1 /* $OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $ */
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002 - 2008 Henning Brauer
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
32 * Effort sponsored in part by the Defense Advanced Research Projects
33 * Agency (DARPA) and Air Force Research Laboratory, Air Force
34 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
38 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
43 #include "opt_inet6.h"
47 #include <sys/param.h>
49 #include <sys/endian.h>
51 #include <sys/interrupt.h>
52 #include <sys/kernel.h>
53 #include <sys/kthread.h>
54 #include <sys/limits.h>
57 #include <sys/random.h>
58 #include <sys/refcount.h>
59 #include <sys/socket.h>
60 #include <sys/sysctl.h>
61 #include <sys/taskqueue.h>
62 #include <sys/ucred.h>
65 #include <net/if_types.h>
66 #include <net/route.h>
67 #include <net/radix_mpath.h>
70 #include <net/pfvar.h>
71 #include <net/pf_mtag.h>
72 #include <net/if_pflog.h>
73 #include <net/if_pfsync.h>
75 #include <netinet/in_pcb.h>
76 #include <netinet/in_var.h>
77 #include <netinet/ip.h>
78 #include <netinet/ip_fw.h>
79 #include <netinet/ip_icmp.h>
80 #include <netinet/icmp_var.h>
81 #include <netinet/ip_var.h>
82 #include <netinet/ipfw/ip_fw_private.h> /* XXX: only for DIR_IN/DIR_OUT */
83 #include <netinet/tcp.h>
84 #include <netinet/tcp_fsm.h>
85 #include <netinet/tcp_seq.h>
86 #include <netinet/tcp_timer.h>
87 #include <netinet/tcp_var.h>
88 #include <netinet/udp.h>
89 #include <netinet/udp_var.h>
92 #include <netinet/ip6.h>
93 #include <netinet/icmp6.h>
94 #include <netinet6/nd6.h>
95 #include <netinet6/ip6_var.h>
96 #include <netinet6/in6_pcb.h>
99 #include <machine/in_cksum.h>
100 #include <security/mac/mac_framework.h>
102 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
109 VNET_DEFINE(struct pf_altqqueue, pf_altqs[2]);
110 VNET_DEFINE(struct pf_palist, pf_pabuf);
111 VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active);
112 VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive);
113 VNET_DEFINE(struct pf_status, pf_status);
115 VNET_DEFINE(u_int32_t, ticket_altqs_active);
116 VNET_DEFINE(u_int32_t, ticket_altqs_inactive);
117 VNET_DEFINE(int, altqs_inactive_open);
118 VNET_DEFINE(u_int32_t, ticket_pabuf);
120 VNET_DEFINE(MD5_CTX, pf_tcp_secret_ctx);
121 #define V_pf_tcp_secret_ctx VNET(pf_tcp_secret_ctx)
122 VNET_DEFINE(u_char, pf_tcp_secret[16]);
123 #define V_pf_tcp_secret VNET(pf_tcp_secret)
124 VNET_DEFINE(int, pf_tcp_secret_init);
125 #define V_pf_tcp_secret_init VNET(pf_tcp_secret_init)
126 VNET_DEFINE(int, pf_tcp_iss_off);
127 #define V_pf_tcp_iss_off VNET(pf_tcp_iss_off)
129 struct pf_anchor_stackframe {
130 struct pf_ruleset *rs;
132 struct pf_anchor_node *parent;
133 struct pf_anchor *child;
135 VNET_DEFINE(struct pf_anchor_stackframe, pf_anchor_stack[64]);
136 #define V_pf_anchor_stack VNET(pf_anchor_stack)
139 * Queue for pf_intr() sends.
141 static MALLOC_DEFINE(M_PFTEMP, "pf_temp", "pf(4) temporary allocations");
142 struct pf_send_entry {
143 STAILQ_ENTRY(pf_send_entry) pfse_next;
160 #define pfse_icmp_type u.icmpopts.type
161 #define pfse_icmp_code u.icmpopts.code
162 #define pfse_icmp_mtu u.icmpopts.mtu
165 STAILQ_HEAD(pf_send_head, pf_send_entry);
166 static VNET_DEFINE(struct pf_send_head, pf_sendqueue);
167 #define V_pf_sendqueue VNET(pf_sendqueue)
169 static struct mtx pf_sendqueue_mtx;
170 #define PF_SENDQ_LOCK() mtx_lock(&pf_sendqueue_mtx)
171 #define PF_SENDQ_UNLOCK() mtx_unlock(&pf_sendqueue_mtx)
174 * Queue for pf_flush_task() tasks.
176 struct pf_flush_entry {
177 SLIST_ENTRY(pf_flush_entry) next;
181 struct pf_rule *rule; /* never dereferenced */
184 SLIST_HEAD(pf_flush_head, pf_flush_entry);
185 static VNET_DEFINE(struct pf_flush_head, pf_flushqueue);
186 #define V_pf_flushqueue VNET(pf_flushqueue)
187 static VNET_DEFINE(struct task, pf_flushtask);
188 #define V_pf_flushtask VNET(pf_flushtask)
190 static struct mtx pf_flushqueue_mtx;
191 #define PF_FLUSHQ_LOCK() mtx_lock(&pf_flushqueue_mtx)
192 #define PF_FLUSHQ_UNLOCK() mtx_unlock(&pf_flushqueue_mtx)
194 VNET_DEFINE(struct pf_rulequeue, pf_unlinked_rules);
195 struct mtx pf_unlnkdrules_mtx;
197 static VNET_DEFINE(uma_zone_t, pf_sources_z);
198 #define V_pf_sources_z VNET(pf_sources_z)
199 static VNET_DEFINE(uma_zone_t, pf_mtag_z);
200 #define V_pf_mtag_z VNET(pf_mtag_z)
201 VNET_DEFINE(uma_zone_t, pf_state_z);
202 VNET_DEFINE(uma_zone_t, pf_state_key_z);
204 VNET_DEFINE(uint64_t, pf_stateid[MAXCPU]);
205 #define PFID_CPUBITS 8
206 #define PFID_CPUSHIFT (sizeof(uint64_t) * NBBY - PFID_CPUBITS)
207 #define PFID_CPUMASK ((uint64_t)((1 << PFID_CPUBITS) - 1) << PFID_CPUSHIFT)
208 #define PFID_MAXID (~PFID_CPUMASK)
209 CTASSERT((1 << PFID_CPUBITS) > MAXCPU);
211 static void pf_src_tree_remove_state(struct pf_state *);
212 static void pf_init_threshold(struct pf_threshold *, u_int32_t,
214 static void pf_add_threshold(struct pf_threshold *);
215 static int pf_check_threshold(struct pf_threshold *);
217 static void pf_change_ap(struct pf_addr *, u_int16_t *,
218 u_int16_t *, u_int16_t *, struct pf_addr *,
219 u_int16_t, u_int8_t, sa_family_t);
220 static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
221 struct tcphdr *, struct pf_state_peer *);
222 static void pf_change_icmp(struct pf_addr *, u_int16_t *,
223 struct pf_addr *, struct pf_addr *, u_int16_t,
224 u_int16_t *, u_int16_t *, u_int16_t *,
225 u_int16_t *, u_int8_t, sa_family_t);
226 static void pf_send_tcp(struct mbuf *,
227 const struct pf_rule *, sa_family_t,
228 const struct pf_addr *, const struct pf_addr *,
229 u_int16_t, u_int16_t, u_int32_t, u_int32_t,
230 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
231 u_int16_t, struct ifnet *);
232 static void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
233 sa_family_t, struct pf_rule *);
234 static void pf_detach_state(struct pf_state *);
235 static int pf_state_key_attach(struct pf_state_key *,
236 struct pf_state_key *, struct pf_state *);
237 static void pf_state_key_detach(struct pf_state *, int);
238 static int pf_state_key_ctor(void *, int, void *, int);
239 static u_int32_t pf_tcp_iss(struct pf_pdesc *);
240 static int pf_test_rule(struct pf_rule **, struct pf_state **,
241 int, struct pfi_kif *, struct mbuf *, int,
242 struct pf_pdesc *, struct pf_rule **,
243 struct pf_ruleset **, struct inpcb *);
244 static int pf_create_state(struct pf_rule *, struct pf_rule *,
245 struct pf_rule *, struct pf_pdesc *,
246 struct pf_src_node *, struct pf_state_key *,
247 struct pf_state_key *, struct mbuf *, int,
248 u_int16_t, u_int16_t, int *, struct pfi_kif *,
249 struct pf_state **, int, u_int16_t, u_int16_t,
251 static int pf_test_fragment(struct pf_rule **, int,
252 struct pfi_kif *, struct mbuf *, void *,
253 struct pf_pdesc *, struct pf_rule **,
254 struct pf_ruleset **);
255 static int pf_tcp_track_full(struct pf_state_peer *,
256 struct pf_state_peer *, struct pf_state **,
257 struct pfi_kif *, struct mbuf *, int,
258 struct pf_pdesc *, u_short *, int *);
259 static int pf_tcp_track_sloppy(struct pf_state_peer *,
260 struct pf_state_peer *, struct pf_state **,
261 struct pf_pdesc *, u_short *);
262 static int pf_test_state_tcp(struct pf_state **, int,
263 struct pfi_kif *, struct mbuf *, int,
264 void *, struct pf_pdesc *, u_short *);
265 static int pf_test_state_udp(struct pf_state **, int,
266 struct pfi_kif *, struct mbuf *, int,
267 void *, struct pf_pdesc *);
268 static int pf_test_state_icmp(struct pf_state **, int,
269 struct pfi_kif *, struct mbuf *, int,
270 void *, struct pf_pdesc *, u_short *);
271 static int pf_test_state_other(struct pf_state **, int,
272 struct pfi_kif *, struct mbuf *, struct pf_pdesc *);
273 static u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t,
275 static u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t,
277 static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
279 static void pf_set_rt_ifp(struct pf_state *,
281 static int pf_check_proto_cksum(struct mbuf *, int, int,
282 u_int8_t, sa_family_t);
283 static void pf_print_state_parts(struct pf_state *,
284 struct pf_state_key *, struct pf_state_key *);
285 static int pf_addr_wrap_neq(struct pf_addr_wrap *,
286 struct pf_addr_wrap *);
287 static struct pf_state *pf_find_state(struct pfi_kif *,
288 struct pf_state_key_cmp *, u_int);
289 static int pf_src_connlimit(struct pf_state **);
290 static void pf_flush_task(void *c, int pending);
291 static int pf_insert_src_node(struct pf_src_node **,
292 struct pf_rule *, struct pf_addr *, sa_family_t);
293 static int pf_purge_expired_states(int);
294 static void pf_purge_unlinked_rules(void);
295 static int pf_mtag_init(void *, int, int);
296 static void pf_mtag_free(struct m_tag *);
298 static void pf_route(struct mbuf **, struct pf_rule *, int,
299 struct ifnet *, struct pf_state *,
303 static void pf_change_a6(struct pf_addr *, u_int16_t *,
304 struct pf_addr *, u_int8_t);
305 static void pf_route6(struct mbuf **, struct pf_rule *, int,
306 struct ifnet *, struct pf_state *,
310 int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len);
312 VNET_DECLARE(int, pf_end_threads);
314 VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
316 #define PACKET_LOOPED(pd) ((pd)->pf_mtag && \
317 (pd)->pf_mtag->flags & PF_PACKET_LOOPED)
319 #define STATE_LOOKUP(i, k, d, s, pd) \
321 (s) = pf_find_state((i), (k), (d)); \
322 if ((s) == NULL || (s)->timeout == PFTM_PURGE) \
324 if (PACKET_LOOPED(pd)) \
326 if ((d) == PF_OUT && \
327 (((s)->rule.ptr->rt == PF_ROUTETO && \
328 (s)->rule.ptr->direction == PF_OUT) || \
329 ((s)->rule.ptr->rt == PF_REPLYTO && \
330 (s)->rule.ptr->direction == PF_IN)) && \
331 (s)->rt_kif != NULL && \
332 (s)->rt_kif != (i)) \
336 #define BOUND_IFACE(r, k) \
337 ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : V_pfi_all
339 #define STATE_INC_COUNTERS(s) \
341 s->rule.ptr->states_cur++; \
342 s->rule.ptr->states_tot++; \
343 if (s->anchor.ptr != NULL) { \
344 s->anchor.ptr->states_cur++; \
345 s->anchor.ptr->states_tot++; \
347 if (s->nat_rule.ptr != NULL) { \
348 s->nat_rule.ptr->states_cur++; \
349 s->nat_rule.ptr->states_tot++; \
353 #define STATE_DEC_COUNTERS(s) \
355 if (s->nat_rule.ptr != NULL) \
356 s->nat_rule.ptr->states_cur--; \
357 if (s->anchor.ptr != NULL) \
358 s->anchor.ptr->states_cur--; \
359 s->rule.ptr->states_cur--; \
362 static MALLOC_DEFINE(M_PFHASH, "pf_hash", "pf(4) hash header structures");
363 VNET_DEFINE(struct pf_keyhash *, pf_keyhash);
364 VNET_DEFINE(struct pf_idhash *, pf_idhash);
365 VNET_DEFINE(u_long, pf_hashmask);
366 VNET_DEFINE(struct pf_srchash *, pf_srchash);
367 VNET_DEFINE(u_long, pf_srchashmask);
369 SYSCTL_NODE(_net, OID_AUTO, pf, CTLFLAG_RW, 0, "pf(4)");
371 VNET_DEFINE(u_long, pf_hashsize);
372 #define V_pf_hashsize VNET(pf_hashsize)
373 SYSCTL_VNET_UINT(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN,
374 &VNET_NAME(pf_hashsize), 0, "Size of pf(4) states hashtable");
376 VNET_DEFINE(u_long, pf_srchashsize);
377 #define V_pf_srchashsize VNET(pf_srchashsize)
378 SYSCTL_VNET_UINT(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
379 &VNET_NAME(pf_srchashsize), 0, "Size of pf(4) source nodes hashtable");
381 VNET_DEFINE(void *, pf_swi_cookie);
383 VNET_DEFINE(uint32_t, pf_hashseed);
384 #define V_pf_hashseed VNET(pf_hashseed)
386 static __inline uint32_t
387 pf_hashkey(struct pf_state_key *sk)
391 h = jenkins_hash32((uint32_t *)sk,
392 sizeof(struct pf_state_key_cmp)/sizeof(uint32_t),
395 return (h & V_pf_hashmask);
400 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
405 dst->addr32[0] = src->addr32[0];
409 dst->addr32[0] = src->addr32[0];
410 dst->addr32[1] = src->addr32[1];
411 dst->addr32[2] = src->addr32[2];
412 dst->addr32[3] = src->addr32[3];
419 pf_init_threshold(struct pf_threshold *threshold,
420 u_int32_t limit, u_int32_t seconds)
422 threshold->limit = limit * PF_THRESHOLD_MULT;
423 threshold->seconds = seconds;
424 threshold->count = 0;
425 threshold->last = time_uptime;
429 pf_add_threshold(struct pf_threshold *threshold)
431 u_int32_t t = time_uptime, diff = t - threshold->last;
433 if (diff >= threshold->seconds)
434 threshold->count = 0;
436 threshold->count -= threshold->count * diff /
438 threshold->count += PF_THRESHOLD_MULT;
443 pf_check_threshold(struct pf_threshold *threshold)
445 return (threshold->count > threshold->limit);
449 pf_src_connlimit(struct pf_state **state)
452 struct pf_flush_entry *pffe;
455 PF_STATE_LOCK_ASSERT(*state);
457 (*state)->src_node->conn++;
458 (*state)->src.tcp_est = 1;
459 pf_add_threshold(&(*state)->src_node->conn_rate);
461 if ((*state)->rule.ptr->max_src_conn &&
462 (*state)->rule.ptr->max_src_conn <
463 (*state)->src_node->conn) {
464 V_pf_status.lcounters[LCNT_SRCCONN]++;
468 if ((*state)->rule.ptr->max_src_conn_rate.limit &&
469 pf_check_threshold(&(*state)->src_node->conn_rate)) {
470 V_pf_status.lcounters[LCNT_SRCCONNRATE]++;
477 /* Kill this state. */
478 (*state)->timeout = PFTM_PURGE;
479 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
481 if ((*state)->rule.ptr->overload_tbl == NULL)
484 V_pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
485 if (V_pf_status.debug >= PF_DEBUG_MISC) {
486 printf("%s: blocking address ", __func__);
487 pf_print_host(&(*state)->src_node->addr, 0,
488 (*state)->key[PF_SK_WIRE]->af);
492 bzero(&p, sizeof(p));
493 p.pfra_af = (*state)->key[PF_SK_WIRE]->af;
494 switch ((*state)->key[PF_SK_WIRE]->af) {
498 p.pfra_ip4addr = (*state)->src_node->addr.v4;
504 p.pfra_ip6addr = (*state)->src_node->addr.v6;
509 pfr_insert_kentry((*state)->rule.ptr->overload_tbl, &p, time_second);
511 if ((*state)->rule.ptr->flush == 0)
514 /* Schedule flushing task. */
515 pffe = malloc(sizeof(*pffe), M_PFTEMP, M_NOWAIT);
517 return (1); /* too bad :( */
519 bcopy(&(*state)->src_node->addr, &pffe->addr, sizeof(pffe->addr));
520 pffe->af = (*state)->key[PF_SK_WIRE]->af;
521 pffe->dir = (*state)->direction;
522 if ((*state)->rule.ptr->flush & PF_FLUSH_GLOBAL)
525 pffe->rule = (*state)->rule.ptr;
527 SLIST_INSERT_HEAD(&V_pf_flushqueue, pffe, next);
529 taskqueue_enqueue(taskqueue_swi, &V_pf_flushtask);
535 pf_flush_task(void *c, int pending)
537 struct pf_flush_head queue;
538 struct pf_flush_entry *pffe, *pffe1;
542 queue = *(struct pf_flush_head *)c;
543 SLIST_INIT((struct pf_flush_head *)c);
546 V_pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
548 for (int i = 0; i <= V_pf_hashmask; i++) {
549 struct pf_idhash *ih = &V_pf_idhash[i];
550 struct pf_state_key *sk;
554 LIST_FOREACH(s, &ih->states, entry) {
555 sk = s->key[PF_SK_WIRE];
556 SLIST_FOREACH(pffe, &queue, next)
557 if (sk->af == pffe->af && (pffe->rule == NULL ||
558 pffe->rule == s->rule.ptr) &&
559 ((pffe->dir == PF_OUT &&
560 PF_AEQ(&pffe->addr, &sk->addr[1], sk->af)) ||
561 (pffe->dir == PF_IN &&
562 PF_AEQ(&pffe->addr, &sk->addr[0], sk->af)))) {
563 s->timeout = PFTM_PURGE;
564 s->src.state = s->dst.state = TCPS_CLOSED;
568 PF_HASHROW_UNLOCK(ih);
570 SLIST_FOREACH_SAFE(pffe, &queue, next, pffe1)
571 free(pffe, M_PFTEMP);
572 if (V_pf_status.debug >= PF_DEBUG_MISC)
573 printf("%s: %u states killed", __func__, killed);
577 * Can return locked on failure, so that we can consistently
578 * allocate and insert a new one.
581 pf_find_src_node(struct pf_addr *src, struct pf_rule *rule, sa_family_t af,
584 struct pf_srchash *sh;
585 struct pf_src_node *n;
587 V_pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
589 sh = &V_pf_srchash[pf_hashsrc(src, af)];
591 LIST_FOREACH(n, &sh->nodes, entry)
592 if (n->rule.ptr == rule && n->af == af &&
593 ((af == AF_INET && n->addr.v4.s_addr == src->v4.s_addr) ||
594 (af == AF_INET6 && bcmp(&n->addr, src, sizeof(*src)) == 0)))
596 if (n != NULL || returnlocked == 0)
597 PF_HASHROW_UNLOCK(sh);
603 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
604 struct pf_addr *src, sa_family_t af)
607 KASSERT((rule->rule_flag & PFRULE_RULESRCTRACK ||
608 rule->rpool.opts & PF_POOL_STICKYADDR),
609 ("%s for non-tracking rule %p", __func__, rule));
612 *sn = pf_find_src_node(src, rule, af, 1);
615 struct pf_srchash *sh = &V_pf_srchash[pf_hashsrc(src, af)];
617 PF_HASHROW_ASSERT(sh);
619 if (!rule->max_src_nodes ||
620 rule->src_nodes < rule->max_src_nodes)
621 (*sn) = uma_zalloc(V_pf_sources_z, M_NOWAIT | M_ZERO);
623 V_pf_status.lcounters[LCNT_SRCNODES]++;
625 PF_HASHROW_UNLOCK(sh);
629 pf_init_threshold(&(*sn)->conn_rate,
630 rule->max_src_conn_rate.limit,
631 rule->max_src_conn_rate.seconds);
634 (*sn)->rule.ptr = rule;
635 PF_ACPY(&(*sn)->addr, src, af);
636 LIST_INSERT_HEAD(&sh->nodes, *sn, entry);
637 (*sn)->creation = time_uptime;
638 (*sn)->ruletype = rule->action;
639 if ((*sn)->rule.ptr != NULL)
640 (*sn)->rule.ptr->src_nodes++;
641 PF_HASHROW_UNLOCK(sh);
642 V_pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
643 V_pf_status.src_nodes++;
645 if (rule->max_src_states &&
646 (*sn)->states >= rule->max_src_states) {
647 V_pf_status.lcounters[LCNT_SRCSTATES]++;
655 pf_remove_src_node(struct pf_src_node *src)
657 struct pf_srchash *sh;
659 sh = &V_pf_srchash[pf_hashsrc(&src->addr, src->af)];
661 LIST_REMOVE(src, entry);
662 PF_HASHROW_UNLOCK(sh);
665 /* Data storage structures initialization. */
669 struct pf_keyhash *kh;
670 struct pf_idhash *ih;
671 struct pf_srchash *sh;
674 TUNABLE_ULONG_FETCH("net.pf.states_hashsize", &V_pf_hashsize);
675 if (V_pf_hashsize == 0 || !powerof2(V_pf_hashsize))
676 V_pf_hashsize = PF_HASHSIZ;
677 TUNABLE_ULONG_FETCH("net.pf.source_nodes_hashsize", &V_pf_srchashsize);
678 if (V_pf_srchashsize == 0 || !powerof2(V_pf_srchashsize))
679 V_pf_srchashsize = PF_HASHSIZ / 4;
681 V_pf_hashseed = arc4random();
683 /* States and state keys storage. */
684 V_pf_state_z = uma_zcreate("pf states", sizeof(struct pf_state),
685 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
686 V_pf_limits[PF_LIMIT_STATES].zone = V_pf_state_z;
687 uma_zone_set_max(V_pf_state_z, PFSTATE_HIWAT);
689 V_pf_state_key_z = uma_zcreate("pf state keys",
690 sizeof(struct pf_state_key), pf_state_key_ctor, NULL, NULL, NULL,
692 V_pf_keyhash = malloc(V_pf_hashsize * sizeof(struct pf_keyhash),
693 M_PFHASH, M_WAITOK | M_ZERO);
694 V_pf_idhash = malloc(V_pf_hashsize * sizeof(struct pf_idhash),
695 M_PFHASH, M_WAITOK | M_ZERO);
696 V_pf_hashmask = V_pf_hashsize - 1;
697 for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask;
699 mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF);
700 mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF);
704 V_pf_sources_z = uma_zcreate("pf source nodes",
705 sizeof(struct pf_src_node), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR,
707 V_pf_limits[PF_LIMIT_SRC_NODES].zone = V_pf_sources_z;
708 uma_zone_set_max(V_pf_sources_z, PFSNODE_HIWAT);
709 V_pf_srchash = malloc(V_pf_srchashsize * sizeof(struct pf_srchash),
710 M_PFHASH, M_WAITOK|M_ZERO);
711 V_pf_srchashmask = V_pf_srchashsize - 1;
712 for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++)
713 mtx_init(&sh->lock, "pf_srchash", NULL, MTX_DEF);
716 TAILQ_INIT(&V_pf_altqs[0]);
717 TAILQ_INIT(&V_pf_altqs[1]);
718 TAILQ_INIT(&V_pf_pabuf);
719 V_pf_altqs_active = &V_pf_altqs[0];
720 V_pf_altqs_inactive = &V_pf_altqs[1];
723 V_pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct m_tag) +
724 sizeof(struct pf_mtag), NULL, NULL, pf_mtag_init, NULL,
727 /* Send & flush queues. */
728 STAILQ_INIT(&V_pf_sendqueue);
729 SLIST_INIT(&V_pf_flushqueue);
730 TASK_INIT(&V_pf_flushtask, 0, pf_flush_task, &V_pf_flushqueue);
731 mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF);
732 mtx_init(&pf_flushqueue_mtx, "pf flush queue", NULL, MTX_DEF);
734 /* Unlinked, but may be referenced rules. */
735 TAILQ_INIT(&V_pf_unlinked_rules);
736 mtx_init(&pf_unlnkdrules_mtx, "pf unlinked rules", NULL, MTX_DEF);
742 struct pf_keyhash *kh;
743 struct pf_idhash *ih;
744 struct pf_srchash *sh;
745 struct pf_send_entry *pfse, *next;
748 for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask;
750 KASSERT(LIST_EMPTY(&kh->keys), ("%s: key hash not empty",
752 KASSERT(LIST_EMPTY(&ih->states), ("%s: id hash not empty",
754 mtx_destroy(&kh->lock);
755 mtx_destroy(&ih->lock);
757 free(V_pf_keyhash, M_PFHASH);
758 free(V_pf_idhash, M_PFHASH);
760 for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) {
761 KASSERT(LIST_EMPTY(&sh->nodes),
762 ("%s: source node hash not empty", __func__));
763 mtx_destroy(&sh->lock);
765 free(V_pf_srchash, M_PFHASH);
767 STAILQ_FOREACH_SAFE(pfse, &V_pf_sendqueue, pfse_next, next) {
768 m_freem(pfse->pfse_m);
769 free(pfse, M_PFTEMP);
772 mtx_destroy(&pf_sendqueue_mtx);
773 mtx_destroy(&pf_flushqueue_mtx);
774 mtx_destroy(&pf_unlnkdrules_mtx);
776 uma_zdestroy(V_pf_mtag_z);
777 uma_zdestroy(V_pf_sources_z);
778 uma_zdestroy(V_pf_state_z);
779 uma_zdestroy(V_pf_state_key_z);
783 pf_mtag_init(void *mem, int size, int how)
787 t = (struct m_tag *)mem;
788 t->m_tag_cookie = MTAG_ABI_COMPAT;
789 t->m_tag_id = PACKET_TAG_PF;
790 t->m_tag_len = sizeof(struct pf_mtag);
791 t->m_tag_free = pf_mtag_free;
797 pf_mtag_free(struct m_tag *t)
800 uma_zfree(V_pf_mtag_z, t);
804 pf_get_mtag(struct mbuf *m)
808 if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) != NULL)
809 return ((struct pf_mtag *)(mtag + 1));
811 mtag = uma_zalloc(V_pf_mtag_z, M_NOWAIT);
814 bzero(mtag + 1, sizeof(struct pf_mtag));
815 m_tag_prepend(m, mtag);
817 return ((struct pf_mtag *)(mtag + 1));
821 pf_state_key_attach(struct pf_state_key *skw, struct pf_state_key *sks,
824 struct pf_keyhash *kh;
825 struct pf_state_key *sk, *cur;
826 struct pf_state *si, *olds = NULL;
829 KASSERT(s->refs == 0, ("%s: state not pristine", __func__));
830 KASSERT(s->key[PF_SK_WIRE] == NULL, ("%s: state has key", __func__));
831 KASSERT(s->key[PF_SK_STACK] == NULL, ("%s: state has key", __func__));
834 * First run: start with wire key.
840 kh = &V_pf_keyhash[pf_hashkey(sk)];
843 LIST_FOREACH(cur, &kh->keys, entry)
844 if (bcmp(cur, sk, sizeof(struct pf_state_key_cmp)) == 0)
848 /* Key exists. Check for same kif, if none, add to key. */
849 TAILQ_FOREACH(si, &cur->states[idx], key_list[idx]) {
850 struct pf_idhash *ih = &V_pf_idhash[PF_IDHASH(si)];
853 if (si->kif == s->kif &&
854 si->direction == s->direction) {
855 if (sk->proto == IPPROTO_TCP &&
856 si->src.state >= TCPS_FIN_WAIT_2 &&
857 si->dst.state >= TCPS_FIN_WAIT_2) {
858 si->src.state = si->dst.state =
860 /* Unlink later or cur can go away. */
864 if (V_pf_status.debug >= PF_DEBUG_MISC) {
865 printf("pf: %s key attach "
867 (idx == PF_SK_WIRE) ?
870 pf_print_state_parts(s,
871 (idx == PF_SK_WIRE) ?
873 (idx == PF_SK_STACK) ?
875 printf(", existing: ");
876 pf_print_state_parts(si,
877 (idx == PF_SK_WIRE) ?
879 (idx == PF_SK_STACK) ?
883 PF_HASHROW_UNLOCK(ih);
884 PF_HASHROW_UNLOCK(kh);
885 uma_zfree(V_pf_state_key_z, sk);
886 if (idx == PF_SK_STACK)
888 return (-1); /* collision! */
891 PF_HASHROW_UNLOCK(ih);
893 uma_zfree(V_pf_state_key_z, sk);
896 LIST_INSERT_HEAD(&kh->keys, sk, entry);
901 /* List is sorted, if-bound states before floating. */
902 if (s->kif == V_pfi_all)
903 TAILQ_INSERT_TAIL(&s->key[idx]->states[idx], s, key_list[idx]);
905 TAILQ_INSERT_HEAD(&s->key[idx]->states[idx], s, key_list[idx]);
908 * Attach done. See how should we (or should not?)
909 * attach a second key.
912 s->key[PF_SK_STACK] = s->key[PF_SK_WIRE];
916 } else if (sks != NULL) {
917 PF_HASHROW_UNLOCK(kh);
919 pf_unlink_state(olds, 0);
920 pf_release_state(olds);
924 * Continue attaching with stack key.
931 PF_HASHROW_UNLOCK(kh);
934 pf_unlink_state(olds, 0);
935 pf_release_state(olds);
938 KASSERT(s->key[PF_SK_WIRE] != NULL && s->key[PF_SK_STACK] != NULL,
939 ("%s failure", __func__));
945 pf_detach_state(struct pf_state *s)
947 struct pf_state_key *sks = s->key[PF_SK_STACK];
948 struct pf_keyhash *kh;
951 kh = &V_pf_keyhash[pf_hashkey(sks)];
953 if (s->key[PF_SK_STACK] != NULL)
954 pf_state_key_detach(s, PF_SK_STACK);
956 * If both point to same key, then we are done.
958 if (sks == s->key[PF_SK_WIRE]) {
959 pf_state_key_detach(s, PF_SK_WIRE);
960 PF_HASHROW_UNLOCK(kh);
963 PF_HASHROW_UNLOCK(kh);
966 if (s->key[PF_SK_WIRE] != NULL) {
967 kh = &V_pf_keyhash[pf_hashkey(s->key[PF_SK_WIRE])];
969 if (s->key[PF_SK_WIRE] != NULL)
970 pf_state_key_detach(s, PF_SK_WIRE);
971 PF_HASHROW_UNLOCK(kh);
976 pf_state_key_detach(struct pf_state *s, int idx)
978 struct pf_state_key *sk = s->key[idx];
980 struct pf_keyhash *kh = &V_pf_keyhash[pf_hashkey(sk)];
982 PF_HASHROW_ASSERT(kh);
984 TAILQ_REMOVE(&sk->states[idx], s, key_list[idx]);
987 if (TAILQ_EMPTY(&sk->states[0]) && TAILQ_EMPTY(&sk->states[1])) {
988 LIST_REMOVE(sk, entry);
989 uma_zfree(V_pf_state_key_z, sk);
994 pf_state_key_ctor(void *mem, int size, void *arg, int flags)
996 struct pf_state_key *sk = mem;
998 bzero(sk, sizeof(struct pf_state_key_cmp));
999 TAILQ_INIT(&sk->states[PF_SK_WIRE]);
1000 TAILQ_INIT(&sk->states[PF_SK_STACK]);
1005 struct pf_state_key *
1006 pf_state_key_setup(struct pf_pdesc *pd, struct pf_addr *saddr,
1007 struct pf_addr *daddr, u_int16_t sport, u_int16_t dport)
1009 struct pf_state_key *sk;
1011 sk = uma_zalloc(V_pf_state_key_z, M_NOWAIT);
1015 PF_ACPY(&sk->addr[pd->sidx], saddr, pd->af);
1016 PF_ACPY(&sk->addr[pd->didx], daddr, pd->af);
1017 sk->port[pd->sidx] = sport;
1018 sk->port[pd->didx] = dport;
1019 sk->proto = pd->proto;
1025 struct pf_state_key *
1026 pf_state_key_clone(struct pf_state_key *orig)
1028 struct pf_state_key *sk;
1030 sk = uma_zalloc(V_pf_state_key_z, M_NOWAIT);
1034 bcopy(orig, sk, sizeof(struct pf_state_key_cmp));
1040 pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
1041 struct pf_state_key *sks, struct pf_state *s)
1043 struct pf_idhash *ih;
1044 struct pf_state *cur;
1046 KASSERT(TAILQ_EMPTY(&sks->states[0]) && TAILQ_EMPTY(&sks->states[1]),
1047 ("%s: sks not pristine", __func__));
1048 KASSERT(TAILQ_EMPTY(&skw->states[0]) && TAILQ_EMPTY(&skw->states[1]),
1049 ("%s: skw not pristine", __func__));
1050 KASSERT(s->refs == 0, ("%s: state not pristine", __func__));
1054 if (pf_state_key_attach(skw, sks, s))
1057 if (s->id == 0 && s->creatorid == 0) {
1058 /* XXX: should be atomic, but probability of collision low */
1059 if ((s->id = V_pf_stateid[curcpu]++) == PFID_MAXID)
1060 V_pf_stateid[curcpu] = 1;
1061 s->id |= (uint64_t )curcpu << PFID_CPUSHIFT;
1062 s->id = htobe64(s->id);
1063 s->creatorid = V_pf_status.hostid;
1066 ih = &V_pf_idhash[PF_IDHASH(s)];
1067 PF_HASHROW_LOCK(ih);
1068 LIST_FOREACH(cur, &ih->states, entry)
1069 if (cur->id == s->id && cur->creatorid == s->creatorid)
1073 PF_HASHROW_UNLOCK(ih);
1074 if (V_pf_status.debug >= PF_DEBUG_MISC) {
1075 printf("pf: state insert failed: "
1076 "id: %016llx creatorid: %08x",
1077 (unsigned long long)be64toh(s->id),
1078 ntohl(s->creatorid));
1084 LIST_INSERT_HEAD(&ih->states, s, entry);
1085 /* One for keys, one for ID hash. */
1086 refcount_init(&s->refs, 2);
1088 V_pf_status.fcounters[FCNT_STATE_INSERT]++;
1089 if (pfsync_insert_state_ptr != NULL)
1090 pfsync_insert_state_ptr(s);
1092 /* Returns locked. */
1097 * Find state by ID: returns with locked row on success.
1100 pf_find_state_byid(uint64_t id, uint32_t creatorid)
1102 struct pf_idhash *ih;
1105 V_pf_status.fcounters[FCNT_STATE_SEARCH]++;
1107 ih = &V_pf_idhash[(be64toh(id) % (V_pf_hashmask + 1))];
1109 PF_HASHROW_LOCK(ih);
1110 LIST_FOREACH(s, &ih->states, entry)
1111 if (s->id == id && s->creatorid == creatorid)
1115 PF_HASHROW_UNLOCK(ih);
1121 * Find state by key.
1122 * Returns with ID hash slot locked on success.
1124 static struct pf_state *
1125 pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir)
1127 struct pf_keyhash *kh;
1128 struct pf_state_key *sk;
1132 V_pf_status.fcounters[FCNT_STATE_SEARCH]++;
1134 kh = &V_pf_keyhash[pf_hashkey((struct pf_state_key *)key)];
1136 PF_HASHROW_LOCK(kh);
1137 LIST_FOREACH(sk, &kh->keys, entry)
1138 if (bcmp(sk, key, sizeof(struct pf_state_key_cmp)) == 0)
1141 PF_HASHROW_UNLOCK(kh);
1145 idx = (dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK);
1147 /* List is sorted, if-bound states before floating ones. */
1148 TAILQ_FOREACH(s, &sk->states[idx], key_list[idx])
1149 if (s->kif == V_pfi_all || s->kif == kif) {
1151 PF_HASHROW_UNLOCK(kh);
1152 if (s->timeout == PFTM_UNLINKED) {
1154 * State is being processed
1155 * by pf_unlink_state() in
1163 PF_HASHROW_UNLOCK(kh);
1169 pf_find_state_all(struct pf_state_key_cmp *key, u_int dir, int *more)
1171 struct pf_keyhash *kh;
1172 struct pf_state_key *sk;
1173 struct pf_state *s, *ret = NULL;
1176 V_pf_status.fcounters[FCNT_STATE_SEARCH]++;
1178 kh = &V_pf_keyhash[pf_hashkey((struct pf_state_key *)key)];
1180 PF_HASHROW_LOCK(kh);
1181 LIST_FOREACH(sk, &kh->keys, entry)
1182 if (bcmp(sk, key, sizeof(struct pf_state_key_cmp)) == 0)
1185 PF_HASHROW_UNLOCK(kh);
1200 panic("%s: dir %u", __func__, dir);
1203 TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) {
1205 PF_HASHROW_UNLOCK(kh);
1219 PF_HASHROW_UNLOCK(kh);
1224 /* END state table stuff */
1227 pf_send(struct pf_send_entry *pfse)
1231 STAILQ_INSERT_TAIL(&V_pf_sendqueue, pfse, pfse_next);
1233 swi_sched(V_pf_swi_cookie, 0);
1239 struct pf_send_head queue;
1240 struct pf_send_entry *pfse, *next;
1242 CURVNET_SET((struct vnet *)v);
1245 queue = V_pf_sendqueue;
1246 STAILQ_INIT(&V_pf_sendqueue);
1249 STAILQ_FOREACH_SAFE(pfse, &queue, pfse_next, next) {
1250 switch (pfse->pfse_type) {
1253 ip_output(pfse->pfse_m, NULL, NULL, 0, NULL, NULL);
1256 icmp_error(pfse->pfse_m, pfse->pfse_icmp_type,
1257 pfse->pfse_icmp_code, 0, pfse->pfse_icmp_mtu);
1262 ip6_output(pfse->pfse_m, NULL, NULL, 0, NULL, NULL,
1266 icmp6_error(pfse->pfse_m, pfse->pfse_icmp_type,
1267 pfse->pfse_icmp_code, pfse->pfse_icmp_mtu);
1271 panic("%s: unknown type", __func__);
1273 free(pfse, M_PFTEMP);
1279 pf_purge_thread(void *v)
1283 CURVNET_SET((struct vnet *)v);
1287 rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftm", hz / 10);
1289 if (V_pf_end_threads) {
1291 * To cleanse up all kifs and rules we need
1292 * two runs: first one clears reference flags,
1293 * then pf_purge_expired_states() doesn't
1294 * raise them, and then second run frees.
1297 pf_purge_unlinked_rules();
1301 * Now purge everything.
1303 pf_purge_expired_states(V_pf_hashmask + 1);
1304 pf_purge_expired_fragments();
1305 pf_purge_expired_src_nodes();
1308 * Now all kifs & rules should be unreferenced,
1309 * thus should be successfully freed.
1311 pf_purge_unlinked_rules();
1315 * Announce success and exit.
1320 wakeup(pf_purge_thread);
1325 /* Process 1/interval fraction of the state table every run. */
1326 fullrun = pf_purge_expired_states(V_pf_hashmask /
1327 (V_pf_default_rule.timeout[PFTM_INTERVAL] * 10));
1329 /* Purge other expired types every PFTM_INTERVAL seconds. */
1332 * Order is important:
1333 * - states and src nodes reference rules
1334 * - states and rules reference kifs
1336 pf_purge_expired_fragments();
1337 pf_purge_expired_src_nodes();
1338 pf_purge_unlinked_rules();
1347 pf_state_expires(const struct pf_state *state)
1354 /* handle all PFTM_* > PFTM_MAX here */
1355 if (state->timeout == PFTM_PURGE)
1356 return (time_uptime);
1357 if (state->timeout == PFTM_UNTIL_PACKET)
1359 KASSERT(state->timeout != PFTM_UNLINKED,
1360 ("pf_state_expires: timeout == PFTM_UNLINKED"));
1361 KASSERT((state->timeout < PFTM_MAX),
1362 ("pf_state_expires: timeout > PFTM_MAX"));
1363 timeout = state->rule.ptr->timeout[state->timeout];
1365 timeout = V_pf_default_rule.timeout[state->timeout];
1366 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1368 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1369 states = state->rule.ptr->states_cur; /* XXXGL */
1371 start = V_pf_default_rule.timeout[PFTM_ADAPTIVE_START];
1372 end = V_pf_default_rule.timeout[PFTM_ADAPTIVE_END];
1373 states = V_pf_status.states;
1375 if (end && states > start && start < end) {
1377 return (state->expire + timeout * (end - states) /
1380 return (time_uptime);
1382 return (state->expire + timeout);
1386 pf_purge_expired_src_nodes()
1388 struct pf_srchash *sh;
1389 struct pf_src_node *cur, *next;
1392 for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) {
1393 PF_HASHROW_LOCK(sh);
1394 LIST_FOREACH_SAFE(cur, &sh->nodes, entry, next)
1395 if (cur->states <= 0 && cur->expire <= time_uptime) {
1396 if (cur->rule.ptr != NULL)
1397 cur->rule.ptr->src_nodes--;
1398 LIST_REMOVE(cur, entry);
1399 V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
1400 V_pf_status.src_nodes--;
1401 uma_zfree(V_pf_sources_z, cur);
1402 } else if (cur->rule.ptr != NULL)
1403 cur->rule.ptr->rule_flag |= PFRULE_REFS;
1404 PF_HASHROW_UNLOCK(sh);
1409 pf_src_tree_remove_state(struct pf_state *s)
1413 if (s->src_node != NULL) {
1415 --s->src_node->conn;
1416 if (--s->src_node->states <= 0) {
1417 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1420 V_pf_default_rule.timeout[PFTM_SRC_NODE];
1421 s->src_node->expire = time_uptime + timeout;
1424 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
1425 if (--s->nat_src_node->states <= 0) {
1426 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1429 V_pf_default_rule.timeout[PFTM_SRC_NODE];
1430 s->nat_src_node->expire = time_uptime + timeout;
1433 s->src_node = s->nat_src_node = NULL;
1437 * Unlink and potentilly free a state. Function may be
1438 * called with ID hash row locked, but always returns
1439 * unlocked, since it needs to go through key hash locking.
1442 pf_unlink_state(struct pf_state *s, u_int flags)
1444 struct pf_idhash *ih = &V_pf_idhash[PF_IDHASH(s)];
1446 if ((flags & PF_ENTER_LOCKED) == 0)
1447 PF_HASHROW_LOCK(ih);
1449 PF_HASHROW_ASSERT(ih);
1451 if (s->timeout == PFTM_UNLINKED) {
1453 * State is being processed
1454 * by pf_unlink_state() in
1457 PF_HASHROW_UNLOCK(ih);
1458 return (0); /* XXXGL: undefined actually */
1461 s->timeout = PFTM_UNLINKED;
1463 if (s->src.state == PF_TCPS_PROXY_DST) {
1464 /* XXX wire key the right one? */
1465 pf_send_tcp(NULL, s->rule.ptr, s->key[PF_SK_WIRE]->af,
1466 &s->key[PF_SK_WIRE]->addr[1],
1467 &s->key[PF_SK_WIRE]->addr[0],
1468 s->key[PF_SK_WIRE]->port[1],
1469 s->key[PF_SK_WIRE]->port[0],
1470 s->src.seqhi, s->src.seqlo + 1,
1471 TH_RST|TH_ACK, 0, 0, 0, 1, s->tag, NULL);
1474 LIST_REMOVE(s, entry);
1475 pf_src_tree_remove_state(s);
1476 PF_HASHROW_UNLOCK(ih);
1478 if (pfsync_delete_state_ptr != NULL)
1479 pfsync_delete_state_ptr(s);
1482 refcount_release(&s->refs);
1484 return (pf_release_state(s));
1488 pf_free_state(struct pf_state *cur)
1491 KASSERT(cur->refs == 0, ("%s: %p has refs", __func__, cur));
1492 KASSERT(cur->timeout == PFTM_UNLINKED, ("%s: timeout %u", __func__,
1494 --cur->rule.ptr->states_cur;
1495 if (cur->nat_rule.ptr != NULL)
1496 --cur->nat_rule.ptr->states_cur;
1497 if (cur->anchor.ptr != NULL)
1498 --cur->anchor.ptr->states_cur;
1499 pf_normalize_tcp_cleanup(cur);
1500 uma_zfree(V_pf_state_z, cur);
1501 V_pf_status.fcounters[FCNT_STATE_REMOVALS]++;
1505 * Called only from pf_purge_thread(), thus serialized.
1508 pf_purge_expired_states(int maxcheck)
1512 struct pf_idhash *ih;
1516 V_pf_status.states = uma_zone_get_cur(V_pf_state_z);
1519 * Go through hash and unlink states that expire now.
1521 while (maxcheck > 0) {
1523 /* Wrap to start of hash when we hit the end. */
1524 if (i > V_pf_hashmask) {
1529 ih = &V_pf_idhash[i];
1531 PF_HASHROW_LOCK(ih);
1532 LIST_FOREACH(s, &ih->states, entry) {
1533 if (pf_state_expires(s) <= time_uptime) {
1534 V_pf_status.states -=
1535 pf_unlink_state(s, PF_ENTER_LOCKED);
1538 s->rule.ptr->rule_flag |= PFRULE_REFS;
1539 if (s->nat_rule.ptr != NULL)
1540 s->nat_rule.ptr->rule_flag |= PFRULE_REFS;
1541 if (s->anchor.ptr != NULL)
1542 s->anchor.ptr->rule_flag |= PFRULE_REFS;
1543 s->kif->pfik_flags |= PFI_IFLAG_REFS;
1545 s->rt_kif->pfik_flags |= PFI_IFLAG_REFS;
1547 PF_HASHROW_UNLOCK(ih);
1552 V_pf_status.states = uma_zone_get_cur(V_pf_state_z);
1558 pf_purge_unlinked_rules()
1560 struct pf_rulequeue tmpq;
1561 struct pf_rule *r, *r1;
1564 * Do naive mark-and-sweep garbage collecting of old rules.
1565 * Reference flag is raised by pf_purge_expired_states()
1566 * and pf_purge_expired_src_nodes().
1568 * To avoid LOR between PF_UNLNKDRULES_LOCK/PF_RULES_WLOCK,
1569 * use a temporary queue.
1572 PF_UNLNKDRULES_LOCK();
1573 TAILQ_FOREACH_SAFE(r, &V_pf_unlinked_rules, entries, r1) {
1574 if (!(r->rule_flag & PFRULE_REFS)) {
1575 TAILQ_REMOVE(&V_pf_unlinked_rules, r, entries);
1576 TAILQ_INSERT_TAIL(&tmpq, r, entries);
1578 r->rule_flag &= ~PFRULE_REFS;
1580 PF_UNLNKDRULES_UNLOCK();
1582 if (!TAILQ_EMPTY(&tmpq)) {
1584 TAILQ_FOREACH_SAFE(r, &tmpq, entries, r1) {
1585 TAILQ_REMOVE(&tmpq, r, entries);
1593 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
1598 u_int32_t a = ntohl(addr->addr32[0]);
1599 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
1611 u_int8_t i, curstart, curend, maxstart, maxend;
1612 curstart = curend = maxstart = maxend = 255;
1613 for (i = 0; i < 8; i++) {
1614 if (!addr->addr16[i]) {
1615 if (curstart == 255)
1619 if ((curend - curstart) >
1620 (maxend - maxstart)) {
1621 maxstart = curstart;
1624 curstart = curend = 255;
1627 if ((curend - curstart) >
1628 (maxend - maxstart)) {
1629 maxstart = curstart;
1632 for (i = 0; i < 8; i++) {
1633 if (i >= maxstart && i <= maxend) {
1639 b = ntohs(addr->addr16[i]);
1656 pf_print_state(struct pf_state *s)
1658 pf_print_state_parts(s, NULL, NULL);
1662 pf_print_state_parts(struct pf_state *s,
1663 struct pf_state_key *skwp, struct pf_state_key *sksp)
1665 struct pf_state_key *skw, *sks;
1666 u_int8_t proto, dir;
1668 /* Do our best to fill these, but they're skipped if NULL */
1669 skw = skwp ? skwp : (s ? s->key[PF_SK_WIRE] : NULL);
1670 sks = sksp ? sksp : (s ? s->key[PF_SK_STACK] : NULL);
1671 proto = skw ? skw->proto : (sks ? sks->proto : 0);
1672 dir = s ? s->direction : 0;
1690 case IPPROTO_ICMPV6:
1694 printf("%u", skw->proto);
1707 pf_print_host(&skw->addr[0], skw->port[0], skw->af);
1709 pf_print_host(&skw->addr[1], skw->port[1], skw->af);
1714 pf_print_host(&sks->addr[0], sks->port[0], sks->af);
1716 pf_print_host(&sks->addr[1], sks->port[1], sks->af);
1721 if (proto == IPPROTO_TCP) {
1722 printf(" [lo=%u high=%u win=%u modulator=%u",
1723 s->src.seqlo, s->src.seqhi,
1724 s->src.max_win, s->src.seqdiff);
1725 if (s->src.wscale && s->dst.wscale)
1726 printf(" wscale=%u",
1727 s->src.wscale & PF_WSCALE_MASK);
1729 printf(" [lo=%u high=%u win=%u modulator=%u",
1730 s->dst.seqlo, s->dst.seqhi,
1731 s->dst.max_win, s->dst.seqdiff);
1732 if (s->src.wscale && s->dst.wscale)
1733 printf(" wscale=%u",
1734 s->dst.wscale & PF_WSCALE_MASK);
1737 printf(" %u:%u", s->src.state, s->dst.state);
1742 pf_print_flags(u_int8_t f)
1764 #define PF_SET_SKIP_STEPS(i) \
1766 while (head[i] != cur) { \
1767 head[i]->skip[i].ptr = cur; \
1768 head[i] = TAILQ_NEXT(head[i], entries); \
1773 pf_calc_skip_steps(struct pf_rulequeue *rules)
1775 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
1778 cur = TAILQ_FIRST(rules);
1780 for (i = 0; i < PF_SKIP_COUNT; ++i)
1782 while (cur != NULL) {
1784 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
1785 PF_SET_SKIP_STEPS(PF_SKIP_IFP);
1786 if (cur->direction != prev->direction)
1787 PF_SET_SKIP_STEPS(PF_SKIP_DIR);
1788 if (cur->af != prev->af)
1789 PF_SET_SKIP_STEPS(PF_SKIP_AF);
1790 if (cur->proto != prev->proto)
1791 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1792 if (cur->src.neg != prev->src.neg ||
1793 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
1794 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
1795 if (cur->src.port[0] != prev->src.port[0] ||
1796 cur->src.port[1] != prev->src.port[1] ||
1797 cur->src.port_op != prev->src.port_op)
1798 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1799 if (cur->dst.neg != prev->dst.neg ||
1800 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
1801 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
1802 if (cur->dst.port[0] != prev->dst.port[0] ||
1803 cur->dst.port[1] != prev->dst.port[1] ||
1804 cur->dst.port_op != prev->dst.port_op)
1805 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1808 cur = TAILQ_NEXT(cur, entries);
1810 for (i = 0; i < PF_SKIP_COUNT; ++i)
1811 PF_SET_SKIP_STEPS(i);
1815 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
1817 if (aw1->type != aw2->type)
1819 switch (aw1->type) {
1820 case PF_ADDR_ADDRMASK:
1822 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0))
1824 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0))
1827 case PF_ADDR_DYNIFTL:
1828 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
1829 case PF_ADDR_NOROUTE:
1830 case PF_ADDR_URPFFAILED:
1833 return (aw1->p.tbl != aw2->p.tbl);
1835 printf("invalid address type: %d\n", aw1->type);
1841 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
1847 l = cksum + old - new;
1848 l = (l >> 16) + (l & 65535);
1856 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
1857 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
1862 PF_ACPY(&ao, a, af);
1870 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1871 ao.addr16[0], an->addr16[0], 0),
1872 ao.addr16[1], an->addr16[1], 0);
1874 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1875 ao.addr16[0], an->addr16[0], u),
1876 ao.addr16[1], an->addr16[1], u),
1882 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1883 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1884 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1885 ao.addr16[0], an->addr16[0], u),
1886 ao.addr16[1], an->addr16[1], u),
1887 ao.addr16[2], an->addr16[2], u),
1888 ao.addr16[3], an->addr16[3], u),
1889 ao.addr16[4], an->addr16[4], u),
1890 ao.addr16[5], an->addr16[5], u),
1891 ao.addr16[6], an->addr16[6], u),
1892 ao.addr16[7], an->addr16[7], u),
1900 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */
1902 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
1906 memcpy(&ao, a, sizeof(ao));
1907 memcpy(a, &an, sizeof(u_int32_t));
1908 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
1909 ao % 65536, an % 65536, u);
1914 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
1918 PF_ACPY(&ao, a, AF_INET6);
1919 PF_ACPY(a, an, AF_INET6);
1921 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1922 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1923 pf_cksum_fixup(pf_cksum_fixup(*c,
1924 ao.addr16[0], an->addr16[0], u),
1925 ao.addr16[1], an->addr16[1], u),
1926 ao.addr16[2], an->addr16[2], u),
1927 ao.addr16[3], an->addr16[3], u),
1928 ao.addr16[4], an->addr16[4], u),
1929 ao.addr16[5], an->addr16[5], u),
1930 ao.addr16[6], an->addr16[6], u),
1931 ao.addr16[7], an->addr16[7], u);
1936 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
1937 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
1938 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
1940 struct pf_addr oia, ooa;
1942 PF_ACPY(&oia, ia, af);
1944 PF_ACPY(&ooa, oa, af);
1946 /* Change inner protocol port, fix inner protocol checksum. */
1948 u_int16_t oip = *ip;
1955 *pc = pf_cksum_fixup(*pc, oip, *ip, u);
1956 *ic = pf_cksum_fixup(*ic, oip, *ip, 0);
1958 *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
1960 /* Change inner ip address, fix inner ip and icmp checksums. */
1961 PF_ACPY(ia, na, af);
1965 u_int32_t oh2c = *h2c;
1967 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
1968 oia.addr16[0], ia->addr16[0], 0),
1969 oia.addr16[1], ia->addr16[1], 0);
1970 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1971 oia.addr16[0], ia->addr16[0], 0),
1972 oia.addr16[1], ia->addr16[1], 0);
1973 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
1979 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1980 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1981 pf_cksum_fixup(pf_cksum_fixup(*ic,
1982 oia.addr16[0], ia->addr16[0], u),
1983 oia.addr16[1], ia->addr16[1], u),
1984 oia.addr16[2], ia->addr16[2], u),
1985 oia.addr16[3], ia->addr16[3], u),
1986 oia.addr16[4], ia->addr16[4], u),
1987 oia.addr16[5], ia->addr16[5], u),
1988 oia.addr16[6], ia->addr16[6], u),
1989 oia.addr16[7], ia->addr16[7], u);
1993 /* Outer ip address, fix outer ip or icmpv6 checksum, if necessary. */
1995 PF_ACPY(oa, na, af);
1999 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
2000 ooa.addr16[0], oa->addr16[0], 0),
2001 ooa.addr16[1], oa->addr16[1], 0);
2006 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2007 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2008 pf_cksum_fixup(pf_cksum_fixup(*ic,
2009 ooa.addr16[0], oa->addr16[0], u),
2010 ooa.addr16[1], oa->addr16[1], u),
2011 ooa.addr16[2], oa->addr16[2], u),
2012 ooa.addr16[3], oa->addr16[3], u),
2013 ooa.addr16[4], oa->addr16[4], u),
2014 ooa.addr16[5], oa->addr16[5], u),
2015 ooa.addr16[6], oa->addr16[6], u),
2016 ooa.addr16[7], oa->addr16[7], u);
2025 * Need to modulate the sequence numbers in the TCP SACK option
2026 * (credits to Krzysztof Pfaff for report and patch)
2029 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
2030 struct tcphdr *th, struct pf_state_peer *dst)
2032 int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
2033 u_int8_t opts[TCP_MAXOLEN], *opt = opts;
2034 int copyback = 0, i, olen;
2035 struct sackblk sack;
2037 #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
2038 if (hlen < TCPOLEN_SACKLEN ||
2039 !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
2042 while (hlen >= TCPOLEN_SACKLEN) {
2045 case TCPOPT_EOL: /* FALLTHROUGH */
2053 if (olen >= TCPOLEN_SACKLEN) {
2054 for (i = 2; i + TCPOLEN_SACK <= olen;
2055 i += TCPOLEN_SACK) {
2056 memcpy(&sack, &opt[i], sizeof(sack));
2057 pf_change_a(&sack.start, &th->th_sum,
2058 htonl(ntohl(sack.start) -
2060 pf_change_a(&sack.end, &th->th_sum,
2061 htonl(ntohl(sack.end) -
2063 memcpy(&opt[i], &sack, sizeof(sack));
2077 m_copyback(m, off + sizeof(*th), thoptlen, (caddr_t)opts);
2082 pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
2083 const struct pf_addr *saddr, const struct pf_addr *daddr,
2084 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
2085 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
2086 u_int16_t rtag, struct ifnet *ifp)
2088 struct pf_send_entry *pfse;
2092 struct ip *h = NULL;
2095 struct ip6_hdr *h6 = NULL;
2099 struct pf_mtag *pf_mtag;
2104 /* maximum segment size tcp option */
2105 tlen = sizeof(struct tcphdr);
2112 len = sizeof(struct ip) + tlen;
2117 len = sizeof(struct ip6_hdr) + tlen;
2121 panic("%s: unsupported af %d", __func__, af);
2124 /* Allocate outgoing queue entry, mbuf and mbuf tag. */
2125 pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT);
2128 m = m_gethdr(M_NOWAIT, MT_HEADER);
2130 free(pfse, M_PFTEMP);
2134 mac_netinet_firewall_send(m);
2136 if ((pf_mtag = pf_get_mtag(m)) == NULL) {
2137 free(pfse, M_PFTEMP);
2142 m->m_flags |= M_SKIP_FIREWALL;
2143 pf_mtag->tag = rtag;
2145 if (r != NULL && r->rtableid >= 0)
2146 M_SETFIB(m, r->rtableid);
2149 if (r != NULL && r->qid) {
2150 pf_mtag->qid = r->qid;
2152 /* add hints for ecn */
2153 pf_mtag->hdr = mtod(m, struct ip *);
2156 m->m_data += max_linkhdr;
2157 m->m_pkthdr.len = m->m_len = len;
2158 m->m_pkthdr.rcvif = NULL;
2159 bzero(m->m_data, len);
2163 h = mtod(m, struct ip *);
2165 /* IP header fields included in the TCP checksum */
2166 h->ip_p = IPPROTO_TCP;
2167 h->ip_len = htons(tlen);
2168 h->ip_src.s_addr = saddr->v4.s_addr;
2169 h->ip_dst.s_addr = daddr->v4.s_addr;
2171 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
2176 h6 = mtod(m, struct ip6_hdr *);
2178 /* IP header fields included in the TCP checksum */
2179 h6->ip6_nxt = IPPROTO_TCP;
2180 h6->ip6_plen = htons(tlen);
2181 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
2182 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
2184 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
2190 th->th_sport = sport;
2191 th->th_dport = dport;
2192 th->th_seq = htonl(seq);
2193 th->th_ack = htonl(ack);
2194 th->th_off = tlen >> 2;
2195 th->th_flags = flags;
2196 th->th_win = htons(win);
2199 opt = (char *)(th + 1);
2200 opt[0] = TCPOPT_MAXSEG;
2203 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
2210 th->th_sum = in_cksum(m, len);
2212 /* Finish the IP header */
2214 h->ip_hl = sizeof(*h) >> 2;
2215 h->ip_tos = IPTOS_LOWDELAY;
2216 h->ip_off = V_path_mtu_discovery ? IP_DF : 0;
2218 h->ip_ttl = ttl ? ttl : V_ip_defttl;
2221 pfse->pfse_type = PFSE_IP;
2227 th->th_sum = in6_cksum(m, IPPROTO_TCP,
2228 sizeof(struct ip6_hdr), tlen);
2230 h6->ip6_vfc |= IPV6_VERSION;
2231 h6->ip6_hlim = IPV6_DEFHLIM;
2233 pfse->pfse_type = PFSE_IP6;
2242 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
2245 struct pf_send_entry *pfse;
2247 struct pf_mtag *pf_mtag;
2249 /* Allocate outgoing queue entry, mbuf and mbuf tag. */
2250 pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT);
2254 if ((m0 = m_copypacket(m, M_NOWAIT)) == NULL) {
2255 free(pfse, M_PFTEMP);
2259 if ((pf_mtag = pf_get_mtag(m0)) == NULL) {
2260 free(pfse, M_PFTEMP);
2264 m0->m_flags |= M_SKIP_FIREWALL;
2266 if (r->rtableid >= 0)
2267 M_SETFIB(m0, r->rtableid);
2271 pf_mtag->qid = r->qid;
2272 /* add hints for ecn */
2273 pf_mtag->hdr = mtod(m0, struct ip *);
2283 /* icmp_error() expects host byte ordering */
2284 ip = mtod(m0, struct ip *);
2288 pfse->pfse_type = PFSE_ICMP;
2294 pfse->pfse_type = PFSE_ICMP6;
2299 pfse->pfse_icmp_type = type;
2300 pfse->pfse_icmp_code = code;
2305 * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
2306 * If n is 0, they match if they are equal. If n is != 0, they match if they
2310 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
2311 struct pf_addr *b, sa_family_t af)
2318 if ((a->addr32[0] & m->addr32[0]) ==
2319 (b->addr32[0] & m->addr32[0]))
2325 if (((a->addr32[0] & m->addr32[0]) ==
2326 (b->addr32[0] & m->addr32[0])) &&
2327 ((a->addr32[1] & m->addr32[1]) ==
2328 (b->addr32[1] & m->addr32[1])) &&
2329 ((a->addr32[2] & m->addr32[2]) ==
2330 (b->addr32[2] & m->addr32[2])) &&
2331 ((a->addr32[3] & m->addr32[3]) ==
2332 (b->addr32[3] & m->addr32[3])))
2351 * Return 1 if b <= a <= e, otherwise return 0.
2354 pf_match_addr_range(struct pf_addr *b, struct pf_addr *e,
2355 struct pf_addr *a, sa_family_t af)
2360 if ((a->addr32[0] < b->addr32[0]) ||
2361 (a->addr32[0] > e->addr32[0]))
2370 for (i = 0; i < 4; ++i)
2371 if (a->addr32[i] > b->addr32[i])
2373 else if (a->addr32[i] < b->addr32[i])
2376 for (i = 0; i < 4; ++i)
2377 if (a->addr32[i] < e->addr32[i])
2379 else if (a->addr32[i] > e->addr32[i])
2389 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
2393 return ((p > a1) && (p < a2));
2395 return ((p < a1) || (p > a2));
2397 return ((p >= a1) && (p <= a2));
2411 return (0); /* never reached */
2415 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
2420 return (pf_match(op, a1, a2, p));
2424 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
2426 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2428 return (pf_match(op, a1, a2, u));
2432 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
2434 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2436 return (pf_match(op, a1, a2, g));
2440 pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, int mtag)
2445 return ((!r->match_tag_not && r->match_tag == *tag) ||
2446 (r->match_tag_not && r->match_tag != *tag));
2450 pf_tag_packet(struct mbuf *m, struct pf_pdesc *pd, int tag)
2453 KASSERT(tag > 0, ("%s: tag %d", __func__, tag));
2455 if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(m)) == NULL))
2458 pd->pf_mtag->tag = tag;
2464 pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n,
2465 struct pf_rule **r, struct pf_rule **a, int *match)
2467 struct pf_anchor_stackframe *f;
2471 (*r)->anchor->match = 0;
2474 if (*depth >= sizeof(V_pf_anchor_stack) /
2475 sizeof(V_pf_anchor_stack[0])) {
2476 printf("pf_step_into_anchor: stack overflow\n");
2477 *r = TAILQ_NEXT(*r, entries);
2479 } else if (*depth == 0 && a != NULL)
2481 f = V_pf_anchor_stack + (*depth)++;
2484 if ((*r)->anchor_wildcard) {
2485 f->parent = &(*r)->anchor->children;
2486 if ((f->child = RB_MIN(pf_anchor_node, f->parent)) ==
2491 *rs = &f->child->ruleset;
2495 *rs = &(*r)->anchor->ruleset;
2497 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2501 pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n,
2502 struct pf_rule **r, struct pf_rule **a, int *match)
2504 struct pf_anchor_stackframe *f;
2512 f = V_pf_anchor_stack + *depth - 1;
2513 if (f->parent != NULL && f->child != NULL) {
2514 if (f->child->match ||
2515 (match != NULL && *match)) {
2516 f->r->anchor->match = 1;
2519 f->child = RB_NEXT(pf_anchor_node, f->parent, f->child);
2520 if (f->child != NULL) {
2521 *rs = &f->child->ruleset;
2522 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2530 if (*depth == 0 && a != NULL)
2533 if (f->r->anchor->match || (match != NULL && *match))
2534 quick = f->r->quick;
2535 *r = TAILQ_NEXT(f->r, entries);
2536 } while (*r == NULL);
2543 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
2544 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
2549 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2550 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2554 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2555 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2556 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
2557 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]);
2558 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
2559 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]);
2560 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
2561 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]);
2567 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
2572 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
2576 if (addr->addr32[3] == 0xffffffff) {
2577 addr->addr32[3] = 0;
2578 if (addr->addr32[2] == 0xffffffff) {
2579 addr->addr32[2] = 0;
2580 if (addr->addr32[1] == 0xffffffff) {
2581 addr->addr32[1] = 0;
2583 htonl(ntohl(addr->addr32[0]) + 1);
2586 htonl(ntohl(addr->addr32[1]) + 1);
2589 htonl(ntohl(addr->addr32[2]) + 1);
2592 htonl(ntohl(addr->addr32[3]) + 1);
2599 pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
2601 struct pf_addr *saddr, *daddr;
2602 u_int16_t sport, dport;
2603 struct inpcbinfo *pi;
2606 pd->lookup.uid = UID_MAX;
2607 pd->lookup.gid = GID_MAX;
2609 switch (pd->proto) {
2611 if (pd->hdr.tcp == NULL)
2613 sport = pd->hdr.tcp->th_sport;
2614 dport = pd->hdr.tcp->th_dport;
2618 if (pd->hdr.udp == NULL)
2620 sport = pd->hdr.udp->uh_sport;
2621 dport = pd->hdr.udp->uh_dport;
2627 if (direction == PF_IN) {
2642 inp = in_pcblookup_mbuf(pi, saddr->v4, sport, daddr->v4,
2643 dport, INPLOOKUP_RLOCKPCB, NULL, m);
2645 inp = in_pcblookup_mbuf(pi, saddr->v4, sport,
2646 daddr->v4, dport, INPLOOKUP_WILDCARD |
2647 INPLOOKUP_RLOCKPCB, NULL, m);
2655 inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport, &daddr->v6,
2656 dport, INPLOOKUP_RLOCKPCB, NULL, m);
2658 inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport,
2659 &daddr->v6, dport, INPLOOKUP_WILDCARD |
2660 INPLOOKUP_RLOCKPCB, NULL, m);
2670 INP_RLOCK_ASSERT(inp);
2671 pd->lookup.uid = inp->inp_cred->cr_uid;
2672 pd->lookup.gid = inp->inp_cred->cr_groups[0];
2679 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2683 u_int8_t *opt, optlen;
2684 u_int8_t wscale = 0;
2686 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
2687 if (hlen <= sizeof(struct tcphdr))
2689 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2691 opt = hdr + sizeof(struct tcphdr);
2692 hlen -= sizeof(struct tcphdr);
2702 if (wscale > TCP_MAX_WINSHIFT)
2703 wscale = TCP_MAX_WINSHIFT;
2704 wscale |= PF_WSCALE_FLAG;
2719 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2723 u_int8_t *opt, optlen;
2724 u_int16_t mss = V_tcp_mssdflt;
2726 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
2727 if (hlen <= sizeof(struct tcphdr))
2729 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2731 opt = hdr + sizeof(struct tcphdr);
2732 hlen -= sizeof(struct tcphdr);
2733 while (hlen >= TCPOLEN_MAXSEG) {
2741 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
2757 pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer)
2760 struct sockaddr_in *dst;
2764 struct sockaddr_in6 *dst6;
2765 struct route_in6 ro6;
2767 struct rtentry *rt = NULL;
2769 u_int16_t mss = V_tcp_mssdflt;
2774 hlen = sizeof(struct ip);
2775 bzero(&ro, sizeof(ro));
2776 dst = (struct sockaddr_in *)&ro.ro_dst;
2777 dst->sin_family = AF_INET;
2778 dst->sin_len = sizeof(*dst);
2779 dst->sin_addr = addr->v4;
2780 in_rtalloc_ign(&ro, 0, rtableid);
2786 hlen = sizeof(struct ip6_hdr);
2787 bzero(&ro6, sizeof(ro6));
2788 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst;
2789 dst6->sin6_family = AF_INET6;
2790 dst6->sin6_len = sizeof(*dst6);
2791 dst6->sin6_addr = addr->v6;
2792 in6_rtalloc_ign(&ro6, 0, rtableid);
2798 if (rt && rt->rt_ifp) {
2799 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr);
2800 mss = max(V_tcp_mssdflt, mss);
2803 mss = min(mss, offer);
2804 mss = max(mss, 64); /* sanity - at least max opt space */
2809 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
2811 struct pf_rule *r = s->rule.ptr;
2812 struct pf_src_node *sn = NULL;
2815 if (!r->rt || r->rt == PF_FASTROUTE)
2817 switch (s->key[PF_SK_WIRE]->af) {
2820 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, &sn);
2821 s->rt_kif = r->rpool.cur->kif;
2826 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, &sn);
2827 s->rt_kif = r->rpool.cur->kif;
2834 pf_tcp_iss(struct pf_pdesc *pd)
2837 u_int32_t digest[4];
2839 if (V_pf_tcp_secret_init == 0) {
2840 read_random(&V_pf_tcp_secret, sizeof(V_pf_tcp_secret));
2841 MD5Init(&V_pf_tcp_secret_ctx);
2842 MD5Update(&V_pf_tcp_secret_ctx, V_pf_tcp_secret,
2843 sizeof(V_pf_tcp_secret));
2844 V_pf_tcp_secret_init = 1;
2847 ctx = V_pf_tcp_secret_ctx;
2849 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof(u_short));
2850 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof(u_short));
2851 if (pd->af == AF_INET6) {
2852 MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr));
2853 MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr));
2855 MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr));
2856 MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr));
2858 MD5Final((u_char *)digest, &ctx);
2859 V_pf_tcp_iss_off += 4096;
2860 #define ISN_RANDOM_INCREMENT (4096 - 1)
2861 return (digest[0] + (arc4random() & ISN_RANDOM_INCREMENT) +
2863 #undef ISN_RANDOM_INCREMENT
2867 pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
2868 struct pfi_kif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
2869 struct pf_rule **am, struct pf_ruleset **rsm, struct inpcb *inp)
2871 struct pf_rule *nr = NULL;
2872 struct pf_addr * const saddr = pd->src;
2873 struct pf_addr * const daddr = pd->dst;
2874 sa_family_t af = pd->af;
2875 struct pf_rule *r, *a = NULL;
2876 struct pf_ruleset *ruleset = NULL;
2877 struct pf_src_node *nsn = NULL;
2878 struct tcphdr *th = pd->hdr.tcp;
2879 struct pf_state_key *sk = NULL, *nk = NULL;
2881 int rewrite = 0, hdrlen = 0;
2882 int tag = -1, rtableid = -1;
2886 u_int16_t sport = 0, dport = 0;
2887 u_int16_t bproto_sum = 0, bip_sum = 0;
2888 u_int8_t icmptype = 0, icmpcode = 0;
2893 INP_LOCK_ASSERT(inp);
2894 pd->lookup.uid = inp->inp_cred->cr_uid;
2895 pd->lookup.gid = inp->inp_cred->cr_groups[0];
2896 pd->lookup.done = 1;
2899 switch (pd->proto) {
2901 sport = th->th_sport;
2902 dport = th->th_dport;
2903 hdrlen = sizeof(*th);
2906 sport = pd->hdr.udp->uh_sport;
2907 dport = pd->hdr.udp->uh_dport;
2908 hdrlen = sizeof(*pd->hdr.udp);
2912 if (pd->af != AF_INET)
2914 sport = dport = pd->hdr.icmp->icmp_id;
2915 hdrlen = sizeof(*pd->hdr.icmp);
2916 icmptype = pd->hdr.icmp->icmp_type;
2917 icmpcode = pd->hdr.icmp->icmp_code;
2919 if (icmptype == ICMP_UNREACH ||
2920 icmptype == ICMP_SOURCEQUENCH ||
2921 icmptype == ICMP_REDIRECT ||
2922 icmptype == ICMP_TIMXCEED ||
2923 icmptype == ICMP_PARAMPROB)
2928 case IPPROTO_ICMPV6:
2931 sport = dport = pd->hdr.icmp6->icmp6_id;
2932 hdrlen = sizeof(*pd->hdr.icmp6);
2933 icmptype = pd->hdr.icmp6->icmp6_type;
2934 icmpcode = pd->hdr.icmp6->icmp6_code;
2936 if (icmptype == ICMP6_DST_UNREACH ||
2937 icmptype == ICMP6_PACKET_TOO_BIG ||
2938 icmptype == ICMP6_TIME_EXCEEDED ||
2939 icmptype == ICMP6_PARAM_PROB)
2944 sport = dport = hdrlen = 0;
2948 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
2950 /* check packet for BINAT/NAT/RDR */
2951 if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &sk,
2952 &nk, saddr, daddr, sport, dport)) != NULL) {
2953 KASSERT(sk != NULL, ("%s: null sk", __func__));
2954 KASSERT(nk != NULL, ("%s: null nk", __func__));
2957 bip_sum = *pd->ip_sum;
2959 switch (pd->proto) {
2961 bproto_sum = th->th_sum;
2962 pd->proto_sum = &th->th_sum;
2964 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
2965 nk->port[pd->sidx] != sport) {
2966 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
2967 &th->th_sum, &nk->addr[pd->sidx],
2968 nk->port[pd->sidx], 0, af);
2969 pd->sport = &th->th_sport;
2970 sport = th->th_sport;
2973 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
2974 nk->port[pd->didx] != dport) {
2975 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
2976 &th->th_sum, &nk->addr[pd->didx],
2977 nk->port[pd->didx], 0, af);
2978 dport = th->th_dport;
2979 pd->dport = &th->th_dport;
2984 bproto_sum = pd->hdr.udp->uh_sum;
2985 pd->proto_sum = &pd->hdr.udp->uh_sum;
2987 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
2988 nk->port[pd->sidx] != sport) {
2989 pf_change_ap(saddr, &pd->hdr.udp->uh_sport,
2990 pd->ip_sum, &pd->hdr.udp->uh_sum,
2991 &nk->addr[pd->sidx],
2992 nk->port[pd->sidx], 1, af);
2993 sport = pd->hdr.udp->uh_sport;
2994 pd->sport = &pd->hdr.udp->uh_sport;
2997 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
2998 nk->port[pd->didx] != dport) {
2999 pf_change_ap(daddr, &pd->hdr.udp->uh_dport,
3000 pd->ip_sum, &pd->hdr.udp->uh_sum,
3001 &nk->addr[pd->didx],
3002 nk->port[pd->didx], 1, af);
3003 dport = pd->hdr.udp->uh_dport;
3004 pd->dport = &pd->hdr.udp->uh_dport;
3010 nk->port[0] = nk->port[1];
3011 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET))
3012 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3013 nk->addr[pd->sidx].v4.s_addr, 0);
3015 if (PF_ANEQ(daddr, &nk->addr[pd->didx], AF_INET))
3016 pf_change_a(&daddr->v4.s_addr, pd->ip_sum,
3017 nk->addr[pd->didx].v4.s_addr, 0);
3019 if (nk->port[1] != pd->hdr.icmp->icmp_id) {
3020 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
3021 pd->hdr.icmp->icmp_cksum, sport,
3023 pd->hdr.icmp->icmp_id = nk->port[1];
3024 pd->sport = &pd->hdr.icmp->icmp_id;
3026 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
3030 case IPPROTO_ICMPV6:
3031 nk->port[0] = nk->port[1];
3032 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET6))
3033 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
3034 &nk->addr[pd->sidx], 0);
3036 if (PF_ANEQ(daddr, &nk->addr[pd->didx], AF_INET6))
3037 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
3038 &nk->addr[pd->didx], 0);
3047 &nk->addr[pd->sidx], AF_INET))
3048 pf_change_a(&saddr->v4.s_addr,
3050 nk->addr[pd->sidx].v4.s_addr, 0);
3053 &nk->addr[pd->didx], AF_INET))
3054 pf_change_a(&daddr->v4.s_addr,
3056 nk->addr[pd->didx].v4.s_addr, 0);
3062 &nk->addr[pd->sidx], AF_INET6))
3063 PF_ACPY(saddr, &nk->addr[pd->sidx], af);
3066 &nk->addr[pd->didx], AF_INET6))
3067 PF_ACPY(saddr, &nk->addr[pd->didx], af);
3080 if (pfi_kif_match(r->kif, kif) == r->ifnot)
3081 r = r->skip[PF_SKIP_IFP].ptr;
3082 else if (r->direction && r->direction != direction)
3083 r = r->skip[PF_SKIP_DIR].ptr;
3084 else if (r->af && r->af != af)
3085 r = r->skip[PF_SKIP_AF].ptr;
3086 else if (r->proto && r->proto != pd->proto)
3087 r = r->skip[PF_SKIP_PROTO].ptr;
3088 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3089 r->src.neg, kif, M_GETFIB(m)))
3090 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3091 /* tcp/udp only. port_op always 0 in other cases */
3092 else if (r->src.port_op && !pf_match_port(r->src.port_op,
3093 r->src.port[0], r->src.port[1], sport))
3094 r = r->skip[PF_SKIP_SRC_PORT].ptr;
3095 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3096 r->dst.neg, NULL, M_GETFIB(m)))
3097 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3098 /* tcp/udp only. port_op always 0 in other cases */
3099 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
3100 r->dst.port[0], r->dst.port[1], dport))
3101 r = r->skip[PF_SKIP_DST_PORT].ptr;
3102 /* icmp only. type always 0 in other cases */
3103 else if (r->type && r->type != icmptype + 1)
3104 r = TAILQ_NEXT(r, entries);
3105 /* icmp only. type always 0 in other cases */
3106 else if (r->code && r->code != icmpcode + 1)
3107 r = TAILQ_NEXT(r, entries);
3108 else if (r->tos && !(r->tos == pd->tos))
3109 r = TAILQ_NEXT(r, entries);
3110 else if (r->rule_flag & PFRULE_FRAGMENT)
3111 r = TAILQ_NEXT(r, entries);
3112 else if (pd->proto == IPPROTO_TCP &&
3113 (r->flagset & th->th_flags) != r->flags)
3114 r = TAILQ_NEXT(r, entries);
3115 /* tcp/udp only. uid.op always 0 in other cases */
3116 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3117 pf_socket_lookup(direction, pd, m), 1)) &&
3118 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
3120 r = TAILQ_NEXT(r, entries);
3121 /* tcp/udp only. gid.op always 0 in other cases */
3122 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3123 pf_socket_lookup(direction, pd, m), 1)) &&
3124 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
3126 r = TAILQ_NEXT(r, entries);
3128 r->prob <= arc4random())
3129 r = TAILQ_NEXT(r, entries);
3130 else if (r->match_tag && !pf_match_tag(m, r, &tag,
3131 pd->pf_mtag ? pd->pf_mtag->tag : 0))
3132 r = TAILQ_NEXT(r, entries);
3133 else if (r->os_fingerprint != PF_OSFP_ANY &&
3134 (pd->proto != IPPROTO_TCP || !pf_osfp_match(
3135 pf_osfp_fingerprint(pd, m, off, th),
3136 r->os_fingerprint)))
3137 r = TAILQ_NEXT(r, entries);
3141 if (r->rtableid >= 0)
3142 rtableid = r->rtableid;
3143 if (r->anchor == NULL) {
3150 r = TAILQ_NEXT(r, entries);
3152 pf_step_into_anchor(&asd, &ruleset,
3153 PF_RULESET_FILTER, &r, &a, &match);
3155 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3156 PF_RULESET_FILTER, &r, &a, &match))
3163 REASON_SET(&reason, PFRES_MATCH);
3165 if (r->log || (nr != NULL && nr->log)) {
3167 m_copyback(m, off, hdrlen, pd->hdr.any);
3168 PFLOG_PACKET(kif, m, af, direction, reason, r->log ? r : nr, a,
3172 if ((r->action == PF_DROP) &&
3173 ((r->rule_flag & PFRULE_RETURNRST) ||
3174 (r->rule_flag & PFRULE_RETURNICMP) ||
3175 (r->rule_flag & PFRULE_RETURN))) {
3176 /* undo NAT changes, if they have taken place */
3178 PF_ACPY(saddr, &sk->addr[pd->sidx], af);
3179 PF_ACPY(daddr, &sk->addr[pd->didx], af);
3181 *pd->sport = sk->port[pd->sidx];
3183 *pd->dport = sk->port[pd->didx];
3185 *pd->proto_sum = bproto_sum;
3187 *pd->ip_sum = bip_sum;
3188 m_copyback(m, off, hdrlen, pd->hdr.any);
3190 if (pd->proto == IPPROTO_TCP &&
3191 ((r->rule_flag & PFRULE_RETURNRST) ||
3192 (r->rule_flag & PFRULE_RETURN)) &&
3193 !(th->th_flags & TH_RST)) {
3194 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
3206 h4 = mtod(m, struct ip *);
3207 len = ntohs(h4->ip_len) - off;
3212 h6 = mtod(m, struct ip6_hdr *);
3213 len = ntohs(h6->ip6_plen) - (off - sizeof(*h6));
3218 if (pf_check_proto_cksum(m, off, len, IPPROTO_TCP, af))
3219 REASON_SET(&reason, PFRES_PROTCKSUM);
3221 if (th->th_flags & TH_SYN)
3223 if (th->th_flags & TH_FIN)
3225 pf_send_tcp(m, r, af, pd->dst,
3226 pd->src, th->th_dport, th->th_sport,
3227 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
3228 r->return_ttl, 1, 0, kif->pfik_ifp);
3230 } else if (pd->proto != IPPROTO_ICMP && af == AF_INET &&
3232 pf_send_icmp(m, r->return_icmp >> 8,
3233 r->return_icmp & 255, af, r);
3234 else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 &&
3236 pf_send_icmp(m, r->return_icmp6 >> 8,
3237 r->return_icmp6 & 255, af, r);
3240 if (r->action == PF_DROP)
3243 if (tag > 0 && pf_tag_packet(m, pd, tag)) {
3244 REASON_SET(&reason, PFRES_MEMORY);
3248 M_SETFIB(m, rtableid);
3250 if (!state_icmp && (r->keep_state || nr != NULL ||
3251 (pd->flags & PFDESC_TCP_NORM))) {
3253 action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
3254 sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
3256 if (action != PF_PASS)
3260 uma_zfree(V_pf_state_key_z, sk);
3262 uma_zfree(V_pf_state_key_z, nk);
3265 /* copy back packet headers if we performed NAT operations */
3267 m_copyback(m, off, hdrlen, pd->hdr.any);
3269 if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) &&
3270 direction == PF_OUT &&
3271 pfsync_defer_ptr != NULL && pfsync_defer_ptr(*sm, m))
3273 * We want the state created, but we dont
3274 * want to send this in case a partner
3275 * firewall has to know about it to allow
3276 * replies through it.
3284 uma_zfree(V_pf_state_key_z, sk);
3286 uma_zfree(V_pf_state_key_z, nk);
3291 pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a,
3292 struct pf_pdesc *pd, struct pf_src_node *nsn, struct pf_state_key *nk,
3293 struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,
3294 u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
3295 int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen)
3297 struct pf_state *s = NULL;
3298 struct pf_src_node *sn = NULL;
3299 struct tcphdr *th = pd->hdr.tcp;
3300 u_int16_t mss = V_tcp_mssdflt;
3303 /* check maximums */
3304 if (r->max_states && (r->states_cur >= r->max_states)) {
3305 V_pf_status.lcounters[LCNT_STATES]++;
3306 REASON_SET(&reason, PFRES_MAXSTATES);
3309 /* src node for filter rule */
3310 if ((r->rule_flag & PFRULE_SRCTRACK ||
3311 r->rpool.opts & PF_POOL_STICKYADDR) &&
3312 pf_insert_src_node(&sn, r, pd->src, pd->af) != 0) {
3313 REASON_SET(&reason, PFRES_SRCLIMIT);
3316 /* src node for translation rule */
3317 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3318 pf_insert_src_node(&nsn, nr, &sk->addr[pd->sidx], pd->af)) {
3319 REASON_SET(&reason, PFRES_SRCLIMIT);
3322 s = uma_zalloc(V_pf_state_z, M_NOWAIT | M_ZERO);
3324 REASON_SET(&reason, PFRES_MEMORY);
3328 s->nat_rule.ptr = nr;
3330 STATE_INC_COUNTERS(s);
3332 s->state_flags |= PFSTATE_ALLOWOPTS;
3333 if (r->rule_flag & PFRULE_STATESLOPPY)
3334 s->state_flags |= PFSTATE_SLOPPY;
3335 s->log = r->log & PF_LOG_ALL;
3336 s->sync_state = PFSYNC_S_NONE;
3338 s->log |= nr->log & PF_LOG_ALL;
3339 switch (pd->proto) {
3341 s->src.seqlo = ntohl(th->th_seq);
3342 s->src.seqhi = s->src.seqlo + pd->p_len + 1;
3343 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
3344 r->keep_state == PF_STATE_MODULATE) {
3345 /* Generate sequence number modulator */
3346 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
3349 pf_change_a(&th->th_seq, &th->th_sum,
3350 htonl(s->src.seqlo + s->src.seqdiff), 0);
3354 if (th->th_flags & TH_SYN) {
3356 s->src.wscale = pf_get_wscale(m, off,
3357 th->th_off, pd->af);
3359 s->src.max_win = MAX(ntohs(th->th_win), 1);
3360 if (s->src.wscale & PF_WSCALE_MASK) {
3361 /* Remove scale factor from initial window */
3362 int win = s->src.max_win;
3363 win += 1 << (s->src.wscale & PF_WSCALE_MASK);
3364 s->src.max_win = (win - 1) >>
3365 (s->src.wscale & PF_WSCALE_MASK);
3367 if (th->th_flags & TH_FIN)
3371 s->src.state = TCPS_SYN_SENT;
3372 s->dst.state = TCPS_CLOSED;
3373 s->timeout = PFTM_TCP_FIRST_PACKET;
3376 s->src.state = PFUDPS_SINGLE;
3377 s->dst.state = PFUDPS_NO_TRAFFIC;
3378 s->timeout = PFTM_UDP_FIRST_PACKET;
3382 case IPPROTO_ICMPV6:
3384 s->timeout = PFTM_ICMP_FIRST_PACKET;
3387 s->src.state = PFOTHERS_SINGLE;
3388 s->dst.state = PFOTHERS_NO_TRAFFIC;
3389 s->timeout = PFTM_OTHER_FIRST_PACKET;
3392 s->creation = time_uptime;
3393 s->expire = time_uptime;
3397 s->src_node->states++;
3400 /* XXX We only modify one side for now. */
3401 PF_ACPY(&nsn->raddr, &nk->addr[1], pd->af);
3402 s->nat_src_node = nsn;
3403 s->nat_src_node->states++;
3405 if (pd->proto == IPPROTO_TCP) {
3406 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
3407 off, pd, th, &s->src, &s->dst)) {
3408 REASON_SET(&reason, PFRES_MEMORY);
3409 pf_src_tree_remove_state(s);
3410 STATE_DEC_COUNTERS(s);
3411 uma_zfree(V_pf_state_z, s);
3414 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
3415 pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
3416 &s->src, &s->dst, rewrite)) {
3417 /* This really shouldn't happen!!! */
3418 DPFPRINTF(PF_DEBUG_URGENT,
3419 ("pf_normalize_tcp_stateful failed on first pkt"));
3420 pf_normalize_tcp_cleanup(s);
3421 pf_src_tree_remove_state(s);
3422 STATE_DEC_COUNTERS(s);
3423 uma_zfree(V_pf_state_z, s);
3427 s->direction = pd->dir;
3430 * sk/nk could already been setup by pf_get_translation().
3433 KASSERT((sk == NULL && nk == NULL), ("%s: nr %p sk %p, nk %p",
3434 __func__, nr, sk, nk));
3435 sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport);
3440 KASSERT((sk != NULL && nk != NULL), ("%s: nr %p sk %p, nk %p",
3441 __func__, nr, sk, nk));
3443 /* Swap sk/nk for PF_OUT. */
3444 if (pf_state_insert(BOUND_IFACE(r, kif),
3445 (pd->dir == PF_IN) ? sk : nk,
3446 (pd->dir == PF_IN) ? nk : sk, s)) {
3447 if (pd->proto == IPPROTO_TCP)
3448 pf_normalize_tcp_cleanup(s);
3449 REASON_SET(&reason, PFRES_STATEINS);
3450 pf_src_tree_remove_state(s);
3451 STATE_DEC_COUNTERS(s);
3452 uma_zfree(V_pf_state_z, s);
3457 pf_set_rt_ifp(s, pd->src); /* needs s->state_key set */
3460 if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
3461 TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
3462 s->src.state = PF_TCPS_PROXY_SRC;
3463 /* undo NAT changes, if they have taken place */
3465 struct pf_state_key *skt = s->key[PF_SK_WIRE];
3466 if (pd->dir == PF_OUT)
3467 skt = s->key[PF_SK_STACK];
3468 PF_ACPY(pd->src, &skt->addr[pd->sidx], pd->af);
3469 PF_ACPY(pd->dst, &skt->addr[pd->didx], pd->af);
3471 *pd->sport = skt->port[pd->sidx];
3473 *pd->dport = skt->port[pd->didx];
3475 *pd->proto_sum = bproto_sum;
3477 *pd->ip_sum = bip_sum;
3478 m_copyback(m, off, hdrlen, pd->hdr.any);
3480 s->src.seqhi = htonl(arc4random());
3481 /* Find mss option */
3482 int rtid = M_GETFIB(m);
3483 mss = pf_get_mss(m, off, th->th_off, pd->af);
3484 mss = pf_calc_mss(pd->src, pd->af, rtid, mss);
3485 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss);
3487 pf_send_tcp(NULL, r, pd->af, pd->dst, pd->src, th->th_dport,
3488 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
3489 TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL);
3490 REASON_SET(&reason, PFRES_SYNPROXY);
3491 return (PF_SYNPROXY_DROP);
3498 uma_zfree(V_pf_state_key_z, sk);
3500 uma_zfree(V_pf_state_key_z, nk);
3502 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3503 pf_remove_src_node(sn);
3504 V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3505 V_pf_status.src_nodes--;
3506 uma_zfree(V_pf_sources_z, sn);
3508 if (nsn != sn && nsn != NULL && nsn->states == 0 && nsn->expire == 0) {
3509 pf_remove_src_node(nsn);
3510 V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3511 V_pf_status.src_nodes--;
3512 uma_zfree(V_pf_sources_z, nsn);
3518 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
3519 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
3520 struct pf_ruleset **rsm)
3522 struct pf_rule *r, *a = NULL;
3523 struct pf_ruleset *ruleset = NULL;
3524 sa_family_t af = pd->af;
3532 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3535 if (pfi_kif_match(r->kif, kif) == r->ifnot)
3536 r = r->skip[PF_SKIP_IFP].ptr;
3537 else if (r->direction && r->direction != direction)
3538 r = r->skip[PF_SKIP_DIR].ptr;
3539 else if (r->af && r->af != af)
3540 r = r->skip[PF_SKIP_AF].ptr;
3541 else if (r->proto && r->proto != pd->proto)
3542 r = r->skip[PF_SKIP_PROTO].ptr;
3543 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
3544 r->src.neg, kif, M_GETFIB(m)))
3545 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3546 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
3547 r->dst.neg, NULL, M_GETFIB(m)))
3548 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3549 else if (r->tos && !(r->tos == pd->tos))
3550 r = TAILQ_NEXT(r, entries);
3551 else if (r->os_fingerprint != PF_OSFP_ANY)
3552 r = TAILQ_NEXT(r, entries);
3553 else if (pd->proto == IPPROTO_UDP &&
3554 (r->src.port_op || r->dst.port_op))
3555 r = TAILQ_NEXT(r, entries);
3556 else if (pd->proto == IPPROTO_TCP &&
3557 (r->src.port_op || r->dst.port_op || r->flagset))
3558 r = TAILQ_NEXT(r, entries);
3559 else if ((pd->proto == IPPROTO_ICMP ||
3560 pd->proto == IPPROTO_ICMPV6) &&
3561 (r->type || r->code))
3562 r = TAILQ_NEXT(r, entries);
3563 else if (r->prob && r->prob <=
3564 (arc4random() % (UINT_MAX - 1) + 1))
3565 r = TAILQ_NEXT(r, entries);
3566 else if (r->match_tag && !pf_match_tag(m, r, &tag,
3567 pd->pf_mtag ? pd->pf_mtag->tag : 0))
3568 r = TAILQ_NEXT(r, entries);
3570 if (r->anchor == NULL) {
3577 r = TAILQ_NEXT(r, entries);
3579 pf_step_into_anchor(&asd, &ruleset,
3580 PF_RULESET_FILTER, &r, &a, &match);
3582 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3583 PF_RULESET_FILTER, &r, &a, &match))
3590 REASON_SET(&reason, PFRES_MATCH);
3593 PFLOG_PACKET(kif, m, af, direction, reason, r, a, ruleset, pd,
3596 if (r->action != PF_PASS)
3599 if (tag > 0 && pf_tag_packet(m, pd, tag)) {
3600 REASON_SET(&reason, PFRES_MEMORY);
3608 pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
3609 struct pf_state **state, struct pfi_kif *kif, struct mbuf *m, int off,
3610 struct pf_pdesc *pd, u_short *reason, int *copyback)
3612 struct tcphdr *th = pd->hdr.tcp;
3613 u_int16_t win = ntohs(th->th_win);
3614 u_int32_t ack, end, seq, orig_seq;
3618 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
3619 sws = src->wscale & PF_WSCALE_MASK;
3620 dws = dst->wscale & PF_WSCALE_MASK;
3625 * Sequence tracking algorithm from Guido van Rooij's paper:
3626 * http://www.madison-gurkha.com/publications/tcp_filtering/
3630 orig_seq = seq = ntohl(th->th_seq);
3631 if (src->seqlo == 0) {
3632 /* First packet from this end. Set its state */
3634 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
3635 src->scrub == NULL) {
3636 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
3637 REASON_SET(reason, PFRES_MEMORY);
3642 /* Deferred generation of sequence number modulator */
3643 if (dst->seqdiff && !src->seqdiff) {
3644 /* use random iss for the TCP server */
3645 while ((src->seqdiff = arc4random() - seq) == 0)
3647 ack = ntohl(th->th_ack) - dst->seqdiff;
3648 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
3650 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
3653 ack = ntohl(th->th_ack);
3656 end = seq + pd->p_len;
3657 if (th->th_flags & TH_SYN) {
3659 if (dst->wscale & PF_WSCALE_FLAG) {
3660 src->wscale = pf_get_wscale(m, off, th->th_off,
3662 if (src->wscale & PF_WSCALE_FLAG) {
3663 /* Remove scale factor from initial
3665 sws = src->wscale & PF_WSCALE_MASK;
3666 win = ((u_int32_t)win + (1 << sws) - 1)
3668 dws = dst->wscale & PF_WSCALE_MASK;
3670 /* fixup other window */
3671 dst->max_win <<= dst->wscale &
3673 /* in case of a retrans SYN|ACK */
3678 if (th->th_flags & TH_FIN)
3682 if (src->state < TCPS_SYN_SENT)
3683 src->state = TCPS_SYN_SENT;
3686 * May need to slide the window (seqhi may have been set by
3687 * the crappy stack check or if we picked up the connection
3688 * after establishment)
3690 if (src->seqhi == 1 ||
3691 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
3692 src->seqhi = end + MAX(1, dst->max_win << dws);
3693 if (win > src->max_win)
3697 ack = ntohl(th->th_ack) - dst->seqdiff;
3699 /* Modulate sequence numbers */
3700 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
3702 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
3705 end = seq + pd->p_len;
3706 if (th->th_flags & TH_SYN)
3708 if (th->th_flags & TH_FIN)
3712 if ((th->th_flags & TH_ACK) == 0) {
3713 /* Let it pass through the ack skew check */
3715 } else if ((ack == 0 &&
3716 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
3717 /* broken tcp stacks do not set ack */
3718 (dst->state < TCPS_SYN_SENT)) {
3720 * Many stacks (ours included) will set the ACK number in an
3721 * FIN|ACK if the SYN times out -- no sequence to ACK.
3727 /* Ease sequencing restrictions on no data packets */
3732 ackskew = dst->seqlo - ack;
3736 * Need to demodulate the sequence numbers in any TCP SACK options
3737 * (Selective ACK). We could optionally validate the SACK values
3738 * against the current ACK window, either forwards or backwards, but
3739 * I'm not confident that SACK has been implemented properly
3740 * everywhere. It wouldn't surprise me if several stacks accidently
3741 * SACK too far backwards of previously ACKed data. There really aren't
3742 * any security implications of bad SACKing unless the target stack
3743 * doesn't validate the option length correctly. Someone trying to
3744 * spoof into a TCP connection won't bother blindly sending SACK
3747 if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) {
3748 if (pf_modulate_sack(m, off, pd, th, dst))
3753 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
3754 if (SEQ_GEQ(src->seqhi, end) &&
3755 /* Last octet inside other's window space */
3756 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
3757 /* Retrans: not more than one window back */
3758 (ackskew >= -MAXACKWINDOW) &&
3759 /* Acking not more than one reassembled fragment backwards */
3760 (ackskew <= (MAXACKWINDOW << sws)) &&
3761 /* Acking not more than one window forward */
3762 ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
3763 (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) ||
3764 (pd->flags & PFDESC_IP_REAS) == 0)) {
3765 /* Require an exact/+1 sequence match on resets when possible */
3767 if (dst->scrub || src->scrub) {
3768 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
3769 *state, src, dst, copyback))
3773 /* update max window */
3774 if (src->max_win < win)
3776 /* synchronize sequencing */
3777 if (SEQ_GT(end, src->seqlo))
3779 /* slide the window of what the other end can send */
3780 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
3781 dst->seqhi = ack + MAX((win << sws), 1);
3785 if (th->th_flags & TH_SYN)
3786 if (src->state < TCPS_SYN_SENT)
3787 src->state = TCPS_SYN_SENT;
3788 if (th->th_flags & TH_FIN)
3789 if (src->state < TCPS_CLOSING)
3790 src->state = TCPS_CLOSING;
3791 if (th->th_flags & TH_ACK) {
3792 if (dst->state == TCPS_SYN_SENT) {
3793 dst->state = TCPS_ESTABLISHED;
3794 if (src->state == TCPS_ESTABLISHED &&
3795 (*state)->src_node != NULL &&
3796 pf_src_connlimit(state)) {
3797 REASON_SET(reason, PFRES_SRCLIMIT);
3800 } else if (dst->state == TCPS_CLOSING)
3801 dst->state = TCPS_FIN_WAIT_2;
3803 if (th->th_flags & TH_RST)
3804 src->state = dst->state = TCPS_TIME_WAIT;
3806 /* update expire time */
3807 (*state)->expire = time_uptime;
3808 if (src->state >= TCPS_FIN_WAIT_2 &&
3809 dst->state >= TCPS_FIN_WAIT_2)
3810 (*state)->timeout = PFTM_TCP_CLOSED;
3811 else if (src->state >= TCPS_CLOSING &&
3812 dst->state >= TCPS_CLOSING)
3813 (*state)->timeout = PFTM_TCP_FIN_WAIT;
3814 else if (src->state < TCPS_ESTABLISHED ||
3815 dst->state < TCPS_ESTABLISHED)
3816 (*state)->timeout = PFTM_TCP_OPENING;
3817 else if (src->state >= TCPS_CLOSING ||
3818 dst->state >= TCPS_CLOSING)
3819 (*state)->timeout = PFTM_TCP_CLOSING;
3821 (*state)->timeout = PFTM_TCP_ESTABLISHED;
3823 /* Fall through to PASS packet */
3825 } else if ((dst->state < TCPS_SYN_SENT ||
3826 dst->state >= TCPS_FIN_WAIT_2 ||
3827 src->state >= TCPS_FIN_WAIT_2) &&
3828 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
3829 /* Within a window forward of the originating packet */
3830 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
3831 /* Within a window backward of the originating packet */
3834 * This currently handles three situations:
3835 * 1) Stupid stacks will shotgun SYNs before their peer
3837 * 2) When PF catches an already established stream (the
3838 * firewall rebooted, the state table was flushed, routes
3840 * 3) Packets get funky immediately after the connection
3841 * closes (this should catch Solaris spurious ACK|FINs
3842 * that web servers like to spew after a close)
3844 * This must be a little more careful than the above code
3845 * since packet floods will also be caught here. We don't
3846 * update the TTL here to mitigate the damage of a packet
3847 * flood and so the same code can handle awkward establishment
3848 * and a loosened connection close.
3849 * In the establishment case, a correct peer response will
3850 * validate the connection, go through the normal state code
3851 * and keep updating the state TTL.
3854 if (V_pf_status.debug >= PF_DEBUG_MISC) {
3855 printf("pf: loose state match: ");
3856 pf_print_state(*state);
3857 pf_print_flags(th->th_flags);
3858 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
3859 "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
3860 pd->p_len, ackskew, (unsigned long long)(*state)->packets[0],
3861 (unsigned long long)(*state)->packets[1],
3862 pd->dir == PF_IN ? "in" : "out",
3863 pd->dir == (*state)->direction ? "fwd" : "rev");
3866 if (dst->scrub || src->scrub) {
3867 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
3868 *state, src, dst, copyback))
3872 /* update max window */
3873 if (src->max_win < win)
3875 /* synchronize sequencing */
3876 if (SEQ_GT(end, src->seqlo))
3878 /* slide the window of what the other end can send */
3879 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
3880 dst->seqhi = ack + MAX((win << sws), 1);
3883 * Cannot set dst->seqhi here since this could be a shotgunned
3884 * SYN and not an already established connection.
3887 if (th->th_flags & TH_FIN)
3888 if (src->state < TCPS_CLOSING)
3889 src->state = TCPS_CLOSING;
3890 if (th->th_flags & TH_RST)
3891 src->state = dst->state = TCPS_TIME_WAIT;
3893 /* Fall through to PASS packet */
3896 if ((*state)->dst.state == TCPS_SYN_SENT &&
3897 (*state)->src.state == TCPS_SYN_SENT) {
3898 /* Send RST for state mismatches during handshake */
3899 if (!(th->th_flags & TH_RST))
3900 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
3901 pd->dst, pd->src, th->th_dport,
3902 th->th_sport, ntohl(th->th_ack), 0,
3904 (*state)->rule.ptr->return_ttl, 1, 0,
3909 } else if (V_pf_status.debug >= PF_DEBUG_MISC) {
3910 printf("pf: BAD state: ");
3911 pf_print_state(*state);
3912 pf_print_flags(th->th_flags);
3913 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
3914 "pkts=%llu:%llu dir=%s,%s\n",
3915 seq, orig_seq, ack, pd->p_len, ackskew,
3916 (unsigned long long)(*state)->packets[0],
3917 (unsigned long long)(*state)->packets[1],
3918 pd->dir == PF_IN ? "in" : "out",
3919 pd->dir == (*state)->direction ? "fwd" : "rev");
3920 printf("pf: State failure on: %c %c %c %c | %c %c\n",
3921 SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
3922 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
3924 (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
3925 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
3926 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
3927 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
3929 REASON_SET(reason, PFRES_BADSTATE);
3937 pf_tcp_track_sloppy(struct pf_state_peer *src, struct pf_state_peer *dst,
3938 struct pf_state **state, struct pf_pdesc *pd, u_short *reason)
3940 struct tcphdr *th = pd->hdr.tcp;
3942 if (th->th_flags & TH_SYN)
3943 if (src->state < TCPS_SYN_SENT)
3944 src->state = TCPS_SYN_SENT;
3945 if (th->th_flags & TH_FIN)
3946 if (src->state < TCPS_CLOSING)
3947 src->state = TCPS_CLOSING;
3948 if (th->th_flags & TH_ACK) {
3949 if (dst->state == TCPS_SYN_SENT) {
3950 dst->state = TCPS_ESTABLISHED;
3951 if (src->state == TCPS_ESTABLISHED &&
3952 (*state)->src_node != NULL &&
3953 pf_src_connlimit(state)) {
3954 REASON_SET(reason, PFRES_SRCLIMIT);
3957 } else if (dst->state == TCPS_CLOSING) {
3958 dst->state = TCPS_FIN_WAIT_2;
3959 } else if (src->state == TCPS_SYN_SENT &&
3960 dst->state < TCPS_SYN_SENT) {
3962 * Handle a special sloppy case where we only see one
3963 * half of the connection. If there is a ACK after
3964 * the initial SYN without ever seeing a packet from
3965 * the destination, set the connection to established.
3967 dst->state = src->state = TCPS_ESTABLISHED;
3968 if ((*state)->src_node != NULL &&
3969 pf_src_connlimit(state)) {
3970 REASON_SET(reason, PFRES_SRCLIMIT);
3973 } else if (src->state == TCPS_CLOSING &&
3974 dst->state == TCPS_ESTABLISHED &&
3977 * Handle the closing of half connections where we
3978 * don't see the full bidirectional FIN/ACK+ACK
3981 dst->state = TCPS_CLOSING;
3984 if (th->th_flags & TH_RST)
3985 src->state = dst->state = TCPS_TIME_WAIT;
3987 /* update expire time */
3988 (*state)->expire = time_uptime;
3989 if (src->state >= TCPS_FIN_WAIT_2 &&
3990 dst->state >= TCPS_FIN_WAIT_2)
3991 (*state)->timeout = PFTM_TCP_CLOSED;
3992 else if (src->state >= TCPS_CLOSING &&
3993 dst->state >= TCPS_CLOSING)
3994 (*state)->timeout = PFTM_TCP_FIN_WAIT;
3995 else if (src->state < TCPS_ESTABLISHED ||
3996 dst->state < TCPS_ESTABLISHED)
3997 (*state)->timeout = PFTM_TCP_OPENING;
3998 else if (src->state >= TCPS_CLOSING ||
3999 dst->state >= TCPS_CLOSING)
4000 (*state)->timeout = PFTM_TCP_CLOSING;
4002 (*state)->timeout = PFTM_TCP_ESTABLISHED;
4008 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
4009 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4012 struct pf_state_key_cmp key;
4013 struct tcphdr *th = pd->hdr.tcp;
4015 struct pf_state_peer *src, *dst;
4016 struct pf_state_key *sk;
4018 bzero(&key, sizeof(key));
4020 key.proto = IPPROTO_TCP;
4021 if (direction == PF_IN) { /* wire side, straight */
4022 PF_ACPY(&key.addr[0], pd->src, key.af);
4023 PF_ACPY(&key.addr[1], pd->dst, key.af);
4024 key.port[0] = th->th_sport;
4025 key.port[1] = th->th_dport;
4026 } else { /* stack side, reverse */
4027 PF_ACPY(&key.addr[1], pd->src, key.af);
4028 PF_ACPY(&key.addr[0], pd->dst, key.af);
4029 key.port[1] = th->th_sport;
4030 key.port[0] = th->th_dport;
4033 STATE_LOOKUP(kif, &key, direction, *state, pd);
4035 if (direction == (*state)->direction) {
4036 src = &(*state)->src;
4037 dst = &(*state)->dst;
4039 src = &(*state)->dst;
4040 dst = &(*state)->src;
4043 sk = (*state)->key[pd->didx];
4045 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
4046 if (direction != (*state)->direction) {
4047 REASON_SET(reason, PFRES_SYNPROXY);
4048 return (PF_SYNPROXY_DROP);
4050 if (th->th_flags & TH_SYN) {
4051 if (ntohl(th->th_seq) != (*state)->src.seqlo) {
4052 REASON_SET(reason, PFRES_SYNPROXY);
4055 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4056 pd->src, th->th_dport, th->th_sport,
4057 (*state)->src.seqhi, ntohl(th->th_seq) + 1,
4058 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL);
4059 REASON_SET(reason, PFRES_SYNPROXY);
4060 return (PF_SYNPROXY_DROP);
4061 } else if (!(th->th_flags & TH_ACK) ||
4062 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4063 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4064 REASON_SET(reason, PFRES_SYNPROXY);
4066 } else if ((*state)->src_node != NULL &&
4067 pf_src_connlimit(state)) {
4068 REASON_SET(reason, PFRES_SRCLIMIT);
4071 (*state)->src.state = PF_TCPS_PROXY_DST;
4073 if ((*state)->src.state == PF_TCPS_PROXY_DST) {
4074 if (direction == (*state)->direction) {
4075 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
4076 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4077 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4078 REASON_SET(reason, PFRES_SYNPROXY);
4081 (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
4082 if ((*state)->dst.seqhi == 1)
4083 (*state)->dst.seqhi = htonl(arc4random());
4084 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4085 &sk->addr[pd->sidx], &sk->addr[pd->didx],
4086 sk->port[pd->sidx], sk->port[pd->didx],
4087 (*state)->dst.seqhi, 0, TH_SYN, 0,
4088 (*state)->src.mss, 0, 0, (*state)->tag, NULL);
4089 REASON_SET(reason, PFRES_SYNPROXY);
4090 return (PF_SYNPROXY_DROP);
4091 } else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
4093 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
4094 REASON_SET(reason, PFRES_SYNPROXY);
4097 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
4098 (*state)->dst.seqlo = ntohl(th->th_seq);
4099 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4100 pd->src, th->th_dport, th->th_sport,
4101 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
4102 TH_ACK, (*state)->src.max_win, 0, 0, 0,
4103 (*state)->tag, NULL);
4104 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4105 &sk->addr[pd->sidx], &sk->addr[pd->didx],
4106 sk->port[pd->sidx], sk->port[pd->didx],
4107 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
4108 TH_ACK, (*state)->dst.max_win, 0, 0, 1, 0, NULL);
4109 (*state)->src.seqdiff = (*state)->dst.seqhi -
4110 (*state)->src.seqlo;
4111 (*state)->dst.seqdiff = (*state)->src.seqhi -
4112 (*state)->dst.seqlo;
4113 (*state)->src.seqhi = (*state)->src.seqlo +
4114 (*state)->dst.max_win;
4115 (*state)->dst.seqhi = (*state)->dst.seqlo +
4116 (*state)->src.max_win;
4117 (*state)->src.wscale = (*state)->dst.wscale = 0;
4118 (*state)->src.state = (*state)->dst.state =
4120 REASON_SET(reason, PFRES_SYNPROXY);
4121 return (PF_SYNPROXY_DROP);
4125 if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
4126 dst->state >= TCPS_FIN_WAIT_2 &&
4127 src->state >= TCPS_FIN_WAIT_2) {
4128 if (V_pf_status.debug >= PF_DEBUG_MISC) {
4129 printf("pf: state reuse ");
4130 pf_print_state(*state);
4131 pf_print_flags(th->th_flags);
4134 /* XXX make sure it's the same direction ?? */
4135 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
4136 pf_unlink_state(*state, PF_ENTER_LOCKED);
4141 if ((*state)->state_flags & PFSTATE_SLOPPY) {
4142 if (pf_tcp_track_sloppy(src, dst, state, pd, reason) == PF_DROP)
4145 if (pf_tcp_track_full(src, dst, state, kif, m, off, pd, reason,
4146 ©back) == PF_DROP)
4150 /* translate source/destination address, if necessary */
4151 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
4152 struct pf_state_key *nk = (*state)->key[pd->didx];
4154 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
4155 nk->port[pd->sidx] != th->th_sport)
4156 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
4157 &th->th_sum, &nk->addr[pd->sidx],
4158 nk->port[pd->sidx], 0, pd->af);
4160 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
4161 nk->port[pd->didx] != th->th_dport)
4162 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
4163 &th->th_sum, &nk->addr[pd->didx],
4164 nk->port[pd->didx], 0, pd->af);
4168 /* Copyback sequence modulation or stateful scrub changes if needed */
4170 m_copyback(m, off, sizeof(*th), (caddr_t)th);
4176 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
4177 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4179 struct pf_state_peer *src, *dst;
4180 struct pf_state_key_cmp key;
4181 struct udphdr *uh = pd->hdr.udp;
4183 bzero(&key, sizeof(key));
4185 key.proto = IPPROTO_UDP;
4186 if (direction == PF_IN) { /* wire side, straight */
4187 PF_ACPY(&key.addr[0], pd->src, key.af);
4188 PF_ACPY(&key.addr[1], pd->dst, key.af);
4189 key.port[0] = uh->uh_sport;
4190 key.port[1] = uh->uh_dport;
4191 } else { /* stack side, reverse */
4192 PF_ACPY(&key.addr[1], pd->src, key.af);
4193 PF_ACPY(&key.addr[0], pd->dst, key.af);
4194 key.port[1] = uh->uh_sport;
4195 key.port[0] = uh->uh_dport;
4198 STATE_LOOKUP(kif, &key, direction, *state, pd);
4200 if (direction == (*state)->direction) {
4201 src = &(*state)->src;
4202 dst = &(*state)->dst;
4204 src = &(*state)->dst;
4205 dst = &(*state)->src;
4209 if (src->state < PFUDPS_SINGLE)
4210 src->state = PFUDPS_SINGLE;
4211 if (dst->state == PFUDPS_SINGLE)
4212 dst->state = PFUDPS_MULTIPLE;
4214 /* update expire time */
4215 (*state)->expire = time_uptime;
4216 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
4217 (*state)->timeout = PFTM_UDP_MULTIPLE;
4219 (*state)->timeout = PFTM_UDP_SINGLE;
4221 /* translate source/destination address, if necessary */
4222 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
4223 struct pf_state_key *nk = (*state)->key[pd->didx];
4225 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
4226 nk->port[pd->sidx] != uh->uh_sport)
4227 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
4228 &uh->uh_sum, &nk->addr[pd->sidx],
4229 nk->port[pd->sidx], 1, pd->af);
4231 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
4232 nk->port[pd->didx] != uh->uh_dport)
4233 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
4234 &uh->uh_sum, &nk->addr[pd->didx],
4235 nk->port[pd->didx], 1, pd->af);
4236 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
4243 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
4244 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
4246 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4247 u_int16_t icmpid = 0, *icmpsum;
4250 struct pf_state_key_cmp key;
4252 bzero(&key, sizeof(key));
4253 switch (pd->proto) {
4256 icmptype = pd->hdr.icmp->icmp_type;
4257 icmpid = pd->hdr.icmp->icmp_id;
4258 icmpsum = &pd->hdr.icmp->icmp_cksum;
4260 if (icmptype == ICMP_UNREACH ||
4261 icmptype == ICMP_SOURCEQUENCH ||
4262 icmptype == ICMP_REDIRECT ||
4263 icmptype == ICMP_TIMXCEED ||
4264 icmptype == ICMP_PARAMPROB)
4269 case IPPROTO_ICMPV6:
4270 icmptype = pd->hdr.icmp6->icmp6_type;
4271 icmpid = pd->hdr.icmp6->icmp6_id;
4272 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
4274 if (icmptype == ICMP6_DST_UNREACH ||
4275 icmptype == ICMP6_PACKET_TOO_BIG ||
4276 icmptype == ICMP6_TIME_EXCEEDED ||
4277 icmptype == ICMP6_PARAM_PROB)
4286 * ICMP query/reply message not related to a TCP/UDP packet.
4287 * Search for an ICMP state.
4290 key.proto = pd->proto;
4291 key.port[0] = key.port[1] = icmpid;
4292 if (direction == PF_IN) { /* wire side, straight */
4293 PF_ACPY(&key.addr[0], pd->src, key.af);
4294 PF_ACPY(&key.addr[1], pd->dst, key.af);
4295 } else { /* stack side, reverse */
4296 PF_ACPY(&key.addr[1], pd->src, key.af);
4297 PF_ACPY(&key.addr[0], pd->dst, key.af);
4300 STATE_LOOKUP(kif, &key, direction, *state, pd);
4302 (*state)->expire = time_uptime;
4303 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
4305 /* translate source/destination address, if necessary */
4306 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
4307 struct pf_state_key *nk = (*state)->key[pd->didx];
4312 if (PF_ANEQ(pd->src,
4313 &nk->addr[pd->sidx], AF_INET))
4314 pf_change_a(&saddr->v4.s_addr,
4316 nk->addr[pd->sidx].v4.s_addr, 0);
4318 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx],
4320 pf_change_a(&daddr->v4.s_addr,
4322 nk->addr[pd->didx].v4.s_addr, 0);
4325 pd->hdr.icmp->icmp_id) {
4326 pd->hdr.icmp->icmp_cksum =
4328 pd->hdr.icmp->icmp_cksum, icmpid,
4329 nk->port[pd->sidx], 0);
4330 pd->hdr.icmp->icmp_id =
4334 m_copyback(m, off, ICMP_MINLEN,
4335 (caddr_t )pd->hdr.icmp);
4340 if (PF_ANEQ(pd->src,
4341 &nk->addr[pd->sidx], AF_INET6))
4343 &pd->hdr.icmp6->icmp6_cksum,
4344 &nk->addr[pd->sidx], 0);
4346 if (PF_ANEQ(pd->dst,
4347 &nk->addr[pd->didx], AF_INET6))
4349 &pd->hdr.icmp6->icmp6_cksum,
4350 &nk->addr[pd->didx], 0);
4352 m_copyback(m, off, sizeof(struct icmp6_hdr),
4353 (caddr_t )pd->hdr.icmp6);
4362 * ICMP error message in response to a TCP/UDP packet.
4363 * Extract the inner TCP/UDP header and search for that state.
4366 struct pf_pdesc pd2;
4367 bzero(&pd2, sizeof pd2);
4372 struct ip6_hdr h2_6;
4379 /* Payload packet is from the opposite direction. */
4380 pd2.sidx = (direction == PF_IN) ? 1 : 0;
4381 pd2.didx = (direction == PF_IN) ? 0 : 1;
4385 /* offset of h2 in mbuf chain */
4386 ipoff2 = off + ICMP_MINLEN;
4388 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
4389 NULL, reason, pd2.af)) {
4390 DPFPRINTF(PF_DEBUG_MISC,
4391 ("pf: ICMP error message too short "
4396 * ICMP error messages don't refer to non-first
4399 if (h2.ip_off & htons(IP_OFFMASK)) {
4400 REASON_SET(reason, PFRES_FRAG);
4404 /* offset of protocol header that follows h2 */
4405 off2 = ipoff2 + (h2.ip_hl << 2);
4407 pd2.proto = h2.ip_p;
4408 pd2.src = (struct pf_addr *)&h2.ip_src;
4409 pd2.dst = (struct pf_addr *)&h2.ip_dst;
4410 pd2.ip_sum = &h2.ip_sum;
4415 ipoff2 = off + sizeof(struct icmp6_hdr);
4417 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
4418 NULL, reason, pd2.af)) {
4419 DPFPRINTF(PF_DEBUG_MISC,
4420 ("pf: ICMP error message too short "
4424 pd2.proto = h2_6.ip6_nxt;
4425 pd2.src = (struct pf_addr *)&h2_6.ip6_src;
4426 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
4428 off2 = ipoff2 + sizeof(h2_6);
4430 switch (pd2.proto) {
4431 case IPPROTO_FRAGMENT:
4433 * ICMPv6 error messages for
4434 * non-first fragments
4436 REASON_SET(reason, PFRES_FRAG);
4439 case IPPROTO_HOPOPTS:
4440 case IPPROTO_ROUTING:
4441 case IPPROTO_DSTOPTS: {
4442 /* get next header and header length */
4443 struct ip6_ext opt6;
4445 if (!pf_pull_hdr(m, off2, &opt6,
4446 sizeof(opt6), NULL, reason,
4448 DPFPRINTF(PF_DEBUG_MISC,
4449 ("pf: ICMPv6 short opt\n"));
4452 if (pd2.proto == IPPROTO_AH)
4453 off2 += (opt6.ip6e_len + 2) * 4;
4455 off2 += (opt6.ip6e_len + 1) * 8;
4456 pd2.proto = opt6.ip6e_nxt;
4457 /* goto the next header */
4464 } while (!terminal);
4469 switch (pd2.proto) {
4473 struct pf_state_peer *src, *dst;
4478 * Only the first 8 bytes of the TCP header can be
4479 * expected. Don't access any TCP header fields after
4480 * th_seq, an ackskew test is not possible.
4482 if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason,
4484 DPFPRINTF(PF_DEBUG_MISC,
4485 ("pf: ICMP error message too short "
4491 key.proto = IPPROTO_TCP;
4492 PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af);
4493 PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
4494 key.port[pd2.sidx] = th.th_sport;
4495 key.port[pd2.didx] = th.th_dport;
4497 STATE_LOOKUP(kif, &key, direction, *state, pd);
4499 if (direction == (*state)->direction) {
4500 src = &(*state)->dst;
4501 dst = &(*state)->src;
4503 src = &(*state)->src;
4504 dst = &(*state)->dst;
4507 if (src->wscale && dst->wscale)
4508 dws = dst->wscale & PF_WSCALE_MASK;
4512 /* Demodulate sequence number */
4513 seq = ntohl(th.th_seq) - src->seqdiff;
4515 pf_change_a(&th.th_seq, icmpsum,
4520 if (!((*state)->state_flags & PFSTATE_SLOPPY) &&
4521 (!SEQ_GEQ(src->seqhi, seq) ||
4522 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)))) {
4523 if (V_pf_status.debug >= PF_DEBUG_MISC) {
4524 printf("pf: BAD ICMP %d:%d ",
4525 icmptype, pd->hdr.icmp->icmp_code);
4526 pf_print_host(pd->src, 0, pd->af);
4528 pf_print_host(pd->dst, 0, pd->af);
4530 pf_print_state(*state);
4531 printf(" seq=%u\n", seq);
4533 REASON_SET(reason, PFRES_BADSTATE);
4536 if (V_pf_status.debug >= PF_DEBUG_MISC) {
4537 printf("pf: OK ICMP %d:%d ",
4538 icmptype, pd->hdr.icmp->icmp_code);
4539 pf_print_host(pd->src, 0, pd->af);
4541 pf_print_host(pd->dst, 0, pd->af);
4543 pf_print_state(*state);
4544 printf(" seq=%u\n", seq);
4548 /* translate source/destination address, if necessary */
4549 if ((*state)->key[PF_SK_WIRE] !=
4550 (*state)->key[PF_SK_STACK]) {
4551 struct pf_state_key *nk =
4552 (*state)->key[pd->didx];
4554 if (PF_ANEQ(pd2.src,
4555 &nk->addr[pd2.sidx], pd2.af) ||
4556 nk->port[pd2.sidx] != th.th_sport)
4557 pf_change_icmp(pd2.src, &th.th_sport,
4558 daddr, &nk->addr[pd2.sidx],
4559 nk->port[pd2.sidx], NULL,
4560 pd2.ip_sum, icmpsum,
4561 pd->ip_sum, 0, pd2.af);
4563 if (PF_ANEQ(pd2.dst,
4564 &nk->addr[pd2.didx], pd2.af) ||
4565 nk->port[pd2.didx] != th.th_dport)
4566 pf_change_icmp(pd2.dst, &th.th_dport,
4567 NULL, /* XXX Inbound NAT? */
4568 &nk->addr[pd2.didx],
4569 nk->port[pd2.didx], NULL,
4570 pd2.ip_sum, icmpsum,
4571 pd->ip_sum, 0, pd2.af);
4579 m_copyback(m, off, ICMP_MINLEN,
4580 (caddr_t )pd->hdr.icmp);
4581 m_copyback(m, ipoff2, sizeof(h2),
4588 sizeof(struct icmp6_hdr),
4589 (caddr_t )pd->hdr.icmp6);
4590 m_copyback(m, ipoff2, sizeof(h2_6),
4595 m_copyback(m, off2, 8, (caddr_t)&th);
4604 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
4605 NULL, reason, pd2.af)) {
4606 DPFPRINTF(PF_DEBUG_MISC,
4607 ("pf: ICMP error message too short "
4613 key.proto = IPPROTO_UDP;
4614 PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af);
4615 PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
4616 key.port[pd2.sidx] = uh.uh_sport;
4617 key.port[pd2.didx] = uh.uh_dport;
4619 STATE_LOOKUP(kif, &key, direction, *state, pd);
4621 /* translate source/destination address, if necessary */
4622 if ((*state)->key[PF_SK_WIRE] !=
4623 (*state)->key[PF_SK_STACK]) {
4624 struct pf_state_key *nk =
4625 (*state)->key[pd->didx];
4627 if (PF_ANEQ(pd2.src,
4628 &nk->addr[pd2.sidx], pd2.af) ||
4629 nk->port[pd2.sidx] != uh.uh_sport)
4630 pf_change_icmp(pd2.src, &uh.uh_sport,
4631 daddr, &nk->addr[pd2.sidx],
4632 nk->port[pd2.sidx], &uh.uh_sum,
4633 pd2.ip_sum, icmpsum,
4634 pd->ip_sum, 1, pd2.af);
4636 if (PF_ANEQ(pd2.dst,
4637 &nk->addr[pd2.didx], pd2.af) ||
4638 nk->port[pd2.didx] != uh.uh_dport)
4639 pf_change_icmp(pd2.dst, &uh.uh_dport,
4640 NULL, /* XXX Inbound NAT? */
4641 &nk->addr[pd2.didx],
4642 nk->port[pd2.didx], &uh.uh_sum,
4643 pd2.ip_sum, icmpsum,
4644 pd->ip_sum, 1, pd2.af);
4649 m_copyback(m, off, ICMP_MINLEN,
4650 (caddr_t )pd->hdr.icmp);
4651 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4657 sizeof(struct icmp6_hdr),
4658 (caddr_t )pd->hdr.icmp6);
4659 m_copyback(m, ipoff2, sizeof(h2_6),
4664 m_copyback(m, off2, sizeof(uh), (caddr_t)&uh);
4670 case IPPROTO_ICMP: {
4673 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
4674 NULL, reason, pd2.af)) {
4675 DPFPRINTF(PF_DEBUG_MISC,
4676 ("pf: ICMP error message too short i"
4682 key.proto = IPPROTO_ICMP;
4683 PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af);
4684 PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
4685 key.port[0] = key.port[1] = iih.icmp_id;
4687 STATE_LOOKUP(kif, &key, direction, *state, pd);
4689 /* translate source/destination address, if necessary */
4690 if ((*state)->key[PF_SK_WIRE] !=
4691 (*state)->key[PF_SK_STACK]) {
4692 struct pf_state_key *nk =
4693 (*state)->key[pd->didx];
4695 if (PF_ANEQ(pd2.src,
4696 &nk->addr[pd2.sidx], pd2.af) ||
4697 nk->port[pd2.sidx] != iih.icmp_id)
4698 pf_change_icmp(pd2.src, &iih.icmp_id,
4699 daddr, &nk->addr[pd2.sidx],
4700 nk->port[pd2.sidx], NULL,
4701 pd2.ip_sum, icmpsum,
4702 pd->ip_sum, 0, AF_INET);
4704 if (PF_ANEQ(pd2.dst,
4705 &nk->addr[pd2.didx], pd2.af) ||
4706 nk->port[pd2.didx] != iih.icmp_id)
4707 pf_change_icmp(pd2.dst, &iih.icmp_id,
4708 NULL, /* XXX Inbound NAT? */
4709 &nk->addr[pd2.didx],
4710 nk->port[pd2.didx], NULL,
4711 pd2.ip_sum, icmpsum,
4712 pd->ip_sum, 0, AF_INET);
4714 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
4715 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4716 m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih);
4723 case IPPROTO_ICMPV6: {
4724 struct icmp6_hdr iih;
4726 if (!pf_pull_hdr(m, off2, &iih,
4727 sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
4728 DPFPRINTF(PF_DEBUG_MISC,
4729 ("pf: ICMP error message too short "
4735 key.proto = IPPROTO_ICMPV6;
4736 PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af);
4737 PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
4738 key.port[0] = key.port[1] = iih.icmp6_id;
4740 STATE_LOOKUP(kif, &key, direction, *state, pd);
4742 /* translate source/destination address, if necessary */
4743 if ((*state)->key[PF_SK_WIRE] !=
4744 (*state)->key[PF_SK_STACK]) {
4745 struct pf_state_key *nk =
4746 (*state)->key[pd->didx];
4748 if (PF_ANEQ(pd2.src,
4749 &nk->addr[pd2.sidx], pd2.af) ||
4750 nk->port[pd2.sidx] != iih.icmp6_id)
4751 pf_change_icmp(pd2.src, &iih.icmp6_id,
4752 daddr, &nk->addr[pd2.sidx],
4753 nk->port[pd2.sidx], NULL,
4754 pd2.ip_sum, icmpsum,
4755 pd->ip_sum, 0, AF_INET6);
4757 if (PF_ANEQ(pd2.dst,
4758 &nk->addr[pd2.didx], pd2.af) ||
4759 nk->port[pd2.didx] != iih.icmp6_id)
4760 pf_change_icmp(pd2.dst, &iih.icmp6_id,
4761 NULL, /* XXX Inbound NAT? */
4762 &nk->addr[pd2.didx],
4763 nk->port[pd2.didx], NULL,
4764 pd2.ip_sum, icmpsum,
4765 pd->ip_sum, 0, AF_INET6);
4767 m_copyback(m, off, sizeof(struct icmp6_hdr),
4768 (caddr_t)pd->hdr.icmp6);
4769 m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
4770 m_copyback(m, off2, sizeof(struct icmp6_hdr),
4779 key.proto = pd2.proto;
4780 PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af);
4781 PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
4782 key.port[0] = key.port[1] = 0;
4784 STATE_LOOKUP(kif, &key, direction, *state, pd);
4786 /* translate source/destination address, if necessary */
4787 if ((*state)->key[PF_SK_WIRE] !=
4788 (*state)->key[PF_SK_STACK]) {
4789 struct pf_state_key *nk =
4790 (*state)->key[pd->didx];
4792 if (PF_ANEQ(pd2.src,
4793 &nk->addr[pd2.sidx], pd2.af))
4794 pf_change_icmp(pd2.src, NULL, daddr,
4795 &nk->addr[pd2.sidx], 0, NULL,
4796 pd2.ip_sum, icmpsum,
4797 pd->ip_sum, 0, pd2.af);
4799 if (PF_ANEQ(pd2.dst,
4800 &nk->addr[pd2.didx], pd2.af))
4801 pf_change_icmp(pd2.src, NULL,
4802 NULL, /* XXX Inbound NAT? */
4803 &nk->addr[pd2.didx], 0, NULL,
4804 pd2.ip_sum, icmpsum,
4805 pd->ip_sum, 0, pd2.af);
4810 m_copyback(m, off, ICMP_MINLEN,
4811 (caddr_t)pd->hdr.icmp);
4812 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4818 sizeof(struct icmp6_hdr),
4819 (caddr_t )pd->hdr.icmp6);
4820 m_copyback(m, ipoff2, sizeof(h2_6),
4834 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
4835 struct mbuf *m, struct pf_pdesc *pd)
4837 struct pf_state_peer *src, *dst;
4838 struct pf_state_key_cmp key;
4840 bzero(&key, sizeof(key));
4842 key.proto = pd->proto;
4843 if (direction == PF_IN) {
4844 PF_ACPY(&key.addr[0], pd->src, key.af);
4845 PF_ACPY(&key.addr[1], pd->dst, key.af);
4846 key.port[0] = key.port[1] = 0;
4848 PF_ACPY(&key.addr[1], pd->src, key.af);
4849 PF_ACPY(&key.addr[0], pd->dst, key.af);
4850 key.port[1] = key.port[0] = 0;
4853 STATE_LOOKUP(kif, &key, direction, *state, pd);
4855 if (direction == (*state)->direction) {
4856 src = &(*state)->src;
4857 dst = &(*state)->dst;
4859 src = &(*state)->dst;
4860 dst = &(*state)->src;
4864 if (src->state < PFOTHERS_SINGLE)
4865 src->state = PFOTHERS_SINGLE;
4866 if (dst->state == PFOTHERS_SINGLE)
4867 dst->state = PFOTHERS_MULTIPLE;
4869 /* update expire time */
4870 (*state)->expire = time_uptime;
4871 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
4872 (*state)->timeout = PFTM_OTHER_MULTIPLE;
4874 (*state)->timeout = PFTM_OTHER_SINGLE;
4876 /* translate source/destination address, if necessary */
4877 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
4878 struct pf_state_key *nk = (*state)->key[pd->didx];
4880 KASSERT(nk, ("%s: nk is null", __func__));
4881 KASSERT(pd, ("%s: pd is null", __func__));
4882 KASSERT(pd->src, ("%s: pd->src is null", __func__));
4883 KASSERT(pd->dst, ("%s: pd->dst is null", __func__));
4887 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET))
4888 pf_change_a(&pd->src->v4.s_addr,
4890 nk->addr[pd->sidx].v4.s_addr,
4894 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET))
4895 pf_change_a(&pd->dst->v4.s_addr,
4897 nk->addr[pd->didx].v4.s_addr,
4904 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET))
4905 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
4907 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET))
4908 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
4916 * ipoff and off are measured from the start of the mbuf chain.
4917 * h must be at "ipoff" on the mbuf chain.
4920 pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
4921 u_short *actionp, u_short *reasonp, sa_family_t af)
4926 struct ip *h = mtod(m, struct ip *);
4927 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
4931 ACTION_SET(actionp, PF_PASS);
4933 ACTION_SET(actionp, PF_DROP);
4934 REASON_SET(reasonp, PFRES_FRAG);
4938 if (m->m_pkthdr.len < off + len ||
4939 ntohs(h->ip_len) < off + len) {
4940 ACTION_SET(actionp, PF_DROP);
4941 REASON_SET(reasonp, PFRES_SHORT);
4949 struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
4951 if (m->m_pkthdr.len < off + len ||
4952 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
4953 (unsigned)(off + len)) {
4954 ACTION_SET(actionp, PF_DROP);
4955 REASON_SET(reasonp, PFRES_SHORT);
4962 m_copydata(m, off, len, p);
4967 pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif,
4971 struct radix_node_head *rnh;
4973 struct sockaddr_in *dst;
4977 struct sockaddr_in6 *dst6;
4978 struct route_in6 ro;
4982 struct radix_node *rn;
4988 /* XXX: stick to table 0 for now */
4989 rnh = rt_tables_get_rnh(0, af);
4990 if (rnh != NULL && rn_mpath_capable(rnh))
4993 bzero(&ro, sizeof(ro));
4996 dst = satosin(&ro.ro_dst);
4997 dst->sin_family = AF_INET;
4998 dst->sin_len = sizeof(*dst);
4999 dst->sin_addr = addr->v4;
5004 * Skip check for addresses with embedded interface scope,
5005 * as they would always match anyway.
5007 if (IN6_IS_SCOPE_EMBED(&addr->v6))
5009 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
5010 dst6->sin6_family = AF_INET6;
5011 dst6->sin6_len = sizeof(*dst6);
5012 dst6->sin6_addr = addr->v6;
5019 /* Skip checks for ipsec interfaces */
5020 if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
5026 in6_rtalloc_ign(&ro, 0, rtableid);
5031 in_rtalloc_ign((struct route *)&ro, 0, rtableid);
5035 rtalloc_ign((struct route *)&ro, 0); /* No/default FIB. */
5039 if (ro.ro_rt != NULL) {
5040 /* No interface given, this is a no-route check */
5044 if (kif->pfik_ifp == NULL) {
5049 /* Perform uRPF check if passed input interface */
5051 rn = (struct radix_node *)ro.ro_rt;
5053 rt = (struct rtentry *)rn;
5056 if (kif->pfik_ifp == ifp)
5059 rn = rn_mpath_next(rn);
5061 } while (check_mpath == 1 && rn != NULL && ret == 0);
5065 if (ro.ro_rt != NULL)
5072 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
5073 struct pf_state *s, struct pf_pdesc *pd)
5075 struct mbuf *m0, *m1;
5076 struct sockaddr_in dst;
5078 struct ifnet *ifp = NULL;
5079 struct pf_addr naddr;
5080 struct pf_src_node *sn = NULL;
5084 KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__));
5085 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction",
5088 if ((pd->pf_mtag == NULL &&
5089 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
5090 pd->pf_mtag->routed++ > 3) {
5096 if (r->rt == PF_DUPTO) {
5097 if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
5103 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) {
5111 ip = mtod(m0, struct ip *);
5113 bzero(&dst, sizeof(dst));
5114 dst.sin_family = AF_INET;
5115 dst.sin_len = sizeof(dst);
5116 dst.sin_addr = ip->ip_dst;
5118 if (r->rt == PF_FASTROUTE) {
5123 rt = rtalloc1_fib(sintosa(&dst), 0, 0, M_GETFIB(m0));
5126 KMOD_IPSTAT_INC(ips_noroute);
5127 error = EHOSTUNREACH;
5132 rt->rt_rmx.rmx_pksent++;
5134 if (rt->rt_flags & RTF_GATEWAY)
5135 bcopy(satosin(rt->rt_gateway), &dst, sizeof(dst));
5138 if (TAILQ_EMPTY(&r->rpool.list)) {
5139 DPFPRINTF(PF_DEBUG_URGENT,
5140 ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
5144 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
5146 if (!PF_AZERO(&naddr, AF_INET))
5147 dst.sin_addr.s_addr = naddr.v4.s_addr;
5148 ifp = r->rpool.cur->kif ?
5149 r->rpool.cur->kif->pfik_ifp : NULL;
5151 if (!PF_AZERO(&s->rt_addr, AF_INET))
5152 dst.sin_addr.s_addr =
5153 s->rt_addr.v4.s_addr;
5154 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
5162 if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS)
5164 else if (m0 == NULL)
5166 if (m0->m_len < sizeof(struct ip)) {
5167 DPFPRINTF(PF_DEBUG_URGENT,
5168 ("%s: m0->m_len < sizeof(struct ip)\n", __func__));
5171 ip = mtod(m0, struct ip *);
5174 if (ifp->if_flags & IFF_LOOPBACK)
5175 m0->m_flags |= M_SKIP_FIREWALL;
5177 /* Back to host byte order. */
5178 ip->ip_len = ntohs(ip->ip_len);
5179 ip->ip_off = ntohs(ip->ip_off);
5181 /* Copied from FreeBSD 10.0-CURRENT ip_output. */
5182 m0->m_pkthdr.csum_flags |= CSUM_IP;
5183 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist;
5184 if (sw_csum & CSUM_DELAY_DATA) {
5185 in_delayed_cksum(m0);
5186 sw_csum &= ~CSUM_DELAY_DATA;
5189 if (sw_csum & CSUM_SCTP) {
5190 sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2));
5191 sw_csum &= ~CSUM_SCTP;
5194 m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
5197 * If small enough for interface, or the interface will take
5198 * care of the fragmentation for us, we can just send directly.
5200 if (ip->ip_len <= ifp->if_mtu ||
5201 (m0->m_pkthdr.csum_flags & ifp->if_hwassist & CSUM_TSO) != 0 ||
5202 ((ip->ip_off & IP_DF) == 0 && (ifp->if_hwassist & CSUM_FRAGMENT))) {
5203 ip->ip_len = htons(ip->ip_len);
5204 ip->ip_off = htons(ip->ip_off);
5206 if (sw_csum & CSUM_DELAY_IP)
5207 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
5208 m0->m_flags &= ~(M_PROTOFLAGS);
5209 error = (*ifp->if_output)(ifp, m0, sintosa(&dst), NULL);
5213 /* Balk when DF bit is set or the interface didn't support TSO. */
5214 if ((ip->ip_off & IP_DF) || (m0->m_pkthdr.csum_flags & CSUM_TSO)) {
5216 KMOD_IPSTAT_INC(ips_cantfrag);
5217 if (r->rt != PF_DUPTO) {
5218 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
5225 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum);
5229 for (; m0; m0 = m1) {
5231 m0->m_nextpkt = NULL;
5233 m0->m_flags &= ~(M_PROTOFLAGS);
5234 error = (*ifp->if_output)(ifp, m0, sintosa(&dst), NULL);
5240 KMOD_IPSTAT_INC(ips_fragmented);
5243 if (r->rt != PF_DUPTO)
5258 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
5259 struct pf_state *s, struct pf_pdesc *pd)
5262 struct sockaddr_in6 dst;
5263 struct ip6_hdr *ip6;
5264 struct ifnet *ifp = NULL;
5265 struct pf_addr naddr;
5266 struct pf_src_node *sn = NULL;
5268 KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__));
5269 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction",
5272 if ((pd->pf_mtag == NULL &&
5273 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
5274 pd->pf_mtag->routed++ > 3) {
5280 if (r->rt == PF_DUPTO) {
5281 if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
5287 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) {
5295 ip6 = mtod(m0, struct ip6_hdr *);
5297 bzero(&dst, sizeof(dst));
5298 dst.sin6_family = AF_INET6;
5299 dst.sin6_len = sizeof(dst);
5300 dst.sin6_addr = ip6->ip6_dst;
5302 /* Cheat. XXX why only in the v6 case??? */
5303 if (r->rt == PF_FASTROUTE) {
5306 m0->m_flags |= M_SKIP_FIREWALL;
5307 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
5311 if (TAILQ_EMPTY(&r->rpool.list)) {
5312 DPFPRINTF(PF_DEBUG_URGENT,
5313 ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
5317 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
5319 if (!PF_AZERO(&naddr, AF_INET6))
5320 PF_ACPY((struct pf_addr *)&dst.sin6_addr,
5322 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
5324 if (!PF_AZERO(&s->rt_addr, AF_INET6))
5325 PF_ACPY((struct pf_addr *)&dst.sin6_addr,
5326 &s->rt_addr, AF_INET6);
5327 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
5337 if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS)
5339 else if (m0 == NULL)
5341 if (m0->m_len < sizeof(struct ip6_hdr)) {
5342 DPFPRINTF(PF_DEBUG_URGENT,
5343 ("%s: m0->m_len < sizeof(struct ip6_hdr)\n",
5347 ip6 = mtod(m0, struct ip6_hdr *);
5350 if (ifp->if_flags & IFF_LOOPBACK)
5351 m0->m_flags |= M_SKIP_FIREWALL;
5354 * If the packet is too large for the outgoing interface,
5355 * send back an icmp6 error.
5357 if (IN6_IS_SCOPE_EMBED(&dst.sin6_addr))
5358 dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
5359 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu)
5360 nd6_output(ifp, ifp, m0, &dst, NULL);
5362 in6_ifstat_inc(ifp, ifs6_in_toobig);
5363 if (r->rt != PF_DUPTO)
5364 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
5370 if (r->rt != PF_DUPTO)
5384 * FreeBSD supports cksum offloads for the following drivers.
5385 * em(4), fxp(4), ixgb(4), lge(4), ndis(4), nge(4), re(4),
5386 * ti(4), txp(4), xl(4)
5388 * CSUM_DATA_VALID | CSUM_PSEUDO_HDR :
5389 * network driver performed cksum including pseudo header, need to verify
5392 * network driver performed cksum, needs to additional pseudo header
5393 * cksum computation with partial csum_data(i.e. lack of H/W support for
5394 * pseudo header, for instance hme(4), sk(4) and possibly gem(4))
5396 * After validating the cksum of packet, set both flag CSUM_DATA_VALID and
5397 * CSUM_PSEUDO_HDR in order to avoid recomputation of the cksum in upper
5399 * Also, set csum_data to 0xffff to force cksum validation.
5402 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af)
5408 if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
5410 if (m->m_pkthdr.len < off + len)
5415 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
5416 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
5417 sum = m->m_pkthdr.csum_data;
5419 ip = mtod(m, struct ip *);
5420 sum = in_pseudo(ip->ip_src.s_addr,
5421 ip->ip_dst.s_addr, htonl((u_short)len +
5422 m->m_pkthdr.csum_data + IPPROTO_TCP));
5429 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
5430 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
5431 sum = m->m_pkthdr.csum_data;
5433 ip = mtod(m, struct ip *);
5434 sum = in_pseudo(ip->ip_src.s_addr,
5435 ip->ip_dst.s_addr, htonl((u_short)len +
5436 m->m_pkthdr.csum_data + IPPROTO_UDP));
5444 case IPPROTO_ICMPV6:
5454 if (p == IPPROTO_ICMP) {
5459 sum = in_cksum(m, len);
5463 if (m->m_len < sizeof(struct ip))
5465 sum = in4_cksum(m, p, off, len);
5470 if (m->m_len < sizeof(struct ip6_hdr))
5472 sum = in6_cksum(m, p, off, len);
5483 KMOD_TCPSTAT_INC(tcps_rcvbadsum);
5488 KMOD_UDPSTAT_INC(udps_badsum);
5494 KMOD_ICMPSTAT_INC(icps_checksum);
5499 case IPPROTO_ICMPV6:
5501 KMOD_ICMP6STAT_INC(icp6s_checksum);
5508 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
5509 m->m_pkthdr.csum_flags |=
5510 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
5511 m->m_pkthdr.csum_data = 0xffff;
5520 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
5522 struct pfi_kif *kif;
5523 u_short action, reason = 0, log = 0;
5524 struct mbuf *m = *m0;
5525 struct ip *h = NULL;
5526 struct m_tag *ipfwtag;
5527 struct pf_rule *a = NULL, *r = &V_pf_default_rule, *tr, *nr;
5528 struct pf_state *s = NULL;
5529 struct pf_ruleset *ruleset = NULL;
5531 int off, dirndx, pqid = 0;
5535 if (!V_pf_status.running)
5538 memset(&pd, 0, sizeof(pd));
5540 kif = (struct pfi_kif *)ifp->if_pf_kif;
5543 DPFPRINTF(PF_DEBUG_URGENT,
5544 ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
5547 if (kif->pfik_flags & PFI_IFLAG_SKIP)
5550 if (m->m_flags & M_SKIP_FIREWALL)
5553 if (m->m_pkthdr.len < (int)sizeof(struct ip)) {
5555 REASON_SET(&reason, PFRES_SHORT);
5560 pd.pf_mtag = pf_find_mtag(m);
5564 if (ip_divert_ptr != NULL &&
5565 ((ipfwtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) {
5566 struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(ipfwtag+1);
5567 if (rr->info & IPFW_IS_DIVERT && rr->rulenum == 0) {
5568 if (pd.pf_mtag == NULL &&
5569 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
5573 pd.pf_mtag->flags |= PF_PACKET_LOOPED;
5574 m_tag_delete(m, ipfwtag);
5576 if (pd.pf_mtag && pd.pf_mtag->flags & PF_FASTFWD_OURS_PRESENT) {
5577 m->m_flags |= M_FASTFWD_OURS;
5578 pd.pf_mtag->flags &= ~PF_FASTFWD_OURS_PRESENT;
5580 } else if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
5581 /* We do IP header normalization and packet reassembly here */
5585 m = *m0; /* pf_normalize messes with m0 */
5586 h = mtod(m, struct ip *);
5588 off = h->ip_hl << 2;
5589 if (off < (int)sizeof(struct ip)) {
5591 REASON_SET(&reason, PFRES_SHORT);
5596 pd.src = (struct pf_addr *)&h->ip_src;
5597 pd.dst = (struct pf_addr *)&h->ip_dst;
5598 pd.sport = pd.dport = NULL;
5599 pd.ip_sum = &h->ip_sum;
5600 pd.proto_sum = NULL;
5603 pd.sidx = (dir == PF_IN) ? 0 : 1;
5604 pd.didx = (dir == PF_IN) ? 1 : 0;
5607 pd.tot_len = ntohs(h->ip_len);
5609 /* handle fragments that didn't get reassembled by normalization */
5610 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
5611 action = pf_test_fragment(&r, dir, kif, m, h,
5622 if (!pf_pull_hdr(m, off, &th, sizeof(th),
5623 &action, &reason, AF_INET)) {
5624 log = action != PF_PASS;
5627 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5628 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
5630 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5631 if (action == PF_DROP)
5633 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5635 if (action == PF_PASS) {
5636 if (pfsync_update_state_ptr != NULL)
5637 pfsync_update_state_ptr(s);
5641 } else if (s == NULL)
5642 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5651 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
5652 &action, &reason, AF_INET)) {
5653 log = action != PF_PASS;
5656 if (uh.uh_dport == 0 ||
5657 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
5658 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
5660 REASON_SET(&reason, PFRES_SHORT);
5663 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5664 if (action == PF_PASS) {
5665 if (pfsync_update_state_ptr != NULL)
5666 pfsync_update_state_ptr(s);
5670 } else if (s == NULL)
5671 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5676 case IPPROTO_ICMP: {
5680 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
5681 &action, &reason, AF_INET)) {
5682 log = action != PF_PASS;
5685 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
5687 if (action == PF_PASS) {
5688 if (pfsync_update_state_ptr != NULL)
5689 pfsync_update_state_ptr(s);
5693 } else if (s == NULL)
5694 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5700 case IPPROTO_ICMPV6: {
5702 DPFPRINTF(PF_DEBUG_MISC,
5703 ("pf: dropping IPv4 packet with ICMPv6 payload\n"));
5709 action = pf_test_state_other(&s, dir, kif, m, &pd);
5710 if (action == PF_PASS) {
5711 if (pfsync_update_state_ptr != NULL)
5712 pfsync_update_state_ptr(s);
5716 } else if (s == NULL)
5717 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5724 if (action == PF_PASS && h->ip_hl > 5 &&
5725 !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
5727 REASON_SET(&reason, PFRES_IPOPTIONS);
5729 DPFPRINTF(PF_DEBUG_MISC,
5730 ("pf: dropping packet with ip options\n"));
5733 if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) {
5735 REASON_SET(&reason, PFRES_MEMORY);
5737 if (r->rtableid >= 0)
5738 M_SETFIB(m, r->rtableid);
5741 if (action == PF_PASS && r->qid) {
5742 if (pd.pf_mtag == NULL &&
5743 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
5745 REASON_SET(&reason, PFRES_MEMORY);
5747 if (pqid || (pd.tos & IPTOS_LOWDELAY))
5748 pd.pf_mtag->qid = r->pqid;
5750 pd.pf_mtag->qid = r->qid;
5751 /* add hints for ecn */
5752 pd.pf_mtag->hdr = h;
5758 * connections redirected to loopback should not match sockets
5759 * bound specifically to loopback due to security implications,
5760 * see tcp_input() and in_pcblookup_listen().
5762 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5763 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5764 (s->nat_rule.ptr->action == PF_RDR ||
5765 s->nat_rule.ptr->action == PF_BINAT) &&
5766 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
5767 m->m_flags |= M_SKIP_FIREWALL;
5769 if (action == PF_PASS && r->divert.port && ip_divert_ptr != NULL &&
5770 !PACKET_LOOPED(&pd)) {
5772 ipfwtag = m_tag_alloc(MTAG_IPFW_RULE, 0,
5773 sizeof(struct ipfw_rule_ref), M_NOWAIT | M_ZERO);
5774 if (ipfwtag != NULL) {
5775 ((struct ipfw_rule_ref *)(ipfwtag+1))->info =
5776 ntohs(r->divert.port);
5777 ((struct ipfw_rule_ref *)(ipfwtag+1))->rulenum = dir;
5782 m_tag_prepend(m, ipfwtag);
5783 if (m->m_flags & M_FASTFWD_OURS) {
5784 if (pd.pf_mtag == NULL &&
5785 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
5787 REASON_SET(&reason, PFRES_MEMORY);
5789 DPFPRINTF(PF_DEBUG_MISC,
5790 ("pf: failed to allocate tag\n"));
5792 pd.pf_mtag->flags |= PF_FASTFWD_OURS_PRESENT;
5793 m->m_flags &= ~M_FASTFWD_OURS;
5795 ip_divert_ptr(*m0, dir == PF_IN ? DIR_IN : DIR_OUT);
5800 /* XXX: ipfw has the same behaviour! */
5802 REASON_SET(&reason, PFRES_MEMORY);
5804 DPFPRINTF(PF_DEBUG_MISC,
5805 ("pf: failed to allocate divert tag\n"));
5812 if (s != NULL && s->nat_rule.ptr != NULL &&
5813 s->nat_rule.ptr->log & PF_LOG_ALL)
5814 lr = s->nat_rule.ptr;
5817 PFLOG_PACKET(kif, m, AF_INET, dir, reason, lr, a, ruleset, &pd,
5821 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
5822 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
5824 if (action == PF_PASS || r->action == PF_DROP) {
5825 dirndx = (dir == PF_OUT);
5826 r->packets[dirndx]++;
5827 r->bytes[dirndx] += pd.tot_len;
5829 a->packets[dirndx]++;
5830 a->bytes[dirndx] += pd.tot_len;
5833 if (s->nat_rule.ptr != NULL) {
5834 s->nat_rule.ptr->packets[dirndx]++;
5835 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
5837 if (s->src_node != NULL) {
5838 s->src_node->packets[dirndx]++;
5839 s->src_node->bytes[dirndx] += pd.tot_len;
5841 if (s->nat_src_node != NULL) {
5842 s->nat_src_node->packets[dirndx]++;
5843 s->nat_src_node->bytes[dirndx] += pd.tot_len;
5845 dirndx = (dir == s->direction) ? 0 : 1;
5846 s->packets[dirndx]++;
5847 s->bytes[dirndx] += pd.tot_len;
5850 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
5851 if (nr != NULL && r == &V_pf_default_rule)
5853 if (tr->src.addr.type == PF_ADDR_TABLE)
5854 pfr_update_stats(tr->src.addr.p.tbl,
5855 (s == NULL) ? pd.src :
5856 &s->key[(s->direction == PF_IN)]->
5857 addr[(s->direction == PF_OUT)],
5858 pd.af, pd.tot_len, dir == PF_OUT,
5859 r->action == PF_PASS, tr->src.neg);
5860 if (tr->dst.addr.type == PF_ADDR_TABLE)
5861 pfr_update_stats(tr->dst.addr.p.tbl,
5862 (s == NULL) ? pd.dst :
5863 &s->key[(s->direction == PF_IN)]->
5864 addr[(s->direction == PF_IN)],
5865 pd.af, pd.tot_len, dir == PF_OUT,
5866 r->action == PF_PASS, tr->dst.neg);
5870 case PF_SYNPROXY_DROP:
5877 /* pf_route() returns unlocked. */
5879 pf_route(m0, r, dir, kif->pfik_ifp, s, &pd);
5893 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
5895 struct pfi_kif *kif;
5896 u_short action, reason = 0, log = 0;
5897 struct mbuf *m = *m0, *n = NULL;
5898 struct ip6_hdr *h = NULL;
5899 struct pf_rule *a = NULL, *r = &V_pf_default_rule, *tr, *nr;
5900 struct pf_state *s = NULL;
5901 struct pf_ruleset *ruleset = NULL;
5903 int off, terminal = 0, dirndx, rh_cnt = 0;
5907 if (!V_pf_status.running)
5910 memset(&pd, 0, sizeof(pd));
5911 pd.pf_mtag = pf_find_mtag(m);
5913 if (pd.pf_mtag && pd.pf_mtag->flags & PF_TAG_GENERATED)
5916 kif = (struct pfi_kif *)ifp->if_pf_kif;
5918 DPFPRINTF(PF_DEBUG_URGENT,
5919 ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
5922 if (kif->pfik_flags & PFI_IFLAG_SKIP)
5925 if (m->m_pkthdr.len < (int)sizeof(*h)) {
5927 REASON_SET(&reason, PFRES_SHORT);
5934 /* We do IP header normalization and packet reassembly here */
5935 if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
5939 m = *m0; /* pf_normalize messes with m0 */
5940 h = mtod(m, struct ip6_hdr *);
5944 * we do not support jumbogram yet. if we keep going, zero ip6_plen
5945 * will do something bad, so drop the packet for now.
5947 if (htons(h->ip6_plen) == 0) {
5949 REASON_SET(&reason, PFRES_NORM); /*XXX*/
5954 pd.src = (struct pf_addr *)&h->ip6_src;
5955 pd.dst = (struct pf_addr *)&h->ip6_dst;
5956 pd.sport = pd.dport = NULL;
5958 pd.proto_sum = NULL;
5960 pd.sidx = (dir == PF_IN) ? 0 : 1;
5961 pd.didx = (dir == PF_IN) ? 1 : 0;
5964 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
5966 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
5967 pd.proto = h->ip6_nxt;
5970 case IPPROTO_FRAGMENT:
5971 action = pf_test_fragment(&r, dir, kif, m, h,
5973 if (action == PF_DROP)
5974 REASON_SET(&reason, PFRES_FRAG);
5976 case IPPROTO_ROUTING: {
5977 struct ip6_rthdr rthdr;
5980 DPFPRINTF(PF_DEBUG_MISC,
5981 ("pf: IPv6 more than one rthdr\n"));
5983 REASON_SET(&reason, PFRES_IPOPTIONS);
5987 if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
5989 DPFPRINTF(PF_DEBUG_MISC,
5990 ("pf: IPv6 short rthdr\n"));
5992 REASON_SET(&reason, PFRES_SHORT);
5996 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
5997 DPFPRINTF(PF_DEBUG_MISC,
5998 ("pf: IPv6 rthdr0\n"));
6000 REASON_SET(&reason, PFRES_IPOPTIONS);
6007 case IPPROTO_HOPOPTS:
6008 case IPPROTO_DSTOPTS: {
6009 /* get next header and header length */
6010 struct ip6_ext opt6;
6012 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
6013 NULL, &reason, pd.af)) {
6014 DPFPRINTF(PF_DEBUG_MISC,
6015 ("pf: IPv6 short opt\n"));
6020 if (pd.proto == IPPROTO_AH)
6021 off += (opt6.ip6e_len + 2) * 4;
6023 off += (opt6.ip6e_len + 1) * 8;
6024 pd.proto = opt6.ip6e_nxt;
6025 /* goto the next header */
6032 } while (!terminal);
6034 /* if there's no routing header, use unmodified mbuf for checksumming */
6044 if (!pf_pull_hdr(m, off, &th, sizeof(th),
6045 &action, &reason, AF_INET6)) {
6046 log = action != PF_PASS;
6049 pd.p_len = pd.tot_len - off - (th.th_off << 2);
6050 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6051 if (action == PF_DROP)
6053 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6055 if (action == PF_PASS) {
6056 if (pfsync_update_state_ptr != NULL)
6057 pfsync_update_state_ptr(s);
6061 } else if (s == NULL)
6062 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6071 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
6072 &action, &reason, AF_INET6)) {
6073 log = action != PF_PASS;
6076 if (uh.uh_dport == 0 ||
6077 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
6078 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
6080 REASON_SET(&reason, PFRES_SHORT);
6083 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6084 if (action == PF_PASS) {
6085 if (pfsync_update_state_ptr != NULL)
6086 pfsync_update_state_ptr(s);
6090 } else if (s == NULL)
6091 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6096 case IPPROTO_ICMP: {
6098 DPFPRINTF(PF_DEBUG_MISC,
6099 ("pf: dropping IPv6 packet with ICMPv4 payload\n"));
6103 case IPPROTO_ICMPV6: {
6104 struct icmp6_hdr ih;
6107 if (!pf_pull_hdr(m, off, &ih, sizeof(ih),
6108 &action, &reason, AF_INET6)) {
6109 log = action != PF_PASS;
6112 action = pf_test_state_icmp(&s, dir, kif,
6113 m, off, h, &pd, &reason);
6114 if (action == PF_PASS) {
6115 if (pfsync_update_state_ptr != NULL)
6116 pfsync_update_state_ptr(s);
6120 } else if (s == NULL)
6121 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6127 action = pf_test_state_other(&s, dir, kif, m, &pd);
6128 if (action == PF_PASS) {
6129 if (pfsync_update_state_ptr != NULL)
6130 pfsync_update_state_ptr(s);
6134 } else if (s == NULL)
6135 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6147 /* handle dangerous IPv6 extension headers. */
6148 if (action == PF_PASS && rh_cnt &&
6149 !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
6151 REASON_SET(&reason, PFRES_IPOPTIONS);
6153 DPFPRINTF(PF_DEBUG_MISC,
6154 ("pf: dropping packet with dangerous v6 headers\n"));
6157 if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) {
6159 REASON_SET(&reason, PFRES_MEMORY);
6161 if (r->rtableid >= 0)
6162 M_SETFIB(m, r->rtableid);
6165 if (action == PF_PASS && r->qid) {
6166 if (pd.pf_mtag == NULL &&
6167 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
6169 REASON_SET(&reason, PFRES_MEMORY);
6171 if (pd.tos & IPTOS_LOWDELAY)
6172 pd.pf_mtag->qid = r->pqid;
6174 pd.pf_mtag->qid = r->qid;
6175 /* add hints for ecn */
6176 pd.pf_mtag->hdr = h;
6180 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
6181 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
6182 (s->nat_rule.ptr->action == PF_RDR ||
6183 s->nat_rule.ptr->action == PF_BINAT) &&
6184 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
6185 m->m_flags |= M_SKIP_FIREWALL;
6187 /* XXX: Anybody working on it?! */
6189 printf("pf: divert(9) is not supported for IPv6\n");
6194 if (s != NULL && s->nat_rule.ptr != NULL &&
6195 s->nat_rule.ptr->log & PF_LOG_ALL)
6196 lr = s->nat_rule.ptr;
6199 PFLOG_PACKET(kif, m, AF_INET6, dir, reason, lr, a, ruleset,
6203 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6204 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
6206 if (action == PF_PASS || r->action == PF_DROP) {
6207 dirndx = (dir == PF_OUT);
6208 r->packets[dirndx]++;
6209 r->bytes[dirndx] += pd.tot_len;
6211 a->packets[dirndx]++;
6212 a->bytes[dirndx] += pd.tot_len;
6215 if (s->nat_rule.ptr != NULL) {
6216 s->nat_rule.ptr->packets[dirndx]++;
6217 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
6219 if (s->src_node != NULL) {
6220 s->src_node->packets[dirndx]++;
6221 s->src_node->bytes[dirndx] += pd.tot_len;
6223 if (s->nat_src_node != NULL) {
6224 s->nat_src_node->packets[dirndx]++;
6225 s->nat_src_node->bytes[dirndx] += pd.tot_len;
6227 dirndx = (dir == s->direction) ? 0 : 1;
6228 s->packets[dirndx]++;
6229 s->bytes[dirndx] += pd.tot_len;
6232 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
6233 if (nr != NULL && r == &V_pf_default_rule)
6235 if (tr->src.addr.type == PF_ADDR_TABLE)
6236 pfr_update_stats(tr->src.addr.p.tbl,
6237 (s == NULL) ? pd.src :
6238 &s->key[(s->direction == PF_IN)]->addr[0],
6239 pd.af, pd.tot_len, dir == PF_OUT,
6240 r->action == PF_PASS, tr->src.neg);
6241 if (tr->dst.addr.type == PF_ADDR_TABLE)
6242 pfr_update_stats(tr->dst.addr.p.tbl,
6243 (s == NULL) ? pd.dst :
6244 &s->key[(s->direction == PF_IN)]->addr[1],
6245 pd.af, pd.tot_len, dir == PF_OUT,
6246 r->action == PF_PASS, tr->dst.neg);
6250 case PF_SYNPROXY_DROP:
6257 /* pf_route6() returns unlocked. */
6259 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);