Hi,
This patch folds pf_headers into pf_pdesc, and eliminates pf_pdesc's
header pointers. It's mostly mechanical except for strengthening a guard
in pf_socket_lookup().
I've an OK from bluhm@ but to give others a heads-up I won't commit for
another 48 hours.
+ve removes the header buffer indirection
+ve shaves a parameter from pf_setup_pdesc; no need to allocate
a separate header struct on the stack.
+ve lets us scrub a few (void*) casts
+ve shaves ~200 bytes from pf.o on i386 (adds ~20 on amd64).
-ve it's relatively big
-ve? pf_headers is now bzero'ed on init (28 bytes).
As per usual I've broken this into an easier-to-review series
of patches, which is available at http://203.79.107.124/hdr
Compiled and tested for basic sanity on i386.
best,
Richard.
--
(includes whitespace fixes from bluhm@)
Index: net/pf.c
===================================================================
--- net.orig/pf.c
+++ net/pf.c
@@ -773,25 +773,22 @@ pf_state_key_addr_setup(struct pf_pdesc
{
struct pf_state_key_cmp *key = arg;
#ifdef INET6
- struct nd_neighbor_solicit *nd;
struct pf_addr *target;
if (af == AF_INET || pd->proto != IPPROTO_ICMPV6)
goto copy;
- switch (pd->hdr.icmp6->icmp6_type) {
+ switch (pd->hdr.icmp6.icmp6_type) {
case ND_NEIGHBOR_SOLICIT:
if (multi)
return (-1);
- nd = (void *)pd->hdr.icmp6;
- target = (struct pf_addr *)&nd->nd_ns_target;
+ target = (struct pf_addr *)&pd->hdr.nd_ns.nd_ns_target;
daddr = target;
break;
case ND_NEIGHBOR_ADVERT:
if (multi)
return (-1);
- nd = (void *)pd->hdr.icmp6;
- target = (struct pf_addr *)&nd->nd_ns_target;
+ target = (struct pf_addr *)&pd->hdr.nd_ns.nd_ns_target;
saddr = target;
if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) {
key->addr[didx].addr32[0] = 0;
@@ -1978,7 +1975,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_i
/* FALLTHROUGH */
case ICMP_ECHOREPLY:
*virtual_type = ICMP_ECHO;
- *virtual_id = pd->hdr.icmp->icmp_id;
+ *virtual_id = pd->hdr.icmp.icmp_id;
break;
case ICMP_TSTAMP:
@@ -1986,7 +1983,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_i
/* FALLTHROUGH */
case ICMP_TSTAMPREPLY:
*virtual_type = ICMP_TSTAMP;
- *virtual_id = pd->hdr.icmp->icmp_id;
+ *virtual_id = pd->hdr.icmp.icmp_id;
break;
case ICMP_IREQ:
@@ -1994,7 +1991,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_i
/* FALLTHROUGH */
case ICMP_IREQREPLY:
*virtual_type = ICMP_IREQ;
- *virtual_id = pd->hdr.icmp->icmp_id;
+ *virtual_id = pd->hdr.icmp.icmp_id;
break;
case ICMP_MASKREQ:
@@ -2002,7 +1999,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_i
/* FALLTHROUGH */
case ICMP_MASKREPLY:
*virtual_type = ICMP_MASKREQ;
- *virtual_id = pd->hdr.icmp->icmp_id;
+ *virtual_id = pd->hdr.icmp.icmp_id;
break;
case ICMP_IPV6_WHEREAREYOU:
@@ -2060,14 +2057,14 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_i
/* FALLTHROUGH */
case ICMP6_ECHO_REPLY:
*virtual_type = ICMP6_ECHO_REQUEST;
- *virtual_id = pd->hdr.icmp6->icmp6_id;
+ *virtual_id = pd->hdr.icmp6.icmp6_id;
break;
case MLD_LISTENER_QUERY:
*icmp_dir = PF_IN;
/* FALLTHROUGH */
case MLD_LISTENER_REPORT: {
- struct mld_hdr *mld = (void *)pd->hdr.icmp6;
+ struct mld_hdr *mld = &pd->hdr.mld;
u_int32_t h;
*virtual_type = MLD_LISTENER_QUERY;
@@ -2104,7 +2101,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_i
*icmp_dir = PF_IN;
/* FALLTHROUGH */
case ND_NEIGHBOR_ADVERT: {
- struct nd_neighbor_solicit *nd = (void *)pd->hdr.icmp6;
+ struct nd_neighbor_solicit *nd = &pd->hdr.nd_ns;
u_int32_t h;
*virtual_type = ND_NEIGHBOR_SOLICIT;
@@ -2307,7 +2304,7 @@ pf_translate_af(struct pf_pdesc *pd)
/* flush pd->pcksum */
if (copyback)
- m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any, M_NOWAIT);
+ m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT);
return (0);
}
@@ -2624,7 +2621,7 @@ pf_translate_icmp_af(struct pf_pdesc *pd
int
pf_modulate_sack(struct pf_pdesc *pd, struct pf_state_peer *dst)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
int hlen = (th->th_off << 2) - sizeof(*th);
int thoptlen = hlen;
u_int8_t opts[MAX_TCPOPTLEN], *opt = opts;
@@ -2824,7 +2821,7 @@ pf_send_challenge_ack(struct pf_pdesc *p
* memory.
*/
pf_send_tcp(s->rule.ptr, pd->af, pd->dst, pd->src,
- pd->hdr.tcp->th_dport, pd->hdr.tcp->th_sport, dst->seqlo,
+ pd->hdr.tcp.th_dport, pd->hdr.tcp.th_sport, dst->seqlo,
src->seqlo, TH_ACK, 0, 0, s->rule.ptr->return_ttl, 1, 0,
pd->rdomain);
}
@@ -3158,24 +3155,18 @@ pf_socket_lookup(struct pf_pdesc *pd)
struct inpcbtable *tb;
struct inpcb *inp;
- if (pd == NULL)
- return (-1);
pd->lookup.uid = UID_MAX;
pd->lookup.gid = GID_MAX;
pd->lookup.pid = NO_PID;
- switch (pd->proto) {
+ switch (pd->virtual_proto) {
case IPPROTO_TCP:
- if (pd->hdr.tcp == NULL)
- return (-1);
- sport = pd->hdr.tcp->th_sport;
- dport = pd->hdr.tcp->th_dport;
+ sport = pd->hdr.tcp.th_sport;
+ dport = pd->hdr.tcp.th_dport;
tb = &tcbtable;
break;
case IPPROTO_UDP:
- if (pd->hdr.udp == NULL)
- return (-1);
- sport = pd->hdr.udp->uh_sport;
- dport = pd->hdr.udp->uh_dport;
+ sport = pd->hdr.udp.uh_sport;
+ dport = pd->hdr.udp.uh_dport;
tb = &udbtable;
break;
default:
@@ -3232,7 +3223,7 @@ pf_socket_lookup(struct pf_pdesc *pd)
u_int8_t
pf_get_wscale(struct pf_pdesc *pd)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
int hlen;
u_int8_t hdr[60];
u_int8_t *opt, optlen;
@@ -3273,7 +3264,7 @@ pf_get_wscale(struct pf_pdesc *pd)
u_int16_t
pf_get_mss(struct pf_pdesc *pd)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
int hlen;
u_int8_t hdr[60];
u_int8_t *opt, optlen;
@@ -3410,8 +3401,8 @@ pf_tcp_iss(struct pf_pdesc *pd)
ctx = pf_tcp_secret_ctx;
SHA512Update(&ctx, &pd->rdomain, sizeof(pd->rdomain));
- SHA512Update(&ctx, &pd->hdr.tcp->th_sport, sizeof(u_short));
- SHA512Update(&ctx, &pd->hdr.tcp->th_dport, sizeof(u_short));
+ SHA512Update(&ctx, &pd->hdr.tcp.th_sport, sizeof(u_short));
+ SHA512Update(&ctx, &pd->hdr.tcp.th_dport, sizeof(u_short));
switch (pd->af) {
case AF_INET:
SHA512Update(&ctx, &pd->src->v4, sizeof(struct in_addr));
@@ -3476,7 +3467,6 @@ pf_test_rule(struct pf_pdesc *pd, struct
struct pf_rule_slist rules;
struct pf_rule_item *ri;
struct pf_src_node *sns[PF_SN_MAX];
- struct tcphdr *th = pd->hdr.tcp;
struct pf_state_key *skw = NULL, *sks = NULL;
struct pf_rule_actions act;
int rewrite = 0;
@@ -3500,8 +3490,8 @@ pf_test_rule(struct pf_pdesc *pd, struct
switch (pd->virtual_proto) {
case IPPROTO_ICMP:
- icmptype = pd->hdr.icmp->icmp_type;
- icmpcode = pd->hdr.icmp->icmp_code;
+ icmptype = pd->hdr.icmp.icmp_type;
+ icmpcode = pd->hdr.icmp.icmp_code;
state_icmp = pf_icmp_mapping(pd, icmptype,
&icmp_dir, &virtual_id, &virtual_type);
if (icmp_dir == PF_IN) {
@@ -3514,8 +3504,8 @@ pf_test_rule(struct pf_pdesc *pd, struct
break;
#ifdef INET6
case IPPROTO_ICMPV6:
- icmptype = pd->hdr.icmp6->icmp6_type;
- icmpcode = pd->hdr.icmp6->icmp6_code;
+ icmptype = pd->hdr.icmp6.icmp6_type;
+ icmpcode = pd->hdr.icmp6.icmp6_code;
state_icmp = pf_icmp_mapping(pd, icmptype,
&icmp_dir, &virtual_id, &virtual_type);
if (icmp_dir == PF_IN) {
@@ -3571,7 +3561,7 @@ pf_test_rule(struct pf_pdesc *pd, struct
break;
case IPPROTO_TCP:
- PF_TEST_ATTRIB(((r->flagset & th->th_flags) !=
+ PF_TEST_ATTRIB(((r->flagset & pd->hdr.tcp.th_flags) !=
r->flags),
TAILQ_NEXT(r, entries));
PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY &&
@@ -3725,8 +3715,9 @@ pf_test_rule(struct pf_pdesc *pd, struct
if (pd->proto == IPPROTO_TCP &&
((r->rule_flag & PFRULE_RETURNRST) ||
(r->rule_flag & PFRULE_RETURN)) &&
- !(th->th_flags & TH_RST)) {
- u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
+ !(pd->hdr.tcp.th_flags & TH_RST)) {
+ struct tcphdr *th = &pd->hdr.tcp;
+ u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
if (pf_check_tcp_cksum(pd->m, pd->off,
pd->tot_len - pd->off, pd->af))
@@ -3824,7 +3815,7 @@ pf_test_rule(struct pf_pdesc *pd, struct
/* copy back packet headers if needed */
if (rewrite && pd->hdrlen) {
- m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any, M_NOWAIT);
+ m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT);
}
#if NPFSYNC > 0
@@ -3865,7 +3856,7 @@ pf_create_state(struct pf_pdesc *pd, str
struct pf_rule_actions *act, struct pf_src_node *sns[PF_SN_MAX])
{
struct pf_state *s = NULL;
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
u_int16_t mss = tcp_mssdflt;
u_short reason;
u_int i;
@@ -4082,7 +4073,7 @@ pf_translate(struct pf_pdesc *pd, struct
if (afto) {
#ifdef INET6
- if (pf_translate_icmp_af(pd, AF_INET6, pd->hdr.icmp))
+ if (pf_translate_icmp_af(pd, AF_INET6, &pd->hdr.icmp))
return (0);
pd->proto = IPPROTO_ICMPV6;
rewrite = 1;
@@ -4091,7 +4082,7 @@ pf_translate(struct pf_pdesc *pd, struct
if (virtual_type == htons(ICMP_ECHO)) {
u_int16_t icmpid = (icmp_dir == PF_IN) ? sport : dport;
rewrite += pf_patch_16(pd,
- &pd->hdr.icmp->icmp_id, icmpid);
+ &pd->hdr.icmp.icmp_id, icmpid);
}
break;
@@ -4102,7 +4093,7 @@ pf_translate(struct pf_pdesc *pd, struct
return (0);
if (afto) {
- if (pf_translate_icmp_af(pd, AF_INET, pd->hdr.icmp6))
+ if (pf_translate_icmp_af(pd, AF_INET, &pd->hdr.icmp6))
return (0);
pd->proto = IPPROTO_ICMP;
rewrite = 1;
@@ -4110,7 +4101,7 @@ pf_translate(struct pf_pdesc *pd, struct
if (virtual_type == htons(ICMP6_ECHO_REQUEST)) {
u_int16_t icmpid = (icmp_dir == PF_IN) ? sport : dport;
rewrite += pf_patch_16(pd,
- &pd->hdr.icmp6->icmp6_id, icmpid);
+ &pd->hdr.icmp6.icmp6_id, icmpid);
}
break;
#endif /* INET6 */
@@ -4129,7 +4120,7 @@ pf_tcp_track_full(struct pf_pdesc *pd, s
struct pf_state_peer *dst, struct pf_state **state, u_short *reason,
int *copyback)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
u_int16_t win = ntohs(th->th_win);
u_int32_t ack, end, data_end, seq, orig_seq;
u_int8_t sws, dws;
@@ -4452,7 +4443,7 @@ int
pf_tcp_track_sloppy(struct pf_pdesc *pd, struct pf_state_peer *src,
struct pf_state_peer *dst, struct pf_state **state, u_short *reason)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
if (th->th_flags & TH_SYN)
if (src->state < TCPS_SYN_SENT)
@@ -4525,7 +4516,7 @@ pf_synproxy(struct pf_pdesc *pd, struct
struct pf_state_key *sk = (*state)->key[pd->didx];
if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
if (pd->dir != (*state)->direction) {
REASON_SET(reason, PFRES_SYNPROXY);
@@ -4556,7 +4547,7 @@ pf_synproxy(struct pf_pdesc *pd, struct
(*state)->src.state = PF_TCPS_PROXY_DST;
}
if ((*state)->src.state == PF_TCPS_PROXY_DST) {
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
if (pd->dir == (*state)->direction) {
if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
@@ -4645,14 +4636,14 @@ pf_test_state(struct pf_pdesc *pd, struc
case IPPROTO_TCP:
if ((action = pf_synproxy(pd, state, reason)) != PF_PASS)
return (action);
- if ((pd->hdr.tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) {
+ if ((pd->hdr.tcp.th_flags & (TH_SYN|TH_ACK)) == TH_SYN) {
if (dst->state >= TCPS_FIN_WAIT_2 &&
src->state >= TCPS_FIN_WAIT_2) {
if (pf_status.debug >= LOG_NOTICE) {
log(LOG_NOTICE, "pf: state reuse ");
pf_print_state(*state);
- pf_print_flags(pd->hdr.tcp->th_flags);
+ pf_print_flags(pd->hdr.tcp.th_flags);
addlog("\n");
}
/* XXX make sure it's the same direction ?? */
@@ -4770,7 +4761,7 @@ pf_test_state(struct pf_pdesc *pd, struc
}
if (copyback && pd->hdrlen > 0) {
- m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any, M_NOWAIT);
+ m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT);
}
return (action);
@@ -4838,11 +4829,11 @@ pf_test_state_icmp(struct pf_pdesc *pd,
switch (pd->proto) {
case IPPROTO_ICMP:
- icmptype = pd->hdr.icmp->icmp_type;
+ icmptype = pd->hdr.icmp.icmp_type;
break;
#ifdef INET6
case IPPROTO_ICMPV6:
- icmptype = pd->hdr.icmp6->icmp6_type;
+ icmptype = pd->hdr.icmp6.icmp6_type;
break;
#endif /* INET6 */
default:
@@ -4906,32 +4897,32 @@ pf_test_state_icmp(struct pf_pdesc *pd,
#ifdef INET6
if (afto) {
if (pf_translate_icmp_af(pd, AF_INET6,
- pd->hdr.icmp))
+ &pd->hdr.icmp))
return (PF_DROP);
pd->proto = IPPROTO_ICMPV6;
}
#endif /* INET6 */
pf_patch_16(pd,
- &pd->hdr.icmp->icmp_id, nk->port[iidx]);
+ &pd->hdr.icmp.icmp_id, nk->port[iidx]);
m_copyback(pd->m, pd->off, ICMP_MINLEN,
- pd->hdr.icmp, M_NOWAIT);
+ &pd->hdr.icmp, M_NOWAIT);
copyback = 1;
break;
#ifdef INET6
case AF_INET6:
if (afto) {
if (pf_translate_icmp_af(pd, AF_INET,
- pd->hdr.icmp6))
+ &pd->hdr.icmp6))
return (PF_DROP);
pd->proto = IPPROTO_ICMP;
}
pf_patch_16(pd,
- &pd->hdr.icmp6->icmp6_id, nk->port[iidx]);
+ &pd->hdr.icmp6.icmp6_id, nk->port[iidx]);
m_copyback(pd->m, pd->off,
- sizeof(struct icmp6_hdr), pd->hdr.icmp6,
+ sizeof(struct icmp6_hdr), &pd->hdr.icmp6,
M_NOWAIT);
copyback = 1;
break;
@@ -5019,7 +5010,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
switch (pd2.proto) {
case IPPROTO_TCP: {
- struct tcphdr th;
+ struct tcphdr *th = &pd2.hdr.tcp;
u_int32_t seq;
struct pf_state_peer *src, *dst;
u_int8_t dws;
@@ -5029,7 +5020,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
* expected. Don't access any TCP header fields after
* th_seq, an ackskew test is not possible.
*/
- if (!pf_pull_hdr(pd2.m, pd2.off, &th, 8, NULL, reason,
+ if (!pf_pull_hdr(pd2.m, pd2.off, th, 8, NULL, reason,
pd2.af)) {
DPFPRINTF(LOG_NOTICE,
"ICMP error message too short (tcp)");
@@ -5041,8 +5032,8 @@ pf_test_state_icmp(struct pf_pdesc *pd,
key.rdomain = pd2.rdomain;
PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af);
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
- key.port[pd2.sidx] = th.th_sport;
- key.port[pd2.didx] = th.th_dport;
+ key.port[pd2.sidx] = th->th_sport;
+ key.port[pd2.didx] = th->th_dport;
STATE_LOOKUP(pd2.kif, &key, pd2.dir, *state, pd2.m);
@@ -5070,9 +5061,9 @@ pf_test_state_icmp(struct pf_pdesc *pd,
dws = 0;
/* Demodulate sequence number */
- seq = ntohl(th.th_seq) - src->seqdiff;
+ seq = ntohl(th->th_seq) - src->seqdiff;
if (src->seqdiff) {
- pf_patch_32(pd, &th.th_seq, htonl(seq));
+ pf_patch_32(pd, &th->th_seq, htonl(seq));
copyback = 1;
}
@@ -5082,7 +5073,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (pf_status.debug >= LOG_NOTICE) {
log(LOG_NOTICE,
"pf: BAD ICMP %d:%d ",
- icmptype, pd->hdr.icmp->icmp_code);
+ icmptype, pd->hdr.icmp.icmp_code);
pf_print_host(pd->src, 0, pd->af);
addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);
@@ -5096,7 +5087,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (pf_status.debug >= LOG_DEBUG) {
log(LOG_DEBUG,
"pf: OK ICMP %d:%d ",
- icmptype, pd->hdr.icmp->icmp_code);
+ icmptype, pd->hdr.icmp.icmp_code);
pf_print_host(pd->src, 0, pd->af);
addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);
@@ -5124,11 +5115,11 @@ pf_test_state_icmp(struct pf_pdesc *pd,
#ifdef INET6
if (afto) {
if (pf_translate_icmp_af(pd, nk->af,
- pd->hdr.icmp))
+ &pd->hdr.icmp))
return (PF_DROP);
m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
- pd->hdr.icmp6, M_NOWAIT);
+ &pd->hdr.icmp6, M_NOWAIT);
if (pf_change_icmp_af(pd->m, ipoff2,
pd, &pd2, &nk->addr[sidx],
&nk->addr[didx], pd->af, nk->af))
@@ -5147,20 +5138,20 @@ pf_test_state_icmp(struct pf_pdesc *pd,
pd->naf = nk->af;
pf_patch_16(pd,
- &th.th_sport, nk->port[sidx]);
+ &th->th_sport, nk->port[sidx]);
pf_patch_16(pd,
- &th.th_dport, nk->port[didx]);
+ &th->th_dport, nk->port[didx]);
- m_copyback(pd2.m, pd2.off, 8, &th,
+ m_copyback(pd2.m, pd2.off, 8, th,
M_NOWAIT);
return (PF_AFRT);
}
#endif /* INET6 */
if (PF_ANEQ(pd2.src,
&nk->addr[pd2.sidx], pd2.af) ||
- nk->port[pd2.sidx] != th.th_sport)
+ nk->port[pd2.sidx] != th->th_sport)
pf_translate_icmp(pd, pd2.src,
- &th.th_sport, pd->dst,
+ &th->th_sport, pd->dst,
&nk->addr[pd2.sidx],
nk->port[pd2.sidx]);
@@ -5171,9 +5162,9 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (PF_ANEQ(pd2.dst,
&nk->addr[pd2.didx], pd2.af) ||
- nk->port[pd2.didx] != th.th_dport)
+ nk->port[pd2.didx] != th->th_dport)
pf_translate_icmp(pd, pd2.dst,
- &th.th_dport, pd->src,
+ &th->th_dport, pd->src,
&nk->addr[pd2.didx],
nk->port[pd2.didx]);
copyback = 1;
@@ -5183,7 +5174,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
switch (pd2.af) {
case AF_INET:
m_copyback(pd->m, pd->off, ICMP_MINLEN,
- pd->hdr.icmp, M_NOWAIT);
+ &pd->hdr.icmp, M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2),
&h2, M_NOWAIT);
break;
@@ -5191,20 +5182,20 @@ pf_test_state_icmp(struct pf_pdesc *pd,
case AF_INET6:
m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
- pd->hdr.icmp6, M_NOWAIT);
+ &pd->hdr.icmp6, M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2_6),
&h2_6, M_NOWAIT);
break;
#endif /* INET6 */
}
- m_copyback(pd2.m, pd2.off, 8, &th, M_NOWAIT);
+ m_copyback(pd2.m, pd2.off, 8, th, M_NOWAIT);
}
break;
}
case IPPROTO_UDP: {
- struct udphdr uh;
+ struct udphdr *uh = &pd2.hdr.udp;
- if (!pf_pull_hdr(pd2.m, pd2.off, &uh, sizeof(uh),
+ if (!pf_pull_hdr(pd2.m, pd2.off, uh, sizeof(*uh),
NULL, reason, pd2.af)) {
DPFPRINTF(LOG_NOTICE,
"ICMP error message too short (udp)");
@@ -5216,8 +5207,8 @@ pf_test_state_icmp(struct pf_pdesc *pd,
key.rdomain = pd2.rdomain;
PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af);
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
- key.port[pd2.sidx] = uh.uh_sport;
- key.port[pd2.didx] = uh.uh_dport;
+ key.port[pd2.sidx] = uh->uh_sport;
+ key.port[pd2.didx] = uh->uh_dport;
STATE_LOOKUP(pd2.kif, &key, pd2.dir, *state, pd2.m);
@@ -5239,11 +5230,11 @@ pf_test_state_icmp(struct pf_pdesc *pd,
#ifdef INET6
if (afto) {
if (pf_translate_icmp_af(pd, nk->af,
- pd->hdr.icmp))
+ &pd->hdr.icmp))
return (PF_DROP);
m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
- pd->hdr.icmp6, M_NOWAIT);
+ &pd->hdr.icmp6, M_NOWAIT);
if (pf_change_icmp_af(pd->m, ipoff2,
pd, &pd2, &nk->addr[sidx],
&nk->addr[didx], pd->af, nk->af))
@@ -5262,21 +5253,21 @@ pf_test_state_icmp(struct pf_pdesc *pd,
pd->naf = nk->af;
pf_patch_16(pd,
- &uh.uh_sport, nk->port[sidx]);
+ &uh->uh_sport, nk->port[sidx]);
pf_patch_16(pd,
- &uh.uh_dport, nk->port[didx]);
+ &uh->uh_dport, nk->port[didx]);
m_copyback(pd2.m, pd2.off, sizeof(uh),
- &uh, M_NOWAIT);
+ uh, M_NOWAIT);
return (PF_AFRT);
}
#endif /* INET6 */
if (PF_ANEQ(pd2.src,
&nk->addr[pd2.sidx], pd2.af) ||
- nk->port[pd2.sidx] != uh.uh_sport)
+ nk->port[pd2.sidx] != uh->uh_sport)
pf_translate_icmp(pd, pd2.src,
- &uh.uh_sport, pd->dst,
+ &uh->uh_sport, pd->dst,
&nk->addr[pd2.sidx],
nk->port[pd2.sidx]);
@@ -5287,16 +5278,16 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (PF_ANEQ(pd2.dst,
&nk->addr[pd2.didx], pd2.af) ||
- nk->port[pd2.didx] != uh.uh_dport)
+ nk->port[pd2.didx] != uh->uh_dport)
pf_translate_icmp(pd, pd2.dst,
- &uh.uh_dport, pd->src,
+ &uh->uh_dport, pd->src,
&nk->addr[pd2.didx],
nk->port[pd2.didx]);
switch (pd2.af) {
case AF_INET:
m_copyback(pd->m, pd->off, ICMP_MINLEN,
- pd->hdr.icmp, M_NOWAIT);
+ &pd->hdr.icmp, M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2),
&h2, M_NOWAIT);
break;
@@ -5304,7 +5295,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
case AF_INET6:
m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
- pd->hdr.icmp6, M_NOWAIT);
+ &pd->hdr.icmp6, M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2_6),
&h2_6, M_NOWAIT);
break;
@@ -5313,30 +5304,29 @@ pf_test_state_icmp(struct pf_pdesc *pd,
/* Avoid recomputing quoted UDP checksum.
* note: udp6 0 csum invalid per rfc2460 p27.
* but presumed nothing cares in this context */
- pf_patch_16(pd, &uh.uh_sum, 0);
- m_copyback(pd2.m, pd2.off, sizeof(uh), &uh,
+ pf_patch_16(pd, &uh->uh_sum, 0);
+ m_copyback(pd2.m, pd2.off, sizeof(*uh), uh,
M_NOWAIT);
copyback = 1;
}
break;
}
case IPPROTO_ICMP: {
- struct icmp iih;
+ struct icmp *iih = &pd2.hdr.icmp;
if (pd2.af != AF_INET) {
REASON_SET(reason, PFRES_NORM);
return (PF_DROP);
}
- if (!pf_pull_hdr(pd2.m, pd2.off, &iih, ICMP_MINLEN,
+ if (!pf_pull_hdr(pd2.m, pd2.off, iih, ICMP_MINLEN,
NULL, reason, pd2.af)) {
DPFPRINTF(LOG_NOTICE,
"ICMP error message too short (icmp)");
return (PF_DROP);
}
- pd2.hdr.icmp = &iih;
- pf_icmp_mapping(&pd2, iih.icmp_type,
+ pf_icmp_mapping(&pd2, iih->icmp_type,
&icmp_dir, &virtual_id, &virtual_type);
ret = pf_icmp_state_lookup(&pd2, &key, state,
@@ -5365,24 +5355,24 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (nk->af != AF_INET6)
return (PF_DROP);
if (pf_translate_icmp_af(pd, nk->af,
- pd->hdr.icmp))
+ &pd->hdr.icmp))
return (PF_DROP);
m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
- pd->hdr.icmp6, M_NOWAIT);
+ &pd->hdr.icmp6, M_NOWAIT);
if (pf_change_icmp_af(pd->m, ipoff2,
pd, &pd2, &nk->addr[sidx],
&nk->addr[didx], pd->af, nk->af))
return (PF_DROP);
pd->proto = IPPROTO_ICMPV6;
if (pf_translate_icmp_af(pd,
- nk->af, &iih))
+ nk->af, iih))
return (PF_DROP);
if (virtual_type == htons(ICMP_ECHO))
- pf_patch_16(pd, &iih.icmp_id,
+ pf_patch_16(pd, &iih->icmp_id,
nk->port[iidx]);
m_copyback(pd2.m, pd2.off, ICMP_MINLEN,
- &iih, M_NOWAIT);
+ iih, M_NOWAIT);
pd->m->m_pkthdr.ph_rtableid =
nk->rdomain;
pd->destchg = 1;
@@ -5398,10 +5388,10 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (PF_ANEQ(pd2.src,
&nk->addr[pd2.sidx], pd2.af) ||
(virtual_type == htons(ICMP_ECHO) &&
- nk->port[iidx] != iih.icmp_id))
+ nk->port[iidx] != iih->icmp_id))
pf_translate_icmp(pd, pd2.src,
(virtual_type == htons(ICMP_ECHO)) ?
- &iih.icmp_id : NULL,
+ &iih->icmp_id : NULL,
pd->dst, &nk->addr[pd2.sidx],
(virtual_type == htons(ICMP_ECHO)) ?
nk->port[iidx] : 0);
@@ -5417,10 +5407,10 @@ pf_test_state_icmp(struct pf_pdesc *pd,
pd->src, &nk->addr[pd2.didx], 0);
m_copyback(pd->m, pd->off, ICMP_MINLEN,
- pd->hdr.icmp, M_NOWAIT);
+ &pd->hdr.icmp, M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2), &h2,
M_NOWAIT);
- m_copyback(pd2.m, pd2.off, ICMP_MINLEN, &iih,
+ m_copyback(pd2.m, pd2.off, ICMP_MINLEN, iih,
M_NOWAIT);
copyback = 1;
}
@@ -5428,22 +5418,21 @@ pf_test_state_icmp(struct pf_pdesc *pd,
}
#ifdef INET6
case IPPROTO_ICMPV6: {
- struct icmp6_hdr iih;
+ struct icmp6_hdr *iih = &pd2.hdr.icmp6;
if (pd2.af != AF_INET6) {
REASON_SET(reason, PFRES_NORM);
return (PF_DROP);
}
- if (!pf_pull_hdr(pd2.m, pd2.off, &iih,
+ if (!pf_pull_hdr(pd2.m, pd2.off, iih,
sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
DPFPRINTF(LOG_NOTICE,
"ICMP error message too short (icmp6)");
return (PF_DROP);
}
- pd2.hdr.icmp6 = &iih;
- pf_icmp_mapping(&pd2, iih.icmp6_type,
+ pf_icmp_mapping(&pd2, iih->icmp6_type,
&icmp_dir, &virtual_id, &virtual_type);
ret = pf_icmp_state_lookup(&pd2, &key, state,
virtual_id, virtual_type, icmp_dir, &iidx, 0, 1);
@@ -5476,25 +5465,25 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (nk->af != AF_INET)
return (PF_DROP);
if (pf_translate_icmp_af(pd, nk->af,
- pd->hdr.icmp))
+ &pd->hdr.icmp))
return (PF_DROP);
m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
- pd->hdr.icmp6, M_NOWAIT);
+ &pd->hdr.icmp6, M_NOWAIT);
if (pf_change_icmp_af(pd->m, ipoff2,
pd, &pd2, &nk->addr[sidx],
&nk->addr[didx], pd->af, nk->af))
return (PF_DROP);
pd->proto = IPPROTO_ICMP;
if (pf_translate_icmp_af(pd,
- nk->af, &iih))
+ nk->af, iih))
return (PF_DROP);
if (virtual_type ==
htons(ICMP6_ECHO_REQUEST))
- pf_patch_16(pd, &iih.icmp6_id,
+ pf_patch_16(pd, &iih->icmp6_id,
nk->port[iidx]);
m_copyback(pd2.m, pd2.off,
- sizeof(struct icmp6_hdr), &iih,
+ sizeof(struct icmp6_hdr), iih,
M_NOWAIT);
pd->m->m_pkthdr.ph_rtableid =
nk->rdomain;
@@ -5511,11 +5500,11 @@ pf_test_state_icmp(struct pf_pdesc *pd,
&nk->addr[pd2.sidx], pd2.af) ||
((virtual_type ==
htons(ICMP6_ECHO_REQUEST)) &&
- nk->port[pd2.sidx] != iih.icmp6_id))
+ nk->port[pd2.sidx] != iih->icmp6_id))
pf_translate_icmp(pd, pd2.src,
(virtual_type ==
htons(ICMP6_ECHO_REQUEST))
- ? &iih.icmp6_id : NULL,
+ ? &iih->icmp6_id : NULL,
pd->dst, &nk->addr[pd2.sidx],
(virtual_type ==
htons(ICMP6_ECHO_REQUEST))
@@ -5532,12 +5521,12 @@ pf_test_state_icmp(struct pf_pdesc *pd,
pd->src, &nk->addr[pd2.didx], 0);
m_copyback(pd->m, pd->off,
- sizeof(struct icmp6_hdr), pd->hdr.icmp6,
+ sizeof(struct icmp6_hdr), &pd->hdr.icmp6,
M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2_6), &h2_6,
M_NOWAIT);
m_copyback(pd2.m, pd2.off,
- sizeof(struct icmp6_hdr), &iih, M_NOWAIT);
+ sizeof(struct icmp6_hdr), iih, M_NOWAIT);
copyback = 1;
}
break;
@@ -5577,7 +5566,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
switch (pd2.af) {
case AF_INET:
m_copyback(pd->m, pd->off, ICMP_MINLEN,
- pd->hdr.icmp, M_NOWAIT);
+ &pd->hdr.icmp, M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2),
&h2, M_NOWAIT);
break;
@@ -5585,7 +5574,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
case AF_INET6:
m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
- pd->hdr.icmp6, M_NOWAIT);
+ &pd->hdr.icmp6, M_NOWAIT);
m_copyback(pd2.m, ipoff2, sizeof(h2_6),
&h2_6, M_NOWAIT);
break;
@@ -5598,7 +5587,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
}
}
if (copyback) {
- m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any, M_NOWAIT);
+ m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT);
}
return (PF_PASS);
@@ -6331,11 +6320,10 @@ pf_walk_header6(struct pf_pdesc *pd, str
#endif /* INET6 */
int
-pf_setup_pdesc(struct pf_pdesc *pd, void *pdhdrs, sa_family_t af, int dir,
+pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
struct pfi_kif *kif, struct mbuf *m, u_short *reason)
{
bzero(pd, sizeof(*pd));
- pd->hdr.any = pdhdrs;
pd->dir = dir;
pd->kif = kif; /* kif is NULL when called by pflog */
pd->m = m;
@@ -6434,7 +6422,7 @@ pf_setup_pdesc(struct pf_pdesc *pd, void
switch (pd->virtual_proto) {
case IPPROTO_TCP: {
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th),
NULL, reason, pd->af))
@@ -6452,7 +6440,7 @@ pf_setup_pdesc(struct pf_pdesc *pd, void
break;
}
case IPPROTO_UDP: {
- struct udphdr *uh = pd->hdr.udp;
+ struct udphdr *uh = &pd->hdr.udp;
if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh),
NULL, reason, pd->af))
@@ -6470,7 +6458,7 @@ pf_setup_pdesc(struct pf_pdesc *pd, void
break;
}
case IPPROTO_ICMP: {
- if (!pf_pull_hdr(pd->m, pd->off, pd->hdr.icmp, ICMP_MINLEN,
+ if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN,
NULL, reason, pd->af))
return (PF_DROP);
pd->hdrlen = ICMP_MINLEN;
@@ -6478,18 +6466,18 @@ pf_setup_pdesc(struct pf_pdesc *pd, void
REASON_SET(reason, PFRES_SHORT);
return (PF_DROP);
}
- pd->pcksum = &pd->hdr.icmp->icmp_cksum;
+ pd->pcksum = &pd->hdr.icmp.icmp_cksum;
break;
}
#ifdef INET6
case IPPROTO_ICMPV6: {
size_t icmp_hlen = sizeof(struct icmp6_hdr);
- if (!pf_pull_hdr(pd->m, pd->off, pd->hdr.icmp6, icmp_hlen,
+ if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
NULL, reason, pd->af))
return (PF_DROP);
/* ICMP headers we look further into to match state */
- switch (pd->hdr.icmp6->icmp6_type) {
+ switch (pd->hdr.icmp6.icmp6_type) {
case MLD_LISTENER_QUERY:
case MLD_LISTENER_REPORT:
icmp_hlen = sizeof(struct mld_hdr);
@@ -6500,7 +6488,7 @@ pf_setup_pdesc(struct pf_pdesc *pd, void
break;
}
if (icmp_hlen > sizeof(struct icmp6_hdr) &&
- !pf_pull_hdr(pd->m, pd->off, pd->hdr.icmp6, icmp_hlen,
+ !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
NULL, reason, pd->af))
return (PF_DROP);
pd->hdrlen = icmp_hlen;
@@ -6508,7 +6496,7 @@ pf_setup_pdesc(struct pf_pdesc *pd, void
REASON_SET(reason, PFRES_SHORT);
return (PF_DROP);
}
- pd->pcksum = &pd->hdr.icmp6->icmp6_cksum;
+ pd->pcksum = &pd->hdr.icmp6.icmp6_cksum;
break;
}
#endif /* INET6 */
@@ -6592,7 +6580,6 @@ pf_test(sa_family_t af, int fwdir, struc
struct pf_state *s = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
- union pf_headers pdhdrs;
int dir = (fwdir == PF_FWD) ? PF_OUT : fwdir;
u_int32_t qid, pqid = 0;
@@ -6630,7 +6617,7 @@ pf_test(sa_family_t af, int fwdir, struc
return (PF_PASS);
}
- action = pf_setup_pdesc(&pd, &pdhdrs, af, dir, kif, *m0, &reason);
+ action = pf_setup_pdesc(&pd, af, dir, kif, *m0, &reason);
if (action != PF_PASS) {
#if NPFLOG > 0
pd.pflog |= PF_LOG_FORCE;
@@ -6662,8 +6649,7 @@ pf_test(sa_family_t af, int fwdir, struc
/* if packet has been reassembled, update packet description */
if (pf_status.reass && pd.virtual_proto == PF_VPROTO_FRAGMENT) {
- action = pf_setup_pdesc(&pd, &pdhdrs, af, dir, kif, pd.m,
- &reason);
+ action = pf_setup_pdesc(&pd, af, dir, kif, pd.m, &reason);
if (action != PF_PASS) {
#if NPFLOG > 0
pd.pflog |= PF_LOG_FORCE;
@@ -6738,7 +6724,7 @@ pf_test(sa_family_t af, int fwdir, struc
default:
if (pd.virtual_proto == IPPROTO_TCP) {
- if ((pd.hdr.tcp->th_flags & TH_ACK) && pd.p_len == 0)
+ if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0)
pqid = 1;
action = pf_normalize_tcp(&pd);
if (action == PF_DROP)
Index: net/if_pflog.c
===================================================================
--- net.orig/if_pflog.c
+++ net/if_pflog.c
@@ -298,7 +298,6 @@ pflog_bpfcopy(const void *src_arg, void
u_int count;
u_char *dst, *mdst;
int afto, hlen, mlen, off;
- union pf_headers pdhdrs;
struct pf_pdesc pd;
struct pf_addr osaddr, odaddr;
@@ -404,7 +403,7 @@ pflog_bpfcopy(const void *src_arg, void
* Rewrite addresses if needed. Reason pointer must be NULL to avoid
* counting the packet here again.
*/
- if (pf_setup_pdesc(&pd, &pdhdrs, pfloghdr->af, pfloghdr->dir, NULL,
+ if (pf_setup_pdesc(&pd, pfloghdr->af, pfloghdr->dir, NULL,
mhdr, NULL) != PF_PASS)
goto copy;
pd.naf = pfloghdr->naf;
@@ -421,7 +420,7 @@ pflog_bpfcopy(const void *src_arg, void
pfloghdr->sport, &pfloghdr->daddr, pfloghdr->dport, 0,
pfloghdr->dir))) {
m_copyback(pd.m, pd.off, min(pd.m->m_len - pd.off, pd.hdrlen),
- pd.hdr.any, M_NOWAIT);
+ &pd.hdr, M_NOWAIT);
#ifdef INET6
if (afto) {
PF_ACPY(&pd.nsaddr, &pfloghdr->saddr, pd.naf);
Index: net/pfvar.h
===================================================================
--- net.orig/pfvar.h
+++ net/pfvar.h
@@ -1648,9 +1648,9 @@ void pf_rm_rule(struct
pf_rulequeue
struct pf_rule *);
void pf_purge_rule(struct pf_rule *);
struct pf_divert *pf_find_divert(struct mbuf *);
-int pf_setup_pdesc(struct pf_pdesc *, void *,
- sa_family_t, int, struct pfi_kif *,
- struct mbuf *, u_short *);
+int pf_setup_pdesc(struct pf_pdesc *, sa_family_t,
+ int, struct pfi_kif *, struct mbuf *,
+ u_short *);
int pf_test(sa_family_t, int, struct ifnet *, struct mbuf **);
Index: net/if_pfsync.c
===================================================================
--- net.orig/if_pfsync.c
+++ net/if_pfsync.c
@@ -1733,7 +1733,6 @@ pfsync_undefer(struct pfsync_deferral *p
{
struct pfsync_softc *sc = pfsyncif;
struct pf_pdesc pdesc;
- union pf_headers pdhdrs;
splsoftassert(IPL_SOFTNET);
@@ -1745,7 +1744,7 @@ pfsync_undefer(struct pfsync_deferral *p
m_freem(pd->pd_m);
else {
if (pd->pd_st->rule.ptr->rt == PF_ROUTETO) {
- if (pf_setup_pdesc(&pdesc, &pdhdrs,
+ if (pf_setup_pdesc(&pdesc,
pd->pd_st->key[PF_SK_WIRE]->af,
pd->pd_st->direction, pd->pd_st->rt_kif,
pd->pd_m, NULL) != PF_PASS) {
Index: net/pfvar_priv.h
===================================================================
--- net.orig/pfvar_priv.h
+++ net/pfvar_priv.h
@@ -37,17 +37,6 @@
#ifdef _KERNEL
-union pf_headers {
- struct tcphdr tcp;
- struct udphdr udp;
- struct icmp icmp;
-#ifdef INET6
- struct icmp6_hdr icmp6;
- struct mld_hdr mld;
- struct nd_neighbor_solicit nd_ns;
-#endif /* INET6 */
-};
-
struct pf_pdesc {
struct {
int done;
@@ -56,15 +45,6 @@ struct pf_pdesc {
pid_t pid;
} lookup;
u_int64_t tot_len; /* Make Mickey money */
- union {
- struct tcphdr *tcp;
- struct udphdr *udp;
- struct icmp *icmp;
-#ifdef INET6
- struct icmp6_hdr *icmp6;
-#endif /* INET6 */
- void *any;
- } hdr;
struct pf_addr nsaddr; /* src address after NAT */
struct pf_addr ndaddr; /* dst address after NAT */
@@ -102,6 +82,16 @@ struct pf_pdesc {
u_int8_t didx; /* key index for destination */
u_int8_t destchg; /* flag set when destination changed */
u_int8_t pflog; /* flags for packet logging */
+ union {
+ struct tcphdr tcp;
+ struct udphdr udp;
+ struct icmp icmp;
+#ifdef INET6
+ struct icmp6_hdr icmp6;
+ struct mld_hdr mld;
+ struct nd_neighbor_solicit nd_ns;
+#endif /* INET6 */
+ } hdr;
};
#endif /* _KERNEL */
Index: net/pf_norm.c
===================================================================
--- net.orig/pf_norm.c
+++ net/pf_norm.c
@@ -851,7 +851,7 @@ no_fragment:
int
pf_normalize_tcp(struct pf_pdesc *pd)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
u_short reason;
u_int8_t flags;
u_int rewrite = 0;
@@ -907,7 +907,7 @@ tcp_drop:
int
pf_normalize_tcp_init(struct pf_pdesc *pd, struct pf_state_peer *src)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
u_int32_t tsval, tsecr;
u_int8_t hdr[60];
u_int8_t *opt;
@@ -1002,7 +1002,7 @@ pf_normalize_tcp_stateful(struct pf_pdes
struct pf_state *state, struct pf_state_peer *src,
struct pf_state_peer *dst, int *writeback)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
struct timeval uptime;
u_int32_t tsval, tsecr;
u_int tsval_from_last;
@@ -1393,7 +1393,7 @@ pf_normalize_tcp_stateful(struct pf_pdes
int
pf_normalize_mss(struct pf_pdesc *pd, u_int16_t maxmss)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
u_int16_t mss;
int thoff;
int opt, cnt, optlen = 0;
Index: net/pf_osfp.c
===================================================================
--- net.orig/pf_osfp.c
+++ net/pf_osfp.c
@@ -86,7 +86,7 @@ void pf_osfp_insert(struct pf_osfp_l
struct pf_osfp_enlist *
pf_osfp_fingerprint(struct pf_pdesc *pd)
{
- struct tcphdr *th = pd->hdr.tcp;
+ struct tcphdr *th = &pd->hdr.tcp;
struct ip *ip = NULL;
struct ip6_hdr *ip6 = NULL;
char hdr[60];
