If there is anyone out there who disables fragment reassembly (enabled
by default), you need to help testing this diff which folds
pf_test_fragment() into pf_test_rule().
If I don't hear from anyone we may one day decide that nobody actually
does this and remove the ability to disable reassembly completely...
Index: sys/net/if_pflog.c
===================================================================
RCS file: /cvs/src/sys/net/if_pflog.c,v
retrieving revision 1.35
diff -u -p -r1.35 if_pflog.c
--- sys/net/if_pflog.c 20 Jun 2011 19:03:41 -0000 1.35
+++ sys/net/if_pflog.c 6 Jul 2011 03:56:44 -0000
@@ -273,6 +273,7 @@ pflog_bpfcopy(const void *src_arg, void
{
const struct mbuf *m;
struct pfloghdr *pfloghdr;
+ struct pf_state *s = NULL;
u_int count;
u_char *dst;
u_short action, reason;
@@ -335,7 +336,7 @@ pflog_bpfcopy(const void *src_arg, void
memset(&pd, 0, sizeof(pd));
pd.hdr.any = &pf_hdrs;
if (pf_setup_pdesc(pfloghdr->af, pfloghdr->dir, &pd, &mfake, &action,
- &reason, NULL, NULL, NULL, NULL, &off, &hdrlen) == -1)
+ &reason, NULL, NULL, NULL, &s, NULL, &off, &hdrlen) == -1)
return;
PF_ACPY(&osaddr, pd.src, pd.af);
Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.759
diff -u -p -r1.759 pf.c
--- sys/net/pf.c 4 Jul 2011 18:12:51 -0000 1.759
+++ sys/net/pf.c 6 Jul 2011 04:35:06 -0000
@@ -186,10 +186,6 @@ static __inline int pf_create_state(str
struct pf_rule_actions *, struct pf_src_node *[]);
int pf_state_key_setup(struct pf_pdesc *, struct
pf_state_key **, struct pf_state_key **, int);
-int pf_test_fragment(struct pf_rule **, int,
- struct pfi_kif *, struct mbuf *,
- struct pf_pdesc *, struct pf_rule **,
- struct pf_ruleset **);
int pf_tcp_track_full(struct pf_state_peer *,
struct pf_state_peer *, struct pf_state **,
struct pfi_kif *, struct mbuf *, int,
@@ -1467,13 +1463,13 @@ pf_calc_skip_steps(struct pf_rulequeue *
if (cur->src.neg != prev->src.neg ||
pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
+ if (cur->dst.neg != prev->dst.neg ||
+ pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
+ PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
if (cur->src.port[0] != prev->src.port[0] ||
cur->src.port[1] != prev->src.port[1] ||
cur->src.port_op != prev->src.port_op)
PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
- if (cur->dst.neg != prev->dst.neg ||
- pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
- PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
if (cur->dst.port[0] != prev->dst.port[0] ||
cur->dst.port[1] != prev->dst.port[1] ||
cur->dst.port_op != prev->dst.port_op)
@@ -2719,6 +2715,14 @@ pf_rule_to_actions(struct pf_rule *r, st
PFSTATE_SETTOS|PFSTATE_SCRUB_TCP));
}
+#define PF_TEST_ATTRIB(t, a) \
+ do { \
+ if (t) { \
+ r = a; \
+ goto nextrule; \
+ } \
+ } while (0)
+
int
pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
struct pfi_kif *kif, struct mbuf *m, int off,
@@ -2763,6 +2767,9 @@ pf_test_rule(struct pf_rule **rm, struct
return (PF_DROP);
}
+ if (pd->frag)
+ goto fragment;
+
switch (pd->proto) {
case IPPROTO_TCP:
pd->nsport = th->th_sport;
@@ -2803,7 +2810,8 @@ pf_test_rule(struct pf_rule **rm, struct
break;
#endif /* INET6 */
default:
- pd->nsport = pd->ndport;
+ fragment:
+ pd->nsport = pd->ndport = 0;
break;
}
@@ -2813,116 +2821,134 @@ pf_test_rule(struct pf_rule **rm, struct
r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr);
while (r != NULL) {
r->evaluations++;
- if (pfi_kif_match(r->kif, kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP].ptr;
- else if (r->direction && r->direction != direction)
- r = r->skip[PF_SKIP_DIR].ptr;
- else if (r->onrdomain >= 0 &&
- (r->onrdomain == pd->rdomain) == r->ifnot)
- r = r->skip[PF_SKIP_RDOM].ptr;
- else if (r->af && r->af != af)
- r = r->skip[PF_SKIP_AF].ptr;
- else if (r->proto && r->proto != pd->proto)
- r = r->skip[PF_SKIP_PROTO].ptr;
- else if (PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, af,
- r->src.neg, kif, act.rtableid))
- r = r->skip[PF_SKIP_SRC_ADDR].ptr;
- /* tcp/udp only. port_op always 0 in other cases */
- else if (r->src.port_op && !pf_match_port(r->src.port_op,
- r->src.port[0], r->src.port[1], pd->nsport))
- r = r->skip[PF_SKIP_SRC_PORT].ptr;
- else if (PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, af,
- r->dst.neg, NULL, act.rtableid))
- r = r->skip[PF_SKIP_DST_ADDR].ptr;
- /* tcp/udp only. port_op always 0 in other cases */
- else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
- r->dst.port[0], r->dst.port[1], pd->ndport))
- r = r->skip[PF_SKIP_DST_PORT].ptr;
- /* icmp only. type always 0 in other cases */
- else if (r->type && r->type != icmptype + 1)
- r = TAILQ_NEXT(r, entries);
- /* icmp only. type always 0 in other cases */
- else if (r->code && r->code != icmpcode + 1)
- r = TAILQ_NEXT(r, entries);
- else if (r->tos && !(r->tos == pd->tos))
- r = TAILQ_NEXT(r, entries);
- else if (r->rule_flag & PFRULE_FRAGMENT)
- r = TAILQ_NEXT(r, entries);
- else if (pd->proto == IPPROTO_TCP &&
- (r->flagset & th->th_flags) != r->flags)
- r = TAILQ_NEXT(r, entries);
- /* tcp/udp only. uid.op always 0 in other cases */
- else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
- pf_socket_lookup(direction, pd), 1)) &&
- !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
- pd->lookup.uid))
- r = TAILQ_NEXT(r, entries);
- /* tcp/udp only. gid.op always 0 in other cases */
- else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
- pf_socket_lookup(direction, pd), 1)) &&
- !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
- pd->lookup.gid))
- r = TAILQ_NEXT(r, entries);
- else if (r->prob &&
- r->prob <= arc4random_uniform(UINT_MAX - 1) + 1)
- r = TAILQ_NEXT(r, entries);
- else if (r->match_tag && !pf_match_tag(m, r, &tag))
- r = TAILQ_NEXT(r, entries);
- else if (r->rcv_kif && !pf_match_rcvif(m, r))
- r = TAILQ_NEXT(r, entries);
- else if (r->os_fingerprint != PF_OSFP_ANY &&
- (pd->proto != IPPROTO_TCP || !pf_osfp_match(
- pf_osfp_fingerprint(pd, m, off, th),
- r->os_fingerprint)))
- r = TAILQ_NEXT(r, entries);
- else {
- if (r->tag)
- tag = r->tag;
- if (r->anchor == NULL) {
- lastr = r;
- if (r->action == PF_MATCH) {
- if ((ri = pool_get(&pf_rule_item_pl,
- PR_NOWAIT)) == NULL) {
- REASON_SET(&reason,
- PFRES_MEMORY);
- goto cleanup;
- }
- ri->r = r;
- /* order is irrelevant */
- SLIST_INSERT_HEAD(&rules, ri, entry);
- pf_rule_to_actions(r, &act);
- if (pf_get_transaddr(r, pd, sns) ==
- -1) {
- REASON_SET(&reason,
- PFRES_MEMORY);
- goto cleanup;
- }
- /*
- * We need to save this rule pointer,
- * otherwise the counter decrease
- * would not work for SLB.
- */
- nr = r;
- if (r->log || act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(kif, m, direction,
- reason, r, a, ruleset, pd);
- } else {
- match = 1;
- *rm = r;
- *am = a;
- *rsm = ruleset;
- if (act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(kif, m, direction,
- reason, r, a, ruleset, pd);
+ PF_TEST_ATTRIB((pfi_kif_match(r->kif, kif) == r->ifnot),
+ r->skip[PF_SKIP_IFP].ptr);
+ PF_TEST_ATTRIB((r->direction && r->direction != direction),
+ r->skip[PF_SKIP_DIR].ptr);
+ PF_TEST_ATTRIB((r->onrdomain >= 0 &&
+ (r->onrdomain == pd->rdomain) == r->ifnot),
+ r->skip[PF_SKIP_RDOM].ptr);
+ PF_TEST_ATTRIB((r->af && r->af != af),
+ r->skip[PF_SKIP_AF].ptr);
+ PF_TEST_ATTRIB((r->proto && r->proto != pd->proto),
+ r->skip[PF_SKIP_PROTO].ptr);
+ PF_TEST_ATTRIB((PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, af,
+ r->src.neg, kif, act.rtableid)),
+ r->skip[PF_SKIP_SRC_ADDR].ptr);
+ PF_TEST_ATTRIB((PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, af,
+ r->dst.neg, NULL, act.rtableid)),
+ r->skip[PF_SKIP_DST_ADDR].ptr);
+ if (pd->frag) {
+ /* tcp/udp only. port_op always 0 in other cases */
+ PF_TEST_ATTRIB((r->src.port_op || r->dst.port_op),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((pd->proto == IPPROTO_TCP && r->flagset),
+ TAILQ_NEXT(r, entries));
+ /* icmp only. type/code always 0 in other cases */
+ PF_TEST_ATTRIB((r->type || r->code),
+ TAILQ_NEXT(r, entries));
+ /* tcp/udp only. {uid|gid}.op always 0 in other cases */
+ PF_TEST_ATTRIB((r->gid.op || r->uid.op),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY),
+ TAILQ_NEXT(r, entries));
+ } else {
+ /* tcp/udp only. port_op always 0 in other cases */
+ PF_TEST_ATTRIB((r->src.port_op &&
+ !pf_match_port(r->src.port_op, r->src.port[0],
+ r->src.port[1], pd->nsport)),
+ r->skip[PF_SKIP_SRC_PORT].ptr);
+ PF_TEST_ATTRIB((r->dst.port_op &&
+ !pf_match_port(r->dst.port_op, r->dst.port[0],
+ r->dst.port[1], pd->ndport)),
+ r->skip[PF_SKIP_DST_PORT].ptr);
+ /* icmp only. type always 0 in other cases */
+ PF_TEST_ATTRIB((r->type && r->type != icmptype + 1),
+ TAILQ_NEXT(r, entries));
+ /* icmp only. type always 0 in other cases */
+ PF_TEST_ATTRIB((r->code && r->code != icmpcode + 1),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((pd->proto == IPPROTO_TCP &&
+ (r->flagset & th->th_flags) != r->flags),
+ TAILQ_NEXT(r, entries));
+ /* tcp/udp only. uid.op always 0 in other cases */
+ PF_TEST_ATTRIB((r->uid.op && (pd->lookup.done ||
+ (pd->lookup.done =
+ pf_socket_lookup(direction, pd), 1)) &&
+ !pf_match_uid(r->uid.op, r->uid.uid[0],
+ r->uid.uid[1], pd->lookup.uid)),
+ TAILQ_NEXT(r, entries));
+ /* tcp/udp only. gid.op always 0 in other cases */
+ PF_TEST_ATTRIB((r->gid.op && (pd->lookup.done ||
+ (pd->lookup.done =
+ pf_socket_lookup(direction, pd), 1)) &&
+ !pf_match_gid(r->gid.op, r->gid.gid[0],
+ r->gid.gid[1], pd->lookup.gid)),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY &&
+ (pd->proto != IPPROTO_TCP || !pf_osfp_match(
+ pf_osfp_fingerprint(pd, m, off, th),
+ r->os_fingerprint))),
+ TAILQ_NEXT(r, entries));
+ }
+ PF_TEST_ATTRIB((r->tos && !(r->tos == pd->tos)),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((r->prob &&
+ r->prob <= arc4random_uniform(UINT_MAX - 1) + 1),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((r->match_tag && !pf_match_tag(m, r, &tag)),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB((r->rcv_kif && !pf_match_rcvif(m, r)),
+ TAILQ_NEXT(r, entries));
+
+ /* FALLTHROUGH */
+ if (r->tag)
+ tag = r->tag;
+ if (r->anchor == NULL) {
+ lastr = r;
+ if (r->action == PF_MATCH) {
+ if ((ri = pool_get(&pf_rule_item_pl,
+ PR_NOWAIT)) == NULL) {
+ REASON_SET(&reason, PFRES_MEMORY);
+ goto cleanup;
}
+ ri->r = r;
+ /* order is irrelevant */
+ SLIST_INSERT_HEAD(&rules, ri, entry);
+ pf_rule_to_actions(r, &act);
+ if (pf_get_transaddr(r, pd, sns) == -1) {
+ REASON_SET(&reason, PFRES_MEMORY);
+ goto cleanup;
+ }
+ /*
+ * We need to save this rule pointer,
+ * otherwise the counter decrease
+ * would not work for SLB.
+ */
+ nr = r;
+ if (r->log || act.log & PF_LOG_MATCHES)
+ PFLOG_PACKET(kif, m, direction,
+ reason, r, a, ruleset, pd);
+ } else {
+ match = 1;
+ *rm = r;
+ *am = a;
+ *rsm = ruleset;
+ if (act.log & PF_LOG_MATCHES)
+ PFLOG_PACKET(kif, m, direction,
+ reason, r, a, ruleset, pd);
+ }
- if ((*rm)->quick)
- break;
- r = TAILQ_NEXT(r, entries);
- } else
- pf_step_into_anchor(&asd, &ruleset,
- &r, &a, &match);
- }
+ if ((*rm)->quick)
+ break;
+ r = TAILQ_NEXT(r, entries);
+ } else
+ pf_step_into_anchor(&asd, &ruleset,
+ &r, &a, &match);
+
+ nextrule:
if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
&r, &a, &match))
break;
@@ -2942,7 +2968,7 @@ pf_test_rule(struct pf_rule **rm, struct
if (r->log || act.log & PF_LOG_MATCHES)
PFLOG_PACKET(kif, m, direction, reason, r, a, ruleset, pd);
- if ((r->action == PF_DROP) &&
+ if (!pd->frag && (r->action == PF_DROP) &&
((r->rule_flag & PFRULE_RETURNRST) ||
(r->rule_flag & PFRULE_RETURNICMP) ||
(r->rule_flag & PFRULE_RETURN))) {
@@ -3005,7 +3031,7 @@ pf_test_rule(struct pf_rule **rm, struct
goto cleanup;
}
- if (!state_icmp && r->keep_state) {
+ if (!pd->frag && !state_icmp && r->keep_state) {
int action;
if (r->rule_flag & PFRULE_SRCTRACK &&
@@ -3385,92 +3411,6 @@ pf_translate(struct pf_pdesc *pd, struct
}
int
-pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
- struct mbuf *m, struct pf_pdesc *pd, struct pf_rule **am,
- struct pf_ruleset **rsm)
-{
- struct pf_rule *r, *a = NULL;
- struct pf_ruleset *ruleset = NULL;
- sa_family_t af = pd->af;
- u_short reason;
- int tag = -1;
- int asd = 0;
- int match = 0;
-
- r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr);
- while (r != NULL) {
- r->evaluations++;
- if (pfi_kif_match(r->kif, kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP].ptr;
- else if (r->direction && r->direction != direction)
- r = r->skip[PF_SKIP_DIR].ptr;
- else if (r->onrdomain >= 0 &&
- (r->onrdomain == pd->rdomain) == r->ifnot)
- r = r->skip[PF_SKIP_RDOM].ptr;
- else if (r->af && r->af != af)
- r = r->skip[PF_SKIP_AF].ptr;
- else if (r->proto && r->proto != pd->proto)
- r = r->skip[PF_SKIP_PROTO].ptr;
- else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
- r->src.neg, kif, pd->rdomain))
- r = r->skip[PF_SKIP_SRC_ADDR].ptr;
- else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
- r->dst.neg, NULL, pd->rdomain))
- r = r->skip[PF_SKIP_DST_ADDR].ptr;
- else if (r->tos && !(r->tos == pd->tos))
- r = TAILQ_NEXT(r, entries);
- else if (r->os_fingerprint != PF_OSFP_ANY)
- r = TAILQ_NEXT(r, entries);
- else if (pd->proto == IPPROTO_UDP &&
- (r->src.port_op || r->dst.port_op))
- r = TAILQ_NEXT(r, entries);
- else if (pd->proto == IPPROTO_TCP &&
- (r->src.port_op || r->dst.port_op || r->flagset))
- r = TAILQ_NEXT(r, entries);
- else if ((pd->proto == IPPROTO_ICMP ||
- pd->proto == IPPROTO_ICMPV6) &&
- (r->type || r->code))
- r = TAILQ_NEXT(r, entries);
- else if (r->prob && r->prob <=
- (arc4random() % (UINT_MAX - 1) + 1))
- r = TAILQ_NEXT(r, entries);
- else if (r->match_tag && !pf_match_tag(m, r, &tag))
- r = TAILQ_NEXT(r, entries);
- else {
- if (r->anchor == NULL) {
- match = 1;
- *rm = r;
- *am = a;
- *rsm = ruleset;
- if ((*rm)->quick)
- break;
- r = TAILQ_NEXT(r, entries);
- } else
- pf_step_into_anchor(&asd, &ruleset,
- &r, &a, &match);
- }
- if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
- &r, &a, &match))
- break;
- }
- r = *rm;
- a = *am;
- ruleset = *rsm;
-
- REASON_SET(&reason, PFRES_MATCH);
-
- if (r->log)
- PFLOG_PACKET(kif, m, direction, reason, r, a, ruleset, pd);
-
- if (r->action == PF_DROP)
- return (PF_DROP);
-
- pf_tag_packet(m, tag, -1);
-
- return (PF_PASS);
-}
-
-int
pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
struct pf_state **state, struct pfi_kif *kif, struct mbuf *m, int off,
struct pf_pdesc *pd, u_short *reason, int *copyback)
@@ -5477,7 +5417,8 @@ pf_get_divert(struct mbuf *m)
int
pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
u_short *action, u_short *reason, struct pfi_kif *kif, struct pf_rule **a,
- struct pf_rule **r, struct pf_ruleset **ruleset, int *off, int *hdrlen)
+ struct pf_rule **r, struct pf_state **s, struct pf_ruleset **ruleset,
+ int *off, int *hdrlen)
{
struct mbuf *m = *m0;
@@ -5545,11 +5486,12 @@ pf_setup_pdesc(sa_family_t af, int dir,
* handle fragments that aren't reassembled by
* normalization
*/
+ pd->frag = 1;
if (kif == NULL || r == NULL) /* pflog */
*action = PF_DROP;
else
- *action = pf_test_fragment(r, dir, kif,
- m, pd, a, ruleset);
+ *action = pf_test_rule(r, s, dir, kif,
+ m, *off, pd, a, ruleset, *hdrlen);
if (*action != PF_PASS)
REASON_SET(reason, PFRES_FRAG);
return (-1);
@@ -5609,11 +5551,12 @@ pf_setup_pdesc(sa_family_t af, int dir,
do {
switch (pd->proto) {
case IPPROTO_FRAGMENT:
+ pd->frag = 1;
if (kif == NULL || r == NULL) /* pflog */
*action = PF_DROP;
else
- *action = pf_test_fragment(r, dir, kif,
- m, pd, a, ruleset);
+ *action = pf_test_rule(r, s, dir, kif,
+ m, *off, pd, a, ruleset, *hdrlen);
if (*action != PF_PASS)
REASON_SET(reason, PFRES_FRAG);
return (-1);
@@ -5844,7 +5787,7 @@ pf_test(sa_family_t af, int fwdir, struc
return (PF_PASS);
}
- if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, &a, &r,
+ if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, &a, &r, &s,
&ruleset, &off, &hdrlen) == -1) {
if (action == PF_PASS)
return (PF_PASS);
Index: sys/net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.337
diff -u -p -r1.337 pfvar.h
--- sys/net/pfvar.h 4 Jul 2011 18:12:51 -0000 1.337
+++ sys/net/pfvar.h 5 Jul 2011 19:39:49 -0000
@@ -548,8 +548,8 @@ struct pf_rule {
#define PF_SKIP_AF 3
#define PF_SKIP_PROTO 4
#define PF_SKIP_SRC_ADDR 5
-#define PF_SKIP_SRC_PORT 6
-#define PF_SKIP_DST_ADDR 7
+#define PF_SKIP_DST_ADDR 6
+#define PF_SKIP_SRC_PORT 7
#define PF_SKIP_DST_PORT 8
#define PF_SKIP_COUNT 9
union pf_rule_ptr skip[PF_SKIP_COUNT];
@@ -1245,6 +1245,7 @@ struct pf_pdesc {
u_int8_t didx; /* key index for destination */
u_int8_t destchg; /* flag set when destination changed */
u_int8_t pflog; /* flags for packet logging */
+ u_int8_t frag; /* this packet is a fragment */
};
/* flags for RDR options */
@@ -1757,7 +1758,8 @@ int
pf_setup_pdesc(sa_family_t, int,
struct pf_pdesc *, struct mbuf **,
u_short *, u_short *, struct pfi_kif *,
struct pf_rule **, struct pf_rule **,
- struct pf_ruleset **, int *, int *);
+ struct pf_state **, struct pf_ruleset **,
+ int *, int *);
int pf_test(sa_family_t, int, struct ifnet *, struct mbuf **,
struct ether_header *);
Index: sbin/pfctl//parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.602
diff -u -p -r1.602 parse.y
--- sbin/pfctl//parse.y 4 Jul 2011 03:36:14 -0000 1.602
+++ sbin/pfctl//parse.y 5 Jul 2011 06:49:50 -0000
@@ -4672,10 +4672,10 @@ expand_rule(struct pf_rule *r, int keepr
LOOP_THROUGH(struct node_proto, proto, protos,
LOOP_THROUGH(struct node_icmp, icmp_type, icmp_types,
LOOP_THROUGH(struct node_host, src_host, src_hosts,
- LOOP_THROUGH(struct node_port, src_port, src_ports,
- LOOP_THROUGH(struct node_os, src_os, src_oses,
LOOP_THROUGH(struct node_host, dst_host, dst_hosts,
+ LOOP_THROUGH(struct node_port, src_port, src_ports,
LOOP_THROUGH(struct node_port, dst_port, dst_ports,
+ LOOP_THROUGH(struct node_os, src_os, src_oses,
LOOP_THROUGH(struct node_uid, uid, uids,
LOOP_THROUGH(struct node_gid, gid, gids,
Index: sbin/pfctl//pfctl_optimize.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_optimize.c,v
retrieving revision 1.27
diff -u -p -r1.27 pfctl_optimize.c
--- sbin/pfctl//pfctl_optimize.c 3 Jul 2011 23:37:55 -0000 1.27
+++ sbin/pfctl//pfctl_optimize.c 5 Jul 2011 06:49:50 -0000
@@ -249,8 +249,8 @@ const char *skip_comparitors_names[PF_SK
{ "af", PF_SKIP_AF, skip_cmp_af }, \
{ "proto", PF_SKIP_PROTO, skip_cmp_proto }, \
{ "saddr", PF_SKIP_SRC_ADDR, skip_cmp_src_addr }, \
- { "sport", PF_SKIP_SRC_PORT, skip_cmp_src_port }, \
{ "daddr", PF_SKIP_DST_ADDR, skip_cmp_dst_addr }, \
+ { "sport", PF_SKIP_SRC_PORT, skip_cmp_src_port }, \
{ "dport", PF_SKIP_DST_PORT, skip_cmp_dst_port } \
}
