Diffstat (limited to 'sys/net/pf.c')
-rw-r--r--sys/net/pf.c63
1 files changed, 32 insertions, 31 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 6ee19e7e4bc..02336cbd64c 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.143 2001/09/04 08:55:37 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.144 2001/09/04 12:32:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1607,26 +1607,27 @@ pf_calc_skip_steps(struct pf_rulequeue *rules)
r = TAILQ_FIRST(rules);
while (r != NULL) {
a = 0;
- for (i = 0; i < 5; ++i) {
+ for (i = 0; i < 6; ++i) {
a |= 1 << i;
r->skip[i] = TAILQ_NEXT(r, entries);
}
s = TAILQ_NEXT(r, entries);
while (a && s != NULL) {
- PF_CALC_SKIP_STEP(0, s->proto == r->proto);
- PF_CALC_SKIP_STEP(1,
+ PF_CALC_SKIP_STEP(0, s->ifp == r->ifp);
+ PF_CALC_SKIP_STEP(1, s->proto == r->proto);
+ PF_CALC_SKIP_STEP(2,
s->src.addr == r->src.addr &&
s->src.mask == r->src.mask &&
s->src.not == r->src.not);
- PF_CALC_SKIP_STEP(2,
+ PF_CALC_SKIP_STEP(3,
s->src.port[0] == r->src.port[0] &&
s->src.port[1] == r->src.port[1] &&
s->src.port_op == r->src.port_op);
- PF_CALC_SKIP_STEP(3,
+ PF_CALC_SKIP_STEP(4,
s->dst.addr == r->dst.addr &&
s->dst.mask == r->dst.mask &&
s->dst.not == r->dst.not);
- PF_CALC_SKIP_STEP(4,
+ PF_CALC_SKIP_STEP(5,
s->dst.port[0] == r->dst.port[0] &&
s->dst.port[1] == r->dst.port[1] &&
s->dst.port_op == r->dst.port_op);
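Review bot: The new loop bound `6` and step index 5 store into `r->skip[5]`, but the declaration of `skip[]` is not part of this page (the diffstat is limited to sys/net/pf.c), so it cannot be confirmed here that the array was grown to six entries. If it still has five, this is an out-of-bounds write into the rule structure in kernel memory whenever skip steps are calculated. Deriving the bound from the array removes the dependency on a hand-maintained literal: `for (i = 0; i < sizeof(r->skip) / sizeof(r->skip[0]); ++i) {`. The body of pf_calc_skip_steps starts and ends outside this hunk.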
@@ -2039,24 +2040,24 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], th->th_sport))
- r = r->skip[2];
+ r = r->skip[3];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], th->th_dport))
- r = r->skip[4];
+ r = r->skip[5];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else if ((r->flagset & th->th_flags) != r->flags)
r = TAILQ_NEXT(r, entries);
else {
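Review bot: The bare indices in this chain (`skip[0]` through `skip[5]`) must agree one-for-one with the indices passed to `PF_CALC_SKIP_STEP` in pf_calc_skip_steps, and nothing in the code enforces that. The same literals are repeated in the pf_test_udp, pf_test_icmp and pf_test_other hunks. A later reordering that misses one site would silently jump past rules that could still match, so a packet would be evaluated against the wrong part of the ruleset. Named indices declared next to `skip[]` would make the pairing reviewable, for example `r = r->skip[PF_SKIP_IFP];` with a matching `PF_CALC_SKIP_STEP(PF_SKIP_IFP, s->ifp == r->ifp);` (the names are only a suggestion). The enclosing loop of pf_test_tcp begins and ends outside the hunk.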
@@ -2234,24 +2235,24 @@ pf_test_udp(int direction, struct ifnet *ifp, struct mbuf *m,
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], uh->uh_sport))
- r = r->skip[2];
+ r = r->skip[3];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], uh->uh_dport))
- r = r->skip[4];
+ r = r->skip[5];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else {
rm = r;
if (rm->quick)
@@ -2382,18 +2383,18 @@ pf_test_icmp(int direction, struct ifnet *ifp, struct mbuf *m,
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else if (r->type && r->type != ih->icmp_type + 1)
r = TAILQ_NEXT(r, entries);
else if (r->code && r->code != ih->icmp_code + 1)
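Review bot: The chain here goes from `skip[2]` straight to `skip[4]` with no explanation, which reads like a renumbering mistake unless the reader knows that steps 3 and 5 are the port comparisons in pf_calc_skip_steps. The same gap is in the pf_test_other hunk. A short comment above the chain would prevent a well-meaning "fix", for example `/* skip[3] and skip[5] are the port steps; there are no ports to test here */`. The if/else chain continues past the end of this hunk.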
@@ -2485,18 +2486,18 @@ pf_test_other(int direction, struct ifnet *ifp, struct mbuf *m, struct ip *h)
continue;
}
r->evaluations++;
- if (r->proto && r->proto != h->ip_p)
+ if (r->ifp != NULL && r->ifp != ifp)
r = r->skip[0];
+ else if (r->proto && r->proto != h->ip_p)
+ r = r->skip[1];
else if (r->src.mask && !pf_match_addr(r->src.not,
r->src.addr, r->src.mask, h->ip_src.s_addr))
- r = r->skip[1];
+ r = r->skip[2];
else if (r->dst.mask && !pf_match_addr(r->dst.not,
r->dst.addr, r->dst.mask, h->ip_dst.s_addr))
- r = r->skip[3];
+ r = r->skip[4];
else if (r->direction != direction)
r = TAILQ_NEXT(r, entries);
- else if (r->ifp != NULL && r->ifp != ifp)
- r = TAILQ_NEXT(r, entries);
else {
rm = r;
if (rm->quick)