1 /* $OpenBSD: pf.c,v 1.527 2007/02/22 15:23:23 pyr Exp $ */
2 /* add: $OpenBSD: pf.c,v 1.559 2007/09/18 18:45:59 markus Exp $ */
5 * Copyright (c) 2001 Daniel Hartmeier
6 * Copyright (c) 2002,2003 Henning Brauer
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
41 #include "opt_inet6.h"
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD$");
52 #define NBPFILTER DEV_BPF
58 #define NPFLOG DEV_PFLOG
64 #define NPFSYNC DEV_PFSYNC
75 #include <sys/param.h>
76 #include <sys/systm.h>
78 #include <sys/filio.h>
79 #include <sys/socket.h>
80 #include <sys/socketvar.h>
81 #include <sys/kernel.h>
84 #include <sys/sysctl.h>
85 #include <sys/endian.h>
91 #include <sys/kthread.h>
95 #include <sys/rwlock.h>
99 #include <net/if_types.h>
101 #include <net/route.h>
103 #include <net/radix_mpath.h>
106 #include <netinet/in.h>
107 #include <netinet/in_var.h>
108 #include <netinet/in_systm.h>
109 #include <netinet/ip.h>
110 #include <netinet/ip_var.h>
111 #include <netinet/tcp.h>
112 #include <netinet/tcp_seq.h>
113 #include <netinet/udp.h>
114 #include <netinet/ip_icmp.h>
115 #include <netinet/in_pcb.h>
116 #include <netinet/tcp_timer.h>
117 #include <netinet/tcp_var.h>
118 #include <netinet/udp_var.h>
119 #include <netinet/icmp_var.h>
120 #include <netinet/if_ether.h>
123 #include <dev/rndvar.h>
125 #include <net/pfvar.h>
126 #include <net/if_pflog.h>
129 #include <net/if_pfsync.h>
130 #endif /* NPFSYNC > 0 */
133 #include <netinet/ip6.h>
134 #include <netinet/in_pcb.h>
135 #include <netinet/icmp6.h>
136 #include <netinet6/nd6.h>
138 #include <netinet6/ip6_var.h>
139 #include <netinet6/in6_pcb.h>
144 #include <machine/in_cksum.h>
145 #include <sys/limits.h>
146 #include <sys/ucred.h>
147 #include <security/mac/mac_framework.h>
149 extern int ip_optcopy(struct ip *, struct ip *);
150 extern int debug_pfugidhack;
153 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
159 struct pf_altqqueue pf_altqs[2];
160 struct pf_palist pf_pabuf;
161 struct pf_altqqueue *pf_altqs_active;
162 struct pf_altqqueue *pf_altqs_inactive;
163 struct pf_status pf_status;
165 u_int32_t ticket_altqs_active;
166 u_int32_t ticket_altqs_inactive;
167 int altqs_inactive_open;
168 u_int32_t ticket_pabuf;
170 struct pf_anchor_stackframe {
171 struct pf_ruleset *rs;
173 struct pf_anchor_node *parent;
174 struct pf_anchor *child;
175 } pf_anchor_stack[64];
178 uma_zone_t pf_src_tree_pl, pf_rule_pl;
179 uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
181 struct pool pf_src_tree_pl, pf_rule_pl;
182 struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
185 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
187 void pf_init_threshold(struct pf_threshold *, u_int32_t,
189 void pf_add_threshold(struct pf_threshold *);
190 int pf_check_threshold(struct pf_threshold *);
192 void pf_change_ap(struct pf_addr *, u_int16_t *,
193 u_int16_t *, u_int16_t *, struct pf_addr *,
194 u_int16_t, u_int8_t, sa_family_t);
195 int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
196 struct tcphdr *, struct pf_state_peer *);
198 void pf_change_a6(struct pf_addr *, u_int16_t *,
199 struct pf_addr *, u_int8_t);
201 void pf_change_icmp(struct pf_addr *, u_int16_t *,
202 struct pf_addr *, struct pf_addr *, u_int16_t,
203 u_int16_t *, u_int16_t *, u_int16_t *,
204 u_int16_t *, u_int8_t, sa_family_t);
206 void pf_send_tcp(struct mbuf *,
207 const struct pf_rule *, sa_family_t,
209 void pf_send_tcp(const struct pf_rule *, sa_family_t,
211 const struct pf_addr *, const struct pf_addr *,
212 u_int16_t, u_int16_t, u_int32_t, u_int32_t,
213 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
214 u_int16_t, struct ether_header *, struct ifnet *);
215 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
216 sa_family_t, struct pf_rule *);
217 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
218 int, int, struct pfi_kif *,
219 struct pf_addr *, u_int16_t, struct pf_addr *,
221 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
222 int, int, struct pfi_kif *, struct pf_src_node **,
223 struct pf_addr *, u_int16_t,
224 struct pf_addr *, u_int16_t,
225 struct pf_addr *, u_int16_t *);
226 int pf_test_tcp(struct pf_rule **, struct pf_state **,
227 int, struct pfi_kif *, struct mbuf *, int,
228 void *, struct pf_pdesc *, struct pf_rule **,
230 struct pf_ruleset **, struct ifqueue *,
233 struct pf_ruleset **, struct ifqueue *);
235 int pf_test_udp(struct pf_rule **, struct pf_state **,
236 int, struct pfi_kif *, struct mbuf *, int,
237 void *, struct pf_pdesc *, struct pf_rule **,
239 struct pf_ruleset **, struct ifqueue *,
242 struct pf_ruleset **, struct ifqueue *);
244 int pf_test_icmp(struct pf_rule **, struct pf_state **,
245 int, struct pfi_kif *, struct mbuf *, int,
246 void *, struct pf_pdesc *, struct pf_rule **,
247 struct pf_ruleset **, struct ifqueue *);
248 int pf_test_other(struct pf_rule **, struct pf_state **,
249 int, struct pfi_kif *, struct mbuf *, int, void *,
250 struct pf_pdesc *, struct pf_rule **,
251 struct pf_ruleset **, struct ifqueue *);
252 int pf_test_fragment(struct pf_rule **, int,
253 struct pfi_kif *, struct mbuf *, void *,
254 struct pf_pdesc *, struct pf_rule **,
255 struct pf_ruleset **);
256 int pf_test_state_tcp(struct pf_state **, int,
257 struct pfi_kif *, struct mbuf *, int,
258 void *, struct pf_pdesc *, u_short *);
259 int pf_test_state_udp(struct pf_state **, int,
260 struct pfi_kif *, struct mbuf *, int,
261 void *, struct pf_pdesc *);
262 int pf_test_state_icmp(struct pf_state **, int,
263 struct pfi_kif *, struct mbuf *, int,
264 void *, struct pf_pdesc *, u_short *);
265 int pf_test_state_other(struct pf_state **, int,
266 struct pfi_kif *, struct pf_pdesc *);
267 int pf_match_tag(struct mbuf *, struct pf_rule *,
268 struct pf_mtag *, int *);
269 int pf_step_out_of_anchor(int *, struct pf_ruleset **,
270 int, struct pf_rule **, struct pf_rule **,
272 void pf_hash(struct pf_addr *, struct pf_addr *,
273 struct pf_poolhashkey *, sa_family_t);
274 int pf_map_addr(u_int8_t, struct pf_rule *,
275 struct pf_addr *, struct pf_addr *,
276 struct pf_addr *, struct pf_src_node **);
277 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
278 struct pf_addr *, struct pf_addr *, u_int16_t,
279 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
280 struct pf_src_node **);
281 void pf_route(struct mbuf **, struct pf_rule *, int,
282 struct ifnet *, struct pf_state *,
284 void pf_route6(struct mbuf **, struct pf_rule *, int,
285 struct ifnet *, struct pf_state *,
290 int pf_socket_lookup(int, struct pf_pdesc *);
292 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t,
294 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t,
296 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
298 void pf_set_rt_ifp(struct pf_state *,
300 int pf_check_proto_cksum(struct mbuf *, int, int,
301 u_int8_t, sa_family_t);
302 int pf_addr_wrap_neq(struct pf_addr_wrap *,
303 struct pf_addr_wrap *);
304 struct pf_state *pf_find_state_recurse(struct pfi_kif *,
305 struct pf_state_cmp *, u_int8_t);
306 int pf_src_connlimit(struct pf_state **);
307 int pf_check_congestion(struct ifqueue *);
310 int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len);
312 extern int pf_end_threads;
314 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
316 extern struct pool pfr_ktable_pl;
317 extern struct pool pfr_kentry_pl;
319 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
320 { &pf_state_pl, PFSTATE_HIWAT },
321 { &pf_src_tree_pl, PFSNODE_HIWAT },
322 { &pf_frent_pl, PFFRAG_FRENT_HIWAT },
323 { &pfr_ktable_pl, PFR_KTABLE_HIWAT },
324 { &pfr_kentry_pl, PFR_KENTRY_HIWAT }
328 #define STATE_LOOKUP() \
330 if (direction == PF_IN) \
331 *state = pf_find_state_recurse( \
332 kif, &key, PF_EXT_GWY); \
334 *state = pf_find_state_recurse( \
335 kif, &key, PF_LAN_EXT); \
336 if (*state == NULL || (*state)->timeout == PFTM_PURGE) \
338 if (direction == PF_OUT && \
339 (((*state)->rule.ptr->rt == PF_ROUTETO && \
340 (*state)->rule.ptr->direction == PF_OUT) || \
341 ((*state)->rule.ptr->rt == PF_REPLYTO && \
342 (*state)->rule.ptr->direction == PF_IN)) && \
343 (*state)->rt_kif != NULL && \
344 (*state)->rt_kif != kif) \
348 #define STATE_TRANSLATE(s) \
349 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
350 ((s)->af == AF_INET6 && \
351 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \
352 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \
353 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \
354 (s)->lan.port != (s)->gwy.port
356 #define BOUND_IFACE(r, k) \
357 ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : pfi_all
359 #define STATE_INC_COUNTERS(s) \
361 s->rule.ptr->states++; \
362 if (s->anchor.ptr != NULL) \
363 s->anchor.ptr->states++; \
364 if (s->nat_rule.ptr != NULL) \
365 s->nat_rule.ptr->states++; \
368 #define STATE_DEC_COUNTERS(s) \
370 if (s->nat_rule.ptr != NULL) \
371 s->nat_rule.ptr->states--; \
372 if (s->anchor.ptr != NULL) \
373 s->anchor.ptr->states--; \
374 s->rule.ptr->states--; \
377 struct pf_src_tree tree_src_tracking;
379 struct pf_state_tree_id tree_id;
380 struct pf_state_queue state_list;
383 static int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
384 static int pf_state_compare_lan_ext(struct pf_state *, struct pf_state *);
385 static int pf_state_compare_ext_gwy(struct pf_state *, struct pf_state *);
386 static int pf_state_compare_id(struct pf_state *, struct pf_state *);
389 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
390 RB_GENERATE(pf_state_tree_lan_ext, pf_state,
391 u.s.entry_lan_ext, pf_state_compare_lan_ext);
392 RB_GENERATE(pf_state_tree_ext_gwy, pf_state,
393 u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
394 RB_GENERATE(pf_state_tree_id, pf_state,
395 u.s.entry_id, pf_state_compare_id);
402 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
406 if (a->rule.ptr > b->rule.ptr)
408 if (a->rule.ptr < b->rule.ptr)
410 if ((diff = a->af - b->af) != 0)
415 if (a->addr.addr32[0] > b->addr.addr32[0])
417 if (a->addr.addr32[0] < b->addr.addr32[0])
423 if (a->addr.addr32[3] > b->addr.addr32[3])
425 if (a->addr.addr32[3] < b->addr.addr32[3])
427 if (a->addr.addr32[2] > b->addr.addr32[2])
429 if (a->addr.addr32[2] < b->addr.addr32[2])
431 if (a->addr.addr32[1] > b->addr.addr32[1])
433 if (a->addr.addr32[1] < b->addr.addr32[1])
435 if (a->addr.addr32[0] > b->addr.addr32[0])
437 if (a->addr.addr32[0] < b->addr.addr32[0])
450 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b)
454 if ((diff = a->proto - b->proto) != 0)
456 if ((diff = a->af - b->af) != 0)
461 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
463 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
465 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
467 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
473 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3])
475 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3])
477 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
479 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
481 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2])
483 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2])
485 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
487 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
489 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1])
491 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1])
493 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
495 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
497 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
499 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
501 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
503 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
509 if ((diff = a->lan.port - b->lan.port) != 0)
511 if ((diff = a->ext.port - b->ext.port) != 0)
522 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b)
526 if ((diff = a->proto - b->proto) != 0)
528 if ((diff = a->af - b->af) != 0)
533 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
535 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
537 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
539 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
545 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
547 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
549 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3])
551 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3])
553 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
555 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
557 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2])
559 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2])
561 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
563 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
565 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1])
567 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1])
569 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
571 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
573 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
575 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
581 if ((diff = a->ext.port - b->ext.port) != 0)
583 if ((diff = a->gwy.port - b->gwy.port) != 0)
594 pf_state_compare_id(struct pf_state *a, struct pf_state *b)
600 if (a->creatorid > b->creatorid)
602 if (a->creatorid < b->creatorid)
610 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
615 dst->addr32[0] = src->addr32[0];
619 dst->addr32[0] = src->addr32[0];
620 dst->addr32[1] = src->addr32[1];
621 dst->addr32[2] = src->addr32[2];
622 dst->addr32[3] = src->addr32[3];
629 pf_find_state_byid(struct pf_state_cmp *key)
631 pf_status.fcounters[FCNT_STATE_SEARCH]++;
632 return (RB_FIND(pf_state_tree_id, &tree_id, (struct pf_state *)key));
636 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state_cmp *key, u_int8_t tree)
640 pf_status.fcounters[FCNT_STATE_SEARCH]++;
644 if ((s = RB_FIND(pf_state_tree_lan_ext, &kif->pfik_lan_ext,
645 (struct pf_state *)key)) != NULL)
647 if ((s = RB_FIND(pf_state_tree_lan_ext, &pfi_all->pfik_lan_ext,
648 (struct pf_state *)key)) != NULL)
652 if ((s = RB_FIND(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy,
653 (struct pf_state *)key)) != NULL)
655 if ((s = RB_FIND(pf_state_tree_ext_gwy, &pfi_all->pfik_ext_gwy,
656 (struct pf_state *)key)) != NULL)
660 panic("pf_find_state_recurse");
665 pf_find_state_all(struct pf_state_cmp *key, u_int8_t tree, int *more)
667 struct pf_state *s, *ss = NULL;
670 pf_status.fcounters[FCNT_STATE_SEARCH]++;
674 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
675 s = RB_FIND(pf_state_tree_lan_ext,
676 &kif->pfik_lan_ext, (struct pf_state *)key);
686 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
687 s = RB_FIND(pf_state_tree_ext_gwy,
688 &kif->pfik_ext_gwy, (struct pf_state *)key);
698 panic("pf_find_state_all");
703 pf_init_threshold(struct pf_threshold *threshold,
704 u_int32_t limit, u_int32_t seconds)
706 threshold->limit = limit * PF_THRESHOLD_MULT;
707 threshold->seconds = seconds;
708 threshold->count = 0;
709 threshold->last = time_second;
713 pf_add_threshold(struct pf_threshold *threshold)
715 u_int32_t t = time_second, diff = t - threshold->last;
717 if (diff >= threshold->seconds)
718 threshold->count = 0;
720 threshold->count -= threshold->count * diff /
722 threshold->count += PF_THRESHOLD_MULT;
727 pf_check_threshold(struct pf_threshold *threshold)
729 return (threshold->count > threshold->limit);
733 pf_src_connlimit(struct pf_state **state)
738 (*state)->src_node->conn++;
739 (*state)->src.tcp_est = 1;
740 pf_add_threshold(&(*state)->src_node->conn_rate);
742 if ((*state)->rule.ptr->max_src_conn &&
743 (*state)->rule.ptr->max_src_conn <
744 (*state)->src_node->conn) {
745 pf_status.lcounters[LCNT_SRCCONN]++;
749 if ((*state)->rule.ptr->max_src_conn_rate.limit &&
750 pf_check_threshold(&(*state)->src_node->conn_rate)) {
751 pf_status.lcounters[LCNT_SRCCONNRATE]++;
758 if ((*state)->rule.ptr->overload_tbl) {
760 u_int32_t killed = 0;
762 pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
763 if (pf_status.debug >= PF_DEBUG_MISC) {
764 printf("pf_src_connlimit: blocking address ");
765 pf_print_host(&(*state)->src_node->addr, 0,
769 bzero(&p, sizeof(p));
770 p.pfra_af = (*state)->af;
771 switch ((*state)->af) {
775 p.pfra_ip4addr = (*state)->src_node->addr.v4;
781 p.pfra_ip6addr = (*state)->src_node->addr.v6;
786 pfr_insert_kentry((*state)->rule.ptr->overload_tbl,
789 /* kill existing states if that's required. */
790 if ((*state)->rule.ptr->flush) {
791 pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
793 RB_FOREACH(s, pf_state_tree_id, &tree_id) {
795 * Kill states from this source. (Only those
796 * from the same rule if PF_FLUSH_GLOBAL is not
799 if (s->af == (*state)->af &&
800 (((*state)->direction == PF_OUT &&
801 PF_AEQ(&(*state)->src_node->addr,
802 &s->lan.addr, s->af)) ||
803 ((*state)->direction == PF_IN &&
804 PF_AEQ(&(*state)->src_node->addr,
805 &s->ext.addr, s->af))) &&
806 ((*state)->rule.ptr->flush &
808 (*state)->rule.ptr == s->rule.ptr)) {
809 s->timeout = PFTM_PURGE;
810 s->src.state = s->dst.state =
815 if (pf_status.debug >= PF_DEBUG_MISC)
816 printf(", %u states killed", killed);
818 if (pf_status.debug >= PF_DEBUG_MISC)
822 /* kill this state */
823 (*state)->timeout = PFTM_PURGE;
824 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
829 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
830 struct pf_addr *src, sa_family_t af)
832 struct pf_src_node k;
836 PF_ACPY(&k.addr, src, af);
837 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
838 rule->rpool.opts & PF_POOL_STICKYADDR)
842 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
843 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
846 if (!rule->max_src_nodes ||
847 rule->src_nodes < rule->max_src_nodes)
848 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
850 pf_status.lcounters[LCNT_SRCNODES]++;
853 bzero(*sn, sizeof(struct pf_src_node));
855 pf_init_threshold(&(*sn)->conn_rate,
856 rule->max_src_conn_rate.limit,
857 rule->max_src_conn_rate.seconds);
860 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
861 rule->rpool.opts & PF_POOL_STICKYADDR)
862 (*sn)->rule.ptr = rule;
864 (*sn)->rule.ptr = NULL;
865 PF_ACPY(&(*sn)->addr, src, af);
866 if (RB_INSERT(pf_src_tree,
867 &tree_src_tracking, *sn) != NULL) {
868 if (pf_status.debug >= PF_DEBUG_MISC) {
869 printf("pf: src_tree insert failed: ");
870 pf_print_host(&(*sn)->addr, 0, af);
873 pool_put(&pf_src_tree_pl, *sn);
876 (*sn)->creation = time_second;
877 (*sn)->ruletype = rule->action;
878 if ((*sn)->rule.ptr != NULL)
879 (*sn)->rule.ptr->src_nodes++;
880 pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
881 pf_status.src_nodes++;
883 if (rule->max_src_states &&
884 (*sn)->states >= rule->max_src_states) {
885 pf_status.lcounters[LCNT_SRCSTATES]++;
893 pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
895 /* Thou MUST NOT insert multiple duplicate keys */
896 state->u.s.kif = kif;
897 if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) {
898 if (pf_status.debug >= PF_DEBUG_MISC) {
899 printf("pf: state insert failed: tree_lan_ext");
901 pf_print_host(&state->lan.addr, state->lan.port,
904 pf_print_host(&state->gwy.addr, state->gwy.port,
907 pf_print_host(&state->ext.addr, state->ext.port,
909 if (state->sync_flags & PFSTATE_FROMSYNC)
910 printf(" (from sync)");
916 if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) {
917 if (pf_status.debug >= PF_DEBUG_MISC) {
918 printf("pf: state insert failed: tree_ext_gwy");
920 pf_print_host(&state->lan.addr, state->lan.port,
923 pf_print_host(&state->gwy.addr, state->gwy.port,
926 pf_print_host(&state->ext.addr, state->ext.port,
928 if (state->sync_flags & PFSTATE_FROMSYNC)
929 printf(" (from sync)");
932 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
936 if (state->id == 0 && state->creatorid == 0) {
937 state->id = htobe64(pf_status.stateid++);
938 state->creatorid = pf_status.hostid;
940 if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) {
941 if (pf_status.debug >= PF_DEBUG_MISC) {
943 printf("pf: state insert failed: "
944 "id: %016llx creatorid: %08x",
945 (long long)be64toh(state->id),
946 ntohl(state->creatorid));
948 printf("pf: state insert failed: "
949 "id: %016llx creatorid: %08x",
950 betoh64(state->id), ntohl(state->creatorid));
952 if (state->sync_flags & PFSTATE_FROMSYNC)
953 printf(" (from sync)");
956 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
957 RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state);
960 TAILQ_INSERT_TAIL(&state_list, state, u.s.entry_list);
961 pf_status.fcounters[FCNT_STATE_INSERT]++;
963 pfi_kif_ref(kif, PFI_KIF_REF_STATE);
965 pfsync_insert_state(state);
971 pf_purge_thread(void *v)
979 tsleep(pf_purge_thread, PWAIT, "pftm", 1 * hz);
982 sx_slock(&pf_consistency_lock);
986 if (pf_end_threads) {
988 sx_sunlock(&pf_consistency_lock);
989 sx_xlock(&pf_consistency_lock);
991 pf_purge_expired_states(pf_status.states, 1);
992 pf_purge_expired_fragments();
993 pf_purge_expired_src_nodes(1);
996 sx_xunlock(&pf_consistency_lock);
998 wakeup(pf_purge_thread);
1004 /* process a fraction of the state table every second */
1006 if(!pf_purge_expired_states(1 + (pf_status.states
1007 / pf_default_rule.timeout[PFTM_INTERVAL]), 0)) {
1009 sx_sunlock(&pf_consistency_lock);
1010 sx_xlock(&pf_consistency_lock);
1014 pf_purge_expired_states(1 + (pf_status.states
1015 / pf_default_rule.timeout[PFTM_INTERVAL]), 1);
1018 pf_purge_expired_states(1 + (pf_status.states
1019 / pf_default_rule.timeout[PFTM_INTERVAL]));
1022 /* purge other expired types every PFTM_INTERVAL seconds */
1023 if (++nloops >= pf_default_rule.timeout[PFTM_INTERVAL]) {
1024 pf_purge_expired_fragments();
1025 if (!pf_purge_expired_src_nodes(locked)) {
1027 sx_sunlock(&pf_consistency_lock);
1028 sx_xlock(&pf_consistency_lock);
1031 pf_purge_expired_src_nodes(1);
1040 sx_xunlock(&pf_consistency_lock);
1042 sx_sunlock(&pf_consistency_lock);
1048 pf_state_expires(const struct pf_state *state)
1055 /* handle all PFTM_* > PFTM_MAX here */
1056 if (state->timeout == PFTM_PURGE)
1057 return (time_second);
1058 if (state->timeout == PFTM_UNTIL_PACKET)
1061 KASSERT(state->timeout != PFTM_UNLINKED,
1062 ("pf_state_expires: timeout == PFTM_UNLINKED"));
1063 KASSERT((state->timeout < PFTM_MAX),
1064 ("pf_state_expires: timeout > PFTM_MAX"));
1066 KASSERT(state->timeout != PFTM_UNLINKED);
1067 KASSERT(state->timeout < PFTM_MAX);
1069 timeout = state->rule.ptr->timeout[state->timeout];
1071 timeout = pf_default_rule.timeout[state->timeout];
1072 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1074 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1075 states = state->rule.ptr->states;
1077 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
1078 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
1079 states = pf_status.states;
1081 if (end && states > start && start < end) {
1083 return (state->expire + timeout * (end - states) /
1086 return (time_second);
1088 return (state->expire + timeout);
1093 pf_purge_expired_src_nodes(int waslocked)
1096 pf_purge_expired_src_nodes(int waslocked)
1099 struct pf_src_node *cur, *next;
1100 int locked = waslocked;
1102 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
1103 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
1105 if (cur->states <= 0 && cur->expire <= time_second) {
1108 if (!sx_try_upgrade(&pf_consistency_lock))
1111 rw_enter_write(&pf_consistency_lock);
1113 next = RB_NEXT(pf_src_tree,
1114 &tree_src_tracking, cur);
1117 if (cur->rule.ptr != NULL) {
1118 cur->rule.ptr->src_nodes--;
1119 if (cur->rule.ptr->states <= 0 &&
1120 cur->rule.ptr->max_src_nodes <= 0)
1121 pf_rm_rule(NULL, cur->rule.ptr);
1123 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
1124 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
1125 pf_status.src_nodes--;
1126 pool_put(&pf_src_tree_pl, cur);
1130 if (locked && !waslocked)
1132 sx_downgrade(&pf_consistency_lock);
1134 rw_exit_write(&pf_consistency_lock);
1143 pf_src_tree_remove_state(struct pf_state *s)
1147 if (s->src_node != NULL) {
1148 if (s->proto == IPPROTO_TCP) {
1150 --s->src_node->conn;
1152 if (--s->src_node->states <= 0) {
1153 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1156 pf_default_rule.timeout[PFTM_SRC_NODE];
1157 s->src_node->expire = time_second + timeout;
1160 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
1161 if (--s->nat_src_node->states <= 0) {
1162 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1165 pf_default_rule.timeout[PFTM_SRC_NODE];
1166 s->nat_src_node->expire = time_second + timeout;
1169 s->src_node = s->nat_src_node = NULL;
1172 /* callers should be at splsoftnet */
1174 pf_unlink_state(struct pf_state *cur)
1177 if (cur->local_flags & PFSTATE_EXPIRING)
1179 cur->local_flags |= PFSTATE_EXPIRING;
1181 if (cur->src.state == PF_TCPS_PROXY_DST) {
1183 pf_send_tcp(NULL, cur->rule.ptr, cur->af,
1185 pf_send_tcp(cur->rule.ptr, cur->af,
1187 &cur->ext.addr, &cur->lan.addr,
1188 cur->ext.port, cur->lan.port,
1189 cur->src.seqhi, cur->src.seqlo + 1,
1190 TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL);
1192 RB_REMOVE(pf_state_tree_ext_gwy,
1193 &cur->u.s.kif->pfik_ext_gwy, cur);
1194 RB_REMOVE(pf_state_tree_lan_ext,
1195 &cur->u.s.kif->pfik_lan_ext, cur);
1196 RB_REMOVE(pf_state_tree_id, &tree_id, cur);
1198 if (cur->creatorid == pf_status.hostid)
1199 pfsync_delete_state(cur);
1201 cur->timeout = PFTM_UNLINKED;
1202 pf_src_tree_remove_state(cur);
1205 /* callers should be at splsoftnet and hold the
1206 * write_lock on pf_consistency_lock */
1208 pf_free_state(struct pf_state *cur)
1211 if (pfsyncif != NULL &&
1212 (pfsyncif->sc_bulk_send_next == cur ||
1213 pfsyncif->sc_bulk_terminator == cur))
1217 KASSERT(cur->timeout == PFTM_UNLINKED,
1218 ("pf_free_state: cur->timeout != PFTM_UNLINKED"));
1220 KASSERT(cur->timeout == PFTM_UNLINKED);
1222 if (--cur->rule.ptr->states <= 0 &&
1223 cur->rule.ptr->src_nodes <= 0)
1224 pf_rm_rule(NULL, cur->rule.ptr);
1225 if (cur->nat_rule.ptr != NULL)
1226 if (--cur->nat_rule.ptr->states <= 0 &&
1227 cur->nat_rule.ptr->src_nodes <= 0)
1228 pf_rm_rule(NULL, cur->nat_rule.ptr);
1229 if (cur->anchor.ptr != NULL)
1230 if (--cur->anchor.ptr->states <= 0)
1231 pf_rm_rule(NULL, cur->anchor.ptr);
1232 pf_normalize_tcp_cleanup(cur);
1233 pfi_kif_unref(cur->u.s.kif, PFI_KIF_REF_STATE);
1234 TAILQ_REMOVE(&state_list, cur, u.s.entry_list);
1236 pf_tag_unref(cur->tag);
1237 pool_put(&pf_state_pl, cur);
1238 pf_status.fcounters[FCNT_STATE_REMOVALS]++;
1244 pf_purge_expired_states(u_int32_t maxcheck, int waslocked)
1247 pf_purge_expired_states(u_int32_t maxcheck)
1250 static struct pf_state *cur = NULL;
1251 struct pf_state *next;
1253 int locked = waslocked;
1258 while (maxcheck--) {
1259 /* wrap to start of list when we hit the end */
1261 cur = TAILQ_FIRST(&state_list);
1263 break; /* list empty */
1266 /* get next state, as cur may get deleted */
1267 next = TAILQ_NEXT(cur, u.s.entry_list);
1269 if (cur->timeout == PFTM_UNLINKED) {
1270 /* free unlinked state */
1273 if (!sx_try_upgrade(&pf_consistency_lock))
1276 rw_enter_write(&pf_consistency_lock);
1281 } else if (pf_state_expires(cur) <= time_second) {
1282 /* unlink and free expired state */
1283 pf_unlink_state(cur);
1286 if (!sx_try_upgrade(&pf_consistency_lock))
1289 rw_enter_write(&pf_consistency_lock);
1299 if (!waslocked && locked)
1300 sx_downgrade(&pf_consistency_lock);
1305 rw_exit_write(&pf_consistency_lock);
1310 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
1312 if (aw->type != PF_ADDR_TABLE)
1314 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
1320 pf_tbladdr_remove(struct pf_addr_wrap *aw)
1322 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL)
1324 pfr_detach_table(aw->p.tbl);
1329 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
1331 struct pfr_ktable *kt = aw->p.tbl;
1333 if (aw->type != PF_ADDR_TABLE || kt == NULL)
1335 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1336 kt = kt->pfrkt_root;
1338 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
1343 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
1348 u_int32_t a = ntohl(addr->addr32[0]);
1349 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
1361 u_int8_t i, curstart = 255, curend = 0,
1362 maxstart = 0, maxend = 0;
1363 for (i = 0; i < 8; i++) {
1364 if (!addr->addr16[i]) {
1365 if (curstart == 255)
1371 if ((curend - curstart) >
1372 (maxend - maxstart)) {
1373 maxstart = curstart;
1380 for (i = 0; i < 8; i++) {
1381 if (i >= maxstart && i <= maxend) {
1390 b = ntohs(addr->addr16[i]);
1407 pf_print_state(struct pf_state *s)
1419 case IPPROTO_ICMPV6:
1423 printf("%u ", s->proto);
1426 pf_print_host(&s->lan.addr, s->lan.port, s->af);
1428 pf_print_host(&s->gwy.addr, s->gwy.port, s->af);
1430 pf_print_host(&s->ext.addr, s->ext.port, s->af);
1431 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
1432 s->src.seqhi, s->src.max_win, s->src.seqdiff);
1433 if (s->src.wscale && s->dst.wscale)
1434 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
1436 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
1437 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
1438 if (s->src.wscale && s->dst.wscale)
1439 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
1441 printf(" %u:%u", s->src.state, s->dst.state);
1445 pf_print_flags(u_int8_t f)
1467 #define PF_SET_SKIP_STEPS(i) \
1469 while (head[i] != cur) { \
1470 head[i]->skip[i].ptr = cur; \
1471 head[i] = TAILQ_NEXT(head[i], entries); \
1476 pf_calc_skip_steps(struct pf_rulequeue *rules)
1478 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
1481 cur = TAILQ_FIRST(rules);
1483 for (i = 0; i < PF_SKIP_COUNT; ++i)
1485 while (cur != NULL) {
1487 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
1488 PF_SET_SKIP_STEPS(PF_SKIP_IFP);
1489 if (cur->direction != prev->direction)
1490 PF_SET_SKIP_STEPS(PF_SKIP_DIR);
1491 if (cur->af != prev->af)
1492 PF_SET_SKIP_STEPS(PF_SKIP_AF);
1493 if (cur->proto != prev->proto)
1494 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1495 if (cur->src.neg != prev->src.neg ||
1496 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
1497 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
1498 if (cur->src.port[0] != prev->src.port[0] ||
1499 cur->src.port[1] != prev->src.port[1] ||
1500 cur->src.port_op != prev->src.port_op)
1501 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1502 if (cur->dst.neg != prev->dst.neg ||
1503 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
1504 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
1505 if (cur->dst.port[0] != prev->dst.port[0] ||
1506 cur->dst.port[1] != prev->dst.port[1] ||
1507 cur->dst.port_op != prev->dst.port_op)
1508 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1511 cur = TAILQ_NEXT(cur, entries);
1513 for (i = 0; i < PF_SKIP_COUNT; ++i)
1514 PF_SET_SKIP_STEPS(i);
1518 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
1520 if (aw1->type != aw2->type)
1522 switch (aw1->type) {
1523 case PF_ADDR_ADDRMASK:
1524 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0))
1526 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0))
1529 case PF_ADDR_DYNIFTL:
1530 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
1531 case PF_ADDR_NOROUTE:
1532 case PF_ADDR_URPFFAILED:
1535 return (aw1->p.tbl != aw2->p.tbl);
1536 case PF_ADDR_RTLABEL:
1537 return (aw1->v.rtlabel != aw2->v.rtlabel);
1539 printf("invalid address type: %d\n", aw1->type);
1545 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
1551 l = cksum + old - new;
1552 l = (l >> 16) + (l & 65535);
1560 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
1561 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
1566 PF_ACPY(&ao, a, af);
1574 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1575 ao.addr16[0], an->addr16[0], 0),
1576 ao.addr16[1], an->addr16[1], 0);
1578 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1579 ao.addr16[0], an->addr16[0], u),
1580 ao.addr16[1], an->addr16[1], u),
1586 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1587 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1588 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1589 ao.addr16[0], an->addr16[0], u),
1590 ao.addr16[1], an->addr16[1], u),
1591 ao.addr16[2], an->addr16[2], u),
1592 ao.addr16[3], an->addr16[3], u),
1593 ao.addr16[4], an->addr16[4], u),
1594 ao.addr16[5], an->addr16[5], u),
1595 ao.addr16[6], an->addr16[6], u),
1596 ao.addr16[7], an->addr16[7], u),
1604 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */
1606 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
1610 memcpy(&ao, a, sizeof(ao));
1611 memcpy(a, &an, sizeof(u_int32_t));
1612 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
1613 ao % 65536, an % 65536, u);
1618 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
1622 PF_ACPY(&ao, a, AF_INET6);
1623 PF_ACPY(a, an, AF_INET6);
1625 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1626 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1627 pf_cksum_fixup(pf_cksum_fixup(*c,
1628 ao.addr16[0], an->addr16[0], u),
1629 ao.addr16[1], an->addr16[1], u),
1630 ao.addr16[2], an->addr16[2], u),
1631 ao.addr16[3], an->addr16[3], u),
1632 ao.addr16[4], an->addr16[4], u),
1633 ao.addr16[5], an->addr16[5], u),
1634 ao.addr16[6], an->addr16[6], u),
1635 ao.addr16[7], an->addr16[7], u);
1640 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
1641 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
1642 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
1644 struct pf_addr oia, ooa;
1646 PF_ACPY(&oia, ia, af);
1647 PF_ACPY(&ooa, oa, af);
1649 /* Change inner protocol port, fix inner protocol checksum. */
1651 u_int16_t oip = *ip;
1652 u_int32_t opc = 0; /* make the compiler happy */
1658 *pc = pf_cksum_fixup(*pc, oip, *ip, u);
1659 *ic = pf_cksum_fixup(*ic, oip, *ip, 0);
1661 *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
1663 /* Change inner ip address, fix inner ip and icmp checksums. */
1664 PF_ACPY(ia, na, af);
1668 u_int32_t oh2c = *h2c;
1670 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
1671 oia.addr16[0], ia->addr16[0], 0),
1672 oia.addr16[1], ia->addr16[1], 0);
1673 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1674 oia.addr16[0], ia->addr16[0], 0),
1675 oia.addr16[1], ia->addr16[1], 0);
1676 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
1682 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1683 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1684 pf_cksum_fixup(pf_cksum_fixup(*ic,
1685 oia.addr16[0], ia->addr16[0], u),
1686 oia.addr16[1], ia->addr16[1], u),
1687 oia.addr16[2], ia->addr16[2], u),
1688 oia.addr16[3], ia->addr16[3], u),
1689 oia.addr16[4], ia->addr16[4], u),
1690 oia.addr16[5], ia->addr16[5], u),
1691 oia.addr16[6], ia->addr16[6], u),
1692 oia.addr16[7], ia->addr16[7], u);
1696 /* Change outer ip address, fix outer ip or icmpv6 checksum. */
1697 PF_ACPY(oa, na, af);
1701 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
1702 ooa.addr16[0], oa->addr16[0], 0),
1703 ooa.addr16[1], oa->addr16[1], 0);
1708 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1709 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1710 pf_cksum_fixup(pf_cksum_fixup(*ic,
1711 ooa.addr16[0], oa->addr16[0], u),
1712 ooa.addr16[1], oa->addr16[1], u),
1713 ooa.addr16[2], oa->addr16[2], u),
1714 ooa.addr16[3], oa->addr16[3], u),
1715 ooa.addr16[4], oa->addr16[4], u),
1716 ooa.addr16[5], oa->addr16[5], u),
1717 ooa.addr16[6], oa->addr16[6], u),
1718 ooa.addr16[7], oa->addr16[7], u);
1726 * Need to modulate the sequence numbers in the TCP SACK option
1727 * (credits to Krzysztof Pfaff for report and patch)
1730 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
1731 struct tcphdr *th, struct pf_state_peer *dst)
1733 int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
1735 u_int8_t opts[TCP_MAXOLEN], *opt = opts;
1737 u_int8_t opts[MAX_TCPOPTLEN], *opt = opts;
1739 int copyback = 0, i, olen;
1740 struct sackblk sack;
1742 #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
1743 if (hlen < TCPOLEN_SACKLEN ||
1744 !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
1747 while (hlen >= TCPOLEN_SACKLEN) {
1750 case TCPOPT_EOL: /* FALLTHROUGH */
1758 if (olen >= TCPOLEN_SACKLEN) {
1759 for (i = 2; i + TCPOLEN_SACK <= olen;
1760 i += TCPOLEN_SACK) {
1761 memcpy(&sack, &opt[i], sizeof(sack));
1762 pf_change_a(&sack.start, &th->th_sum,
1763 htonl(ntohl(sack.start) -
1765 pf_change_a(&sack.end, &th->th_sum,
1766 htonl(ntohl(sack.end) -
1768 memcpy(&opt[i], &sack, sizeof(sack));
1783 m_copyback(m, off + sizeof(*th), thoptlen, (caddr_t)opts);
1785 m_copyback(m, off + sizeof(*th), thoptlen, opts);
1792 pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
1794 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
1796 const struct pf_addr *saddr, const struct pf_addr *daddr,
1797 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
1798 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
1799 u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp)
1811 struct pf_mtag *pf_mtag;
1826 , ("Unsupported AF %d", af));
1837 /* maximum segment size tcp option */
1838 tlen = sizeof(struct tcphdr);
1845 len = sizeof(struct ip) + tlen;
1850 len = sizeof(struct ip6_hdr) + tlen;
1855 /* create outgoing mbuf */
1856 m = m_gethdr(M_DONTWAIT, MT_HEADER);
1862 mac_netinet_firewall_reply(replyto, m);
1864 mac_netinet_firewall_send(m);
1869 if ((pf_mtag = pf_get_mtag(m)) == NULL) {
1875 m->m_flags |= M_SKIP_FIREWALL;
1877 pf_mtag->flags |= PF_TAG_GENERATED;
1880 pf_mtag->tag = rtag;
1882 if (r != NULL && r->rtableid >= 0)
1885 M_SETFIB(m, r->rtableid);
1887 pf_mtag->rtableid = r->rtableid;
1892 if (r != NULL && r->qid) {
1893 pf_mtag->qid = r->qid;
1894 /* add hints for ecn */
1896 pf_mtag->hdr = mtod(m, struct ip *);
1899 m->m_data += max_linkhdr;
1900 m->m_pkthdr.len = m->m_len = len;
1901 m->m_pkthdr.rcvif = NULL;
1902 bzero(m->m_data, len);
1906 h = mtod(m, struct ip *);
1908 /* IP header fields included in the TCP checksum */
1909 h->ip_p = IPPROTO_TCP;
1910 h->ip_len = htons(tlen);
1911 h->ip_src.s_addr = saddr->v4.s_addr;
1912 h->ip_dst.s_addr = daddr->v4.s_addr;
1914 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
1919 h6 = mtod(m, struct ip6_hdr *);
1921 /* IP header fields included in the TCP checksum */
1922 h6->ip6_nxt = IPPROTO_TCP;
1923 h6->ip6_plen = htons(tlen);
1924 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
1925 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
1927 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
1933 th->th_sport = sport;
1934 th->th_dport = dport;
1935 th->th_seq = htonl(seq);
1936 th->th_ack = htonl(ack);
1937 th->th_off = tlen >> 2;
1938 th->th_flags = flags;
1939 th->th_win = htons(win);
1942 opt = (char *)(th + 1);
1943 opt[0] = TCPOPT_MAXSEG;
1946 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
1953 th->th_sum = in_cksum(m, len);
1955 /* Finish the IP header */
1957 h->ip_hl = sizeof(*h) >> 2;
1958 h->ip_tos = IPTOS_LOWDELAY;
1960 h->ip_off = V_path_mtu_discovery ? IP_DF : 0;
1963 h->ip_off = htons(ip_mtudisc ? IP_DF : 0);
1964 h->ip_len = htons(len);
1966 h->ip_ttl = ttl ? ttl : V_ip_defttl;
1971 ip_output(m, (void *)NULL, (void *)NULL, 0,
1972 (void *)NULL, (void *)NULL);
1974 #else /* ! __FreeBSD__ */
1975 ip_output(m, (void *)NULL, (void *)NULL, 0,
1976 (void *)NULL, (void *)NULL);
1981 struct ether_header *e = (void *)ro.ro_dst.sa_data;
1989 ro.ro_dst.sa_len = sizeof(ro.ro_dst);
1990 ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT;
1991 bcopy(eh->ether_dhost, e->ether_shost, ETHER_ADDR_LEN);
1992 bcopy(eh->ether_shost, e->ether_dhost, ETHER_ADDR_LEN);
1993 e->ether_type = eh->ether_type;
1996 /* XXX_IMPORT: later */
1997 ip_output(m, (void *)NULL, &ro, 0,
1998 (void *)NULL, (void *)NULL);
2000 #else /* ! __FreeBSD__ */
2001 ip_output(m, (void *)NULL, &ro, IP_ROUTETOETHER,
2002 (void *)NULL, (void *)NULL);
2010 th->th_sum = in6_cksum(m, IPPROTO_TCP,
2011 sizeof(struct ip6_hdr), tlen);
2013 h6->ip6_vfc |= IPV6_VERSION;
2014 h6->ip6_hlim = IPV6_DEFHLIM;
2018 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
2021 ip6_output(m, NULL, NULL, 0, NULL, NULL);
2029 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
2032 struct pf_mtag *pf_mtag;
2039 m0 = m_copypacket(m, M_DONTWAIT);
2043 m0 = m_copy(m, 0, M_COPYALL);
2045 if ((pf_mtag = pf_get_mtag(m0)) == NULL)
2049 m0->m_flags |= M_SKIP_FIREWALL;
2051 pf_mtag->flags |= PF_TAG_GENERATED;
2054 if (r->rtableid >= 0)
2057 M_SETFIB(m0, r->rtableid);
2059 pf_mtag->rtableid = r->rtableid;
2066 pf_mtag->qid = r->qid;
2067 /* add hints for ecn */
2069 pf_mtag->hdr = mtod(m0, struct ip *);
2077 /* icmp_error() expects host byte ordering */
2078 ip = mtod(m0, struct ip *);
2082 icmp_error(m0, type, code, 0, 0);
2085 icmp_error(m0, type, code, 0, 0);
2094 icmp6_error(m0, type, code, 0);
2104 * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
2105 * If n is 0, they match if they are equal. If n is != 0, they match if they
2109 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
2110 struct pf_addr *b, sa_family_t af)
2117 if ((a->addr32[0] & m->addr32[0]) ==
2118 (b->addr32[0] & m->addr32[0]))
2124 if (((a->addr32[0] & m->addr32[0]) ==
2125 (b->addr32[0] & m->addr32[0])) &&
2126 ((a->addr32[1] & m->addr32[1]) ==
2127 (b->addr32[1] & m->addr32[1])) &&
2128 ((a->addr32[2] & m->addr32[2]) ==
2129 (b->addr32[2] & m->addr32[2])) &&
2130 ((a->addr32[3] & m->addr32[3]) ==
2131 (b->addr32[3] & m->addr32[3])))
2150 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
2154 return ((p > a1) && (p < a2));
2156 return ((p < a1) || (p > a2));
2158 return ((p >= a1) && (p <= a2));
2172 return (0); /* never reached */
2176 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
2181 return (pf_match(op, a1, a2, p));
2185 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
2187 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2189 return (pf_match(op, a1, a2, u));
2193 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
2195 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2197 return (pf_match(op, a1, a2, g));
2202 pf_find_mtag(struct mbuf *m)
2206 if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL)
2209 return ((struct pf_mtag *)(mtag + 1));
2213 pf_get_mtag(struct mbuf *m)
2217 if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) {
2218 mtag = m_tag_get(PACKET_TAG_PF, sizeof(struct pf_mtag),
2222 bzero(mtag + 1, sizeof(struct pf_mtag));
2223 m_tag_prepend(m, mtag);
2226 return ((struct pf_mtag *)(mtag + 1));
2231 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_mtag *pf_mtag,
2235 *tag = pf_mtag->tag;
2237 return ((!r->match_tag_not && r->match_tag == *tag) ||
2238 (r->match_tag_not && r->match_tag != *tag));
2242 pf_tag_packet(struct mbuf *m, struct pf_mtag *pf_mtag, int tag, int rtableid)
2244 if (tag <= 0 && rtableid < 0)
2247 if (pf_mtag == NULL)
2248 if ((pf_mtag = pf_get_mtag(m)) == NULL)
2255 M_SETFIB(m, rtableid);
2257 pf_mtag->rtableid = rtableid;
2266 pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n,
2267 struct pf_rule **r, struct pf_rule **a, int *match)
2269 struct pf_anchor_stackframe *f;
2271 (*r)->anchor->match = 0;
2274 if (*depth >= sizeof(pf_anchor_stack) /
2275 sizeof(pf_anchor_stack[0])) {
2276 printf("pf_step_into_anchor: stack overflow\n");
2277 *r = TAILQ_NEXT(*r, entries);
2279 } else if (*depth == 0 && a != NULL)
2281 f = pf_anchor_stack + (*depth)++;
2284 if ((*r)->anchor_wildcard) {
2285 f->parent = &(*r)->anchor->children;
2286 if ((f->child = RB_MIN(pf_anchor_node, f->parent)) ==
2291 *rs = &f->child->ruleset;
2295 *rs = &(*r)->anchor->ruleset;
2297 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2301 pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n,
2302 struct pf_rule **r, struct pf_rule **a, int *match)
2304 struct pf_anchor_stackframe *f;
2310 f = pf_anchor_stack + *depth - 1;
2311 if (f->parent != NULL && f->child != NULL) {
2312 if (f->child->match ||
2313 (match != NULL && *match)) {
2314 f->r->anchor->match = 1;
2317 f->child = RB_NEXT(pf_anchor_node, f->parent, f->child);
2318 if (f->child != NULL) {
2319 *rs = &f->child->ruleset;
2320 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2328 if (*depth == 0 && a != NULL)
2331 if (f->r->anchor->match || (match != NULL && *match))
2332 quick = f->r->quick;
2333 *r = TAILQ_NEXT(f->r, entries);
2334 } while (*r == NULL);
2341 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
2342 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
2347 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2348 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2352 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2353 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2354 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
2355 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]);
2356 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
2357 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]);
2358 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
2359 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]);
2365 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
2370 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
2374 if (addr->addr32[3] == 0xffffffff) {
2375 addr->addr32[3] = 0;
2376 if (addr->addr32[2] == 0xffffffff) {
2377 addr->addr32[2] = 0;
2378 if (addr->addr32[1] == 0xffffffff) {
2379 addr->addr32[1] = 0;
2381 htonl(ntohl(addr->addr32[0]) + 1);
2384 htonl(ntohl(addr->addr32[1]) + 1);
2387 htonl(ntohl(addr->addr32[2]) + 1);
2390 htonl(ntohl(addr->addr32[3]) + 1);
2396 #define mix(a,b,c) \
2398 a -= b; a -= c; a ^= (c >> 13); \
2399 b -= c; b -= a; b ^= (a << 8); \
2400 c -= a; c -= b; c ^= (b >> 13); \
2401 a -= b; a -= c; a ^= (c >> 12); \
2402 b -= c; b -= a; b ^= (a << 16); \
2403 c -= a; c -= b; c ^= (b >> 5); \
2404 a -= b; a -= c; a ^= (c >> 3); \
2405 b -= c; b -= a; b ^= (a << 10); \
2406 c -= a; c -= b; c ^= (b >> 15); \
2410 * hash function based on bridge_hash in if_bridge.c
2413 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
2414 struct pf_poolhashkey *key, sa_family_t af)
2416 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
2421 a += inaddr->addr32[0];
2424 hash->addr32[0] = c + key->key32[2];
2429 a += inaddr->addr32[0];
2430 b += inaddr->addr32[2];
2432 hash->addr32[0] = c;
2433 a += inaddr->addr32[1];
2434 b += inaddr->addr32[3];
2437 hash->addr32[1] = c;
2438 a += inaddr->addr32[2];
2439 b += inaddr->addr32[1];
2442 hash->addr32[2] = c;
2443 a += inaddr->addr32[3];
2444 b += inaddr->addr32[0];
2447 hash->addr32[3] = c;
2454 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
2455 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
2457 unsigned char hash[16];
2458 struct pf_pool *rpool = &r->rpool;
2459 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr;
2460 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask;
2461 struct pf_pooladdr *acur = rpool->cur;
2462 struct pf_src_node k;
2464 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
2465 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
2467 PF_ACPY(&k.addr, saddr, af);
2468 if (r->rule_flag & PFRULE_RULESRCTRACK ||
2469 r->rpool.opts & PF_POOL_STICKYADDR)
2473 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
2474 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
2475 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
2476 PF_ACPY(naddr, &(*sn)->raddr, af);
2477 if (pf_status.debug >= PF_DEBUG_MISC) {
2478 printf("pf_map_addr: src tracking maps ");
2479 pf_print_host(&k.addr, 0, af);
2481 pf_print_host(naddr, 0, af);
2488 if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
2490 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2494 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
2495 (rpool->opts & PF_POOL_TYPEMASK) !=
2498 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
2499 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
2504 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
2505 (rpool->opts & PF_POOL_TYPEMASK) !=
2508 raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
2509 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
2513 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2514 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
2515 return (1); /* unsupported */
2517 raddr = &rpool->cur->addr.v.a.addr;
2518 rmask = &rpool->cur->addr.v.a.mask;
2521 switch (rpool->opts & PF_POOL_TYPEMASK) {
2523 PF_ACPY(naddr, raddr, af);
2525 case PF_POOL_BITMASK:
2526 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
2528 case PF_POOL_RANDOM:
2529 if (init_addr != NULL && PF_AZERO(init_addr, af)) {
2533 rpool->counter.addr32[0] = htonl(arc4random());
2538 if (rmask->addr32[3] != 0xffffffff)
2539 rpool->counter.addr32[3] =
2540 htonl(arc4random());
2543 if (rmask->addr32[2] != 0xffffffff)
2544 rpool->counter.addr32[2] =
2545 htonl(arc4random());
2548 if (rmask->addr32[1] != 0xffffffff)
2549 rpool->counter.addr32[1] =
2550 htonl(arc4random());
2553 if (rmask->addr32[0] != 0xffffffff)
2554 rpool->counter.addr32[0] =
2555 htonl(arc4random());
2559 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
2560 PF_ACPY(init_addr, naddr, af);
2563 PF_AINC(&rpool->counter, af);
2564 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
2567 case PF_POOL_SRCHASH:
2568 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
2569 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
2571 case PF_POOL_ROUNDROBIN:
2572 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2573 if (!pfr_pool_get(rpool->cur->addr.p.tbl,
2574 &rpool->tblidx, &rpool->counter,
2575 &raddr, &rmask, af))
2577 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2578 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
2579 &rpool->tblidx, &rpool->counter,
2580 &raddr, &rmask, af))
2582 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
2586 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
2587 rpool->cur = TAILQ_FIRST(&rpool->list);
2588 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2590 if (pfr_pool_get(rpool->cur->addr.p.tbl,
2591 &rpool->tblidx, &rpool->counter,
2592 &raddr, &rmask, af)) {
2593 /* table contains no address of type 'af' */
2594 if (rpool->cur != acur)
2598 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2600 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
2601 &rpool->tblidx, &rpool->counter,
2602 &raddr, &rmask, af)) {
2603 /* table contains no address of type 'af' */
2604 if (rpool->cur != acur)
2609 raddr = &rpool->cur->addr.v.a.addr;
2610 rmask = &rpool->cur->addr.v.a.mask;
2611 PF_ACPY(&rpool->counter, raddr, af);
2615 PF_ACPY(naddr, &rpool->counter, af);
2616 if (init_addr != NULL && PF_AZERO(init_addr, af))
2617 PF_ACPY(init_addr, naddr, af);
2618 PF_AINC(&rpool->counter, af);
2622 PF_ACPY(&(*sn)->raddr, naddr, af);
2624 if (pf_status.debug >= PF_DEBUG_MISC &&
2625 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
2626 printf("pf_map_addr: selected address ");
2627 pf_print_host(naddr, 0, af);
2635 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
2636 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
2637 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
2638 struct pf_src_node **sn)
2640 struct pf_state_cmp key;
2641 struct pf_addr init_addr;
2644 bzero(&init_addr, sizeof(init_addr));
2645 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
2648 if (proto == IPPROTO_ICMP) {
2656 PF_ACPY(&key.ext.addr, daddr, key.af);
2657 PF_ACPY(&key.gwy.addr, naddr, key.af);
2658 key.ext.port = dport;
2661 * port search; start random, step;
2662 * similar 2 portloop in in_pcbbind
2664 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
2665 proto == IPPROTO_ICMP)) {
2666 key.gwy.port = dport;
2667 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
2669 } else if (low == 0 && high == 0) {
2670 key.gwy.port = *nport;
2671 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
2673 } else if (low == high) {
2674 key.gwy.port = htons(low);
2675 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) {
2676 *nport = htons(low);
2688 cut = htonl(arc4random()) % (1 + high - low) + low;
2689 /* low <= cut <= high */
2690 for (tmp = cut; tmp <= high; ++(tmp)) {
2691 key.gwy.port = htons(tmp);
2692 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
2694 *nport = htons(tmp);
2698 for (tmp = cut - 1; tmp >= low; --(tmp)) {
2699 key.gwy.port = htons(tmp);
2700 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
2702 *nport = htons(tmp);
2708 switch (r->rpool.opts & PF_POOL_TYPEMASK) {
2709 case PF_POOL_RANDOM:
2710 case PF_POOL_ROUNDROBIN:
2711 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
2715 case PF_POOL_SRCHASH:
2716 case PF_POOL_BITMASK:
2720 } while (! PF_AEQ(&init_addr, naddr, af) );
2722 return (1); /* none available */
2726 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
2727 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
2728 struct pf_addr *daddr, u_int16_t dport, int rs_num)
2730 struct pf_rule *r, *rm = NULL;
2731 struct pf_ruleset *ruleset = NULL;
2736 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
2737 while (r && rm == NULL) {
2738 struct pf_rule_addr *src = NULL, *dst = NULL;
2739 struct pf_addr_wrap *xdst = NULL;
2741 if (r->action == PF_BINAT && direction == PF_IN) {
2743 if (r->rpool.cur != NULL)
2744 xdst = &r->rpool.cur->addr;
2751 if (pfi_kif_match(r->kif, kif) == r->ifnot)
2752 r = r->skip[PF_SKIP_IFP].ptr;
2753 else if (r->direction && r->direction != direction)
2754 r = r->skip[PF_SKIP_DIR].ptr;
2755 else if (r->af && r->af != pd->af)
2756 r = r->skip[PF_SKIP_AF].ptr;
2757 else if (r->proto && r->proto != pd->proto)
2758 r = r->skip[PF_SKIP_PROTO].ptr;
2759 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
2761 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
2762 PF_SKIP_DST_ADDR].ptr;
2763 else if (src->port_op && !pf_match_port(src->port_op,
2764 src->port[0], src->port[1], sport))
2765 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
2766 PF_SKIP_DST_PORT].ptr;
2767 else if (dst != NULL &&
2768 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL))
2769 r = r->skip[PF_SKIP_DST_ADDR].ptr;
2770 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
2772 r = TAILQ_NEXT(r, entries);
2773 else if (dst != NULL && dst->port_op &&
2774 !pf_match_port(dst->port_op, dst->port[0],
2775 dst->port[1], dport))
2776 r = r->skip[PF_SKIP_DST_PORT].ptr;
2777 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
2778 r = TAILQ_NEXT(r, entries);
2779 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
2780 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
2781 off, pd->hdr.tcp), r->os_fingerprint)))
2782 r = TAILQ_NEXT(r, entries);
2786 if (r->rtableid >= 0)
2787 rtableid = r->rtableid;
2788 if (r->anchor == NULL) {
2791 pf_step_into_anchor(&asd, &ruleset, rs_num,
2795 pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r,
2798 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid))
2800 if (rm != NULL && (rm->action == PF_NONAT ||
2801 rm->action == PF_NORDR || rm->action == PF_NOBINAT))
2807 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
2808 struct pfi_kif *kif, struct pf_src_node **sn,
2809 struct pf_addr *saddr, u_int16_t sport,
2810 struct pf_addr *daddr, u_int16_t dport,
2811 struct pf_addr *naddr, u_int16_t *nport)
2813 struct pf_rule *r = NULL;
2815 if (direction == PF_OUT) {
2816 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2817 sport, daddr, dport, PF_RULESET_BINAT);
2819 r = pf_match_translation(pd, m, off, direction, kif,
2820 saddr, sport, daddr, dport, PF_RULESET_NAT);
2822 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2823 sport, daddr, dport, PF_RULESET_RDR);
2825 r = pf_match_translation(pd, m, off, direction, kif,
2826 saddr, sport, daddr, dport, PF_RULESET_BINAT);
2830 switch (r->action) {
2836 if (pf_get_sport(pd->af, pd->proto, r, saddr,
2837 daddr, dport, naddr, nport, r->rpool.proxy_port[0],
2838 r->rpool.proxy_port[1], sn)) {
2839 DPFPRINTF(PF_DEBUG_MISC,
2840 ("pf: NAT proxy port allocation "
2842 r->rpool.proxy_port[0],
2843 r->rpool.proxy_port[1]));
2848 switch (direction) {
2850 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
2854 if (r->rpool.cur->addr.p.dyn->
2858 &r->rpool.cur->addr.p.dyn->
2860 &r->rpool.cur->addr.p.dyn->
2867 if (r->rpool.cur->addr.p.dyn->
2871 &r->rpool.cur->addr.p.dyn->
2873 &r->rpool.cur->addr.p.dyn->
2881 &r->rpool.cur->addr.v.a.addr,
2882 &r->rpool.cur->addr.v.a.mask,
2886 if (r->src.addr.type == PF_ADDR_DYNIFTL) {
2890 if (r->src.addr.p.dyn->
2894 &r->src.addr.p.dyn->
2896 &r->src.addr.p.dyn->
2903 if (r->src.addr.p.dyn->
2907 &r->src.addr.p.dyn->
2909 &r->src.addr.p.dyn->
2917 &r->src.addr.v.a.addr,
2918 &r->src.addr.v.a.mask, daddr,
2924 if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
2926 if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
2928 PF_POOLMASK(naddr, naddr,
2929 &r->rpool.cur->addr.v.a.mask, daddr,
2932 if (r->rpool.proxy_port[1]) {
2933 u_int32_t tmp_nport;
2935 tmp_nport = ((ntohs(dport) -
2936 ntohs(r->dst.port[0])) %
2937 (r->rpool.proxy_port[1] -
2938 r->rpool.proxy_port[0] + 1)) +
2939 r->rpool.proxy_port[0];
2941 /* wrap around if necessary */
2942 if (tmp_nport > 65535)
2944 *nport = htons((u_int16_t)tmp_nport);
2945 } else if (r->rpool.proxy_port[0])
2946 *nport = htons(r->rpool.proxy_port[0]);
2959 pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg)
2961 pf_socket_lookup(int direction, struct pf_pdesc *pd)
2964 struct pf_addr *saddr, *daddr;
2965 u_int16_t sport, dport;
2967 struct inpcbinfo *pi;
2969 struct inpcbtable *tb;
2975 pd->lookup.uid = UID_MAX;
2976 pd->lookup.gid = GID_MAX;
2977 pd->lookup.pid = NO_PID; /* XXX: revisit */
2979 if (inp_arg != NULL) {
2980 INP_LOCK_ASSERT(inp_arg);
2981 pd->lookup.uid = inp_arg->inp_cred->cr_uid;
2982 pd->lookup.gid = inp_arg->inp_cred->cr_groups[0];
2986 switch (pd->proto) {
2988 if (pd->hdr.tcp == NULL)
2990 sport = pd->hdr.tcp->th_sport;
2991 dport = pd->hdr.tcp->th_dport;
2999 if (pd->hdr.udp == NULL)
3001 sport = pd->hdr.udp->uh_sport;
3002 dport = pd->hdr.udp->uh_dport;
3012 if (direction == PF_IN) {
3028 INP_INFO_RLOCK(pi); /* XXX LOR */
3029 inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
3032 inp = in_pcblookup_hash(pi, saddr->v4, sport,
3033 daddr->v4, dport, INPLOOKUP_WILDCARD, NULL);
3035 INP_INFO_RUNLOCK(pi);
3040 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport);
3042 inp = in_pcblookup_listen(tb, daddr->v4, dport, 0);
3053 inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
3054 &daddr->v6, dport, 0, NULL);
3056 inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
3057 &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
3059 INP_INFO_RUNLOCK(pi);
3064 inp = in6_pcbhashlookup(tb, &saddr->v6, sport, &daddr->v6,
3067 inp = in6_pcblookup_listen(tb, &daddr->v6, dport, 0);
3079 pd->lookup.uid = inp->inp_cred->cr_uid;
3080 pd->lookup.gid = inp->inp_cred->cr_groups[0];
3081 INP_INFO_RUNLOCK(pi);
3083 pd->lookup.uid = inp->inp_socket->so_euid;
3084 pd->lookup.gid = inp->inp_socket->so_egid;
3085 pd->lookup.pid = inp->inp_socket->so_cpid;
3091 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
3095 u_int8_t *opt, optlen;
3096 u_int8_t wscale = 0;
3098 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
3099 if (hlen <= sizeof(struct tcphdr))
3101 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
3103 opt = hdr + sizeof(struct tcphdr);
3104 hlen -= sizeof(struct tcphdr);
3114 if (wscale > TCP_MAX_WINSHIFT)
3115 wscale = TCP_MAX_WINSHIFT;
3116 wscale |= PF_WSCALE_FLAG;
3131 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
3135 u_int8_t *opt, optlen;
3136 u_int16_t mss = V_tcp_mssdflt;
3138 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
3139 if (hlen <= sizeof(struct tcphdr))
3141 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
3143 opt = hdr + sizeof(struct tcphdr);
3144 hlen -= sizeof(struct tcphdr);
3145 while (hlen >= TCPOLEN_MAXSEG) {
3153 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
3169 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
3172 struct sockaddr_in *dst;
3176 struct sockaddr_in6 *dst6;
3177 struct route_in6 ro6;
3179 struct rtentry *rt = NULL;
3180 int hlen = 0; /* make the compiler happy */
3181 u_int16_t mss = V_tcp_mssdflt;
3186 hlen = sizeof(struct ip);
3187 bzero(&ro, sizeof(ro));
3188 dst = (struct sockaddr_in *)&ro.ro_dst;
3189 dst->sin_family = AF_INET;
3190 dst->sin_len = sizeof(*dst);
3191 dst->sin_addr = addr->v4;
3193 #ifdef RTF_PRCLONING
3194 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
3195 #else /* !RTF_PRCLONING */
3196 in_rtalloc_ign(&ro, 0, 0);
3198 #else /* ! __FreeBSD__ */
3199 rtalloc_noclone(&ro, NO_CLONING);
3206 hlen = sizeof(struct ip6_hdr);
3207 bzero(&ro6, sizeof(ro6));
3208 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst;
3209 dst6->sin6_family = AF_INET6;
3210 dst6->sin6_len = sizeof(*dst6);
3211 dst6->sin6_addr = addr->v6;
3213 #ifdef RTF_PRCLONING
3214 rtalloc_ign((struct route *)&ro6,
3215 (RTF_CLONING | RTF_PRCLONING));
3216 #else /* !RTF_PRCLONING */
3217 rtalloc_ign((struct route *)&ro6, 0);
3219 #else /* ! __FreeBSD__ */
3220 rtalloc_noclone((struct route *)&ro6, NO_CLONING);
3227 if (rt && rt->rt_ifp) {
3228 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr);
3229 mss = max(V_tcp_mssdflt, mss);
3232 mss = min(mss, offer);
3233 mss = max(mss, 64); /* sanity - at least max opt space */
3238 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
3240 struct pf_rule *r = s->rule.ptr;
3243 if (!r->rt || r->rt == PF_FASTROUTE)
3248 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL,
3250 s->rt_kif = r->rpool.cur->kif;
3255 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL,
3257 s->rt_kif = r->rpool.cur->kif;
3264 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
3265 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3267 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3268 struct ifqueue *ifq, struct inpcb *inp)
3270 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3271 struct ifqueue *ifq)
3274 struct pf_rule *nr = NULL;
3275 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3276 struct tcphdr *th = pd->hdr.tcp;
3277 u_int16_t bport, nport = 0;
3278 sa_family_t af = pd->af;
3279 struct pf_rule *r, *a = NULL;
3280 struct pf_ruleset *ruleset = NULL;
3281 struct pf_src_node *nsn = NULL;
3284 int tag = -1, rtableid = -1;
3285 u_int16_t mss = V_tcp_mssdflt;
3289 if (pf_check_congestion(ifq)) {
3290 REASON_SET(&reason, PFRES_CONGEST);
3296 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3297 else if (debug_pfugidhack) {
3299 DPFPRINTF(PF_DEBUG_MISC, ("pf: unlocked lookup\n"));
3300 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3305 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3307 if (direction == PF_OUT) {
3308 bport = nport = th->th_sport;
3309 /* check outgoing packet for BINAT/NAT */
3310 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3311 saddr, th->th_sport, daddr, th->th_dport,
3312 &pd->naddr, &nport)) != NULL) {
3313 PF_ACPY(&pd->baddr, saddr, af);
3314 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
3315 &th->th_sum, &pd->naddr, nport, 0, af);
3322 bport = nport = th->th_dport;
3323 /* check incoming packet for BINAT/RDR */
3324 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3325 saddr, th->th_sport, daddr, th->th_dport,
3326 &pd->naddr, &nport)) != NULL) {
3327 PF_ACPY(&pd->baddr, daddr, af);
3328 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
3329 &th->th_sum, &pd->naddr, nport, 0, af);
3339 if (pfi_kif_match(r->kif, kif) == r->ifnot)
3340 r = r->skip[PF_SKIP_IFP].ptr;
3341 else if (r->direction && r->direction != direction)
3342 r = r->skip[PF_SKIP_DIR].ptr;
3343 else if (r->af && r->af != af)
3344 r = r->skip[PF_SKIP_AF].ptr;
3345 else if (r->proto && r->proto != IPPROTO_TCP)
3346 r = r->skip[PF_SKIP_PROTO].ptr;
3347 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3349 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3350 else if (r->src.port_op && !pf_match_port(r->src.port_op,
3351 r->src.port[0], r->src.port[1], th->th_sport))
3352 r = r->skip[PF_SKIP_SRC_PORT].ptr;
3353 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3355 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3356 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
3357 r->dst.port[0], r->dst.port[1], th->th_dport))
3358 r = r->skip[PF_SKIP_DST_PORT].ptr;
3359 else if (r->tos && !(r->tos == pd->tos))
3360 r = TAILQ_NEXT(r, entries);
3361 else if (r->rule_flag & PFRULE_FRAGMENT)
3362 r = TAILQ_NEXT(r, entries);
3363 else if ((r->flagset & th->th_flags) != r->flags)
3364 r = TAILQ_NEXT(r, entries);
3365 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3367 pf_socket_lookup(direction, pd, inp), 1)) &&
3369 pf_socket_lookup(direction, pd), 1)) &&
3371 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
3373 r = TAILQ_NEXT(r, entries);
3374 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3376 pf_socket_lookup(direction, pd, inp), 1)) &&
3378 pf_socket_lookup(direction, pd), 1)) &&
3380 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
3382 r = TAILQ_NEXT(r, entries);
3383 else if (r->prob && r->prob <= arc4random())
3384 r = TAILQ_NEXT(r, entries);
3385 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3386 r = TAILQ_NEXT(r, entries);
3387 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
3388 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint))
3389 r = TAILQ_NEXT(r, entries);
3393 if (r->rtableid >= 0)
3394 rtableid = r->rtableid;
3395 if (r->anchor == NULL) {
3402 r = TAILQ_NEXT(r, entries);
3404 pf_step_into_anchor(&asd, &ruleset,
3405 PF_RULESET_FILTER, &r, &a, &match);
3407 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3408 PF_RULESET_FILTER, &r, &a, &match))
3415 REASON_SET(&reason, PFRES_MATCH);
3417 if (r->log || (nr != NULL && nr->natpass && nr->log)) {
3420 m_copyback(m, off, sizeof(*th), (caddr_t)th);
3422 m_copyback(m, off, sizeof(*th), th);
3424 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
3428 if ((r->action == PF_DROP) &&
3429 ((r->rule_flag & PFRULE_RETURNRST) ||
3430 (r->rule_flag & PFRULE_RETURNICMP) ||
3431 (r->rule_flag & PFRULE_RETURN))) {
3432 /* undo NAT changes, if they have taken place */
3434 if (direction == PF_OUT) {
3435 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
3436 &th->th_sum, &pd->baddr, bport, 0, af);
3439 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
3440 &th->th_sum, &pd->baddr, bport, 0, af);
3444 if (((r->rule_flag & PFRULE_RETURNRST) ||
3445 (r->rule_flag & PFRULE_RETURN)) &&
3446 !(th->th_flags & TH_RST)) {
3447 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
3449 if (th->th_flags & TH_SYN)
3451 if (th->th_flags & TH_FIN)
3454 pf_send_tcp(m, r, af, pd->dst,
3456 pf_send_tcp(r, af, pd->dst,
3458 pd->src, th->th_dport, th->th_sport,
3459 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
3460 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
3461 } else if ((af == AF_INET) && r->return_icmp)
3462 pf_send_icmp(m, r->return_icmp >> 8,
3463 r->return_icmp & 255, af, r);
3464 else if ((af == AF_INET6) && r->return_icmp6)
3465 pf_send_icmp(m, r->return_icmp6 >> 8,
3466 r->return_icmp6 & 255, af, r);
3469 if (r->action == PF_DROP)
3472 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
3473 REASON_SET(&reason, PFRES_MEMORY);
3477 if (r->keep_state || nr != NULL ||
3478 (pd->flags & PFDESC_TCP_NORM)) {
3479 /* create new state */
3481 struct pf_state *s = NULL;
3482 struct pf_src_node *sn = NULL;
3484 len = pd->tot_len - off - (th->th_off << 2);
3486 /* check maximums */
3487 if (r->max_states && (r->states >= r->max_states)) {
3488 pf_status.lcounters[LCNT_STATES]++;
3489 REASON_SET(&reason, PFRES_MAXSTATES);
3492 /* src node for filter rule */
3493 if ((r->rule_flag & PFRULE_SRCTRACK ||
3494 r->rpool.opts & PF_POOL_STICKYADDR) &&
3495 pf_insert_src_node(&sn, r, saddr, af) != 0) {
3496 REASON_SET(&reason, PFRES_SRCLIMIT);
3499 /* src node for translation rule */
3500 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3501 ((direction == PF_OUT &&
3502 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3503 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
3504 REASON_SET(&reason, PFRES_SRCLIMIT);
3507 s = pool_get(&pf_state_pl, PR_NOWAIT);
3509 REASON_SET(&reason, PFRES_MEMORY);
3511 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3512 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3513 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3514 pf_status.src_nodes--;
3515 pool_put(&pf_src_tree_pl, sn);
3517 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3519 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3520 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3521 pf_status.src_nodes--;
3522 pool_put(&pf_src_tree_pl, nsn);
3526 bzero(s, sizeof(*s));
3528 s->nat_rule.ptr = nr;
3530 STATE_INC_COUNTERS(s);
3531 s->allow_opts = r->allow_opts;
3532 s->log = r->log & PF_LOG_ALL;
3534 s->log |= nr->log & PF_LOG_ALL;
3535 s->proto = IPPROTO_TCP;
3536 s->direction = direction;
3538 if (direction == PF_OUT) {
3539 PF_ACPY(&s->gwy.addr, saddr, af);
3540 s->gwy.port = th->th_sport; /* sport */
3541 PF_ACPY(&s->ext.addr, daddr, af);
3542 s->ext.port = th->th_dport;
3544 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3545 s->lan.port = bport;
3547 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3548 s->lan.port = s->gwy.port;
3551 PF_ACPY(&s->lan.addr, daddr, af);
3552 s->lan.port = th->th_dport;
3553 PF_ACPY(&s->ext.addr, saddr, af);
3554 s->ext.port = th->th_sport;
3556 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3557 s->gwy.port = bport;
3559 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3560 s->gwy.port = s->lan.port;
3564 s->src.seqlo = ntohl(th->th_seq);
3565 s->src.seqhi = s->src.seqlo + len + 1;
3566 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
3567 r->keep_state == PF_STATE_MODULATE) {
3568 /* Generate sequence number modulator */
3570 while ((s->src.seqdiff =
3571 pf_new_isn(s) - s->src.seqlo) == 0)
3574 while ((s->src.seqdiff =
3575 tcp_rndiss_next() - s->src.seqlo) == 0)
3578 pf_change_a(&th->th_seq, &th->th_sum,
3579 htonl(s->src.seqlo + s->src.seqdiff), 0);
3583 if (th->th_flags & TH_SYN) {
3585 s->src.wscale = pf_get_wscale(m, off, th->th_off, af);
3587 s->src.max_win = MAX(ntohs(th->th_win), 1);
3588 if (s->src.wscale & PF_WSCALE_MASK) {
3589 /* Remove scale factor from initial window */
3590 int win = s->src.max_win;
3591 win += 1 << (s->src.wscale & PF_WSCALE_MASK);
3592 s->src.max_win = (win - 1) >>
3593 (s->src.wscale & PF_WSCALE_MASK);
3595 if (th->th_flags & TH_FIN)
3599 s->src.state = TCPS_SYN_SENT;
3600 s->dst.state = TCPS_CLOSED;
3601 s->creation = time_second;
3602 s->expire = time_second;
3603 s->timeout = PFTM_TCP_FIRST_PACKET;
3604 pf_set_rt_ifp(s, saddr);
3607 s->src_node->states++;
3610 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3611 s->nat_src_node = nsn;
3612 s->nat_src_node->states++;
3614 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
3615 off, pd, th, &s->src, &s->dst)) {
3616 REASON_SET(&reason, PFRES_MEMORY);
3617 pf_src_tree_remove_state(s);
3618 STATE_DEC_COUNTERS(s);
3619 pool_put(&pf_state_pl, s);
3622 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
3623 pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
3624 &s->src, &s->dst, &rewrite)) {
3625 /* This really shouldn't happen!!! */
3626 DPFPRINTF(PF_DEBUG_URGENT,
3627 ("pf_normalize_tcp_stateful failed on first pkt"));
3628 pf_normalize_tcp_cleanup(s);
3629 pf_src_tree_remove_state(s);
3630 STATE_DEC_COUNTERS(s);
3631 pool_put(&pf_state_pl, s);
3634 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3635 pf_normalize_tcp_cleanup(s);
3636 REASON_SET(&reason, PFRES_STATEINS);
3637 pf_src_tree_remove_state(s);
3638 STATE_DEC_COUNTERS(s);
3639 pool_put(&pf_state_pl, s);
3647 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
3648 r->keep_state == PF_STATE_SYNPROXY) {
3649 s->src.state = PF_TCPS_PROXY_SRC;
3651 if (direction == PF_OUT) {
3652 pf_change_ap(saddr, &th->th_sport,
3653 pd->ip_sum, &th->th_sum, &pd->baddr,
3656 pf_change_ap(daddr, &th->th_dport,
3657 pd->ip_sum, &th->th_sum, &pd->baddr,
3661 s->src.seqhi = htonl(arc4random());
3662 /* Find mss option */
3663 mss = pf_get_mss(m, off, th->th_off, af);
3664 mss = pf_calc_mss(saddr, af, mss);
3665 mss = pf_calc_mss(daddr, af, mss);
3668 pf_send_tcp(NULL, r, af, daddr, saddr, th->th_dport,
3670 pf_send_tcp(r, af, daddr, saddr, th->th_dport,
3672 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
3673 TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL);
3674 REASON_SET(&reason, PFRES_SYNPROXY);
3675 return (PF_SYNPROXY_DROP);
3679 /* copy back packet headers if we performed NAT operations */
3681 m_copyback(m, off, sizeof(*th), (caddr_t)th);
3687 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
3688 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3690 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3691 struct ifqueue *ifq, struct inpcb *inp)
3693 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3694 struct ifqueue *ifq)
3697 struct pf_rule *nr = NULL;
3698 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3699 struct udphdr *uh = pd->hdr.udp;
3700 u_int16_t bport, nport = 0;
3701 sa_family_t af = pd->af;
3702 struct pf_rule *r, *a = NULL;
3703 struct pf_ruleset *ruleset = NULL;
3704 struct pf_src_node *nsn = NULL;
3707 int tag = -1, rtableid = -1;
3711 if (pf_check_congestion(ifq)) {
3712 REASON_SET(&reason, PFRES_CONGEST);
3718 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3719 else if (debug_pfugidhack) {
3721 DPFPRINTF(PF_DEBUG_MISC, ("pf: unlocked lookup\n"));
3722 pd->lookup.done = pf_socket_lookup(direction, pd, inp);
3727 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3729 if (direction == PF_OUT) {
3730 bport = nport = uh->uh_sport;
3731 /* check outgoing packet for BINAT/NAT */
3732 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3733 saddr, uh->uh_sport, daddr, uh->uh_dport,
3734 &pd->naddr, &nport)) != NULL) {
3735 PF_ACPY(&pd->baddr, saddr, af);
3736 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
3737 &uh->uh_sum, &pd->naddr, nport, 1, af);
3744 bport = nport = uh->uh_dport;
3745 /* check incoming packet for BINAT/RDR */
3746 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3747 saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr,
3749 PF_ACPY(&pd->baddr, daddr, af);
3750 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
3751 &uh->uh_sum, &pd->naddr, nport, 1, af);
3761 if (pfi_kif_match(r->kif, kif) == r->ifnot)
3762 r = r->skip[PF_SKIP_IFP].ptr;
3763 else if (r->direction && r->direction != direction)
3764 r = r->skip[PF_SKIP_DIR].ptr;
3765 else if (r->af && r->af != af)
3766 r = r->skip[PF_SKIP_AF].ptr;
3767 else if (r->proto && r->proto != IPPROTO_UDP)
3768 r = r->skip[PF_SKIP_PROTO].ptr;
3769 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3771 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3772 else if (r->src.port_op && !pf_match_port(r->src.port_op,
3773 r->src.port[0], r->src.port[1], uh->uh_sport))
3774 r = r->skip[PF_SKIP_SRC_PORT].ptr;
3775 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3777 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3778 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
3779 r->dst.port[0], r->dst.port[1], uh->uh_dport))
3780 r = r->skip[PF_SKIP_DST_PORT].ptr;
3781 else if (r->tos && !(r->tos == pd->tos))
3782 r = TAILQ_NEXT(r, entries);
3783 else if (r->rule_flag & PFRULE_FRAGMENT)
3784 r = TAILQ_NEXT(r, entries);
3785 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3787 pf_socket_lookup(direction, pd, inp), 1)) &&
3789 pf_socket_lookup(direction, pd), 1)) &&
3791 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
3793 r = TAILQ_NEXT(r, entries);
3794 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3796 pf_socket_lookup(direction, pd, inp), 1)) &&
3798 pf_socket_lookup(direction, pd), 1)) &&
3800 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
3802 r = TAILQ_NEXT(r, entries);
3803 else if (r->prob && r->prob <= arc4random())
3804 r = TAILQ_NEXT(r, entries);
3805 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3806 r = TAILQ_NEXT(r, entries);
3807 else if (r->os_fingerprint != PF_OSFP_ANY)
3808 r = TAILQ_NEXT(r, entries);
3812 if (r->rtableid >= 0)
3813 rtableid = r->rtableid;
3814 if (r->anchor == NULL) {
3821 r = TAILQ_NEXT(r, entries);
3823 pf_step_into_anchor(&asd, &ruleset,
3824 PF_RULESET_FILTER, &r, &a, &match);
3826 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3827 PF_RULESET_FILTER, &r, &a, &match))
3834 REASON_SET(&reason, PFRES_MATCH);
3836 if (r->log || (nr != NULL && nr->natpass && nr->log)) {
3839 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3841 m_copyback(m, off, sizeof(*uh), uh);
3843 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
3847 if ((r->action == PF_DROP) &&
3848 ((r->rule_flag & PFRULE_RETURNICMP) ||
3849 (r->rule_flag & PFRULE_RETURN))) {
3850 /* undo NAT changes, if they have taken place */
3852 if (direction == PF_OUT) {
3853 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
3854 &uh->uh_sum, &pd->baddr, bport, 1, af);
3857 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
3858 &uh->uh_sum, &pd->baddr, bport, 1, af);
3862 if ((af == AF_INET) && r->return_icmp)
3863 pf_send_icmp(m, r->return_icmp >> 8,
3864 r->return_icmp & 255, af, r);
3865 else if ((af == AF_INET6) && r->return_icmp6)
3866 pf_send_icmp(m, r->return_icmp6 >> 8,
3867 r->return_icmp6 & 255, af, r);
3870 if (r->action == PF_DROP)
3873 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
3874 REASON_SET(&reason, PFRES_MEMORY);
3878 if (r->keep_state || nr != NULL) {
3879 /* create new state */
3880 struct pf_state *s = NULL;
3881 struct pf_src_node *sn = NULL;
3883 /* check maximums */
3884 if (r->max_states && (r->states >= r->max_states)) {
3885 pf_status.lcounters[LCNT_STATES]++;
3886 REASON_SET(&reason, PFRES_MAXSTATES);
3889 /* src node for filter rule */
3890 if ((r->rule_flag & PFRULE_SRCTRACK ||
3891 r->rpool.opts & PF_POOL_STICKYADDR) &&
3892 pf_insert_src_node(&sn, r, saddr, af) != 0) {
3893 REASON_SET(&reason, PFRES_SRCLIMIT);
3896 /* src node for translation rule */
3897 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3898 ((direction == PF_OUT &&
3899 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3900 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
3901 REASON_SET(&reason, PFRES_SRCLIMIT);
3904 s = pool_get(&pf_state_pl, PR_NOWAIT);
3906 REASON_SET(&reason, PFRES_MEMORY);
3908 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3909 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3910 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3911 pf_status.src_nodes--;
3912 pool_put(&pf_src_tree_pl, sn);
3914 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3916 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3917 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3918 pf_status.src_nodes--;
3919 pool_put(&pf_src_tree_pl, nsn);
3923 bzero(s, sizeof(*s));
3925 s->nat_rule.ptr = nr;
3927 STATE_INC_COUNTERS(s);
3928 s->allow_opts = r->allow_opts;
3929 s->log = r->log & PF_LOG_ALL;
3931 s->log |= nr->log & PF_LOG_ALL;
3932 s->proto = IPPROTO_UDP;
3933 s->direction = direction;
3935 if (direction == PF_OUT) {
3936 PF_ACPY(&s->gwy.addr, saddr, af);
3937 s->gwy.port = uh->uh_sport;
3938 PF_ACPY(&s->ext.addr, daddr, af);
3939 s->ext.port = uh->uh_dport;
3941 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3942 s->lan.port = bport;
3944 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3945 s->lan.port = s->gwy.port;
3948 PF_ACPY(&s->lan.addr, daddr, af);
3949 s->lan.port = uh->uh_dport;
3950 PF_ACPY(&s->ext.addr, saddr, af);
3951 s->ext.port = uh->uh_sport;
3953 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3954 s->gwy.port = bport;
3956 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3957 s->gwy.port = s->lan.port;
3960 s->src.state = PFUDPS_SINGLE;
3961 s->dst.state = PFUDPS_NO_TRAFFIC;
3962 s->creation = time_second;
3963 s->expire = time_second;
3964 s->timeout = PFTM_UDP_FIRST_PACKET;
3965 pf_set_rt_ifp(s, saddr);
3968 s->src_node->states++;
3971 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3972 s->nat_src_node = nsn;
3973 s->nat_src_node->states++;
3975 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3976 REASON_SET(&reason, PFRES_STATEINS);
3977 pf_src_tree_remove_state(s);
3978 STATE_DEC_COUNTERS(s);
3979 pool_put(&pf_state_pl, s);
3989 /* copy back packet headers if we performed NAT operations */
3991 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3997 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
3998 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3999 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
4000 struct ifqueue *ifq)
4002 struct pf_rule *nr = NULL;
4003 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4004 struct pf_rule *r, *a = NULL;
4005 struct pf_ruleset *ruleset = NULL;
4006 struct pf_src_node *nsn = NULL;
4008 u_int16_t icmpid = 0, bport, nport = 0;
4009 sa_family_t af = pd->af;
4010 u_int8_t icmptype = 0; /* make the compiler happy */
4011 u_int8_t icmpcode = 0; /* make the compiler happy */
4013 int tag = -1, rtableid = -1;
4020 if (pf_check_congestion(ifq)) {
4021 REASON_SET(&reason, PFRES_CONGEST);
4025 switch (pd->proto) {
4028 icmptype = pd->hdr.icmp->icmp_type;
4029 icmpcode = pd->hdr.icmp->icmp_code;
4030 icmpid = pd->hdr.icmp->icmp_id;
4032 if (icmptype == ICMP_UNREACH ||
4033 icmptype == ICMP_SOURCEQUENCH ||
4034 icmptype == ICMP_REDIRECT ||
4035 icmptype == ICMP_TIMXCEED ||
4036 icmptype == ICMP_PARAMPROB)
4041 case IPPROTO_ICMPV6:
4042 icmptype = pd->hdr.icmp6->icmp6_type;
4043 icmpcode = pd->hdr.icmp6->icmp6_code;
4044 icmpid = pd->hdr.icmp6->icmp6_id;
4046 if (icmptype == ICMP6_DST_UNREACH ||
4047 icmptype == ICMP6_PACKET_TOO_BIG ||
4048 icmptype == ICMP6_TIME_EXCEEDED ||
4049 icmptype == ICMP6_PARAM_PROB)
4055 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4057 if (direction == PF_OUT) {
4058 bport = nport = icmpid;
4059 /* check outgoing packet for BINAT/NAT */
4060 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
4061 saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) !=
4063 PF_ACPY(&pd->baddr, saddr, af);
4067 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
4068 pd->naddr.v4.s_addr, 0);
4069 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
4070 pd->hdr.icmp->icmp_cksum, icmpid, nport, 0);
4071 pd->hdr.icmp->icmp_id = nport;
4072 m_copyback(m, off, ICMP_MINLEN,
4073 (caddr_t)pd->hdr.icmp);
4078 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
4089 bport = nport = icmpid;
4090 /* check incoming packet for BINAT/RDR */
4091 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
4092 saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) !=
4094 PF_ACPY(&pd->baddr, daddr, af);
4098 pf_change_a(&daddr->v4.s_addr,
4099 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4104 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
4118 if (pfi_kif_match(r->kif, kif) == r->ifnot)
4119 r = r->skip[PF_SKIP_IFP].ptr;
4120 else if (r->direction && r->direction != direction)
4121 r = r->skip[PF_SKIP_DIR].ptr;
4122 else if (r->af && r->af != af)
4123 r = r->skip[PF_SKIP_AF].ptr;
4124 else if (r->proto && r->proto != pd->proto)
4125 r = r->skip[PF_SKIP_PROTO].ptr;
4126 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
4128 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4129 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
4131 r = r->skip[PF_SKIP_DST_ADDR].ptr;
4132 else if (r->type && r->type != icmptype + 1)
4133 r = TAILQ_NEXT(r, entries);
4134 else if (r->code && r->code != icmpcode + 1)
4135 r = TAILQ_NEXT(r, entries);
4136 else if (r->tos && !(r->tos == pd->tos))
4137 r = TAILQ_NEXT(r, entries);
4138 else if (r->rule_flag & PFRULE_FRAGMENT)
4139 r = TAILQ_NEXT(r, entries);
4140 else if (r->prob && r->prob <= arc4random())
4141 r = TAILQ_NEXT(r, entries);
4142 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4143 r = TAILQ_NEXT(r, entries);
4144 else if (r->os_fingerprint != PF_OSFP_ANY)
4145 r = TAILQ_NEXT(r, entries);
4149 if (r->rtableid >= 0)
4150 rtableid = r->rtableid;
4151 if (r->anchor == NULL) {
4158 r = TAILQ_NEXT(r, entries);
4160 pf_step_into_anchor(&asd, &ruleset,
4161 PF_RULESET_FILTER, &r, &a, &match);
4163 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4164 PF_RULESET_FILTER, &r, &a, &match))
4171 REASON_SET(&reason, PFRES_MATCH);
4173 if (r->log || (nr != NULL && nr->natpass && nr->log)) {
4176 m_copyback(m, off, sizeof(struct icmp6_hdr),
4177 (caddr_t)pd->hdr.icmp6);
4179 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
4183 if (r->action != PF_PASS)
4186 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
4187 REASON_SET(&reason, PFRES_MEMORY);
4191 if (!state_icmp && (r->keep_state || nr != NULL)) {
4192 /* create new state */
4193 struct pf_state *s = NULL;
4194 struct pf_src_node *sn = NULL;
4196 /* check maximums */
4197 if (r->max_states && (r->states >= r->max_states)) {
4198 pf_status.lcounters[LCNT_STATES]++;
4199 REASON_SET(&reason, PFRES_MAXSTATES);
4202 /* src node for filter rule */
4203 if ((r->rule_flag & PFRULE_SRCTRACK ||
4204 r->rpool.opts & PF_POOL_STICKYADDR) &&
4205 pf_insert_src_node(&sn, r, saddr, af) != 0) {
4206 REASON_SET(&reason, PFRES_SRCLIMIT);
4209 /* src node for translation rule */
4210 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
4211 ((direction == PF_OUT &&
4212 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
4213 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
4214 REASON_SET(&reason, PFRES_SRCLIMIT);
4217 s = pool_get(&pf_state_pl, PR_NOWAIT);
4219 REASON_SET(&reason, PFRES_MEMORY);
4221 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
4222 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
4223 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4224 pf_status.src_nodes--;
4225 pool_put(&pf_src_tree_pl, sn);
4227 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
4229 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
4230 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4231 pf_status.src_nodes--;
4232 pool_put(&pf_src_tree_pl, nsn);
4236 bzero(s, sizeof(*s));
4238 s->nat_rule.ptr = nr;
4240 STATE_INC_COUNTERS(s);
4241 s->allow_opts = r->allow_opts;
4242 s->log = r->log & PF_LOG_ALL;
4244 s->log |= nr->log & PF_LOG_ALL;
4245 s->proto = pd->proto;
4246 s->direction = direction;
4248 if (direction == PF_OUT) {
4249 PF_ACPY(&s->gwy.addr, saddr, af);
4250 s->gwy.port = nport;
4251 PF_ACPY(&s->ext.addr, daddr, af);
4254 PF_ACPY(&s->lan.addr, &pd->baddr, af);
4255 s->lan.port = bport;
4257 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
4258 s->lan.port = s->gwy.port;
4261 PF_ACPY(&s->lan.addr, daddr, af);
4262 s->lan.port = nport;
4263 PF_ACPY(&s->ext.addr, saddr, af);
4266 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
4267 s->gwy.port = bport;
4269 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
4270 s->gwy.port = s->lan.port;
4273 s->creation = time_second;
4274 s->expire = time_second;
4275 s->timeout = PFTM_ICMP_FIRST_PACKET;
4276 pf_set_rt_ifp(s, saddr);
4279 s->src_node->states++;
4282 PF_ACPY(&nsn->raddr, &pd->naddr, af);
4283 s->nat_src_node = nsn;
4284 s->nat_src_node->states++;
4286 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
4287 REASON_SET(&reason, PFRES_STATEINS);
4288 pf_src_tree_remove_state(s);
4289 STATE_DEC_COUNTERS(s);
4290 pool_put(&pf_state_pl, s);
4301 /* copy back packet headers if we performed IPv6 NAT operations */
4303 m_copyback(m, off, sizeof(struct icmp6_hdr),
4304 (caddr_t)pd->hdr.icmp6);
4311 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
4312 struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4313 struct pf_rule **am, struct pf_ruleset **rsm, struct ifqueue *ifq)
4315 struct pf_rule *nr = NULL;
4316 struct pf_rule *r, *a = NULL;
4317 struct pf_ruleset *ruleset = NULL;
4318 struct pf_src_node *nsn = NULL;
4319 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4320 sa_family_t af = pd->af;
4322 int tag = -1, rtableid = -1;
4326 if (pf_check_congestion(ifq)) {
4327 REASON_SET(&reason, PFRES_CONGEST);
4331 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4333 if (direction == PF_OUT) {
4334 /* check outgoing packet for BINAT/NAT */
4335 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
4336 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
4337 PF_ACPY(&pd->baddr, saddr, af);
4341 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
4342 pd->naddr.v4.s_addr, 0);
4347 PF_ACPY(saddr, &pd->naddr, af);
4356 /* check incoming packet for BINAT/RDR */
4357 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
4358 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
4359 PF_ACPY(&pd->baddr, daddr, af);
4363 pf_change_a(&daddr->v4.s_addr,
4364 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4369 PF_ACPY(daddr, &pd->naddr, af);
4381 if (pfi_kif_match(r->kif, kif) == r->ifnot)
4382 r = r->skip[PF_SKIP_IFP].ptr;
4383 else if (r->direction && r->direction != direction)
4384 r = r->skip[PF_SKIP_DIR].ptr;
4385 else if (r->af && r->af != af)
4386 r = r->skip[PF_SKIP_AF].ptr;
4387 else if (r->proto && r->proto != pd->proto)
4388 r = r->skip[PF_SKIP_PROTO].ptr;
4389 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
4391 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4392 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
4394 r = r->skip[PF_SKIP_DST_ADDR].ptr;
4395 else if (r->tos && !(r->tos == pd->tos))
4396 r = TAILQ_NEXT(r, entries);
4397 else if (r->rule_flag & PFRULE_FRAGMENT)
4398 r = TAILQ_NEXT(r, entries);
4399 else if (r->prob && r->prob <= arc4random())
4400 r = TAILQ_NEXT(r, entries);
4401 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4402 r = TAILQ_NEXT(r, entries);
4403 else if (r->os_fingerprint != PF_OSFP_ANY)
4404 r = TAILQ_NEXT(r, entries);
4408 if (r->rtableid >= 0)
4409 rtableid = r->rtableid;
4410 if (r->anchor == NULL) {
4417 r = TAILQ_NEXT(r, entries);
4419 pf_step_into_anchor(&asd, &ruleset,
4420 PF_RULESET_FILTER, &r, &a, &match);
4422 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4423 PF_RULESET_FILTER, &r, &a, &match))
4430 REASON_SET(&reason, PFRES_MATCH);
4432 if (r->log || (nr != NULL && nr->natpass && nr->log))
4433 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
4436 if ((r->action == PF_DROP) &&
4437 ((r->rule_flag & PFRULE_RETURNICMP) ||
4438 (r->rule_flag & PFRULE_RETURN))) {
4439 struct pf_addr *a = NULL;
4442 if (direction == PF_OUT)
4451 pf_change_a(&a->v4.s_addr, pd->ip_sum,
4452 pd->baddr.v4.s_addr, 0);
4457 PF_ACPY(a, &pd->baddr, af);
4462 if ((af == AF_INET) && r->return_icmp)
4463 pf_send_icmp(m, r->return_icmp >> 8,
4464 r->return_icmp & 255, af, r);
4465 else if ((af == AF_INET6) && r->return_icmp6)
4466 pf_send_icmp(m, r->return_icmp6 >> 8,
4467 r->return_icmp6 & 255, af, r);
4470 if (r->action != PF_PASS)
4473 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
4474 REASON_SET(&reason, PFRES_MEMORY);
4478 if (r->keep_state || nr != NULL) {
4479 /* create new state */
4480 struct pf_state *s = NULL;
4481 struct pf_src_node *sn = NULL;
4483 /* check maximums */
4484 if (r->max_states && (r->states >= r->max_states)) {
4485 pf_status.lcounters[LCNT_STATES]++;
4486 REASON_SET(&reason, PFRES_MAXSTATES);
4489 /* src node for filter rule */
4490 if ((r->rule_flag & PFRULE_SRCTRACK ||
4491 r->rpool.opts & PF_POOL_STICKYADDR) &&
4492 pf_insert_src_node(&sn, r, saddr, af) != 0) {
4493 REASON_SET(&reason, PFRES_SRCLIMIT);
4496 /* src node for translation rule */
4497 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
4498 ((direction == PF_OUT &&
4499 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
4500 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
4501 REASON_SET(&reason, PFRES_SRCLIMIT);
4504 s = pool_get(&pf_state_pl, PR_NOWAIT);
4506 REASON_SET(&reason, PFRES_MEMORY);
4508 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
4509 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
4510 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4511 pf_status.src_nodes--;
4512 pool_put(&pf_src_tree_pl, sn);
4514 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
4516 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
4517 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4518 pf_status.src_nodes--;
4519 pool_put(&pf_src_tree_pl, nsn);
4523 bzero(s, sizeof(*s));
4525 s->nat_rule.ptr = nr;
4527 STATE_INC_COUNTERS(s);
4528 s->allow_opts = r->allow_opts;
4529 s->log = r->log & PF_LOG_ALL;
4531 s->log |= nr->log & PF_LOG_ALL;
4532 s->proto = pd->proto;
4533 s->direction = direction;
4535 if (direction == PF_OUT) {
4536 PF_ACPY(&s->gwy.addr, saddr, af);
4537 PF_ACPY(&s->ext.addr, daddr, af);
4539 PF_ACPY(&s->lan.addr, &pd->baddr, af);
4541 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
4543 PF_ACPY(&s->lan.addr, daddr, af);
4544 PF_ACPY(&s->ext.addr, saddr, af);
4546 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
4548 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
4550 s->src.state = PFOTHERS_SINGLE;
4551 s->dst.state = PFOTHERS_NO_TRAFFIC;
4552 s->creation = time_second;
4553 s->expire = time_second;
4554 s->timeout = PFTM_OTHER_FIRST_PACKET;
4555 pf_set_rt_ifp(s, saddr);
4558 s->src_node->states++;
4561 PF_ACPY(&nsn->raddr, &pd->naddr, af);
4562 s->nat_src_node = nsn;
4563 s->nat_src_node->states++;
4565 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
4566 REASON_SET(&reason, PFRES_STATEINS);
4567 pf_src_tree_remove_state(s);
4568 STATE_DEC_COUNTERS(s);
4569 pool_put(&pf_state_pl, s);
4583 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
4584 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
4585 struct pf_ruleset **rsm)
4587 struct pf_rule *r, *a = NULL;
4588 struct pf_ruleset *ruleset = NULL;
4589 sa_family_t af = pd->af;
4595 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4598 if (pfi_kif_match(r->kif, kif) == r->ifnot)
4599 r = r->skip[PF_SKIP_IFP].ptr;
4600 else if (r->direction && r->direction != direction)
4601 r = r->skip[PF_SKIP_DIR].ptr;
4602 else if (r->af && r->af != af)
4603 r = r->skip[PF_SKIP_AF].ptr;
4604 else if (r->proto && r->proto != pd->proto)
4605 r = r->skip[PF_SKIP_PROTO].ptr;
4606 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
4608 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4609 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
4611 r = r->skip[PF_SKIP_DST_ADDR].ptr;
4612 else if (r->tos && !(r->tos == pd->tos))
4613 r = TAILQ_NEXT(r, entries);
4614 else if (r->os_fingerprint != PF_OSFP_ANY)
4615 r = TAILQ_NEXT(r, entries);
4616 else if (pd->proto == IPPROTO_UDP &&
4617 (r->src.port_op || r->dst.port_op))
4618 r = TAILQ_NEXT(r, entries);
4619 else if (pd->proto == IPPROTO_TCP &&
4620 (r->src.port_op || r->dst.port_op || r->flagset))
4621 r = TAILQ_NEXT(r, entries);
4622 else if ((pd->proto == IPPROTO_ICMP ||
4623 pd->proto == IPPROTO_ICMPV6) &&
4624 (r->type || r->code))
4625 r = TAILQ_NEXT(r, entries);
4626 else if (r->prob && r->prob <= arc4random())
4627 r = TAILQ_NEXT(r, entries);
4628 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4629 r = TAILQ_NEXT(r, entries);
4631 if (r->anchor == NULL) {
4638 r = TAILQ_NEXT(r, entries);
4640 pf_step_into_anchor(&asd, &ruleset,
4641 PF_RULESET_FILTER, &r, &a, &match);
4643 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4644 PF_RULESET_FILTER, &r, &a, &match))
4651 REASON_SET(&reason, PFRES_MATCH);
4654 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset,
4657 if (r->action != PF_PASS)
4660 if (pf_tag_packet(m, pd->pf_mtag, tag, -1)) {
4661 REASON_SET(&reason, PFRES_MEMORY);
4669 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
4670 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4673 struct pf_state_cmp key;
4674 struct tcphdr *th = pd->hdr.tcp;
4675 u_int16_t win = ntohs(th->th_win);
4676 u_int32_t ack, end, seq, orig_seq;
4680 struct pf_state_peer *src, *dst;
4683 key.proto = IPPROTO_TCP;
4684 if (direction == PF_IN) {
4685 PF_ACPY(&key.ext.addr, pd->src, key.af);
4686 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4687 key.ext.port = th->th_sport;
4688 key.gwy.port = th->th_dport;
4690 PF_ACPY(&key.lan.addr, pd->src, key.af);
4691 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4692 key.lan.port = th->th_sport;
4693 key.ext.port = th->th_dport;
4698 if (direction == (*state)->direction) {
4699 src = &(*state)->src;
4700 dst = &(*state)->dst;
4702 src = &(*state)->dst;
4703 dst = &(*state)->src;
4706 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
4707 if (direction != (*state)->direction) {
4708 REASON_SET(reason, PFRES_SYNPROXY);
4709 return (PF_SYNPROXY_DROP);
4711 if (th->th_flags & TH_SYN) {
4712 if (ntohl(th->th_seq) != (*state)->src.seqlo) {
4713 REASON_SET(reason, PFRES_SYNPROXY);
4717 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4719 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
4721 pd->src, th->th_dport, th->th_sport,
4722 (*state)->src.seqhi, ntohl(th->th_seq) + 1,
4723 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
4725 REASON_SET(reason, PFRES_SYNPROXY);
4726 return (PF_SYNPROXY_DROP);
4727 } else if (!(th->th_flags & TH_ACK) ||
4728 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4729 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4730 REASON_SET(reason, PFRES_SYNPROXY);
4732 } else if ((*state)->src_node != NULL &&
4733 pf_src_connlimit(state)) {
4734 REASON_SET(reason, PFRES_SRCLIMIT);
4737 (*state)->src.state = PF_TCPS_PROXY_DST;
4739 if ((*state)->src.state == PF_TCPS_PROXY_DST) {
4740 struct pf_state_host *src, *dst;
4742 if (direction == PF_OUT) {
4743 src = &(*state)->gwy;
4744 dst = &(*state)->ext;
4746 src = &(*state)->ext;
4747 dst = &(*state)->lan;
4749 if (direction == (*state)->direction) {
4750 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
4751 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4752 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4753 REASON_SET(reason, PFRES_SYNPROXY);
4756 (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
4757 if ((*state)->dst.seqhi == 1)
4758 (*state)->dst.seqhi = htonl(arc4random());
4760 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4763 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
4765 &dst->addr, src->port, dst->port,
4766 (*state)->dst.seqhi, 0, TH_SYN, 0,
4767 (*state)->src.mss, 0, 0, (*state)->tag, NULL, NULL);
4768 REASON_SET(reason, PFRES_SYNPROXY);
4769 return (PF_SYNPROXY_DROP);
4770 } else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
4772 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
4773 REASON_SET(reason, PFRES_SYNPROXY);
4776 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
4777 (*state)->dst.seqlo = ntohl(th->th_seq);
4779 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4781 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
4783 pd->src, th->th_dport, th->th_sport,
4784 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
4785 TH_ACK, (*state)->src.max_win, 0, 0, 0,
4786 (*state)->tag, NULL, NULL);
4788 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4791 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
4793 &dst->addr, src->port, dst->port,
4794 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
4795 TH_ACK, (*state)->dst.max_win, 0, 0, 1,
4797 (*state)->src.seqdiff = (*state)->dst.seqhi -
4798 (*state)->src.seqlo;
4799 (*state)->dst.seqdiff = (*state)->src.seqhi -
4800 (*state)->dst.seqlo;
4801 (*state)->src.seqhi = (*state)->src.seqlo +
4802 (*state)->dst.max_win;
4803 (*state)->dst.seqhi = (*state)->dst.seqlo +
4804 (*state)->src.max_win;
4805 (*state)->src.wscale = (*state)->dst.wscale = 0;
4806 (*state)->src.state = (*state)->dst.state =
4808 REASON_SET(reason, PFRES_SYNPROXY);
4809 return (PF_SYNPROXY_DROP);
4813 if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
4814 dst->state >= TCPS_FIN_WAIT_2 &&
4815 src->state >= TCPS_FIN_WAIT_2) {
4816 if (pf_status.debug >= PF_DEBUG_MISC) {
4817 printf("pf: state reuse ");
4818 pf_print_state(*state);
4819 pf_print_flags(th->th_flags);
4822 /* XXX make sure it's the same direction ?? */
4823 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
4824 pf_unlink_state(*state);
4829 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
4830 sws = src->wscale & PF_WSCALE_MASK;
4831 dws = dst->wscale & PF_WSCALE_MASK;
4836 * Sequence tracking algorithm from Guido van Rooij's paper:
4837 * http://www.madison-gurkha.com/publications/tcp_filtering/
4841 orig_seq = seq = ntohl(th->th_seq);
4842 if (src->seqlo == 0) {
4843 /* First packet from this end. Set its state */
4845 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
4846 src->scrub == NULL) {
4847 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
4848 REASON_SET(reason, PFRES_MEMORY);
4853 /* Deferred generation of sequence number modulator */
4854 if (dst->seqdiff && !src->seqdiff) {
4856 while ((src->seqdiff = pf_new_isn(*state) - seq) == 0)
4859 while ((src->seqdiff = tcp_rndiss_next() - seq) == 0)
4862 ack = ntohl(th->th_ack) - dst->seqdiff;
4863 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
4865 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
4868 ack = ntohl(th->th_ack);
4871 end = seq + pd->p_len;
4872 if (th->th_flags & TH_SYN) {
4874 if (dst->wscale & PF_WSCALE_FLAG) {
4875 src->wscale = pf_get_wscale(m, off, th->th_off,
4877 if (src->wscale & PF_WSCALE_FLAG) {
4878 /* Remove scale factor from initial
4880 sws = src->wscale & PF_WSCALE_MASK;
4881 win = ((u_int32_t)win + (1 << sws) - 1)
4883 dws = dst->wscale & PF_WSCALE_MASK;
4885 /* fixup other window */
4886 dst->max_win <<= dst->wscale &
4888 /* in case of a retrans SYN|ACK */
4893 if (th->th_flags & TH_FIN)
4897 if (src->state < TCPS_SYN_SENT)
4898 src->state = TCPS_SYN_SENT;
4901 * May need to slide the window (seqhi may have been set by
4902 * the crappy stack check or if we picked up the connection
4903 * after establishment)
4905 if (src->seqhi == 1 ||
4906 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
4907 src->seqhi = end + MAX(1, dst->max_win << dws);
4908 if (win > src->max_win)
4912 ack = ntohl(th->th_ack) - dst->seqdiff;
4914 /* Modulate sequence numbers */
4915 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
4917 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
4920 end = seq + pd->p_len;
4921 if (th->th_flags & TH_SYN)
4923 if (th->th_flags & TH_FIN)
4927 if ((th->th_flags & TH_ACK) == 0) {
4928 /* Let it pass through the ack skew check */
4930 } else if ((ack == 0 &&
4931 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
4932 /* broken tcp stacks do not set ack */
4933 (dst->state < TCPS_SYN_SENT)) {
4935 * Many stacks (ours included) will set the ACK number in an
4936 * FIN|ACK if the SYN times out -- no sequence to ACK.
4942 /* Ease sequencing restrictions on no data packets */
4947 ackskew = dst->seqlo - ack;
4951 * Need to demodulate the sequence numbers in any TCP SACK options
4952 * (Selective ACK). We could optionally validate the SACK values
4953 * against the current ACK window, either forwards or backwards, but
4954 * I'm not confident that SACK has been implemented properly
4955 * everywhere. It wouldn't surprise me if several stacks accidently
4956 * SACK too far backwards of previously ACKed data. There really aren't
4957 * any security implications of bad SACKing unless the target stack
4958 * doesn't validate the option length correctly. Someone trying to
4959 * spoof into a TCP connection won't bother blindly sending SACK
4962 if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) {
4963 if (pf_modulate_sack(m, off, pd, th, dst))
4968 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
4969 if (SEQ_GEQ(src->seqhi, end) &&
4970 /* Last octet inside other's window space */
4971 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
4972 /* Retrans: not more than one window back */
4973 (ackskew >= -MAXACKWINDOW) &&
4974 /* Acking not more than one reassembled fragment backwards */
4975 (ackskew <= (MAXACKWINDOW << sws)) &&
4976 /* Acking not more than one window forward */
4977 ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
4978 (orig_seq == src->seqlo + 1) || (pd->flags & PFDESC_IP_REAS) == 0)) {
4979 /* Require an exact/+1 sequence match on resets when possible */
4981 if (dst->scrub || src->scrub) {
4982 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4983 *state, src, dst, ©back))
4987 /* update max window */
4988 if (src->max_win < win)
4990 /* synchronize sequencing */
4991 if (SEQ_GT(end, src->seqlo))
4993 /* slide the window of what the other end can send */
4994 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
4995 dst->seqhi = ack + MAX((win << sws), 1);
4999 if (th->th_flags & TH_SYN)
5000 if (src->state < TCPS_SYN_SENT)
5001 src->state = TCPS_SYN_SENT;
5002 if (th->th_flags & TH_FIN)
5003 if (src->state < TCPS_CLOSING)
5004 src->state = TCPS_CLOSING;
5005 if (th->th_flags & TH_ACK) {
5006 if (dst->state == TCPS_SYN_SENT) {
5007 dst->state = TCPS_ESTABLISHED;
5008 if (src->state == TCPS_ESTABLISHED &&
5009 (*state)->src_node != NULL &&
5010 pf_src_connlimit(state)) {
5011 REASON_SET(reason, PFRES_SRCLIMIT);
5014 } else if (dst->state == TCPS_CLOSING)
5015 dst->state = TCPS_FIN_WAIT_2;
5017 if (th->th_flags & TH_RST)
5018 src->state = dst->state = TCPS_TIME_WAIT;
5020 /* update expire time */
5021 (*state)->expire = time_second;
5022 if (src->state >= TCPS_FIN_WAIT_2 &&
5023 dst->state >= TCPS_FIN_WAIT_2)
5024 (*state)->timeout = PFTM_TCP_CLOSED;
5025 else if (src->state >= TCPS_CLOSING &&
5026 dst->state >= TCPS_CLOSING)
5027 (*state)->timeout = PFTM_TCP_FIN_WAIT;
5028 else if (src->state < TCPS_ESTABLISHED ||
5029 dst->state < TCPS_ESTABLISHED)
5030 (*state)->timeout = PFTM_TCP_OPENING;
5031 else if (src->state >= TCPS_CLOSING ||
5032 dst->state >= TCPS_CLOSING)
5033 (*state)->timeout = PFTM_TCP_CLOSING;
5035 (*state)->timeout = PFTM_TCP_ESTABLISHED;
5037 /* Fall through to PASS packet */
5039 } else if ((dst->state < TCPS_SYN_SENT ||
5040 dst->state >= TCPS_FIN_WAIT_2 ||
5041 src->state >= TCPS_FIN_WAIT_2) &&
5042 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
5043 /* Within a window forward of the originating packet */
5044 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
5045 /* Within a window backward of the originating packet */
5048 * This currently handles three situations:
5049 * 1) Stupid stacks will shotgun SYNs before their peer
5051 * 2) When PF catches an already established stream (the
5052 * firewall rebooted, the state table was flushed, routes
5054 * 3) Packets get funky immediately after the connection
5055 * closes (this should catch Solaris spurious ACK|FINs
5056 * that web servers like to spew after a close)
5058 * This must be a little more careful than the above code
5059 * since packet floods will also be caught here. We don't
5060 * update the TTL here to mitigate the damage of a packet
5061 * flood and so the same code can handle awkward establishment
5062 * and a loosened connection close.
5063 * In the establishment case, a correct peer response will
5064 * validate the connection, go through the normal state code
5065 * and keep updating the state TTL.
5068 if (pf_status.debug >= PF_DEBUG_MISC) {
5069 printf("pf: loose state match: ");
5070 pf_print_state(*state);
5071 pf_print_flags(th->th_flags);
5072 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
5073 "pkts=%llu:%llu\n", seq, orig_seq, ack, pd->p_len,
5075 ackskew, (unsigned long long)(*state)->packets[0],
5076 (unsigned long long)(*state)->packets[1]);
5078 ackskew, (*state)->packets[0],
5079 (*state)->packets[1]);
5083 if (dst->scrub || src->scrub) {
5084 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
5085 *state, src, dst, ©back))
5089 /* update max window */
5090 if (src->max_win < win)
5092 /* synchronize sequencing */
5093 if (SEQ_GT(end, src->seqlo))
5095 /* slide the window of what the other end can send */
5096 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
5097 dst->seqhi = ack + MAX((win << sws), 1);
5100 * Cannot set dst->seqhi here since this could be a shotgunned
5101 * SYN and not an already established connection.
5104 if (th->th_flags & TH_FIN)
5105 if (src->state < TCPS_CLOSING)
5106 src->state = TCPS_CLOSING;
5107 if (th->th_flags & TH_RST)
5108 src->state = dst->state = TCPS_TIME_WAIT;
5110 /* Fall through to PASS packet */
5113 if ((*state)->dst.state == TCPS_SYN_SENT &&
5114 (*state)->src.state == TCPS_SYN_SENT) {
5115 /* Send RST for state mismatches during handshake */
5116 if (!(th->th_flags & TH_RST))
5118 pf_send_tcp(m, (*state)->rule.ptr, pd->af,
5120 pf_send_tcp((*state)->rule.ptr, pd->af,
5122 pd->dst, pd->src, th->th_dport,
5123 th->th_sport, ntohl(th->th_ack), 0,
5125 (*state)->rule.ptr->return_ttl, 1, 0,
5126 pd->eh, kif->pfik_ifp);
5130 } else if (pf_status.debug >= PF_DEBUG_MISC) {
5131 printf("pf: BAD state: ");
5132 pf_print_state(*state);
5133 pf_print_flags(th->th_flags);
5134 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
5135 "pkts=%llu:%llu dir=%s,%s\n",
5136 seq, orig_seq, ack, pd->p_len, ackskew,
5138 (unsigned long long)(*state)->packets[0],
5139 (unsigned long long)(*state)->packets[1],
5141 (*state)->packets[0], (*state)->packets[1],
5143 direction == PF_IN ? "in" : "out",
5144 direction == (*state)->direction ? "fwd" : "rev");
5145 printf("pf: State failure on: %c %c %c %c | %c %c\n",
5146 SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
5147 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
5149 (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
5150 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
5151 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
5152 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
5154 REASON_SET(reason, PFRES_BADSTATE);
5158 /* Any packets which have gotten here are to be passed */
5160 /* translate source/destination address, if necessary */
5161 if (STATE_TRANSLATE(*state)) {
5162 if (direction == PF_OUT)
5163 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
5164 &th->th_sum, &(*state)->gwy.addr,
5165 (*state)->gwy.port, 0, pd->af);
5167 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
5168 &th->th_sum, &(*state)->lan.addr,
5169 (*state)->lan.port, 0, pd->af);
5170 m_copyback(m, off, sizeof(*th), (caddr_t)th);
5171 } else if (copyback) {
5172 /* Copyback sequence modulation or stateful scrub changes */
5173 m_copyback(m, off, sizeof(*th), (caddr_t)th);
5180 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
5181 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
5183 struct pf_state_peer *src, *dst;
5184 struct pf_state_cmp key;
5185 struct udphdr *uh = pd->hdr.udp;
5188 key.proto = IPPROTO_UDP;
5189 if (direction == PF_IN) {
5190 PF_ACPY(&key.ext.addr, pd->src, key.af);
5191 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5192 key.ext.port = uh->uh_sport;
5193 key.gwy.port = uh->uh_dport;
5195 PF_ACPY(&key.lan.addr, pd->src, key.af);
5196 PF_ACPY(&key.ext.addr, pd->dst, key.af);
5197 key.lan.port = uh->uh_sport;
5198 key.ext.port = uh->uh_dport;
5203 if (direction == (*state)->direction) {
5204 src = &(*state)->src;
5205 dst = &(*state)->dst;
5207 src = &(*state)->dst;
5208 dst = &(*state)->src;
5212 if (src->state < PFUDPS_SINGLE)
5213 src->state = PFUDPS_SINGLE;
5214 if (dst->state == PFUDPS_SINGLE)
5215 dst->state = PFUDPS_MULTIPLE;
5217 /* update expire time */
5218 (*state)->expire = time_second;
5219 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
5220 (*state)->timeout = PFTM_UDP_MULTIPLE;
5222 (*state)->timeout = PFTM_UDP_SINGLE;
5224 /* translate source/destination address, if necessary */
5225 if (STATE_TRANSLATE(*state)) {
5226 if (direction == PF_OUT)
5227 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
5228 &uh->uh_sum, &(*state)->gwy.addr,
5229 (*state)->gwy.port, 1, pd->af);
5231 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
5232 &uh->uh_sum, &(*state)->lan.addr,
5233 (*state)->lan.port, 1, pd->af);
5234 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
5241 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
5242 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
5244 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
5245 u_int16_t icmpid = 0; /* make the compiler happy */
5246 u_int16_t *icmpsum = NULL; /* make the compiler happy */
5247 u_int8_t icmptype = 0; /* make the compiler happy */
5249 struct pf_state_cmp key;
5251 switch (pd->proto) {
5254 icmptype = pd->hdr.icmp->icmp_type;
5255 icmpid = pd->hdr.icmp->icmp_id;
5256 icmpsum = &pd->hdr.icmp->icmp_cksum;
5258 if (icmptype == ICMP_UNREACH ||
5259 icmptype == ICMP_SOURCEQUENCH ||
5260 icmptype == ICMP_REDIRECT ||
5261 icmptype == ICMP_TIMXCEED ||
5262 icmptype == ICMP_PARAMPROB)
5267 case IPPROTO_ICMPV6:
5268 icmptype = pd->hdr.icmp6->icmp6_type;
5269 icmpid = pd->hdr.icmp6->icmp6_id;
5270 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
5272 if (icmptype == ICMP6_DST_UNREACH ||
5273 icmptype == ICMP6_PACKET_TOO_BIG ||
5274 icmptype == ICMP6_TIME_EXCEEDED ||
5275 icmptype == ICMP6_PARAM_PROB)
5284 * ICMP query/reply message not related to a TCP/UDP packet.
5285 * Search for an ICMP state.
5288 key.proto = pd->proto;
5289 if (direction == PF_IN) {
5290 PF_ACPY(&key.ext.addr, pd->src, key.af);
5291 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5293 key.gwy.port = icmpid;
5295 PF_ACPY(&key.lan.addr, pd->src, key.af);
5296 PF_ACPY(&key.ext.addr, pd->dst, key.af);
5297 key.lan.port = icmpid;
5303 (*state)->expire = time_second;
5304 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
5306 /* translate source/destination address, if necessary */
5307 if (STATE_TRANSLATE(*state)) {
5308 if (direction == PF_OUT) {
5312 pf_change_a(&saddr->v4.s_addr,
5314 (*state)->gwy.addr.v4.s_addr, 0);
5315 pd->hdr.icmp->icmp_cksum =
5317 pd->hdr.icmp->icmp_cksum, icmpid,
5318 (*state)->gwy.port, 0);
5319 pd->hdr.icmp->icmp_id =
5321 m_copyback(m, off, ICMP_MINLEN,
5322 (caddr_t)pd->hdr.icmp);
5328 &pd->hdr.icmp6->icmp6_cksum,
5329 &(*state)->gwy.addr, 0);
5331 sizeof(struct icmp6_hdr),
5332 (caddr_t)pd->hdr.icmp6);
5340 pf_change_a(&daddr->v4.s_addr,
5342 (*state)->lan.addr.v4.s_addr, 0);
5343 pd->hdr.icmp->icmp_cksum =
5345 pd->hdr.icmp->icmp_cksum, icmpid,
5346 (*state)->lan.port, 0);
5347 pd->hdr.icmp->icmp_id =
5349 m_copyback(m, off, ICMP_MINLEN,
5350 (caddr_t)pd->hdr.icmp);
5356 &pd->hdr.icmp6->icmp6_cksum,
5357 &(*state)->lan.addr, 0);
5359 sizeof(struct icmp6_hdr),
5360 (caddr_t)pd->hdr.icmp6);
5371 * ICMP error message in response to a TCP/UDP packet.
5372 * Extract the inner TCP/UDP header and search for that state.
5375 struct pf_pdesc pd2;
5380 struct ip6_hdr h2_6;
5383 int ipoff2 = 0; /* make the compiler happy */
5384 int off2 = 0; /* make the compiler happy */
5390 /* offset of h2 in mbuf chain */
5391 ipoff2 = off + ICMP_MINLEN;
5393 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
5394 NULL, reason, pd2.af)) {
5395 DPFPRINTF(PF_DEBUG_MISC,
5396 ("pf: ICMP error message too short "
5401 * ICMP error messages don't refer to non-first
5404 if (h2.ip_off & htons(IP_OFFMASK)) {
5405 REASON_SET(reason, PFRES_FRAG);
5409 /* offset of protocol header that follows h2 */
5410 off2 = ipoff2 + (h2.ip_hl << 2);
5412 pd2.proto = h2.ip_p;
5413 pd2.src = (struct pf_addr *)&h2.ip_src;
5414 pd2.dst = (struct pf_addr *)&h2.ip_dst;
5415 pd2.ip_sum = &h2.ip_sum;
5420 ipoff2 = off + sizeof(struct icmp6_hdr);
5422 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
5423 NULL, reason, pd2.af)) {
5424 DPFPRINTF(PF_DEBUG_MISC,
5425 ("pf: ICMP error message too short "
5429 pd2.proto = h2_6.ip6_nxt;
5430 pd2.src = (struct pf_addr *)&h2_6.ip6_src;
5431 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
5433 off2 = ipoff2 + sizeof(h2_6);
5435 switch (pd2.proto) {
5436 case IPPROTO_FRAGMENT:
5438 * ICMPv6 error messages for
5439 * non-first fragments
5441 REASON_SET(reason, PFRES_FRAG);
5444 case IPPROTO_HOPOPTS:
5445 case IPPROTO_ROUTING:
5446 case IPPROTO_DSTOPTS: {
5447 /* get next header and header length */
5448 struct ip6_ext opt6;
5450 if (!pf_pull_hdr(m, off2, &opt6,
5451 sizeof(opt6), NULL, reason,
5453 DPFPRINTF(PF_DEBUG_MISC,
5454 ("pf: ICMPv6 short opt\n"));
5457 if (pd2.proto == IPPROTO_AH)
5458 off2 += (opt6.ip6e_len + 2) * 4;
5460 off2 += (opt6.ip6e_len + 1) * 8;
5461 pd2.proto = opt6.ip6e_nxt;
5462 /* goto the next header */
5469 } while (!terminal);
5474 panic("AF not supported: %d", pd->af);
5478 switch (pd2.proto) {
5482 struct pf_state_peer *src, *dst;
5487 * Only the first 8 bytes of the TCP header can be
5488 * expected. Don't access any TCP header fields after
5489 * th_seq, an ackskew test is not possible.
5491 if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason,
5493 DPFPRINTF(PF_DEBUG_MISC,
5494 ("pf: ICMP error message too short "
5500 key.proto = IPPROTO_TCP;
5501 if (direction == PF_IN) {
5502 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5503 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5504 key.ext.port = th.th_dport;
5505 key.gwy.port = th.th_sport;
5507 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5508 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5509 key.lan.port = th.th_dport;
5510 key.ext.port = th.th_sport;
5515 if (direction == (*state)->direction) {
5516 src = &(*state)->dst;
5517 dst = &(*state)->src;
5519 src = &(*state)->src;
5520 dst = &(*state)->dst;
5523 if (src->wscale && dst->wscale)
5524 dws = dst->wscale & PF_WSCALE_MASK;
5528 /* Demodulate sequence number */
5529 seq = ntohl(th.th_seq) - src->seqdiff;
5531 pf_change_a(&th.th_seq, icmpsum,
5536 if (!SEQ_GEQ(src->seqhi, seq) ||
5537 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) {
5538 if (pf_status.debug >= PF_DEBUG_MISC) {
5539 printf("pf: BAD ICMP %d:%d ",
5540 icmptype, pd->hdr.icmp->icmp_code);
5541 pf_print_host(pd->src, 0, pd->af);
5543 pf_print_host(pd->dst, 0, pd->af);
5545 pf_print_state(*state);
5546 printf(" seq=%u\n", seq);
5548 REASON_SET(reason, PFRES_BADSTATE);
5552 if (STATE_TRANSLATE(*state)) {
5553 if (direction == PF_IN) {
5554 pf_change_icmp(pd2.src, &th.th_sport,
5555 daddr, &(*state)->lan.addr,
5556 (*state)->lan.port, NULL,
5557 pd2.ip_sum, icmpsum,
5558 pd->ip_sum, 0, pd2.af);
5560 pf_change_icmp(pd2.dst, &th.th_dport,
5561 saddr, &(*state)->gwy.addr,
5562 (*state)->gwy.port, NULL,
5563 pd2.ip_sum, icmpsum,
5564 pd->ip_sum, 0, pd2.af);
5573 m_copyback(m, off, ICMP_MINLEN,
5574 (caddr_t)pd->hdr.icmp);
5575 m_copyback(m, ipoff2, sizeof(h2),
5582 sizeof(struct icmp6_hdr),
5583 (caddr_t)pd->hdr.icmp6);
5584 m_copyback(m, ipoff2, sizeof(h2_6),
5589 m_copyback(m, off2, 8, (caddr_t)&th);
5598 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
5599 NULL, reason, pd2.af)) {
5600 DPFPRINTF(PF_DEBUG_MISC,
5601 ("pf: ICMP error message too short "
5607 key.proto = IPPROTO_UDP;
5608 if (direction == PF_IN) {
5609 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5610 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5611 key.ext.port = uh.uh_dport;
5612 key.gwy.port = uh.uh_sport;
5614 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5615 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5616 key.lan.port = uh.uh_dport;
5617 key.ext.port = uh.uh_sport;
5622 if (STATE_TRANSLATE(*state)) {
5623 if (direction == PF_IN) {
5624 pf_change_icmp(pd2.src, &uh.uh_sport,
5625 daddr, &(*state)->lan.addr,
5626 (*state)->lan.port, &uh.uh_sum,
5627 pd2.ip_sum, icmpsum,
5628 pd->ip_sum, 1, pd2.af);
5630 pf_change_icmp(pd2.dst, &uh.uh_dport,
5631 saddr, &(*state)->gwy.addr,
5632 (*state)->gwy.port, &uh.uh_sum,
5633 pd2.ip_sum, icmpsum,
5634 pd->ip_sum, 1, pd2.af);
5639 m_copyback(m, off, ICMP_MINLEN,
5640 (caddr_t)pd->hdr.icmp);
5641 m_copyback(m, ipoff2, sizeof(h2),
5648 sizeof(struct icmp6_hdr),
5649 (caddr_t)pd->hdr.icmp6);
5650 m_copyback(m, ipoff2, sizeof(h2_6),
5655 m_copyback(m, off2, sizeof(uh),
5663 case IPPROTO_ICMP: {
5666 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
5667 NULL, reason, pd2.af)) {
5668 DPFPRINTF(PF_DEBUG_MISC,
5669 ("pf: ICMP error message too short i"
5675 key.proto = IPPROTO_ICMP;
5676 if (direction == PF_IN) {
5677 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5678 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5680 key.gwy.port = iih.icmp_id;
5682 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5683 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5684 key.lan.port = iih.icmp_id;
5690 if (STATE_TRANSLATE(*state)) {
5691 if (direction == PF_IN) {
5692 pf_change_icmp(pd2.src, &iih.icmp_id,
5693 daddr, &(*state)->lan.addr,
5694 (*state)->lan.port, NULL,
5695 pd2.ip_sum, icmpsum,
5696 pd->ip_sum, 0, AF_INET);
5698 pf_change_icmp(pd2.dst, &iih.icmp_id,
5699 saddr, &(*state)->gwy.addr,
5700 (*state)->gwy.port, NULL,
5701 pd2.ip_sum, icmpsum,
5702 pd->ip_sum, 0, AF_INET);
5704 m_copyback(m, off, ICMP_MINLEN,
5705 (caddr_t)pd->hdr.icmp);
5706 m_copyback(m, ipoff2, sizeof(h2),
5708 m_copyback(m, off2, ICMP_MINLEN,
5717 case IPPROTO_ICMPV6: {
5718 struct icmp6_hdr iih;
5720 if (!pf_pull_hdr(m, off2, &iih,
5721 sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
5722 DPFPRINTF(PF_DEBUG_MISC,
5723 ("pf: ICMP error message too short "
5729 key.proto = IPPROTO_ICMPV6;
5730 if (direction == PF_IN) {
5731 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5732 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5734 key.gwy.port = iih.icmp6_id;
5736 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5737 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5738 key.lan.port = iih.icmp6_id;
5744 if (STATE_TRANSLATE(*state)) {
5745 if (direction == PF_IN) {
5746 pf_change_icmp(pd2.src, &iih.icmp6_id,
5747 daddr, &(*state)->lan.addr,
5748 (*state)->lan.port, NULL,
5749 pd2.ip_sum, icmpsum,
5750 pd->ip_sum, 0, AF_INET6);
5752 pf_change_icmp(pd2.dst, &iih.icmp6_id,
5753 saddr, &(*state)->gwy.addr,
5754 (*state)->gwy.port, NULL,
5755 pd2.ip_sum, icmpsum,
5756 pd->ip_sum, 0, AF_INET6);
5758 m_copyback(m, off, sizeof(struct icmp6_hdr),
5759 (caddr_t)pd->hdr.icmp6);
5760 m_copyback(m, ipoff2, sizeof(h2_6),
5762 m_copyback(m, off2, sizeof(struct icmp6_hdr),
5772 key.proto = pd2.proto;
5773 if (direction == PF_IN) {
5774 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5775 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5779 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5780 PF_ACPY(&key.ext.addr, pd2.src, key.af);
5787 if (STATE_TRANSLATE(*state)) {
5788 if (direction == PF_IN) {
5789 pf_change_icmp(pd2.src, NULL,
5790 daddr, &(*state)->lan.addr,
5792 pd2.ip_sum, icmpsum,
5793 pd->ip_sum, 0, pd2.af);
5795 pf_change_icmp(pd2.dst, NULL,
5796 saddr, &(*state)->gwy.addr,
5798 pd2.ip_sum, icmpsum,
5799 pd->ip_sum, 0, pd2.af);
5804 m_copyback(m, off, ICMP_MINLEN,
5805 (caddr_t)pd->hdr.icmp);
5806 m_copyback(m, ipoff2, sizeof(h2),
5813 sizeof(struct icmp6_hdr),
5814 (caddr_t)pd->hdr.icmp6);
5815 m_copyback(m, ipoff2, sizeof(h2_6),
5830 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
5831 struct pf_pdesc *pd)
5833 struct pf_state_peer *src, *dst;
5834 struct pf_state_cmp key;
5837 key.proto = pd->proto;
5838 if (direction == PF_IN) {
5839 PF_ACPY(&key.ext.addr, pd->src, key.af);
5840 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5844 PF_ACPY(&key.lan.addr, pd->src, key.af);
5845 PF_ACPY(&key.ext.addr, pd->dst, key.af);
5852 if (direction == (*state)->direction) {
5853 src = &(*state)->src;
5854 dst = &(*state)->dst;
5856 src = &(*state)->dst;
5857 dst = &(*state)->src;
5861 if (src->state < PFOTHERS_SINGLE)
5862 src->state = PFOTHERS_SINGLE;
5863 if (dst->state == PFOTHERS_SINGLE)
5864 dst->state = PFOTHERS_MULTIPLE;
5866 /* update expire time */
5867 (*state)->expire = time_second;
5868 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
5869 (*state)->timeout = PFTM_OTHER_MULTIPLE;
5871 (*state)->timeout = PFTM_OTHER_SINGLE;
5873 /* translate source/destination address, if necessary */
5874 if (STATE_TRANSLATE(*state)) {
5875 if (direction == PF_OUT)
5879 pf_change_a(&pd->src->v4.s_addr,
5880 pd->ip_sum, (*state)->gwy.addr.v4.s_addr,
5886 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af);
5894 pf_change_a(&pd->dst->v4.s_addr,
5895 pd->ip_sum, (*state)->lan.addr.v4.s_addr,
5901 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af);
5911 * ipoff and off are measured from the start of the mbuf chain.
5912 * h must be at "ipoff" on the mbuf chain.
5915 pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
5916 u_short *actionp, u_short *reasonp, sa_family_t af)
5921 struct ip *h = mtod(m, struct ip *);
5922 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
5926 ACTION_SET(actionp, PF_PASS);
5928 ACTION_SET(actionp, PF_DROP);
5929 REASON_SET(reasonp, PFRES_FRAG);
5933 if (m->m_pkthdr.len < off + len ||
5934 ntohs(h->ip_len) < off + len) {
5935 ACTION_SET(actionp, PF_DROP);
5936 REASON_SET(reasonp, PFRES_SHORT);
5944 struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
5946 if (m->m_pkthdr.len < off + len ||
5947 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
5948 (unsigned)(off + len)) {
5949 ACTION_SET(actionp, PF_DROP);
5950 REASON_SET(reasonp, PFRES_SHORT);
5957 m_copydata(m, off, len, p);
5962 pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif)
5964 struct sockaddr_in *dst;
5968 extern int ipmultipath;
5972 extern int ip6_multipath;
5974 struct sockaddr_in6 *dst6;
5975 struct route_in6 ro;
5979 struct radix_node *rn;
5984 bzero(&ro, sizeof(ro));
5987 dst = satosin(&ro.ro_dst);
5988 dst->sin_family = AF_INET;
5989 dst->sin_len = sizeof(*dst);
5990 dst->sin_addr = addr->v4;
5991 #ifndef __FreeBSD__ /* MULTIPATH_ROUTING */
5998 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
5999 dst6->sin6_family = AF_INET6;
6000 dst6->sin6_len = sizeof(*dst6);
6001 dst6->sin6_addr = addr->v6;
6002 #ifndef __FreeBSD__ /* MULTIPATH_ROUTING */
6012 /* Skip checks for ipsec interfaces */
6013 if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
6017 /* XXX MRT not always INET */ /* stick with table 0 though */
6019 in_rtalloc_ign((struct route *)&ro, 0, 0);
6021 rtalloc_ign((struct route *)&ro, 0);
6022 #else /* ! __FreeBSD__ */
6023 rtalloc_noclone((struct route *)&ro, NO_CLONING);
6026 if (ro.ro_rt != NULL) {
6027 /* No interface given, this is a no-route check */
6031 if (kif->pfik_ifp == NULL) {
6036 /* Perform uRPF check if passed input interface */
6038 rn = (struct radix_node *)ro.ro_rt;
6040 rt = (struct rtentry *)rn;
6041 #ifndef __FreeBSD__ /* CARPDEV */
6042 if (rt->rt_ifp->if_type == IFT_CARP)
6043 ifp = rt->rt_ifp->if_carpdev;
6048 if (kif->pfik_ifp == ifp)
6050 #ifdef __FreeBSD__ /* MULTIPATH_ROUTING */
6053 rn = rn_mpath_next(rn);
6055 } while (check_mpath == 1 && rn != NULL && ret == 0);
6059 if (ro.ro_rt != NULL)
6065 pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw)
6067 struct sockaddr_in *dst;
6069 struct sockaddr_in6 *dst6;
6070 struct route_in6 ro;
6076 bzero(&ro, sizeof(ro));
6079 dst = satosin(&ro.ro_dst);
6080 dst->sin_family = AF_INET;
6081 dst->sin_len = sizeof(*dst);
6082 dst->sin_addr = addr->v4;
6086 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
6087 dst6->sin6_family = AF_INET6;
6088 dst6->sin6_len = sizeof(*dst6);
6089 dst6->sin6_addr = addr->v6;
6097 # ifdef RTF_PRCLONING
6098 rtalloc_ign((struct route *)&ro, (RTF_CLONING|RTF_PRCLONING));
6099 # else /* !RTF_PRCLONING */
6101 in_rtalloc_ign((struct route *)&ro, 0, 0);
6103 rtalloc_ign((struct route *)&ro, 0);
6105 #else /* ! __FreeBSD__ */
6106 rtalloc_noclone((struct route *)&ro, NO_CLONING);
6109 if (ro.ro_rt != NULL) {
6111 /* XXX_IMPORT: later */
6113 if (ro.ro_rt->rt_labelid == aw->v.rtlabel)
6125 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
6126 struct pf_state *s, struct pf_pdesc *pd)
6128 struct mbuf *m0, *m1;
6129 struct route iproute;
6130 struct route *ro = NULL;
6131 struct sockaddr_in *dst;
6133 struct ifnet *ifp = NULL;
6134 struct pf_addr naddr;
6135 struct pf_src_node *sn = NULL;
6144 if (m == NULL || *m == NULL || r == NULL ||
6145 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
6146 panic("pf_route: invalid parameters");
6148 if (pd->pf_mtag->routed++ > 3) {
6154 if (r->rt == PF_DUPTO) {
6156 if ((m0 = m_dup(*m, M_DONTWAIT)) == NULL)
6158 if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL)
6162 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
6167 if (m0->m_len < sizeof(struct ip)) {
6168 DPFPRINTF(PF_DEBUG_URGENT,
6169 ("pf_route: m0->m_len < sizeof(struct ip)\n"));
6173 ip = mtod(m0, struct ip *);
6176 bzero((caddr_t)ro, sizeof(*ro));
6177 dst = satosin(&ro->ro_dst);
6178 dst->sin_family = AF_INET;
6179 dst->sin_len = sizeof(*dst);
6180 dst->sin_addr = ip->ip_dst;
6182 if (r->rt == PF_FASTROUTE) {
6184 if (ro->ro_rt == 0) {
6185 KMOD_IPSTAT_INC(ips_noroute);
6189 ifp = ro->ro_rt->rt_ifp;
6190 ro->ro_rt->rt_use++;
6192 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
6193 dst = satosin(ro->ro_rt->rt_gateway);
6195 if (TAILQ_EMPTY(&r->rpool.list)) {
6196 DPFPRINTF(PF_DEBUG_URGENT,
6197 ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n"));
6201 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
6203 if (!PF_AZERO(&naddr, AF_INET))
6204 dst->sin_addr.s_addr = naddr.v4.s_addr;
6205 ifp = r->rpool.cur->kif ?
6206 r->rpool.cur->kif->pfik_ifp : NULL;
6208 if (!PF_AZERO(&s->rt_addr, AF_INET))
6209 dst->sin_addr.s_addr =
6210 s->rt_addr.v4.s_addr;
6211 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
6220 if (pf_test(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
6223 } else if (m0 == NULL) {
6229 if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS)
6231 else if (m0 == NULL)
6234 if (m0->m_len < sizeof(struct ip)) {
6235 DPFPRINTF(PF_DEBUG_URGENT,
6236 ("pf_route: m0->m_len < sizeof(struct ip)\n"));
6239 ip = mtod(m0, struct ip *);
6243 /* Copied from FreeBSD 5.1-CURRENT ip_output. */
6244 m0->m_pkthdr.csum_flags |= CSUM_IP;
6245 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist;
6246 if (sw_csum & CSUM_DELAY_DATA) {
6248 * XXX: in_delayed_cksum assumes HBO for ip->ip_len (at least)
6251 NTOHS(ip->ip_off); /* XXX: needed? */
6252 in_delayed_cksum(m0);
6255 sw_csum &= ~CSUM_DELAY_DATA;
6257 m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
6259 if (ntohs(ip->ip_len) <= ifp->if_mtu ||
6260 (ifp->if_hwassist & CSUM_FRAGMENT &&
6261 ((ip->ip_off & htons(IP_DF)) == 0))) {
6263 * ip->ip_len = htons(ip->ip_len);
6264 * ip->ip_off = htons(ip->ip_off);
6267 if (sw_csum & CSUM_DELAY_IP) {
6269 if (ip->ip_v == IPVERSION &&
6270 (ip->ip_hl << 2) == sizeof(*ip)) {
6271 ip->ip_sum = in_cksum_hdr(ip);
6273 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
6277 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro);
6283 /* Copied from ip_output. */
6286 * If deferred crypto processing is needed, check that the
6287 * interface supports it.
6289 if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
6290 != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
6291 /* Notify IPsec to do its own crypto. */
6292 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
6297 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
6298 if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) {
6299 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) ||
6300 ifp->if_bridge != NULL) {
6301 in_delayed_cksum(m0);
6302 m0->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */
6304 } else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) {
6305 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) ||
6306 ifp->if_bridge != NULL) {
6307 in_delayed_cksum(m0);
6308 m0->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */
6312 if (ntohs(ip->ip_len) <= ifp->if_mtu) {
6313 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
6314 ifp->if_bridge == NULL) {
6315 m0->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
6316 KMOD_IPSTAT_INC(ips_outhwcsum);
6319 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
6321 /* Update relevant hardware checksum stats for TCP/UDP */
6322 if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT)
6323 KMOD_TCPSTAT_INC(tcps_outhwcsum);
6324 else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT)
6325 KMOD_UDPSTAT_INC(udps_outhwcsum);
6326 error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL);
6331 * Too large for interface; fragment if possible.
6332 * Must be able to put at least 8 bytes per fragment.
6334 if (ip->ip_off & htons(IP_DF)) {
6335 KMOD_IPSTAT_INC(ips_cantfrag);
6336 if (r->rt != PF_DUPTO) {
6338 /* icmp_error() expects host byte ordering */
6342 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
6346 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
6357 * XXX: is cheaper + less error prone than own function
6361 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum);
6363 error = ip_fragment(m0, ifp, ifp->if_mtu);
6366 #ifndef __FreeBSD__ /* ip_fragment does not do m_freem() on FreeBSD */
6372 for (m0 = m1; m0; m0 = m1) {
6378 error = (*ifp->if_output)(ifp, m0, sintosa(dst),
6384 error = (*ifp->if_output)(ifp, m0, sintosa(dst),
6392 KMOD_IPSTAT_INC(ips_fragmented);
6395 if (r->rt != PF_DUPTO)
6397 if (ro == &iproute && ro->ro_rt)
6409 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
6410 struct pf_state *s, struct pf_pdesc *pd)
6413 struct route_in6 ip6route;
6414 struct route_in6 *ro;
6415 struct sockaddr_in6 *dst;
6416 struct ip6_hdr *ip6;
6417 struct ifnet *ifp = NULL;
6418 struct pf_addr naddr;
6419 struct pf_src_node *sn = NULL;
6422 if (m == NULL || *m == NULL || r == NULL ||
6423 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
6424 panic("pf_route6: invalid parameters");
6426 if (pd->pf_mtag->routed++ > 3) {
6432 if (r->rt == PF_DUPTO) {
6434 if ((m0 = m_dup(*m, M_DONTWAIT)) == NULL)
6436 if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL)
6440 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
6445 if (m0->m_len < sizeof(struct ip6_hdr)) {
6446 DPFPRINTF(PF_DEBUG_URGENT,
6447 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
6450 ip6 = mtod(m0, struct ip6_hdr *);
6453 bzero((caddr_t)ro, sizeof(*ro));
6454 dst = (struct sockaddr_in6 *)&ro->ro_dst;
6455 dst->sin6_family = AF_INET6;
6456 dst->sin6_len = sizeof(*dst);
6457 dst->sin6_addr = ip6->ip6_dst;
6459 /* Cheat. XXX why only in the v6 case??? */
6460 if (r->rt == PF_FASTROUTE) {
6462 m0->m_flags |= M_SKIP_FIREWALL;
6464 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
6467 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
6470 m_tag_prepend(m0, mtag);
6471 pd->pf_mtag->flags |= PF_TAG_GENERATED;
6472 ip6_output(m0, NULL, NULL, 0, NULL, NULL);
6477 if (TAILQ_EMPTY(&r->rpool.list)) {
6478 DPFPRINTF(PF_DEBUG_URGENT,
6479 ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n"));
6483 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
6485 if (!PF_AZERO(&naddr, AF_INET6))
6486 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
6488 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
6490 if (!PF_AZERO(&s->rt_addr, AF_INET6))
6491 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
6492 &s->rt_addr, AF_INET6);
6493 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
6501 if (pf_test6(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
6504 } else if (m0 == NULL) {
6510 if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS)
6512 else if (m0 == NULL)
6515 if (m0->m_len < sizeof(struct ip6_hdr)) {
6516 DPFPRINTF(PF_DEBUG_URGENT,
6517 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
6520 ip6 = mtod(m0, struct ip6_hdr *);
6524 * If the packet is too large for the outgoing interface,
6525 * send back an icmp6 error.
6527 if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr))
6528 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
6529 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
6533 error = nd6_output(ifp, ifp, m0, dst, NULL);
6538 in6_ifstat_inc(ifp, ifs6_in_toobig);
6540 if (r->rt != PF_DUPTO) {
6542 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
6546 if (r->rt != PF_DUPTO)
6547 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
6554 if (r->rt != PF_DUPTO)
6567 * FreeBSD supports cksum offloads for the following drivers.
6568 * em(4), fxp(4), ixgb(4), lge(4), ndis(4), nge(4), re(4),
6569 * ti(4), txp(4), xl(4)
6571 * CSUM_DATA_VALID | CSUM_PSEUDO_HDR :
6572 * network driver performed cksum including pseudo header, need to verify
6575 * network driver performed cksum, needs to additional pseudo header
6576 * cksum computation with partial csum_data(i.e. lack of H/W support for
6577 * pseudo header, for instance hme(4), sk(4) and possibly gem(4))
6579 * After validating the cksum of packet, set both flag CSUM_DATA_VALID and
6580 * CSUM_PSEUDO_HDR in order to avoid recomputation of the cksum in upper
6582 * Also, set csum_data to 0xffff to force cksum validation.
6585 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af)
6591 if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
6593 if (m->m_pkthdr.len < off + len)
6598 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
6599 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
6600 sum = m->m_pkthdr.csum_data;
6602 ip = mtod(m, struct ip *);
6603 sum = in_pseudo(ip->ip_src.s_addr,
6604 ip->ip_dst.s_addr, htonl((u_short)len +
6605 m->m_pkthdr.csum_data + IPPROTO_TCP));
6612 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
6613 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
6614 sum = m->m_pkthdr.csum_data;
6616 ip = mtod(m, struct ip *);
6617 sum = in_pseudo(ip->ip_src.s_addr,
6618 ip->ip_dst.s_addr, htonl((u_short)len +
6619 m->m_pkthdr.csum_data + IPPROTO_UDP));
6627 case IPPROTO_ICMPV6:
6637 if (p == IPPROTO_ICMP) {
6642 sum = in_cksum(m, len);
6646 if (m->m_len < sizeof(struct ip))
6648 sum = in4_cksum(m, p, off, len);
6653 if (m->m_len < sizeof(struct ip6_hdr))
6655 sum = in6_cksum(m, p, off, len);
6666 KMOD_TCPSTAT_INC(tcps_rcvbadsum);
6671 KMOD_UDPSTAT_INC(udps_badsum);
6676 KMOD_ICMPSTAT_INC(icps_checksum);
6680 case IPPROTO_ICMPV6:
6682 KMOD_ICMP6STAT_INC(icp6s_checksum);
6689 if (p == IPPROTO_TCP || p == IPPROTO_UDP) {
6690 m->m_pkthdr.csum_flags |=
6691 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
6692 m->m_pkthdr.csum_data = 0xffff;
6697 #else /* !__FreeBSD__ */
6699 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
6700 * off is the offset where the protocol header starts
6701 * len is the total length of protocol header plus payload
6702 * returns 0 when the checksum is valid, otherwise returns 1.
6705 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p,
6708 u_int16_t flag_ok, flag_bad;
6713 flag_ok = M_TCP_CSUM_IN_OK;
6714 flag_bad = M_TCP_CSUM_IN_BAD;
6717 flag_ok = M_UDP_CSUM_IN_OK;
6718 flag_bad = M_UDP_CSUM_IN_BAD;
6722 case IPPROTO_ICMPV6:
6724 flag_ok = flag_bad = 0;
6729 if (m->m_pkthdr.csum_flags & flag_ok)
6731 if (m->m_pkthdr.csum_flags & flag_bad)
6733 if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
6735 if (m->m_pkthdr.len < off + len)
6740 if (p == IPPROTO_ICMP) {
6745 sum = in_cksum(m, len);
6749 if (m->m_len < sizeof(struct ip))
6751 sum = in4_cksum(m, p, off, len);
6757 if (m->m_len < sizeof(struct ip6_hdr))
6759 sum = in6_cksum(m, p, off, len);
6766 m->m_pkthdr.csum_flags |= flag_bad;
6769 KMOD_TCPSTAT_INC(tcps_rcvbadsum);
6772 KMOD_UDPSTAT_INC(udps_badsum);
6775 KMOD_ICMPSTAT_INC(icps_checksum);
6778 case IPPROTO_ICMPV6:
6779 KMOD_ICMP6STAT_INC(icp6s_checksum);
6785 m->m_pkthdr.csum_flags |= flag_ok;
6788 #endif /* __FreeBSD__ */
6793 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
6794 struct ether_header *eh, struct inpcb *inp)
6796 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
6797 struct ether_header *eh)
6800 struct pfi_kif *kif;
6801 u_short action, reason = 0, log = 0;
6802 struct mbuf *m = *m0;
6803 struct ip *h = NULL; /* make the compiler happy */
6804 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
6805 struct pf_state *s = NULL;
6806 struct pf_ruleset *ruleset = NULL;
6808 int off, dirndx, pqid = 0;
6813 if (!pf_status.running)
6823 memset(&pd, 0, sizeof(pd));
6824 if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
6828 DPFPRINTF(PF_DEBUG_URGENT,
6829 ("pf_test: pf_get_mtag returned NULL\n"));
6833 if (m->m_flags & M_SKIP_FIREWALL) {
6838 if (pd.pf_mtag->flags & PF_TAG_GENERATED)
6843 /* XXX_IMPORT: later */
6845 if (ifp->if_type == IFT_CARP && ifp->if_carpdev)
6846 ifp = ifp->if_carpdev;
6849 kif = (struct pfi_kif *)ifp->if_pf_kif;
6854 DPFPRINTF(PF_DEBUG_URGENT,
6855 ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
6858 if (kif->pfik_flags & PFI_IFLAG_SKIP) {
6869 if ((m->m_flags & M_PKTHDR) == 0)
6870 panic("non-M_PKTHDR is passed to pf_test");
6871 #endif /* DIAGNOSTIC */
6872 #endif /* __FreeBSD__ */
6874 if (m->m_pkthdr.len < (int)sizeof(*h)) {
6876 REASON_SET(&reason, PFRES_SHORT);
6881 /* We do IP header normalization and packet reassembly here */
6882 if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
6887 h = mtod(m, struct ip *);
6889 off = h->ip_hl << 2;
6890 if (off < (int)sizeof(*h)) {
6892 REASON_SET(&reason, PFRES_SHORT);
6897 pd.src = (struct pf_addr *)&h->ip_src;
6898 pd.dst = (struct pf_addr *)&h->ip_dst;
6899 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
6900 pd.ip_sum = &h->ip_sum;
6904 pd.tot_len = ntohs(h->ip_len);
6907 /* handle fragments that didn't get reassembled by normalization */
6908 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
6909 action = pf_test_fragment(&r, dir, kif, m, h,
6920 if (!pf_pull_hdr(m, off, &th, sizeof(th),
6921 &action, &reason, AF_INET)) {
6922 log = action != PF_PASS;
6925 if (dir == PF_IN && pf_check_proto_cksum(m, off,
6926 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) {
6927 REASON_SET(&reason, PFRES_PROTCKSUM);
6931 pd.p_len = pd.tot_len - off - (th.th_off << 2);
6932 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
6934 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6935 if (action == PF_DROP)
6937 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6939 if (action == PF_PASS) {
6941 pfsync_update_state(s);
6942 #endif /* NPFSYNC */
6946 } else if (s == NULL)
6948 action = pf_test_tcp(&r, &s, dir, kif,
6949 m, off, h, &pd, &a, &ruleset, NULL, inp);
6951 action = pf_test_tcp(&r, &s, dir, kif,
6952 m, off, h, &pd, &a, &ruleset, &ipintrq);
6961 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
6962 &action, &reason, AF_INET)) {
6963 log = action != PF_PASS;
6966 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
6967 off, ntohs(h->ip_len) - off, IPPROTO_UDP, AF_INET)) {
6969 REASON_SET(&reason, PFRES_PROTCKSUM);
6972 if (uh.uh_dport == 0 ||
6973 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
6974 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
6976 REASON_SET(&reason, PFRES_SHORT);
6979 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6980 if (action == PF_PASS) {
6982 pfsync_update_state(s);
6983 #endif /* NPFSYNC */
6987 } else if (s == NULL)
6989 action = pf_test_udp(&r, &s, dir, kif,
6990 m, off, h, &pd, &a, &ruleset, NULL, inp);
6992 action = pf_test_udp(&r, &s, dir, kif,
6993 m, off, h, &pd, &a, &ruleset, &ipintrq);
6998 case IPPROTO_ICMP: {
7002 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
7003 &action, &reason, AF_INET)) {
7004 log = action != PF_PASS;
7007 if (dir == PF_IN && pf_check_proto_cksum(m, off,
7008 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) {
7010 REASON_SET(&reason, PFRES_PROTCKSUM);
7013 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
7015 if (action == PF_PASS) {
7017 pfsync_update_state(s);
7018 #endif /* NPFSYNC */
7022 } else if (s == NULL)
7024 action = pf_test_icmp(&r, &s, dir, kif,
7025 m, off, h, &pd, &a, &ruleset, NULL);
7027 action = pf_test_icmp(&r, &s, dir, kif,
7028 m, off, h, &pd, &a, &ruleset, &ipintrq);
7034 action = pf_test_state_other(&s, dir, kif, &pd);
7035 if (action == PF_PASS) {
7037 pfsync_update_state(s);
7038 #endif /* NPFSYNC */
7042 } else if (s == NULL)
7044 action = pf_test_other(&r, &s, dir, kif, m, off, h,
7045 &pd, &a, &ruleset, NULL);
7047 action = pf_test_other(&r, &s, dir, kif, m, off, h,
7048 &pd, &a, &ruleset, &ipintrq);
7054 if (action == PF_PASS && h->ip_hl > 5 &&
7055 !((s && s->allow_opts) || r->allow_opts)) {
7057 REASON_SET(&reason, PFRES_IPOPTIONS);
7059 DPFPRINTF(PF_DEBUG_MISC,
7060 ("pf: dropping packet with ip options\n"));
7063 if ((s && s->tag) || r->rtableid)
7064 pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid);
7067 if (action == PF_PASS && r->qid) {
7068 if (pqid || (pd.tos & IPTOS_LOWDELAY))
7069 pd.pf_mtag->qid = r->pqid;
7071 pd.pf_mtag->qid = r->qid;
7072 /* add hints for ecn */
7073 pd.pf_mtag->af = AF_INET;
7074 pd.pf_mtag->hdr = h;
7079 * connections redirected to loopback should not match sockets
7080 * bound specifically to loopback due to security implications,
7081 * see tcp_input() and in_pcblookup_listen().
7083 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
7084 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
7085 (s->nat_rule.ptr->action == PF_RDR ||
7086 s->nat_rule.ptr->action == PF_BINAT) &&
7087 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
7088 pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST;
7093 if (s != NULL && s->nat_rule.ptr != NULL &&
7094 s->nat_rule.ptr->log & PF_LOG_ALL)
7095 lr = s->nat_rule.ptr;
7098 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset,
7102 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
7103 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
7105 if (action == PF_PASS || r->action == PF_DROP) {
7106 dirndx = (dir == PF_OUT);
7107 r->packets[dirndx]++;
7108 r->bytes[dirndx] += pd.tot_len;
7110 a->packets[dirndx]++;
7111 a->bytes[dirndx] += pd.tot_len;
7114 if (s->nat_rule.ptr != NULL) {
7115 s->nat_rule.ptr->packets[dirndx]++;
7116 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
7118 if (s->src_node != NULL) {
7119 s->src_node->packets[dirndx]++;
7120 s->src_node->bytes[dirndx] += pd.tot_len;
7122 if (s->nat_src_node != NULL) {
7123 s->nat_src_node->packets[dirndx]++;
7124 s->nat_src_node->bytes[dirndx] += pd.tot_len;
7126 dirndx = (dir == s->direction) ? 0 : 1;
7127 s->packets[dirndx]++;
7128 s->bytes[dirndx] += pd.tot_len;
7131 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
7135 * XXX: we need to make sure that the addresses
7136 * passed to pfr_update_stats() are the same than
7137 * the addresses used during matching (pfr_match)
7139 if (r == &pf_default_rule) {
7141 x = (s == NULL || s->direction == dir) ?
7142 &pd.baddr : &pd.naddr;
7144 x = (s == NULL || s->direction == dir) ?
7145 &pd.naddr : &pd.baddr;
7146 if (x == &pd.baddr || s == NULL) {
7147 /* we need to change the address */
7154 if (tr->src.addr.type == PF_ADDR_TABLE)
7155 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
7156 s->direction == dir) ? pd.src : pd.dst, pd.af,
7157 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7159 if (tr->dst.addr.type == PF_ADDR_TABLE)
7160 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
7161 s->direction == dir) ? pd.dst : pd.src, pd.af,
7162 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7167 if (action == PF_SYNPROXY_DROP) {
7172 /* pf_route can free the mbuf causing *m0 to become NULL */
7173 pf_route(m0, r, dir, ifp, s, &pd);
7186 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
7187 struct ether_header *eh, struct inpcb *inp)
7189 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
7190 struct ether_header *eh)
7193 struct pfi_kif *kif;
7194 u_short action, reason = 0, log = 0;
7195 struct mbuf *m = *m0, *n = NULL;
7197 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
7198 struct pf_state *s = NULL;
7199 struct pf_ruleset *ruleset = NULL;
7201 int off, terminal = 0, dirndx, rh_cnt = 0;
7207 if (!pf_status.running)
7217 memset(&pd, 0, sizeof(pd));
7218 if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
7222 DPFPRINTF(PF_DEBUG_URGENT,
7223 ("pf_test6: pf_get_mtag returned NULL\n"));
7226 if (pd.pf_mtag->flags & PF_TAG_GENERATED)
7230 /* XXX_IMPORT: later */
7232 if (ifp->if_type == IFT_CARP && ifp->if_carpdev)
7233 ifp = ifp->if_carpdev;
7236 kif = (struct pfi_kif *)ifp->if_pf_kif;
7241 DPFPRINTF(PF_DEBUG_URGENT,
7242 ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
7245 if (kif->pfik_flags & PFI_IFLAG_SKIP) {
7256 if ((m->m_flags & M_PKTHDR) == 0)
7257 panic("non-M_PKTHDR is passed to pf_test6");
7258 #endif /* DIAGNOSTIC */
7262 h = NULL; /* make the compiler happy */
7265 if (m->m_pkthdr.len < (int)sizeof(*h)) {
7267 REASON_SET(&reason, PFRES_SHORT);
7272 /* We do IP header normalization and packet reassembly here */
7273 if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
7278 h = mtod(m, struct ip6_hdr *);
7282 * we do not support jumbogram yet. if we keep going, zero ip6_plen
7283 * will do something bad, so drop the packet for now.
7285 if (htons(h->ip6_plen) == 0) {
7287 REASON_SET(&reason, PFRES_NORM); /*XXX*/
7292 pd.src = (struct pf_addr *)&h->ip6_src;
7293 pd.dst = (struct pf_addr *)&h->ip6_dst;
7294 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
7298 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
7301 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
7302 pd.proto = h->ip6_nxt;
7305 case IPPROTO_FRAGMENT:
7306 action = pf_test_fragment(&r, dir, kif, m, h,
7308 if (action == PF_DROP)
7309 REASON_SET(&reason, PFRES_FRAG);
7311 case IPPROTO_ROUTING: {
7312 struct ip6_rthdr rthdr;
7315 DPFPRINTF(PF_DEBUG_MISC,
7316 ("pf: IPv6 more than one rthdr\n"));
7318 REASON_SET(&reason, PFRES_IPOPTIONS);
7322 if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
7324 DPFPRINTF(PF_DEBUG_MISC,
7325 ("pf: IPv6 short rthdr\n"));
7327 REASON_SET(&reason, PFRES_SHORT);
7331 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
7332 DPFPRINTF(PF_DEBUG_MISC,
7333 ("pf: IPv6 rthdr0\n"));
7335 REASON_SET(&reason, PFRES_IPOPTIONS);
7342 case IPPROTO_HOPOPTS:
7343 case IPPROTO_DSTOPTS: {
7344 /* get next header and header length */
7345 struct ip6_ext opt6;
7347 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
7348 NULL, &reason, pd.af)) {
7349 DPFPRINTF(PF_DEBUG_MISC,
7350 ("pf: IPv6 short opt\n"));
7355 if (pd.proto == IPPROTO_AH)
7356 off += (opt6.ip6e_len + 2) * 4;
7358 off += (opt6.ip6e_len + 1) * 8;
7359 pd.proto = opt6.ip6e_nxt;
7360 /* goto the next header */
7367 } while (!terminal);
7369 /* if there's no routing header, use unmodified mbuf for checksumming */
7379 if (!pf_pull_hdr(m, off, &th, sizeof(th),
7380 &action, &reason, AF_INET6)) {
7381 log = action != PF_PASS;
7384 if (dir == PF_IN && pf_check_proto_cksum(n, off,
7385 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
7386 IPPROTO_TCP, AF_INET6)) {
7388 REASON_SET(&reason, PFRES_PROTCKSUM);
7391 pd.p_len = pd.tot_len - off - (th.th_off << 2);
7392 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
7393 if (action == PF_DROP)
7395 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
7397 if (action == PF_PASS) {
7399 pfsync_update_state(s);
7400 #endif /* NPFSYNC */
7404 } else if (s == NULL)
7406 action = pf_test_tcp(&r, &s, dir, kif,
7407 m, off, h, &pd, &a, &ruleset, NULL, inp);
7409 action = pf_test_tcp(&r, &s, dir, kif,
7410 m, off, h, &pd, &a, &ruleset, &ip6intrq);
7419 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
7420 &action, &reason, AF_INET6)) {
7421 log = action != PF_PASS;
7424 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(n,
7425 off, ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
7426 IPPROTO_UDP, AF_INET6)) {
7428 REASON_SET(&reason, PFRES_PROTCKSUM);
7431 if (uh.uh_dport == 0 ||
7432 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
7433 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
7435 REASON_SET(&reason, PFRES_SHORT);
7438 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
7439 if (action == PF_PASS) {
7441 pfsync_update_state(s);
7442 #endif /* NPFSYNC */
7446 } else if (s == NULL)
7448 action = pf_test_udp(&r, &s, dir, kif,
7449 m, off, h, &pd, &a, &ruleset, NULL, inp);
7451 action = pf_test_udp(&r, &s, dir, kif,
7452 m, off, h, &pd, &a, &ruleset, &ip6intrq);
7457 case IPPROTO_ICMPV6: {
7458 struct icmp6_hdr ih;
7461 if (!pf_pull_hdr(m, off, &ih, sizeof(ih),
7462 &action, &reason, AF_INET6)) {
7463 log = action != PF_PASS;
7466 if (dir == PF_IN && pf_check_proto_cksum(n, off,
7467 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
7468 IPPROTO_ICMPV6, AF_INET6)) {
7470 REASON_SET(&reason, PFRES_PROTCKSUM);
7473 action = pf_test_state_icmp(&s, dir, kif,
7474 m, off, h, &pd, &reason);
7475 if (action == PF_PASS) {
7477 pfsync_update_state(s);
7478 #endif /* NPFSYNC */
7482 } else if (s == NULL)
7484 action = pf_test_icmp(&r, &s, dir, kif,
7485 m, off, h, &pd, &a, &ruleset, NULL);
7487 action = pf_test_icmp(&r, &s, dir, kif,
7488 m, off, h, &pd, &a, &ruleset, &ip6intrq);
7494 action = pf_test_state_other(&s, dir, kif, &pd);
7495 if (action == PF_PASS) {
7497 pfsync_update_state(s);
7498 #endif /* NPFSYNC */
7502 } else if (s == NULL)
7504 action = pf_test_other(&r, &s, dir, kif, m, off, h,
7505 &pd, &a, &ruleset, NULL);
7507 action = pf_test_other(&r, &s, dir, kif, m, off, h,
7508 &pd, &a, &ruleset, &ip6intrq);
7514 /* handle dangerous IPv6 extension headers. */
7515 if (action == PF_PASS && rh_cnt &&
7516 !((s && s->allow_opts) || r->allow_opts)) {
7518 REASON_SET(&reason, PFRES_IPOPTIONS);
7520 DPFPRINTF(PF_DEBUG_MISC,
7521 ("pf: dropping packet with dangerous v6 headers\n"));
7524 if ((s && s->tag) || r->rtableid)
7525 pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid);
7528 if (action == PF_PASS && r->qid) {
7529 if (pd.tos & IPTOS_LOWDELAY)
7530 pd.pf_mtag->qid = r->pqid;
7532 pd.pf_mtag->qid = r->qid;
7533 /* add hints for ecn */
7534 pd.pf_mtag->af = AF_INET6;
7535 pd.pf_mtag->hdr = h;
7539 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
7540 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
7541 (s->nat_rule.ptr->action == PF_RDR ||
7542 s->nat_rule.ptr->action == PF_BINAT) &&
7543 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
7544 pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST;
7549 if (s != NULL && s->nat_rule.ptr != NULL &&
7550 s->nat_rule.ptr->log & PF_LOG_ALL)
7551 lr = s->nat_rule.ptr;
7554 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset,
7558 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
7559 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
7561 if (action == PF_PASS || r->action == PF_DROP) {
7562 dirndx = (dir == PF_OUT);
7563 r->packets[dirndx]++;
7564 r->bytes[dirndx] += pd.tot_len;
7566 a->packets[dirndx]++;
7567 a->bytes[dirndx] += pd.tot_len;
7570 if (s->nat_rule.ptr != NULL) {
7571 s->nat_rule.ptr->packets[dirndx]++;
7572 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
7574 if (s->src_node != NULL) {
7575 s->src_node->packets[dirndx]++;
7576 s->src_node->bytes[dirndx] += pd.tot_len;
7578 if (s->nat_src_node != NULL) {
7579 s->nat_src_node->packets[dirndx]++;
7580 s->nat_src_node->bytes[dirndx] += pd.tot_len;
7582 dirndx = (dir == s->direction) ? 0 : 1;
7583 s->packets[dirndx]++;
7584 s->bytes[dirndx] += pd.tot_len;
7587 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
7591 * XXX: we need to make sure that the addresses
7592 * passed to pfr_update_stats() are the same than
7593 * the addresses used during matching (pfr_match)
7595 if (r == &pf_default_rule) {
7597 x = (s == NULL || s->direction == dir) ?
7598 &pd.baddr : &pd.naddr;
7600 x = (s == NULL || s->direction == dir) ?
7601 &pd.naddr : &pd.baddr;
7603 if (x == &pd.baddr || s == NULL) {
7610 if (tr->src.addr.type == PF_ADDR_TABLE)
7611 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
7612 s->direction == dir) ? pd.src : pd.dst, pd.af,
7613 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7615 if (tr->dst.addr.type == PF_ADDR_TABLE)
7616 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
7617 s->direction == dir) ? pd.dst : pd.src, pd.af,
7618 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
7623 if (action == PF_SYNPROXY_DROP) {
7628 /* pf_route6 can free the mbuf causing *m0 to become NULL */
7629 pf_route6(m0, r, dir, ifp, s, &pd);
7639 pf_check_congestion(struct ifqueue *ifq)
7642 /* XXX_IMPORT: later */
7645 if (ifq->ifq_congestion)
projects / FreeBSD / releng / 8.0.git / blob