From owner-p4-projects@FreeBSD.ORG Thu Jul 24 08:16:39 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id DE4CA1065678; Thu, 24 Jul 2008 08:16:38 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9F77E1065672 for ; Thu, 24 Jul 2008 08:16:38 +0000 (UTC) (envelope-from gk@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 6E26F8FC15 for ; Thu, 24 Jul 2008 08:16:38 +0000 (UTC) (envelope-from gk@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.2/8.14.2) with ESMTP id m6O8GcRP005543 for ; Thu, 24 Jul 2008 08:16:38 GMT (envelope-from gk@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.2/8.14.1/Submit) id m6O8Gc2J005541 for perforce@freebsd.org; Thu, 24 Jul 2008 08:16:38 GMT (envelope-from gk@FreeBSD.org) Date: Thu, 24 Jul 2008 08:16:38 GMT Message-Id: <200807240816.m6O8Gc2J005541@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gk@FreeBSD.org using -f 
From: Gleb Kurtsou To: Perforce Change Reviews Cc: Subject: PERFORCE change 145769 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jul 2008 08:16:39 -0000
http://perforce.freebsd.org/chv.cgi?CH=145769
Change 145769 by gk@gk_h1 on 2008/07/24 08:16:05
add per rule flag PFRULE_ETHERSTATE: conditionally perform stateful ethernet filtering. usage: pass log on bridge0 from to keep state (ether)
Affected files ...
.. //depot/projects/soc2008/gk_l2filter/sbin-pfctl/parse.y#4 edit
.. //depot/projects/soc2008/gk_l2filter/sbin-pfctl/pfctl_parser.c#5 edit
.. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#7 edit
.. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#6 edit
Differences ...
==== //depot/projects/soc2008/gk_l2filter/sbin-pfctl/parse.y#4 (text+ko) ====
@@ -128,7 +128,7 @@
 PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
 PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
 PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
- PF_STATE_OPT_TIMEOUT };
+ PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_ETHER };
 
 enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL,
 PF_SRCTRACK_RULE };
@@ -1906,6 +1906,10 @@
 }
 r.timeout[o->data.timeout.number] =
 o->data.timeout.seconds;
+ break;
+ case PF_STATE_OPT_ETHER:
+ r.rule_flag |= PFRULE_ETHERSTATE;
+ break;
 }
 o = o->next;
 free(p);
@@ -3207,6 +3211,14 @@
 $$->next = NULL;
 $$->tail = $$;
 }
+ | ETHER {
+ $$ = calloc(1, sizeof(struct node_state_opt));
+ if ($$ == NULL)
+ err(1, "state_opt_item: calloc");
+ $$->type = PF_STATE_OPT_ETHER;
+ $$->next = NULL;
+ $$->tail = $$;
+ }
 | sourcetrack {
 $$ = calloc(1, sizeof(struct node_state_opt));
 if ($$ == NULL)
==== //depot/projects/soc2008/gk_l2filter/sbin-pfctl/pfctl_parser.c#5 (text+ko) ====
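Review bot: The new `case PF_STATE_OPT_ETHER` arm accepts a repeated `ether` in one state-option list without complaint, because `r.rule_flag |= PFRULE_ETHERSTATE` is idempotent; if the neighbouring cases of this switch reject duplicate definitions with yyerror (as pf's parser does for options such as max), this one should do the same, e.g. `if (r.rule_flag & PFRULE_ETHERSTATE) { yyerror("state option 'ether' multiple definitions"); YYERROR; }` before the assignment. The enclosing switch and the loop over `o` begin outside the hunk, so I cannot confirm the convention the other cases use.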
@@ -877,6 +877,8 @@
 for (i = 0; !opts && i < PFTM_MAX; ++i)
 if (r->timeout[i])
 opts = 1;
+ if (r->rule_flag & PFRULE_ETHERSTATE)
+ opts = 1;
 if (opts) {
 printf(" (");
 if (r->max_states) {
@@ -955,6 +957,12 @@
 "inv.timeout" : pf_timeouts[j].name,
 r->timeout[i]);
 }
+ if (r->rule_flag & PFRULE_ETHERSTATE) {
+ if (!opts)
+ printf(", ");
+ printf("ether");
+ opts = 0;
+ }
 printf(")");
 }
 if (r->rule_flag & PFRULE_FRAGMENT)
==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#7 (text+ko) ====
@@ -706,6 +706,9 @@
 {
 struct pf_addr_ether *src, *dst;
 
+ if ((state->rule.ptr->rule_flag & PFRULE_ETHERSTATE) == 0)
+ return (1);
+
 if (direction == PF_IN) {
 src = &state->ext.addr_ether;
 dst = &state->gwy.addr_ether;
==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#6 (text+ko) ====
@@ -705,6 +705,7 @@
 #define PFRULE_NOSYNC 0x0010
 #define PFRULE_SRCTRACK 0x0020 /* track source states */
 #define PFRULE_RULESRCTRACK 0x0040 /* per rule */
+#define PFRULE_ETHERSTATE 0x0080 /* per rule */
 
 /* scrub flags */
 #define PFRULE_NODF 0x0100
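Review bot: The early `return (1)` in the pf.c hunk turns the ether-address comparison below it into an opt-in check, but nothing at the return site says what 1 means to the caller; presumably it is "addresses match", so a state created by a rule without PFRULE_ETHERSTATE is now matched regardless of the packet's source and destination MAC. That is the stated intent of the change, but it is a filtering decision and deserves a comment where it happens, e.g. `/* Rule did not request L2 state tracking: treat the ether addresses as matching. */`. The line also dereferences `state->rule.ptr` unconditionally; pf normally sets the rule pointer when the state is created, but if this function can be reached earlier than that the access needs a guard. The enclosing function's name, signature and return convention are outside the hunk.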
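Review bot: The comment on the new define in the pfvar.h hunk, `/* per rule */`, is copied from PFRULE_RULESRCTRACK and says nothing about what the flag does; describe the behaviour it enables instead, e.g. `#define PFRULE_ETHERSTATE 0x0080 /* match ether addrs against state */`. Note also that 0x0080 is the last bit below the scrub-flag range that starts at PFRULE_NODF 0x0100, so a further rule flag on this branch will have to be placed elsewhere; a short comment on that would save the next author a collision.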