svn commit: r285945 - head/sys/netpfil/pf

Tue Jul 28 13:19:03 UTC 2015

> On Jul 28, 2015, at 08:20, Gleb Smirnoff <glebius at FreeBSD.org> wrote:
> 
>  Renato,
> 
> On Tue, Jul 28, 2015 at 10:31:35AM +0000, Renato Botelho wrote:
> R> Author: garga (ports committer)
> R> Date: Tue Jul 28 10:31:34 2015
> R> New Revision: 285945
> R> URL: https://svnweb.freebsd.org/changeset/base/285945
> R> 
> R> Log:
> R>   Respect pf rule log option before log dropped packets with IP options or
> R>   dangerous v6 headers
> R>   
> R>   Reviewed by:	gnn, eri
> R>   Approved by:	gnn
> R>   Obtained from:	pfSense
> R>   MFC after:	3 days
> R>   Sponsored by:	Netgate
> R>   Differential Revision:	https://reviews.freebsd.org/D3222
> R> 
> R> Modified:
> R>   head/sys/netpfil/pf/pf.c
> R> 
> R> Modified: head/sys/netpfil/pf/pf.c
> R> ==============================================================================
> R> --- head/sys/netpfil/pf/pf.c	Tue Jul 28 09:36:26 2015	(r285944)
> R> +++ head/sys/netpfil/pf/pf.c	Tue Jul 28 10:31:34 2015	(r285945)
> R> @@ -5895,7 +5895,8 @@ done:
> R>  	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
> R>  		action = PF_DROP;
> R>  		REASON_SET(&reason, PFRES_IPOPTIONS);
> R> -		log = 1;
> R> +		if (r->log)
> R> +			log = 1;
> R>  		DPFPRINTF(PF_DEBUG_MISC,
> R>  		    ("pf: dropping packet with ip options\n"));
> R>  	}
> R> @@ -6329,7 +6330,8 @@ done:
> R>  	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
> R>  		action = PF_DROP;
> R>  		REASON_SET(&reason, PFRES_IPOPTIONS);
> R> -		log = 1;
> R> +		if (r->log)
> R> +			log = 1;
> R>  		DPFPRINTF(PF_DEBUG_MISC,
> R>  		    ("pf: dropping packet with dangerous v6 headers\n"));
> R>  	}
> 
> Why not simply:
> 
> 	log = r->log;
> 
> ?
> 
> That would also match the style of the function, since it already has:
> 
> 	log = s->log;

Thanks for pointing this out. Do you approve the following patch?

Index: sys/netpfil/pf/pf.c
===================================================================

--- sys/netpfil/pf/pf.c	(revision 285945)
+++ sys/netpfil/pf/pf.c	(working copy)
@@ -5895,8 +5895,7 @@
 	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
 		action = PF_DROP;
 		REASON_SET(&reason, PFRES_IPOPTIONS);
-		if (r->log)
-			log = 1;
+		log = r->log;
 		DPFPRINTF(PF_DEBUG_MISC,
 		    ("pf: dropping packet with ip options\n"));
 	}
@@ -6330,8 +6329,7 @@
 	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
 		action = PF_DROP;
 		REASON_SET(&reason, PFRES_IPOPTIONS);
-		if (r->log)
-			log = 1;
+		log = r->log;
 		DPFPRINTF(PF_DEBUG_MISC,
 		    ("pf: dropping packet with dangerous v6 headers\n"));
 	}

--
Renato Botelho

