author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2008-05-29 01:00:54 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2008-05-29 01:00:54 +0000 |
commit | c496441ad96ff1d247439f6f966240d5f8e657fd (patch) | |
tree | 5667310b4fbf5a6b6cab31c04126b2780c0795de /usr.sbin | |
parent | b4ce6f58e6b8cf560109ecf401d63df14e2f9431 (diff) |
Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/tcpdump/pf_print_state.c | 48 |
1 files changed, 30 insertions, 18 deletions
diff --git a/usr.sbin/tcpdump/pf_print_state.c b/usr.sbin/tcpdump/pf_print_state.c
index 745dadc9da2..2306cf9768a 100644
--- a/usr.sbin/tcpdump/pf_print_state.c
+++ b/usr.sbin/tcpdump/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.5 2008/05/09 11:57:52 mpf Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.6 2008/05/29 01:00:53 mcbride Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -129,17 +129,15 @@ print_name(struct pf_addr *addr, sa_family_t af)
 }
 
 void
-print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
+print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
 {
- u_int16_t p = ntohs(h->port);
-
 if (opts & PF_OPT_USEDNS)
- print_name(&h->addr, af);
+ print_name(addr, af);
 else {
 struct pf_addr_wrap aw;
 
 memset(&aw, 0, sizeof(aw));
- aw.v.a.addr = h->addr;
+ aw.v.a.addr = *addr;
 if (af == AF_INET)
 aw.v.a.mask.addr32[0] = 0xffffffff;
 else {
@@ -149,11 +147,11 @@ print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
 print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
 }
 
- if (p) {
+ if (port) {
 if (af == AF_INET)
- printf(":%u", p);
+ printf(":%u", ntohs(port));
 else
- printf("[%u]", p);
+ printf("[%u]", ntohs(port));
 }
 }
 
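Review bot: The new `port` parameter of print_host is consumed through `ntohs(port)` and tested with `if (port)`, but the signature line carries no comment about byte order, so a future caller passing a host-order value would print a byte-swapped port with no warning. A one-line comment above the definition would pin the contract: `/* port is in network byte order; 0 means no port is printed */`. The body of print_host spans both hunks and the lines between them are not shown here.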
@@ -172,31 +170,45 @@ void
 print_state(struct pfsync_state *s, int opts)
 {
 struct pfsync_state_peer *src, *dst;
+ struct pfsync_state_key *sk, *nk;
 int min, sec;
 
 if (s->direction == PF_OUT) {
 src = &s->src;
 dst = &s->dst;
+ sk = &s->key[PF_SK_STACK];
+ nk = &s->key[PF_SK_WIRE];
+ if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
+ sk->port[0] = nk->port[0];
 } else {
 src = &s->dst;
 dst = &s->src;
+ sk = &s->key[PF_SK_WIRE];
+ nk = &s->key[PF_SK_STACK];
+ if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
+ sk->port[1] = nk->port[1];
 }
 
 printf("%s ", s->ifname);
 printf("%s ", ipproto_string(s->proto));
- if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
- (s->lan.port != s->gwy.port)) {
- print_host(&s->lan, s->af, opts);
- if (s->direction == PF_OUT)
- printf(" -> ");
- else
- printf(" <- ");
+
+ print_host(&nk->addr[1], nk->port[1], s->af, opts);
+ if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
+ nk->port[1] != sk->port[1]) {
+ printf(" (");
+ print_host(&sk->addr[1], sk->port[1], s->af, opts);
+ printf(")");
 }
- print_host(&s->gwy, s->af, opts);
 if (s->direction == PF_OUT)
 printf(" -> ");
 else
 printf(" <- ");
- print_host(&s->ext, s->af, opts);
+ print_host(&nk->addr[0], nk->port[0], s->af, opts);
+ if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
+ nk->port[0] != sk->port[0]) {
+ printf(" (");
+ print_host(&sk->addr[0], sk->port[0], s->af, opts);
+ printf(")");
+ }
 printf(" ");
 if (s->proto == IPPROTO_TCP) {
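Review bot: The two ICMP assignments `sk->port[0] = nk->port[0];` and `sk->port[1] = nk->port[1];` write into the caller's struct pfsync_state from a print routine, and nothing in the hunk says why. The comparisons that follow only print a parenthesised second key when address or port differ, so the copy appears meant to stop that check from flagging a port slot the two ICMP keys do not share; that intent is worth stating next to the first assignment, e.g. `/* ICMP: mirror this port slot into the other key so the NAT comparison below does not print a spurious translation (modifies *s) */`. If mutating the caller's state is not wanted, copying both keys into local struct pfsync_state_key variables before the adjustment would keep print_state read-only while leaving the output unchanged. print_state continues past the end of this hunk.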