diff options
author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2002-12-31 19:18:42 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2002-12-31 19:18:42 +0000 |
commit | 174fbda2c260804acfb6658ed33e6fad46c516f9 (patch) | |
tree | e7103a5bb9b0903032bbb2e728a42f5e3e9c128d /sys | |
parent | 5bd8a66c32f475b5f4a897da8aef1878cc2e768e (diff) |
Split scrub rules out from the filter rules in the kernel.
Precursor to removing rule.action from skip steps.
Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules
ok henning@ dhartmei@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 32 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 45 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 16 | ||||
-rw-r--r-- | sys/net/pfvar.h | 8 |
4 files changed, 69 insertions, 32 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 5f21e196d70..750aab15214 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.289 2002/12/31 00:00:44 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.290 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1808,7 +1808,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -1869,11 +1869,11 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { @@ -2063,7 +2063,7 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2124,11 +2124,11 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { @@ -2344,7 +2344,7 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2389,11 +2389,11 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { @@ -2549,7 +2549,7 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2590,11 +2590,11 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { @@ -2696,7 +2696,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp, *rm = NULL; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2738,11 +2738,11 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 6283a0abaaa..c39dfd7f1b2 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.36 2002/12/31 00:00:44 dhartmei Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.37 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -156,6 +156,8 @@ pf_get_pool(char *anchorname, char *rulesetname, u_int32_t ticket, if (ruleset == NULL) return (NULL); rs_num = pf_get_ruleset_number(rule_action); + if (rs_num >= PF_RULESET_MAX) + return (NULL); if (active) { if (check_ticket && ticket != ruleset->rules[rs_num].active.ticket) @@ -222,11 +224,12 @@ int pf_get_ruleset_number(u_int8_t action) { switch (action) { + case PF_SCRUB: + return (PF_RULESET_SCRUB); + break; case PF_PASS: case PF_DROP: - case PF_SCRUB: - default: - return (PF_RULESET_RULE); + return (PF_RULESET_FILTER); break; case PF_NAT: case PF_NONAT: @@ -240,6 +243,9 @@ pf_get_ruleset_number(u_int8_t action) case PF_NORDR: return (PF_RULESET_RDR); break; + default: + return (PF_RULESET_MAX); + break; } } @@ -525,6 +531,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } while ((rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr)) != NULL) pf_rm_rule(ruleset->rules[rs_num].inactive.ptr, rule); @@ -544,6 +554,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pr->rule.anchorname[0] && ruleset != &pf_main_ruleset) { error = EINVAL; break; @@ -631,6 +645,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) { error = EBUSY; break; @@ -641,11 +659,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) /* * Rules are about to get freed, clear rule pointers in states */ - if (rs_num == PF_RULESET_RULE) { + if (rs_num == PF_RULESET_FILTER) { if (ruleset == &pf_main_ruleset) RB_FOREACH(n, pf_state_tree, &tree_ext_gwy) n->state->rule.ptr = NULL; - } else + } else if ((rs_num == PF_RULESET_NAT) || + (rs_num == PF_RULESET_BINAT) || (rs_num == PF_RULESET_RDR)) RB_FOREACH(n, pf_state_tree, &tree_ext_gwy) n->state->nat_rule = NULL; old_rules = ruleset->rules[rs_num].active.ptr; @@ -677,6 +696,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } s = splsoftnet(); tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, pf_rulequeue); @@ -701,6 +724,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pr->ticket != ruleset->rules[rs_num].active.ticket) { error = EBUSY; break; @@ -752,6 +779,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pcr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pcr->action == PF_CHANGE_GET_TICKET) { pcr->ticket = ++ruleset->rules[rs_num].active.ticket; @@ -1190,7 +1221,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) s = splsoftnet(); TAILQ_FOREACH(rule, - ruleset->rules[PF_RULESET_RULE].active.ptr, entries) + ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) rule->evaluations = rule->packets = rule->bytes = 0; splx(s); diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 3781ec6dc89..3814aa6d5f2 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.43 2002/12/18 19:17:07 henning Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.44 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -800,8 +800,9 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason) int ip_len; int ip_off; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { + r->evaluations++; if (r->action != PF_SCRUB) r = r->skip[PF_SKIP_ACTION].ptr; else if (r->ifp != NULL && r->ifp != ifp) @@ -826,6 +827,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason) if (r == NULL) return (PF_PASS); + else + r->packets++; /* Check for illegal packets */ if (hlen < (int)sizeof(struct ip)) @@ -1002,8 +1005,9 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff, u_int8_t flags; sa_family_t af = pd->af; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { + r->evaluations++; if (r->action != PF_SCRUB) r = r->skip[PF_SKIP_ACTION].ptr; else if (r->ifp != NULL && r->ifp != ifp) @@ -1040,6 +1044,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff, if (rm == NULL) return (PF_PASS); + else + r->packets++; flags = th->th_flags; if (flags & TH_SYN) { @@ -1097,8 +1103,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff, tcp_drop: REASON_SET(&reason, PFRES_NORM); - if (rm != NULL && rm->log) - PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, rm); + if (rm != NULL && r->log) + PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, r); return (PF_DROP); } diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 5973ad20ff9..652ec2731b2 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.119 2002/12/29 20:07:34 cedric Exp $ */ +/* $OpenBSD: pfvar.h,v 1.120 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -43,8 +43,8 @@ enum { PF_IN=1, PF_OUT=2 }; enum { PF_PASS=0, PF_DROP=1, PF_SCRUB=2, PF_NAT=3, PF_NONAT=4, PF_BINAT=5, PF_NOBINAT=6, PF_RDR=7, PF_NORDR=8 }; -enum { PF_RULESET_RULE=0, PF_RULESET_NAT=1, PF_RULESET_BINAT=2, - PF_RULESET_RDR=3, PF_RULESET_MAX=4 }; +enum { PF_RULESET_SCRUB=0, PF_RULESET_FILTER=1, PF_RULESET_NAT=2, + PF_RULESET_BINAT=3, PF_RULESET_RDR=4, PF_RULESET_MAX=5 }; enum { PF_OP_IRG=1, PF_OP_EQ=2, PF_OP_NE=3, PF_OP_LT=4, PF_OP_LE=5, PF_OP_GT=6, PF_OP_GE=7, PF_OP_XRG=8, PF_OP_RRG=9 }; enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 }; @@ -425,7 +425,7 @@ struct pf_ruleset { struct pf_rulequeue *ptr; u_int32_t ticket; } active, inactive; - } rules[4]; + } rules[PF_RULESET_MAX]; struct pf_anchor *anchor; }; |