On 7 October 2009 c. 13:38:54 Henning Brauer wrote:
> * Vadim Zhukov <[email protected]> [2009-10-07 10:30]:
> > Hello all again.
> >
> > Could anyone explain the reasons for the following difference? More
> > precisely:
> >
> > 1. Why does pf_test() add log flag PF_LOG_FORCE, and pf_test6()
> > resets log flag to plain 1 (PF_LOG)?
>
> i probably missed the ipvshit case when fixing the log flag abuse

So this patch should be somewhat OK? I looked at pf_test() for analogies.

--
  Best wishes,
    Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.664
diff -u -p -r1.664 pf.c
--- pf.c        6 Oct 2009 21:21:48 -0000       1.664
+++ pf.c        7 Oct 2009 10:44:32 -0000
@@ -5767,7 +5767,7 @@ pf_test6(int dir, struct ifnet *ifp, str
        if (m->m_pkthdr.len < (int)sizeof(*h)) {
                action = PF_DROP;
                REASON_SET(&reason, PFRES_SHORT);
-               log = 1;
+               log |= PF_LOG_FORCE;
                goto done;
        }

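Review bot: Replacing `log = 1;` with `log |= PF_LOG_FORCE;` makes the value that reaches `done:` depend on what `log` already holds, so it reproduces the old behaviour only if `log` starts at zero in pf_test6's declarations, which lie outside this hunk and are worth checking once rather than per site. The same substitution is made at the rthdr, rthdr0, short-opt and dangerous-headers drop sites (hunks @@ -5825, @@ -5834, @@ -5842, @@ -5858 and @@ -6029) and carries the same dependency. A one-line comment at the declaration, `/* accumulates PF_LOG_* bits; PF_LOG_FORCE marks drops logged regardless of rule flags */`, would make the accumulating semantics explicit to the next reader. pf_test6's body starts well before this hunk.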
@@ -5825,7 +5825,7 @@ pf_test6(int dir, struct ifnet *ifp, str
                                    ("pf: IPv6 more than one rthdr\n"));
                                action = PF_DROP;
                                REASON_SET(&reason, PFRES_IPOPTIONS);
-                               log = 1;
+                               log |= PF_LOG_FORCE;
                                goto done;
                        }
                        if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
@@ -5834,7 +5834,7 @@ pf_test6(int dir, struct ifnet *ifp, str
                                    ("pf: IPv6 short rthdr\n"));
                                action = PF_DROP;
                                REASON_SET(&reason, PFRES_SHORT);
-                               log = 1;
+                               log |= PF_LOG_FORCE;
                                goto done;
                        }
                        if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
@@ -5842,7 +5842,7 @@ pf_test6(int dir, struct ifnet *ifp, str
                                    ("pf: IPv6 rthdr0\n"));
                                action = PF_DROP;
                                REASON_SET(&reason, PFRES_IPOPTIONS);
-                               log = 1;
+                               log |= PF_LOG_FORCE;
                                goto done;
                        }
                        /* FALLTHROUGH */
@@ -5858,7 +5858,7 @@ pf_test6(int dir, struct ifnet *ifp, str
                                DPFPRINTF(PF_DEBUG_MISC,
                                    ("pf: IPv6 short opt\n"));
                                action = PF_DROP;
-                               log = 1;
+                               log |= PF_LOG_FORCE;
                                goto done;
                        }
                        if (pd.proto == IPPROTO_AH)
@@ -5887,7 +5887,8 @@ pf_test6(int dir, struct ifnet *ifp, str
                pd.hdr.tcp = &th;
                if (!pf_pull_hdr(m, off, &th, sizeof(th),
                    &action, &reason, AF_INET6)) {
-                       log = action != PF_PASS;
+                       if (action != PF_PASS)
+                               log |= PF_LOG_FORCE;
                        goto done;
                }
                pd.p_len = pd.tot_len - off - (th.th_off << 2);
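Review bot: The old `log = action != PF_PASS;` also cleared `log` when pf_pull_hdr() failed with action == PF_PASS, whereas the new `if (action != PF_PASS) log |= PF_LOG_FORCE;` leaves any earlier bits in place on that path. Every earlier site that sets `log` jumps straight to `done`, so the difference looks harmless here, but it is a behaviour change rather than a pure flag rename and deserves a sentence in the commit message. The same rewrite appears in the UDP and both ICMPv6 pull_hdr hunks (@@ -5924, @@ -5968, @@ -5985). pf_test6 continues outside this hunk.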
@@ -5904,7 +5905,7 @@ pf_test6(int dir, struct ifnet *ifp, str
 #endif /* NPFSYNC */
                        r = s->rule.ptr;
                        a = s->anchor.ptr;
-                       log = s->log;
+                       log |= s->log;
                } else if (s == NULL)
                        action = pf_test_rule(&r, &s, dir, kif,
                            m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -5924,7 +5925,8 @@ pf_test6(int dir, struct ifnet *ifp, str
                pd.hdr.udp = &uh;
                if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
                    &action, &reason, AF_INET6)) {
-                       log = action != PF_PASS;
+                       if (action != PF_PASS)
+                               log |= PF_LOG_FORCE;
                        goto done;
                }
                if (uh.uh_dport == 0 ||
@@ -5943,7 +5945,7 @@ pf_test6(int dir, struct ifnet *ifp, str
 #endif /* NPFSYNC */
                        r = s->rule.ptr;
                        a = s->anchor.ptr;
-                       log = s->log;
+                       log |= s->log;
                } else if (s == NULL)
                        action = pf_test_rule(&r, &s, dir, kif,
                            m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -5968,7 +5970,8 @@ pf_test6(int dir, struct ifnet *ifp, str
                pd.hdr.icmp6 = &ih.icmp6;
                if (!pf_pull_hdr(m, off, &ih, icmp_hlen,
                    &action, &reason, AF_INET6)) {
-                       log = action != PF_PASS;
+                       if (action != PF_PASS)
+                               log |= PF_LOG_FORCE;
                        goto done;
                }
                /* ICMP headers we look further into to match state */
@@ -5985,7 +5988,8 @@ pf_test6(int dir, struct ifnet *ifp, str
                if (icmp_hlen > sizeof(struct icmp6_hdr) &&
                    !pf_pull_hdr(m, off, &ih, icmp_hlen,
                    &action, &reason, AF_INET6)) {
-                       log = action != PF_PASS;
+                       if (action != PF_PASS)
+                               log |= PF_LOG_FORCE;
                        goto done;
                }
                action = pf_test_state_icmp(&s, dir, kif,
@@ -5996,7 +6000,7 @@ pf_test6(int dir, struct ifnet *ifp, str
 #endif /* NPFSYNC */
                        r = s->rule.ptr;
                        a = s->anchor.ptr;
-                       log = s->log;
+                       log |= s->log;
                } else if (s == NULL)
                        action = pf_test_rule(&r, &s, dir, kif,
                            m, off, h, &pd, &a, &ruleset, &ip6intrq);
@@ -6011,7 +6015,7 @@ pf_test6(int dir, struct ifnet *ifp, str
 #endif /* NPFSYNC */
                        r = s->rule.ptr;
                        a = s->anchor.ptr;
-                       log = s->log;
+                       log |= s->log;
                } else if (s == NULL)
                        action = pf_test_rule(&r, &s, dir, kif, m, off, h,
                            &pd, &a, &ruleset, &ip6intrq);
@@ -6029,7 +6033,7 @@ done:
            !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
                action = PF_DROP;
                REASON_SET(&reason, PFRES_IPOPTIONS);
-               log = 1;
+               log |= PF_LOG_FORCE;
                DPFPRINTF(PF_DEBUG_MISC,
                    ("pf: dropping packet with dangerous v6 headers\n"));
        }
@@ -6074,15 +6078,24 @@ done:
        }

        if (log) {
-               struct pf_rule *lr;
+               struct pf_rule          *lr;
+               struct pf_rule_item     *ri;

                if (s != NULL && s->nat_rule.ptr != NULL &&
                    s->nat_rule.ptr->log & PF_LOG_ALL)
                        lr = s->nat_rule.ptr;
                else
                        lr = r;
-               PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset,
-                   &pd);
+
+               if (log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
+                       PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a,
+                           ruleset, &pd);
+               if (s) {
+                       SLIST_FOREACH(ri, &s->match_rules, entry)
+                               if (ri->r->log & PF_LOG_ALL)
+                                       PFLOG_PACKET(kif, h, m, AF_INET6, dir,
+                                           reason, ri->r, a, ruleset, &pd);
+               }
        }

        kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
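Review bot: The rewritten block can emit more than one pflog record for a single packet: one for `lr` when `PF_LOG_FORCE` is set or `lr` carries `PF_LOG_ALL`, then one per entry of `s->match_rules` whose rule carries `PF_LOG_ALL`, and nothing in the hunk prevents `ri->r` from coinciding with `lr` if that list can hold the same rule. Anyone deriving drop counts from pflog should know this, so a short comment before the first PFLOG_PACKET would help: `/* One record per rule that asked for "log (all)": the nat/final rule first, then each match rule; forced drops are logged regardless of rule flags. */`. The condition `log & PF_LOG_FORCE || lr->log & PF_LOG_ALL` relies on `&` binding tighter than `||`; it is correct, and presumably mirrors pf_test, but `if ((log & PF_LOG_FORCE) || (lr->log & PF_LOG_ALL))` would spare the next reader the precedence check.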
@@ -6097,6 +6110,8 @@ done:
                        a->bytes[dirndx] += pd.tot_len;
                }
                if (s != NULL) {
+                       struct pf_rule_item     *ri;
+
                        if (s->nat_rule.ptr != NULL) {
                                s->nat_rule.ptr->packets[dirndx]++;
                                s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
@@ -6112,6 +6127,10 @@ done:
                        dirndx = (dir == s->direction) ? 0 : 1;
                        s->packets[dirndx]++;
                        s->bytes[dirndx] += pd.tot_len;
+                       SLIST_FOREACH(ri, &s->match_rules, entry) {
+                               ri->r->packets[dirndx]++;
+                               ri->r->bytes[dirndx] += pd.tot_len;
+                       }
                }
                tr = r;
                nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
@@ -6120,13 +6139,15 @@ done:
                if (tr->src.addr.type == PF_ADDR_TABLE)
                        pfr_update_stats(tr->src.addr.p.tbl,
                            (s == NULL) ? pd.src :
-                           &s->key[(s->direction == PF_IN)]->addr[0],
+                           &s->key[(s->direction == PF_IN)]->
+                               addr[(s->direction == PF_OUT)],
                            pd.af, pd.tot_len, dir == PF_OUT,
                            r->action == PF_PASS, tr->src.neg);
                if (tr->dst.addr.type == PF_ADDR_TABLE)
                        pfr_update_stats(tr->dst.addr.p.tbl,
                            (s == NULL) ? pd.dst :
-                           &s->key[(s->direction == PF_IN)]->addr[1],
+                           &s->key[(s->direction == PF_IN)]->
+                               addr[(s->direction == PF_IN)],
                            pd.af, pd.tot_len, dir == PF_OUT,
                            r->action == PF_PASS, tr->dst.neg);
        }
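Review bot: Changing the table-statistics address from `addr[0]`/`addr[1]` to `addr[(s->direction == PF_OUT)]`/`addr[(s->direction == PF_IN)]` selects a different address of the state key for per-table packet and byte accounting, which is unrelated to the log-flag fix the mail describes. If this brings pf_test6 in line with pf_test, the commit message should say so explicitly; otherwise it belongs in a separate diff so the accounting change can be reviewed and tested on its own. The enclosing block starts before this hunk.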
