diff options
author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2005-03-03 07:13:40 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2005-03-03 07:13:40 +0000 |
commit | 74e31718e934b6c70edeae5da1c065fb025d7b22 (patch) | |
tree | 199a18726ff02f0afb14fa75f250de67378c73d1 /sys | |
parent | 4cc14d352e644d696645f03b9dcbbf778544d83d (diff) |
when tagging, apply the same tag to all packets matching a state entry
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 23 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 14 | ||||
-rw-r--r-- | sys/net/pfvar.h | 4 |
3 files changed, 38 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index ad2678132f8..dd775bcff49 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.480 2005/02/27 15:08:39 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.481 2005/03/03 07:13:39 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -992,6 +992,8 @@ pf_purge_expired_state(struct pf_state *cur) pf_normalize_tcp_cleanup(cur); pfi_detach_state(cur->u.s.kif); TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates); + if (cur->tag) + pf_tag_unref(cur->tag); pool_put(&pf_state_pl, cur); pf_status.fcounters[FCNT_STATE_REMOVALS]++; pf_status.states--; @@ -3003,6 +3005,10 @@ cleanup: return (PF_DROP); } else *sm = s; + if (tag > 0) { + pf_tag_ref(tag); + s->tag = tag; + } if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && r->keep_state == PF_STATE_SYNPROXY) { s->src.state = PF_TCPS_PROXY_SRC; @@ -3303,6 +3309,10 @@ cleanup: return (PF_DROP); } else *sm = s; + if (tag > 0) { + pf_tag_ref(tag); + s->tag = tag; + } } /* copy back packet headers if we performed NAT operations */ @@ -3589,6 +3599,10 @@ cleanup: return (PF_DROP); } else *sm = s; + if (tag > 0) { + pf_tag_ref(tag); + s->tag = tag; + } } #ifdef INET6 @@ -3857,6 +3871,10 @@ cleanup: return (PF_DROP); } else *sm = s; + if (tag > 0) { + pf_tag_ref(tag); + s->tag = tag; + } } return (PF_PASS); @@ -5864,6 +5882,9 @@ done: ("pf: dropping packet with ip options\n")); } + if (s && s->tag) + pf_tag_packet(m, pf_get_tag(m), s->tag); + #ifdef ALTQ if (action == PF_PASS && r->qid) { struct m_tag *mtag; diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 750fa1e2969..f73c67b852f 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.138 2005/01/05 18:11:55 mcbride Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.139 2005/03/03 07:13:39 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -702,6 +702,18 @@ pf_tag2tagname(u_int16_t tagid, char *p) } void +pf_tag_ref(u_int16_t tag) +{ + struct pf_tagname *t; + + TAILQ_FOREACH(t, &pf_tags, entries) + if (t->tag == tag) + break; + if (t != NULL) + t->ref++; +} + +void pf_tag_unref(u_int16_t tag) { return (tag_unref(&pf_tags, tag)); diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index c4424264597..d27d01d2323 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.212 2005/01/30 00:02:30 dhartmei Exp $ */ +/* $OpenBSD: pfvar.h,v 1.213 2005/03/03 07:13:39 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -686,6 +686,7 @@ struct pf_state { u_int32_t packets[2]; u_int32_t bytes[2]; u_int32_t creatorid; + u_int16_t tag; sa_family_t af; u_int8_t proto; u_int8_t direction; @@ -1538,6 +1539,7 @@ extern struct pfi_statehead pfi_statehead; u_int16_t pf_tagname2tag(char *); void pf_tag2tagname(u_int16_t, char *); +void pf_tag_ref(u_int16_t); void pf_tag_unref(u_int16_t); int pf_tag_packet(struct mbuf *, struct pf_tag *, int); u_int32_t pf_qname2qid(char *); |