authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2008-05-29 01:00:54 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2008-05-29 01:00:54 +0000
commitc496441ad96ff1d247439f6f966240d5f8e657fd (patch)
tree5667310b4fbf5a6b6cab31c04126b2780c0795de /usr.sbin
parentb4ce6f58e6b8cf560109ecf401d63df14e2f9431 (diff)
Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes. - Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical. - Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST) ok henning beck deraadt tested by otto dlg beck laurent Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/tcpdump/pf_print_state.c48
1 files changed, 30 insertions, 18 deletions
diff --git a/usr.sbin/tcpdump/pf_print_state.c b/usr.sbin/tcpdump/pf_print_state.c
index 745dadc9da2..2306cf9768a 100644
--- a/usr.sbin/tcpdump/pf_print_state.c
+++ b/usr.sbin/tcpdump/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.5 2008/05/09 11:57:52 mpf Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.6 2008/05/29 01:00:53 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -129,17 +129,15 @@ print_name(struct pf_addr *addr, sa_family_t af)
}
void
-print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
+print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
- u_int16_t p = ntohs(h->port);
-
if (opts & PF_OPT_USEDNS)
- print_name(&h->addr, af);
+ print_name(addr, af);
else {
struct pf_addr_wrap aw;
memset(&aw, 0, sizeof(aw));
- aw.v.a.addr = h->addr;
+ aw.v.a.addr = *addr;
if (af == AF_INET)
aw.v.a.mask.addr32[0] = 0xffffffff;
else {
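Review bot: The new `port` parameter of print_host arrives in network byte order, but nothing at the signature says so; the old body made that visible with `u_int16_t p = ntohs(h->port);` on its first line, and the conversion has now moved into two separate `ntohs(port)` calls in the following hunk. Converting once at the top, `u_int16_t p = ntohs(port);`, and printing `p` in the `if (port)` block keeps a single point of conversion, and a comment on the declaration such as `/* port is in network byte order; 0 means no port */` would carry the contract to the prototype as well. The `if (port)` test itself is byte-order neutral, so either form prints the same thing. print_host's body continues into the next hunk.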
@@ -149,11 +147,11 @@ print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
}
- if (p) {
+ if (port) {
if (af == AF_INET)
- printf(":%u", p);
+ printf(":%u", ntohs(port));
else
- printf("[%u]", p);
+ printf("[%u]", ntohs(port));
}
}
@@ -172,31 +170,45 @@ void
print_state(struct pfsync_state *s, int opts)
{
struct pfsync_state_peer *src, *dst;
+ struct pfsync_state_key *sk, *nk;
int min, sec;
if (s->direction == PF_OUT) {
src = &s->src;
dst = &s->dst;
+ sk = &s->key[PF_SK_STACK];
+ nk = &s->key[PF_SK_WIRE];
+ if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
+ sk->port[0] = nk->port[0];
} else {
src = &s->dst;
dst = &s->src;
+ sk = &s->key[PF_SK_WIRE];
+ nk = &s->key[PF_SK_STACK];
+ if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
+ sk->port[1] = nk->port[1];
}
printf("%s ", s->ifname);
printf("%s ", ipproto_string(s->proto));
- if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
- (s->lan.port != s->gwy.port)) {
- print_host(&s->lan, s->af, opts);
- if (s->direction == PF_OUT)
- printf(" -> ");
- else
- printf(" <- ");
+
+ print_host(&nk->addr[1], nk->port[1], s->af, opts);
+ if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
+ nk->port[1] != sk->port[1]) {
+ printf(" (");
+ print_host(&sk->addr[1], sk->port[1], s->af, opts);
+ printf(")");
}
- print_host(&s->gwy, s->af, opts);
if (s->direction == PF_OUT)
printf(" -> ");
else
printf(" <- ");
- print_host(&s->ext, s->af, opts);
+ print_host(&nk->addr[0], nk->port[0], s->af, opts);
+ if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
+ nk->port[0] != sk->port[0]) {
+ printf(" (");
+ print_host(&sk->addr[0], sk->port[0], s->af, opts);
+ printf(")");
+ }
printf(" ");
if (s->proto == IPPROTO_TCP) {
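Review bot: The ICMP special case in the new direction block writes `sk->port[0] = nk->port[0]` (and `sk->port[1] = nk->port[1]` on the PF_IN side) straight into the pfsync_state being printed, so a print routine now has a side effect on its input; if `s` points into the captured packet buffer, as it presumably does in tcpdump, the decoder modifies the packet it is printing, and a second pass over the same state would see different data. Copying the key into a local `struct pfsync_state_key` and pointing `sk` at the copy produces the same output without the write-back. The `sk`/`nk` roles also swap with direction (PF_SK_STACK/PF_SK_WIRE for PF_OUT, the reverse for PF_IN), so a comment above `if (s->direction == PF_OUT)` naming which side each pointer stands for would help the reader follow the later addr[0]/addr[1] comparisons. print_state continues past the end of the hunk.
```c
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct pfsync_state_key skey;	/* local copy: never write into the packet */
	int min, sec;

	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		skey = s->key[PF_SK_STACK];
		nk = &s->key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			skey.port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		skey = s->key[PF_SK_WIRE];
		nk = &s->key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			skey.port[1] = nk->port[1];
	}
	sk = &skey;
	/* … unchanged: ifname/proto output, key printing, direction arrow … */
```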