| pf.c (293893) | pf.c (286014) |
|---|---|
| 1/*- 2 * Copyright (c) 2001 Daniel Hartmeier 3 * Copyright (c) 2002 - 2008 Henning Brauer 4 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 22 unchanged lines hidden (view full) --- 31 * Effort sponsored in part by the Defense Advanced Research Projects 32 * Agency (DARPA) and Air Force Research Laboratory, Air Force 33 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 34 * 35 * $OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $ 36 */ 37 38#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 2001 Daniel Hartmeier 3 * Copyright (c) 2002 - 2008 Henning Brauer 4 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 22 unchanged lines hidden (view full) --- 31 * Effort sponsored in part by the Defense Advanced Research Projects 32 * Agency (DARPA) and Air Force Research Laboratory, Air Force 33 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 34 * 35 * $OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $ 36 */ 37 38#include <sys/cdefs.h> |
| 39__FBSDID("$FreeBSD: releng/10.2/sys/netpfil/pf/pf.c 293893 2016-01-14 09:10:46Z glebius $"); | 39__FBSDID("$FreeBSD: releng/10.2/sys/netpfil/pf/pf.c 286014 2015-07-29 14:16:25Z glebius $"); |
| 40 41#include "opt_inet.h" 42#include "opt_inet6.h" 43#include "opt_bpf.h" 44#include "opt_pf.h" 45 46#include <sys/param.h> 47#include <sys/bus.h> --- 150 unchanged lines hidden (view full) --- 198CTASSERT((1 << PFID_CPUBITS) >= MAXCPU); 199 200static void pf_src_tree_remove_state(struct pf_state *); 201static void pf_init_threshold(struct pf_threshold *, u_int32_t, 202 u_int32_t); 203static void pf_add_threshold(struct pf_threshold *); 204static int pf_check_threshold(struct pf_threshold *); 205 | 40 41#include "opt_inet.h" 42#include "opt_inet6.h" 43#include "opt_bpf.h" 44#include "opt_pf.h" 45 46#include <sys/param.h> 47#include <sys/bus.h> --- 150 unchanged lines hidden (view full) --- 198CTASSERT((1 << PFID_CPUBITS) >= MAXCPU); 199 200static void pf_src_tree_remove_state(struct pf_state *); 201static void pf_init_threshold(struct pf_threshold *, u_int32_t, 202 u_int32_t); 203static void pf_add_threshold(struct pf_threshold *); 204static int pf_check_threshold(struct pf_threshold *); 205 |
| 206static void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *, | 206static void pf_change_ap(struct pf_addr *, u_int16_t *, |
| 207 u_int16_t *, u_int16_t *, struct pf_addr *, 208 u_int16_t, u_int8_t, sa_family_t); 209static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *, 210 struct tcphdr *, struct pf_state_peer *); 211static void pf_change_icmp(struct pf_addr *, u_int16_t *, 212 struct pf_addr *, struct pf_addr *, u_int16_t, 213 u_int16_t *, u_int16_t *, u_int16_t *, 214 u_int16_t *, u_int8_t, sa_family_t); --- 1769 unchanged lines hidden (view full) --- 1984 case PF_ADDR_TABLE: 1985 return (aw1->p.tbl != aw2->p.tbl); 1986 default: 1987 printf("invalid address type: %d\n", aw1->type); 1988 return (1); 1989 } 1990} 1991 | 207 u_int16_t *, u_int16_t *, struct pf_addr *, 208 u_int16_t, u_int8_t, sa_family_t); 209static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *, 210 struct tcphdr *, struct pf_state_peer *); 211static void pf_change_icmp(struct pf_addr *, u_int16_t *, 212 struct pf_addr *, struct pf_addr *, u_int16_t, 213 u_int16_t *, u_int16_t *, u_int16_t *, 214 u_int16_t *, u_int8_t, sa_family_t); --- 1769 unchanged lines hidden (view full) --- 1984 case PF_ADDR_TABLE: 1985 return (aw1->p.tbl != aw2->p.tbl); 1986 default: 1987 printf("invalid address type: %d\n", aw1->type); 1988 return (1); 1989 } 1990} 1991 |
| 1992/** 1993 * Checksum updates are a little complicated because the checksum in the TCP/UDP 1994 * header isn't always a full checksum. In some cases (i.e. output) it's a 1995 * pseudo-header checksum, which is a partial checksum over src/dst IP 1996 * addresses, protocol number and length. 1997 * 1998 * That means we have the following cases: 1999 * * Input or forwarding: we don't have TSO, the checksum fields are full 2000 * checksums, we need to update the checksum whenever we change anything. 2001 * * Output (i.e. the checksum is a pseudo-header checksum): 2002 * x The field being updated is src/dst address or affects the length of 2003 * the packet. We need to update the pseudo-header checksum (note that this 2004 * checksum is not ones' complement). 2005 * x Some other field is being modified (e.g. src/dst port numbers): We 2006 * don't have to update anything. 2007 **/ | |
| 2008u_int16_t 2009pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 2010{ 2011 u_int32_t l; 2012 2013 if (udp && !cksum) 2014 return (0x0000); 2015 l = cksum + old - new; 2016 l = (l >> 16) + (l & 65535); 2017 l = l & 65535; 2018 if (udp && !l) 2019 return (0xFFFF); 2020 return (l); 2021} 2022 | 1992u_int16_t 1993pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1994{ 1995 u_int32_t l; 1996 1997 if (udp && !cksum) 1998 return (0x0000); 1999 l = cksum + old - new; 2000 l = (l >> 16) + (l & 65535); 2001 l = l & 65535; 2002 if (udp && !l) 2003 return (0xFFFF); 2004 return (l); 2005} 2006 |
| 2023u_int16_t 2024pf_proto_cksum_fixup(struct mbuf *m, u_int16_t cksum, u_int16_t old, 2025 u_int16_t new, u_int8_t udp) 2026{ 2027 if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6)) 2028 return (cksum); 2029 2030 return (pf_cksum_fixup(cksum, old, new, udp)); 2031} 2032 | |
| 2033static void | 2007static void |
| 2034pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic, 2035 u_int16_t *pc, struct pf_addr *an, u_int16_t pn, u_int8_t u, 2036 sa_family_t af) | 2008pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 2009 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) |
| 2037{ 2038 struct pf_addr ao; 2039 u_int16_t po = *p; 2040 2041 PF_ACPY(&ao, a, af); 2042 PF_ACPY(a, an, af); 2043 | 2010{ 2011 struct pf_addr ao; 2012 u_int16_t po = *p; 2013 2014 PF_ACPY(&ao, a, af); 2015 PF_ACPY(a, an, af); 2016 |
| 2044 if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6)) 2045 *pc = ~*pc; 2046 | |
| 2047 *p = pn; 2048 2049 switch (af) { 2050#ifdef INET 2051 case AF_INET: 2052 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 2053 ao.addr16[0], an->addr16[0], 0), 2054 ao.addr16[1], an->addr16[1], 0); 2055 *p = pn; | 2017 *p = pn; 2018 2019 switch (af) { 2020#ifdef INET 2021 case AF_INET: 2022 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 2023 ao.addr16[0], an->addr16[0], 0), 2024 ao.addr16[1], an->addr16[1], 0); 2025 *p = pn; |
| 2056 2057 *pc = pf_cksum_fixup(pf_cksum_fixup(*pc, | 2026 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, |
| 2058 ao.addr16[0], an->addr16[0], u), | 2027 ao.addr16[0], an->addr16[0], u), |
| 2059 ao.addr16[1], an->addr16[1], u); 2060 2061 *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u); | 2028 ao.addr16[1], an->addr16[1], u), 2029 po, pn, u); |
| 2062 break; 2063#endif /* INET */ 2064#ifdef INET6 2065 case AF_INET6: 2066 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 2067 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( | 2030 break; 2031#endif /* INET */ 2032#ifdef INET6 2033 case AF_INET6: 2034 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 2035 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( |
| 2068 pf_cksum_fixup(pf_cksum_fixup(*pc, | 2036 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, |
| 2069 ao.addr16[0], an->addr16[0], u), 2070 ao.addr16[1], an->addr16[1], u), 2071 ao.addr16[2], an->addr16[2], u), 2072 ao.addr16[3], an->addr16[3], u), 2073 ao.addr16[4], an->addr16[4], u), 2074 ao.addr16[5], an->addr16[5], u), 2075 ao.addr16[6], an->addr16[6], u), | 2037 ao.addr16[0], an->addr16[0], u), 2038 ao.addr16[1], an->addr16[1], u), 2039 ao.addr16[2], an->addr16[2], u), 2040 ao.addr16[3], an->addr16[3], u), 2041 ao.addr16[4], an->addr16[4], u), 2042 ao.addr16[5], an->addr16[5], u), 2043 ao.addr16[6], an->addr16[6], u), |
| 2076 ao.addr16[7], an->addr16[7], u); 2077 2078 *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u); | 2044 ao.addr16[7], an->addr16[7], u), 2045 po, pn, u); |
| 2079 break; 2080#endif /* INET6 */ 2081 } | 2046 break; 2047#endif /* INET6 */ 2048 } |
| 2082 2083 if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | 2084 CSUM_DELAY_DATA_IPV6)) { 2085 *pc = ~*pc; 2086 if (! *pc) 2087 *pc = 0xffff; 2088 } | |
| 2089} 2090 | 2049} 2050 |
| 2051 |
|
| 2091/* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 2092void 2093pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 2094{ 2095 u_int32_t ao; 2096 2097 memcpy(&ao, a, sizeof(ao)); 2098 memcpy(a, &an, sizeof(u_int32_t)); 2099 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 2100 ao % 65536, an % 65536, u); 2101} 2102 | 2052/* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 2053void 2054pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 2055{ 2056 u_int32_t ao; 2057 2058 memcpy(&ao, a, sizeof(ao)); 2059 memcpy(a, &an, sizeof(u_int32_t)); 2060 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 2061 ao % 65536, an % 65536, u); 2062} 2063 |
| 2103void 2104pf_change_proto_a(struct mbuf *m, void *a, u_int16_t *c, u_int32_t an, u_int8_t udp) 2105{ 2106 u_int32_t ao; 2107 2108 memcpy(&ao, a, sizeof(ao)); 2109 memcpy(a, &an, sizeof(u_int32_t)); 2110 2111 *c = pf_proto_cksum_fixup(m, 2112 pf_proto_cksum_fixup(m, *c, ao / 65536, an / 65536, udp), 2113 ao % 65536, an % 65536, udp); 2114} 2115 | |
| 2116#ifdef INET6 2117static void 2118pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 2119{ 2120 struct pf_addr ao; 2121 2122 PF_ACPY(&ao, a, AF_INET6); 2123 PF_ACPY(a, an, AF_INET6); --- 129 unchanged lines hidden (view full) --- 2253 break; 2254 case TCPOPT_SACK: 2255 if (olen > hlen) 2256 olen = hlen; 2257 if (olen >= TCPOLEN_SACKLEN) { 2258 for (i = 2; i + TCPOLEN_SACK <= olen; 2259 i += TCPOLEN_SACK) { 2260 memcpy(&sack, &opt[i], sizeof(sack)); | 2064#ifdef INET6 2065static void 2066pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 2067{ 2068 struct pf_addr ao; 2069 2070 PF_ACPY(&ao, a, AF_INET6); 2071 PF_ACPY(a, an, AF_INET6); --- 129 unchanged lines hidden (view full) --- 2201 break; 2202 case TCPOPT_SACK: 2203 if (olen > hlen) 2204 olen = hlen; 2205 if (olen >= TCPOLEN_SACKLEN) { 2206 for (i = 2; i + TCPOLEN_SACK <= olen; 2207 i += TCPOLEN_SACK) { 2208 memcpy(&sack, &opt[i], sizeof(sack)); |
| 2261 pf_change_proto_a(m, &sack.start, &th->th_sum, 2262 htonl(ntohl(sack.start) - dst->seqdiff), 0); 2263 pf_change_proto_a(m, &sack.end, &th->th_sum, 2264 htonl(ntohl(sack.end) - dst->seqdiff), 0); | 2209 pf_change_a(&sack.start, &th->th_sum, 2210 htonl(ntohl(sack.start) - 2211 dst->seqdiff), 0); 2212 pf_change_a(&sack.end, &th->th_sum, 2213 htonl(ntohl(sack.end) - 2214 dst->seqdiff), 0); |
| 2265 memcpy(&opt[i], &sack, sizeof(sack)); 2266 } 2267 copyback = 1; 2268 } 2269 /* FALLTHROUGH */ 2270 default: 2271 if (olen < 2) 2272 olen = 2; --- 887 unchanged lines hidden (view full) --- 3160 3161 switch (pd->proto) { 3162 case IPPROTO_TCP: 3163 bproto_sum = th->th_sum; 3164 pd->proto_sum = &th->th_sum; 3165 3166 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) || 3167 nk->port[pd->sidx] != sport) { | 2215 memcpy(&opt[i], &sack, sizeof(sack)); 2216 } 2217 copyback = 1; 2218 } 2219 /* FALLTHROUGH */ 2220 default: 2221 if (olen < 2) 2222 olen = 2; --- 887 unchanged lines hidden (view full) --- 3110 3111 switch (pd->proto) { 3112 case IPPROTO_TCP: 3113 bproto_sum = th->th_sum; 3114 pd->proto_sum = &th->th_sum; 3115 3116 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) || 3117 nk->port[pd->sidx] != sport) { |
| 3168 pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum, | 3118 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, |
| 3169 &th->th_sum, &nk->addr[pd->sidx], 3170 nk->port[pd->sidx], 0, af); 3171 pd->sport = &th->th_sport; 3172 sport = th->th_sport; 3173 } 3174 3175 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) || 3176 nk->port[pd->didx] != dport) { | 3119 &th->th_sum, &nk->addr[pd->sidx], 3120 nk->port[pd->sidx], 0, af); 3121 pd->sport = &th->th_sport; 3122 sport = th->th_sport; 3123 } 3124 3125 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) || 3126 nk->port[pd->didx] != dport) { |
| 3177 pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum, | 3127 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, |
| 3178 &th->th_sum, &nk->addr[pd->didx], 3179 nk->port[pd->didx], 0, af); 3180 dport = th->th_dport; 3181 pd->dport = &th->th_dport; 3182 } 3183 rewrite++; 3184 break; 3185 case IPPROTO_UDP: 3186 bproto_sum = pd->hdr.udp->uh_sum; 3187 pd->proto_sum = &pd->hdr.udp->uh_sum; 3188 3189 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) || 3190 nk->port[pd->sidx] != sport) { | 3128 &th->th_sum, &nk->addr[pd->didx], 3129 nk->port[pd->didx], 0, af); 3130 dport = th->th_dport; 3131 pd->dport = &th->th_dport; 3132 } 3133 rewrite++; 3134 break; 3135 case IPPROTO_UDP: 3136 bproto_sum = pd->hdr.udp->uh_sum; 3137 pd->proto_sum = &pd->hdr.udp->uh_sum; 3138 3139 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) || 3140 nk->port[pd->sidx] != sport) { |
| 3191 pf_change_ap(m, saddr, &pd->hdr.udp->uh_sport, | 3141 pf_change_ap(saddr, &pd->hdr.udp->uh_sport, |
| 3192 pd->ip_sum, &pd->hdr.udp->uh_sum, 3193 &nk->addr[pd->sidx], 3194 nk->port[pd->sidx], 1, af); 3195 sport = pd->hdr.udp->uh_sport; 3196 pd->sport = &pd->hdr.udp->uh_sport; 3197 } 3198 3199 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) || 3200 nk->port[pd->didx] != dport) { | 3142 pd->ip_sum, &pd->hdr.udp->uh_sum, 3143 &nk->addr[pd->sidx], 3144 nk->port[pd->sidx], 1, af); 3145 sport = pd->hdr.udp->uh_sport; 3146 pd->sport = &pd->hdr.udp->uh_sport; 3147 } 3148 3149 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) || 3150 nk->port[pd->didx] != dport) { |
| 3201 pf_change_ap(m, daddr, &pd->hdr.udp->uh_dport, | 3151 pf_change_ap(daddr, &pd->hdr.udp->uh_dport, |
| 3202 pd->ip_sum, &pd->hdr.udp->uh_sum, 3203 &nk->addr[pd->didx], 3204 nk->port[pd->didx], 1, af); 3205 dport = pd->hdr.udp->uh_dport; 3206 pd->dport = &pd->hdr.udp->uh_dport; 3207 } 3208 rewrite++; 3209 break; --- 335 unchanged lines hidden (view full) --- 3545 s->src.seqlo = ntohl(th->th_seq); 3546 s->src.seqhi = s->src.seqlo + pd->p_len + 1; 3547 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 3548 r->keep_state == PF_STATE_MODULATE) { 3549 /* Generate sequence number modulator */ 3550 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == 3551 0) 3552 s->src.seqdiff = 1; | 3152 pd->ip_sum, &pd->hdr.udp->uh_sum, 3153 &nk->addr[pd->didx], 3154 nk->port[pd->didx], 1, af); 3155 dport = pd->hdr.udp->uh_dport; 3156 pd->dport = &pd->hdr.udp->uh_dport; 3157 } 3158 rewrite++; 3159 break; --- 335 unchanged lines hidden (view full) --- 3495 s->src.seqlo = ntohl(th->th_seq); 3496 s->src.seqhi = s->src.seqlo + pd->p_len + 1; 3497 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 3498 r->keep_state == PF_STATE_MODULATE) { 3499 /* Generate sequence number modulator */ 3500 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == 3501 0) 3502 s->src.seqdiff = 1; |
| 3553 pf_change_proto_a(m, &th->th_seq, &th->th_sum, | 3503 pf_change_a(&th->th_seq, &th->th_sum, |
| 3554 htonl(s->src.seqlo + s->src.seqdiff), 0); 3555 *rewrite = 1; 3556 } else 3557 s->src.seqdiff = 0; 3558 if (th->th_flags & TH_SYN) { 3559 s->src.seqhi++; 3560 s->src.wscale = pf_get_wscale(m, off, 3561 th->th_off, pd->af); --- 307 unchanged lines hidden (view full) --- 3869 } 3870 3871 /* Deferred generation of sequence number modulator */ 3872 if (dst->seqdiff && !src->seqdiff) { 3873 /* use random iss for the TCP server */ 3874 while ((src->seqdiff = arc4random() - seq) == 0) 3875 ; 3876 ack = ntohl(th->th_ack) - dst->seqdiff; | 3504 htonl(s->src.seqlo + s->src.seqdiff), 0); 3505 *rewrite = 1; 3506 } else 3507 s->src.seqdiff = 0; 3508 if (th->th_flags & TH_SYN) { 3509 s->src.seqhi++; 3510 s->src.wscale = pf_get_wscale(m, off, 3511 th->th_off, pd->af); --- 307 unchanged lines hidden (view full) --- 3819 } 3820 3821 /* Deferred generation of sequence number modulator */ 3822 if (dst->seqdiff && !src->seqdiff) { 3823 /* use random iss for the TCP server */ 3824 while ((src->seqdiff = arc4random() - seq) == 0) 3825 ; 3826 ack = ntohl(th->th_ack) - dst->seqdiff; |
| 3877 pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq + | 3827 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + |
| 3878 src->seqdiff), 0); | 3828 src->seqdiff), 0); |
| 3879 pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0); | 3829 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); |
| 3880 *copyback = 1; 3881 } else { 3882 ack = ntohl(th->th_ack); 3883 } 3884 3885 end = seq + pd->p_len; 3886 if (th->th_flags & TH_SYN) { 3887 end++; --- 33 unchanged lines hidden (view full) --- 3921 src->seqhi = end + MAX(1, dst->max_win << dws); 3922 if (win > src->max_win) 3923 src->max_win = win; 3924 3925 } else { 3926 ack = ntohl(th->th_ack) - dst->seqdiff; 3927 if (src->seqdiff) { 3928 /* Modulate sequence numbers */ | 3830 *copyback = 1; 3831 } else { 3832 ack = ntohl(th->th_ack); 3833 } 3834 3835 end = seq + pd->p_len; 3836 if (th->th_flags & TH_SYN) { 3837 end++; --- 33 unchanged lines hidden (view full) --- 3871 src->seqhi = end + MAX(1, dst->max_win << dws); 3872 if (win > src->max_win) 3873 src->max_win = win; 3874 3875 } else { 3876 ack = ntohl(th->th_ack) - dst->seqdiff; 3877 if (src->seqdiff) { 3878 /* Modulate sequence numbers */ |
| 3929 pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq + | 3879 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + |
| 3930 src->seqdiff), 0); | 3880 src->seqdiff), 0); |
| 3931 pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0); | 3881 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); |
| 3932 *copyback = 1; 3933 } 3934 end = seq + pd->p_len; 3935 if (th->th_flags & TH_SYN) 3936 end++; 3937 if (th->th_flags & TH_FIN) 3938 end++; 3939 } --- 437 unchanged lines hidden (view full) --- 4377 } 4378 4379 /* translate source/destination address, if necessary */ 4380 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { 4381 struct pf_state_key *nk = (*state)->key[pd->didx]; 4382 4383 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || 4384 nk->port[pd->sidx] != th->th_sport) | 3882 *copyback = 1; 3883 } 3884 end = seq + pd->p_len; 3885 if (th->th_flags & TH_SYN) 3886 end++; 3887 if (th->th_flags & TH_FIN) 3888 end++; 3889 } --- 437 unchanged lines hidden (view full) --- 4327 } 4328 4329 /* translate source/destination address, if necessary */ 4330 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { 4331 struct pf_state_key *nk = (*state)->key[pd->didx]; 4332 4333 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || 4334 nk->port[pd->sidx] != th->th_sport) |
| 4385 pf_change_ap(m, pd->src, &th->th_sport, 4386 pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx], | 4335 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 4336 &th->th_sum, &nk->addr[pd->sidx], |
| 4387 nk->port[pd->sidx], 0, pd->af); 4388 4389 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || 4390 nk->port[pd->didx] != th->th_dport) | 4337 nk->port[pd->sidx], 0, pd->af); 4338 4339 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || 4340 nk->port[pd->didx] != th->th_dport) |
| 4391 pf_change_ap(m, pd->dst, &th->th_dport, 4392 pd->ip_sum, &th->th_sum, &nk->addr[pd->didx], | 4341 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, 4342 &th->th_sum, &nk->addr[pd->didx], |
| 4393 nk->port[pd->didx], 0, pd->af); 4394 copyback = 1; 4395 } 4396 4397 /* Copyback sequence modulation or stateful scrub changes if needed */ 4398 if (copyback) 4399 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4400 --- 47 unchanged lines hidden (view full) --- 4448 (*state)->timeout = PFTM_UDP_SINGLE; 4449 4450 /* translate source/destination address, if necessary */ 4451 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { 4452 struct pf_state_key *nk = (*state)->key[pd->didx]; 4453 4454 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || 4455 nk->port[pd->sidx] != uh->uh_sport) | 4343 nk->port[pd->didx], 0, pd->af); 4344 copyback = 1; 4345 } 4346 4347 /* Copyback sequence modulation or stateful scrub changes if needed */ 4348 if (copyback) 4349 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4350 --- 47 unchanged lines hidden (view full) --- 4398 (*state)->timeout = PFTM_UDP_SINGLE; 4399 4400 /* translate source/destination address, if necessary */ 4401 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { 4402 struct pf_state_key *nk = (*state)->key[pd->didx]; 4403 4404 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || 4405 nk->port[pd->sidx] != uh->uh_sport) |
| 4456 pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum, | 4406 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, |
| 4457 &uh->uh_sum, &nk->addr[pd->sidx], 4458 nk->port[pd->sidx], 1, pd->af); 4459 4460 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || 4461 nk->port[pd->didx] != uh->uh_dport) | 4407 &uh->uh_sum, &nk->addr[pd->sidx], 4408 nk->port[pd->sidx], 1, pd->af); 4409 4410 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || 4411 nk->port[pd->didx] != uh->uh_dport) |
| 4462 pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum, | 4412 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, |
| 4463 &uh->uh_sum, &nk->addr[pd->didx], 4464 nk->port[pd->didx], 1, pd->af); 4465 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 4466 } 4467 4468 return (PF_PASS); 4469} 4470 --- 1100 unchanged lines hidden (view full) --- 5571 goto bad; 5572 } 5573 ip6 = mtod(m0, struct ip6_hdr *); 5574 } 5575 5576 if (ifp->if_flags & IFF_LOOPBACK) 5577 m0->m_flags |= M_SKIP_FIREWALL; 5578 | 4413 &uh->uh_sum, &nk->addr[pd->didx], 4414 nk->port[pd->didx], 1, pd->af); 4415 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 4416 } 4417 4418 return (PF_PASS); 4419} 4420 --- 1100 unchanged lines hidden (view full) --- 5521 goto bad; 5522 } 5523 ip6 = mtod(m0, struct ip6_hdr *); 5524 } 5525 5526 if (ifp->if_flags & IFF_LOOPBACK) 5527 m0->m_flags |= M_SKIP_FIREWALL; 5528 |
| 5579 if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 & 5580 ~ifp->if_hwassist) { 5581 uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6); 5582 in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr)); 5583 m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; 5584 } 5585 | |
| 5586 /* 5587 * If the packet is too large for the outgoing interface, 5588 * send back an icmp6 error. 5589 */ 5590 if (IN6_IS_SCOPE_EMBED(&dst.sin6_addr)) 5591 dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5592 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) 5593 nd6_output(ifp, ifp, m0, &dst, NULL); --- 921 unchanged lines hidden --- | 5529 /* 5530 * If the packet is too large for the outgoing interface, 5531 * send back an icmp6 error. 5532 */ 5533 if (IN6_IS_SCOPE_EMBED(&dst.sin6_addr)) 5534 dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5535 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) 5536 nd6_output(ifp, ifp, m0, &dst, NULL); --- 921 unchanged lines hidden --- |