D31115.diff
No OneTemporary
Actions

Size

7 KB

Referenced Files

None

Subscribers

None

D31115.diff
View Options

	diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
	--- a/sbin/pfctl/parse.y
	+++ b/sbin/pfctl/parse.y
	@@ -456,7 +456,7 @@

	%}

	-%token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS
	+%token PASS BLOCK MATCH SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS
	%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
	%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
	%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
	@@ -2677,6 +2677,7 @@
	$$.w = returnicmpdefault;
	$$.w2 = returnicmp6default;
	}
	+ \| MATCH { $$.b1 = PF_MATCH; $$.b2 = $$.w = 0; }
	\| BLOCK blockspec { $$ = $2; $$.b1 = PF_DROP; }
	;

	@@ -5612,6 +5613,7 @@
	{ "log", LOG},
	{ "loginterface", LOGINTERFACE},
	{ "map-e-portset", MAPEPORTSET},
	+ { "match", MATCH},
	{ "max", MAXIMUM},
	{ "max-mss", MAXMSS},
	{ "max-src-conn", MAXSRCCONN},
	diff --git a/sbin/pfctl/pf_ruleset.c b/sbin/pfctl/pf_ruleset.c
	--- a/sbin/pfctl/pf_ruleset.c
	+++ b/sbin/pfctl/pf_ruleset.c
	@@ -106,6 +106,7 @@
	break;
	case PF_PASS:
	case PF_DROP:
	+ case PF_MATCH:
	return (PF_RULESET_FILTER);
	break;
	case PF_NAT:
	diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
	--- a/sbin/pfctl/pfctl_parser.c
	+++ b/sbin/pfctl/pfctl_parser.c
	@@ -708,7 +708,9 @@

	if (verbose)
	printf("@%d ", r->nr);
	- if (r->action > PF_NORDR)
	+ if (r->action == PF_MATCH)
	+ printf("match");
	+ else if (r->action > PF_NORDR)
	printf("action(%d)", r->action);
	else if (anchor_call[0]) {
	if (anchor_call[0] == '_') {
	diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
	--- a/sys/net/pfvar.h
	+++ b/sys/net/pfvar.h
	@@ -332,6 +332,11 @@
	u_int8_t opts;
	};

	+struct pf_rule_actions {
	+ u_int32_t qid;
	+ u_int32_t pqid;
	+};
	+
	union pf_krule_ptr {
	struct pf_krule *ptr;
	u_int32_t nr;
	@@ -607,6 +612,8 @@
	u_int32_t creation;
	u_int32_t expire;
	u_int32_t pfsync_time;
	+ u_int32_t qid;
	+ u_int32_t pqid;
	u_int16_t tag;
	u_int8_t log;
	u_int8_t state_flags;
	@@ -1057,6 +1064,7 @@
	u_int16_t *sport;
	u_int16_t *dport;
	struct pf_mtag *pf_mtag;
	+ struct pf_rule_actions act;

	u_int32_t p_len; /* total length of payload */

	diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
	--- a/sys/netpfil/pf/pf.h
	+++ b/sys/netpfil/pf/pf.h
	@@ -49,7 +49,8 @@

	enum { PF_INOUT, PF_IN, PF_OUT };
	enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
	- PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
	+ PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER,
	+ PF_MATCH };
	enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
	PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
	enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
	diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
	--- a/sys/netpfil/pf/pf.c
	+++ b/sys/netpfil/pf/pf.c
	@@ -257,6 +257,8 @@
	static void pf_state_key_detach(struct pf_kstate *, int);
	static int pf_state_key_ctor(void , int, void , int);
	static u_int32_t pf_tcp_iss(struct pf_pdesc *);
	+void pf_rule_to_actions(struct pf_krule *,
	+ struct pf_rule_actions *);
	static int pf_test_rule(struct pf_krule , struct pf_kstate ,
	int, struct pfi_kkif , struct mbuf , int,
	struct pf_pdesc , struct pf_krule *,
	@@ -3112,6 +3114,15 @@
	}
	#endif /* INET6 */

	+void
	+pf_rule_to_actions(struct pf_krule r, struct pf_rule_actions a)
	+{
	+ if (r->qid)
	+ a->qid = r->qid;
	+ if (r->pqid)
	+ a->pqid = r->pqid;
	+}
	+
	int
	pf_socket_lookup(int direction, struct pf_pdesc pd, struct mbuf m)
	{
	@@ -3620,10 +3631,20 @@
	if (r->rtableid >= 0)
	rtableid = r->rtableid;
	if (r->anchor == NULL) {
	- match = 1;
	- *rm = r;
	- *am = a;
	- *rsm = ruleset;
	+ if (r->action == PF_MATCH) {
	+ counter_u64_add(r->packets[direction == PF_OUT], 1);
	+ counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len);
	+ pf_rule_to_actions(r, &pd->act);
	+ if (r->log)
	+ PFLOG_PACKET(kif, m, af,
	+ direction, PFRES_MATCH, r,
	+ a, ruleset, pd, 1);
	+ } else {
	+ match = 1;
	+ *rm = r;
	+ *am = a;
	+ *rsm = ruleset;
	+ }
	if ((*rm)->quick)
	break;
	r = TAILQ_NEXT(r, entries);
	@@ -3642,6 +3663,9 @@

	REASON_SET(&reason, PFRES_MATCH);

	+ /* apply actions for last matching pass/block rule */
	+ pf_rule_to_actions(r, &pd->act);
	+
	if (r->log \|\| (nr != NULL && nr->log)) {
	if (rewrite)
	m_copyback(m, off, hdrlen, pd->hdr.any);
	@@ -3760,6 +3784,8 @@
	s->state_flags \|= PFSTATE_SLOPPY;
	s->log = r->log & PF_LOG_ALL;
	s->sync_state = PFSYNC_S_NONE;
	+ s->qid = pd->act.qid;
	+ s->pqid = pd->act.pqid;
	if (nr != NULL)
	s->log \|= nr->log & PF_LOG_ALL;
	switch (pd->proto) {
	@@ -4019,10 +4045,20 @@
	r = TAILQ_NEXT(r, entries);
	else {
	if (r->anchor == NULL) {
	- match = 1;
	- *rm = r;
	- *am = a;
	- *rsm = ruleset;
	+ if (r->action == PF_MATCH) {
	+ counter_u64_add(r->packets[direction == PF_OUT], 1);
	+ counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len);
	+ pf_rule_to_actions(r, &pd->act);
	+ if (r->log)
	+ PFLOG_PACKET(kif, m, af,
	+ direction, PFRES_MATCH, r,
	+ a, ruleset, pd, 1);
	+ } else {
	+ match = 1;
	+ *rm = r;
	+ *am = a;
	+ *rsm = ruleset;
	+ }
	if ((*rm)->quick)
	break;
	r = TAILQ_NEXT(r, entries);
	@@ -4041,6 +4077,9 @@

	REASON_SET(&reason, PFRES_MATCH);

	+ /* apply actions for last matching pass/block rule */
	+ pf_rule_to_actions(r, &pd->act);
	+
	if (r->log)
	PFLOG_PACKET(kif, m, af, direction, reason, r, a, ruleset, pd,
	1);
	@@ -6152,7 +6191,14 @@
	}

	#ifdef ALTQ
	- if (action == PF_PASS && r->qid) {
	+ if (s && s->qid) {
	+ pd.act.pqid = s->pqid;
	+ pd.act.qid = s->qid;
	+ } else if (r->qid) {
	+ pd.act.pqid = r->pqid;
	+ pd.act.qid = r->qid;
	+ }
	+ if (action == PF_PASS && pd.act.qid) {
	if (pd.pf_mtag == NULL &&
	((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
	action = PF_DROP;
	@@ -6161,9 +6207,9 @@
	if (s != NULL)
	pd.pf_mtag->qid_hash = pf_state_hash(s);
	if (pqid \|\| (pd.tos & IPTOS_LOWDELAY))
	- pd.pf_mtag->qid = r->pqid;
	+ pd.pf_mtag->qid = pd.act.pqid;
	else
	- pd.pf_mtag->qid = r->qid;
	+ pd.pf_mtag->qid = pd.act.qid;
	/* Add hints for ecn. */
	pd.pf_mtag->hdr = h;
	}
	@@ -6592,7 +6638,14 @@
	}

	#ifdef ALTQ
	- if (action == PF_PASS && r->qid) {
	+ if (s && s->qid) {
	+ pd.act.pqid = s->pqid;
	+ pd.act.qid = s->qid;
	+ } else if (r->qid) {
	+ pd.act.pqid = r->pqid;
	+ pd.act.qid = r->qid;
	+ }
	+ if (action == PF_PASS && pd.act.qid) {
	if (pd.pf_mtag == NULL &&
	((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
	action = PF_DROP;
	@@ -6601,9 +6654,9 @@
	if (s != NULL)
	pd.pf_mtag->qid_hash = pf_state_hash(s);
	if (pd.tos & IPTOS_LOWDELAY)
	- pd.pf_mtag->qid = r->pqid;
	+ pd.pf_mtag->qid = pd.act.pqid;
	else
	- pd.pf_mtag->qid = r->qid;
	+ pd.pf_mtag->qid = pd.act.qid;
	/* Add hints for ecn. */
	pd.pf_mtag->hdr = h;
	}
	diff --git a/sys/netpfil/pf/pf_ruleset.c b/sys/netpfil/pf/pf_ruleset.c
	--- a/sys/netpfil/pf/pf_ruleset.c
	+++ b/sys/netpfil/pf/pf_ruleset.c
	@@ -95,6 +95,7 @@
	return (PF_RULESET_SCRUB);
	break;
	case PF_PASS:
	+ case PF_MATCH:
	case PF_DROP:
	return (PF_RULESET_FILTER);
	break;

File Metadata

Mime Type: text/plain
Expires: Mon, Feb 10, 11:46 PM (9 h, 3 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 16585410
Default Alt Text: D31115.diff (7 KB)

D31115.diffNo OneTemporaryActions

D31115.diffView Options

File Metadata

Event Timeline

D31115.diff
No OneTemporary
Actions

D31115.diff
View Options