
D47063.id144655.diff

diff --git a/sys/net/slcompress.c b/sys/net/slcompress.c
--- a/sys/net/slcompress.c
+++ b/sys/net/slcompress.c
@@ -170,7 +170,7 @@
return (TYPE_IP);
th = (struct tcphdr *)&((int32_t *)ip)[hlen];
- if ((th->th_flags & (TH_SYN|TH_FIN|TH_RST|TH_ACK)) != TH_ACK)
+ if ((tcp_get_flags(th) & (TH_SYN|TH_FIN|TH_RST|TH_ACK)) != TH_ACK)
return (TYPE_IP);
/*
* Packet is compressible -- we're going to send either a
@@ -271,7 +271,7 @@
* ack, seq (the order minimizes the number of temporaries
* needed in this section of code).
*/
- if (th->th_flags & TH_URG) {
+ if (tcp_get_flags(th) & TH_URG) {
deltaS = ntohs(th->th_urp);
ENCODEZ(deltaS);
changes |= NEW_U;
@@ -351,7 +351,7 @@
ENCODEZ(deltaS);
changes |= NEW_I;
}
- if (th->th_flags & TH_PUSH)
+ if (tcp_get_flags(th) & TH_PUSH)
changes |= TCP_PUSH_BIT;
/*
* Grab the cksum before we overwrite it below. Then update our
@@ -516,9 +516,9 @@
th->th_sum = htons((*cp << 8) | cp[1]);
cp += 2;
if (changes & TCP_PUSH_BIT)
- th->th_flags |= TH_PUSH;
+ tcp_set_flags(th, tcp_get_flags(th) | TH_PUSH);
else
- th->th_flags &=~ TH_PUSH;
+ tcp_set_flags(th, tcp_get_flags(th) & ~TH_PUSH);
switch (changes & SPECIALS_MASK) {
case SPECIAL_I:
@@ -536,10 +536,10 @@
default:
if (changes & NEW_U) {
- th->th_flags |= TH_URG;
+ tcp_set_flags(th, tcp_get_flags(th) | TH_URG);
DECODEU(th->th_urp)
} else
- th->th_flags &=~ TH_URG;
+ tcp_set_flags(th, tcp_get_flags(th) & ~TH_URG);
if (changes & NEW_W)
DECODES(th->th_win)
if (changes & NEW_A)
diff --git a/sys/netinet/libalias/alias.c b/sys/netinet/libalias/alias.c
--- a/sys/netinet/libalias/alias.c
+++ b/sys/netinet/libalias/alias.c
@@ -183,12 +183,12 @@
*/
/* Local prototypes */
-static void TcpMonitorIn(u_char, struct alias_link *);
+static void TcpMonitorIn(u_int, struct alias_link *);
-static void TcpMonitorOut(u_char, struct alias_link *);
+static void TcpMonitorOut(u_int, struct alias_link *);
static void
-TcpMonitorIn(u_char th_flags, struct alias_link *lnk)
+TcpMonitorIn(u_int th_flags, struct alias_link *lnk)
{
switch (GetStateIn(lnk)) {
case ALIAS_TCP_STATE_NOT_CONNECTED:
@@ -205,7 +205,7 @@
}
static void
-TcpMonitorOut(u_char th_flags, struct alias_link *lnk)
+TcpMonitorOut(u_int th_flags, struct alias_link *lnk)
{
switch (GetStateOut(lnk)) {
case ALIAS_TCP_STATE_NOT_CONNECTED:
@@ -1053,7 +1053,7 @@
/* Monitor TCP connection state */
tc = (struct tcphdr *)ip_next(pip);
- TcpMonitorIn(tc->th_flags, lnk);
+ TcpMonitorIn(tcp_get_flags(tc), lnk);
return (PKT_ALIAS_OK);
}
@@ -1142,7 +1142,7 @@
/* Monitor TCP connection state */
tc = (struct tcphdr *)ip_next(pip);
- TcpMonitorOut(tc->th_flags, lnk);
+ TcpMonitorOut(tcp_get_flags(tc), lnk);
/* Walk out chain. */
find_handler(OUT, TCP, la, pip, &ad);
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1308,7 +1308,7 @@
tp->t_flags &= ~TF_RXWIN0SENT;
if (SEQ_GT(tp->snd_up, tp->snd_nxt)) {
th->th_urp = htons((u_short)(tp->snd_up - tp->snd_nxt));
- th->th_flags |= TH_URG;
+ flags |= TH_URG;
} else
/*
* If no urgent pointer to send, then we pull
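Review bot: `flags |= TH_URG;` only updates the local variable, so the URG bit reaches the wire only if `flags` is stored into the header after this point. That store is not visible in this hunk; if `tcp_set_flags(th, flags)` runs earlier in the function, segments would go out with a non-zero `th_urp` but without TH_URG. Either confirm the store follows this block, or keep the update on the header here with `tcp_set_flags(th, tcp_get_flags(th) | TH_URG);`, as the slcompress.c hunks do. The enclosing function starts and ends outside the hunk.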
diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -1330,8 +1330,8 @@
return (1);
}
- flags = tcp->th_flags;
- fin->fin_tcpf = tcp->th_flags;
+ flags = tcp_get_flags(tcp);
+ fin->fin_tcpf = tcp_get_flags(tcp);
/*
* If the urgent flag is set, then the urgent pointer must
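Review bot: The declarations of `flags` and `fin->fin_tcpf` are outside this hunk, and if either is still 8 bits wide the value from `tcp_get_flags(tcp)` is truncated on assignment, so the `TH_AE` bit (0x100 in the ip_compat.h part of this change) can never be seen by later checks. Worth confirming both are at least 16 bits, since `TCPF_ALL` and `TH_ECNALL` now include that bit. As a style point the header only needs to be read once: `flags = tcp_get_flags(tcp);` followed by `fin->fin_tcpf = flags;`. The same repeated read appears in the `tlen` computation in ip_fil_freebsd.c and the `is_send` and `send` computations in ip_state.c.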
diff --git a/sys/netpfil/ipfilter/netinet/ip_compat.h b/sys/netpfil/ipfilter/netinet/ip_compat.h
--- a/sys/netpfil/ipfilter/netinet/ip_compat.h
+++ b/sys/netpfil/ipfilter/netinet/ip_compat.h
@@ -696,7 +696,7 @@
#define IPMINLEN(i, h) ((i)->ip_len >= (IP_HL(i) * 4 + sizeof(struct h)))
#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|\
- TH_ECN|TH_CWR)
+ TH_ECN|TH_CWR|TH_AE)
#if !SOLARIS && !defined(m_act)
# define m_act m_nextpkt
@@ -1128,7 +1128,10 @@
#ifndef TH_CWR
# define TH_CWR 0x80
#endif
-#define TH_ECNALL (TH_ECN|TH_CWR)
+#ifndef TH_AE
+# define TH_AE 0x100
+#endif
+#define TH_ECNALL (TH_ECN|TH_CWR|TH_AE)
/*
* TCP States
diff --git a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
--- a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
+++ b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
@@ -341,15 +341,15 @@
ip_t *ip;
tcp = fin->fin_dp;
- if (tcp->th_flags & TH_RST)
+ if (tcp_get_flags(tcp) & TH_RST)
return (-1); /* feedback loop */
if (ipf_checkl4sum(fin) == -1)
return (-1);
tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
+ ((tcp_get_flags(tcp) & TH_SYN) ? 1 : 0) +
+ ((tcp_get_flags(tcp) & TH_FIN) ? 1 : 0);
#ifdef USE_INET6
hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
diff --git a/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c b/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c
--- a/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c
+++ b/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c
@@ -543,7 +543,7 @@
tcp2->th_win = htons(8192);
TCP_OFF_A(tcp2, 5);
- tcp2->th_flags = TH_SYN;
+ tcp_set_flags(tcp2, TH_SYN);
if (nat->nat_dir == NAT_INBOUND) {
fi.fin_out = 1;
@@ -873,7 +873,7 @@
fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
TCP_OFF_A(tcp2, 5);
- tcp2->th_flags = TH_SYN;
+ tcp_set_flags(tcp2, TH_SYN);
tcp2->th_win = htons(8192);
tcp2->th_dport = htons(port);
@@ -1240,9 +1240,9 @@
if (softf->ipf_p_ftp_debug & DEBUG_INFO)
printf("ipf_p_ftp_process: %d:%d,%d, mlen %d flags %x\n",
fin->fin_out, fin->fin_sport, fin->fin_dport,
- mlen, tcp->th_flags);
+ mlen, tcp_get_flags(tcp));
- if ((mlen == 0) && ((tcp->th_flags & TH_OPENING) == TH_OPENING)) {
+ if ((mlen == 0) && ((tcp_get_flags(tcp) & TH_OPENING) == TH_OPENING)) {
f->ftps_seq[0] = thseq + 1;
t->ftps_seq[0] = thack;
return (0);
@@ -1283,7 +1283,7 @@
}
if (softf->ipf_p_ftp_debug & DEBUG_INFO) {
printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n",
- rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff,
+ rv ? "IN" : "OUT", tcp_get_flags(tcp), thseq, seqoff,
thack, ackoff, mlen, fin->fin_plen, off);
printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
@@ -1357,7 +1357,7 @@
f->ftps_seq[0], f->ftps_seq[1]);
}
- if (tcp->th_flags & TH_FIN) {
+ if (tcp_get_flags(tcp) & TH_FIN) {
if (thseq == f->ftps_seq[1]) {
f->ftps_seq[0] = f->ftps_seq[1] - seqoff;
f->ftps_seq[1] = thseq + 1 - seqoff;
@@ -1530,7 +1530,7 @@
}
/* f->ftps_seq[1] += inc; */
- if (tcp->th_flags & TH_FIN)
+ if (tcp_get_flags(tcp) & TH_FIN)
f->ftps_seq[1]++;
if (softf->ipf_p_ftp_debug & DEBUG_PARSE_INFO) {
mlen = MSGDSIZE(m);
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -5715,7 +5715,7 @@
* Do a MSS CLAMPING on a SYN packet,
* only deal IPv4 for now.
*/
- if ((nat->nat_mssclamp != 0) && (tcp->th_flags & TH_SYN) != 0)
+ if ((nat->nat_mssclamp != 0) && (tcp_get_flags(tcp) & TH_SYN) != 0)
ipf_nat_mssclamp(tcp, nat->nat_mssclamp, fin, csump);
break;
diff --git a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
--- a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
+++ b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
@@ -515,7 +515,7 @@
rev = 0;
tcp = (tcphdr_t *)fin->fin_dp;
- if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
+ if ((tcp_get_flags(tcp) & TH_OPENING) == TH_OPENING) {
pptp = (pptp_pxy_t *)aps->aps_data;
pptp->pptp_side[1 - rev].pptps_next = ntohl(tcp->th_ack);
pptp->pptp_side[1 - rev].pptps_nexthdr = ntohl(tcp->th_ack);
diff --git a/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c b/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c
--- a/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c
+++ b/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c
@@ -263,7 +263,7 @@
bzero((char *)tcp2, sizeof(*tcp2));
tcp2->th_win = htons(8192);
TCP_OFF_A(tcp2, 5);
- tcp2->th_flags = TH_SYN;
+ tcp_set_flags(tcp2, TH_SYN);
fi.fin_dp = (char *)tcp2;
fi.fin_fr = &rcmdfr;
diff --git a/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c b/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c
--- a/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c
+++ b/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c
@@ -1127,7 +1127,7 @@
tcp.th_win = htons(8192);
TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
fi.fin_dlen = sizeof(tcphdr_t);
- tcp.th_flags = TH_SYN;
+ tcp_set_flags(&tcp, TH_SYN);
nflags = NAT_TCP;
} else {
fi.fin_dlen = sizeof(udphdr_t);
diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
--- a/sys/netpfil/ipfilter/netinet/ip_state.c
+++ b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -1520,7 +1520,7 @@
case IPPROTO_TCP :
tcp = fin->fin_dp;
- if (tcp->th_flags & TH_RST) {
+ if (tcp_get_flags(tcp) & TH_RST) {
SBUMPD(ipf_state_stats, iss_tcp_rstadd);
return (-4);
}
@@ -1553,15 +1553,15 @@
if ((fin->fin_flx & FI_IGNORE) == 0) {
is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
(TCP_OFF(tcp) << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
+ ((tcp_get_flags(tcp) & TH_SYN) ? 1 : 0) +
+ ((tcp_get_flags(tcp) & TH_FIN) ? 1 : 0);
is->is_maxsend = is->is_send;
/*
* Window scale option is only present in
* SYN/SYN-ACK packet.
*/
- if ((tcp->th_flags & ~(TH_FIN|TH_ACK|TH_ECNALL)) ==
+ if ((tcp_get_flags(tcp) & ~(TH_FIN|TH_ACK|TH_ECNALL)) ==
TH_SYN &&
(TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
if (ipf_tcpoptions(softs, fin, tcp,
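Review bot: The equality test `(tcp_get_flags(tcp) & ~(TH_FIN|TH_ACK|TH_ECNALL)) == TH_SYN` now sees whatever bits above 0x80 the helper returns, not just the old 8-bit field. The helper's definition is not in this diff; if it also returns the reserved header bits beyond TH_AE, a SYN carrying one of them would no longer compare equal to TH_SYN and the window-scale option parsing below would be skipped, so the state entry could track different window bounds than the endpoints use. Masking to the known flags first, e.g. `(tcp_get_flags(tcp) & TCPF_ALL & ~(TH_FIN|TH_ACK|TH_ECNALL)) == TH_SYN`, would keep the old behaviour for those bits. The same pattern is in the `flags = tcp_get_flags(tcp) & ~(TH_FIN|TH_ECNALL);` hunk at -2011, and the enclosing block continues outside this hunk.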
@@ -1576,7 +1576,7 @@
ipf_fixoutisn(fin, is);
}
- if ((tcp->th_flags & TH_OPENING) == TH_SYN)
+ if ((tcp_get_flags(tcp) & TH_OPENING) == TH_SYN)
flags |= IS_TCPFSM;
else {
is->is_maxdwin = is->is_maxswin * 2;
@@ -1968,7 +1968,7 @@
* If a SYN packet is received for a connection that is on the way out
* but hasn't yet departed then advance this session along the way.
*/
- if ((tcp->th_flags & TH_OPENING) == TH_SYN) {
+ if ((tcp_get_flags(tcp) & TH_OPENING) == TH_SYN) {
if ((is->is_state[0] > IPF_TCPS_ESTABLISHED) &&
(is->is_state[1] > IPF_TCPS_ESTABLISHED)) {
is->is_state[!source] = IPF_TCPS_CLOSED;
@@ -2011,7 +2011,7 @@
* Window scale option is only present in SYN/SYN-ACK packet.
* Compare with ~TH_FIN to mask out T/TCP setups.
*/
- flags = tcp->th_flags & ~(TH_FIN|TH_ECNALL);
+ flags = tcp_get_flags(tcp) & ~(TH_FIN|TH_ECNALL);
if (flags == (TH_SYN|TH_ACK)) {
is->is_s0[source] = ntohl(tcp->th_ack);
is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
@@ -2110,7 +2110,7 @@
/*
* Find difference between last checked packet and this packet.
*/
- tcpflags = tcp->th_flags;
+ tcpflags = tcp_get_flags(tcp);
seq = ntohl(tcp->th_seq);
ack = ntohl(tcp->th_ack);
if (tcpflags & TH_SYN)
@@ -2313,8 +2313,8 @@
clone->is_state[0] = 0;
clone->is_state[1] = 0;
send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
+ ((tcp_get_flags(tcp) & TH_SYN) ? 1 : 0) +
+ ((tcp_get_flags(tcp) & TH_FIN) ? 1 : 0);
if (fin->fin_rev == 1) {
clone->is_dend = send;
@@ -3954,7 +3954,7 @@
rval = 0;
dir = fin->fin_rev;
- tcpflags = tcp->th_flags;
+ tcpflags = tcp_get_flags(tcp);
dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
ostate = tqe->tqe_state[1 - dir];
nstate = tqe->tqe_state[dir];
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3437,7 +3437,7 @@
th->th_seq = htonl(seq);
th->th_ack = htonl(ack);
th->th_off = tlen >> 2;
- th->th_flags = tcp_flags;
+ tcp_set_flags(th, tcp_flags);
th->th_win = htons(win);
if (mss) {
@@ -3658,16 +3658,16 @@
if (pd->proto == IPPROTO_TCP &&
((r->rule_flag & PFRULE_RETURNRST) ||
(r->rule_flag & PFRULE_RETURN)) &&
- !(th->th_flags & TH_RST)) {
+ !(tcp_get_flags(th) & TH_RST)) {
u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off,
IPPROTO_TCP, pd->af))
REASON_SET(reason, PFRES_PROTCKSUM);
else {
- if (th->th_flags & TH_SYN)
+ if (tcp_get_flags(th) & TH_SYN)
ack++;
- if (th->th_flags & TH_FIN)
+ if (tcp_get_flags(th) & TH_FIN)
ack++;
pf_send_tcp(r, pd->af, pd->dst,
pd->src, th->th_dport, th->th_sport,
@@ -5128,7 +5128,7 @@
break;
case IPPROTO_TCP:
- PF_TEST_ATTRIB((r->flagset & th->th_flags) != r->flags,
+ PF_TEST_ATTRIB((r->flagset & tcp_get_flags(th)) != r->flags,
TAILQ_NEXT(r, entries));
/* FALLTHROUGH */
case IPPROTO_SCTP:
@@ -5389,7 +5389,7 @@
case IPPROTO_TCP:
s->src.seqlo = ntohl(th->th_seq);
s->src.seqhi = s->src.seqlo + pd->p_len + 1;
- if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
+ if ((tcp_get_flags(th) & (TH_SYN|TH_ACK)) == TH_SYN &&
r->keep_state == PF_STATE_MODULATE) {
/* Generate sequence number modulator */
if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
@@ -5400,7 +5400,7 @@
*rewrite = 1;
} else
s->src.seqdiff = 0;
- if (th->th_flags & TH_SYN) {
+ if (tcp_get_flags(th) & TH_SYN) {
s->src.seqhi++;
s->src.wscale = pf_get_wscale(pd);
}
@@ -5412,7 +5412,7 @@
s->src.max_win = (win - 1) >>
(s->src.wscale & PF_WSCALE_MASK);
}
- if (th->th_flags & TH_FIN)
+ if (tcp_get_flags(th) & TH_FIN)
s->src.seqhi++;
s->dst.seqhi = 1;
s->dst.max_win = 1;
@@ -5508,7 +5508,7 @@
if (tag > 0)
s->tag = tag;
- if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
+ if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) ==
TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
pf_set_protostate(s, PF_PEER_SRC, PF_TCPS_PROXY_SRC);
/* undo NAT changes, if they have taken place */
@@ -5612,7 +5612,7 @@
pdst = PF_PEER_SRC;
}
- if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
+ if (src->wscale && dst->wscale && !(tcp_get_flags(th) & TH_SYN)) {
sws = src->wscale & PF_WSCALE_MASK;
dws = dst->wscale & PF_WSCALE_MASK;
} else
@@ -5651,7 +5651,7 @@
}
end = seq + pd->p_len;
- if (th->th_flags & TH_SYN) {
+ if (tcp_get_flags(th) & TH_SYN) {
end++;
if (dst->wscale & PF_WSCALE_FLAG) {
src->wscale = pf_get_wscale(pd);
@@ -5673,7 +5673,7 @@
}
}
data_end = end;
- if (th->th_flags & TH_FIN)
+ if (tcp_get_flags(th) & TH_FIN)
end++;
src->seqlo = seq;
@@ -5701,18 +5701,18 @@
*copyback = 1;
}
end = seq + pd->p_len;
- if (th->th_flags & TH_SYN)
+ if (tcp_get_flags(th) & TH_SYN)
end++;
data_end = end;
- if (th->th_flags & TH_FIN)
+ if (tcp_get_flags(th) & TH_FIN)
end++;
}
- if ((th->th_flags & TH_ACK) == 0) {
+ if ((tcp_get_flags(th) & TH_ACK) == 0) {
/* Let it pass through the ack skew check */
ack = dst->seqlo;
} else if ((ack == 0 &&
- (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
+ (tcp_get_flags(th) & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
/* broken tcp stacks do not set ack */
(dst->state < TCPS_SYN_SENT)) {
/*
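Review bot: `tcp_get_flags(th)` is evaluated four times in this hunk and again in most of the neighbouring pf.c hunks. Each call recombines the flag value from the header, where the old code was a single byte load. Provided nothing between these tests rewrites the header flags (not visible here), reading once into a local near the top of the function, e.g. `const uint16_t tcpflags = tcp_get_flags(th);`, would make the state-tracking conditions easier to audit and guarantee every test sees the same value. The enclosing function starts and ends outside the hunk.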
@@ -5756,7 +5756,7 @@
/* Acking not more than one reassembled fragment backwards */
(ackskew <= (MAXACKWINDOW << sws)) &&
/* Acking not more than one window forward */
- ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
+ ((tcp_get_flags(th) & TH_RST) == 0 || orig_seq == src->seqlo ||
(orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) {
/* Require an exact/+1 sequence match on resets when possible */
@@ -5777,13 +5777,13 @@
dst->seqhi = ack + MAX((win << sws), 1);
/* update states */
- if (th->th_flags & TH_SYN)
+ if (tcp_get_flags(th) & TH_SYN)
if (src->state < TCPS_SYN_SENT)
pf_set_protostate(*state, psrc, TCPS_SYN_SENT);
- if (th->th_flags & TH_FIN)
+ if (tcp_get_flags(th) & TH_FIN)
if (src->state < TCPS_CLOSING)
pf_set_protostate(*state, psrc, TCPS_CLOSING);
- if (th->th_flags & TH_ACK) {
+ if (tcp_get_flags(th) & TH_ACK) {
if (dst->state == TCPS_SYN_SENT) {
pf_set_protostate(*state, pdst,
TCPS_ESTABLISHED);
@@ -5797,7 +5797,7 @@
pf_set_protostate(*state, pdst,
TCPS_FIN_WAIT_2);
}
- if (th->th_flags & TH_RST)
+ if (tcp_get_flags(th) & TH_RST)
pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT);
/* update expire time */
@@ -5851,7 +5851,7 @@
if (V_pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: loose state match: ");
pf_print_state(*state);
- pf_print_flags(th->th_flags);
+ pf_print_flags(tcp_get_flags(th));
printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
pd->p_len, ackskew, (unsigned long long)(*state)->packets[0],
@@ -5881,10 +5881,10 @@
* SYN and not an already established connection.
*/
- if (th->th_flags & TH_FIN)
+ if (tcp_get_flags(th) & TH_FIN)
if (src->state < TCPS_CLOSING)
pf_set_protostate(*state, psrc, TCPS_CLOSING);
- if (th->th_flags & TH_RST)
+ if (tcp_get_flags(th) & TH_RST)
pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT);
/* Fall through to PASS packet */
@@ -5893,7 +5893,7 @@
if ((*state)->dst.state == TCPS_SYN_SENT &&
(*state)->src.state == TCPS_SYN_SENT) {
/* Send RST for state mismatches during handshake */
- if (!(th->th_flags & TH_RST))
+ if (!(tcp_get_flags(th) & TH_RST))
pf_send_tcp((*state)->rule, pd->af,
pd->dst, pd->src, th->th_dport,
th->th_sport, ntohl(th->th_ack), 0,
@@ -5906,7 +5906,7 @@
} else if (V_pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: BAD state: ");
pf_print_state(*state);
- pf_print_flags(th->th_flags);
+ pf_print_flags(tcp_get_flags(th));
printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n",
seq, orig_seq, ack, pd->p_len, ackskew,
@@ -5949,13 +5949,13 @@
pdst = PF_PEER_SRC;
}
- if (th->th_flags & TH_SYN)
+ if (tcp_get_flags(th) & TH_SYN)
if (src->state < TCPS_SYN_SENT)
pf_set_protostate(*state, psrc, TCPS_SYN_SENT);
- if (th->th_flags & TH_FIN)
+ if (tcp_get_flags(th) & TH_FIN)
if (src->state < TCPS_CLOSING)
pf_set_protostate(*state, psrc, TCPS_CLOSING);
- if (th->th_flags & TH_ACK) {
+ if (tcp_get_flags(th) & TH_ACK) {
if (dst->state == TCPS_SYN_SENT) {
pf_set_protostate(*state, pdst, TCPS_ESTABLISHED);
if (src->state == TCPS_ESTABLISHED &&
@@ -5993,7 +5993,7 @@
pf_set_protostate(*state, pdst, TCPS_CLOSING);
}
}
- if (th->th_flags & TH_RST)
+ if (tcp_get_flags(th) & TH_RST)
pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT);
/* update expire time */
@@ -6027,7 +6027,7 @@
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
}
- if (th->th_flags & TH_SYN) {
+ if (tcp_get_flags(th) & TH_SYN) {
if (ntohl(th->th_seq) != (*state)->src.seqlo) {
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_DROP);
@@ -6039,7 +6039,7 @@
(*state)->act.rtableid);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
- } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
+ } else if ((tcp_get_flags(th) & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
REASON_SET(reason, PFRES_SYNPROXY);
@@ -6054,7 +6054,7 @@
}
if ((*state)->src.state == PF_TCPS_PROXY_DST) {
if (pd->dir == (*state)->direction) {
- if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
+ if (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) != TH_ACK) ||
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
REASON_SET(reason, PFRES_SYNPROXY);
@@ -6071,7 +6071,7 @@
(*state)->act.rtableid);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
- } else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
+ } else if (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) !=
(TH_SYN|TH_ACK)) ||
(ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
REASON_SET(reason, PFRES_SYNPROXY);
@@ -6149,13 +6149,13 @@
if (dst->state >= TCPS_FIN_WAIT_2 &&
src->state >= TCPS_FIN_WAIT_2 &&
- (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) ||
- ((th->th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_ACK &&
+ (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) == TH_SYN) ||
+ ((tcp_get_flags(th) & (TH_SYN|TH_ACK|TH_RST)) == TH_ACK &&
pf_syncookie_check(pd) && pd->dir == PF_IN))) {
if (V_pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: state reuse ");
pf_print_state(*state);
- pf_print_flags(th->th_flags);
+ pf_print_flags(tcp_get_flags(th));
printf("\n");
}
/* XXX make sure it's the same direction ?? */
@@ -9063,14 +9063,14 @@
case IPPROTO_TCP: {
/* Respond to SYN with a syncookie. */
- if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
+ if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
pd.dir == PF_IN && pf_synflood_check(&pd)) {
pf_syncookie_send(&pd);
action = PF_DROP;
break;
}
- if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0)
+ if ((tcp_get_flags(&pd.hdr.tcp) & TH_ACK) && pd.p_len == 0)
use_2nd_queue = 1;
action = pf_normalize_tcp(&pd);
if (action == PF_DROP)
@@ -9084,7 +9084,7 @@
} else if (s == NULL) {
/* Validate remote SYN|ACK, re-create original SYN if
* valid. */
- if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) ==
+ if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) ==
TH_ACK && pf_syncookie_validate(&pd) &&
pd.dir == PF_IN) {
struct mbuf *msyn;
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1446,7 +1446,7 @@
* All normalizations below are only begun if we see the start of
* the connections. They must all set an enabled bit in pfss_flags
*/
- if ((th->th_flags & TH_SYN) == 0)
+ if ((tcp_get_flags(th) & TH_SYN) == 0)
return (0);
if (th->th_off > (sizeof(struct tcphdr) >> 2) && src->scrub &&
@@ -1797,7 +1797,7 @@
dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0));
if (V_pf_status.debug >= PF_DEBUG_MISC) {
pf_print_state(state);
- pf_print_flags(th->th_flags);
+ pf_print_flags(tcp_get_flags(th));
printf("\n");
}
REASON_SET(reason, PFRES_TS);
@@ -1806,9 +1806,9 @@
/* XXX I'd really like to require tsecr but it's optional */
- } else if (!got_ts && (th->th_flags & TH_RST) == 0 &&
+ } else if (!got_ts && (tcp_get_flags(th) & TH_RST) == 0 &&
((src->state == TCPS_ESTABLISHED && dst->state == TCPS_ESTABLISHED)
- || pd->p_len > 0 || (th->th_flags & TH_SYN)) &&
+ || pd->p_len > 0 || (tcp_get_flags(th) & TH_SYN)) &&
src->scrub && dst->scrub &&
(src->scrub->pfss_flags & PFSS_PAWS) &&
(dst->scrub->pfss_flags & PFSS_PAWS)) {
@@ -1847,7 +1847,7 @@
DPFPRINTF(("Did not receive expected RFC1323 "
"timestamp\n"));
pf_print_state(state);
- pf_print_flags(th->th_flags);
+ pf_print_flags(tcp_get_flags(th));
printf("\n");
}
REASON_SET(reason, PFRES_TS);
@@ -1876,7 +1876,7 @@
"timestamp data packet. Disabled PAWS "
"security.\n"));
pf_print_state(state);
- pf_print_flags(th->th_flags);
+ pf_print_flags(tcp_get_flags(th));
printf("\n");
}
}
diff --git a/sys/netpfil/pf/pf_osfp.c b/sys/netpfil/pf/pf_osfp.c
--- a/sys/netpfil/pf/pf_osfp.c
+++ b/sys/netpfil/pf/pf_osfp.c
@@ -103,7 +103,7 @@
char srcname[INET_ADDRSTRLEN];
#endif
- if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN)
+ if ((tcp_get_flags(tcp) & (TH_SYN|TH_ACK)) != TH_SYN)
return (NULL);
if (ip) {
if ((ip->ip_off & htons(IP_OFFMASK)) != 0)
