Date: Sun, 5 Oct 2014 03:45:20 +0000 (UTC) From: Cy Schubert <cy@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r272552 - head/sys/contrib/ipfilter/netinet Message-ID: <201410050345.s953jKTo015694@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cy Date: Sun Oct 5 03:45:19 2014 New Revision: 272552 URL: https://svnweb.freebsd.org/changeset/base/272552 Log: ipfilter bug #554 Determining why a ipf rule matches is hard -- replace ipfilter rule compare with new ipf_rule_compare() function. Obtained from: ipfilter CVS rep (r1.129) Modified: head/sys/contrib/ipfilter/netinet/fil.c Modified: head/sys/contrib/ipfilter/netinet/fil.c ============================================================================== --- head/sys/contrib/ipfilter/netinet/fil.c Sun Oct 5 03:41:47 2014 (r272551) +++ head/sys/contrib/ipfilter/netinet/fil.c Sun Oct 5 03:45:19 2014 (r272552) @@ -4436,6 +4436,39 @@ ipf_matchicmpqueryreply(v, ic, icmp, rev /* ------------------------------------------------------------------------ */ +/* Function: ipf_rule_compare */ +/* Parameters: fr1(I) - first rule structure to compare */ +/* fr2(I) - second rule structure to compare */ +/* Returns: int - 0 == rules are the same, else mismatch */ +/* */ +/* Compare two rules and return 0 if they match or a number indicating */ +/* which of the individual checks failed. */ +/* ------------------------------------------------------------------------ */ +static int +ipf_rule_compare(frentry_t *fr1, frentry_t *fr2) +{ + if (fr1->fr_cksum != fr2->fr_cksum) + return 1; + if (fr1->fr_size != fr2->fr_size) + return 2; + if (fr1->fr_dsize != fr2->fr_dsize) + return 3; + if (bcmp((char *)&fr1->fr_func, (char *)&fr2->fr_func, + fr1->fr_size - offsetof(struct frentry, fr_func)) != 0) + return 4; + if (fr1->fr_data && !fr2->fr_data) + return 5; + if (!fr1->fr_data && fr2->fr_data) + return 6; + if (fr1->fr_data) { + if (bcmp(fr1->fr_caddr, fr2->fr_caddr, fr1->fr_dsize)) + return 7; + } + return 0; +} + + +/* ------------------------------------------------------------------------ */ /* Function: frrequest */ /* Returns: int - 0 == success, > 0 == errno value */ /* Parameters: unit(I) - device for which this is for */ @@ -4928,17 +4961,7 @@ frrequest(softc, unit, req, data, set, m } for (; (f = *ftail) != NULL; ftail = &f->fr_next) { - DT2(rule_cmp, frentry_t *, fp, frentry_t *, f); - if ((fp->fr_cksum != f->fr_cksum) || - (fp->fr_size != f->fr_size) || - (f->fr_dsize != fp->fr_dsize)) - continue; - if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, - fp->fr_size - offsetof(struct frentry, fr_func)) != 0) - continue; - if ((!ptr && !f->fr_data) || - (ptr && f->fr_data && - !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize))) + if (ipf_rule_compare(fp, f) == 0) break; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201410050345.s953jKTo015694>