diff options
| author |   mcbride <mcbride@openbsd.org> | 2002-11-02 17:04:13 +0000 |
|---|---|---|
| committer | mcbride <mcbride@openbsd.org> | 2002-11-02 17:04:13 +0000 |
| commit | b8ebdbad07425830d02fc7e43a53ffb29ed66080 (patch) | |
| tree | 87b7d1671aa1caf7180fa1f9e0245d25bf7d2e36 | |
| parent | Make PF_ANEQ(), PF_ANEQ() and PF_AZERO() check the whole address if af (diff) | |
| download | wireguard-openbsd-b8ebdbad07425830d02fc7e43a53ffb29ed66080.tar.xz wireguard-openbsd-b8ebdbad07425830d02fc7e43a53ffb29ed66080.zip | |
Compare dynamic addresses correctly in pf_compare_*: check the interface name
rather than the ip address if it exists.
ok dhartmei@ henning@
| -rw-r--r-- | sys/net/pf_ioctl.c | 56 |
1 files changed, 38 insertions, 18 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index acfe9650da1..7fc28dc83c0 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.13 2002/10/25 15:18:20 dhartmei Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.14 2002/11/02 17:04:13 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -70,6 +70,8 @@ void pfattach(int); int pfopen(dev_t, int, int, struct proc *); int pfclose(dev_t, int, int, struct proc *); +int pf_compare_addr_wrap(struct pf_addr_wrap *, + struct pf_addr_wrap *, sa_family_t af); int pf_compare_rules(struct pf_rule *, struct pf_rule *); int pf_compare_nats(struct pf_nat *, struct pf_nat *); @@ -147,6 +149,22 @@ pfclose(dev_t dev, int flags, int fmt, struct proc *p) } int +pf_compare_addr_wrap(struct pf_addr_wrap *a, struct pf_addr_wrap *b, + sa_family_t af) +{ + if (a->addr_dyn != NULL && b->addr_dyn != NULL) { + if (strcmp(a->addr_dyn->ifname, b->addr_dyn->ifname)) + return (1); + } else { + if (a->addr_dyn != NULL || b->addr_dyn != NULL) + return (1); + if (PF_ANEQ(&a->addr, &b->addr, af)) + return (1); + } + return (0); +} + +int pf_compare_rules(struct pf_rule *a, struct pf_rule *b) { if (a->return_icmp != b->return_icmp || @@ -168,15 +186,17 @@ pf_compare_rules(struct pf_rule *a, struct pf_rule *b) a->allow_opts != b->allow_opts || a->ifnot != b->ifnot) return (1); - if (PF_ANEQ(&a->src.addr.addr, &b->src.addr.addr, a->af) || - PF_ANEQ(&a->src.mask, &b->src.mask, a->af) || + if (pf_compare_addr_wrap(&a->src.addr, &b->src.addr, a->af)) + return (1); + if (PF_ANEQ(&a->src.mask, &b->src.mask, a->af) || a->src.port[0] != b->src.port[0] || a->src.port[1] != b->src.port[1] || a->src.not != b->src.not || a->src.port_op != b->src.port_op) return (1); - if (PF_ANEQ(&a->dst.addr.addr, &b->dst.addr.addr, a->af) || - PF_ANEQ(&a->dst.mask, &b->dst.mask, a->af) || + if (pf_compare_addr_wrap(&a->dst.addr, &b->dst.addr, a->af)) + return (1); + if (PF_ANEQ(&a->dst.mask, &b->dst.mask, a->af) || a->dst.port[0] != b->dst.port[0] || a->dst.port[1] != b->dst.port[1] || a->dst.not != b->dst.not || @@ -196,21 +216,23 @@ pf_compare_nats(struct pf_nat *a, struct pf_nat *b) a->ifnot != b->ifnot || a->no != b->no) return (1); - if (PF_ANEQ(&a->src.addr.addr, &b->src.addr.addr, a->af) || - PF_ANEQ(&a->src.mask, &b->src.mask, a->af) || + if (pf_compare_addr_wrap(&a->src.addr, &b->src.addr, a->af)) + return (1); + if (PF_ANEQ(&a->src.mask, &b->src.mask, a->af) || a->src.port[0] != b->src.port[0] || a->src.port[1] != b->src.port[1] || a->src.not != b->src.not || a->src.port_op != b->src.port_op) return (1); - if (PF_ANEQ(&a->dst.addr.addr, &b->dst.addr.addr, a->af) || - PF_ANEQ(&a->dst.mask, &b->dst.mask, a->af) || + if (pf_compare_addr_wrap(&a->dst.addr, &b->dst.addr, a->af)) + return (1); + if (PF_ANEQ(&a->dst.mask, &b->dst.mask, a->af) || a->dst.port[0] != b->dst.port[0] || a->dst.port[1] != b->dst.port[1] || a->dst.not != b->dst.not || a->dst.port_op != b->dst.port_op) return (1); - if (PF_ANEQ(&a->raddr.addr, &b->raddr.addr, a->af)) + if (pf_compare_addr_wrap(&a->raddr, &b->raddr, a->af)) return (1); if (strcmp(a->ifname, b->ifname)) return (1); @@ -225,17 +247,15 @@ pf_compare_binats(struct pf_binat *a, struct pf_binat *b) a->af != b->af || a->no != b->no) return (1); - if (PF_ANEQ(&a->saddr.addr, &b->saddr.addr, a->af)) + if (pf_compare_addr_wrap(&a->saddr, &b->saddr, a->af)) return (1); if (PF_ANEQ(&a->smask, &b->smask, a->af)) return (1); - if (PF_ANEQ(&a->daddr.addr, &b->daddr.addr, a->af)) + if (pf_compare_addr_wrap(&a->daddr, &b->daddr, a->af)) return (1); if (PF_ANEQ(&a->dmask, &b->dmask, a->af)) return (1); - if (PF_ANEQ(&a->raddr.addr, &b->raddr.addr, a->af)) - return (1); - if (PF_ANEQ(&a->rmask, &b->rmask, a->af)) + if (pf_compare_addr_wrap(&a->raddr, &b->raddr, a->af)) return (1); if (strcmp(a->ifname, b->ifname)) return (1); @@ -256,15 +276,15 @@ pf_compare_rdrs(struct pf_rdr *a, struct pf_rdr *b) a->opts != b->opts || a->no != b->no) return (1); - if (PF_ANEQ(&a->saddr.addr, &b->saddr.addr, a->af)) + if (pf_compare_addr_wrap(&a->saddr, &b->saddr, a->af)) return (1); if (PF_ANEQ(&a->smask, &b->smask, a->af)) return (1); - if (PF_ANEQ(&a->daddr.addr, &b->daddr.addr, a->af)) + if (pf_compare_addr_wrap(&a->daddr, &b->daddr, a->af)) return (1); if (PF_ANEQ(&a->dmask, &b->dmask, a->af)) return (1); - if (PF_ANEQ(&a->raddr.addr, &b->raddr.addr, a->af)) + if (pf_compare_addr_wrap(&a->raddr, &b->raddr, a->af)) return (1); if (strcmp(a->ifname, b->ifname)) return (1); |