Date:      Sun, 19 Aug 2018 00:42:05 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r338036 - stable/11/sys/netpfil/pf
Message-ID:  <201808190042.w7J0g5D0031923@repo.freebsd.org>

Author: kp
Date: Sun Aug 19 00:42:05 2018
New Revision: 338036
URL: https://svnweb.freebsd.org/changeset/base/338036

Log:
  MFC r337643:
  
  pf: Fix 'set skip on' for groups
  
  The pfi_skip_if() function sometimes caused skipping of groups to work,
  if the members of the group used the groupname as a name prefix.
  This is often the case, e.g. group lo usually contains lo0, lo1, ...,
  but not always.
  
  Rather than relying on the name, explicitly check for group memberships.
  
  Obtained from:	OpenBSD (pf_if.c,v 1.62, pf_if.c,v 1.63)

Modified:
  stable/11/sys/netpfil/pf/pf_if.c

Modified: stable/11/sys/netpfil/pf/pf_if.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf_if.c	Sun Aug 19 00:22:21 2018	(r338035)
+++ stable/11/sys/netpfil/pf/pf_if.c	Sun Aug 19 00:42:05 2018	(r338036)
@@ -734,6 +734,7 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf, 
 static int
 pfi_skip_if(const char *filter, struct pfi_kif *p)
 {
+	struct ifg_list *i;
 	int	n;
 
 	if (filter == NULL || !*filter)
@@ -744,10 +745,19 @@ pfi_skip_if(const char *filter, struct pfi_kif *p)
 	if (n < 1 || n >= IFNAMSIZ)
 		return (1);	/* sanity check */
 	if (filter[n-1] >= '0' && filter[n-1] <= '9')
-		return (1);	/* only do exact match in that case */
-	if (strncmp(p->pfik_name, filter, n))
-		return (1);	/* prefix doesn't match */
-	return (p->pfik_name[n] < '0' || p->pfik_name[n] > '9');
+		return (1);	/* group names may not end in a digit */
+	if (p->pfik_ifp != NULL) {
+		IF_ADDR_RLOCK(p->pfik_ifp);
+		TAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next) {
+			if (!strncmp(i->ifgl_group->ifg_group, filter,
+			      IFNAMSIZ)) {
+				IF_ADDR_RUNLOCK(p->pfik_ifp);
+				return (0); /* iface is in group "filter" */
+			}
+		}
+		IF_ADDR_RUNLOCK(p->pfik_ifp);
+	}
+	return (1);
 }
 
 int
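Review bot: The group lookup only runs when `p->pfik_ifp != NULL`, and the fall-through `return (1);` at the end of the function carries no comment, so a kif with no attached ifnet silently never matches a group filter. Because this result decides whether pf filtering is skipped on an interface, that fail-closed choice deserves a comment above the final return, e.g. `/* no ifnet, or not a member of group "filter": do not skip */`. Membership is read once at call time; presumably the caller re-evaluates when an interface attaches or changes groups, but that is not visible here and is worth confirming, since a stale skip flag would leave an interface unfiltered. As a style point, `strncmp(...) == 0` reads more clearly than `!strncmp(...)` in the loop condition. pfi_skip_if begins in the previous hunk and the lines between the two hunks are not shown.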


