-rw-r--r-- | sys/net/pf.c | 61 | ||||
-rw-r--r-- | sys/net/pfvar.h | 111 |
2 files changed, 99 insertions, 73 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 91b075e23e2..9a0b7be50ad 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.7 2001/06/24 21:29:29 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.8 2001/06/24 21:50:29 deraadt Exp $ */
 /*
 * Copyright (c) 2001, Daniel Hartmeier
@@ -147,16 +147,26 @@ tree_key_compare(struct tree_key *a, struct tree_key *b)
 * could use memcmp(), but with the best manual order, we can
 * minimize the number of average compares. what is faster?
 */
- if (a->proto < b->proto ) return -1;
- if (a->proto > b->proto ) return 1;
- if (a->addr[0] < b->addr[0]) return -1;
- if (a->addr[0] > b->addr[0]) return 1;
- if (a->addr[1] < b->addr[1]) return -1;
- if (a->addr[1] > b->addr[1]) return 1;
- if (a->port[0] < b->port[0]) return -1;
- if (a->port[0] > b->port[0]) return 1;
- if (a->port[1] < b->port[1]) return -1;
- if (a->port[1] > b->port[1]) return 1;
+ if (a->proto < b->proto )
+ return -1;
+ if (a->proto > b->proto )
+ return 1;
+ if (a->addr[0] < b->addr[0])
+ return -1;
+ if (a->addr[0] > b->addr[0])
+ return 1;
+ if (a->addr[1] < b->addr[1])
+ return -1;
+ if (a->addr[1] > b->addr[1])
+ return 1;
+ if (a->port[0] < b->port[0])
+ return -1;
+ if (a->port[0] > b->port[0])
+ return 1;
+ if (a->port[1] < b->port[1])
+ return -1;
+ if (a->port[1] > b->port[1])
+ return 1;
 return 0;
 }
@@ -304,6 +314,7 @@ inline struct state *
 find_state(struct tree_node *p, struct tree_key *key)
 {
 signed char c;
+
 while ((p != NULL) && (c = tree_key_compare(&p->key, key)))
 p = (c > 0) ? p->left : p->right;
 status.state_searches++;
@@ -878,13 +889,20 @@ inline int
 match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
 {
 switch (op) {
- case 1: return (p >= a1) && (p <= a2);
- case 2: return p == a1;
- case 3: return p != a1;
- case 4: return p < a1;
- case 5: return p <= a1;
- case 6: return p > a1;
- case 7: return p >= a1;
+ case 1:
+ return (p >= a1) && (p <= a2);
+ case 2:
+ return p == a1;
+ case 3:
+ return p != a1;
+ case 4:
+ return p < a1;
+ case 5:
+ return p <= a1;
+ case 6:
+ return p > a1;
+ case 7:
+ return p >= a1;
 }
 return 0; /* never reached */
 }
@@ -1290,11 +1308,10 @@ pf_test_state_tcp(int direction, struct ifnet *ifp, struct ip *h, struct tcphdr
 s = find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext, &key);
 if (s != NULL) {
- u_int16_t len = h->ip_len - ((h->ip_hl + th->th_off) << 2);
 u_int32_t seq = ntohl(th->th_seq), ack = ntohl(th->th_ack);
+ struct state_peer *src, *dst;
- struct peer *src, *dst;
 if (direction == s->direction) {
 src = &s->src;
 dst = &s->dst;
@@ -1398,7 +1415,7 @@ pf_test_state_udp(int direction, struct ifnet *ifp, struct ip *h, struct udphdr
 u_int16_t len = h->ip_len - (h->ip_hl << 2) - 8;
- struct peer *src, *dst;
+ struct state_peer *src, *dst;
 if (direction == s->direction) {
 src = &s->src;
 dst = &s->dst;
@@ -1505,7 +1522,7 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct ip *h, struct icmp *
 u_int32_t seq = ntohl(th->th_seq);
 struct state *s;
 struct tree_key key;
- struct peer *src;
+ struct state_peer *src;
 key.proto = IPPROTO_TCP;
 key.addr[0] = h2->ip_dst.s_addr;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index f0ecbe51f80..55142862182 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.3 2001/06/24 21:32:17 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.4 2001/06/24 21:50:29 deraadt Exp $ */
 /*
 * Copyright (c) 2001, Daniel Hartmeier
@@ -38,84 +38,93 @@
 enum { PF_IN=0, PF_OUT=1 };
 enum { PF_PASS=0, PF_DROP=1, PF_DROP_RST=2 };
+struct rule_addr {
+ u_int32_t addr;
+ u_int32_t mask;
+ u_int16_t port[2];
+ u_int8_t not;
+ u_int8_t port_op;
+};
+
 struct rule {
+ char ifname[IFNAMSIZ];
+ struct ifnet *ifp;
+ struct rule_addr src;
+ struct rule_addr dst;
+ struct rule *next;
+
 u_int8_t action;
 u_int8_t direction;
 u_int8_t log;
 u_int8_t quick;
+ u_int8_t keep_state;
- char ifname[16];
- struct ifnet *ifp;
 u_int8_t proto;
- struct {
- u_int8_t not;
- u_int32_t addr,
- mask;
- u_int8_t port_op;
- u_int16_t port[2];
- } src,
- dst;
- u_int8_t type,
- code;
- u_int8_t flags,
- flagset;
- struct rule *next;
+ u_int8_t type;
+ u_int8_t code;
+
+ u_int8_t flags;
+ u_int8_t flagset;
+};
+
+struct state_host {
+ u_int32_t addr;
+ u_int16_t port;
+};
+
+struct state_peer {
+ u_int32_t seqlo;
+ u_int32_t seqhi;
+ u_int8_t state;
 };
 struct state {
+ struct state *next;
+ struct state_host lan;
+ struct state_host gwy;
+ struct state_host ext;
+ struct state_peer src;
+ struct state_peer dst;
+ u_int32_t creation;
+ u_int32_t expire;
+ u_int32_t packets;
+ u_int32_t bytes;
 u_int8_t proto;
 u_int8_t direction;
- struct host {
- u_int32_t addr;
- u_int16_t port;
- } lan,
- gwy,
- ext;
- struct peer {
- u_int32_t seqlo,
- seqhi;
- u_int8_t state;
- } src,
- dst;
- u_int32_t creation,
- expire;
- u_int32_t packets,
- bytes;
- struct state *next;
 };
 struct nat {
- char ifname[16];
+ char ifname[IFNAMSIZ];
 struct ifnet *ifp;
+ struct nat *next;
+ u_int32_t saddr;
+ u_int32_t smask;
+ u_int32_t daddr;
 u_int8_t proto;
 u_int8_t not;
- u_int32_t saddr,
- smask,
- daddr;
- struct nat *next;
 };
 struct rdr {
- char ifname[16];
+ char ifname[IFNAMSIZ];
 struct ifnet *ifp;
+ struct rdr *next;
+ u_int32_t daddr;
+ u_int32_t dmask;
+ u_int32_t raddr;
+ u_int16_t dport;
+ u_int16_t rport;
 u_int8_t proto;
 u_int8_t not;
- u_int32_t daddr,
- dmask,
- raddr;
- u_int16_t dport,
- rport;
- struct rdr *next;
 };
 struct status {
- u_int8_t running;
+ u_int32_t running;
 u_int32_t bytes[2];
 u_int32_t packets[2][2];
- u_int32_t states,
- state_inserts,
- state_removals,
- state_searches;
+ u_int32_t states;
+ u_int32_t state_inserts;
+ u_int32_t state_removals;
+ u_int32_t state_searches;
 u_int32_t since;
 };
@@ -163,7 +172,7 @@ enum error_msg {
 #ifdef _KERNEL
-int pf_test (int, struct ifnet *, struct mbuf **);
+int pf_test(int, struct ifnet *, struct mbuf **);
 #endif /* _KERNEL */ |
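Review bot: The new `struct rule_addr` declares `u_int8_t port_op;` with nothing in this header saying which values it may hold, while `match_port()` in pf.c switches on 1–7 with no `default:` and falls out to a `return 0` that its comment calls never reached — it is reached for any other operator value coming in from userland, and the rule then silently matches nothing. An enum in pfvar.h next to `struct rule_addr` (names illustrative, e.g. `PF_OP_RANGE = 1`, `PF_OP_EQ = 2`, …) plus a one-line comment `/* port_op: 0 = any port, 1–7 = see enum; anything else never matches */` would pin that contract where both kernel and pfctl can see it. The field name `not` in `rule_addr`, `nat` and `rdr` is an alternative token in C++ and a macro from `<iso646.h>`, so a userland consumer that pulls either in will fail to compile against this header; `neg` would avoid that. The field reordering and widening `status.running` to `u_int32_t` change the layout of what appear to be the ioctl structures shared with pfctl (inferred from the `_KERNEL` guard below), so kernel and userland must be rebuilt together; a short comment above the structs stating that their layout is shared with userland would make that dependency explicit for the next reorder.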