svn commit: r337643 - head/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Sat Aug 11 16:34:31 UTC 2018
Author: kp
Date: Sat Aug 11 16:34:30 2018
New Revision: 337643
URL: https://svnweb.freebsd.org/changeset/base/337643
Log:
pf: Fix 'set skip on' for groups
The pfi_skip_if() function sometimes caused skipping of groups to work,
if the members of the group used the groupname as a name prefix.
This is often the case, e.g. group lo usually contains lo0, lo1, ...,
but not always.
Rather than relying on the name, explicitly check for group memberships.
Obtained from: OpenBSD (pf_if.c,v 1.62, pf_if.c,v 1.63)
Sponsored by: Essen Hackathon
Modified:
head/sys/netpfil/pf/pf_if.c
Modified: head/sys/netpfil/pf/pf_if.c
==============================================================================
--- head/sys/netpfil/pf/pf_if.c Sat Aug 11 16:30:06 2018 (r337642)
+++ head/sys/netpfil/pf/pf_if.c Sat Aug 11 16:34:30 2018 (r337643)
@@ -735,6 +735,7 @@ pfi_get_ifaces(const char *name, struct pfi_kif *buf,
static int
pfi_skip_if(const char *filter, struct pfi_kif *p)
{
+ struct ifg_list *i;
int n;
if (filter == NULL || !*filter)
@@ -745,10 +746,19 @@ pfi_skip_if(const char *filter, struct pfi_kif *p)
if (n < 1 || n >= IFNAMSIZ)
return (1); /* sanity check */
if (filter[n-1] >= '0' && filter[n-1] <= '9')
- return (1); /* only do exact match in that case */
- if (strncmp(p->pfik_name, filter, n))
- return (1); /* prefix doesn't match */
- return (p->pfik_name[n] < '0' || p->pfik_name[n] > '9');
+ return (1); /* group names may not end in a digit */
+ if (p->pfik_ifp != NULL) {
+ IF_ADDR_RLOCK(p->pfik_ifp);
+ CK_STAILQ_FOREACH(i, &p->pfik_ifp->if_groups, ifgl_next) {
+ if (!strncmp(i->ifgl_group->ifg_group, filter,
+ IFNAMSIZ)) {
+ IF_ADDR_RUNLOCK(p->pfik_ifp);
+ return (0); /* iface is in group "filter" */
+ }
+ }
+ IF_ADDR_RUNLOCK(p->pfik_ifp);
+ }
+ return (1);
}
int
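Review bot: The group check added at the end of pfi_skip_if() reflects only the interface's memberships at the time of the call, and a kif whose `pfik_ifp` is NULL bypasses the loop and lands on the bare `return (1);`. Whether the skip flag is recomputed when an interface attaches later or joins or leaves a group is not visible in this hunk; if it is not, that interface would be filtered, or left unfiltered, contrary to the `set skip on` line in the ruleset, so the attach and group-change paths deserve a look. Dropping the name-prefix match also means an interface that merely shares the prefix but is not in the group is no longer skipped, which is worth stating for users upgrading. I would comment the fall-through, e.g. `return (1); /* no ifnet, or not in group "filter" */`. The function starts in the previous hunk and some of its lines lie between the two hunks.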