diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2023-05-30 19:17:54 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2023-06-02 14:05:30 +0000 |
| commit | 9925aee0aaeccabd26f41625694a97b64185a59d (patch) | |
| tree | 58522b711e843b9b56d846a4d1bed387af49c37a /sys | |
| parent | caf98b9d13b68f2c41aba263fada63dbe1ed197e (diff) | |
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/net/pfvar.h | 6 | ||||
| -rw-r--r-- | sys/netpfil/pf/pf.c | 16 | ||||
| -rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 9 |
3 files changed, 20 insertions, 11 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 2f2cc1632edc..a658573cf6f1 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -2230,13 +2230,15 @@ void pf_free_rule(struct pf_krule *); int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *); #ifdef INET -int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *); +int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *, + struct pf_rule_actions *); int pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *, struct pf_pdesc *); #endif /* INET */ #ifdef INET6 -int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *); +int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *, + struct pf_rule_actions *); int pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *, struct pf_pdesc *); void pf_poolmask(struct pf_addr *, struct pf_addr*, diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 75c58609318c..78bd8b1dab12 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6546,7 +6546,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, goto bad; if (dir == PF_IN) { - if (pf_test(PF_OUT, 0, ifp, &m0, inp) != PF_PASS) + if (pf_test(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS) goto bad; else if (m0 == NULL) goto done; @@ -6762,7 +6762,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, goto bad; if (dir == PF_IN) { - if (pf_test6(PF_OUT, 0, ifp, &m0, inp) != PF_PASS) + if (pf_test6(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS) goto bad; else if (m0 == NULL) goto done; @@ -7120,7 +7120,8 @@ pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s, #ifdef INET int -pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) +pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, + struct inpcb *inp, struct pf_rule_actions *default_actions) { struct pfi_kkif *kif; u_short action, reason = 0, log = 0; @@ -7172,6 +7173,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * } memset(&pd, 0, sizeof(pd)); + if (default_actions != NULL) + memcpy(&pd.act, default_actions, sizeof(pd.act)); pd.pf_mtag = pf_find_mtag(m); if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { @@ -7312,7 +7315,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * break; } - action = pf_test(dir, pflags, ifp, &msyn, inp); + action = pf_test(dir, pflags, ifp, &msyn, inp, &pd.act); m_freem(msyn); if (action == PF_PASS) { @@ -7682,7 +7685,8 @@ done: #ifdef INET6 int -pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) +pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp, + struct pf_rule_actions *default_actions) { struct pfi_kkif *kif; u_short action, reason = 0, log = 0; @@ -7733,6 +7737,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb } memset(&pd, 0, sizeof(pd)); + if (default_actions != NULL) + memcpy(&pd.act, default_actions, sizeof(pd.act)); pd.pf_mtag = pf_find_mtag(m); if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index db88c7d2dc0e..cb6d22885ef4 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -6534,7 +6534,7 @@ pf_check_in(struct mbuf **m, struct ifnet *ifp, int flags, { int chk; - chk = pf_test(PF_IN, flags, ifp, m, inp); + chk = pf_test(PF_IN, flags, ifp, m, inp, NULL); return (pf_check_return(chk, m)); } @@ -6545,7 +6545,7 @@ pf_check_out(struct mbuf **m, struct ifnet *ifp, int flags, { int chk; - chk = pf_test(PF_OUT, flags, ifp, m, inp); + chk = pf_test(PF_OUT, flags, ifp, m, inp, NULL); return (pf_check_return(chk, m)); } @@ -6564,7 +6564,8 @@ pf_check6_in(struct mbuf **m, struct ifnet *ifp, int flags, * filtering we have change this to lo0 as it is the case in IPv4. */ CURVNET_SET(ifp->if_vnet); - chk = pf_test6(PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, inp); + chk = pf_test6(PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, + m, inp, NULL); CURVNET_RESTORE(); return (pf_check_return(chk, m)); @@ -6577,7 +6578,7 @@ pf_check6_out(struct mbuf **m, struct ifnet *ifp, int flags, int chk; CURVNET_SET(ifp->if_vnet); - chk = pf_test6(PF_OUT, flags, ifp, m, inp); + chk = pf_test6(PF_OUT, flags, ifp, m, inp, NULL); CURVNET_RESTORE(); return (pf_check_return(chk, m)); |