Page MenuHomeFreeBSD

pf: Simplify rule actions logic
ClosedPublic

Authored by vegeta_tuxpowered.net on Jul 12 2023, 4:54 PM.
Tags
None
Referenced Files
F132144582: D41009.id.diff
Tue, Oct 14, 4:05 AM
Unknown Object (File)
Sep 13 2025, 9:33 PM
Unknown Object (File)
Sep 10 2025, 7:24 PM
Unknown Object (File)
Sep 10 2025, 9:29 AM
Unknown Object (File)
Sep 10 2025, 3:31 AM
Unknown Object (File)
Aug 27 2025, 5:21 AM
Unknown Object (File)
Aug 19 2025, 6:32 PM
Unknown Object (File)
Aug 18 2025, 5:16 PM

Details

Summary

Actions applied to a processed packet come in case of stateless firewalling from a rule or in case of statefull firewalling from a state. The state obtains the actions from a rule when it is created by a rule or by pfsync. The logic for deciding if actions come from a rule or a state is spread across many places in pf.

There already is struct pf_rule_actions in struct pf_pdesc and thus it can be used as a central place for storing actions and their parameters. OpenBSD does something similar: they also store the actions in struct pf_pdesc and have no variables in pf_test() but they use separate variables instead of a structure. By using struct pf_rule_actions we can simplify the code even further. Applying of actions is done *only* in pf_rule_to_actions() no matter if for the legacy scrub rules or for the normal match / pass rules. The logic of choosing if rule or state actions are used is applied only once in pf_test() by copying the whole struct.

Sponsored by: InnoGames GmbH

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

"5 files changed, 139 insertions(+), 265 deletions(-)" is pretty nice.

This revision is now accepted and ready to land.Jul 13 2023, 7:36 AM
This revision was automatically updated to reflect the committed changes.