diff options
-rw-r--r-- | sys/net/pf.c | 63 | ||||
-rw-r--r-- | sys/net/pfvar.h | 4 |
2 files changed, 34 insertions, 33 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 6ee19e7e4bc..02336cbd64c 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.143 2001/09/04 08:55:37 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.144 2001/09/04 12:32:53 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1607,26 +1607,27 @@ pf_calc_skip_steps(struct pf_rulequeue *rules) r = TAILQ_FIRST(rules); while (r != NULL) { a = 0; - for (i = 0; i < 5; ++i) { + for (i = 0; i < 6; ++i) { a |= 1 << i; r->skip[i] = TAILQ_NEXT(r, entries); } s = TAILQ_NEXT(r, entries); while (a && s != NULL) { - PF_CALC_SKIP_STEP(0, s->proto == r->proto); - PF_CALC_SKIP_STEP(1, + PF_CALC_SKIP_STEP(0, s->ifp == r->ifp); + PF_CALC_SKIP_STEP(1, s->proto == r->proto); + PF_CALC_SKIP_STEP(2, s->src.addr == r->src.addr && s->src.mask == r->src.mask && s->src.not == r->src.not); - PF_CALC_SKIP_STEP(2, + PF_CALC_SKIP_STEP(3, s->src.port[0] == r->src.port[0] && s->src.port[1] == r->src.port[1] && s->src.port_op == r->src.port_op); - PF_CALC_SKIP_STEP(3, + PF_CALC_SKIP_STEP(4, s->dst.addr == r->dst.addr && s->dst.mask == r->dst.mask && s->dst.not == r->dst.not); - PF_CALC_SKIP_STEP(4, + PF_CALC_SKIP_STEP(5, s->dst.port[0] == r->dst.port[0] && s->dst.port[1] == r->dst.port[1] && s->dst.port_op == r->dst.port_op); @@ -2039,24 +2040,24 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m, continue; } r->evaluations++; - if (r->proto && r->proto != h->ip_p) + if (r->ifp != NULL && r->ifp != ifp) r = r->skip[0]; + else if (r->proto && r->proto != h->ip_p) + r = r->skip[1]; else if (r->src.mask && !pf_match_addr(r->src.not, r->src.addr, r->src.mask, h->ip_src.s_addr)) - r = r->skip[1]; + r = r->skip[2]; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], th->th_sport)) - r = r->skip[2]; + r = r->skip[3]; else if (r->dst.mask && !pf_match_addr(r->dst.not, r->dst.addr, r->dst.mask, h->ip_dst.s_addr)) - r = r->skip[3]; + r = r->skip[4]; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], th->th_dport)) - r = r->skip[4]; + r = r->skip[5]; else if (r->direction != direction) r = TAILQ_NEXT(r, entries); - else if (r->ifp != NULL && r->ifp != ifp) - r = TAILQ_NEXT(r, entries); else if ((r->flagset & th->th_flags) != r->flags) r = TAILQ_NEXT(r, entries); else { @@ -2234,24 +2235,24 @@ pf_test_udp(int direction, struct ifnet *ifp, struct mbuf *m, continue; } r->evaluations++; - if (r->proto && r->proto != h->ip_p) + if (r->ifp != NULL && r->ifp != ifp) r = r->skip[0]; + else if (r->proto && r->proto != h->ip_p) + r = r->skip[1]; else if (r->src.mask && !pf_match_addr(r->src.not, r->src.addr, r->src.mask, h->ip_src.s_addr)) - r = r->skip[1]; + r = r->skip[2]; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], uh->uh_sport)) - r = r->skip[2]; + r = r->skip[3]; else if (r->dst.mask && !pf_match_addr(r->dst.not, r->dst.addr, r->dst.mask, h->ip_dst.s_addr)) - r = r->skip[3]; + r = r->skip[4]; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], uh->uh_dport)) - r = r->skip[4]; + r = r->skip[5]; else if (r->direction != direction) r = TAILQ_NEXT(r, entries); - else if (r->ifp != NULL && r->ifp != ifp) - r = TAILQ_NEXT(r, entries); else { rm = r; if (rm->quick) @@ -2382,18 +2383,18 @@ pf_test_icmp(int direction, struct ifnet *ifp, struct mbuf *m, continue; } r->evaluations++; - if (r->proto && r->proto != h->ip_p) + if (r->ifp != NULL && r->ifp != ifp) r = r->skip[0]; + else if (r->proto && r->proto != h->ip_p) + r = r->skip[1]; else if (r->src.mask && !pf_match_addr(r->src.not, r->src.addr, r->src.mask, h->ip_src.s_addr)) - r = r->skip[1]; + r = r->skip[2]; else if (r->dst.mask && !pf_match_addr(r->dst.not, r->dst.addr, r->dst.mask, h->ip_dst.s_addr)) - r = r->skip[3]; + r = r->skip[4]; else if (r->direction != direction) r = TAILQ_NEXT(r, entries); - else if (r->ifp != NULL && r->ifp != ifp) - r = TAILQ_NEXT(r, entries); else if (r->type && r->type != ih->icmp_type + 1) r = TAILQ_NEXT(r, entries); else if (r->code && r->code != ih->icmp_code + 1) @@ -2485,18 +2486,18 @@ pf_test_other(int direction, struct ifnet *ifp, struct mbuf *m, struct ip *h) continue; } r->evaluations++; - if (r->proto && r->proto != h->ip_p) + if (r->ifp != NULL && r->ifp != ifp) r = r->skip[0]; + else if (r->proto && r->proto != h->ip_p) + r = r->skip[1]; else if (r->src.mask && !pf_match_addr(r->src.not, r->src.addr, r->src.mask, h->ip_src.s_addr)) - r = r->skip[1]; + r = r->skip[2]; else if (r->dst.mask && !pf_match_addr(r->dst.not, r->dst.addr, r->dst.mask, h->ip_dst.s_addr)) - r = r->skip[3]; + r = r->skip[4]; else if (r->direction != direction) r = TAILQ_NEXT(r, entries); - else if (r->ifp != NULL && r->ifp != ifp) - r = TAILQ_NEXT(r, entries); else { rm = r; if (rm->quick) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 614532b26de..6978ef3d71e 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.47 2001/08/28 00:02:43 frantzen Exp $ */ +/* $OpenBSD: pfvar.h,v 1.48 2001/09/04 12:32:53 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -63,7 +63,7 @@ struct pf_rule { struct ifnet *ifp; struct pf_rule_addr src; struct pf_rule_addr dst; - struct pf_rule *skip[5]; + struct pf_rule *skip[6]; TAILQ_ENTRY(pf_rule) entries; u_int64_t evaluations; |