summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2016-11-21 15:23:19 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2016-11-21 15:23:19 +0000
commit951badd8f33bc4ad3cc5ae5e63cf2bd576255fe2 (patch)
treec7aa01ce018fa1ed688b1012d3e9b54a314ba7cf /sys/net/pf.c
parent0409e24cb6854207013009c5b3ed0f34bc7307eb (diff)
In pf_route() and pf_route6() the !r->rt case was only used by
af-to. pf_route6() called ip6_output() to do the work while pf_route() had some custom implementation for that. It is simpler to call ip_output() or ip6_output() from pf_test() directly. OK procter@ sashan@
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r--sys/net/pf.c92
1 files changed, 43 insertions, 49 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index b8e2a6fb7bf..65652bd06e3 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.999 2016/11/17 13:17:32 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1000 2016/11/21 15:23:18 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5820,50 +5820,34 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
dst->sin_addr = ip->ip_dst;
rtableid = m0->m_pkthdr.ph_rtableid;
- if (!r->rt) {
- rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid);
- if (rt == NULL) {
- ipstat_inc(ips_noroute);
+ if (s == NULL) {
+ bzero(sns, sizeof(sns));
+ if (pf_map_addr(AF_INET, r,
+ (struct pf_addr *)&ip->ip_src,
+ &naddr, NULL, sns, &r->route, PF_SN_ROUTE)) {
+ DPFPRINTF(LOG_ERR,
+ "pf_route: pf_map_addr() failed.");
goto bad;
}
- ifp = if_get(rt->rt_ifidx);
-
- if (rt->rt_flags & RTF_GATEWAY)
- dst = satosin(rt->rt_gateway);
-
- m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
+ if (!PF_AZERO(&naddr, AF_INET))
+ dst->sin_addr.s_addr = naddr.v4.s_addr;
+ ifp = r->route.kif ?
+ r->route.kif->pfik_ifp : NULL;
} else {
- if (s == NULL) {
- bzero(sns, sizeof(sns));
- if (pf_map_addr(AF_INET, r,
- (struct pf_addr *)&ip->ip_src,
- &naddr, NULL, sns, &r->route, PF_SN_ROUTE)) {
- DPFPRINTF(LOG_ERR,
- "pf_route: pf_map_addr() failed.");
- goto bad;
- }
-
- if (!PF_AZERO(&naddr, AF_INET))
- dst->sin_addr.s_addr = naddr.v4.s_addr;
- ifp = r->route.kif ?
- r->route.kif->pfik_ifp : NULL;
- } else {
- if (!PF_AZERO(&s->rt_addr, AF_INET))
- dst->sin_addr.s_addr =
- s->rt_addr.v4.s_addr;
- ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
- }
-
- rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid);
- if (rt == NULL) {
- ipstat_inc(ips_noroute);
- goto bad;
- }
+ if (!PF_AZERO(&s->rt_addr, AF_INET))
+ dst->sin_addr.s_addr =
+ s->rt_addr.v4.s_addr;
+ ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
}
if (ifp == NULL)
goto bad;
+ rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid);
+ if (rt == NULL) {
+ ipstat_inc(ips_noroute);
+ goto bad;
+ }
if (pd->kif->pfik_ifp != ifp) {
if (pf_test(AF_INET, PF_OUT, ifp, &m0) != PF_PASS)
@@ -5928,8 +5912,6 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
done:
if (r->rt != PF_DUPTO)
pd->m = NULL;
- if (!r->rt)
- if_put(ifp);
rtfree(rt);
return;
@@ -5982,12 +5964,6 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
dst->sin6_addr = ip6->ip6_dst;
rtableid = m0->m_pkthdr.ph_rtableid;
- if (!r->rt) {
- m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
- ip6_output(m0, NULL, NULL, 0, NULL, NULL);
- goto done;
- }
-
if (s == NULL) {
bzero(sns, sizeof(sns));
if (pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
@@ -6916,10 +6892,28 @@ done:
action = PF_DROP;
break;
}
- if (pd.naf == AF_INET)
- pf_route(&pd, r, s);
- if (pd.naf == AF_INET6)
- pf_route6(&pd, r, s);
+ if (r->rt) {
+ switch (pd.naf) {
+ case AF_INET:
+ pf_route(&pd, r, s);
+ break;
+ case AF_INET6:
+ pf_route6(&pd, r, s);
+ break;
+ }
+ }
+ if (pd.m) {
+ pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
+ switch (pd.naf) {
+ case AF_INET:
+ ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
+ break;
+ case AF_INET6:
+ ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
+ break;
+ }
+ pd.m = NULL;
+ }
action = PF_PASS;
break;
#endif /* INET6 */