authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2002-12-31 19:18:42 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2002-12-31 19:18:42 +0000
commit174fbda2c260804acfb6658ed33e6fad46c516f9 (patch)
treee7103a5bb9b0903032bbb2e728a42f5e3e9c128d /sys
parent5bd8a66c32f475b5f4a897da8aef1878cc2e768e (diff)
Split scrub rules out from the filter rules in the kernel.
Precursor to removing rule.action from skip steps. Also a couple of other small fixes: - s/PF_RULESET_RULE/PF_RULESET_FILTER/ - replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset { - error handling in ioctl of an invalid value in rule.action - counting evaluations and matching packets for scrub rules ok henning@ dhartmei@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c32
-rw-r--r--sys/net/pf_ioctl.c45
-rw-r--r--sys/net/pf_norm.c16
-rw-r--r--sys/net/pfvar.h8
4 files changed, 69 insertions, 32 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 5f21e196d70..750aab15214 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.289 2002/12/31 00:00:44 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.290 2002/12/31 19:18:41 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1808,7 +1808,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
}
}
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
r->evaluations++;
if (r->action == PF_SCRUB)
@@ -1869,11 +1869,11 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
r = TAILQ_NEXT(r, entries);
} else
PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (r == NULL && anchorrule != NULL)
PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (*rm != NULL) {
@@ -2063,7 +2063,7 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
}
}
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
r->evaluations++;
if (r->action == PF_SCRUB)
@@ -2124,11 +2124,11 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
r = TAILQ_NEXT(r, entries);
} else
PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (r == NULL && anchorrule != NULL)
PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (*rm != NULL) {
@@ -2344,7 +2344,7 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp,
}
}
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
r->evaluations++;
if (r->action == PF_SCRUB)
@@ -2389,11 +2389,11 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp,
r = TAILQ_NEXT(r, entries);
} else
PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (r == NULL && anchorrule != NULL)
PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (*rm != NULL) {
@@ -2549,7 +2549,7 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp,
}
}
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
r->evaluations++;
if (r->action == PF_SCRUB)
@@ -2590,11 +2590,11 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp,
r = TAILQ_NEXT(r, entries);
} else
PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (r == NULL && anchorrule != NULL)
PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (*rm != NULL) {
@@ -2696,7 +2696,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp,
*rm = NULL;
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
r->evaluations++;
if (r->action == PF_SCRUB)
@@ -2738,11 +2738,11 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp,
r = TAILQ_NEXT(r, entries);
} else
PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (r == NULL && anchorrule != NULL)
PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
- PF_RULESET_RULE);
+ PF_RULESET_FILTER);
}
if (*rm != NULL) {
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 6283a0abaaa..c39dfd7f1b2 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.36 2002/12/31 00:00:44 dhartmei Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.37 2002/12/31 19:18:41 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -156,6 +156,8 @@ pf_get_pool(char *anchorname, char *rulesetname, u_int32_t ticket,
if (ruleset == NULL)
return (NULL);
rs_num = pf_get_ruleset_number(rule_action);
+ if (rs_num >= PF_RULESET_MAX)
+ return (NULL);
if (active) {
if (check_ticket && ticket !=
ruleset->rules[rs_num].active.ticket)
@@ -222,11 +224,12 @@ int
pf_get_ruleset_number(u_int8_t action)
{
switch (action) {
+ case PF_SCRUB:
+ return (PF_RULESET_SCRUB);
+ break;
case PF_PASS:
case PF_DROP:
- case PF_SCRUB:
- default:
- return (PF_RULESET_RULE);
+ return (PF_RULESET_FILTER);
break;
case PF_NAT:
case PF_NONAT:
@@ -240,6 +243,9 @@ pf_get_ruleset_number(u_int8_t action)
case PF_NORDR:
return (PF_RULESET_RDR);
break;
+ default:
+ return (PF_RULESET_MAX);
+ break;
}
}
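Review bot: pf_get_ruleset_number now returns the PF_RULESET_MAX sentinel for an action it does not recognize, so every caller has to compare against it before indexing rules[], but nothing at the definition says so; the seven call sites visible in this diff add the check, and any caller elsewhere that still indexes directly would read one past the array. A comment above the function would make the contract explicit: `/* Map a rule action to its ruleset index. Returns PF_RULESET_MAX (not a valid index) for an unknown action; callers must check before indexing rules[]. */`. The `break;` after each `return` is unreachable and could be dropped, though the pre-existing cases already follow that pattern. The function's signature is in the preceding hunk.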
@@ -525,6 +531,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
rs_num = pf_get_ruleset_number(pr->rule.action);
+ if (rs_num >= PF_RULESET_MAX) {
+ error = EINVAL;
+ break;
+ }
while ((rule =
TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr)) != NULL)
pf_rm_rule(ruleset->rules[rs_num].inactive.ptr, rule);
@@ -544,6 +554,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
rs_num = pf_get_ruleset_number(pr->rule.action);
+ if (rs_num >= PF_RULESET_MAX) {
+ error = EINVAL;
+ break;
+ }
if (pr->rule.anchorname[0] && ruleset != &pf_main_ruleset) {
error = EINVAL;
break;
@@ -631,6 +645,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
rs_num = pf_get_ruleset_number(pr->rule.action);
+ if (rs_num >= PF_RULESET_MAX) {
+ error = EINVAL;
+ break;
+ }
if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) {
error = EBUSY;
break;
@@ -641,11 +659,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
/*
* Rules are about to get freed, clear rule pointers in states
*/
- if (rs_num == PF_RULESET_RULE) {
+ if (rs_num == PF_RULESET_FILTER) {
if (ruleset == &pf_main_ruleset)
RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
n->state->rule.ptr = NULL;
- } else
+ } else if ((rs_num == PF_RULESET_NAT) ||
+ (rs_num == PF_RULESET_BINAT) || (rs_num == PF_RULESET_RDR))
RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
n->state->nat_rule = NULL;
old_rules = ruleset->rules[rs_num].active.ptr;
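Review bot: The new `else if` leaves a commit of the scrub ruleset with no state clean-up and no explanation, so a reader has to work out why neither branch applies to PF_RULESET_SCRUB. If, as the pf_norm.c hunks suggest, states never keep a pointer to a scrub rule, say so next to the condition: `/* PF_RULESET_SCRUB: states hold no pointers to scrub rules, nothing to clear */`. The preceding hunk appears to reject `rs_num >= PF_RULESET_MAX` in the same ioctl case, so if that guarantee is meant to hold here the three-way condition could also be a plain `else`. The enclosing case starts outside this hunk.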
@@ -677,6 +696,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
rs_num = pf_get_ruleset_number(pr->rule.action);
+ if (rs_num >= PF_RULESET_MAX) {
+ error = EINVAL;
+ break;
+ }
s = splsoftnet();
tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr,
pf_rulequeue);
@@ -701,6 +724,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
rs_num = pf_get_ruleset_number(pr->rule.action);
+ if (rs_num >= PF_RULESET_MAX) {
+ error = EINVAL;
+ break;
+ }
if (pr->ticket != ruleset->rules[rs_num].active.ticket) {
error = EBUSY;
break;
@@ -752,6 +779,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
rs_num = pf_get_ruleset_number(pcr->rule.action);
+ if (rs_num >= PF_RULESET_MAX) {
+ error = EINVAL;
+ break;
+ }
if (pcr->action == PF_CHANGE_GET_TICKET) {
pcr->ticket = ++ruleset->rules[rs_num].active.ticket;
@@ -1190,7 +1221,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
s = splsoftnet();
TAILQ_FOREACH(rule,
- ruleset->rules[PF_RULESET_RULE].active.ptr, entries)
+ ruleset->rules[PF_RULESET_FILTER].active.ptr, entries)
rule->evaluations = rule->packets =
rule->bytes = 0;
splx(s);
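Review bot: The counter-reset loop walks only PF_RULESET_FILTER, yet the pf_norm.c hunks in this commit start counting `evaluations` and `packets` on scrub rules, so those counters cannot be cleared through this path and will grow until the ruleset is replaced. A second pass under the same splsoftnet section covers them: `TAILQ_FOREACH(rule, ruleset->rules[PF_RULESET_SCRUB].active.ptr, entries)` followed by `rule->evaluations = rule->packets = rule->bytes = 0;`. The enclosing ioctl case begins outside the hunk, so whether it is intended to cover every ruleset cannot be confirmed from here.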
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 3781ec6dc89..3814aa6d5f2 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.43 2002/12/18 19:17:07 henning Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.44 2002/12/31 19:18:41 mcbride Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -800,8 +800,9 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
int ip_len;
int ip_off;
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
+ r->evaluations++;
if (r->action != PF_SCRUB)
r = r->skip[PF_SKIP_ACTION].ptr;
else if (r->ifp != NULL && r->ifp != ifp)
@@ -826,6 +827,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
if (r == NULL)
return (PF_PASS);
+ else
+ r->packets++;
/* Check for illegal packets */
if (hlen < (int)sizeof(struct ip))
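Review bot: The `else` introduced after `return (PF_PASS)` is redundant, because the return already ends the branch; `if (r == NULL) return (PF_PASS); r->packets++;` reads the same and matches the early-return style used elsewhere in pf_norm.c. The same shape is added in the pf_normalize_tcp hunk further down (`if (rm == NULL) ... else r->packets++`). pf_normalize_ip continues past the end of this hunk.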
@@ -1002,8 +1005,9 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff,
u_int8_t flags;
sa_family_t af = pd->af;
- r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr);
+ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
+ r->evaluations++;
if (r->action != PF_SCRUB)
r = r->skip[PF_SKIP_ACTION].ptr;
else if (r->ifp != NULL && r->ifp != ifp)
@@ -1040,6 +1044,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff,
if (rm == NULL)
return (PF_PASS);
+ else
+ r->packets++;
flags = th->th_flags;
if (flags & TH_SYN) {
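Review bot: The new `r->packets++` dereferences `r` under a guard that tests `rm`; they are distinct variables, and nothing in this hunk shows that `r` is non-NULL whenever `rm` is. The loop in the previous hunk presumably sets `rm = r` on a match and breaks, which would make them equal here, but the guard and the dereference should name the same pointer: `rm->packets++;`. The tcp_drop hunk below repeats the mismatch by switching `rm->log` and `PFLOG_PACKET(..., rm)` to `r->log` and `PFLOG_PACKET(..., r)` while keeping `rm != NULL` as the guard; using `rm` in all three places, or dropping the alias altogether, removes the inconsistency. pf_normalize_tcp's body extends beyond this hunk.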
@@ -1097,8 +1103,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff,
tcp_drop:
REASON_SET(&reason, PFRES_NORM);
- if (rm != NULL && rm->log)
- PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, rm);
+ if (rm != NULL && r->log)
+ PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, r);
return (PF_DROP);
}
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 5973ad20ff9..652ec2731b2 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.119 2002/12/29 20:07:34 cedric Exp $ */
+/* $OpenBSD: pfvar.h,v 1.120 2002/12/31 19:18:41 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -43,8 +43,8 @@
enum { PF_IN=1, PF_OUT=2 };
enum { PF_PASS=0, PF_DROP=1, PF_SCRUB=2, PF_NAT=3, PF_NONAT=4,
PF_BINAT=5, PF_NOBINAT=6, PF_RDR=7, PF_NORDR=8 };
-enum { PF_RULESET_RULE=0, PF_RULESET_NAT=1, PF_RULESET_BINAT=2,
- PF_RULESET_RDR=3, PF_RULESET_MAX=4 };
+enum { PF_RULESET_SCRUB=0, PF_RULESET_FILTER=1, PF_RULESET_NAT=2,
+ PF_RULESET_BINAT=3, PF_RULESET_RDR=4, PF_RULESET_MAX=5 };
enum { PF_OP_IRG=1, PF_OP_EQ=2, PF_OP_NE=3, PF_OP_LT=4,
PF_OP_LE=5, PF_OP_GT=6, PF_OP_GE=7, PF_OP_XRG=8, PF_OP_RRG=9 };
enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 };
@@ -425,7 +425,7 @@ struct pf_ruleset {
struct pf_rulequeue *ptr;
u_int32_t ticket;
} active, inactive;
- } rules[4];
+ } rules[PF_RULESET_MAX];
struct pf_anchor *anchor;
};