Lines Matching refs:pd
303 #define PACKET_LOOPED(pd) ((pd)->pf_mtag && \
304 (pd)->pf_mtag->flags & PF_PACKET_LOOPED)
306 #define STATE_LOOKUP(i, k, d, s, pd) \
311 if (PACKET_LOOPED(pd)) \
1125 pf_state_key_setup(struct pf_pdesc *pd, struct pf_addr *saddr,
1134 PF_ACPY(&sk->addr[pd->sidx], saddr, pd->af);
1135 PF_ACPY(&sk->addr[pd->didx], daddr, pd->af);
1136 sk->port[pd->sidx] = sport;
1137 sk->port[pd->didx] = dport;
1138 sk->proto = pd->proto;
1139 sk->af = pd->af;
2210 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
2220 !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
2620 pf_tag_packet(struct mbuf *m, struct pf_pdesc *pd, int tag)
2625 if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(m)) == NULL))
2628 pd->pf_mtag->tag = tag;
2802 pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
2809 pd->lookup.uid = UID_MAX;
2810 pd->lookup.gid = GID_MAX;
2812 switch (pd->proto) {
2814 if (pd->hdr.tcp == NULL)
2816 sport = pd->hdr.tcp->th_sport;
2817 dport = pd->hdr.tcp->th_dport;
2821 if (pd->hdr.udp == NULL)
2823 sport = pd->hdr.udp->uh_sport;
2824 dport = pd->hdr.udp->uh_dport;
2831 saddr = pd->src;
2832 daddr = pd->dst;
2839 saddr = pd->dst;
2840 daddr = pd->src;
2842 switch (pd->af) {
2874 pd->lookup.uid = inp->inp_cred->cr_uid;
2875 pd->lookup.gid = inp->inp_cred->cr_groups[0];
3012 pf_tcp_iss(struct pf_pdesc *pd)
3027 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof(u_short));
3028 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof(u_short));
3029 if (pd->af == AF_INET6) {
3030 MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr));
3031 MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr));
3033 MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr));
3034 MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr));
3046 struct pfi_kif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
3050 struct pf_addr * const saddr = pd->src;
3051 struct pf_addr * const daddr = pd->dst;
3052 sa_family_t af = pd->af;
3056 struct tcphdr *th = pd->hdr.tcp;
3073 pd->lookup.uid = inp->inp_cred->cr_uid;
3074 pd->lookup.gid = inp->inp_cred->cr_groups[0];
3075 pd->lookup.done = 1;
3078 switch (pd->proto) {
3085 sport = pd->hdr.udp->uh_sport;
3086 dport = pd->hdr.udp->uh_dport;
3087 hdrlen = sizeof(*pd->hdr.udp);
3091 if (pd->af != AF_INET)
3093 sport = dport = pd->hdr.icmp->icmp_id;
3094 hdrlen = sizeof(*pd->hdr.icmp);
3095 icmptype = pd->hdr.icmp->icmp_type;
3096 icmpcode = pd->hdr.icmp->icmp_code;
3110 sport = dport = pd->hdr.icmp6->icmp6_id;
3111 hdrlen = sizeof(*pd->hdr.icmp6);
3112 icmptype = pd->hdr.icmp6->icmp6_type;
3113 icmpcode = pd->hdr.icmp6->icmp6_code;
3130 if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &sk,
3135 if (pd->ip_sum)
3136 bip_sum = *pd->ip_sum;
3138 switch (pd->proto) {
3141 pd->proto_sum = &th->th_sum;
3143 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
3144 nk->port[pd->sidx] != sport) {
3145 pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum,
3146 &th->th_sum, &nk->addr[pd->sidx],
3147 nk->port[pd->sidx], 0, af);
3148 pd->sport = &th->th_sport;
3152 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
3153 nk->port[pd->didx] != dport) {
3154 pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum,
3155 &th->th_sum, &nk->addr[pd->didx],
3156 nk->port[pd->didx], 0, af);
3158 pd->dport = &th->th_dport;
3163 bproto_sum = pd->hdr.udp->uh_sum;
3164 pd->proto_sum = &pd->hdr.udp->uh_sum;
3166 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
3167 nk->port[pd->sidx] != sport) {
3168 pf_change_ap(m, saddr, &pd->hdr.udp->uh_sport,
3169 pd->ip_sum, &pd->hdr.udp->uh_sum,
3170 &nk->addr[pd->sidx],
3171 nk->port[pd->sidx], 1, af);
3172 sport = pd->hdr.udp->uh_sport;
3173 pd->sport = &pd->hdr.udp->uh_sport;
3176 if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
3177 nk->port[pd->didx] != dport) {
3178 pf_change_ap(m, daddr, &pd->hdr.udp->uh_dport,
3179 pd->ip_sum, &pd->hdr.udp->uh_sum,
3180 &nk->addr[pd->didx],
3181 nk->port[pd->didx], 1, af);
3182 dport = pd->hdr.udp->uh_dport;
3183 pd->dport = &pd->hdr.udp->uh_dport;
3190 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET))
3191 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3192 nk->addr[pd->sidx].v4.s_addr, 0);
3194 if (PF_ANEQ(daddr, &nk->addr[pd->didx], AF_INET))
3195 pf_change_a(&daddr->v4.s_addr, pd->ip_sum,
3196 nk->addr[pd->didx].v4.s_addr, 0);
3198 if (nk->port[1] != pd->hdr.icmp->icmp_id) {
3199 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
3200 pd->hdr.icmp->icmp_cksum, sport,
3202 pd->hdr.icmp->icmp_id = nk->port[1];
3203 pd->sport = &pd->hdr.icmp->icmp_id;
3205 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
3211 if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET6))
3212 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
3213 &nk->addr[pd->sidx], 0);
3215 if (PF_ANEQ(daddr, &nk->addr[pd->didx], AF_INET6))
3216 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
3217 &nk->addr[pd->didx], 0);
3226 &nk->addr[pd->sidx], AF_INET))
3228 pd->ip_sum,
3229 nk->addr[pd->sidx].v4.s_addr, 0);
3232 &nk->addr[pd->didx], AF_INET))
3234 pd->ip_sum,
3235 nk->addr[pd->didx].v4.s_addr, 0);
3241 &nk->addr[pd->sidx], AF_INET6))
3242 PF_ACPY(saddr, &nk->addr[pd->sidx], af);
3245 &nk->addr[pd->didx], AF_INET6))
3246 PF_ACPY(saddr, &nk->addr[pd->didx], af);
3254 pd->nat_rule = nr;
3265 else if (r->proto && r->proto != pd->proto)
3287 else if (r->tos && !(r->tos == pd->tos))
3291 else if (pd->proto == IPPROTO_TCP &&
3295 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3296 pf_socket_lookup(direction, pd, m), 1)) &&
3298 pd->lookup.uid))
3301 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3302 pf_socket_lookup(direction, pd, m), 1)) &&
3304 pd->lookup.gid))
3310 pd->pf_mtag ? pd->pf_mtag->tag : 0))
3313 (pd->proto != IPPROTO_TCP || !pf_osfp_match(
3314 pf_osfp_fingerprint(pd, m, off, th),
3347 m_copyback(m, off, hdrlen, pd->hdr.any);
3349 ruleset, pd, 1);
3358 PF_ACPY(saddr, &sk->addr[pd->sidx], af);
3359 PF_ACPY(daddr, &sk->addr[pd->didx], af);
3360 if (pd->sport)
3361 *pd->sport = sk->port[pd->sidx];
3362 if (pd->dport)
3363 *pd->dport = sk->port[pd->didx];
3364 if (pd->proto_sum)
3365 *pd->proto_sum = bproto_sum;
3366 if (pd->ip_sum)
3367 *pd->ip_sum = bip_sum;
3368 m_copyback(m, off, hdrlen, pd->hdr.any);
3370 if (pd->proto == IPPROTO_TCP &&
3374 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
3405 pf_send_tcp(m, r, af, pd->dst,
3406 pd->src, th->th_dport, th->th_sport,
3410 } else if (pd->proto != IPPROTO_ICMP && af == AF_INET &&
3414 else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 &&
3423 if (tag > 0 && pf_tag_packet(m, pd, tag)) {
3431 (pd->flags & PFDESC_TCP_NORM))) {
3433 action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
3447 m_copyback(m, off, hdrlen, pd->hdr.any);
3472 struct pf_pdesc *pd, struct pf_src_node *nsn, struct pf_state_key *nk,
3479 struct tcphdr *th = pd->hdr.tcp;
3493 pf_insert_src_node(&sn, r, pd->src, pd->af) != 0) {
3499 pf_insert_src_node(&nsn, nr, &sk->addr[pd->sidx], pd->af)) {
3520 switch (pd->proto) {
3523 s->src.seqhi = s->src.seqlo + pd->p_len + 1;
3527 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
3538 th->th_off, pd->af);
3574 if (pf_map_addr(pd->af, r, pd->src, &s->rt_addr, NULL, &sn)) {
3593 PF_ACPY(&nsn->raddr, &nk->addr[1], pd->af);
3597 if (pd->proto == IPPROTO_TCP) {
3598 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
3599 off, pd, th, &s->src, &s->dst)) {
3606 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
3607 pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
3619 s->direction = pd->dir;
3627 sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport);
3637 (pd->dir == PF_IN) ? sk : nk,
3638 (pd->dir == PF_IN) ? nk : sk, s)) {
3639 if (pd->proto == IPPROTO_TCP)
3651 if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
3657 if (pd->dir == PF_OUT)
3659 PF_ACPY(pd->src, &skt->addr[pd->sidx], pd->af);
3660 PF_ACPY(pd->dst, &skt->addr[pd->didx], pd->af);
3661 if (pd->sport)
3662 *pd->sport = skt->port[pd->sidx];
3663 if (pd->dport)
3664 *pd->dport = skt->port[pd->didx];
3665 if (pd->proto_sum)
3666 *pd->proto_sum = bproto_sum;
3667 if (pd->ip_sum)
3668 *pd->ip_sum = bip_sum;
3669 m_copyback(m, off, hdrlen, pd->hdr.any);
3674 mss = pf_get_mss(m, off, th->th_off, pd->af);
3675 mss = pf_calc_mss(pd->src, pd->af, rtid, mss);
3676 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss);
3678 pf_send_tcp(NULL, r, pd->af, pd->dst, pd->src, th->th_dport,
3708 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
3713 sa_family_t af = pd->af;
3731 else if (r->proto && r->proto != pd->proto)
3733 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
3736 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
3739 else if (r->tos && !(r->tos == pd->tos))
3743 else if (pd->proto == IPPROTO_UDP &&
3746 else if (pd->proto == IPPROTO_TCP &&
3749 else if ((pd->proto == IPPROTO_ICMP ||
3750 pd->proto == IPPROTO_ICMPV6) &&
3757 pd->pf_mtag ? pd->pf_mtag->tag : 0))
3784 PFLOG_PACKET(kif, m, af, direction, reason, r, a, ruleset, pd,
3790 if (tag > 0 && pf_tag_packet(m, pd, tag)) {
3801 struct pf_pdesc *pd, u_short *reason, int *copyback)
3803 struct tcphdr *th = pd->hdr.tcp;
3825 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
3827 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
3847 end = seq + pd->p_len;
3852 pd->af);
3896 end = seq + pd->p_len;
3939 if (pf_modulate_sack(m, off, pd, th, dst))
3955 (pd->flags & PFDESC_IP_REAS) == 0)) {
3959 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4051 pd->p_len, ackskew, (unsigned long long)(*state)->packets[0],
4053 pd->dir == PF_IN ? "in" : "out",
4054 pd->dir == (*state)->direction ? "fwd" : "rev");
4058 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4091 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4092 pd->dst, pd->src, th->th_dport,
4106 seq, orig_seq, ack, pd->p_len, ackskew,
4109 pd->dir == PF_IN ? "in" : "out",
4110 pd->dir == (*state)->direction ? "fwd" : "rev");
4129 struct pf_state **state, struct pf_pdesc *pd, u_short *reason)
4131 struct tcphdr *th = pd->hdr.tcp;
4200 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4204 struct tcphdr *th = pd->hdr.tcp;
4210 key.af = pd->af;
4213 PF_ACPY(&key.addr[0], pd->src, key.af);
4214 PF_ACPY(&key.addr[1], pd->dst, key.af);
4218 PF_ACPY(&key.addr[1], pd->src, key.af);
4219 PF_ACPY(&key.addr[0], pd->dst, key.af);
4224 STATE_LOOKUP(kif, &key, direction, *state, pd);
4234 sk = (*state)->key[pd->didx];
4246 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4247 pd->src, th->th_dport, th->th_sport,
4275 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4276 &sk->addr[pd->sidx], &sk->addr[pd->didx],
4277 sk->port[pd->sidx], sk->port[pd->didx],
4290 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4291 pd->src, th->th_dport, th->th_sport,
4295 pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4296 &sk->addr[pd->sidx], &sk->addr[pd->didx],
4297 sk->port[pd->sidx], sk->port[pd->didx],
4333 if (pf_tcp_track_sloppy(src, dst, state, pd, reason) == PF_DROP)
4336 if (pf_tcp_track_full(src, dst, state, kif, m, off, pd, reason,
4343 struct pf_state_key *nk = (*state)->key[pd->didx];
4345 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
4346 nk->port[pd->sidx] != th->th_sport)
4347 pf_change_ap(m, pd->src, &th->th_sport,
4348 pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
4349 nk->port[pd->sidx], 0, pd->af);
4351 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
4352 nk->port[pd->didx] != th->th_dport)
4353 pf_change_ap(m, pd->dst, &th->th_dport,
4354 pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
4355 nk->port[pd->didx], 0, pd->af);
4368 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4372 struct udphdr *uh = pd->hdr.udp;
4375 key.af = pd->af;
4378 PF_ACPY(&key.addr[0], pd->src, key.af);
4379 PF_ACPY(&key.addr[1], pd->dst, key.af);
4383 PF_ACPY(&key.addr[1], pd->src, key.af);
4384 PF_ACPY(&key.addr[0], pd->dst, key.af);
4389 STATE_LOOKUP(kif, &key, direction, *state, pd);
4414 struct pf_state_key *nk = (*state)->key[pd->didx];
4416 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
4417 nk->port[pd->sidx] != uh->uh_sport)
4418 pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
4419 &uh->uh_sum, &nk->addr[pd->sidx],
4420 nk->port[pd->sidx], 1, pd->af);
4422 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
4423 nk->port[pd->didx] != uh->uh_dport)
4424 pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
4425 &uh->uh_sum, &nk->addr[pd->didx],
4426 nk->port[pd->didx], 1, pd->af);
4435 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
4437 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4444 switch (pd->proto) {
4447 icmptype = pd->hdr.icmp->icmp_type;
4448 icmpid = pd->hdr.icmp->icmp_id;
4449 icmpsum = &pd->hdr.icmp->icmp_cksum;
4461 icmptype = pd->hdr.icmp6->icmp6_type;
4462 icmpid = pd->hdr.icmp6->icmp6_id;
4463 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
4480 key.af = pd->af;
4481 key.proto = pd->proto;
4484 PF_ACPY(&key.addr[0], pd->src, key.af);
4485 PF_ACPY(&key.addr[1], pd->dst, key.af);
4487 PF_ACPY(&key.addr[1], pd->src, key.af);
4488 PF_ACPY(&key.addr[0], pd->dst, key.af);
4491 STATE_LOOKUP(kif, &key, direction, *state, pd);
4498 struct pf_state_key *nk = (*state)->key[pd->didx];
4500 switch (pd->af) {
4503 if (PF_ANEQ(pd->src,
4504 &nk->addr[pd->sidx], AF_INET))
4506 pd->ip_sum,
4507 nk->addr[pd->sidx].v4.s_addr, 0);
4509 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx],
4512 pd->ip_sum,
4513 nk->addr[pd->didx].v4.s_addr, 0);
4516 pd->hdr.icmp->icmp_id) {
4517 pd->hdr.icmp->icmp_cksum =
4519 pd->hdr.icmp->icmp_cksum, icmpid,
4520 nk->port[pd->sidx], 0);
4521 pd->hdr.icmp->icmp_id =
4522 nk->port[pd->sidx];
4526 (caddr_t )pd->hdr.icmp);
4531 if (PF_ANEQ(pd->src,
4532 &nk->addr[pd->sidx], AF_INET6))
4534 &pd->hdr.icmp6->icmp6_cksum,
4535 &nk->addr[pd->sidx], 0);
4537 if (PF_ANEQ(pd->dst,
4538 &nk->addr[pd->didx], AF_INET6))
4540 &pd->hdr.icmp6->icmp6_cksum,
4541 &nk->addr[pd->didx], 0);
4544 (caddr_t )pd->hdr.icmp6);
4569 pd2.af = pd->af;
4573 switch (pd->af) {
4688 STATE_LOOKUP(kif, &key, direction, *state, pd);
4716 icmptype, pd->hdr.icmp->icmp_code);
4717 pf_print_host(pd->src, 0, pd->af);
4719 pf_print_host(pd->dst, 0, pd->af);
4729 icmptype, pd->hdr.icmp->icmp_code);
4730 pf_print_host(pd->src, 0, pd->af);
4732 pf_print_host(pd->dst, 0, pd->af);
4743 (*state)->key[pd->didx];
4752 pd->ip_sum, 0, pd2.af);
4762 pd->ip_sum, 0, pd2.af);
4771 (caddr_t )pd->hdr.icmp);
4780 (caddr_t )pd->hdr.icmp6);
4810 STATE_LOOKUP(kif, &key, direction, *state, pd);
4816 (*state)->key[pd->didx];
4825 pd->ip_sum, 1, pd2.af);
4835 pd->ip_sum, 1, pd2.af);
4841 (caddr_t )pd->hdr.icmp);
4849 (caddr_t )pd->hdr.icmp6);
4878 STATE_LOOKUP(kif, &key, direction, *state, pd);
4884 (*state)->key[pd->didx];
4893 pd->ip_sum, 0, AF_INET);
4903 pd->ip_sum, 0, AF_INET);
4905 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
4931 STATE_LOOKUP(kif, &key, direction, *state, pd);
4937 (*state)->key[pd->didx];
4946 pd->ip_sum, 0, AF_INET6);
4956 pd->ip_sum, 0, AF_INET6);
4959 (caddr_t)pd->hdr.icmp6);
4975 STATE_LOOKUP(kif, &key, direction, *state, pd);
4981 (*state)->key[pd->didx];
4988 pd->ip_sum, 0, pd2.af);
4996 pd->ip_sum, 0, pd2.af);
5002 (caddr_t)pd->hdr.icmp);
5010 (caddr_t )pd->hdr.icmp6);
5026 struct mbuf *m, struct pf_pdesc *pd)
5032 key.af = pd->af;
5033 key.proto = pd->proto;
5035 PF_ACPY(&key.addr[0], pd->src, key.af);
5036 PF_ACPY(&key.addr[1], pd->dst, key.af);
5039 PF_ACPY(&key.addr[1], pd->src, key.af);
5040 PF_ACPY(&key.addr[0], pd->dst, key.af);
5044 STATE_LOOKUP(kif, &key, direction, *state, pd);
5069 struct pf_state_key *nk = (*state)->key[pd->didx];
5072 KASSERT(pd, ("%s: pd is null", __func__));
5073 KASSERT(pd->src, ("%s: pd->src is null", __func__));
5074 KASSERT(pd->dst, ("%s: pd->dst is null", __func__));
5075 switch (pd->af) {
5078 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET))
5079 pf_change_a(&pd->src->v4.s_addr,
5080 pd->ip_sum,
5081 nk->addr[pd->sidx].v4.s_addr,
5085 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET))
5086 pf_change_a(&pd->dst->v4.s_addr,
5087 pd->ip_sum,
5088 nk->addr[pd->didx].v4.s_addr,
5095 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET))
5096 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
5098 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET))
5099 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
5264 struct pf_state *s, struct pf_pdesc *pd)
5279 if ((pd->pf_mtag == NULL &&
5280 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
5281 pd->pf_mtag->routed++ > 3) {
5446 struct pf_state *s, struct pf_pdesc *pd)
5459 if ((pd->pf_mtag == NULL &&
5460 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
5461 pd->pf_mtag->routed++ > 3) {
5724 struct pf_pdesc pd;
5732 memset(&pd, 0, sizeof(pd));
5747 pd.pf_mtag = pf_find_mtag(m);
5755 if (pd.pf_mtag == NULL &&
5756 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
5760 pd.pf_mtag->flags |= PF_PACKET_LOOPED;
5763 if (pd.pf_mtag && pd.pf_mtag->flags & PF_FASTFWD_OURS_PRESENT) {
5765 pd.pf_mtag->flags &= ~PF_FASTFWD_OURS_PRESENT;
5767 } else if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
5783 pd.src = (struct pf_addr *)&h->ip_src;
5784 pd.dst = (struct pf_addr *)&h->ip_dst;
5785 pd.sport = pd.dport = NULL;
5786 pd.ip_sum = &h->ip_sum;
5787 pd.proto_sum = NULL;
5788 pd.proto = h->ip_p;
5789 pd.dir = dir;
5790 pd.sidx = (dir == PF_IN) ? 0 : 1;
5791 pd.didx = (dir == PF_IN) ? 1 : 0;
5792 pd.af = AF_INET;
5793 pd.tos = h->ip_tos;
5794 pd.tot_len = ntohs(h->ip_len);
5799 &pd, &a, &ruleset);
5808 pd.hdr.tcp = &th;
5814 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5815 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
5817 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5820 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5829 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5837 pd.hdr.udp = &uh;
5850 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5858 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5866 pd.hdr.icmp = &ih;
5872 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
5881 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5896 action = pf_test_state_other(&s, dir, kif, m, &pd);
5904 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5920 if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) {
5929 if (pd.pf_mtag == NULL &&
5930 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
5934 if (pqid || (pd.tos & IPTOS_LOWDELAY))
5935 pd.pf_mtag->qid = r->pqid;
5937 pd.pf_mtag->qid = r->qid;
5939 pd.pf_mtag->hdr = h;
5949 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5950 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5953 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
5957 !PACKET_LOOPED(&pd)) {
5971 if (pd.pf_mtag == NULL &&
5972 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
5979 pd.pf_mtag->flags |= PF_FASTFWD_OURS_PRESENT;
6004 PFLOG_PACKET(kif, m, AF_INET, dir, reason, lr, a, ruleset, &pd,
6008 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6014 r->bytes[dirndx] += pd.tot_len;
6017 a->bytes[dirndx] += pd.tot_len;
6022 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
6026 s->src_node->bytes[dirndx] += pd.tot_len;
6030 s->nat_src_node->bytes[dirndx] += pd.tot_len;
6034 s->bytes[dirndx] += pd.tot_len;
6037 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
6042 (s == NULL) ? pd.src :
6045 pd.af, pd.tot_len, dir == PF_OUT,
6049 (s == NULL) ? pd.dst :
6052 pd.af, pd.tot_len, dir == PF_OUT,
6070 pf_route(m0, r, dir, kif->pfik_ifp, s, &pd);
6093 struct pf_pdesc pd;
6101 memset(&pd, 0, sizeof(pd));
6102 pd.pf_mtag = pf_find_mtag(m);
6104 if (pd.pf_mtag && pd.pf_mtag->flags & PF_TAG_GENERATED)
6122 if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
6141 pd.src = (struct pf_addr *)&h->ip6_src;
6142 pd.dst = (struct pf_addr *)&h->ip6_dst;
6143 pd.sport = pd.dport = NULL;
6144 pd.ip_sum = NULL;
6145 pd.proto_sum = NULL;
6146 pd.dir = dir;
6147 pd.sidx = (dir == PF_IN) ? 0 : 1;
6148 pd.didx = (dir == PF_IN) ? 1 : 0;
6149 pd.af = AF_INET6;
6150 pd.tos = 0;
6151 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
6154 pd.proto = h->ip6_nxt;
6156 switch (pd.proto) {
6159 &pd, &a, &ruleset);
6175 &reason, pd.af)) {
6200 NULL, &reason, pd.af)) {
6207 if (pd.proto == IPPROTO_AH)
6211 pd.proto = opt6.ip6e_nxt;
6225 switch (pd.proto) {
6230 pd.hdr.tcp = &th;
6236 pd.p_len = pd.tot_len - off - (th.th_off << 2);
6237 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6240 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6249 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6257 pd.hdr.udp = &uh;
6270 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6278 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6293 pd.hdr.icmp6 = &ih;
6300 m, off, h, &pd, &reason);
6308 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6314 action = pf_test_state_other(&s, dir, kif, m, &pd);
6322 action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6344 if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) {
6353 if (pd.pf_mtag == NULL &&
6354 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
6358 if (pd.tos & IPTOS_LOWDELAY)
6359 pd.pf_mtag->qid = r->pqid;
6361 pd.pf_mtag->qid = r->qid;
6363 pd.pf_mtag->hdr = h;
6367 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
6368 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
6371 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
6387 &pd, (s == NULL));
6390 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6396 r->bytes[dirndx] += pd.tot_len;
6399 a->bytes[dirndx] += pd.tot_len;
6404 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
6408 s->src_node->bytes[dirndx] += pd.tot_len;
6412 s->nat_src_node->bytes[dirndx] += pd.tot_len;
6416 s->bytes[dirndx] += pd.tot_len;
6419 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
6424 (s == NULL) ? pd.src :
6426 pd.af, pd.tot_len, dir == PF_OUT,
6430 (s == NULL) ? pd.dst :
6432 pd.af, pd.tot_len, dir == PF_OUT,
6450 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);