system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-09-30 05:36:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

pf: do not pass af to PFLOG_PACKET

Browse source 
Do not pass AF specific information to pf_test_rule() and PFLOG_PACKET()
because either the info is already available in struct pd or easy
to figure out.  Makes pf_test() and pf_test6() even more similar
(with the target to remove one of them in the near future).
OK henning@

Reviewed by:	zlei
Obtained from:	OpenBSD, claudio <claudio@openbsd.org>, 5480721ed1
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D46596
This commit is contained in:
Kristof Provost 2024-09-06 10:55:52 +02:00
parent 9746c1e288
commit bc4b0defb0
5 changed files with 21 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
sys/net/if_pflog.h
View file

@ -69,9 +69,9 @@ struct pf_ruleset;
struct pfi_kif; struct pfi_kif;
struct pf_pdesc; struct pf_pdesc;
#define PFLOG_PACKET(i,a,b,t,c,d,e,f,g,di) do { \ #define PFLOG_PACKET(i,a,b,t,c,d,e,f,g) do { \
if (pflog_packet_ptr != NULL) \ if (pflog_packet_ptr != NULL) \
pflog_packet_ptr(i,a,b,t,c,d,e,f,g,di); \ pflog_packet_ptr(i,a,b,t,c,d,e,f,g); \
} while (0) } while (0)
#endif /* _KERNEL */ #endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */ #endif /* _NET_IF_PFLOG_H_ */

2
sys/net/pfvar.h
View file

@ -1254,7 +1254,7 @@ void pf_state_export(struct pf_state_export *,
/* pflog */ /* pflog */
struct pf_kruleset; struct pf_kruleset;
struct pf_pdesc; struct pf_pdesc;
typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t, typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *,
uint8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *, uint8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
struct pf_pdesc *, int); struct pf_pdesc *, int);
extern pflog_packet_t *pflog_packet_ptr; extern pflog_packet_t *pflog_packet_ptr;

6
sys/netpfil/pf/if_pflog.c
View file

@ -213,7 +213,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
} }
static int static int
pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, pflog_packet(struct pfi_kkif *kif, struct mbuf *m,
uint8_t action, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am, uint8_t action, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe) struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{ {
@ -229,7 +229,7 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af,
bzero(&hdr, sizeof(hdr)); bzero(&hdr, sizeof(hdr));
hdr.length = PFLOG_REAL_HDRLEN; hdr.length = PFLOG_REAL_HDRLEN;
hdr.af = af; hdr.af = pd->af;
hdr.action = action; hdr.action = action;
hdr.reason = reason; hdr.reason = reason;
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname)); memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
@ -262,7 +262,7 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af,
hdr.dir = pd->dir; hdr.dir = pd->dir;
#ifdef INET #ifdef INET
if (af == AF_INET && pd->dir == PF_OUT) { if (pd->af == AF_INET && pd->dir == PF_OUT) {
struct ip *ip; struct ip *ip;
ip = mtod(m, struct ip *); ip = mtod(m, struct ip *);

20
sys/netpfil/pf/pf.c
View file

@ -4974,7 +4974,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
KASSERT(nk != NULL, ("%s: null nk", __func__)); KASSERT(nk != NULL, ("%s: null nk", __func__));
if (nr->log) { if (nr->log) {
PFLOG_PACKET(kif, m, af, PF_PASS, PFRES_MATCH, nr, a, PFLOG_PACKET(kif, m, PF_PASS, PFRES_MATCH, nr, a,
ruleset, pd, 1); ruleset, pd, 1);
} }
@ -5201,7 +5201,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
pf_counter_u64_critical_exit(); pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act); pf_rule_to_actions(r, &pd->act);
if (r->log || pd->act.log & PF_LOG_MATCHES) if (r->log || pd->act.log & PF_LOG_MATCHES)
PFLOG_PACKET(kif, m, af, PFLOG_PACKET(kif, m,
r->action, PFRES_MATCH, r, r->action, PFRES_MATCH, r,
a, ruleset, pd, 1); a, ruleset, pd, 1);
} else { } else {
@ -5210,7 +5210,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
*am = a; *am = a;
*rsm = ruleset; *rsm = ruleset;
if (pd->act.log & PF_LOG_MATCHES) if (pd->act.log & PF_LOG_MATCHES)
PFLOG_PACKET(kif, m, af, PFLOG_PACKET(kif, m,
r->action, PFRES_MATCH, r, r->action, PFRES_MATCH, r,
a, ruleset, pd, 1); a, ruleset, pd, 1);
} }
@ -5238,7 +5238,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
if (r->log || pd->act.log & PF_LOG_MATCHES) { if (r->log || pd->act.log & PF_LOG_MATCHES) {
if (rewrite) if (rewrite)
m_copyback(m, off, hdrlen, pd->hdr.any); m_copyback(m, off, hdrlen, pd->hdr.any);
PFLOG_PACKET(kif, m, af, r->action, reason, r, a, ruleset, pd, 1); PFLOG_PACKET(kif, m, r->action, reason, r, a, ruleset, pd, 1);
} }
if ((r->action == PF_DROP) && if ((r->action == PF_DROP) &&
@ -5659,7 +5659,7 @@ pf_test_fragment(struct pf_krule **rm, struct pfi_kkif *kif,
pf_counter_u64_critical_exit(); pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act); pf_rule_to_actions(r, &pd->act);
if (r->log) if (r->log)
PFLOG_PACKET(kif, m, af, PFLOG_PACKET(kif, m,
r->action, PFRES_MATCH, r, r->action, PFRES_MATCH, r,
a, ruleset, pd, 1); a, ruleset, pd, 1);
} else { } else {
@ -5690,7 +5690,7 @@ pf_test_fragment(struct pf_krule **rm, struct pfi_kkif *kif,
pf_rule_to_actions(r, &pd->act); pf_rule_to_actions(r, &pd->act);
if (r->log) if (r->log)
PFLOG_PACKET(kif, m, af, r->action, reason, r, a, ruleset, pd, 1); PFLOG_PACKET(kif, m, r->action, reason, r, a, ruleset, pd, 1);
if (r->action != PF_PASS) if (r->action != PF_PASS)
return (PF_DROP); return (PF_DROP);
@ -9328,12 +9328,12 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
lr = r; lr = r;
if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL) if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET, action, reason, lr, a, PFLOG_PACKET(kif, m, action, reason, lr, a,
ruleset, &pd, (s == NULL)); ruleset, &pd, (s == NULL));
if (s) { if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry) SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL) if (ri->r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET, action, PFLOG_PACKET(kif, m, action,
reason, ri->r, a, ruleset, &pd, 0); reason, ri->r, a, ruleset, &pd, 0);
} }
} }
@ -9736,12 +9736,12 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
lr = r; lr = r;
if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL) if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET6, action, reason, lr, a, ruleset, PFLOG_PACKET(kif, m, action, reason, lr, a, ruleset,
&pd, (s == NULL)); &pd, (s == NULL));
if (s) { if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry) SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL) if (ri->r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET6, action, reason, PFLOG_PACKET(kif, m, action, reason,
ri->r, a, ruleset, &pd, 0); ri->r, a, ruleset, &pd, 0);
} }
} }

10
sys/netpfil/pf/pf_norm.c
View file

@ -1199,7 +1199,7 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
REASON_SET(reason, PFRES_FRAG); REASON_SET(reason, PFRES_FRAG);
drop: drop:
if (r != NULL && r->log) if (r != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET, PF_DROP, *reason, r, NULL, NULL, pd, 1); PFLOG_PACKET(kif, m, PF_DROP, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP); return (PF_DROP);
} }
@ -1372,13 +1372,13 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
shortpkt: shortpkt:
REASON_SET(reason, PFRES_SHORT); REASON_SET(reason, PFRES_SHORT);
if (r != NULL && r->log) if (r != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET6, PF_DROP, *reason, r, NULL, NULL, pd, 1); PFLOG_PACKET(kif, m, PF_DROP, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP); return (PF_DROP);
drop: drop:
REASON_SET(reason, PFRES_NORM); REASON_SET(reason, PFRES_NORM);
if (r != NULL && r->log) if (r != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET6, PF_DROP, *reason, r, NULL, NULL, pd, 1); PFLOG_PACKET(kif, m, PF_DROP, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP); return (PF_DROP);
} }
#endif /* INET6 */ #endif /* INET6 */
@ -1504,7 +1504,7 @@ pf_normalize_tcp(struct pfi_kkif *kif, struct mbuf *m, int ipoff,
tcp_drop: tcp_drop:
REASON_SET(&reason, PFRES_NORM); REASON_SET(&reason, PFRES_NORM);
if (rm != NULL && r->log) if (rm != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET, PF_DROP, reason, r, NULL, NULL, pd, 1); PFLOG_PACKET(kif, m, PF_DROP, reason, r, NULL, NULL, pd, 1);
return (PF_DROP); return (PF_DROP);
} }
@ -2261,7 +2261,7 @@ pf_normalize_sctp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
sctp_drop: sctp_drop:
REASON_SET(&reason, PFRES_NORM); REASON_SET(&reason, PFRES_NORM);
if (rm != NULL && r->log) if (rm != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET, PF_DROP, reason, r, NULL, NULL, pd, PFLOG_PACKET(kif, m, PF_DROP, reason, r, NULL, NULL, pd,
1); 1);
return (PF_DROP); return (PF_DROP);