From: Cy Schubert
Date: Sun, 12 Oct 2014 17:15:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r272995 - stable/10/sys/contrib/ipfilter/netinet

Author: cy
Date: Sun Oct 12 17:15:20 2014
New Revision: 272995
URL: https://svnweb.freebsd.org/changeset/base/272995

Log:
  MFC r272552

  ipfilter bug #554 Determining why a ipf rule matches is hard -- replace
  ipfilter rule compare with new ipf_rule_compare() function.

  Obtained from: ipfilter CVS rep (r1.129)

Modified:
  stable/10/sys/contrib/ipfilter/netinet/fil.c
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/sys/contrib/ipfilter/netinet/fil.c
==============================================================================
--- stable/10/sys/contrib/ipfilter/netinet/fil.c Sun Oct 12 17:13:14 2014 (r272994)
+++ stable/10/sys/contrib/ipfilter/netinet/fil.c Sun Oct 12 17:15:20 2014 (r272995)
@@ -4436,6 +4436,39 @@ ipf_matchicmpqueryreply(v, ic, icmp, rev /* ------------------------------------------------------------------------ */ +/* Function: ipf_rule_compare */ +/* Parameters: fr1(I) - first rule structure to compare */ +/* fr2(I) - second rule structure to compare */ +/* Returns: int - 0 == rules are the same, else mismatch */ +/* */ +/* Compare two rules and return 0 if they match or a number indicating */ +/* which of the individual checks failed. */ +/* ------------------------------------------------------------------------ */ +static int +ipf_rule_compare(frentry_t *fr1, frentry_t *fr2) +{ + if (fr1->fr_cksum != fr2->fr_cksum) + return 1; + if (fr1->fr_size != fr2->fr_size) + return 2; + if (fr1->fr_dsize != fr2->fr_dsize) + return 3; + if (bcmp((char *)&fr1->fr_func, (char *)&fr2->fr_func, + fr1->fr_size - offsetof(struct frentry, fr_func)) != 0) + return 4; + if (fr1->fr_data && !fr2->fr_data) + return 5; + if (!fr1->fr_data && fr2->fr_data) + return 6; + if (fr1->fr_data) { + if (bcmp(fr1->fr_caddr, fr2->fr_caddr, fr1->fr_dsize)) + return 7; + } + return 0; +} + + +/* ------------------------------------------------------------------------ */ /* Function: frrequest */ /* Returns: int - 0 == success, > 0 == errno value */ /* Parameters: unit(I) - device for which this is for */ @@ -4928,17 +4961,7 @@ frrequest(softc, unit, req, data, set, m } for (; (f = *ftail) != NULL; ftail = &f->fr_next) { - DT2(rule_cmp, frentry_t *, fp, frentry_t *, f); - if ((fp->fr_cksum != f->fr_cksum) || - (fp->fr_size != f->fr_size) || - (f->fr_dsize != fp->fr_dsize)) - continue; - if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, - fp->fr_size - offsetof(struct frentry, fr_func)) != 0) - continue; - if ((!ptr && !f->fr_data) || - (ptr && f->fr_data && - !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize))) + if (ipf_rule_compare(fp, f) == 0) break; }
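Review bot: in the first hunk (@@ -4436, ipf_rule_compare), the data-pointer checks test fr_data for NULL but the final bcmp() reads fr_caddr, and nothing in these lines shows that the two names refer to the same storage. Use one name for both the NULL test and the comparison, or add a comment stating that they alias. The header comment says the return value indicates which check failed but does not list the codes 1 to 7; listing them there (or using named constants) would let someone reading a trace map a value back to a check. Both parameters are only read, so they could be declared const.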
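Review bot: in the second hunk (@@ -4928, the frrequest loop), `ipf_rule_compare(fp, f) == 0` discards the code that says which check failed, and the DT2(rule_cmp, ...) probe is removed in the same change, so the mismatch reason the log message is after is not observable at this call site. Consider storing the return value and passing it to a probe or debug counter before testing it. Separately, the removed lines compared the local `ptr` against f->fr_data, while the helper compares the two rules' own data pointers; that is only equivalent if fp's data pointer already refers to the same buffer as `ptr` here, which the hunk does not show, so it is worth confirming or noting in a comment.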