1 /** $MirOS: src/sys/net/pf.c,v 1.11 2011/07/17 22:33:42 tg Exp $ */
2 /* $OpenBSD: pf.c,v 1.433.2.8 2005/02/19 22:47:44 brad Exp $ */
3
4 /*
5 * Copyright (c) 2001 Daniel Hartmeier
6 * Copyright (c) 2002,2003 Henning Brauer
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 *
33 * Effort sponsored in part by the Defense Advanced Research Projects
34 * Agency (DARPA) and Air Force Research Laboratory, Air Force
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
36 *
37 */
38
39 #include "bpfilter.h"
40 #include "pflog.h"
41 #include "pfsync.h"
42
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/mbuf.h>
46 #include <sys/filio.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/kernel.h>
50 #include <sys/time.h>
51 #include <sys/pool.h>
52
53 #include <net/if.h>
54 #include <net/if_types.h>
55 #include <net/bpf.h>
56 #include <net/route.h>
57
58 #include <netinet/in.h>
59 #include <netinet/in_var.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_var.h>
63 #include <netinet/tcp.h>
64 #include <netinet/tcp_seq.h>
65 #include <netinet/udp.h>
66 #include <netinet/ip_icmp.h>
67 #include <netinet/in_pcb.h>
68 #include <netinet/tcp_timer.h>
69 #include <netinet/tcp_var.h>
70 #include <netinet/udp_var.h>
71 #include <netinet/icmp_var.h>
72 #include <netinet/if_ether.h>
73
74 #include <dev/rndvar.h>
75 #include <net/pfvar.h>
76 #include <net/if_pflog.h>
77
78 #if NPFSYNC > 0
79 #include <net/if_pfsync.h>
80 #endif /* NPFSYNC > 0 */
81
82 #ifdef INET6
83 #include <netinet/ip6.h>
84 #include <netinet/in_pcb.h>
85 #include <netinet/icmp6.h>
86 #include <netinet6/nd6.h>
87 #endif /* INET6 */
88
89
/*
 * Debug print helper: the printf runs only when the global debug level
 * pf_status.debug is at least n.  x is a parenthesised printf argument
 * list.  The expansion is a bare "if" with no braces, so a call site must
 * not be followed by an "else" that is meant for an enclosing "if".
 */
#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x

/*
 * Global variables
 */

struct pf_anchorqueue	 pf_anchors;
struct pf_ruleset	 pf_main_ruleset;
struct pf_altqqueue	 pf_altqs[2];		/* two altq sets, see the two pointers below */
struct pf_palist	 pf_pabuf;
struct pf_altqqueue	*pf_altqs_active;	/* presumably one of pf_altqs[]; set elsewhere */
struct pf_altqqueue	*pf_altqs_inactive;	/* presumably the other pf_altqs[] entry */
struct pf_status	 pf_status;		/* counters, debug level, state ids (used below) */

u_int32_t		 ticket_altqs_active;
u_int32_t		 ticket_altqs_inactive;
int			 altqs_inactive_open;
u_int32_t		 ticket_pabuf;

struct timeout		 pf_expire_to;		/* expire timeout */

/* Pools that the state and source-node code in this file allocates from. */
struct pool		 pf_src_tree_pl, pf_rule_pl;
struct pool		 pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
113
/*
 * Forward declarations for functions defined later in this file.  Only
 * pf_add_mbuf_tag is file-local; the rest keep external linkage as in the
 * original.
 */
void			 pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);

void			 pf_change_ap(struct pf_addr *, u_int16_t *,
			    u_int16_t *, u_int16_t *, struct pf_addr *,
			    u_int16_t, u_int8_t, sa_family_t);
#ifdef INET6
void			 pf_change_a6(struct pf_addr *, u_int16_t *,
			    struct pf_addr *, u_int8_t);
#endif /* INET6 */
void			 pf_change_icmp(struct pf_addr *, u_int16_t *,
			    struct pf_addr *, struct pf_addr *, u_int16_t,
			    u_int16_t *, u_int16_t *, u_int16_t *,
			    u_int16_t *, u_int8_t, sa_family_t);
void			 pf_send_tcp(const struct pf_rule *, sa_family_t,
			    const struct pf_addr *, const struct pf_addr *,
			    u_int16_t, u_int16_t, u_int32_t, u_int32_t,
			    u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
			    struct ether_header *, struct ifnet *);
void			 pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
			    sa_family_t, struct pf_rule *);
struct pf_rule		*pf_match_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *,
			    struct pf_addr *, u_int16_t, struct pf_addr *,
			    u_int16_t, int);
struct pf_rule		*pf_get_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *, struct pf_src_node **,
			    struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t *);
/* Per-protocol rule evaluation for packets without a matching state. */
int			 pf_test_tcp(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **, struct ifqueue *);
int			 pf_test_udp(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **, struct ifqueue *);
int			 pf_test_icmp(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **, struct ifqueue *);
int			 pf_test_other(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int, void *,
			    struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **, struct ifqueue *);
int			 pf_test_fragment(struct pf_rule **, int,
			    struct pfi_kif *, struct mbuf *, void *,
			    struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **);
/* Per-protocol handling of packets that belong to an existing state. */
int			 pf_test_state_tcp(struct pf_state **, int,
			    struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, u_short *);
int			 pf_test_state_udp(struct pf_state **, int,
			    struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *);
int			 pf_test_state_icmp(struct pf_state **, int,
			    struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *);
int			 pf_test_state_other(struct pf_state **, int,
			    struct pfi_kif *, struct pf_pdesc *);
struct pf_tag		*pf_get_tag(struct mbuf *);
int			 pf_match_tag(struct mbuf *, struct pf_rule *,
			    struct pf_rule *, struct pf_tag **, int *);
void			 pf_hash(struct pf_addr *, struct pf_addr *,
			    struct pf_poolhashkey *, sa_family_t);
int			 pf_map_addr(u_int8_t, struct pf_rule *,
			    struct pf_addr *, struct pf_addr *,
			    struct pf_addr *, struct pf_src_node **);
int			 pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
			    struct pf_addr *, struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
			    struct pf_src_node **);
void			 pf_route(struct mbuf **, struct pf_rule *, int,
			    struct ifnet *, struct pf_state *);
void			 pf_route6(struct mbuf **, struct pf_rule *, int,
			    struct ifnet *, struct pf_state *);
int			 pf_socket_lookup(uid_t *, gid_t *,
			    int, struct pf_pdesc *);
u_int8_t		 pf_get_wscale(struct mbuf *, int, u_int16_t,
			    sa_family_t);
u_int16_t		 pf_get_mss(struct mbuf *, int, u_int16_t,
			    sa_family_t);
u_int16_t		 pf_calc_mss(struct pf_addr *, sa_family_t,
			    u_int16_t);
void			 pf_set_rt_ifp(struct pf_state *,
			    struct pf_addr *);
int			 pf_check_proto_cksum(struct mbuf *, int, int,
			    u_int8_t, sa_family_t);
int			 pf_addr_wrap_neq(struct pf_addr_wrap *,
			    struct pf_addr_wrap *);
static int		 pf_add_mbuf_tag(struct mbuf *, u_int);
struct pf_state		*pf_find_state_recurse(struct pfi_kif *,
			    struct pf_state *, u_int8_t);
int			 pf_check_congestion(struct ifqueue *);
208
/*
 * Hard limits for the pools that can exhaust kernel memory under load;
 * indexed by the PF_LIMIT_* constants (array size PF_LIMIT_MAX).
 */
struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
	{ &pf_state_pl, PFSTATE_HIWAT },
	{ &pf_src_tree_pl, PFSNODE_HIWAT },
	{ &pf_frent_pl, PFFRAG_FRENT_HIWAT }
};

/*
 * Look up the state for the current packet and store it in *state.
 * Relies on the caller's locals "direction", "state", "kif" and "key", and
 * returns from the CALLER: PF_DROP when no state matches, PF_PASS when an
 * outbound packet belongs to a route-to/reply-to state bound to a
 * different interface (it will be handled when it leaves via rt_kif).
 */
#define STATE_LOOKUP()							\
	do {								\
		if (direction == PF_IN)					\
			*state = pf_find_state_recurse(			\
			    kif, &key, PF_EXT_GWY);			\
		else							\
			*state = pf_find_state_recurse(			\
			    kif, &key, PF_LAN_EXT);			\
		if (*state == NULL)					\
			return (PF_DROP);				\
		if (direction == PF_OUT &&				\
		    (((*state)->rule.ptr->rt == PF_ROUTETO &&		\
		    (*state)->rule.ptr->direction == PF_OUT) ||		\
		    ((*state)->rule.ptr->rt == PF_REPLYTO &&		\
		    (*state)->rule.ptr->direction == PF_IN)) &&		\
		    (*state)->rt_kif != NULL &&				\
		    (*state)->rt_kif != kif)				\
			return (PF_PASS);				\
	} while (0)

/*
 * True when the state's lan and gwy sides differ in address or port, i.e.
 * translation is in effect.  The expansion is NOT wrapped in parentheses,
 * so it must stand alone as a condition or be parenthesised at the use
 * site; combining it with && or || directly would bind incorrectly.
 */
#define STATE_TRANSLATE(s) \
	(s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
	((s)->af == AF_INET6 && \
	((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \
	(s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \
	(s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \
	(s)->lan.port != (s)->gwy.port

/*
 * Interface to bind a state to for rule r: the interface itself, its
 * group parent, or the grandparent (the all-interfaces node); the last
 * case dereferences pfik_parent twice, so k must have two ancestors.
 */
#define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) :	\
	((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent :		\
	(k)->pfik_parent->pfik_parent)
246
/* Comparators for the red-black trees generated below; defined next. */
static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
static __inline int pf_state_compare_lan_ext(struct pf_state *,
	struct pf_state *);
static __inline int pf_state_compare_ext_gwy(struct pf_state *,
	struct pf_state *);
static __inline int pf_state_compare_id(struct pf_state *,
	struct pf_state *);

/* Source-tracking nodes, keyed by (rule, af, address); see pf_src_compare. */
struct pf_src_tree tree_src_tracking;

/* All states keyed by (id, creatorid); the per-interface trees live in pfi_kif. */
struct pf_state_tree_id tree_id;
/* States in insertion order, maintained by pf_insert_state / pf_purge_expired_state. */
struct pf_state_queue state_updates;

RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
RB_GENERATE(pf_state_tree_lan_ext, pf_state,
    u.s.entry_lan_ext, pf_state_compare_lan_ext);
RB_GENERATE(pf_state_tree_ext_gwy, pf_state,
    u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
RB_GENERATE(pf_state_tree_id, pf_state,
    u.s.entry_id, pf_state_compare_id);
267
/*
 * Tree comparator for source-tracking nodes.
 * Key order: owning rule pointer, address family, then the address words
 * from the highest index down (IPv6: 3..0, IPv4: 0 only).
 * Returns <0, 0 or >0 in the usual comparator sense.
 */
static __inline int
pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
{
	int d, w, hi;

	if (a->rule.ptr != b->rule.ptr)
		return (a->rule.ptr > b->rule.ptr ? 1 : -1);
	if ((d = a->af - b->af) != 0)
		return (d);

	/* Highest address word index to compare; -1 compares none. */
	switch (a->af) {
#ifdef INET
	case AF_INET:
		hi = 0;
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		hi = 3;
		break;
#endif /* INET6 */
	default:
		hi = -1;
		break;
	}
	for (w = hi; w >= 0; w--) {
		if (a->addr.addr32[w] != b->addr.addr32[w])
			return (a->addr.addr32[w] > b->addr.addr32[w] ? 1 : -1);
	}
	return (0);
}
311
/*
 * Tree comparator for the per-interface lan/ext state tree.
 * Key order: proto, af, then at each address word index (highest first)
 * the lan address followed by the ext address, then lan port, ext port.
 */
static __inline int
pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b)
{
	int d, w, hi;

	if ((d = a->proto - b->proto) != 0)
		return (d);
	if ((d = a->af - b->af) != 0)
		return (d);

	/* Highest address word index to compare; -1 compares none. */
	switch (a->af) {
#ifdef INET
	case AF_INET:
		hi = 0;
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		hi = 3;
		break;
#endif /* INET6 */
	default:
		hi = -1;
		break;
	}
	for (w = hi; w >= 0; w--) {
		if (a->lan.addr.addr32[w] != b->lan.addr.addr32[w])
			return (a->lan.addr.addr32[w] > b->lan.addr.addr32[w] ?
			    1 : -1);
		if (a->ext.addr.addr32[w] != b->ext.addr.addr32[w])
			return (a->ext.addr.addr32[w] > b->ext.addr.addr32[w] ?
			    1 : -1);
	}

	if ((d = a->lan.port - b->lan.port) != 0)
		return (d);
	return (a->ext.port - b->ext.port);
}
379
/*
 * Tree comparator for the per-interface ext/gwy state tree.
 * Key order: proto, af, then at each address word index (highest first)
 * the ext address followed by the gwy address, then ext port, gwy port.
 */
static __inline int
pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b)
{
	int d, w, hi;

	if ((d = a->proto - b->proto) != 0)
		return (d);
	if ((d = a->af - b->af) != 0)
		return (d);

	/* Highest address word index to compare; -1 compares none. */
	switch (a->af) {
#ifdef INET
	case AF_INET:
		hi = 0;
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		hi = 3;
		break;
#endif /* INET6 */
	default:
		hi = -1;
		break;
	}
	for (w = hi; w >= 0; w--) {
		if (a->ext.addr.addr32[w] != b->ext.addr.addr32[w])
			return (a->ext.addr.addr32[w] > b->ext.addr.addr32[w] ?
			    1 : -1);
		if (a->gwy.addr.addr32[w] != b->gwy.addr.addr32[w])
			return (a->gwy.addr.addr32[w] > b->gwy.addr.addr32[w] ?
			    1 : -1);
	}

	if ((d = a->ext.port - b->ext.port) != 0)
		return (d);
	return (a->gwy.port - b->gwy.port);
}
447
/*
 * Tree comparator for the global id tree: order by state id, then by the
 * id of the host that created the state.
 */
static __inline int
pf_state_compare_id(struct pf_state *a, struct pf_state *b)
{
	if (a->id != b->id)
		return (a->id > b->id ? 1 : -1);
	if (a->creatorid != b->creatorid)
		return (a->creatorid > b->creatorid ? 1 : -1);
	return (0);
}
462
463 #ifdef INET6
/*
 * Copy the address words that are meaningful for family af from src to
 * dst: one 32-bit word for AF_INET, four for AF_INET6, nothing otherwise.
 */
void
pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
{
	int nwords, i;

	switch (af) {
#ifdef INET
	case AF_INET:
		nwords = 1;
		break;
#endif /* INET */
	case AF_INET6:
		nwords = 4;
		break;
	default:
		nwords = 0;
		break;
	}
	for (i = 0; i < nwords; i++)
		dst->addr32[i] = src->addr32[i];
}
481 #endif /* INET6 */
482
/*
 * Look up a state by (id, creatorid) in the global id tree.
 * Counts the search in pf_status; returns NULL when nothing matches.
 */
struct pf_state *
pf_find_state_byid(struct pf_state *key)
{
	struct pf_state *found;

	pf_status.fcounters[FCNT_STATE_SEARCH]++;
	found = RB_FIND(pf_state_tree_id, &tree_id, key);
	return (found);
}
489
/*
 * Look up a state in the lan/ext or ext/gwy tree of kif, then of each of
 * its ancestors (pfik_parent chain) until a match is found.
 * tree is PF_LAN_EXT or PF_EXT_GWY; anything else panics.
 * Returns the first match or NULL.
 */
struct pf_state *
pf_find_state_recurse(struct pfi_kif *kif, struct pf_state *key, u_int8_t tree)
{
	struct pf_state *s = NULL;
	struct pfi_kif *k;

	pf_status.fcounters[FCNT_STATE_SEARCH]++;

	if (tree != PF_LAN_EXT && tree != PF_EXT_GWY)
		panic("pf_find_state_recurse");

	for (k = kif; k != NULL && s == NULL; k = k->pfik_parent) {
		if (tree == PF_LAN_EXT)
			s = RB_FIND(pf_state_tree_lan_ext,
			    &k->pfik_lan_ext, key);
		else
			s = RB_FIND(pf_state_tree_ext_gwy,
			    &k->pfik_ext_gwy, key);
	}
	return (s);
}
518
/*
 * Search every interface on pfi_statehead for a state matching key in the
 * given tree (PF_LAN_EXT or PF_EXT_GWY; anything else panics).
 * With more == NULL the first match is returned immediately.  Otherwise
 * every interface is visited, *more is incremented once per match, and
 * the last match (or NULL) is returned.
 */
struct pf_state *
pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more)
{
	struct pf_state *s, *last = NULL;
	struct pfi_kif *kif;

	pf_status.fcounters[FCNT_STATE_SEARCH]++;

	if (tree != PF_LAN_EXT && tree != PF_EXT_GWY)
		panic("pf_find_state_all");

	TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
		if (tree == PF_LAN_EXT)
			s = RB_FIND(pf_state_tree_lan_ext,
			    &kif->pfik_lan_ext, key);
		else
			s = RB_FIND(pf_state_tree_ext_gwy,
			    &kif->pfik_ext_gwy, key);
		if (s == NULL)
			continue;
		if (more == NULL)
			return (s);
		last = s;
		(*more)++;
	}
	return (last);
}
556
/*
 * Find or create the source-tracking node for (rule, src, af) and leave it
 * in *sn.  If *sn is already non-NULL the lookup is skipped.
 * Returns 0 on success and -1 when: the rule's max_src_nodes is reached
 * (0 means no limit), the pool is exhausted, the tree insert fails, or an
 * existing node already holds max_src_states states (again 0 = no limit).
 * On -1 from the allocation paths *sn is NULL; on the max_src_states path
 * *sn still points at the existing node.
 */
int
pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
    struct pf_addr *src, sa_family_t af)
{
	struct pf_src_node k;

	if (*sn == NULL) {
		/* Only af, addr and rule.ptr are read by pf_src_compare. */
		k.af = af;
		PF_ACPY(&k.addr, src, af);
		/* Per-rule tracking keys on the rule; global tracking on NULL. */
		if (rule->rule_flag & PFRULE_RULESRCTRACK ||
		    rule->rpool.opts & PF_POOL_STICKYADDR)
			k.rule.ptr = rule;
		else
			k.rule.ptr = NULL;
		pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
		*sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
	}
	if (*sn == NULL) {
		/* max_src_nodes == 0 disables the limit. */
		if (!rule->max_src_nodes ||
		    rule->src_nodes < rule->max_src_nodes)
			(*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
		if ((*sn) == NULL)
			return (-1);
		bzero(*sn, sizeof(struct pf_src_node));
		(*sn)->af = af;
		if (rule->rule_flag & PFRULE_RULESRCTRACK ||
		    rule->rpool.opts & PF_POOL_STICKYADDR)
			(*sn)->rule.ptr = rule;
		else
			(*sn)->rule.ptr = NULL;
		PF_ACPY(&(*sn)->addr, src, af);
		if (RB_INSERT(pf_src_tree,
		    &tree_src_tracking, *sn) != NULL) {
			/* Duplicate key: the node is released, not leaked. */
			if (pf_status.debug >= PF_DEBUG_MISC) {
				printf("pf: src_tree insert failed: ");
				pf_print_host(&(*sn)->addr, 0, af);
				printf("\n");
			}
			pool_put(&pf_src_tree_pl, *sn);
			return (-1);
		}
		(*sn)->creation = time.tv_sec;
		(*sn)->ruletype = rule->action;
		/* Rule-bound nodes are counted against that rule. */
		if ((*sn)->rule.ptr != NULL)
			(*sn)->rule.ptr->src_nodes++;
		pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
		pf_status.src_nodes++;
	} else {
		/* Existing node: enforce the per-source state limit. */
		if (rule->max_src_states &&
		    (*sn)->states >= rule->max_src_states)
			return (-1);
	}
	return (0);
}
611
/*
 * Insert a fully initialised state into the three trees it is keyed in:
 * kif's lan/ext tree, kif's ext/gwy tree, and the global id tree.
 * Each insert is rolled back from all trees inserted so far if a later
 * one finds a duplicate key, so a -1 return leaves the trees untouched.
 * States whose id and creatorid are both zero get a fresh id here; states
 * received from pfsync keep the ids they arrived with.
 * Returns 0 on success, -1 on any duplicate key (the caller still owns
 * the state and must free it).
 */
int
pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
{
	/* Thou MUST NOT insert multiple duplicate keys */
	state->u.s.kif = kif;
	if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) {
		if (pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf: state insert failed: tree_lan_ext");
			printf(" lan: ");
			pf_print_host(&state->lan.addr, state->lan.port,
			    state->af);
			printf(" gwy: ");
			pf_print_host(&state->gwy.addr, state->gwy.port,
			    state->af);
			printf(" ext: ");
			pf_print_host(&state->ext.addr, state->ext.port,
			    state->af);
			if (state->sync_flags & PFSTATE_FROMSYNC)
				printf(" (from sync)");
			printf("\n");
		}
		return (-1);
	}

	if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) {
		if (pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf: state insert failed: tree_ext_gwy");
			printf(" lan: ");
			pf_print_host(&state->lan.addr, state->lan.port,
			    state->af);
			printf(" gwy: ");
			pf_print_host(&state->gwy.addr, state->gwy.port,
			    state->af);
			printf(" ext: ");
			pf_print_host(&state->ext.addr, state->ext.port,
			    state->af);
			if (state->sync_flags & PFSTATE_FROMSYNC)
				printf(" (from sync)");
			printf("\n");
		}
		/* Roll back the first insert. */
		RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
		return (-1);
	}

	/* Locally created state: allocate an id from the global counter. */
	if (state->id == 0 && state->creatorid == 0) {
		state->id = htobe64(pf_status.stateid++);
		state->creatorid = pf_status.hostid;
	}
	if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) {
		if (pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf: state insert failed: "
			    "id: %016llx creatorid: %08x",
			    betoh64(state->id), ntohl(state->creatorid));
			if (state->sync_flags & PFSTATE_FROMSYNC)
				printf(" (from sync)");
			printf("\n");
		}
		/* Roll back both per-interface inserts. */
		RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
		RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state);
		return (-1);
	}
	TAILQ_INSERT_HEAD(&state_updates, state, u.s.entry_updates);

	pf_status.fcounters[FCNT_STATE_INSERT]++;
	pf_status.states++;
	pfi_attach_state(kif);
#if NPFSYNC
	pfsync_insert_state(state);
#endif
	return (0);
}
683
/*
 * Periodic purge callback.  arg is the struct timeout that fired; after
 * expiring states, fragments and source nodes at splsoftnet it re-arms
 * itself with the PFTM_INTERVAL of the default rule (in seconds * hz).
 */
void
pf_purge_timeout(void *arg)
{
	struct timeout *self = arg;
	int spl = splsoftnet();

	/* States first: their removal is what lets source nodes expire. */
	pf_purge_expired_states();
	pf_purge_expired_fragments();
	pf_purge_expired_src_nodes();
	splx(spl);

	timeout_add(self, pf_default_rule.timeout[PFTM_INTERVAL] * hz);
}
698
/*
 * Compute the absolute time (seconds, same clock as time.tv_sec) at which
 * state should be purged.
 *  - PFTM_PURGE: now; PFTM_UNTIL_PACKET: 0 (never by timer).
 *  - Otherwise the rule's timeout for the state's current phase, falling
 *    back to pf_default_rule when the rule leaves it at 0.
 * Adaptive timeouts: once the state count passes the adaptive start the
 * timeout shrinks linearly towards 0 at the adaptive end, and states
 * beyond the end are due immediately.  The rule's own adaptive settings
 * and state count are used when it sets an adaptive start; otherwise the
 * global settings and pf_status.states.
 * NOTE: timeout * (end - states) is u_int32_t arithmetic with no overflow
 * guard; it only stays exact for reasonably sized configured values.
 */
u_int32_t
pf_state_expires(const struct pf_state *state)
{
	const struct pf_rule *r = state->rule.ptr;
	u_int32_t tmo, astart, aend, nstates;

	/* handle all PFTM_* > PFTM_MAX here */
	if (state->timeout == PFTM_PURGE)
		return (time.tv_sec);
	if (state->timeout == PFTM_UNTIL_PACKET)
		return (0);
	KASSERT(state->timeout < PFTM_MAX);

	tmo = r->timeout[state->timeout];
	if (tmo == 0)
		tmo = pf_default_rule.timeout[state->timeout];

	astart = r->timeout[PFTM_ADAPTIVE_START];
	if (astart != 0) {
		aend = r->timeout[PFTM_ADAPTIVE_END];
		nstates = r->states;
	} else {
		astart = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
		aend = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
		nstates = pf_status.states;
	}

	/* Adaptive scaling is off, or not yet engaged. */
	if (aend == 0 || nstates <= astart || astart >= aend)
		return (state->expire + tmo);
	/* Past the adaptive end: expire right away. */
	if (nstates >= aend)
		return (time.tv_sec);
	return (state->expire + tmo * (aend - nstates) / (aend - astart));
}
734
/*
 * Remove every source-tracking node that no longer has states and whose
 * expire time has passed.  A node bound to a rule decrements that rule's
 * src_nodes and, if the rule has neither states nor a src_nodes limit
 * left, releases the rule via pf_rm_rule.  The successor is fetched
 * before removal so the walk survives deleting the current node.
 */
void
pf_purge_expired_src_nodes(void)
{
	struct pf_src_node *sn, *nxt;

	for (sn = RB_MIN(pf_src_tree, &tree_src_tracking); sn != NULL;
	    sn = nxt) {
		nxt = RB_NEXT(pf_src_tree, &tree_src_tracking, sn);

		if (sn->states > 0 || sn->expire > time.tv_sec)
			continue;

		if (sn->rule.ptr != NULL) {
			struct pf_rule *r = sn->rule.ptr;

			r->src_nodes--;
			if (r->states <= 0 && r->max_src_nodes <= 0)
				pf_rm_rule(NULL, r);
		}
		RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
		pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
		pf_status.src_nodes--;
		pool_put(&pf_src_tree_pl, sn);
	}
}
757
/*
 * Detach state s from its source node and NAT source node.  Each node's
 * state count is decremented; a node that drops to zero states gets an
 * expire time of now + PFTM_SRC_NODE (rule value, else the default rule's)
 * so pf_purge_expired_src_nodes can reap it.  The NAT node is only
 * handled when it is a different node from src_node.
 */
void
pf_src_tree_remove_state(struct pf_state *s)
{
	struct pf_src_node *nodes[2];
	u_int32_t tmo;
	int i;

	nodes[0] = s->src_node;
	nodes[1] = (s->nat_src_node != s->src_node) ? s->nat_src_node : NULL;

	for (i = 0; i < 2; i++) {
		if (nodes[i] == NULL)
			continue;
		if (--nodes[i]->states > 0)
			continue;
		tmo = s->rule.ptr->timeout[PFTM_SRC_NODE];
		if (tmo == 0)
			tmo = pf_default_rule.timeout[PFTM_SRC_NODE];
		nodes[i]->expire = time.tv_sec + tmo;
	}
	s->src_node = s->nat_src_node = NULL;
}
783
/*
 * Tear down one state: unlink it from every tree and list it sits in,
 * release its references on rules, source nodes and the interface, and
 * return it to the pool.  Must be called with cur still linked in all
 * three trees (as left by pf_insert_state).
 * A state stuck in the synproxy destination phase gets a RST+ACK sent to
 * the client first so the client-side connection does not linger.
 */
void
pf_purge_expired_state(struct pf_state *cur)
{
	if (cur->src.state == PF_TCPS_PROXY_DST)
		pf_send_tcp(cur->rule.ptr, cur->af,
		    &cur->ext.addr, &cur->lan.addr,
		    cur->ext.port, cur->lan.port,
		    cur->src.seqhi, cur->src.seqlo + 1,
		    TH_RST|TH_ACK, 0, 0, 0, 1, NULL, NULL);
	RB_REMOVE(pf_state_tree_ext_gwy,
	    &cur->u.s.kif->pfik_ext_gwy, cur);
	RB_REMOVE(pf_state_tree_lan_ext,
	    &cur->u.s.kif->pfik_lan_ext, cur);
	RB_REMOVE(pf_state_tree_id, &tree_id, cur);
#if NPFSYNC
	pfsync_delete_state(cur);
#endif
	pf_src_tree_remove_state(cur);
	/*
	 * Drop the references on the matching rule, NAT rule and anchor;
	 * a rule with no states and no source nodes left is freed here.
	 */
	if (--cur->rule.ptr->states <= 0 &&
	    cur->rule.ptr->src_nodes <= 0)
		pf_rm_rule(NULL, cur->rule.ptr);
	if (cur->nat_rule.ptr != NULL)
		if (--cur->nat_rule.ptr->states <= 0 &&
			cur->nat_rule.ptr->src_nodes <= 0)
			pf_rm_rule(NULL, cur->nat_rule.ptr);
	if (cur->anchor.ptr != NULL)
		if (--cur->anchor.ptr->states <= 0)
			pf_rm_rule(NULL, cur->anchor.ptr);
	pf_normalize_tcp_cleanup(cur);
	pfi_detach_state(cur->u.s.kif);
	TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates);
	/* cur is invalid after this put; only counters are touched below. */
	pool_put(&pf_state_pl, cur);
	pf_status.fcounters[FCNT_STATE_REMOVALS]++;
	pf_status.states--;
}
819
/*
 * Walk the id tree and purge every state whose pf_state_expires() time
 * is not in the future.  The successor is read before the current state
 * may be freed by pf_purge_expired_state.
 */
void
pf_purge_expired_states(void)
{
	struct pf_state *s = RB_MIN(pf_state_tree_id, &tree_id);

	while (s != NULL) {
		struct pf_state *nxt = RB_NEXT(pf_state_tree_id, &tree_id, s);

		if (pf_state_expires(s) <= time.tv_sec)
			pf_purge_expired_state(s);
		s = nxt;
	}
}
832
/*
 * Resolve a table-typed address wrapper: attach the named table in
 * ruleset rs and cache the kernel table pointer in aw->p.tbl.
 * Non-table wrappers are left alone.  Returns 0 on success, 1 when the
 * table cannot be attached.
 */
int
pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
{
	struct pfr_ktable *kt;

	if (aw->type != PF_ADDR_TABLE)
		return (0);
	kt = pfr_attach_table(rs, aw->v.tblname);
	aw->p.tbl = kt;
	return (kt == NULL ? 1 : 0);
}
842
/*
 * Release the table reference held by a table-typed address wrapper and
 * clear the cached pointer.  No-op for other wrapper types or when no
 * table is attached.
 */
void
pf_tbladdr_remove(struct pf_addr_wrap *aw)
{
	struct pfr_ktable *kt;

	if (aw->type != PF_ADDR_TABLE)
		return;
	kt = aw->p.tbl;
	if (kt == NULL)
		return;
	aw->p.tbl = NULL;
	pfr_detach_table(kt);
}
851
/*
 * Prepare a table-typed address wrapper for copying out to userland:
 * the kernel table pointer is replaced by the table's address count
 * (-1 when the table is not active).  An inactive table with a root
 * reports its root's figures.  Other wrapper types are left untouched.
 */
void
pf_tbladdr_copyout(struct pf_addr_wrap *aw)
{
	struct pfr_ktable *kt;

	if (aw->type != PF_ADDR_TABLE)
		return;
	kt = aw->p.tbl;
	if (kt == NULL)
		return;
	if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
		kt = kt->pfrkt_root;
	/* Never leak a kernel pointer to userland. */
	aw->p.tbl = NULL;
	if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE)
		aw->p.tblcnt = kt->pfrkt_cnt;
	else
		aw->p.tblcnt = -1;
}
865
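/*
 * Print an address (and port, if non-zero) for debug output.
 * AF_INET:  dotted quad, then ":port".  AF_INET6: hex groups with the
 * longest run of two or more zero groups collapsed to "::" (the first
 * such run wins on a tie), then "[port]".  p is in network byte order.
 *
 * Fix: the previous zero-run scan never recorded a run starting at group
 * 0 and, with no zero run at all, still treated group 0 as collapsed and
 * printed a leading ":" in place of the first group.  The scan now tracks
 * "no run" explicitly (index 255) and closes a run that ends at group 7.
 */
void
pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
{
	switch (af) {
#ifdef INET
	case AF_INET: {
		u_int32_t a = ntohl(addr->addr32[0]);
		printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
		    (a>>8)&255, a&255);
		if (p) {
			p = ntohs(p);
			printf(":%u", p);
		}
		break;
	}
#endif /* INET */
#ifdef INET6
	case AF_INET6: {
		u_int16_t b;
		u_int8_t i, curstart, curend, maxstart, maxend;

		/*
		 * Find the longest run of zero groups.  255 means "no run";
		 * a run of one group has length 0 and so never beats the
		 * initial max, leaving lone zero groups printed as "0".
		 */
		curstart = curend = maxstart = maxend = 255;
		for (i = 0; i < 8; i++) {
			if (!addr->addr16[i]) {
				if (curstart == 255)
					curstart = i;
				curend = i;
			} else {
				if ((curend - curstart) >
				    (maxend - maxstart)) {
					maxstart = curstart;
					maxend = curend;
				}
				curstart = curend = 255;
			}
		}
		/* A run reaching group 7 is only closed after the loop. */
		if ((curend - curstart) > (maxend - maxstart)) {
			maxstart = curstart;
			maxend = curend;
		}
		for (i = 0; i < 8; i++) {
			if (i >= maxstart && i <= maxend) {
				/* A run at the front needs both colons. */
				if (i == 0)
					printf(":");
				if (i == maxend)
					printf(":");
			} else {
				b = ntohs(addr->addr16[i]);
				printf("%x", b);
				if (i < 7)
					printf(":");
			}
		}
		if (p) {
			p = ntohs(p);
			printf("[%u]", p);
		}
		break;
	}
#endif /* INET6 */
	}
}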
929
/*
 * Print one state for debug output: protocol name (or number), the lan,
 * gwy and ext endpoints, the sequence-tracking window of each peer, and
 * the two peer states.  Window scaling is only shown when both peers
 * negotiated it.
 */
void
pf_print_state(struct pf_state *s)
{
	const char *proto_name;
	int both_wscale;

	switch (s->proto) {
	case IPPROTO_TCP:
		proto_name = "TCP ";
		break;
	case IPPROTO_UDP:
		proto_name = "UDP ";
		break;
	case IPPROTO_ICMP:
		proto_name = "ICMP ";
		break;
	case IPPROTO_ICMPV6:
		proto_name = "ICMPV6 ";
		break;
	default:
		proto_name = NULL;
		break;
	}
	if (proto_name != NULL)
		printf("%s", proto_name);
	else
		printf("%u ", s->proto);

	pf_print_host(&s->lan.addr, s->lan.port, s->af);
	printf(" ");
	pf_print_host(&s->gwy.addr, s->gwy.port, s->af);
	printf(" ");
	pf_print_host(&s->ext.addr, s->ext.port, s->af);

	both_wscale = s->src.wscale && s->dst.wscale;

	printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
	    s->src.seqhi, s->src.max_win, s->src.seqdiff);
	if (both_wscale)
		printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
	printf("]");

	printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
	    s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
	if (both_wscale)
		printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
	printf("]");

	printf(" %u:%u", s->src.state, s->dst.state);
}
967
/*
 * Print the TCP flags in f as a space followed by one letter per set
 * flag, in the order F S R P A U E W.  Prints nothing when f is 0.
 */
void
pf_print_flags(u_int8_t f)
{
	static const struct {
		u_int8_t	 bit;
		const char	*letter;
	} flagnames[] = {
		{ TH_FIN,  "F" },
		{ TH_SYN,  "S" },
		{ TH_RST,  "R" },
		{ TH_PUSH, "P" },
		{ TH_ACK,  "A" },
		{ TH_URG,  "U" },
		{ TH_ECE,  "E" },
		{ TH_CWR,  "W" }
	};
	size_t i;

	if (f)
		printf(" ");
	for (i = 0; i < sizeof(flagnames) / sizeof(flagnames[0]); i++) {
		if (f & flagnames[i].bit)
			printf("%s", flagnames[i].letter);
	}
}
990
/*
 * Advance head[i] up to (not including) cur, pointing every rule passed
 * over at cur as its skip step i.  Uses the caller's locals "head" and
 * "cur" (see pf_calc_skip_steps); with cur == NULL it runs to list end.
 */
#define PF_SET_SKIP_STEPS(i)					\
	do {							\
		while (head[i] != cur) {			\
			head[i]->skip[i].ptr = cur;		\
			head[i] = TAILQ_NEXT(head[i], entries);	\
		}						\
	} while (0)
998
/*
 * Compute the skip steps for a rule list.  For each criterion i, a rule's
 * skip[i] points at the next rule whose value for that criterion differs,
 * so rule evaluation can jump past runs of rules it cannot match.
 * head[i] trails cur as the first rule not yet given its skip[i]; when a
 * criterion changes between prev and cur every rule from head[i] up to
 * cur is pointed at cur (PF_SET_SKIP_STEPS).  After the walk all
 * remaining rules are pointed at the end of the list (NULL).
 */
void
pf_calc_skip_steps(struct pf_rulequeue *rules)
{
	struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
	int i;

	cur = TAILQ_FIRST(rules);
	prev = cur;
	for (i = 0; i < PF_SKIP_COUNT; ++i)
		head[i] = cur;

	for (; cur != NULL; prev = cur, cur = TAILQ_NEXT(cur, entries)) {
		int changed[PF_SKIP_COUNT] = { 0 };

		changed[PF_SKIP_IFP] = cur->kif != prev->kif ||
		    cur->ifnot != prev->ifnot;
		changed[PF_SKIP_DIR] = cur->direction != prev->direction;
		changed[PF_SKIP_AF] = cur->af != prev->af;
		changed[PF_SKIP_PROTO] = cur->proto != prev->proto;
		changed[PF_SKIP_SRC_ADDR] = cur->src.not != prev->src.not ||
		    pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr);
		changed[PF_SKIP_SRC_PORT] =
		    cur->src.port[0] != prev->src.port[0] ||
		    cur->src.port[1] != prev->src.port[1] ||
		    cur->src.port_op != prev->src.port_op;
		changed[PF_SKIP_DST_ADDR] = cur->dst.not != prev->dst.not ||
		    pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr);
		changed[PF_SKIP_DST_PORT] =
		    cur->dst.port[0] != prev->dst.port[0] ||
		    cur->dst.port[1] != prev->dst.port[1] ||
		    cur->dst.port_op != prev->dst.port_op;

		for (i = 0; i < PF_SKIP_COUNT; ++i) {
			if (changed[i])
				PF_SET_SKIP_STEPS(i);
		}
	}

	/* cur is NULL here: point every remaining skip step at list end. */
	for (i = 0; i < PF_SKIP_COUNT; ++i)
		PF_SET_SKIP_STEPS(i);
}
1040
/*
 * Compare two address wrappers for inequality.
 * Returns 1 when they differ in type, in address or mask (PF_ADDR_ADDRMASK),
 * or in the attached table (PF_ADDR_TABLE); 0 when equal.  PF_ADDR_NOROUTE
 * wrappers are always equal.  An unknown type is logged and reported as
 * different.
 */
int
pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
{
	int differ;

	if (aw1->type != aw2->type)
		return (1);

	switch (aw1->type) {
	case PF_ADDR_ADDRMASK:
		differ = (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) ||
		    (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0));
		break;
	case PF_ADDR_NOROUTE:
		differ = 0;
		break;
	case PF_ADDR_TABLE:
		differ = (aw1->p.tbl != aw2->p.tbl);
		break;
	default:
		printf("invalid address type: %d\n", aw1->type);
		differ = 1;
		break;
	}
	return (differ);
}
1062
/*
 * Incrementally update a 16-bit one's complement checksum after the 16-bit
 * word `old' has been replaced by `new'.  With udp set, a zero input
 * checksum means "no checksum" and is returned unchanged, and a zero result
 * is transmitted as 0xFFFF instead.
 */
u_int16_t
pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
{
	u_int32_t	sum;

	if (udp && cksum == 0)
		return (0x0000);
	/* Swap old for new in the sum; a negative result wraps on purpose. */
	sum = (u_int32_t)cksum + old - new;
	/* Fold the carry out of the low 16 bits once, then mask. */
	sum = (sum >> 16) + (sum & 0xffff);
	sum &= 0xffff;
	if (udp && sum == 0)
		return (0xFFFF);
	return ((u_int16_t)sum);
}
1077
/*
 * Replace address *a and port *p by an/pn and update the checksums that
 * cover them: *ic (IPv4 header checksum, AF_INET only) and *pc (transport
 * checksum, fixed with the udp flag u).  Families other than AF_INET and
 * AF_INET6 only get the address and port rewritten.
 */
void
pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
    struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
{
	struct pf_addr	ao;
	u_int16_t	po = *p;
	u_int16_t	sum;
	int		i, nwords;

	/* Keep the old address around for the checksum deltas. */
	PF_ACPY(&ao, a, af);
	PF_ACPY(a, an, af);
	*p = pn;

	switch (af) {
#ifdef INET
	case AF_INET:
		/* The IPv4 header checksum covers the two address words. */
		sum = *ic;
		for (i = 0; i < 2; i++)
			sum = pf_cksum_fixup(sum, ao.addr16[i], an->addr16[i], 0);
		*ic = sum;
		nwords = 2;
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		nwords = 8;
		break;
#endif /* INET6 */
	default:
		return;
	}

	/* Transport checksum: every address word, then the port. */
	sum = *pc;
	for (i = 0; i < nwords; i++)
		sum = pf_cksum_fixup(sum, ao.addr16[i], an->addr16[i], u);
	*pc = pf_cksum_fixup(sum, po, pn, u);
}
1121
1122
/* Changes a u_int32_t. Uses a void * so there are no align restrictions */
void
pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
{
	u_int32_t	ao;
	u_int16_t	sum;

	/* memcpy() both ways because `a' may be unaligned. */
	memcpy(&ao, a, sizeof(ao));
	memcpy(a, &an, sizeof(an));
	/* Fix the checksum one 16-bit half at a time, high half first. */
	sum = pf_cksum_fixup(*c, ao >> 16, an >> 16, u);
	*c = pf_cksum_fixup(sum, ao & 0xffff, an & 0xffff, u);
}
1134
1135 #ifdef INET6
/*
 * Replace the IPv6 address *a by *an and fix the checksum *c that covers it
 * (fixed with the udp flag u).
 */
void
pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
{
	struct pf_addr	ao;
	u_int16_t	sum;
	int		i;

	PF_ACPY(&ao, a, AF_INET6);
	PF_ACPY(a, an, AF_INET6);

	/* Eight 16-bit words per address, fixed in order. */
	sum = *c;
	for (i = 0; i < 8; i++)
		sum = pf_cksum_fixup(sum, ao.addr16[i], an->addr16[i], u);
	*c = sum;
}
1156 #endif /* INET6 */
1157
/*
 * Rewrite the address/port quoted inside an ICMP error and the matching
 * outer address, keeping every affected checksum consistent.
 *
 *   ia, ip   inner (quoted) address and port; ip may be NULL
 *   oa       outer address
 *   na, np   new address and port written into both
 *   pc       inner transport checksum, may be NULL when there is none
 *   h2c      inner IP header checksum (AF_INET only)
 *   ic       ICMP/ICMPv6 checksum
 *   hc       outer IP header checksum (AF_INET only)
 *   u        udp flag handed to pf_cksum_fixup()
 *   af       address family of ia, oa and na
 */
void
pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
    struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
    u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
{
	struct pf_addr	oia, ooa;

	/* Old inner/outer addresses, needed for the checksum deltas. */
	PF_ACPY(&oia, ia, af);
	PF_ACPY(&ooa, oa, af);

	/* Change inner protocol port, fix inner protocol checksum. */
	if (ip != NULL) {
		u_int16_t	oip = *ip;
		u_int32_t	opc;

		/* opc is only read below under the same pc != NULL guard. */
		if (pc != NULL)
			opc = *pc;
		*ip = np;
		if (pc != NULL)
			*pc = pf_cksum_fixup(*pc, oip, *ip, u);
		/*
		 * The ICMP checksum also covers the quoted port and, when
		 * present, the quoted transport checksum that just changed.
		 */
		*ic = pf_cksum_fixup(*ic, oip, *ip, 0);
		if (pc != NULL)
			*ic = pf_cksum_fixup(*ic, opc, *pc, 0);
	}
	/* Change inner ip address, fix inner ip and icmp checksums. */
	PF_ACPY(ia, na, af);
	switch (af) {
#ifdef INET
	case AF_INET: {
		u_int32_t	 oh2c = *h2c;

		*h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
		    oia.addr16[0], ia->addr16[0], 0),
		    oia.addr16[1], ia->addr16[1], 0);
		*ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
		    oia.addr16[0], ia->addr16[0], 0),
		    oia.addr16[1], ia->addr16[1], 0);
		/* The quoted IP header checksum changed as well. */
		*ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
		break;
	}
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		*ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
		    pf_cksum_fixup(pf_cksum_fixup(*ic,
		    oia.addr16[0], ia->addr16[0], u),
		    oia.addr16[1], ia->addr16[1], u),
		    oia.addr16[2], ia->addr16[2], u),
		    oia.addr16[3], ia->addr16[3], u),
		    oia.addr16[4], ia->addr16[4], u),
		    oia.addr16[5], ia->addr16[5], u),
		    oia.addr16[6], ia->addr16[6], u),
		    oia.addr16[7], ia->addr16[7], u);
		break;
#endif /* INET6 */
	}
	/* Change outer ip address, fix outer ip or icmpv6 checksum. */
	PF_ACPY(oa, na, af);
	switch (af) {
#ifdef INET
	case AF_INET:
		*hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
		    ooa.addr16[0], oa->addr16[0], 0),
		    ooa.addr16[1], oa->addr16[1], 0);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		/* No IPv6 header checksum; the outer address is in the ICMPv6 pseudo-header. */
		*ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
		    pf_cksum_fixup(pf_cksum_fixup(*ic,
		    ooa.addr16[0], oa->addr16[0], u),
		    ooa.addr16[1], oa->addr16[1], u),
		    ooa.addr16[2], oa->addr16[2], u),
		    ooa.addr16[3], oa->addr16[3], u),
		    ooa.addr16[4], oa->addr16[4], u),
		    ooa.addr16[5], oa->addr16[5], u),
		    ooa.addr16[6], oa->addr16[6], u),
		    ooa.addr16[7], oa->addr16[7], u);
		break;
#endif /* INET6 */
	}
}
1242
/*
 * Build a bare TCP segment (no payload, an MSS option when mss != 0) from
 * the given header fields and hand it to ip_output()/ip6_output().  r may be
 * NULL; it only supplies the ALTQ queue id.  With eh != NULL the segment is
 * sent straight out ifp with eh's Ethernet addresses swapped, so ifp must be
 * set or the packet is dropped.  All failures are silent.
 */
void
pf_send_tcp(const struct pf_rule *r, sa_family_t af,
    const struct pf_addr *saddr, const struct pf_addr *daddr,
    u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
    u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
    struct ether_header *eh, struct ifnet *ifp)
{
	struct mbuf	*m;
	int		 len, tlen;
#ifdef INET
	struct ip	*h;
#endif /* INET */
#ifdef INET6
	struct ip6_hdr	*h6;
#endif /* INET6 */
	struct tcphdr	*th;
	char		*opt;

	/* maximum segment size tcp option */
	tlen = sizeof(struct tcphdr);
	if (mss)
		tlen += 4;

	/*
	 * NOTE(review): len (and h/h6/th further down) is only set for
	 * AF_INET and AF_INET6; any other af would use it uninitialised.
	 * Callers presumably never pass another family -- confirm.
	 */
	switch (af) {
#ifdef INET
	case AF_INET:
		len = sizeof(struct ip) + tlen;
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		len = sizeof(struct ip6_hdr) + tlen;
		break;
#endif /* INET6 */
	}

	/* create outgoing mbuf */
	m = m_gethdr(M_DONTWAIT, MT_HEADER);
	if (m == NULL)
		return;
	/* Mark the mbuf as generated by pf (consumed elsewhere in this file). */
	if (tag) {
		struct m_tag	*mtag;

		mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
		if (mtag == NULL) {
			m_freem(m);
			return;
		}
		m_tag_prepend(m, mtag);
	}
#ifdef ALTQ
	/* Queue assignment is best effort: a failed tag does not drop the packet. */
	if (r != NULL && r->qid) {
		struct m_tag	*mtag;
		struct altq_tag	*atag;

		mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT);
		if (mtag != NULL) {
			atag = (struct altq_tag *)(mtag + 1);
			atag->qid = r->qid;
			/* add hints for ecn */
			atag->af = af;
			/*
			 * NOTE(review): taken before m_data is advanced by
			 * max_linkhdr below, so this does not point at the IP
			 * header built later (pf_send_icmp() takes it from a
			 * finished copy).  Confirm what the ECN consumer expects.
			 */
			atag->hdr = mtod(m, struct ip *);
			m_tag_prepend(m, mtag);
		}
	}
#endif /* ALTQ */
	/* Leave room in front for the link-layer header, then zero the headers. */
	m->m_data += max_linkhdr;
	m->m_pkthdr.len = m->m_len = len;
	m->m_pkthdr.rcvif = NULL;
	bzero(m->m_data, len);
	/*
	 * First pass over the IP header: only the fields that feed the TCP
	 * checksum, with ip_len/ip6_plen temporarily holding the TCP length.
	 */
	switch (af) {
#ifdef INET
	case AF_INET:
		h = mtod(m, struct ip *);

		/* IP header fields included in the TCP checksum */
		h->ip_p = IPPROTO_TCP;
		h->ip_len = htons(tlen);
		h->ip_src.s_addr = saddr->v4.s_addr;
		h->ip_dst.s_addr = daddr->v4.s_addr;

		th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		h6 = mtod(m, struct ip6_hdr *);

		/* IP header fields included in the TCP checksum */
		h6->ip6_nxt = IPPROTO_TCP;
		h6->ip6_plen = htons(tlen);
		memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
		memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));

		th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
		break;
#endif /* INET6 */
	}

	/* TCP header */
	th->th_sport = sport;
	th->th_dport = dport;
	th->th_seq = htonl(seq);
	th->th_ack = htonl(ack);
	th->th_off = tlen >> 2;		/* header length in 32-bit words */
	th->th_flags = flags;
	th->th_win = htons(win);

	/* MSS option: kind, length 4, value in network byte order. */
	if (mss) {
		opt = (char *)(th + 1);
		opt[0] = TCPOPT_MAXSEG;
		opt[1] = 4;
		HTONS(mss);
		bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
	}

	switch (af) {
#ifdef INET
	case AF_INET:
		/* TCP checksum */
		th->th_sum = in_cksum(m, len);

		/* Finish the IP header */
		h->ip_v = 4;
		h->ip_hl = sizeof(*h) >> 2;
		h->ip_tos = IPTOS_LOWDELAY;
		h->ip_len = htons(len);
		h->ip_off = htons(ip_mtudisc ? IP_DF : 0);
		h->ip_ttl = ttl ? ttl : ip_defttl;
		h->ip_sum = 0;
		if (eh == NULL) {
			ip_output(m, (void *)NULL, (void *)NULL, 0,
			    (void *)NULL, (void *)NULL);
		} else {
			/*
			 * Reply on the wire the packet came from: a fake
			 * route to ifp carrying the swapped Ethernet addresses.
			 * NOTE(review): ro and rt are only partially set up;
			 * ip_output() with IP_ROUTETOETHER presumably reads no
			 * other fields -- confirm.
			 */
			struct route		 ro;
			struct rtentry		 rt;
			struct ether_header	*e = (void *)ro.ro_dst.sa_data;

			if (ifp == NULL) {
				m_freem(m);
				return;
			}
			rt.rt_ifp = ifp;
			ro.ro_rt = &rt;
			ro.ro_dst.sa_len = sizeof(ro.ro_dst);
			ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT;
			bcopy(eh->ether_dhost, e->ether_shost, ETHER_ADDR_LEN);
			bcopy(eh->ether_shost, e->ether_dhost, ETHER_ADDR_LEN);
			e->ether_type = eh->ether_type;
			ip_output(m, (void *)NULL, &ro, IP_ROUTETOETHER,
			    (void *)NULL, (void *)NULL);
		}
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		/* TCP checksum */
		th->th_sum = in6_cksum(m, IPPROTO_TCP,
		    sizeof(struct ip6_hdr), tlen);

		h6->ip6_vfc |= IPV6_VERSION;
		h6->ip6_hlim = IPV6_DEFHLIM;

		/* No eh/ifp shortcut for IPv6: always go through ip6_output(). */
		ip6_output(m, NULL, NULL, 0, NULL, NULL);
		break;
#endif /* INET6 */
	}
}
1411
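/*
 * Send an ICMP/ICMPv6 error of the given type/code in response to packet m.
 * The error is generated from a copy of m, so m itself is left untouched;
 * the copy is tagged PACKET_TAG_PF_GENERATED and, under ALTQ, with the queue
 * id of rule r (which may be NULL, as for pf_send_tcp()).  Allocation
 * failures are silent.
 */
void
pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
    struct pf_rule *r)
{
	struct m_tag	*mtag;
	struct mbuf	*m0;

	/* Get the tag first: if that fails there is nothing to unwind. */
	mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
	if (mtag == NULL)
		return;
	m0 = m_copy(m, 0, M_COPYALL);
	if (m0 == NULL) {
		m_tag_free(mtag);
		return;
	}
	m_tag_prepend(m0, mtag);

#ifdef ALTQ
	/* r is optional (see pf_send_tcp()); never dereference a NULL rule. */
	if (r != NULL && r->qid) {
		struct altq_tag	*atag;

		mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT);
		if (mtag != NULL) {
			atag = (struct altq_tag *)(mtag + 1);
			atag->qid = r->qid;
			/* add hints for ecn */
			atag->af = af;
			atag->hdr = mtod(m0, struct ip *);
			m_tag_prepend(m0, mtag);
		}
		/* A failed queue tag is not fatal; the error is still sent. */
	}
#endif /* ALTQ */

	/* The error routines take over m0; it is not freed here on success. */
	switch (af) {
#ifdef INET
	case AF_INET:
		icmp_error(m0, type, code, 0, (void *)NULL);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		icmp6_error(m0, type, code, 0);
		break;
#endif /* INET6 */
	default:
		/* Unknown family: nobody consumes the copy, so do not leak it. */
		m_freem(m0);
		break;
	}
}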
1458
/*
 * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
 * If n is 0, they match if they are equal. If n is != 0, they match if they
 * are different.
 */
int
pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
    struct pf_addr *b, sa_family_t af)
{
	int	equal = 0;
	int	i, nwords = 0;

	/* Number of 32-bit words to compare for this family. */
	switch (af) {
#ifdef INET
	case AF_INET:
		nwords = 1;
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		nwords = 4;
		break;
#endif /* INET6 */
	}

	/* An unknown family compares nothing and therefore never is equal. */
	if (nwords > 0) {
		equal = 1;
		for (i = 0; i < nwords; i++) {
			if ((a->addr32[i] & m->addr32[i]) !=
			    (b->addr32[i] & m->addr32[i])) {
				equal = 0;
				break;
			}
		}
	}

	/* n inverts the sense of the comparison. */
	return (n ? !equal : equal);
}
1504
/*
 * Evaluate the rule operator op on value p.  The range operators use both
 * bounds a1/a2 (inclusive range, exclusive range, and "outside"); all other
 * operators compare p against a1 only.  Returns non-zero on a match; an
 * unknown operator never matches.
 */
int
pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
{
	if (op == PF_OP_IRG)
		return (p > a1 && p < a2);
	if (op == PF_OP_XRG)
		return (p < a1 || p > a2);
	if (op == PF_OP_RRG)
		return (p >= a1 && p <= a2);
	if (op == PF_OP_EQ)
		return (p == a1);
	if (op == PF_OP_NE)
		return (p != a1);
	if (op == PF_OP_LT)
		return (p < a1);
	if (op == PF_OP_LE)
		return (p <= a1);
	if (op == PF_OP_GT)
		return (p > a1);
	if (op == PF_OP_GE)
		return (p >= a1);
	return (0); /* never reached */
}
1530
/*
 * Port variant of pf_match(): a1, a2 and p arrive in network byte order and
 * are compared in host order.
 */
int
pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
{
	return (pf_match(op, ntohs(a1), ntohs(a2), ntohs(p)));
}
1539
/*
 * User-id variant of pf_match().  UID_MAX is what pf_socket_lookup() leaves
 * behind when no socket was found; such an unknown uid only satisfies the
 * equality operators, never a range or ordering test.
 */
int
pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
{
	int	is_equality = (op == PF_OP_EQ || op == PF_OP_NE);

	if (u == UID_MAX && !is_equality)
		return (0);
	return (pf_match(op, a1, a2, u));
}
1547
/*
 * Group-id variant of pf_match().  GID_MAX is what pf_socket_lookup() leaves
 * behind when no socket was found; such an unknown gid only satisfies the
 * equality operators, never a range or ordering test.
 */
int
pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
{
	int	is_equality = (op == PF_OP_EQ || op == PF_OP_NE);

	if (g == GID_MAX && !is_equality)
		return (0);
	return (pf_match(op, a1, a2, g));
}
1555
/*
 * Return the pf tag attached to mbuf m, or NULL if it carries none.  The
 * pf_tag payload sits directly behind the m_tag header.
 */
struct pf_tag *
pf_get_tag(struct mbuf *m)
{
	struct m_tag	*mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL);

	return (mtag == NULL ? NULL : (struct pf_tag *)(mtag + 1));
}
1566
/*
 * Test rule r's "tagged" criterion against the packet's tag.  *tag == -1
 * means the tag has not been resolved yet: it is then taken from the mbuf
 * (0 if untagged), overridden by the tag of a matching nat rule, and cached
 * in *tag/*pftag for the remaining rules.  Returns non-zero on a match.
 */
int
pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat_rule,
    struct pf_tag **pftag, int *tag)
{
	int	same;

	if (*tag == -1) { /* find mbuf tag */
		*pftag = pf_get_tag(m);
		*tag = (*pftag != NULL) ? (*pftag)->tag : 0;
		if (nat_rule != NULL && nat_rule->tag)
			*tag = nat_rule->tag;
	}

	same = (r->match_tag == *tag);
	return (r->match_tag_not ? !same : same);
}
1584
/*
 * Attach tag to mbuf m.  An existing pf_tag (pftag != NULL) is updated in
 * place; otherwise a new one is allocated and prepended.  Returns 0 on
 * success or when tag is not positive (nothing to do), 1 if the allocation
 * failed.
 */
int
pf_tag_packet(struct mbuf *m, struct pf_tag *pftag, int tag)
{
	struct m_tag	*mtag;
	struct pf_tag	*pt;

	if (tag <= 0)
		return (0);

	if (pftag != NULL) {
		pftag->tag = tag;
		return (0);
	}

	mtag = m_tag_get(PACKET_TAG_PF_TAG, sizeof(*pftag), M_NOWAIT);
	if (mtag == NULL)
		return (1);
	pt = (struct pf_tag *)(mtag + 1);
	pt->tag = tag;
	m_tag_prepend(m, mtag);
	return (0);
}
1604
/*
 * Descend into the anchor attached to rule r: remember r in a, start at the
 * anchor's first ruleset s and point r at the first rule of type n in it,
 * skipping rulesets that have none.  If the whole anchor is empty, continue
 * with the rule following the anchor rule and clear a again.  r must be an
 * anchor rule and a/s must be unset, otherwise the kernel panics.
 */
#define PF_STEP_INTO_ANCHOR(r, a, s, n) \
	do { \
		if ((r) == NULL || (r)->anchor == NULL || \
		    (s) != NULL || (a) != NULL) \
			panic("PF_STEP_INTO_ANCHOR"); \
		(a) = (r); \
		(s) = TAILQ_FIRST(&(r)->anchor->rulesets); \
		(r) = NULL; \
		while ((s) != NULL && ((r) = \
		    TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \
			(s) = TAILQ_NEXT((s), entries); \
		if ((r) == NULL) { \
			(r) = TAILQ_NEXT((a), entries); \
			(a) = NULL; \
		} \
	} while (0)
1621
/*
 * Leave the exhausted anchor ruleset s: move on to the next ruleset of
 * anchor a that has rules of type n, or, when there is none left, to the
 * rule following the anchor rule and clear a.  r must be NULL (the ruleset
 * was walked to its end) and a/s must be set, otherwise the kernel panics.
 */
#define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \
	do { \
		if ((r) != NULL || (a) == NULL || (s) == NULL) \
			panic("PF_STEP_OUT_OF_ANCHOR"); \
		(s) = TAILQ_NEXT((s), entries); \
		while ((s) != NULL && ((r) = \
		    TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \
			(s) = TAILQ_NEXT((s), entries); \
		if ((r) == NULL) { \
			(r) = TAILQ_NEXT((a), entries); \
			(a) = NULL; \
		} \
	} while (0)
1635
1636 #ifdef INET6
/*
 * Combine a pool address with a source address under a mask: bits set in
 * rmask are taken from raddr, the remaining bits from saddr.  One word is
 * written for AF_INET, four for AF_INET6; other families leave naddr alone.
 */
void
pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
    struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
{
	int	i, nwords;

	switch (af) {
#ifdef INET
	case AF_INET:
		nwords = 1;
		break;
#endif /* INET */
	case AF_INET6:
		nwords = 4;
		break;
	default:
		return;
	}

	for (i = 0; i < nwords; i++)
		naddr->addr32[i] = (raddr->addr32[i] & rmask->addr32[i]) |
		    (~rmask->addr32[i] & saddr->addr32[i]);
}
1660
/*
 * Increment an address by one, treating it as a big-endian integer: 32 bits
 * for AF_INET, 128 bits for AF_INET6.  Wrapping is silent.
 */
void
pf_addr_inc(struct pf_addr *addr, sa_family_t af)
{
	int	i;

	switch (af) {
#ifdef INET
	case AF_INET:
		addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
		break;
#endif /* INET */
	case AF_INET6:
		/*
		 * Least significant word first: an all-ones word rolls over
		 * to zero and carries into the next one; the first word that
		 * is not all ones is bumped and the carry stops.
		 */
		for (i = 3; i >= 0; i--) {
			if (addr->addr32[i] == 0xffffffff) {
				addr->addr32[i] = 0;
				continue;
			}
			addr->addr32[i] = htonl(ntohl(addr->addr32[i]) + 1);
			break;
		}
		break;
	}
}
1691 #endif /* INET6 */
1692
/*
 * Three-word mixing step used by pf_hash().  The arguments are neither
 * parenthesised nor evaluated only once, so a, b and c must be plain
 * u_int32_t lvalues (as they are at every call site in this file).
 */
#define mix(a,b,c) \
	do { \
		a -= b; a -= c; a ^= (c >> 13); \
		b -= c; b -= a; b ^= (a << 8); \
		c -= a; c -= b; c ^= (b >> 13); \
		a -= b; a -= c; a ^= (c >> 12); \
		b -= c; b -= a; b ^= (a << 16); \
		c -= a; c -= b; c ^= (b >> 5); \
		a -= b; a -= c; a ^= (c >> 3); \
		b -= c; b -= a; b ^= (a << 10); \
		c -= a; c -= b; c ^= (b >> 15); \
	} while (0)
1705
/*
 * hash function based on bridge_hash in if_bridge.c
 */
/*
 * Hash inaddr under the pool key into hash (one word for AF_INET, four for
 * AF_INET6).  Used to derive a deterministic, per-key pool address from a
 * source address; other families leave hash untouched.
 */
void
pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
    struct pf_poolhashkey *key, sa_family_t af)
{
	u_int32_t	a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
#ifdef INET6
	/* Per round: which input word feeds a and which feeds b. */
	static const int	ia[4] = { 0, 1, 2, 3 };
	static const int	ib[4] = { 2, 3, 1, 0 };
	int			i;
#endif /* INET6 */

	switch (af) {
#ifdef INET
	case AF_INET:
		a += inaddr->addr32[0];
		b += key->key32[1];
		mix(a, b, c);
		hash->addr32[0] = c + key->key32[2];
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		/* Four rounds; from the second on, key word i is folded into c. */
		for (i = 0; i < 4; i++) {
			a += inaddr->addr32[ia[i]];
			b += inaddr->addr32[ib[i]];
			if (i > 0)
				c += key->key32[i];
			mix(a, b, c);
			hash->addr32[i] = c;
		}
		break;
#endif /* INET6 */
	}
}
1749
/*
 * Pick the translation address naddr for a packet from saddr according to
 * rule r's address pool.  init_addr (may be NULL) records the first address
 * handed out in a random/round-robin walk so that pf_get_sport() can detect
 * a full cycle; *sn is the source-tracking node, looked up here when it is
 * NULL on entry and the pool uses sticky addresses.  Returns 0 on success,
 * 1 when no address can be mapped (a "no route" pool, a table in a pool mode
 * other than round-robin, or a table without addresses of family af).
 */
int
pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
    struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
{
	/*
	 * NOTE(review): hash is a char array but is passed to pf_hash() and
	 * PF_POOLMASK as a struct pf_addr, which is accessed as 32-bit
	 * words; its alignment is not guaranteed -- confirm this is safe
	 * on every supported platform.
	 */
	unsigned char		 hash[16];
	struct pf_pool		*rpool = &r->rpool;
	struct pf_addr		*raddr = &rpool->cur->addr.v.a.addr;
	struct pf_addr		*rmask = &rpool->cur->addr.v.a.mask;
	struct pf_pooladdr	*acur = rpool->cur;
	struct pf_src_node	 k;

	/* Sticky address: reuse the address previously mapped for this source. */
	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		k.af = af;
		PF_ACPY(&k.addr, saddr, af);
		if (r->rule_flag & PFRULE_RULESRCTRACK ||
		    r->rpool.opts & PF_POOL_STICKYADDR)
			k.rule.ptr = r;
		else
			k.rule.ptr = NULL;
		pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
		*sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
		/* A node with a recorded address short-circuits the pool logic. */
		if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
			PF_ACPY(naddr, &(*sn)->raddr, af);
			if (pf_status.debug >= PF_DEBUG_MISC) {
				printf("pf_map_addr: src tracking maps ");
				pf_print_host(&k.addr, 0, af);
				printf(" to ");
				pf_print_host(naddr, 0, af);
				printf("\n");
			}
			return (0);
		}
	}

	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
		return (1);
	/* Tables are only usable in round-robin mode. */
	if (rpool->cur->addr.type == PF_ADDR_TABLE) {
		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
			return (1); /* unsupported */
	} else {
		raddr = &rpool->cur->addr.v.a.addr;
		rmask = &rpool->cur->addr.v.a.mask;
	}

	switch (rpool->opts & PF_POOL_TYPEMASK) {
	case PF_POOL_NONE:
		PF_ACPY(naddr, raddr, af);
		break;
	case PF_POOL_BITMASK:
		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
		break;
	case PF_POOL_RANDOM:
		/*
		 * First pick of a search (init_addr still zero): draw a
		 * fresh random counter.  For IPv6 only the words that are
		 * not fully masked are randomised, starting at the least
		 * significant one and stopping at the first fully masked
		 * word (the `else break' chain).
		 */
		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
			switch (af) {
#ifdef INET
			case AF_INET:
				rpool->counter.addr32[0] = arc4random();
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				if (rmask->addr32[3] != 0xffffffff)
					rpool->counter.addr32[3] =
					    arc4random();
				else
					break;
				if (rmask->addr32[2] != 0xffffffff)
					rpool->counter.addr32[2] =
					    arc4random();
				else
					break;
				if (rmask->addr32[1] != 0xffffffff)
					rpool->counter.addr32[1] =
					    arc4random();
				else
					break;
				if (rmask->addr32[0] != 0xffffffff)
					rpool->counter.addr32[0] =
					    arc4random();
				break;
#endif /* INET6 */
			}
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
			PF_ACPY(init_addr, naddr, af);

		} else {
			/* Subsequent picks step the counter through the block. */
			PF_AINC(&rpool->counter, af);
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
		}
		break;
	case PF_POOL_SRCHASH:
		/* Deterministic per source address under the pool key. */
		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
		break;
	case PF_POOL_ROUNDROBIN:
		/* Current pool entry still has an address left: use it. */
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			if (!pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter,
			    &raddr, &rmask, af))
				goto get_addr;
		} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
			goto get_addr;

	try_next:
		/* Otherwise advance to the next pool entry, wrapping around. */
		if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
			rpool->cur = TAILQ_FIRST(&rpool->list);
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter,
			    &raddr, &rmask, af)) {
				/* table contains no address of type 'af' */
				/* acur is where we started: a full lap means nothing usable. */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else {
			raddr = &rpool->cur->addr.v.a.addr;
			rmask = &rpool->cur->addr.v.a.mask;
			PF_ACPY(&rpool->counter, raddr, af);
		}

	get_addr:
		PF_ACPY(naddr, &rpool->counter, af);
		if (init_addr != NULL && PF_AZERO(init_addr, af))
			PF_ACPY(init_addr, naddr, af);
		PF_AINC(&rpool->counter, af);
		break;
	}
	/* Remember the choice on the source node so later packets stick to it. */
	if (*sn != NULL)
		PF_ACPY(&(*sn)->raddr, naddr, af);

	if (pf_status.debug >= PF_DEBUG_MISC &&
	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		printf("pf_map_addr: selected address ");
		pf_print_host(naddr, 0, af);
		printf("\n");
	}

	return (0);
}
1892
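/*
 * Allocate a translated source address/port for an outgoing NAT mapping.
 * naddr is chosen by pf_map_addr(); *nport is then searched for a port that
 * does not collide with an existing state (pf_find_state_all()) for the
 * same naddr/daddr/dport:
 *   - non-TCP/UDP protocols reuse dport as the "port";
 *   - low == high == 0 keeps the port already in *nport;
 *   - low == high forces that single port;
 *   - otherwise a random start in [low, high] is probed upwards, then
 *     downwards from the start.
 * When the whole range is in use, random and round-robin pools move on to
 * the next pool address and retry until the pool cycles back to the first
 * address tried (init_addr); other pool types give up immediately.
 * Returns 0 on success (naddr/*nport set), 1 when nothing is available.
 */
int
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
    struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
    struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
    struct pf_src_node **sn)
{
	struct pf_state		key;
	struct pf_addr		init_addr;
	u_int16_t		cut;

	bzero(&init_addr, sizeof(init_addr));
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
		return (1);

	do {
		key.af = af;
		key.proto = proto;
		PF_ACPY(&key.ext.addr, daddr, key.af);
		PF_ACPY(&key.gwy.addr, naddr, key.af);
		key.ext.port = dport;

		/*
		 * port search; start random, step;
		 * similar 2 portloop in in_pcbbind
		 */
		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
			key.gwy.port = dport;
			if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
				return (0);
		} else if (low == 0 && high == 0) {
			key.gwy.port = *nport;
			if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
				return (0);
		} else if (low == high) {
			key.gwy.port = htons(low);
			if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) {
				*nport = htons(low);
				return (0);
			}
		} else {
			/*
			 * 32-bit loop counter: a u_int16_t would wrap at
			 * 0xffff (upwards) or at 0 (downwards, e.g. when
			 * low == 0 or cut == 0) and never leave the range.
			 */
			u_int32_t	tmp;

			if (low > high) {
				u_int16_t	swap = low;

				low = high;
				high = swap;
			}
			/* low < high */
			/*
			 * The bound of arc4random_uniform() is the range
			 * size only; the offset is added afterwards so the
			 * result cannot fall below low.
			 */
			cut = arc4random_uniform(1 + high - low) + low;
			/* low <= cut <= high */
			for (tmp = cut; tmp <= high; ++(tmp)) {
				key.gwy.port = htons(tmp);
				if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
			for (tmp = (u_int32_t)cut - 1;
			    tmp >= low && tmp <= 0xffff; --(tmp)) {
				key.gwy.port = htons(tmp);
				if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
		}

		/* Range exhausted on this address: try the next pool address. */
		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
		case PF_POOL_RANDOM:
		case PF_POOL_ROUNDROBIN:
			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
				return (1);
			break;
		case PF_POOL_NONE:
		case PF_POOL_SRCHASH:
		case PF_POOL_BITMASK:
		default:
			return (1);
		}
	} while (! PF_AEQ(&init_addr, naddr, af) );

	return (1); /* none available */
}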
1977
/*
 * Walk the active translation ruleset rs_num (nat, rdr or binat; anchors
 * included) and return the first rule matching the packet described by
 * pd/saddr/sport/daddr/dport on interface kif, or NULL.  A matching
 * "no nat"/"no rdr"/"no binat" rule also yields NULL.  The skip[] pointers
 * computed by pf_calc_skip_steps() let the walk jump over every rule that
 * shares the criterion that just failed.
 */
struct pf_rule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
    int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
    struct pf_addr *daddr, u_int16_t dport, int rs_num)
{
	struct pf_rule		*r, *rm = NULL, *anchorrule = NULL;
	struct pf_ruleset	*ruleset = NULL;

	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
	while (r && rm == NULL) {
		struct pf_rule_addr	*src = NULL, *dst = NULL;
		struct pf_addr_wrap	*xdst = NULL;

		/*
		 * Inbound binat is matched from the translated side: the
		 * rule's dst spec is compared with the packet's source and
		 * the pool address (xdst) with the packet's destination.
		 */
		if (r->action == PF_BINAT && direction == PF_IN) {
			src = &r->dst;
			if (r->rpool.cur != NULL)
				xdst = &r->rpool.cur->addr;
		} else {
			src = &r->src;
			dst = &r->dst;
		}

		r->evaluations++;
		/* A rule's kif also matches packets on its child interfaces. */
		if (r->kif != NULL &&
		    (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != pd->af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != pd->proto)
			r = r->skip[PF_SKIP_PROTO].ptr;
		/* When src aliases r->dst (inbound binat) use the dst skip chain. */
		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
			    PF_SKIP_DST_ADDR].ptr;
		else if (src->port_op && !pf_match_port(src->port_op,
		    src->port[0], src->port[1], sport))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
			    PF_SKIP_DST_PORT].ptr;
		else if (dst != NULL &&
		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		/* No skip chain exists for the pool address; step one rule. */
		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0))
			r = TAILQ_NEXT(r, entries);
		else if (dst != NULL && dst->port_op &&
		    !pf_match_port(dst->port_op, dst->port[0],
		    dst->port[1], dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		/* OS fingerprinting only applies to TCP. */
		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
		    off, pd->hdr.tcp), r->os_fingerprint)))
			r = TAILQ_NEXT(r, entries);
		else if (r->anchor == NULL)
				rm = r;
		else
			PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num);
		/* Reached the end of an anchor ruleset: resume in the parent. */
		if (r == NULL && anchorrule != NULL)
			PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
			    rs_num);
	}
	if (rm != NULL && (rm->action == PF_NONAT ||
	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
		return (NULL);
	return (rm);
}
2043
/*
 * Find the translation rule for a packet and compute the translated
 * address/port into naddr/*nport.  Outbound packets consult binat and then
 * nat; inbound packets rdr and then binat.  Returns the rule, or NULL when
 * no translation applies: no matching rule, a "no nat"/"no rdr"/"no binat"
 * rule, or a failed address/port allocation.
 */
struct pf_rule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
    struct pfi_kif *kif, struct pf_src_node **sn,
    struct pf_addr *saddr, u_int16_t sport,
    struct pf_addr *daddr, u_int16_t dport,
    struct pf_addr *naddr, u_int16_t *nport)
{
	struct pf_rule	*r = NULL;

	if (direction == PF_OUT) {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_BINAT);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_NAT);
	} else {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_RDR);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_BINAT);
	}

	if (r != NULL) {
		switch (r->action) {
		case PF_NONAT:
		case PF_NOBINAT:
		case PF_NORDR:
			return (NULL);
		case PF_NAT:
			/* Address and source port come from the rule's pool/proxy range. */
			if (pf_get_sport(pd->af, pd->proto, r, saddr,
			    daddr, dport, naddr, nport, r->rpool.proxy_port[0],
			    r->rpool.proxy_port[1], sn)) {
				DPFPRINTF(PF_DEBUG_MISC,
				    ("pf: NAT proxy port allocation "
				    "(%u-%u) failed\n",
				    r->rpool.proxy_port[0],
				    r->rpool.proxy_port[1]));
				return (NULL);
			}
			break;
		case PF_BINAT:
			/*
			 * Bidirectional 1:1 mapping: outbound rewrites the
			 * source into the pool block, inbound rewrites the
			 * destination back into the rule's src block.
			 */
			switch (direction) {
			case PF_OUT:
				PF_POOLMASK(naddr,
				    &r->rpool.cur->addr.v.a.addr,
				    &r->rpool.cur->addr.v.a.mask,
				    saddr, pd->af);
				break;
			case PF_IN:
				PF_POOLMASK(naddr,
				    &r->src.addr.v.a.addr,
				    &r->src.addr.v.a.mask, daddr,
				    pd->af);
				break;
			}
			break;
		case PF_RDR: {
			if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
				return (NULL);

			/*
			 * Port range redirect: map dport's offset within the
			 * rule's dst port range onto the proxy port range.
			 * NOTE(review): ntohs(dport) - ntohs(r->dst.port[0])
			 * is signed; if the matcher can admit a dport below
			 * dst.port[0] the result goes negative, the conversion
			 * to u_int32_t makes it huge and the wrap-around check
			 * below does not bring it back into range -- confirm
			 * that dport >= dst.port[0] is guaranteed here.
			 */
			if (r->rpool.proxy_port[1]) {
				u_int32_t	tmp_nport;

				tmp_nport = ((ntohs(dport) -
				    ntohs(r->dst.port[0])) %
				    (r->rpool.proxy_port[1] -
				    r->rpool.proxy_port[0] + 1)) +
				    r->rpool.proxy_port[0];

				/* wrap around if necessary */
				if (tmp_nport > 65535)
					tmp_nport -= 65535;
				*nport = htons((u_int16_t)tmp_nport);
			} else if (r->rpool.proxy_port[0])
				*nport = htons(r->rpool.proxy_port[0]);
			break;
		}
		default:
			return (NULL);
		}
	}

	return (r);
}
2129
/*
 * pf_socket_lookup: find the local socket a TCP or UDP packet belongs to
 * and report its owner.
 *
 * *uid and *gid are first set to UID_MAX/GID_MAX and only overwritten
 * when a PCB is found.  The PCB hash is searched for a fully connected
 * socket first, then for a listening socket on the local port.  Returns
 * 1 when a socket was found, 0 for other protocols, unknown address
 * families, or when no PCB matches.
 */
int
pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd)
{
	struct inpcbtable *tb;
	struct inpcb *inp = NULL;
	struct pf_addr *faddr, *laddr;
	u_int16_t fport, lport, hsport, hdport;

	*uid = UID_MAX;
	*gid = GID_MAX;

	/* Only TCP and UDP have PCB tables to consult. */
	if (pd->proto == IPPROTO_TCP) {
		hsport = pd->hdr.tcp->th_sport;
		hdport = pd->hdr.tcp->th_dport;
		tb = &tcbtable;
	} else if (pd->proto == IPPROTO_UDP) {
		hsport = pd->hdr.udp->uh_sport;
		hdport = pd->hdr.udp->uh_dport;
		tb = &udbtable;
	} else
		return (0);

	/*
	 * Inbound, the packet source is the foreign end of the socket;
	 * outbound, the packet destination is.
	 */
	if (direction == PF_IN) {
		faddr = pd->src;
		fport = hsport;
		laddr = pd->dst;
		lport = hdport;
	} else {
		faddr = pd->dst;
		fport = hdport;
		laddr = pd->src;
		lport = hsport;
	}

	switch (pd->af) {
#ifdef INET
	case AF_INET:
		inp = in_pcbhashlookup(tb, faddr->v4, fport, laddr->v4, lport);
		if (inp == NULL)
			inp = in_pcblookup_listen(tb, laddr->v4, lport, 0);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		inp = in6_pcbhashlookup(tb, &faddr->v6, fport, &laddr->v6,
		    lport);
		if (inp == NULL)
			inp = in6_pcblookup_listen(tb, &laddr->v6, lport, 0);
		break;
#endif /* INET6 */
	default:
		return (0);
	}
	if (inp == NULL)
		return (0);

	*uid = inp->inp_socket->so_euid;
	*gid = inp->inp_socket->so_egid;
	return (1);
}
2196
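/*
 * pf_get_wscale: extract the TCP window scale option from a segment.
 *
 * Returns 0 when the header carries no options, when the options cannot
 * be pulled up, or when no window scale option is present.  Otherwise
 * returns the shift count clamped to TCP_MAX_WINSHIFT with PF_WSCALE_FLAG
 * set, so callers can tell "option present with shift 0" from "absent".
 *
 * th_off is the 4-bit header length field (in 32-bit words), so hlen is
 * at most 60 for every caller; the size of hdr[] relies on that, and the
 * explicit bound check below keeps the pull-up from ever overrunning the
 * stack buffer should a caller pass a wider value.
 */
u_int8_t
pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
{
	int hlen;
	u_int8_t hdr[60];	/* largest possible TCP header */
	u_int8_t *opt, optlen;
	u_int8_t wscale = 0;

	hlen = th_off << 2;
	if (hlen <= sizeof(struct tcphdr))
		return (0);	/* no room for options */
	if (hlen > sizeof(hdr))
		return (0);	/* cannot happen with a 4-bit th_off; defensive */
	if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
		return (0);
	opt = hdr + sizeof(struct tcphdr);
	hlen -= sizeof(struct tcphdr);
	/* need kind, length and the one-byte shift count */
	while (hlen >= 3) {
		switch (*opt) {
		case TCPOPT_EOL:
		case TCPOPT_NOP:
			/* one-byte options; EOL is stepped over like NOP */
			++opt;
			--hlen;
			break;
		case TCPOPT_WINDOW:
			wscale = opt[2];
			if (wscale > TCP_MAX_WINSHIFT)
				wscale = TCP_MAX_WINSHIFT;
			wscale |= PF_WSCALE_FLAG;
			/* FALLTHROUGH */
		default:
			/* a bogus length < 2 would never advance; force progress */
			optlen = opt[1];
			if (optlen < 2)
				optlen = 2;
			hlen -= optlen;
			opt += optlen;
			break;
		}
	}
	return (wscale);
}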
2236
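/*
 * pf_get_mss: extract the TCP maximum segment size option from a segment.
 *
 * Returns 0 when the header carries no options or the options cannot be
 * pulled up, tcp_mssdflt when no MSS option is present, and otherwise the
 * advertised MSS in host byte order.  The option bytes are in network
 * byte order on the wire; the value is converted before it is returned
 * so that callers (pf_calc_mss() compares it numerically against
 * tcp_mssdflt and an MTU-derived value) see the real number rather than
 * a byte-swapped one on little-endian machines.
 *
 * Like pf_get_wscale(), hdr[] is sized for the 4-bit th_off field and
 * the bound check keeps the pull-up inside the buffer regardless of the
 * caller.
 */
u_int16_t
pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
{
	int hlen;
	u_int8_t hdr[60];	/* largest possible TCP header */
	u_int8_t *opt, optlen;
	u_int16_t mss = tcp_mssdflt;

	hlen = th_off << 2;
	if (hlen <= sizeof(struct tcphdr))
		return (0);	/* no room for options */
	if (hlen > sizeof(hdr))
		return (0);	/* cannot happen with a 4-bit th_off; defensive */
	if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
		return (0);
	opt = hdr + sizeof(struct tcphdr);
	hlen -= sizeof(struct tcphdr);
	/* need kind, length and the two value bytes */
	while (hlen >= TCPOLEN_MAXSEG) {
		switch (*opt) {
		case TCPOPT_EOL:
		case TCPOPT_NOP:
			/* one-byte options; EOL is stepped over like NOP */
			++opt;
			--hlen;
			break;
		case TCPOPT_MAXSEG:
			/* value is big-endian on the wire; convert to host order */
			bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
			mss = ntohs(mss);
			/* FALLTHROUGH */
		default:
			/* a bogus length < 2 would never advance; force progress */
			optlen = opt[1];
			if (optlen < 2)
				optlen = 2;
			hlen -= optlen;
			opt += optlen;
			break;
		}
	}
	return (mss);
}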
2273
/*
 * pf_calc_mss: compute the MSS to advertise towards addr, given the MSS
 * the peer offered.
 *
 * The route to addr is looked up and, when it has an interface, the MSS
 * is derived from that interface's MTU minus the IP and TCP header sizes
 * (never below tcp_mssdflt).  The result is capped at offer and floored
 * at 64.  offer is compared numerically with the MTU-derived value, so it
 * must be in host byte order; the return value is in host byte order too.
 */
u_int16_t
pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
{
#ifdef INET
	struct sockaddr_in *dst;
	struct route ro;
#endif /* INET */
#ifdef INET6
	struct sockaddr_in6 *dst6;
	struct route_in6 ro6;
#endif /* INET6 */
	struct rtentry *rt = NULL;
	int hlen;	/* IP header size; only read once a case below set it */
	u_int16_t mss = tcp_mssdflt;

	switch (af) {
#ifdef INET
	case AF_INET:
		hlen = sizeof(struct ip);
		bzero(&ro, sizeof(ro));
		dst = (struct sockaddr_in *)&ro.ro_dst;
		dst->sin_family = AF_INET;
		dst->sin_len = sizeof(*dst);
		dst->sin_addr = addr->v4;
		rtalloc_noclone(&ro, NO_CLONING);
		rt = ro.ro_rt;
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		hlen = sizeof(struct ip6_hdr);
		bzero(&ro6, sizeof(ro6));
		dst6 = (struct sockaddr_in6 *)&ro6.ro_dst;
		dst6->sin6_family = AF_INET6;
		dst6->sin6_len = sizeof(*dst6);
		dst6->sin6_addr = addr->v6;
		rtalloc_noclone((struct route *)&ro6, NO_CLONING);
		rt = ro6.ro_rt;
		break;
#endif /* INET6 */
	}

	/*
	 * NOTE(review): the route is only released when rt_ifp is set; if
	 * rtalloc_noclone() can return a route without an interface, that
	 * reference would be kept here -- confirm against the routing code.
	 */
	if (rt && rt->rt_ifp) {
		mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr);
		mss = max(tcp_mssdflt, mss);
		RTFREE(rt);
	}
	mss = min(mss, offer);
	mss = max(mss, 64); /* sanity - at least max opt space */
	return (mss);
}
2325
/*
 * pf_set_rt_ifp: resolve the route-to interface for a freshly created
 * state.
 *
 * s->rt_kif is cleared first.  When the state's rule has r->rt set to
 * anything but PF_FASTROUTE, saddr is mapped through the rule's address
 * pool into s->rt_addr (possibly updating s->nat_src_node) and the pool's
 * current interface is recorded in s->rt_kif.  Address families other
 * than INET/INET6 leave rt_kif NULL.
 */
void
pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
{
	struct pf_rule *r = s->rule.ptr;

	s->rt_kif = NULL;
	/* Nothing to resolve unless the rule routes and is not fastroute. */
	if (!r->rt || r->rt == PF_FASTROUTE)
		return;

	switch (s->af) {
#ifdef INET
	case AF_INET:
#endif /* INET */
#ifdef INET6
	case AF_INET6:
#endif /* INET6 */
		/* Both families take the same path; s->af is one of the two here. */
		pf_map_addr(s->af, r, saddr, &s->rt_addr, NULL,
		    &s->nat_src_node);
		s->rt_kif = r->rpool.cur->kif;
		break;
	default:
		break;
	}
}
2351
/*
 * pf_test_tcp: run a TCP segment through translation and the filter
 * ruleset, and create state for it when the matching rule asks for it.
 *
 * On return *rm, *am and *rsm hold the last matching rule, its anchor
 * and ruleset; *sm the new state when one was created.  Returns PF_PASS,
 * PF_DROP, or PF_SYNPROXY_DROP when the SYN was answered locally by the
 * synproxy and must not be forwarded.
 *
 * Order of work: congestion check, BINAT/NAT (out) or BINAT/RDR (in)
 * translation of the header in place, rule evaluation, logging, the
 * optional RST/ICMP reply for blocking rules, packet tagging, state
 * creation, and finally writing the rewritten TCP header back into the
 * mbuf.
 */
int
pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
    struct pfi_kif *kif, struct mbuf *m, int off, void *h,
    struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
    struct ifqueue *ifq)
{
	struct pf_rule *nr = NULL;	/* matching translation rule, if any */
	struct pf_addr *saddr = pd->src, *daddr = pd->dst;
	struct tcphdr *th = pd->hdr.tcp;
	u_int16_t bport, nport = 0;	/* port before / after translation */
	sa_family_t af = pd->af;
	int lookup = -1;		/* -1: owning socket not looked up yet */
	uid_t uid;
	gid_t gid;
	struct pf_rule *r, *a = NULL;
	struct pf_ruleset *ruleset = NULL;
	struct pf_src_node *nsn = NULL;	/* source node of the translation rule */
	u_short reason;
	int rewrite = 0;		/* header was modified; copy back before returning */
	struct pf_tag *pftag = NULL;
	int tag = -1;
	u_int16_t mss = tcp_mssdflt;

	/* Drop early when the outbound queue is congested. */
	if (pf_check_congestion(ifq))
		return (PF_DROP);

	/* Start at the head of the main filter ruleset. */
	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);

	if (direction == PF_OUT) {
		bport = nport = th->th_sport;
		/* check outgoing packet for BINAT/NAT */
		if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
		    saddr, th->th_sport, daddr, th->th_dport,
		    &pd->naddr, &nport)) != NULL) {
			/* keep the original address so it can be restored */
			PF_ACPY(&pd->baddr, saddr, af);
			pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
			    &th->th_sum, &pd->naddr, nport, 0, af);
			rewrite++;
			/*
			 * "pass" on the translation rule: filter evaluation
			 * is skipped entirely (the loop below sees r == NULL).
			 * NOTE(review): *rm is then whatever the caller
			 * pre-set it to -- confirm the caller always does.
			 */
			if (nr->natpass)
				r = NULL;
			pd->nat_rule = nr;
		}
	} else {
		bport = nport = th->th_dport;
		/* check incoming packet for BINAT/RDR */
		if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
		    saddr, th->th_sport, daddr, th->th_dport,
		    &pd->naddr, &nport)) != NULL) {
			/* keep the original address so it can be restored */
			PF_ACPY(&pd->baddr, daddr, af);
			pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
			    &th->th_sum, &pd->naddr, nport, 0, af);
			rewrite++;
			/* see the PF_OUT case: natpass skips the filter rules */
			if (nr->natpass)
				r = NULL;
			pd->nat_rule = nr;
		}
	}

	/*
	 * Walk the filter ruleset.  A mismatch on a field that has a skip
	 * step advances via the rule's precomputed skip pointer for that
	 * field; other mismatches advance to the next rule.  The last
	 * matching rule wins unless it is "quick".
	 */
	while (r != NULL) {
		r->evaluations++;
		/* interface match, inverted when the rule negates it (ifnot) */
		if (r->kif != NULL &&
		    (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != IPPROTO_TCP)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
		else if (r->src.port_op && !pf_match_port(r->src.port_op,
		    r->src.port[0], r->src.port[1], th->th_sport))
			r = r->skip[PF_SKIP_SRC_PORT].ptr;
		else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
		    r->dst.port[0], r->dst.port[1], th->th_dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		else if (r->tos && !(r->tos & pd->tos))
			r = TAILQ_NEXT(r, entries);
		/* fragment rules never match here */
		else if (r->rule_flag & PFRULE_FRAGMENT)
			r = TAILQ_NEXT(r, entries);
		/* TCP flags: the bits in flagset must equal flags exactly */
		else if ((r->flagset & th->th_flags) != r->flags)
			r = TAILQ_NEXT(r, entries);
		/*
		 * uid/gid rules need the owning socket.  The lookup runs at
		 * most once per packet (lookup == -1 means "not yet") and
		 * its result is reused by later rules.  When no socket is
		 * found uid/gid are UID_MAX/GID_MAX (pf_socket_lookup sets
		 * them) and the match is still attempted against those.
		 */
		else if (r->uid.op && (lookup != -1 || (lookup =
		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
		    uid))
			r = TAILQ_NEXT(r, entries);
		else if (r->gid.op && (lookup != -1 || (lookup =
		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
		    gid))
			r = TAILQ_NEXT(r, entries);
		/* probability rule: matches only when the random draw is below prob */
		else if (r->prob && r->prob <= arc4random())
			r = TAILQ_NEXT(r, entries);
		else if (r->match_tag && !pf_match_tag(m, r, nr, &pftag, &tag))
			r = TAILQ_NEXT(r, entries);
		/* passive OS fingerprint, computed only when a rule asks for it */
		else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
		    pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint))
			r = TAILQ_NEXT(r, entries);
		else {
			/* the rule matches */
			if (r->tag)
				tag = r->tag;
			if (r->anchor == NULL) {
				/* remember it and keep going unless "quick" */
				*rm = r;
				*am = a;
				*rsm = ruleset;
				if ((*rm)->quick)
					break;
				r = TAILQ_NEXT(r, entries);
			} else
				/* descend into the anchor's filter ruleset */
				PF_STEP_INTO_ANCHOR(r, a, ruleset,
				    PF_RULESET_FILTER);
		}
		/* end of an anchor: presumably resumes in the enclosing ruleset */
		if (r == NULL && a != NULL)
			PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
			    PF_RULESET_FILTER);
	}
	r = *rm;
	a = *am;
	ruleset = *rsm;

	REASON_SET(&reason, PFRES_MATCH);

	if (r->log) {
		/* log the header as translated: write it back first */
		if (rewrite)
			m_copyback(m, off, sizeof(*th), th);
		PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
	}

	/*
	 * Blocking rules with return-rst / return-icmp / return answer the
	 * sender.  Translation is undone first so the reply is built from
	 * the pre-NAT addresses and ports.
	 */
	if ((r->action == PF_DROP) &&
	    ((r->rule_flag & PFRULE_RETURNRST) ||
	    (r->rule_flag & PFRULE_RETURNICMP) ||
	    (r->rule_flag & PFRULE_RETURN))) {
		/* undo NAT changes, if they have taken place */
		if (nr != NULL) {
			if (direction == PF_OUT) {
				pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
				    &th->th_sum, &pd->baddr, bport, 0, af);
				rewrite++;
			} else {
				pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
				    &th->th_sum, &pd->baddr, bport, 0, af);
				rewrite++;
			}
		}
		/* never answer a RST with a RST */
		if (((r->rule_flag & PFRULE_RETURNRST) ||
		    (r->rule_flag & PFRULE_RETURN)) &&
		    !(th->th_flags & TH_RST)) {
			/* acknowledge everything the segment carried, SYN/FIN included */
			u_int32_t ack = ntohl(th->th_seq) + pd->p_len;

			if (th->th_flags & TH_SYN)
				ack++;
			if (th->th_flags & TH_FIN)
				ack++;
			pf_send_tcp(r, af, pd->dst,
			    pd->src, th->th_dport, th->th_sport,
			    ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
			    r->return_ttl, 1, pd->eh, kif->pfik_ifp);
		} else if ((af == AF_INET) && r->return_icmp)
			/* return_icmp packs the ICMP type in the high byte, code in the low */
			pf_send_icmp(m, r->return_icmp >> 8,
			    r->return_icmp & 255, af, r);
		else if ((af == AF_INET6) && r->return_icmp6)
			pf_send_icmp(m, r->return_icmp6 >> 8,
			    r->return_icmp6 & 255, af, r);
	}

	if (r->action == PF_DROP)
		return (PF_DROP);

	if (pf_tag_packet(m, pftag, tag)) {
		REASON_SET(&reason, PFRES_MEMORY);
		return (PF_DROP);
	}

	/*
	 * State is created for keep-state rules, for every translated
	 * connection, and when TCP normalisation wants to track it.
	 */
	if (r->keep_state || nr != NULL ||
	    (pd->flags & PFDESC_TCP_NORM)) {
		/* create new state */
		u_int16_t len;
		struct pf_state *s = NULL;
		struct pf_src_node *sn = NULL;

		/* payload length: everything after the TCP header */
		len = pd->tot_len - off - (th->th_off << 2);

		/* check maximums */
		if (r->max_states && (r->states >= r->max_states))
			goto cleanup;
		/* src node for filter rule */
		if ((r->rule_flag & PFRULE_SRCTRACK ||
		    r->rpool.opts & PF_POOL_STICKYADDR) &&
		    pf_insert_src_node(&sn, r, saddr, af) != 0)
			goto cleanup;
		/* src node for translation rule */
		if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
		    ((direction == PF_OUT &&
		    pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
		    (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
			goto cleanup;
		s = pool_get(&pf_state_pl, PR_NOWAIT);
		if (s == NULL) {
			/*
			 * Shared failure path, also entered by the gotos
			 * above (they jump into this block).  Source nodes
			 * with no states and no expiry -- presumably the
			 * ones just inserted -- are torn down again.
			 */
cleanup:
			if (sn != NULL && sn->states == 0 && sn->expire == 0) {
				RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
				pf_status.src_nodes--;
				pool_put(&pf_src_tree_pl, sn);
			}
			if (nsn != sn && nsn != NULL && nsn->states == 0 &&
			    nsn->expire == 0) {
				RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
				pf_status.src_nodes--;
				pool_put(&pf_src_tree_pl, nsn);
			}
			REASON_SET(&reason, PFRES_MEMORY);
			return (PF_DROP);
		}
		bzero(s, sizeof(*s));
		/* account the state on the filter rule, anchor and nat rule */
		r->states++;
		if (a != NULL)
			a->states++;
		s->rule.ptr = r;
		s->nat_rule.ptr = nr;
		if (s->nat_rule.ptr != NULL)
			s->nat_rule.ptr->states++;
		s->anchor.ptr = a;
		s->allow_opts = r->allow_opts;
		s->log = r->log & 2;	/* only the 0x2 bit is carried into the state */
		s->proto = IPPROTO_TCP;
		s->direction = direction;
		s->af = af;
		/*
		 * Endpoints as seen after translation: gwy is the (possibly
		 * translated) local side, ext the remote side, lan the
		 * original pre-translation local side (equal to gwy when
		 * no translation happened).
		 */
		if (direction == PF_OUT) {
			PF_ACPY(&s->gwy.addr, saddr, af);
			s->gwy.port = th->th_sport;		/* sport */
			PF_ACPY(&s->ext.addr, daddr, af);
			s->ext.port = th->th_dport;
			if (nr != NULL) {
				PF_ACPY(&s->lan.addr, &pd->baddr, af);
				s->lan.port = bport;
			} else {
				PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
				s->lan.port = s->gwy.port;
			}
		} else {
			PF_ACPY(&s->lan.addr, daddr, af);
			s->lan.port = th->th_dport;
			PF_ACPY(&s->ext.addr, saddr, af);
			s->ext.port = th->th_sport;
			if (nr != NULL) {
				PF_ACPY(&s->gwy.addr, &pd->baddr, af);
				s->gwy.port = bport;
			} else {
				PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
				s->gwy.port = s->lan.port;
			}
		}

		/* initial sequence window of the initiator */
		s->src.seqlo = ntohl(th->th_seq);
		s->src.seqhi = s->src.seqlo + len + 1;
		if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
		    r->keep_state == PF_STATE_MODULATE) {
			/* Generate sequence number modulator */
			/* seqdiff == 0 means "no modulation", so pick a non-zero offset */
			while ((s->src.seqdiff = arc4random()) == 0)
				;
			pf_change_a(&th->th_seq, &th->th_sum,
			    htonl(s->src.seqlo + s->src.seqdiff), 0);
			rewrite = 1;
		} else
			s->src.seqdiff = 0;
		if (th->th_flags & TH_SYN) {
			s->src.seqhi++;
			/* window scaling is only negotiated on the SYN */
			s->src.wscale = pf_get_wscale(m, off, th->th_off, af);
		}
		s->src.max_win = MAX(ntohs(th->th_win), 1);
		if (s->src.wscale & PF_WSCALE_MASK) {
			/* Remove scale factor from initial window */
			/* rounds the unscaled window up to the next scale unit */
			int win = s->src.max_win;
			win += 1 << (s->src.wscale & PF_WSCALE_MASK);
			s->src.max_win = (win - 1) >>
			    (s->src.wscale & PF_WSCALE_MASK);
		}
		if (th->th_flags & TH_FIN)
			s->src.seqhi++;
		/* nothing known about the responder yet */
		s->dst.seqhi = 1;
		s->dst.max_win = 1;
		s->src.state = TCPS_SYN_SENT;
		s->dst.state = TCPS_CLOSED;
		s->creation = time.tv_sec;
		s->expire = time.tv_sec;
		s->timeout = PFTM_TCP_FIRST_PACKET;
		pf_set_rt_ifp(s, saddr);
		if (sn != NULL) {
			s->src_node = sn;
			s->src_node->states++;
		}
		if (nsn != NULL) {
			/* sticky-address: remember the address this node was mapped to */
			PF_ACPY(&nsn->raddr, &pd->naddr, af);
			s->nat_src_node = nsn;
			s->nat_src_node->states++;
		}
		/*
		 * NOTE(review): r->states / nr->states were incremented
		 * above and nothing visible on the three failure paths
		 * below decrements them -- confirm pf_src_tree_remove_state
		 * or the callers account for that.
		 */
		if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
		    off, pd, th, &s->src, &s->dst)) {
			REASON_SET(&reason, PFRES_MEMORY);
			pf_src_tree_remove_state(s);
			pool_put(&pf_state_pl, s);
			return (PF_DROP);
		}
		if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
		    pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
		    &s->src, &s->dst, &rewrite)) {
			/* This really shouldn't happen!!! */
			DPFPRINTF(PF_DEBUG_URGENT,
			    ("pf_normalize_tcp_stateful failed on first pkt"));
			pf_normalize_tcp_cleanup(s);
			pf_src_tree_remove_state(s);
			pool_put(&pf_state_pl, s);
			return (PF_DROP);
		}
		if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
			pf_normalize_tcp_cleanup(s);
			REASON_SET(&reason, PFRES_MEMORY);
			pf_src_tree_remove_state(s);
			pool_put(&pf_state_pl, s);
			return (PF_DROP);
		} else
			*sm = s;
		/*
		 * synproxy: answer the SYN ourselves with a SYN-ACK carrying
		 * a random ISN and a negotiated MSS, and swallow the SYN.
		 * Translation is undone on the header first so the reply is
		 * addressed to the original peer.
		 */
		if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
		    r->keep_state == PF_STATE_SYNPROXY) {
			s->src.state = PF_TCPS_PROXY_SRC;
			if (nr != NULL) {
				if (direction == PF_OUT) {
					pf_change_ap(saddr, &th->th_sport,
					    pd->ip_sum, &th->th_sum, &pd->baddr,
					    bport, 0, af);
				} else {
					pf_change_ap(daddr, &th->th_dport,
					    pd->ip_sum, &th->th_sum, &pd->baddr,
					    bport, 0, af);
				}
			}
			s->src.seqhi = arc4random();
			/* Find mss option */
			/* clamp the peer's offer to the MTU towards either end */
			mss = pf_get_mss(m, off, th->th_off, af);
			mss = pf_calc_mss(saddr, af, mss);
			mss = pf_calc_mss(daddr, af, mss);
			s->src.mss = mss;
			pf_send_tcp(r, af, daddr, saddr, th->th_dport,
			    th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
			    TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, NULL, NULL);
			return (PF_SYNPROXY_DROP);
		}
	}

	/* copy back packet headers if we performed NAT operations */
	if (rewrite)
		m_copyback(m, off, sizeof(*th), th);

	return (PF_PASS);
}
2713
/*
 * pf_test_udp: run a UDP datagram through translation and the filter
 * ruleset, and create state for it when the matching rule asks for it.
 *
 * On return *rm, *am and *rsm hold the last matching rule, its anchor
 * and ruleset; *sm the new state when one was created.  Returns PF_PASS
 * or PF_DROP.
 *
 * Mirrors pf_test_tcp(): congestion check, BINAT/NAT (out) or BINAT/RDR
 * (in) translation of the header in place, rule evaluation, logging, the
 * optional ICMP reply for blocking rules, packet tagging, state creation,
 * and finally writing the rewritten UDP header back into the mbuf.
 * There is no RST, no sequence tracking and no synproxy for UDP.
 */
int
pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
    struct pfi_kif *kif, struct mbuf *m, int off, void *h,
    struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
    struct ifqueue *ifq)
{
	struct pf_rule *nr = NULL;	/* matching translation rule, if any */
	struct pf_addr *saddr = pd->src, *daddr = pd->dst;
	struct udphdr *uh = pd->hdr.udp;
	u_int16_t bport, nport = 0;	/* port before / after translation */
	sa_family_t af = pd->af;
	int lookup = -1;		/* -1: owning socket not looked up yet */
	uid_t uid;
	gid_t gid;
	struct pf_rule *r, *a = NULL;
	struct pf_ruleset *ruleset = NULL;
	struct pf_src_node *nsn = NULL;	/* source node of the translation rule */
	u_short reason;
	int rewrite = 0;		/* header was modified; copy back before returning */
	struct pf_tag *pftag = NULL;
	int tag = -1;

	/* Drop early when the outbound queue is congested. */
	if (pf_check_congestion(ifq))
		return (PF_DROP);

	/* Start at the head of the main filter ruleset. */
	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);

	if (direction == PF_OUT) {
		bport = nport = uh->uh_sport;
		/* check outgoing packet for BINAT/NAT */
		if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
		    saddr, uh->uh_sport, daddr, uh->uh_dport,
		    &pd->naddr, &nport)) != NULL) {
			/* keep the original address so it can be restored */
			PF_ACPY(&pd->baddr, saddr, af);
			/* last-but-one arg is 1 here (0 for TCP): presumably the UDP flag */
			pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
			    &uh->uh_sum, &pd->naddr, nport, 1, af);
			rewrite++;
			/*
			 * "pass" on the translation rule: filter evaluation
			 * is skipped entirely (the loop below sees r == NULL).
			 * NOTE(review): *rm is then whatever the caller
			 * pre-set it to -- confirm the caller always does.
			 */
			if (nr->natpass)
				r = NULL;
			pd->nat_rule = nr;
		}
	} else {
		bport = nport = uh->uh_dport;
		/* check incoming packet for BINAT/RDR */
		if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
		    saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr,
		    &nport)) != NULL) {
			/* keep the original address so it can be restored */
			PF_ACPY(&pd->baddr, daddr, af);
			pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
			    &uh->uh_sum, &pd->naddr, nport, 1, af);
			rewrite++;
			/* see the PF_OUT case: natpass skips the filter rules */
			if (nr->natpass)
				r = NULL;
			pd->nat_rule = nr;
		}
	}

	/*
	 * Walk the filter ruleset.  A mismatch on a field that has a skip
	 * step advances via the rule's precomputed skip pointer for that
	 * field; other mismatches advance to the next rule.  The last
	 * matching rule wins unless it is "quick".
	 */
	while (r != NULL) {
		r->evaluations++;
		/* interface match, inverted when the rule negates it (ifnot) */
		if (r->kif != NULL &&
		    (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != IPPROTO_UDP)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
		else if (r->src.port_op && !pf_match_port(r->src.port_op,
		    r->src.port[0], r->src.port[1], uh->uh_sport))
			r = r->skip[PF_SKIP_SRC_PORT].ptr;
		else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
		    r->dst.port[0], r->dst.port[1], uh->uh_dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		else if (r->tos && !(r->tos & pd->tos))
			r = TAILQ_NEXT(r, entries);
		/* fragment rules never match here */
		else if (r->rule_flag & PFRULE_FRAGMENT)
			r = TAILQ_NEXT(r, entries);
		/*
		 * uid/gid rules need the owning socket.  The lookup runs at
		 * most once per packet (lookup == -1 means "not yet") and
		 * its result is reused by later rules.  When no socket is
		 * found uid/gid are UID_MAX/GID_MAX (pf_socket_lookup sets
		 * them) and the match is still attempted against those.
		 */
		else if (r->uid.op && (lookup != -1 || (lookup =
		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
		    uid))
			r = TAILQ_NEXT(r, entries);
		else if (r->gid.op && (lookup != -1 || (lookup =
		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
		    gid))
			r = TAILQ_NEXT(r, entries);
		/* probability rule: matches only when the random draw is below prob */
		else if (r->prob && r->prob <= arc4random())
			r = TAILQ_NEXT(r, entries);
		else if (r->match_tag && !pf_match_tag(m, r, nr, &pftag, &tag))
			r = TAILQ_NEXT(r, entries);
		/* OS fingerprinting is TCP-only: a rule with an os constraint never matches UDP */
		else if (r->os_fingerprint != PF_OSFP_ANY)
			r = TAILQ_NEXT(r, entries);
		else {
			/* the rule matches */
			if (r->tag)
				tag = r->tag;
			if (r->anchor == NULL) {
				/* remember it and keep going unless "quick" */
				*rm = r;
				*am = a;
				*rsm = ruleset;
				if ((*rm)->quick)
					break;
				r = TAILQ_NEXT(r, entries);
			} else
				/* descend into the anchor's filter ruleset */
				PF_STEP_INTO_ANCHOR(r, a, ruleset,
				    PF_RULESET_FILTER);
		}
		/* end of an anchor: presumably resumes in the enclosing ruleset */
		if (r == NULL && a != NULL)
			PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
			    PF_RULESET_FILTER);
	}
	r = *rm;
	a = *am;
	ruleset = *rsm;

	REASON_SET(&reason, PFRES_MATCH);

	if (r->log) {
		/* log the header as translated: write it back first */
		if (rewrite)
			m_copyback(m, off, sizeof(*uh), uh);
		PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
	}

	/*
	 * Blocking rules with return-icmp / return answer the sender with
	 * an ICMP error.  Translation is undone first so the reply refers
	 * to the pre-NAT addresses and ports.
	 */
	if ((r->action == PF_DROP) &&
	    ((r->rule_flag & PFRULE_RETURNICMP) ||
	    (r->rule_flag & PFRULE_RETURN))) {
		/* undo NAT changes, if they have taken place */
		if (nr != NULL) {
			if (direction == PF_OUT) {
				pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
				    &uh->uh_sum, &pd->baddr, bport, 1, af);
				rewrite++;
			} else {
				pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
				    &uh->uh_sum, &pd->baddr, bport, 1, af);
				rewrite++;
			}
		}
		/* return_icmp packs the ICMP type in the high byte, code in the low */
		if ((af == AF_INET) && r->return_icmp)
			pf_send_icmp(m, r->return_icmp >> 8,
			    r->return_icmp & 255, af, r);
		else if ((af == AF_INET6) && r->return_icmp6)
			pf_send_icmp(m, r->return_icmp6 >> 8,
			    r->return_icmp6 & 255, af, r);
	}

	if (r->action == PF_DROP)
		return (PF_DROP);

	if (pf_tag_packet(m, pftag, tag)) {
		REASON_SET(&reason, PFRES_MEMORY);
		return (PF_DROP);
	}

	/* State is created for keep-state rules and every translated flow. */
	if (r->keep_state || nr != NULL) {
		/* create new state */
		struct pf_state *s = NULL;
		struct pf_src_node *sn = NULL;

		/* check maximums */
		if (r->max_states && (r->states >= r->max_states))
			goto cleanup;
		/* src node for filter rule */
		if ((r->rule_flag & PFRULE_SRCTRACK ||
		    r->rpool.opts & PF_POOL_STICKYADDR) &&
		    pf_insert_src_node(&sn, r, saddr, af) != 0)
			goto cleanup;
		/* src node for translation rule */
		if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
		    ((direction == PF_OUT &&
		    pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
		    (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
			goto cleanup;
		s = pool_get(&pf_state_pl, PR_NOWAIT);
		if (s == NULL) {
			/*
			 * Shared failure path, also entered by the gotos
			 * above (they jump into this block).  Source nodes
			 * with no states and no expiry -- presumably the
			 * ones just inserted -- are torn down again.
			 */
cleanup:
			if (sn != NULL && sn->states == 0 && sn->expire == 0) {
				RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
				pf_status.src_nodes--;
				pool_put(&pf_src_tree_pl, sn);
			}
			if (nsn != sn && nsn != NULL && nsn->states == 0 &&
			    nsn->expire == 0) {
				RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
				pf_status.src_nodes--;
				pool_put(&pf_src_tree_pl, nsn);
			}
			REASON_SET(&reason, PFRES_MEMORY);
			return (PF_DROP);
		}
		bzero(s, sizeof(*s));
		/* account the state on the filter rule, anchor and nat rule */
		r->states++;
		if (a != NULL)
			a->states++;
		s->rule.ptr = r;
		s->nat_rule.ptr = nr;
		if (s->nat_rule.ptr != NULL)
			s->nat_rule.ptr->states++;
		s->anchor.ptr = a;
		s->allow_opts = r->allow_opts;
		s->log = r->log & 2;	/* only the 0x2 bit is carried into the state */
		s->proto = IPPROTO_UDP;
		s->direction = direction;
		s->af = af;
		/*
		 * Endpoints as seen after translation: gwy is the (possibly
		 * translated) local side, ext the remote side, lan the
		 * original pre-translation local side (equal to gwy when
		 * no translation happened).
		 */
		if (direction == PF_OUT) {
			PF_ACPY(&s->gwy.addr, saddr, af);
			s->gwy.port = uh->uh_sport;
			PF_ACPY(&s->ext.addr, daddr, af);
			s->ext.port = uh->uh_dport;
			if (nr != NULL) {
				PF_ACPY(&s->lan.addr, &pd->baddr, af);
				s->lan.port = bport;
			} else {
				PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
				s->lan.port = s->gwy.port;
			}
		} else {
			PF_ACPY(&s->lan.addr, daddr, af);
			s->lan.port = uh->uh_dport;
			PF_ACPY(&s->ext.addr, saddr, af);
			s->ext.port = uh->uh_sport;
			if (nr != NULL) {
				PF_ACPY(&s->gwy.addr, &pd->baddr, af);
				s->gwy.port = bport;
			} else {
				PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
				s->gwy.port = s->lan.port;
			}
		}
		/* one datagram seen from the initiator, none back yet */
		s->src.state = PFUDPS_SINGLE;
		s->dst.state = PFUDPS_NO_TRAFFIC;
		s->creation = time.tv_sec;
		s->expire = time.tv_sec;
		s->timeout = PFTM_UDP_FIRST_PACKET;
		pf_set_rt_ifp(s, saddr);
		if (sn != NULL) {
			s->src_node = sn;
			s->src_node->states++;
		}
		if (nsn != NULL) {
			/* sticky-address: remember the address this node was mapped to */
			PF_ACPY(&nsn->raddr, &pd->naddr, af);
			s->nat_src_node = nsn;
			s->nat_src_node->states++;
		}
		/*
		 * NOTE(review): r->states / nr->states were incremented
		 * above and nothing visible on this failure path decrements
		 * them -- confirm pf_src_tree_remove_state or the callers
		 * account for that.
		 */
		if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
			REASON_SET(&reason, PFRES_MEMORY);
			pf_src_tree_remove_state(s);
			pool_put(&pf_state_pl, s);
			return (PF_DROP);
		} else
			*sm = s;
	}

	/* copy back packet headers if we performed NAT operations */
	if (rewrite)
		m_copyback(m, off, sizeof(*uh), uh);

	return (PF_PASS);
}
2980
2981 int
pf_test_icmp(struct pf_rule ** rm,struct pf_state ** sm,int direction,struct pfi_kif * kif,struct mbuf * m,int off,void * h,struct pf_pdesc * pd,struct pf_rule ** am,struct pf_ruleset ** rsm,struct ifqueue * ifq)2982 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
2983 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
2984 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
2985 struct ifqueue *ifq)
2986 {
2987 struct pf_rule *nr = NULL;
2988 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
2989 struct pf_rule *r, *a = NULL;
2990 struct pf_ruleset *ruleset = NULL;
2991 struct pf_src_node *nsn = NULL;
2992 u_short reason;
2993 u_int16_t icmpid;
2994 sa_family_t af = pd->af;
2995 u_int8_t icmptype, icmpcode;
2996 int state_icmp = 0;
2997 struct pf_tag *pftag = NULL;
2998 int tag = -1;
2999 #ifdef INET6
3000 int rewrite = 0;
3001 #endif /* INET6 */
3002
3003 if (pf_check_congestion(ifq))
3004 return (PF_DROP);
3005
3006 switch (pd->proto) {
3007 #ifdef INET
3008 case IPPROTO_ICMP:
3009 icmptype = pd->hdr.icmp->icmp_type;
3010 icmpcode = pd->hdr.icmp->icmp_code;
3011 icmpid = pd->hdr.icmp->icmp_id;
3012
3013 if (icmptype == ICMP_UNREACH ||
3014 icmptype == ICMP_SOURCEQUENCH ||
3015 icmptype == ICMP_REDIRECT ||
3016 icmptype == ICMP_TIMXCEED ||
3017 icmptype == ICMP_PARAMPROB)
3018 state_icmp++;
3019 break;
3020 #endif /* INET */
3021 #ifdef INET6
3022 case IPPROTO_ICMPV6:
3023 icmptype = pd->hdr.icmp6->icmp6_type;
3024 icmpcode = pd->hdr.icmp6->icmp6_code;
3025 icmpid = pd->hdr.icmp6->icmp6_id;
3026
3027 if (icmptype == ICMP6_DST_UNREACH ||
3028 icmptype == ICMP6_PACKET_TOO_BIG ||
3029 icmptype == ICMP6_TIME_EXCEEDED ||
3030 icmptype == ICMP6_PARAM_PROB)
3031 state_icmp++;
3032 break;
3033 #endif /* INET6 */
3034 }
3035
3036 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3037
3038 if (direction == PF_OUT) {
3039 /* check outgoing packet for BINAT/NAT */
3040 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3041 saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) {
3042 PF_ACPY(&pd->baddr, saddr, af);
3043 switch (af) {
3044 #ifdef INET
3045 case AF_INET:
3046 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3047 pd->naddr.v4.s_addr, 0);
3048 break;
3049 #endif /* INET */
3050 #ifdef INET6
3051 case AF_INET6:
3052 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
3053 &pd->naddr, 0);
3054 rewrite++;
3055 break;
3056 #endif /* INET6 */
3057 }
3058 if (nr->natpass)
3059 r = NULL;
3060 pd->nat_rule = nr;
3061 }
3062 } else {
3063 /* check incoming packet for BINAT/RDR */
3064 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3065 saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) {
3066 PF_ACPY(&pd->baddr, daddr, af);
3067 switch (af) {
3068 #ifdef INET
3069 case AF_INET:
3070 pf_change_a(&daddr->v4.s_addr,
3071 pd->ip_sum, pd->naddr.v4.s_addr, 0);
3072 break;
3073 #endif /* INET */
3074 #ifdef INET6
3075 case AF_INET6:
3076 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
3077 &pd->naddr, 0);
3078 rewrite++;
3079 break;
3080 #endif /* INET6 */
3081 }
3082 if (nr->natpass)
3083 r = NULL;
3084 pd->nat_rule = nr;
3085 }
3086 }
3087
3088 while (r != NULL) {
3089 r->evaluations++;
3090 if (r->kif != NULL &&
3091 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
3092 r = r->skip[PF_SKIP_IFP].ptr;
3093 else if (r->direction && r->direction != direction)
3094 r = r->skip[PF_SKIP_DIR].ptr;
3095 else if (r->af && r->af != af)
3096 r = r->skip[PF_SKIP_AF].ptr;
3097 else if (r->proto && r->proto != pd->proto)
3098 r = r->skip[PF_SKIP_PROTO].ptr;
3099 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
3100 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3101 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
3102 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3103 else if (r->type && r->type != icmptype + 1)
3104 r = TAILQ_NEXT(r, entries);
3105 else if (r->code && r->code != icmpcode + 1)
3106 r = TAILQ_NEXT(r, entries);
3107 else if (r->tos && !(r->tos & pd->tos))
3108 r = TAILQ_NEXT(r, entries);
3109 else if (r->rule_flag & PFRULE_FRAGMENT)
3110 r = TAILQ_NEXT(r, entries);
3111 else if (r->prob && r->prob <= arc4random())
3112 r = TAILQ_NEXT(r, entries);
3113 else if (r->match_tag && !pf_match_tag(m, r, nr, &pftag, &tag))
3114 r = TAILQ_NEXT(r, entries);
3115 else if (r->os_fingerprint != PF_OSFP_ANY)
3116 r = TAILQ_NEXT(r, entries);
3117 else {
3118 if (r->tag)
3119 tag = r->tag;
3120 if (r->anchor == NULL) {
3121 *rm = r;
3122 *am = a;
3123 *rsm = ruleset;
3124 if ((*rm)->quick)
3125 break;
3126 r = TAILQ_NEXT(r, entries);
3127 } else
3128 PF_STEP_INTO_ANCHOR(r, a, ruleset,
3129 PF_RULESET_FILTER);
3130 }
3131 if (r == NULL && a != NULL)
3132 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
3133 PF_RULESET_FILTER);
3134 }
3135 r = *rm;
3136 a = *am;
3137 ruleset = *rsm;
3138
3139 REASON_SET(&reason, PFRES_MATCH);
3140
3141 if (r->log) {
3142 #ifdef INET6
3143 if (rewrite)
3144 m_copyback(m, off, sizeof(struct icmp6_hdr),
3145 pd->hdr.icmp6);
3146 #endif /* INET6 */
3147 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
3148 }
3149
3150 if (r->action != PF_PASS)
3151 return (PF_DROP);
3152
3153 if (pf_tag_packet(m, pftag, tag)) {
3154 REASON_SET(&reason, PFRES_MEMORY);
3155 return (PF_DROP);
3156 }
3157
3158 if (!state_icmp && (r->keep_state || nr != NULL)) {
3159 /* create new state */
3160 struct pf_state *s = NULL;
3161 struct pf_src_node *sn = NULL;
3162
3163 /* check maximums */
3164 if (r->max_states && (r->states >= r->max_states))
3165 goto cleanup;
3166 /* src node for flter rule */
3167 if ((r->rule_flag & PFRULE_SRCTRACK ||
3168 r->rpool.opts & PF_POOL_STICKYADDR) &&
3169 pf_insert_src_node(&sn, r, saddr, af) != 0)
3170 goto cleanup;
3171 /* src node for translation rule */
3172 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3173 ((direction == PF_OUT &&
3174 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3175 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
3176 goto cleanup;
3177 s = pool_get(&pf_state_pl, PR_NOWAIT);
3178 if (s == NULL) {
3179 cleanup:
3180 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3181 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3182 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3183 pf_status.src_nodes--;
3184 pool_put(&pf_src_tree_pl, sn);
3185 }
3186 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3187 nsn->expire == 0) {
3188 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3189 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3190 pf_status.src_nodes--;
3191 pool_put(&pf_src_tree_pl, nsn);
3192 }
3193 REASON_SET(&reason, PFRES_MEMORY);
3194 return (PF_DROP);
3195 }
3196 bzero(s, sizeof(*s));
3197 r->states++;
3198 if (a != NULL)
3199 a->states++;
3200 s->rule.ptr = r;
3201 s->nat_rule.ptr = nr;
3202 if (s->nat_rule.ptr != NULL)
3203 s->nat_rule.ptr->states++;
3204 s->anchor.ptr = a;
3205 s->allow_opts = r->allow_opts;
3206 s->log = r->log & 2;
3207 s->proto = pd->proto;
3208 s->direction = direction;
3209 s->af = af;
3210 if (direction == PF_OUT) {
3211 PF_ACPY(&s->gwy.addr, saddr, af);
3212 s->gwy.port = icmpid;
3213 PF_ACPY(&s->ext.addr, daddr, af);
3214 s->ext.port = icmpid;
3215 if (nr != NULL)
3216 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3217 else
3218 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3219 s->lan.port = icmpid;
3220 } else {
3221 PF_ACPY(&s->lan.addr, daddr, af);
3222 s->lan.port = icmpid;
3223 PF_ACPY(&s->ext.addr, saddr, af);
3224 s->ext.port = icmpid;
3225 if (nr != NULL)
3226 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3227 else
3228 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3229 s->gwy.port = icmpid;
3230 }
3231 s->creation = time.tv_sec;
3232 s->expire = time.tv_sec;
3233 s->timeout = PFTM_ICMP_FIRST_PACKET;
3234 pf_set_rt_ifp(s, saddr);
3235 if (sn != NULL) {
3236 s->src_node = sn;
3237 s->src_node->states++;
3238 }
3239 if (nsn != NULL) {
3240 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3241 s->nat_src_node = nsn;
3242 s->nat_src_node->states++;
3243 }
3244 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3245 REASON_SET(&reason, PFRES_MEMORY);
3246 pf_src_tree_remove_state(s);
3247 pool_put(&pf_state_pl, s);
3248 return (PF_DROP);
3249 } else
3250 *sm = s;
3251 }
3252
3253 #ifdef INET6
3254 /* copy back packet headers if we performed IPv6 NAT operations */
3255 if (rewrite)
3256 m_copyback(m, off, sizeof(struct icmp6_hdr),
3257 pd->hdr.icmp6);
3258 #endif /* INET6 */
3259
3260 return (PF_PASS);
3261 }
3262
/*
 * Filter-rule evaluation for packets that are neither TCP, UDP nor ICMP
 * ("other" protocols: state is keyed on addresses only, no ports).
 *
 * Order of operations:
 *   1. drop early when the output queue is congested (pf_check_congestion);
 *   2. look up a NAT/BINAT (outbound) or BINAT/RDR (inbound) translation via
 *      pf_get_translation() and rewrite the source or destination address in
 *      the packet; the pre-translation address is saved in pd->baddr;
 *   3. walk the main filter ruleset (descending into anchors) for the last
 *      matching rule, stopping early on a "quick" rule;
 *   4. for a blocking rule with return / return-icmp, restore the original
 *      address in the packet and send the ICMP error;
 *   5. on pass, tag the packet and, if the rule keeps state or a
 *      translation applies, create a state entry.
 *
 * rm/am/rsm  out: matched rule, its anchor rule and its ruleset.  These are
 *            only written when a rule matches; the caller is assumed to seed
 *            *rm with a default rule so r is never NULL after the walk
 *            — TODO confirm in the caller.
 * sm         out: the newly created state, when one was created.
 * direction  PF_IN or PF_OUT.
 * kif        interface the packet was seen on.
 * m, off, h  the packet, offset of the transport payload, and IP header.
 * pd         packet descriptor (addresses, af, proto, tos, checksum pointer).
 * ifq        interface queue tested for congestion.
 *
 * Returns PF_PASS or PF_DROP.
 */
int
pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
    struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
    struct pf_rule **am, struct pf_ruleset **rsm, struct ifqueue *ifq)
{
	struct pf_rule		*nr = NULL;		/* translation rule, if any */
	struct pf_rule		*r, *a = NULL;		/* current rule / enclosing anchor rule */
	struct pf_ruleset	*ruleset = NULL;	/* ruleset currently being walked */
	struct pf_src_node	*nsn = NULL;		/* source node for the translation rule */
	struct pf_addr		*saddr = pd->src, *daddr = pd->dst;
	sa_family_t		 af = pd->af;
	u_short			 reason;		/* match/drop reason handed to the logger */
	struct pf_tag		*pftag = NULL;
	int			 tag = -1;		/* -1: no tag to apply */

	if (pf_check_congestion(ifq))
		return (PF_DROP);

	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);

	if (direction == PF_OUT) {
		/* check outgoing packet for BINAT/NAT */
		if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
		    saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
			/* remember the original source before rewriting it */
			PF_ACPY(&pd->baddr, saddr, af);
			switch (af) {
#ifdef INET
			case AF_INET:
				/* rewrite in place and patch the IP checksum;
				 * there is no transport checksum to fix here */
				pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
				    pd->naddr.v4.s_addr, 0);
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				PF_ACPY(saddr, &pd->naddr, af);
				break;
#endif /* INET6 */
			}
			/* "pass" on the nat rule: skip the filter ruleset */
			if (nr->natpass)
				r = NULL;
			pd->nat_rule = nr;
		}
	} else {
		/* check incoming packet for BINAT/RDR */
		if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
		    saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
			/* remember the original destination before rewriting it */
			PF_ACPY(&pd->baddr, daddr, af);
			switch (af) {
#ifdef INET
			case AF_INET:
				pf_change_a(&daddr->v4.s_addr,
				    pd->ip_sum, pd->naddr.v4.s_addr, 0);
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				PF_ACPY(daddr, &pd->naddr, af);
				break;
#endif /* INET6 */
			}
			if (nr->natpass)
				r = NULL;
			pd->nat_rule = nr;
		}
	}

	/*
	 * Rule walk.  The first six tests advance via the precomputed skip
	 * steps (jumping over the run of rules that fail the same test); the
	 * remaining tests step to the next rule.  Last match wins unless the
	 * rule is "quick".
	 */
	while (r != NULL) {
		r->evaluations++;
		if (r->kif != NULL &&
		    (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != pd->proto)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not))
			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
		else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (r->tos && !(r->tos & pd->tos))
			r = TAILQ_NEXT(r, entries);
		/* fragment-only rules never apply to a complete packet */
		else if (r->rule_flag & PFRULE_FRAGMENT)
			r = TAILQ_NEXT(r, entries);
		/* probabilistic match: rule applies with probability prob/2^32 */
		else if (r->prob && r->prob <= arc4random())
			r = TAILQ_NEXT(r, entries);
		else if (r->match_tag && !pf_match_tag(m, r, nr, &pftag, &tag))
			r = TAILQ_NEXT(r, entries);
		/* an OS fingerprint cannot be matched on a non-TCP packet */
		else if (r->os_fingerprint != PF_OSFP_ANY)
			r = TAILQ_NEXT(r, entries);
		else {
			if (r->tag)
				tag = r->tag;
			if (r->anchor == NULL) {
				*rm = r;
				*am = a;
				*rsm = ruleset;
				if ((*rm)->quick)
					break;
				r = TAILQ_NEXT(r, entries);
			} else
				/* descend; the macro repoints r, a and ruleset */
				PF_STEP_INTO_ANCHOR(r, a, ruleset,
				    PF_RULESET_FILTER);
		}
		/* end of an anchor's ruleset: resume after the anchor rule */
		if (r == NULL && a != NULL)
			PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
			    PF_RULESET_FILTER);
	}
	r = *rm;
	a = *am;
	ruleset = *rsm;

	REASON_SET(&reason, PFRES_MATCH);

	if (r->log)
		PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);

	if ((r->action == PF_DROP) &&
	    ((r->rule_flag & PFRULE_RETURNICMP) ||
	    (r->rule_flag & PFRULE_RETURN))) {
		/*
		 * NOTE(review): this `a` is a pf_addr and shadows the anchor
		 * rule `a` declared above; it is the address that was
		 * rewritten by the translation, to be restored so the ICMP
		 * error refers to the pre-translation address.
		 */
		struct pf_addr *a = NULL;

		if (nr != NULL) {
			if (direction == PF_OUT)
				a = saddr;
			else
				a = daddr;
		}
		if (a != NULL) {
			switch (af) {
#ifdef INET
			case AF_INET:
				pf_change_a(&a->v4.s_addr, pd->ip_sum,
				    pd->baddr.v4.s_addr, 0);
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				PF_ACPY(a, &pd->baddr, af);
				break;
#endif /* INET6 */
			}
		}
		/* return_icmp packs type in the high byte, code in the low */
		if ((af == AF_INET) && r->return_icmp)
			pf_send_icmp(m, r->return_icmp >> 8,
			    r->return_icmp & 255, af, r);
		else if ((af == AF_INET6) && r->return_icmp6)
			pf_send_icmp(m, r->return_icmp6 >> 8,
			    r->return_icmp6 & 255, af, r);
	}

	if (r->action != PF_PASS)
		return (PF_DROP);

	if (pf_tag_packet(m, pftag, tag)) {
		REASON_SET(&reason, PFRES_MEMORY);
		return (PF_DROP);
	}

	if (r->keep_state || nr != NULL) {
		/* create new state */
		struct pf_state *s = NULL;
		struct pf_src_node *sn = NULL;

		/* check maximums */
		if (r->max_states && (r->states >= r->max_states))
			goto cleanup;
		/* src node for filter rule */
		if ((r->rule_flag & PFRULE_SRCTRACK ||
		    r->rpool.opts & PF_POOL_STICKYADDR) &&
		    pf_insert_src_node(&sn, r, saddr, af) != 0)
			goto cleanup;
		/*
		 * src node for translation rule.  Outbound, saddr has already
		 * been rewritten, so the sticky address is keyed on the
		 * original source in pd->baddr.  NOTE(review): when that call
		 * succeeds the `||` still evaluates the second call with
		 * nsn already set — presumably pf_insert_src_node() is a
		 * no-op once *nsn != NULL; confirm.
		 */
		if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
		    ((direction == PF_OUT &&
		    pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
		    (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
			goto cleanup;
		s = pool_get(&pf_state_pl, PR_NOWAIT);
		if (s == NULL) {
			/*
			 * Failure path, also entered by the gotos above.  A
			 * source node with no states and no expiry looks like
			 * one created by this call and is removed again so a
			 * failed attempt does not leave a tracking entry
			 * behind — TODO confirm that is the intended test.
			 */
cleanup:
			if (sn != NULL && sn->states == 0 && sn->expire == 0) {
				RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
				pf_status.src_nodes--;
				pool_put(&pf_src_tree_pl, sn);
			}
			if (nsn != sn && nsn != NULL && nsn->states == 0 &&
			    nsn->expire == 0) {
				RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
				pf_status.src_nodes--;
				pool_put(&pf_src_tree_pl, nsn);
			}
			REASON_SET(&reason, PFRES_MEMORY);
			return (PF_DROP);
		}
		bzero(s, sizeof(*s));
		/* account the state on the filter rule, anchor and nat rule */
		r->states++;
		if (a != NULL)
			a->states++;
		s->rule.ptr = r;
		s->nat_rule.ptr = nr;
		if (s->nat_rule.ptr != NULL)
			s->nat_rule.ptr->states++;
		s->anchor.ptr = a;
		s->allow_opts = r->allow_opts;
		/* only bit 2 of the rule's log flags is carried into the state */
		s->log = r->log & 2;
		s->proto = pd->proto;
		s->direction = direction;
		s->af = af;
		/*
		 * lan/gwy/ext triple: lan is the internal (pre-NAT) address,
		 * gwy the address as seen on the wire, ext the remote peer.
		 * Without a translation lan and gwy coincide.
		 */
		if (direction == PF_OUT) {
			PF_ACPY(&s->gwy.addr, saddr, af);
			PF_ACPY(&s->ext.addr, daddr, af);
			if (nr != NULL)
				PF_ACPY(&s->lan.addr, &pd->baddr, af);
			else
				PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
		} else {
			PF_ACPY(&s->lan.addr, daddr, af);
			PF_ACPY(&s->ext.addr, saddr, af);
			if (nr != NULL)
				PF_ACPY(&s->gwy.addr, &pd->baddr, af);
			else
				PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
		}
		s->src.state = PFOTHERS_SINGLE;
		s->dst.state = PFOTHERS_NO_TRAFFIC;
		s->creation = time.tv_sec;
		s->expire = time.tv_sec;
		s->timeout = PFTM_OTHER_FIRST_PACKET;
		pf_set_rt_ifp(s, saddr);
		if (sn != NULL) {
			s->src_node = sn;
			s->src_node->states++;
		}
		if (nsn != NULL) {
			/* sticky-address: remember the address chosen from the pool */
			PF_ACPY(&nsn->raddr, &pd->naddr, af);
			s->nat_src_node = nsn;
			s->nat_src_node->states++;
		}
		if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
			/* insertion failed: unlink from the src nodes and free */
			REASON_SET(&reason, PFRES_MEMORY);
			pf_src_tree_remove_state(s);
			pool_put(&pf_state_pl, s);
			return (PF_DROP);
		} else
			*sm = s;
	}

	return (PF_PASS);
}
3516
/*
 * Filter-rule evaluation for IP fragments that carry no transport header.
 * Only interface, direction, family, protocol, address and TOS criteria can
 * be tested, so any rule that needs ports, TCP flags, ICMP type/code or an
 * OS fingerprint is skipped.  No translation and no state for fragments.
 *
 * rm/am/rsm  out: matched rule, its anchor rule and its ruleset; written
 *            only when a rule matches (the caller is assumed to seed *rm).
 * direction  PF_IN or PF_OUT.
 * kif        interface the packet was seen on.
 * m, h, pd   the packet, its IP header and the packet descriptor.
 *
 * Returns PF_PASS or PF_DROP.
 */
int
pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
    struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
    struct pf_ruleset **rsm)
{
	struct pf_rule		*rule, *anchor = NULL;
	struct pf_ruleset	*rs = NULL;
	sa_family_t		 af = pd->af;
	u_short			 reason;
	struct pf_tag		*ptag = NULL;
	int			 tagid = -1;

	rule = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
	while (rule != NULL) {
		struct pf_rule *next;

		rule->evaluations++;

		/*
		 * The first six tests advance via the precomputed skip
		 * steps; everything else steps to the following rule.
		 */
		if (rule->kif != NULL && (rule->kif != kif &&
		    rule->kif != kif->pfik_parent) == !rule->ifnot)
			next = rule->skip[PF_SKIP_IFP].ptr;
		else if (rule->direction && rule->direction != direction)
			next = rule->skip[PF_SKIP_DIR].ptr;
		else if (rule->af && rule->af != af)
			next = rule->skip[PF_SKIP_AF].ptr;
		else if (rule->proto && rule->proto != pd->proto)
			next = rule->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&rule->src.addr, pd->src, af,
		    rule->src.not))
			next = rule->skip[PF_SKIP_SRC_ADDR].ptr;
		else if (PF_MISMATCHAW(&rule->dst.addr, pd->dst, af,
		    rule->dst.not))
			next = rule->skip[PF_SKIP_DST_ADDR].ptr;
		else if (rule->tos && !(rule->tos & pd->tos))
			next = TAILQ_NEXT(rule, entries);
		else if (rule->src.port_op || rule->dst.port_op ||
		    rule->flagset || rule->type || rule->code ||
		    rule->os_fingerprint != PF_OSFP_ANY)
			/* criteria that need a transport header */
			next = TAILQ_NEXT(rule, entries);
		else if (rule->prob && rule->prob <= arc4random())
			next = TAILQ_NEXT(rule, entries);
		else if (rule->match_tag &&
		    !pf_match_tag(m, rule, NULL, &ptag, &tagid))
			next = TAILQ_NEXT(rule, entries);
		else if (rule->anchor != NULL) {
			/* descend; the macro repoints rule, anchor and rs */
			PF_STEP_INTO_ANCHOR(rule, anchor, rs,
			    PF_RULESET_FILTER);
			next = rule;
		} else {
			/* last match wins unless the rule is "quick" */
			*rm = rule;
			*am = anchor;
			*rsm = rs;
			if ((*rm)->quick)
				break;
			next = TAILQ_NEXT(rule, entries);
		}

		rule = next;
		/* end of an anchor's ruleset: continue after the anchor rule */
		if (rule == NULL && anchor != NULL)
			PF_STEP_OUT_OF_ANCHOR(rule, anchor, rs,
			    PF_RULESET_FILTER);
	}
	rule = *rm;
	anchor = *am;
	rs = *rsm;

	REASON_SET(&reason, PFRES_MATCH);

	if (rule->log)
		PFLOG_PACKET(kif, h, m, af, direction, reason, rule, anchor,
		    rs);

	if (rule->action != PF_PASS)
		return (PF_DROP);

	if (pf_tag_packet(m, ptag, tagid)) {
		REASON_SET(&reason, PFRES_MEMORY);
		return (PF_DROP);
	}

	return (PF_PASS);
}
3590
/*
 * Stateful inspection of a TCP segment against an existing state entry.
 *
 * Builds a lookup key from the segment's addresses and ports (oriented by
 * direction), finds the state (STATE_LOOKUP, defined elsewhere in this
 * file), runs the SYN-proxy handshake when the state is in one of the proxy
 * states, and otherwise validates sequence and ack numbers against the
 * windows tracked for both peers.  Segments that pass update the peer
 * states and the expiry timeout; if the state translates addresses, or the
 * header was modified in place, the TCP header is written back to the mbuf.
 *
 * state      out: the matched state (set by STATE_LOOKUP).
 * direction  PF_IN or PF_OUT.
 * kif        interface the packet was seen on.
 * m, off     the packet and the offset of the TCP header within it.
 * h          IP header; not referenced in this body.
 * pd         packet descriptor; pd->hdr.tcp is the pulled-up TCP header,
 *            pd->p_len the payload length.
 * reason     out: drop reason (set to PFRES_MEMORY on allocation failure).
 *
 * Returns PF_PASS, PF_DROP, or PF_SYNPROXY_DROP when the segment was
 * consumed by the SYN proxy (pf_send_tcp() has answered on its behalf).
 */
int
pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
    struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
    u_short *reason)
{
	struct pf_state		 key;
	struct tcphdr		*th = pd->hdr.tcp;
	u_int16_t		 win = ntohs(th->th_win);	/* advertised window, unscaled */
	u_int32_t		 ack, end, seq, orig_seq;	/* host order */
	u_int8_t		 sws, dws;			/* window shift for src / dst */
	int			 ackskew;
	int			 copyback = 0;			/* header modified in place, must be written back */
	struct pf_state_peer	*src, *dst;			/* sender of this segment / its peer */

	key.af = pd->af;
	key.proto = IPPROTO_TCP;
	/* inbound packets are matched on (ext, gwy), outbound on (lan, ext) */
	if (direction == PF_IN) {
		PF_ACPY(&key.ext.addr, pd->src, key.af);
		PF_ACPY(&key.gwy.addr, pd->dst, key.af);
		key.ext.port = th->th_sport;
		key.gwy.port = th->th_dport;
	} else {
		PF_ACPY(&key.lan.addr, pd->src, key.af);
		PF_ACPY(&key.ext.addr, pd->dst, key.af);
		key.lan.port = th->th_sport;
		key.ext.port = th->th_dport;
	}

	/* presumably finds the state or returns PF_DROP — see its definition */
	STATE_LOOKUP();

	/* src is the peer that sent this segment */
	if (direction == (*state)->direction) {
		src = &(*state)->src;
		dst = &(*state)->dst;
	} else {
		src = &(*state)->dst;
		dst = &(*state)->src;
	}

	/*
	 * SYN proxy, phase 1: pf completes the handshake with the initiator
	 * itself.  Only segments from the initiator are accepted here.
	 */
	if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
		if (direction != (*state)->direction)
			return (PF_SYNPROXY_DROP);
		if (th->th_flags & TH_SYN) {
			/* (retransmitted) SYN: must carry the recorded ISN */
			if (ntohl(th->th_seq) != (*state)->src.seqlo)
				return (PF_DROP);
			/* answer with our own SYN|ACK using the chosen seqhi */
			pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
			    pd->src, th->th_dport, th->th_sport,
			    (*state)->src.seqhi, ntohl(th->th_seq) + 1,
			    TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
			    NULL, NULL);
			return (PF_SYNPROXY_DROP);
		} else if (!(th->th_flags & TH_ACK) ||
		    (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
		    (ntohl(th->th_seq) != (*state)->src.seqlo + 1))
			/* third handshake segment must ack exactly our SYN|ACK */
			return (PF_DROP);
		else
			(*state)->src.state = PF_TCPS_PROXY_DST;
	}
	/*
	 * SYN proxy, phase 2: the initiator is established with us; now open
	 * the connection to the real destination and splice the two halves
	 * together by recording the sequence offsets (seqdiff).
	 */
	if ((*state)->src.state == PF_TCPS_PROXY_DST) {
		/* NOTE: these shadow the pf_state_peer src/dst above */
		struct pf_state_host *src, *dst;

		if (direction == PF_OUT) {
			src = &(*state)->gwy;
			dst = &(*state)->ext;
		} else {
			src = &(*state)->ext;
			dst = &(*state)->lan;
		}
		if (direction == (*state)->direction) {
			/* initiator side: only a plain ACK is expected now */
			if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
			    (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
			    (ntohl(th->th_seq) != (*state)->src.seqlo + 1))
				return (PF_DROP);
			(*state)->src.max_win = MAX(ntohs(th->th_win), 1);
			/* 1 appears to be the "not yet chosen" sentinel for seqhi */
			if ((*state)->dst.seqhi == 1)
				(*state)->dst.seqhi = arc4random();
			/* send our SYN towards the real destination */
			pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
			    &dst->addr, src->port, dst->port,
			    (*state)->dst.seqhi, 0, TH_SYN, 0,
			    (*state)->src.mss, 0, 0, NULL, NULL);
			return (PF_SYNPROXY_DROP);
		} else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
		    (TH_SYN|TH_ACK)) ||
		    (ntohl(th->th_ack) != (*state)->dst.seqhi + 1))
			/* destination side: expect the SYN|ACK to our SYN */
			return (PF_DROP);
		else {
			(*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
			(*state)->dst.seqlo = ntohl(th->th_seq);
			/* ack the destination's SYN|ACK ... */
			pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
			    pd->src, th->th_dport, th->th_sport,
			    ntohl(th->th_ack), ntohl(th->th_seq) + 1,
			    TH_ACK, (*state)->src.max_win, 0, 0, 1,
			    NULL, NULL);
			/* ... and re-send the initiator's final ACK */
			pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
			    &dst->addr, src->port, dst->port,
			    (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
			    TH_ACK, (*state)->dst.max_win, 0, 0, 0,
			    NULL, NULL);
			/*
			 * From now on sequence numbers are modulated by the
			 * difference between the two handshakes.
			 */
			(*state)->src.seqdiff = (*state)->dst.seqhi -
			    (*state)->src.seqlo;
			(*state)->dst.seqdiff = (*state)->src.seqhi -
			    (*state)->dst.seqlo;
			(*state)->src.seqhi = (*state)->src.seqlo +
			    (*state)->src.max_win;
			(*state)->dst.seqhi = (*state)->dst.seqlo +
			    (*state)->dst.max_win;
			(*state)->src.wscale = (*state)->dst.wscale = 0;
			(*state)->src.state = (*state)->dst.state =
			    TCPS_ESTABLISHED;
			return (PF_SYNPROXY_DROP);
		}
	}

	/* apply window scaling only once both ends negotiated it (SYNs are unscaled) */
	if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
		sws = src->wscale & PF_WSCALE_MASK;
		dws = dst->wscale & PF_WSCALE_MASK;
	} else
		sws = dws = 0;

	/*
	 * Sequence tracking algorithm from Guido van Rooij's paper:
	 *   http://www.madison-gurkha.com/publications/tcp_filtering/
	 *    tcp_filtering.ps
	 */

	orig_seq = seq = ntohl(th->th_seq);
	if (src->seqlo == 0) {
		/* First packet from this end. Set its state */

		/* allocate scrub state if normalization was requested */
		if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
		    src->scrub == NULL) {
			if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
				REASON_SET(reason, PFRES_MEMORY);
				return (PF_DROP);
			}
		}

		/* Deferred generation of sequence number modulator */
		if (dst->seqdiff && !src->seqdiff) {
			/* pick a non-zero random offset (0 means "none") */
			while ((src->seqdiff = arc4random()) == 0)
				;
			ack = ntohl(th->th_ack) - dst->seqdiff;
			pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
			    src->seqdiff), 0);
			pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
			copyback = 1;
		} else {
			ack = ntohl(th->th_ack);
		}

		/* end: sequence number just past this segment (SYN/FIN count one) */
		end = seq + pd->p_len;
		if (th->th_flags & TH_SYN) {
			end++;
			if (dst->wscale & PF_WSCALE_FLAG) {
				src->wscale = pf_get_wscale(m, off, th->th_off,
				    pd->af);
				if (src->wscale & PF_WSCALE_FLAG) {
					/* Remove scale factor from initial
					 * window (round up) */
					sws = src->wscale & PF_WSCALE_MASK;
					win = ((u_int32_t)win + (1 << sws) - 1)
					    >> sws;
					dws = dst->wscale & PF_WSCALE_MASK;
				} else {
					/* fixup other window */
					dst->max_win <<= dst->wscale &
					    PF_WSCALE_MASK;
					/* in case of a retrans SYN|ACK */
					dst->wscale = 0;
				}
			}
		}
		if (th->th_flags & TH_FIN)
			end++;

		src->seqlo = seq;
		if (src->state < TCPS_SYN_SENT)
			src->state = TCPS_SYN_SENT;

		/*
		 * May need to slide the window (seqhi may have been set by
		 * the crappy stack check or if we picked up the connection
		 * after establishment)
		 */
		if (src->seqhi == 1 ||
		    SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
			src->seqhi = end + MAX(1, dst->max_win << dws);
		if (win > src->max_win)
			src->max_win = win;

	} else {
		/* subsequent packet from this end */
		ack = ntohl(th->th_ack) - dst->seqdiff;
		if (src->seqdiff) {
			/* Modulate sequence numbers */
			pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
			    src->seqdiff), 0);
			pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
			copyback = 1;
		}
		end = seq + pd->p_len;
		if (th->th_flags & TH_SYN)
			end++;
		if (th->th_flags & TH_FIN)
			end++;
	}

	if ((th->th_flags & TH_ACK) == 0) {
		/* Let it pass through the ack skew check */
		ack = dst->seqlo;
	} else if ((ack == 0 &&
	    (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
	    /* broken tcp stacks do not set ack */
	    (dst->state < TCPS_SYN_SENT)) {
		/*
		 * Many stacks (ours included) will set the ACK number in an
		 * FIN|ACK if the SYN times out -- no sequence to ACK.
		 */
		ack = dst->seqlo;
	}

	if (seq == end) {
		/* Ease sequencing restrictions on no data packets */
		seq = src->seqlo;
		end = seq;
	}

	/* how far behind our peer's expected sequence this ack is */
	ackskew = dst->seqlo - ack;

/* NOTE: file-scope macro from here on, not local to this function */
#define MAXACKWINDOW (0xffff + 1500)	/* 1500 is an arbitrary fudge factor */
	if (SEQ_GEQ(src->seqhi, end) &&
	    /* Last octet inside other's window space */
	    SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
	    /* Retrans: not more than one window back */
	    (ackskew >= -MAXACKWINDOW) &&
	    /* Acking not more than one reassembled fragment backwards */
	    (ackskew <= (MAXACKWINDOW << sws)) &&
	    /* Acking not more than one window forward */
	    ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
	    (pd->flags & PFDESC_IP_REAS) == 0)) {
		/* Require an exact sequence match on resets when possible */

		/* strict match: normal in-window segment */

		if (dst->scrub || src->scrub) {
			if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
			    *state, src, dst, &copyback))
				return (PF_DROP);
		}

		/* update max window */
		if (src->max_win < win)
			src->max_win = win;
		/* synchronize sequencing */
		if (SEQ_GT(end, src->seqlo))
			src->seqlo = end;
		/* slide the window of what the other end can send */
		if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
			dst->seqhi = ack + MAX((win << sws), 1);


		/* update states */
		if (th->th_flags & TH_SYN)
			if (src->state < TCPS_SYN_SENT)
				src->state = TCPS_SYN_SENT;
		if (th->th_flags & TH_FIN)
			if (src->state < TCPS_CLOSING)
				src->state = TCPS_CLOSING;
		if (th->th_flags & TH_ACK) {
			if (dst->state == TCPS_SYN_SENT)
				dst->state = TCPS_ESTABLISHED;
			else if (dst->state == TCPS_CLOSING)
				dst->state = TCPS_FIN_WAIT_2;
		}
		if (th->th_flags & TH_RST)
			src->state = dst->state = TCPS_TIME_WAIT;

		/* update expire time; the timeout class follows the more
		 * advanced of the two peer states */
		(*state)->expire = time.tv_sec;
		if (src->state >= TCPS_FIN_WAIT_2 &&
		    dst->state >= TCPS_FIN_WAIT_2)
			(*state)->timeout = PFTM_TCP_CLOSED;
		else if (src->state >= TCPS_CLOSING &&
		    dst->state >= TCPS_CLOSING)
			(*state)->timeout = PFTM_TCP_FIN_WAIT;
		else if (src->state < TCPS_ESTABLISHED ||
		    dst->state < TCPS_ESTABLISHED)
			(*state)->timeout = PFTM_TCP_OPENING;
		else if (src->state >= TCPS_CLOSING ||
		    dst->state >= TCPS_CLOSING)
			(*state)->timeout = PFTM_TCP_CLOSING;
		else
			(*state)->timeout = PFTM_TCP_ESTABLISHED;

		/* Fall through to PASS packet */

	} else if ((dst->state < TCPS_SYN_SENT ||
	    dst->state >= TCPS_FIN_WAIT_2 ||
	    src->state >= TCPS_FIN_WAIT_2) &&
	    SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
	    /* Within a window forward of the originating packet */
	    SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
		/* Within a window backward of the originating packet */

		/*
		 * Loose match.  This currently handles three situations:
		 * 1) Stupid stacks will shotgun SYNs before their peer
		 *    replies.
		 * 2) When PF catches an already established stream (the
		 *    firewall rebooted, the state table was flushed, routes
		 *    changed...)
		 * 3) Packets get funky immediately after the connection
		 *    closes (this should catch Solaris spurious ACK|FINs
		 *    that web servers like to spew after a close)
		 *
		 * This must be a little more careful than the above code
		 * since packet floods will also be caught here. We don't
		 * update the TTL here to mitigate the damage of a packet
		 * flood and so the same code can handle awkward establishment
		 * and a loosened connection close.
		 * In the establishment case, a correct peer response will
		 * validate the connection, go through the normal state code
		 * and keep updating the state TTL.
		 */

		if (pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf: loose state match: ");
			pf_print_state(*state);
			pf_print_flags(th->th_flags);
			printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n",
			    seq, ack, pd->p_len, ackskew,
			    (*state)->packets[0], (*state)->packets[1]);
		}

		if (dst->scrub || src->scrub) {
			if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
			    *state, src, dst, &copyback))
				return (PF_DROP);
		}

		/* update max window */
		if (src->max_win < win)
			src->max_win = win;
		/* synchronize sequencing */
		if (SEQ_GT(end, src->seqlo))
			src->seqlo = end;
		/* slide the window of what the other end can send */
		if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
			dst->seqhi = ack + MAX((win << sws), 1);

		/*
		 * Cannot set dst->seqhi here since this could be a shotgunned
		 * SYN and not an already established connection.
		 */

		if (th->th_flags & TH_FIN)
			if (src->state < TCPS_CLOSING)
				src->state = TCPS_CLOSING;
		if (th->th_flags & TH_RST)
			src->state = dst->state = TCPS_TIME_WAIT;

		/* Fall through to PASS packet (expire deliberately not touched) */

	} else {
		/* neither strict nor loose match: bad state */
		if ((*state)->dst.state == TCPS_SYN_SENT &&
		    (*state)->src.state == TCPS_SYN_SENT) {
			/* Send RST for state mismatches during handshake */
			if (!(th->th_flags & TH_RST))
				pf_send_tcp((*state)->rule.ptr, pd->af,
				    pd->dst, pd->src, th->th_dport,
				    th->th_sport, ntohl(th->th_ack), 0,
				    TH_RST, 0, 0,
				    (*state)->rule.ptr->return_ttl, 1,
				    pd->eh, kif->pfik_ifp);
			/* reset tracking so the next segment from this end
			 * is handled as a first packet (seqlo == 0 above) */
			src->seqlo = 0;
			src->seqhi = 1;
			src->max_win = 1;
		} else if (pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf: BAD state: ");
			pf_print_state(*state);
			pf_print_flags(th->th_flags);
			printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d "
			    "dir=%s,%s\n", seq, ack, pd->p_len, ackskew,
			    (*state)->packets[0], (*state)->packets[1],
			    direction == PF_IN ? "in" : "out",
			    direction == (*state)->direction ? "fwd" : "rev");
			/* digits name the failed strict (1-4) / loose (5-6) checks */
			printf("pf: State failure on: %c %c %c %c | %c %c\n",
			    SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
			    SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
			    ' ': '2',
			    (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
			    (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
			    SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
			    SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
		}
		return (PF_DROP);
	}


	/* Any packets which have gotten here are to be passed */

	/* translate source/destination address, if necessary */
	if (STATE_TRANSLATE(*state)) {
		if (direction == PF_OUT)
			pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
			    &th->th_sum, &(*state)->gwy.addr,
			    (*state)->gwy.port, 0, pd->af);
		else
			pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
			    &th->th_sum, &(*state)->lan.addr,
			    (*state)->lan.port, 0, pd->af);
		m_copyback(m, off, sizeof(*th), th);
	} else if (copyback) {
		/* Copyback sequence modulation or stateful scrub changes */
		m_copyback(m, off, sizeof(*th), th);
	}

	return (PF_PASS);
}
4006
/*
 * Stateful inspection of a UDP datagram against an existing state entry.
 *
 * Looks the state up by (address, port) pair oriented on direction, advances
 * the per-peer UDP pseudo-states (SINGLE once a side has sent, MULTIPLE once
 * both have), refreshes the expiry timeout, and rewrites the translated
 * address/port in the header when the state carries a translation.
 *
 * state      out: the matched state (set by STATE_LOOKUP).
 * direction  PF_IN or PF_OUT.
 * kif        interface the packet was seen on (used by STATE_LOOKUP).
 * m, off     the packet and the offset of the UDP header within it.
 * h          IP header; not referenced in this body.
 * pd         packet descriptor; pd->hdr.udp is the pulled-up UDP header.
 *
 * Returns PF_PASS (STATE_LOOKUP may return on its own when no state exists).
 */
int
pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
    struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
{
	struct udphdr		*uh = pd->hdr.udp;
	struct pf_state		 key;
	struct pf_state_peer	*from, *to;

	/* inbound datagrams are matched on (ext, gwy), outbound on (lan, ext) */
	key.af = pd->af;
	key.proto = IPPROTO_UDP;
	if (direction != PF_IN) {
		PF_ACPY(&key.lan.addr, pd->src, key.af);
		PF_ACPY(&key.ext.addr, pd->dst, key.af);
		key.lan.port = uh->uh_sport;
		key.ext.port = uh->uh_dport;
	} else {
		PF_ACPY(&key.ext.addr, pd->src, key.af);
		PF_ACPY(&key.gwy.addr, pd->dst, key.af);
		key.ext.port = uh->uh_sport;
		key.gwy.port = uh->uh_dport;
	}

	STATE_LOOKUP();

	/* "from" is the peer that sent this datagram */
	if (direction == (*state)->direction) {
		from = &(*state)->src;
		to = &(*state)->dst;
	} else {
		from = &(*state)->dst;
		to = &(*state)->src;
	}

	/* update states: sender has spoken; a replying peer becomes MULTIPLE */
	if (from->state < PFUDPS_SINGLE)
		from->state = PFUDPS_SINGLE;
	if (to->state == PFUDPS_SINGLE)
		to->state = PFUDPS_MULTIPLE;

	/* update expire time */
	(*state)->expire = time.tv_sec;
	(*state)->timeout =
	    (from->state == PFUDPS_MULTIPLE && to->state == PFUDPS_MULTIPLE) ?
	    PFTM_UDP_MULTIPLE : PFTM_UDP_SINGLE;

	/* translate source/destination address, if necessary */
	if (STATE_TRANSLATE(*state)) {
		struct pf_addr		*addr;
		u_int16_t		*port;
		struct pf_state_host	*nh;

		if (direction == PF_OUT) {
			addr = pd->src;
			port = &uh->uh_sport;
			nh = &(*state)->gwy;
		} else {
			addr = pd->dst;
			port = &uh->uh_dport;
			nh = &(*state)->lan;
		}
		pf_change_ap(addr, port, pd->ip_sum, &uh->uh_sum,
		    &nh->addr, nh->port, 1, pd->af);
		m_copyback(m, off, sizeof(*uh), uh);
	}

	return (PF_PASS);
}
4067
4068 int
pf_test_state_icmp(struct pf_state ** state,int direction,struct pfi_kif * kif,struct mbuf * m,int off,void * h,struct pf_pdesc * pd)4069 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
4070 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4071 {
4072 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4073 u_int16_t icmpid, *icmpsum;
4074 u_int8_t icmptype;
4075 int state_icmp = 0;
4076
4077 switch (pd->proto) {
4078 #ifdef INET
4079 case IPPROTO_ICMP:
4080 icmptype = pd->hdr.icmp->icmp_type;
4081 icmpid = pd->hdr.icmp->icmp_id;
4082 icmpsum = &pd->hdr.icmp->icmp_cksum;
4083
4084 if (icmptype == ICMP_UNREACH ||
4085 icmptype == ICMP_SOURCEQUENCH ||
4086 icmptype == ICMP_REDIRECT ||
4087 icmptype == ICMP_TIMXCEED ||
4088 icmptype == ICMP_PARAMPROB)
4089 state_icmp++;
4090 break;
4091 #endif /* INET */
4092 #ifdef INET6
4093 case IPPROTO_ICMPV6:
4094 icmptype = pd->hdr.icmp6->icmp6_type;
4095 icmpid = pd->hdr.icmp6->icmp6_id;
4096 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
4097
4098 if (icmptype == ICMP6_DST_UNREACH ||
4099 icmptype == ICMP6_PACKET_TOO_BIG ||
4100 icmptype == ICMP6_TIME_EXCEEDED ||
4101 icmptype == ICMP6_PARAM_PROB)
4102 state_icmp++;
4103 break;
4104 #endif /* INET6 */
4105 }
4106
4107 if (!state_icmp) {
4108
4109 /*
4110 * ICMP query/reply message not related to a TCP/UDP packet.
4111 * Search for an ICMP state.
4112 */
4113 struct pf_state key;
4114
4115 key.af = pd->af;
4116 key.proto = pd->proto;
4117 if (direction == PF_IN) {
4118 PF_ACPY(&key.ext.addr, pd->src, key.af);
4119 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4120 key.ext.port = icmpid;
4121 key.gwy.port = icmpid;
4122 } else {
4123 PF_ACPY(&key.lan.addr, pd->src, key.af);
4124 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4125 key.lan.port = icmpid;
4126 key.ext.port = icmpid;
4127 }
4128
4129 STATE_LOOKUP();
4130
4131 (*state)->expire = time.tv_sec;
4132 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
4133
4134 /* translate source/destination address, if necessary */
4135 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) {
4136 if (direction == PF_OUT) {
4137 switch (pd->af) {
4138 #ifdef INET
4139 case AF_INET:
4140 pf_change_a(&saddr->v4.s_addr,
4141 pd->ip_sum,
4142 (*state)->gwy.addr.v4.s_addr, 0);
4143 break;
4144 #endif /* INET */
4145 #ifdef INET6
4146 case AF_INET6:
4147 pf_change_a6(saddr,
4148 &pd->hdr.icmp6->icmp6_cksum,
4149 &(*state)->gwy.addr, 0);
4150 m_copyback(m, off,
4151 sizeof(struct icmp6_hdr),
4152 pd->hdr.icmp6);
4153 break;
4154 #endif /* INET6 */
4155 }
4156 } else {
4157 switch (pd->af) {
4158 #ifdef INET
4159 case AF_INET:
4160 pf_change_a(&daddr->v4.s_addr,
4161 pd->ip_sum,
4162 (*state)->lan.addr.v4.s_addr, 0);
4163 break;
4164 #endif /* INET */
4165 #ifdef INET6
4166 case AF_INET6:
4167 pf_change_a6(daddr,
4168 &pd->hdr.icmp6->icmp6_cksum,
4169 &(*state)->lan.addr, 0);
4170 m_copyback(m, off,
4171 sizeof(struct icmp6_hdr),
4172 pd->hdr.icmp6);
4173 break;
4174 #endif /* INET6 */
4175 }
4176 }
4177 }
4178
4179 return (PF_PASS);
4180
4181 } else {
4182 /*
4183 * ICMP error message in response to a TCP/UDP packet.
4184 * Extract the inner TCP/UDP header and search for that state.
4185 */
4186
4187 struct pf_pdesc pd2;
4188 #ifdef INET
4189 struct ip h2;
4190 #endif /* INET */
4191 #ifdef INET6
4192 struct ip6_hdr h2_6;
4193 int terminal = 0;
4194 #endif /* INET6 */
4195 int ipoff2;
4196 int off2;
4197
4198 pd2.af = pd->af;
4199 switch (pd->af) {
4200 #ifdef INET
4201 case AF_INET:
4202 /* offset of h2 in mbuf chain */
4203 ipoff2 = off + ICMP_MINLEN;
4204
4205 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
4206 NULL, NULL, pd2.af)) {
4207 DPFPRINTF(PF_DEBUG_MISC,
4208 ("pf: ICMP error message too short "
4209 "(ip)\n"));
4210 return (PF_DROP);
4211 }
4212 /*
4213 * ICMP error messages don't refer to non-first
4214 * fragments
4215 */
4216 if (h2.ip_off & htons(IP_OFFMASK))
4217 return (PF_DROP);
4218
4219 /* offset of protocol header that follows h2 */
4220 off2 = ipoff2 + (h2.ip_hl << 2);
4221
4222 pd2.proto = h2.ip_p;
4223 pd2.src = (struct pf_addr *)&h2.ip_src;
4224 pd2.dst = (struct pf_addr *)&h2.ip_dst;
4225 pd2.ip_sum = &h2.ip_sum;
4226 break;
4227 #endif /* INET */
4228 #ifdef INET6
4229 case AF_INET6:
4230 ipoff2 = off + sizeof(struct icmp6_hdr);
4231
4232 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
4233 NULL, NULL, pd2.af)) {
4234 DPFPRINTF(PF_DEBUG_MISC,
4235 ("pf: ICMP error message too short "
4236 "(ip6)\n"));
4237 return (PF_DROP);
4238 }
4239 pd2.proto = h2_6.ip6_nxt;
4240 pd2.src = (struct pf_addr *)&h2_6.ip6_src;
4241 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
4242 pd2.ip_sum = NULL;
4243 off2 = ipoff2 + sizeof(h2_6);
4244 do {
4245 switch (pd2.proto) {
4246 case IPPROTO_FRAGMENT:
4247 /*
4248 * ICMPv6 error messages for
4249 * non-first fragments
4250 */
4251 return (PF_DROP);
4252 case IPPROTO_AH:
4253 case IPPROTO_HOPOPTS:
4254 case IPPROTO_ROUTING:
4255 case IPPROTO_DSTOPTS: {
4256 /* get next header and header length */
4257 struct ip6_ext opt6;
4258
4259 if (!pf_pull_hdr(m, off2, &opt6,
4260 sizeof(opt6), NULL, NULL, pd2.af)) {
4261 DPFPRINTF(PF_DEBUG_MISC,
4262 ("pf: ICMPv6 short opt\n"));
4263 return (PF_DROP);
4264 }
4265 if (pd2.proto == IPPROTO_AH)
4266 off2 += (opt6.ip6e_len + 2) * 4;
4267 else
4268 off2 += (opt6.ip6e_len + 1) * 8;
4269 pd2.proto = opt6.ip6e_nxt;
4270 /* goto the next header */
4271 break;
4272 }
4273 default:
4274 terminal++;
4275 break;
4276 }
4277 } while (!terminal);
4278 break;
4279 #endif /* INET6 */
4280 }
4281
4282 switch (pd2.proto) {
4283 case IPPROTO_TCP: {
4284 struct tcphdr th;
4285 u_int32_t seq;
4286 struct pf_state key;
4287 struct pf_state_peer *src, *dst;
4288 u_int8_t dws;
4289 int copyback = 0;
4290
4291 /*
4292 * Only the first 8 bytes of the TCP header can be
4293 * expected. Don't access any TCP header fields after
4294 * th_seq, an ackskew test is not possible.
4295 */
4296 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) {
4297 DPFPRINTF(PF_DEBUG_MISC,
4298 ("pf: ICMP error message too short "
4299 "(tcp)\n"));
4300 return (PF_DROP);
4301 }
4302
4303 key.af = pd2.af;
4304 key.proto = IPPROTO_TCP;
4305 if (direction == PF_IN) {
4306 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4307 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4308 key.ext.port = th.th_dport;
4309 key.gwy.port = th.th_sport;
4310 } else {
4311 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4312 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4313 key.lan.port = th.th_dport;
4314 key.ext.port = th.th_sport;
4315 }
4316
4317 STATE_LOOKUP();
4318
4319 if (direction == (*state)->direction) {
4320 src = &(*state)->dst;
4321 dst = &(*state)->src;
4322 } else {
4323 src = &(*state)->src;
4324 dst = &(*state)->dst;
4325 }
4326
4327 if (src->wscale && dst->wscale &&
4328 !(th.th_flags & TH_SYN))
4329 dws = dst->wscale & PF_WSCALE_MASK;
4330 else
4331 dws = 0;
4332
4333 /* Demodulate sequence number */
4334 seq = ntohl(th.th_seq) - src->seqdiff;
4335 if (src->seqdiff) {
4336 pf_change_a(&th.th_seq, icmpsum,
4337 htonl(seq), 0);
4338 copyback = 1;
4339 }
4340
4341 if (!SEQ_GEQ(src->seqhi, seq) ||
4342 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) {
4343 if (pf_status.debug >= PF_DEBUG_MISC) {
4344 printf("pf: BAD ICMP %d:%d ",
4345 icmptype, pd->hdr.icmp->icmp_code);
4346 pf_print_host(pd->src, 0, pd->af);
4347 printf(" -> ");
4348 pf_print_host(pd->dst, 0, pd->af);
4349 printf(" state: ");
4350 pf_print_state(*state);
4351 printf(" seq=%u\n", seq);
4352 }
4353 return (PF_DROP);
4354 }
4355
4356 if (STATE_TRANSLATE(*state)) {
4357 if (direction == PF_IN) {
4358 pf_change_icmp(pd2.src, &th.th_sport,
4359 daddr, &(*state)->lan.addr,
4360 (*state)->lan.port, NULL,
4361 pd2.ip_sum, icmpsum,
4362 pd->ip_sum, 0, pd2.af);
4363 } else {
4364 pf_change_icmp(pd2.dst, &th.th_dport,
4365 saddr, &(*state)->gwy.addr,
4366 (*state)->gwy.port, NULL,
4367 pd2.ip_sum, icmpsum,
4368 pd->ip_sum, 0, pd2.af);
4369 }
4370 copyback = 1;
4371 }
4372
4373 if (copyback) {
4374 switch (pd2.af) {
4375 #ifdef INET
4376 case AF_INET:
4377 m_copyback(m, off, ICMP_MINLEN,
4378 pd->hdr.icmp);
4379 m_copyback(m, ipoff2, sizeof(h2),
4380 &h2);
4381 break;
4382 #endif /* INET */
4383 #ifdef INET6
4384 case AF_INET6:
4385 m_copyback(m, off,
4386 sizeof(struct icmp6_hdr),
4387 pd->hdr.icmp6);
4388 m_copyback(m, ipoff2, sizeof(h2_6),
4389 &h2_6);
4390 break;
4391 #endif /* INET6 */
4392 }
4393 m_copyback(m, off2, 8, &th);
4394 }
4395
4396 return (PF_PASS);
4397 break;
4398 }
4399 case IPPROTO_UDP: {
4400 struct udphdr uh;
4401 struct pf_state key;
4402
4403 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
4404 NULL, NULL, pd2.af)) {
4405 DPFPRINTF(PF_DEBUG_MISC,
4406 ("pf: ICMP error message too short "
4407 "(udp)\n"));
4408 return (PF_DROP);
4409 }
4410
4411 key.af = pd2.af;
4412 key.proto = IPPROTO_UDP;
4413 if (direction == PF_IN) {
4414 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4415 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4416 key.ext.port = uh.uh_dport;
4417 key.gwy.port = uh.uh_sport;
4418 } else {
4419 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4420 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4421 key.lan.port = uh.uh_dport;
4422 key.ext.port = uh.uh_sport;
4423 }
4424
4425 STATE_LOOKUP();
4426
4427 if (STATE_TRANSLATE(*state)) {
4428 if (direction == PF_IN) {
4429 pf_change_icmp(pd2.src, &uh.uh_sport,
4430 daddr, &(*state)->lan.addr,
4431 (*state)->lan.port, &uh.uh_sum,
4432 pd2.ip_sum, icmpsum,
4433 pd->ip_sum, 1, pd2.af);
4434 } else {
4435 pf_change_icmp(pd2.dst, &uh.uh_dport,
4436 saddr, &(*state)->gwy.addr,
4437 (*state)->gwy.port, &uh.uh_sum,
4438 pd2.ip_sum, icmpsum,
4439 pd->ip_sum, 1, pd2.af);
4440 }
4441 switch (pd2.af) {
4442 #ifdef INET
4443 case AF_INET:
4444 m_copyback(m, off, ICMP_MINLEN,
4445 pd->hdr.icmp);
4446 m_copyback(m, ipoff2, sizeof(h2), &h2);
4447 break;
4448 #endif /* INET */
4449 #ifdef INET6
4450 case AF_INET6:
4451 m_copyback(m, off,
4452 sizeof(struct icmp6_hdr),
4453 pd->hdr.icmp6);
4454 m_copyback(m, ipoff2, sizeof(h2_6),
4455 &h2_6);
4456 break;
4457 #endif /* INET6 */
4458 }
4459 m_copyback(m, off2, sizeof(uh), &uh);
4460 }
4461
4462 return (PF_PASS);
4463 break;
4464 }
4465 #ifdef INET
4466 case IPPROTO_ICMP: {
4467 struct icmp iih;
4468 struct pf_state key;
4469
4470 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
4471 NULL, NULL, pd2.af)) {
4472 DPFPRINTF(PF_DEBUG_MISC,
4473 ("pf: ICMP error message too short i"
4474 "(icmp)\n"));
4475 return (PF_DROP);
4476 }
4477
4478 key.af = pd2.af;
4479 key.proto = IPPROTO_ICMP;
4480 if (direction == PF_IN) {
4481 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4482 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4483 key.ext.port = iih.icmp_id;
4484 key.gwy.port = iih.icmp_id;
4485 } else {
4486 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4487 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4488 key.lan.port = iih.icmp_id;
4489 key.ext.port = iih.icmp_id;
4490 }
4491
4492 STATE_LOOKUP();
4493
4494 if (STATE_TRANSLATE(*state)) {
4495 if (direction == PF_IN) {
4496 pf_change_icmp(pd2.src, &iih.icmp_id,
4497 daddr, &(*state)->lan.addr,
4498 (*state)->lan.port, NULL,
4499 pd2.ip_sum, icmpsum,
4500 pd->ip_sum, 0, AF_INET);
4501 } else {
4502 pf_change_icmp(pd2.dst, &iih.icmp_id,
4503 saddr, &(*state)->gwy.addr,
4504 (*state)->gwy.port, NULL,
4505 pd2.ip_sum, icmpsum,
4506 pd->ip_sum, 0, AF_INET);
4507 }
4508 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp);
4509 m_copyback(m, ipoff2, sizeof(h2), &h2);
4510 m_copyback(m, off2, ICMP_MINLEN, &iih);
4511 }
4512
4513 return (PF_PASS);
4514 break;
4515 }
4516 #endif /* INET */
4517 #ifdef INET6
4518 case IPPROTO_ICMPV6: {
4519 struct icmp6_hdr iih;
4520 struct pf_state key;
4521
4522 if (!pf_pull_hdr(m, off2, &iih,
4523 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) {
4524 DPFPRINTF(PF_DEBUG_MISC,
4525 ("pf: ICMP error message too short "
4526 "(icmp6)\n"));
4527 return (PF_DROP);
4528 }
4529
4530 key.af = pd2.af;
4531 key.proto = IPPROTO_ICMPV6;
4532 if (direction == PF_IN) {
4533 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4534 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4535 key.ext.port = iih.icmp6_id;
4536 key.gwy.port = iih.icmp6_id;
4537 } else {
4538 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4539 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4540 key.lan.port = iih.icmp6_id;
4541 key.ext.port = iih.icmp6_id;
4542 }
4543
4544 STATE_LOOKUP();
4545
4546 if (STATE_TRANSLATE(*state)) {
4547 if (direction == PF_IN) {
4548 pf_change_icmp(pd2.src, &iih.icmp6_id,
4549 daddr, &(*state)->lan.addr,
4550 (*state)->lan.port, NULL,
4551 pd2.ip_sum, icmpsum,
4552 pd->ip_sum, 0, AF_INET6);
4553 } else {
4554 pf_change_icmp(pd2.dst, &iih.icmp6_id,
4555 saddr, &(*state)->gwy.addr,
4556 (*state)->gwy.port, NULL,
4557 pd2.ip_sum, icmpsum,
4558 pd->ip_sum, 0, AF_INET6);
4559 }
4560 m_copyback(m, off, sizeof(struct icmp6_hdr),
4561 pd->hdr.icmp6);
4562 m_copyback(m, ipoff2, sizeof(h2_6), &h2_6);
4563 m_copyback(m, off2, sizeof(struct icmp6_hdr),
4564 &iih);
4565 }
4566
4567 return (PF_PASS);
4568 break;
4569 }
4570 #endif /* INET6 */
4571 default: {
4572 struct pf_state key;
4573
4574 key.af = pd2.af;
4575 key.proto = pd2.proto;
4576 if (direction == PF_IN) {
4577 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4578 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4579 key.ext.port = 0;
4580 key.gwy.port = 0;
4581 } else {
4582 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4583 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4584 key.lan.port = 0;
4585 key.ext.port = 0;
4586 }
4587
4588 STATE_LOOKUP();
4589
4590 if (STATE_TRANSLATE(*state)) {
4591 if (direction == PF_IN) {
4592 pf_change_icmp(pd2.src, NULL,
4593 daddr, &(*state)->lan.addr,
4594 0, NULL,
4595 pd2.ip_sum, icmpsum,
4596 pd->ip_sum, 0, pd2.af);
4597 } else {
4598 pf_change_icmp(pd2.dst, NULL,
4599 saddr, &(*state)->gwy.addr,
4600 0, NULL,
4601 pd2.ip_sum, icmpsum,
4602 pd->ip_sum, 0, pd2.af);
4603 }
4604 switch (pd2.af) {
4605 #ifdef INET
4606 case AF_INET:
4607 m_copyback(m, off, ICMP_MINLEN,
4608 pd->hdr.icmp);
4609 m_copyback(m, ipoff2, sizeof(h2), &h2);
4610 break;
4611 #endif /* INET */
4612 #ifdef INET6
4613 case AF_INET6:
4614 m_copyback(m, off,
4615 sizeof(struct icmp6_hdr),
4616 pd->hdr.icmp6);
4617 m_copyback(m, ipoff2, sizeof(h2_6),
4618 &h2_6);
4619 break;
4620 #endif /* INET6 */
4621 }
4622 }
4623
4624 return (PF_PASS);
4625 break;
4626 }
4627 }
4628 }
4629 }
4630
/*
 * State tracking for protocols other than TCP, UDP and ICMP (everything
 * that reaches the default case of pf_test()).  Such states carry no
 * ports: the lookup key is address family, protocol and the two addresses.
 *
 *   state      out: the matching state, filled in by STATE_LOOKUP()
 *   direction  PF_IN or PF_OUT
 *   kif        interface the packet is on; consumed by the state lookup
 *   pd         packet descriptor; pd->src / pd->dst are rewritten in place
 *              when the state carries a translation
 *
 * Returns PF_PASS once a state matched, after bumping the peer state
 * machine, refreshing the expiry/timeout class and applying any address
 * translation.  STATE_LOOKUP() returns from this function by itself when
 * the lookup does not yield a usable state (see the macro).
 */
int
pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
    struct pf_pdesc *pd)
{
	struct pf_state		 key;
	struct pf_state_peer	*snd, *rcv, *tmp;
	struct pf_addr		*rewrite, *naddr;

	/* Build the port-less lookup key, oriented by packet direction. */
	key.af = pd->af;
	key.proto = pd->proto;
	if (direction == PF_IN) {
		PF_ACPY(&key.ext.addr, pd->src, key.af);
		PF_ACPY(&key.gwy.addr, pd->dst, key.af);
		key.ext.port = key.gwy.port = 0;
	} else {
		PF_ACPY(&key.lan.addr, pd->src, key.af);
		PF_ACPY(&key.ext.addr, pd->dst, key.af);
		key.lan.port = key.ext.port = 0;
	}

	STATE_LOOKUP();

	/*
	 * snd is the peer that sent this packet, rcv the one receiving it.
	 * The state's own src/dst are relative to its creation direction,
	 * so they are swapped for packets travelling the other way.
	 */
	snd = &(*state)->src;
	rcv = &(*state)->dst;
	if (direction != (*state)->direction) {
		tmp = snd;
		snd = rcv;
		rcv = tmp;
	}

	/*
	 * Peer state machine: a sender is at least SINGLE; a receiver that
	 * had already sent (SINGLE) and is now being answered becomes
	 * MULTIPLE.
	 */
	if (snd->state < PFOTHERS_SINGLE)
		snd->state = PFOTHERS_SINGLE;
	if (rcv->state == PFOTHERS_SINGLE)
		rcv->state = PFOTHERS_MULTIPLE;

	/*
	 * Refresh the expiry; the longer OTHER_MULTIPLE timeout applies only
	 * once both peers have reached MULTIPLE.
	 */
	(*state)->expire = time.tv_sec;
	(*state)->timeout = (snd->state == PFOTHERS_MULTIPLE &&
	    rcv->state == PFOTHERS_MULTIPLE) ?
	    PFTM_OTHER_MULTIPLE : PFTM_OTHER_SINGLE;

	/*
	 * Translation: outbound packets get their source replaced by the
	 * gateway address, inbound ones their destination by the lan
	 * address.  For IPv4 the header checksum is patched along the way;
	 * IPv6 has no header checksum and the payload protocol is opaque
	 * here, so the address is simply overwritten.
	 */
	if (!STATE_TRANSLATE(*state))
		return (PF_PASS);

	if (direction == PF_OUT) {
		rewrite = pd->src;
		naddr = &(*state)->gwy.addr;
	} else {
		rewrite = pd->dst;
		naddr = &(*state)->lan.addr;
	}
	switch (pd->af) {
#ifdef INET
	case AF_INET:
		pf_change_a(&rewrite->v4.s_addr, pd->ip_sum,
		    naddr->v4.s_addr, 0);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		PF_ACPY(rewrite, naddr, pd->af);
		break;
#endif /* INET6 */
	}

	return (PF_PASS);
}
4711
4712 /*
4713 * ipoff and off are measured from the start of the mbuf chain.
4714 * h must be at "ipoff" on the mbuf chain.
4715 */
4716 void *
pf_pull_hdr(struct mbuf * m,int off,void * p,int len,u_short * actionp,u_short * reasonp,sa_family_t af)4717 pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
4718 u_short *actionp, u_short *reasonp, sa_family_t af)
4719 {
4720 switch (af) {
4721 #ifdef INET
4722 case AF_INET: {
4723 struct ip *h = mtod(m, struct ip *);
4724 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
4725
4726 if (fragoff) {
4727 if (fragoff >= len)
4728 ACTION_SET(actionp, PF_PASS);
4729 else {
4730 ACTION_SET(actionp, PF_DROP);
4731 REASON_SET(reasonp, PFRES_FRAG);
4732 }
4733 return (NULL);
4734 }
4735 if (m->m_pkthdr.len < off + len ||
4736 ntohs(h->ip_len) < off + len) {
4737 ACTION_SET(actionp, PF_DROP);
4738 REASON_SET(reasonp, PFRES_SHORT);
4739 return (NULL);
4740 }
4741 break;
4742 }
4743 #endif /* INET */
4744 #ifdef INET6
4745 case AF_INET6: {
4746 struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
4747
4748 if (m->m_pkthdr.len < off + len ||
4749 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
4750 (unsigned)(off + len)) {
4751 ACTION_SET(actionp, PF_DROP);
4752 REASON_SET(reasonp, PFRES_SHORT);
4753 return (NULL);
4754 }
4755 break;
4756 }
4757 #endif /* INET6 */
4758 }
4759 m_copydata(m, off, len, p);
4760 return (p);
4761 }
4762
/*
 * Report whether the routing table has a route for addr.
 *
 *   addr  address to look up; only its IPv4 half (addr->v4) is consulted
 *   af    recorded as the sockaddr family of the lookup key
 *
 * Returns 1 when a route exists, 0 otherwise.  The lookup key is a
 * sockaddr_in, so this answers correctly for AF_INET only.
 * NOTE(review): presumably every caller passes AF_INET — confirm before
 * using this for AF_INET6 addresses.
 */
int
pf_routable(struct pf_addr *addr, sa_family_t af)
{
	struct route		 ro;
	struct sockaddr_in	*sin;

	bzero(&ro, sizeof(ro));
	sin = satosin(&ro.ro_dst);
	sin->sin_family = af;
	sin->sin_len = sizeof(*sin);
	sin->sin_addr = addr->v4;

	/* Look up without cloning a host route; release whatever we got. */
	rtalloc_noclone(&ro, NO_CLONING);
	if (ro.ro_rt == NULL)
		return (0);
	RTFREE(ro.ro_rt);
	return (1);
}
4784
4785 #ifdef INET
/*
 * Route an IPv4 packet according to the rule's routing option
 * (r->rt: PF_FASTROUTE, PF_ROUTETO, PF_REPLYTO or PF_DUPTO).
 *
 *   m     in/out: the packet.  Cleared to NULL once this function has
 *         taken ownership of it (sent, fragmented or freed); left alone
 *         for dup-to, where only a copy is routed and the original keeps
 *         going on its normal path.
 *   r     the rule supplying r->rt, r->direction and the route pool
 *   dir   direction the packet is currently travelling (PF_IN / PF_OUT)
 *   oifp  interface the packet is currently on
 *   s     the matching state, or NULL; when present its rt_addr / rt_kif
 *         give the next hop and interface chosen when the state was made
 *
 * Panics on NULL or invalid arguments; callers must have validated them.
 */
void
pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
    struct pf_state *s)
{
	struct mbuf *m0, *m1;
	struct m_tag *mtag;
	struct route iproute;
	struct route *ro;
	struct sockaddr_in *dst;
	struct ip *ip;
	struct ifnet *ifp = NULL;
	struct pf_addr naddr;
	struct pf_src_node *sn = NULL;
	int error = 0;

	if (m == NULL || *m == NULL || r == NULL ||
	    (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
		panic("pf_route: invalid parameters");

	/*
	 * PACKET_TAG_PF_ROUTED carries a one-byte per-packet pass counter.
	 * A packet that has already been through here more than three times
	 * is freed, which bounds the recursion possible via pf_test() below
	 * when route-to rules point at each other.  Failing to allocate the
	 * tag also drops the packet.
	 */
	if ((mtag = m_tag_find(*m, PACKET_TAG_PF_ROUTED, NULL)) == NULL) {
		if ((mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 1, M_NOWAIT)) ==
		    NULL) {
			m0 = *m;
			*m = NULL;
			goto bad;
		}
		*(char *)(mtag + 1) = 1;
		m_tag_prepend(*m, mtag);
	} else {
		if (*(char *)(mtag + 1) > 3) {
			m0 = *m;
			*m = NULL;
			goto bad;
		}
		(*(char *)(mtag + 1))++;
	}

	/*
	 * dup-to works on a copy (with its own copy of the tag) and leaves
	 * the original untouched.  route-to acts only when the packet travels
	 * in the rule's direction, reply-to only in the opposite one; in the
	 * other case the packet is left on its normal path.
	 */
	if (r->rt == PF_DUPTO) {
		if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL)
			return;
		if ((mtag = m_tag_copy(mtag)) == NULL)
			goto bad;
		m_tag_prepend(m0, mtag);
	} else {
		if ((r->rt == PF_REPLYTO) == (r->direction == dir))
			return;
		m0 = *m;
	}

	if (m0->m_len < sizeof(struct ip))
		panic("pf_route: m0->m_len < sizeof(struct ip)");
	ip = mtod(m0, struct ip *);

	/* Default next hop: the packet's own destination. */
	ro = &iproute;
	bzero((caddr_t)ro, sizeof(*ro));
	dst = satosin(&ro->ro_dst);
	dst->sin_family = AF_INET;
	dst->sin_len = sizeof(*dst);
	dst->sin_addr = ip->ip_dst;

	/*
	 * Pick the outgoing interface and next hop.  fastroute does a plain
	 * routing-table lookup (sending to the route's gateway if it has
	 * one).  route-to / reply-to take next hop and interface from the
	 * state when one exists, otherwise from the rule's pool; a zero pool
	 * address keeps the packet's own destination as the next hop.
	 */
	if (r->rt == PF_FASTROUTE) {
		rtalloc(ro);
		if (ro->ro_rt == 0) {
			ipstat.ips_noroute++;
			goto bad;
		}

		ifp = ro->ro_rt->rt_ifp;
		ro->ro_rt->rt_use++;

		if (ro->ro_rt->rt_flags & RTF_GATEWAY)
			dst = satosin(ro->ro_rt->rt_gateway);
	} else {
		if (TAILQ_EMPTY(&r->rpool.list))
			panic("pf_route: TAILQ_EMPTY(&r->rpool.list)");
		if (s == NULL) {
			pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
			    &naddr, NULL, &sn);
			if (!PF_AZERO(&naddr, AF_INET))
				dst->sin_addr.s_addr = naddr.v4.s_addr;
			ifp = r->rpool.cur->kif ?
			    r->rpool.cur->kif->pfik_ifp : NULL;
		} else {
			if (!PF_AZERO(&s->rt_addr, AF_INET))
				dst->sin_addr.s_addr =
				    s->rt_addr.v4.s_addr;
			ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
		}
	}
	if (ifp == NULL)
		goto bad;

	/*
	 * Leaving on a different interface: the packet first passes that
	 * interface's outbound ruleset.  pf_test() may drop it, consume it
	 * (m0 becomes NULL) or hand back a different mbuf, so the header
	 * pointer is refreshed afterwards.
	 */
	if (oifp != ifp) {
		if (pf_test(PF_OUT, ifp, &m0) != PF_PASS)
			goto bad;
		else if (m0 == NULL)
			goto done;
		if (m0->m_len < sizeof(struct ip))
			panic("pf_route: m0->m_len < sizeof(struct ip)");
		ip = mtod(m0, struct ip *);
	}

	/* Copied from ip_output. */
#ifdef IPSEC
	/*
	 * If deferred crypto processing is needed, check that the
	 * interface supports it.
	 */
	if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
	    != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
		/* Notify IPsec to do its own crypto. */
		ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
		goto bad;
	}
#endif /* IPSEC */

	/*
	 * Catch routing changes wrt. hardware checksumming for TCP or UDP:
	 * a checksum the sender left for the hardware must be computed in
	 * software if the new interface cannot do it, or if it is bridged.
	 */
	if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT) {
		if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) ||
		    ifp->if_bridge != NULL) {
			in_delayed_cksum(m0);
			m0->m_pkthdr.csum &= ~M_TCPV4_CSUM_OUT; /* Clear */
		}
	} else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) {
		if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) ||
		    ifp->if_bridge != NULL) {
			in_delayed_cksum(m0);
			m0->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */
		}
	}

	/*
	 * Fits the interface MTU: fill in the IP header checksum (offloaded
	 * when the interface can and is not bridged, computed here otherwise)
	 * and hand the packet to the interface.
	 */
	if (ntohs(ip->ip_len) <= ifp->if_mtu) {
		if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
		    ifp->if_bridge == NULL) {
			m0->m_pkthdr.csum |= M_IPV4_CSUM_OUT;
			ipstat.ips_outhwcsum++;
		} else {
			ip->ip_sum = 0;
			ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
		}
		/* Update relevant hardware checksum stats for TCP/UDP */
		if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT)
			tcpstat.tcps_outhwcsum++;
		else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT)
			udpstat.udps_outhwcsum++;
		error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL);
		goto done;
	}

	/*
	 * Too large for interface; fragment if possible.
	 * Must be able to put at least 8 bytes per fragment.
	 * With DF set the sender is told the MTU instead (path MTU
	 * discovery), except for the dup-to copy, which is dropped silently.
	 */
	if (ip->ip_off & htons(IP_DF)) {
		ipstat.ips_cantfrag++;
		if (r->rt != PF_DUPTO) {
			icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
			    ifp);
			goto done;
		} else
			goto bad;
	}

	/*
	 * ip_fragment() links the fragments through m_nextpkt.  Send them
	 * in order; after the first output error the remaining fragments
	 * are only freed.
	 */
	m1 = m0;
	error = ip_fragment(m0, ifp, ifp->if_mtu);
	if (error) {
		m0 = NULL;
		goto bad;
	}

	for (m0 = m1; m0; m0 = m1) {
		m1 = m0->m_nextpkt;
		m0->m_nextpkt = 0;
		if (error == 0)
			error = (*ifp->if_output)(ifp, m0, sintosa(dst),
			    NULL);
		else
			m_freem(m0);
	}

	if (error == 0)
		ipstat.ips_fragmented++;

done:
	/* Everything but dup-to has consumed *m by now. */
	if (r->rt != PF_DUPTO)
		*m = NULL;
	if (ro == &iproute && ro->ro_rt)
		RTFREE(ro->ro_rt);
	return;

bad:
	/* m0 may be NULL here (ip_fragment error); m_freem() accepts that. */
	m_freem(m0);
	goto done;
}
4980 #endif /* INET */
4981
4982 #ifdef INET6
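/*
 * Route an IPv6 packet according to the rule's routing option
 * (r->rt: PF_FASTROUTE, PF_ROUTETO, PF_REPLYTO or PF_DUPTO); the IPv6
 * twin of pf_route().
 *
 *   m     in/out: the packet.  Cleared to NULL once this function has
 *         taken ownership of it (handed to the stack or freed); left
 *         alone for dup-to, where only a copy is routed and the original
 *         keeps going on its normal path.
 *   r     the rule supplying r->rt, r->direction and the route pool
 *   dir   direction the packet is currently travelling (PF_IN / PF_OUT)
 *   oifp  interface the packet is currently on
 *   s     the matching state, or NULL; when present its rt_addr / rt_kif
 *         give the next hop and interface chosen when the state was made
 *
 * Panics on NULL or invalid arguments; callers must have validated them.
 */
void
pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
    struct pf_state *s)
{
	struct mbuf *m0;
	struct m_tag *mtag;
	struct route_in6 ip6route;
	struct route_in6 *ro;
	struct sockaddr_in6 *dst;
	struct ip6_hdr *ip6;
	struct ifnet *ifp = NULL;
	struct pf_addr naddr;
	struct pf_src_node *sn = NULL;
	int error = 0;

	if (m == NULL || *m == NULL || r == NULL ||
	    (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
		panic("pf_route6: invalid parameters");

	/*
	 * PACKET_TAG_PF_ROUTED carries a one-byte per-packet pass counter.
	 * A packet that has already been through here more than three times
	 * is freed, which bounds the recursion possible via pf_test6() below
	 * when route-to rules point at each other.  Failing to allocate the
	 * tag also drops the packet.
	 */
	if ((mtag = m_tag_find(*m, PACKET_TAG_PF_ROUTED, NULL)) == NULL) {
		if ((mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 1, M_NOWAIT)) ==
		    NULL) {
			m0 = *m;
			*m = NULL;
			goto bad;
		}
		*(char *)(mtag + 1) = 1;
		m_tag_prepend(*m, mtag);
	} else {
		if (*(char *)(mtag + 1) > 3) {
			m0 = *m;
			*m = NULL;
			goto bad;
		}
		(*(char *)(mtag + 1))++;
	}

	/*
	 * dup-to works on a copy (with its own copy of the tag) and leaves
	 * the original untouched.  route-to acts only when the packet travels
	 * in the rule's direction, reply-to only in the opposite one; in the
	 * other case the packet is left on its normal path.
	 */
	if (r->rt == PF_DUPTO) {
		if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL)
			return;
		if ((mtag = m_tag_copy(mtag)) == NULL)
			goto bad;
		m_tag_prepend(m0, mtag);
	} else {
		if ((r->rt == PF_REPLYTO) == (r->direction == dir))
			return;
		m0 = *m;
	}

	if (m0->m_len < sizeof(struct ip6_hdr))
		panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
	ip6 = mtod(m0, struct ip6_hdr *);

	/* Default next hop: the packet's own destination. */
	ro = &ip6route;
	bzero((caddr_t)ro, sizeof(*ro));
	dst = (struct sockaddr_in6 *)&ro->ro_dst;
	dst->sin6_family = AF_INET6;
	dst->sin6_len = sizeof(*dst);
	dst->sin6_addr = ip6->ip6_dst;

	/*
	 * Cheat: fastroute hands the packet straight to ip6_output(), tagged
	 * PF_GENERATED so the filter does not look at it again.  ip6_output()
	 * takes over m0 -- which is *m, fastroute never being dup-to -- so
	 * leave through done, which clears *m.  A bare return here would
	 * hand the caller back a pointer to an mbuf it no longer owns.
	 */
	if (r->rt == PF_FASTROUTE) {
		mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
		if (mtag == NULL)
			goto bad;
		m_tag_prepend(m0, mtag);
		ip6_output(m0, NULL, NULL, 0, NULL, NULL);
		goto done;
	}

	/*
	 * route-to / reply-to: take next hop and interface from the state
	 * when one exists, otherwise from the rule's pool.  A zero pool
	 * address keeps the packet's own destination as the next hop.
	 */
	if (TAILQ_EMPTY(&r->rpool.list))
		panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)");
	if (s == NULL) {
		pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
		    &naddr, NULL, &sn);
		if (!PF_AZERO(&naddr, AF_INET6))
			PF_ACPY((struct pf_addr *)&dst->sin6_addr,
			    &naddr, AF_INET6);
		ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
	} else {
		if (!PF_AZERO(&s->rt_addr, AF_INET6))
			PF_ACPY((struct pf_addr *)&dst->sin6_addr,
			    &s->rt_addr, AF_INET6);
		ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
	}
	if (ifp == NULL)
		goto bad;

	/*
	 * Leaving on a different interface: the packet first passes that
	 * interface's outbound ruleset.  pf_test6() may drop it, consume it
	 * (m0 becomes NULL) or hand back a different mbuf, so the header
	 * pointer is refreshed afterwards.
	 */
	if (oifp != ifp) {
		if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS)
			goto bad;
		else if (m0 == NULL)
			goto done;
		if (m0->m_len < sizeof(struct ip6_hdr))
			panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
		ip6 = mtod(m0, struct ip6_hdr *);
	}

	/*
	 * Send if the packet fits the interface MTU; otherwise report the
	 * MTU to the sender, except for the dup-to copy, which is simply
	 * dropped.  A link-local next hop gets the outgoing interface index
	 * embedded first, the form the neighbour-discovery output path
	 * expects for such addresses.
	 */
	if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr))
		dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
	if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
		error = nd6_output(ifp, ifp, m0, dst, NULL);
	} else {
		in6_ifstat_inc(ifp, ifs6_in_toobig);
		if (r->rt != PF_DUPTO)
			icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
		else
			goto bad;
	}

done:
	/* Everything but dup-to has consumed *m by now. */
	if (r->rt != PF_DUPTO)
		*m = NULL;
	return;

bad:
	m_freem(m0);
	goto done;
}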
5106 #endif /* INET6 */
5107
5108
5109 /*
5110 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
5111 * off is the offset where the protocol header starts
5112 * len is the total length of protocol header plus payload
5113 * returns 0 when the checksum is valid, otherwise returns 1.
5114 */
5115 int
pf_check_proto_cksum(struct mbuf * m,int off,int len,u_int8_t p,sa_family_t af)5116 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p,
5117 sa_family_t af)
5118 {
5119 u_int16_t flag_ok, flag_bad;
5120 u_int16_t sum;
5121
5122 switch (p) {
5123 case IPPROTO_TCP:
5124 flag_ok = M_TCP_CSUM_IN_OK;
5125 flag_bad = M_TCP_CSUM_IN_BAD;
5126 break;
5127 case IPPROTO_UDP:
5128 flag_ok = M_UDP_CSUM_IN_OK;
5129 flag_bad = M_UDP_CSUM_IN_BAD;
5130 break;
5131 case IPPROTO_ICMP:
5132 #ifdef INET6
5133 case IPPROTO_ICMPV6:
5134 #endif /* INET6 */
5135 flag_ok = flag_bad = 0;
5136 break;
5137 default:
5138 return (1);
5139 }
5140 if (m->m_pkthdr.csum & flag_ok)
5141 return (0);
5142 if (m->m_pkthdr.csum & flag_bad)
5143 return (1);
5144 if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
5145 return (1);
5146 if (m->m_pkthdr.len < off + len)
5147 return (1);
5148 switch (af) {
5149 #ifdef INET
5150 case AF_INET:
5151 if (p == IPPROTO_ICMP) {
5152 if (m->m_len < off)
5153 return (1);
5154 m->m_data += off;
5155 m->m_len -= off;
5156 sum = in_cksum(m, len);
5157 m->m_data -= off;
5158 m->m_len += off;
5159 } else {
5160 if (m->m_len < sizeof(struct ip))
5161 return (1);
5162 sum = in4_cksum(m, p, off, len);
5163 }
5164 break;
5165 #endif /* INET */
5166 #ifdef INET6
5167 case AF_INET6:
5168 if (m->m_len < sizeof(struct ip6_hdr))
5169 return (1);
5170 sum = in6_cksum(m, p, off, len);
5171 break;
5172 #endif /* INET6 */
5173 default:
5174 return (1);
5175 }
5176 if (sum) {
5177 m->m_pkthdr.csum |= flag_bad;
5178 switch (p) {
5179 case IPPROTO_TCP:
5180 tcpstat.tcps_rcvbadsum++;
5181 break;
5182 case IPPROTO_UDP:
5183 udpstat.udps_badsum++;
5184 break;
5185 case IPPROTO_ICMP:
5186 icmpstat.icps_checksum++;
5187 break;
5188 #ifdef INET6
5189 case IPPROTO_ICMPV6:
5190 icmp6stat.icp6s_checksum++;
5191 break;
5192 #endif /* INET6 */
5193 }
5194 return (1);
5195 }
5196 m->m_pkthdr.csum |= flag_ok;
5197 return (0);
5198 }
5199
/*
 * Make sure m carries a (payload-less) tag of the given type.
 *
 * Returns 0 when the tag was already present or could be added, 1 when
 * allocating a new tag failed.
 */
static int
pf_add_mbuf_tag(struct mbuf *m, u_int tag)
{
	struct m_tag	*t = m_tag_find(m, tag, NULL);

	if (t != NULL)
		return (0);
	if ((t = m_tag_get(tag, 0, M_NOWAIT)) == NULL)
		return (1);
	m_tag_prepend(m, t);
	return (0);
}
5213
5214 #ifdef INET
/*
 * Filter an IPv4 packet for callers that have no Ethernet header at hand;
 * a thin wrapper around pf_test_eh() with eh == NULL.
 */
int
pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
{
	return (pf_test_eh(dir, ifp, m0, NULL));
}
5220
5221 int
pf_test_eh(int dir,struct ifnet * ifp,struct mbuf ** m0,struct ether_header * eh)5222 pf_test_eh(int dir, struct ifnet *ifp, struct mbuf **m0,
5223 struct ether_header *eh)
5224 {
5225 struct pfi_kif *kif;
5226 u_short action, reason = 0, log = 0;
5227 struct mbuf *m = *m0;
5228 struct ip *h;
5229 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
5230 struct pf_state *s = NULL;
5231 struct pf_ruleset *ruleset = NULL;
5232 struct pf_pdesc pd;
5233 int off, dirndx, pqid = 0;
5234
5235 if (!pf_status.running ||
5236 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL))
5237 return (PF_PASS);
5238
5239 kif = pfi_index2kif[ifp->if_index];
5240 if (kif == NULL)
5241 return (PF_DROP);
5242
5243 #ifdef DIAGNOSTIC
5244 if ((m->m_flags & M_PKTHDR) == 0)
5245 panic("non-M_PKTHDR is passed to pf_test");
5246 #endif /* DIAGNOSTIC */
5247
5248 memset(&pd, 0, sizeof(pd));
5249 if (m->m_pkthdr.len < (int)sizeof(*h)) {
5250 action = PF_DROP;
5251 REASON_SET(&reason, PFRES_SHORT);
5252 log = 1;
5253 goto done;
5254 }
5255
5256 /* We do IP header normalization and packet reassembly here */
5257 if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
5258 action = PF_DROP;
5259 goto done;
5260 }
5261 m = *m0;
5262 h = mtod(m, struct ip *);
5263
5264 off = h->ip_hl << 2;
5265 if (off < (int)sizeof(*h)) {
5266 action = PF_DROP;
5267 REASON_SET(&reason, PFRES_SHORT);
5268 log = 1;
5269 goto done;
5270 }
5271
5272 pd.src = (struct pf_addr *)&h->ip_src;
5273 pd.dst = (struct pf_addr *)&h->ip_dst;
5274 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
5275 pd.ip_sum = &h->ip_sum;
5276 pd.proto = h->ip_p;
5277 pd.af = AF_INET;
5278 pd.tos = h->ip_tos;
5279 pd.tot_len = ntohs(h->ip_len);
5280 pd.eh = eh;
5281
5282 /* handle fragments that didn't get reassembled by normalization */
5283 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
5284 action = pf_test_fragment(&r, dir, kif, m, h,
5285 &pd, &a, &ruleset);
5286 goto done;
5287 }
5288
5289 switch (h->ip_p) {
5290
5291 case IPPROTO_TCP: {
5292 struct tcphdr th;
5293
5294 pd.hdr.tcp = &th;
5295 if (!pf_pull_hdr(m, off, &th, sizeof(th),
5296 &action, &reason, AF_INET)) {
5297 log = action != PF_PASS;
5298 goto done;
5299 }
5300 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5301 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) {
5302 action = PF_DROP;
5303 goto done;
5304 }
5305 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5306 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
5307 pqid = 1;
5308 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5309 if (action == PF_DROP)
5310 goto done;
5311 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5312 &reason);
5313 if (action == PF_PASS) {
5314 #if NPFSYNC
5315 pfsync_update_state(s);
5316 #endif /* NPFSYNC */
5317 r = s->rule.ptr;
5318 a = s->anchor.ptr;
5319 log = s->log;
5320 } else if (s == NULL)
5321 action = pf_test_tcp(&r, &s, dir, kif,
5322 m, off, h, &pd, &a, &ruleset, &ipintrq);
5323 break;
5324 }
5325
5326 case IPPROTO_UDP: {
5327 struct udphdr uh;
5328
5329 pd.hdr.udp = &uh;
5330 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
5331 &action, &reason, AF_INET)) {
5332 log = action != PF_PASS;
5333 goto done;
5334 }
5335 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
5336 off, ntohs(h->ip_len) - off, IPPROTO_UDP, AF_INET)) {
5337 action = PF_DROP;
5338 goto done;
5339 }
5340 if (uh.uh_dport == 0 ||
5341 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
5342 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
5343 action = PF_DROP;
5344 goto done;
5345 }
5346 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5347 if (action == PF_PASS) {
5348 #if NPFSYNC
5349 pfsync_update_state(s);
5350 #endif /* NPFSYNC */
5351 r = s->rule.ptr;
5352 a = s->anchor.ptr;
5353 log = s->log;
5354 } else if (s == NULL)
5355 action = pf_test_udp(&r, &s, dir, kif,
5356 m, off, h, &pd, &a, &ruleset, &ipintrq);
5357 break;
5358 }
5359
5360 case IPPROTO_ICMP: {
5361 struct icmp ih;
5362
5363 pd.hdr.icmp = &ih;
5364 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
5365 &action, &reason, AF_INET)) {
5366 log = action != PF_PASS;
5367 goto done;
5368 }
5369 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5370 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) {
5371 action = PF_DROP;
5372 goto done;
5373 }
5374 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd);
5375 if (action == PF_PASS) {
5376 #if NPFSYNC
5377 pfsync_update_state(s);
5378 #endif /* NPFSYNC */
5379 r = s->rule.ptr;
5380 a = s->anchor.ptr;
5381 log = s->log;
5382 } else if (s == NULL)
5383 action = pf_test_icmp(&r, &s, dir, kif,
5384 m, off, h, &pd, &a, &ruleset, &ipintrq);
5385 break;
5386 }
5387
5388 #ifdef INET6
5389 case IPPROTO_ICMPV6: {
5390 action = PF_DROP;
5391 DPFPRINTF(PF_DEBUG_MISC,
5392 ("pf: dropping IPv4 packet with ICMPv6 payload\n"));
5393 goto done;
5394 }
5395 #endif
5396
5397 default:
5398 action = pf_test_state_other(&s, dir, kif, &pd);
5399 if (action == PF_PASS) {
5400 #if NPFSYNC
5401 pfsync_update_state(s);
5402 #endif /* NPFSYNC */
5403 r = s->rule.ptr;
5404 a = s->anchor.ptr;
5405 log = s->log;
5406 } else if (s == NULL)
5407 action = pf_test_other(&r, &s, dir, kif, m, off, h,
5408 &pd, &a, &ruleset, &ipintrq);
5409 break;
5410 }
5411
5412 done:
5413 if (action == PF_PASS && h->ip_hl > 5 &&
5414 !((s && s->allow_opts) || r->allow_opts)) {
5415 action = PF_DROP;
5416 REASON_SET(&reason, PFRES_SHORT);
5417 log = 1;
5418 DPFPRINTF(PF_DEBUG_MISC,
5419 ("pf: dropping packet with ip options\n"));
5420 }
5421
5422 #ifdef ALTQ
5423 if (action == PF_PASS && r->qid) {
5424 struct m_tag *mtag;
5425 struct altq_tag *atag;
5426
5427 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT);
5428 if (mtag != NULL) {
5429 atag = (struct altq_tag *)(mtag + 1);
5430 if (pqid || pd.tos == IPTOS_LOWDELAY)
5431 atag->qid = r->pqid;
5432 else
5433 atag->qid = r->qid;
5434 /* add hints for ecn */
5435 atag->af = AF_INET;
5436 atag->hdr = h;
5437 m_tag_prepend(m, mtag);
5438 }
5439 }
5440 #endif /* ALTQ */
5441
5442 /*
5443 * connections redirected to loopback should not match sockets
5444 * bound specifically to loopback due to security implications,
5445 * see tcp_input() and in_pcblookup_listen().
5446 */
5447 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5448 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5449 (s->nat_rule.ptr->action == PF_RDR ||
5450 s->nat_rule.ptr->action == PF_BINAT) &&
5451 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET &&
5452 pf_add_mbuf_tag(m, PACKET_TAG_PF_TRANSLATE_LOCALHOST)) {
5453 action = PF_DROP;
5454 REASON_SET(&reason, PFRES_MEMORY);
5455 }
5456
5457 if (log)
5458 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset);
5459
5460 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
5461 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
5462
5463 if (action == PF_PASS || r->action == PF_DROP) {
5464 r->packets++;
5465 r->bytes += pd.tot_len;
5466 if (a != NULL) {
5467 a->packets++;
5468 a->bytes += pd.tot_len;
5469 }
5470 if (s != NULL) {
5471 dirndx = (dir == s->direction) ? 0 : 1;
5472 s->packets[dirndx]++;
5473 s->bytes[dirndx] += pd.tot_len;
5474 if (s->nat_rule.ptr != NULL) {
5475 s->nat_rule.ptr->packets++;
5476 s->nat_rule.ptr->bytes += pd.tot_len;
5477 }
5478 if (s->src_node != NULL) {
5479 s->src_node->packets++;
5480 s->src_node->bytes += pd.tot_len;
5481 }
5482 if (s->nat_src_node != NULL) {
5483 s->nat_src_node->packets++;
5484 s->nat_src_node->bytes += pd.tot_len;
5485 }
5486 }
5487 tr = r;
5488 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
5489 if (nr != NULL) {
5490 struct pf_addr *x;
5491 /*
5492 * XXX: we need to make sure that the addresses
5493 * passed to pfr_update_stats() are the same than
5494 * the addresses used during matching (pfr_match)
5495 */
5496 if (r == &pf_default_rule) {
5497 tr = nr;
5498 x = (s == NULL || s->direction == dir) ?
5499 &pd.baddr : &pd.naddr;
5500 } else
5501 x = (s == NULL || s->direction == dir) ?
5502 &pd.naddr : &pd.baddr;
5503 if (x == &pd.baddr || s == NULL) {
5504 /* we need to change the address */
5505 if (dir == PF_OUT)
5506 pd.src = x;
5507 else
5508 pd.dst = x;
5509 }
5510 }
5511 if (tr->src.addr.type == PF_ADDR_TABLE)
5512 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
5513 s->direction == dir) ? pd.src : pd.dst, pd.af,
5514 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5515 tr->src.not);
5516 if (tr->dst.addr.type == PF_ADDR_TABLE)
5517 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
5518 s->direction == dir) ? pd.dst : pd.src, pd.af,
5519 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5520 tr->dst.not);
5521 }
5522
5523
5524 if (action == PF_SYNPROXY_DROP) {
5525 m_freem(*m0);
5526 *m0 = NULL;
5527 action = PF_PASS;
5528 } else if (r->rt)
5529 /* pf_route can free the mbuf causing *m0 to become NULL */
5530 pf_route(m0, r, dir, ifp, s);
5531
5532 return (action);
5533 }
5534 #endif /* INET */
5535
5536 #ifdef INET6
/*
 * IPv6 entry point for callers that have no Ethernet header at hand.
 * Identical to pf_test6_eh() with eh == NULL; see that function for the
 * return value and the *m0 ownership rules.
 */
int
pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
{
	struct ether_header	*no_eh = NULL;

	return (pf_test6_eh(dir, ifp, m0, no_eh));
}
5542
/*
 * Filter one IPv6 packet (*m0) seen on interface ifp in direction dir
 * (PF_IN or PF_OUT). eh is the Ethernet header when the caller has one,
 * else NULL; it is only recorded in pd.eh for the rule tests.
 *
 * Returns PF_PASS or PF_DROP. A PF_SYNPROXY_DROP coming out of the TCP
 * path is converted to PF_PASS after the mbuf has been freed and *m0 set
 * to NULL, and pf_route6() may free the mbuf as well, so callers must
 * re-read *m0 on return and treat NULL as "consumed".
 */
int
pf_test6_eh(int dir, struct ifnet *ifp, struct mbuf **m0,
    struct ether_header *eh)
{
	struct pfi_kif		*kif;
	u_short			 action, reason = 0, log = 0;
	struct mbuf		*m = *m0;
	struct ip6_hdr		*h;
	struct pf_rule		*a = NULL, *r = &pf_default_rule, *tr, *nr;
	struct pf_state		*s = NULL;
	struct pf_ruleset	*ruleset = NULL;
	struct pf_pdesc		 pd;
	int			 off, terminal = 0, dirndx;

	/*
	 * pf disabled, or an mbuf tagged PACKET_TAG_PF_GENERATED (pf's own
	 * output): skip filtering entirely.
	 */
	if (!pf_status.running ||
	    (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL))
		return (PF_PASS);

	/* No kif for this interface index: nothing to match against, drop. */
	kif = pfi_index2kif[ifp->if_index];
	if (kif == NULL)
		return (PF_DROP);

#ifdef DIAGNOSTIC
	if ((m->m_flags & M_PKTHDR) == 0)
		panic("non-M_PKTHDR is passed to pf_test");
#endif /* DIAGNOSTIC */

	memset(&pd, 0, sizeof(pd));
	/* Too short to hold even the fixed 40-byte IPv6 header. */
	if (m->m_pkthdr.len < (int)sizeof(*h)) {
		action = PF_DROP;
		REASON_SET(&reason, PFRES_SHORT);
		log = 1;
		goto done;
	}

	/*
	 * We do IP header normalization and packet reassembly here.
	 * Normalization may replace the mbuf chain, which is why m and h
	 * are re-derived from *m0 afterwards.
	 */
	if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
		action = PF_DROP;
		goto done;
	}
	m = *m0;
	h = mtod(m, struct ip6_hdr *);

	pd.src = (struct pf_addr *)&h->ip6_src;
	pd.dst = (struct pf_addr *)&h->ip6_dst;
	/* Keep the pre-translation address of the side NAT would rewrite. */
	PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
	pd.ip_sum = NULL;
	pd.af = AF_INET6;
	pd.tos = 0;
	/*
	 * NOTE(review): tot_len is taken from the wire payload length and is
	 * not cross-checked against m_pkthdr.len here; presumably
	 * pf_normalize_ip6() validates it -- confirm before trusting it for
	 * the accounting below.
	 */
	pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
	pd.eh = eh;

	/*
	 * Walk the extension-header chain to reach the upper-layer protocol.
	 * Every header is pulled with pf_pull_hdr(), which fails when it does
	 * not fit in the packet; a fragment header is handed to
	 * pf_test_fragment() and leaves directly. Nothing bounds the number
	 * of headers except the packet length, and (see the XXX at done:)
	 * carrying extension headers is not subject to allow-opts the way
	 * IPv4 options are in pf_test().
	 */
	off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
	pd.proto = h->ip6_nxt;
	do {
		switch (pd.proto) {
		case IPPROTO_FRAGMENT:
			action = pf_test_fragment(&r, dir, kif, m, h,
			    &pd, &a, &ruleset);
			if (action == PF_DROP)
				REASON_SET(&reason, PFRES_FRAG);
			goto done;
		case IPPROTO_AH:
		case IPPROTO_HOPOPTS:
		case IPPROTO_ROUTING:
		case IPPROTO_DSTOPTS: {
			/* get next header and header length */
			struct ip6_ext	opt6;

			if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
			    NULL, NULL, pd.af)) {
				DPFPRINTF(PF_DEBUG_MISC,
				    ("pf: IPv6 short opt\n"));
				action = PF_DROP;
				REASON_SET(&reason, PFRES_SHORT);
				log = 1;
				goto done;
			}
			/*
			 * AH's length field counts 32-bit words minus 2; the
			 * option headers count 8-octet units minus 1.
			 */
			if (pd.proto == IPPROTO_AH)
				off += (opt6.ip6e_len + 2) * 4;
			else
				off += (opt6.ip6e_len + 1) * 8;
			pd.proto = opt6.ip6e_nxt;
			/* goto the next header */
			break;
		}
		default:
			terminal++;
			break;
		}
	} while (!terminal);

	switch (pd.proto) {

	case IPPROTO_TCP: {
		struct tcphdr	th;

		pd.hdr.tcp = &th;
		if (!pf_pull_hdr(m, off, &th, sizeof(th),
		    &action, &reason, AF_INET6)) {
			log = action != PF_PASS;
			goto done;
		}
		/*
		 * Inbound only: verify the transport checksum over the data
		 * following the extension headers. NOTE(review): if the
		 * extension headers claim more than ip6_plen, this length
		 * expression wraps (unsigned arithmetic); presumably
		 * pf_check_proto_cksum() bounds it against the mbuf -- confirm.
		 * The same expression is used in the UDP and ICMPv6 cases.
		 */
		if (dir == PF_IN && pf_check_proto_cksum(m, off,
		    ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
		    IPPROTO_TCP, AF_INET6)) {
			action = PF_DROP;
			goto done;
		}
		/*
		 * NOTE(review): th_off comes straight off the wire and is not
		 * range-checked here; presumably pf_normalize_tcp() rejects a
		 * bogus data offset before p_len is relied upon -- confirm.
		 */
		pd.p_len = pd.tot_len - off - (th.th_off << 2);
		action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
		if (action == PF_DROP)
			goto done;
		/* Existing state first; only a stateless packet hits the ruleset. */
		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
		    &reason);
		if (action == PF_PASS) {
#if NPFSYNC
			pfsync_update_state(s);
#endif /* NPFSYNC */
			r = s->rule.ptr;
			a = s->anchor.ptr;
			log = s->log;
		} else if (s == NULL)
			action = pf_test_tcp(&r, &s, dir, kif,
			    m, off, h, &pd, &a, &ruleset, &ip6intrq);
		break;
	}

	case IPPROTO_UDP: {
		struct udphdr	uh;

		pd.hdr.udp = &uh;
		if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
		    &action, &reason, AF_INET6)) {
			log = action != PF_PASS;
			goto done;
		}
		/*
		 * Inbound checksum check, skipped when the checksum field is
		 * zero (mirroring the IPv4 path). NOTE(review): IPv6 makes the
		 * UDP checksum mandatory and RFC 2460 requires receivers to
		 * discard zero-checksum UDP, so such packets pass here
		 * unverified -- confirm the stack behind pf rejects them, or
		 * consider dropping them here.
		 */
		if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
		    off, ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
		    IPPROTO_UDP, AF_INET6)) {
			action = PF_DROP;
			goto done;
		}
		/*
		 * Reject destination port 0, a UDP length running past the
		 * data actually present in the mbuf chain, and one shorter
		 * than the UDP header itself.
		 */
		if (uh.uh_dport == 0 ||
		    ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
		    ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
			action = PF_DROP;
			goto done;
		}
		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
		if (action == PF_PASS) {
#if NPFSYNC
			pfsync_update_state(s);
#endif /* NPFSYNC */
			r = s->rule.ptr;
			a = s->anchor.ptr;
			log = s->log;
		} else if (s == NULL)
			action = pf_test_udp(&r, &s, dir, kif,
			    m, off, h, &pd, &a, &ruleset, &ip6intrq);
		break;
	}

	/* IPv4 ICMP is never a valid IPv6 payload: drop, not logged. */
	case IPPROTO_ICMP: {
		action = PF_DROP;
		DPFPRINTF(PF_DEBUG_MISC,
		    ("pf: dropping IPv6 packet with ICMPv4 payload\n"));
		goto done;
	}

	case IPPROTO_ICMPV6: {
		struct icmp6_hdr	ih;

		pd.hdr.icmp6 = &ih;
		if (!pf_pull_hdr(m, off, &ih, sizeof(ih),
		    &action, &reason, AF_INET6)) {
			log = action != PF_PASS;
			goto done;
		}
		/* ICMPv6 carries a mandatory checksum; verified inbound. */
		if (dir == PF_IN && pf_check_proto_cksum(m, off,
		    ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
		    IPPROTO_ICMPV6, AF_INET6)) {
			action = PF_DROP;
			goto done;
		}
		action = pf_test_state_icmp(&s, dir, kif,
		    m, off, h, &pd);
		if (action == PF_PASS) {
#if NPFSYNC
			pfsync_update_state(s);
#endif /* NPFSYNC */
			r = s->rule.ptr;
			a = s->anchor.ptr;
			log = s->log;
		} else if (s == NULL)
			action = pf_test_icmp(&r, &s, dir, kif,
			    m, off, h, &pd, &a, &ruleset, &ip6intrq);
		break;
	}

	/* Any other upper-layer protocol: address/proto-only state and rules. */
	default:
		action = pf_test_state_other(&s, dir, kif, &pd);
		if (action == PF_PASS) {
#if NPFSYNC
			pfsync_update_state(s);
#endif /* NPFSYNC */
			r = s->rule.ptr;
			a = s->anchor.ptr;
			log = s->log;
		} else if (s == NULL)
			action = pf_test_other(&r, &s, dir, kif, m, off, h,
			    &pd, &a, &ruleset, &ip6intrq);
		break;
	}

done:
	/*
	 * XXX handle IPv6 options, if not allowed. not implemented.
	 * Unlike pf_test(), which drops packets carrying IPv4 options unless
	 * the matching rule or state has allow_opts, nothing here rejects a
	 * packet for carrying extension headers.
	 */

#ifdef ALTQ
	/*
	 * ALTQ: tag the mbuf with the rule's queue id. A failed tag
	 * allocation is tolerated -- the packet still passes, unqueued.
	 */
	if (action == PF_PASS && r->qid) {
		struct m_tag	*mtag;
		struct altq_tag	*atag;

		mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT);
		if (mtag != NULL) {
			atag = (struct altq_tag *)(mtag + 1);
			/*
			 * pd.tos was zeroed above, so unless one of the
			 * pf_test_*() calls changed it this never selects
			 * pqid for IPv6 (the IPv4 path additionally consults
			 * a pqid flag that has no counterpart here).
			 */
			if (pd.tos == IPTOS_LOWDELAY)
				atag->qid = r->pqid;
			else
				atag->qid = r->qid;
			/* add hints for ecn */
			atag->af = AF_INET6;
			atag->hdr = h;
			m_tag_prepend(m, mtag);
		}
	}
#endif /* ALTQ */

	/*
	 * Inbound TCP/UDP connections redirected (rdr/binat) to the loopback
	 * address are tagged so they do not match sockets bound specifically
	 * to loopback; see the IPv4 block in pf_test() and the
	 * in_pcblookup_listen() reference there. If the tag cannot be
	 * allocated the packet is dropped rather than let through untagged.
	 */
	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
	    pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
	    (s->nat_rule.ptr->action == PF_RDR ||
	    s->nat_rule.ptr->action == PF_BINAT) &&
	    IN6_IS_ADDR_LOOPBACK(&pd.dst->v6) &&
	    pf_add_mbuf_tag(m, PACKET_TAG_PF_TRANSLATE_LOCALHOST)) {
		action = PF_DROP;
		REASON_SET(&reason, PFRES_MEMORY);
	}

	if (log)
		PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset);

	/* Interface counters; row 1 is IPv6 (pf_test() uses row 0 for IPv4). */
	kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
	kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;

	/*
	 * Rule, anchor, state, NAT-rule and source-node accounting, done for
	 * passed packets and for packets matched by a block rule.
	 */
	if (action == PF_PASS || r->action == PF_DROP) {
		r->packets++;
		r->bytes += pd.tot_len;
		if (a != NULL) {
			a->packets++;
			a->bytes += pd.tot_len;
		}
		if (s != NULL) {
			dirndx = (dir == s->direction) ? 0 : 1;
			s->packets[dirndx]++;
			s->bytes[dirndx] += pd.tot_len;
			if (s->nat_rule.ptr != NULL) {
				s->nat_rule.ptr->packets++;
				s->nat_rule.ptr->bytes += pd.tot_len;
			}
			if (s->src_node != NULL) {
				s->src_node->packets++;
				s->src_node->bytes += pd.tot_len;
			}
			if (s->nat_src_node != NULL) {
				s->nat_src_node->packets++;
				s->nat_src_node->bytes += pd.tot_len;
			}
		}
		tr = r;
		nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
		if (nr != NULL) {
			struct pf_addr *x;
			/*
			 * XXX: we need to make sure that the addresses
			 * passed to pfr_update_stats() are the same than
			 * the addresses used during matching (pfr_match)
			 *
			 * When only the default rule matched, table stats are
			 * credited to the NAT rule instead, and the address on
			 * the rewritten side is swapped between pd.baddr
			 * (saved above, pre-translation) and pd.naddr.
			 * NOTE(review): pd.naddr is never assigned in this
			 * function; presumably the pf_test_*() helpers fill it
			 * in -- confirm.
			 */
			if (r == &pf_default_rule) {
				tr = nr;
				x = (s == NULL || s->direction == dir) ?
				    &pd.baddr : &pd.naddr;
			} else {
				x = (s == NULL || s->direction == dir) ?
				    &pd.naddr : &pd.baddr;
			}
			if (x == &pd.baddr || s == NULL) {
				if (dir == PF_OUT)
					pd.src = x;
				else
					pd.dst = x;
			}
		}
		if (tr->src.addr.type == PF_ADDR_TABLE)
			pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
			    s->direction == dir) ? pd.src : pd.dst, pd.af,
			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
			    tr->src.not);
		if (tr->dst.addr.type == PF_ADDR_TABLE)
			pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
			    s->direction == dir) ? pd.dst : pd.src, pd.af,
			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
			    tr->dst.not);
	}


	/*
	 * PF_SYNPROXY_DROP means pf absorbed the packet: free it, report
	 * PF_PASS and leave *m0 NULL. Rules with r->rt set hand the mbuf to
	 * pf_route6(), which may free it too.
	 */
	if (action == PF_SYNPROXY_DROP) {
		m_freem(*m0);
		*m0 = NULL;
		action = PF_PASS;
	} else if (r->rt)
		/* pf_route6 can free the mbuf causing *m0 to become NULL */
		pf_route6(m0, r, dir, ifp, s);

	return (action);
}
5868 #endif /* INET6 */
5869
/*
 * Report whether the interface queue ifq is currently flagged as
 * congested. Returns 1 when ifq->ifq_congestion is non-zero, else 0.
 */
int
pf_check_congestion(struct ifqueue *ifq)
{
	return (ifq->ifq_congestion != 0);
}
5878