From owner-svn-src-all@freebsd.org Sat Aug 11 16:34:30 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D68EB1072E39; Sat, 11 Aug 2018 16:34:30 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AF0408733D; Sat, 11 Aug 2018 16:34:30 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8F4DE19C58; Sat, 11 Aug 2018 16:34:30 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w7BGYUlI025222; Sat, 11 Aug 2018 16:34:30 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w7BGYUbO025221; Sat, 11 Aug 2018 16:34:30 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201808111634.w7BGYUbO025221@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Sat, 11 Aug 2018 16:34:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r337643 - head/sys/netpfil/pf X-SVN-Group: head X-SVN-Commit-Author: kp X-SVN-Commit-Paths: head/sys/netpfil/pf X-SVN-Commit-Revision: 337643 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Aug 2018 16:34:31 -0000 Author: kp Date: Sat Aug 11 16:34:30 2018 New Revision: 337643 URL: https://svnweb.freebsd.org/changeset/base/337643 Log: pf: Fix 'set skip on' for groups The pfi_skip_if() function sometimes caused skipping of groups to work, if the members of the group used the groupname as a name prefix. This is often the case, e.g. group lo usually contains lo0, lo1, ..., but not always. Rather than relying on the name explicitly check for group memberships. Obtained from: OpenBSD (pf_if.c,v 1.62, pf_if.c,v 1.63) Sponsored by: Essen Hackathon Modified: head/sys/netpfil/pf/pf_if.c Modified: head/sys/netpfil/pf/pf_if.c ============================================================================== --- head/sys/netpfil/pf/pf_if.c Sat Aug 11 16:30:06 2018 (r337642) +++ head/sys/netpfil/pf/pf_if.c Sat Aug 11 16:34:30 2018 (r337643) @@ -735,6 +735,7 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf, static int pfi_skip_if(const char *filter, struct pfi_kif *p) { + struct ifg_list *i; int n; if (filter == NULL || !*filter) @@ -745,10 +746,19 @@ pfi_skip_if(const char *filter, struct pfi_kif *p) if (n < 1 || n >= IFNAMSIZ) return (1); /* sanity check */ if (filter[n-1] >= '0' && filter[n-1] <= '9') - return (1); /* only do exact match in that case */ - if (strncmp(p->pfik_name, filter, n)) - return (1); /* prefix doesn't match */ - return (p->pfik_name[n] < '0' || p->pfik_name[n] > '9'); + return (1); /* group names may not end in a digit */ + if (p->pfik_ifp != NULL) { + IF_ADDR_RLOCK(p->pfik_ifp); + CK_STAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next) { + if (!strncmp(i->ifgl_group->ifg_group, filter, + IFNAMSIZ)) { + IF_ADDR_RUNLOCK(p->pfik_ifp); + return (0); /* iface is in group "filter" */ + } + } + IF_ADDR_RUNLOCK(p->pfik_ifp); + } + return (1); } int