summaryrefslogtreecommitdiff
path: root/sys/net/pf_lb.c
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2012-12-29 14:59:53 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2012-12-29 14:59:53 +0000
commitb0929029b350a75de46ce83eef8b054b40b12ff3 (patch)
tree3758ef27d34c8b87d56d5a1df9cf1a33ba18cddf /sys/net/pf_lb.c
parentf22310bceda42b8f611ee5b9e18b856ff98ed399 (diff)
make sure the entry from tree_src_tracking is still in the pool;
fixes nat with sticky address and ip address change on pppoe(4) for example; ok henning@, zinke@; mikeb@
Diffstat (limited to 'sys/net/pf_lb.c')
-rw-r--r--sys/net/pf_lb.c101
1 files changed, 78 insertions, 23 deletions
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c
index 70e6d9dc3f0..d129a54eaf6 100644
--- a/sys/net/pf_lb.c
+++ b/sys/net/pf_lb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_lb.c,v 1.23 2012/12/29 14:54:45 markus Exp $ */
+/* $OpenBSD: pf_lb.c,v 1.24 2012/12/29 14:59:52 markus Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -106,6 +106,10 @@ int pf_get_sport(struct pf_pdesc *, struct pf_rule *,
u_int16_t, struct pf_src_node **);
int pf_get_transaddr_af(struct pf_rule *,
struct pf_pdesc *, struct pf_src_node **);
+int pf_map_addr_sticky(sa_family_t, struct pf_rule *,
+ struct pf_addr *, struct pf_addr *,
+ struct pf_src_node **, struct pf_pool *,
+ enum pf_sn_types);
#define mix(a,b,c) \
do { \
@@ -268,6 +272,76 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_rule *r,
}
int
+pf_map_addr_sticky(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
+ struct pf_addr *naddr, struct pf_src_node **sns, struct pf_pool *rpool,
+ enum pf_sn_types type)
+{
+ struct pf_addr *raddr, *rmask, *cached;
+ struct pf_state *s;
+ struct pf_src_node k;
+ int valid;
+
+ k.af = af;
+ k.type = type;
+ PF_ACPY(&k.addr, saddr, af);
+ k.rule.ptr = r;
+ pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
+ sns[type] = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
+ if (sns[type] == NULL)
+ return (-1);
+
+ /* check if the cached entry is still valid */
+ cached = &(sns[type])->raddr;
+ valid = 0;
+ if (PF_AZERO(cached, af)) {
+ valid = 1;
+ } else if (rpool->addr.type == PF_ADDR_DYNIFTL) {
+ if (pfr_kentry_byaddr(rpool->addr.p.dyn->pfid_kt, cached,
+ af, 0))
+ valid = 1;
+ } else if (rpool->addr.type == PF_ADDR_TABLE) {
+ if (pfr_kentry_byaddr(rpool->addr.p.tbl, cached, af, 0))
+ valid = 1;
+ } else if (rpool->addr.type != PF_ADDR_NOROUTE) {
+ raddr = &rpool->addr.v.a.addr;
+ rmask = &rpool->addr.v.a.mask;
+ valid = pf_match_addr(0, raddr, rmask, cached, af);
+ }
+ if (!valid) {
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: pf_map_addr: "
+ "stale src tracking (%u) ", type);
+ pf_print_host(&k.addr, 0, af);
+ addlog(" to ");
+ pf_print_host(cached, 0, af);
+ addlog("\n");
+ }
+ if (sns[type]->states != 0) {
+ /* XXX expensive */
+ RB_FOREACH(s, pf_state_tree_id,
+ &tree_id)
+ pf_state_rm_src_node(s,
+ sns[type]);
+ }
+ sns[type]->expire = 1;
+ pf_remove_src_node(sns[type]);
+ sns[type] = NULL;
+ return (-1);
+ }
+ if (!PF_AZERO(cached, af))
+ PF_ACPY(naddr, cached, af);
+ if (pf_status.debug >= LOG_DEBUG) {
+ log(LOG_DEBUG, "pf: pf_map_addr: "
+ "src tracking (%u) maps ", type);
+ pf_print_host(&k.addr, 0, af);
+ addlog(" to ");
+ pf_print_host(naddr, 0, af);
+ addlog("\n");
+ }
+ return (0);
+}
+
+int
pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sns,
struct pf_pool *rpool, enum pf_sn_types type)
@@ -276,34 +350,15 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
struct pf_addr faddr;
struct pf_addr *raddr = &rpool->addr.v.a.addr;
struct pf_addr *rmask = &rpool->addr.v.a.mask;
- struct pf_src_node k;
u_int64_t states;
u_int16_t weight;
u_int64_t load;
u_int64_t cload;
if (sns[type] == NULL && rpool->opts & PF_POOL_STICKYADDR &&
- (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
- k.af = af;
- k.type = type;
- PF_ACPY(&k.addr, saddr, af);
- k.rule.ptr = r;
- pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
- sns[type] = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
- if (sns[type] != NULL) {
- if (!PF_AZERO(&(sns[type])->raddr, af))
- PF_ACPY(naddr, &(sns[type])->raddr, af);
- if (pf_status.debug >= LOG_DEBUG) {
- log(LOG_DEBUG, "pf: pf_map_addr: "
- "src tracking (%u) maps ", type);
- pf_print_host(&k.addr, 0, af);
- addlog(" to ");
- pf_print_host(naddr, 0, af);
- addlog("\n");
- }
- return (0);
- }
- }
+ (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE &&
+ pf_map_addr_sticky(af, r, saddr, naddr, sns, rpool, type) == 0)
+ return (0);
if (rpool->addr.type == PF_ADDR_NOROUTE)
return (1);