author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2011-12-12 21:30:28 +0000 |
committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2011-12-12 21:30:28 +0000 |
commit | 562884e3097b384db00a91e7ac0907f4534ad348 (patch) | |
tree | 73b8c83404b6fc7e1ee626544f2bed452b4ed597 /sys | |
parent | c87647cb851030fe1b4adad4f6aa27d9a247b8f3 (diff) |
fixup af-to regression with match rules
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 6 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 5 | ||||
-rw-r--r-- | sys/net/pfvar.h | 3 |
3 files changed, 7 insertions, 7 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 725ca496ed5..167e555e417 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.789 2011/12/02 03:15:31 haesbaert Exp $ */
+/* $OpenBSD: pf.c,v 1.790 2011/12/12 21:30:27 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -3364,7 +3364,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
 			/* order is irrelevant */
 			SLIST_INSERT_HEAD(&rules, ri, entry);
 			pf_rule_to_actions(r, &act);
-			if (r->naf)
+			if (r->rule_flag & PFRULE_AFTO)
 				pd->naf = r->naf;
 			if (pf_get_transaddr(r, pd, sns, &nr) == -1) {
 				REASON_SET(&reason, PFRES_MEMORY);
@@ -3399,7 +3399,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
 
 	/* apply actions for last matching pass/block rule */
 	pf_rule_to_actions(r, &act);
-	if (r->naf)
+	if (r->rule_flag & PFRULE_AFTO)
 		pd->naf = r->naf;
 	if (pf_get_transaddr(r, pd, sns, &nr) == -1) {
 		REASON_SET(&reason, PFRES_MEMORY);
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index aa883ba6d14..d8b963d39b5 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.247 2011/11/29 10:17:52 dlg Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.248 2011/12/12 21:30:27 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2519,8 +2519,6 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
 	pf_pool_copyin(&from->rdr, &to->rdr);
 	pf_pool_copyin(&from->route, &to->route);
 
-	to->naf = from->naf;
-
 	if (pf_kif_setup(to->ifname, &to->kif))
 		return (EINVAL);
 	if (pf_kif_setup(to->rcv_ifname, &to->rcv_kif))
@@ -2603,6 +2601,7 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
 	to->match_tag_not = from->match_tag_not;
 	to->keep_state = from->keep_state;
 	to->af = from->af;
+	to->naf = from->naf;
 	to->proto = from->proto;
 	to->type = from->type;
 	to->code = from->code;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 62e5652afef..236a427640c 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.357 2011/11/29 10:17:52 dlg Exp $ */
+/* $OpenBSD: pfvar.h,v 1.358 2011/12/12 21:30:27 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -673,6 +673,7 @@ struct pf_rule {
 #define PFRULE_STATESLOPPY	0x00020000 /* sloppy state tracking */
 #define PFRULE_PFLOW		0x00040000
 #define PFRULE_ONCE		0x00100000 /* one shot rule */
+#define PFRULE_AFTO		0x00200000 /* af-to rule */
 
 #define PFSTATE_HIWAT		10000	/* default state table size */
 #define PFSTATE_ADAPT_START	6000	/* default adaptive timeout start */
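Review bot: The new `if (r->rule_flag & PFRULE_AFTO)` test in both pf_test_rule hunks makes the kernel trust a userland-supplied flag as the sole trigger for writing `pd->naf`, yet nothing at these sites (or in the visible pf_ioctl.c change) ensures `r->naf` is a usable family when the flag is set, so a rule with the flag and `naf == 0` would hand an AF_UNSPEC target to pf_get_transaddr on the very next line. Since the check is duplicated verbatim in the match-rule loop and in the final pass/block path, a one-line why-comment above each would help the next reader: `/* only an explicit af-to rule may change the target family */`. Note also that any pfctl built before the matching userland change fills `naf` without setting PFRULE_AFTO and will now silently get no af-to at all; the diffstat is limited to sys, so the pfctl side is not shown here and kernel and pfctl must be updated together. pf_test_rule's body starts and ends outside both hunks.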
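Review bot: Moving `to->naf = from->naf;` next to `to->af` in pf_rule_copyin is tidy, but the ioctl boundary still accepts an af/naf pair that is inconsistent with the new flag, and pf_test_rule now keys on the flag alone, so an af-to rule with `naf == 0` or `naf == af` is loaded without complaint. A sanity check after the copy would reject it early: `if ((to->rule_flag & PFRULE_AFTO) && (to->naf == 0 || to->naf == to->af)) return (EINVAL);`. The `rule_flag` copy itself is not visible in either hunk, so this assumes it happens elsewhere in pf_rule_copyin before the check would run; pf_rule_copyin's body starts and ends outside the hunks.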
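Review bot: The comment on the new `PFRULE_AFTO` define does not record the contract the commit introduces, namely that `naf` in struct pf_rule is only meaningful when this flag is set and must not be inferred from `af != naf`. Suggest `#define PFRULE_AFTO		0x00200000 /* af-to rule: naf is the target family */` so the header, not just the commit log, states where the kernel reads the family from. struct pf_rule itself begins outside the hunk.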