1 /* $OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $ */
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002 - 2008 Henning Brauer
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
32 * Effort sponsored in part by the Defense Advanced Research Projects
33 * Agency (DARPA) and Air Force Research Laboratory, Air Force
34 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
40 #include "opt_inet6.h"
42 #include <sys/cdefs.h>
43 __FBSDID("$FreeBSD$");
51 #define NBPFILTER DEV_BPF
57 #define NPFLOG DEV_PFLOG
63 #define NPFSYNC DEV_PFSYNC
69 #define NPFLOW DEV_PFLOW
81 #include <sys/param.h>
82 #include <sys/systm.h>
84 #include <sys/filio.h>
85 #include <sys/socket.h>
86 #include <sys/socketvar.h>
87 #include <sys/kernel.h>
90 #include <sys/sysctl.h>
97 #include <sys/kthread.h>
101 #include <sys/rwlock.h>
107 #include <crypto/md5.h>
111 #include <net/if_types.h>
113 #include <net/route.h>
114 #include <net/radix_mpath.h>
116 #include <netinet/in.h>
117 #include <netinet/in_var.h>
118 #include <netinet/in_systm.h>
119 #include <netinet/ip.h>
120 #include <netinet/ip_var.h>
121 #include <netinet/tcp.h>
122 #include <netinet/tcp_seq.h>
123 #include <netinet/udp.h>
124 #include <netinet/ip_icmp.h>
125 #include <netinet/in_pcb.h>
126 #include <netinet/tcp_timer.h>
127 #include <netinet/tcp_var.h>
128 #include <netinet/udp_var.h>
129 #include <netinet/icmp_var.h>
130 #include <netinet/if_ether.h>
133 #include <dev/rndvar.h>
135 #include <net/pfvar.h>
136 #include <net/if_pflog.h>
137 #include <net/if_pflow.h>
140 #include <net/if_pfsync.h>
141 #endif /* NPFSYNC > 0 */
144 #include <netinet/ip6.h>
145 #include <netinet/in_pcb.h>
146 #include <netinet/icmp6.h>
147 #include <netinet6/nd6.h>
152 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
154 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
161 void pf_hash(struct pf_addr *, struct pf_addr *,
162 struct pf_poolhashkey *, sa_family_t);
163 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
164 int, int, struct pfi_kif *,
165 struct pf_addr *, u_int16_t, struct pf_addr *,
167 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
168 struct pf_addr *, struct pf_addr *, u_int16_t,
169 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
170 struct pf_src_node **);
174 a -= b; a -= c; a ^= (c >> 13); \
175 b -= c; b -= a; b ^= (a << 8); \
176 c -= a; c -= b; c ^= (b >> 13); \
177 a -= b; a -= c; a ^= (c >> 12); \
178 b -= c; b -= a; b ^= (a << 16); \
179 c -= a; c -= b; c ^= (b >> 5); \
180 a -= b; a -= c; a ^= (c >> 3); \
181 b -= c; b -= a; b ^= (a << 10); \
182 c -= a; c -= b; c ^= (b >> 15); \
186 * hash function based on bridge_hash in if_bridge.c
189 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
190 struct pf_poolhashkey *key, sa_family_t af)
192 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
197 a += inaddr->addr32[0];
200 hash->addr32[0] = c + key->key32[2];
205 a += inaddr->addr32[0];
206 b += inaddr->addr32[2];
209 a += inaddr->addr32[1];
210 b += inaddr->addr32[3];
214 a += inaddr->addr32[2];
215 b += inaddr->addr32[1];
219 a += inaddr->addr32[3];
220 b += inaddr->addr32[0];
230 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
231 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
232 struct pf_addr *daddr, u_int16_t dport, int rs_num)
234 struct pf_rule *r, *rm = NULL;
235 struct pf_ruleset *ruleset = NULL;
240 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
241 while (r && rm == NULL) {
242 struct pf_rule_addr *src = NULL, *dst = NULL;
243 struct pf_addr_wrap *xdst = NULL;
245 if (r->action == PF_BINAT && direction == PF_IN) {
247 if (r->rpool.cur != NULL)
248 xdst = &r->rpool.cur->addr;
255 if (pfi_kif_match(r->kif, kif) == r->ifnot)
256 r = r->skip[PF_SKIP_IFP].ptr;
257 else if (r->direction && r->direction != direction)
258 r = r->skip[PF_SKIP_DIR].ptr;
259 else if (r->af && r->af != pd->af)
260 r = r->skip[PF_SKIP_AF].ptr;
261 else if (r->proto && r->proto != pd->proto)
262 r = r->skip[PF_SKIP_PROTO].ptr;
263 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
265 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
266 PF_SKIP_DST_ADDR].ptr;
267 else if (src->port_op && !pf_match_port(src->port_op,
268 src->port[0], src->port[1], sport))
269 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
270 PF_SKIP_DST_PORT].ptr;
271 else if (dst != NULL &&
272 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL))
273 r = r->skip[PF_SKIP_DST_ADDR].ptr;
274 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
276 r = TAILQ_NEXT(r, entries);
277 else if (dst != NULL && dst->port_op &&
278 !pf_match_port(dst->port_op, dst->port[0],
279 dst->port[1], dport))
280 r = r->skip[PF_SKIP_DST_PORT].ptr;
282 else if (r->match_tag && !pf_match_tag(m, r, &tag, pd->pf_mtag))
284 else if (r->match_tag && !pf_match_tag(m, r, &tag))
286 r = TAILQ_NEXT(r, entries);
287 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
288 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
289 off, pd->hdr.tcp), r->os_fingerprint)))
290 r = TAILQ_NEXT(r, entries);
294 if (r->rtableid >= 0)
295 rtableid = r->rtableid;
296 if (r->anchor == NULL) {
299 pf_step_into_anchor(&asd, &ruleset, rs_num,
303 pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r,
307 if (pf_tag_packet(m, tag, rtableid, pd->pf_mtag))
309 if (pf_tag_packet(m, tag, rtableid))
312 if (rm != NULL && (rm->action == PF_NONAT ||
313 rm->action == PF_NORDR || rm->action == PF_NOBINAT))
319 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
320 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
321 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
322 struct pf_src_node **sn)
324 struct pf_state_key_cmp key;
325 struct pf_addr init_addr;
328 bzero(&init_addr, sizeof(init_addr));
329 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
332 if (proto == IPPROTO_ICMP) {
340 PF_ACPY(&key.addr[1], daddr, key.af);
341 PF_ACPY(&key.addr[0], naddr, key.af);
345 * port search; start random, step;
346 * similar 2 portloop in in_pcbbind
348 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
349 proto == IPPROTO_ICMP)) {
351 if (pf_find_state_all(&key, PF_IN, NULL) == NULL)
353 } else if (low == 0 && high == 0) {
354 key.port[0] = *nport;
355 if (pf_find_state_all(&key, PF_IN, NULL) == NULL)
357 } else if (low == high) {
358 key.port[0] = htons(low);
359 if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
373 cut = htonl(arc4random()) % (1 + high - low) + low;
375 cut = arc4random_uniform(1 + high - low) + low;
377 /* low <= cut <= high */
378 for (tmp = cut; tmp <= high; ++(tmp)) {
379 key.port[0] = htons(tmp);
380 if (pf_find_state_all(&key, PF_IN, NULL) ==
384 NULL && !in_baddynamic(tmp, proto)) {
390 for (tmp = cut - 1; tmp >= low; --(tmp)) {
391 key.port[0] = htons(tmp);
392 if (pf_find_state_all(&key, PF_IN, NULL) ==
396 NULL && !in_baddynamic(tmp, proto)) {
404 switch (r->rpool.opts & PF_POOL_TYPEMASK) {
406 case PF_POOL_ROUNDROBIN:
407 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
411 case PF_POOL_SRCHASH:
412 case PF_POOL_BITMASK:
416 } while (! PF_AEQ(&init_addr, naddr, af) );
417 return (1); /* none available */
421 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
422 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
424 unsigned char hash[16];
425 struct pf_pool *rpool = &r->rpool;
426 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr;
427 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask;
428 struct pf_pooladdr *acur = rpool->cur;
429 struct pf_src_node k;
431 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
432 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
434 PF_ACPY(&k.addr, saddr, af);
435 if (r->rule_flag & PFRULE_RULESRCTRACK ||
436 r->rpool.opts & PF_POOL_STICKYADDR)
441 V_pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
442 *sn = RB_FIND(pf_src_tree, &V_tree_src_tracking, &k);
444 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
445 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
447 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
448 PF_ACPY(naddr, &(*sn)->raddr, af);
450 if (V_pf_status.debug >= PF_DEBUG_MISC) {
452 if (pf_status.debug >= PF_DEBUG_MISC) {
454 printf("pf_map_addr: src tracking maps ");
455 pf_print_host(&k.addr, 0, af);
457 pf_print_host(naddr, 0, af);
464 if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
466 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
470 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
471 (rpool->opts & PF_POOL_TYPEMASK) !=
474 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
475 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
480 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
481 (rpool->opts & PF_POOL_TYPEMASK) !=
484 raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
485 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
489 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
490 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
491 return (1); /* unsupported */
493 raddr = &rpool->cur->addr.v.a.addr;
494 rmask = &rpool->cur->addr.v.a.mask;
497 switch (rpool->opts & PF_POOL_TYPEMASK) {
499 PF_ACPY(naddr, raddr, af);
501 case PF_POOL_BITMASK:
502 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
505 if (init_addr != NULL && PF_AZERO(init_addr, af)) {
509 rpool->counter.addr32[0] = htonl(arc4random());
514 if (rmask->addr32[3] != 0xffffffff)
515 rpool->counter.addr32[3] =
519 if (rmask->addr32[2] != 0xffffffff)
520 rpool->counter.addr32[2] =
524 if (rmask->addr32[1] != 0xffffffff)
525 rpool->counter.addr32[1] =
529 if (rmask->addr32[0] != 0xffffffff)
530 rpool->counter.addr32[0] =
535 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
536 PF_ACPY(init_addr, naddr, af);
539 PF_AINC(&rpool->counter, af);
540 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
543 case PF_POOL_SRCHASH:
544 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
545 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
547 case PF_POOL_ROUNDROBIN:
548 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
549 if (!pfr_pool_get(rpool->cur->addr.p.tbl,
550 &rpool->tblidx, &rpool->counter,
553 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
554 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
555 &rpool->tblidx, &rpool->counter,
558 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
562 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
563 rpool->cur = TAILQ_FIRST(&rpool->list);
564 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
566 if (pfr_pool_get(rpool->cur->addr.p.tbl,
567 &rpool->tblidx, &rpool->counter,
568 &raddr, &rmask, af)) {
569 /* table contains no address of type 'af' */
570 if (rpool->cur != acur)
574 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
576 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
577 &rpool->tblidx, &rpool->counter,
578 &raddr, &rmask, af)) {
579 /* table contains no address of type 'af' */
580 if (rpool->cur != acur)
585 raddr = &rpool->cur->addr.v.a.addr;
586 rmask = &rpool->cur->addr.v.a.mask;
587 PF_ACPY(&rpool->counter, raddr, af);
591 PF_ACPY(naddr, &rpool->counter, af);
592 if (init_addr != NULL && PF_AZERO(init_addr, af))
593 PF_ACPY(init_addr, naddr, af);
594 PF_AINC(&rpool->counter, af);
598 PF_ACPY(&(*sn)->raddr, naddr, af);
601 if (V_pf_status.debug >= PF_DEBUG_MISC &&
603 if (pf_status.debug >= PF_DEBUG_MISC &&
605 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
606 printf("pf_map_addr: selected address ");
607 pf_print_host(naddr, 0, af);
615 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
616 struct pfi_kif *kif, struct pf_src_node **sn,
617 struct pf_state_key **skw, struct pf_state_key **sks,
618 struct pf_state_key **skp, struct pf_state_key **nkp,
619 struct pf_addr *saddr, struct pf_addr *daddr,
620 u_int16_t sport, u_int16_t dport)
622 struct pf_rule *r = NULL;
625 if (direction == PF_OUT) {
626 r = pf_match_translation(pd, m, off, direction, kif, saddr,
627 sport, daddr, dport, PF_RULESET_BINAT);
629 r = pf_match_translation(pd, m, off, direction, kif,
630 saddr, sport, daddr, dport, PF_RULESET_NAT);
632 r = pf_match_translation(pd, m, off, direction, kif, saddr,
633 sport, daddr, dport, PF_RULESET_RDR);
635 r = pf_match_translation(pd, m, off, direction, kif,
636 saddr, sport, daddr, dport, PF_RULESET_BINAT);
640 struct pf_addr *naddr;
643 if (pf_state_key_setup(pd, r, skw, sks, skp, nkp,
644 saddr, daddr, sport, dport))
647 /* XXX We only modify one side for now. */
648 naddr = &(*nkp)->addr[1];
649 nport = &(*nkp)->port[1];
657 if (pf_get_sport(pd->af, pd->proto, r, saddr,
658 daddr, dport, naddr, nport, r->rpool.proxy_port[0],
659 r->rpool.proxy_port[1], sn)) {
660 DPFPRINTF(PF_DEBUG_MISC,
661 ("pf: NAT proxy port allocation "
663 r->rpool.proxy_port[0],
664 r->rpool.proxy_port[1]));
671 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
675 if (r->rpool.cur->addr.p.dyn->
679 &r->rpool.cur->addr.p.dyn->
681 &r->rpool.cur->addr.p.dyn->
688 if (r->rpool.cur->addr.p.dyn->
692 &r->rpool.cur->addr.p.dyn->
694 &r->rpool.cur->addr.p.dyn->
702 &r->rpool.cur->addr.v.a.addr,
703 &r->rpool.cur->addr.v.a.mask,
707 if (r->src.addr.type == PF_ADDR_DYNIFTL) {
711 if (r->src.addr.p.dyn->
724 if (r->src.addr.p.dyn->
738 &r->src.addr.v.a.addr,
739 &r->src.addr.v.a.mask, daddr,
745 if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
747 if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
749 PF_POOLMASK(naddr, naddr,
750 &r->rpool.cur->addr.v.a.mask, daddr,
753 if (r->rpool.proxy_port[1]) {
756 tmp_nport = ((ntohs(dport) -
757 ntohs(r->dst.port[0])) %
758 (r->rpool.proxy_port[1] -
759 r->rpool.proxy_port[0] + 1)) +
760 r->rpool.proxy_port[0];
762 /* wrap around if necessary */
763 if (tmp_nport > 65535)
765 *nport = htons((u_int16_t)tmp_nport);
766 } else if (r->rpool.proxy_port[0])
767 *nport = htons(r->rpool.proxy_port[0]);
774 * Translation was a NOP.
775 * Pretend there was no match.
777 if (!bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp))) {
779 pool_put(&V_pf_state_key_pl, *nkp);
780 pool_put(&V_pf_state_key_pl, *skp);
782 pool_put(&pf_state_key_pl, *nkp);
783 pool_put(&pf_state_key_pl, *skp);
785 *skw = *sks = *nkp = *skp = NULL;