Module Name: src
Committed By: rmind
Date: Thu Dec 8 23:36:57 UTC 2011
Modified Files:
src/sys/net/npf: npf_ruleset.c npf_state_tcp.c
Log Message:
- Explain the magic in npf_tcpfl2case().
- Use __unused instead of (void)cast; fix comment.
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/npf_state_tcp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.7 src/sys/net/npf/npf_ruleset.c:1.8
--- src/sys/net/npf/npf_ruleset.c:1.7 Wed Feb 2 02:20:25 2011
+++ src/sys/net/npf/npf_ruleset.c Thu Dec 8 23:36:57 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_ruleset.c,v 1.7 2011/02/02 02:20:25 rmind Exp $ */
+/* $NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $ */
/*-
* Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.7 2011/02/02 02:20:25 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -306,7 +306,7 @@ npf_rule_alloc(prop_dictionary_t rldict,
{
npf_rule_t *rl;
const char *rname;
- int errat;
+ int errat __unused;
/* Allocate a rule structure. */
rl = kmem_alloc(sizeof(npf_rule_t), KM_SLEEP);
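Review bot: The only n-code validation visible in npf_rule_alloc() is the `npf_ncode_validate()` call inside the `KASSERT` shown in the next hunk, and `errat` is written nowhere else. On kernels built without DIAGNOSTIC that assertion presumably compiles away, so `nc` is stored in `rl->r_ncode` without being checked here. Marking `errat` as `__unused` silences the warning but hides this dependency, and the variable is in fact used in DIAGNOSTIC builds. A comment above the assertion would make the contract explicit, for example `/* N-code must already be validated by the caller; this is a DIAGNOSTIC-only re-check. */`, assuming the caller does validate, which is not visible here. npf_rule_alloc() begins and ends outside this hunk.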
@@ -316,7 +316,6 @@ npf_rule_alloc(prop_dictionary_t rldict,
rl->r_natp = NULL;
/* N-code. */
- (void)errat;
KASSERT(nc == NULL || npf_ncode_validate(nc, nc_size, &errat) == 0);
rl->r_ncode = nc;
rl->r_nc_size = nc_size;
Index: src/sys/net/npf/npf_state_tcp.c
diff -u src/sys/net/npf/npf_state_tcp.c:1.2 src/sys/net/npf/npf_state_tcp.c:1.3
--- src/sys/net/npf/npf_state_tcp.c:1.2 Mon Dec 5 00:34:25 2011
+++ src/sys/net/npf/npf_state_tcp.c Thu Dec 8 23:36:57 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_state_tcp.c,v 1.2 2011/12/05 00:34:25 rmind Exp $ */
+/* $NetBSD: npf_state_tcp.c,v 1.3 2011/12/08 23:36:57 rmind Exp $ */
/*-
* Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.2 2011/12/05 00:34:25 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.3 2011/12/08 23:36:57 rmind Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -115,9 +115,24 @@ npf_tcpfl2case(const int tcpfl)
{
u_int i, c;
+ CTASSERT(TH_FIN == 0x01);
+ CTASSERT(TH_SYN == 0x02);
+ CTASSERT(TH_ACK == 0x10);
+
/*
- * Magic value maps flag combinations to TCPFC case numbers.
- * Other cases are zero. Note: FIN-ACK is mapped to FIN.
+ * Flags are shifted to use three least significant bits, thus each
+ * flag combination has a unique number ranging from 0 to 7, e.g.
+ * TH_SYN | TH_ACK has number 6, since (0x02 | (0x10 >> 2)) == 6.
+ * However, the requirement is to have number 0 for invalid cases,
+ * such as TH_SYN | TH_FIN, and to have the same number for TH_FIN
+ * and TH_FIN|TH_ACK cases. Thus, we generate a mask assigning 3
+ * bits for each number, which contains the actual case numbers:
+ *
+ * TCPFC_SYNACK << (6 << 2) == 0x2000000 (6 - SYN,ACK)
+ * TCPFC_FIN << (5 << 2) == 0x0400000 (5 - FIN,ACK)
+ * ...
+ *
+ * Hence, OR'ed mask value is 0x2430140.
*/
i = (tcpfl & (TH_SYN | TH_FIN)) | ((tcpfl & TH_ACK) >> 2);
c = (0x2430140 >> (i << 2)) & 7;
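Review bot: The three CTASSERTs pin the TH_* bit values, but the literal `0x2430140` depends just as much on the TCPFC_* case numbers, which nothing in this hunk checks. Going by the comment's own arithmetic, `CTASSERT(TCPFC_SYNACK == 2);` and `CTASSERT(TCPFC_FIN == 4);` (and the same for the remaining cases) would catch a renumbering that would otherwise silently misclassify packets in the TCP state tracker. The comment also says 3 bits are assigned per number, while the code shifts by `i << 2`, i.e. 4-bit slots of which the low 3 bits are read; `assigning a 4-bit slot for each number` would match the code. The body of npf_tcpfl2case() continues past the end of the hunk.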
@@ -291,7 +306,7 @@ npf_tcp_inwindow(const npf_cache_t *npc,
* Rooij G., "Real stateful TCP packet filtering in IP Filter",
* 10th USENIX Security Symposium invited talk, Aug. 2001.
*
- * There four boundaries are defined as following:
+ * There are four boundaries defined as following:
* I) SEQ + LEN <= MAX { SND.ACK + MAX(SND.WIN, 1) }
* II) SEQ >= MAX { SND.SEQ + SND.LEN - MAX(RCV.WIN, 1) }
* III) ACK <= MAX { RCV.SEQ + RCV.LEN }