diff options
| author |   henning <henning@openbsd.org> | 2013-06-03 01:41:04 +0000 |
|---|---|---|
| committer | henning <henning@openbsd.org> | 2013-06-03 01:41:04 +0000 |
| commit | 32a028bff729103294a84ce3b45b7537e40c5190 (patch) | |
| tree | ed43b793ee504da3a1357fe5f23ed4f74d7f8241 | |
| parent | force the MAC output to be 64-bit aligned so umac won't see unaligned (diff) | |
| download | wireguard-openbsd-32a028bff729103294a84ce3b45b7537e40c5190.tar.xz wireguard-openbsd-32a028bff729103294a84ce3b45b7537e40c5190.zip | |
fix anchor quick with nested anchors. we lost the quick flag as soon as
we stepped into a child anchor.
simplify the logic, get rid of the match flag in the anchor stack, just
use the match variable we already had (and used in a boolean style) to track
the nest level we had a match at. when a child anchor had a match we also
have a match in the current anchor, so update the match level accordingly,
and thus correctly honour the quick flag.
reported by, along with the right idea on how to fix this, by Sean Gallagher
\sean at teletech.com.au/, who also helped testing the fix. ok ryan & benno
| -rw-r--r-- | sys/net/pf.c | 27 | ||||
| -rw-r--r-- | sys/net/pfvar.h | 3 |
2 files changed, 12 insertions, 18 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index ae1a0a1a352..bd3a56112f0 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.827 2013/06/02 23:06:36 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.828 2013/06/03 01:41:04 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -234,7 +234,7 @@ int pf_src_connlimit(struct pf_state **); int pf_check_congestion(struct ifqueue *); int pf_match_rcvif(struct mbuf *, struct pf_rule *); void pf_step_into_anchor(int *, struct pf_ruleset **, - struct pf_rule **, struct pf_rule **, int *); + struct pf_rule **, struct pf_rule **); int pf_step_out_of_anchor(int *, struct pf_ruleset **, struct pf_rule **, struct pf_rule **, int *); @@ -2865,12 +2865,10 @@ pf_tag_packet(struct mbuf *m, int tag, int rtableid) void pf_step_into_anchor(int *depth, struct pf_ruleset **rs, - struct pf_rule **r, struct pf_rule **a, int *match) + struct pf_rule **r, struct pf_rule **a) { struct pf_anchor_stackframe *f; - (*r)->anchor->match = 0; - *match = 0; if (*depth >= sizeof(pf_anchor_stack) / sizeof(pf_anchor_stack[0])) { log(LOG_ERR, "pf_step_into_anchor: stack overflow\n"); @@ -2883,8 +2881,7 @@ pf_step_into_anchor(int *depth, struct pf_ruleset **rs, f->r = *r; if ((*r)->anchor_wildcard) { f->parent = &(*r)->anchor->children; - if ((f->child = RB_MIN(pf_anchor_node, f->parent)) == - NULL) { + if ((f->child = RB_MIN(pf_anchor_node, f->parent)) == NULL) { *r = NULL; return; } @@ -2909,10 +2906,6 @@ pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, break; f = pf_anchor_stack + *depth - 1; if (f->parent != NULL && f->child != NULL) { - if (f->child->match || *match) { - f->r->anchor->match = 1; - *match = 0; - } f->child = RB_NEXT(pf_anchor_node, f->parent, f->child); if (f->child != NULL) { *rs = &f->child->ruleset; @@ -2927,8 +2920,11 @@ pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, if (*depth == 0 && a != NULL) *a = NULL; *rs = f->rs; - if (f->r->anchor->match || *match) - quick = f->r->quick; + if (*match > *depth) { + *match = *depth; + if (f->r->quick) + quick = 1; + } *r = TAILQ_NEXT(f->r, entries); } while (*r == NULL); @@ -3497,7 +3493,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, PFLOG_PACKET(pd, reason, r, a, ruleset); } } else { - match = 1; + match = asd; *rm = r; *am = a; *rsm = ruleset; @@ -3511,8 +3507,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, break; r = TAILQ_NEXT(r, entries); } else - pf_step_into_anchor(&asd, &ruleset, - &r, &a, &match); + pf_step_into_anchor(&asd, &ruleset, &r, &a); nextrule: if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 25be4b3b2c0..36c6e4f5917 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.380 2013/06/01 21:18:02 henning Exp $ */ +/* $OpenBSD: pfvar.h,v 1.381 2013/06/03 01:41:04 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1004,7 +1004,6 @@ struct pf_anchor { char path[MAXPATHLEN]; struct pf_ruleset ruleset; int refcnt; /* anchor rules */ - int match; }; RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); |