Page MenuHomeFreeBSD
Files F116048728

D46939.diff
No OneTemporary
Actions

D46939.diff
View Options

diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -69,9 +69,9 @@
struct pfi_kif;
struct pf_pdesc;
-#define PFLOG_PACKET(i,a,b,t,c,d,e,f,g) do { \
+#define PFLOG_PACKET(a,b,t,c,d,e,f,g) do { \
if (pflog_packet_ptr != NULL) \
- pflog_packet_ptr(i,a,b,t,c,d,e,f,g); \
+ pflog_packet_ptr(a,b,t,c,d,e,f,g); \
} while (0)
#endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1249,8 +1249,8 @@
/* pflog */
struct pf_kruleset;
struct pf_pdesc;
-typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *,
- uint8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
+typedef int pflog_packet_t(struct mbuf *, uint8_t, u_int8_t,
+ struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
struct pf_pdesc *, int);
extern pflog_packet_t *pflog_packet_ptr;
@@ -1597,6 +1597,8 @@
char any[0];
} hdr;
+ struct pfi_kkif *kif; /* incomming interface */
+
struct pf_addr *src; /* src address */
struct pf_addr *dst; /* dst address */
u_int16_t *sport;
@@ -2353,21 +2355,19 @@
void pf_free_rule(struct pf_krule *);
int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
-int pf_scan_sctp(struct mbuf *, int, struct pf_pdesc *, struct pfi_kkif *);
+int pf_scan_sctp(struct mbuf *, struct pf_pdesc *);
#if defined(INET) || defined(INET6)
int pf_test(sa_family_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *,
struct pf_rule_actions *);
#endif
#ifdef INET
-int pf_normalize_ip(struct mbuf **, struct pfi_kkif *, u_short *,
- struct pf_pdesc *);
+int pf_normalize_ip(struct mbuf **, u_short *, struct pf_pdesc *);
#endif /* INET */
#ifdef INET6
int pf_walk_header6(struct mbuf *, struct ip6_hdr *, int *, int *, int *,
uint8_t *, uint32_t *, u_short *);
-int pf_normalize_ip6(struct mbuf **, struct pfi_kkif *, int,
- u_short *, struct pf_pdesc *);
+int pf_normalize_ip6(struct mbuf **, int, u_short *, struct pf_pdesc *);
void pf_poolmask(struct pf_addr *, struct pf_addr*,
struct pf_addr *, struct pf_addr *, sa_family_t);
void pf_addr_inc(struct pf_addr *, sa_family_t);
@@ -2375,10 +2375,8 @@
int pf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *, bool);
#endif /* INET6 */
-int pf_multihome_scan_init(struct mbuf *, int, int, struct pf_pdesc *,
- struct pfi_kkif *);
-int pf_multihome_scan_asconf(struct mbuf *, int, int, struct pf_pdesc *,
- struct pfi_kkif *);
+int pf_multihome_scan_init(struct mbuf *, int, int, struct pf_pdesc *);
+int pf_multihome_scan_asconf(struct mbuf *, int, int, struct pf_pdesc *);
u_int32_t pf_new_isn(struct pf_kstate *);
void *pf_pull_hdr(const struct mbuf *, int, void *, int, u_short *, u_short *,
@@ -2400,7 +2398,7 @@
void pf_normalize_init(void);
void pf_normalize_cleanup(void);
-int pf_normalize_tcp(struct pfi_kkif *, struct mbuf *, struct pf_pdesc *);
+int pf_normalize_tcp(struct mbuf *, struct pf_pdesc *);
void pf_normalize_tcp_cleanup(struct pf_kstate *);
int pf_normalize_tcp_init(struct mbuf *, struct pf_pdesc *,
struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *);
@@ -2409,7 +2407,7 @@
struct pf_state_peer *, struct pf_state_peer *, int *);
int pf_normalize_sctp_init(struct mbuf *, struct pf_pdesc *,
struct pf_state_peer *, struct pf_state_peer *);
-int pf_normalize_sctp(struct pfi_kkif *, struct mbuf *, struct pf_pdesc *);
+int pf_normalize_sctp(struct mbuf *, struct pf_pdesc *);
u_int32_t
pf_state_expires(const struct pf_kstate *);
void pf_purge_expired_fragments(void);
@@ -2625,7 +2623,7 @@
struct pfi_kkif **nkif, struct pf_addr *,
struct pf_ksrc_node **);
u_short pf_get_translation(struct pf_pdesc *, struct mbuf *,
- int, struct pfi_kkif *, struct pf_ksrc_node **,
+ int, struct pf_ksrc_node **,
struct pf_state_key **, struct pf_state_key **,
struct pf_addr *, struct pf_addr *,
uint16_t, uint16_t, struct pf_kanchor_stackframe *,
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -213,14 +213,14 @@
}
static int
-pflog_packet(struct pfi_kkif *kif, struct mbuf *m,
- uint8_t action, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
+pflog_packet(struct mbuf *m, uint8_t action, u_int8_t reason,
+ struct pf_krule *rm, struct pf_krule *am,
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{
struct ifnet *ifn;
struct pfloghdr hdr;
- if (kif == NULL || m == NULL || rm == NULL || pd == NULL)
+ if (m == NULL || rm == NULL || pd == NULL)
return (1);
ifn = V_pflogifs[rm->logif];
@@ -232,7 +232,7 @@
hdr.af = pd->af;
hdr.action = action;
hdr.reason = reason;
- memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
+ memcpy(hdr.ifname, pd->kif->pfik_name, sizeof(hdr.ifname));
if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -320,45 +320,39 @@
static int pf_test_eth_rule(int, struct pfi_kkif *,
struct mbuf **);
static int pf_test_rule(struct pf_krule **, struct pf_kstate **,
- struct pfi_kkif *, struct mbuf *,
- struct pf_pdesc *, struct pf_krule **,
+ struct mbuf *, struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **, struct inpcb *);
static int pf_create_state(struct pf_krule *, struct pf_krule *,
struct pf_krule *, struct pf_pdesc *,
struct pf_ksrc_node *, struct pf_state_key *,
struct pf_state_key *, struct mbuf *,
- u_int16_t, u_int16_t, int *, struct pfi_kkif *,
+ u_int16_t, u_int16_t, int *,
struct pf_kstate **, int, u_int16_t, u_int16_t,
struct pf_krule_slist *, struct pf_udp_mapping *);
static int pf_state_key_addr_setup(struct pf_pdesc *, struct mbuf *,
struct pf_state_key_cmp *, int, struct pf_addr *,
int, struct pf_addr *, int);
static int pf_tcp_track_full(struct pf_kstate **,
- struct pfi_kkif *, struct mbuf *,
- struct pf_pdesc *, u_short *, int *);
+ struct mbuf *, struct pf_pdesc *, u_short *, int *);
static int pf_tcp_track_sloppy(struct pf_kstate **,
struct pf_pdesc *, u_short *);
static int pf_test_state_tcp(struct pf_kstate **,
- struct pfi_kkif *, struct mbuf *,
- struct pf_pdesc *, u_short *);
+ struct mbuf *, struct pf_pdesc *, u_short *);
static int pf_test_state_udp(struct pf_kstate **,
- struct pfi_kkif *, struct mbuf *,
- struct pf_pdesc *);
+ struct mbuf *, struct pf_pdesc *);
int pf_icmp_state_lookup(struct pf_state_key_cmp *,
struct pf_pdesc *, struct pf_kstate **, struct mbuf *,
- int, struct pfi_kkif *, u_int16_t, u_int16_t,
+ int, u_int16_t, u_int16_t,
int, int *, int, int);
-static int pf_test_state_icmp(struct pf_kstate **,
- struct pfi_kkif *, struct mbuf *,
+static int pf_test_state_icmp(struct pf_kstate **, struct mbuf *,
struct pf_pdesc *, u_short *);
static void pf_sctp_multihome_detach_addr(const struct pf_kstate *);
static void pf_sctp_multihome_delayed(struct pf_pdesc *,
struct pfi_kkif *, struct pf_kstate *, int);
-static int pf_test_state_sctp(struct pf_kstate **,
- struct pfi_kkif *, struct mbuf *,
+static int pf_test_state_sctp(struct pf_kstate **, struct mbuf *,
struct pf_pdesc *, u_short *);
static int pf_test_state_other(struct pf_kstate **,
- struct pfi_kkif *, struct mbuf *, struct pf_pdesc *);
+ struct mbuf *, struct pf_pdesc *);
static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
int, u_int16_t);
static int pf_check_proto_cksum(struct mbuf *, int, int,
@@ -373,8 +367,7 @@
const struct pf_state_key_cmp *, u_int);
static int pf_src_connlimit(struct pf_kstate **);
static int pf_match_rcvif(struct mbuf *, struct pf_krule *);
-static void pf_counters_inc(int,
- struct pf_pdesc *, struct pfi_kkif *,
+static void pf_counters_inc(int, struct pf_pdesc *,
struct pf_kstate *, struct pf_krule *,
struct pf_krule *);
static void pf_overload_task(void *v, int pending);
@@ -422,10 +415,10 @@
#define PACKET_LOOPED(pd) ((pd)->pf_mtag && \
(pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
-#define STATE_LOOKUP(i, k, s, pd) \
+#define STATE_LOOKUP(k, s, pd) \
do { \
- (s) = pf_find_state((i), (k), (pd->dir)); \
- SDT_PROBE5(pf, ip, state, lookup, i, k, (pd->dir), pd, (s)); \
+ (s) = pf_find_state((pd->kif), (k), (pd->dir)); \
+ SDT_PROBE5(pf, ip, state, lookup, pd->kif, k, (pd->dir), pd, (s)); \
if ((s) == NULL) \
return (PF_DROP); \
if (PACKET_LOOPED(pd)) \
@@ -3655,7 +3648,7 @@
static void
pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
struct pf_state_key *sk, struct mbuf *m, struct tcphdr *th,
- struct pfi_kkif *kif, u_int16_t bproto_sum, u_int16_t bip_sum,
+ u_int16_t bproto_sum, u_int16_t bip_sum,
u_short *reason, int rtableid)
{
struct pf_addr * const saddr = pd->src;
@@ -4865,7 +4858,7 @@
} while (0)
static int
-pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
+pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
struct mbuf *m, struct pf_pdesc *pd, struct pf_krule **am,
struct pf_kruleset **rsm, struct inpcb *inp)
{
@@ -4956,7 +4949,7 @@
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
/* check packet for BINAT/NAT/RDR */
- transerror = pf_get_translation(pd, m, pd->off, kif, &nsn, &sk,
+ transerror = pf_get_translation(pd, m, pd->off, &nsn, &sk,
&nk, saddr, daddr, sport, dport, anchor_stack, &nr, &udp_mapping);
switch (transerror) {
default:
@@ -4971,7 +4964,7 @@
KASSERT(nk != NULL, ("%s: null nk", __func__));
if (nr->log) {
- PFLOG_PACKET(kif, m, PF_PASS, PFRES_MATCH, nr, a,
+ PFLOG_PACKET(m, PF_PASS, PFRES_MATCH, nr, a,
ruleset, pd, 1);
}
@@ -5116,7 +5109,7 @@
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
- PF_TEST_ATTRIB(pfi_kkif_match(r->kif, kif) == r->ifnot,
+ PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot,
r->skip[PF_SKIP_IFP]);
PF_TEST_ATTRIB(r->direction && r->direction != pd->dir,
r->skip[PF_SKIP_DIR]);
@@ -5125,7 +5118,7 @@
PF_TEST_ATTRIB(r->proto && r->proto != pd->proto,
r->skip[PF_SKIP_PROTO]);
PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, saddr, pd->af,
- r->src.neg, kif, M_GETFIB(m)),
+ r->src.neg, pd->kif, M_GETFIB(m)),
r->skip[PF_SKIP_SRC_ADDR]);
PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, daddr, pd->af,
r->dst.neg, NULL, M_GETFIB(m)),
@@ -5225,7 +5218,7 @@
pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log || pd->act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(kif, m,
+ PFLOG_PACKET(m,
r->action, PFRES_MATCH, r,
a, ruleset, pd, 1);
} else {
@@ -5234,7 +5227,7 @@
*am = a;
*rsm = ruleset;
if (pd->act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(kif, m,
+ PFLOG_PACKET(m,
r->action, PFRES_MATCH, r,
a, ruleset, pd, 1);
}
@@ -5262,7 +5255,7 @@
if (r->log || pd->act.log & PF_LOG_MATCHES) {
if (rewrite)
m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any);
- PFLOG_PACKET(kif, m, r->action, reason, r, a, ruleset, pd, 1);
+ PFLOG_PACKET(m, r->action, reason, r, a, ruleset, pd, 1);
}
if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
@@ -5270,7 +5263,7 @@
((r->rule_flag & PFRULE_RETURNRST) ||
(r->rule_flag & PFRULE_RETURNICMP) ||
(r->rule_flag & PFRULE_RETURN))) {
- pf_return(r, nr, pd, sk, m, th, kif, bproto_sum,
+ pf_return(r, nr, pd, sk, m, th, bproto_sum,
bip_sum, &reason, r->rtableid);
}
@@ -5289,13 +5282,13 @@
(pd->flags & PFDESC_TCP_NORM)))) {
int action;
action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m,
- sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
+ sport, dport, &rewrite, sm, tag, bproto_sum, bip_sum,
&match_rules, udp_mapping);
if (action != PF_PASS) {
pf_udp_mapping_release(udp_mapping);
if (action == PF_DROP &&
(r->rule_flag & PFRULE_RETURN))
- pf_return(r, nr, pd, sk, m, th, kif,
+ pf_return(r, nr, pd, sk, m, th,
bproto_sum, bip_sum, &reason,
pd->act.rtableid);
return (action);
@@ -5345,7 +5338,7 @@
pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk,
struct pf_state_key *sk, struct mbuf *m, u_int16_t sport,
- u_int16_t dport, int *rewrite, struct pfi_kkif *kif, struct pf_kstate **sm,
+ u_int16_t dport, int *rewrite, struct pf_kstate **sm,
int tag, u_int16_t bproto_sum, u_int16_t bip_sum,
struct pf_krule_slist *match_rules, struct pf_udp_mapping *udp_mapping)
{
@@ -5518,7 +5511,7 @@
__func__, nr, sk, nk));
/* Swap sk/nk for PF_OUT. */
- if (pf_state_insert(BOUND_IFACE(s, kif), kif,
+ if (pf_state_insert(BOUND_IFACE(s, pd->kif), pd->kif,
(pd->dir == PF_IN) ? sk : nk,
(pd->dir == PF_IN) ? nk : sk, s)) {
REASON_SET(&reason, PFRES_STATEINS);
@@ -5610,9 +5603,8 @@
}
static int
-pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif,
- struct mbuf *m, struct pf_pdesc *pd, u_short *reason,
- int *copyback)
+pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m,
+ struct pf_pdesc *pd, u_short *reason, int *copyback)
{
struct tcphdr *th = &pd->hdr.tcp;
struct pf_state_peer *src, *dst;
@@ -6131,9 +6123,8 @@
}
static int
-pf_test_state_tcp(struct pf_kstate **state, struct pfi_kkif *kif,
- struct mbuf *m, struct pf_pdesc *pd,
- u_short *reason)
+pf_test_state_tcp(struct pf_kstate **state, struct mbuf *m,
+ struct pf_pdesc *pd, u_short *reason)
{
struct pf_state_key_cmp key;
struct tcphdr *th = &pd->hdr.tcp;
@@ -6156,7 +6147,7 @@
key.port[0] = th->th_dport;
}
- STATE_LOOKUP(kif, &key, *state, pd);
+ STATE_LOOKUP(&key, *state, pd);
if (pd->dir == (*state)->direction) {
src = &(*state)->src;
@@ -6191,7 +6182,7 @@
if (pf_tcp_track_sloppy(state, pd, reason) == PF_DROP)
return (PF_DROP);
} else {
- if (pf_tcp_track_full(state, kif, m, pd, reason,
+ if (pf_tcp_track_full(state, m, pd, reason,
&copyback) == PF_DROP)
return (PF_DROP);
}
@@ -6222,8 +6213,8 @@
}
static int
-pf_test_state_udp(struct pf_kstate **state, struct pfi_kkif *kif,
- struct mbuf *m, struct pf_pdesc *pd)
+pf_test_state_udp(struct pf_kstate **state, struct mbuf *m,
+ struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
struct pf_state_key_cmp key;
@@ -6245,7 +6236,7 @@
key.port[0] = uh->uh_dport;
}
- STATE_LOOKUP(kif, &key, *state, pd);
+ STATE_LOOKUP(&key, *state, pd);
if (pd->dir == (*state)->direction) {
src = &(*state)->src;
@@ -6294,8 +6285,8 @@
}
static int
-pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
- struct mbuf *m, struct pf_pdesc *pd, u_short *reason)
+pf_test_state_sctp(struct pf_kstate **state, struct mbuf *m,
+ struct pf_pdesc *pd, u_short *reason)
{
struct pf_state_key_cmp key;
struct pf_state_peer *src, *dst;
@@ -6317,7 +6308,7 @@
key.port[0] = sh->dest_port;
}
- STATE_LOOKUP(kif, &key, *state, pd);
+ STATE_LOOKUP(&key, *state, pd);
if (pd->dir == (*state)->direction) {
src = &(*state)->src;
@@ -6559,7 +6550,8 @@
* we cannot know what interfaces it will use.
* That's why we pass V_pfi_all rather than kif.
*/
- ret = pf_test_rule(&r, &sm, V_pfi_all,
+ j->pd.kif = V_pfi_all;
+ ret = pf_test_rule(&r, &sm,
j->m, &j->pd, &ra, &rs, NULL);
PF_RULES_RUNLOCK();
SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, ret);
@@ -6678,7 +6670,7 @@
static int
pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
- struct pfi_kkif *kif, int op)
+ int op)
{
int off = 0;
struct pf_sctp_multihome_job *job;
@@ -6777,7 +6769,7 @@
return (PF_DROP);
ret = pf_multihome_scan(m, start + off + sizeof(ah),
- ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
+ ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_ADD_IP_ADDRESS);
if (ret != PF_PASS)
return (ret);
@@ -6791,7 +6783,7 @@
NULL, NULL, pd->af))
return (PF_DROP);
ret = pf_multihome_scan(m, start + off + sizeof(ah),
- ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
+ ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_DEL_IP_ADDRESS);
if (ret != PF_PASS)
return (ret);
@@ -6807,29 +6799,28 @@
return (PF_PASS);
}
int
-pf_multihome_scan_init(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
- struct pfi_kkif *kif)
+pf_multihome_scan_init(struct mbuf *m, int start, int len, struct pf_pdesc *pd)
{
start += sizeof(struct sctp_init_chunk);
len -= sizeof(struct sctp_init_chunk);
- return (pf_multihome_scan(m, start, len, pd, kif, SCTP_ADD_IP_ADDRESS));
+ return (pf_multihome_scan(m, start, len, pd, SCTP_ADD_IP_ADDRESS));
}
int
pf_multihome_scan_asconf(struct mbuf *m, int start, int len,
- struct pf_pdesc *pd, struct pfi_kkif *kif)
+ struct pf_pdesc *pd)
{
start += sizeof(struct sctp_asconf_chunk);
len -= sizeof(struct sctp_asconf_chunk);
- return (pf_multihome_scan(m, start, len, pd, kif, SCTP_ADD_IP_ADDRESS));
+ return (pf_multihome_scan(m, start, len, pd, SCTP_ADD_IP_ADDRESS));
}
int
pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
struct pf_kstate **state, struct mbuf *m, int direction,
- struct pfi_kkif *kif, u_int16_t icmpid, u_int16_t type, int icmp_dir,
+ u_int16_t icmpid, u_int16_t type, int icmp_dir,
int *iidx, int multi, int inner)
{
key->af = pd->af;
@@ -6847,7 +6838,7 @@
pd->didx, pd->dst, multi))
return (PF_DROP);
- STATE_LOOKUP(kif, key, *state, pd);
+ STATE_LOOKUP(key, *state, pd);
if ((*state)->state_flags & PFSTATE_SLOPPY)
return (-1);
@@ -6871,8 +6862,8 @@
}
static int
-pf_test_state_icmp(struct pf_kstate **state, struct pfi_kkif *kif,
- struct mbuf *m, struct pf_pdesc *pd, u_short *reason)
+pf_test_state_icmp(struct pf_kstate **state, struct mbuf *m,
+ struct pf_pdesc *pd, u_short *reason)
{
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
u_int16_t *icmpsum, virtual_id, virtual_type;
@@ -6914,14 +6905,14 @@
* Search for an ICMP state.
*/
ret = pf_icmp_state_lookup(&key, pd, state, m, pd->dir,
- kif, virtual_id, virtual_type, icmp_dir, &iidx,
+ virtual_id, virtual_type, icmp_dir, &iidx,
PF_ICMP_MULTI_NONE, 0);
if (ret >= 0) {
MPASS(*state == NULL);
if (ret == PF_DROP && pd->af == AF_INET6 &&
icmp_dir == PF_OUT) {
ret = pf_icmp_state_lookup(&key, pd, state, m,
- pd->dir, kif, virtual_id, virtual_type,
+ pd->dir, virtual_id, virtual_type,
icmp_dir, &iidx, multi, 0);
if (ret >= 0) {
MPASS(*state == NULL);
@@ -7112,7 +7103,7 @@
key.port[pd2.sidx] = th.th_sport;
key.port[pd2.didx] = th.th_dport;
- STATE_LOOKUP(kif, &key, *state, pd);
+ STATE_LOOKUP(&key, *state, pd);
if (pd->dir == (*state)->direction) {
src = &(*state)->dst;
@@ -7233,7 +7224,7 @@
key.port[pd2.sidx] = uh.uh_sport;
key.port[pd2.didx] = uh.uh_dport;
- STATE_LOOKUP(kif, &key, *state, pd);
+ STATE_LOOKUP(&key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -7304,7 +7295,7 @@
&icmp_dir, &multi, &virtual_id, &virtual_type);
ret = pf_icmp_state_lookup(&key, &pd2, state, m,
- pd2.dir, kif, virtual_id, virtual_type,
+ pd2.dir, virtual_id, virtual_type,
icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1);
if (ret >= 0) {
MPASS(*state == NULL);
@@ -7366,14 +7357,14 @@
&icmp_dir, &multi, &virtual_id, &virtual_type);
ret = pf_icmp_state_lookup(&key, &pd2, state, m,
- pd->dir, kif, virtual_id, virtual_type,
+ pd->dir, virtual_id, virtual_type,
icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1);
if (ret >= 0) {
MPASS(*state == NULL);
if (ret == PF_DROP && pd2.af == AF_INET6 &&
icmp_dir == PF_OUT) {
ret = pf_icmp_state_lookup(&key, &pd2,
- state, m, pd->dir, kif,
+ state, m, pd->dir,
virtual_id, virtual_type,
icmp_dir, &iidx, multi, 1);
if (ret >= 0) {
@@ -7427,7 +7418,7 @@
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = 0;
- STATE_LOOKUP(kif, &key, *state, pd);
+ STATE_LOOKUP(&key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -7476,8 +7467,8 @@
}
static int
-pf_test_state_other(struct pf_kstate **state, struct pfi_kkif *kif,
- struct mbuf *m, struct pf_pdesc *pd)
+pf_test_state_other(struct pf_kstate **state, struct mbuf *m,
+ struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
struct pf_state_key_cmp key;
@@ -7496,7 +7487,7 @@
key.port[1] = key.port[0] = 0;
}
- STATE_LOOKUP(kif, &key, *state, pd);
+ STATE_LOOKUP(&key, *state, pd);
if (pd->dir == (*state)->direction) {
src = &(*state)->src;
@@ -8614,6 +8605,7 @@
pd->af = af;
pd->dir = dir;
+ pd->kif = kif;
pd->sidx = (dir == PF_IN) ? 0 : 1;
pd->didx = (dir == PF_IN) ? 1 : 0;
@@ -8640,7 +8632,7 @@
return (-1);
}
- if (pf_normalize_ip(m0, kif, reason, pd) != PF_PASS) {
+ if (pf_normalize_ip(m0, reason, pd) != PF_PASS) {
/* We do IP header normalization and packet reassembly here */
*action = PF_DROP;
return (-1);
@@ -8722,7 +8714,7 @@
}
/* We do IP header normalization and packet reassembly here */
- if (pf_normalize_ip6(m0, kif, fragoff, reason, pd) !=
+ if (pf_normalize_ip6(m0, fragoff, reason, pd) !=
PF_PASS) {
*action = PF_DROP;
return (-1);
@@ -8815,7 +8807,7 @@
REASON_SET(reason, PFRES_SHORT);
return (-1);
}
- if (pf_scan_sctp(m, pd->off, pd, kif) != PF_PASS) {
+ if (pf_scan_sctp(m, pd) != PF_PASS) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
return (-1);
@@ -8870,8 +8862,7 @@
static void
pf_counters_inc(int action, struct pf_pdesc *pd,
- struct pfi_kkif *kif, struct pf_kstate *s,
- struct pf_krule *r, struct pf_krule *a)
+ struct pf_kstate *s, struct pf_krule *r, struct pf_krule *a)
{
struct pf_krule *tr;
int dir = pd->dir;
@@ -8879,10 +8870,10 @@
pf_counter_u64_critical_enter();
pf_counter_u64_add_protected(
- &kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
+ &pd->kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
pd->tot_len);
pf_counter_u64_add_protected(
- &kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
+ &pd->kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
1);
if (action == PF_PASS || r->action == PF_DROP) {
@@ -9087,7 +9078,7 @@
if (kif == NULL || r == NULL) /* pflog */
action = PF_DROP;
else
- action = pf_test_rule(&r, &s, kif, m, &pd, &a,
+ action = pf_test_rule(&r, &s, m, &pd, &a,
&ruleset, inp);
if (action != PF_PASS)
REASON_SET(&reason, PFRES_FRAG);
@@ -9104,10 +9095,10 @@
if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0)
use_2nd_queue = 1;
- action = pf_normalize_tcp(kif, m, &pd);
+ action = pf_normalize_tcp(m, &pd);
if (action == PF_DROP)
goto done;
- action = pf_test_state_tcp(&s, kif, m, &pd, &reason);
+ action = pf_test_state_tcp(&s, m, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@@ -9133,7 +9124,7 @@
if (action != PF_PASS)
break;
- action = pf_test_state_tcp(&s, kif, m,
+ action = pf_test_state_tcp(&s, m,
&pd, &reason);
if (action != PF_PASS || s == NULL) {
action = PF_DROP;
@@ -9146,7 +9137,7 @@
action = pf_synproxy(&pd, &s, &reason);
break;
} else {
- action = pf_test_rule(&r, &s, kif, m, &pd,
+ action = pf_test_rule(&r, &s, m, &pd,
&a, &ruleset, inp);
}
}
@@ -9154,30 +9145,30 @@
}
case IPPROTO_UDP: {
- action = pf_test_state_udp(&s, kif, m, &pd);
+ action = pf_test_state_udp(&s, m, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, kif, m, &pd,
+ action = pf_test_rule(&r, &s, m, &pd,
&a, &ruleset, inp);
break;
}
case IPPROTO_SCTP: {
- action = pf_normalize_sctp(kif, m, &pd);
+ action = pf_normalize_sctp(m, &pd);
if (action == PF_DROP)
goto done;
- action = pf_test_state_sctp(&s, kif, m, &pd, &reason);
+ action = pf_test_state_sctp(&s, m, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL) {
- action = pf_test_rule(&r, &s, kif, m,
+ action = pf_test_rule(&r, &s, m,
&pd, &a, &ruleset, inp);
}
break;
@@ -9191,14 +9182,14 @@
("dropping IPv6 packet with ICMPv4 payload"));
goto done;
}
- action = pf_test_state_icmp(&s, kif, m, &pd, &reason);
+ action = pf_test_state_icmp(&s, m, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, kif, m, &pd,
+ action = pf_test_rule(&r, &s, m, &pd,
&a, &ruleset, inp);
break;
}
@@ -9211,27 +9202,27 @@
("pf: dropping IPv4 packet with ICMPv6 payload\n"));
goto done;
}
- action = pf_test_state_icmp(&s, kif, m, &pd, &reason);
+ action = pf_test_state_icmp(&s, m, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, kif, m, &pd,
+ action = pf_test_rule(&r, &s, m, &pd,
&a, &ruleset, inp);
break;
}
default:
- action = pf_test_state_other(&s, kif, m, &pd);
+ action = pf_test_state_other(&s, m, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, kif, m, &pd,
+ action = pf_test_rule(&r, &s, m, &pd,
&a, &ruleset, inp);
break;
}
@@ -9379,17 +9370,17 @@
lr = r;
if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
- PFLOG_PACKET(kif, m, action, reason, lr, a,
+ PFLOG_PACKET(m, action, reason, lr, a,
ruleset, &pd, (s == NULL));
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL)
- PFLOG_PACKET(kif, m, action,
+ PFLOG_PACKET(m, action,
reason, ri->r, a, ruleset, &pd, 0);
}
}
- pf_counters_inc(action, &pd, kif, s, r, a);
+ pf_counters_inc(action, &pd, s, r, a);
switch (action) {
case PF_SYNPROXY_DROP:
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -64,7 +64,7 @@
static void pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
static struct pf_krule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
- struct pfi_kkif *, struct pf_addr *, u_int16_t,
+ struct pf_addr *, u_int16_t,
struct pf_addr *, uint16_t, int,
struct pf_kanchor_stackframe *);
static int pf_get_sport(sa_family_t, uint8_t, struct pf_krule *,
@@ -132,7 +132,7 @@
static struct pf_krule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m,
- struct pfi_kkif *kif, struct pf_addr *saddr, u_int16_t sport,
+ struct pf_addr *saddr, u_int16_t sport,
struct pf_addr *daddr, uint16_t dport, int rs_num,
struct pf_kanchor_stackframe *anchor_stack)
{
@@ -157,7 +157,7 @@
}
pf_counter_u64_add(&r->evaluations, 1);
- if (pfi_kkif_match(r->kif, kif) == r->ifnot)
+ if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR];
@@ -166,7 +166,7 @@
else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
- src->neg, kif, M_GETFIB(m)))
+ src->neg, pd->kif, M_GETFIB(m)))
r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
PF_SKIP_DST_ADDR];
else if (src->port_op && !pf_match_port(src->port_op,
@@ -697,9 +697,8 @@
u_short
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
- struct pfi_kkif *kif, struct pf_ksrc_node **sn,
- struct pf_state_key **skp, struct pf_state_key **nkp,
- struct pf_addr *saddr, struct pf_addr *daddr,
+ struct pf_ksrc_node **sn, struct pf_state_key **skp,
+ struct pf_state_key **nkp, struct pf_addr *saddr, struct pf_addr *daddr,
uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack,
struct pf_krule **rp,
struct pf_udp_mapping **udp_mapping)
@@ -717,17 +716,17 @@
*rp = NULL;
if (pd->dir == PF_OUT) {
- r = pf_match_translation(pd, m, kif, saddr,
+ r = pf_match_translation(pd, m, saddr,
sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
if (r == NULL)
- r = pf_match_translation(pd, m, kif,
+ r = pf_match_translation(pd, m,
saddr, sport, daddr, dport, PF_RULESET_NAT,
anchor_stack);
} else {
- r = pf_match_translation(pd, m, kif, saddr,
+ r = pf_match_translation(pd, m, saddr,
sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
if (r == NULL)
- r = pf_match_translation(pd, m, kif,
+ r = pf_match_translation(pd, m,
saddr, sport, daddr, dport, PF_RULESET_BINAT,
anchor_stack);
}
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1047,7 +1047,7 @@
#ifdef INET
int
-pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
+pf_normalize_ip(struct mbuf **m0, u_short *reason,
struct pf_pdesc *pd)
{
struct mbuf *m = *m0;
@@ -1078,7 +1078,7 @@
scrub_compat = (r != NULL);
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
- if (pfi_kkif_match(r->kif, kif) == r->ifnot)
+ if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR];
@@ -1088,7 +1088,7 @@
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr,
(struct pf_addr *)&h->ip_src.s_addr, AF_INET,
- r->src.neg, kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (PF_MISMATCHAW(&r->dst.addr,
(struct pf_addr *)&h->ip_dst.s_addr, AF_INET,
@@ -1201,7 +1201,7 @@
REASON_SET(reason, PFRES_FRAG);
drop:
if (r != NULL && r->log)
- PFLOG_PACKET(kif, m, PF_DROP, *reason, r, NULL, NULL, pd, 1);
+ PFLOG_PACKET(m, PF_DROP, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
}
@@ -1209,8 +1209,8 @@
#ifdef INET6
int
-pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
- int off, u_short *reason, struct pf_pdesc *pd)
+pf_normalize_ip6(struct mbuf **m0, int off, u_short *reason,
+ struct pf_pdesc *pd)
{
struct mbuf *m;
struct pf_krule *r;
@@ -1233,7 +1233,7 @@
scrub_compat = (r != NULL);
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
- if (pfi_kkif_match(r->kif, kif) == r->ifnot)
+ if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR];
@@ -1243,7 +1243,7 @@
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr,
(struct pf_addr *)&pd->src, AF_INET6,
- r->src.neg, kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (PF_MISMATCHAW(&r->dst.addr,
(struct pf_addr *)&pd->dst, AF_INET6,
@@ -1287,7 +1287,7 @@
#endif /* INET6 */
int
-pf_normalize_tcp(struct pfi_kkif *kif, struct mbuf *m, struct pf_pdesc *pd)
+pf_normalize_tcp(struct mbuf *m, struct pf_pdesc *pd)
{
struct pf_krule *r, *rm = NULL;
struct tcphdr *th = &pd->hdr.tcp;
@@ -1305,7 +1305,7 @@
srs = (r != NULL);
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
- if (pfi_kkif_match(r->kif, kif) == r->ifnot)
+ if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR];
@@ -1314,7 +1314,7 @@
else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
- r->src.neg, kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], th->th_sport))
@@ -1406,7 +1406,7 @@
tcp_drop:
REASON_SET(&reason, PFRES_NORM);
if (rm != NULL && r->log)
- PFLOG_PACKET(kif, m, PF_DROP, reason, r, NULL, NULL, pd, 1);
+ PFLOG_PACKET(m, PF_DROP, reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
}
@@ -1969,16 +1969,15 @@
}
int
-pf_scan_sctp(struct mbuf *m, int off, struct pf_pdesc *pd,
- struct pfi_kkif *kif)
+pf_scan_sctp(struct mbuf *m, struct pf_pdesc *pd)
{
struct sctp_chunkhdr ch = { };
int chunk_off = sizeof(struct sctphdr);
int chunk_start;
int ret;
- while (off + chunk_off < pd->tot_len) {
- if (!pf_pull_hdr(m, off + chunk_off, &ch, sizeof(ch), NULL,
+ while (pd->off + chunk_off < pd->tot_len) {
+ if (!pf_pull_hdr(m, pd->off + chunk_off, &ch, sizeof(ch), NULL,
NULL, pd->af))
return (PF_DROP);
@@ -1994,7 +1993,7 @@
case SCTP_INITIATION_ACK: {
struct sctp_init_chunk init;
- if (!pf_pull_hdr(m, off + chunk_start, &init,
+ if (!pf_pull_hdr(m, pd->off + chunk_start, &init,
sizeof(init), NULL, NULL, pd->af))
return (PF_DROP);
@@ -2026,8 +2025,8 @@
else
pd->sctp_flags |= PFDESC_SCTP_INIT_ACK;
- ret = pf_multihome_scan_init(m, off + chunk_start,
- ntohs(init.ch.chunk_length), pd, kif);
+ ret = pf_multihome_scan_init(m, pd->off + chunk_start,
+ ntohs(init.ch.chunk_length), pd);
if (ret != PF_PASS)
return (ret);
@@ -2061,8 +2060,8 @@
case SCTP_ASCONF:
pd->sctp_flags |= PFDESC_SCTP_ASCONF;
- ret = pf_multihome_scan_asconf(m, off + chunk_start,
- ntohs(ch.chunk_length), pd, kif);
+ ret = pf_multihome_scan_asconf(m, pd->off + chunk_start,
+ ntohs(ch.chunk_length), pd);
if (ret != PF_PASS)
return (ret);
break;
@@ -2073,7 +2072,7 @@
}
/* Validate chunk lengths vs. packet length. */
- if (off + chunk_off != pd->tot_len)
+ if (pd->off + chunk_off != pd->tot_len)
return (PF_DROP);
/*
@@ -2094,8 +2093,7 @@
}
int
-pf_normalize_sctp(struct pfi_kkif *kif, struct mbuf *m,
- struct pf_pdesc *pd)
+pf_normalize_sctp(struct mbuf *m, struct pf_pdesc *pd)
{
struct pf_krule *r, *rm = NULL;
struct sctphdr *sh = &pd->hdr.sctp;
@@ -2111,7 +2109,7 @@
srs = (r != NULL);
while (r != NULL) {
pf_counter_u64_add(&r->evaluations, 1);
- if (pfi_kkif_match(r->kif, kif) == r->ifnot)
+ if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP];
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR];
@@ -2120,7 +2118,7 @@
else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
- r->src.neg, kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], sh->src_port))
@@ -2163,7 +2161,7 @@
sctp_drop:
REASON_SET(&reason, PFRES_NORM);
if (rm != NULL && r->log)
- PFLOG_PACKET(kif, m, PF_DROP, reason, r, NULL, NULL, pd,
+ PFLOG_PACKET(m, PF_DROP, reason, r, NULL, NULL, pd,
1);
return (PF_DROP);

File Metadata

Mime Type
text/plain
Expires
Sat, May 3, 1:52 AM (13 h, 40 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
17916822
Default Alt Text
D46939.diff (35 KB)

Event Timeline