ipfilter/netinet/ip_state.c

234353Sdim/*
234353Sdim * Copyright (C) 1995-1998 by Darren Reed.
193323Sed *
193323Sed * Redistribution and use in source and binary forms are permitted
193323Sed * provided that this notice is preserved and due credit is given
193323Sed * to the original author and the contributors.
234353Sdim */
193323Sed#if !defined(lint)
193323Sedstatic const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-1995 Darren Reed";
193323Sedstatic const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.18 2000/01/27 08:51:30 darrenr Exp $";
193323Sed#endif
193323Sed
193323Sed#include <sys/errno.h>
193323Sed#include <sys/types.h>
193323Sed#include <sys/param.h>
193323Sed#include <sys/file.h>
193323Sed#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
193323Sed    defined(_KERNEL)
193323Sed# include "opt_ipfilter_log.h"
193323Sed#endif
193323Sed#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
193323Sed# include <stdio.h>
249423Sdim# include <stdlib.h>
249423Sdim# include <string.h>
249423Sdim#else
249423Sdim# ifdef linux
193323Sed#  include <linux/kernel.h>
193323Sed#  include <linux/module.h>
193323Sed# endif
193323Sed#endif
193323Sed#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
193323Sed# include <sys/filio.h>
193323Sed# include <sys/fcntl.h>
193323Sed# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
193323Sed#  include "opt_ipfilter.h"
193323Sed# endif
193323Sed#else
193323Sed# include <sys/ioctl.h>
193323Sed#endif
193323Sed#include <sys/time.h>
193323Sed#include <sys/uio.h>
198090Srdivacky#ifndef linux
249423Sdim# include <sys/protosw.h>
193323Sed#endif
198090Srdivacky#include <sys/socket.h>
249423Sdim#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
193323Sed# include <sys/systm.h>
193323Sed#endif
193323Sed#if !defined(__SVR4) && !defined(__svr4__)
193323Sed# ifndef linux
193323Sed#  include <sys/mbuf.h>
193323Sed# endif
193323Sed#else
193323Sed# include <sys/filio.h>
193323Sed# include <sys/byteorder.h>
193323Sed# ifdef _KERNEL
193323Sed#  include <sys/dditypes.h>
193323Sed# endif
193323Sed# include <sys/stream.h>
198090Srdivacky# include <sys/kmem.h>
193323Sed#endif
193323Sed
193323Sed#include <net/if.h>
193323Sed#ifdef sun
249423Sdim# include <net/af.h>
249423Sdim#endif
249423Sdim#include <net/route.h>
249423Sdim#include <netinet/in.h>
249423Sdim#include <netinet/in_systm.h>
249423Sdim#include <netinet/ip.h>
249423Sdim#include <netinet/tcp.h>
193323Sed#ifndef linux
193323Sed# include <netinet/ip_var.h>
249423Sdim# include <netinet/tcp_fsm.h>
249423Sdim#endif
193323Sed#include <netinet/udp.h>
193323Sed#include <netinet/ip_icmp.h>
249423Sdim#include "netinet/ip_compat.h"
249423Sdim#include <netinet/tcpip.h>
249423Sdim#include "netinet/ip_fil.h"
249423Sdim#include "netinet/ip_nat.h"
193323Sed#include "netinet/ip_frag.h"
249423Sdim#include "netinet/ip_proxy.h"
249423Sdim#include "netinet/ip_state.h"
249423Sdim#if (__FreeBSD_version >= 300000)
193323Sed# include <sys/malloc.h>
249423Sdim# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
249423Sdim#  include <sys/libkern.h>
249423Sdim#  include <sys/systm.h>
249423Sdim# endif
193323Sed#endif
193323Sed
193323Sed#ifndef	MIN
193323Sed# define	MIN(a,b)	(((a)<(b))?(a):(b))
193323Sed#endif
193323Sed
193323Sed#define	TCP_CLOSE	(TH_FIN|TH_RST)
198090Srdivacky
193323Sedipstate_t **ips_table = NULL;
193323Sedint	ips_num = 0;
193323Sedips_stat_t ips_stats;
249423Sdim#if	(SOLARIS || defined(__sgi)) && defined(_KERNEL)
249423Sdimextern	KRWLOCK_T	ipf_state, ipf_mutex;
249423Sdimextern	kmutex_t	ipf_rw;
249423Sdim#endif
249423Sdim
249423Sdimstatic int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
249423Sdim			       fr_info_t *, tcphdr_t *));
249423Sdimstatic frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
249423Sdimstatic int fr_state_flush __P((int));
249423Sdimstatic ips_stat_t *fr_statetstats __P((void));
249423Sdimstatic void fr_delstate __P((ipstate_t *));
249423Sdim
249423Sdim
249423Sdim#define	FIVE_DAYS	(2 * 5 * 86400)	/* 5 days: half closed session */
193323Sed
193323Sed#define	TCP_MSL	240			/* 2 minutes */
193323Sedu_long	fr_tcpidletimeout = FIVE_DAYS,
193323Sed	fr_tcpclosewait = 2 * TCP_MSL,
193323Sed	fr_tcplastack = 2 * TCP_MSL,
193323Sed	fr_tcptimeout = 2 * TCP_MSL,
193323Sed	fr_tcpclosed = 1,
193323Sed	fr_udptimeout = 240,
193323Sed	fr_icmptimeout = 120;
193323Sedint	fr_statemax = IPSTATE_MAX,
218893Sdim	fr_statesize = IPSTATE_SIZE;
193323Sedint	fr_state_doflush = 0;
218893Sdim
193323Sed
193323Sedint fr_stateinit()
249423Sdim{
249423Sdim	KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
249423Sdim	if (ips_table != NULL)
249423Sdim		bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
249423Sdim	else
249423Sdim		return -1;
201360Srdivacky	return 0;
218893Sdim}
201360Srdivacky
243830Sdim
243830Sdimstatic ips_stat_t *fr_statetstats()
201360Srdivacky{
243830Sdim	ips_stats.iss_active = ips_num;
243830Sdim	ips_stats.iss_table = ips_table;
193323Sed	return &ips_stats;
218893Sdim}
249423Sdim
249423Sdim
249423Sdim/*
193323Sed * flush state tables.  two actions currently defined:
193323Sed * which == 0 : flush all state table entries
218893Sdim * which == 1 : flush TCP connections which have started to close but are
193323Sed *              stuck for some reason.
193323Sed */
218893Sdimstatic int fr_state_flush(which)
193323Sedint which;
249423Sdim{
249423Sdim	register int i;
249423Sdim	register ipstate_t *is, **isp;
249423Sdim#if defined(_KERNEL) && !SOLARIS
249423Sdim	int s;
249423Sdim#endif
249423Sdim	int delete, removed = 0;
249423Sdim
263508Sdim	SPL_NET(s);
263508Sdim	WRITE_ENTER(&ipf_state);
263508Sdim	for (i = fr_statesize - 1; i >= 0; i--)
263508Sdim		for (isp = &ips_table[i]; (is = *isp); ) {
193323Sed			delete = 0;
218893Sdim
193323Sed			switch (which)
193323Sed			{
218893Sdim			case 0 :
193323Sed				delete = 1;
193323Sed				break;
193323Sed			case 1 :
193323Sed				if (is->is_p != IPPROTO_TCP)
193323Sed					break;
193323Sed				if ((is->is_state[0] != TCPS_ESTABLISHED) ||
243830Sdim				    (is->is_state[1] != TCPS_ESTABLISHED))
243830Sdim					delete = 1;
243830Sdim				break;
243830Sdim			}
243830Sdim
243830Sdim			if (delete) {
193323Sed				*isp = is->is_next;
193323Sed				if (is->is_p == IPPROTO_TCP)
193323Sed					ips_stats.iss_fin++;
193323Sed				else
193323Sed					ips_stats.iss_expire++;
193323Sed				if (ips_table[i] == NULL)
249423Sdim					ips_stats.iss_inuse--;
249423Sdim#ifdef	IPFILTER_LOG
249423Sdim				ipstate_log(is, ISL_FLUSH);
249423Sdim#endif
249423Sdim				fr_delstate(is);
249423Sdim				ips_num--;
193323Sed				removed++;
193323Sed			} else
193323Sed				isp = &is->is_next;
193323Sed		}
193323Sed	RWLOCK_EXIT(&ipf_state);
193323Sed	SPL_X(s);
193323Sed	return removed;
193323Sed}
193323Sed
193323Sed
193323Sedint fr_state_ioctl(data, cmd, mode)
193323Sedcaddr_t data;
193323Sed#if defined(__NetBSD__) || defined(__OpenBSD__)
193323Sedu_long cmd;
193323Sed#else
193323Sedint cmd;
193323Sed#endif
193323Sedint mode;
193323Sed{
193323Sed	int	arg, ret, error = 0;
193323Sed
193323Sed	switch (cmd)
193323Sed	{
193323Sed	case SIOCIPFFL :
193323Sed		IRCOPY(data, (caddr_t)&arg, sizeof(arg));
193323Sed		if (arg == 0 || arg == 1) {
193323Sed			ret = fr_state_flush(arg);
193323Sed			IWCOPY((caddr_t)&ret, data, sizeof(ret));
193323Sed		} else
193323Sed			error = EINVAL;
193323Sed		break;
193323Sed#ifdef	IPFILTER_LOG
193323Sed	case SIOCIPFFB :
193323Sed		if (!(mode & FWRITE))
193323Sed			error = EPERM;
193323Sed		else
193323Sed			*(int *)data = ipflog_clear(IPL_LOGSTATE);
193323Sed		break;
193323Sed#endif
193323Sed	case SIOCGIPST :
193323Sed		IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
193323Sed		break;
193323Sed	case FIONREAD :
193323Sed#ifdef	IPFILTER_LOG
193323Sed		IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
193323Sed		       sizeof(iplused[IPL_LOGSTATE]));
193323Sed#endif
193323Sed		break;
193323Sed	default :
193323Sed		error = EINVAL;
193323Sed		break;
193323Sed	}
193323Sed	return error;
193323Sed}
193323Sed
263508Sdim
263508Sdim/*
263508Sdim * Create a new ipstate structure and hang it off the hash table.
263508Sdim */
193323Sedipstate_t *fr_addstate(ip, fin, flags)
263508Sdimip_t *ip;
263508Sdimfr_info_t *fin;
263508Sdimu_int flags;
263508Sdim{
263508Sdim	register ipstate_t *is;
193323Sed	register u_int hv;
193323Sed	ipstate_t ips;
193323Sed	u_int pass;
193323Sed
193323Sed	if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
193323Sed		return NULL;
193323Sed	if (ips_num == fr_statemax) {
193323Sed		ips_stats.iss_max++;
193323Sed		fr_state_doflush = 1;
193323Sed		return NULL;
193323Sed	}
193323Sed	is = &ips;
193323Sed	bzero((char *)is, sizeof(*is));
193323Sed	ips.is_age = 1;
193323Sed	ips.is_state[0] = 0;
193323Sed	ips.is_state[1] = 0;
193323Sed	/*
193323Sed	 * Copy and calculate...
193323Sed	 */
193323Sed	hv = (is->is_p = ip->ip_p);
193323Sed	hv += (is->is_src.s_addr = ip->ip_src.s_addr);
193323Sed	hv += (is->is_dst.s_addr = ip->ip_dst.s_addr);
193323Sed
193323Sed	switch (ip->ip_p)
193323Sed	{
193323Sed	case IPPROTO_ICMP :
193323Sed	    {
193323Sed		struct icmp *ic = (struct icmp *)fin->fin_dp;
249423Sdim
263508Sdim		switch (ic->icmp_type)
249423Sdim		{
249423Sdim		case ICMP_ECHO :
249423Sdim			is->is_icmp.ics_type = ICMP_ECHOREPLY;	/* XXX */
193323Sed			hv += (is->is_icmp.ics_id = ic->icmp_id);
249423Sdim			hv += (is->is_icmp.ics_seq = ic->icmp_seq);
249423Sdim			break;
249423Sdim		case ICMP_TSTAMP :
249423Sdim		case ICMP_IREQ :
249423Sdim		case ICMP_MASKREQ :
249423Sdim			is->is_icmp.ics_type = ic->icmp_type + 1;
249423Sdim			break;
249423Sdim		default :
249423Sdim			return NULL;
249423Sdim		}
249423Sdim		ATOMIC_INC(ips_stats.iss_icmp);
249423Sdim		is->is_age = fr_icmptimeout;
249423Sdim		break;
249423Sdim	    }
249423Sdim	case IPPROTO_TCP :
249423Sdim	    {
249423Sdim		register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
249423Sdim
249423Sdim		/*
249423Sdim		 * The endian of the ports doesn't matter, but the ack and
249423Sdim		 * sequence numbers do as we do mathematics on them later.
249423Sdim		 */
249423Sdim		is->is_dport = tcp->th_dport;
249423Sdim		is->is_sport = tcp->th_sport;
249423Sdim		if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
249423Sdim			hv += tcp->th_dport;
249423Sdim			hv += tcp->th_sport;
193323Sed		}
193323Sed		if (tcp->th_seq != 0) {
193323Sed			is->is_send = ntohl(tcp->th_seq) + ip->ip_len -
193323Sed				      fin->fin_hlen - (tcp->th_off << 2) +
251662Sdim				      ((tcp->th_flags & TH_SYN) ? 1 : 0) +
193323Sed				      ((tcp->th_flags & TH_FIN) ? 1 : 0);
193323Sed			is->is_maxsend = is->is_send + 1;
193323Sed		}
193323Sed		is->is_dend = 0;
193323Sed		is->is_maxswin = ntohs(tcp->th_win);
193323Sed		if (is->is_maxswin == 0)
193323Sed			is->is_maxswin = 1;
193323Sed		/*
193323Sed		 * If we're creating state for a starting connection, start the
193323Sed		 * timer on it as we'll never see an error if it fails to
193323Sed		 * connect.
193323Sed		 */
251662Sdim		MUTEX_ENTER(&ipf_rw);
251662Sdim		ips_stats.iss_tcp++;
251662Sdim		fr_tcp_age(&is->is_age, is->is_state, ip, fin,
251662Sdim			   tcp->th_sport == is->is_sport);
251662Sdim		MUTEX_EXIT(&ipf_rw);
251662Sdim		break;
251662Sdim	    }
251662Sdim	case IPPROTO_UDP :
251662Sdim	    {
251662Sdim		register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
251662Sdim
251662Sdim		is->is_dport = tcp->th_dport;
251662Sdim		is->is_sport = tcp->th_sport;
251662Sdim		if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
251662Sdim			hv += tcp->th_dport;
251662Sdim			hv += tcp->th_sport;
251662Sdim		}
251662Sdim		ATOMIC_INC(ips_stats.iss_udp);
251662Sdim		is->is_age = fr_udptimeout;
251662Sdim		break;
251662Sdim	    }
251662Sdim	default :
251662Sdim		return NULL;
251662Sdim	}
251662Sdim
251662Sdim	KMALLOC(is, ipstate_t *);
251662Sdim	if (is == NULL) {
251662Sdim		ATOMIC_INC(ips_stats.iss_nomem);
251662Sdim		return NULL;
251662Sdim	}
251662Sdim	bcopy((char *)&ips, (char *)is, sizeof(*is));
251662Sdim	hv %= fr_statesize;
251662Sdim	RW_UPGRADE(&ipf_mutex);
251662Sdim	is->is_rule = fin->fin_fr;
251662Sdim	if (is->is_rule != NULL) {
251662Sdim		is->is_rule->fr_ref++;
251662Sdim		pass = is->is_rule->fr_flags;
251662Sdim	} else
251662Sdim		pass = fr_flags;
251662Sdim	MUTEX_DOWNGRADE(&ipf_mutex);
251662Sdim	WRITE_ENTER(&ipf_state);
251662Sdim
251662Sdim	is->is_rout = pass & FR_OUTQUE ? 1 : 0;
251662Sdim	is->is_pass = pass;
251662Sdim	is->is_pkts = 1;
251662Sdim	is->is_bytes = ip->ip_len;
251662Sdim	/*
251662Sdim	 * We want to check everything that is a property of this packet,
251662Sdim	 * but we don't (automatically) care about it's fragment status as
251662Sdim	 * this may change.
251662Sdim	 */
251662Sdim	is->is_opt = fin->fin_fi.fi_optmsk;
251662Sdim	is->is_optmsk = 0xffffffff;
251662Sdim	is->is_sec = fin->fin_fi.fi_secmsk;
263508Sdim	is->is_secmsk = 0xffff;
251662Sdim	is->is_auth = fin->fin_fi.fi_auth;
251662Sdim	is->is_authmsk = 0xffff;
251662Sdim	is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
251662Sdim	is->is_flags |= FI_CMP << 4;
251662Sdim	is->is_flags |= flags & (FI_W_DPORT|FI_W_SPORT);
251662Sdim	/*
251662Sdim	 * add into table.
251662Sdim	 */
251662Sdim	is->is_next = ips_table[hv];
251662Sdim	ips_table[hv] = is;
251662Sdim	if (is->is_next == NULL)
251662Sdim		ips_stats.iss_inuse++;
251662Sdim	if (fin->fin_out) {
251662Sdim		is->is_ifpin = NULL;
251662Sdim		is->is_ifpout = fin->fin_ifp;
193323Sed	} else {
193323Sed		is->is_ifpin = fin->fin_ifp;
251662Sdim		is->is_ifpout = NULL;
193323Sed	}
251662Sdim	if (pass & FR_LOGFIRST)
251662Sdim		is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
251662Sdim	ATOMIC_INC(ips_num);
251662Sdim#ifdef	IPFILTER_LOG
193323Sed	ipstate_log(is, ISL_NEW);
193323Sed#endif
251662Sdim	RWLOCK_EXIT(&ipf_state);
193323Sed	fin->fin_rev = (is->is_dst.s_addr != ip->ip_dst.s_addr);
251662Sdim	if (fin->fin_fi.fi_fl & FI_FRAG)
251662Sdim		ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
251662Sdim	return is;
251662Sdim}
193323Sed
193323Sed
251662Sdim
193323Sed/*
251662Sdim * check to see if a packet with TCP headers fits within the TCP window.
251662Sdim * change timeout depending on whether new packet is a SYN-ACK returning for a
251662Sdim * SYN or a RST or FIN which indicate time to close up shop.
251662Sdim */
193323Sedint fr_tcpstate(is, fin, ip, tcp)
193323Sedregister ipstate_t *is;
263508Sdimfr_info_t *fin;
251662Sdimip_t *ip;
193323Sedtcphdr_t *tcp;
251662Sdim{
251662Sdim	register tcp_seq seq, ack, end;
251662Sdim	register int ackskew;
251662Sdim	tcpdata_t  *fdata, *tdata;
193323Sed	u_short	win, maxwin;
193323Sed	int ret = 0;
263508Sdim	int source;
251662Sdim
193323Sed	/*
263508Sdim	 * Find difference between last checked packet and this packet.
263508Sdim	 */
263508Sdim	source = (ip->ip_src.s_addr == is->is_src.s_addr);
263508Sdim	fdata = &is->is_tcp.ts_data[!source];
263508Sdim	tdata = &is->is_tcp.ts_data[source];
263508Sdim	seq = ntohl(tcp->th_seq);
263508Sdim	ack = ntohl(tcp->th_ack);
263508Sdim	win = ntohs(tcp->th_win);
263508Sdim	end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) +
263508Sdim	       ((tcp->th_flags & TH_SYN) ? 1 : 0) +
263508Sdim	       ((tcp->th_flags & TH_FIN) ? 1 : 0);
263508Sdim
263508Sdim	if (fdata->td_end == 0) {
263508Sdim		/*
263508Sdim		 * Must be a (outgoing) SYN-ACK in reply to a SYN.
263508Sdim		 */
218893Sdim		fdata->td_end = end;
193323Sed		fdata->td_maxwin = 1;
218893Sdim		fdata->td_maxend = end + 1;
263508Sdim	}
193323Sed
263508Sdim	if (!(tcp->th_flags & TH_ACK)) {  /* Pretend an ack was sent */
263508Sdim		ack = tdata->td_end;
263508Sdim		win = 1;
263508Sdim		if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0))
263508Sdim			 tdata->td_maxwin = 1;
263508Sdim	} else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
263508Sdim		   (ack == 0)) {
263508Sdim		/* gross hack to get around certain broken tcp stacks */
263508Sdim		ack = tdata->td_end;
218893Sdim	}
218893Sdim
218893Sdim	if (seq == end)
263508Sdim		seq = end = fdata->td_end;
218893Sdim
263508Sdim	maxwin = tdata->td_maxwin;
263508Sdim	ackskew = tdata->td_end - ack;
263508Sdim
263508Sdim#define	SEQ_GE(a,b)	((int)((a) - (b)) >= 0)
263508Sdim#define	SEQ_GT(a,b)	((int)((a) - (b)) > 0)
193323Sed	if ((SEQ_GE(fdata->td_maxend, end)) &&
263508Sdim	    (SEQ_GE(seq, fdata->td_end - maxwin)) &&
218893Sdim/* XXX what about big packets */
263508Sdim#define MAXACKWINDOW 66000
193323Sed	    (ackskew >= -MAXACKWINDOW) &&
263508Sdim	    (ackskew <= MAXACKWINDOW)) {
263508Sdim		/* if ackskew < 0 then this should be due to fragented
263508Sdim		 * packets. There is no way to know the length of the
263508Sdim		 * total packet in advance.
193323Sed		 * We do know the total length from the fragment cache though.
251662Sdim		 * Note however that there might be more sessions with
251662Sdim		 * exactly the same source and destination paramters in the
251662Sdim		 * state cache (and source and destination is the only stuff
193323Sed		 * that is saved in the fragment cache). Note further that
193323Sed		 * some TCP connections in the state cache are hashed with
218893Sdim		 * sport and dport as well which makes it not worthwhile to
251662Sdim		 * look for them.
193323Sed		 * Thus, when ackskew is negative but still seems to belong
193323Sed		 * to this session, we bump up the destinations end value.
249423Sdim		 */
251662Sdim		if (ackskew < 0)
251662Sdim			tdata->td_end = ack;
251662Sdim
251662Sdim		/* update max window seen */
251662Sdim		if (fdata->td_maxwin < win)
251662Sdim			fdata->td_maxwin = win;
251662Sdim		if (SEQ_GT(end, fdata->td_end))
251662Sdim			fdata->td_end = end;
251662Sdim		if (SEQ_GE(ack + win, tdata->td_maxend)) {
251662Sdim			tdata->td_maxend = ack + win;
251662Sdim			if (win == 0)
251662Sdim				tdata->td_maxend++;
251662Sdim		}
249423Sdim
251662Sdim		ATOMIC_INC(ips_stats.iss_hits);
251662Sdim		is->is_pkts++;
263508Sdim		is->is_bytes += ip->ip_len;
251662Sdim		/*
251662Sdim		 * Nearing end of connection, start timeout.
251662Sdim		 */
251662Sdim		MUTEX_ENTER(&ipf_rw);
251662Sdim		fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
251662Sdim		MUTEX_EXIT(&ipf_rw);
263508Sdim		ret = 1;
251662Sdim	}
251662Sdim	return ret;
251662Sdim}
251662Sdim
249423Sdim
193323Sedstatic int fr_matchsrcdst(is, src, dst, fin, tcp)
193323Sedipstate_t *is;
249423Sdimstruct in_addr src, dst;
218893Sdimfr_info_t *fin;
193323Sedtcphdr_t *tcp;
193323Sed{
193323Sed	int ret = 0, rev, out, flags;
251662Sdim	u_short sp, dp;
193323Sed	void *ifp;
263508Sdim
263508Sdim	rev = fin->fin_rev = (is->is_dst.s_addr != dst.s_addr);
249423Sdim	ifp = fin->fin_ifp;
218893Sdim	out = fin->fin_out;
193323Sed
193323Sed	if (tcp != NULL) {
249423Sdim		flags = is->is_flags;
249423Sdim		sp = tcp->th_sport;
249423Sdim		dp = tcp->th_dport;
249423Sdim	} else {
249423Sdim		flags = 0;
249423Sdim		sp = 0;
249423Sdim		dp = 0;
249423Sdim	}
193323Sed
251662Sdim	if (rev == 0) {
193323Sed		if (!out) {
193323Sed			if (is->is_ifpin == ifp)
193323Sed				ret = 1;
193323Sed		} else {
193323Sed			if (is->is_ifpout == NULL || is->is_ifpout == ifp)
193323Sed				ret = 1;
263508Sdim		}
193323Sed	} else {
249423Sdim		if (out) {
249423Sdim			if (is->is_ifpin == ifp)
249423Sdim				ret = 1;
249423Sdim		} else {
193323Sed			if (is->is_ifpout == NULL || is->is_ifpout == ifp)
193323Sed				ret = 1;
193323Sed		}
193323Sed	}
193323Sed	if (ret == 0)
193323Sed		return 0;
193323Sed	ret = 0;
234353Sdim
266715Sdim	if (rev == 0) {
193323Sed		if ((is->is_dst.s_addr == dst.s_addr) &&
193323Sed		    (is->is_src.s_addr == src.s_addr) &&
251662Sdim		    (!tcp || ((sp == is->is_sport || flags & FI_W_SPORT) &&
251662Sdim		     (dp == is->is_dport || flags & FI_W_DPORT)))) {
251662Sdim			ret = 1;
251662Sdim		}
251662Sdim	} else {
251662Sdim		if ((is->is_dst.s_addr == src.s_addr) &&
251662Sdim		    (is->is_src.s_addr == dst.s_addr) &&
251662Sdim		    (!tcp || ((sp == is->is_dport || flags & FI_W_DPORT) &&
251662Sdim		     (dp == is->is_sport || flags & FI_W_SPORT)))) {
251662Sdim			ret = 1;
251662Sdim		}
251662Sdim	}
251662Sdim	if (ret == 0)
251662Sdim		return 0;
251662Sdim
251662Sdim	/*
251662Sdim	 * Whether or not this should be here, is questionable, but the aim
251662Sdim	 * is to get this out of the main line.
251662Sdim	 */
251662Sdim	if (tcp == NULL)
251662Sdim		flags = is->is_flags & (FI_CMP|(FI_CMP<<4));
251662Sdim
251662Sdim	if (((fin->fin_fi.fi_fl & (flags >> 4)) != (flags & FI_CMP)) ||
251662Sdim	    ((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
251662Sdim	    ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
251662Sdim	    ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth))
251662Sdim		return 0;
251662Sdim
251662Sdim	if ((flags & (FI_W_SPORT|FI_W_DPORT))) {
251662Sdim		if ((flags & FI_W_SPORT) != 0) {
251662Sdim			if (rev == 0) {
251662Sdim				is->is_sport = sp;
251662Sdim				is->is_send = htonl(tcp->th_seq);
251662Sdim			} else {
251662Sdim				is->is_sport = dp;
251662Sdim				is->is_send = htonl(tcp->th_ack);
251662Sdim			}
251662Sdim			is->is_maxsend = is->is_send + 1;
251662Sdim		} else if ((flags & FI_W_DPORT) != 0) {
251662Sdim			if (rev == 0) {
251662Sdim				is->is_dport = dp;
251662Sdim				is->is_dend = htonl(tcp->th_ack);
251662Sdim			} else {
251662Sdim				is->is_dport = sp;
251662Sdim				is->is_dend = htonl(tcp->th_seq);
251662Sdim			}
251662Sdim			is->is_maxdend = is->is_dend + 1;
251662Sdim		}
251662Sdim		is->is_flags &= ~(FI_W_SPORT|FI_W_DPORT);
251662Sdim	}
251662Sdim
251662Sdim	if (!rev) {
251662Sdim		if (out && (out == is->is_rout)) {
251662Sdim			if (!is->is_ifpout)
251662Sdim				is->is_ifpout = ifp;
251662Sdim		} else {
251662Sdim			if (!is->is_ifpin)
251662Sdim				is->is_ifpin = ifp;
251662Sdim		}
251662Sdim	} else {
251662Sdim		if (!out && (out != is->is_rout)) {
251662Sdim			if (!is->is_ifpin)
251662Sdim				is->is_ifpin = ifp;
251662Sdim		} else {
251662Sdim			if (!is->is_ifpout)
251662Sdim				is->is_ifpout = ifp;
251662Sdim		}
251662Sdim	}
251662Sdim	return 1;
251662Sdim}
251662Sdim
251662Sdimfrentry_t *fr_checkicmpmatchingstate(ip, fin)
251662Sdimip_t *ip;
251662Sdimfr_info_t *fin;
251662Sdim{
251662Sdim	register struct in_addr	dst, src;
251662Sdim	register ipstate_t *is, **isp;
251662Sdim	register u_short sport, dport;
251662Sdim	register u_char	pr;
251662Sdim	struct icmp *ic;
251662Sdim	u_short savelen;
251662Sdim	fr_info_t ofin;
251662Sdim	tcphdr_t *tcp;
251662Sdim	icmphdr_t *icmp;
251662Sdim	frentry_t *fr;
251662Sdim	ip_t *oip;
251662Sdim	int type;
251662Sdim	u_int hv;
251662Sdim
251662Sdim	/*
251662Sdim	 * Does it at least have the return (basic) IP header ?
251662Sdim	 * Only a basic IP header (no options) should be with
251662Sdim	 * an ICMP error header.
251662Sdim	 */
251662Sdim	if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
251662Sdim		return NULL;
251662Sdim	ic = (struct icmp *)((char *)ip + fin->fin_hlen);
251662Sdim	type = ic->icmp_type;
251662Sdim	/*
251662Sdim	 * If it's not an error type, then return
251662Sdim	 */
251662Sdim	if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
251662Sdim    	    (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
251662Sdim    	    (type != ICMP_PARAMPROB))
251662Sdim		return NULL;
251662Sdim
251662Sdim	oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
251662Sdim	if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
251662Sdim		return NULL;
251662Sdim
251662Sdim	if (oip->ip_p == IPPROTO_ICMP) {
251662Sdim
251662Sdim		icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2));
251662Sdim
251662Sdim		/*
251662Sdim		 * a ICMP error can only be generated as a result of an
251662Sdim		 * ICMP query, not as the response on an ICMP error
251662Sdim		 *
251662Sdim		 * XXX theoretically ICMP_ECHOREP and the other reply's are
251662Sdim		 * ICMP query's as well, but adding them here seems strange XXX
251662Sdim		 */
251662Sdim		 if ((icmp->icmp_type != ICMP_ECHO) &&
251662Sdim		     (icmp->icmp_type != ICMP_TSTAMP) &&
251662Sdim		     (icmp->icmp_type != ICMP_IREQ) &&
251662Sdim		     (icmp->icmp_type != ICMP_MASKREQ))
251662Sdim		    	return NULL;
251662Sdim
251662Sdim		/*
251662Sdim		 * perform a lookup of the ICMP packet in the state table
251662Sdim		 */
251662Sdim
251662Sdim		hv = (pr = oip->ip_p);
251662Sdim		hv += (src.s_addr = oip->ip_src.s_addr);
251662Sdim		hv += (dst.s_addr = oip->ip_dst.s_addr);
251662Sdim		if (icmp->icmp_type == ICMP_ECHO) {
251662Sdim			hv += icmp->icmp_id;
251662Sdim			hv += icmp->icmp_seq;
251662Sdim		}
251662Sdim		hv %= fr_statesize;
251662Sdim
251662Sdim		oip->ip_len = ntohs(oip->ip_len);
251662Sdim		fr_makefrip(oip->ip_hl << 2, oip, &ofin);
251662Sdim		oip->ip_len = htons(oip->ip_len);
251662Sdim		ofin.fin_ifp = fin->fin_ifp;
251662Sdim		ofin.fin_out = !fin->fin_out;
251662Sdim		ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
251662Sdim
251662Sdim		READ_ENTER(&ipf_state);
251662Sdim		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
251662Sdim			if ((is->is_p == pr) &&
251662Sdim			    fr_matchsrcdst(is, src, dst, &ofin, NULL)) {
251662Sdim			    	/*
251662Sdim			    	 * in the state table ICMP query's are stored
251662Sdim			    	 * with the type of the corresponding ICMP
251662Sdim			    	 * response. Correct here
251662Sdim			    	 */
251662Sdim				if (((is->is_type == ICMP_ECHOREPLY) &&
251662Sdim				     (icmp->icmp_id == is->is_icmp.ics_id) &&
251662Sdim				     (icmp->icmp_seq == is->is_icmp.ics_seq) &&
251662Sdim				     (icmp->icmp_type == ICMP_ECHO)) ||
251662Sdim				    (is->is_type - 1 == ic->icmp_type)) {
251662Sdim				    	ips_stats.iss_hits++;
251662Sdim    		                        is->is_pkts++;
251662Sdim                	                is->is_bytes += ip->ip_len;
251662Sdim					fr = is->is_rule;
251662Sdim					RWLOCK_EXIT(&ipf_state);
251662Sdim					return fr;
251662Sdim				}
251662Sdim			}
251662Sdim		RWLOCK_EXIT(&ipf_state);
251662Sdim		return NULL;
251662Sdim	};
251662Sdim
251662Sdim	if ((oip->ip_p != IPPROTO_TCP) && (oip->ip_p != IPPROTO_UDP))
251662Sdim		return NULL;
251662Sdim
251662Sdim	tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
251662Sdim	dport = tcp->th_dport;
251662Sdim	sport = tcp->th_sport;
251662Sdim
251662Sdim	hv = (pr = oip->ip_p);
251662Sdim	hv += (src.s_addr = oip->ip_src.s_addr);
251662Sdim	hv += (dst.s_addr = oip->ip_dst.s_addr);
251662Sdim	hv += dport;
251662Sdim	hv += sport;
251662Sdim	hv %= fr_statesize;
251662Sdim	/*
251662Sdim	 * we make an fin entry to be able to feed it to
251662Sdim	 * matchsrcdst note that not all fields are encessary
251662Sdim	 * but this is the cleanest way. Note further we fill
251662Sdim	 * in fin_mp such that if someone uses it we'll get
251662Sdim	 * a kernel panic. fr_matchsrcdst does not use this.
251662Sdim	 *
251662Sdim	 * watch out here, as ip is in host order and oip in network
251662Sdim	 * order. Any change we make must be undone afterwards.
251662Sdim	 */
251662Sdim	savelen = oip->ip_len;
251662Sdim	oip->ip_len = ip->ip_len - (ip->ip_hl << 2) - ICMPERR_ICMPHLEN;
251662Sdim	fr_makefrip(oip->ip_hl << 2, oip, &ofin);
251662Sdim	oip->ip_len = savelen;
251662Sdim	ofin.fin_ifp = fin->fin_ifp;
251662Sdim	ofin.fin_out = !fin->fin_out;
251662Sdim	ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
263508Sdim	READ_ENTER(&ipf_state);
263508Sdim	for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) {
263508Sdim		/*
263508Sdim		 * Only allow this icmp though if the
263508Sdim		 * encapsulated packet was allowed through the
263508Sdim		 * other way around. Note that the minimal amount
263508Sdim		 * of info present does not allow for checking against
263508Sdim		 * tcp internals such as seq and ack numbers.
263508Sdim		 */
263508Sdim		if ((is->is_p == pr) &&
263508Sdim		    fr_matchsrcdst(is, src, dst, &ofin, tcp)) {
263508Sdim			fr = is->is_rule;
263508Sdim			ips_stats.iss_hits++;
263508Sdim			/*
251662Sdim			 * we must swap src and dst here because the icmp
251662Sdim			 * comes the other way around
251662Sdim			 */
251662Sdim			is->is_pkts++;
251662Sdim			is->is_bytes += ip->ip_len;
251662Sdim			/*
251662Sdim			 * we deliberately do not touch the timeouts
251662Sdim			 * for the accompanying state table entry.
251662Sdim			 * It remains to be seen if that is correct. XXX
251662Sdim			 */
251662Sdim			RWLOCK_EXIT(&ipf_state);
251662Sdim			return fr;
251662Sdim		}
251662Sdim	}
251662Sdim	RWLOCK_EXIT(&ipf_state);
251662Sdim	return NULL;
251662Sdim}
251662Sdim
251662Sdim/*
251662Sdim * Check if a packet has a registered state.
251662Sdim */
251662Sdimfrentry_t *fr_checkstate(ip, fin)
251662Sdimip_t *ip;
251662Sdimfr_info_t *fin;
251662Sdim{
251662Sdim	register struct in_addr dst, src;
251662Sdim	register ipstate_t *is, **isp;
251662Sdim	register u_char pr;
251662Sdim	u_int hv, hvm, hlen, tryagain, pass;
251662Sdim	struct icmp *ic;
251662Sdim	frentry_t *fr;
251662Sdim	tcphdr_t *tcp;
251662Sdim
251662Sdim	if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
251662Sdim		return NULL;
251662Sdim
251662Sdim	is = NULL;
251662Sdim	hlen = fin->fin_hlen;
251662Sdim	tcp = (tcphdr_t *)((char *)ip + hlen);
251662Sdim	ic = (struct icmp *)tcp;
251662Sdim	hv = (pr = ip->ip_p);
251662Sdim	hv += (src.s_addr = ip->ip_src.s_addr);
251662Sdim	hv += (dst.s_addr = ip->ip_dst.s_addr);
193323Sed
193323Sed	/*
193323Sed	 * Search the hash table for matching packet header info.
193323Sed	 */
193323Sed	switch (ip->ip_p)
193323Sed	{
243830Sdim	case IPPROTO_ICMP :
193323Sed		if ((ic->icmp_type == ICMP_ECHO) ||
243830Sdim		    (ic->icmp_type == ICMP_ECHOREPLY)) {
193323Sed			hv += ic->icmp_id;
193323Sed			hv += ic->icmp_seq;
193323Sed		}
251662Sdim		hv %= fr_statesize;
193323Sed		READ_ENTER(&ipf_state);
193323Sed		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
193323Sed			if ((is->is_p == pr) &&
193323Sed			    fr_matchsrcdst(is, src, dst, fin, NULL)) {
251662Sdim				if ((is->is_type == ICMP_ECHOREPLY) &&
249423Sdim				    (ic->icmp_type == ICMP_ECHO) &&
249423Sdim				    (ic->icmp_id == is->is_icmp.ics_id) &&
193323Sed				    (ic->icmp_seq == is->is_icmp.ics_seq))
198892Srdivacky					;
198892Srdivacky				else if (is->is_type != ic->icmp_type)
198892Srdivacky					continue;
193323Sed				is->is_age = fr_icmptimeout;
249423Sdim				break;
249423Sdim			}
249423Sdim		if (is != NULL)
251662Sdim			break;
251662Sdim		RWLOCK_EXIT(&ipf_state);
243830Sdim		/*
193323Sed		 * No matching icmp state entry. Perhaps this is a
251662Sdim		 * response to another state entry.
251662Sdim		 */
243830Sdim		fr = fr_checkicmpmatchingstate(ip, fin);
193323Sed		if (fr)
251662Sdim			return fr;
243830Sdim		break;
193323Sed	case IPPROTO_TCP :
251662Sdim	    {
243830Sdim		register u_short dport = tcp->th_dport, sport = tcp->th_sport;
193323Sed
251662Sdim		tryagain = 0;
243830Sdimretry_tcp:
193323Sed		hvm = hv % fr_statesize;
193323Sed		WRITE_ENTER(&ipf_state);
193323Sed		for (isp = &ips_table[hvm]; (is = *isp);
193323Sed		     isp = &is->is_next)
193323Sed			if ((is->is_p == pr) &&
234353Sdim			    fr_matchsrcdst(is, src, dst, fin, tcp)) {
251662Sdim				if (fr_tcpstate(is, fin, ip, tcp)) {
243830Sdim#ifndef	_KERNEL
193323Sed					if (tcp->th_flags & TCP_CLOSE) {
234353Sdim						*isp = is->is_next;
234353Sdim						isp = &ips_table[hvm];
234353Sdim						if (ips_table[hvm] == NULL)
251662Sdim							ips_stats.iss_inuse--;
243830Sdim						fr_delstate(is);
234353Sdim						ips_num--;
193323Sed					}
249423Sdim#endif
249423Sdim					break;
249423Sdim				}
251662Sdim				is = NULL;
193323Sed				break;
251662Sdim			}
251662Sdim		if (is != NULL)
251662Sdim			break;
263508Sdim		RWLOCK_EXIT(&ipf_state);
251662Sdim		hv += dport;
193323Sed		hv += sport;
193323Sed		if (tryagain == 0) {
193323Sed			tryagain = 1;
243830Sdim			goto retry_tcp;
193323Sed		}
193323Sed		break;
193323Sed	    }
193323Sed	case IPPROTO_UDP :
218893Sdim	    {
193323Sed		register u_short dport = tcp->th_dport, sport = tcp->th_sport;
193323Sed
263508Sdim		tryagain = 0;
263508Sdimretry_udp:
193323Sed		hvm = hv % fr_statesize;
193323Sed		/*
193323Sed		 * Nothing else to match on but ports. and IP#'s
193323Sed		 */
243830Sdim		READ_ENTER(&ipf_state);
251662Sdim		for (is = ips_table[hvm]; is; is = is->is_next)
243830Sdim			if ((is->is_p == pr) &&
263508Sdim			    fr_matchsrcdst(is, src, dst, fin, tcp)) {
251662Sdim				is->is_age = fr_udptimeout;
263508Sdim				break;
263508Sdim			}
263508Sdim		if (is != NULL)
251662Sdim			break;
251662Sdim		RWLOCK_EXIT(&ipf_state);
263508Sdim		hv += dport;
263508Sdim		hv += sport;
239462Sdim		if (tryagain == 0) {
263508Sdim			tryagain = 1;
263508Sdim			goto retry_udp;
251662Sdim		}
263508Sdim		break;
251662Sdim	    }
263508Sdim	default :
263508Sdim		break;
263508Sdim	}
263508Sdim	if (is == NULL) {
263508Sdim		ATOMIC_INC(ips_stats.iss_miss);
263508Sdim		return NULL;
263508Sdim	}
263508Sdim	MUTEX_ENTER(&ipf_rw);
251662Sdim	is->is_bytes += ip->ip_len;
251662Sdim	ips_stats.iss_hits++;
239462Sdim	is->is_pkts++;
243830Sdim	MUTEX_EXIT(&ipf_rw);
243830Sdim	fr = is->is_rule;
243830Sdim	fin->fin_fr = fr;
243830Sdim	pass = is->is_pass;
263508Sdim	RWLOCK_EXIT(&ipf_state);
263508Sdim	if (fin->fin_fi.fi_fl & FI_FRAG)
263508Sdim		ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
263508Sdim	return fr;
263508Sdim}
263508Sdim
263508Sdim
263508Sdimstatic void fr_delstate(is)
263508Sdimipstate_t *is;
263508Sdim{
263508Sdim	frentry_t *fr;
263508Sdim
263508Sdim	fr = is->is_rule;
263508Sdim	if (fr != NULL) {
263508Sdim		ATOMIC_DEC(fr->fr_ref);
263508Sdim		if (fr->fr_ref == 0)
263508Sdim			KFREE(fr);
263508Sdim	}
263508Sdim	KFREE(is);
263508Sdim}
239462Sdim
193323Sed
193323Sed/*
249423Sdim * Free memory in use by all state info. kept.
249423Sdim */
249423Sdimvoid fr_stateunload()
249423Sdim{
249423Sdim	register int i;
193323Sed	register ipstate_t *is, **isp;
193323Sed
193323Sed	WRITE_ENTER(&ipf_state);
234353Sdim	for (i = fr_statesize - 1; i >= 0; i--)
193323Sed		for (isp = &ips_table[i]; (is = *isp); ) {
193323Sed			*isp = is->is_next;
249423Sdim			fr_delstate(is);
249423Sdim			ips_num--;
263508Sdim		}
249423Sdim	ips_stats.iss_inuse = 0;
263508Sdim	ips_num = 0;
263508Sdim	RWLOCK_EXIT(&ipf_state);
263508Sdim	KFREES(ips_table, fr_statesize * sizeof(ipstate_t *));
263508Sdim	ips_table = NULL;
263508Sdim}
263508Sdim
263508Sdim
193323Sed/*
193323Sed * Slowly expire held state for thingslike UDP and ICMP.  Timeouts are set
249423Sdim * in expectation of this being called twice per second.
249423Sdim */
249423Sdimvoid fr_timeoutstate()
251662Sdim{
251662Sdim	register int i;
251662Sdim	register ipstate_t *is, **isp;
263508Sdim#if defined(_KERNEL) && !SOLARIS
193323Sed	int s;
263508Sdim#endif
263508Sdim
263508Sdim	SPL_NET(s);
263508Sdim	WRITE_ENTER(&ipf_state);
263508Sdim	for (i = fr_statesize - 1; i >= 0; i--)
263508Sdim		for (isp = &ips_table[i]; (is = *isp); )
263508Sdim			if (is->is_age && !--is->is_age) {
263508Sdim				*isp = is->is_next;
263508Sdim				if (is->is_p == IPPROTO_TCP)
263508Sdim					ips_stats.iss_fin++;
263508Sdim				else
263508Sdim					ips_stats.iss_expire++;
263508Sdim				if (ips_table[i] == NULL)
263508Sdim					ips_stats.iss_inuse--;
263508Sdim#ifdef	IPFILTER_LOG
263508Sdim				ipstate_log(is, ISL_EXPIRE);
263508Sdim#endif
263508Sdim				fr_delstate(is);
263508Sdim				ips_num--;
263508Sdim			} else
263508Sdim				isp = &is->is_next;
263508Sdim	RWLOCK_EXIT(&ipf_state);
263508Sdim	SPL_X(s);
263508Sdim	if (fr_state_doflush) {
263508Sdim		(void) fr_state_flush(1);
263508Sdim		fr_state_doflush = 0;
263508Sdim	}
263508Sdim}
263508Sdim
263508Sdim
263508Sdim/*
263508Sdim * Original idea freom Pradeep Krishnan for use primarily with NAT code.
263508Sdim * (pkrishna@netcom.com)
263508Sdim */
263508Sdimvoid fr_tcp_age(age, state, ip, fin, dir)
263508Sdimu_long *age;
263508Sdimu_char *state;
263508Sdimip_t *ip;
263508Sdimfr_info_t *fin;
263508Sdimint dir;
263508Sdim{
263508Sdim	tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
263508Sdim	u_char flags = tcp->th_flags;
263508Sdim	int dlen, ostate;
263508Sdim
263508Sdim	ostate = state[1 - dir];
263508Sdim
263508Sdim	dlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
193323Sed
193323Sed	if (flags & TH_RST) {
193323Sed		if (!(tcp->th_flags & TH_PUSH) && !dlen) {
193323Sed			*age = fr_tcpclosed;
239462Sdim			state[dir] = TCPS_CLOSED;
193323Sed		} else {
193323Sed			*age = fr_tcpclosewait;
193323Sed			state[dir] = TCPS_CLOSE_WAIT;
193323Sed		}
193323Sed		return;
263508Sdim	}
193323Sed
193323Sed	*age = fr_tcptimeout; /* 1 min */
193323Sed
193323Sed	switch(state[dir])
239462Sdim	{
193323Sed	case TCPS_CLOSED:
193323Sed		if ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
193323Sed			state[dir] = TCPS_ESTABLISHED;
193323Sed			*age = fr_tcpidletimeout;
249423Sdim		}
249423Sdim	case TCPS_FIN_WAIT_2:
193323Sed		if ((flags & TH_OPENING) == TH_OPENING)
193323Sed			state[dir] = TCPS_SYN_RECEIVED;
193323Sed		else if (flags & TH_SYN)
193323Sed			state[dir] = TCPS_SYN_SENT;
193323Sed		break;
193323Sed	case TCPS_SYN_RECEIVED:
193323Sed	case TCPS_SYN_SENT:
193323Sed		if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) {
193323Sed			state[dir] = TCPS_ESTABLISHED;
193323Sed			*age = fr_tcpidletimeout;
193323Sed		} else if ((flags & (TH_FIN|TH_ACK)) == (TH_FIN|TH_ACK)) {
193323Sed			state[dir] = TCPS_CLOSE_WAIT;
193323Sed			if (!(flags & TH_PUSH) && !dlen &&
263508Sdim			    ostate > TCPS_ESTABLISHED)
193323Sed				*age  = fr_tcplastack;
193323Sed			else
193323Sed				*age  = fr_tcpclosewait;
263508Sdim		}
263508Sdim		break;
249423Sdim	case TCPS_ESTABLISHED:
263508Sdim		if (flags & TH_FIN) {
251662Sdim			state[dir] = TCPS_CLOSE_WAIT;
249423Sdim			if (!(flags & TH_PUSH) && !dlen &&
249423Sdim			    ostate > TCPS_ESTABLISHED)
249423Sdim				*age  = fr_tcplastack;
249423Sdim			else
249423Sdim				*age  = fr_tcpclosewait;
249423Sdim		} else {
249423Sdim			if (ostate < TCPS_CLOSE_WAIT)
249423Sdim				*age = fr_tcpidletimeout;
249423Sdim		}
193323Sed		break;
249423Sdim	case TCPS_CLOSE_WAIT:
249423Sdim		if ((flags & TH_FIN) && !(flags & TH_PUSH) && !dlen &&
249423Sdim		    ostate > TCPS_ESTABLISHED) {
249423Sdim			*age  = fr_tcplastack;
249423Sdim			state[dir] = TCPS_LAST_ACK;
263508Sdim		} else
263508Sdim			*age  = fr_tcpclosewait;
263508Sdim		break;
263508Sdim	case TCPS_LAST_ACK:
263508Sdim		if (flags & TH_ACK) {
263508Sdim			state[dir] = TCPS_FIN_WAIT_2;
193323Sed			if (!(flags & TH_PUSH) && !dlen &&
193323Sed			    ostate > TCPS_ESTABLISHED)
193323Sed				*age  = fr_tcplastack;
193323Sed			else {
193323Sed				*age  = fr_tcpclosewait;
193323Sed				state[dir] = TCPS_CLOSE_WAIT;
193323Sed			}
193323Sed		}
193323Sed		break;
193323Sed	}
193323Sed}
193323Sed
193323Sed
193323Sed#ifdef	IPFILTER_LOG
193323Sedvoid ipstate_log(is, type)
193323Sedstruct ipstate *is;
193323Sedu_int type;
193323Sed{
193323Sed	struct	ipslog	ipsl;
193323Sed	void *items[1];
193323Sed	size_t sizes[1];
193323Sed	int types[1];
193323Sed
193323Sed	ipsl.isl_type = type;
193323Sed	ipsl.isl_pkts = is->is_pkts;
193323Sed	ipsl.isl_bytes = is->is_bytes;
234353Sdim	ipsl.isl_src = is->is_src;
234353Sdim	ipsl.isl_dst = is->is_dst;
234353Sdim	ipsl.isl_p = is->is_p;
193323Sed	ipsl.isl_flags = is->is_flags;
198892Srdivacky	if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
221345Sdim		ipsl.isl_sport = is->is_sport;
193323Sed		ipsl.isl_dport = is->is_dport;
251662Sdim		if (ipsl.isl_p == IPPROTO_TCP) {
249423Sdim			ipsl.isl_state[0] = is->is_state[0];
193323Sed			ipsl.isl_state[1] = is->is_state[1];
251662Sdim		}
249423Sdim	} else if (ipsl.isl_p == IPPROTO_ICMP)
193323Sed		ipsl.isl_itype = is->is_icmp.ics_type;
251662Sdim	else {
249423Sdim		ipsl.isl_ps.isl_filler[0] = 0;
193323Sed		ipsl.isl_ps.isl_filler[1] = 0;
251662Sdim	}
249423Sdim	items[0] = &ipsl;
193323Sed	sizes[0] = sizeof(ipsl);
251662Sdim	types[0] = 0;
249423Sdim
193323Sed	(void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1);
251662Sdim}
249423Sdim#endif
193323Sed
251662Sdim
249423Sdimvoid ip_statesync(ifp)
193323Sedvoid *ifp;
251662Sdim{
249423Sdim	register ipstate_t *is;
193323Sed	register int i;
251662Sdim
249423Sdim	WRITE_ENTER(&ipf_state);
193323Sed	for (i = fr_statesize - 1; i >= 0; i--)
251662Sdim		for (is = ips_table[i]; is != NULL; is = is->is_next) {
249423Sdim			if (is->is_ifpin == ifp)
193323Sed				is->is_ifpin = NULL;
251662Sdim			if (is->is_ifpout == ifp)
249423Sdim				is->is_ifpout = NULL;
193323Sed		}
251662Sdim	RWLOCK_EXIT(&ipf_state);
249423Sdim}
193323Sed