..because now you had to initialize both set_prio in pf_rule to it
everywhere. we did that, at least in some parts of our tree...
problem being of course that 0 is a valid value there and can\t easily
be used as "don't touch" indicator.
so use a flag and only ever look at the set_prio fields if the flag is
set.
this is entirely untested, I am asking you guys to help with this. I
am reaosnably confident this is right tho.
now excuse me pls, have to bang my head against a wall of queues
Index: libexec/tftp-proxy/filter.c
===================================================================
RCS file: /cvs/src/libexec/tftp-proxy/filter.c,v
retrieving revision 1.13
diff -u -p -r1.13 filter.c
--- libexec/tftp-proxy/filter.c 8 Jul 2012 11:57:08 -0000 1.13
+++ libexec/tftp-proxy/filter.c 11 Jul 2012 11:03:11 -0000
@@ -176,7 +176,6 @@ prepare_rule(u_int32_t id, struct sockad
pfr.rule.dst.port[0] = htons(d_port);
pfr.rule.rtableid = -1;
pfr.rule.onrdomain = -1;
- pfr.rule.set_prio[0] = pfr.rule.set_prio[1] = PF_PRIO_NOTSET;
pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.618
diff -u -p -r1.618 parse.y
--- sbin/pfctl/parse.y 10 Jul 2012 09:29:36 -0000 1.618
+++ sbin/pfctl/parse.y 11 Jul 2012 10:57:07 -0000
@@ -892,8 +892,8 @@ anchorrule : ANCHOR anchorname dir quick
if ($9.marker & FOM_SETPRIO) {
r.set_prio[0] = $9.set_prio[0];
r.set_prio[1] = $9.set_prio[1];
- } else
- r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET;
+ r.scrub_flags |= PFSTATE_SETPRIO;
+ }
decide_address_family($8.src.host, &r.af);
decide_address_family($8.dst.host, &r.af);
@@ -1025,7 +1025,6 @@ antispoof : ANTISPOOF logquick antispoof
r.logif = $2.logif;
r.quick = $2.quick;
r.af = $4;
- r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET;
if (rule_label(&r, $5.label))
YYERROR;
r.rtableid = $5.rtableid;
@@ -1710,8 +1709,8 @@ pfrule : action dir logquick interface
if ($8.marker & FOM_SETPRIO) {
r.set_prio[0] = $8.set_prio[0];
r.set_prio[1] = $8.set_prio[1];
- } else
- r.set_prio[0] = r.set_prio[1] = PF_PRIO_NOTSET;
+ r.scrub_flags |= PFSTATE_SETPRIO;
+ }
if ($8.marker & FOM_ONCE)
r.rule_flag |= PFRULE_ONCE;
if ($8.marker & FOM_AFTO)
Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.289
diff -u -p -r1.289 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c 10 Jul 2012 09:39:26 -0000 1.289
+++ sbin/pfctl/pfctl_parser.c 11 Jul 2012 10:59:19 -0000
@@ -843,11 +843,10 @@ print_rule(struct pf_rule *r, const char
if (r->tos)
printf(" tos 0x%2.2x", r->tos);
- if (r->set_prio[0] != PF_PRIO_NOTSET ||
- r->scrub_flags & PFSTATE_SETTOS) {
+ if (r->scrub_flags & PFSTATE_SETMASK) {
char *comma = "";
printf(" set (");
- if (r->set_prio[0] != PF_PRIO_NOTSET) {
+ if (r->scrub_flags & PFSTATE_SETPRIO) {
if (r->set_prio[0] == r->set_prio[1])
printf("%s prio %u", comma, r->set_prio[0]);
else
Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.808
diff -u -p -r1.808 pf.c
--- sys/net/pf.c 10 Jul 2012 17:33:48 -0000 1.808
+++ sys/net/pf.c 11 Jul 2012 10:52:59 -0000
@@ -2526,7 +2526,7 @@ pf_send_tcp(const struct pf_rule *r, sa_
m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
m->m_pkthdr.pf.tag = rtag;
m->m_pkthdr.rdomain = rdom;
- if (r && r->set_prio[0] != PF_PRIO_NOTSET)
+ if (r && (r->scrub_flags & PFSTATE_SETPRIO))
m->m_pkthdr.pf.prio = r->set_prio[0];
#ifdef ALTQ
@@ -2650,7 +2650,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty
m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
m0->m_pkthdr.rdomain = rdomain;
- if (r && r->set_prio[0] != PF_PRIO_NOTSET)
+ if (r && (r->scrub_flags & PFSTATE_SETPRIO))
m0->m_pkthdr.pf.prio = r->set_prio[0];
#ifdef ALTQ
@@ -3279,11 +3279,9 @@ pf_rule_to_actions(struct pf_rule *r, st
if (r->max_mss)
a->max_mss = r->max_mss;
a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID|
- PFSTATE_SETTOS|PFSTATE_SCRUB_TCP));
- if (r->set_prio[0] != PF_PRIO_NOTSET)
- a->set_prio[0] = r->set_prio[0];
- if (r->set_prio[1] != PF_PRIO_NOTSET)
- a->set_prio[1] = r->set_prio[1];
+ PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO));
+ a->set_prio[0] = r->set_prio[0];
+ a->set_prio[1] = r->set_prio[1];
}
#define PF_TEST_ATTRIB(t, a) \
@@ -3319,7 +3317,6 @@ pf_test_rule(struct pf_pdesc *pd, struct
u_int8_t icmptype = 0, icmpcode = 0;
bzero(&act, sizeof(act));
- act.set_prio[0] = act.set_prio[1] = PF_PRIO_NOTSET;
bzero(sns, sizeof(sns));
act.rtableid = pd->rdomain;
SLIST_INIT(&rules);
@@ -6886,11 +6883,11 @@ done:
pf_tag_packet(pd.m, s->tag, s->rtableid[pd.didx]);
if (pqid || (pd.tos & IPTOS_LOWDELAY)) {
qid = s->pqid;
- if (s->set_prio[1] != PF_PRIO_NOTSET)
+ if (s->state_flags & PFSTATE_SETPRIO)
pd.m->m_pkthdr.pf.prio = s->set_prio[1];
} else {
qid = s->qid;
- if (s->set_prio[0] != PF_PRIO_NOTSET)
+ if (s->state_flags & PFSTATE_SETPRIO)
pd.m->m_pkthdr.pf.prio = s->set_prio[0];
}
} else {
@@ -6898,11 +6895,11 @@ done:
r->set_tos);
if (pqid || (pd.tos & IPTOS_LOWDELAY)) {
qid = r->pqid;
- if (r->set_prio[1] != PF_PRIO_NOTSET)
+ if (r->scrub_flags & PFSTATE_SETPRIO)
pd.m->m_pkthdr.pf.prio = r->set_prio[1];
} else {
qid = r->qid;
- if (r->set_prio[0] != PF_PRIO_NOTSET)
+ if (r->scrub_flags & PFSTATE_SETPRIO)
pd.m->m_pkthdr.pf.prio = r->set_prio[0];
}
}
Index: sys/net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.253
diff -u -p -r1.253 pf_ioctl.c
--- sys/net/pf_ioctl.c 8 Jul 2012 07:58:09 -0000 1.253
+++ sys/net/pf_ioctl.c 11 Jul 2012 10:54:35 -0000
@@ -1088,10 +1088,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
error = EINVAL;
if (rule->rt && !rule->direction)
error = EINVAL;
- if ((rule->set_prio[0] != PF_PRIO_NOTSET &&
- rule->set_prio[0] > IFQ_MAXPRIO) ||
- (rule->set_prio[1] != PF_PRIO_NOTSET &&
- rule->set_prio[1] > IFQ_MAXPRIO))
+ if (rule->scrub_flags & PFSTATE_SETPRIO &&
+ (rule->set_prio[0] > IFQ_MAXPRIO ||
+ rule->set_prio[1] > IFQ_MAXPRIO))
error = EINVAL;
if (error) {
Index: sys/net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.365
diff -u -p -r1.365 pfvar.h
--- sys/net/pfvar.h 10 Jul 2012 09:38:22 -0000 1.365
+++ sys/net/pfvar.h 11 Jul 2012 10:59:21 -0000
@@ -648,7 +648,6 @@ struct pf_rule {
#define PF_FLUSH 0x01
#define PF_FLUSH_GLOBAL 0x02
u_int8_t flush;
-#define PF_PRIO_NOTSET 0xff
u_int8_t set_prio[2];
sa_family_t naf;
@@ -840,7 +839,9 @@ struct pf_state {
#define PFSTATE_SETTOS 0x0040
#define PFSTATE_RANDOMID 0x0080
#define PFSTATE_SCRUB_TCP 0x0100
+#define PFSTATE_SETPRIO 0x0200
#define PFSTATE_SCRUBMASK
(PFSTATE_NODF|PFSTATE_RANDOMID|PFSTATE_SCRUB_TCP)
+#define PFSTATE_SETMASK (PFSTATE_SETTOS|PFSTATE_SETPRIO)
u_int8_t log;
u_int8_t timeout;
u_int8_t sync_state; /* PFSYNC_S_x */
Index: usr.sbin/ftp-proxy/filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/ftp-proxy/filter.c,v
retrieving revision 1.19
diff -u -p -r1.19 filter.c
--- usr.sbin/ftp-proxy/filter.c 7 Jul 2012 16:24:32 -0000 1.19
+++ usr.sbin/ftp-proxy/filter.c 11 Jul 2012 11:00:05 -0000
@@ -207,7 +207,6 @@ prepare_rule(u_int32_t id, struct sockad
pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.nat.addr.type = PF_ADDR_NONE;
pfr.rule.rdr.addr.type = PF_ADDR_NONE;
- pfr.rule.set_prio[0] = pfr.rule.set_prio[1] = PF_PRIO_NOTSET;
if (src->sa_family == AF_INET) {
memcpy(&pfr.rule.src.addr.v.a.addr.v4,
Index: usr.sbin/relayd/pfe_filter.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
retrieving revision 1.49
diff -u -p -r1.49 pfe_filter.c
--- usr.sbin/relayd/pfe_filter.c 7 Jul 2012 16:24:32 -0000 1.49
+++ usr.sbin/relayd/pfe_filter.c 11 Jul 2012 11:00:43 -0000
@@ -440,7 +440,6 @@ sync_ruleset(struct relayd *env, struct
rio.rule.dst.port[1] = address->port.val[1];
rio.rule.rtableid = -1; /* stay in the main routing table */
rio.rule.onrdomain = getrtable();
- rio.rule.set_prio[0] = rio.rule.set_prio[1] = PF_PRIO_NOTSET;
if (rio.rule.proto == IPPROTO_TCP)
rio.rule.timeout[PFTM_TCP_ESTABLISHED] =
