Lines Matching full:pd
429 if ((pd->dir) == PF_OUT) \
436 #define PACKET_LOOPED(pd) ((pd)->pf_mtag && \
437 (pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
439 #define STATE_LOOKUP(k, s, pd) \
441 (s) = pf_find_state((pd->kif), (k), (pd->dir)); \
442 SDT_PROBE5(pf, ip, state, lookup, pd->kif, k, (pd->dir), pd, (s)); \
445 if (PACKET_LOOPED(pd)) \
450 BOUND_IFACE(struct pf_kstate *st, struct pf_pdesc *pd)
452 struct pfi_kkif *k = pd->kif;
464 if (st->rule->rt == PF_REPLYTO || (pd->af != pd->naf))
472 if (pd->related_rule)
623 pf_packet_rework_nat(struct mbuf *m, struct pf_pdesc *pd, int off,
627 switch (pd->proto) {
629 struct tcphdr *th = &pd->hdr.tcp;
631 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af))
632 pf_change_ap(m, pd->src, &th->th_sport, pd->ip_sum,
633 &th->th_sum, &nk->addr[pd->sidx],
634 nk->port[pd->sidx], 0, pd->af, pd->naf);
635 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af))
636 pf_change_ap(m, pd->dst, &th->th_dport, pd->ip_sum,
637 &th->th_sum, &nk->addr[pd->didx],
638 nk->port[pd->didx], 0, pd->af, pd->naf);
643 struct udphdr *uh = &pd->hdr.udp;
645 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af))
646 pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
647 &uh->uh_sum, &nk->addr[pd->sidx],
648 nk->port[pd->sidx], 1, pd->af, pd->naf);
649 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af))
650 pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
651 &uh->uh_sum, &nk->addr[pd->didx],
652 nk->port[pd->didx], 1, pd->af, pd->naf);
657 struct sctphdr *sh = &pd->hdr.sctp;
660 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) {
661 pf_change_ap(m, pd->src, &sh->src_port, pd->ip_sum,
662 &checksum, &nk->addr[pd->sidx],
663 nk->port[pd->sidx], 1, pd->af, pd->naf);
665 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) {
666 pf_change_ap(m, pd->dst, &sh->dest_port, pd->ip_sum,
667 &checksum, &nk->addr[pd->didx],
668 nk->port[pd->didx], 1, pd->af, pd->naf);
674 struct icmp *ih = &pd->hdr.icmp;
676 if (nk->port[pd->sidx] != ih->icmp_id) {
677 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup(
679 nk->port[pd->sidx], 0);
680 ih->icmp_id = nk->port[pd->sidx];
681 pd->sport = &ih->icmp_id;
688 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) {
689 switch (pd->af) {
691 pf_change_a(&pd->src->v4.s_addr,
692 pd->ip_sum, nk->addr[pd->sidx].v4.s_addr,
696 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
700 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) {
701 switch (pd->af) {
703 pf_change_a(&pd->dst->v4.s_addr,
704 pd->ip_sum, nk->addr[pd->didx].v4.s_addr,
708 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
1631 pf_state_key_addr_setup(struct pf_pdesc *pd,
1634 struct pf_addr *saddr = pd->src;
1635 struct pf_addr *daddr = pd->dst;
1641 if (pd->af == AF_INET || pd->proto != IPPROTO_ICMPV6)
1644 switch (pd->hdr.icmp6.icmp6_type) {
1648 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
1656 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
1660 if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) {
1661 key->addr[pd->didx].addr32[0] = 0;
1662 key->addr[pd->didx].addr32[1] = 0;
1663 key->addr[pd->didx].addr32[2] = 0;
1664 key->addr[pd->didx].addr32[3] = 0;
1670 key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL;
1671 key->addr[pd->sidx].addr32[1] = 0;
1672 key->addr[pd->sidx].addr32[2] = 0;
1673 key->addr[pd->sidx].addr32[3] = IPV6_ADDR_INT32_ONE;
1680 PF_ACPY(&key->addr[pd->sidx], saddr, pd->af);
1682 PF_ACPY(&key->addr[pd->didx], daddr, pd->af);
1688 pf_state_key_setup(struct pf_pdesc *pd, u_int16_t sport, u_int16_t dport,
1695 if (pf_state_key_addr_setup(pd, (struct pf_state_key_cmp *)*sk,
1702 (*sk)->port[pd->sidx] = sport;
1703 (*sk)->port[pd->didx] = dport;
1704 (*sk)->proto = pd->proto;
1705 (*sk)->af = pd->af;
1714 if (pd->af != pd->naf) {
1715 (*sk)->port[pd->sidx] = pd->osport;
1716 (*sk)->port[pd->didx] = pd->odport;
1718 (*nk)->af = pd->naf;
1727 PF_ACPY(&(*nk)->addr[pd->didx], &pd->nsaddr, pd->naf);
1728 PF_ACPY(&(*nk)->addr[pd->sidx], &pd->ndaddr, pd->naf);
1729 (*nk)->port[pd->didx] = pd->nsport;
1730 (*nk)->port[pd->sidx] = pd->ndport;
1731 switch (pd->proto) {
1739 (*nk)->proto = pd->proto;
2156 pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
2167 switch (pd->af) {
2175 *virtual_id = pd->hdr.icmp.icmp_id;
2182 *virtual_id = pd->hdr.icmp.icmp_id;
2189 *virtual_id = pd->hdr.icmp.icmp_id;
2196 *virtual_id = pd->hdr.icmp.icmp_id;
2252 *virtual_id = pd->hdr.icmp6.icmp6_id;
3454 pf_translate_af(struct pf_pdesc *pd)
3465 hlen = pd->naf == AF_INET ? sizeof(*ip4) : sizeof(*ip6);
3468 m_adj(pd->m, pd->off);
3471 M_PREPEND(pd->m, hlen, M_NOWAIT);
3472 if (pd->m == NULL)
3475 switch (pd->naf) {
3477 ip4 = mtod(pd->m, struct ip *);
3481 ip4->ip_tos = pd->tos;
3482 ip4->ip_len = htons(hlen + (pd->tot_len - pd->off));
3484 ip4->ip_ttl = pd->ttl;
3485 ip4->ip_p = pd->proto;
3486 ip4->ip_src = pd->nsaddr.v4;
3487 ip4->ip_dst = pd->ndaddr.v4;
3488 pd->src = (struct pf_addr *)&ip4->ip_src;
3489 pd->dst = (struct pf_addr *)&ip4->ip_dst;
3490 pd->off = sizeof(struct ip);
3493 ip6 = mtod(pd->m, struct ip6_hdr *);
3496 ip6->ip6_flow |= htonl((u_int32_t)pd->tos << 20);
3497 ip6->ip6_plen = htons(pd->tot_len - pd->off);
3498 ip6->ip6_nxt = pd->proto;
3499 if (!pd->ttl || pd->ttl > IPV6_DEFHLIM)
3502 ip6->ip6_hlim = pd->ttl;
3503 ip6->ip6_src = pd->nsaddr.v6;
3504 ip6->ip6_dst = pd->ndaddr.v6;
3505 pd->src = (struct pf_addr *)&ip6->ip6_src;
3506 pd->dst = (struct pf_addr *)&ip6->ip6_dst;
3507 pd->off = sizeof(struct ip6_hdr);
3514 mtag = m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL);
3527 if (pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6) {
3529 if ((mp = m_pulldown(pd->m, hlen, sizeof(*icmp), &off)) ==
3531 pd->m = NULL;
3536 icmp->icmp6_cksum = pd->naf == AF_INET ?
3537 in4_cksum(pd->m, 0, hlen, ntohs(ip4->ip_len) - hlen) :
3538 in6_cksum(pd->m, IPPROTO_ICMPV6, hlen,
3547 pf_change_icmp_af(struct mbuf *m, int off, struct pf_pdesc *pd,
3619 pd->tot_len += hlen - olen;
3864 pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th,
3874 !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
3893 pf_patch_32_unaligned(pd->m,
3898 pf_patch_32_unaligned(pd->m, &th->th_sum,
3917 m_copyback(pd->m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts);
4071 pf_send_sctp_abort(sa_family_t af, struct pf_pdesc *pd,
4086 MPASS(af == pd->af);
4111 h->ip_src = pd->dst->v4;
4112 h->ip_dst = pd->src->v4;
4128 memcpy(&h6->ip6_src, &pd->dst->v6, sizeof(struct in6_addr));
4129 memcpy(&h6->ip6_dst, &pd->src->v6, sizeof(struct in6_addr));
4139 hdr->src_port = pd->hdr.sctp.dest_port;
4140 hdr->dest_port = pd->hdr.sctp.src_port;
4141 hdr->v_tag = pd->sctp_initiate_tag;
4224 pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
4229 struct pf_addr * const saddr = pd->src;
4230 struct pf_addr * const daddr = pd->dst;
4234 PF_ACPY(saddr, &sk->addr[pd->sidx], pd->af);
4235 PF_ACPY(daddr, &sk->addr[pd->didx], pd->af);
4236 if (pd->sport)
4237 *pd->sport = sk->port[pd->sidx];
4238 if (pd->dport)
4239 *pd->dport = sk->port[pd->didx];
4240 if (pd->ip_sum)
4241 *pd->ip_sum = bip_sum;
4242 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
4244 if (pd->proto == IPPROTO_TCP &&
4248 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
4250 if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off,
4251 IPPROTO_TCP, pd->af))
4258 pf_send_tcp(r, pd->af, pd->dst,
4259 pd->src, th->th_dport, th->th_sport,
4263 } else if (pd->proto == IPPROTO_SCTP &&
4265 pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid);
4266 } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET &&
4268 pf_send_icmp(pd->m, r->return_icmp >> 8,
4269 r->return_icmp & 255, pd->af, r, rtableid);
4270 else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 &&
4272 pf_send_icmp(pd->m, r->return_icmp6 >> 8,
4273 r->return_icmp6 & 255, pd->af, r, rtableid);
4539 pf_tag_packet(struct pf_pdesc *pd, int tag)
4544 if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL))
4547 pd->pf_mtag->tag = tag;
4867 pf_socket_lookup(struct pf_pdesc *pd)
4874 pd->lookup.uid = UID_MAX;
4875 pd->lookup.gid = GID_MAX;
4877 switch (pd->proto) {
4879 sport = pd->hdr.tcp.th_sport;
4880 dport = pd->hdr.tcp.th_dport;
4884 sport = pd->hdr.udp.uh_sport;
4885 dport = pd->hdr.udp.uh_dport;
4891 if (pd->dir == PF_IN) {
4892 saddr = pd->src;
4893 daddr = pd->dst;
4900 saddr = pd->dst;
4901 daddr = pd->src;
4903 switch (pd->af) {
4907 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m);
4911 INPLOOKUP_RLOCKPCB, NULL, pd->m);
4920 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m);
4924 INPLOOKUP_RLOCKPCB, NULL, pd->m);
4932 pd->lookup.uid = inp->inp_cred->cr_uid;
4933 pd->lookup.gid = inp->inp_cred->cr_groups[0];
4940 pf_get_wscale(struct pf_pdesc *pd)
4942 struct tcphdr *th = &pd->hdr.tcp;
4951 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af))
4981 pf_get_mss(struct pf_pdesc *pd)
4983 struct tcphdr *th = &pd->hdr.tcp;
4992 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af))
5059 pf_tcp_iss(struct pf_pdesc *pd)
5074 MD5Update(&ctx, (char *)&pd->hdr.tcp.th_sport, sizeof(u_short));
5075 MD5Update(&ctx, (char *)&pd->hdr.tcp.th_dport, sizeof(u_short));
5076 switch (pd->af) {
5078 MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr));
5079 MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr));
5082 MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr));
5083 MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr));
5437 struct pf_pdesc *pd, struct pf_krule **am,
5445 struct tcphdr *th = &pd->hdr.tcp;
5461 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5462 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5468 pd->lookup.uid = inp->inp_cred->cr_uid;
5469 pd->lookup.gid = inp->inp_cred->cr_groups[0];
5470 pd->lookup.done = 1;
5473 switch (pd->virtual_proto) {
5475 pd->nsport = th->th_sport;
5476 pd->ndport = th->th_dport;
5479 pd->nsport = pd->hdr.udp.uh_sport;
5480 pd->ndport = pd->hdr.udp.uh_dport;
5483 pd->nsport = pd->hdr.sctp.src_port;
5484 pd->ndport = pd->hdr.sctp.dest_port;
5488 MPASS(pd->af == AF_INET);
5489 icmptype = pd->hdr.icmp.icmp_type;
5490 icmpcode = pd->hdr.icmp.icmp_code;
5491 state_icmp = pf_icmp_mapping(pd, icmptype,
5494 pd->nsport = virtual_id;
5495 pd->ndport = virtual_type;
5497 pd->nsport = virtual_type;
5498 pd->ndport = virtual_id;
5504 MPASS(pd->af == AF_INET6);
5505 icmptype = pd->hdr.icmp6.icmp6_type;
5506 icmpcode = pd->hdr.icmp6.icmp6_code;
5507 state_icmp = pf_icmp_mapping(pd, icmptype,
5510 pd->nsport = virtual_id;
5511 pd->ndport = virtual_type;
5513 pd->nsport = virtual_type;
5514 pd->ndport = virtual_id;
5520 pd->nsport = pd->ndport = 0;
5523 pd->osport = pd->nsport;
5524 pd->odport = pd->ndport;
5529 transerror = pf_get_translation(pd, pd->off, &sk, &nk, anchor_stack,
5545 ruleset, pd, 1);
5548 if (pd->ip_sum)
5549 bip_sum = *pd->ip_sum;
5551 switch (pd->proto) {
5555 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) ||
5556 nk->port[pd->sidx] != pd->nsport) {
5557 pf_change_ap(pd->m, pd->src, &th->th_sport,
5558 pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
5559 nk->port[pd->sidx], 0, pd->af, pd->naf);
5560 pd->sport = &th->th_sport;
5561 pd->nsport = th->th_sport;
5562 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5565 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) ||
5566 nk->port[pd->didx] != pd->ndport) {
5567 pf_change_ap(pd->m, pd->dst, &th->th_dport,
5568 pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
5569 nk->port[pd->didx], 0, pd->af, pd->naf);
5570 pd->dport = &th->th_dport;
5571 pd->ndport = th->th_dport;
5572 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5577 bproto_sum = pd->hdr.udp.uh_sum;
5579 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) ||
5580 nk->port[pd->sidx] != pd->nsport) {
5581 pf_change_ap(pd->m, pd->src,
5582 &pd->hdr.udp.uh_sport,
5583 pd->ip_sum, &pd->hdr.udp.uh_sum,
5584 &nk->addr[pd->sidx],
5585 nk->port[pd->sidx], 1, pd->af, pd->naf);
5586 pd->sport = &pd->hdr.udp.uh_sport;
5587 pd->nsport = pd->hdr.udp.uh_sport;
5588 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5591 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) ||
5592 nk->port[pd->didx] != pd->ndport) {
5593 pf_change_ap(pd->m, pd->dst,
5594 &pd->hdr.udp.uh_dport,
5595 pd->ip_sum, &pd->hdr.udp.uh_sum,
5596 &nk->addr[pd->didx],
5597 nk->port[pd->didx], 1, pd->af, pd->naf);
5598 pd->dport = &pd->hdr.udp.uh_dport;
5599 pd->ndport = pd->hdr.udp.uh_dport;
5600 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5607 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) ||
5608 nk->port[pd->sidx] != pd->nsport) {
5609 pf_change_ap(pd->m, pd->src,
5610 &pd->hdr.sctp.src_port, pd->ip_sum, &checksum,
5611 &nk->addr[pd->sidx],
5612 nk->port[pd->sidx], 1, pd->af, pd->naf);
5613 pd->sport = &pd->hdr.sctp.src_port;
5614 pd->nsport = pd->hdr.sctp.src_port;
5615 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5617 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) ||
5618 nk->port[pd->didx] != pd->ndport) {
5619 pf_change_ap(pd->m, pd->dst,
5620 &pd->hdr.sctp.dest_port, pd->ip_sum, &checksum,
5621 &nk->addr[pd->didx],
5622 nk->port[pd->didx], 1, pd->af, pd->naf);
5623 pd->dport = &pd->hdr.sctp.dest_port;
5624 pd->ndport = pd->hdr.sctp.dest_port;
5625 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5631 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET)) {
5632 pf_change_a(&pd->src->v4.s_addr, pd->ip_sum,
5633 nk->addr[pd->sidx].v4.s_addr, 0);
5634 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5637 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET)) {
5638 pf_change_a(&pd->dst->v4.s_addr, pd->ip_sum,
5639 nk->addr[pd->didx].v4.s_addr, 0);
5640 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5644 nk->port[pd->sidx] != pd->hdr.icmp.icmp_id) {
5645 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup(
5646 pd->hdr.icmp.icmp_cksum, pd->nsport,
5647 nk->port[pd->sidx], 0);
5648 pd->hdr.icmp.icmp_id = nk->port[pd->sidx];
5649 pd->sport = &pd->hdr.icmp.icmp_id;
5651 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
5656 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET6)) {
5657 pf_change_a6(pd->src, &pd->hdr.icmp6.icmp6_cksum,
5658 &nk->addr[pd->sidx], 0);
5659 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5662 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET6)) {
5663 pf_change_a6(pd->dst, &pd->hdr.icmp6.icmp6_cksum,
5664 &nk->addr[pd->didx], 0);
5665 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5671 switch (pd->af) {
5674 if (PF_ANEQ(&pd->nsaddr,
5675 &nk->addr[pd->sidx], AF_INET)) {
5676 pf_change_a(&pd->src->v4.s_addr,
5677 pd->ip_sum,
5678 nk->addr[pd->sidx].v4.s_addr, 0);
5679 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5682 if (PF_ANEQ(&pd->ndaddr,
5683 &nk->addr[pd->didx], AF_INET)) {
5684 pf_change_a(&pd->dst->v4.s_addr,
5685 pd->ip_sum,
5686 nk->addr[pd->didx].v4.s_addr, 0);
5687 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5693 if (PF_ANEQ(&pd->nsaddr,
5694 &nk->addr[pd->sidx], AF_INET6)) {
5695 PF_ACPY(&pd->nsaddr, &nk->addr[pd->sidx], pd->af);
5696 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
5699 if (PF_ANEQ(&pd->ndaddr,
5700 &nk->addr[pd->didx], AF_INET6)) {
5701 PF_ACPY(&pd->ndaddr, &nk->addr[pd->didx], pd->af);
5702 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
5714 if (pd->related_rule) {
5715 *rm = pd->related_rule;
5719 PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot,
5721 PF_TEST_ATTRIB(r->direction && r->direction != pd->dir,
5723 PF_TEST_ATTRIB(r->af && r->af != pd->af,
5725 PF_TEST_ATTRIB(r->proto && r->proto != pd->proto,
5727 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, pd->naf,
5728 r->src.neg, pd->kif, M_GETFIB(pd->m)),
5730 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, pd->af,
5731 r->dst.neg, NULL, M_GETFIB(pd->m)),
5733 switch (pd->virtual_proto) {
5738 PF_TEST_ATTRIB((pd->proto == IPPROTO_TCP && r->flagset),
5756 r->src.port[0], r->src.port[1], pd->nsport),
5760 r->dst.port[0], r->dst.port[1], pd->ndport),
5763 PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done =
5764 pf_socket_lookup(pd), 1)) &&
5766 pd->lookup.uid),
5769 PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done =
5770 pf_socket_lookup(pd), 1)) &&
5772 pd->lookup.gid),
5789 PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos),
5792 !pf_match_ieee8021q_pcp(r->prio, pd->m),
5797 PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag,
5798 pd->pf_mtag ? pd->pf_mtag->tag : 0),
5800 PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r),
5803 pd->virtual_proto != PF_VPROTO_FRAGMENT),
5806 (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match(
5807 pf_osfp_fingerprint(pd, th),
5823 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
5824 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
5826 pf_rule_to_actions(r, &pd->act);
5828 pd->naf = r->naf;
5829 if (pd->af != pd->naf) {
5830 if (pf_get_transaddr_af(r, pd) == -1) {
5835 if (r->log || pd->act.log & PF_LOG_MATCHES)
5837 a, ruleset, pd, 1);
5843 if (pd->act.log & PF_LOG_MATCHES)
5845 a, ruleset, pd, 1);
5866 pf_rule_to_actions(r, &pd->act);
5868 pd->naf = r->naf;
5869 if (pd->af != pd->naf) {
5870 if (pf_get_transaddr_af(r, pd) == -1) {
5876 if (r->log || pd->act.log & PF_LOG_MATCHES) {
5878 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
5879 PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1);
5882 if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
5887 pf_return(r, nr, pd, sk, th, bproto_sum,
5894 if (tag > 0 && pf_tag_packet(pd, tag)) {
5898 if (pd->act.rtableid >= 0)
5899 M_SETFIB(pd->m, pd->act.rtableid);
5914 pd->act.rt = r->rt;
5916 reason = pf_map_addr_sn(pd->af, r, pd->src, &pd->act.rt_addr,
5917 &pd->act.rt_kif, NULL, &sn, &snh, pool);
5922 if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
5924 (pd->flags & PFDESC_TCP_NORM)))) {
5928 action = pf_create_state(r, nr, a, pd, nk, sk,
5933 pd->act.log |= PF_LOG_FORCE;
5936 pf_return(r, nr, pd, sk, th,
5938 pd->act.rtableid);
5942 nat64 = pd->af != pd->naf;
5948 sk = (*sm)->key[pd->dir == PF_IN ? PF_SK_STACK : PF_SK_WIRE];
5950 nk = (*sm)->key[pd->dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK];
5951 if (pd->dir == PF_IN)
5956 ret = pf_translate(pd,
5957 &_sk->addr[pd->didx],
5958 _sk->port[pd->didx],
5959 &_sk->addr[pd->sidx],
5960 _sk->port[pd->sidx],
5980 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
5983 pd->dir == PF_OUT &&
5984 V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m))
6013 struct pf_pdesc *pd, struct pf_state_key *nk, struct pf_state_key *sk,
6023 struct tcphdr *th = &pd->hdr.tcp;
6038 (sn_reason = pf_insert_src_node(&sn, &snh, r, pd->src, pd->af,
6039 &pd->act.rt_addr, pd->act.rt_kif)) != 0) {
6045 (sn_reason = pf_insert_src_node(&nsn, &nsnh, nr, &sk->addr[pd->sidx],
6046 pd->af, &nk->addr[1], NULL)) != 0 ) {
6059 memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions));
6066 if (pd->flags & PFDESC_TCP_NORM) /* Set by old-style scrub rules */
6072 s->act.log = pd->act.log & PF_LOG_ALL;
6074 s->state_flags |= pd->act.flags; /* Only needed for pfsync and state export */
6078 switch (pd->proto) {
6081 s->src.seqhi = s->src.seqlo + pd->p_len + 1;
6085 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
6088 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum,
6095 s->src.wscale = pf_get_wscale(pd);
6138 if (pd->proto == IPPROTO_TCP) {
6140 pf_normalize_tcp_init(pd, th, &s->src, &s->dst)) {
6145 pf_normalize_tcp_stateful(pd, &reason, th, s,
6153 } else if (pd->proto == IPPROTO_SCTP) {
6154 if (pf_normalize_sctp_init(pd, &s->src, &s->dst))
6156 if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP)))
6159 s->direction = pd->dir;
6167 MPASS(pd->sport == NULL || (pd->osport == *pd->sport));
6168 MPASS(pd->dport == NULL || (pd->odport == *pd->dport));
6169 if (pf_state_key_setup(pd, pd->nsport, pd->ndport, &sk, &nk)) {
6177 if (pf_state_insert(BOUND_IFACE(s, pd), pd->kif,
6178 (pd->dir == PF_IN) ? sk : nk,
6179 (pd->dir == PF_IN) ? nk : sk, s)) {
6199 if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) ==
6205 if (pd->dir == PF_OUT)
6207 PF_ACPY(pd->src, &skt->addr[pd->sidx], pd->af);
6208 PF_ACPY(pd->dst, &skt->addr[pd->didx], pd->af);
6209 if (pd->sport)
6210 *pd->sport = skt->port[pd->sidx];
6211 if (pd->dport)
6212 *pd->dport = skt->port[pd->didx];
6213 if (pd->ip_sum)
6214 *pd->ip_sum = bip_sum;
6215 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
6219 int rtid = M_GETFIB(pd->m);
6220 mss = pf_get_mss(pd);
6221 mss = pf_calc_mss(pd->src, pd->af, rtid, mss);
6222 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss);
6224 pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport,
6227 pd->act.rtableid);
6277 pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport,
6292 int afto = pd->af != pd->naf;
6296 switch (pd->proto) {
6298 if (afto || *pd->sport != sport) {
6299 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.tcp.th_sum,
6300 saddr, sport, 0, pd->af, pd->naf);
6303 if (afto || *pd->dport != dport) {
6304 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.tcp.th_sum,
6305 daddr, dport, 0, pd->af, pd->naf);
6311 if (afto || *pd->sport != sport) {
6312 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.udp.uh_sum,
6313 saddr, sport, 1, pd->af, pd->naf);
6316 if (afto || *pd->dport != dport) {
6317 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.udp.uh_sum,
6318 daddr, dport, 1, pd->af, pd->naf);
6325 if (afto || *pd->sport != sport) {
6326 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &checksum,
6327 saddr, sport, 1, pd->af, pd->naf);
6330 if (afto || *pd->dport != dport) {
6331 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &checksum,
6332 daddr, dport, 1, pd->af, pd->naf);
6341 if (pd->af != AF_INET)
6345 if (pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp))
6347 pd->proto = IPPROTO_ICMPV6;
6353 if (icmpid != pd->hdr.icmp.icmp_id) {
6354 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup(
6355 pd->hdr.icmp.icmp_cksum,
6356 pd->hdr.icmp.icmp_id, icmpid, 0);
6357 pd->hdr.icmp.icmp_id = icmpid;
6368 if (pd->af != AF_INET6)
6373 if (pf_translate_icmp_af(AF_INET, &pd->hdr.icmp6))
6375 pd->proto = IPPROTO_ICMP;
6389 pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
6392 struct tcphdr *th = &pd->hdr.tcp;
6399 if (pd->dir == (*state)->direction) {
6400 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
6410 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
6439 if (pf_normalize_tcp_init(pd, th, src, dst)) {
6451 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq +
6453 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0);
6459 end = seq + pd->p_len;
6463 src->wscale = pf_get_wscale(pd);
6504 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq +
6506 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0);
6509 end = seq + pd->p_len;
6552 if (pf_modulate_sack(pd, th, dst))
6570 if (pf_normalize_tcp_stateful(pd, reason, th,
6663 pd->p_len, ackskew, (unsigned long long)(*state)->packets[0],
6665 pd->dir == PF_IN ? "in" : "out",
6666 pd->dir == (*state)->direction ? "fwd" : "rev");
6670 if (pf_normalize_tcp_stateful(pd, reason, th,
6703 pf_send_tcp((*state)->rule, pd->af,
6704 pd->dst, pd->src, th->th_dport,
6718 seq, orig_seq, ack, pd->p_len, ackskew,
6721 pd->dir == PF_IN ? "in" : "out",
6722 pd->dir == (*state)->direction ? "fwd" : "rev");
6740 pf_tcp_track_sloppy(struct pf_kstate **state, struct pf_pdesc *pd, u_short *reason)
6742 struct tcphdr *th = &pd->hdr.tcp;
6746 if (pd->dir == (*state)->direction) {
6826 pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
6828 struct pf_state_key *sk = (*state)->key[pd->didx];
6829 struct tcphdr *th = &pd->hdr.tcp;
6832 if (pd->dir != (*state)->direction) {
6841 pf_send_tcp((*state)->rule, pd->af, pd->dst,
6842 pd->src, th->th_dport, th->th_sport,
6862 if (pd->dir == (*state)->direction) {
6872 pf_send_tcp((*state)->rule, pd->af,
6873 &sk->addr[pd->sidx], &sk->addr[pd->didx],
6874 sk->port[pd->sidx], sk->port[pd->didx],
6889 pf_send_tcp((*state)->rule, pd->af, pd->dst,
6890 pd->src, th->th_dport, th->th_sport,
6894 pf_send_tcp((*state)->rule, pd->af,
6895 &sk->addr[pd->sidx], &sk->addr[pd->didx],
6896 sk->port[pd->sidx], sk->port[pd->didx],
6920 pf_test_state_tcp(struct pf_kstate **state, struct pf_pdesc *pd,
6924 struct tcphdr *th = &pd->hdr.tcp;
6930 key.af = pd->af;
6932 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
6933 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
6934 key.port[pd->sidx] = th->th_sport;
6935 key.port[pd->didx] = th->th_dport;
6937 STATE_LOOKUP(&key, *state, pd);
6939 if (pd->dir == (*state)->direction) {
6947 if ((action = pf_synproxy(pd, state, reason)) != PF_PASS)
6954 pf_syncookie_check(pd) && pd->dir == PF_IN))) {
6969 if (pf_tcp_track_sloppy(state, pd, reason) == PF_DROP)
6974 ret = pf_tcp_track_full(state, pd, reason,
6985 if (PF_REVERSED_KEY((*state)->key, pd->af))
6986 nk = (*state)->key[pd->sidx];
6988 nk = (*state)->key[pd->didx];
6990 afto = pd->af != nk->af;
6991 sidx = afto ? pd->didx : pd->sidx;
6992 didx = afto ? pd->sidx : pd->didx;
6994 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) ||
6996 pf_change_ap(pd->m, pd->src, &th->th_sport,
6997 pd->ip_sum, &th->th_sum, &nk->addr[sidx],
6998 nk->port[sidx], 0, pd->af, nk->af);
7000 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) ||
7002 pf_change_ap(pd->m, pd->dst, &th->th_dport,
7003 pd->ip_sum, &th->th_sum, &nk->addr[didx],
7004 nk->port[didx], 0, pd->af, nk->af);
7007 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7008 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7009 pd->naf = nk->af;
7018 m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th);
7024 pf_test_state_udp(struct pf_kstate **state, struct pf_pdesc *pd)
7028 struct udphdr *uh = &pd->hdr.udp;
7033 key.af = pd->af;
7035 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
7036 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
7037 key.port[pd->sidx] = uh->uh_sport;
7038 key.port[pd->didx] = uh->uh_dport;
7040 STATE_LOOKUP(&key, *state, pd);
7042 if (pd->dir == (*state)->direction) {
7072 if (PF_REVERSED_KEY((*state)->key, pd->af))
7073 nk = (*state)->key[pd->sidx];
7075 nk = (*state)->key[pd->didx];
7077 afto = pd->af != nk->af;
7078 sidx = afto ? pd->didx : pd->sidx;
7079 didx = afto ? pd->sidx : pd->didx;
7081 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) ||
7083 pf_change_ap(pd->m, pd->src, &uh->uh_sport, pd->ip_sum,
7084 &uh->uh_sum, &nk->addr[pd->sidx],
7085 nk->port[sidx], 1, pd->af, nk->af);
7087 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) ||
7089 pf_change_ap(pd->m, pd->dst, &uh->uh_dport, pd->ip_sum,
7090 &uh->uh_sum, &nk->addr[pd->didx],
7091 nk->port[didx], 1, pd->af, nk->af);
7094 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7095 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7096 pd->naf = nk->af;
7100 m_copyback(pd->m, pd->off, sizeof(*uh), (caddr_t)uh);
7107 pf_sctp_track(struct pf_kstate *state, struct pf_pdesc *pd,
7111 if (pd->dir == state->direction) {
7112 if (PF_REVERSED_KEY(state->key, pd->af))
7117 if (PF_REVERSED_KEY(state->key, pd->af))
7125 src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
7126 else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
7134 pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd,
7139 struct sctphdr *sh = &pd->hdr.sctp;
7143 key.af = pd->af;
7145 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
7146 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
7147 key.port[pd->sidx] = sh->src_port;
7148 key.port[pd->didx] = sh->dest_port;
7150 STATE_LOOKUP(&key, *state, pd);
7152 if (pd->dir == (*state)->direction) {
7164 pd->sctp_flags & PFDESC_SCTP_INIT) {
7171 if (pf_sctp_track(*state, pd, reason) != PF_PASS)
7175 if (pd->sctp_flags & PFDESC_SCTP_INIT) {
7181 if (pd->sctp_flags & PFDESC_SCTP_INIT_ACK) {
7184 dst->scrub->pfss_v_tag = pd->sctp_initiate_tag;
7194 (*state)->kif = pd->kif;
7196 if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) {
7202 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN |
7209 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE | PFDESC_SCTP_ABORT)) {
7222 if (PF_REVERSED_KEY((*state)->key, pd->af))
7223 nk = (*state)->key[pd->sidx];
7225 nk = (*state)->key[pd->didx];
7227 afto = pd->af != nk->af;
7228 sidx = afto ? pd->didx : pd->sidx;
7229 didx = afto ? pd->sidx : pd->didx;
7231 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) ||
7232 nk->port[sidx] != pd->hdr.sctp.src_port) {
7233 pf_change_ap(pd->m, pd->src, &pd->hdr.sctp.src_port,
7234 pd->ip_sum, &checksum, &nk->addr[sidx],
7235 nk->port[sidx], 1, pd->af, pd->naf);
7238 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) ||
7239 nk->port[didx] != pd->hdr.sctp.dest_port) {
7240 pf_change_ap(pd->m, pd->dst, &pd->hdr.sctp.dest_port,
7241 pd->ip_sum, &checksum, &nk->addr[didx],
7242 nk->port[didx], 1, pd->af, pd->naf);
7246 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7247 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7248 pd->naf = nk->af;
7316 pf_sctp_multihome_add_addr(struct pf_pdesc *pd, struct pf_addr *a, uint32_t v_tag)
7342 if (pf_addr_cmp(&i->addr, a, pd->af) == 0) {
7354 i->af = pd->af;
7363 pf_sctp_multihome_delayed(struct pf_pdesc *pd, struct pfi_kkif *kif,
7378 TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) {
7383 MPASS(! (pd->sctp_flags & PFDESC_SCTP_ADD_IP));
7387 uint32_t v_tag = pd->sctp_initiate_tag;
7390 if (s->direction == pd->dir)
7402 if (pf_addr_cmp(&j->src, pd->src, pd->af) == 0) {
7406 j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP;
7410 j->pd.related_rule = s->rule;
7413 &j->pd, &ra, &rs, NULL);
7415 SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->pd.m, ret);
7432 pf_sctp_multihome_add_addr(pd, &j->src, v_tag);
7442 .v_tag = pd->hdr.sctp.v_tag,
7458 if (i->af != pd->af)
7465 memcpy(&nj->pd, &j->pd, sizeof(j->pd));
7467 nj->pd.src = &nj->src;
7470 nj->pd.dst = &nj->dst;
7471 nj->pd.m = j->pd.m;
7474 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, nj, next);
7485 key.af = j->pd.af;
7487 if (j->pd.dir == PF_IN) { /* wire side, straight */
7488 PF_ACPY(&key.addr[0], j->pd.src, key.af);
7489 PF_ACPY(&key.addr[1], j->pd.dst, key.af);
7490 key.port[0] = j->pd.hdr.sctp.src_port;
7491 key.port[1] = j->pd.hdr.sctp.dest_port;
7493 PF_ACPY(&key.addr[1], j->pd.src, key.af);
7494 PF_ACPY(&key.addr[0], j->pd.dst, key.af);
7495 key.port[1] = j->pd.hdr.sctp.src_port;
7496 key.port[0] = j->pd.hdr.sctp.dest_port;
7499 sm = pf_find_state(kif, &key, j->pd.dir);
7502 if (j->pd.dir == sm->direction) {
7518 TAILQ_REMOVE(&pd->sctp_multihome_jobs, j, next);
7523 if (! TAILQ_EMPTY(&pd->sctp_multihome_jobs)) {
7530 pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op)
7535 SDT_PROBE4(pf, sctp, multihome_scan, entry, start, len, pd, op);
7540 if (!pf_pull_hdr(pd->m, start + off, &h, sizeof(h), NULL, NULL,
7541 pd->af))
7559 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t),
7560 NULL, NULL, pd->af))
7564 t.s_addr = pd->src->v4.s_addr;
7582 memcpy(&job->pd, pd, sizeof(*pd));
7586 job->pd.src = &job->src;
7587 memcpy(&job->dst, pd->dst, sizeof(job->dst));
7588 job->pd.dst = &job->dst;
7589 job->pd.m = pd->m;
7592 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next);
7603 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t),
7604 NULL, NULL, pd->af))
7606 if (memcmp(&t, &pd->src->v6, sizeof(t)) == 0)
7609 memcpy(&t, &pd->src->v6, sizeof(t));
7617 memcpy(&job->pd, pd, sizeof(*pd));
7619 job->pd.src = &job->src;
7620 memcpy(&job->dst, pd->dst, sizeof(job->dst));
7621 job->pd.dst = &job->dst;
7622 job->pd.m = pd->m;
7625 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next);
7633 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
7634 NULL, NULL, pd->af))
7638 ntohs(ah.ph.param_length) - sizeof(ah), pd,
7648 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
7649 NULL, NULL, pd->af))
7652 ntohs(ah.ph.param_length) - sizeof(ah), pd,
7669 pf_multihome_scan_init(int start, int len, struct pf_pdesc *pd)
7674 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS));
7678 pf_multihome_scan_asconf(int start, int len, struct pf_pdesc *pd)
7683 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS));
7687 pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
7692 key->af = pd->af;
7693 key->proto = pd->proto;
7695 *iidx = pd->sidx;
7696 key->port[pd->sidx] = icmpid;
7697 key->port[pd->didx] = type;
7699 *iidx = pd->didx;
7700 key->port[pd->sidx] = type;
7701 key->port[pd->didx] = icmpid;
7703 if (pf_state_key_addr_setup(pd, key, multi))
7706 STATE_LOOKUP(key, *state, pd);
7713 direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ?
7718 (((!inner && direction == pd->dir) ||
7719 (inner && direction != pd->dir)) ?
7735 pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
7738 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
7750 switch (pd->proto) {
7753 icmptype = pd->hdr.icmp.icmp_type;
7754 icmpcode = pd->hdr.icmp.icmp_code;
7755 icmpid = pd->hdr.icmp.icmp_id;
7756 icmpsum = &pd->hdr.icmp.icmp_cksum;
7761 icmptype = pd->hdr.icmp6.icmp6_type;
7762 icmpcode = pd->hdr.icmp6.icmp6_code;
7764 icmpid = pd->hdr.icmp6.icmp6_id;
7766 icmpsum = &pd->hdr.icmp6.icmp6_cksum;
7771 if (pf_icmp_mapping(pd, icmptype, &icmp_dir, &multi,
7777 ret = pf_icmp_state_lookup(&key, pd, state, pd->dir,
7782 if (ret == PF_DROP && pd->af == AF_INET6 &&
7784 ret = pf_icmp_state_lookup(&key, pd, state,
7785 pd->dir, virtual_id, virtual_type,
7803 if (PF_REVERSED_KEY((*state)->key, pd->af))
7804 nk = (*state)->key[pd->sidx];
7806 nk = (*state)->key[pd->didx];
7808 afto = pd->af != nk->af;
7809 sidx = afto ? pd->didx : pd->sidx;
7810 didx = afto ? pd->sidx : pd->didx;
7813 switch (pd->af) {
7819 &pd->hdr.icmp))
7821 pd->proto = IPPROTO_ICMPV6;
7825 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET))
7827 pd->ip_sum,
7831 if (!afto && PF_ANEQ(pd->dst,
7834 pd->ip_sum,
7838 pd->hdr.icmp.icmp_id) {
7839 pd->hdr.icmp.icmp_cksum =
7841 pd->hdr.icmp.icmp_cksum, icmpid,
7843 pd->hdr.icmp.icmp_id =
7847 m_copyback(pd->m, pd->off, ICMP_MINLEN,
7848 (caddr_t )&pd->hdr.icmp);
7856 &pd->hdr.icmp6))
7858 pd->proto = IPPROTO_ICMP;
7862 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET6))
7864 &pd->hdr.icmp6.icmp6_cksum,
7867 if (!afto && PF_ANEQ(pd->dst,
7870 &pd->hdr.icmp6.icmp6_cksum,
7873 if (nk->port[iidx] != pd->hdr.icmp6.icmp6_id)
7874 pd->hdr.icmp6.icmp6_id =
7877 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr),
7878 (caddr_t )&pd->hdr.icmp6);
7883 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7884 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7885 pd->naf = nk->af;
7907 pd2.af = pd->af;
7908 pd2.dir = pd->dir;
7910 pd2.sidx = (pd->dir == PF_IN) ? 1 : 0;
7911 pd2.didx = (pd->dir == PF_IN) ? 0 : 1;
7912 pd2.m = pd->m;
7913 switch (pd->af) {
7917 ipoff2 = pd->off + ICMP_MINLEN;
7919 if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2),
7946 ipoff2 = pd->off + sizeof(struct icmp6_hdr);
7948 if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6),
7966 if (PF_ANEQ(pd->dst, pd2.src, pd->af)) {
7970 pf_print_host(pd->src, 0, pd->af);
7972 pf_print_host(pd->dst, 0, pd->af);
7996 if (!pf_pull_hdr(pd->m, pd2.off, &th, 8, NULL, reason,
8011 STATE_LOOKUP(&key, *state, pd);
8013 if (pd->dir == (*state)->direction) {
8014 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
8022 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
8050 pf_print_host(pd->src, 0, pd->af);
8052 pf_print_host(pd->dst, 0, pd->af);
8063 pf_print_host(pd->src, 0, pd->af);
8065 pf_print_host(pd->dst, 0, pd->af);
8078 if (PF_REVERSED_KEY((*state)->key, pd->af))
8079 nk = (*state)->key[pd->sidx];
8081 nk = (*state)->key[pd->didx];
8086 afto = pd->af != nk->af;
8092 &pd->hdr.icmp))
8094 m_copyback(pd->m, pd->off,
8096 (c_caddr_t)&pd->hdr.icmp6);
8097 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8099 &nk->addr[didx], pd->af,
8103 pd->proto = IPPROTO_ICMP;
8105 pd->proto = IPPROTO_ICMPV6;
8109 PF_ACPY(pd->src,
8111 PF_ACPY(pd->dst,
8113 pd->naf = nk->af;
8125 pd->ip_sum, 0, pd2.af);
8134 pd->ip_sum, 0, pd2.af);
8142 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8143 (caddr_t )&pd->hdr.icmp);
8144 m_copyback(pd->m, ipoff2, sizeof(h2),
8150 m_copyback(pd->m, pd->off,
8152 (caddr_t )&pd->hdr.icmp6);
8153 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8158 m_copyback(pd->m, pd2.off, 8, (caddr_t)&th);
8167 if (!pf_pull_hdr(pd->m, pd2.off, &uh, sizeof(uh),
8182 STATE_LOOKUP(&key, *state, pd);
8189 if (PF_REVERSED_KEY((*state)->key, pd->af))
8190 nk = (*state)->key[pd->sidx];
8192 nk = (*state)->key[pd->didx];
8197 afto = pd->af != nk->af;
8203 &pd->hdr.icmp))
8205 m_copyback(pd->m, pd->off,
8207 (c_caddr_t)&pd->hdr.icmp6);
8208 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8210 &nk->addr[didx], pd->af,
8214 pd->proto = IPPROTO_ICMP;
8216 pd->proto = IPPROTO_ICMPV6;
8217 pf_change_ap(pd->m, pd2.src, &uh.uh_sport,
8218 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.sidx],
8219 nk->port[sidx], 1, pd->af, nk->af);
8220 pf_change_ap(pd->m, pd2.dst, &uh.uh_dport,
8221 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.didx],
8222 nk->port[didx], 1, pd->af, nk->af);
8225 PF_ACPY(&pd->nsaddr,
8227 PF_ACPY(&pd->ndaddr,
8229 pd->naf = nk->af;
8241 pd->ip_sum, 1, pd2.af);
8250 pd->ip_sum, 1, pd2.af);
8255 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8256 (caddr_t )&pd->hdr.icmp);
8257 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
8262 m_copyback(pd->m, pd->off,
8264 (caddr_t )&pd->hdr.icmp6);
8265 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8270 m_copyback(pd->m, pd2.off, sizeof(uh), (caddr_t)&uh);
8281 if (! pf_pull_hdr(pd->m, pd2.off, &sh, sizeof(sh), NULL, reason,
8296 STATE_LOOKUP(&key, *state, pd);
8298 if (pd->dir == (*state)->direction) {
8299 if (PF_REVERSED_KEY((*state)->key, pd->af))
8304 if (PF_REVERSED_KEY((*state)->key, pd->af))
8323 if (PF_REVERSED_KEY((*state)->key, pd->af))
8324 nk = (*state)->key[pd->sidx];
8326 nk = (*state)->key[pd->didx];
8331 afto = pd->af != nk->af;
8337 &pd->hdr.icmp))
8339 m_copyback(pd->m, pd->off,
8341 (c_caddr_t)&pd->hdr.icmp6);
8342 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8344 &nk->addr[didx], pd->af,
8348 pd->proto = IPPROTO_ICMP;
8350 pd->proto = IPPROTO_ICMPV6;
8354 PF_ACPY(pd->src,
8356 PF_ACPY(pd->dst,
8358 pd->naf = nk->af;
8370 pd->ip_sum, 0, pd2.af);
8379 pd->ip_sum, 0, pd2.af);
8387 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8388 (caddr_t )&pd->hdr.icmp);
8389 m_copyback(pd->m, ipoff2, sizeof(h2),
8395 m_copyback(pd->m, pd->off,
8397 (caddr_t )&pd->hdr.icmp6);
8398 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8403 m_copyback(pd->m, pd2.off, sizeof(sh), (caddr_t)&sh);
8417 if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN,
8442 if (PF_REVERSED_KEY((*state)->key, pd->af))
8443 nk = (*state)->key[pd->sidx];
8445 nk = (*state)->key[pd->didx];
8450 afto = pd->af != nk->af;
8459 &pd->hdr.icmp))
8461 m_copyback(pd->m, pd->off,
8463 (c_caddr_t)&pd->hdr.icmp6);
8464 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8466 &nk->addr[didx], pd->af,
8469 pd->proto = IPPROTO_ICMPV6;
8477 PF_ACPY(&pd->nsaddr,
8479 PF_ACPY(&pd->ndaddr,
8481 pd->naf = nk->af;
8497 pd->ip_sum, 0, AF_INET);
8503 pd2.ip_sum, icmpsum, pd->ip_sum, 0,
8506 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
8507 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
8508 m_copyback(pd->m, pd2.off, ICMP_MINLEN, (caddr_t)iih);
8523 if (!pf_pull_hdr(pd->m, pd2.off, iih,
8535 pd->dir, virtual_id, virtual_type,
8542 state, pd->dir,
8558 if (PF_REVERSED_KEY((*state)->key, pd->af))
8559 nk = (*state)->key[pd->sidx];
8561 nk = (*state)->key[pd->didx];
8566 afto = pd->af != nk->af;
8575 &pd->hdr.icmp))
8577 m_copyback(pd->m, pd->off,
8579 (c_caddr_t)&pd->hdr.icmp6);
8580 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8582 &nk->addr[didx], pd->af,
8585 pd->proto = IPPROTO_ICMP;
8594 PF_ACPY(&pd->nsaddr,
8596 PF_ACPY(&pd->ndaddr,
8598 pd->naf = nk->af;
8614 pd->ip_sum, 0, AF_INET6);
8621 pd->ip_sum, 0, AF_INET6);
8623 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr),
8624 (caddr_t)&pd->hdr.icmp6);
8625 m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
8626 m_copyback(pd->m, pd2.off, sizeof(struct icmp6_hdr),
8640 STATE_LOOKUP(&key, *state, pd);
8646 (*state)->key[pd->didx];
8653 pd->ip_sum, 0, pd2.af);
8660 pd->ip_sum, 0, pd2.af);
8665 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8666 (caddr_t)&pd->hdr.icmp);
8667 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
8672 m_copyback(pd->m, pd->off,
8674 (caddr_t )&pd->hdr.icmp6);
8675 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8689 pf_test_state_other(struct pf_kstate **state, struct pf_pdesc *pd)
8697 key.af = pd->af;
8698 key.proto = pd->proto;
8699 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
8700 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
8703 STATE_LOOKUP(&key, *state, pd);
8705 if (pd->dir == (*state)->direction) {
8735 if (PF_REVERSED_KEY((*state)->key, pd->af))
8736 nk = (*state)->key[pd->sidx];
8738 nk = (*state)->key[pd->didx];
8741 KASSERT(pd, ("%s: pd is null", __func__));
8742 KASSERT(pd->src, ("%s: pd->src is null", __func__));
8743 KASSERT(pd->dst, ("%s: pd->dst is null", __func__));
8745 afto = pd->af != nk->af;
8747 switch (pd->af) {
8751 PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET))
8752 pf_change_a(&pd->src->v4.s_addr,
8753 pd->ip_sum,
8754 nk->addr[pd->sidx].v4.s_addr,
8758 PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET))
8759 pf_change_a(&pd->dst->v4.s_addr,
8760 pd->ip_sum,
8761 nk->addr[pd->didx].v4.s_addr,
8769 PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET6))
8770 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
8773 PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET6))
8774 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
8778 PF_ACPY(&pd->nsaddr,
8779 &nk->addr[afto ? pd->didx : pd->sidx], nk->af);
8780 PF_ACPY(&pd->ndaddr,
8781 &nk->addr[afto ? pd->sidx : pd->didx], nk->af);
8782 pd->naf = nk->af;
8884 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
8898 SDT_PROBE4(pf, ip, route_to, entry, *m, pd, s, oifp);
8906 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
8910 if ((pd->pf_mtag == NULL &&
8911 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
8912 pd->pf_mtag->routed++ > 3) {
8919 if (pd->act.rt_kif != NULL)
8920 ifp = pd->act.rt_kif->pfik_ifp;
8922 if (pd->act.rt == PF_DUPTO) {
8923 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) {
8937 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED;
8945 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) {
8946 if (pd->af == pd->naf) {
8947 pf_dummynet(pd, s, r, m);
8960 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp &&
8961 pd->af != pd->naf) {
8962 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET) {
8966 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET6) {
8980 dst.sin_addr.s_addr = pd->act.rt_addr.v4.s_addr;
8983 if (ifp == NULL && (pd->af != pd->naf)) {
9009 pd->act.rt == PF_REPLYTO &&
9011 s->kif = pd->act.rt_kif;
9025 if (pd->dir == PF_IN && !skip_test) {
9027 &pd->act) != PF_PASS) {
9060 if (pd->dir == PF_IN) {
9065 pd->dir = PF_OUT;
9076 tmp = pd->act.dnrpipe;
9077 pd->act.dnrpipe = pd->act.dnpipe;
9078 pd->act.dnpipe = tmp;
9095 error = pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
9107 if (pd->act.rt != PF_DUPTO) {
9109 PACKET_UNDO_NAT(m0, pd,
9135 pd->pf_mtag = pf_find_mtag(md);
9136 error = pf_dummynet_route(pd, s, r, ifp,
9151 if (pd->act.rt != PF_DUPTO)
9167 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
9179 SDT_PROBE4(pf, ip6, route_to, entry, *m, pd, s, oifp);
9187 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
9191 if ((pd->pf_mtag == NULL &&
9192 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
9193 pd->pf_mtag->routed++ > 3) {
9200 if (pd->act.rt_kif != NULL)
9201 ifp = pd->act.rt_kif->pfik_ifp;
9203 if (pd->act.rt == PF_DUPTO) {
9204 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) {
9218 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED;
9226 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) {
9227 if (pd->af == pd->naf) {
9228 pf_dummynet(pd, s, r, m);
9241 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp &&
9242 pd->af != pd->naf) {
9243 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET6) {
9247 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET) {
9261 PF_ACPY((struct pf_addr *)&dst.sin6_addr, &pd->act.rt_addr, AF_INET6);
9264 if (ifp == NULL && (pd->af != pd->naf)) {
9290 pd->act.rt == PF_REPLYTO &&
9292 s->kif = pd->act.rt_kif;
9299 if (pd->af != pd->naf) {
9300 struct udphdr *uh = &pd->hdr.udp;
9302 if (pd->proto == IPPROTO_UDP && uh->uh_sum == 0) {
9305 m_copyback(m0, pd->off, sizeof(*uh), pd->hdr.any);
9316 if (pd->dir == PF_IN && !skip_test) {
9318 ifp, &m0, inp, &pd->act) != PF_PASS) {
9345 if (pd->dir == PF_IN) {
9351 pd->dir = PF_OUT;
9362 tmp = pd->act.dnrpipe;
9363 pd->act.dnrpipe = pd->act.dnpipe;
9364 pd->act.dnpipe = tmp;
9383 pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
9392 if (pd->act.rt != PF_DUPTO) {
9394 PACKET_UNDO_NAT(m0, pd,
9407 if (pd->act.rt != PF_DUPTO)
9552 pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r,
9562 dndir = pd->dir;
9565 if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED)
9570 if (pd->dport != NULL)
9571 dnflow->f_id.dst_port = ntohs(*pd->dport);
9572 if (pd->sport != NULL)
9573 dnflow->f_id.src_port = ntohs(*pd->sport);
9575 if (pd->dir == PF_IN)
9580 if (pd->dir != dndir && pd->act.dnrpipe) {
9581 dnflow->rule.info = pd->act.dnrpipe;
9583 else if (pd->dir == dndir && pd->act.dnpipe) {
9584 dnflow->rule.info = pd->act.dnpipe;
9591 if (r->free_flags & PFRULE_DN_IS_PIPE || pd->act.flags & PFSTATE_DN_IS_PIPE)
9594 dnflow->f_id.proto = pd->proto;
9596 switch (pd->naf) {
9599 dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr);
9600 dnflow->f_id.dst_ip = ntohl(pd->dst->v4.s_addr);
9605 dnflow->f_id.src_ip6 = pd->src->v6;
9606 dnflow->f_id.dst_ip6 = pd->dst->v6;
9666 pf_dummynet(struct pf_pdesc *pd, struct pf_kstate *s,
9669 return (pf_dummynet_route(pd, s, r, NULL, NULL, m0));
9673 pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s,
9681 if (pd->act.dnpipe == 0 && pd->act.dnrpipe == 0)
9690 if (pd->pf_mtag == NULL &&
9691 ((pd->pf_mtag = pf_get_mtag(*m0)) == NULL)) {
9698 pd->pf_mtag->flags |= PF_MTAG_FLAG_ROUTE_TO;
9700 pd->pf_mtag->if_index = ifp->if_index;
9701 pd->pf_mtag->if_idxgen = ifp->if_idxgen;
9705 switch (pd->naf) {
9707 memcpy(&pd->pf_mtag->dst, sa,
9711 memcpy(&pd->pf_mtag->dst, sa,
9721 (pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) ||
9723 (pd->af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd->dst->v6)))) {
9732 if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) {
9733 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
9734 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED;
9737 pd->pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO;
9738 pf_dummynet_flag_remove(*m0, pd->pf_mtag);
9747 pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h, int off, int end,
9754 if (!pf_pull_hdr(pd->m, off, &opt.ip6o_type,
9763 if (!pf_pull_hdr(pd->m, off, &opt, sizeof(opt), NULL,
9775 if (pd->jumbolen != 0) {
9785 if (!pf_pull_hdr(pd->m, off, &jumbo, sizeof(jumbo), NULL,
9790 memcpy(&pd->jumbolen, jumbo.ip6oj_jumbo_len,
9791 sizeof(pd->jumbolen));
9792 pd->jumbolen = ntohl(pd->jumbolen);
9793 if (pd->jumbolen < IPV6_MAXPACKET) {
9809 pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
9817 pd->off += sizeof(struct ip6_hdr);
9818 end = pd->off + ntohs(h->ip6_plen);
9819 pd->fragoff = pd->extoff = pd->jumbolen = 0;
9820 pd->proto = h->ip6_nxt;
9822 switch (pd->proto) {
9824 if (pd->fragoff != 0) {
9830 if (pd->jumbolen != 0) {
9835 if (!pf_pull_hdr(pd->m, pd->off, &frag, sizeof(frag),
9840 pd->fragoff = pd->off;
9844 pd->off += sizeof(frag);
9845 pd->proto = frag.ip6f_nxt;
9854 if (pd->fragoff != 0 && end < pd->off + sizeof(rthdr)) {
9855 pd->off = pd->fragoff;
9856 pd->proto = IPPROTO_FRAGMENT;
9859 if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr),
9873 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
9879 if (pd->fragoff != 0 && end < pd->off + sizeof(ext)) {
9880 pd->off = pd->fragoff;
9881 pd->proto = IPPROTO_FRAGMENT;
9885 if (pd->fragoff == 0)
9886 pd->extoff = pd->off;
9887 if (pd->proto == IPPROTO_HOPOPTS && pd->fragoff == 0) {
9888 if (pf_walk_option6(pd, h,
9889 pd->off + sizeof(ext),
9890 pd->off + (ext.ip6e_len + 1) * 8, reason)
9893 if (ntohs(h->ip6_plen) == 0 && pd->jumbolen != 0) {
9900 if (pd->proto == IPPROTO_AH)
9901 pd->off += (ext.ip6e_len + 2) * 4;
9903 pd->off += (ext.ip6e_len + 1) * 8;
9904 pd->proto = ext.ip6e_nxt;
9911 if (pd->fragoff != 0 && end < pd->off +
9912 (pd->proto == IPPROTO_TCP ? sizeof(struct tcphdr) :
9913 pd->proto == IPPROTO_UDP ? sizeof(struct udphdr) :
9914 pd->proto == IPPROTO_SCTP ? sizeof(struct sctphdr) :
9916 pd->off = pd->fragoff;
9917 pd->proto = IPPROTO_FRAGMENT;
9928 pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m)
9930 memset(pd, 0, sizeof(*pd));
9931 pd->pf_mtag = pf_find_mtag(m);
9932 pd->m = m;
9936 pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
9940 pd->dir = dir;
9941 pd->kif = kif;
9942 pd->m = *m0;
9943 pd->sidx = (dir == PF_IN) ? 0 : 1;
9944 pd->didx = (dir == PF_IN) ? 1 : 0;
9945 pd->af = pd->naf = af;
9947 TAILQ_INIT(&pd->sctp_multihome_jobs);
9949 memcpy(&pd->act, default_actions, sizeof(pd->act));
9951 if (pd->pf_mtag && pd->pf_mtag->dnpipe) {
9952 pd->act.dnpipe = pd->pf_mtag->dnpipe;
9953 pd->act.flags = pd->pf_mtag->dnflags;
9962 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) {
9970 if (pf_normalize_ip(reason, pd) != PF_PASS) {
9972 *m0 = pd->m;
9976 *m0 = pd->m;
9978 h = mtod(pd->m, struct ip *);
9979 pd->off = h->ip_hl << 2;
9980 if (pd->off < (int)sizeof(*h)) {
9985 pd->src = (struct pf_addr *)&h->ip_src;
9986 pd->dst = (struct pf_addr *)&h->ip_dst;
9987 pd->ip_sum = &h->ip_sum;
9988 pd->virtual_proto = pd->proto = h->ip_p;
9989 pd->tos = h->ip_tos & ~IPTOS_ECN_MASK;
9990 pd->ttl = h->ip_ttl;
9991 pd->tot_len = ntohs(h->ip_len);
9992 pd->act.rtableid = -1;
9995 pd->badopts++;
9998 pd->virtual_proto = PF_VPROTO_FRAGMENT;
10008 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) {
10017 h = mtod(pd->m, struct ip6_hdr *);
10018 pd->off = 0;
10019 if (pf_walk_header6(pd, h, reason) != PF_PASS) {
10024 h = mtod(pd->m, struct ip6_hdr *);
10025 pd->src = (struct pf_addr *)&h->ip6_src;
10026 pd->dst = (struct pf_addr *)&h->ip6_dst;
10027 pd->ip_sum = NULL;
10028 pd->tos = IPV6_DSCP(h);
10029 pd->ttl = h->ip6_hlim;
10030 pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
10031 pd->virtual_proto = pd->proto = h->ip6_nxt;
10032 pd->act.rtableid = -1;
10034 if (pd->fragoff != 0)
10035 pd->virtual_proto = PF_VPROTO_FRAGMENT;
10047 if (pf_normalize_ip6(pd->fragoff, reason, pd) !=
10049 *m0 = pd->m;
10053 *m0 = pd->m;
10054 if (pd->m == NULL) {
10061 h = mtod(pd->m, struct ip6_hdr *);
10062 pd->src = (struct pf_addr *)&h->ip6_src;
10063 pd->dst = (struct pf_addr *)&h->ip6_dst;
10065 pd->off = 0;
10067 if (pf_walk_header6(pd, h, reason) != PF_PASS) {
10072 if (m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL) != NULL) {
10077 pd->virtual_proto = pd->proto;
10078 MPASS(pd->fragoff == 0);
10081 if (pd->fragoff != 0)
10082 pd->virtual_proto = PF_VPROTO_FRAGMENT;
10091 switch (pd->virtual_proto) {
10093 struct tcphdr *th = &pd->hdr.tcp;
10095 if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th), action,
10101 pd->hdrlen = sizeof(*th);
10102 pd->p_len = pd->tot_len - pd->off - (th->th_off << 2);
10103 pd->sport = &th->th_sport;
10104 pd->dport = &th->th_dport;
10108 struct udphdr *uh = &pd->hdr.udp;
10110 if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh), action,
10116 pd->hdrlen = sizeof(*uh);
10118 ntohs(uh->uh_ulen) > pd->m->m_pkthdr.len - pd->off ||
10124 pd->sport = &uh->uh_sport;
10125 pd->dport = &uh->uh_dport;
10129 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp),
10135 pd->hdrlen = sizeof(pd->hdr.sctp);
10136 pd->p_len = pd->tot_len - pd->off;
10138 pd->sport = &pd->hdr.sctp.src_port;
10139 pd->dport = &pd->hdr.sctp.dest_port;
10140 if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) {
10145 if (pf_scan_sctp(pd) != PF_PASS) {
10153 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN,
10159 pd->hdrlen = ICMP_MINLEN;
10166 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
10173 switch (pd->hdr.icmp6.icmp6_type) {
10184 !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
10190 pd->hdrlen = icmp_hlen;
10199 pf_counters_inc(int action, struct pf_pdesc *pd,
10203 int dir = pd->dir;
10208 &pd->kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
10209 pd->tot_len);
10211 &pd->kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
10217 pf_counter_u64_add_protected(&r->bytes[dirndx], pd->tot_len);
10222 pf_counter_u64_add_protected(&a->bytes[dirndx], pd->tot_len);
10231 pd->tot_len);
10237 pd->tot_len);
10243 pd->tot_len);
10247 s->bytes[dirndx] += pd->tot_len;
10251 pf_counter_u64_add_protected(&ri->r->bytes[dirndx], pd->tot_len);
10262 (s == NULL) ? pd->src :
10265 pd->af, pd->tot_len, dir == PF_OUT,
10269 (s == NULL) ? pd->dst :
10272 pd->af, pd->tot_len, dir == PF_OUT,
10289 struct pf_pdesc pd;
10343 pf_init_pdesc(&pd, *m0);
10345 if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) {
10346 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO;
10348 ifp = ifnet_byindexgen(pd.pf_mtag->if_index,
10349 pd.pf_mtag->if_idxgen);
10357 (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL);
10362 if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL &&
10363 pd.pf_mtag->flags & PF_MTAG_FLAG_DUMMYNET) {
10370 pf_dummynet_flag_remove(pd.m, pd.pf_mtag);
10376 if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason,
10379 pd.act.log |= PF_LOG_FORCE;
10384 ((mtag = m_tag_locate(pd.m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) {
10388 if (pd.pf_mtag == NULL &&
10389 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) {
10393 pd.pf_mtag->flags |= PF_MTAG_FLAG_PACKET_LOOPED;
10395 if (pd.pf_mtag && pd.pf_mtag->flags & PF_MTAG_FLAG_FASTFWD_OURS_PRESENT) {
10396 pd.m->m_flags |= M_FASTFWD_OURS;
10397 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
10399 m_tag_delete(pd.m, mtag);
10401 mtag = m_tag_locate(pd.m, MTAG_IPFW_RULE, 0, NULL);
10403 m_tag_delete(pd.m, mtag);
10406 switch (pd.virtual_proto) {
10415 action = pf_test_rule(&r, &s, &pd, &a,
10423 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
10424 pd.dir == PF_IN && pf_synflood_check(&pd)) {
10425 pf_syncookie_send(&pd);
10430 if ((tcp_get_flags(&pd.hdr.tcp) & TH_ACK) && pd.p_len == 0)
10432 action = pf_normalize_tcp(&pd);
10435 action = pf_test_state_tcp(&s, &pd, &reason);
10444 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) ==
10445 TH_ACK && pf_syncookie_validate(&pd) &&
10446 pd.dir == PF_IN) {
10449 msyn = pf_syncookie_recreate_syn(&pd);
10456 &pd.act);
10461 action = pf_test_state_tcp(&s, &pd, &reason);
10467 s->src.seqhi = ntohl(pd.hdr.tcp.th_ack) - 1;
10468 s->src.seqlo = ntohl(pd.hdr.tcp.th_seq) - 1;
10470 action = pf_synproxy(&pd, &s, &reason);
10473 action = pf_test_rule(&r, &s, &pd,
10481 action = pf_test_state_udp(&s, &pd);
10488 action = pf_test_rule(&r, &s, &pd,
10494 action = pf_normalize_sctp(&pd);
10497 action = pf_test_state_sctp(&s, &pd, &reason);
10505 &pd, &a, &ruleset, inp);
10512 if (pd.virtual_proto == IPPROTO_ICMP && af != AF_INET) {
10519 if (pd.virtual_proto == IPPROTO_ICMPV6 && af != AF_INET6) {
10526 action = pf_test_state_icmp(&s, &pd, &reason);
10533 action = pf_test_rule(&r, &s, &pd,
10539 action = pf_test_state_other(&s, &pd);
10546 action = pf_test_rule(&r, &s, &pd,
10554 if (pd.m == NULL)
10557 if (action == PF_PASS && pd.badopts &&
10561 pd.act.log = PF_LOG_FORCE;
10567 uint8_t log = pd.act.log;
10568 memcpy(&pd.act, &s->act, sizeof(struct pf_rule_actions));
10569 pd.act.log |= log;
10575 if (tag > 0 && pf_tag_packet(&pd, tag)) {
10580 pf_scrub(&pd);
10581 if (pd.proto == IPPROTO_TCP && pd.act.max_mss)
10582 pf_normalize_mss(&pd);
10584 if (pd.act.rtableid >= 0)
10585 M_SETFIB(pd.m, pd.act.rtableid);
10587 if (pd.act.flags & PFSTATE_SETPRIO) {
10588 if (pd.tos & IPTOS_LOWDELAY)
10590 if (vlan_set_pcp(pd.m, pd.act.set_prio[use_2nd_queue])) {
10593 pd.act.log = PF_LOG_FORCE;
10600 if (action == PF_PASS && pd.act.qid) {
10601 if (pd.pf_mtag == NULL &&
10602 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) {
10607 pd.pf_mtag->qid_hash = pf_state_hash(s);
10608 if (use_2nd_queue || (pd.tos & IPTOS_LOWDELAY))
10609 pd.pf_mtag->qid = pd.act.pqid;
10611 pd.pf_mtag->qid = pd.act.qid;
10613 pd.pf_mtag->hdr = mtod(pd.m, void *);
10623 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
10624 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule != NULL &&
10627 pf_is_loopback(af, pd.dst))
10628 pd.m->m_flags |= M_SKIP_FIREWALL;
10631 action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) {
10644 m_tag_prepend(pd.m, mtag);
10645 if (pd.m->m_flags & M_FASTFWD_OURS) {
10646 if (pd.pf_mtag == NULL &&
10647 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) {
10650 pd.act.log = PF_LOG_FORCE;
10654 pd.pf_mtag->flags |=
10656 pd.m->m_flags &= ~M_FASTFWD_OURS;
10667 pd.act.log = PF_LOG_FORCE;
10677 if (pd.pf_mtag)
10678 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_PACKET_LOOPED;
10680 if (pd.act.log) {
10690 if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
10692 ruleset, &pd, (s == NULL));
10697 reason, ri->r, a, ruleset, &pd, 0);
10701 pf_counters_inc(action, &pd, s, r, a);
10715 if (pf_translate_af(&pd)) {
10716 if (!pd.m)
10721 *m0 = pd.m; /* pf_translate_af may change pd.m */
10723 if (pd.naf == AF_INET)
10724 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp);
10727 if (pd.naf == AF_INET6)
10728 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp);
10735 if (pd.act.rt) {
10740 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp);
10746 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp);
10752 if (pf_dummynet(&pd, s, r, m0) != 0) {
10777 (mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL)
10781 pf_sctp_multihome_delayed(&pd, kif, s, action);