PERFORCE change 154100 for review
Marko Zec
zec at FreeBSD.org
Fri Dec 5 02:18:01 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=154100
Change 154100 by zec at zec_tca51 on 2008/12/05 10:17:49
De-virtualize TCP ISN code in PF because it wasn't done the
right way, so leave this for the time when a complete PF
virtualization will be implemented (if ever).
The problem was a naming clash between the TCP ISN state
variables in pf code and those in netinet/tcp_subr.c, which occurred as
a result of blind / automated V_ prepending.
Affected files ...
.. //depot/projects/vimage-commit2/src/sys/contrib/pf/net/pf_subr.c#9 edit
Differences ...
==== //depot/projects/vimage-commit2/src/sys/contrib/pf/net/pf_subr.c#9 (text+ko) ====
@@ -116,26 +116,22 @@
#define ISN_STATIC_INCREMENT 4096
#define ISN_RANDOM_INCREMENT (4096 - 1)
-#ifdef VIMAGE_GLOBALS
-/* XXX WARNING WARNING clash with netinet/tcp_subr.c - REVISIT !!! */
static u_char isn_secret[32];
static int isn_last_reseed;
static u_int32_t isn_offset;
static MD5_CTX isn_ctx;
-#endif
u_int32_t
pf_new_isn(struct pf_state *s)
{
- INIT_VNET_INET(curvnet);
u_int32_t md5_buffer[4];
u_int32_t new_isn;
struct pf_state_host *src, *dst;
/* Seed if this is the first use, reseed if requested. */
- if (V_isn_last_reseed == 0) {
- read_random(&V_isn_secret, sizeof(V_isn_secret));
- V_isn_last_reseed = ticks;
+ if (isn_last_reseed == 0) {
+ read_random(&isn_secret, sizeof(isn_secret));
+ isn_last_reseed = ticks;
}
if (s->direction == PF_IN) {
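Review bot: With the XXX warning dropped, nothing at the declarations of `isn_secret`, `isn_last_reseed`, `isn_offset` and `isn_ctx` records that they are pf's own file-scope state and are deliberately not virtualized. A comment above them such as `/* pf-private ISN state, global across all vnets; unrelated to the ISN variables in netinet/tcp_subr.c */` would help keep a later automated V_ conversion from reintroducing the clash. The seeding comment also says "reseed if requested", but the lines shown only seed while `isn_last_reseed == 0`; if nothing else resets it, the secret is kept for the whole uptime and the comment should say so. The body of pf_new_isn continues past this hunk.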
@@ -147,28 +143,28 @@
}
/* Compute the md5 hash and return the ISN. */
- MD5Init(&V_isn_ctx);
- MD5Update(&V_isn_ctx, (u_char *) &dst->port, sizeof(u_short));
- MD5Update(&V_isn_ctx, (u_char *) &src->port, sizeof(u_short));
+ MD5Init(&isn_ctx);
+ MD5Update(&isn_ctx, (u_char *) &dst->port, sizeof(u_short));
+ MD5Update(&isn_ctx, (u_char *) &src->port, sizeof(u_short));
#ifdef INET6
if (s->af == AF_INET6) {
- MD5Update(&V_isn_ctx, (u_char *) &dst->addr,
+ MD5Update(&isn_ctx, (u_char *) &dst->addr,
sizeof(struct in6_addr));
- MD5Update(&V_isn_ctx, (u_char *) &src->addr,
+ MD5Update(&isn_ctx, (u_char *) &src->addr,
sizeof(struct in6_addr));
} else
#endif
{
- MD5Update(&V_isn_ctx, (u_char *) &dst->addr,
+ MD5Update(&isn_ctx, (u_char *) &dst->addr,
sizeof(struct in_addr));
- MD5Update(&V_isn_ctx, (u_char *) &src->addr,
+ MD5Update(&isn_ctx, (u_char *) &src->addr,
sizeof(struct in_addr));
}
- MD5Update(&V_isn_ctx, (u_char *) &V_isn_secret, sizeof(V_isn_secret));
- MD5Final((u_char *) &md5_buffer, &V_isn_ctx);
+ MD5Update(&isn_ctx, (u_char *) &isn_secret, sizeof(isn_secret));
+ MD5Final((u_char *) &md5_buffer, &isn_ctx);
new_isn = (tcp_seq) md5_buffer[0];
- V_isn_offset += ISN_STATIC_INCREMENT +
+ isn_offset += ISN_STATIC_INCREMENT +
(arc4random() & ISN_RANDOM_INCREMENT);
- new_isn += V_isn_offset;
+ new_isn += isn_offset;
return (new_isn);
}
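Review bot: `MD5Init`, `MD5Update` and `MD5Final` all operate on the file-scope `isn_ctx` declared in the previous hunk, so two overlapping calls to pf_new_isn would mix their inputs into one digest unless every caller holds a common lock, which is not visible here. The context is re-initialised on every call, so it can simply be a local: drop the static and declare `MD5_CTX isn_ctx;` next to `md5_buffer`. The `isn_offset += ...` update is an unsynchronised read-modify-write on shared state as well; if the function does rely on a pf lock, a one-line comment or a lock assertion at the top would record that. The function starts in the previous hunk and the lines between the two hunks are not shown.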