err, nobody?

* Henning Brauer <henn...@openbsd.org> [2012-07-11 13:14]:
> ..because now you had to initialize both set_prio in pf_rule to it
> everywhere. we did that, at least in some parts of our tree...
> problem being of course that 0 is a valid value there and can't easily
> be used as "don't touch" indicator.
> so use a flag and only ever look at the set_prio fields if the flag is
> set.
> 
> this is entirely untested, I am asking you guys to help with this. I
> am reasonably confident this is right tho.
> 
> now excuse me pls, have to bang my head against a wall of queues
> 
> Index: libexec/tftp-proxy/filter.c
> ===================================================================
> RCS file: /cvs/src/libexec/tftp-proxy/filter.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 filter.c
> --- libexec/tftp-proxy/filter.c       8 Jul 2012 11:57:08 -0000       1.13
> +++ libexec/tftp-proxy/filter.c       11 Jul 2012 11:03:11 -0000
> @@ -176,7 +176,6 @@ prepare_rule(u_int32_t id, struct sockad
>       pfr.rule.dst.port[0] = htons(d_port);
>       pfr.rule.rtableid = -1;
>       pfr.rule.onrdomain = -1;
> -     pfr.rule.set_prio[0] = pfr.rule.set_prio[1] = PF_PRIO_NOTSET;
>       pfr.rule.action = PF_PASS;
>       pfr.rule.quick = 1;
>       pfr.rule.log = rule_log;
> Index: sbin/pfctl/parse.y
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/parse.y,v
> retrieving revision 1.618
> diff -u -p -r1.618 parse.y
> --- sbin/pfctl/parse.y        10 Jul 2012 09:29:36 -0000      1.618
> +++ sbin/pfctl/parse.y        11 Jul 2012 10:57:07 -0000
> @@ -892,8 +892,8 @@ anchorrule        : ANCHOR anchorname dir quick
>                       if ($9.marker & FOM_SETPRIO) {
>                               r.set_prio[0] = $9.set_prio[0];
>                               r.set_prio[1] = $9.set_prio[1];
> -                     } else
> -                             r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET;
> +                             r.scrub_flags |= PFSTATE_SETPRIO;
> +                     }
>  
>                       decide_address_family($8.src.host, &r.af);
>                       decide_address_family($8.dst.host, &r.af);
> @@ -1025,7 +1025,6 @@ antispoof       : ANTISPOOF logquick antispoof
>                               r.logif = $2.logif;
>                               r.quick = $2.quick;
>                               r.af = $4;
> -                             r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET;
>                               if (rule_label(&r, $5.label))
>                                       YYERROR;
>                               r.rtableid = $5.rtableid;
> @@ -1710,8 +1709,8 @@ pfrule          : action dir logquick interface 
>                       if ($8.marker & FOM_SETPRIO) {
>                               r.set_prio[0] = $8.set_prio[0];
>                               r.set_prio[1] = $8.set_prio[1];
> -                     } else
> -                             r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET;
> +                             r.scrub_flags |= PFSTATE_SETPRIO;
> +                     }
>                       if ($8.marker & FOM_ONCE)
>                               r.rule_flag |= PFRULE_ONCE;
>                       if ($8.marker & FOM_AFTO)
> Index: sbin/pfctl/pfctl_parser.c
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
> retrieving revision 1.289
> diff -u -p -r1.289 pfctl_parser.c
> --- sbin/pfctl/pfctl_parser.c 10 Jul 2012 09:39:26 -0000      1.289
> +++ sbin/pfctl/pfctl_parser.c 11 Jul 2012 10:59:19 -0000
> @@ -843,11 +843,10 @@ print_rule(struct pf_rule *r, const char
>       if (r->tos)
>               printf(" tos 0x%2.2x", r->tos);
>  
> -     if (r->set_prio[0] != PF_PRIO_NOTSET ||
> -         r->scrub_flags & PFSTATE_SETTOS) {
> +     if (r->scrub_flags & PFSTATE_SETMASK) {
>               char *comma = "";
>               printf(" set (");
> -             if (r->set_prio[0] != PF_PRIO_NOTSET) {
> +             if (r->scrub_flags & PFSTATE_SETPRIO) {
>                       if (r->set_prio[0] == r->set_prio[1])
>                               printf("%s prio %u", comma, r->set_prio[0]);
>                       else
> Index: sys/net/pf.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf.c,v
> retrieving revision 1.808
> diff -u -p -r1.808 pf.c
> --- sys/net/pf.c      10 Jul 2012 17:33:48 -0000      1.808
> +++ sys/net/pf.c      11 Jul 2012 10:52:59 -0000
> @@ -2526,7 +2526,7 @@ pf_send_tcp(const struct pf_rule *r, sa_
>               m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
>       m->m_pkthdr.pf.tag = rtag;
>       m->m_pkthdr.rdomain = rdom;
> -     if (r && r->set_prio[0] != PF_PRIO_NOTSET)
> +     if (r && (r->scrub_flags & PFSTATE_SETPRIO))
>               m->m_pkthdr.pf.prio = r->set_prio[0];
>  
>  #ifdef ALTQ
> @@ -2650,7 +2650,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty
>  
>       m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
>       m0->m_pkthdr.rdomain = rdomain;
> -     if (r && r->set_prio[0] != PF_PRIO_NOTSET)
> +     if (r && (r->scrub_flags & PFSTATE_SETPRIO))
>               m0->m_pkthdr.pf.prio = r->set_prio[0];
>  
>  #ifdef ALTQ
> @@ -3279,11 +3279,9 @@ pf_rule_to_actions(struct pf_rule *r, st
>       if (r->max_mss)
>               a->max_mss = r->max_mss;
>       a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID|
> -         PFSTATE_SETTOS|PFSTATE_SCRUB_TCP));
> -     if (r->set_prio[0] != PF_PRIO_NOTSET)
> -             a->set_prio[0] = r->set_prio[0];
> -     if (r->set_prio[1] != PF_PRIO_NOTSET)
> -             a->set_prio[1] = r->set_prio[1];
> +         PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO));
> +     a->set_prio[0] = r->set_prio[0];
> +     a->set_prio[1] = r->set_prio[1];
>  }
>  
>  #define PF_TEST_ATTRIB(t, a)                 \
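Review bot: The two added `a->set_prio[...] = r->set_prio[...]` lines copy unconditionally, whereas the removed lines only overwrote the action's priority when this rule actually carried one. Since `a->flags` accumulates PFSTATE_SETPRIO with `|=` across every rule that reaches pf_rule_to_actions, a later rule without `set prio` would (if it is applied after a match rule that did set it) overwrite the stored values while the flag stays set, so the state presumably ends up with prio 0 — or with whatever this rule's set_prio fields hold, which pfioctl no longer bounds-checks when the flag is clear. Guard the copy with the same flag test the other hunks use, so unflagged values never reach the action. pf_rule_to_actions starts before this hunk.
```c
	/* … unchanged: max_mss and the a->flags accumulation … */
	if (r->scrub_flags & PFSTATE_SETPRIO) {
		a->set_prio[0] = r->set_prio[0];
		a->set_prio[1] = r->set_prio[1];
	}
```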
> @@ -3319,7 +3317,6 @@ pf_test_rule(struct pf_pdesc *pd, struct
>       u_int8_t                 icmptype = 0, icmpcode = 0;
>  
>       bzero(&act, sizeof(act));
> -     act.set_prio[0] = act.set_prio[1] = PF_PRIO_NOTSET;
>       bzero(sns, sizeof(sns));
>       act.rtableid = pd->rdomain;
>       SLIST_INIT(&rules);
> @@ -6886,11 +6883,11 @@ done:
>                       pf_tag_packet(pd.m, s->tag, s->rtableid[pd.didx]);
>                       if (pqid || (pd.tos & IPTOS_LOWDELAY)) {
>                               qid = s->pqid;
> -                             if (s->set_prio[1] != PF_PRIO_NOTSET)
> +                             if (s->state_flags & PFSTATE_SETPRIO)
>                                       pd.m->m_pkthdr.pf.prio = s->set_prio[1];
>                       } else {
>                               qid = s->qid;
> -                             if (s->set_prio[0] != PF_PRIO_NOTSET)
> +                             if (s->state_flags & PFSTATE_SETPRIO)
>                                       pd.m->m_pkthdr.pf.prio = s->set_prio[0];
>                       }
>               } else {
> @@ -6898,11 +6895,11 @@ done:
>                           r->set_tos);
>                       if (pqid || (pd.tos & IPTOS_LOWDELAY)) {
>                               qid = r->pqid;
> -                             if (r->set_prio[1] != PF_PRIO_NOTSET)
> +                             if (r->scrub_flags & PFSTATE_SETPRIO)
>                                       pd.m->m_pkthdr.pf.prio = r->set_prio[1];
>                       } else {
>                               qid = r->qid;
> -                             if (r->set_prio[0] != PF_PRIO_NOTSET)
> +                             if (r->scrub_flags & PFSTATE_SETPRIO)
>                                       pd.m->m_pkthdr.pf.prio = r->set_prio[0];
>                       }
>               }
> Index: sys/net/pf_ioctl.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf_ioctl.c,v
> retrieving revision 1.253
> diff -u -p -r1.253 pf_ioctl.c
> --- sys/net/pf_ioctl.c        8 Jul 2012 07:58:09 -0000       1.253
> +++ sys/net/pf_ioctl.c        11 Jul 2012 10:54:35 -0000
> @@ -1088,10 +1088,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
>                       error = EINVAL;
>               if (rule->rt && !rule->direction)
>                       error = EINVAL;
> -             if ((rule->set_prio[0] != PF_PRIO_NOTSET &&
> -                 rule->set_prio[0] > IFQ_MAXPRIO) ||
> -                 (rule->set_prio[1] != PF_PRIO_NOTSET &&
> -                    rule->set_prio[1] > IFQ_MAXPRIO))
> +             if (rule->scrub_flags & PFSTATE_SETPRIO &&
> +                 (rule->set_prio[0] > IFQ_MAXPRIO ||
> +                 rule->set_prio[1] > IFQ_MAXPRIO))
>                       error = EINVAL;
>  
>               if (error) {
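Review bot: The new condition mixes `&` and `&&` without parentheses around the flag test; it parses as intended because `&` binds tighter, but the pf_send_tcp and pf_send_icmp hunks in this same diff write `(r->scrub_flags & PFSTATE_SETPRIO)`, and this line should match: `if ((rule->scrub_flags & PFSTATE_SETPRIO) && (rule->set_prio[0] > IFQ_MAXPRIO || rule->set_prio[1] > IFQ_MAXPRIO))`. This is also the only place user-supplied set_prio values are bounds-checked, and the check is now skipped entirely when the flag is clear, so the kernel relies on every later reader testing the flag before touching set_prio. If `rule` here is the kernel's own copy, normalising the fields at the boundary keeps that invariant local: `if (!(rule->scrub_flags & PFSTATE_SETPRIO)) rule->set_prio[0] = rule->set_prio[1] = 0;`. pfioctl continues outside the hunk.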
> Index: sys/net/pfvar.h
> ===================================================================
> RCS file: /cvs/src/sys/net/pfvar.h,v
> retrieving revision 1.365
> diff -u -p -r1.365 pfvar.h
> --- sys/net/pfvar.h   10 Jul 2012 09:38:22 -0000      1.365
> +++ sys/net/pfvar.h   11 Jul 2012 10:59:21 -0000
> @@ -648,7 +648,6 @@ struct pf_rule {
>  #define PF_FLUSH             0x01
>  #define PF_FLUSH_GLOBAL              0x02
>       u_int8_t                 flush;
> -#define PF_PRIO_NOTSET               0xff
>       u_int8_t                 set_prio[2];
>       sa_family_t              naf;
>  
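Review bot: Dropping PF_PRIO_NOTSET changes what `set_prio[2]` means — the two bytes are now only meaningful when `scrub_flags` carries PFSTATE_SETPRIO, and 0xff becomes an ordinary value — but nothing in the struct says so. Add a comment on the surviving field, e.g. `u_int8_t set_prio[2]; /* valid only if scrub_flags & PFSTATE_SETPRIO */`, so consumers that copy or validate the rule know to test the flag first. Any out-of-tree code still assigning PF_PRIO_NOTSET will fail to compile rather than silently request priority 255, which is the better failure mode; mention the flag in the commit message for those maintainers. The struct pf_rule definition extends beyond this hunk.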
> @@ -840,7 +839,9 @@ struct pf_state {
>  #define      PFSTATE_SETTOS          0x0040
>  #define      PFSTATE_RANDOMID        0x0080
>  #define      PFSTATE_SCRUB_TCP       0x0100
> +#define      PFSTATE_SETPRIO         0x0200
>  #define      PFSTATE_SCRUBMASK 
> (PFSTATE_NODF|PFSTATE_RANDOMID|PFSTATE_SCRUB_TCP)
> +#define      PFSTATE_SETMASK   (PFSTATE_SETTOS|PFSTATE_SETPRIO)
>       u_int8_t                 log;
>       u_int8_t                 timeout;
>       u_int8_t                 sync_state; /* PFSYNC_S_x */
> Index: usr.sbin/ftp-proxy/filter.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ftp-proxy/filter.c,v
> retrieving revision 1.19
> diff -u -p -r1.19 filter.c
> --- usr.sbin/ftp-proxy/filter.c       7 Jul 2012 16:24:32 -0000       1.19
> +++ usr.sbin/ftp-proxy/filter.c       11 Jul 2012 11:00:05 -0000
> @@ -207,7 +207,6 @@ prepare_rule(u_int32_t id, struct sockad
>       pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
>       pfr.rule.nat.addr.type = PF_ADDR_NONE;
>       pfr.rule.rdr.addr.type = PF_ADDR_NONE;
> -     pfr.rule.set_prio[0] = pfr.rule.set_prio[1] = PF_PRIO_NOTSET;
>  
>       if (src->sa_family == AF_INET) {
>               memcpy(&pfr.rule.src.addr.v.a.addr.v4,
> Index: usr.sbin/relayd/pfe_filter.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
> retrieving revision 1.49
> diff -u -p -r1.49 pfe_filter.c
> --- usr.sbin/relayd/pfe_filter.c      7 Jul 2012 16:24:32 -0000       1.49
> +++ usr.sbin/relayd/pfe_filter.c      11 Jul 2012 11:00:43 -0000
> @@ -440,7 +440,6 @@ sync_ruleset(struct relayd *env, struct 
>               rio.rule.dst.port[1] = address->port.val[1];
>               rio.rule.rtableid = -1; /* stay in the main routing table */
>               rio.rule.onrdomain = getrtable();
> -             rio.rule.set_prio[0] = rio.rule.set_prio[1] = PF_PRIO_NOTSET;
>  
>               if (rio.rule.proto == IPPROTO_TCP)
>                       rio.rule.timeout[PFTM_TCP_ESTABLISHED] =
> 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
