On Sun, 2015-10-25 at 13:14 +0000, Kristof Provost wrote: > Author: kp > Date: Sun Oct 25 13:14:53 2015 > New Revision: 289932 > URL: https://svnweb.freebsd.org/changeset/base/289932 > > Log: > PF_ANEQ() macro will in most situations returns TRUE comparing two > identical > IPv4 packets (when it should return FALSE). It happens because > PF_ANEQ() doesn't > stop if first 32 bits of IPv4 packets are equal and starts to check > next 3*32 > bits (like for IPv6 packet). Those bits containt some garbage and > in result > PF_ANEQ() wrongly returns TRUE. > > Fix: Check if packet is of AF_INET type and if it is then compare > only first 32 > bits of data. > > PR: 204005 > Submitted by: MiĆosz Kaniewski > > Modified: > head/sys/net/pfvar.h > > Modified: head/sys/net/pfvar.h > ===================================================================== > ========= > --- head/sys/net/pfvar.h Sun Oct 25 12:09:28 2015 (r289 > 931) > +++ head/sys/net/pfvar.h Sun Oct 25 13:14:53 2015 (r289 > 932) > @@ -198,10 +198,11 @@ extern struct rwlock pf_rules_lock; > (a)->addr32[0] == (b)->addr32[0])) \ > > #define PF_ANEQ(a, b, c) \ > - ((a)->addr32[0] != (b)->addr32[0] || \ > + ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \ > + (c == AF_INET6 && (a)->addr32[3] != (b)->addr32[3] && \ > (a)->addr32[1] != (b)->addr32[1] || \ > (a)->addr32[2] != (b)->addr32[2] || \ > - (a)->addr32[3] != (b)->addr32[3]) \ > + (a)->addr32[3] != (b)->addr32[3])) \ > > #define PF_AZERO(a, c) \ > ((c == AF_INET && !(a)->addr32[0]) || \ >
It looks like this change is causing warnings when compiled with gcc: cc1: warnings being treated as errors /local/build/staging/freebsd/dpcur/src/sys/netpfil/pf/if_pfsync.c: In function 'pfsync_state_import': /local/build/staging/freebsd/dpcur/src/sys/netpfil/pf/if_pfsync.c:467: warning: suggest parentheses around && within || [-Wparentheses] /local/build/staging/freebsd/dpcur/src/sys/netpfil/pf/if_pfsync.c:468: warning: suggest parentheses around && within || [-Wparentheses] --- if_pfsync.o --- *** [if_pfsync.o] Error code 1 (and many more just the same building other pf files). -- Ian _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
