diff options
author | cy <cy@FreeBSD.org> | 2014-10-05 03:45:19 +0000 |
---|---|---|
committer | cy <cy@FreeBSD.org> | 2014-10-05 03:45:19 +0000 |
commit | 58962ac6b1398dfbeaa196621f14debe72a1f4fb (patch) | |
tree | 9ead55977a124c570483d547d20917d364c1f3c6 /sys/contrib/ipfilter | |
parent | aa4fd5bae7d9ad42e26e3c04633b4fbc18ca84e1 (diff) | |
download | FreeBSD-src-58962ac6b1398dfbeaa196621f14debe72a1f4fb.zip FreeBSD-src-58962ac6b1398dfbeaa196621f14debe72a1f4fb.tar.gz |
ipfilter bug #554 Determining why a ipf rule matches is hard -- replace
ipfilter rule compare with new ipf_rule_compare() function.
Obtained from: ipfilter CVS rep (r1.129)
Diffstat (limited to 'sys/contrib/ipfilter')
-rw-r--r-- | sys/contrib/ipfilter/netinet/fil.c | 45 |
1 files changed, 34 insertions, 11 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index f600092..4d86e47 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -4436,6 +4436,39 @@ ipf_matchicmpqueryreply(v, ic, icmp, rev) /* ------------------------------------------------------------------------ */ +/* Function: ipf_rule_compare */ +/* Parameters: fr1(I) - first rule structure to compare */ +/* fr2(I) - second rule structure to compare */ +/* Returns: int - 0 == rules are the same, else mismatch */ +/* */ +/* Compare two rules and return 0 if they match or a number indicating */ +/* which of the individual checks failed. */ +/* ------------------------------------------------------------------------ */ +static int +ipf_rule_compare(frentry_t *fr1, frentry_t *fr2) +{ + if (fr1->fr_cksum != fr2->fr_cksum) + return 1; + if (fr1->fr_size != fr2->fr_size) + return 2; + if (fr1->fr_dsize != fr2->fr_dsize) + return 3; + if (bcmp((char *)&fr1->fr_func, (char *)&fr2->fr_func, + fr1->fr_size - offsetof(struct frentry, fr_func)) != 0) + return 4; + if (fr1->fr_data && !fr2->fr_data) + return 5; + if (!fr1->fr_data && fr2->fr_data) + return 6; + if (fr1->fr_data) { + if (bcmp(fr1->fr_caddr, fr2->fr_caddr, fr1->fr_dsize)) + return 7; + } + return 0; +} + + +/* ------------------------------------------------------------------------ */ /* Function: frrequest */ /* Returns: int - 0 == success, > 0 == errno value */ /* Parameters: unit(I) - device for which this is for */ @@ -4928,17 +4961,7 @@ frrequest(softc, unit, req, data, set, makecopy) } for (; (f = *ftail) != NULL; ftail = &f->fr_next) { - DT2(rule_cmp, frentry_t *, fp, frentry_t *, f); - if ((fp->fr_cksum != f->fr_cksum) || - (fp->fr_size != f->fr_size) || - (f->fr_dsize != fp->fr_dsize)) - continue; - if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, - fp->fr_size - offsetof(struct frentry, fr_func)) != 0) - continue; - if ((!ptr && !f->fr_data) || - (ptr && f->fr_data && - !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize))) + if (ipf_rule_compare(fp, f) == 0) break; } |