authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2002-12-31 19:18:42 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2002-12-31 19:18:42 +0000
commit174fbda2c260804acfb6658ed33e6fad46c516f9 (patch)
treee7103a5bb9b0903032bbb2e728a42f5e3e9c128d /sys/net/pf_norm.c
parent5bd8a66c32f475b5f4a897da8aef1878cc2e768e (diff)
Split scrub rules out from the filter rules in the kernel.
Precursor to removing rule.action from skip steps. Also a couple of other small fixes: - s/PF_RULESET_RULE/PF_RULESET_FILTER/ - replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset { - error handling in ioctl of an invalid value in rule.action - counting evaluations and matching packets for scrub rules ok henning@ dhartmei@
Diffstat (limited to 'sys/net/pf_norm.c')
-rw-r--r--sys/net/pf_norm.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 3781ec6dc89..3814aa6d5f2 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.43 2002/12/18 19:17:07 henning Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.44 2002/12/31 19:18:41 mcbride Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -800,8 +800,9 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
int ip_len;
int ip_off;
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
+ r->evaluations++;
if (r->action != PF_SCRUB)
r = r->skip[PF_SKIP_ACTION].ptr;
else if (r->ifp != NULL && r->ifp != ifp)
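Review bot: The `r->action != PF_SCRUB` test kept at the top of the loop needs a comment now that the list being walked is `PF_RULESET_SCRUB`, because a reader cannot tell whether a non-scrub rule can still appear here or whether the branch is dead. Suggested comment above it: `/* scrub list should hold only PF_SCRUB rules; test kept until rule.action is removed from the skip steps */`. Note also that `r->evaluations++` runs before that test, so a rule skipped by action is still counted as evaluated. The same applies to the identical loop head in pf_normalize_tcp; both loop bodies continue outside their hunks.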
@@ -826,6 +827,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
if (r == NULL)
return (PF_PASS);
+ else
+ r->packets++;
/* Check for illegal packets */
if (hlen < (int)sizeof(struct ip))
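Review bot: The `else` before `r->packets++` is redundant after `return (PF_PASS);`, and a bare `r->packets++;` at the outer level reads more clearly. The counter is also bumped before the "illegal packets" checks that follow, so it counts rule matches rather than packets that survived normalization. A short comment such as `/* count every packet that matched a scrub rule, including ones dropped below */` would make that explicit. The function continues outside this hunk.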
@@ -1002,8 +1005,9 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff,
u_int8_t flags;
sa_family_t af = pd->af;
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
+ r->evaluations++;
if (r->action != PF_SCRUB)
r = r->skip[PF_SKIP_ACTION].ptr;
else if (r->ifp != NULL && r->ifp != ifp)
@@ -1040,6 +1044,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff,
if (rm == NULL)
return (PF_PASS);
+ else
+ r->packets++;
flags = th->th_flags;
if (flags & TH_SYN) {
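Review bot: The guard tests `rm` but the added branch dereferences `r` (`r->packets++`), so the NULL check does not cover the pointer that is actually used. The two are presumably equal when the loop above exits on a match, but that loop body lies outside this hunk, and any path that sets `rm` and then advances `r` would turn this into a NULL dereference in the kernel packet path. Use one pointer for both, e.g. `rm->packets++;` after the early return (the `else` is unnecessary after `return`). The same mix appears at `tcp_drop`, where `if (rm != NULL && r->log)` guards `rm` and reads `r`; `if (r != NULL && r->log)` would keep guard and use aligned.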
@@ -1097,8 +1103,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff,
tcp_drop:
REASON_SET(&reason, PFRES_NORM);
- if (rm != NULL && rm->log)
- PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, rm);
+ if (rm != NULL && r->log)
+ PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, r);
return (PF_DROP);
}
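Review bot: The log call under `tcp_drop` passes a hard-coded `AF_INET` although this function derives `af` from `pd->af` (visible in the earlier hunk of pf_normalize_tcp), so a dropped packet of another family would be logged with the wrong address family. If this path can be reached for non-IPv4 traffic, pass the variable instead: `PFLOG_PACKET(ifp, h, m, af, dir, reason, r);`. Accurate family tags matter when pflog output is later used to reconstruct why a packet was dropped. The function begins outside this hunk.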