pf.c revision 127531
1/* $FreeBSD: head/sys/contrib/pf/net/pf.c 127531 2004-03-28 20:04:12Z mlaier $ */ 2/* $OpenBSD: pf.c,v 1.389.2.2 2004/03/14 00:13:42 brad Exp $ */ 3 4/* 5 * Copyright (c) 2001 Daniel Hartmeier 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * - Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * - Redistributions in binary form must reproduce the above 15 * copyright notice, this list of conditions and the following 16 * disclaimer in the documentation and/or other materials provided 17 * with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 * 32 * Effort sponsored in part by the Defense Advanced Research Projects 33 * Agency (DARPA) and Air Force Research Laboratory, Air Force 34 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 35 * 36 */ 37 38#ifdef __FreeBSD__ 39#include "opt_inet.h" 40#include "opt_inet6.h" 41#endif 42 43#ifdef __FreeBSD__ 44#include "opt_bpf.h" 45#include "opt_pf.h" 46#define NBPFILTER DEV_BPF 47#define NPFLOG DEV_PFLOG 48#define NPFSYNC DEV_PFSYNC 49#else 50#include "bpfilter.h" 51#include "pflog.h" 52#include "pfsync.h" 53#endif 54 55#include <sys/param.h> 56#include <sys/systm.h> 57#include <sys/mbuf.h> 58#include <sys/filio.h> 59#include <sys/socket.h> 60#include <sys/socketvar.h> 61#include <sys/kernel.h> 62#include <sys/time.h> 63#ifdef __FreeBSD__ 64#include <sys/sysctl.h> 65#else 66#include <sys/pool.h> 67#endif 68 69#include <net/if.h> 70#include <net/if_types.h> 71#include <net/bpf.h> 72#include <net/route.h> 73 74#include <netinet/in.h> 75#include <netinet/in_var.h> 76#include <netinet/in_systm.h> 77#include <netinet/ip.h> 78#include <netinet/ip_var.h> 79#include <netinet/tcp.h> 80#include <netinet/tcp_seq.h> 81#include <netinet/udp.h> 82#include <netinet/ip_icmp.h> 83#include <netinet/in_pcb.h> 84#include <netinet/tcp_timer.h> 85#include <netinet/tcp_var.h> 86#include <netinet/udp_var.h> 87#include <netinet/icmp_var.h> 88 89#ifndef __FreeBSD__ 90#include <dev/rndvar.h> 91#endif 92#include <net/pfvar.h> 93#include <net/if_pflog.h> 94#include <net/if_pfsync.h> 95 96#ifdef INET6 97#include <netinet/ip6.h> 98#include <netinet/in_pcb.h> 99#include <netinet/icmp6.h> 100#include <netinet6/nd6.h> 101#ifdef __FreeBSD__ 102#include <netinet6/ip6_var.h> 103#include <netinet6/in6_pcb.h> 104#endif 105#endif /* INET6 */ 106 107#ifdef ALTQ 108#include <altq/if_altq.h> 109#endif 110 111#ifdef __FreeBSD__ 112#include <machine/in_cksum.h> 113#if (__FreeBSD_version >= 500112) 114#include <sys/limits.h> 115#else 116#include <machine/limits.h> 117#endif 118#include <sys/ucred.h> 119#endif 120 121#ifdef __FreeBSD__ 122extern int ip_optcopy(struct ip *, struct ip *); 123#if (__FreeBSD_version < 501105) 124int ip_fragment(struct ip *ip, struct mbuf **m_frag, int mtu, 125 u_long if_hwassist_flags, int sw_csum); 126#endif 127#endif 128 129#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 130struct pf_state_tree; 131 132/* 133 * Global variables 134 */ 135 136struct pf_anchorqueue pf_anchors; 137struct pf_ruleset pf_main_ruleset; 138struct pf_altqqueue pf_altqs[2]; 139struct pf_palist pf_pabuf; 140struct pf_altqqueue *pf_altqs_active; 141struct pf_altqqueue *pf_altqs_inactive; 142struct pf_status pf_status; 143struct ifnet *status_ifp; 144 145u_int32_t ticket_altqs_active; 146u_int32_t ticket_altqs_inactive; 147u_int32_t ticket_pabuf; 148 149#ifdef __FreeBSD__ 150struct callout pf_expire_to; /* expire timeout */ 151#else 152struct timeout pf_expire_to; /* expire timeout */ 153#endif 154 155 156#ifdef __FreeBSD__ 157uma_zone_t pf_tree_pl, pf_rule_pl, pf_addr_pl; 158uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 159#else 160struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl; 161struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 162#endif 163 164void pf_dynaddr_update(void *); 165#ifdef __FreeBSD__ 166void pf_dynaddr_update_event(void *arg, struct ifnet *ifp); 167#endif 168void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); 169void pf_print_state(struct pf_state *); 170void pf_print_flags(u_int8_t); 171 172u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, 173 u_int8_t); 174void pf_change_ap(struct pf_addr *, u_int16_t *, 175 u_int16_t *, u_int16_t *, struct pf_addr *, 176 u_int16_t, u_int8_t, sa_family_t); 177#ifdef INET6 178void pf_change_a6(struct pf_addr *, u_int16_t *, 179 struct pf_addr *, u_int8_t); 180#endif /* INET6 */ 181void pf_change_icmp(struct pf_addr *, u_int16_t *, 182 struct pf_addr *, struct pf_addr *, u_int16_t, 183 u_int16_t *, u_int16_t *, u_int16_t *, 184 u_int16_t *, u_int8_t, sa_family_t); 185void pf_send_tcp(const struct pf_rule *, sa_family_t, 186 const struct pf_addr *, const struct pf_addr *, 187 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 188 u_int8_t, u_int16_t, u_int16_t, u_int8_t); 189void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, 190 sa_family_t, struct pf_rule *); 191struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, 192 int, int, struct ifnet *, 193 struct pf_addr *, u_int16_t, struct pf_addr *, 194 u_int16_t, int); 195struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, 196 int, int, struct ifnet *, 197 struct pf_addr *, u_int16_t, 198 struct pf_addr *, u_int16_t, 199 struct pf_addr *, u_int16_t *); 200int pf_test_tcp(struct pf_rule **, struct pf_state **, 201 int, struct ifnet *, struct mbuf *, int, int, 202 void *, struct pf_pdesc *, struct pf_rule **, 203 struct pf_ruleset **); 204int pf_test_udp(struct pf_rule **, struct pf_state **, 205 int, struct ifnet *, struct mbuf *, int, int, 206 void *, struct pf_pdesc *, struct pf_rule **, 207 struct pf_ruleset **); 208int pf_test_icmp(struct pf_rule **, struct pf_state **, 209 int, struct ifnet *, struct mbuf *, int, int, 210 void *, struct pf_pdesc *, struct pf_rule **, 211 struct pf_ruleset **); 212int pf_test_other(struct pf_rule **, struct pf_state **, 213 int, struct ifnet *, struct mbuf *, int, void *, 214 struct pf_pdesc *, struct pf_rule **, 215 struct pf_ruleset **); 216int pf_test_fragment(struct pf_rule **, int, 217 struct ifnet *, struct mbuf *, void *, 218 struct pf_pdesc *, struct pf_rule **, 219 struct pf_ruleset **); 220int pf_test_state_tcp(struct pf_state **, int, 221 struct ifnet *, struct mbuf *, int, int, 222 void *, struct pf_pdesc *, u_short *); 223int pf_test_state_udp(struct pf_state **, int, 224 struct ifnet *, struct mbuf *, int, int, 225 void *, struct pf_pdesc *); 226int pf_test_state_icmp(struct pf_state **, int, 227 struct ifnet *, struct mbuf *, int, int, 228 void *, struct pf_pdesc *); 229int pf_test_state_other(struct pf_state **, int, 230 struct ifnet *, struct pf_pdesc *); 231struct pf_tag *pf_get_tag(struct mbuf *); 232int pf_match_tag(struct mbuf *, struct pf_rule *, 233 struct pf_rule *, struct pf_rule *, 234 struct pf_tag *, int *); 235void pf_hash(struct pf_addr *, struct pf_addr *, 236 struct pf_poolhashkey *, sa_family_t); 237int pf_map_addr(u_int8_t, struct pf_pool *, 238 struct pf_addr *, struct pf_addr *, 239 struct pf_addr *); 240int pf_get_sport(sa_family_t, u_int8_t, struct pf_pool *, 241 struct pf_addr *, struct pf_addr *, u_int16_t, 242 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t); 243void pf_route(struct mbuf **, struct pf_rule *, int, 244 struct ifnet *, struct pf_state *); 245void pf_route6(struct mbuf **, struct pf_rule *, int, 246 struct ifnet *, struct pf_state *); 247int pf_socket_lookup(uid_t *, gid_t *, int, sa_family_t, 248 int, struct pf_pdesc *); 249u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, 250 sa_family_t); 251u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, 252 sa_family_t); 253u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, 254 u_int16_t); 255void pf_set_rt_ifp(struct pf_state *, 256 struct pf_addr *); 257int pf_check_proto_cksum(struct mbuf *, int, int, 258 u_int8_t, sa_family_t); 259int pf_addr_wrap_neq(struct pf_addr_wrap *, 260 struct pf_addr_wrap *); 261 262#ifdef __FreeBSD__ 263int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len); 264 265struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; 266#else 267struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = 268 { { &pf_state_pl, PFSTATE_HIWAT }, { &pf_frent_pl, PFFRAG_FRENT_HIWAT } }; 269#endif 270 271#define STATE_LOOKUP() \ 272 do { \ 273 if (direction == PF_IN) \ 274 *state = pf_find_state(&tree_ext_gwy, &key); \ 275 else \ 276 *state = pf_find_state(&tree_lan_ext, &key); \ 277 if (*state == NULL) \ 278 return (PF_DROP); \ 279 if (direction == PF_OUT && \ 280 (((*state)->rule.ptr->rt == PF_ROUTETO && \ 281 (*state)->rule.ptr->direction == PF_OUT) || \ 282 ((*state)->rule.ptr->rt == PF_REPLYTO && \ 283 (*state)->rule.ptr->direction == PF_IN)) && \ 284 (*state)->rt_ifp != NULL && \ 285 (*state)->rt_ifp != ifp) \ 286 return (PF_PASS); \ 287 } while (0) 288 289#define STATE_TRANSLATE(s) \ 290 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \ 291 ((s)->af == AF_INET6 && \ 292 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \ 293 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \ 294 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \ 295 (s)->lan.port != (s)->gwy.port 296 297static __inline int pf_state_compare(struct pf_tree_node *, 298 struct pf_tree_node *); 299 300struct pf_state_tree tree_lan_ext, tree_ext_gwy; 301RB_GENERATE(pf_state_tree, pf_tree_node, entry, pf_state_compare); 302 303#ifdef __FreeBSD__ 304static int 305#else 306static __inline int 307#endif 308pf_state_compare(struct pf_tree_node *a, struct pf_tree_node *b) 309{ 310 int diff; 311 312 if ((diff = a->proto - b->proto) != 0) 313 return (diff); 314 if ((diff = a->af - b->af) != 0) 315 return (diff); 316 switch (a->af) { 317#ifdef INET 318 case AF_INET: 319 if (a->addr[0].addr32[0] > b->addr[0].addr32[0]) 320 return (1); 321 if (a->addr[0].addr32[0] < b->addr[0].addr32[0]) 322 return (-1); 323 if (a->addr[1].addr32[0] > b->addr[1].addr32[0]) 324 return (1); 325 if (a->addr[1].addr32[0] < b->addr[1].addr32[0]) 326 return (-1); 327 break; 328#endif /* INET */ 329#ifdef INET6 330 case AF_INET6: 331 if (a->addr[0].addr32[3] > b->addr[0].addr32[3]) 332 return (1); 333 if (a->addr[0].addr32[3] < b->addr[0].addr32[3]) 334 return (-1); 335 if (a->addr[1].addr32[3] > b->addr[1].addr32[3]) 336 return (1); 337 if (a->addr[1].addr32[3] < b->addr[1].addr32[3]) 338 return (-1); 339 if (a->addr[0].addr32[2] > b->addr[0].addr32[2]) 340 return (1); 341 if (a->addr[0].addr32[2] < b->addr[0].addr32[2]) 342 return (-1); 343 if (a->addr[1].addr32[2] > b->addr[1].addr32[2]) 344 return (1); 345 if (a->addr[1].addr32[2] < b->addr[1].addr32[2]) 346 return (-1); 347 if (a->addr[0].addr32[1] > b->addr[0].addr32[1]) 348 return (1); 349 if (a->addr[0].addr32[1] < b->addr[0].addr32[1]) 350 return (-1); 351 if (a->addr[1].addr32[1] > b->addr[1].addr32[1]) 352 return (1); 353 if (a->addr[1].addr32[1] < b->addr[1].addr32[1]) 354 return (-1); 355 if (a->addr[0].addr32[0] > b->addr[0].addr32[0]) 356 return (1); 357 if (a->addr[0].addr32[0] < b->addr[0].addr32[0]) 358 return (-1); 359 if (a->addr[1].addr32[0] > b->addr[1].addr32[0]) 360 return (1); 361 if (a->addr[1].addr32[0] < b->addr[1].addr32[0]) 362 return (-1); 363 break; 364#endif /* INET6 */ 365 } 366 367 if ((diff = a->port[0] - b->port[0]) != 0) 368 return (diff); 369 if ((diff = a->port[1] - b->port[1]) != 0) 370 return (diff); 371 372 return (0); 373} 374 375#ifdef INET6 376void 377pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af) 378{ 379 switch (af) { 380#ifdef INET 381 case AF_INET: 382 dst->addr32[0] = src->addr32[0]; 383 break; 384#endif /* INET */ 385 case AF_INET6: 386 dst->addr32[0] = src->addr32[0]; 387 dst->addr32[1] = src->addr32[1]; 388 dst->addr32[2] = src->addr32[2]; 389 dst->addr32[3] = src->addr32[3]; 390 break; 391 } 392} 393#endif 394 395struct pf_state * 396pf_find_state(struct pf_state_tree *tree, struct pf_tree_node *key) 397{ 398 struct pf_tree_node *k; 399 400 pf_status.fcounters[FCNT_STATE_SEARCH]++; 401 k = RB_FIND(pf_state_tree, tree, key); 402 if (k) 403 return (k->state); 404 else 405 return (NULL); 406} 407 408int 409pf_insert_state(struct pf_state *state) 410{ 411 struct pf_tree_node *keya, *keyb; 412 413 keya = pool_get(&pf_tree_pl, PR_NOWAIT); 414 if (keya == NULL) 415 return (-1); 416 keya->state = state; 417 keya->proto = state->proto; 418 keya->af = state->af; 419 PF_ACPY(&keya->addr[0], &state->lan.addr, state->af); 420 keya->port[0] = state->lan.port; 421 PF_ACPY(&keya->addr[1], &state->ext.addr, state->af); 422 keya->port[1] = state->ext.port; 423 424 /* Thou MUST NOT insert multiple duplicate keys */ 425 if (RB_INSERT(pf_state_tree, &tree_lan_ext, keya) != NULL) { 426 if (pf_status.debug >= PF_DEBUG_MISC) { 427 printf("pf: state insert failed: tree_lan_ext"); 428 printf(" lan: "); 429 pf_print_host(&state->lan.addr, state->lan.port, 430 state->af); 431 printf(" gwy: "); 432 pf_print_host(&state->gwy.addr, state->gwy.port, 433 state->af); 434 printf(" ext: "); 435 pf_print_host(&state->ext.addr, state->ext.port, 436 state->af); 437 printf("\n"); 438 } 439 pool_put(&pf_tree_pl, keya); 440 return (-1); 441 } 442 443 keyb = pool_get(&pf_tree_pl, PR_NOWAIT); 444 if (keyb == NULL) { 445 /* Need to pull out the other state */ 446 RB_REMOVE(pf_state_tree, &tree_lan_ext, keya); 447 pool_put(&pf_tree_pl, keya); 448 return (-1); 449 } 450 keyb->state = state; 451 keyb->proto = state->proto; 452 keyb->af = state->af; 453 PF_ACPY(&keyb->addr[0], &state->ext.addr, state->af); 454 keyb->port[0] = state->ext.port; 455 PF_ACPY(&keyb->addr[1], &state->gwy.addr, state->af); 456 keyb->port[1] = state->gwy.port; 457 458 if (RB_INSERT(pf_state_tree, &tree_ext_gwy, keyb) != NULL) { 459 if (pf_status.debug >= PF_DEBUG_MISC) { 460 printf("pf: state insert failed: tree_ext_gwy"); 461 printf(" lan: "); 462 pf_print_host(&state->lan.addr, state->lan.port, 463 state->af); 464 printf(" gwy: "); 465 pf_print_host(&state->gwy.addr, state->gwy.port, 466 state->af); 467 printf(" ext: "); 468 pf_print_host(&state->ext.addr, state->ext.port, 469 state->af); 470 printf("\n"); 471 } 472 RB_REMOVE(pf_state_tree, &tree_lan_ext, keya); 473 pool_put(&pf_tree_pl, keya); 474 pool_put(&pf_tree_pl, keyb); 475 return (-1); 476 } 477 478 pf_status.fcounters[FCNT_STATE_INSERT]++; 479 pf_status.states++; 480#if NPFSYNC 481 pfsync_insert_state(state); 482#endif 483 return (0); 484} 485 486void 487pf_purge_timeout(void *arg) 488{ 489#ifdef __FreeBSD__ 490 struct callout *to = arg; 491#else 492 struct timeout *to = arg; 493#endif 494 int s; 495 496#ifdef __FreeBSD__ 497 PF_LOCK(); 498#endif 499 s = splsoftnet(); 500 pf_purge_expired_states(); 501 pf_purge_expired_fragments(); 502 splx(s); 503#ifdef __FreeBSD__ 504 PF_UNLOCK(); 505#endif 506 507#ifdef __FreeBSD__ 508 callout_reset(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz, 509 pf_purge_timeout, to); 510#else 511 timeout_add(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz); 512#endif 513} 514 515u_int32_t 516pf_state_expires(const struct pf_state *state) 517{ 518 u_int32_t timeout; 519 u_int32_t start; 520 u_int32_t end; 521 u_int32_t states; 522 523 /* handle all PFTM_* > PFTM_MAX here */ 524 if (state->timeout == PFTM_PURGE) 525#ifdef __FreeBSD__ 526 return (time_second); 527#else 528 return (time.tv_sec); 529#endif 530 if (state->timeout == PFTM_UNTIL_PACKET) 531 return (0); 532#ifdef __FreeBSD__ 533 KASSERT((state->timeout < PFTM_MAX), 534 ("pf_state_expires: timeout > PFTM_MAX")); 535#else 536 KASSERT(state->timeout < PFTM_MAX); 537#endif 538 timeout = state->rule.ptr->timeout[state->timeout]; 539 if (!timeout) 540 timeout = pf_default_rule.timeout[state->timeout]; 541 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; 542 if (start) { 543 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; 544 states = state->rule.ptr->states; 545 } else { 546 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START]; 547 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 548 states = pf_status.states; 549 } 550 if (end && states > start && start < end) { 551 if (states < end) 552 return (state->expire + timeout * (end - states) / 553 (end - start)); 554 else 555#ifdef __FreeBSD__ 556 return (time_second); 557#else 558 return (time.tv_sec); 559#endif 560 } 561 return (state->expire + timeout); 562} 563 564void 565pf_purge_expired_states(void) 566{ 567 struct pf_tree_node *cur, *peer, *next; 568 struct pf_tree_node key; 569 570 for (cur = RB_MIN(pf_state_tree, &tree_ext_gwy); cur; cur = next) { 571 next = RB_NEXT(pf_state_tree, &tree_ext_gwy, cur); 572 573#ifdef __FreeBSD__ 574 if (pf_state_expires(cur->state) <= (u_int32_t)time_second) { 575#else 576 if (pf_state_expires(cur->state) <= time.tv_sec) { 577#endif 578 if (cur->state->src.state == PF_TCPS_PROXY_DST) 579 pf_send_tcp(cur->state->rule.ptr, 580 cur->state->af, 581 &cur->state->ext.addr, 582 &cur->state->lan.addr, 583 cur->state->ext.port, 584 cur->state->lan.port, 585 cur->state->src.seqhi, 586 cur->state->src.seqlo + 1, 587 0, 588 TH_RST|TH_ACK, 0, 0); 589 RB_REMOVE(pf_state_tree, &tree_ext_gwy, cur); 590 591 /* Need this key's peer (in the other tree) */ 592 key.state = cur->state; 593 key.proto = cur->state->proto; 594 key.af = cur->state->af; 595 PF_ACPY(&key.addr[0], &cur->state->lan.addr, 596 cur->state->af); 597 key.port[0] = cur->state->lan.port; 598 PF_ACPY(&key.addr[1], &cur->state->ext.addr, 599 cur->state->af); 600 key.port[1] = cur->state->ext.port; 601 602 peer = RB_FIND(pf_state_tree, &tree_lan_ext, &key); 603#ifdef __FreeBSD__ 604 KASSERT((peer), ("peer null :%s", __FUNCTION__)); 605 KASSERT((peer->state == cur->state), 606 ("peer->state != cur->state: %s", __FUNCTION__)); 607#else 608 KASSERT(peer); 609 KASSERT(peer->state == cur->state); 610#endif 611 RB_REMOVE(pf_state_tree, &tree_lan_ext, peer); 612 613#if NPFSYNC 614 pfsync_delete_state(cur->state); 615#endif 616 if (--cur->state->rule.ptr->states <= 0) 617 pf_rm_rule(NULL, cur->state->rule.ptr); 618 if (cur->state->nat_rule.ptr != NULL) 619 if (--cur->state->nat_rule.ptr->states <= 0) 620 pf_rm_rule(NULL, 621 cur->state->nat_rule.ptr); 622 if (cur->state->anchor.ptr != NULL) 623 if (--cur->state->anchor.ptr->states <= 0) 624 pf_rm_rule(NULL, 625 cur->state->anchor.ptr); 626 pf_normalize_tcp_cleanup(cur->state); 627 pool_put(&pf_state_pl, cur->state); 628 pool_put(&pf_tree_pl, cur); 629 pool_put(&pf_tree_pl, peer); 630 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 631 pf_status.states--; 632 } 633 } 634} 635 636int 637pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw) 638{ 639 if (aw->type != PF_ADDR_TABLE) 640 return (0); 641 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL) 642 return (1); 643 return (0); 644} 645 646void 647pf_tbladdr_remove(struct pf_addr_wrap *aw) 648{ 649 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) 650 return; 651 pfr_detach_table(aw->p.tbl); 652 aw->p.tbl = NULL; 653} 654 655void 656pf_tbladdr_copyout(struct pf_addr_wrap *aw) 657{ 658 struct pfr_ktable *kt = aw->p.tbl; 659 660 if (aw->type != PF_ADDR_TABLE || kt == NULL) 661 return; 662 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) 663 kt = kt->pfrkt_root; 664 aw->p.tbl = NULL; 665 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? 666 kt->pfrkt_cnt : -1; 667} 668 669int 670pf_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) 671{ 672 if (aw->type != PF_ADDR_DYNIFTL) 673 return (0); 674 aw->p.dyn = pool_get(&pf_addr_pl, PR_NOWAIT); 675 if (aw->p.dyn == NULL) 676 return (1); 677 bcopy(aw->v.ifname, aw->p.dyn->ifname, sizeof(aw->p.dyn->ifname)); 678 aw->p.dyn->ifp = ifunit(aw->p.dyn->ifname); 679 if (aw->p.dyn->ifp == NULL) { 680 pool_put(&pf_addr_pl, aw->p.dyn); 681 aw->p.dyn = NULL; 682 return (1); 683 } 684 aw->p.dyn->addr = &aw->v.a.addr; 685 aw->p.dyn->af = af; 686 aw->p.dyn->undefined = 1; 687#ifndef __FreeBSD__ 688 aw->p.dyn->hook_cookie = hook_establish( 689 aw->p.dyn->ifp->if_addrhooks, 1, 690 pf_dynaddr_update, aw->p.dyn); 691 if (aw->p.dyn->hook_cookie == NULL) { 692 pool_put(&pf_addr_pl, aw->p.dyn); 693 aw->p.dyn = NULL; 694 return (1); 695 } 696#else 697 PF_UNLOCK(); 698 aw->p.dyn->hook_cookie = EVENTHANDLER_REGISTER(ifaddr_event, 699 pf_dynaddr_update_event, aw->p.dyn, EVENTHANDLER_PRI_ANY); 700 PF_LOCK(); 701 if (aw->p.dyn->hook_cookie == NULL) { 702 pool_put(&pf_addr_pl, aw->p.dyn); 703 aw->p.dyn = NULL; 704 return (1); 705 } 706#endif 707 pf_dynaddr_update(aw->p.dyn); 708 return (0); 709} 710 711#ifdef __FreeBSD__ 712void 713pf_dynaddr_update_event(void *arg, struct ifnet *ifp) 714{ 715 PF_LOCK(); 716 pf_dynaddr_update(arg); 717 PF_UNLOCK(); 718} 719#endif 720 721void 722pf_dynaddr_update(void *p) 723{ 724 struct pf_addr_dyn *ad = (struct pf_addr_dyn *)p; 725 struct ifaddr *ia; 726 int s, changed = 0; 727 728 if (ad == NULL || ad->ifp == NULL) 729 panic("pf_dynaddr_update"); 730 s = splsoftnet(); 731 TAILQ_FOREACH(ia, &ad->ifp->if_addrlist, ifa_list) 732 if (ia->ifa_addr != NULL && 733 ia->ifa_addr->sa_family == ad->af) { 734 if (ad->af == AF_INET) { 735 struct in_addr *a, *b; 736 737 a = &ad->addr->v4; 738 b = &((struct sockaddr_in *)ia->ifa_addr) 739 ->sin_addr; 740 if (ad->undefined || 741 memcmp(a, b, sizeof(*a))) { 742 bcopy(b, a, sizeof(*a)); 743 changed = 1; 744 } 745 } else if (ad->af == AF_INET6) { 746 struct in6_addr *a, *b; 747 748 a = &ad->addr->v6; 749 b = &((struct sockaddr_in6 *)ia->ifa_addr) 750 ->sin6_addr; 751 if (ad->undefined || 752 memcmp(a, b, sizeof(*a))) { 753 bcopy(b, a, sizeof(*a)); 754 changed = 1; 755 } 756 } 757 if (changed) 758 ad->undefined = 0; 759 break; 760 } 761 if (ia == NULL) 762 ad->undefined = 1; 763 splx(s); 764} 765 766void 767pf_dynaddr_remove(struct pf_addr_wrap *aw) 768{ 769 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL) 770 return; 771#ifndef __FreeBSD__ 772 hook_disestablish(aw->p.dyn->ifp->if_addrhooks, 773 aw->p.dyn->hook_cookie); 774#else 775 PF_UNLOCK(); 776 EVENTHANDLER_DEREGISTER(ifaddr_event, aw->p.dyn->hook_cookie); 777 PF_LOCK(); 778#endif 779 pool_put(&pf_addr_pl, aw->p.dyn); 780 aw->p.dyn = NULL; 781} 782 783void 784pf_dynaddr_copyout(struct pf_addr_wrap *aw) 785{ 786 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL) 787 return; 788 bcopy(aw->p.dyn->ifname, aw->v.ifname, sizeof(aw->v.ifname)); 789 aw->p.dyn = (struct pf_addr_dyn *)1; 790} 791 792void 793pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) 794{ 795 switch (af) { 796#ifdef INET 797 case AF_INET: { 798 u_int32_t a = ntohl(addr->addr32[0]); 799 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, 800 (a>>8)&255, a&255); 801 if (p) { 802 p = ntohs(p); 803 printf(":%u", p); 804 } 805 break; 806 } 807#endif /* INET */ 808#ifdef INET6 809 case AF_INET6: { 810 u_int16_t b; 811 u_int8_t i, curstart = 255, curend = 0, 812 maxstart = 0, maxend = 0; 813 for (i = 0; i < 8; i++) { 814 if (!addr->addr16[i]) { 815 if (curstart == 255) 816 curstart = i; 817 else 818 curend = i; 819 } else { 820 if (curstart) { 821 if ((curend - curstart) > 822 (maxend - maxstart)) { 823 maxstart = curstart; 824 maxend = curend; 825 curstart = 255; 826 } 827 } 828 } 829 } 830 for (i = 0; i < 8; i++) { 831 if (i >= maxstart && i <= maxend) { 832 if (maxend != 7) { 833 if (i == maxstart) 834 printf(":"); 835 } else { 836 if (i == maxend) 837 printf(":"); 838 } 839 } else { 840 b = ntohs(addr->addr16[i]); 841 printf("%x", b); 842 if (i < 7) 843 printf(":"); 844 } 845 } 846 if (p) { 847 p = ntohs(p); 848 printf("[%u]", p); 849 } 850 break; 851 } 852#endif /* INET6 */ 853 } 854} 855 856void 857pf_print_state(struct pf_state *s) 858{ 859 switch (s->proto) { 860 case IPPROTO_TCP: 861 printf("TCP "); 862 break; 863 case IPPROTO_UDP: 864 printf("UDP "); 865 break; 866 case IPPROTO_ICMP: 867 printf("ICMP "); 868 break; 869 case IPPROTO_ICMPV6: 870 printf("ICMPV6 "); 871 break; 872 default: 873 printf("%u ", s->proto); 874 break; 875 } 876 pf_print_host(&s->lan.addr, s->lan.port, s->af); 877 printf(" "); 878 pf_print_host(&s->gwy.addr, s->gwy.port, s->af); 879 printf(" "); 880 pf_print_host(&s->ext.addr, s->ext.port, s->af); 881 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, 882 s->src.seqhi, s->src.max_win, s->src.seqdiff); 883 if (s->src.wscale && s->dst.wscale) 884 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); 885 printf("]"); 886 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, 887 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); 888 if (s->src.wscale && s->dst.wscale) 889 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); 890 printf("]"); 891 printf(" %u:%u", s->src.state, s->dst.state); 892} 893 894void 895pf_print_flags(u_int8_t f) 896{ 897 if (f) 898 printf(" "); 899 if (f & TH_FIN) 900 printf("F"); 901 if (f & TH_SYN) 902 printf("S"); 903 if (f & TH_RST) 904 printf("R"); 905 if (f & TH_PUSH) 906 printf("P"); 907 if (f & TH_ACK) 908 printf("A"); 909 if (f & TH_URG) 910 printf("U"); 911 if (f & TH_ECE) 912 printf("E"); 913 if (f & TH_CWR) 914 printf("W"); 915} 916 917#define PF_SET_SKIP_STEPS(i) \ 918 do { \ 919 while (head[i] != cur) { \ 920 head[i]->skip[i].ptr = cur; \ 921 head[i] = TAILQ_NEXT(head[i], entries); \ 922 } \ 923 } while (0) 924 925void 926pf_calc_skip_steps(struct pf_rulequeue *rules) 927{ 928 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; 929 int i; 930 931 cur = TAILQ_FIRST(rules); 932 prev = cur; 933 for (i = 0; i < PF_SKIP_COUNT; ++i) 934 head[i] = cur; 935 while (cur != NULL) { 936 937 if (cur->ifp != prev->ifp || cur->ifnot != prev->ifnot) 938 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 939 if (cur->direction != prev->direction) 940 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 941 if (cur->af != prev->af) 942 PF_SET_SKIP_STEPS(PF_SKIP_AF); 943 if (cur->proto != prev->proto) 944 PF_SET_SKIP_STEPS(PF_SKIP_PROTO); 945 if (cur->src.not != prev->src.not || 946 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 947 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 948 if (cur->src.port[0] != prev->src.port[0] || 949 cur->src.port[1] != prev->src.port[1] || 950 cur->src.port_op != prev->src.port_op) 951 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); 952 if (cur->dst.not != prev->dst.not || 953 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 954 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 955 if (cur->dst.port[0] != prev->dst.port[0] || 956 cur->dst.port[1] != prev->dst.port[1] || 957 cur->dst.port_op != prev->dst.port_op) 958 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 959 960 prev = cur; 961 cur = TAILQ_NEXT(cur, entries); 962 } 963 for (i = 0; i < PF_SKIP_COUNT; ++i) 964 PF_SET_SKIP_STEPS(i); 965} 966 967int 968pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) 969{ 970 if (aw1->type != aw2->type) 971 return (1); 972 switch (aw1->type) { 973 case PF_ADDR_ADDRMASK: 974 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) 975 return (1); 976 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 977 return (1); 978 return (0); 979 case PF_ADDR_DYNIFTL: 980 if (aw1->p.dyn->ifp != aw2->p.dyn->ifp) 981 return (1); 982 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 983 return (1); 984 return (0); 985 case PF_ADDR_NOROUTE: 986 return (0); 987 case PF_ADDR_TABLE: 988 return (aw1->p.tbl != aw2->p.tbl); 989 default: 990 printf("invalid address type: %d\n", aw1->type); 991 return (1); 992 } 993} 994 995void 996pf_rule_set_qid(struct pf_rulequeue *rules) 997{ 998 struct pf_rule *rule; 999 1000 TAILQ_FOREACH(rule, rules, entries) 1001 if (rule->qname[0] != 0) { 1002 rule->qid = pf_qname_to_qid(rule->qname); 1003 if (rule->pqname[0] != 0) 1004 rule->pqid = pf_qname_to_qid(rule->pqname); 1005 else 1006 rule->pqid = rule->qid; 1007 } 1008} 1009 1010u_int32_t 1011pf_qname_to_qid(char *qname) 1012{ 1013 struct pf_altq *altq; 1014 1015 TAILQ_FOREACH(altq, pf_altqs_active, entries) 1016 if (!strcmp(altq->qname, qname)) 1017 return (altq->qid); 1018 1019 return (0); 1020} 1021 1022void 1023pf_update_anchor_rules() 1024{ 1025 struct pf_rule *rule; 1026 int i; 1027 1028 for (i = 0; i < PF_RULESET_MAX; ++i) 1029 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr, 1030 entries) 1031 if (rule->anchorname[0]) 1032 rule->anchor = pf_find_anchor(rule->anchorname); 1033 else 1034 rule->anchor = NULL; 1035} 1036 1037u_int16_t 1038pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1039{ 1040 u_int32_t l; 1041 1042 if (udp && !cksum) 1043 return (0x0000); 1044 l = cksum + old - new; 1045 l = (l >> 16) + (l & 65535); 1046 l = l & 65535; 1047 if (udp && !l) 1048 return (0xFFFF); 1049 return (l); 1050} 1051 1052void 1053pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 1054 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) 1055{ 1056 struct pf_addr ao; 1057 u_int16_t po = *p; 1058 1059 PF_ACPY(&ao, a, af); 1060 PF_ACPY(a, an, af); 1061 1062 *p = pn; 1063 1064 switch (af) { 1065#ifdef INET 1066 case AF_INET: 1067 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1068 ao.addr16[0], an->addr16[0], 0), 1069 ao.addr16[1], an->addr16[1], 0); 1070 *p = pn; 1071 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1072 ao.addr16[0], an->addr16[0], u), 1073 ao.addr16[1], an->addr16[1], u), 1074 po, pn, u); 1075 break; 1076#endif /* INET */ 1077#ifdef INET6 1078 case AF_INET6: 1079 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1080 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1081 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1082 ao.addr16[0], an->addr16[0], u), 1083 ao.addr16[1], an->addr16[1], u), 1084 ao.addr16[2], an->addr16[2], u), 1085 ao.addr16[3], an->addr16[3], u), 1086 ao.addr16[4], an->addr16[4], u), 1087 ao.addr16[5], an->addr16[5], u), 1088 ao.addr16[6], an->addr16[6], u), 1089 ao.addr16[7], an->addr16[7], u), 1090 po, pn, u); 1091 break; 1092#endif /* INET6 */ 1093 } 1094} 1095 1096 1097/* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 1098void 1099pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 1100{ 1101 u_int32_t ao; 1102 1103 memcpy(&ao, a, sizeof(ao)); 1104 memcpy(a, &an, sizeof(u_int32_t)); 1105 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 1106 ao % 65536, an % 65536, u); 1107} 1108 1109#ifdef INET6 1110void 1111pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 1112{ 1113 struct pf_addr ao; 1114 1115 PF_ACPY(&ao, a, AF_INET6); 1116 PF_ACPY(a, an, AF_INET6); 1117 1118 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1119 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1120 pf_cksum_fixup(pf_cksum_fixup(*c, 1121 ao.addr16[0], an->addr16[0], u), 1122 ao.addr16[1], an->addr16[1], u), 1123 ao.addr16[2], an->addr16[2], u), 1124 ao.addr16[3], an->addr16[3], u), 1125 ao.addr16[4], an->addr16[4], u), 1126 ao.addr16[5], an->addr16[5], u), 1127 ao.addr16[6], an->addr16[6], u), 1128 ao.addr16[7], an->addr16[7], u); 1129} 1130#endif /* INET6 */ 1131 1132void 1133pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, 1134 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 1135 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) 1136{ 1137 struct pf_addr oia, ooa; 1138 1139 PF_ACPY(&oia, ia, af); 1140 PF_ACPY(&ooa, oa, af); 1141 1142 /* Change inner protocol port, fix inner protocol checksum. */ 1143 if (ip != NULL) { 1144 u_int16_t oip = *ip; 1145 u_int32_t opc; 1146 1147 if (pc != NULL) 1148 opc = *pc; 1149 *ip = np; 1150 if (pc != NULL) 1151 *pc = pf_cksum_fixup(*pc, oip, *ip, u); 1152 *ic = pf_cksum_fixup(*ic, oip, *ip, 0); 1153 if (pc != NULL) 1154 *ic = pf_cksum_fixup(*ic, opc, *pc, 0); 1155 } 1156 /* Change inner ip address, fix inner ip and icmp checksums. */ 1157 PF_ACPY(ia, na, af); 1158 switch (af) { 1159#ifdef INET 1160 case AF_INET: { 1161 u_int32_t oh2c = *h2c; 1162 1163 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, 1164 oia.addr16[0], ia->addr16[0], 0), 1165 oia.addr16[1], ia->addr16[1], 0); 1166 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1167 oia.addr16[0], ia->addr16[0], 0), 1168 oia.addr16[1], ia->addr16[1], 0); 1169 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); 1170 break; 1171 } 1172#endif /* INET */ 1173#ifdef INET6 1174 case AF_INET6: 1175 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1176 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1177 pf_cksum_fixup(pf_cksum_fixup(*ic, 1178 oia.addr16[0], ia->addr16[0], u), 1179 oia.addr16[1], ia->addr16[1], u), 1180 oia.addr16[2], ia->addr16[2], u), 1181 oia.addr16[3], ia->addr16[3], u), 1182 oia.addr16[4], ia->addr16[4], u), 1183 oia.addr16[5], ia->addr16[5], u), 1184 oia.addr16[6], ia->addr16[6], u), 1185 oia.addr16[7], ia->addr16[7], u); 1186 break; 1187#endif /* INET6 */ 1188 } 1189 /* Change outer ip address, fix outer ip or icmpv6 checksum. */ 1190 PF_ACPY(oa, na, af); 1191 switch (af) { 1192#ifdef INET 1193 case AF_INET: 1194 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, 1195 ooa.addr16[0], oa->addr16[0], 0), 1196 ooa.addr16[1], oa->addr16[1], 0); 1197 break; 1198#endif /* INET */ 1199#ifdef INET6 1200 case AF_INET6: 1201 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1202 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1203 pf_cksum_fixup(pf_cksum_fixup(*ic, 1204 ooa.addr16[0], oa->addr16[0], u), 1205 ooa.addr16[1], oa->addr16[1], u), 1206 ooa.addr16[2], oa->addr16[2], u), 1207 ooa.addr16[3], oa->addr16[3], u), 1208 ooa.addr16[4], oa->addr16[4], u), 1209 ooa.addr16[5], oa->addr16[5], u), 1210 ooa.addr16[6], oa->addr16[6], u), 1211 ooa.addr16[7], oa->addr16[7], u); 1212 break; 1213#endif /* INET6 */ 1214 } 1215} 1216 1217void 1218pf_send_tcp(const struct pf_rule *r, sa_family_t af, 1219 const struct pf_addr *saddr, const struct pf_addr *daddr, 1220 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, 1221 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl) 1222{ 1223 struct mbuf *m; 1224 struct m_tag *mtag; 1225 int len, tlen; 1226#ifdef INET 1227 struct ip *h; 1228#endif /* INET */ 1229#ifdef INET6 1230 struct ip6_hdr *h6; 1231#endif /* INET6 */ 1232 struct tcphdr *th; 1233#ifdef __FreeBSD__ 1234 struct ip *ip; 1235#if (__FreeBSD_version < 501114) 1236 struct route ro; 1237#endif 1238#endif 1239 char *opt; 1240 1241 /* maximum segment size tcp option */ 1242 tlen = sizeof(struct tcphdr); 1243 if (mss) 1244 tlen += 4; 1245 1246 switch (af) { 1247#ifdef INET 1248 case AF_INET: 1249 len = sizeof(struct ip) + tlen; 1250 break; 1251#endif /* INET */ 1252#ifdef INET6 1253 case AF_INET6: 1254 len = sizeof(struct ip6_hdr) + tlen; 1255 break; 1256#endif /* INET6 */ 1257 } 1258 1259 /* create outgoing mbuf */ 1260 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1261 if (mtag == NULL) 1262 return; 1263 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1264 if (m == NULL) { 1265 m_tag_free(mtag); 1266 return; 1267 } 1268 m_tag_prepend(m, mtag); 1269#ifdef ALTQ 1270 if (r != NULL && r->qid) { 1271 struct altq_tag *atag; 1272 1273 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 1274 if (mtag != NULL) { 1275 atag = (struct altq_tag *)(mtag + 1); 1276 atag->qid = r->qid; 1277 /* add hints for ecn */ 1278 atag->af = af; 1279 atag->hdr = mtod(m, struct ip *); 1280 m_tag_prepend(m, mtag); 1281 } 1282 } 1283#endif 1284 m->m_data += max_linkhdr; 1285 m->m_pkthdr.len = m->m_len = len; 1286 m->m_pkthdr.rcvif = NULL; 1287 bzero(m->m_data, len); 1288 switch (af) { 1289#ifdef INET 1290 case AF_INET: 1291 h = mtod(m, struct ip *); 1292 1293 /* IP header fields included in the TCP checksum */ 1294 h->ip_p = IPPROTO_TCP; 1295 h->ip_len = htons(tlen); 1296 h->ip_src.s_addr = saddr->v4.s_addr; 1297 h->ip_dst.s_addr = daddr->v4.s_addr; 1298 1299 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip)); 1300 break; 1301#endif /* INET */ 1302#ifdef INET6 1303 case AF_INET6: 1304 h6 = mtod(m, struct ip6_hdr *); 1305 1306 /* IP header fields included in the TCP checksum */ 1307 h6->ip6_nxt = IPPROTO_TCP; 1308 h6->ip6_plen = htons(tlen); 1309 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); 1310 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); 1311 1312 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr)); 1313 break; 1314#endif /* INET6 */ 1315 } 1316 1317 /* TCP header */ 1318 th->th_sport = sport; 1319 th->th_dport = dport; 1320 th->th_seq = htonl(seq); 1321 th->th_ack = htonl(ack); 1322 th->th_off = tlen >> 2; 1323 th->th_flags = flags; 1324 th->th_win = htons(win); 1325 1326 if (mss) { 1327 opt = (char *)(th + 1); 1328 opt[0] = TCPOPT_MAXSEG; 1329 opt[1] = 4; 1330 HTONS(mss); 1331 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2); 1332 } 1333 1334 switch (af) { 1335#ifdef INET 1336 case AF_INET: 1337 /* TCP checksum */ 1338 th->th_sum = in_cksum(m, len); 1339 1340 /* Finish the IP header */ 1341 h->ip_v = 4; 1342 h->ip_hl = sizeof(*h) >> 2; 1343 h->ip_tos = IPTOS_LOWDELAY; 1344#ifdef __FreeBSD__ 1345 h->ip_off = htons(path_mtu_discovery ? IP_DF : 0); 1346#else 1347 h->ip_off = htons(ip_mtudisc ? IP_DF : 0); 1348#endif 1349 h->ip_len = htons(len); 1350 h->ip_ttl = ttl ? ttl : ip_defttl; 1351 h->ip_sum = 0; 1352#ifdef __FreeBSD__ 1353 ip = mtod(m, struct ip *); 1354 /* 1355 * XXX 1356 * OpenBSD changed ip_len/ip_off byte ordering! 1357 * Because FreeBSD assumes host byte ordering we need to 1358 * change here. 1359 */ 1360 NTOHS(ip->ip_len); 1361 NTOHS(ip->ip_off); 1362#if (__FreeBSD_version < 501114) 1363 bzero(&ro, sizeof(ro)); 1364 ip_rtaddr(ip->ip_dst, &ro); 1365 PF_UNLOCK(); 1366 ip_output(m, (void *)NULL, &ro, 0, (void *)NULL, 1367 (void *)NULL); 1368 PF_LOCK(); 1369 if(ro.ro_rt) { 1370 RTFREE(ro.ro_rt); 1371 } 1372#else /* __FreeBSD_version >= 501114 */ 1373 PF_UNLOCK(); 1374 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, 1375 (void *)NULL); 1376 PF_LOCK(); 1377#endif 1378#else /* ! __FreeBSD__ */ 1379 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, 1380 (void *)NULL); 1381#endif 1382 break; 1383#endif /* INET */ 1384#ifdef INET6 1385 case AF_INET6: 1386 /* TCP checksum */ 1387 th->th_sum = in6_cksum(m, IPPROTO_TCP, 1388 sizeof(struct ip6_hdr), tlen); 1389 1390 h6->ip6_vfc |= IPV6_VERSION; 1391 h6->ip6_hlim = IPV6_DEFHLIM; 1392 1393#ifdef __FreeBSD__ 1394 PF_UNLOCK(); 1395 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 1396 PF_LOCK(); 1397#else 1398 ip6_output(m, NULL, NULL, 0, NULL, NULL); 1399#endif 1400 break; 1401#endif /* INET6 */ 1402 } 1403} 1404 1405void 1406pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, 1407 struct pf_rule *r) 1408{ 1409 struct m_tag *mtag; 1410 struct mbuf *m0; 1411#ifdef __FreeBSD__ 1412 struct ip *ip; 1413#endif 1414 1415 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1416 if (mtag == NULL) 1417 return; 1418#ifdef __FreeBSD__ 1419 m0 = m_copypacket(m, M_DONTWAIT); 1420#else 1421 m0 = m_copy(m, 0, M_COPYALL); 1422#endif 1423 if (m0 == NULL) { 1424 m_tag_free(mtag); 1425 return; 1426 } 1427 m_tag_prepend(m0, mtag); 1428 1429#ifdef ALTQ 1430 if (r->qid) { 1431 struct altq_tag *atag; 1432 1433 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 1434 if (mtag != NULL) { 1435 atag = (struct altq_tag *)(mtag + 1); 1436 atag->qid = r->qid; 1437 /* add hints for ecn */ 1438 atag->af = af; 1439 atag->hdr = mtod(m0, struct ip *); 1440 m_tag_prepend(m0, mtag); 1441 } 1442 } 1443#endif 1444 1445 switch (af) { 1446#ifdef INET 1447 case AF_INET: 1448#ifdef __FreeBSD__ 1449 /* icmp_error() expects host byte ordering */ 1450 ip = mtod(m0, struct ip *); 1451 NTOHS(ip->ip_len); 1452 NTOHS(ip->ip_off); 1453 PF_UNLOCK(); 1454#endif 1455 icmp_error(m0, type, code, 0, NULL); 1456#ifdef __FreeBSD__ 1457 PF_LOCK(); 1458#endif 1459 break; 1460#endif /* INET */ 1461#ifdef INET6 1462 case AF_INET6: 1463#ifdef __FreeBSD__ 1464 PF_UNLOCK(); 1465#endif 1466 icmp6_error(m0, type, code, 0); 1467#ifdef __FreeBSD__ 1468 PF_LOCK(); 1469#endif 1470 break; 1471#endif /* INET6 */ 1472 } 1473} 1474 1475/* 1476 * Return 1 if the addresses a and b match (with mask m), otherwise return 0. 1477 * If n is 0, they match if they are equal. If n is != 0, they match if they 1478 * are different. 1479 */ 1480int 1481pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, 1482 struct pf_addr *b, sa_family_t af) 1483{ 1484 int match = 0; 1485 1486 switch (af) { 1487#ifdef INET 1488 case AF_INET: 1489 if ((a->addr32[0] & m->addr32[0]) == 1490 (b->addr32[0] & m->addr32[0])) 1491 match++; 1492 break; 1493#endif /* INET */ 1494#ifdef INET6 1495 case AF_INET6: 1496 if (((a->addr32[0] & m->addr32[0]) == 1497 (b->addr32[0] & m->addr32[0])) && 1498 ((a->addr32[1] & m->addr32[1]) == 1499 (b->addr32[1] & m->addr32[1])) && 1500 ((a->addr32[2] & m->addr32[2]) == 1501 (b->addr32[2] & m->addr32[2])) && 1502 ((a->addr32[3] & m->addr32[3]) == 1503 (b->addr32[3] & m->addr32[3]))) 1504 match++; 1505 break; 1506#endif /* INET6 */ 1507 } 1508 if (match) { 1509 if (n) 1510 return (0); 1511 else 1512 return (1); 1513 } else { 1514 if (n) 1515 return (1); 1516 else 1517 return (0); 1518 } 1519} 1520 1521int 1522pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) 1523{ 1524 switch (op) { 1525 case PF_OP_IRG: 1526 return ((p > a1) && (p < a2)); 1527 case PF_OP_XRG: 1528 return ((p < a1) || (p > a2)); 1529 case PF_OP_RRG: 1530 return ((p >= a1) && (p <= a2)); 1531 case PF_OP_EQ: 1532 return (p == a1); 1533 case PF_OP_NE: 1534 return (p != a1); 1535 case PF_OP_LT: 1536 return (p < a1); 1537 case PF_OP_LE: 1538 return (p <= a1); 1539 case PF_OP_GT: 1540 return (p > a1); 1541 case PF_OP_GE: 1542 return (p >= a1); 1543 } 1544 return (0); /* never reached */ 1545} 1546 1547int 1548pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) 1549{ 1550 NTOHS(a1); 1551 NTOHS(a2); 1552 NTOHS(p); 1553 return (pf_match(op, a1, a2, p)); 1554} 1555 1556int 1557pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) 1558{ 1559 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1560 return (0); 1561 return (pf_match(op, a1, a2, u)); 1562} 1563 1564int 1565pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) 1566{ 1567 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1568 return (0); 1569 return (pf_match(op, a1, a2, g)); 1570} 1571 1572struct pf_tag * 1573pf_get_tag(struct mbuf *m) 1574{ 1575 struct m_tag *mtag; 1576 1577 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL) 1578 return ((struct pf_tag *)(mtag + 1)); 1579 else 1580 return (NULL); 1581} 1582 1583int 1584pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat, 1585 struct pf_rule *rdr, struct pf_tag *pftag, int *tag) 1586{ 1587 if (*tag == -1) { /* find mbuf tag */ 1588 pftag = pf_get_tag(m); 1589 if (pftag != NULL) 1590 *tag = pftag->tag; 1591 else 1592 *tag = 0; 1593 if (nat != NULL && nat->tag) 1594 *tag = nat->tag; 1595 if (rdr != NULL && rdr->tag) 1596 *tag = rdr->tag; 1597 } 1598 1599 return ((!r->match_tag_not && r->match_tag == *tag) || 1600 (r->match_tag_not && r->match_tag != *tag)); 1601} 1602 1603int 1604pf_tag_packet(struct mbuf *m, struct pf_tag *pftag, int tag) 1605{ 1606 struct m_tag *mtag; 1607 1608 if (tag <= 0) 1609 return (0); 1610 1611 if (pftag == NULL) { 1612 mtag = m_tag_get(PACKET_TAG_PF_TAG, sizeof(*pftag), M_NOWAIT); 1613 if (mtag == NULL) 1614 return (1); 1615 ((struct pf_tag *)(mtag + 1))->tag = tag; 1616 m_tag_prepend(m, mtag); 1617 } else 1618 pftag->tag = tag; 1619 1620 return (0); 1621} 1622 1623#define PF_STEP_INTO_ANCHOR(r, a, s, n) \ 1624 do { \ 1625 if ((r) == NULL || (r)->anchor == NULL || \ 1626 (s) != NULL || (a) != NULL) \ 1627 panic("PF_STEP_INTO_ANCHOR"); \ 1628 (a) = (r); \ 1629 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \ 1630 (r) = NULL; \ 1631 while ((s) != NULL && ((r) = \ 1632 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1633 (s) = TAILQ_NEXT((s), entries); \ 1634 if ((r) == NULL) { \ 1635 (r) = TAILQ_NEXT((a), entries); \ 1636 (a) = NULL; \ 1637 } \ 1638 } while (0) 1639 1640#define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \ 1641 do { \ 1642 if ((r) != NULL || (a) == NULL || (s) == NULL) \ 1643 panic("PF_STEP_OUT_OF_ANCHOR"); \ 1644 (s) = TAILQ_NEXT((s), entries); \ 1645 while ((s) != NULL && ((r) = \ 1646 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1647 (s) = TAILQ_NEXT((s), entries); \ 1648 if ((r) == NULL) { \ 1649 (r) = TAILQ_NEXT((a), entries); \ 1650 (a) = NULL; \ 1651 } \ 1652 } while (0) 1653 1654#ifdef INET6 1655void 1656pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, 1657 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) 1658{ 1659 switch (af) { 1660#ifdef INET 1661 case AF_INET: 1662 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1663 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1664 break; 1665#endif /* INET */ 1666 case AF_INET6: 1667 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1668 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1669 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | 1670 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); 1671 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | 1672 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); 1673 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | 1674 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); 1675 break; 1676 } 1677} 1678 1679void 1680pf_addr_inc(struct pf_addr *addr, u_int8_t af) 1681{ 1682 switch (af) { 1683#ifdef INET 1684 case AF_INET: 1685 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); 1686 break; 1687#endif /* INET */ 1688 case AF_INET6: 1689 if (addr->addr32[3] == 0xffffffff) { 1690 addr->addr32[3] = 0; 1691 if (addr->addr32[2] == 0xffffffff) { 1692 addr->addr32[2] = 0; 1693 if (addr->addr32[1] == 0xffffffff) { 1694 addr->addr32[1] = 0; 1695 addr->addr32[0] = 1696 htonl(ntohl(addr->addr32[0]) + 1); 1697 } else 1698 addr->addr32[1] = 1699 htonl(ntohl(addr->addr32[1]) + 1); 1700 } else 1701 addr->addr32[2] = 1702 htonl(ntohl(addr->addr32[2]) + 1); 1703 } else 1704 addr->addr32[3] = 1705 htonl(ntohl(addr->addr32[3]) + 1); 1706 break; 1707 } 1708} 1709#endif /* INET6 */ 1710 1711#define mix(a,b,c) \ 1712 do { \ 1713 a -= b; a -= c; a ^= (c >> 13); \ 1714 b -= c; b -= a; b ^= (a << 8); \ 1715 c -= a; c -= b; c ^= (b >> 13); \ 1716 a -= b; a -= c; a ^= (c >> 12); \ 1717 b -= c; b -= a; b ^= (a << 16); \ 1718 c -= a; c -= b; c ^= (b >> 5); \ 1719 a -= b; a -= c; a ^= (c >> 3); \ 1720 b -= c; b -= a; b ^= (a << 10); \ 1721 c -= a; c -= b; c ^= (b >> 15); \ 1722 } while (0) 1723 1724/* 1725 * hash function based on bridge_hash in if_bridge.c 1726 */ 1727void 1728pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, 1729 struct pf_poolhashkey *key, sa_family_t af) 1730{ 1731 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 1732 1733 switch (af) { 1734#ifdef INET 1735 case AF_INET: 1736 a += inaddr->addr32[0]; 1737 b += key->key32[1]; 1738 mix(a, b, c); 1739 hash->addr32[0] = c + key->key32[2]; 1740 break; 1741#endif /* INET */ 1742#ifdef INET6 1743 case AF_INET6: 1744 a += inaddr->addr32[0]; 1745 b += inaddr->addr32[2]; 1746 mix(a, b, c); 1747 hash->addr32[0] = c; 1748 a += inaddr->addr32[1]; 1749 b += inaddr->addr32[3]; 1750 c += key->key32[1]; 1751 mix(a, b, c); 1752 hash->addr32[1] = c; 1753 a += inaddr->addr32[2]; 1754 b += inaddr->addr32[1]; 1755 c += key->key32[2]; 1756 mix(a, b, c); 1757 hash->addr32[2] = c; 1758 a += inaddr->addr32[3]; 1759 b += inaddr->addr32[0]; 1760 c += key->key32[3]; 1761 mix(a, b, c); 1762 hash->addr32[3] = c; 1763 break; 1764#endif /* INET6 */ 1765 } 1766} 1767 1768int 1769pf_map_addr(u_int8_t af, struct pf_pool *rpool, struct pf_addr *saddr, 1770 struct pf_addr *naddr, struct pf_addr *init_addr) 1771{ 1772 unsigned char hash[16]; 1773 struct pf_addr *raddr; 1774 struct pf_addr *rmask; 1775 struct pf_pooladdr *acur = rpool->cur; 1776 1777 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 1778 return (1); 1779 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL && 1780 rpool->cur->addr.p.dyn->undefined) 1781 return (1); 1782 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1783 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 1784 return (1); /* unsupported */ 1785 } else { 1786 raddr = &rpool->cur->addr.v.a.addr; 1787 rmask = &rpool->cur->addr.v.a.mask; 1788 } 1789 1790 switch (rpool->opts & PF_POOL_TYPEMASK) { 1791 case PF_POOL_NONE: 1792 PF_ACPY(naddr, raddr, af); 1793 break; 1794 case PF_POOL_BITMASK: 1795 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 1796 break; 1797 case PF_POOL_RANDOM: 1798 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 1799 switch (af) { 1800#ifdef INET 1801 case AF_INET: 1802 rpool->counter.addr32[0] = arc4random(); 1803 break; 1804#endif /* INET */ 1805#ifdef INET6 1806 case AF_INET6: 1807 if (rmask->addr32[3] != 0xffffffff) 1808 rpool->counter.addr32[3] = arc4random(); 1809 else 1810 break; 1811 if (rmask->addr32[2] != 0xffffffff) 1812 rpool->counter.addr32[2] = arc4random(); 1813 else 1814 break; 1815 if (rmask->addr32[1] != 0xffffffff) 1816 rpool->counter.addr32[1] = arc4random(); 1817 else 1818 break; 1819 if (rmask->addr32[0] != 0xffffffff) 1820 rpool->counter.addr32[0] = arc4random(); 1821 break; 1822#endif /* INET6 */ 1823 } 1824 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1825 PF_ACPY(init_addr, naddr, af); 1826 1827 } else { 1828 PF_AINC(&rpool->counter, af); 1829 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1830 } 1831 break; 1832 case PF_POOL_SRCHASH: 1833 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 1834 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 1835 break; 1836 case PF_POOL_ROUNDROBIN: 1837 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1838 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 1839 &rpool->tblidx, &rpool->counter, 1840 &raddr, &rmask, af)) 1841 goto get_addr; 1842 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 1843 goto get_addr; 1844 1845 try_next: 1846 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) 1847 rpool->cur = TAILQ_FIRST(&rpool->list); 1848 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1849 rpool->tblidx = -1; 1850 if (pfr_pool_get(rpool->cur->addr.p.tbl, 1851 &rpool->tblidx, &rpool->counter, 1852 &raddr, &rmask, af)) { 1853 /* table contain no address of type 'af' */ 1854 if (rpool->cur != acur) 1855 goto try_next; 1856 return (1); 1857 } 1858 } else { 1859 raddr = &rpool->cur->addr.v.a.addr; 1860 rmask = &rpool->cur->addr.v.a.mask; 1861 PF_ACPY(&rpool->counter, raddr, af); 1862 } 1863 1864 get_addr: 1865 PF_ACPY(naddr, &rpool->counter, af); 1866 PF_AINC(&rpool->counter, af); 1867 break; 1868 } 1869 1870 if (pf_status.debug >= PF_DEBUG_MISC && 1871 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1872 printf("pf_map_addr: selected address: "); 1873 pf_print_host(naddr, 0, af); 1874 printf("\n"); 1875 } 1876 1877 return (0); 1878} 1879 1880int 1881pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_pool *rpool, 1882 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, 1883 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high) 1884{ 1885 struct pf_tree_node key; 1886 struct pf_addr init_addr; 1887 u_int16_t cut; 1888 1889 bzero(&init_addr, sizeof(init_addr)); 1890 if (pf_map_addr(af, rpool, saddr, naddr, &init_addr)) 1891 return (1); 1892 1893 do { 1894 key.af = af; 1895 key.proto = proto; 1896 PF_ACPY(&key.addr[0], daddr, key.af); 1897 PF_ACPY(&key.addr[1], naddr, key.af); 1898 key.port[0] = dport; 1899 1900 /* 1901 * port search; start random, step; 1902 * similar 2 portloop in in_pcbbind 1903 */ 1904 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { 1905 key.port[1] = 0; 1906 if (pf_find_state(&tree_ext_gwy, &key) == NULL) 1907 return (0); 1908 } else if (low == 0 && high == 0) { 1909 key.port[1] = *nport; 1910 if (pf_find_state(&tree_ext_gwy, &key) == NULL) { 1911 return (0); 1912 } 1913 } else if (low == high) { 1914 key.port[1] = htons(low); 1915 if (pf_find_state(&tree_ext_gwy, &key) == NULL) { 1916 *nport = htons(low); 1917 return (0); 1918 } 1919 } else { 1920 u_int16_t tmp; 1921 1922 if (low > high) { 1923 tmp = low; 1924 low = high; 1925 high = tmp; 1926 } 1927 /* low < high */ 1928 cut = arc4random() % (1 + high - low) + low; 1929 /* low <= cut <= high */ 1930 for (tmp = cut; tmp <= high; ++(tmp)) { 1931 key.port[1] = htons(tmp); 1932 if (pf_find_state(&tree_ext_gwy, &key) == 1933 NULL) { 1934 *nport = htons(tmp); 1935 return (0); 1936 } 1937 } 1938 for (tmp = cut - 1; tmp >= low; --(tmp)) { 1939 key.port[1] = htons(tmp); 1940 if (pf_find_state(&tree_ext_gwy, &key) == 1941 NULL) { 1942 *nport = htons(tmp); 1943 return (0); 1944 } 1945 } 1946 } 1947 1948 switch (rpool->opts & PF_POOL_TYPEMASK) { 1949 case PF_POOL_RANDOM: 1950 case PF_POOL_ROUNDROBIN: 1951 if (pf_map_addr(af, rpool, saddr, naddr, &init_addr)) 1952 return (1); 1953 break; 1954 case PF_POOL_NONE: 1955 case PF_POOL_SRCHASH: 1956 case PF_POOL_BITMASK: 1957 default: 1958 return (1); 1959 break; 1960 } 1961 } while (! PF_AEQ(&init_addr, naddr, af) ); 1962 1963 return (1); /* none available */ 1964} 1965 1966struct pf_rule * 1967pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 1968 int direction, struct ifnet *ifp, struct pf_addr *saddr, u_int16_t sport, 1969 struct pf_addr *daddr, u_int16_t dport, int rs_num) 1970{ 1971 struct pf_rule *r, *rm = NULL, *anchorrule = NULL; 1972 struct pf_ruleset *ruleset = NULL; 1973 1974 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 1975 while (r && rm == NULL) { 1976 struct pf_rule_addr *src = NULL, *dst = NULL; 1977 struct pf_addr_wrap *xdst = NULL; 1978 1979 if (r->action == PF_BINAT && direction == PF_IN) { 1980 src = &r->dst; 1981 if (r->rpool.cur != NULL) 1982 xdst = &r->rpool.cur->addr; 1983 } else { 1984 src = &r->src; 1985 dst = &r->dst; 1986 } 1987 1988 r->evaluations++; 1989 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 1990 (r->ifp == ifp && r->ifnot))) 1991 r = r->skip[PF_SKIP_IFP].ptr; 1992 else if (r->direction && r->direction != direction) 1993 r = r->skip[PF_SKIP_DIR].ptr; 1994 else if (r->af && r->af != pd->af) 1995 r = r->skip[PF_SKIP_AF].ptr; 1996 else if (r->proto && r->proto != pd->proto) 1997 r = r->skip[PF_SKIP_PROTO].ptr; 1998 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not)) 1999 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 2000 PF_SKIP_DST_ADDR].ptr; 2001 else if (src->port_op && !pf_match_port(src->port_op, 2002 src->port[0], src->port[1], sport)) 2003 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 2004 PF_SKIP_DST_PORT].ptr; 2005 else if (dst != NULL && 2006 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not)) 2007 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2008 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 2009 r = TAILQ_NEXT(r, entries); 2010 else if (dst != NULL && dst->port_op && 2011 !pf_match_port(dst->port_op, dst->port[0], 2012 dst->port[1], dport)) 2013 r = r->skip[PF_SKIP_DST_PORT].ptr; 2014 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2015 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2016 off, pd->hdr.tcp), r->os_fingerprint))) 2017 r = TAILQ_NEXT(r, entries); 2018 else if (r->anchorname[0] && r->anchor == NULL) 2019 r = TAILQ_NEXT(r, entries); 2020 else if (r->anchor == NULL) 2021 rm = r; 2022 else 2023 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num); 2024 if (r == NULL && anchorrule != NULL) 2025 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, 2026 rs_num); 2027 } 2028 if (rm != NULL && (rm->action == PF_NONAT || 2029 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 2030 return (NULL); 2031 return (rm); 2032} 2033 2034struct pf_rule * 2035pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 2036 struct ifnet *ifp, 2037 struct pf_addr *saddr, u_int16_t sport, 2038 struct pf_addr *daddr, u_int16_t dport, 2039 struct pf_addr *naddr, u_int16_t *nport) 2040{ 2041 struct pf_rule *r = NULL; 2042 2043 if (direction == PF_OUT) { 2044 r = pf_match_translation(pd, m, off, direction, ifp, saddr, 2045 sport, daddr, dport, PF_RULESET_BINAT); 2046 if (r == NULL) 2047 r = pf_match_translation(pd, m, off, direction, ifp, 2048 saddr, sport, daddr, dport, PF_RULESET_NAT); 2049 } else { 2050 r = pf_match_translation(pd, m, off, direction, ifp, saddr, 2051 sport, daddr, dport, PF_RULESET_RDR); 2052 if (r == NULL) 2053 r = pf_match_translation(pd, m, off, direction, ifp, 2054 saddr, sport, daddr, dport, PF_RULESET_BINAT); 2055 } 2056 2057 if (r != NULL) { 2058 switch (r->action) { 2059 case PF_NONAT: 2060 case PF_NOBINAT: 2061 case PF_NORDR: 2062 return (NULL); 2063 break; 2064 case PF_NAT: 2065 if (pf_get_sport(pd->af, pd->proto, &r->rpool, saddr, 2066 daddr, dport, naddr, nport, r->rpool.proxy_port[0], 2067 r->rpool.proxy_port[1])) { 2068 DPFPRINTF(PF_DEBUG_MISC, 2069 ("pf: NAT proxy port allocation " 2070 "(%u-%u) failed\n", 2071 r->rpool.proxy_port[0], 2072 r->rpool.proxy_port[1])); 2073 return (NULL); 2074 } 2075 break; 2076 case PF_BINAT: 2077 switch (direction) { 2078 case PF_OUT: 2079 if (r->rpool.cur->addr.type == 2080 PF_ADDR_DYNIFTL && 2081 r->rpool.cur->addr.p.dyn->undefined) 2082 return (NULL); 2083 else 2084 PF_POOLMASK(naddr, 2085 &r->rpool.cur->addr.v.a.addr, 2086 &r->rpool.cur->addr.v.a.mask, 2087 saddr, pd->af); 2088 break; 2089 case PF_IN: 2090 if (r->src.addr.type == PF_ADDR_DYNIFTL && 2091 r->src.addr.p.dyn->undefined) 2092 return (NULL); 2093 else 2094 PF_POOLMASK(naddr, 2095 &r->src.addr.v.a.addr, 2096 &r->src.addr.v.a.mask, daddr, 2097 pd->af); 2098 break; 2099 } 2100 break; 2101 case PF_RDR: { 2102 if (pf_map_addr(r->af, &r->rpool, saddr, naddr, NULL)) 2103 return (NULL); 2104 2105 if (r->rpool.proxy_port[1]) { 2106 u_int32_t tmp_nport; 2107 2108 tmp_nport = ((ntohs(dport) - 2109 ntohs(r->dst.port[0])) % 2110 (r->rpool.proxy_port[1] - 2111 r->rpool.proxy_port[0] + 1)) + 2112 r->rpool.proxy_port[0]; 2113 2114 /* wrap around if necessary */ 2115 if (tmp_nport > 65535) 2116 tmp_nport -= 65535; 2117 *nport = htons((u_int16_t)tmp_nport); 2118 } else if (r->rpool.proxy_port[0]) 2119 *nport = htons(r->rpool.proxy_port[0]); 2120 break; 2121 } 2122 default: 2123 return (NULL); 2124 break; 2125 } 2126 } 2127 2128 return (r); 2129} 2130 2131int 2132pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, sa_family_t af, 2133 int proto, struct pf_pdesc *pd) 2134{ 2135 struct pf_addr *saddr, *daddr; 2136 u_int16_t sport, dport; 2137#ifdef __FreeBSD__ 2138 struct inpcbinfo *pi; 2139#else 2140 struct inpcbtable *tb; 2141#endif 2142 struct inpcb *inp; 2143 2144 *uid = UID_MAX; 2145 *gid = GID_MAX; 2146 switch (proto) { 2147 case IPPROTO_TCP: 2148 sport = pd->hdr.tcp->th_sport; 2149 dport = pd->hdr.tcp->th_dport; 2150#ifdef __FreeBSD__ 2151 pi = &tcbinfo; 2152#else 2153 tb = &tcbtable; 2154#endif 2155 break; 2156 case IPPROTO_UDP: 2157 sport = pd->hdr.udp->uh_sport; 2158 dport = pd->hdr.udp->uh_dport; 2159#ifdef __FreeBSD__ 2160 pi = &udbinfo; 2161#else 2162 tb = &udbtable; 2163#endif 2164 break; 2165 default: 2166 return (0); 2167 } 2168 if (direction == PF_IN) { 2169 saddr = pd->src; 2170 daddr = pd->dst; 2171 } else { 2172 u_int16_t p; 2173 2174 p = sport; 2175 sport = dport; 2176 dport = p; 2177 saddr = pd->dst; 2178 daddr = pd->src; 2179 } 2180 switch(af) { 2181 case AF_INET: 2182#ifdef __FreeBSD__ 2183#if (__FreeBSD_version >= 500043) 2184 INP_INFO_RLOCK(pi); /* XXX LOR */ 2185#endif 2186 inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4, 2187 dport, 0, NULL); 2188 if (inp == NULL) { 2189 inp = in_pcblookup_hash(pi, saddr->v4, sport, 2190 daddr->v4, dport, INPLOOKUP_WILDCARD, NULL); 2191 if(inp == NULL) { 2192#if (__FreeBSD_version >= 500043) 2193 INP_INFO_RUNLOCK(pi); 2194#endif 2195 return (0); 2196 } 2197 } 2198#else 2199 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport); 2200 if (inp == NULL) { 2201 inp = in_pcblookup(tb, &saddr->v4, sport, &daddr->v4, 2202 dport, INPLOOKUP_WILDCARD); 2203 if (inp == NULL) 2204 return (0); 2205 } 2206#endif 2207 break; 2208#ifdef INET6 2209 case AF_INET6: 2210#ifdef __FreeBSD__ 2211#if (__FreeBSD_version >= 500043) 2212 INP_INFO_RLOCK(pi); 2213#endif 2214 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, 2215 &daddr->v6, dport, 0, NULL); 2216 if (inp == NULL) { 2217 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, 2218 &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL); 2219 if (inp == NULL) { 2220#if (__FreeBSD_version >= 500043) 2221 INP_INFO_RUNLOCK(pi); 2222#endif 2223 return (0); 2224 } 2225 } 2226#else 2227 inp = in6_pcbhashlookup(tb, &saddr->v6, sport, &daddr->v6, 2228 dport); 2229 if (inp == NULL) { 2230 inp = in_pcblookup(tb, &saddr->v6, sport, &daddr->v6, 2231 dport, INPLOOKUP_WILDCARD | INPLOOKUP_IPV6); 2232 if (inp == NULL) 2233 return (0); 2234 } 2235#endif 2236 break; 2237#endif /* INET6 */ 2238 2239 default: 2240 return (0); 2241 } 2242#ifdef __FreeBSD__ 2243#if (__FreeBSD_version >= 500043) 2244 INP_LOCK(inp); 2245#endif 2246 *uid = inp->inp_socket->so_cred->cr_uid; 2247 *gid = inp->inp_socket->so_cred->cr_groups[0]; 2248#if (__FreeBSD_version >= 500043) 2249 INP_UNLOCK(inp); 2250 INP_INFO_RUNLOCK(pi); 2251#endif 2252#else 2253 *uid = inp->inp_socket->so_euid; 2254 *gid = inp->inp_socket->so_egid; 2255#endif 2256 return (1); 2257} 2258 2259u_int8_t 2260pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2261{ 2262 int hlen; 2263 u_int8_t hdr[60]; 2264 u_int8_t *opt, optlen; 2265 u_int8_t wscale = 0; 2266 2267 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2268 if (hlen <= sizeof(struct tcphdr)) 2269 return (0); 2270 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2271 return (0); 2272 opt = hdr + sizeof(struct tcphdr); 2273 hlen -= sizeof(struct tcphdr); 2274 while (hlen >= 3) { 2275 switch (*opt) { 2276 case TCPOPT_EOL: 2277 case TCPOPT_NOP: 2278 ++opt; 2279 --hlen; 2280 break; 2281 case TCPOPT_WINDOW: 2282 wscale = opt[2]; 2283 if (wscale > TCP_MAX_WINSHIFT) 2284 wscale = TCP_MAX_WINSHIFT; 2285 wscale |= PF_WSCALE_FLAG; 2286 /* fallthrough */ 2287 default: 2288 optlen = opt[1]; 2289 if (optlen < 2) 2290 optlen = 2; 2291 hlen -= optlen; 2292 opt += optlen; 2293 } 2294 } 2295 return (wscale); 2296} 2297 2298u_int16_t 2299pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2300{ 2301 int hlen; 2302 u_int8_t hdr[60]; 2303 u_int8_t *opt, optlen; 2304 u_int16_t mss = tcp_mssdflt; 2305 2306 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2307 if (hlen <= sizeof(struct tcphdr)) 2308 return (0); 2309 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2310 return (0); 2311 opt = hdr + sizeof(struct tcphdr); 2312 hlen -= sizeof(struct tcphdr); 2313 while (hlen >= TCPOLEN_MAXSEG) { 2314 switch (*opt) { 2315 case TCPOPT_EOL: 2316 case TCPOPT_NOP: 2317 ++opt; 2318 --hlen; 2319 break; 2320 case TCPOPT_MAXSEG: 2321 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2); 2322 /* fallthrough */ 2323 default: 2324 optlen = opt[1]; 2325 if (optlen < 2) 2326 optlen = 2; 2327 hlen -= optlen; 2328 opt += optlen; 2329 } 2330 } 2331 return (mss); 2332} 2333 2334u_int16_t 2335pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer) 2336{ 2337#ifdef INET 2338 struct sockaddr_in *dst; 2339 struct route ro; 2340#endif /* INET */ 2341#ifdef INET6 2342 struct sockaddr_in6 *dst6; 2343 struct route_in6 ro6; 2344#endif /* INET6 */ 2345 struct rtentry *rt = NULL; 2346 int hlen; 2347 u_int16_t mss = tcp_mssdflt; 2348 2349 switch (af) { 2350#ifdef INET 2351 case AF_INET: 2352 hlen = sizeof(struct ip); 2353 bzero(&ro, sizeof(ro)); 2354 dst = (struct sockaddr_in *)&ro.ro_dst; 2355 dst->sin_family = AF_INET; 2356 dst->sin_len = sizeof(*dst); 2357 dst->sin_addr = addr->v4; 2358#ifdef __FreeBSD__ 2359#ifdef RTF_PRCLONING 2360 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING)); 2361#else /* !RTF_PRCLONING */ 2362 rtalloc_ign(&ro, RTF_CLONING); 2363#endif 2364#else /* ! __FreeBSD__ */ 2365 rtalloc_noclone(&ro, NO_CLONING); 2366#endif 2367 rt = ro.ro_rt; 2368 break; 2369#endif /* INET */ 2370#ifdef INET6 2371 case AF_INET6: 2372 hlen = sizeof(struct ip6_hdr); 2373 bzero(&ro6, sizeof(ro6)); 2374 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst; 2375 dst6->sin6_family = AF_INET6; 2376 dst6->sin6_len = sizeof(*dst6); 2377 dst6->sin6_addr = addr->v6; 2378#ifdef __FreeBSD__ 2379#ifdef RTF_PRCLONING 2380 rtalloc_ign((struct route *)&ro6, 2381 (RTF_CLONING | RTF_PRCLONING)); 2382#else /* !RTF_PRCLONING */ 2383 rtalloc_ign((struct route *)&ro6, RTF_CLONING); 2384#endif 2385#else /* ! __FreeBSD__ */ 2386 rtalloc_noclone((struct route *)&ro6, NO_CLONING); 2387#endif 2388 rt = ro6.ro_rt; 2389 break; 2390#endif /* INET6 */ 2391 } 2392 2393 if (rt && rt->rt_ifp) { 2394 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2395 mss = max(tcp_mssdflt, mss); 2396 RTFREE(rt); 2397 } 2398 mss = min(mss, offer); 2399 mss = max(mss, 64); /* sanity - at least max opt space */ 2400 return (mss); 2401} 2402 2403void 2404pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) 2405{ 2406 struct pf_rule *r = s->rule.ptr; 2407 2408 s->rt_ifp = NULL; 2409 if (!r->rt || r->rt == PF_FASTROUTE) 2410 return; 2411 switch (s->af) { 2412#ifdef INET 2413 case AF_INET: 2414 pf_map_addr(AF_INET, &r->rpool, saddr, 2415 &s->rt_addr, NULL); 2416 s->rt_ifp = r->rpool.cur->ifp; 2417 break; 2418#endif /* INET */ 2419#ifdef INET6 2420 case AF_INET6: 2421 pf_map_addr(AF_INET6, &r->rpool, saddr, 2422 &s->rt_addr, NULL); 2423 s->rt_ifp = r->rpool.cur->ifp; 2424 break; 2425#endif /* INET6 */ 2426 } 2427} 2428 2429int 2430pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, 2431 struct ifnet *ifp, struct mbuf *m, int ipoff, int off, void *h, 2432 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2433{ 2434 struct pf_rule *nat = NULL, *rdr = NULL; 2435 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2436 struct pf_addr baddr, naddr; 2437 struct tcphdr *th = pd->hdr.tcp; 2438 u_int16_t bport, nport = 0; 2439 sa_family_t af = pd->af; 2440 int lookup = -1; 2441 uid_t uid; 2442 gid_t gid; 2443 struct pf_rule *r, *a = NULL; 2444 struct pf_ruleset *ruleset = NULL; 2445 u_short reason; 2446 int rewrite = 0; 2447 struct pf_tag *pftag = NULL; 2448 int tag = -1; 2449 u_int16_t mss = tcp_mssdflt; 2450 2451 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2452 2453 if (direction == PF_OUT) { 2454 bport = nport = th->th_sport; 2455 /* check outgoing packet for BINAT/NAT */ 2456 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, 2457 saddr, th->th_sport, daddr, th->th_dport, 2458 &naddr, &nport)) != NULL) { 2459 PF_ACPY(&baddr, saddr, af); 2460 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2461 &th->th_sum, &naddr, nport, 0, af); 2462 rewrite++; 2463 if (nat->natpass) 2464 r = NULL; 2465 } 2466 } else { 2467 bport = nport = th->th_dport; 2468 /* check incoming packet for BINAT/RDR */ 2469 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 2470 th->th_sport, daddr, th->th_dport, 2471 &naddr, &nport)) != NULL) { 2472 PF_ACPY(&baddr, daddr, af); 2473 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2474 &th->th_sum, &naddr, nport, 0, af); 2475 rewrite++; 2476 if (rdr->natpass) 2477 r = NULL; 2478 } 2479 } 2480 2481 while (r != NULL) { 2482 r->evaluations++; 2483 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 2484 (r->ifp == ifp && r->ifnot))) 2485 r = r->skip[PF_SKIP_IFP].ptr; 2486 else if (r->direction && r->direction != direction) 2487 r = r->skip[PF_SKIP_DIR].ptr; 2488 else if (r->af && r->af != af) 2489 r = r->skip[PF_SKIP_AF].ptr; 2490 else if (r->proto && r->proto != IPPROTO_TCP) 2491 r = r->skip[PF_SKIP_PROTO].ptr; 2492 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2493 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2494 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2495 r->src.port[0], r->src.port[1], th->th_sport)) 2496 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2497 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2498 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2499 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2500 r->dst.port[0], r->dst.port[1], th->th_dport)) 2501 r = r->skip[PF_SKIP_DST_PORT].ptr; 2502 else if (r->tos && !(r->tos & pd->tos)) 2503 r = TAILQ_NEXT(r, entries); 2504 else if (r->rule_flag & PFRULE_FRAGMENT) 2505 r = TAILQ_NEXT(r, entries); 2506 else if ((r->flagset & th->th_flags) != r->flags) 2507 r = TAILQ_NEXT(r, entries); 2508 else if (r->uid.op && (lookup != -1 || (lookup = 2509 pf_socket_lookup(&uid, &gid, direction, af, IPPROTO_TCP, 2510 pd), 1)) && 2511 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2512 uid)) 2513 r = TAILQ_NEXT(r, entries); 2514 else if (r->gid.op && (lookup != -1 || (lookup = 2515 pf_socket_lookup(&uid, &gid, direction, af, IPPROTO_TCP, 2516 pd), 1)) && 2517 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2518 gid)) 2519 r = TAILQ_NEXT(r, entries); 2520 else if (r->match_tag && 2521 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 2522 r = TAILQ_NEXT(r, entries); 2523 else if (r->anchorname[0] && r->anchor == NULL) 2524 r = TAILQ_NEXT(r, entries); 2525 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 2526 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 2527 r = TAILQ_NEXT(r, entries); 2528 else { 2529 if (r->tag) 2530 tag = r->tag; 2531 if (r->anchor == NULL) { 2532 *rm = r; 2533 *am = a; 2534 *rsm = ruleset; 2535 if ((*rm)->quick) 2536 break; 2537 r = TAILQ_NEXT(r, entries); 2538 } else 2539 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2540 PF_RULESET_FILTER); 2541 } 2542 if (r == NULL && a != NULL) 2543 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2544 PF_RULESET_FILTER); 2545 } 2546 r = *rm; 2547 a = *am; 2548 ruleset = *rsm; 2549 2550 r->packets++; 2551 r->bytes += pd->tot_len; 2552 if (a != NULL) { 2553 a->packets++; 2554 a->bytes += pd->tot_len; 2555 } 2556 REASON_SET(&reason, PFRES_MATCH); 2557 2558 if (r->log) { 2559 if (rewrite) 2560 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2561 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 2562 } 2563 2564 if ((r->action == PF_DROP) && 2565 ((r->rule_flag & PFRULE_RETURNRST) || 2566 (r->rule_flag & PFRULE_RETURNICMP) || 2567 (r->rule_flag & PFRULE_RETURN))) { 2568 /* undo NAT changes, if they have taken place */ 2569 if (nat != NULL) { 2570 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2571 &th->th_sum, &baddr, bport, 0, af); 2572 rewrite++; 2573 } else if (rdr != NULL) { 2574 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2575 &th->th_sum, &baddr, bport, 0, af); 2576 rewrite++; 2577 } 2578 if (((r->rule_flag & PFRULE_RETURNRST) || 2579 (r->rule_flag & PFRULE_RETURN)) && 2580 !(th->th_flags & TH_RST)) { 2581 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 2582 2583 if (th->th_flags & TH_SYN) 2584 ack++; 2585 if (th->th_flags & TH_FIN) 2586 ack++; 2587 pf_send_tcp(r, af, pd->dst, 2588 pd->src, th->th_dport, th->th_sport, 2589 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, 2590 r->return_ttl); 2591 } else if ((af == AF_INET) && r->return_icmp) 2592 pf_send_icmp(m, r->return_icmp >> 8, 2593 r->return_icmp & 255, af, r); 2594 else if ((af == AF_INET6) && r->return_icmp6) 2595 pf_send_icmp(m, r->return_icmp6 >> 8, 2596 r->return_icmp6 & 255, af, r); 2597 } 2598 2599 if (r->action == PF_DROP) 2600 return (PF_DROP); 2601 2602 if (pf_tag_packet(m, pftag, tag)) { 2603 REASON_SET(&reason, PFRES_MEMORY); 2604 return (PF_DROP); 2605 } 2606 2607 if (r->keep_state || nat != NULL || rdr != NULL || 2608 (pd->flags & PFDESC_TCP_NORM)) { 2609 /* create new state */ 2610 u_int16_t len; 2611 struct pf_state *s = NULL; 2612 2613 len = pd->tot_len - off - (th->th_off << 2); 2614 if (!r->max_states || r->states < r->max_states) 2615 s = pool_get(&pf_state_pl, PR_NOWAIT); 2616 if (s == NULL) { 2617 REASON_SET(&reason, PFRES_MEMORY); 2618 return (PF_DROP); 2619 } 2620 bzero(s, sizeof(*s)); 2621 r->states++; 2622 if (a != NULL) 2623 a->states++; 2624 s->rule.ptr = r; 2625 if (nat != NULL) 2626 s->nat_rule.ptr = nat; 2627 else 2628 s->nat_rule.ptr = rdr; 2629 if (s->nat_rule.ptr != NULL) 2630 s->nat_rule.ptr->states++; 2631 s->anchor.ptr = a; 2632 s->allow_opts = r->allow_opts; 2633 s->log = r->log & 2; 2634 s->proto = IPPROTO_TCP; 2635 s->direction = direction; 2636 s->af = af; 2637 if (direction == PF_OUT) { 2638 PF_ACPY(&s->gwy.addr, saddr, af); 2639 s->gwy.port = th->th_sport; /* sport */ 2640 PF_ACPY(&s->ext.addr, daddr, af); 2641 s->ext.port = th->th_dport; 2642 if (nat != NULL) { 2643 PF_ACPY(&s->lan.addr, &baddr, af); 2644 s->lan.port = bport; 2645 } else { 2646 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2647 s->lan.port = s->gwy.port; 2648 } 2649 } else { 2650 PF_ACPY(&s->lan.addr, daddr, af); 2651 s->lan.port = th->th_dport; 2652 PF_ACPY(&s->ext.addr, saddr, af); 2653 s->ext.port = th->th_sport; 2654 if (rdr != NULL) { 2655 PF_ACPY(&s->gwy.addr, &baddr, af); 2656 s->gwy.port = bport; 2657 } else { 2658 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2659 s->gwy.port = s->lan.port; 2660 } 2661 } 2662 2663 s->src.seqlo = ntohl(th->th_seq); 2664 s->src.seqhi = s->src.seqlo + len + 1; 2665 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2666 r->keep_state == PF_STATE_MODULATE) { 2667 /* Generate sequence number modulator */ 2668 while ((s->src.seqdiff = arc4random()) == 0) 2669 ; 2670 pf_change_a(&th->th_seq, &th->th_sum, 2671 htonl(s->src.seqlo + s->src.seqdiff), 0); 2672 rewrite = 1; 2673 } else 2674 s->src.seqdiff = 0; 2675 if (th->th_flags & TH_SYN) { 2676 s->src.seqhi++; 2677 s->src.wscale = pf_get_wscale(m, off, th->th_off, af); 2678 } 2679 s->src.max_win = MAX(ntohs(th->th_win), 1); 2680 if (s->src.wscale & PF_WSCALE_MASK) { 2681 /* Remove scale factor from initial window */ 2682 int win = s->src.max_win; 2683 win += 1 << (s->src.wscale & PF_WSCALE_MASK); 2684 s->src.max_win = (win - 1) >> 2685 (s->src.wscale & PF_WSCALE_MASK); 2686 } 2687 if (th->th_flags & TH_FIN) 2688 s->src.seqhi++; 2689 s->dst.seqlo = 0; /* Haven't seen these yet */ 2690 s->dst.seqhi = 1; 2691 s->dst.max_win = 1; 2692 s->dst.seqdiff = 0; /* Defer random generation */ 2693 s->src.state = TCPS_SYN_SENT; 2694 s->dst.state = TCPS_CLOSED; 2695#ifdef __FreeBSD__ 2696 s->creation = time_second; 2697 s->expire = time_second; 2698#else 2699 s->creation = time.tv_sec; 2700 s->expire = time.tv_sec; 2701#endif 2702 s->timeout = PFTM_TCP_FIRST_PACKET; 2703 s->packets[0] = 1; 2704 s->bytes[0] = pd->tot_len; 2705 pf_set_rt_ifp(s, saddr); 2706 2707 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 2708 off, pd, th, &s->src, &s->dst)) { 2709 REASON_SET(&reason, PFRES_MEMORY); 2710 pool_put(&pf_state_pl, s); 2711 return (PF_DROP); 2712 } 2713 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && 2714 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src, 2715 &s->dst, &rewrite)) { 2716 pf_normalize_tcp_cleanup(s); 2717 pool_put(&pf_state_pl, s); 2718 return (PF_DROP); 2719 } 2720 if (pf_insert_state(s)) { 2721 pf_normalize_tcp_cleanup(s); 2722 REASON_SET(&reason, PFRES_MEMORY); 2723 pool_put(&pf_state_pl, s); 2724 return (PF_DROP); 2725 } else 2726 *sm = s; 2727 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2728 r->keep_state == PF_STATE_SYNPROXY) { 2729 s->src.state = PF_TCPS_PROXY_SRC; 2730 if (nat != NULL) 2731 pf_change_ap(saddr, &th->th_sport, 2732 pd->ip_sum, &th->th_sum, &baddr, 2733 bport, 0, af); 2734 else if (rdr != NULL) 2735 pf_change_ap(daddr, &th->th_dport, 2736 pd->ip_sum, &th->th_sum, &baddr, 2737 bport, 0, af); 2738 s->src.seqhi = arc4random(); 2739 /* Find mss option */ 2740 mss = pf_get_mss(m, off, th->th_off, af); 2741 mss = pf_calc_mss(saddr, af, mss); 2742 mss = pf_calc_mss(daddr, af, mss); 2743 s->src.mss = mss; 2744 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 2745 th->th_sport, s->src.seqhi, 2746 ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, s->src.mss, 0); 2747 return (PF_SYNPROXY_DROP); 2748 } 2749 } 2750 2751 /* copy back packet headers if we performed NAT operations */ 2752 if (rewrite) 2753 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2754 2755 return (PF_PASS); 2756} 2757 2758int 2759pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, 2760 struct ifnet *ifp, struct mbuf *m, int ipoff, int off, void *h, 2761 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2762{ 2763 struct pf_rule *nat = NULL, *rdr = NULL; 2764 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2765 struct pf_addr baddr, naddr; 2766 struct udphdr *uh = pd->hdr.udp; 2767 u_int16_t bport, nport = 0; 2768 sa_family_t af = pd->af; 2769 int lookup = -1; 2770 uid_t uid; 2771 gid_t gid; 2772 struct pf_rule *r, *a = NULL; 2773 struct pf_ruleset *ruleset = NULL; 2774 u_short reason; 2775 int rewrite = 0; 2776 struct pf_tag *pftag = NULL; 2777 int tag = -1; 2778 2779 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2780 2781 if (direction == PF_OUT) { 2782 bport = nport = uh->uh_sport; 2783 /* check outgoing packet for BINAT/NAT */ 2784 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, 2785 saddr, uh->uh_sport, daddr, uh->uh_dport, 2786 &naddr, &nport)) != NULL) { 2787 PF_ACPY(&baddr, saddr, af); 2788 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2789 &uh->uh_sum, &naddr, nport, 1, af); 2790 rewrite++; 2791 if (nat->natpass) 2792 r = NULL; 2793 } 2794 } else { 2795 bport = nport = uh->uh_dport; 2796 /* check incoming packet for BINAT/RDR */ 2797 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 2798 uh->uh_sport, daddr, uh->uh_dport, &naddr, &nport)) 2799 != NULL) { 2800 PF_ACPY(&baddr, daddr, af); 2801 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2802 &uh->uh_sum, &naddr, nport, 1, af); 2803 rewrite++; 2804 if (rdr->natpass) 2805 r = NULL; 2806 } 2807 } 2808 2809 while (r != NULL) { 2810 r->evaluations++; 2811 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 2812 (r->ifp == ifp && r->ifnot))) 2813 r = r->skip[PF_SKIP_IFP].ptr; 2814 else if (r->direction && r->direction != direction) 2815 r = r->skip[PF_SKIP_DIR].ptr; 2816 else if (r->af && r->af != af) 2817 r = r->skip[PF_SKIP_AF].ptr; 2818 else if (r->proto && r->proto != IPPROTO_UDP) 2819 r = r->skip[PF_SKIP_PROTO].ptr; 2820 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2821 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2822 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2823 r->src.port[0], r->src.port[1], uh->uh_sport)) 2824 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2825 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2826 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2827 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2828 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 2829 r = r->skip[PF_SKIP_DST_PORT].ptr; 2830 else if (r->tos && !(r->tos & pd->tos)) 2831 r = TAILQ_NEXT(r, entries); 2832 else if (r->rule_flag & PFRULE_FRAGMENT) 2833 r = TAILQ_NEXT(r, entries); 2834 else if (r->uid.op && (lookup != -1 || (lookup = 2835 pf_socket_lookup(&uid, &gid, direction, af, IPPROTO_UDP, 2836 pd), 1)) && 2837 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2838 uid)) 2839 r = TAILQ_NEXT(r, entries); 2840 else if (r->gid.op && (lookup != -1 || (lookup = 2841 pf_socket_lookup(&uid, &gid, direction, af, IPPROTO_UDP, 2842 pd), 1)) && 2843 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2844 gid)) 2845 r = TAILQ_NEXT(r, entries); 2846 else if (r->match_tag && 2847 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 2848 r = TAILQ_NEXT(r, entries); 2849 else if (r->anchorname[0] && r->anchor == NULL) 2850 r = TAILQ_NEXT(r, entries); 2851 else if (r->os_fingerprint != PF_OSFP_ANY) 2852 r = TAILQ_NEXT(r, entries); 2853 else { 2854 if (r->tag) 2855 tag = r->tag; 2856 if (r->anchor == NULL) { 2857 *rm = r; 2858 *am = a; 2859 *rsm = ruleset; 2860 if ((*rm)->quick) 2861 break; 2862 r = TAILQ_NEXT(r, entries); 2863 } else 2864 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2865 PF_RULESET_FILTER); 2866 } 2867 if (r == NULL && a != NULL) 2868 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2869 PF_RULESET_FILTER); 2870 } 2871 r = *rm; 2872 a = *am; 2873 ruleset = *rsm; 2874 2875 r->packets++; 2876 r->bytes += pd->tot_len; 2877 if (a != NULL) { 2878 a->packets++; 2879 a->bytes += pd->tot_len; 2880 } 2881 REASON_SET(&reason, PFRES_MATCH); 2882 2883 if (r->log) { 2884 if (rewrite) 2885 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 2886 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 2887 } 2888 2889 if ((r->action == PF_DROP) && 2890 ((r->rule_flag & PFRULE_RETURNICMP) || 2891 (r->rule_flag & PFRULE_RETURN))) { 2892 /* undo NAT changes, if they have taken place */ 2893 if (nat != NULL) { 2894 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2895 &uh->uh_sum, &baddr, bport, 1, af); 2896 rewrite++; 2897 } else if (rdr != NULL) { 2898 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2899 &uh->uh_sum, &baddr, bport, 1, af); 2900 rewrite++; 2901 } 2902 if ((af == AF_INET) && r->return_icmp) 2903 pf_send_icmp(m, r->return_icmp >> 8, 2904 r->return_icmp & 255, af, r); 2905 else if ((af == AF_INET6) && r->return_icmp6) 2906 pf_send_icmp(m, r->return_icmp6 >> 8, 2907 r->return_icmp6 & 255, af, r); 2908 } 2909 2910 if (r->action == PF_DROP) 2911 return (PF_DROP); 2912 2913 if (pf_tag_packet(m, pftag, tag)) { 2914 REASON_SET(&reason, PFRES_MEMORY); 2915 return (PF_DROP); 2916 } 2917 2918 if (r->keep_state || nat != NULL || rdr != NULL) { 2919 /* create new state */ 2920 struct pf_state *s = NULL; 2921 2922 if (!r->max_states || r->states < r->max_states) 2923 s = pool_get(&pf_state_pl, PR_NOWAIT); 2924 if (s == NULL) { 2925 REASON_SET(&reason, PFRES_MEMORY); 2926 return (PF_DROP); 2927 } 2928 bzero(s, sizeof(*s)); 2929 r->states++; 2930 if (a != NULL) 2931 a->states++; 2932 s->rule.ptr = r; 2933 if (nat != NULL) 2934 s->nat_rule.ptr = nat; 2935 else 2936 s->nat_rule.ptr = rdr; 2937 if (s->nat_rule.ptr != NULL) 2938 s->nat_rule.ptr->states++; 2939 s->anchor.ptr = a; 2940 s->allow_opts = r->allow_opts; 2941 s->log = r->log & 2; 2942 s->proto = IPPROTO_UDP; 2943 s->direction = direction; 2944 s->af = af; 2945 if (direction == PF_OUT) { 2946 PF_ACPY(&s->gwy.addr, saddr, af); 2947 s->gwy.port = uh->uh_sport; 2948 PF_ACPY(&s->ext.addr, daddr, af); 2949 s->ext.port = uh->uh_dport; 2950 if (nat != NULL) { 2951 PF_ACPY(&s->lan.addr, &baddr, af); 2952 s->lan.port = bport; 2953 } else { 2954 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2955 s->lan.port = s->gwy.port; 2956 } 2957 } else { 2958 PF_ACPY(&s->lan.addr, daddr, af); 2959 s->lan.port = uh->uh_dport; 2960 PF_ACPY(&s->ext.addr, saddr, af); 2961 s->ext.port = uh->uh_sport; 2962 if (rdr != NULL) { 2963 PF_ACPY(&s->gwy.addr, &baddr, af); 2964 s->gwy.port = bport; 2965 } else { 2966 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2967 s->gwy.port = s->lan.port; 2968 } 2969 } 2970 s->src.seqlo = 0; 2971 s->src.seqhi = 0; 2972 s->src.seqdiff = 0; 2973 s->src.max_win = 0; 2974 s->src.state = PFUDPS_SINGLE; 2975 s->dst.seqlo = 0; 2976 s->dst.seqhi = 0; 2977 s->dst.seqdiff = 0; 2978 s->dst.max_win = 0; 2979 s->dst.state = PFUDPS_NO_TRAFFIC; 2980#ifdef __FreeBSD__ 2981 s->creation = time_second; 2982 s->expire = time_second; 2983#else 2984 s->creation = time.tv_sec; 2985 s->expire = time.tv_sec; 2986#endif 2987 s->timeout = PFTM_UDP_FIRST_PACKET; 2988 s->packets[0] = 1; 2989 s->bytes[0] = pd->tot_len; 2990 pf_set_rt_ifp(s, saddr); 2991 if (pf_insert_state(s)) { 2992 REASON_SET(&reason, PFRES_MEMORY); 2993 pool_put(&pf_state_pl, s); 2994 return (PF_DROP); 2995 } else 2996 *sm = s; 2997 } 2998 2999 /* copy back packet headers if we performed NAT operations */ 3000 if (rewrite) 3001 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 3002 3003 return (PF_PASS); 3004} 3005 3006int 3007pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, 3008 struct ifnet *ifp, struct mbuf *m, int ipoff, int off, void *h, 3009 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 3010{ 3011 struct pf_rule *nat = NULL, *rdr = NULL; 3012 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3013 struct pf_addr baddr, naddr; 3014 struct pf_rule *r, *a = NULL; 3015 struct pf_ruleset *ruleset = NULL; 3016 u_short reason; 3017 u_int16_t icmpid; 3018 sa_family_t af = pd->af; 3019 u_int8_t icmptype, icmpcode; 3020 int state_icmp = 0; 3021 struct pf_tag *pftag = NULL; 3022 int tag = -1; 3023#ifdef INET6 3024 int rewrite = 0; 3025#endif /* INET6 */ 3026 3027 switch (pd->proto) { 3028#ifdef INET 3029 case IPPROTO_ICMP: 3030 icmptype = pd->hdr.icmp->icmp_type; 3031 icmpcode = pd->hdr.icmp->icmp_code; 3032 icmpid = pd->hdr.icmp->icmp_id; 3033 3034 if (icmptype == ICMP_UNREACH || 3035 icmptype == ICMP_SOURCEQUENCH || 3036 icmptype == ICMP_REDIRECT || 3037 icmptype == ICMP_TIMXCEED || 3038 icmptype == ICMP_PARAMPROB) 3039 state_icmp++; 3040 break; 3041#endif /* INET */ 3042#ifdef INET6 3043 case IPPROTO_ICMPV6: 3044 icmptype = pd->hdr.icmp6->icmp6_type; 3045 icmpcode = pd->hdr.icmp6->icmp6_code; 3046 icmpid = pd->hdr.icmp6->icmp6_id; 3047 3048 if (icmptype == ICMP6_DST_UNREACH || 3049 icmptype == ICMP6_PACKET_TOO_BIG || 3050 icmptype == ICMP6_TIME_EXCEEDED || 3051 icmptype == ICMP6_PARAM_PROB) 3052 state_icmp++; 3053 break; 3054#endif /* INET6 */ 3055 } 3056 3057 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3058 3059 if (direction == PF_OUT) { 3060 /* check outgoing packet for BINAT/NAT */ 3061 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, saddr, 0, 3062 daddr, 0, &naddr, NULL)) != NULL) { 3063 PF_ACPY(&baddr, saddr, af); 3064 switch (af) { 3065#ifdef INET 3066 case AF_INET: 3067 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3068 naddr.v4.s_addr, 0); 3069 break; 3070#endif /* INET */ 3071#ifdef INET6 3072 case AF_INET6: 3073 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, 3074 &naddr, 0); 3075 rewrite++; 3076 break; 3077#endif /* INET6 */ 3078 } 3079 if (nat->natpass) 3080 r = NULL; 3081 } 3082 } else { 3083 /* check incoming packet for BINAT/RDR */ 3084 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 0, 3085 daddr, 0, &naddr, NULL)) != NULL) { 3086 PF_ACPY(&baddr, daddr, af); 3087 switch (af) { 3088#ifdef INET 3089 case AF_INET: 3090 pf_change_a(&daddr->v4.s_addr, 3091 pd->ip_sum, naddr.v4.s_addr, 0); 3092 break; 3093#endif /* INET */ 3094#ifdef INET6 3095 case AF_INET6: 3096 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, 3097 &naddr, 0); 3098 rewrite++; 3099 break; 3100#endif /* INET6 */ 3101 } 3102 if (rdr->natpass) 3103 r = NULL; 3104 } 3105 } 3106 3107 while (r != NULL) { 3108 r->evaluations++; 3109 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 3110 (r->ifp == ifp && r->ifnot))) 3111 r = r->skip[PF_SKIP_IFP].ptr; 3112 else if (r->direction && r->direction != direction) 3113 r = r->skip[PF_SKIP_DIR].ptr; 3114 else if (r->af && r->af != af) 3115 r = r->skip[PF_SKIP_AF].ptr; 3116 else if (r->proto && r->proto != pd->proto) 3117 r = r->skip[PF_SKIP_PROTO].ptr; 3118 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 3119 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3120 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 3121 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3122 else if (r->type && r->type != icmptype + 1) 3123 r = TAILQ_NEXT(r, entries); 3124 else if (r->code && r->code != icmpcode + 1) 3125 r = TAILQ_NEXT(r, entries); 3126 else if (r->tos && !(r->tos & pd->tos)) 3127 r = TAILQ_NEXT(r, entries); 3128 else if (r->rule_flag & PFRULE_FRAGMENT) 3129 r = TAILQ_NEXT(r, entries); 3130 else if (r->match_tag && 3131 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 3132 r = TAILQ_NEXT(r, entries); 3133 else if (r->anchorname[0] && r->anchor == NULL) 3134 r = TAILQ_NEXT(r, entries); 3135 else if (r->os_fingerprint != PF_OSFP_ANY) 3136 r = TAILQ_NEXT(r, entries); 3137 else { 3138 if (r->tag) 3139 tag = r->tag; 3140 if (r->anchor == NULL) { 3141 *rm = r; 3142 *am = a; 3143 *rsm = ruleset; 3144 if ((*rm)->quick) 3145 break; 3146 r = TAILQ_NEXT(r, entries); 3147 } else 3148 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3149 PF_RULESET_FILTER); 3150 } 3151 if (r == NULL && a != NULL) 3152 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3153 PF_RULESET_FILTER); 3154 } 3155 r = *rm; 3156 a = *am; 3157 ruleset = *rsm; 3158 3159 r->packets++; 3160 r->bytes += pd->tot_len; 3161 if (a != NULL) { 3162 a->packets++; 3163 a->bytes += pd->tot_len; 3164 } 3165 REASON_SET(&reason, PFRES_MATCH); 3166 3167 if (r->log) { 3168#ifdef INET6 3169 if (rewrite) 3170 m_copyback(m, off, sizeof(struct icmp6_hdr), 3171 (caddr_t)pd->hdr.icmp6); 3172#endif /* INET6 */ 3173 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 3174 } 3175 3176 if (r->action != PF_PASS) 3177 return (PF_DROP); 3178 3179 if (pf_tag_packet(m, pftag, tag)) { 3180 REASON_SET(&reason, PFRES_MEMORY); 3181 return (PF_DROP); 3182 } 3183 3184 if (!state_icmp && (r->keep_state || 3185 nat != NULL || rdr != NULL)) { 3186 /* create new state */ 3187 struct pf_state *s = NULL; 3188 3189 if (!r->max_states || r->states < r->max_states) 3190 s = pool_get(&pf_state_pl, PR_NOWAIT); 3191 if (s == NULL) { 3192 REASON_SET(&reason, PFRES_MEMORY); 3193 return (PF_DROP); 3194 } 3195 bzero(s, sizeof(*s)); 3196 r->states++; 3197 if (a != NULL) 3198 a->states++; 3199 s->rule.ptr = r; 3200 if (nat != NULL) 3201 s->nat_rule.ptr = nat; 3202 else 3203 s->nat_rule.ptr = rdr; 3204 if (s->nat_rule.ptr != NULL) 3205 s->nat_rule.ptr->states++; 3206 s->anchor.ptr = a; 3207 s->allow_opts = r->allow_opts; 3208 s->log = r->log & 2; 3209 s->proto = pd->proto; 3210 s->direction = direction; 3211 s->af = af; 3212 if (direction == PF_OUT) { 3213 PF_ACPY(&s->gwy.addr, saddr, af); 3214 s->gwy.port = icmpid; 3215 PF_ACPY(&s->ext.addr, daddr, af); 3216 s->ext.port = icmpid; 3217 if (nat != NULL) 3218 PF_ACPY(&s->lan.addr, &baddr, af); 3219 else 3220 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3221 s->lan.port = icmpid; 3222 } else { 3223 PF_ACPY(&s->lan.addr, daddr, af); 3224 s->lan.port = icmpid; 3225 PF_ACPY(&s->ext.addr, saddr, af); 3226 s->ext.port = icmpid; 3227 if (rdr != NULL) 3228 PF_ACPY(&s->gwy.addr, &baddr, af); 3229 else 3230 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3231 s->gwy.port = icmpid; 3232 } 3233 3234 s->src.seqlo = 0; 3235 s->src.seqhi = 0; 3236 s->src.seqdiff = 0; 3237 s->src.max_win = 0; 3238 s->src.state = 0; 3239 s->dst.seqlo = 0; 3240 s->dst.seqhi = 0; 3241 s->dst.seqdiff = 0; 3242 s->dst.max_win = 0; 3243 s->dst.state = 0; 3244#ifdef __FreeBSD__ 3245 s->creation = time_second; 3246 s->expire = time_second; 3247#else 3248 s->creation = time.tv_sec; 3249 s->expire = time.tv_sec; 3250#endif 3251 s->timeout = PFTM_ICMP_FIRST_PACKET; 3252 s->packets[0] = 1; 3253 s->bytes[0] = pd->tot_len; 3254 pf_set_rt_ifp(s, saddr); 3255 if (pf_insert_state(s)) { 3256 REASON_SET(&reason, PFRES_MEMORY); 3257 pool_put(&pf_state_pl, s); 3258 return (PF_DROP); 3259 } else 3260 *sm = s; 3261 } 3262 3263#ifdef INET6 3264 /* copy back packet headers if we performed IPv6 NAT operations */ 3265 if (rewrite) 3266 m_copyback(m, off, sizeof(struct icmp6_hdr), 3267 (caddr_t)pd->hdr.icmp6); 3268#endif /* INET6 */ 3269 3270 return (PF_PASS); 3271} 3272 3273int 3274pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, 3275 struct ifnet *ifp, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3276 struct pf_rule **am, struct pf_ruleset **rsm) 3277{ 3278 struct pf_rule *nat = NULL, *rdr = NULL; 3279 struct pf_rule *r, *a = NULL; 3280 struct pf_ruleset *ruleset = NULL; 3281 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3282 struct pf_addr baddr, naddr; 3283 sa_family_t af = pd->af; 3284 u_short reason; 3285 struct pf_tag *pftag = NULL; 3286 int tag = -1; 3287 3288 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3289 3290 if (direction == PF_OUT) { 3291 /* check outgoing packet for BINAT/NAT */ 3292 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, saddr, 0, 3293 daddr, 0, &naddr, NULL)) != NULL) { 3294 PF_ACPY(&baddr, saddr, af); 3295 switch (af) { 3296#ifdef INET 3297 case AF_INET: 3298 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3299 naddr.v4.s_addr, 0); 3300 break; 3301#endif /* INET */ 3302#ifdef INET6 3303 case AF_INET6: 3304 PF_ACPY(saddr, &naddr, af); 3305 break; 3306#endif /* INET6 */ 3307 } 3308 if (nat->natpass) 3309 r = NULL; 3310 } 3311 } else { 3312 /* check incoming packet for BINAT/RDR */ 3313 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 0, 3314 daddr, 0, &naddr, NULL)) != NULL) { 3315 PF_ACPY(&baddr, daddr, af); 3316 switch (af) { 3317#ifdef INET 3318 case AF_INET: 3319 pf_change_a(&daddr->v4.s_addr, 3320 pd->ip_sum, naddr.v4.s_addr, 0); 3321 break; 3322#endif /* INET */ 3323#ifdef INET6 3324 case AF_INET6: 3325 PF_ACPY(daddr, &naddr, af); 3326 break; 3327#endif /* INET6 */ 3328 } 3329 if (rdr->natpass) 3330 r = NULL; 3331 } 3332 } 3333 3334 while (r != NULL) { 3335 r->evaluations++; 3336 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 3337 (r->ifp == ifp && r->ifnot))) 3338 r = r->skip[PF_SKIP_IFP].ptr; 3339 else if (r->direction && r->direction != direction) 3340 r = r->skip[PF_SKIP_DIR].ptr; 3341 else if (r->af && r->af != af) 3342 r = r->skip[PF_SKIP_AF].ptr; 3343 else if (r->proto && r->proto != pd->proto) 3344 r = r->skip[PF_SKIP_PROTO].ptr; 3345 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3346 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3347 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3348 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3349 else if (r->tos && !(r->tos & pd->tos)) 3350 r = TAILQ_NEXT(r, entries); 3351 else if (r->rule_flag & PFRULE_FRAGMENT) 3352 r = TAILQ_NEXT(r, entries); 3353 else if (r->match_tag && 3354 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 3355 r = TAILQ_NEXT(r, entries); 3356 else if (r->anchorname[0] && r->anchor == NULL) 3357 r = TAILQ_NEXT(r, entries); 3358 else if (r->os_fingerprint != PF_OSFP_ANY) 3359 r = TAILQ_NEXT(r, entries); 3360 else { 3361 if (r->tag) 3362 tag = r->tag; 3363 if (r->anchor == NULL) { 3364 *rm = r; 3365 *am = a; 3366 *rsm = ruleset; 3367 if ((*rm)->quick) 3368 break; 3369 r = TAILQ_NEXT(r, entries); 3370 } else 3371 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3372 PF_RULESET_FILTER); 3373 } 3374 if (r == NULL && a != NULL) 3375 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3376 PF_RULESET_FILTER); 3377 } 3378 r = *rm; 3379 a = *am; 3380 ruleset = *rsm; 3381 3382 r->packets++; 3383 r->bytes += pd->tot_len; 3384 if (a != NULL) { 3385 a->packets++; 3386 a->bytes += pd->tot_len; 3387 } 3388 REASON_SET(&reason, PFRES_MATCH); 3389 if (r->log) 3390 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 3391 3392 if ((r->action == PF_DROP) && 3393 ((r->rule_flag & PFRULE_RETURNICMP) || 3394 (r->rule_flag & PFRULE_RETURN))) { 3395 struct pf_addr *a = NULL; 3396 3397 if (nat != NULL) 3398 a = saddr; 3399 else if (rdr != NULL) 3400 a = daddr; 3401 if (a != NULL) { 3402 switch (af) { 3403#ifdef INET 3404 case AF_INET: 3405 pf_change_a(&a->v4.s_addr, pd->ip_sum, 3406 baddr.v4.s_addr, 0); 3407 break; 3408#endif /* INET */ 3409#ifdef INET6 3410 case AF_INET6: 3411 PF_ACPY(a, &baddr, af); 3412 break; 3413#endif /* INET6 */ 3414 } 3415 } 3416 if ((af == AF_INET) && r->return_icmp) 3417 pf_send_icmp(m, r->return_icmp >> 8, 3418 r->return_icmp & 255, af, r); 3419 else if ((af == AF_INET6) && r->return_icmp6) 3420 pf_send_icmp(m, r->return_icmp6 >> 8, 3421 r->return_icmp6 & 255, af, r); 3422 } 3423 3424 if (r->action != PF_PASS) 3425 return (PF_DROP); 3426 3427 if (pf_tag_packet(m, pftag, tag)) { 3428 REASON_SET(&reason, PFRES_MEMORY); 3429 return (PF_DROP); 3430 } 3431 3432 if (r->keep_state || nat != NULL || rdr != NULL) { 3433 /* create new state */ 3434 struct pf_state *s = NULL; 3435 3436 if (!r->max_states || r->states < r->max_states) 3437 s = pool_get(&pf_state_pl, PR_NOWAIT); 3438 if (s == NULL) { 3439 REASON_SET(&reason, PFRES_MEMORY); 3440 return (PF_DROP); 3441 } 3442 bzero(s, sizeof(*s)); 3443 r->states++; 3444 if (a != NULL) 3445 a->states++; 3446 s->rule.ptr = r; 3447 if (nat != NULL) 3448 s->nat_rule.ptr = nat; 3449 else 3450 s->nat_rule.ptr = rdr; 3451 if (s->nat_rule.ptr != NULL) 3452 s->nat_rule.ptr->states++; 3453 s->anchor.ptr = a; 3454 s->allow_opts = r->allow_opts; 3455 s->log = r->log & 2; 3456 s->proto = pd->proto; 3457 s->direction = direction; 3458 s->af = af; 3459 if (direction == PF_OUT) { 3460 PF_ACPY(&s->gwy.addr, saddr, af); 3461 s->gwy.port = 0; 3462 PF_ACPY(&s->ext.addr, daddr, af); 3463 s->ext.port = 0; 3464 if (nat != NULL) 3465 PF_ACPY(&s->lan.addr, &baddr, af); 3466 else 3467 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3468 s->lan.port = 0; 3469 } else { 3470 PF_ACPY(&s->lan.addr, daddr, af); 3471 s->lan.port = 0; 3472 PF_ACPY(&s->ext.addr, saddr, af); 3473 s->ext.port = 0; 3474 if (rdr != NULL) 3475 PF_ACPY(&s->gwy.addr, &baddr, af); 3476 else 3477 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3478 s->gwy.port = 0; 3479 } 3480 s->src.seqlo = 0; 3481 s->src.seqhi = 0; 3482 s->src.seqdiff = 0; 3483 s->src.max_win = 0; 3484 s->src.state = PFOTHERS_SINGLE; 3485 s->dst.seqlo = 0; 3486 s->dst.seqhi = 0; 3487 s->dst.seqdiff = 0; 3488 s->dst.max_win = 0; 3489 s->dst.state = PFOTHERS_NO_TRAFFIC; 3490#ifdef __FreeBSD__ 3491 s->creation = time_second; 3492 s->expire = time_second; 3493#else 3494 s->creation = time.tv_sec; 3495 s->expire = time.tv_sec; 3496#endif 3497 s->timeout = PFTM_OTHER_FIRST_PACKET; 3498 s->packets[0] = 1; 3499 s->bytes[0] = pd->tot_len; 3500 pf_set_rt_ifp(s, saddr); 3501 if (pf_insert_state(s)) { 3502 REASON_SET(&reason, PFRES_MEMORY); 3503 if (r->log) 3504 PFLOG_PACKET(ifp, h, m, af, direction, reason, 3505 r, a, ruleset); 3506 pool_put(&pf_state_pl, s); 3507 return (PF_DROP); 3508 } else 3509 *sm = s; 3510 } 3511 3512 return (PF_PASS); 3513} 3514 3515int 3516pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp, 3517 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, 3518 struct pf_ruleset **rsm) 3519{ 3520 struct pf_rule *r, *a = NULL; 3521 struct pf_ruleset *ruleset = NULL; 3522 sa_family_t af = pd->af; 3523 u_short reason; 3524 struct pf_tag *pftag = NULL; 3525 int tag = -1; 3526 3527 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3528 while (r != NULL) { 3529 r->evaluations++; 3530 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 3531 (r->ifp == ifp && r->ifnot))) 3532 r = r->skip[PF_SKIP_IFP].ptr; 3533 else if (r->direction && r->direction != direction) 3534 r = r->skip[PF_SKIP_DIR].ptr; 3535 else if (r->af && r->af != af) 3536 r = r->skip[PF_SKIP_AF].ptr; 3537 else if (r->proto && r->proto != pd->proto) 3538 r = r->skip[PF_SKIP_PROTO].ptr; 3539 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3540 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3541 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3542 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3543 else if (r->tos && !(r->tos & pd->tos)) 3544 r = TAILQ_NEXT(r, entries); 3545 else if (r->src.port_op || r->dst.port_op || 3546 r->flagset || r->type || r->code || 3547 r->os_fingerprint != PF_OSFP_ANY) 3548 r = TAILQ_NEXT(r, entries); 3549 else if (r->match_tag && 3550 !pf_match_tag(m, r, NULL, NULL, pftag, &tag)) 3551 r = TAILQ_NEXT(r, entries); 3552 else if (r->anchorname[0] && r->anchor == NULL) 3553 r = TAILQ_NEXT(r, entries); 3554 else { 3555 if (r->anchor == NULL) { 3556 *rm = r; 3557 *am = a; 3558 *rsm = ruleset; 3559 if ((*rm)->quick) 3560 break; 3561 r = TAILQ_NEXT(r, entries); 3562 } else 3563 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3564 PF_RULESET_FILTER); 3565 } 3566 if (r == NULL && a != NULL) 3567 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3568 PF_RULESET_FILTER); 3569 } 3570 r = *rm; 3571 a = *am; 3572 ruleset = *rsm; 3573 3574 r->packets++; 3575 r->bytes += pd->tot_len; 3576 if (a != NULL) { 3577 a->packets++; 3578 a->bytes += pd->tot_len; 3579 } 3580 REASON_SET(&reason, PFRES_MATCH); 3581 if (r->log) 3582 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 3583 3584 if (r->action != PF_PASS) 3585 return (PF_DROP); 3586 3587 if (pf_tag_packet(m, pftag, tag)) { 3588 REASON_SET(&reason, PFRES_MEMORY); 3589 return (PF_DROP); 3590 } 3591 3592 return (PF_PASS); 3593} 3594 3595int 3596pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp, 3597 struct mbuf *m, int ipoff, int off, void *h, struct pf_pdesc *pd, 3598 u_short *reason) 3599{ 3600 struct pf_tree_node key; 3601 struct tcphdr *th = pd->hdr.tcp; 3602 u_int16_t win = ntohs(th->th_win); 3603 u_int32_t ack, end, seq; 3604 u_int8_t sws, dws; 3605 int ackskew, dirndx; 3606 int copyback = 0; 3607 struct pf_state_peer *src, *dst; 3608 3609 key.af = pd->af; 3610 key.proto = IPPROTO_TCP; 3611 PF_ACPY(&key.addr[0], pd->src, key.af); 3612 PF_ACPY(&key.addr[1], pd->dst, key.af); 3613 key.port[0] = th->th_sport; 3614 key.port[1] = th->th_dport; 3615 3616 STATE_LOOKUP(); 3617 3618 if (direction == (*state)->direction) { 3619 src = &(*state)->src; 3620 dst = &(*state)->dst; 3621 dirndx = 0; 3622 } else { 3623 src = &(*state)->dst; 3624 dst = &(*state)->src; 3625 dirndx = 1; 3626 } 3627 3628 if ((*state)->src.state == PF_TCPS_PROXY_SRC) { 3629 if (direction != (*state)->direction) 3630 return (PF_SYNPROXY_DROP); 3631 if (th->th_flags & TH_SYN) { 3632 if (ntohl(th->th_seq) != (*state)->src.seqlo) 3633 return (PF_DROP); 3634 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3635 pd->src, th->th_dport, th->th_sport, 3636 (*state)->src.seqhi, ntohl(th->th_seq) + 1, 3637 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0); 3638 return (PF_SYNPROXY_DROP); 3639 } else if (!(th->th_flags & TH_ACK) || 3640 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3641 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3642 return (PF_DROP); 3643 else 3644 (*state)->src.state = PF_TCPS_PROXY_DST; 3645 } 3646 if ((*state)->src.state == PF_TCPS_PROXY_DST) { 3647 struct pf_state_host *src, *dst; 3648 3649 if (direction == PF_OUT) { 3650 src = &(*state)->gwy; 3651 dst = &(*state)->ext; 3652 } else { 3653 src = &(*state)->ext; 3654 dst = &(*state)->lan; 3655 } 3656 if (direction == (*state)->direction) { 3657 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || 3658 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3659 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3660 return (PF_DROP); 3661 (*state)->src.max_win = MAX(ntohs(th->th_win), 1); 3662 if ((*state)->dst.seqhi == 1) 3663 (*state)->dst.seqhi = arc4random(); 3664 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3665 &dst->addr, src->port, dst->port, 3666 (*state)->dst.seqhi, 0, TH_SYN, 0, (*state)->src.mss, 0); 3667 return (PF_SYNPROXY_DROP); 3668 } else if (((th->th_flags & (TH_SYN|TH_ACK)) != 3669 (TH_SYN|TH_ACK)) || 3670 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) 3671 return (PF_DROP); 3672 else { 3673 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); 3674 (*state)->dst.seqlo = ntohl(th->th_seq); 3675 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3676 pd->src, th->th_dport, th->th_sport, 3677 ntohl(th->th_ack), ntohl(th->th_seq) + 1, 3678 TH_ACK, (*state)->src.max_win, 0, 0); 3679 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3680 &dst->addr, src->port, dst->port, 3681 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, 3682 TH_ACK, (*state)->dst.max_win, 0, 0); 3683 (*state)->src.seqdiff = (*state)->dst.seqhi - 3684 (*state)->src.seqlo; 3685 (*state)->dst.seqdiff = (*state)->src.seqhi - 3686 (*state)->dst.seqlo; 3687 (*state)->src.seqhi = (*state)->src.seqlo + 3688 (*state)->src.max_win; 3689 (*state)->dst.seqhi = (*state)->dst.seqlo + 3690 (*state)->dst.max_win; 3691 (*state)->src.wscale = (*state)->dst.wscale = 0; 3692 (*state)->src.state = (*state)->dst.state = 3693 TCPS_ESTABLISHED; 3694 return (PF_SYNPROXY_DROP); 3695 } 3696 } 3697 3698 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 3699 sws = src->wscale & PF_WSCALE_MASK; 3700 dws = dst->wscale & PF_WSCALE_MASK; 3701 } else 3702 sws = dws = 0; 3703 3704 /* 3705 * Sequence tracking algorithm from Guido van Rooij's paper: 3706 * http://www.madison-gurkha.com/publications/tcp_filtering/ 3707 * tcp_filtering.ps 3708 */ 3709 3710 seq = ntohl(th->th_seq); 3711 if (src->seqlo == 0) { 3712 /* First packet from this end. Set its state */ 3713 3714 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && 3715 src->scrub == NULL) { 3716 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 3717 REASON_SET(reason, PFRES_MEMORY); 3718 return (PF_DROP); 3719 } 3720 } 3721 3722 /* Deferred generation of sequence number modulator */ 3723 if (dst->seqdiff && !src->seqdiff) { 3724 while ((src->seqdiff = arc4random()) == 0) 3725 ; 3726 ack = ntohl(th->th_ack) - dst->seqdiff; 3727 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3728 src->seqdiff), 0); 3729 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3730 copyback = 1; 3731 } else { 3732 ack = ntohl(th->th_ack); 3733 } 3734 3735 end = seq + pd->p_len; 3736 if (th->th_flags & TH_SYN) { 3737 end++; 3738 if (dst->wscale & PF_WSCALE_FLAG) { 3739 src->wscale = pf_get_wscale(m, off, th->th_off, 3740 pd->af); 3741 if (src->wscale & PF_WSCALE_FLAG) { 3742 /* Remove scale factor from initial 3743 * window */ 3744 sws = src->wscale & PF_WSCALE_MASK; 3745 win = ((u_int32_t)win + (1 << sws) - 1) 3746 >> sws; 3747 dws = dst->wscale & PF_WSCALE_MASK; 3748 } else { 3749 /* fixup other window */ 3750 dst->max_win <<= dst->wscale & 3751 PF_WSCALE_MASK; 3752 /* in case of a retrans SYN|ACK */ 3753 dst->wscale = 0; 3754 } 3755 } 3756 } 3757 if (th->th_flags & TH_FIN) 3758 end++; 3759 3760 src->seqlo = seq; 3761 if (src->state < TCPS_SYN_SENT) 3762 src->state = TCPS_SYN_SENT; 3763 3764 /* 3765 * May need to slide the window (seqhi may have been set by 3766 * the crappy stack check or if we picked up the connection 3767 * after establishment) 3768 */ 3769 if (src->seqhi == 1 || 3770 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) 3771 src->seqhi = end + MAX(1, dst->max_win << dws); 3772 if (win > src->max_win) 3773 src->max_win = win; 3774 3775 } else { 3776 ack = ntohl(th->th_ack) - dst->seqdiff; 3777 if (src->seqdiff) { 3778 /* Modulate sequence numbers */ 3779 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3780 src->seqdiff), 0); 3781 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3782 copyback = 1; 3783 } 3784 end = seq + pd->p_len; 3785 if (th->th_flags & TH_SYN) 3786 end++; 3787 if (th->th_flags & TH_FIN) 3788 end++; 3789 } 3790 3791 if ((th->th_flags & TH_ACK) == 0) { 3792 /* Let it pass through the ack skew check */ 3793 ack = dst->seqlo; 3794 } else if ((ack == 0 && 3795 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || 3796 /* broken tcp stacks do not set ack */ 3797 (dst->state < TCPS_SYN_SENT)) { 3798 /* 3799 * Many stacks (ours included) will set the ACK number in an 3800 * FIN|ACK if the SYN times out -- no sequence to ACK. 3801 */ 3802 ack = dst->seqlo; 3803 } 3804 3805 if (seq == end) { 3806 /* Ease sequencing restrictions on no data packets */ 3807 seq = src->seqlo; 3808 end = seq; 3809 } 3810 3811 ackskew = dst->seqlo - ack; 3812 3813#define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ 3814 if (SEQ_GEQ(src->seqhi, end) && 3815 /* Last octet inside other's window space */ 3816 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 3817 /* Retrans: not more than one window back */ 3818 (ackskew >= -MAXACKWINDOW) && 3819 /* Acking not more than one reassembled fragment backwards */ 3820 (ackskew <= (MAXACKWINDOW << sws))) { 3821 /* Acking not more than one window forward */ 3822 3823 (*state)->packets[dirndx]++; 3824 (*state)->bytes[dirndx] += pd->tot_len; 3825 3826 /* update max window */ 3827 if (src->max_win < win) 3828 src->max_win = win; 3829 /* synchronize sequencing */ 3830 if (SEQ_GT(end, src->seqlo)) 3831 src->seqlo = end; 3832 /* slide the window of what the other end can send */ 3833 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3834 dst->seqhi = ack + MAX((win << sws), 1); 3835 3836 3837 /* update states */ 3838 if (th->th_flags & TH_SYN) 3839 if (src->state < TCPS_SYN_SENT) 3840 src->state = TCPS_SYN_SENT; 3841 if (th->th_flags & TH_FIN) 3842 if (src->state < TCPS_CLOSING) 3843 src->state = TCPS_CLOSING; 3844 if (th->th_flags & TH_ACK) { 3845 if (dst->state == TCPS_SYN_SENT) 3846 dst->state = TCPS_ESTABLISHED; 3847 else if (dst->state == TCPS_CLOSING) 3848 dst->state = TCPS_FIN_WAIT_2; 3849 } 3850 if (th->th_flags & TH_RST) 3851 src->state = dst->state = TCPS_TIME_WAIT; 3852 3853 /* update expire time */ 3854#ifdef __FreeBSD__ 3855 (*state)->expire = time_second; 3856#else 3857 (*state)->expire = time.tv_sec; 3858#endif 3859 if (src->state >= TCPS_FIN_WAIT_2 && 3860 dst->state >= TCPS_FIN_WAIT_2) 3861 (*state)->timeout = PFTM_TCP_CLOSED; 3862 else if (src->state >= TCPS_FIN_WAIT_2 || 3863 dst->state >= TCPS_FIN_WAIT_2) 3864 (*state)->timeout = PFTM_TCP_FIN_WAIT; 3865 else if (src->state < TCPS_ESTABLISHED || 3866 dst->state < TCPS_ESTABLISHED) 3867 (*state)->timeout = PFTM_TCP_OPENING; 3868 else if (src->state >= TCPS_CLOSING || 3869 dst->state >= TCPS_CLOSING) 3870 (*state)->timeout = PFTM_TCP_CLOSING; 3871 else 3872 (*state)->timeout = PFTM_TCP_ESTABLISHED; 3873 3874 /* Fall through to PASS packet */ 3875 3876 } else if ((dst->state < TCPS_SYN_SENT || 3877 dst->state >= TCPS_FIN_WAIT_2 || 3878 src->state >= TCPS_FIN_WAIT_2) && 3879 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && 3880 /* Within a window forward of the originating packet */ 3881 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { 3882 /* Within a window backward of the originating packet */ 3883 3884 /* 3885 * This currently handles three situations: 3886 * 1) Stupid stacks will shotgun SYNs before their peer 3887 * replies. 3888 * 2) When PF catches an already established stream (the 3889 * firewall rebooted, the state table was flushed, routes 3890 * changed...) 3891 * 3) Packets get funky immediately after the connection 3892 * closes (this should catch Solaris spurious ACK|FINs 3893 * that web servers like to spew after a close) 3894 * 3895 * This must be a little more careful than the above code 3896 * since packet floods will also be caught here. We don't 3897 * update the TTL here to mitigate the damage of a packet 3898 * flood and so the same code can handle awkward establishment 3899 * and a loosened connection close. 3900 * In the establishment case, a correct peer response will 3901 * validate the connection, go through the normal state code 3902 * and keep updating the state TTL. 3903 */ 3904 3905 if (pf_status.debug >= PF_DEBUG_MISC) { 3906 printf("pf: loose state match: "); 3907 pf_print_state(*state); 3908 pf_print_flags(th->th_flags); 3909 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 3910 seq, ack, pd->p_len, ackskew, 3911 (*state)->packets[0], (*state)->packets[1]); 3912 } 3913 3914 (*state)->packets[dirndx]++; 3915 (*state)->bytes[dirndx] += pd->tot_len; 3916 3917 /* update max window */ 3918 if (src->max_win < win) 3919 src->max_win = win; 3920 /* synchronize sequencing */ 3921 if (SEQ_GT(end, src->seqlo)) 3922 src->seqlo = end; 3923 /* slide the window of what the other end can send */ 3924 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3925 dst->seqhi = ack + MAX((win << sws), 1); 3926 3927 /* 3928 * Cannot set dst->seqhi here since this could be a shotgunned 3929 * SYN and not an already established connection. 3930 */ 3931 3932 if (th->th_flags & TH_FIN) 3933 if (src->state < TCPS_CLOSING) 3934 src->state = TCPS_CLOSING; 3935 if (th->th_flags & TH_RST) 3936 src->state = dst->state = TCPS_TIME_WAIT; 3937 3938 /* Fall through to PASS packet */ 3939 3940 } else { 3941 if ((*state)->dst.state == TCPS_SYN_SENT && 3942 (*state)->src.state == TCPS_SYN_SENT) { 3943 /* Send RST for state mismatches during handshake */ 3944 if (!(th->th_flags & TH_RST)) { 3945 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 3946 3947 if (th->th_flags & TH_SYN) 3948 ack++; 3949 if (th->th_flags & TH_FIN) 3950 ack++; 3951 pf_send_tcp((*state)->rule.ptr, pd->af, 3952 pd->dst, pd->src, th->th_dport, 3953 th->th_sport, ntohl(th->th_ack), ack, 3954 TH_RST|TH_ACK, 0, 0, 3955 (*state)->rule.ptr->return_ttl); 3956 } 3957 src->seqlo = 0; 3958 src->seqhi = 1; 3959 src->max_win = 1; 3960 } else if (pf_status.debug >= PF_DEBUG_MISC) { 3961 printf("pf: BAD state: "); 3962 pf_print_state(*state); 3963 pf_print_flags(th->th_flags); 3964 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " 3965 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew, 3966 (*state)->packets[0], (*state)->packets[1], 3967 direction == PF_IN ? "in" : "out", 3968 direction == (*state)->direction ? "fwd" : "rev"); 3969 printf("pf: State failure on: %c %c %c %c | %c %c\n", 3970 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 3971 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 3972 ' ': '2', 3973 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 3974 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 3975 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 3976 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 3977 } 3978 return (PF_DROP); 3979 } 3980 3981 if (dst->scrub || src->scrub) { 3982 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, src, dst, 3983 ©back)) 3984 return (PF_DROP); 3985 } 3986 3987 /* Any packets which have gotten here are to be passed */ 3988 3989 /* translate source/destination address, if necessary */ 3990 if (STATE_TRANSLATE(*state)) { 3991 if (direction == PF_OUT) 3992 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 3993 &th->th_sum, &(*state)->gwy.addr, 3994 (*state)->gwy.port, 0, pd->af); 3995 else 3996 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, 3997 &th->th_sum, &(*state)->lan.addr, 3998 (*state)->lan.port, 0, pd->af); 3999 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4000 } else if (copyback) { 4001 /* Copyback sequence modulation or stateful scrub changes */ 4002 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4003 } 4004 4005 (*state)->rule.ptr->packets++; 4006 (*state)->rule.ptr->bytes += pd->tot_len; 4007 if ((*state)->nat_rule.ptr != NULL) { 4008 (*state)->nat_rule.ptr->packets++; 4009 (*state)->nat_rule.ptr->bytes += pd->tot_len; 4010 } 4011 if ((*state)->anchor.ptr != NULL) { 4012 (*state)->anchor.ptr->packets++; 4013 (*state)->anchor.ptr->bytes += pd->tot_len; 4014 } 4015 return (PF_PASS); 4016} 4017 4018int 4019pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp, 4020 struct mbuf *m, int ipoff, int off, void *h, struct pf_pdesc *pd) 4021{ 4022 struct pf_state_peer *src, *dst; 4023 struct pf_tree_node key; 4024 struct udphdr *uh = pd->hdr.udp; 4025 int dirndx; 4026 4027 key.af = pd->af; 4028 key.proto = IPPROTO_UDP; 4029 PF_ACPY(&key.addr[0], pd->src, key.af); 4030 PF_ACPY(&key.addr[1], pd->dst, key.af); 4031 key.port[0] = uh->uh_sport; 4032 key.port[1] = uh->uh_dport; 4033 4034 STATE_LOOKUP(); 4035 4036 if (direction == (*state)->direction) { 4037 src = &(*state)->src; 4038 dst = &(*state)->dst; 4039 dirndx = 0; 4040 } else { 4041 src = &(*state)->dst; 4042 dst = &(*state)->src; 4043 dirndx = 1; 4044 } 4045 4046 (*state)->packets[dirndx]++; 4047 (*state)->bytes[dirndx] += pd->tot_len; 4048 4049 /* update states */ 4050 if (src->state < PFUDPS_SINGLE) 4051 src->state = PFUDPS_SINGLE; 4052 if (dst->state == PFUDPS_SINGLE) 4053 dst->state = PFUDPS_MULTIPLE; 4054 4055 /* update expire time */ 4056#ifdef __FreeBSD__ 4057 (*state)->expire = time_second; 4058#else 4059 (*state)->expire = time.tv_sec; 4060#endif 4061 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 4062 (*state)->timeout = PFTM_UDP_MULTIPLE; 4063 else 4064 (*state)->timeout = PFTM_UDP_SINGLE; 4065 4066 /* translate source/destination address, if necessary */ 4067 if (STATE_TRANSLATE(*state)) { 4068 if (direction == PF_OUT) 4069 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, 4070 &uh->uh_sum, &(*state)->gwy.addr, 4071 (*state)->gwy.port, 1, pd->af); 4072 else 4073 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, 4074 &uh->uh_sum, &(*state)->lan.addr, 4075 (*state)->lan.port, 1, pd->af); 4076 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 4077 } 4078 4079 (*state)->rule.ptr->packets++; 4080 (*state)->rule.ptr->bytes += pd->tot_len; 4081 if ((*state)->nat_rule.ptr != NULL) { 4082 (*state)->nat_rule.ptr->packets++; 4083 (*state)->nat_rule.ptr->bytes += pd->tot_len; 4084 } 4085 if ((*state)->anchor.ptr != NULL) { 4086 (*state)->anchor.ptr->packets++; 4087 (*state)->anchor.ptr->bytes += pd->tot_len; 4088 } 4089 return (PF_PASS); 4090} 4091 4092int 4093pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, 4094 struct mbuf *m, int ipoff, int off, void *h, struct pf_pdesc *pd) 4095{ 4096 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 4097 u_int16_t icmpid, *icmpsum; 4098 u_int8_t icmptype; 4099 int state_icmp = 0, dirndx; 4100 4101 switch (pd->proto) { 4102#ifdef INET 4103 case IPPROTO_ICMP: 4104 icmptype = pd->hdr.icmp->icmp_type; 4105 icmpid = pd->hdr.icmp->icmp_id; 4106 icmpsum = &pd->hdr.icmp->icmp_cksum; 4107 4108 if (icmptype == ICMP_UNREACH || 4109 icmptype == ICMP_SOURCEQUENCH || 4110 icmptype == ICMP_REDIRECT || 4111 icmptype == ICMP_TIMXCEED || 4112 icmptype == ICMP_PARAMPROB) 4113 state_icmp++; 4114 break; 4115#endif /* INET */ 4116#ifdef INET6 4117 case IPPROTO_ICMPV6: 4118 icmptype = pd->hdr.icmp6->icmp6_type; 4119 icmpid = pd->hdr.icmp6->icmp6_id; 4120 icmpsum = &pd->hdr.icmp6->icmp6_cksum; 4121 4122 if (icmptype == ICMP6_DST_UNREACH || 4123 icmptype == ICMP6_PACKET_TOO_BIG || 4124 icmptype == ICMP6_TIME_EXCEEDED || 4125 icmptype == ICMP6_PARAM_PROB) 4126 state_icmp++; 4127 break; 4128#endif /* INET6 */ 4129 } 4130 4131 if (!state_icmp) { 4132 4133 /* 4134 * ICMP query/reply message not related to a TCP/UDP packet. 4135 * Search for an ICMP state. 4136 */ 4137 struct pf_tree_node key; 4138 4139 key.af = pd->af; 4140 key.proto = pd->proto; 4141 PF_ACPY(&key.addr[0], saddr, key.af); 4142 PF_ACPY(&key.addr[1], daddr, key.af); 4143 key.port[0] = icmpid; 4144 key.port[1] = icmpid; 4145 4146 STATE_LOOKUP(); 4147 4148 dirndx = (direction == (*state)->direction) ? 0 : 1; 4149 (*state)->packets[dirndx]++; 4150 (*state)->bytes[dirndx] += pd->tot_len; 4151#ifdef __FreeBSD__ 4152 (*state)->expire = time_second; 4153#else 4154 (*state)->expire = time.tv_sec; 4155#endif 4156 (*state)->timeout = PFTM_ICMP_ERROR_REPLY; 4157 4158 /* translate source/destination address, if necessary */ 4159 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) { 4160 if (direction == PF_OUT) { 4161 switch (pd->af) { 4162#ifdef INET 4163 case AF_INET: 4164 pf_change_a(&saddr->v4.s_addr, 4165 pd->ip_sum, 4166 (*state)->gwy.addr.v4.s_addr, 0); 4167 break; 4168#endif /* INET */ 4169#ifdef INET6 4170 case AF_INET6: 4171 pf_change_a6(saddr, 4172 &pd->hdr.icmp6->icmp6_cksum, 4173 &(*state)->gwy.addr, 0); 4174 m_copyback(m, off, 4175 sizeof(struct icmp6_hdr), 4176 (caddr_t)pd->hdr.icmp6); 4177 break; 4178#endif /* INET6 */ 4179 } 4180 } else { 4181 switch (pd->af) { 4182#ifdef INET 4183 case AF_INET: 4184 pf_change_a(&daddr->v4.s_addr, 4185 pd->ip_sum, 4186 (*state)->lan.addr.v4.s_addr, 0); 4187 break; 4188#endif /* INET */ 4189#ifdef INET6 4190 case AF_INET6: 4191 pf_change_a6(daddr, 4192 &pd->hdr.icmp6->icmp6_cksum, 4193 &(*state)->lan.addr, 0); 4194 m_copyback(m, off, 4195 sizeof(struct icmp6_hdr), 4196 (caddr_t)pd->hdr.icmp6); 4197 break; 4198#endif /* INET6 */ 4199 } 4200 } 4201 } 4202 4203 return (PF_PASS); 4204 4205 } else { 4206 /* 4207 * ICMP error message in response to a TCP/UDP packet. 4208 * Extract the inner TCP/UDP header and search for that state. 4209 */ 4210 4211 struct pf_pdesc pd2; 4212#ifdef INET 4213 struct ip h2; 4214#endif /* INET */ 4215#ifdef INET6 4216 struct ip6_hdr h2_6; 4217 int terminal = 0; 4218#endif /* INET6 */ 4219 int ipoff2; 4220 int off2; 4221 4222 pd2.af = pd->af; 4223 switch (pd->af) { 4224#ifdef INET 4225 case AF_INET: 4226 /* offset of h2 in mbuf chain */ 4227 ipoff2 = off + ICMP_MINLEN; 4228 4229 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), 4230 NULL, NULL, pd2.af)) { 4231 DPFPRINTF(PF_DEBUG_MISC, 4232 ("pf: ICMP error message too short " 4233 "(ip)\n")); 4234 return (PF_DROP); 4235 } 4236 /* 4237 * ICMP error messages don't refer to non-first 4238 * fragments 4239 */ 4240 if (h2.ip_off & htons(IP_OFFMASK)) 4241 return (PF_DROP); 4242 4243 /* offset of protocol header that follows h2 */ 4244 off2 = ipoff2 + (h2.ip_hl << 2); 4245 4246 pd2.proto = h2.ip_p; 4247 pd2.src = (struct pf_addr *)&h2.ip_src; 4248 pd2.dst = (struct pf_addr *)&h2.ip_dst; 4249 pd2.ip_sum = &h2.ip_sum; 4250 break; 4251#endif /* INET */ 4252#ifdef INET6 4253 case AF_INET6: 4254 ipoff2 = off + sizeof(struct icmp6_hdr); 4255 4256 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), 4257 NULL, NULL, pd2.af)) { 4258 DPFPRINTF(PF_DEBUG_MISC, 4259 ("pf: ICMP error message too short " 4260 "(ip6)\n")); 4261 return (PF_DROP); 4262 } 4263 pd2.proto = h2_6.ip6_nxt; 4264 pd2.src = (struct pf_addr *)&h2_6.ip6_src; 4265 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; 4266 pd2.ip_sum = NULL; 4267 off2 = ipoff2 + sizeof(h2_6); 4268 do { 4269 switch (pd2.proto) { 4270 case IPPROTO_FRAGMENT: 4271 /* 4272 * ICMPv6 error messages for 4273 * non-first fragments 4274 */ 4275 return (PF_DROP); 4276 case IPPROTO_AH: 4277 case IPPROTO_HOPOPTS: 4278 case IPPROTO_ROUTING: 4279 case IPPROTO_DSTOPTS: { 4280 /* get next header and header length */ 4281 struct ip6_ext opt6; 4282 4283 if (!pf_pull_hdr(m, off2, &opt6, 4284 sizeof(opt6), NULL, NULL, pd2.af)) { 4285 DPFPRINTF(PF_DEBUG_MISC, 4286 ("pf: ICMPv6 short opt\n")); 4287 return (PF_DROP); 4288 } 4289 if (pd2.proto == IPPROTO_AH) 4290 off2 += (opt6.ip6e_len + 2) * 4; 4291 else 4292 off2 += (opt6.ip6e_len + 1) * 8; 4293 pd2.proto = opt6.ip6e_nxt; 4294 /* goto the next header */ 4295 break; 4296 } 4297 default: 4298 terminal++; 4299 break; 4300 } 4301 } while (!terminal); 4302 break; 4303#endif /* INET6 */ 4304 } 4305 4306 switch (pd2.proto) { 4307 case IPPROTO_TCP: { 4308 struct tcphdr th; 4309 u_int32_t seq; 4310 struct pf_tree_node key; 4311 struct pf_state_peer *src, *dst; 4312 u_int8_t dws; 4313 4314 /* 4315 * Only the first 8 bytes of the TCP header can be 4316 * expected. Don't access any TCP header fields after 4317 * th_seq, an ackskew test is not possible. 4318 */ 4319 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) { 4320 DPFPRINTF(PF_DEBUG_MISC, 4321 ("pf: ICMP error message too short " 4322 "(tcp)\n")); 4323 return (PF_DROP); 4324 } 4325 4326 key.af = pd2.af; 4327 key.proto = IPPROTO_TCP; 4328 PF_ACPY(&key.addr[0], pd2.dst, pd2.af); 4329 key.port[0] = th.th_dport; 4330 PF_ACPY(&key.addr[1], pd2.src, pd2.af); 4331 key.port[1] = th.th_sport; 4332 4333 STATE_LOOKUP(); 4334 4335 if (direction == (*state)->direction) { 4336 src = &(*state)->dst; 4337 dst = &(*state)->src; 4338 } else { 4339 src = &(*state)->src; 4340 dst = &(*state)->dst; 4341 } 4342 4343 if (src->wscale && dst->wscale && !(th.th_flags & TH_SYN)) 4344 dws = dst->wscale & PF_WSCALE_MASK; 4345 else 4346 dws = 0; 4347 4348 /* Demodulate sequence number */ 4349 seq = ntohl(th.th_seq) - src->seqdiff; 4350 if (src->seqdiff) 4351 pf_change_a(&th.th_seq, &th.th_sum, 4352 htonl(seq), 0); 4353 4354 if (!SEQ_GEQ(src->seqhi, seq) || 4355 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) { 4356 if (pf_status.debug >= PF_DEBUG_MISC) { 4357 printf("pf: BAD ICMP %d:%d ", 4358 icmptype, pd->hdr.icmp->icmp_code); 4359 pf_print_host(pd->src, 0, pd->af); 4360 printf(" -> "); 4361 pf_print_host(pd->dst, 0, pd->af); 4362 printf(" state: "); 4363 pf_print_state(*state); 4364 printf(" seq=%u\n", seq); 4365 } 4366 return (PF_DROP); 4367 } 4368 4369 if (STATE_TRANSLATE(*state)) { 4370 if (direction == PF_IN) { 4371 pf_change_icmp(pd2.src, &th.th_sport, 4372 saddr, &(*state)->lan.addr, 4373 (*state)->lan.port, NULL, 4374 pd2.ip_sum, icmpsum, 4375 pd->ip_sum, 0, pd2.af); 4376 } else { 4377 pf_change_icmp(pd2.dst, &th.th_dport, 4378 saddr, &(*state)->gwy.addr, 4379 (*state)->gwy.port, NULL, 4380 pd2.ip_sum, icmpsum, 4381 pd->ip_sum, 0, pd2.af); 4382 } 4383 switch (pd2.af) { 4384#ifdef INET 4385 case AF_INET: 4386 m_copyback(m, off, ICMP_MINLEN, 4387 (caddr_t)pd->hdr.icmp); 4388 m_copyback(m, ipoff2, sizeof(h2), 4389 (caddr_t)&h2); 4390 break; 4391#endif /* INET */ 4392#ifdef INET6 4393 case AF_INET6: 4394 m_copyback(m, off, 4395 sizeof(struct icmp6_hdr), 4396 (caddr_t)pd->hdr.icmp6); 4397 m_copyback(m, ipoff2, sizeof(h2_6), 4398 (caddr_t)&h2_6); 4399 break; 4400#endif /* INET6 */ 4401 } 4402 m_copyback(m, off2, 8, (caddr_t)&th); 4403 } else if (src->seqdiff) { 4404 m_copyback(m, off2, 8, (caddr_t)&th); 4405 } 4406 4407 return (PF_PASS); 4408 break; 4409 } 4410 case IPPROTO_UDP: { 4411 struct udphdr uh; 4412 struct pf_tree_node key; 4413 4414 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), 4415 NULL, NULL, pd2.af)) { 4416 DPFPRINTF(PF_DEBUG_MISC, 4417 ("pf: ICMP error message too short " 4418 "(udp)\n")); 4419 return (PF_DROP); 4420 } 4421 4422 key.af = pd2.af; 4423 key.proto = IPPROTO_UDP; 4424 PF_ACPY(&key.addr[0], pd2.dst, pd2.af); 4425 key.port[0] = uh.uh_dport; 4426 PF_ACPY(&key.addr[1], pd2.src, pd2.af); 4427 key.port[1] = uh.uh_sport; 4428 4429 STATE_LOOKUP(); 4430 4431 if (STATE_TRANSLATE(*state)) { 4432 if (direction == PF_IN) { 4433 pf_change_icmp(pd2.src, &uh.uh_sport, 4434 daddr, &(*state)->lan.addr, 4435 (*state)->lan.port, &uh.uh_sum, 4436 pd2.ip_sum, icmpsum, 4437 pd->ip_sum, 1, pd2.af); 4438 } else { 4439 pf_change_icmp(pd2.dst, &uh.uh_dport, 4440 saddr, &(*state)->gwy.addr, 4441 (*state)->gwy.port, &uh.uh_sum, 4442 pd2.ip_sum, icmpsum, 4443 pd->ip_sum, 1, pd2.af); 4444 } 4445 switch (pd2.af) { 4446#ifdef INET 4447 case AF_INET: 4448 m_copyback(m, off, ICMP_MINLEN, 4449 (caddr_t)pd->hdr.icmp); 4450 m_copyback(m, ipoff2, sizeof(h2), 4451 (caddr_t)&h2); 4452 break; 4453#endif /* INET */ 4454#ifdef INET6 4455 case AF_INET6: 4456 m_copyback(m, off, 4457 sizeof(struct icmp6_hdr), 4458 (caddr_t)pd->hdr.icmp6); 4459 m_copyback(m, ipoff2, sizeof(h2_6), 4460 (caddr_t)&h2_6); 4461 break; 4462#endif /* INET6 */ 4463 } 4464 m_copyback(m, off2, sizeof(uh), 4465 (caddr_t)&uh); 4466 } 4467 4468 return (PF_PASS); 4469 break; 4470 } 4471#ifdef INET 4472 case IPPROTO_ICMP: { 4473 struct icmp iih; 4474 struct pf_tree_node key; 4475 4476 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, 4477 NULL, NULL, pd2.af)) { 4478 DPFPRINTF(PF_DEBUG_MISC, 4479 ("pf: ICMP error message too short i" 4480 "(icmp)\n")); 4481 return (PF_DROP); 4482 } 4483 4484 key.af = pd2.af; 4485 key.proto = IPPROTO_ICMP; 4486 PF_ACPY(&key.addr[0], pd2.dst, pd2.af); 4487 key.port[0] = iih.icmp_id; 4488 PF_ACPY(&key.addr[1], pd2.src, pd2.af); 4489 key.port[1] = iih.icmp_id; 4490 4491 STATE_LOOKUP(); 4492 4493 if (STATE_TRANSLATE(*state)) { 4494 if (direction == PF_IN) { 4495 pf_change_icmp(pd2.src, &iih.icmp_id, 4496 daddr, &(*state)->lan.addr, 4497 (*state)->lan.port, NULL, 4498 pd2.ip_sum, icmpsum, 4499 pd->ip_sum, 0, AF_INET); 4500 } else { 4501 pf_change_icmp(pd2.dst, &iih.icmp_id, 4502 saddr, &(*state)->gwy.addr, 4503 (*state)->gwy.port, NULL, 4504 pd2.ip_sum, icmpsum, 4505 pd->ip_sum, 0, AF_INET); 4506 } 4507 m_copyback(m, off, ICMP_MINLEN, 4508 (caddr_t)pd->hdr.icmp); 4509 m_copyback(m, ipoff2, sizeof(h2), 4510 (caddr_t)&h2); 4511 m_copyback(m, off2, ICMP_MINLEN, 4512 (caddr_t)&iih); 4513 } 4514 4515 return (PF_PASS); 4516 break; 4517 } 4518#endif /* INET */ 4519#ifdef INET6 4520 case IPPROTO_ICMPV6: { 4521 struct icmp6_hdr iih; 4522 struct pf_tree_node key; 4523 4524 if (!pf_pull_hdr(m, off2, &iih, 4525 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) { 4526 DPFPRINTF(PF_DEBUG_MISC, 4527 ("pf: ICMP error message too short " 4528 "(icmp6)\n")); 4529 return (PF_DROP); 4530 } 4531 4532 key.af = pd2.af; 4533 key.proto = IPPROTO_ICMPV6; 4534 PF_ACPY(&key.addr[0], pd2.dst, pd2.af); 4535 key.port[0] = iih.icmp6_id; 4536 PF_ACPY(&key.addr[1], pd2.src, pd2.af); 4537 key.port[1] = iih.icmp6_id; 4538 4539 STATE_LOOKUP(); 4540 4541 if (STATE_TRANSLATE(*state)) { 4542 if (direction == PF_IN) { 4543 pf_change_icmp(pd2.src, &iih.icmp6_id, 4544 daddr, &(*state)->lan.addr, 4545 (*state)->lan.port, NULL, 4546 pd2.ip_sum, icmpsum, 4547 pd->ip_sum, 0, AF_INET6); 4548 } else { 4549 pf_change_icmp(pd2.dst, &iih.icmp6_id, 4550 saddr, &(*state)->gwy.addr, 4551 (*state)->gwy.port, NULL, 4552 pd2.ip_sum, icmpsum, 4553 pd->ip_sum, 0, AF_INET6); 4554 } 4555 m_copyback(m, off, sizeof(struct icmp6_hdr), 4556 (caddr_t)pd->hdr.icmp6); 4557 m_copyback(m, ipoff2, sizeof(h2_6), 4558 (caddr_t)&h2_6); 4559 m_copyback(m, off2, sizeof(struct icmp6_hdr), 4560 (caddr_t)&iih); 4561 } 4562 4563 return (PF_PASS); 4564 break; 4565 } 4566#endif /* INET6 */ 4567 default: { 4568 struct pf_tree_node key; 4569 4570 key.af = pd2.af; 4571 key.proto = pd2.proto; 4572 PF_ACPY(&key.addr[0], pd2.dst, pd2.af); 4573 key.port[0] = 0; 4574 PF_ACPY(&key.addr[1], pd2.src, pd2.af); 4575 key.port[1] = 0; 4576 4577 STATE_LOOKUP(); 4578 4579 if (STATE_TRANSLATE(*state)) { 4580 if (direction == PF_IN) { 4581 pf_change_icmp(pd2.src, NULL, 4582 daddr, &(*state)->lan.addr, 4583 0, NULL, 4584 pd2.ip_sum, icmpsum, 4585 pd->ip_sum, 0, pd2.af); 4586 } else { 4587 pf_change_icmp(pd2.dst, NULL, 4588 saddr, &(*state)->gwy.addr, 4589 0, NULL, 4590 pd2.ip_sum, icmpsum, 4591 pd->ip_sum, 0, pd2.af); 4592 } 4593 switch (pd2.af) { 4594#ifdef INET 4595 case AF_INET: 4596 m_copyback(m, off, ICMP_MINLEN, 4597 (caddr_t)pd->hdr.icmp); 4598 m_copyback(m, ipoff2, sizeof(h2), 4599 (caddr_t)&h2); 4600 break; 4601#endif /* INET */ 4602#ifdef INET6 4603 case AF_INET6: 4604 m_copyback(m, off, 4605 sizeof(struct icmp6_hdr), 4606 (caddr_t)pd->hdr.icmp6); 4607 m_copyback(m, ipoff2, sizeof(h2_6), 4608 (caddr_t)&h2_6); 4609 break; 4610#endif /* INET6 */ 4611 } 4612 } 4613 4614 return (PF_PASS); 4615 break; 4616 } 4617 } 4618 } 4619} 4620 4621int 4622pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp, 4623 struct pf_pdesc *pd) 4624{ 4625 struct pf_state_peer *src, *dst; 4626 struct pf_tree_node key; 4627 int dirndx; 4628 4629 key.af = pd->af; 4630 key.proto = pd->proto; 4631 PF_ACPY(&key.addr[0], pd->src, key.af); 4632 PF_ACPY(&key.addr[1], pd->dst, key.af); 4633 key.port[0] = 0; 4634 key.port[1] = 0; 4635 4636 STATE_LOOKUP(); 4637 4638 if (direction == (*state)->direction) { 4639 src = &(*state)->src; 4640 dst = &(*state)->dst; 4641 dirndx = 0; 4642 } else { 4643 src = &(*state)->dst; 4644 dst = &(*state)->src; 4645 dirndx = 1; 4646 } 4647 4648 (*state)->packets[dirndx]++; 4649 (*state)->bytes[dirndx] += pd->tot_len; 4650 4651 /* update states */ 4652 if (src->state < PFOTHERS_SINGLE) 4653 src->state = PFOTHERS_SINGLE; 4654 if (dst->state == PFOTHERS_SINGLE) 4655 dst->state = PFOTHERS_MULTIPLE; 4656 4657 /* update expire time */ 4658#ifdef __FreeBSD__ 4659 (*state)->expire = time_second; 4660#else 4661 (*state)->expire = time.tv_sec; 4662#endif 4663 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 4664 (*state)->timeout = PFTM_OTHER_MULTIPLE; 4665 else 4666 (*state)->timeout = PFTM_OTHER_SINGLE; 4667 4668 /* translate source/destination address, if necessary */ 4669 if (STATE_TRANSLATE(*state)) { 4670 if (direction == PF_OUT) 4671 switch (pd->af) { 4672#ifdef INET 4673 case AF_INET: 4674 pf_change_a(&pd->src->v4.s_addr, 4675 pd->ip_sum, (*state)->gwy.addr.v4.s_addr, 4676 0); 4677 break; 4678#endif /* INET */ 4679#ifdef INET6 4680 case AF_INET6: 4681 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af); 4682 break; 4683#endif /* INET6 */ 4684 } 4685 else 4686 switch (pd->af) { 4687#ifdef INET 4688 case AF_INET: 4689 pf_change_a(&pd->dst->v4.s_addr, 4690 pd->ip_sum, (*state)->lan.addr.v4.s_addr, 4691 0); 4692 break; 4693#endif /* INET */ 4694#ifdef INET6 4695 case AF_INET6: 4696 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af); 4697 break; 4698#endif /* INET6 */ 4699 } 4700 } 4701 4702 (*state)->rule.ptr->packets++; 4703 (*state)->rule.ptr->bytes += pd->tot_len; 4704 if ((*state)->nat_rule.ptr != NULL) { 4705 (*state)->nat_rule.ptr->packets++; 4706 (*state)->nat_rule.ptr->bytes += pd->tot_len; 4707 } 4708 if ((*state)->anchor.ptr != NULL) { 4709 (*state)->anchor.ptr->packets++; 4710 (*state)->anchor.ptr->bytes += pd->tot_len; 4711 } 4712 return (PF_PASS); 4713} 4714 4715/* 4716 * ipoff and off are measured from the start of the mbuf chain. 4717 * h must be at "ipoff" on the mbuf chain. 4718 */ 4719void * 4720pf_pull_hdr(struct mbuf *m, int off, void *p, int len, 4721 u_short *actionp, u_short *reasonp, sa_family_t af) 4722{ 4723 switch (af) { 4724#ifdef INET 4725 case AF_INET: { 4726 struct ip *h = mtod(m, struct ip *); 4727 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; 4728 4729 if (fragoff) { 4730 if (fragoff >= len) 4731 ACTION_SET(actionp, PF_PASS); 4732 else { 4733 ACTION_SET(actionp, PF_DROP); 4734 REASON_SET(reasonp, PFRES_FRAG); 4735 } 4736 return (NULL); 4737 } 4738 if (m->m_pkthdr.len < off + len || ntohs(h->ip_len) < off + len) { 4739 ACTION_SET(actionp, PF_DROP); 4740 REASON_SET(reasonp, PFRES_SHORT); 4741 return (NULL); 4742 } 4743 break; 4744 } 4745#endif /* INET */ 4746#ifdef INET6 4747 case AF_INET6: { 4748 struct ip6_hdr *h = mtod(m, struct ip6_hdr *); 4749 4750 if (m->m_pkthdr.len < off + len || 4751 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < 4752 (unsigned)(off + len)) { 4753 ACTION_SET(actionp, PF_DROP); 4754 REASON_SET(reasonp, PFRES_SHORT); 4755 return (NULL); 4756 } 4757 break; 4758 } 4759#endif /* INET6 */ 4760 } 4761 m_copydata(m, off, len, p); 4762 return (p); 4763} 4764 4765int 4766pf_routable(struct pf_addr *addr, sa_family_t af) 4767{ 4768 struct sockaddr_in *dst; 4769 struct route ro; 4770 int ret = 0; 4771 4772 bzero(&ro, sizeof(ro)); 4773 dst = satosin(&ro.ro_dst); 4774 dst->sin_family = af; 4775 dst->sin_len = sizeof(*dst); 4776 dst->sin_addr = addr->v4; 4777#ifdef __FreeBSD__ 4778#ifdef RTF_PRCLONING 4779 rtalloc_ign(&ro, (RTF_CLONING|RTF_PRCLONING)); 4780#else /* !RTF_PRCLONING */ 4781 rtalloc_ign(&ro, RTF_CLONING); 4782#endif 4783#else /* ! __FreeBSD__ */ 4784 rtalloc_noclone(&ro, NO_CLONING); 4785#endif 4786 4787 if (ro.ro_rt != NULL) { 4788 ret = 1; 4789 RTFREE(ro.ro_rt); 4790 } 4791 4792 return (ret); 4793} 4794 4795#ifdef INET 4796 4797#if defined(__FreeBSD__) && (__FreeBSD_version < 501105) 4798int 4799ip_fragment(struct ip *ip, struct mbuf **m_frag, int mtu, 4800 u_long if_hwassist_flags, int sw_csum) 4801{ 4802 int error = 0; 4803 int hlen = ip->ip_hl << 2; 4804 int len = (mtu - hlen) & ~7; /* size of payload in each fragment */ 4805 int off; 4806 struct mbuf *m0 = *m_frag; /* the original packet */ 4807 int firstlen; 4808 struct mbuf **mnext; 4809 int nfrags; 4810 4811 if (ip->ip_off & IP_DF) { /* Fragmentation not allowed */ 4812 ipstat.ips_cantfrag++; 4813 return EMSGSIZE; 4814 } 4815 4816 /* 4817 * Must be able to put at least 8 bytes per fragment. 4818 */ 4819 if (len < 8) 4820 return EMSGSIZE; 4821 4822 /* 4823 * If the interface will not calculate checksums on 4824 * fragmented packets, then do it here. 4825 */ 4826 if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA && 4827 (if_hwassist_flags & CSUM_IP_FRAGS) == 0) { 4828 in_delayed_cksum(m0); 4829 m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 4830 } 4831 4832 if (len > PAGE_SIZE) { 4833 /* 4834 * Fragment large datagrams such that each segment 4835 * contains a multiple of PAGE_SIZE amount of data, 4836 * plus headers. This enables a receiver to perform 4837 * page-flipping zero-copy optimizations. 4838 * 4839 * XXX When does this help given that sender and receiver 4840 * could have different page sizes, and also mtu could 4841 * be less than the receiver's page size ? 4842 */ 4843 int newlen; 4844 struct mbuf *m; 4845 4846 for (m = m0, off = 0; m && (off+m->m_len) <= mtu; m = m->m_next) 4847 off += m->m_len; 4848 4849 /* 4850 * firstlen (off - hlen) must be aligned on an 4851 * 8-byte boundary 4852 */ 4853 if (off < hlen) 4854 goto smart_frag_failure; 4855 off = ((off - hlen) & ~7) + hlen; 4856 newlen = (~PAGE_MASK) & mtu; 4857 if ((newlen + sizeof (struct ip)) > mtu) { 4858 /* we failed, go back the default */ 4859smart_frag_failure: 4860 newlen = len; 4861 off = hlen + len; 4862 } 4863 len = newlen; 4864 4865 } else { 4866 off = hlen + len; 4867 } 4868 4869 firstlen = off - hlen; 4870 mnext = &m0->m_nextpkt; /* pointer to next packet */ 4871 4872 /* 4873 * Loop through length of segment after first fragment, 4874 * make new header and copy data of each part and link onto chain. 4875 * Here, m0 is the original packet, m is the fragment being created. 4876 * The fragments are linked off the m_nextpkt of the original 4877 * packet, which after processing serves as the first fragment. 4878 */ 4879 for (nfrags = 1; off < ip->ip_len; off += len, nfrags++) { 4880 struct ip *mhip; /* ip header on the fragment */ 4881 struct mbuf *m; 4882 int mhlen = sizeof (struct ip); 4883 4884 MGETHDR(m, M_DONTWAIT, MT_HEADER); 4885 if (m == 0) { 4886 error = ENOBUFS; 4887 ipstat.ips_odropped++; 4888 goto done; 4889 } 4890 m->m_flags |= (m0->m_flags & M_MCAST) | M_FRAG; 4891 /* 4892 * In the first mbuf, leave room for the link header, then 4893 * copy the original IP header including options. The payload 4894 * goes into an additional mbuf chain returned by m_copy(). 4895 */ 4896 m->m_data += max_linkhdr; 4897 mhip = mtod(m, struct ip *); 4898 *mhip = *ip; 4899 if (hlen > sizeof (struct ip)) { 4900 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); 4901 mhip->ip_v = IPVERSION; 4902 mhip->ip_hl = mhlen >> 2; 4903 } 4904 m->m_len = mhlen; 4905 /* XXX do we need to add ip->ip_off below ? */ 4906 mhip->ip_off = ((off - hlen) >> 3) + ip->ip_off; 4907 if (off + len >= ip->ip_len) { /* last fragment */ 4908 len = ip->ip_len - off; 4909 m->m_flags |= M_LASTFRAG; 4910 } else 4911 mhip->ip_off |= IP_MF; 4912 mhip->ip_len = htons((u_short)(len + mhlen)); 4913 m->m_next = m_copy(m0, off, len); 4914 if (m->m_next == 0) { /* copy failed */ 4915 m_free(m); 4916 error = ENOBUFS; /* ??? */ 4917 ipstat.ips_odropped++; 4918 goto done; 4919 } 4920 m->m_pkthdr.len = mhlen + len; 4921 m->m_pkthdr.rcvif = (struct ifnet *)0; 4922#ifdef MAC 4923 mac_create_fragment(m0, m); 4924#endif 4925 m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags; 4926 mhip->ip_off = htons(mhip->ip_off); 4927 mhip->ip_sum = 0; 4928 if (sw_csum & CSUM_DELAY_IP) 4929 mhip->ip_sum = in_cksum(m, mhlen); 4930 *mnext = m; 4931 mnext = &m->m_nextpkt; 4932 } 4933 ipstat.ips_ofragments += nfrags; 4934 4935 /* set first marker for fragment chain */ 4936 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 4937 m0->m_pkthdr.csum_data = nfrags; 4938 4939 /* 4940 * Update first fragment by trimming what's been copied out 4941 * and updating header. 4942 */ 4943 m_adj(m0, hlen + firstlen - ip->ip_len); 4944 m0->m_pkthdr.len = hlen + firstlen; 4945 ip->ip_len = htons((u_short)m0->m_pkthdr.len); 4946 ip->ip_off |= IP_MF; 4947 ip->ip_off = htons(ip->ip_off); 4948 ip->ip_sum = 0; 4949 if (sw_csum & CSUM_DELAY_IP) 4950 ip->ip_sum = in_cksum(m0, hlen); 4951 4952done: 4953 *m_frag = m0; 4954 return error; 4955} 4956#endif /* __FreeBSD__ && __FreeBSD_version > 501105 */ 4957 4958void 4959pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 4960 struct pf_state *s) 4961{ 4962 struct mbuf *m0, *m1; 4963 struct route iproute; 4964 struct route *ro; 4965 struct sockaddr_in *dst; 4966 struct ip *ip; 4967 struct ifnet *ifp = NULL; 4968 struct m_tag *mtag; 4969 struct pf_addr naddr; 4970 int error = 0; 4971#ifdef __FreeBSD__ 4972 int sw_csum; 4973#endif 4974 4975 if (m == NULL || *m == NULL || r == NULL || 4976 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 4977 panic("pf_route: invalid parameters"); 4978 4979 if (r->rt == PF_DUPTO) { 4980 m0 = *m; 4981 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 4982 if (mtag == NULL) { 4983 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 4984 if (mtag == NULL) 4985 goto bad; 4986 m_tag_prepend(m0, mtag); 4987 } 4988#ifdef __FreeBSD__ 4989 m0 = m_dup(*m, M_DONTWAIT); 4990#else 4991 m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT); 4992#endif 4993 if (m0 == NULL) 4994 return; 4995 } else { 4996 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 4997 return; 4998 m0 = *m; 4999 } 5000 5001 if (m0->m_len < sizeof(struct ip)) 5002 panic("pf_route: m0->m_len < sizeof(struct ip)"); 5003 ip = mtod(m0, struct ip *); 5004 5005 ro = &iproute; 5006 bzero((caddr_t)ro, sizeof(*ro)); 5007 dst = satosin(&ro->ro_dst); 5008 dst->sin_family = AF_INET; 5009 dst->sin_len = sizeof(*dst); 5010 dst->sin_addr = ip->ip_dst; 5011 5012 if (r->rt == PF_FASTROUTE) { 5013 rtalloc(ro); 5014 if (ro->ro_rt == 0) { 5015 ipstat.ips_noroute++; 5016 goto bad; 5017 } 5018 5019 ifp = ro->ro_rt->rt_ifp; 5020 ro->ro_rt->rt_use++; 5021 5022 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 5023 dst = satosin(ro->ro_rt->rt_gateway); 5024 } else { 5025 if (TAILQ_EMPTY(&r->rpool.list)) 5026 panic("pf_route: TAILQ_EMPTY(&r->rpool.list)"); 5027 if (s == NULL) { 5028 pf_map_addr(AF_INET, &r->rpool, 5029 (struct pf_addr *)&ip->ip_src, 5030 &naddr, NULL); 5031 if (!PF_AZERO(&naddr, AF_INET)) 5032 dst->sin_addr.s_addr = naddr.v4.s_addr; 5033 ifp = r->rpool.cur->ifp; 5034 } else { 5035 if (!PF_AZERO(&s->rt_addr, AF_INET)) 5036 dst->sin_addr.s_addr = 5037 s->rt_addr.v4.s_addr; 5038 ifp = s->rt_ifp; 5039 } 5040 } 5041 5042 if (ifp == NULL) 5043 goto bad; 5044 5045 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 5046 if (mtag == NULL) { 5047 struct m_tag *mtag; 5048 5049 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 5050 if (mtag == NULL) 5051 goto bad; 5052 m_tag_prepend(m0, mtag); 5053 } 5054 5055 if (oifp != ifp && mtag == NULL) { 5056#ifdef __FreeBSD__ 5057 PF_UNLOCK(); 5058 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) { 5059 PF_LOCK(); 5060 goto bad; 5061 } else if (m0 == NULL) { 5062 PF_LOCK(); 5063 goto done; 5064 } 5065 PF_LOCK(); 5066#else 5067 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) 5068 goto bad; 5069 else if (m0 == NULL) 5070 goto done; 5071#endif 5072 if (m0->m_len < sizeof(struct ip)) 5073 panic("pf_route: m0->m_len < sizeof(struct ip)"); 5074 ip = mtod(m0, struct ip *); 5075 } 5076 5077#ifdef __FreeBSD__ 5078 /* Copied from FreeBSD 5.1-CURRENT ip_output. */ 5079 m0->m_pkthdr.csum_flags |= CSUM_IP; 5080 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist; 5081 if (sw_csum & CSUM_DELAY_DATA) { 5082 /* 5083 * XXX: in_delayed_cksum assumes HBO for ip->ip_len (at least) 5084 */ 5085 NTOHS(ip->ip_len); 5086 NTOHS(ip->ip_off); /* XXX: needed? */ 5087 in_delayed_cksum(m0); 5088 HTONS(ip->ip_len); 5089 HTONS(ip->ip_off); 5090 sw_csum &= ~CSUM_DELAY_DATA; 5091 } 5092 m0->m_pkthdr.csum_flags &= ifp->if_hwassist; 5093 5094 if (ntohs(ip->ip_len) <= ifp->if_mtu || 5095 (ifp->if_hwassist & CSUM_FRAGMENT && 5096 ((ip->ip_off & htons(IP_DF)) == 0))) { 5097 /* 5098 * ip->ip_len = htons(ip->ip_len); 5099 * ip->ip_off = htons(ip->ip_off); 5100 */ 5101 ip->ip_sum = 0; 5102 if (sw_csum & CSUM_DELAY_IP) { 5103 /* From KAME */ 5104 if (ip->ip_v == IPVERSION && 5105 (ip->ip_hl << 2) == sizeof(*ip)) { 5106 ip->ip_sum = in_cksum_hdr(ip); 5107 } else { 5108 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 5109 } 5110 } 5111 PF_UNLOCK(); 5112 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt); 5113 PF_LOCK(); 5114 goto done; 5115 } 5116 5117#else 5118 /* Copied from ip_output. */ 5119 if (ntohs(ip->ip_len) <= ifp->if_mtu) { 5120 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && 5121 ifp->if_bridge == NULL) { 5122 m0->m_pkthdr.csum |= M_IPV4_CSUM_OUT; 5123 ipstat.ips_outhwcsum++; 5124 } else { 5125 ip->ip_sum = 0; 5126 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 5127 } 5128 /* Update relevant hardware checksum stats for TCP/UDP */ 5129 if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT) 5130 tcpstat.tcps_outhwcsum++; 5131 else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) 5132 udpstat.udps_outhwcsum++; 5133 error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL); 5134 goto done; 5135 } 5136#endif 5137 /* 5138 * Too large for interface; fragment if possible. 5139 * Must be able to put at least 8 bytes per fragment. 5140 */ 5141 if (ip->ip_off & htons(IP_DF)) { 5142 ipstat.ips_cantfrag++; 5143 if (r->rt != PF_DUPTO) { 5144#ifdef __FreeBSD__ 5145 /* icmp_error() expects host byte ordering */ 5146 NTOHS(ip->ip_len); 5147 NTOHS(ip->ip_off); 5148 PF_UNLOCK(); 5149#endif 5150 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 5151 ifp); 5152#ifdef __FreeBSD__ 5153 PF_LOCK(); 5154#endif 5155 goto done; 5156 } else 5157 goto bad; 5158 } 5159 5160 m1 = m0; 5161#ifdef __FreeBSD__ 5162 /* 5163 * XXX: is cheaper + less error prone than own function 5164 */ 5165 NTOHS(ip->ip_len); 5166 NTOHS(ip->ip_off); 5167 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum); 5168#else 5169 error = ip_fragment(m0, ifp, ifp->if_mtu); 5170#endif 5171 if (error) { 5172#ifndef __FreeBSD__ /* ip_fragment does not do m_freem() on FreeBSD */ 5173 m0 = NULL; 5174#endif 5175 goto bad; 5176 } 5177 5178 for (m0 = m1; m0; m0 = m1) { 5179 m1 = m0->m_nextpkt; 5180 m0->m_nextpkt = 0; 5181#ifdef __FreeBSD__ 5182 if (error == 0) { 5183 PF_UNLOCK(); 5184 error = (*ifp->if_output)(ifp, m0, sintosa(dst), 5185 NULL); 5186 PF_LOCK(); 5187 } else 5188#else 5189 if (error == 0) 5190 error = (*ifp->if_output)(ifp, m0, sintosa(dst), 5191 NULL); 5192 else 5193#endif 5194 m_freem(m0); 5195 } 5196 5197 if (error == 0) 5198 ipstat.ips_fragmented++; 5199 5200done: 5201 if (r->rt != PF_DUPTO) 5202 *m = NULL; 5203 if (ro == &iproute && ro->ro_rt) 5204 RTFREE(ro->ro_rt); 5205 return; 5206 5207bad: 5208 m_freem(m0); 5209 goto done; 5210} 5211#endif /* INET */ 5212 5213#ifdef INET6 5214void 5215pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 5216 struct pf_state *s) 5217{ 5218 struct mbuf *m0; 5219 struct m_tag *mtag; 5220 struct route_in6 ip6route; 5221 struct route_in6 *ro; 5222 struct sockaddr_in6 *dst; 5223 struct ip6_hdr *ip6; 5224 struct ifnet *ifp = NULL; 5225 struct pf_addr naddr; 5226 int error = 0; 5227 5228 if (m == NULL || *m == NULL || r == NULL || 5229 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 5230 panic("pf_route6: invalid parameters"); 5231 5232 if (r->rt == PF_DUPTO) { 5233 m0 = *m; 5234 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 5235 if (mtag == NULL) { 5236 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 5237 if (mtag == NULL) 5238 goto bad; 5239 m_tag_prepend(m0, mtag); 5240 } 5241#ifdef __FreeBSD__ 5242 m0 = m_dup(*m, M_DONTWAIT); 5243#else 5244 m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT); 5245#endif 5246 if (m0 == NULL) 5247 return; 5248 } else { 5249 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5250 return; 5251 m0 = *m; 5252 } 5253 5254 if (m0->m_len < sizeof(struct ip6_hdr)) 5255 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5256 ip6 = mtod(m0, struct ip6_hdr *); 5257 5258 ro = &ip6route; 5259 bzero((caddr_t)ro, sizeof(*ro)); 5260 dst = (struct sockaddr_in6 *)&ro->ro_dst; 5261 dst->sin6_family = AF_INET6; 5262 dst->sin6_len = sizeof(*dst); 5263 dst->sin6_addr = ip6->ip6_dst; 5264 5265 /* Cheat. */ 5266 if (r->rt == PF_FASTROUTE) { 5267 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 5268 if (mtag == NULL) 5269 goto bad; 5270 m_tag_prepend(m0, mtag); 5271#ifdef __FreeBSD__ 5272 PF_UNLOCK(); 5273 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); 5274 PF_LOCK(); 5275#else 5276 ip6_output(m0, NULL, NULL, 0, NULL, NULL); 5277#endif 5278 return; 5279 } 5280 5281 if (TAILQ_EMPTY(&r->rpool.list)) 5282 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)"); 5283 if (s == NULL) { 5284 pf_map_addr(AF_INET6, &r->rpool, 5285 (struct pf_addr *)&ip6->ip6_src, &naddr, NULL); 5286 if (!PF_AZERO(&naddr, AF_INET6)) 5287 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5288 &naddr, AF_INET6); 5289 ifp = r->rpool.cur->ifp; 5290 } else { 5291 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5292 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5293 &s->rt_addr, AF_INET6); 5294 ifp = s->rt_ifp; 5295 } 5296 5297 if (ifp == NULL) 5298 goto bad; 5299 5300 if (oifp != ifp) { 5301 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 5302 if (mtag == NULL) { 5303 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 5304 if (mtag == NULL) 5305 goto bad; 5306 m_tag_prepend(m0, mtag); 5307#ifdef __FreeBSD__ 5308 PF_UNLOCK(); 5309 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) { 5310 PF_LOCK(); 5311 goto bad; 5312 } else if (m0 == NULL) { 5313 PF_LOCK(); 5314 goto done; 5315 } 5316 PF_LOCK(); 5317#else 5318 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) 5319 goto bad; 5320 else if (m0 == NULL) 5321 goto done; 5322#endif 5323 } 5324 } 5325 5326 /* 5327 * If the packet is too large for the outgoing interface, 5328 * send back an icmp6 error. 5329 */ 5330 if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) 5331 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5332 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 5333#ifdef __FreeBSD__ 5334 PF_UNLOCK(); 5335#endif 5336 error = nd6_output(ifp, ifp, m0, dst, NULL); 5337#ifdef __FreeBSD__ 5338 PF_LOCK(); 5339#endif 5340 } else { 5341 in6_ifstat_inc(ifp, ifs6_in_toobig); 5342#ifdef __FreeBSD__ 5343 if (r->rt != PF_DUPTO) { 5344 PF_UNLOCK(); 5345 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 5346 PF_LOCK(); 5347 } else 5348#else 5349 if (r->rt != PF_DUPTO) 5350 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 5351 else 5352#endif 5353 goto bad; 5354 } 5355 5356done: 5357 if (r->rt != PF_DUPTO) 5358 *m = NULL; 5359 return; 5360 5361bad: 5362 m_freem(m0); 5363 goto done; 5364} 5365#endif /* INET6 */ 5366 5367 5368#ifdef __FreeBSD__ 5369/* 5370 * XXX 5371 * FreeBSD supports cksum offload for the following drivers. 5372 * em(4), gx(4), lge(4), nge(4), ti(4), xl(4) 5373 * If we can make full use of it we would outperform ipfw/ipfilter in 5374 * very heavy traffic. 5375 * I have not tested 'cause I don't have NICs that supports cksum offload. 5376 * (There might be problems. Typical phenomena would be 5377 * 1. No route message for UDP packet. 5378 * 2. No connection acceptance from external hosts regardless of rule set.) 5379 */ 5380int 5381pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af) 5382{ 5383 u_int16_t sum = 0; 5384 int hw_assist = 0; 5385 struct ip *ip; 5386 5387 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 5388 return (1); 5389 if (m->m_pkthdr.len < off + len) 5390 return (1); 5391 5392 switch (p) { 5393 case IPPROTO_TCP: 5394 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { 5395 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) { 5396 sum = m->m_pkthdr.csum_data; 5397 } else { 5398 ip = mtod(m, struct ip *); 5399 sum = in_pseudo(ip->ip_src.s_addr, 5400 ip->ip_dst.s_addr, 5401 htonl(m->m_pkthdr.csum_data + 5402 IPPROTO_TCP) + ip->ip_len); 5403 } 5404 sum ^= 0xffff; 5405 ++hw_assist; 5406 } 5407 break; 5408 case IPPROTO_UDP: 5409 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { 5410 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) { 5411 sum = m->m_pkthdr.csum_data; 5412 } else { 5413 ip = mtod(m, struct ip *); 5414 sum = in_pseudo(ip->ip_src.s_addr, 5415 ip->ip_dst.s_addr, htonl((u_short)len + 5416 m->m_pkthdr.csum_data + IPPROTO_UDP)); 5417 } 5418 sum ^= 0xffff; 5419 ++hw_assist; 5420 } 5421 break; 5422 case IPPROTO_ICMP: 5423#ifdef INET6 5424 case IPPROTO_ICMPV6: 5425#endif /* INET6 */ 5426 break; 5427 default: 5428 return (1); 5429 } 5430 5431 if (!hw_assist) { 5432 switch (af) { 5433 case AF_INET: 5434 if (p == IPPROTO_ICMP) { 5435 if (m->m_len < off) 5436 return (1); 5437 m->m_data += off; 5438 m->m_len -= off; 5439 sum = in_cksum(m, len); 5440 m->m_data -= off; 5441 m->m_len += off; 5442 } else { 5443 if (m->m_len < sizeof(struct ip)) 5444 return (1); 5445 sum = in4_cksum(m, p, off, len); 5446 if (sum == 0) { 5447 m->m_pkthdr.csum_flags |= 5448 (CSUM_DATA_VALID | 5449 CSUM_PSEUDO_HDR); 5450 m->m_pkthdr.csum_data = 0xffff; 5451 } 5452 } 5453 break; 5454#ifdef INET6 5455 case AF_INET6: 5456 if (m->m_len < sizeof(struct ip6_hdr)) 5457 return (1); 5458 sum = in6_cksum(m, p, off, len); 5459 /* 5460 * XXX 5461 * IPv6 H/W cksum off-load not supported yet! 5462 * 5463 * if (sum == 0) { 5464 * m->m_pkthdr.csum_flags |= 5465 * (CSUM_DATA_VALID|CSUM_PSEUDO_HDR); 5466 * m->m_pkthdr.csum_data = 0xffff; 5467 *} 5468 */ 5469 break; 5470#endif /* INET6 */ 5471 default: 5472 return (1); 5473 } 5474 } 5475 if (sum) { 5476 switch (p) { 5477 case IPPROTO_TCP: 5478 tcpstat.tcps_rcvbadsum++; 5479 break; 5480 case IPPROTO_UDP: 5481 udpstat.udps_badsum++; 5482 break; 5483 case IPPROTO_ICMP: 5484 icmpstat.icps_checksum++; 5485 break; 5486#ifdef INET6 5487 case IPPROTO_ICMPV6: 5488 icmp6stat.icp6s_checksum++; 5489 break; 5490#endif /* INET6 */ 5491 } 5492 return (1); 5493 } 5494 return (0); 5495} 5496#else 5497/* 5498 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag 5499 * off is the offset where the protocol header starts 5500 * len is the total length of protocol header plus payload 5501 * returns 0 when the checksum is valid, otherwise returns 1. 5502 */ 5503int 5504pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af) 5505{ 5506 u_int16_t flag_ok, flag_bad; 5507 u_int16_t sum; 5508 5509 switch (p) { 5510 case IPPROTO_TCP: 5511 flag_ok = M_TCP_CSUM_IN_OK; 5512 flag_bad = M_TCP_CSUM_IN_BAD; 5513 break; 5514 case IPPROTO_UDP: 5515 flag_ok = M_UDP_CSUM_IN_OK; 5516 flag_bad = M_UDP_CSUM_IN_BAD; 5517 break; 5518 case IPPROTO_ICMP: 5519#ifdef INET6 5520 case IPPROTO_ICMPV6: 5521#endif /* INET6 */ 5522 flag_ok = flag_bad = 0; 5523 break; 5524 default: 5525 return (1); 5526 } 5527 if (m->m_pkthdr.csum & flag_ok) 5528 return (0); 5529 if (m->m_pkthdr.csum & flag_bad) 5530 return (1); 5531 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 5532 return (1); 5533 if (m->m_pkthdr.len < off + len) 5534 return (1); 5535 switch (af) { 5536 case AF_INET: 5537 if (p == IPPROTO_ICMP) { 5538 if (m->m_len < off) 5539 return (1); 5540 m->m_data += off; 5541 m->m_len -= off; 5542 sum = in_cksum(m, len); 5543 m->m_data -= off; 5544 m->m_len += off; 5545 } else { 5546 if (m->m_len < sizeof(struct ip)) 5547 return (1); 5548 sum = in4_cksum(m, p, off, len); 5549 } 5550 break; 5551#ifdef INET6 5552 case AF_INET6: 5553 if (m->m_len < sizeof(struct ip6_hdr)) 5554 return (1); 5555 sum = in6_cksum(m, p, off, len); 5556 break; 5557#endif /* INET6 */ 5558 default: 5559 return (1); 5560 } 5561 if (sum) { 5562 m->m_pkthdr.csum |= flag_bad; 5563 switch (p) { 5564 case IPPROTO_TCP: 5565 tcpstat.tcps_rcvbadsum++; 5566 break; 5567 case IPPROTO_UDP: 5568 udpstat.udps_badsum++; 5569 break; 5570 case IPPROTO_ICMP: 5571 icmpstat.icps_checksum++; 5572 break; 5573#ifdef INET6 5574 case IPPROTO_ICMPV6: 5575 icmp6stat.icp6s_checksum++; 5576 break; 5577#endif /* INET6 */ 5578 } 5579 return (1); 5580 } 5581 m->m_pkthdr.csum |= flag_ok; 5582 return (0); 5583} 5584#endif 5585 5586#ifdef INET 5587int 5588pf_test(int dir, struct ifnet *ifp, struct mbuf **m0) 5589{ 5590 u_short action, reason = 0, log = 0; 5591 struct mbuf *m = *m0; 5592 struct ip *h; 5593 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr; 5594 struct pf_state *s = NULL; 5595 struct pf_ruleset *ruleset = NULL; 5596 struct pf_pdesc pd; 5597 int off; 5598 int pqid = 0; 5599 5600#ifdef __FreeBSD__ 5601 PF_LOCK(); 5602#endif 5603 if (!pf_status.running || 5604 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) { 5605#ifdef __FreeBSD__ 5606 PF_UNLOCK(); 5607#endif 5608 return (PF_PASS); 5609 } 5610 5611#if defined(__FreeBSD__) && (__FreeBSD_version >= 501000) 5612 M_ASSERTPKTHDR(m); 5613#else 5614#ifdef DIAGNOSTIC 5615 if ((m->m_flags & M_PKTHDR) == 0) 5616 panic("non-M_PKTHDR is passed to pf_test"); 5617#endif 5618#endif 5619 5620 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5621 action = PF_DROP; 5622 REASON_SET(&reason, PFRES_SHORT); 5623 log = 1; 5624 goto done; 5625 } 5626 5627 /* We do IP header normalization and packet reassembly here */ 5628 if (pf_normalize_ip(m0, dir, ifp, &reason) != PF_PASS) { 5629 action = PF_DROP; 5630 goto done; 5631 } 5632 m = *m0; 5633 h = mtod(m, struct ip *); 5634 5635 off = h->ip_hl << 2; 5636 if (off < (int)sizeof(*h)) { 5637 action = PF_DROP; 5638 REASON_SET(&reason, PFRES_SHORT); 5639 log = 1; 5640 goto done; 5641 } 5642 5643 memset(&pd, 0, sizeof(pd)); 5644 pd.src = (struct pf_addr *)&h->ip_src; 5645 pd.dst = (struct pf_addr *)&h->ip_dst; 5646 pd.ip_sum = &h->ip_sum; 5647 pd.proto = h->ip_p; 5648 pd.af = AF_INET; 5649 pd.tos = h->ip_tos; 5650 pd.tot_len = ntohs(h->ip_len); 5651 5652 /* handle fragments that didn't get reassembled by normalization */ 5653 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) { 5654 action = pf_test_fragment(&r, dir, ifp, m, h, 5655 &pd, &a, &ruleset); 5656 goto done; 5657 } 5658 5659 switch (h->ip_p) { 5660 5661 case IPPROTO_TCP: { 5662 struct tcphdr th; 5663 5664 pd.hdr.tcp = &th; 5665 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5666 &action, &reason, AF_INET)) { 5667 log = action != PF_PASS; 5668 goto done; 5669 } 5670 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5671 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) { 5672 action = PF_DROP; 5673 goto done; 5674 } 5675 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5676 if ((th.th_flags & TH_ACK) && pd.p_len == 0) 5677 pqid = 1; 5678 action = pf_normalize_tcp(dir, ifp, m, 0, off, h, &pd); 5679 if (action == PF_DROP) 5680 break; 5681 action = pf_test_state_tcp(&s, dir, ifp, m, 0, off, h, &pd, 5682 &reason); 5683 if (action == PF_PASS) { 5684 r = s->rule.ptr; 5685 log = s->log; 5686 } else if (s == NULL) 5687 action = pf_test_tcp(&r, &s, dir, ifp, 5688 m, 0, off, h, &pd, &a, &ruleset); 5689 break; 5690 } 5691 5692 case IPPROTO_UDP: { 5693 struct udphdr uh; 5694 5695 pd.hdr.udp = &uh; 5696 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5697 &action, &reason, AF_INET)) { 5698 log = action != PF_PASS; 5699 goto done; 5700 } 5701 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5702 off, ntohs(h->ip_len) - off, IPPROTO_UDP, AF_INET)) { 5703 action = PF_DROP; 5704 goto done; 5705 } 5706 action = pf_test_state_udp(&s, dir, ifp, m, 0, off, h, &pd); 5707 if (action == PF_PASS) { 5708 r = s->rule.ptr; 5709 a = s->anchor.ptr; 5710 log = s->log; 5711 } else if (s == NULL) 5712 action = pf_test_udp(&r, &s, dir, ifp, 5713 m, 0, off, h, &pd, &a, &ruleset); 5714 break; 5715 } 5716 5717 case IPPROTO_ICMP: { 5718 struct icmp ih; 5719 5720 pd.hdr.icmp = &ih; 5721 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 5722 &action, &reason, AF_INET)) { 5723 log = action != PF_PASS; 5724 goto done; 5725 } 5726 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5727 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) { 5728 action = PF_DROP; 5729 goto done; 5730 } 5731 action = pf_test_state_icmp(&s, dir, ifp, m, 0, off, h, &pd); 5732 if (action == PF_PASS) { 5733 r = s->rule.ptr; 5734 r->packets++; 5735 r->bytes += ntohs(h->ip_len); 5736 a = s->anchor.ptr; 5737 if (a != NULL) { 5738 a->packets++; 5739 a->bytes += ntohs(h->ip_len); 5740 } 5741 log = s->log; 5742 } else if (s == NULL) 5743 action = pf_test_icmp(&r, &s, dir, ifp, 5744 m, 0, off, h, &pd, &a, &ruleset); 5745 break; 5746 } 5747 5748 default: 5749 action = pf_test_state_other(&s, dir, ifp, &pd); 5750 if (action == PF_PASS) { 5751 r = s->rule.ptr; 5752 a = s->anchor.ptr; 5753 log = s->log; 5754 } else if (s == NULL) 5755 action = pf_test_other(&r, &s, dir, ifp, m, off, h, 5756 &pd, &a, &ruleset); 5757 break; 5758 } 5759 5760 if (ifp == status_ifp) { 5761 pf_status.bcounters[0][dir == PF_OUT] += pd.tot_len; 5762 pf_status.pcounters[0][dir == PF_OUT][action != PF_PASS]++; 5763 } 5764 5765done: 5766 tr = r; 5767 if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL) 5768 tr = s->nat_rule.ptr; 5769 if (tr->src.addr.type == PF_ADDR_TABLE) 5770 pfr_update_stats(tr->src.addr.p.tbl, 5771 (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af, 5772 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5773 tr->src.not); 5774 if (tr->dst.addr.type == PF_ADDR_TABLE) 5775 pfr_update_stats(tr->dst.addr.p.tbl, 5776 (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af, 5777 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5778 tr->dst.not); 5779 5780 if (action == PF_PASS && h->ip_hl > 5 && 5781 !((s && s->allow_opts) || r->allow_opts)) { 5782 action = PF_DROP; 5783 REASON_SET(&reason, PFRES_SHORT); 5784 log = 1; 5785 DPFPRINTF(PF_DEBUG_MISC, 5786 ("pf: dropping packet with ip options\n")); 5787 } 5788 5789#ifdef ALTQ 5790 if (action == PF_PASS && r->qid) { 5791 struct m_tag *mtag; 5792 struct altq_tag *atag; 5793 5794 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 5795 if (mtag != NULL) { 5796 atag = (struct altq_tag *)(mtag + 1); 5797 if (pqid || pd.tos == IPTOS_LOWDELAY) 5798 atag->qid = r->pqid; 5799 else 5800 atag->qid = r->qid; 5801 /* add hints for ecn */ 5802 atag->af = AF_INET; 5803 atag->hdr = h; 5804 m_tag_prepend(m, mtag); 5805 } 5806 } 5807#endif 5808 5809 if (log) 5810 PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, r, a, ruleset); 5811 5812 if (action == PF_SYNPROXY_DROP) { 5813 m_freem(*m0); 5814 *m0 = NULL; 5815 action = PF_PASS; 5816 } else if (r->rt) 5817 /* pf_route can free the mbuf causing *m0 to become NULL */ 5818 pf_route(m0, r, dir, ifp, s); 5819 5820#ifdef __FreeBSD__ 5821 PF_UNLOCK(); 5822#endif 5823 5824 return (action); 5825} 5826#endif /* INET */ 5827 5828#ifdef INET6 5829int 5830pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) 5831{ 5832 u_short action, reason = 0, log = 0; 5833 struct mbuf *m = *m0; 5834 struct ip6_hdr *h; 5835 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr; 5836 struct pf_state *s = NULL; 5837 struct pf_ruleset *ruleset = NULL; 5838 struct pf_pdesc pd; 5839 int off, terminal = 0; 5840 5841#ifdef __FreeBSD__ 5842 PF_LOCK(); 5843#endif 5844 5845 if (!pf_status.running || 5846 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) { 5847#ifdef __FreeBSD__ 5848 PF_UNLOCK(); 5849#endif 5850 return (PF_PASS); 5851 } 5852 5853#if defined(__FreeBSD__) && (__FreeBSD_version >= 501000) 5854 M_ASSERTPKTHDR(m); 5855#else 5856#ifdef DIAGNOSTIC 5857 if ((m->m_flags & M_PKTHDR) == 0) 5858 panic("non-M_PKTHDR is passed to pf_test"); 5859#endif 5860#endif 5861 5862 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5863 action = PF_DROP; 5864 REASON_SET(&reason, PFRES_SHORT); 5865 log = 1; 5866 goto done; 5867 } 5868 5869 /* We do IP header normalization and packet reassembly here */ 5870 if (pf_normalize_ip6(m0, dir, ifp, &reason) != PF_PASS) { 5871 action = PF_DROP; 5872 goto done; 5873 } 5874 m = *m0; 5875 h = mtod(m, struct ip6_hdr *); 5876 5877 memset(&pd, 0, sizeof(pd)); 5878 pd.src = (struct pf_addr *)&h->ip6_src; 5879 pd.dst = (struct pf_addr *)&h->ip6_dst; 5880 pd.ip_sum = NULL; 5881 pd.af = AF_INET6; 5882 pd.tos = 0; 5883 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); 5884 5885 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 5886 pd.proto = h->ip6_nxt; 5887 do { 5888 switch (pd.proto) { 5889 case IPPROTO_FRAGMENT: 5890 action = pf_test_fragment(&r, dir, ifp, m, h, 5891 &pd, &a, &ruleset); 5892 if (action == PF_DROP) 5893 REASON_SET(&reason, PFRES_FRAG); 5894 goto done; 5895 case IPPROTO_AH: 5896 case IPPROTO_HOPOPTS: 5897 case IPPROTO_ROUTING: 5898 case IPPROTO_DSTOPTS: { 5899 /* get next header and header length */ 5900 struct ip6_ext opt6; 5901 5902 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), 5903 NULL, NULL, pd.af)) { 5904 DPFPRINTF(PF_DEBUG_MISC, 5905 ("pf: IPv6 short opt\n")); 5906 action = PF_DROP; 5907 REASON_SET(&reason, PFRES_SHORT); 5908 log = 1; 5909 goto done; 5910 } 5911 if (pd.proto == IPPROTO_AH) 5912 off += (opt6.ip6e_len + 2) * 4; 5913 else 5914 off += (opt6.ip6e_len + 1) * 8; 5915 pd.proto = opt6.ip6e_nxt; 5916 /* goto the next header */ 5917 break; 5918 } 5919 default: 5920 terminal++; 5921 break; 5922 } 5923 } while (!terminal); 5924 5925 switch (pd.proto) { 5926 5927 case IPPROTO_TCP: { 5928 struct tcphdr th; 5929 5930 pd.hdr.tcp = &th; 5931 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5932 &action, &reason, AF_INET6)) { 5933 log = action != PF_PASS; 5934 goto done; 5935 } 5936 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5937 ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) { 5938 action = PF_DROP; 5939 goto done; 5940 } 5941 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5942 action = pf_normalize_tcp(dir, ifp, m, 0, off, h, &pd); 5943 if (action == PF_DROP) 5944 break; 5945 action = pf_test_state_tcp(&s, dir, ifp, m, 0, off, h, &pd, 5946 &reason); 5947 if (action == PF_PASS) { 5948 r = s->rule.ptr; 5949 log = s->log; 5950 } else if (s == NULL) 5951 action = pf_test_tcp(&r, &s, dir, ifp, 5952 m, 0, off, h, &pd, &a, &ruleset); 5953 break; 5954 } 5955 5956 case IPPROTO_UDP: { 5957 struct udphdr uh; 5958 5959 pd.hdr.udp = &uh; 5960 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5961 &action, &reason, AF_INET6)) { 5962 log = action != PF_PASS; 5963 goto done; 5964 } 5965 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5966 off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) { 5967 action = PF_DROP; 5968 goto done; 5969 } 5970 action = pf_test_state_udp(&s, dir, ifp, m, 0, off, h, &pd); 5971 if (action == PF_PASS) { 5972 r = s->rule.ptr; 5973 log = s->log; 5974 } else if (s == NULL) 5975 action = pf_test_udp(&r, &s, dir, ifp, 5976 m, 0, off, h, &pd, &a, &ruleset); 5977 break; 5978 } 5979 5980 case IPPROTO_ICMPV6: { 5981 struct icmp6_hdr ih; 5982 5983 pd.hdr.icmp6 = &ih; 5984 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 5985 &action, &reason, AF_INET6)) { 5986 log = action != PF_PASS; 5987 goto done; 5988 } 5989 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5990 ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) { 5991 action = PF_DROP; 5992 goto done; 5993 } 5994 action = pf_test_state_icmp(&s, dir, ifp, 5995 m, 0, off, h, &pd); 5996 if (action == PF_PASS) { 5997 r = s->rule.ptr; 5998 r->packets++; 5999 r->bytes += h->ip6_plen; 6000 log = s->log; 6001 } else if (s == NULL) 6002 action = pf_test_icmp(&r, &s, dir, ifp, 6003 m, 0, off, h, &pd, &a, &ruleset); 6004 break; 6005 } 6006 6007 default: 6008 action = pf_test_other(&r, &s, dir, ifp, m, off, h, 6009 &pd, &a, &ruleset); 6010 break; 6011 } 6012 6013 if (ifp == status_ifp) { 6014 pf_status.bcounters[1][dir == PF_OUT] += pd.tot_len; 6015 pf_status.pcounters[1][dir == PF_OUT][action != PF_PASS]++; 6016 } 6017 6018done: 6019 tr = r; 6020 if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL) 6021 tr = s->nat_rule.ptr; 6022 if (tr->src.addr.type == PF_ADDR_TABLE) 6023 pfr_update_stats(tr->src.addr.p.tbl, 6024 (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af, 6025 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 6026 tr->src.not); 6027 if (tr->dst.addr.type == PF_ADDR_TABLE) 6028 pfr_update_stats(tr->dst.addr.p.tbl, 6029 (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af, 6030 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 6031 tr->dst.not); 6032 6033 /* XXX handle IPv6 options, if not allowed. not implemented. */ 6034 6035#ifdef ALTQ 6036 if (action == PF_PASS && r->qid) { 6037 struct m_tag *mtag; 6038 struct altq_tag *atag; 6039 6040 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 6041 if (mtag != NULL) { 6042 atag = (struct altq_tag *)(mtag + 1); 6043 if (pd.tos == IPTOS_LOWDELAY) 6044 atag->qid = r->pqid; 6045 else 6046 atag->qid = r->qid; 6047 /* add hints for ecn */ 6048 atag->af = AF_INET6; 6049 atag->hdr = h; 6050 m_tag_prepend(m, mtag); 6051 } 6052 } 6053#endif 6054 6055 if (log) 6056 PFLOG_PACKET(ifp, h, m, AF_INET6, dir, reason, r, a, ruleset); 6057 6058 if (action == PF_SYNPROXY_DROP) { 6059 m_freem(*m0); 6060 *m0 = NULL; 6061 action = PF_PASS; 6062 } else if (r->rt) 6063 /* pf_route6 can free the mbuf causing *m0 to become NULL */ 6064 pf_route6(m0, r, dir, ifp, s); 6065 6066#ifdef __FreeBSD__ 6067 PF_UNLOCK(); 6068#endif 6069 return (action); 6070} 6071#endif /* INET6 */ 6072