704 		(*sn)->ruletype = rule->action;
3375 	if ((r->action == PF_DROP) &&
3443 	if (r->action == PF_DROP)
3455 		int action;
3456 		action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
3459 		if (action != PF_PASS)
3460 			return (action);
3825 	if (r->action != PF_PASS)
5756 	u_short			 action, reason = 0, log = 0;
5796 				action = PF_DROP;
5808 		action = PF_DROP;
5816 		action = PF_DROP;
5837 		action = pf_test_fragment(&r, dir, kif, m, h,
5849 		    &action, &reason, AF_INET)) {
5850 			log = action != PF_PASS;
5856 		action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5857 		if (action == PF_DROP)
5859 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5861 		if (action == PF_PASS) {
5868 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5878 		    &action, &reason, AF_INET)) {
5879 			log = action != PF_PASS;
5885 			action = PF_DROP;
5889 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5890 		if (action == PF_PASS) {
5897 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5907 		    &action, &reason, AF_INET)) {
5908 			log = action != PF_PASS;
5911 		action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
5913 		if (action == PF_PASS) {
5920 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5927 		action = PF_DROP;
5935 		action = pf_test_state_other(&s, dir, kif, m, &pd);
5936 		if (action == PF_PASS) {
5943 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
5950 	if (action == PF_PASS && h->ip_hl > 5 &&
5952 		action = PF_DROP;
5960 		action = PF_DROP;
5967 	if (action == PF_PASS && r->qid) {
5970 			action = PF_DROP;
5989 	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5991 	    (s->nat_rule.ptr->action == PF_RDR ||
5992 	    s->nat_rule.ptr->action == PF_BINAT) &&
5996 	if (action == PF_PASS && r->divert.port && ip_divert_ptr != NULL &&
6013 					action = PF_DROP;
6027 			return (action);
6030 			action = PF_DROP;
6050 	kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6051 	kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
6053 	if (action == PF_PASS || r->action == PF_DROP) {
6088 			    r->action == PF_PASS, tr->src.neg);
6095 			    r->action == PF_PASS, tr->dst.neg);
6098 	switch (action) {
6103 		action = PF_PASS;
6113 			return (action);
6120 	return (action);
6129 	u_short			 action, reason = 0, log = 0;
6170 		action = PF_DROP;
6182 		action = PF_DROP;
6205 			action = pf_test_fragment(&r, dir, kif, m, h,
6207 			if (action == PF_DROP)
6216 				action = PF_DROP;
6225 				action = PF_DROP;
6233 				action = PF_DROP;
6250 				action = PF_DROP;
6279 		    &action, &reason, AF_INET6)) {
6280 			log = action != PF_PASS;
6284 		action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6285 		if (action == PF_DROP)
6287 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6289 		if (action == PF_PASS) {
6296 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6306 		    &action, &reason, AF_INET6)) {
6307 			log = action != PF_PASS;
6313 			action = PF_DROP;
6317 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6318 		if (action == PF_PASS) {
6325 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6331 		action = PF_DROP;
6342 		    &action, &reason, AF_INET6)) {
6343 			log = action != PF_PASS;
6346 		action = pf_test_state_icmp(&s, dir, kif,
6348 		if (action == PF_PASS) {
6355 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6361 		action = pf_test_state_other(&s, dir, kif, m, &pd);
6362 		if (action == PF_PASS) {
6369 			action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
6382 	if (action == PF_PASS && rh_cnt &&
6384 		action = PF_DROP;
6392 		action = PF_DROP;
6399 	if (action == PF_PASS && r->qid) {
6402 			action = PF_DROP;
6415 	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
6417 	    (s->nat_rule.ptr->action == PF_RDR ||
6418 	    s->nat_rule.ptr->action == PF_BINAT) &&
6438 	kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6439 	kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
6441 	if (action == PF_PASS || r->action == PF_DROP) {
6475 			    r->action == PF_PASS, tr->src.neg);
6481 			    r->action == PF_PASS, tr->dst.neg);
6484 	switch (action) {
6489 		action = PF_PASS;
6499 			return (action);
6508 	if (action == PF_PASS && *m0 && fwdir == PF_FWD &&
6510 		action = pf_refragment6(ifp, m0, mtag);
6512 	return (action);

Indexes created Thu Sep 05 03:17:26 MDT 2024