FreeBSD Bugzilla – Attachment 145653 Details for
Bug 183997
route-to rule passes traffic when no targets are specified
[patch]
improved patch
pf_mapfailed.diff (text/plain), 2.63 KB, created by
Gleb Smirnoff
on 2014-08-11 08:56:28 UTC
Description:
improved patch
Filename:
MIME Type:
Creator:
Gleb Smirnoff
Created:
2014-08-11 08:56:28 UTC
Size:
2.63 KB
patch
obsolete
>Index: pf.c
>===================================================================
>--- pf.c (revision 269624)
>+++ pf.c (working copy)
>@@ -266,8 +266,6 @@ static u_int16_t pf_get_mss(struct mbuf *, int, u
> sa_family_t);
> static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
> int, u_int16_t);
>-static void pf_set_rt_ifp(struct pf_state *,
>- struct pf_addr *);
> static int pf_check_proto_cksum(struct mbuf *, int, int,
> u_int8_t, sa_family_t);
> static void pf_print_state_parts(struct pf_state *,
>@@ -2954,31 +2952,6 @@ pf_calc_mss(struct pf_addr *addr, sa_family_t af,
> return (mss);
> }
>
>-static void
>-pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
>-{
>- struct pf_rule *r = s->rule.ptr;
>- struct pf_src_node *sn = NULL;
>-
>- s->rt_kif = NULL;
>- if (!r->rt || r->rt == PF_FASTROUTE)
>- return;
>- switch (s->key[PF_SK_WIRE]->af) {
>-#ifdef INET
>- case AF_INET:
>- pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, &sn);
>- s->rt_kif = r->rpool.cur->kif;
>- break;
>-#endif /* INET */
>-#ifdef INET6
>- case AF_INET6:
>- pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, &sn);
>- s->rt_kif = r->rpool.cur->kif;
>- break;
>-#endif /* INET6 */
>- }
>-}
>-
> static u_int32_t
> pf_tcp_iss(struct pf_pdesc *pd)
> {
>@@ -3541,6 +3514,19 @@ pf_create_state(struct pf_rule *r, struct pf_rule
> s->timeout = PFTM_OTHER_FIRST_PACKET;
> }
>
>+ if (r->rt && r->rt != PF_FASTROUTE) {
>+ struct pf_src_node *sn = NULL;
>+
>+ if (pf_map_addr(pd->af, r, pd->src, &s->rt_addr, NULL, &sn)) {
>+ REASON_SET(&reason, PFRES_MAPFAILED);
>+ pf_src_tree_remove_state(s);
>+ STATE_DEC_COUNTERS(s);
>+ uma_zfree(V_pf_state_z, s);
>+ goto csfailed;
>+ }
>+ s->rt_kif = r->rpool.cur->kif;
>+ }
>+
> s->creation = time_uptime;
> s->expire = time_uptime;
>
>@@ -3606,7 +3592,6 @@ pf_create_state(struct pf_rule *r, struct pf_rule
> } else
> *sm = s;
>
>- pf_set_rt_ifp(s, pd->src); /* needs s->state_key set */
> if (tag > 0)
> s->tag = tag;
> if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
>Index: pf.h
>===================================================================
>--- pf.h (revision 269624)
>+++ pf.h (working copy)
>@@ -124,7 +124,8 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_
> #define PFRES_MAXSTATES 12 /* State limit */
> #define PFRES_SRCLIMIT 13 /* Source node/conn limit */
> #define PFRES_SYNPROXY 14 /* SYN proxy */
>-#define PFRES_MAX 15 /* total+1 */
>+#define PFRES_MAPFAILED 15 /* pa_map_addr() failed */
>+#define PFRES_MAX 16 /* total+1 */
>
> #define PFRES_NAMES { \
> "match", \
>@@ -142,6 +143,7 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_
> "state-limit", \
> "src-limit", \
> "synproxy", \
>+ "map-failed", \
> NULL \
> }
>
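Review bot: The block-local `struct pf_src_node *sn` handed to `pf_map_addr()` in the pf_create_state hunk at -3541 is dropped on both the success and the failure path, so if that call can return a source node through the out-parameter, nothing here attaches it to the state or releases it before `goto csfailed`. pf_create_state starts and ends outside the hunk; if it already has an `sn` that the `csfailed` cleanup inspects, the new declaration shadows it, and passing the existing variable would be the safer form. Separately, the removed helper began with `s->rt_kif = NULL;`, while the new block leaves `rt_kif` untouched for rules without a route option, so the field now depends on the state being zeroed at allocation, which is not visible here. A comment such as `/* s is zero-allocated, so rt_kif stays NULL unless a route option is set */` would record that once it has been confirmed. The open-coded cleanup before `goto csfailed` should also be checked against the other failure paths of this function, so that the sequences cannot drift apart.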
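Review bot: The comment on the new `PFRES_MAPFAILED` define in the pf.h hunk at -124 names `pa_map_addr()`, but the call whose failure sets this reason in pf.c is `pf_map_addr()`; it should read `/* pf_map_addr() failed */`. Raising `PFRES_MAX` from 15 to 16 also grows anything sized by it, so any consumer built against the old header (a userland tool that reads the per-reason counters, if this header is shared with one) must be rebuilt in step, which is worth stating in the commit message. The `"map-failed"` string added to `PFRES_NAMES` in the following hunk sits directly after `"synproxy"`, matching index 15, and that table has to stay in the same order as the defines.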
Attachments on
bug 183997
:
138138
|
145617
| 145653