diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1390,6 +1390,11 @@ PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE, PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_NOCOUNT, PFR_FB_MAX }; +typedef enum { + PF_AF_INET = AF_INET, + PF_AF_INET6 = AF_INET6, +} pf_af_t; + struct pfr_addr { union { struct in_addr _pfra_ip4addr; @@ -1619,7 +1624,7 @@ * state code. Easier than tags */ #define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ #define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */ - sa_family_t af; + pf_af_t af; u_int8_t proto; u_int8_t tos; u_int8_t dir; /* direction */ @@ -2362,7 +2367,7 @@ int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *); int pf_scan_sctp(struct mbuf *, int, struct pf_pdesc *, struct pfi_kkif *); #if defined(INET) || defined(INET6) -int pf_test(sa_family_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *, +int pf_test(pf_af_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *, struct pf_rule_actions *); #endif #ifdef INET diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -584,15 +584,13 @@ } static bool -pf_is_loopback(sa_family_t af, struct pf_addr *addr) +pf_is_loopback(pf_af_t af, struct pf_addr *addr) { switch (af) { - case AF_INET: + case PF_AF_INET: return IN_LOOPBACK(ntohl(addr->v4.s_addr)); - case AF_INET6: + case PF_AF_INET6: return IN6_IS_ADDR_LOOPBACK(&addr->v6); - default: - panic("Unknown af %d", af); } } @@ -8889,7 +8887,7 @@ #if defined(INET) || defined(INET6) int -pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, +pf_test(pf_af_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp, struct pf_rule_actions *default_actions) { struct pfi_kkif *kif; 
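Review bot: The new `pf_af_t` typedef in the first pfvar.h hunk has no comment, and a reader can easily take it for a runtime guarantee: C does not range-check enum objects, so a `pf_af_t` can still hold any integer that was assigned to it. I would put `/* Address families pf handles; values equal AF_INET/AF_INET6. Not range-checked by the compiler: validate where af enters pf. */` above the typedef. The same applies to the `pf_af_t af;` member changed in the -1619 hunk, whose writers are not visible in this diff.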
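Review bot: After the `default:` arm is dropped, pf_is_loopback() has no `return` following the `switch`, so any `af` other than the two enumerators runs off the end of a `bool` function and the caller uses an indeterminate value (undefined behaviour in C). The later -9314 hunk shows this function's result in the condition in front of `m->m_flags |= M_SKIP_FIREWALL;`, so a wrong answer here should lean toward filtering. The callers visible in this diff pass only constants, so this is hardening rather than a demonstrated bug. Adding `return (false);` after the switch's closing brace keeps the switch free of a `default:` (presumably the reason for the enum) and gives a defined, fail-closed result.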
@@ -8909,6 +8907,7 @@ PF_RULES_RLOCK_TRACKER; KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); + KASSERT(af == PF_AF_INET || af == PF_AF_INET6, ("Unsupported af %d", af)); M_ASSERTPKTHDR(m); if (!V_pf_status.running) @@ -8945,7 +8944,7 @@ switch (af) { #ifdef INET - case AF_INET: + case PF_AF_INET: if (__predict_false(m->m_len < sizeof(struct ip)) && (m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { DPFPRINTF(PF_DEBUG_URGENT, @@ -8965,7 +8964,7 @@ break; #endif #ifdef INET6 - case AF_INET6: + case PF_AF_INET6: /* * If we end up changing IP addresses (e.g. binat) the stack may get * confused and fail to send the icmp6 packet too big error. Just send @@ -8997,8 +8996,6 @@ ttl = h6->ip6_hlim; break; #endif - default: - panic("Unknown af %d", af); } if (pf_setup_pdesc(af, dir, &pd, m, &action, &reason, kif, &a, &r, @@ -9064,7 +9061,7 @@ switch (af) { #ifdef INET - case AF_INET: + case PF_AF_INET: /* handle fragments that didn't get reassembled by normalization */ if (h->ip_off & htons(IP_MF | IP_OFFMASK)) { action = pf_test_fragment(&r, kif, m, &pd, &a, &ruleset); @@ -9073,7 +9070,7 @@ break; #endif #ifdef INET6 - case AF_INET6: + case PF_AF_INET6: /* * we do not support jumbogram. if we keep going, zero ip6_plen * will do something bad, so drop the packet for now. @@ -9085,8 +9082,6 @@ } break; #endif - default: - panic("Unknown af %d", af); } switch (pd.proto) { @@ -9294,7 +9289,7 @@ else pd.pf_mtag->qid = pd.act.qid; /* Add hints for ecn. */ - if (af == AF_INET) + if (af == PF_AF_INET) pd.pf_mtag->hdr = h; else pd.pf_mtag->hdr = h6; @@ -9314,7 +9309,7 @@ pf_is_loopback(af, pd.dst)) m->m_flags |= M_SKIP_FIREWALL; - if (af == AF_INET && __predict_false(ip_divert_ptr != NULL) && + if (af == PF_AF_INET && __predict_false(ip_divert_ptr != NULL) && action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) { mtag = m_tag_alloc(MTAG_PF_DIVERT, 0, sizeof(struct pf_divert_mtag), M_NOWAIT | M_ZERO); 
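Review bot: The added `KASSERT(af == PF_AF_INET || af == PF_AF_INET6, ...)` becomes the only check on `af` in pf_test(), because the hunks at -8997, -9085 and -9402 delete all three `default: panic("Unknown af %d", af);` arms, and KASSERT is compiled out of kernels built without INVARIANTS. On those kernels an unexpected value would skip every case of the header-parsing switch and still reach `pf_setup_pdesc()`; whether `h`, `h6` and `ttl` are initialised at their declarations is outside the hunk. If dropping the runtime check is intended, state the contract next to the assertion, e.g. `/* af is checked only under INVARIANTS; callers must pass PF_AF_INET or PF_AF_INET6. */`. The message would also match the assertion directly above if written as `("%s: unsupported af %d", __func__, af)`.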
@@ -9357,7 +9352,7 @@ } } /* XXX: Anybody working on it?! */ - if (af == AF_INET6 && r->divert.port) + if (af == PF_AF_INET6 && r->divert.port) printf("pf: divert(9) is not supported for IPv6\n"); /* this flag will need revising if the pkt is forwarded */ @@ -9402,19 +9397,17 @@ if (rt) { switch (af) { #ifdef INET - case AF_INET: + case PF_AF_INET: /* pf_route() returns unlocked. */ pf_route(m0, r, kif->pfik_ifp, s, &pd, inp); break; #endif #ifdef INET6 - case AF_INET6: + case PF_AF_INET6: /* pf_route6() returns unlocked. */ pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp); break; #endif - default: - panic("Unknown af %d", af); } goto out; } @@ -9439,7 +9432,7 @@ #ifdef INET6 /* If reassembled packet passed, create new fragments. */ - if (af == AF_INET6 && action == PF_PASS && *m0 && dir == PF_OUT && + if (af == PF_AF_INET6 && action == PF_PASS && *m0 && dir == PF_OUT && (mtag = m_tag_find(m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL) action = pf_refragment6(ifp, m0, mtag, pflags & PFIL_FWD); #endif diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -6471,7 +6471,7 @@ CURVNET_ASSERT_SET(); - chk = pf_test(AF_INET, PF_IN, flags, ifp, m, inp, NULL); + chk = pf_test(PF_AF_INET, PF_IN, flags, ifp, m, inp, NULL); return (pf_check_return(chk, m)); } @@ -6484,7 +6484,7 @@ CURVNET_ASSERT_SET(); - chk = pf_test(AF_INET, PF_OUT, flags, ifp, m, inp, NULL); + chk = pf_test(PF_AF_INET, PF_OUT, flags, ifp, m, inp, NULL); return (pf_check_return(chk, m)); } @@ -6504,7 +6504,7 @@ * order to support scoped addresses. In order to support stateful * filtering we have change this to lo0 as it is the case in IPv4. */ - chk = pf_test(AF_INET6, PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, + chk = pf_test(PF_AF_INET6, PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, inp, NULL); return (pf_check_return(chk, m)); 
@@ -6518,7 +6518,7 @@ CURVNET_ASSERT_SET(); - chk = pf_test(AF_INET6, PF_OUT, flags, ifp, m, inp, NULL); + chk = pf_test(PF_AF_INET6, PF_OUT, flags, ifp, m, inp, NULL); return (pf_check_return(chk, m)); }