

(-)b/sys/netpfil/pf/pf.c (-9 / +24 lines)
Lines 283-290 static u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, Link Here
283
			    sa_family_t);
283
			    sa_family_t);
284
static u_int16_t	 pf_calc_mss(struct pf_addr *, sa_family_t,
284
static u_int16_t	 pf_calc_mss(struct pf_addr *, sa_family_t,
285
				int, u_int16_t);
285
				int, u_int16_t);
286
static void		 pf_set_rt_ifp(struct pf_state *,
286
static int		 pf_set_rt_ifp(struct pf_state *,
287
			    struct pf_addr *);
287
			    struct pf_addr *, sa_family_t af);
288
static int		 pf_check_proto_cksum(struct mbuf *, int, int,
288
static int		 pf_check_proto_cksum(struct mbuf *, int, int,
289
			    u_int8_t, sa_family_t);
289
			    u_int8_t, sa_family_t);
290
static void		 pf_print_state_parts(struct pf_state *,
290
static void		 pf_print_state_parts(struct pf_state *,
Lines 3103-3131 pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer) Link Here
3103
	return (mss);
3103
	return (mss);
3104
}
3104
}
3105
3105
3106
static void
3106
static int
3107
pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
3107
pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr, sa_family_t af)
3108
{
3108
{
3109
	struct pf_rule *r = s->rule.ptr;
3109
	struct pf_rule *r = s->rule.ptr;
3110
	struct pf_src_node *sn = NULL;
3110
	struct pf_src_node *sn = NULL;
3111
	int map_status = 0;
3111
3112
3112
	s->rt_kif = NULL;
3113
	s->rt_kif = NULL;
3113
	if (!r->rt || r->rt == PF_FASTROUTE)
3114
	if (!r->rt || r->rt == PF_FASTROUTE)
3114
		return;
3115
		return 0;
3115
	switch (s->key[PF_SK_WIRE]->af) {
3116
	switch (af) {
3116
#ifdef INET
3117
#ifdef INET
3117
	case AF_INET:
3118
	case AF_INET:
3118
		pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, &sn);
3119
		map_status = pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, &sn);
3119
		s->rt_kif = r->rpool.cur->kif;
3120
		s->rt_kif = r->rpool.cur->kif;
3120
		break;
3121
		break;
3121
#endif /* INET */
3122
#endif /* INET */
3122
#ifdef INET6
3123
#ifdef INET6
3123
	case AF_INET6:
3124
	case AF_INET6:
3124
		pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, &sn);
3125
		map_status = pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, &sn);
3125
		s->rt_kif = r->rpool.cur->kif;
3126
		s->rt_kif = r->rpool.cur->kif;
3126
		break;
3127
		break;
3127
#endif /* INET6 */
3128
#endif /* INET6 */
3128
	}
3129
	}
3130
3131
	return map_status;
3129
}
3132
}
3130
3133
3131
static u_int32_t
3134
static u_int32_t
Lines 3690-3695 pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, Link Here
3690
		s->timeout = PFTM_OTHER_FIRST_PACKET;
3693
		s->timeout = PFTM_OTHER_FIRST_PACKET;
3691
	}
3694
	}
3692
3695
3696
	/* Call pf_set_rt_ifp (and thus pf_map_addr). If pf_map_addr fails,
3697
	   remove the state and drop the packet. It makes no sense forwarding
3698
	   it if redirection mapping has failed. Do it before setting timeouts,
3699
	   csfailed won't remove the src_node otherwise. */
3700
	if (pf_set_rt_ifp(s, pd->src, pd->af)) {
3701
		REASON_SET(&reason, PFRES_MAPFAILED);
3702
		pf_src_tree_remove_state(s);
3703
		STATE_DEC_COUNTERS(s);
3704
		uma_zfree(V_pf_state_z, s);
3705
		/* Try to remove (nat_)src_node. */
3706
		goto csfailed;
3707
	}
3708
3693
	s->creation = time_uptime;
3709
	s->creation = time_uptime;
3694
	s->expire = time_uptime;
3710
	s->expire = time_uptime;
3695
3711
Lines 3755-3761 pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, Link Here
3755
	} else
3771
	} else
3756
		*sm = s;
3772
		*sm = s;
3757
3773
3758
	pf_set_rt_ifp(s, pd->src);	/* needs s->state_key set */
3759
	if (tag > 0)
3774
	if (tag > 0)
3760
		s->tag = tag;
3775
		s->tag = tag;
3761
	if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
3776
	if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
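Review bot: In the new pf_set_rt_ifp(), both the AF_INET and AF_INET6 cases still execute `s->rt_kif = r->rpool.cur->kif;` after pf_map_addr() has reported failure, so the function returns an error while also setting a route interface on the state. The only caller shown frees the state on error, so this looks harmless today, but `if (map_status == 0) s->rt_kif = r->rpool.cur->kif;` would keep the error path from leaving a partly filled-in route for any later caller. The switch also has no `default`, so an `af` that matches neither case returns 0 with `rt_kif` left NULL; if that is intended, a one-line comment saying so would help. On style, `return 0;` and `return map_status;` should be `return (0);` and `return (map_status);` to match `return (mss);` just above. The new block comment in pf_create_state() says "before setting timeouts" although the call sits after the `s->timeout` assignment and before `s->creation`/`s->expire`, so it should name the fields it means.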
(-)b/sys/netpfil/pf/pf.h (-1 / +3 lines)
Lines 125-131 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, Link Here
125
#define PFRES_MAXSTATES	12		/* State limit */
125
#define PFRES_MAXSTATES	12		/* State limit */
126
#define PFRES_SRCLIMIT	13		/* Source node/conn limit */
126
#define PFRES_SRCLIMIT	13		/* Source node/conn limit */
127
#define PFRES_SYNPROXY	14		/* SYN proxy */
127
#define PFRES_SYNPROXY	14		/* SYN proxy */
128
#define PFRES_MAX	15		/* total+1 */
128
#define PFRES_MAPFAILED	15		/* pf_map_addr failed */
129
#define PFRES_MAX	16		/* total+1 */
129
130
130
#define PFRES_NAMES { \
131
#define PFRES_NAMES { \
131
	"match", \
132
	"match", \
Lines 143-148 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, Link Here
143
	"state-limit", \
144
	"state-limit", \
144
	"src-limit", \
145
	"src-limit", \
145
	"synproxy", \
146
	"synproxy", \
147
	"map-failed", \
146
	NULL \
148
	NULL \
147
}
149
}
148
150
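Review bot: Raising `PFRES_MAX` from 15 to 16 changes the size of every array dimensioned by it, and the patch does not mention the effect on consumers of this header. If the per-reason counters handed to userland through the status interface are declared with `PFRES_MAX` (not visible on this page, so this needs confirming), a patched kernel and an unrebuilt pfctl or other consumer will disagree on the structure layout. The change description should state that userland must be rebuilt in step with the kernel. A short comment next to `#define PFRES_MAX	16` noting that `PFRES_NAMES` must gain an entry whenever a reason is added would help keep the two in sync.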
