authorHenning Brauer <henning@cvs.openbsd.org>2009-11-23 18:04:11 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2009-11-23 18:04:11 +0000
commit19f49e0091711ae7866bbff745001326b4920bb7 (patch)
treefa6aeb8c9b3635490193577aff12be2f3777cdc3 /sys
parent9247ff805bb61e33937eb50cd1fb597172176a4f (diff)
sync the handling of the log flag from pf_test (where it is correct)
to pf_test6 (where it is wrong in some edge cases, for match rules, and logs a packet twice in some cases). ok claudio
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c50
1 files changed, 32 insertions, 18 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 69e2c094108..3b47dbc1b3d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.673 2009/11/23 17:22:11 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.674 2009/11/23 18:04:10 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5785,7 +5785,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (m->m_pkthdr.len < (int)sizeof(*h)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log = 1;
+ log |= PF_LOG_FORCE;
goto done;
}
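Review bot: Switching the short-header drop path from `log = 1` to `log |= PF_LOG_FORCE` makes the logging decision depend on `log` having been zero-initialised where it is declared at the top of pf_test6, which is outside this hunk; the old assignment did not have that dependency, so the initialiser is worth confirming. The same `=` to `|=` change is made in the rthdr, rthdr0, short-opt and "dangerous v6 headers" hunks below, and the `log |= s->log` hunks likewise assume a clean starting value. The enclosing pf_test6 body starts before and continues after this hunk.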
@@ -5846,7 +5846,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
("pf: IPv6 more than one rthdr\n"));
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log = 1;
+ log |= PF_LOG_FORCE;
goto done;
}
if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
@@ -5855,7 +5855,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
("pf: IPv6 short rthdr\n"));
action = PF_DROP;
REASON_SET(&reason, PFRES_SHORT);
- log = 1;
+ log |= PF_LOG_FORCE;
goto done;
}
if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
@@ -5863,7 +5863,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
("pf: IPv6 rthdr0\n"));
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log = 1;
+ log |= PF_LOG_FORCE;
goto done;
}
/* FALLTHROUGH */
@@ -5879,7 +5879,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
DPFPRINTF(PF_DEBUG_MISC,
("pf: IPv6 short opt\n"));
action = PF_DROP;
- log = 1;
+ log |= PF_LOG_FORCE;
goto done;
}
if (pd.proto == IPPROTO_AH)
@@ -5908,7 +5908,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
pd.hdr.tcp = &th;
if (!pf_pull_hdr(m, off, &th, sizeof(th),
&action, &reason, AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
goto done;
}
pd.p_len = pd.tot_len - off - (th.th_off << 2);
@@ -5925,7 +5926,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -5945,7 +5946,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
pd.hdr.udp = &uh;
if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
&action, &reason, AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
goto done;
}
if (uh.uh_dport == 0 ||
@@ -5964,7 +5966,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -5989,7 +5991,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
pd.hdr.icmp6 = &ih.icmp6;
if (!pf_pull_hdr(m, off, &ih, icmp_hlen,
&action, &reason, AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
goto done;
}
/* ICMP headers we look further into to match state */
@@ -6006,7 +6009,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
if (icmp_hlen > sizeof(struct icmp6_hdr) &&
!pf_pull_hdr(m, off, &ih, icmp_hlen,
&action, &reason, AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
goto done;
}
action = pf_test_state_icmp(&s, dir, kif,
@@ -6017,7 +6021,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6032,7 +6036,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
#endif /* NPFSYNC */
r = s->rule.ptr;
a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, h,
&pd, &a, &ruleset, &ip6intrq);
@@ -6050,7 +6054,7 @@ done:
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_IPOPTIONS);
- log = 1;
+ log |= PF_LOG_FORCE;;
DPFPRINTF(PF_DEBUG_MISC,
("pf: dropping packet with dangerous v6 headers\n"));
}
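Review bot: The new line in the "dangerous v6 headers" branch has a stray second semicolon, `log |= PF_LOG_FORCE;;`, which compiles as an empty statement but reads as a typo and will trip lint or `-Wextra`-style empty-statement warnings; it should be `log |= PF_LOG_FORCE;`. The enclosing `done:` section continues outside the hunk.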
@@ -6103,9 +6107,19 @@ done:
action = PF_DIVERT;
}
- if (log)
- PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset,
- &pd);
+ if (log) {
+ struct pf_rule_item *ri;
+
+ if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
+ PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a,
+ ruleset, &pd);
+ if (s) {
+ SLIST_FOREACH(ri, &s->match_rules, entry)
+ if (ri->r->log & PF_LOG_ALL)
+ PFLOG_PACKET(kif, h, m, AF_INET6, dir,
+ reason, ri->r, a, ruleset, &pd);
+ }
+ }
kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
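Review bot: The condition `if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)` in the new logging block relies on `&` binding tighter than `||`, which is correct but is the exact shape `-Wparentheses` warns about and that readers routinely misparse; `if ((log & PF_LOG_FORCE) || (r->log & PF_LOG_ALL))` states the intent without changing behaviour. The new block also dereferences `r` unconditionally in `r->log`, as the old PFLOG_PACKET call already did implicitly, so this presumably rests on pf_test6 starting with `r` pointing at the default rule; that initialisation is not visible in the hunk. A one-line comment above the `SLIST_FOREACH` such as `/* also log for every matching 'match' rule that asked for it */` would make the two-stage decision (final rule vs. match rules) clearer to the next reader. The enclosing pf_test6 body continues past this hunk.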