1 /* $OpenBSD: pf.c,v 1.527 2007/02/22 15:23:23 pyr Exp $ */
2 /* add: $OpenBSD: pf.c,v 1.559 2007/09/18 18:45:59 markus Exp $ */
5 * Copyright (c) 2001 Daniel Hartmeier
6 * Copyright (c) 2002,2003 Henning Brauer
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
41 #include "opt_inet6.h"
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD$");
53 #define NBPFILTER DEV_BPF
59 #define NPFLOG DEV_PFLOG
65 #define NPFSYNC DEV_PFSYNC
76 #include <sys/param.h>
77 #include <sys/systm.h>
79 #include <sys/filio.h>
80 #include <sys/socket.h>
81 #include <sys/socketvar.h>
82 #include <sys/kernel.h>
85 #include <sys/sysctl.h>
86 #include <sys/endian.h>
92 #include <sys/kthread.h>
96 #include <sys/rwlock.h>
100 #include <net/if_types.h>
102 #include <net/route.h>
104 #include <net/radix_mpath.h>
107 #include <netinet/in.h>
108 #include <netinet/in_var.h>
109 #include <netinet/in_systm.h>
110 #include <netinet/ip.h>
111 #include <netinet/ip_var.h>
112 #include <netinet/tcp.h>
113 #include <netinet/tcp_seq.h>
114 #include <netinet/udp.h>
115 #include <netinet/ip_icmp.h>
116 #include <netinet/in_pcb.h>
117 #include <netinet/tcp_timer.h>
118 #include <netinet/tcp_var.h>
119 #include <netinet/udp_var.h>
120 #include <netinet/icmp_var.h>
121 #include <netinet/if_ether.h>
124 #include <dev/rndvar.h>
126 #include <net/pfvar.h>
127 #include <net/if_pflog.h>
130 #include <net/if_pfsync.h>
131 #endif /* NPFSYNC > 0 */
134 #include <netinet/ip6.h>
135 #include <netinet/in_pcb.h>
136 #include <netinet/icmp6.h>
137 #include <netinet6/nd6.h>
139 #include <netinet6/ip6_var.h>
140 #include <netinet6/in6_pcb.h>
145 #include <machine/in_cksum.h>
146 #include <sys/limits.h>
147 #include <sys/ucred.h>
148 #include <security/mac/mac_framework.h>
150 extern int ip_optcopy(struct ip *, struct ip *);
151 extern int debug_pfugidhack;
154 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
160 struct pf_altqqueue pf_altqs[2];
161 struct pf_palist pf_pabuf;
162 struct pf_altqqueue *pf_altqs_active;
163 struct pf_altqqueue *pf_altqs_inactive;
164 struct pf_status pf_status;
166 u_int32_t ticket_altqs_active;
167 u_int32_t ticket_altqs_inactive;
168 int altqs_inactive_open;
169 u_int32_t ticket_pabuf;
171 struct pf_anchor_stackframe {
172 struct pf_ruleset *rs;
174 struct pf_anchor_node *parent;
175 struct pf_anchor *child;
176 } pf_anchor_stack[64];
179 uma_zone_t pf_src_tree_pl, pf_rule_pl;
180 uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
182 struct pool pf_src_tree_pl, pf_rule_pl;
183 struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
186 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
188 void pf_init_threshold(struct pf_threshold *, u_int32_t,
190 void pf_add_threshold(struct pf_threshold *);
191 int pf_check_threshold(struct pf_threshold *);
193 void pf_change_ap(struct pf_addr *, u_int16_t *,
194 u_int16_t *, u_int16_t *, struct pf_addr *,
195 u_int16_t, u_int8_t, sa_family_t);
196 int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
197 struct tcphdr *, struct pf_state_peer *);
199 void pf_change_a6(struct pf_addr *, u_int16_t *,
200 struct pf_addr *, u_int8_t);
202 void pf_change_icmp(struct pf_addr *, u_int16_t *,
203 struct pf_addr *, struct pf_addr *, u_int16_t,
204 u_int16_t *, u_int16_t *, u_int16_t *,
205 u_int16_t *, u_int8_t, sa_family_t);
207 void pf_send_tcp(struct mbuf *,
208 const struct pf_rule *, sa_family_t,
210 void pf_send_tcp(const struct pf_rule *, sa_family_t,
212 const struct pf_addr *, const struct pf_addr *,
213 u_int16_t, u_int16_t, u_int32_t, u_int32_t,
214 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
215 u_int16_t, struct ether_header *, struct ifnet *);
216 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
217 sa_family_t, struct pf_rule *);
218 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
219 int, int, struct pfi_kif *,
220 struct pf_addr *, u_int16_t, struct pf_addr *,
222 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
223 int, int, struct pfi_kif *, struct pf_src_node **,
224 struct pf_addr *, u_int16_t,
225 struct pf_addr *, u_int16_t,
226 struct pf_addr *, u_int16_t *);
227 int pf_test_tcp(struct pf_rule **, struct pf_state **,
228 int, struct pfi_kif *, struct mbuf *, int,
229 void *, struct pf_pdesc *, struct pf_rule **,
231 struct pf_ruleset **, struct ifqueue *,
234 struct pf_ruleset **, struct ifqueue *);
236 int pf_test_udp(struct pf_rule **, struct pf_state **,
237 int, struct pfi_kif *, struct mbuf *, int,
238 void *, struct pf_pdesc *, struct pf_rule **,
240 struct pf_ruleset **, struct ifqueue *,
243 struct pf_ruleset **, struct ifqueue *);
245 int pf_test_icmp(struct pf_rule **, struct pf_state **,
246 int, struct pfi_kif *, struct mbuf *, int,
247 void *, struct pf_pdesc *, struct pf_rule **,
248 struct pf_ruleset **, struct ifqueue *);
249 int pf_test_other(struct pf_rule **, struct pf_state **,
250 int, struct pfi_kif *, struct mbuf *, int, void *,
251 struct pf_pdesc *, struct pf_rule **,
252 struct pf_ruleset **, struct ifqueue *);
253 int pf_test_fragment(struct pf_rule **, int,
254 struct pfi_kif *, struct mbuf *, void *,
255 struct pf_pdesc *, struct pf_rule **,
256 struct pf_ruleset **);
257 int pf_test_state_tcp(struct pf_state **, int,
258 struct pfi_kif *, struct mbuf *, int,
259 void *, struct pf_pdesc *, u_short *);
260 int pf_test_state_udp(struct pf_state **, int,
261 struct pfi_kif *, struct mbuf *, int,
262 void *, struct pf_pdesc *);
263 int pf_test_state_icmp(struct pf_state **, int,
264 struct pfi_kif *, struct mbuf *, int,
265 void *, struct pf_pdesc *, u_short *);
266 int pf_test_state_other(struct pf_state **, int,
267 struct pfi_kif *, struct pf_pdesc *);
268 int pf_match_tag(struct mbuf *, struct pf_rule *,
269 struct pf_mtag *, int *);
270 int pf_step_out_of_anchor(int *, struct pf_ruleset **,
271 int, struct pf_rule **, struct pf_rule **,
273 void pf_hash(struct pf_addr *, struct pf_addr *,
274 struct pf_poolhashkey *, sa_family_t);
275 int pf_map_addr(u_int8_t, struct pf_rule *,
276 struct pf_addr *, struct pf_addr *,
277 struct pf_addr *, struct pf_src_node **);
278 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
279 struct pf_addr *, struct pf_addr *, u_int16_t,
280 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
281 struct pf_src_node **);
282 void pf_route(struct mbuf **, struct pf_rule *, int,
283 struct ifnet *, struct pf_state *,
285 void pf_route6(struct mbuf **, struct pf_rule *, int,
286 struct ifnet *, struct pf_state *,
291 int pf_socket_lookup(int, struct pf_pdesc *);
293 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t,
295 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t,
297 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
299 void pf_set_rt_ifp(struct pf_state *,
301 int pf_check_proto_cksum(struct mbuf *, int, int,
302 u_int8_t, sa_family_t);
303 int pf_addr_wrap_neq(struct pf_addr_wrap *,
304 struct pf_addr_wrap *);
305 struct pf_state *pf_find_state_recurse(struct pfi_kif *,
306 struct pf_state_cmp *, u_int8_t);
307 int pf_src_connlimit(struct pf_state **);
308 int pf_check_congestion(struct ifqueue *);
311 int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len);
313 extern int pf_end_threads;
315 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
317 extern struct pool pfr_ktable_pl;
318 extern struct pool pfr_kentry_pl;
320 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
321 { &pf_state_pl, PFSTATE_HIWAT },
322 { &pf_src_tree_pl, PFSNODE_HIWAT },
323 { &pf_frent_pl, PFFRAG_FRENT_HIWAT },
324 { &pfr_ktable_pl, PFR_KTABLE_HIWAT },
325 { &pfr_kentry_pl, PFR_KENTRY_HIWAT }
329 #define STATE_LOOKUP() \
331 if (direction == PF_IN) \
332 *state = pf_find_state_recurse( \
333 kif, &key, PF_EXT_GWY); \
335 *state = pf_find_state_recurse( \
336 kif, &key, PF_LAN_EXT); \
337 if (*state == NULL || (*state)->timeout == PFTM_PURGE) \
339 if (direction == PF_OUT && \
340 (((*state)->rule.ptr->rt == PF_ROUTETO && \
341 (*state)->rule.ptr->direction == PF_OUT) || \
342 ((*state)->rule.ptr->rt == PF_REPLYTO && \
343 (*state)->rule.ptr->direction == PF_IN)) && \
344 (*state)->rt_kif != NULL && \
345 (*state)->rt_kif != kif) \
349 #define STATE_TRANSLATE(s) \
350 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
351 ((s)->af == AF_INET6 && \
352 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \
353 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \
354 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \
355 (s)->lan.port != (s)->gwy.port
357 #define BOUND_IFACE(r, k) \
358 ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : pfi_all
360 #define STATE_INC_COUNTERS(s) \
362 s->rule.ptr->states++; \
363 if (s->anchor.ptr != NULL) \
364 s->anchor.ptr->states++; \
365 if (s->nat_rule.ptr != NULL) \
366 s->nat_rule.ptr->states++; \
369 #define STATE_DEC_COUNTERS(s) \
371 if (s->nat_rule.ptr != NULL) \
372 s->nat_rule.ptr->states--; \
373 if (s->anchor.ptr != NULL) \
374 s->anchor.ptr->states--; \
375 s->rule.ptr->states--; \
378 struct pf_src_tree tree_src_tracking;
380 struct pf_state_tree_id tree_id;
381 struct pf_state_queue state_list;
384 static int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
385 static int pf_state_compare_lan_ext(struct pf_state *, struct pf_state *);
386 static int pf_state_compare_ext_gwy(struct pf_state *, struct pf_state *);
387 static int pf_state_compare_id(struct pf_state *, struct pf_state *);
390 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
391 RB_GENERATE(pf_state_tree_lan_ext, pf_state,
392 u.s.entry_lan_ext, pf_state_compare_lan_ext);
393 RB_GENERATE(pf_state_tree_ext_gwy, pf_state,
394 u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
395 RB_GENERATE(pf_state_tree_id, pf_state,
396 u.s.entry_id, pf_state_compare_id);
403 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
407 if (a->rule.ptr > b->rule.ptr)
409 if (a->rule.ptr < b->rule.ptr)
411 if ((diff = a->af - b->af) != 0)
416 if (a->addr.addr32[0] > b->addr.addr32[0])
418 if (a->addr.addr32[0] < b->addr.addr32[0])
424 if (a->addr.addr32[3] > b->addr.addr32[3])
426 if (a->addr.addr32[3] < b->addr.addr32[3])
428 if (a->addr.addr32[2] > b->addr.addr32[2])
430 if (a->addr.addr32[2] < b->addr.addr32[2])
432 if (a->addr.addr32[1] > b->addr.addr32[1])
434 if (a->addr.addr32[1] < b->addr.addr32[1])
436 if (a->addr.addr32[0] > b->addr.addr32[0])
438 if (a->addr.addr32[0] < b->addr.addr32[0])
451 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b)
455 if ((diff = a->proto - b->proto) != 0)
457 if ((diff = a->af - b->af) != 0)
462 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
464 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
466 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
468 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
474 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3])
476 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3])
478 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
480 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
482 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2])
484 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2])
486 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
488 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
490 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1])
492 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1])
494 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
496 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
498 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
500 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
502 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
504 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
510 if ((diff = a->lan.port - b->lan.port) != 0)
512 if ((diff = a->ext.port - b->ext.port) != 0)
523 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b)
527 if ((diff = a->proto - b->proto) != 0)
529 if ((diff = a->af - b->af) != 0)
534 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
536 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
538 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
540 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
546 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
548 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
550 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3])
552 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3])
554 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
556 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
558 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2])
560 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2])
562 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
564 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
566 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1])
568 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1])
570 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
572 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
574 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
576 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
582 if ((diff = a->ext.port - b->ext.port) != 0)
584 if ((diff = a->gwy.port - b->gwy.port) != 0)
595 pf_state_compare_id(struct pf_state *a, struct pf_state *b)
601 if (a->creatorid > b->creatorid)
603 if (a->creatorid < b->creatorid)
611 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
616 dst->addr32[0] = src->addr32[0];
620 dst->addr32[0] = src->addr32[0];
621 dst->addr32[1] = src->addr32[1];
622 dst->addr32[2] = src->addr32[2];
623 dst->addr32[3] = src->addr32[3];
630 pf_find_state_byid(struct pf_state_cmp *key)
632 pf_status.fcounters[FCNT_STATE_SEARCH]++;
633 return (RB_FIND(pf_state_tree_id, &tree_id, (struct pf_state *)key));
637 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state_cmp *key, u_int8_t tree)
641 pf_status.fcounters[FCNT_STATE_SEARCH]++;
645 if ((s = RB_FIND(pf_state_tree_lan_ext, &kif->pfik_lan_ext,
646 (struct pf_state *)key)) != NULL)
648 if ((s = RB_FIND(pf_state_tree_lan_ext, &pfi_all->pfik_lan_ext,
649 (struct pf_state *)key)) != NULL)
653 if ((s = RB_FIND(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy,
654 (struct pf_state *)key)) != NULL)
656 if ((s = RB_FIND(pf_state_tree_ext_gwy, &pfi_all->pfik_ext_gwy,
657 (struct pf_state *)key)) != NULL)
661 panic("pf_find_state_recurse");
666 pf_find_state_all(struct pf_state_cmp *key, u_int8_t tree, int *more)
668 struct pf_state *s, *ss = NULL;
671 pf_status.fcounters[FCNT_STATE_SEARCH]++;
675 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
676 s = RB_FIND(pf_state_tree_lan_ext,
677 &kif->pfik_lan_ext, (struct pf_state *)key);
687 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
688 s = RB_FIND(pf_state_tree_ext_gwy,
689 &kif->pfik_ext_gwy, (struct pf_state *)key);
699 panic("pf_find_state_all");
704 pf_init_threshold(struct pf_threshold *threshold,
705 u_int32_t limit, u_int32_t seconds)
707 threshold->limit = limit * PF_THRESHOLD_MULT;
708 threshold->seconds = seconds;
709 threshold->count = 0;
710 threshold->last = time_second;
714 pf_add_threshold(struct pf_threshold *threshold)
716 u_int32_t t = time_second, diff = t - threshold->last;
718 if (diff >= threshold->seconds)
719 threshold->count = 0;
721 threshold->count -= threshold->count * diff /
723 threshold->count += PF_THRESHOLD_MULT;
728 pf_check_threshold(struct pf_threshold *threshold)
730 return (threshold->count > threshold->limit);
734 pf_src_connlimit(struct pf_state **state)
739 (*state)->src_node->conn++;
740 (*state)->src.tcp_est = 1;
741 pf_add_threshold(&(*state)->src_node->conn_rate);
743 if ((*state)->rule.ptr->max_src_conn &&
744 (*state)->rule.ptr->max_src_conn <
745 (*state)->src_node->conn) {
746 pf_status.lcounters[LCNT_SRCCONN]++;
750 if ((*state)->rule.ptr->max_src_conn_rate.limit &&
751 pf_check_threshold(&(*state)->src_node->conn_rate)) {
752 pf_status.lcounters[LCNT_SRCCONNRATE]++;
759 if ((*state)->rule.ptr->overload_tbl) {
761 u_int32_t killed = 0;
763 pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
764 if (pf_status.debug >= PF_DEBUG_MISC) {
765 printf("pf_src_connlimit: blocking address ");
766 pf_print_host(&(*state)->src_node->addr, 0,
770 bzero(&p, sizeof(p));
771 p.pfra_af = (*state)->af;
772 switch ((*state)->af) {
776 p.pfra_ip4addr = (*state)->src_node->addr.v4;
782 p.pfra_ip6addr = (*state)->src_node->addr.v6;
787 pfr_insert_kentry((*state)->rule.ptr->overload_tbl,
790 /* kill existing states if that's required. */
791 if ((*state)->rule.ptr->flush) {
792 pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
794 RB_FOREACH(s, pf_state_tree_id, &tree_id) {
796 * Kill states from this source. (Only those
797 * from the same rule if PF_FLUSH_GLOBAL is not
800 if (s->af == (*state)->af &&
801 (((*state)->direction == PF_OUT &&
802 PF_AEQ(&(*state)->src_node->addr,
803 &s->lan.addr, s->af)) ||
804 ((*state)->direction == PF_IN &&
805 PF_AEQ(&(*state)->src_node->addr,
806 &s->ext.addr, s->af))) &&
807 ((*state)->rule.ptr->flush &
809 (*state)->rule.ptr == s->rule.ptr)) {
810 s->timeout = PFTM_PURGE;
811 s->src.state = s->dst.state =
816 if (pf_status.debug >= PF_DEBUG_MISC)
817 printf(", %u states killed", killed);
819 if (pf_status.debug >= PF_DEBUG_MISC)
823 /* kill this state */
824 (*state)->timeout = PFTM_PURGE;
825 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
830 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
831 struct pf_addr *src, sa_family_t af)
833 struct pf_src_node k;
837 PF_ACPY(&k.addr, src, af);
838 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
839 rule->rpool.opts & PF_POOL_STICKYADDR)
843 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
844 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
847 if (!rule->max_src_nodes ||
848 rule->src_nodes < rule->max_src_nodes)
849 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
851 pf_status.lcounters[LCNT_SRCNODES]++;
854 bzero(*sn, sizeof(struct pf_src_node));
856 pf_init_threshold(&(*sn)->conn_rate,
857 rule->max_src_conn_rate.limit,
858 rule->max_src_conn_rate.seconds);
861 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
862 rule->rpool.opts & PF_POOL_STICKYADDR)
863 (*sn)->rule.ptr = rule;
865 (*sn)->rule.ptr = NULL;
866 PF_ACPY(&(*sn)->addr, src, af);
867 if (RB_INSERT(pf_src_tree,
868 &tree_src_tracking, *sn) != NULL) {
869 if (pf_status.debug >= PF_DEBUG_MISC) {
870 printf("pf: src_tree insert failed: ");
871 pf_print_host(&(*sn)->addr, 0, af);
874 pool_put(&pf_src_tree_pl, *sn);
877 (*sn)->creation = time_second;
878 (*sn)->ruletype = rule->action;
879 if ((*sn)->rule.ptr != NULL)
880 (*sn)->rule.ptr->src_nodes++;
881 pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
882 pf_status.src_nodes++;
884 if (rule->max_src_states &&
885 (*sn)->states >= rule->max_src_states) {
886 pf_status.lcounters[LCNT_SRCSTATES]++;
894 pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
896 /* Thou MUST NOT insert multiple duplicate keys */
897 state->u.s.kif = kif;
898 if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) {
899 if (pf_status.debug >= PF_DEBUG_MISC) {
900 printf("pf: state insert failed: tree_lan_ext");
902 pf_print_host(&state->lan.addr, state->lan.port,
905 pf_print_host(&state->gwy.addr, state->gwy.port,
908 pf_print_host(&state->ext.addr, state->ext.port,
910 if (state->sync_flags & PFSTATE_FROMSYNC)
911 printf(" (from sync)");
917 if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) {
918 if (pf_status.debug >= PF_DEBUG_MISC) {
919 printf("pf: state insert failed: tree_ext_gwy");
921 pf_print_host(&state->lan.addr, state->lan.port,
924 pf_print_host(&state->gwy.addr, state->gwy.port,
927 pf_print_host(&state->ext.addr, state->ext.port,
929 if (state->sync_flags & PFSTATE_FROMSYNC)
930 printf(" (from sync)");
933 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
937 if (state->id == 0 && state->creatorid == 0) {
938 state->id = htobe64(pf_status.stateid++);
939 state->creatorid = pf_status.hostid;
941 if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) {
942 if (pf_status.debug >= PF_DEBUG_MISC) {
944 printf("pf: state insert failed: "
945 "id: %016llx creatorid: %08x",
946 (long long)be64toh(state->id),
947 ntohl(state->creatorid));
949 printf("pf: state insert failed: "
950 "id: %016llx creatorid: %08x",
951 betoh64(state->id), ntohl(state->creatorid));
953 if (state->sync_flags & PFSTATE_FROMSYNC)
954 printf(" (from sync)");
957 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
958 RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state);
961 TAILQ_INSERT_TAIL(&state_list, state, u.s.entry_list);
962 pf_status.fcounters[FCNT_STATE_INSERT]++;
964 pfi_kif_ref(kif, PFI_KIF_REF_STATE);
966 pfsync_insert_state(state);
972 pf_purge_thread(void *v)
977 tsleep(pf_purge_thread, PWAIT, "pftm", 1 * hz);
980 sx_slock(&pf_consistency_lock);
983 if (pf_end_threads) {
984 pf_purge_expired_states(pf_status.states);
985 pf_purge_expired_fragments();
986 pf_purge_expired_src_nodes(0);
989 sx_sunlock(&pf_consistency_lock);
991 wakeup(pf_purge_thread);
997 /* process a fraction of the state table every second */
998 pf_purge_expired_states(1 + (pf_status.states
999 / pf_default_rule.timeout[PFTM_INTERVAL]));
1001 /* purge other expired types every PFTM_INTERVAL seconds */
1002 if (++nloops >= pf_default_rule.timeout[PFTM_INTERVAL]) {
1003 pf_purge_expired_fragments();
1004 pf_purge_expired_src_nodes(0);
1011 sx_sunlock(&pf_consistency_lock);
1017 pf_state_expires(const struct pf_state *state)
1024 /* handle all PFTM_* > PFTM_MAX here */
1025 if (state->timeout == PFTM_PURGE)
1026 return (time_second);
1027 if (state->timeout == PFTM_UNTIL_PACKET)
1030 KASSERT(state->timeout != PFTM_UNLINKED,
1031 ("pf_state_expires: timeout == PFTM_UNLINKED"));
1032 KASSERT((state->timeout < PFTM_MAX),
1033 ("pf_state_expires: timeout > PFTM_MAX"));
1035 KASSERT(state->timeout != PFTM_UNLINKED);
1036 KASSERT(state->timeout < PFTM_MAX);
1038 timeout = state->rule.ptr->timeout[state->timeout];
1040 timeout = pf_default_rule.timeout[state->timeout];
1041 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1043 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1044 states = state->rule.ptr->states;
1046 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
1047 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
1048 states = pf_status.states;
1050 if (end && states > start && start < end) {
1052 return (state->expire + timeout * (end - states) /
1055 return (time_second);
1057 return (state->expire + timeout);
1061 pf_purge_expired_src_nodes(int waslocked)
1063 struct pf_src_node *cur, *next;
1064 int locked = waslocked;
1066 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
1067 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
1069 if (cur->states <= 0 && cur->expire <= time_second) {
1072 if (!sx_try_upgrade(&pf_consistency_lock)) {
1074 sx_sunlock(&pf_consistency_lock);
1075 sx_xlock(&pf_consistency_lock);
1079 rw_enter_write(&pf_consistency_lock);
1081 next = RB_NEXT(pf_src_tree,
1082 &tree_src_tracking, cur);
1085 if (cur->rule.ptr != NULL) {
1086 cur->rule.ptr->src_nodes--;
1087 if (cur->rule.ptr->states <= 0 &&
1088 cur->rule.ptr->max_src_nodes <= 0)
1089 pf_rm_rule(NULL, cur->rule.ptr);
1091 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
1092 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
1093 pf_status.src_nodes--;
1094 pool_put(&pf_src_tree_pl, cur);
1098 if (locked && !waslocked)
1100 sx_downgrade(&pf_consistency_lock);
1102 rw_exit_write(&pf_consistency_lock);
1107 pf_src_tree_remove_state(struct pf_state *s)
1111 if (s->src_node != NULL) {
1112 if (s->proto == IPPROTO_TCP) {
1114 --s->src_node->conn;
1116 if (--s->src_node->states <= 0) {
1117 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1120 pf_default_rule.timeout[PFTM_SRC_NODE];
1121 s->src_node->expire = time_second + timeout;
1124 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
1125 if (--s->nat_src_node->states <= 0) {
1126 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1129 pf_default_rule.timeout[PFTM_SRC_NODE];
1130 s->nat_src_node->expire = time_second + timeout;
1133 s->src_node = s->nat_src_node = NULL;
1136 /* callers should be at splsoftnet */
1138 pf_unlink_state(struct pf_state *cur)
1141 if (cur->local_flags & PFSTATE_EXPIRING)
1143 cur->local_flags |= PFSTATE_EXPIRING;
1145 if (cur->src.state == PF_TCPS_PROXY_DST) {
1147 pf_send_tcp(NULL, cur->rule.ptr, cur->af,
1149 pf_send_tcp(cur->rule.ptr, cur->af,
1151 &cur->ext.addr, &cur->lan.addr,
1152 cur->ext.port, cur->lan.port,
1153 cur->src.seqhi, cur->src.seqlo + 1,
1154 TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL);
1156 RB_REMOVE(pf_state_tree_ext_gwy,
1157 &cur->u.s.kif->pfik_ext_gwy, cur);
1158 RB_REMOVE(pf_state_tree_lan_ext,
1159 &cur->u.s.kif->pfik_lan_ext, cur);
1160 RB_REMOVE(pf_state_tree_id, &tree_id, cur);
1162 if (cur->creatorid == pf_status.hostid)
1163 pfsync_delete_state(cur);
1165 cur->timeout = PFTM_UNLINKED;
1166 pf_src_tree_remove_state(cur);
1169 /* callers should be at splsoftnet and hold the
1170 * write_lock on pf_consistency_lock */
1172 pf_free_state(struct pf_state *cur)
1175 if (pfsyncif != NULL &&
1176 (pfsyncif->sc_bulk_send_next == cur ||
1177 pfsyncif->sc_bulk_terminator == cur))
1181 KASSERT(cur->timeout == PFTM_UNLINKED,
1182 ("pf_free_state: cur->timeout != PFTM_UNLINKED"));
1184 KASSERT(cur->timeout == PFTM_UNLINKED);
1186 if (--cur->rule.ptr->states <= 0 &&
1187 cur->rule.ptr->src_nodes <= 0)
1188 pf_rm_rule(NULL, cur->rule.ptr);
1189 if (cur->nat_rule.ptr != NULL)
1190 if (--cur->nat_rule.ptr->states <= 0 &&
1191 cur->nat_rule.ptr->src_nodes <= 0)
1192 pf_rm_rule(NULL, cur->nat_rule.ptr);
1193 if (cur->anchor.ptr != NULL)
1194 if (--cur->anchor.ptr->states <= 0)
1195 pf_rm_rule(NULL, cur->anchor.ptr);
1196 pf_normalize_tcp_cleanup(cur);
1197 pfi_kif_unref(cur->u.s.kif, PFI_KIF_REF_STATE);
1198 TAILQ_REMOVE(&state_list, cur, u.s.entry_list);
1200 pf_tag_unref(cur->tag);
1201 pool_put(&pf_state_pl, cur);
1202 pf_status.fcounters[FCNT_STATE_REMOVALS]++;
1207 pf_purge_expired_states(u_int32_t maxcheck)
1209 static struct pf_state *cur = NULL;
1210 struct pf_state *next;
1213 while (maxcheck--) {
1214 /* wrap to start of list when we hit the end */
1216 cur = TAILQ_FIRST(&state_list);
1218 break; /* list empty */
1221 /* get next state, as cur may get deleted */
1222 next = TAILQ_NEXT(cur, u.s.entry_list);
1224 if (cur->timeout == PFTM_UNLINKED) {
1225 /* free unlinked state */
1228 if (!sx_try_upgrade(&pf_consistency_lock)) {
1230 sx_sunlock(&pf_consistency_lock);
1231 sx_xlock(&pf_consistency_lock);
1235 rw_enter_write(&pf_consistency_lock);
1240 } else if (pf_state_expires(cur) <= time_second) {
1241 /* unlink and free expired state */
1242 pf_unlink_state(cur);
1245 if (!sx_try_upgrade(&pf_consistency_lock)) {
1247 sx_sunlock(&pf_consistency_lock);
1248 sx_xlock(&pf_consistency_lock);
1252 rw_enter_write(&pf_consistency_lock);
1263 sx_downgrade(&pf_consistency_lock);
1265 rw_exit_write(&pf_consistency_lock);
1270 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
1272 if (aw->type != PF_ADDR_TABLE)
1274 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
1280 pf_tbladdr_remove(struct pf_addr_wrap *aw)
1282 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL)
1284 pfr_detach_table(aw->p.tbl);
1289 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
1291 struct pfr_ktable *kt = aw->p.tbl;
1293 if (aw->type != PF_ADDR_TABLE || kt == NULL)
1295 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1296 kt = kt->pfrkt_root;
1298 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
1303 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
1308 u_int32_t a = ntohl(addr->addr32[0]);
1309 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
1321 u_int8_t i, curstart = 255, curend = 0,
1322 maxstart = 0, maxend = 0;
1323 for (i = 0; i < 8; i++) {
1324 if (!addr->addr16[i]) {
1325 if (curstart == 255)
1331 if ((curend - curstart) >
1332 (maxend - maxstart)) {
1333 maxstart = curstart;
1340 for (i = 0; i < 8; i++) {
1341 if (i >= maxstart && i <= maxend) {
1350 b = ntohs(addr->addr16[i]);
1367 pf_print_state(struct pf_state *s)
1379 case IPPROTO_ICMPV6:
1383 printf("%u ", s->proto);
1386 pf_print_host(&s->lan.addr, s->lan.port, s->af);
1388 pf_print_host(&s->gwy.addr, s->gwy.port, s->af);
1390 pf_print_host(&s->ext.addr, s->ext.port, s->af);
1391 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
1392 s->src.seqhi, s->src.max_win, s->src.seqdiff);
1393 if (s->src.wscale && s->dst.wscale)
1394 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
1396 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
1397 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
1398 if (s->src.wscale && s->dst.wscale)
1399 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
1401 printf(" %u:%u", s->src.state, s->dst.state);
1405 pf_print_flags(u_int8_t f)
1427 #define PF_SET_SKIP_STEPS(i) \
1429 while (head[i] != cur) { \
1430 head[i]->skip[i].ptr = cur; \
1431 head[i] = TAILQ_NEXT(head[i], entries); \
1436 pf_calc_skip_steps(struct pf_rulequeue *rules)
1438 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
1441 cur = TAILQ_FIRST(rules);
1443 for (i = 0; i < PF_SKIP_COUNT; ++i)
1445 while (cur != NULL) {
1447 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
1448 PF_SET_SKIP_STEPS(PF_SKIP_IFP);
1449 if (cur->direction != prev->direction)
1450 PF_SET_SKIP_STEPS(PF_SKIP_DIR);
1451 if (cur->af != prev->af)
1452 PF_SET_SKIP_STEPS(PF_SKIP_AF);
1453 if (cur->proto != prev->proto)
1454 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1455 if (cur->src.neg != prev->src.neg ||
1456 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
1457 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
1458 if (cur->src.port[0] != prev->src.port[0] ||
1459 cur->src.port[1] != prev->src.port[1] ||
1460 cur->src.port_op != prev->src.port_op)
1461 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1462 if (cur->dst.neg != prev->dst.neg ||
1463 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
1464 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
1465 if (cur->dst.port[0] != prev->dst.port[0] ||
1466 cur->dst.port[1] != prev->dst.port[1] ||
1467 cur->dst.port_op != prev->dst.port_op)
1468 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1471 cur = TAILQ_NEXT(cur, entries);
1473 for (i = 0; i < PF_SKIP_COUNT; ++i)
1474 PF_SET_SKIP_STEPS(i);
1478 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
1480 if (aw1->type != aw2->type)
1482 switch (aw1->type) {
1483 case PF_ADDR_ADDRMASK:
1484 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0))
1486 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0))
1489 case PF_ADDR_DYNIFTL:
1490 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
1491 case PF_ADDR_NOROUTE:
1492 case PF_ADDR_URPFFAILED:
1495 return (aw1->p.tbl != aw2->p.tbl);
1496 case PF_ADDR_RTLABEL:
1497 return (aw1->v.rtlabel != aw2->v.rtlabel);
1499 printf("invalid address type: %d\n", aw1->type);
1505 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
1511 l = cksum + old - new;
1512 l = (l >> 16) + (l & 65535);
1520 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
1521 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
1526 PF_ACPY(&ao, a, af);
1534 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1535 ao.addr16[0], an->addr16[0], 0),
1536 ao.addr16[1], an->addr16[1], 0);
1538 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1539 ao.addr16[0], an->addr16[0], u),
1540 ao.addr16[1], an->addr16[1], u),
1546 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1547 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1548 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1549 ao.addr16[0], an->addr16[0], u),
1550 ao.addr16[1], an->addr16[1], u),
1551 ao.addr16[2], an->addr16[2], u),
1552 ao.addr16[3], an->addr16[3], u),
1553 ao.addr16[4], an->addr16[4], u),
1554 ao.addr16[5], an->addr16[5], u),
1555 ao.addr16[6], an->addr16[6], u),
1556 ao.addr16[7], an->addr16[7], u),
1564 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */
1566 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
1570 memcpy(&ao, a, sizeof(ao));
1571 memcpy(a, &an, sizeof(u_int32_t));
1572 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
1573 ao % 65536, an % 65536, u);
1578 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
1582 PF_ACPY(&ao, a, AF_INET6);
1583 PF_ACPY(a, an, AF_INET6);
1585 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1586 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1587 pf_cksum_fixup(pf_cksum_fixup(*c,
1588 ao.addr16[0], an->addr16[0], u),
1589 ao.addr16[1], an->addr16[1], u),
1590 ao.addr16[2], an->addr16[2], u),
1591 ao.addr16[3], an->addr16[3], u),
1592 ao.addr16[4], an->addr16[4], u),
1593 ao.addr16[5], an->addr16[5], u),
1594 ao.addr16[6], an->addr16[6], u),
1595 ao.addr16[7], an->addr16[7], u);
1600 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
1601 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
1602 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
1604 struct pf_addr oia, ooa;
1606 PF_ACPY(&oia, ia, af);
1607 PF_ACPY(&ooa, oa, af);
1609 /* Change inner protocol port, fix inner protocol checksum. */
1611 u_int16_t oip = *ip;
1612 u_int32_t opc = 0; /* make the compiler happy */
1618 *pc = pf_cksum_fixup(*pc, oip, *ip, u);
1619 *ic = pf_cksum_fixup(*ic, oip, *ip, 0);
1621 *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
1623 /* Change inner ip address, fix inner ip and icmp checksums. */
1624 PF_ACPY(ia, na, af);
1628 u_int32_t oh2c = *h2c;
1630 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
1631 oia.addr16[0], ia->addr16[0], 0),
1632 oia.addr16[1], ia->addr16[1], 0);
1633 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1634 oia.addr16[0], ia->addr16[0], 0),
1635 oia.addr16[1], ia->addr16[1], 0);
1636 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
1642 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1643 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1644 pf_cksum_fixup(pf_cksum_fixup(*ic,
1645 oia.addr16[0], ia->addr16[0], u),
1646 oia.addr16[1], ia->addr16[1], u),
1647 oia.addr16[2], ia->addr16[2], u),
1648 oia.addr16[3], ia->addr16[3], u),
1649 oia.addr16[4], ia->addr16[4], u),
1650 oia.addr16[5], ia->addr16[5], u),
1651 oia.addr16[6], ia->addr16[6], u),
1652 oia.addr16[7], ia->addr16[7], u);
1656 /* Change outer ip address, fix outer ip or icmpv6 checksum. */
1657 PF_ACPY(oa, na, af);
1661 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
1662 ooa.addr16[0], oa->addr16[0], 0),
1663 ooa.addr16[1], oa->addr16[1], 0);
1668 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1669 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1670 pf_cksum_fixup(pf_cksum_fixup(*ic,
1671 ooa.addr16[0], oa->addr16[0], u),
1672 ooa.addr16[1], oa->addr16[1], u),
1673 ooa.addr16[2], oa->addr16[2], u),
1674 ooa.addr16[3], oa->addr16[3], u),
1675 ooa.addr16[4], oa->addr16[4], u),
1676 ooa.addr16[5], oa->addr16[5], u),
1677 ooa.addr16[6], oa->addr16[6], u),
1678 ooa.addr16[7], oa->addr16[7], u);
1686 * Need to modulate the sequence numbers in the TCP SACK option
1687 * (credits to Krzysztof Pfaff for report and patch)
1690 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
1691 struct tcphdr *th, struct pf_state_peer *dst)
1693 int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
1695 u_int8_t opts[TCP_MAXOLEN], *opt = opts;
1697 u_int8_t opts[MAX_TCPOPTLEN], *opt = opts;
1699 int copyback = 0, i, olen;
1700 struct sackblk sack;
1702 #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
1703 if (hlen < TCPOLEN_SACKLEN ||
1704 !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
1707 while (hlen >= TCPOLEN_SACKLEN) {
1710 case TCPOPT_EOL: /* FALLTHROUGH */
1718 if (olen >= TCPOLEN_SACKLEN) {
1719 for (i = 2; i + TCPOLEN_SACK <= olen;
1720 i += TCPOLEN_SACK) {
1721 memcpy(&sack, &opt[i], sizeof(sack));
1722 pf_change_a(&sack.start, &th->th_sum,
1723 htonl(ntohl(sack.start) -
1725 pf_change_a(&sack.end, &th->th_sum,
1726 htonl(ntohl(sack.end) -
1728 memcpy(&opt[i], &sack, sizeof(sack));
1743 m_copyback(m, off + sizeof(*th), thoptlen, (caddr_t)opts);
1745 m_copyback(m, off + sizeof(*th), thoptlen, opts);
1752 pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
1754 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
1756 const struct pf_addr *saddr, const struct pf_addr *daddr,
1757 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
1758 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
1759 u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp)
1771 struct pf_mtag *pf_mtag;
1786 , ("Unsupported AF %d", af));
1797 /* maximum segment size tcp option */
1798 tlen = sizeof(struct tcphdr);
1805 len = sizeof(struct ip) + tlen;
1810 len = sizeof(struct ip6_hdr) + tlen;
1815 /* create outgoing mbuf */
1816 m = m_gethdr(M_DONTWAIT, MT_HEADER);
1822 mac_create_mbuf_netlayer(replyto, m);
1824 mac_create_mbuf_from_firewall(m);
1829 if ((pf_mtag = pf_get_mtag(m)) == NULL) {
1835 m->m_flags |= M_SKIP_FIREWALL;
1837 pf_mtag->flags |= PF_TAG_GENERATED;
1840 pf_mtag->tag = rtag;
1842 if (r != NULL && r->rtableid >= 0)
1845 M_SETFIB(m, r->rtableid);
1847 pf_mtag->rtableid = r->rtableid;
1852 if (r != NULL && r->qid) {
1853 pf_mtag->qid = r->qid;
1854 /* add hints for ecn */
1856 pf_mtag->hdr = mtod(m, struct ip *);
1859 m->m_data += max_linkhdr;
1860 m->m_pkthdr.len = m->m_len = len;
1861 m->m_pkthdr.rcvif = NULL;
1862 bzero(m->m_data, len);
1866 h = mtod(m, struct ip *);
1868 /* IP header fields included in the TCP checksum */
1869 h->ip_p = IPPROTO_TCP;
1870 h->ip_len = htons(tlen);
1871 h->ip_src.s_addr = saddr->v4.s_addr;
1872 h->ip_dst.s_addr = daddr->v4.s_addr;
1874 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
1879 h6 = mtod(m, struct ip6_hdr *);
1881 /* IP header fields included in the TCP checksum */
1882 h6->ip6_nxt = IPPROTO_TCP;
1883 h6->ip6_plen = htons(tlen);
1884 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
1885 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
1887 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
1893 th->th_sport = sport;
1894 th->th_dport = dport;
1895 th->th_seq = htonl(seq);
1896 th->th_ack = htonl(ack);
1897 th->th_off = tlen >> 2;
1898 th->th_flags = flags;
1899 th->th_win = htons(win);
1902 opt = (char *)(th + 1);
1903 opt[0] = TCPOPT_MAXSEG;
1906 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
1913 th->th_sum = in_cksum(m, len);
1915 /* Finish the IP header */
1917 h->ip_hl = sizeof(*h) >> 2;
1918 h->ip_tos = IPTOS_LOWDELAY;
1920 h->ip_off = path_mtu_discovery ? IP_DF : 0;
1923 h->ip_off = htons(ip_mtudisc ? IP_DF : 0);
1924 h->ip_len = htons(len);
1926 h->ip_ttl = ttl ? ttl : ip_defttl;
1931 ip_output(m, (void *)NULL, (void *)NULL, 0,
1932 (void *)NULL, (void *)NULL);
1934 #else /* ! __FreeBSD__ */
1935 ip_output(m, (void *)NULL, (void *)NULL, 0,
1936 (void *)NULL, (void *)NULL);
1941 struct ether_header *e = (void *)ro.ro_dst.sa_data;
1949 ro.ro_dst.sa_len = sizeof(ro.ro_dst);
1950 ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT;
1951 bcopy(eh->ether_dhost, e->ether_shost, ETHER_ADDR_LEN);
1952 bcopy(eh->ether_shost, e->ether_dhost, ETHER_ADDR_LEN);
1953 e->ether_type = eh->ether_type;
1956 /* XXX_IMPORT: later */
1957 ip_output(m, (void *)NULL, &ro, 0,
1958 (void *)NULL, (void *)NULL);
1960 #else /* ! __FreeBSD__ */
1961 ip_output(m, (void *)NULL, &ro, IP_ROUTETOETHER,
1962 (void *)NULL, (void *)NULL);
1970 th->th_sum = in6_cksum(m, IPPROTO_TCP,
1971 sizeof(struct ip6_hdr), tlen);
1973 h6->ip6_vfc |= IPV6_VERSION;
1974 h6->ip6_hlim = IPV6_DEFHLIM;
1978 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
1981 ip6_output(m, NULL, NULL, 0, NULL, NULL);
1989 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
1992 struct pf_mtag *pf_mtag;
1999 m0 = m_copypacket(m, M_DONTWAIT);
2003 m0 = m_copy(m, 0, M_COPYALL);
2005 if ((pf_mtag = pf_get_mtag(m0)) == NULL)
2009 m0->m_flags |= M_SKIP_FIREWALL;
2011 pf_mtag->flags |= PF_TAG_GENERATED;
2014 if (r->rtableid >= 0)
2017 M_SETFIB(m0, r->rtableid);
2019 pf_mtag->rtableid = r->rtableid;
2026 pf_mtag->qid = r->qid;
2027 /* add hints for ecn */
2029 pf_mtag->hdr = mtod(m0, struct ip *);
2037 /* icmp_error() expects host byte ordering */
2038 ip = mtod(m0, struct ip *);
2042 icmp_error(m0, type, code, 0, 0);
2045 icmp_error(m0, type, code, 0, 0);
2054 icmp6_error(m0, type, code, 0);
2064 * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
2065 * If n is 0, they match if they are equal. If n is != 0, they match if they
2069 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
2070 struct pf_addr *b, sa_family_t af)
2077 if ((a->addr32[0] & m->addr32[0]) ==
2078 (b->addr32[0] & m->addr32[0]))
2084 if (((a->addr32[0] & m->addr32[0]) ==
2085 (b->addr32[0] & m->addr32[0])) &&
2086 ((a->addr32[1] & m->addr32[1]) ==
2087 (b->addr32[1] & m->addr32[1])) &&
2088 ((a->addr32[2] & m->addr32[2]) ==
2089 (b->addr32[2] & m->addr32[2])) &&
2090 ((a->addr32[3] & m->addr32[3]) ==
2091 (b->addr32[3] & m->addr32[3])))
2110 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
2114 return ((p > a1) && (p < a2));
2116 return ((p < a1) || (p > a2));
2118 return ((p >= a1) && (p <= a2));
2132 return (0); /* never reached */
2136 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
2141 return (pf_match(op, a1, a2, p));
2145 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
2147 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2149 return (pf_match(op, a1, a2, u));
2153 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
2155 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2157 return (pf_match(op, a1, a2, g));
2162 pf_find_mtag(struct mbuf *m)
2166 if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL)
2169 return ((struct pf_mtag *)(mtag + 1));
2173 pf_get_mtag(struct mbuf *m)
2177 if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) {
2178 mtag = m_tag_get(PACKET_TAG_PF, sizeof(struct pf_mtag),
2182 bzero(mtag + 1, sizeof(struct pf_mtag));
2183 m_tag_prepend(m, mtag);
2186 return ((struct pf_mtag *)(mtag + 1));
2191 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_mtag *pf_mtag,
2195 *tag = pf_mtag->tag;
2197 return ((!r->match_tag_not && r->match_tag == *tag) ||
2198 (r->match_tag_not && r->match_tag != *tag));
2202 pf_tag_packet(struct mbuf *m, struct pf_mtag *pf_mtag, int tag, int rtableid)
2204 if (tag <= 0 && rtableid < 0)
2207 if (pf_mtag == NULL)
2208 if ((pf_mtag = pf_get_mtag(m)) == NULL)
2215 M_SETFIB(m, rtableid);
2217 pf_mtag->rtableid = rtableid;
2226 pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n,
2227 struct pf_rule **r, struct pf_rule **a, int *match)
2229 struct pf_anchor_stackframe *f;
2231 (*r)->anchor->match = 0;
2234 if (*depth >= sizeof(pf_anchor_stack) /
2235 sizeof(pf_anchor_stack[0])) {
2236 printf("pf_step_into_anchor: stack overflow\n");
2237 *r = TAILQ_NEXT(*r, entries);
2239 } else if (*depth == 0 && a != NULL)
2241 f = pf_anchor_stack + (*depth)++;
2244 if ((*r)->anchor_wildcard) {
2245 f->parent = &(*r)->anchor->children;
2246 if ((f->child = RB_MIN(pf_anchor_node, f->parent)) ==
2251 *rs = &f->child->ruleset;
2255 *rs = &(*r)->anchor->ruleset;
2257 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2261 pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n,
2262 struct pf_rule **r, struct pf_rule **a, int *match)
2264 struct pf_anchor_stackframe *f;
2270 f = pf_anchor_stack + *depth - 1;
2271 if (f->parent != NULL && f->child != NULL) {
2272 if (f->child->match ||
2273 (match != NULL && *match)) {
2274 f->r->anchor->match = 1;
2277 f->child = RB_NEXT(pf_anchor_node, f->parent, f->child);
2278 if (f->child != NULL) {
2279 *rs = &f->child->ruleset;
2280 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2288 if (*depth == 0 && a != NULL)
2291 if (f->r->anchor->match || (match != NULL && *match))
2292 quick = f->r->quick;
2293 *r = TAILQ_NEXT(f->r, entries);
2294 } while (*r == NULL);
2301 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
2302 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
2307 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2308 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2312 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2313 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2314 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
2315 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]);
2316 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
2317 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]);
2318 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
2319 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]);
2325 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
2330 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
2334 if (addr->addr32[3] == 0xffffffff) {
2335 addr->addr32[3] = 0;
2336 if (addr->addr32[2] == 0xffffffff) {
2337 addr->addr32[2] = 0;
2338 if (addr->addr32[1] == 0xffffffff) {
2339 addr->addr32[1] = 0;
2341 htonl(ntohl(addr->addr32[0]) + 1);
2344 htonl(ntohl(addr->addr32[1]) + 1);
2347 htonl(ntohl(addr->addr32[2]) + 1);
2350 htonl(ntohl(addr->addr32[3]) + 1);
2356 #define mix(a,b,c) \
2358 a -= b; a -= c; a ^= (c >> 13); \
2359 b -= c; b -= a; b ^= (a << 8); \
2360 c -= a; c -= b; c ^= (b >> 13); \
2361 a -= b; a -= c; a ^= (c >> 12); \
2362 b -= c; b -= a; b ^= (a << 16); \
2363 c -= a; c -= b; c ^= (b >> 5); \
2364 a -= b; a -= c; a ^= (c >> 3); \
2365 b -= c; b -= a; b ^= (a << 10); \
2366 c -= a; c -= b; c ^= (b >> 15); \
2370 * hash function based on bridge_hash in if_bridge.c
2373 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
2374 struct pf_poolhashkey *key, sa_family_t af)
2376 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
2381 a += inaddr->addr32[0];
2384 hash->addr32[0] = c + key->key32[2];
2389 a += inaddr->addr32[0];
2390 b += inaddr->addr32[2];
2392 hash->addr32[0] = c;
2393 a += inaddr->addr32[1];
2394 b += inaddr->addr32[3];
2397 hash->addr32[1] = c;
2398 a += inaddr->addr32[2];
2399 b += inaddr->addr32[1];
2402 hash->addr32[2] = c;
2403 a += inaddr->addr32[3];
2404 b += inaddr->addr32[0];
2407 hash->addr32[3] = c;
2414 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
2415 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
2417 unsigned char hash[16];
2418 struct pf_pool *rpool = &r->rpool;
2419 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr;
2420 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask;
2421 struct pf_pooladdr *acur = rpool->cur;
2422 struct pf_src_node k;
2424 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
2425 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
2427 PF_ACPY(&k.addr, saddr, af);
2428 if (r->rule_flag & PFRULE_RULESRCTRACK ||
2429 r->rpool.opts & PF_POOL_STICKYADDR)
2433 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
2434 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
2435 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
2436 PF_ACPY(naddr, &(*sn)->raddr, af);
2437 if (pf_status.debug >= PF_DEBUG_MISC) {
2438 printf("pf_map_addr: src tracking maps ");
2439 pf_print_host(&k.addr, 0, af);
2441 pf_print_host(naddr, 0, af);
2448 if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
2450 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2454 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
2455 (rpool->opts & PF_POOL_TYPEMASK) !=
2458 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
2459 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
2464 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
2465 (rpool->opts & PF_POOL_TYPEMASK) !=
2468 raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
2469 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
2473 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2474 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
2475 return (1); /* unsupported */
2477 raddr = &rpool->cur->addr.v.a.addr;
2478 rmask = &rpool->cur->addr.v.a.mask;
2481 switch (rpool->opts & PF_POOL_TYPEMASK) {
2483 PF_ACPY(naddr, raddr, af);
2485 case PF_POOL_BITMASK:
2486 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
2488 case PF_POOL_RANDOM:
2489 if (init_addr != NULL && PF_AZERO(init_addr, af)) {
2493 rpool->counter.addr32[0] = htonl(arc4random());
2498 if (rmask->addr32[3] != 0xffffffff)
2499 rpool->counter.addr32[3] =
2500 htonl(arc4random());
2503 if (rmask->addr32[2] != 0xffffffff)
2504 rpool->counter.addr32[2] =
2505 htonl(arc4random());
2508 if (rmask->addr32[1] != 0xffffffff)
2509 rpool->counter.addr32[1] =
2510 htonl(arc4random());
2513 if (rmask->addr32[0] != 0xffffffff)
2514 rpool->counter.addr32[0] =
2515 htonl(arc4random());
2519 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
2520 PF_ACPY(init_addr, naddr, af);
2523 PF_AINC(&rpool->counter, af);
2524 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
2527 case PF_POOL_SRCHASH:
2528 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
2529 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
2531 case PF_POOL_ROUNDROBIN:
2532 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2533 if (!pfr_pool_get(rpool->cur->addr.p.tbl,
2534 &rpool->tblidx, &rpool->counter,
2535 &raddr, &rmask, af))
2537 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2538 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
2539 &rpool->tblidx, &rpool->counter,
2540 &raddr, &rmask, af))
2542 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
2546 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
2547 rpool->cur = TAILQ_FIRST(&rpool->list);
2548 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2550 if (pfr_pool_get(rpool->cur->addr.p.tbl,
2551 &rpool->tblidx, &rpool->counter,
2552 &raddr, &rmask, af)) {
2553 /* table contains no address of type 'af' */
2554 if (rpool->cur != acur)
2558 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2560 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
2561 &rpool->tblidx, &rpool->counter,
2562 &raddr, &rmask, af)) {
2563 /* table contains no address of type 'af' */
2564 if (rpool->cur != acur)
2569 raddr = &rpool->cur->addr.v.a.addr;
2570 rmask = &rpool->cur->addr.v.a.mask;
2571 PF_ACPY(&rpool->counter, raddr, af);
2575 PF_ACPY(naddr, &rpool->counter, af);
2576 if (init_addr != NULL && PF_AZERO(init_addr, af))
2577 PF_ACPY(init_addr, naddr, af);
2578 PF_AINC(&rpool->counter, af);
2582 PF_ACPY(&(*sn)->raddr, naddr, af);
2584 if (pf_status.debug >= PF_DEBUG_MISC &&
2585 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
2586 printf("pf_map_addr: selected address ");
2587 pf_print_host(naddr, 0, af);
2595 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
2596 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
2597 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
2598 struct pf_src_node **sn)
2600 struct pf_state_cmp key;
2601 struct pf_addr init_addr;
2604 bzero(&init_addr, sizeof(init_addr));
2605 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
2608 if (proto == IPPROTO_ICMP) {
2616 PF_ACPY(&key.ext.addr, daddr, key.af);
2617 PF_ACPY(&key.gwy.addr, naddr, key.af);
2618 key.ext.port = dport;
2621 * port search; start random, step;
2622 * similar 2 portloop in in_pcbbind
2624 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
2625 proto == IPPROTO_ICMP)) {
2626 key.gwy.port = dport;
2627 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
2629 } else if (low == 0 && high == 0) {
2630 key.gwy.port = *nport;
2631 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
2633 } else if (low == high) {
2634 key.gwy.port = htons(low);
2635 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) {
2636 *nport = htons(low);
2648 cut = htonl(arc4random()) % (1 + high - low) + low;
2649 /* low <= cut <= high */
2650 for (tmp = cut; tmp <= high; ++(tmp)) {
2651 key.gwy.port = htons(tmp);
2652 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
2654 *nport = htons(tmp);
2658 for (tmp = cut - 1; tmp >= low; --(tmp)) {
2659 key.gwy.port = htons(tmp);
2660 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
2662 *nport = htons(tmp);
2668 switch (r->rpool.opts & PF_POOL_TYPEMASK) {
2669 case PF_POOL_RANDOM:
2670 case PF_POOL_ROUNDROBIN:
2671 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
2675 case PF_POOL_SRCHASH:
2676 case PF_POOL_BITMASK:
2680 } while (! PF_AEQ(&init_addr, naddr, af) );
2682 return (1); /* none available */
2686 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
2687 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
2688 struct pf_addr *daddr, u_int16_t dport, int rs_num)
2690 struct pf_rule *r, *rm = NULL;
2691 struct pf_ruleset *ruleset = NULL;
2696 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
2697 while (r && rm == NULL) {
2698 struct pf_rule_addr *src = NULL, *dst = NULL;
2699 struct pf_addr_wrap *xdst = NULL;
2701 if (r->action == PF_BINAT && direction == PF_IN) {
2703 if (r->rpool.cur != NULL)
2704 xdst = &r->rpool.cur->addr;
2711 if (pfi_kif_match(r->kif, kif) == r->ifnot)
2712 r = r->skip[PF_SKIP_IFP].ptr;
2713 else if (r->direction && r->direction != direction)
2714 r = r->skip[PF_SKIP_DIR].ptr;
2715 else if (r->af && r->af != pd->af)
2716 r = r->skip[PF_SKIP_AF].ptr;
2717 else if (r->proto && r->proto != pd->proto)
2718 r = r->skip[PF_SKIP_PROTO].ptr;
2719 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
2721 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
2722 PF_SKIP_DST_ADDR].ptr;
2723 else if (src->port_op && !pf_match_port(src->port_op,
2724 src->port[0], src->port[1], sport))
2725 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
2726 PF_SKIP_DST_PORT].ptr;
2727 else if (dst != NULL &&
2728 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL))
2729 r = r->skip[PF_SKIP_DST_ADDR].ptr;
2730 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
2732 r = TAILQ_NEXT(r, entries);
2733 else if (dst != NULL && dst->port_op &&
2734 !pf_match_port(dst->port_op, dst->port[0],
2735 dst->port[1], dport))
2736 r = r->skip[PF_SKIP_DST_PORT].ptr;
2737 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
2738 r = TAILQ_NEXT(r, entries);
2739 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
2740 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
2741 off, pd->hdr.tcp), r->os_fingerprint)))
2742 r = TAILQ_NEXT(r, entries);
2746 if (r->rtableid >= 0)
2747 rtableid = r->rtableid;
2748 if (r->anchor == NULL) {
2751 pf_step_into_anchor(&asd, &ruleset, rs_num,
2755 pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r,
2758 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid))
2760 if (rm != NULL && (rm->action == PF_NONAT ||
2761 rm->action == PF_NORDR || rm->action == PF_NOBINAT))
2767 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
2768 struct pfi_kif *kif, struct pf_src_node **sn,
2769 struct pf_addr *saddr, u_int16_t sport,
2770 struct pf_addr *daddr, u_int16_t dport,
2771 struct pf_addr *naddr, u_int16_t *nport)
2773 struct pf_rule *r = NULL;
2775 if (direction == PF_OUT) {
2776 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2777 sport, daddr, dport, PF_RULESET_BINAT);
2779 r = pf_match_translation(pd, m, off, direction, kif,
2780 saddr, sport, daddr, dport, PF_RULESET_NAT);
2782 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2783 sport, daddr, dport, PF_RULESET_RDR);
2785 r = pf_match_translation(pd, m, off, direction, kif,
2786 saddr, sport, daddr, dport, PF_RULESET_BINAT);
2790 switch (r->action) {
2796 if (pf_get_sport(pd->af, pd->proto, r, saddr,
2797 daddr, dport, naddr, nport, r->rpool.proxy_port[0],
2798 r->rpool.proxy_port[1], sn)) {
2799 DPFPRINTF(PF_DEBUG_MISC,
2800 ("pf: NAT proxy port allocation "
2802 r->rpool.proxy_port[0],
2803 r->rpool.proxy_port[1]));
2808 switch (direction) {
2810 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
2814 if (r->rpool.cur->addr.p.dyn->
2818 &r->rpool.cur->addr.p.dyn->
2820 &r->rpool.cur->addr.p.dyn->
2827 if (r->rpool.cur->addr.p.dyn->
2831 &r->rpool.cur->addr.p.dyn->
2833 &r->rpool.cur->addr.p.dyn->
2841 &r->rpool.cur->addr.v.a.addr,
2842 &r->rpool.cur->addr.v.a.mask,
2846 if (r->src.addr.type == PF_ADDR_DYNIFTL) {
2850 if (r->src.addr.p.dyn->
2854 &r->src.addr.p.dyn->
2856 &r->src.addr.p.dyn->
2863 if (r->src.addr.p.dyn->
2867 &r->src.addr.p.dyn->
2869 &r->src.addr.p.dyn->
2877 &r->src.addr.v.a.addr,
2878 &r->src.addr.v.a.mask, daddr,
2884 if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
2886 if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
2888 PF_POOLMASK(naddr, naddr,
2889 &r->rpool.cur->addr.v.a.mask, daddr,
2892 if (r->rpool.proxy_port[1]) {
2893 u_int32_t tmp_nport;
2895 tmp_nport = ((ntohs(dport) -
2896 ntohs(r->dst.port[0])) %
2897 (r->rpool.proxy_port[1] -
2898 r->rpool.proxy_port[0] + 1)) +
2899 r->rpool.proxy_port[0];
2901 /* wrap around if necessary */
2902 if (tmp_nport > 65535)
2904 *nport = htons((u_int16_t)tmp_nport);
2905 } else if (r->rpool.proxy_port[0])
2906 *nport = htons(r->rpool.proxy_port[0]);
2919 pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg)
2921 pf_socket_lookup(int direction, struct pf_pdesc *pd)
2924 struct pf_addr *saddr, *daddr;
2925 u_int16_t sport, dport;
2927 struct inpcbinfo *pi;
2929 struct inpcbtable *tb;
2935 pd->lookup.uid = UID_MAX;
2936 pd->lookup.gid = GID_MAX;
2937 pd->lookup.pid = NO_PID; /* XXX: revisit */
2939 if (inp_arg != NULL) {
2940 INP_LOCK_ASSERT(inp_arg);
2941 pd->lookup.uid = inp_arg->inp_cred->cr_uid;
2942 pd->lookup.gid = inp_arg->inp_cred->cr_groups[0];
2946 switch (pd->proto) {
2948 if (pd->hdr.tcp == NULL)
2950 sport = pd->hdr.tcp->th_sport;
2951 dport = pd->hdr.tcp->th_dport;
2959 if (pd->hdr.udp == NULL)
2961 sport = pd->hdr.udp->uh_sport;
2962 dport = pd->hdr.udp->uh_dport;
2972 if (direction == PF_IN) {
2988 INP_INFO_RLOCK(pi); /* XXX LOR */
2989 inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
2992 inp = in_pcblookup_hash(pi, saddr->v4, sport,
2993 daddr->v4, dport, INPLOOKUP_WILDCARD, NULL);
2995 INP_INFO_RUNLOCK(pi);
3000 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport);
3002 inp = in_pcblookup_listen(tb, daddr->v4, dport, 0);
3013 inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
3014 &daddr->v6, dport, 0, NULL);
3016 inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
3017 &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
3019 INP_INFO_RUNLOCK(pi);
3024 inp = in6_pcbhashlookup(tb, &saddr->v6, sport, &daddr->v6,
3027 inp = in6_pcblookup_listen(tb, &daddr->v6, dport, 0);
3039 pd->lookup.uid = inp->inp_cred->cr_uid;
3040 pd->lookup.gid = inp->inp_cred->cr_groups[0];
3041 INP_INFO_RUNLOCK(pi);
3043 pd->lookup.uid = inp->inp_socket->so_euid;
3044 pd->lookup.gid = inp->inp_socket->so_egid;
3045 pd->lookup.pid = inp->inp_socket->so_cpid;
3051 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
3055 u_int8_t *opt, optlen;
3056 u_int8_t wscale = 0;
3058 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
3059 if (hlen <= sizeof(struct tcphdr))
3061 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
3063 opt = hdr + sizeof(struct tcphdr);
3064 hlen -= sizeof(struct tcphdr);
3074 if (wscale > TCP_MAX_WINSHIFT)
3075 wscale = TCP_MAX_WINSHIFT;
3076 wscale |= PF_WSCALE_FLAG;
3091 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
3095 u_int8_t *opt, optlen;
3096 u_int16_t mss = tcp_mssdflt;
3098 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
3099 if (hlen <= sizeof(struct tcphdr))
3101 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
3103 opt = hdr + sizeof(struct tcphdr);
3104 hlen -= sizeof(struct tcphdr);
3105 while (hlen >= TCPOLEN_MAXSEG) {
3113 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
3129 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
3132 struct sockaddr_in *dst;
3136 struct sockaddr_in6 *dst6;
3137 struct route_in6 ro6;
3139 struct rtentry *rt = NULL;
3140 int hlen = 0; /* make the compiler happy */
3141 u_int16_t mss = tcp_mssdflt;
3146 hlen = sizeof(struct ip);
3147 bzero(&ro, sizeof(ro));
3148 dst = (struct sockaddr_in *)&ro.ro_dst;
3149 dst->sin_family = AF_INET;
3150 dst->sin_len = sizeof(*dst);
3151 dst->sin_addr = addr->v4;
3153 #ifdef RTF_PRCLONING
3154 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
3155 #else /* !RTF_PRCLONING */
3156 in_rtalloc_ign(&ro, RTF_CLONING, 0);
3158 #else /* ! __FreeBSD__ */
3159 rtalloc_noclone(&ro, NO_CLONING);
3166 hlen = sizeof(struct ip6_hdr);
3167 bzero(&ro6, sizeof(ro6));
3168 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst;
3169 dst6->sin6_family = AF_INET6;
3170 dst6->sin6_len = sizeof(*dst6);
3171 dst6->sin6_addr = addr->v6;
3173 #ifdef RTF_PRCLONING
3174 rtalloc_ign((struct route *)&ro6,
3175 (RTF_CLONING | RTF_PRCLONING));
3176 #else /* !RTF_PRCLONING */
3177 rtalloc_ign((struct route *)&ro6, RTF_CLONING);
3179 #else /* ! __FreeBSD__ */
3180 rtalloc_noclone((struct route *)&ro6, NO_CLONING);
3187 if (rt && rt->rt_ifp) {
3188 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr);
3189 mss = max(tcp_mssdflt, mss);
3192 mss = min(mss, offer);
3193 mss = max(mss, 64); /* sanity - at least max opt space */
3198 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
3200 struct pf_rule *r = s->rule.ptr;
3203 if (!r->rt || r->rt == PF_FASTROUTE)
3208 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL,
3210 s->rt_kif = r->rpool.cur->kif;
3215 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL,
3217 s->rt_kif = r->rpool.cur->kif;
3224 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
3225 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3227 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3228 struct ifqueue *ifq, struct inpcb *inp)
3230 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3231 struct ifqueue *ifq)
3234 struct pf_rule *nr = NULL;
3235 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3236 struct tcphdr *th = pd->hdr.tcp;
3237 u_int16_t bport, nport = 0;
3238 sa_family_t af = pd->af;
3239 struct pf_rule *r, *a = NULL;
3240 struct pf_ruleset *ruleset = NULL;
3241 struct pf_src_node *nsn = NULL;
3244 int tag = -1, rtableid = -1;
3245 u_int16_t mss = tcp_mssdflt;
3249 if (pf_check_congestion(ifq)) {
3250 REASON_SET(&reason, PFRES_CONGEST);
3256 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3257 else if (debug_pfugidhack) {
3259 DPFPRINTF(PF_DEBUG_MISC, ("pf: unlocked lookup\n"));
3260 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3265 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3267 if (direction == PF_OUT) {
3268 bport = nport = th->th_sport;
3269 /* check outgoing packet for BINAT/NAT */
3270 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3271 saddr, th->th_sport, daddr, th->th_dport,
3272 &pd->naddr, &nport)) != NULL) {
3273 PF_ACPY(&pd->baddr, saddr, af);
3274 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
3275 &th->th_sum, &pd->naddr, nport, 0, af);
3282 bport = nport = th->th_dport;
3283 /* check incoming packet for BINAT/RDR */
3284 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3285 saddr, th->th_sport, daddr, th->th_dport,
3286 &pd->naddr, &nport)) != NULL) {
3287 PF_ACPY(&pd->baddr, daddr, af);
3288 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
3289 &th->th_sum, &pd->naddr, nport, 0, af);
3299 if (pfi_kif_match(r->kif, kif) == r->ifnot)
3300 r = r->skip[PF_SKIP_IFP].ptr;
3301 else if (r->direction && r->direction != direction)
3302 r = r->skip[PF_SKIP_DIR].ptr;
3303 else if (r->af && r->af != af)
3304 r = r->skip[PF_SKIP_AF].ptr;
3305 else if (r->proto && r->proto != IPPROTO_TCP)
3306 r = r->skip[PF_SKIP_PROTO].ptr;
3307 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3309 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3310 else if (r->src.port_op && !pf_match_port(r->src.port_op,
3311 r->src.port[0], r->src.port[1], th->th_sport))
3312 r = r->skip[PF_SKIP_SRC_PORT].ptr;
3313 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3315 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3316 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
3317 r->dst.port[0], r->dst.port[1], th->th_dport))
3318 r = r->skip[PF_SKIP_DST_PORT].ptr;
3319 else if (r->tos && !(r->tos == pd->tos))
3320 r = TAILQ_NEXT(r, entries);
3321 else if (r->rule_flag & PFRULE_FRAGMENT)
3322 r = TAILQ_NEXT(r, entries);
3323 else if ((r->flagset & th->th_flags) != r->flags)
3324 r = TAILQ_NEXT(r, entries);
3325 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3327 pf_socket_lookup(direction, pd, inp), 1)) &&
3329 pf_socket_lookup(direction, pd), 1)) &&
3331 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
3333 r = TAILQ_NEXT(r, entries);
3334 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3336 pf_socket_lookup(direction, pd, inp), 1)) &&
3338 pf_socket_lookup(direction, pd), 1)) &&
3340 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
3342 r = TAILQ_NEXT(r, entries);
3343 else if (r->prob && r->prob <= arc4random())
3344 r = TAILQ_NEXT(r, entries);
3345 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3346 r = TAILQ_NEXT(r, entries);
3347 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
3348 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint))
3349 r = TAILQ_NEXT(r, entries);
3353 if (r->rtableid >= 0)
3354 rtableid = r->rtableid;
3355 if (r->anchor == NULL) {
3362 r = TAILQ_NEXT(r, entries);
3364 pf_step_into_anchor(&asd, &ruleset,
3365 PF_RULESET_FILTER, &r, &a, &match);
3367 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3368 PF_RULESET_FILTER, &r, &a, &match))
3375 REASON_SET(&reason, PFRES_MATCH);
3377 if (r->log || (nr != NULL && nr->natpass && nr->log)) {
3380 m_copyback(m, off, sizeof(*th), (caddr_t)th);
3382 m_copyback(m, off, sizeof(*th), th);
3384 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
3388 if ((r->action == PF_DROP) &&
3389 ((r->rule_flag & PFRULE_RETURNRST) ||
3390 (r->rule_flag & PFRULE_RETURNICMP) ||
3391 (r->rule_flag & PFRULE_RETURN))) {
3392 /* undo NAT changes, if they have taken place */
3394 if (direction == PF_OUT) {
3395 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
3396 &th->th_sum, &pd->baddr, bport, 0, af);
3399 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
3400 &th->th_sum, &pd->baddr, bport, 0, af);
3404 if (((r->rule_flag & PFRULE_RETURNRST) ||
3405 (r->rule_flag & PFRULE_RETURN)) &&
3406 !(th->th_flags & TH_RST)) {
3407 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
3409 if (th->th_flags & TH_SYN)
3411 if (th->th_flags & TH_FIN)
3414 pf_send_tcp(m, r, af, pd->dst,
3416 pf_send_tcp(r, af, pd->dst,
3418 pd->src, th->th_dport, th->th_sport,
3419 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
3420 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
3421 } else if ((af == AF_INET) && r->return_icmp)
3422 pf_send_icmp(m, r->return_icmp >> 8,
3423 r->return_icmp & 255, af, r);
3424 else if ((af == AF_INET6) && r->return_icmp6)
3425 pf_send_icmp(m, r->return_icmp6 >> 8,
3426 r->return_icmp6 & 255, af, r);
3429 if (r->action == PF_DROP)
3432 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
3433 REASON_SET(&reason, PFRES_MEMORY);
3437 if (r->keep_state || nr != NULL ||
3438 (pd->flags & PFDESC_TCP_NORM)) {
3439 /* create new state */
3441 struct pf_state *s = NULL;
3442 struct pf_src_node *sn = NULL;
3444 len = pd->tot_len - off - (th->th_off << 2);
3446 /* check maximums */
3447 if (r->max_states && (r->states >= r->max_states)) {
3448 pf_status.lcounters[LCNT_STATES]++;
3449 REASON_SET(&reason, PFRES_MAXSTATES);
3452 /* src node for filter rule */
3453 if ((r->rule_flag & PFRULE_SRCTRACK ||
3454 r->rpool.opts & PF_POOL_STICKYADDR) &&
3455 pf_insert_src_node(&sn, r, saddr, af) != 0) {
3456 REASON_SET(&reason, PFRES_SRCLIMIT);
3459 /* src node for translation rule */
3460 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3461 ((direction == PF_OUT &&
3462 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3463 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
3464 REASON_SET(&reason, PFRES_SRCLIMIT);
3467 s = pool_get(&pf_state_pl, PR_NOWAIT);
3469 REASON_SET(&reason, PFRES_MEMORY);
3471 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3472 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3473 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3474 pf_status.src_nodes--;
3475 pool_put(&pf_src_tree_pl, sn);
3477 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3479 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3480 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3481 pf_status.src_nodes--;
3482 pool_put(&pf_src_tree_pl, nsn);
3486 bzero(s, sizeof(*s));
3488 s->nat_rule.ptr = nr;
3490 STATE_INC_COUNTERS(s);
3491 s->allow_opts = r->allow_opts;
3492 s->log = r->log & PF_LOG_ALL;
3494 s->log |= nr->log & PF_LOG_ALL;
3495 s->proto = IPPROTO_TCP;
3496 s->direction = direction;
3498 if (direction == PF_OUT) {
3499 PF_ACPY(&s->gwy.addr, saddr, af);
3500 s->gwy.port = th->th_sport; /* sport */
3501 PF_ACPY(&s->ext.addr, daddr, af);
3502 s->ext.port = th->th_dport;
3504 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3505 s->lan.port = bport;
3507 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3508 s->lan.port = s->gwy.port;
3511 PF_ACPY(&s->lan.addr, daddr, af);
3512 s->lan.port = th->th_dport;
3513 PF_ACPY(&s->ext.addr, saddr, af);
3514 s->ext.port = th->th_sport;
3516 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3517 s->gwy.port = bport;
3519 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3520 s->gwy.port = s->lan.port;
3524 s->src.seqlo = ntohl(th->th_seq);
3525 s->src.seqhi = s->src.seqlo + len + 1;
3526 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
3527 r->keep_state == PF_STATE_MODULATE) {
3528 /* Generate sequence number modulator */
3530 while ((s->src.seqdiff =
3531 pf_new_isn(s) - s->src.seqlo) == 0)
3534 while ((s->src.seqdiff =
3535 tcp_rndiss_next() - s->src.seqlo) == 0)
3538 pf_change_a(&th->th_seq, &th->th_sum,
3539 htonl(s->src.seqlo + s->src.seqdiff), 0);
3543 if (th->th_flags & TH_SYN) {
3545 s->src.wscale = pf_get_wscale(m, off, th->th_off, af);
3547 s->src.max_win = MAX(ntohs(th->th_win), 1);
3548 if (s->src.wscale & PF_WSCALE_MASK) {
3549 /* Remove scale factor from initial window */
3550 int win = s->src.max_win;
3551 win += 1 << (s->src.wscale & PF_WSCALE_MASK);
3552 s->src.max_win = (win - 1) >>
3553 (s->src.wscale & PF_WSCALE_MASK);
3555 if (th->th_flags & TH_FIN)
3559 s->src.state = TCPS_SYN_SENT;
3560 s->dst.state = TCPS_CLOSED;
3561 s->creation = time_second;
3562 s->expire = time_second;
3563 s->timeout = PFTM_TCP_FIRST_PACKET;
3564 pf_set_rt_ifp(s, saddr);
3567 s->src_node->states++;
3570 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3571 s->nat_src_node = nsn;
3572 s->nat_src_node->states++;
3574 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
3575 off, pd, th, &s->src, &s->dst)) {
3576 REASON_SET(&reason, PFRES_MEMORY);
3577 pf_src_tree_remove_state(s);
3578 STATE_DEC_COUNTERS(s);
3579 pool_put(&pf_state_pl, s);
3582 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
3583 pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
3584 &s->src, &s->dst, &rewrite)) {
3585 /* This really shouldn't happen!!! */
3586 DPFPRINTF(PF_DEBUG_URGENT,
3587 ("pf_normalize_tcp_stateful failed on first pkt"));
3588 pf_normalize_tcp_cleanup(s);
3589 pf_src_tree_remove_state(s);
3590 STATE_DEC_COUNTERS(s);
3591 pool_put(&pf_state_pl, s);
3594 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3595 pf_normalize_tcp_cleanup(s);
3596 REASON_SET(&reason, PFRES_STATEINS);
3597 pf_src_tree_remove_state(s);
3598 STATE_DEC_COUNTERS(s);
3599 pool_put(&pf_state_pl, s);
3607 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
3608 r->keep_state == PF_STATE_SYNPROXY) {
3609 s->src.state = PF_TCPS_PROXY_SRC;
3611 if (direction == PF_OUT) {
3612 pf_change_ap(saddr, &th->th_sport,
3613 pd->ip_sum, &th->th_sum, &pd->baddr,
3616 pf_change_ap(daddr, &th->th_dport,
3617 pd->ip_sum, &th->th_sum, &pd->baddr,
3621 s->src.seqhi = htonl(arc4random());
3622 /* Find mss option */
3623 mss = pf_get_mss(m, off, th->th_off, af);
3624 mss = pf_calc_mss(saddr, af, mss);
3625 mss = pf_calc_mss(daddr, af, mss);
3628 pf_send_tcp(NULL, r, af, daddr, saddr, th->th_dport,
3630 pf_send_tcp(r, af, daddr, saddr, th->th_dport,
3632 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
3633 TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL);
3634 REASON_SET(&reason, PFRES_SYNPROXY);
3635 return (PF_SYNPROXY_DROP);
3639 /* copy back packet headers if we performed NAT operations */
3641 m_copyback(m, off, sizeof(*th), (caddr_t)th);
3647 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
3648 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3650 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3651 struct ifqueue *ifq, struct inpcb *inp)
3653 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3654 struct ifqueue *ifq)
3657 struct pf_rule *nr = NULL;
3658 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3659 struct udphdr *uh = pd->hdr.udp;
3660 u_int16_t bport, nport = 0;
3661 sa_family_t af = pd->af;
3662 struct pf_rule *r, *a = NULL;
3663 struct pf_ruleset *ruleset = NULL;
3664 struct pf_src_node *nsn = NULL;
3667 int tag = -1, rtableid = -1;
3671 if (pf_check_congestion(ifq)) {
3672 REASON_SET(&reason, PFRES_CONGEST);
3678 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3679 else if (debug_pfugidhack) {
3681 DPFPRINTF(PF_DEBUG_MISC, ("pf: unlocked lookup\n"));
3682 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3687 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3689 if (direction == PF_OUT) {
3690 bport = nport = uh->uh_sport;
3691 /* check outgoing packet for BINAT/NAT */
3692 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3693 saddr, uh->uh_sport, daddr, uh->uh_dport,
3694 &pd->naddr, &nport)) != NULL) {
3695 PF_ACPY(&pd->baddr, saddr, af);
3696 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
3697 &uh->uh_sum, &pd->naddr, nport, 1, af);
3704 bport = nport = uh->uh_dport;
3705 /* check incoming packet for BINAT/RDR */
3706 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3707 saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr,
3709 PF_ACPY(&pd->baddr, daddr, af);
3710 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
3711 &uh->uh_sum, &pd->naddr, nport, 1, af);
3721 if (pfi_kif_match(r->kif, kif) == r->ifnot)
3722 r = r->skip[PF_SKIP_IFP].ptr;
3723 else if (r->direction && r->direction != direction)
3724 r = r->skip[PF_SKIP_DIR].ptr;
3725 else if (r->af && r->af != af)
3726 r = r->skip[PF_SKIP_AF].ptr;
3727 else if (r->proto && r->proto != IPPROTO_UDP)
3728 r = r->skip[PF_SKIP_PROTO].ptr;
3729 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3731 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3732 else if (r->src.port_op && !pf_match_port(r->src.port_op,
3733 r->src.port[0], r->src.port[1], uh->uh_sport))
3734 r = r->skip[PF_SKIP_SRC_PORT].ptr;
3735 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3737 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3738 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
3739 r->dst.port[0], r->dst.port[1], uh->uh_dport))
3740 r = r->skip[PF_SKIP_DST_PORT].ptr;
3741 else if (r->tos && !(r->tos == pd->tos))
3742 r = TAILQ_NEXT(r, entries);
3743 else if (r->rule_flag & PFRULE_FRAGMENT)
3744 r = TAILQ_NEXT(r, entries);
3745 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3747 pf_socket_lookup(direction, pd, inp), 1)) &&
3749 pf_socket_lookup(direction, pd), 1)) &&
3751 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
3753 r = TAILQ_NEXT(r, entries);
3754 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3756 pf_socket_lookup(direction, pd, inp), 1)) &&
3758 pf_socket_lookup(direction, pd), 1)) &&
3760 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
3762 r = TAILQ_NEXT(r, entries);
3763 else if (r->prob && r->prob <= arc4random())
3764 r = TAILQ_NEXT(r, entries);
3765 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3766 r = TAILQ_NEXT(r, entries);
3767 else if (r->os_fingerprint != PF_OSFP_ANY)
3768 r = TAILQ_NEXT(r, entries);
3772 if (r->rtableid >= 0)
3773 rtableid = r->rtableid;
3774 if (r->anchor == NULL) {
3781 r = TAILQ_NEXT(r, entries);
3783 pf_step_into_anchor(&asd, &ruleset,
3784 PF_RULESET_FILTER, &r, &a, &match);
3786 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3787 PF_RULESET_FILTER, &r, &a, &match))
3794 REASON_SET(&reason, PFRES_MATCH);
3796 if (r->log || (nr != NULL && nr->natpass && nr->log)) {
3799 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3801 m_copyback(m, off, sizeof(*uh), uh);
3803 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
3807 if ((r->action == PF_DROP) &&
3808 ((r->rule_flag & PFRULE_RETURNICMP) ||
3809 (r->rule_flag & PFRULE_RETURN))) {
3810 /* undo NAT changes, if they have taken place */
3812 if (direction == PF_OUT) {
3813 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
3814 &uh->uh_sum, &pd->baddr, bport, 1, af);
3817 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
3818 &uh->uh_sum, &pd->baddr, bport, 1, af);
3822 if ((af == AF_INET) && r->return_icmp)
3823 pf_send_icmp(m, r->return_icmp >> 8,
3824 r->return_icmp & 255, af, r);
3825 else if ((af == AF_INET6) && r->return_icmp6)
3826 pf_send_icmp(m, r->return_icmp6 >> 8,
3827 r->return_icmp6 & 255, af, r);
3830 if (r->action == PF_DROP)
3833 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
3834 REASON_SET(&reason, PFRES_MEMORY);
3838 if (r->keep_state || nr != NULL) {
3839 /* create new state */
3840 struct pf_state *s = NULL;
3841 struct pf_src_node *sn = NULL;
3843 /* check maximums */
3844 if (r->max_states && (r->states >= r->max_states)) {
3845 pf_status.lcounters[LCNT_STATES]++;
3846 REASON_SET(&reason, PFRES_MAXSTATES);
3849 /* src node for filter rule */
3850 if ((r->rule_flag & PFRULE_SRCTRACK ||
3851 r->rpool.opts & PF_POOL_STICKYADDR) &&
3852 pf_insert_src_node(&sn, r, saddr, af) != 0) {
3853 REASON_SET(&reason, PFRES_SRCLIMIT);
3856 /* src node for translation rule */
3857 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3858 ((direction == PF_OUT &&
3859 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3860 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
3861 REASON_SET(&reason, PFRES_SRCLIMIT);
3864 s = pool_get(&pf_state_pl, PR_NOWAIT);
3866 REASON_SET(&reason, PFRES_MEMORY);
3868 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3869 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3870 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3871 pf_status.src_nodes--;
3872 pool_put(&pf_src_tree_pl, sn);
3874 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3876 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3877 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3878 pf_status.src_nodes--;
3879 pool_put(&pf_src_tree_pl, nsn);
3883 bzero(s, sizeof(*s));
3885 s->nat_rule.ptr = nr;
3887 STATE_INC_COUNTERS(s);
3888 s->allow_opts = r->allow_opts;
3889 s->log = r->log & PF_LOG_ALL;
3891 s->log |= nr->log & PF_LOG_ALL;
3892 s->proto = IPPROTO_UDP;
3893 s->direction = direction;
3895 if (direction == PF_OUT) {
3896 PF_ACPY(&s->gwy.addr, saddr, af);
3897 s->gwy.port = uh->uh_sport;
3898 PF_ACPY(&s->ext.addr, daddr, af);
3899 s->ext.port = uh->uh_dport;
3901 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3902 s->lan.port = bport;
3904 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3905 s->lan.port = s->gwy.port;
3908 PF_ACPY(&s->lan.addr, daddr, af);
3909 s->lan.port = uh->uh_dport;
3910 PF_ACPY(&s->ext.addr, saddr, af);
3911 s->ext.port = uh->uh_sport;
3913 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3914 s->gwy.port = bport;
3916 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3917 s->gwy.port = s->lan.port;
3920 s->src.state = PFUDPS_SINGLE;
3921 s->dst.state = PFUDPS_NO_TRAFFIC;
3922 s->creation = time_second;
3923 s->expire = time_second;
3924 s->timeout = PFTM_UDP_FIRST_PACKET;
3925 pf_set_rt_ifp(s, saddr);
3928 s->src_node->states++;
3931 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3932 s->nat_src_node = nsn;
3933 s->nat_src_node->states++;
3935 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3936 REASON_SET(&reason, PFRES_STATEINS);
3937 pf_src_tree_remove_state(s);
3938 STATE_DEC_COUNTERS(s);
3939 pool_put(&pf_state_pl, s);
3949 /* copy back packet headers if we performed NAT operations */
3951 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3957 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
3958 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3959 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3960 struct ifqueue *ifq)
3962 struct pf_rule *nr = NULL;
3963 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3964 struct pf_rule *r, *a = NULL;
3965 struct pf_ruleset *ruleset = NULL;
3966 struct pf_src_node *nsn = NULL;
3968 u_int16_t icmpid = 0, bport, nport = 0;
3969 sa_family_t af = pd->af;
3970 u_int8_t icmptype = 0; /* make the compiler happy */
3971 u_int8_t icmpcode = 0; /* make the compiler happy */
3973 int tag = -1, rtableid = -1;
3980 if (pf_check_congestion(ifq)) {
3981 REASON_SET(&reason, PFRES_CONGEST);
3985 switch (pd->proto) {
3988 icmptype = pd->hdr.icmp->icmp_type;
3989 icmpcode = pd->hdr.icmp->icmp_code;
3990 icmpid = pd->hdr.icmp->icmp_id;
3992 if (icmptype == ICMP_UNREACH ||
3993 icmptype == ICMP_SOURCEQUENCH ||
3994 icmptype == ICMP_REDIRECT ||
3995 icmptype == ICMP_TIMXCEED ||
3996 icmptype == ICMP_PARAMPROB)
4001 case IPPROTO_ICMPV6:
4002 icmptype = pd->hdr.icmp6->icmp6_type;
4003 icmpcode = pd->hdr.icmp6->icmp6_code;
4004 icmpid = pd->hdr.icmp6->icmp6_id;
4006 if (icmptype == ICMP6_DST_UNREACH ||
4007 icmptype == ICMP6_PACKET_TOO_BIG ||
4008 icmptype == ICMP6_TIME_EXCEEDED ||
4009 icmptype == ICMP6_PARAM_PROB)
4015 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4017 if (direction == PF_OUT) {
4018 bport = nport = icmpid;
4019 /* check outgoing packet for BINAT/NAT */
4020 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
4021 saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) !=
4023 PF_ACPY(&pd->baddr, saddr, af);
4027 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
4028 pd->naddr.v4.s_addr, 0);
4029 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
4030 pd->hdr.icmp->icmp_cksum, icmpid, nport, 0);
4031 pd->hdr.icmp->icmp_id = nport;
4032 m_copyback(m, off, ICMP_MINLEN,
4033 (caddr_t)pd->hdr.icmp);
4038 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
4049 bport = nport = icmpid;
4050 /* check incoming packet for BINAT/RDR */
4051 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
4052 saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) !=
4054 PF_ACPY(&pd->baddr, daddr, af);
4058 pf_change_a(&daddr->v4.s_addr,
4059 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4064 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
4078 if (pfi_kif_match(r->kif, kif) == r->ifnot)
4079 r = r->skip[PF_SKIP_IFP].ptr;
4080 else if (r->direction && r->direction != direction)
4081 r = r->skip[PF_SKIP_DIR].ptr;
4082 else if (r->af && r->af != af)
4083 r = r->skip[PF_SKIP_AF].ptr;
4084 else if (r->proto && r->proto != pd->proto)
4085 r = r->skip[PF_SKIP_PROTO].ptr;
4086 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
4088 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4089 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
4091 r = r->skip[PF_SKIP_DST_ADDR].ptr;
4092 else if (r->type && r->type != icmptype + 1)
4093 r = TAILQ_NEXT(r, entries);
4094 else if (r->code && r->code != icmpcode + 1)
4095 r = TAILQ_NEXT(r, entries);
4096 else if (r->tos && !(r->tos == pd->tos))
4097 r = TAILQ_NEXT(r, entries);
4098 else if (r->rule_flag & PFRULE_FRAGMENT)
4099 r = TAILQ_NEXT(r, entries);
4100 else if (r->prob && r->prob <= arc4random())
4101 r = TAILQ_NEXT(r, entries);
4102 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4103 r = TAILQ_NEXT(r, entries);
4104 else if (r->os_fingerprint != PF_OSFP_ANY)
4105 r = TAILQ_NEXT(r, entries);
4109 if (r->rtableid >= 0)
4110 rtableid = r->rtableid;
4111 if (r->anchor == NULL) {
4118 r = TAILQ_NEXT(r, entries);
4120 pf_step_into_anchor(&asd, &ruleset,
4121 PF_RULESET_FILTER, &r, &a, &match);
4123 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4124 PF_RULESET_FILTER, &r, &a, &match))
4131 REASON_SET(&reason, PFRES_MATCH);
4133 if (r->log || (nr != NULL && nr->natpass && nr->log)) {
4136 m_copyback(m, off, sizeof(struct icmp6_hdr),
4137 (caddr_t)pd->hdr.icmp6);
4139 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
4143 if (r->action != PF_PASS)
4146 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
4147 REASON_SET(&reason, PFRES_MEMORY);
4151 if (!state_icmp && (r->keep_state || nr != NULL)) {
4152 /* create new state */
4153 struct pf_state *s = NULL;
4154 struct pf_src_node *sn = NULL;
4156 /* check maximums */
4157 if (r->max_states && (r->states >= r->max_states)) {
4158 pf_status.lcounters[LCNT_STATES]++;
4159 REASON_SET(&reason, PFRES_MAXSTATES);
4162 /* src node for filter rule */
4163 if ((r->rule_flag & PFRULE_SRCTRACK ||
4164 r->rpool.opts & PF_POOL_STICKYADDR) &&
4165 pf_insert_src_node(&sn, r, saddr, af) != 0) {
4166 REASON_SET(&reason, PFRES_SRCLIMIT);
4169 /* src node for translation rule */
4170 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
4171 ((direction == PF_OUT &&
4172 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
4173 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
4174 REASON_SET(&reason, PFRES_SRCLIMIT);
4177 s = pool_get(&pf_state_pl, PR_NOWAIT);
4179 REASON_SET(&reason, PFRES_MEMORY);
4181 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
4182 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
4183 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4184 pf_status.src_nodes--;
4185 pool_put(&pf_src_tree_pl, sn);
4187 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
4189 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
4190 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4191 pf_status.src_nodes--;
4192 pool_put(&pf_src_tree_pl, nsn);
4196 bzero(s, sizeof(*s));
4198 s->nat_rule.ptr = nr;
4200 STATE_INC_COUNTERS(s);
4201 s->allow_opts = r->allow_opts;
4202 s->log = r->log & PF_LOG_ALL;
4204 s->log |= nr->log & PF_LOG_ALL;
4205 s->proto = pd->proto;
4206 s->direction = direction;
4208 if (direction == PF_OUT) {
4209 PF_ACPY(&s->gwy.addr, saddr, af);
4210 s->gwy.port = nport;
4211 PF_ACPY(&s->ext.addr, daddr, af);
4214 PF_ACPY(&s->lan.addr, &pd->baddr, af);
4215 s->lan.port = bport;
4217 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
4218 s->lan.port = s->gwy.port;
4221 PF_ACPY(&s->lan.addr, daddr, af);
4222 s->lan.port = nport;
4223 PF_ACPY(&s->ext.addr, saddr, af);
4226 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
4227 s->gwy.port = bport;
4229 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
4230 s->gwy.port = s->lan.port;
4233 s->creation = time_second;
4234 s->expire = time_second;
4235 s->timeout = PFTM_ICMP_FIRST_PACKET;
4236 pf_set_rt_ifp(s, saddr);
4239 s->src_node->states++;
4242 PF_ACPY(&nsn->raddr, &pd->naddr, af);
4243 s->nat_src_node = nsn;
4244 s->nat_src_node->states++;
4246 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
4247 REASON_SET(&reason, PFRES_STATEINS);
4248 pf_src_tree_remove_state(s);
4249 STATE_DEC_COUNTERS(s);
4250 pool_put(&pf_state_pl, s);
4261 /* copy back packet headers if we performed IPv6 NAT operations */
4263 m_copyback(m, off, sizeof(struct icmp6_hdr),
4264 (caddr_t)pd->hdr.icmp6);
4271 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
4272 struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4273 struct pf_rule **am, struct pf_ruleset **rsm, struct ifqueue *ifq)
4275 struct pf_rule *nr = NULL;
4276 struct pf_rule *r, *a = NULL;
4277 struct pf_ruleset *ruleset = NULL;
4278 struct pf_src_node *nsn = NULL;
4279 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4280 sa_family_t af = pd->af;
4282 int tag = -1, rtableid = -1;
4286 if (pf_check_congestion(ifq)) {
4287 REASON_SET(&reason, PFRES_CONGEST);
4291 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4293 if (direction == PF_OUT) {
4294 /* check outgoing packet for BINAT/NAT */
4295 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
4296 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
4297 PF_ACPY(&pd->baddr, saddr, af);
4301 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
4302 pd->naddr.v4.s_addr, 0);
4307 PF_ACPY(saddr, &pd->naddr, af);
4316 /* check incoming packet for BINAT/RDR */
4317 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
4318 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
4319 PF_ACPY(&pd->baddr, daddr, af);
4323 pf_change_a(&daddr->v4.s_addr,
4324 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4329 PF_ACPY(daddr, &pd->naddr, af);
4341 if (pfi_kif_match(r->kif, kif) == r->ifnot)
4342 r = r->skip[PF_SKIP_IFP].ptr;
4343 else if (r->direction && r->direction != direction)
4344 r = r->skip[PF_SKIP_DIR].ptr;
4345 else if (r->af && r->af != af)
4346 r = r->skip[PF_SKIP_AF].ptr;
4347 else if (r->proto && r->proto != pd->proto)
4348 r = r->skip[PF_SKIP_PROTO].ptr;
4349 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
4351 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4352 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
4354 r = r->skip[PF_SKIP_DST_ADDR].ptr;
4355 else if (r->tos && !(r->tos == pd->tos))
4356 r = TAILQ_NEXT(r, entries);
4357 else if (r->rule_flag & PFRULE_FRAGMENT)
4358 r = TAILQ_NEXT(r, entries);
4359 else if (r->prob && r->prob <= arc4random())
4360 r = TAILQ_NEXT(r, entries);
4361 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4362 r = TAILQ_NEXT(r, entries);
4363 else if (r->os_fingerprint != PF_OSFP_ANY)
4364 r = TAILQ_NEXT(r, entries);
4368 if (r->rtableid >= 0)
4369 rtableid = r->rtableid;
4370 if (r->anchor == NULL) {
4377 r = TAILQ_NEXT(r, entries);
4379 pf_step_into_anchor(&asd, &ruleset,
4380 PF_RULESET_FILTER, &r, &a, &match);
4382 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4383 PF_RULESET_FILTER, &r, &a, &match))
4390 REASON_SET(&reason, PFRES_MATCH);
4392 if (r->log || (nr != NULL && nr->natpass && nr->log))
4393 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
4396 if ((r->action == PF_DROP) &&
4397 ((r->rule_flag & PFRULE_RETURNICMP) ||
4398 (r->rule_flag & PFRULE_RETURN))) {
4399 struct pf_addr *a = NULL;
4402 if (direction == PF_OUT)
4411 pf_change_a(&a->v4.s_addr, pd->ip_sum,
4412 pd->baddr.v4.s_addr, 0);
4417 PF_ACPY(a, &pd->baddr, af);
4422 if ((af == AF_INET) && r->return_icmp)
4423 pf_send_icmp(m, r->return_icmp >> 8,
4424 r->return_icmp & 255, af, r);
4425 else if ((af == AF_INET6) && r->return_icmp6)
4426 pf_send_icmp(m, r->return_icmp6 >> 8,
4427 r->return_icmp6 & 255, af, r);
4430 if (r->action != PF_PASS)
4433 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
4434 REASON_SET(&reason, PFRES_MEMORY);
4438 if (r->keep_state || nr != NULL) {
4439 /* create new state */
4440 struct pf_state *s = NULL;
4441 struct pf_src_node *sn = NULL;
4443 /* check maximums */
4444 if (r->max_states && (r->states >= r->max_states)) {
4445 pf_status.lcounters[LCNT_STATES]++;
4446 REASON_SET(&reason, PFRES_MAXSTATES);
4449 /* src node for filter rule */
4450 if ((r->rule_flag & PFRULE_SRCTRACK ||
4451 r->rpool.opts & PF_POOL_STICKYADDR) &&
4452 pf_insert_src_node(&sn, r, saddr, af) != 0) {
4453 REASON_SET(&reason, PFRES_SRCLIMIT);
4456 /* src node for translation rule */
4457 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
4458 ((direction == PF_OUT &&
4459 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
4460 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
4461 REASON_SET(&reason, PFRES_SRCLIMIT);
4464 s = pool_get(&pf_state_pl, PR_NOWAIT);
4466 REASON_SET(&reason, PFRES_MEMORY);
4468 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
4469 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
4470 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4471 pf_status.src_nodes--;
4472 pool_put(&pf_src_tree_pl, sn);
4474 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
4476 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
4477 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4478 pf_status.src_nodes--;
4479 pool_put(&pf_src_tree_pl, nsn);
4483 bzero(s, sizeof(*s));
4485 s->nat_rule.ptr = nr;
4487 STATE_INC_COUNTERS(s);
4488 s->allow_opts = r->allow_opts;
4489 s->log = r->log & PF_LOG_ALL;
4491 s->log |= nr->log & PF_LOG_ALL;
4492 s->proto = pd->proto;
4493 s->direction = direction;
4495 if (direction == PF_OUT) {
4496 PF_ACPY(&s->gwy.addr, saddr, af);
4497 PF_ACPY(&s->ext.addr, daddr, af);
4499 PF_ACPY(&s->lan.addr, &pd->baddr, af);
4501 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
4503 PF_ACPY(&s->lan.addr, daddr, af);
4504 PF_ACPY(&s->ext.addr, saddr, af);
4506 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
4508 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
4510 s->src.state = PFOTHERS_SINGLE;
4511 s->dst.state = PFOTHERS_NO_TRAFFIC;
4512 s->creation = time_second;
4513 s->expire = time_second;
4514 s->timeout = PFTM_OTHER_FIRST_PACKET;
4515 pf_set_rt_ifp(s, saddr);
4518 s->src_node->states++;
4521 PF_ACPY(&nsn->raddr, &pd->naddr, af);
4522 s->nat_src_node = nsn;
4523 s->nat_src_node->states++;
4525 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
4526 REASON_SET(&reason, PFRES_STATEINS);
4527 pf_src_tree_remove_state(s);
4528 STATE_DEC_COUNTERS(s);
4529 pool_put(&pf_state_pl, s);
4543 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
4544 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
4545 struct pf_ruleset **rsm)
4547 struct pf_rule *r, *a = NULL;
4548 struct pf_ruleset *ruleset = NULL;
4549 sa_family_t af = pd->af;
4555 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4558 if (pfi_kif_match(r->kif, kif) == r->ifnot)
4559 r = r->skip[PF_SKIP_IFP].ptr;
4560 else if (r->direction && r->direction != direction)
4561 r = r->skip[PF_SKIP_DIR].ptr;
4562 else if (r->af && r->af != af)
4563 r = r->skip[PF_SKIP_AF].ptr;
4564 else if (r->proto && r->proto != pd->proto)
4565 r = r->skip[PF_SKIP_PROTO].ptr;
4566 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
4568 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4569 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
4571 r = r->skip[PF_SKIP_DST_ADDR].ptr;
4572 else if (r->tos && !(r->tos == pd->tos))
4573 r = TAILQ_NEXT(r, entries);
4574 else if (r->os_fingerprint != PF_OSFP_ANY)
4575 r = TAILQ_NEXT(r, entries);
4576 else if (pd->proto == IPPROTO_UDP &&
4577 (r->src.port_op || r->dst.port_op))
4578 r = TAILQ_NEXT(r, entries);
4579 else if (pd->proto == IPPROTO_TCP &&
4580 (r->src.port_op || r->dst.port_op || r->flagset))
4581 r = TAILQ_NEXT(r, entries);
4582 else if ((pd->proto == IPPROTO_ICMP ||
4583 pd->proto == IPPROTO_ICMPV6) &&
4584 (r->type || r->code))
4585 r = TAILQ_NEXT(r, entries);
4586 else if (r->prob && r->prob <= arc4random())
4587 r = TAILQ_NEXT(r, entries);
4588 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4589 r = TAILQ_NEXT(r, entries);
4591 if (r->anchor == NULL) {
4598 r = TAILQ_NEXT(r, entries);
4600 pf_step_into_anchor(&asd, &ruleset,
4601 PF_RULESET_FILTER, &r, &a, &match);
4603 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4604 PF_RULESET_FILTER, &r, &a, &match))
4611 REASON_SET(&reason, PFRES_MATCH);
4614 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset,
4617 if (r->action != PF_PASS)
4620 if (pf_tag_packet(m, pd->pf_mtag, tag, -1)) {
4621 REASON_SET(&reason, PFRES_MEMORY);
4629 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
4630 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4633 struct pf_state_cmp key;
4634 struct tcphdr *th = pd->hdr.tcp;
4635 u_int16_t win = ntohs(th->th_win);
4636 u_int32_t ack, end, seq, orig_seq;
4640 struct pf_state_peer *src, *dst;
4643 key.proto = IPPROTO_TCP;
4644 if (direction == PF_IN) {
4645 PF_ACPY(&key.ext.addr, pd->src, key.af);
4646 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4647 key.ext.port = th->th_sport;
4648 key.gwy.port = th->th_dport;
4650 PF_ACPY(&key.lan.addr, pd->src, key.af);
4651 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4652 key.lan.port = th->th_sport;
4653 key.ext.port = th->th_dport;
4658 if (direction == (*state)->direction) {
4659 src = &(*state)->src;
4660 dst = &(*state)->dst;
4662 src = &(*state)->dst;
4663 dst = &(*state)->src;
4666 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
4667 if (direction != (*state)->direction) {
4668 REASON_SET(reason, PFRES_SYNPROXY);
4669 return (PF_SYNPROXY_DROP);
4671 if (th->th_flags & TH_SYN) {
4672 if (ntohl(th->th_seq) != (*state)->src.seqlo) {
4673 REASON_SET(reason, PFRES_SYNPROXY);
4677 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4679 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
4681 pd->src, th->th_dport, th->th_sport,
4682 (*state)->src.seqhi, ntohl(th->th_seq) + 1,
4683 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
4685 REASON_SET(reason, PFRES_SYNPROXY);
4686 return (PF_SYNPROXY_DROP);
4687 } else if (!(th->th_flags & TH_ACK) ||
4688 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4689 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4690 REASON_SET(reason, PFRES_SYNPROXY);
4692 } else if ((*state)->src_node != NULL &&
4693 pf_src_connlimit(state)) {
4694 REASON_SET(reason, PFRES_SRCLIMIT);
4697 (*state)->src.state = PF_TCPS_PROXY_DST;
4699 if ((*state)->src.state == PF_TCPS_PROXY_DST) {
4700 struct pf_state_host *src, *dst;
4702 if (direction == PF_OUT) {
4703 src = &(*state)->gwy;
4704 dst = &(*state)->ext;
4706 src = &(*state)->ext;
4707 dst = &(*state)->lan;
4709 if (direction == (*state)->direction) {
4710 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
4711 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4712 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4713 REASON_SET(reason, PFRES_SYNPROXY);
4716 (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
4717 if ((*state)->dst.seqhi == 1)
4718 (*state)->dst.seqhi = htonl(arc4random());
4720 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4723 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
4725 &dst->addr, src->port, dst->port,
4726 (*state)->dst.seqhi, 0, TH_SYN, 0,
4727 (*state)->src.mss, 0, 0, (*state)->tag, NULL, NULL);
4728 REASON_SET(reason, PFRES_SYNPROXY);
4729 return (PF_SYNPROXY_DROP);
4730 } else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
4732 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
4733 REASON_SET(reason, PFRES_SYNPROXY);
4736 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
4737 (*state)->dst.seqlo = ntohl(th->th_seq);
4739 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4741 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
4743 pd->src, th->th_dport, th->th_sport,
4744 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
4745 TH_ACK, (*state)->src.max_win, 0, 0, 0,
4746 (*state)->tag, NULL, NULL);
4748 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4751 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
4753 &dst->addr, src->port, dst->port,
4754 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
4755 TH_ACK, (*state)->dst.max_win, 0, 0, 1,
4757 (*state)->src.seqdiff = (*state)->dst.seqhi -
4758 (*state)->src.seqlo;
4759 (*state)->dst.seqdiff = (*state)->src.seqhi -
4760 (*state)->dst.seqlo;
4761 (*state)->src.seqhi = (*state)->src.seqlo +
4762 (*state)->dst.max_win;
4763 (*state)->dst.seqhi = (*state)->dst.seqlo +
4764 (*state)->src.max_win;
4765 (*state)->src.wscale = (*state)->dst.wscale = 0;
4766 (*state)->src.state = (*state)->dst.state =
4768 REASON_SET(reason, PFRES_SYNPROXY);
4769 return (PF_SYNPROXY_DROP);
4773 if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
4774 dst->state >= TCPS_FIN_WAIT_2 &&
4775 src->state >= TCPS_FIN_WAIT_2) {
4776 if (pf_status.debug >= PF_DEBUG_MISC) {
4777 printf("pf: state reuse ");
4778 pf_print_state(*state);
4779 pf_print_flags(th->th_flags);
4782 /* XXX make sure it's the same direction ?? */
4783 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
4784 pf_unlink_state(*state);
4789 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
4790 sws = src->wscale & PF_WSCALE_MASK;
4791 dws = dst->wscale & PF_WSCALE_MASK;
4796 * Sequence tracking algorithm from Guido van Rooij's paper:
4797 * http://www.madison-gurkha.com/publications/tcp_filtering/
4801 orig_seq = seq = ntohl(th->th_seq);
4802 if (src->seqlo == 0) {
4803 /* First packet from this end. Set its state */
4805 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
4806 src->scrub == NULL) {
4807 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
4808 REASON_SET(reason, PFRES_MEMORY);
4813 /* Deferred generation of sequence number modulator */
4814 if (dst->seqdiff && !src->seqdiff) {
4816 while ((src->seqdiff = pf_new_isn(*state) - seq) == 0)
4819 while ((src->seqdiff = tcp_rndiss_next() - seq) == 0)
4822 ack = ntohl(th->th_ack) - dst->seqdiff;
4823 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
4825 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
4828 ack = ntohl(th->th_ack);
4831 end = seq + pd->p_len;
4832 if (th->th_flags & TH_SYN) {
4834 if (dst->wscale & PF_WSCALE_FLAG) {
4835 src->wscale = pf_get_wscale(m, off, th->th_off,
4837 if (src->wscale & PF_WSCALE_FLAG) {
4838 /* Remove scale factor from initial
4840 sws = src->wscale & PF_WSCALE_MASK;
4841 win = ((u_int32_t)win + (1 << sws) - 1)
4843 dws = dst->wscale & PF_WSCALE_MASK;
4845 /* fixup other window */
4846 dst->max_win <<= dst->wscale &
4848 /* in case of a retrans SYN|ACK */
4853 if (th->th_flags & TH_FIN)
4857 if (src->state < TCPS_SYN_SENT)
4858 src->state = TCPS_SYN_SENT;
4861 * May need to slide the window (seqhi may have been set by
4862 * the crappy stack check or if we picked up the connection
4863 * after establishment)
4865 if (src->seqhi == 1 ||
4866 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
4867 src->seqhi = end + MAX(1, dst->max_win << dws);
4868 if (win > src->max_win)
4872 ack = ntohl(th->th_ack) - dst->seqdiff;
4874 /* Modulate sequence numbers */
4875 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
4877 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
4880 end = seq + pd->p_len;
4881 if (th->th_flags & TH_SYN)
4883 if (th->th_flags & TH_FIN)
4887 if ((th->th_flags & TH_ACK) == 0) {
4888 /* Let it pass through the ack skew check */
4890 } else if ((ack == 0 &&
4891 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
4892 /* broken tcp stacks do not set ack */
4893 (dst->state < TCPS_SYN_SENT)) {
4895 * Many stacks (ours included) will set the ACK number in an
4896 * FIN|ACK if the SYN times out -- no sequence to ACK.
4902 /* Ease sequencing restrictions on no data packets */
4907 ackskew = dst->seqlo - ack;
4911 * Need to demodulate the sequence numbers in any TCP SACK options
4912 * (Selective ACK). We could optionally validate the SACK values
4913 * against the current ACK window, either forwards or backwards, but
4914 * I'm not confident that SACK has been implemented properly
4915 * everywhere. It wouldn't surprise me if several stacks accidently
4916 * SACK too far backwards of previously ACKed data. There really aren't
4917 * any security implications of bad SACKing unless the target stack
4918 * doesn't validate the option length correctly. Someone trying to
4919 * spoof into a TCP connection won't bother blindly sending SACK
4922 if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) {
4923 if (pf_modulate_sack(m, off, pd, th, dst))
4928 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
4929 if (SEQ_GEQ(src->seqhi, end) &&
4930 /* Last octet inside other's window space */
4931 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
4932 /* Retrans: not more than one window back */
4933 (ackskew >= -MAXACKWINDOW) &&
4934 /* Acking not more than one reassembled fragment backwards */
4935 (ackskew <= (MAXACKWINDOW << sws)) &&
4936 /* Acking not more than one window forward */
4937 ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
4938 (orig_seq == src->seqlo + 1) || (pd->flags & PFDESC_IP_REAS) == 0)) {
4939 /* Require an exact/+1 sequence match on resets when possible */
4941 if (dst->scrub || src->scrub) {
4942 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4943 *state, src, dst, ©back))
4947 /* update max window */
4948 if (src->max_win < win)
4950 /* synchronize sequencing */
4951 if (SEQ_GT(end, src->seqlo))
4953 /* slide the window of what the other end can send */
4954 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
4955 dst->seqhi = ack + MAX((win << sws), 1);
4959 if (th->th_flags & TH_SYN)
4960 if (src->state < TCPS_SYN_SENT)
4961 src->state = TCPS_SYN_SENT;
4962 if (th->th_flags & TH_FIN)
4963 if (src->state < TCPS_CLOSING)
4964 src->state = TCPS_CLOSING;
4965 if (th->th_flags & TH_ACK) {
4966 if (dst->state == TCPS_SYN_SENT) {
4967 dst->state = TCPS_ESTABLISHED;
4968 if (src->state == TCPS_ESTABLISHED &&
4969 (*state)->src_node != NULL &&
4970 pf_src_connlimit(state)) {
4971 REASON_SET(reason, PFRES_SRCLIMIT);
4974 } else if (dst->state == TCPS_CLOSING)
4975 dst->state = TCPS_FIN_WAIT_2;
4977 if (th->th_flags & TH_RST)
4978 src->state = dst->state = TCPS_TIME_WAIT;
4980 /* update expire time */
4981 (*state)->expire = time_second;
4982 if (src->state >= TCPS_FIN_WAIT_2 &&
4983 dst->state >= TCPS_FIN_WAIT_2)
4984 (*state)->timeout = PFTM_TCP_CLOSED;
4985 else if (src->state >= TCPS_CLOSING &&
4986 dst->state >= TCPS_CLOSING)
4987 (*state)->timeout = PFTM_TCP_FIN_WAIT;
4988 else if (src->state < TCPS_ESTABLISHED ||
4989 dst->state < TCPS_ESTABLISHED)
4990 (*state)->timeout = PFTM_TCP_OPENING;
4991 else if (src->state >= TCPS_CLOSING ||
4992 dst->state >= TCPS_CLOSING)
4993 (*state)->timeout = PFTM_TCP_CLOSING;
4995 (*state)->timeout = PFTM_TCP_ESTABLISHED;
4997 /* Fall through to PASS packet */
4999 } else if ((dst->state < TCPS_SYN_SENT ||
5000 dst->state >= TCPS_FIN_WAIT_2 ||
5001 src->state >= TCPS_FIN_WAIT_2) &&
5002 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
5003 /* Within a window forward of the originating packet */
5004 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
5005 /* Within a window backward of the originating packet */
5008 * This currently handles three situations:
5009 * 1) Stupid stacks will shotgun SYNs before their peer
5011 * 2) When PF catches an already established stream (the
5012 * firewall rebooted, the state table was flushed, routes
5014 * 3) Packets get funky immediately after the connection
5015 * closes (this should catch Solaris spurious ACK|FINs
5016 * that web servers like to spew after a close)
5018 * This must be a little more careful than the above code
5019 * since packet floods will also be caught here. We don't
5020 * update the TTL here to mitigate the damage of a packet
5021 * flood and so the same code can handle awkward establishment
5022 * and a loosened connection close.
5023 * In the establishment case, a correct peer response will
5024 * validate the connection, go through the normal state code
5025 * and keep updating the state TTL.
5028 if (pf_status.debug >= PF_DEBUG_MISC) {
5029 printf("pf: loose state match: ");
5030 pf_print_state(*state);
5031 pf_print_flags(th->th_flags);
5032 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
5033 "pkts=%llu:%llu\n", seq, orig_seq, ack, pd->p_len,
5035 ackskew, (unsigned long long)(*state)->packets[0],
5036 (unsigned long long)(*state)->packets[1]);
5038 ackskew, (*state)->packets[0],
5039 (*state)->packets[1]);
5043 if (dst->scrub || src->scrub) {
5044 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
5045 *state, src, dst, ©back))
5049 /* update max window */
5050 if (src->max_win < win)
5052 /* synchronize sequencing */
5053 if (SEQ_GT(end, src->seqlo))
5055 /* slide the window of what the other end can send */
5056 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
5057 dst->seqhi = ack + MAX((win << sws), 1);
5060 * Cannot set dst->seqhi here since this could be a shotgunned
5061 * SYN and not an already established connection.
5064 if (th->th_flags & TH_FIN)
5065 if (src->state < TCPS_CLOSING)
5066 src->state = TCPS_CLOSING;
5067 if (th->th_flags & TH_RST)
5068 src->state = dst->state = TCPS_TIME_WAIT;
5070 /* Fall through to PASS packet */
5073 if ((*state)->dst.state == TCPS_SYN_SENT &&
5074 (*state)->src.state == TCPS_SYN_SENT) {
5075 /* Send RST for state mismatches during handshake */
5076 if (!(th->th_flags & TH_RST))
5078 pf_send_tcp(m, (*state)->rule.ptr, pd->af,
5080 pf_send_tcp((*state)->rule.ptr, pd->af,
5082 pd->dst, pd->src, th->th_dport,
5083 th->th_sport, ntohl(th->th_ack), 0,
5085 (*state)->rule.ptr->return_ttl, 1, 0,
5086 pd->eh, kif->pfik_ifp);
5090 } else if (pf_status.debug >= PF_DEBUG_MISC) {
5091 printf("pf: BAD state: ");
5092 pf_print_state(*state);
5093 pf_print_flags(th->th_flags);
5094 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
5095 "pkts=%llu:%llu dir=%s,%s\n",
5096 seq, orig_seq, ack, pd->p_len, ackskew,
5098 (unsigned long long)(*state)->packets[0],
5099 (unsigned long long)(*state)->packets[1],
5101 (*state)->packets[0], (*state)->packets[1],
5103 direction == PF_IN ? "in" : "out",
5104 direction == (*state)->direction ? "fwd" : "rev");
5105 printf("pf: State failure on: %c %c %c %c | %c %c\n",
5106 SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
5107 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
5109 (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
5110 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
5111 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
5112 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
5114 REASON_SET(reason, PFRES_BADSTATE);
5118 /* Any packets which have gotten here are to be passed */
5120 /* translate source/destination address, if necessary */
5121 if (STATE_TRANSLATE(*state)) {
5122 if (direction == PF_OUT)
5123 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
5124 &th->th_sum, &(*state)->gwy.addr,
5125 (*state)->gwy.port, 0, pd->af);
5127 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
5128 &th->th_sum, &(*state)->lan.addr,
5129 (*state)->lan.port, 0, pd->af);
5130 m_copyback(m, off, sizeof(*th), (caddr_t)th);
5131 } else if (copyback) {
5132 /* Copyback sequence modulation or stateful scrub changes */
5133 m_copyback(m, off, sizeof(*th), (caddr_t)th);
5140 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
5141 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
5143 struct pf_state_peer *src, *dst;
5144 struct pf_state_cmp key;
5145 struct udphdr *uh = pd->hdr.udp;
5148 key.proto = IPPROTO_UDP;
5149 if (direction == PF_IN) {
5150 PF_ACPY(&key.ext.addr, pd->src, key.af);
5151 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5152 key.ext.port = uh->uh_sport;
5153 key.gwy.port = uh->uh_dport;
5155 PF_ACPY(&key.lan.addr, pd->src, key.af);
5156 PF_ACPY(&key.ext.addr, pd->dst, key.af);
5157 key.lan.port = uh->uh_sport;
5158 key.ext.port = uh->uh_dport;
5163 if (direction == (*state)->direction) {
5164 src = &(*state)->src;
5165 dst = &(*state)->dst;
5167 src = &(*state)->dst;
5168 dst = &(*state)->src;
5172 if (src->state < PFUDPS_SINGLE)
5173 src->state = PFUDPS_SINGLE;
5174 if (dst->state == PFUDPS_SINGLE)
5175 dst->state = PFUDPS_MULTIPLE;
5177 /* update expire time */
5178 (*state)->expire = time_second;
5179 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
5180 (*state)->timeout = PFTM_UDP_MULTIPLE;
5182 (*state)->timeout = PFTM_UDP_SINGLE;
5184 /* translate source/destination address, if necessary */
5185 if (STATE_TRANSLATE(*state)) {
5186 if (direction == PF_OUT)
5187 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
5188 &uh->uh_sum, &(*state)->gwy.addr,
5189 (*state)->gwy.port, 1, pd->af);
5191 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
5192 &uh->uh_sum, &(*state)->lan.addr,
5193 (*state)->lan.port, 1, pd->af);
5194 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
5201 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
5202 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
5204 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
5205 u_int16_t icmpid = 0; /* make the compiler happy */
5206 u_int16_t *icmpsum = NULL; /* make the compiler happy */
5207 u_int8_t icmptype = 0; /* make the compiler happy */
5209 struct pf_state_cmp key;
5211 switch (pd->proto) {
5214 icmptype = pd->hdr.icmp->icmp_type;
5215 icmpid = pd->hdr.icmp->icmp_id;
5216 icmpsum = &pd->hdr.icmp->icmp_cksum;
5218 if (icmptype == ICMP_UNREACH ||
5219 icmptype == ICMP_SOURCEQUENCH ||
5220 icmptype == ICMP_REDIRECT ||
5221 icmptype == ICMP_TIMXCEED ||
5222 icmptype == ICMP_PARAMPROB)
5227 case IPPROTO_ICMPV6:
5228 icmptype = pd->hdr.icmp6->icmp6_type;
5229 icmpid = pd->hdr.icmp6->icmp6_id;
5230 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
5232 if (icmptype == ICMP6_DST_UNREACH ||
5233 icmptype == ICMP6_PACKET_TOO_BIG ||
5234 icmptype == ICMP6_TIME_EXCEEDED ||
5235 icmptype == ICMP6_PARAM_PROB)
5244 * ICMP query/reply message not related to a TCP/UDP packet.
5245 * Search for an ICMP state.
5248 key.proto = pd->proto;
5249 if (direction == PF_IN) {
5250 PF_ACPY(&key.ext.addr, pd->src, key.af);
5251 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5253 key.gwy.port = icmpid;
5255 PF_ACPY(&key.lan.addr, pd->src, key.af);
5256 PF_ACPY(&key.ext.addr, pd->dst, key.af);
5257 key.lan.port = icmpid;
5263 (*state)->expire = time_second;
5264 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
5266 /* translate source/destination address, if necessary */
5267 if (STATE_TRANSLATE(*state)) {
5268 if (direction == PF_OUT) {
5272 pf_change_a(&saddr->v4.s_addr,
5274 (*state)->gwy.addr.v4.s_addr, 0);
5275 pd->hdr.icmp->icmp_cksum =
5277 pd->hdr.icmp->icmp_cksum, icmpid,
5278 (*state)->gwy.port, 0);
5279 pd->hdr.icmp->icmp_id =
5281 m_copyback(m, off, ICMP_MINLEN,
5282 (caddr_t)pd->hdr.icmp);
5288 &pd->hdr.icmp6->icmp6_cksum,
5289 &(*state)->gwy.addr, 0);
5291 sizeof(struct icmp6_hdr),
5292 (caddr_t)pd->hdr.icmp6);
5300 pf_change_a(&daddr->v4.s_addr,
5302 (*state)->lan.addr.v4.s_addr, 0);
5303 pd->hdr.icmp->icmp_cksum =
5305 pd->hdr.icmp->icmp_cksum, icmpid,
5306 (*state)->lan.port, 0);
5307 pd->hdr.icmp->icmp_id =
5309 m_copyback(m, off, ICMP_MINLEN,
5310 (caddr_t)pd->hdr.icmp);
5316 &pd->hdr.icmp6->icmp6_cksum,
5317 &(*state)->lan.addr, 0);
5319 sizeof(struct icmp6_hdr),
5320 (caddr_t)pd->hdr.icmp6);
5331 * ICMP error message in response to a TCP/UDP packet.
5332 * Extract the inner TCP/UDP header and search for that state.
5335 struct pf_pdesc pd2;
5340 struct ip6_hdr h2_6;
5343 int ipoff2 = 0; /* make the compiler happy */
5344 int off2 = 0; /* make the compiler happy */
5350 /* offset of h2 in mbuf chain */
5351 ipoff2 = off + ICMP_MINLEN;
5353 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
5354 NULL, reason, pd2.af)) {
5355 DPFPRINTF(PF_DEBUG_MISC,
5356 ("pf: ICMP error message too short "
5361 * ICMP error messages don't refer to non-first
5364 if (h2.ip_off & htons(IP_OFFMASK)) {
5365 REASON_SET(reason, PFRES_FRAG);
5369 /* offset of protocol header that follows h2 */
5370 off2 = ipoff2 + (h2.ip_hl << 2);
5372 pd2.proto = h2.ip_p;
5373 pd2.src = (struct pf_addr *)&h2.ip_src;
5374 pd2.dst = (struct pf_addr *)&h2.ip_dst;
5375 pd2.ip_sum = &h2.ip_sum;
5380 ipoff2 = off + sizeof(struct icmp6_hdr);
5382 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
5383 NULL, reason, pd2.af)) {
5384 DPFPRINTF(PF_DEBUG_MISC,
5385 ("pf: ICMP error message too short "
5389 pd2.proto = h2_6.ip6_nxt;
5390 pd2.src = (struct pf_addr *)&h2_6.ip6_src;
5391 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
5393 off2 = ipoff2 + sizeof(h2_6);
5395 switch (pd2.proto) {
5396 case IPPROTO_FRAGMENT:
5398 * ICMPv6 error messages for
5399 * non-first fragments
5401 REASON_SET(reason, PFRES_FRAG);
5404 case IPPROTO_HOPOPTS:
5405 case IPPROTO_ROUTING:
5406 case IPPROTO_DSTOPTS: {
5407 /* get next header and header length */
5408 struct ip6_ext opt6;
5410 if (!pf_pull_hdr(m, off2, &opt6,
5411 sizeof(opt6), NULL, reason,
5413 DPFPRINTF(PF_DEBUG_MISC,
5414 ("pf: ICMPv6 short opt\n"));
5417 if (pd2.proto == IPPROTO_AH)
5418 off2 += (opt6.ip6e_len + 2) * 4;
5420 off2 += (opt6.ip6e_len + 1) * 8;
5421 pd2.proto = opt6.ip6e_nxt;
5422 /* goto the next header */
5429 } while (!terminal);
5434 panic("AF not supported: %d", pd->af);
5438 switch (pd2.proto) {
5442 struct pf_state_peer *src, *dst;
5447 * Only the first 8 bytes of the TCP header can be
5448 * expected. Don't access any TCP header fields after
5449 * th_seq, an ackskew test is not possible.
5451 if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason,
5453 DPFPRINTF(PF_DEBUG_MISC,
5454 ("pf: ICMP error message too short "
5460 key.proto = IPPROTO_TCP;
5461 if (direction == PF_IN) {
5462 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5463 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5464 key.ext.port = th.th_dport;
5465 key.gwy.port = th.th_sport;
5467 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5468 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5469 key.lan.port = th.th_dport;
5470 key.ext.port = th.th_sport;
5475 if (direction == (*state)->direction) {
5476 src = &(*state)->dst;
5477 dst = &(*state)->src;
5479 src = &(*state)->src;
5480 dst = &(*state)->dst;
5483 if (src->wscale && dst->wscale)
5484 dws = dst->wscale & PF_WSCALE_MASK;
5488 /* Demodulate sequence number */
5489 seq = ntohl(th.th_seq) - src->seqdiff;
5491 pf_change_a(&th.th_seq, icmpsum,
5496 if (!SEQ_GEQ(src->seqhi, seq) ||
5497 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) {
5498 if (pf_status.debug >= PF_DEBUG_MISC) {
5499 printf("pf: BAD ICMP %d:%d ",
5500 icmptype, pd->hdr.icmp->icmp_code);
5501 pf_print_host(pd->src, 0, pd->af);
5503 pf_print_host(pd->dst, 0, pd->af);
5505 pf_print_state(*state);
5506 printf(" seq=%u\n", seq);
5508 REASON_SET(reason, PFRES_BADSTATE);
5512 if (STATE_TRANSLATE(*state)) {
5513 if (direction == PF_IN) {
5514 pf_change_icmp(pd2.src, &th.th_sport,
5515 daddr, &(*state)->lan.addr,
5516 (*state)->lan.port, NULL,
5517 pd2.ip_sum, icmpsum,
5518 pd->ip_sum, 0, pd2.af);
5520 pf_change_icmp(pd2.dst, &th.th_dport,
5521 saddr, &(*state)->gwy.addr,
5522 (*state)->gwy.port, NULL,
5523 pd2.ip_sum, icmpsum,
5524 pd->ip_sum, 0, pd2.af);
5533 m_copyback(m, off, ICMP_MINLEN,
5534 (caddr_t)pd->hdr.icmp);
5535 m_copyback(m, ipoff2, sizeof(h2),
5542 sizeof(struct icmp6_hdr),
5543 (caddr_t)pd->hdr.icmp6);
5544 m_copyback(m, ipoff2, sizeof(h2_6),
5549 m_copyback(m, off2, 8, (caddr_t)&th);
5558 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
5559 NULL, reason, pd2.af)) {
5560 DPFPRINTF(PF_DEBUG_MISC,
5561 ("pf: ICMP error message too short "
5567 key.proto = IPPROTO_UDP;
5568 if (direction == PF_IN) {
5569 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5570 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5571 key.ext.port = uh.uh_dport;
5572 key.gwy.port = uh.uh_sport;
5574 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5575 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5576 key.lan.port = uh.uh_dport;
5577 key.ext.port = uh.uh_sport;
5582 if (STATE_TRANSLATE(*state)) {
5583 if (direction == PF_IN) {
5584 pf_change_icmp(pd2.src, &uh.uh_sport,
5585 daddr, &(*state)->lan.addr,
5586 (*state)->lan.port, &uh.uh_sum,
5587 pd2.ip_sum, icmpsum,
5588 pd->ip_sum, 1, pd2.af);
5590 pf_change_icmp(pd2.dst, &uh.uh_dport,
5591 saddr, &(*state)->gwy.addr,
5592 (*state)->gwy.port, &uh.uh_sum,
5593 pd2.ip_sum, icmpsum,
5594 pd->ip_sum, 1, pd2.af);
5599 m_copyback(m, off, ICMP_MINLEN,
5600 (caddr_t)pd->hdr.icmp);
5601 m_copyback(m, ipoff2, sizeof(h2),
5608 sizeof(struct icmp6_hdr),
5609 (caddr_t)pd->hdr.icmp6);
5610 m_copyback(m, ipoff2, sizeof(h2_6),
5615 m_copyback(m, off2, sizeof(uh),
5623 case IPPROTO_ICMP: {
5626 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
5627 NULL, reason, pd2.af)) {
5628 DPFPRINTF(PF_DEBUG_MISC,
5629 ("pf: ICMP error message too short i"
5635 key.proto = IPPROTO_ICMP;
5636 if (direction == PF_IN) {
5637 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5638 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5640 key.gwy.port = iih.icmp_id;
5642 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5643 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5644 key.lan.port = iih.icmp_id;
5650 if (STATE_TRANSLATE(*state)) {
5651 if (direction == PF_IN) {
5652 pf_change_icmp(pd2.src, &iih.icmp_id,
5653 daddr, &(*state)->lan.addr,
5654 (*state)->lan.port, NULL,
5655 pd2.ip_sum, icmpsum,
5656 pd->ip_sum, 0, AF_INET);
5658 pf_change_icmp(pd2.dst, &iih.icmp_id,
5659 saddr, &(*state)->gwy.addr,
5660 (*state)->gwy.port, NULL,
5661 pd2.ip_sum, icmpsum,
5662 pd->ip_sum, 0, AF_INET);
5664 m_copyback(m, off, ICMP_MINLEN,
5665 (caddr_t)pd->hdr.icmp);
5666 m_copyback(m, ipoff2, sizeof(h2),
5668 m_copyback(m, off2, ICMP_MINLEN,
5677 case IPPROTO_ICMPV6: {
5678 struct icmp6_hdr iih;
5680 if (!pf_pull_hdr(m, off2, &iih,
5681 sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
5682 DPFPRINTF(PF_DEBUG_MISC,
5683 ("pf: ICMP error message too short "
5689 key.proto = IPPROTO_ICMPV6;
5690 if (direction == PF_IN) {
5691 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5692 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5694 key.gwy.port = iih.icmp6_id;
5696 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5697 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5698 key.lan.port = iih.icmp6_id;
5704 if (STATE_TRANSLATE(*state)) {
5705 if (direction == PF_IN) {
5706 pf_change_icmp(pd2.src, &iih.icmp6_id,
5707 daddr, &(*state)->lan.addr,
5708 (*state)->lan.port, NULL,
5709 pd2.ip_sum, icmpsum,
5710 pd->ip_sum, 0, AF_INET6);
5712 pf_change_icmp(pd2.dst, &iih.icmp6_id,
5713 saddr, &(*state)->gwy.addr,
5714 (*state)->gwy.port, NULL,
5715 pd2.ip_sum, icmpsum,
5716 pd->ip_sum, 0, AF_INET6);
5718 m_copyback(m, off, sizeof(struct icmp6_hdr),
5719 (caddr_t)pd->hdr.icmp6);
5720 m_copyback(m, ipoff2, sizeof(h2_6),
5722 m_copyback(m, off2, sizeof(struct icmp6_hdr),
5732 key.proto = pd2.proto;
5733 if (direction == PF_IN) {
5734 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5735 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5739 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5740 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5747 if (STATE_TRANSLATE(*state)) {
5748 if (direction == PF_IN) {
5749 pf_change_icmp(pd2.src, NULL,
5750 daddr, &(*state)->lan.addr,
5752 pd2.ip_sum, icmpsum,
5753 pd->ip_sum, 0, pd2.af);
5755 pf_change_icmp(pd2.dst, NULL,
5756 saddr, &(*state)->gwy.addr,
5758 pd2.ip_sum, icmpsum,
5759 pd->ip_sum, 0, pd2.af);
5764 m_copyback(m, off, ICMP_MINLEN,
5765 (caddr_t)pd->hdr.icmp);
5766 m_copyback(m, ipoff2, sizeof(h2),
5773 sizeof(struct icmp6_hdr),
5774 (caddr_t)pd->hdr.icmp6);
5775 m_copyback(m, ipoff2, sizeof(h2_6),
5790 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
5791 struct pf_pdesc *pd)
5793 struct pf_state_peer *src, *dst;
5794 struct pf_state_cmp key;
5797 key.proto = pd->proto;
5798 if (direction == PF_IN) {
5799 PF_ACPY(&key.ext.addr, pd->src, key.af);
5800 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5804 PF_ACPY(&key.lan.addr, pd->src, key.af);
5805 PF_ACPY(&key.ext.addr, pd->dst, key.af);
5812 if (direction == (*state)->direction) {
5813 src = &(*state)->src;
5814 dst = &(*state)->dst;
5816 src = &(*state)->dst;
5817 dst = &(*state)->src;
5821 if (src->state < PFOTHERS_SINGLE)
5822 src->state = PFOTHERS_SINGLE;
5823 if (dst->state == PFOTHERS_SINGLE)
5824 dst->state = PFOTHERS_MULTIPLE;
5826 /* update expire time */
5827 (*state)->expire = time_second;
5828 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
5829 (*state)->timeout = PFTM_OTHER_MULTIPLE;
5831 (*state)->timeout = PFTM_OTHER_SINGLE;
5833 /* translate source/destination address, if necessary */
5834 if (STATE_TRANSLATE(*state)) {
5835 if (direction == PF_OUT)
5839 pf_change_a(&pd->src->v4.s_addr,
5840 pd->ip_sum, (*state)->gwy.addr.v4.s_addr,
5846 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af);
5854 pf_change_a(&pd->dst->v4.s_addr,
5855 pd->ip_sum, (*state)->lan.addr.v4.s_addr,
5861 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af);
5871 * ipoff and off are measured from the start of the mbuf chain.
5872 * h must be at "ipoff" on the mbuf chain.
5875 pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
5876 u_short *actionp, u_short *reasonp, sa_family_t af)
5881 struct ip *h = mtod(m, struct ip *);
5882 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
5886 ACTION_SET(actionp, PF_PASS);
5888 ACTION_SET(actionp, PF_DROP);
5889 REASON_SET(reasonp, PFRES_FRAG);
5893 if (m->m_pkthdr.len < off + len ||
5894 ntohs(h->ip_len) < off + len) {
5895 ACTION_SET(actionp, PF_DROP);
5896 REASON_SET(reasonp, PFRES_SHORT);
5904 struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
5906 if (m->m_pkthdr.len < off + len ||
5907 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
5908 (unsigned)(off + len)) {
5909 ACTION_SET(actionp, PF_DROP);
5910 REASON_SET(reasonp, PFRES_SHORT);
5917 m_copydata(m, off, len, p);
5922 pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif)
5924 struct sockaddr_in *dst;
5928 extern int ipmultipath;
5932 extern int ip6_multipath;
5934 struct sockaddr_in6 *dst6;
5935 struct route_in6 ro;
5939 struct radix_node *rn;
5944 bzero(&ro, sizeof(ro));
5947 dst = satosin(&ro.ro_dst);
5948 dst->sin_family = AF_INET;
5949 dst->sin_len = sizeof(*dst);
5950 dst->sin_addr = addr->v4;
5951 #ifndef __FreeBSD__ /* MULTIPATH_ROUTING */
5958 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
5959 dst6->sin6_family = AF_INET6;
5960 dst6->sin6_len = sizeof(*dst6);
5961 dst6->sin6_addr = addr->v6;
5962 #ifndef __FreeBSD__ /* MULTIPATH_ROUTING */
5972 /* Skip checks for ipsec interfaces */
5973 if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
5977 /* XXX MRT not always INET */ /* stick with table 0 though */
5979 in_rtalloc_ign((struct route *)&ro, RTF_CLONING, 0);
5981 rtalloc_ign((struct route *)&ro, RTF_CLONING);
5982 #else /* ! __FreeBSD__ */
5983 rtalloc_noclone((struct route *)&ro, NO_CLONING);
5986 if (ro.ro_rt != NULL) {
5987 /* No interface given, this is a no-route check */
5991 if (kif->pfik_ifp == NULL) {
5996 /* Perform uRPF check if passed input interface */
5998 rn = (struct radix_node *)ro.ro_rt;
6000 rt = (struct rtentry *)rn;
6001 #ifndef __FreeBSD__ /* CARPDEV */
6002 if (rt->rt_ifp->if_type == IFT_CARP)
6003 ifp = rt->rt_ifp->if_carpdev;
6008 if (kif->pfik_ifp == ifp)
6010 #ifdef __FreeBSD__ /* MULTIPATH_ROUTING */
6013 rn = rn_mpath_next(rn);
6015 } while (check_mpath == 1 && rn != NULL && ret == 0);
6019 if (ro.ro_rt != NULL)
6025 pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw)
6027 struct sockaddr_in *dst;
6029 struct sockaddr_in6 *dst6;
6030 struct route_in6 ro;
6036 bzero(&ro, sizeof(ro));
6039 dst = satosin(&ro.ro_dst);
6040 dst->sin_family = AF_INET;
6041 dst->sin_len = sizeof(*dst);
6042 dst->sin_addr = addr->v4;
6046 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
6047 dst6->sin6_family = AF_INET6;
6048 dst6->sin6_len = sizeof(*dst6);
6049 dst6->sin6_addr = addr->v6;
6057 # ifdef RTF_PRCLONING
6058 rtalloc_ign((struct route *)&ro, (RTF_CLONING|RTF_PRCLONING));
6059 # else /* !RTF_PRCLONING */
6061 in_rtalloc_ign((struct route *)&ro, RTF_CLONING, 0);
6063 rtalloc_ign((struct route *)&ro, RTF_CLONING);
6065 #else /* ! __FreeBSD__ */
6066 rtalloc_noclone((struct route *)&ro, NO_CLONING);
6069 if (ro.ro_rt != NULL) {
6071 /* XXX_IMPORT: later */
6073 if (ro.ro_rt->rt_labelid == aw->v.rtlabel)
6085 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
6086 struct pf_state *s, struct pf_pdesc *pd)
6088 struct mbuf *m0, *m1;
6089 struct route iproute;
6090 struct route *ro = NULL;
6091 struct sockaddr_in *dst;
6093 struct ifnet *ifp = NULL;
6094 struct pf_addr naddr;
6095 struct pf_src_node *sn = NULL;
6104 if (m == NULL || *m == NULL || r == NULL ||
6105 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
6106 panic("pf_route: invalid parameters");
6108 if (pd->pf_mtag->routed++ > 3) {
6114 if (r->rt == PF_DUPTO) {
6116 if ((m0 = m_dup(*m, M_DONTWAIT)) == NULL)
6118 if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL)
6122 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
6127 if (m0->m_len < sizeof(struct ip)) {
6128 DPFPRINTF(PF_DEBUG_URGENT,
6129 ("pf_route: m0->m_len < sizeof(struct ip)\n"));
6133 ip = mtod(m0, struct ip *);
6136 bzero((caddr_t)ro, sizeof(*ro));
6137 dst = satosin(&ro->ro_dst);
6138 dst->sin_family = AF_INET;
6139 dst->sin_len = sizeof(*dst);
6140 dst->sin_addr = ip->ip_dst;
6142 if (r->rt == PF_FASTROUTE) {
6144 if (ro->ro_rt == 0) {
6145 ipstat.ips_noroute++;
6149 ifp = ro->ro_rt->rt_ifp;
6150 ro->ro_rt->rt_use++;
6152 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
6153 dst = satosin(ro->ro_rt->rt_gateway);
6155 if (TAILQ_EMPTY(&r->rpool.list)) {
6156 DPFPRINTF(PF_DEBUG_URGENT,
6157 ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n"));
6161 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
6163 if (!PF_AZERO(&naddr, AF_INET))
6164 dst->sin_addr.s_addr = naddr.v4.s_addr;
6165 ifp = r->rpool.cur->kif ?
6166 r->rpool.cur->kif->pfik_ifp : NULL;
6168 if (!PF_AZERO(&s->rt_addr, AF_INET))
6169 dst->sin_addr.s_addr =
6170 s->rt_addr.v4.s_addr;
6171 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
6180 if (pf_test(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
6183 } else if (m0 == NULL) {
6189 if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS)
6191 else if (m0 == NULL)
6194 if (m0->m_len < sizeof(struct ip)) {
6195 DPFPRINTF(PF_DEBUG_URGENT,
6196 ("pf_route: m0->m_len < sizeof(struct ip)\n"));
6199 ip = mtod(m0, struct ip *);
6203 /* Copied from FreeBSD 5.1-CURRENT ip_output. */
6204 m0->m_pkthdr.csum_flags |= CSUM_IP;
6205 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist;
6206 if (sw_csum & CSUM_DELAY_DATA) {
6208 * XXX: in_delayed_cksum assumes HBO for ip->ip_len (at least)
6211 NTOHS(ip->ip_off); /* XXX: needed? */
6212 in_delayed_cksum(m0);
6215 sw_csum &= ~CSUM_DELAY_DATA;
6217 m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
6219 if (ntohs(ip->ip_len) <= ifp->if_mtu ||
6220 (ifp->if_hwassist & CSUM_FRAGMENT &&
6221 ((ip->ip_off & htons(IP_DF)) == 0))) {
6223 * ip->ip_len = htons(ip->ip_len);
6224 * ip->ip_off = htons(ip->ip_off);
6227 if (sw_csum & CSUM_DELAY_IP) {
6229 if (ip->ip_v == IPVERSION &&
6230 (ip->ip_hl << 2) == sizeof(*ip)) {
6231 ip->ip_sum = in_cksum_hdr(ip);
6233 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
6237 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt);
6243 /* Copied from ip_output. */
6246 * If deferred crypto processing is needed, check that the
6247 * interface supports it.
6249 if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
6250 != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
6251 /* Notify IPsec to do its own crypto. */
6252 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
6257 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
6258 if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) {
6259 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) ||
6260 ifp->if_bridge != NULL) {
6261 in_delayed_cksum(m0);
6262 m0->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */
6264 } else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) {
6265 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) ||
6266 ifp->if_bridge != NULL) {
6267 in_delayed_cksum(m0);
6268 m0->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */
6272 if (ntohs(ip->ip_len) <= ifp->if_mtu) {
6273 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
6274 ifp->if_bridge == NULL) {
6275 m0->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
6276 ipstat.ips_outhwcsum++;
6279 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
6281 /* Update relevant hardware checksum stats for TCP/UDP */
6282 if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT)
6283 tcpstat.tcps_outhwcsum++;
6284 else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT)
6285 udpstat.udps_outhwcsum++;
6286 error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL);
6291 * Too large for interface; fragment if possible.
6292 * Must be able to put at least 8 bytes per fragment.
6294 if (ip->ip_off & htons(IP_DF)) {
6295 ipstat.ips_cantfrag++;
6296 if (r->rt != PF_DUPTO) {
6298 /* icmp_error() expects host byte ordering */
6302 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
6306 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
6317 * XXX: is cheaper + less error prone than own function
6321 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum);
6323 error = ip_fragment(m0, ifp, ifp->if_mtu);
6326 #ifndef __FreeBSD__ /* ip_fragment does not do m_freem() on FreeBSD */
6332 for (m0 = m1; m0; m0 = m1) {
6338 error = (*ifp->if_output)(ifp, m0, sintosa(dst),
6344 error = (*ifp->if_output)(ifp, m0, sintosa(dst),
6352 ipstat.ips_fragmented++;
6355 if (r->rt != PF_DUPTO)
6357 if (ro == &iproute && ro->ro_rt)
6369 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
6370 struct pf_state *s, struct pf_pdesc *pd)
6373 struct route_in6 ip6route;
6374 struct route_in6 *ro;
6375 struct sockaddr_in6 *dst;
6376 struct ip6_hdr *ip6;
6377 struct ifnet *ifp = NULL;
6378 struct pf_addr naddr;
6379 struct pf_src_node *sn = NULL;
6382 if (m == NULL || *m == NULL || r == NULL ||
6383 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
6384 panic("pf_route6: invalid parameters");
6386 if (pd->pf_mtag->routed++ > 3) {
6392 if (r->rt == PF_DUPTO) {
6394 if ((m0 = m_dup(*m, M_DONTWAIT)) == NULL)
6396 if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL)
6400 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
6405 if (m0->m_len < sizeof(struct ip6_hdr)) {
6406 DPFPRINTF(PF_DEBUG_URGENT,
6407 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
6410 ip6 = mtod(m0, struct ip6_hdr *);
6413 bzero((caddr_t)ro, sizeof(*ro));
6414 dst = (struct sockaddr_in6 *)&ro->ro_dst;
6415 dst->sin6_family = AF_INET6;
6416 dst->sin6_len = sizeof(*dst);
6417 dst->sin6_addr = ip6->ip6_dst;
6419 /* Cheat. XXX why only in the v6 case??? */
6420 if (r->rt == PF_FASTROUTE) {
6422 m0->m_flags |= M_SKIP_FIREWALL;
6424 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
6427 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
6430 m_tag_prepend(m0, mtag);
6431 pd->pf_mtag->flags |= PF_TAG_GENERATED;
6432 ip6_output(m0, NULL, NULL, 0, NULL, NULL);
6437 if (TAILQ_EMPTY(&r->rpool.list)) {
6438 DPFPRINTF(PF_DEBUG_URGENT,
6439 ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n"));
6443 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
6445 if (!PF_AZERO(&naddr, AF_INET6))
6446 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
6448 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
6450 if (!PF_AZERO(&s->rt_addr, AF_INET6))
6451 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
6452 &s->rt_addr, AF_INET6);
6453 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
6461 if (pf_test6(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
6464 } else if (m0 == NULL) {
6470 if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS)
6472 else if (m0 == NULL)
6475 if (m0->m_len < sizeof(struct ip6_hdr)) {
6476 DPFPRINTF(PF_DEBUG_URGENT,
6477 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
6480 ip6 = mtod(m0, struct ip6_hdr *);
6484 * If the packet is too large for the outgoing interface,
6485 * send back an icmp6 error.
6487 if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr))
6488 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
6489 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
6493 error = nd6_output(ifp, ifp, m0, dst, NULL);
6498 in6_ifstat_inc(ifp, ifs6_in_toobig);
6500 if (r->rt != PF_DUPTO) {
6502 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
6506 if (r->rt != PF_DUPTO)
6507 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
6514 if (r->rt != PF_DUPTO)
6527 * FreeBSD supports cksum offloads for the following drivers.
6528 * em(4), fxp(4), ixgb(4), lge(4), ndis(4), nge(4), re(4),
6529 * ti(4), txp(4), xl(4)
6531 * CSUM_DATA_VALID | CSUM_PSEUDO_HDR :
6532 * network driver performed cksum including pseudo header, need to verify
6535 * network driver performed cksum, needs to additional pseudo header
6536 * cksum computation with partial csum_data(i.e. lack of H/W support for
6537 * pseudo header, for instance hme(4), sk(4) and possibly gem(4))
6539 * After validating the cksum of packet, set both flag CSUM_DATA_VALID and
6540 * CSUM_PSEUDO_HDR in order to avoid recomputation of the cksum in upper
6542 * Also, set csum_data to 0xffff to force cksum validation.
6545 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af)
6551 if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
6553 if (m->m_pkthdr.len < off + len)
6558 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
6559 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
6560 sum = m->m_pkthdr.csum_data;
6562 ip = mtod(m, struct ip *);
6563 sum = in_pseudo(ip->ip_src.s_addr,
6564 ip->ip_dst.s_addr, htonl((u_short)len +
6565 m->m_pkthdr.csum_data + IPPROTO_TCP));
6572 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
6573 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
6574 sum = m->m_pkthdr.csum_data;
6576 ip = mtod(m, struct ip *);
6577 sum = in_pseudo(ip->ip_src.s_addr,
6578 ip->ip_dst.s_addr, htonl((u_short)len +
6579 m->m_pkthdr.csum_data + IPPROTO_UDP));
6587 case IPPROTO_ICMPV6:
6597 if (p == IPPROTO_ICMP) {
6602 sum = in_cksum(m, len);
6606 if (m->m_len < sizeof(struct ip))
6608 sum = in4_cksum(m, p, off, len);
6613 if (m->m_len < sizeof(struct ip6_hdr))
6615 sum = in6_cksum(m, p, off, len);
6625 tcpstat.tcps_rcvbadsum++;
6628 udpstat.udps_badsum++;
6631 icmpstat.icps_checksum++;
6634 case IPPROTO_ICMPV6:
6635 icmp6stat.icp6s_checksum++;
6641 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
6642 m->m_pkthdr.csum_flags |=
6643 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
6644 m->m_pkthdr.csum_data = 0xffff;
6649 #else /* !__FreeBSD__ */
6651 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
6652 * off is the offset where the protocol header starts
6653 * len is the total length of protocol header plus payload
6654 * returns 0 when the checksum is valid, otherwise returns 1.
6657 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p,
6660 u_int16_t flag_ok, flag_bad;
6665 flag_ok = M_TCP_CSUM_IN_OK;
6666 flag_bad = M_TCP_CSUM_IN_BAD;
6669 flag_ok = M_UDP_CSUM_IN_OK;
6670 flag_bad = M_UDP_CSUM_IN_BAD;
6674 case IPPROTO_ICMPV6:
6676 flag_ok = flag_bad = 0;
6681 if (m->m_pkthdr.csum_flags & flag_ok)
6683 if (m->m_pkthdr.csum_flags & flag_bad)
6685 if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
6687 if (m->m_pkthdr.len < off + len)
6692 if (p == IPPROTO_ICMP) {
6697 sum = in_cksum(m, len);
6701 if (m->m_len < sizeof(struct ip))
6703 sum = in4_cksum(m, p, off, len);
6709 if (m->m_len < sizeof(struct ip6_hdr))
6711 sum = in6_cksum(m, p, off, len);
6718 m->m_pkthdr.csum_flags |= flag_bad;
6721 tcpstat.tcps_rcvbadsum++;
6724 udpstat.udps_badsum++;
6727 icmpstat.icps_checksum++;
6730 case IPPROTO_ICMPV6:
6731 icmp6stat.icp6s_checksum++;
6737 m->m_pkthdr.csum_flags |= flag_ok;
6740 #endif /* __FreeBSD__ */
6745 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
6746 struct ether_header *eh, struct inpcb *inp)
6748 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
6749 struct ether_header *eh)
6752 struct pfi_kif *kif;
6753 u_short action, reason = 0, log = 0;
6754 struct mbuf *m = *m0;
6755 struct ip *h = NULL; /* make the compiler happy */
6756 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
6757 struct pf_state *s = NULL;
6758 struct pf_ruleset *ruleset = NULL;
6760 int off, dirndx, pqid = 0;
6765 if (!pf_status.running)
6775 memset(&pd, 0, sizeof(pd));
6776 if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
6780 DPFPRINTF(PF_DEBUG_URGENT,
6781 ("pf_test: pf_get_mtag returned NULL\n"));
6785 if (m->m_flags & M_SKIP_FIREWALL) {
6790 if (pd.pf_mtag->flags & PF_TAG_GENERATED)
6795 /* XXX_IMPORT: later */
6797 if (ifp->if_type == IFT_CARP && ifp->if_carpdev)
6798 ifp = ifp->if_carpdev;
6801 kif = (struct pfi_kif *)ifp->if_pf_kif;
6806 DPFPRINTF(PF_DEBUG_URGENT,
6807 ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
6810 if (kif->pfik_flags & PFI_IFLAG_SKIP) {
6821 if ((m->m_flags & M_PKTHDR) == 0)
6822 panic("non-M_PKTHDR is passed to pf_test");
6823 #endif /* DIAGNOSTIC */
6824 #endif /* __FreeBSD__ */
6826 if (m->m_pkthdr.len < (int)sizeof(*h)) {
6828 REASON_SET(&reason, PFRES_SHORT);
6833 /* We do IP header normalization and packet reassembly here */
6834 if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
6839 h = mtod(m, struct ip *);
6841 off = h->ip_hl << 2;
6842 if (off < (int)sizeof(*h)) {
6844 REASON_SET(&reason, PFRES_SHORT);
6849 pd.src = (struct pf_addr *)&h->ip_src;
6850 pd.dst = (struct pf_addr *)&h->ip_dst;
6851 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
6852 pd.ip_sum = &h->ip_sum;
6856 pd.tot_len = ntohs(h->ip_len);
6859 /* handle fragments that didn't get reassembled by normalization */
6860 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
6861 action = pf_test_fragment(&r, dir, kif, m, h,
6872 if (!pf_pull_hdr(m, off, &th, sizeof(th),
6873 &action, &reason, AF_INET)) {
6874 log = action != PF_PASS;
6877 if (dir == PF_IN && pf_check_proto_cksum(m, off,
6878 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) {
6879 REASON_SET(&reason, PFRES_PROTCKSUM);
6883 pd.p_len = pd.tot_len - off - (th.th_off << 2);
6884 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
6886 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6887 if (action == PF_DROP)
6889 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6891 if (action == PF_PASS) {
6893 pfsync_update_state(s);
6894 #endif /* NPFSYNC */
6898 } else if (s == NULL)
6900 action = pf_test_tcp(&r, &s, dir, kif,
6901 m, off, h, &pd, &a, &ruleset, NULL, inp);
6903 action = pf_test_tcp(&r, &s, dir, kif,
6904 m, off, h, &pd, &a, &ruleset, &ipintrq);
6913 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
6914 &action, &reason, AF_INET)) {
6915 log = action != PF_PASS;
6918 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
6919 off, ntohs(h->ip_len) - off, IPPROTO_UDP, AF_INET)) {
6921 REASON_SET(&reason, PFRES_PROTCKSUM);
6924 if (uh.uh_dport == 0 ||
6925 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
6926 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
6928 REASON_SET(&reason, PFRES_SHORT);
6931 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6932 if (action == PF_PASS) {
6934 pfsync_update_state(s);
6935 #endif /* NPFSYNC */
6939 } else if (s == NULL)
6941 action = pf_test_udp(&r, &s, dir, kif,
6942 m, off, h, &pd, &a, &ruleset, NULL, inp);
6944 action = pf_test_udp(&r, &s, dir, kif,
6945 m, off, h, &pd, &a, &ruleset, &ipintrq);
6950 case IPPROTO_ICMP: {
6954 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
6955 &action, &reason, AF_INET)) {
6956 log = action != PF_PASS;
6959 if (dir == PF_IN && pf_check_proto_cksum(m, off,
6960 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) {
6962 REASON_SET(&reason, PFRES_PROTCKSUM);
6965 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
6967 if (action == PF_PASS) {
6969 pfsync_update_state(s);
6970 #endif /* NPFSYNC */
6974 } else if (s == NULL)
6976 action = pf_test_icmp(&r, &s, dir, kif,
6977 m, off, h, &pd, &a, &ruleset, NULL);
6979 action = pf_test_icmp(&r, &s, dir, kif,
6980 m, off, h, &pd, &a, &ruleset, &ipintrq);
6986 action = pf_test_state_other(&s, dir, kif, &pd);
6987 if (action == PF_PASS) {
6989 pfsync_update_state(s);
6990 #endif /* NPFSYNC */
6994 } else if (s == NULL)
6996 action = pf_test_other(&r, &s, dir, kif, m, off, h,
6997 &pd, &a, &ruleset, NULL);
6999 action = pf_test_other(&r, &s, dir, kif, m, off, h,
7000 &pd, &a, &ruleset, &ipintrq);
7006 if (action == PF_PASS && h->ip_hl > 5 &&
7007 !((s && s->allow_opts) || r->allow_opts)) {
7009 REASON_SET(&reason, PFRES_IPOPTIONS);
7011 DPFPRINTF(PF_DEBUG_MISC,
7012 ("pf: dropping packet with ip options\n"));
7015 if ((s && s->tag) || r->rtableid)
7016 pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid);
7019 if (action == PF_PASS && r->qid) {
7020 if (pqid || (pd.tos & IPTOS_LOWDELAY))
7021 pd.pf_mtag->qid = r->pqid;
7023 pd.pf_mtag->qid = r->qid;
7024 /* add hints for ecn */
7025 pd.pf_mtag->af = AF_INET;
7026 pd.pf_mtag->hdr = h;
7031 * connections redirected to loopback should not match sockets
7032 * bound specifically to loopback due to security implications,
7033 * see tcp_input() and in_pcblookup_listen().
7035 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
7036 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
7037 (s->nat_rule.ptr->action == PF_RDR ||
7038 s->nat_rule.ptr->action == PF_BINAT) &&
7039 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
7040 pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST;
7045 if (s != NULL && s->nat_rule.ptr != NULL &&
7046 s->nat_rule.ptr->log & PF_LOG_ALL)
7047 lr = s->nat_rule.ptr;
7050 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset,
7054 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
7055 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
7057 if (action == PF_PASS || r->action == PF_DROP) {
7058 dirndx = (dir == PF_OUT);
7059 r->packets[dirndx]++;
7060 r->bytes[dirndx] += pd.tot_len;
7062 a->packets[dirndx]++;
7063 a->bytes[dirndx] += pd.tot_len;
7066 if (s->nat_rule.ptr != NULL) {
7067 s->nat_rule.ptr->packets[dirndx]++;
7068 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
7070 if (s->src_node != NULL) {
7071 s->src_node->packets[dirndx]++;
7072 s->src_node->bytes[dirndx] += pd.tot_len;
7074 if (s->nat_src_node != NULL) {
7075 s->nat_src_node->packets[dirndx]++;
7076 s->nat_src_node->bytes[dirndx] += pd.tot_len;
7078 dirndx = (dir == s->direction) ? 0 : 1;
7079 s->packets[dirndx]++;
7080 s->bytes[dirndx] += pd.tot_len;
7083 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
7087 * XXX: we need to make sure that the addresses
7088 * passed to pfr_update_stats() are the same than
7089 * the addresses used during matching (pfr_match)
7091 if (r == &pf_default_rule) {
7093 x = (s == NULL || s->direction == dir) ?
7094 &pd.baddr : &pd.naddr;
7096 x = (s == NULL || s->direction == dir) ?
7097 &pd.naddr : &pd.baddr;
7098 if (x == &pd.baddr || s == NULL) {
7099 /* we need to change the address */
7106 if (tr->src.addr.type == PF_ADDR_TABLE)
7107 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
7108 s->direction == dir) ? pd.src : pd.dst, pd.af,
7109 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7111 if (tr->dst.addr.type == PF_ADDR_TABLE)
7112 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
7113 s->direction == dir) ? pd.dst : pd.src, pd.af,
7114 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7119 if (action == PF_SYNPROXY_DROP) {
7124 /* pf_route can free the mbuf causing *m0 to become NULL */
7125 pf_route(m0, r, dir, ifp, s, &pd);
7138 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
7139 struct ether_header *eh, struct inpcb *inp)
7141 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
7142 struct ether_header *eh)
7145 struct pfi_kif *kif;
7146 u_short action, reason = 0, log = 0;
7147 struct mbuf *m = *m0, *n = NULL;
7149 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
7150 struct pf_state *s = NULL;
7151 struct pf_ruleset *ruleset = NULL;
7153 int off, terminal = 0, dirndx, rh_cnt = 0;
7159 if (!pf_status.running)
7169 memset(&pd, 0, sizeof(pd));
7170 if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
7174 DPFPRINTF(PF_DEBUG_URGENT,
7175 ("pf_test6: pf_get_mtag returned NULL\n"));
7178 if (pd.pf_mtag->flags & PF_TAG_GENERATED)
7182 /* XXX_IMPORT: later */
7184 if (ifp->if_type == IFT_CARP && ifp->if_carpdev)
7185 ifp = ifp->if_carpdev;
7188 kif = (struct pfi_kif *)ifp->if_pf_kif;
7193 DPFPRINTF(PF_DEBUG_URGENT,
7194 ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
7197 if (kif->pfik_flags & PFI_IFLAG_SKIP) {
7208 if ((m->m_flags & M_PKTHDR) == 0)
7209 panic("non-M_PKTHDR is passed to pf_test6");
7210 #endif /* DIAGNOSTIC */
7214 h = NULL; /* make the compiler happy */
7217 if (m->m_pkthdr.len < (int)sizeof(*h)) {
7219 REASON_SET(&reason, PFRES_SHORT);
7224 /* We do IP header normalization and packet reassembly here */
7225 if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
7230 h = mtod(m, struct ip6_hdr *);
7234 * we do not support jumbogram yet. if we keep going, zero ip6_plen
7235 * will do something bad, so drop the packet for now.
7237 if (htons(h->ip6_plen) == 0) {
7239 REASON_SET(&reason, PFRES_NORM); /*XXX*/
7244 pd.src = (struct pf_addr *)&h->ip6_src;
7245 pd.dst = (struct pf_addr *)&h->ip6_dst;
7246 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
7250 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
7253 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
7254 pd.proto = h->ip6_nxt;
7257 case IPPROTO_FRAGMENT:
7258 action = pf_test_fragment(&r, dir, kif, m, h,
7260 if (action == PF_DROP)
7261 REASON_SET(&reason, PFRES_FRAG);
7263 case IPPROTO_ROUTING: {
7264 struct ip6_rthdr rthdr;
7267 DPFPRINTF(PF_DEBUG_MISC,
7268 ("pf: IPv6 more than one rthdr\n"));
7270 REASON_SET(&reason, PFRES_IPOPTIONS);
7274 if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
7276 DPFPRINTF(PF_DEBUG_MISC,
7277 ("pf: IPv6 short rthdr\n"));
7279 REASON_SET(&reason, PFRES_SHORT);
7283 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
7284 DPFPRINTF(PF_DEBUG_MISC,
7285 ("pf: IPv6 rthdr0\n"));
7287 REASON_SET(&reason, PFRES_IPOPTIONS);
7294 case IPPROTO_HOPOPTS:
7295 case IPPROTO_DSTOPTS: {
7296 /* get next header and header length */
7297 struct ip6_ext opt6;
7299 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
7300 NULL, &reason, pd.af)) {
7301 DPFPRINTF(PF_DEBUG_MISC,
7302 ("pf: IPv6 short opt\n"));
7307 if (pd.proto == IPPROTO_AH)
7308 off += (opt6.ip6e_len + 2) * 4;
7310 off += (opt6.ip6e_len + 1) * 8;
7311 pd.proto = opt6.ip6e_nxt;
7312 /* goto the next header */
7319 } while (!terminal);
7321 /* if there's no routing header, use unmodified mbuf for checksumming */
7331 if (!pf_pull_hdr(m, off, &th, sizeof(th),
7332 &action, &reason, AF_INET6)) {
7333 log = action != PF_PASS;
7336 if (dir == PF_IN && pf_check_proto_cksum(n, off,
7337 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
7338 IPPROTO_TCP, AF_INET6)) {
7340 REASON_SET(&reason, PFRES_PROTCKSUM);
7343 pd.p_len = pd.tot_len - off - (th.th_off << 2);
7344 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
7345 if (action == PF_DROP)
7347 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
7349 if (action == PF_PASS) {
7351 pfsync_update_state(s);
7352 #endif /* NPFSYNC */
7356 } else if (s == NULL)
7358 action = pf_test_tcp(&r, &s, dir, kif,
7359 m, off, h, &pd, &a, &ruleset, NULL, inp);
7361 action = pf_test_tcp(&r, &s, dir, kif,
7362 m, off, h, &pd, &a, &ruleset, &ip6intrq);
7371 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
7372 &action, &reason, AF_INET6)) {
7373 log = action != PF_PASS;
7376 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(n,
7377 off, ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
7378 IPPROTO_UDP, AF_INET6)) {
7380 REASON_SET(&reason, PFRES_PROTCKSUM);
7383 if (uh.uh_dport == 0 ||
7384 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
7385 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
7387 REASON_SET(&reason, PFRES_SHORT);
7390 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
7391 if (action == PF_PASS) {
7393 pfsync_update_state(s);
7394 #endif /* NPFSYNC */
7398 } else if (s == NULL)
7400 action = pf_test_udp(&r, &s, dir, kif,
7401 m, off, h, &pd, &a, &ruleset, NULL, inp);
7403 action = pf_test_udp(&r, &s, dir, kif,
7404 m, off, h, &pd, &a, &ruleset, &ip6intrq);
7409 case IPPROTO_ICMPV6: {
7410 struct icmp6_hdr ih;
7413 if (!pf_pull_hdr(m, off, &ih, sizeof(ih),
7414 &action, &reason, AF_INET6)) {
7415 log = action != PF_PASS;
7418 if (dir == PF_IN && pf_check_proto_cksum(n, off,
7419 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
7420 IPPROTO_ICMPV6, AF_INET6)) {
7422 REASON_SET(&reason, PFRES_PROTCKSUM);
7425 action = pf_test_state_icmp(&s, dir, kif,
7426 m, off, h, &pd, &reason);
7427 if (action == PF_PASS) {
7429 pfsync_update_state(s);
7430 #endif /* NPFSYNC */
7434 } else if (s == NULL)
7436 action = pf_test_icmp(&r, &s, dir, kif,
7437 m, off, h, &pd, &a, &ruleset, NULL);
7439 action = pf_test_icmp(&r, &s, dir, kif,
7440 m, off, h, &pd, &a, &ruleset, &ip6intrq);
7446 action = pf_test_state_other(&s, dir, kif, &pd);
7447 if (action == PF_PASS) {
7449 pfsync_update_state(s);
7450 #endif /* NPFSYNC */
7454 } else if (s == NULL)
7456 action = pf_test_other(&r, &s, dir, kif, m, off, h,
7457 &pd, &a, &ruleset, NULL);
7459 action = pf_test_other(&r, &s, dir, kif, m, off, h,
7460 &pd, &a, &ruleset, &ip6intrq);
7466 /* handle dangerous IPv6 extension headers. */
7467 if (action == PF_PASS && rh_cnt &&
7468 !((s && s->allow_opts) || r->allow_opts)) {
7470 REASON_SET(&reason, PFRES_IPOPTIONS);
7472 DPFPRINTF(PF_DEBUG_MISC,
7473 ("pf: dropping packet with dangerous v6 headers\n"));
7476 if ((s && s->tag) || r->rtableid)
7477 pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid);
7480 if (action == PF_PASS && r->qid) {
7481 if (pd.tos & IPTOS_LOWDELAY)
7482 pd.pf_mtag->qid = r->pqid;
7484 pd.pf_mtag->qid = r->qid;
7485 /* add hints for ecn */
7486 pd.pf_mtag->af = AF_INET6;
7487 pd.pf_mtag->hdr = h;
7491 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
7492 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
7493 (s->nat_rule.ptr->action == PF_RDR ||
7494 s->nat_rule.ptr->action == PF_BINAT) &&
7495 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
7496 pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST;
7501 if (s != NULL && s->nat_rule.ptr != NULL &&
7502 s->nat_rule.ptr->log & PF_LOG_ALL)
7503 lr = s->nat_rule.ptr;
7506 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset,
7510 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
7511 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
7513 if (action == PF_PASS || r->action == PF_DROP) {
7514 dirndx = (dir == PF_OUT);
7515 r->packets[dirndx]++;
7516 r->bytes[dirndx] += pd.tot_len;
7518 a->packets[dirndx]++;
7519 a->bytes[dirndx] += pd.tot_len;
7522 if (s->nat_rule.ptr != NULL) {
7523 s->nat_rule.ptr->packets[dirndx]++;
7524 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
7526 if (s->src_node != NULL) {
7527 s->src_node->packets[dirndx]++;
7528 s->src_node->bytes[dirndx] += pd.tot_len;
7530 if (s->nat_src_node != NULL) {
7531 s->nat_src_node->packets[dirndx]++;
7532 s->nat_src_node->bytes[dirndx] += pd.tot_len;
7534 dirndx = (dir == s->direction) ? 0 : 1;
7535 s->packets[dirndx]++;
7536 s->bytes[dirndx] += pd.tot_len;
7539 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
7543 * XXX: we need to make sure that the addresses
7544 * passed to pfr_update_stats() are the same than
7545 * the addresses used during matching (pfr_match)
7547 if (r == &pf_default_rule) {
7549 x = (s == NULL || s->direction == dir) ?
7550 &pd.baddr : &pd.naddr;
7552 x = (s == NULL || s->direction == dir) ?
7553 &pd.naddr : &pd.baddr;
7555 if (x == &pd.baddr || s == NULL) {
7562 if (tr->src.addr.type == PF_ADDR_TABLE)
7563 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
7564 s->direction == dir) ? pd.src : pd.dst, pd.af,
7565 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7567 if (tr->dst.addr.type == PF_ADDR_TABLE)
7568 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
7569 s->direction == dir) ? pd.dst : pd.src, pd.af,
7570 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7575 if (action == PF_SYNPROXY_DROP) {
7580 /* pf_route6 can free the mbuf causing *m0 to become NULL */
7581 pf_route6(m0, r, dir, ifp, s, &pd);
7591 pf_check_congestion(struct ifqueue *ifq)
7594 /* XXX_IMPORT: later */
7597 if (ifq->ifq_congestion)
projects / FreeBSD / releng / 7.2.git / blob