Lines Matching defs:pd
337 pf_lazy_makewritable(struct pf_pdesc *pd, struct mbuf *m, int len)
339 if (pd->lmw < 0)
342 VERIFY(m == pd->mp);
344 if (len > pd->lmw) {
347 pd->lmw = len;
348 if (len >= 0 && m != pd->mp) {
349 pd->mp = m;
350 pd->pf_mtag = pf_find_mtag(m);
352 switch (pd->af) {
355 pd->src = (struct pf_addr *)&h->ip_src;
356 pd->dst = (struct pf_addr *)&h->ip_dst;
357 pd->ip_sum = &h->ip_sum;
363 pd->src = (struct pf_addr *)&h->ip6_src;
364 pd->dst = (struct pf_addr *)&h->ip6_dst;
401 if (*state != NULL && pd != NULL && \
402 pd->flowhash == 0) { \
403 pd->flowhash = (*state)->state_key->flowhash; \
2291 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
2301 !pf_pull_hdr(m, off + sizeof (*th), opts, hlen, NULL, NULL, pd->af))
2339 m = pf_lazy_makewritable(pd, m, copyback);
2773 unsigned int rtableid, struct pf_pdesc *pd)
2776 (pd == NULL || pd->flowhash == 0))
2786 if (pd != NULL && pd->flowhash != 0) {
2788 pf_mtag->pftag_flowhash = pd->flowhash;
2789 pf_mtag->pftag_flags |= (pd->flags & PFDESC_FLOW_ADV) ?
3168 pf_get_sport(struct pf_pdesc *pd, struct pfi_kif *kif, struct pf_rule *r,
3177 sa_family_t af = pd->af;
3178 u_int8_t proto = pd->proto;
3336 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
3377 else if (r->af && r->af != pd->af)
3379 else if (r->proto && r->proto != pd->proto)
3381 else if (xsrc && PF_MISMATCHAW(xsrc, saddr, pd->af, 0, NULL))
3383 else if (!xsrc && PF_MISMATCHAW(&src->addr, saddr, pd->af,
3395 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL))
3397 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
3403 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3405 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
3406 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
3407 off, pd->hdr.tcp), r->os_fingerprint)))
3424 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid, NULL))
3433 pf_get_translation_aux(struct pf_pdesc *pd, struct mbuf *m, int off,
3442 r = pf_match_translation(pd, m, off, direction, kif, saddr,
3445 r = pf_match_translation(pd, m, off, direction, kif,
3448 r = pf_match_translation(pd, m, off, direction, kif,
3451 r = pf_match_translation(pd, m, off, direction, kif, saddr,
3454 r = pf_match_translation(pd, m, off, direction, kif,
3465 if (pf_get_sport(pd, kif, r, saddr, sxport, daddr,
3480 switch (pd->af) {
3512 saddr, pd->af);
3517 switch (pd->af) {
3549 pd->af);
3557 switch (pd->af) {
3589 daddr, pd->af);
3596 if (pf_map_addr(pd->af, r, saddr,
3603 pd->af);
3640 pf_socket_lookup(int direction, struct pf_pdesc *pd)
3647 if (pd == NULL)
3649 pd->lookup.uid = UID_MAX;
3650 pd->lookup.gid = GID_MAX;
3651 pd->lookup.pid = NO_PID;
3653 switch (pd->proto) {
3655 if (pd->hdr.tcp == NULL)
3657 sport = pd->hdr.tcp->th_sport;
3658 dport = pd->hdr.tcp->th_dport;
3662 if (pd->hdr.udp == NULL)
3664 sport = pd->hdr.udp->uh_sport;
3665 dport = pd->hdr.udp->uh_dport;
3672 saddr = pd->src;
3673 daddr = pd->dst;
3680 saddr = pd->dst;
3681 daddr = pd->src;
3683 switch (pd->af) {
3687 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
3703 &d6, dport, 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
3706 daddr->v4, dport, INPLOOKUP_WILDCARD, &pd->lookup.uid, &pd->lookup.gid, NULL);
3710 &pd->lookup.uid, &pd->lookup.gid, NULL);
3720 &pd->lookup.uid, &pd->lookup.gid, NULL);
3730 dport, 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
3734 &pd->lookup.uid, &pd->lookup.gid, NULL);
3974 pf_tcp_iss(struct pf_pdesc *pd)
3988 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof (u_short));
3989 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof (u_short));
3990 if (pd->af == AF_INET6) {
3991 MD5Update(&ctx, (char *)&pd->src->v6, sizeof (struct in6_addr));
3992 MD5Update(&ctx, (char *)&pd->dst->v6, sizeof (struct in6_addr));
3994 MD5Update(&ctx, (char *)&pd->src->v4, sizeof (struct in_addr));
3995 MD5Update(&ctx, (char *)&pd->dst->v4, sizeof (struct in_addr));
4005 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
4010 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4011 sa_family_t af = pd->af;
4015 struct tcphdr *th = pd->hdr.tcp;
4026 struct pf_grev1_hdr *grev1 = pd->hdr.grev1;
4042 switch (pd->proto) {
4049 sxport.port = pd->hdr.udp->uh_sport;
4050 dxport.port = pd->hdr.udp->uh_dport;
4051 hdrlen = sizeof (*pd->hdr.udp);
4055 if (pd->af != AF_INET)
4057 sxport.port = dxport.port = pd->hdr.icmp->icmp_id;
4059 icmptype = pd->hdr.icmp->icmp_type;
4060 icmpcode = pd->hdr.icmp->icmp_code;
4072 if (pd->af != AF_INET6)
4074 sxport.port = dxport.port = pd->hdr.icmp6->icmp6_id;
4075 hdrlen = sizeof (*pd->hdr.icmp6);
4076 icmptype = pd->hdr.icmp6->icmp6_type;
4077 icmpcode = pd->hdr.icmp6->icmp6_code;
4087 if (pd->proto_variant == PF_GRE_PPTP_VARIANT) {
4089 pd->hdr.grev1->call_id;
4090 hdrlen = sizeof (*pd->hdr.grev1);
4095 dxport.spi = pd->hdr.esp->spi;
4096 hdrlen = sizeof (*pd->hdr.esp);
4105 if ((nr = pf_get_translation_aux(pd, m, off, PF_OUT, kif, &nsn,
4106 saddr, &sxport, daddr, &dxport, &pd->naddr, &nxport)) !=
4108 PF_ACPY(&pd->baddr, saddr, af);
4109 switch (pd->proto) {
4111 pf_change_ap(direction, pd->mp, saddr,
4112 &th->th_sport, pd->ip_sum, &th->th_sum,
4113 &pd->naddr, nxport.port, 0, af);
4118 pf_change_ap(direction, pd->mp, saddr,
4119 &pd->hdr.udp->uh_sport, pd->ip_sum,
4120 &pd->hdr.udp->uh_sum, &pd->naddr,
4122 sxport.port = pd->hdr.udp->uh_sport;
4127 if (pd->af == AF_INET) {
4128 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
4129 pd->naddr.v4.s_addr, 0);
4130 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
4131 pd->hdr.icmp->icmp_cksum, sxport.port,
4133 pd->hdr.icmp->icmp_id = nxport.port;
4140 if (pd->af == AF_INET6) {
4141 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
4142 &pd->naddr, 0);
4152 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4157 PF_ACPY(saddr, &pd->naddr, AF_INET6);
4169 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4174 PF_ACPY(saddr, &pd->naddr, AF_INET6);
4184 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4189 PF_ACPY(saddr, &pd->naddr, af);
4198 pd->nat_rule = nr;
4203 if ((nr = pf_get_translation_aux(pd, m, off, PF_IN, kif, &nsn,
4204 saddr, &sxport, daddr, &dxport, &pd->naddr, &nxport)) !=
4206 PF_ACPY(&pd->baddr, daddr, af);
4207 switch (pd->proto) {
4209 pf_change_ap(direction, pd->mp, daddr,
4210 &th->th_dport, pd->ip_sum, &th->th_sum,
4211 &pd->naddr, nxport.port, 0, af);
4216 pf_change_ap(direction, pd->mp, daddr,
4217 &pd->hdr.udp->uh_dport, pd->ip_sum,
4218 &pd->hdr.udp->uh_sum, &pd->naddr,
4220 dxport.port = pd->hdr.udp->uh_dport;
4225 if (pd->af == AF_INET) {
4226 pf_change_a(&daddr->v4.s_addr, pd->ip_sum,
4227 pd->naddr.v4.s_addr, 0);
4233 if (pd->af == AF_INET6) {
4234 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
4235 &pd->naddr, 0);
4241 if (pd->proto_variant == PF_GRE_PPTP_VARIANT)
4248 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4253 PF_ACPY(daddr, &pd->naddr, AF_INET6);
4264 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4269 PF_ACPY(daddr, &pd->naddr, AF_INET6);
4279 pd->ip_sum, pd->naddr.v4.s_addr, 0);
4284 PF_ACPY(daddr, &pd->naddr, af);
4293 pd->nat_rule = nr;
4308 else if (r->proto && r->proto != pd->proto)
4314 else if (r->proto == pd->proto &&
4325 else if (r->proto == pd->proto &&
4339 !(r->tos & pd->tos))
4342 !(r->tos & (pd->tos & DSCP_MASK)))
4345 ((r->tos & SCIDX_MASK) != pd->sc))
4349 else if (pd->proto == IPPROTO_TCP &&
4353 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
4354 pf_socket_lookup(direction, pd), 1)) &&
4356 pd->lookup.uid))
4359 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
4360 pf_socket_lookup(direction, pd), 1)) &&
4362 pd->lookup.gid))
4366 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4369 (pd->proto != IPPROTO_TCP || !pf_osfp_match(
4370 pf_osfp_fingerprint(pd, m, off, th),
4405 m = pf_lazy_makewritable(pd, m, rewrite);
4411 m_copyback(m, off, hdrlen, pd->hdr.any);
4414 a, ruleset, pd);
4424 switch (pd->proto) {
4426 pf_change_ap(direction, pd->mp, saddr,
4427 &th->th_sport, pd->ip_sum,
4428 &th->th_sum, &pd->baddr,
4434 pf_change_ap(direction, pd->mp, saddr,
4435 &pd->hdr.udp->uh_sport, pd->ip_sum,
4436 &pd->hdr.udp->uh_sum, &pd->baddr,
4438 sxport.port = pd->hdr.udp->uh_sport;
4448 PF_ACPY(&pd->baddr, saddr, af);
4454 pd->ip_sum,
4455 pd->baddr.v4.s_addr, 0);
4460 PF_ACPY(saddr, &pd->baddr,
4467 PF_ACPY(&pd->baddr, saddr, af);
4472 pd->ip_sum,
4473 pd->baddr.v4.s_addr, 0);
4478 PF_ACPY(saddr, &pd->baddr,
4488 pd->ip_sum,
4489 pd->baddr.v4.s_addr, 0);
4492 PF_ACPY(saddr, &pd->baddr, af);
4497 switch (pd->proto) {
4499 pf_change_ap(direction, pd->mp, daddr,
4500 &th->th_dport, pd->ip_sum,
4501 &th->th_sum, &pd->baddr,
4507 pf_change_ap(direction, pd->mp, daddr,
4508 &pd->hdr.udp->uh_dport, pd->ip_sum,
4509 &pd->hdr.udp->uh_sum, &pd->baddr,
4511 dxport.port = pd->hdr.udp->uh_dport;
4521 if (pd->proto_variant ==
4529 pd->ip_sum,
4530 pd->baddr.v4.s_addr, 0);
4535 PF_ACPY(daddr, &pd->baddr,
4546 pd->ip_sum,
4547 pd->baddr.v4.s_addr, 0);
4552 PF_ACPY(daddr, &pd->baddr,
4562 pd->ip_sum,
4563 pd->baddr.v4.s_addr, 0);
4567 PF_ACPY(daddr, &pd->baddr, af);
4574 if (pd->proto == IPPROTO_TCP &&
4578 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
4606 pf_send_tcp(r, af, pd->dst,
4607 pd->src, th->th_dport, th->th_sport,
4609 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
4611 } else if (pd->proto != IPPROTO_ICMP && af == AF_INET &&
4612 pd->proto != IPPROTO_ESP && pd->proto != IPPROTO_AH &&
4616 else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 &&
4617 pd->proto != IPPROTO_ESP && pd->proto != IPPROTO_AH &&
4628 psk.proto = pd->proto;
4631 if (pd->proto == IPPROTO_UDP) {
4632 if (ntohs(pd->hdr.udp->uh_sport) == PF_IKE_PORT &&
4633 ntohs(pd->hdr.udp->uh_dport) == PF_IKE_PORT) {
4640 } else if (pd->proto == IPPROTO_GRE) {
4641 psk.proto_variant = pd->proto_variant;
4646 switch (pd->proto) {
4653 psk.ext.xport.spi = pd->hdr.esp->spi;
4668 PF_ACPY(&psk.lan.addr, &pd->baddr, af);
4677 switch (pd->proto) {
4687 psk.lan.xport.spi = pd->hdr.esp->spi;
4695 PF_ACPY(&psk.gwy.addr, &pd->baddr, af);
4702 if (pd->flowhash != 0) {
4704 psk.flowhash = pd->flowhash;
4707 pd->flowhash = psk.flowhash;
4710 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid, pd)) {
4716 (pd->flags & PFDESC_TCP_NORM))) {
4723 if (pd->proto == IPPROTO_UDP) {
4724 struct udphdr *uh = pd->hdr.udp;
4736 if (nr != NULL && pd->proto == IPPROTO_ESP &&
4749 sk0.af = pd->af;
4756 pd->src, pd->af)) {
4779 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
4819 switch (pd->proto) {
4822 s->src.seqhi = s->src.seqlo + pd->p_len + 1;
4826 if ((s->src.seqdiff = pf_tcp_iss(pd) -
4891 PF_ACPY(&nsn->raddr, &pd->naddr, af);
4896 if (pd->proto == IPPROTO_TCP) {
4897 if ((pd->flags & PFDESC_TCP_NORM) &&
4898 pf_normalize_tcp_init(m, off, pd, th, &s->src,
4906 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
4907 pf_normalize_tcp_stateful(m, off, pd, &reason,
4929 m = pd->mp;
4932 switch (pd->proto) {
4962 struct udphdr *uh = pd->hdr.udp;
4992 if (pd->proto == IPPROTO_TCP)
5005 if (pd->proto == IPPROTO_TCP &&
5011 pf_change_ap(direction, pd->mp, saddr,
5012 &th->th_sport, pd->ip_sum,
5013 &th->th_sum, &pd->baddr,
5017 pf_change_ap(direction, pd->mp, daddr,
5018 &th->th_dport, pd->ip_sum,
5019 &th->th_sum, &pd->baddr,
5040 switch (pd->proto) {
5045 offx += pd->hdr.udp->uh_ulen << 2;
5054 pd, kif);
5055 if (pd->lmw < 0) {
5059 m = pd->mp;
5069 m = pf_lazy_makewritable(pd, pd->mp, rewrite);
5075 m_copyback(m, off, hdrlen, pd->hdr.any);
5091 struct mbuf **m0, struct pf_pdesc *pd, struct ip_fw_args *fwa)
5096 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
5097 sa_family_t af = pd->af;
5100 struct tcphdr *th = pd->hdr.tcp;
5125 if (!(pd->flags & PFDESC_IP_FRAG))
5126 switch (pd->proto) {
5128 dnflow.fwa_id.flags = pd->hdr.tcp->th_flags;
5129 dnflow.fwa_id.dst_port = ntohs(pd->hdr.tcp->th_dport);
5130 dnflow.fwa_id.src_port = ntohs(pd->hdr.tcp->th_sport);
5134 dnflow.fwa_id.dst_port = ntohs(pd->hdr.udp->uh_dport);
5135 dnflow.fwa_id.src_port = ntohs(pd->hdr.udp->uh_sport);
5136 hdrlen = sizeof (*pd->hdr.udp);
5143 icmptype = pd->hdr.icmp->icmp_type;
5144 icmpcode = pd->hdr.icmp->icmp_code;
5151 hdrlen = sizeof (*pd->hdr.icmp6);
5152 icmptype = pd->hdr.icmp6->icmp6_type;
5153 icmpcode = pd->hdr.icmp6->icmp6_code;
5157 if (pd->proto_variant == PF_GRE_PPTP_VARIANT)
5158 hdrlen = sizeof (*pd->hdr.grev1);
5161 hdrlen = sizeof (*pd->hdr.esp);
5175 else if (r->proto && r->proto != pd->proto)
5181 else if (r->proto == pd->proto &&
5183 ((pd->flags & PFDESC_IP_FRAG) ||
5193 else if (r->proto == pd->proto &&
5196 ((pd->flags & PFDESC_IP_FRAG) ||
5203 ((pd->flags & PFDESC_IP_FRAG) ||
5208 ((pd->flags & PFDESC_IP_FRAG) ||
5211 else if (r->tos && !(r->tos == pd->tos))
5215 else if (pd->proto == IPPROTO_TCP &&
5216 ((pd->flags & PFDESC_IP_FRAG) ||
5219 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
5261 a, ruleset, pd);
5268 r->bytes[dirndx] += pd->tot_len;
5272 if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid, pd)) {
5282 r->bytes[dirndx] += pd->tot_len;
5286 dnflow.fwa_id.proto = pd->proto;
5351 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
5357 sa_family_t af = pd->af;
5372 else if (r->proto && r->proto != pd->proto)
5374 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
5377 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
5381 !(r->tos & pd->tos))
5384 !(r->tos & (pd->tos & DSCP_MASK)))
5387 ((r->tos & SCIDX_MASK) != pd->sc))
5391 else if (pd->proto == IPPROTO_UDP &&
5394 else if (pd->proto == IPPROTO_TCP &&
5398 else if ((pd->proto == IPPROTO_ICMP ||
5399 pd->proto == IPPROTO_ICMPV6) &&
5404 else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
5431 pd);
5436 if (pf_tag_packet(m, pd->pf_mtag, tag, -1, NULL)) {
5446 struct pf_pdesc *pd, struct pfi_kif *kif)
5473 m = pd->mp;
5678 th = pd->hdr.tcp;
5691 m = pf_lazy_makewritable(pd, m, off + plen);
5738 pd->lmw = -1; /* Force PF_DROP on PFRES_MEMORY */
5791 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
5796 struct tcphdr *th = pd->hdr.tcp;
5805 key.af = pd->af;
5808 PF_ACPY(&key.ext.addr, pd->src, key.af);
5809 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5813 PF_ACPY(&key.lan.addr, pd->src, key.af);
5814 PF_ACPY(&key.ext.addr, pd->dst, key.af);
5839 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
5840 pd->src, th->th_dport, th->th_sport,
5878 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
5892 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
5893 pd->src, th->th_dport, th->th_sport,
5897 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
5950 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
5952 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
5972 end = seq + pd->p_len;
5977 pd->af);
6035 end = seq + pd->p_len;
6078 copyback = pf_modulate_sack(m, off, pd, th, dst);
6084 m = pd->mp;
6099 (pd->flags & PFDESC_IP_REAS) == 0)) {
6103 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
6107 m = pd->mp;
6195 pd->p_len, ackskew, (*state)->packets[0],
6203 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
6206 m = pd->mp;
6237 pf_send_tcp((*state)->rule.ptr, pd->af,
6238 pd->dst, pd->src, th->th_dport,
6242 pd->eh, kif->pfik_ifp);
6252 seq, orig_seq, ack, pd->p_len, ackskew,
6276 off + (th->th_off << 2), pd, kif);
6277 if (pd->lmw < 0) {
6281 m = pd->mp;
6287 pf_change_ap(direction, pd->mp, pd->src, &th->th_sport,
6288 pd->ip_sum, &th->th_sum,
6290 (*state)->state_key->gwy.xport.port, 0, pd->af);
6292 pf_change_ap(direction, pd->mp, pd->dst, &th->th_dport,
6293 pd->ip_sum, &th->th_sum,
6295 (*state)->state_key->lan.xport.port, 0, pd->af);
6300 m = pf_lazy_makewritable(pd, m, copyback);
6315 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
6320 struct udphdr *uh = pd->hdr.udp;
6326 key.af = pd->af;
6329 PF_ACPY(&key.ext.addr, pd->src, key.af);
6330 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
6335 PF_ACPY(&key.lan.addr, pd->src, key.af);
6336 PF_ACPY(&key.ext.addr, pd->dst, key.af);
6386 if ((*state) != NULL && pd != NULL &&
6387 pd->flowhash == 0)
6388 pd->flowhash = (*state)->state_key->flowhash;
6425 off + uh->uh_ulen, pd, kif);
6426 if (pd->lmw < 0) {
6430 m = pd->mp;
6435 m = pf_lazy_makewritable(pd, m, off + sizeof (*uh));
6442 pf_change_ap(direction, pd->mp, pd->src, &uh->uh_sport,
6443 pd->ip_sum, &uh->uh_sum,
6445 (*state)->state_key->gwy.xport.port, 1, pd->af);
6447 pf_change_ap(direction, pd->mp, pd->dst, &uh->uh_dport,
6448 pd->ip_sum, &uh->uh_sum,
6450 (*state)->state_key->lan.xport.port, 1, pd->af);
6459 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
6462 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
6471 switch (pd->proto) {
6474 icmptype = pd->hdr.icmp->icmp_type;
6475 icmpid = pd->hdr.icmp->icmp_id;
6476 icmpsum = &pd->hdr.icmp->icmp_cksum;
6488 icmptype = pd->hdr.icmp6->icmp6_type;
6489 icmpid = pd->hdr.icmp6->icmp6_id;
6490 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
6507 key.af = pd->af;
6508 key.proto = pd->proto;
6510 PF_ACPY(&key.ext.addr, pd->src, key.af);
6511 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
6515 PF_ACPY(&key.lan.addr, pd->src, key.af);
6516 PF_ACPY(&key.ext.addr, pd->dst, key.af);
6529 switch (pd->af) {
6533 pd->ip_sum,
6535 pd->hdr.icmp->icmp_cksum =
6537 pd->hdr.icmp->icmp_cksum, icmpid,
6539 pd->hdr.icmp->icmp_id =
6541 m = pf_lazy_makewritable(pd, m,
6546 pd->hdr.icmp);
6552 &pd->hdr.icmp6->icmp6_cksum,
6554 m = pf_lazy_makewritable(pd, m,
6560 pd->hdr.icmp6);
6565 switch (pd->af) {
6569 pd->ip_sum,
6571 pd->hdr.icmp->icmp_cksum =
6573 pd->hdr.icmp->icmp_cksum, icmpid,
6575 pd->hdr.icmp->icmp_id =
6577 m = pf_lazy_makewritable(pd, m,
6582 pd->hdr.icmp);
6588 &pd->hdr.icmp6->icmp6_cksum,
6590 m = pf_lazy_makewritable(pd, m,
6596 pd->hdr.icmp6);
6624 pd2.af = pd->af;
6625 switch (pd->af) {
6775 icmptype, pd->hdr.icmp->icmp_code);
6776 pf_print_host(pd->src, 0, pd->af);
6778 pf_print_host(pd->dst, 0, pd->af);
6793 pd->ip_sum, 0, pd2.af);
6799 pd->ip_sum, 0, pd2.af);
6805 m = pf_lazy_makewritable(pd, m, off2 + 8);
6812 pd->hdr.icmp);
6821 pd->hdr.icmp6);
6902 if (*state != NULL && pd != NULL &&
6903 pd->flowhash == 0)
6904 pd->flowhash = (*state)->state_key->flowhash;
6915 pd->ip_sum, 1, pd2.af);
6921 pd->ip_sum, 1, pd2.af);
6923 m = pf_lazy_makewritable(pd, m,
6931 pd->hdr.icmp);
6939 pd->hdr.icmp6);
6985 pd->ip_sum, 0, AF_INET);
6991 pd->ip_sum, 0, AF_INET);
6993 m = pf_lazy_makewritable(pd, m, off2 + ICMP_MINLEN);
6996 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp);
7039 pd->ip_sum, 0, AF_INET6);
7045 pd->ip_sum, 0, AF_INET6);
7047 m = pf_lazy_makewritable(pd, m, off2 +
7052 pd->hdr.icmp6);
7085 pd->ip_sum, 0, pd2.af);
7091 pd->ip_sum, 0, pd2.af);
7096 m = pf_lazy_makewritable(pd, m,
7103 m = pf_lazy_makewritable(pd, m,
7109 pd->hdr.icmp6);
7126 struct pfi_kif *kif, int off, struct pf_pdesc *pd)
7131 struct pf_grev1_hdr *grev1 = pd->hdr.grev1;
7135 key.af = pd->af;
7139 PF_ACPY(&key.ext.addr, pd->src, key.af);
7140 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
7143 PF_ACPY(&key.lan.addr, pd->src, key.af);
7144 PF_ACPY(&key.ext.addr, pd->dst, key.af);
7181 switch (pd->af) {
7184 pf_change_a(&pd->src->v4.s_addr,
7185 pd->ip_sum,
7191 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
7192 pd->af);
7199 switch (pd->af) {
7202 pf_change_a(&pd->dst->v4.s_addr,
7203 pd->ip_sum,
7209 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
7210 pd->af);
7216 m = pf_lazy_makewritable(pd, pd->mp, off + sizeof (*grev1));
7227 int off, struct pf_pdesc *pd)
7233 struct pf_esp_hdr *esp = pd->hdr.esp;
7237 key.af = pd->af;
7240 PF_ACPY(&key.ext.addr, pd->src, key.af);
7241 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
7244 PF_ACPY(&key.lan.addr, pd->src, key.af);
7245 PF_ACPY(&key.ext.addr, pd->dst, key.af);
7313 if (*state != NULL && pd != NULL &&
7314 pd->flowhash == 0) {
7315 pd->flowhash = (*state)->state_key->flowhash;
7346 switch (pd->af) {
7349 pf_change_a(&pd->src->v4.s_addr,
7350 pd->ip_sum,
7356 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
7357 pd->af);
7362 switch (pd->af) {
7365 pf_change_a(&pd->dst->v4.s_addr,
7366 pd->ip_sum,
7372 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
7373 pd->af);
7385 struct pf_pdesc *pd)
7391 key.af = pd->af;
7392 key.proto = pd->proto;
7394 PF_ACPY(&key.ext.addr, pd->src, key.af);
7395 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
7399 PF_ACPY(&key.lan.addr, pd->src, key.af);
7400 PF_ACPY(&key.ext.addr, pd->dst, key.af);
7431 switch (pd->af) {
7434 pf_change_a(&pd->src->v4.s_addr,
7435 pd->ip_sum,
7442 PF_ACPY(pd->src,
7443 &(*state)->state_key->gwy.addr, pd->af);
7448 switch (pd->af) {
7451 pf_change_a(&pd->dst->v4.s_addr,
7452 pd->ip_sum,
7459 PF_ACPY(pd->dst,
7460 &(*state)->state_key->lan.addr, pd->af);
7612 struct pf_state *s, struct pf_pdesc *pd)
7614 #pragma unused(pd)
7630 if (pd->pf_mtag->pftag_routed++ > 3) {
7827 struct pf_state *s, struct pf_pdesc *pd)
7829 #pragma unused(pd)
7844 if (pd->pf_mtag->pftag_routed++ > 3) {
8038 if (m && pd.mp && m != pd.mp) { \
8039 m = pd.mp; \
8041 pd.pf_mtag = pf_get_mtag(m); \
8060 struct pf_pdesc pd;
8068 memset(&pd, 0, sizeof (pd));
8070 if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
8076 if (pd.pf_mtag->pftag_flags & PF_TAG_GENERATED)
8094 /* initialize enough of pd for the done label */
8096 pd.mp = m;
8097 pd.lmw = 0;
8098 pd.pf_mtag = pf_get_mtag(m);
8099 pd.src = (struct pf_addr *)&h->ip_src;
8100 pd.dst = (struct pf_addr *)&h->ip_dst;
8101 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
8102 pd.ip_sum = &h->ip_sum;
8103 pd.proto = h->ip_p;
8104 pd.proto_variant = 0;
8105 pd.af = AF_INET;
8106 pd.tos = h->ip_tos;
8107 pd.tot_len = ntohs(h->ip_len);
8108 pd.eh = eh;
8123 action = pf_normalize_ip(m0, dir, kif, &reason, &pd);
8124 pd.mp = m = *m0;
8125 if (action != PF_PASS || pd.lmw < 0) {
8144 pd.src = (struct pf_addr *)&h->ip_src;
8145 pd.dst = (struct pf_addr *)&h->ip_dst;
8146 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
8147 pd.ip_sum = &h->ip_sum;
8148 pd.proto = h->ip_p;
8149 pd.proto_variant = 0;
8150 pd.mp = m;
8151 pd.lmw = 0;
8152 pd.pf_mtag = pf_get_mtag(m);
8153 pd.af = AF_INET;
8154 pd.tos = h->ip_tos;
8155 pd.sc = MBUF_SCIDX(mbuf_get_service_class(m));
8156 pd.tot_len = ntohs(h->ip_len);
8157 pd.eh = eh;
8158 if (pd.pf_mtag != NULL && pd.pf_mtag->pftag_flowhash != 0) {
8159 pd.flowhash = pd.pf_mtag->pftag_flowhash;
8160 pd.flags |= (m->m_pkthdr.m_fhflags & PF_TAG_FLOWADV) ?
8166 pd.flags |= PFDESC_IP_FRAG;
8169 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8176 &pd, &a, &ruleset);
8184 pd.hdr.tcp = &th;
8190 pd.p_len = pd.tot_len - off - (th.th_off << 2);
8191 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
8195 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8201 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
8202 if (pd.lmw < 0)
8207 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
8209 if (pd.lmw < 0)
8221 m, off, h, &pd, &a, &ruleset, &ipintrq);
8228 pd.hdr.udp = &uh;
8243 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8249 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd,
8251 if (pd.lmw < 0)
8263 m, off, h, &pd, &a, &ruleset, &ipintrq);
8270 pd.hdr.icmp = &ih;
8278 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8284 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
8286 if (pd.lmw < 0)
8298 m, off, h, &pd, &a, &ruleset, &ipintrq);
8305 pd.hdr.esp = &esp;
8313 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8319 action = pf_test_state_esp(&s, dir, kif, off, &pd);
8320 if (pd.lmw < 0)
8332 m, off, h, &pd, &a, &ruleset, &ipintrq);
8338 pd.hdr.grev1 = &grev1;
8346 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8360 pd.proto_variant = PF_GRE_PPTP_VARIANT;
8361 action = pf_test_state_grev1(&s, dir, kif, off, &pd);
8362 if (pd.lmw < 0) goto done;
8374 h, &pd, &a, &ruleset, &ipintrq);
8386 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8392 action = pf_test_state_other(&s, dir, kif, &pd);
8393 if (pd.lmw < 0)
8405 &pd, &a, &ruleset, &ipintrq);
8410 *m0 = pd.mp;
8424 pd.flowhash != 0)
8425 (void) pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0,
8426 r->rtableid, &pd);
8431 if (pqid || (pd.tos & IPTOS_LOWDELAY))
8432 pd.pf_mtag->pftag_qid = r->pqid;
8434 pd.pf_mtag->pftag_qid = r->qid;
8438 pd.pf_mtag->pftag_hdr = h;
8440 pd.pf_mtag->pftag_flags &= ~PF_TAG_HDR_INET6;
8441 pd.pf_mtag->pftag_flags |= PF_TAG_HDR_INET;
8443 if (pd.proto == IPPROTO_TCP)
8444 pd.pf_mtag->pftag_flags |= PF_TAG_TCP;
8446 pd.pf_mtag->pftag_flags &= ~PF_TAG_TCP;
8454 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
8455 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
8458 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
8459 pd.pf_mtag->pftag_flags |= PF_TAG_TRANSLATE_LOCALHOST;
8470 &pd);
8473 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
8479 r->bytes[dirndx] += pd.tot_len;
8482 a->bytes[dirndx] += pd.tot_len;
8488 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
8492 s->src_node->bytes[dirndx] += pd.tot_len;
8496 s->nat_src_node->bytes[dirndx] += pd.tot_len;
8500 s->bytes[dirndx] += pd.tot_len;
8503 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
8514 &pd.baddr : &pd.naddr;
8517 &pd.naddr : &pd.baddr;
8518 if (x == &pd.baddr || s == NULL) {
8521 pd.src = x;
8523 pd.dst = x;
8529 pd.src : pd.dst, pd.af,
8530 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
8534 sk->direction == dir) ? pd.dst : pd.src, pd.af,
8535 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
8539 VERIFY(m == NULL || pd.mp == NULL || pd.mp == m);
8542 if (pd.lmw < 0) {
8562 pf_route(m0, r, dir, kif->pfik_ifp, s, &pd);
8571 if (m && pd.mp && m != pd.mp) { \
8573 n = pd.mp; \
8574 m = pd.mp; \
8594 struct pf_pdesc pd;
8603 memset(&pd, 0, sizeof (pd));
8605 if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
8611 if (pd.pf_mtag->pftag_flags & PF_TAG_GENERATED)
8633 pd.mp = m;
8634 pd.lmw = 0;
8635 pd.pf_mtag = pf_get_mtag(m);
8636 pd.src = (struct pf_addr *)&h->ip6_src;
8637 pd.dst = (struct pf_addr *)&h->ip6_dst;
8638 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
8639 pd.ip_sum = NULL;
8640 pd.af = AF_INET6;
8641 pd.proto = nxt;
8642 pd.proto_variant = 0;
8643 pd.tos = 0;
8644 pd.sc = MBUF_SCIDX(mbuf_get_service_class(m));
8645 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
8646 pd.eh = eh;
8648 if (pd.pf_mtag->pftag_flowhash != 0) {
8649 pd.flowhash = pd.pf_mtag->pftag_flowhash;
8650 pd.flags |= (m->m_pkthdr.m_fhflags & PF_TAG_FLOWADV) ?
8667 action = pf_normalize_ip6(m0, dir, kif, &reason, &pd);
8668 pd.mp = m = *m0;
8669 if (action != PF_PASS || pd.lmw < 0) {
8691 pd.src = (struct pf_addr *)&h->ip6_src;
8692 pd.dst = (struct pf_addr *)&h->ip6_dst;
8693 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
8694 pd.ip_sum = NULL;
8695 pd.af = AF_INET6;
8696 pd.tos = 0;
8697 pd.tot_len = ntohs(h->ip6_plen) + sizeof (struct ip6_hdr);
8698 pd.eh = eh;
8701 pd.proto = h->ip6_nxt;
8702 pd.proto_variant = 0;
8703 pd.mp = m;
8704 pd.lmw = 0;
8705 pd.pf_mtag = pf_get_mtag(m);
8712 pd.flags |= PFDESC_IP_FRAG;
8714 &reason, pd.af)) {
8722 pd.proto = nxt = ip6f.ip6f_nxt;
8725 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8731 action = pf_test_fragment(&r, dir, kif, m, h, &pd, &a,
8750 NULL, &reason, pd.af)) {
8757 if (pd.proto == IPPROTO_AH)
8775 switch (pd.proto) {
8780 pd.hdr.tcp = &th;
8786 pd.p_len = pd.tot_len - off - (th.th_off << 2);
8789 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8795 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
8796 if (pd.lmw < 0)
8801 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
8803 if (pd.lmw < 0)
8815 m, off, h, &pd, &a, &ruleset, &ip6intrq);
8822 pd.hdr.udp = &uh;
8837 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8843 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd,
8845 if (pd.lmw < 0)
8857 m, off, h, &pd, &a, &ruleset, &ip6intrq);
8864 pd.hdr.icmp6 = &ih;
8872 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8879 m, off, h, &pd, &reason);
8880 if (pd.lmw < 0)
8892 m, off, h, &pd, &a, &ruleset, &ip6intrq);
8899 pd.hdr.esp = &esp;
8907 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8913 action = pf_test_state_esp(&s, dir, kif, off, &pd);
8914 if (pd.lmw < 0)
8926 m, off, h, &pd, &a, &ruleset, &ip6intrq);
8933 pd.hdr.grev1 = &grev1;
8941 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8955 action = pf_test_state_grev1(&s, dir, kif, off, &pd);
8956 if (pd.lmw < 0)
8969 h, &pd, &a, &ruleset, &ip6intrq);
8981 action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8987 action = pf_test_state_other(&s, dir, kif, &pd);
8988 if (pd.lmw < 0)
9000 &pd, &a, &ruleset, &ip6intrq);
9005 *m0 = pd.mp;
9023 if ((s && s->tag) || PF_RTABLEID_IS_VALID(r->rtableid) || pd.flowhash != 0)
9024 (void) pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0,
9025 r->rtableid, &pd);
9030 if (pd.tos & IPTOS_LOWDELAY)
9031 pd.pf_mtag->pftag_qid = r->pqid;
9033 pd.pf_mtag->pftag_qid = r->qid;
9037 pd.pf_mtag->pftag_hdr = h;
9039 pd.pf_mtag->pftag_flags &= ~PF_TAG_HDR_INET;
9040 pd.pf_mtag->pftag_flags |= PF_TAG_HDR_INET6;
9042 if (pd.proto == IPPROTO_TCP)
9043 pd.pf_mtag->pftag_flags |= PF_TAG_TCP;
9045 pd.pf_mtag->pftag_flags &= ~PF_TAG_TCP;
9048 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
9049 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
9052 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
9053 pd.pf_mtag->pftag_flags |= PF_TAG_TRANSLATE_LOCALHOST;
9064 &pd);
9067 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
9073 r->bytes[dirndx] += pd.tot_len;
9076 a->bytes[dirndx] += pd.tot_len;
9082 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
9086 s->src_node->bytes[dirndx] += pd.tot_len;
9090 s->nat_src_node->bytes[dirndx] += pd.tot_len;
9094 s->bytes[dirndx] += pd.tot_len;
9097 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
9108 &pd.baddr : &pd.naddr;
9111 &pd.naddr : &pd.baddr;
9113 if (x == &pd.baddr || s == NULL) {
9115 pd.src = x;
9117 pd.dst = x;
9122 sk->direction == dir) ? pd.src : pd.dst, pd.af,
9123 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
9127 sk->direction == dir) ? pd.dst : pd.src, pd.af,
9128 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
9139 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);
9141 VERIFY(m == NULL || pd.mp == NULL || pd.mp == m);
9144 if (pd.lmw < 0) {
9169 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);