-rw-r--r--sys/net/pf.c61
-rw-r--r--sys/net/pfvar.h111
2 files changed, 99 insertions, 73 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 91b075e23e2..9a0b7be50ad 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.7 2001/06/24 21:29:29 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.8 2001/06/24 21:50:29 deraadt Exp $ */
/*
* Copyright (c) 2001, Daniel Hartmeier
@@ -147,16 +147,26 @@ tree_key_compare(struct tree_key *a, struct tree_key *b)
* could use memcmp(), but with the best manual order, we can
* minimize the number of average compares. what is faster?
*/
- if (a->proto < b->proto ) return -1;
- if (a->proto > b->proto ) return 1;
- if (a->addr[0] < b->addr[0]) return -1;
- if (a->addr[0] > b->addr[0]) return 1;
- if (a->addr[1] < b->addr[1]) return -1;
- if (a->addr[1] > b->addr[1]) return 1;
- if (a->port[0] < b->port[0]) return -1;
- if (a->port[0] > b->port[0]) return 1;
- if (a->port[1] < b->port[1]) return -1;
- if (a->port[1] > b->port[1]) return 1;
+ if (a->proto < b->proto )
+ return -1;
+ if (a->proto > b->proto )
+ return 1;
+ if (a->addr[0] < b->addr[0])
+ return -1;
+ if (a->addr[0] > b->addr[0])
+ return 1;
+ if (a->addr[1] < b->addr[1])
+ return -1;
+ if (a->addr[1] > b->addr[1])
+ return 1;
+ if (a->port[0] < b->port[0])
+ return -1;
+ if (a->port[0] > b->port[0])
+ return 1;
+ if (a->port[1] < b->port[1])
+ return -1;
+ if (a->port[1] > b->port[1])
+ return 1;
return 0;
}
@@ -304,6 +314,7 @@ inline struct state *
find_state(struct tree_node *p, struct tree_key *key)
{
signed char c;
+
while ((p != NULL) && (c = tree_key_compare(&p->key, key)))
p = (c > 0) ? p->left : p->right;
status.state_searches++;
@@ -878,13 +889,20 @@ inline int
match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
{
switch (op) {
- case 1: return (p >= a1) && (p <= a2);
- case 2: return p == a1;
- case 3: return p != a1;
- case 4: return p < a1;
- case 5: return p <= a1;
- case 6: return p > a1;
- case 7: return p >= a1;
+ case 1:
+ return (p >= a1) && (p <= a2);
+ case 2:
+ return p == a1;
+ case 3:
+ return p != a1;
+ case 4:
+ return p < a1;
+ case 5:
+ return p <= a1;
+ case 6:
+ return p > a1;
+ case 7:
+ return p >= a1;
}
return 0; /* never reached */
}
@@ -1290,11 +1308,10 @@ pf_test_state_tcp(int direction, struct ifnet *ifp, struct ip *h, struct tcphdr
s = find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext, &key);
if (s != NULL) {
-
u_int16_t len = h->ip_len - ((h->ip_hl + th->th_off) << 2);
u_int32_t seq = ntohl(th->th_seq), ack = ntohl(th->th_ack);
+ struct state_peer *src, *dst;
- struct peer *src, *dst;
if (direction == s->direction) {
src = &s->src;
dst = &s->dst;
@@ -1398,7 +1415,7 @@ pf_test_state_udp(int direction, struct ifnet *ifp, struct ip *h, struct udphdr
u_int16_t len = h->ip_len - (h->ip_hl << 2) - 8;
- struct peer *src, *dst;
+ struct state_peer *src, *dst;
if (direction == s->direction) {
src = &s->src;
dst = &s->dst;
@@ -1505,7 +1522,7 @@ pf_test_state_icmp(int direction, struct ifnet *ifp, struct ip *h, struct icmp *
u_int32_t seq = ntohl(th->th_seq);
struct state *s;
struct tree_key key;
- struct peer *src;
+ struct state_peer *src;
key.proto = IPPROTO_TCP;
key.addr[0] = h2->ip_dst.s_addr;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index f0ecbe51f80..55142862182 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.3 2001/06/24 21:32:17 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.4 2001/06/24 21:50:29 deraadt Exp $ */
/*
* Copyright (c) 2001, Daniel Hartmeier
@@ -38,84 +38,93 @@
enum { PF_IN=0, PF_OUT=1 };
enum { PF_PASS=0, PF_DROP=1, PF_DROP_RST=2 };
+struct rule_addr {
+ u_int32_t addr;
+ u_int32_t mask;
+ u_int16_t port[2];
+ u_int8_t not;
+ u_int8_t port_op;
+};
+
struct rule {
+ char ifname[IFNAMSIZ];
+ struct ifnet *ifp;
+ struct rule_addr src;
+ struct rule_addr dst;
+ struct rule *next;
+
u_int8_t action;
u_int8_t direction;
u_int8_t log;
u_int8_t quick;
+
u_int8_t keep_state;
- char ifname[16];
- struct ifnet *ifp;
u_int8_t proto;
- struct {
- u_int8_t not;
- u_int32_t addr,
- mask;
- u_int8_t port_op;
- u_int16_t port[2];
- } src,
- dst;
- u_int8_t type,
- code;
- u_int8_t flags,
- flagset;
- struct rule *next;
+ u_int8_t type;
+ u_int8_t code;
+
+ u_int8_t flags;
+ u_int8_t flagset;
+};
+
+struct state_host {
+ u_int32_t addr;
+ u_int16_t port;
+};
+
+struct state_peer {
+ u_int32_t seqlo;
+ u_int32_t seqhi;
+ u_int8_t state;
};
struct state {
+ struct state *next;
+ struct state_host lan;
+ struct state_host gwy;
+ struct state_host ext;
+ struct state_peer src;
+ struct state_peer dst;
+ u_int32_t creation;
+ u_int32_t expire;
+ u_int32_t packets;
+ u_int32_t bytes;
u_int8_t proto;
u_int8_t direction;
- struct host {
- u_int32_t addr;
- u_int16_t port;
- } lan,
- gwy,
- ext;
- struct peer {
- u_int32_t seqlo,
- seqhi;
- u_int8_t state;
- } src,
- dst;
- u_int32_t creation,
- expire;
- u_int32_t packets,
- bytes;
- struct state *next;
};
struct nat {
- char ifname[16];
+ char ifname[IFNAMSIZ];
struct ifnet *ifp;
+ struct nat *next;
+ u_int32_t saddr;
+ u_int32_t smask;
+ u_int32_t daddr;
u_int8_t proto;
u_int8_t not;
- u_int32_t saddr,
- smask,
- daddr;
- struct nat *next;
};
struct rdr {
- char ifname[16];
+ char ifname[IFNAMSIZ];
struct ifnet *ifp;
+ struct rdr *next;
+ u_int32_t daddr;
+ u_int32_t dmask;
+ u_int32_t raddr;
+ u_int16_t dport;
+ u_int16_t rport;
u_int8_t proto;
u_int8_t not;
- u_int32_t daddr,
- dmask,
- raddr;
- u_int16_t dport,
- rport;
- struct rdr *next;
};
struct status {
- u_int8_t running;
+ u_int32_t running;
u_int32_t bytes[2];
u_int32_t packets[2][2];
- u_int32_t states,
- state_inserts,
- state_removals,
- state_searches;
+ u_int32_t states;
+ u_int32_t state_inserts;
+ u_int32_t state_removals;
+ u_int32_t state_searches;
u_int32_t since;
};
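Review bot: The new `struct rule`, `struct nat` and `struct rdr` layouts place the kernel-only fields `ifp` and `next` directly beside the userland-configured ones without saying which side owns which; if these structures cross the ioctl boundary (not visible in this hunk), the kernel pointer values travel along with them. A one-line comment per field would make the contract explicit, e.g. `struct ifnet *ifp; /* resolved by the kernel from ifname; ignored on input */` and `struct rule *next; /* kernel-internal list link */`. `IFNAMSIZ` now appears in this header, so pfvar.h depends on <net/if.h> being included first; if the header does not pull it in itself, a comment at the top or the include would spare every includer a surprise. The field reordering and the widening of `status.running` to u_int32_t change struct sizes and offsets, so userland built against the old layout must be rebuilt — worth noting for anyone comparing ioctl behaviour across this revision.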
@@ -163,7 +172,7 @@ enum error_msg {
#ifdef _KERNEL
-int pf_test (int, struct ifnet *, struct mbuf **);
+int pf_test(int, struct ifnet *, struct mbuf **);
#endif /* _KERNEL */