Date: Thu, 13 Feb 2025 12:39:06 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 67c19da08f57 - main - pf: support negated matches on the rcvif Message-ID: <202502131239.51DCd6R6075621@gitrepo.freebsd.org>
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=67c19da08f5788da53cec2764618b9a0dd97460f
commit 67c19da08f5788da53cec2764618b9a0dd97460f
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-02-10 16:30:50 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-13 12:38:44 +0000
pf: support negated matches on the rcvif
ok dlg benno
Obtained from: OpenBSD, henning <henning@openbsd.org>, 08c03b768d
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/net/pfvar.h | 1 +
 sys/netpfil/pf/pf.c | 3 ++-
 sys/netpfil/pf/pf_ioctl.c | 1 +
 sys/netpfil/pf/pf_nl.c | 2 ++
 sys/netpfil/pf/pf_nl.h | 1 +
 5 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 88364aaa45ed..d973fe15a5c4 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -865,6 +865,7 @@ struct pf_krule {
 u_int8_t prio;
 u_int8_t set_prio[2];
 sa_family_t naf;
+ u_int8_t rcvifnot;
 struct {
 struct pf_addr addr;
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 1b0eb6d6dd80..378be1e72d9a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5778,7 +5778,8 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
 PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag,
 pd->pf_mtag ? pd->pf_mtag->tag : 0),
 TAILQ_NEXT(r, entries));
- PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r),
+ PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(pd->m, r) ==
+ r->rcvifnot),
 TAILQ_NEXT(r, entries));
 PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT &&
 pd->virtual_proto != PF_VPROTO_FRAGMENT),
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index b8e9a078baf2..bea2cf1a5331 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
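Review bot: The new `rcvifnot` field is added with no comment, so a reader of struct pf_krule cannot tell that it negates the `rcv_kif` test in pf_test_rule, nor that the comparison there only works when the field holds exactly 0 or 1. A trailing comment on the added line, `u_int8_t rcvifnot; /* negate the rcv_kif (received-on) match; 0 or 1 */`, would carry both facts to the declaration. struct pf_krule starts and ends outside this hunk.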
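Review bot: The added comparison `pf_match_rcvif(pd->m, r) == r->rcvifnot` only acts as a negation while both operands are strictly 0 or 1; if pf_match_rcvif ever returns another non-zero value, or rcvifnot reaches the rule as a byte other than 0/1 (the pf_nl.c parser entry copies it with nlattr_get_bool and nothing in this commit clamps it, unless nlattr_get_bool normalises, which I cannot see here), the test is never true and the receive-interface constraint is silently dropped, so the rule matches on any interface. Normalising the predicate side, `PF_TEST_ATTRIB((r->rcv_kif && !!pf_match_rcvif(pd->m, r) == r->rcvifnot),`, and clamping rcvifnot when the rule is installed would close that. It would also be worth a comment that a negated rule presumably now matches packets for which pf_match_rcvif reports no match because there is no receive interface at all (locally generated ones) — confirm against pf_match_rcvif, which is outside this hunk. pf_test_rule continues outside the hunk on both sides.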
@@ -1316,6 +1316,7 @@ pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
 PF_MD5_UPD(rule, af);
 PF_MD5_UPD(rule, quick);
 PF_MD5_UPD(rule, ifnot);
+ PF_MD5_UPD(rule, rcvifnot);
 PF_MD5_UPD(rule, match_tag_not);
 PF_MD5_UPD(rule, natpass);
 PF_MD5_UPD(rule, keep_state);
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index 97552880b9e3..4cdb16d1fbba 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -737,6 +737,7 @@ static const struct nlattr_parser nla_p_rule[] = {
 { .type = PF_RT_RPOOL_NAT, .off = _OUT(nat), .arg = &pool_parser, .cb = nlattr_get_nested },
 { .type = PF_RT_NAF, .off = _OUT(naf), .cb = nlattr_get_uint8 },
 { .type = PF_RT_RPOOL_RT, .off = _OUT(route), .arg = &pool_parser, .cb = nlattr_get_nested },
+ { .type = PF_RT_RCV_IFNOT, .off = _OUT(rcvifnot), .cb = nlattr_get_bool },
 };
 NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule);
 #undef _OUT
@@ -940,6 +941,7 @@ pf_handle_getrule(struct nlmsghdr *hdr, struct nl_pstate *npt)
 nlattr_add_rule_uid(nw, PF_RT_GID, (const struct pf_rule_uid *)&rule->gid);
 nlattr_add_string(nw, PF_RT_RCV_IFNAME, rule->rcv_ifname);
+ nlattr_add_bool(nw, PF_RT_RCV_IFNOT, rule->rcvifnot);
 nlattr_add_u32(nw, PF_RT_RULE_FLAG, rule->rule_flag);
 nlattr_add_u8(nw, PF_RT_ACTION, rule->action);
diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h
index a66ff5bc3f1e..4d9db08c8be2 100644
--- a/sys/netpfil/pf/pf_nl.h
+++ b/sys/netpfil/pf/pf_nl.h
@@ -270,6 +270,7 @@ enum pf_rule_type_t {
 PF_RT_RPOOL_NAT = 75, /* nested, pf_rpool_type_t */
 PF_RT_NAF = 76, /* u8 */
 PF_RT_RPOOL_RT = 77, /* nested, pf_rpool_type_t */
+ PF_RT_RCV_IFNOT = 78, /* bool */
 };
 enum pf_addrule_type_t {
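Review bot: Feeding `rcvifnot` into pf_hash_rule_rolling changes the rolling digest of every rule, including rulesets that never use the new negation, because PF_MD5_UPD adds the field's bytes to the MD5 input whatever their value. If that digest is the ruleset checksum that pfsync peers compare (I cannot confirm that from this hunk), a peer on a kernel without this change will disagree on it until both sides are upgraded, which deserves a sentence in the commit message or a comment beside the new line, e.g. `/* every field hashed here shifts the ruleset checksum for all rulesets */`. pf_hash_rule_rolling continues outside the hunk.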