-rw-r--r--sys/net/pf.c63
-rw-r--r--sys/net/pfvar.h4
2 files changed, 34 insertions, 33 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 6ee19e7e4bc..02336cbd64c 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.143 2001/09/04 08:55:37 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.144 2001/09/04 12:32:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1607,26 +1607,27 @@ pf_calc_skip_steps(struct pf_rulequeue *rules)
r = TAILQ_FIRST(rules);
while (r != NULL) {
a = 0;
- for (i = 0; i < 5; ++i) {
+ for (i = 0; i < 6; ++i) {
a |= 1 << i;
r->skip[i] = TAILQ_NEXT(r, entries);
}
s = TAILQ_NEXT(r, entries);
while (a && s != NULL) {
- PF_CALC_SKIP_STEP(0, s->proto == r->proto);
- PF_CALC_SKIP_STEP(1,
+ PF_CALC_SKIP_STEP(0, s->ifp == r->ifp);
+ PF_CALC_SKIP_STEP(1, s->proto == r->proto);
+ PF_CALC_SKIP_STEP(2,
s->src.addr == r->src.addr &&
s->src.mask == r->src.mask &&
s->src.not == r->src.not);
- PF_CALC_SKIP_STEP(2,
+ PF_CALC_SKIP_STEP(3,
s->src.port[0] == r->src.port[0] &&
s->src.port[1] == r->src.port[1] &&
s->src.port_op == r->src.port_op);
- PF_CALC_SKIP_STEP(3,
+ PF_CALC_SKIP_STEP(4,
s->dst.addr == r->dst.addr &&
s->dst.mask == r->dst.mask &&
s->dst.not == r->dst.not);
- PF_CALC_SKIP_STEP(4,
+ PF_CALC_SKIP_STEP(5,
s->dst.port[0] == r->dst.port[0] &&
s->dst.port[1] == r->dst.port[1] &&
s->dst.port_op == r->dst.port_op);
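Review bot: The loop bound in `for (i = 0; i < 6; ++i)` is a bare literal that has to stay equal to the `skip[6]` array size declared in sys/net/pfvar.h. If the two ever drift apart, `r->skip[i] = TAILQ_NEXT(r, entries);` writes past the end of the array inside a kernel rule structure. A shared constant would tie them together, for example `#define PF_SKIP_COUNT 6` in pfvar.h (the name is a suggestion, not something this commit defines), used as `struct pf_rule *skip[PF_SKIP_COUNT];` and `for (i = 0; i < PF_SKIP_COUNT; ++i)`. pf_calc_skip_steps begins and ends outside this hunk and the PF_CALC_SKIP_STEP macro is not visible here, so whether the macro also depends on the count cannot be confirmed from the page.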
@@ -2039,24 +2040,24 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], th->th_sport))
- r = r->skip[2];
+ r = r->skip[3];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], th->th_dport))
- r = r->skip[4];
+ r = r->skip[5];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else if ((r->flagset & th->th_flags) != r->flags)
r = TAILQ_NEXT(r, entries);
else {
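Review bot: The numeric indices in this else-if chain (`r->skip[0]` through `r->skip[5]`) are undocumented at the use site; their meaning comes only from the argument order of the PF_CALC_SKIP_STEP calls in pf_calc_skip_steps. If one side is renumbered and the other is not, the filter jumps over rules that should have been evaluated, which is a silent policy error rather than a crash. A comment above the chain would make the coupling explicit, for example `/* skip[]: 0=ifp 1=proto 2=src addr 3=src port 4=dst addr 5=dst port; order must match pf_calc_skip_steps() */`. The same applies to the pf_test_udp, pf_test_icmp and pf_test_other hunks. In the last two the indices go from `skip[2]` straight to `skip[4]` because no port tests exist there, and that deserves a short remark so it is not mistaken for a renumbering slip. The enclosing function starts and ends outside the hunk.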
@@ -2234,24 +2235,24 @@ pf_test_udp(int direction, struct ifnet *ifp, struct mbuf *m,
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], uh->uh_sport))
- r = r->skip[2];
+ r = r->skip[3];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], uh->uh_dport))
- r = r->skip[4];
+ r = r->skip[5];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else {
rm = r;
if (rm->quick)
@@ -2382,18 +2383,18 @@ pf_test_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else if (r->type && r->type != ih->icmp_type + 1)
r = TAILQ_NEXT(r, entries);
else if (r->code && r->code != ih->icmp_code + 1)
@@ -2485,18 +2486,18 @@ pf_test_other(int direction, struct ifnet *ifp, struct mbuf *m, struct ip *h)
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else {
rm = r;
if (rm->quick)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 614532b26de..6978ef3d71e 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.47 2001/08/28 00:02:43 frantzen Exp $ */
+/* $OpenBSD: pfvar.h,v 1.48 2001/09/04 12:32:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -63,7 +63,7 @@ struct pf_rule {
struct ifnet *ifp;
struct pf_rule_addr src;
struct pf_rule_addr dst;
- struct pf_rule *skip[5];
+ struct pf_rule *skip[6];
TAILQ_ENTRY(pf_rule) entries;
u_int64_t evaluations;