Index: stable/11/sys/netpfil/ipfw/ip_fw2.c =================================================================== --- stable/11/sys/netpfil/ipfw/ip_fw2.c (revision 314573) +++ stable/11/sys/netpfil/ipfw/ip_fw2.c (working copy) @@ -382,7 +382,7 @@ iface_match(struct ifnet *ifp, ipfw_insn_if *cmd, /* Check by name or by IP address */ if (cmd->name[0] != '\0') { /* match by name */ if (cmd->name[0] == '\1') /* use tablearg to match */ - return ipfw_lookup_table_extended(chain, cmd->p.kidx, 0, + return ipfw_lookup_table(chain, cmd->p.kidx, 0, &ifp->if_index, tablearg); /* Check name */ if (cmd->p.glob) { @@ -1454,88 +1454,134 @@ do { \ src_ip.s_addr); break; - case O_IP_SRC_LOOKUP: case O_IP_DST_LOOKUP: - if (is_ipv4) { - uint32_t key = - (cmd->opcode == O_IP_DST_LOOKUP) ? - dst_ip.s_addr : src_ip.s_addr; - uint32_t v = 0; + { + void *pkey; + uint32_t vidx, key; + uint16_t keylen; - if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) { - /* generic lookup. The key must be - * in 32bit big-endian format. - */ - v = ((ipfw_insn_u32 *)cmd)->d[1]; - if (v == 0) - key = dst_ip.s_addr; - else if (v == 1) - key = src_ip.s_addr; - else if (v == 6) /* dscp */ - key = (ip->ip_tos >> 2) & 0x3f; - else if (offset != 0) - break; - else if (proto != IPPROTO_TCP && - proto != IPPROTO_UDP) - break; - else if (v == 2) - key = dst_port; - else if (v == 3) - key = src_port; + if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) { + /* Determine lookup key type */ + vidx = ((ipfw_insn_u32 *)cmd)->d[1]; + if (vidx != 4 /* uid */ && + vidx != 5 /* jail */ && + is_ipv6 == 0 && is_ipv4 == 0) + break; + /* Determine key length */ + if (vidx == 0 /* dst-ip */ || + vidx == 1 /* src-ip */) + keylen = is_ipv6 ? + sizeof(struct in6_addr): + sizeof(in_addr_t); + else { + keylen = sizeof(key); + pkey = &key; + } + if (vidx == 0 /* dst-ip */) + pkey = is_ipv4 ? (void *)&dst_ip: + (void *)&args->f_id.dst_ip6; + else if (vidx == 1 /* src-ip */) + pkey = is_ipv4 ? (void *)&src_ip: + (void *)&args->f_id.src_ip6; + else if (vidx == 6 /* dscp */) { + if (is_ipv4) + key = ip->ip_tos >> 2; + else { + key = args->f_id.flow_id6; + key = (key & 0x0f) << 2 | + (key & 0xf000) >> 14; + } + key &= 0x3f; + } else if (vidx == 2 /* dst-port */ || + vidx == 3 /* src-port */) { + /* Skip fragments */ + if (offset != 0) + break; + /* Skip proto without ports */ + if (proto != IPPROTO_TCP && + proto != IPPROTO_UDP && + proto != IPPROTO_SCTP) + break; + if (vidx == 2 /* dst-port */) + key = dst_port; + else + key = src_port; + } #ifndef USERSPACE - else if (v == 4 || v == 5) { - check_uidgid( - (ipfw_insn_u32 *)cmd, - args, &ucred_lookup, + else if (vidx == 4 /* uid */ || + vidx == 5 /* jail */) { + check_uidgid( + (ipfw_insn_u32 *)cmd, + args, &ucred_lookup, #ifdef __FreeBSD__ - &ucred_cache); - if (v == 4 /* O_UID */) - key = ucred_cache->cr_uid; - else if (v == 5 /* O_JAIL */) - key = ucred_cache->cr_prison->pr_id; + &ucred_cache); + if (vidx == 4 /* uid */) + key = ucred_cache->cr_uid; + else if (vidx == 5 /* jail */) + key = ucred_cache->cr_prison->pr_id; #else /* !__FreeBSD__ */ - (void *)&ucred_cache); - if (v ==4 /* O_UID */) - key = ucred_cache.uid; - else if (v == 5 /* O_JAIL */) - key = ucred_cache.xid; + (void *)&ucred_cache); + if (vidx == 4 /* uid */) + key = ucred_cache.uid; + else if (vidx == 5 /* jail */) + key = ucred_cache.xid; #endif /* !__FreeBSD__ */ } #endif /* !USERSPACE */ else - break; - } - match = ipfw_lookup_table(chain, - cmd->arg1, key, &v); - if (!match) + break; + match = ipfw_lookup_table(chain, + cmd->arg1, keylen, pkey, &vidx); + if (!match) + break; + tablearg = vidx; break; - if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) - match = - ((ipfw_insn_u32 *)cmd)->d[0] == v; - else - tablearg = v; + } + /* cmdlen =< F_INSN_SIZE(ipfw_insn_u32) */ + /* FALLTHROUGH */ + } + case O_IP_SRC_LOOKUP: + { + void *pkey; + uint32_t vidx; + uint16_t keylen; + + if (is_ipv4) { + keylen = sizeof(in_addr_t); + if (cmd->opcode == O_IP_DST_LOOKUP) + pkey = &dst_ip; + else + pkey = &src_ip; } else if (is_ipv6) { - uint32_t v = 0; - void *pkey = (cmd->opcode == O_IP_DST_LOOKUP) ? - &args->f_id.dst_ip6: &args->f_id.src_ip6; - match = ipfw_lookup_table_extended(chain, - cmd->arg1, - sizeof(struct in6_addr), - pkey, &v); - if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) - match = ((ipfw_insn_u32 *)cmd)->d[0] == v; - if (match) - tablearg = v; + keylen = sizeof(struct in6_addr); + if (cmd->opcode == O_IP_DST_LOOKUP) + pkey = &args->f_id.dst_ip6; + else + pkey = &args->f_id.src_ip6; + } else + break; + match = ipfw_lookup_table(chain, cmd->arg1, + keylen, pkey, &vidx); + if (!match) + break; + if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) { + match = ((ipfw_insn_u32 *)cmd)->d[0] == + TARG_VAL(chain, vidx, tag); + if (!match) + break; } + tablearg = vidx; break; + } case O_IP_FLOW_LOOKUP: { uint32_t v = 0; - match = ipfw_lookup_table_extended(chain, + match = ipfw_lookup_table(chain, cmd->arg1, 0, &args->f_id, &v); if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) - match = ((ipfw_insn_u32 *)cmd)->d[0] == v; + match = ((ipfw_insn_u32 *)cmd)->d[0] == + TARG_VAL(chain, v, tag); if (match) tablearg = v; } Index: stable/11/sys/netpfil/ipfw/ip_fw_private.h =================================================================== --- stable/11/sys/netpfil/ipfw/ip_fw_private.h (revision 314573) +++ stable/11/sys/netpfil/ipfw/ip_fw_private.h (working copy) @@ -739,9 +739,7 @@ struct table_info; typedef int (table_lookup_t)(struct table_info *ti, void *key, uint32_t keylen, uint32_t *val); -int ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, - uint32_t *val); -int ipfw_lookup_table_extended(struct ip_fw_chain *ch, uint16_t tbl, uint16_t plen, +int ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, uint16_t plen, void *paddr, uint32_t *val); int ipfw_init_tables(struct ip_fw_chain *ch, int first); int ipfw_resize_tables(struct ip_fw_chain *ch, unsigned int ntables); Index: stable/11/sys/netpfil/ipfw/ip_fw_sockopt.c =================================================================== --- stable/11/sys/netpfil/ipfw/ip_fw_sockopt.c (revision 314573) +++ stable/11/sys/netpfil/ipfw/ip_fw_sockopt.c (working copy) @@ -1821,6 +1821,8 @@ check_ipfw_rule_body(ipfw_insn *cmd, int cmd_len, break; case O_IP_SRC_LOOKUP: + if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) + goto bad_size; case O_IP_DST_LOOKUP: if (cmd->arg1 >= V_fw_tables_max) { printf("ipfw: invalid table number %d\n", Index: stable/11/sys/netpfil/ipfw/ip_fw_table.c =================================================================== --- stable/11/sys/netpfil/ipfw/ip_fw_table.c (revision 314573) +++ stable/11/sys/netpfil/ipfw/ip_fw_table.c (working copy) @@ -1606,23 +1606,6 @@ ipfw_resize_tables(struct ip_fw_chain *ch, unsigne } /* - * Lookup an IP @addr in table @tbl. - * Stores found value in @val. - * - * Returns 1 if @addr was found. - */ -int -ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, - uint32_t *val) -{ - struct table_info *ti; - - ti = KIDX_TO_TI(ch, tbl); - - return (ti->lookup(ti, &addr, sizeof(in_addr_t), val)); -} - -/* * Lookup an arbtrary key @paddr of legth @plen in table @tbl. * Stores found value in @val. * @@ -1629,7 +1612,7 @@ ipfw_resize_tables(struct ip_fw_chain *ch, unsigne * Returns 1 if key was found. */ int -ipfw_lookup_table_extended(struct ip_fw_chain *ch, uint16_t tbl, uint16_t plen, +ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, uint16_t plen, void *paddr, uint32_t *val) { struct table_info *ti;