authorClaudio Jeker <claudio@cvs.openbsd.org>2009-11-03 10:59:05 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2009-11-03 10:59:05 +0000
commitaa799beefd4c8fce27ceb0fd6ed143fb40859be2 (patch)
tree6e6ca07fa0c49af532b084c80a89d926a9a3bd0f /sys/netinet/ip_input.c
parente5888cd56b381838e11260d5af85260b96ce1f4e (diff)
rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more. OK dlg@, mpf@, deraadt@
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r--sys/netinet/ip_input.c12
1 files changed, 5 insertions, 7 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 9c81e44b583..c481333d176 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.171 2009/08/23 20:06:25 david Exp $ */
+/* $OpenBSD: ip_input.c,v 1.172 2009/11/03 10:59:04 claudio Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -681,6 +681,7 @@ in_iawithaddr(struct in_addr ina, struct mbuf *m, u_int rdomain)
{
struct in_ifaddr *ia;
+ rdomain = rtable_l2(rdomain);
TAILQ_FOREACH(ia, &in_ifaddr, ia_list) {
if (ia->ia_ifp->if_rdomain != rdomain)
continue;
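Review bot: The added `rdomain = rtable_l2(rdomain);` in in_iawithaddr() overwrites the parameter in place with no comment, so a reader cannot tell that callers may pass an rtable id rather than an rdomain id. A one-line comment above the assignment would document this, e.g. `/* callers may pass an rtable id; map it to its rdomain before comparing with if_rdomain */`. The same pattern appears in ip_weadvertise() (`rtableid = rtable_l2(rtableid);`), where the variable keeps the name rtableid while being compared with `ifp->if_rdomain`. rtable_l2() is not defined in this file's diff, so its result for an id that has no table should be confirmed: if it falls back to a default domain, the address match would silently run against that domain's interfaces instead of failing. The body of in_iawithaddr() continues outside the hunk.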
@@ -1076,8 +1077,7 @@ ip_dooptions(m)
ia = (INA)ifa_ifwithnet((SA)&ipaddr,
m->m_pkthdr.rdomain);
} else
- /* keep packet in the original VRF instance */
- /* XXX rdomain or rtableid ??? */
+ /* keep packet in the virtual instance */
ia = ip_rtaddr(ipaddr.sin_addr,
m->m_pkthdr.rdomain);
if (ia == 0) {
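Review bot: The calls in this ip_dooptions() hunk still pass `m->m_pkthdr.rdomain` unchanged to ifa_ifwithnet() and ip_rtaddr(), and the removed `XXX rdomain or rtableid ???` question is dropped rather than answered in the new comment. in_iawithaddr() and ip_weadvertise() now map the id with rtable_l2() before comparing against if_rdomain, which suggests the value can be an rtable id. Whether these callees do the same mapping is not visible in this file's diff and should be confirmed, because source-route option handling is a place where a packet could otherwise be matched against the wrong domain. If the callees do normalise, the comment could record it, e.g. `/* keep packet in the virtual instance; callee maps the id to its rdomain */`. The same applies to the ifa_ifwithaddr() call in the next ip_dooptions() hunk; the function starts and ends outside both hunks.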
@@ -1116,8 +1116,7 @@ ip_dooptions(m)
/*
* locate outgoing interface; if we're the destination,
* use the incoming interface (should be same).
- * Again keep the packet inside the VRF instance.
- * XXX rdomain vs. rtableid ???
+ * Again keep the packet inside the virtual instance.
*/
if ((ia = (INA)ifa_ifwithaddr((SA)&ipaddr,
m->m_pkthdr.rdomain)) == 0 &&
@@ -1276,6 +1275,7 @@ ip_weadvertise(u_int32_t addr, u_int rtableid)
return 0;
}
+ rtableid = rtable_l2(rtableid);
TAILQ_FOREACH(ifp, &ifnet, if_list) {
if (ifp->if_rdomain != rtableid)
continue;
@@ -1445,8 +1445,6 @@ ip_forward(m, srcrt)
}
rtableid = m->m_pkthdr.rdomain;
- if (m->m_pkthdr.pf.rtableid)
- rtableid = m->m_pkthdr.pf.rtableid;
sin = satosin(&ipforward_rt.ro_dst);
if ((rt = ipforward_rt.ro_rt) == 0 ||
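Review bot: With the `m->m_pkthdr.pf.rtableid` override removed, ip_forward() takes `rtableid` only from `m->m_pkthdr.rdomain`, and nothing at the assignment states that pf's table selection is expected to arrive through that field. The pf side of the change is not part of this file's diff, so this is inferred from the commit description. If any path still sets only `pf.rtableid`, the forwarding lookup would silently use the ingress table and skip the policy-selected one. A comment on the assignment would record the invariant, e.g. `/* pf stores any rtable override in m_pkthdr.rdomain; no separate pf.rtableid check is needed */`. ip_forward() starts and ends outside the hunk.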