git: 3495832877ca - main - pf: convert NAT rule handling to PF_TEST_ATTRIB as well
Date: Mon, 02 Jun 2025 15:30:33 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=3495832877caebdf2f6f0a01a3b1f43a80351a55
commit 3495832877caebdf2f6f0a01a3b1f43a80351a55
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-05-23 15:22:14 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-06-02 15:30:18 +0000
pf: convert NAT rule handling to PF_TEST_ATTRIB as well
We previously made this change in the filter rules; apply it to the NAT rules
as well.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50580
---
sys/netpfil/pf/pf_lb.c | 108 ++++++++++++++++++++++++++-----------------------
1 file changed, 58 insertions(+), 50 deletions(-)
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index 43edfc806c1c..00f25c29e23c 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -128,6 +128,14 @@ pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
return (res);
}
+#define PF_TEST_ATTRIB(t, a)\
+ do { \
+ if (t) { \
+ r = a; \
+ goto nextrule; \
+ } \
+ } while (0)
+
struct pf_krule *
pf_match_translation(struct pf_pdesc *pd,
int rs_num, struct pf_kanchor_stackframe *anchor_stack)
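Review bot: The PF_TEST_ATTRIB macro added at the top of the hunk silently depends on a local `r` and a `nextrule:` label existing in whichever function expands it, and nothing at the definition says so; a comment above the `#define` such as `/* Requires a local 'struct pf_krule *r' and a 'nextrule:' label in the expanding function; 'a' is evaluated only when 't' holds. */` would make that contract visible. The second argument is not parenthesized in the expansion (`r = a;`), which is harmless for the `r->skip[...]` and `TAILQ_NEXT()` uses in this file but `r = (a);` would match the usual macro hygiene. The commit message says the filter-rule code was converted earlier; if that definition lives in another .c file rather than a shared header, this is a second copy of the same macro that can drift from it, which seems worth confirming.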
@@ -153,60 +161,60 @@ pf_match_translation(struct pf_pdesc *pd,
}
pf_counter_u64_add(&r->evaluations, 1);
- if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)
- r = r->skip[PF_SKIP_IFP];
- else if (r->direction && r->direction != pd->dir)
- r = r->skip[PF_SKIP_DIR];
- else if (r->af && r->af != pd->af)
- r = r->skip[PF_SKIP_AF];
- else if (r->proto && r->proto != pd->proto)
- r = r->skip[PF_SKIP_PROTO];
- else if (PF_MISMATCHAW(&src->addr, &pd->nsaddr, pd->af,
- src->neg, pd->kif, M_GETFIB(pd->m)))
- r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
- PF_SKIP_DST_ADDR];
- else if (src->port_op && !pf_match_port(src->port_op,
- src->port[0], src->port[1], pd->nsport))
- r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
- PF_SKIP_DST_PORT];
- else if (dst != NULL &&
+ PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot,
+ r->skip[PF_SKIP_IFP]);
+ PF_TEST_ATTRIB(r->direction && r->direction != pd->dir,
+ r->skip[PF_SKIP_DIR]);
+ PF_TEST_ATTRIB(r->af && r->af != pd->af,
+ r->skip[PF_SKIP_AF]);
+ PF_TEST_ATTRIB(r->proto && r->proto != pd->proto,
+ r->skip[PF_SKIP_PROTO]);
+ PF_TEST_ATTRIB(PF_MISMATCHAW(&src->addr, &pd->nsaddr, pd->af,
+ src->neg, pd->kif, M_GETFIB(pd->m)),
+ r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
+ PF_SKIP_DST_ADDR]);
+ PF_TEST_ATTRIB(src->port_op && !pf_match_port(src->port_op,
+ src->port[0], src->port[1], pd->nsport),
+ r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
+ PF_SKIP_DST_PORT]);
+ PF_TEST_ATTRIB(dst != NULL &&
PF_MISMATCHAW(&dst->addr, &pd->ndaddr, pd->af, dst->neg, NULL,
- M_GETFIB(pd->m)))
- r = r->skip[PF_SKIP_DST_ADDR];
- else if (xdst != NULL && PF_MISMATCHAW(xdst, &pd->ndaddr, pd->af,
- 0, NULL, M_GETFIB(pd->m)))
- r = TAILQ_NEXT(r, entries);
- else if (dst != NULL && dst->port_op &&
+ M_GETFIB(pd->m)),
+ r->skip[PF_SKIP_DST_ADDR]);
+ PF_TEST_ATTRIB(xdst != NULL && PF_MISMATCHAW(xdst, &pd->ndaddr, pd->af,
+ 0, NULL, M_GETFIB(pd->m)),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB(dst != NULL && dst->port_op &&
!pf_match_port(dst->port_op, dst->port[0],
- dst->port[1], pd->ndport))
- r = r->skip[PF_SKIP_DST_PORT];
- else if (r->match_tag && !pf_match_tag(pd->m, r, &tag,
- pd->pf_mtag ? pd->pf_mtag->tag : 0))
- r = TAILQ_NEXT(r, entries);
- else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
+ dst->port[1], pd->ndport),
+ r->skip[PF_SKIP_DST_PORT]);
+ PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag,
+ pd->pf_mtag ? pd->pf_mtag->tag : 0),
+ TAILQ_NEXT(r, entries));
+ PF_TEST_ATTRIB(r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd,
- &pd->hdr.tcp), r->os_fingerprint)))
- r = TAILQ_NEXT(r, entries);
- else {
- if (r->tag)
- tag = r->tag;
- if (r->rtableid >= 0)
- rtableid = r->rtableid;
- if (r->anchor == NULL) {
- rm = r;
- if (rm->action == PF_NONAT ||
- rm->action == PF_NORDR ||
- rm->action == PF_NOBINAT) {
- rm = NULL;
- }
- break;
- } else
- pf_step_into_anchor(anchor_stack, &asd,
- &ruleset, rs_num, &r, NULL);
+ &pd->hdr.tcp), r->os_fingerprint)),
+ TAILQ_NEXT(r, entries));
+ if (r->tag)
+ tag = r->tag;
+ if (r->rtableid >= 0)
+ rtableid = r->rtableid;
+ if (r->anchor == NULL) {
+ rm = r;
+ if (rm->action == PF_NONAT ||
+ rm->action == PF_NORDR ||
+ rm->action == PF_NOBINAT) {
+ rm = NULL;
+ }
+ break;
+ } else {
+ pf_step_into_anchor(anchor_stack, &asd,
+ &ruleset, rs_num, &r, NULL);
}
- if (r == NULL)
- pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
- rs_num, &r, NULL, NULL);
+nextrule:
+ if (r == NULL && pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
+ rs_num, &r, NULL, NULL))
+ break;
}
if (tag > 0 && pf_tag_packet(pd, tag))