113 /* state tables */
517 pf_src_connlimit(struct pf_state **state)
522 	PF_STATE_LOCK_ASSERT(*state);
524 	(*state)->src_node->conn++;
525 	(*state)->src.tcp_est = 1;
526 	pf_add_threshold(&(*state)->src_node->conn_rate);
528 	if ((*state)->rule.ptr->max_src_conn &&
529 	    (*state)->rule.ptr->max_src_conn <
530 	    (*state)->src_node->conn) {
535 	if ((*state)->rule.ptr->max_src_conn_rate.limit &&
536 	    pf_check_threshold(&(*state)->src_node->conn_rate)) {
544 	/* Kill this state. */
545 	(*state)->timeout = PFTM_PURGE;
546 	(*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
548 	if ((*state)->rule.ptr->overload_tbl == NULL)
556 	bcopy(&(*state)->src_node->addr, &pfoe->addr, sizeof(pfoe->addr));
557 	pfoe->af = (*state)->key[PF_SK_WIRE]->af;
558 	pfoe->rule = (*state)->rule.ptr;
559 	pfoe->dir = (*state)->direction;
647 				s->src.state = s->dst.state = TCPS_CLOSED;
795 	/* States and state keys storage. */
802 	V_pf_state_key_z = uma_zcreate("pf state keys",
962 	KASSERT(s->refs == 0, ("%s: state not pristine", __func__));
963 	KASSERT(s->key[PF_SK_WIRE] == NULL, ("%s: state has key", __func__));
964 	KASSERT(s->key[PF_SK_STACK] == NULL, ("%s: state has key", __func__));
1021 				    si->src.state >= TCPS_FIN_WAIT_2 &&
1022 				    si->dst.state >= TCPS_FIN_WAIT_2) {
1024 					 * New state matches an old >FIN_WAIT_2
1025 					 * state. We can't drop key hash locks,
1029 					 * TCPS_CLOSED state, schedule purge
1032 					 * conflict with our new state.
1034 					si->src.state = si->dst.state =
1226 	KASSERT(s->refs == 0, ("%s: state not pristine", __func__));
1252 			printf("pf: state ID collision: "
1273  * Find state by ID: returns with locked row on success.
1297  * Find state by key.
1400 /* END state table stuff */
1483 		/* Process 1/interval fraction of the state table every run. */
1536 pf_state_expires(const struct pf_state *state)
1544 	if (state->timeout == PFTM_PURGE)
1546 	KASSERT(state->timeout != PFTM_UNLINKED,
1548 	KASSERT((state->timeout < PFTM_MAX),
1550 	timeout = state->rule.ptr->timeout[state->timeout];
1552 		timeout = V_pf_default_rule.timeout[state->timeout];
1553 	start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1554 	if (start && state->rule.ptr != &V_pf_default_rule) {
1555 		end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1556 		states = counter_u64_fetch(state->rule.ptr->states_cur);
1566 			return (state->expire + timeout);
1571 	return (state->expire + timeout);
1632  * Unlink and potentilly free a state. Function may be
1656 	if (s->src.state == PF_TCPS_PROXY_DST) {
1945 		printf(" %u:%u", s->src.state, s->dst.state);
3580 		 * We want the state created, but we dont
3679 		s->src.state = TCPS_SYN_SENT;
3680 		s->dst.state = TCPS_CLOSED;
3684 		s->src.state = PFUDPS_SINGLE;
3685 		s->dst.state = PFUDPS_NO_TRAFFIC;
3695 		s->src.state = PFOTHERS_SINGLE;
3696 		s->dst.state = PFOTHERS_NO_TRAFFIC;
3777 		s->src.state = PF_TCPS_PROXY_SRC;
3945 	struct pf_state **state, struct pfi_kif *kif, struct mbuf *m, int off,
3968 		/* First packet from this end. Set its state */
4018 		if (src->state < TCPS_SYN_SENT)
4019 			src->state = TCPS_SYN_SENT;
4054 	    (dst->state < TCPS_SYN_SENT)) {
4105 			    *state, src, dst, copyback))
4122 			if (src->state < TCPS_SYN_SENT)
4123 				src->state = TCPS_SYN_SENT;
4125 			if (src->state < TCPS_CLOSING)
4126 				src->state = TCPS_CLOSING;
4128 			if (dst->state == TCPS_SYN_SENT) {
4129 				dst->state = TCPS_ESTABLISHED;
4130 				if (src->state == TCPS_ESTABLISHED &&
4131 				    (*state)->src_node != NULL &&
4132 				    pf_src_connlimit(state)) {
4136 			} else if (dst->state == TCPS_CLOSING)
4137 				dst->state = TCPS_FIN_WAIT_2;
4140 			src->state = dst->state = TCPS_TIME_WAIT;
4143 		(*state)->expire = time_uptime;
4144 		if (src->state >= TCPS_FIN_WAIT_2 &&
4145 		    dst->state >= TCPS_FIN_WAIT_2)
4146 			(*state)->timeout = PFTM_TCP_CLOSED;
4147 		else if (src->state >= TCPS_CLOSING &&
4148 		    dst->state >= TCPS_CLOSING)
4149 			(*state)->timeout = PFTM_TCP_FIN_WAIT;
4150 		else if (src->state < TCPS_ESTABLISHED ||
4151 		    dst->state < TCPS_ESTABLISHED)
4152 			(*state)->timeout = PFTM_TCP_OPENING;
4153 		else if (src->state >= TCPS_CLOSING ||
4154 		    dst->state >= TCPS_CLOSING)
4155 			(*state)->timeout = PFTM_TCP_CLOSING;
4157 			(*state)->timeout = PFTM_TCP_ESTABLISHED;
4161 	} else if ((dst->state < TCPS_SYN_SENT ||
4162 		dst->state >= TCPS_FIN_WAIT_2 ||
4163 		src->state >= TCPS_FIN_WAIT_2) &&
4174 		 *     firewall rebooted, the state table was flushed, routes
4186 		 * validate the connection, go through the normal state code
4187 		 * and keep updating the state TTL.
4191 			printf("pf: loose state match: ");
4192 			pf_print_state(*state);
4196 			    pd->p_len, ackskew, (unsigned long long)(*state)->packets[0],
4197 			    (unsigned long long)(*state)->packets[1],
4199 			    pd->dir == (*state)->direction ? "fwd" : "rev");
4204 			    *state, src, dst, copyback))
4224 			if (src->state < TCPS_CLOSING)
4225 				src->state = TCPS_CLOSING;
4227 			src->state = dst->state = TCPS_TIME_WAIT;
4232 		if ((*state)->dst.state == TCPS_SYN_SENT &&
4233 		    (*state)->src.state == TCPS_SYN_SENT) {
4234 			/* Send RST for state mismatches during handshake */
4236 				pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4240 				    (*state)->rule.ptr->return_ttl, 1, 0,
4246 			printf("pf: BAD state: ");
4247 			pf_print_state(*state);
4252 			    (unsigned long long)(*state)->packets[0],
4253 			    (unsigned long long)(*state)->packets[1],
4255 			    pd->dir == (*state)->direction ? "fwd" : "rev");
4274 	struct pf_state **state, struct pf_pdesc *pd, u_short *reason)
4279 		if (src->state < TCPS_SYN_SENT)
4280 			src->state = TCPS_SYN_SENT;
4282 		if (src->state < TCPS_CLOSING)
4283 			src->state = TCPS_CLOSING;
4285 		if (dst->state == TCPS_SYN_SENT) {
4286 			dst->state = TCPS_ESTABLISHED;
4287 			if (src->state == TCPS_ESTABLISHED &&
4288 			    (*state)->src_node != NULL &&
4289 			    pf_src_connlimit(state)) {
4293 		} else if (dst->state == TCPS_CLOSING) {
4294 			dst->state = TCPS_FIN_WAIT_2;
4295 		} else if (src->state == TCPS_SYN_SENT &&
4296 		    dst->state < TCPS_SYN_SENT) {
4303 			dst->state = src->state = TCPS_ESTABLISHED;
4304 			if ((*state)->src_node != NULL &&
4305 			    pf_src_connlimit(state)) {
4309 		} else if (src->state == TCPS_CLOSING &&
4310 		    dst->state == TCPS_ESTABLISHED &&
4317 			dst->state = TCPS_CLOSING;
4321 		src->state = dst->state = TCPS_TIME_WAIT;
4324 	(*state)->expire = time_uptime;
4325 	if (src->state >= TCPS_FIN_WAIT_2 &&
4326 	    dst->state >= TCPS_FIN_WAIT_2)
4327 		(*state)->timeout = PFTM_TCP_CLOSED;
4328 	else if (src->state >= TCPS_CLOSING &&
4329 	    dst->state >= TCPS_CLOSING)
4330 		(*state)->timeout = PFTM_TCP_FIN_WAIT;
4331 	else if (src->state < TCPS_ESTABLISHED ||
4332 	    dst->state < TCPS_ESTABLISHED)
4333 		(*state)->timeout = PFTM_TCP_OPENING;
4334 	else if (src->state >= TCPS_CLOSING ||
4335 	    dst->state >= TCPS_CLOSING)
4336 		(*state)->timeout = PFTM_TCP_CLOSING;
4338 		(*state)->timeout = PFTM_TCP_ESTABLISHED;
4344 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
4369 	STATE_LOOKUP(kif, &key, direction, *state, pd);
4371 	if (direction == (*state)->direction) {
4372 		src = &(*state)->src;
4373 		dst = &(*state)->dst;
4375 		src = &(*state)->dst;
4376 		dst = &(*state)->src;
4379 	sk = (*state)->key[pd->didx];
4381 	if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
4382 		if (direction != (*state)->direction) {
4387 			if (ntohl(th->th_seq) != (*state)->src.seqlo) {
4391 			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4393 			    (*state)->src.seqhi, ntohl(th->th_seq) + 1,
4394 			    TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL);
4398 		    (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4399 		    (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4402 		} else if ((*state)->src_node != NULL &&
4403 		    pf_src_connlimit(state)) {
4407 			(*state)->src.state = PF_TCPS_PROXY_DST;
4409 	if ((*state)->src.state == PF_TCPS_PROXY_DST) {
4410 		if (direction == (*state)->direction) {
4412 			    (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4413 			    (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4417 			(*state)->src.max_win = MAX(ntohs(th->th_win), 1);
4418 			if ((*state)->dst.seqhi == 1)
4419 				(*state)->dst.seqhi = htonl(arc4random());
4420 			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4423 			    (*state)->dst.seqhi, 0, TH_SYN, 0,
4424 			    (*state)->src.mss, 0, 0, (*state)->tag, NULL);
4429 		    (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
4433 			(*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
4434 			(*state)->dst.seqlo = ntohl(th->th_seq);
4435 			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
4438 			    TH_ACK, (*state)->src.max_win, 0, 0, 0,
4439 			    (*state)->tag, NULL);
4440 			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
4443 			    (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
4444 			    TH_ACK, (*state)->dst.max_win, 0, 0, 1, 0, NULL);
4445 			(*state)->src.seqdiff = (*state)->dst.seqhi -
4446 			    (*state)->src.seqlo;
4447 			(*state)->dst.seqdiff = (*state)->src.seqhi -
4448 			    (*state)->dst.seqlo;
4449 			(*state)->src.seqhi = (*state)->src.seqlo +
4450 			    (*state)->dst.max_win;
4451 			(*state)->dst.seqhi = (*state)->dst.seqlo +
4452 			    (*state)->src.max_win;
4453 			(*state)->src.wscale = (*state)->dst.wscale = 0;
4454 			(*state)->src.state = (*state)->dst.state =
4462 	    dst->state >= TCPS_FIN_WAIT_2 &&
4463 	    src->state >= TCPS_FIN_WAIT_2) {
4465 			printf("pf: state reuse ");
4466 			pf_print_state(*state);
4471 		(*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
4472 		pf_unlink_state(*state, PF_ENTER_LOCKED);
4473 		*state = NULL;
4477 	if ((*state)->state_flags & PFSTATE_SLOPPY) {
4478 		if (pf_tcp_track_sloppy(src, dst, state, pd, reason) == PF_DROP)
4481 		if (pf_tcp_track_full(src, dst, state, kif, m, off, pd, reason,
4487 	if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
4488 		struct pf_state_key *nk = (*state)->key[pd->didx];
4512 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
4534 	STATE_LOOKUP(kif, &key, direction, *state, pd);
4536 	if (direction == (*state)->direction) {
4537 		src = &(*state)->src;
4538 		dst = &(*state)->dst;
4540 		src = &(*state)->dst;
4541 		dst = &(*state)->src;
4545 	if (src->state < PFUDPS_SINGLE)
4546 		src->state = PFUDPS_SINGLE;
4547 	if (dst->state == PFUDPS_SINGLE)
4548 		dst->state = PFUDPS_MULTIPLE;
4551 	(*state)->expire = time_uptime;
4552 	if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
4553 		(*state)->timeout = PFTM_UDP_MULTIPLE;
4555 		(*state)->timeout = PFTM_UDP_SINGLE;
4558 	if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
4559 		struct pf_state_key *nk = (*state)->key[pd->didx];
4579 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
4625 		 * Search for an ICMP state.
4638 		STATE_LOOKUP(kif, &key, direction, *state, pd);
4640 		(*state)->expire = time_uptime;
4641 		(*state)->timeout = PFTM_ICMP_ERROR_REPLY;
4644 		if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
4645 			struct pf_state_key *nk = (*state)->key[pd->didx];
4701 		 * Extract the inner TCP/UDP header and search for that state.
4852 			STATE_LOOKUP(kif, &key, direction, *state, pd);
4854 			if (direction == (*state)->direction) {
4855 				src = &(*state)->dst;
4856 				dst = &(*state)->src;
4858 				src = &(*state)->src;
4859 				dst = &(*state)->dst;
4875 			if (!((*state)->state_flags & PFSTATE_SLOPPY) &&
4884 					printf(" state: ");
4885 					pf_print_state(*state);
4897 					printf(" state: ");
4898 					pf_print_state(*state);
4904 			if ((*state)->key[PF_SK_WIRE] !=
4905 			    (*state)->key[PF_SK_STACK]) {
4907 				    (*state)->key[pd->didx];
4973 			STATE_LOOKUP(kif, &key, direction, *state, pd);
4976 			if ((*state)->key[PF_SK_WIRE] !=
4977 			    (*state)->key[PF_SK_STACK]) {
4979 				    (*state)->key[pd->didx];
5040 			STATE_LOOKUP(kif, &key, direction, *state, pd);
5043 			if ((*state)->key[PF_SK_WIRE] !=
5044 			    (*state)->key[PF_SK_STACK]) {
5046 				    (*state)->key[pd->didx];
5092 			STATE_LOOKUP(kif, &key, direction, *state, pd);
5095 			if ((*state)->key[PF_SK_WIRE] !=
5096 			    (*state)->key[PF_SK_STACK]) {
5098 				    (*state)->key[pd->didx];
5135 			STATE_LOOKUP(kif, &key, direction, *state, pd);
5138 			if ((*state)->key[PF_SK_WIRE] !=
5139 			    (*state)->key[PF_SK_STACK]) {
5141 				    (*state)->key[pd->didx];
5184 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
5203 	STATE_LOOKUP(kif, &key, direction, *state, pd);
5205 	if (direction == (*state)->direction) {
5206 		src = &(*state)->src;
5207 		dst = &(*state)->dst;
5209 		src = &(*state)->dst;
5210 		dst = &(*state)->src;
5214 	if (src->state < PFOTHERS_SINGLE)
5215 		src->state = PFOTHERS_SINGLE;
5216 	if (dst->state == PFOTHERS_SINGLE)
5217 		dst->state = PFOTHERS_MULTIPLE;
5220 	(*state)->expire = time_uptime;
5221 	if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
5222 		(*state)->timeout = PFTM_OTHER_MULTIPLE;
5224 		(*state)->timeout = PFTM_OTHER_SINGLE;
5227 	if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
5228 		struct pf_state_key *nk = (*state)->key[pd->didx];

Indexes created Wed Jun 26 11:41:58 MDT 2024