From e44f0c6d8183c1c1905f32452429309fc9008f40 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Mon, 15 Jul 2002 18:07:18 +0000
Subject: add u_int8_t ifnot to struct pf_rule to support matching packets on any interface except the given one. adjust the pf_test_* functions and pf_skip_step accordingly. ok dhartmei@
---
 sys/net/pf.c | 22 +++++++++++++++-------
 sys/net/pfvar.h | 3 ++-
 2 files changed, 17 insertions(+), 8 deletions(-)
(limited to 'sys')
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 32f7a20dc33..ce18e198ef6 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.238 2002/07/15 17:52:44 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.239 2002/07/15 18:07:17 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -393,6 +393,8 @@ pf_compare_rules(struct pf_rule *a, struct pf_rule *b)
 return (1);
 if (strcmp(a->ifname, b->ifname))
 return (1);
+ if (a->ifnot != b->ifnot)
+ return (1);
 return (0);
 }
@@ -899,7 +901,8 @@ pf_calc_skip_steps(struct pf_rulequeue *rules)
 PF_CALC_SKIP_STEP(PF_SKIP_ACTION,
 (s->action == PF_SCRUB && r->action == PF_SCRUB) ||
 (s->action != PF_SCRUB && r->action != PF_SCRUB));
- PF_CALC_SKIP_STEP(PF_SKIP_IFP, s->ifp == r->ifp);
+ PF_CALC_SKIP_STEP(PF_SKIP_IFP,
+ s->ifp == r->ifp && s->ifnot == r->ifnot);
 PF_CALC_SKIP_STEP(PF_SKIP_DIR, s->direction == r->direction);
 PF_CALC_SKIP_STEP(PF_SKIP_AF, s->af == r->af);
@@ -1715,7 +1718,8 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 r->evaluations++;
 if (r->action == PF_SCRUB)
 r = r->skip[PF_SKIP_ACTION];
- else if (r->ifp != NULL && r->ifp != ifp)
+ else if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) ||
+ (r->ifp == ifp && r->ifnot)))
 r = r->skip[PF_SKIP_IFP];
 else if (r->direction != direction)
 r = r->skip[PF_SKIP_DIR];
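Review bot: The added `a->ifnot != b->ifnot` in pf_compare_rules compares the raw u_int8_t, while the pf_test_* hunks in this commit treat the field as a boolean (`!r->ifnot` / `r->ifnot`). Two rules carrying different non-zero values would match packets identically yet compare as different here, and the same applies to `s->ifnot == r->ifnot` in the pf_calc_skip_steps hunk, where it would only cost a skip step. Comparing the truth values, `if (!a->ifnot != !b->ifnot)`, or normalising the field to 0/1 when the rule is loaded would keep the three uses consistent. pf_compare_rules starts before this hunk, so the rest of the comparison is not visible.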
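Review bot: The negation in pf_test_tcp is only evaluated when `r->ifp != NULL`, so a rule that has `ifnot` set but no resolved interface still matches packets on every interface. Whether such a rule can reach the kernel depends on the rule-loading code, which is not part of this diff; if it can, a pass rule would end up broader than it was written. I would refuse a rule with `ifnot` set and an empty `ifname` where rules are loaded, and add `/* ifnot has no effect when no interface is set */` above the test. The same two-line condition is repeated in the pf_test_udp, pf_test_icmp, pf_test_other and pf_test_fragment hunks, and each of these functions starts and ends outside its hunk.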
@@ -1980,7 +1984,8 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 r->evaluations++;
 if (r->action == PF_SCRUB)
 r = r->skip[PF_SKIP_ACTION];
- else if (r->ifp != NULL && r->ifp != ifp)
+ else if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) ||
+ (r->ifp == ifp && r->ifnot)))
 r = r->skip[PF_SKIP_IFP];
 else if (r->direction != direction)
 r = r->skip[PF_SKIP_DIR];
@@ -2278,7 +2283,8 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 r->evaluations++;
 if (r->action == PF_SCRUB)
 r = r->skip[PF_SKIP_ACTION];
- else if (r->ifp != NULL && r->ifp != ifp)
+ else if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) ||
+ (r->ifp == ifp && r->ifnot)))
 r = r->skip[PF_SKIP_IFP];
 else if (r->direction != direction)
 r = r->skip[PF_SKIP_DIR];
@@ -2497,7 +2503,8 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp,
 r->evaluations++;
 if (r->action == PF_SCRUB)
 r = r->skip[PF_SKIP_ACTION];
- else if (r->ifp != NULL && r->ifp != ifp)
+ else if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) ||
+ (r->ifp == ifp && r->ifnot)))
 r = r->skip[PF_SKIP_IFP];
 else if (r->direction != direction)
 r = r->skip[PF_SKIP_DIR];
@@ -2619,7 +2626,8 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp,
 r->evaluations++;
 if (r->action == PF_SCRUB)
 r = r->skip[PF_SKIP_ACTION];
- else if (r->ifp != NULL && r->ifp != ifp)
+ else if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) ||
+ (r->ifp == ifp && r->ifnot)))
 r = r->skip[PF_SKIP_IFP];
 else if (r->direction != direction)
 r = r->skip[PF_SKIP_DIR];
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 150dc570139..821f7607f1f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.87 2002/06/11 18:03:25 frantzen Exp $ */
+/* $OpenBSD: pfvar.h,v 1.88 2002/07/15 18:07:17 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -259,6 +259,7 @@ struct pf_rule {
 u_int8_t direction;
 u_int8_t log;
 u_int8_t quick;
+ u_int8_t ifnot;
 #define PF_STATE_NORMAL 0x1
 #define PF_STATE_MODULATE 0x2
--
cgit v1.2.3
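Review bot: The new `ifnot` member is added without a comment, and nothing in the struct says that it inverts the `ifname`/`ifp` match or that any non-zero value counts as set. A one-line comment such as `u_int8_t ifnot; /* non-zero: match every interface except ifname */` would document it. Because the member is inserted in the middle of struct pf_rule, the layout after `quick` shifts, so anything that exchanges this struct with the kernel presumably has to be rebuilt against the new header. struct pf_rule continues outside the hunk.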