From: sam
Date: Sun, 19 Sep 2004 17:58:48 +0800
To: freebsd-pf@freebsd.org
Subject: Latest PF patch failed with Beta 4 Current
Message-ID: <414D5858.2030709@authtec.net>

Hi,

PF patch failed with the following rej file:

*************** *** 544,557 **** #else #define BRIDGE_TEST (0) /* cc will optimise the test away */ #endif /* * For a bridge, we want to check the address irrespective * of the receive interface. (This will change slightly * when we have clusters of interfaces). 
*/ LIST_FOREACH(ia, INADDR_HASH(itaddr.s_addr), ia_hash) - if ((BRIDGE_TEST || (ia->ia_ifp == ifp)) && - itaddr.s_addr == ia->ia_addr.sin_addr.s_addr) goto match; LIST_FOREACH(ia, INADDR_HASH(isaddr.s_addr), ia_hash) if ((BRIDGE_TEST || (ia->ia_ifp == ifp)) && --- 550,572 ---- #else #define BRIDGE_TEST (0) /* cc will optimise the test away */ #endif + /* * For a bridge, we want to check the address irrespective * of the receive interface. (This will change slightly * when we have clusters of interfaces). + * If the interface does not match, but the recieving interface + * is part of carp, we call carp_iamatch to see if this is a + * request for the virtual host ip. + * XXX: This is really ugly! */ LIST_FOREACH(ia, INADDR_HASH(itaddr.s_addr), ia_hash) + if ((BRIDGE_TEST || (ia->ia_ifp == ifp) + #ifdef DEV_CARP + || (ifp->if_carp + && carp_iamatch(ifp->if_carp, ia, &isaddr, &enaddr)) + #endif + ) && itaddr.s_addr == ia->ia_addr.sin_addr.s_addr) goto match; LIST_FOREACH(ia, INADDR_HASH(isaddr.s_addr), ia_hash) if ((BRIDGE_TEST || (ia->ia_ifp == ifp)) && *************** *** 566,579 **** ia = ifatoia(ifa); goto match; } /* * If bridging, fall back to using any inet address. */ if (!BRIDGE_TEST || (ia = TAILQ_FIRST(&in_ifaddrhead)) == NULL) goto drop; match: myaddr = ia->ia_addr.sin_addr; - if (!bcmp(ar_sha(ah), IF_LLADDR(ifp), ifp->if_addrlen)) goto drop; /* it's from me, ignore it. */ if (!bcmp(ar_sha(ah), ifp->if_broadcastaddr, ifp->if_addrlen)) { log(LOG_ERR, --- 581,597 ---- ia = ifatoia(ifa); goto match; } + /* * If bridging, fall back to using any inet address. */ if (!BRIDGE_TEST || (ia = TAILQ_FIRST(&in_ifaddrhead)) == NULL) goto drop; match: + if (!enaddr) + enaddr = (u_int8_t *)IF_LLADDR(ifp); myaddr = ia->ia_addr.sin_addr; + if (!bcmp(ar_sha(ah), enaddr, ifp->if_addrlen)) goto drop; /* it's from me, ignore it. */ if (!bcmp(ar_sha(ah), ifp->if_broadcastaddr, ifp->if_addrlen)) { log(LOG_ERR, sam.
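Review bot: in the first rejected hunk (544,557), the "#ifdef DEV_CARP" block spliced into the middle of the if condition of the itaddr LIST_FOREACH is easy to mis-parenthesize, as the "XXX: This is really ugly!" comment concedes. The BRIDGE_TEST macro a few lines above shows the pattern already used here: a similar macro that expands to (0) when DEV_CARP is not defined would keep preprocessor lines out of the expression. Only the itaddr loop gains the carp check while the isaddr loop that follows keeps the plain "(BRIDGE_TEST || (ia->ia_ifp == ifp))" test, and carp_iamatch() is handed &isaddr although the loop is keyed on itaddr. If both are intentional, the comment should say so. Typo in the new comment: "recieving".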
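Review bot: in the second rejected hunk (566,579), the "it's from me, ignore it" check after the match: label now compares ar_sha(ah) only against enaddr, so whenever carp_iamatch() has filled in enaddr the comparison against IF_LLADDR(ifp) no longer happens and a frame carrying the interface's own hardware address as sender is not dropped at this point. If that is not intended, test both addresses. The "if (!enaddr)" fallback also depends on enaddr being NULL on every path that reaches match:, including the "ia = ifatoia(ifa); goto match;" path and the bridge fallback, and its declaration is not in either rejected hunk. Confirm it is initialized to NULL where it is declared, since bcmp() would otherwise read through an uninitialized pointer.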