author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2001-12-01 19:11:42 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2001-12-01 19:11:42 +0000 |
commit | afb17db562a8a1e79ce3443e80f84b9bc997e809 (patch) | |
tree | 78b0bd9e5c28c2eea68c1a0f70bc370e4e03fc29 /sys/net/pf.c | |
parent | 7aea70daa6990e11bf8dbfab21885771156c64e4 (diff) |
217 lines of diff for KNF, dhartmei, you are evil
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r-- | sys/net/pf.c | 120 |
1 files changed, 59 insertions, 61 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index bdffc69942e..2ded26a3030 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.174 2001/11/30 17:01:54 jasoni Exp $ */ +/* $OpenBSD: pf.c,v 1.175 2001/12/01 19:11:41 deraadt Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -178,7 +178,7 @@ void pf_addrcpy(struct pf_addr *, struct pf_addr *, int pf_compare_rules(struct pf_rule *, struct pf_rule *); int pf_compare_nats(struct pf_nat *, struct pf_nat *); -int pf_compare_binats(struct pf_binat *, +int pf_compare_binats(struct pf_binat *, struct pf_binat *); int pf_compare_rdrs(struct pf_rdr *, struct pf_rdr *); void pf_tree_rotate_left(struct pf_tree_node **); @@ -344,7 +344,7 @@ pf_tree_key_compare(struct pf_tree_key *a, struct pf_tree_key *b) break; #endif /* INET6 */ } - + if ((diff = a->port[0] - b->port[0]) != 0) return (diff); if ((diff = a->port[1] - b->port[1]) != 0) @@ -369,7 +369,7 @@ pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, u_int8_t af) dst->addr32[2] = src->addr32[2]; dst->addr32[3] = src->addr32[3]; break; - } + } } #endif @@ -850,7 +850,7 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, u_int8_t af) printf("%u.%u.%u.%u:%u", (a>>24)&255, (a>>16)&255, (a>>8)&255, a&255, p); break; - } + } #endif /* INET */ #ifdef INET6 case AF_INET6: { @@ -877,7 +877,7 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, u_int8_t af) for (i = 0; i < 8; i++) { if (i >= maxstart && i <= maxend) { if (maxend != 7) { - if (i == maxstart) + if (i == maxstart) printf(":"); } else { if (i == maxend) @@ -1488,7 +1488,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) TAILQ_INSERT_BEFORE(oldnat, newnat, entries); else TAILQ_INSERT_AFTER(pf_nats_active, oldnat, - newnat, entries); + newnat, entries); } ticket_nats_active++; 
@@ -1684,11 +1684,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) entries); else if (pcn->action == PF_CHANGE_ADD_HEAD || pcn->action == PF_CHANGE_ADD_BEFORE) - TAILQ_INSERT_BEFORE(oldbinat, newbinat, + TAILQ_INSERT_BEFORE(oldbinat, newbinat, entries); else TAILQ_INSERT_AFTER(pf_binats_active, oldbinat, - newbinat, entries); + newbinat, entries); } ticket_binats_active++; @@ -1886,7 +1886,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) TAILQ_INSERT_BEFORE(oldrdr, newrdr, entries); else TAILQ_INSERT_AFTER(pf_rdrs_active, oldrdr, - newrdr, entries); + newrdr, entries); } ticket_rdrs_active++; @@ -2025,7 +2025,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) PF_ACPY(&key.addr[0], &pnl->daddr, pnl->af); key.port[0] = pnl->dport; - if (!pnl->proto || + if (!pnl->proto || PF_AZERO(&pnl->saddr, pnl->af) || PF_AZERO(&pnl->daddr, pnl->af) || !pnl->dport || !pnl->sport) @@ -2133,7 +2133,7 @@ pf_calc_skip_steps(struct pf_rulequeue *rules) PF_AEQ(&s->src.mask, &r->src.mask, r->af) && s->src.not == r->src.not); PF_CALC_SKIP_STEP(PF_SKIP_SRC_PORT, - s->src.port[0] == r->src.port[0] && + s->src.port[0] == r->src.port[0] && s->src.port[1] == r->src.port[1] && s->src.port_op == r->src.port_op); PF_CALC_SKIP_STEP(PF_SKIP_DST_ADDR, @@ -2201,9 +2201,9 @@ pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, ao.addr16[3], an->addr16[3], u), ao.addr16[4], an->addr16[4], u), ao.addr16[5], an->addr16[5], u), - ao.addr16[6], an->addr16[6], u), + ao.addr16[6], an->addr16[6], u), ao.addr16[7], an->addr16[7], u), - po, pn, u); + po, pn, u); break; #endif /* INET6 */ } @@ -2223,7 +2223,7 @@ pf_change_a(u_int32_t *a, u_int16_t *c, u_int32_t an, u_int8_t u) void pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) { - struct pf_addr ao; + struct pf_addr ao; PF_ACPY(&ao, a, AF_INET6); PF_ACPY(a, an, AF_INET6); 
@@ -2237,7 +2237,7 @@ pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) ao.addr16[3], an->addr16[3], u), ao.addr16[4], an->addr16[4], u), ao.addr16[5], an->addr16[5], u), - ao.addr16[6], an->addr16[6], u), + ao.addr16[6], an->addr16[6], u), ao.addr16[7], an->addr16[7], u); } #endif /* INET6 */ @@ -2287,7 +2287,7 @@ pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, oia.addr16[3], ia->addr16[3], u), oia.addr16[4], ia->addr16[4], u), oia.addr16[5], ia->addr16[5], u), - oia.addr16[6], ia->addr16[6], u), + oia.addr16[6], ia->addr16[6], u), oia.addr16[7], ia->addr16[7], u); break; #endif /* INET6 */ @@ -2314,7 +2314,7 @@ pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, ooa.addr16[3], oa->addr16[3], u), ooa.addr16[4], oa->addr16[4], u), ooa.addr16[5], oa->addr16[5], u), - ooa.addr16[6], oa->addr16[6], u), + ooa.addr16[6], oa->addr16[6], u), ooa.addr16[7], oa->addr16[7], u); break; #endif /* INET6 */ @@ -2388,7 +2388,7 @@ pf_send_reset(int off, struct tcphdr *th, struct pf_pdesc *pd, int af) h2_6->ip6_nxt = IPPROTO_TCP; h2_6->ip6_plen = htons(sizeof(*th2)); memcpy(&h2_6->ip6_src, pd->dst, sizeof(struct in6_addr)); - memcpy(&h2_6->ip6_dst, pd->src, sizeof(struct in6_addr)); + memcpy(&h2_6->ip6_dst, pd->src, sizeof(struct in6_addr)); th2 = (struct tcphdr *)((caddr_t)h2_6 + sizeof(struct ip6_hdr)); break; 
@@ -2491,18 +2491,18 @@ pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, #endif /* INET */ #ifdef INET6 case AF_INET6: - if (((a->addr32[0] & m->addr32[0]) == - (b->addr32[0] & m->addr32[0])) && - ((a->addr32[1] & m->addr32[1]) == - (b->addr32[1] & m->addr32[1])) && - ((a->addr32[2] & m->addr32[2]) == - (b->addr32[2] & m->addr32[2])) && - ((a->addr32[3] & m->addr32[3]) == - (b->addr32[3] & m->addr32[3]))) + if (((a->addr32[0] & m->addr32[0]) == + (b->addr32[0] & m->addr32[0])) && + ((a->addr32[1] & m->addr32[1]) == + (b->addr32[1] & m->addr32[1])) && + ((a->addr32[2] & m->addr32[2]) == + (b->addr32[2] & m->addr32[2])) && + ((a->addr32[3] & m->addr32[3]) == + (b->addr32[3] & m->addr32[3]))) match++; break; #endif /* INET6 */ - } + } if (match) { if (n) return (0); @@ -2668,7 +2668,7 @@ pf_get_binat(int direction, struct ifnet *ifp, u_int8_t proto, struct pf_addr *saddr, struct pf_addr *daddr, int af) { struct pf_binat *b, *bm = NULL; - struct pf_addr fullmask; + struct pf_addr fullmask; memset(&fullmask, 0xff, sizeof(fullmask)); @@ -2680,7 +2680,7 @@ pf_get_binat(int direction, struct ifnet *ifp, u_int8_t proto, PF_MATCHA(0, &b->saddr, &fullmask, saddr, af) && PF_MATCHA(b->dnot, &b->daddr, &b->dmask, daddr, af)) bm = b; - else if (direction == PF_IN && b->ifp == ifp && + else if (direction == PF_IN && b->ifp == ifp && (!b->proto || b->proto == proto) && (!b->af || b->af == af) && PF_MATCHA(0, &b->raddr, &fullmask, saddr, af) && @@ -2856,7 +2856,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, } if ((*rm)->rule_flag & PFRULE_RETURNRST) pf_send_reset(off, th, pd, af); - else + else pf_send_icmp(m, (*rm)->return_icmp >> 8, (*rm)->return_icmp & 255, af); } 
@@ -2993,7 +2993,7 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, } } else { /* check incoming packet for RDR */ - if ((rdr = pf_get_rdr(ifp, IPPROTO_UDP, saddr, daddr, + if ((rdr = pf_get_rdr(ifp, IPPROTO_UDP, saddr, daddr, uh->uh_dport, af)) != NULL) { bport = uh->uh_dport; if (rdr->opts & PF_RPORT_RANGE) @@ -3033,11 +3033,11 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, r = r->skip[PF_SKIP_PROTO]; else if (!PF_AZERO(&r->src.mask, af) && !PF_MATCHA(r->src.not, &r->src.addr, &r->src.mask, - saddr, af)) + saddr, af)) r = r->skip[PF_SKIP_SRC_ADDR]; else if (r->src.port_op && !pf_match_port(r->src.port_op, - r->src.port[0], r->src.port[1], uh->uh_sport)) - r = r->skip[PF_SKIP_SRC_PORT]; + r->src.port[0], r->src.port[1], uh->uh_sport)) + r = r->skip[PF_SKIP_SRC_PORT]; else if (!PF_AZERO(&r->dst.mask, af) && !PF_MATCHA(r->dst.not, &r->dst.addr, &r->dst.mask, daddr, af)) @@ -3076,7 +3076,6 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, &uh->uh_sum, &baddr, bport, 1, af); rewrite++; - } pf_send_icmp(m, (*rm)->return_icmp >> 8, (*rm)->return_icmp & 255, af); @@ -3325,7 +3324,7 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp, s->gwy.port = icmpid; PF_ACPY(&s->ext.addr, daddr, af); s->ext.port = icmpid; - if (nat != NULL || binat != NULL) + if (nat != NULL || binat != NULL) PF_ACPY(&s->lan.addr, &baddr, af); else PF_ACPY(&s->lan.addr, &s->gwy.addr, af); @@ -3934,7 +3933,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, pd2.af = pd->af; switch (pd->af) { #ifdef INET - case AF_INET: + case AF_INET: /* offset of h2 in mbuf chain */ ipoff2 = off + ICMP_MINLEN; 
@@ -3959,10 +3958,10 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, #endif /* INET */ #ifdef INET6 case AF_INET6: - ipoff2 = off + sizeof(struct icmp6_hdr); + ipoff2 = off + sizeof(struct icmp6_hdr); if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), - NULL, NULL, pd2.af)) { + NULL, NULL, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: ICMP error message too short (ip6)\n")); return (PF_DROP); @@ -3972,9 +3971,9 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; pd2.ip_sum = NULL; off2 = ipoff2 + sizeof(h2_6); - do { + do { switch (pd2.proto) { - case IPPROTO_FRAGMENT: + case IPPROTO_FRAGMENT: /* XXX we don't handle fagments yet */ return (PF_DROP); case IPPROTO_AH: @@ -4003,7 +4002,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, break; #endif /* INET6 */ } - + switch (pd2.proto) { case IPPROTO_TCP: { struct tcphdr th; @@ -4133,7 +4132,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, pd2.ip_sum, icmpsum, pd->ip_sum, 1, pd2.af); } else { - pf_change_icmp(pd2.dst, &uh.uh_dport, + pf_change_icmp(pd2.dst, &uh.uh_dport, saddr, &(*state)->gwy.addr, (*state)->gwy.port, &uh.uh_sum, pd2.ip_sum, icmpsum, @@ -4310,13 +4309,13 @@ pf_pull_hdr(struct mbuf *m, int off, void *p, int len, #endif /* INET */ #ifdef INET6 case AF_INET6: { - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); + struct ip6_hdr *h = mtod(m, struct ip6_hdr *); if (m->m_pkthdr.len < off + len || (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < off + len) { - ACTION_SET(actionp, PF_DROP); - REASON_SET(reasonp, PFRES_SHORT); - return (NULL); - } + ACTION_SET(actionp, PF_DROP); + REASON_SET(reasonp, PFRES_SHORT); + return (NULL); + } break; } #endif /* INET6 */ 
@@ -4396,7 +4395,6 @@ pf_route(struct mbuf *m, struct pf_rule *r) else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) udpstat.udps_outhwcsum++; error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL); - goto done; } @@ -4422,11 +4420,11 @@ pf_route(struct mbuf *m, struct pf_rule *r) in_delayed_cksum(m0); m0->m_pkthdr.csum &= ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); } - + { int mhlen, firstlen = len; struct mbuf **mnext = &m0->m_nextpkt; - + /* * Loop through length of segment after first fragment, * make new header and copy data of each part and link onto chain. @@ -4506,11 +4504,11 @@ sendorfree: else m_freem(m0); } - + if (error == 0) ipstat.ips_fragmented++; } - + done: if (ro == &iproute && ro->ro_rt) RTFREE(ro->ro_rt); @@ -4738,7 +4736,7 @@ done: if (r->rt != PF_DUPTO) { /* m0 already freed */ *m0 = NULL; - } + } } if (log) { @@ -4804,9 +4802,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); pd.proto = h->ip6_nxt; - do { + do { switch (pd.proto) { - case IPPROTO_FRAGMENT: + case IPPROTO_FRAGMENT: /* XXX we don't handle fragments yet */ action = PF_DROP; REASON_SET(&reason, PFRES_FRAG); @@ -4851,8 +4849,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) } pd.p_len = pd.tot_len - off - (th.th_off << 2); action = pf_normalize_tcp(dir, ifp, m, 0, off, h, &pd); - if (action == PF_DROP) - break; + if (action == PF_DROP) + break; action = pf_test_state_tcp(&s, dir, ifp, m, 0, off, h, &pd); if (action == PF_PASS) { r = s->rule; @@ -4912,7 +4910,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) pf_status.pcounters[1][dir][action]++; } -done: +done: /* XXX handle IPv6 options, if not allowed. not implemented. */ if (r && r->rt) { @@ -4920,7 +4918,7 @@ done: if (r->rt != PF_DUPTO) { /* m0 already freed */ *m0 = NULL; - } + } } if (log) { |