search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Clean up the routing and networking code before I parallelize routing.
[dragonfly.git] / sys / net / pf / pf.c
blobf664adad94b60a826c87256d4007164ff06ee044
1 /* $FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.19 2004/09/11 11:18:25 mlaier Exp $ */
2 /* $OpenBSD: pf.c,v 1.433.2.2 2004/07/17 03:22:34 brad Exp $ */
3 /* add $OpenBSD: pf.c,v 1.448 2004/05/11 07:34:11 dhartmei Exp $ */
4 /* $DragonFly: src/sys/net/pf/pf.c,v 1.3 2004/12/21 02:54:15 hsu Exp $ */
5
6 /*
7 * Copyright (c) 2004 The DragonFly Project. All rights reserved.
8 *
9 * Copyright (c) 2001 Daniel Hartmeier
10 * Copyright (c) 2002,2003 Henning Brauer
11 * All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * - Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * - Redistributions in binary form must reproduce the above
20 * copyright notice, this list of conditions and the following
21 * disclaimer in the documentation and/or other materials provided
22 * with the distribution.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
27 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
28 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
30 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
31 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
32 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
34 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
36 *
37 * Effort sponsored in part by the Defense Advanced Research Projects
38 * Agency (DARPA) and Air Force Research Laboratory, Air Force
39 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
40 *
41 */
42
43 #include "opt_inet.h"
44 #include "opt_inet6.h"
45 #include "use_pfsync.h"
46
47 #include <sys/param.h>
48 #include <sys/systm.h>
49 #include <sys/malloc.h>
50 #include <sys/mbuf.h>
51 #include <sys/filio.h>
52 #include <sys/socket.h>
53 #include <sys/socketvar.h>
54 #include <sys/kernel.h>
55 #include <sys/time.h>
56 #include <sys/sysctl.h>
57 #include <sys/endian.h>
58 #include <vm/vm_zone.h>
59
60 #include <machine/inttypes.h>
61
62 #include <net/if.h>
63 #include <net/if_types.h>
64 #include <net/bpf.h>
65 #include <net/route.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_var.h>
69 #include <netinet/in_systm.h>
70 #include <netinet/ip.h>
71 #include <netinet/ip_var.h>
72 #include <netinet/tcp.h>
73 #include <netinet/tcp_seq.h>
74 #include <netinet/udp.h>
75 #include <netinet/ip_icmp.h>
76 #include <netinet/in_pcb.h>
77 #include <netinet/tcp_timer.h>
78 #include <netinet/tcp_var.h>
79 #include <netinet/udp_var.h>
80 #include <netinet/icmp_var.h>
81
82 #include <net/pf/pfvar.h>
83 #include <net/pf/if_pflog.h>
84
85 #if NPFSYNC > 0
86 #include <net/pf/if_pfsync.h>
87 #endif /* NPFSYNC > 0 */
88
89 #ifdef INET6
90 #include <netinet/ip6.h>
91 #include <netinet/in_pcb.h>
92 #include <netinet/icmp6.h>
93 #include <netinet6/nd6.h>
94 #include <netinet6/ip6_var.h>
95 #include <netinet6/in6_pcb.h>
96 #endif /* INET6 */
97
98 #include <sys/in_cksum.h>
99 #include <machine/limits.h>
100 #include <sys/msgport2.h>
101 #include <sys/ucred.h>
102
103 extern int ip_optcopy(struct ip *, struct ip *);
104
105 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
106
107 /*
108 * Global variables
109 */
110
111 struct pf_anchorqueue pf_anchors;
112 struct pf_ruleset pf_main_ruleset;
113 struct pf_altqqueue pf_altqs[2];
114 struct pf_palist pf_pabuf;
115 struct pf_altqqueue *pf_altqs_active;
116 struct pf_altqqueue *pf_altqs_inactive;
117 struct pf_status pf_status;
118
119 u_int32_t ticket_altqs_active;
120 u_int32_t ticket_altqs_inactive;
121 int altqs_inactive_open;
122 u_int32_t ticket_pabuf;
123
124 struct callout pf_expire_to; /* expire timeout */
125
126 vm_zone_t pf_src_tree_pl, pf_rule_pl;
127 vm_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
128
129 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
130 void pf_print_state(struct pf_state *);
131 void pf_print_flags(u_int8_t);
132
133 u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
134 u_int8_t);
135 void pf_change_ap(struct pf_addr *, u_int16_t *,
136 u_int16_t *, u_int16_t *, struct pf_addr *,
137 u_int16_t, u_int8_t, sa_family_t);
138 #ifdef INET6
139 void pf_change_a6(struct pf_addr *, u_int16_t *,
140 struct pf_addr *, u_int8_t);
141 #endif /* INET6 */
142 void pf_change_icmp(struct pf_addr *, u_int16_t *,
143 struct pf_addr *, struct pf_addr *, u_int16_t,
144 u_int16_t *, u_int16_t *, u_int16_t *,
145 u_int16_t *, u_int8_t, sa_family_t);
146 void pf_send_tcp(const struct pf_rule *, sa_family_t,
147 const struct pf_addr *, const struct pf_addr *,
148 u_int16_t, u_int16_t, u_int32_t, u_int32_t,
149 u_int8_t, u_int16_t, u_int16_t, u_int8_t);
150 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
151 sa_family_t, struct pf_rule *);
152 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
153 int, int, struct pfi_kif *,
154 struct pf_addr *, u_int16_t, struct pf_addr *,
155 u_int16_t, int);
156 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
157 int, int, struct pfi_kif *, struct pf_src_node **,
158 struct pf_addr *, u_int16_t,
159 struct pf_addr *, u_int16_t,
160 struct pf_addr *, u_int16_t *);
161 int pf_test_tcp(struct pf_rule **, struct pf_state **,
162 int, struct pfi_kif *, struct mbuf *, int,
163 void *, struct pf_pdesc *, struct pf_rule **,
164 struct pf_ruleset **);
165 int pf_test_udp(struct pf_rule **, struct pf_state **,
166 int, struct pfi_kif *, struct mbuf *, int,
167 void *, struct pf_pdesc *, struct pf_rule **,
168 struct pf_ruleset **);
169 int pf_test_icmp(struct pf_rule **, struct pf_state **,
170 int, struct pfi_kif *, struct mbuf *, int,
171 void *, struct pf_pdesc *, struct pf_rule **,
172 struct pf_ruleset **);
173 int pf_test_other(struct pf_rule **, struct pf_state **,
174 int, struct pfi_kif *, struct mbuf *, int, void *,
175 struct pf_pdesc *, struct pf_rule **,
176 struct pf_ruleset **);
177 int pf_test_fragment(struct pf_rule **, int,
178 struct pfi_kif *, struct mbuf *, void *,
179 struct pf_pdesc *, struct pf_rule **,
180 struct pf_ruleset **);
181 int pf_test_state_tcp(struct pf_state **, int,
182 struct pfi_kif *, struct mbuf *, int,
183 void *, struct pf_pdesc *, u_short *);
184 int pf_test_state_udp(struct pf_state **, int,
185 struct pfi_kif *, struct mbuf *, int,
186 void *, struct pf_pdesc *);
187 int pf_test_state_icmp(struct pf_state **, int,
188 struct pfi_kif *, struct mbuf *, int,
189 void *, struct pf_pdesc *);
190 int pf_test_state_other(struct pf_state **, int,
191 struct pfi_kif *, struct pf_pdesc *);
192 static int pf_match_tag(struct mbuf *, struct pf_rule *,
193 struct pf_rule *, int *);
194 void pf_hash(struct pf_addr *, struct pf_addr *,
195 struct pf_poolhashkey *, sa_family_t);
196 int pf_map_addr(u_int8_t, struct pf_rule *,
197 struct pf_addr *, struct pf_addr *,
198 struct pf_addr *, struct pf_src_node **);
199 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
200 struct pf_addr *, struct pf_addr *, u_int16_t,
201 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
202 struct pf_src_node **);
203 void pf_route(struct mbuf **, struct pf_rule *, int,
204 struct ifnet *, struct pf_state *);
205 void pf_route6(struct mbuf **, struct pf_rule *, int,
206 struct ifnet *, struct pf_state *);
207 int pf_socket_lookup(uid_t *, gid_t *,
208 int, struct pf_pdesc *);
209 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t,
210 sa_family_t);
211 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t,
212 sa_family_t);
213 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
214 u_int16_t);
215 void pf_set_rt_ifp(struct pf_state *,
216 struct pf_addr *);
217 int pf_check_proto_cksum(struct mbuf *, int, int,
218 u_int8_t, sa_family_t);
219 int pf_addr_wrap_neq(struct pf_addr_wrap *,
220 struct pf_addr_wrap *);
221 struct pf_state *pf_find_state_recurse(struct pfi_kif *,
222 struct pf_state *, u_int8_t);
223
224 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
225
226 #define STATE_LOOKUP() \
227 do { \
228 if (direction == PF_IN) \
229 *state = pf_find_state_recurse( \
230 kif, &key, PF_EXT_GWY); \
231 else \
232 *state = pf_find_state_recurse( \
233 kif, &key, PF_LAN_EXT); \
234 if (*state == NULL) \
235 return (PF_DROP); \
236 if (direction == PF_OUT && \
237 (((*state)->rule.ptr->rt == PF_ROUTETO && \
238 (*state)->rule.ptr->direction == PF_OUT) || \
239 ((*state)->rule.ptr->rt == PF_REPLYTO && \
240 (*state)->rule.ptr->direction == PF_IN)) && \
241 (*state)->rt_kif != NULL && \
242 (*state)->rt_kif != kif) \
243 return (PF_PASS); \
244 } while (0)
245
246 #define STATE_TRANSLATE(s) \
247 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
248 ((s)->af == AF_INET6 && \
249 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \
250 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \
251 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \
252 (s)->lan.port != (s)->gwy.port
253
254 #define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) : \
255 ((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent : \
256 (k)->pfik_parent->pfik_parent)
257
258 static int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
259 static int pf_state_compare_lan_ext(struct pf_state *,
260 struct pf_state *);
261 static int pf_state_compare_ext_gwy(struct pf_state *,
262 struct pf_state *);
263 static int pf_state_compare_id(struct pf_state *,
264 struct pf_state *);
265
266 struct pf_src_tree tree_src_tracking;
267
268 struct pf_state_tree_id tree_id;
269 struct pf_state_queue state_updates;
270
271 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
272 RB_GENERATE(pf_state_tree_lan_ext, pf_state,
273 u.s.entry_lan_ext, pf_state_compare_lan_ext);
274 RB_GENERATE(pf_state_tree_ext_gwy, pf_state,
275 u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
276 RB_GENERATE(pf_state_tree_id, pf_state,
277 u.s.entry_id, pf_state_compare_id);
278
279 static int
280 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
281 {
282 int diff;
283
284 if (a->rule.ptr > b->rule.ptr)
285 return (1);
286 if (a->rule.ptr < b->rule.ptr)
287 return (-1);
288 if ((diff = a->af - b->af) != 0)
289 return (diff);
290 switch (a->af) {
291 #ifdef INET
292 case AF_INET:
293 if (a->addr.addr32[0] > b->addr.addr32[0])
294 return (1);
295 if (a->addr.addr32[0] < b->addr.addr32[0])
296 return (-1);
297 break;
298 #endif /* INET */
299 #ifdef INET6
300 case AF_INET6:
301 if (a->addr.addr32[3] > b->addr.addr32[3])
302 return (1);
303 if (a->addr.addr32[3] < b->addr.addr32[3])
304 return (-1);
305 if (a->addr.addr32[2] > b->addr.addr32[2])
306 return (1);
307 if (a->addr.addr32[2] < b->addr.addr32[2])
308 return (-1);
309 if (a->addr.addr32[1] > b->addr.addr32[1])
310 return (1);
311 if (a->addr.addr32[1] < b->addr.addr32[1])
312 return (-1);
313 if (a->addr.addr32[0] > b->addr.addr32[0])
314 return (1);
315 if (a->addr.addr32[0] < b->addr.addr32[0])
316 return (-1);
317 break;
318 #endif /* INET6 */
319 }
320 return (0);
321 }
322
323 static int
324 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b)
325 {
326 int diff;
327
328 if ((diff = a->proto - b->proto) != 0)
329 return (diff);
330 if ((diff = a->af - b->af) != 0)
331 return (diff);
332 switch (a->af) {
333 #ifdef INET
334 case AF_INET:
335 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
336 return (1);
337 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
338 return (-1);
339 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
340 return (1);
341 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
342 return (-1);
343 break;
344 #endif /* INET */
345 #ifdef INET6
346 case AF_INET6:
347 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3])
348 return (1);
349 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3])
350 return (-1);
351 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
352 return (1);
353 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
354 return (-1);
355 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2])
356 return (1);
357 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2])
358 return (-1);
359 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
360 return (1);
361 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
362 return (-1);
363 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1])
364 return (1);
365 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1])
366 return (-1);
367 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
368 return (1);
369 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
370 return (-1);
371 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
372 return (1);
373 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
374 return (-1);
375 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
376 return (1);
377 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
378 return (-1);
379 break;
380 #endif /* INET6 */
381 }
382
383 if ((diff = a->lan.port - b->lan.port) != 0)
384 return (diff);
385 if ((diff = a->ext.port - b->ext.port) != 0)
386 return (diff);
387
388 return (0);
389 }
390
391 static int
392 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b)
393 {
394 int diff;
395
396 if ((diff = a->proto - b->proto) != 0)
397 return (diff);
398 if ((diff = a->af - b->af) != 0)
399 return (diff);
400 switch (a->af) {
401 #ifdef INET
402 case AF_INET:
403 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
404 return (1);
405 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
406 return (-1);
407 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
408 return (1);
409 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
410 return (-1);
411 break;
412 #endif /* INET */
413 #ifdef INET6
414 case AF_INET6:
415 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
416 return (1);
417 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
418 return (-1);
419 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3])
420 return (1);
421 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3])
422 return (-1);
423 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
424 return (1);
425 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
426 return (-1);
427 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2])
428 return (1);
429 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2])
430 return (-1);
431 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
432 return (1);
433 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
434 return (-1);
435 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1])
436 return (1);
437 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1])
438 return (-1);
439 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
440 return (1);
441 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
442 return (-1);
443 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
444 return (1);
445 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
446 return (-1);
447 break;
448 #endif /* INET6 */
449 }
450
451 if ((diff = a->ext.port - b->ext.port) != 0)
452 return (diff);
453 if ((diff = a->gwy.port - b->gwy.port) != 0)
454 return (diff);
455
456 return (0);
457 }
458
459 static int
460 pf_state_compare_id(struct pf_state *a, struct pf_state *b)
461 {
462 if (a->id > b->id)
463 return (1);
464 if (a->id < b->id)
465 return (-1);
466 if (a->creatorid > b->creatorid)
467 return (1);
468 if (a->creatorid < b->creatorid)
469 return (-1);
470
471 return (0);
472 }
473
474 #ifdef INET6
475 void
476 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
477 {
478 switch (af) {
479 #ifdef INET
480 case AF_INET:
481 dst->addr32[0] = src->addr32[0];
482 break;
483 #endif /* INET */
484 case AF_INET6:
485 dst->addr32[0] = src->addr32[0];
486 dst->addr32[1] = src->addr32[1];
487 dst->addr32[2] = src->addr32[2];
488 dst->addr32[3] = src->addr32[3];
489 break;
490 }
491 }
492 #endif
493
494 struct pf_state *
495 pf_find_state_byid(struct pf_state *key)
496 {
497 pf_status.fcounters[FCNT_STATE_SEARCH]++;
498 return (RB_FIND(pf_state_tree_id, &tree_id, key));
499 }
500
501 struct pf_state *
502 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state *key, u_int8_t tree)
503 {
504 struct pf_state *s;
505
506 pf_status.fcounters[FCNT_STATE_SEARCH]++;
507
508 switch (tree) {
509 case PF_LAN_EXT:
510 for (; kif != NULL; kif = kif->pfik_parent) {
511 s = RB_FIND(pf_state_tree_lan_ext,
512 &kif->pfik_lan_ext, key);
513 if (s != NULL)
514 return (s);
515 }
516 return (NULL);
517 case PF_EXT_GWY:
518 for (; kif != NULL; kif = kif->pfik_parent) {
519 s = RB_FIND(pf_state_tree_ext_gwy,
520 &kif->pfik_ext_gwy, key);
521 if (s != NULL)
522 return (s);
523 }
524 return (NULL);
525 default:
526 panic("pf_find_state_recurse");
527 }
528 }
529
530 struct pf_state *
531 pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more)
532 {
533 struct pf_state *s, *ss = NULL;
534 struct pfi_kif *kif;
535
536 pf_status.fcounters[FCNT_STATE_SEARCH]++;
537
538 switch (tree) {
539 case PF_LAN_EXT:
540 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
541 s = RB_FIND(pf_state_tree_lan_ext,
542 &kif->pfik_lan_ext, key);
543 if (s == NULL)
544 continue;
545 if (more == NULL)
546 return (s);
547 ss = s;
548 (*more)++;
549 }
550 return (ss);
551 case PF_EXT_GWY:
552 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
553 s = RB_FIND(pf_state_tree_ext_gwy,
554 &kif->pfik_ext_gwy, key);
555 if (s == NULL)
556 continue;
557 if (more == NULL)
558 return (s);
559 ss = s;
560 (*more)++;
561 }
562 return (ss);
563 default:
564 panic("pf_find_state_all");
565 }
566 }
567
568 int
569 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
570 struct pf_addr *src, sa_family_t af)
571 {
572 struct pf_src_node k;
573
574 if (*sn == NULL) {
575 k.af = af;
576 PF_ACPY(&k.addr, src, af);
577 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
578 rule->rpool.opts & PF_POOL_STICKYADDR)
579 k.rule.ptr = rule;
580 else
581 k.rule.ptr = NULL;
582 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
583 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
584 }
585 if (*sn == NULL) {
586 if (!rule->max_src_nodes ||
587 rule->src_nodes < rule->max_src_nodes)
588 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
589 if ((*sn) == NULL)
590 return (-1);
591 bzero(*sn, sizeof(struct pf_src_node));
592 (*sn)->af = af;
593 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
594 rule->rpool.opts & PF_POOL_STICKYADDR)
595 (*sn)->rule.ptr = rule;
596 else
597 (*sn)->rule.ptr = NULL;
598 PF_ACPY(&(*sn)->addr, src, af);
599 if (RB_INSERT(pf_src_tree,
600 &tree_src_tracking, *sn) != NULL) {
601 if (pf_status.debug >= PF_DEBUG_MISC) {
602 printf("pf: src_tree insert failed: ");
603 pf_print_host(&(*sn)->addr, 0, af);
604 printf("\n");
605 }
606 pool_put(&pf_src_tree_pl, *sn);
607 return (-1);
608 }
609 (*sn)->creation = time_second;
610 (*sn)->ruletype = rule->action;
611 if ((*sn)->rule.ptr != NULL)
612 (*sn)->rule.ptr->src_nodes++;
613 pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
614 pf_status.src_nodes++;
615 } else {
616 if (rule->max_src_states &&
617 (*sn)->states >= rule->max_src_states)
618 return (-1);
619 }
620 return (0);
621 }
622
623 int
624 pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
625 {
626 /* Thou MUST NOT insert multiple duplicate keys */
627 state->u.s.kif = kif;
628 if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) {
629 if (pf_status.debug >= PF_DEBUG_MISC) {
630 printf("pf: state insert failed: tree_lan_ext");
631 printf(" lan: ");
632 pf_print_host(&state->lan.addr, state->lan.port,
633 state->af);
634 printf(" gwy: ");
635 pf_print_host(&state->gwy.addr, state->gwy.port,
636 state->af);
637 printf(" ext: ");
638 pf_print_host(&state->ext.addr, state->ext.port,
639 state->af);
640 if (state->sync_flags & PFSTATE_FROMSYNC)
641 printf(" (from sync)");
642 printf("\n");
643 }
644 return (-1);
645 }
646
647 if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) {
648 if (pf_status.debug >= PF_DEBUG_MISC) {
649 printf("pf: state insert failed: tree_ext_gwy");
650 printf(" lan: ");
651 pf_print_host(&state->lan.addr, state->lan.port,
652 state->af);
653 printf(" gwy: ");
654 pf_print_host(&state->gwy.addr, state->gwy.port,
655 state->af);
656 printf(" ext: ");
657 pf_print_host(&state->ext.addr, state->ext.port,
658 state->af);
659 if (state->sync_flags & PFSTATE_FROMSYNC)
660 printf(" (from sync)");
661 printf("\n");
662 }
663 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
664 return (-1);
665 }
666
667 if (state->id == 0 && state->creatorid == 0) {
668 state->id = htobe64(pf_status.stateid++);
669 state->creatorid = pf_status.hostid;
670 }
671 if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) {
672 if (pf_status.debug >= PF_DEBUG_MISC) {
673 printf("pf: state insert failed: "
674 "id: %016" PRIx64 " creatorid: %08" PRIx32,
675 be64toh(state->id), ntohl(state->creatorid));
676 if (state->sync_flags & PFSTATE_FROMSYNC)
677 printf(" (from sync)");
678 printf("\n");
679 }
680 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
681 RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state);
682 return (-1);
683 }
684 TAILQ_INSERT_HEAD(&state_updates, state, u.s.entry_updates);
685
686 pf_status.fcounters[FCNT_STATE_INSERT]++;
687 pf_status.states++;
688 pfi_attach_state(kif);
689 #if NPFSYNC
690 pfsync_insert_state(state);
691 #endif
692 return (0);
693 }
694
695 void
696 pf_purge_timeout(void *arg)
697 {
698 struct callout *to = arg;
699 int s;
700
701 s = splsoftnet();
702 pf_purge_expired_states();
703 pf_purge_expired_fragments();
704 pf_purge_expired_src_nodes();
705 splx(s);
706
707 callout_reset(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz,
708 pf_purge_timeout, to);
709 }
710
711 u_int32_t
712 pf_state_expires(const struct pf_state *state)
713 {
714 u_int32_t timeout;
715 u_int32_t start;
716 u_int32_t end;
717 u_int32_t states;
718
719 /* handle all PFTM_* > PFTM_MAX here */
720 if (state->timeout == PFTM_PURGE)
721 return (time_second);
722 if (state->timeout == PFTM_UNTIL_PACKET)
723 return (0);
724 KASSERT((state->timeout < PFTM_MAX),
725 ("pf_state_expires: timeout > PFTM_MAX"));
726 timeout = state->rule.ptr->timeout[state->timeout];
727 if (!timeout)
728 timeout = pf_default_rule.timeout[state->timeout];
729 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
730 if (start) {
731 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
732 states = state->rule.ptr->states;
733 } else {
734 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
735 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
736 states = pf_status.states;
737 }
738 if (end && states > start && start < end) {
739 if (states < end)
740 return (state->expire + timeout * (end - states) /
741 (end - start));
742 else
743 return (time_second);
744 }
745 return (state->expire + timeout);
746 }
747
748 void
749 pf_purge_expired_src_nodes(void)
750 {
751 struct pf_src_node *cur, *next;
752
753 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
754 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
755
756 if (cur->states <= 0 && cur->expire <= time_second) {
757 if (cur->rule.ptr != NULL) {
758 cur->rule.ptr->src_nodes--;
759 if (cur->rule.ptr->states <= 0 &&
760 cur->rule.ptr->max_src_nodes <= 0)
761 pf_rm_rule(NULL, cur->rule.ptr);
762 }
763 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
764 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
765 pf_status.src_nodes--;
766 pool_put(&pf_src_tree_pl, cur);
767 }
768 }
769 }
770
771 void
772 pf_src_tree_remove_state(struct pf_state *s)
773 {
774 u_int32_t timeout;
775
776 if (s->src_node != NULL) {
777 if (--s->src_node->states <= 0) {
778 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
779 if (!timeout)
780 timeout =
781 pf_default_rule.timeout[PFTM_SRC_NODE];
782 s->src_node->expire = time_second + timeout;
783 }
784 }
785 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
786 if (--s->nat_src_node->states <= 0) {
787 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
788 if (!timeout)
789 timeout =
790 pf_default_rule.timeout[PFTM_SRC_NODE];
791 s->nat_src_node->expire = time_second + timeout;
792 }
793 }
794 s->src_node = s->nat_src_node = NULL;
795 }
796
797 void
798 pf_purge_expired_states(void)
799 {
800 struct pf_state *cur, *next;
801
802 for (cur = RB_MIN(pf_state_tree_id, &tree_id);
803 cur; cur = next) {
804 next = RB_NEXT(pf_state_tree_id, &tree_id, cur);
805
806 if (pf_state_expires(cur) <= time_second) {
807 if (cur->src.state == PF_TCPS_PROXY_DST)
808 pf_send_tcp(cur->rule.ptr, cur->af,
809 &cur->ext.addr, &cur->lan.addr,
810 cur->ext.port, cur->lan.port,
811 cur->src.seqhi, cur->src.seqlo + 1, 0,
812 TH_RST|TH_ACK, 0, 0);
813 RB_REMOVE(pf_state_tree_ext_gwy,
814 &cur->u.s.kif->pfik_ext_gwy, cur);
815 RB_REMOVE(pf_state_tree_lan_ext,
816 &cur->u.s.kif->pfik_lan_ext, cur);
817 RB_REMOVE(pf_state_tree_id, &tree_id, cur);
818 #if NPFSYNC
819 pfsync_delete_state(cur);
820 #endif
821 pf_src_tree_remove_state(cur);
822 if (--cur->rule.ptr->states <= 0 &&
823 cur->rule.ptr->src_nodes <= 0)
824 pf_rm_rule(NULL, cur->rule.ptr);
825 if (cur->nat_rule.ptr != NULL)
826 if (--cur->nat_rule.ptr->states <= 0 &&
827 cur->nat_rule.ptr->src_nodes <= 0)
828 pf_rm_rule(NULL, cur->nat_rule.ptr);
829 if (cur->anchor.ptr != NULL)
830 if (--cur->anchor.ptr->states <= 0)
831 pf_rm_rule(NULL, cur->anchor.ptr);
832 pf_normalize_tcp_cleanup(cur);
833 pfi_detach_state(cur->u.s.kif);
834 TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates);
835 pool_put(&pf_state_pl, cur);
836 pf_status.fcounters[FCNT_STATE_REMOVALS]++;
837 pf_status.states--;
838 }
839 }
840 }
841
842 int
843 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
844 {
845 if (aw->type != PF_ADDR_TABLE)
846 return (0);
847 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
848 return (1);
849 return (0);
850 }
851
852 void
853 pf_tbladdr_remove(struct pf_addr_wrap *aw)
854 {
855 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL)
856 return;
857 pfr_detach_table(aw->p.tbl);
858 aw->p.tbl = NULL;
859 }
860
861 void
862 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
863 {
864 struct pfr_ktable *kt = aw->p.tbl;
865
866 if (aw->type != PF_ADDR_TABLE || kt == NULL)
867 return;
868 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
869 kt = kt->pfrkt_root;
870 aw->p.tbl = NULL;
871 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
872 kt->pfrkt_cnt : -1;
873 }
874
875 void
876 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
877 {
878 switch (af) {
879 #ifdef INET
880 case AF_INET: {
881 u_int32_t a = ntohl(addr->addr32[0]);
882 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
883 (a>>8)&255, a&255);
884 if (p) {
885 p = ntohs(p);
886 printf(":%u", p);
887 }
888 break;
889 }
890 #endif /* INET */
891 #ifdef INET6
892 case AF_INET6: {
893 u_int16_t b;
894 u_int8_t i, curstart = 255, curend = 0,
895 maxstart = 0, maxend = 0;
896 for (i = 0; i < 8; i++) {
897 if (!addr->addr16[i]) {
898 if (curstart == 255)
899 curstart = i;
900 else
901 curend = i;
902 } else {
903 if (curstart) {
904 if ((curend - curstart) >
905 (maxend - maxstart)) {
906 maxstart = curstart;
907 maxend = curend;
908 curstart = 255;
909 }
910 }
911 }
912 }
913 for (i = 0; i < 8; i++) {
914 if (i >= maxstart && i <= maxend) {
915 if (maxend != 7) {
916 if (i == maxstart)
917 printf(":");
918 } else {
919 if (i == maxend)
920 printf(":");
921 }
922 } else {
923 b = ntohs(addr->addr16[i]);
924 printf("%x", b);
925 if (i < 7)
926 printf(":");
927 }
928 }
929 if (p) {
930 p = ntohs(p);
931 printf("[%u]", p);
932 }
933 break;
934 }
935 #endif /* INET6 */
936 }
937 }
938
939 void
940 pf_print_state(struct pf_state *s)
941 {
942 switch (s->proto) {
943 case IPPROTO_TCP:
944 printf("TCP ");
945 break;
946 case IPPROTO_UDP:
947 printf("UDP ");
948 break;
949 case IPPROTO_ICMP:
950 printf("ICMP ");
951 break;
952 case IPPROTO_ICMPV6:
953 printf("ICMPV6 ");
954 break;
955 default:
956 printf("%u ", s->proto);
957 break;
958 }
959 pf_print_host(&s->lan.addr, s->lan.port, s->af);
960 printf(" ");
961 pf_print_host(&s->gwy.addr, s->gwy.port, s->af);
962 printf(" ");
963 pf_print_host(&s->ext.addr, s->ext.port, s->af);
964 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
965 s->src.seqhi, s->src.max_win, s->src.seqdiff);
966 if (s->src.wscale && s->dst.wscale)
967 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
968 printf("]");
969 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
970 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
971 if (s->src.wscale && s->dst.wscale)
972 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
973 printf("]");
974 printf(" %u:%u", s->src.state, s->dst.state);
975 }
976
977 void
978 pf_print_flags(u_int8_t f)
979 {
980 if (f)
981 printf(" ");
982 if (f & TH_FIN)
983 printf("F");
984 if (f & TH_SYN)
985 printf("S");
986 if (f & TH_RST)
987 printf("R");
988 if (f & TH_PUSH)
989 printf("P");
990 if (f & TH_ACK)
991 printf("A");
992 if (f & TH_URG)
993 printf("U");
994 if (f & TH_ECE)
995 printf("E");
996 if (f & TH_CWR)
997 printf("W");
998 }
999
1000 #define PF_SET_SKIP_STEPS(i) \
1001 do { \
1002 while (head[i] != cur) { \
1003 head[i]->skip[i].ptr = cur; \
1004 head[i] = TAILQ_NEXT(head[i], entries); \
1005 } \
1006 } while (0)
1007
1008 void
1009 pf_calc_skip_steps(struct pf_rulequeue *rules)
1010 {
1011 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
1012 int i;
1013
1014 cur = TAILQ_FIRST(rules);
1015 prev = cur;
1016 for (i = 0; i < PF_SKIP_COUNT; ++i)
1017 head[i] = cur;
1018 while (cur != NULL) {
1019
1020 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
1021 PF_SET_SKIP_STEPS(PF_SKIP_IFP);
1022 if (cur->direction != prev->direction)
1023 PF_SET_SKIP_STEPS(PF_SKIP_DIR);
1024 if (cur->af != prev->af)
1025 PF_SET_SKIP_STEPS(PF_SKIP_AF);
1026 if (cur->proto != prev->proto)
1027 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1028 if (cur->src.not != prev->src.not ||
1029 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
1030 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
1031 if (cur->src.port[0] != prev->src.port[0] ||
1032 cur->src.port[1] != prev->src.port[1] ||
1033 cur->src.port_op != prev->src.port_op)
1034 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1035 if (cur->dst.not != prev->dst.not ||
1036 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
1037 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
1038 if (cur->dst.port[0] != prev->dst.port[0] ||
1039 cur->dst.port[1] != prev->dst.port[1] ||
1040 cur->dst.port_op != prev->dst.port_op)
1041 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1042
1043 prev = cur;
1044 cur = TAILQ_NEXT(cur, entries);
1045 }
1046 for (i = 0; i < PF_SKIP_COUNT; ++i)
1047 PF_SET_SKIP_STEPS(i);
1048 }
1049
1050 int
1051 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
1052 {
1053 if (aw1->type != aw2->type)
1054 return (1);
1055 switch (aw1->type) {
1056 case PF_ADDR_ADDRMASK:
1057 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0))
1058 return (1);
1059 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0))
1060 return (1);
1061 return (0);
1062 case PF_ADDR_DYNIFTL:
1063 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
1064 case PF_ADDR_NOROUTE:
1065 return (0);
1066 case PF_ADDR_TABLE:
1067 return (aw1->p.tbl != aw2->p.tbl);
1068 default:
1069 printf("invalid address type: %d\n", aw1->type);
1070 return (1);
1071 }
1072 }
1073
1074 void
1075 pf_update_anchor_rules()
1076 {
1077 struct pf_rule *rule;
1078 int i;
1079
1080 for (i = 0; i < PF_RULESET_MAX; ++i)
1081 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr,
1082 entries)
1083 if (rule->anchorname[0])
1084 rule->anchor = pf_find_anchor(rule->anchorname);
1085 else
1086 rule->anchor = NULL;
1087 }
1088
1089 u_int16_t
1090 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
1091 {
1092 u_int32_t l;
1093
1094 if (udp && !cksum)
1095 return (0x0000);
1096 l = cksum + old - new;
1097 l = (l >> 16) + (l & 65535);
1098 l = l & 65535;
1099 if (udp && !l)
1100 return (0xFFFF);
1101 return (l);
1102 }
1103
1104 void
1105 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
1106 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
1107 {
1108 struct pf_addr ao;
1109 u_int16_t po = *p;
1110
1111 PF_ACPY(&ao, a, af);
1112 PF_ACPY(a, an, af);
1113
1114 *p = pn;
1115
1116 switch (af) {
1117 #ifdef INET
1118 case AF_INET:
1119 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1120 ao.addr16[0], an->addr16[0], 0),
1121 ao.addr16[1], an->addr16[1], 0);
1122 *p = pn;
1123 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1124 ao.addr16[0], an->addr16[0], u),
1125 ao.addr16[1], an->addr16[1], u),
1126 po, pn, u);
1127 break;
1128 #endif /* INET */
1129 #ifdef INET6
1130 case AF_INET6:
1131 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1132 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1133 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1134 ao.addr16[0], an->addr16[0], u),
1135 ao.addr16[1], an->addr16[1], u),
1136 ao.addr16[2], an->addr16[2], u),
1137 ao.addr16[3], an->addr16[3], u),
1138 ao.addr16[4], an->addr16[4], u),
1139 ao.addr16[5], an->addr16[5], u),
1140 ao.addr16[6], an->addr16[6], u),
1141 ao.addr16[7], an->addr16[7], u),
1142 po, pn, u);
1143 break;
1144 #endif /* INET6 */
1145 }
1146 }
1147
1148
1149 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */
1150 void
1151 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
1152 {
1153 u_int32_t ao;
1154
1155 memcpy(&ao, a, sizeof(ao));
1156 memcpy(a, &an, sizeof(u_int32_t));
1157 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
1158 ao % 65536, an % 65536, u);
1159 }
1160
1161 #ifdef INET6
1162 void
1163 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
1164 {
1165 struct pf_addr ao;
1166
1167 PF_ACPY(&ao, a, AF_INET6);
1168 PF_ACPY(a, an, AF_INET6);
1169
1170 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1171 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1172 pf_cksum_fixup(pf_cksum_fixup(*c,
1173 ao.addr16[0], an->addr16[0], u),
1174 ao.addr16[1], an->addr16[1], u),
1175 ao.addr16[2], an->addr16[2], u),
1176 ao.addr16[3], an->addr16[3], u),
1177 ao.addr16[4], an->addr16[4], u),
1178 ao.addr16[5], an->addr16[5], u),
1179 ao.addr16[6], an->addr16[6], u),
1180 ao.addr16[7], an->addr16[7], u);
1181 }
1182 #endif /* INET6 */
1183
1184 void
1185 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
1186 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
1187 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
1188 {
1189 struct pf_addr oia, ooa;
1190
1191 PF_ACPY(&oia, ia, af);
1192 PF_ACPY(&ooa, oa, af);
1193
1194 /* Change inner protocol port, fix inner protocol checksum. */
1195 if (ip != NULL) {
1196 u_int16_t oip = *ip;
1197 u_int32_t opc = 0;
1198
1199 if (pc != NULL)
1200 opc = *pc;
1201 *ip = np;
1202 if (pc != NULL)
1203 *pc = pf_cksum_fixup(*pc, oip, *ip, u);
1204 *ic = pf_cksum_fixup(*ic, oip, *ip, 0);
1205 if (pc != NULL)
1206 *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
1207 }
1208 /* Change inner ip address, fix inner ip and icmp checksums. */
1209 PF_ACPY(ia, na, af);
1210 switch (af) {
1211 #ifdef INET
1212 case AF_INET: {
1213 u_int32_t oh2c = *h2c;
1214
1215 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
1216 oia.addr16[0], ia->addr16[0], 0),
1217 oia.addr16[1], ia->addr16[1], 0);
1218 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1219 oia.addr16[0], ia->addr16[0], 0),
1220 oia.addr16[1], ia->addr16[1], 0);
1221 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
1222 break;
1223 }
1224 #endif /* INET */
1225 #ifdef INET6
1226 case AF_INET6:
1227 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1228 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1229 pf_cksum_fixup(pf_cksum_fixup(*ic,
1230 oia.addr16[0], ia->addr16[0], u),
1231 oia.addr16[1], ia->addr16[1], u),
1232 oia.addr16[2], ia->addr16[2], u),
1233 oia.addr16[3], ia->addr16[3], u),
1234 oia.addr16[4], ia->addr16[4], u),
1235 oia.addr16[5], ia->addr16[5], u),
1236 oia.addr16[6], ia->addr16[6], u),
1237 oia.addr16[7], ia->addr16[7], u);
1238 break;
1239 #endif /* INET6 */
1240 }
1241 /* Change outer ip address, fix outer ip or icmpv6 checksum. */
1242 PF_ACPY(oa, na, af);
1243 switch (af) {
1244 #ifdef INET
1245 case AF_INET:
1246 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
1247 ooa.addr16[0], oa->addr16[0], 0),
1248 ooa.addr16[1], oa->addr16[1], 0);
1249 break;
1250 #endif /* INET */
1251 #ifdef INET6
1252 case AF_INET6:
1253 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1254 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1255 pf_cksum_fixup(pf_cksum_fixup(*ic,
1256 ooa.addr16[0], oa->addr16[0], u),
1257 ooa.addr16[1], oa->addr16[1], u),
1258 ooa.addr16[2], oa->addr16[2], u),
1259 ooa.addr16[3], oa->addr16[3], u),
1260 ooa.addr16[4], oa->addr16[4], u),
1261 ooa.addr16[5], oa->addr16[5], u),
1262 ooa.addr16[6], oa->addr16[6], u),
1263 ooa.addr16[7], oa->addr16[7], u);
1264 break;
1265 #endif /* INET6 */
1266 }
1267 }
1268
1269 void
1270 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
1271 const struct pf_addr *saddr, const struct pf_addr *daddr,
1272 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
1273 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl)
1274 {
1275 struct mbuf *m;
1276 int len = 0, tlen;
1277 #ifdef INET
1278 struct ip *h = NULL;
1279 #endif /* INET */
1280 #ifdef INET6
1281 struct ip6_hdr *h6 = NULL;
1282 #endif /* INET6 */
1283 struct tcphdr *th = NULL;
1284 char *opt;
1285
1286 /* maximum segment size tcp option */
1287 tlen = sizeof(struct tcphdr);
1288 if (mss)
1289 tlen += 4;
1290
1291 switch (af) {
1292 #ifdef INET
1293 case AF_INET:
1294 len = sizeof(struct ip) + tlen;
1295 break;
1296 #endif /* INET */
1297 #ifdef INET6
1298 case AF_INET6:
1299 len = sizeof(struct ip6_hdr) + tlen;
1300 break;
1301 #endif /* INET6 */
1302 }
1303
1304 /* create outgoing mbuf */
1305 m = m_gethdr(MB_DONTWAIT, MT_HEADER);
1306 if (m == NULL)
1307 return;
1308 m->m_pkthdr.pf_flags |= PF_MBUF_GENERATED;
1309 #ifdef ALTQ
1310 if (r != NULL && r->qid) {
1311 struct altq_tag *atag;
1312
1313 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT);
1314 if (mtag != NULL) {
1315 atag = (struct altq_tag *)(mtag + 1);
1316 atag->qid = r->qid;
1317 /* add hints for ecn */
1318 atag->af = af;
1319 atag->hdr = mtod(m, struct ip *);
1320 m_tag_prepend(m, mtag);
1321 }
1322 }
1323 #endif
1324 m->m_data += max_linkhdr;
1325 m->m_pkthdr.len = m->m_len = len;
1326 m->m_pkthdr.rcvif = NULL;
1327 bzero(m->m_data, len);
1328 switch (af) {
1329 #ifdef INET
1330 case AF_INET:
1331 h = mtod(m, struct ip *);
1332
1333 /* IP header fields included in the TCP checksum */
1334 h->ip_p = IPPROTO_TCP;
1335 h->ip_len = tlen;
1336 h->ip_src.s_addr = saddr->v4.s_addr;
1337 h->ip_dst.s_addr = daddr->v4.s_addr;
1338
1339 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
1340 break;
1341 #endif /* INET */
1342 #ifdef INET6
1343 case AF_INET6:
1344 h6 = mtod(m, struct ip6_hdr *);
1345
1346 /* IP header fields included in the TCP checksum */
1347 h6->ip6_nxt = IPPROTO_TCP;
1348 h6->ip6_plen = htons(tlen);
1349 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
1350 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
1351
1352 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
1353 break;
1354 #endif /* INET6 */
1355 }
1356
1357 /* TCP header */
1358 th->th_sport = sport;
1359 th->th_dport = dport;
1360 th->th_seq = htonl(seq);
1361 th->th_ack = htonl(ack);
1362 th->th_off = tlen >> 2;
1363 th->th_flags = flags;
1364 th->th_win = htons(win);
1365
1366 if (mss) {
1367 opt = (char *)(th + 1);
1368 opt[0] = TCPOPT_MAXSEG;
1369 opt[1] = 4;
1370 mss = htons(mss);
1371 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
1372 }
1373
1374 switch (af) {
1375 #ifdef INET
1376 case AF_INET:
1377 /* TCP checksum */
1378 th->th_sum = in_cksum(m, len);
1379
1380 /* Finish the IP header */
1381 h->ip_v = 4;
1382 h->ip_hl = sizeof(*h) >> 2;
1383 h->ip_tos = IPTOS_LOWDELAY;
1384 h->ip_len = len;
1385 h->ip_off = path_mtu_discovery ? IP_DF : 0;
1386 h->ip_ttl = ttl ? ttl : ip_defttl;
1387 h->ip_sum = 0;
1388 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
1389 (void *)NULL);
1390 break;
1391 #endif /* INET */
1392 #ifdef INET6
1393 case AF_INET6:
1394 /* TCP checksum */
1395 th->th_sum = in6_cksum(m, IPPROTO_TCP,
1396 sizeof(struct ip6_hdr), tlen);
1397
1398 h6->ip6_vfc |= IPV6_VERSION;
1399 h6->ip6_hlim = IPV6_DEFHLIM;
1400
1401 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
1402 break;
1403 #endif /* INET6 */
1404 }
1405 }
1406
1407 void
1408 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
1409 struct pf_rule *r)
1410 {
1411 struct mbuf *m0;
1412
1413 m0 = m_copypacket(m, MB_DONTWAIT);
1414 if (m0 == NULL)
1415 return;
1416 m0->m_pkthdr.pf_flags |= PF_MBUF_GENERATED;
1417
1418 #ifdef ALTQ
1419 if (r->qid) {
1420 struct altq_tag *atag;
1421
1422 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT);
1423 if (mtag != NULL) {
1424 atag = (struct altq_tag *)(mtag + 1);
1425 atag->qid = r->qid;
1426 /* add hints for ecn */
1427 atag->af = af;
1428 atag->hdr = mtod(m0, struct ip *);
1429 m_tag_prepend(m0, mtag);
1430 }
1431 }
1432 #endif
1433
1434 switch (af) {
1435 #ifdef INET
1436 case AF_INET:
1437 icmp_error(m0, type, code, 0, (void *)NULL);
1438 break;
1439 #endif /* INET */
1440 #ifdef INET6
1441 case AF_INET6:
1442 icmp6_error(m0, type, code, 0);
1443 break;
1444 #endif /* INET6 */
1445 }
1446 }
1447
1448 /*
1449 * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
1450 * If n is 0, they match if they are equal. If n is != 0, they match if they
1451 * are different.
1452 */
1453 int
1454 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
1455 struct pf_addr *b, sa_family_t af)
1456 {
1457 int match = 0;
1458
1459 switch (af) {
1460 #ifdef INET
1461 case AF_INET:
1462 if ((a->addr32[0] & m->addr32[0]) ==
1463 (b->addr32[0] & m->addr32[0]))
1464 match++;
1465 break;
1466 #endif /* INET */
1467 #ifdef INET6
1468 case AF_INET6:
1469 if (((a->addr32[0] & m->addr32[0]) ==
1470 (b->addr32[0] & m->addr32[0])) &&
1471 ((a->addr32[1] & m->addr32[1]) ==
1472 (b->addr32[1] & m->addr32[1])) &&
1473 ((a->addr32[2] & m->addr32[2]) ==
1474 (b->addr32[2] & m->addr32[2])) &&
1475 ((a->addr32[3] & m->addr32[3]) ==
1476 (b->addr32[3] & m->addr32[3])))
1477 match++;
1478 break;
1479 #endif /* INET6 */
1480 }
1481 if (match) {
1482 if (n)
1483 return (0);
1484 else
1485 return (1);
1486 } else {
1487 if (n)
1488 return (1);
1489 else
1490 return (0);
1491 }
1492 }
1493
1494 int
1495 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
1496 {
1497 switch (op) {
1498 case PF_OP_IRG:
1499 return ((p > a1) && (p < a2));
1500 case PF_OP_XRG:
1501 return ((p < a1) || (p > a2));
1502 case PF_OP_RRG:
1503 return ((p >= a1) && (p <= a2));
1504 case PF_OP_EQ:
1505 return (p == a1);
1506 case PF_OP_NE:
1507 return (p != a1);
1508 case PF_OP_LT:
1509 return (p < a1);
1510 case PF_OP_LE:
1511 return (p <= a1);
1512 case PF_OP_GT:
1513 return (p > a1);
1514 case PF_OP_GE:
1515 return (p >= a1);
1516 }
1517 return (0); /* never reached */
1518 }
1519
1520 int
1521 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
1522 {
1523 a1 = ntohs(a1);
1524 a2 = ntohs(a2);
1525 p = ntohs(p);
1526 return (pf_match(op, a1, a2, p));
1527 }
1528
1529 int
1530 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
1531 {
1532 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
1533 return (0);
1534 return (pf_match(op, a1, a2, u));
1535 }
1536
1537 int
1538 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
1539 {
1540 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
1541 return (0);
1542 return (pf_match(op, a1, a2, g));
1543 }
1544
1545 static int
1546 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat_rule,
1547 int *tag)
1548 {
1549 if (*tag == -1) { /* find mbuf tag */
1550 if (nat_rule != NULL && nat_rule->tag)
1551 *tag = nat_rule->tag;
1552 else if (m->m_pkthdr.pf_flags & PF_MBUF_TAGGED)
1553 *tag = m->m_pkthdr.pf_tag;
1554 else
1555 *tag = 0;
1556 }
1557
1558 return ((!r->match_tag_not && r->match_tag == *tag) ||
1559 (r->match_tag_not && r->match_tag != *tag));
1560 }
1561
1562 void
1563 pf_tag_packet(struct mbuf *m, int tag)
1564 {
1565 if (tag <= 0)
1566 return;
1567
1568 m->m_pkthdr.pf_flags |= PF_MBUF_TAGGED;
1569 m->m_pkthdr.pf_tag = tag;
1570 }
1571
1572 #define PF_STEP_INTO_ANCHOR(r, a, s, n) \
1573 do { \
1574 if ((r) == NULL || (r)->anchor == NULL || \
1575 (s) != NULL || (a) != NULL) \
1576 panic("PF_STEP_INTO_ANCHOR"); \
1577 (a) = (r); \
1578 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \
1579 (r) = NULL; \
1580 while ((s) != NULL && ((r) = \
1581 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \
1582 (s) = TAILQ_NEXT((s), entries); \
1583 if ((r) == NULL) { \
1584 (r) = TAILQ_NEXT((a), entries); \
1585 (a) = NULL; \
1586 } \
1587 } while (0)
1588
1589 #define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \
1590 do { \
1591 if ((r) != NULL || (a) == NULL || (s) == NULL) \
1592 panic("PF_STEP_OUT_OF_ANCHOR"); \
1593 (s) = TAILQ_NEXT((s), entries); \
1594 while ((s) != NULL && ((r) = \
1595 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \
1596 (s) = TAILQ_NEXT((s), entries); \
1597 if ((r) == NULL) { \
1598 (r) = TAILQ_NEXT((a), entries); \
1599 (a) = NULL; \
1600 } \
1601 } while (0)
1602
1603 #ifdef INET6
1604 void
1605 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
1606 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
1607 {
1608 switch (af) {
1609 #ifdef INET
1610 case AF_INET:
1611 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
1612 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
1613 break;
1614 #endif /* INET */
1615 case AF_INET6:
1616 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
1617 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
1618 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
1619 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]);
1620 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
1621 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]);
1622 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
1623 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]);
1624 break;
1625 }
1626 }
1627
1628 void
1629 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
1630 {
1631 switch (af) {
1632 #ifdef INET
1633 case AF_INET:
1634 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
1635 break;
1636 #endif /* INET */
1637 case AF_INET6:
1638 if (addr->addr32[3] == 0xffffffff) {
1639 addr->addr32[3] = 0;
1640 if (addr->addr32[2] == 0xffffffff) {
1641 addr->addr32[2] = 0;
1642 if (addr->addr32[1] == 0xffffffff) {
1643 addr->addr32[1] = 0;
1644 addr->addr32[0] =
1645 htonl(ntohl(addr->addr32[0]) + 1);
1646 } else
1647 addr->addr32[1] =
1648 htonl(ntohl(addr->addr32[1]) + 1);
1649 } else
1650 addr->addr32[2] =
1651 htonl(ntohl(addr->addr32[2]) + 1);
1652 } else
1653 addr->addr32[3] =
1654 htonl(ntohl(addr->addr32[3]) + 1);
1655 break;
1656 }
1657 }
1658 #endif /* INET6 */
1659
1660 #define mix(a,b,c) \
1661 do { \
1662 a -= b; a -= c; a ^= (c >> 13); \
1663 b -= c; b -= a; b ^= (a << 8); \
1664 c -= a; c -= b; c ^= (b >> 13); \
1665 a -= b; a -= c; a ^= (c >> 12); \
1666 b -= c; b -= a; b ^= (a << 16); \
1667 c -= a; c -= b; c ^= (b >> 5); \
1668 a -= b; a -= c; a ^= (c >> 3); \
1669 b -= c; b -= a; b ^= (a << 10); \
1670 c -= a; c -= b; c ^= (b >> 15); \
1671 } while (0)
1672
1673 /*
1674 * hash function based on bridge_hash in if_bridge.c
1675 */
1676 void
1677 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
1678 struct pf_poolhashkey *key, sa_family_t af)
1679 {
1680 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
1681
1682 switch (af) {
1683 #ifdef INET
1684 case AF_INET:
1685 a += inaddr->addr32[0];
1686 b += key->key32[1];
1687 mix(a, b, c);
1688 hash->addr32[0] = c + key->key32[2];
1689 break;
1690 #endif /* INET */
1691 #ifdef INET6
1692 case AF_INET6:
1693 a += inaddr->addr32[0];
1694 b += inaddr->addr32[2];
1695 mix(a, b, c);
1696 hash->addr32[0] = c;
1697 a += inaddr->addr32[1];
1698 b += inaddr->addr32[3];
1699 c += key->key32[1];
1700 mix(a, b, c);
1701 hash->addr32[1] = c;
1702 a += inaddr->addr32[2];
1703 b += inaddr->addr32[1];
1704 c += key->key32[2];
1705 mix(a, b, c);
1706 hash->addr32[2] = c;
1707 a += inaddr->addr32[3];
1708 b += inaddr->addr32[0];
1709 c += key->key32[3];
1710 mix(a, b, c);
1711 hash->addr32[3] = c;
1712 break;
1713 #endif /* INET6 */
1714 }
1715 }
1716
1717 int
1718 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
1719 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
1720 {
1721 unsigned char hash[16];
1722 struct pf_pool *rpool = &r->rpool;
1723 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr;
1724 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask;
1725 struct pf_pooladdr *acur = rpool->cur;
1726 struct pf_src_node k;
1727
1728 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
1729 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
1730 k.af = af;
1731 PF_ACPY(&k.addr, saddr, af);
1732 if (r->rule_flag & PFRULE_RULESRCTRACK ||
1733 r->rpool.opts & PF_POOL_STICKYADDR)
1734 k.rule.ptr = r;
1735 else
1736 k.rule.ptr = NULL;
1737 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
1738 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
1739 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
1740 PF_ACPY(naddr, &(*sn)->raddr, af);
1741 if (pf_status.debug >= PF_DEBUG_MISC) {
1742 printf("pf_map_addr: src tracking maps ");
1743 pf_print_host(&k.addr, 0, af);
1744 printf(" to ");
1745 pf_print_host(naddr, 0, af);
1746 printf("\n");
1747 }
1748 return (0);
1749 }
1750 }
1751
1752 if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
1753 return (1);
1754 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
1755 if (af == AF_INET) {
1756 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
1757 (rpool->opts & PF_POOL_TYPEMASK) !=
1758 PF_POOL_ROUNDROBIN)
1759 return (1);
1760 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
1761 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
1762 } else {
1763 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
1764 (rpool->opts & PF_POOL_TYPEMASK) !=
1765 PF_POOL_ROUNDROBIN)
1766 return (1);
1767 raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
1768 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
1769 }
1770 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
1771 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
1772 return (1); /* unsupported */
1773 } else {
1774 raddr = &rpool->cur->addr.v.a.addr;
1775 rmask = &rpool->cur->addr.v.a.mask;
1776 }
1777
1778 switch (rpool->opts & PF_POOL_TYPEMASK) {
1779 case PF_POOL_NONE:
1780 PF_ACPY(naddr, raddr, af);
1781 break;
1782 case PF_POOL_BITMASK:
1783 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
1784 break;
1785 case PF_POOL_RANDOM:
1786 if (init_addr != NULL && PF_AZERO(init_addr, af)) {
1787 switch (af) {
1788 #ifdef INET
1789 case AF_INET:
1790 rpool->counter.addr32[0] = arc4random();
1791 break;
1792 #endif /* INET */
1793 #ifdef INET6
1794 case AF_INET6:
1795 if (rmask->addr32[3] != 0xffffffff)
1796 rpool->counter.addr32[3] = arc4random();
1797 else
1798 break;
1799 if (rmask->addr32[2] != 0xffffffff)
1800 rpool->counter.addr32[2] = arc4random();
1801 else
1802 break;
1803 if (rmask->addr32[1] != 0xffffffff)
1804 rpool->counter.addr32[1] = arc4random();
1805 else
1806 break;
1807 if (rmask->addr32[0] != 0xffffffff)
1808 rpool->counter.addr32[0] = arc4random();
1809 break;
1810 #endif /* INET6 */
1811 }
1812 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
1813 PF_ACPY(init_addr, naddr, af);
1814
1815 } else {
1816 PF_AINC(&rpool->counter, af);
1817 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
1818 }
1819 break;
1820 case PF_POOL_SRCHASH:
1821 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
1822 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
1823 break;
1824 case PF_POOL_ROUNDROBIN:
1825 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
1826 if (!pfr_pool_get(rpool->cur->addr.p.tbl,
1827 &rpool->tblidx, &rpool->counter,
1828 &raddr, &rmask, af))
1829 goto get_addr;
1830 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
1831 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
1832 &rpool->tblidx, &rpool->counter,
1833 &raddr, &rmask, af))
1834 goto get_addr;
1835 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
1836 goto get_addr;
1837
1838 try_next:
1839 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
1840 rpool->cur = TAILQ_FIRST(&rpool->list);
1841 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
1842 rpool->tblidx = -1;
1843 if (pfr_pool_get(rpool->cur->addr.p.tbl,
1844 &rpool->tblidx, &rpool->counter,
1845 &raddr, &rmask, af)) {
1846 /* table contains no address of type 'af' */
1847 if (rpool->cur != acur)
1848 goto try_next;
1849 return (1);
1850 }
1851 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
1852 rpool->tblidx = -1;
1853 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
1854 &rpool->tblidx, &rpool->counter,
1855 &raddr, &rmask, af)) {
1856 /* table contains no address of type 'af' */
1857 if (rpool->cur != acur)
1858 goto try_next;
1859 return (1);
1860 }
1861 } else {
1862 raddr = &rpool->cur->addr.v.a.addr;
1863 rmask = &rpool->cur->addr.v.a.mask;
1864 PF_ACPY(&rpool->counter, raddr, af);
1865 }
1866
1867 get_addr:
1868 PF_ACPY(naddr, &rpool->counter, af);
1869 PF_AINC(&rpool->counter, af);
1870 break;
1871 }
1872 if (*sn != NULL)
1873 PF_ACPY(&(*sn)->raddr, naddr, af);
1874
1875 if (pf_status.debug >= PF_DEBUG_MISC &&
1876 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
1877 printf("pf_map_addr: selected address ");
1878 pf_print_host(naddr, 0, af);
1879 printf("\n");
1880 }
1881
1882 return (0);
1883 }
1884
1885 int
1886 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
1887 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
1888 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
1889 struct pf_src_node **sn)
1890 {
1891 struct pf_state key;
1892 struct pf_addr init_addr;
1893 u_int16_t cut;
1894
1895 bzero(&init_addr, sizeof(init_addr));
1896 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
1897 return (1);
1898
1899 do {
1900 key.af = af;
1901 key.proto = proto;
1902 PF_ACPY(&key.ext.addr, daddr, key.af);
1903 PF_ACPY(&key.gwy.addr, naddr, key.af);
1904 key.ext.port = dport;
1905
1906 /*
1907 * port search; start random, step;
1908 * similar 2 portloop in in_pcbbind
1909 */
1910 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
1911 key.gwy.port = 0;
1912 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
1913 return (0);
1914 } else if (low == 0 && high == 0) {
1915 key.gwy.port = *nport;
1916 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
1917 return (0);
1918 } else if (low == high) {
1919 key.gwy.port = htons(low);
1920 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) {
1921 *nport = htons(low);
1922 return (0);
1923 }
1924 } else {
1925 u_int16_t tmp;
1926
1927 if (low > high) {
1928 tmp = low;
1929 low = high;
1930 high = tmp;
1931 }
1932 /* low < high */
1933 cut = arc4random() % (1 + high - low) + low;
1934 /* low <= cut <= high */
1935 for (tmp = cut; tmp <= high; ++(tmp)) {
1936 key.gwy.port = htons(tmp);
1937 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
1938 NULL) {
1939 *nport = htons(tmp);
1940 return (0);
1941 }
1942 }
1943 for (tmp = cut - 1; tmp >= low; --(tmp)) {
1944 key.gwy.port = htons(tmp);
1945 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
1946 NULL) {
1947 *nport = htons(tmp);
1948 return (0);
1949 }
1950 }
1951 }
1952
1953 switch (r->rpool.opts & PF_POOL_TYPEMASK) {
1954 case PF_POOL_RANDOM:
1955 case PF_POOL_ROUNDROBIN:
1956 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
1957 return (1);
1958 break;
1959 case PF_POOL_NONE:
1960 case PF_POOL_SRCHASH:
1961 case PF_POOL_BITMASK:
1962 default:
1963 return (1);
1964 }
1965 } while (! PF_AEQ(&init_addr, naddr, af) );
1966
1967 return (1); /* none available */
1968 }
1969
1970 struct pf_rule *
1971 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
1972 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
1973 struct pf_addr *daddr, u_int16_t dport, int rs_num)
1974 {
1975 struct pf_rule *r, *rm = NULL, *anchorrule = NULL;
1976 struct pf_ruleset *ruleset = NULL;
1977
1978 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
1979 while (r && rm == NULL) {
1980 struct pf_rule_addr *src = NULL, *dst = NULL;
1981 struct pf_addr_wrap *xdst = NULL;
1982
1983 if (r->action == PF_BINAT && direction == PF_IN) {
1984 src = &r->dst;
1985 if (r->rpool.cur != NULL)
1986 xdst = &r->rpool.cur->addr;
1987 } else {
1988 src = &r->src;
1989 dst = &r->dst;
1990 }
1991
1992 r->evaluations++;
1993 if (r->kif != NULL &&
1994 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
1995 r = r->skip[PF_SKIP_IFP].ptr;
1996 else if (r->direction && r->direction != direction)
1997 r = r->skip[PF_SKIP_DIR].ptr;
1998 else if (r->af && r->af != pd->af)
1999 r = r->skip[PF_SKIP_AF].ptr;
2000 else if (r->proto && r->proto != pd->proto)
2001 r = r->skip[PF_SKIP_PROTO].ptr;
2002 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not))
2003 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
2004 PF_SKIP_DST_ADDR].ptr;
2005 else if (src->port_op && !pf_match_port(src->port_op,
2006 src->port[0], src->port[1], sport))
2007 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
2008 PF_SKIP_DST_PORT].ptr;
2009 else if (dst != NULL &&
2010 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not))
2011 r = r->skip[PF_SKIP_DST_ADDR].ptr;
2012 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0))
2013 r = TAILQ_NEXT(r, entries);
2014 else if (dst != NULL && dst->port_op &&
2015 !pf_match_port(dst->port_op, dst->port[0],
2016 dst->port[1], dport))
2017 r = r->skip[PF_SKIP_DST_PORT].ptr;
2018 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
2019 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
2020 off, pd->hdr.tcp), r->os_fingerprint)))
2021 r = TAILQ_NEXT(r, entries);
2022 else if (r->anchorname[0] && r->anchor == NULL)
2023 r = TAILQ_NEXT(r, entries);
2024 else if (r->anchor == NULL)
2025 rm = r;
2026 else
2027 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num);
2028 if (r == NULL && anchorrule != NULL)
2029 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
2030 rs_num);
2031 }
2032 if (rm != NULL && (rm->action == PF_NONAT ||
2033 rm->action == PF_NORDR || rm->action == PF_NOBINAT))
2034 return (NULL);
2035 return (rm);
2036 }
2037
2038 struct pf_rule *
2039 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
2040 struct pfi_kif *kif, struct pf_src_node **sn,
2041 struct pf_addr *saddr, u_int16_t sport,
2042 struct pf_addr *daddr, u_int16_t dport,
2043 struct pf_addr *naddr, u_int16_t *nport)
2044 {
2045 struct pf_rule *r = NULL;
2046
2047 if (direction == PF_OUT) {
2048 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2049 sport, daddr, dport, PF_RULESET_BINAT);
2050 if (r == NULL)
2051 r = pf_match_translation(pd, m, off, direction, kif,
2052 saddr, sport, daddr, dport, PF_RULESET_NAT);
2053 } else {
2054 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2055 sport, daddr, dport, PF_RULESET_RDR);
2056 if (r == NULL)
2057 r = pf_match_translation(pd, m, off, direction, kif,
2058 saddr, sport, daddr, dport, PF_RULESET_BINAT);
2059 }
2060
2061 if (r != NULL) {
2062 switch (r->action) {
2063 case PF_NONAT:
2064 case PF_NOBINAT:
2065 case PF_NORDR:
2066 return (NULL);
2067 case PF_NAT:
2068 if (pf_get_sport(pd->af, pd->proto, r, saddr,
2069 daddr, dport, naddr, nport, r->rpool.proxy_port[0],
2070 r->rpool.proxy_port[1], sn)) {
2071 DPFPRINTF(PF_DEBUG_MISC,
2072 ("pf: NAT proxy port allocation "
2073 "(%u-%u) failed\n",
2074 r->rpool.proxy_port[0],
2075 r->rpool.proxy_port[1]));
2076 return (NULL);
2077 }
2078 break;
2079 case PF_BINAT:
2080 switch (direction) {
2081 case PF_OUT:
2082 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
2083 if (pd->af == AF_INET) {
2084 if (r->rpool.cur->addr.p.dyn->
2085 pfid_acnt4 < 1)
2086 return (NULL);
2087 PF_POOLMASK(naddr,
2088 &r->rpool.cur->addr.p.dyn->
2089 pfid_addr4,
2090 &r->rpool.cur->addr.p.dyn->
2091 pfid_mask4,
2092 saddr, AF_INET);
2093 } else {
2094 if (r->rpool.cur->addr.p.dyn->
2095 pfid_acnt6 < 1)
2096 return (NULL);
2097 PF_POOLMASK(naddr,
2098 &r->rpool.cur->addr.p.dyn->
2099 pfid_addr6,
2100 &r->rpool.cur->addr.p.dyn->
2101 pfid_mask6,
2102 saddr, AF_INET6);
2103 }
2104 } else
2105 PF_POOLMASK(naddr,
2106 &r->rpool.cur->addr.v.a.addr,
2107 &r->rpool.cur->addr.v.a.mask,
2108 saddr, pd->af);
2109 break;
2110 case PF_IN:
2111 if (r->src.addr.type == PF_ADDR_DYNIFTL){
2112 if (pd->af == AF_INET) {
2113 if (r->src.addr.p.dyn->
2114 pfid_acnt4 < 1)
2115 return (NULL);
2116 PF_POOLMASK(naddr,
2117 &r->src.addr.p.dyn->
2118 pfid_addr4,
2119 &r->src.addr.p.dyn->
2120 pfid_mask4,
2121 daddr, AF_INET);
2122 } else {
2123 if (r->src.addr.p.dyn->
2124 pfid_acnt6 < 1)
2125 return (NULL);
2126 PF_POOLMASK(naddr,
2127 &r->src.addr.p.dyn->
2128 pfid_addr6,
2129 &r->src.addr.p.dyn->
2130 pfid_mask6,
2131 daddr, AF_INET6);
2132 }
2133 } else
2134 PF_POOLMASK(naddr,
2135 &r->src.addr.v.a.addr,
2136 &r->src.addr.v.a.mask, daddr,
2137 pd->af);
2138 break;
2139 }
2140 break;
2141 case PF_RDR: {
2142 if (pf_map_addr(r->af, r, saddr, naddr, NULL, sn))
2143 return (NULL);
2144
2145 if (r->rpool.proxy_port[1]) {
2146 u_int32_t tmp_nport;
2147
2148 tmp_nport = ((ntohs(dport) -
2149 ntohs(r->dst.port[0])) %
2150 (r->rpool.proxy_port[1] -
2151 r->rpool.proxy_port[0] + 1)) +
2152 r->rpool.proxy_port[0];
2153
2154 /* wrap around if necessary */
2155 if (tmp_nport > 65535)
2156 tmp_nport -= 65535;
2157 *nport = htons((u_int16_t)tmp_nport);
2158 } else if (r->rpool.proxy_port[0])
2159 *nport = htons(r->rpool.proxy_port[0]);
2160 break;
2161 }
2162 default:
2163 return (NULL);
2164 }
2165 }
2166
2167 return (r);
2168 }
2169
2170 #ifdef SMP
2171 struct netmsg_hashlookup {
2172 struct lwkt_msg nm_lmsg;
2173 struct inpcb **nm_pinp;
2174 struct inpcbinfo *nm_pcbinfo;
2175 struct pf_addr *nm_saddr;
2176 struct pf_addr *nm_daddr;
2177 uint16_t nm_sport;
2178 uint16_t nm_dport;
2179 sa_family_t nm_af;
2180 };
2181
2182 static int
2183 in_pcblookup_hash_handler(struct lwkt_msg *msg0)
2184 {
2185 struct netmsg_hashlookup *msg = (struct netmsg_hashlookup *)msg0;
2186
2187 if (msg->nm_af == AF_INET)
2188 *msg->nm_pinp = in_pcblookup_hash(msg->nm_pcbinfo,
2189 msg->nm_saddr->v4, msg->nm_sport, msg->nm_daddr->v4,
2190 msg->nm_dport, INPLOOKUP_WILDCARD, NULL);
2191 #ifdef INET6
2192 else
2193 *msg->nm_pinp = in6_pcblookup_hash(msg->nm_pcbinfo,
2194 &msg->nm_saddr->v6, msg->nm_sport, &msg->nm_daddr->v6,
2195 msg->nm_dport, INPLOOKUP_WILDCARD, NULL);
2196 #endif /* INET6 */
2197 lwkt_replymsg(&msg->nm_lmsg, 0);
2198 return (EASYNC);
2199 }
2200 #endif /* SMP */
2201
2202 int
2203 pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd)
2204 {
2205 struct pf_addr *saddr, *daddr;
2206 u_int16_t sport, dport;
2207 struct inpcbinfo *pi;
2208 struct inpcb *inp;
2209 #ifdef SMP
2210 struct netmsg_hashlookup *msg = NULL;
2211 #endif
2212 int pi_cpu = 0;
2213
2214 *uid = UID_MAX;
2215 *gid = GID_MAX;
2216 if (direction == PF_IN) {
2217 saddr = pd->src;
2218 daddr = pd->dst;
2219 } else {
2220 saddr = pd->dst;
2221 daddr = pd->src;
2222 }
2223 switch (pd->proto) {
2224 case IPPROTO_TCP:
2225 sport = pd->hdr.tcp->th_sport;
2226 dport = pd->hdr.tcp->th_dport;
2227
2228 pi_cpu = tcp_addrcpu(saddr->v4.s_addr, sport, daddr->v4.s_addr, dport);
2229 pi = &tcbinfo[pi_cpu];
2230 #ifdef SMP
2231 /*
2232 * Our netstack runs lockless on MP systems
2233 * (only for TCP connections at the moment).
2234 *
2235 * As we are not allowed to read another CPU's tcbinfo,
2236 * we have to ask that CPU via remote call to search the
2237 * table for us.
2238 *
2239 * Prepare a msg iff data belongs to another CPU.
2240 */
2241 if (pi_cpu != mycpu->gd_cpuid) {
2242 msg = malloc(sizeof(*msg), M_LWKTMSG, M_INTWAIT);
2243 lwkt_initmsg(&msg->nm_lmsg, &netisr_afree_rport, 0,
2244 lwkt_cmd_func(in_pcblookup_hash_handler),
2245 lwkt_cmd_op_none);
2246 msg->nm_pinp = &inp;
2247 msg->nm_pcbinfo = pi;
2248 msg->nm_saddr = saddr;
2249 msg->nm_sport = sport;
2250 msg->nm_daddr = daddr;
2251 msg->nm_dport = dport;
2252 msg->nm_af = pd->af;
2253 }
2254 #endif /* SMP */
2255 break;
2256 case IPPROTO_UDP:
2257 sport = pd->hdr.udp->uh_sport;
2258 dport = pd->hdr.udp->uh_dport;
2259 pi = &udbinfo;
2260 break;
2261 default:
2262 return (0);
2263 }
2264 if (direction != PF_IN) {
2265 u_int16_t p;
2266
2267 p = sport;
2268 sport = dport;
2269 dport = p;
2270 }
2271 switch (pd->af) {
2272 #ifdef INET6
2273 case AF_INET6:
2274 #ifdef SMP
2275 /*
2276 * Query other CPU, second part
2277 *
2278 * msg only gets initialized when:
2279 * 1) packet is TCP
2280 * 2) the info belongs to another CPU
2281 *
2282 * Use some switch/case magic to avoid code duplication.
2283 */
2284 if (msg == NULL)
2285 #endif /* SMP */
2286 {
2287 inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
2288 &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
2289
2290 if (inp == NULL)
2291 return (0);
2292 break;
2293 }
2294 /* FALLTHROUGH if SMP and on other CPU */
2295 #endif /* INET6 */
2296 case AF_INET:
2297 #ifdef SMP
2298 if (msg != NULL) {
2299 lwkt_sendmsg(tcp_cport(pi_cpu), &msg->nm_lmsg);
2300 } else
2301 #endif /* SMP */
2302 {
2303 inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
2304 dport, INPLOOKUP_WILDCARD, NULL);
2305 }
2306 if (inp == NULL)
2307 return (0);
2308 break;
2309
2310 default:
2311 return (0);
2312 }
2313 *uid = inp->inp_socket->so_cred->cr_uid;
2314 *gid = inp->inp_socket->so_cred->cr_groups[0];
2315 return (1);
2316 }
2317
2318 u_int8_t
2319 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2320 {
2321 int hlen;
2322 u_int8_t hdr[60];
2323 u_int8_t *opt, optlen;
2324 u_int8_t wscale = 0;
2325
2326 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
2327 if (hlen <= sizeof(struct tcphdr))
2328 return (0);
2329 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2330 return (0);
2331 opt = hdr + sizeof(struct tcphdr);
2332 hlen -= sizeof(struct tcphdr);
2333 while (hlen >= 3) {
2334 switch (*opt) {
2335 case TCPOPT_EOL:
2336 case TCPOPT_NOP:
2337 ++opt;
2338 --hlen;
2339 break;
2340 case TCPOPT_WINDOW:
2341 wscale = opt[2];
2342 if (wscale > TCP_MAX_WINSHIFT)
2343 wscale = TCP_MAX_WINSHIFT;
2344 wscale |= PF_WSCALE_FLAG;
2345 /* FALLTHROUGH */
2346 default:
2347 optlen = opt[1];
2348 if (optlen < 2)
2349 optlen = 2;
2350 hlen -= optlen;
2351 opt += optlen;
2352 break;
2353 }
2354 }
2355 return (wscale);
2356 }
2357
2358 u_int16_t
2359 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2360 {
2361 int hlen;
2362 u_int8_t hdr[60];
2363 u_int8_t *opt, optlen;
2364 u_int16_t mss = tcp_mssdflt;
2365
2366 hlen = th_off << 2; /* hlen <= sizeof(hdr) */
2367 if (hlen <= sizeof(struct tcphdr))
2368 return (0);
2369 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2370 return (0);
2371 opt = hdr + sizeof(struct tcphdr);
2372 hlen -= sizeof(struct tcphdr);
2373 while (hlen >= TCPOLEN_MAXSEG) {
2374 switch (*opt) {
2375 case TCPOPT_EOL:
2376 case TCPOPT_NOP:
2377 ++opt;
2378 --hlen;
2379 break;
2380 case TCPOPT_MAXSEG:
2381 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
2382 /* FALLTHROUGH */
2383 default:
2384 optlen = opt[1];
2385 if (optlen < 2)
2386 optlen = 2;
2387 hlen -= optlen;
2388 opt += optlen;
2389 break;
2390 }
2391 }
2392 return (mss);
2393 }
2394
2395 u_int16_t
2396 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
2397 {
2398 #ifdef INET
2399 struct sockaddr_in *dst;
2400 struct route ro;
2401 #endif /* INET */
2402 #ifdef INET6
2403 struct sockaddr_in6 *dst6;
2404 struct route_in6 ro6;
2405 #endif /* INET6 */
2406 struct rtentry *rt = NULL;
2407 int hlen = 0;
2408 u_int16_t mss = tcp_mssdflt;
2409
2410 switch (af) {
2411 #ifdef INET
2412 case AF_INET:
2413 hlen = sizeof(struct ip);
2414 bzero(&ro, sizeof(ro));
2415 dst = (struct sockaddr_in *)&ro.ro_dst;
2416 dst->sin_family = AF_INET;
2417 dst->sin_len = sizeof(*dst);
2418 dst->sin_addr = addr->v4;
2419 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
2420 rt = ro.ro_rt;
2421 break;
2422 #endif /* INET */
2423 #ifdef INET6
2424 case AF_INET6:
2425 hlen = sizeof(struct ip6_hdr);
2426 bzero(&ro6, sizeof(ro6));
2427 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst;
2428 dst6->sin6_family = AF_INET6;
2429 dst6->sin6_len = sizeof(*dst6);
2430 dst6->sin6_addr = addr->v6;
2431 rtalloc_ign((struct route *)&ro6, (RTF_CLONING | RTF_PRCLONING));
2432 rt = ro6.ro_rt;
2433 break;
2434 #endif /* INET6 */
2435 }
2436
2437 if (rt && rt->rt_ifp) {
2438 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr);
2439 mss = max(tcp_mssdflt, mss);
2440 RTFREE(rt);
2441 }
2442 mss = min(mss, offer);
2443 mss = max(mss, 64); /* sanity - at least max opt space */
2444 return (mss);
2445 }
2446
2447 void
2448 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
2449 {
2450 struct pf_rule *r = s->rule.ptr;
2451
2452 s->rt_kif = NULL;
2453 if (!r->rt || r->rt == PF_FASTROUTE)
2454 return;
2455 switch (s->af) {
2456 #ifdef INET
2457 case AF_INET:
2458 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL,
2459 &s->nat_src_node);
2460 s->rt_kif = r->rpool.cur->kif;
2461 break;
2462 #endif /* INET */
2463 #ifdef INET6
2464 case AF_INET6:
2465 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL,
2466 &s->nat_src_node);
2467 s->rt_kif = r->rpool.cur->kif;
2468 break;
2469 #endif /* INET6 */
2470 }
2471 }
2472
2473 int
2474 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
2475 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
2476 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm)
2477 {
2478 struct pf_rule *nr = NULL;
2479 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
2480 struct tcphdr *th = pd->hdr.tcp;
2481 u_int16_t bport, nport = 0;
2482 sa_family_t af = pd->af;
2483 int lookup = -1;
2484 uid_t uid;
2485 gid_t gid;
2486 struct pf_rule *r, *a = NULL;
2487 struct pf_ruleset *ruleset = NULL;
2488 struct pf_src_node *nsn = NULL;
2489 u_short reason;
2490 int rewrite = 0;
2491 int tag = -1;
2492 u_int16_t mss = tcp_mssdflt;
2493
2494 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
2495
2496 if (direction == PF_OUT) {
2497 bport = nport = th->th_sport;
2498 /* check outgoing packet for BINAT/NAT */
2499 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
2500 saddr, th->th_sport, daddr, th->th_dport,
2501 &pd->naddr, &nport)) != NULL) {
2502 PF_ACPY(&pd->baddr, saddr, af);
2503 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
2504 &th->th_sum, &pd->naddr, nport, 0, af);
2505 rewrite++;
2506 if (nr->natpass)
2507 r = NULL;
2508 pd->nat_rule = nr;
2509 }
2510 } else {
2511 bport = nport = th->th_dport;
2512 /* check incoming packet for BINAT/RDR */
2513 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
2514 saddr, th->th_sport, daddr, th->th_dport,
2515 &pd->naddr, &nport)) != NULL) {
2516 PF_ACPY(&pd->baddr, daddr, af);
2517 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
2518 &th->th_sum, &pd->naddr, nport, 0, af);
2519 rewrite++;
2520 if (nr->natpass)
2521 r = NULL;
2522 pd->nat_rule = nr;
2523 }
2524 }
2525
2526 while (r != NULL) {
2527 r->evaluations++;
2528 if (r->kif != NULL &&
2529 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
2530 r = r->skip[PF_SKIP_IFP].ptr;
2531 else if (r->direction && r->direction != direction)
2532 r = r->skip[PF_SKIP_DIR].ptr;
2533 else if (r->af && r->af != af)
2534 r = r->skip[PF_SKIP_AF].ptr;
2535 else if (r->proto && r->proto != IPPROTO_TCP)
2536 r = r->skip[PF_SKIP_PROTO].ptr;
2537 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
2538 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
2539 else if (r->src.port_op && !pf_match_port(r->src.port_op,
2540 r->src.port[0], r->src.port[1], th->th_sport))
2541 r = r->skip[PF_SKIP_SRC_PORT].ptr;
2542 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
2543 r = r->skip[PF_SKIP_DST_ADDR].ptr;
2544 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
2545 r->dst.port[0], r->dst.port[1], th->th_dport))
2546 r = r->skip[PF_SKIP_DST_PORT].ptr;
2547 else if (r->tos && !(r->tos & pd->tos))
2548 r = TAILQ_NEXT(r, entries);
2549 else if (r->rule_flag & PFRULE_FRAGMENT)
2550 r = TAILQ_NEXT(r, entries);
2551 else if ((r->flagset & th->th_flags) != r->flags)
2552 r = TAILQ_NEXT(r, entries);
2553 else if (r->uid.op && (lookup != -1 || (lookup =
2554 pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2555 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
2556 uid))
2557 r = TAILQ_NEXT(r, entries);
2558 else if (r->gid.op && (lookup != -1 || (lookup =
2559 pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2560 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
2561 gid))
2562 r = TAILQ_NEXT(r, entries);
2563 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
2564 r = TAILQ_NEXT(r, entries);
2565 else if (r->anchorname[0] && r->anchor == NULL)
2566 r = TAILQ_NEXT(r, entries);
2567 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
2568 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint))
2569 r = TAILQ_NEXT(r, entries);
2570 else {
2571 if (r->tag)
2572 tag = r->tag;
2573 if (r->anchor == NULL) {
2574 *rm = r;
2575 *am = a;
2576 *rsm = ruleset;
2577 if ((*rm)->quick)
2578 break;
2579 r = TAILQ_NEXT(r, entries);
2580 } else
2581 PF_STEP_INTO_ANCHOR(r, a, ruleset,
2582 PF_RULESET_FILTER);
2583 }
2584 if (r == NULL && a != NULL)
2585 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
2586 PF_RULESET_FILTER);
2587 }
2588 r = *rm;
2589 a = *am;
2590 ruleset = *rsm;
2591
2592 REASON_SET(&reason, PFRES_MATCH);
2593
2594 if (r->log) {
2595 if (rewrite)
2596 m_copyback(m, off, sizeof(*th), (caddr_t)th);
2597 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
2598 }
2599
2600 if ((r->action == PF_DROP) &&
2601 ((r->rule_flag & PFRULE_RETURNRST) ||
2602 (r->rule_flag & PFRULE_RETURNICMP) ||
2603 (r->rule_flag & PFRULE_RETURN))) {
2604 /* undo NAT changes, if they have taken place */
2605 if (nr != NULL) {
2606 if (direction == PF_OUT) {
2607 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
2608 &th->th_sum, &pd->baddr, bport, 0, af);
2609 rewrite++;
2610 } else {
2611 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
2612 &th->th_sum, &pd->baddr, bport, 0, af);
2613 rewrite++;
2614 }
2615 }
2616 if (((r->rule_flag & PFRULE_RETURNRST) ||
2617 (r->rule_flag & PFRULE_RETURN)) &&
2618 !(th->th_flags & TH_RST)) {
2619 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
2620
2621 if (th->th_flags & TH_SYN)
2622 ack++;
2623 if (th->th_flags & TH_FIN)
2624 ack++;
2625 pf_send_tcp(r, af, pd->dst,
2626 pd->src, th->th_dport, th->th_sport,
2627 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
2628 r->return_ttl);
2629 } else if ((af == AF_INET) && r->return_icmp)
2630 pf_send_icmp(m, r->return_icmp >> 8,
2631 r->return_icmp & 255, af, r);
2632 else if ((af == AF_INET6) && r->return_icmp6)
2633 pf_send_icmp(m, r->return_icmp6 >> 8,
2634 r->return_icmp6 & 255, af, r);
2635 }
2636
2637 if (r->action == PF_DROP)
2638 return (PF_DROP);
2639
2640 pf_tag_packet(m, tag);
2641
2642 if (r->keep_state || nr != NULL ||
2643 (pd->flags & PFDESC_TCP_NORM)) {
2644 /* create new state */
2645 u_int16_t len;
2646 struct pf_state *s = NULL;
2647 struct pf_src_node *sn = NULL;
2648
2649 len = pd->tot_len - off - (th->th_off << 2);
2650
2651 /* check maximums */
2652 if (r->max_states && (r->states >= r->max_states))
2653 goto cleanup;
2654 /* src node for flter rule */
2655 if ((r->rule_flag & PFRULE_SRCTRACK ||
2656 r->rpool.opts & PF_POOL_STICKYADDR) &&
2657 pf_insert_src_node(&sn, r, saddr, af) != 0)
2658 goto cleanup;
2659 /* src node for translation rule */
2660 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
2661 ((direction == PF_OUT &&
2662 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
2663 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
2664 goto cleanup;
2665 s = pool_get(&pf_state_pl, PR_NOWAIT);
2666 if (s == NULL) {
2667 cleanup:
2668 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
2669 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
2670 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
2671 pf_status.src_nodes--;
2672 pool_put(&pf_src_tree_pl, sn);
2673 }
2674 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
2675 nsn->expire == 0) {
2676 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
2677 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
2678 pf_status.src_nodes--;
2679 pool_put(&pf_src_tree_pl, nsn);
2680 }
2681 REASON_SET(&reason, PFRES_MEMORY);
2682 return (PF_DROP);
2683 }
2684 bzero(s, sizeof(*s));
2685 r->states++;
2686 if (a != NULL)
2687 a->states++;
2688 s->rule.ptr = r;
2689 s->nat_rule.ptr = nr;
2690 if (s->nat_rule.ptr != NULL)
2691 s->nat_rule.ptr->states++;
2692 s->anchor.ptr = a;
2693 s->allow_opts = r->allow_opts;
2694 s->log = r->log & 2;
2695 s->proto = IPPROTO_TCP;
2696 s->direction = direction;
2697 s->af = af;
2698 if (direction == PF_OUT) {
2699 PF_ACPY(&s->gwy.addr, saddr, af);
2700 s->gwy.port = th->th_sport; /* sport */
2701 PF_ACPY(&s->ext.addr, daddr, af);
2702 s->ext.port = th->th_dport;
2703 if (nr != NULL) {
2704 PF_ACPY(&s->lan.addr, &pd->baddr, af);
2705 s->lan.port = bport;
2706 } else {
2707 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
2708 s->lan.port = s->gwy.port;
2709 }
2710 } else {
2711 PF_ACPY(&s->lan.addr, daddr, af);
2712 s->lan.port = th->th_dport;
2713 PF_ACPY(&s->ext.addr, saddr, af);
2714 s->ext.port = th->th_sport;
2715 if (nr != NULL) {
2716 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
2717 s->gwy.port = bport;
2718 } else {
2719 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
2720 s->gwy.port = s->lan.port;
2721 }
2722 }
2723
2724 s->src.seqlo = ntohl(th->th_seq);
2725 s->src.seqhi = s->src.seqlo + len + 1;
2726 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
2727 r->keep_state == PF_STATE_MODULATE) {
2728 /* Generate sequence number modulator */
2729 while ((s->src.seqdiff = arc4random()) == 0)
2730 ;
2731 pf_change_a(&th->th_seq, &th->th_sum,
2732 htonl(s->src.seqlo + s->src.seqdiff), 0);
2733 rewrite = 1;
2734 } else
2735 s->src.seqdiff = 0;
2736 if (th->th_flags & TH_SYN) {
2737 s->src.seqhi++;
2738 s->src.wscale = pf_get_wscale(m, off, th->th_off, af);
2739 }
2740 s->src.max_win = MAX(ntohs(th->th_win), 1);
2741 if (s->src.wscale & PF_WSCALE_MASK) {
2742 /* Remove scale factor from initial window */
2743 int win = s->src.max_win;
2744 win += 1 << (s->src.wscale & PF_WSCALE_MASK);
2745 s->src.max_win = (win - 1) >>
2746 (s->src.wscale & PF_WSCALE_MASK);
2747 }
2748 if (th->th_flags & TH_FIN)
2749 s->src.seqhi++;
2750 s->dst.seqhi = 1;
2751 s->dst.max_win = 1;
2752 s->src.state = TCPS_SYN_SENT;
2753 s->dst.state = TCPS_CLOSED;
2754 s->creation = time_second;
2755 s->expire = time_second;
2756 s->timeout = PFTM_TCP_FIRST_PACKET;
2757 pf_set_rt_ifp(s, saddr);
2758 if (sn != NULL) {
2759 s->src_node = sn;
2760 s->src_node->states++;
2761 }
2762 if (nsn != NULL) {
2763 PF_ACPY(&nsn->raddr, &pd->naddr, af);
2764 s->nat_src_node = nsn;
2765 s->nat_src_node->states++;
2766 }
2767 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
2768 off, pd, th, &s->src, &s->dst)) {
2769 REASON_SET(&reason, PFRES_MEMORY);
2770 pf_src_tree_remove_state(s);
2771 pool_put(&pf_state_pl, s);
2772 return (PF_DROP);
2773 }
2774 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
2775 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src,
2776 &s->dst, &rewrite)) {
2777 pf_normalize_tcp_cleanup(s);
2778 pf_src_tree_remove_state(s);
2779 pool_put(&pf_state_pl, s);
2780 return (PF_DROP);
2781 }
2782 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
2783 pf_normalize_tcp_cleanup(s);
2784 REASON_SET(&reason, PFRES_MEMORY);
2785 pf_src_tree_remove_state(s);
2786 pool_put(&pf_state_pl, s);
2787 return (PF_DROP);
2788 } else
2789 *sm = s;
2790 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
2791 r->keep_state == PF_STATE_SYNPROXY) {
2792 s->src.state = PF_TCPS_PROXY_SRC;
2793 if (nr != NULL) {
2794 if (direction == PF_OUT) {
2795 pf_change_ap(saddr, &th->th_sport,
2796 pd->ip_sum, &th->th_sum, &pd->baddr,
2797 bport, 0, af);
2798 } else {
2799 pf_change_ap(daddr, &th->th_dport,
2800 pd->ip_sum, &th->th_sum, &pd->baddr,
2801 bport, 0, af);
2802 }
2803 }
2804 s->src.seqhi = arc4random();
2805 /* Find mss option */
2806 mss = pf_get_mss(m, off, th->th_off, af);
2807 mss = pf_calc_mss(saddr, af, mss);
2808 mss = pf_calc_mss(daddr, af, mss);
2809 s->src.mss = mss;
2810 pf_send_tcp(r, af, daddr, saddr, th->th_dport,
2811 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
2812 TH_SYN|TH_ACK, 0, s->src.mss, 0);
2813 return (PF_SYNPROXY_DROP);
2814 }
2815 }
2816
2817 /* copy back packet headers if we performed NAT operations */
2818 if (rewrite)
2819 m_copyback(m, off, sizeof(*th), (caddr_t)th);
2820
2821 return (PF_PASS);
2822 }
2823
2824 int
2825 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
2826 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
2827 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm)
2828 {
2829 struct pf_rule *nr = NULL;
2830 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
2831 struct udphdr *uh = pd->hdr.udp;
2832 u_int16_t bport, nport = 0;
2833 sa_family_t af = pd->af;
2834 int lookup = -1;
2835 uid_t uid;
2836 gid_t gid;
2837 struct pf_rule *r, *a = NULL;
2838 struct pf_ruleset *ruleset = NULL;
2839 struct pf_src_node *nsn = NULL;
2840 u_short reason;
2841 int rewrite = 0;
2842 int tag = -1;
2843
2844 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
2845
2846 if (direction == PF_OUT) {
2847 bport = nport = uh->uh_sport;
2848 /* check outgoing packet for BINAT/NAT */
2849 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
2850 saddr, uh->uh_sport, daddr, uh->uh_dport,
2851 &pd->naddr, &nport)) != NULL) {
2852 PF_ACPY(&pd->baddr, saddr, af);
2853 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
2854 &uh->uh_sum, &pd->naddr, nport, 1, af);
2855 rewrite++;
2856 if (nr->natpass)
2857 r = NULL;
2858 pd->nat_rule = nr;
2859 }
2860 } else {
2861 bport = nport = uh->uh_dport;
2862 /* check incoming packet for BINAT/RDR */
2863 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
2864 saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr,
2865 &nport)) != NULL) {
2866 PF_ACPY(&pd->baddr, daddr, af);
2867 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
2868 &uh->uh_sum, &pd->naddr, nport, 1, af);
2869 rewrite++;
2870 if (nr->natpass)
2871 r = NULL;
2872 pd->nat_rule = nr;
2873 }
2874 }
2875
2876 while (r != NULL) {
2877 r->evaluations++;
2878 if (r->kif != NULL &&
2879 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
2880 r = r->skip[PF_SKIP_IFP].ptr;
2881 else if (r->direction && r->direction != direction)
2882 r = r->skip[PF_SKIP_DIR].ptr;
2883 else if (r->af && r->af != af)
2884 r = r->skip[PF_SKIP_AF].ptr;
2885 else if (r->proto && r->proto != IPPROTO_UDP)
2886 r = r->skip[PF_SKIP_PROTO].ptr;
2887 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
2888 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
2889 else if (r->src.port_op && !pf_match_port(r->src.port_op,
2890 r->src.port[0], r->src.port[1], uh->uh_sport))
2891 r = r->skip[PF_SKIP_SRC_PORT].ptr;
2892 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
2893 r = r->skip[PF_SKIP_DST_ADDR].ptr;
2894 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
2895 r->dst.port[0], r->dst.port[1], uh->uh_dport))
2896 r = r->skip[PF_SKIP_DST_PORT].ptr;
2897 else if (r->tos && !(r->tos & pd->tos))
2898 r = TAILQ_NEXT(r, entries);
2899 else if (r->rule_flag & PFRULE_FRAGMENT)
2900 r = TAILQ_NEXT(r, entries);
2901 else if (r->uid.op && (lookup != -1 || (lookup =
2902 pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2903 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
2904 uid))
2905 r = TAILQ_NEXT(r, entries);
2906 else if (r->gid.op && (lookup != -1 || (lookup =
2907 pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2908 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
2909 gid))
2910 r = TAILQ_NEXT(r, entries);
2911 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
2912 r = TAILQ_NEXT(r, entries);
2913 else if (r->anchorname[0] && r->anchor == NULL)
2914 r = TAILQ_NEXT(r, entries);
2915 else if (r->os_fingerprint != PF_OSFP_ANY)
2916 r = TAILQ_NEXT(r, entries);
2917 else {
2918 if (r->tag)
2919 tag = r->tag;
2920 if (r->anchor == NULL) {
2921 *rm = r;
2922 *am = a;
2923 *rsm = ruleset;
2924 if ((*rm)->quick)
2925 break;
2926 r = TAILQ_NEXT(r, entries);
2927 } else
2928 PF_STEP_INTO_ANCHOR(r, a, ruleset,
2929 PF_RULESET_FILTER);
2930 }
2931 if (r == NULL && a != NULL)
2932 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
2933 PF_RULESET_FILTER);
2934 }
2935 r = *rm;
2936 a = *am;
2937 ruleset = *rsm;
2938
2939 REASON_SET(&reason, PFRES_MATCH);
2940
2941 if (r->log) {
2942 if (rewrite)
2943 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
2944 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
2945 }
2946
2947 if ((r->action == PF_DROP) &&
2948 ((r->rule_flag & PFRULE_RETURNICMP) ||
2949 (r->rule_flag & PFRULE_RETURN))) {
2950 /* undo NAT changes, if they have taken place */
2951 if (nr != NULL) {
2952 if (direction == PF_OUT) {
2953 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
2954 &uh->uh_sum, &pd->baddr, bport, 1, af);
2955 rewrite++;
2956 } else {
2957 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
2958 &uh->uh_sum, &pd->baddr, bport, 1, af);
2959 rewrite++;
2960 }
2961 }
2962 if ((af == AF_INET) && r->return_icmp)
2963 pf_send_icmp(m, r->return_icmp >> 8,
2964 r->return_icmp & 255, af, r);
2965 else if ((af == AF_INET6) && r->return_icmp6)
2966 pf_send_icmp(m, r->return_icmp6 >> 8,
2967 r->return_icmp6 & 255, af, r);
2968 }
2969
2970 if (r->action == PF_DROP)
2971 return (PF_DROP);
2972
2973 pf_tag_packet(m, tag);
2974
2975 if (r->keep_state || nr != NULL) {
2976 /* create new state */
2977 struct pf_state *s = NULL;
2978 struct pf_src_node *sn = NULL;
2979
2980 /* check maximums */
2981 if (r->max_states && (r->states >= r->max_states))
2982 goto cleanup;
2983 /* src node for flter rule */
2984 if ((r->rule_flag & PFRULE_SRCTRACK ||
2985 r->rpool.opts & PF_POOL_STICKYADDR) &&
2986 pf_insert_src_node(&sn, r, saddr, af) != 0)
2987 goto cleanup;
2988 /* src node for translation rule */
2989 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
2990 ((direction == PF_OUT &&
2991 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
2992 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
2993 goto cleanup;
2994 s = pool_get(&pf_state_pl, PR_NOWAIT);
2995 if (s == NULL) {
2996 cleanup:
2997 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
2998 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
2999 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3000 pf_status.src_nodes--;
3001 pool_put(&pf_src_tree_pl, sn);
3002 }
3003 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3004 nsn->expire == 0) {
3005 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3006 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3007 pf_status.src_nodes--;
3008 pool_put(&pf_src_tree_pl, nsn);
3009 }
3010 REASON_SET(&reason, PFRES_MEMORY);
3011 return (PF_DROP);
3012 }
3013 bzero(s, sizeof(*s));
3014 r->states++;
3015 if (a != NULL)
3016 a->states++;
3017 s->rule.ptr = r;
3018 s->nat_rule.ptr = nr;
3019 if (s->nat_rule.ptr != NULL)
3020 s->nat_rule.ptr->states++;
3021 s->anchor.ptr = a;
3022 s->allow_opts = r->allow_opts;
3023 s->log = r->log & 2;
3024 s->proto = IPPROTO_UDP;
3025 s->direction = direction;
3026 s->af = af;
3027 if (direction == PF_OUT) {
3028 PF_ACPY(&s->gwy.addr, saddr, af);
3029 s->gwy.port = uh->uh_sport;
3030 PF_ACPY(&s->ext.addr, daddr, af);
3031 s->ext.port = uh->uh_dport;
3032 if (nr != NULL) {
3033 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3034 s->lan.port = bport;
3035 } else {
3036 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3037 s->lan.port = s->gwy.port;
3038 }
3039 } else {
3040 PF_ACPY(&s->lan.addr, daddr, af);
3041 s->lan.port = uh->uh_dport;
3042 PF_ACPY(&s->ext.addr, saddr, af);
3043 s->ext.port = uh->uh_sport;
3044 if (nr != NULL) {
3045 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3046 s->gwy.port = bport;
3047 } else {
3048 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3049 s->gwy.port = s->lan.port;
3050 }
3051 }
3052 s->src.state = PFUDPS_SINGLE;
3053 s->dst.state = PFUDPS_NO_TRAFFIC;
3054 s->creation = time_second;
3055 s->expire = time_second;
3056 s->timeout = PFTM_UDP_FIRST_PACKET;
3057 pf_set_rt_ifp(s, saddr);
3058 if (sn != NULL) {
3059 s->src_node = sn;
3060 s->src_node->states++;
3061 }
3062 if (nsn != NULL) {
3063 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3064 s->nat_src_node = nsn;
3065 s->nat_src_node->states++;
3066 }
3067 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3068 REASON_SET(&reason, PFRES_MEMORY);
3069 pf_src_tree_remove_state(s);
3070 pool_put(&pf_state_pl, s);
3071 return (PF_DROP);
3072 } else
3073 *sm = s;
3074 }
3075
3076 /* copy back packet headers if we performed NAT operations */
3077 if (rewrite)
3078 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3079
3080 return (PF_PASS);
3081 }
3082
3083 int
3084 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
3085 struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3086 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm)
3087 {
3088 struct pf_rule *nr = NULL;
3089 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3090 struct pf_rule *r, *a = NULL;
3091 struct pf_ruleset *ruleset = NULL;
3092 struct pf_src_node *nsn = NULL;
3093 u_short reason;
3094 u_int16_t icmpid = 0;
3095 sa_family_t af = pd->af;
3096 u_int8_t icmptype = 0, icmpcode = 0;
3097 int state_icmp = 0;
3098 int tag = -1;
3099 #ifdef INET6
3100 int rewrite = 0;
3101 #endif /* INET6 */
3102
3103 switch (pd->proto) {
3104 #ifdef INET
3105 case IPPROTO_ICMP:
3106 icmptype = pd->hdr.icmp->icmp_type;
3107 icmpcode = pd->hdr.icmp->icmp_code;
3108 icmpid = pd->hdr.icmp->icmp_id;
3109
3110 if (icmptype == ICMP_UNREACH ||
3111 icmptype == ICMP_SOURCEQUENCH ||
3112 icmptype == ICMP_REDIRECT ||
3113 icmptype == ICMP_TIMXCEED ||
3114 icmptype == ICMP_PARAMPROB)
3115 state_icmp++;
3116 break;
3117 #endif /* INET */
3118 #ifdef INET6
3119 case IPPROTO_ICMPV6:
3120 icmptype = pd->hdr.icmp6->icmp6_type;
3121 icmpcode = pd->hdr.icmp6->icmp6_code;
3122 icmpid = pd->hdr.icmp6->icmp6_id;
3123
3124 if (icmptype == ICMP6_DST_UNREACH ||
3125 icmptype == ICMP6_PACKET_TOO_BIG ||
3126 icmptype == ICMP6_TIME_EXCEEDED ||
3127 icmptype == ICMP6_PARAM_PROB)
3128 state_icmp++;
3129 break;
3130 #endif /* INET6 */
3131 }
3132
3133 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3134
3135 if (direction == PF_OUT) {
3136 /* check outgoing packet for BINAT/NAT */
3137 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3138 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3139 PF_ACPY(&pd->baddr, saddr, af);
3140 switch (af) {
3141 #ifdef INET
3142 case AF_INET:
3143 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3144 pd->naddr.v4.s_addr, 0);
3145 break;
3146 #endif /* INET */
3147 #ifdef INET6
3148 case AF_INET6:
3149 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
3150 &pd->naddr, 0);
3151 rewrite++;
3152 break;
3153 #endif /* INET6 */
3154 }
3155 if (nr->natpass)
3156 r = NULL;
3157 pd->nat_rule = nr;
3158 }
3159 } else {
3160 /* check incoming packet for BINAT/RDR */
3161 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3162 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3163 PF_ACPY(&pd->baddr, daddr, af);
3164 switch (af) {
3165 #ifdef INET
3166 case AF_INET:
3167 pf_change_a(&daddr->v4.s_addr,
3168 pd->ip_sum, pd->naddr.v4.s_addr, 0);
3169 break;
3170 #endif /* INET */
3171 #ifdef INET6
3172 case AF_INET6:
3173 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
3174 &pd->naddr, 0);
3175 rewrite++;
3176 break;
3177 #endif /* INET6 */
3178 }
3179 if (nr->natpass)
3180 r = NULL;
3181 pd->nat_rule = nr;
3182 }
3183 }
3184
3185 while (r != NULL) {
3186 r->evaluations++;
3187 if (r->kif != NULL &&
3188 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
3189 r = r->skip[PF_SKIP_IFP].ptr;
3190 else if (r->direction && r->direction != direction)
3191 r = r->skip[PF_SKIP_DIR].ptr;
3192 else if (r->af && r->af != af)
3193 r = r->skip[PF_SKIP_AF].ptr;
3194 else if (r->proto && r->proto != pd->proto)
3195 r = r->skip[PF_SKIP_PROTO].ptr;
3196 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
3197 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3198 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
3199 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3200 else if (r->type && r->type != icmptype + 1)
3201 r = TAILQ_NEXT(r, entries);
3202 else if (r->code && r->code != icmpcode + 1)
3203 r = TAILQ_NEXT(r, entries);
3204 else if (r->tos && !(r->tos & pd->tos))
3205 r = TAILQ_NEXT(r, entries);
3206 else if (r->rule_flag & PFRULE_FRAGMENT)
3207 r = TAILQ_NEXT(r, entries);
3208 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
3209 r = TAILQ_NEXT(r, entries);
3210 else if (r->anchorname[0] && r->anchor == NULL)
3211 r = TAILQ_NEXT(r, entries);
3212 else if (r->os_fingerprint != PF_OSFP_ANY)
3213 r = TAILQ_NEXT(r, entries);
3214 else {
3215 if (r->tag)
3216 tag = r->tag;
3217 if (r->anchor == NULL) {
3218 *rm = r;
3219 *am = a;
3220 *rsm = ruleset;
3221 if ((*rm)->quick)
3222 break;
3223 r = TAILQ_NEXT(r, entries);
3224 } else
3225 PF_STEP_INTO_ANCHOR(r, a, ruleset,
3226 PF_RULESET_FILTER);
3227 }
3228 if (r == NULL && a != NULL)
3229 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
3230 PF_RULESET_FILTER);
3231 }
3232 r = *rm;
3233 a = *am;
3234 ruleset = *rsm;
3235
3236 REASON_SET(&reason, PFRES_MATCH);
3237
3238 if (r->log) {
3239 #ifdef INET6
3240 if (rewrite)
3241 m_copyback(m, off, sizeof(struct icmp6_hdr),
3242 (caddr_t)pd->hdr.icmp6);
3243 #endif /* INET6 */
3244 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
3245 }
3246
3247 if (r->action != PF_PASS)
3248 return (PF_DROP);
3249
3250 pf_tag_packet(m, tag);
3251
3252 if (!state_icmp && (r->keep_state || nr != NULL)) {
3253 /* create new state */
3254 struct pf_state *s = NULL;
3255 struct pf_src_node *sn = NULL;
3256
3257 /* check maximums */
3258 if (r->max_states && (r->states >= r->max_states))
3259 goto cleanup;
3260 /* src node for flter rule */
3261 if ((r->rule_flag & PFRULE_SRCTRACK ||
3262 r->rpool.opts & PF_POOL_STICKYADDR) &&
3263 pf_insert_src_node(&sn, r, saddr, af) != 0)
3264 goto cleanup;
3265 /* src node for translation rule */
3266 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3267 ((direction == PF_OUT &&
3268 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3269 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
3270 goto cleanup;
3271 s = pool_get(&pf_state_pl, PR_NOWAIT);
3272 if (s == NULL) {
3273 cleanup:
3274 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3275 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3276 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3277 pf_status.src_nodes--;
3278 pool_put(&pf_src_tree_pl, sn);
3279 }
3280 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3281 nsn->expire == 0) {
3282 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3283 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3284 pf_status.src_nodes--;
3285 pool_put(&pf_src_tree_pl, nsn);
3286 }
3287 REASON_SET(&reason, PFRES_MEMORY);
3288 return (PF_DROP);
3289 }
3290 bzero(s, sizeof(*s));
3291 r->states++;
3292 if (a != NULL)
3293 a->states++;
3294 s->rule.ptr = r;
3295 s->nat_rule.ptr = nr;
3296 if (s->nat_rule.ptr != NULL)
3297 s->nat_rule.ptr->states++;
3298 s->anchor.ptr = a;
3299 s->allow_opts = r->allow_opts;
3300 s->log = r->log & 2;
3301 s->proto = pd->proto;
3302 s->direction = direction;
3303 s->af = af;
3304 if (direction == PF_OUT) {
3305 PF_ACPY(&s->gwy.addr, saddr, af);
3306 s->gwy.port = icmpid;
3307 PF_ACPY(&s->ext.addr, daddr, af);
3308 s->ext.port = icmpid;
3309 if (nr != NULL)
3310 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3311 else
3312 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3313 s->lan.port = icmpid;
3314 } else {
3315 PF_ACPY(&s->lan.addr, daddr, af);
3316 s->lan.port = icmpid;
3317 PF_ACPY(&s->ext.addr, saddr, af);
3318 s->ext.port = icmpid;
3319 if (nr != NULL)
3320 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3321 else
3322 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3323 s->gwy.port = icmpid;
3324 }
3325 s->creation = time_second;
3326 s->expire = time_second;
3327 s->timeout = PFTM_ICMP_FIRST_PACKET;
3328 pf_set_rt_ifp(s, saddr);
3329 if (sn != NULL) {
3330 s->src_node = sn;
3331 s->src_node->states++;
3332 }
3333 if (nsn != NULL) {
3334 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3335 s->nat_src_node = nsn;
3336 s->nat_src_node->states++;
3337 }
3338 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3339 REASON_SET(&reason, PFRES_MEMORY);
3340 pf_src_tree_remove_state(s);
3341 pool_put(&pf_state_pl, s);
3342 return (PF_DROP);
3343 } else
3344 *sm = s;
3345 }
3346
3347 #ifdef INET6
3348 /* copy back packet headers if we performed IPv6 NAT operations */
3349 if (rewrite)
3350 m_copyback(m, off, sizeof(struct icmp6_hdr),
3351 (caddr_t)pd->hdr.icmp6);
3352 #endif /* INET6 */
3353
3354 return (PF_PASS);
3355 }
3356
3357 int
3358 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
3359 struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
3360 struct pf_rule **am, struct pf_ruleset **rsm)
3361 {
3362 struct pf_rule *nr = NULL;
3363 struct pf_rule *r, *a = NULL;
3364 struct pf_ruleset *ruleset = NULL;
3365 struct pf_src_node *nsn = NULL;
3366 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3367 sa_family_t af = pd->af;
3368 u_short reason;
3369 int tag = -1;
3370
3371 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3372
3373 if (direction == PF_OUT) {
3374 /* check outgoing packet for BINAT/NAT */
3375 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3376 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3377 PF_ACPY(&pd->baddr, saddr, af);
3378 switch (af) {
3379 #ifdef INET
3380 case AF_INET:
3381 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3382 pd->naddr.v4.s_addr, 0);
3383 break;
3384 #endif /* INET */
3385 #ifdef INET6
3386 case AF_INET6:
3387 PF_ACPY(saddr, &pd->naddr, af);
3388 break;
3389 #endif /* INET6 */
3390 }
3391 if (nr->natpass)
3392 r = NULL;
3393 pd->nat_rule = nr;
3394 }
3395 } else {
3396 /* check incoming packet for BINAT/RDR */
3397 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3398 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3399 PF_ACPY(&pd->baddr, daddr, af);
3400 switch (af) {
3401 #ifdef INET
3402 case AF_INET:
3403 pf_change_a(&daddr->v4.s_addr,
3404 pd->ip_sum, pd->naddr.v4.s_addr, 0);
3405 break;
3406 #endif /* INET */
3407 #ifdef INET6
3408 case AF_INET6:
3409 PF_ACPY(daddr, &pd->naddr, af);
3410 break;
3411 #endif /* INET6 */
3412 }
3413 if (nr->natpass)
3414 r = NULL;
3415 pd->nat_rule = nr;
3416 }
3417 }
3418
3419 while (r != NULL) {
3420 r->evaluations++;
3421 if (r->kif != NULL &&
3422 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
3423 r = r->skip[PF_SKIP_IFP].ptr;
3424 else if (r->direction && r->direction != direction)
3425 r = r->skip[PF_SKIP_DIR].ptr;
3426 else if (r->af && r->af != af)
3427 r = r->skip[PF_SKIP_AF].ptr;
3428 else if (r->proto && r->proto != pd->proto)
3429 r = r->skip[PF_SKIP_PROTO].ptr;
3430 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not))
3431 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3432 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not))
3433 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3434 else if (r->tos && !(r->tos & pd->tos))
3435 r = TAILQ_NEXT(r, entries);
3436 else if (r->rule_flag & PFRULE_FRAGMENT)
3437 r = TAILQ_NEXT(r, entries);
3438 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
3439 r = TAILQ_NEXT(r, entries);
3440 else if (r->anchorname[0] && r->anchor == NULL)
3441 r = TAILQ_NEXT(r, entries);
3442 else if (r->os_fingerprint != PF_OSFP_ANY)
3443 r = TAILQ_NEXT(r, entries);
3444 else {
3445 if (r->tag)
3446 tag = r->tag;
3447 if (r->anchor == NULL) {
3448 *rm = r;
3449 *am = a;
3450 *rsm = ruleset;
3451 if ((*rm)->quick)
3452 break;
3453 r = TAILQ_NEXT(r, entries);
3454 } else
3455 PF_STEP_INTO_ANCHOR(r, a, ruleset,
3456 PF_RULESET_FILTER);
3457 }
3458 if (r == NULL && a != NULL)
3459 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
3460 PF_RULESET_FILTER);
3461 }
3462 r = *rm;
3463 a = *am;
3464 ruleset = *rsm;
3465
3466 REASON_SET(&reason, PFRES_MATCH);
3467
3468 if (r->log)
3469 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
3470
3471 if ((r->action == PF_DROP) &&
3472 ((r->rule_flag & PFRULE_RETURNICMP) ||
3473 (r->rule_flag & PFRULE_RETURN))) {
3474 struct pf_addr *a = NULL;
3475
3476 if (nr != NULL) {
3477 if (direction == PF_OUT)
3478 a = saddr;
3479 else
3480 a = daddr;
3481 }
3482 if (a != NULL) {
3483 switch (af) {
3484 #ifdef INET
3485 case AF_INET:
3486 pf_change_a(&a->v4.s_addr, pd->ip_sum,
3487 pd->baddr.v4.s_addr, 0);
3488 break;
3489 #endif /* INET */
3490 #ifdef INET6
3491 case AF_INET6:
3492 PF_ACPY(a, &pd->baddr, af);
3493 break;
3494 #endif /* INET6 */
3495 }
3496 }
3497 if ((af == AF_INET) && r->return_icmp)
3498 pf_send_icmp(m, r->return_icmp >> 8,
3499 r->return_icmp & 255, af, r);
3500 else if ((af == AF_INET6) && r->return_icmp6)
3501 pf_send_icmp(m, r->return_icmp6 >> 8,
3502 r->return_icmp6 & 255, af, r);
3503 }
3504
3505 if (r->action != PF_PASS)
3506 return (PF_DROP);
3507
3508 pf_tag_packet(m, tag);
3509
3510 if (r->keep_state || nr != NULL) {
3511 /* create new state */
3512 struct pf_state *s = NULL;
3513 struct pf_src_node *sn = NULL;
3514
3515 /* check maximums */
3516 if (r->max_states && (r->states >= r->max_states))
3517 goto cleanup;
3518 /* src node for flter rule */
3519 if ((r->rule_flag & PFRULE_SRCTRACK ||
3520 r->rpool.opts & PF_POOL_STICKYADDR) &&
3521 pf_insert_src_node(&sn, r, saddr, af) != 0)
3522 goto cleanup;
3523 /* src node for translation rule */
3524 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3525 ((direction == PF_OUT &&
3526 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3527 (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
3528 goto cleanup;
3529 s = pool_get(&pf_state_pl, PR_NOWAIT);
3530 if (s == NULL) {
3531 cleanup:
3532 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3533 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3534 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3535 pf_status.src_nodes--;
3536 pool_put(&pf_src_tree_pl, sn);
3537 }
3538 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3539 nsn->expire == 0) {
3540 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3541 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3542 pf_status.src_nodes--;
3543 pool_put(&pf_src_tree_pl, nsn);
3544 }
3545 REASON_SET(&reason, PFRES_MEMORY);
3546 return (PF_DROP);
3547 }
3548 bzero(s, sizeof(*s));
3549 r->states++;
3550 if (a != NULL)
3551 a->states++;
3552 s->rule.ptr = r;
3553 s->nat_rule.ptr = nr;
3554 if (s->nat_rule.ptr != NULL)
3555 s->nat_rule.ptr->states++;
3556 s->anchor.ptr = a;
3557 s->allow_opts = r->allow_opts;
3558 s->log = r->log & 2;
3559 s->proto = pd->proto;
3560 s->direction = direction;
3561 s->af = af;
3562 if (direction == PF_OUT) {
3563 PF_ACPY(&s->gwy.addr, saddr, af);
3564 PF_ACPY(&s->ext.addr, daddr, af);
3565 if (nr != NULL)
3566 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3567 else
3568 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3569 } else {
3570 PF_ACPY(&s->lan.addr, daddr, af);
3571 PF_ACPY(&s->ext.addr, saddr, af);
3572 if (nr != NULL)
3573 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3574 else
3575 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3576 }
3577 s->src.state = PFOTHERS_SINGLE;
3578 s->dst.state = PFOTHERS_NO_TRAFFIC;
3579 s->creation = time_second;
3580 s->expire = time_second;
3581 s->timeout = PFTM_OTHER_FIRST_PACKET;
3582 pf_set_rt_ifp(s, saddr);
3583 if (sn != NULL) {
3584 s->src_node = sn;
3585 s->src_node->states++;
3586 }
3587 if (nsn != NULL) {
3588 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3589 s->nat_src_node = nsn;
3590 s->nat_src_node->states++;
3591 }
3592 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3593 REASON_SET(&reason, PFRES_MEMORY);
3594 pf_src_tree_remove_state(s);
3595 pool_put(&pf_state_pl, s);
3596 return (PF_DROP);
3597 } else
3598 *sm = s;
3599 }
3600
3601 return (PF_PASS);
3602 }
3603
3604 int
3605 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
3606 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
3607 struct pf_ruleset **rsm)
3608 {
3609 struct pf_rule *r, *a = NULL;
3610 struct pf_ruleset *ruleset = NULL;
3611 sa_family_t af = pd->af;
3612 u_short reason;
3613 int tag = -1;
3614
3615 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3616 while (r != NULL) {
3617 r->evaluations++;
3618 if (r->kif != NULL &&
3619 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
3620 r = r->skip[PF_SKIP_IFP].ptr;
3621 else if (r->direction && r->direction != direction)
3622 r = r->skip[PF_SKIP_DIR].ptr;
3623 else if (r->af && r->af != af)
3624 r = r->skip[PF_SKIP_AF].ptr;
3625 else if (r->proto && r->proto != pd->proto)
3626 r = r->skip[PF_SKIP_PROTO].ptr;
3627 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not))
3628 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3629 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not))
3630 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3631 else if (r->tos && !(r->tos & pd->tos))
3632 r = TAILQ_NEXT(r, entries);
3633 else if (r->src.port_op || r->dst.port_op ||
3634 r->flagset || r->type || r->code ||
3635 r->os_fingerprint != PF_OSFP_ANY)
3636 r = TAILQ_NEXT(r, entries);
3637 else if (r->match_tag && !pf_match_tag(m, r, NULL, &tag))
3638 r = TAILQ_NEXT(r, entries);
3639 else if (r->anchorname[0] && r->anchor == NULL)
3640 r = TAILQ_NEXT(r, entries);
3641 else {
3642 if (r->anchor == NULL) {
3643 *rm = r;
3644 *am = a;
3645 *rsm = ruleset;
3646 if ((*rm)->quick)
3647 break;
3648 r = TAILQ_NEXT(r, entries);
3649 } else
3650 PF_STEP_INTO_ANCHOR(r, a, ruleset,
3651 PF_RULESET_FILTER);
3652 }
3653 if (r == NULL && a != NULL)
3654 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
3655 PF_RULESET_FILTER);
3656 }
3657 r = *rm;
3658 a = *am;
3659 ruleset = *rsm;
3660
3661 REASON_SET(&reason, PFRES_MATCH);
3662
3663 if (r->log)
3664 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
3665
3666 if (r->action != PF_PASS)
3667 return (PF_DROP);
3668
3669 pf_tag_packet(m, tag);
3670
3671 return (PF_PASS);
3672 }
3673
3674 int
3675 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
3676 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
3677 u_short *reason)
3678 {
3679 struct pf_state key;
3680 struct tcphdr *th = pd->hdr.tcp;
3681 u_int16_t win = ntohs(th->th_win);
3682 u_int32_t ack, end, seq;
3683 u_int8_t sws, dws;
3684 int ackskew;
3685 int copyback = 0;
3686 struct pf_state_peer *src, *dst;
3687
3688 key.af = pd->af;
3689 key.proto = IPPROTO_TCP;
3690 if (direction == PF_IN) {
3691 PF_ACPY(&key.ext.addr, pd->src, key.af);
3692 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
3693 key.ext.port = th->th_sport;
3694 key.gwy.port = th->th_dport;
3695 } else {
3696 PF_ACPY(&key.lan.addr, pd->src, key.af);
3697 PF_ACPY(&key.ext.addr, pd->dst, key.af);
3698 key.lan.port = th->th_sport;
3699 key.ext.port = th->th_dport;
3700 }
3701
3702 STATE_LOOKUP();
3703
3704 if (direction == (*state)->direction) {
3705 src = &(*state)->src;
3706 dst = &(*state)->dst;
3707 } else {
3708 src = &(*state)->dst;
3709 dst = &(*state)->src;
3710 }
3711
3712 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
3713 if (direction != (*state)->direction)
3714 return (PF_SYNPROXY_DROP);
3715 if (th->th_flags & TH_SYN) {
3716 if (ntohl(th->th_seq) != (*state)->src.seqlo)
3717 return (PF_DROP);
3718 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
3719 pd->src, th->th_dport, th->th_sport,
3720 (*state)->src.seqhi, ntohl(th->th_seq) + 1,
3721 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0);
3722 return (PF_SYNPROXY_DROP);
3723 } else if (!(th->th_flags & TH_ACK) ||
3724 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
3725 (ntohl(th->th_seq) != (*state)->src.seqlo + 1))
3726 return (PF_DROP);
3727 else
3728 (*state)->src.state = PF_TCPS_PROXY_DST;
3729 }
3730 if ((*state)->src.state == PF_TCPS_PROXY_DST) {
3731 struct pf_state_host *src, *dst;
3732
3733 if (direction == PF_OUT) {
3734 src = &(*state)->gwy;
3735 dst = &(*state)->ext;
3736 } else {
3737 src = &(*state)->ext;
3738 dst = &(*state)->lan;
3739 }
3740 if (direction == (*state)->direction) {
3741 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
3742 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
3743 (ntohl(th->th_seq) != (*state)->src.seqlo + 1))
3744 return (PF_DROP);
3745 (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
3746 if ((*state)->dst.seqhi == 1)
3747 (*state)->dst.seqhi = arc4random();
3748 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
3749 &dst->addr, src->port, dst->port,
3750 (*state)->dst.seqhi, 0, TH_SYN, 0,
3751 (*state)->src.mss, 0);
3752 return (PF_SYNPROXY_DROP);
3753 } else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
3754 (TH_SYN|TH_ACK)) ||
3755 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1))
3756 return (PF_DROP);
3757 else {
3758 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
3759 (*state)->dst.seqlo = ntohl(th->th_seq);
3760 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
3761 pd->src, th->th_dport, th->th_sport,
3762 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
3763 TH_ACK, (*state)->src.max_win, 0, 0);
3764 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
3765 &dst->addr, src->port, dst->port,
3766 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
3767 TH_ACK, (*state)->dst.max_win, 0, 0);
3768 (*state)->src.seqdiff = (*state)->dst.seqhi -
3769 (*state)->src.seqlo;
3770 (*state)->dst.seqdiff = (*state)->src.seqhi -
3771 (*state)->dst.seqlo;
3772 (*state)->src.seqhi = (*state)->src.seqlo +
3773 (*state)->src.max_win;
3774 (*state)->dst.seqhi = (*state)->dst.seqlo +
3775 (*state)->dst.max_win;
3776 (*state)->src.wscale = (*state)->dst.wscale = 0;
3777 (*state)->src.state = (*state)->dst.state =
3778 TCPS_ESTABLISHED;
3779 return (PF_SYNPROXY_DROP);
3780 }
3781 }
3782
3783 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
3784 sws = src->wscale & PF_WSCALE_MASK;
3785 dws = dst->wscale & PF_WSCALE_MASK;
3786 } else
3787 sws = dws = 0;
3788
3789 /*
3790 * Sequence tracking algorithm from Guido van Rooij's paper:
3791 * http://www.madison-gurkha.com/publications/tcp_filtering/
3792 * tcp_filtering.ps
3793 */
3794
3795 seq = ntohl(th->th_seq);
3796 if (src->seqlo == 0) {
3797 /* First packet from this end. Set its state */
3798
3799 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
3800 src->scrub == NULL) {
3801 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
3802 REASON_SET(reason, PFRES_MEMORY);
3803 return (PF_DROP);
3804 }
3805 }
3806
3807 /* Deferred generation of sequence number modulator */
3808 if (dst->seqdiff && !src->seqdiff) {
3809 while ((src->seqdiff = arc4random()) == 0)
3810 ;
3811 ack = ntohl(th->th_ack) - dst->seqdiff;
3812 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
3813 src->seqdiff), 0);
3814 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
3815 copyback = 1;
3816 } else {
3817 ack = ntohl(th->th_ack);
3818 }
3819
3820 end = seq + pd->p_len;
3821 if (th->th_flags & TH_SYN) {
3822 end++;
3823 if (dst->wscale & PF_WSCALE_FLAG) {
3824 src->wscale = pf_get_wscale(m, off, th->th_off,
3825 pd->af);
3826 if (src->wscale & PF_WSCALE_FLAG) {
3827 /* Remove scale factor from initial
3828 * window */
3829 sws = src->wscale & PF_WSCALE_MASK;
3830 win = ((u_int32_t)win + (1 << sws) - 1)
3831 >> sws;
3832 dws = dst->wscale & PF_WSCALE_MASK;
3833 } else {
3834 /* fixup other window */
3835 dst->max_win <<= dst->wscale &
3836 PF_WSCALE_MASK;
3837 /* in case of a retrans SYN|ACK */
3838 dst->wscale = 0;
3839 }
3840 }
3841 }
3842 if (th->th_flags & TH_FIN)
3843 end++;
3844
3845 src->seqlo = seq;
3846 if (src->state < TCPS_SYN_SENT)
3847 src->state = TCPS_SYN_SENT;
3848
3849 /*
3850 * May need to slide the window (seqhi may have been set by
3851 * the crappy stack check or if we picked up the connection
3852 * after establishment)
3853 */
3854 if (src->seqhi == 1 ||
3855 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
3856 src->seqhi = end + MAX(1, dst->max_win << dws);
3857 if (win > src->max_win)
3858 src->max_win = win;
3859
3860 } else {
3861 ack = ntohl(th->th_ack) - dst->seqdiff;
3862 if (src->seqdiff) {
3863 /* Modulate sequence numbers */
3864 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
3865 src->seqdiff), 0);
3866 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
3867 copyback = 1;
3868 }
3869 end = seq + pd->p_len;
3870 if (th->th_flags & TH_SYN)
3871 end++;
3872 if (th->th_flags & TH_FIN)
3873 end++;
3874 }
3875
3876 if ((th->th_flags & TH_ACK) == 0) {
3877 /* Let it pass through the ack skew check */
3878 ack = dst->seqlo;
3879 } else if ((ack == 0 &&
3880 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
3881 /* broken tcp stacks do not set ack */
3882 (dst->state < TCPS_SYN_SENT)) {
3883 /*
3884 * Many stacks (ours included) will set the ACK number in an
3885 * FIN|ACK if the SYN times out -- no sequence to ACK.
3886 */
3887 ack = dst->seqlo;
3888 }
3889
3890 if (seq == end) {
3891 /* Ease sequencing restrictions on no data packets */
3892 seq = src->seqlo;
3893 end = seq;
3894 }
3895
3896 ackskew = dst->seqlo - ack;
3897
3898 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
3899 if (SEQ_GEQ(src->seqhi, end) &&
3900 /* Last octet inside other's window space */
3901 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
3902 /* Retrans: not more than one window back */
3903 (ackskew >= -MAXACKWINDOW) &&
3904 /* Acking not more than one reassembled fragment backwards */
3905 (ackskew <= (MAXACKWINDOW << sws))) {
3906 /* Acking not more than one window forward */
3907
3908 /* update max window */
3909 if (src->max_win < win)
3910 src->max_win = win;
3911 /* synchronize sequencing */
3912 if (SEQ_GT(end, src->seqlo))
3913 src->seqlo = end;
3914 /* slide the window of what the other end can send */
3915 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
3916 dst->seqhi = ack + MAX((win << sws), 1);
3917
3918
3919 /* update states */
3920 if (th->th_flags & TH_SYN)
3921 if (src->state < TCPS_SYN_SENT)
3922 src->state = TCPS_SYN_SENT;
3923 if (th->th_flags & TH_FIN)
3924 if (src->state < TCPS_CLOSING)
3925 src->state = TCPS_CLOSING;
3926 if (th->th_flags & TH_ACK) {
3927 if (dst->state == TCPS_SYN_SENT)
3928 dst->state = TCPS_ESTABLISHED;
3929 else if (dst->state == TCPS_CLOSING)
3930 dst->state = TCPS_FIN_WAIT_2;
3931 }
3932 if (th->th_flags & TH_RST)
3933 src->state = dst->state = TCPS_TIME_WAIT;
3934
3935 /* update expire time */
3936 (*state)->expire = time_second;
3937 if (src->state >= TCPS_FIN_WAIT_2 &&
3938 dst->state >= TCPS_FIN_WAIT_2)
3939 (*state)->timeout = PFTM_TCP_CLOSED;
3940 else if (src->state >= TCPS_FIN_WAIT_2 ||
3941 dst->state >= TCPS_FIN_WAIT_2)
3942 (*state)->timeout = PFTM_TCP_FIN_WAIT;
3943 else if (src->state < TCPS_ESTABLISHED ||
3944 dst->state < TCPS_ESTABLISHED)
3945 (*state)->timeout = PFTM_TCP_OPENING;
3946 else if (src->state >= TCPS_CLOSING ||
3947 dst->state >= TCPS_CLOSING)
3948 (*state)->timeout = PFTM_TCP_CLOSING;
3949 else
3950 (*state)->timeout = PFTM_TCP_ESTABLISHED;
3951
3952 /* Fall through to PASS packet */
3953
3954 } else if ((dst->state < TCPS_SYN_SENT ||
3955 dst->state >= TCPS_FIN_WAIT_2 ||
3956 src->state >= TCPS_FIN_WAIT_2) &&
3957 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
3958 /* Within a window forward of the originating packet */
3959 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
3960 /* Within a window backward of the originating packet */
3961
3962 /*
3963 * This currently handles three situations:
3964 * 1) Stupid stacks will shotgun SYNs before their peer
3965 * replies.
3966 * 2) When PF catches an already established stream (the
3967 * firewall rebooted, the state table was flushed, routes
3968 * changed...)
3969 * 3) Packets get funky immediately after the connection
3970 * closes (this should catch Solaris spurious ACK|FINs
3971 * that web servers like to spew after a close)
3972 *
3973 * This must be a little more careful than the above code
3974 * since packet floods will also be caught here. We don't
3975 * update the TTL here to mitigate the damage of a packet
3976 * flood and so the same code can handle awkward establishment
3977 * and a loosened connection close.
3978 * In the establishment case, a correct peer response will
3979 * validate the connection, go through the normal state code
3980 * and keep updating the state TTL.
3981 */
3982
3983 if (pf_status.debug >= PF_DEBUG_MISC) {
3984 printf("pf: loose state match: ");
3985 pf_print_state(*state);
3986 pf_print_flags(th->th_flags);
3987 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n",
3988 seq, ack, pd->p_len, ackskew,
3989 (*state)->packets[0], (*state)->packets[1]);
3990 }
3991
3992 /* update max window */
3993 if (src->max_win < win)
3994 src->max_win = win;
3995 /* synchronize sequencing */
3996 if (SEQ_GT(end, src->seqlo))
3997 src->seqlo = end;
3998 /* slide the window of what the other end can send */
3999 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
4000 dst->seqhi = ack + MAX((win << sws), 1);
4001
4002 /*
4003 * Cannot set dst->seqhi here since this could be a shotgunned
4004 * SYN and not an already established connection.
4005 */
4006
4007 if (th->th_flags & TH_FIN)
4008 if (src->state < TCPS_CLOSING)
4009 src->state = TCPS_CLOSING;
4010 if (th->th_flags & TH_RST)
4011 src->state = dst->state = TCPS_TIME_WAIT;
4012
4013 /* Fall through to PASS packet */
4014
4015 } else {
4016 if ((*state)->dst.state == TCPS_SYN_SENT &&
4017 (*state)->src.state == TCPS_SYN_SENT) {
4018 /* Send RST for state mismatches during handshake */
4019 if (!(th->th_flags & TH_RST)) {
4020 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
4021
4022 if (th->th_flags & TH_SYN)
4023 ack++;
4024 if (th->th_flags & TH_FIN)
4025 ack++;
4026 pf_send_tcp((*state)->rule.ptr, pd->af,
4027 pd->dst, pd->src, th->th_dport,
4028 th->th_sport, ntohl(th->th_ack), ack,
4029 TH_RST|TH_ACK, 0, 0,
4030 (*state)->rule.ptr->return_ttl);
4031 }
4032 src->seqlo = 0;
4033 src->seqhi = 1;
4034 src->max_win = 1;
4035 } else if (pf_status.debug >= PF_DEBUG_MISC) {
4036 printf("pf: BAD state: ");
4037 pf_print_state(*state);
4038 pf_print_flags(th->th_flags);
4039 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d "
4040 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew,
4041 (*state)->packets[0], (*state)->packets[1],
4042 direction == PF_IN ? "in" : "out",
4043 direction == (*state)->direction ? "fwd" : "rev");
4044 printf("pf: State failure on: %c %c %c %c | %c %c\n",
4045 SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
4046 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
4047 ' ': '2',
4048 (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
4049 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
4050 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
4051 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
4052 }
4053 return (PF_DROP);
4054 }
4055
4056 if (dst->scrub || src->scrub) {
4057 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4058 src, dst, &copyback))
4059 return (PF_DROP);
4060 }
4061
4062 /* Any packets which have gotten here are to be passed */
4063
4064 /* translate source/destination address, if necessary */
4065 if (STATE_TRANSLATE(*state)) {
4066 if (direction == PF_OUT)
4067 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
4068 &th->th_sum, &(*state)->gwy.addr,
4069 (*state)->gwy.port, 0, pd->af);
4070 else
4071 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
4072 &th->th_sum, &(*state)->lan.addr,
4073 (*state)->lan.port, 0, pd->af);
4074 m_copyback(m, off, sizeof(*th), (caddr_t)th);
4075 } else if (copyback) {
4076 /* Copyback sequence modulation or stateful scrub changes */
4077 m_copyback(m, off, sizeof(*th), (caddr_t)th);
4078 }
4079
4080 return (PF_PASS);
4081 }
4082
4083 int
4084 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
4085 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4086 {
4087 struct pf_state_peer *src, *dst;
4088 struct pf_state key;
4089 struct udphdr *uh = pd->hdr.udp;
4090
4091 key.af = pd->af;
4092 key.proto = IPPROTO_UDP;
4093 if (direction == PF_IN) {
4094 PF_ACPY(&key.ext.addr, pd->src, key.af);
4095 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4096 key.ext.port = uh->uh_sport;
4097 key.gwy.port = uh->uh_dport;
4098 } else {
4099 PF_ACPY(&key.lan.addr, pd->src, key.af);
4100 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4101 key.lan.port = uh->uh_sport;
4102 key.ext.port = uh->uh_dport;
4103 }
4104
4105 STATE_LOOKUP();
4106
4107 if (direction == (*state)->direction) {
4108 src = &(*state)->src;
4109 dst = &(*state)->dst;
4110 } else {
4111 src = &(*state)->dst;
4112 dst = &(*state)->src;
4113 }
4114
4115 /* update states */
4116 if (src->state < PFUDPS_SINGLE)
4117 src->state = PFUDPS_SINGLE;
4118 if (dst->state == PFUDPS_SINGLE)
4119 dst->state = PFUDPS_MULTIPLE;
4120
4121 /* update expire time */
4122 (*state)->expire = time_second;
4123 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
4124 (*state)->timeout = PFTM_UDP_MULTIPLE;
4125 else
4126 (*state)->timeout = PFTM_UDP_SINGLE;
4127
4128 /* translate source/destination address, if necessary */
4129 if (STATE_TRANSLATE(*state)) {
4130 if (direction == PF_OUT)
4131 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
4132 &uh->uh_sum, &(*state)->gwy.addr,
4133 (*state)->gwy.port, 1, pd->af);
4134 else
4135 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
4136 &uh->uh_sum, &(*state)->lan.addr,
4137 (*state)->lan.port, 1, pd->af);
4138 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
4139 }
4140
4141 return (PF_PASS);
4142 }
4143
4144 int
4145 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
4146 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4147 {
4148 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4149 u_int16_t icmpid = 0;
4150 u_int16_t *icmpsum = NULL;
4151 u_int8_t icmptype = 0;
4152 int state_icmp = 0;
4153
4154 switch (pd->proto) {
4155 #ifdef INET
4156 case IPPROTO_ICMP:
4157 icmptype = pd->hdr.icmp->icmp_type;
4158 icmpid = pd->hdr.icmp->icmp_id;
4159 icmpsum = &pd->hdr.icmp->icmp_cksum;
4160
4161 if (icmptype == ICMP_UNREACH ||
4162 icmptype == ICMP_SOURCEQUENCH ||
4163 icmptype == ICMP_REDIRECT ||
4164 icmptype == ICMP_TIMXCEED ||
4165 icmptype == ICMP_PARAMPROB)
4166 state_icmp++;
4167 break;
4168 #endif /* INET */
4169 #ifdef INET6
4170 case IPPROTO_ICMPV6:
4171 icmptype = pd->hdr.icmp6->icmp6_type;
4172 icmpid = pd->hdr.icmp6->icmp6_id;
4173 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
4174
4175 if (icmptype == ICMP6_DST_UNREACH ||
4176 icmptype == ICMP6_PACKET_TOO_BIG ||
4177 icmptype == ICMP6_TIME_EXCEEDED ||
4178 icmptype == ICMP6_PARAM_PROB)
4179 state_icmp++;
4180 break;
4181 #endif /* INET6 */
4182 }
4183
4184 if (!state_icmp) {
4185
4186 /*
4187 * ICMP query/reply message not related to a TCP/UDP packet.
4188 * Search for an ICMP state.
4189 */
4190 struct pf_state key;
4191
4192 key.af = pd->af;
4193 key.proto = pd->proto;
4194 if (direction == PF_IN) {
4195 PF_ACPY(&key.ext.addr, pd->src, key.af);
4196 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4197 key.ext.port = icmpid;
4198 key.gwy.port = icmpid;
4199 } else {
4200 PF_ACPY(&key.lan.addr, pd->src, key.af);
4201 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4202 key.lan.port = icmpid;
4203 key.ext.port = icmpid;
4204 }
4205
4206 STATE_LOOKUP();
4207
4208 (*state)->expire = time_second;
4209 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
4210
4211 /* translate source/destination address, if necessary */
4212 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) {
4213 if (direction == PF_OUT) {
4214 switch (pd->af) {
4215 #ifdef INET
4216 case AF_INET:
4217 pf_change_a(&saddr->v4.s_addr,
4218 pd->ip_sum,
4219 (*state)->gwy.addr.v4.s_addr, 0);
4220 break;
4221 #endif /* INET */
4222 #ifdef INET6
4223 case AF_INET6:
4224 pf_change_a6(saddr,
4225 &pd->hdr.icmp6->icmp6_cksum,
4226 &(*state)->gwy.addr, 0);
4227 m_copyback(m, off,
4228 sizeof(struct icmp6_hdr),
4229 (caddr_t)pd->hdr.icmp6);
4230 break;
4231 #endif /* INET6 */
4232 }
4233 } else {
4234 switch (pd->af) {
4235 #ifdef INET
4236 case AF_INET:
4237 pf_change_a(&daddr->v4.s_addr,
4238 pd->ip_sum,
4239 (*state)->lan.addr.v4.s_addr, 0);
4240 break;
4241 #endif /* INET */
4242 #ifdef INET6
4243 case AF_INET6:
4244 pf_change_a6(daddr,
4245 &pd->hdr.icmp6->icmp6_cksum,
4246 &(*state)->lan.addr, 0);
4247 m_copyback(m, off,
4248 sizeof(struct icmp6_hdr),
4249 (caddr_t)pd->hdr.icmp6);
4250 break;
4251 #endif /* INET6 */
4252 }
4253 }
4254 }
4255
4256 return (PF_PASS);
4257
4258 } else {
4259 /*
4260 * ICMP error message in response to a TCP/UDP packet.
4261 * Extract the inner TCP/UDP header and search for that state.
4262 */
4263
4264 struct pf_pdesc pd2;
4265 #ifdef INET
4266 struct ip h2;
4267 #endif /* INET */
4268 #ifdef INET6
4269 struct ip6_hdr h2_6;
4270 int terminal = 0;
4271 #endif /* INET6 */
4272 int ipoff2 = 0;
4273 int off2 = 0;
4274
4275 pd2.af = pd->af;
4276 switch (pd->af) {
4277 #ifdef INET
4278 case AF_INET:
4279 /* offset of h2 in mbuf chain */
4280 ipoff2 = off + ICMP_MINLEN;
4281
4282 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
4283 NULL, NULL, pd2.af)) {
4284 DPFPRINTF(PF_DEBUG_MISC,
4285 ("pf: ICMP error message too short "
4286 "(ip)\n"));
4287 return (PF_DROP);
4288 }
4289 /*
4290 * ICMP error messages don't refer to non-first
4291 * fragments
4292 */
4293 /*
4294 * Note: We are dealing with an encapsulated
4295 * header. This means ip_off/ip_len are not
4296 * in host byte order!
4297 */
4298 if (h2.ip_off & htons(IP_OFFMASK))
4299 return (PF_DROP);
4300
4301 /* offset of protocol header that follows h2 */
4302 off2 = ipoff2 + (h2.ip_hl << 2);
4303
4304 pd2.proto = h2.ip_p;
4305 pd2.src = (struct pf_addr *)&h2.ip_src;
4306 pd2.dst = (struct pf_addr *)&h2.ip_dst;
4307 pd2.ip_sum = &h2.ip_sum;
4308 break;
4309 #endif /* INET */
4310 #ifdef INET6
4311 case AF_INET6:
4312 ipoff2 = off + sizeof(struct icmp6_hdr);
4313
4314 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
4315 NULL, NULL, pd2.af)) {
4316 DPFPRINTF(PF_DEBUG_MISC,
4317 ("pf: ICMP error message too short "
4318 "(ip6)\n"));
4319 return (PF_DROP);
4320 }
4321 pd2.proto = h2_6.ip6_nxt;
4322 pd2.src = (struct pf_addr *)&h2_6.ip6_src;
4323 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
4324 pd2.ip_sum = NULL;
4325 off2 = ipoff2 + sizeof(h2_6);
4326 do {
4327 switch (pd2.proto) {
4328 case IPPROTO_FRAGMENT:
4329 /*
4330 * ICMPv6 error messages for
4331 * non-first fragments
4332 */
4333 return (PF_DROP);
4334 case IPPROTO_AH:
4335 case IPPROTO_HOPOPTS:
4336 case IPPROTO_ROUTING:
4337 case IPPROTO_DSTOPTS: {
4338 /* get next header and header length */
4339 struct ip6_ext opt6;
4340
4341 if (!pf_pull_hdr(m, off2, &opt6,
4342 sizeof(opt6), NULL, NULL, pd2.af)) {
4343 DPFPRINTF(PF_DEBUG_MISC,
4344 ("pf: ICMPv6 short opt\n"));
4345 return (PF_DROP);
4346 }
4347 if (pd2.proto == IPPROTO_AH)
4348 off2 += (opt6.ip6e_len + 2) * 4;
4349 else
4350 off2 += (opt6.ip6e_len + 1) * 8;
4351 pd2.proto = opt6.ip6e_nxt;
4352 /* goto the next header */
4353 break;
4354 }
4355 default:
4356 terminal++;
4357 break;
4358 }
4359 } while (!terminal);
4360 break;
4361 #endif /* INET6 */
4362 }
4363
4364 switch (pd2.proto) {
4365 case IPPROTO_TCP: {
4366 struct tcphdr th;
4367 u_int32_t seq;
4368 struct pf_state key;
4369 struct pf_state_peer *src, *dst;
4370 u_int8_t dws;
4371 int copyback = 0;
4372
4373 /*
4374 * Only the first 8 bytes of the TCP header can be
4375 * expected. Don't access any TCP header fields after
4376 * th_seq, an ackskew test is not possible.
4377 */
4378 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) {
4379 DPFPRINTF(PF_DEBUG_MISC,
4380 ("pf: ICMP error message too short "
4381 "(tcp)\n"));
4382 return (PF_DROP);
4383 }
4384
4385 key.af = pd2.af;
4386 key.proto = IPPROTO_TCP;
4387 if (direction == PF_IN) {
4388 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4389 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4390 key.ext.port = th.th_dport;
4391 key.gwy.port = th.th_sport;
4392 } else {
4393 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4394 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4395 key.lan.port = th.th_dport;
4396 key.ext.port = th.th_sport;
4397 }
4398
4399 STATE_LOOKUP();
4400
4401 if (direction == (*state)->direction) {
4402 src = &(*state)->dst;
4403 dst = &(*state)->src;
4404 } else {
4405 src = &(*state)->src;
4406 dst = &(*state)->dst;
4407 }
4408
4409 if (src->wscale && dst->wscale &&
4410 !(th.th_flags & TH_SYN))
4411 dws = dst->wscale & PF_WSCALE_MASK;
4412 else
4413 dws = 0;
4414
4415 /* Demodulate sequence number */
4416 seq = ntohl(th.th_seq) - src->seqdiff;
4417 if (src->seqdiff) {
4418 pf_change_a(&th.th_seq, icmpsum,
4419 htonl(seq), 0);
4420 copyback = 1;
4421 }
4422
4423 if (!SEQ_GEQ(src->seqhi, seq) ||
4424 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) {
4425 if (pf_status.debug >= PF_DEBUG_MISC) {
4426 printf("pf: BAD ICMP %d:%d ",
4427 icmptype, pd->hdr.icmp->icmp_code);
4428 pf_print_host(pd->src, 0, pd->af);
4429 printf(" -> ");
4430 pf_print_host(pd->dst, 0, pd->af);
4431 printf(" state: ");
4432 pf_print_state(*state);
4433 printf(" seq=%u\n", seq);
4434 }
4435 return (PF_DROP);
4436 }
4437
4438 if (STATE_TRANSLATE(*state)) {
4439 if (direction == PF_IN) {
4440 pf_change_icmp(pd2.src, &th.th_sport,
4441 daddr, &(*state)->lan.addr,
4442 (*state)->lan.port, NULL,
4443 pd2.ip_sum, icmpsum,
4444 pd->ip_sum, 0, pd2.af);
4445 } else {
4446 pf_change_icmp(pd2.dst, &th.th_dport,
4447 saddr, &(*state)->gwy.addr,
4448 (*state)->gwy.port, NULL,
4449 pd2.ip_sum, icmpsum,
4450 pd->ip_sum, 0, pd2.af);
4451 }
4452 copyback = 1;
4453 }
4454
4455 if (copyback) {
4456 switch (pd2.af) {
4457 #ifdef INET
4458 case AF_INET:
4459 m_copyback(m, off, ICMP_MINLEN,
4460 (caddr_t)pd->hdr.icmp);
4461 m_copyback(m, ipoff2, sizeof(h2),
4462 (caddr_t)&h2);
4463 break;
4464 #endif /* INET */
4465 #ifdef INET6
4466 case AF_INET6:
4467 m_copyback(m, off,
4468 sizeof(struct icmp6_hdr),
4469 (caddr_t)pd->hdr.icmp6);
4470 m_copyback(m, ipoff2, sizeof(h2_6),
4471 (caddr_t)&h2_6);
4472 break;
4473 #endif /* INET6 */
4474 }
4475 m_copyback(m, off2, 8, (caddr_t)&th);
4476 }
4477
4478 return (PF_PASS);
4479 break;
4480 }
4481 case IPPROTO_UDP: {
4482 struct udphdr uh;
4483 struct pf_state key;
4484
4485 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
4486 NULL, NULL, pd2.af)) {
4487 DPFPRINTF(PF_DEBUG_MISC,
4488 ("pf: ICMP error message too short "
4489 "(udp)\n"));
4490 return (PF_DROP);
4491 }
4492
4493 key.af = pd2.af;
4494 key.proto = IPPROTO_UDP;
4495 if (direction == PF_IN) {
4496 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4497 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4498 key.ext.port = uh.uh_dport;
4499 key.gwy.port = uh.uh_sport;
4500 } else {
4501 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4502 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4503 key.lan.port = uh.uh_dport;
4504 key.ext.port = uh.uh_sport;
4505 }
4506
4507 STATE_LOOKUP();
4508
4509 if (STATE_TRANSLATE(*state)) {
4510 if (direction == PF_IN) {
4511 pf_change_icmp(pd2.src, &uh.uh_sport,
4512 daddr, &(*state)->lan.addr,
4513 (*state)->lan.port, &uh.uh_sum,
4514 pd2.ip_sum, icmpsum,
4515 pd->ip_sum, 1, pd2.af);
4516 } else {
4517 pf_change_icmp(pd2.dst, &uh.uh_dport,
4518 saddr, &(*state)->gwy.addr,
4519 (*state)->gwy.port, &uh.uh_sum,
4520 pd2.ip_sum, icmpsum,
4521 pd->ip_sum, 1, pd2.af);
4522 }
4523 switch (pd2.af) {
4524 #ifdef INET
4525 case AF_INET:
4526 m_copyback(m, off, ICMP_MINLEN,
4527 (caddr_t)pd->hdr.icmp);
4528 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4529 break;
4530 #endif /* INET */
4531 #ifdef INET6
4532 case AF_INET6:
4533 m_copyback(m, off,
4534 sizeof(struct icmp6_hdr),
4535 (caddr_t)pd->hdr.icmp6);
4536 m_copyback(m, ipoff2, sizeof(h2_6),
4537 (caddr_t)&h2_6);
4538 break;
4539 #endif /* INET6 */
4540 }
4541 m_copyback(m, off2, sizeof(uh), (caddr_t)&uh);
4542 }
4543
4544 return (PF_PASS);
4545 break;
4546 }
4547 #ifdef INET
4548 case IPPROTO_ICMP: {
4549 struct icmp iih;
4550 struct pf_state key;
4551
4552 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
4553 NULL, NULL, pd2.af)) {
4554 DPFPRINTF(PF_DEBUG_MISC,
4555 ("pf: ICMP error message too short i"
4556 "(icmp)\n"));
4557 return (PF_DROP);
4558 }
4559
4560 key.af = pd2.af;
4561 key.proto = IPPROTO_ICMP;
4562 if (direction == PF_IN) {
4563 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4564 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4565 key.ext.port = iih.icmp_id;
4566 key.gwy.port = iih.icmp_id;
4567 } else {
4568 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4569 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4570 key.lan.port = iih.icmp_id;
4571 key.ext.port = iih.icmp_id;
4572 }
4573
4574 STATE_LOOKUP();
4575
4576 if (STATE_TRANSLATE(*state)) {
4577 if (direction == PF_IN) {
4578 pf_change_icmp(pd2.src, &iih.icmp_id,
4579 daddr, &(*state)->lan.addr,
4580 (*state)->lan.port, NULL,
4581 pd2.ip_sum, icmpsum,
4582 pd->ip_sum, 0, AF_INET);
4583 } else {
4584 pf_change_icmp(pd2.dst, &iih.icmp_id,
4585 saddr, &(*state)->gwy.addr,
4586 (*state)->gwy.port, NULL,
4587 pd2.ip_sum, icmpsum,
4588 pd->ip_sum, 0, AF_INET);
4589 }
4590 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
4591 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4592 m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih);
4593 }
4594
4595 return (PF_PASS);
4596 break;
4597 }
4598 #endif /* INET */
4599 #ifdef INET6
4600 case IPPROTO_ICMPV6: {
4601 struct icmp6_hdr iih;
4602 struct pf_state key;
4603
4604 if (!pf_pull_hdr(m, off2, &iih,
4605 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) {
4606 DPFPRINTF(PF_DEBUG_MISC,
4607 ("pf: ICMP error message too short "
4608 "(icmp6)\n"));
4609 return (PF_DROP);
4610 }
4611
4612 key.af = pd2.af;
4613 key.proto = IPPROTO_ICMPV6;
4614 if (direction == PF_IN) {
4615 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4616 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4617 key.ext.port = iih.icmp6_id;
4618 key.gwy.port = iih.icmp6_id;
4619 } else {
4620 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4621 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4622 key.lan.port = iih.icmp6_id;
4623 key.ext.port = iih.icmp6_id;
4624 }
4625
4626 STATE_LOOKUP();
4627
4628 if (STATE_TRANSLATE(*state)) {
4629 if (direction == PF_IN) {
4630 pf_change_icmp(pd2.src, &iih.icmp6_id,
4631 daddr, &(*state)->lan.addr,
4632 (*state)->lan.port, NULL,
4633 pd2.ip_sum, icmpsum,
4634 pd->ip_sum, 0, AF_INET6);
4635 } else {
4636 pf_change_icmp(pd2.dst, &iih.icmp6_id,
4637 saddr, &(*state)->gwy.addr,
4638 (*state)->gwy.port, NULL,
4639 pd2.ip_sum, icmpsum,
4640 pd->ip_sum, 0, AF_INET6);
4641 }
4642 m_copyback(m, off, sizeof(struct icmp6_hdr),
4643 (caddr_t)pd->hdr.icmp6);
4644 m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
4645 m_copyback(m, off2, sizeof(struct icmp6_hdr),
4646 (caddr_t)&iih);
4647 }
4648
4649 return (PF_PASS);
4650 break;
4651 }
4652 #endif /* INET6 */
4653 default: {
4654 struct pf_state key;
4655
4656 key.af = pd2.af;
4657 key.proto = pd2.proto;
4658 if (direction == PF_IN) {
4659 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4660 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4661 key.ext.port = 0;
4662 key.gwy.port = 0;
4663 } else {
4664 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4665 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4666 key.lan.port = 0;
4667 key.ext.port = 0;
4668 }
4669
4670 STATE_LOOKUP();
4671
4672 if (STATE_TRANSLATE(*state)) {
4673 if (direction == PF_IN) {
4674 pf_change_icmp(pd2.src, NULL,
4675 daddr, &(*state)->lan.addr,
4676 0, NULL,
4677 pd2.ip_sum, icmpsum,
4678 pd->ip_sum, 0, pd2.af);
4679 } else {
4680 pf_change_icmp(pd2.dst, NULL,
4681 saddr, &(*state)->gwy.addr,
4682 0, NULL,
4683 pd2.ip_sum, icmpsum,
4684 pd->ip_sum, 0, pd2.af);
4685 }
4686 switch (pd2.af) {
4687 #ifdef INET
4688 case AF_INET:
4689 m_copyback(m, off, ICMP_MINLEN,
4690 (caddr_t)pd->hdr.icmp);
4691 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4692 break;
4693 #endif /* INET */
4694 #ifdef INET6
4695 case AF_INET6:
4696 m_copyback(m, off,
4697 sizeof(struct icmp6_hdr),
4698 (caddr_t)pd->hdr.icmp6);
4699 m_copyback(m, ipoff2, sizeof(h2_6),
4700 (caddr_t)&h2_6);
4701 break;
4702 #endif /* INET6 */
4703 }
4704 }
4705
4706 return (PF_PASS);
4707 break;
4708 }
4709 }
4710 }
4711 }
4712
4713 int
4714 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
4715 struct pf_pdesc *pd)
4716 {
4717 struct pf_state_peer *src, *dst;
4718 struct pf_state key;
4719
4720 key.af = pd->af;
4721 key.proto = pd->proto;
4722 if (direction == PF_IN) {
4723 PF_ACPY(&key.ext.addr, pd->src, key.af);
4724 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4725 key.ext.port = 0;
4726 key.gwy.port = 0;
4727 } else {
4728 PF_ACPY(&key.lan.addr, pd->src, key.af);
4729 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4730 key.lan.port = 0;
4731 key.ext.port = 0;
4732 }
4733
4734 STATE_LOOKUP();
4735
4736 if (direction == (*state)->direction) {
4737 src = &(*state)->src;
4738 dst = &(*state)->dst;
4739 } else {
4740 src = &(*state)->dst;
4741 dst = &(*state)->src;
4742 }
4743
4744 /* update states */
4745 if (src->state < PFOTHERS_SINGLE)
4746 src->state = PFOTHERS_SINGLE;
4747 if (dst->state == PFOTHERS_SINGLE)
4748 dst->state = PFOTHERS_MULTIPLE;
4749
4750 /* update expire time */
4751 (*state)->expire = time_second;
4752 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
4753 (*state)->timeout = PFTM_OTHER_MULTIPLE;
4754 else
4755 (*state)->timeout = PFTM_OTHER_SINGLE;
4756
4757 /* translate source/destination address, if necessary */
4758 if (STATE_TRANSLATE(*state)) {
4759 if (direction == PF_OUT)
4760 switch (pd->af) {
4761 #ifdef INET
4762 case AF_INET:
4763 pf_change_a(&pd->src->v4.s_addr,
4764 pd->ip_sum, (*state)->gwy.addr.v4.s_addr,
4765 0);
4766 break;
4767 #endif /* INET */
4768 #ifdef INET6
4769 case AF_INET6:
4770 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af);
4771 break;
4772 #endif /* INET6 */
4773 }
4774 else
4775 switch (pd->af) {
4776 #ifdef INET
4777 case AF_INET:
4778 pf_change_a(&pd->dst->v4.s_addr,
4779 pd->ip_sum, (*state)->lan.addr.v4.s_addr,
4780 0);
4781 break;
4782 #endif /* INET */
4783 #ifdef INET6
4784 case AF_INET6:
4785 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af);
4786 break;
4787 #endif /* INET6 */
4788 }
4789 }
4790
4791 return (PF_PASS);
4792 }
4793
4794 /*
4795 * ipoff and off are measured from the start of the mbuf chain.
4796 * h must be at "ipoff" on the mbuf chain.
4797 */
4798 void *
4799 pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
4800 u_short *actionp, u_short *reasonp, sa_family_t af)
4801 {
4802 switch (af) {
4803 #ifdef INET
4804 case AF_INET: {
4805 struct ip *h = mtod(m, struct ip *);
4806 u_int16_t fragoff = (h->ip_off & IP_OFFMASK) << 3;
4807
4808 if (fragoff) {
4809 if (fragoff >= len)
4810 ACTION_SET(actionp, PF_PASS);
4811 else {
4812 ACTION_SET(actionp, PF_DROP);
4813 REASON_SET(reasonp, PFRES_FRAG);
4814 }
4815 return (NULL);
4816 }
4817 if (m->m_pkthdr.len < off + len ||
4818 h->ip_len < off + len) {
4819 ACTION_SET(actionp, PF_DROP);
4820 REASON_SET(reasonp, PFRES_SHORT);
4821 return (NULL);
4822 }
4823 break;
4824 }
4825 #endif /* INET */
4826 #ifdef INET6
4827 case AF_INET6: {
4828 struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
4829
4830 if (m->m_pkthdr.len < off + len ||
4831 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
4832 (unsigned)(off + len)) {
4833 ACTION_SET(actionp, PF_DROP);
4834 REASON_SET(reasonp, PFRES_SHORT);
4835 return (NULL);
4836 }
4837 break;
4838 }
4839 #endif /* INET6 */
4840 }
4841 m_copydata(m, off, len, p);
4842 return (p);
4843 }
4844
4845 int
4846 pf_routable(struct pf_addr *addr, sa_family_t af)
4847 {
4848 struct sockaddr_in *dst;
4849 struct route ro;
4850 int ret = 0;
4851
4852 bzero(&ro, sizeof(ro));
4853 dst = satosin(&ro.ro_dst);
4854 dst->sin_family = af;
4855 dst->sin_len = sizeof(*dst);
4856 dst->sin_addr = addr->v4;
4857 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
4858
4859 if (ro.ro_rt != NULL) {
4860 ret = 1;
4861 RTFREE(ro.ro_rt);
4862 }
4863
4864 return (ret);
4865 }
4866
4867 #ifdef INET
4868 void
4869 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
4870 struct pf_state *s)
4871 {
4872 struct mbuf *m0, *m1;
4873 struct route iproute;
4874 struct route *ro = NULL;
4875 struct sockaddr_in *dst;
4876 struct ip *ip;
4877 struct ifnet *ifp = NULL;
4878 struct pf_addr naddr;
4879 struct pf_src_node *sn = NULL;
4880 int error = 0;
4881 int sw_csum;
4882
4883 if (m == NULL || *m == NULL || r == NULL ||
4884 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
4885 panic("pf_route: invalid parameters");
4886
4887 if (((*m)->m_pkthdr.pf_flags & PF_MBUF_ROUTED) == 0) {
4888 (*m)->m_pkthdr.pf_flags |= PF_MBUF_ROUTED;
4889 (*m)->m_pkthdr.pf_routed = 1;
4890 } else {
4891 if ((*m)->m_pkthdr.pf_routed > 3) {
4892 m0 = *m;
4893 *m = NULL;
4894 goto bad;
4895 }
4896 (*m)->m_pkthdr.pf_routed++;
4897 }
4898
4899 if (r->rt == PF_DUPTO) {
4900 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL)
4901 return;
4902 } else {
4903 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
4904 return;
4905 m0 = *m;
4906 }
4907
4908 if (m0->m_len < sizeof(struct ip))
4909 panic("pf_route: m0->m_len < sizeof(struct ip)");
4910 ip = mtod(m0, struct ip *);
4911
4912 ro = &iproute;
4913 bzero((caddr_t)ro, sizeof(*ro));
4914 dst = satosin(&ro->ro_dst);
4915 dst->sin_family = AF_INET;
4916 dst->sin_len = sizeof(*dst);
4917 dst->sin_addr = ip->ip_dst;
4918
4919 if (r->rt == PF_FASTROUTE) {
4920 rtalloc(ro);
4921 if (ro->ro_rt == 0) {
4922 ipstat.ips_noroute++;
4923 goto bad;
4924 }
4925
4926 ifp = ro->ro_rt->rt_ifp;
4927 ro->ro_rt->rt_use++;
4928
4929 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
4930 dst = satosin(ro->ro_rt->rt_gateway);
4931 } else {
4932 if (TAILQ_EMPTY(&r->rpool.list))
4933 panic("pf_route: TAILQ_EMPTY(&r->rpool.list)");
4934 if (s == NULL) {
4935 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
4936 &naddr, NULL, &sn);
4937 if (!PF_AZERO(&naddr, AF_INET))
4938 dst->sin_addr.s_addr = naddr.v4.s_addr;
4939 ifp = r->rpool.cur->kif ?
4940 r->rpool.cur->kif->pfik_ifp : NULL;
4941 } else {
4942 if (!PF_AZERO(&s->rt_addr, AF_INET))
4943 dst->sin_addr.s_addr =
4944 s->rt_addr.v4.s_addr;
4945 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
4946 }
4947 }
4948 if (ifp == NULL)
4949 goto bad;
4950
4951 if (oifp != ifp) {
4952 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS)
4953 goto bad;
4954 else if (m0 == NULL)
4955 goto done;
4956 if (m0->m_len < sizeof(struct ip))
4957 panic("pf_route: m0->m_len < sizeof(struct ip)");
4958 ip = mtod(m0, struct ip *);
4959 }
4960
4961 /* Copied from ip_output. */
4962 m0->m_pkthdr.csum_flags |= CSUM_IP;
4963 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist;
4964 if (sw_csum & CSUM_DELAY_DATA) {
4965 in_delayed_cksum(m0);
4966 sw_csum &= ~CSUM_DELAY_DATA;
4967 }
4968 m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
4969
4970 /*
4971 * If small enough for interface, or the interface will take
4972 * care of the fragmentation for us, can just send directly.
4973 */
4974 if (ip->ip_len <= ifp->if_mtu || ((ifp->if_hwassist & CSUM_FRAGMENT) &&
4975 (ip->ip_off & IP_DF) == 0)) {
4976 ip->ip_len = htons(ip->ip_len);
4977 ip->ip_off = htons(ip->ip_off);
4978 ip->ip_sum = 0;
4979 if (sw_csum & CSUM_DELAY_IP) {
4980 /* From KAME */
4981 if (ip->ip_v == IPVERSION &&
4982 (ip->ip_hl << 2) == sizeof(*ip)) {
4983 ip->ip_sum = in_cksum_hdr(ip);
4984 } else {
4985 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
4986 }
4987 }
4988
4989 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt);
4990 goto done;
4991 }
4992
4993 /*
4994 * Too large for interface; fragment if possible.
4995 * Must be able to put at least 8 bytes per fragment.
4996 */
4997 if (ip->ip_off & IP_DF) {
4998 ipstat.ips_cantfrag++;
4999 if (r->rt != PF_DUPTO) {
5000 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
5001 ifp);
5002 goto done;
5003 } else
5004 goto bad;
5005 }
5006
5007 m1 = m0;
5008 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum);
5009 if (error)
5010 goto bad;
5011
5012 for (m0 = m1; m0; m0 = m1) {
5013 m1 = m0->m_nextpkt;
5014 m0->m_nextpkt = 0;
5015 if (error == 0)
5016 error = (*ifp->if_output)(ifp, m0, sintosa(dst),
5017 NULL);
5018 else
5019 m_freem(m0);
5020 }
5021
5022 if (error == 0)
5023 ipstat.ips_fragmented++;
5024
5025 done:
5026 if (r->rt != PF_DUPTO)
5027 *m = NULL;
5028 if (ro == &iproute && ro->ro_rt)
5029 RTFREE(ro->ro_rt);
5030 return;
5031
5032 bad:
5033 m_freem(m0);
5034 goto done;
5035 }
5036 #endif /* INET */
5037
5038 #ifdef INET6
5039 void
5040 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
5041 struct pf_state *s)
5042 {
5043 struct mbuf *m0;
5044 struct route_in6 ip6route;
5045 struct route_in6 *ro;
5046 struct sockaddr_in6 *dst;
5047 struct ip6_hdr *ip6;
5048 struct ifnet *ifp = NULL;
5049 struct pf_addr naddr;
5050 struct pf_src_node *sn = NULL;
5051 int error = 0;
5052
5053 if (m == NULL || *m == NULL || r == NULL ||
5054 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
5055 panic("pf_route6: invalid parameters");
5056
5057 if (((*m)->m_pkthdr.pf_flags & PF_MBUF_ROUTED) == 0) {
5058 (*m)->m_pkthdr.pf_flags |= PF_MBUF_ROUTED;
5059 (*m)->m_pkthdr.pf_routed = 1;
5060 } else {
5061 if ((*m)->m_pkthdr.pf_routed > 3) {
5062 m0 = *m;
5063 *m = NULL;
5064 goto bad;
5065 }
5066 (*m)->m_pkthdr.pf_routed++;
5067 }
5068
5069 if (r->rt == PF_DUPTO) {
5070 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL)
5071 return;
5072 } else {
5073 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
5074 return;
5075 m0 = *m;
5076 }
5077
5078 if (m0->m_len < sizeof(struct ip6_hdr))
5079 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
5080 ip6 = mtod(m0, struct ip6_hdr *);
5081
5082 ro = &ip6route;
5083 bzero((caddr_t)ro, sizeof(*ro));
5084 dst = (struct sockaddr_in6 *)&ro->ro_dst;
5085 dst->sin6_family = AF_INET6;
5086 dst->sin6_len = sizeof(*dst);
5087 dst->sin6_addr = ip6->ip6_dst;
5088
5089 /* Cheat. */
5090 if (r->rt == PF_FASTROUTE) {
5091 m0->m_pkthdr.pf_flags |= PF_MBUF_GENERATED;
5092 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
5093 return;
5094 }
5095
5096 if (TAILQ_EMPTY(&r->rpool.list))
5097 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)");
5098 if (s == NULL) {
5099 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
5100 &naddr, NULL, &sn);
5101 if (!PF_AZERO(&naddr, AF_INET6))
5102 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
5103 &naddr, AF_INET6);
5104 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
5105 } else {
5106 if (!PF_AZERO(&s->rt_addr, AF_INET6))
5107 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
5108 &s->rt_addr, AF_INET6);
5109 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
5110 }
5111 if (ifp == NULL)
5112 goto bad;
5113
5114 if (oifp != ifp) {
5115 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS)
5116 goto bad;
5117 else if (m0 == NULL)
5118 goto done;
5119 if (m0->m_len < sizeof(struct ip6_hdr))
5120 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
5121 ip6 = mtod(m0, struct ip6_hdr *);
5122 }
5123
5124 /*
5125 * If the packet is too large for the outgoing interface,
5126 * send back an icmp6 error.
5127 */
5128 if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr))
5129 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
5130 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
5131 error = nd6_output(ifp, ifp, m0, dst, NULL);
5132 } else {
5133 in6_ifstat_inc(ifp, ifs6_in_toobig);
5134 if (r->rt != PF_DUPTO)
5135 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
5136 else
5137 goto bad;
5138 }
5139
5140 done:
5141 if (r->rt != PF_DUPTO)
5142 *m = NULL;
5143 return;
5144
5145 bad:
5146 m_freem(m0);
5147 goto done;
5148 }
5149 #endif /* INET6 */
5150
5151
5152 /*
5153 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
5154 * off is the offset where the protocol header starts
5155 * len is the total length of protocol header plus payload
5156 * returns 0 when the checksum is valid, otherwise returns 1.
5157 */
5158 /*
5159 * XXX
5160 * FreeBSD supports cksum offload for the following drivers.
5161 * em(4), gx(4), lge(4), nge(4), ti(4), xl(4)
5162 * If we can make full use of it we would outperform ipfw/ipfilter in
5163 * very heavy traffic.
5164 * I have not tested 'cause I don't have NICs that supports cksum offload.
5165 * (There might be problems. Typical phenomena would be
5166 * 1. No route message for UDP packet.
5167 * 2. No connection acceptance from external hosts regardless of rule set.)
5168 */
5169 int
5170 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p,
5171 sa_family_t af)
5172 {
5173 u_int16_t sum = 0;
5174 int hw_assist = 0;
5175 struct ip *ip;
5176
5177 if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
5178 return (1);
5179 if (m->m_pkthdr.len < off + len)
5180 return (1);
5181
5182 switch (p) {
5183 case IPPROTO_TCP:
5184 case IPPROTO_UDP:
5185 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
5186 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
5187 sum = m->m_pkthdr.csum_data;
5188 } else {
5189 ip = mtod(m, struct ip *);
5190 sum = in_pseudo(ip->ip_src.s_addr,
5191 ip->ip_dst.s_addr, htonl((u_short)len +
5192 m->m_pkthdr.csum_data + p));
5193 }
5194 sum ^= 0xffff;
5195 ++hw_assist;
5196 }
5197 break;
5198 case IPPROTO_ICMP:
5199 #ifdef INET6
5200 case IPPROTO_ICMPV6:
5201 #endif /* INET6 */
5202 break;
5203 default:
5204 return (1);
5205 }
5206
5207 if (!hw_assist) {
5208 switch (af) {
5209 case AF_INET:
5210 if (p == IPPROTO_ICMP) {
5211 if (m->m_len < off)
5212 return (1);
5213 m->m_data += off;
5214 m->m_len -= off;
5215 sum = in_cksum(m, len);
5216 m->m_data -= off;
5217 m->m_len += off;
5218 } else {
5219 if (m->m_len < sizeof(struct ip))
5220 return (1);
5221 sum = in_cksum_range(m, p, off, len);
5222 if (sum == 0) {
5223 m->m_pkthdr.csum_flags |=
5224 (CSUM_DATA_VALID |
5225 CSUM_PSEUDO_HDR);
5226 m->m_pkthdr.csum_data = 0xffff;
5227 }
5228 }
5229 break;
5230 #ifdef INET6
5231 case AF_INET6:
5232 if (m->m_len < sizeof(struct ip6_hdr))
5233 return (1);
5234 sum = in6_cksum(m, p, off, len);
5235 /*
5236 * XXX
5237 * IPv6 H/W cksum off-load not supported yet!
5238 *
5239 * if (sum == 0) {
5240 * m->m_pkthdr.csum_flags |=
5241 * (CSUM_DATA_VALID|CSUM_PSEUDO_HDR);
5242 * m->m_pkthdr.csum_data = 0xffff;
5243 *}
5244 */
5245 break;
5246 #endif /* INET6 */
5247 default:
5248 return (1);
5249 }
5250 }
5251 if (sum) {
5252 switch (p) {
5253 case IPPROTO_TCP:
5254 tcpstat.tcps_rcvbadsum++;
5255 break;
5256 case IPPROTO_UDP:
5257 udpstat.udps_badsum++;
5258 break;
5259 case IPPROTO_ICMP:
5260 icmpstat.icps_checksum++;
5261 break;
5262 #ifdef INET6
5263 case IPPROTO_ICMPV6:
5264 icmp6stat.icp6s_checksum++;
5265 break;
5266 #endif /* INET6 */
5267 }
5268 return (1);
5269 }
5270 return (0);
5271 }
5272
5273 #ifdef INET
5274 int
5275 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
5276 {
5277 struct pfi_kif *kif;
5278 u_short action, reason = 0, log = 0;
5279 struct mbuf *m = *m0;
5280 struct ip *h = NULL;
5281 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
5282 struct pf_state *s = NULL;
5283 struct pf_ruleset *ruleset = NULL;
5284 struct pf_pdesc pd;
5285 int off, dirndx, pqid = 0;
5286
5287 if (!pf_status.running || (m->m_pkthdr.pf_flags & PF_MBUF_GENERATED))
5288 return (PF_PASS);
5289
5290 kif = pfi_index2kif[ifp->if_index];
5291 if (kif == NULL)
5292 return (PF_DROP);
5293
5294 #ifdef DIAGNOSTIC
5295 if ((m->m_flags & M_PKTHDR) == 0)
5296 panic("non-M_PKTHDR is passed to pf_test");
5297 #endif
5298
5299 memset(&pd, 0, sizeof(pd));
5300 if (m->m_pkthdr.len < (int)sizeof(*h)) {
5301 action = PF_DROP;
5302 REASON_SET(&reason, PFRES_SHORT);
5303 log = 1;
5304 goto done;
5305 }
5306
5307 /* We do IP header normalization and packet reassembly here */
5308 if (pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) {
5309 action = PF_DROP;
5310 goto done;
5311 }
5312 m = *m0;
5313 h = mtod(m, struct ip *);
5314
5315 off = h->ip_hl << 2;
5316 if (off < (int)sizeof(*h)) {
5317 action = PF_DROP;
5318 REASON_SET(&reason, PFRES_SHORT);
5319 log = 1;
5320 goto done;
5321 }
5322
5323 pd.src = (struct pf_addr *)&h->ip_src;
5324 pd.dst = (struct pf_addr *)&h->ip_dst;
5325 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
5326 pd.ip_sum = &h->ip_sum;
5327 pd.proto = h->ip_p;
5328 pd.af = AF_INET;
5329 pd.tos = h->ip_tos;
5330 pd.tot_len = h->ip_len;
5331
5332 /* handle fragments that didn't get reassembled by normalization */
5333 if (h->ip_off & (IP_MF | IP_OFFMASK)) {
5334 action = pf_test_fragment(&r, dir, kif, m, h,
5335 &pd, &a, &ruleset);
5336 goto done;
5337 }
5338
5339 switch (h->ip_p) {
5340
5341 case IPPROTO_TCP: {
5342 struct tcphdr th;
5343
5344 pd.hdr.tcp = &th;
5345 if (!pf_pull_hdr(m, off, &th, sizeof(th),
5346 &action, &reason, AF_INET)) {
5347 log = action != PF_PASS;
5348 goto done;
5349 }
5350 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5351 h->ip_len - off, IPPROTO_TCP, AF_INET)) {
5352 action = PF_DROP;
5353 goto done;
5354 }
5355 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5356 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
5357 pqid = 1;
5358 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5359 if (action == PF_DROP)
5360 goto done;
5361 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5362 &reason);
5363 if (action == PF_PASS) {
5364 #if NPFSYNC
5365 pfsync_update_state(s);
5366 #endif
5367 r = s->rule.ptr;
5368 a = s->anchor.ptr;
5369 log = s->log;
5370 } else if (s == NULL)
5371 action = pf_test_tcp(&r, &s, dir, kif,
5372 m, off, h, &pd, &a, &ruleset);
5373 break;
5374 }
5375
5376 case IPPROTO_UDP: {
5377 struct udphdr uh;
5378
5379 pd.hdr.udp = &uh;
5380 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
5381 &action, &reason, AF_INET)) {
5382 log = action != PF_PASS;
5383 goto done;
5384 }
5385 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
5386 off, h->ip_len - off, IPPROTO_UDP, AF_INET)) {
5387 action = PF_DROP;
5388 goto done;
5389 }
5390 if (uh.uh_dport == 0 ||
5391 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
5392 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
5393 action = PF_DROP;
5394 goto done;
5395 }
5396 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5397 if (action == PF_PASS) {
5398 #if NPFSYNC
5399 pfsync_update_state(s);
5400 #endif
5401 r = s->rule.ptr;
5402 a = s->anchor.ptr;
5403 log = s->log;
5404 } else if (s == NULL)
5405 action = pf_test_udp(&r, &s, dir, kif,
5406 m, off, h, &pd, &a, &ruleset);
5407 break;
5408 }
5409
5410 case IPPROTO_ICMP: {
5411 struct icmp ih;
5412
5413 pd.hdr.icmp = &ih;
5414 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
5415 &action, &reason, AF_INET)) {
5416 log = action != PF_PASS;
5417 goto done;
5418 }
5419 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5420 h->ip_len - off, IPPROTO_ICMP, AF_INET)) {
5421 action = PF_DROP;
5422 goto done;
5423 }
5424 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd);
5425 if (action == PF_PASS) {
5426 #if NPFSYNC
5427 pfsync_update_state(s);
5428 #endif
5429 r = s->rule.ptr;
5430 a = s->anchor.ptr;
5431 log = s->log;
5432 } else if (s == NULL)
5433 action = pf_test_icmp(&r, &s, dir, kif,
5434 m, off, h, &pd, &a, &ruleset);
5435 break;
5436 }
5437
5438 default:
5439 action = pf_test_state_other(&s, dir, kif, &pd);
5440 if (action == PF_PASS) {
5441 #if NPFSYNC
5442 pfsync_update_state(s);
5443 #endif
5444 r = s->rule.ptr;
5445 a = s->anchor.ptr;
5446 log = s->log;
5447 } else if (s == NULL)
5448 action = pf_test_other(&r, &s, dir, kif, m, off, h,
5449 &pd, &a, &ruleset);
5450 break;
5451 }
5452
5453 done:
5454 if (action == PF_PASS && h->ip_hl > 5 &&
5455 !((s && s->allow_opts) || r->allow_opts)) {
5456 action = PF_DROP;
5457 REASON_SET(&reason, PFRES_SHORT);
5458 log = 1;
5459 DPFPRINTF(PF_DEBUG_MISC,
5460 ("pf: dropping packet with ip options\n"));
5461 }
5462
5463 #ifdef ALTQ
5464 if (action == PF_PASS && r->qid) {
5465 struct m_tag *mtag;
5466 struct altq_tag *atag;
5467
5468 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT);
5469 if (mtag != NULL) {
5470 atag = (struct altq_tag *)(mtag + 1);
5471 if (pqid || pd.tos == IPTOS_LOWDELAY)
5472 atag->qid = r->pqid;
5473 else
5474 atag->qid = r->qid;
5475 /* add hints for ecn */
5476 atag->af = AF_INET;
5477 atag->hdr = h;
5478 m_tag_prepend(m, mtag);
5479 }
5480 }
5481 #endif
5482
5483 /*
5484 * connections redirected to loopback should not match sockets
5485 * bound specifically to loopback due to security implications,
5486 * see tcp_input() and in_pcblookup_listen().
5487 */
5488 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5489 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5490 (s->nat_rule.ptr->action == PF_RDR ||
5491 s->nat_rule.ptr->action == PF_BINAT) &&
5492 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
5493 action = PF_DROP;
5494 REASON_SET(&reason, PFRES_MEMORY);
5495 }
5496
5497 m->m_pkthdr.pf_flags |= PF_MBUF_TRANSLATE_LOCALHOST;
5498
5499 if (log)
5500 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset);
5501
5502 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
5503 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
5504
5505 if (action == PF_PASS || r->action == PF_DROP) {
5506 r->packets++;
5507 r->bytes += pd.tot_len;
5508 if (a != NULL) {
5509 a->packets++;
5510 a->bytes += pd.tot_len;
5511 }
5512 if (s != NULL) {
5513 dirndx = (dir == s->direction) ? 0 : 1;
5514 s->packets[dirndx]++;
5515 s->bytes[dirndx] += pd.tot_len;
5516 if (s->nat_rule.ptr != NULL) {
5517 s->nat_rule.ptr->packets++;
5518 s->nat_rule.ptr->bytes += pd.tot_len;
5519 }
5520 if (s->src_node != NULL) {
5521 s->src_node->packets++;
5522 s->src_node->bytes += pd.tot_len;
5523 }
5524 if (s->nat_src_node != NULL) {
5525 s->nat_src_node->packets++;
5526 s->nat_src_node->bytes += pd.tot_len;
5527 }
5528 }
5529 tr = r;
5530 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
5531 if (nr != NULL) {
5532 struct pf_addr *x;
5533 /*
5534 * XXX: we need to make sure that the addresses
5535 * passed to pfr_update_stats() are the same than
5536 * the addresses used during matching (pfr_match)
5537 */
5538 if (r == &pf_default_rule) {
5539 tr = nr;
5540 x = (s == NULL || s->direction == dir) ?
5541 &pd.baddr : &pd.naddr;
5542 } else
5543 x = (s == NULL || s->direction == dir) ?
5544 &pd.naddr : &pd.baddr;
5545 if (x == &pd.baddr || s == NULL) {
5546 /* we need to change the address */
5547 if (dir == PF_OUT)
5548 pd.src = x;
5549 else
5550 pd.dst = x;
5551 }
5552 }
5553 if (tr->src.addr.type == PF_ADDR_TABLE)
5554 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
5555 s->direction == dir) ? pd.src : pd.dst, pd.af,
5556 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5557 tr->src.not);
5558 if (tr->dst.addr.type == PF_ADDR_TABLE)
5559 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
5560 s->direction == dir) ? pd.dst : pd.src, pd.af,
5561 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5562 tr->dst.not);
5563 }
5564
5565
5566 if (action == PF_SYNPROXY_DROP) {
5567 m_freem(*m0);
5568 *m0 = NULL;
5569 action = PF_PASS;
5570 } else if (r->rt)
5571 /* pf_route can free the mbuf causing *m0 to become NULL */
5572 pf_route(m0, r, dir, ifp, s);
5573
5574 return (action);
5575 }
5576 #endif /* INET */
5577
5578 #ifdef INET6
5579 int
5580 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
5581 {
5582 struct pfi_kif *kif;
5583 u_short action, reason = 0, log = 0;
5584 struct mbuf *m = *m0;
5585 struct ip6_hdr *h;
5586 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
5587 struct pf_state *s = NULL;
5588 struct pf_ruleset *ruleset = NULL;
5589 struct pf_pdesc pd;
5590 int off, terminal = 0, dirndx;
5591
5592 if (!pf_status.running || (m->m_pkthdr.pf_flags & PF_MBUF_GENERATED))
5593 return (PF_PASS);
5594
5595 kif = pfi_index2kif[ifp->if_index];
5596 if (kif == NULL)
5597 return (PF_DROP);
5598
5599 #ifdef DIAGNOSTIC
5600 if ((m->m_flags & M_PKTHDR) == 0)
5601 panic("non-M_PKTHDR is passed to pf_test");
5602 #endif
5603
5604 memset(&pd, 0, sizeof(pd));
5605 if (m->m_pkthdr.len < (int)sizeof(*h)) {
5606 action = PF_DROP;
5607 REASON_SET(&reason, PFRES_SHORT);
5608 log = 1;
5609 goto done;
5610 }
5611
5612 /* We do IP header normalization and packet reassembly here */
5613 if (pf_normalize_ip6(m0, dir, kif, &reason) != PF_PASS) {
5614 action = PF_DROP;
5615 goto done;
5616 }
5617 m = *m0;
5618 h = mtod(m, struct ip6_hdr *);
5619
5620 pd.src = (struct pf_addr *)&h->ip6_src;
5621 pd.dst = (struct pf_addr *)&h->ip6_dst;
5622 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
5623 pd.ip_sum = NULL;
5624 pd.af = AF_INET6;
5625 pd.tos = 0;
5626 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
5627
5628 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
5629 pd.proto = h->ip6_nxt;
5630 do {
5631 switch (pd.proto) {
5632 case IPPROTO_FRAGMENT:
5633 action = pf_test_fragment(&r, dir, kif, m, h,
5634 &pd, &a, &ruleset);
5635 if (action == PF_DROP)
5636 REASON_SET(&reason, PFRES_FRAG);
5637 goto done;
5638 case IPPROTO_AH:
5639 case IPPROTO_HOPOPTS:
5640 case IPPROTO_ROUTING:
5641 case IPPROTO_DSTOPTS: {
5642 /* get next header and header length */
5643 struct ip6_ext opt6;
5644
5645 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
5646 NULL, NULL, pd.af)) {
5647 DPFPRINTF(PF_DEBUG_MISC,
5648 ("pf: IPv6 short opt\n"));
5649 action = PF_DROP;
5650 REASON_SET(&reason, PFRES_SHORT);
5651 log = 1;
5652 goto done;
5653 }
5654 if (pd.proto == IPPROTO_AH)
5655 off += (opt6.ip6e_len + 2) * 4;
5656 else
5657 off += (opt6.ip6e_len + 1) * 8;
5658 pd.proto = opt6.ip6e_nxt;
5659 /* goto the next header */
5660 break;
5661 }
5662 default:
5663 terminal++;
5664 break;
5665 }
5666 } while (!terminal);
5667
5668 switch (pd.proto) {
5669
5670 case IPPROTO_TCP: {
5671 struct tcphdr th;
5672
5673 pd.hdr.tcp = &th;
5674 if (!pf_pull_hdr(m, off, &th, sizeof(th),
5675 &action, &reason, AF_INET6)) {
5676 log = action != PF_PASS;
5677 goto done;
5678 }
5679 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5680 ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) {
5681 action = PF_DROP;
5682 goto done;
5683 }
5684 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5685 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5686 if (action == PF_DROP)
5687 goto done;
5688 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5689 &reason);
5690 if (action == PF_PASS) {
5691 #if NPFSYNC
5692 pfsync_update_state(s);
5693 #endif
5694 r = s->rule.ptr;
5695 a = s->anchor.ptr;
5696 log = s->log;
5697 } else if (s == NULL)
5698 action = pf_test_tcp(&r, &s, dir, kif,
5699 m, off, h, &pd, &a, &ruleset);
5700 break;
5701 }
5702
5703 case IPPROTO_UDP: {
5704 struct udphdr uh;
5705
5706 pd.hdr.udp = &uh;
5707 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
5708 &action, &reason, AF_INET6)) {
5709 log = action != PF_PASS;
5710 goto done;
5711 }
5712 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
5713 off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) {
5714 action = PF_DROP;
5715 goto done;
5716 }
5717 if (uh.uh_dport == 0 ||
5718 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
5719 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
5720 action = PF_DROP;
5721 goto done;
5722 }
5723 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5724 if (action == PF_PASS) {
5725 #if NPFSYNC
5726 pfsync_update_state(s);
5727 #endif
5728 r = s->rule.ptr;
5729 a = s->anchor.ptr;
5730 log = s->log;
5731 } else if (s == NULL)
5732 action = pf_test_udp(&r, &s, dir, kif,
5733 m, off, h, &pd, &a, &ruleset);
5734 break;
5735 }
5736
5737 case IPPROTO_ICMPV6: {
5738 struct icmp6_hdr ih;
5739
5740 pd.hdr.icmp6 = &ih;
5741 if (!pf_pull_hdr(m, off, &ih, sizeof(ih),
5742 &action, &reason, AF_INET6)) {
5743 log = action != PF_PASS;
5744 goto done;
5745 }
5746 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5747 ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) {
5748 action = PF_DROP;
5749 goto done;
5750 }
5751 action = pf_test_state_icmp(&s, dir, kif,
5752 m, off, h, &pd);
5753 if (action == PF_PASS) {
5754 #if NPFSYNC
5755 pfsync_update_state(s);
5756 #endif
5757 r = s->rule.ptr;
5758 a = s->anchor.ptr;
5759 log = s->log;
5760 } else if (s == NULL)
5761 action = pf_test_icmp(&r, &s, dir, kif,
5762 m, off, h, &pd, &a, &ruleset);
5763 break;
5764 }
5765
5766 default:
5767 action = pf_test_state_other(&s, dir, kif, &pd);
5768 if (action == PF_PASS) {
5769 r = s->rule.ptr;
5770 a = s->anchor.ptr;
5771 log = s->log;
5772 } else if (s == NULL)
5773 action = pf_test_other(&r, &s, dir, kif, m, off, h,
5774 &pd, &a, &ruleset);
5775 break;
5776 }
5777
5778 done:
5779 /* XXX handle IPv6 options, if not allowed. not implemented. */
5780
5781 #ifdef ALTQ
5782 if (action == PF_PASS && r->qid) {
5783 struct m_tag *mtag;
5784 struct altq_tag *atag;
5785
5786 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT);
5787 if (mtag != NULL) {
5788 atag = (struct altq_tag *)(mtag + 1);
5789 if (pd.tos == IPTOS_LOWDELAY)
5790 atag->qid = r->pqid;
5791 else
5792 atag->qid = r->qid;
5793 /* add hints for ecn */
5794 atag->af = AF_INET6;
5795 atag->hdr = h;
5796 m_tag_prepend(m, mtag);
5797 }
5798 }
5799 #endif
5800
5801 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5802 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5803 (s->nat_rule.ptr->action == PF_RDR ||
5804 s->nat_rule.ptr->action == PF_BINAT) &&
5805 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) {
5806 action = PF_DROP;
5807 REASON_SET(&reason, PFRES_MEMORY);
5808 }
5809
5810 m->m_pkthdr.pf_flags |= PF_MBUF_TRANSLATE_LOCALHOST;
5811
5812 if (log)
5813 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset);
5814
5815 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
5816 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
5817
5818 if (action == PF_PASS || r->action == PF_DROP) {
5819 r->packets++;
5820 r->bytes += pd.tot_len;
5821 if (a != NULL) {
5822 a->packets++;
5823 a->bytes += pd.tot_len;
5824 }
5825 if (s != NULL) {
5826 dirndx = (dir == s->direction) ? 0 : 1;
5827 s->packets[dirndx]++;
5828 s->bytes[dirndx] += pd.tot_len;
5829 if (s->nat_rule.ptr != NULL) {
5830 s->nat_rule.ptr->packets++;
5831 s->nat_rule.ptr->bytes += pd.tot_len;
5832 }
5833 if (s->src_node != NULL) {
5834 s->src_node->packets++;
5835 s->src_node->bytes += pd.tot_len;
5836 }
5837 if (s->nat_src_node != NULL) {
5838 s->nat_src_node->packets++;
5839 s->nat_src_node->bytes += pd.tot_len;
5840 }
5841 }
5842 tr = r;
5843 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
5844 if (nr != NULL) {
5845 struct pf_addr *x;
5846 /*
5847 * XXX: we need to make sure that the addresses
5848 * passed to pfr_update_stats() are the same than
5849 * the addresses used during matching (pfr_match)
5850 */
5851 if (r == &pf_default_rule) {
5852 tr = nr;
5853 x = (s == NULL || s->direction == dir) ?
5854 &pd.baddr : &pd.naddr;
5855 } else {
5856 x = (s == NULL || s->direction == dir) ?
5857 &pd.naddr : &pd.baddr;
5858 }
5859 if (x == &pd.baddr || s == NULL) {
5860 if (dir == PF_OUT)
5861 pd.src = x;
5862 else
5863 pd.dst = x;
5864 }
5865 }
5866 if (tr->src.addr.type == PF_ADDR_TABLE)
5867 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
5868 s->direction == dir) ? pd.src : pd.dst, pd.af,
5869 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5870 tr->src.not);
5871 if (tr->dst.addr.type == PF_ADDR_TABLE)
5872 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
5873 s->direction == dir) ? pd.dst : pd.src, pd.af,
5874 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5875 tr->dst.not);
5876 }
5877
5878
5879 if (action == PF_SYNPROXY_DROP) {
5880 m_freem(*m0);
5881 *m0 = NULL;
5882 action = PF_PASS;
5883 } else if (r->rt)
5884 /* pf_route6 can free the mbuf causing *m0 to become NULL */
5885 pf_route6(m0, r, dir, ifp, s);
5886
5887 return (action);
5888 }
5889 #endif /* INET6 */
DragonFly BSD