Date: Thu, 24 Jul 2008 08:16:38 GMT From: Gleb Kurtsou <gk@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 145769 for review Message-ID: <200807240816.m6O8Gc2J005541@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=145769 Change 145769 by gk@gk_h1 on 2008/07/24 08:16:05 add per rule flag PFRULE_ETHERSTATE: conditionally perform stateful ethernet filtering. usage: pass log on bridge0 from <test1> to <test1> keep state (ether) Affected files ... .. //depot/projects/soc2008/gk_l2filter/sbin-pfctl/parse.y#4 edit .. //depot/projects/soc2008/gk_l2filter/sbin-pfctl/pfctl_parser.c#5 edit .. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#7 edit .. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#6 edit Differences ... ==== //depot/projects/soc2008/gk_l2filter/sbin-pfctl/parse.y#4 (text+ko) ==== @@ -128,7 +128,7 @@ PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN, PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES, PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK, - PF_STATE_OPT_TIMEOUT }; + PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_ETHER }; enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE }; @@ -1906,6 +1906,10 @@ } r.timeout[o->data.timeout.number] = o->data.timeout.seconds; + break; + case PF_STATE_OPT_ETHER: + r.rule_flag |= PFRULE_ETHERSTATE; + break; } o = o->next; free(p); @@ -3207,6 +3211,14 @@ $$->next = NULL; $$->tail = $$; } + | ETHER { + $$ = calloc(1, sizeof(struct node_state_opt)); + if ($$ == NULL) + err(1, "state_opt_item: calloc"); + $$->type = PF_STATE_OPT_ETHER; + $$->next = NULL; + $$->tail = $$; + } | sourcetrack { $$ = calloc(1, sizeof(struct node_state_opt)); if ($$ == NULL) ==== //depot/projects/soc2008/gk_l2filter/sbin-pfctl/pfctl_parser.c#5 (text+ko) ==== @@ -877,6 +877,8 @@ for (i = 0; !opts && i < PFTM_MAX; ++i) if (r->timeout[i]) opts = 1; + if (r->rule_flag & PFRULE_ETHERSTATE) + opts = 1; if (opts) { printf(" ("); if (r->max_states) { 
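Review bot: The new `state_opt_item` alternative depends on an `ETHER` terminal, but no lexer keyword-table change is part of this diff; unless `ether` is already a keyword from an earlier change on this branch, `keep state (ether)` will not tokenize and the option is unreachable. The printer side in pfctl_parser.c emits the literal `ether`, so the keyword must spell exactly that for `pfctl -sr` output to round-trip through the parser. The `state_opt_item` production continues outside the hunk.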
@@ -955,6 +957,12 @@ "inv.timeout" : pf_timeouts[j].name, r->timeout[i]); } + if (r->rule_flag & PFRULE_ETHERSTATE) { + if (!opts) + printf(", "); + printf("ether"); + opts = 0; + } printf(")"); } if (r->rule_flag & PFRULE_FRAGMENT) ==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#7 (text+ko) ==== @@ -706,6 +706,9 @@ { struct pf_addr_ether *src, *dst; + if ((state->rule.ptr->rule_flag & PFRULE_ETHERSTATE) == 0) + return (1); + if (direction == PF_IN) { src = &state->ext.addr_ether; dst = &state->gwy.addr_ether; ==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#6 (text+ko) ==== @@ -705,6 +705,7 @@ #define PFRULE_NOSYNC 0x0010 #define PFRULE_SRCTRACK 0x0020 /* track source states */ #define PFRULE_RULESRCTRACK 0x0040 /* per rule */ +#define PFRULE_ETHERSTATE 0x0080 /* per rule */ /* scrub flags */ #define PFRULE_NODF 0x0100
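Review bot: The early return added at the top of this function makes the Ethernet-address comparison opt-in, so a state created by a `keep state` rule without `(ether)` no longer has its traffic checked against the source/destination MAC addresses the state recorded in `state->ext` / `state->gwy`; a rule author could reasonably assume stateful bridge filtering pins a flow to its L2 endpoints, so the trade-off should be stated at the check itself, e.g. `/* L2 address matching is per-rule opt-in (keep state (ether)); without it any MAC may carry this state's traffic. */`. The enclosing function begins before this hunk, so it cannot be confirmed here that `state->rule.ptr` is always non-NULL on every path that reaches this test; if states inserted by pfsync can arrive with an unresolved rule pointer, the dereference needs a guard. Returning 1 appears to mean "match", given the comparison that follows, but the function's return contract is outside the hunk.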
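Review bot: The comment on the new `PFRULE_ETHERSTATE` line repeats the `/* per rule */` text of `PFRULE_RULESRCTRACK` just above it and says nothing about what the flag enables; replace it with `#define PFRULE_ETHERSTATE 0x0080 /* match state's L2 addrs (keep state (ether)) */`. The value 0x0080 does not collide with the rule flags visible here (0x0010–0x0040) or with the scrub flags that start at 0x0100, but the flags defined between `PFRULE_NOSYNC` and the top of this hunk are outside SOURCE, so the bit should be checked against the complete list.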