Lines Matching +full:pc +full:- +full:ack
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
5 * Copyright (c) 2002 - 2008 Henning Brauer
13 * - Redistributions of source code must retain the above copyright
15 * - Redistributions in binary form must reproduce the above
35 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
219 return (a->v_tag - b->v_tag);
429 if ((pd->dir) == PF_OUT) \
430 nk = (_s)->key[PF_SK_STACK]; \
432 nk = (_s)->key[PF_SK_WIRE]; \
436 #define PACKET_LOOPED(pd) ((pd)->pf_mtag && \
437 (pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
441 (s) = pf_find_state((pd->kif), (k), (pd->dir)); \
442 SDT_PROBE5(pf, ip, state, lookup, pd->kif, k, (pd->dir), pd, (s)); \
452 struct pfi_kkif *k = pd->kif;
457 if (! (st->rule->rule_flag & PFRULE_IFBOUND))
464 if (st->rule->rt == PF_REPLYTO || (pd->af != pd->naf))
472 if (pd->related_rule)
476 if (st->direction == PF_IN)
479 /* No route-to, so don't overrule. */
480 if (st->act.rt != PF_ROUTETO)
483 /* Bind to the route-to interface. */
484 return (st->act.rt_kif);
490 counter_u64_add(s->rule->states_cur, 1); \
491 counter_u64_add(s->rule->states_tot, 1); \
492 if (s->anchor != NULL) { \
493 counter_u64_add(s->anchor->states_cur, 1); \
494 counter_u64_add(s->anchor->states_tot, 1); \
496 if (s->nat_rule != NULL) { \
497 counter_u64_add(s->nat_rule->states_cur, 1);\
498 counter_u64_add(s->nat_rule->states_tot, 1);\
500 SLIST_FOREACH(mrm, &s->match_rules, entry) { \
501 counter_u64_add(mrm->r->states_cur, 1); \
502 counter_u64_add(mrm->r->states_tot, 1); \
509 if (s->nat_rule != NULL) \
510 counter_u64_add(s->nat_rule->states_cur, -1);\
511 if (s->anchor != NULL) \
512 counter_u64_add(s->anchor->states_cur, -1); \
513 counter_u64_add(s->rule->states_cur, -1); \
514 SLIST_FOREACH(mrm, &s->match_rules, entry) \
515 counter_u64_add(mrm->r->states_cur, -1); \
577 if (a->addr32[0] > b->addr32[0])
579 if (a->addr32[0] < b->addr32[0])
580 return (-1);
585 if (a->addr32[3] > b->addr32[3])
587 if (a->addr32[3] < b->addr32[3])
588 return (-1);
589 if (a->addr32[2] > b->addr32[2])
591 if (a->addr32[2] < b->addr32[2])
592 return (-1);
593 if (a->addr32[1] > b->addr32[1])
595 if (a->addr32[1] < b->addr32[1])
596 return (-1);
597 if (a->addr32[0] > b->addr32[0])
599 if (a->addr32[0] < b->addr32[0])
600 return (-1);
613 return IN_LOOPBACK(ntohl(addr->v4.s_addr));
616 return IN6_IS_ADDR_LOOPBACK(&addr->v6);
627 switch (pd->proto) {
629 struct tcphdr *th = &pd->hdr.tcp;
631 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af))
632 pf_change_ap(m, pd->src, &th->th_sport, pd->ip_sum,
633 &th->th_sum, &nk->addr[pd->sidx],
634 nk->port[pd->sidx], 0, pd->af, pd->naf);
635 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af))
636 pf_change_ap(m, pd->dst, &th->th_dport, pd->ip_sum,
637 &th->th_sum, &nk->addr[pd->didx],
638 nk->port[pd->didx], 0, pd->af, pd->naf);
643 struct udphdr *uh = &pd->hdr.udp;
645 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af))
646 pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
647 &uh->uh_sum, &nk->addr[pd->sidx],
648 nk->port[pd->sidx], 1, pd->af, pd->naf);
649 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af))
650 pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
651 &uh->uh_sum, &nk->addr[pd->didx],
652 nk->port[pd->didx], 1, pd->af, pd->naf);
657 struct sctphdr *sh = &pd->hdr.sctp;
660 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) {
661 pf_change_ap(m, pd->src, &sh->src_port, pd->ip_sum,
662 &checksum, &nk->addr[pd->sidx],
663 nk->port[pd->sidx], 1, pd->af, pd->naf);
665 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) {
666 pf_change_ap(m, pd->dst, &sh->dest_port, pd->ip_sum,
667 &checksum, &nk->addr[pd->didx],
668 nk->port[pd->didx], 1, pd->af, pd->naf);
674 struct icmp *ih = &pd->hdr.icmp;
676 if (nk->port[pd->sidx] != ih->icmp_id) {
677 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup(
678 ih->icmp_cksum, ih->icmp_id,
679 nk->port[pd->sidx], 0);
680 ih->icmp_id = nk->port[pd->sidx];
681 pd->sport = &ih->icmp_id;
688 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) {
689 switch (pd->af) {
691 pf_change_a(&pd->src->v4.s_addr,
692 pd->ip_sum, nk->addr[pd->sidx].v4.s_addr,
696 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
700 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) {
701 switch (pd->af) {
703 pf_change_a(&pd->dst->v4.s_addr,
704 pd->ip_sum, nk->addr[pd->didx].v4.s_addr,
708 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
735 h = murmur3_32_hash32((uint32_t *)&addr->v4,
736 sizeof(addr->v4)/sizeof(uint32_t), V_pf_hashseed);
739 h = murmur3_32_hash32((uint32_t *)&addr->v6,
740 sizeof(addr->v6)/sizeof(uint32_t), V_pf_hashseed);
764 hv ^= crc32(&s->src, sizeof(s->src));
765 hv ^= crc32(&s->dst, sizeof(s->dst));
776 s->dst.state = newstate;
779 if (s->src.state == newstate)
781 if (s->creatorid == V_pf_status.hostid &&
782 s->key[PF_SK_STACK] != NULL &&
783 s->key[PF_SK_STACK]->proto == IPPROTO_TCP &&
784 !(TCPS_HAVEESTABLISHED(s->src.state) ||
785 s->src.state == TCPS_CLOSED) &&
787 atomic_add_32(&V_pf_status.states_halfopen, -1);
789 s->src.state = newstate;
799 memcpy(&dst->v4, &src->v4, sizeof(dst->v4));
803 memcpy(&dst->v6, &src->v6, sizeof(dst->v6));
813 threshold->limit = limit * PF_THRESHOLD_MULT;
814 threshold->seconds = seconds;
815 threshold->count = 0;
816 threshold->last = time_uptime;
822 u_int32_t t = time_uptime, diff = t - threshold->last;
824 if (diff >= threshold->seconds)
825 threshold->count = 0;
827 threshold->count -= threshold->count * diff /
828 threshold->seconds;
829 threshold->count += PF_THRESHOLD_MULT;
830 threshold->last = t;
836 return (threshold->count > threshold->limit);
846 PF_SRC_NODE_LOCK(state->src_node);
848 state->src_node->conn++;
849 state->src.tcp_est = 1;
850 pf_add_threshold(&state->src_node->conn_rate);
852 if (state->rule->max_src_conn &&
853 state->rule->max_src_conn <
854 state->src_node->conn) {
859 if (state->rule->max_src_conn_rate.limit &&
860 pf_check_threshold(&state->src_node->conn_rate)) {
869 state->timeout = PFTM_PURGE;
872 if (state->rule->overload_tbl == NULL)
880 bcopy(&state->src_node->addr, &pfoe->addr, sizeof(pfoe->addr));
881 pfoe->af = state->key[PF_SK_WIRE]->af;
882 pfoe->rule = state->rule;
883 pfoe->dir = state->direction;
890 PF_SRC_NODE_UNLOCK(state->src_node);
914 pf_print_host(&pfoe->addr, 0, pfoe->af);
918 p.pfra_af = pfoe->af;
919 switch (pfoe->af) {
923 p.pfra_ip4addr = pfoe->addr.v4;
929 p.pfra_ip6addr = pfoe->addr.v6;
935 pfr_insert_kentry(pfoe->rule->overload_tbl, &p, time_second);
943 if (pfoe->rule->flush == 0) {
962 LIST_FOREACH(s, &ih->states, entry) {
963 sk = s->key[PF_SK_WIRE];
965 if (sk->af == pfoe->af &&
966 ((pfoe->rule->flush & PF_FLUSH_GLOBAL) ||
967 pfoe->rule == s->rule) &&
968 ((pfoe->dir == PF_OUT &&
969 PF_AEQ(&pfoe->addr, &sk->addr[1], sk->af)) ||
970 (pfoe->dir == PF_IN &&
971 PF_AEQ(&pfoe->addr, &sk->addr[0], sk->af)))) {
972 s->timeout = PFTM_PURGE;
1000 LIST_FOREACH(n, &(*sh)->nodes, entry)
1001 if (n->rule == rule && n->af == af &&
1002 ((af == AF_INET && n->addr.v4.s_addr == src->v4.s_addr) ||
1003 (af == AF_INET6 && bcmp(&n->addr, src, sizeof(*src)) == 0)))
1024 LIST_FOREACH(cur, &(sh->nodes), entry) {
1026 cur->expire != 1) /* Ignore nodes being killed */
1039 counter_u64_free(sn->bytes[i]);
1040 counter_u64_free(sn->packets[i]);
1052 KASSERT((rule->rule_flag & PFRULE_SRCTRACK ||
1053 rule->rdr.opts & PF_POOL_STICKYADDR),
1054 ("%s for non-tracking rule %p", __func__, rule));
1065 if (rule->max_src_nodes &&
1066 counter_u64_fetch(rule->src_nodes) >= rule->max_src_nodes) {
1079 (*sn)->bytes[i] = counter_u64_alloc(M_NOWAIT);
1080 (*sn)->packets[i] = counter_u64_alloc(M_NOWAIT);
1082 if ((*sn)->bytes[i] == NULL || (*sn)->packets[i] == NULL) {
1089 pf_init_threshold(&(*sn)->conn_rate,
1090 rule->max_src_conn_rate.limit,
1091 rule->max_src_conn_rate.seconds);
1093 MPASS((*sn)->lock == NULL);
1094 (*sn)->lock = &(*sh)->lock;
1096 (*sn)->af = af;
1097 (*sn)->rule = rule;
1098 PF_ACPY(&(*sn)->addr, src, af);
1099 PF_ACPY(&(*sn)->raddr, raddr, af);
1100 (*sn)->rkif = rkif;
1101 LIST_INSERT_HEAD(&(*sh)->nodes, *sn, entry);
1102 (*sn)->creation = time_uptime;
1103 (*sn)->ruletype = rule->action;
1104 if ((*sn)->rule != NULL)
1105 counter_u64_add((*sn)->rule->src_nodes, 1);
1108 if (rule->max_src_states &&
1109 (*sn)->states >= rule->max_src_states) {
1118 (*sn)->states++;
1132 if (src->rule)
1133 counter_u64_add(src->rule->src_nodes, -1);
1161 /* Per-vnet data storage structures initialization. */
1209 V_pf_hashmask = V_pf_hashsize - 1;
1212 mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF | MTX_DUPOK);
1213 mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF);
1235 V_pf_srchashmask = V_pf_srchashsize - 1;
1237 mtx_init(&sh->lock, "pf_srchash", NULL, MTX_DEF);
1255 V_pf_udpendpointhashmask = V_pf_udpendpointhashsize - 1;
1259 mtx_init(&uh->lock, "pf_udpendpointhash", NULL,
1305 KASSERT(LIST_EMPTY(&kh->keys), ("%s: key hash not empty",
1307 KASSERT(LIST_EMPTY(&ih->states), ("%s: id hash not empty",
1309 mtx_destroy(&kh->lock);
1310 mtx_destroy(&ih->lock);
1316 KASSERT(LIST_EMPTY(&sh->nodes),
1318 mtx_destroy(&sh->lock);
1325 KASSERT(LIST_EMPTY(&uh->endpoints),
1327 mtx_destroy(&uh->lock);
1332 m_freem(pfse->pfse_m);
1349 t->m_tag_cookie = MTAG_ABI_COMPAT;
1350 t->m_tag_id = PACKET_TAG_PF;
1351 t->m_tag_len = sizeof(struct pf_mtag);
1352 t->m_tag_free = pf_mtag_free;
1391 KASSERT(s->refs == 0, ("%s: state not pristine", __func__));
1392 KASSERT(s->key[PF_SK_WIRE] == NULL, ("%s: state has key", __func__));
1393 KASSERT(s->key[PF_SK_STACK] == NULL, ("%s: state has key", __func__));
1436 MPASS(s->lock == NULL);
1437 s->lock = &V_pf_idhash[PF_IDHASH(s)].lock;
1440 LIST_FOREACH(cur, &kh->keys, entry)
1446 TAILQ_FOREACH(si, &cur->states[idx], key_list[idx]) {
1450 if (si->kif == s->kif &&
1451 ((si->key[PF_SK_WIRE]->af == sk->af &&
1452 si->direction == s->direction) ||
1453 (si->key[PF_SK_WIRE]->af !=
1454 si->key[PF_SK_STACK]->af &&
1455 sk->af == si->key[PF_SK_STACK]->af &&
1456 si->direction != s->direction))) {
1457 if (sk->proto == IPPROTO_TCP &&
1458 si->src.state >= TCPS_FIN_WAIT_2 &&
1459 si->dst.state >= TCPS_FIN_WAIT_2) {
1473 si->timeout = PFTM_PURGE;
1481 s->kif->pfik_name);
1495 s->timeout = PFTM_UNLINKED;
1511 s->key[idx] = cur;
1513 LIST_INSERT_HEAD(&kh->keys, sk, entry);
1514 s->key[idx] = sk;
1518 /* List is sorted, if-bound states before floating. */
1519 if (s->kif == V_pfi_all)
1520 TAILQ_INSERT_TAIL(&s->key[idx]->states[idx], s, key_list[idx]);
1522 TAILQ_INSERT_HEAD(&s->key[idx]->states[idx], s, key_list[idx]);
1525 TAILQ_REMOVE(&s->key[idx]->states[idx], olds, key_list[idx]);
1526 TAILQ_INSERT_TAIL(&s->key[idx]->states[idx], olds,
1536 s->key[PF_SK_STACK] = s->key[PF_SK_WIRE];
1554 KASSERT(s->key[PF_SK_WIRE] != NULL && s->key[PF_SK_STACK] != NULL,
1564 struct pf_state_key *sks = s->key[PF_SK_STACK];
1568 MPASS(s->timeout >= PFTM_MAX);
1572 if ((s->state_flags & PFSTATE_PFLOW) && V_pflow_export_state_ptr)
1578 if (s->key[PF_SK_STACK] != NULL)
1583 if (sks == s->key[PF_SK_WIRE]) {
1591 if (s->key[PF_SK_WIRE] != NULL) {
1592 kh = &V_pf_keyhash[pf_hashkey(s->key[PF_SK_WIRE])];
1594 if (s->key[PF_SK_WIRE] != NULL)
1603 struct pf_state_key *sk = s->key[idx];
1609 TAILQ_REMOVE(&sk->states[idx], s, key_list[idx]);
1610 s->key[idx] = NULL;
1612 if (TAILQ_EMPTY(&sk->states[0]) && TAILQ_EMPTY(&sk->states[1])) {
1624 TAILQ_INIT(&sk->states[PF_SK_WIRE]);
1625 TAILQ_INIT(&sk->states[PF_SK_STACK]);
1634 struct pf_addr *saddr = pd->src;
1635 struct pf_addr *daddr = pd->dst;
1641 if (pd->af == AF_INET || pd->proto != IPPROTO_ICMPV6)
1644 switch (pd->hdr.icmp6.icmp6_type) {
1647 return (-1);
1648 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
1649 return (-1);
1655 return (-1);
1656 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
1657 return (-1);
1660 if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) {
1661 key->addr[pd->didx].addr32[0] = 0;
1662 key->addr[pd->didx].addr32[1] = 0;
1663 key->addr[pd->didx].addr32[2] = 0;
1664 key->addr[pd->didx].addr32[3] = 0;
1670 key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL;
1671 key->addr[pd->sidx].addr32[1] = 0;
1672 key->addr[pd->sidx].addr32[2] = 0;
1673 key->addr[pd->sidx].addr32[3] = IPV6_ADDR_INT32_ONE;
1680 PF_ACPY(&key->addr[pd->sidx], saddr, pd->af);
1682 PF_ACPY(&key->addr[pd->didx], daddr, pd->af);
1702 (*sk)->port[pd->sidx] = sport;
1703 (*sk)->port[pd->didx] = dport;
1704 (*sk)->proto = pd->proto;
1705 (*sk)->af = pd->af;
1714 if (pd->af != pd->naf) {
1715 (*sk)->port[pd->sidx] = pd->osport;
1716 (*sk)->port[pd->didx] = pd->odport;
1718 (*nk)->af = pd->naf;
1724 bzero(&(*nk)->addr[0], sizeof((*nk)->addr[0]));
1725 bzero(&(*nk)->addr[1], sizeof((*nk)->addr[1]));
1727 PF_ACPY(&(*nk)->addr[pd->didx], &pd->nsaddr, pd->naf);
1728 PF_ACPY(&(*nk)->addr[pd->sidx], &pd->ndaddr, pd->naf);
1729 (*nk)->port[pd->didx] = pd->nsport;
1730 (*nk)->port[pd->sidx] = pd->ndport;
1731 switch (pd->proto) {
1733 (*nk)->proto = IPPROTO_ICMPV6;
1736 (*nk)->proto = IPPROTO_ICMP;
1739 (*nk)->proto = pd->proto;
1770 KASSERT(TAILQ_EMPTY(&sks->states[0]) && TAILQ_EMPTY(&sks->states[1]),
1772 KASSERT(TAILQ_EMPTY(&skw->states[0]) && TAILQ_EMPTY(&skw->states[1]),
1774 KASSERT(s->refs == 0, ("%s: state not pristine", __func__));
1776 s->kif = kif;
1777 s->orig_kif = orig_kif;
1779 if (s->id == 0 && s->creatorid == 0) {
1780 s->id = alloc_unr64(&V_pf_stateid);
1781 s->id = htobe64(s->id);
1782 s->creatorid = V_pf_status.hostid;
1791 LIST_FOREACH(cur, &ih->states, entry)
1792 if (cur->id == s->id && cur->creatorid == s->creatorid)
1796 s->timeout = PFTM_UNLINKED;
1801 (unsigned long long)be64toh(s->id),
1802 ntohl(s->creatorid));
1807 LIST_INSERT_HEAD(&ih->states, s, entry);
1809 refcount_init(&s->refs, 2);
1833 LIST_FOREACH(s, &ih->states, entry)
1834 if (s->id == id && s->creatorid == creatorid)
1861 LIST_FOREACH(sk, &kh->keys, entry)
1871 /* List is sorted, if-bound states before floating ones. */
1872 TAILQ_FOREACH(s, &sk->states[idx], key_list[idx])
1873 if (s->kif == V_pfi_all || s->kif == kif || s->orig_kif == kif) {
1876 if (__predict_false(s->timeout >= PFTM_MAX)) {
1888 /* Look through the other list, in case of AF-TO */
1890 TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) {
1891 if (s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af)
1893 if (s->kif == V_pfi_all || s->kif == kif || s->orig_kif == kif) {
1896 if (__predict_false(s->timeout >= PFTM_MAX)) {
1933 LIST_FOREACH(sk, &kh->keys, entry)
1955 TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) {
1981 * This routine is inefficient -- locks the state only to unlock immediately on
1983 * It is racy -- after the state is unlocked nothing stops other threads from
2008 PF_ACPY(&mapping->endpoints[0].addr, src_addr, af);
2009 mapping->endpoints[0].port = src_port;
2010 mapping->endpoints[0].af = af;
2011 mapping->endpoints[0].mapping = mapping;
2012 PF_ACPY(&mapping->endpoints[1].addr, nat_addr, af);
2013 mapping->endpoints[1].port = nat_port;
2014 mapping->endpoints[1].af = af;
2015 mapping->endpoints[1].mapping = mapping;
2016 refcount_init(&mapping->refs, 1);
2027 h0 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[0])];
2028 h1 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[1])];
2039 LIST_FOREACH(endpoint, &h0->endpoints, entry) {
2040 if (bcmp(endpoint, &mapping->endpoints[0],
2046 LIST_FOREACH(endpoint, &h1->endpoints, entry) {
2047 if (bcmp(endpoint, &mapping->endpoints[1],
2053 LIST_INSERT_HEAD(&h0->endpoints, &mapping->endpoints[0], entry);
2054 LIST_INSERT_HEAD(&h1->endpoints, &mapping->endpoints[1], entry);
2076 h0 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[0])];
2078 if (refcount_release(&mapping->refs)) {
2079 LIST_REMOVE(&mapping->endpoints[0], entry);
2081 h1 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[1])];
2083 LIST_REMOVE(&mapping->endpoints[1], entry);
2102 LIST_FOREACH(endpoint, &uh->endpoints, entry) {
2104 bcmp(endpoint, &endpoint->mapping->endpoints[0],
2112 refcount_acquire(&endpoint->mapping->refs);
2114 return (endpoint->mapping);
2136 return (in_localip(ip->ip_dst));
2144 ia = in6ifa_ifwithaddr(&ip6->ip6_dst, 0 /* XXX */, false);
2147 return (! (ia->ia6_flags & IN6_IFF_NOTREADY));
2167 switch (pd->af) {
2175 *virtual_id = pd->hdr.icmp.icmp_id;
2182 *virtual_id = pd->hdr.icmp.icmp_id;
2189 *virtual_id = pd->hdr.icmp.icmp_id;
2196 *virtual_id = pd->hdr.icmp.icmp_id;
2252 *virtual_id = pd->hdr.icmp6.icmp6_id;
2333 switch (pfse->pfse_type) {
2336 if (pf_isforlocal(pfse->pfse_m, AF_INET)) {
2337 KASSERT(pfse->pfse_m->m_pkthdr.rcvif == V_loif,
2340 pfse->pfse_m->m_flags |= M_SKIP_FIREWALL;
2341 pfse->pfse_m->m_pkthdr.csum_flags |=
2343 ip_input(pfse->pfse_m);
2345 ip_output(pfse->pfse_m, NULL, NULL, 0, NULL,
2351 icmp_error(pfse->pfse_m, pfse->icmpopts.type,
2352 pfse->icmpopts.code, 0, pfse->icmpopts.mtu);
2357 if (pf_isforlocal(pfse->pfse_m, AF_INET6)) {
2358 KASSERT(pfse->pfse_m->m_pkthdr.rcvif == V_loif,
2361 pfse->pfse_m->m_flags |= M_SKIP_FIREWALL |
2363 ip6_input(pfse->pfse_m);
2365 ip6_output(pfse->pfse_m, NULL, NULL, 0, NULL,
2370 icmp6_error(pfse->pfse_m, pfse->icmpopts.type,
2371 pfse->icmpopts.code, pfse->icmpopts.mtu);
2435 pf_counter_u64_periodic(&kif->pfik_packets[i][j][k]);
2436 pf_counter_u64_periodic(&kif->pfik_bytes[i][j][k]);
2474 pf_counter_u64_periodic(&rule->evaluations);
2476 pf_counter_u64_periodic(&rule->packets[i]);
2477 pf_counter_u64_periodic(&rule->bytes[i]);
2540 * - states and src nodes reference rules
2541 * - states and rules reference kifs
2596 if (state->timeout == PFTM_PURGE)
2598 KASSERT(state->timeout != PFTM_UNLINKED,
2600 KASSERT((state->timeout < PFTM_MAX),
2602 timeout = state->rule->timeout[state->timeout];
2604 timeout = V_pf_default_rule.timeout[state->timeout];
2605 start = state->rule->timeout[PFTM_ADAPTIVE_START];
2606 if (start && state->rule != &V_pf_default_rule) {
2607 end = state->rule->timeout[PFTM_ADAPTIVE_END];
2608 states = counter_u64_fetch(state->rule->states_cur);
2616 timeout = (u_int64_t)timeout * (end - states) /
2617 (end - start);
2618 return ((state->expire / 1000) + timeout);
2623 return ((state->expire / 1000) + timeout);
2637 LIST_FOREACH_SAFE(cur, &sh->nodes, entry, next)
2638 if (cur->states == 0 && cur->expire <= time_uptime) {
2641 } else if (cur->rule != NULL)
2642 cur->rule->rule_ref |= PFRULE_REFS;
2657 timeout = s->rule->timeout[PFTM_SRC_NODE] ?
2658 s->rule->timeout[PFTM_SRC_NODE] :
2661 if (s->src_node != NULL) {
2662 sn = s->src_node;
2664 if (s->src.tcp_est)
2665 --sn->conn;
2666 if (--sn->states == 0)
2667 sn->expire = time_uptime + timeout;
2670 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
2671 sn = s->nat_src_node;
2673 if (--sn->states == 0)
2674 sn->expire = time_uptime + timeout;
2677 s->src_node = s->nat_src_node = NULL;
2693 if (s->timeout == PFTM_UNLINKED) {
2703 if (s->src.state == PF_TCPS_PROXY_DST) {
2705 pf_send_tcp(s->rule, s->key[PF_SK_WIRE]->af,
2706 &s->key[PF_SK_WIRE]->addr[1],
2707 &s->key[PF_SK_WIRE]->addr[0],
2708 s->key[PF_SK_WIRE]->port[1],
2709 s->key[PF_SK_WIRE]->port[0],
2710 s->src.seqhi, s->src.seqlo + 1,
2711 TH_RST|TH_ACK, 0, 0, 0, M_SKIP_FIREWALL, s->tag, 0,
2712 s->act.rtableid);
2723 s->timeout = PFTM_UNLINKED;
2726 if (s->key[PF_SK_STACK] != NULL &&
2727 s->key[PF_SK_STACK]->proto == IPPROTO_TCP)
2734 pf_udp_mapping_release(s->udp_mapping);
2752 KASSERT(cur->refs == 0, ("%s: %p has refs", __func__, cur));
2753 KASSERT(cur->timeout == PFTM_UNLINKED, ("%s: timeout %u", __func__,
2754 cur->timeout));
2756 while ((ri = SLIST_FIRST(&cur->match_rules))) {
2757 SLIST_REMOVE_HEAD(&cur->match_rules, entry);
2787 if (!LIST_EMPTY(&ih->states)) {
2790 LIST_FOREACH(s, &ih->states, entry) {
2792 V_pf_status.states -=
2796 s->rule->rule_ref |= PFRULE_REFS;
2797 if (s->nat_rule != NULL)
2798 s->nat_rule->rule_ref |= PFRULE_REFS;
2799 if (s->anchor != NULL)
2800 s->anchor->rule_ref |= PFRULE_REFS;
2801 s->kif->pfik_flags |= PFI_IFLAG_REFS;
2802 SLIST_FOREACH(mrm, &s->match_rules, entry)
2803 mrm->r->rule_ref |= PFRULE_REFS;
2804 if (s->act.rt_kif)
2805 s->act.rt_kif->pfik_flags |= PFI_IFLAG_REFS;
2819 maxcheck--;
2847 * Do naive mark-and-sweep garbage collecting of old rules.
2857 if (!(r->rule_ref & PFRULE_REFS)) {
2861 r->rule_ref &= ~PFRULE_REFS;
2883 u_int32_t a = ntohl(addr->addr32[0]);
2899 if (!addr->addr16[i]) {
2904 if ((curend - curstart) >
2905 (maxend - maxstart)) {
2912 if ((curend - curstart) >
2913 (maxend - maxstart)) {
2924 b = ntohs(addr->addr16[i]);
2954 skw = skwp ? skwp : (s ? s->key[PF_SK_WIRE] : NULL);
2955 sks = sksp ? sksp : (s ? s->key[PF_SK_STACK] : NULL);
2956 proto = skw ? skw->proto : (sks ? sks->proto : 0);
2957 dir = s ? s->direction : 0;
2992 pf_print_host(&skw->addr[0], skw->port[0], skw->af);
2994 pf_print_host(&skw->addr[1], skw->port[1], skw->af);
2999 pf_print_host(&sks->addr[0], sks->port[0], sks->af);
3001 pf_print_host(&sks->addr[1], sks->port[1], sks->af);
3003 printf("-");
3008 s->src.seqlo, s->src.seqhi,
3009 s->src.max_win, s->src.seqdiff);
3010 if (s->src.wscale && s->dst.wscale)
3012 s->src.wscale & PF_WSCALE_MASK);
3015 s->dst.seqlo, s->dst.seqhi,
3016 s->dst.max_win, s->dst.seqdiff);
3017 if (s->src.wscale && s->dst.wscale)
3019 s->dst.wscale & PF_WSCALE_MASK);
3022 printf(" %u:%u", s->src.state, s->dst.state);
3023 if (s->rule)
3024 printf(" @%d", s->rule->nr);
3056 head[i]->skip[i] = cur; \
3072 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
3074 if (cur->direction != prev->direction)
3076 if (cur->af != prev->af)
3078 if (cur->proto != prev->proto)
3080 if (cur->src.neg != prev->src.neg ||
3081 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
3083 if (cur->dst.neg != prev->dst.neg ||
3084 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
3086 if (cur->src.port[0] != prev->src.port[0] ||
3087 cur->src.port[1] != prev->src.port[1] ||
3088 cur->src.port_op != prev->src.port_op)
3090 if (cur->dst.port[0] != prev->dst.port[0] ||
3091 cur->dst.port[1] != prev->dst.port[1] ||
3092 cur->dst.port_op != prev->dst.port_op)
3105 if (aw1->type != aw2->type)
3107 switch (aw1->type) {
3110 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, AF_INET6))
3112 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, AF_INET6))
3116 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
3122 return (aw1->p.tbl != aw2->p.tbl);
3124 printf("invalid address type: %d\n", aw1->type);
3132 * pseudo-header checksum, which is a partial checksum over src/dst IP
3138 * * Output (i.e. the checksum is a pseudo-header checksum):
3140 * the packet. We need to update the pseudo-header checksum (note that this
3150 x = cksum + old - new;
3174 if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
3208 if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
3216 u_int16_t *pc, struct pf_addr *an, u_int16_t pn, u_int8_t u,
3226 if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
3227 *pc = ~*pc;
3237 ao.addr16[0], an->addr16[0], 0),
3238 ao.addr16[1], an->addr16[1], 0);
3241 *pc = pf_cksum_fixup(pf_cksum_fixup(*pc,
3242 ao.addr16[0], an->addr16[0], u),
3243 ao.addr16[1], an->addr16[1], u);
3245 *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
3249 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
3251 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
3252 ao.addr16[0], an->addr16[0], u),
3253 ao.addr16[1], an->addr16[1], u),
3254 0, an->addr16[2], u),
3255 0, an->addr16[3], u),
3256 0, an->addr16[4], u),
3257 0, an->addr16[5], u),
3258 0, an->addr16[6], u),
3259 0, an->addr16[7], u),
3273 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
3275 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
3276 ao.addr16[0], an->addr16[0], u),
3277 ao.addr16[1], an->addr16[1], u),
3290 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
3292 pf_cksum_fixup(pf_cksum_fixup(*pc,
3293 ao.addr16[0], an->addr16[0], u),
3294 ao.addr16[1], an->addr16[1], u),
3295 ao.addr16[2], an->addr16[2], u),
3296 ao.addr16[3], an->addr16[3], u),
3297 ao.addr16[4], an->addr16[4], u),
3298 ao.addr16[5], an->addr16[5], u),
3299 ao.addr16[6], an->addr16[6], u),
3300 ao.addr16[7], an->addr16[7], u);
3302 *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
3309 if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
3311 *pc = ~*pc;
3312 if (! *pc)
3313 *pc = 0xffff;
3354 ao.addr16[0], an->addr16[0], u),
3355 ao.addr16[1], an->addr16[1], u),
3356 ao.addr16[2], an->addr16[2], u),
3357 ao.addr16[3], an->addr16[3], u),
3358 ao.addr16[4], an->addr16[4], u),
3359 ao.addr16[5], an->addr16[5], u),
3360 ao.addr16[6], an->addr16[6], u),
3361 ao.addr16[7], an->addr16[7], u);
3367 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
3381 if (pc != NULL)
3382 opc = *pc;
3384 if (pc != NULL)
3385 *pc = pf_cksum_fixup(*pc, oip, *ip, u);
3387 if (pc != NULL)
3388 *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
3398 oia.addr16[0], ia->addr16[0], 0),
3399 oia.addr16[1], ia->addr16[1], 0);
3401 oia.addr16[0], ia->addr16[0], 0),
3402 oia.addr16[1], ia->addr16[1], 0);
3412 oia.addr16[0], ia->addr16[0], u),
3413 oia.addr16[1], ia->addr16[1], u),
3414 oia.addr16[2], ia->addr16[2], u),
3415 oia.addr16[3], ia->addr16[3], u),
3416 oia.addr16[4], ia->addr16[4], u),
3417 oia.addr16[5], ia->addr16[5], u),
3418 oia.addr16[6], ia->addr16[6], u),
3419 oia.addr16[7], ia->addr16[7], u);
3430 ooa.addr16[0], oa->addr16[0], 0),
3431 ooa.addr16[1], oa->addr16[1], 0);
3439 ooa.addr16[0], oa->addr16[0], u),
3440 ooa.addr16[1], oa->addr16[1], u),
3441 ooa.addr16[2], oa->addr16[2], u),
3442 ooa.addr16[3], oa->addr16[3], u),
3443 ooa.addr16[4], oa->addr16[4], u),
3444 ooa.addr16[5], oa->addr16[5], u),
3445 ooa.addr16[6], oa->addr16[6], u),
3446 ooa.addr16[7], oa->addr16[7], u);
3465 hlen = pd->naf == AF_INET ? sizeof(*ip4) : sizeof(*ip6);
3468 m_adj(pd->m, pd->off);
3471 M_PREPEND(pd->m, hlen, M_NOWAIT);
3472 if (pd->m == NULL)
3473 return (-1);
3475 switch (pd->naf) {
3477 ip4 = mtod(pd->m, struct ip *);
3479 ip4->ip_v = IPVERSION;
3480 ip4->ip_hl = hlen >> 2;
3481 ip4->ip_tos = pd->tos;
3482 ip4->ip_len = htons(hlen + (pd->tot_len - pd->off));
3484 ip4->ip_ttl = pd->ttl;
3485 ip4->ip_p = pd->proto;
3486 ip4->ip_src = pd->nsaddr.v4;
3487 ip4->ip_dst = pd->ndaddr.v4;
3488 pd->src = (struct pf_addr *)&ip4->ip_src;
3489 pd->dst = (struct pf_addr *)&ip4->ip_dst;
3490 pd->off = sizeof(struct ip);
3493 ip6 = mtod(pd->m, struct ip6_hdr *);
3495 ip6->ip6_vfc = IPV6_VERSION;
3496 ip6->ip6_flow |= htonl((u_int32_t)pd->tos << 20);
3497 ip6->ip6_plen = htons(pd->tot_len - pd->off);
3498 ip6->ip6_nxt = pd->proto;
3499 if (!pd->ttl || pd->ttl > IPV6_DEFHLIM)
3500 ip6->ip6_hlim = IPV6_DEFHLIM;
3502 ip6->ip6_hlim = pd->ttl;
3503 ip6->ip6_src = pd->nsaddr.v6;
3504 ip6->ip6_dst = pd->ndaddr.v6;
3505 pd->src = (struct pf_addr *)&ip6->ip6_src;
3506 pd->dst = (struct pf_addr *)&ip6->ip6_dst;
3507 pd->off = sizeof(struct ip6_hdr);
3514 mtag = m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL);
3517 ftag->ft_hdrlen = sizeof(*ip6);
3518 ftag->ft_maxlen -= sizeof(struct ip6_hdr) -
3523 return (-1);
3527 if (pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6) {
3529 if ((mp = m_pulldown(pd->m, hlen, sizeof(*icmp), &off)) ==
3531 pd->m = NULL;
3532 return (-1);
3534 icmp = (struct icmp6_hdr *)(mp->m_data + off);
3535 icmp->icmp6_cksum = 0;
3536 icmp->icmp6_cksum = pd->naf == AF_INET ?
3537 in4_cksum(pd->m, 0, hlen, ntohs(ip4->ip_len) - hlen) :
3538 in6_cksum(pd->m, IPPROTO_ICMPV6, hlen,
3539 ntohs(ip6->ip6_plen));
3559 return (-1);
3563 return (-1);
3566 olen = pd2->off - off;
3570 mlen = m->m_pkthdr.len - pd2->off;
3578 return (-1);
3585 ip4->ip_v = IPVERSION;
3586 ip4->ip_hl = sizeof(*ip4) >> 2;
3587 ip4->ip_len = htons(sizeof(*ip4) + mlen);
3589 ip4->ip_off = htons(IP_DF);
3590 ip4->ip_ttl = pd2->ttl;
3591 if (pd2->proto == IPPROTO_ICMPV6)
3592 ip4->ip_p = IPPROTO_ICMP;
3594 ip4->ip_p = pd2->proto;
3595 ip4->ip_src = src->v4;
3596 ip4->ip_dst = dst->v4;
3597 ip4->ip_sum = in_cksum(n, ip4->ip_hl << 2);
3602 ip6->ip6_vfc = IPV6_VERSION;
3603 ip6->ip6_plen = htons(mlen);
3604 if (pd2->proto == IPPROTO_ICMP)
3605 ip6->ip6_nxt = IPPROTO_ICMPV6;
3607 ip6->ip6_nxt = pd2->proto;
3608 if (!pd2->ttl || pd2->ttl > IPV6_DEFHLIM)
3609 ip6->ip6_hlim = IPV6_DEFHLIM;
3611 ip6->ip6_hlim = pd2->ttl;
3612 ip6->ip6_src = src->v6;
3613 ip6->ip6_dst = dst->v6;
3618 pd2->off += hlen - olen;
3619 pd->tot_len += hlen - olen;
3622 mlen = n->m_pkthdr.len;
3624 m->m_pkthdr.len += mlen;
3640 int32_t ptr = -1;
3647 type = icmp6->icmp6_type;
3648 code = icmp6->icmp6_code;
3649 mtu = ntohl(icmp6->icmp6_mtu);
3673 return (-1);
3679 mtu -= 20;
3689 ptr = ntohl(icmp6->icmp6_pptr);
3709 return (-1);
3717 return (-1);
3721 return (-1);
3723 if (icmp6->icmp6_type != type) {
3724 icmp6->icmp6_cksum = pf_cksum_fixup(icmp6->icmp6_cksum,
3725 icmp6->icmp6_type, type, 0);
3726 icmp6->icmp6_type = type;
3728 if (icmp6->icmp6_code != code) {
3729 icmp6->icmp6_cksum = pf_cksum_fixup(icmp6->icmp6_cksum,
3730 icmp6->icmp6_code, code, 0);
3731 icmp6->icmp6_code = code;
3733 if (icmp6->icmp6_mtu != htonl(mtu)) {
3734 icmp6->icmp6_cksum = pf_cksum_fixup(icmp6->icmp6_cksum,
3735 htons(ntohl(icmp6->icmp6_mtu)), htons(mtu), 0);
3737 icmp6->icmp6_mtu = htonl(mtu);
3739 if (ptr >= 0 && icmp6->icmp6_pptr != htonl(ptr)) {
3740 icmp6->icmp6_cksum = pf_cksum_fixup(icmp6->icmp6_cksum,
3741 htons(ntohl(icmp6->icmp6_pptr)), htons(ptr), 0);
3743 icmp6->icmp6_pptr = htonl(ptr << 24);
3748 type = icmp4->icmp_type;
3749 code = icmp4->icmp_code;
3750 mtu = ntohs(icmp4->icmp_nextmtu);
3791 return (-1);
3807 return (-1);
3810 ptr = icmp4->icmp_pptr;
3826 return (-1);
3830 return (-1);
3832 if (icmp4->icmp_type != type) {
3833 icmp4->icmp_cksum = pf_cksum_fixup(icmp4->icmp_cksum,
3834 icmp4->icmp_type, type, 0);
3835 icmp4->icmp_type = type;
3837 if (icmp4->icmp_code != code) {
3838 icmp4->icmp_cksum = pf_cksum_fixup(icmp4->icmp_cksum,
3839 icmp4->icmp_code, code, 0);
3840 icmp4->icmp_code = code;
3842 if (icmp4->icmp_nextmtu != htons(mtu)) {
3843 icmp4->icmp_cksum = pf_cksum_fixup(icmp4->icmp_cksum,
3844 icmp4->icmp_nextmtu, htons(mtu), 0);
3845 icmp4->icmp_nextmtu = htons(mtu);
3847 if (ptr >= 0 && icmp4->icmp_void != ptr) {
3848 icmp4->icmp_cksum = pf_cksum_fixup(icmp4->icmp_cksum,
3849 htons(icmp4->icmp_pptr), htons(ptr), 0);
3850 icmp4->icmp_void = htonl(ptr);
3867 int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
3874 !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
3878 size_t startoff = opt - opts;
3884 hlen--;
3893 pf_patch_32_unaligned(pd->m,
3894 &th->th_sum, &sack.start,
3895 htonl(ntohl(sack.start) - dst->seqdiff),
3898 pf_patch_32_unaligned(pd->m, &th->th_sum,
3900 htonl(ntohl(sack.end) - dst->seqdiff),
3911 hlen -= olen;
3917 m_copyback(pd->m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts);
3924 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
3972 m->m_flags |= mbuf_flags;
3973 pf_mtag->tag = mtag_tag;
3974 pf_mtag->flags = mtag_flags;
3980 if (r != NULL && r->qid) {
3981 pf_mtag->qid = r->qid;
3984 pf_mtag->hdr = mtod(m, struct ip *);
3987 m->m_data += max_linkhdr;
3988 m->m_pkthdr.len = m->m_len = len;
3991 m->m_pkthdr.rcvif = V_loif;
3992 bzero(m->m_data, len);
3999 h->ip_p = IPPROTO_TCP;
4000 h->ip_len = htons(tlen);
4001 h->ip_src.s_addr = saddr->v4.s_addr;
4002 h->ip_dst.s_addr = daddr->v4.s_addr;
4012 h6->ip6_nxt = IPPROTO_TCP;
4013 h6->ip6_plen = htons(tlen);
4014 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
4015 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
4023 th->th_sport = sport;
4024 th->th_dport = dport;
4025 th->th_seq = htonl(seq);
4026 th->th_ack = htonl(ack);
4027 th->th_off = tlen >> 2;
4029 th->th_win = htons(win);
4043 th->th_sum = in_cksum(m, len);
4046 h->ip_v = 4;
4047 h->ip_hl = sizeof(*h) >> 2;
4048 h->ip_tos = IPTOS_LOWDELAY;
4049 h->ip_off = htons(V_path_mtu_discovery ? IP_DF : 0);
4050 h->ip_len = htons(len);
4051 h->ip_ttl = ttl ? ttl : V_ip_defttl;
4052 h->ip_sum = 0;
4058 th->th_sum = in6_cksum(m, IPPROTO_TCP,
4061 h6->ip6_vfc |= IPV6_VERSION;
4062 h6->ip6_hlim = IPV6_DEFHLIM;
4086 MPASS(af == pd->af);
4092 m->m_data += max_linkhdr;
4093 m->m_flags |= M_SKIP_FIREWALL;
4096 m->m_pkthdr.rcvif = V_loif;
4102 bzero(m->m_data, sizeof(struct ip) + sizeof(*hdr) + sizeof(*chunk));
4108 h->ip_p = IPPROTO_SCTP;
4109 h->ip_len = htons(sizeof(*h) + sizeof(*hdr) + sizeof(*chunk));
4110 h->ip_ttl = ttl ? ttl : V_ip_defttl;
4111 h->ip_src = pd->dst->v4;
4112 h->ip_dst = pd->src->v4;
4119 bzero(m->m_data, sizeof(struct ip6_hdr) + sizeof(*hdr) + sizeof(*chunk));
4124 h6->ip6_vfc |= IPV6_VERSION;
4125 h6->ip6_nxt = IPPROTO_SCTP;
4126 h6->ip6_plen = htons(sizeof(*h6) + sizeof(*hdr) + sizeof(*chunk));
4127 h6->ip6_hlim = ttl ? ttl : V_ip6_defhlim;
4128 memcpy(&h6->ip6_src, &pd->dst->v6, sizeof(struct in6_addr));
4129 memcpy(&h6->ip6_dst, &pd->src->v6, sizeof(struct in6_addr));
4139 hdr->src_port = pd->hdr.sctp.dest_port;
4140 hdr->dest_port = pd->hdr.sctp.src_port;
4141 hdr->v_tag = pd->sctp_initiate_tag;
4142 hdr->checksum = 0;
4148 chunk->chunk_type = SCTP_ABORT_ASSOCIATION;
4149 chunk->chunk_length = htons(sizeof(*chunk));
4153 m->m_pkthdr.len = m->m_len = off;
4155 pf_sctp_checksum(m, off - sizeof(*hdr) - sizeof(*chunk));
4170 pfse->pfse_type = PFSE_IP;
4175 pfse->pfse_type = PFSE_IP6;
4180 pfse->pfse_m = m;
4187 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
4194 m = pf_build_tcp(r, af, saddr, daddr, sport, dport, seq, ack, tcp_flags,
4209 pfse->pfse_type = PFSE_IP;
4214 pfse->pfse_type = PFSE_IP6;
4219 pfse->pfse_m = m;
4229 struct pf_addr * const saddr = pd->src;
4230 struct pf_addr * const daddr = pd->dst;
4234 PF_ACPY(saddr, &sk->addr[pd->sidx], pd->af);
4235 PF_ACPY(daddr, &sk->addr[pd->didx], pd->af);
4236 if (pd->sport)
4237 *pd->sport = sk->port[pd->sidx];
4238 if (pd->dport)
4239 *pd->dport = sk->port[pd->didx];
4240 if (pd->ip_sum)
4241 *pd->ip_sum = bip_sum;
4242 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
4244 if (pd->proto == IPPROTO_TCP &&
4245 ((r->rule_flag & PFRULE_RETURNRST) ||
4246 (r->rule_flag & PFRULE_RETURN)) &&
4248 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
4250 if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off,
4251 IPPROTO_TCP, pd->af))
4255 ack++;
4257 ack++;
4258 pf_send_tcp(r, pd->af, pd->dst,
4259 pd->src, th->th_dport, th->th_sport,
4260 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
4261 r->return_ttl, M_SKIP_FIREWALL, 0, 0, rtableid);
4263 } else if (pd->proto == IPPROTO_SCTP &&
4264 (r->rule_flag & PFRULE_RETURN)) {
4265 pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid);
4266 } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET &&
4267 r->return_icmp)
4268 pf_send_icmp(pd->m, r->return_icmp >> 8,
4269 r->return_icmp & 255, pd->af, r, rtableid);
4270 else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 &&
4271 r->return_icmp6)
4272 pf_send_icmp(pd->m, r->return_icmp6 >> 8,
4273 r->return_icmp6 & 255, pd->af, r, rtableid);
4349 m0->m_flags |= M_SKIP_FIREWALL;
4355 if (r->qid) {
4356 pf_mtag->qid = r->qid;
4358 pf_mtag->hdr = mtod(m0, struct ip *);
4365 pfse->pfse_type = PFSE_ICMP;
4370 pfse->pfse_type = PFSE_ICMP6;
4374 pfse->pfse_m = m0;
4375 pfse->icmpopts.type = type;
4376 pfse->icmpopts.code = code;
4394 if (IN_ARE_MASKED_ADDR_EQUAL(a->v4, b->v4, m->v4))
4400 if (IN6_ARE_MASKED_ADDR_EQUAL(&a->v6, &b->v6, &m->v6))
4428 if ((ntohl(a->addr32[0]) < ntohl(b->addr32[0])) ||
4429 (ntohl(a->addr32[0]) > ntohl(e->addr32[0])))
4439 if (ntohl(a->addr32[i]) > ntohl(b->addr32[i]))
4441 else if (ntohl(a->addr32[i]) < ntohl(b->addr32[i]))
4445 if (ntohl(a->addr32[i]) < ntohl(e->addr32[i]))
4447 else if (ntohl(a->addr32[i]) > ntohl(e->addr32[i]))
4510 if (*tag == -1)
4513 return ((!r->match_tag_not && r->match_tag == *tag) ||
4514 (r->match_tag_not && r->match_tag != *tag));
4520 struct ifnet *ifp = m->m_pkthdr.rcvif;
4526 kif = (struct pfi_kkif *)ifp->if_pf_kif;
4530 ("pf_test_via: kif == NULL, @%d via %s\n", r->nr,
4531 r->rcv_ifname));
4535 return (pfi_kkif_match(r->rcv_kif, kif));
4544 if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL))
4547 pd->pf_mtag->tag = tag;
4565 #define PF_ANCHOR_MATCH(f) ((uintptr_t)(f)->r & PF_ANCHORSTACK_MATCH)
4567 ((uintptr_t)(f)->r & ~PF_ANCHORSTACK_MASK)
4568 #define PF_ANCHOR_SET_MATCH(f) do { (f)->r = (void *) \
4569 ((uintptr_t)(f)->r | PF_ANCHORSTACK_MATCH); \
4585 __func__, (*r)->anchor->name);
4591 f->rs = *rs;
4592 f->r = *r;
4593 if ((*r)->anchor_wildcard) {
4594 struct pf_kanchor_node *parent = &(*r)->anchor->children;
4596 if ((f->child = RB_MIN(pf_kanchor_node, parent)) == NULL) {
4600 *rs = &f->child->ruleset;
4602 f->child = NULL;
4603 *rs = &(*r)->anchor->ruleset;
4605 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
4622 f = stack + *depth - 1;
4624 if (f->child != NULL) {
4638 f->child = RB_NEXT(pf_kanchor_node,
4639 &fr->anchor->children, f->child);
4640 if (f->child != NULL) {
4641 *rs = &f->child->ruleset;
4642 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
4649 (*depth)--;
4652 *rs = f->rs;
4654 quick = fr->quick;
4667 #define PF_ETH_ANCHOR_MATCH(f) ((uintptr_t)(f)->r & PF_ANCHORSTACK_MATCH)
4669 ((uintptr_t)(f)->r & ~PF_ANCHORSTACK_MASK)
4670 #define PF_ETH_ANCHOR_SET_MATCH(f) do { (f)->r = (void *) \
4671 ((uintptr_t)(f)->r | PF_ANCHORSTACK_MATCH); \
4687 __func__, (*r)->anchor->name);
4693 f->rs = *rs;
4694 f->r = *r;
4695 if ((*r)->anchor_wildcard) {
4696 struct pf_keth_anchor_node *parent = &(*r)->anchor->children;
4698 if ((f->child = RB_MIN(pf_keth_anchor_node, parent)) == NULL) {
4702 *rs = &f->child->ruleset;
4704 f->child = NULL;
4705 *rs = &(*r)->anchor->ruleset;
4707 *r = TAILQ_FIRST((*rs)->active.rules);
4724 f = stack + *depth - 1;
4726 if (f->child != NULL) {
4740 f->child = RB_NEXT(pf_keth_anchor_node,
4741 &fr->anchor->children, f->child);
4742 if (f->child != NULL) {
4743 *rs = &f->child->ruleset;
4744 *r = TAILQ_FIRST((*rs)->active.rules);
4751 (*depth)--;
4754 *rs = f->rs;
4756 quick = fr->quick;
4771 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
4772 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
4776 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
4777 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
4778 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
4779 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]);
4780 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
4781 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]);
4782 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
4783 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]);
4794 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
4798 if (addr->addr32[3] == 0xffffffff) {
4799 addr->addr32[3] = 0;
4800 if (addr->addr32[2] == 0xffffffff) {
4801 addr->addr32[2] = 0;
4802 if (addr->addr32[1] == 0xffffffff) {
4803 addr->addr32[1] = 0;
4804 addr->addr32[0] =
4805 htonl(ntohl(addr->addr32[0]) + 1);
4807 addr->addr32[1] =
4808 htonl(ntohl(addr->addr32[1]) + 1);
4810 addr->addr32[2] =
4811 htonl(ntohl(addr->addr32[2]) + 1);
4813 addr->addr32[3] =
4814 htonl(ntohl(addr->addr32[3]) + 1);
4826 a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID|
4830 * Old-style scrub rules have different flags which need to be translated.
4832 if (r->rule_flag & PFRULE_RANDOMID)
4833 a->flags |= PFSTATE_RANDOMID;
4834 if (r->scrub_flags & PFSTATE_SETTOS || r->rule_flag & PFRULE_SET_TOS ) {
4835 a->flags |= PFSTATE_SETTOS;
4836 a->set_tos = r->set_tos;
4839 if (r->qid)
4840 a->qid = r->qid;
4841 if (r->pqid)
4842 a->pqid = r->pqid;
4843 if (r->rtableid >= 0)
4844 a->rtableid = r->rtableid;
4845 a->log |= r->log;
4846 if (r->min_ttl)
4847 a->min_ttl = r->min_ttl;
4848 if (r->max_mss)
4849 a->max_mss = r->max_mss;
4850 if (r->dnpipe)
4851 a->dnpipe = r->dnpipe;
4852 if (r->dnrpipe)
4853 a->dnrpipe = r->dnrpipe;
4854 if (r->dnpipe || r->dnrpipe) {
4855 if (r->free_flags & PFRULE_DN_IS_PIPE)
4856 a->flags |= PFSTATE_DN_IS_PIPE;
4858 a->flags &= ~PFSTATE_DN_IS_PIPE;
4860 if (r->scrub_flags & PFSTATE_SETPRIO) {
4861 a->set_prio[0] = r->set_prio[0];
4862 a->set_prio[1] = r->set_prio[1];
4874 pd->lookup.uid = UID_MAX;
4875 pd->lookup.gid = GID_MAX;
4877 switch (pd->proto) {
4879 sport = pd->hdr.tcp.th_sport;
4880 dport = pd->hdr.tcp.th_dport;
4884 sport = pd->hdr.udp.uh_sport;
4885 dport = pd->hdr.udp.uh_dport;
4889 return (-1);
4891 if (pd->dir == PF_IN) {
4892 saddr = pd->src;
4893 daddr = pd->dst;
4900 saddr = pd->dst;
4901 daddr = pd->src;
4903 switch (pd->af) {
4906 inp = in_pcblookup_mbuf(pi, saddr->v4, sport, daddr->v4,
4907 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m);
4909 inp = in_pcblookup_mbuf(pi, saddr->v4, sport,
4910 daddr->v4, dport, INPLOOKUP_WILDCARD |
4911 INPLOOKUP_RLOCKPCB, NULL, pd->m);
4913 return (-1);
4919 inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport, &daddr->v6,
4920 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m);
4922 inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport,
4923 &daddr->v6, dport, INPLOOKUP_WILDCARD |
4924 INPLOOKUP_RLOCKPCB, NULL, pd->m);
4926 return (-1);
4932 pd->lookup.uid = inp->inp_cred->cr_uid;
4933 pd->lookup.gid = inp->inp_cred->cr_groups[0];
4942 struct tcphdr *th = &pd->hdr.tcp;
4948 hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */
4951 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af))
4954 hlen -= sizeof(struct tcphdr);
4960 --hlen;
4972 hlen -= optlen;
4983 struct tcphdr *th = &pd->hdr.tcp;
4989 hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */
4992 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af))
4995 hlen -= sizeof(struct tcphdr);
5001 --hlen;
5011 hlen -= optlen;
5036 nh = fib4_lookup(rtableid, addr->v4, 0, 0, 0);
5038 mss = nh->nh_mtu - hlen - sizeof(struct tcphdr);
5044 in6_splitscope(&addr->v6, &dst6, &scopeid);
5047 mss = nh->nh_mtu - hlen - sizeof(struct tcphdr);
5054 mss = max(mss, 64); /* sanity - at least max opt space */
5074 MD5Update(&ctx, (char *)&pd->hdr.tcp.th_sport, sizeof(u_short));
5075 MD5Update(&ctx, (char *)&pd->hdr.tcp.th_dport, sizeof(u_short));
5076 switch (pd->af) {
5078 MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr));
5079 MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr));
5082 MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr));
5083 MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr));
5088 #define ISN_RANDOM_INCREMENT (4096 - 1)
5100 if (! r->isset)
5101 return (!r->neg);
5104 if ((a[i] & r->mask[i]) != (r->addr[i] & r->mask[i])) {
5110 return (match ^ r->neg);
5116 if (*tag == -1)
5119 return ((!r->match_tag_not && r->match_tag == *tag) ||
5120 (r->match_tag_not && r->match_tag != *tag));
5132 switch (ifp->if_type) {
5144 ifp->if_transmit(ifp, m);
5167 int tag = -1;
5171 MPASS(kif->pfik_ifp->if_vnet == curvnet);
5176 SDT_PROBE3(pf, eth, test_rule, entry, dir, kif->pfik_ifp, m);
5179 if (mtag != NULL && mtag->flags & PF_MTAG_FLAG_DUMMYNET) {
5180 /* Dummynet re-injects packets after they've
5192 rules = ck_pr_load_ptr(&ruleset->active.rules);
5196 if (__predict_false(m->m_len < sizeof(struct ether_header)) &&
5204 proto = ntohs(e->ether_type);
5240 counter_u64_add(r->evaluations, 1);
5241 SDT_PROBE2(pf, eth, test_rule, test, r->nr, r);
5243 if (pfi_kkif_match(r->kif, kif) == r->ifnot) {
5244 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5246 r = r->skip[PFE_SKIP_IFP].ptr;
5248 else if (r->direction && r->direction != dir) {
5249 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5251 r = r->skip[PFE_SKIP_DIR].ptr;
5253 else if (r->proto && r->proto != proto) {
5254 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5256 r = r->skip[PFE_SKIP_PROTO].ptr;
5258 else if (! pf_match_eth_addr(e->ether_shost, &r->src)) {
5259 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5261 r = r->skip[PFE_SKIP_SRC_ADDR].ptr;
5263 else if (! pf_match_eth_addr(e->ether_dhost, &r->dst)) {
5264 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5266 r = r->skip[PFE_SKIP_DST_ADDR].ptr;
5268 else if (src != NULL && PF_MISMATCHAW(&r->ipsrc.addr, src, af,
5269 r->ipsrc.neg, kif, M_GETFIB(m))) {
5270 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5272 r = r->skip[PFE_SKIP_SRC_IP_ADDR].ptr;
5274 else if (dst != NULL && PF_MISMATCHAW(&r->ipdst.addr, dst, af,
5275 r->ipdst.neg, kif, M_GETFIB(m))) {
5276 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5278 r = r->skip[PFE_SKIP_DST_IP_ADDR].ptr;
5280 else if (r->match_tag && !pf_match_eth_tag(m, r, &tag,
5281 mtag ? mtag->tag : 0)) {
5282 SDT_PROBE3(pf, eth, test_rule, mismatch, r->nr, r,
5287 if (r->tag)
5288 tag = r->tag;
5289 if (r->anchor == NULL) {
5293 SDT_PROBE2(pf, eth, test_rule, match, r->nr, r);
5295 if (r->quick)
5311 SDT_PROBE2(pf, eth, test_rule, final_match, (r != NULL ? r->nr : -1), r);
5320 counter_u64_add(r->packets[dir == PF_OUT], 1);
5321 counter_u64_add(r->bytes[dir == PF_OUT], m_length(m, NULL));
5325 if (r->action == PF_DROP) {
5338 mtag->tag = tag;
5341 if (r->qid != 0) {
5349 mtag->qid = r->qid;
5352 action = r->action;
5353 bridge_to = r->bridge_to;
5356 if (r->dnpipe) {
5384 dnflow.rule.info = r->dnpipe;
5386 if (r->dnflags & PFRULE_DN_IS_PIPE)
5393 dnflow.ifp = kif->pfik_ifp;
5398 dnflow.f_id.src_ip = src->v4.s_addr;
5399 dnflow.f_id.dst_ip = dst->v4.s_addr;
5404 dnflow.f_id.src_ip6 = src->v6;
5405 dnflow.f_id.dst_ip6 = dst->v6;
5411 mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
5420 pf_bridge_to(bridge_to->pfik_ifp, *m0);
5445 struct tcphdr *th = &pd->hdr.tcp;
5449 int tag = -1;
5461 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5462 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5468 pd->lookup.uid = inp->inp_cred->cr_uid;
5469 pd->lookup.gid = inp->inp_cred->cr_groups[0];
5470 pd->lookup.done = 1;
5473 switch (pd->virtual_proto) {
5475 pd->nsport = th->th_sport;
5476 pd->ndport = th->th_dport;
5479 pd->nsport = pd->hdr.udp.uh_sport;
5480 pd->ndport = pd->hdr.udp.uh_dport;
5483 pd->nsport = pd->hdr.sctp.src_port;
5484 pd->ndport = pd->hdr.sctp.dest_port;
5488 MPASS(pd->af == AF_INET);
5489 icmptype = pd->hdr.icmp.icmp_type;
5490 icmpcode = pd->hdr.icmp.icmp_code;
5494 pd->nsport = virtual_id;
5495 pd->ndport = virtual_type;
5497 pd->nsport = virtual_type;
5498 pd->ndport = virtual_id;
5504 MPASS(pd->af == AF_INET6);
5505 icmptype = pd->hdr.icmp6.icmp6_type;
5506 icmpcode = pd->hdr.icmp6.icmp6_code;
5510 pd->nsport = virtual_id;
5511 pd->ndport = virtual_type;
5513 pd->nsport = virtual_type;
5514 pd->ndport = virtual_id;
5520 pd->nsport = pd->ndport = 0;
5523 pd->osport = pd->nsport;
5524 pd->odport = pd->ndport;
5529 transerror = pf_get_translation(pd, pd->off, &sk, &nk, anchor_stack,
5543 if (nr->log) {
5548 if (pd->ip_sum)
5549 bip_sum = *pd->ip_sum;
5551 switch (pd->proto) {
5553 bproto_sum = th->th_sum;
5555 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) ||
5556 nk->port[pd->sidx] != pd->nsport) {
5557 pf_change_ap(pd->m, pd->src, &th->th_sport,
5558 pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
5559 nk->port[pd->sidx], 0, pd->af, pd->naf);
5560 pd->sport = &th->th_sport;
5561 pd->nsport = th->th_sport;
5562 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5565 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) ||
5566 nk->port[pd->didx] != pd->ndport) {
5567 pf_change_ap(pd->m, pd->dst, &th->th_dport,
5568 pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
5569 nk->port[pd->didx], 0, pd->af, pd->naf);
5570 pd->dport = &th->th_dport;
5571 pd->ndport = th->th_dport;
5572 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5577 bproto_sum = pd->hdr.udp.uh_sum;
5579 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) ||
5580 nk->port[pd->sidx] != pd->nsport) {
5581 pf_change_ap(pd->m, pd->src,
5582 &pd->hdr.udp.uh_sport,
5583 pd->ip_sum, &pd->hdr.udp.uh_sum,
5584 &nk->addr[pd->sidx],
5585 nk->port[pd->sidx], 1, pd->af, pd->naf);
5586 pd->sport = &pd->hdr.udp.uh_sport;
5587 pd->nsport = pd->hdr.udp.uh_sport;
5588 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5591 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) ||
5592 nk->port[pd->didx] != pd->ndport) {
5593 pf_change_ap(pd->m, pd->dst,
5594 &pd->hdr.udp.uh_dport,
5595 pd->ip_sum, &pd->hdr.udp.uh_sum,
5596 &nk->addr[pd->didx],
5597 nk->port[pd->didx], 1, pd->af, pd->naf);
5598 pd->dport = &pd->hdr.udp.uh_dport;
5599 pd->ndport = pd->hdr.udp.uh_dport;
5600 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5607 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) ||
5608 nk->port[pd->sidx] != pd->nsport) {
5609 pf_change_ap(pd->m, pd->src,
5610 &pd->hdr.sctp.src_port, pd->ip_sum, &checksum,
5611 &nk->addr[pd->sidx],
5612 nk->port[pd->sidx], 1, pd->af, pd->naf);
5613 pd->sport = &pd->hdr.sctp.src_port;
5614 pd->nsport = pd->hdr.sctp.src_port;
5615 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5617 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) ||
5618 nk->port[pd->didx] != pd->ndport) {
5619 pf_change_ap(pd->m, pd->dst,
5620 &pd->hdr.sctp.dest_port, pd->ip_sum, &checksum,
5621 &nk->addr[pd->didx],
5622 nk->port[pd->didx], 1, pd->af, pd->naf);
5623 pd->dport = &pd->hdr.sctp.dest_port;
5624 pd->ndport = pd->hdr.sctp.dest_port;
5625 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5631 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET)) {
5632 pf_change_a(&pd->src->v4.s_addr, pd->ip_sum,
5633 nk->addr[pd->sidx].v4.s_addr, 0);
5634 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5637 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET)) {
5638 pf_change_a(&pd->dst->v4.s_addr, pd->ip_sum,
5639 nk->addr[pd->didx].v4.s_addr, 0);
5640 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5644 nk->port[pd->sidx] != pd->hdr.icmp.icmp_id) {
5645 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup(
5646 pd->hdr.icmp.icmp_cksum, pd->nsport,
5647 nk->port[pd->sidx], 0);
5648 pd->hdr.icmp.icmp_id = nk->port[pd->sidx];
5649 pd->sport = &pd->hdr.icmp.icmp_id;
5651 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
5656 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET6)) {
5657 pf_change_a6(pd->src, &pd->hdr.icmp6.icmp6_cksum,
5658 &nk->addr[pd->sidx], 0);
5659 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5662 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET6)) {
5663 pf_change_a6(pd->dst, &pd->hdr.icmp6.icmp6_cksum,
5664 &nk->addr[pd->didx], 0);
5665 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5671 switch (pd->af) {
5674 if (PF_ANEQ(&pd->nsaddr,
5675 &nk->addr[pd->sidx], AF_INET)) {
5676 pf_change_a(&pd->src->v4.s_addr,
5677 pd->ip_sum,
5678 nk->addr[pd->sidx].v4.s_addr, 0);
5679 PF_ACPY(&pd->nsaddr, pd->src, pd->af);
5682 if (PF_ANEQ(&pd->ndaddr,
5683 &nk->addr[pd->didx], AF_INET)) {
5684 pf_change_a(&pd->dst->v4.s_addr,
5685 pd->ip_sum,
5686 nk->addr[pd->didx].v4.s_addr, 0);
5687 PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
5693 if (PF_ANEQ(&pd->nsaddr,
5694 &nk->addr[pd->sidx], AF_INET6)) {
5695 PF_ACPY(&pd->nsaddr, &nk->addr[pd->sidx], pd->af);
5696 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
5699 if (PF_ANEQ(&pd->ndaddr,
5700 &nk->addr[pd->didx], AF_INET6)) {
5701 PF_ACPY(&pd->ndaddr, &nk->addr[pd->didx], pd->af);
5702 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
5709 if (nr->natpass)
5714 if (pd->related_rule) {
5715 *rm = pd->related_rule;
5718 pf_counter_u64_add(&r->evaluations, 1);
5719 PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot,
5720 r->skip[PF_SKIP_IFP]);
5721 PF_TEST_ATTRIB(r->direction && r->direction != pd->dir,
5722 r->skip[PF_SKIP_DIR]);
5723 PF_TEST_ATTRIB(r->af && r->af != pd->af,
5724 r->skip[PF_SKIP_AF]);
5725 PF_TEST_ATTRIB(r->proto && r->proto != pd->proto,
5726 r->skip[PF_SKIP_PROTO]);
5727 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, pd->naf,
5728 r->src.neg, pd->kif, M_GETFIB(pd->m)),
5729 r->skip[PF_SKIP_SRC_ADDR]);
5730 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, pd->af,
5731 r->dst.neg, NULL, M_GETFIB(pd->m)),
5732 r->skip[PF_SKIP_DST_ADDR]);
5733 switch (pd->virtual_proto) {
5736 PF_TEST_ATTRIB((r->src.port_op || r->dst.port_op),
5738 PF_TEST_ATTRIB((pd->proto == IPPROTO_TCP && r->flagset),
5741 PF_TEST_ATTRIB((r->type || r->code),
5744 PF_TEST_ATTRIB((r->gid.op || r->uid.op),
5749 PF_TEST_ATTRIB((r->flagset & tcp_get_flags(th)) != r->flags,
5755 PF_TEST_ATTRIB(r->src.port_op && !pf_match_port(r->src.port_op,
5756 r->src.port[0], r->src.port[1], pd->nsport),
5757 r->skip[PF_SKIP_SRC_PORT]);
5759 PF_TEST_ATTRIB(r->dst.port_op && !pf_match_port(r->dst.port_op,
5760 r->dst.port[0], r->dst.port[1], pd->ndport),
5761 r->skip[PF_SKIP_DST_PORT]);
5763 PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done =
5765 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
5766 pd->lookup.uid),
5769 PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done =
5771 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
5772 pd->lookup.gid),
5779 PF_TEST_ATTRIB(r->type && r->type != icmptype + 1,
5782 PF_TEST_ATTRIB(r->code && r->code != icmpcode + 1,
5789 PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos),
5791 PF_TEST_ATTRIB(r->prio &&
5792 !pf_match_ieee8021q_pcp(r->prio, pd->m),
5794 PF_TEST_ATTRIB(r->prob &&
5795 r->prob <= arc4random(),
5797 PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag,
5798 pd->pf_mtag ? pd->pf_mtag->tag : 0),
5800 PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r),
5802 PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT &&
5803 pd->virtual_proto != PF_VPROTO_FRAGMENT),
5805 PF_TEST_ATTRIB(r->os_fingerprint != PF_OSFP_ANY &&
5806 (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match(
5808 r->os_fingerprint)),
5811 if (r->tag)
5812 tag = r->tag;
5813 if (r->anchor == NULL) {
5814 if (r->action == PF_MATCH) {
5820 ri->r = r;
5823 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
5824 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
5826 pf_rule_to_actions(r, &pd->act);
5827 if (r->rule_flag & PFRULE_AFTO)
5828 pd->naf = r->naf;
5829 if (pd->af != pd->naf) {
5830 if (pf_get_transaddr_af(r, pd) == -1) {
5835 if (r->log || pd->act.log & PF_LOG_MATCHES)
5836 PFLOG_PACKET(r->action, PFRES_MATCH, r,
5843 if (pd->act.log & PF_LOG_MATCHES)
5844 PFLOG_PACKET(r->action, PFRES_MATCH, r,
5847 if ((*rm)->quick)
5866 pf_rule_to_actions(r, &pd->act);
5867 if (r->rule_flag & PFRULE_AFTO)
5868 pd->naf = r->naf;
5869 if (pd->af != pd->naf) {
5870 if (pf_get_transaddr_af(r, pd) == -1) {
5876 if (r->log || pd->act.log & PF_LOG_MATCHES) {
5878 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
5879 PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1);
5882 if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
5883 (r->action == PF_DROP) &&
5884 ((r->rule_flag & PFRULE_RETURNRST) ||
5885 (r->rule_flag & PFRULE_RETURNICMP) ||
5886 (r->rule_flag & PFRULE_RETURN))) {
5888 bip_sum, &reason, r->rtableid);
5891 if (r->action == PF_DROP)
5898 if (pd->act.rtableid >= 0)
5899 M_SETFIB(pd->m, pd->act.rtableid);
5901 if (r->rt) {
5904 struct pf_kpool *pool = &r->route;
5907 if (TAILQ_EMPTY(&pool->list))
5908 pool = &r->rdr;
5914 pd->act.rt = r->rt;
5916 reason = pf_map_addr_sn(pd->af, r, pd->src, &pd->act.rt_addr,
5917 &pd->act.rt_kif, NULL, &sn, &snh, pool);
5922 if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
5923 (!state_icmp && (r->keep_state || nr != NULL ||
5924 (pd->flags & PFDESC_TCP_NORM)))) {
5933 pd->act.log |= PF_LOG_FORCE;
5935 (r->rule_flag & PFRULE_RETURN))
5938 pd->act.rtableid);
5942 nat64 = pd->af != pd->naf;
5948 sk = (*sm)->key[pd->dir == PF_IN ? PF_SK_STACK : PF_SK_WIRE];
5950 nk = (*sm)->key[pd->dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK];
5951 if (pd->dir == PF_IN)
5957 &_sk->addr[pd->didx],
5958 _sk->port[pd->didx],
5959 &_sk->addr[pd->sidx],
5960 _sk->port[pd->sidx],
5980 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
5982 if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) &&
5983 pd->dir == PF_OUT &&
5984 V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m))
5993 if (rewrite && sk != NULL && nk != NULL && sk->af != nk->af) {
6023 struct tcphdr *th = &pd->hdr.tcp;
6029 if (r->max_states &&
6030 (counter_u64_fetch(r->states_cur) >= r->max_states)) {
6036 if ((r->rule_flag & PFRULE_SRCTRACK ||
6037 r->rdr.opts & PF_POOL_STICKYADDR) &&
6038 (sn_reason = pf_insert_src_node(&sn, &snh, r, pd->src, pd->af,
6039 &pd->act.rt_addr, pd->act.rt_kif)) != 0) {
6044 if (nr != NULL && (nr->rdr.opts & PF_POOL_STICKYADDR) &&
6045 (sn_reason = pf_insert_src_node(&nsn, &nsnh, nr, &sk->addr[pd->sidx],
6046 pd->af, &nk->addr[1], NULL)) != 0 ) {
6055 s->rule = r;
6056 s->nat_rule = nr;
6057 s->anchor = a;
6058 bcopy(match_rules, &s->match_rules, sizeof(s->match_rules));
6059 memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions));
6062 if (r->allow_opts)
6063 s->state_flags |= PFSTATE_ALLOWOPTS;
6064 if (r->rule_flag & PFRULE_STATESLOPPY)
6065 s->state_flags |= PFSTATE_SLOPPY;
6066 if (pd->flags & PFDESC_TCP_NORM) /* Set by old-style scrub rules */
6067 s->state_flags |= PFSTATE_SCRUB_TCP;
6068 if ((r->rule_flag & PFRULE_PFLOW) ||
6069 (nr != NULL && nr->rule_flag & PFRULE_PFLOW))
6070 s->state_flags |= PFSTATE_PFLOW;
6072 s->act.log = pd->act.log & PF_LOG_ALL;
6073 s->sync_state = PFSYNC_S_NONE;
6074 s->state_flags |= pd->act.flags; /* Only needed for pfsync and state export */
6077 s->act.log |= nr->log & PF_LOG_ALL;
6078 switch (pd->proto) {
6080 s->src.seqlo = ntohl(th->th_seq);
6081 s->src.seqhi = s->src.seqlo + pd->p_len + 1;
6083 r->keep_state == PF_STATE_MODULATE) {
6085 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
6087 s->src.seqdiff = 1;
6088 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum,
6089 htonl(s->src.seqlo + s->src.seqdiff), 0);
6092 s->src.seqdiff = 0;
6094 s->src.seqhi++;
6095 s->src.wscale = pf_get_wscale(pd);
6097 s->src.max_win = MAX(ntohs(th->th_win), 1);
6098 if (s->src.wscale & PF_WSCALE_MASK) {
6100 int win = s->src.max_win;
6101 win += 1 << (s->src.wscale & PF_WSCALE_MASK);
6102 s->src.max_win = (win - 1) >>
6103 (s->src.wscale & PF_WSCALE_MASK);
6106 s->src.seqhi++;
6107 s->dst.seqhi = 1;
6108 s->dst.max_win = 1;
6111 s->timeout = PFTM_TCP_FIRST_PACKET;
6117 s->timeout = PFTM_UDP_FIRST_PACKET;
6122 s->timeout = PFTM_SCTP_FIRST_PACKET;
6128 s->timeout = PFTM_ICMP_FIRST_PACKET;
6133 s->timeout = PFTM_OTHER_FIRST_PACKET;
6136 s->creation = s->expire = pf_get_uptime();
6138 if (pd->proto == IPPROTO_TCP) {
6139 if (s->state_flags & PFSTATE_SCRUB_TCP &&
6140 pf_normalize_tcp_init(pd, th, &s->src, &s->dst)) {
6144 if (s->state_flags & PFSTATE_SCRUB_TCP && s->src.scrub &&
6146 &s->src, &s->dst, rewrite)) {
6153 } else if (pd->proto == IPPROTO_SCTP) {
6154 if (pf_normalize_sctp_init(pd, &s->src, &s->dst))
6156 if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP)))
6159 s->direction = pd->dir;
6167 MPASS(pd->sport == NULL || (pd->osport == *pd->sport));
6168 MPASS(pd->dport == NULL || (pd->odport == *pd->dport));
6169 if (pf_state_key_setup(pd, pd->nsport, pd->ndport, &sk, &nk)) {
6177 if (pf_state_insert(BOUND_IFACE(s, pd), pd->kif,
6178 (pd->dir == PF_IN) ? sk : nk,
6179 (pd->dir == PF_IN) ? nk : sk, s)) {
6189 s->src_node = sn;
6193 s->nat_src_node = nsn;
6198 s->tag = tag;
6199 if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) ==
6200 TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
6204 struct pf_state_key *skt = s->key[PF_SK_WIRE];
6205 if (pd->dir == PF_OUT)
6206 skt = s->key[PF_SK_STACK];
6207 PF_ACPY(pd->src, &skt->addr[pd->sidx], pd->af);
6208 PF_ACPY(pd->dst, &skt->addr[pd->didx], pd->af);
6209 if (pd->sport)
6210 *pd->sport = skt->port[pd->sidx];
6211 if (pd->dport)
6212 *pd->dport = skt->port[pd->didx];
6213 if (pd->ip_sum)
6214 *pd->ip_sum = bip_sum;
6215 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
6217 s->src.seqhi = htonl(arc4random());
6219 int rtid = M_GETFIB(pd->m);
6221 mss = pf_calc_mss(pd->src, pd->af, rtid, mss);
6222 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss);
6223 s->src.mss = mss;
6224 pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport,
6225 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
6226 TH_SYN|TH_ACK, 0, s->src.mss, 0, M_SKIP_FIREWALL, 0, 0,
6227 pd->act.rtableid);
6232 s->udp_mapping = udp_mapping;
6246 if (--sn->states == 0 && sn->expire == 0) {
6256 if (--nsn->states == 0 && nsn->expire == 0) {
6268 s->timeout = PFTM_UNLINKED;
6292 int afto = pd->af != pd->naf;
6296 switch (pd->proto) {
6298 if (afto || *pd->sport != sport) {
6299 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.tcp.th_sum,
6300 saddr, sport, 0, pd->af, pd->naf);
6303 if (afto || *pd->dport != dport) {
6304 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.tcp.th_sum,
6305 daddr, dport, 0, pd->af, pd->naf);
6311 if (afto || *pd->sport != sport) {
6312 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.udp.uh_sum,
6313 saddr, sport, 1, pd->af, pd->naf);
6316 if (afto || *pd->dport != dport) {
6317 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.udp.uh_sum,
6318 daddr, dport, 1, pd->af, pd->naf);
6325 if (afto || *pd->sport != sport) {
6326 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &checksum,
6327 saddr, sport, 1, pd->af, pd->naf);
6330 if (afto || *pd->dport != dport) {
6331 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &checksum,
6332 daddr, dport, 1, pd->af, pd->naf);
6341 if (pd->af != AF_INET)
6345 if (pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp))
6346 return (-1);
6347 pd->proto = IPPROTO_ICMPV6;
6353 if (icmpid != pd->hdr.icmp.icmp_id) {
6354 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup(
6355 pd->hdr.icmp.icmp_cksum,
6356 pd->hdr.icmp.icmp_id, icmpid, 0);
6357 pd->hdr.icmp.icmp_id = icmpid;
6368 if (pd->af != AF_INET6)
6373 if (pf_translate_icmp_af(AF_INET, &pd->hdr.icmp6))
6375 pd->proto = IPPROTO_ICMP;
6392 struct tcphdr *th = &pd->hdr.tcp;
6394 u_int16_t win = ntohs(th->th_win);
6395 u_int32_t ack, end, data_end, seq, orig_seq;
6399 if (pd->dir == (*state)->direction) {
6400 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
6401 src = &(*state)->dst;
6402 dst = &(*state)->src;
6404 src = &(*state)->src;
6405 dst = &(*state)->dst;
6410 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
6411 src = &(*state)->src;
6412 dst = &(*state)->dst;
6414 src = &(*state)->dst;
6415 dst = &(*state)->src;
6421 if (src->wscale && dst->wscale && !(tcp_get_flags(th) & TH_SYN)) {
6422 sws = src->wscale & PF_WSCALE_MASK;
6423 dws = dst->wscale & PF_WSCALE_MASK;
6429 * http://www.madison-gurkha.com/publications/tcp_filtering/
6433 orig_seq = seq = ntohl(th->th_seq);
6434 if (src->seqlo == 0) {
6437 if (((*state)->state_flags & PFSTATE_SCRUB_TCP || dst->scrub) &&
6438 src->scrub == NULL) {
6446 if (dst->seqdiff && !src->seqdiff) {
6448 while ((src->seqdiff = arc4random() - seq) == 0)
6450 ack = ntohl(th->th_ack) - dst->seqdiff;
6451 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq +
6452 src->seqdiff), 0);
6453 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0);
6456 ack = ntohl(th->th_ack);
6459 end = seq + pd->p_len;
6462 if (dst->wscale & PF_WSCALE_FLAG) {
6463 src->wscale = pf_get_wscale(pd);
6464 if (src->wscale & PF_WSCALE_FLAG) {
6467 sws = src->wscale & PF_WSCALE_MASK;
6468 win = ((u_int32_t)win + (1 << sws) - 1)
6470 dws = dst->wscale & PF_WSCALE_MASK;
6473 dst->max_win = MIN(TCP_MAXWIN,
6474 (u_int32_t)dst->max_win <<
6475 (dst->wscale & PF_WSCALE_MASK));
6476 /* in case of a retrans SYN|ACK */
6477 dst->wscale = 0;
6485 src->seqlo = seq;
6486 if (src->state < TCPS_SYN_SENT)
6494 if (src->seqhi == 1 ||
6495 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
6496 src->seqhi = end + MAX(1, dst->max_win << dws);
6497 if (win > src->max_win)
6498 src->max_win = win;
6501 ack = ntohl(th->th_ack) - dst->seqdiff;
6502 if (src->seqdiff) {
6504 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq +
6505 src->seqdiff), 0);
6506 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0);
6509 end = seq + pd->p_len;
6518 /* Let it pass through the ack skew check */
6519 ack = dst->seqlo;
6520 } else if ((ack == 0 &&
6522 /* broken tcp stacks do not set ack */
6523 (dst->state < TCPS_SYN_SENT)) {
6525 * Many stacks (ours included) will set the ACK number in an
6526 * FIN|ACK if the SYN times out -- no sequence to ACK.
6528 ack = dst->seqlo;
6533 seq = src->seqlo;
6537 ackskew = dst->seqlo - ack;
6541 * (Selective ACK). We could optionally validate the SACK values
6542 * against the current ACK window, either forwards or backwards, but
6551 if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) {
6557 if (SEQ_GEQ(src->seqhi, data_end) &&
6559 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
6561 (ackskew >= -MAXACKWINDOW) &&
6565 ((tcp_get_flags(th) & TH_RST) == 0 || orig_seq == src->seqlo ||
6566 (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) {
6569 if (dst->scrub || src->scrub) {
6576 if (src->max_win < win)
6577 src->max_win = win;
6579 if (SEQ_GT(end, src->seqlo))
6580 src->seqlo = end;
6582 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
6583 dst->seqhi = ack + MAX((win << sws), 1);
6587 if (src->state < TCPS_SYN_SENT)
6590 if (src->state < TCPS_CLOSING)
6593 if (dst->state == TCPS_SYN_SENT) {
6596 if (src->state == TCPS_ESTABLISHED &&
6597 (*state)->src_node != NULL &&
6602 } else if (dst->state == TCPS_CLOSING)
6610 (*state)->expire = pf_get_uptime();
6611 if (src->state >= TCPS_FIN_WAIT_2 &&
6612 dst->state >= TCPS_FIN_WAIT_2)
6613 (*state)->timeout = PFTM_TCP_CLOSED;
6614 else if (src->state >= TCPS_CLOSING &&
6615 dst->state >= TCPS_CLOSING)
6616 (*state)->timeout = PFTM_TCP_FIN_WAIT;
6617 else if (src->state < TCPS_ESTABLISHED ||
6618 dst->state < TCPS_ESTABLISHED)
6619 (*state)->timeout = PFTM_TCP_OPENING;
6620 else if (src->state >= TCPS_CLOSING ||
6621 dst->state >= TCPS_CLOSING)
6622 (*state)->timeout = PFTM_TCP_CLOSING;
6624 (*state)->timeout = PFTM_TCP_ESTABLISHED;
6628 } else if ((dst->state < TCPS_SYN_SENT ||
6629 dst->state >= TCPS_FIN_WAIT_2 ||
6630 src->state >= TCPS_FIN_WAIT_2) &&
6631 SEQ_GEQ(src->seqhi + MAXACKWINDOW, data_end) &&
6633 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
6644 * closes (this should catch Solaris spurious ACK|FINs
6661 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
6662 "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
6663 pd->p_len, ackskew, (unsigned long long)(*state)->packets[0],
6664 (unsigned long long)(*state)->packets[1],
6665 pd->dir == PF_IN ? "in" : "out",
6666 pd->dir == (*state)->direction ? "fwd" : "rev");
6669 if (dst->scrub || src->scrub) {
6676 if (src->max_win < win)
6677 src->max_win = win;
6679 if (SEQ_GT(end, src->seqlo))
6680 src->seqlo = end;
6682 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
6683 dst->seqhi = ack + MAX((win << sws), 1);
6686 * Cannot set dst->seqhi here since this could be a shotgunned
6691 if (src->state < TCPS_CLOSING)
6699 if ((*state)->dst.state == TCPS_SYN_SENT &&
6700 (*state)->src.state == TCPS_SYN_SENT) {
6703 pf_send_tcp((*state)->rule, pd->af,
6704 pd->dst, pd->src, th->th_dport,
6705 th->th_sport, ntohl(th->th_ack), 0,
6707 (*state)->rule->return_ttl, M_SKIP_FIREWALL,
6708 0, 0, (*state)->act.rtableid);
6709 src->seqlo = 0;
6710 src->seqhi = 1;
6711 src->max_win = 1;
6716 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
6718 seq, orig_seq, ack, pd->p_len, ackskew,
6719 (unsigned long long)(*state)->packets[0],
6720 (unsigned long long)(*state)->packets[1],
6721 pd->dir == PF_IN ? "in" : "out",
6722 pd->dir == (*state)->direction ? "fwd" : "rev");
6724 SEQ_GEQ(src->seqhi, data_end) ? ' ' : '1',
6725 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
6727 (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
6729 SEQ_GEQ(src->seqhi + MAXACKWINDOW, data_end) ?' ' :'5',
6730 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
6742 struct tcphdr *th = &pd->hdr.tcp;
6746 if (pd->dir == (*state)->direction) {
6747 src = &(*state)->src;
6748 dst = &(*state)->dst;
6752 src = &(*state)->dst;
6753 dst = &(*state)->src;
6759 if (src->state < TCPS_SYN_SENT)
6762 if (src->state < TCPS_CLOSING)
6765 if (dst->state == TCPS_SYN_SENT) {
6767 if (src->state == TCPS_ESTABLISHED &&
6768 (*state)->src_node != NULL &&
6773 } else if (dst->state == TCPS_CLOSING) {
6775 } else if (src->state == TCPS_SYN_SENT &&
6776 dst->state < TCPS_SYN_SENT) {
6779 * half of the connection. If there is a ACK after
6785 dst->state = src->state = TCPS_ESTABLISHED;
6786 if ((*state)->src_node != NULL &&
6791 } else if (src->state == TCPS_CLOSING &&
6792 dst->state == TCPS_ESTABLISHED &&
6793 dst->seqlo == 0) {
6796 * don't see the full bidirectional FIN/ACK+ACK
6806 (*state)->expire = pf_get_uptime();
6807 if (src->state >= TCPS_FIN_WAIT_2 &&
6808 dst->state >= TCPS_FIN_WAIT_2)
6809 (*state)->timeout = PFTM_TCP_CLOSED;
6810 else if (src->state >= TCPS_CLOSING &&
6811 dst->state >= TCPS_CLOSING)
6812 (*state)->timeout = PFTM_TCP_FIN_WAIT;
6813 else if (src->state < TCPS_ESTABLISHED ||
6814 dst->state < TCPS_ESTABLISHED)
6815 (*state)->timeout = PFTM_TCP_OPENING;
6816 else if (src->state >= TCPS_CLOSING ||
6817 dst->state >= TCPS_CLOSING)
6818 (*state)->timeout = PFTM_TCP_CLOSING;
6820 (*state)->timeout = PFTM_TCP_ESTABLISHED;
6828 struct pf_state_key *sk = (*state)->key[pd->didx];
6829 struct tcphdr *th = &pd->hdr.tcp;
6831 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
6832 if (pd->dir != (*state)->direction) {
6837 if (ntohl(th->th_seq) != (*state)->src.seqlo) {
6841 pf_send_tcp((*state)->rule, pd->af, pd->dst,
6842 pd->src, th->th_dport, th->th_sport,
6843 (*state)->src.seqhi, ntohl(th->th_seq) + 1,
6844 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0,
6845 M_SKIP_FIREWALL, 0, 0, (*state)->act.rtableid);
6849 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
6850 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
6853 } else if ((*state)->src_node != NULL &&
6861 if ((*state)->src.state == PF_TCPS_PROXY_DST) {
6862 if (pd->dir == (*state)->direction) {
6864 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
6865 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
6869 (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
6870 if ((*state)->dst.seqhi == 1)
6871 (*state)->dst.seqhi = htonl(arc4random());
6872 pf_send_tcp((*state)->rule, pd->af,
6873 &sk->addr[pd->sidx], &sk->addr[pd->didx],
6874 sk->port[pd->sidx], sk->port[pd->didx],
6875 (*state)->dst.seqhi, 0, TH_SYN, 0,
6876 (*state)->src.mss, 0,
6877 (*state)->orig_kif->pfik_ifp == V_loif ? M_LOOP : 0,
6878 (*state)->tag, 0, (*state)->act.rtableid);
6883 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
6887 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
6888 (*state)->dst.seqlo = ntohl(th->th_seq);
6889 pf_send_tcp((*state)->rule, pd->af, pd->dst,
6890 pd->src, th->th_dport, th->th_sport,
6891 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
6892 TH_ACK, (*state)->src.max_win, 0, 0, 0,
6893 (*state)->tag, 0, (*state)->act.rtableid);
6894 pf_send_tcp((*state)->rule, pd->af,
6895 &sk->addr[pd->sidx], &sk->addr[pd->didx],
6896 sk->port[pd->sidx], sk->port[pd->didx],
6897 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
6898 TH_ACK, (*state)->dst.max_win, 0, 0,
6899 M_SKIP_FIREWALL, 0, 0, (*state)->act.rtableid);
6900 (*state)->src.seqdiff = (*state)->dst.seqhi -
6901 (*state)->src.seqlo;
6902 (*state)->dst.seqdiff = (*state)->src.seqhi -
6903 (*state)->dst.seqlo;
6904 (*state)->src.seqhi = (*state)->src.seqlo +
6905 (*state)->dst.max_win;
6906 (*state)->dst.seqhi = (*state)->dst.seqlo +
6907 (*state)->src.max_win;
6908 (*state)->src.wscale = (*state)->dst.wscale = 0;
6924 struct tcphdr *th = &pd->hdr.tcp;
6930 key.af = pd->af;
6932 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
6933 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
6934 key.port[pd->sidx] = th->th_sport;
6935 key.port[pd->didx] = th->th_dport;
6939 if (pd->dir == (*state)->direction) {
6940 src = &(*state)->src;
6941 dst = &(*state)->dst;
6943 src = &(*state)->dst;
6944 dst = &(*state)->src;
6950 if (dst->state >= TCPS_FIN_WAIT_2 &&
6951 src->state >= TCPS_FIN_WAIT_2 &&
6954 pf_syncookie_check(pd) && pd->dir == PF_IN))) {
6968 if ((*state)->state_flags & PFSTATE_SLOPPY) {
6981 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
6985 if (PF_REVERSED_KEY((*state)->key, pd->af))
6986 nk = (*state)->key[pd->sidx];
6988 nk = (*state)->key[pd->didx];
6990 afto = pd->af != nk->af;
6991 sidx = afto ? pd->didx : pd->sidx;
6992 didx = afto ? pd->sidx : pd->didx;
6994 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) ||
6995 nk->port[sidx] != th->th_sport)
6996 pf_change_ap(pd->m, pd->src, &th->th_sport,
6997 pd->ip_sum, &th->th_sum, &nk->addr[sidx],
6998 nk->port[sidx], 0, pd->af, nk->af);
7000 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) ||
7001 nk->port[didx] != th->th_dport)
7002 pf_change_ap(pd->m, pd->dst, &th->th_dport,
7003 pd->ip_sum, &th->th_sum, &nk->addr[didx],
7004 nk->port[didx], 0, pd->af, nk->af);
7007 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7008 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7009 pd->naf = nk->af;
7018 m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th);
7028 struct udphdr *uh = &pd->hdr.udp;
7033 key.af = pd->af;
7035 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
7036 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
7037 key.port[pd->sidx] = uh->uh_sport;
7038 key.port[pd->didx] = uh->uh_dport;
7042 if (pd->dir == (*state)->direction) {
7043 src = &(*state)->src;
7044 dst = &(*state)->dst;
7048 src = &(*state)->dst;
7049 dst = &(*state)->src;
7055 if (src->state < PFUDPS_SINGLE)
7057 if (dst->state == PFUDPS_SINGLE)
7061 (*state)->expire = pf_get_uptime();
7062 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
7063 (*state)->timeout = PFTM_UDP_MULTIPLE;
7065 (*state)->timeout = PFTM_UDP_SINGLE;
7068 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
7072 if (PF_REVERSED_KEY((*state)->key, pd->af))
7073 nk = (*state)->key[pd->sidx];
7075 nk = (*state)->key[pd->didx];
7077 afto = pd->af != nk->af;
7078 sidx = afto ? pd->didx : pd->sidx;
7079 didx = afto ? pd->sidx : pd->didx;
7081 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) ||
7082 nk->port[sidx] != uh->uh_sport)
7083 pf_change_ap(pd->m, pd->src, &uh->uh_sport, pd->ip_sum,
7084 &uh->uh_sum, &nk->addr[pd->sidx],
7085 nk->port[sidx], 1, pd->af, nk->af);
7087 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) ||
7088 nk->port[didx] != uh->uh_dport)
7089 pf_change_ap(pd->m, pd->dst, &uh->uh_dport, pd->ip_sum,
7090 &uh->uh_sum, &nk->addr[pd->didx],
7091 nk->port[didx], 1, pd->af, nk->af);
7094 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7095 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7096 pd->naf = nk->af;
7100 m_copyback(pd->m, pd->off, sizeof(*uh), (caddr_t)uh);
7111 if (pd->dir == state->direction) {
7112 if (PF_REVERSED_KEY(state->key, pd->af))
7113 src = &state->dst;
7115 src = &state->src;
7117 if (PF_REVERSED_KEY(state->key, pd->af))
7118 src = &state->src;
7120 src = &state->dst;
7123 if (src->scrub != NULL) {
7124 if (src->scrub->pfss_v_tag == 0)
7125 src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
7126 else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
7139 struct sctphdr *sh = &pd->hdr.sctp;
7143 key.af = pd->af;
7145 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
7146 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
7147 key.port[pd->sidx] = sh->src_port;
7148 key.port[pd->didx] = sh->dest_port;
7152 if (pd->dir == (*state)->direction) {
7153 src = &(*state)->src;
7154 dst = &(*state)->dst;
7157 src = &(*state)->dst;
7158 dst = &(*state)->src;
7162 if ((src->state >= SCTP_SHUTDOWN_SENT || src->state == SCTP_CLOSED) &&
7163 (dst->state >= SCTP_SHUTDOWN_SENT || dst->state == SCTP_CLOSED) &&
7164 pd->sctp_flags & PFDESC_SCTP_INIT) {
7175 if (pd->sctp_flags & PFDESC_SCTP_INIT) {
7176 if (src->state < SCTP_COOKIE_WAIT) {
7178 (*state)->timeout = PFTM_SCTP_OPENING;
7181 if (pd->sctp_flags & PFDESC_SCTP_INIT_ACK) {
7182 MPASS(dst->scrub != NULL);
7183 if (dst->scrub->pfss_v_tag == 0)
7184 dst->scrub->pfss_v_tag = pd->sctp_initiate_tag;
7188 * Bind to the correct interface if we're if-bound. For multihomed
7192 if ((*state)->kif == V_pfi_all &&
7193 (*state)->rule->rule_flag & PFRULE_IFBOUND)
7194 (*state)->kif = pd->kif;
7196 if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) {
7197 if (src->state < SCTP_ESTABLISHED) {
7199 (*state)->timeout = PFTM_SCTP_ESTABLISHED;
7202 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN |
7204 if (src->state < SCTP_SHUTDOWN_PENDING) {
7206 (*state)->timeout = PFTM_SCTP_CLOSING;
7209 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE | PFDESC_SCTP_ABORT)) {
7211 (*state)->timeout = PFTM_SCTP_CLOSED;
7214 (*state)->expire = pf_get_uptime();
7217 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
7222 if (PF_REVERSED_KEY((*state)->key, pd->af))
7223 nk = (*state)->key[pd->sidx];
7225 nk = (*state)->key[pd->didx];
7227 afto = pd->af != nk->af;
7228 sidx = afto ? pd->didx : pd->sidx;
7229 didx = afto ? pd->sidx : pd->didx;
7231 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) ||
7232 nk->port[sidx] != pd->hdr.sctp.src_port) {
7233 pf_change_ap(pd->m, pd->src, &pd->hdr.sctp.src_port,
7234 pd->ip_sum, &checksum, &nk->addr[sidx],
7235 nk->port[sidx], 1, pd->af, pd->naf);
7238 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) ||
7239 nk->port[didx] != pd->hdr.sctp.dest_port) {
7240 pf_change_ap(pd->m, pd->dst, &pd->hdr.sctp.dest_port,
7241 pd->ip_sum, &checksum, &nk->addr[didx],
7242 nk->port[didx], 1, pd->af, pd->naf);
7246 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7247 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7248 pd->naf = nk->af;
7261 struct pf_state_key *sks = s->key[PF_SK_STACK];
7264 if (sks == NULL || sks->proto != IPPROTO_SCTP || s->dst.scrub == NULL)
7269 key.v_tag = s->dst.scrub->pfss_v_tag;
7272 TAILQ_FOREACH_SAFE(i, &ep->sources, entry, tmp) {
7273 if (pf_addr_cmp(&i->addr,
7274 &s->key[PF_SK_WIRE]->addr[s->direction == PF_OUT],
7275 s->key[PF_SK_WIRE]->af) == 0) {
7278 TAILQ_REMOVE(&ep->sources, i, entry);
7284 if (TAILQ_EMPTY(&ep->sources)) {
7291 key.v_tag = s->src.scrub->pfss_v_tag;
7294 TAILQ_FOREACH_SAFE(i, &ep->sources, entry, tmp) {
7295 if (pf_addr_cmp(&i->addr,
7296 &s->key[PF_SK_WIRE]->addr[s->direction == PF_IN],
7297 s->key[PF_SK_WIRE]->af) == 0) {
7300 TAILQ_REMOVE(&ep->sources, i, entry);
7306 if (TAILQ_EMPTY(&ep->sources)) {
7335 ep->v_tag = v_tag;
7336 TAILQ_INIT(&ep->sources);
7341 TAILQ_FOREACH(i, &ep->sources, entry) {
7342 if (pf_addr_cmp(&i->addr, a, pd->af) == 0) {
7354 i->af = pd->af;
7355 memcpy(&i->addr, a, sizeof(*a));
7356 TAILQ_INSERT_TAIL(&ep->sources, i, entry);
7378 TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) {
7383 MPASS(! (pd->sctp_flags & PFDESC_SCTP_ADD_IP));
7385 switch (j->op) {
7387 uint32_t v_tag = pd->sctp_initiate_tag;
7390 if (s->direction == pd->dir)
7391 v_tag = s->src.scrub->pfss_v_tag;
7393 v_tag = s->dst.scrub->pfss_v_tag;
7402 if (pf_addr_cmp(&j->src, pd->src, pd->af) == 0) {
7406 j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP;
7409 if (s->rule->rule_flag & PFRULE_ALLOW_RELATED) {
7410 j->pd.related_rule = s->rule;
7413 &j->pd, &ra, &rs, NULL);
7415 SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->pd.m, ret);
7418 if (sm->direction == s->direction) {
7419 sm->src.scrub->pfss_v_tag = s->src.scrub->pfss_v_tag;
7420 sm->dst.scrub->pfss_v_tag = s->dst.scrub->pfss_v_tag;
7422 sm->src.scrub->pfss_v_tag = s->dst.scrub->pfss_v_tag;
7423 sm->dst.scrub->pfss_v_tag = s->src.scrub->pfss_v_tag;
7432 pf_sctp_multihome_add_addr(pd, &j->src, v_tag);
7442 .v_tag = pd->hdr.sctp.v_tag,
7454 TAILQ_FOREACH(i, &ep->sources, entry) {
7458 if (i->af != pd->af)
7465 memcpy(&nj->pd, &j->pd, sizeof(j->pd));
7466 memcpy(&nj->src, &j->src, sizeof(nj->src));
7467 nj->pd.src = &nj->src;
7469 memcpy(&nj->dst, &i->addr, sizeof(nj->dst));
7470 nj->pd.dst = &nj->dst;
7471 nj->pd.m = j->pd.m;
7472 nj->op = j->op;
7474 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, nj, next);
7485 key.af = j->pd.af;
7487 if (j->pd.dir == PF_IN) { /* wire side, straight */
7488 PF_ACPY(&key.addr[0], j->pd.src, key.af);
7489 PF_ACPY(&key.addr[1], j->pd.dst, key.af);
7490 key.port[0] = j->pd.hdr.sctp.src_port;
7491 key.port[1] = j->pd.hdr.sctp.dest_port;
7493 PF_ACPY(&key.addr[1], j->pd.src, key.af);
7494 PF_ACPY(&key.addr[0], j->pd.dst, key.af);
7495 key.port[1] = j->pd.hdr.sctp.src_port;
7496 key.port[0] = j->pd.hdr.sctp.dest_port;
7499 sm = pf_find_state(kif, &key, j->pd.dir);
7502 if (j->pd.dir == sm->direction) {
7508 sm->timeout = PFTM_SCTP_CLOSING;
7513 panic("Unknown op %#x", j->op);
7518 TAILQ_REMOVE(&pd->sctp_multihome_jobs, j, next);
7523 if (! TAILQ_EMPTY(&pd->sctp_multihome_jobs)) {
7540 if (!pf_pull_hdr(pd->m, start + off, &h, sizeof(h), NULL, NULL,
7541 pd->af))
7559 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t),
7560 NULL, NULL, pd->af))
7564 t.s_addr = pd->src->v4.s_addr;
7569 * LOR (and potentially double-lock things too). We also
7582 memcpy(&job->pd, pd, sizeof(*pd));
7585 memcpy(&job->src, &t, sizeof(t));
7586 job->pd.src = &job->src;
7587 memcpy(&job->dst, pd->dst, sizeof(job->dst));
7588 job->pd.dst = &job->dst;
7589 job->pd.m = pd->m;
7590 job->op = op;
7592 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next);
7603 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t),
7604 NULL, NULL, pd->af))
7606 if (memcmp(&t, &pd->src->v6, sizeof(t)) == 0)
7609 memcpy(&t, &pd->src->v6, sizeof(t));
7617 memcpy(&job->pd, pd, sizeof(*pd));
7618 memcpy(&job->src, &t, sizeof(t));
7619 job->pd.src = &job->src;
7620 memcpy(&job->dst, pd->dst, sizeof(job->dst));
7621 job->pd.dst = &job->dst;
7622 job->pd.m = pd->m;
7623 job->op = op;
7625 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next);
7633 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
7634 NULL, NULL, pd->af))
7638 ntohs(ah.ph.param_length) - sizeof(ah), pd,
7648 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
7649 NULL, NULL, pd->af))
7652 ntohs(ah.ph.param_length) - sizeof(ah), pd,
7672 len -= sizeof(struct sctp_init_chunk);
7681 len -= sizeof(struct sctp_asconf_chunk);
7692 key->af = pd->af;
7693 key->proto = pd->proto;
7695 *iidx = pd->sidx;
7696 key->port[pd->sidx] = icmpid;
7697 key->port[pd->didx] = type;
7699 *iidx = pd->didx;
7700 key->port[pd->sidx] = type;
7701 key->port[pd->didx] = icmpid;
7708 if ((*state)->state_flags & PFSTATE_SLOPPY)
7709 return (-1);
7712 if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af)
7713 direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ?
7716 direction = (*state)->direction;
7717 if ((*state)->rule->type &&
7718 (((!inner && direction == pd->dir) ||
7719 (inner && direction != pd->dir)) ?
7731 return (-1);
7738 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
7750 switch (pd->proto) {
7753 icmptype = pd->hdr.icmp.icmp_type;
7754 icmpcode = pd->hdr.icmp.icmp_code;
7755 icmpid = pd->hdr.icmp.icmp_id;
7756 icmpsum = &pd->hdr.icmp.icmp_cksum;
7761 icmptype = pd->hdr.icmp6.icmp6_type;
7762 icmpcode = pd->hdr.icmp6.icmp6_code;
7764 icmpid = pd->hdr.icmp6.icmp6_id;
7766 icmpsum = &pd->hdr.icmp6.icmp6_cksum;
7777 ret = pf_icmp_state_lookup(&key, pd, state, pd->dir,
7782 if (ret == PF_DROP && pd->af == AF_INET6 &&
7785 pd->dir, virtual_id, virtual_type,
7795 (*state)->expire = pf_get_uptime();
7796 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
7799 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
7803 if (PF_REVERSED_KEY((*state)->key, pd->af))
7804 nk = (*state)->key[pd->sidx];
7806 nk = (*state)->key[pd->didx];
7808 afto = pd->af != nk->af;
7809 sidx = afto ? pd->didx : pd->sidx;
7810 didx = afto ? pd->sidx : pd->didx;
7813 switch (pd->af) {
7819 &pd->hdr.icmp))
7821 pd->proto = IPPROTO_ICMPV6;
7825 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET))
7826 pf_change_a(&saddr->v4.s_addr,
7827 pd->ip_sum,
7828 nk->addr[sidx].v4.s_addr,
7831 if (!afto && PF_ANEQ(pd->dst,
7832 &nk->addr[didx], AF_INET))
7833 pf_change_a(&daddr->v4.s_addr,
7834 pd->ip_sum,
7835 nk->addr[didx].v4.s_addr, 0);
7837 if (nk->port[iidx] !=
7838 pd->hdr.icmp.icmp_id) {
7839 pd->hdr.icmp.icmp_cksum =
7841 pd->hdr.icmp.icmp_cksum, icmpid,
7842 nk->port[iidx], 0);
7843 pd->hdr.icmp.icmp_id =
7844 nk->port[iidx];
7847 m_copyback(pd->m, pd->off, ICMP_MINLEN,
7848 (caddr_t )&pd->hdr.icmp);
7856 &pd->hdr.icmp6))
7858 pd->proto = IPPROTO_ICMP;
7862 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET6))
7864 &pd->hdr.icmp6.icmp6_cksum,
7865 &nk->addr[sidx], 0);
7867 if (!afto && PF_ANEQ(pd->dst,
7868 &nk->addr[didx], AF_INET6))
7870 &pd->hdr.icmp6.icmp6_cksum,
7871 &nk->addr[didx], 0);
7873 if (nk->port[iidx] != pd->hdr.icmp6.icmp6_id)
7874 pd->hdr.icmp6.icmp6_id =
7875 nk->port[iidx];
7877 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr),
7878 (caddr_t )&pd->hdr.icmp6);
7883 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af);
7884 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af);
7885 pd->naf = nk->af;
7907 pd2.af = pd->af;
7908 pd2.dir = pd->dir;
7910 pd2.sidx = (pd->dir == PF_IN) ? 1 : 0;
7911 pd2.didx = (pd->dir == PF_IN) ? 0 : 1;
7912 pd2.m = pd->m;
7913 switch (pd->af) {
7917 ipoff2 = pd->off + ICMP_MINLEN;
7919 if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2),
7927 * ICMP error messages don't refer to non-first
7946 ipoff2 = pd->off + sizeof(struct icmp6_hdr);
7948 if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6),
7966 if (PF_ANEQ(pd->dst, pd2.src, pd->af)) {
7970 pf_print_host(pd->src, 0, pd->af);
7971 printf(" -> ");
7972 pf_print_host(pd->dst, 0, pd->af);
7975 printf(" -> ");
7996 if (!pf_pull_hdr(pd->m, pd2.off, &th, 8, NULL, reason,
8013 if (pd->dir == (*state)->direction) {
8014 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
8015 src = &(*state)->src;
8016 dst = &(*state)->dst;
8018 src = &(*state)->dst;
8019 dst = &(*state)->src;
8022 if (PF_REVERSED_KEY((*state)->key, pd->af)) {
8023 src = &(*state)->dst;
8024 dst = &(*state)->src;
8026 src = &(*state)->src;
8027 dst = &(*state)->dst;
8031 if (src->wscale && dst->wscale)
8032 dws = dst->wscale & PF_WSCALE_MASK;
8037 seq = ntohl(th.th_seq) - src->seqdiff;
8038 if (src->seqdiff) {
8044 if (!((*state)->state_flags & PFSTATE_SLOPPY) &&
8045 (!SEQ_GEQ(src->seqhi, seq) ||
8046 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)))) {
8050 pf_print_host(pd->src, 0, pd->af);
8051 printf(" -> ");
8052 pf_print_host(pd->dst, 0, pd->af);
8063 pf_print_host(pd->src, 0, pd->af);
8064 printf(" -> ");
8065 pf_print_host(pd->dst, 0, pd->af);
8073 if ((*state)->key[PF_SK_WIRE] !=
8074 (*state)->key[PF_SK_STACK]) {
8078 if (PF_REVERSED_KEY((*state)->key, pd->af))
8079 nk = (*state)->key[pd->sidx];
8081 nk = (*state)->key[pd->didx];
8086 afto = pd->af != nk->af;
8091 if (pf_translate_icmp_af(nk->af,
8092 &pd->hdr.icmp))
8094 m_copyback(pd->m, pd->off,
8096 (c_caddr_t)&pd->hdr.icmp6);
8097 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8098 &pd2, &nk->addr[sidx],
8099 &nk->addr[didx], pd->af,
8100 nk->af))
8102 if (nk->af == AF_INET)
8103 pd->proto = IPPROTO_ICMP;
8105 pd->proto = IPPROTO_ICMPV6;
8106 th.th_sport = nk->port[sidx];
8107 th.th_dport = nk->port[didx];
8109 PF_ACPY(pd->src,
8110 &nk->addr[pd2.sidx], nk->af);
8111 PF_ACPY(pd->dst,
8112 &nk->addr[pd2.didx], nk->af);
8113 pd->naf = nk->af;
8119 &nk->addr[pd2.sidx], pd2.af) ||
8120 nk->port[pd2.sidx] != th.th_sport)
8122 daddr, &nk->addr[pd2.sidx],
8123 nk->port[pd2.sidx], NULL,
8125 pd->ip_sum, 0, pd2.af);
8128 &nk->addr[pd2.didx], pd2.af) ||
8129 nk->port[pd2.didx] != th.th_dport)
8131 saddr, &nk->addr[pd2.didx],
8132 nk->port[pd2.didx], NULL,
8134 pd->ip_sum, 0, pd2.af);
8142 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8143 (caddr_t )&pd->hdr.icmp);
8144 m_copyback(pd->m, ipoff2, sizeof(h2),
8150 m_copyback(pd->m, pd->off,
8152 (caddr_t )&pd->hdr.icmp6);
8153 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8158 m_copyback(pd->m, pd2.off, 8, (caddr_t)&th);
8167 if (!pf_pull_hdr(pd->m, pd2.off, &uh, sizeof(uh),
8185 if ((*state)->key[PF_SK_WIRE] !=
8186 (*state)->key[PF_SK_STACK]) {
8189 if (PF_REVERSED_KEY((*state)->key, pd->af))
8190 nk = (*state)->key[pd->sidx];
8192 nk = (*state)->key[pd->didx];
8197 afto = pd->af != nk->af;
8202 if (pf_translate_icmp_af(nk->af,
8203 &pd->hdr.icmp))
8205 m_copyback(pd->m, pd->off,
8207 (c_caddr_t)&pd->hdr.icmp6);
8208 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8209 &pd2, &nk->addr[sidx],
8210 &nk->addr[didx], pd->af,
8211 nk->af))
8213 if (nk->af == AF_INET)
8214 pd->proto = IPPROTO_ICMP;
8216 pd->proto = IPPROTO_ICMPV6;
8217 pf_change_ap(pd->m, pd2.src, &uh.uh_sport,
8218 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.sidx],
8219 nk->port[sidx], 1, pd->af, nk->af);
8220 pf_change_ap(pd->m, pd2.dst, &uh.uh_dport,
8221 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.didx],
8222 nk->port[didx], 1, pd->af, nk->af);
8225 PF_ACPY(&pd->nsaddr,
8226 &nk->addr[pd2.sidx], nk->af);
8227 PF_ACPY(&pd->ndaddr,
8228 &nk->addr[pd2.didx], nk->af);
8229 pd->naf = nk->af;
8235 &nk->addr[pd2.sidx], pd2.af) ||
8236 nk->port[pd2.sidx] != uh.uh_sport)
8238 daddr, &nk->addr[pd2.sidx],
8239 nk->port[pd2.sidx], &uh.uh_sum,
8241 pd->ip_sum, 1, pd2.af);
8244 &nk->addr[pd2.didx], pd2.af) ||
8245 nk->port[pd2.didx] != uh.uh_dport)
8247 saddr, &nk->addr[pd2.didx],
8248 nk->port[pd2.didx], &uh.uh_sum,
8250 pd->ip_sum, 1, pd2.af);
8255 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8256 (caddr_t )&pd->hdr.icmp);
8257 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
8262 m_copyback(pd->m, pd->off,
8264 (caddr_t )&pd->hdr.icmp6);
8265 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8270 m_copyback(pd->m, pd2.off, sizeof(uh), (caddr_t)&uh);
8281 if (! pf_pull_hdr(pd->m, pd2.off, &sh, sizeof(sh), NULL, reason,
8298 if (pd->dir == (*state)->direction) {
8299 if (PF_REVERSED_KEY((*state)->key, pd->af))
8300 src = &(*state)->src;
8302 src = &(*state)->dst;
8304 if (PF_REVERSED_KEY((*state)->key, pd->af))
8305 src = &(*state)->dst;
8307 src = &(*state)->src;
8310 if (src->scrub->pfss_v_tag != sh.v_tag) {
8318 if ((*state)->key[PF_SK_WIRE] !=
8319 (*state)->key[PF_SK_STACK]) {
8323 if (PF_REVERSED_KEY((*state)->key, pd->af))
8324 nk = (*state)->key[pd->sidx];
8326 nk = (*state)->key[pd->didx];
8331 afto = pd->af != nk->af;
8336 if (pf_translate_icmp_af(nk->af,
8337 &pd->hdr.icmp))
8339 m_copyback(pd->m, pd->off,
8341 (c_caddr_t)&pd->hdr.icmp6);
8342 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8343 &pd2, &nk->addr[sidx],
8344 &nk->addr[didx], pd->af,
8345 nk->af))
8347 if (nk->af == AF_INET)
8348 pd->proto = IPPROTO_ICMP;
8350 pd->proto = IPPROTO_ICMPV6;
8351 sh.src_port = nk->port[sidx];
8352 sh.dest_port = nk->port[didx];
8354 PF_ACPY(pd->src,
8355 &nk->addr[pd2.sidx], nk->af);
8356 PF_ACPY(pd->dst,
8357 &nk->addr[pd2.didx], nk->af);
8358 pd->naf = nk->af;
8364 &nk->addr[pd2.sidx], pd2.af) ||
8365 nk->port[pd2.sidx] != sh.src_port)
8367 daddr, &nk->addr[pd2.sidx],
8368 nk->port[pd2.sidx], NULL,
8370 pd->ip_sum, 0, pd2.af);
8373 &nk->addr[pd2.didx], pd2.af) ||
8374 nk->port[pd2.didx] != sh.dest_port)
8376 saddr, &nk->addr[pd2.didx],
8377 nk->port[pd2.didx], NULL,
8379 pd->ip_sum, 0, pd2.af);
8387 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8388 (caddr_t )&pd->hdr.icmp);
8389 m_copyback(pd->m, ipoff2, sizeof(h2),
8395 m_copyback(pd->m, pd->off,
8397 (caddr_t )&pd->hdr.icmp6);
8398 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8403 m_copyback(pd->m, pd2.off, sizeof(sh), (caddr_t)&sh);
8417 if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN,
8425 icmpid = iih->icmp_id;
8426 pf_icmp_mapping(&pd2, iih->icmp_type,
8438 if ((*state)->key[PF_SK_WIRE] !=
8439 (*state)->key[PF_SK_STACK]) {
8442 if (PF_REVERSED_KEY((*state)->key, pd->af))
8443 nk = (*state)->key[pd->sidx];
8445 nk = (*state)->key[pd->didx];
8450 afto = pd->af != nk->af;
8456 if (nk->af != AF_INET6)
8458 if (pf_translate_icmp_af(nk->af,
8459 &pd->hdr.icmp))
8461 m_copyback(pd->m, pd->off,
8463 (c_caddr_t)&pd->hdr.icmp6);
8464 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8465 &pd2, &nk->addr[sidx],
8466 &nk->addr[didx], pd->af,
8467 nk->af))
8469 pd->proto = IPPROTO_ICMPV6;
8470 if (pf_translate_icmp_af(nk->af, &iih))
8473 nk->port[iidx] != iih->icmp_id)
8474 iih->icmp_id = nk->port[iidx];
8477 PF_ACPY(&pd->nsaddr,
8478 &nk->addr[pd2.sidx], nk->af);
8479 PF_ACPY(&pd->ndaddr,
8480 &nk->addr[pd2.didx], nk->af);
8481 pd->naf = nk->af;
8487 &nk->addr[pd2.sidx], pd2.af) ||
8489 nk->port[iidx] != iih->icmp_id))
8492 &iih->icmp_id : NULL,
8493 daddr, &nk->addr[pd2.sidx],
8495 nk->port[iidx] : 0, NULL,
8497 pd->ip_sum, 0, AF_INET);
8500 &nk->addr[pd2.didx], pd2.af))
8502 &nk->addr[pd2.didx], 0, NULL,
8503 pd2.ip_sum, icmpsum, pd->ip_sum, 0,
8506 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
8507 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
8508 m_copyback(pd->m, pd2.off, ICMP_MINLEN, (caddr_t)iih);
8523 if (!pf_pull_hdr(pd->m, pd2.off, iih,
8531 pf_icmp_mapping(&pd2, iih->icmp6_type,
8535 pd->dir, virtual_id, virtual_type,
8542 state, pd->dir,
8554 if ((*state)->key[PF_SK_WIRE] !=
8555 (*state)->key[PF_SK_STACK]) {
8558 if (PF_REVERSED_KEY((*state)->key, pd->af))
8559 nk = (*state)->key[pd->sidx];
8561 nk = (*state)->key[pd->didx];
8566 afto = pd->af != nk->af;
8572 if (nk->af != AF_INET)
8574 if (pf_translate_icmp_af(nk->af,
8575 &pd->hdr.icmp))
8577 m_copyback(pd->m, pd->off,
8579 (c_caddr_t)&pd->hdr.icmp6);
8580 if (pf_change_icmp_af(pd->m, ipoff2, pd,
8581 &pd2, &nk->addr[sidx],
8582 &nk->addr[didx], pd->af,
8583 nk->af))
8585 pd->proto = IPPROTO_ICMP;
8586 if (pf_translate_icmp_af(nk->af, &iih))
8590 nk->port[iidx] != iih->icmp6_id)
8591 iih->icmp6_id = nk->port[iidx];
8594 PF_ACPY(&pd->nsaddr,
8595 &nk->addr[pd2.sidx], nk->af);
8596 PF_ACPY(&pd->ndaddr,
8597 &nk->addr[pd2.didx], nk->af);
8598 pd->naf = nk->af;
8604 &nk->addr[pd2.sidx], pd2.af) ||
8606 nk->port[pd2.sidx] != iih->icmp6_id))
8609 ? &iih->icmp6_id : NULL,
8610 daddr, &nk->addr[pd2.sidx],
8612 ? nk->port[iidx] : 0, NULL,
8614 pd->ip_sum, 0, AF_INET6);
8617 &nk->addr[pd2.didx], pd2.af))
8619 &nk->addr[pd2.didx], 0, NULL,
8621 pd->ip_sum, 0, AF_INET6);
8623 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr),
8624 (caddr_t)&pd->hdr.icmp6);
8625 m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
8626 m_copyback(pd->m, pd2.off, sizeof(struct icmp6_hdr),
8643 if ((*state)->key[PF_SK_WIRE] !=
8644 (*state)->key[PF_SK_STACK]) {
8646 (*state)->key[pd->didx];
8649 &nk->addr[pd2.sidx], pd2.af))
8651 &nk->addr[pd2.sidx], 0, NULL,
8653 pd->ip_sum, 0, pd2.af);
8656 &nk->addr[pd2.didx], pd2.af))
8658 &nk->addr[pd2.didx], 0, NULL,
8660 pd->ip_sum, 0, pd2.af);
8665 m_copyback(pd->m, pd->off, ICMP_MINLEN,
8666 (caddr_t)&pd->hdr.icmp);
8667 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
8672 m_copyback(pd->m, pd->off,
8674 (caddr_t )&pd->hdr.icmp6);
8675 m_copyback(pd->m, ipoff2, sizeof(h2_6),
8697 key.af = pd->af;
8698 key.proto = pd->proto;
8699 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af);
8700 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af);
8705 if (pd->dir == (*state)->direction) {
8706 src = &(*state)->src;
8707 dst = &(*state)->dst;
8711 src = &(*state)->dst;
8712 dst = &(*state)->src;
8718 if (src->state < PFOTHERS_SINGLE)
8720 if (dst->state == PFOTHERS_SINGLE)
8724 (*state)->expire = pf_get_uptime();
8725 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
8726 (*state)->timeout = PFTM_OTHER_MULTIPLE;
8728 (*state)->timeout = PFTM_OTHER_SINGLE;
8731 if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) {
8735 if (PF_REVERSED_KEY((*state)->key, pd->af))
8736 nk = (*state)->key[pd->sidx];
8738 nk = (*state)->key[pd->didx];
8742 KASSERT(pd->src, ("%s: pd->src is null", __func__));
8743 KASSERT(pd->dst, ("%s: pd->dst is null", __func__));
8745 afto = pd->af != nk->af;
8747 switch (pd->af) {
8751 PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET))
8752 pf_change_a(&pd->src->v4.s_addr,
8753 pd->ip_sum,
8754 nk->addr[pd->sidx].v4.s_addr,
8758 PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET))
8759 pf_change_a(&pd->dst->v4.s_addr,
8760 pd->ip_sum,
8761 nk->addr[pd->didx].v4.s_addr,
8769 PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET6))
8770 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af);
8773 PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET6))
8774 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af);
8778 PF_ACPY(&pd->nsaddr,
8779 &nk->addr[afto ? pd->didx : pd->sidx], nk->af);
8780 PF_ACPY(&pd->ndaddr,
8781 &nk->addr[afto ? pd->sidx : pd->didx], nk->af);
8782 pd->naf = nk->af;
8801 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
8812 if (m->m_pkthdr.len < off + len ||
8813 ntohs(h->ip_len) < off + len) {
8825 if (m->m_pkthdr.len < off + len ||
8826 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
8850 if (af == AF_INET6 && IN6_IS_SCOPE_EMBED(&addr->v6))
8860 if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
8863 ifp = (kif != NULL) ? kif->pfik_ifp : NULL;
8868 return (fib6_check_urpf(rtableid, &addr->v6, 0, NHR_NONE,
8873 return (fib4_check_urpf(rtableid, addr->v4, 0, NHR_NONE,
8901 r_dir = s->direction;
8903 r_dir = r->direction;
8906 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
8910 if ((pd->pf_mtag == NULL &&
8911 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
8912 pd->pf_mtag->routed++ > 3) {
8919 if (pd->act.rt_kif != NULL)
8920 ifp = pd->act.rt_kif->pfik_ifp;
8922 if (pd->act.rt == PF_DUPTO) {
8923 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) {
8937 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED;
8945 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) {
8946 if (pd->af == pd->naf) {
8957 * If we're actually doing route-to and af-to and are in the
8960 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp &&
8961 pd->af != pd->naf) {
8962 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET) {
8963 /* Un-set ifp so we do a plain route lookup. */
8966 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET6) {
8967 /* Un-set ifp so we do a plain route lookup. */
8979 dst.sin_addr = ip->ip_dst;
8980 dst.sin_addr.s_addr = pd->act.rt_addr.v4.s_addr;
8983 if (ifp == NULL && (pd->af != pd->naf)) {
8986 nh = fib4_lookup(M_GETFIB(*m), ip->ip_dst, 0, NHR_NONE, 0);
8988 ifp = nh->nh_ifp;
8991 if (nh->nh_flags & NHF_GATEWAY)
8992 dst.sin_addr = nh->gw4_sa.sin_addr;
8994 dst.sin_addr = ip->ip_dst;
8998 * if-bound. We don't know which interface
9002 if (s->kif == V_pfi_all && ifp != NULL &&
9003 r->rule_flag & PFRULE_IFBOUND)
9004 s->kif = ifp->if_pf_kif;
9008 if (r->rule_flag & PFRULE_IFBOUND &&
9009 pd->act.rt == PF_REPLYTO &&
9010 s->kif == V_pfi_all) {
9011 s->kif = pd->act.rt_kif;
9012 s->orig_kif = oifp->if_pf_kif;
9025 if (pd->dir == PF_IN && !skip_test) {
9027 &pd->act) != PF_PASS) {
9034 if (m0->m_len < sizeof(struct ip)) {
9036 ("%s: m0->m_len < sizeof(struct ip)\n", __func__));
9043 if (ifp->if_flags & IFF_LOOPBACK)
9044 m0->m_flags |= M_SKIP_FIREWALL;
9046 ip_len = ntohs(ip->ip_len);
9047 ip_off = ntohs(ip->ip_off);
9049 /* Copied from FreeBSD 10.0-CURRENT ip_output. */
9050 m0->m_pkthdr.csum_flags |= CSUM_IP;
9051 if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA & ~ifp->if_hwassist) {
9053 m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
9055 if (m0->m_pkthdr.csum_flags & CSUM_SCTP & ~ifp->if_hwassist) {
9056 pf_sctp_checksum(m0, (uint32_t)(ip->ip_hl << 2));
9057 m0->m_pkthdr.csum_flags &= ~CSUM_SCTP;
9060 if (pd->dir == PF_IN) {
9063 * re-inject later.
9065 pd->dir = PF_OUT;
9073 * will re-inject incorrectly. Swapping the pipe numbers means that its incorrect
9076 tmp = pd->act.dnrpipe;
9077 pd->act.dnrpipe = pd->act.dnpipe;
9078 pd->act.dnpipe = tmp;
9085 if (ip_len <= ifp->if_mtu ||
9086 (m0->m_pkthdr.csum_flags & ifp->if_hwassist & CSUM_TSO) != 0) {
9087 ip->ip_sum = 0;
9088 if (m0->m_pkthdr.csum_flags & CSUM_IP & ~ifp->if_hwassist) {
9089 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
9090 m0->m_pkthdr.csum_flags &= ~CSUM_IP;
9097 error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL);
9104 if ((ip_off & IP_DF) || (m0->m_pkthdr.csum_flags & CSUM_TSO)) {
9107 if (pd->act.rt != PF_DUPTO) {
9108 if (s && s->nat_rule != NULL)
9110 (ip->ip_hl << 2) + (ip_off & IP_OFFMASK),
9114 ifp->if_mtu);
9123 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist);
9130 m1 = m0->m_nextpkt;
9131 m0->m_nextpkt = NULL;
9135 pd->pf_mtag = pf_find_mtag(md);
9139 error = (*ifp->if_output)(ifp, md,
9151 if (pd->act.rt != PF_DUPTO)
9182 r_dir = s->direction;
9184 r_dir = r->direction;
9187 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
9191 if ((pd->pf_mtag == NULL &&
9192 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||
9193 pd->pf_mtag->routed++ > 3) {
9200 if (pd->act.rt_kif != NULL)
9201 ifp = pd->act.rt_kif->pfik_ifp;
9203 if (pd->act.rt == PF_DUPTO) {
9204 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) {
9218 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED;
9226 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) {
9227 if (pd->af == pd->naf) {
9238 * If we're actually doing route-to and af-to and are in the
9241 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp &&
9242 pd->af != pd->naf) {
9243 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET6) {
9244 /* Un-set ifp so we do a plain route lookup. */
9247 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET) {
9248 /* Un-set ifp so we do a plain route lookup. */
9260 dst.sin6_addr = ip6->ip6_dst;
9261 PF_ACPY((struct pf_addr *)&dst.sin6_addr, &pd->act.rt_addr, AF_INET6);
9264 if (ifp == NULL && (pd->af != pd->naf)) {
9266 nh = fib6_lookup(M_GETFIB(*m), &ip6->ip6_dst, 0, NHR_NONE, 0);
9268 ifp = nh->nh_ifp;
9271 if (nh->nh_flags & NHF_GATEWAY)
9272 bcopy(&nh->gw6_sa.sin6_addr, &dst.sin6_addr,
9275 dst.sin6_addr = ip6->ip6_dst;
9279 * if-bound. We don't know which interface
9283 if (s->kif == V_pfi_all && ifp != NULL &&
9284 r->rule_flag & PFRULE_IFBOUND)
9285 s->kif = ifp->if_pf_kif;
9289 if (r->rule_flag & PFRULE_IFBOUND &&
9290 pd->act.rt == PF_REPLYTO &&
9291 s->kif == V_pfi_all) {
9292 s->kif = pd->act.rt_kif;
9293 s->orig_kif = oifp->if_pf_kif;
9299 if (pd->af != pd->naf) {
9300 struct udphdr *uh = &pd->hdr.udp;
9302 if (pd->proto == IPPROTO_UDP && uh->uh_sum == 0) {
9303 uh->uh_sum = in6_cksum_pseudo(ip6,
9304 ntohs(uh->uh_ulen), IPPROTO_UDP, 0);
9305 m_copyback(m0, pd->off, sizeof(*uh), pd->hdr.any);
9316 if (pd->dir == PF_IN && !skip_test) {
9318 ifp, &m0, inp, &pd->act) != PF_PASS) {
9325 if (m0->m_len < sizeof(struct ip6_hdr)) {
9327 ("%s: m0->m_len < sizeof(struct ip6_hdr)\n",
9335 if (ifp->if_flags & IFF_LOOPBACK)
9336 m0->m_flags |= M_SKIP_FIREWALL;
9338 if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
9339 ~ifp->if_hwassist) {
9340 uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6);
9342 m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
9345 if (pd->dir == PF_IN) {
9349 * re-inject later.
9351 pd->dir = PF_OUT;
9359 * will re-inject incorrectly. Swapping the pipe numbers means that its incorrect
9362 tmp = pd->act.dnrpipe;
9363 pd->act.dnrpipe = pd->act.dnpipe;
9364 pd->act.dnpipe = tmp;
9372 dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
9381 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
9392 if (pd->act.rt != PF_DUPTO) {
9393 if (s && s->nat_rule != NULL)
9395 ((caddr_t)ip6 - m0->m_data) +
9398 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
9407 if (pd->act.rt != PF_DUPTO)
9446 if (m->m_pkthdr.len < off + len)
9451 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
9452 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
9453 sum = m->m_pkthdr.csum_data;
9456 sum = in_pseudo(ip->ip_src.s_addr,
9457 ip->ip_dst.s_addr, htonl((u_short)len +
9458 m->m_pkthdr.csum_data + IPPROTO_TCP));
9465 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
9466 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
9467 sum = m->m_pkthdr.csum_data;
9470 sum = in_pseudo(ip->ip_src.s_addr,
9471 ip->ip_dst.s_addr, htonl((u_short)len +
9472 m->m_pkthdr.csum_data + IPPROTO_UDP));
9491 if (m->m_len < off)
9493 m->m_data += off;
9494 m->m_len -= off;
9496 m->m_data -= off;
9497 m->m_len += off;
9499 if (m->m_len < sizeof(struct ip))
9506 if (m->m_len < sizeof(struct ip6_hdr))
9543 m->m_pkthdr.csum_flags |=
9545 m->m_pkthdr.csum_data = 0xffff;
9555 int dndir = r->direction;
9558 dndir = s->direction;
9562 dndir = pd->dir;
9565 if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED)
9570 if (pd->dport != NULL)
9571 dnflow->f_id.dst_port = ntohs(*pd->dport);
9572 if (pd->sport != NULL)
9573 dnflow->f_id.src_port = ntohs(*pd->sport);
9575 if (pd->dir == PF_IN)
9576 dnflow->flags |= IPFW_ARGS_IN;
9578 dnflow->flags |= IPFW_ARGS_OUT;
9580 if (pd->dir != dndir && pd->act.dnrpipe) {
9581 dnflow->rule.info = pd->act.dnrpipe;
9583 else if (pd->dir == dndir && pd->act.dnpipe) {
9584 dnflow->rule.info = pd->act.dnpipe;
9590 dnflow->rule.info |= IPFW_IS_DUMMYNET;
9591 if (r->free_flags & PFRULE_DN_IS_PIPE || pd->act.flags & PFSTATE_DN_IS_PIPE)
9592 dnflow->rule.info |= IPFW_IS_PIPE;
9594 dnflow->f_id.proto = pd->proto;
9595 dnflow->f_id.extra = dnflow->rule.info;
9596 switch (pd->naf) {
9598 dnflow->f_id.addr_type = 4;
9599 dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr);
9600 dnflow->f_id.dst_ip = ntohl(pd->dst->v4.s_addr);
9603 dnflow->flags |= IPFW_ARGS_IP6;
9604 dnflow->f_id.addr_type = 6;
9605 dnflow->f_id.src_ip6 = pd->src->v6;
9606 dnflow->f_id.dst_ip6 = pd->dst->v6;
9621 MPASS(ifp->if_vnet == curvnet);
9627 kif = (struct pfi_kkif *)ifp->if_pf_kif;
9631 ("%s: kif == NULL, if_xname %s\n", __func__, ifp->if_xname));
9634 if (kif->pfik_flags & PFI_IFLAG_SKIP)
9637 if (m->m_flags & M_SKIP_FIREWALL)
9655 pf_mtag->flags &= ~PF_MTAG_FLAG_DUMMYNET;
9681 if (pd->act.dnpipe == 0 && pd->act.dnrpipe == 0)
9690 if (pd->pf_mtag == NULL &&
9691 ((pd->pf_mtag = pf_get_mtag(*m0)) == NULL)) {
9698 pd->pf_mtag->flags |= PF_MTAG_FLAG_ROUTE_TO;
9700 pd->pf_mtag->if_index = ifp->if_index;
9701 pd->pf_mtag->if_idxgen = ifp->if_idxgen;
9705 switch (pd->naf) {
9707 memcpy(&pd->pf_mtag->dst, sa,
9711 memcpy(&pd->pf_mtag->dst, sa,
9717 if (s != NULL && s->nat_rule != NULL &&
9718 s->nat_rule->action == PF_RDR &&
9721 (pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) ||
9723 (pd->af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd->dst->v6)))) {
9727 * if dummynet re-injects.
9729 (*m0)->m_pkthdr.rcvif = V_loif;
9733 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
9734 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED;
9737 pd->pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO;
9738 pf_dummynet_flag_remove(*m0, pd->pf_mtag);
9754 if (!pf_pull_hdr(pd->m, off, &opt.ip6o_type,
9763 if (!pf_pull_hdr(pd->m, off, &opt, sizeof(opt), NULL,
9775 if (pd->jumbolen != 0) {
9780 if (ntohs(h->ip6_plen) != 0) {
9785 if (!pf_pull_hdr(pd->m, off, &jumbo, sizeof(jumbo), NULL,
9790 memcpy(&pd->jumbolen, jumbo.ip6oj_jumbo_len,
9791 sizeof(pd->jumbolen));
9792 pd->jumbolen = ntohl(pd->jumbolen);
9793 if (pd->jumbolen < IPV6_MAXPACKET) {
9817 pd->off += sizeof(struct ip6_hdr);
9818 end = pd->off + ntohs(h->ip6_plen);
9819 pd->fragoff = pd->extoff = pd->jumbolen = 0;
9820 pd->proto = h->ip6_nxt;
9822 switch (pd->proto) {
9824 if (pd->fragoff != 0) {
9830 if (pd->jumbolen != 0) {
9835 if (!pf_pull_hdr(pd->m, pd->off, &frag, sizeof(frag),
9840 pd->fragoff = pd->off;
9844 pd->off += sizeof(frag);
9845 pd->proto = frag.ip6f_nxt;
9854 if (pd->fragoff != 0 && end < pd->off + sizeof(rthdr)) {
9855 pd->off = pd->fragoff;
9856 pd->proto = IPPROTO_FRAGMENT;
9859 if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr),
9873 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
9879 if (pd->fragoff != 0 && end < pd->off + sizeof(ext)) {
9880 pd->off = pd->fragoff;
9881 pd->proto = IPPROTO_FRAGMENT;
9885 if (pd->fragoff == 0)
9886 pd->extoff = pd->off;
9887 if (pd->proto == IPPROTO_HOPOPTS && pd->fragoff == 0) {
9889 pd->off + sizeof(ext),
9890 pd->off + (ext.ip6e_len + 1) * 8, reason)
9893 if (ntohs(h->ip6_plen) == 0 && pd->jumbolen != 0) {
9900 if (pd->proto == IPPROTO_AH)
9901 pd->off += (ext.ip6e_len + 2) * 4;
9903 pd->off += (ext.ip6e_len + 1) * 8;
9904 pd->proto = ext.ip6e_nxt;
9911 if (pd->fragoff != 0 && end < pd->off +
9912 (pd->proto == IPPROTO_TCP ? sizeof(struct tcphdr) :
9913 pd->proto == IPPROTO_UDP ? sizeof(struct udphdr) :
9914 pd->proto == IPPROTO_SCTP ? sizeof(struct sctphdr) :
9916 pd->off = pd->fragoff;
9917 pd->proto = IPPROTO_FRAGMENT;
9931 pd->pf_mtag = pf_find_mtag(m);
9932 pd->m = m;
9940 pd->dir = dir;
9941 pd->kif = kif;
9942 pd->m = *m0;
9943 pd->sidx = (dir == PF_IN) ? 0 : 1;
9944 pd->didx = (dir == PF_IN) ? 1 : 0;
9945 pd->af = pd->naf = af;
9947 TAILQ_INIT(&pd->sctp_multihome_jobs);
9949 memcpy(&pd->act, default_actions, sizeof(pd->act));
9951 if (pd->pf_mtag && pd->pf_mtag->dnpipe) {
9952 pd->act.dnpipe = pd->pf_mtag->dnpipe;
9953 pd->act.flags = pd->pf_mtag->dnflags;
9961 if (__predict_false((*m0)->m_len < sizeof(struct ip)) &&
9962 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) {
9967 return (-1);
9972 *m0 = pd->m;
9974 return (-1);
9976 *m0 = pd->m;
9978 h = mtod(pd->m, struct ip *);
9979 pd->off = h->ip_hl << 2;
9980 if (pd->off < (int)sizeof(*h)) {
9983 return (-1);
9985 pd->src = (struct pf_addr *)&h->ip_src;
9986 pd->dst = (struct pf_addr *)&h->ip_dst;
9987 pd->ip_sum = &h->ip_sum;
9988 pd->virtual_proto = pd->proto = h->ip_p;
9989 pd->tos = h->ip_tos & ~IPTOS_ECN_MASK;
9990 pd->ttl = h->ip_ttl;
9991 pd->tot_len = ntohs(h->ip_len);
9992 pd->act.rtableid = -1;
9994 if (h->ip_hl > 5) /* has options */
9995 pd->badopts++;
9997 if (h->ip_off & htons(IP_MF | IP_OFFMASK))
9998 pd->virtual_proto = PF_VPROTO_FRAGMENT;
10007 if (__predict_false((*m0)->m_len < sizeof(struct ip6_hdr)) &&
10008 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) {
10014 return (-1);
10017 h = mtod(pd->m, struct ip6_hdr *);
10018 pd->off = 0;
10021 return (-1);
10024 h = mtod(pd->m, struct ip6_hdr *);
10025 pd->src = (struct pf_addr *)&h->ip6_src;
10026 pd->dst = (struct pf_addr *)&h->ip6_dst;
10027 pd->ip_sum = NULL;
10028 pd->tos = IPV6_DSCP(h);
10029 pd->ttl = h->ip6_hlim;
10030 pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
10031 pd->virtual_proto = pd->proto = h->ip6_nxt;
10032 pd->act.rtableid = -1;
10034 if (pd->fragoff != 0)
10035 pd->virtual_proto = PF_VPROTO_FRAGMENT;
10041 if (htons(h->ip6_plen) == 0) {
10043 return (-1);
10047 if (pf_normalize_ip6(pd->fragoff, reason, pd) !=
10049 *m0 = pd->m;
10051 return (-1);
10053 *m0 = pd->m;
10054 if (pd->m == NULL) {
10057 return (-1);
10061 h = mtod(pd->m, struct ip6_hdr *);
10062 pd->src = (struct pf_addr *)&h->ip6_src;
10063 pd->dst = (struct pf_addr *)&h->ip6_dst;
10065 pd->off = 0;
10069 return (-1);
10072 if (m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL) != NULL) {
10077 pd->virtual_proto = pd->proto;
10078 MPASS(pd->fragoff == 0);
10081 if (pd->fragoff != 0)
10082 pd->virtual_proto = PF_VPROTO_FRAGMENT;
10091 switch (pd->virtual_proto) {
10093 struct tcphdr *th = &pd->hdr.tcp;
10095 if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th), action,
10099 return (-1);
10101 pd->hdrlen = sizeof(*th);
10102 pd->p_len = pd->tot_len - pd->off - (th->th_off << 2);
10103 pd->sport = &th->th_sport;
10104 pd->dport = &th->th_dport;
10108 struct udphdr *uh = &pd->hdr.udp;
10110 if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh), action,
10114 return (-1);
10116 pd->hdrlen = sizeof(*uh);
10117 if (uh->uh_dport == 0 ||
10118 ntohs(uh->uh_ulen) > pd->m->m_pkthdr.len - pd->off ||
10119 ntohs(uh->uh_ulen) < sizeof(struct udphdr)) {
10122 return (-1);
10124 pd->sport = &uh->uh_sport;
10125 pd->dport = &uh->uh_dport;
10129 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp),
10133 return (-1);
10135 pd->hdrlen = sizeof(pd->hdr.sctp);
10136 pd->p_len = pd->tot_len - pd->off;
10138 pd->sport = &pd->hdr.sctp.src_port;
10139 pd->dport = &pd->hdr.sctp.dest_port;
10140 if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) {
10143 return (-1);
10148 return (-1);
10153 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN,
10157 return (-1);
10159 pd->hdrlen = ICMP_MINLEN;
10166 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
10170 return (-1);
10173 switch (pd->hdr.icmp6.icmp6_type) {
10184 !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
10188 return (-1);
10190 pd->hdrlen = icmp_hlen;
10203 int dir = pd->dir;
10208 &pd->kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
10209 pd->tot_len);
10211 &pd->kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS],
10214 if (action == PF_PASS || action == PF_AFRT || r->action == PF_DROP) {
10216 pf_counter_u64_add_protected(&r->packets[dirndx], 1);
10217 pf_counter_u64_add_protected(&r->bytes[dirndx], pd->tot_len);
10221 pf_counter_u64_add_protected(&a->packets[dirndx], 1);
10222 pf_counter_u64_add_protected(&a->bytes[dirndx], pd->tot_len);
10227 if (s->nat_rule != NULL) {
10228 pf_counter_u64_add_protected(&s->nat_rule->packets[dirndx],
10230 pf_counter_u64_add_protected(&s->nat_rule->bytes[dirndx],
10231 pd->tot_len);
10233 if (s->src_node != NULL) {
10234 counter_u64_add(s->src_node->packets[dirndx],
10236 counter_u64_add(s->src_node->bytes[dirndx],
10237 pd->tot_len);
10239 if (s->nat_src_node != NULL) {
10240 counter_u64_add(s->nat_src_node->packets[dirndx],
10242 counter_u64_add(s->nat_src_node->bytes[dirndx],
10243 pd->tot_len);
10245 dirndx = (dir == s->direction) ? 0 : 1;
10246 s->packets[dirndx]++;
10247 s->bytes[dirndx] += pd->tot_len;
10249 SLIST_FOREACH(ri, &s->match_rules, entry) {
10250 pf_counter_u64_add_protected(&ri->r->packets[dirndx], 1);
10251 pf_counter_u64_add_protected(&ri->r->bytes[dirndx], pd->tot_len);
10256 if (s != NULL && s->nat_rule != NULL &&
10258 tr = s->nat_rule;
10260 if (tr->src.addr.type == PF_ADDR_TABLE)
10261 pfr_update_stats(tr->src.addr.p.tbl,
10262 (s == NULL) ? pd->src :
10263 &s->key[(s->direction == PF_IN)]->
10264 addr[(s->direction == PF_OUT)],
10265 pd->af, pd->tot_len, dir == PF_OUT,
10266 r->action == PF_PASS, tr->src.neg);
10267 if (tr->dst.addr.type == PF_ADDR_TABLE)
10268 pfr_update_stats(tr->dst.addr.p.tbl,
10269 (s == NULL) ? pd->dst :
10270 &s->key[(s->direction == PF_IN)]->
10271 addr[(s->direction == PF_IN)],
10272 pd->af, pd->tot_len, dir == PF_OUT,
10273 r->action == PF_PASS, tr->dst.neg);
10302 kif = (struct pfi_kkif *)ifp->if_pf_kif;
10306 ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
10310 if (kif->pfik_flags & PFI_IFLAG_SKIP) {
10315 if ((*m0)->m_flags & M_SKIP_FIREWALL) {
10345 if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) {
10346 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO;
10348 ifp = ifnet_byindexgen(pd.pf_mtag->if_index,
10349 pd.pf_mtag->if_idxgen);
10350 if (ifp == NULL || ifp->if_flags & IFF_DYING) {
10357 (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL);
10363 pd.pf_mtag->flags & PF_MTAG_FLAG_DUMMYNET) {
10364 /* Dummynet re-injects packets after they've
10377 kif, default_actions) == -1) {
10386 if ((dt->idir == PF_DIVERT_MTAG_DIR_IN && dir == PF_IN) ||
10387 (dt->idir == PF_DIVERT_MTAG_DIR_OUT && dir == PF_OUT)) {
10393 pd.pf_mtag->flags |= PF_MTAG_FLAG_PACKET_LOOPED;
10395 if (pd.pf_mtag && pd.pf_mtag->flags & PF_MTAG_FLAG_FASTFWD_OURS_PRESENT) {
10396 pd.m->m_flags |= M_FASTFWD_OURS;
10397 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
10439 r = s->rule;
10440 a = s->anchor;
10442 /* Validate remote SYN|ACK, re-create original SYN if
10467 s->src.seqhi = ntohl(pd.hdr.tcp.th_ack) - 1;
10468 s->src.seqlo = ntohl(pd.hdr.tcp.th_seq) - 1;
10485 r = s->rule;
10486 a = s->anchor;
10501 r = s->rule;
10502 a = s->anchor;
10530 r = s->rule;
10531 a = s->anchor;
10543 r = s->rule;
10544 a = s->anchor;
10558 !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
10568 memcpy(&pd.act, &s->act, sizeof(struct pf_rule_actions));
10570 tag = s->tag;
10572 tag = r->tag;
10607 pd.pf_mtag->qid_hash = pf_state_hash(s);
10609 pd.pf_mtag->qid = pd.act.pqid;
10611 pd.pf_mtag->qid = pd.act.qid;
10613 pd.pf_mtag->hdr = mtod(pd.m, void *);
10624 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule != NULL &&
10625 (s->nat_rule->action == PF_RDR ||
10626 s->nat_rule->action == PF_BINAT) &&
10628 pd.m->m_flags |= M_SKIP_FIREWALL;
10631 action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) {
10635 ((struct pf_divert_mtag *)(mtag+1))->port =
10636 ntohs(r->divert.port);
10637 ((struct pf_divert_mtag *)(mtag+1))->idir =
10645 if (pd.m->m_flags & M_FASTFWD_OURS) {
10654 pd.pf_mtag->flags |=
10656 pd.m->m_flags &= ~M_FASTFWD_OURS;
10673 if (af == AF_INET6 && r->divert.port)
10678 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_PACKET_LOOPED;
10684 if (s != NULL && s->nat_rule != NULL &&
10685 s->nat_rule->log & PF_LOG_ALL)
10686 lr = s->nat_rule;
10690 if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
10694 SLIST_FOREACH(ri, &s->match_rules, entry)
10695 if (ri->r->log & PF_LOG_ALL)
10697 reason, ri->r, a, ruleset, &pd, 0);
10724 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp);
10728 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp);
10740 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp);
10746 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp);
10763 if (!s->if_index_in && dir == PF_IN)
10764 s->if_index_in = ifp->if_index;
10765 else if (!s->if_index_out && dir == PF_OUT)
10766 s->if_index_out = ifp->if_index;