Date: Wed, 28 Apr 2021 15:14:15 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 6210e809da13 - stable/13 - pf: Refactor state killing Message-ID: <202104281514.13SFEF39017916@gitrepo.freebsd.org>
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=6210e809da13c80ed560ce0d76c9bf81352b8a1d commit 6210e809da13c80ed560ce0d76c9bf81352b8a1d Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2021-04-16 14:34:21 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-04-28 15:06:28 +0000 pf: Refactor state killing Extract the state killing code from pfioctl() and rephrase the filtering conditions for readability. No functional change intended. MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29795 (cherry picked from commit 586aab9e0aa6c811758c19fb03831fc1e7305252) --- sys/netpfil/pf/pf_ioctl.c | 122 ++++++++++++++++++++++++++-------------------- 1 file changed, 68 insertions(+), 54 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index ce889c8d797e..3161c6b1f7c9 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -1732,6 +1732,72 @@ pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 return (0);
 }
 
+static int
+pf_killstates_row(struct pfioc_state_kill *psk, struct pf_idhash *ih)
+{
+ struct pf_state *s;
+ struct pf_state_key *sk;
+ struct pf_addr *srcaddr, *dstaddr;
+ int killed = 0;
+ u_int16_t srcport, dstport;
+
+relock_DIOCKILLSTATES:
+ PF_HASHROW_LOCK(ih);
+ LIST_FOREACH(s, &ih->states, entry) {
+ sk = s->key[PF_SK_WIRE];
+ if (s->direction == PF_OUT) {
+ srcaddr = &sk->addr[1];
+ dstaddr = &sk->addr[0];
+ srcport = sk->port[1];
+ dstport = sk->port[0];
+ } else {
+ srcaddr = &sk->addr[0];
+ dstaddr = &sk->addr[1];
+ srcport = sk->port[0];
+ dstport = sk->port[1];
+ }
+
+ if (psk->psk_af && sk->af != psk->psk_af)
+ continue;
+
+ if (psk->psk_proto && psk->psk_proto != sk->proto)
+ continue;
+
+ if (! PF_MATCHA(psk->psk_src.neg, &psk->psk_src.addr.v.a.addr,
+ &psk->psk_src.addr.v.a.mask, srcaddr, sk->af))
+ continue;
+
+ if (! PF_MATCHA(psk->psk_dst.neg, &psk->psk_dst.addr.v.a.addr,
+ &psk->psk_dst.addr.v.a.mask, dstaddr, sk->af))
+ continue;
+
+ if (psk->psk_src.port_op != 0 &&
+ ! pf_match_port(psk->psk_src.port_op,
+ psk->psk_src.port[0], psk->psk_src.port[1], srcport))
+ continue;
+
+ if (psk->psk_dst.port_op != 0 &&
+ ! pf_match_port(psk->psk_dst.port_op,
+ psk->psk_dst.port[0], psk->psk_dst.port[1], dstport))
+ continue;
+
+ if (psk->psk_label[0] && (! s->rule.ptr->label[0] ||
+ strcmp(psk->psk_label, s->rule.ptr->label)))
+ continue;
+
+ if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
+ s->kif->pfik_name))
+ continue;
+
+ pf_unlink_state(s, PF_ENTER_LOCKED);
+ killed++;
+ goto relock_DIOCKILLSTATES;
+ }
+ PF_HASHROW_UNLOCK(ih);
+
+ return (killed);
+}
+
 static int
 pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td)
 {
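Review bot: pf_killstates_row has no header comment, and its locking contract is the non-obvious part: it takes the row lock itself, and after each pf_unlink_state(s, PF_ENTER_LOCKED) it jumps back to relock_DIOCKILLSTATES instead of continuing the LIST_FOREACH, which only makes sense if the unlink releases the row lock and invalidates the iterator — that should be stated where a reader will see it. I would put above the function: `/* Unlink every state in row ih that matches the filter in psk. Takes and releases ih's lock; pf_unlink_state() drops it, hence the restart. Returns the number of states killed. */`. The label name still carries the ioctl it was extracted from; `relock:` or `relock_row:` would read better now that it lives in its own function. Style(9)-wise, `! PF_MATCHA(`, `! pf_match_port(` and `! s->rule.ptr->label[0]` put a space after the unary operator that the file's existing `!strcmp` does not. The two strcmp calls treat the user-supplied psk_label and psk_ifname fields as C strings; if the ioctl copy-in path does not already guarantee NUL termination of those fixed-size arrays, bounding the compare with strnlen against sizeof would be safer, though that predates this refactor.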
@@ -2371,9 +2437,6 @@ relock_DIOCCLRSTATES:
 
 case DIOCKILLSTATES: {
 struct pf_state *s;
- struct pf_state_key *sk;
- struct pf_addr *srcaddr, *dstaddr;
- u_int16_t srcport, dstport;
 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
 u_int i, killed = 0;
 
@@ -2388,58 +2451,9 @@ relock_DIOCCLRSTATES:
 break;
 }
 
- for (i = 0; i <= pf_hashmask; i++) {
- struct pf_idhash *ih = &V_pf_idhash[i];
+ for (i = 0; i <= pf_hashmask; i++)
+ killed += pf_killstates_row(psk, &V_pf_idhash[i]);
 
-relock_DIOCKILLSTATES:
- PF_HASHROW_LOCK(ih);
- LIST_FOREACH(s, &ih->states, entry) {
- sk = s->key[PF_SK_WIRE];
- if (s->direction == PF_OUT) {
- srcaddr = &sk->addr[1];
- dstaddr = &sk->addr[0];
- srcport = sk->port[1];
- dstport = sk->port[0];
- } else {
- srcaddr = &sk->addr[0];
- dstaddr = &sk->addr[1];
- srcport = sk->port[0];
- dstport = sk->port[1];
- }
-
- if ((!psk->psk_af || sk->af == psk->psk_af)
- && (!psk->psk_proto || psk->psk_proto ==
- sk->proto) &&
- PF_MATCHA(psk->psk_src.neg,
- &psk->psk_src.addr.v.a.addr,
- &psk->psk_src.addr.v.a.mask,
- srcaddr, sk->af) &&
- PF_MATCHA(psk->psk_dst.neg,
- &psk->psk_dst.addr.v.a.addr,
- &psk->psk_dst.addr.v.a.mask,
- dstaddr, sk->af) &&
- (psk->psk_src.port_op == 0 ||
- pf_match_port(psk->psk_src.port_op,
- psk->psk_src.port[0], psk->psk_src.port[1],
- srcport)) &&
- (psk->psk_dst.port_op == 0 ||
- pf_match_port(psk->psk_dst.port_op,
- psk->psk_dst.port[0], psk->psk_dst.port[1],
- dstport)) &&
- (!psk->psk_label[0] ||
- (s->rule.ptr->label[0] &&
- !strcmp(psk->psk_label,
- s->rule.ptr->label))) &&
- (!psk->psk_ifname[0] ||
- !strcmp(psk->psk_ifname,
- s->kif->pfik_name))) {
- pf_unlink_state(s, PF_ENTER_LOCKED);
- killed++;
- goto relock_DIOCKILLSTATES;
- }
- }
- PF_HASHROW_UNLOCK(ih);
- }
 psk->psk_killed = killed;
 break;
 }
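Review bot: The per-row count that pf_killstates_row returns is an int, but it is accumulated here into the u_int killed kept from the declarations in the preceding hunk, so `killed += pf_killstates_row(psk, &V_pf_idhash[i]);` mixes signedness for no reason. Declaring the helper's counter and return type as u_int (or making the caller's killed an int) keeps the types aligned and avoids an implicit conversion warning under -Wsign-conversion. The enclosing DIOCKILLSTATES case starts before this hunk.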