[2]; sa_family_t naf; @@ -840,7 +839,9 @@ struct pf_state { #define PFSTATE_SETTOS 0x0040 #define PFSTATE_RANDOMID 0x0080 #define PFSTATE_SCRUB_TCP 0x0100 +#define PFSTATE_SETPRIO 0x0200 #define PFSTATE_SCRUBMASK (PFSTATE_NODF|PFSTATE_RANDOMID|PFSTATE_SCRUB_TCP) +#define PFSTATE_SETMASK (PFSTATE_SETTOS|PFSTATE_SETPRIO) u_int8_t log; u_int8_t timeout; u_int8_t sync_state; /* PFSYNC_S_x */ diff --git a/usr.sbin/ftp-proxy/filter.c b/usr.sbin/ftp-proxy/filter.c index 2709ee66683..25ecc8208b9 100644 --- a/usr.sbin/ftp-proxy/filter.c +++ b/usr.sbin/ftp-proxy/filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: filter.c,v 1.19 2012/07/07 16:24:32 henning Exp $ */ +/* $OpenBSD: filter.c,v 1.20 2012/09/18 10:11:53 henning Exp $ */ /* * Copyright (c) 2004, 2005 Camiel Dobbelaar, <cd@sentia.nl> @@ -207,7 +207,6 @@ prepare_rule(u_int32_t id, struct sockaddr *src, pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK; pfr.rule.nat.addr.type = PF_ADDR_NONE; pfr.rule.rdr.addr.type = PF_ADDR_NONE; - pfr.rule.set_prio[0] = pfr.rule.set_prio[1] = PF_PRIO_NOTSET; if (src->sa_family == AF_INET) { memcpy(&pfr.rule.src.addr.v.a.addr.v4, diff --git a/usr.sbin/relayd/pfe_filter.c b/usr.sbin/relayd/pfe_filter.c index 07244bd8e1e..0cafed503c7 100644 --- a/usr.sbin/relayd/pfe_filter.c +++ b/usr.sbin/relayd/pfe_filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfe_filter.c,v 1.49 2012/07/07 16:24:32 henning Exp $ */ +/* $OpenBSD: pfe_filter.c,v 1.50 2012/09/18 10:11:53 henning Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -440,7 +440,6 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable) rio.rule.dst.port[1] = address->port.val[1]; rio.rule.rtableid = -1; /* stay in the main routing table */ rio.rule.onrdomain = getrtable(); - rio.rule.set_prio[0] = rio.rule.set_prio[1] = PF_PRIO_NOTSET; if (rio.rule.proto == IPPROTO_TCP) rio.rule.timeout[PFTM_TCP_ESTABLISHED] = |