author | Niels Provos <provos@cvs.openbsd.org> | 2001-07-17 21:54:28 +0000 |
committer | Niels Provos <provos@cvs.openbsd.org> | 2001-07-17 21:54:28 +0000 |
commit | 5b5d6a6789a07db25d822e6cdc8faa22b41e4711 (patch) | |
tree | 365e6ecc9ea7110736f16283d8e4d8485a9865b8 /sys/net | |
parent | ea39f2de65a8a34702e80c95d96f70aace6bce30 (diff) |
normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 6 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 9 | ||||
-rw-r--r-- | sys/net/pfvar.h | 8 |
3 files changed, 17 insertions, 6 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index a56f33f5c36..8cb7f7f8836 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.114 2001/07/17 20:34:51 provos Exp $ */
+/* $OpenBSD: pf.c,v 1.115 2001/07/17 21:54:25 provos Exp $ */
 
 /*
 * Copyright (c) 2001, Daniel Hartmeier
@@ -1446,7 +1446,7 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
 PFLOG_PACKET(h, m, AF_INET, direction, reason, rm);
 
 if ((rm->action == PF_DROP) &&
- (rm->return_rst || rm->return_icmp)) {
+ ((rm->rule_flag & PFRULE_RETURNRST) || rm->return_icmp)) {
 /* undo NAT/RST changes, if they have taken place */
 if (nat != NULL) {
 pf_change_ap(&h->ip_src.s_addr, &th->th_sport,
@@ -1457,7 +1457,7 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
 &h->ip_sum, &th->th_sum, baddr, bport);
 rewrite++;
 }
- if (rm->return_rst)
+ if (rm->rule_flag & PFRULE_RETURNRST)
 pf_send_reset(h, off, th);
 else
 pf_send_icmp(m, rm->return_icmp >> 8,
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 25b964f2c01..c67836e5bfa 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.1 2001/07/17 20:35:26 provos Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.2 2001/07/17 21:54:26 provos Exp $ */
 
 /*
 * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -510,6 +510,13 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
 if (dir != PF_OUT)
 return (PF_PASS);
 
+ /* At this point, only IP_DF is allowed in ip_off */
+ if (r->rule_flag & PFRULE_NODF)
+ h->ip_off = 0;
+ else
+ h->ip_off &= IP_DF;
+
+ return (PF_PASS);
 
 drop:
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 2424acf3eb0..c92d2731e5f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.33 2001/07/17 20:34:51 provos Exp $ */
+/* $OpenBSD: pfvar.h,v 1.34 2001/07/17 21:54:26 provos Exp $ */
 
 /*
 * Copyright (c) 2001, Daniel Hartmeier
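Review bot: `r->rule_flag` in the added pf_norm.c block is dereferenced without a NULL check, and nothing in the hunk shows that a scrub rule always matched; if the rule lookup earlier in pf_normalize_ip (outside this hunk) can leave `r` NULL, every outbound packet would fault here. If that is possible, the test should read `if (r != NULL && (r->rule_flag & PFRULE_NODF))`. A second thing to confirm is the IP header checksum: the block rewrites `h->ip_off` but leaves `h->ip_sum` untouched, which is only correct if the outbound caller computes the checksum after pf_test — if `ip_sum` is already valid at this point it would need to be adjusted to match the new `ip_off`. The comment also undersells the PFRULE_NODF arm, which clears DF as well as the offset/MF bits; `/* Outbound: strip fragment offset/MF bits; PFRULE_NODF clears IP_DF too */` describes both branches. pf_normalize_ip continues on both sides of the hunk.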
@@ -71,9 +71,13 @@ struct pf_rule {
 
 u_int8_t flags;
 u_int8_t flagset;
- u_int8_t return_rst;
+
+ u_int8_t rule_flag;
 };
 
+#define PFRULE_RETURNRST 0x01
+#define PFRULE_NODF 0x02
+
 struct pf_state_host {
 u_int32_t addr;
 u_int16_t port;
|
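Review bot: The two new PFRULE_* bits are undocumented, and nothing in the header says which field they belong to; a one-line comment above them tying them to `pf_rule.rule_flag`, plus a trailing comment per bit (`/* send TCP RST for packets dropped by this rule */`, `/* clear IP_DF during outbound normalization */`), would save the next reader a trip through pf.c and pf_norm.c. Because `rule_flag` is a `u_int8_t`, the set is limited to eight bits, which is worth stating in that comment so the next flag is not defined as 0x100. If `struct pf_rule` is the record that crosses the ioctl boundary to pfctl, replacing `return_rst` with a bit field is a userland-visible change even though the slot keeps its offset, and since the diffstat is limited to sys/net the matching pfctl update is not visible here. struct pf_rule begins before this hunk.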