author | Henning Brauer <henning@cvs.openbsd.org> | 2009-11-23 18:04:11 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2009-11-23 18:04:11 +0000 |
commit | 19f49e0091711ae7866bbff745001326b4920bb7 (patch) | |
tree | fa6aeb8c9b3635490193577aff12be2f3777cdc3 /sys | |
parent | 9247ff805bb61e33937eb50cd1fb597172176a4f (diff) |
sync the handling of the log flag from pf_test (where it is correct)
to pf_test6 (where it is wrong in some edge cases, for match rules and
logs a packet twice in some cases). ok claudio
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 50 |
1 files changed, 32 insertions, 18 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 69e2c094108..3b47dbc1b3d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.673 2009/11/23 17:22:11 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.674 2009/11/23 18:04:10 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -5785,7 +5785,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 if (m->m_pkthdr.len < (int)sizeof(*h)) {
 action = PF_DROP;
 REASON_SET(&reason, PFRES_SHORT);
- log = 1;
+ log |= PF_LOG_FORCE;
 goto done;
 }
 
@@ -5846,7 +5846,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 ("pf: IPv6 more than one rthdr\n"));
 action = PF_DROP;
 REASON_SET(&reason, PFRES_IPOPTIONS);
- log = 1;
+ log |= PF_LOG_FORCE;
 goto done;
 }
 if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
@@ -5855,7 +5855,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 ("pf: IPv6 short rthdr\n"));
 action = PF_DROP;
 REASON_SET(&reason, PFRES_SHORT);
- log = 1;
+ log |= PF_LOG_FORCE;
 goto done;
 }
 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
@@ -5863,7 +5863,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 ("pf: IPv6 rthdr0\n"));
 action = PF_DROP;
 REASON_SET(&reason, PFRES_IPOPTIONS);
- log = 1;
+ log |= PF_LOG_FORCE;
 goto done;
 }
 /* FALLTHROUGH */
@@ -5879,7 +5879,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 DPFPRINTF(PF_DEBUG_MISC,
 ("pf: IPv6 short opt\n"));
 action = PF_DROP;
- log = 1;
+ log |= PF_LOG_FORCE;
 goto done;
 }
 if (pd.proto == IPPROTO_AH)
@@ -5908,7 +5908,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 pd.hdr.tcp = &th;
 if (!pf_pull_hdr(m, off, &th, sizeof(th), &action, &reason,
 AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
 goto done;
 }
 pd.p_len = pd.tot_len - off - (th.th_off << 2);
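Review bot: Replacing `log = 1` with `log |= PF_LOG_FORCE` in the @@ -5785 hunk (and likewise in the -5846, -5855, -5863 and -5879 hunks, plus the `log |= s->log` hunks that follow) makes every path depend on `log` holding zero before the first OR; the declaration of `log` is outside these hunks, so please confirm it is initialised to 0 at its definition rather than left indeterminate, since a plain assignment never needed that. The @@ -5908 hunk also changes semantics slightly: the old `log = action != PF_PASS` cleared any earlier log bits when `pf_pull_hdr` left `action` at PF_PASS, while the new `if (action != PF_PASS) log |= PF_LOG_FORCE;` keeps them, which looks intended given the other hunks but is worth a word in the commit message. pf_test6 begins and ends outside these hunks.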
@@ -5925,7 +5926,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 #endif /* NPFSYNC */
 r = s->rule.ptr;
 a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
 } else if (s == NULL)
 action = pf_test_rule(&r, &s, dir, kif, m, off, h,
 &pd, &a, &ruleset, &ip6intrq);
@@ -5945,7 +5946,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 pd.hdr.udp = &uh;
 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), &action, &reason,
 AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
 goto done;
 }
 if (uh.uh_dport == 0 ||
@@ -5964,7 +5966,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 #endif /* NPFSYNC */
 r = s->rule.ptr;
 a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
 } else if (s == NULL)
 action = pf_test_rule(&r, &s, dir, kif, m, off, h,
 &pd, &a, &ruleset, &ip6intrq);
@@ -5989,7 +5991,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 pd.hdr.icmp6 = &ih.icmp6;
 if (!pf_pull_hdr(m, off, &ih, icmp_hlen, &action, &reason,
 AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
 goto done;
 }
 /* ICMP headers we look further into to match state */
@@ -6006,7 +6009,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 if (icmp_hlen > sizeof(struct icmp6_hdr) &&
 !pf_pull_hdr(m, off, &ih, icmp_hlen, &action, &reason,
 AF_INET6)) {
- log = action != PF_PASS;
+ if (action != PF_PASS)
+ log |= PF_LOG_FORCE;
 goto done;
 }
 action = pf_test_state_icmp(&s, dir, kif,
@@ -6017,7 +6021,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 #endif /* NPFSYNC */
 r = s->rule.ptr;
 a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
 } else if (s == NULL)
 action = pf_test_rule(&r, &s, dir, kif, m, off, h,
 &pd, &a, &ruleset, &ip6intrq);
@@ -6032,7 +6036,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 #endif /* NPFSYNC */
 r = s->rule.ptr;
 a = s->anchor.ptr;
- log = s->log;
+ log |= s->log;
 } else if (s == NULL)
 action = pf_test_rule(&r, &s, dir, kif, m, off, h,
 &pd, &a, &ruleset, &ip6intrq);
@@ -6050,7 +6054,7 @@ done:
 !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
 action = PF_DROP;
 REASON_SET(&reason, PFRES_IPOPTIONS);
- log = 1;
+ log |= PF_LOG_FORCE;;
 DPFPRINTF(PF_DEBUG_MISC,
 ("pf: dropping packet with dangerous v6 headers\n"));
 }
@@ -6103,9 +6107,19 @@ done:
 action = PF_DIVERT;
 }
 
- if (log)
- PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset,
- &pd);
+ if (log) {
+ struct pf_rule_item *ri;
+
+ if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
+ PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a,
+ ruleset, &pd);
+ if (s) {
+ SLIST_FOREACH(ri, &s->match_rules, entry)
+ if (ri->r->log & PF_LOG_ALL)
+ PFLOG_PACKET(kif, h, m, AF_INET6, dir,
+ reason, ri->r, a, ruleset, &pd);
+ }
+ }
 
 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
|
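Review bot: The added line `log |= PF_LOG_FORCE;;` in the @@ -6050 hunk carries a stray second semicolon; it compiles to an empty statement but reads as a typo and should be `log |= PF_LOG_FORCE;`. The `done:` block this sits in starts and ends outside the hunk.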
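Review bot: In the @@ -6103 hunk, `if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)` relies on `&` binding tighter than `||`, which is correct but easy to misread as a mask; `if ((log & PF_LOG_FORCE) || (r->log & PF_LOG_ALL))` would make the intent unambiguous. The new match-rule loop only runs when `s` is non-NULL, so a packet whose `match` rules had `log (all)` but that created no state is logged only through `r`; if that is the intended division of labour with pf_test_rule (as the commit message suggests, mirroring pf_test), a short comment above `if (s)` such as `/* match rules with log (all) are re-logged per packet via the state's match_rules */` would save the next reader the question. `r` is dereferenced unconditionally here, as it already is via `r->allow_opts` in the -6050 hunk; its initialisation is outside these hunks.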