src - OpenBSD base system

diff options


context:
space:
mode:

author	Alexander Bluhm <bluhm@cvs.openbsd.org>	2011-07-03 23:33:39 +0000
committer	Alexander Bluhm <bluhm@cvs.openbsd.org>	2011-07-03 23:33:39 +0000
commit	8c4fabd58502851b921aa22c22ff07c9d5e3769a (patch)
tree	90e2f65ef5568234668146eafb3adc8808a280b1 /sys
parent	a1944dc1f6a9bd8737295db8f335793d5f295463 (diff)

In pf_setup_pdesc() the code for analysing TCP and UDP headers was

the same for v4 and v6. Deduplicate by moving the protocol switch after the address family switch. ok henning@ claudio@

Diffstat (limited to 'sys')

-rw-r--r--

sys/net/pf.c

155

1 files changed, 60 insertions, 95 deletions

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 60ea53f0561..51daae475b8 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pf.c,v 1.754 2011/07/03 18:42:45 henning Exp $ */

+/* $OpenBSD: pf.c,v 1.755 2011/07/03 23:33:38 bluhm Exp $ */

@@ -5542,46 +5542,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,

REASON_SET(reason, PFRES_FRAG);

return (-1);

}

- switch (h->ip_p) {

- case IPPROTO_TCP: {

- struct tcphdr *th = pd->hdr.tcp;

- if (!pf_pull_hdr(m, *off, th, sizeof(*th),

- action, reason, AF_INET))

- return (-1);

- *hdrlen = sizeof(*th);

- pd->p_len = pd->tot_len - *off - (th->th_off << 2);

- pd->sport = &th->th_sport;

- pd->dport = &th->th_dport;

- break;

- }

- case IPPROTO_UDP: {

- struct udphdr *uh = pd->hdr.udp;

- if (!pf_pull_hdr(m, *off, uh, sizeof(*uh),

- action, reason, AF_INET))

- return (-1);

- *hdrlen = sizeof(*uh);

- if (uh->uh_dport == 0 ||

- ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off ||

- ntohs(uh->uh_ulen) < sizeof(struct udphdr)) {

- *action = PF_DROP;

- REASON_SET(reason, PFRES_SHORT);

- return (-1);

- }

- pd->sport = &uh->uh_sport;

- pd->dport = &uh->uh_dport;

- break;

- }

- case IPPROTO_ICMP: {

- if (!pf_pull_hdr(m, *off, pd->hdr.icmp, ICMP_MINLEN,

- action, reason, AF_INET))

- return (-1);

- *hdrlen = ICMP_MINLEN;

- break;

- }

break;

}

#endif

@@ -5698,69 +5658,74 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,

break;

}

} while (!terminal);

+ break;

+ }

+#endif

+ default:

+ panic("pf_setup_pdesc called with illegal af %u", af);

- switch (pd->proto) {

- case IPPROTO_TCP: {

- struct tcphdr *th = pd->hdr.tcp;

+ }

- if (!pf_pull_hdr(m, *off, th, sizeof(*th),

- action, reason, AF_INET6))

- return (-1);

- *hdrlen = sizeof(*th);

- pd->p_len = pd->tot_len - *off - (th->th_off << 2);

- pd->sport = &th->th_sport;

- pd->dport = &th->th_dport;

- break;

- }

- case IPPROTO_UDP: {

- struct udphdr *uh = pd->hdr.udp;

+ switch (pd->proto) {

+ case IPPROTO_TCP: {

+ struct tcphdr *th = pd->hdr.tcp;

- if (!pf_pull_hdr(m, *off, uh, sizeof(*uh),

- action, reason, AF_INET6))

- return (-1);

- *hdrlen = sizeof(*uh);

- if (uh->uh_dport == 0 ||

- ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off ||

- ntohs(uh->uh_ulen) < sizeof(struct udphdr)) {

- *action = PF_DROP;

- REASON_SET(reason, PFRES_SHORT);

- return (-1);

- }

- pd->sport = &uh->uh_sport;

- pd->dport = &uh->uh_dport;

- break;

+ if (!pf_pull_hdr(m, *off, th, sizeof(*th), action, reason, af))

+ return (-1);

+ *hdrlen = sizeof(*th);

+ pd->p_len = pd->tot_len - *off - (th->th_off << 2);

+ pd->sport = &th->th_sport;

+ pd->dport = &th->th_dport;

+ break;

+ }

+ case IPPROTO_UDP: {

+ struct udphdr *uh = pd->hdr.udp;

+ if (!pf_pull_hdr(m, *off, uh, sizeof(*uh), action, reason, af))

+ return (-1);

+ *hdrlen = sizeof(*uh);

+ if (uh->uh_dport == 0 ||

+ ntohs(uh->uh_ulen) > m->m_pkthdr.len - *off ||

+ ntohs(uh->uh_ulen) < sizeof(struct udphdr)) {

+ *action = PF_DROP;

+ REASON_SET(reason, PFRES_SHORT);

+ return (-1);

}

- case IPPROTO_ICMPV6: {

- size_t icmp_hlen = sizeof(struct icmp6_hdr);

+ pd->sport = &uh->uh_sport;

+ pd->dport = &uh->uh_dport;

+ break;

+ }

+ case IPPROTO_ICMP: {

+ if (!pf_pull_hdr(m, *off, pd->hdr.icmp, ICMP_MINLEN,

+ action, reason, af))

+ return (-1);

+ *hdrlen = ICMP_MINLEN;

+ break;

+ }

+ case IPPROTO_ICMPV6: {

+ size_t icmp_hlen = sizeof(struct icmp6_hdr);

- if (!pf_pull_hdr(m, *off, pd->hdr.icmp6, icmp_hlen,

- action, reason, AF_INET6))

- return (-1);

- /* ICMP headers we look further into to match state */

- switch (pd->hdr.icmp6->icmp6_type) {

- case MLD_LISTENER_QUERY:

- case MLD_LISTENER_REPORT:

- icmp_hlen = sizeof(struct mld_hdr);

- break;

- case ND_NEIGHBOR_SOLICIT:

- case ND_NEIGHBOR_ADVERT:

- icmp_hlen = sizeof(struct nd_neighbor_solicit);

- break;

- }

- if (icmp_hlen > sizeof(struct icmp6_hdr) &&

- !pf_pull_hdr(m, *off, pd->hdr.icmp6, icmp_hlen,

- action, reason, AF_INET6))

- return (-1);

- *hdrlen = icmp_hlen;

+ if (!pf_pull_hdr(m, *off, pd->hdr.icmp6, icmp_hlen,

+ action, reason, af))

+ return (-1);

+ /* ICMP headers we look further into to match state */

+ switch (pd->hdr.icmp6->icmp6_type) {

+ case MLD_LISTENER_QUERY:

+ case MLD_LISTENER_REPORT:

+ icmp_hlen = sizeof(struct mld_hdr);

+ break;

+ case ND_NEIGHBOR_SOLICIT:

+ case ND_NEIGHBOR_ADVERT:

+ icmp_hlen = sizeof(struct nd_neighbor_solicit);

break;

}

- }

+ if (icmp_hlen > sizeof(struct icmp6_hdr) &&

+ !pf_pull_hdr(m, *off, pd->hdr.icmp6, icmp_hlen,

+ action, reason, af))

+ return (-1);

+ *hdrlen = icmp_hlen;

break;

}

-#endif

- default:

- panic("pf_setup_pdesc called with illegal af %u", af);

}

return (0);

}