D45672.diff
No OneTemporary
Actions

Size

6 KB

Referenced Files

None

Subscribers

None

D45672.diff
View Options

	diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
	--- a/sys/net/pfvar.h
	+++ b/sys/net/pfvar.h
	@@ -2569,11 +2569,12 @@
	struct pf_addr , struct pf_addr ,
	struct pfi_kkif *nkif, struct pf_addr ,
	struct pf_ksrc_node **);
	-struct pf_krule pf_get_translation(struct pf_pdesc , struct mbuf *,
	+u_short pf_get_translation(struct pf_pdesc , struct mbuf ,
	int, struct pfi_kkif , struct pf_ksrc_node *,
	struct pf_state_key , struct pf_state_key ,
	struct pf_addr , struct pf_addr ,
	- uint16_t, uint16_t, struct pf_kanchor_stackframe *);
	+ uint16_t, uint16_t, struct pf_kanchor_stackframe *,
	+ struct pf_krule **);

	struct pf_state_key pf_state_key_setup(struct pf_pdesc , struct pf_addr *,
	struct pf_addr *, u_int16_t, u_int16_t);
	diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
	--- a/sys/netpfil/pf/pf.c
	+++ b/sys/netpfil/pf/pf.c
	@@ -4605,7 +4605,7 @@
	struct pf_ksrc_node *nsn = NULL;
	struct tcphdr *th = &pd->hdr.tcp;
	struct pf_state_key sk = NULL, nk = NULL;
	- u_short reason;
	+ u_short reason, transerror;
	int rewrite = 0, hdrlen = 0;
	int tag = -1;
	int asd = 0;
	@@ -4618,6 +4618,8 @@

	PF_RULES_RASSERT();

	+ SLIST_INIT(&match_rules);
	+
	if (inp != NULL) {
	INP_LOCK_ASSERT(inp);
	pd->lookup.uid = inp->inp_cred->cr_uid;
	@@ -4686,8 +4688,17 @@
	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);

	/* check packet for BINAT/NAT/RDR */
	- if ((nr = pf_get_translation(pd, m, off, kif, &nsn, &sk,
	- &nk, saddr, daddr, sport, dport, anchor_stack)) != NULL) {
	+ transerror = pf_get_translation(pd, m, off, kif, &nsn, &sk,
	+ &nk, saddr, daddr, sport, dport, anchor_stack, &nr);
	+ switch (transerror) {
	+ default:
	+ /* A translation error occurred. */
	+ REASON_SET(&reason, transerror);
	+ goto cleanup;
	+ case PFRES_MAX:
	+ /* No match. */
	+ break;
	+ case PFRES_MATCH:
	KASSERT(sk != NULL, ("%s: null sk", __func__));
	KASSERT(nk != NULL, ("%s: null nk", __func__));

	@@ -4836,7 +4847,6 @@
	pd->nat_rule = nr;
	}

	- SLIST_INIT(&match_rules);
	while (r != NULL) {
	pf_counter_u64_add(&r->evaluations, 1);
	if (pfi_kkif_match(r->kif, kif) == r->ifnot)
	diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
	--- a/sys/netpfil/pf/pf_lb.c
	+++ b/sys/netpfil/pf/pf_lb.c
	@@ -591,22 +591,26 @@
	return (reason);
	}

	-struct pf_krule *
	+u_short
	pf_get_translation(struct pf_pdesc pd, struct mbuf m, int off,
	struct pfi_kkif kif, struct pf_ksrc_node *sn,
	struct pf_state_key skp, struct pf_state_key nkp,
	struct pf_addr saddr, struct pf_addr daddr,
	- uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack)
	+ uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack,
	+ struct pf_krule **rp)
	{
	struct pf_krule *r = NULL;
	struct pf_addr *naddr;
	uint16_t *nportp;
	uint16_t low, high;
	+ u_short reason;

	PF_RULES_RASSERT();
	KASSERT(skp == NULL, ("skp not NULL"));
	KASSERT(nkp == NULL, ("nkp not NULL"));

	+ *rp = NULL;
	+
	if (pd->dir == PF_OUT) {
	r = pf_match_translation(pd, m, off, kif, saddr,
	sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
	@@ -624,23 +628,23 @@
	}

	if (r == NULL)
	- return (NULL);
	+ return (PFRES_MAX);

	switch (r->action) {
	case PF_NONAT:
	case PF_NOBINAT:
	case PF_NORDR:
	- return (NULL);
	+ return (PFRES_MAX);
	}

	*skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
	if (*skp == NULL)
	- return (NULL);
	+ return (PFRES_MEMORY);
	nkp = pf_state_key_clone(skp);
	if (*nkp == NULL) {
	uma_zfree(V_pf_state_key_z, *skp);
	*skp = NULL;
	- return (NULL);
	+ return (PFRES_MEMORY);
	}

	naddr = &(*nkp)->addr[1];
	@@ -664,6 +668,7 @@
	r->rpool.mape.offset,
	r->rpool.mape.psidlen,
	r->rpool.mape.psid));
	+ reason = PFRES_MAPFAILED;
	goto notrans;
	}
	} else if (pf_get_sport(pd->af, pd->proto, r, saddr, sport,
	@@ -671,6 +676,7 @@
	DPFPRINTF(PF_DEBUG_MISC,
	("pf: NAT proxy port allocation (%u-%u) failed\n",
	r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
	+ reason = PFRES_MAPFAILED;
	goto notrans;
	}
	break;
	@@ -682,8 +688,10 @@
	#ifdef INET
	case AF_INET:
	if (r->rpool.cur->addr.p.dyn->
	- pfid_acnt4 < 1)
	+ pfid_acnt4 < 1) {
	+ reason = PFRES_MAPFAILED;
	goto notrans;
	+ }
	PF_POOLMASK(naddr,
	&r->rpool.cur->addr.p.dyn->
	pfid_addr4,
	@@ -694,8 +702,10 @@
	#ifdef INET6
	case AF_INET6:
	if (r->rpool.cur->addr.p.dyn->
	- pfid_acnt6 < 1)
	+ pfid_acnt6 < 1) {
	+ reason = PFRES_MAPFAILED;
	goto notrans;
	+ }
	PF_POOLMASK(naddr,
	&r->rpool.cur->addr.p.dyn->
	pfid_addr6,
	@@ -715,8 +725,10 @@
	switch (pd->af) {
	#ifdef INET
	case AF_INET:
	- if (r->src.addr.p.dyn-> pfid_acnt4 < 1)
	+ if (r->src.addr.p.dyn->pfid_acnt4 < 1) {
	+ reason = PFRES_MAPFAILED;
	goto notrans;
	+ }
	PF_POOLMASK(naddr,
	&r->src.addr.p.dyn->pfid_addr4,
	&r->src.addr.p.dyn->pfid_mask4,
	@@ -725,8 +737,10 @@
	#endif /* INET */
	#ifdef INET6
	case AF_INET6:
	- if (r->src.addr.p.dyn->pfid_acnt6 < 1)
	+ if (r->src.addr.p.dyn->pfid_acnt6 < 1) {
	+ reason = PFRES_MAPFAILED;
	goto notrans;
	+ }
	PF_POOLMASK(naddr,
	&r->src.addr.p.dyn->pfid_addr6,
	&r->src.addr.p.dyn->pfid_mask6,
	@@ -744,7 +758,8 @@
	struct pf_state_key_cmp key;
	uint16_t cut, low, high, nport;

	- if (pf_map_addr(pd->af, r, saddr, naddr, NULL, NULL, sn))
	+ reason = pf_map_addr(pd->af, r, saddr, naddr, NULL, NULL, sn);
	+ if (reason != 0)
	goto notrans;
	if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
	PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,
	@@ -815,12 +830,13 @@

	DPFPRINTF(PF_DEBUG_MISC,
	("pf: RDR source port allocation failed\n"));
	- if (0) {
	+ reason = PFRES_MAPFAILED;
	+ goto notrans;
	+
	out:
	- DPFPRINTF(PF_DEBUG_MISC,
	- ("pf: RDR source port allocation %u->%u\n",
	- ntohs(sport), ntohs((*nkp)->port[0])));
	- }
	+ DPFPRINTF(PF_DEBUG_MISC,
	+ ("pf: RDR source port allocation %u->%u\n",
	+ ntohs(sport), ntohs((*nkp)->port[0])));
	break;
	}
	default:
	@@ -828,14 +844,17 @@
	}

	/* Return success only if translation really happened. */
	- if (bcmp(skp, nkp, sizeof(struct pf_state_key_cmp)))
	- return (r);
	+ if (bcmp(skp, nkp, sizeof(struct pf_state_key_cmp))) {
	+ *rp = r;
	+ return (PFRES_MATCH);
	+ }

	+ reason = PFRES_MAX;
	notrans:
	uma_zfree(V_pf_state_key_z, *nkp);
	uma_zfree(V_pf_state_key_z, *skp);
	skp = nkp = NULL;
	*sn = NULL;

	- return (NULL);
	+ return (reason);
	}

File Metadata

Mime Type: text/plain
Expires: Mon, Apr 28, 10:39 AM (7 h, 2 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 17829044
Default Alt Text: D45672.diff (6 KB)

D45672.diffNo OneTemporaryActions

D45672.diffView Options

File Metadata

Event Timeline

D45672.diff
No OneTemporary
Actions

D45672.diff
View Options