Date:      Mon, 21 Jul 2008 09:58:25 GMT
From:      Gleb Kurtsou <gk@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 145550 for review
Message-ID:  <200807210958.m6L9wPGU084442@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=145550

Change 145550 by gk@gk_h1 on 2008/07/21 09:57:25

	add src_ether and dst_ether to struct pf_pdesc
	use pf_addr_ether to compare addresses in pf_match_addr_ether

Affected files ...

.. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#3 edit
.. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#3 edit

Differences ...

==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#3 (text+ko) ====

@@ -335,7 +335,7 @@
 			    kif, &key, PF_LAN_EXT);			\
 		if (*state == NULL || (*state)->timeout == PFTM_PURGE)	\
 			return (PF_DROP);				\
-		if (!pf_state_check_ether(*state, pd, direction))	\
+		if (!pf_state_match_addr_ether(*state, pd, direction))	\
 			return (PF_DROP);				\
 		if (direction == PF_OUT &&				\
 		    (((*state)->rule.ptr->rt == PF_ROUTETO &&		\
@@ -702,7 +702,7 @@
 }
 
 static __inline int
-pf_addr_ether_pass(struct pf_addr_ether *want, u_int8_t *ea)
+pf_match_addr_ether(struct pf_addr_ether *want, struct pf_addr_ether *a, int match_empty)
 {
 	static struct pf_addr_ether mask = {
 		.octet = { 0xff, 0xff, 0xff, 0xff, 0xff,0xff },
@@ -710,41 +710,33 @@
 	};
 	if ((want->flags & PFAE_CHECK) == 0)
 		return (1);
+	if ((a->flags & PFAE_CHECK) == 0)
+		return (match_empty);
 	if (want->flags & PFAE_MULTICAST) {
-		return (ETHER_IS_MULTICAST(ea));
+		return (ETHER_IS_MULTICAST(a->octet));
 	}
 	
-#define EA_CMP(a) (*((u_int64_t*)(a)) & *((u_int64_t*)&mask))
-	return (EA_CMP(want) == EA_CMP(ea));
+#define EA_CMP(x) (*((u_int64_t*)(x)) & *((u_int64_t*)&mask))
+	return (EA_CMP(want) == EA_CMP(a));
 #undef EA_CMP
 }
 
 static __inline int
-pf_rule_check_ether(struct pf_rule *r, struct pf_pdesc *pd)
+pf_rule_match_addr_ether(struct pf_rule *r, struct pf_pdesc *pd)
 {
-	if (!pd->eh) {
-		if ((r->src.addr_ether.flags & PFAE_CHECK) || 
-				(r->dst.addr_ether.flags & PFAE_CHECK))
-			return (0);
-		return (1);
-	}
-
-	if (pf_addr_ether_pass(&r->src.addr_ether, pd->eh->ether_shost) &&
-		pf_addr_ether_pass(&r->dst.addr_ether, pd->eh->ether_dhost))
+	if (pf_match_addr_ether(&r->src.addr_ether, &pd->src_ether, 0) &&
+		pf_match_addr_ether(&r->dst.addr_ether, &pd->dst_ether, 0))
 		return (1);
 
 	return (0);
 }
 
 static __inline int
-pf_state_check_ether(struct pf_state *state, struct pf_pdesc *pd, int direction)
+pf_state_match_addr_ether(struct pf_state *state, struct pf_pdesc *pd, int direction)
 {
 	struct pf_rule 		*r;
 	struct pf_addr_ether	*src, *dst;
 
-	if (!pd->eh)
-		return (1);
-
 	r = state->rule.ptr;
 
 	if (direction == state->direction) {
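Review bot: `EA_CMP` in pf_match_addr_ether still reads each `struct pf_addr_ether` through a `u_int64_t *` cast, so the comparison loads 8 bytes from an object whose size and alignment are not visible in this diff, and it depends on `mask` being zero everywhere past the six octets. If the struct is smaller than 8 bytes or not suitably aligned, that is an out-of-bounds or misaligned read on strict-alignment platforms, and the cast also violates strict aliasing. Since the mask is all-ones over the address, `return (memcmp(want->octet, a->octet, ETHER_ADDR_LEN) == 0);` appears to give the same result without the cast. pf_match_addr_ether begins in the previous hunk, and pf_state_match_addr_ether continues past the end of this one.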
@@ -755,8 +747,8 @@
 		dst = &r->src.addr_ether;
 	}
 
-	if (pf_addr_ether_pass(src, pd->eh->ether_shost) &&
-		pf_addr_ether_pass(dst, pd->eh->ether_dhost))
+	if (pf_match_addr_ether(src, &pd->src_ether, 1) &&
+		pf_match_addr_ether(dst, &pd->dst_ether, 1))
 		return (1);
 
 	return (0);
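Review bot: Both calls here pass `match_empty` as a bare `1`, so a packet whose descriptor carries no Ethernet address matches a state created by a MAC-restricted rule, and nothing in the code says this is intended. It preserves the removed `if (!pd->eh) return (1);` shortcut, but the reason is now hidden in a literal argument. I would add a comment above the `if`, for example `/* packet has no L2 header: accept the state, do not re-check MAC addresses */`, adjusted to the actual rationale, and document `match_empty` on pf_match_addr_ether. The function's closing brace is outside this hunk.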
@@ -3419,7 +3411,7 @@
 		else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
 		    pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint))
 			r = TAILQ_NEXT(r, entries);
-		else if (!pf_rule_check_ether(r, pd))
+		else if (!pf_rule_match_addr_ether(r, pd))
 			r = TAILQ_NEXT(r, entries);
 		else {
 			if (r->tag)
@@ -3840,7 +3832,7 @@
 			r = TAILQ_NEXT(r, entries);
 		else if (r->os_fingerprint != PF_OSFP_ANY)
 			r = TAILQ_NEXT(r, entries);
-		else if (!pf_rule_check_ether(r, pd))
+		else if (!pf_rule_match_addr_ether(r, pd))
 			r = TAILQ_NEXT(r, entries);
 		else {
 			if (r->tag)
@@ -4179,7 +4171,7 @@
 			r = TAILQ_NEXT(r, entries);
 		else if (r->os_fingerprint != PF_OSFP_ANY)
 			r = TAILQ_NEXT(r, entries);
-		else if (!pf_rule_check_ether(r, pd))
+		else if (!pf_rule_match_addr_ether(r, pd))
 			r = TAILQ_NEXT(r, entries);
 		else {
 			if (r->tag)
@@ -4440,7 +4432,7 @@
 			r = TAILQ_NEXT(r, entries);
 		else if (r->os_fingerprint != PF_OSFP_ANY)
 			r = TAILQ_NEXT(r, entries);
-		else if (!pf_rule_check_ether(r, pd))
+		else if (!pf_rule_match_addr_ether(r, pd))
 			r = TAILQ_NEXT(r, entries);
 		else {
 			if (r->tag)
@@ -4667,7 +4659,7 @@
 			r = TAILQ_NEXT(r, entries);
 		else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
 			r = TAILQ_NEXT(r, entries);
-		else if (!pf_rule_check_ether(r, pd))
+		else if (!pf_rule_match_addr_ether(r, pd))
 			r = TAILQ_NEXT(r, entries);
 		else {
 			if (r->anchor == NULL) {
@@ -6921,6 +6913,12 @@
 	pd.tos = h->ip_tos;
 	pd.tot_len = ntohs(h->ip_len);
 	pd.eh = eh;
+	if (eh) {
+		memcpy(pd.src_ether.octet, eh->ether_shost, ETHER_ADDR_LEN);
+		pd.src_ether.flags = PFAE_CHECK;
+		memcpy(pd.dst_ether.octet, eh->ether_dhost, ETHER_ADDR_LEN);
+		pd.dst_ether.flags = PFAE_CHECK;
+	}
 
 	/* handle fragments that didn't get reassembled by normalization */
 	if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
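Review bot: `pd.src_ether.flags` and `pd.dst_ether.flags` are written only when `eh` is non-NULL, so the new matchers rely on `pd` having been zeroed earlier in this function, which is outside the hunk; if it is not, the `PFAE_CHECK` test reads uninitialised stack data. An explicit `else { pd.src_ether.flags = 0; pd.dst_ether.flags = 0; }` would make the empty case independent of that earlier initialisation. This is also the only place in the diff that fills the new fields. Any other path that builds a `struct pf_pdesc` (an IPv6 counterpart, if this branch has one) would leave them empty, and pf_rule_match_addr_ether would then never match a MAC-restricted rule there, block rules included. The enclosing function starts and ends outside the hunk.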

==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#3 (text+ko) ====

@@ -1063,6 +1063,10 @@
 	struct pf_addr	*dst;
 	struct ether_header
 			*eh;
+	struct pf_addr_ether
+			 src_ether;
+	struct pf_addr_ether
+			 dst_ether;
 	struct pf_mtag	*pf_mtag;
 	u_int16_t	*ip_sum;
 	u_int32_t	 p_len;		/* total length of payload */


