diff options
author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2016-11-21 15:23:19 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2016-11-21 15:23:19 +0000 |
commit | 951badd8f33bc4ad3cc5ae5e63cf2bd576255fe2 (patch) | |
tree | c7aa01ce018fa1ed688b1012d3e9b54a314ba7cf /sys/net/pf.c | |
parent | 0409e24cb6854207013009c5b3ed0f34bc7307eb (diff) |
In pf_route() and pf_route6() the !r->rt case was only used by
af-to. pf_route6() called ip6_output() to do the work while
pf_route() had some custom implementation for that. It is simpler
to call ip_output() or ip6_output() from pf_test() directly.
OK procter@ sashan@
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r-- | sys/net/pf.c | 92 |
1 files changed, 43 insertions, 49 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index b8e2a6fb7bf..65652bd06e3 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.999 2016/11/17 13:17:32 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.1000 2016/11/21 15:23:18 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -5820,50 +5820,34 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s) dst->sin_addr = ip->ip_dst; rtableid = m0->m_pkthdr.ph_rtableid; - if (!r->rt) { - rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid); - if (rt == NULL) { - ipstat_inc(ips_noroute); + if (s == NULL) { + bzero(sns, sizeof(sns)); + if (pf_map_addr(AF_INET, r, + (struct pf_addr *)&ip->ip_src, + &naddr, NULL, sns, &r->route, PF_SN_ROUTE)) { + DPFPRINTF(LOG_ERR, + "pf_route: pf_map_addr() failed."); goto bad; } - ifp = if_get(rt->rt_ifidx); - - if (rt->rt_flags & RTF_GATEWAY) - dst = satosin(rt->rt_gateway); - - m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; + if (!PF_AZERO(&naddr, AF_INET)) + dst->sin_addr.s_addr = naddr.v4.s_addr; + ifp = r->route.kif ? + r->route.kif->pfik_ifp : NULL; } else { - if (s == NULL) { - bzero(sns, sizeof(sns)); - if (pf_map_addr(AF_INET, r, - (struct pf_addr *)&ip->ip_src, - &naddr, NULL, sns, &r->route, PF_SN_ROUTE)) { - DPFPRINTF(LOG_ERR, - "pf_route: pf_map_addr() failed."); - goto bad; - } - - if (!PF_AZERO(&naddr, AF_INET)) - dst->sin_addr.s_addr = naddr.v4.s_addr; - ifp = r->route.kif ? - r->route.kif->pfik_ifp : NULL; - } else { - if (!PF_AZERO(&s->rt_addr, AF_INET)) - dst->sin_addr.s_addr = - s->rt_addr.v4.s_addr; - ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; - } - - rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid); - if (rt == NULL) { - ipstat_inc(ips_noroute); - goto bad; - } + if (!PF_AZERO(&s->rt_addr, AF_INET)) + dst->sin_addr.s_addr = + s->rt_addr.v4.s_addr; + ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; } if (ifp == NULL) goto bad; + rt = rtalloc(sintosa(dst), RT_RESOLVE, rtableid); + if (rt == NULL) { + ipstat_inc(ips_noroute); + goto bad; + } if (pd->kif->pfik_ifp != ifp) { if (pf_test(AF_INET, PF_OUT, ifp, &m0) != PF_PASS) @@ -5928,8 +5912,6 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s) done: if (r->rt != PF_DUPTO) pd->m = NULL; - if (!r->rt) - if_put(ifp); rtfree(rt); return; @@ -5982,12 +5964,6 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s) dst->sin6_addr = ip6->ip6_dst; rtableid = m0->m_pkthdr.ph_rtableid; - if (!r->rt) { - m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; - ip6_output(m0, NULL, NULL, 0, NULL, NULL); - goto done; - } - if (s == NULL) { bzero(sns, sizeof(sns)); if (pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, @@ -6916,10 +6892,28 @@ done: action = PF_DROP; break; } - if (pd.naf == AF_INET) - pf_route(&pd, r, s); - if (pd.naf == AF_INET6) - pf_route6(&pd, r, s); + if (r->rt) { + switch (pd.naf) { + case AF_INET: + pf_route(&pd, r, s); + break; + case AF_INET6: + pf_route6(&pd, r, s); + break; + } + } + if (pd.m) { + pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; + switch (pd.naf) { + case AF_INET: + ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0); + break; + case AF_INET6: + ip6_output(pd.m, NULL, NULL, 0, NULL, NULL); + break; + } + pd.m = NULL; + } action = PF_PASS; break; #endif /* INET6 */ |