authorsashan <sashan@cvs.openbsd.org>2015-07-18 19:19:01 +0000
committersashan <sashan@cvs.openbsd.org>2015-07-18 19:19:01 +0000
commit8dd6ec8fc3a4e9f449bd0f044320c21ec67da10f (patch)
tree012f03e2d09eb5f835d430df239448b83c7da59e /sys
parent7c7b49a206687d3b69fc25d3881d185979508770 (diff)
msg.mpi
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c62
-rw-r--r--sys/net/pf_ioctl.c10
-rw-r--r--sys/net/pf_lb.c8
-rw-r--r--sys/net/pf_osfp.c22
-rw-r--r--sys/net/pf_ruleset.c6
5 files changed, 77 insertions, 31 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index fc29f01da14..6db3d4d9dc6 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.927 2015/07/18 15:47:01 mpi Exp $ */
+/* $OpenBSD: pf.c,v 1.928 2015/07/18 19:19:00 sashan Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -76,8 +76,14 @@
#include <netinet/ip_divert.h>
#include <net/pfvar.h>
+
+#if NPFLOG > 0
#include <net/if_pflog.h>
+#endif /* NPFLOG > 0 */
+
+#if NPFLOW > 0
#include <net/if_pflow.h>
+#endif /* NPFLOW > 0 */
#if NPFSYNC > 0
#include <net/if_pfsync.h>
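Review bot: The new `#if NPFLOG > 0` and `#if NPFLOW > 0` guards around the two includes evaluate an undefined macro as 0, so if the config-generated `"pflog.h"` and `"pflow.h"` headers that define NPFLOG and NPFLOW are not included earlier in this file (that part is outside the hunk), pflog and pflow support would be silently compiled out instead of failing the build. Worth confirming those includes precede this point, or building once with `-Wundef` to make the preprocessor report an undefined name in an `#if`. The same check applies to the matching include hunk in pf_lb.c.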
@@ -227,9 +233,11 @@ int pf_step_out_of_anchor(int *, struct pf_ruleset **,
void pf_counters_inc(int, struct pf_pdesc *,
struct pf_state *, struct pf_rule *,
struct pf_rule *);
+#if NPFLOG > 0
void pf_log_matches(struct pf_pdesc *, struct pf_rule *,
struct pf_rule *, struct pf_ruleset *,
struct pf_rule_slist *);
+#endif /* NPFLOG > 0 */
extern struct pool pfr_ktable_pl;
extern struct pool pfr_kentry_pl;
@@ -937,7 +945,7 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_key **skw,
pfi_kif_ref(kif, PFI_KIF_REF_STATE);
#if NPFSYNC > 0
pfsync_insert_state(s);
-#endif
+#endif /* NPFSYNC > 0 */
return (0);
}
@@ -1100,7 +1108,9 @@ pf_state_export(struct pfsync_state *sp, struct pf_state *st)
sp->expire = htonl(expire - time_uptime);
sp->direction = st->direction;
+#if NPFLOG > 0
sp->log = st->log;
+#endif /* NPFLOG > 0 */
sp->timeout = st->timeout;
sp->state_flags = htons(st->state_flags);
if (!SLIST_EMPTY(&st->src_nodes))
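Review bot: With NPFLOG == 0 the `sp->log` assignment is dropped, yet `struct pfsync_state` appears to be the exported state record (the pf_ioctl.c hunk below imports the same struct from the ioctl path), so that byte is only well-defined if pf_state_export clears `*sp` before reaching this point; the head of the function is outside the hunk. If it does not, an `#else` branch with `sp->log = 0;` keeps the exported record deterministic and avoids copying an uninitialized kernel field out to peers or userland.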
@@ -1266,10 +1276,10 @@ pf_unlink_state(struct pf_state *cur)
#if NPFLOW > 0
if (cur->state_flags & PFSTATE_PFLOW)
export_pflow(cur);
-#endif
+#endif /* NPFLOW > 0 */
#if NPFSYNC > 0
pfsync_delete_state(cur);
-#endif
+#endif /* NPFSYNC > 0 */
cur->timeout = PFTM_UNLINKED;
pf_src_tree_remove_state(cur);
pf_detach_state(cur);
@@ -1287,7 +1297,7 @@ pf_free_state(struct pf_state *cur)
#if NPFSYNC > 0
if (pfsync_state_in_use(cur))
return;
-#endif
+#endif /* NPFSYNC > 0 */
KASSERT(cur->timeout == PFTM_UNLINKED);
if (--cur->rule.ptr->states_cur == 0 &&
cur->rule.ptr->src_nodes == 0)
@@ -3007,7 +3017,9 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a)
a->pqid = r->pqid;
if (r->rtableid >= 0)
a->rtableid = r->rtableid;
+#if NPFLOG > 0
a->log |= r->log;
+#endif /* NPFLOG > 0 */
if (r->scrub_flags & PFSTATE_SETTOS)
a->set_tos = r->set_tos;
if (r->min_ttl)
@@ -3225,11 +3237,13 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
REASON_SET(&reason, PFRES_TRANSLATE);
goto cleanup;
}
+#if NPFLOG > 0
if (r->log) {
REASON_SET(&reason, PFRES_MATCH);
PFLOG_PACKET(pd, reason, r, a, ruleset,
NULL);
}
+#endif /* NPFLOG > 0 */
} else {
match = asd;
*rm = r;
@@ -3238,8 +3252,10 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
arsm = aruleset;
}
+#if NPFLOG > 0
if (act.log & PF_LOG_MATCHES)
pf_log_matches(pd, r, a, ruleset, &rules);
+#endif /* NPFLOG > 0 */
if (r->quick)
break;
@@ -3269,10 +3285,12 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
}
REASON_SET(&reason, PFRES_MATCH);
+#if NPFLOG > 0
if (r->log)
PFLOG_PACKET(pd, reason, r, a, ruleset, NULL);
if (act.log & PF_LOG_MATCHES)
pf_log_matches(pd, r, a, ruleset, &rules);
+#endif /* NPFLOG > 0 */
if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
(r->action == PF_DROP) &&
@@ -3321,7 +3339,9 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
if (r->action == PF_PASS && pd->badopts && ! r->allow_opts) {
REASON_SET(&reason, PFRES_IPOPTIONS);
+#if NPFLOG > 0
pd->pflog |= PF_LOG_FORCE;
+#endif /* NPFLOG > 0 */
DPFPRINTF(LOG_NOTICE, "dropping packet with "
"ip/ipv6 options in pf_test_rule()");
goto cleanup;
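Review bot: The `#if NPFLOG > 0` / `pd->pflog |= PF_LOG_FORCE;` / `#endif` triplet added here is repeated, as `pd.pflog |= PF_LOG_FORCE;`, in four more hunks of pf_test below, which scatters preprocessor conditionals through the packet path and makes it easy for a future call site to omit the guard. A helper defined once next to the NPFLOG check, real when NPFLOG > 0 and an empty no-op otherwise, e.g. `pf_log_force(pd)` (name constructed), would let every call site stay unconditional; the `pd.pflog |= s->log;` blocks in the three pf_test state-lookup hunks could use the same treatment. pf_test_rule continues outside this hunk.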
@@ -3388,7 +3408,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
if (pfsync_defer(*sm, pd->m))
return (PF_DEFER);
}
-#endif
+#endif /* NPFSYNC > 0 */
if (r->rule_flag & PFRULE_ONCE)
pf_purge_rule(ruleset, r, aruleset, a);
@@ -3436,7 +3456,9 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
s->state_flags |= PFSTATE_SLOPPY;
if (r->rule_flag & PFRULE_PFLOW)
s->state_flags |= PFSTATE_PFLOW;
+#if NPFLOG > 0
s->log = act->log & PF_LOG_ALL;
+#endif /* NPFLOG > 0 */
s->qid = act->qid;
s->pqid = act->pqid;
s->rtableid[pd->didx] = act->rtableid;
@@ -3447,7 +3469,7 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
s->state_flags |= act->flags;
#if NPFSYNC > 0
s->sync_state = PFSYNC_S_NONE;
-#endif
+#endif /* NPFSYNC > 0 */
s->set_prio[0] = act->set_prio[0];
s->set_prio[1] = act->set_prio[1];
SLIST_INIT(&s->src_nodes);
@@ -6080,7 +6102,7 @@ pf_setup_pdesc(struct pf_pdesc *pd, void *pdhdrs, sa_family_t af, int dir,
REASON_SET(reason, PFRES_NORM);
return (PF_DROP);
}
-#endif
+#endif /* 1 */
pd->src = (struct pf_addr *)&h->ip6_src;
pd->dst = (struct pf_addr *)&h->ip6_dst;
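Review bot: The annotation `#endif /* 1 */` says nothing about what the conditional encloses, so unlike the other `#endif` comments in this commit it does not help a reader; the `#if 1` it closes is outside the hunk. Either replace the comment with one naming what the block checks, or, if the `#if 1` is a leftover, remove the conditional altogether rather than documenting it.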
@@ -6300,7 +6322,9 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
action = pf_setup_pdesc(&pd, &pdhdrs, af, dir, kif, *m0, &reason);
if (action != PF_PASS) {
+#if NPFLOG > 0
pd.pflog |= PF_LOG_FORCE;
+#endif /* NPFLOG > 0 */
goto done;
}
@@ -6320,7 +6344,9 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
if (pd.m == NULL)
return PF_PASS;
if (action != PF_PASS) {
+#if NPFLOG > 0
pd.pflog |= PF_LOG_FORCE;
+#endif /* NPFLOG > 0 */
goto done;
}
@@ -6329,7 +6355,9 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
action = pf_setup_pdesc(&pd, &pdhdrs, af, dir, kif, *m0,
&reason);
if (action != PF_PASS) {
+#if NPFLOG > 0
pd.pflog |= PF_LOG_FORCE;
+#endif /* NPFLOG > 0 */
goto done;
}
}
@@ -6360,10 +6388,12 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
if (action == PF_PASS || action == PF_AFRT) {
#if NPFSYNC > 0
pfsync_update_state(s);
-#endif /* NPFSYNC */
+#endif /* NPFSYNC > 0 */
r = s->rule.ptr;
a = s->anchor.ptr;
+#if NPFLOG > 0
pd.pflog |= s->log;
+#endif /* NPFLOG > 0 */
} else if (s == NULL)
action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
break;
@@ -6382,10 +6412,12 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
if (action == PF_PASS || action == PF_AFRT) {
#if NPFSYNC > 0
pfsync_update_state(s);
-#endif /* NPFSYNC */
+#endif /* NPFSYNC > 0 */
r = s->rule.ptr;
a = s->anchor.ptr;
+#if NPFLOG > 0
pd.pflog |= s->log;
+#endif /* NPFLOG > 0 */
} else if (s == NULL)
action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
break;
@@ -6404,10 +6436,12 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
if (action == PF_PASS || action == PF_AFRT) {
#if NPFSYNC > 0
pfsync_update_state(s);
-#endif /* NPFSYNC */
+#endif /* NPFSYNC > 0 */
r = s->rule.ptr;
a = s->anchor.ptr;
+#if NPFLOG > 0
pd.pflog |= s->log;
+#endif /* NPFLOG > 0 */
} else if (s == NULL)
action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
@@ -6430,7 +6464,9 @@ done:
!(s->state_flags & PFSTATE_ALLOWOPTS)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
+#if NPFLOG > 0
pd.pflog |= PF_LOG_FORCE;
+#endif /* NPFLOG > 0 */
DPFPRINTF(LOG_NOTICE, "dropping packet with "
"ip/ipv6 options in pf_test()");
}
@@ -6501,6 +6537,7 @@ done:
if (action == PF_PASS && r->divert_packet.port)
action = PF_DIVERT;
+#if NPFLOG > 0
if (pd.pflog) {
struct pf_rule_item *ri;
@@ -6513,6 +6550,7 @@ done:
ruleset, NULL);
}
}
+#endif /* NPFLOG > 0 */
pf_counters_inc(action, &pd, s, r, a);
@@ -6633,6 +6671,7 @@ pf_pkt_addr_changed(struct mbuf *m)
m->m_pkthdr.pf.inp = NULL;
}
+#if NPFLOG > 0
void
pf_log_matches(struct pf_pdesc *pd, struct pf_rule *rm, struct pf_rule *am,
struct pf_ruleset *ruleset, struct pf_rule_slist *matchrules)
@@ -6647,3 +6686,4 @@ pf_log_matches(struct pf_pdesc *pd, struct pf_rule *rm, struct pf_rule *am,
if (ri->r->log & PF_LOG_MATCHES)
PFLOG_PACKET(pd, PFRES_MATCH, rm, am, ruleset, ri->r);
}
+#endif /* NPFLOG > 0 */
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 857ad2152c4..3e183ea4799 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.285 2015/04/11 13:00:12 dlg Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.286 2015/07/18 19:19:00 sashan Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1344,7 +1344,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
#if NPFSYNC > 0
/* don't send out individual delete messages */
SET(s->state_flags, PFSTATE_NOSYNC);
-#endif
+#endif /* NPFSYNC > 0 */
pf_unlink_state(s);
killed++;
}
@@ -1352,7 +1352,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
psk->psk_killed = killed;
#if NPFSYNC > 0
pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
-#endif
+#endif /* NPFSYNC > 0 */
break;
}
@@ -1434,7 +1434,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = pfsync_state_import(sp, PFSYNC_SI_IOCTL);
break;
}
-#endif
+#endif /* NPFSYNC > 0 */
case DIOCGETSTATE: {
struct pfioc_state *ps = (struct pfioc_state *)addr;
@@ -2428,7 +2428,7 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
#if NPFLOG > 0
if (!to->log)
to->logif = 0;
-#endif
+#endif /* NPFLOG > 0 */
to->quick = from->quick;
to->ifnot = from->ifnot;
to->rcvifnot = from->rcvifnot;
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c
index 3dcb7bcb364..473d0dd974e 100644
--- a/sys/net/pf_lb.c
+++ b/sys/net/pf_lb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_lb.c,v 1.46 2015/07/18 15:19:44 sashan Exp $ */
+/* $OpenBSD: pf_lb.c,v 1.47 2015/07/18 19:19:00 sashan Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -74,8 +74,14 @@
#include <netinet/in_pcb.h>
#include <net/pfvar.h>
+
+#if NPFLOG > 0
#include <net/if_pflog.h>
+#endif /* NPFLOG > 0 */
+
+#if NPFLOW > 0
#include <net/if_pflow.h>
+#endif /* NPFLOW > 0 */
#if NPFSYNC > 0
#include <net/if_pfsync.h>
diff --git a/sys/net/pf_osfp.c b/sys/net/pf_osfp.c
index 5fe6ca587eb..34888c2a233 100644
--- a/sys/net/pf_osfp.c
+++ b/sys/net/pf_osfp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_osfp.c,v 1.30 2015/07/16 16:12:15 mpi Exp $ */
+/* $OpenBSD: pf_osfp.c,v 1.31 2015/07/18 19:19:00 sashan Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
@@ -39,7 +39,7 @@
#ifdef _KERNEL
typedef struct pool pool_t;
-#else
+#else /* !_KERNEL */
/* Userland equivalents so we can lend code to tcpdump et al. */
# include <arpa/inet.h>
@@ -113,9 +113,9 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6,
const u_int8_t *optp;
#ifdef _KERNEL
char srcname[128];
-#else
+#else /* !_KERNEL */
char srcname[NI_MAXHOST];
-#endif
+#endif /* _KERNEL */
if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN)
return (NULL);
@@ -129,7 +129,7 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6,
if (ip) {
#ifndef _KERNEL
struct sockaddr_in sin;
-#endif
+#endif /* _KERNEL */
fp.fp_psize = ntohs(ip->ip_len);
fp.fp_ttl = ip->ip_ttl;
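Review bot: `#endif /* _KERNEL */` added here closes an `#ifndef _KERNEL`, so the annotation states the opposite of the guard's condition, and the later `@@ -168,9 +168,9 @@` hunk does the reverse by closing an `#ifdef _KERNEL` block with `#endif /* !_KERNEL */`. The rest of this file's hunks annotate by the `#if` condition (`#ifndef _KERNEL` → `/* !_KERNEL */`, `#ifdef _KERNEL` → `/* _KERNEL */`), so this line should read `#endif /* !_KERNEL */` and the one in the later hunk `#endif /* _KERNEL */`. A misleading `#endif` comment is worse than none, since readers use it to find the matching opener.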
@@ -137,7 +137,7 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6,
fp.fp_flags |= PF_OSFP_DF;
#ifdef _KERNEL
inet_ntop(AF_INET, &ip->ip_src, srcname, sizeof(srcname));
-#else
+#else /* !_KERNEL */
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_len = sizeof(struct sockaddr_in);
@@ -145,13 +145,13 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6,
(void)getnameinfo((struct sockaddr *)&sin,
sizeof(struct sockaddr_in), srcname, sizeof(srcname),
NULL, 0, NI_NUMERICHOST);
-#endif
+#endif /* _KERNEL */
}
#ifdef INET6
else if (ip6) {
#ifndef _KERNEL
struct sockaddr_in6 sin6;
-#endif
+#endif /* !_KERNEL */
/* jumbo payload? */
fp.fp_psize = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
@@ -160,7 +160,7 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6,
fp.fp_flags |= PF_OSFP_INET6;
#ifdef _KERNEL
inet_ntop(AF_INET6, &ip6->ip6_src, srcname, sizeof(srcname));
-#else
+#else /* !_KERNEL */
memset(&sin6, 0, sizeof(sin6));
sin6.sin6_family = AF_INET6;
sin6.sin6_len = sizeof(struct sockaddr_in6);
@@ -168,9 +168,9 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6,
(void)getnameinfo((struct sockaddr *)&sin6,
sizeof(struct sockaddr_in6), srcname, sizeof(srcname),
NULL, 0, NI_NUMERICHOST);
-#endif
+#endif /* !_KERNEL */
}
-#endif
+#endif /* INET6 */
else
return (NULL);
fp.fp_wsize = ntohs(tcp->th_win);
diff --git a/sys/net/pf_ruleset.c b/sys/net/pf_ruleset.c
index d8abc403dbe..b04c0ee5545 100644
--- a/sys/net/pf_ruleset.c
+++ b/sys/net/pf_ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ruleset.c,v 1.9 2014/07/22 11:06:10 mpi Exp $ */
+/* $OpenBSD: pf_ruleset.c,v 1.10 2015/07/18 19:19:00 sashan Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -59,7 +59,7 @@
#define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK|M_CANFAIL|M_ZERO)
#define rs_free(x) free(x, M_TEMP, 0)
-#else
+#else /* !_KERNEL */
/* Userland equivalents so we can lend code to pfctl et al. */
# include <arpa/inet.h>
@@ -72,7 +72,7 @@
# ifdef PFDEBUG
# include <sys/stdarg.h> /* for DPFPRINTF() */
-# endif
+# endif /* PFDEBUG */
#endif /* _KERNEL */