xref: /dflybsd-src/sys/net/pf/pf.c (revision 0bb7d8c82a64940013681cf515d16f3e62eb7e3c) 
1 /*	$FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.19 2004/09/11 11:18:25 mlaier Exp $	*/
2 /*	$OpenBSD: pf.c,v 1.433.2.2 2004/07/17 03:22:34 brad Exp $ */
3 /* add	$OpenBSD: pf.c,v 1.448 2004/05/11 07:34:11 dhartmei Exp $ */
4 /*	$DragonFly: src/sys/net/pf/pf.c,v 1.20 2008/06/05 18:06:32 swildner Exp $ */
5 /*	$OpenBSD: pf.c,v 1.527 2007/02/22 15:23:23 pyr Exp $ */
6 
7 /*
8  * Copyright (c) 2004 The DragonFly Project.  All rights reserved.
9  *
10  * Copyright (c) 2001 Daniel Hartmeier
11  * Copyright (c) 2002,2003 Henning Brauer
12  * All rights reserved.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  *
18  *    - Redistributions of source code must retain the above copyright
19  *      notice, this list of conditions and the following disclaimer.
20  *    - Redistributions in binary form must reproduce the above
21  *      copyright notice, this list of conditions and the following
22  *      disclaimer in the documentation and/or other materials provided
23  *      with the distribution.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
26  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
27  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
28  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
29  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
30  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
31  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
32  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
33  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
35  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
36  * POSSIBILITY OF SUCH DAMAGE.
37  *
38  * Effort sponsored in part by the Defense Advanced Research Projects
39  * Agency (DARPA) and Air Force Research Laboratory, Air Force
40  * Materiel Command, USAF, under agreement number F30602-01-2-0537.
41  *
42  */
43 
44 #include "opt_inet.h"
45 #include "opt_inet6.h"
46 #include "use_pfsync.h"
47 
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/malloc.h>
51 #include <sys/mbuf.h>
52 #include <sys/filio.h>
53 #include <sys/socket.h>
54 #include <sys/socketvar.h>
55 #include <sys/kernel.h>
56 #include <sys/time.h>
57 #include <sys/sysctl.h>
58 #include <sys/endian.h>
59 #include <vm/vm_zone.h>
60 #include <sys/proc.h>
61 #include <sys/kthread.h>
62 
63 #include <sys/mplock2.h>
64 
65 #include <machine/inttypes.h>
66 
67 #include <net/if.h>
68 #include <net/if_types.h>
69 #include <net/bpf.h>
70 #include <net/netisr.h>
71 #include <net/route.h>
72 
73 #include <netinet/in.h>
74 #include <netinet/in_var.h>
75 #include <netinet/in_systm.h>
76 #include <netinet/ip.h>
77 #include <netinet/ip_var.h>
78 #include <netinet/tcp.h>
79 #include <netinet/tcp_seq.h>
80 #include <netinet/udp.h>
81 #include <netinet/ip_icmp.h>
82 #include <netinet/in_pcb.h>
83 #include <netinet/tcp_timer.h>
84 #include <netinet/tcp_var.h>
85 #include <netinet/udp_var.h>
86 #include <netinet/icmp_var.h>
87 #include <netinet/if_ether.h>
88 
89 #include <net/pf/pfvar.h>
90 #include <net/pf/if_pflog.h>
91 
92 #if NPFSYNC > 0
93 #include <net/pf/if_pfsync.h>
94 #endif /* NPFSYNC > 0 */
95 
96 #ifdef INET6
97 #include <netinet/ip6.h>
98 #include <netinet/in_pcb.h>
99 #include <netinet/icmp6.h>
100 #include <netinet6/nd6.h>
101 #include <netinet6/ip6_var.h>
102 #include <netinet6/in6_pcb.h>
103 #endif /* INET6 */
104 
105 #include <sys/in_cksum.h>
106 #include <sys/ucred.h>
107 #include <machine/limits.h>
108 #include <sys/msgport2.h>
109 #include <net/netmsg2.h>
110 
111 extern int ip_optcopy(struct ip *, struct ip *);
112 extern int debug_pfugidhack;
113 
114 #define DPFPRINTF(n, x)	if (pf_status.debug >= (n)) kprintf x
115 
116 /*
117  * Global variables
118  */
119 
120 struct pf_altqqueue	 pf_altqs[2];
121 struct pf_palist	 pf_pabuf;
122 struct pf_altqqueue	*pf_altqs_active;
123 struct pf_altqqueue	*pf_altqs_inactive;
124 struct pf_status	 pf_status;
125 
126 u_int32_t		 ticket_altqs_active;
127 u_int32_t		 ticket_altqs_inactive;
128 int			 altqs_inactive_open;
129 u_int32_t		 ticket_pabuf;
130 
131 struct pf_anchor_stackframe {
132 	struct pf_ruleset			*rs;
133 	struct pf_rule				*r;
134 	struct pf_anchor_node			*parent;
135 	struct pf_anchor			*child;
136 } pf_anchor_stack[64];
137 
138 vm_zone_t		 pf_src_tree_pl, pf_rule_pl;
139 vm_zone_t		 pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
140 
141 void			 pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
142 
143 void			 pf_init_threshold(struct pf_threshold *, u_int32_t,
144 			    u_int32_t);
145 void			 pf_add_threshold(struct pf_threshold *);
146 int			 pf_check_threshold(struct pf_threshold *);
147 
148 void			 pf_change_ap(struct pf_addr *, u_int16_t *,
149 			    u_int16_t *, u_int16_t *, struct pf_addr *,
150 			    u_int16_t, u_int8_t, sa_family_t);
151 int			 pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
152 			    struct tcphdr *, struct pf_state_peer *);
153 #ifdef INET6
154 void			 pf_change_a6(struct pf_addr *, u_int16_t *,
155 			    struct pf_addr *, u_int8_t);
156 #endif /* INET6 */
157 void			 pf_change_icmp(struct pf_addr *, u_int16_t *,
158 			    struct pf_addr *, struct pf_addr *, u_int16_t,
159 			    u_int16_t *, u_int16_t *, u_int16_t *,
160 			    u_int16_t *, u_int8_t, sa_family_t);
161 void			 pf_send_tcp(const struct pf_rule *, sa_family_t,
162 			    const struct pf_addr *, const struct pf_addr *,
163 			    u_int16_t, u_int16_t, u_int32_t, u_int32_t,
164 			    u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
165 			    u_int16_t, struct ether_header *, struct ifnet *);
166 void			 pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
167 			    sa_family_t, struct pf_rule *);
168 struct pf_rule		*pf_match_translation(struct pf_pdesc *, struct mbuf *,
169 			    int, int, struct pfi_kif *,
170 			    struct pf_addr *, u_int16_t, struct pf_addr *,
171 			    u_int16_t, int);
172 struct pf_rule		*pf_get_translation(struct pf_pdesc *, struct mbuf *,
173 			    int, int, struct pfi_kif *, struct pf_src_node **,
174 			    struct pf_addr *, u_int16_t,
175 			    struct pf_addr *, u_int16_t,
176 			    struct pf_addr *, u_int16_t *);
177 int			 pf_test_tcp(struct pf_rule **, struct pf_state **,
178 			    int, struct pfi_kif *, struct mbuf *, int,
179 			    void *, struct pf_pdesc *, struct pf_rule **,
180 			    struct pf_ruleset **, struct ifqueue *, struct inpcb *);
181 int			 pf_test_udp(struct pf_rule **, struct pf_state **,
182 			    int, struct pfi_kif *, struct mbuf *, int,
183 			    void *, struct pf_pdesc *, struct pf_rule **,
184 			    struct pf_ruleset **, struct ifqueue *, struct inpcb *);
185 int			 pf_test_icmp(struct pf_rule **, struct pf_state **,
186 			    int, struct pfi_kif *, struct mbuf *, int,
187 			    void *, struct pf_pdesc *, struct pf_rule **,
188 			    struct pf_ruleset **, struct ifqueue *);
189 int			 pf_test_other(struct pf_rule **, struct pf_state **,
190 			    int, struct pfi_kif *, struct mbuf *, int, void *,
191 			    struct pf_pdesc *, struct pf_rule **,
192 			    struct pf_ruleset **, struct ifqueue *);
193 int			 pf_test_fragment(struct pf_rule **, int,
194 			    struct pfi_kif *, struct mbuf *, void *,
195 			    struct pf_pdesc *, struct pf_rule **,
196 			    struct pf_ruleset **);
197 int			 pf_test_state_tcp(struct pf_state **, int,
198 			    struct pfi_kif *, struct mbuf *, int,
199 			    void *, struct pf_pdesc *, u_short *);
200 int			 pf_test_state_udp(struct pf_state **, int,
201 			    struct pfi_kif *, struct mbuf *, int,
202 			    void *, struct pf_pdesc *);
203 int			 pf_test_state_icmp(struct pf_state **, int,
204 			    struct pfi_kif *, struct mbuf *, int,
205 			    void *, struct pf_pdesc *, u_short *);
206 int			 pf_test_state_other(struct pf_state **, int,
207 			    struct pfi_kif *, struct pf_pdesc *);
208 int			 pf_match_tag(struct mbuf *, struct pf_rule *,
209 			     struct pf_mtag *, int *);
210 int			 pf_step_out_of_anchor(int *, struct pf_ruleset **,
211 			     int, struct pf_rule **, struct pf_rule **,
212 			     int *);
213 void			 pf_hash(struct pf_addr *, struct pf_addr *,
214 			    struct pf_poolhashkey *, sa_family_t);
215 int			 pf_map_addr(u_int8_t, struct pf_rule *,
216 			    struct pf_addr *, struct pf_addr *,
217 			    struct pf_addr *, struct pf_src_node **);
218 int			 pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
219 			    struct pf_addr *, struct pf_addr *, u_int16_t,
220 			    struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
221 			    struct pf_src_node **);
222 void			 pf_route(struct mbuf **, struct pf_rule *, int,
223 			    struct ifnet *, struct pf_state *,
224 			    struct pf_pdesc *);
225 void			 pf_route6(struct mbuf **, struct pf_rule *, int,
226 			    struct ifnet *, struct pf_state *,
227 			    struct pf_pdesc *);
228 u_int8_t		 pf_get_wscale(struct mbuf *, int, u_int16_t,
229 			    sa_family_t);
230 u_int16_t		 pf_get_mss(struct mbuf *, int, u_int16_t,
231 			    sa_family_t);
232 u_int16_t		 pf_calc_mss(struct pf_addr *, sa_family_t,
233 				u_int16_t);
234 void			 pf_set_rt_ifp(struct pf_state *,
235 			    struct pf_addr *);
236 int			 pf_check_proto_cksum(struct mbuf *, int, int,
237 			    u_int8_t, sa_family_t);
238 int			 pf_addr_wrap_neq(struct pf_addr_wrap *,
239 			    struct pf_addr_wrap *);
240 struct pf_state		*pf_find_state_recurse(struct pfi_kif *,
241 			    struct pf_state_cmp *, u_int8_t);
242 int			 pf_src_connlimit(struct pf_state **);
243 int			 pf_check_congestion(struct ifqueue *);
244 
245 extern int pf_end_threads;
246 
247 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
248 	{ &pf_state_pl, PFSTATE_HIWAT },
249 	{ &pf_src_tree_pl, PFSNODE_HIWAT },
250 	{ &pf_frent_pl, PFFRAG_FRENT_HIWAT },
251 	{ &pfr_ktable_pl, PFR_KTABLE_HIWAT },
252 	{ &pfr_kentry_pl, PFR_KENTRY_HIWAT }
253 };
254 
255 #define STATE_LOOKUP()							\
256 	do {								\
257 		if (direction == PF_IN)					\
258 			*state = pf_find_state_recurse(			\
259 			    kif, &key, PF_EXT_GWY);			\
260 		else							\
261 			*state = pf_find_state_recurse(		\
262 			    kif, &key, PF_LAN_EXT);			\
263 		if (*state == NULL || (*state)->timeout == PFTM_PURGE)	\
264 			return (PF_DROP);				\
265 		if (direction == PF_OUT &&				\
266 		    (((*state)->rule.ptr->rt == PF_ROUTETO &&		\
267 		    (*state)->rule.ptr->direction == PF_OUT) ||		\
268 		    ((*state)->rule.ptr->rt == PF_REPLYTO &&		\
269 		    (*state)->rule.ptr->direction == PF_IN)) &&		\
270 		    (*state)->rt_kif != NULL &&				\
271 		    (*state)->rt_kif != kif)				\
272 			return (PF_PASS);				\
273 	} while (0)
274 
275 #define	STATE_TRANSLATE(s) \
276 	(s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
277 	((s)->af == AF_INET6 && \
278 	((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \
279 	(s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \
280 	(s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \
281 	(s)->lan.port != (s)->gwy.port
282 
283 #define BOUND_IFACE(r, k) \
284 	((r)->rule_flag & PFRULE_IFBOUND) ? (k) : pfi_all
285 
286 #define STATE_INC_COUNTERS(s)				\
287 	do {						\
288 		s->rule.ptr->states++;			\
289 		if (s->anchor.ptr != NULL)		\
290 			s->anchor.ptr->states++;	\
291 		if (s->nat_rule.ptr != NULL)		\
292 			s->nat_rule.ptr->states++;	\
293 	} while (0)
294 
295 #define STATE_DEC_COUNTERS(s)				\
296 	do {						\
297 		if (s->nat_rule.ptr != NULL)		\
298 			s->nat_rule.ptr->states--;	\
299 		if (s->anchor.ptr != NULL)		\
300 			s->anchor.ptr->states--;	\
301 		s->rule.ptr->states--;			\
302 	} while (0)
303 
304 static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
305 static __inline int pf_state_compare_lan_ext(struct pf_state *,
306 	struct pf_state *);
307 static __inline int pf_state_compare_ext_gwy(struct pf_state *,
308 	struct pf_state *);
309 static __inline int pf_state_compare_id(struct pf_state *,
310 	struct pf_state *);
311 
312 struct pf_src_tree tree_src_tracking;
313 
314 struct pf_state_tree_id tree_id;
315 struct pf_state_queue state_list;
316 
317 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
318 RB_GENERATE(pf_state_tree_lan_ext, pf_state,
319     u.s.entry_lan_ext, pf_state_compare_lan_ext);
320 RB_GENERATE(pf_state_tree_ext_gwy, pf_state,
321     u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
322 RB_GENERATE(pf_state_tree_id, pf_state,
323     u.s.entry_id, pf_state_compare_id);
324 
325 static __inline int
326 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
327 {
328 	int	diff;
329 
330 	if (a->rule.ptr > b->rule.ptr)
331 		return (1);
332 	if (a->rule.ptr < b->rule.ptr)
333 		return (-1);
334 	if ((diff = a->af - b->af) != 0)
335 		return (diff);
336 	switch (a->af) {
337 #ifdef INET
338 	case AF_INET:
339 		if (a->addr.addr32[0] > b->addr.addr32[0])
340 			return (1);
341 		if (a->addr.addr32[0] < b->addr.addr32[0])
342 			return (-1);
343 		break;
344 #endif /* INET */
345 #ifdef INET6
346 	case AF_INET6:
347 		if (a->addr.addr32[3] > b->addr.addr32[3])
348 			return (1);
349 		if (a->addr.addr32[3] < b->addr.addr32[3])
350 			return (-1);
351 		if (a->addr.addr32[2] > b->addr.addr32[2])
352 			return (1);
353 		if (a->addr.addr32[2] < b->addr.addr32[2])
354 			return (-1);
355 		if (a->addr.addr32[1] > b->addr.addr32[1])
356 			return (1);
357 		if (a->addr.addr32[1] < b->addr.addr32[1])
358 			return (-1);
359 		if (a->addr.addr32[0] > b->addr.addr32[0])
360 			return (1);
361 		if (a->addr.addr32[0] < b->addr.addr32[0])
362 			return (-1);
363 		break;
364 #endif /* INET6 */
365 	}
366 	return (0);
367 }
368 
369 u_int32_t
370 pf_state_hash(struct pf_state *s)
371 {
372 	u_int32_t hv = (intptr_t)s / sizeof(*s);
373 
374 	hv ^= crc32(&s->lan, sizeof(s->lan));
375 	hv ^= crc32(&s->gwy, sizeof(s->gwy));
376 	hv ^= crc32(&s->ext, sizeof(s->ext));
377 	if (hv == 0)	/* disallow 0 */
378 		hv = 1;
379 	return(hv);
380 }
381 
382 static __inline int
383 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b)
384 {
385 	int	diff;
386 
387 	if ((diff = a->proto - b->proto) != 0)
388 		return (diff);
389 	if ((diff = a->af - b->af) != 0)
390 		return (diff);
391 	switch (a->af) {
392 #ifdef INET
393 	case AF_INET:
394 		if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
395 			return (1);
396 		if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
397 			return (-1);
398 		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
399 			return (1);
400 		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
401 			return (-1);
402 		break;
403 #endif /* INET */
404 #ifdef INET6
405 	case AF_INET6:
406 		if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3])
407 			return (1);
408 		if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3])
409 			return (-1);
410 		if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
411 			return (1);
412 		if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
413 			return (-1);
414 		if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2])
415 			return (1);
416 		if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2])
417 			return (-1);
418 		if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
419 			return (1);
420 		if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
421 			return (-1);
422 		if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1])
423 			return (1);
424 		if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1])
425 			return (-1);
426 		if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
427 			return (1);
428 		if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
429 			return (-1);
430 		if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
431 			return (1);
432 		if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
433 			return (-1);
434 		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
435 			return (1);
436 		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
437 			return (-1);
438 		break;
439 #endif /* INET6 */
440 	}
441 
442 	if ((diff = a->lan.port - b->lan.port) != 0)
443 		return (diff);
444 	if ((diff = a->ext.port - b->ext.port) != 0)
445 		return (diff);
446 
447 	return (0);
448 }
449 
450 static __inline int
451 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b)
452 {
453 	int	diff;
454 
455 	if ((diff = a->proto - b->proto) != 0)
456 		return (diff);
457 	if ((diff = a->af - b->af) != 0)
458 		return (diff);
459 	switch (a->af) {
460 #ifdef INET
461 	case AF_INET:
462 		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
463 			return (1);
464 		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
465 			return (-1);
466 		if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
467 			return (1);
468 		if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
469 			return (-1);
470 		break;
471 #endif /* INET */
472 #ifdef INET6
473 	case AF_INET6:
474 		if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
475 			return (1);
476 		if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
477 			return (-1);
478 		if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3])
479 			return (1);
480 		if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3])
481 			return (-1);
482 		if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
483 			return (1);
484 		if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
485 			return (-1);
486 		if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2])
487 			return (1);
488 		if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2])
489 			return (-1);
490 		if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
491 			return (1);
492 		if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
493 			return (-1);
494 		if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1])
495 			return (1);
496 		if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1])
497 			return (-1);
498 		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
499 			return (1);
500 		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
501 			return (-1);
502 		if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
503 			return (1);
504 		if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
505 			return (-1);
506 		break;
507 #endif /* INET6 */
508 	}
509 
510 	if ((diff = a->ext.port - b->ext.port) != 0)
511 		return (diff);
512 	if ((diff = a->gwy.port - b->gwy.port) != 0)
513 		return (diff);
514 
515 	return (0);
516 }
517 
518 static __inline int
519 pf_state_compare_id(struct pf_state *a, struct pf_state *b)
520 {
521 	if (a->id > b->id)
522 		return (1);
523 	if (a->id < b->id)
524 		return (-1);
525 	if (a->creatorid > b->creatorid)
526 		return (1);
527 	if (a->creatorid < b->creatorid)
528 		return (-1);
529 
530 	return (0);
531 }
532 
533 #ifdef INET6
534 void
535 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
536 {
537 	switch (af) {
538 #ifdef INET
539 	case AF_INET:
540 		dst->addr32[0] = src->addr32[0];
541 		break;
542 #endif /* INET */
543 	case AF_INET6:
544 		dst->addr32[0] = src->addr32[0];
545 		dst->addr32[1] = src->addr32[1];
546 		dst->addr32[2] = src->addr32[2];
547 		dst->addr32[3] = src->addr32[3];
548 		break;
549 	}
550 }
551 #endif /* INET6 */
552 
553 struct pf_state *
554 pf_find_state_byid(struct pf_state_cmp *key)
555 {
556 	pf_status.fcounters[FCNT_STATE_SEARCH]++;
557 	return (RB_FIND(pf_state_tree_id, &tree_id, (struct pf_state *)key));
558 }
559 
560 struct pf_state *
561 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state_cmp *key, u_int8_t tree)
562 {
563 	struct pf_state *s;
564 
565 	pf_status.fcounters[FCNT_STATE_SEARCH]++;
566 
567 	switch (tree) {
568 	case PF_LAN_EXT:
569 		if ((s = RB_FIND(pf_state_tree_lan_ext, &kif->pfik_lan_ext,
570 		    (struct pf_state *)key)) != NULL)
571 			return (s);
572 		if ((s = RB_FIND(pf_state_tree_lan_ext, &pfi_all->pfik_lan_ext,
573 		    (struct pf_state *)key)) != NULL)
574 			return (s);
575 		return (NULL);
576 	case PF_EXT_GWY:
577 		if ((s = RB_FIND(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy,
578 		    (struct pf_state *)key)) != NULL)
579 			return (s);
580 		if ((s = RB_FIND(pf_state_tree_ext_gwy, &pfi_all->pfik_ext_gwy,
581 		    (struct pf_state *)key)) != NULL)
582 			return (s);
583 		return (NULL);
584 	default:
585 		panic("pf_find_state_recurse");
586 	}
587 }
588 
589 struct pf_state *
590 pf_find_state_all(struct pf_state_cmp *key, u_int8_t tree, int *more)
591 {
592 	struct pf_state *s, *ss = NULL;
593 	struct pfi_kif	*kif;
594 
595 	pf_status.fcounters[FCNT_STATE_SEARCH]++;
596 
597 	switch (tree) {
598 	case PF_LAN_EXT:
599 		TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
600 			s = RB_FIND(pf_state_tree_lan_ext,
601 			    &kif->pfik_lan_ext, (struct pf_state *)key);
602 			if (s == NULL)
603 				continue;
604 			if (more == NULL)
605 				return (s);
606 			ss = s;
607 			(*more)++;
608 		}
609 		return (ss);
610 	case PF_EXT_GWY:
611 		TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
612 			s = RB_FIND(pf_state_tree_ext_gwy,
613 			    &kif->pfik_ext_gwy, (struct pf_state *)key);
614 			if (s == NULL)
615 				continue;
616 			if (more == NULL)
617 				return (s);
618 			ss = s;
619 			(*more)++;
620 		}
621 		return (ss);
622 	default:
623 		panic("pf_find_state_all");
624 	}
625 }
626 
627 void
628 pf_init_threshold(struct pf_threshold *threshold,
629     u_int32_t limit, u_int32_t seconds)
630 {
631 	threshold->limit = limit * PF_THRESHOLD_MULT;
632 	threshold->seconds = seconds;
633 	threshold->count = 0;
634 	threshold->last = time_second;
635 }
636 
637 void
638 pf_add_threshold(struct pf_threshold *threshold)
639 {
640 	u_int32_t t = time_second, diff = t - threshold->last;
641 
642 	if (diff >= threshold->seconds)
643 		threshold->count = 0;
644 	else
645 		threshold->count -= threshold->count * diff /
646 		    threshold->seconds;
647 	threshold->count += PF_THRESHOLD_MULT;
648 	threshold->last = t;
649 }
650 
651 int
652 pf_check_threshold(struct pf_threshold *threshold)
653 {
654 	return (threshold->count > threshold->limit);
655 }
656 
657 int
658 pf_src_connlimit(struct pf_state **state)
659 {
660 	struct pf_state	*s;
661 	int bad = 0;
662 
663 	(*state)->src_node->conn++;
664 	(*state)->src.tcp_est = 1;
665 	pf_add_threshold(&(*state)->src_node->conn_rate);
666 
667 	if ((*state)->rule.ptr->max_src_conn &&
668 	    (*state)->rule.ptr->max_src_conn <
669 	    (*state)->src_node->conn) {
670 		pf_status.lcounters[LCNT_SRCCONN]++;
671 		bad++;
672 	}
673 
674 	if ((*state)->rule.ptr->max_src_conn_rate.limit &&
675 	    pf_check_threshold(&(*state)->src_node->conn_rate)) {
676 		pf_status.lcounters[LCNT_SRCCONNRATE]++;
677 		bad++;
678 	}
679 
680 	if (!bad)
681 		return (0);
682 
683 	if ((*state)->rule.ptr->overload_tbl) {
684 		struct pfr_addr p;
685 		u_int32_t	killed = 0;
686 
687 		pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
688 		if (pf_status.debug >= PF_DEBUG_MISC) {
689 			kprintf("pf_src_connlimit: blocking address ");
690 			pf_print_host(&(*state)->src_node->addr, 0,
691 			    (*state)->af);
692 		}
693 
694 		bzero(&p, sizeof(p));
695 		p.pfra_af = (*state)->af;
696 		switch ((*state)->af) {
697 #ifdef INET
698 		case AF_INET:
699 			p.pfra_net = 32;
700 			p.pfra_ip4addr = (*state)->src_node->addr.v4;
701 			break;
702 #endif /* INET */
703 #ifdef INET6
704 		case AF_INET6:
705 			p.pfra_net = 128;
706 			p.pfra_ip6addr = (*state)->src_node->addr.v6;
707 			break;
708 #endif /* INET6 */
709 		}
710 
711 		pfr_insert_kentry((*state)->rule.ptr->overload_tbl,
712 		    &p, time_second);
713 
714 		/* kill existing states if that's required. */
715 		if ((*state)->rule.ptr->flush) {
716 			pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
717 
718 			RB_FOREACH(s, pf_state_tree_id, &tree_id) {
719 				/*
720 				 * Kill states from this source.  (Only those
721 				 * from the same rule if PF_FLUSH_GLOBAL is not
722 				 * set)
723 				 */
724 				if (s->af == (*state)->af &&
725 				    (((*state)->direction == PF_OUT &&
726 				    PF_AEQ(&(*state)->src_node->addr,
727 				    &s->lan.addr, s->af)) ||
728 				    ((*state)->direction == PF_IN &&
729 				    PF_AEQ(&(*state)->src_node->addr,
730 				    &s->ext.addr, s->af))) &&
731 				    ((*state)->rule.ptr->flush &
732 				    PF_FLUSH_GLOBAL ||
733 				    (*state)->rule.ptr == s->rule.ptr)) {
734 					s->timeout = PFTM_PURGE;
735 					s->src.state = s->dst.state =
736 					    TCPS_CLOSED;
737 					killed++;
738 				}
739 			}
740 			if (pf_status.debug >= PF_DEBUG_MISC)
741 				kprintf(", %u states killed", killed);
742 		}
743 		if (pf_status.debug >= PF_DEBUG_MISC)
744 			kprintf("\n");
745 	}
746 
747 	/* kill this state */
748 	(*state)->timeout = PFTM_PURGE;
749 	(*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
750 	return (1);
751 }
752 
753 int
754 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
755     struct pf_addr *src, sa_family_t af)
756 {
757 	struct pf_src_node	k;
758 
759 	if (*sn == NULL) {
760 		k.af = af;
761 		PF_ACPY(&k.addr, src, af);
762 		if (rule->rule_flag & PFRULE_RULESRCTRACK ||
763 		    rule->rpool.opts & PF_POOL_STICKYADDR)
764 			k.rule.ptr = rule;
765 		else
766 			k.rule.ptr = NULL;
767 		pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
768 		*sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
769 	}
770 	if (*sn == NULL) {
771 		if (!rule->max_src_nodes ||
772 		    rule->src_nodes < rule->max_src_nodes)
773 			(*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
774 		else
775 			pf_status.lcounters[LCNT_SRCNODES]++;
776 		if ((*sn) == NULL)
777 			return (-1);
778 		bzero(*sn, sizeof(struct pf_src_node));
779 
780 		pf_init_threshold(&(*sn)->conn_rate,
781 		    rule->max_src_conn_rate.limit,
782 		    rule->max_src_conn_rate.seconds);
783 
784 		(*sn)->af = af;
785 		if (rule->rule_flag & PFRULE_RULESRCTRACK ||
786 		    rule->rpool.opts & PF_POOL_STICKYADDR)
787 			(*sn)->rule.ptr = rule;
788 		else
789 			(*sn)->rule.ptr = NULL;
790 		PF_ACPY(&(*sn)->addr, src, af);
791 		if (RB_INSERT(pf_src_tree,
792 		    &tree_src_tracking, *sn) != NULL) {
793 			if (pf_status.debug >= PF_DEBUG_MISC) {
794 				kprintf("pf: src_tree insert failed: ");
795 				pf_print_host(&(*sn)->addr, 0, af);
796 				kprintf("\n");
797 			}
798 			pool_put(&pf_src_tree_pl, *sn);
799 			return (-1);
800 		}
801 		(*sn)->creation = time_second;
802 		(*sn)->ruletype = rule->action;
803 		if ((*sn)->rule.ptr != NULL)
804 			(*sn)->rule.ptr->src_nodes++;
805 		pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
806 		pf_status.src_nodes++;
807 	} else {
808 		if (rule->max_src_states &&
809 		    (*sn)->states >= rule->max_src_states) {
810 			pf_status.lcounters[LCNT_SRCSTATES]++;
811 			return (-1);
812 		}
813 	}
814 	return (0);
815 }
816 
817 int
818 pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
819 {
820 	/* Thou MUST NOT insert multiple duplicate keys */
821 	state->u.s.kif = kif;
822 	if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) {
823 		if (pf_status.debug >= PF_DEBUG_MISC) {
824 			kprintf("pf: state insert failed: tree_lan_ext");
825 			kprintf(" lan: ");
826 			pf_print_host(&state->lan.addr, state->lan.port,
827 			    state->af);
828 			kprintf(" gwy: ");
829 			pf_print_host(&state->gwy.addr, state->gwy.port,
830 			    state->af);
831 			kprintf(" ext: ");
832 			pf_print_host(&state->ext.addr, state->ext.port,
833 			    state->af);
834 			if (state->sync_flags & PFSTATE_FROMSYNC)
835 				kprintf(" (from sync)");
836 			kprintf("\n");
837 		}
838 		return (-1);
839 	}
840 
841 	if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) {
842 		if (pf_status.debug >= PF_DEBUG_MISC) {
843 			kprintf("pf: state insert failed: tree_ext_gwy");
844 			kprintf(" lan: ");
845 			pf_print_host(&state->lan.addr, state->lan.port,
846 			    state->af);
847 			kprintf(" gwy: ");
848 			pf_print_host(&state->gwy.addr, state->gwy.port,
849 			    state->af);
850 			kprintf(" ext: ");
851 			pf_print_host(&state->ext.addr, state->ext.port,
852 			    state->af);
853 			if (state->sync_flags & PFSTATE_FROMSYNC)
854 				kprintf(" (from sync)");
855 			kprintf("\n");
856 		}
857 		RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
858 		return (-1);
859 	}
860 
861 	if (state->id == 0 && state->creatorid == 0) {
862 		state->id = htobe64(pf_status.stateid++);
863 		state->creatorid = pf_status.hostid;
864 	}
865 	if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) {
866 		if (pf_status.debug >= PF_DEBUG_MISC) {
867 			kprintf("pf: state insert failed: "
868 			    "id: %016" PRIx64 " creatorid: %08" PRIx32,
869 			    be64toh(state->id), ntohl(state->creatorid));
870 			if (state->sync_flags & PFSTATE_FROMSYNC)
871 				kprintf(" (from sync)");
872 			kprintf("\n");
873 		}
874 		RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
875 		RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state);
876 		return (-1);
877 	}
878 	TAILQ_INSERT_TAIL(&state_list, state, u.s.entry_list);
879 	pf_status.fcounters[FCNT_STATE_INSERT]++;
880 	pf_status.states++;
881 	pfi_kif_ref(kif, PFI_KIF_REF_STATE);
882 #if NPFSYNC
883 	pfsync_insert_state(state);
884 #endif
885 	return (0);
886 }
887 
888 void
889 pf_purge_thread(void *v)
890 {
891 	int nloops = 0;
892 	int locked = 0;
893 
894 	get_mplock();
895 	for (;;) {
896 		tsleep(pf_purge_thread, PWAIT, "pftm", 1 * hz);
897 
898 		lockmgr(&pf_consistency_lock, LK_EXCLUSIVE);
899 
900 		if (pf_end_threads) {
901 			pf_purge_expired_states(pf_status.states, 1);
902 			pf_purge_expired_fragments();
903 			pf_purge_expired_src_nodes(1);
904 			pf_end_threads++;
905 
906 			lockmgr(&pf_consistency_lock, LK_RELEASE);
907 			wakeup(pf_purge_thread);
908 			kthread_exit();
909 		}
910 		crit_enter();
911 
912 		/* process a fraction of the state table every second */
913 		if(!pf_purge_expired_states(1 + (pf_status.states
914 		    / pf_default_rule.timeout[PFTM_INTERVAL]), 0)) {
915 
916 			pf_purge_expired_states(1 + (pf_status.states
917 			    / pf_default_rule.timeout[PFTM_INTERVAL]), 1);
918 		}
919 
920 		/* purge other expired types every PFTM_INTERVAL seconds */
921 		if (++nloops >= pf_default_rule.timeout[PFTM_INTERVAL]) {
922 			pf_purge_expired_fragments();
923 			if (!pf_purge_expired_src_nodes(locked)) {
924 				pf_purge_expired_src_nodes(1);
925 			}
926 			nloops = 0;
927 		}
928 		crit_exit();
929 		lockmgr(&pf_consistency_lock, LK_RELEASE);
930 	}
931 	rel_mplock();
932 }
933 
934 u_int32_t
935 pf_state_expires(const struct pf_state *state)
936 {
937 	u_int32_t	timeout;
938 	u_int32_t	start;
939 	u_int32_t	end;
940 	u_int32_t	states;
941 
942 	/* handle all PFTM_* > PFTM_MAX here */
943 	if (state->timeout == PFTM_PURGE)
944 		return (time_second);
945 	if (state->timeout == PFTM_UNTIL_PACKET)
946 		return (0);
947 	KKASSERT(state->timeout != PFTM_UNLINKED);
948 	KASSERT((state->timeout < PFTM_MAX),
949 		("pf_state_expires: timeout > PFTM_MAX"));
950 	timeout = state->rule.ptr->timeout[state->timeout];
951 	if (!timeout)
952 		timeout = pf_default_rule.timeout[state->timeout];
953 	start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
954 	if (start) {
955 		end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
956 		states = state->rule.ptr->states;
957 	} else {
958 		start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
959 		end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
960 		states = pf_status.states;
961 	}
962 	if (end && states > start && start < end) {
963 		if (states < end)
964 			return (state->expire + timeout * (end - states) /
965 			    (end - start));
966 		else
967 			return (time_second);
968 	}
969 	return (state->expire + timeout);
970 }
971 
972 int
973 pf_purge_expired_src_nodes(int waslocked)
974 {
975 	 struct pf_src_node		*cur, *next;
976 	 int				 locked = waslocked;
977 
978 	 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
979 		 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
980 
981 		 if (cur->states <= 0 && cur->expire <= time_second) {
982 			 if (! locked) {
983 				 lockmgr(&pf_consistency_lock, LK_EXCLUSIVE);
984 			 	 next = RB_NEXT(pf_src_tree,
985 				     &tree_src_tracking, cur);
986 				 locked = 1;
987 			 }
988 			 if (cur->rule.ptr != NULL) {
989 				 cur->rule.ptr->src_nodes--;
990 				 if (cur->rule.ptr->states <= 0 &&
991 				     cur->rule.ptr->max_src_nodes <= 0)
992 					 pf_rm_rule(NULL, cur->rule.ptr);
993 			 }
994 			 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
995 			 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
996 			 pf_status.src_nodes--;
997 			 pool_put(&pf_src_tree_pl, cur);
998 		 }
999 	 }
1000 
1001 	 if (locked && !waslocked)
1002 		lockmgr(&pf_consistency_lock, LK_RELEASE);
1003 	return(1);
1004 }
1005 
1006 void
1007 pf_src_tree_remove_state(struct pf_state *s)
1008 {
1009 	u_int32_t timeout;
1010 
1011 	if (s->src_node != NULL) {
1012 		if (s->proto == IPPROTO_TCP) {
1013 			if (s->src.tcp_est)
1014 				--s->src_node->conn;
1015 		}
1016 		if (--s->src_node->states <= 0) {
1017 			timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1018 			if (!timeout)
1019 				timeout =
1020 				    pf_default_rule.timeout[PFTM_SRC_NODE];
1021 			s->src_node->expire = time_second + timeout;
1022 		}
1023 	}
1024 	if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
1025 		if (--s->nat_src_node->states <= 0) {
1026 			timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
1027 			if (!timeout)
1028 				timeout =
1029 				    pf_default_rule.timeout[PFTM_SRC_NODE];
1030 			s->nat_src_node->expire = time_second + timeout;
1031 		}
1032 	}
1033 	s->src_node = s->nat_src_node = NULL;
1034 }
1035 
1036 /* callers should be at crit_enter() */
1037 void
1038 pf_unlink_state(struct pf_state *cur)
1039 {
1040 	if (cur->src.state == PF_TCPS_PROXY_DST) {
1041 		pf_send_tcp(cur->rule.ptr, cur->af,
1042 		    &cur->ext.addr, &cur->lan.addr,
1043 		    cur->ext.port, cur->lan.port,
1044 		    cur->src.seqhi, cur->src.seqlo + 1,
1045 		    TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL);
1046 	}
1047 	RB_REMOVE(pf_state_tree_ext_gwy,
1048 	    &cur->u.s.kif->pfik_ext_gwy, cur);
1049 	RB_REMOVE(pf_state_tree_lan_ext,
1050 	    &cur->u.s.kif->pfik_lan_ext, cur);
1051 	RB_REMOVE(pf_state_tree_id, &tree_id, cur);
1052 #if NPFSYNC
1053 	if (cur->creatorid == pf_status.hostid)
1054 		pfsync_delete_state(cur);
1055 #endif
1056 	cur->timeout = PFTM_UNLINKED;
1057 	pf_src_tree_remove_state(cur);
1058 }
1059 
1060 /* callers should be at crit_enter() and hold the
1061  * write_lock on pf_consistency_lock */
1062 void
1063 pf_free_state(struct pf_state *cur)
1064 {
1065 #if NPFSYNC
1066 	if (pfsyncif != NULL &&
1067 	    (pfsyncif->sc_bulk_send_next == cur ||
1068 	    pfsyncif->sc_bulk_terminator == cur))
1069 		return;
1070 #endif
1071 	KKASSERT(cur->timeout == PFTM_UNLINKED);
1072 	if (--cur->rule.ptr->states <= 0 &&
1073 	    cur->rule.ptr->src_nodes <= 0)
1074 		pf_rm_rule(NULL, cur->rule.ptr);
1075 	if (cur->nat_rule.ptr != NULL)
1076 		if (--cur->nat_rule.ptr->states <= 0 &&
1077 			cur->nat_rule.ptr->src_nodes <= 0)
1078 			pf_rm_rule(NULL, cur->nat_rule.ptr);
1079 	if (cur->anchor.ptr != NULL)
1080 		if (--cur->anchor.ptr->states <= 0)
1081 			pf_rm_rule(NULL, cur->anchor.ptr);
1082 	pf_normalize_tcp_cleanup(cur);
1083 	pfi_kif_unref(cur->u.s.kif, PFI_KIF_REF_STATE);
1084 	TAILQ_REMOVE(&state_list, cur, u.s.entry_list);
1085 	if (cur->tag)
1086 		pf_tag_unref(cur->tag);
1087 	pool_put(&pf_state_pl, cur);
1088 	pf_status.fcounters[FCNT_STATE_REMOVALS]++;
1089 	pf_status.states--;
1090 }
1091 
1092 int
1093 pf_purge_expired_states(u_int32_t maxcheck, int waslocked)
1094 {
1095 	static struct pf_state	*cur = NULL;
1096 	struct pf_state		*next;
1097 	int 			 locked = waslocked;
1098 
1099 	while (maxcheck--) {
1100 		/* wrap to start of list when we hit the end */
1101 		if (cur == NULL) {
1102 			cur = TAILQ_FIRST(&state_list);
1103 			if (cur == NULL)
1104 				break;	/* list empty */
1105 		}
1106 
1107 		/* get next state, as cur may get deleted */
1108 		next = TAILQ_NEXT(cur, u.s.entry_list);
1109 
1110 		if (cur->timeout == PFTM_UNLINKED) {
1111 			/* free unlinked state */
1112 			if (! locked) {
1113 				lockmgr(&pf_consistency_lock, LK_EXCLUSIVE);
1114 				locked = 1;
1115 			}
1116 			pf_free_state(cur);
1117 		} else if (pf_state_expires(cur) <= time_second) {
1118 			/* unlink and free expired state */
1119 			pf_unlink_state(cur);
1120 			if (! locked) {
1121 				if (!lockmgr(&pf_consistency_lock, LK_EXCLUSIVE))
1122 					return (0);
1123 				locked = 1;
1124 			}
1125 			pf_free_state(cur);
1126 		}
1127 		cur = next;
1128 	}
1129 
1130 	if (locked)
1131 		lockmgr(&pf_consistency_lock, LK_RELEASE);
1132 	return (1);
1133 }
1134 
1135 int
1136 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
1137 {
1138 	if (aw->type != PF_ADDR_TABLE)
1139 		return (0);
1140 	if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
1141 		return (1);
1142 	return (0);
1143 }
1144 
1145 void
1146 pf_tbladdr_remove(struct pf_addr_wrap *aw)
1147 {
1148 	if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL)
1149 		return;
1150 	pfr_detach_table(aw->p.tbl);
1151 	aw->p.tbl = NULL;
1152 }
1153 
1154 void
1155 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
1156 {
1157 	struct pfr_ktable *kt = aw->p.tbl;
1158 
1159 	if (aw->type != PF_ADDR_TABLE || kt == NULL)
1160 		return;
1161 	if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1162 		kt = kt->pfrkt_root;
1163 	aw->p.tbl = NULL;
1164 	aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
1165 		kt->pfrkt_cnt : -1;
1166 }
1167 
1168 void
1169 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
1170 {
1171 	switch (af) {
1172 #ifdef INET
1173 	case AF_INET: {
1174 		u_int32_t a = ntohl(addr->addr32[0]);
1175 		kprintf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
1176 		    (a>>8)&255, a&255);
1177 		if (p) {
1178 			p = ntohs(p);
1179 			kprintf(":%u", p);
1180 		}
1181 		break;
1182 	}
1183 #endif /* INET */
1184 #ifdef INET6
1185 	case AF_INET6: {
1186 		u_int16_t b;
1187 		u_int8_t i, curstart = 255, curend = 0,
1188 		    maxstart = 0, maxend = 0;
1189 		for (i = 0; i < 8; i++) {
1190 			if (!addr->addr16[i]) {
1191 				if (curstart == 255)
1192 					curstart = i;
1193 				else
1194 					curend = i;
1195 			} else {
1196 				if (curstart) {
1197 					if ((curend - curstart) >
1198 					    (maxend - maxstart)) {
1199 						maxstart = curstart;
1200 						maxend = curend;
1201 						curstart = 255;
1202 					}
1203 				}
1204 			}
1205 		}
1206 		for (i = 0; i < 8; i++) {
1207 			if (i >= maxstart && i <= maxend) {
1208 				if (maxend != 7) {
1209 					if (i == maxstart)
1210 						kprintf(":");
1211 				} else {
1212 					if (i == maxend)
1213 						kprintf(":");
1214 				}
1215 			} else {
1216 				b = ntohs(addr->addr16[i]);
1217 				kprintf("%x", b);
1218 				if (i < 7)
1219 					kprintf(":");
1220 			}
1221 		}
1222 		if (p) {
1223 			p = ntohs(p);
1224 			kprintf("[%u]", p);
1225 		}
1226 		break;
1227 	}
1228 #endif /* INET6 */
1229 	}
1230 }
1231 
1232 void
1233 pf_print_state(struct pf_state *s)
1234 {
1235 	switch (s->proto) {
1236 	case IPPROTO_TCP:
1237 		kprintf("TCP ");
1238 		break;
1239 	case IPPROTO_UDP:
1240 		kprintf("UDP ");
1241 		break;
1242 	case IPPROTO_ICMP:
1243 		kprintf("ICMP ");
1244 		break;
1245 	case IPPROTO_ICMPV6:
1246 		kprintf("ICMPV6 ");
1247 		break;
1248 	default:
1249 		kprintf("%u ", s->proto);
1250 		break;
1251 	}
1252 	pf_print_host(&s->lan.addr, s->lan.port, s->af);
1253 	kprintf(" ");
1254 	pf_print_host(&s->gwy.addr, s->gwy.port, s->af);
1255 	kprintf(" ");
1256 	pf_print_host(&s->ext.addr, s->ext.port, s->af);
1257 	kprintf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
1258 	    s->src.seqhi, s->src.max_win, s->src.seqdiff);
1259 	if (s->src.wscale && s->dst.wscale)
1260 		kprintf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
1261 	kprintf("]");
1262 	kprintf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
1263 	    s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
1264 	if (s->src.wscale && s->dst.wscale)
1265 		kprintf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
1266 	kprintf("]");
1267 	kprintf(" %u:%u", s->src.state, s->dst.state);
1268 }
1269 
1270 void
1271 pf_print_flags(u_int8_t f)
1272 {
1273 	if (f)
1274 		kprintf(" ");
1275 	if (f & TH_FIN)
1276 		kprintf("F");
1277 	if (f & TH_SYN)
1278 		kprintf("S");
1279 	if (f & TH_RST)
1280 		kprintf("R");
1281 	if (f & TH_PUSH)
1282 		kprintf("P");
1283 	if (f & TH_ACK)
1284 		kprintf("A");
1285 	if (f & TH_URG)
1286 		kprintf("U");
1287 	if (f & TH_ECE)
1288 		kprintf("E");
1289 	if (f & TH_CWR)
1290 		kprintf("W");
1291 }
1292 
1293 #define	PF_SET_SKIP_STEPS(i)					\
1294 	do {							\
1295 		while (head[i] != cur) {			\
1296 			head[i]->skip[i].ptr = cur;		\
1297 			head[i] = TAILQ_NEXT(head[i], entries);	\
1298 		}						\
1299 	} while (0)
1300 
1301 void
1302 pf_calc_skip_steps(struct pf_rulequeue *rules)
1303 {
1304 	struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
1305 	int i;
1306 
1307 	cur = TAILQ_FIRST(rules);
1308 	prev = cur;
1309 	for (i = 0; i < PF_SKIP_COUNT; ++i)
1310 		head[i] = cur;
1311 	while (cur != NULL) {
1312 
1313 		if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
1314 			PF_SET_SKIP_STEPS(PF_SKIP_IFP);
1315 		if (cur->direction != prev->direction)
1316 			PF_SET_SKIP_STEPS(PF_SKIP_DIR);
1317 		if (cur->af != prev->af)
1318 			PF_SET_SKIP_STEPS(PF_SKIP_AF);
1319 		if (cur->proto != prev->proto)
1320 			PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1321 		if (cur->src.neg != prev->src.neg ||
1322 		    pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
1323 			PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
1324 		if (cur->src.port[0] != prev->src.port[0] ||
1325 		    cur->src.port[1] != prev->src.port[1] ||
1326 		    cur->src.port_op != prev->src.port_op)
1327 			PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1328 		if (cur->dst.neg != prev->dst.neg ||
1329 		    pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
1330 			PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
1331 		if (cur->dst.port[0] != prev->dst.port[0] ||
1332 		    cur->dst.port[1] != prev->dst.port[1] ||
1333 		    cur->dst.port_op != prev->dst.port_op)
1334 			PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1335 
1336 		prev = cur;
1337 		cur = TAILQ_NEXT(cur, entries);
1338 	}
1339 	for (i = 0; i < PF_SKIP_COUNT; ++i)
1340 		PF_SET_SKIP_STEPS(i);
1341 }
1342 
1343 int
1344 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
1345 {
1346 	if (aw1->type != aw2->type)
1347 		return (1);
1348 	switch (aw1->type) {
1349 	case PF_ADDR_ADDRMASK:
1350 		if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0))
1351 			return (1);
1352 		if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0))
1353 			return (1);
1354 		return (0);
1355 	case PF_ADDR_DYNIFTL:
1356 		return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
1357 	case PF_ADDR_NOROUTE:
1358 	case PF_ADDR_URPFFAILED:
1359 		return (0);
1360 	case PF_ADDR_TABLE:
1361 		return (aw1->p.tbl != aw2->p.tbl);
1362 	case PF_ADDR_RTLABEL:
1363 		return (aw1->v.rtlabel != aw2->v.rtlabel);
1364 	default:
1365 		kprintf("invalid address type: %d\n", aw1->type);
1366 		return (1);
1367 	}
1368 }
1369 
1370 u_int16_t
1371 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
1372 {
1373 	u_int32_t	l;
1374 
1375 	if (udp && !cksum)
1376 		return (0x0000);
1377 	l = cksum + old - new;
1378 	l = (l >> 16) + (l & 65535);
1379 	l = l & 65535;
1380 	if (udp && !l)
1381 		return (0xFFFF);
1382 	return (l);
1383 }
1384 
1385 void
1386 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
1387     struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
1388 {
1389 	struct pf_addr	ao;
1390 	u_int16_t	po = *p;
1391 
1392 	PF_ACPY(&ao, a, af);
1393 	PF_ACPY(a, an, af);
1394 
1395 	*p = pn;
1396 
1397 	switch (af) {
1398 #ifdef INET
1399 	case AF_INET:
1400 		*ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1401 		    ao.addr16[0], an->addr16[0], 0),
1402 		    ao.addr16[1], an->addr16[1], 0);
1403 		*p = pn;
1404 		*pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1405 		    ao.addr16[0], an->addr16[0], u),
1406 		    ao.addr16[1], an->addr16[1], u),
1407 		    po, pn, u);
1408 		break;
1409 #endif /* INET */
1410 #ifdef INET6
1411 	case AF_INET6:
1412 		*pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1413 		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1414 		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1415 		    ao.addr16[0], an->addr16[0], u),
1416 		    ao.addr16[1], an->addr16[1], u),
1417 		    ao.addr16[2], an->addr16[2], u),
1418 		    ao.addr16[3], an->addr16[3], u),
1419 		    ao.addr16[4], an->addr16[4], u),
1420 		    ao.addr16[5], an->addr16[5], u),
1421 		    ao.addr16[6], an->addr16[6], u),
1422 		    ao.addr16[7], an->addr16[7], u),
1423 		    po, pn, u);
1424 		break;
1425 #endif /* INET6 */
1426 	}
1427 }
1428 
1429 
1430 /* Changes a u_int32_t.  Uses a void * so there are no align restrictions */
1431 void
1432 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
1433 {
1434 	u_int32_t	ao;
1435 
1436 	memcpy(&ao, a, sizeof(ao));
1437 	memcpy(a, &an, sizeof(u_int32_t));
1438 	*c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
1439 	    ao % 65536, an % 65536, u);
1440 }
1441 
1442 #ifdef INET6
1443 void
1444 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
1445 {
1446 	struct pf_addr	ao;
1447 
1448 	PF_ACPY(&ao, a, AF_INET6);
1449 	PF_ACPY(a, an, AF_INET6);
1450 
1451 	*c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1452 	    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1453 	    pf_cksum_fixup(pf_cksum_fixup(*c,
1454 	    ao.addr16[0], an->addr16[0], u),
1455 	    ao.addr16[1], an->addr16[1], u),
1456 	    ao.addr16[2], an->addr16[2], u),
1457 	    ao.addr16[3], an->addr16[3], u),
1458 	    ao.addr16[4], an->addr16[4], u),
1459 	    ao.addr16[5], an->addr16[5], u),
1460 	    ao.addr16[6], an->addr16[6], u),
1461 	    ao.addr16[7], an->addr16[7], u);
1462 }
1463 #endif /* INET6 */
1464 
1465 void
1466 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
1467     struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
1468     u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
1469 {
1470 	struct pf_addr	oia, ooa;
1471 
1472 	PF_ACPY(&oia, ia, af);
1473 	PF_ACPY(&ooa, oa, af);
1474 
1475 	/* Change inner protocol port, fix inner protocol checksum. */
1476 	if (ip != NULL) {
1477 		u_int16_t	oip = *ip;
1478 		u_int32_t	opc = 0;
1479 
1480 		if (pc != NULL)
1481 			opc = *pc;
1482 		*ip = np;
1483 		if (pc != NULL)
1484 			*pc = pf_cksum_fixup(*pc, oip, *ip, u);
1485 		*ic = pf_cksum_fixup(*ic, oip, *ip, 0);
1486 		if (pc != NULL)
1487 			*ic = pf_cksum_fixup(*ic, opc, *pc, 0);
1488 	}
1489 	/* Change inner ip address, fix inner ip and icmp checksums. */
1490 	PF_ACPY(ia, na, af);
1491 	switch (af) {
1492 #ifdef INET
1493 	case AF_INET: {
1494 		u_int32_t	 oh2c = *h2c;
1495 
1496 		*h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
1497 		    oia.addr16[0], ia->addr16[0], 0),
1498 		    oia.addr16[1], ia->addr16[1], 0);
1499 		*ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1500 		    oia.addr16[0], ia->addr16[0], 0),
1501 		    oia.addr16[1], ia->addr16[1], 0);
1502 		*ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
1503 		break;
1504 	}
1505 #endif /* INET */
1506 #ifdef INET6
1507 	case AF_INET6:
1508 		*ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1509 		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1510 		    pf_cksum_fixup(pf_cksum_fixup(*ic,
1511 		    oia.addr16[0], ia->addr16[0], u),
1512 		    oia.addr16[1], ia->addr16[1], u),
1513 		    oia.addr16[2], ia->addr16[2], u),
1514 		    oia.addr16[3], ia->addr16[3], u),
1515 		    oia.addr16[4], ia->addr16[4], u),
1516 		    oia.addr16[5], ia->addr16[5], u),
1517 		    oia.addr16[6], ia->addr16[6], u),
1518 		    oia.addr16[7], ia->addr16[7], u);
1519 		break;
1520 #endif /* INET6 */
1521 	}
1522 	/* Change outer ip address, fix outer ip or icmpv6 checksum. */
1523 	PF_ACPY(oa, na, af);
1524 	switch (af) {
1525 #ifdef INET
1526 	case AF_INET:
1527 		*hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
1528 		    ooa.addr16[0], oa->addr16[0], 0),
1529 		    ooa.addr16[1], oa->addr16[1], 0);
1530 		break;
1531 #endif /* INET */
1532 #ifdef INET6
1533 	case AF_INET6:
1534 		*ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1535 		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1536 		    pf_cksum_fixup(pf_cksum_fixup(*ic,
1537 		    ooa.addr16[0], oa->addr16[0], u),
1538 		    ooa.addr16[1], oa->addr16[1], u),
1539 		    ooa.addr16[2], oa->addr16[2], u),
1540 		    ooa.addr16[3], oa->addr16[3], u),
1541 		    ooa.addr16[4], oa->addr16[4], u),
1542 		    ooa.addr16[5], oa->addr16[5], u),
1543 		    ooa.addr16[6], oa->addr16[6], u),
1544 		    ooa.addr16[7], oa->addr16[7], u);
1545 		break;
1546 #endif /* INET6 */
1547 	}
1548 }
1549 
1550 
1551 /*
1552  * Need to modulate the sequence numbers in the TCP SACK option
1553  * (credits to Krzysztof Pfaff for report and patch)
1554  */
1555 int
1556 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
1557     struct tcphdr *th, struct pf_state_peer *dst)
1558 {
1559 	int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
1560 	u_int8_t opts[TCP_MAXOLEN], *opt = opts;
1561 	int copyback = 0, i, olen;
1562 	struct raw_sackblock sack;
1563 
1564 #define TCPOLEN_SACKLEN	(TCPOLEN_SACK + 2)
1565 	if (hlen < TCPOLEN_SACKLEN ||
1566 	    !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
1567 		return 0;
1568 
1569 	while (hlen >= TCPOLEN_SACKLEN) {
1570 		olen = opt[1];
1571 		switch (*opt) {
1572 		case TCPOPT_EOL:	/* FALLTHROUGH */
1573 		case TCPOPT_NOP:
1574 			opt++;
1575 			hlen--;
1576 			break;
1577 		case TCPOPT_SACK:
1578 			if (olen > hlen)
1579 				olen = hlen;
1580 			if (olen >= TCPOLEN_SACKLEN) {
1581 				for (i = 2; i + TCPOLEN_SACK <= olen;
1582 				    i += TCPOLEN_SACK) {
1583 					memcpy(&sack, &opt[i], sizeof(sack));
1584 					pf_change_a(&sack.rblk_start, &th->th_sum,
1585 					    htonl(ntohl(sack.rblk_start) -
1586 					    dst->seqdiff), 0);
1587 					pf_change_a(&sack.rblk_end, &th->th_sum,
1588 					    htonl(ntohl(sack.rblk_end) -
1589 					    dst->seqdiff), 0);
1590 					memcpy(&opt[i], &sack, sizeof(sack));
1591 				}
1592 				copyback = 1;
1593 			}
1594 			/* FALLTHROUGH */
1595 		default:
1596 			if (olen < 2)
1597 				olen = 2;
1598 			hlen -= olen;
1599 			opt += olen;
1600 		}
1601 	}
1602 
1603 	if (copyback)
1604 		m_copyback(m, off + sizeof(*th), thoptlen, opts);
1605 	return (copyback);
1606 }
1607 
1608 void
1609 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
1610     const struct pf_addr *saddr, const struct pf_addr *daddr,
1611     u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
1612     u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
1613     u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp)
1614 {
1615 	struct mbuf	*m;
1616 	int		 len = 0, tlen;
1617 #ifdef INET
1618 	struct ip	*h = NULL;
1619 #endif /* INET */
1620 #ifdef INET6
1621 	struct ip6_hdr	*h6 = NULL;
1622 #endif /* INET6 */
1623 	struct tcphdr	*th = NULL;
1624 	char		*opt;
1625 	struct pf_mtag	*pf_mtag;
1626 
1627 	/* maximum segment size tcp option */
1628 	tlen = sizeof(struct tcphdr);
1629 	if (mss)
1630 		tlen += 4;
1631 
1632 	switch (af) {
1633 #ifdef INET
1634 	case AF_INET:
1635 		len = sizeof(struct ip) + tlen;
1636 		break;
1637 #endif /* INET */
1638 #ifdef INET6
1639 	case AF_INET6:
1640 		len = sizeof(struct ip6_hdr) + tlen;
1641 		break;
1642 #endif /* INET6 */
1643 	}
1644 
1645 	/* create outgoing mbuf */
1646 	m = m_gethdr(MB_DONTWAIT, MT_HEADER);
1647 	if (m == NULL)
1648 		return;
1649 	if ((pf_mtag = pf_get_mtag(m)) == NULL) {
1650 		m_freem(m);
1651 		return;
1652 	}
1653 	if (tag)
1654 		pf_mtag->flags |= PF_TAG_GENERATED;
1655 
1656 	pf_mtag->tag = rtag;
1657 
1658 	if (r != NULL && r->rtableid >= 0)
1659 		pf_mtag->rtableid = r->rtableid;
1660 
1661 #ifdef ALTQ
1662 	if (r != NULL && r->qid) {
1663 		pf_mtag->qid = r->qid;
1664 		/* add hints for ecn */
1665 		pf_mtag->af = af;
1666 		pf_mtag->hdr = mtod(m, struct ip *);
1667 	}
1668 #endif /* ALTQ */
1669 	m->m_data += max_linkhdr;
1670 	m->m_pkthdr.len = m->m_len = len;
1671 	m->m_pkthdr.rcvif = NULL;
1672 	bzero(m->m_data, len);
1673 	switch (af) {
1674 #ifdef INET
1675 	case AF_INET:
1676 		h = mtod(m, struct ip *);
1677 
1678 		/* IP header fields included in the TCP checksum */
1679 		h->ip_p = IPPROTO_TCP;
1680 		h->ip_len = tlen;
1681 		h->ip_src.s_addr = saddr->v4.s_addr;
1682 		h->ip_dst.s_addr = daddr->v4.s_addr;
1683 
1684 		th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
1685 		break;
1686 #endif /* INET */
1687 #ifdef INET6
1688 	case AF_INET6:
1689 		h6 = mtod(m, struct ip6_hdr *);
1690 
1691 		/* IP header fields included in the TCP checksum */
1692 		h6->ip6_nxt = IPPROTO_TCP;
1693 		h6->ip6_plen = htons(tlen);
1694 		memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
1695 		memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
1696 
1697 		th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
1698 		break;
1699 #endif /* INET6 */
1700 	}
1701 
1702 	/* TCP header */
1703 	th->th_sport = sport;
1704 	th->th_dport = dport;
1705 	th->th_seq = htonl(seq);
1706 	th->th_ack = htonl(ack);
1707 	th->th_off = tlen >> 2;
1708 	th->th_flags = flags;
1709 	th->th_win = htons(win);
1710 
1711 	if (mss) {
1712 		opt = (char *)(th + 1);
1713 		opt[0] = TCPOPT_MAXSEG;
1714 		opt[1] = 4;
1715 		mss = htons(mss);
1716 		bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
1717 	}
1718 
1719 	switch (af) {
1720 #ifdef INET
1721 	case AF_INET:
1722 		/* TCP checksum */
1723 		th->th_sum = in_cksum(m, len);
1724 
1725 		/* Finish the IP header */
1726 		h->ip_v = 4;
1727 		h->ip_hl = sizeof(*h) >> 2;
1728 		h->ip_tos = IPTOS_LOWDELAY;
1729 		h->ip_len = len;
1730 		h->ip_off = path_mtu_discovery ? IP_DF : 0;
1731 		h->ip_ttl = ttl ? ttl : ip_defttl;
1732 		h->ip_sum = 0;
1733 		if (eh == NULL) {
1734 			ip_output(m, NULL, NULL, 0, NULL, NULL);
1735 		} else {
1736 			struct route		 ro;
1737 			struct rtentry		 rt;
1738 			struct ether_header	*e = (void *)ro.ro_dst.sa_data;
1739 
1740 			if (ifp == NULL) {
1741 				m_freem(m);
1742 				return;
1743 			}
1744 			rt.rt_ifp = ifp;
1745 			ro.ro_rt = &rt;
1746 			ro.ro_dst.sa_len = sizeof(ro.ro_dst);
1747 			ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT;
1748 			bcopy(eh->ether_dhost, e->ether_shost, ETHER_ADDR_LEN);
1749 			bcopy(eh->ether_shost, e->ether_dhost, ETHER_ADDR_LEN);
1750 			e->ether_type = eh->ether_type;
1751 			/* XXX_IMPORT: later */
1752 			ip_output(m, (void *)NULL, &ro, 0,
1753 			    (void *)NULL, (void *)NULL);
1754 		}
1755 		break;
1756 #endif /* INET */
1757 #ifdef INET6
1758 	case AF_INET6:
1759 		/* TCP checksum */
1760 		th->th_sum = in6_cksum(m, IPPROTO_TCP,
1761 		    sizeof(struct ip6_hdr), tlen);
1762 
1763 		h6->ip6_vfc |= IPV6_VERSION;
1764 		h6->ip6_hlim = IPV6_DEFHLIM;
1765 
1766 		ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
1767 		break;
1768 #endif /* INET6 */
1769 	}
1770 }
1771 
1772 void
1773 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
1774     struct pf_rule *r)
1775 {
1776 	struct pf_mtag	*pf_mtag;
1777 	struct mbuf	*m0;
1778 
1779 	m0 = m_copy(m, 0, M_COPYALL);
1780 
1781 	if ((pf_mtag = pf_get_mtag(m0)) == NULL)
1782 		return;
1783 	pf_mtag->flags |= PF_TAG_GENERATED;
1784 
1785 	if (r->rtableid >= 0)
1786 		pf_mtag->rtableid = r->rtableid;
1787 
1788 #ifdef ALTQ
1789 	if (r->qid) {
1790 		pf_mtag->qid = r->qid;
1791 		/* add hints for ecn */
1792 		pf_mtag->af = af;
1793 		pf_mtag->hdr = mtod(m0, struct ip *);
1794 	}
1795 #endif /* ALTQ */
1796 
1797 	switch (af) {
1798 #ifdef INET
1799 	case AF_INET:
1800 		icmp_error(m0, type, code, 0, 0);
1801 		break;
1802 #endif /* INET */
1803 #ifdef INET6
1804 	case AF_INET6:
1805 		icmp6_error(m0, type, code, 0);
1806 		break;
1807 #endif /* INET6 */
1808 	}
1809 }
1810 
1811 /*
1812  * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
1813  * If n is 0, they match if they are equal. If n is != 0, they match if they
1814  * are different.
1815  */
1816 int
1817 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
1818     struct pf_addr *b, sa_family_t af)
1819 {
1820 	int	match = 0;
1821 
1822 	switch (af) {
1823 #ifdef INET
1824 	case AF_INET:
1825 		if ((a->addr32[0] & m->addr32[0]) ==
1826 		    (b->addr32[0] & m->addr32[0]))
1827 			match++;
1828 		break;
1829 #endif /* INET */
1830 #ifdef INET6
1831 	case AF_INET6:
1832 		if (((a->addr32[0] & m->addr32[0]) ==
1833 		     (b->addr32[0] & m->addr32[0])) &&
1834 		    ((a->addr32[1] & m->addr32[1]) ==
1835 		     (b->addr32[1] & m->addr32[1])) &&
1836 		    ((a->addr32[2] & m->addr32[2]) ==
1837 		     (b->addr32[2] & m->addr32[2])) &&
1838 		    ((a->addr32[3] & m->addr32[3]) ==
1839 		     (b->addr32[3] & m->addr32[3])))
1840 			match++;
1841 		break;
1842 #endif /* INET6 */
1843 	}
1844 	if (match) {
1845 		if (n)
1846 			return (0);
1847 		else
1848 			return (1);
1849 	} else {
1850 		if (n)
1851 			return (1);
1852 		else
1853 			return (0);
1854 	}
1855 }
1856 
1857 int
1858 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
1859 {
1860 	switch (op) {
1861 	case PF_OP_IRG:
1862 		return ((p > a1) && (p < a2));
1863 	case PF_OP_XRG:
1864 		return ((p < a1) || (p > a2));
1865 	case PF_OP_RRG:
1866 		return ((p >= a1) && (p <= a2));
1867 	case PF_OP_EQ:
1868 		return (p == a1);
1869 	case PF_OP_NE:
1870 		return (p != a1);
1871 	case PF_OP_LT:
1872 		return (p < a1);
1873 	case PF_OP_LE:
1874 		return (p <= a1);
1875 	case PF_OP_GT:
1876 		return (p > a1);
1877 	case PF_OP_GE:
1878 		return (p >= a1);
1879 	}
1880 	return (0); /* never reached */
1881 }
1882 
1883 int
1884 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
1885 {
1886 	a1 = ntohs(a1);
1887 	a2 = ntohs(a2);
1888 	p = ntohs(p);
1889 	return (pf_match(op, a1, a2, p));
1890 }
1891 
1892 int
1893 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
1894 {
1895 	if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
1896 		return (0);
1897 	return (pf_match(op, a1, a2, u));
1898 }
1899 
1900 int
1901 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
1902 {
1903 	if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
1904 		return (0);
1905 	return (pf_match(op, a1, a2, g));
1906 }
1907 
1908 struct pf_mtag *
1909 pf_find_mtag(struct mbuf *m)
1910 {
1911 	struct m_tag	*mtag;
1912 
1913 	if ((mtag = m_tag_find(m, PF_MBUF_TAGGED, NULL)) == NULL)
1914 		return (NULL);
1915 
1916 	return ((struct pf_mtag *)(mtag + 1));
1917 }
1918 
1919 struct pf_mtag *
1920 pf_get_mtag(struct mbuf *m)
1921 {
1922 	struct m_tag	*mtag;
1923 
1924 	if ((mtag = m_tag_find(m, PF_MBUF_TAGGED, NULL)) == NULL) {
1925 		mtag = m_tag_get(PF_MBUF_TAGGED, sizeof(struct pf_mtag),
1926 		    M_NOWAIT);
1927 		if (mtag == NULL)
1928 			return (NULL);
1929 		bzero(mtag + 1, sizeof(struct pf_mtag));
1930 		m_tag_prepend(m, mtag);
1931 	}
1932 
1933 	return ((struct pf_mtag *)(mtag + 1));
1934 }
1935 
1936 int
1937 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_mtag *pf_mtag,
1938     int *tag)
1939 {
1940 	if (*tag == -1)
1941 		*tag = pf_mtag->tag;
1942 
1943 	return ((!r->match_tag_not && r->match_tag == *tag) ||
1944 	    (r->match_tag_not && r->match_tag != *tag));
1945 }
1946 
1947 int
1948 pf_tag_packet(struct mbuf *m, struct pf_mtag *pf_mtag, int tag, int rtableid)
1949 {
1950 	if (tag <= 0 && rtableid < 0)
1951 		return (0);
1952 
1953 	if (pf_mtag == NULL)
1954 		if ((pf_mtag = pf_get_mtag(m)) == NULL)
1955 			return (1);
1956 	if (tag > 0)
1957 		pf_mtag->tag = tag;
1958 	if (rtableid >= 0)
1959 		pf_mtag->rtableid = rtableid;
1960 
1961 	return (0);
1962 }
1963 
1964 static void
1965 pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n,
1966     struct pf_rule **r, struct pf_rule **a,  int *match)
1967 {
1968 	struct pf_anchor_stackframe	*f;
1969 
1970 	(*r)->anchor->match = 0;
1971 	if (match)
1972 		*match = 0;
1973 	if (*depth >= sizeof(pf_anchor_stack) /
1974 	    sizeof(pf_anchor_stack[0])) {
1975 		kprintf("pf_step_into_anchor: stack overflow\n");
1976 		*r = TAILQ_NEXT(*r, entries);
1977 		return;
1978 	} else if (*depth == 0 && a != NULL)
1979 		*a = *r;
1980 	f = pf_anchor_stack + (*depth)++;
1981 	f->rs = *rs;
1982 	f->r = *r;
1983 	if ((*r)->anchor_wildcard) {
1984 		f->parent = &(*r)->anchor->children;
1985 		if ((f->child = RB_MIN(pf_anchor_node, f->parent)) ==
1986 		    NULL) {
1987 			*r = NULL;
1988 			return;
1989 		}
1990 		*rs = &f->child->ruleset;
1991 	} else {
1992 		f->parent = NULL;
1993 		f->child = NULL;
1994 		*rs = &(*r)->anchor->ruleset;
1995 	}
1996 	*r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
1997 }
1998 
1999 int
2000 pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n,
2001     struct pf_rule **r, struct pf_rule **a, int *match)
2002 {
2003 	struct pf_anchor_stackframe	*f;
2004 	int quick = 0;
2005 
2006 	do {
2007 		if (*depth <= 0)
2008 			break;
2009 		f = pf_anchor_stack + *depth - 1;
2010 		if (f->parent != NULL && f->child != NULL) {
2011 			if (f->child->match ||
2012 			    (match != NULL && *match)) {
2013 				f->r->anchor->match = 1;
2014 				*match = 0;
2015 			}
2016 			f->child = RB_NEXT(pf_anchor_node, f->parent, f->child);
2017 			if (f->child != NULL) {
2018 				*rs = &f->child->ruleset;
2019 				*r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2020 				if (*r == NULL)
2021 					continue;
2022 				else
2023 					break;
2024 			}
2025 		}
2026 		(*depth)--;
2027 		if (*depth == 0 && a != NULL)
2028 			*a = NULL;
2029 		*rs = f->rs;
2030 		if (f->r->anchor->match || (match  != NULL && *match))
2031 			quick = f->r->quick;
2032 		*r = TAILQ_NEXT(f->r, entries);
2033 	} while (*r == NULL);
2034 
2035 	return (quick);
2036 }
2037 
2038 #ifdef INET6
2039 void
2040 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
2041     struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
2042 {
2043 	switch (af) {
2044 #ifdef INET
2045 	case AF_INET:
2046 		naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2047 		((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2048 		break;
2049 #endif /* INET */
2050 	case AF_INET6:
2051 		naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2052 		((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
2053 		naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
2054 		((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]);
2055 		naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
2056 		((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]);
2057 		naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
2058 		((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]);
2059 		break;
2060 	}
2061 }
2062 
2063 void
2064 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
2065 {
2066 	switch (af) {
2067 #ifdef INET
2068 	case AF_INET:
2069 		addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
2070 		break;
2071 #endif /* INET */
2072 	case AF_INET6:
2073 		if (addr->addr32[3] == 0xffffffff) {
2074 			addr->addr32[3] = 0;
2075 			if (addr->addr32[2] == 0xffffffff) {
2076 				addr->addr32[2] = 0;
2077 				if (addr->addr32[1] == 0xffffffff) {
2078 					addr->addr32[1] = 0;
2079 					addr->addr32[0] =
2080 					    htonl(ntohl(addr->addr32[0]) + 1);
2081 				} else
2082 					addr->addr32[1] =
2083 					    htonl(ntohl(addr->addr32[1]) + 1);
2084 			} else
2085 				addr->addr32[2] =
2086 				    htonl(ntohl(addr->addr32[2]) + 1);
2087 		} else
2088 			addr->addr32[3] =
2089 			    htonl(ntohl(addr->addr32[3]) + 1);
2090 		break;
2091 	}
2092 }
2093 #endif /* INET6 */
2094 
2095 #define mix(a,b,c) \
2096 	do {					\
2097 		a -= b; a -= c; a ^= (c >> 13);	\
2098 		b -= c; b -= a; b ^= (a << 8);	\
2099 		c -= a; c -= b; c ^= (b >> 13);	\
2100 		a -= b; a -= c; a ^= (c >> 12);	\
2101 		b -= c; b -= a; b ^= (a << 16);	\
2102 		c -= a; c -= b; c ^= (b >> 5);	\
2103 		a -= b; a -= c; a ^= (c >> 3);	\
2104 		b -= c; b -= a; b ^= (a << 10);	\
2105 		c -= a; c -= b; c ^= (b >> 15);	\
2106 	} while (0)
2107 
2108 /*
2109  * hash function based on bridge_hash in if_bridge.c
2110  */
2111 void
2112 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
2113     struct pf_poolhashkey *key, sa_family_t af)
2114 {
2115 	u_int32_t	a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
2116 
2117 	switch (af) {
2118 #ifdef INET
2119 	case AF_INET:
2120 		a += inaddr->addr32[0];
2121 		b += key->key32[1];
2122 		mix(a, b, c);
2123 		hash->addr32[0] = c + key->key32[2];
2124 		break;
2125 #endif /* INET */
2126 #ifdef INET6
2127 	case AF_INET6:
2128 		a += inaddr->addr32[0];
2129 		b += inaddr->addr32[2];
2130 		mix(a, b, c);
2131 		hash->addr32[0] = c;
2132 		a += inaddr->addr32[1];
2133 		b += inaddr->addr32[3];
2134 		c += key->key32[1];
2135 		mix(a, b, c);
2136 		hash->addr32[1] = c;
2137 		a += inaddr->addr32[2];
2138 		b += inaddr->addr32[1];
2139 		c += key->key32[2];
2140 		mix(a, b, c);
2141 		hash->addr32[2] = c;
2142 		a += inaddr->addr32[3];
2143 		b += inaddr->addr32[0];
2144 		c += key->key32[3];
2145 		mix(a, b, c);
2146 		hash->addr32[3] = c;
2147 		break;
2148 #endif /* INET6 */
2149 	}
2150 }
2151 
2152 int
2153 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
2154     struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
2155 {
2156 	unsigned char		 hash[16];
2157 	struct pf_pool		*rpool = &r->rpool;
2158 	struct pf_addr		*raddr = &rpool->cur->addr.v.a.addr;
2159 	struct pf_addr		*rmask = &rpool->cur->addr.v.a.mask;
2160 	struct pf_pooladdr	*acur = rpool->cur;
2161 	struct pf_src_node	 k;
2162 
2163 	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
2164 	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
2165 		k.af = af;
2166 		PF_ACPY(&k.addr, saddr, af);
2167 		if (r->rule_flag & PFRULE_RULESRCTRACK ||
2168 		    r->rpool.opts & PF_POOL_STICKYADDR)
2169 			k.rule.ptr = r;
2170 		else
2171 			k.rule.ptr = NULL;
2172 		pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
2173 		*sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
2174 		if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
2175 			PF_ACPY(naddr, &(*sn)->raddr, af);
2176 			if (pf_status.debug >= PF_DEBUG_MISC) {
2177 				kprintf("pf_map_addr: src tracking maps ");
2178 				pf_print_host(&k.addr, 0, af);
2179 				kprintf(" to ");
2180 				pf_print_host(naddr, 0, af);
2181 				kprintf("\n");
2182 			}
2183 			return (0);
2184 		}
2185 	}
2186 
2187 	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
2188 		return (1);
2189 	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2190 		switch (af) {
2191 #ifdef INET
2192 		case AF_INET:
2193 			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
2194 			    (rpool->opts & PF_POOL_TYPEMASK) !=
2195 			    PF_POOL_ROUNDROBIN)
2196 				return (1);
2197 			 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
2198 			 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
2199 			break;
2200 #endif /* INET */
2201 #ifdef INET6
2202 		case AF_INET6:
2203 			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
2204 			    (rpool->opts & PF_POOL_TYPEMASK) !=
2205 			    PF_POOL_ROUNDROBIN)
2206 				return (1);
2207 			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
2208 			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
2209 			break;
2210 #endif /* INET6 */
2211 		}
2212 	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2213 		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
2214 			return (1); /* unsupported */
2215 	} else {
2216 		raddr = &rpool->cur->addr.v.a.addr;
2217 		rmask = &rpool->cur->addr.v.a.mask;
2218 	}
2219 
2220 	switch (rpool->opts & PF_POOL_TYPEMASK) {
2221 	case PF_POOL_NONE:
2222 		PF_ACPY(naddr, raddr, af);
2223 		break;
2224 	case PF_POOL_BITMASK:
2225 		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
2226 		break;
2227 	case PF_POOL_RANDOM:
2228 		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
2229 			switch (af) {
2230 #ifdef INET
2231 			case AF_INET:
2232 				rpool->counter.addr32[0] = htonl(karc4random());
2233 				break;
2234 #endif /* INET */
2235 #ifdef INET6
2236 			case AF_INET6:
2237 				if (rmask->addr32[3] != 0xffffffff)
2238 					rpool->counter.addr32[3] =
2239 					    htonl(karc4random());
2240 				else
2241 					break;
2242 				if (rmask->addr32[2] != 0xffffffff)
2243 					rpool->counter.addr32[2] =
2244 					    htonl(karc4random());
2245 				else
2246 					break;
2247 				if (rmask->addr32[1] != 0xffffffff)
2248 					rpool->counter.addr32[1] =
2249 					    htonl(karc4random());
2250 				else
2251 					break;
2252 				if (rmask->addr32[0] != 0xffffffff)
2253 					rpool->counter.addr32[0] =
2254 					    htonl(karc4random());
2255 				break;
2256 #endif /* INET6 */
2257 			}
2258 			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
2259 			PF_ACPY(init_addr, naddr, af);
2260 
2261 		} else {
2262 			PF_AINC(&rpool->counter, af);
2263 			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
2264 		}
2265 		break;
2266 	case PF_POOL_SRCHASH:
2267 		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
2268 		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
2269 		break;
2270 	case PF_POOL_ROUNDROBIN:
2271 		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2272 			if (!pfr_pool_get(rpool->cur->addr.p.tbl,
2273 			    &rpool->tblidx, &rpool->counter,
2274 			    &raddr, &rmask, af))
2275 				goto get_addr;
2276 		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2277 			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
2278 			    &rpool->tblidx, &rpool->counter,
2279 			    &raddr, &rmask, af))
2280 				goto get_addr;
2281 		} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
2282 			goto get_addr;
2283 
2284 	try_next:
2285 		if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
2286 			rpool->cur = TAILQ_FIRST(&rpool->list);
2287 		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
2288 			rpool->tblidx = -1;
2289 			if (pfr_pool_get(rpool->cur->addr.p.tbl,
2290 			    &rpool->tblidx, &rpool->counter,
2291 			    &raddr, &rmask, af)) {
2292 				/* table contains no address of type 'af' */
2293 				if (rpool->cur != acur)
2294 					goto try_next;
2295 				return (1);
2296 			}
2297 		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
2298 			rpool->tblidx = -1;
2299 			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
2300 			    &rpool->tblidx, &rpool->counter,
2301 			    &raddr, &rmask, af)) {
2302 				/* table contains no address of type 'af' */
2303 				if (rpool->cur != acur)
2304 					goto try_next;
2305 				return (1);
2306 			}
2307 		} else {
2308 			raddr = &rpool->cur->addr.v.a.addr;
2309 			rmask = &rpool->cur->addr.v.a.mask;
2310 			PF_ACPY(&rpool->counter, raddr, af);
2311 		}
2312 
2313 	get_addr:
2314 		PF_ACPY(naddr, &rpool->counter, af);
2315 		if (init_addr != NULL && PF_AZERO(init_addr, af))
2316 			PF_ACPY(init_addr, naddr, af);
2317 		PF_AINC(&rpool->counter, af);
2318 		break;
2319 	}
2320 	if (*sn != NULL)
2321 		PF_ACPY(&(*sn)->raddr, naddr, af);
2322 
2323 	if (pf_status.debug >= PF_DEBUG_MISC &&
2324 	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
2325 		kprintf("pf_map_addr: selected address ");
2326 		pf_print_host(naddr, 0, af);
2327 		kprintf("\n");
2328 	}
2329 
2330 	return (0);
2331 }
2332 
2333 int
2334 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
2335     struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
2336     struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
2337     struct pf_src_node **sn)
2338 {
2339 	struct pf_state_cmp	key;
2340 	struct pf_addr		init_addr;
2341 	u_int16_t		cut;
2342 
2343 	bzero(&init_addr, sizeof(init_addr));
2344 	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
2345 		return (1);
2346 
2347 	if (proto == IPPROTO_ICMP) {
2348 		low = 1;
2349 		high = 65535;
2350 	}
2351 
2352 	do {
2353 		key.af = af;
2354 		key.proto = proto;
2355 		PF_ACPY(&key.ext.addr, daddr, key.af);
2356 		PF_ACPY(&key.gwy.addr, naddr, key.af);
2357 		key.ext.port = dport;
2358 
2359 		/*
2360 		 * port search; start random, step;
2361 		 * similar 2 portloop in in_pcbbind
2362 		 */
2363 		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
2364 		    proto == IPPROTO_ICMP)) {
2365 			key.gwy.port = dport;
2366 			if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
2367 				return (0);
2368 		} else if (low == 0 && high == 0) {
2369 			key.gwy.port = *nport;
2370 			if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
2371 				return (0);
2372 		} else if (low == high) {
2373 			key.gwy.port = htons(low);
2374 			if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) {
2375 				*nport = htons(low);
2376 				return (0);
2377 			}
2378 		} else {
2379 			u_int16_t tmp;
2380 
2381 			if (low > high) {
2382 				tmp = low;
2383 				low = high;
2384 				high = tmp;
2385 			}
2386 			/* low < high */
2387 			cut = htonl(karc4random()) % (1 + high - low) + low;
2388 			/* low <= cut <= high */
2389 			for (tmp = cut; tmp <= high; ++(tmp)) {
2390 				key.gwy.port = htons(tmp);
2391 				if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
2392 				    NULL) {
2393 					*nport = htons(tmp);
2394 					return (0);
2395 				}
2396 			}
2397 			for (tmp = cut - 1; tmp >= low; --(tmp)) {
2398 				key.gwy.port = htons(tmp);
2399 				if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
2400 				    NULL) {
2401 					*nport = htons(tmp);
2402 					return (0);
2403 				}
2404 			}
2405 		}
2406 
2407 		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
2408 		case PF_POOL_RANDOM:
2409 		case PF_POOL_ROUNDROBIN:
2410 			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
2411 				return (1);
2412 			break;
2413 		case PF_POOL_NONE:
2414 		case PF_POOL_SRCHASH:
2415 		case PF_POOL_BITMASK:
2416 		default:
2417 			return (1);
2418 		}
2419 	} while (! PF_AEQ(&init_addr, naddr, af) );
2420 
2421 	return (1);					/* none available */
2422 }
2423 
2424 struct pf_rule *
2425 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
2426     int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
2427     struct pf_addr *daddr, u_int16_t dport, int rs_num)
2428 {
2429 	struct pf_rule		*r, *rm = NULL;
2430 	struct pf_ruleset	*ruleset = NULL;
2431 	int			 tag = -1;
2432 	int			 rtableid = -1;
2433 	int			 asd = 0;
2434 
2435 	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
2436 	while (r && rm == NULL) {
2437 		struct pf_rule_addr	*src = NULL, *dst = NULL;
2438 		struct pf_addr_wrap	*xdst = NULL;
2439 
2440 		if (r->action == PF_BINAT && direction == PF_IN) {
2441 			src = &r->dst;
2442 			if (r->rpool.cur != NULL)
2443 				xdst = &r->rpool.cur->addr;
2444 		} else {
2445 			src = &r->src;
2446 			dst = &r->dst;
2447 		}
2448 
2449 		r->evaluations++;
2450 		if (pfi_kif_match(r->kif, kif) == r->ifnot)
2451 			r = r->skip[PF_SKIP_IFP].ptr;
2452 		else if (r->direction && r->direction != direction)
2453 			r = r->skip[PF_SKIP_DIR].ptr;
2454 		else if (r->af && r->af != pd->af)
2455 			r = r->skip[PF_SKIP_AF].ptr;
2456 		else if (r->proto && r->proto != pd->proto)
2457 			r = r->skip[PF_SKIP_PROTO].ptr;
2458 		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
2459 		    src->neg, kif))
2460 			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
2461 			    PF_SKIP_DST_ADDR].ptr;
2462 		else if (src->port_op && !pf_match_port(src->port_op,
2463 		    src->port[0], src->port[1], sport))
2464 			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
2465 			    PF_SKIP_DST_PORT].ptr;
2466 		else if (dst != NULL &&
2467 		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL))
2468 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
2469 		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
2470 		    0, NULL))
2471 			r = TAILQ_NEXT(r, entries);
2472 		else if (dst != NULL && dst->port_op &&
2473 		    !pf_match_port(dst->port_op, dst->port[0],
2474 		    dst->port[1], dport))
2475 			r = r->skip[PF_SKIP_DST_PORT].ptr;
2476 		else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
2477 			r = TAILQ_NEXT(r, entries);
2478 		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
2479 		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
2480 		    off, pd->hdr.tcp), r->os_fingerprint)))
2481 			r = TAILQ_NEXT(r, entries);
2482 		else {
2483 			if (r->tag)
2484 				tag = r->tag;
2485 			if (r->rtableid >= 0)
2486 				rtableid = r->rtableid;
2487 			if (r->anchor == NULL) {
2488 				rm = r;
2489 			} else
2490 				pf_step_into_anchor(&asd, &ruleset, rs_num,
2491 				    &r, NULL, NULL);
2492 		}
2493 		if (r == NULL)
2494 			pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r,
2495 			    NULL, NULL);
2496 	}
2497 	if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid))
2498 		return (NULL);
2499 	if (rm != NULL && (rm->action == PF_NONAT ||
2500 	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
2501 		return (NULL);
2502 	return (rm);
2503 }
2504 
2505 struct pf_rule *
2506 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
2507     struct pfi_kif *kif, struct pf_src_node **sn,
2508     struct pf_addr *saddr, u_int16_t sport,
2509     struct pf_addr *daddr, u_int16_t dport,
2510     struct pf_addr *naddr, u_int16_t *nport)
2511 {
2512 	struct pf_rule	*r = NULL;
2513 
2514 	if (direction == PF_OUT) {
2515 		r = pf_match_translation(pd, m, off, direction, kif, saddr,
2516 		    sport, daddr, dport, PF_RULESET_BINAT);
2517 		if (r == NULL)
2518 			r = pf_match_translation(pd, m, off, direction, kif,
2519 			    saddr, sport, daddr, dport, PF_RULESET_NAT);
2520 	} else {
2521 		r = pf_match_translation(pd, m, off, direction, kif, saddr,
2522 		    sport, daddr, dport, PF_RULESET_RDR);
2523 		if (r == NULL)
2524 			r = pf_match_translation(pd, m, off, direction, kif,
2525 			    saddr, sport, daddr, dport, PF_RULESET_BINAT);
2526 	}
2527 
2528 	if (r != NULL) {
2529 		switch (r->action) {
2530 		case PF_NONAT:
2531 		case PF_NOBINAT:
2532 		case PF_NORDR:
2533 			return (NULL);
2534 		case PF_NAT:
2535 			if (pf_get_sport(pd->af, pd->proto, r, saddr,
2536 			    daddr, dport, naddr, nport, r->rpool.proxy_port[0],
2537 			    r->rpool.proxy_port[1], sn)) {
2538 				DPFPRINTF(PF_DEBUG_MISC,
2539 				    ("pf: NAT proxy port allocation "
2540 				    "(%u-%u) failed\n",
2541 				    r->rpool.proxy_port[0],
2542 				    r->rpool.proxy_port[1]));
2543 				return (NULL);
2544 			}
2545 			break;
2546 		case PF_BINAT:
2547 			switch (direction) {
2548 			case PF_OUT:
2549 				if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
2550 					switch (pd->af) {
2551 #ifdef INET
2552 					case AF_INET:
2553 						if (r->rpool.cur->addr.p.dyn->
2554 						    pfid_acnt4 < 1)
2555 							return (NULL);
2556 						PF_POOLMASK(naddr,
2557 						    &r->rpool.cur->addr.p.dyn->
2558 						    pfid_addr4,
2559 						    &r->rpool.cur->addr.p.dyn->
2560 						    pfid_mask4,
2561 						    saddr, AF_INET);
2562 						break;
2563 #endif /* INET */
2564 #ifdef INET6
2565 					case AF_INET6:
2566 						if (r->rpool.cur->addr.p.dyn->
2567 						    pfid_acnt6 < 1)
2568 							return (NULL);
2569 						PF_POOLMASK(naddr,
2570 						    &r->rpool.cur->addr.p.dyn->
2571 						    pfid_addr6,
2572 						    &r->rpool.cur->addr.p.dyn->
2573 						    pfid_mask6,
2574 						    saddr, AF_INET6);
2575 						break;
2576 #endif /* INET6 */
2577 					}
2578 				} else
2579 					PF_POOLMASK(naddr,
2580 					    &r->rpool.cur->addr.v.a.addr,
2581 					    &r->rpool.cur->addr.v.a.mask,
2582 					    saddr, pd->af);
2583 				break;
2584 			case PF_IN:
2585 				if (r->src.addr.type == PF_ADDR_DYNIFTL) {
2586 					switch (pd->af) {
2587 #ifdef INET
2588 					case AF_INET:
2589 						if (r->src.addr.p.dyn->
2590 						    pfid_acnt4 < 1)
2591 							return (NULL);
2592 						PF_POOLMASK(naddr,
2593 						    &r->src.addr.p.dyn->
2594 						    pfid_addr4,
2595 						    &r->src.addr.p.dyn->
2596 						    pfid_mask4,
2597 						    daddr, AF_INET);
2598 						break;
2599 #endif /* INET */
2600 #ifdef INET6
2601 					case AF_INET6:
2602 						if (r->src.addr.p.dyn->
2603 						    pfid_acnt6 < 1)
2604 							return (NULL);
2605 						PF_POOLMASK(naddr,
2606 						    &r->src.addr.p.dyn->
2607 						    pfid_addr6,
2608 						    &r->src.addr.p.dyn->
2609 						    pfid_mask6,
2610 						    daddr, AF_INET6);
2611 						break;
2612 #endif /* INET6 */
2613 					}
2614 				} else
2615 					PF_POOLMASK(naddr,
2616 					    &r->src.addr.v.a.addr,
2617 					    &r->src.addr.v.a.mask, daddr,
2618 					    pd->af);
2619 				break;
2620 			}
2621 			break;
2622 		case PF_RDR: {
2623 			if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
2624 				return (NULL);
2625 			if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
2626 			    PF_POOL_BITMASK)
2627 				PF_POOLMASK(naddr, naddr,
2628 				    &r->rpool.cur->addr.v.a.mask, daddr,
2629 				    pd->af);
2630 			if (r->rpool.proxy_port[1]) {
2631 				u_int32_t	tmp_nport;
2632 
2633 				tmp_nport = ((ntohs(dport) -
2634 				    ntohs(r->dst.port[0])) %
2635 				    (r->rpool.proxy_port[1] -
2636 				    r->rpool.proxy_port[0] + 1)) +
2637 				    r->rpool.proxy_port[0];
2638 
2639 				/* wrap around if necessary */
2640 				if (tmp_nport > 65535)
2641 					tmp_nport -= 65535;
2642 				*nport = htons((u_int16_t)tmp_nport);
2643 			} else if (r->rpool.proxy_port[0])
2644 				*nport = htons(r->rpool.proxy_port[0]);
2645 			break;
2646 		}
2647 		default:
2648 			return (NULL);
2649 		}
2650 	}
2651 
2652 	return (r);
2653 }
2654 
2655 #ifdef SMP
2656 struct netmsg_hashlookup {
2657 	struct netmsg		nm_netmsg;
2658 	struct inpcb		**nm_pinp;
2659 	struct inpcbinfo    	*nm_pcbinfo;
2660 	struct pf_addr		*nm_saddr;
2661 	struct pf_addr		*nm_daddr;
2662 	uint16_t		nm_sport;
2663 	uint16_t		nm_dport;
2664 	sa_family_t		nm_af;
2665 };
2666 
2667 static void
2668 in_pcblookup_hash_handler(struct netmsg *msg0)
2669 {
2670 	struct netmsg_hashlookup *msg = (struct netmsg_hashlookup *)msg0;
2671 
2672 	if (msg->nm_af == AF_INET)
2673 		*msg->nm_pinp = in_pcblookup_hash(msg->nm_pcbinfo,
2674 		    msg->nm_saddr->v4, msg->nm_sport, msg->nm_daddr->v4,
2675 		    msg->nm_dport, INPLOOKUP_WILDCARD, NULL);
2676 #ifdef INET6
2677 	else
2678 		*msg->nm_pinp = in6_pcblookup_hash(msg->nm_pcbinfo,
2679 		    &msg->nm_saddr->v6, msg->nm_sport, &msg->nm_daddr->v6,
2680 		    msg->nm_dport, INPLOOKUP_WILDCARD, NULL);
2681 #endif /* INET6 */
2682 	lwkt_replymsg(&msg->nm_netmsg.nm_lmsg, 0);
2683 }
2684 #endif /* SMP */
2685 
2686 int
2687 pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg)
2688 {
2689 	struct pf_addr		*saddr, *daddr;
2690 	u_int16_t		 sport, dport;
2691 	struct inpcbinfo	*pi;
2692 	struct inpcb		*inp;
2693 #ifdef SMP
2694 	struct netmsg_hashlookup *msg = NULL;
2695 #endif
2696 	int			 pi_cpu = 0;
2697 
2698 	if (pd == NULL)
2699 		return (-1);
2700 	pd->lookup.uid = UID_MAX;
2701 	pd->lookup.gid = GID_MAX;
2702 	pd->lookup.pid = NO_PID;
2703 	if (direction == PF_IN) {
2704 		saddr = pd->src;
2705 		daddr = pd->dst;
2706 	} else {
2707 		saddr = pd->dst;
2708 		daddr = pd->src;
2709 	}
2710 	switch (pd->proto) {
2711 	case IPPROTO_TCP:
2712 		sport = pd->hdr.tcp->th_sport;
2713 		dport = pd->hdr.tcp->th_dport;
2714 
2715 		pi_cpu = tcp_addrcpu(saddr->v4.s_addr, sport, daddr->v4.s_addr, dport);
2716 		pi = &tcbinfo[pi_cpu];
2717 #ifdef SMP
2718 		/*
2719 		 * Our netstack runs lockless on MP systems
2720 		 * (only for TCP connections at the moment).
2721 		 *
2722 		 * As we are not allowed to read another CPU's tcbinfo,
2723 		 * we have to ask that CPU via remote call to search the
2724 		 * table for us.
2725 		 *
2726 		 * Prepare a msg iff data belongs to another CPU.
2727 		 */
2728 		if (pi_cpu != mycpu->gd_cpuid) {
2729 			msg = kmalloc(sizeof(*msg), M_LWKTMSG, M_INTWAIT);
2730 			netmsg_init(&msg->nm_netmsg, NULL, &netisr_afree_rport,
2731 				    0, in_pcblookup_hash_handler);
2732 			msg->nm_pinp = &inp;
2733 			msg->nm_pcbinfo = pi;
2734 			msg->nm_saddr = saddr;
2735 			msg->nm_sport = sport;
2736 			msg->nm_daddr = daddr;
2737 			msg->nm_dport = dport;
2738 			msg->nm_af = pd->af;
2739 		}
2740 #endif /* SMP */
2741 		break;
2742 	case IPPROTO_UDP:
2743 		sport = pd->hdr.udp->uh_sport;
2744 		dport = pd->hdr.udp->uh_dport;
2745 		pi = &udbinfo;
2746 		break;
2747 	default:
2748 		return (0);
2749 	}
2750 	if (direction != PF_IN) {
2751 		u_int16_t	p;
2752 
2753 		p = sport;
2754 		sport = dport;
2755 		dport = p;
2756 	}
2757 	switch (pd->af) {
2758 #ifdef INET6
2759 	case AF_INET6:
2760 #ifdef SMP
2761 		/*
2762 		 * Query other CPU, second part
2763 		 *
2764 		 * msg only gets initialized when:
2765 		 * 1) packet is TCP
2766 		 * 2) the info belongs to another CPU
2767 		 *
2768 		 * Use some switch/case magic to avoid code duplication.
2769 		 */
2770 		if (msg == NULL)
2771 #endif /* SMP */
2772 		{
2773 			inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
2774 			    &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
2775 
2776 			if (inp == NULL)
2777 				return (-1);
2778 			break;
2779 		}
2780 		/* FALLTHROUGH if SMP and on other CPU */
2781 #endif /* INET6 */
2782 	case AF_INET:
2783 #ifdef SMP
2784 		if (msg != NULL) {
2785 			lwkt_sendmsg(tcp_cport(pi_cpu),
2786 				     &msg->nm_netmsg.nm_lmsg);
2787 		} else
2788 #endif /* SMP */
2789 		{
2790 			inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
2791 			    dport, INPLOOKUP_WILDCARD, NULL);
2792 		}
2793 		if (inp == NULL)
2794 			return (0);
2795 		break;
2796 
2797 	default:
2798 		return (-1);
2799 	}
2800 	pd->lookup.uid = inp->inp_socket->so_cred->cr_uid;
2801 	pd->lookup.gid = inp->inp_socket->so_cred->cr_groups[0];
2802 	return (1);
2803 }
2804 
2805 u_int8_t
2806 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2807 {
2808 	int		 hlen;
2809 	u_int8_t	 hdr[60];
2810 	u_int8_t	*opt, optlen;
2811 	u_int8_t	 wscale = 0;
2812 
2813 	hlen = th_off << 2;		/* hlen <= sizeof(hdr) */
2814 	if (hlen <= sizeof(struct tcphdr))
2815 		return (0);
2816 	if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2817 		return (0);
2818 	opt = hdr + sizeof(struct tcphdr);
2819 	hlen -= sizeof(struct tcphdr);
2820 	while (hlen >= 3) {
2821 		switch (*opt) {
2822 		case TCPOPT_EOL:
2823 		case TCPOPT_NOP:
2824 			++opt;
2825 			--hlen;
2826 			break;
2827 		case TCPOPT_WINDOW:
2828 			wscale = opt[2];
2829 			if (wscale > TCP_MAX_WINSHIFT)
2830 				wscale = TCP_MAX_WINSHIFT;
2831 			wscale |= PF_WSCALE_FLAG;
2832 			/* FALLTHROUGH */
2833 		default:
2834 			optlen = opt[1];
2835 			if (optlen < 2)
2836 				optlen = 2;
2837 			hlen -= optlen;
2838 			opt += optlen;
2839 			break;
2840 		}
2841 	}
2842 	return (wscale);
2843 }
2844 
2845 u_int16_t
2846 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2847 {
2848 	int		 hlen;
2849 	u_int8_t	 hdr[60];
2850 	u_int8_t	*opt, optlen;
2851 	u_int16_t	 mss = tcp_mssdflt;
2852 
2853 	hlen = th_off << 2;	/* hlen <= sizeof(hdr) */
2854 	if (hlen <= sizeof(struct tcphdr))
2855 		return (0);
2856 	if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2857 		return (0);
2858 	opt = hdr + sizeof(struct tcphdr);
2859 	hlen -= sizeof(struct tcphdr);
2860 	while (hlen >= TCPOLEN_MAXSEG) {
2861 		switch (*opt) {
2862 		case TCPOPT_EOL:
2863 		case TCPOPT_NOP:
2864 			++opt;
2865 			--hlen;
2866 			break;
2867 		case TCPOPT_MAXSEG:
2868 			bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
2869 			NTOHS(mss);
2870 			/* FALLTHROUGH */
2871 		default:
2872 			optlen = opt[1];
2873 			if (optlen < 2)
2874 				optlen = 2;
2875 			hlen -= optlen;
2876 			opt += optlen;
2877 			break;
2878 		}
2879 	}
2880 	return (mss);
2881 }
2882 
2883 u_int16_t
2884 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
2885 {
2886 #ifdef INET
2887 	struct sockaddr_in	*dst;
2888 	struct route		 ro;
2889 #endif /* INET */
2890 #ifdef INET6
2891 	struct sockaddr_in6	*dst6;
2892 	struct route_in6	 ro6;
2893 #endif /* INET6 */
2894 	struct rtentry		*rt = NULL;
2895 	int			 hlen = 0;
2896 	u_int16_t		 mss = tcp_mssdflt;
2897 
2898 	switch (af) {
2899 #ifdef INET
2900 	case AF_INET:
2901 		hlen = sizeof(struct ip);
2902 		bzero(&ro, sizeof(ro));
2903 		dst = (struct sockaddr_in *)&ro.ro_dst;
2904 		dst->sin_family = AF_INET;
2905 		dst->sin_len = sizeof(*dst);
2906 		dst->sin_addr = addr->v4;
2907 		rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
2908 		rt = ro.ro_rt;
2909 		break;
2910 #endif /* INET */
2911 #ifdef INET6
2912 	case AF_INET6:
2913 		hlen = sizeof(struct ip6_hdr);
2914 		bzero(&ro6, sizeof(ro6));
2915 		dst6 = (struct sockaddr_in6 *)&ro6.ro_dst;
2916 		dst6->sin6_family = AF_INET6;
2917 		dst6->sin6_len = sizeof(*dst6);
2918 		dst6->sin6_addr = addr->v6;
2919 		rtalloc_ign((struct route *)&ro6, (RTF_CLONING | RTF_PRCLONING));
2920 		rt = ro6.ro_rt;
2921 		break;
2922 #endif /* INET6 */
2923 	}
2924 
2925 	if (rt && rt->rt_ifp) {
2926 		mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr);
2927 		mss = max(tcp_mssdflt, mss);
2928 		RTFREE(rt);
2929 	}
2930 	mss = min(mss, offer);
2931 	mss = max(mss, 64);		/* sanity - at least max opt space */
2932 	return (mss);
2933 }
2934 
2935 void
2936 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
2937 {
2938 	struct pf_rule *r = s->rule.ptr;
2939 
2940 	s->rt_kif = NULL;
2941 	if (!r->rt || r->rt == PF_FASTROUTE)
2942 		return;
2943 	switch (s->af) {
2944 #ifdef INET
2945 	case AF_INET:
2946 		pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL,
2947 		    &s->nat_src_node);
2948 		s->rt_kif = r->rpool.cur->kif;
2949 		break;
2950 #endif /* INET */
2951 #ifdef INET6
2952 	case AF_INET6:
2953 		pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL,
2954 		    &s->nat_src_node);
2955 		s->rt_kif = r->rpool.cur->kif;
2956 		break;
2957 #endif /* INET6 */
2958 	}
2959 }
2960 
2961 int
2962 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
2963     struct pfi_kif *kif, struct mbuf *m, int off, void *h,
2964     struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
2965     struct ifqueue *ifq, struct inpcb *inp)
2966 {
2967 	struct pf_rule		*nr = NULL;
2968 	struct pf_addr		*saddr = pd->src, *daddr = pd->dst;
2969 	struct tcphdr		*th = pd->hdr.tcp;
2970 	u_int16_t		 bport, nport = 0;
2971 	sa_family_t		 af = pd->af;
2972 	struct pf_rule		*r, *a = NULL;
2973 	struct pf_ruleset	*ruleset = NULL;
2974 	struct pf_src_node	*nsn = NULL;
2975 	u_short			 reason;
2976 	int			 rewrite = 0;
2977 	int			 tag = -1, rtableid = -1;
2978 	u_int16_t		 mss = tcp_mssdflt;
2979 	int			 asd = 0;
2980 	int			 match = 0;
2981 
2982 	if (pf_check_congestion(ifq)) {
2983 		REASON_SET(&reason, PFRES_CONGEST);
2984 		return (PF_DROP);
2985 	}
2986 
2987 	if (inp != NULL)
2988 		pd->lookup.done = pf_socket_lookup(direction, pd, inp);
2989 	else if (debug_pfugidhack) {
2990 		crit_exit();
2991 		DPFPRINTF(PF_DEBUG_MISC, ("pf: unlocked lookup\n"));
2992 		pd->lookup.done = pf_socket_lookup(direction, pd, inp);
2993 		crit_enter();
2994 	}
2995 
2996 
2997 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
2998 
2999 	if (direction == PF_OUT) {
3000 		bport = nport = th->th_sport;
3001 		/* check outgoing packet for BINAT/NAT */
3002 		if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3003 		    saddr, th->th_sport, daddr, th->th_dport,
3004 		    &pd->naddr, &nport)) != NULL) {
3005 			PF_ACPY(&pd->baddr, saddr, af);
3006 			pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
3007 			    &th->th_sum, &pd->naddr, nport, 0, af);
3008 			rewrite++;
3009 			if (nr->natpass)
3010 				r = NULL;
3011 			pd->nat_rule = nr;
3012 		}
3013 	} else {
3014 		bport = nport = th->th_dport;
3015 		/* check incoming packet for BINAT/RDR */
3016 		if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3017 		    saddr, th->th_sport, daddr, th->th_dport,
3018 		    &pd->naddr, &nport)) != NULL) {
3019 			PF_ACPY(&pd->baddr, daddr, af);
3020 			pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
3021 			    &th->th_sum, &pd->naddr, nport, 0, af);
3022 			rewrite++;
3023 			if (nr->natpass)
3024 				r = NULL;
3025 			pd->nat_rule = nr;
3026 		}
3027 	}
3028 
3029 	while (r != NULL) {
3030 		r->evaluations++;
3031 		if (pfi_kif_match(r->kif, kif) == r->ifnot)
3032 			r = r->skip[PF_SKIP_IFP].ptr;
3033 		else if (r->direction && r->direction != direction)
3034 			r = r->skip[PF_SKIP_DIR].ptr;
3035 		else if (r->af && r->af != af)
3036 			r = r->skip[PF_SKIP_AF].ptr;
3037 		else if (r->proto && r->proto != IPPROTO_TCP)
3038 			r = r->skip[PF_SKIP_PROTO].ptr;
3039 		else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3040 		    r->src.neg, kif))
3041 			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3042 		else if (r->src.port_op && !pf_match_port(r->src.port_op,
3043 		    r->src.port[0], r->src.port[1], th->th_sport))
3044 			r = r->skip[PF_SKIP_SRC_PORT].ptr;
3045 		else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3046 		    r->dst.neg, NULL))
3047 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
3048 		else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
3049 		    r->dst.port[0], r->dst.port[1], th->th_dport))
3050 			r = r->skip[PF_SKIP_DST_PORT].ptr;
3051 		else if (r->tos && !(r->tos == pd->tos))
3052 			r = TAILQ_NEXT(r, entries);
3053 		else if (r->rule_flag & PFRULE_FRAGMENT)
3054 			r = TAILQ_NEXT(r, entries);
3055 		else if ((r->flagset & th->th_flags) != r->flags)
3056 			r = TAILQ_NEXT(r, entries);
3057 		else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3058 		    pf_socket_lookup(direction, pd, inp), 1)) &&
3059 		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
3060 		    pd->lookup.uid))
3061 			r = TAILQ_NEXT(r, entries);
3062 		else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3063 		    pf_socket_lookup(direction, pd, inp), 1)) &&
3064 		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
3065 		    pd->lookup.gid))
3066 			r = TAILQ_NEXT(r, entries);
3067 		else if (r->prob && r->prob <= karc4random())
3068 			r = TAILQ_NEXT(r, entries);
3069 		else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3070 			r = TAILQ_NEXT(r, entries);
3071 		else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
3072 		    pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint))
3073 			r = TAILQ_NEXT(r, entries);
3074 		else {
3075 			if (r->tag)
3076 				tag = r->tag;
3077 			if (r->rtableid >= 0)
3078 				rtableid = r->rtableid;
3079 			if (r->anchor == NULL) {
3080 				match = 1;
3081 				*rm = r;
3082 				*am = a;
3083 				*rsm = ruleset;
3084 				if ((*rm)->quick)
3085 					break;
3086 				r = TAILQ_NEXT(r, entries);
3087 			} else
3088 				pf_step_into_anchor(&asd, &ruleset,
3089 				    PF_RULESET_FILTER, &r, &a, &match);
3090 		}
3091 		if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3092 		    PF_RULESET_FILTER, &r, &a, &match))
3093 			break;
3094 	}
3095 	r = *rm;
3096 	a = *am;
3097 	ruleset = *rsm;
3098 
3099 	REASON_SET(&reason, PFRES_MATCH);
3100 
3101 	if (r->log || (nr != NULL && nr->natpass && nr->log)) {
3102 		if (rewrite)
3103 			m_copyback(m, off, sizeof(*th), (caddr_t)th);
3104 		PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
3105 		    a, ruleset, pd);
3106 	}
3107 
3108 	if ((r->action == PF_DROP) &&
3109 	    ((r->rule_flag & PFRULE_RETURNRST) ||
3110 	    (r->rule_flag & PFRULE_RETURNICMP) ||
3111 	    (r->rule_flag & PFRULE_RETURN))) {
3112 		/* undo NAT changes, if they have taken place */
3113 		if (nr != NULL) {
3114 			if (direction == PF_OUT) {
3115 				pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
3116 				    &th->th_sum, &pd->baddr, bport, 0, af);
3117 				rewrite++;
3118 			} else {
3119 				pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
3120 				    &th->th_sum, &pd->baddr, bport, 0, af);
3121 				rewrite++;
3122 			}
3123 		}
3124 		if (((r->rule_flag & PFRULE_RETURNRST) ||
3125 		    (r->rule_flag & PFRULE_RETURN)) &&
3126 		    !(th->th_flags & TH_RST)) {
3127 			u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
3128 
3129 			if (th->th_flags & TH_SYN)
3130 				ack++;
3131 			if (th->th_flags & TH_FIN)
3132 				ack++;
3133 			pf_send_tcp(r, af, pd->dst,
3134 			    pd->src, th->th_dport, th->th_sport,
3135 			    ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
3136 			    r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
3137 		} else if ((af == AF_INET) && r->return_icmp)
3138 			pf_send_icmp(m, r->return_icmp >> 8,
3139 			    r->return_icmp & 255, af, r);
3140 		else if ((af == AF_INET6) && r->return_icmp6)
3141 			pf_send_icmp(m, r->return_icmp6 >> 8,
3142 			    r->return_icmp6 & 255, af, r);
3143 	}
3144 
3145 	if (r->action == PF_DROP) {
3146 		return (PF_DROP);
3147 	}
3148 
3149 	if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
3150 		REASON_SET(&reason, PFRES_MEMORY);
3151 		return (PF_DROP);
3152 	}
3153 
3154 	if (r->keep_state || nr != NULL ||
3155 	    (pd->flags & PFDESC_TCP_NORM)) {
3156 		/* create new state */
3157 		u_int16_t	 len;
3158 		struct pf_state	*s = NULL;
3159 		struct pf_src_node *sn = NULL;
3160 
3161 		len = pd->tot_len - off - (th->th_off << 2);
3162 
3163 		/* check maximums */
3164 		if (r->max_states && (r->states >= r->max_states)) {
3165 			pf_status.lcounters[LCNT_STATES]++;
3166 			REASON_SET(&reason, PFRES_MAXSTATES);
3167 			goto cleanup;
3168 		}
3169 		/* src node for filter rule */
3170 		if ((r->rule_flag & PFRULE_SRCTRACK ||
3171 		    r->rpool.opts & PF_POOL_STICKYADDR) &&
3172 		    pf_insert_src_node(&sn, r, saddr, af) != 0) {
3173 			REASON_SET(&reason, PFRES_SRCLIMIT);
3174 			goto cleanup;
3175 		}
3176 		/* src node for translation rule */
3177 		if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3178 		    ((direction == PF_OUT &&
3179 		    pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3180 		    (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
3181 			REASON_SET(&reason, PFRES_SRCLIMIT);
3182 			goto cleanup;
3183 		}
3184 		s = pool_get(&pf_state_pl, PR_NOWAIT);
3185 		if (s == NULL) {
3186 			REASON_SET(&reason, PFRES_MEMORY);
3187 cleanup:
3188 			if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3189 				RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3190 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3191 				pf_status.src_nodes--;
3192 				pool_put(&pf_src_tree_pl, sn);
3193 			}
3194 			if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3195 			    nsn->expire == 0) {
3196 				RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3197 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3198 				pf_status.src_nodes--;
3199 				pool_put(&pf_src_tree_pl, nsn);
3200 			}
3201 			return (PF_DROP);
3202 		}
3203 		bzero(s, sizeof(*s));
3204 		s->rule.ptr = r;
3205 		s->nat_rule.ptr = nr;
3206 		s->anchor.ptr = a;
3207 		STATE_INC_COUNTERS(s);
3208 		s->allow_opts = r->allow_opts;
3209 		s->log = r->log & PF_LOG_ALL;
3210 		if (nr != NULL)
3211 			s->log |= nr->log & PF_LOG_ALL;
3212 		s->proto = IPPROTO_TCP;
3213 		s->direction = direction;
3214 		s->af = af;
3215 		if (direction == PF_OUT) {
3216 			PF_ACPY(&s->gwy.addr, saddr, af);
3217 			s->gwy.port = th->th_sport;		/* sport */
3218 			PF_ACPY(&s->ext.addr, daddr, af);
3219 			s->ext.port = th->th_dport;
3220 			if (nr != NULL) {
3221 				PF_ACPY(&s->lan.addr, &pd->baddr, af);
3222 				s->lan.port = bport;
3223 			} else {
3224 				PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3225 				s->lan.port = s->gwy.port;
3226 			}
3227 		} else {
3228 			PF_ACPY(&s->lan.addr, daddr, af);
3229 			s->lan.port = th->th_dport;
3230 			PF_ACPY(&s->ext.addr, saddr, af);
3231 			s->ext.port = th->th_sport;
3232 			if (nr != NULL) {
3233 				PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3234 				s->gwy.port = bport;
3235 			} else {
3236 				PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3237 				s->gwy.port = s->lan.port;
3238 			}
3239 		}
3240 
3241 		s->hash = pf_state_hash(s);
3242 		s->src.seqlo = ntohl(th->th_seq);
3243 		s->src.seqhi = s->src.seqlo + len + 1;
3244 		s->pickup_mode = r->pickup_mode;
3245 
3246 		if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
3247 		    r->keep_state == PF_STATE_MODULATE) {
3248 			/* Generate sequence number modulator */
3249 			while ((s->src.seqdiff =
3250 			    pf_new_isn(s) - s->src.seqlo) == 0)
3251 				;
3252 			pf_change_a(&th->th_seq, &th->th_sum,
3253 			    htonl(s->src.seqlo + s->src.seqdiff), 0);
3254 			rewrite = 1;
3255 		} else
3256 			s->src.seqdiff = 0;
3257 		if (th->th_flags & TH_SYN) {
3258 			s->src.seqhi++;
3259 			s->src.wscale = pf_get_wscale(m, off, th->th_off, af);
3260 			s->sync_flags |= PFSTATE_GOT_SYN1;
3261 		}
3262 		s->src.max_win = MAX(ntohs(th->th_win), 1);
3263 		if (s->src.wscale & PF_WSCALE_MASK) {
3264 			/* Remove scale factor from initial window */
3265 			u_int win = s->src.max_win;
3266 			win += 1 << (s->src.wscale & PF_WSCALE_MASK);
3267 			s->src.max_win = (win - 1) >>
3268 			    (s->src.wscale & PF_WSCALE_MASK);
3269 		}
3270 		if (th->th_flags & TH_FIN)
3271 			s->src.seqhi++;
3272 		s->dst.seqhi = 1;
3273 		s->dst.max_win = 1;
3274 		s->src.state = TCPS_SYN_SENT;
3275 		s->dst.state = TCPS_CLOSED;
3276 		s->creation = time_second;
3277 		s->expire = time_second;
3278 		s->timeout = PFTM_TCP_FIRST_PACKET;
3279 		pf_set_rt_ifp(s, saddr);
3280 		if (sn != NULL) {
3281 			s->src_node = sn;
3282 			s->src_node->states++;
3283 		}
3284 		if (nsn != NULL) {
3285 			PF_ACPY(&nsn->raddr, &pd->naddr, af);
3286 			s->nat_src_node = nsn;
3287 			s->nat_src_node->states++;
3288 		}
3289 		if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
3290 		    off, pd, th, &s->src, &s->dst)) {
3291 			REASON_SET(&reason, PFRES_MEMORY);
3292 			pf_src_tree_remove_state(s);
3293 			STATE_DEC_COUNTERS(s);
3294 			pool_put(&pf_state_pl, s);
3295 			return (PF_DROP);
3296 		}
3297 		if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
3298 		    pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
3299 		    &s->src, &s->dst, &rewrite)) {
3300 			/* This really shouldn't happen!!! */
3301 			DPFPRINTF(PF_DEBUG_URGENT,
3302 			    ("pf_normalize_tcp_stateful failed on first pkt"));
3303 			pf_normalize_tcp_cleanup(s);
3304 			pf_src_tree_remove_state(s);
3305 			STATE_DEC_COUNTERS(s);
3306 			pool_put(&pf_state_pl, s);
3307 			return (PF_DROP);
3308 		}
3309 		if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3310 			pf_normalize_tcp_cleanup(s);
3311 			REASON_SET(&reason, PFRES_STATEINS);
3312 			pf_src_tree_remove_state(s);
3313 			STATE_DEC_COUNTERS(s);
3314 			pool_put(&pf_state_pl, s);
3315 			return (PF_DROP);
3316 		} else
3317 			*sm = s;
3318 		if (tag > 0) {
3319 			pf_tag_ref(tag);
3320 			s->tag = tag;
3321 		}
3322 		if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
3323 		    r->keep_state == PF_STATE_SYNPROXY) {
3324 			s->src.state = PF_TCPS_PROXY_SRC;
3325 			if (nr != NULL) {
3326 				if (direction == PF_OUT) {
3327 					pf_change_ap(saddr, &th->th_sport,
3328 					    pd->ip_sum, &th->th_sum, &pd->baddr,
3329 					    bport, 0, af);
3330 				} else {
3331 					pf_change_ap(daddr, &th->th_dport,
3332 					    pd->ip_sum, &th->th_sum, &pd->baddr,
3333 					    bport, 0, af);
3334 				}
3335 			}
3336 			s->src.seqhi = htonl(karc4random());
3337 			/* Find mss option */
3338 			mss = pf_get_mss(m, off, th->th_off, af);
3339 			mss = pf_calc_mss(saddr, af, mss);
3340 			mss = pf_calc_mss(daddr, af, mss);
3341 			s->src.mss = mss;
3342 			pf_send_tcp(r, af, daddr, saddr, th->th_dport,
3343 			    th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
3344 			    TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL);
3345 			REASON_SET(&reason, PFRES_SYNPROXY);
3346 			return (PF_SYNPROXY_DROP);
3347 		}
3348 	}
3349 
3350 	/* copy back packet headers if we performed NAT operations */
3351 	if (rewrite)
3352 		m_copyback(m, off, sizeof(*th), (caddr_t)th);
3353 
3354 	return (PF_PASS);
3355 }
3356 
3357 int
3358 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
3359     struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3360     struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3361     struct ifqueue *ifq, struct inpcb *inp)
3362 {
3363 	struct pf_rule		*nr = NULL;
3364 	struct pf_addr		*saddr = pd->src, *daddr = pd->dst;
3365 	struct udphdr		*uh = pd->hdr.udp;
3366 	u_int16_t		 bport, nport = 0;
3367 	sa_family_t		 af = pd->af;
3368 	struct pf_rule		*r, *a = NULL;
3369 	struct pf_ruleset	*ruleset = NULL;
3370 	struct pf_src_node	*nsn = NULL;
3371 	u_short			 reason;
3372 	int			 rewrite = 0;
3373 	int			 tag = -1, rtableid = -1;
3374 	int			 asd = 0;
3375 	int			 match = 0;
3376 
3377 	if (pf_check_congestion(ifq)) {
3378 		REASON_SET(&reason, PFRES_CONGEST);
3379 		return (PF_DROP);
3380 	}
3381 
3382 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3383 
3384 	if (direction == PF_OUT) {
3385 		bport = nport = uh->uh_sport;
3386 		/* check outgoing packet for BINAT/NAT */
3387 		if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3388 		    saddr, uh->uh_sport, daddr, uh->uh_dport,
3389 		    &pd->naddr, &nport)) != NULL) {
3390 			PF_ACPY(&pd->baddr, saddr, af);
3391 			pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
3392 			    &uh->uh_sum, &pd->naddr, nport, 1, af);
3393 			rewrite++;
3394 			if (nr->natpass)
3395 				r = NULL;
3396 			pd->nat_rule = nr;
3397 		}
3398 	} else {
3399 		bport = nport = uh->uh_dport;
3400 		/* check incoming packet for BINAT/RDR */
3401 		if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3402 		    saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr,
3403 		    &nport)) != NULL) {
3404 			PF_ACPY(&pd->baddr, daddr, af);
3405 			pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
3406 			    &uh->uh_sum, &pd->naddr, nport, 1, af);
3407 			rewrite++;
3408 			if (nr->natpass)
3409 				r = NULL;
3410 			pd->nat_rule = nr;
3411 		}
3412 	}
3413 
3414 	while (r != NULL) {
3415 		r->evaluations++;
3416 		if (pfi_kif_match(r->kif, kif) == r->ifnot)
3417 			r = r->skip[PF_SKIP_IFP].ptr;
3418 		else if (r->direction && r->direction != direction)
3419 			r = r->skip[PF_SKIP_DIR].ptr;
3420 		else if (r->af && r->af != af)
3421 			r = r->skip[PF_SKIP_AF].ptr;
3422 		else if (r->proto && r->proto != IPPROTO_UDP)
3423 			r = r->skip[PF_SKIP_PROTO].ptr;
3424 		else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3425 		    r->src.neg, kif))
3426 			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3427 		else if (r->src.port_op && !pf_match_port(r->src.port_op,
3428 		    r->src.port[0], r->src.port[1], uh->uh_sport))
3429 			r = r->skip[PF_SKIP_SRC_PORT].ptr;
3430 		else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3431 		    r->dst.neg, NULL))
3432 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
3433 		else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
3434 		    r->dst.port[0], r->dst.port[1], uh->uh_dport))
3435 			r = r->skip[PF_SKIP_DST_PORT].ptr;
3436 		else if (r->tos && !(r->tos == pd->tos))
3437 			r = TAILQ_NEXT(r, entries);
3438 		else if (r->rule_flag & PFRULE_FRAGMENT)
3439 			r = TAILQ_NEXT(r, entries);
3440 		else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3441 		    pf_socket_lookup(direction, pd, inp), 1)) &&
3442 		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
3443 		    pd->lookup.uid))
3444 			r = TAILQ_NEXT(r, entries);
3445 		else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3446 		    pf_socket_lookup(direction, pd, inp), 1)) &&
3447 		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
3448 		    pd->lookup.gid))
3449 			r = TAILQ_NEXT(r, entries);
3450 		else if (r->prob && r->prob <= karc4random())
3451 			r = TAILQ_NEXT(r, entries);
3452 		else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3453 			r = TAILQ_NEXT(r, entries);
3454 		else if (r->os_fingerprint != PF_OSFP_ANY)
3455 			r = TAILQ_NEXT(r, entries);
3456 		else {
3457 			if (r->tag)
3458 				tag = r->tag;
3459 			if (r->rtableid >= 0)
3460 				rtableid = r->rtableid;
3461 			if (r->anchor == NULL) {
3462 				match = 1;
3463 				*rm = r;
3464 				*am = a;
3465 				*rsm = ruleset;
3466 				if ((*rm)->quick)
3467 					break;
3468 				r = TAILQ_NEXT(r, entries);
3469 			} else
3470 				pf_step_into_anchor(&asd, &ruleset,
3471 				    PF_RULESET_FILTER, &r, &a, &match);
3472 		}
3473 		if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3474 		    PF_RULESET_FILTER, &r, &a, &match))
3475 			break;
3476 	}
3477 	r = *rm;
3478 	a = *am;
3479 	ruleset = *rsm;
3480 
3481 	REASON_SET(&reason, PFRES_MATCH);
3482 
3483 	if (r->log || (nr != NULL && nr->natpass && nr->log)) {
3484 		if (rewrite)
3485 			m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3486 		PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
3487 		    a, ruleset, pd);
3488 	}
3489 
3490 	if ((r->action == PF_DROP) &&
3491 	    ((r->rule_flag & PFRULE_RETURNICMP) ||
3492 	    (r->rule_flag & PFRULE_RETURN))) {
3493 		/* undo NAT changes, if they have taken place */
3494 		if (nr != NULL) {
3495 			if (direction == PF_OUT) {
3496 				pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
3497 				    &uh->uh_sum, &pd->baddr, bport, 1, af);
3498 				rewrite++;
3499 			} else {
3500 				pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
3501 				    &uh->uh_sum, &pd->baddr, bport, 1, af);
3502 				rewrite++;
3503 			}
3504 		}
3505 		if ((af == AF_INET) && r->return_icmp)
3506 			pf_send_icmp(m, r->return_icmp >> 8,
3507 			    r->return_icmp & 255, af, r);
3508 		else if ((af == AF_INET6) && r->return_icmp6)
3509 			pf_send_icmp(m, r->return_icmp6 >> 8,
3510 			    r->return_icmp6 & 255, af, r);
3511 	}
3512 
3513 	if (r->action == PF_DROP)
3514 		return (PF_DROP);
3515 
3516 	if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
3517 		REASON_SET(&reason, PFRES_MEMORY);
3518 		return (PF_DROP);
3519 	}
3520 
3521 	if (r->keep_state || nr != NULL) {
3522 		/* create new state */
3523 		struct pf_state	*s = NULL;
3524 		struct pf_src_node *sn = NULL;
3525 
3526 		/* check maximums */
3527 		if (r->max_states && (r->states >= r->max_states)) {
3528 			pf_status.lcounters[LCNT_STATES]++;
3529 			REASON_SET(&reason, PFRES_MAXSTATES);
3530 			goto cleanup;
3531 		}
3532 		/* src node for filter rule */
3533 		if ((r->rule_flag & PFRULE_SRCTRACK ||
3534 		    r->rpool.opts & PF_POOL_STICKYADDR) &&
3535 		    pf_insert_src_node(&sn, r, saddr, af) != 0) {
3536 			REASON_SET(&reason, PFRES_SRCLIMIT);
3537 			goto cleanup;
3538 		}
3539 		/* src node for translation rule */
3540 		if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3541 		    ((direction == PF_OUT &&
3542 		    pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3543 		    (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
3544 			REASON_SET(&reason, PFRES_SRCLIMIT);
3545 			goto cleanup;
3546 		}
3547 		s = pool_get(&pf_state_pl, PR_NOWAIT);
3548 		if (s == NULL) {
3549 			REASON_SET(&reason, PFRES_MEMORY);
3550 cleanup:
3551 			if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3552 				RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3553 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3554 				pf_status.src_nodes--;
3555 				pool_put(&pf_src_tree_pl, sn);
3556 			}
3557 			if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3558 			    nsn->expire == 0) {
3559 				RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3560 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3561 				pf_status.src_nodes--;
3562 				pool_put(&pf_src_tree_pl, nsn);
3563 			}
3564 			return (PF_DROP);
3565 		}
3566 		bzero(s, sizeof(*s));
3567 		s->rule.ptr = r;
3568 		s->nat_rule.ptr = nr;
3569 		s->anchor.ptr = a;
3570 		STATE_INC_COUNTERS(s);
3571 		s->allow_opts = r->allow_opts;
3572 		s->log = r->log & PF_LOG_ALL;
3573 		if (nr != NULL)
3574 			s->log |= nr->log & PF_LOG_ALL;
3575 		s->proto = IPPROTO_UDP;
3576 		s->direction = direction;
3577 		s->af = af;
3578 		if (direction == PF_OUT) {
3579 			PF_ACPY(&s->gwy.addr, saddr, af);
3580 			s->gwy.port = uh->uh_sport;
3581 			PF_ACPY(&s->ext.addr, daddr, af);
3582 			s->ext.port = uh->uh_dport;
3583 			if (nr != NULL) {
3584 				PF_ACPY(&s->lan.addr, &pd->baddr, af);
3585 				s->lan.port = bport;
3586 			} else {
3587 				PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3588 				s->lan.port = s->gwy.port;
3589 			}
3590 		} else {
3591 			PF_ACPY(&s->lan.addr, daddr, af);
3592 			s->lan.port = uh->uh_dport;
3593 			PF_ACPY(&s->ext.addr, saddr, af);
3594 			s->ext.port = uh->uh_sport;
3595 			if (nr != NULL) {
3596 				PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3597 				s->gwy.port = bport;
3598 			} else {
3599 				PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3600 				s->gwy.port = s->lan.port;
3601 			}
3602 		}
3603 		s->hash = pf_state_hash(s);
3604 		s->src.state = PFUDPS_SINGLE;
3605 		s->dst.state = PFUDPS_NO_TRAFFIC;
3606 		s->creation = time_second;
3607 		s->expire = time_second;
3608 		s->timeout = PFTM_UDP_FIRST_PACKET;
3609 		pf_set_rt_ifp(s, saddr);
3610 		if (sn != NULL) {
3611 			s->src_node = sn;
3612 			s->src_node->states++;
3613 		}
3614 		if (nsn != NULL) {
3615 			PF_ACPY(&nsn->raddr, &pd->naddr, af);
3616 			s->nat_src_node = nsn;
3617 			s->nat_src_node->states++;
3618 		}
3619 		if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3620 			REASON_SET(&reason, PFRES_STATEINS);
3621 			pf_src_tree_remove_state(s);
3622 			STATE_DEC_COUNTERS(s);
3623 			pool_put(&pf_state_pl, s);
3624 			return (PF_DROP);
3625 		} else
3626 			*sm = s;
3627 		if (tag > 0) {
3628 			pf_tag_ref(tag);
3629 			s->tag = tag;
3630 		}
3631 	}
3632 
3633 	/* copy back packet headers if we performed NAT operations */
3634 	if (rewrite)
3635 		m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3636 
3637 	return (PF_PASS);
3638 }
3639 
3640 int
3641 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
3642     struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3643     struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3644     struct ifqueue *ifq)
3645 {
3646 	struct pf_rule		*nr = NULL;
3647 	struct pf_addr		*saddr = pd->src, *daddr = pd->dst;
3648 	struct pf_rule		*r, *a = NULL;
3649 	struct pf_ruleset	*ruleset = NULL;
3650 	struct pf_src_node	*nsn = NULL;
3651 	u_short			 reason;
3652 	u_int16_t		 icmpid = 0, bport, nport = 0;
3653 	sa_family_t		 af = pd->af;
3654 	u_int8_t		 icmptype = 0, icmpcode = 0;
3655 	int			 state_icmp = 0;
3656 	int			 tag = -1, rtableid = -1;
3657 #ifdef INET6
3658 	int			 rewrite = 0;
3659 #endif /* INET6 */
3660 	int			 asd = 0;
3661 	int			 match = 0;
3662 
3663 	if (pf_check_congestion(ifq)) {
3664 		REASON_SET(&reason, PFRES_CONGEST);
3665 		return (PF_DROP);
3666 	}
3667 
3668 	switch (pd->proto) {
3669 #ifdef INET
3670 	case IPPROTO_ICMP:
3671 		icmptype = pd->hdr.icmp->icmp_type;
3672 		icmpcode = pd->hdr.icmp->icmp_code;
3673 		icmpid = pd->hdr.icmp->icmp_id;
3674 
3675 		if (icmptype == ICMP_UNREACH ||
3676 		    icmptype == ICMP_SOURCEQUENCH ||
3677 		    icmptype == ICMP_REDIRECT ||
3678 		    icmptype == ICMP_TIMXCEED ||
3679 		    icmptype == ICMP_PARAMPROB)
3680 			state_icmp++;
3681 		break;
3682 #endif /* INET */
3683 #ifdef INET6
3684 	case IPPROTO_ICMPV6:
3685 		icmptype = pd->hdr.icmp6->icmp6_type;
3686 		icmpcode = pd->hdr.icmp6->icmp6_code;
3687 		icmpid = pd->hdr.icmp6->icmp6_id;
3688 
3689 		if (icmptype == ICMP6_DST_UNREACH ||
3690 		    icmptype == ICMP6_PACKET_TOO_BIG ||
3691 		    icmptype == ICMP6_TIME_EXCEEDED ||
3692 		    icmptype == ICMP6_PARAM_PROB)
3693 			state_icmp++;
3694 		break;
3695 #endif /* INET6 */
3696 	}
3697 
3698 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3699 
3700 	if (direction == PF_OUT) {
3701 		bport = nport = icmpid;
3702 		/* check outgoing packet for BINAT/NAT */
3703 		if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3704 		    saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) !=
3705 		    NULL) {
3706 			PF_ACPY(&pd->baddr, saddr, af);
3707 			switch (af) {
3708 #ifdef INET
3709 			case AF_INET:
3710 				pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3711 				    pd->naddr.v4.s_addr, 0);
3712 				pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
3713 				    pd->hdr.icmp->icmp_cksum, icmpid, nport, 0);
3714 				pd->hdr.icmp->icmp_id = nport;
3715 				m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
3716 				break;
3717 #endif /* INET */
3718 #ifdef INET6
3719 			case AF_INET6:
3720 				pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
3721 				    &pd->naddr, 0);
3722 				rewrite++;
3723 				break;
3724 #endif /* INET6 */
3725 			}
3726 			if (nr->natpass)
3727 				r = NULL;
3728 			pd->nat_rule = nr;
3729 		}
3730 	} else {
3731 		bport = nport = icmpid;
3732 		/* check incoming packet for BINAT/RDR */
3733 		if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3734 		    saddr, icmpid, daddr, icmpid, &pd->naddr, &nport)) !=
3735 		    NULL) {
3736 			PF_ACPY(&pd->baddr, daddr, af);
3737 			switch (af) {
3738 #ifdef INET
3739 			case AF_INET:
3740 				pf_change_a(&daddr->v4.s_addr,
3741 				    pd->ip_sum, pd->naddr.v4.s_addr, 0);
3742 				break;
3743 #endif /* INET */
3744 #ifdef INET6
3745 			case AF_INET6:
3746 				pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
3747 				    &pd->naddr, 0);
3748 				rewrite++;
3749 				break;
3750 #endif /* INET6 */
3751 			}
3752 			if (nr->natpass)
3753 				r = NULL;
3754 			pd->nat_rule = nr;
3755 		}
3756 	}
3757 
3758 	while (r != NULL) {
3759 		r->evaluations++;
3760 		if (pfi_kif_match(r->kif, kif) == r->ifnot)
3761 			r = r->skip[PF_SKIP_IFP].ptr;
3762 		else if (r->direction && r->direction != direction)
3763 			r = r->skip[PF_SKIP_DIR].ptr;
3764 		else if (r->af && r->af != af)
3765 			r = r->skip[PF_SKIP_AF].ptr;
3766 		else if (r->proto && r->proto != pd->proto)
3767 			r = r->skip[PF_SKIP_PROTO].ptr;
3768 		else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
3769 		    r->src.neg, kif))
3770 			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3771 		else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
3772 		    r->dst.neg, NULL))
3773 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
3774 		else if (r->type && r->type != icmptype + 1)
3775 			r = TAILQ_NEXT(r, entries);
3776 		else if (r->code && r->code != icmpcode + 1)
3777 			r = TAILQ_NEXT(r, entries);
3778 		else if (r->tos && !(r->tos == pd->tos))
3779 			r = TAILQ_NEXT(r, entries);
3780 		else if (r->rule_flag & PFRULE_FRAGMENT)
3781 			r = TAILQ_NEXT(r, entries);
3782 		else if (r->prob && r->prob <= karc4random())
3783 			r = TAILQ_NEXT(r, entries);
3784 		else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
3785 			r = TAILQ_NEXT(r, entries);
3786 		else if (r->os_fingerprint != PF_OSFP_ANY)
3787 			r = TAILQ_NEXT(r, entries);
3788 		else {
3789 			if (r->tag)
3790 				tag = r->tag;
3791 			if (r->rtableid >= 0)
3792 				rtableid = r->rtableid;
3793 			if (r->anchor == NULL) {
3794 				match = 1;
3795 				*rm = r;
3796 				*am = a;
3797 				*rsm = ruleset;
3798 				if ((*rm)->quick)
3799 					break;
3800 				r = TAILQ_NEXT(r, entries);
3801 			} else
3802 				pf_step_into_anchor(&asd, &ruleset,
3803 				    PF_RULESET_FILTER, &r, &a, &match);
3804 		}
3805 		if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
3806 		    PF_RULESET_FILTER, &r, &a, &match))
3807 			break;
3808 	}
3809 	r = *rm;
3810 	a = *am;
3811 	ruleset = *rsm;
3812 
3813 	REASON_SET(&reason, PFRES_MATCH);
3814 
3815 	if (r->log || (nr != NULL && nr->natpass && nr->log)) {
3816 #ifdef INET6
3817 		if (rewrite)
3818 			m_copyback(m, off, sizeof(struct icmp6_hdr),
3819 			    (caddr_t)pd->hdr.icmp6);
3820 #endif /* INET6 */
3821 		PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
3822 		    a, ruleset, pd);
3823 	}
3824 
3825 	if (r->action != PF_PASS)
3826 		return (PF_DROP);
3827 
3828 	if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
3829 		REASON_SET(&reason, PFRES_MEMORY);
3830 		return (PF_DROP);
3831 	}
3832 
3833 	if (!state_icmp && (r->keep_state || nr != NULL)) {
3834 		/* create new state */
3835 		struct pf_state	*s = NULL;
3836 		struct pf_src_node *sn = NULL;
3837 
3838 		/* check maximums */
3839 		if (r->max_states && (r->states >= r->max_states)) {
3840 			pf_status.lcounters[LCNT_STATES]++;
3841 			REASON_SET(&reason, PFRES_MAXSTATES);
3842 			goto cleanup;
3843 		}
3844 		/* src node for filter rule */
3845 		if ((r->rule_flag & PFRULE_SRCTRACK ||
3846 		    r->rpool.opts & PF_POOL_STICKYADDR) &&
3847 		    pf_insert_src_node(&sn, r, saddr, af) != 0) {
3848 			REASON_SET(&reason, PFRES_SRCLIMIT);
3849 			goto cleanup;
3850 		}
3851 		/* src node for translation rule */
3852 		if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3853 		    ((direction == PF_OUT &&
3854 		    pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3855 		    (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
3856 			REASON_SET(&reason, PFRES_SRCLIMIT);
3857 			goto cleanup;
3858 		}
3859 		s = pool_get(&pf_state_pl, PR_NOWAIT);
3860 		if (s == NULL) {
3861 			REASON_SET(&reason, PFRES_MEMORY);
3862 cleanup:
3863 			if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3864 				RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3865 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3866 				pf_status.src_nodes--;
3867 				pool_put(&pf_src_tree_pl, sn);
3868 			}
3869 			if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3870 			    nsn->expire == 0) {
3871 				RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3872 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3873 				pf_status.src_nodes--;
3874 				pool_put(&pf_src_tree_pl, nsn);
3875 			}
3876 			return (PF_DROP);
3877 		}
3878 		bzero(s, sizeof(*s));
3879 		s->rule.ptr = r;
3880 		s->nat_rule.ptr = nr;
3881 		s->anchor.ptr = a;
3882 		STATE_INC_COUNTERS(s);
3883 		s->allow_opts = r->allow_opts;
3884 		s->log = r->log & PF_LOG_ALL;
3885 		if (nr != NULL)
3886 			s->log |= nr->log & PF_LOG_ALL;
3887 		s->proto = pd->proto;
3888 		s->direction = direction;
3889 		s->af = af;
3890 		if (direction == PF_OUT) {
3891 			PF_ACPY(&s->gwy.addr, saddr, af);
3892 			s->gwy.port = nport;
3893 			PF_ACPY(&s->ext.addr, daddr, af);
3894 			s->ext.port = 0;
3895 			if (nr != NULL) {
3896 				PF_ACPY(&s->lan.addr, &pd->baddr, af);
3897 				s->lan.port = bport;
3898 			} else {
3899 				PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3900 				s->lan.port = s->gwy.port;
3901 			}
3902 		} else {
3903 			PF_ACPY(&s->lan.addr, daddr, af);
3904 			s->lan.port = nport;
3905 			PF_ACPY(&s->ext.addr, saddr, af);
3906 			s->ext.port = 0;
3907 			if (nr != NULL) {
3908 				PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3909 				s->gwy.port = bport;
3910 			} else {
3911 				PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3912 				s->gwy.port = s->lan.port;
3913 			}
3914 		}
3915 		s->hash = pf_state_hash(s);
3916 		s->creation = time_second;
3917 		s->expire = time_second;
3918 		s->timeout = PFTM_ICMP_FIRST_PACKET;
3919 		pf_set_rt_ifp(s, saddr);
3920 		if (sn != NULL) {
3921 			s->src_node = sn;
3922 			s->src_node->states++;
3923 		}
3924 		if (nsn != NULL) {
3925 			PF_ACPY(&nsn->raddr, &pd->naddr, af);
3926 			s->nat_src_node = nsn;
3927 			s->nat_src_node->states++;
3928 		}
3929 		if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3930 			REASON_SET(&reason, PFRES_STATEINS);
3931 			pf_src_tree_remove_state(s);
3932 			STATE_DEC_COUNTERS(s);
3933 			pool_put(&pf_state_pl, s);
3934 			return (PF_DROP);
3935 		} else
3936 			*sm = s;
3937 		if (tag > 0) {
3938 			pf_tag_ref(tag);
3939 			s->tag = tag;
3940 		}
3941 	}
3942 
3943 #ifdef INET6
3944 	/* copy back packet headers if we performed IPv6 NAT operations */
3945 	if (rewrite)
3946 		m_copyback(m, off, sizeof(struct icmp6_hdr),
3947 		    (caddr_t)pd->hdr.icmp6);
3948 #endif /* INET6 */
3949 
3950 	return (PF_PASS);
3951 }
3952 
3953 int
3954 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
3955     struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
3956     struct pf_rule **am, struct pf_ruleset **rsm, struct ifqueue *ifq)
3957 {
3958 	struct pf_rule		*nr = NULL;
3959 	struct pf_rule		*r, *a = NULL;
3960 	struct pf_ruleset	*ruleset = NULL;
3961 	struct pf_src_node	*nsn = NULL;
3962 	struct pf_addr		*saddr = pd->src, *daddr = pd->dst;
3963 	sa_family_t		 af = pd->af;
3964 	u_short			 reason;
3965 	int			 tag = -1, rtableid = -1;
3966 	int			 asd = 0;
3967 	int			 match = 0;
3968 
3969 	if (pf_check_congestion(ifq)) {
3970 		REASON_SET(&reason, PFRES_CONGEST);
3971 		return (PF_DROP);
3972 	}
3973 
3974 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3975 
3976 	if (direction == PF_OUT) {
3977 		/* check outgoing packet for BINAT/NAT */
3978 		if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3979 		    saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3980 			PF_ACPY(&pd->baddr, saddr, af);
3981 			switch (af) {
3982 #ifdef INET
3983 			case AF_INET:
3984 				pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3985 				    pd->naddr.v4.s_addr, 0);
3986 				break;
3987 #endif /* INET */
3988 #ifdef INET6
3989 			case AF_INET6:
3990 				PF_ACPY(saddr, &pd->naddr, af);
3991 				break;
3992 #endif /* INET6 */
3993 			}
3994 			if (nr->natpass)
3995 				r = NULL;
3996 			pd->nat_rule = nr;
3997 		}
3998 	} else {
3999 		/* check incoming packet for BINAT/RDR */
4000 		if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
4001 		    saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
4002 			PF_ACPY(&pd->baddr, daddr, af);
4003 			switch (af) {
4004 #ifdef INET
4005 			case AF_INET:
4006 				pf_change_a(&daddr->v4.s_addr,
4007 				    pd->ip_sum, pd->naddr.v4.s_addr, 0);
4008 				break;
4009 #endif /* INET */
4010 #ifdef INET6
4011 			case AF_INET6:
4012 				PF_ACPY(daddr, &pd->naddr, af);
4013 				break;
4014 #endif /* INET6 */
4015 			}
4016 			if (nr->natpass)
4017 				r = NULL;
4018 			pd->nat_rule = nr;
4019 		}
4020 	}
4021 
4022 	while (r != NULL) {
4023 		r->evaluations++;
4024 		if (pfi_kif_match(r->kif, kif) == r->ifnot)
4025 			r = r->skip[PF_SKIP_IFP].ptr;
4026 		else if (r->direction && r->direction != direction)
4027 			r = r->skip[PF_SKIP_DIR].ptr;
4028 		else if (r->af && r->af != af)
4029 			r = r->skip[PF_SKIP_AF].ptr;
4030 		else if (r->proto && r->proto != pd->proto)
4031 			r = r->skip[PF_SKIP_PROTO].ptr;
4032 		else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
4033 		    r->src.neg, kif))
4034 			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4035 		else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
4036 		    r->dst.neg, NULL))
4037 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
4038 		else if (r->tos && !(r->tos == pd->tos))
4039 			r = TAILQ_NEXT(r, entries);
4040 		else if (r->rule_flag & PFRULE_FRAGMENT)
4041 			r = TAILQ_NEXT(r, entries);
4042 		else if (r->prob && r->prob <= karc4random())
4043 			r = TAILQ_NEXT(r, entries);
4044 		else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag))
4045 			r = TAILQ_NEXT(r, entries);
4046 		else if (r->os_fingerprint != PF_OSFP_ANY)
4047 			r = TAILQ_NEXT(r, entries);
4048 		else {
4049 			if (r->tag)
4050 				tag = r->tag;
4051 			if (r->rtableid >= 0)
4052 				rtableid = r->rtableid;
4053 			if (r->anchor == NULL) {
4054 				match = 1;
4055 				*rm = r;
4056 				*am = a;
4057 				*rsm = ruleset;
4058 				if ((*rm)->quick)
4059 					break;
4060 				r = TAILQ_NEXT(r, entries);
4061 			} else
4062 				pf_step_into_anchor(&asd, &ruleset,
4063 				    PF_RULESET_FILTER, &r, &a, &match);
4064 		}
4065 		if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4066 		    PF_RULESET_FILTER, &r, &a, &match))
4067 			break;
4068 	}
4069 	r = *rm;
4070 	a = *am;
4071 	ruleset = *rsm;
4072 
4073 	REASON_SET(&reason, PFRES_MATCH);
4074 
4075 	if (r->log || (nr != NULL && nr->natpass && nr->log))
4076 		PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr,
4077 		    a, ruleset, pd);
4078 
4079 	if ((r->action == PF_DROP) &&
4080 	    ((r->rule_flag & PFRULE_RETURNICMP) ||
4081 	    (r->rule_flag & PFRULE_RETURN))) {
4082 		struct pf_addr *a = NULL;
4083 
4084 		if (nr != NULL) {
4085 			if (direction == PF_OUT)
4086 				a = saddr;
4087 			else
4088 				a = daddr;
4089 		}
4090 		if (a != NULL) {
4091 			switch (af) {
4092 #ifdef INET
4093 			case AF_INET:
4094 				pf_change_a(&a->v4.s_addr, pd->ip_sum,
4095 				    pd->baddr.v4.s_addr, 0);
4096 				break;
4097 #endif /* INET */
4098 #ifdef INET6
4099 			case AF_INET6:
4100 				PF_ACPY(a, &pd->baddr, af);
4101 				break;
4102 #endif /* INET6 */
4103 			}
4104 		}
4105 		if ((af == AF_INET) && r->return_icmp)
4106 			pf_send_icmp(m, r->return_icmp >> 8,
4107 			    r->return_icmp & 255, af, r);
4108 		else if ((af == AF_INET6) && r->return_icmp6)
4109 			pf_send_icmp(m, r->return_icmp6 >> 8,
4110 			    r->return_icmp6 & 255, af, r);
4111 	}
4112 
4113 	if (r->action != PF_PASS)
4114 		return (PF_DROP);
4115 
4116 	if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) {
4117 		REASON_SET(&reason, PFRES_MEMORY);
4118 		return (PF_DROP);
4119 	}
4120 
4121 	if (r->keep_state || nr != NULL) {
4122 		/* create new state */
4123 		struct pf_state	*s = NULL;
4124 		struct pf_src_node *sn = NULL;
4125 
4126 		/* check maximums */
4127 		if (r->max_states && (r->states >= r->max_states)) {
4128 			pf_status.lcounters[LCNT_STATES]++;
4129 			REASON_SET(&reason, PFRES_MAXSTATES);
4130 			goto cleanup;
4131 		}
4132 		/* src node for filter rule */
4133 		if ((r->rule_flag & PFRULE_SRCTRACK ||
4134 		    r->rpool.opts & PF_POOL_STICKYADDR) &&
4135 		    pf_insert_src_node(&sn, r, saddr, af) != 0) {
4136 			REASON_SET(&reason, PFRES_SRCLIMIT);
4137 			goto cleanup;
4138 		}
4139 		/* src node for translation rule */
4140 		if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
4141 		    ((direction == PF_OUT &&
4142 		    pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
4143 		    (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
4144 			REASON_SET(&reason, PFRES_SRCLIMIT);
4145 			goto cleanup;
4146 		}
4147 		s = pool_get(&pf_state_pl, PR_NOWAIT);
4148 		if (s == NULL) {
4149 			REASON_SET(&reason, PFRES_MEMORY);
4150 cleanup:
4151 			if (sn != NULL && sn->states == 0 && sn->expire == 0) {
4152 				RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
4153 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4154 				pf_status.src_nodes--;
4155 				pool_put(&pf_src_tree_pl, sn);
4156 			}
4157 			if (nsn != sn && nsn != NULL && nsn->states == 0 &&
4158 			    nsn->expire == 0) {
4159 				RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
4160 				pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
4161 				pf_status.src_nodes--;
4162 				pool_put(&pf_src_tree_pl, nsn);
4163 			}
4164 			return (PF_DROP);
4165 		}
4166 		bzero(s, sizeof(*s));
4167 		s->rule.ptr = r;
4168 		s->nat_rule.ptr = nr;
4169 		s->anchor.ptr = a;
4170 		STATE_INC_COUNTERS(s);
4171 		s->allow_opts = r->allow_opts;
4172 		s->log = r->log & PF_LOG_ALL;
4173 		if (nr != NULL)
4174 			s->log |= nr->log & PF_LOG_ALL;
4175 		s->proto = pd->proto;
4176 		s->direction = direction;
4177 		s->af = af;
4178 		if (direction == PF_OUT) {
4179 			PF_ACPY(&s->gwy.addr, saddr, af);
4180 			PF_ACPY(&s->ext.addr, daddr, af);
4181 			if (nr != NULL)
4182 				PF_ACPY(&s->lan.addr, &pd->baddr, af);
4183 			else
4184 				PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
4185 		} else {
4186 			PF_ACPY(&s->lan.addr, daddr, af);
4187 			PF_ACPY(&s->ext.addr, saddr, af);
4188 			if (nr != NULL)
4189 				PF_ACPY(&s->gwy.addr, &pd->baddr, af);
4190 			else
4191 				PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
4192 		}
4193 		s->hash = pf_state_hash(s);
4194 		s->src.state = PFOTHERS_SINGLE;
4195 		s->dst.state = PFOTHERS_NO_TRAFFIC;
4196 		s->creation = time_second;
4197 		s->expire = time_second;
4198 		s->timeout = PFTM_OTHER_FIRST_PACKET;
4199 		pf_set_rt_ifp(s, saddr);
4200 		if (sn != NULL) {
4201 			s->src_node = sn;
4202 			s->src_node->states++;
4203 		}
4204 		if (nsn != NULL) {
4205 			PF_ACPY(&nsn->raddr, &pd->naddr, af);
4206 			s->nat_src_node = nsn;
4207 			s->nat_src_node->states++;
4208 		}
4209 		if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
4210 			REASON_SET(&reason, PFRES_STATEINS);
4211 			pf_src_tree_remove_state(s);
4212 			STATE_DEC_COUNTERS(s);
4213 			pool_put(&pf_state_pl, s);
4214 			return (PF_DROP);
4215 		} else
4216 			*sm = s;
4217 		if (tag > 0) {
4218 			pf_tag_ref(tag);
4219 			s->tag = tag;
4220 		}
4221 	}
4222 
4223 	return (PF_PASS);
4224 }
4225 
4226 int
4227 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
4228     struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
4229     struct pf_ruleset **rsm)
4230 {
4231 	struct pf_rule		*r, *a = NULL;
4232 	struct pf_ruleset	*ruleset = NULL;
4233 	sa_family_t		 af = pd->af;
4234 	u_short			 reason;
4235 	int			 tag = -1;
4236 	int			 asd = 0;
4237 	int			 match = 0;
4238 
4239 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4240 	while (r != NULL) {
4241 		r->evaluations++;
4242 		if (pfi_kif_match(r->kif, kif) == r->ifnot)
4243 			r = r->skip[PF_SKIP_IFP].ptr;
4244 		else if (r->direction && r->direction != direction)
4245 			r = r->skip[PF_SKIP_DIR].ptr;
4246 		else if (r->af && r->af != af)
4247 			r = r->skip[PF_SKIP_AF].ptr;
4248 		else if (r->proto && r->proto != pd->proto)
4249 			r = r->skip[PF_SKIP_PROTO].ptr;
4250 		else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
4251 		    r->src.neg, kif))
4252 			r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4253 		else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
4254 		    r->dst.neg, NULL))
4255 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
4256 		else if (r->tos && !(r->tos == pd->tos))
4257 			r = TAILQ_NEXT(r, entries);
4258 		else if (r->os_fingerprint != PF_OSFP_ANY)
4259 			r = TAILQ_NEXT(r, entries);
4260 		else if (pd->proto == IPPROTO_UDP &&
4261 		    (r->src.port_op || r->dst.port_op))
4262 			r = TAILQ_NEXT(r, entries);
4263 		else if (pd->proto == IPPROTO_TCP &&
4264 		    (r->src.port_op || r->dst.port_op || r->flagset))
4265 			r = TAILQ_NEXT(r, entries);
4266 		else if ((pd->proto == IPPROTO_ICMP ||
4267 		    pd->proto == IPPROTO_ICMPV6) &&
4268 		    (r->type || r->code))
4269 			r = TAILQ_NEXT(r, entries);
4270 		else if (r->prob && r->prob <= karc4random())
4271 			r = TAILQ_NEXT(r, entries);
4272 		else if (r->match_tag && !pf_match_tag(m, r, NULL, &tag))
4273 			r = TAILQ_NEXT(r, entries);
4274 		else {
4275 			if (r->anchor == NULL) {
4276 				match = 1;
4277 				*rm = r;
4278 				*am = a;
4279 				*rsm = ruleset;
4280 				if ((*rm)->quick)
4281 					break;
4282 				r = TAILQ_NEXT(r, entries);
4283 			} else
4284 				pf_step_into_anchor(&asd, &ruleset,
4285 				    PF_RULESET_FILTER, &r, &a, &match);
4286 		}
4287 		if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4288 		    PF_RULESET_FILTER, &r, &a, &match))
4289 			break;
4290 	}
4291 	r = *rm;
4292 	a = *am;
4293 	ruleset = *rsm;
4294 
4295 	REASON_SET(&reason, PFRES_MATCH);
4296 
4297 	if (r->log)
4298 		PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset,
4299 		    pd);
4300 
4301 	if (r->action != PF_PASS)
4302 		return (PF_DROP);
4303 
4304 	if (pf_tag_packet(m, pd->pf_mtag, tag, -1)) {
4305 		REASON_SET(&reason, PFRES_MEMORY);
4306 		return (PF_DROP);
4307 	}
4308 
4309 	return (PF_PASS);
4310 }
4311 
4312 int
4313 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
4314     struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4315     u_short *reason)
4316 {
4317 	struct pf_state_cmp	 key;
4318 	struct tcphdr		*th = pd->hdr.tcp;
4319 	u_int16_t		 win = ntohs(th->th_win);
4320 	u_int32_t		 ack, end, seq, orig_seq;
4321 	u_int8_t		 sws, dws;
4322 	int			 ackskew;
4323 	int			 copyback = 0;
4324 	struct pf_state_peer	*src, *dst;
4325 
4326 	key.af = pd->af;
4327 	key.proto = IPPROTO_TCP;
4328 	if (direction == PF_IN)	{
4329 		PF_ACPY(&key.ext.addr, pd->src, key.af);
4330 		PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4331 		key.ext.port = th->th_sport;
4332 		key.gwy.port = th->th_dport;
4333 	} else {
4334 		PF_ACPY(&key.lan.addr, pd->src, key.af);
4335 		PF_ACPY(&key.ext.addr, pd->dst, key.af);
4336 		key.lan.port = th->th_sport;
4337 		key.ext.port = th->th_dport;
4338 	}
4339 
4340 	STATE_LOOKUP();
4341 
4342 	if (direction == (*state)->direction) {
4343 		src = &(*state)->src;
4344 		dst = &(*state)->dst;
4345 	} else {
4346 		src = &(*state)->dst;
4347 		dst = &(*state)->src;
4348 	}
4349 
4350 	if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
4351 		if (direction != (*state)->direction) {
4352 			REASON_SET(reason, PFRES_SYNPROXY);
4353 			return (PF_SYNPROXY_DROP);
4354 		}
4355 		if (th->th_flags & TH_SYN) {
4356 			if (ntohl(th->th_seq) != (*state)->src.seqlo) {
4357 				REASON_SET(reason, PFRES_SYNPROXY);
4358 				return (PF_DROP);
4359 			}
4360 			pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
4361 			    pd->src, th->th_dport, th->th_sport,
4362 			    (*state)->src.seqhi, ntohl(th->th_seq) + 1,
4363 			    TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
4364 			    0, NULL, NULL);
4365 			REASON_SET(reason, PFRES_SYNPROXY);
4366 			return (PF_SYNPROXY_DROP);
4367 		} else if (!(th->th_flags & TH_ACK) ||
4368 		    (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4369 		    (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4370 			REASON_SET(reason, PFRES_SYNPROXY);
4371 			return (PF_DROP);
4372 		} else if ((*state)->src_node != NULL &&
4373 		    pf_src_connlimit(state)) {
4374 			REASON_SET(reason, PFRES_SRCLIMIT);
4375 			return (PF_DROP);
4376 		} else
4377 			(*state)->src.state = PF_TCPS_PROXY_DST;
4378 	}
4379 	if ((*state)->src.state == PF_TCPS_PROXY_DST) {
4380 		struct pf_state_host *src, *dst;
4381 
4382 		if (direction == PF_OUT) {
4383 			src = &(*state)->gwy;
4384 			dst = &(*state)->ext;
4385 		} else {
4386 			src = &(*state)->ext;
4387 			dst = &(*state)->lan;
4388 		}
4389 		if (direction == (*state)->direction) {
4390 			if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
4391 			    (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
4392 			    (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
4393 				REASON_SET(reason, PFRES_SYNPROXY);
4394 				return (PF_DROP);
4395 			}
4396 			(*state)->src.max_win = MAX(ntohs(th->th_win), 1);
4397 			if ((*state)->dst.seqhi == 1)
4398 				(*state)->dst.seqhi = htonl(karc4random());
4399 			pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
4400 			    &dst->addr, src->port, dst->port,
4401 			    (*state)->dst.seqhi, 0, TH_SYN, 0,
4402 			    (*state)->src.mss, 0, 0, (*state)->tag, NULL, NULL);
4403 			REASON_SET(reason, PFRES_SYNPROXY);
4404 			return (PF_SYNPROXY_DROP);
4405 		} else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
4406 		    (TH_SYN|TH_ACK)) ||
4407 		    (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
4408 			REASON_SET(reason, PFRES_SYNPROXY);
4409 			return (PF_DROP);
4410 		} else {
4411 			(*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
4412 			(*state)->dst.seqlo = ntohl(th->th_seq);
4413 			pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
4414 			    pd->src, th->th_dport, th->th_sport,
4415 			    ntohl(th->th_ack), ntohl(th->th_seq) + 1,
4416 			    TH_ACK, (*state)->src.max_win, 0, 0, 0,
4417 			    (*state)->tag, NULL, NULL);
4418 			pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
4419 			    &dst->addr, src->port, dst->port,
4420 			    (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
4421 			    TH_ACK, (*state)->dst.max_win, 0, 0, 1,
4422 			    0, NULL, NULL);
4423 			(*state)->src.seqdiff = (*state)->dst.seqhi -
4424 			    (*state)->src.seqlo;
4425 			(*state)->dst.seqdiff = (*state)->src.seqhi -
4426 			    (*state)->dst.seqlo;
4427 			(*state)->src.seqhi = (*state)->src.seqlo +
4428 			    (*state)->dst.max_win;
4429 			(*state)->dst.seqhi = (*state)->dst.seqlo +
4430 			    (*state)->src.max_win;
4431 			(*state)->src.wscale = (*state)->dst.wscale = 0;
4432 			(*state)->src.state = (*state)->dst.state =
4433 			    TCPS_ESTABLISHED;
4434 			REASON_SET(reason, PFRES_SYNPROXY);
4435 			return (PF_SYNPROXY_DROP);
4436 		}
4437 	}
4438 
4439 	if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
4440 		sws = src->wscale & PF_WSCALE_MASK;
4441 		dws = dst->wscale & PF_WSCALE_MASK;
4442 	} else
4443 		sws = dws = 0;
4444 
4445 	/*
4446 	 * Sequence tracking algorithm from Guido van Rooij's paper:
4447 	 *   http://www.madison-gurkha.com/publications/tcp_filtering/
4448 	 *	tcp_filtering.ps
4449 	 */
4450 
4451 	orig_seq = seq = ntohl(th->th_seq);
4452 	if (src->seqlo == 0) {
4453 		/* First packet from this end. Set its state */
4454 
4455 		if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
4456 		    src->scrub == NULL) {
4457 			if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
4458 				REASON_SET(reason, PFRES_MEMORY);
4459 				return (PF_DROP);
4460 			}
4461 		}
4462 
4463 		/* Deferred generation of sequence number modulator */
4464 		if (dst->seqdiff && !src->seqdiff) {
4465 			while ((src->seqdiff = pf_new_isn(*state) - seq) == 0)
4466 				;
4467 			ack = ntohl(th->th_ack) - dst->seqdiff;
4468 			pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
4469 			    src->seqdiff), 0);
4470 			pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
4471 			copyback = 1;
4472 		} else {
4473 			ack = ntohl(th->th_ack);
4474 		}
4475 
4476 		end = seq + pd->p_len;
4477 		if (th->th_flags & TH_SYN) {
4478 			end++;
4479 			(*state)->sync_flags |= PFSTATE_GOT_SYN2;
4480 			if (dst->wscale & PF_WSCALE_FLAG) {
4481 				src->wscale = pf_get_wscale(m, off, th->th_off,
4482 				    pd->af);
4483 				if (src->wscale & PF_WSCALE_FLAG) {
4484 					/* Remove scale factor from initial
4485 					 * window */
4486 					sws = src->wscale & PF_WSCALE_MASK;
4487 					win = ((u_int32_t)win + (1 << sws) - 1)
4488 					    >> sws;
4489 					dws = dst->wscale & PF_WSCALE_MASK;
4490 				} else {
4491 					/* fixup other window */
4492 					dst->max_win <<= dst->wscale &
4493 					    PF_WSCALE_MASK;
4494 					/* in case of a retrans SYN|ACK */
4495 					dst->wscale = 0;
4496 				}
4497 			}
4498 		}
4499 		if (th->th_flags & TH_FIN)
4500 			end++;
4501 
4502 		src->seqlo = seq;
4503 		if (src->state < TCPS_SYN_SENT)
4504 			src->state = TCPS_SYN_SENT;
4505 
4506 		/*
4507 		 * May need to slide the window (seqhi may have been set by
4508 		 * the crappy stack check or if we picked up the connection
4509 		 * after establishment)
4510 		 */
4511 		if (src->seqhi == 1 ||
4512 		    SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
4513 			src->seqhi = end + MAX(1, dst->max_win << dws);
4514 		if (win > src->max_win)
4515 			src->max_win = win;
4516 
4517 	} else {
4518 		ack = ntohl(th->th_ack) - dst->seqdiff;
4519 		if (src->seqdiff) {
4520 			/* Modulate sequence numbers */
4521 			pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
4522 			    src->seqdiff), 0);
4523 			pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
4524 			copyback = 1;
4525 		}
4526 		end = seq + pd->p_len;
4527 		if (th->th_flags & TH_SYN)
4528 			end++;
4529 		if (th->th_flags & TH_FIN)
4530 			end++;
4531 	}
4532 
4533 	if ((th->th_flags & TH_ACK) == 0) {
4534 		/* Let it pass through the ack skew check */
4535 		ack = dst->seqlo;
4536 	} else if ((ack == 0 &&
4537 	    (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
4538 	    /* broken tcp stacks do not set ack */
4539 	    (dst->state < TCPS_SYN_SENT)) {
4540 		/*
4541 		 * Many stacks (ours included) will set the ACK number in an
4542 		 * FIN|ACK if the SYN times out -- no sequence to ACK.
4543 		 */
4544 		ack = dst->seqlo;
4545 	}
4546 
4547 	if (seq == end) {
4548 		/* Ease sequencing restrictions on no data packets */
4549 		seq = src->seqlo;
4550 		end = seq;
4551 	}
4552 
4553 	ackskew = dst->seqlo - ack;
4554 
4555 
4556 	/*
4557 	 * Need to demodulate the sequence numbers in any TCP SACK options
4558 	 * (Selective ACK). We could optionally validate the SACK values
4559 	 * against the current ACK window, either forwards or backwards, but
4560 	 * I'm not confident that SACK has been implemented properly
4561 	 * everywhere. It wouldn't surprise me if several stacks accidently
4562 	 * SACK too far backwards of previously ACKed data. There really aren't
4563 	 * any security implications of bad SACKing unless the target stack
4564 	 * doesn't validate the option length correctly. Someone trying to
4565 	 * spoof into a TCP connection won't bother blindly sending SACK
4566 	 * options anyway.
4567 	 */
4568 	if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) {
4569 		if (pf_modulate_sack(m, off, pd, th, dst))
4570 			copyback = 1;
4571 	}
4572 
4573 
4574 #define MAXACKWINDOW (0xffff + 1500)	/* 1500 is an arbitrary fudge factor */
4575 	if (SEQ_GEQ(src->seqhi, end) &&
4576 	    /* Last octet inside other's window space */
4577 	    SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
4578 	    /* Retrans: not more than one window back */
4579 	    (ackskew >= -MAXACKWINDOW) &&
4580 	    /* Acking not more than one reassembled fragment backwards */
4581 	    (ackskew <= (MAXACKWINDOW << sws)) &&
4582 	    /* Acking not more than one window forward */
4583 	    ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
4584 	    (orig_seq == src->seqlo + 1) || (pd->flags & PFDESC_IP_REAS) == 0)) {
4585 	    /* Require an exact/+1 sequence match on resets when possible */
4586 
4587 		if (dst->scrub || src->scrub) {
4588 			if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4589 			    *state, src, dst, &copyback))
4590 				return (PF_DROP);
4591 		}
4592 
4593 		/* update max window */
4594 		if (src->max_win < win)
4595 			src->max_win = win;
4596 		/* synchronize sequencing */
4597 		if (SEQ_GT(end, src->seqlo))
4598 			src->seqlo = end;
4599 		/* slide the window of what the other end can send */
4600 		if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
4601 			dst->seqhi = ack + MAX((win << sws), 1);
4602 
4603 
4604 		/* update states */
4605 		if (th->th_flags & TH_SYN)
4606 			if (src->state < TCPS_SYN_SENT)
4607 				src->state = TCPS_SYN_SENT;
4608 		if (th->th_flags & TH_FIN)
4609 			if (src->state < TCPS_CLOSING)
4610 				src->state = TCPS_CLOSING;
4611 		if (th->th_flags & TH_ACK) {
4612 			if (dst->state == TCPS_SYN_SENT) {
4613 				dst->state = TCPS_ESTABLISHED;
4614 				if (src->state == TCPS_ESTABLISHED &&
4615 				    (*state)->src_node != NULL &&
4616 				    pf_src_connlimit(state)) {
4617 					REASON_SET(reason, PFRES_SRCLIMIT);
4618 					return (PF_DROP);
4619 				}
4620 			} else if (dst->state == TCPS_CLOSING)
4621 				dst->state = TCPS_FIN_WAIT_2;
4622 		}
4623 		if (th->th_flags & TH_RST)
4624 			src->state = dst->state = TCPS_TIME_WAIT;
4625 
4626 		/* update expire time */
4627 		(*state)->expire = time_second;
4628 		if (src->state >= TCPS_FIN_WAIT_2 &&
4629 		    dst->state >= TCPS_FIN_WAIT_2)
4630 			(*state)->timeout = PFTM_TCP_CLOSED;
4631 		else if (src->state >= TCPS_CLOSING &&
4632 		    dst->state >= TCPS_CLOSING)
4633 			(*state)->timeout = PFTM_TCP_FIN_WAIT;
4634 		else if (src->state < TCPS_ESTABLISHED ||
4635 		    dst->state < TCPS_ESTABLISHED)
4636 			(*state)->timeout = PFTM_TCP_OPENING;
4637 		else if (src->state >= TCPS_CLOSING ||
4638 		    dst->state >= TCPS_CLOSING)
4639 			(*state)->timeout = PFTM_TCP_CLOSING;
4640 		else
4641 			(*state)->timeout = PFTM_TCP_ESTABLISHED;
4642 
4643 		/* Fall through to PASS packet */
4644 
4645 	} else if ((dst->state < TCPS_SYN_SENT ||
4646 		dst->state >= TCPS_FIN_WAIT_2 ||
4647 		src->state >= TCPS_FIN_WAIT_2) &&
4648 	    SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
4649 	    /* Within a window forward of the originating packet */
4650 	    SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
4651 	    /* Within a window backward of the originating packet */
4652 
4653 		/*
4654 		 * This currently handles three situations:
4655 		 *  1) Stupid stacks will shotgun SYNs before their peer
4656 		 *     replies.
4657 		 *  2) When PF catches an already established stream (the
4658 		 *     firewall rebooted, the state table was flushed, routes
4659 		 *     changed...)
4660 		 *  3) Packets get funky immediately after the connection
4661 		 *     closes (this should catch Solaris spurious ACK|FINs
4662 		 *     that web servers like to spew after a close)
4663 		 *
4664 		 * This must be a little more careful than the above code
4665 		 * since packet floods will also be caught here. We don't
4666 		 * update the TTL here to mitigate the damage of a packet
4667 		 * flood and so the same code can handle awkward establishment
4668 		 * and a loosened connection close.
4669 		 * In the establishment case, a correct peer response will
4670 		 * validate the connection, go through the normal state code
4671 		 * and keep updating the state TTL.
4672 		 */
4673 
4674 		if (pf_status.debug >= PF_DEBUG_MISC) {
4675 			kprintf("pf: loose state match: ");
4676 			pf_print_state(*state);
4677 			pf_print_flags(th->th_flags);
4678 			kprintf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
4679 			    "pkts=%llu:%llu\n", seq, orig_seq, ack, pd->p_len,
4680 			    ackskew, (unsigned long long)(*state)->packets[0],
4681 			    (unsigned long long)(*state)->packets[1]);
4682 		}
4683 
4684 		if (dst->scrub || src->scrub) {
4685 			if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4686 			    *state, src, dst, &copyback))
4687 				return (PF_DROP);
4688 		}
4689 
4690 		/* update max window */
4691 		if (src->max_win < win)
4692 			src->max_win = win;
4693 		/* synchronize sequencing */
4694 		if (SEQ_GT(end, src->seqlo))
4695 			src->seqlo = end;
4696 		/* slide the window of what the other end can send */
4697 		if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
4698 			dst->seqhi = ack + MAX((win << sws), 1);
4699 
4700 		/*
4701 		 * Cannot set dst->seqhi here since this could be a shotgunned
4702 		 * SYN and not an already established connection.
4703 		 */
4704 
4705 		if (th->th_flags & TH_FIN)
4706 			if (src->state < TCPS_CLOSING)
4707 				src->state = TCPS_CLOSING;
4708 		if (th->th_flags & TH_RST)
4709 			src->state = dst->state = TCPS_TIME_WAIT;
4710 
4711 		/* Fall through to PASS packet */
4712 
4713 	} else if ((*state)->pickup_mode == PF_PICKUPS_HASHONLY ||
4714 		    ((*state)->pickup_mode == PF_PICKUPS_ENABLED &&
4715 		     ((*state)->sync_flags & PFSTATE_GOT_SYN_MASK) !=
4716 		      PFSTATE_GOT_SYN_MASK)) {
4717 		/*
4718 		 * If pickup mode is hash only, do not fail on sequence checks.
4719 		 *
4720 		 * If pickup mode is enabled and we did not see the SYN in
4721 		 * both direction, do not fail on sequence checks because
4722 		 * we do not have complete information on window scale.
4723 		 *
4724 		 * Adjust expiration and fall through to PASS packet.
4725 		 * XXX Add a FIN check to reduce timeout?
4726 		 */
4727 		(*state)->expire = time_second;
4728 	} else  {
4729 		/*
4730 		 * Failure processing
4731 		 */
4732 		if ((*state)->dst.state == TCPS_SYN_SENT &&
4733 		    (*state)->src.state == TCPS_SYN_SENT) {
4734 			/* Send RST for state mismatches during handshake */
4735 			if (!(th->th_flags & TH_RST))
4736 				pf_send_tcp((*state)->rule.ptr, pd->af,
4737 				    pd->dst, pd->src, th->th_dport,
4738 				    th->th_sport, ntohl(th->th_ack), 0,
4739 				    TH_RST, 0, 0,
4740 				    (*state)->rule.ptr->return_ttl, 1, 0,
4741 				    pd->eh, kif->pfik_ifp);
4742 			src->seqlo = 0;
4743 			src->seqhi = 1;
4744 			src->max_win = 1;
4745 		} else if (pf_status.debug >= PF_DEBUG_MISC) {
4746 			kprintf("pf: BAD state: ");
4747 			pf_print_state(*state);
4748 			pf_print_flags(th->th_flags);
4749 			kprintf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
4750 			    "pkts=%llu:%llu dir=%s,%s\n",
4751 			    seq, orig_seq, ack, pd->p_len, ackskew,
4752 			    (unsigned long long)(*state)->packets[0],
4753 				(unsigned long long)(*state)->packets[1],
4754 			    direction == PF_IN ? "in" : "out",
4755 			    direction == (*state)->direction ? "fwd" : "rev");
4756 			kprintf("pf: State failure on: %c %c %c %c | %c %c\n",
4757 			    SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
4758 			    SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
4759 			    ' ': '2',
4760 			    (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
4761 			    (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
4762 			    SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
4763 			    SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
4764 		}
4765 		REASON_SET(reason, PFRES_BADSTATE);
4766 		return (PF_DROP);
4767 	}
4768 
4769 	/* Any packets which have gotten here are to be passed */
4770 
4771 	/* translate source/destination address, if necessary */
4772 	if (STATE_TRANSLATE(*state)) {
4773 		if (direction == PF_OUT) {
4774 			pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
4775 			    &th->th_sum, &(*state)->gwy.addr,
4776 			    (*state)->gwy.port, 0, pd->af);
4777 		} else {
4778 			/*
4779 			 * If we don't redispatch the packet will go into
4780 			 * the protocol stack on the wrong cpu for the
4781 			 * post-translated address.
4782 			 */
4783 			m->m_pkthdr.fw_flags |= FW_MBUF_REDISPATCH;
4784 			pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
4785 			    &th->th_sum, &(*state)->lan.addr,
4786 			    (*state)->lan.port, 0, pd->af);
4787 		}
4788 		m_copyback(m, off, sizeof(*th), (caddr_t)th);
4789 	} else if (copyback) {
4790 		/* Copyback sequence modulation or stateful scrub changes */
4791 		m_copyback(m, off, sizeof(*th), (caddr_t)th);
4792 	}
4793 
4794 	return (PF_PASS);
4795 }
4796 
4797 int
4798 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
4799     struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4800 {
4801 	struct pf_state_peer	*src, *dst;
4802 	struct pf_state_cmp	 key;
4803 	struct udphdr		*uh = pd->hdr.udp;
4804 
4805 	key.af = pd->af;
4806 	key.proto = IPPROTO_UDP;
4807 	if (direction == PF_IN)	{
4808 		PF_ACPY(&key.ext.addr, pd->src, key.af);
4809 		PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4810 		key.ext.port = uh->uh_sport;
4811 		key.gwy.port = uh->uh_dport;
4812 	} else {
4813 		PF_ACPY(&key.lan.addr, pd->src, key.af);
4814 		PF_ACPY(&key.ext.addr, pd->dst, key.af);
4815 		key.lan.port = uh->uh_sport;
4816 		key.ext.port = uh->uh_dport;
4817 	}
4818 
4819 	STATE_LOOKUP();
4820 
4821 	if (direction == (*state)->direction) {
4822 		src = &(*state)->src;
4823 		dst = &(*state)->dst;
4824 	} else {
4825 		src = &(*state)->dst;
4826 		dst = &(*state)->src;
4827 	}
4828 
4829 	/* update states */
4830 	if (src->state < PFUDPS_SINGLE)
4831 		src->state = PFUDPS_SINGLE;
4832 	if (dst->state == PFUDPS_SINGLE)
4833 		dst->state = PFUDPS_MULTIPLE;
4834 
4835 	/* update expire time */
4836 	(*state)->expire = time_second;
4837 	if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
4838 		(*state)->timeout = PFTM_UDP_MULTIPLE;
4839 	else
4840 		(*state)->timeout = PFTM_UDP_SINGLE;
4841 
4842 	/* translate source/destination address, if necessary */
4843 	if (STATE_TRANSLATE(*state)) {
4844 		if (direction == PF_OUT) {
4845 			pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
4846 			    &uh->uh_sum, &(*state)->gwy.addr,
4847 			    (*state)->gwy.port, 1, pd->af);
4848 		} else {
4849 			/*
4850 			 * If we don't redispatch the packet will go into
4851 			 * the protocol stack on the wrong cpu for the
4852 			 * post-translated address.
4853 			 */
4854 			m->m_pkthdr.fw_flags |= FW_MBUF_REDISPATCH;
4855 			pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
4856 			    &uh->uh_sum, &(*state)->lan.addr,
4857 			    (*state)->lan.port, 1, pd->af);
4858 		}
4859 		m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
4860 	}
4861 
4862 	return (PF_PASS);
4863 }
4864 
4865 int
4866 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
4867     struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
4868 {
4869 	struct pf_addr	*saddr = pd->src, *daddr = pd->dst;
4870 	u_int16_t	 icmpid = 0, *icmpsum;
4871 	u_int8_t	 icmptype;
4872 	int		 state_icmp = 0;
4873 	struct pf_state_cmp key;
4874 
4875 	switch (pd->proto) {
4876 #ifdef INET
4877 	case IPPROTO_ICMP:
4878 		icmptype = pd->hdr.icmp->icmp_type;
4879 		icmpid = pd->hdr.icmp->icmp_id;
4880 		icmpsum = &pd->hdr.icmp->icmp_cksum;
4881 
4882 		if (icmptype == ICMP_UNREACH ||
4883 		    icmptype == ICMP_SOURCEQUENCH ||
4884 		    icmptype == ICMP_REDIRECT ||
4885 		    icmptype == ICMP_TIMXCEED ||
4886 		    icmptype == ICMP_PARAMPROB)
4887 			state_icmp++;
4888 		break;
4889 #endif /* INET */
4890 #ifdef INET6
4891 	case IPPROTO_ICMPV6:
4892 		icmptype = pd->hdr.icmp6->icmp6_type;
4893 		icmpid = pd->hdr.icmp6->icmp6_id;
4894 		icmpsum = &pd->hdr.icmp6->icmp6_cksum;
4895 
4896 		if (icmptype == ICMP6_DST_UNREACH ||
4897 		    icmptype == ICMP6_PACKET_TOO_BIG ||
4898 		    icmptype == ICMP6_TIME_EXCEEDED ||
4899 		    icmptype == ICMP6_PARAM_PROB)
4900 			state_icmp++;
4901 		break;
4902 #endif /* INET6 */
4903 	}
4904 
4905 	if (!state_icmp) {
4906 
4907 		/*
4908 		 * ICMP query/reply message not related to a TCP/UDP packet.
4909 		 * Search for an ICMP state.
4910 		 */
4911 		key.af = pd->af;
4912 		key.proto = pd->proto;
4913 		if (direction == PF_IN)	{
4914 			PF_ACPY(&key.ext.addr, pd->src, key.af);
4915 			PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4916 			key.ext.port = 0;
4917 			key.gwy.port = icmpid;
4918 		} else {
4919 			PF_ACPY(&key.lan.addr, pd->src, key.af);
4920 			PF_ACPY(&key.ext.addr, pd->dst, key.af);
4921 			key.lan.port = icmpid;
4922 			key.ext.port = 0;
4923 		}
4924 
4925 		STATE_LOOKUP();
4926 
4927 		(*state)->expire = time_second;
4928 		(*state)->timeout = PFTM_ICMP_ERROR_REPLY;
4929 
4930 		/* translate source/destination address, if necessary */
4931 		if (STATE_TRANSLATE(*state)) {
4932 			if (direction == PF_OUT) {
4933 				switch (pd->af) {
4934 #ifdef INET
4935 				case AF_INET:
4936 					pf_change_a(&saddr->v4.s_addr,
4937 					    pd->ip_sum,
4938 					    (*state)->gwy.addr.v4.s_addr, 0);
4939 					pd->hdr.icmp->icmp_cksum =
4940 					    pf_cksum_fixup(
4941 					    pd->hdr.icmp->icmp_cksum, icmpid,
4942 					    (*state)->gwy.port, 0);
4943 					pd->hdr.icmp->icmp_id =
4944 					    (*state)->gwy.port;
4945 					m_copyback(m, off, ICMP_MINLEN,
4946 					    (caddr_t)pd->hdr.icmp);
4947 					break;
4948 #endif /* INET */
4949 #ifdef INET6
4950 				case AF_INET6:
4951 					pf_change_a6(saddr,
4952 					    &pd->hdr.icmp6->icmp6_cksum,
4953 					    &(*state)->gwy.addr, 0);
4954 					m_copyback(m, off,
4955 					    sizeof(struct icmp6_hdr),
4956 					    (caddr_t)pd->hdr.icmp6);
4957 					break;
4958 #endif /* INET6 */
4959 				}
4960 			} else {
4961 				switch (pd->af) {
4962 #ifdef INET
4963 				case AF_INET:
4964 					pf_change_a(&daddr->v4.s_addr,
4965 					    pd->ip_sum,
4966 					    (*state)->lan.addr.v4.s_addr, 0);
4967 					pd->hdr.icmp->icmp_cksum =
4968 					    pf_cksum_fixup(
4969 					    pd->hdr.icmp->icmp_cksum, icmpid,
4970 					    (*state)->lan.port, 0);
4971 					pd->hdr.icmp->icmp_id =
4972 					    (*state)->lan.port;
4973 					m_copyback(m, off, ICMP_MINLEN,
4974 					    (caddr_t)pd->hdr.icmp);
4975 					break;
4976 #endif /* INET */
4977 #ifdef INET6
4978 				case AF_INET6:
4979 					pf_change_a6(daddr,
4980 					    &pd->hdr.icmp6->icmp6_cksum,
4981 					    &(*state)->lan.addr, 0);
4982 					m_copyback(m, off,
4983 					    sizeof(struct icmp6_hdr),
4984 					    (caddr_t)pd->hdr.icmp6);
4985 					break;
4986 #endif /* INET6 */
4987 				}
4988 			}
4989 		}
4990 
4991 		return (PF_PASS);
4992 
4993 	} else {
4994 		/*
4995 		 * ICMP error message in response to a TCP/UDP packet.
4996 		 * Extract the inner TCP/UDP header and search for that state.
4997 		 */
4998 
4999 		struct pf_pdesc	pd2;
5000 #ifdef INET
5001 		struct ip	h2;
5002 #endif /* INET */
5003 #ifdef INET6
5004 		struct ip6_hdr	h2_6;
5005 		int		terminal = 0;
5006 #endif /* INET6 */
5007 		int		ipoff2;
5008 		int		off2;
5009 
5010 		pd2.af = pd->af;
5011 		switch (pd->af) {
5012 #ifdef INET
5013 		case AF_INET:
5014 			/* offset of h2 in mbuf chain */
5015 			ipoff2 = off + ICMP_MINLEN;
5016 
5017 			if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
5018 			    NULL, reason, pd2.af)) {
5019 				DPFPRINTF(PF_DEBUG_MISC,
5020 				    ("pf: ICMP error message too short "
5021 				    "(ip)\n"));
5022 				return (PF_DROP);
5023 			}
5024 			/*
5025 			 * ICMP error messages don't refer to non-first
5026 			 * fragments
5027 			 */
5028 			if (h2.ip_off & htons(IP_OFFMASK)) {
5029 				REASON_SET(reason, PFRES_FRAG);
5030 				return (PF_DROP);
5031 			}
5032 
5033 			/* offset of protocol header that follows h2 */
5034 			off2 = ipoff2 + (h2.ip_hl << 2);
5035 
5036 			pd2.proto = h2.ip_p;
5037 			pd2.src = (struct pf_addr *)&h2.ip_src;
5038 			pd2.dst = (struct pf_addr *)&h2.ip_dst;
5039 			pd2.ip_sum = &h2.ip_sum;
5040 			break;
5041 #endif /* INET */
5042 #ifdef INET6
5043 		case AF_INET6:
5044 			ipoff2 = off + sizeof(struct icmp6_hdr);
5045 
5046 			if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
5047 			    NULL, reason, pd2.af)) {
5048 				DPFPRINTF(PF_DEBUG_MISC,
5049 				    ("pf: ICMP error message too short "
5050 				    "(ip6)\n"));
5051 				return (PF_DROP);
5052 			}
5053 			pd2.proto = h2_6.ip6_nxt;
5054 			pd2.src = (struct pf_addr *)&h2_6.ip6_src;
5055 			pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
5056 			pd2.ip_sum = NULL;
5057 			off2 = ipoff2 + sizeof(h2_6);
5058 			do {
5059 				switch (pd2.proto) {
5060 				case IPPROTO_FRAGMENT:
5061 					/*
5062 					 * ICMPv6 error messages for
5063 					 * non-first fragments
5064 					 */
5065 					REASON_SET(reason, PFRES_FRAG);
5066 					return (PF_DROP);
5067 				case IPPROTO_AH:
5068 				case IPPROTO_HOPOPTS:
5069 				case IPPROTO_ROUTING:
5070 				case IPPROTO_DSTOPTS: {
5071 					/* get next header and header length */
5072 					struct ip6_ext opt6;
5073 
5074 					if (!pf_pull_hdr(m, off2, &opt6,
5075 					    sizeof(opt6), NULL, reason,
5076 					    pd2.af)) {
5077 						DPFPRINTF(PF_DEBUG_MISC,
5078 						    ("pf: ICMPv6 short opt\n"));
5079 						return (PF_DROP);
5080 					}
5081 					if (pd2.proto == IPPROTO_AH)
5082 						off2 += (opt6.ip6e_len + 2) * 4;
5083 					else
5084 						off2 += (opt6.ip6e_len + 1) * 8;
5085 					pd2.proto = opt6.ip6e_nxt;
5086 					/* goto the next header */
5087 					break;
5088 				}
5089 				default:
5090 					terminal++;
5091 					break;
5092 				}
5093 			} while (!terminal);
5094 			break;
5095 #endif /* INET6 */
5096 		default:
5097 			DPFPRINTF(PF_DEBUG_MISC,
5098 			    ("pf: ICMP AF %d unknown (ip6)\n", pd->af));
5099 			return (PF_DROP);
5100 			break;
5101 		}
5102 
5103 		switch (pd2.proto) {
5104 		case IPPROTO_TCP: {
5105 			struct tcphdr		 th;
5106 			u_int32_t		 seq;
5107 			struct pf_state_cmp		 key;
5108 			struct pf_state_peer	*src, *dst;
5109 			u_int8_t		 dws;
5110 			int			 copyback = 0;
5111 
5112 			/*
5113 			 * Only the first 8 bytes of the TCP header can be
5114 			 * expected. Don't access any TCP header fields after
5115 			 * th_seq, an ackskew test is not possible.
5116 			 */
5117 			if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason,
5118 			    pd2.af)) {
5119 				DPFPRINTF(PF_DEBUG_MISC,
5120 				    ("pf: ICMP error message too short "
5121 				    "(tcp)\n"));
5122 				return (PF_DROP);
5123 			}
5124 
5125 			key.af = pd2.af;
5126 			key.proto = IPPROTO_TCP;
5127 			if (direction == PF_IN)	{
5128 				PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5129 				PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5130 				key.ext.port = th.th_dport;
5131 				key.gwy.port = th.th_sport;
5132 			} else {
5133 				PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5134 				PF_ACPY(&key.ext.addr, pd2.src, key.af);
5135 				key.lan.port = th.th_dport;
5136 				key.ext.port = th.th_sport;
5137 			}
5138 
5139 			STATE_LOOKUP();
5140 
5141 			if (direction == (*state)->direction) {
5142 				src = &(*state)->dst;
5143 				dst = &(*state)->src;
5144 			} else {
5145 				src = &(*state)->src;
5146 				dst = &(*state)->dst;
5147 			}
5148 
5149 			if (src->wscale && dst->wscale &&
5150 			    !(th.th_flags & TH_SYN))
5151 				dws = dst->wscale & PF_WSCALE_MASK;
5152 			else
5153 				dws = 0;
5154 
5155 			/* Demodulate sequence number */
5156 			seq = ntohl(th.th_seq) - src->seqdiff;
5157 			if (src->seqdiff) {
5158 				pf_change_a(&th.th_seq, icmpsum,
5159 				    htonl(seq), 0);
5160 				copyback = 1;
5161 			}
5162 
5163 			if (!SEQ_GEQ(src->seqhi, seq) ||
5164 			    !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) {
5165 				if (pf_status.debug >= PF_DEBUG_MISC) {
5166 					kprintf("pf: BAD ICMP %d:%d ",
5167 					    icmptype, pd->hdr.icmp->icmp_code);
5168 					pf_print_host(pd->src, 0, pd->af);
5169 					kprintf(" -> ");
5170 					pf_print_host(pd->dst, 0, pd->af);
5171 					kprintf(" state: ");
5172 					pf_print_state(*state);
5173 					kprintf(" seq=%u\n", seq);
5174 				}
5175 				REASON_SET(reason, PFRES_BADSTATE);
5176 				return (PF_DROP);
5177 			}
5178 
5179 			if (STATE_TRANSLATE(*state)) {
5180 				if (direction == PF_IN) {
5181 					pf_change_icmp(pd2.src, &th.th_sport,
5182 					    daddr, &(*state)->lan.addr,
5183 					    (*state)->lan.port, NULL,
5184 					    pd2.ip_sum, icmpsum,
5185 					    pd->ip_sum, 0, pd2.af);
5186 				} else {
5187 					pf_change_icmp(pd2.dst, &th.th_dport,
5188 					    saddr, &(*state)->gwy.addr,
5189 					    (*state)->gwy.port, NULL,
5190 					    pd2.ip_sum, icmpsum,
5191 					    pd->ip_sum, 0, pd2.af);
5192 				}
5193 				copyback = 1;
5194 			}
5195 
5196 			if (copyback) {
5197 				switch (pd2.af) {
5198 #ifdef INET
5199 				case AF_INET:
5200 					m_copyback(m, off, ICMP_MINLEN,
5201 					    (caddr_t)pd->hdr.icmp);
5202 					m_copyback(m, ipoff2, sizeof(h2),
5203 					    (caddr_t)&h2);
5204 					break;
5205 #endif /* INET */
5206 #ifdef INET6
5207 				case AF_INET6:
5208 					m_copyback(m, off,
5209 					    sizeof(struct icmp6_hdr),
5210 					    (caddr_t)pd->hdr.icmp6);
5211 					m_copyback(m, ipoff2, sizeof(h2_6),
5212 					    (caddr_t)&h2_6);
5213 					break;
5214 #endif /* INET6 */
5215 				}
5216 				m_copyback(m, off2, 8, (caddr_t)&th);
5217 			}
5218 
5219 			return (PF_PASS);
5220 			break;
5221 		}
5222 		case IPPROTO_UDP: {
5223 			struct udphdr		uh;
5224 
5225 			if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
5226 			    NULL, reason, pd2.af)) {
5227 				DPFPRINTF(PF_DEBUG_MISC,
5228 				    ("pf: ICMP error message too short "
5229 				    "(udp)\n"));
5230 				return (PF_DROP);
5231 			}
5232 
5233 			key.af = pd2.af;
5234 			key.proto = IPPROTO_UDP;
5235 			if (direction == PF_IN)	{
5236 				PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5237 				PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5238 				key.ext.port = uh.uh_dport;
5239 				key.gwy.port = uh.uh_sport;
5240 			} else {
5241 				PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5242 				PF_ACPY(&key.ext.addr, pd2.src, key.af);
5243 				key.lan.port = uh.uh_dport;
5244 				key.ext.port = uh.uh_sport;
5245 			}
5246 
5247 			STATE_LOOKUP();
5248 
5249 			if (STATE_TRANSLATE(*state)) {
5250 				if (direction == PF_IN) {
5251 					pf_change_icmp(pd2.src, &uh.uh_sport,
5252 					    daddr, &(*state)->lan.addr,
5253 					    (*state)->lan.port, &uh.uh_sum,
5254 					    pd2.ip_sum, icmpsum,
5255 					    pd->ip_sum, 1, pd2.af);
5256 				} else {
5257 					pf_change_icmp(pd2.dst, &uh.uh_dport,
5258 					    saddr, &(*state)->gwy.addr,
5259 					    (*state)->gwy.port, &uh.uh_sum,
5260 					    pd2.ip_sum, icmpsum,
5261 					    pd->ip_sum, 1, pd2.af);
5262 				}
5263 				switch (pd2.af) {
5264 #ifdef INET
5265 				case AF_INET:
5266 					m_copyback(m, off, ICMP_MINLEN,
5267 					    (caddr_t)pd->hdr.icmp);
5268 					m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
5269 					break;
5270 #endif /* INET */
5271 #ifdef INET6
5272 				case AF_INET6:
5273 					m_copyback(m, off,
5274 					    sizeof(struct icmp6_hdr),
5275 					    (caddr_t)pd->hdr.icmp6);
5276 					m_copyback(m, ipoff2, sizeof(h2_6),
5277 					    (caddr_t)&h2_6);
5278 					break;
5279 #endif /* INET6 */
5280 				}
5281 				m_copyback(m, off2, sizeof(uh), (caddr_t)&uh);
5282 			}
5283 
5284 			return (PF_PASS);
5285 			break;
5286 		}
5287 #ifdef INET
5288 		case IPPROTO_ICMP: {
5289 			struct icmp		iih;
5290 
5291 			if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
5292 			    NULL, reason, pd2.af)) {
5293 				DPFPRINTF(PF_DEBUG_MISC,
5294 				    ("pf: ICMP error message too short i"
5295 				    "(icmp)\n"));
5296 				return (PF_DROP);
5297 			}
5298 
5299 			key.af = pd2.af;
5300 			key.proto = IPPROTO_ICMP;
5301 			if (direction == PF_IN)	{
5302 				PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5303 				PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5304 				key.ext.port = 0;
5305 				key.gwy.port = iih.icmp_id;
5306 			} else {
5307 				PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5308 				PF_ACPY(&key.ext.addr, pd2.src, key.af);
5309 				key.lan.port = iih.icmp_id;
5310 				key.ext.port = 0;
5311 			}
5312 
5313 			STATE_LOOKUP();
5314 
5315 			if (STATE_TRANSLATE(*state)) {
5316 				if (direction == PF_IN) {
5317 					pf_change_icmp(pd2.src, &iih.icmp_id,
5318 					    daddr, &(*state)->lan.addr,
5319 					    (*state)->lan.port, NULL,
5320 					    pd2.ip_sum, icmpsum,
5321 					    pd->ip_sum, 0, AF_INET);
5322 				} else {
5323 					pf_change_icmp(pd2.dst, &iih.icmp_id,
5324 					    saddr, &(*state)->gwy.addr,
5325 					    (*state)->gwy.port, NULL,
5326 					    pd2.ip_sum, icmpsum,
5327 					    pd->ip_sum, 0, AF_INET);
5328 				}
5329 				m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
5330 				m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
5331 				m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih);
5332 			}
5333 
5334 			return (PF_PASS);
5335 			break;
5336 		}
5337 #endif /* INET */
5338 #ifdef INET6
5339 		case IPPROTO_ICMPV6: {
5340 			struct icmp6_hdr	iih;
5341 
5342 			if (!pf_pull_hdr(m, off2, &iih,
5343 			    sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
5344 				DPFPRINTF(PF_DEBUG_MISC,
5345 				    ("pf: ICMP error message too short "
5346 				    "(icmp6)\n"));
5347 				return (PF_DROP);
5348 			}
5349 
5350 			key.af = pd2.af;
5351 			key.proto = IPPROTO_ICMPV6;
5352 			if (direction == PF_IN)	{
5353 				PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5354 				PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5355 				key.ext.port = 0;
5356 				key.gwy.port = iih.icmp6_id;
5357 			} else {
5358 				PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5359 				PF_ACPY(&key.ext.addr, pd2.src, key.af);
5360 				key.lan.port = iih.icmp6_id;
5361 				key.ext.port = 0;
5362 			}
5363 
5364 			STATE_LOOKUP();
5365 
5366 			if (STATE_TRANSLATE(*state)) {
5367 				if (direction == PF_IN) {
5368 					pf_change_icmp(pd2.src, &iih.icmp6_id,
5369 					    daddr, &(*state)->lan.addr,
5370 					    (*state)->lan.port, NULL,
5371 					    pd2.ip_sum, icmpsum,
5372 					    pd->ip_sum, 0, AF_INET6);
5373 				} else {
5374 					pf_change_icmp(pd2.dst, &iih.icmp6_id,
5375 					    saddr, &(*state)->gwy.addr,
5376 					    (*state)->gwy.port, NULL,
5377 					    pd2.ip_sum, icmpsum,
5378 					    pd->ip_sum, 0, AF_INET6);
5379 				}
5380 				m_copyback(m, off, sizeof(struct icmp6_hdr),
5381 				    (caddr_t)pd->hdr.icmp6);
5382 				m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
5383 				m_copyback(m, off2, sizeof(struct icmp6_hdr),
5384 				    (caddr_t)&iih);
5385 			}
5386 
5387 			return (PF_PASS);
5388 			break;
5389 		}
5390 #endif /* INET6 */
5391 		default: {
5392 			key.af = pd2.af;
5393 			key.proto = pd2.proto;
5394 			if (direction == PF_IN)	{
5395 				PF_ACPY(&key.ext.addr, pd2.dst, key.af);
5396 				PF_ACPY(&key.gwy.addr, pd2.src, key.af);
5397 				key.ext.port = 0;
5398 				key.gwy.port = 0;
5399 			} else {
5400 				PF_ACPY(&key.lan.addr, pd2.dst, key.af);
5401 				PF_ACPY(&key.ext.addr, pd2.src, key.af);
5402 				key.lan.port = 0;
5403 				key.ext.port = 0;
5404 			}
5405 
5406 			STATE_LOOKUP();
5407 
5408 			if (STATE_TRANSLATE(*state)) {
5409 				if (direction == PF_IN) {
5410 					pf_change_icmp(pd2.src, NULL,
5411 					    daddr, &(*state)->lan.addr,
5412 					    0, NULL,
5413 					    pd2.ip_sum, icmpsum,
5414 					    pd->ip_sum, 0, pd2.af);
5415 				} else {
5416 					pf_change_icmp(pd2.dst, NULL,
5417 					    saddr, &(*state)->gwy.addr,
5418 					    0, NULL,
5419 					    pd2.ip_sum, icmpsum,
5420 					    pd->ip_sum, 0, pd2.af);
5421 				}
5422 				switch (pd2.af) {
5423 #ifdef INET
5424 				case AF_INET:
5425 					m_copyback(m, off, ICMP_MINLEN,
5426 					    (caddr_t)pd->hdr.icmp);
5427 					m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
5428 					break;
5429 #endif /* INET */
5430 #ifdef INET6
5431 				case AF_INET6:
5432 					m_copyback(m, off,
5433 					    sizeof(struct icmp6_hdr),
5434 					    (caddr_t)pd->hdr.icmp6);
5435 					m_copyback(m, ipoff2, sizeof(h2_6),
5436 					    (caddr_t)&h2_6);
5437 					break;
5438 #endif /* INET6 */
5439 				}
5440 			}
5441 
5442 			return (PF_PASS);
5443 			break;
5444 		}
5445 		}
5446 	}
5447 }
5448 
5449 int
5450 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
5451     struct pf_pdesc *pd)
5452 {
5453 	struct pf_state_peer	*src, *dst;
5454 	struct pf_state_cmp	 key;
5455 
5456 	key.af = pd->af;
5457 	key.proto = pd->proto;
5458 	if (direction == PF_IN)	{
5459 		PF_ACPY(&key.ext.addr, pd->src, key.af);
5460 		PF_ACPY(&key.gwy.addr, pd->dst, key.af);
5461 		key.ext.port = 0;
5462 		key.gwy.port = 0;
5463 	} else {
5464 		PF_ACPY(&key.lan.addr, pd->src, key.af);
5465 		PF_ACPY(&key.ext.addr, pd->dst, key.af);
5466 		key.lan.port = 0;
5467 		key.ext.port = 0;
5468 	}
5469 
5470 	STATE_LOOKUP();
5471 
5472 	if (direction == (*state)->direction) {
5473 		src = &(*state)->src;
5474 		dst = &(*state)->dst;
5475 	} else {
5476 		src = &(*state)->dst;
5477 		dst = &(*state)->src;
5478 	}
5479 
5480 	/* update states */
5481 	if (src->state < PFOTHERS_SINGLE)
5482 		src->state = PFOTHERS_SINGLE;
5483 	if (dst->state == PFOTHERS_SINGLE)
5484 		dst->state = PFOTHERS_MULTIPLE;
5485 
5486 	/* update expire time */
5487 	(*state)->expire = time_second;
5488 	if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
5489 		(*state)->timeout = PFTM_OTHER_MULTIPLE;
5490 	else
5491 		(*state)->timeout = PFTM_OTHER_SINGLE;
5492 
5493 	/* translate source/destination address, if necessary */
5494 	if (STATE_TRANSLATE(*state)) {
5495 		if (direction == PF_OUT)
5496 			switch (pd->af) {
5497 #ifdef INET
5498 			case AF_INET:
5499 				pf_change_a(&pd->src->v4.s_addr,
5500 				    pd->ip_sum, (*state)->gwy.addr.v4.s_addr,
5501 				    0);
5502 				break;
5503 #endif /* INET */
5504 #ifdef INET6
5505 			case AF_INET6:
5506 				PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af);
5507 				break;
5508 #endif /* INET6 */
5509 			}
5510 		else
5511 			switch (pd->af) {
5512 #ifdef INET
5513 			case AF_INET:
5514 				pf_change_a(&pd->dst->v4.s_addr,
5515 				    pd->ip_sum, (*state)->lan.addr.v4.s_addr,
5516 				    0);
5517 				break;
5518 #endif /* INET */
5519 #ifdef INET6
5520 			case AF_INET6:
5521 				PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af);
5522 				break;
5523 #endif /* INET6 */
5524 			}
5525 	}
5526 
5527 	return (PF_PASS);
5528 }
5529 
5530 /*
5531  * ipoff and off are measured from the start of the mbuf chain.
5532  * h must be at "ipoff" on the mbuf chain.
5533  */
5534 void *
5535 pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
5536     u_short *actionp, u_short *reasonp, sa_family_t af)
5537 {
5538 	switch (af) {
5539 #ifdef INET
5540 	case AF_INET: {
5541 		struct ip	*h = mtod(m, struct ip *);
5542 		u_int16_t	 fragoff = (h->ip_off & IP_OFFMASK) << 3;
5543 
5544 		if (fragoff) {
5545 			if (fragoff >= len)
5546 				ACTION_SET(actionp, PF_PASS);
5547 			else {
5548 				ACTION_SET(actionp, PF_DROP);
5549 				REASON_SET(reasonp, PFRES_FRAG);
5550 			}
5551 			return (NULL);
5552 		}
5553 		if (m->m_pkthdr.len < off + len ||
5554 		    h->ip_len < off + len) {
5555 			ACTION_SET(actionp, PF_DROP);
5556 			REASON_SET(reasonp, PFRES_SHORT);
5557 			return (NULL);
5558 		}
5559 		break;
5560 	}
5561 #endif /* INET */
5562 #ifdef INET6
5563 	case AF_INET6: {
5564 		struct ip6_hdr	*h = mtod(m, struct ip6_hdr *);
5565 
5566 		if (m->m_pkthdr.len < off + len ||
5567 		    (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
5568 		    (unsigned)(off + len)) {
5569 			ACTION_SET(actionp, PF_DROP);
5570 			REASON_SET(reasonp, PFRES_SHORT);
5571 			return (NULL);
5572 		}
5573 		break;
5574 	}
5575 #endif /* INET6 */
5576 	}
5577 	m_copydata(m, off, len, p);
5578 	return (p);
5579 }
5580 
5581 int
5582 pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif)
5583 {
5584 	struct sockaddr_in	*dst;
5585 	int			 ret = 1;
5586 	int			 check_mpath;
5587 #ifdef INET6
5588 	struct sockaddr_in6	*dst6;
5589 	struct route_in6	 ro;
5590 #else
5591 	struct route		 ro;
5592 #endif
5593 	struct radix_node	*rn;
5594 	struct rtentry		*rt;
5595 	struct ifnet		*ifp;
5596 
5597 	check_mpath = 0;
5598 	bzero(&ro, sizeof(ro));
5599 	switch (af) {
5600 	case AF_INET:
5601 		dst = satosin(&ro.ro_dst);
5602 		dst->sin_family = AF_INET;
5603 		dst->sin_len = sizeof(*dst);
5604 		dst->sin_addr = addr->v4;
5605 		break;
5606 #ifdef INET6
5607 	case AF_INET6:
5608 		dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
5609 		dst6->sin6_family = AF_INET6;
5610 		dst6->sin6_len = sizeof(*dst6);
5611 		dst6->sin6_addr = addr->v6;
5612 		break;
5613 #endif /* INET6 */
5614 	default:
5615 		return (0);
5616 	}
5617 
5618 	/* Skip checks for ipsec interfaces */
5619 	if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
5620 		goto out;
5621 
5622 	rtalloc_ign((struct route *)&ro, 0);
5623 
5624 	if (ro.ro_rt != NULL) {
5625 		/* No interface given, this is a no-route check */
5626 		if (kif == NULL)
5627 			goto out;
5628 
5629 		if (kif->pfik_ifp == NULL) {
5630 			ret = 0;
5631 			goto out;
5632 		}
5633 
5634 		/* Perform uRPF check if passed input interface */
5635 		ret = 0;
5636 		rn = (struct radix_node *)ro.ro_rt;
5637 		do {
5638 			rt = (struct rtentry *)rn;
5639 			ifp = rt->rt_ifp;
5640 
5641 			if (kif->pfik_ifp == ifp)
5642 				ret = 1;
5643 			rn = NULL;
5644 		} while (check_mpath == 1 && rn != NULL && ret == 0);
5645 	} else
5646 		ret = 0;
5647 out:
5648 	if (ro.ro_rt != NULL)
5649 		RTFREE(ro.ro_rt);
5650 	return (ret);
5651 }
5652 
5653 int
5654 pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw)
5655 {
5656 	struct sockaddr_in	*dst;
5657 #ifdef INET6
5658 	struct sockaddr_in6	*dst6;
5659 	struct route_in6	 ro;
5660 #else
5661 	struct route		 ro;
5662 #endif
5663 	int			 ret = 0;
5664 
5665 	bzero(&ro, sizeof(ro));
5666 	switch (af) {
5667 	case AF_INET:
5668 		dst = satosin(&ro.ro_dst);
5669 		dst->sin_family = AF_INET;
5670 		dst->sin_len = sizeof(*dst);
5671 		dst->sin_addr = addr->v4;
5672 		break;
5673 #ifdef INET6
5674 	case AF_INET6:
5675 		dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
5676 		dst6->sin6_family = AF_INET6;
5677 		dst6->sin6_len = sizeof(*dst6);
5678 		dst6->sin6_addr = addr->v6;
5679 		break;
5680 #endif /* INET6 */
5681 	default:
5682 		return (0);
5683 	}
5684 
5685 rtalloc_ign((struct route *)&ro, (RTF_CLONING | RTF_PRCLONING));
5686 
5687 	if (ro.ro_rt != NULL) {
5688 		RTFREE(ro.ro_rt);
5689 	}
5690 
5691 	return (ret);
5692 }
5693 
5694 #ifdef INET
5695 void
5696 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
5697     struct pf_state *s, struct pf_pdesc *pd)
5698 {
5699 	struct mbuf		*m0, *m1;
5700 	struct route		 iproute;
5701 	struct route		*ro = NULL;
5702 	struct sockaddr_in	*dst;
5703 	struct ip		*ip;
5704 	struct ifnet		*ifp = NULL;
5705 	struct pf_addr		 naddr;
5706 	struct pf_src_node	*sn = NULL;
5707 	int			 error = 0;
5708 	int sw_csum;
5709 #ifdef IPSEC
5710 	struct m_tag		*mtag;
5711 #endif /* IPSEC */
5712 
5713 	if (m == NULL || *m == NULL || r == NULL ||
5714 	    (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
5715 		panic("pf_route: invalid parameters");
5716 
5717 	if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) {
5718 		(*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED;
5719 		(*m)->m_pkthdr.pf_routed = 1;
5720 	} else {
5721 		if ((*m)->m_pkthdr.pf_routed > 3) {
5722 			m0 = *m;
5723 			*m = NULL;
5724 			goto bad;
5725 		}
5726 		(*m)->m_pkthdr.pf_routed++;
5727 	}
5728 
5729 	if (r->rt == PF_DUPTO) {
5730 		if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL)
5731 			return;
5732 	} else {
5733 		if ((r->rt == PF_REPLYTO) == (r->direction == dir))
5734 			return;
5735 		m0 = *m;
5736 	}
5737 
5738 	if (m0->m_len < sizeof(struct ip)) {
5739 		DPFPRINTF(PF_DEBUG_URGENT,
5740 		    ("pf_route: m0->m_len < sizeof(struct ip)\n"));
5741 		goto bad;
5742 	}
5743 
5744 	ip = mtod(m0, struct ip *);
5745 
5746 	ro = &iproute;
5747 	bzero((caddr_t)ro, sizeof(*ro));
5748 	dst = satosin(&ro->ro_dst);
5749 	dst->sin_family = AF_INET;
5750 	dst->sin_len = sizeof(*dst);
5751 	dst->sin_addr = ip->ip_dst;
5752 
5753 	if (r->rt == PF_FASTROUTE) {
5754 		rtalloc(ro);
5755 		if (ro->ro_rt == 0) {
5756 			ipstat.ips_noroute++;
5757 			goto bad;
5758 		}
5759 
5760 		ifp = ro->ro_rt->rt_ifp;
5761 		ro->ro_rt->rt_use++;
5762 
5763 		if (ro->ro_rt->rt_flags & RTF_GATEWAY)
5764 			dst = satosin(ro->ro_rt->rt_gateway);
5765 	} else {
5766 		if (TAILQ_EMPTY(&r->rpool.list)) {
5767 			DPFPRINTF(PF_DEBUG_URGENT,
5768 			    ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n"));
5769 			goto bad;
5770 		}
5771 		if (s == NULL) {
5772 			pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
5773 			    &naddr, NULL, &sn);
5774 			if (!PF_AZERO(&naddr, AF_INET))
5775 				dst->sin_addr.s_addr = naddr.v4.s_addr;
5776 			ifp = r->rpool.cur->kif ?
5777 			    r->rpool.cur->kif->pfik_ifp : NULL;
5778 		} else {
5779 			if (!PF_AZERO(&s->rt_addr, AF_INET))
5780 				dst->sin_addr.s_addr =
5781 				    s->rt_addr.v4.s_addr;
5782 			ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
5783 		}
5784 	}
5785 	if (ifp == NULL)
5786 		goto bad;
5787 
5788 	if (oifp != ifp) {
5789 		crit_exit();
5790 		if (pf_test(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
5791 			crit_enter();
5792 			goto bad;
5793 		} else if (m0 == NULL) {
5794 			crit_enter();
5795 			goto done;
5796 		}
5797 		crit_enter();
5798 		if (m0->m_len < sizeof(struct ip)) {
5799 			DPFPRINTF(PF_DEBUG_URGENT,
5800 			    ("pf_route: m0->m_len < sizeof(struct ip)\n"));
5801 			goto bad;
5802 		}
5803 		ip = mtod(m0, struct ip *);
5804 	}
5805 
5806 	/* Copied from FreeBSD 5.1-CURRENT ip_output. */
5807 	m0->m_pkthdr.csum_flags |= CSUM_IP;
5808 	sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist;
5809 	if (sw_csum & CSUM_DELAY_DATA) {
5810 		/*
5811 		 * XXX: in_delayed_cksum assumes HBO for ip->ip_len (at least)
5812 		 */
5813 		NTOHS(ip->ip_len);
5814 		NTOHS(ip->ip_off);	 /* XXX: needed? */
5815 		in_delayed_cksum(m0);
5816 		HTONS(ip->ip_len);
5817 		HTONS(ip->ip_off);
5818 		sw_csum &= ~CSUM_DELAY_DATA;
5819 	}
5820 	m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
5821 
5822 	if (ntohs(ip->ip_len) <= ifp->if_mtu ||
5823 	    (ifp->if_hwassist & CSUM_FRAGMENT &&
5824 		((ip->ip_off & htons(IP_DF)) == 0))) {
5825 		/*
5826 		 * ip->ip_len = htons(ip->ip_len);
5827 		 * ip->ip_off = htons(ip->ip_off);
5828 		 */
5829 		ip->ip_sum = 0;
5830 		if (sw_csum & CSUM_DELAY_IP) {
5831 			/* From KAME */
5832 			if (ip->ip_v == IPVERSION &&
5833 			    (ip->ip_hl << 2) == sizeof(*ip)) {
5834 				ip->ip_sum = in_cksum_hdr(ip);
5835 			} else {
5836 				ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
5837 			}
5838 		}
5839 		crit_exit();
5840 		error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt);
5841 		crit_enter();
5842 		goto done;
5843 	}
5844 
5845 	/*
5846 	 * Too large for interface; fragment if possible.
5847 	 * Must be able to put at least 8 bytes per fragment.
5848 	 */
5849 	if (ip->ip_off & htons(IP_DF)) {
5850 		ipstat.ips_cantfrag++;
5851 		if (r->rt != PF_DUPTO) {
5852 			/* icmp_error() expects host byte ordering */
5853 			NTOHS(ip->ip_len);
5854 			NTOHS(ip->ip_off);
5855 			crit_exit();
5856 			icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
5857 			    ifp->if_mtu);
5858 			crit_enter();
5859 			goto done;
5860 		} else
5861 			goto bad;
5862 	}
5863 
5864 	m1 = m0;
5865 	/*
5866 	 * XXX: is cheaper + less error prone than own function
5867 	 */
5868 	NTOHS(ip->ip_len);
5869 	NTOHS(ip->ip_off);
5870 	error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum);
5871 	if (error) {
5872 		goto bad;
5873 	}
5874 
5875 	for (m0 = m1; m0; m0 = m1) {
5876 		m1 = m0->m_nextpkt;
5877 		m0->m_nextpkt = 0;
5878 		if (error == 0) {
5879 			crit_exit();
5880 			error = (*ifp->if_output)(ifp, m0, sintosa(dst),
5881 			    NULL);
5882 			crit_enter();
5883 		} else
5884 			m_freem(m0);
5885 	}
5886 
5887 	if (error == 0)
5888 		ipstat.ips_fragmented++;
5889 
5890 done:
5891 	if (r->rt != PF_DUPTO)
5892 		*m = NULL;
5893 	if (ro == &iproute && ro->ro_rt)
5894 		RTFREE(ro->ro_rt);
5895 	return;
5896 
5897 bad:
5898 	m_freem(m0);
5899 	goto done;
5900 }
5901 #endif /* INET */
5902 
5903 #ifdef INET6
5904 void
5905 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
5906     struct pf_state *s, struct pf_pdesc *pd)
5907 {
5908 	struct mbuf		*m0;
5909 	struct route_in6	 ip6route;
5910 	struct route_in6	*ro;
5911 	struct sockaddr_in6	*dst;
5912 	struct ip6_hdr		*ip6;
5913 	struct ifnet		*ifp = NULL;
5914 	struct pf_addr		 naddr;
5915 	struct pf_src_node	*sn = NULL;
5916 	int			 error = 0;
5917 
5918 	if (m == NULL || *m == NULL || r == NULL ||
5919 	    (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
5920 		panic("pf_route6: invalid parameters");
5921 
5922 	if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) {
5923 		(*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED;
5924 		(*m)->m_pkthdr.pf_routed = 1;
5925 	} else {
5926 		if ((*m)->m_pkthdr.pf_routed > 3) {
5927 			m0 = *m;
5928 			*m = NULL;
5929 			goto bad;
5930 		}
5931 		(*m)->m_pkthdr.pf_routed++;
5932 	}
5933 
5934 	if (r->rt == PF_DUPTO) {
5935 		if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL)
5936 			return;
5937 	} else {
5938 		if ((r->rt == PF_REPLYTO) == (r->direction == dir))
5939 			return;
5940 		m0 = *m;
5941 	}
5942 
5943 	if (m0->m_len < sizeof(struct ip6_hdr)) {
5944 		DPFPRINTF(PF_DEBUG_URGENT,
5945 		    ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
5946 		goto bad;
5947 	}
5948 	ip6 = mtod(m0, struct ip6_hdr *);
5949 
5950 	ro = &ip6route;
5951 	bzero((caddr_t)ro, sizeof(*ro));
5952 	dst = (struct sockaddr_in6 *)&ro->ro_dst;
5953 	dst->sin6_family = AF_INET6;
5954 	dst->sin6_len = sizeof(*dst);
5955 	dst->sin6_addr = ip6->ip6_dst;
5956 
5957 	/* Cheat. XXX why only in the v6 case??? */
5958 	if (r->rt == PF_FASTROUTE) {
5959 		pd->pf_mtag->flags |= PF_TAG_GENERATED;
5960 		crit_exit();
5961 		ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
5962 		crit_enter();
5963 		return;
5964 	}
5965 
5966 	if (TAILQ_EMPTY(&r->rpool.list)) {
5967 		DPFPRINTF(PF_DEBUG_URGENT,
5968 		    ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n"));
5969 		goto bad;
5970 	}
5971 	if (s == NULL) {
5972 		pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
5973 		    &naddr, NULL, &sn);
5974 		if (!PF_AZERO(&naddr, AF_INET6))
5975 			PF_ACPY((struct pf_addr *)&dst->sin6_addr,
5976 			    &naddr, AF_INET6);
5977 		ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
5978 	} else {
5979 		if (!PF_AZERO(&s->rt_addr, AF_INET6))
5980 			PF_ACPY((struct pf_addr *)&dst->sin6_addr,
5981 			    &s->rt_addr, AF_INET6);
5982 		ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
5983 	}
5984 	if (ifp == NULL)
5985 		goto bad;
5986 
5987 	if (oifp != ifp) {
5988 		crit_exit();
5989 		if (pf_test6(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
5990 			crit_enter();
5991 			goto bad;
5992 		} else if (m0 == NULL) {
5993 			crit_enter();
5994 			goto done;
5995 		}
5996 		crit_enter();
5997 		if (m0->m_len < sizeof(struct ip6_hdr)) {
5998 			DPFPRINTF(PF_DEBUG_URGENT,
5999 			    ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n"));
6000 			goto bad;
6001 		}
6002 		ip6 = mtod(m0, struct ip6_hdr *);
6003 	}
6004 
6005 	/*
6006 	 * If the packet is too large for the outgoing interface,
6007 	 * send back an icmp6 error.
6008 	 */
6009 	if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr))
6010 		dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
6011 	if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
6012 		crit_exit();
6013 		error = nd6_output(ifp, ifp, m0, dst, NULL);
6014 		crit_enter();
6015 	} else {
6016 		in6_ifstat_inc(ifp, ifs6_in_toobig);
6017 		if (r->rt != PF_DUPTO) {
6018 			crit_exit();
6019 			icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
6020 			crit_enter();
6021 		 } else
6022 			goto bad;
6023 	}
6024 
6025 done:
6026 	if (r->rt != PF_DUPTO)
6027 		*m = NULL;
6028 	return;
6029 
6030 bad:
6031 	m_freem(m0);
6032 	goto done;
6033 }
6034 
6035 #endif /* INET6 */
6036 
6037 
6038 /*
6039  * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
6040  *   off is the offset where the protocol header starts
6041  *   len is the total length of protocol header plus payload
6042  * returns 0 when the checksum is valid, otherwise returns 1.
6043  */
6044 /*
6045  * XXX
6046  * FreeBSD supports cksum offload for the following drivers.
6047  * em(4), gx(4), lge(4), nge(4), ti(4), xl(4)
6048  * If we can make full use of it we would outperform ipfw/ipfilter in
6049  * very heavy traffic.
6050  * I have not tested 'cause I don't have NICs that supports cksum offload.
6051  * (There might be problems. Typical phenomena would be
6052  *   1. No route message for UDP packet.
6053  *   2. No connection acceptance from external hosts regardless of rule set.)
6054  */
6055 int
6056 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p,
6057     sa_family_t af)
6058 {
6059 	u_int16_t sum = 0;
6060 	int hw_assist = 0;
6061 	struct ip *ip;
6062 
6063 	if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
6064 		return (1);
6065 	if (m->m_pkthdr.len < off + len)
6066 		return (1);
6067 
6068 	switch (p) {
6069 	case IPPROTO_TCP:
6070 	case IPPROTO_UDP:
6071 		if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
6072 			if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
6073 				sum = m->m_pkthdr.csum_data;
6074 			} else {
6075 				ip = mtod(m, struct ip *);
6076 				sum = in_pseudo(ip->ip_src.s_addr,
6077 					ip->ip_dst.s_addr, htonl((u_short)len +
6078 					m->m_pkthdr.csum_data + p));
6079 			}
6080 			sum ^= 0xffff;
6081 			++hw_assist;
6082 		}
6083 		break;
6084 	case IPPROTO_ICMP:
6085 #ifdef INET6
6086 	case IPPROTO_ICMPV6:
6087 #endif /* INET6 */
6088 		break;
6089 	default:
6090 		return (1);
6091 	}
6092 
6093 	if (!hw_assist) {
6094 		switch (af) {
6095 		case AF_INET:
6096 			if (p == IPPROTO_ICMP) {
6097 				if (m->m_len < off)
6098 					return (1);
6099 				m->m_data += off;
6100 				m->m_len -= off;
6101 				sum = in_cksum(m, len);
6102 				m->m_data -= off;
6103 				m->m_len += off;
6104 			} else {
6105 				if (m->m_len < sizeof(struct ip))
6106 					return (1);
6107 				sum = in_cksum_range(m, p, off, len);
6108 				if (sum == 0) {
6109 					m->m_pkthdr.csum_flags |=
6110 					    (CSUM_DATA_VALID |
6111 					     CSUM_PSEUDO_HDR);
6112 					m->m_pkthdr.csum_data = 0xffff;
6113 				}
6114 			}
6115 			break;
6116 #ifdef INET6
6117 		case AF_INET6:
6118 			if (m->m_len < sizeof(struct ip6_hdr))
6119 				return (1);
6120 			sum = in6_cksum(m, p, off, len);
6121 			/*
6122 			 * XXX
6123 			 * IPv6 H/W cksum off-load not supported yet!
6124 			 *
6125 			 * if (sum == 0) {
6126 			 *	m->m_pkthdr.csum_flags |=
6127 			 *	    (CSUM_DATA_VALID|CSUM_PSEUDO_HDR);
6128 			 *	m->m_pkthdr.csum_data = 0xffff;
6129 			 *}
6130 			 */
6131 			break;
6132 #endif /* INET6 */
6133 		default:
6134 			return (1);
6135 		}
6136 	}
6137 	if (sum) {
6138 		switch (p) {
6139 		case IPPROTO_TCP:
6140 			tcpstat.tcps_rcvbadsum++;
6141 			break;
6142 		case IPPROTO_UDP:
6143 			udpstat.udps_badsum++;
6144 			break;
6145 		case IPPROTO_ICMP:
6146 			icmpstat.icps_checksum++;
6147 			break;
6148 #ifdef INET6
6149 		case IPPROTO_ICMPV6:
6150 			icmp6stat.icp6s_checksum++;
6151 			break;
6152 #endif /* INET6 */
6153 		}
6154 		return (1);
6155 	}
6156 	return (0);
6157 }
6158 
6159 #ifdef INET
6160 int
6161 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
6162     struct ether_header *eh, struct inpcb *inp)
6163 {
6164 	struct pfi_kif		*kif;
6165 	u_short			 action, reason = 0, log = 0;
6166 	struct mbuf		*m = *m0;
6167 	struct ip		*h = NULL;
6168 	struct pf_rule		*a = NULL, *r = &pf_default_rule, *tr, *nr;
6169 	struct pf_state		*s = NULL;
6170 	struct pf_ruleset	*ruleset = NULL;
6171 	struct pf_pdesc		 pd;
6172 	int			 off, dirndx, pqid = 0;
6173 
6174 	if (!pf_status.running)
6175 		return (PF_PASS);
6176 
6177 	memset(&pd, 0, sizeof(pd));
6178 	if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
6179 		DPFPRINTF(PF_DEBUG_URGENT,
6180 		    ("pf_test: pf_get_mtag returned NULL\n"));
6181 		return (PF_DROP);
6182 	}
6183 	if (pd.pf_mtag->flags & PF_TAG_GENERATED)
6184 		return (PF_PASS);
6185 	kif = (struct pfi_kif *)ifp->if_pf_kif;
6186 	if (kif == NULL) {
6187 		DPFPRINTF(PF_DEBUG_URGENT,
6188 		    ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname));
6189 		return (PF_DROP);
6190 	}
6191 	if (kif->pfik_flags & PFI_IFLAG_SKIP)
6192 		return (PF_PASS);
6193 
6194 #ifdef DIAGNOSTIC
6195 	if ((m->m_flags & M_PKTHDR) == 0)
6196 		panic("non-M_PKTHDR is passed to pf_test");
6197 #endif /* DIAGNOSTIC */
6198 
6199 	if (m->m_pkthdr.len < (int)sizeof(*h)) {
6200 		action = PF_DROP;
6201 		REASON_SET(&reason, PFRES_SHORT);
6202 		log = 1;
6203 		panic("debug");
6204 		goto done;
6205 	}
6206 
6207 	/* We do IP header normalization and packet reassembly here */
6208 	if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
6209 		action = PF_DROP;
6210 		goto done;
6211 	}
6212 	m = *m0;
6213 	h = mtod(m, struct ip *);
6214 
6215 	off = h->ip_hl << 2;
6216 	if (off < (int)sizeof(*h)) {
6217 		action = PF_DROP;
6218 		REASON_SET(&reason, PFRES_SHORT);
6219 		log = 1;
6220 		panic("debug");
6221 		goto done;
6222 	}
6223 
6224 	pd.src = (struct pf_addr *)&h->ip_src;
6225 	pd.dst = (struct pf_addr *)&h->ip_dst;
6226 	PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
6227 	pd.ip_sum = &h->ip_sum;
6228 	pd.proto = h->ip_p;
6229 	pd.af = AF_INET;
6230 	pd.tos = h->ip_tos;
6231 	pd.tot_len = h->ip_len;
6232 	pd.eh = eh;
6233 
6234 	/* handle fragments that didn't get reassembled by normalization */
6235 	if (h->ip_off & (IP_MF | IP_OFFMASK)) {
6236 		action = pf_test_fragment(&r, dir, kif, m, h,
6237 		    &pd, &a, &ruleset);
6238 		goto done;
6239 	}
6240 	switch (h->ip_p) {
6241 
6242 	case IPPROTO_TCP: {
6243 		struct tcphdr	th;
6244 
6245 		pd.hdr.tcp = &th;
6246 		if (!pf_pull_hdr(m, off, &th, sizeof(th),
6247 		    &action, &reason, AF_INET)) {
6248 			log = action != PF_PASS;
6249 			goto done;
6250 		}
6251 		if (dir == PF_IN && pf_check_proto_cksum(m, off,
6252 		    h->ip_len - off, IPPROTO_TCP, AF_INET)) {
6253 			REASON_SET(&reason, PFRES_PROTCKSUM);
6254 			action = PF_DROP;
6255 			goto done;
6256 		}
6257 		pd.p_len = pd.tot_len - off - (th.th_off << 2);
6258 		if ((th.th_flags & TH_ACK) && pd.p_len == 0)
6259 			pqid = 1;
6260 		action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6261 		if (action == PF_DROP)
6262 			goto done;
6263 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6264 		    &reason);
6265 		if (action == PF_PASS) {
6266 #if NPFSYNC
6267 			pfsync_update_state(s);
6268 #endif /* NPFSYNC */
6269 			r = s->rule.ptr;
6270 			a = s->anchor.ptr;
6271 			log = s->log;
6272 		} else if (s == NULL) {
6273 			action = pf_test_tcp(&r, &s, dir, kif,
6274 			    m, off, h, &pd, &a, &ruleset, NULL, inp);
6275 			}
6276 		break;
6277 	}
6278 
6279 	case IPPROTO_UDP: {
6280 		struct udphdr	uh;
6281 
6282 		pd.hdr.udp = &uh;
6283 		if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
6284 		    &action, &reason, AF_INET)) {
6285 			log = action != PF_PASS;
6286 			goto done;
6287 		}
6288 		if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
6289 		    off, h->ip_len - off, IPPROTO_UDP, AF_INET)) {
6290 			action = PF_DROP;
6291 			REASON_SET(&reason, PFRES_PROTCKSUM);
6292 			goto done;
6293 		}
6294 		if (uh.uh_dport == 0 ||
6295 		    ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
6296 		    ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
6297 			action = PF_DROP;
6298 			REASON_SET(&reason, PFRES_SHORT);
6299 			goto done;
6300 		}
6301 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6302 		if (action == PF_PASS) {
6303 #if NPFSYNC
6304 			pfsync_update_state(s);
6305 #endif /* NPFSYNC */
6306 			r = s->rule.ptr;
6307 			a = s->anchor.ptr;
6308 			log = s->log;
6309 		} else if (s == NULL)
6310 			action = pf_test_udp(&r, &s, dir, kif,
6311 			    m, off, h, &pd, &a, &ruleset, NULL, inp);
6312 		break;
6313 	}
6314 
6315 	case IPPROTO_ICMP: {
6316 		struct icmp	ih;
6317 
6318 		pd.hdr.icmp = &ih;
6319 		if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
6320 		    &action, &reason, AF_INET)) {
6321 			log = action != PF_PASS;
6322 			goto done;
6323 		}
6324 		if (dir == PF_IN && pf_check_proto_cksum(m, off,
6325 		    h->ip_len - off, IPPROTO_ICMP, AF_INET)) {
6326 			action = PF_DROP;
6327 			REASON_SET(&reason, PFRES_PROTCKSUM);
6328 			goto done;
6329 		}
6330 		action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
6331 		    &reason);
6332 		if (action == PF_PASS) {
6333 #if NPFSYNC
6334 			pfsync_update_state(s);
6335 #endif /* NPFSYNC */
6336 			r = s->rule.ptr;
6337 			a = s->anchor.ptr;
6338 			log = s->log;
6339 		} else if (s == NULL)
6340 			action = pf_test_icmp(&r, &s, dir, kif,
6341 			    m, off, h, &pd, &a, &ruleset, NULL);
6342 		break;
6343 	}
6344 
6345 	default:
6346 		action = pf_test_state_other(&s, dir, kif, &pd);
6347 		if (action == PF_PASS) {
6348 #if NPFSYNC
6349 			pfsync_update_state(s);
6350 #endif /* NPFSYNC */
6351 			r = s->rule.ptr;
6352 			a = s->anchor.ptr;
6353 			log = s->log;
6354 		} else if (s == NULL)
6355 			action = pf_test_other(&r, &s, dir, kif, m, off, h,
6356 			    &pd, &a, &ruleset, NULL);
6357 		break;
6358 	}
6359 
6360 done:
6361 	if (action == PF_PASS && h->ip_hl > 5 &&
6362 	    !((s && s->allow_opts) || r->allow_opts)) {
6363 		action = PF_DROP;
6364 		REASON_SET(&reason, PFRES_IPOPTIONS);
6365 		log = 1;
6366 		DPFPRINTF(PF_DEBUG_MISC,
6367 		    ("pf: dropping packet with ip options\n"));
6368 	}
6369 
6370 	if ((s && s->tag) || r->rtableid)
6371 		pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid);
6372 
6373 #ifdef ALTQ
6374 	if (action == PF_PASS && r->qid) {
6375 		if (pqid || (pd.tos & IPTOS_LOWDELAY))
6376 			pd.pf_mtag->qid = r->pqid;
6377 		else
6378 			pd.pf_mtag->qid = r->qid;
6379 		/* add hints for ecn */
6380 		pd.pf_mtag->af = AF_INET;
6381 		pd.pf_mtag->hdr = h;
6382 		/* add connection hash for fairq */
6383 		if (s) {
6384 			KKASSERT(s->hash != 0);
6385 			pd.pf_mtag->flags |= PF_TAG_STATE_HASHED;
6386 			pd.pf_mtag->state_hash = s->hash;
6387 		}
6388 	}
6389 #endif /* ALTQ */
6390 
6391 	/*
6392 	 * connections redirected to loopback should not match sockets
6393 	 * bound specifically to loopback due to security implications,
6394 	 * see tcp_input() and in_pcblookup_listen().
6395 	 */
6396 	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
6397 	    pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
6398 	    (s->nat_rule.ptr->action == PF_RDR ||
6399 	    s->nat_rule.ptr->action == PF_BINAT) &&
6400 	    (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
6401 		pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST;
6402 
6403 	if (log) {
6404 		struct pf_rule *lr;
6405 
6406 		if (s != NULL && s->nat_rule.ptr != NULL &&
6407 		    s->nat_rule.ptr->log & PF_LOG_ALL)
6408 			lr = s->nat_rule.ptr;
6409 		else
6410 			lr = r;
6411 		PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset,
6412 		    &pd);
6413 	}
6414 
6415 	kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6416 	kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
6417 
6418 	if (action == PF_PASS || r->action == PF_DROP) {
6419 		dirndx = (dir == PF_OUT);
6420 		r->packets[dirndx]++;
6421 		r->bytes[dirndx] += pd.tot_len;
6422 		if (a != NULL) {
6423 			a->packets[dirndx]++;
6424 			a->bytes[dirndx] += pd.tot_len;
6425 		}
6426 		if (s != NULL) {
6427 			if (s->nat_rule.ptr != NULL) {
6428 				s->nat_rule.ptr->packets[dirndx]++;
6429 				s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
6430 			}
6431 			if (s->src_node != NULL) {
6432 				s->src_node->packets[dirndx]++;
6433 				s->src_node->bytes[dirndx] += pd.tot_len;
6434 			}
6435 			if (s->nat_src_node != NULL) {
6436 				s->nat_src_node->packets[dirndx]++;
6437 				s->nat_src_node->bytes[dirndx] += pd.tot_len;
6438 			}
6439 			dirndx = (dir == s->direction) ? 0 : 1;
6440 			s->packets[dirndx]++;
6441 			s->bytes[dirndx] += pd.tot_len;
6442 		}
6443 		tr = r;
6444 		nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
6445 		if (nr != NULL) {
6446 			struct pf_addr *x;
6447 			/*
6448 			 * XXX: we need to make sure that the addresses
6449 			 * passed to pfr_update_stats() are the same than
6450 			 * the addresses used during matching (pfr_match)
6451 			 */
6452 			if (r == &pf_default_rule) {
6453 				tr = nr;
6454 				x = (s == NULL || s->direction == dir) ?
6455 				    &pd.baddr : &pd.naddr;
6456 			} else
6457 				x = (s == NULL || s->direction == dir) ?
6458 				    &pd.naddr : &pd.baddr;
6459 			if (x == &pd.baddr || s == NULL) {
6460 				/* we need to change the address */
6461 				if (dir == PF_OUT)
6462 					pd.src = x;
6463 				else
6464 					pd.dst = x;
6465 			}
6466 		}
6467 		if (tr->src.addr.type == PF_ADDR_TABLE)
6468 			pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
6469 			    s->direction == dir) ? pd.src : pd.dst, pd.af,
6470 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6471 			    tr->src.neg);
6472 		if (tr->dst.addr.type == PF_ADDR_TABLE)
6473 			pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
6474 			    s->direction == dir) ? pd.dst : pd.src, pd.af,
6475 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6476 			    tr->dst.neg);
6477 	}
6478 
6479 
6480 	if (action == PF_SYNPROXY_DROP) {
6481 		m_freem(*m0);
6482 		*m0 = NULL;
6483 		action = PF_PASS;
6484 	} else if (r->rt)
6485 		/* pf_route can free the mbuf causing *m0 to become NULL */
6486 		pf_route(m0, r, dir, ifp, s, &pd);
6487 	return (action);
6488 }
6489 #endif /* INET */
6490 
6491 #ifdef INET6
6492 int
6493 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
6494     struct ether_header *eh, struct inpcb *inp)
6495 {
6496 	struct pfi_kif		*kif;
6497 	u_short			 action, reason = 0, log = 0;
6498 	struct mbuf		*m = *m0, *n = NULL;
6499 	struct ip6_hdr		*h = NULL;
6500 	struct pf_rule		*a = NULL, *r = &pf_default_rule, *tr, *nr;
6501 	struct pf_state		*s = NULL;
6502 	struct pf_ruleset	*ruleset = NULL;
6503 	struct pf_pdesc		 pd;
6504 	int			 off, terminal = 0, dirndx;
6505 
6506 	if (!pf_status.running)
6507 		return (PF_PASS);
6508 
6509 	memset(&pd, 0, sizeof(pd));
6510 	if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
6511 		DPFPRINTF(PF_DEBUG_URGENT,
6512 		    ("pf_test6: pf_get_mtag returned NULL\n"));
6513 		return (PF_DROP);
6514 	}
6515 	if (pd.pf_mtag->flags & PF_TAG_GENERATED)
6516 		return (PF_PASS);
6517 
6518 	kif = (struct pfi_kif *)ifp->if_pf_kif;
6519 	if (kif == NULL) {
6520 		DPFPRINTF(PF_DEBUG_URGENT,
6521 		    ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname));
6522 		return (PF_DROP);
6523 	}
6524 	if (kif->pfik_flags & PFI_IFLAG_SKIP)
6525 		return (PF_PASS);
6526 
6527 #ifdef DIAGNOSTIC
6528 	if ((m->m_flags & M_PKTHDR) == 0)
6529 		panic("non-M_PKTHDR is passed to pf_test6");
6530 #endif /* DIAGNOSTIC */
6531 
6532 	if (m->m_pkthdr.len < (int)sizeof(*h)) {
6533 		action = PF_DROP;
6534 		REASON_SET(&reason, PFRES_SHORT);
6535 		log = 1;
6536 		goto done;
6537 	}
6538 
6539 	/* We do IP header normalization and packet reassembly here */
6540 	if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
6541 		action = PF_DROP;
6542 		goto done;
6543 	}
6544 	m = *m0;
6545 	h = mtod(m, struct ip6_hdr *);
6546 
6547 #if 1
6548 	/*
6549 	 * we do not support jumbogram yet.  if we keep going, zero ip6_plen
6550 	 * will do something bad, so drop the packet for now.
6551 	 */
6552 	if (htons(h->ip6_plen) == 0) {
6553 		action = PF_DROP;
6554 		REASON_SET(&reason, PFRES_NORM);	/*XXX*/
6555 		goto done;
6556 	}
6557 #endif
6558 
6559 	pd.src = (struct pf_addr *)&h->ip6_src;
6560 	pd.dst = (struct pf_addr *)&h->ip6_dst;
6561 	PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
6562 	pd.ip_sum = NULL;
6563 	pd.af = AF_INET6;
6564 	pd.tos = 0;
6565 	pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
6566 	pd.eh = eh;
6567 
6568 	off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
6569 	pd.proto = h->ip6_nxt;
6570 	do {
6571 		switch (pd.proto) {
6572 		case IPPROTO_FRAGMENT:
6573 			action = pf_test_fragment(&r, dir, kif, m, h,
6574 			    &pd, &a, &ruleset);
6575 			if (action == PF_DROP)
6576 				REASON_SET(&reason, PFRES_FRAG);
6577 			goto done;
6578 		case IPPROTO_ROUTING: {
6579 			struct ip6_rthdr rthdr;
6580 
6581 			if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL,
6582 			    &reason, pd.af)) {
6583 				DPFPRINTF(PF_DEBUG_MISC,
6584 				    ("pf: IPv6 short rthdr\n"));
6585 				action = PF_DROP;
6586 				log = 1;
6587 				goto done;
6588 			}
6589 			if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
6590 				DPFPRINTF(PF_DEBUG_MISC,
6591 				    ("pf: IPv6 rthdr0\n"));
6592 				action = PF_DROP;
6593 				REASON_SET(&reason, PFRES_IPOPTIONS);
6594 				log = 1;
6595 				goto done;
6596 			}
6597 			/* FALLTHROUGH */
6598 		}
6599 		case IPPROTO_AH:
6600 		case IPPROTO_HOPOPTS:
6601 		case IPPROTO_DSTOPTS: {
6602 			/* get next header and header length */
6603 			struct ip6_ext	opt6;
6604 
6605 			if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
6606 			    NULL, &reason, pd.af)) {
6607 				DPFPRINTF(PF_DEBUG_MISC,
6608 				    ("pf: IPv6 short opt\n"));
6609 				action = PF_DROP;
6610 				log = 1;
6611 				goto done;
6612 			}
6613 			if (pd.proto == IPPROTO_AH)
6614 				off += (opt6.ip6e_len + 2) * 4;
6615 			else
6616 				off += (opt6.ip6e_len + 1) * 8;
6617 			pd.proto = opt6.ip6e_nxt;
6618 			/* goto the next header */
6619 			break;
6620 		}
6621 		default:
6622 			terminal++;
6623 			break;
6624 		}
6625 	} while (!terminal);
6626 
6627 	/* if there's no routing header, use unmodified mbuf for checksumming */
6628 	if (!n)
6629 		n = m;
6630 
6631 	switch (pd.proto) {
6632 
6633 	case IPPROTO_TCP: {
6634 		struct tcphdr	th;
6635 
6636 		pd.hdr.tcp = &th;
6637 		if (!pf_pull_hdr(m, off, &th, sizeof(th),
6638 		    &action, &reason, AF_INET6)) {
6639 			log = action != PF_PASS;
6640 			goto done;
6641 		}
6642 		if (dir == PF_IN && pf_check_proto_cksum(n, off,
6643 		    ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
6644 		    IPPROTO_TCP, AF_INET6)) {
6645 			action = PF_DROP;
6646 			REASON_SET(&reason, PFRES_PROTCKSUM);
6647 			goto done;
6648 		}
6649 		pd.p_len = pd.tot_len - off - (th.th_off << 2);
6650 		action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6651 		if (action == PF_DROP)
6652 			goto done;
6653 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6654 		    &reason);
6655 		if (action == PF_PASS) {
6656 #if NPFSYNC
6657 			pfsync_update_state(s);
6658 #endif /* NPFSYNC */
6659 			r = s->rule.ptr;
6660 			a = s->anchor.ptr;
6661 			log = s->log;
6662 		} else if (s == NULL)
6663 			action = pf_test_tcp(&r, &s, dir, kif,
6664 			    m, off, h, &pd, &a, &ruleset, NULL, inp);
6665 		break;
6666 	}
6667 
6668 	case IPPROTO_UDP: {
6669 		struct udphdr	uh;
6670 
6671 		pd.hdr.udp = &uh;
6672 		if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
6673 		    &action, &reason, AF_INET6)) {
6674 			log = action != PF_PASS;
6675 			goto done;
6676 		}
6677 		if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(n,
6678 		    off, ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
6679 		    IPPROTO_UDP, AF_INET6)) {
6680 			action = PF_DROP;
6681 			REASON_SET(&reason, PFRES_PROTCKSUM);
6682 			goto done;
6683 		}
6684 		if (uh.uh_dport == 0 ||
6685 		    ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
6686 		    ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
6687 			action = PF_DROP;
6688 			REASON_SET(&reason, PFRES_SHORT);
6689 			goto done;
6690 		}
6691 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6692 		if (action == PF_PASS) {
6693 #if NPFSYNC
6694 			pfsync_update_state(s);
6695 #endif /* NPFSYNC */
6696 			r = s->rule.ptr;
6697 			a = s->anchor.ptr;
6698 			log = s->log;
6699 		} else if (s == NULL)
6700 			action = pf_test_udp(&r, &s, dir, kif,
6701 			    m, off, h, &pd, &a, &ruleset, NULL, inp);
6702 		break;
6703 	}
6704 
6705 	case IPPROTO_ICMPV6: {
6706 		struct icmp6_hdr	ih;
6707 
6708 		pd.hdr.icmp6 = &ih;
6709 		if (!pf_pull_hdr(m, off, &ih, sizeof(ih),
6710 		    &action, &reason, AF_INET6)) {
6711 			log = action != PF_PASS;
6712 			goto done;
6713 		}
6714 		if (dir == PF_IN && pf_check_proto_cksum(n, off,
6715 		    ntohs(h->ip6_plen) - (off - sizeof(struct ip6_hdr)),
6716 		    IPPROTO_ICMPV6, AF_INET6)) {
6717 			action = PF_DROP;
6718 			REASON_SET(&reason, PFRES_PROTCKSUM);
6719 			goto done;
6720 		}
6721 		action = pf_test_state_icmp(&s, dir, kif,
6722 		    m, off, h, &pd, &reason);
6723 		if (action == PF_PASS) {
6724 #if NPFSYNC
6725 			pfsync_update_state(s);
6726 #endif /* NPFSYNC */
6727 			r = s->rule.ptr;
6728 			a = s->anchor.ptr;
6729 			log = s->log;
6730 		} else if (s == NULL)
6731 			action = pf_test_icmp(&r, &s, dir, kif,
6732 			    m, off, h, &pd, &a, &ruleset, NULL);
6733 		break;
6734 	}
6735 
6736 	default:
6737 		action = pf_test_state_other(&s, dir, kif, &pd);
6738 		if (action == PF_PASS) {
6739 #if NPFSYNC
6740 			pfsync_update_state(s);
6741 #endif /* NPFSYNC */
6742 			r = s->rule.ptr;
6743 			a = s->anchor.ptr;
6744 			log = s->log;
6745 		} else if (s == NULL)
6746 			action = pf_test_other(&r, &s, dir, kif, m, off, h,
6747 			    &pd, &a, &ruleset, NULL);
6748 		break;
6749 	}
6750 
6751 done:
6752 	if (n != m) {
6753 		m_freem(n);
6754 		n = NULL;
6755 	}
6756 
6757 	/* XXX handle IPv6 options, if not allowed.  not implemented. */
6758 
6759 	if ((s && s->tag) || r->rtableid)
6760 		pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid);
6761 
6762 #ifdef ALTQ
6763 	if (action == PF_PASS && r->qid) {
6764 		if (pd.tos & IPTOS_LOWDELAY)
6765 			pd.pf_mtag->qid = r->pqid;
6766 		else
6767 			pd.pf_mtag->qid = r->qid;
6768 		/* add hints for ecn */
6769 		pd.pf_mtag->af = AF_INET6;
6770 		pd.pf_mtag->hdr = h;
6771 		/* add connection hash for fairq */
6772 		if (s) {
6773 			KKASSERT(s->hash != 0);
6774 			pd.pf_mtag->flags |= PF_TAG_STATE_HASHED;
6775 			pd.pf_mtag->state_hash = s->hash;
6776 		}
6777 	}
6778 #endif /* ALTQ */
6779 
6780 	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
6781 	    pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
6782 	    (s->nat_rule.ptr->action == PF_RDR ||
6783 	    s->nat_rule.ptr->action == PF_BINAT) &&
6784 	    IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
6785 		pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST;
6786 
6787 	if (log) {
6788 		struct pf_rule *lr;
6789 
6790 		if (s != NULL && s->nat_rule.ptr != NULL &&
6791 		    s->nat_rule.ptr->log & PF_LOG_ALL)
6792 			lr = s->nat_rule.ptr;
6793 		else
6794 			lr = r;
6795 		PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset,
6796 		    &pd);
6797 	}
6798 
6799 	kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6800 	kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
6801 
6802 	if (action == PF_PASS || r->action == PF_DROP) {
6803 		dirndx = (dir == PF_OUT);
6804 		r->packets[dirndx]++;
6805 		r->bytes[dirndx] += pd.tot_len;
6806 		if (a != NULL) {
6807 			a->packets[dirndx]++;
6808 			a->bytes[dirndx] += pd.tot_len;
6809 		}
6810 		if (s != NULL) {
6811 			if (s->nat_rule.ptr != NULL) {
6812 				s->nat_rule.ptr->packets[dirndx]++;
6813 				s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
6814 			}
6815 			if (s->src_node != NULL) {
6816 				s->src_node->packets[dirndx]++;
6817 				s->src_node->bytes[dirndx] += pd.tot_len;
6818 			}
6819 			if (s->nat_src_node != NULL) {
6820 				s->nat_src_node->packets[dirndx]++;
6821 				s->nat_src_node->bytes[dirndx] += pd.tot_len;
6822 			}
6823 			dirndx = (dir == s->direction) ? 0 : 1;
6824 			s->packets[dirndx]++;
6825 			s->bytes[dirndx] += pd.tot_len;
6826 		}
6827 		tr = r;
6828 		nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
6829 		if (nr != NULL) {
6830 			struct pf_addr *x;
6831 			/*
6832 			 * XXX: we need to make sure that the addresses
6833 			 * passed to pfr_update_stats() are the same than
6834 			 * the addresses used during matching (pfr_match)
6835 			 */
6836 			if (r == &pf_default_rule) {
6837 				tr = nr;
6838 				x = (s == NULL || s->direction == dir) ?
6839 				    &pd.baddr : &pd.naddr;
6840 			} else {
6841 				x = (s == NULL || s->direction == dir) ?
6842 				    &pd.naddr : &pd.baddr;
6843 			}
6844 			if (x == &pd.baddr || s == NULL) {
6845 				if (dir == PF_OUT)
6846 					pd.src = x;
6847 				else
6848 					pd.dst = x;
6849 			}
6850 		}
6851 		if (tr->src.addr.type == PF_ADDR_TABLE)
6852 			pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
6853 			    s->direction == dir) ? pd.src : pd.dst, pd.af,
6854 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6855 			    tr->src.neg);
6856 		if (tr->dst.addr.type == PF_ADDR_TABLE)
6857 			pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
6858 			    s->direction == dir) ? pd.dst : pd.src, pd.af,
6859 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6860 			    tr->dst.neg);
6861 	}
6862 
6863 
6864 	if (action == PF_SYNPROXY_DROP) {
6865 		m_freem(*m0);
6866 		*m0 = NULL;
6867 		action = PF_PASS;
6868 	} else if (r->rt)
6869 		/* pf_route6 can free the mbuf causing *m0 to become NULL */
6870 		pf_route6(m0, r, dir, ifp, s, &pd);
6871 
6872 	return (action);
6873 }
6874 #endif /* INET6 */
6875 
6876 int
6877 pf_check_congestion(struct ifqueue *ifq)
6878 {
6879 		return (0);
6880 }
6881