CVS commit: src/usr.sbin/npf/npfctl

Sun, 10 Feb 2013 16:03:10 -0800 

Module Name:    src
Committed By:   rmind
Date:           Mon Feb 11 00:00:20 UTC 2013

Modified Files:
        src/usr.sbin/npf/npfctl: npf_build.c

Log Message:
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.19 src/usr.sbin/npf/npfctl/npf_build.c:1.20
--- src/usr.sbin/npf/npfctl/npf_build.c:1.19	Sun Feb 10 23:47:37 2013
+++ src/usr.sbin/npf/npfctl/npf_build.c	Mon Feb 11 00:00:20 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.19 2013/02/10 23:47:37 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.20 2013/02/11 00:00:20 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.19 2013/02/10 23:47:37 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.20 2013/02/11 00:00:20 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -242,7 +242,7 @@ npfctl_build_vars(nc_ctx_t *nc, sa_famil
 
 static int
 npfctl_build_proto(nc_ctx_t *nc, sa_family_t family,
-    const opt_proto_t *op, bool nof, bool nop)
+    const opt_proto_t *op, bool noaddrs, bool noports)
 {
 	const npfvar_t *popts = op->op_opts;
 	const int proto = op->op_proto;
@@ -262,7 +262,7 @@ npfctl_build_proto(nc_ctx_t *nc, sa_fami
 		tf = npfvar_get_data(popts, NPFVAR_TCPFLAG, 0);
 		tf_mask = npfvar_get_data(popts, NPFVAR_TCPFLAG, 1);
 		npfctl_gennc_tcpfl(nc, *tf, *tf_mask);
-		nop = false;
+		noports = false;
 		break;
 	case IPPROTO_UDP:
 		pflag = NC_MATCH_UDP;
@@ -271,7 +271,7 @@ npfctl_build_proto(nc_ctx_t *nc, sa_fami
 		/*
 		 * Build ICMP block.
 		 */
-		if (!nop) {
+		if (!noports) {
 			goto invop;
 		}
 		assert(npfvar_get_count(popts) == 2);
@@ -280,13 +280,13 @@ npfctl_build_proto(nc_ctx_t *nc, sa_fami
 		icmp_type = npfvar_get_data(popts, NPFVAR_ICMP, 0);
 		icmp_code = npfvar_get_data(popts, NPFVAR_ICMP, 1);
 		npfctl_gennc_icmp(nc, *icmp_type, *icmp_code);
-		nop = false;
+		noports = false;
 		break;
 	case IPPROTO_ICMPV6:
 		/*
 		 * Build ICMP block.
 		 */
-		if (!nop) {
+		if (!noports) {
 			goto invop;
 		}
 		assert(npfvar_get_count(popts) == 2);
@@ -295,17 +295,18 @@ npfctl_build_proto(nc_ctx_t *nc, sa_fami
 		icmp6_type = npfvar_get_data(popts, NPFVAR_ICMP6, 0);
 		icmp6_code = npfvar_get_data(popts, NPFVAR_ICMP6, 1);
 		npfctl_gennc_icmp6(nc, *icmp6_type, *icmp6_code);
-		nop = false;
+		noports = false;
 		break;
 	case -1:
 		pflag = NC_MATCH_TCP | NC_MATCH_UDP;
-		nop = false;
+		noports = false;
 		break;
 	default:
 		/*
-		 * No filter options are supported for other protcols.
+		 * No filter options are supported for other protocols,
+		 * only the IP addresses are allowed.
 		 */
-		if (nof && nop) {
+		if (noports) {
 			break;
 		}
 invop:
@@ -316,7 +317,7 @@ invop:
 	 * Build the protocol block, unless other blocks will implicitly
 	 * perform the family/protocol checks for us.
 	 */
-	if ((family != AF_UNSPEC && nof) || (proto != -1 && nop)) {
+	if ((family != AF_UNSPEC && noaddrs) || (proto != -1 && noports)) {
 		uint8_t addrlen;
 
 		switch (family) {
@@ -329,7 +330,9 @@ invop:
 		default:
 			addrlen = 0;
 		}
-		npfctl_gennc_proto(nc, nof ? addrlen : 0, nop ? proto : 0xff);
+		npfctl_gennc_proto(nc,
+		    noaddrs ? addrlen : 0,
+		    noports ? proto : 0xff);
 	}
 	return pflag;
 }
@@ -341,7 +344,7 @@ npfctl_build_ncode(nl_rule_t *rl, sa_fam
 	const addr_port_t *apfrom = &fopts->fo_from;
 	const addr_port_t *apto = &fopts->fo_to;
 	const int proto = op->op_proto;
-	bool nof, nop;
+	bool noaddrs, noports;
 	nc_ctx_t *nc;
 	void *code;
 	size_t len;
@@ -349,9 +352,10 @@ npfctl_build_ncode(nl_rule_t *rl, sa_fam
 	/*
 	 * If none specified, no n-code.
 	 */
-	nof = !apfrom->ap_netaddr && !apto->ap_netaddr;
-	nop = !apfrom->ap_portrange && !apto->ap_portrange;
-	if (family == AF_UNSPEC && proto == -1 && !op->op_opts && nof && nop)
+	noaddrs = !apfrom->ap_netaddr && !apto->ap_netaddr;
+	noports = !apfrom->ap_portrange && !apto->ap_portrange;
+	if (family == AF_UNSPEC && proto == -1 && !op->op_opts &&
+	    noaddrs && noports)
 		return false;
 
 	int srcflag = NC_MATCH_SRC;
@@ -365,7 +369,7 @@ npfctl_build_ncode(nl_rule_t *rl, sa_fam
 	nc = npfctl_ncgen_create();
 
 	/* Build layer 4 protocol blocks. */
-	int pflag = npfctl_build_proto(nc, family, op, nof, nop);
+	int pflag = npfctl_build_proto(nc, family, op, noaddrs, noports);
 
 	/* Build IP address blocks. */
 	npfctl_build_vars(nc, family, apfrom->ap_netaddr, srcflag);

Reply via email to