author | 2013-06-05 00:56:35 +0000 | |
---|---|---|
committer | 2013-06-05 00:56:35 +0000 | |
commit | 644c98137c6caf7eb4f685a08d61ae5d434b0616 (patch) | |
tree | 7c39cede7cf8375e7b4b458e7b2ab7a84dd2c495 | |
parent | factor out pid allocation to functions. add a small cache of recently (diff) | |
after the pf_test_state folding, in pf_test in the proto switch, the
udp and the default case are 100% identical, tcp does a little more, but
that is easier to add w/ two "if tcp" blocks in the default case, so the
udp and tcp cases die. ok bluhm
-rw-r--r-- | sys/net/pf.c | 58 |
1 files changed, 17 insertions, 41 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 55b4ffd01ac..494f844aa14 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.833 2013/06/04 19:07:59 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.834 2013/06/05 00:56:35 henning Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -6643,46 +6643,6 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
 break;
 }
- case IPPROTO_TCP: {
- if ((pd.hdr.tcp->th_flags & TH_ACK) && pd.p_len == 0)
- pqid = 1;
- action = pf_normalize_tcp(&pd);
- if (action == PF_DROP)
- goto done;
- action = pf_test_state(&pd, &s, &reason);
- if (action == PF_PASS || action == PF_AFRT) {
-#if NPFSYNC > 0
- pfsync_update_state(s);
-#endif /* NPFSYNC */
- r = s->rule.ptr;
- a = s->anchor.ptr;
- pd.pflog |= s->log;
- } else if (s == NULL)
- action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
-
- if (s) {
- if (s->max_mss)
- pf_normalize_mss(&pd, s->max_mss);
- } else if (r->max_mss)
- pf_normalize_mss(&pd, r->max_mss);
-
- break;
- }
-
- case IPPROTO_UDP: {
- action = pf_test_state(&pd, &s, &reason);
- if (action == PF_PASS || action == PF_AFRT) {
-#if NPFSYNC > 0
- pfsync_update_state(s);
-#endif /* NPFSYNC */
- r = s->rule.ptr;
- a = s->anchor.ptr;
- pd.pflog |= s->log;
- } else if (s == NULL)
- action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
- break;
- }
-
 case IPPROTO_ICMP: {
 if (pd.af != AF_INET) {
 action = PF_DROP;
@@ -6728,6 +6688,13 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
 #endif /* INET6 */
 default:
+ if (pd.virtual_proto == IPPROTO_TCP) {
+ if ((pd.hdr.tcp->th_flags & TH_ACK) && pd.p_len == 0)
+ pqid = 1;
+ action = pf_normalize_tcp(&pd);
+ if (action == PF_DROP)
+ goto done;
+ }
 action = pf_test_state(&pd, &s, &reason);
 if (action == PF_PASS || action == PF_AFRT) {
 #if NPFSYNC > 0
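Review bot: The `default:` label now carries the TCP path, but nothing at the label says so; someone auditing the switch for `case IPPROTO_TCP` to confirm that `pf_normalize_tcp()` runs before the state lookup will no longer find one. I would add a comment at the label, for example `/* TCP, UDP and all remaining protocols; TCP is normalized first, then everything shares the state/rule lookup */`. The new guard tests `pd.virtual_proto` before dereferencing `pd.hdr.tcp`, and the switch expression is outside this hunk, so it is worth confirming the switch uses the same field; otherwise the guard would not select the same packets the removed case label did. pf_test's body starts and ends outside the hunk.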
@@ -6738,6 +6705,15 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
 pd.pflog |= s->log;
 } else if (s == NULL)
 action = pf_test_rule(&pd, &r, &s, &a, &ruleset);
+
+ if (pd.virtual_proto == IPPROTO_TCP) {
+ if (s) {
+ if (s->max_mss)
+ pf_normalize_mss(&pd, s->max_mss);
+ } else if (r->max_mss)
+ pf_normalize_mss(&pd, r->max_mss);
+ }
+
 break;
 } |
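Review bot: In the added MSS block, `else if (r->max_mss)` dereferences `r` on every TCP packet that ends up without a state, including the case where `pf_test_rule()` has just returned a drop. This is carried over unchanged from the removed TCP case, but whether `r` is always a valid rule at that point depends on its initialisation and on pf_test_rule, both outside the hunk. A short comment would record the assumption, for example `/* no state: use the matching rule's max-mss; r must point at a valid rule here */`. The block is also not conditioned on `action`, so it is worth confirming that rewriting the MSS option on a packet that is about to be dropped is intended rather than incidental.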