Date: Fri, 14 Oct 2016 10:25:47 +0200 From: "Kristof Provost" <kp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Cc: franco@opnsense.org Subject: Re: svn commit: r307235 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf Message-ID: <676A40F0-F529-4DFB-8F56-2607D000A47F@FreeBSD.org> In-Reply-To: <201610132034.u9DKYi07016276@repo.freebsd.org> References: <201610132034.u9DKYi07016276@repo.freebsd.org>
This work was done by franco_opnsense.org I forgot to credit him in the commit message. Sorry Franco. Regards, Kristof On 13 Oct 2016, at 22:34, Kristof Provost wrote:
> Author: kp
> Date: Thu Oct 13 20:34:44 2016
> New Revision: 307235
> URL: https://svnweb.freebsd.org/changeset/base/307235
>
> Log:
> pf: port extended DSCP support from OpenBSD
>
> Ignore the ECN bits on 'tos' and 'set-tos' and allow to use
> DCSP names instead of having to embed their TOS equivalents
> as plain numbers.
>
> Obtained from: OpenBSD
> Sponsored by: OPNsense
> Differential Revision: https://reviews.freebsd.org/D8165
>
> Modified:
> head/sbin/pfctl/parse.y
> head/share/man/man5/pf.conf.5
> head/sys/netpfil/pf/pf.c
> head/sys/netpfil/pf/pf_norm.c
>
> Modified: head/sbin/pfctl/parse.y
> ==============================================================================
> --- head/sbin/pfctl/parse.y Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/sbin/pfctl/parse.y Thu Oct 13 20:34:44 2016 (r307235)
> @@ -351,6 +351,8 @@ void decide_address_family(struct node_
> void remove_invalid_hosts(struct node_host **, sa_family_t *);
> int invalid_redirect(struct node_host *, sa_family_t);
> u_int16_t parseicmpspec(char *, sa_family_t);
> +int kw_casecmp(const void *, const void *);
> +int map_tos(char *string, int *);
>
> static TAILQ_HEAD(loadanchorshead, loadanchors)
> loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
> @@ -3584,15 +3586,17 @@ icmp6type : STRING {
> ;
>
> tos : STRING {
> - if (!strcmp($1, "lowdelay"))
> - $$ = IPTOS_LOWDELAY;
> - else if (!strcmp($1, "throughput"))
> - $$ = IPTOS_THROUGHPUT;
> - else if (!strcmp($1, "reliability"))
> - $$ = IPTOS_RELIABILITY;
> - else if ($1[0] == '0' && $1[1] == 'x')
> - $$ = strtoul($1, NULL, 16);
> - else
> + int val;
> + char *end;
> +
> + if (map_tos($1, &val))
> + $$ = val;
> + else if ($1[0] == '0' && $1[1] == 'x') {
> + errno = 0;
> + $$ = strtoul($1, &end, 16);
> + if (errno || *end != '\0')
> + $$ = 256;
> + } else
> $$ = 256; /* flag bad argument */
> if ($$ < 0 || $$ > 255) {
> yyerror("illegal tos value %s", $1);
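Review bot: A tos value whose ECN bits are set is accepted here but can never match, because pf_test (the pf.c hunk) now compares against `h->ip_tos & ~IPTOS_ECN_MASK`, and for set-tos the pf_norm.c hunk ORs the rule value with the packet's ECN bits, so stray low bits in a rule would silently become ECN markings on the wire. After the range check, reject or at least flag such values, e.g. `if ($$ & IPTOS_ECN_MASK) yyerror("tos value %s must not set the ECN bits", $1);` — a warning would be gentler on existing rule sets if pfctl has one to hand. As a point of style, the `256` bad-argument sentinel is now written in three places; initialising `$$ = 256;` before the chain and overwriting it only on success keeps the "flag bad argument" comment in one place. The rest of the rule action lies outside the hunk.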
> @@ -6250,6 +6254,57 @@ pfctl_load_anchors(int dev, struct pfctl
> }
>
> int
> +kw_casecmp(const void *k, const void *e)
> +{
> + return (strcasecmp(k, ((const struct keywords *)e)->k_name));
> +}
> +
> +int
> +map_tos(char *s, int *val)
> +{
> + /* DiffServ Codepoints and other TOS mappings */
> + const struct keywords toswords[] = {
> + { "af11", IPTOS_DSCP_AF11 },
> + { "af12", IPTOS_DSCP_AF12 },
> + { "af13", IPTOS_DSCP_AF13 },
> + { "af21", IPTOS_DSCP_AF21 },
> + { "af22", IPTOS_DSCP_AF22 },
> + { "af23", IPTOS_DSCP_AF23 },
> + { "af31", IPTOS_DSCP_AF31 },
> + { "af32", IPTOS_DSCP_AF32 },
> + { "af33", IPTOS_DSCP_AF33 },
> + { "af41", IPTOS_DSCP_AF41 },
> + { "af42", IPTOS_DSCP_AF42 },
> + { "af43", IPTOS_DSCP_AF43 },
> + { "critical", IPTOS_PREC_CRITIC_ECP },
> + { "cs0", IPTOS_DSCP_CS0 },
> + { "cs1", IPTOS_DSCP_CS1 },
> + { "cs2", IPTOS_DSCP_CS2 },
> + { "cs3", IPTOS_DSCP_CS3 },
> + { "cs4", IPTOS_DSCP_CS4 },
> + { "cs5", IPTOS_DSCP_CS5 },
> + { "cs6", IPTOS_DSCP_CS6 },
> + { "cs7", IPTOS_DSCP_CS7 },
> + { "ef", IPTOS_DSCP_EF },
> + { "inetcontrol", IPTOS_PREC_INTERNETCONTROL },
> + { "lowdelay", IPTOS_LOWDELAY },
> + { "netcontrol", IPTOS_PREC_NETCONTROL },
> + { "reliability", IPTOS_RELIABILITY },
> + { "throughput", IPTOS_THROUGHPUT }
> + };
> + const struct keywords *p;
> +
> + p = bsearch(s, toswords, sizeof(toswords)/sizeof(toswords[0]),
> + sizeof(toswords[0]), kw_casecmp);
> +
> + if (p) {
> + *val = p->k_val;
> + return (1);
> + }
> + return (0);
> +}
> +
> +int
> rt_tableid_max(void)
> {
> #ifdef __FreeBSD__
>
> Modified: head/share/man/man5/pf.conf.5
> ==============================================================================
> --- head/share/man/man5/pf.conf.5 Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/share/man/man5/pf.conf.5 Thu Oct 13 20:34:44 2016 (r307235)
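Review bot: map_tos depends on `toswords` being sorted in strcasecmp order — bsearch(3) simply returns NULL for an entry that sits out of order, so a future addition in the wrong place would make that name silently "unknown" — yet nothing in the hunk records the invariant; add `/* Must stay sorted by name: searched with bsearch(3) through kw_casecmp(). */` above the initializer. The table is also a plain const local rather than `static const struct keywords toswords[]`, which is what a read-only lookup table should be. `s` is never written through, so `const char *s` here (and in the `map_tos(char *string, int *)` prototype added in the declarations hunk) would document that and match the `const void *` key bsearch takes.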
> @@ -28,7 +28,7 @@
> .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> .\" POSSIBILITY OF SUCH DAMAGE.
> .\"
> -.Dd September 28, 2016
> +.Dd October 6, 2016
> .Dt PF.CONF 5
> .Os
> .Sh NAME
> @@ -648,9 +648,16 @@ for matching IP packets.
> .Em TOS
> may be
> given as one of
> +.Ar critical ,
> +.Ar inetcontrol ,
> .Ar lowdelay ,
> +.Ar netcontrol ,
> .Ar throughput ,
> .Ar reliability ,
> +or one of the DiffServ Code Points:
> +.Ar ef ,
> +.Ar af11 No ... Ar af43 ,
> +.Ar cs0 No ... Ar cs7 ;
> or as either hex or decimal.
> .It Ar random-id
> Replaces the IP identification field with random values to compensate
> @@ -1697,9 +1704,16 @@ bits set.
> .Em TOS
> may be
> given as one of
> +.Ar critical ,
> +.Ar inetcontrol ,
> .Ar lowdelay ,
> +.Ar netcontrol ,
> .Ar throughput ,
> .Ar reliability ,
> +or one of the DiffServ Code Points:
> +.Ar ef ,
> +.Ar af11 No ... Ar af43 ,
> +.Ar cs0 No ... Ar cs7 ;
> or as either hex or decimal.
> .Pp
> For example, the following rules are identical:
> @@ -1803,7 +1817,6 @@ pass in proto tcp to port 25 set prio 2
> pass in proto tcp to port 22 set prio (2, 5)
> .Ed
> .Pp
> -
> .It Ar tag Aq Ar string
> Packets matching this rule will be tagged with the
> specified string.
>
> Modified: head/sys/netpfil/pf/pf.c
> ==============================================================================
> --- head/sys/netpfil/pf/pf.c Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/sys/netpfil/pf/pf.c Thu Oct 13 20:34:44 2016 (r307235)
> @@ -5893,7 +5893,7 @@ pf_test(int dir, struct ifnet *ifp, stru
> pd.sidx = (dir == PF_IN) ? 0 : 1;
> pd.didx = (dir == PF_IN) ? 1 : 0;
> pd.af = AF_INET;
> - pd.tos = h->ip_tos;
> + pd.tos = h->ip_tos & ~IPTOS_ECN_MASK;
> pd.tot_len = ntohs(h->ip_len);
>
> /* handle fragments that didn't get reassembled by normalization */
>
> Modified: head/sys/netpfil/pf/pf_norm.c
> ==============================================================================
> --- head/sys/netpfil/pf/pf_norm.c Thu Oct 13 20:15:47 2016 (r307234)
> +++ head/sys/netpfil/pf/pf_norm.c Thu Oct 13 20:34:44 2016 (r307235)
> @@ -1811,7 +1811,7 @@ pf_scrub_ip(struct mbuf **m0, u_int32_t
> u_int16_t ov, nv;
>
> ov = *(u_int16_t *)h;
> - h->ip_tos = tos;
> + h->ip_tos = tos | (h->ip_tos & IPTOS_ECN_MASK);
> nv = *(u_int16_t *)h;
>
> h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0);
>
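Review bot: The ECN mask is applied only on the AF_INET path of pf_test; if pf_test6 (not in this diff) fills pd.tos from the IPv6 traffic class, the same `& ~IPTOS_ECN_MASK` belongs there as well, otherwise a `tos` rule matches ECN-marked v4 and v6 packets differently. That is an inference from the v4 hunk alone and is worth confirming before the change is considered complete. pf_test's body continues well beyond the hunk.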
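Review bot: The new assignment in pf_scrub_ip should carry a one-line comment, because the OR reads like a mistake until one knows the intent: `/* Replace only DSCP/precedence; keep the ECN bits the packet already carries. */`. pf_scrub_ip begins outside the hunk.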