PERFORCE change 145769 for review

Gleb Kurtsou gk at FreeBSD.org
Thu Jul 24 08:16:39 UTC 2008 

http://perforce.freebsd.org/chv.cgi?CH=145769

Change 145769 by gk at gk_h1 on 2008/07/24 08:16:05

	add per rule flag PFRULE_ETHERSTATE: conditionally perform stateful ethernet filtering. 
	usage: pass log on bridge0 from <test1> to <test1> keep state (ether) 

Affected files ...

.. //depot/projects/soc2008/gk_l2filter/sbin-pfctl/parse.y#4 edit
.. //depot/projects/soc2008/gk_l2filter/sbin-pfctl/pfctl_parser.c#5 edit
.. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#7 edit
.. //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#6 edit

Differences ...

==== //depot/projects/soc2008/gk_l2filter/sbin-pfctl/parse.y#4 (text+ko) ====

@@ -128,7 +128,7 @@
 	    PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
 	    PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
 	    PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
-	    PF_STATE_OPT_TIMEOUT };
+	    PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_ETHER };
 
 enum	{ PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
 
@@ -1906,6 +1906,10 @@
 					}
 					r.timeout[o->data.timeout.number] =
 					    o->data.timeout.seconds;
+					break;
+				case PF_STATE_OPT_ETHER:
+					r.rule_flag |= PFRULE_ETHERSTATE;
+					break;
 				}
 				o = o->next;
 				free(p);
@@ -3207,6 +3211,14 @@
 			$$->next = NULL;
 			$$->tail = $$;
 		}
+		| ETHER {
+			$$ = calloc(1, sizeof(struct node_state_opt));
+			if ($$ == NULL)
+				err(1, "state_opt_item: calloc");
+			$$->type = PF_STATE_OPT_ETHER;
+			$$->next = NULL;
+			$$->tail = $$;
+		}
 		| sourcetrack {
 			$$ = calloc(1, sizeof(struct node_state_opt));
 			if ($$ == NULL)

==== //depot/projects/soc2008/gk_l2filter/sbin-pfctl/pfctl_parser.c#5 (text+ko) ====

@@ -877,6 +877,8 @@
 	for (i = 0; !opts && i < PFTM_MAX; ++i)
 		if (r->timeout[i])
 			opts = 1;
+	if (r->rule_flag & PFRULE_ETHERSTATE)
+		opts = 1;
 	if (opts) {
 		printf(" (");
 		if (r->max_states) {
@@ -955,6 +957,12 @@
 				    "inv.timeout" : pf_timeouts[j].name,
 				    r->timeout[i]);
 			}
+		if (r->rule_flag & PFRULE_ETHERSTATE) {
+			if (!opts)
+				printf(", ");
+			printf("ether");
+			opts = 0;
+		}
 		printf(")");
 	}
 	if (r->rule_flag & PFRULE_FRAGMENT)

==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pf.c#7 (text+ko) ====

@@ -706,6 +706,9 @@
 {
 	struct pf_addr_ether	*src, *dst;
 
+	if ((state->rule.ptr->rule_flag & PFRULE_ETHERSTATE) == 0)
+		return (1);
+
 	if (direction == PF_IN) {
 		src = &state->ext.addr_ether;
 		dst = &state->gwy.addr_ether;

==== //depot/projects/soc2008/gk_l2filter/sys-pf/net/pfvar.h#6 (text+ko) ====

@@ -705,6 +705,7 @@
 #define	PFRULE_NOSYNC		0x0010
 #define PFRULE_SRCTRACK		0x0020  /* track source states */
 #define PFRULE_RULESRCTRACK	0x0040  /* per rule */
+#define PFRULE_ETHERSTATE	0x0080  /* per rule */
 
 /* scrub flags */
 #define	PFRULE_NODF		0x0100

More information about the p4-projects mailing list