ipfilter bug #554 Determining why a ipf rule matches is hard -- replace

ipfilter rule compare with new ipf_rule_compare() function. Obtained from: ipfilter CVS rep (r1.129)
svn path=/head/; revision=272552
2014-10-05 03:45:19 +00:00 · 2014-10-05 03:45:19 +00:00 · a7bd2acdab · 2020-12-20 02:59:44 +00:00
commit a7bd2acdab
parent 7db9f2ba58
1 changed files with 34 additions and 11 deletions
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@ -4435,6 +4435,39 @@ ipf_matchicmpqueryreply(v, ic, icmp, rev)
 }


+/* ------------------------------------------------------------------------ */
+/* Function:    ipf_rule_compare                                            */
+/* Parameters:  fr1(I) - first rule structure to compare                    */
+/*              fr2(I) - second rule structure to compare                   */
+/* Returns:     int    - 0 == rules are the same, else mismatch             */
+/*                                                                          */
+/* Compare two rules and return 0 if they match or a number indicating      */
+/* which of the individual checks failed.                                   */
+/* ------------------------------------------------------------------------ */
+static int
+ipf_rule_compare(frentry_t *fr1, frentry_t *fr2)
+{
+	if (fr1->fr_cksum != fr2->fr_cksum)
+		return 1;
+	if (fr1->fr_size != fr2->fr_size)
+		return 2;
+	if (fr1->fr_dsize != fr2->fr_dsize)
+		return 3;
+	if (bcmp((char *)&fr1->fr_func, (char *)&fr2->fr_func,
+		 fr1->fr_size - offsetof(struct frentry, fr_func)) != 0)
+		return 4;
+	if (fr1->fr_data && !fr2->fr_data)
+		return 5;
+	if (!fr1->fr_data && fr2->fr_data)
+		return 6;
+	if (fr1->fr_data) {
+		if (bcmp(fr1->fr_caddr, fr2->fr_caddr, fr1->fr_dsize))
+			return 7;
+	}
+	return 0;
+}
+
+
 /* ------------------------------------------------------------------------ */
 /* Function:    frrequest                                                   */
 /* Returns:     int - 0 == success, > 0 == errno value                      */
@ -4928,17 +4961,7 @@ frrequest(softc, unit, req, data, set, makecopy)
 	}

 	for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
-		DT2(rule_cmp, frentry_t *, fp, frentry_t *, f);
-		if ((fp->fr_cksum != f->fr_cksum) ||
-		    (fp->fr_size != f->fr_size) ||
-		    (f->fr_dsize != fp->fr_dsize))
-			continue;
-		if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func,
-			 fp->fr_size - offsetof(struct frentry, fr_func)) != 0)
-			continue;
-		if ((!ptr && !f->fr_data) ||
-		    (ptr && f->fr_data &&
-		     !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
+		if (ipf_rule_compare(fp, f) == 0)
 			break;
 	}