From 174fbda2c260804acfb6658ed33e6fad46c516f9 Mon Sep 17 00:00:00 2001 From: Ryan Thomas McBride Date: Tue, 31 Dec 2002 19:18:42 +0000 Subject: Split scrub rules out from the filter rules in the kernel. Precursor to removing rule.action from skip steps. Also a couple of other small fixes: - s/PF_RULESET_RULE/PF_RULESET_FILTER/ - replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset { - error handling in ioctl of an invalid value in rule.action - counting evaluations and matching packets for scrub rules ok henning@ dhartmei@ --- sys/net/pf.c | 32 ++++++++++++++++---------------- sys/net/pf_ioctl.c | 45 ++++++++++++++++++++++++++++++++++++++------- sys/net/pf_norm.c | 16 +++++++++++----- sys/net/pfvar.h | 8 ++++---- 4 files changed, 69 insertions(+), 32 deletions(-) (limited to 'sys/net') diff --git a/sys/net/pf.c b/sys/net/pf.c index 5f21e196d70..750aab15214 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.289 2002/12/31 00:00:44 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.290 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1808,7 +1808,7 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -1869,11 +1869,11 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { 
@@ -2063,7 +2063,7 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2124,11 +2124,11 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { @@ -2344,7 +2344,7 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2389,11 +2389,11 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { @@ -2549,7 +2549,7 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp, } } - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2590,11 +2590,11 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { 
@@ -2696,7 +2696,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp, *rm = NULL; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { r->evaluations++; if (r->action == PF_SCRUB) @@ -2738,11 +2738,11 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp, r = TAILQ_NEXT(r, entries); } else PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (r == NULL && anchorrule != NULL) PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, - PF_RULESET_RULE); + PF_RULESET_FILTER); } if (*rm != NULL) { diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 6283a0abaaa..c39dfd7f1b2 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.36 2002/12/31 00:00:44 dhartmei Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.37 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -156,6 +156,8 @@ pf_get_pool(char *anchorname, char *rulesetname, u_int32_t ticket, if (ruleset == NULL) return (NULL); rs_num = pf_get_ruleset_number(rule_action); + if (rs_num >= PF_RULESET_MAX) + return (NULL); if (active) { if (check_ticket && ticket != ruleset->rules[rs_num].active.ticket) @@ -222,11 +224,12 @@ int pf_get_ruleset_number(u_int8_t action) { switch (action) { + case PF_SCRUB: + return (PF_RULESET_SCRUB); + break; case PF_PASS: case PF_DROP: - case PF_SCRUB: - default: - return (PF_RULESET_RULE); + return (PF_RULESET_FILTER); break; case PF_NAT: case PF_NONAT: @@ -240,6 +243,9 @@ pf_get_ruleset_number(u_int8_t action) case PF_NORDR: return (PF_RULESET_RDR); break; + default: + return (PF_RULESET_MAX); + break; } } 
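Review bot: The new `default` branch in pf_get_ruleset_number makes PF_RULESET_MAX an in-band error value, and nothing at the function says so; a future caller that indexes `ruleset->rules[rs_num]` without the `>= PF_RULESET_MAX` test that every site in this diff now carries would read one past the array. A header comment would pin the contract: `/* Map a rule action to its ruleset index. Returns PF_RULESET_MAX for an unknown action; callers must check before indexing rules[]. */`. The `break;` after each `return` is unreachable and can be dropped, a point of style only. The function's body continues past the first hunk into the second.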
@@ -525,6 +531,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } while ((rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr)) != NULL) pf_rm_rule(ruleset->rules[rs_num].inactive.ptr, rule); @@ -544,6 +554,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pr->rule.anchorname[0] && ruleset != &pf_main_ruleset) { error = EINVAL; break; @@ -631,6 +645,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) { error = EBUSY; break; @@ -641,11 +659,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) /* * Rules are about to get freed, clear rule pointers in states */ - if (rs_num == PF_RULESET_RULE) { + if (rs_num == PF_RULESET_FILTER) { if (ruleset == &pf_main_ruleset) RB_FOREACH(n, pf_state_tree, &tree_ext_gwy) n->state->rule.ptr = NULL; - } else + } else if ((rs_num == PF_RULESET_NAT) || + (rs_num == PF_RULESET_BINAT) || (rs_num == PF_RULESET_RDR)) RB_FOREACH(n, pf_state_tree, &tree_ext_gwy) n->state->nat_rule = NULL; old_rules = ruleset->rules[rs_num].active.ptr; @@ -677,6 +696,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } s = splsoftnet(); tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, pf_rulequeue); 
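Review bot: The four-line `rs_num >= PF_RULESET_MAX` rejection is pasted verbatim after every `pf_get_ruleset_number(pr->rule.action)` call in pfioctl (here and in the hunks at old lines 544, 631, 677, 701 and 752), and `rule.action` arrives from userland, so this bounds check is what keeps an unknown action from indexing `ruleset->rules[]` out of range; a new call site that forgets the copy silently loses it. A small static helper that does the lookup and the check together would leave one place to get right, assuming `rs_num` is an `int` as the comparison suggests. The pfioctl switch cases enclosing these hunks begin and end outside them.
```c
/* Map a userland-supplied rule action to its ruleset index; EINVAL if unknown. */
static int
pf_rs_num_checked(u_int8_t action, int *rs_num)
{
	*rs_num = pf_get_ruleset_number(action);
	return (*rs_num >= PF_RULESET_MAX ? EINVAL : 0);
}

/* … in each pfioctl case, replacing the lookup and the EINVAL block … */
if ((error = pf_rs_num_checked(pr->rule.action, &rs_num)) != 0)
	break;
```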
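Review bot: The rewritten chain under the "Rules are about to get freed, clear rule pointers in states" comment now has a silent no-op path for PF_RULESET_SCRUB, and nothing records why replacing the scrub ruleset needs no cleanup; if any state or fragment entry did keep a pointer into that ruleset it would dangle once the old rules are freed. The pf_normalize_ip and pf_normalize_tcp hunks in this diff use the matched scrub rule only locally, which suggests the no-op is correct, but that reasoning lives in another file. I would close the chain with an explicit note, e.g. `/* PF_RULESET_SCRUB: states keep no pointer to scrub rules, nothing to clear */`, so the next reader does not have to rediscover it. The DIOCCOMMITRULES case continues outside the hunk.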
@@ -701,6 +724,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pr->ticket != ruleset->rules[rs_num].active.ticket) { error = EBUSY; break; @@ -752,6 +779,10 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) break; } rs_num = pf_get_ruleset_number(pcr->rule.action); + if (rs_num >= PF_RULESET_MAX) { + error = EINVAL; + break; + } if (pcr->action == PF_CHANGE_GET_TICKET) { pcr->ticket = ++ruleset->rules[rs_num].active.ticket; @@ -1190,7 +1221,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) s = splsoftnet(); TAILQ_FOREACH(rule, - ruleset->rules[PF_RULESET_RULE].active.ptr, entries) + ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) rule->evaluations = rule->packets = rule->bytes = 0; splx(s); diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 3781ec6dc89..3814aa6d5f2 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.43 2002/12/18 19:17:07 henning Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.44 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright 2001 Niels Provos @@ -800,8 +800,9 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason) int ip_len; int ip_off; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { + r->evaluations++; if (r->action != PF_SCRUB) r = r->skip[PF_SKIP_ACTION].ptr; else if (r->ifp != NULL && r->ifp != ifp) @@ -826,6 +827,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason) if (r == NULL) return (PF_PASS); + else + r->packets++; /* Check for illegal packets */ if (hlen < (int)sizeof(struct ip)) 
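Review bot: The `else` added after `return (PF_PASS);` in pf_normalize_ip is redundant, since the `if` branch never falls through; `r->packets++;` can follow the `if` as its own statement, which reads more naturally than an `else` whose body is a bare increment. The same shape recurs in the pf_normalize_tcp hunk at old line 1040. pf_normalize_ip's body continues on both sides of the hunk.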
@@ -1002,8 +1005,9 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff, u_int8_t flags; sa_family_t af = pd->af; - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_RULE].active.ptr); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { + r->evaluations++; if (r->action != PF_SCRUB) r = r->skip[PF_SKIP_ACTION].ptr; else if (r->ifp != NULL && r->ifp != ifp) @@ -1040,6 +1044,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff, if (rm == NULL) return (PF_PASS); + else + r->packets++; flags = th->th_flags; if (flags & TH_SYN) { @@ -1097,8 +1103,8 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff, tcp_drop: REASON_SET(&reason, PFRES_NORM); - if (rm != NULL && rm->log) - PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, rm); + if (rm != NULL && r->log) + PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, r); return (PF_DROP); } diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 5973ad20ff9..652ec2731b2 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.119 2002/12/29 20:07:34 cedric Exp $ */ +/* $OpenBSD: pfvar.h,v 1.120 2002/12/31 19:18:41 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -43,8 +43,8 @@ enum { PF_IN=1, PF_OUT=2 }; enum { PF_PASS=0, PF_DROP=1, PF_SCRUB=2, PF_NAT=3, PF_NONAT=4, PF_BINAT=5, PF_NOBINAT=6, PF_RDR=7, PF_NORDR=8 }; -enum { PF_RULESET_RULE=0, PF_RULESET_NAT=1, PF_RULESET_BINAT=2, - PF_RULESET_RDR=3, PF_RULESET_MAX=4 }; +enum { PF_RULESET_SCRUB=0, PF_RULESET_FILTER=1, PF_RULESET_NAT=2, + PF_RULESET_BINAT=3, PF_RULESET_RDR=4, PF_RULESET_MAX=5 }; enum { PF_OP_IRG=1, PF_OP_EQ=2, PF_OP_NE=3, PF_OP_LT=4, PF_OP_LE=5, PF_OP_GT=6, PF_OP_GE=7, PF_OP_XRG=8, PF_OP_RRG=9 }; enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 }; 
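Review bot: In pf_normalize_tcp the null guards test `rm` while the dereferences now use `r`: `if (rm == NULL) return (PF_PASS); else r->packets++;` in the hunk at old line 1040, and `if (rm != NULL && r->log) PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, r);` at `tcp_drop`. That is only safe if the matching loop breaks the moment it sets `rm = r`, which the hunk does not show, and any later change that lets the loop run on after a match would turn these guards into a null dereference in the normalizer. Check and dereference the same pointer: keep `rm` on both lines, or test `r` in the guards. pf_normalize_tcp extends beyond both hunks.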
@@ -425,7 +425,7 @@ struct pf_ruleset { struct pf_rulequeue *ptr; u_int32_t ticket; } active, inactive; - } rules[4]; + } rules[PF_RULESET_MAX]; struct pf_anchor *anchor; }; -- cgit v1.2.3