-rw-r--r--sys/net/pf.c76
1 files changed, 27 insertions, 49 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 338cb22f1cc..c1aec3ffd8f 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.293 2003/01/01 16:09:29 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.294 2003/01/02 01:56:56 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -235,6 +235,24 @@ int pf_socket_lookup(uid_t *, gid_t *, int, sa_family_t,
struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] =
{ { &pf_state_pl, PFSTATE_HIWAT }, { &pf_frent_pl, PFFRAG_FRENT_HIWAT } };
+#define STATE_LOOKUP() \
+ do { \
+ if (direction == PF_IN) \
+ *state = pf_find_state(&tree_ext_gwy, &key); \
+ else \
+ *state = pf_find_state(&tree_lan_ext, &key); \
+ if (*state == NULL) \
+ return (PF_DROP); \
+ if ((*state)->rule.ptr != NULL && \
+ (((*state)->rule.ptr->rt == PF_ROUTETO && \
+ (*state)->rule.ptr->direction == direction) || \
+ ((*state)->rule.ptr->rt == PF_REPLYTO && \
+ (*state)->rule.ptr->direction != direction)) && \
+ (*state)->rt_ifp != NULL && \
+ (*state)->rt_ifp != ifp) \
+ return (PF_PASS); \
+ } while (0)
+
#define STATE_TRANSLATE(s) \
(s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
((s)->af == AF_INET6 && \
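Review bot: STATE_LOOKUP() hides two `return` statements and silently depends on `direction`, `state`, `key`, `ifp`, `tree_ext_gwy` and `tree_lan_ext` being in the caller's scope, and its new PF_PASS branch is a behaviour change that none of the seven call sites (pf_test_state_tcp, pf_test_state_udp, the five pf_test_state_icmp sites, pf_test_state_other) show: a packet matching a state whose rule is route-to/reply-to and whose `rt_ifp` is set but differs from the current `ifp` is now passed before the per-state processing that follows each call (for example the `(*state)->packets++` / `bytes` accounting visible in the pf_test_state_icmp hunk and the direction-based src/dst selection in the others). A header comment stating that contract would help the next reader, e.g. `/* Needs direction, state, key, ifp in scope. Returns from the caller: PF_DROP if no state matches, PF_PASS when the state's route-to/reply-to rule forwards via another interface (rt_ifp != ifp), skipping the state checks that follow. */`. Whether bypassing those checks is intended for the route-to case is not stated by the diff; a one-line rationale next to the `return (PF_PASS)` would settle it. Note that the macro must stay a macro (not a static inline) only because of those returns, which is worth saying in the same comment.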
@@ -2768,12 +2786,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
key.port[0] = th->th_sport;
key.port[1] = th->th_dport;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
if (direction == (*state)->direction) {
src = &(*state)->src;
@@ -3053,12 +3066,7 @@ pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp,
key.port[0] = pd->hdr.udp->uh_sport;
key.port[1] = pd->hdr.udp->uh_dport;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
if (direction == (*state)->direction) {
src = &(*state)->src;
@@ -3163,12 +3171,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
key.port[0] = icmpid;
key.port[1] = icmpid;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
(*state)->packets++;
(*state)->bytes += pd->tot_len;
@@ -3347,12 +3350,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
PF_ACPY(&key.addr[1], pd2.src, pd2.af);
key.port[1] = th.th_sport;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
if (direction == (*state)->direction) {
src = &(*state)->dst;
@@ -3437,12 +3435,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
PF_ACPY(&key.addr[1], pd2.src, pd2.af);
key.port[1] = uh.uh_sport;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
if (STATE_TRANSLATE(*state)) {
if (direction == PF_IN) {
@@ -3503,12 +3496,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
PF_ACPY(&key.addr[1], pd2.src, pd2.af);
key.port[1] = iih.icmp_id;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
if (STATE_TRANSLATE(*state)) {
if (direction == PF_IN) {
@@ -3556,12 +3544,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
PF_ACPY(&key.addr[1], pd2.src, pd2.af);
key.port[1] = iih.icmp6_id;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
if (STATE_TRANSLATE(*state)) {
if (direction == PF_IN) {
@@ -3612,12 +3595,7 @@ pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp,
key.port[0] = 0;
key.port[1] = 0;
- if (direction == PF_IN)
- *state = pf_find_state(&tree_ext_gwy, &key);
- else
- *state = pf_find_state(&tree_lan_ext, &key);
- if (*state == NULL)
- return (PF_DROP);
+ STATE_LOOKUP();
if (direction == (*state)->direction) {
src = &(*state)->src;