Author: cy
Date: Sun Oct 5 03:45:19 2014
New Revision: 272552
URL: https://svnweb.freebsd.org/changeset/base/272552
Log:
ipfilter bug #554 Determining why a ipf rule matches is hard -- replace
ipfilter rule compare with new ipf_rule_compare() function.
Obtained from: ipfilter CVS rep (r1.129)
Modified:
head/sys/contrib/ipfilter/netinet/fil.c
Modified: head/sys/contrib/ipfilter/netinet/fil.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/fil.c Sun Oct 5 03:41:47 2014
(r272551)
+++ head/sys/contrib/ipfilter/netinet/fil.c Sun Oct 5 03:45:19 2014
(r272552)
@@ -4436,6 +4436,39 @@ ipf_matchicmpqueryreply(v, ic, icmp, rev
/* ------------------------------------------------------------------------ */
+/* Function: ipf_rule_compare */
+/* Parameters: fr1(I) - first rule structure to compare */
+/* fr2(I) - second rule structure to compare */
+/* Returns: int - 0 == rules are the same, else mismatch */
+/* */
+/* Compare two rules and return 0 if they match or a number indicating */
+/* which of the individual checks failed. */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_rule_compare(frentry_t *fr1, frentry_t *fr2)
+{
+ if (fr1->fr_cksum != fr2->fr_cksum)
+ return 1;
+ if (fr1->fr_size != fr2->fr_size)
+ return 2;
+ if (fr1->fr_dsize != fr2->fr_dsize)
+ return 3;
+ if (bcmp((char *)&fr1->fr_func, (char *)&fr2->fr_func,
+ fr1->fr_size - offsetof(struct frentry, fr_func)) != 0)
+ return 4;
+ if (fr1->fr_data && !fr2->fr_data)
+ return 5;
+ if (!fr1->fr_data && fr2->fr_data)
+ return 6;
+ if (fr1->fr_data) {
+ if (bcmp(fr1->fr_caddr, fr2->fr_caddr, fr1->fr_dsize))
+ return 7;
+ }
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
/* Function: frrequest */
/* Returns: int - 0 == success, > 0 == errno value */
/* Parameters: unit(I) - device for which this is for */
@@ -4928,17 +4961,7 @@ frrequest(softc, unit, req, data, set, m
}
for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
- DT2(rule_cmp, frentry_t *, fp, frentry_t *, f);
- if ((fp->fr_cksum != f->fr_cksum) ||
- (fp->fr_size != f->fr_size) ||
- (f->fr_dsize != fp->fr_dsize))
- continue;
- if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func,
- fp->fr_size - offsetof(struct frentry, fr_func)) != 0)
- continue;
- if ((!ptr && !f->fr_data) ||
- (ptr && f->fr_data &&
- !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
+ if (ipf_rule_compare(fp, f) == 0)
break;
}
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
