diff options
| author |   bluhm <bluhm@openbsd.org> | 2014-09-08 18:10:01 +0000 |
|---|---|---|
| committer | bluhm <bluhm@openbsd.org> | 2014-09-08 18:10:01 +0000 |
| commit | 88e958dae4e6d918b5bea336d2024c89571bc178 (patch) | |
| tree | 3fb3371574126c1fb188c39b119617c0ac2ed01f | |
| parent | Put chpass(1) args between quotes. (diff) | |
| download | wireguard-openbsd-88e958dae4e6d918b5bea336d2024c89571bc178.tar.xz wireguard-openbsd-88e958dae4e6d918b5bea336d2024c89571bc178.zip | |
When logging a packet to a listener on the pflog0 interface, the
function pflog_bpfcopy() is setting up a packet description with
pf_setup_pdesc(). When pf_setup_pdesc() is droppig a bad packet,
it increments the the pf status counters. This way bad packets
could be accounted multiple times. Now pflog_bpfcopy() passes a
reason pointer NULL to indicate that no accounting should be done.
From Florian Riehm; OK henning@
| -rw-r--r-- | sys/net/if_pflog.c | 10 | ||||
| -rw-r--r-- | sys/net/pfvar.h | 9 |
2 files changed, 11 insertions, 8 deletions
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c index 8d10cc32fcd..193541f9983 100644 --- a/sys/net/if_pflog.c +++ b/sys/net/if_pflog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pflog.c,v 1.63 2014/09/08 06:24:13 jsg Exp $ */ +/* $OpenBSD: if_pflog.c,v 1.64 2014/09/08 18:10:01 bluhm Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -311,7 +311,6 @@ pflog_bpfcopy(const void *src_arg, void *dst_arg, size_t len) struct pfloghdr *pfloghdr; u_int count; u_char *dst, *mdst; - u_short reason; int afto, hlen, mlen, off; union pf_headers { struct tcphdr tcp; @@ -424,9 +423,12 @@ pflog_bpfcopy(const void *src_arg, void *dst_arg, size_t len) mhdr->m_pkthdr.len += m->m_pkthdr.len - hlen; } - /* rewrite addresses if needed */ + /* + * Rewrite addresses if needed. Reason pointer must be NULL to avoid + * counting the packet here again. + */ if (pf_setup_pdesc(&pd, &pdhdrs, pfloghdr->af, pfloghdr->dir, NULL, - mhdr, &reason) != PF_PASS) + mhdr, NULL) != PF_PASS) goto copy; pd.naf = pfloghdr->naf; diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 222c885a529..7f2fb488edb 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.402 2014/08/12 15:29:33 mikeb Exp $ */ +/* $OpenBSD: pfvar.h,v 1.403 2014/09/08 18:10:01 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1397,10 +1397,11 @@ struct pf_pdesc { #define REASON_SET(a, x) \ do { \ - if ((void *)(a) != NULL) \ + if ((void *)(a) != NULL) { \ *(a) = (x); \ - if (x < PFRES_MAX) \ - pf_status.counters[x]++; \ + if (x < PFRES_MAX) \ + pf_status.counters[x]++; \ + } \ } while (0) struct pf_status { |