Cross Reference: /freebsd-10.1-release/sys/netpfil/pf/pf.c

Deleted Added

sdiff udiff text old ( 145398 ) new ( 145836 )

full compact

pf.c (145398)	pf.c (145836)
1/* $FreeBSD: head/sys/contrib/pf/net/pf.c 145398 2005-04-22 09:53:46Z glebius $ / 2/ $OpenBSD: pf.c,v 1.433.2.2 2004/07/17 03:22:34 brad Exp $ / 3/ add $OpenBSD: pf.c,v 1.448 2004/05/11 07:34:11 dhartmei Exp $ / 4/ add $OpenBSD: pf.c,v 1.483 2005/03/15 17:38:43 dhartmei Exp $ */	1/* $FreeBSD: head/sys/contrib/pf/net/pf.c 145836 2005-05-03 16:43:32Z mlaier $ / 2/ $OpenBSD: pf.c,v 1.483 2005/03/15 17:38:43 dhartmei Exp $ */
5 6/* 7 * Copyright (c) 2001 Daniel Hartmeier 8 * Copyright (c) 2002,2003 Henning Brauer 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions --- 71 unchanged lines hidden (view full) --- 84#include <netinet/tcp_seq.h> 85#include <netinet/udp.h> 86#include <netinet/ip_icmp.h> 87#include <netinet/in_pcb.h> 88#include <netinet/tcp_timer.h> 89#include <netinet/tcp_var.h> 90#include <netinet/udp_var.h> 91#include <netinet/icmp_var.h>	3 4/* 5 * Copyright (c) 2001 Daniel Hartmeier 6 * Copyright (c) 2002,2003 Henning Brauer 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions --- 71 unchanged lines hidden (view full) --- 82#include <netinet/tcp_seq.h> 83#include <netinet/udp.h> 84#include <netinet/ip_icmp.h> 85#include <netinet/in_pcb.h> 86#include <netinet/tcp_timer.h> 87#include <netinet/tcp_var.h> 88#include <netinet/udp_var.h> 89#include <netinet/icmp_var.h>
	90#include <netinet/if_ether.h>
92 93#ifndef __FreeBSD__ 94#include <dev/rndvar.h> 95#endif 96#include <net/pfvar.h> 97#include <net/if_pflog.h> 98 99#if NPFSYNC > 0 --- 20 unchanged lines hidden (view full) --- 120#endif 121 122#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 123 124/* 125 * Global variables 126 / 127*	91 92#ifndef __FreeBSD__ 93#include <dev/rndvar.h> 94#endif 95#include <net/pfvar.h> 96#include <net/if_pflog.h> 97 98#if NPFSYNC > 0 --- 20 unchanged lines hidden (view full) --- 119#endif 120 121#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 122 123/* 124 * Global variables 125 / 126*
128struct pf_anchorqueue pf_anchors;	127struct pf_anchor_global pf_anchors;
129struct pf_ruleset pf_main_ruleset; 130struct pf_altqqueue pf_altqs[2]; 131struct pf_palist pf_pabuf; 132struct pf_altqqueue pf_altqs_active; 133struct pf_altqqueue pf_altqs_inactive; 134struct pf_status pf_status; 135 136u_int32_t ticket_altqs_active; 137u_int32_t ticket_altqs_inactive; 138int altqs_inactive_open; 139u_int32_t ticket_pabuf; 140 141#ifdef __FreeBSD__ 142struct callout pf_expire_to; /* expire timeout / 143#else 144struct timeout pf_expire_to; / expire timeout / 145#endif 146*	128struct pf_ruleset pf_main_ruleset; 129struct pf_altqqueue pf_altqs[2]; 130struct pf_palist pf_pabuf; 131struct pf_altqqueue pf_altqs_active; 132struct pf_altqqueue pf_altqs_inactive; 133struct pf_status pf_status; 134 135u_int32_t ticket_altqs_active; 136u_int32_t ticket_altqs_inactive; 137int altqs_inactive_open; 138u_int32_t ticket_pabuf; 139 140#ifdef __FreeBSD__ 141struct callout pf_expire_to; /* expire timeout / 142#else 143struct timeout pf_expire_to; / expire timeout / 144#endif 145*
	146struct pf_anchor_stackframe { 147 struct pf_ruleset rs; 148* struct pf_rule r; 149* struct pf_anchor_node parent; 150* struct pf_anchor child; 151*} pf_anchor_stack[64];
147 148#ifdef __FreeBSD__ 149uma_zone_t pf_src_tree_pl, pf_rule_pl; 150uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 151#else 152struct pool pf_src_tree_pl, pf_rule_pl; 153struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 154#endif 155 156void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);	152 153#ifdef __FreeBSD__ 154uma_zone_t pf_src_tree_pl, pf_rule_pl; 155uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 156#else 157struct pool pf_src_tree_pl, pf_rule_pl; 158struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 159#endif 160 161void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
157void pf_print_state(struct pf_state ); 158*void pf_print_flags(u_int8_t);
159	162
	163void pf_init_threshold(struct pf_threshold , u_int32_t, 164* u_int32_t); 165void pf_add_threshold(struct pf_threshold ); 166int pf_check_threshold(struct pf_threshold ); 167
160void pf_change_ap(struct pf_addr , u_int16_t , 161 u_int16_t , u_int16_t , struct pf_addr , 162* u_int16_t, u_int8_t, sa_family_t); 163#ifdef INET6 164void pf_change_a6(struct pf_addr , u_int16_t , 165 struct pf_addr , u_int8_t); 166#endif / INET6 / 167void pf_change_icmp(struct pf_addr , u_int16_t , 168* struct pf_addr , struct pf_addr , u_int16_t, 169 u_int16_t , u_int16_t , u_int16_t , 170* u_int16_t , u_int8_t, sa_family_t); 171void pf_send_tcp(const struct pf_rule , sa_family_t, 172 const struct pf_addr , const struct pf_addr , 173 u_int16_t, u_int16_t, u_int32_t, u_int32_t,	168void pf_change_ap(struct pf_addr , u_int16_t , 169 u_int16_t , u_int16_t , struct pf_addr , 170* u_int16_t, u_int8_t, sa_family_t); 171#ifdef INET6 172void pf_change_a6(struct pf_addr , u_int16_t , 173 struct pf_addr , u_int8_t); 174#endif / INET6 / 175void pf_change_icmp(struct pf_addr , u_int16_t , 176* struct pf_addr , struct pf_addr , u_int16_t, 177 u_int16_t , u_int16_t , u_int16_t , 178* u_int16_t , u_int8_t, sa_family_t); 179void pf_send_tcp(const struct pf_rule , sa_family_t, 180 const struct pf_addr , const struct pf_addr , 181 u_int16_t, u_int16_t, u_int32_t, u_int32_t,
174 u_int8_t, u_int16_t, u_int16_t, u_int8_t);	182 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, 183 struct ether_header , struct ifnet );
175void pf_send_icmp(struct mbuf , u_int8_t, u_int8_t, 176* sa_family_t, struct pf_rule ); 177struct pf_rule pf_match_translation(struct pf_pdesc , struct mbuf , 178 int, int, struct pfi_kif , 179* struct pf_addr , u_int16_t, struct pf_addr , 180 u_int16_t, int); 181struct pf_rule pf_get_translation(struct pf_pdesc , struct mbuf , 182* int, int, struct pfi_kif , struct pf_src_node , 183* struct pf_addr , u_int16_t, 184* struct pf_addr , u_int16_t, 185* struct pf_addr , u_int16_t ); 186int pf_test_tcp(struct pf_rule , struct pf_state , 187 int, struct pfi_kif , struct mbuf , int, 188 void , struct pf_pdesc , struct pf_rule *, 189*#ifdef __FreeBSD__	184void pf_send_icmp(struct mbuf , u_int8_t, u_int8_t, 185* sa_family_t, struct pf_rule ); 186struct pf_rule pf_match_translation(struct pf_pdesc , struct mbuf , 187 int, int, struct pfi_kif , 188* struct pf_addr , u_int16_t, struct pf_addr , 189 u_int16_t, int); 190struct pf_rule pf_get_translation(struct pf_pdesc , struct mbuf , 191* int, int, struct pfi_kif , struct pf_src_node , 192* struct pf_addr , u_int16_t, 193* struct pf_addr , u_int16_t, 194* struct pf_addr , u_int16_t ); 195int pf_test_tcp(struct pf_rule , struct pf_state , 196 int, struct pfi_kif , struct mbuf , int, 197 void , struct pf_pdesc , struct pf_rule *, 198*#ifdef __FreeBSD__
190 struct pf_ruleset *, struct inpcb );	199 struct pf_ruleset *, struct ifqueue , 200 struct inpcb *);
191#else	201#else
192 struct pf_ruleset **);	202 struct pf_ruleset *, struct ifqueue );
193#endif 194int pf_test_udp(struct pf_rule , struct pf_state , 195 int, struct pfi_kif , struct mbuf , int, 196 void , struct pf_pdesc , struct pf_rule *, 197*#ifdef __FreeBSD__	203#endif 204int pf_test_udp(struct pf_rule , struct pf_state , 205 int, struct pfi_kif , struct mbuf , int, 206 void , struct pf_pdesc , struct pf_rule *, 207*#ifdef __FreeBSD__
198 struct pf_ruleset *, struct inpcb );	208 struct pf_ruleset *, struct ifqueue , 209 struct inpcb *);
199#else	210#else
200 struct pf_ruleset **);	211 struct pf_ruleset *, struct ifqueue );
201#endif 202int pf_test_icmp(struct pf_rule , struct pf_state , 203 int, struct pfi_kif , struct mbuf , int, 204 void , struct pf_pdesc , struct pf_rule **,	212#endif 213int pf_test_icmp(struct pf_rule , struct pf_state , 214 int, struct pfi_kif , struct mbuf , int, 215 void , struct pf_pdesc , struct pf_rule **,
205 struct pf_ruleset **);	216 struct pf_ruleset *, struct ifqueue );
206int pf_test_other(struct pf_rule , struct pf_state , 207 int, struct pfi_kif , struct mbuf , int, void , 208* struct pf_pdesc , struct pf_rule *,	217int pf_test_other(struct pf_rule , struct pf_state , 218 int, struct pfi_kif , struct mbuf , int, void , 219* struct pf_pdesc , struct pf_rule *,
209 struct pf_ruleset **);	220 struct pf_ruleset *, struct ifqueue );
210int pf_test_fragment(struct pf_rule *, int, 211* struct pfi_kif , struct mbuf , void , 212* struct pf_pdesc , struct pf_rule , 213* struct pf_ruleset *); 214int pf_test_state_tcp(struct pf_state , int, 215* struct pfi_kif , struct mbuf , int, 216 void , struct pf_pdesc , u_short ); 217int pf_test_state_udp(struct pf_state , int, 218* struct pfi_kif , struct mbuf , int, 219 void , struct pf_pdesc ); 220int pf_test_state_icmp(struct pf_state *, int, 221* struct pfi_kif , struct mbuf , int,	221int pf_test_fragment(struct pf_rule *, int, 222* struct pfi_kif , struct mbuf , void , 223* struct pf_pdesc , struct pf_rule , 224* struct pf_ruleset *); 225int pf_test_state_tcp(struct pf_state , int, 226* struct pfi_kif , struct mbuf , int, 227 void , struct pf_pdesc , u_short ); 228int pf_test_state_udp(struct pf_state , int, 229* struct pfi_kif , struct mbuf , int, 230 void , struct pf_pdesc ); 231int pf_test_state_icmp(struct pf_state *, int, 232* struct pfi_kif , struct mbuf , int,
222 void , struct pf_pdesc );	233 void , struct pf_pdesc , u_short *);
223int pf_test_state_other(struct pf_state *, int, 224* struct pfi_kif , struct pf_pdesc ); 225struct pf_tag pf_get_tag(struct mbuf ); 226int pf_match_tag(struct mbuf , struct pf_rule ,	234int pf_test_state_other(struct pf_state *, int, 235* struct pfi_kif , struct pf_pdesc ); 236struct pf_tag pf_get_tag(struct mbuf ); 237int pf_match_tag(struct mbuf , struct pf_rule ,
227 struct pf_rule , struct pf_tag , int *);	238 struct pf_tag *, int );
228void pf_hash(struct pf_addr , struct pf_addr , 229 struct pf_poolhashkey , sa_family_t); 230int pf_map_addr(u_int8_t, struct pf_rule , 231 struct pf_addr , struct pf_addr , 232 struct pf_addr , struct pf_src_node ); 233int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule , 234 struct pf_addr , struct pf_addr , u_int16_t, 235 struct pf_addr , u_int16_t, u_int16_t, u_int16_t, --- 19 unchanged lines hidden (view full) --- 255 struct pf_addr ); 256int pf_check_proto_cksum(struct mbuf , int, int, 257 u_int8_t, sa_family_t); 258int pf_addr_wrap_neq(struct pf_addr_wrap , 259* struct pf_addr_wrap ); 260static int pf_add_mbuf_tag(struct mbuf , u_int); 261struct pf_state pf_find_state_recurse(struct pfi_kif , 262 struct pf_state *, u_int8_t);	239void pf_hash(struct pf_addr , struct pf_addr , 240 struct pf_poolhashkey , sa_family_t); 241int pf_map_addr(u_int8_t, struct pf_rule , 242 struct pf_addr , struct pf_addr , 243 struct pf_addr , struct pf_src_node ); 244int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule , 245 struct pf_addr , struct pf_addr , u_int16_t, 246 struct pf_addr , u_int16_t, u_int16_t, u_int16_t, --- 19 unchanged lines hidden (view full) --- 266 struct pf_addr ); 267int pf_check_proto_cksum(struct mbuf , int, int, 268 u_int8_t, sa_family_t); 269int pf_addr_wrap_neq(struct pf_addr_wrap , 270* struct pf_addr_wrap ); 271static int pf_add_mbuf_tag(struct mbuf , u_int); 272struct pf_state pf_find_state_recurse(struct pfi_kif , 273 struct pf_state *, u_int8_t);
	274int pf_src_connlimit(struct pf_state *); 275int pf_check_congestion(struct ifqueue );
263 264#ifdef __FreeBSD__ 265int in4_cksum(struct mbuf m, u_int8_t nxt, int off, int len); 266* 267struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];	276 277#ifdef __FreeBSD__ 278int in4_cksum(struct mbuf m, u_int8_t nxt, int off, int len); 279* 280struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
	281
268#else 269struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = { 270 { &pf_state_pl, PFSTATE_HIWAT }, 271 { &pf_src_tree_pl, PFSNODE_HIWAT }, 272 { &pf_frent_pl, PFFRAG_FRENT_HIWAT } 273}; 274#endif 275 276#define STATE_LOOKUP() \ 277 do { \ 278 if (direction == PF_IN) \	282#else 283struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = { 284 { &pf_state_pl, PFSTATE_HIWAT }, 285 { &pf_src_tree_pl, PFSNODE_HIWAT }, 286 { &pf_frent_pl, PFFRAG_FRENT_HIWAT } 287}; 288#endif 289 290#define STATE_LOOKUP() \ 291 do { \ 292 if (direction == PF_IN) \
279 *state = pf_find_state_recurse( \	293 *state = pf_find_state_recurse( \
280 kif, &key, PF_EXT_GWY); \ 281 else \	294 kif, &key, PF_EXT_GWY); \ 295 else \
282 *state = pf_find_state_recurse( \	296 *state = pf_find_state_recurse( \
283 kif, &key, PF_LAN_EXT); \	297 kif, &key, PF_LAN_EXT); \
284 if (*state == NULL) \	298 if (state == NULL \|\| (state)->timeout == PFTM_PURGE) \
285 return (PF_DROP); \ 286 if (direction == PF_OUT && \ 287 (((state)->rule.ptr->rt == PF_ROUTETO && \ 288* (state)->rule.ptr->direction == PF_OUT) \|\| \ 289* ((state)->rule.ptr->rt == PF_REPLYTO && \ 290* (state)->rule.ptr->direction == PF_IN)) && \ 291* (state)->rt_kif != NULL && \ 292* (state)->rt_kif != kif) \ --- 7 unchanged lines hidden* (view full) --- 300 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] \|\| \ 301 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) \|\| \ 302 (s)->lan.port != (s)->gwy.port 303 304#define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) : \ 305 ((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent : \ 306 (k)->pfik_parent->pfik_parent) 307	299 return (PF_DROP); \ 300 if (direction == PF_OUT && \ 301 (((state)->rule.ptr->rt == PF_ROUTETO && \ 302* (state)->rule.ptr->direction == PF_OUT) \|\| \ 303* ((state)->rule.ptr->rt == PF_REPLYTO && \ 304* (state)->rule.ptr->direction == PF_IN)) && \ 305* (state)->rt_kif != NULL && \ 306* (state)->rt_kif != kif) \ --- 7 unchanged lines hidden* (view full) --- 314 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] \|\| \ 315 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) \|\| \ 316 (s)->lan.port != (s)->gwy.port 317 318#define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) : \ 319 ((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent : \ 320 (k)->pfik_parent->pfik_parent) 321
	322#define STATE_INC_COUNTERS(s) \ 323 do { \ 324 s->rule.ptr->states++; \ 325 if (s->anchor.ptr != NULL) \ 326 s->anchor.ptr->states++; \ 327 if (s->nat_rule.ptr != NULL) \ 328 s->nat_rule.ptr->states++; \ 329 } while (0) 330 331#define STATE_DEC_COUNTERS(s) \ 332 do { \ 333 if (s->nat_rule.ptr != NULL) \ 334 s->nat_rule.ptr->states--; \ 335 if (s->anchor.ptr != NULL) \ 336 s->anchor.ptr->states--; \ 337 s->rule.ptr->states--; \ 338 } while (0) 339
308#ifndef __FreeBSD__ 309static __inline int pf_src_compare(struct pf_src_node , struct pf_src_node ); 310static __inline int pf_state_compare_lan_ext(struct pf_state , 311* struct pf_state ); 312static __inline int pf_state_compare_ext_gwy(struct pf_state , 313 struct pf_state ); 314static __inline int pf_state_compare_id(struct pf_state , 315 struct pf_state *);	340#ifndef __FreeBSD__ 341static __inline int pf_src_compare(struct pf_src_node , struct pf_src_node ); 342static __inline int pf_state_compare_lan_ext(struct pf_state , 343* struct pf_state ); 344static __inline int pf_state_compare_ext_gwy(struct pf_state , 345 struct pf_state ); 346static __inline int pf_state_compare_id(struct pf_state , 347 struct pf_state *);
	348static __inline int pf_anchor_compare(struct pf_anchor , struct pf_anchor );
316#else 317static int pf_src_compare(struct pf_src_node , struct pf_src_node ); 318static int pf_state_compare_lan_ext(struct pf_state , 319* struct pf_state ); 320static int pf_state_compare_ext_gwy(struct pf_state , 321 struct pf_state ); 322static int pf_state_compare_id(struct pf_state , 323 struct pf_state *);	349#else 350static int pf_src_compare(struct pf_src_node , struct pf_src_node ); 351static int pf_state_compare_lan_ext(struct pf_state , 352* struct pf_state ); 353static int pf_state_compare_ext_gwy(struct pf_state , 354 struct pf_state ); 355static int pf_state_compare_id(struct pf_state , 356 struct pf_state *);
	357static int pf_anchor_compare(struct pf_anchor , struct pf_anchor );
324#endif 325 326struct pf_src_tree tree_src_tracking; 327 328struct pf_state_tree_id tree_id; 329struct pf_state_queue state_updates; 330 331RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); 332RB_GENERATE(pf_state_tree_lan_ext, pf_state, 333 u.s.entry_lan_ext, pf_state_compare_lan_ext); 334RB_GENERATE(pf_state_tree_ext_gwy, pf_state, 335 u.s.entry_ext_gwy, pf_state_compare_ext_gwy); 336RB_GENERATE(pf_state_tree_id, pf_state, 337 u.s.entry_id, pf_state_compare_id);	358#endif 359 360struct pf_src_tree tree_src_tracking; 361 362struct pf_state_tree_id tree_id; 363struct pf_state_queue state_updates; 364 365RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); 366RB_GENERATE(pf_state_tree_lan_ext, pf_state, 367 u.s.entry_lan_ext, pf_state_compare_lan_ext); 368RB_GENERATE(pf_state_tree_ext_gwy, pf_state, 369 u.s.entry_ext_gwy, pf_state_compare_ext_gwy); 370RB_GENERATE(pf_state_tree_id, pf_state, 371 u.s.entry_id, pf_state_compare_id);
	372RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); 373RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
338 339#ifdef __FreeBSD__ 340static int 341#else 342static __inline int 343#endif 344pf_src_compare(struct pf_src_node a, struct pf_src_node b) 345{ --- 196 unchanged lines hidden (view full) --- 542 if (a->creatorid > b->creatorid) 543 return (1); 544 if (a->creatorid < b->creatorid) 545 return (-1); 546 547 return (0); 548} 549	374 375#ifdef __FreeBSD__ 376static int 377#else 378static __inline int 379#endif 380pf_src_compare(struct pf_src_node a, struct pf_src_node b) 381{ --- 196 unchanged lines hidden (view full) --- 578 if (a->creatorid > b->creatorid) 579 return (1); 580 if (a->creatorid < b->creatorid) 581 return (-1); 582 583 return (0); 584} 585
	586#ifdef __FreeBSD__ 587static int 588#else 589static __inline int 590#endif 591pf_anchor_compare(struct pf_anchor a, struct pf_anchor b) 592{ 593 int c = strcmp(a->path, b->path); 594 595 return (c ? (c < 0 ? -1 : 1) : 0); 596} 597
550#ifdef INET6 551void 552pf_addrcpy(struct pf_addr dst, struct pf_addr src, sa_family_t af) 553{ 554 switch (af) { 555#ifdef INET 556 case AF_INET: 557 dst->addr32[0] = src->addr32[0]; 558 break; 559#endif /* INET / 560* case AF_INET6: 561 dst->addr32[0] = src->addr32[0]; 562 dst->addr32[1] = src->addr32[1]; 563 dst->addr32[2] = src->addr32[2]; 564 dst->addr32[3] = src->addr32[3]; 565 break; 566 } 567}	598#ifdef INET6 599void 600pf_addrcpy(struct pf_addr dst, struct pf_addr src, sa_family_t af) 601{ 602 switch (af) { 603#ifdef INET 604 case AF_INET: 605 dst->addr32[0] = src->addr32[0]; 606 break; 607#endif /* INET / 608* case AF_INET6: 609 dst->addr32[0] = src->addr32[0]; 610 dst->addr32[1] = src->addr32[1]; 611 dst->addr32[2] = src->addr32[2]; 612 dst->addr32[3] = src->addr32[3]; 613 break; 614 } 615}
568#endif	616#endif /* INET6 */
569 570struct pf_state * 571pf_find_state_byid(struct pf_state key) 572{ 573* pf_status.fcounters[FCNT_STATE_SEARCH]++; 574 return (RB_FIND(pf_state_tree_id, &tree_id, key)); 575} 576 --- 59 unchanged lines hidden (view full) --- 636 (more)++; 637* } 638 return (ss); 639 default: 640 panic("pf_find_state_all"); 641 } 642} 643	617 618struct pf_state * 619pf_find_state_byid(struct pf_state key) 620{ 621* pf_status.fcounters[FCNT_STATE_SEARCH]++; 622 return (RB_FIND(pf_state_tree_id, &tree_id, key)); 623} 624 --- 59 unchanged lines hidden (view full) --- 684 (more)++; 685* } 686 return (ss); 687 default: 688 panic("pf_find_state_all"); 689 } 690} 691
	692void 693pf_init_threshold(struct pf_threshold threshold, 694* u_int32_t limit, u_int32_t seconds) 695{ 696 threshold->limit = limit * PF_THRESHOLD_MULT; 697 threshold->seconds = seconds; 698 threshold->count = 0; 699 threshold->last = time_second; 700} 701 702void 703pf_add_threshold(struct pf_threshold threshold) 704{ 705* u_int32_t t = time_second, diff = t - threshold->last; 706 707 if (diff >= threshold->seconds) 708 threshold->count = 0; 709 else 710 threshold->count -= threshold->count * diff / 711 threshold->seconds; 712 threshold->count += PF_THRESHOLD_MULT; 713 threshold->last = t; 714} 715
644int	716int
	717pf_check_threshold(struct pf_threshold threshold) 718{ 719* return (threshold->count > threshold->limit); 720} 721 722int 723pf_src_connlimit(struct pf_state *state) 724{ 725* struct pf_state s; 726* int bad = 0; 727 728 (state)->src_node->conn++; 729* pf_add_threshold(&(state)->src_node->conn_rate); 730* 731 if ((state)->rule.ptr->max_src_conn && 732* (state)->rule.ptr->max_src_conn < 733* (state)->src_node->conn) { 734* pf_status.lcounters[LCNT_SRCCONN]++; 735 bad++; 736 } 737 738 if ((state)->rule.ptr->max_src_conn_rate.limit && 739* pf_check_threshold(&(state)->src_node->conn_rate)) { 740* pf_status.lcounters[LCNT_SRCCONNRATE]++; 741 bad++; 742 } 743 744 if (!bad) 745 return (0); 746 747 if ((state)->rule.ptr->overload_tbl) { 748* struct pfr_addr p; 749 u_int32_t killed = 0; 750 751 pf_status.lcounters[LCNT_OVERLOAD_TABLE]++; 752 if (pf_status.debug >= PF_DEBUG_MISC) { 753 printf("pf_src_connlimit: blocking address "); 754 pf_print_host(&(state)->src_node->addr, 0, 755* (state)->af); 756* } 757 758 bzero(&p, sizeof(p)); 759 p.pfra_af = (state)->af; 760* switch ((state)->af) { 761#ifdef INET 762* case AF_INET: 763 p.pfra_net = 32; 764 p.pfra_ip4addr = (state)->src_node->addr.v4; 765* break; 766#endif /* INET / 767#ifdef INET6 768* case AF_INET6: 769 p.pfra_net = 128; 770 p.pfra_ip6addr = (state)->src_node->addr.v6; 771* break; 772#endif /* INET6 / 773* } 774 775 pfr_insert_kentry((state)->rule.ptr->overload_tbl, 776* &p, time_second); 777 778 /* kill existing states if that's required. / 779* if ((state)->rule.ptr->flush) { 780* pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++; 781 782 RB_FOREACH(s, pf_state_tree_id, &tree_id) { 783 /* 784 * Kill states from this source. (Only those 785 * from the same rule if PF_FLUSH_GLOBAL is not 786 * set) 787 / 788* if (s->af == (state)->af && 789* (((state)->direction == PF_OUT && 790* PF_AEQ(&(state)->src_node->addr, 791* &s->lan.addr, s->af)) \|\| 792 ((state)->direction == PF_IN && 793* PF_AEQ(&(state)->src_node->addr, 794* &s->ext.addr, s->af))) && 795 ((state)->rule.ptr->flush & 796* PF_FLUSH_GLOBAL \|\| 797 (state)->rule.ptr == s->rule.ptr)) { 798* s->timeout = PFTM_PURGE; 799 s->src.state = s->dst.state = 800 TCPS_CLOSED; 801 killed++; 802 } 803 } 804 if (pf_status.debug >= PF_DEBUG_MISC) 805 printf(", %u states killed", killed); 806 } 807 if (pf_status.debug >= PF_DEBUG_MISC) 808 printf("\n"); 809 } 810 811 /* kill this state / 812* (state)->timeout = PFTM_PURGE; 813* (state)->src.state = (state)->dst.state = TCPS_CLOSED; 814 return (1); 815} 816 817int
645pf_insert_src_node(struct pf_src_node *sn, struct pf_rule rule, 646 struct pf_addr src, sa_family_t af) 647{ 648* struct pf_src_node k; 649 650 if (sn == NULL) { 651* k.af = af; 652 PF_ACPY(&k.addr, src, af); --- 4 unchanged lines hidden (view full) --- 657 k.rule.ptr = NULL; 658 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 659 sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 660* } 661 if (sn == NULL) { 662* if (!rule->max_src_nodes \|\| 663 rule->src_nodes < rule->max_src_nodes) 664 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);	818pf_insert_src_node(struct pf_src_node *sn, struct pf_rule rule, 819 struct pf_addr src, sa_family_t af) 820{ 821* struct pf_src_node k; 822 823 if (sn == NULL) { 824* k.af = af; 825 PF_ACPY(&k.addr, src, af); --- 4 unchanged lines hidden (view full) --- 830 k.rule.ptr = NULL; 831 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 832 sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 833* } 834 if (sn == NULL) { 835* if (!rule->max_src_nodes \|\| 836 rule->src_nodes < rule->max_src_nodes) 837 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
	838 else 839 pf_status.lcounters[LCNT_SRCNODES]++;
665 if ((sn) == NULL) 666* return (-1); 667 bzero(*sn, sizeof(struct pf_src_node));	840 if ((sn) == NULL) 841* return (-1); 842 bzero(*sn, sizeof(struct pf_src_node));
	843 844 pf_init_threshold(&(sn)->conn_rate, 845* rule->max_src_conn_rate.limit, 846 rule->max_src_conn_rate.seconds); 847
668 (sn)->af = af; 669* if (rule->rule_flag & PFRULE_RULESRCTRACK \|\| 670 rule->rpool.opts & PF_POOL_STICKYADDR) 671 (sn)->rule.ptr = rule; 672* else 673 (sn)->rule.ptr = NULL; 674* PF_ACPY(&(sn)->addr, src, af); 675* if (RB_INSERT(pf_src_tree, 676 &tree_src_tracking, sn) != NULL) { 677* if (pf_status.debug >= PF_DEBUG_MISC) { 678 printf("pf: src_tree insert failed: "); 679 pf_print_host(&(sn)->addr, 0, af); 680* printf("\n"); 681 } 682 pool_put(&pf_src_tree_pl, sn); 683* return (-1); 684 }	848 (sn)->af = af; 849* if (rule->rule_flag & PFRULE_RULESRCTRACK \|\| 850 rule->rpool.opts & PF_POOL_STICKYADDR) 851 (sn)->rule.ptr = rule; 852* else 853 (sn)->rule.ptr = NULL; 854* PF_ACPY(&(sn)->addr, src, af); 855* if (RB_INSERT(pf_src_tree, 856 &tree_src_tracking, sn) != NULL) { 857* if (pf_status.debug >= PF_DEBUG_MISC) { 858 printf("pf: src_tree insert failed: "); 859 pf_print_host(&(sn)->addr, 0, af); 860* printf("\n"); 861 } 862 pool_put(&pf_src_tree_pl, sn); 863* return (-1); 864 }
685#ifdef __FreeBSD__
686 (*sn)->creation = time_second;	865 (*sn)->creation = time_second;
687#else 688 (sn)->creation = time.tv_sec; 689*#endif
690 (sn)->ruletype = rule->action; 691* if ((sn)->rule.ptr != NULL) 692* (sn)->rule.ptr->src_nodes++; 693* pf_status.scounters[SCNT_SRC_NODE_INSERT]++; 694 pf_status.src_nodes++; 695 } else { 696 if (rule->max_src_states &&	866 (sn)->ruletype = rule->action; 867* if ((sn)->rule.ptr != NULL) 868* (sn)->rule.ptr->src_nodes++; 869* pf_status.scounters[SCNT_SRC_NODE_INSERT]++; 870 pf_status.src_nodes++; 871 } else { 872 if (rule->max_src_states &&
697 (*sn)->states >= rule->max_src_states)	873 (sn)->states >= rule->max_src_states) { 874* pf_status.lcounters[LCNT_SRCSTATES]++;
698 return (-1);	875 return (-1);
	876 }
699 } 700 return (0); 701} 702 703int 704pf_insert_state(struct pfi_kif kif, struct pf_state state) 705{ 706 /* Thou MUST NOT insert multiple duplicate keys / --- 107 unchanged lines hidden* (view full) --- 814{ 815 u_int32_t timeout; 816 u_int32_t start; 817 u_int32_t end; 818 u_int32_t states; 819 820 /* handle all PFTM_* > PFTM_MAX here / 821* if (state->timeout == PFTM_PURGE)	877 } 878 return (0); 879} 880 881int 882pf_insert_state(struct pfi_kif kif, struct pf_state state) 883{ 884 /* Thou MUST NOT insert multiple duplicate keys / --- 107 unchanged lines hidden* (view full) --- 992{ 993 u_int32_t timeout; 994 u_int32_t start; 995 u_int32_t end; 996 u_int32_t states; 997 998 /* handle all PFTM_* > PFTM_MAX here / 999* if (state->timeout == PFTM_PURGE)
822#ifdef __FreeBSD__
823 return (time_second);	1000 return (time_second);
824#else 825 return (time.tv_sec); 826#endif
827 if (state->timeout == PFTM_UNTIL_PACKET) 828 return (0); 829#ifdef __FreeBSD__ 830 KASSERT((state->timeout < PFTM_MAX), 831 ("pf_state_expires: timeout > PFTM_MAX")); 832#else 833 KASSERT(state->timeout < PFTM_MAX); 834#endif --- 9 unchanged lines hidden (view full) --- 844 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 845 states = pf_status.states; 846 } 847 if (end && states > start && start < end) { 848 if (states < end) 849 return (state->expire + timeout * (end - states) / 850 (end - start)); 851 else	1001 if (state->timeout == PFTM_UNTIL_PACKET) 1002 return (0); 1003#ifdef __FreeBSD__ 1004 KASSERT((state->timeout < PFTM_MAX), 1005 ("pf_state_expires: timeout > PFTM_MAX")); 1006#else 1007 KASSERT(state->timeout < PFTM_MAX); 1008#endif --- 9 unchanged lines hidden (view full) --- 1018 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 1019 states = pf_status.states; 1020 } 1021 if (end && states > start && start < end) { 1022 if (states < end) 1023 return (state->expire + timeout * (end - states) / 1024 (end - start)); 1025 else
852#ifdef __FreeBSD__
853 return (time_second);	1026 return (time_second);
854#else 855 return (time.tv_sec); 856#endif
857 } 858 return (state->expire + timeout); 859} 860 861void 862pf_purge_expired_src_nodes(void) 863{ 864 struct pf_src_node cur, next; 865 866 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) { 867 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur); 868	1027 } 1028 return (state->expire + timeout); 1029} 1030 1031void 1032pf_purge_expired_src_nodes(void) 1033{ 1034 struct pf_src_node cur, next; 1035 1036 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) { 1037 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur); 1038
869#ifdef __FreeBSD__
870 if (cur->states <= 0 && cur->expire <= time_second) {	1039 if (cur->states <= 0 && cur->expire <= time_second) {
871#else 872 if (cur->states <= 0 && cur->expire <= time.tv_sec) { 873#endif
874 if (cur->rule.ptr != NULL) { 875 cur->rule.ptr->src_nodes--; 876 if (cur->rule.ptr->states <= 0 && 877 cur->rule.ptr->max_src_nodes <= 0) 878 pf_rm_rule(NULL, cur->rule.ptr); 879 } 880 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur); 881 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; --- 4 unchanged lines hidden (view full) --- 886} 887 888void 889pf_src_tree_remove_state(struct pf_state s) 890{ 891* u_int32_t timeout; 892 893 if (s->src_node != NULL) {	1040 if (cur->rule.ptr != NULL) { 1041 cur->rule.ptr->src_nodes--; 1042 if (cur->rule.ptr->states <= 0 && 1043 cur->rule.ptr->max_src_nodes <= 0) 1044 pf_rm_rule(NULL, cur->rule.ptr); 1045 } 1046 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur); 1047 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; --- 4 unchanged lines hidden (view full) --- 1052} 1053 1054void 1055pf_src_tree_remove_state(struct pf_state s) 1056{ 1057* u_int32_t timeout; 1058 1059 if (s->src_node != NULL) {
	1060 if (s->proto == IPPROTO_TCP) { 1061 if (s->src.state == PF_TCPS_PROXY_DST \|\| 1062 s->timeout >= PFTM_TCP_ESTABLISHED) 1063 --s->src_node->conn; 1064 }
894 if (--s->src_node->states <= 0) { 895 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 896 if (!timeout) 897 timeout = 898 pf_default_rule.timeout[PFTM_SRC_NODE];	1065 if (--s->src_node->states <= 0) { 1066 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 1067 if (!timeout) 1068 timeout = 1069 pf_default_rule.timeout[PFTM_SRC_NODE];
899#ifdef __FreeBSD__
900 s->src_node->expire = time_second + timeout;	1070 s->src_node->expire = time_second + timeout;
901#else 902 s->src_node->expire = time.tv_sec + timeout; 903#endif
904 } 905 } 906 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { 907 if (--s->nat_src_node->states <= 0) { 908 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 909 if (!timeout) 910 timeout = 911 pf_default_rule.timeout[PFTM_SRC_NODE];	1071 } 1072 } 1073 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { 1074 if (--s->nat_src_node->states <= 0) { 1075 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 1076 if (!timeout) 1077 timeout = 1078 pf_default_rule.timeout[PFTM_SRC_NODE];
912#ifdef __FreeBSD__
913 s->nat_src_node->expire = time_second + timeout;	1079 s->nat_src_node->expire = time_second + timeout;
914#else 915 s->nat_src_node->expire = time.tv_sec + timeout; 916#endif
917 } 918 } 919 s->src_node = s->nat_src_node = NULL; 920} 921 922void	1080 } 1081 } 1082 s->src_node = s->nat_src_node = NULL; 1083} 1084 1085void
	1086pf_purge_expired_state(struct pf_state cur) 1087{ 1088* if (cur->src.state == PF_TCPS_PROXY_DST) 1089 pf_send_tcp(cur->rule.ptr, cur->af, 1090 &cur->ext.addr, &cur->lan.addr, 1091 cur->ext.port, cur->lan.port, 1092 cur->src.seqhi, cur->src.seqlo + 1, 1093 TH_RST\|TH_ACK, 0, 0, 0, 1, NULL, NULL); 1094 RB_REMOVE(pf_state_tree_ext_gwy, 1095 &cur->u.s.kif->pfik_ext_gwy, cur); 1096 RB_REMOVE(pf_state_tree_lan_ext, 1097 &cur->u.s.kif->pfik_lan_ext, cur); 1098 RB_REMOVE(pf_state_tree_id, &tree_id, cur); 1099#if NPFSYNC 1100 pfsync_delete_state(cur); 1101#endif 1102 pf_src_tree_remove_state(cur); 1103 if (--cur->rule.ptr->states <= 0 && 1104 cur->rule.ptr->src_nodes <= 0) 1105 pf_rm_rule(NULL, cur->rule.ptr); 1106 if (cur->nat_rule.ptr != NULL) 1107 if (--cur->nat_rule.ptr->states <= 0 && 1108 cur->nat_rule.ptr->src_nodes <= 0) 1109 pf_rm_rule(NULL, cur->nat_rule.ptr); 1110 if (cur->anchor.ptr != NULL) 1111 if (--cur->anchor.ptr->states <= 0) 1112 pf_rm_rule(NULL, cur->anchor.ptr); 1113 pf_normalize_tcp_cleanup(cur); 1114 pfi_detach_state(cur->u.s.kif); 1115 TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates); 1116 if (cur->tag) 1117 pf_tag_unref(cur->tag); 1118 pool_put(&pf_state_pl, cur); 1119 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 1120 pf_status.states--; 1121} 1122 1123void
923pf_purge_expired_states(void) 924{ 925 struct pf_state cur, next; 926 927 for (cur = RB_MIN(pf_state_tree_id, &tree_id); 928 cur; cur = next) { 929 next = RB_NEXT(pf_state_tree_id, &tree_id, cur);	1124pf_purge_expired_states(void) 1125{ 1126 struct pf_state cur, next; 1127 1128 for (cur = RB_MIN(pf_state_tree_id, &tree_id); 1129 cur; cur = next) { 1130 next = RB_NEXT(pf_state_tree_id, &tree_id, cur);
930 931#ifdef __FreeBSD__ 932 if (pf_state_expires(cur) <= time_second) { 933#else 934 if (pf_state_expires(cur) <= time.tv_sec) { 935#endif 936 if (cur->src.state == PF_TCPS_PROXY_DST) 937 pf_send_tcp(cur->rule.ptr, cur->af, 938 &cur->ext.addr, &cur->lan.addr, 939 cur->ext.port, cur->lan.port, 940 cur->src.seqhi, cur->src.seqlo + 1, 0, 941 TH_RST\|TH_ACK, 0, 0); 942 RB_REMOVE(pf_state_tree_ext_gwy, 943 &cur->u.s.kif->pfik_ext_gwy, cur); 944 RB_REMOVE(pf_state_tree_lan_ext, 945 &cur->u.s.kif->pfik_lan_ext, cur); 946 RB_REMOVE(pf_state_tree_id, &tree_id, cur); 947#if NPFSYNC 948 pfsync_delete_state(cur); 949#endif 950 pf_src_tree_remove_state(cur); 951 if (--cur->rule.ptr->states <= 0 && 952 cur->rule.ptr->src_nodes <= 0) 953 pf_rm_rule(NULL, cur->rule.ptr); 954 if (cur->nat_rule.ptr != NULL) 955 if (--cur->nat_rule.ptr->states <= 0 && 956 cur->nat_rule.ptr->src_nodes <= 0) 957 pf_rm_rule(NULL, cur->nat_rule.ptr); 958 if (cur->anchor.ptr != NULL) 959 if (--cur->anchor.ptr->states <= 0) 960 pf_rm_rule(NULL, cur->anchor.ptr); 961 pf_normalize_tcp_cleanup(cur); 962 pfi_detach_state(cur->u.s.kif); 963 TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates); 964 pool_put(&pf_state_pl, cur); 965 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 966 pf_status.states--; 967 }	1131 if (pf_state_expires(cur) <= time_second) 1132 pf_purge_expired_state(cur);
968 } 969} 970 971int 972pf_tbladdr_setup(struct pf_ruleset rs, struct pf_addr_wrap aw) 973{ 974 if (aw->type != PF_ADDR_TABLE) 975 return (0); --- 173 unchanged lines hidden (view full) --- 1149 if (cur->kif != prev->kif \|\| cur->ifnot != prev->ifnot) 1150 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 1151 if (cur->direction != prev->direction) 1152 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 1153 if (cur->af != prev->af) 1154 PF_SET_SKIP_STEPS(PF_SKIP_AF); 1155 if (cur->proto != prev->proto) 1156 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);	1133 } 1134} 1135 1136int 1137pf_tbladdr_setup(struct pf_ruleset rs, struct pf_addr_wrap aw) 1138{ 1139 if (aw->type != PF_ADDR_TABLE) 1140 return (0); --- 173 unchanged lines hidden (view full) --- 1314 if (cur->kif != prev->kif \|\| cur->ifnot != prev->ifnot) 1315 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 1316 if (cur->direction != prev->direction) 1317 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 1318 if (cur->af != prev->af) 1319 PF_SET_SKIP_STEPS(PF_SKIP_AF); 1320 if (cur->proto != prev->proto) 1321 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1157 if (cur->src.not != prev->src.not \|\|	1322 if (cur->src.neg != prev->src.neg \|\|
1158 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 1159 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 1160 if (cur->src.port[0] != prev->src.port[0] \|\| 1161 cur->src.port[1] != prev->src.port[1] \|\| 1162 cur->src.port_op != prev->src.port_op) 1163 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);	1323 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 1324 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 1325 if (cur->src.port[0] != prev->src.port[0] \|\| 1326 cur->src.port[1] != prev->src.port[1] \|\| 1327 cur->src.port_op != prev->src.port_op) 1328 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1164 if (cur->dst.not != prev->dst.not \|\|	1329 if (cur->dst.neg != prev->dst.neg \|\|
1165 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 1166 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 1167 if (cur->dst.port[0] != prev->dst.port[0] \|\| 1168 cur->dst.port[1] != prev->dst.port[1] \|\| 1169 cur->dst.port_op != prev->dst.port_op) 1170 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 1171 1172 prev = cur; --- 22 unchanged lines hidden (view full) --- 1195 case PF_ADDR_TABLE: 1196 return (aw1->p.tbl != aw2->p.tbl); 1197 default: 1198 printf("invalid address type: %d\n", aw1->type); 1199 return (1); 1200 } 1201} 1202	1330 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 1331 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 1332 if (cur->dst.port[0] != prev->dst.port[0] \|\| 1333 cur->dst.port[1] != prev->dst.port[1] \|\| 1334 cur->dst.port_op != prev->dst.port_op) 1335 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 1336 1337 prev = cur; --- 22 unchanged lines hidden (view full) --- 1360 case PF_ADDR_TABLE: 1361 return (aw1->p.tbl != aw2->p.tbl); 1362 default: 1363 printf("invalid address type: %d\n", aw1->type); 1364 return (1); 1365 } 1366} 1367
1203void 1204pf_update_anchor_rules() 1205{ 1206 struct pf_rule rule; 1207* int i; 1208 1209 for (i = 0; i < PF_RULESET_MAX; ++i) 1210 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr, 1211 entries) 1212 if (rule->anchorname[0]) 1213 rule->anchor = pf_find_anchor(rule->anchorname); 1214 else 1215 rule->anchor = NULL; 1216} 1217
1218u_int16_t 1219pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1220{ 1221 u_int32_t l; 1222 1223 if (udp && !cksum) 1224 return (0x0000); 1225 l = cksum + old - new; --- 168 unchanged lines hidden (view full) --- 1394#endif /* INET6 / 1395* } 1396} 1397 1398void 1399pf_send_tcp(const struct pf_rule r, sa_family_t af, 1400* const struct pf_addr saddr, const struct pf_addr daddr, 1401 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,	1368u_int16_t 1369pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1370{ 1371 u_int32_t l; 1372 1373 if (udp && !cksum) 1374 return (0x0000); 1375 l = cksum + old - new; --- 168 unchanged lines hidden (view full) --- 1544#endif /* INET6 / 1545* } 1546} 1547 1548void 1549pf_send_tcp(const struct pf_rule r, sa_family_t af, 1550* const struct pf_addr saddr, const struct pf_addr daddr, 1551 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
1402 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl)	1552 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag, 1553 struct ether_header eh, struct ifnet ifp)
1403{ 1404 struct mbuf *m;	1554{ 1555 struct mbuf *m;
1405#ifdef ALTQ 1406 struct m_tag mtag; 1407*#endif
1408 int len = 0, tlen; /* make the compiler happy / 1409#ifdef INET 1410* struct ip h = NULL; / make the compiler happy / 1411#endif / INET / 1412#ifdef INET6 1413* struct ip6_hdr h6 = NULL; / make the compiler happy / 1414#endif / INET6 / 1415* struct tcphdr th = NULL; / make the compiler happy */	1556 int len = 0, tlen; /* make the compiler happy / 1557#ifdef INET 1558* struct ip h = NULL; / make the compiler happy / 1559#endif / INET / 1560#ifdef INET6 1561* struct ip6_hdr h6 = NULL; / make the compiler happy / 1562#endif / INET6 / 1563* struct tcphdr th = NULL; / make the compiler happy */
1416#ifdef __FreeBSD__ 1417 struct ip ip; 1418*#endif
1419 char opt; 1420* 1421 /* maximum segment size tcp option / 1422* tlen = sizeof(struct tcphdr); 1423 if (mss) 1424 tlen += 4; 1425 1426 switch (af) { --- 5 unchanged lines hidden (view full) --- 1432#ifdef INET6 1433 case AF_INET6: 1434 len = sizeof(struct ip6_hdr) + tlen; 1435 break; 1436#endif /* INET6 / 1437* } 1438 1439 /* create outgoing mbuf */	1564 char opt; 1565* 1566 /* maximum segment size tcp option / 1567* tlen = sizeof(struct tcphdr); 1568 if (mss) 1569 tlen += 4; 1570 1571 switch (af) { --- 5 unchanged lines hidden (view full) --- 1577#ifdef INET6 1578 case AF_INET6: 1579 len = sizeof(struct ip6_hdr) + tlen; 1580 break; 1581#endif /* INET6 / 1582* } 1583 1584 /* create outgoing mbuf */
1440#ifdef __FreeBSD__
1441 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1442 if (m == NULL) 1443 return;	1585 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1586 if (m == NULL) 1587 return;
1444 m->m_flags \|= M_SKIP_FIREWALL;	1588 if (tag) { 1589#ifdef __FreeBSD__ 1590 m->m_flags \|= M_SKIP_FIREWALL;
1445#else	1591#else
1446 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1447 if (mtag == NULL) 1448 return; 1449 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1450 if (m == NULL) { 1451 m_tag_free(mtag); 1452 return; 1453 } 1454 m_tag_prepend(m, mtag);	1592 struct m_tag mtag; 1593* 1594 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1595 if (mtag == NULL) { 1596 m_freem(m); 1597 return; 1598 } 1599 m_tag_prepend(m, mtag);
1455#endif	1600#endif
	1601 }
1456#ifdef ALTQ 1457 if (r != NULL && r->qid) {	1602#ifdef ALTQ 1603 if (r != NULL && r->qid) {
	1604 struct m_tag *mtag;
1458 struct altq_tag atag; 1459* 1460 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(atag), M_NOWAIT); 1461* if (mtag != NULL) { 1462 atag = (struct altq_tag )(mtag + 1); 1463* atag->qid = r->qid; 1464 /* add hints for ecn / 1465* atag->af = af; 1466 atag->hdr = mtod(m, struct ip ); 1467* m_tag_prepend(m, mtag); 1468 } 1469 }	1605 struct altq_tag atag; 1606* 1607 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(atag), M_NOWAIT); 1608* if (mtag != NULL) { 1609 atag = (struct altq_tag )(mtag + 1); 1610* atag->qid = r->qid; 1611 /* add hints for ecn / 1612* atag->af = af; 1613 atag->hdr = mtod(m, struct ip ); 1614* m_tag_prepend(m, mtag); 1615 } 1616 }
1470#endif	1617#endif /* ALTQ */
1471 m->m_data += max_linkhdr; 1472 m->m_pkthdr.len = m->m_len = len; 1473 m->m_pkthdr.rcvif = NULL; 1474 bzero(m->m_data, len); 1475 switch (af) { 1476#ifdef INET 1477 case AF_INET: 1478 h = mtod(m, struct ip ); --- 53 unchanged lines hidden* (view full) --- 1532 h->ip_off = path_mtu_discovery ? IP_DF : 0; 1533 h->ip_len = len; 1534#else 1535 h->ip_off = htons(ip_mtudisc ? IP_DF : 0); 1536 h->ip_len = htons(len); 1537#endif 1538 h->ip_ttl = ttl ? ttl : ip_defttl; 1539 h->ip_sum = 0;	1618 m->m_data += max_linkhdr; 1619 m->m_pkthdr.len = m->m_len = len; 1620 m->m_pkthdr.rcvif = NULL; 1621 bzero(m->m_data, len); 1622 switch (af) { 1623#ifdef INET 1624 case AF_INET: 1625 h = mtod(m, struct ip ); --- 53 unchanged lines hidden* (view full) --- 1679 h->ip_off = path_mtu_discovery ? IP_DF : 0; 1680 h->ip_len = len; 1681#else 1682 h->ip_off = htons(ip_mtudisc ? IP_DF : 0); 1683 h->ip_len = htons(len); 1684#endif 1685 h->ip_ttl = ttl ? ttl : ip_defttl; 1686 h->ip_sum = 0;
	1687 if (eh == NULL) {
1540#ifdef __FreeBSD__	1688#ifdef __FreeBSD__
1541 ip = mtod(m, struct ip ); 1542* PF_UNLOCK(); 1543 ip_output(m, (void )NULL, (void )NULL, 0, (void )NULL, 1544* (void )NULL); 1545* PF_LOCK();	1689 PF_UNLOCK(); 1690 ip_output(m, (void )NULL, (void )NULL, 0, 1691 (void )NULL, (void )NULL); 1692 PF_LOCK();
1546#else /* ! __FreeBSD__ */	1693#else /* ! __FreeBSD__ */
1547 ip_output(m, (void )NULL, (void )NULL, 0, (void )NULL, 1548* (void *)NULL);	1694 ip_output(m, (void )NULL, (void )NULL, 0, 1695 (void )NULL, (void )NULL);
1549#endif	1696#endif
	1697 } else { 1698 struct route ro; 1699 struct rtentry rt; 1700 struct ether_header e = (void )ro.ro_dst.sa_data; 1701 1702 if (ifp == NULL) { 1703 m_freem(m); 1704 return; 1705 } 1706 rt.rt_ifp = ifp; 1707 ro.ro_rt = &rt; 1708 ro.ro_dst.sa_len = sizeof(ro.ro_dst); 1709 ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT; 1710 bcopy(eh->ether_dhost, e->ether_shost, ETHER_ADDR_LEN); 1711 bcopy(eh->ether_shost, e->ether_dhost, ETHER_ADDR_LEN); 1712 e->ether_type = eh->ether_type; 1713#ifdef __FreeBSD__ 1714 PF_UNLOCK(); 1715 /* XXX_IMPORT: later / 1716* ip_output(m, (void )NULL, &ro, 0, 1717* (void )NULL, (void )NULL); 1718 PF_LOCK(); 1719#else /* ! __FreeBSD__ / 1720* ip_output(m, (void )NULL, &ro, IP_ROUTETOETHER, 1721* (void )NULL, (void )NULL); 1722#endif 1723 }
1550 break; 1551#endif /* INET / 1552#ifdef INET6 1553* case AF_INET6: 1554 /* TCP checksum / 1555* th->th_sum = in6_cksum(m, IPPROTO_TCP, 1556 sizeof(struct ip6_hdr), tlen); 1557 --- 50 unchanged lines hidden (view full) --- 1608 atag = (struct altq_tag )(mtag + 1); 1609* atag->qid = r->qid; 1610 /* add hints for ecn / 1611* atag->af = af; 1612 atag->hdr = mtod(m0, struct ip ); 1613* m_tag_prepend(m0, mtag); 1614 } 1615 }	1724 break; 1725#endif /* INET / 1726#ifdef INET6 1727* case AF_INET6: 1728 /* TCP checksum / 1729* th->th_sum = in6_cksum(m, IPPROTO_TCP, 1730 sizeof(struct ip6_hdr), tlen); 1731 --- 50 unchanged lines hidden (view full) --- 1782 atag = (struct altq_tag )(mtag + 1); 1783* atag->qid = r->qid; 1784 /* add hints for ecn / 1785* atag->af = af; 1786 atag->hdr = mtod(m0, struct ip ); 1787* m_tag_prepend(m0, mtag); 1788 } 1789 }
1616#endif	1790#endif /* ALTQ */
1617 1618 switch (af) { 1619#ifdef INET 1620 case AF_INET: 1621#ifdef __FreeBSD__ 1622 /* icmp_error() expects host byte ordering / 1623* ip = mtod(m0, struct ip ); 1624* NTOHS(ip->ip_len); --- 124 unchanged lines hidden (view full) --- 1749 1750 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL) 1751 return ((struct pf_tag )(mtag + 1)); 1752* else 1753 return (NULL); 1754} 1755 1756int	1791 1792 switch (af) { 1793#ifdef INET 1794 case AF_INET: 1795#ifdef __FreeBSD__ 1796 /* icmp_error() expects host byte ordering / 1797* ip = mtod(m0, struct ip ); 1798* NTOHS(ip->ip_len); --- 124 unchanged lines hidden (view full) --- 1923 1924 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL) 1925 return ((struct pf_tag )(mtag + 1)); 1926* else 1927 return (NULL); 1928} 1929 1930int
1757pf_match_tag(struct mbuf m, struct pf_rule r, struct pf_rule nat_rule, 1758* struct pf_tag pftag, int tag)	1931pf_match_tag(struct mbuf m, struct pf_rule r, struct pf_tag *pftag, int tag)
1759{ 1760 if (tag == -1) { / find mbuf tag */	1932{ 1933 if (tag == -1) { / find mbuf tag */
1761 pftag = pf_get_tag(m); 1762 if (pftag != NULL) 1763 *tag = pftag->tag;	1934 pftag = pf_get_tag(m); 1935* if (pftag != NULL) 1936* tag = (pftag)->tag;
1764 else 1765 *tag = 0;	1937 else 1938 *tag = 0;
1766 if (nat_rule != NULL && nat_rule->tag) 1767 *tag = nat_rule->tag;
1768 } 1769 1770 return ((!r->match_tag_not && r->match_tag == tag) \|\| 1771* (r->match_tag_not && r->match_tag != tag)); 1772} 1773* 1774int 1775pf_tag_packet(struct mbuf m, struct pf_tag pftag, int tag) --- 10 unchanged lines hidden (view full) --- 1786 ((struct pf_tag )(mtag + 1))->tag = tag; 1787* m_tag_prepend(m, mtag); 1788 } else 1789 pftag->tag = tag; 1790 1791 return (0); 1792} 1793	1939 } 1940 1941 return ((!r->match_tag_not && r->match_tag == tag) \|\| 1942* (r->match_tag_not && r->match_tag != tag)); 1943} 1944* 1945int 1946pf_tag_packet(struct mbuf m, struct pf_tag pftag, int tag) --- 10 unchanged lines hidden (view full) --- 1957 ((struct pf_tag )(mtag + 1))->tag = tag; 1958* m_tag_prepend(m, mtag); 1959 } else 1960 pftag->tag = tag; 1961 1962 return (0); 1963} 1964
1794#define PF_STEP_INTO_ANCHOR(r, a, s, n) \ 1795 do { \ 1796 if ((r) == NULL \|\| (r)->anchor == NULL \|\| \ 1797 (s) != NULL \|\| (a) != NULL) \ 1798 panic("PF_STEP_INTO_ANCHOR"); \ 1799 (a) = (r); \ 1800 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \ 1801 (r) = NULL; \ 1802 while ((s) != NULL && ((r) = \ 1803 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1804 (s) = TAILQ_NEXT((s), entries); \ 1805 if ((r) == NULL) { \ 1806 (r) = TAILQ_NEXT((a), entries); \ 1807 (a) = NULL; \ 1808 } \ 1809 } while (0)	1965static void 1966pf_step_into_anchor(int depth, struct pf_ruleset rs, int n, 1967* struct pf_rule r, struct pf_rule a) 1968{ 1969 struct pf_anchor_stackframe *f;
1810	1970
1811#define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \ 1812 do { \ 1813 if ((r) != NULL \|\| (a) == NULL \|\| (s) == NULL) \ 1814 panic("PF_STEP_OUT_OF_ANCHOR"); \ 1815 (s) = TAILQ_NEXT((s), entries); \ 1816 while ((s) != NULL && ((r) = \ 1817 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1818 (s) = TAILQ_NEXT((s), entries); \ 1819 if ((r) == NULL) { \ 1820 (r) = TAILQ_NEXT((a), entries); \ 1821 (a) = NULL; \ 1822 } \ 1823 } while (0)	1971 if (depth >= sizeof(pf_anchor_stack) / 1972* sizeof(pf_anchor_stack[0])) { 1973 printf("pf_step_into_anchor: stack overflow\n"); 1974 r = TAILQ_NEXT(r, entries); 1975 return; 1976 } else if (depth == 0 && a != NULL) 1977* a = r; 1978 f = pf_anchor_stack + (depth)++; 1979* f->rs = rs; 1980* f->r = r; 1981* if ((r)->anchor_wildcard) { 1982* f->parent = &(r)->anchor->children; 1983* if ((f->child = RB_MIN(pf_anchor_node, f->parent)) == 1984 NULL) { 1985 r = NULL; 1986* return; 1987 } 1988 rs = &f->child->ruleset; 1989* } else { 1990 f->parent = NULL; 1991 f->child = NULL; 1992 rs = &(r)->anchor->ruleset; 1993 } 1994 r = TAILQ_FIRST((rs)->rules[n].active.ptr); 1995}
1824	1996
	1997static void 1998pf_step_out_of_anchor(int depth, struct pf_ruleset rs, int n, 1999* struct pf_rule r, struct pf_rule a) 2000{ 2001 struct pf_anchor_stackframe f; 2002* 2003 do { 2004 if (depth <= 0) 2005* break; 2006 f = pf_anchor_stack + depth - 1; 2007* if (f->parent != NULL && f->child != NULL) { 2008 f->child = RB_NEXT(pf_anchor_node, f->parent, f->child); 2009 if (f->child != NULL) { 2010 rs = &f->child->ruleset; 2011* r = TAILQ_FIRST((rs)->rules[n].active.ptr); 2012 if (r == NULL) 2013* continue; 2014 else 2015 break; 2016 } 2017 } 2018 (depth)--; 2019* if (depth == 0 && a != NULL) 2020* a = NULL; 2021* rs = f->rs; 2022* r = TAILQ_NEXT(f->r, entries); 2023* } while (r == NULL); 2024} 2025*
1825#ifdef INET6 1826void 1827pf_poolmask(struct pf_addr naddr, struct pf_addr raddr, 1828 struct pf_addr rmask, struct pf_addr saddr, sa_family_t af) 1829{ 1830 switch (af) { 1831#ifdef INET 1832 case AF_INET: --- 136 unchanged lines hidden (view full) --- 1969 } 1970 return (0); 1971 } 1972 } 1973 1974 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 1975 return (1); 1976 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {	2026#ifdef INET6 2027void 2028pf_poolmask(struct pf_addr naddr, struct pf_addr raddr, 2029 struct pf_addr rmask, struct pf_addr saddr, sa_family_t af) 2030{ 2031 switch (af) { 2032#ifdef INET 2033 case AF_INET: --- 136 unchanged lines hidden (view full) --- 2170 } 2171 return (0); 2172 } 2173 } 2174 2175 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 2176 return (1); 2177 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
1977 if (af == AF_INET) {	2178 switch (af) { 2179#ifdef INET 2180 case AF_INET:
1978 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 1979 (rpool->opts & PF_POOL_TYPEMASK) != 1980 PF_POOL_ROUNDROBIN) 1981 return (1); 1982 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 1983 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;	2181 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 2182 (rpool->opts & PF_POOL_TYPEMASK) != 2183 PF_POOL_ROUNDROBIN) 2184 return (1); 2185 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 2186 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
1984 } else {	2187 break; 2188#endif /* INET / 2189#ifdef INET6 2190* case AF_INET6:
1985 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 1986 (rpool->opts & PF_POOL_TYPEMASK) != 1987 PF_POOL_ROUNDROBIN) 1988 return (1); 1989 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 1990 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;	2191 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 2192 (rpool->opts & PF_POOL_TYPEMASK) != 2193 PF_POOL_ROUNDROBIN) 2194 return (1); 2195 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 2196 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
	2197 break; 2198#endif /* INET6 */
1991 } 1992 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1993 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 1994 return (1); /* unsupported / 1995* } else { 1996 raddr = &rpool->cur->addr.v.a.addr; 1997 rmask = &rpool->cur->addr.v.a.mask; 1998 } --- 5 unchanged lines hidden (view full) --- 2004 case PF_POOL_BITMASK: 2005 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 2006 break; 2007 case PF_POOL_RANDOM: 2008 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 2009 switch (af) { 2010#ifdef INET 2011 case AF_INET:	2199 } 2200 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 2201 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 2202 return (1); /* unsupported / 2203* } else { 2204 raddr = &rpool->cur->addr.v.a.addr; 2205 rmask = &rpool->cur->addr.v.a.mask; 2206 } --- 5 unchanged lines hidden (view full) --- 2212 case PF_POOL_BITMASK: 2213 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 2214 break; 2215 case PF_POOL_RANDOM: 2216 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 2217 switch (af) { 2218#ifdef INET 2219 case AF_INET:
2012 rpool->counter.addr32[0] = arc4random();	2220 rpool->counter.addr32[0] = htonl(arc4random());
2013 break; 2014#endif /* INET / 2015#ifdef INET6 2016* case AF_INET6: 2017 if (rmask->addr32[3] != 0xffffffff)	2221 break; 2222#endif /* INET / 2223#ifdef INET6 2224* case AF_INET6: 2225 if (rmask->addr32[3] != 0xffffffff)
2018 rpool->counter.addr32[3] = arc4random();	2226 rpool->counter.addr32[3] = 2227 htonl(arc4random());
2019 else 2020 break; 2021 if (rmask->addr32[2] != 0xffffffff)	2228 else 2229 break; 2230 if (rmask->addr32[2] != 0xffffffff)
2022 rpool->counter.addr32[2] = arc4random();	2231 rpool->counter.addr32[2] = 2232 htonl(arc4random());
2023 else 2024 break; 2025 if (rmask->addr32[1] != 0xffffffff)	2233 else 2234 break; 2235 if (rmask->addr32[1] != 0xffffffff)
2026 rpool->counter.addr32[1] = arc4random();	2236 rpool->counter.addr32[1] = 2237 htonl(arc4random());
2027 else 2028 break; 2029 if (rmask->addr32[0] != 0xffffffff)	2238 else 2239 break; 2240 if (rmask->addr32[0] != 0xffffffff)
2030 rpool->counter.addr32[0] = arc4random();	2241 rpool->counter.addr32[0] = 2242 htonl(arc4random());
2031 break; 2032#endif /* INET6 / 2033* } 2034 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 2035 PF_ACPY(init_addr, naddr, af); 2036 2037 } else { 2038 PF_AINC(&rpool->counter, af); --- 110 unchanged lines hidden (view full) --- 2149 u_int16_t tmp; 2150 2151 if (low > high) { 2152 tmp = low; 2153 low = high; 2154 high = tmp; 2155 } 2156 /* low < high */	2243 break; 2244#endif /* INET6 / 2245* } 2246 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 2247 PF_ACPY(init_addr, naddr, af); 2248 2249 } else { 2250 PF_AINC(&rpool->counter, af); --- 110 unchanged lines hidden (view full) --- 2361 u_int16_t tmp; 2362 2363 if (low > high) { 2364 tmp = low; 2365 low = high; 2366 high = tmp; 2367 } 2368 /* low < high */
2157 cut = arc4random() % (1 + high - low) + low;	2369 cut = htonl(arc4random()) % (1 + high - low) + low;
2158 /* low <= cut <= high / 2159* for (tmp = cut; tmp <= high; ++(tmp)) { 2160 key.gwy.port = htons(tmp); 2161 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 2162 NULL) { 2163 nport = htons(tmp); 2164* return (0); 2165 } --- 25 unchanged lines hidden (view full) --- 2191 return (1); /* none available / 2192} 2193* 2194struct pf_rule * 2195pf_match_translation(struct pf_pdesc pd, struct mbuf m, int off, 2196 int direction, struct pfi_kif kif, struct pf_addr saddr, u_int16_t sport, 2197 struct pf_addr daddr, u_int16_t dport, int rs_num) 2198*{	2370 /* low <= cut <= high / 2371* for (tmp = cut; tmp <= high; ++(tmp)) { 2372 key.gwy.port = htons(tmp); 2373 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 2374 NULL) { 2375 nport = htons(tmp); 2376* return (0); 2377 } --- 25 unchanged lines hidden (view full) --- 2403 return (1); /* none available / 2404} 2405* 2406struct pf_rule * 2407pf_match_translation(struct pf_pdesc pd, struct mbuf m, int off, 2408 int direction, struct pfi_kif kif, struct pf_addr saddr, u_int16_t sport, 2409 struct pf_addr daddr, u_int16_t dport, int rs_num) 2410*{
2199 struct pf_rule r, rm = NULL, *anchorrule = NULL;	2411 struct pf_rule r, rm = NULL;
2200 struct pf_ruleset *ruleset = NULL;	2412 struct pf_ruleset *ruleset = NULL;
	2413 struct pf_tag pftag = NULL; 2414* int tag = -1; 2415 int asd = 0;
2201 2202 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 2203 while (r && rm == NULL) { 2204 struct pf_rule_addr src = NULL, dst = NULL; 2205 struct pf_addr_wrap xdst = NULL; 2206* 2207 if (r->action == PF_BINAT && direction == PF_IN) { 2208 src = &r->dst; --- 9 unchanged lines hidden (view full) --- 2218 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2219 r = r->skip[PF_SKIP_IFP].ptr; 2220 else if (r->direction && r->direction != direction) 2221 r = r->skip[PF_SKIP_DIR].ptr; 2222 else if (r->af && r->af != pd->af) 2223 r = r->skip[PF_SKIP_AF].ptr; 2224 else if (r->proto && r->proto != pd->proto) 2225 r = r->skip[PF_SKIP_PROTO].ptr;	2416 2417 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 2418 while (r && rm == NULL) { 2419 struct pf_rule_addr src = NULL, dst = NULL; 2420 struct pf_addr_wrap xdst = NULL; 2421* 2422 if (r->action == PF_BINAT && direction == PF_IN) { 2423 src = &r->dst; --- 9 unchanged lines hidden (view full) --- 2433 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2434 r = r->skip[PF_SKIP_IFP].ptr; 2435 else if (r->direction && r->direction != direction) 2436 r = r->skip[PF_SKIP_DIR].ptr; 2437 else if (r->af && r->af != pd->af) 2438 r = r->skip[PF_SKIP_AF].ptr; 2439 else if (r->proto && r->proto != pd->proto) 2440 r = r->skip[PF_SKIP_PROTO].ptr;
2226 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not))	2441 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->neg))
2227 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 2228 PF_SKIP_DST_ADDR].ptr; 2229 else if (src->port_op && !pf_match_port(src->port_op, 2230 src->port[0], src->port[1], sport)) 2231 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 2232 PF_SKIP_DST_PORT].ptr; 2233 else if (dst != NULL &&	2442 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 2443 PF_SKIP_DST_ADDR].ptr; 2444 else if (src->port_op && !pf_match_port(src->port_op, 2445 src->port[0], src->port[1], sport)) 2446 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 2447 PF_SKIP_DST_PORT].ptr; 2448 else if (dst != NULL &&
2234 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not))	2449 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg))
2235 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2236 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 2237 r = TAILQ_NEXT(r, entries); 2238 else if (dst != NULL && dst->port_op && 2239 !pf_match_port(dst->port_op, dst->port[0], 2240 dst->port[1], dport)) 2241 r = r->skip[PF_SKIP_DST_PORT].ptr;	2450 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2451 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 2452 r = TAILQ_NEXT(r, entries); 2453 else if (dst != NULL && dst->port_op && 2454 !pf_match_port(dst->port_op, dst->port[0], 2455 dst->port[1], dport)) 2456 r = r->skip[PF_SKIP_DST_PORT].ptr;
	2457 else if (r->match_tag && !pf_match_tag(m, r, &pftag, &tag)) 2458 r = TAILQ_NEXT(r, entries);
2242 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2243 IPPROTO_TCP \|\| !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2244 off, pd->hdr.tcp), r->os_fingerprint))) 2245 r = TAILQ_NEXT(r, entries);	2459 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2460 IPPROTO_TCP \|\| !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2461 off, pd->hdr.tcp), r->os_fingerprint))) 2462 r = TAILQ_NEXT(r, entries);
2246 else if (r->anchorname[0] && r->anchor == NULL) 2247 r = TAILQ_NEXT(r, entries); 2248 else if (r->anchor == NULL)	2463 else { 2464 if (r->tag) 2465 tag = r->tag; 2466 if (r->anchor == NULL) {
2249 rm = r;	2467 rm = r;
2250 else 2251 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num); 2252 if (r == NULL && anchorrule != NULL) 2253 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, 2254 rs_num);	2468 } else 2469 pf_step_into_anchor(&asd, &ruleset, rs_num, &r, NULL); 2470 } 2471 if (r == NULL) 2472 pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r, NULL);
2255 }	2473 }
	2474 if (pf_tag_packet(m, pftag, tag)) 2475 return (NULL);
2256 if (rm != NULL && (rm->action == PF_NONAT \|\| 2257 rm->action == PF_NORDR \|\| rm->action == PF_NOBINAT)) 2258 return (NULL); 2259 return (rm); 2260} 2261 2262struct pf_rule * 2263pf_get_translation(struct pf_pdesc pd, struct mbuf m, int off, int direction, --- 35 unchanged lines hidden (view full) --- 2299 r->rpool.proxy_port[1])); 2300 return (NULL); 2301 } 2302 break; 2303 case PF_BINAT: 2304 switch (direction) { 2305 case PF_OUT: 2306 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){	2476 if (rm != NULL && (rm->action == PF_NONAT \|\| 2477 rm->action == PF_NORDR \|\| rm->action == PF_NOBINAT)) 2478 return (NULL); 2479 return (rm); 2480} 2481 2482struct pf_rule * 2483pf_get_translation(struct pf_pdesc pd, struct mbuf m, int off, int direction, --- 35 unchanged lines hidden (view full) --- 2519 r->rpool.proxy_port[1])); 2520 return (NULL); 2521 } 2522 break; 2523 case PF_BINAT: 2524 switch (direction) { 2525 case PF_OUT: 2526 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
2307 if (pd->af == AF_INET) {	2527 switch (pd->af) { 2528#ifdef INET 2529 case AF_INET:
2308 if (r->rpool.cur->addr.p.dyn-> 2309 pfid_acnt4 < 1) 2310 return (NULL); 2311 PF_POOLMASK(naddr, 2312 &r->rpool.cur->addr.p.dyn-> 2313 pfid_addr4, 2314 &r->rpool.cur->addr.p.dyn-> 2315 pfid_mask4, 2316 saddr, AF_INET);	2530 if (r->rpool.cur->addr.p.dyn-> 2531 pfid_acnt4 < 1) 2532 return (NULL); 2533 PF_POOLMASK(naddr, 2534 &r->rpool.cur->addr.p.dyn-> 2535 pfid_addr4, 2536 &r->rpool.cur->addr.p.dyn-> 2537 pfid_mask4, 2538 saddr, AF_INET);
2317 } else {	2539 break; 2540#endif /* INET / 2541#ifdef INET6 2542* case AF_INET6:
2318 if (r->rpool.cur->addr.p.dyn-> 2319 pfid_acnt6 < 1) 2320 return (NULL); 2321 PF_POOLMASK(naddr, 2322 &r->rpool.cur->addr.p.dyn-> 2323 pfid_addr6, 2324 &r->rpool.cur->addr.p.dyn-> 2325 pfid_mask6, 2326 saddr, AF_INET6);	2543 if (r->rpool.cur->addr.p.dyn-> 2544 pfid_acnt6 < 1) 2545 return (NULL); 2546 PF_POOLMASK(naddr, 2547 &r->rpool.cur->addr.p.dyn-> 2548 pfid_addr6, 2549 &r->rpool.cur->addr.p.dyn-> 2550 pfid_mask6, 2551 saddr, AF_INET6);
	2552 break; 2553#endif /* INET6 */
2327 } 2328 } else 2329 PF_POOLMASK(naddr, 2330 &r->rpool.cur->addr.v.a.addr, 2331 &r->rpool.cur->addr.v.a.mask, 2332 saddr, pd->af); 2333 break; 2334 case PF_IN: 2335 if (r->src.addr.type == PF_ADDR_DYNIFTL) {	2554 } 2555 } else 2556 PF_POOLMASK(naddr, 2557 &r->rpool.cur->addr.v.a.addr, 2558 &r->rpool.cur->addr.v.a.mask, 2559 saddr, pd->af); 2560 break; 2561 case PF_IN: 2562 if (r->src.addr.type == PF_ADDR_DYNIFTL) {
2336 if (pd->af == AF_INET) {	2563 switch (pd->af) { 2564#ifdef INET 2565 case AF_INET:
2337 if (r->src.addr.p.dyn-> 2338 pfid_acnt4 < 1) 2339 return (NULL); 2340 PF_POOLMASK(naddr, 2341 &r->src.addr.p.dyn-> 2342 pfid_addr4, 2343 &r->src.addr.p.dyn-> 2344 pfid_mask4, 2345 daddr, AF_INET);	2566 if (r->src.addr.p.dyn-> 2567 pfid_acnt4 < 1) 2568 return (NULL); 2569 PF_POOLMASK(naddr, 2570 &r->src.addr.p.dyn-> 2571 pfid_addr4, 2572 &r->src.addr.p.dyn-> 2573 pfid_mask4, 2574 daddr, AF_INET);
2346 } else {	2575 break; 2576#endif /* INET / 2577#ifdef INET6 2578* case AF_INET6:
2347 if (r->src.addr.p.dyn-> 2348 pfid_acnt6 < 1) 2349 return (NULL); 2350 PF_POOLMASK(naddr, 2351 &r->src.addr.p.dyn-> 2352 pfid_addr6, 2353 &r->src.addr.p.dyn-> 2354 pfid_mask6, 2355 daddr, AF_INET6);	2579 if (r->src.addr.p.dyn-> 2580 pfid_acnt6 < 1) 2581 return (NULL); 2582 PF_POOLMASK(naddr, 2583 &r->src.addr.p.dyn-> 2584 pfid_addr6, 2585 &r->src.addr.p.dyn-> 2586 pfid_mask6, 2587 daddr, AF_INET6);
	2588 break; 2589#endif /* INET6 */
2356 } 2357 } else 2358 PF_POOLMASK(naddr, 2359 &r->src.addr.v.a.addr, 2360 &r->src.addr.v.a.mask, daddr, 2361 pd->af); 2362 break; 2363 } --- 87 unchanged lines hidden (view full) --- 2451 2452 p = sport; 2453 sport = dport; 2454 dport = p; 2455 saddr = pd->dst; 2456 daddr = pd->src; 2457 } 2458 switch (pd->af) {	2590 } 2591 } else 2592 PF_POOLMASK(naddr, 2593 &r->src.addr.v.a.addr, 2594 &r->src.addr.v.a.mask, daddr, 2595 pd->af); 2596 break; 2597 } --- 87 unchanged lines hidden (view full) --- 2685 2686 p = sport; 2687 sport = dport; 2688 dport = p; 2689 saddr = pd->dst; 2690 daddr = pd->src; 2691 } 2692 switch (pd->af) {
	2693#ifdef INET
2459 case AF_INET: 2460#ifdef __FreeBSD__ 2461 INP_INFO_RLOCK(pi); /* XXX LOR / 2462* inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4, 2463 dport, 0, NULL); 2464 if (inp == NULL) { 2465 inp = in_pcblookup_hash(pi, saddr->v4, sport, 2466 daddr->v4, dport, INPLOOKUP_WILDCARD, NULL); --- 6 unchanged lines hidden (view full) --- 2473 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport); 2474 if (inp == NULL) { 2475 inp = in_pcblookup_listen(tb, daddr->v4, dport, 0); 2476 if (inp == NULL) 2477 return (0); 2478 } 2479#endif 2480 break;	2694 case AF_INET: 2695#ifdef __FreeBSD__ 2696 INP_INFO_RLOCK(pi); /* XXX LOR / 2697* inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4, 2698 dport, 0, NULL); 2699 if (inp == NULL) { 2700 inp = in_pcblookup_hash(pi, saddr->v4, sport, 2701 daddr->v4, dport, INPLOOKUP_WILDCARD, NULL); --- 6 unchanged lines hidden (view full) --- 2708 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport); 2709 if (inp == NULL) { 2710 inp = in_pcblookup_listen(tb, daddr->v4, dport, 0); 2711 if (inp == NULL) 2712 return (0); 2713 } 2714#endif 2715 break;
	2716#endif /* INET */
2481#ifdef INET6 2482 case AF_INET6: 2483#ifdef __FreeBSD__ 2484 INP_INFO_RLOCK(pi); 2485 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, 2486 &daddr->v6, dport, 0, NULL); 2487 if (inp == NULL) { 2488 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, --- 209 unchanged lines hidden (view full) --- 2698 } 2699} 2700 2701int 2702pf_test_tcp(struct pf_rule rm, struct pf_state sm, int direction, 2703 struct pfi_kif kif, struct mbuf m, int off, void h, 2704#ifdef __FreeBSD__ 2705* struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset *rsm,	2717#ifdef INET6 2718 case AF_INET6: 2719#ifdef __FreeBSD__ 2720 INP_INFO_RLOCK(pi); 2721 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, 2722 &daddr->v6, dport, 0, NULL); 2723 if (inp == NULL) { 2724 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, --- 209 unchanged lines hidden (view full) --- 2934 } 2935} 2936 2937int 2938pf_test_tcp(struct pf_rule rm, struct pf_state sm, int direction, 2939 struct pfi_kif kif, struct mbuf m, int off, void h, 2940#ifdef __FreeBSD__ 2941* struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset *rsm,
2706 struct inpcb *inp)	2942 struct ifqueue ifq, struct inpcb inp)
2707#else	2943#else
2708 struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset *rsm)	2944 struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset rsm, 2945* struct ifqueue *ifq)
2709#endif 2710{ 2711 struct pf_rule nr = NULL; 2712* struct pf_addr saddr = pd->src, daddr = pd->dst; 2713 struct tcphdr th = pd->hdr.tcp; 2714* u_int16_t bport, nport = 0; 2715 sa_family_t af = pd->af; 2716 int lookup = -1; 2717 uid_t uid; 2718 gid_t gid; 2719 struct pf_rule r, a = NULL; 2720 struct pf_ruleset ruleset = NULL; 2721* struct pf_src_node nsn = NULL; 2722* u_short reason; 2723 int rewrite = 0; 2724 struct pf_tag pftag = NULL; 2725* int tag = -1; 2726 u_int16_t mss = tcp_mssdflt;	2946#endif 2947{ 2948 struct pf_rule nr = NULL; 2949* struct pf_addr saddr = pd->src, daddr = pd->dst; 2950 struct tcphdr th = pd->hdr.tcp; 2951* u_int16_t bport, nport = 0; 2952 sa_family_t af = pd->af; 2953 int lookup = -1; 2954 uid_t uid; 2955 gid_t gid; 2956 struct pf_rule r, a = NULL; 2957 struct pf_ruleset ruleset = NULL; 2958* struct pf_src_node nsn = NULL; 2959* u_short reason; 2960 int rewrite = 0; 2961 struct pf_tag pftag = NULL; 2962* int tag = -1; 2963 u_int16_t mss = tcp_mssdflt;
	2964 int asd = 0;
2727	2965
	2966 if (pf_check_congestion(ifq)) { 2967 REASON_SET(&reason, PFRES_CONGEST); 2968 return (PF_DROP); 2969 } 2970
2728 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2729 2730 if (direction == PF_OUT) { 2731 bport = nport = th->th_sport; 2732 /* check outgoing packet for BINAT/NAT / 2733* if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2734 saddr, th->th_sport, daddr, th->th_dport, 2735 &pd->naddr, &nport)) != NULL) { --- 27 unchanged lines hidden (view full) --- 2763 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2764 r = r->skip[PF_SKIP_IFP].ptr; 2765 else if (r->direction && r->direction != direction) 2766 r = r->skip[PF_SKIP_DIR].ptr; 2767 else if (r->af && r->af != af) 2768 r = r->skip[PF_SKIP_AF].ptr; 2769 else if (r->proto && r->proto != IPPROTO_TCP) 2770 r = r->skip[PF_SKIP_PROTO].ptr;	2971 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2972 2973 if (direction == PF_OUT) { 2974 bport = nport = th->th_sport; 2975 /* check outgoing packet for BINAT/NAT / 2976* if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2977 saddr, th->th_sport, daddr, th->th_dport, 2978 &pd->naddr, &nport)) != NULL) { --- 27 unchanged lines hidden (view full) --- 3006 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3007 r = r->skip[PF_SKIP_IFP].ptr; 3008 else if (r->direction && r->direction != direction) 3009 r = r->skip[PF_SKIP_DIR].ptr; 3010 else if (r->af && r->af != af) 3011 r = r->skip[PF_SKIP_AF].ptr; 3012 else if (r->proto && r->proto != IPPROTO_TCP) 3013 r = r->skip[PF_SKIP_PROTO].ptr;
2771 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))	3014 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.neg))
2772 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2773 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2774 r->src.port[0], r->src.port[1], th->th_sport)) 2775 r = r->skip[PF_SKIP_SRC_PORT].ptr;	3015 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3016 else if (r->src.port_op && !pf_match_port(r->src.port_op, 3017 r->src.port[0], r->src.port[1], th->th_sport)) 3018 r = r->skip[PF_SKIP_SRC_PORT].ptr;
2776 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))	3019 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.neg))
2777 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2778 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2779 r->dst.port[0], r->dst.port[1], th->th_dport)) 2780 r = r->skip[PF_SKIP_DST_PORT].ptr; 2781 else if (r->tos && !(r->tos & pd->tos)) 2782 r = TAILQ_NEXT(r, entries); 2783 else if (r->rule_flag & PFRULE_FRAGMENT) 2784 r = TAILQ_NEXT(r, entries); --- 12 unchanged lines hidden (view full) --- 2797#ifdef __FreeBSD__ 2798 pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && 2799#else 2800 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2801#endif 2802 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2803 gid)) 2804 r = TAILQ_NEXT(r, entries);	3020 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3021 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 3022 r->dst.port[0], r->dst.port[1], th->th_dport)) 3023 r = r->skip[PF_SKIP_DST_PORT].ptr; 3024 else if (r->tos && !(r->tos & pd->tos)) 3025 r = TAILQ_NEXT(r, entries); 3026 else if (r->rule_flag & PFRULE_FRAGMENT) 3027 r = TAILQ_NEXT(r, entries); --- 12 unchanged lines hidden (view full) --- 3040#ifdef __FreeBSD__ 3041 pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && 3042#else 3043 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 3044#endif 3045 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 3046 gid)) 3047 r = TAILQ_NEXT(r, entries);
2805 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag))	3048 else if (r->prob && r->prob <= arc4random())
2806 r = TAILQ_NEXT(r, entries);	3049 r = TAILQ_NEXT(r, entries);
2807 else if (r->anchorname[0] && r->anchor == NULL)	3050 else if (r->match_tag && !pf_match_tag(m, r, &pftag, &tag))
2808 r = TAILQ_NEXT(r, entries); 2809 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 2810 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 2811 r = TAILQ_NEXT(r, entries); 2812 else { 2813 if (r->tag) 2814 tag = r->tag; 2815 if (r->anchor == NULL) { 2816 rm = r; 2817* am = a; 2818* rsm = ruleset; 2819* if ((rm)->quick) 2820* break; 2821 r = TAILQ_NEXT(r, entries); 2822 } else	3051 r = TAILQ_NEXT(r, entries); 3052 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 3053 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 3054 r = TAILQ_NEXT(r, entries); 3055 else { 3056 if (r->tag) 3057 tag = r->tag; 3058 if (r->anchor == NULL) { 3059 rm = r; 3060* am = a; 3061* rsm = ruleset; 3062* if ((rm)->quick) 3063* break; 3064 r = TAILQ_NEXT(r, entries); 3065 } else
2823 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2824 PF_RULESET_FILTER);	3066 pf_step_into_anchor(&asd, &ruleset, 3067 PF_RULESET_FILTER, &r, &a);
2825 }	3068 }
2826 if (r == NULL && a != NULL) 2827 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2828 PF_RULESET_FILTER);	3069 if (r == NULL) 3070 pf_step_out_of_anchor(&asd, &ruleset, 3071 PF_RULESET_FILTER, &r, &a);
2829 } 2830 r = rm; 2831* a = am; 2832* ruleset = rsm; 2833* 2834 REASON_SET(&reason, PFRES_MATCH); 2835 2836 if (r->log) { --- 25 unchanged lines hidden (view full) --- 2862 2863 if (th->th_flags & TH_SYN) 2864 ack++; 2865 if (th->th_flags & TH_FIN) 2866 ack++; 2867 pf_send_tcp(r, af, pd->dst, 2868 pd->src, th->th_dport, th->th_sport, 2869 ntohl(th->th_ack), ack, TH_RST\|TH_ACK, 0, 0,	3072 } 3073 r = rm; 3074* a = am; 3075* ruleset = rsm; 3076* 3077 REASON_SET(&reason, PFRES_MATCH); 3078 3079 if (r->log) { --- 25 unchanged lines hidden (view full) --- 3105 3106 if (th->th_flags & TH_SYN) 3107 ack++; 3108 if (th->th_flags & TH_FIN) 3109 ack++; 3110 pf_send_tcp(r, af, pd->dst, 3111 pd->src, th->th_dport, th->th_sport, 3112 ntohl(th->th_ack), ack, TH_RST\|TH_ACK, 0, 0,
2870 r->return_ttl);	3113 r->return_ttl, 1, pd->eh, kif->pfik_ifp);
2871 } else if ((af == AF_INET) && r->return_icmp) 2872 pf_send_icmp(m, r->return_icmp >> 8, 2873 r->return_icmp & 255, af, r); 2874 else if ((af == AF_INET6) && r->return_icmp6) 2875 pf_send_icmp(m, r->return_icmp6 >> 8, 2876 r->return_icmp6 & 255, af, r); 2877 } 2878 --- 10 unchanged lines hidden (view full) --- 2889 /* create new state / 2890* u_int16_t len; 2891 struct pf_state s = NULL; 2892* struct pf_src_node sn = NULL; 2893* 2894 len = pd->tot_len - off - (th->th_off << 2); 2895 2896 /* check maximums */	3114 } else if ((af == AF_INET) && r->return_icmp) 3115 pf_send_icmp(m, r->return_icmp >> 8, 3116 r->return_icmp & 255, af, r); 3117 else if ((af == AF_INET6) && r->return_icmp6) 3118 pf_send_icmp(m, r->return_icmp6 >> 8, 3119 r->return_icmp6 & 255, af, r); 3120 } 3121 --- 10 unchanged lines hidden (view full) --- 3132 /* create new state / 3133* u_int16_t len; 3134 struct pf_state s = NULL; 3135* struct pf_src_node sn = NULL; 3136* 3137 len = pd->tot_len - off - (th->th_off << 2); 3138 3139 /* check maximums */
2897 if (r->max_states && (r->states >= r->max_states))	3140 if (r->max_states && (r->states >= r->max_states)) { 3141 pf_status.lcounters[LCNT_STATES]++; 3142 REASON_SET(&reason, PFRES_MAXSTATES);
2898 goto cleanup;	3143 goto cleanup;
	3144 }
2899 /* src node for flter rule / 2900* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 2901 r->rpool.opts & PF_POOL_STICKYADDR) &&	3145 /* src node for flter rule / 3146* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 3147 r->rpool.opts & PF_POOL_STICKYADDR) &&
2902 pf_insert_src_node(&sn, r, saddr, af) != 0)	3148 pf_insert_src_node(&sn, r, saddr, af) != 0) { 3149 REASON_SET(&reason, PFRES_SRCLIMIT);
2903 goto cleanup;	3150 goto cleanup;
	3151 }
2904 /* src node for translation rule / 2905* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2906 ((direction == PF_OUT && 2907 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|	3152 /* src node for translation rule / 3153* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3154 ((direction == PF_OUT && 3155 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|
2908 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))	3156 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) { 3157 REASON_SET(&reason, PFRES_SRCLIMIT);
2909 goto cleanup;	3158 goto cleanup;
	3159 }
2910 s = pool_get(&pf_state_pl, PR_NOWAIT); 2911 if (s == NULL) {	3160 s = pool_get(&pf_state_pl, PR_NOWAIT); 3161 if (s == NULL) {
	3162 REASON_SET(&reason, PFRES_MEMORY);
2912cleanup: 2913 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2914 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2915 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2916 pf_status.src_nodes--; 2917 pool_put(&pf_src_tree_pl, sn); 2918 } 2919 if (nsn != sn && nsn != NULL && nsn->states == 0 && 2920 nsn->expire == 0) { 2921 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 2922 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2923 pf_status.src_nodes--; 2924 pool_put(&pf_src_tree_pl, nsn); 2925 }	3163cleanup: 3164 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3165 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3166 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3167 pf_status.src_nodes--; 3168 pool_put(&pf_src_tree_pl, sn); 3169 } 3170 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3171 nsn->expire == 0) { 3172 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3173 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3174 pf_status.src_nodes--; 3175 pool_put(&pf_src_tree_pl, nsn); 3176 }
2926 REASON_SET(&reason, PFRES_MEMORY);
2927 return (PF_DROP); 2928 } 2929 bzero(s, sizeof(*s));	3177 return (PF_DROP); 3178 } 3179 bzero(s, sizeof(*s));
2930 r->states++; 2931 if (a != NULL) 2932 a->states++;
2933 s->rule.ptr = r; 2934 s->nat_rule.ptr = nr;	3180 s->rule.ptr = r; 3181 s->nat_rule.ptr = nr;
2935 if (s->nat_rule.ptr != NULL) 2936 s->nat_rule.ptr->states++;
2937 s->anchor.ptr = a;	3182 s->anchor.ptr = a;
	3183 STATE_INC_COUNTERS(s);
2938 s->allow_opts = r->allow_opts; 2939 s->log = r->log & 2; 2940 s->proto = IPPROTO_TCP; 2941 s->direction = direction; 2942 s->af = af; 2943 if (direction == PF_OUT) { 2944 PF_ACPY(&s->gwy.addr, saddr, af); 2945 s->gwy.port = th->th_sport; /* sport / --- 20 unchanged lines hidden* (view full) --- 2966 } 2967 } 2968 2969 s->src.seqlo = ntohl(th->th_seq); 2970 s->src.seqhi = s->src.seqlo + len + 1; 2971 if ((th->th_flags & (TH_SYN\|TH_ACK)) == TH_SYN && 2972 r->keep_state == PF_STATE_MODULATE) { 2973 /* Generate sequence number modulator */	3184 s->allow_opts = r->allow_opts; 3185 s->log = r->log & 2; 3186 s->proto = IPPROTO_TCP; 3187 s->direction = direction; 3188 s->af = af; 3189 if (direction == PF_OUT) { 3190 PF_ACPY(&s->gwy.addr, saddr, af); 3191 s->gwy.port = th->th_sport; /* sport / --- 20 unchanged lines hidden* (view full) --- 3212 } 3213 } 3214 3215 s->src.seqlo = ntohl(th->th_seq); 3216 s->src.seqhi = s->src.seqlo + len + 1; 3217 if ((th->th_flags & (TH_SYN\|TH_ACK)) == TH_SYN && 3218 r->keep_state == PF_STATE_MODULATE) { 3219 /* Generate sequence number modulator */
2974 while ((s->src.seqdiff = arc4random()) == 0)	3220 while ((s->src.seqdiff = htonl(arc4random())) == 0)
2975 ; 2976 pf_change_a(&th->th_seq, &th->th_sum, 2977 htonl(s->src.seqlo + s->src.seqdiff), 0); 2978 rewrite = 1; 2979 } else 2980 s->src.seqdiff = 0; 2981 if (th->th_flags & TH_SYN) { 2982 s->src.seqhi++; --- 8 unchanged lines hidden (view full) --- 2991 (s->src.wscale & PF_WSCALE_MASK); 2992 } 2993 if (th->th_flags & TH_FIN) 2994 s->src.seqhi++; 2995 s->dst.seqhi = 1; 2996 s->dst.max_win = 1; 2997 s->src.state = TCPS_SYN_SENT; 2998 s->dst.state = TCPS_CLOSED;	3221 ; 3222 pf_change_a(&th->th_seq, &th->th_sum, 3223 htonl(s->src.seqlo + s->src.seqdiff), 0); 3224 rewrite = 1; 3225 } else 3226 s->src.seqdiff = 0; 3227 if (th->th_flags & TH_SYN) { 3228 s->src.seqhi++; --- 8 unchanged lines hidden (view full) --- 3237 (s->src.wscale & PF_WSCALE_MASK); 3238 } 3239 if (th->th_flags & TH_FIN) 3240 s->src.seqhi++; 3241 s->dst.seqhi = 1; 3242 s->dst.max_win = 1; 3243 s->src.state = TCPS_SYN_SENT; 3244 s->dst.state = TCPS_CLOSED;
2999#ifdef __FreeBSD__
3000 s->creation = time_second; 3001 s->expire = time_second;	3245 s->creation = time_second; 3246 s->expire = time_second;
3002#else 3003 s->creation = time.tv_sec; 3004 s->expire = time.tv_sec; 3005#endif
3006 s->timeout = PFTM_TCP_FIRST_PACKET; 3007 pf_set_rt_ifp(s, saddr); 3008 if (sn != NULL) { 3009 s->src_node = sn; 3010 s->src_node->states++; 3011 } 3012 if (nsn != NULL) { 3013 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3014 s->nat_src_node = nsn; 3015 s->nat_src_node->states++; 3016 } 3017 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 3018 off, pd, th, &s->src, &s->dst)) { 3019 REASON_SET(&reason, PFRES_MEMORY); 3020 pf_src_tree_remove_state(s);	3247 s->timeout = PFTM_TCP_FIRST_PACKET; 3248 pf_set_rt_ifp(s, saddr); 3249 if (sn != NULL) { 3250 s->src_node = sn; 3251 s->src_node->states++; 3252 } 3253 if (nsn != NULL) { 3254 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3255 s->nat_src_node = nsn; 3256 s->nat_src_node->states++; 3257 } 3258 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 3259 off, pd, th, &s->src, &s->dst)) { 3260 REASON_SET(&reason, PFRES_MEMORY); 3261 pf_src_tree_remove_state(s);
	3262 STATE_DEC_COUNTERS(s);
3021 pool_put(&pf_state_pl, s); 3022 return (PF_DROP); 3023 } 3024 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&	3263 pool_put(&pf_state_pl, s); 3264 return (PF_DROP); 3265 } 3266 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
3025 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src, 3026 &s->dst, &rewrite)) {	3267 pf_normalize_tcp_stateful(m, off, pd, &reason, th, s, 3268 &s->src, &s->dst, &rewrite)) { 3269 /* This really shouldn't happen!!! / 3270* DPFPRINTF(PF_DEBUG_URGENT, 3271 ("pf_normalize_tcp_stateful failed on first pkt"));
3027 pf_normalize_tcp_cleanup(s); 3028 pf_src_tree_remove_state(s);	3272 pf_normalize_tcp_cleanup(s); 3273 pf_src_tree_remove_state(s);
	3274 STATE_DEC_COUNTERS(s);
3029 pool_put(&pf_state_pl, s); 3030 return (PF_DROP); 3031 } 3032 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3033 pf_normalize_tcp_cleanup(s);	3275 pool_put(&pf_state_pl, s); 3276 return (PF_DROP); 3277 } 3278 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3279 pf_normalize_tcp_cleanup(s);
3034 REASON_SET(&reason, PFRES_MEMORY);	3280 REASON_SET(&reason, PFRES_STATEINS);
3035 pf_src_tree_remove_state(s);	3281 pf_src_tree_remove_state(s);
	3282 STATE_DEC_COUNTERS(s);
3036 pool_put(&pf_state_pl, s); 3037 return (PF_DROP); 3038 } else 3039 *sm = s;	3283 pool_put(&pf_state_pl, s); 3284 return (PF_DROP); 3285 } else 3286 *sm = s;
	3287 if (tag > 0) { 3288 pf_tag_ref(tag); 3289 s->tag = tag; 3290 }
3040 if ((th->th_flags & (TH_SYN\|TH_ACK)) == TH_SYN && 3041 r->keep_state == PF_STATE_SYNPROXY) { 3042 s->src.state = PF_TCPS_PROXY_SRC; 3043 if (nr != NULL) { 3044 if (direction == PF_OUT) { 3045 pf_change_ap(saddr, &th->th_sport, 3046 pd->ip_sum, &th->th_sum, &pd->baddr, 3047 bport, 0, af); 3048 } else { 3049 pf_change_ap(daddr, &th->th_dport, 3050 pd->ip_sum, &th->th_sum, &pd->baddr, 3051 bport, 0, af); 3052 } 3053 }	3291 if ((th->th_flags & (TH_SYN\|TH_ACK)) == TH_SYN && 3292 r->keep_state == PF_STATE_SYNPROXY) { 3293 s->src.state = PF_TCPS_PROXY_SRC; 3294 if (nr != NULL) { 3295 if (direction == PF_OUT) { 3296 pf_change_ap(saddr, &th->th_sport, 3297 pd->ip_sum, &th->th_sum, &pd->baddr, 3298 bport, 0, af); 3299 } else { 3300 pf_change_ap(daddr, &th->th_dport, 3301 pd->ip_sum, &th->th_sum, &pd->baddr, 3302 bport, 0, af); 3303 } 3304 }
3054 s->src.seqhi = arc4random();	3305 s->src.seqhi = htonl(arc4random());
3055 /* Find mss option / 3056* mss = pf_get_mss(m, off, th->th_off, af); 3057 mss = pf_calc_mss(saddr, af, mss); 3058 mss = pf_calc_mss(daddr, af, mss); 3059 s->src.mss = mss; 3060 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 3061 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,	3306 /* Find mss option / 3307* mss = pf_get_mss(m, off, th->th_off, af); 3308 mss = pf_calc_mss(saddr, af, mss); 3309 mss = pf_calc_mss(daddr, af, mss); 3310 s->src.mss = mss; 3311 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 3312 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
3062 TH_SYN\|TH_ACK, 0, s->src.mss, 0);	3313 TH_SYN\|TH_ACK, 0, s->src.mss, 0, 1, NULL, NULL); 3314 REASON_SET(&reason, PFRES_SYNPROXY);
3063 return (PF_SYNPROXY_DROP); 3064 } 3065 } 3066 3067 /* copy back packet headers if we performed NAT operations / 3068* if (rewrite) 3069 m_copyback(m, off, sizeof(th), (caddr_t)th); 3070* 3071 return (PF_PASS); 3072} 3073 3074int 3075pf_test_udp(struct pf_rule rm, struct pf_state sm, int direction, 3076 struct pfi_kif kif, struct mbuf m, int off, void h, 3077#ifdef __FreeBSD__ 3078* struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset *rsm,	3315 return (PF_SYNPROXY_DROP); 3316 } 3317 } 3318 3319 /* copy back packet headers if we performed NAT operations / 3320* if (rewrite) 3321 m_copyback(m, off, sizeof(th), (caddr_t)th); 3322* 3323 return (PF_PASS); 3324} 3325 3326int 3327pf_test_udp(struct pf_rule rm, struct pf_state sm, int direction, 3328 struct pfi_kif kif, struct mbuf m, int off, void h, 3329#ifdef __FreeBSD__ 3330* struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset *rsm,
3079 struct inpcb *inp)	3331 struct ifqueue ifq, struct inpcb inp)
3080#else	3332#else
3081 struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset *rsm)	3333 struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset rsm, 3334* struct ifqueue *ifq)
3082#endif 3083{ 3084 struct pf_rule nr = NULL; 3085* struct pf_addr saddr = pd->src, daddr = pd->dst; 3086 struct udphdr uh = pd->hdr.udp; 3087* u_int16_t bport, nport = 0; 3088 sa_family_t af = pd->af; 3089 int lookup = -1; 3090 uid_t uid; 3091 gid_t gid; 3092 struct pf_rule r, a = NULL; 3093 struct pf_ruleset ruleset = NULL; 3094* struct pf_src_node nsn = NULL; 3095* u_short reason; 3096 int rewrite = 0; 3097 struct pf_tag pftag = NULL; 3098* int tag = -1;	3335#endif 3336{ 3337 struct pf_rule nr = NULL; 3338* struct pf_addr saddr = pd->src, daddr = pd->dst; 3339 struct udphdr uh = pd->hdr.udp; 3340* u_int16_t bport, nport = 0; 3341 sa_family_t af = pd->af; 3342 int lookup = -1; 3343 uid_t uid; 3344 gid_t gid; 3345 struct pf_rule r, a = NULL; 3346 struct pf_ruleset ruleset = NULL; 3347* struct pf_src_node nsn = NULL; 3348* u_short reason; 3349 int rewrite = 0; 3350 struct pf_tag pftag = NULL; 3351* int tag = -1;
	3352 int asd = 0;
3099	3353
	3354 if (pf_check_congestion(ifq)) { 3355 REASON_SET(&reason, PFRES_CONGEST); 3356 return (PF_DROP); 3357 } 3358
3100 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3101 3102 if (direction == PF_OUT) { 3103 bport = nport = uh->uh_sport; 3104 /* check outgoing packet for BINAT/NAT / 3105* if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3106 saddr, uh->uh_sport, daddr, uh->uh_dport, 3107 &pd->naddr, &nport)) != NULL) { --- 27 unchanged lines hidden (view full) --- 3135 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3136 r = r->skip[PF_SKIP_IFP].ptr; 3137 else if (r->direction && r->direction != direction) 3138 r = r->skip[PF_SKIP_DIR].ptr; 3139 else if (r->af && r->af != af) 3140 r = r->skip[PF_SKIP_AF].ptr; 3141 else if (r->proto && r->proto != IPPROTO_UDP) 3142 r = r->skip[PF_SKIP_PROTO].ptr;	3359 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3360 3361 if (direction == PF_OUT) { 3362 bport = nport = uh->uh_sport; 3363 /* check outgoing packet for BINAT/NAT / 3364* if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3365 saddr, uh->uh_sport, daddr, uh->uh_dport, 3366 &pd->naddr, &nport)) != NULL) { --- 27 unchanged lines hidden (view full) --- 3394 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3395 r = r->skip[PF_SKIP_IFP].ptr; 3396 else if (r->direction && r->direction != direction) 3397 r = r->skip[PF_SKIP_DIR].ptr; 3398 else if (r->af && r->af != af) 3399 r = r->skip[PF_SKIP_AF].ptr; 3400 else if (r->proto && r->proto != IPPROTO_UDP) 3401 r = r->skip[PF_SKIP_PROTO].ptr;
3143 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))	3402 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.neg))
3144 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3145 else if (r->src.port_op && !pf_match_port(r->src.port_op, 3146 r->src.port[0], r->src.port[1], uh->uh_sport)) 3147 r = r->skip[PF_SKIP_SRC_PORT].ptr;	3403 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3404 else if (r->src.port_op && !pf_match_port(r->src.port_op, 3405 r->src.port[0], r->src.port[1], uh->uh_sport)) 3406 r = r->skip[PF_SKIP_SRC_PORT].ptr;
3148 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))	3407 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.neg))
3149 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3150 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 3151 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 3152 r = r->skip[PF_SKIP_DST_PORT].ptr; 3153 else if (r->tos && !(r->tos & pd->tos)) 3154 r = TAILQ_NEXT(r, entries); 3155 else if (r->rule_flag & PFRULE_FRAGMENT) 3156 r = TAILQ_NEXT(r, entries); --- 10 unchanged lines hidden (view full) --- 3167#ifdef __FreeBSD__ 3168 pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && 3169#else 3170 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 3171#endif 3172 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 3173 gid)) 3174 r = TAILQ_NEXT(r, entries);	3408 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3409 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 3410 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 3411 r = r->skip[PF_SKIP_DST_PORT].ptr; 3412 else if (r->tos && !(r->tos & pd->tos)) 3413 r = TAILQ_NEXT(r, entries); 3414 else if (r->rule_flag & PFRULE_FRAGMENT) 3415 r = TAILQ_NEXT(r, entries); --- 10 unchanged lines hidden (view full) --- 3426#ifdef __FreeBSD__ 3427 pf_socket_lookup(&uid, &gid, direction, pd, inp), 1)) && 3428#else 3429 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 3430#endif 3431 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 3432 gid)) 3433 r = TAILQ_NEXT(r, entries);
3175 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag))	3434 else if (r->prob && r->prob <= arc4random())
3176 r = TAILQ_NEXT(r, entries);	3435 r = TAILQ_NEXT(r, entries);
3177 else if (r->anchorname[0] && r->anchor == NULL)	3436 else if (r->match_tag && !pf_match_tag(m, r, &pftag, &tag))
3178 r = TAILQ_NEXT(r, entries); 3179 else if (r->os_fingerprint != PF_OSFP_ANY) 3180 r = TAILQ_NEXT(r, entries); 3181 else { 3182 if (r->tag) 3183 tag = r->tag; 3184 if (r->anchor == NULL) { 3185 rm = r; 3186* am = a; 3187* rsm = ruleset; 3188* if ((rm)->quick) 3189* break; 3190 r = TAILQ_NEXT(r, entries); 3191 } else	3437 r = TAILQ_NEXT(r, entries); 3438 else if (r->os_fingerprint != PF_OSFP_ANY) 3439 r = TAILQ_NEXT(r, entries); 3440 else { 3441 if (r->tag) 3442 tag = r->tag; 3443 if (r->anchor == NULL) { 3444 rm = r; 3445* am = a; 3446* rsm = ruleset; 3447* if ((rm)->quick) 3448* break; 3449 r = TAILQ_NEXT(r, entries); 3450 } else
3192 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3193 PF_RULESET_FILTER);	3451 pf_step_into_anchor(&asd, &ruleset, 3452 PF_RULESET_FILTER, &r, &a);
3194 }	3453 }
3195 if (r == NULL && a != NULL) 3196 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3197 PF_RULESET_FILTER);	3454 if (r == NULL) 3455 pf_step_out_of_anchor(&asd, &ruleset, 3456 PF_RULESET_FILTER, &r, &a);
3198 } 3199 r = rm; 3200* a = am; 3201* ruleset = rsm; 3202* 3203 REASON_SET(&reason, PFRES_MATCH); 3204 3205 if (r->log) { --- 34 unchanged lines hidden (view full) --- 3240 } 3241 3242 if (r->keep_state \|\| nr != NULL) { 3243 /* create new state / 3244* struct pf_state s = NULL; 3245* struct pf_src_node sn = NULL; 3246* 3247 /* check maximums */	3457 } 3458 r = rm; 3459* a = am; 3460* ruleset = rsm; 3461* 3462 REASON_SET(&reason, PFRES_MATCH); 3463 3464 if (r->log) { --- 34 unchanged lines hidden (view full) --- 3499 } 3500 3501 if (r->keep_state \|\| nr != NULL) { 3502 /* create new state / 3503* struct pf_state s = NULL; 3504* struct pf_src_node sn = NULL; 3505* 3506 /* check maximums */
3248 if (r->max_states && (r->states >= r->max_states))	3507 if (r->max_states && (r->states >= r->max_states)) { 3508 pf_status.lcounters[LCNT_STATES]++; 3509 REASON_SET(&reason, PFRES_MAXSTATES);
3249 goto cleanup;	3510 goto cleanup;
	3511 }
3250 /* src node for flter rule / 3251* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 3252 r->rpool.opts & PF_POOL_STICKYADDR) &&	3512 /* src node for flter rule / 3513* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 3514 r->rpool.opts & PF_POOL_STICKYADDR) &&
3253 pf_insert_src_node(&sn, r, saddr, af) != 0)	3515 pf_insert_src_node(&sn, r, saddr, af) != 0) { 3516 REASON_SET(&reason, PFRES_SRCLIMIT);
3254 goto cleanup;	3517 goto cleanup;
	3518 }
3255 /* src node for translation rule / 3256* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3257 ((direction == PF_OUT && 3258 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|	3519 /* src node for translation rule / 3520* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3521 ((direction == PF_OUT && 3522 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|
3259 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))	3523 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) { 3524 REASON_SET(&reason, PFRES_SRCLIMIT);
3260 goto cleanup;	3525 goto cleanup;
	3526 }
3261 s = pool_get(&pf_state_pl, PR_NOWAIT); 3262 if (s == NULL) {	3527 s = pool_get(&pf_state_pl, PR_NOWAIT); 3528 if (s == NULL) {
	3529 REASON_SET(&reason, PFRES_MEMORY);
3263cleanup: 3264 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3265 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3266 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3267 pf_status.src_nodes--; 3268 pool_put(&pf_src_tree_pl, sn); 3269 } 3270 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3271 nsn->expire == 0) { 3272 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3273 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3274 pf_status.src_nodes--; 3275 pool_put(&pf_src_tree_pl, nsn); 3276 }	3530cleanup: 3531 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3532 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3533 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3534 pf_status.src_nodes--; 3535 pool_put(&pf_src_tree_pl, sn); 3536 } 3537 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3538 nsn->expire == 0) { 3539 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3540 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3541 pf_status.src_nodes--; 3542 pool_put(&pf_src_tree_pl, nsn); 3543 }
3277 REASON_SET(&reason, PFRES_MEMORY);
3278 return (PF_DROP); 3279 } 3280 bzero(s, sizeof(*s));	3544 return (PF_DROP); 3545 } 3546 bzero(s, sizeof(*s));
3281 r->states++; 3282 if (a != NULL) 3283 a->states++;
3284 s->rule.ptr = r; 3285 s->nat_rule.ptr = nr;	3547 s->rule.ptr = r; 3548 s->nat_rule.ptr = nr;
3286 if (s->nat_rule.ptr != NULL) 3287 s->nat_rule.ptr->states++;
3288 s->anchor.ptr = a;	3549 s->anchor.ptr = a;
	3550 STATE_INC_COUNTERS(s);
3289 s->allow_opts = r->allow_opts; 3290 s->log = r->log & 2; 3291 s->proto = IPPROTO_UDP; 3292 s->direction = direction; 3293 s->af = af; 3294 if (direction == PF_OUT) { 3295 PF_ACPY(&s->gwy.addr, saddr, af); 3296 s->gwy.port = uh->uh_sport; --- 16 unchanged lines hidden (view full) --- 3313 s->gwy.port = bport; 3314 } else { 3315 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3316 s->gwy.port = s->lan.port; 3317 } 3318 } 3319 s->src.state = PFUDPS_SINGLE; 3320 s->dst.state = PFUDPS_NO_TRAFFIC;	3551 s->allow_opts = r->allow_opts; 3552 s->log = r->log & 2; 3553 s->proto = IPPROTO_UDP; 3554 s->direction = direction; 3555 s->af = af; 3556 if (direction == PF_OUT) { 3557 PF_ACPY(&s->gwy.addr, saddr, af); 3558 s->gwy.port = uh->uh_sport; --- 16 unchanged lines hidden (view full) --- 3575 s->gwy.port = bport; 3576 } else { 3577 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3578 s->gwy.port = s->lan.port; 3579 } 3580 } 3581 s->src.state = PFUDPS_SINGLE; 3582 s->dst.state = PFUDPS_NO_TRAFFIC;
3321#ifdef __FreeBSD__
3322 s->creation = time_second; 3323 s->expire = time_second;	3583 s->creation = time_second; 3584 s->expire = time_second;
3324#else 3325 s->creation = time.tv_sec; 3326 s->expire = time.tv_sec; 3327#endif
3328 s->timeout = PFTM_UDP_FIRST_PACKET; 3329 pf_set_rt_ifp(s, saddr); 3330 if (sn != NULL) { 3331 s->src_node = sn; 3332 s->src_node->states++; 3333 } 3334 if (nsn != NULL) { 3335 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3336 s->nat_src_node = nsn; 3337 s->nat_src_node->states++; 3338 } 3339 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {	3585 s->timeout = PFTM_UDP_FIRST_PACKET; 3586 pf_set_rt_ifp(s, saddr); 3587 if (sn != NULL) { 3588 s->src_node = sn; 3589 s->src_node->states++; 3590 } 3591 if (nsn != NULL) { 3592 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3593 s->nat_src_node = nsn; 3594 s->nat_src_node->states++; 3595 } 3596 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3340 REASON_SET(&reason, PFRES_MEMORY);	3597 REASON_SET(&reason, PFRES_STATEINS);
3341 pf_src_tree_remove_state(s);	3598 pf_src_tree_remove_state(s);
	3599 STATE_DEC_COUNTERS(s);
3342 pool_put(&pf_state_pl, s); 3343 return (PF_DROP); 3344 } else 3345 *sm = s;	3600 pool_put(&pf_state_pl, s); 3601 return (PF_DROP); 3602 } else 3603 *sm = s;
	3604 if (tag > 0) { 3605 pf_tag_ref(tag); 3606 s->tag = tag; 3607 }
3346 } 3347 3348 /* copy back packet headers if we performed NAT operations / 3349* if (rewrite) 3350 m_copyback(m, off, sizeof(uh), (caddr_t)uh); 3351* 3352 return (PF_PASS); 3353} 3354 3355int 3356pf_test_icmp(struct pf_rule rm, struct pf_state sm, int direction, 3357 struct pfi_kif kif, struct mbuf m, int off, void *h,	3608 } 3609 3610 /* copy back packet headers if we performed NAT operations / 3611* if (rewrite) 3612 m_copyback(m, off, sizeof(uh), (caddr_t)uh); 3613* 3614 return (PF_PASS); 3615} 3616 3617int 3618pf_test_icmp(struct pf_rule rm, struct pf_state sm, int direction, 3619 struct pfi_kif kif, struct mbuf m, int off, void *h,
3358 struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset *rsm)	3620 struct pf_pdesc pd, struct pf_rule am, struct pf_ruleset rsm, 3621* struct ifqueue *ifq)
3359{ 3360 struct pf_rule nr = NULL; 3361* struct pf_addr saddr = pd->src, daddr = pd->dst; 3362 struct pf_rule r, a = NULL; 3363 struct pf_ruleset ruleset = NULL; 3364* struct pf_src_node nsn = NULL; 3365* u_short reason; 3366 u_int16_t icmpid = 0; /* make the compiler happy / 3367* sa_family_t af = pd->af; 3368 u_int8_t icmptype = 0; /* make the compiler happy / 3369* u_int8_t icmpcode = 0; /* make the compiler happy / 3370* int state_icmp = 0; 3371 struct pf_tag pftag = NULL; 3372* int tag = -1; 3373#ifdef INET6 3374 int rewrite = 0; 3375#endif /* INET6 */	3622{ 3623 struct pf_rule nr = NULL; 3624* struct pf_addr saddr = pd->src, daddr = pd->dst; 3625 struct pf_rule r, a = NULL; 3626 struct pf_ruleset ruleset = NULL; 3627* struct pf_src_node nsn = NULL; 3628* u_short reason; 3629 u_int16_t icmpid = 0; /* make the compiler happy / 3630* sa_family_t af = pd->af; 3631 u_int8_t icmptype = 0; /* make the compiler happy / 3632* u_int8_t icmpcode = 0; /* make the compiler happy / 3633* int state_icmp = 0; 3634 struct pf_tag pftag = NULL; 3635* int tag = -1; 3636#ifdef INET6 3637 int rewrite = 0; 3638#endif /* INET6 */
	3639 int asd = 0;
3376	3640
	3641 if (pf_check_congestion(ifq)) { 3642 REASON_SET(&reason, PFRES_CONGEST); 3643 return (PF_DROP); 3644 } 3645
3377 switch (pd->proto) { 3378#ifdef INET 3379 case IPPROTO_ICMP: 3380 icmptype = pd->hdr.icmp->icmp_type; 3381 icmpcode = pd->hdr.icmp->icmp_code; 3382 icmpid = pd->hdr.icmp->icmp_id; 3383 3384 if (icmptype == ICMP_UNREACH \|\| --- 77 unchanged lines hidden (view full) --- 3462 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3463 r = r->skip[PF_SKIP_IFP].ptr; 3464 else if (r->direction && r->direction != direction) 3465 r = r->skip[PF_SKIP_DIR].ptr; 3466 else if (r->af && r->af != af) 3467 r = r->skip[PF_SKIP_AF].ptr; 3468 else if (r->proto && r->proto != pd->proto) 3469 r = r->skip[PF_SKIP_PROTO].ptr;	3646 switch (pd->proto) { 3647#ifdef INET 3648 case IPPROTO_ICMP: 3649 icmptype = pd->hdr.icmp->icmp_type; 3650 icmpcode = pd->hdr.icmp->icmp_code; 3651 icmpid = pd->hdr.icmp->icmp_id; 3652 3653 if (icmptype == ICMP_UNREACH \|\| --- 77 unchanged lines hidden (view full) --- 3731 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3732 r = r->skip[PF_SKIP_IFP].ptr; 3733 else if (r->direction && r->direction != direction) 3734 r = r->skip[PF_SKIP_DIR].ptr; 3735 else if (r->af && r->af != af) 3736 r = r->skip[PF_SKIP_AF].ptr; 3737 else if (r->proto && r->proto != pd->proto) 3738 r = r->skip[PF_SKIP_PROTO].ptr;
3470 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))	3739 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.neg))
3471 r = r->skip[PF_SKIP_SRC_ADDR].ptr;	3740 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3472 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))	3741 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.neg))
3473 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3474 else if (r->type && r->type != icmptype + 1) 3475 r = TAILQ_NEXT(r, entries); 3476 else if (r->code && r->code != icmpcode + 1) 3477 r = TAILQ_NEXT(r, entries); 3478 else if (r->tos && !(r->tos & pd->tos)) 3479 r = TAILQ_NEXT(r, entries); 3480 else if (r->rule_flag & PFRULE_FRAGMENT) 3481 r = TAILQ_NEXT(r, entries);	3742 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3743 else if (r->type && r->type != icmptype + 1) 3744 r = TAILQ_NEXT(r, entries); 3745 else if (r->code && r->code != icmpcode + 1) 3746 r = TAILQ_NEXT(r, entries); 3747 else if (r->tos && !(r->tos & pd->tos)) 3748 r = TAILQ_NEXT(r, entries); 3749 else if (r->rule_flag & PFRULE_FRAGMENT) 3750 r = TAILQ_NEXT(r, entries);
3482 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag))	3751 else if (r->prob && r->prob <= arc4random())
3483 r = TAILQ_NEXT(r, entries);	3752 r = TAILQ_NEXT(r, entries);
3484 else if (r->anchorname[0] && r->anchor == NULL)	3753 else if (r->match_tag && !pf_match_tag(m, r, &pftag, &tag))
3485 r = TAILQ_NEXT(r, entries); 3486 else if (r->os_fingerprint != PF_OSFP_ANY) 3487 r = TAILQ_NEXT(r, entries); 3488 else { 3489 if (r->tag) 3490 tag = r->tag; 3491 if (r->anchor == NULL) { 3492 rm = r; 3493* am = a; 3494* rsm = ruleset; 3495* if ((rm)->quick) 3496* break; 3497 r = TAILQ_NEXT(r, entries); 3498 } else	3754 r = TAILQ_NEXT(r, entries); 3755 else if (r->os_fingerprint != PF_OSFP_ANY) 3756 r = TAILQ_NEXT(r, entries); 3757 else { 3758 if (r->tag) 3759 tag = r->tag; 3760 if (r->anchor == NULL) { 3761 rm = r; 3762* am = a; 3763* rsm = ruleset; 3764* if ((rm)->quick) 3765* break; 3766 r = TAILQ_NEXT(r, entries); 3767 } else
3499 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3500 PF_RULESET_FILTER);	3768 pf_step_into_anchor(&asd, &ruleset, 3769 PF_RULESET_FILTER, &r, &a);
3501 }	3770 }
3502 if (r == NULL && a != NULL) 3503 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3504 PF_RULESET_FILTER);	3771 if (r == NULL) 3772 pf_step_out_of_anchor(&asd, &ruleset, 3773 PF_RULESET_FILTER, &r, &a);
3505 } 3506 r = rm; 3507* a = am; 3508* ruleset = rsm; 3509* 3510 REASON_SET(&reason, PFRES_MATCH); 3511 3512 if (r->log) { --- 14 unchanged lines hidden (view full) --- 3527 } 3528 3529 if (!state_icmp && (r->keep_state \|\| nr != NULL)) { 3530 /* create new state / 3531* struct pf_state s = NULL; 3532* struct pf_src_node sn = NULL; 3533* 3534 /* check maximums */	3774 } 3775 r = rm; 3776* a = am; 3777* ruleset = rsm; 3778* 3779 REASON_SET(&reason, PFRES_MATCH); 3780 3781 if (r->log) { --- 14 unchanged lines hidden (view full) --- 3796 } 3797 3798 if (!state_icmp && (r->keep_state \|\| nr != NULL)) { 3799 /* create new state / 3800* struct pf_state s = NULL; 3801* struct pf_src_node sn = NULL; 3802* 3803 /* check maximums */
3535 if (r->max_states && (r->states >= r->max_states))	3804 if (r->max_states && (r->states >= r->max_states)) { 3805 pf_status.lcounters[LCNT_STATES]++; 3806 REASON_SET(&reason, PFRES_MAXSTATES);
3536 goto cleanup;	3807 goto cleanup;
	3808 }
3537 /* src node for flter rule / 3538* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 3539 r->rpool.opts & PF_POOL_STICKYADDR) &&	3809 /* src node for flter rule / 3810* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 3811 r->rpool.opts & PF_POOL_STICKYADDR) &&
3540 pf_insert_src_node(&sn, r, saddr, af) != 0)	3812 pf_insert_src_node(&sn, r, saddr, af) != 0) { 3813 REASON_SET(&reason, PFRES_SRCLIMIT);
3541 goto cleanup;	3814 goto cleanup;
	3815 }
3542 /* src node for translation rule / 3543* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3544 ((direction == PF_OUT && 3545 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|	3816 /* src node for translation rule / 3817* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3818 ((direction == PF_OUT && 3819 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|
3546 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))	3820 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) { 3821 REASON_SET(&reason, PFRES_SRCLIMIT);
3547 goto cleanup;	3822 goto cleanup;
	3823 }
3548 s = pool_get(&pf_state_pl, PR_NOWAIT); 3549 if (s == NULL) {	3824 s = pool_get(&pf_state_pl, PR_NOWAIT); 3825 if (s == NULL) {
	3826 REASON_SET(&reason, PFRES_MEMORY);
3550cleanup: 3551 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3552 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3553 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3554 pf_status.src_nodes--; 3555 pool_put(&pf_src_tree_pl, sn); 3556 } 3557 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3558 nsn->expire == 0) { 3559 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3560 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3561 pf_status.src_nodes--; 3562 pool_put(&pf_src_tree_pl, nsn); 3563 }	3827cleanup: 3828 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3829 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3830 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3831 pf_status.src_nodes--; 3832 pool_put(&pf_src_tree_pl, sn); 3833 } 3834 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3835 nsn->expire == 0) { 3836 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3837 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3838 pf_status.src_nodes--; 3839 pool_put(&pf_src_tree_pl, nsn); 3840 }
3564 REASON_SET(&reason, PFRES_MEMORY);
3565 return (PF_DROP); 3566 } 3567 bzero(s, sizeof(*s));	3841 return (PF_DROP); 3842 } 3843 bzero(s, sizeof(*s));
3568 r->states++; 3569 if (a != NULL) 3570 a->states++;
3571 s->rule.ptr = r; 3572 s->nat_rule.ptr = nr;	3844 s->rule.ptr = r; 3845 s->nat_rule.ptr = nr;
3573 if (s->nat_rule.ptr != NULL) 3574 s->nat_rule.ptr->states++;
3575 s->anchor.ptr = a;	3846 s->anchor.ptr = a;
	3847 STATE_INC_COUNTERS(s);
3576 s->allow_opts = r->allow_opts; 3577 s->log = r->log & 2; 3578 s->proto = pd->proto; 3579 s->direction = direction; 3580 s->af = af; 3581 if (direction == PF_OUT) { 3582 PF_ACPY(&s->gwy.addr, saddr, af); 3583 s->gwy.port = icmpid; --- 10 unchanged lines hidden (view full) --- 3594 PF_ACPY(&s->ext.addr, saddr, af); 3595 s->ext.port = icmpid; 3596 if (nr != NULL) 3597 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3598 else 3599 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3600 s->gwy.port = icmpid; 3601 }	3848 s->allow_opts = r->allow_opts; 3849 s->log = r->log & 2; 3850 s->proto = pd->proto; 3851 s->direction = direction; 3852 s->af = af; 3853 if (direction == PF_OUT) { 3854 PF_ACPY(&s->gwy.addr, saddr, af); 3855 s->gwy.port = icmpid; --- 10 unchanged lines hidden (view full) --- 3866 PF_ACPY(&s->ext.addr, saddr, af); 3867 s->ext.port = icmpid; 3868 if (nr != NULL) 3869 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3870 else 3871 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3872 s->gwy.port = icmpid; 3873 }
3602#ifdef __FreeBSD__
3603 s->creation = time_second; 3604 s->expire = time_second;	3874 s->creation = time_second; 3875 s->expire = time_second;
3605#else 3606 s->creation = time.tv_sec; 3607 s->expire = time.tv_sec; 3608#endif
3609 s->timeout = PFTM_ICMP_FIRST_PACKET; 3610 pf_set_rt_ifp(s, saddr); 3611 if (sn != NULL) { 3612 s->src_node = sn; 3613 s->src_node->states++; 3614 } 3615 if (nsn != NULL) { 3616 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3617 s->nat_src_node = nsn; 3618 s->nat_src_node->states++; 3619 } 3620 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {	3876 s->timeout = PFTM_ICMP_FIRST_PACKET; 3877 pf_set_rt_ifp(s, saddr); 3878 if (sn != NULL) { 3879 s->src_node = sn; 3880 s->src_node->states++; 3881 } 3882 if (nsn != NULL) { 3883 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3884 s->nat_src_node = nsn; 3885 s->nat_src_node->states++; 3886 } 3887 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3621 REASON_SET(&reason, PFRES_MEMORY);	3888 REASON_SET(&reason, PFRES_STATEINS);
3622 pf_src_tree_remove_state(s);	3889 pf_src_tree_remove_state(s);
	3890 STATE_DEC_COUNTERS(s);
3623 pool_put(&pf_state_pl, s); 3624 return (PF_DROP); 3625 } else 3626 *sm = s;	3891 pool_put(&pf_state_pl, s); 3892 return (PF_DROP); 3893 } else 3894 *sm = s;
	3895 if (tag > 0) { 3896 pf_tag_ref(tag); 3897 s->tag = tag; 3898 }
3627 } 3628 3629#ifdef INET6 3630 /* copy back packet headers if we performed IPv6 NAT operations / 3631* if (rewrite) 3632 m_copyback(m, off, sizeof(struct icmp6_hdr), 3633 (caddr_t)pd->hdr.icmp6); 3634#endif /* INET6 / 3635* 3636 return (PF_PASS); 3637} 3638 3639int 3640pf_test_other(struct pf_rule rm, struct pf_state sm, int direction, 3641 struct pfi_kif kif, struct mbuf m, int off, void h, struct pf_pdesc pd,	3899 } 3900 3901#ifdef INET6 3902 /* copy back packet headers if we performed IPv6 NAT operations / 3903* if (rewrite) 3904 m_copyback(m, off, sizeof(struct icmp6_hdr), 3905 (caddr_t)pd->hdr.icmp6); 3906#endif /* INET6 / 3907* 3908 return (PF_PASS); 3909} 3910 3911int 3912pf_test_other(struct pf_rule rm, struct pf_state sm, int direction, 3913 struct pfi_kif kif, struct mbuf m, int off, void h, struct pf_pdesc pd,
3642 struct pf_rule am, struct pf_ruleset rsm)	3914 struct pf_rule am, struct pf_ruleset rsm, struct ifqueue *ifq)
3643{ 3644 struct pf_rule nr = NULL; 3645* struct pf_rule r, a = NULL; 3646 struct pf_ruleset ruleset = NULL; 3647* struct pf_src_node nsn = NULL; 3648* struct pf_addr saddr = pd->src, daddr = pd->dst; 3649 sa_family_t af = pd->af; 3650 u_short reason; 3651 struct pf_tag pftag = NULL; 3652* int tag = -1;	3915{ 3916 struct pf_rule nr = NULL; 3917* struct pf_rule r, a = NULL; 3918 struct pf_ruleset ruleset = NULL; 3919* struct pf_src_node nsn = NULL; 3920* struct pf_addr saddr = pd->src, daddr = pd->dst; 3921 sa_family_t af = pd->af; 3922 u_short reason; 3923 struct pf_tag pftag = NULL; 3924* int tag = -1;
	3925 int asd = 0;
3653	3926
	3927 if (pf_check_congestion(ifq)) { 3928 REASON_SET(&reason, PFRES_CONGEST); 3929 return (PF_DROP); 3930 } 3931
3654 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3655 3656 if (direction == PF_OUT) { 3657 /* check outgoing packet for BINAT/NAT / 3658* if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3659 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3660 PF_ACPY(&pd->baddr, saddr, af); 3661 switch (af) { --- 43 unchanged lines hidden (view full) --- 3705 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3706 r = r->skip[PF_SKIP_IFP].ptr; 3707 else if (r->direction && r->direction != direction) 3708 r = r->skip[PF_SKIP_DIR].ptr; 3709 else if (r->af && r->af != af) 3710 r = r->skip[PF_SKIP_AF].ptr; 3711 else if (r->proto && r->proto != pd->proto) 3712 r = r->skip[PF_SKIP_PROTO].ptr;	3932 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3933 3934 if (direction == PF_OUT) { 3935 /* check outgoing packet for BINAT/NAT / 3936* if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3937 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3938 PF_ACPY(&pd->baddr, saddr, af); 3939 switch (af) { --- 43 unchanged lines hidden (view full) --- 3983 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3984 r = r->skip[PF_SKIP_IFP].ptr; 3985 else if (r->direction && r->direction != direction) 3986 r = r->skip[PF_SKIP_DIR].ptr; 3987 else if (r->af && r->af != af) 3988 r = r->skip[PF_SKIP_AF].ptr; 3989 else if (r->proto && r->proto != pd->proto) 3990 r = r->skip[PF_SKIP_PROTO].ptr;
3713 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not))	3991 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.neg))
3714 r = r->skip[PF_SKIP_SRC_ADDR].ptr;	3992 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3715 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not))	3993 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.neg))
3716 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3717 else if (r->tos && !(r->tos & pd->tos)) 3718 r = TAILQ_NEXT(r, entries); 3719 else if (r->rule_flag & PFRULE_FRAGMENT) 3720 r = TAILQ_NEXT(r, entries);	3994 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3995 else if (r->tos && !(r->tos & pd->tos)) 3996 r = TAILQ_NEXT(r, entries); 3997 else if (r->rule_flag & PFRULE_FRAGMENT) 3998 r = TAILQ_NEXT(r, entries);
3721 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag))	3999 else if (r->prob && r->prob <= arc4random())
3722 r = TAILQ_NEXT(r, entries);	4000 r = TAILQ_NEXT(r, entries);
3723 else if (r->anchorname[0] && r->anchor == NULL)	4001 else if (r->match_tag && !pf_match_tag(m, r, &pftag, &tag))
3724 r = TAILQ_NEXT(r, entries); 3725 else if (r->os_fingerprint != PF_OSFP_ANY) 3726 r = TAILQ_NEXT(r, entries); 3727 else { 3728 if (r->tag) 3729 tag = r->tag; 3730 if (r->anchor == NULL) { 3731 rm = r; 3732* am = a; 3733* rsm = ruleset; 3734* if ((rm)->quick) 3735* break; 3736 r = TAILQ_NEXT(r, entries); 3737 } else	4002 r = TAILQ_NEXT(r, entries); 4003 else if (r->os_fingerprint != PF_OSFP_ANY) 4004 r = TAILQ_NEXT(r, entries); 4005 else { 4006 if (r->tag) 4007 tag = r->tag; 4008 if (r->anchor == NULL) { 4009 rm = r; 4010* am = a; 4011* rsm = ruleset; 4012* if ((rm)->quick) 4013* break; 4014 r = TAILQ_NEXT(r, entries); 4015 } else
3738 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3739 PF_RULESET_FILTER);	4016 pf_step_into_anchor(&asd, &ruleset, 4017 PF_RULESET_FILTER, &r, &a);
3740 }	4018 }
3741 if (r == NULL && a != NULL) 3742 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3743 PF_RULESET_FILTER);	4019 if (r == NULL) 4020 pf_step_out_of_anchor(&asd, &ruleset, 4021 PF_RULESET_FILTER, &r, &a);
3744 } 3745 r = rm; 3746* a = am; 3747* ruleset = rsm; 3748* 3749 REASON_SET(&reason, PFRES_MATCH); 3750 3751 if (r->log) --- 42 unchanged lines hidden (view full) --- 3794 } 3795 3796 if (r->keep_state \|\| nr != NULL) { 3797 /* create new state / 3798* struct pf_state s = NULL; 3799* struct pf_src_node sn = NULL; 3800* 3801 /* check maximums */	4022 } 4023 r = rm; 4024* a = am; 4025* ruleset = rsm; 4026* 4027 REASON_SET(&reason, PFRES_MATCH); 4028 4029 if (r->log) --- 42 unchanged lines hidden (view full) --- 4072 } 4073 4074 if (r->keep_state \|\| nr != NULL) { 4075 /* create new state / 4076* struct pf_state s = NULL; 4077* struct pf_src_node sn = NULL; 4078* 4079 /* check maximums */
3802 if (r->max_states && (r->states >= r->max_states))	4080 if (r->max_states && (r->states >= r->max_states)) { 4081 pf_status.lcounters[LCNT_STATES]++; 4082 REASON_SET(&reason, PFRES_MAXSTATES);
3803 goto cleanup;	4083 goto cleanup;
	4084 }
3804 /* src node for flter rule / 3805* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 3806 r->rpool.opts & PF_POOL_STICKYADDR) &&	4085 /* src node for flter rule / 4086* if ((r->rule_flag & PFRULE_SRCTRACK \|\| 4087 r->rpool.opts & PF_POOL_STICKYADDR) &&
3807 pf_insert_src_node(&sn, r, saddr, af) != 0)	4088 pf_insert_src_node(&sn, r, saddr, af) != 0) { 4089 REASON_SET(&reason, PFRES_SRCLIMIT);
3808 goto cleanup;	4090 goto cleanup;
	4091 }
3809 /* src node for translation rule / 3810* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3811 ((direction == PF_OUT && 3812 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|	4092 /* src node for translation rule / 4093* if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 4094 ((direction == PF_OUT && 4095 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) \|\|
3813 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))	4096 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) { 4097 REASON_SET(&reason, PFRES_SRCLIMIT);
3814 goto cleanup;	4098 goto cleanup;
	4099 }
3815 s = pool_get(&pf_state_pl, PR_NOWAIT); 3816 if (s == NULL) {	4100 s = pool_get(&pf_state_pl, PR_NOWAIT); 4101 if (s == NULL) {
	4102 REASON_SET(&reason, PFRES_MEMORY);
3817cleanup: 3818 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3819 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3820 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3821 pf_status.src_nodes--; 3822 pool_put(&pf_src_tree_pl, sn); 3823 } 3824 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3825 nsn->expire == 0) { 3826 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3827 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3828 pf_status.src_nodes--; 3829 pool_put(&pf_src_tree_pl, nsn); 3830 }	4103cleanup: 4104 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 4105 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 4106 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 4107 pf_status.src_nodes--; 4108 pool_put(&pf_src_tree_pl, sn); 4109 } 4110 if (nsn != sn && nsn != NULL && nsn->states == 0 && 4111 nsn->expire == 0) { 4112 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 4113 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 4114 pf_status.src_nodes--; 4115 pool_put(&pf_src_tree_pl, nsn); 4116 }
3831 REASON_SET(&reason, PFRES_MEMORY);
3832 return (PF_DROP); 3833 } 3834 bzero(s, sizeof(*s));	4117 return (PF_DROP); 4118 } 4119 bzero(s, sizeof(*s));
3835 r->states++; 3836 if (a != NULL) 3837 a->states++;
3838 s->rule.ptr = r; 3839 s->nat_rule.ptr = nr;	4120 s->rule.ptr = r; 4121 s->nat_rule.ptr = nr;
3840 if (s->nat_rule.ptr != NULL) 3841 s->nat_rule.ptr->states++;
3842 s->anchor.ptr = a;	4122 s->anchor.ptr = a;
	4123 STATE_INC_COUNTERS(s);
3843 s->allow_opts = r->allow_opts; 3844 s->log = r->log & 2; 3845 s->proto = pd->proto; 3846 s->direction = direction; 3847 s->af = af; 3848 if (direction == PF_OUT) { 3849 PF_ACPY(&s->gwy.addr, saddr, af); 3850 PF_ACPY(&s->ext.addr, daddr, af); --- 6 unchanged lines hidden (view full) --- 3857 PF_ACPY(&s->ext.addr, saddr, af); 3858 if (nr != NULL) 3859 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3860 else 3861 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3862 } 3863 s->src.state = PFOTHERS_SINGLE; 3864 s->dst.state = PFOTHERS_NO_TRAFFIC;	4124 s->allow_opts = r->allow_opts; 4125 s->log = r->log & 2; 4126 s->proto = pd->proto; 4127 s->direction = direction; 4128 s->af = af; 4129 if (direction == PF_OUT) { 4130 PF_ACPY(&s->gwy.addr, saddr, af); 4131 PF_ACPY(&s->ext.addr, daddr, af); --- 6 unchanged lines hidden (view full) --- 4138 PF_ACPY(&s->ext.addr, saddr, af); 4139 if (nr != NULL) 4140 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 4141 else 4142 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 4143 } 4144 s->src.state = PFOTHERS_SINGLE; 4145 s->dst.state = PFOTHERS_NO_TRAFFIC;
3865#ifdef __FreeBSD__
3866 s->creation = time_second; 3867 s->expire = time_second;	4146 s->creation = time_second; 4147 s->expire = time_second;
3868#else 3869 s->creation = time.tv_sec; 3870 s->expire = time.tv_sec; 3871#endif
3872 s->timeout = PFTM_OTHER_FIRST_PACKET; 3873 pf_set_rt_ifp(s, saddr); 3874 if (sn != NULL) { 3875 s->src_node = sn; 3876 s->src_node->states++; 3877 } 3878 if (nsn != NULL) { 3879 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3880 s->nat_src_node = nsn; 3881 s->nat_src_node->states++; 3882 } 3883 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {	4148 s->timeout = PFTM_OTHER_FIRST_PACKET; 4149 pf_set_rt_ifp(s, saddr); 4150 if (sn != NULL) { 4151 s->src_node = sn; 4152 s->src_node->states++; 4153 } 4154 if (nsn != NULL) { 4155 PF_ACPY(&nsn->raddr, &pd->naddr, af); 4156 s->nat_src_node = nsn; 4157 s->nat_src_node->states++; 4158 } 4159 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3884 REASON_SET(&reason, PFRES_MEMORY);	4160 REASON_SET(&reason, PFRES_STATEINS);
3885 pf_src_tree_remove_state(s);	4161 pf_src_tree_remove_state(s);
	4162 STATE_DEC_COUNTERS(s);
3886 pool_put(&pf_state_pl, s); 3887 return (PF_DROP); 3888 } else 3889 *sm = s;	4163 pool_put(&pf_state_pl, s); 4164 return (PF_DROP); 4165 } else 4166 *sm = s;
	4167 if (tag > 0) { 4168 pf_tag_ref(tag); 4169 s->tag = tag; 4170 }
3890 } 3891 3892 return (PF_PASS); 3893} 3894 3895int 3896pf_test_fragment(struct pf_rule *rm, int direction, struct pfi_kif kif, 3897 struct mbuf m, void h, struct pf_pdesc pd, struct pf_rule am, 3898* struct pf_ruleset *rsm) 3899{ 3900* struct pf_rule r, a = NULL; 3901 struct pf_ruleset ruleset = NULL; 3902* sa_family_t af = pd->af; 3903 u_short reason; 3904 struct pf_tag pftag = NULL; 3905* int tag = -1;	4171 } 4172 4173 return (PF_PASS); 4174} 4175 4176int 4177pf_test_fragment(struct pf_rule *rm, int direction, struct pfi_kif kif, 4178 struct mbuf m, void h, struct pf_pdesc pd, struct pf_rule am, 4179* struct pf_ruleset *rsm) 4180{ 4181* struct pf_rule r, a = NULL; 4182 struct pf_ruleset ruleset = NULL; 4183* sa_family_t af = pd->af; 4184 u_short reason; 4185 struct pf_tag pftag = NULL; 4186* int tag = -1;
	4187 int asd = 0;
3906 3907 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3908 while (r != NULL) { 3909 r->evaluations++; 3910 if (r->kif != NULL && 3911 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3912 r = r->skip[PF_SKIP_IFP].ptr; 3913 else if (r->direction && r->direction != direction) 3914 r = r->skip[PF_SKIP_DIR].ptr; 3915 else if (r->af && r->af != af) 3916 r = r->skip[PF_SKIP_AF].ptr; 3917 else if (r->proto && r->proto != pd->proto) 3918 r = r->skip[PF_SKIP_PROTO].ptr;	4188 4189 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 4190 while (r != NULL) { 4191 r->evaluations++; 4192 if (r->kif != NULL && 4193 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 4194 r = r->skip[PF_SKIP_IFP].ptr; 4195 else if (r->direction && r->direction != direction) 4196 r = r->skip[PF_SKIP_DIR].ptr; 4197 else if (r->af && r->af != af) 4198 r = r->skip[PF_SKIP_AF].ptr; 4199 else if (r->proto && r->proto != pd->proto) 4200 r = r->skip[PF_SKIP_PROTO].ptr;
3919 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not))	4201 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.neg))
3920 r = r->skip[PF_SKIP_SRC_ADDR].ptr;	4202 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3921 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not))	4203 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.neg))
3922 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3923 else if (r->tos && !(r->tos & pd->tos)) 3924 r = TAILQ_NEXT(r, entries); 3925 else if (r->src.port_op \|\| r->dst.port_op \|\| 3926 r->flagset \|\| r->type \|\| r->code \|\| 3927 r->os_fingerprint != PF_OSFP_ANY) 3928 r = TAILQ_NEXT(r, entries);	4204 r = r->skip[PF_SKIP_DST_ADDR].ptr; 4205 else if (r->tos && !(r->tos & pd->tos)) 4206 r = TAILQ_NEXT(r, entries); 4207 else if (r->src.port_op \|\| r->dst.port_op \|\| 4208 r->flagset \|\| r->type \|\| r->code \|\| 4209 r->os_fingerprint != PF_OSFP_ANY) 4210 r = TAILQ_NEXT(r, entries);
3929 else if (r->match_tag && !pf_match_tag(m, r, NULL, pftag, &tag))	4211 else if (r->prob && r->prob <= arc4random())
3930 r = TAILQ_NEXT(r, entries);	4212 r = TAILQ_NEXT(r, entries);
3931 else if (r->anchorname[0] && r->anchor == NULL)	4213 else if (r->match_tag && !pf_match_tag(m, r, &pftag, &tag))
3932 r = TAILQ_NEXT(r, entries); 3933 else { 3934 if (r->anchor == NULL) { 3935 rm = r; 3936* am = a; 3937* rsm = ruleset; 3938* if ((rm)->quick) 3939* break; 3940 r = TAILQ_NEXT(r, entries); 3941 } else	4214 r = TAILQ_NEXT(r, entries); 4215 else { 4216 if (r->anchor == NULL) { 4217 rm = r; 4218* am = a; 4219* rsm = ruleset; 4220* if ((rm)->quick) 4221* break; 4222 r = TAILQ_NEXT(r, entries); 4223 } else
3942 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3943 PF_RULESET_FILTER);	4224 pf_step_into_anchor(&asd, &ruleset, 4225 PF_RULESET_FILTER, &r, &a);
3944 }	4226 }
3945 if (r == NULL && a != NULL) 3946 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3947 PF_RULESET_FILTER);	4227 if (r == NULL) 4228 pf_step_out_of_anchor(&asd, &ruleset, 4229 PF_RULESET_FILTER, &r, &a);
3948 } 3949 r = rm; 3950* a = am; 3951* ruleset = rsm; 3952* 3953 REASON_SET(&reason, PFRES_MATCH); 3954 3955 if (r->log) --- 13 unchanged lines hidden (view full) --- 3969int 3970pf_test_state_tcp(struct pf_state *state, int direction, struct pfi_kif kif, 3971 struct mbuf m, int off, void h, struct pf_pdesc pd, 3972* u_short reason) 3973{ 3974* struct pf_state key; 3975 struct tcphdr th = pd->hdr.tcp; 3976* u_int16_t win = ntohs(th->th_win);	4230 } 4231 r = rm; 4232* a = am; 4233* ruleset = rsm; 4234* 4235 REASON_SET(&reason, PFRES_MATCH); 4236 4237 if (r->log) --- 13 unchanged lines hidden (view full) --- 4251int 4252pf_test_state_tcp(struct pf_state *state, int direction, struct pfi_kif kif, 4253 struct mbuf m, int off, void h, struct pf_pdesc pd, 4254* u_short reason) 4255{ 4256* struct pf_state key; 4257 struct tcphdr th = pd->hdr.tcp; 4258* u_int16_t win = ntohs(th->th_win);
3977 u_int32_t ack, end, seq;	4259 u_int32_t ack, end, seq, orig_seq;
3978 u_int8_t sws, dws; 3979 int ackskew; 3980 int copyback = 0; 3981 struct pf_state_peer src, dst; 3982 3983 key.af = pd->af; 3984 key.proto = IPPROTO_TCP; 3985 if (direction == PF_IN) { --- 14 unchanged lines hidden (view full) --- 4000 src = &(state)->src; 4001* dst = &(state)->dst; 4002* } else { 4003 src = &(state)->dst; 4004* dst = &(state)->src; 4005* } 4006 4007 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {	4260 u_int8_t sws, dws; 4261 int ackskew; 4262 int copyback = 0; 4263 struct pf_state_peer src, dst; 4264 4265 key.af = pd->af; 4266 key.proto = IPPROTO_TCP; 4267 if (direction == PF_IN) { --- 14 unchanged lines hidden (view full) --- 4282 src = &(state)->src; 4283* dst = &(state)->dst; 4284* } else { 4285 src = &(state)->dst; 4286* dst = &(state)->src; 4287* } 4288 4289 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
4008 if (direction != (*state)->direction)	4290 if (direction != (state)->direction) { 4291* REASON_SET(reason, PFRES_SYNPROXY);
4009 return (PF_SYNPROXY_DROP);	4292 return (PF_SYNPROXY_DROP);
	4293 }
4010 if (th->th_flags & TH_SYN) {	4294 if (th->th_flags & TH_SYN) {
4011 if (ntohl(th->th_seq) != (*state)->src.seqlo)	4295 if (ntohl(th->th_seq) != (state)->src.seqlo) { 4296* REASON_SET(reason, PFRES_SYNPROXY);
4012 return (PF_DROP);	4297 return (PF_DROP);
	4298 }
4013 pf_send_tcp((state)->rule.ptr, pd->af, pd->dst, 4014* pd->src, th->th_dport, th->th_sport, 4015 (*state)->src.seqhi, ntohl(th->th_seq) + 1,	4299 pf_send_tcp((state)->rule.ptr, pd->af, pd->dst, 4300* pd->src, th->th_dport, th->th_sport, 4301 (*state)->src.seqhi, ntohl(th->th_seq) + 1,
4016 TH_SYN\|TH_ACK, 0, (*state)->src.mss, 0);	4302 TH_SYN\|TH_ACK, 0, (state)->src.mss, 0, 1, 4303* NULL, NULL); 4304 REASON_SET(reason, PFRES_SYNPROXY);
4017 return (PF_SYNPROXY_DROP); 4018 } else if (!(th->th_flags & TH_ACK) \|\| 4019 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) \|\|	4305 return (PF_SYNPROXY_DROP); 4306 } else if (!(th->th_flags & TH_ACK) \|\| 4307 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) \|\|
4020 (ntohl(th->th_seq) != (*state)->src.seqlo + 1))	4308 (ntohl(th->th_seq) != (state)->src.seqlo + 1)) { 4309* REASON_SET(reason, PFRES_SYNPROXY);
4021 return (PF_DROP);	4310 return (PF_DROP);
4022 else	4311 } else if ((state)->src_node != NULL && 4312* pf_src_connlimit(state)) { 4313 REASON_SET(reason, PFRES_SRCLIMIT); 4314 return (PF_DROP); 4315 } else
4023 (state)->src.state = PF_TCPS_PROXY_DST; 4024* } 4025 if ((state)->src.state == PF_TCPS_PROXY_DST) { 4026* struct pf_state_host src, dst; 4027 4028 if (direction == PF_OUT) { 4029 src = &(state)->gwy; 4030* dst = &(state)->ext; 4031* } else { 4032 src = &(state)->ext; 4033* dst = &(state)->lan; 4034* } 4035 if (direction == (state)->direction) { 4036* if (((th->th_flags & (TH_SYN\|TH_ACK)) != TH_ACK) \|\| 4037 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) \|\|	4316 (state)->src.state = PF_TCPS_PROXY_DST; 4317* } 4318 if ((state)->src.state == PF_TCPS_PROXY_DST) { 4319* struct pf_state_host src, dst; 4320 4321 if (direction == PF_OUT) { 4322 src = &(state)->gwy; 4323* dst = &(state)->ext; 4324* } else { 4325 src = &(state)->ext; 4326* dst = &(state)->lan; 4327* } 4328 if (direction == (state)->direction) { 4329* if (((th->th_flags & (TH_SYN\|TH_ACK)) != TH_ACK) \|\| 4330 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) \|\|
4038 (ntohl(th->th_seq) != (*state)->src.seqlo + 1))	4331 (ntohl(th->th_seq) != (state)->src.seqlo + 1)) { 4332* REASON_SET(reason, PFRES_SYNPROXY);
4039 return (PF_DROP);	4333 return (PF_DROP);
	4334 }
4040 (state)->src.max_win = MAX(ntohs(th->th_win), 1); 4041* if ((*state)->dst.seqhi == 1)	4335 (state)->src.max_win = MAX(ntohs(th->th_win), 1); 4336* if ((*state)->dst.seqhi == 1)
4042 (*state)->dst.seqhi = arc4random();	4337 (*state)->dst.seqhi = htonl(arc4random());
4043 pf_send_tcp((state)->rule.ptr, pd->af, &src->addr, 4044* &dst->addr, src->port, dst->port, 4045 (*state)->dst.seqhi, 0, TH_SYN, 0,	4338 pf_send_tcp((state)->rule.ptr, pd->af, &src->addr, 4339* &dst->addr, src->port, dst->port, 4340 (*state)->dst.seqhi, 0, TH_SYN, 0,
4046 (*state)->src.mss, 0);	4341 (state)->src.mss, 0, 0, NULL, NULL); 4342* REASON_SET(reason, PFRES_SYNPROXY);
4047 return (PF_SYNPROXY_DROP); 4048 } else if (((th->th_flags & (TH_SYN\|TH_ACK)) != 4049 (TH_SYN\|TH_ACK)) \|\|	4343 return (PF_SYNPROXY_DROP); 4344 } else if (((th->th_flags & (TH_SYN\|TH_ACK)) != 4345 (TH_SYN\|TH_ACK)) \|\|
4050 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1))	4346 (ntohl(th->th_ack) != (state)->dst.seqhi + 1)) { 4347* REASON_SET(reason, PFRES_SYNPROXY);
4051 return (PF_DROP);	4348 return (PF_DROP);
4052 else {	4349 } else {
4053 (state)->dst.max_win = MAX(ntohs(th->th_win), 1); 4054* (state)->dst.seqlo = ntohl(th->th_seq); 4055* pf_send_tcp((state)->rule.ptr, pd->af, pd->dst, 4056* pd->src, th->th_dport, th->th_sport, 4057 ntohl(th->th_ack), ntohl(th->th_seq) + 1,	4350 (state)->dst.max_win = MAX(ntohs(th->th_win), 1); 4351* (state)->dst.seqlo = ntohl(th->th_seq); 4352* pf_send_tcp((state)->rule.ptr, pd->af, pd->dst, 4353* pd->src, th->th_dport, th->th_sport, 4354 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
4058 TH_ACK, (*state)->src.max_win, 0, 0);	4355 TH_ACK, (state)->src.max_win, 0, 0, 0, 4356* NULL, NULL);
4059 pf_send_tcp((state)->rule.ptr, pd->af, &src->addr, 4060* &dst->addr, src->port, dst->port, 4061 (state)->src.seqhi + 1, (state)->src.seqlo + 1,	4357 pf_send_tcp((state)->rule.ptr, pd->af, &src->addr, 4358* &dst->addr, src->port, dst->port, 4359 (state)->src.seqhi + 1, (state)->src.seqlo + 1,
4062 TH_ACK, (*state)->dst.max_win, 0, 0);	4360 TH_ACK, (state)->dst.max_win, 0, 0, 1, 4361* NULL, NULL);
4063 (state)->src.seqdiff = (state)->dst.seqhi - 4064 (state)->src.seqlo; 4065* (state)->dst.seqdiff = (state)->src.seqhi - 4066 (state)->dst.seqlo; 4067* (state)->src.seqhi = (state)->src.seqlo +	4362 (state)->src.seqdiff = (state)->dst.seqhi - 4363 (state)->src.seqlo; 4364* (state)->dst.seqdiff = (state)->src.seqhi - 4365 (state)->dst.seqlo; 4366* (state)->src.seqhi = (state)->src.seqlo +
4068 (state)->dst.max_win; 4069* (state)->dst.seqhi = (state)->dst.seqlo +
4070 (*state)->src.max_win;	4367 (*state)->src.max_win;
	4368 (state)->dst.seqhi = (state)->dst.seqlo + 4369 (*state)->dst.max_win;
4071 (state)->src.wscale = (state)->dst.wscale = 0; 4072 (state)->src.state = (state)->dst.state = 4073 TCPS_ESTABLISHED;	4370 (state)->src.wscale = (state)->dst.wscale = 0; 4371 (state)->src.state = (state)->dst.state = 4372 TCPS_ESTABLISHED;
	4373 REASON_SET(reason, PFRES_SYNPROXY);
4074 return (PF_SYNPROXY_DROP); 4075 } 4076 } 4077 4078 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 4079 sws = src->wscale & PF_WSCALE_MASK; 4080 dws = dst->wscale & PF_WSCALE_MASK; 4081 } else 4082 sws = dws = 0; 4083 4084 /* 4085 * Sequence tracking algorithm from Guido van Rooij's paper: 4086 * http://www.madison-gurkha.com/publications/tcp_filtering/ 4087 * tcp_filtering.ps 4088 / 4089*	4374 return (PF_SYNPROXY_DROP); 4375 } 4376 } 4377 4378 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 4379 sws = src->wscale & PF_WSCALE_MASK; 4380 dws = dst->wscale & PF_WSCALE_MASK; 4381 } else 4382 sws = dws = 0; 4383 4384 /* 4385 * Sequence tracking algorithm from Guido van Rooij's paper: 4386 * http://www.madison-gurkha.com/publications/tcp_filtering/ 4387 * tcp_filtering.ps 4388 / 4389*
4090 seq = ntohl(th->th_seq);	4390 orig_seq = seq = ntohl(th->th_seq);
4091 if (src->seqlo == 0) { 4092 /* First packet from this end. Set its state / 4093* 4094 if ((pd->flags & PFDESC_TCP_NORM \|\| dst->scrub) && 4095 src->scrub == NULL) { 4096 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 4097 REASON_SET(reason, PFRES_MEMORY); 4098 return (PF_DROP); 4099 } 4100 } 4101 4102 /* Deferred generation of sequence number modulator / 4103* if (dst->seqdiff && !src->seqdiff) {	4391 if (src->seqlo == 0) { 4392 /* First packet from this end. Set its state / 4393* 4394 if ((pd->flags & PFDESC_TCP_NORM \|\| dst->scrub) && 4395 src->scrub == NULL) { 4396 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 4397 REASON_SET(reason, PFRES_MEMORY); 4398 return (PF_DROP); 4399 } 4400 } 4401 4402 /* Deferred generation of sequence number modulator / 4403* if (dst->seqdiff && !src->seqdiff) {
4104 while ((src->seqdiff = arc4random()) == 0)	4404 while ((src->seqdiff = htonl(arc4random())) == 0)
4105 ; 4106 ack = ntohl(th->th_ack) - dst->seqdiff; 4107 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 4108 src->seqdiff), 0); 4109 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 4110 copyback = 1; 4111 } else { 4112 ack = ntohl(th->th_ack); --- 79 unchanged lines hidden (view full) --- 4192 4193#define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor / 4194* if (SEQ_GEQ(src->seqhi, end) && 4195 /* Last octet inside other's window space / 4196* SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 4197 /* Retrans: not more than one window back / 4198* (ackskew >= -MAXACKWINDOW) && 4199 /* Acking not more than one reassembled fragment backwards */	4405 ; 4406 ack = ntohl(th->th_ack) - dst->seqdiff; 4407 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 4408 src->seqdiff), 0); 4409 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 4410 copyback = 1; 4411 } else { 4412 ack = ntohl(th->th_ack); --- 79 unchanged lines hidden (view full) --- 4492 4493#define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor / 4494* if (SEQ_GEQ(src->seqhi, end) && 4495 /* Last octet inside other's window space / 4496* SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 4497 /* Retrans: not more than one window back / 4498* (ackskew >= -MAXACKWINDOW) && 4499 /* Acking not more than one reassembled fragment backwards */
4200 (ackskew <= (MAXACKWINDOW << sws))) {	4500 (ackskew <= (MAXACKWINDOW << sws)) &&
4201 /* Acking not more than one window forward */	4501 /* Acking not more than one window forward */
	4502 ((th->th_flags & TH_RST) == 0 \|\| orig_seq == src->seqlo \|\| 4503 (pd->flags & PFDESC_IP_REAS) == 0)) { 4504 /* Require an exact sequence match on resets when possible */
4202	4505
	4506 if (dst->scrub \|\| src->scrub) { 4507 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4508 state, src, dst, &copyback)) 4509* return (PF_DROP); 4510 } 4511
4203 /* update max window / 4204* if (src->max_win < win) 4205 src->max_win = win; 4206 /* synchronize sequencing / 4207* if (SEQ_GT(end, src->seqlo)) 4208 src->seqlo = end; 4209 /* slide the window of what the other end can send / 4210* if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 4211 dst->seqhi = ack + MAX((win << sws), 1); 4212 4213 4214 /* update states / 4215* if (th->th_flags & TH_SYN) 4216 if (src->state < TCPS_SYN_SENT) 4217 src->state = TCPS_SYN_SENT; 4218 if (th->th_flags & TH_FIN) 4219 if (src->state < TCPS_CLOSING) 4220 src->state = TCPS_CLOSING; 4221 if (th->th_flags & TH_ACK) {	4512 /* update max window / 4513* if (src->max_win < win) 4514 src->max_win = win; 4515 /* synchronize sequencing / 4516* if (SEQ_GT(end, src->seqlo)) 4517 src->seqlo = end; 4518 /* slide the window of what the other end can send / 4519* if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 4520 dst->seqhi = ack + MAX((win << sws), 1); 4521 4522 4523 /* update states / 4524* if (th->th_flags & TH_SYN) 4525 if (src->state < TCPS_SYN_SENT) 4526 src->state = TCPS_SYN_SENT; 4527 if (th->th_flags & TH_FIN) 4528 if (src->state < TCPS_CLOSING) 4529 src->state = TCPS_CLOSING; 4530 if (th->th_flags & TH_ACK) {
4222 if (dst->state == TCPS_SYN_SENT)	4531 if (dst->state == TCPS_SYN_SENT) {
4223 dst->state = TCPS_ESTABLISHED;	4532 dst->state = TCPS_ESTABLISHED;
4224 else if (dst->state == TCPS_CLOSING)	4533 if (src->state == TCPS_ESTABLISHED && 4534 (state)->src_node != NULL && 4535* pf_src_connlimit(state)) { 4536 REASON_SET(reason, PFRES_SRCLIMIT); 4537 return (PF_DROP); 4538 } 4539 } else if (dst->state == TCPS_CLOSING)
4225 dst->state = TCPS_FIN_WAIT_2; 4226 } 4227 if (th->th_flags & TH_RST) 4228 src->state = dst->state = TCPS_TIME_WAIT; 4229 4230 /* update expire time */	4540 dst->state = TCPS_FIN_WAIT_2; 4541 } 4542 if (th->th_flags & TH_RST) 4543 src->state = dst->state = TCPS_TIME_WAIT; 4544 4545 /* update expire time */
4231#ifdef __FreeBSD__
4232 (*state)->expire = time_second;	4546 (*state)->expire = time_second;
4233#else 4234 (state)->expire = time.tv_sec; 4235*#endif
4236 if (src->state >= TCPS_FIN_WAIT_2 && 4237 dst->state >= TCPS_FIN_WAIT_2) 4238 (state)->timeout = PFTM_TCP_CLOSED; 4239* else if (src->state >= TCPS_FIN_WAIT_2 \|\| 4240 dst->state >= TCPS_FIN_WAIT_2) 4241 (state)->timeout = PFTM_TCP_FIN_WAIT; 4242* else if (src->state < TCPS_ESTABLISHED \|\| 4243 dst->state < TCPS_ESTABLISHED) --- 39 unchanged lines hidden (view full) --- 4283 printf("pf: loose state match: "); 4284 pf_print_state(state); 4285* pf_print_flags(th->th_flags); 4286 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 4287 seq, ack, pd->p_len, ackskew, 4288 (state)->packets[0], (state)->packets[1]); 4289 } 4290	4547 if (src->state >= TCPS_FIN_WAIT_2 && 4548 dst->state >= TCPS_FIN_WAIT_2) 4549 (state)->timeout = PFTM_TCP_CLOSED; 4550* else if (src->state >= TCPS_FIN_WAIT_2 \|\| 4551 dst->state >= TCPS_FIN_WAIT_2) 4552 (state)->timeout = PFTM_TCP_FIN_WAIT; 4553* else if (src->state < TCPS_ESTABLISHED \|\| 4554 dst->state < TCPS_ESTABLISHED) --- 39 unchanged lines hidden (view full) --- 4594 printf("pf: loose state match: "); 4595 pf_print_state(state); 4596* pf_print_flags(th->th_flags); 4597 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 4598 seq, ack, pd->p_len, ackskew, 4599 (state)->packets[0], (state)->packets[1]); 4600 } 4601
	4602 if (dst->scrub \|\| src->scrub) { 4603 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4604 state, src, dst, &copyback)) 4605* return (PF_DROP); 4606 } 4607
4291 /* update max window / 4292* if (src->max_win < win) 4293 src->max_win = win; 4294 /* synchronize sequencing / 4295* if (SEQ_GT(end, src->seqlo)) 4296 src->seqlo = end; 4297 /* slide the window of what the other end can send / 4298* if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) --- 11 unchanged lines hidden (view full) --- 4310 src->state = dst->state = TCPS_TIME_WAIT; 4311 4312 /* Fall through to PASS packet / 4313* 4314 } else { 4315 if ((state)->dst.state == TCPS_SYN_SENT && 4316* (state)->src.state == TCPS_SYN_SENT) { 4317* /* Send RST for state mismatches during handshake */	4608 /* update max window / 4609* if (src->max_win < win) 4610 src->max_win = win; 4611 /* synchronize sequencing / 4612* if (SEQ_GT(end, src->seqlo)) 4613 src->seqlo = end; 4614 /* slide the window of what the other end can send / 4615* if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) --- 11 unchanged lines hidden (view full) --- 4627 src->state = dst->state = TCPS_TIME_WAIT; 4628 4629 /* Fall through to PASS packet / 4630* 4631 } else { 4632 if ((state)->dst.state == TCPS_SYN_SENT && 4633* (state)->src.state == TCPS_SYN_SENT) { 4634* /* Send RST for state mismatches during handshake */
4318 if (!(th->th_flags & TH_RST)) { 4319 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 4320 4321 if (th->th_flags & TH_SYN) 4322 ack++; 4323 if (th->th_flags & TH_FIN) 4324 ack++;	4635 if (!(th->th_flags & TH_RST))
4325 pf_send_tcp((state)->rule.ptr, pd->af, 4326* pd->dst, pd->src, th->th_dport,	4636 pf_send_tcp((state)->rule.ptr, pd->af, 4637* pd->dst, pd->src, th->th_dport,
4327 th->th_sport, ntohl(th->th_ack), ack, 4328 TH_RST\|TH_ACK, 0, 0, 4329 (state)->rule.ptr->return_ttl); 4330* }	4638 th->th_sport, ntohl(th->th_ack), 0, 4639 TH_RST, 0, 0, 4640 (state)->rule.ptr->return_ttl, 1, 4641* pd->eh, kif->pfik_ifp);
4331 src->seqlo = 0; 4332 src->seqhi = 1; 4333 src->max_win = 1; 4334 } else if (pf_status.debug >= PF_DEBUG_MISC) { 4335 printf("pf: BAD state: "); 4336 pf_print_state(state); 4337* pf_print_flags(th->th_flags); 4338 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " --- 5 unchanged lines hidden (view full) --- 4344 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 4345 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 4346 ' ': '2', 4347 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 4348 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 4349 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 4350 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 4351 }	4642 src->seqlo = 0; 4643 src->seqhi = 1; 4644 src->max_win = 1; 4645 } else if (pf_status.debug >= PF_DEBUG_MISC) { 4646 printf("pf: BAD state: "); 4647 pf_print_state(state); 4648* pf_print_flags(th->th_flags); 4649 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " --- 5 unchanged lines hidden (view full) --- 4655 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 4656 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 4657 ' ': '2', 4658 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 4659 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 4660 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 4661 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 4662 }
	4663 REASON_SET(reason, PFRES_BADSTATE);
4352 return (PF_DROP); 4353 } 4354	4664 return (PF_DROP); 4665 } 4666
4355 if (dst->scrub \|\| src->scrub) { 4356 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4357 src, dst, &copyback)) 4358 return (PF_DROP); 4359 } 4360
4361 /* Any packets which have gotten here are to be passed / 4362* 4363 /* translate source/destination address, if necessary / 4364* if (STATE_TRANSLATE(state)) { 4365* if (direction == PF_OUT) 4366 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 4367 &th->th_sum, &(state)->gwy.addr, 4368* (state)->gwy.port, 0, pd->af); --- 44 unchanged lines hidden* (view full) --- 4413 4414 /* update states / 4415* if (src->state < PFUDPS_SINGLE) 4416 src->state = PFUDPS_SINGLE; 4417 if (dst->state == PFUDPS_SINGLE) 4418 dst->state = PFUDPS_MULTIPLE; 4419 4420 /* update expire time */	4667 /* Any packets which have gotten here are to be passed / 4668* 4669 /* translate source/destination address, if necessary / 4670* if (STATE_TRANSLATE(state)) { 4671* if (direction == PF_OUT) 4672 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 4673 &th->th_sum, &(state)->gwy.addr, 4674* (state)->gwy.port, 0, pd->af); --- 44 unchanged lines hidden* (view full) --- 4719 4720 /* update states / 4721* if (src->state < PFUDPS_SINGLE) 4722 src->state = PFUDPS_SINGLE; 4723 if (dst->state == PFUDPS_SINGLE) 4724 dst->state = PFUDPS_MULTIPLE; 4725 4726 /* update expire time */
4421#ifdef __FreeBSD__
4422 (*state)->expire = time_second;	4727 (*state)->expire = time_second;
4423#else 4424 (state)->expire = time.tv_sec; 4425*#endif
4426 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 4427 (state)->timeout = PFTM_UDP_MULTIPLE; 4428* else 4429 (state)->timeout = PFTM_UDP_SINGLE; 4430* 4431 /* translate source/destination address, if necessary / 4432* if (STATE_TRANSLATE(state)) { 4433* if (direction == PF_OUT) --- 7 unchanged lines hidden (view full) --- 4441 m_copyback(m, off, sizeof(uh), (caddr_t)uh); 4442* } 4443 4444 return (PF_PASS); 4445} 4446 4447int 4448pf_test_state_icmp(struct pf_state *state, int direction, struct pfi_kif kif,	4728 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 4729 (state)->timeout = PFTM_UDP_MULTIPLE; 4730* else 4731 (state)->timeout = PFTM_UDP_SINGLE; 4732* 4733 /* translate source/destination address, if necessary / 4734* if (STATE_TRANSLATE(state)) { 4735* if (direction == PF_OUT) --- 7 unchanged lines hidden (view full) --- 4743 m_copyback(m, off, sizeof(uh), (caddr_t)uh); 4744* } 4745 4746 return (PF_PASS); 4747} 4748 4749int 4750pf_test_state_icmp(struct pf_state *state, int direction, struct pfi_kif kif,
4449 struct mbuf m, int off, void h, struct pf_pdesc *pd)	4751 struct mbuf m, int off, void h, struct pf_pdesc pd, u_short reason)
4450{ 4451 struct pf_addr saddr = pd->src, daddr = pd->dst; 4452 u_int16_t icmpid = 0; /* make the compiler happy / 4453* u_int16_t icmpsum = NULL; / make the compiler happy / 4454* u_int8_t icmptype = 0; /* make the compiler happy / 4455* int state_icmp = 0; 4456 4457 switch (pd->proto) { --- 45 unchanged lines hidden (view full) --- 4503 PF_ACPY(&key.lan.addr, pd->src, key.af); 4504 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4505 key.lan.port = icmpid; 4506 key.ext.port = icmpid; 4507 } 4508 4509 STATE_LOOKUP(); 4510	4752{ 4753 struct pf_addr saddr = pd->src, daddr = pd->dst; 4754 u_int16_t icmpid = 0; /* make the compiler happy / 4755* u_int16_t icmpsum = NULL; / make the compiler happy / 4756* u_int8_t icmptype = 0; /* make the compiler happy / 4757* int state_icmp = 0; 4758 4759 switch (pd->proto) { --- 45 unchanged lines hidden (view full) --- 4805 PF_ACPY(&key.lan.addr, pd->src, key.af); 4806 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4807 key.lan.port = icmpid; 4808 key.ext.port = icmpid; 4809 } 4810 4811 STATE_LOOKUP(); 4812
4511#ifdef __FreeBSD__
4512 (*state)->expire = time_second;	4813 (*state)->expire = time_second;
4513#else 4514 (state)->expire = time.tv_sec; 4515*#endif
4516 (state)->timeout = PFTM_ICMP_ERROR_REPLY; 4517* 4518 /* translate source/destination address, if necessary / 4519* if (PF_ANEQ(&(state)->lan.addr, &(state)->gwy.addr, pd->af)) { 4520 if (direction == PF_OUT) { 4521 switch (pd->af) { 4522#ifdef INET 4523 case AF_INET: --- 58 unchanged lines hidden (view full) --- 4582 pd2.af = pd->af; 4583 switch (pd->af) { 4584#ifdef INET 4585 case AF_INET: 4586 /* offset of h2 in mbuf chain / 4587* ipoff2 = off + ICMP_MINLEN; 4588 4589 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),	4814 (state)->timeout = PFTM_ICMP_ERROR_REPLY; 4815* 4816 /* translate source/destination address, if necessary / 4817* if (PF_ANEQ(&(state)->lan.addr, &(state)->gwy.addr, pd->af)) { 4818 if (direction == PF_OUT) { 4819 switch (pd->af) { 4820#ifdef INET 4821 case AF_INET: --- 58 unchanged lines hidden (view full) --- 4880 pd2.af = pd->af; 4881 switch (pd->af) { 4882#ifdef INET 4883 case AF_INET: 4884 /* offset of h2 in mbuf chain / 4885* ipoff2 = off + ICMP_MINLEN; 4886 4887 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
4590 NULL, NULL, pd2.af)) {	4888 NULL, reason, pd2.af)) {
4591 DPFPRINTF(PF_DEBUG_MISC, 4592 ("pf: ICMP error message too short " 4593 "(ip)\n")); 4594 return (PF_DROP); 4595 } 4596 /* 4597 * ICMP error messages don't refer to non-first 4598 * fragments 4599 */	4889 DPFPRINTF(PF_DEBUG_MISC, 4890 ("pf: ICMP error message too short " 4891 "(ip)\n")); 4892 return (PF_DROP); 4893 } 4894 /* 4895 * ICMP error messages don't refer to non-first 4896 * fragments 4897 */
4600 if (h2.ip_off & htons(IP_OFFMASK))	4898 if (h2.ip_off & htons(IP_OFFMASK)) { 4899 REASON_SET(reason, PFRES_FRAG);
4601 return (PF_DROP);	4900 return (PF_DROP);
	4901 }
4602 4603 /* offset of protocol header that follows h2 / 4604* off2 = ipoff2 + (h2.ip_hl << 2); 4605 4606 pd2.proto = h2.ip_p; 4607 pd2.src = (struct pf_addr )&h2.ip_src; 4608* pd2.dst = (struct pf_addr )&h2.ip_dst; 4609* pd2.ip_sum = &h2.ip_sum; 4610 break; 4611#endif /* INET / 4612#ifdef INET6 4613* case AF_INET6: 4614 ipoff2 = off + sizeof(struct icmp6_hdr); 4615 4616 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),	4902 4903 /* offset of protocol header that follows h2 / 4904* off2 = ipoff2 + (h2.ip_hl << 2); 4905 4906 pd2.proto = h2.ip_p; 4907 pd2.src = (struct pf_addr )&h2.ip_src; 4908* pd2.dst = (struct pf_addr )&h2.ip_dst; 4909* pd2.ip_sum = &h2.ip_sum; 4910 break; 4911#endif /* INET / 4912#ifdef INET6 4913* case AF_INET6: 4914 ipoff2 = off + sizeof(struct icmp6_hdr); 4915 4916 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
4617 NULL, NULL, pd2.af)) {	4917 NULL, reason, pd2.af)) {
4618 DPFPRINTF(PF_DEBUG_MISC, 4619 ("pf: ICMP error message too short " 4620 "(ip6)\n")); 4621 return (PF_DROP); 4622 } 4623 pd2.proto = h2_6.ip6_nxt; 4624 pd2.src = (struct pf_addr )&h2_6.ip6_src; 4625* pd2.dst = (struct pf_addr )&h2_6.ip6_dst; 4626* pd2.ip_sum = NULL; 4627 off2 = ipoff2 + sizeof(h2_6); 4628 do { 4629 switch (pd2.proto) { 4630 case IPPROTO_FRAGMENT: 4631 /* 4632 * ICMPv6 error messages for 4633 * non-first fragments 4634 */	4918 DPFPRINTF(PF_DEBUG_MISC, 4919 ("pf: ICMP error message too short " 4920 "(ip6)\n")); 4921 return (PF_DROP); 4922 } 4923 pd2.proto = h2_6.ip6_nxt; 4924 pd2.src = (struct pf_addr )&h2_6.ip6_src; 4925* pd2.dst = (struct pf_addr )&h2_6.ip6_dst; 4926* pd2.ip_sum = NULL; 4927 off2 = ipoff2 + sizeof(h2_6); 4928 do { 4929 switch (pd2.proto) { 4930 case IPPROTO_FRAGMENT: 4931 /* 4932 * ICMPv6 error messages for 4933 * non-first fragments 4934 */
	4935 REASON_SET(reason, PFRES_FRAG);
4635 return (PF_DROP); 4636 case IPPROTO_AH: 4637 case IPPROTO_HOPOPTS: 4638 case IPPROTO_ROUTING: 4639 case IPPROTO_DSTOPTS: { 4640 /* get next header and header length / 4641* struct ip6_ext opt6; 4642 4643 if (!pf_pull_hdr(m, off2, &opt6,	4936 return (PF_DROP); 4937 case IPPROTO_AH: 4938 case IPPROTO_HOPOPTS: 4939 case IPPROTO_ROUTING: 4940 case IPPROTO_DSTOPTS: { 4941 /* get next header and header length / 4942* struct ip6_ext opt6; 4943 4944 if (!pf_pull_hdr(m, off2, &opt6,
4644 sizeof(opt6), NULL, NULL, pd2.af)) {	4945 sizeof(opt6), NULL, reason, 4946 pd2.af)) {
4645 DPFPRINTF(PF_DEBUG_MISC, 4646 ("pf: ICMPv6 short opt\n")); 4647 return (PF_DROP); 4648 } 4649 if (pd2.proto == IPPROTO_AH) 4650 off2 += (opt6.ip6e_len + 2) * 4; 4651 else 4652 off2 += (opt6.ip6e_len + 1) * 8; --- 19 unchanged lines hidden (view full) --- 4672 u_int8_t dws; 4673 int copyback = 0; 4674 4675 /* 4676 * Only the first 8 bytes of the TCP header can be 4677 * expected. Don't access any TCP header fields after 4678 * th_seq, an ackskew test is not possible. 4679 */	4947 DPFPRINTF(PF_DEBUG_MISC, 4948 ("pf: ICMPv6 short opt\n")); 4949 return (PF_DROP); 4950 } 4951 if (pd2.proto == IPPROTO_AH) 4952 off2 += (opt6.ip6e_len + 2) * 4; 4953 else 4954 off2 += (opt6.ip6e_len + 1) * 8; --- 19 unchanged lines hidden (view full) --- 4974 u_int8_t dws; 4975 int copyback = 0; 4976 4977 /* 4978 * Only the first 8 bytes of the TCP header can be 4979 * expected. Don't access any TCP header fields after 4980 * th_seq, an ackskew test is not possible. 4981 */
4680 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) {	4982 if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason, 4983 pd2.af)) {
4681 DPFPRINTF(PF_DEBUG_MISC, 4682 ("pf: ICMP error message too short " 4683 "(tcp)\n")); 4684 return (PF_DROP); 4685 } 4686 4687 key.af = pd2.af; 4688 key.proto = IPPROTO_TCP; --- 40 unchanged lines hidden (view full) --- 4729 icmptype, pd->hdr.icmp->icmp_code); 4730 pf_print_host(pd->src, 0, pd->af); 4731 printf(" -> "); 4732 pf_print_host(pd->dst, 0, pd->af); 4733 printf(" state: "); 4734 pf_print_state(state); 4735* printf(" seq=%u\n", seq); 4736 }	4984 DPFPRINTF(PF_DEBUG_MISC, 4985 ("pf: ICMP error message too short " 4986 "(tcp)\n")); 4987 return (PF_DROP); 4988 } 4989 4990 key.af = pd2.af; 4991 key.proto = IPPROTO_TCP; --- 40 unchanged lines hidden (view full) --- 5032 icmptype, pd->hdr.icmp->icmp_code); 5033 pf_print_host(pd->src, 0, pd->af); 5034 printf(" -> "); 5035 pf_print_host(pd->dst, 0, pd->af); 5036 printf(" state: "); 5037 pf_print_state(state); 5038* printf(" seq=%u\n", seq); 5039 }
	5040 REASON_SET(reason, PFRES_BADSTATE);
4737 return (PF_DROP); 4738 } 4739 4740 if (STATE_TRANSLATE(state)) { 4741* if (direction == PF_IN) { 4742 pf_change_icmp(pd2.src, &th.th_sport, 4743 daddr, &(state)->lan.addr, 4744* (state)->lan.port, NULL, --- 35 unchanged lines hidden* (view full) --- 4780 return (PF_PASS); 4781 break; 4782 } 4783 case IPPROTO_UDP: { 4784 struct udphdr uh; 4785 struct pf_state key; 4786 4787 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),	5041 return (PF_DROP); 5042 } 5043 5044 if (STATE_TRANSLATE(state)) { 5045* if (direction == PF_IN) { 5046 pf_change_icmp(pd2.src, &th.th_sport, 5047 daddr, &(state)->lan.addr, 5048* (state)->lan.port, NULL, --- 35 unchanged lines hidden* (view full) --- 5084 return (PF_PASS); 5085 break; 5086 } 5087 case IPPROTO_UDP: { 5088 struct udphdr uh; 5089 struct pf_state key; 5090 5091 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
4788 NULL, NULL, pd2.af)) {	5092 NULL, reason, pd2.af)) {
4789 DPFPRINTF(PF_DEBUG_MISC, 4790 ("pf: ICMP error message too short " 4791 "(udp)\n")); 4792 return (PF_DROP); 4793 } 4794 4795 key.af = pd2.af; 4796 key.proto = IPPROTO_UDP; --- 52 unchanged lines hidden (view full) --- 4849 break; 4850 } 4851#ifdef INET 4852 case IPPROTO_ICMP: { 4853 struct icmp iih; 4854 struct pf_state key; 4855 4856 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,	5093 DPFPRINTF(PF_DEBUG_MISC, 5094 ("pf: ICMP error message too short " 5095 "(udp)\n")); 5096 return (PF_DROP); 5097 } 5098 5099 key.af = pd2.af; 5100 key.proto = IPPROTO_UDP; --- 52 unchanged lines hidden (view full) --- 5153 break; 5154 } 5155#ifdef INET 5156 case IPPROTO_ICMP: { 5157 struct icmp iih; 5158 struct pf_state key; 5159 5160 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
4857 NULL, NULL, pd2.af)) {	5161 NULL, reason, pd2.af)) {
4858 DPFPRINTF(PF_DEBUG_MISC, 4859 ("pf: ICMP error message too short i" 4860 "(icmp)\n")); 4861 return (PF_DROP); 4862 } 4863 4864 key.af = pd2.af; 4865 key.proto = IPPROTO_ICMP; --- 38 unchanged lines hidden (view full) --- 4904 } 4905#endif /* INET / 4906#ifdef INET6 4907* case IPPROTO_ICMPV6: { 4908 struct icmp6_hdr iih; 4909 struct pf_state key; 4910 4911 if (!pf_pull_hdr(m, off2, &iih,	5162 DPFPRINTF(PF_DEBUG_MISC, 5163 ("pf: ICMP error message too short i" 5164 "(icmp)\n")); 5165 return (PF_DROP); 5166 } 5167 5168 key.af = pd2.af; 5169 key.proto = IPPROTO_ICMP; --- 38 unchanged lines hidden (view full) --- 5208 } 5209#endif /* INET / 5210#ifdef INET6 5211* case IPPROTO_ICMPV6: { 5212 struct icmp6_hdr iih; 5213 struct pf_state key; 5214 5215 if (!pf_pull_hdr(m, off2, &iih,
4912 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) {	5216 sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
4913 DPFPRINTF(PF_DEBUG_MISC, 4914 ("pf: ICMP error message too short " 4915 "(icmp6)\n")); 4916 return (PF_DROP); 4917 } 4918 4919 key.af = pd2.af; 4920 key.proto = IPPROTO_ICMPV6; --- 131 unchanged lines hidden (view full) --- 5052 5053 /* update states / 5054* if (src->state < PFOTHERS_SINGLE) 5055 src->state = PFOTHERS_SINGLE; 5056 if (dst->state == PFOTHERS_SINGLE) 5057 dst->state = PFOTHERS_MULTIPLE; 5058 5059 /* update expire time */	5217 DPFPRINTF(PF_DEBUG_MISC, 5218 ("pf: ICMP error message too short " 5219 "(icmp6)\n")); 5220 return (PF_DROP); 5221 } 5222 5223 key.af = pd2.af; 5224 key.proto = IPPROTO_ICMPV6; --- 131 unchanged lines hidden (view full) --- 5356 5357 /* update states / 5358* if (src->state < PFOTHERS_SINGLE) 5359 src->state = PFOTHERS_SINGLE; 5360 if (dst->state == PFOTHERS_SINGLE) 5361 dst->state = PFOTHERS_MULTIPLE; 5362 5363 /* update expire time */
5060#ifdef __FreeBSD__
5061 (*state)->expire = time_second;	5364 (*state)->expire = time_second;
5062#else 5063 (state)->expire = time.tv_sec; 5064*#endif
5065 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 5066 (state)->timeout = PFTM_OTHER_MULTIPLE; 5067* else 5068 (state)->timeout = PFTM_OTHER_SINGLE; 5069* 5070 /* translate source/destination address, if necessary / 5071* if (STATE_TRANSLATE(state)) { 5072* if (direction == PF_OUT) --- 81 unchanged lines hidden (view full) --- 5154 m_copydata(m, off, len, p); 5155 return (p); 5156} 5157 5158int 5159pf_routable(struct pf_addr addr, sa_family_t af) 5160{ 5161* struct sockaddr_in *dst;	5365 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 5366 (state)->timeout = PFTM_OTHER_MULTIPLE; 5367* else 5368 (state)->timeout = PFTM_OTHER_SINGLE; 5369* 5370 /* translate source/destination address, if necessary / 5371* if (STATE_TRANSLATE(state)) { 5372* if (direction == PF_OUT) --- 81 unchanged lines hidden (view full) --- 5454 m_copydata(m, off, len, p); 5455 return (p); 5456} 5457 5458int 5459pf_routable(struct pf_addr addr, sa_family_t af) 5460{ 5461* struct sockaddr_in *dst;
	5462#ifdef INET6 5463 struct sockaddr_in6 dst6; 5464* struct route_in6 ro; 5465#else
5162 struct route ro;	5466 struct route ro;
5163 int ret = 0;	5467#endif
5164 5165 bzero(&ro, sizeof(ro));	5468 5469 bzero(&ro, sizeof(ro));
5166 dst = satosin(&ro.ro_dst); 5167 dst->sin_family = af; 5168 dst->sin_len = sizeof(dst); 5169* dst->sin_addr = addr->v4;	5470 switch (af) { 5471 case AF_INET: 5472 dst = satosin(&ro.ro_dst); 5473 dst->sin_family = AF_INET; 5474 dst->sin_len = sizeof(dst); 5475* dst->sin_addr = addr->v4; 5476 break; 5477#ifdef INET6 5478 case AF_INET6: 5479 dst6 = (struct sockaddr_in6 )&ro.ro_dst; 5480* dst6->sin6_family = AF_INET6; 5481 dst6->sin6_len = sizeof(dst6); 5482* dst6->sin6_addr = addr->v6; 5483 break; 5484#endif /* INET6 / 5485* default: 5486 return (0); 5487 } 5488
5170#ifdef __FreeBSD__ 5171#ifdef RTF_PRCLONING	5489#ifdef __FreeBSD__ 5490#ifdef RTF_PRCLONING
5172 rtalloc_ign(&ro, (RTF_CLONING\|RTF_PRCLONING));	5491 rtalloc_ign((struct route *)&ro, (RTF_CLONING \| RTF_PRCLONING));
5173#else /* !RTF_PRCLONING */	5492#else /* !RTF_PRCLONING */
5174 rtalloc_ign(&ro, RTF_CLONING);	5493 rtalloc_ign((struct route *)&ro, RTF_CLONING);
5175#endif 5176#else /* ! __FreeBSD__ */	5494#endif 5495#else /* ! __FreeBSD__ */
5177 rtalloc_noclone(&ro, NO_CLONING);	5496 rtalloc_noclone((struct route *)&ro, NO_CLONING);
5178#endif 5179 5180 if (ro.ro_rt != NULL) {	5497#endif 5498 5499 if (ro.ro_rt != NULL) {
5181 ret = 1;
5182 RTFREE(ro.ro_rt);	5500 RTFREE(ro.ro_rt);
	5501 return (1);
5183 } 5184	5502 } 5503
	5504 return (0); 5505} 5506 5507int 5508pf_rtlabel_match(struct pf_addr addr, sa_family_t af, struct pf_addr_wrap aw) 5509{ 5510 struct sockaddr_in dst; 5511#ifdef INET6 5512* struct sockaddr_in6 dst6; 5513* struct route_in6 ro; 5514#else 5515 struct route ro; 5516#endif 5517 int ret = 0; 5518 5519 bzero(&ro, sizeof(ro)); 5520 switch (af) { 5521 case AF_INET: 5522 dst = satosin(&ro.ro_dst); 5523 dst->sin_family = AF_INET; 5524 dst->sin_len = sizeof(dst); 5525* dst->sin_addr = addr->v4; 5526 break; 5527#ifdef INET6 5528 case AF_INET6: 5529 dst6 = (struct sockaddr_in6 )&ro.ro_dst; 5530* dst6->sin6_family = AF_INET6; 5531 dst6->sin6_len = sizeof(dst6); 5532* dst6->sin6_addr = addr->v6; 5533 break; 5534#endif /* INET6 / 5535* default: 5536 return (0); 5537 } 5538 5539#ifdef __FreeBSD__ 5540# ifdef RTF_PRCLONING 5541 rtalloc_ign((struct route )&ro, (RTF_CLONING\|RTF_PRCLONING)); 5542# else / !RTF_PRCLONING / 5543* rtalloc_ign((struct route )&ro, RTF_CLONING); 5544# endif 5545#else / ! __FreeBSD__ / 5546* rtalloc_noclone((struct route )&ro, NO_CLONING); 5547#endif 5548* 5549 if (ro.ro_rt != NULL) { 5550#ifdef __FreeBSD__ 5551 /* XXX_IMPORT: later / 5552#else 5553* if (ro.ro_rt->rt_labelid == aw->v.rtlabel) 5554 ret = 1; 5555#endif 5556 RTFREE(ro.ro_rt); 5557 } 5558
5185 return (ret); 5186} 5187 5188#ifdef INET 5189 5190void 5191pf_route(struct mbuf *m, struct pf_rule r, int dir, struct ifnet oifp, 5192* struct pf_state s) --- 36 unchanged lines hidden* (view full) --- 5229 5230 if (r->rt == PF_DUPTO) { 5231#ifdef __FreeBSD__ 5232 if ((m0 = m_dup(m, M_DONTWAIT)) == NULL) 5233#else 5234* if ((m0 = m_copym2(m, 0, M_COPYALL, M_NOWAIT)) == NULL) 5235#endif 5236* return;	5559 return (ret); 5560} 5561 5562#ifdef INET 5563 5564void 5565pf_route(struct mbuf *m, struct pf_rule r, int dir, struct ifnet oifp, 5566* struct pf_state s) --- 36 unchanged lines hidden* (view full) --- 5603 5604 if (r->rt == PF_DUPTO) { 5605#ifdef __FreeBSD__ 5606 if ((m0 = m_dup(m, M_DONTWAIT)) == NULL) 5607#else 5608* if ((m0 = m_copym2(m, 0, M_COPYALL, M_NOWAIT)) == NULL) 5609#endif 5610* return;
5237#ifdef __FreeBSD__ 5238 if ((mtag = m_tag_copy(mtag, M_DONTWAIT)) == NULL) 5239#else 5240 if ((mtag = m_tag_copy(mtag)) == NULL) 5241#endif 5242 goto bad; 5243 m_tag_prepend(m0, mtag);
5244 } else { 5245 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5246 return; 5247 m0 = m; 5248* } 5249	5611 } else { 5612 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5613 return; 5614 m0 = m; 5615* } 5616
5250 if (m0->m_len < sizeof(struct ip)) 5251 panic("pf_route: m0->m_len < sizeof(struct ip)");	5617 if (m0->m_len < sizeof(struct ip)) { 5618 DPFPRINTF(PF_DEBUG_URGENT, 5619 ("pf_route: m0->m_len < sizeof(struct ip)\n")); 5620 goto bad; 5621 } 5622
5252 ip = mtod(m0, struct ip ); 5253* 5254 ro = &iproute; 5255 bzero((caddr_t)ro, sizeof(ro)); 5256* dst = satosin(&ro->ro_dst); 5257 dst->sin_family = AF_INET; 5258 dst->sin_len = sizeof(dst); 5259* dst->sin_addr = ip->ip_dst; --- 6 unchanged lines hidden (view full) --- 5266 } 5267 5268 ifp = ro->ro_rt->rt_ifp; 5269 ro->ro_rt->rt_use++; 5270 5271 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 5272 dst = satosin(ro->ro_rt->rt_gateway); 5273 } else {	5623 ip = mtod(m0, struct ip ); 5624* 5625 ro = &iproute; 5626 bzero((caddr_t)ro, sizeof(ro)); 5627* dst = satosin(&ro->ro_dst); 5628 dst->sin_family = AF_INET; 5629 dst->sin_len = sizeof(dst); 5630* dst->sin_addr = ip->ip_dst; --- 6 unchanged lines hidden (view full) --- 5637 } 5638 5639 ifp = ro->ro_rt->rt_ifp; 5640 ro->ro_rt->rt_use++; 5641 5642 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 5643 dst = satosin(ro->ro_rt->rt_gateway); 5644 } else {
5274 if (TAILQ_EMPTY(&r->rpool.list)) 5275 panic("pf_route: TAILQ_EMPTY(&r->rpool.list)");	5645 if (TAILQ_EMPTY(&r->rpool.list)) { 5646 DPFPRINTF(PF_DEBUG_URGENT, 5647 ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n")); 5648 goto bad; 5649 }
5276 if (s == NULL) { 5277 pf_map_addr(AF_INET, r, (struct pf_addr )&ip->ip_src, 5278* &naddr, NULL, &sn); 5279 if (!PF_AZERO(&naddr, AF_INET)) 5280 dst->sin_addr.s_addr = naddr.v4.s_addr; 5281 ifp = r->rpool.cur->kif ? 5282 r->rpool.cur->kif->pfik_ifp : NULL; 5283 } else { --- 4 unchanged lines hidden (view full) --- 5288 } 5289 } 5290 if (ifp == NULL) 5291 goto bad; 5292 5293 if (oifp != ifp) { 5294#ifdef __FreeBSD__ 5295 PF_UNLOCK();	5650 if (s == NULL) { 5651 pf_map_addr(AF_INET, r, (struct pf_addr )&ip->ip_src, 5652* &naddr, NULL, &sn); 5653 if (!PF_AZERO(&naddr, AF_INET)) 5654 dst->sin_addr.s_addr = naddr.v4.s_addr; 5655 ifp = r->rpool.cur->kif ? 5656 r->rpool.cur->kif->pfik_ifp : NULL; 5657 } else { --- 4 unchanged lines hidden (view full) --- 5662 } 5663 } 5664 if (ifp == NULL) 5665 goto bad; 5666 5667 if (oifp != ifp) { 5668#ifdef __FreeBSD__ 5669 PF_UNLOCK();
5296 if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) {	5670 if (pf_test(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
5297 PF_LOCK(); 5298 goto bad; 5299 } else if (m0 == NULL) { 5300 PF_LOCK(); 5301 goto done; 5302 } 5303 PF_LOCK(); 5304#else	5671 PF_LOCK(); 5672 goto bad; 5673 } else if (m0 == NULL) { 5674 PF_LOCK(); 5675 goto done; 5676 } 5677 PF_LOCK(); 5678#else
5305 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS)	5679 if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS)
5306 goto bad; 5307 else if (m0 == NULL) 5308 goto done; 5309#endif	5680 goto bad; 5681 else if (m0 == NULL) 5682 goto done; 5683#endif
5310 if (m0->m_len < sizeof(struct ip)) 5311 panic("pf_route: m0->m_len < sizeof(struct ip)");	5684 if (m0->m_len < sizeof(struct ip)) { 5685 DPFPRINTF(PF_DEBUG_URGENT, 5686 ("pf_route: m0->m_len < sizeof(struct ip)\n")); 5687 goto bad; 5688 }
5312 ip = mtod(m0, struct ip ); 5313* } 5314 5315#ifdef __FreeBSD__ 5316 /* Copied from FreeBSD 5.1-CURRENT ip_output. / 5317* m0->m_pkthdr.csum_flags \|= CSUM_IP; 5318 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist; 5319 if (sw_csum & CSUM_DELAY_DATA) { --- 196 unchanged lines hidden (view full) --- 5516 5517 if (r->rt == PF_DUPTO) { 5518#ifdef __FreeBSD__ 5519 if ((m0 = m_dup(m, M_DONTWAIT)) == NULL) 5520#else 5521* if ((m0 = m_copym2(m, 0, M_COPYALL, M_NOWAIT)) == NULL) 5522#endif 5523* return;	5689 ip = mtod(m0, struct ip ); 5690* } 5691 5692#ifdef __FreeBSD__ 5693 /* Copied from FreeBSD 5.1-CURRENT ip_output. / 5694* m0->m_pkthdr.csum_flags \|= CSUM_IP; 5695 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist; 5696 if (sw_csum & CSUM_DELAY_DATA) { --- 196 unchanged lines hidden (view full) --- 5893 5894 if (r->rt == PF_DUPTO) { 5895#ifdef __FreeBSD__ 5896 if ((m0 = m_dup(m, M_DONTWAIT)) == NULL) 5897#else 5898* if ((m0 = m_copym2(m, 0, M_COPYALL, M_NOWAIT)) == NULL) 5899#endif 5900* return;
5524#ifdef __FreeBSD__ 5525 if ((mtag = m_tag_copy(mtag, M_DONTWAIT)) == NULL) 5526#else 5527 if ((mtag = m_tag_copy(mtag)) == NULL) 5528#endif 5529 goto bad; 5530 m_tag_prepend(m0, mtag);
5531 } else { 5532 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5533 return; 5534 m0 = m; 5535* } 5536	5901 } else { 5902 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5903 return; 5904 m0 = m; 5905* } 5906
5537 if (m0->m_len < sizeof(struct ip6_hdr)) 5538 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");	5907 if (m0->m_len < sizeof(struct ip6_hdr)) { 5908 DPFPRINTF(PF_DEBUG_URGENT, 5909 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); 5910 goto bad; 5911 }
5539 ip6 = mtod(m0, struct ip6_hdr ); 5540* 5541 ro = &ip6route; 5542 bzero((caddr_t)ro, sizeof(ro)); 5543* dst = (struct sockaddr_in6 )&ro->ro_dst; 5544* dst->sin6_family = AF_INET6; 5545 dst->sin6_len = sizeof(dst); 5546* dst->sin6_addr = ip6->ip6_dst; --- 10 unchanged lines hidden (view full) --- 5557 if (mtag == NULL) 5558 goto bad; 5559 m_tag_prepend(m0, mtag); 5560 ip6_output(m0, NULL, NULL, 0, NULL, NULL); 5561#endif 5562 return; 5563 } 5564	5912 ip6 = mtod(m0, struct ip6_hdr ); 5913* 5914 ro = &ip6route; 5915 bzero((caddr_t)ro, sizeof(ro)); 5916* dst = (struct sockaddr_in6 )&ro->ro_dst; 5917* dst->sin6_family = AF_INET6; 5918 dst->sin6_len = sizeof(dst); 5919* dst->sin6_addr = ip6->ip6_dst; --- 10 unchanged lines hidden (view full) --- 5930 if (mtag == NULL) 5931 goto bad; 5932 m_tag_prepend(m0, mtag); 5933 ip6_output(m0, NULL, NULL, 0, NULL, NULL); 5934#endif 5935 return; 5936 } 5937
5565 if (TAILQ_EMPTY(&r->rpool.list)) 5566 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)");	5938 if (TAILQ_EMPTY(&r->rpool.list)) { 5939 DPFPRINTF(PF_DEBUG_URGENT, 5940 ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n")); 5941 goto bad; 5942 }
5567 if (s == NULL) { 5568 pf_map_addr(AF_INET6, r, (struct pf_addr )&ip6->ip6_src, 5569* &naddr, NULL, &sn); 5570 if (!PF_AZERO(&naddr, AF_INET6)) 5571 PF_ACPY((struct pf_addr )&dst->sin6_addr, 5572* &naddr, AF_INET6); 5573 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; 5574 } else { 5575 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5576 PF_ACPY((struct pf_addr )&dst->sin6_addr, 5577* &s->rt_addr, AF_INET6); 5578 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 5579 } 5580 if (ifp == NULL) 5581 goto bad; 5582 5583 if (oifp != ifp) { 5584#ifdef __FreeBSD__ 5585 PF_UNLOCK();	5943 if (s == NULL) { 5944 pf_map_addr(AF_INET6, r, (struct pf_addr )&ip6->ip6_src, 5945* &naddr, NULL, &sn); 5946 if (!PF_AZERO(&naddr, AF_INET6)) 5947 PF_ACPY((struct pf_addr )&dst->sin6_addr, 5948* &naddr, AF_INET6); 5949 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; 5950 } else { 5951 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5952 PF_ACPY((struct pf_addr )&dst->sin6_addr, 5953* &s->rt_addr, AF_INET6); 5954 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 5955 } 5956 if (ifp == NULL) 5957 goto bad; 5958 5959 if (oifp != ifp) { 5960#ifdef __FreeBSD__ 5961 PF_UNLOCK();
5586 if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS) {	5962 if (pf_test6(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
5587 PF_LOCK(); 5588 goto bad; 5589 } else if (m0 == NULL) { 5590 PF_LOCK(); 5591 goto done; 5592 } 5593 PF_LOCK(); 5594#else	5963 PF_LOCK(); 5964 goto bad; 5965 } else if (m0 == NULL) { 5966 PF_LOCK(); 5967 goto done; 5968 } 5969 PF_LOCK(); 5970#else
5595 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS)	5971 if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS)
5596 goto bad; 5597 else if (m0 == NULL) 5598 goto done; 5599#endif	5972 goto bad; 5973 else if (m0 == NULL) 5974 goto done; 5975#endif
5600 if (m0->m_len < sizeof(struct ip6_hdr)) 5601 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");	5976 if (m0->m_len < sizeof(struct ip6_hdr)) { 5977 DPFPRINTF(PF_DEBUG_URGENT, 5978 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); 5979 goto bad; 5980 }
5602 ip6 = mtod(m0, struct ip6_hdr ); 5603* } 5604 5605 /* 5606 * If the packet is too large for the outgoing interface, 5607 * send back an icmp6 error. 5608 / 5609* if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) --- 193 unchanged lines hidden (view full) --- 5803 if (m->m_pkthdr.csum & flag_ok) 5804 return (0); 5805 if (m->m_pkthdr.csum & flag_bad) 5806 return (1); 5807 if (off < sizeof(struct ip) \|\| len < sizeof(struct udphdr)) 5808 return (1); 5809 if (m->m_pkthdr.len < off + len) 5810 return (1);	5981 ip6 = mtod(m0, struct ip6_hdr ); 5982* } 5983 5984 /* 5985 * If the packet is too large for the outgoing interface, 5986 * send back an icmp6 error. 5987 / 5988* if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) --- 193 unchanged lines hidden (view full) --- 6182 if (m->m_pkthdr.csum & flag_ok) 6183 return (0); 6184 if (m->m_pkthdr.csum & flag_bad) 6185 return (1); 6186 if (off < sizeof(struct ip) \|\| len < sizeof(struct udphdr)) 6187 return (1); 6188 if (m->m_pkthdr.len < off + len) 6189 return (1);
5811 switch (af) {	6190 switch (af) { 6191#ifdef INET
5812 case AF_INET: 5813 if (p == IPPROTO_ICMP) { 5814 if (m->m_len < off) 5815 return (1); 5816 m->m_data += off; 5817 m->m_len -= off; 5818 sum = in_cksum(m, len); 5819 m->m_data -= off; 5820 m->m_len += off; 5821 } else { 5822 if (m->m_len < sizeof(struct ip)) 5823 return (1); 5824 sum = in4_cksum(m, p, off, len); 5825 } 5826 break;	6192 case AF_INET: 6193 if (p == IPPROTO_ICMP) { 6194 if (m->m_len < off) 6195 return (1); 6196 m->m_data += off; 6197 m->m_len -= off; 6198 sum = in_cksum(m, len); 6199 m->m_data -= off; 6200 m->m_len += off; 6201 } else { 6202 if (m->m_len < sizeof(struct ip)) 6203 return (1); 6204 sum = in4_cksum(m, p, off, len); 6205 } 6206 break;
	6207#endif /* INET */
5827#ifdef INET6 5828 case AF_INET6: 5829 if (m->m_len < sizeof(struct ip6_hdr)) 5830 return (1); 5831 sum = in6_cksum(m, p, off, len); 5832 break; 5833#endif /* INET6 / 5834* default: --- 36 unchanged lines hidden (view full) --- 5871 return (1); 5872 m_tag_prepend(m, mtag); 5873 return (0); 5874} 5875 5876#ifdef INET 5877int 5878#ifdef __FreeBSD__	6208#ifdef INET6 6209 case AF_INET6: 6210 if (m->m_len < sizeof(struct ip6_hdr)) 6211 return (1); 6212 sum = in6_cksum(m, p, off, len); 6213 break; 6214#endif /* INET6 / 6215* default: --- 36 unchanged lines hidden (view full) --- 6252 return (1); 6253 m_tag_prepend(m, mtag); 6254 return (0); 6255} 6256 6257#ifdef INET 6258int 6259#ifdef __FreeBSD__
5879pf_test(int dir, struct ifnet ifp, struct mbuf m0, struct inpcb inp)	6260pf_test(int dir, struct ifnet ifp, struct mbuf m0, 6261* struct ether_header eh, struct inpcb inp)
5880#else	6262#else
5881pf_test(int dir, struct ifnet ifp, struct mbuf *m0)	6263pf_test(int dir, struct ifnet ifp, struct mbuf m0, 6264* struct ether_header *eh)
5882#endif 5883{ 5884 struct pfi_kif kif; 5885* u_short action, reason = 0, log = 0; 5886 struct mbuf m = m0; 5887 struct ip h = NULL; / make the compiler happy / 5888* struct pf_rule a = NULL, r = &pf_default_rule, tr, nr; 5889 struct pf_state s = NULL; --- 9 unchanged lines hidden* (view full) --- 5899 (m->m_flags & M_SKIP_FIREWALL)) { 5900 PF_UNLOCK(); 5901#else 5902 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) { 5903#endif 5904 return (PF_PASS); 5905 } 5906	6265#endif 6266{ 6267 struct pfi_kif kif; 6268* u_short action, reason = 0, log = 0; 6269 struct mbuf m = m0; 6270 struct ip h = NULL; / make the compiler happy / 6271* struct pf_rule a = NULL, r = &pf_default_rule, tr, nr; 6272 struct pf_state s = NULL; --- 9 unchanged lines hidden* (view full) --- 6282 (m->m_flags & M_SKIP_FIREWALL)) { 6283 PF_UNLOCK(); 6284#else 6285 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) { 6286#endif 6287 return (PF_PASS); 6288 } 6289
	6290#ifdef __FreeBSD__ 6291 /* XXX_IMPORT: later / 6292#else 6293* if (ifp->if_type == IFT_CARP && ifp->if_carpdev) 6294 ifp = ifp->if_carpdev; 6295#endif 6296
5907 kif = pfi_index2kif[ifp->if_index]; 5908 if (kif == NULL) { 5909#ifdef __FreeBSD__ 5910 PF_UNLOCK(); 5911#endif	6297 kif = pfi_index2kif[ifp->if_index]; 6298 if (kif == NULL) { 6299#ifdef __FreeBSD__ 6300 PF_UNLOCK(); 6301#endif
	6302 DPFPRINTF(PF_DEBUG_URGENT, 6303 ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
5912 return (PF_DROP); 5913 }	6304 return (PF_DROP); 6305 }
	6306 if (kif->pfik_flags & PFI_IFLAG_SKIP) { 6307#ifdef __FreeBSD__ 6308 PF_UNLOCK(); 6309#endif 6310 return (PF_PASS); 6311 }
5914 5915#ifdef __FreeBSD__ 5916 M_ASSERTPKTHDR(m); 5917#else 5918#ifdef DIAGNOSTIC 5919 if ((m->m_flags & M_PKTHDR) == 0) 5920 panic("non-M_PKTHDR is passed to pf_test");	6312 6313#ifdef __FreeBSD__ 6314 M_ASSERTPKTHDR(m); 6315#else 6316#ifdef DIAGNOSTIC 6317 if ((m->m_flags & M_PKTHDR) == 0) 6318 panic("non-M_PKTHDR is passed to pf_test");
5921#endif 5922#endif	6319#endif /* DIAGNOSTIC / 6320#endif / __FreeBSD__ */
5923 5924 memset(&pd, 0, sizeof(pd)); 5925 if (m->m_pkthdr.len < (int)sizeof(h)) { 5926* action = PF_DROP; 5927 REASON_SET(&reason, PFRES_SHORT); 5928 log = 1; 5929 goto done; 5930 } 5931 5932 /* We do IP header normalization and packet reassembly here */	6321 6322 memset(&pd, 0, sizeof(pd)); 6323 if (m->m_pkthdr.len < (int)sizeof(h)) { 6324* action = PF_DROP; 6325 REASON_SET(&reason, PFRES_SHORT); 6326 log = 1; 6327 goto done; 6328 } 6329 6330 /* We do IP header normalization and packet reassembly here */
5933 if (pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) {	6331 if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
5934 action = PF_DROP; 5935 goto done; 5936 } 5937 m = m0; 5938* h = mtod(m, struct ip ); 5939* 5940 off = h->ip_hl << 2; 5941 if (off < (int)sizeof(h)) { --- 6 unchanged lines hidden* (view full) --- 5948 pd.src = (struct pf_addr )&h->ip_src; 5949* pd.dst = (struct pf_addr )&h->ip_dst; 5950* PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET); 5951 pd.ip_sum = &h->ip_sum; 5952 pd.proto = h->ip_p; 5953 pd.af = AF_INET; 5954 pd.tos = h->ip_tos; 5955 pd.tot_len = ntohs(h->ip_len);	6332 action = PF_DROP; 6333 goto done; 6334 } 6335 m = m0; 6336* h = mtod(m, struct ip ); 6337* 6338 off = h->ip_hl << 2; 6339 if (off < (int)sizeof(h)) { --- 6 unchanged lines hidden* (view full) --- 6346 pd.src = (struct pf_addr )&h->ip_src; 6347* pd.dst = (struct pf_addr )&h->ip_dst; 6348* PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET); 6349 pd.ip_sum = &h->ip_sum; 6350 pd.proto = h->ip_p; 6351 pd.af = AF_INET; 6352 pd.tos = h->ip_tos; 6353 pd.tot_len = ntohs(h->ip_len);
	6354 pd.eh = eh;
5956 5957 /* handle fragments that didn't get reassembled by normalization / 5958* if (h->ip_off & htons(IP_MF \| IP_OFFMASK)) { 5959 action = pf_test_fragment(&r, dir, kif, m, h, 5960 &pd, &a, &ruleset); 5961 goto done; 5962 } 5963 --- 19 unchanged lines hidden (view full) --- 5983 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5984 if (action == PF_DROP) 5985 goto done; 5986 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5987 &reason); 5988 if (action == PF_PASS) { 5989#if NPFSYNC 5990 pfsync_update_state(s);	6355 6356 /* handle fragments that didn't get reassembled by normalization / 6357* if (h->ip_off & htons(IP_MF \| IP_OFFMASK)) { 6358 action = pf_test_fragment(&r, dir, kif, m, h, 6359 &pd, &a, &ruleset); 6360 goto done; 6361 } 6362 --- 19 unchanged lines hidden (view full) --- 6382 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 6383 if (action == PF_DROP) 6384 goto done; 6385 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 6386 &reason); 6387 if (action == PF_PASS) { 6388#if NPFSYNC 6389 pfsync_update_state(s);
5991#endif	6390#endif /* NPFSYNC */
5992 r = s->rule.ptr; 5993 a = s->anchor.ptr; 5994 log = s->log; 5995 } else if (s == NULL) 5996#ifdef __FreeBSD__ 5997 action = pf_test_tcp(&r, &s, dir, kif,	6391 r = s->rule.ptr; 6392 a = s->anchor.ptr; 6393 log = s->log; 6394 } else if (s == NULL) 6395#ifdef __FreeBSD__ 6396 action = pf_test_tcp(&r, &s, dir, kif,
5998 m, off, h, &pd, &a, &ruleset, inp);	6397 m, off, h, &pd, &a, &ruleset, NULL, inp);
5999#else 6000 action = pf_test_tcp(&r, &s, dir, kif,	6398#else 6399 action = pf_test_tcp(&r, &s, dir, kif,
6001 m, off, h, &pd, &a, &ruleset);	6400 m, off, h, &pd, &a, &ruleset, &ipintrq);
6002#endif 6003 break; 6004 } 6005 6006 case IPPROTO_UDP: { 6007 struct udphdr uh; 6008 6009 pd.hdr.udp = &uh; --- 12 unchanged lines hidden (view full) --- 6022 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 6023 action = PF_DROP; 6024 goto done; 6025 } 6026 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 6027 if (action == PF_PASS) { 6028#if NPFSYNC 6029 pfsync_update_state(s);	6401#endif 6402 break; 6403 } 6404 6405 case IPPROTO_UDP: { 6406 struct udphdr uh; 6407 6408 pd.hdr.udp = &uh; --- 12 unchanged lines hidden (view full) --- 6421 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 6422 action = PF_DROP; 6423 goto done; 6424 } 6425 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 6426 if (action == PF_PASS) { 6427#if NPFSYNC 6428 pfsync_update_state(s);
6030#endif	6429#endif /* NPFSYNC */
6031 r = s->rule.ptr; 6032 a = s->anchor.ptr; 6033 log = s->log; 6034 } else if (s == NULL) 6035#ifdef __FreeBSD__ 6036 action = pf_test_udp(&r, &s, dir, kif,	6430 r = s->rule.ptr; 6431 a = s->anchor.ptr; 6432 log = s->log; 6433 } else if (s == NULL) 6434#ifdef __FreeBSD__ 6435 action = pf_test_udp(&r, &s, dir, kif,
6037 m, off, h, &pd, &a, &ruleset, inp);	6436 m, off, h, &pd, &a, &ruleset, NULL, inp);
6038#else 6039 action = pf_test_udp(&r, &s, dir, kif,	6437#else 6438 action = pf_test_udp(&r, &s, dir, kif,
6040 m, off, h, &pd, &a, &ruleset);	6439 m, off, h, &pd, &a, &ruleset, &ipintrq);
6041#endif 6042 break; 6043 } 6044 6045 case IPPROTO_ICMP: { 6046 struct icmp ih; 6047 6048 pd.hdr.icmp = &ih; 6049 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 6050 &action, &reason, AF_INET)) { 6051 log = action != PF_PASS; 6052 goto done; 6053 } 6054 if (dir == PF_IN && pf_check_proto_cksum(m, off, 6055 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) { 6056 action = PF_DROP; 6057 goto done; 6058 }	6440#endif 6441 break; 6442 } 6443 6444 case IPPROTO_ICMP: { 6445 struct icmp ih; 6446 6447 pd.hdr.icmp = &ih; 6448 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 6449 &action, &reason, AF_INET)) { 6450 log = action != PF_PASS; 6451 goto done; 6452 } 6453 if (dir == PF_IN && pf_check_proto_cksum(m, off, 6454 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) { 6455 action = PF_DROP; 6456 goto done; 6457 }
6059 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd);	6458 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, 6459 &reason);
6060 if (action == PF_PASS) { 6061#if NPFSYNC 6062 pfsync_update_state(s);	6460 if (action == PF_PASS) { 6461#if NPFSYNC 6462 pfsync_update_state(s);
6063#endif	6463#endif /* NPFSYNC */
6064 r = s->rule.ptr; 6065 a = s->anchor.ptr; 6066 log = s->log; 6067 } else if (s == NULL)	6464 r = s->rule.ptr; 6465 a = s->anchor.ptr; 6466 log = s->log; 6467 } else if (s == NULL)
	6468#ifdef __FreeBSD__
6068 action = pf_test_icmp(&r, &s, dir, kif,	6469 action = pf_test_icmp(&r, &s, dir, kif,
6069 m, off, h, &pd, &a, &ruleset);	6470 m, off, h, &pd, &a, &ruleset, NULL); 6471#else 6472 action = pf_test_icmp(&r, &s, dir, kif, 6473 m, off, h, &pd, &a, &ruleset, &ipintrq); 6474#endif
6070 break; 6071 } 6072 6073 default: 6074 action = pf_test_state_other(&s, dir, kif, &pd); 6075 if (action == PF_PASS) { 6076#if NPFSYNC 6077 pfsync_update_state(s);	6475 break; 6476 } 6477 6478 default: 6479 action = pf_test_state_other(&s, dir, kif, &pd); 6480 if (action == PF_PASS) { 6481#if NPFSYNC 6482 pfsync_update_state(s);
6078#endif	6483#endif /* NPFSYNC */
6079 r = s->rule.ptr; 6080 a = s->anchor.ptr; 6081 log = s->log; 6082 } else if (s == NULL)	6484 r = s->rule.ptr; 6485 a = s->anchor.ptr; 6486 log = s->log; 6487 } else if (s == NULL)
	6488#ifdef __FreeBSD__
6083 action = pf_test_other(&r, &s, dir, kif, m, off, h,	6489 action = pf_test_other(&r, &s, dir, kif, m, off, h,
6084 &pd, &a, &ruleset);	6490 &pd, &a, &ruleset, NULL); 6491#else 6492 action = pf_test_other(&r, &s, dir, kif, m, off, h, 6493 &pd, &a, &ruleset, &ipintrq); 6494#endif
6085 break; 6086 } 6087 6088done: 6089 if (action == PF_PASS && h->ip_hl > 5 && 6090 !((s && s->allow_opts) \|\| r->allow_opts)) { 6091 action = PF_DROP;	6495 break; 6496 } 6497 6498done: 6499 if (action == PF_PASS && h->ip_hl > 5 && 6500 !((s && s->allow_opts) \|\| r->allow_opts)) { 6501 action = PF_DROP;
6092 REASON_SET(&reason, PFRES_SHORT);	6502 REASON_SET(&reason, PFRES_IPOPTIONS);
6093 log = 1; 6094 DPFPRINTF(PF_DEBUG_MISC, 6095 ("pf: dropping packet with ip options\n")); 6096 } 6097	6503 log = 1; 6504 DPFPRINTF(PF_DEBUG_MISC, 6505 ("pf: dropping packet with ip options\n")); 6506 } 6507
	6508 if (s && s->tag) 6509 pf_tag_packet(m, pf_get_tag(m), s->tag); 6510
6098#ifdef ALTQ 6099 if (action == PF_PASS && r->qid) { 6100 struct m_tag mtag; 6101* struct altq_tag atag; 6102* 6103 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(atag), M_NOWAIT); 6104* if (mtag != NULL) { 6105 atag = (struct altq_tag )(mtag + 1); 6106* if (pqid \|\| pd.tos == IPTOS_LOWDELAY) 6107 atag->qid = r->pqid; 6108 else 6109 atag->qid = r->qid; 6110 /* add hints for ecn / 6111* atag->af = AF_INET; 6112 atag->hdr = h; 6113 m_tag_prepend(m, mtag); 6114 } 6115 }	6511#ifdef ALTQ 6512 if (action == PF_PASS && r->qid) { 6513 struct m_tag mtag; 6514* struct altq_tag atag; 6515* 6516 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(atag), M_NOWAIT); 6517* if (mtag != NULL) { 6518 atag = (struct altq_tag )(mtag + 1); 6519* if (pqid \|\| pd.tos == IPTOS_LOWDELAY) 6520 atag->qid = r->pqid; 6521 else 6522 atag->qid = r->qid; 6523 /* add hints for ecn / 6524* atag->af = AF_INET; 6525 atag->hdr = h; 6526 m_tag_prepend(m, mtag); 6527 } 6528 }
6116#endif	6529#endif /* ALTQ */
6117 6118 /* 6119 * connections redirected to loopback should not match sockets 6120 * bound specifically to loopback due to security implications, 6121 * see tcp_input() and in_pcblookup_listen(). 6122 / 6123* if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP \|\| 6124 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && --- 58 unchanged lines hidden (view full) --- 6183 else 6184 pd.dst = x; 6185 } 6186 } 6187 if (tr->src.addr.type == PF_ADDR_TABLE) 6188 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL \|\| 6189 s->direction == dir) ? pd.src : pd.dst, pd.af, 6190 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,	6530 6531 /* 6532 * connections redirected to loopback should not match sockets 6533 * bound specifically to loopback due to security implications, 6534 * see tcp_input() and in_pcblookup_listen(). 6535 / 6536* if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP \|\| 6537 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && --- 58 unchanged lines hidden (view full) --- 6596 else 6597 pd.dst = x; 6598 } 6599 } 6600 if (tr->src.addr.type == PF_ADDR_TABLE) 6601 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL \|\| 6602 s->direction == dir) ? pd.src : pd.dst, pd.af, 6603 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6191 tr->src.not);	6604 tr->src.neg);
6192 if (tr->dst.addr.type == PF_ADDR_TABLE) 6193 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL \|\| 6194 s->direction == dir) ? pd.dst : pd.src, pd.af, 6195 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,	6605 if (tr->dst.addr.type == PF_ADDR_TABLE) 6606 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL \|\| 6607 s->direction == dir) ? pd.dst : pd.src, pd.af, 6608 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6196 tr->dst.not);	6609 tr->dst.neg);
6197 } 6198 6199 6200 if (action == PF_SYNPROXY_DROP) { 6201 m_freem(m0); 6202* m0 = NULL; 6203* action = PF_PASS; 6204 } else if (r->rt) --- 6 unchanged lines hidden (view full) --- 6211 6212 return (action); 6213} 6214#endif /* INET / 6215* 6216#ifdef INET6 6217int 6218#ifdef __FreeBSD__	6610 } 6611 6612 6613 if (action == PF_SYNPROXY_DROP) { 6614 m_freem(m0); 6615* m0 = NULL; 6616* action = PF_PASS; 6617 } else if (r->rt) --- 6 unchanged lines hidden (view full) --- 6624 6625 return (action); 6626} 6627#endif /* INET / 6628* 6629#ifdef INET6 6630int 6631#ifdef __FreeBSD__
6219pf_test6(int dir, struct ifnet ifp, struct mbuf m0, struct inpcb inp)	6632pf_test6(int dir, struct ifnet ifp, struct mbuf m0, 6633* struct ether_header eh, struct inpcb inp)
6220#else	6634#else
6221pf_test6(int dir, struct ifnet ifp, struct mbuf *m0)	6635pf_test6(int dir, struct ifnet ifp, struct mbuf m0, 6636* struct ether_header *eh)
6222#endif 6223{ 6224 struct pfi_kif kif; 6225* u_short action, reason = 0, log = 0; 6226 struct mbuf m = m0; 6227 struct ip6_hdr h = NULL; / make the compiler happy / 6228* struct pf_rule a = NULL, r = &pf_default_rule, tr, nr; 6229 struct pf_state s = NULL; --- 10 unchanged lines hidden* (view full) --- 6240 (m->m_flags & M_SKIP_FIREWALL)) { 6241 PF_UNLOCK(); 6242#else 6243 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) { 6244#endif 6245 return (PF_PASS); 6246 } 6247	6637#endif 6638{ 6639 struct pfi_kif kif; 6640* u_short action, reason = 0, log = 0; 6641 struct mbuf m = m0; 6642 struct ip6_hdr h = NULL; / make the compiler happy / 6643* struct pf_rule a = NULL, r = &pf_default_rule, tr, nr; 6644 struct pf_state s = NULL; --- 10 unchanged lines hidden* (view full) --- 6655 (m->m_flags & M_SKIP_FIREWALL)) { 6656 PF_UNLOCK(); 6657#else 6658 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) { 6659#endif 6660 return (PF_PASS); 6661 } 6662
	6663#ifdef __FreeBSD__ 6664 /* XXX_IMPORT: later / 6665#else 6666* if (ifp->if_type == IFT_CARP && ifp->if_carpdev) 6667 ifp = ifp->if_carpdev; 6668#endif 6669
6248 kif = pfi_index2kif[ifp->if_index]; 6249 if (kif == NULL) { 6250#ifdef __FreeBSD__ 6251 PF_UNLOCK(); 6252#endif	6670 kif = pfi_index2kif[ifp->if_index]; 6671 if (kif == NULL) { 6672#ifdef __FreeBSD__ 6673 PF_UNLOCK(); 6674#endif
	6675 DPFPRINTF(PF_DEBUG_URGENT, 6676 ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
6253 return (PF_DROP); 6254 }	6677 return (PF_DROP); 6678 }
	6679 if (kif->pfik_flags & PFI_IFLAG_SKIP) { 6680#ifdef __FreeBSD__ 6681 PF_UNLOCK(); 6682#endif 6683 return (PF_PASS); 6684 }
6255 6256#ifdef __FreeBSD__ 6257 M_ASSERTPKTHDR(m); 6258#else 6259#ifdef DIAGNOSTIC 6260 if ((m->m_flags & M_PKTHDR) == 0)	6685 6686#ifdef __FreeBSD__ 6687 M_ASSERTPKTHDR(m); 6688#else 6689#ifdef DIAGNOSTIC 6690 if ((m->m_flags & M_PKTHDR) == 0)
6261 panic("non-M_PKTHDR is passed to pf_test");	6691 panic("non-M_PKTHDR is passed to pf_test6"); 6692#endif /* DIAGNOSTIC */
6262#endif	6693#endif
6263#endif
6264 6265 memset(&pd, 0, sizeof(pd)); 6266 if (m->m_pkthdr.len < (int)sizeof(h)) { 6267* action = PF_DROP; 6268 REASON_SET(&reason, PFRES_SHORT); 6269 log = 1; 6270 goto done; 6271 } 6272 6273 /* We do IP header normalization and packet reassembly here */	6694 6695 memset(&pd, 0, sizeof(pd)); 6696 if (m->m_pkthdr.len < (int)sizeof(h)) { 6697* action = PF_DROP; 6698 REASON_SET(&reason, PFRES_SHORT); 6699 log = 1; 6700 goto done; 6701 } 6702 6703 /* We do IP header normalization and packet reassembly here */
6274 if (pf_normalize_ip6(m0, dir, kif, &reason) != PF_PASS) {	6704 if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
6275 action = PF_DROP; 6276 goto done; 6277 } 6278 m = m0; 6279* h = mtod(m, struct ip6_hdr ); 6280* 6281 pd.src = (struct pf_addr )&h->ip6_src; 6282* pd.dst = (struct pf_addr )&h->ip6_dst; 6283* PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6); 6284 pd.ip_sum = NULL; 6285 pd.af = AF_INET6; 6286 pd.tos = 0; 6287 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);	6705 action = PF_DROP; 6706 goto done; 6707 } 6708 m = m0; 6709* h = mtod(m, struct ip6_hdr ); 6710* 6711 pd.src = (struct pf_addr )&h->ip6_src; 6712* pd.dst = (struct pf_addr )&h->ip6_dst; 6713* PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6); 6714 pd.ip_sum = NULL; 6715 pd.af = AF_INET6; 6716 pd.tos = 0; 6717 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
	6718 pd.eh = eh;
6288 6289 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 6290 pd.proto = h->ip6_nxt; 6291 do { 6292 switch (pd.proto) { 6293 case IPPROTO_FRAGMENT: 6294 action = pf_test_fragment(&r, dir, kif, m, h, 6295 &pd, &a, &ruleset); 6296 if (action == PF_DROP) 6297 REASON_SET(&reason, PFRES_FRAG); 6298 goto done; 6299 case IPPROTO_AH: 6300 case IPPROTO_HOPOPTS: 6301 case IPPROTO_ROUTING: 6302 case IPPROTO_DSTOPTS: { 6303 /* get next header and header length / 6304* struct ip6_ext opt6; 6305 6306 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),	6719 6720 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 6721 pd.proto = h->ip6_nxt; 6722 do { 6723 switch (pd.proto) { 6724 case IPPROTO_FRAGMENT: 6725 action = pf_test_fragment(&r, dir, kif, m, h, 6726 &pd, &a, &ruleset); 6727 if (action == PF_DROP) 6728 REASON_SET(&reason, PFRES_FRAG); 6729 goto done; 6730 case IPPROTO_AH: 6731 case IPPROTO_HOPOPTS: 6732 case IPPROTO_ROUTING: 6733 case IPPROTO_DSTOPTS: { 6734 /* get next header and header length / 6735* struct ip6_ext opt6; 6736 6737 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
6307 NULL, NULL, pd.af)) {	6738 NULL, &reason, pd.af)) {
6308 DPFPRINTF(PF_DEBUG_MISC, 6309 ("pf: IPv6 short opt\n")); 6310 action = PF_DROP;	6739 DPFPRINTF(PF_DEBUG_MISC, 6740 ("pf: IPv6 short opt\n")); 6741 action = PF_DROP;
6311 REASON_SET(&reason, PFRES_SHORT);
6312 log = 1; 6313 goto done; 6314 } 6315 if (pd.proto == IPPROTO_AH) 6316 off += (opt6.ip6e_len + 2) * 4; 6317 else 6318 off += (opt6.ip6e_len + 1) * 8; 6319 pd.proto = opt6.ip6e_nxt; --- 16 unchanged lines hidden (view full) --- 6336 &action, &reason, AF_INET6)) { 6337 log = action != PF_PASS; 6338 goto done; 6339 } 6340 if (dir == PF_IN && pf_check_proto_cksum(m, off, 6341 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)), 6342 IPPROTO_TCP, AF_INET6)) { 6343 action = PF_DROP;	6742 log = 1; 6743 goto done; 6744 } 6745 if (pd.proto == IPPROTO_AH) 6746 off += (opt6.ip6e_len + 2) * 4; 6747 else 6748 off += (opt6.ip6e_len + 1) * 8; 6749 pd.proto = opt6.ip6e_nxt; --- 16 unchanged lines hidden (view full) --- 6766 &action, &reason, AF_INET6)) { 6767 log = action != PF_PASS; 6768 goto done; 6769 } 6770 if (dir == PF_IN && pf_check_proto_cksum(m, off, 6771 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)), 6772 IPPROTO_TCP, AF_INET6)) { 6773 action = PF_DROP;
	6774 REASON_SET(&reason, PFRES_PROTCKSUM);
6344 goto done; 6345 } 6346 pd.p_len = pd.tot_len - off - (th.th_off << 2); 6347 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 6348 if (action == PF_DROP) 6349 goto done; 6350 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 6351 &reason); 6352 if (action == PF_PASS) { 6353#if NPFSYNC 6354 pfsync_update_state(s);	6775 goto done; 6776 } 6777 pd.p_len = pd.tot_len - off - (th.th_off << 2); 6778 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 6779 if (action == PF_DROP) 6780 goto done; 6781 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 6782 &reason); 6783 if (action == PF_PASS) { 6784#if NPFSYNC 6785 pfsync_update_state(s);
6355#endif	6786#endif /* NPFSYNC */
6356 r = s->rule.ptr; 6357 a = s->anchor.ptr; 6358 log = s->log; 6359 } else if (s == NULL) 6360#ifdef __FreeBSD__ 6361 action = pf_test_tcp(&r, &s, dir, kif,	6787 r = s->rule.ptr; 6788 a = s->anchor.ptr; 6789 log = s->log; 6790 } else if (s == NULL) 6791#ifdef __FreeBSD__ 6792 action = pf_test_tcp(&r, &s, dir, kif,
6362 m, off, h, &pd, &a, &ruleset, inp);	6793 m, off, h, &pd, &a, &ruleset, NULL, inp);
6363#else 6364 action = pf_test_tcp(&r, &s, dir, kif,	6794#else 6795 action = pf_test_tcp(&r, &s, dir, kif,
6365 m, off, h, &pd, &a, &ruleset);	6796 m, off, h, &pd, &a, &ruleset, &ip6intrq);
6366#endif 6367 break; 6368 } 6369 6370 case IPPROTO_UDP: { 6371 struct udphdr uh; 6372 6373 pd.hdr.udp = &uh; 6374 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 6375 &action, &reason, AF_INET6)) { 6376 log = action != PF_PASS; 6377 goto done; 6378 } 6379 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 6380 off, ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)), 6381 IPPROTO_UDP, AF_INET6)) { 6382 action = PF_DROP;	6797#endif 6798 break; 6799 } 6800 6801 case IPPROTO_UDP: { 6802 struct udphdr uh; 6803 6804 pd.hdr.udp = &uh; 6805 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 6806 &action, &reason, AF_INET6)) { 6807 log = action != PF_PASS; 6808 goto done; 6809 } 6810 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 6811 off, ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)), 6812 IPPROTO_UDP, AF_INET6)) { 6813 action = PF_DROP;
	6814 REASON_SET(&reason, PFRES_PROTCKSUM);
6383 goto done; 6384 } 6385 if (uh.uh_dport == 0 \|\| 6386 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off \|\| 6387 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 6388 action = PF_DROP; 6389 goto done; 6390 } 6391 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 6392 if (action == PF_PASS) { 6393#if NPFSYNC 6394 pfsync_update_state(s);	6815 goto done; 6816 } 6817 if (uh.uh_dport == 0 \|\| 6818 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off \|\| 6819 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 6820 action = PF_DROP; 6821 goto done; 6822 } 6823 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 6824 if (action == PF_PASS) { 6825#if NPFSYNC 6826 pfsync_update_state(s);
6395#endif	6827#endif /* NPFSYNC */
6396 r = s->rule.ptr; 6397 a = s->anchor.ptr; 6398 log = s->log; 6399 } else if (s == NULL) 6400#ifdef __FreeBSD__ 6401 action = pf_test_udp(&r, &s, dir, kif,	6828 r = s->rule.ptr; 6829 a = s->anchor.ptr; 6830 log = s->log; 6831 } else if (s == NULL) 6832#ifdef __FreeBSD__ 6833 action = pf_test_udp(&r, &s, dir, kif,
6402 m, off, h, &pd, &a, &ruleset, inp);	6834 m, off, h, &pd, &a, &ruleset, NULL, inp);
6403#else 6404 action = pf_test_udp(&r, &s, dir, kif,	6835#else 6836 action = pf_test_udp(&r, &s, dir, kif,
6405 m, off, h, &pd, &a, &ruleset);	6837 m, off, h, &pd, &a, &ruleset, &ip6intrq);
6406#endif 6407 break; 6408 } 6409 6410 case IPPROTO_ICMPV6: { 6411 struct icmp6_hdr ih; 6412 6413 pd.hdr.icmp6 = &ih; 6414 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 6415 &action, &reason, AF_INET6)) { 6416 log = action != PF_PASS; 6417 goto done; 6418 } 6419 if (dir == PF_IN && pf_check_proto_cksum(m, off,	6838#endif 6839 break; 6840 } 6841 6842 case IPPROTO_ICMPV6: { 6843 struct icmp6_hdr ih; 6844 6845 pd.hdr.icmp6 = &ih; 6846 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 6847 &action, &reason, AF_INET6)) { 6848 log = action != PF_PASS; 6849 goto done; 6850 } 6851 if (dir == PF_IN && pf_check_proto_cksum(m, off,
6420 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),	6852 ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
6421 IPPROTO_ICMPV6, AF_INET6)) { 6422 action = PF_DROP;	6853 IPPROTO_ICMPV6, AF_INET6)) { 6854 action = PF_DROP;
	6855 REASON_SET(&reason, PFRES_PROTCKSUM);
6423 goto done; 6424 } 6425 action = pf_test_state_icmp(&s, dir, kif,	6856 goto done; 6857 } 6858 action = pf_test_state_icmp(&s, dir, kif,
6426 m, off, h, &pd);	6859 m, off, h, &pd, &reason);
6427 if (action == PF_PASS) { 6428#if NPFSYNC 6429 pfsync_update_state(s);	6860 if (action == PF_PASS) { 6861#if NPFSYNC 6862 pfsync_update_state(s);
6430#endif	6863#endif /* NPFSYNC */
6431 r = s->rule.ptr; 6432 a = s->anchor.ptr; 6433 log = s->log; 6434 } else if (s == NULL)	6864 r = s->rule.ptr; 6865 a = s->anchor.ptr; 6866 log = s->log; 6867 } else if (s == NULL)
	6868#ifdef __FreeBSD__
6435 action = pf_test_icmp(&r, &s, dir, kif,	6869 action = pf_test_icmp(&r, &s, dir, kif,
6436 m, off, h, &pd, &a, &ruleset);	6870 m, off, h, &pd, &a, &ruleset, NULL); 6871#else 6872 action = pf_test_icmp(&r, &s, dir, kif, 6873 m, off, h, &pd, &a, &ruleset, &ip6intrq); 6874#endif
6437 break; 6438 } 6439 6440 default: 6441 action = pf_test_state_other(&s, dir, kif, &pd); 6442 if (action == PF_PASS) {	6875 break; 6876 } 6877 6878 default: 6879 action = pf_test_state_other(&s, dir, kif, &pd); 6880 if (action == PF_PASS) {
	6881#if NPFSYNC 6882 pfsync_update_state(s); 6883#endif /* NPFSYNC */
6443 r = s->rule.ptr; 6444 a = s->anchor.ptr; 6445 log = s->log; 6446 } else if (s == NULL)	6884 r = s->rule.ptr; 6885 a = s->anchor.ptr; 6886 log = s->log; 6887 } else if (s == NULL)
	6888#ifdef __FreeBSD__
6447 action = pf_test_other(&r, &s, dir, kif, m, off, h,	6889 action = pf_test_other(&r, &s, dir, kif, m, off, h,
6448 &pd, &a, &ruleset);	6890 &pd, &a, &ruleset, NULL); 6891#else 6892 action = pf_test_other(&r, &s, dir, kif, m, off, h, 6893 &pd, &a, &ruleset, &ip6intrq); 6894#endif
6449 break; 6450 } 6451 6452done: 6453 /* XXX handle IPv6 options, if not allowed. not implemented. / 6454*	6895 break; 6896 } 6897 6898done: 6899 /* XXX handle IPv6 options, if not allowed. not implemented. / 6900*
	6901 if (s && s->tag) 6902 pf_tag_packet(m, pf_get_tag(m), s->tag); 6903
6455#ifdef ALTQ 6456 if (action == PF_PASS && r->qid) { 6457 struct m_tag mtag; 6458* struct altq_tag atag; 6459* 6460 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(atag), M_NOWAIT); 6461* if (mtag != NULL) { 6462 atag = (struct altq_tag )(mtag + 1); 6463* if (pd.tos == IPTOS_LOWDELAY) 6464 atag->qid = r->pqid; 6465 else 6466 atag->qid = r->qid; 6467 /* add hints for ecn / 6468* atag->af = AF_INET6; 6469 atag->hdr = h; 6470 m_tag_prepend(m, mtag); 6471 } 6472 }	6904#ifdef ALTQ 6905 if (action == PF_PASS && r->qid) { 6906 struct m_tag mtag; 6907* struct altq_tag atag; 6908* 6909 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(atag), M_NOWAIT); 6910* if (mtag != NULL) { 6911 atag = (struct altq_tag )(mtag + 1); 6912* if (pd.tos == IPTOS_LOWDELAY) 6913 atag->qid = r->pqid; 6914 else 6915 atag->qid = r->qid; 6916 /* add hints for ecn / 6917* atag->af = AF_INET6; 6918 atag->hdr = h; 6919 m_tag_prepend(m, mtag); 6920 } 6921 }
6473#endif	6922#endif /* ALTQ */
6474 6475 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP \|\| 6476 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 6477 (s->nat_rule.ptr->action == PF_RDR \|\| 6478 s->nat_rule.ptr->action == PF_BINAT) && 6479 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6) && 6480 pf_add_mbuf_tag(m, PACKET_TAG_PF_TRANSLATE_LOCALHOST)) { 6481 action = PF_DROP; --- 53 unchanged lines hidden (view full) --- 6535 else 6536 pd.dst = x; 6537 } 6538 } 6539 if (tr->src.addr.type == PF_ADDR_TABLE) 6540 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL \|\| 6541 s->direction == dir) ? pd.src : pd.dst, pd.af, 6542 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,	6923 6924 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP \|\| 6925 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 6926 (s->nat_rule.ptr->action == PF_RDR \|\| 6927 s->nat_rule.ptr->action == PF_BINAT) && 6928 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6) && 6929 pf_add_mbuf_tag(m, PACKET_TAG_PF_TRANSLATE_LOCALHOST)) { 6930 action = PF_DROP; --- 53 unchanged lines hidden (view full) --- 6984 else 6985 pd.dst = x; 6986 } 6987 } 6988 if (tr->src.addr.type == PF_ADDR_TABLE) 6989 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL \|\| 6990 s->direction == dir) ? pd.src : pd.dst, pd.af, 6991 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6543 tr->src.not);	6992 tr->src.neg);
6544 if (tr->dst.addr.type == PF_ADDR_TABLE) 6545 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL \|\| 6546 s->direction == dir) ? pd.dst : pd.src, pd.af, 6547 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,	6993 if (tr->dst.addr.type == PF_ADDR_TABLE) 6994 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL \|\| 6995 s->direction == dir) ? pd.dst : pd.src, pd.af, 6996 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6548 tr->dst.not);	6997 tr->dst.neg);
6549 } 6550 6551 6552 if (action == PF_SYNPROXY_DROP) { 6553 m_freem(m0); 6554* m0 = NULL; 6555* action = PF_PASS; 6556 } else if (r->rt) 6557 /* pf_route6 can free the mbuf causing m0 to become NULL / 6558 pf_route6(m0, r, dir, ifp, s); 6559 6560#ifdef __FreeBSD__ 6561 PF_UNLOCK(); 6562#endif 6563 return (action); 6564} 6565#endif /* INET6 */	6998 } 6999 7000 7001 if (action == PF_SYNPROXY_DROP) { 7002 m_freem(m0); 7003* m0 = NULL; 7004* action = PF_PASS; 7005 } else if (r->rt) 7006 /* pf_route6 can free the mbuf causing m0 to become NULL / 7007 pf_route6(m0, r, dir, ifp, s); 7008 7009#ifdef __FreeBSD__ 7010 PF_UNLOCK(); 7011#endif 7012 return (action); 7013} 7014#endif /* INET6 */
	7015 7016int 7017pf_check_congestion(struct ifqueue ifq) 7018{ 7019#ifdef __FreeBSD__ 7020* /* XXX_IMPORT: later / 7021* return (0); 7022#else 7023 if (ifq->ifq_congestion) 7024 return (1); 7025 else 7026 return (0); 7027#endif 7028}