diff options
-rw-r--r-- | sys/net/if_pflog.c | 6 | ||||
-rw-r--r-- | sys/net/if_pflog.h | 6 | ||||
-rw-r--r-- | sys/net/pf.c | 80 | ||||
-rw-r--r-- | sys/net/pfvar.h | 4 |
4 files changed, 52 insertions, 44 deletions
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c index fe9dfcde627..8302f85d17c 100644 --- a/sys/net/if_pflog.c +++ b/sys/net/if_pflog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflog.c,v 1.33 2010/12/07 11:39:40 jsg Exp $ */ +/* $OpenBSD: if_pflog.c,v 1.34 2011/05/22 13:21:24 claudio Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -210,7 +210,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } int -pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, +pflog_packet(struct pfi_kif *kif, struct mbuf *m, u_int8_t dir, u_int8_t reason, struct pf_rule *rm, struct pf_rule *am, struct pf_ruleset *ruleset, struct pf_pdesc *pd) { @@ -226,7 +226,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, bzero(&hdr, sizeof(hdr)); hdr.length = PFLOG_REAL_HDRLEN; - hdr.af = af; + hdr.af = pd->af; hdr.action = rm->action; hdr.reason = reason; memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname)); diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index e1ef3cdd60f..ca6037abf4d 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflog.h,v 1.17 2010/09/21 11:05:10 henning Exp $ */ +/* $OpenBSD: if_pflog.h,v 1.18 2011/05/22 13:21:24 claudio Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -70,9 +70,9 @@ struct pfloghdr { void pflog_bpfcopy(const void *, void *, size_t); #if NPFLOG > 0 -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) pflog_packet(i,a,b,c,d,e,f,g,h) +#define PFLOG_PACKET(i,x,b,c,d,e,f,g,h) pflog_packet(i,b,c,d,e,f,g,h) #else -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) ((void)0) +#define PFLOG_PACKET(i,x,b,c,d,e,f,g,h) ((void)0) #endif /* NPFLOG > 0 */ #endif /* _KERNEL */ #endif /* _NET_IF_PFLOG_H_ */ diff --git a/sys/net/pf.c b/sys/net/pf.c index 594f73ceea5..dd409468abd 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.743 2011/05/13 14:31:16 oga Exp $ */ +/* $OpenBSD: pf.c,v 1.744 2011/05/22 13:21:24 claudio Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -175,7 +175,7 @@ void pf_rule_to_actions(struct pf_rule *, int pf_test_rule(struct pf_rule **, struct pf_state **, int, struct pfi_kif *, struct mbuf *, int, struct pf_pdesc *, struct pf_rule **, - struct pf_ruleset **, struct ifqueue *, int); + struct pf_ruleset **, int); static __inline int pf_create_state(struct pf_rule *, struct pf_rule *, struct pf_pdesc *, struct pf_state_key **, struct pf_state_key **, struct mbuf *, int, @@ -2716,7 +2716,7 @@ int pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, struct pfi_kif *kif, struct mbuf *m, int off, struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm, - struct ifqueue *ifq, int hdrlen) + int hdrlen) { struct pf_rule *lastr = NULL; sa_family_t af = pd->af; @@ -2728,6 +2728,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, struct tcphdr *th = pd->hdr.tcp; struct pf_state_key *skw = NULL, *sks = NULL; struct pf_rule_actions act; + struct ifqueue *ifq = &ipintrq; u_short reason; int rewrite = 0; int tag = -1; @@ -2745,6 +2746,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, act.rtableid = pd->rdomain; SLIST_INIT(&rules); + if (af == AF_INET6) + ifq = &ip6intrq; + if (direction == PF_IN && pf_check_congestion(ifq)) { REASON_SET(&reason, PFRES_CONGEST); return (PF_DROP); @@ -2885,7 +2889,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, goto cleanup; } if (r->log || act.log & PF_LOG_MATCHES) - PFLOG_PACKET(kif, h, m, af, + PFLOG_PACKET(kif, h, m, direction, reason, r, a, ruleset, pd); } else { @@ -2894,7 +2898,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, *am = a; *rsm = ruleset; if (act.log & PF_LOG_MATCHES) - PFLOG_PACKET(kif, h, m, af, + PFLOG_PACKET(kif, h, m, direction, reason, r, a, ruleset, pd); } @@ -2923,7 +2927,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, REASON_SET(&reason, PFRES_MATCH); if (r->log || act.log & PF_LOG_MATCHES) - PFLOG_PACKET(kif, h, m, af, direction, reason, + PFLOG_PACKET(kif, h, m, direction, reason, r, a, ruleset, pd); if ((r->action == PF_DROP) && @@ -3447,8 +3451,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, REASON_SET(&reason, PFRES_MATCH); if (r->log) - PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset, - pd); + PFLOG_PACKET(kif, h, m, direction, reason, r, a, ruleset, pd); if (r->action == PF_DROP) return (PF_DROP); @@ -5798,9 +5801,15 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET) return (PF_PASS); + if (m->m_pkthdr.pf.flags & PF_TAG_REFRAGMENTED) { + m->m_pkthdr.pf.flags &= ~PF_TAG_REFRAGMENTED; + return (PF_PASS); + } + /* packet reassembly here if 1) enabled 2) we deal with a fragment */ h = mtod(m, struct ip *); - if (pf_status.reass && (h->ip_off & htons(IP_MF | IP_OFFMASK)) && + if (pf_status.reass && + (h->ip_off & htons(IP_MF | IP_OFFMASK)) && pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) { action = PF_DROP; goto done; @@ -5825,7 +5834,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, goto done; } - switch (h->ip_p) { + switch (pd.proto) { case IPPROTO_TCP: { if ((pd.hdr.tcp->th_flags & TH_ACK) && pd.p_len == 0) @@ -5844,7 +5853,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, - m, off, &pd, &a, &ruleset, &ipintrq, hdrlen); + m, off, &pd, &a, &ruleset, hdrlen); if (s) { if (s->max_mss) @@ -5866,7 +5875,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, - m, off, &pd, &a, &ruleset, &ipintrq, hdrlen); + m, off, &pd, &a, &ruleset, hdrlen); break; } @@ -5882,7 +5891,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, - m, off, &pd, &a, &ruleset, &ipintrq, hdrlen); + m, off, &pd, &a, &ruleset, hdrlen); break; } @@ -5904,7 +5913,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, - &pd, &a, &ruleset, &ipintrq, hdrlen); + &pd, &a, &ruleset, hdrlen); break; } @@ -5982,12 +5991,12 @@ done: struct pf_rule_item *ri; if (pd.pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL) - PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, + PFLOG_PACKET(kif, h, m, dir, reason, r, a, ruleset, &pd); if (s) { SLIST_FOREACH(ri, &s->match_rules, entry) if (ri->r->log & PF_LOG_ALL) - PFLOG_PACKET(kif, h, m, AF_INET, dir, + PFLOG_PACKET(kif, h, m, dir, reason, ri->r, a, ruleset, &pd); } } @@ -6128,7 +6137,7 @@ pf_test6(int fwdir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, - m, off, &pd, &a, &ruleset, &ip6intrq, hdrlen); + m, off, &pd, &a, &ruleset, hdrlen); if (s) { if (s->max_mss) @@ -6150,7 +6159,7 @@ pf_test6(int fwdir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, - m, off, &pd, &a, &ruleset, &ip6intrq, hdrlen); + m, off, &pd, &a, &ruleset, hdrlen); break; } @@ -6162,8 +6171,8 @@ pf_test6(int fwdir, struct ifnet *ifp, struct mbuf **m0, } case IPPROTO_ICMPV6: { - action = pf_test_state_icmp(&s, dir, kif, - m, off, &pd, &reason); + action = pf_test_state_icmp(&s, dir, kif, m, off, &pd, + &reason); if (action == PF_PASS) { #if NPFSYNC > 0 pfsync_update_state(s); @@ -6173,7 +6182,7 @@ pf_test6(int fwdir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, - m, off, &pd, &a, &ruleset, &ip6intrq, hdrlen); + m, off, &pd, &a, &ruleset, hdrlen); break; } @@ -6188,24 +6197,25 @@ pf_test6(int fwdir, struct ifnet *ifp, struct mbuf **m0, pd.pflog |= s->log; } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, - &pd, &a, &ruleset, &ip6intrq, hdrlen); + &pd, &a, &ruleset, hdrlen); break; } done: - /* handle dangerous IPv6 extension headers. */ - if (action == PF_PASS && pd.rh_cnt && - !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_IPOPTIONS); - pd.pflog |= PF_LOG_FORCE; - DPFPRINTF(LOG_NOTICE, - "dropping packet with dangerous v6 headers"); - } - if (action != PF_DROP) { if (s) { + /* handle dangerous IPv6 extension headers. */ + if (action == PF_PASS && pd.rh_cnt && + !(s->state_flags & PFSTATE_ALLOWOPTS)) { + action = PF_DROP; + REASON_SET(&reason, PFRES_IPOPTIONS); + pd.pflog |= PF_LOG_FORCE; + DPFPRINTF(LOG_NOTICE, "dropping packet with " + "dangerous v6 headers"); + } + pf_scrub_ip6(m, s->min_ttl); + pf_tag_packet(m, s->tag, s->rtableid[pd.didx]); if (pqid || (pd.tos & IPTOS_LOWDELAY)) qid = s->pqid; else @@ -6218,8 +6228,6 @@ done: qid = r->qid; } } - if (s && s->tag) - pf_tag_packet(m, s ? s->tag : 0, s->rtableid[pd.didx]); if (dir == PF_IN && s && s->key[PF_SK_STACK]) m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; @@ -6262,12 +6270,12 @@ done: struct pf_rule_item *ri; if (pd.pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, + PFLOG_PACKET(kif, h, m, dir, reason, r, a, ruleset, &pd); if (s) { SLIST_FOREACH(ri, &s->match_rules, entry) if (ri->r->log & PF_LOG_ALL) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, + PFLOG_PACKET(kif, h, m, dir, reason, ri->r, a, ruleset, &pd); } } diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 0024b3d489f..6af4d70a69e 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.330 2011/05/17 12:44:05 mikeb Exp $ */ +/* $OpenBSD: pfvar.h,v 1.331 2011/05/22 13:21:24 claudio Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1762,7 +1762,7 @@ void pf_addr_inc(struct pf_addr *, sa_family_t); void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, sa_family_t); void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); -int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, +int pflog_packet(struct pfi_kif *, struct mbuf *, u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *, struct pf_pdesc *); void pf_send_deferred_syn(struct pf_state *); |