1 /* $NetBSD: pf.c,v 1.63 2010/04/12 13:57:38 ahoka Exp $ */ 2 /* $OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */ 3 4 /* 5 * Copyright (c) 2001 Daniel Hartmeier 6 * Copyright (c) 2002,2003 Henning Brauer 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * - Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * - Redistributions in binary form must reproduce the above 16 * copyright notice, this list of conditions and the following 17 * disclaimer in the documentation and/or other materials provided 18 * with the distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 * 33 * Effort sponsored in part by the Defense Advanced Research Projects 34 * Agency (DARPA) and Air Force Research Laboratory, Air Force 35 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 36 * 37 */ 38 39 #include <sys/cdefs.h> 40 __KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.63 2010/04/12 13:57:38 ahoka Exp $"); 41 42 #include "pflog.h" 43 44 #include "pfsync.h" 45 46 #include <sys/param.h> 47 #include <sys/systm.h> 48 #include <sys/mbuf.h> 49 #include <sys/filio.h> 50 #include <sys/socket.h> 51 #include <sys/socketvar.h> 52 #include <sys/kernel.h> 53 #include <sys/time.h> 54 #include <sys/pool.h> 55 #include <sys/proc.h> 56 #include <sys/rwlock.h> 57 #ifdef __NetBSD__ 58 #include <sys/kthread.h> 59 #include <sys/kauth.h> 60 #endif /* __NetBSD__ */ 61 62 #include <net/if.h> 63 #include <net/if_types.h> 64 #include <net/bpf.h> 65 #include <net/route.h> 66 #ifndef __NetBSD__ 67 #include <net/radix_mpath.h> 68 #endif /* !__NetBSD__ */ 69 70 #include <netinet/in.h> 71 #ifdef __NetBSD__ 72 #include <netinet/in_offload.h> 73 #endif /* __NetBSD__ */ 74 #include <netinet/in_var.h> 75 #include <netinet/in_systm.h> 76 #include <netinet/ip.h> 77 #include <netinet/ip_var.h> 78 #include <netinet/tcp.h> 79 #include <netinet/tcp_seq.h> 80 #include <netinet/udp.h> 81 #include <netinet/ip_icmp.h> 82 #include <netinet/in_pcb.h> 83 #include <netinet/tcp_timer.h> 84 #include <netinet/tcp_var.h> 85 #include <netinet/udp_var.h> 86 #include <netinet/icmp_var.h> 87 #ifndef __NetBSD__ 88 #include <netinet/if_ether.h> 89 #else 90 #include <net/if_ether.h> 91 #endif /* __NetBSD__ */ 92 93 #ifndef __NetBSD__ 94 #include <dev/rndvar.h> 95 #else 96 #include <sys/rnd.h> 97 #endif /* __NetBSD__ */ 98 99 #include <net/pfvar.h> 100 #include <net/if_pflog.h> 101 102 #if NPFSYNC > 0 103 #include <net/if_pfsync.h> 104 #endif /* NPFSYNC > 0 */ 105 106 #ifdef INET6 107 #include <netinet/ip6.h> 108 #include <netinet6/ip6_var.h> 109 #ifdef __NetBSD__ 110 #include <netinet6/in6_pcb.h> 111 #endif /* __NetBSD__ */ 112 #include <netinet/icmp6.h> 113 #include <netinet6/nd6.h> 114 #endif /* INET6 */ 115 116 #ifdef __NetBSD__ 117 #include <netinet/tcp_rndiss.h> 118 #endif /* __NetBSD__ */ 119 120 121 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 122 123 /* 124 * Global variables 125 */ 126 127 /* state tables */ 128 struct pf_state_tree_lan_ext pf_statetbl_lan_ext; 129 struct pf_state_tree_ext_gwy pf_statetbl_ext_gwy; 130 131 struct pf_altqqueue pf_altqs[2]; 132 struct pf_palist pf_pabuf; 133 struct pf_altqqueue *pf_altqs_active; 134 struct pf_altqqueue *pf_altqs_inactive; 135 struct pf_status pf_status; 136 137 u_int32_t ticket_altqs_active; 138 u_int32_t ticket_altqs_inactive; 139 int altqs_inactive_open; 140 u_int32_t ticket_pabuf; 141 142 struct pf_anchor_stackframe { 143 struct pf_ruleset *rs; 144 struct pf_rule *r; 145 struct pf_anchor_node *parent; 146 struct pf_anchor *child; 147 } pf_anchor_stack[64]; 148 149 struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl; 150 struct pool pf_state_pl, pf_state_key_pl; 151 struct pool pf_altq_pl; 152 153 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); 154 155 void pf_init_threshold(struct pf_threshold *, u_int32_t, 156 u_int32_t); 157 void pf_add_threshold(struct pf_threshold *); 158 int pf_check_threshold(struct pf_threshold *); 159 160 void pf_change_ap(struct pf_addr *, u_int16_t *, 161 u_int16_t *, u_int16_t *, struct pf_addr *, 162 u_int16_t, u_int8_t, sa_family_t); 163 int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *, 164 struct tcphdr *, struct pf_state_peer *); 165 #ifdef INET6 166 void pf_change_a6(struct pf_addr *, u_int16_t *, 167 struct pf_addr *, u_int8_t); 168 #endif /* INET6 */ 169 void pf_change_icmp(struct pf_addr *, u_int16_t *, 170 struct pf_addr *, struct pf_addr *, u_int16_t, 171 u_int16_t *, u_int16_t *, u_int16_t *, 172 u_int16_t *, u_int8_t, sa_family_t); 173 void pf_send_tcp(const struct pf_rule *, sa_family_t, 174 const struct pf_addr *, const struct pf_addr *, 175 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 176 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, 177 u_int16_t, struct ether_header *, struct ifnet *); 178 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, 179 sa_family_t, struct pf_rule *); 180 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, 181 int, int, struct pfi_kif *, 182 struct pf_addr *, u_int16_t, struct pf_addr *, 183 u_int16_t, int); 184 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, 185 int, int, struct pfi_kif *, struct pf_src_node **, 186 struct pf_addr *, u_int16_t, 187 struct pf_addr *, u_int16_t, 188 struct pf_addr *, u_int16_t *); 189 void pf_attach_state(struct pf_state_key *, 190 struct pf_state *, int); 191 void pf_detach_state(struct pf_state *, int); 192 int pf_test_rule(struct pf_rule **, struct pf_state **, 193 int, struct pfi_kif *, struct mbuf *, int, 194 void *, struct pf_pdesc *, struct pf_rule **, 195 struct pf_ruleset **, struct ifqueue *); 196 int pf_test_fragment(struct pf_rule **, int, 197 struct pfi_kif *, struct mbuf *, void *, 198 struct pf_pdesc *, struct pf_rule **, 199 struct pf_ruleset **); 200 int pf_test_state_tcp(struct pf_state **, int, 201 struct pfi_kif *, struct mbuf *, int, 202 void *, struct pf_pdesc *, u_short *); 203 int pf_test_state_udp(struct pf_state **, int, 204 struct pfi_kif *, struct mbuf *, int, 205 void *, struct pf_pdesc *); 206 int pf_test_state_icmp(struct pf_state **, int, 207 struct pfi_kif *, struct mbuf *, int, 208 void *, struct pf_pdesc *, u_short *); 209 int pf_test_state_other(struct pf_state **, int, 210 struct pfi_kif *, struct pf_pdesc *); 211 int pf_match_tag(struct mbuf *, struct pf_rule *, int *); 212 void pf_step_into_anchor(int *, struct pf_ruleset **, int, 213 struct pf_rule **, struct pf_rule **, int *); 214 int pf_step_out_of_anchor(int *, struct pf_ruleset **, 215 int, struct pf_rule **, struct pf_rule **, 216 int *); 217 void pf_hash(const struct pf_addr *, struct pf_addr *, 218 struct pf_poolhashkey *, sa_family_t); 219 int pf_map_addr(u_int8_t, struct pf_rule *, 220 const struct pf_addr *, struct pf_addr *, 221 struct pf_addr *, struct pf_src_node **); 222 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, 223 struct pf_addr *, struct pf_addr *, u_int16_t, 224 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t, 225 struct pf_src_node **); 226 void pf_route(struct mbuf **, struct pf_rule *, int, 227 struct ifnet *, struct pf_state *, 228 struct pf_pdesc *); 229 void pf_route6(struct mbuf **, struct pf_rule *, int, 230 struct ifnet *, struct pf_state *, 231 struct pf_pdesc *); 232 int pf_socket_lookup(int, struct pf_pdesc *); 233 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, 234 sa_family_t); 235 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, 236 sa_family_t); 237 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, 238 u_int16_t); 239 void pf_set_rt_ifp(struct pf_state *, 240 struct pf_addr *); 241 #ifdef __NetBSD__ 242 int pf_check_proto_cksum(struct mbuf *, int, int, int, 243 u_int8_t, sa_family_t); 244 #else 245 int pf_check_proto_cksum(struct mbuf *, int, int, 246 u_int8_t, sa_family_t); 247 #endif /* !__NetBSD__ */ 248 int pf_addr_wrap_neq(struct pf_addr_wrap *, 249 struct pf_addr_wrap *); 250 struct pf_state *pf_find_state(struct pfi_kif *, 251 struct pf_state_key_cmp *, u_int8_t); 252 int pf_src_connlimit(struct pf_state **); 253 void pf_stateins_err(const char *, struct pf_state *, 254 struct pfi_kif *); 255 int pf_check_congestion(struct ifqueue *); 256 257 extern struct pool pfr_ktable_pl; 258 extern struct pool pfr_kentry_pl; 259 260 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = { 261 { &pf_state_pl, PFSTATE_HIWAT }, 262 { &pf_src_tree_pl, PFSNODE_HIWAT }, 263 { &pf_frent_pl, PFFRAG_FRENT_HIWAT }, 264 { &pfr_ktable_pl, PFR_KTABLE_HIWAT }, 265 { &pfr_kentry_pl, PFR_KENTRY_HIWAT } 266 }; 267 268 #define STATE_LOOKUP() \ 269 do { \ 270 if (direction == PF_IN) \ 271 *state = pf_find_state(kif, &key, PF_EXT_GWY); \ 272 else \ 273 *state = pf_find_state(kif, &key, PF_LAN_EXT); \ 274 if (*state == NULL || (*state)->timeout == PFTM_PURGE) \ 275 return (PF_DROP); \ 276 if (direction == PF_OUT && \ 277 (((*state)->rule.ptr->rt == PF_ROUTETO && \ 278 (*state)->rule.ptr->direction == PF_OUT) || \ 279 ((*state)->rule.ptr->rt == PF_REPLYTO && \ 280 (*state)->rule.ptr->direction == PF_IN)) && \ 281 (*state)->rt_kif != NULL && \ 282 (*state)->rt_kif != kif) \ 283 return (PF_PASS); \ 284 } while (0) 285 286 #define STATE_TRANSLATE(sk) \ 287 (sk)->lan.addr.addr32[0] != (sk)->gwy.addr.addr32[0] || \ 288 ((sk)->af == AF_INET6 && \ 289 ((sk)->lan.addr.addr32[1] != (sk)->gwy.addr.addr32[1] || \ 290 (sk)->lan.addr.addr32[2] != (sk)->gwy.addr.addr32[2] || \ 291 (sk)->lan.addr.addr32[3] != (sk)->gwy.addr.addr32[3])) || \ 292 (sk)->lan.port != (sk)->gwy.port 293 294 #define BOUND_IFACE(r, k) \ 295 ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : pfi_all 296 297 #define STATE_INC_COUNTERS(s) \ 298 do { \ 299 s->rule.ptr->states++; \ 300 if (s->anchor.ptr != NULL) \ 301 s->anchor.ptr->states++; \ 302 if (s->nat_rule.ptr != NULL) \ 303 s->nat_rule.ptr->states++; \ 304 } while (0) 305 306 #define STATE_DEC_COUNTERS(s) \ 307 do { \ 308 if (s->nat_rule.ptr != NULL) \ 309 s->nat_rule.ptr->states--; \ 310 if (s->anchor.ptr != NULL) \ 311 s->anchor.ptr->states--; \ 312 s->rule.ptr->states--; \ 313 } while (0) 314 315 static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *); 316 static __inline int pf_state_compare_lan_ext(struct pf_state_key *, 317 struct pf_state_key *); 318 static __inline int pf_state_compare_ext_gwy(struct pf_state_key *, 319 struct pf_state_key *); 320 static __inline int pf_state_compare_id(struct pf_state *, 321 struct pf_state *); 322 323 struct pf_src_tree tree_src_tracking; 324 325 struct pf_state_tree_id tree_id; 326 struct pf_state_queue state_list; 327 328 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); 329 RB_GENERATE(pf_state_tree_lan_ext, pf_state_key, 330 entry_lan_ext, pf_state_compare_lan_ext); 331 RB_GENERATE(pf_state_tree_ext_gwy, pf_state_key, 332 entry_ext_gwy, pf_state_compare_ext_gwy); 333 RB_GENERATE(pf_state_tree_id, pf_state, 334 entry_id, pf_state_compare_id); 335 336 #define PF_DT_SKIP_LANEXT 0x01 337 #define PF_DT_SKIP_EXTGWY 0x02 338 339 #ifdef __NetBSD__ 340 static __inline struct pfi_kif * 341 bound_iface(const struct pf_rule *r, const struct pf_rule *nr, 342 struct pfi_kif *k) 343 { 344 uint32_t rule_flag; 345 346 rule_flag = r->rule_flag; 347 if (nr != NULL) 348 rule_flag |= nr->rule_flag; 349 350 return ((rule_flag & PFRULE_IFBOUND) != 0) ? k : pfi_all; 351 } 352 #endif /* __NetBSD__ */ 353 354 static __inline int 355 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b) 356 { 357 int diff; 358 359 if (a->rule.ptr > b->rule.ptr) 360 return (1); 361 if (a->rule.ptr < b->rule.ptr) 362 return (-1); 363 if ((diff = a->af - b->af) != 0) 364 return (diff); 365 switch (a->af) { 366 #ifdef INET 367 case AF_INET: 368 if (a->addr.addr32[0] > b->addr.addr32[0]) 369 return (1); 370 if (a->addr.addr32[0] < b->addr.addr32[0]) 371 return (-1); 372 break; 373 #endif /* INET */ 374 #ifdef INET6 375 case AF_INET6: 376 if (a->addr.addr32[3] > b->addr.addr32[3]) 377 return (1); 378 if (a->addr.addr32[3] < b->addr.addr32[3]) 379 return (-1); 380 if (a->addr.addr32[2] > b->addr.addr32[2]) 381 return (1); 382 if (a->addr.addr32[2] < b->addr.addr32[2]) 383 return (-1); 384 if (a->addr.addr32[1] > b->addr.addr32[1]) 385 return (1); 386 if (a->addr.addr32[1] < b->addr.addr32[1]) 387 return (-1); 388 if (a->addr.addr32[0] > b->addr.addr32[0]) 389 return (1); 390 if (a->addr.addr32[0] < b->addr.addr32[0]) 391 return (-1); 392 break; 393 #endif /* INET6 */ 394 } 395 return (0); 396 } 397 398 static __inline int 399 pf_state_compare_lan_ext(struct pf_state_key *a, struct pf_state_key *b) 400 { 401 int diff; 402 403 if ((diff = a->proto - b->proto) != 0) 404 return (diff); 405 if ((diff = a->af - b->af) != 0) 406 return (diff); 407 switch (a->af) { 408 #ifdef INET 409 case AF_INET: 410 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 411 return (1); 412 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 413 return (-1); 414 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 415 return (1); 416 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 417 return (-1); 418 break; 419 #endif /* INET */ 420 #ifdef INET6 421 case AF_INET6: 422 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3]) 423 return (1); 424 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3]) 425 return (-1); 426 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 427 return (1); 428 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 429 return (-1); 430 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2]) 431 return (1); 432 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2]) 433 return (-1); 434 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 435 return (1); 436 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 437 return (-1); 438 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1]) 439 return (1); 440 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1]) 441 return (-1); 442 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 443 return (1); 444 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 445 return (-1); 446 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 447 return (1); 448 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 449 return (-1); 450 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 451 return (1); 452 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 453 return (-1); 454 break; 455 #endif /* INET6 */ 456 } 457 458 if ((diff = a->lan.port - b->lan.port) != 0) 459 return (diff); 460 if ((diff = a->ext.port - b->ext.port) != 0) 461 return (diff); 462 463 return (0); 464 } 465 466 static __inline int 467 pf_state_compare_ext_gwy(struct pf_state_key *a, struct pf_state_key *b) 468 { 469 int diff; 470 471 if ((diff = a->proto - b->proto) != 0) 472 return (diff); 473 if ((diff = a->af - b->af) != 0) 474 return (diff); 475 switch (a->af) { 476 #ifdef INET 477 case AF_INET: 478 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 479 return (1); 480 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 481 return (-1); 482 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 483 return (1); 484 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 485 return (-1); 486 break; 487 #endif /* INET */ 488 #ifdef INET6 489 case AF_INET6: 490 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 491 return (1); 492 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 493 return (-1); 494 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3]) 495 return (1); 496 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3]) 497 return (-1); 498 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 499 return (1); 500 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 501 return (-1); 502 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2]) 503 return (1); 504 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2]) 505 return (-1); 506 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 507 return (1); 508 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 509 return (-1); 510 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1]) 511 return (1); 512 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1]) 513 return (-1); 514 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 515 return (1); 516 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 517 return (-1); 518 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 519 return (1); 520 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 521 return (-1); 522 break; 523 #endif /* INET6 */ 524 } 525 526 if ((diff = a->ext.port - b->ext.port) != 0) 527 return (diff); 528 if ((diff = a->gwy.port - b->gwy.port) != 0) 529 return (diff); 530 531 return (0); 532 } 533 534 static __inline int 535 pf_state_compare_id(struct pf_state *a, struct pf_state *b) 536 { 537 if (a->id > b->id) 538 return (1); 539 if (a->id < b->id) 540 return (-1); 541 if (a->creatorid > b->creatorid) 542 return (1); 543 if (a->creatorid < b->creatorid) 544 return (-1); 545 546 return (0); 547 } 548 549 #ifdef INET6 550 void 551 pf_addrcpy(struct pf_addr *dst, const struct pf_addr *src, sa_family_t af) 552 { 553 switch (af) { 554 #ifdef INET 555 case AF_INET: 556 dst->addr32[0] = src->addr32[0]; 557 break; 558 #endif /* INET */ 559 case AF_INET6: 560 dst->addr32[0] = src->addr32[0]; 561 dst->addr32[1] = src->addr32[1]; 562 dst->addr32[2] = src->addr32[2]; 563 dst->addr32[3] = src->addr32[3]; 564 break; 565 } 566 } 567 #endif /* INET6 */ 568 569 struct pf_state * 570 pf_find_state_byid(struct pf_state_cmp *key) 571 { 572 pf_status.fcounters[FCNT_STATE_SEARCH]++; 573 574 return (RB_FIND(pf_state_tree_id, &tree_id, (struct pf_state *)key)); 575 } 576 577 struct pf_state * 578 pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int8_t tree) 579 { 580 struct pf_state_key *sk; 581 struct pf_state *s; 582 583 pf_status.fcounters[FCNT_STATE_SEARCH]++; 584 585 switch (tree) { 586 case PF_LAN_EXT: 587 sk = RB_FIND(pf_state_tree_lan_ext, &pf_statetbl_lan_ext, 588 (struct pf_state_key *)key); 589 break; 590 case PF_EXT_GWY: 591 sk = RB_FIND(pf_state_tree_ext_gwy, &pf_statetbl_ext_gwy, 592 (struct pf_state_key *)key); 593 break; 594 default: 595 panic("pf_find_state"); 596 } 597 598 /* list is sorted, if-bound states before floating ones */ 599 if (sk != NULL) 600 TAILQ_FOREACH(s, &sk->states, next) 601 if (s->kif == pfi_all || s->kif == kif) 602 return (s); 603 604 return (NULL); 605 } 606 607 struct pf_state * 608 pf_find_state_all(struct pf_state_key_cmp *key, u_int8_t tree, int *more) 609 { 610 struct pf_state_key *sk; 611 struct pf_state *s, *ret = NULL; 612 613 pf_status.fcounters[FCNT_STATE_SEARCH]++; 614 615 switch (tree) { 616 case PF_LAN_EXT: 617 sk = RB_FIND(pf_state_tree_lan_ext, 618 &pf_statetbl_lan_ext, (struct pf_state_key *)key); 619 break; 620 case PF_EXT_GWY: 621 sk = RB_FIND(pf_state_tree_ext_gwy, 622 &pf_statetbl_ext_gwy, (struct pf_state_key *)key); 623 break; 624 default: 625 panic("pf_find_state_all"); 626 } 627 628 if (sk != NULL) { 629 ret = TAILQ_FIRST(&sk->states); 630 if (more == NULL) 631 return (ret); 632 633 TAILQ_FOREACH(s, &sk->states, next) 634 (*more)++; 635 } 636 637 return (ret); 638 } 639 640 void 641 pf_init_threshold(struct pf_threshold *threshold, 642 u_int32_t limit, u_int32_t seconds) 643 { 644 threshold->limit = limit * PF_THRESHOLD_MULT; 645 threshold->seconds = seconds; 646 threshold->count = 0; 647 threshold->last = time_second; 648 } 649 650 void 651 pf_add_threshold(struct pf_threshold *threshold) 652 { 653 u_int32_t t = time_second, diff = t - threshold->last; 654 655 if (diff >= threshold->seconds) 656 threshold->count = 0; 657 else 658 threshold->count -= threshold->count * diff / 659 threshold->seconds; 660 threshold->count += PF_THRESHOLD_MULT; 661 threshold->last = t; 662 } 663 664 int 665 pf_check_threshold(struct pf_threshold *threshold) 666 { 667 return (threshold->count > threshold->limit); 668 } 669 670 int 671 pf_src_connlimit(struct pf_state **state) 672 { 673 int bad = 0; 674 675 (*state)->src_node->conn++; 676 (*state)->src.tcp_est = 1; 677 pf_add_threshold(&(*state)->src_node->conn_rate); 678 679 if ((*state)->rule.ptr->max_src_conn && 680 (*state)->rule.ptr->max_src_conn < 681 (*state)->src_node->conn) { 682 pf_status.lcounters[LCNT_SRCCONN]++; 683 bad++; 684 } 685 686 if ((*state)->rule.ptr->max_src_conn_rate.limit && 687 pf_check_threshold(&(*state)->src_node->conn_rate)) { 688 pf_status.lcounters[LCNT_SRCCONNRATE]++; 689 bad++; 690 } 691 692 if (!bad) 693 return (0); 694 695 if ((*state)->rule.ptr->overload_tbl) { 696 struct pfr_addr p; 697 u_int32_t killed = 0; 698 699 pf_status.lcounters[LCNT_OVERLOAD_TABLE]++; 700 if (pf_status.debug >= PF_DEBUG_MISC) { 701 printf("pf_src_connlimit: blocking address "); 702 pf_print_host(&(*state)->src_node->addr, 0, 703 (*state)->state_key->af); 704 } 705 706 bzero(&p, sizeof(p)); 707 p.pfra_af = (*state)->state_key->af; 708 switch ((*state)->state_key->af) { 709 #ifdef INET 710 case AF_INET: 711 p.pfra_net = 32; 712 p.pfra_ip4addr = (*state)->src_node->addr.v4; 713 break; 714 #endif /* INET */ 715 #ifdef INET6 716 case AF_INET6: 717 p.pfra_net = 128; 718 p.pfra_ip6addr = (*state)->src_node->addr.v6; 719 break; 720 #endif /* INET6 */ 721 } 722 723 pfr_insert_kentry((*state)->rule.ptr->overload_tbl, 724 &p, time_second); 725 726 /* kill existing states if that's required. */ 727 if ((*state)->rule.ptr->flush) { 728 struct pf_state_key *sk; 729 struct pf_state *st; 730 731 pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++; 732 RB_FOREACH(st, pf_state_tree_id, &tree_id) { 733 sk = st->state_key; 734 /* 735 * Kill states from this source. (Only those 736 * from the same rule if PF_FLUSH_GLOBAL is not 737 * set) 738 */ 739 if (sk->af == 740 (*state)->state_key->af && 741 (((*state)->state_key->direction == 742 PF_OUT && 743 PF_AEQ(&(*state)->src_node->addr, 744 &sk->lan.addr, sk->af)) || 745 ((*state)->state_key->direction == PF_IN && 746 PF_AEQ(&(*state)->src_node->addr, 747 &sk->ext.addr, sk->af))) && 748 ((*state)->rule.ptr->flush & 749 PF_FLUSH_GLOBAL || 750 (*state)->rule.ptr == st->rule.ptr)) { 751 st->timeout = PFTM_PURGE; 752 st->src.state = st->dst.state = 753 TCPS_CLOSED; 754 killed++; 755 } 756 } 757 if (pf_status.debug >= PF_DEBUG_MISC) 758 printf(", %u states killed", killed); 759 } 760 if (pf_status.debug >= PF_DEBUG_MISC) 761 printf("\n"); 762 } 763 764 /* kill this state */ 765 (*state)->timeout = PFTM_PURGE; 766 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED; 767 return (1); 768 } 769 770 int 771 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule, 772 struct pf_addr *src, sa_family_t af) 773 { 774 struct pf_src_node k; 775 776 if (*sn == NULL) { 777 k.af = af; 778 PF_ACPY(&k.addr, src, af); 779 if (rule->rule_flag & PFRULE_RULESRCTRACK || 780 rule->rpool.opts & PF_POOL_STICKYADDR) 781 k.rule.ptr = rule; 782 else 783 k.rule.ptr = NULL; 784 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 785 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 786 } 787 if (*sn == NULL) { 788 if (!rule->max_src_nodes || 789 rule->src_nodes < rule->max_src_nodes) 790 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT); 791 else 792 pf_status.lcounters[LCNT_SRCNODES]++; 793 if ((*sn) == NULL) 794 return (-1); 795 bzero(*sn, sizeof(struct pf_src_node)); 796 797 pf_init_threshold(&(*sn)->conn_rate, 798 rule->max_src_conn_rate.limit, 799 rule->max_src_conn_rate.seconds); 800 801 (*sn)->af = af; 802 if (rule->rule_flag & PFRULE_RULESRCTRACK || 803 rule->rpool.opts & PF_POOL_STICKYADDR) 804 (*sn)->rule.ptr = rule; 805 else 806 (*sn)->rule.ptr = NULL; 807 PF_ACPY(&(*sn)->addr, src, af); 808 if (RB_INSERT(pf_src_tree, 809 &tree_src_tracking, *sn) != NULL) { 810 if (pf_status.debug >= PF_DEBUG_MISC) { 811 printf("pf: src_tree insert failed: "); 812 pf_print_host(&(*sn)->addr, 0, af); 813 printf("\n"); 814 } 815 pool_put(&pf_src_tree_pl, *sn); 816 return (-1); 817 } 818 (*sn)->creation = time_second; 819 (*sn)->ruletype = rule->action; 820 if ((*sn)->rule.ptr != NULL) 821 (*sn)->rule.ptr->src_nodes++; 822 pf_status.scounters[SCNT_SRC_NODE_INSERT]++; 823 pf_status.src_nodes++; 824 } else { 825 if (rule->max_src_states && 826 (*sn)->states >= rule->max_src_states) { 827 pf_status.lcounters[LCNT_SRCSTATES]++; 828 return (-1); 829 } 830 } 831 return (0); 832 } 833 834 void 835 pf_stateins_err(const char *tree, struct pf_state *s, struct pfi_kif *kif) 836 { 837 struct pf_state_key *sk = s->state_key; 838 839 if (pf_status.debug >= PF_DEBUG_MISC) { 840 printf("pf: state insert failed: %s %s", tree, kif->pfik_name); 841 printf(" lan: "); 842 pf_print_host(&sk->lan.addr, sk->lan.port, 843 sk->af); 844 printf(" gwy: "); 845 pf_print_host(&sk->gwy.addr, sk->gwy.port, 846 sk->af); 847 printf(" ext: "); 848 pf_print_host(&sk->ext.addr, sk->ext.port, 849 sk->af); 850 if (s->sync_flags & PFSTATE_FROMSYNC) 851 printf(" (from sync)"); 852 printf("\n"); 853 } 854 } 855 856 int 857 pf_insert_state(struct pfi_kif *kif, struct pf_state *s) 858 { 859 struct pf_state_key *cur; 860 struct pf_state *sp; 861 862 KASSERT(s->state_key != NULL); 863 s->kif = kif; 864 865 if ((cur = RB_INSERT(pf_state_tree_lan_ext, &pf_statetbl_lan_ext, 866 s->state_key)) != NULL) { 867 /* key exists. check for same kif, if none, add to key */ 868 TAILQ_FOREACH(sp, &cur->states, next) 869 if (sp->kif == kif) { /* collision! */ 870 pf_stateins_err("tree_lan_ext", s, kif); 871 pf_detach_state(s, 872 PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY); 873 return (-1); 874 } 875 pf_detach_state(s, PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY); 876 pf_attach_state(cur, s, kif == pfi_all ? 1 : 0); 877 } 878 879 /* if cur != NULL, we already found a state key and attached to it */ 880 if (cur == NULL && (cur = RB_INSERT(pf_state_tree_ext_gwy, 881 &pf_statetbl_ext_gwy, s->state_key)) != NULL) { 882 /* must not happen. we must have found the sk above! */ 883 pf_stateins_err("tree_ext_gwy", s, kif); 884 pf_detach_state(s, PF_DT_SKIP_EXTGWY); 885 return (-1); 886 } 887 888 if (s->id == 0 && s->creatorid == 0) { 889 s->id = htobe64(pf_status.stateid++); 890 s->creatorid = pf_status.hostid; 891 } 892 if (RB_INSERT(pf_state_tree_id, &tree_id, s) != NULL) { 893 if (pf_status.debug >= PF_DEBUG_MISC) { 894 #ifdef __NetBSD__ 895 printf("pf: state insert failed: " 896 "id: %016" PRIx64 " creatorid: %08x", 897 be64toh(s->id), ntohl(s->creatorid)); 898 #else 899 printf("pf: state insert failed: " 900 "id: %016llx creatorid: %08x", 901 betoh64(s->id), ntohl(s->creatorid)); 902 #endif /* !__NetBSD__ */ 903 if (s->sync_flags & PFSTATE_FROMSYNC) 904 printf(" (from sync)"); 905 printf("\n"); 906 } 907 pf_detach_state(s, 0); 908 return (-1); 909 } 910 TAILQ_INSERT_TAIL(&state_list, s, entry_list); 911 pf_status.fcounters[FCNT_STATE_INSERT]++; 912 pf_status.states++; 913 pfi_kif_ref(kif, PFI_KIF_REF_STATE); 914 #if NPFSYNC 915 pfsync_insert_state(s); 916 #endif 917 return (0); 918 } 919 920 #ifdef _LKM 921 volatile int pf_purge_thread_stop; 922 volatile int pf_purge_thread_running; 923 #endif 924 925 void 926 pf_purge_thread(void *v) 927 { 928 int nloops = 0, s; 929 930 #ifdef _LKM 931 pf_purge_thread_running = 1; 932 pf_purge_thread_stop = 0; 933 934 while (!pf_purge_thread_stop) { 935 #else 936 for (;;) { 937 #endif /* !_LKM */ 938 tsleep(pf_purge_thread, PWAIT, "pftm", 1 * hz); 939 940 s = splsoftnet(); 941 942 /* process a fraction of the state table every second */ 943 pf_purge_expired_states(1 + (pf_status.states 944 / pf_default_rule.timeout[PFTM_INTERVAL])); 945 946 /* purge other expired types every PFTM_INTERVAL seconds */ 947 if (++nloops >= pf_default_rule.timeout[PFTM_INTERVAL]) { 948 pf_purge_expired_fragments(); 949 pf_purge_expired_src_nodes(0); 950 nloops = 0; 951 } 952 953 splx(s); 954 } 955 956 #ifdef _LKM 957 pf_purge_thread_running = 0; 958 wakeup(&pf_purge_thread_running); 959 kthread_exit(0); 960 #endif /* _LKM */ 961 } 962 963 u_int32_t 964 pf_state_expires(const struct pf_state *state) 965 { 966 u_int32_t timeout; 967 u_int32_t start; 968 u_int32_t end; 969 u_int32_t states; 970 971 /* handle all PFTM_* > PFTM_MAX here */ 972 if (state->timeout == PFTM_PURGE) 973 return (time_second); 974 if (state->timeout == PFTM_UNTIL_PACKET) 975 return (0); 976 KASSERT(state->timeout != PFTM_UNLINKED); 977 KASSERT(state->timeout < PFTM_MAX); 978 timeout = state->rule.ptr->timeout[state->timeout]; 979 if (!timeout) 980 timeout = pf_default_rule.timeout[state->timeout]; 981 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; 982 if (start) { 983 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; 984 states = state->rule.ptr->states; 985 } else { 986 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START]; 987 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 988 states = pf_status.states; 989 } 990 if (end && states > start && start < end) { 991 if (states < end) 992 return (state->expire + timeout * (end - states) / 993 (end - start)); 994 else 995 return (time_second); 996 } 997 return (state->expire + timeout); 998 } 999 1000 void 1001 pf_purge_expired_src_nodes(int waslocked) 1002 { 1003 struct pf_src_node *cur, *next; 1004 int locked = waslocked; 1005 1006 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) { 1007 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur); 1008 1009 if (cur->states <= 0 && cur->expire <= time_second) { 1010 if (! locked) { 1011 rw_enter_write(&pf_consistency_lock); 1012 next = RB_NEXT(pf_src_tree, 1013 &tree_src_tracking, cur); 1014 locked = 1; 1015 } 1016 if (cur->rule.ptr != NULL) { 1017 cur->rule.ptr->src_nodes--; 1018 if (cur->rule.ptr->states <= 0 && 1019 cur->rule.ptr->max_src_nodes <= 0) 1020 pf_rm_rule(NULL, cur->rule.ptr); 1021 } 1022 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur); 1023 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 1024 pf_status.src_nodes--; 1025 pool_put(&pf_src_tree_pl, cur); 1026 } 1027 } 1028 1029 if (locked && !waslocked) 1030 rw_exit_write(&pf_consistency_lock); 1031 } 1032 1033 void 1034 pf_src_tree_remove_state(struct pf_state *s) 1035 { 1036 u_int32_t timeout; 1037 1038 if (s->src_node != NULL) { 1039 if (s->src.tcp_est) 1040 --s->src_node->conn; 1041 if (--s->src_node->states <= 0) { 1042 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 1043 if (!timeout) 1044 timeout = 1045 pf_default_rule.timeout[PFTM_SRC_NODE]; 1046 s->src_node->expire = time_second + timeout; 1047 } 1048 } 1049 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { 1050 if (--s->nat_src_node->states <= 0) { 1051 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 1052 if (!timeout) 1053 timeout = 1054 pf_default_rule.timeout[PFTM_SRC_NODE]; 1055 s->nat_src_node->expire = time_second + timeout; 1056 } 1057 } 1058 s->src_node = s->nat_src_node = NULL; 1059 } 1060 1061 /* callers should be at splsoftnet */ 1062 void 1063 pf_unlink_state(struct pf_state *cur) 1064 { 1065 if (cur->src.state == PF_TCPS_PROXY_DST) { 1066 pf_send_tcp(cur->rule.ptr, cur->state_key->af, 1067 &cur->state_key->ext.addr, &cur->state_key->lan.addr, 1068 cur->state_key->ext.port, cur->state_key->lan.port, 1069 cur->src.seqhi, cur->src.seqlo + 1, 1070 TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL); 1071 } 1072 RB_REMOVE(pf_state_tree_id, &tree_id, cur); 1073 #if NPFSYNC 1074 if (cur->creatorid == pf_status.hostid) 1075 pfsync_delete_state(cur); 1076 #endif 1077 cur->timeout = PFTM_UNLINKED; 1078 pf_src_tree_remove_state(cur); 1079 pf_detach_state(cur, 0); 1080 } 1081 1082 /* callers should be at splsoftnet and hold the 1083 * write_lock on pf_consistency_lock */ 1084 void 1085 pf_free_state(struct pf_state *cur) 1086 { 1087 #if NPFSYNC 1088 if (pfsyncif != NULL && 1089 (pfsyncif->sc_bulk_send_next == cur || 1090 pfsyncif->sc_bulk_terminator == cur)) 1091 return; 1092 #endif 1093 KASSERT(cur->timeout == PFTM_UNLINKED); 1094 if (--cur->rule.ptr->states <= 0 && 1095 cur->rule.ptr->src_nodes <= 0) 1096 pf_rm_rule(NULL, cur->rule.ptr); 1097 if (cur->nat_rule.ptr != NULL) 1098 if (--cur->nat_rule.ptr->states <= 0 && 1099 cur->nat_rule.ptr->src_nodes <= 0) 1100 pf_rm_rule(NULL, cur->nat_rule.ptr); 1101 if (cur->anchor.ptr != NULL) 1102 if (--cur->anchor.ptr->states <= 0) 1103 pf_rm_rule(NULL, cur->anchor.ptr); 1104 pf_normalize_tcp_cleanup(cur); 1105 pfi_kif_unref(cur->kif, PFI_KIF_REF_STATE); 1106 TAILQ_REMOVE(&state_list, cur, entry_list); 1107 if (cur->tag) 1108 pf_tag_unref(cur->tag); 1109 pool_put(&pf_state_pl, cur); 1110 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 1111 pf_status.states--; 1112 } 1113 1114 void 1115 pf_purge_expired_states(u_int32_t maxcheck) 1116 { 1117 static struct pf_state *cur = NULL; 1118 struct pf_state *next; 1119 int locked = 0; 1120 1121 while (maxcheck--) { 1122 /* wrap to start of list when we hit the end */ 1123 if (cur == NULL) { 1124 cur = TAILQ_FIRST(&state_list); 1125 if (cur == NULL) 1126 break; /* list empty */ 1127 } 1128 1129 /* get next state, as cur may get deleted */ 1130 next = TAILQ_NEXT(cur, entry_list); 1131 1132 if (cur->timeout == PFTM_UNLINKED) { 1133 /* free unlinked state */ 1134 if (! locked) { 1135 rw_enter_write(&pf_consistency_lock); 1136 locked = 1; 1137 } 1138 pf_free_state(cur); 1139 } else if (pf_state_expires(cur) <= time_second) { 1140 /* unlink and free expired state */ 1141 pf_unlink_state(cur); 1142 if (! locked) { 1143 rw_enter_write(&pf_consistency_lock); 1144 locked = 1; 1145 } 1146 pf_free_state(cur); 1147 } 1148 cur = next; 1149 } 1150 1151 if (locked) 1152 rw_exit_write(&pf_consistency_lock); 1153 } 1154 1155 int 1156 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw) 1157 { 1158 if (aw->type != PF_ADDR_TABLE) 1159 return (0); 1160 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL) 1161 return (1); 1162 return (0); 1163 } 1164 1165 void 1166 pf_tbladdr_remove(struct pf_addr_wrap *aw) 1167 { 1168 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) 1169 return; 1170 pfr_detach_table(aw->p.tbl); 1171 aw->p.tbl = NULL; 1172 } 1173 1174 void 1175 pf_tbladdr_copyout(struct pf_addr_wrap *aw) 1176 { 1177 struct pfr_ktable *kt = aw->p.tbl; 1178 1179 if (aw->type != PF_ADDR_TABLE || kt == NULL) 1180 return; 1181 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) 1182 kt = kt->pfrkt_root; 1183 aw->p.tbl = NULL; 1184 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? 1185 kt->pfrkt_cnt : -1; 1186 } 1187 1188 void 1189 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) 1190 { 1191 switch (af) { 1192 #ifdef INET 1193 case AF_INET: { 1194 u_int32_t a = ntohl(addr->addr32[0]); 1195 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, 1196 (a>>8)&255, a&255); 1197 if (p) { 1198 p = ntohs(p); 1199 printf(":%u", p); 1200 } 1201 break; 1202 } 1203 #endif /* INET */ 1204 #ifdef INET6 1205 case AF_INET6: { 1206 u_int16_t b; 1207 u_int8_t i, curstart = 255, curend = 0, 1208 maxstart = 0, maxend = 0; 1209 for (i = 0; i < 8; i++) { 1210 if (!addr->addr16[i]) { 1211 if (curstart == 255) 1212 curstart = i; 1213 else 1214 curend = i; 1215 } else { 1216 if (curstart) { 1217 if ((curend - curstart) > 1218 (maxend - maxstart)) { 1219 maxstart = curstart; 1220 maxend = curend; 1221 curstart = 255; 1222 } 1223 } 1224 } 1225 } 1226 for (i = 0; i < 8; i++) { 1227 if (i >= maxstart && i <= maxend) { 1228 if (maxend != 7) { 1229 if (i == maxstart) 1230 printf(":"); 1231 } else { 1232 if (i == maxend) 1233 printf(":"); 1234 } 1235 } else { 1236 b = ntohs(addr->addr16[i]); 1237 printf("%x", b); 1238 if (i < 7) 1239 printf(":"); 1240 } 1241 } 1242 if (p) { 1243 p = ntohs(p); 1244 printf("[%u]", p); 1245 } 1246 break; 1247 } 1248 #endif /* INET6 */ 1249 } 1250 } 1251 1252 void 1253 pf_print_state(struct pf_state *s) 1254 { 1255 struct pf_state_key *sk = s->state_key; 1256 switch (sk->proto) { 1257 case IPPROTO_TCP: 1258 printf("TCP "); 1259 break; 1260 case IPPROTO_UDP: 1261 printf("UDP "); 1262 break; 1263 case IPPROTO_ICMP: 1264 printf("ICMP "); 1265 break; 1266 case IPPROTO_ICMPV6: 1267 printf("ICMPV6 "); 1268 break; 1269 default: 1270 printf("%u ", sk->proto); 1271 break; 1272 } 1273 pf_print_host(&sk->lan.addr, sk->lan.port, sk->af); 1274 printf(" "); 1275 pf_print_host(&sk->gwy.addr, sk->gwy.port, sk->af); 1276 printf(" "); 1277 pf_print_host(&sk->ext.addr, sk->ext.port, sk->af); 1278 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, 1279 s->src.seqhi, s->src.max_win, s->src.seqdiff); 1280 if (s->src.wscale && s->dst.wscale) 1281 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); 1282 printf("]"); 1283 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, 1284 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); 1285 if (s->src.wscale && s->dst.wscale) 1286 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); 1287 printf("]"); 1288 printf(" %u:%u", s->src.state, s->dst.state); 1289 } 1290 1291 void 1292 pf_print_flags(u_int8_t f) 1293 { 1294 if (f) 1295 printf(" "); 1296 if (f & TH_FIN) 1297 printf("F"); 1298 if (f & TH_SYN) 1299 printf("S"); 1300 if (f & TH_RST) 1301 printf("R"); 1302 if (f & TH_PUSH) 1303 printf("P"); 1304 if (f & TH_ACK) 1305 printf("A"); 1306 if (f & TH_URG) 1307 printf("U"); 1308 if (f & TH_ECE) 1309 printf("E"); 1310 if (f & TH_CWR) 1311 printf("W"); 1312 } 1313 1314 #define PF_SET_SKIP_STEPS(i) \ 1315 do { \ 1316 while (head[i] != cur) { \ 1317 head[i]->skip[i].ptr = cur; \ 1318 head[i] = TAILQ_NEXT(head[i], entries); \ 1319 } \ 1320 } while (0) 1321 1322 void 1323 pf_calc_skip_steps(struct pf_rulequeue *rules) 1324 { 1325 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; 1326 int i; 1327 1328 cur = TAILQ_FIRST(rules); 1329 prev = cur; 1330 for (i = 0; i < PF_SKIP_COUNT; ++i) 1331 head[i] = cur; 1332 while (cur != NULL) { 1333 1334 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot) 1335 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 1336 if (cur->direction != prev->direction) 1337 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 1338 if (cur->af != prev->af) 1339 PF_SET_SKIP_STEPS(PF_SKIP_AF); 1340 if (cur->proto != prev->proto) 1341 PF_SET_SKIP_STEPS(PF_SKIP_PROTO); 1342 if (cur->src.neg != prev->src.neg || 1343 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 1344 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 1345 if (cur->src.port[0] != prev->src.port[0] || 1346 cur->src.port[1] != prev->src.port[1] || 1347 cur->src.port_op != prev->src.port_op) 1348 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); 1349 if (cur->dst.neg != prev->dst.neg || 1350 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 1351 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 1352 if (cur->dst.port[0] != prev->dst.port[0] || 1353 cur->dst.port[1] != prev->dst.port[1] || 1354 cur->dst.port_op != prev->dst.port_op) 1355 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 1356 1357 prev = cur; 1358 cur = TAILQ_NEXT(cur, entries); 1359 } 1360 for (i = 0; i < PF_SKIP_COUNT; ++i) 1361 PF_SET_SKIP_STEPS(i); 1362 } 1363 1364 int 1365 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) 1366 { 1367 if (aw1->type != aw2->type) 1368 return (1); 1369 switch (aw1->type) { 1370 case PF_ADDR_ADDRMASK: 1371 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) 1372 return (1); 1373 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 1374 return (1); 1375 return (0); 1376 case PF_ADDR_DYNIFTL: 1377 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt); 1378 case PF_ADDR_NOROUTE: 1379 case PF_ADDR_URPFFAILED: 1380 return (0); 1381 case PF_ADDR_TABLE: 1382 return (aw1->p.tbl != aw2->p.tbl); 1383 case PF_ADDR_RTLABEL: 1384 return (aw1->v.rtlabel != aw2->v.rtlabel); 1385 default: 1386 printf("invalid address type: %d\n", aw1->type); 1387 return (1); 1388 } 1389 } 1390 1391 u_int16_t 1392 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1393 { 1394 u_int32_t l; 1395 1396 if (udp && !cksum) 1397 return (0x0000); 1398 l = cksum + old - new; 1399 l = (l >> 16) + (l & 65535); 1400 l = l & 65535; 1401 if (udp && !l) 1402 return (0xFFFF); 1403 return (l); 1404 } 1405 1406 void 1407 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 1408 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) 1409 { 1410 struct pf_addr ao; 1411 u_int16_t po = *p; 1412 1413 PF_ACPY(&ao, a, af); 1414 PF_ACPY(a, an, af); 1415 1416 *p = pn; 1417 1418 switch (af) { 1419 #ifdef INET 1420 case AF_INET: 1421 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1422 ao.addr16[0], an->addr16[0], 0), 1423 ao.addr16[1], an->addr16[1], 0); 1424 *p = pn; 1425 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1426 ao.addr16[0], an->addr16[0], u), 1427 ao.addr16[1], an->addr16[1], u), 1428 po, pn, u); 1429 break; 1430 #endif /* INET */ 1431 #ifdef INET6 1432 case AF_INET6: 1433 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1434 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1435 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1436 ao.addr16[0], an->addr16[0], u), 1437 ao.addr16[1], an->addr16[1], u), 1438 ao.addr16[2], an->addr16[2], u), 1439 ao.addr16[3], an->addr16[3], u), 1440 ao.addr16[4], an->addr16[4], u), 1441 ao.addr16[5], an->addr16[5], u), 1442 ao.addr16[6], an->addr16[6], u), 1443 ao.addr16[7], an->addr16[7], u), 1444 po, pn, u); 1445 break; 1446 #endif /* INET6 */ 1447 } 1448 } 1449 1450 1451 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 1452 void 1453 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 1454 { 1455 u_int32_t ao; 1456 1457 memcpy(&ao, a, sizeof(ao)); 1458 memcpy(a, &an, sizeof(u_int32_t)); 1459 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 1460 ao % 65536, an % 65536, u); 1461 } 1462 1463 #ifdef INET6 1464 void 1465 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 1466 { 1467 struct pf_addr ao; 1468 1469 PF_ACPY(&ao, a, AF_INET6); 1470 PF_ACPY(a, an, AF_INET6); 1471 1472 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1473 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1474 pf_cksum_fixup(pf_cksum_fixup(*c, 1475 ao.addr16[0], an->addr16[0], u), 1476 ao.addr16[1], an->addr16[1], u), 1477 ao.addr16[2], an->addr16[2], u), 1478 ao.addr16[3], an->addr16[3], u), 1479 ao.addr16[4], an->addr16[4], u), 1480 ao.addr16[5], an->addr16[5], u), 1481 ao.addr16[6], an->addr16[6], u), 1482 ao.addr16[7], an->addr16[7], u); 1483 } 1484 #endif /* INET6 */ 1485 1486 void 1487 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, 1488 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 1489 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) 1490 { 1491 struct pf_addr oia, ooa; 1492 1493 PF_ACPY(&oia, ia, af); 1494 PF_ACPY(&ooa, oa, af); 1495 1496 /* Change inner protocol port, fix inner protocol checksum. */ 1497 if (ip != NULL) { 1498 u_int16_t oip = *ip; 1499 u_int32_t opc = 0; 1500 1501 if (pc != NULL) 1502 opc = *pc; 1503 *ip = np; 1504 if (pc != NULL) 1505 *pc = pf_cksum_fixup(*pc, oip, *ip, u); 1506 *ic = pf_cksum_fixup(*ic, oip, *ip, 0); 1507 if (pc != NULL) 1508 *ic = pf_cksum_fixup(*ic, opc, *pc, 0); 1509 } 1510 /* Change inner ip address, fix inner ip and icmp checksums. */ 1511 PF_ACPY(ia, na, af); 1512 switch (af) { 1513 #ifdef INET 1514 case AF_INET: { 1515 u_int32_t oh2c = *h2c; 1516 1517 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, 1518 oia.addr16[0], ia->addr16[0], 0), 1519 oia.addr16[1], ia->addr16[1], 0); 1520 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1521 oia.addr16[0], ia->addr16[0], 0), 1522 oia.addr16[1], ia->addr16[1], 0); 1523 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); 1524 break; 1525 } 1526 #endif /* INET */ 1527 #ifdef INET6 1528 case AF_INET6: 1529 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1530 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1531 pf_cksum_fixup(pf_cksum_fixup(*ic, 1532 oia.addr16[0], ia->addr16[0], u), 1533 oia.addr16[1], ia->addr16[1], u), 1534 oia.addr16[2], ia->addr16[2], u), 1535 oia.addr16[3], ia->addr16[3], u), 1536 oia.addr16[4], ia->addr16[4], u), 1537 oia.addr16[5], ia->addr16[5], u), 1538 oia.addr16[6], ia->addr16[6], u), 1539 oia.addr16[7], ia->addr16[7], u); 1540 break; 1541 #endif /* INET6 */ 1542 } 1543 /* Change outer ip address, fix outer ip or icmpv6 checksum. */ 1544 PF_ACPY(oa, na, af); 1545 switch (af) { 1546 #ifdef INET 1547 case AF_INET: 1548 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, 1549 ooa.addr16[0], oa->addr16[0], 0), 1550 ooa.addr16[1], oa->addr16[1], 0); 1551 break; 1552 #endif /* INET */ 1553 #ifdef INET6 1554 case AF_INET6: 1555 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1556 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1557 pf_cksum_fixup(pf_cksum_fixup(*ic, 1558 ooa.addr16[0], oa->addr16[0], u), 1559 ooa.addr16[1], oa->addr16[1], u), 1560 ooa.addr16[2], oa->addr16[2], u), 1561 ooa.addr16[3], oa->addr16[3], u), 1562 ooa.addr16[4], oa->addr16[4], u), 1563 ooa.addr16[5], oa->addr16[5], u), 1564 ooa.addr16[6], oa->addr16[6], u), 1565 ooa.addr16[7], oa->addr16[7], u); 1566 break; 1567 #endif /* INET6 */ 1568 } 1569 } 1570 1571 1572 /* 1573 * Need to modulate the sequence numbers in the TCP SACK option 1574 * (credits to Krzysztof Pfaff for report and patch) 1575 */ 1576 int 1577 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd, 1578 struct tcphdr *th, struct pf_state_peer *dst) 1579 { 1580 int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen; 1581 u_int8_t opts[MAX_TCPOPTLEN], *opt = opts; 1582 int copyback = 0, i, olen; 1583 struct sackblk sack; 1584 1585 #ifdef __NetBSD__ 1586 #define TCPOLEN_SACK (2 * sizeof(uint32_t)) 1587 #endif 1588 1589 #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) 1590 if (hlen < TCPOLEN_SACKLEN || 1591 !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) 1592 return 0; 1593 1594 while (hlen >= TCPOLEN_SACKLEN) { 1595 olen = opt[1]; 1596 switch (*opt) { 1597 case TCPOPT_EOL: /* FALLTHROUGH */ 1598 case TCPOPT_NOP: 1599 opt++; 1600 hlen--; 1601 break; 1602 case TCPOPT_SACK: 1603 if (olen > hlen) 1604 olen = hlen; 1605 if (olen >= TCPOLEN_SACKLEN) { 1606 for (i = 2; i + TCPOLEN_SACK <= olen; 1607 i += TCPOLEN_SACK) { 1608 memcpy(&sack, &opt[i], sizeof(sack)); 1609 #ifdef __NetBSD__ 1610 #define SACK_START sack.left 1611 #define SACK_END sack.right 1612 #else 1613 #define SACK_START sack.start 1614 #define SACK_END sack.end 1615 #endif 1616 pf_change_a(&SACK_START, &th->th_sum, 1617 htonl(ntohl(SACK_START) - 1618 dst->seqdiff), 0); 1619 pf_change_a(&SACK_END, &th->th_sum, 1620 htonl(ntohl(SACK_END) - 1621 dst->seqdiff), 0); 1622 #undef SACK_START 1623 #undef SACK_END 1624 memcpy(&opt[i], &sack, sizeof(sack)); 1625 } 1626 copyback = 1; 1627 } 1628 /* FALLTHROUGH */ 1629 default: 1630 if (olen < 2) 1631 olen = 2; 1632 hlen -= olen; 1633 opt += olen; 1634 } 1635 } 1636 1637 if (copyback) 1638 m_copyback(m, off + sizeof(*th), thoptlen, opts); 1639 return (copyback); 1640 } 1641 1642 void 1643 pf_send_tcp(const struct pf_rule *r, sa_family_t af, 1644 const struct pf_addr *saddr, const struct pf_addr *daddr, 1645 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, 1646 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag, 1647 u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp) 1648 { 1649 struct mbuf *m; 1650 int len, tlen; 1651 #ifdef INET 1652 struct ip *h = NULL; 1653 #endif /* INET */ 1654 #ifdef INET6 1655 struct ip6_hdr *h6 = NULL; 1656 #endif /* INET6 */ 1657 struct tcphdr *th; 1658 char *opt; 1659 #ifdef __NetBSD__ 1660 struct pf_mtag *pf_mtag; 1661 #endif /* __NetBSD__ */ 1662 1663 /* maximum segment size tcp option */ 1664 tlen = sizeof(struct tcphdr); 1665 if (mss) 1666 tlen += 4; 1667 1668 switch (af) { 1669 #ifdef INET 1670 case AF_INET: 1671 len = sizeof(struct ip) + tlen; 1672 break; 1673 #endif /* INET */ 1674 #ifdef INET6 1675 case AF_INET6: 1676 len = sizeof(struct ip6_hdr) + tlen; 1677 break; 1678 #endif /* INET6 */ 1679 default: 1680 return; 1681 } 1682 1683 /* create outgoing mbuf */ 1684 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1685 if (m == NULL) 1686 return; 1687 #ifdef __NetBSD__ 1688 if ((pf_mtag = pf_get_mtag(m)) == NULL) { 1689 m_freem(m); 1690 return; 1691 } 1692 if (tag) 1693 pf_mtag->flags |= PF_TAG_GENERATED; 1694 pf_mtag->tag = rtag; 1695 1696 if (r != NULL && r->rtableid >= 0) 1697 pf_mtag->rtableid = r->rtableid; 1698 #else 1699 if (tag) 1700 m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; 1701 m->m_pkthdr.pf.tag = rtag; 1702 1703 if (r != NULL && r->rtableid >= 0) 1704 m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid; 1705 #endif /* !__NetBSD__ */ 1706 1707 #ifdef ALTQ 1708 if (r != NULL && r->qid) { 1709 #ifdef __NetBSD__ 1710 struct m_tag *mtag; 1711 struct altq_tag *atag; 1712 1713 mtag = m_tag_get(PACKET_TAG_ALTQ_QID, sizeof(*atag), M_NOWAIT); 1714 if (mtag != NULL) { 1715 atag = (struct altq_tag *)(mtag + 1); 1716 atag->qid = r->qid; 1717 /* add hints for ecn */ 1718 atag->af = af; 1719 atag->hdr = mtod(m, struct ip *); 1720 m_tag_prepend(m, mtag); 1721 } 1722 #else 1723 m->m_pkthdr.pf.qid = r->qid; 1724 /* add hints for ecn */ 1725 m->m_pkthdr.pf.hdr = mtod(m, struct ip *); 1726 #endif /* !__NetBSD__ */ 1727 } 1728 #endif /* ALTQ */ 1729 m->m_data += max_linkhdr; 1730 m->m_pkthdr.len = m->m_len = len; 1731 m->m_pkthdr.rcvif = NULL; 1732 bzero(m->m_data, len); 1733 switch (af) { 1734 #ifdef INET 1735 case AF_INET: 1736 h = mtod(m, struct ip *); 1737 1738 /* IP header fields included in the TCP checksum */ 1739 h->ip_p = IPPROTO_TCP; 1740 h->ip_len = htons(tlen); 1741 h->ip_src.s_addr = saddr->v4.s_addr; 1742 h->ip_dst.s_addr = daddr->v4.s_addr; 1743 1744 th = (struct tcphdr *)((char *)h + sizeof(struct ip)); 1745 break; 1746 #endif /* INET */ 1747 #ifdef INET6 1748 case AF_INET6: 1749 h6 = mtod(m, struct ip6_hdr *); 1750 1751 /* IP header fields included in the TCP checksum */ 1752 h6->ip6_nxt = IPPROTO_TCP; 1753 h6->ip6_plen = htons(tlen); 1754 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); 1755 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); 1756 1757 th = (struct tcphdr *)((char *)h6 + sizeof(struct ip6_hdr)); 1758 break; 1759 #endif /* INET6 */ 1760 default: 1761 m_freem(m); 1762 return; 1763 } 1764 1765 /* TCP header */ 1766 th->th_sport = sport; 1767 th->th_dport = dport; 1768 th->th_seq = htonl(seq); 1769 th->th_ack = htonl(ack); 1770 th->th_off = tlen >> 2; 1771 th->th_flags = flags; 1772 th->th_win = htons(win); 1773 1774 if (mss) { 1775 opt = (char *)(th + 1); 1776 opt[0] = TCPOPT_MAXSEG; 1777 opt[1] = 4; 1778 HTONS(mss); 1779 bcopy((void *)&mss, (void *)(opt + 2), 2); 1780 } 1781 1782 switch (af) { 1783 #ifdef INET 1784 case AF_INET: 1785 /* TCP checksum */ 1786 th->th_sum = in_cksum(m, len); 1787 1788 /* Finish the IP header */ 1789 h->ip_v = 4; 1790 h->ip_hl = sizeof(*h) >> 2; 1791 h->ip_tos = IPTOS_LOWDELAY; 1792 h->ip_len = htons(len); 1793 h->ip_off = htons(ip_mtudisc ? IP_DF : 0); 1794 h->ip_ttl = ttl ? ttl : ip_defttl; 1795 h->ip_sum = 0; 1796 if (eh == NULL) { 1797 ip_output(m, (void *)NULL, (void *)NULL, 0, 1798 (void *)NULL, (void *)NULL); 1799 } else { 1800 #ifdef __NetBSD__ 1801 /* 1802 * On netbsd, pf_test and pf_test6 are always called 1803 * with eh == NULL. 1804 */ 1805 panic("pf_send_tcp: eh != NULL"); 1806 #else 1807 struct route ro; 1808 struct rtentry rt; 1809 struct ether_header *e = (void *)ro.ro_dst.sa_data; 1810 1811 if (ifp == NULL) { 1812 m_freem(m); 1813 return; 1814 } 1815 rt.rt_ifp = ifp; 1816 ro.ro_rt = &rt; 1817 ro.ro_dst.sa_len = sizeof(ro.ro_dst); 1818 ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT; 1819 bcopy(eh->ether_dhost, e->ether_shost, ETHER_ADDR_LEN); 1820 bcopy(eh->ether_shost, e->ether_dhost, ETHER_ADDR_LEN); 1821 e->ether_type = eh->ether_type; 1822 ip_output(m, (void *)NULL, &ro, IP_ROUTETOETHER, 1823 (void *)NULL, (void *)NULL); 1824 #endif /* !__NetBSD__ */ 1825 } 1826 break; 1827 #endif /* INET */ 1828 #ifdef INET6 1829 case AF_INET6: 1830 /* TCP checksum */ 1831 th->th_sum = in6_cksum(m, IPPROTO_TCP, 1832 sizeof(struct ip6_hdr), tlen); 1833 1834 h6->ip6_vfc |= IPV6_VERSION; 1835 h6->ip6_hlim = IPV6_DEFHLIM; 1836 1837 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 1838 break; 1839 #endif /* INET6 */ 1840 } 1841 } 1842 1843 void 1844 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, 1845 struct pf_rule *r) 1846 { 1847 struct mbuf *m0; 1848 #ifdef __NetBSD__ 1849 struct pf_mtag *pf_mtag; 1850 #endif /* __NetBSD__ */ 1851 1852 m0 = m_copy(m, 0, M_COPYALL); 1853 1854 #ifdef __NetBSD__ 1855 if ((pf_mtag = pf_get_mtag(m0)) == NULL) 1856 return; 1857 pf_mtag->flags |= PF_TAG_GENERATED; 1858 1859 if (r->rtableid >= 0) 1860 pf_mtag->rtableid = r->rtableid; 1861 #else 1862 m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; 1863 1864 if (r->rtableid >= 0) 1865 m0->m_pkthdr.pf.rtableid = r->rtableid; 1866 #endif /* !__NetBSD__ */ 1867 1868 #ifdef ALTQ 1869 if (r->qid) { 1870 #ifdef __NetBSD__ 1871 struct m_tag *mtag; 1872 struct altq_tag *atag; 1873 1874 mtag = m_tag_get(PACKET_TAG_ALTQ_QID, sizeof(*atag), M_NOWAIT); 1875 if (mtag != NULL) { 1876 atag = (struct altq_tag *)(mtag + 1); 1877 atag->qid = r->qid; 1878 /* add hints for ecn */ 1879 atag->af = af; 1880 atag->hdr = mtod(m0, struct ip *); 1881 m_tag_prepend(m0, mtag); 1882 } 1883 #else 1884 m0->m_pkthdr.pf.qid = r->qid; 1885 /* add hints for ecn */ 1886 m0->m_pkthdr.pf.hdr = mtod(m0, struct ip *); 1887 #endif /* !__NetBSD__ */ 1888 } 1889 #endif /* ALTQ */ 1890 1891 switch (af) { 1892 #ifdef INET 1893 case AF_INET: 1894 icmp_error(m0, type, code, 0, 0); 1895 break; 1896 #endif /* INET */ 1897 #ifdef INET6 1898 case AF_INET6: 1899 icmp6_error(m0, type, code, 0); 1900 break; 1901 #endif /* INET6 */ 1902 } 1903 } 1904 1905 /* 1906 * Return 1 if the addresses a and b match (with mask m), otherwise return 0. 1907 * If n is 0, they match if they are equal. If n is != 0, they match if they 1908 * are different. 1909 */ 1910 int 1911 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, 1912 struct pf_addr *b, sa_family_t af) 1913 { 1914 int match = 0; 1915 1916 switch (af) { 1917 #ifdef INET 1918 case AF_INET: 1919 if ((a->addr32[0] & m->addr32[0]) == 1920 (b->addr32[0] & m->addr32[0])) 1921 match++; 1922 break; 1923 #endif /* INET */ 1924 #ifdef INET6 1925 case AF_INET6: 1926 if (((a->addr32[0] & m->addr32[0]) == 1927 (b->addr32[0] & m->addr32[0])) && 1928 ((a->addr32[1] & m->addr32[1]) == 1929 (b->addr32[1] & m->addr32[1])) && 1930 ((a->addr32[2] & m->addr32[2]) == 1931 (b->addr32[2] & m->addr32[2])) && 1932 ((a->addr32[3] & m->addr32[3]) == 1933 (b->addr32[3] & m->addr32[3]))) 1934 match++; 1935 break; 1936 #endif /* INET6 */ 1937 } 1938 if (match) { 1939 if (n) 1940 return (0); 1941 else 1942 return (1); 1943 } else { 1944 if (n) 1945 return (1); 1946 else 1947 return (0); 1948 } 1949 } 1950 1951 int 1952 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) 1953 { 1954 switch (op) { 1955 case PF_OP_IRG: 1956 return ((p > a1) && (p < a2)); 1957 case PF_OP_XRG: 1958 return ((p < a1) || (p > a2)); 1959 case PF_OP_RRG: 1960 return ((p >= a1) && (p <= a2)); 1961 case PF_OP_EQ: 1962 return (p == a1); 1963 case PF_OP_NE: 1964 return (p != a1); 1965 case PF_OP_LT: 1966 return (p < a1); 1967 case PF_OP_LE: 1968 return (p <= a1); 1969 case PF_OP_GT: 1970 return (p > a1); 1971 case PF_OP_GE: 1972 return (p >= a1); 1973 } 1974 return (0); /* never reached */ 1975 } 1976 1977 int 1978 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) 1979 { 1980 NTOHS(a1); 1981 NTOHS(a2); 1982 NTOHS(p); 1983 return (pf_match(op, a1, a2, p)); 1984 } 1985 1986 int 1987 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) 1988 { 1989 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1990 return (0); 1991 return (pf_match(op, a1, a2, u)); 1992 } 1993 1994 int 1995 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) 1996 { 1997 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1998 return (0); 1999 return (pf_match(op, a1, a2, g)); 2000 } 2001 2002 int 2003 pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag) 2004 { 2005 #ifdef __NetBSD__ 2006 if (*tag == -1) { 2007 struct pf_mtag *pf_mtag = pf_get_mtag(m); 2008 if (pf_mtag == NULL) 2009 return (0); 2010 2011 *tag = pf_mtag->tag; 2012 } 2013 #else 2014 if (*tag == -1) 2015 *tag = m->m_pkthdr.pf.tag; 2016 #endif /* !__NetBSD__ */ 2017 2018 return ((!r->match_tag_not && r->match_tag == *tag) || 2019 (r->match_tag_not && r->match_tag != *tag)); 2020 } 2021 2022 int 2023 pf_tag_packet(struct mbuf *m, int tag, int rtableid) 2024 { 2025 if (tag <= 0 && rtableid < 0) 2026 return (0); 2027 2028 #ifdef __NetBSD__ 2029 if (tag > 0 || rtableid > 0) { 2030 struct pf_mtag *pf_mtag = pf_get_mtag(m); 2031 if (pf_mtag == NULL) 2032 return (1); 2033 2034 if (tag > 0) 2035 pf_mtag->tag = tag; 2036 if (rtableid > 0) 2037 pf_mtag->rtableid = rtableid; 2038 } 2039 #else 2040 if (tag > 0) 2041 m->m_pkthdr.pf.tag = tag; 2042 if (rtableid >= 0) 2043 m->m_pkthdr.pf.rtableid = rtableid; 2044 #endif /* !__NetBSD__ */ 2045 2046 return (0); 2047 } 2048 2049 void 2050 pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n, 2051 struct pf_rule **r, struct pf_rule **a, int *match) 2052 { 2053 struct pf_anchor_stackframe *f; 2054 2055 (*r)->anchor->match = 0; 2056 if (match) 2057 *match = 0; 2058 if (*depth >= sizeof(pf_anchor_stack) / 2059 sizeof(pf_anchor_stack[0])) { 2060 printf("pf_step_into_anchor: stack overflow\n"); 2061 *r = TAILQ_NEXT(*r, entries); 2062 return; 2063 } else if (*depth == 0 && a != NULL) 2064 *a = *r; 2065 f = pf_anchor_stack + (*depth)++; 2066 f->rs = *rs; 2067 f->r = *r; 2068 if ((*r)->anchor_wildcard) { 2069 f->parent = &(*r)->anchor->children; 2070 if ((f->child = RB_MIN(pf_anchor_node, f->parent)) == 2071 NULL) { 2072 *r = NULL; 2073 return; 2074 } 2075 *rs = &f->child->ruleset; 2076 } else { 2077 f->parent = NULL; 2078 f->child = NULL; 2079 *rs = &(*r)->anchor->ruleset; 2080 } 2081 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); 2082 } 2083 2084 int 2085 pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n, 2086 struct pf_rule **r, struct pf_rule **a, int *match) 2087 { 2088 struct pf_anchor_stackframe *f; 2089 int quick = 0; 2090 2091 do { 2092 if (*depth <= 0) 2093 break; 2094 f = pf_anchor_stack + *depth - 1; 2095 if (f->parent != NULL && f->child != NULL) { 2096 if (f->child->match || 2097 (match != NULL && *match)) { 2098 f->r->anchor->match = 1; 2099 *match = 0; 2100 } 2101 f->child = RB_NEXT(pf_anchor_node, f->parent, f->child); 2102 if (f->child != NULL) { 2103 *rs = &f->child->ruleset; 2104 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); 2105 if (*r == NULL) 2106 continue; 2107 else 2108 break; 2109 } 2110 } 2111 (*depth)--; 2112 if (*depth == 0 && a != NULL) 2113 *a = NULL; 2114 *rs = f->rs; 2115 if (f->r->anchor->match || (match != NULL && *match)) 2116 quick = f->r->quick; 2117 *r = TAILQ_NEXT(f->r, entries); 2118 } while (*r == NULL); 2119 2120 return (quick); 2121 } 2122 2123 #ifdef INET6 2124 void 2125 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, 2126 struct pf_addr *rmask, const struct pf_addr *saddr, sa_family_t af) 2127 { 2128 switch (af) { 2129 #ifdef INET 2130 case AF_INET: 2131 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 2132 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 2133 break; 2134 #endif /* INET */ 2135 case AF_INET6: 2136 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 2137 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 2138 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | 2139 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); 2140 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | 2141 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); 2142 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | 2143 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); 2144 break; 2145 } 2146 } 2147 2148 void 2149 pf_addr_inc(struct pf_addr *addr, sa_family_t af) 2150 { 2151 switch (af) { 2152 #ifdef INET 2153 case AF_INET: 2154 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); 2155 break; 2156 #endif /* INET */ 2157 case AF_INET6: 2158 if (addr->addr32[3] == 0xffffffff) { 2159 addr->addr32[3] = 0; 2160 if (addr->addr32[2] == 0xffffffff) { 2161 addr->addr32[2] = 0; 2162 if (addr->addr32[1] == 0xffffffff) { 2163 addr->addr32[1] = 0; 2164 addr->addr32[0] = 2165 htonl(ntohl(addr->addr32[0]) + 1); 2166 } else 2167 addr->addr32[1] = 2168 htonl(ntohl(addr->addr32[1]) + 1); 2169 } else 2170 addr->addr32[2] = 2171 htonl(ntohl(addr->addr32[2]) + 1); 2172 } else 2173 addr->addr32[3] = 2174 htonl(ntohl(addr->addr32[3]) + 1); 2175 break; 2176 } 2177 } 2178 #endif /* INET6 */ 2179 2180 #define mix(a,b,c) \ 2181 do { \ 2182 a -= b; a -= c; a ^= (c >> 13); \ 2183 b -= c; b -= a; b ^= (a << 8); \ 2184 c -= a; c -= b; c ^= (b >> 13); \ 2185 a -= b; a -= c; a ^= (c >> 12); \ 2186 b -= c; b -= a; b ^= (a << 16); \ 2187 c -= a; c -= b; c ^= (b >> 5); \ 2188 a -= b; a -= c; a ^= (c >> 3); \ 2189 b -= c; b -= a; b ^= (a << 10); \ 2190 c -= a; c -= b; c ^= (b >> 15); \ 2191 } while (0) 2192 2193 /* 2194 * hash function based on bridge_hash in if_bridge.c 2195 */ 2196 void 2197 pf_hash(const struct pf_addr *inaddr, struct pf_addr *hash, 2198 struct pf_poolhashkey *key, sa_family_t af) 2199 { 2200 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 2201 2202 switch (af) { 2203 #ifdef INET 2204 case AF_INET: 2205 a += inaddr->addr32[0]; 2206 b += key->key32[1]; 2207 mix(a, b, c); 2208 hash->addr32[0] = c + key->key32[2]; 2209 break; 2210 #endif /* INET */ 2211 #ifdef INET6 2212 case AF_INET6: 2213 a += inaddr->addr32[0]; 2214 b += inaddr->addr32[2]; 2215 mix(a, b, c); 2216 hash->addr32[0] = c; 2217 a += inaddr->addr32[1]; 2218 b += inaddr->addr32[3]; 2219 c += key->key32[1]; 2220 mix(a, b, c); 2221 hash->addr32[1] = c; 2222 a += inaddr->addr32[2]; 2223 b += inaddr->addr32[1]; 2224 c += key->key32[2]; 2225 mix(a, b, c); 2226 hash->addr32[2] = c; 2227 a += inaddr->addr32[3]; 2228 b += inaddr->addr32[0]; 2229 c += key->key32[3]; 2230 mix(a, b, c); 2231 hash->addr32[3] = c; 2232 break; 2233 #endif /* INET6 */ 2234 } 2235 } 2236 2237 int 2238 pf_map_addr(sa_family_t af, struct pf_rule *r, const struct pf_addr *saddr, 2239 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) 2240 { 2241 unsigned char hash[16]; 2242 struct pf_pool *rpool = &r->rpool; 2243 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; 2244 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; 2245 struct pf_pooladdr *acur = rpool->cur; 2246 struct pf_src_node k; 2247 2248 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && 2249 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 2250 k.af = af; 2251 PF_ACPY(&k.addr, saddr, af); 2252 if (r->rule_flag & PFRULE_RULESRCTRACK || 2253 r->rpool.opts & PF_POOL_STICKYADDR) 2254 k.rule.ptr = r; 2255 else 2256 k.rule.ptr = NULL; 2257 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 2258 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 2259 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { 2260 PF_ACPY(naddr, &(*sn)->raddr, af); 2261 if (pf_status.debug >= PF_DEBUG_MISC) { 2262 printf("pf_map_addr: src tracking maps "); 2263 pf_print_host(&k.addr, 0, af); 2264 printf(" to "); 2265 pf_print_host(naddr, 0, af); 2266 printf("\n"); 2267 } 2268 return (0); 2269 } 2270 } 2271 2272 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 2273 return (1); 2274 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 2275 switch (af) { 2276 #ifdef INET 2277 case AF_INET: 2278 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 2279 (rpool->opts & PF_POOL_TYPEMASK) != 2280 PF_POOL_ROUNDROBIN) 2281 return (1); 2282 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 2283 rmask = &rpool->cur->addr.p.dyn->pfid_mask4; 2284 break; 2285 #endif /* INET */ 2286 #ifdef INET6 2287 case AF_INET6: 2288 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 2289 (rpool->opts & PF_POOL_TYPEMASK) != 2290 PF_POOL_ROUNDROBIN) 2291 return (1); 2292 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 2293 rmask = &rpool->cur->addr.p.dyn->pfid_mask6; 2294 break; 2295 #endif /* INET6 */ 2296 } 2297 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 2298 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 2299 return (1); /* unsupported */ 2300 } else { 2301 raddr = &rpool->cur->addr.v.a.addr; 2302 rmask = &rpool->cur->addr.v.a.mask; 2303 } 2304 2305 switch (rpool->opts & PF_POOL_TYPEMASK) { 2306 case PF_POOL_NONE: 2307 PF_ACPY(naddr, raddr, af); 2308 break; 2309 case PF_POOL_BITMASK: 2310 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 2311 break; 2312 case PF_POOL_RANDOM: 2313 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 2314 switch (af) { 2315 #ifdef INET 2316 case AF_INET: 2317 rpool->counter.addr32[0] = htonl(arc4random()); 2318 break; 2319 #endif /* INET */ 2320 #ifdef INET6 2321 case AF_INET6: 2322 if (rmask->addr32[3] != 0xffffffff) 2323 rpool->counter.addr32[3] = 2324 htonl(arc4random()); 2325 else 2326 break; 2327 if (rmask->addr32[2] != 0xffffffff) 2328 rpool->counter.addr32[2] = 2329 htonl(arc4random()); 2330 else 2331 break; 2332 if (rmask->addr32[1] != 0xffffffff) 2333 rpool->counter.addr32[1] = 2334 htonl(arc4random()); 2335 else 2336 break; 2337 if (rmask->addr32[0] != 0xffffffff) 2338 rpool->counter.addr32[0] = 2339 htonl(arc4random()); 2340 break; 2341 #endif /* INET6 */ 2342 } 2343 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 2344 PF_ACPY(init_addr, naddr, af); 2345 2346 } else { 2347 PF_AINC(&rpool->counter, af); 2348 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 2349 } 2350 break; 2351 case PF_POOL_SRCHASH: 2352 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 2353 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 2354 break; 2355 case PF_POOL_ROUNDROBIN: 2356 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 2357 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 2358 &rpool->tblidx, &rpool->counter, 2359 &raddr, &rmask, af)) 2360 goto get_addr; 2361 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 2362 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 2363 &rpool->tblidx, &rpool->counter, 2364 &raddr, &rmask, af)) 2365 goto get_addr; 2366 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 2367 goto get_addr; 2368 2369 try_next: 2370 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) 2371 rpool->cur = TAILQ_FIRST(&rpool->list); 2372 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 2373 rpool->tblidx = -1; 2374 if (pfr_pool_get(rpool->cur->addr.p.tbl, 2375 &rpool->tblidx, &rpool->counter, 2376 &raddr, &rmask, af)) { 2377 /* table contains no address of type 'af' */ 2378 if (rpool->cur != acur) 2379 goto try_next; 2380 return (1); 2381 } 2382 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 2383 rpool->tblidx = -1; 2384 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 2385 &rpool->tblidx, &rpool->counter, 2386 &raddr, &rmask, af)) { 2387 /* table contains no address of type 'af' */ 2388 if (rpool->cur != acur) 2389 goto try_next; 2390 return (1); 2391 } 2392 } else { 2393 raddr = &rpool->cur->addr.v.a.addr; 2394 rmask = &rpool->cur->addr.v.a.mask; 2395 PF_ACPY(&rpool->counter, raddr, af); 2396 } 2397 2398 get_addr: 2399 PF_ACPY(naddr, &rpool->counter, af); 2400 if (init_addr != NULL && PF_AZERO(init_addr, af)) 2401 PF_ACPY(init_addr, naddr, af); 2402 PF_AINC(&rpool->counter, af); 2403 break; 2404 } 2405 if (*sn != NULL) 2406 PF_ACPY(&(*sn)->raddr, naddr, af); 2407 2408 if (pf_status.debug >= PF_DEBUG_MISC && 2409 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 2410 printf("pf_map_addr: selected address "); 2411 pf_print_host(naddr, 0, af); 2412 printf("\n"); 2413 } 2414 2415 return (0); 2416 } 2417 2418 int 2419 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, 2420 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, 2421 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, 2422 struct pf_src_node **sn) 2423 { 2424 struct pf_state_key_cmp key; 2425 struct pf_addr init_addr; 2426 u_int16_t cut; 2427 2428 bzero(&init_addr, sizeof(init_addr)); 2429 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 2430 return (1); 2431 2432 if (proto == IPPROTO_ICMP) { 2433 low = 1; 2434 high = 65535; 2435 } 2436 2437 do { 2438 key.af = af; 2439 key.proto = proto; 2440 PF_ACPY(&key.ext.addr, daddr, key.af); 2441 PF_ACPY(&key.gwy.addr, naddr, key.af); 2442 key.ext.port = dport; 2443 2444 /* 2445 * port search; start random, step; 2446 * similar 2 portloop in in_pcbbind 2447 */ 2448 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP || 2449 proto == IPPROTO_ICMP)) { 2450 key.gwy.port = dport; 2451 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 2452 return (0); 2453 } else if (low == 0 && high == 0) { 2454 key.gwy.port = *nport; 2455 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 2456 return (0); 2457 } else if (low == high) { 2458 key.gwy.port = htons(low); 2459 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) { 2460 *nport = htons(low); 2461 return (0); 2462 } 2463 } else { 2464 u_int16_t tmp; 2465 2466 if (low > high) { 2467 tmp = low; 2468 low = high; 2469 high = tmp; 2470 } 2471 /* low < high */ 2472 cut = htonl(arc4random()) % (1 + high - low) + low; 2473 /* low <= cut <= high */ 2474 for (tmp = cut; tmp <= high; ++(tmp)) { 2475 key.gwy.port = htons(tmp); 2476 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 2477 NULL) { 2478 *nport = htons(tmp); 2479 return (0); 2480 } 2481 } 2482 for (tmp = cut - 1; tmp >= low; --(tmp)) { 2483 key.gwy.port = htons(tmp); 2484 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 2485 NULL) { 2486 *nport = htons(tmp); 2487 return (0); 2488 } 2489 } 2490 } 2491 2492 switch (r->rpool.opts & PF_POOL_TYPEMASK) { 2493 case PF_POOL_RANDOM: 2494 case PF_POOL_ROUNDROBIN: 2495 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 2496 return (1); 2497 break; 2498 case PF_POOL_NONE: 2499 case PF_POOL_SRCHASH: 2500 case PF_POOL_BITMASK: 2501 default: 2502 return (1); 2503 } 2504 } while (! PF_AEQ(&init_addr, naddr, af) ); 2505 2506 return (1); /* none available */ 2507 } 2508 2509 struct pf_rule * 2510 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 2511 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, 2512 struct pf_addr *daddr, u_int16_t dport, int rs_num) 2513 { 2514 struct pf_rule *r, *rm = NULL; 2515 struct pf_ruleset *ruleset = NULL; 2516 int tag = -1; 2517 int rtableid = -1; 2518 int asd = 0; 2519 2520 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 2521 while (r && rm == NULL) { 2522 struct pf_rule_addr *src = NULL, *dst = NULL; 2523 struct pf_addr_wrap *xdst = NULL; 2524 2525 if (r->action == PF_BINAT && direction == PF_IN) { 2526 src = &r->dst; 2527 if (r->rpool.cur != NULL) 2528 xdst = &r->rpool.cur->addr; 2529 } else { 2530 src = &r->src; 2531 dst = &r->dst; 2532 } 2533 2534 r->evaluations++; 2535 if (pfi_kif_match(r->kif, kif) == r->ifnot) 2536 r = r->skip[PF_SKIP_IFP].ptr; 2537 else if (r->direction && r->direction != direction) 2538 r = r->skip[PF_SKIP_DIR].ptr; 2539 else if (r->af && r->af != pd->af) 2540 r = r->skip[PF_SKIP_AF].ptr; 2541 else if (r->proto && r->proto != pd->proto) 2542 r = r->skip[PF_SKIP_PROTO].ptr; 2543 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, 2544 src->neg, kif)) 2545 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 2546 PF_SKIP_DST_ADDR].ptr; 2547 else if (src->port_op && !pf_match_port(src->port_op, 2548 src->port[0], src->port[1], sport)) 2549 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 2550 PF_SKIP_DST_PORT].ptr; 2551 else if (dst != NULL && 2552 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL)) 2553 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2554 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 2555 0, NULL)) 2556 r = TAILQ_NEXT(r, entries); 2557 else if (dst != NULL && dst->port_op && 2558 !pf_match_port(dst->port_op, dst->port[0], 2559 dst->port[1], dport)) 2560 r = r->skip[PF_SKIP_DST_PORT].ptr; 2561 else if (r->match_tag && !pf_match_tag(m, r, &tag)) 2562 r = TAILQ_NEXT(r, entries); 2563 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2564 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2565 off, pd->hdr.tcp), r->os_fingerprint))) 2566 r = TAILQ_NEXT(r, entries); 2567 else { 2568 if (r->tag) 2569 tag = r->tag; 2570 if (r->rtableid >= 0) 2571 rtableid = r->rtableid; 2572 if (r->anchor == NULL) { 2573 rm = r; 2574 } else 2575 pf_step_into_anchor(&asd, &ruleset, rs_num, 2576 &r, NULL, NULL); 2577 } 2578 if (r == NULL) 2579 pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r, 2580 NULL, NULL); 2581 } 2582 if (pf_tag_packet(m, tag, rtableid)) 2583 return (NULL); 2584 if (rm != NULL && (rm->action == PF_NONAT || 2585 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 2586 return (NULL); 2587 return (rm); 2588 } 2589 2590 struct pf_rule * 2591 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 2592 struct pfi_kif *kif, struct pf_src_node **sn, 2593 struct pf_addr *saddr, u_int16_t sport, 2594 struct pf_addr *daddr, u_int16_t dport, 2595 struct pf_addr *naddr, u_int16_t *nport) 2596 { 2597 struct pf_rule *r = NULL; 2598 2599 if (direction == PF_OUT) { 2600 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2601 sport, daddr, dport, PF_RULESET_BINAT); 2602 if (r == NULL) 2603 r = pf_match_translation(pd, m, off, direction, kif, 2604 saddr, sport, daddr, dport, PF_RULESET_NAT); 2605 } else { 2606 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2607 sport, daddr, dport, PF_RULESET_RDR); 2608 if (r == NULL) 2609 r = pf_match_translation(pd, m, off, direction, kif, 2610 saddr, sport, daddr, dport, PF_RULESET_BINAT); 2611 } 2612 2613 if (r != NULL) { 2614 switch (r->action) { 2615 case PF_NONAT: 2616 case PF_NOBINAT: 2617 case PF_NORDR: 2618 return (NULL); 2619 case PF_NAT: 2620 if (pf_get_sport(pd->af, pd->proto, r, saddr, 2621 daddr, dport, naddr, nport, r->rpool.proxy_port[0], 2622 r->rpool.proxy_port[1], sn)) { 2623 DPFPRINTF(PF_DEBUG_MISC, 2624 ("pf: NAT proxy port allocation " 2625 "(%u-%u) failed\n", 2626 r->rpool.proxy_port[0], 2627 r->rpool.proxy_port[1])); 2628 return (NULL); 2629 } 2630 break; 2631 case PF_BINAT: 2632 switch (direction) { 2633 case PF_OUT: 2634 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 2635 switch (pd->af) { 2636 #ifdef INET 2637 case AF_INET: 2638 if (r->rpool.cur->addr.p.dyn-> 2639 pfid_acnt4 < 1) 2640 return (NULL); 2641 PF_POOLMASK(naddr, 2642 &r->rpool.cur->addr.p.dyn-> 2643 pfid_addr4, 2644 &r->rpool.cur->addr.p.dyn-> 2645 pfid_mask4, 2646 saddr, AF_INET); 2647 break; 2648 #endif /* INET */ 2649 #ifdef INET6 2650 case AF_INET6: 2651 if (r->rpool.cur->addr.p.dyn-> 2652 pfid_acnt6 < 1) 2653 return (NULL); 2654 PF_POOLMASK(naddr, 2655 &r->rpool.cur->addr.p.dyn-> 2656 pfid_addr6, 2657 &r->rpool.cur->addr.p.dyn-> 2658 pfid_mask6, 2659 saddr, AF_INET6); 2660 break; 2661 #endif /* INET6 */ 2662 } 2663 } else 2664 PF_POOLMASK(naddr, 2665 &r->rpool.cur->addr.v.a.addr, 2666 &r->rpool.cur->addr.v.a.mask, 2667 saddr, pd->af); 2668 break; 2669 case PF_IN: 2670 if (r->src.addr.type == PF_ADDR_DYNIFTL) { 2671 switch (pd->af) { 2672 #ifdef INET 2673 case AF_INET: 2674 if (r->src.addr.p.dyn-> 2675 pfid_acnt4 < 1) 2676 return (NULL); 2677 PF_POOLMASK(naddr, 2678 &r->src.addr.p.dyn-> 2679 pfid_addr4, 2680 &r->src.addr.p.dyn-> 2681 pfid_mask4, 2682 daddr, AF_INET); 2683 break; 2684 #endif /* INET */ 2685 #ifdef INET6 2686 case AF_INET6: 2687 if (r->src.addr.p.dyn-> 2688 pfid_acnt6 < 1) 2689 return (NULL); 2690 PF_POOLMASK(naddr, 2691 &r->src.addr.p.dyn-> 2692 pfid_addr6, 2693 &r->src.addr.p.dyn-> 2694 pfid_mask6, 2695 daddr, AF_INET6); 2696 break; 2697 #endif /* INET6 */ 2698 } 2699 } else 2700 PF_POOLMASK(naddr, 2701 &r->src.addr.v.a.addr, 2702 &r->src.addr.v.a.mask, daddr, 2703 pd->af); 2704 break; 2705 } 2706 break; 2707 case PF_RDR: { 2708 if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) 2709 return (NULL); 2710 if ((r->rpool.opts & PF_POOL_TYPEMASK) == 2711 PF_POOL_BITMASK) 2712 PF_POOLMASK(naddr, naddr, 2713 &r->rpool.cur->addr.v.a.mask, daddr, 2714 pd->af); 2715 2716 if (r->rpool.proxy_port[1]) { 2717 u_int32_t tmp_nport; 2718 2719 tmp_nport = ((ntohs(dport) - 2720 ntohs(r->dst.port[0])) % 2721 (r->rpool.proxy_port[1] - 2722 r->rpool.proxy_port[0] + 1)) + 2723 r->rpool.proxy_port[0]; 2724 2725 /* wrap around if necessary */ 2726 if (tmp_nport > 65535) 2727 tmp_nport -= 65535; 2728 *nport = htons((u_int16_t)tmp_nport); 2729 } else if (r->rpool.proxy_port[0]) 2730 *nport = htons(r->rpool.proxy_port[0]); 2731 break; 2732 } 2733 default: 2734 return (NULL); 2735 } 2736 } 2737 2738 return (r); 2739 } 2740 2741 int 2742 pf_socket_lookup(int direction, struct pf_pdesc *pd) 2743 { 2744 struct pf_addr *saddr, *daddr; 2745 u_int16_t sport, dport; 2746 struct inpcbtable *tb; 2747 struct inpcb *inp = NULL; 2748 struct socket *so = NULL; 2749 #if defined(__NetBSD__) && defined(INET6) 2750 struct in6pcb *in6p = NULL; 2751 #else 2752 #define in6p inp 2753 #endif /* __NetBSD__ && INET6 */ 2754 2755 if (pd == NULL) 2756 return (-1); 2757 pd->lookup.uid = UID_MAX; 2758 pd->lookup.gid = GID_MAX; 2759 pd->lookup.pid = NO_PID; 2760 switch (pd->proto) { 2761 case IPPROTO_TCP: 2762 if (pd->hdr.tcp == NULL) 2763 return (-1); 2764 sport = pd->hdr.tcp->th_sport; 2765 dport = pd->hdr.tcp->th_dport; 2766 tb = &tcbtable; 2767 break; 2768 case IPPROTO_UDP: 2769 if (pd->hdr.udp == NULL) 2770 return (-1); 2771 sport = pd->hdr.udp->uh_sport; 2772 dport = pd->hdr.udp->uh_dport; 2773 tb = &udbtable; 2774 break; 2775 default: 2776 return (-1); 2777 } 2778 if (direction == PF_IN) { 2779 saddr = pd->src; 2780 daddr = pd->dst; 2781 } else { 2782 u_int16_t p; 2783 2784 p = sport; 2785 sport = dport; 2786 dport = p; 2787 saddr = pd->dst; 2788 daddr = pd->src; 2789 } 2790 switch (pd->af) { 2791 2792 #ifdef __NetBSD__ 2793 #define in_pcbhashlookup(tbl, saddr, sport, daddr, dport) \ 2794 in_pcblookup_connect(tbl, saddr, sport, daddr, dport) 2795 #define in6_pcbhashlookup(tbl, saddr, sport, daddr, dport) \ 2796 in6_pcblookup_connect(tbl, saddr, sport, daddr, dport, 0) 2797 #define in_pcblookup_listen(tbl, addr, port, zero) \ 2798 in_pcblookup_bind(tbl, addr, port) 2799 #define in6_pcblookup_listen(tbl, addr, port, zero) \ 2800 in6_pcblookup_bind(tbl, addr, port, zero) 2801 #endif 2802 2803 #ifdef INET 2804 case AF_INET: 2805 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport); 2806 if (inp == NULL) { 2807 inp = in_pcblookup_listen(tb, daddr->v4, dport, 0); 2808 if (inp == NULL) 2809 return (-1); 2810 } 2811 break; 2812 #endif /* INET */ 2813 #ifdef INET6 2814 case AF_INET6: 2815 /*###2817 [cc] warning: assignment from incompatible pointer type%%%*/ 2816 in6p = in6_pcbhashlookup(tb, &saddr->v6, sport, &daddr->v6, 2817 dport); 2818 if (inp == NULL) { 2819 in6p = in6_pcblookup_listen(tb, &daddr->v6, dport, 0); 2820 if (inp == NULL) 2821 return (-1); 2822 } 2823 break; 2824 #endif /* INET6 */ 2825 2826 default: 2827 return (-1); 2828 } 2829 2830 #ifdef __NetBSD__ 2831 switch (pd->af) { 2832 #ifdef INET 2833 case AF_INET: 2834 so = inp->inp_socket; 2835 break; 2836 #endif 2837 #ifdef INET6 2838 case AF_INET6: 2839 /*###2840 [cc] error: 'struct inpcb' has no member named 'in6p_head'%%%*/ 2840 so = in6p->in6p_socket; 2841 break; 2842 #endif /* INET6 */ 2843 } 2844 pd->lookup.uid = kauth_cred_geteuid(so->so_cred); 2845 pd->lookup.gid = kauth_cred_getegid(so->so_cred); 2846 #else 2847 so = inp->inp_socket; 2848 pd->lookup.uid = so->so_euid; 2849 pd->lookup.gid = so->so_egid; 2850 #endif /* !__NetBSD__ */ 2851 pd->lookup.pid = so->so_cpid; 2852 return (1); 2853 } 2854 2855 u_int8_t 2856 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2857 { 2858 int hlen; 2859 u_int8_t hdr[60]; 2860 u_int8_t *opt, optlen; 2861 u_int8_t wscale = 0; 2862 2863 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2864 if (hlen <= sizeof(struct tcphdr)) 2865 return (0); 2866 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2867 return (0); 2868 opt = hdr + sizeof(struct tcphdr); 2869 hlen -= sizeof(struct tcphdr); 2870 while (hlen >= 3) { 2871 switch (*opt) { 2872 case TCPOPT_EOL: 2873 case TCPOPT_NOP: 2874 ++opt; 2875 --hlen; 2876 break; 2877 case TCPOPT_WINDOW: 2878 wscale = opt[2]; 2879 if (wscale > TCP_MAX_WINSHIFT) 2880 wscale = TCP_MAX_WINSHIFT; 2881 wscale |= PF_WSCALE_FLAG; 2882 /* FALLTHROUGH */ 2883 default: 2884 optlen = opt[1]; 2885 if (optlen < 2) 2886 optlen = 2; 2887 hlen -= optlen; 2888 opt += optlen; 2889 break; 2890 } 2891 } 2892 return (wscale); 2893 } 2894 2895 u_int16_t 2896 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2897 { 2898 int hlen; 2899 u_int8_t hdr[60]; 2900 u_int8_t *opt, optlen; 2901 u_int16_t mss = tcp_mssdflt; 2902 2903 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2904 if (hlen <= sizeof(struct tcphdr)) 2905 return (0); 2906 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2907 return (0); 2908 opt = hdr + sizeof(struct tcphdr); 2909 hlen -= sizeof(struct tcphdr); 2910 while (hlen >= TCPOLEN_MAXSEG) { 2911 switch (*opt) { 2912 case TCPOPT_EOL: 2913 case TCPOPT_NOP: 2914 ++opt; 2915 --hlen; 2916 break; 2917 case TCPOPT_MAXSEG: 2918 bcopy((void *)(opt + 2), (void *)&mss, 2); 2919 NTOHS(mss); 2920 /* FALLTHROUGH */ 2921 default: 2922 optlen = opt[1]; 2923 if (optlen < 2) 2924 optlen = 2; 2925 hlen -= optlen; 2926 opt += optlen; 2927 break; 2928 } 2929 } 2930 return (mss); 2931 } 2932 2933 u_int16_t 2934 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer) 2935 { 2936 union { 2937 struct sockaddr dst; 2938 struct sockaddr_in dst4; 2939 struct sockaddr_in6 dst6; 2940 } u; 2941 struct route ro; 2942 struct route *rop = &ro; 2943 struct rtentry *rt; 2944 int hlen; 2945 u_int16_t mss = tcp_mssdflt; 2946 2947 hlen = 0; /* XXXGCC -Wuninitialized m68k */ 2948 2949 memset(&ro, 0, sizeof(ro)); 2950 switch (af) { 2951 #ifdef INET 2952 case AF_INET: 2953 hlen = sizeof(struct ip); 2954 sockaddr_in_init(&u.dst4, &addr->v4, 0); 2955 rtcache_setdst(rop, &u.dst); 2956 break; 2957 #endif /* INET */ 2958 #ifdef INET6 2959 case AF_INET6: 2960 hlen = sizeof(struct ip6_hdr); 2961 sockaddr_in6_init(&u.dst6, &addr->v6, 0, 0, 0); 2962 rtcache_setdst(rop, &u.dst); 2963 break; 2964 #endif /* INET6 */ 2965 } 2966 2967 #ifndef __NetBSD__ 2968 rtalloc_noclone(rop, NO_CLONING); 2969 if ((rt = ro->ro_rt) != NULL) { 2970 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2971 mss = max(tcp_mssdflt, mss); 2972 } 2973 #else 2974 if ((rt = rtcache_init_noclone(rop)) != NULL) { 2975 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2976 mss = max(tcp_mssdflt, mss); 2977 } 2978 rtcache_free(rop); 2979 #endif 2980 mss = min(mss, offer); 2981 mss = max(mss, 64); /* sanity - at least max opt space */ 2982 return (mss); 2983 } 2984 2985 void 2986 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) 2987 { 2988 struct pf_rule *r = s->rule.ptr; 2989 2990 s->rt_kif = NULL; 2991 if (!r->rt || r->rt == PF_FASTROUTE) 2992 return; 2993 switch (s->state_key->af) { 2994 #ifdef INET 2995 case AF_INET: 2996 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, 2997 &s->nat_src_node); 2998 s->rt_kif = r->rpool.cur->kif; 2999 break; 3000 #endif /* INET */ 3001 #ifdef INET6 3002 case AF_INET6: 3003 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, 3004 &s->nat_src_node); 3005 s->rt_kif = r->rpool.cur->kif; 3006 break; 3007 #endif /* INET6 */ 3008 } 3009 } 3010 3011 void 3012 pf_attach_state(struct pf_state_key *sk, struct pf_state *s, int tail) 3013 { 3014 s->state_key = sk; 3015 sk->refcnt++; 3016 3017 /* list is sorted, if-bound states before floating */ 3018 if (tail) 3019 TAILQ_INSERT_TAIL(&sk->states, s, next); 3020 else 3021 TAILQ_INSERT_HEAD(&sk->states, s, next); 3022 } 3023 3024 void 3025 pf_detach_state(struct pf_state *s, int flags) 3026 { 3027 struct pf_state_key *sk = s->state_key; 3028 3029 if (sk == NULL) 3030 return; 3031 3032 s->state_key = NULL; 3033 TAILQ_REMOVE(&sk->states, s, next); 3034 if (--sk->refcnt == 0) { 3035 if (!(flags & PF_DT_SKIP_EXTGWY)) 3036 RB_REMOVE(pf_state_tree_ext_gwy, 3037 &pf_statetbl_ext_gwy, sk); 3038 if (!(flags & PF_DT_SKIP_LANEXT)) 3039 RB_REMOVE(pf_state_tree_lan_ext, 3040 &pf_statetbl_lan_ext, sk); 3041 pool_put(&pf_state_key_pl, sk); 3042 } 3043 } 3044 3045 struct pf_state_key * 3046 pf_alloc_state_key(struct pf_state *s) 3047 { 3048 struct pf_state_key *sk; 3049 3050 if ((sk = pool_get(&pf_state_key_pl, PR_NOWAIT)) == NULL) 3051 return (NULL); 3052 bzero(sk, sizeof(*sk)); 3053 TAILQ_INIT(&sk->states); 3054 pf_attach_state(sk, s, 0); 3055 3056 return (sk); 3057 } 3058 3059 int 3060 pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, 3061 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 3062 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm, 3063 struct ifqueue *ifq) 3064 { 3065 struct pf_rule *nr = NULL; 3066 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3067 u_int16_t bport, nport = 0; 3068 sa_family_t af = pd->af; 3069 struct pf_rule *r, *a = NULL; 3070 struct pf_ruleset *ruleset = NULL; 3071 struct pf_src_node *nsn = NULL; 3072 struct tcphdr *th = pd->hdr.tcp; 3073 u_short reason; 3074 int rewrite = 0, hdrlen = 0; 3075 int tag = -1, rtableid = -1; 3076 int asd = 0; 3077 int match = 0; 3078 int state_icmp = 0; 3079 u_int16_t mss = tcp_mssdflt; 3080 u_int16_t sport, dport; 3081 u_int8_t icmptype = 0, icmpcode = 0; 3082 3083 if (direction == PF_IN && pf_check_congestion(ifq)) { 3084 REASON_SET(&reason, PFRES_CONGEST); 3085 return (PF_DROP); 3086 } 3087 3088 sport = dport = hdrlen = 0; 3089 3090 switch (pd->proto) { 3091 case IPPROTO_TCP: 3092 sport = th->th_sport; 3093 dport = th->th_dport; 3094 hdrlen = sizeof(*th); 3095 break; 3096 case IPPROTO_UDP: 3097 sport = pd->hdr.udp->uh_sport; 3098 dport = pd->hdr.udp->uh_dport; 3099 hdrlen = sizeof(*pd->hdr.udp); 3100 break; 3101 #ifdef INET 3102 case IPPROTO_ICMP: 3103 if (pd->af != AF_INET) 3104 break; 3105 sport = dport = pd->hdr.icmp->icmp_id; 3106 icmptype = pd->hdr.icmp->icmp_type; 3107 icmpcode = pd->hdr.icmp->icmp_code; 3108 3109 if (icmptype == ICMP_UNREACH || 3110 icmptype == ICMP_SOURCEQUENCH || 3111 icmptype == ICMP_REDIRECT || 3112 icmptype == ICMP_TIMXCEED || 3113 icmptype == ICMP_PARAMPROB) 3114 state_icmp++; 3115 break; 3116 #endif /* INET */ 3117 3118 #ifdef INET6 3119 case IPPROTO_ICMPV6: 3120 if (pd->af != AF_INET6) 3121 break; 3122 sport = dport = pd->hdr.icmp6->icmp6_id; 3123 hdrlen = sizeof(*pd->hdr.icmp6); 3124 icmptype = pd->hdr.icmp6->icmp6_type; 3125 icmpcode = pd->hdr.icmp6->icmp6_code; 3126 3127 if (icmptype == ICMP6_DST_UNREACH || 3128 icmptype == ICMP6_PACKET_TOO_BIG || 3129 icmptype == ICMP6_TIME_EXCEEDED || 3130 icmptype == ICMP6_PARAM_PROB) 3131 state_icmp++; 3132 break; 3133 #endif /* INET6 */ 3134 } 3135 3136 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3137 3138 if (direction == PF_OUT) { 3139 bport = nport = sport; 3140 /* check outgoing packet for BINAT/NAT */ 3141 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3142 saddr, sport, daddr, dport, &pd->naddr, &nport)) != NULL) { 3143 PF_ACPY(&pd->baddr, saddr, af); 3144 switch (pd->proto) { 3145 case IPPROTO_TCP: 3146 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 3147 &th->th_sum, &pd->naddr, nport, 0, af); 3148 sport = th->th_sport; 3149 rewrite++; 3150 break; 3151 case IPPROTO_UDP: 3152 pf_change_ap(saddr, &pd->hdr.udp->uh_sport, 3153 pd->ip_sum, &pd->hdr.udp->uh_sum, 3154 &pd->naddr, nport, 1, af); 3155 sport = pd->hdr.udp->uh_sport; 3156 rewrite++; 3157 break; 3158 #ifdef INET 3159 case IPPROTO_ICMP: 3160 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3161 pd->naddr.v4.s_addr, 0); 3162 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup( 3163 pd->hdr.icmp->icmp_cksum, sport, nport, 0); 3164 pd->hdr.icmp->icmp_id = nport; 3165 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp); 3166 break; 3167 #endif /* INET */ 3168 #ifdef INET6 3169 case IPPROTO_ICMPV6: 3170 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, 3171 &pd->naddr, 0); 3172 rewrite++; 3173 break; 3174 #endif /* INET */ 3175 default: 3176 switch (af) { 3177 #ifdef INET 3178 case AF_INET: 3179 pf_change_a(&saddr->v4.s_addr, 3180 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3181 break; 3182 #endif /* INET */ 3183 #ifdef INET6 3184 case AF_INET6: 3185 PF_ACPY(saddr, &pd->naddr, af); 3186 break; 3187 #endif /* INET */ 3188 } 3189 break; 3190 } 3191 3192 if (nr->natpass) 3193 r = NULL; 3194 pd->nat_rule = nr; 3195 } 3196 } else { 3197 bport = nport = dport; 3198 /* check incoming packet for BINAT/RDR */ 3199 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3200 saddr, sport, daddr, dport, &pd->naddr, &nport)) != NULL) { 3201 PF_ACPY(&pd->baddr, daddr, af); 3202 switch (pd->proto) { 3203 case IPPROTO_TCP: 3204 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 3205 &th->th_sum, &pd->naddr, nport, 0, af); 3206 dport = th->th_dport; 3207 rewrite++; 3208 break; 3209 case IPPROTO_UDP: 3210 pf_change_ap(daddr, &pd->hdr.udp->uh_dport, 3211 pd->ip_sum, &pd->hdr.udp->uh_sum, 3212 &pd->naddr, nport, 1, af); 3213 dport = pd->hdr.udp->uh_dport; 3214 rewrite++; 3215 break; 3216 #ifdef INET 3217 case IPPROTO_ICMP: 3218 pf_change_a(&daddr->v4.s_addr, pd->ip_sum, 3219 pd->naddr.v4.s_addr, 0); 3220 break; 3221 #endif /* INET */ 3222 #ifdef INET6 3223 case IPPROTO_ICMPV6: 3224 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, 3225 &pd->naddr, 0); 3226 rewrite++; 3227 break; 3228 #endif /* INET6 */ 3229 default: 3230 switch (af) { 3231 #ifdef INET 3232 case AF_INET: 3233 pf_change_a(&daddr->v4.s_addr, 3234 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3235 break; 3236 #endif /* INET */ 3237 #ifdef INET6 3238 case AF_INET6: 3239 PF_ACPY(daddr, &pd->naddr, af); 3240 break; 3241 #endif /* INET */ 3242 } 3243 break; 3244 } 3245 3246 if (nr->natpass) 3247 r = NULL; 3248 pd->nat_rule = nr; 3249 } 3250 } 3251 3252 while (r != NULL) { 3253 r->evaluations++; 3254 if (pfi_kif_match(r->kif, kif) == r->ifnot) 3255 r = r->skip[PF_SKIP_IFP].ptr; 3256 else if (r->direction && r->direction != direction) 3257 r = r->skip[PF_SKIP_DIR].ptr; 3258 else if (r->af && r->af != af) 3259 r = r->skip[PF_SKIP_AF].ptr; 3260 else if (r->proto && r->proto != pd->proto) 3261 r = r->skip[PF_SKIP_PROTO].ptr; 3262 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, 3263 r->src.neg, kif)) 3264 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3265 /* tcp/udp only. port_op always 0 in other cases */ 3266 else if (r->src.port_op && !pf_match_port(r->src.port_op, 3267 r->src.port[0], r->src.port[1], sport)) 3268 r = r->skip[PF_SKIP_SRC_PORT].ptr; 3269 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, 3270 r->dst.neg, NULL)) 3271 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3272 /* tcp/udp only. port_op always 0 in other cases */ 3273 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 3274 r->dst.port[0], r->dst.port[1], dport)) 3275 r = r->skip[PF_SKIP_DST_PORT].ptr; 3276 /* icmp only. type always 0 in other cases */ 3277 else if (r->type && r->type != icmptype + 1) 3278 r = TAILQ_NEXT(r, entries); 3279 /* icmp only. type always 0 in other cases */ 3280 else if (r->code && r->code != icmpcode + 1) 3281 r = TAILQ_NEXT(r, entries); 3282 else if (r->tos && !(r->tos == pd->tos)) 3283 r = TAILQ_NEXT(r, entries); 3284 else if (r->rule_flag & PFRULE_FRAGMENT) 3285 r = TAILQ_NEXT(r, entries); 3286 else if (pd->proto == IPPROTO_TCP && 3287 (r->flagset & th->th_flags) != r->flags) 3288 r = TAILQ_NEXT(r, entries); 3289 /* tcp/udp only. uid.op always 0 in other cases */ 3290 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done = 3291 pf_socket_lookup(direction, pd), 1)) && 3292 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 3293 pd->lookup.uid)) 3294 r = TAILQ_NEXT(r, entries); 3295 /* tcp/udp only. gid.op always 0 in other cases */ 3296 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done = 3297 pf_socket_lookup(direction, pd), 1)) && 3298 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 3299 pd->lookup.gid)) 3300 r = TAILQ_NEXT(r, entries); 3301 else if (r->prob && r->prob <= arc4random()) 3302 r = TAILQ_NEXT(r, entries); 3303 else if (r->match_tag && !pf_match_tag(m, r, &tag)) 3304 r = TAILQ_NEXT(r, entries); 3305 else if (r->os_fingerprint != PF_OSFP_ANY && 3306 (pd->proto != IPPROTO_TCP || !pf_osfp_match( 3307 pf_osfp_fingerprint(pd, m, off, th), 3308 r->os_fingerprint))) 3309 r = TAILQ_NEXT(r, entries); 3310 else { 3311 if (r->tag) 3312 tag = r->tag; 3313 if (r->rtableid >= 0) 3314 rtableid = r->rtableid; 3315 if (r->anchor == NULL) { 3316 match = 1; 3317 *rm = r; 3318 *am = a; 3319 *rsm = ruleset; 3320 if ((*rm)->quick) 3321 break; 3322 r = TAILQ_NEXT(r, entries); 3323 } else 3324 pf_step_into_anchor(&asd, &ruleset, 3325 PF_RULESET_FILTER, &r, &a, &match); 3326 } 3327 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, 3328 PF_RULESET_FILTER, &r, &a, &match)) 3329 break; 3330 } 3331 r = *rm; 3332 a = *am; 3333 ruleset = *rsm; 3334 3335 REASON_SET(&reason, PFRES_MATCH); 3336 3337 if (r->log || (nr != NULL && nr->log)) { 3338 if (rewrite) 3339 m_copyback(m, off, hdrlen, pd->hdr.any); 3340 PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr, 3341 a, ruleset, pd); 3342 } 3343 3344 if ((r->action == PF_DROP) && 3345 ((r->rule_flag & PFRULE_RETURNRST) || 3346 (r->rule_flag & PFRULE_RETURNICMP) || 3347 (r->rule_flag & PFRULE_RETURN))) { 3348 /* undo NAT changes, if they have taken place */ 3349 if (nr != NULL) { 3350 if (direction == PF_OUT) { 3351 switch (pd->proto) { 3352 case IPPROTO_TCP: 3353 pf_change_ap(saddr, &th->th_sport, 3354 pd->ip_sum, &th->th_sum, 3355 &pd->baddr, bport, 0, af); 3356 sport = th->th_sport; 3357 rewrite++; 3358 break; 3359 case IPPROTO_UDP: 3360 pf_change_ap(saddr, 3361 &pd->hdr.udp->uh_sport, pd->ip_sum, 3362 &pd->hdr.udp->uh_sum, &pd->baddr, 3363 bport, 1, af); 3364 sport = pd->hdr.udp->uh_sport; 3365 rewrite++; 3366 break; 3367 case IPPROTO_ICMP: 3368 #ifdef INET6 3369 case IPPROTO_ICMPV6: 3370 #endif 3371 /* nothing! */ 3372 break; 3373 default: 3374 switch (af) { 3375 case AF_INET: 3376 pf_change_a(&saddr->v4.s_addr, 3377 pd->ip_sum, 3378 pd->baddr.v4.s_addr, 0); 3379 break; 3380 case AF_INET6: 3381 PF_ACPY(saddr, &pd->baddr, af); 3382 break; 3383 } 3384 } 3385 } else { 3386 switch (pd->proto) { 3387 case IPPROTO_TCP: 3388 pf_change_ap(daddr, &th->th_dport, 3389 pd->ip_sum, &th->th_sum, 3390 &pd->baddr, bport, 0, af); 3391 dport = th->th_dport; 3392 rewrite++; 3393 break; 3394 case IPPROTO_UDP: 3395 pf_change_ap(daddr, 3396 &pd->hdr.udp->uh_dport, pd->ip_sum, 3397 &pd->hdr.udp->uh_sum, &pd->baddr, 3398 bport, 1, af); 3399 dport = pd->hdr.udp->uh_dport; 3400 rewrite++; 3401 break; 3402 case IPPROTO_ICMP: 3403 #ifdef INET6 3404 case IPPROTO_ICMPV6: 3405 #endif 3406 /* nothing! */ 3407 break; 3408 default: 3409 switch (af) { 3410 case AF_INET: 3411 pf_change_a(&daddr->v4.s_addr, 3412 pd->ip_sum, 3413 pd->baddr.v4.s_addr, 0); 3414 break; 3415 case AF_INET6: 3416 PF_ACPY(daddr, &pd->baddr, af); 3417 break; 3418 } 3419 } 3420 } 3421 } 3422 if (pd->proto == IPPROTO_TCP && 3423 ((r->rule_flag & PFRULE_RETURNRST) || 3424 (r->rule_flag & PFRULE_RETURN)) && 3425 !(th->th_flags & TH_RST)) { 3426 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 3427 struct ip *h = mtod(m, struct ip *); 3428 3429 #ifdef __NetBSD__ 3430 if (pf_check_proto_cksum(m, direction, off, 3431 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) 3432 #else 3433 if (pf_check_proto_cksum(m, off, 3434 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) 3435 #endif /* !__NetBSD__ */ 3436 REASON_SET(&reason, PFRES_PROTCKSUM); 3437 else { 3438 if (th->th_flags & TH_SYN) 3439 ack++; 3440 if (th->th_flags & TH_FIN) 3441 ack++; 3442 pf_send_tcp(r, af, pd->dst, 3443 pd->src, th->th_dport, th->th_sport, 3444 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, 3445 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp); 3446 } 3447 } else if ((af == AF_INET) && r->return_icmp) 3448 pf_send_icmp(m, r->return_icmp >> 8, 3449 r->return_icmp & 255, af, r); 3450 else if ((af == AF_INET6) && r->return_icmp6) 3451 pf_send_icmp(m, r->return_icmp6 >> 8, 3452 r->return_icmp6 & 255, af, r); 3453 } 3454 3455 if (r->action == PF_DROP) 3456 return (PF_DROP); 3457 3458 if (pf_tag_packet(m, tag, rtableid)) { 3459 REASON_SET(&reason, PFRES_MEMORY); 3460 return (PF_DROP); 3461 } 3462 3463 if (!state_icmp && (r->keep_state || nr != NULL || 3464 (pd->flags & PFDESC_TCP_NORM))) { 3465 /* create new state */ 3466 u_int16_t len; 3467 struct pf_state *s = NULL; 3468 struct pf_state_key *sk = NULL; 3469 struct pf_src_node *sn = NULL; 3470 3471 /* check maximums */ 3472 if (r->max_states && (r->states >= r->max_states)) { 3473 pf_status.lcounters[LCNT_STATES]++; 3474 REASON_SET(&reason, PFRES_MAXSTATES); 3475 goto cleanup; 3476 } 3477 /* src node for filter rule */ 3478 if ((r->rule_flag & PFRULE_SRCTRACK || 3479 r->rpool.opts & PF_POOL_STICKYADDR) && 3480 pf_insert_src_node(&sn, r, saddr, af) != 0) { 3481 REASON_SET(&reason, PFRES_SRCLIMIT); 3482 goto cleanup; 3483 } 3484 /* src node for translation rule */ 3485 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3486 ((direction == PF_OUT && 3487 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3488 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) { 3489 REASON_SET(&reason, PFRES_SRCLIMIT); 3490 goto cleanup; 3491 } 3492 s = pool_get(&pf_state_pl, PR_NOWAIT); 3493 if (s == NULL) { 3494 REASON_SET(&reason, PFRES_MEMORY); 3495 cleanup: 3496 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3497 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3498 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3499 pf_status.src_nodes--; 3500 pool_put(&pf_src_tree_pl, sn); 3501 } 3502 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3503 nsn->expire == 0) { 3504 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3505 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3506 pf_status.src_nodes--; 3507 pool_put(&pf_src_tree_pl, nsn); 3508 } 3509 if (sk != NULL) { 3510 pool_put(&pf_state_key_pl, sk); 3511 } 3512 return (PF_DROP); 3513 } 3514 bzero(s, sizeof(*s)); 3515 s->rule.ptr = r; 3516 s->nat_rule.ptr = nr; 3517 s->anchor.ptr = a; 3518 STATE_INC_COUNTERS(s); 3519 s->allow_opts = r->allow_opts; 3520 s->log = r->log & PF_LOG_ALL; 3521 if (nr != NULL) 3522 s->log |= nr->log & PF_LOG_ALL; 3523 switch (pd->proto) { 3524 case IPPROTO_TCP: 3525 len = pd->tot_len - off - (th->th_off << 2); 3526 s->src.seqlo = ntohl(th->th_seq); 3527 s->src.seqhi = s->src.seqlo + len + 1; 3528 if ((th->th_flags & (TH_SYN|TH_ACK)) == 3529 TH_SYN && r->keep_state == PF_STATE_MODULATE) { 3530 /* Generate sequence number modulator */ 3531 while ((s->src.seqdiff = 3532 tcp_rndiss_next() - s->src.seqlo) == 0) 3533 ; 3534 pf_change_a(&th->th_seq, &th->th_sum, 3535 htonl(s->src.seqlo + s->src.seqdiff), 0); 3536 rewrite = 1; 3537 } else 3538 s->src.seqdiff = 0; 3539 if (th->th_flags & TH_SYN) { 3540 s->src.seqhi++; 3541 s->src.wscale = pf_get_wscale(m, off, 3542 th->th_off, af); 3543 } 3544 s->src.max_win = MAX(ntohs(th->th_win), 1); 3545 if (s->src.wscale & PF_WSCALE_MASK) { 3546 /* Remove scale factor from initial window */ 3547 int win = s->src.max_win; 3548 win += 1 << (s->src.wscale & PF_WSCALE_MASK); 3549 s->src.max_win = (win - 1) >> 3550 (s->src.wscale & PF_WSCALE_MASK); 3551 } 3552 if (th->th_flags & TH_FIN) 3553 s->src.seqhi++; 3554 s->dst.seqhi = 1; 3555 s->dst.max_win = 1; 3556 s->src.state = TCPS_SYN_SENT; 3557 s->dst.state = TCPS_CLOSED; 3558 s->timeout = PFTM_TCP_FIRST_PACKET; 3559 break; 3560 case IPPROTO_UDP: 3561 s->src.state = PFUDPS_SINGLE; 3562 s->dst.state = PFUDPS_NO_TRAFFIC; 3563 s->timeout = PFTM_UDP_FIRST_PACKET; 3564 break; 3565 case IPPROTO_ICMP: 3566 #ifdef INET6 3567 case IPPROTO_ICMPV6: 3568 #endif 3569 s->timeout = PFTM_ICMP_FIRST_PACKET; 3570 break; 3571 default: 3572 s->src.state = PFOTHERS_SINGLE; 3573 s->dst.state = PFOTHERS_NO_TRAFFIC; 3574 s->timeout = PFTM_OTHER_FIRST_PACKET; 3575 } 3576 3577 s->creation = time_second; 3578 s->expire = time_second; 3579 3580 if (sn != NULL) { 3581 s->src_node = sn; 3582 s->src_node->states++; 3583 } 3584 if (nsn != NULL) { 3585 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3586 s->nat_src_node = nsn; 3587 s->nat_src_node->states++; 3588 } 3589 if (pd->proto == IPPROTO_TCP) { 3590 if ((pd->flags & PFDESC_TCP_NORM) && 3591 pf_normalize_tcp_init(m, off, pd, th, &s->src, 3592 &s->dst)) { 3593 REASON_SET(&reason, PFRES_MEMORY); 3594 pf_src_tree_remove_state(s); 3595 STATE_DEC_COUNTERS(s); 3596 pool_put(&pf_state_pl, s); 3597 return (PF_DROP); 3598 } 3599 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && 3600 pf_normalize_tcp_stateful(m, off, pd, &reason, 3601 th, s, &s->src, &s->dst, &rewrite)) { 3602 /* This really shouldn't happen!!! */ 3603 DPFPRINTF(PF_DEBUG_URGENT, 3604 ("pf_normalize_tcp_stateful failed on " 3605 "first pkt")); 3606 pf_normalize_tcp_cleanup(s); 3607 pf_src_tree_remove_state(s); 3608 STATE_DEC_COUNTERS(s); 3609 pool_put(&pf_state_pl, s); 3610 return (PF_DROP); 3611 } 3612 } 3613 3614 if ((sk = pf_alloc_state_key(s)) == NULL) { 3615 REASON_SET(&reason, PFRES_MEMORY); 3616 goto cleanup; 3617 } 3618 3619 sk->proto = pd->proto; 3620 sk->direction = direction; 3621 sk->af = af; 3622 if (direction == PF_OUT) { 3623 PF_ACPY(&sk->gwy.addr, saddr, af); 3624 PF_ACPY(&sk->ext.addr, daddr, af); 3625 switch (pd->proto) { 3626 case IPPROTO_ICMP: 3627 #ifdef INET6 3628 case IPPROTO_ICMPV6: 3629 #endif 3630 sk->gwy.port = nport; 3631 sk->ext.port = 0; 3632 break; 3633 default: 3634 sk->gwy.port = sport; 3635 sk->ext.port = dport; 3636 } 3637 if (nr != NULL) { 3638 PF_ACPY(&sk->lan.addr, &pd->baddr, af); 3639 sk->lan.port = bport; 3640 } else { 3641 PF_ACPY(&sk->lan.addr, &sk->gwy.addr, af); 3642 sk->lan.port = sk->gwy.port; 3643 } 3644 } else { 3645 PF_ACPY(&sk->lan.addr, daddr, af); 3646 PF_ACPY(&sk->ext.addr, saddr, af); 3647 switch (pd->proto) { 3648 case IPPROTO_ICMP: 3649 #ifdef INET6 3650 case IPPROTO_ICMPV6: 3651 #endif 3652 sk->lan.port = nport; 3653 sk->ext.port = 0; 3654 break; 3655 default: 3656 sk->lan.port = dport; 3657 sk->ext.port = sport; 3658 } 3659 if (nr != NULL) { 3660 PF_ACPY(&sk->gwy.addr, &pd->baddr, af); 3661 sk->gwy.port = bport; 3662 } else { 3663 PF_ACPY(&sk->gwy.addr, &sk->lan.addr, af); 3664 sk->gwy.port = sk->lan.port; 3665 } 3666 } 3667 3668 pf_set_rt_ifp(s, saddr); /* needs s->state_key set */ 3669 3670 if (pf_insert_state(bound_iface(r, nr, kif), s)) { 3671 if (pd->proto == IPPROTO_TCP) 3672 pf_normalize_tcp_cleanup(s); 3673 REASON_SET(&reason, PFRES_STATEINS); 3674 pf_src_tree_remove_state(s); 3675 STATE_DEC_COUNTERS(s); 3676 pool_put(&pf_state_pl, s); 3677 return (PF_DROP); 3678 } else 3679 *sm = s; 3680 if (tag > 0) { 3681 pf_tag_ref(tag); 3682 s->tag = tag; 3683 } 3684 if (pd->proto == IPPROTO_TCP && 3685 (th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 3686 r->keep_state == PF_STATE_SYNPROXY) { 3687 s->src.state = PF_TCPS_PROXY_SRC; 3688 if (nr != NULL) { 3689 if (direction == PF_OUT) { 3690 pf_change_ap(saddr, &th->th_sport, 3691 pd->ip_sum, &th->th_sum, &pd->baddr, 3692 bport, 0, af); 3693 sport = th->th_sport; 3694 } else { 3695 pf_change_ap(daddr, &th->th_dport, 3696 pd->ip_sum, &th->th_sum, &pd->baddr, 3697 bport, 0, af); 3698 sport = th->th_dport; 3699 } 3700 } 3701 s->src.seqhi = htonl(arc4random()); 3702 /* Find mss option */ 3703 mss = pf_get_mss(m, off, th->th_off, af); 3704 mss = pf_calc_mss(saddr, af, mss); 3705 mss = pf_calc_mss(daddr, af, mss); 3706 s->src.mss = mss; 3707 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 3708 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, 3709 TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL); 3710 REASON_SET(&reason, PFRES_SYNPROXY); 3711 return (PF_SYNPROXY_DROP); 3712 } 3713 } 3714 3715 /* copy back packet headers if we performed NAT operations */ 3716 if (rewrite) 3717 m_copyback(m, off, hdrlen, pd->hdr.any); 3718 3719 return (PF_PASS); 3720 } 3721 3722 int 3723 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, 3724 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, 3725 struct pf_ruleset **rsm) 3726 { 3727 struct pf_rule *r, *a = NULL; 3728 struct pf_ruleset *ruleset = NULL; 3729 sa_family_t af = pd->af; 3730 u_short reason; 3731 int tag = -1; 3732 int asd = 0; 3733 int match = 0; 3734 3735 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3736 while (r != NULL) { 3737 r->evaluations++; 3738 if (pfi_kif_match(r->kif, kif) == r->ifnot) 3739 r = r->skip[PF_SKIP_IFP].ptr; 3740 else if (r->direction && r->direction != direction) 3741 r = r->skip[PF_SKIP_DIR].ptr; 3742 else if (r->af && r->af != af) 3743 r = r->skip[PF_SKIP_AF].ptr; 3744 else if (r->proto && r->proto != pd->proto) 3745 r = r->skip[PF_SKIP_PROTO].ptr; 3746 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, 3747 r->src.neg, kif)) 3748 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3749 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, 3750 r->dst.neg, NULL)) 3751 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3752 else if (r->tos && !(r->tos == pd->tos)) 3753 r = TAILQ_NEXT(r, entries); 3754 else if (r->src.port_op || r->dst.port_op || 3755 r->flagset || r->type || r->code || 3756 r->os_fingerprint != PF_OSFP_ANY) 3757 r = TAILQ_NEXT(r, entries); 3758 else if (r->prob && r->prob <= arc4random()) 3759 r = TAILQ_NEXT(r, entries); 3760 else if (r->match_tag && !pf_match_tag(m, r, &tag)) 3761 r = TAILQ_NEXT(r, entries); 3762 else { 3763 if (r->anchor == NULL) { 3764 match = 1; 3765 *rm = r; 3766 *am = a; 3767 *rsm = ruleset; 3768 if ((*rm)->quick) 3769 break; 3770 r = TAILQ_NEXT(r, entries); 3771 } else 3772 pf_step_into_anchor(&asd, &ruleset, 3773 PF_RULESET_FILTER, &r, &a, &match); 3774 } 3775 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, 3776 PF_RULESET_FILTER, &r, &a, &match)) 3777 break; 3778 } 3779 r = *rm; 3780 a = *am; 3781 ruleset = *rsm; 3782 3783 REASON_SET(&reason, PFRES_MATCH); 3784 3785 if (r->log) 3786 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset, 3787 pd); 3788 3789 if (r->action != PF_PASS) 3790 return (PF_DROP); 3791 3792 if (pf_tag_packet(m, tag, -1)) { 3793 REASON_SET(&reason, PFRES_MEMORY); 3794 return (PF_DROP); 3795 } 3796 3797 return (PF_PASS); 3798 } 3799 3800 int 3801 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, 3802 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3803 u_short *reason) 3804 { 3805 struct pf_state_key_cmp key; 3806 struct tcphdr *th = pd->hdr.tcp; 3807 u_int16_t win = ntohs(th->th_win); 3808 u_int32_t ack, end, seq, orig_seq; 3809 u_int8_t sws, dws; 3810 int ackskew; 3811 int copyback = 0; 3812 struct pf_state_peer *src, *dst; 3813 3814 key.af = pd->af; 3815 key.proto = IPPROTO_TCP; 3816 if (direction == PF_IN) { 3817 PF_ACPY(&key.ext.addr, pd->src, key.af); 3818 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3819 key.ext.port = th->th_sport; 3820 key.gwy.port = th->th_dport; 3821 } else { 3822 PF_ACPY(&key.lan.addr, pd->src, key.af); 3823 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3824 key.lan.port = th->th_sport; 3825 key.ext.port = th->th_dport; 3826 } 3827 3828 STATE_LOOKUP(); 3829 3830 if (direction == (*state)->state_key->direction) { 3831 src = &(*state)->src; 3832 dst = &(*state)->dst; 3833 } else { 3834 src = &(*state)->dst; 3835 dst = &(*state)->src; 3836 } 3837 3838 if ((*state)->src.state == PF_TCPS_PROXY_SRC) { 3839 if (direction != (*state)->state_key->direction) { 3840 REASON_SET(reason, PFRES_SYNPROXY); 3841 return (PF_SYNPROXY_DROP); 3842 } 3843 if (th->th_flags & TH_SYN) { 3844 if (ntohl(th->th_seq) != (*state)->src.seqlo) { 3845 REASON_SET(reason, PFRES_SYNPROXY); 3846 return (PF_DROP); 3847 } 3848 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3849 pd->src, th->th_dport, th->th_sport, 3850 (*state)->src.seqhi, ntohl(th->th_seq) + 1, 3851 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 3852 0, NULL, NULL); 3853 REASON_SET(reason, PFRES_SYNPROXY); 3854 return (PF_SYNPROXY_DROP); 3855 } else if (!(th->th_flags & TH_ACK) || 3856 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3857 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { 3858 REASON_SET(reason, PFRES_SYNPROXY); 3859 return (PF_DROP); 3860 } else if ((*state)->src_node != NULL && 3861 pf_src_connlimit(state)) { 3862 REASON_SET(reason, PFRES_SRCLIMIT); 3863 return (PF_DROP); 3864 } else 3865 (*state)->src.state = PF_TCPS_PROXY_DST; 3866 } 3867 if ((*state)->src.state == PF_TCPS_PROXY_DST) { 3868 struct pf_state_host *src, *dst; 3869 3870 if (direction == PF_OUT) { 3871 src = &(*state)->state_key->gwy; 3872 dst = &(*state)->state_key->ext; 3873 } else { 3874 src = &(*state)->state_key->ext; 3875 dst = &(*state)->state_key->lan; 3876 } 3877 if (direction == (*state)->state_key->direction) { 3878 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || 3879 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3880 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { 3881 REASON_SET(reason, PFRES_SYNPROXY); 3882 return (PF_DROP); 3883 } 3884 (*state)->src.max_win = MAX(ntohs(th->th_win), 1); 3885 if ((*state)->dst.seqhi == 1) 3886 (*state)->dst.seqhi = htonl(arc4random()); 3887 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3888 &dst->addr, src->port, dst->port, 3889 (*state)->dst.seqhi, 0, TH_SYN, 0, 3890 (*state)->src.mss, 0, 0, (*state)->tag, NULL, NULL); 3891 REASON_SET(reason, PFRES_SYNPROXY); 3892 return (PF_SYNPROXY_DROP); 3893 } else if (((th->th_flags & (TH_SYN|TH_ACK)) != 3894 (TH_SYN|TH_ACK)) || 3895 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) { 3896 REASON_SET(reason, PFRES_SYNPROXY); 3897 return (PF_DROP); 3898 } else { 3899 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); 3900 (*state)->dst.seqlo = ntohl(th->th_seq); 3901 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3902 pd->src, th->th_dport, th->th_sport, 3903 ntohl(th->th_ack), ntohl(th->th_seq) + 1, 3904 TH_ACK, (*state)->src.max_win, 0, 0, 0, 3905 (*state)->tag, NULL, NULL); 3906 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3907 &dst->addr, src->port, dst->port, 3908 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, 3909 TH_ACK, (*state)->dst.max_win, 0, 0, 1, 3910 0, NULL, NULL); 3911 (*state)->src.seqdiff = (*state)->dst.seqhi - 3912 (*state)->src.seqlo; 3913 (*state)->dst.seqdiff = (*state)->src.seqhi - 3914 (*state)->dst.seqlo; 3915 (*state)->src.seqhi = (*state)->src.seqlo + 3916 (*state)->dst.max_win; 3917 (*state)->dst.seqhi = (*state)->dst.seqlo + 3918 (*state)->src.max_win; 3919 (*state)->src.wscale = (*state)->dst.wscale = 0; 3920 (*state)->src.state = (*state)->dst.state = 3921 TCPS_ESTABLISHED; 3922 REASON_SET(reason, PFRES_SYNPROXY); 3923 return (PF_SYNPROXY_DROP); 3924 } 3925 } 3926 3927 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 3928 sws = src->wscale & PF_WSCALE_MASK; 3929 dws = dst->wscale & PF_WSCALE_MASK; 3930 } else 3931 sws = dws = 0; 3932 3933 /* 3934 * Sequence tracking algorithm from Guido van Rooij's paper: 3935 * http://www.madison-gurkha.com/publications/tcp_filtering/ 3936 * tcp_filtering.ps 3937 */ 3938 3939 orig_seq = seq = ntohl(th->th_seq); 3940 if (src->seqlo == 0) { 3941 /* First packet from this end. Set its state */ 3942 3943 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && 3944 src->scrub == NULL) { 3945 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 3946 REASON_SET(reason, PFRES_MEMORY); 3947 return (PF_DROP); 3948 } 3949 } 3950 3951 /* Deferred generation of sequence number modulator */ 3952 if (dst->seqdiff && !src->seqdiff) { 3953 while ((src->seqdiff = tcp_rndiss_next() - seq) == 0) 3954 ; 3955 ack = ntohl(th->th_ack) - dst->seqdiff; 3956 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3957 src->seqdiff), 0); 3958 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3959 copyback = 1; 3960 } else { 3961 ack = ntohl(th->th_ack); 3962 } 3963 3964 end = seq + pd->p_len; 3965 if (th->th_flags & TH_SYN) { 3966 end++; 3967 if (dst->wscale & PF_WSCALE_FLAG) { 3968 src->wscale = pf_get_wscale(m, off, th->th_off, 3969 pd->af); 3970 if (src->wscale & PF_WSCALE_FLAG) { 3971 /* Remove scale factor from initial 3972 * window */ 3973 sws = src->wscale & PF_WSCALE_MASK; 3974 win = ((u_int32_t)win + (1 << sws) - 1) 3975 >> sws; 3976 dws = dst->wscale & PF_WSCALE_MASK; 3977 } else { 3978 /* fixup other window */ 3979 dst->max_win <<= dst->wscale & 3980 PF_WSCALE_MASK; 3981 /* in case of a retrans SYN|ACK */ 3982 dst->wscale = 0; 3983 } 3984 } 3985 } 3986 if (th->th_flags & TH_FIN) 3987 end++; 3988 3989 src->seqlo = seq; 3990 if (src->state < TCPS_SYN_SENT) 3991 src->state = TCPS_SYN_SENT; 3992 3993 /* 3994 * May need to slide the window (seqhi may have been set by 3995 * the crappy stack check or if we picked up the connection 3996 * after establishment) 3997 */ 3998 if (src->seqhi == 1 || 3999 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) 4000 src->seqhi = end + MAX(1, dst->max_win << dws); 4001 if (win > src->max_win) 4002 src->max_win = win; 4003 4004 } else { 4005 ack = ntohl(th->th_ack) - dst->seqdiff; 4006 if (src->seqdiff) { 4007 /* Modulate sequence numbers */ 4008 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 4009 src->seqdiff), 0); 4010 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 4011 copyback = 1; 4012 } 4013 end = seq + pd->p_len; 4014 if (th->th_flags & TH_SYN) 4015 end++; 4016 if (th->th_flags & TH_FIN) 4017 end++; 4018 } 4019 4020 if ((th->th_flags & TH_ACK) == 0) { 4021 /* Let it pass through the ack skew check */ 4022 ack = dst->seqlo; 4023 } else if ((ack == 0 && 4024 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || 4025 /* broken tcp stacks do not set ack */ 4026 (dst->state < TCPS_SYN_SENT)) { 4027 /* 4028 * Many stacks (ours included) will set the ACK number in an 4029 * FIN|ACK if the SYN times out -- no sequence to ACK. 4030 */ 4031 ack = dst->seqlo; 4032 } 4033 4034 if (seq == end) { 4035 /* Ease sequencing restrictions on no data packets */ 4036 seq = src->seqlo; 4037 end = seq; 4038 } 4039 4040 ackskew = dst->seqlo - ack; 4041 4042 4043 /* 4044 * Need to demodulate the sequence numbers in any TCP SACK options 4045 * (Selective ACK). We could optionally validate the SACK values 4046 * against the current ACK window, either forwards or backwards, but 4047 * I'm not confident that SACK has been implemented properly 4048 * everywhere. It wouldn't surprise me if several stacks accidently 4049 * SACK too far backwards of previously ACKed data. There really aren't 4050 * any security implications of bad SACKing unless the target stack 4051 * doesn't validate the option length correctly. Someone trying to 4052 * spoof into a TCP connection won't bother blindly sending SACK 4053 * options anyway. 4054 */ 4055 if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) { 4056 if (pf_modulate_sack(m, off, pd, th, dst)) 4057 copyback = 1; 4058 } 4059 4060 4061 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ 4062 if (SEQ_GEQ(src->seqhi, end) && 4063 /* Last octet inside other's window space */ 4064 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 4065 /* Retrans: not more than one window back */ 4066 (ackskew >= -MAXACKWINDOW) && 4067 /* Acking not more than one reassembled fragment backwards */ 4068 (ackskew <= (MAXACKWINDOW << sws)) && 4069 /* Acking not more than one window forward */ 4070 ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo || 4071 (orig_seq == src->seqlo + 1) || (pd->flags & PFDESC_IP_REAS) == 0)) { 4072 /* Require an exact/+1 sequence match on resets when possible */ 4073 4074 if (dst->scrub || src->scrub) { 4075 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4076 *state, src, dst, ©back)) 4077 return (PF_DROP); 4078 } 4079 4080 /* update max window */ 4081 if (src->max_win < win) 4082 src->max_win = win; 4083 /* synchronize sequencing */ 4084 if (SEQ_GT(end, src->seqlo)) 4085 src->seqlo = end; 4086 /* slide the window of what the other end can send */ 4087 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 4088 dst->seqhi = ack + MAX((win << sws), 1); 4089 4090 4091 /* update states */ 4092 if (th->th_flags & TH_SYN) 4093 if (src->state < TCPS_SYN_SENT) 4094 src->state = TCPS_SYN_SENT; 4095 if (th->th_flags & TH_FIN) 4096 if (src->state < TCPS_CLOSING) 4097 src->state = TCPS_CLOSING; 4098 if (th->th_flags & TH_ACK) { 4099 if (dst->state == TCPS_SYN_SENT) { 4100 dst->state = TCPS_ESTABLISHED; 4101 if (src->state == TCPS_ESTABLISHED && 4102 (*state)->src_node != NULL && 4103 pf_src_connlimit(state)) { 4104 REASON_SET(reason, PFRES_SRCLIMIT); 4105 return (PF_DROP); 4106 } 4107 } else if (dst->state == TCPS_CLOSING) 4108 dst->state = TCPS_FIN_WAIT_2; 4109 } 4110 if (th->th_flags & TH_RST) 4111 src->state = dst->state = TCPS_TIME_WAIT; 4112 4113 /* update expire time */ 4114 (*state)->expire = time_second; 4115 if (src->state >= TCPS_FIN_WAIT_2 && 4116 dst->state >= TCPS_FIN_WAIT_2) 4117 (*state)->timeout = PFTM_TCP_CLOSED; 4118 else if (src->state >= TCPS_CLOSING && 4119 dst->state >= TCPS_CLOSING) 4120 (*state)->timeout = PFTM_TCP_FIN_WAIT; 4121 else if (src->state < TCPS_ESTABLISHED || 4122 dst->state < TCPS_ESTABLISHED) 4123 (*state)->timeout = PFTM_TCP_OPENING; 4124 else if (src->state >= TCPS_CLOSING || 4125 dst->state >= TCPS_CLOSING) 4126 (*state)->timeout = PFTM_TCP_CLOSING; 4127 else 4128 (*state)->timeout = PFTM_TCP_ESTABLISHED; 4129 4130 /* Fall through to PASS packet */ 4131 4132 } else if ((dst->state < TCPS_SYN_SENT || 4133 dst->state >= TCPS_FIN_WAIT_2 || 4134 src->state >= TCPS_FIN_WAIT_2) && 4135 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && 4136 /* Within a window forward of the originating packet */ 4137 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { 4138 /* Within a window backward of the originating packet */ 4139 4140 /* 4141 * This currently handles three situations: 4142 * 1) Stupid stacks will shotgun SYNs before their peer 4143 * replies. 4144 * 2) When PF catches an already established stream (the 4145 * firewall rebooted, the state table was flushed, routes 4146 * changed...) 4147 * 3) Packets get funky immediately after the connection 4148 * closes (this should catch Solaris spurious ACK|FINs 4149 * that web servers like to spew after a close) 4150 * 4151 * This must be a little more careful than the above code 4152 * since packet floods will also be caught here. We don't 4153 * update the TTL here to mitigate the damage of a packet 4154 * flood and so the same code can handle awkward establishment 4155 * and a loosened connection close. 4156 * In the establishment case, a correct peer response will 4157 * validate the connection, go through the normal state code 4158 * and keep updating the state TTL. 4159 */ 4160 4161 if (pf_status.debug >= PF_DEBUG_MISC) { 4162 printf("pf: loose state match: "); 4163 pf_print_state(*state); 4164 pf_print_flags(th->th_flags); 4165 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " 4166 "pkts=%llu:%llu\n", seq, orig_seq, ack, pd->p_len, 4167 ackskew, 4168 (unsigned long long int)(*state)->packets[0], 4169 (unsigned long long int)(*state)->packets[1]); 4170 } 4171 4172 if (dst->scrub || src->scrub) { 4173 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4174 *state, src, dst, ©back)) 4175 return (PF_DROP); 4176 } 4177 4178 /* update max window */ 4179 if (src->max_win < win) 4180 src->max_win = win; 4181 /* synchronize sequencing */ 4182 if (SEQ_GT(end, src->seqlo)) 4183 src->seqlo = end; 4184 /* slide the window of what the other end can send */ 4185 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 4186 dst->seqhi = ack + MAX((win << sws), 1); 4187 4188 /* 4189 * Cannot set dst->seqhi here since this could be a shotgunned 4190 * SYN and not an already established connection. 4191 */ 4192 4193 if (th->th_flags & TH_FIN) 4194 if (src->state < TCPS_CLOSING) 4195 src->state = TCPS_CLOSING; 4196 if (th->th_flags & TH_RST) 4197 src->state = dst->state = TCPS_TIME_WAIT; 4198 4199 /* Fall through to PASS packet */ 4200 4201 } else { 4202 if ((*state)->dst.state == TCPS_SYN_SENT && 4203 (*state)->src.state == TCPS_SYN_SENT) { 4204 /* Send RST for state mismatches during handshake */ 4205 if (!(th->th_flags & TH_RST)) 4206 pf_send_tcp((*state)->rule.ptr, pd->af, 4207 pd->dst, pd->src, th->th_dport, 4208 th->th_sport, ntohl(th->th_ack), 0, 4209 TH_RST, 0, 0, 4210 (*state)->rule.ptr->return_ttl, 1, 0, 4211 pd->eh, kif->pfik_ifp); 4212 src->seqlo = 0; 4213 src->seqhi = 1; 4214 src->max_win = 1; 4215 } else if (pf_status.debug >= PF_DEBUG_MISC) { 4216 printf("pf: BAD state: "); 4217 pf_print_state(*state); 4218 pf_print_flags(th->th_flags); 4219 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " 4220 "pkts=%llu:%llu dir=%s,%s\n", 4221 seq, orig_seq, ack, pd->p_len, ackskew, 4222 (unsigned long long int)(*state)->packets[0], 4223 (unsigned long long int)(*state)->packets[1], 4224 direction == PF_IN ? "in" : "out", 4225 direction == (*state)->state_key->direction ? 4226 "fwd" : "rev"); 4227 printf("pf: State failure on: %c %c %c %c | %c %c\n", 4228 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 4229 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 4230 ' ': '2', 4231 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 4232 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 4233 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 4234 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 4235 } 4236 REASON_SET(reason, PFRES_BADSTATE); 4237 return (PF_DROP); 4238 } 4239 4240 /* Any packets which have gotten here are to be passed */ 4241 4242 /* translate source/destination address, if necessary */ 4243 if (STATE_TRANSLATE((*state)->state_key)) { 4244 if (direction == PF_OUT) 4245 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 4246 &th->th_sum, &(*state)->state_key->gwy.addr, 4247 (*state)->state_key->gwy.port, 0, pd->af); 4248 else 4249 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, 4250 &th->th_sum, &(*state)->state_key->lan.addr, 4251 (*state)->state_key->lan.port, 0, pd->af); 4252 m_copyback(m, off, sizeof(*th), th); 4253 } else if (copyback) { 4254 /* Copyback sequence modulation or stateful scrub changes */ 4255 m_copyback(m, off, sizeof(*th), th); 4256 } 4257 4258 return (PF_PASS); 4259 } 4260 4261 int 4262 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif, 4263 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 4264 { 4265 struct pf_state_peer *src, *dst; 4266 struct pf_state_key_cmp key; 4267 struct udphdr *uh = pd->hdr.udp; 4268 4269 key.af = pd->af; 4270 key.proto = IPPROTO_UDP; 4271 if (direction == PF_IN) { 4272 PF_ACPY(&key.ext.addr, pd->src, key.af); 4273 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4274 key.ext.port = uh->uh_sport; 4275 key.gwy.port = uh->uh_dport; 4276 } else { 4277 PF_ACPY(&key.lan.addr, pd->src, key.af); 4278 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4279 key.lan.port = uh->uh_sport; 4280 key.ext.port = uh->uh_dport; 4281 } 4282 4283 STATE_LOOKUP(); 4284 4285 if (direction == (*state)->state_key->direction) { 4286 src = &(*state)->src; 4287 dst = &(*state)->dst; 4288 } else { 4289 src = &(*state)->dst; 4290 dst = &(*state)->src; 4291 } 4292 4293 /* update states */ 4294 if (src->state < PFUDPS_SINGLE) 4295 src->state = PFUDPS_SINGLE; 4296 if (dst->state == PFUDPS_SINGLE) 4297 dst->state = PFUDPS_MULTIPLE; 4298 4299 /* update expire time */ 4300 (*state)->expire = time_second; 4301 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 4302 (*state)->timeout = PFTM_UDP_MULTIPLE; 4303 else 4304 (*state)->timeout = PFTM_UDP_SINGLE; 4305 4306 /* translate source/destination address, if necessary */ 4307 if (STATE_TRANSLATE((*state)->state_key)) { 4308 if (direction == PF_OUT) 4309 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, 4310 &uh->uh_sum, &(*state)->state_key->gwy.addr, 4311 (*state)->state_key->gwy.port, 1, pd->af); 4312 else 4313 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, 4314 &uh->uh_sum, &(*state)->state_key->lan.addr, 4315 (*state)->state_key->lan.port, 1, pd->af); 4316 m_copyback(m, off, sizeof(*uh), uh); 4317 } 4318 4319 return (PF_PASS); 4320 } 4321 4322 int 4323 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, 4324 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 4325 u_short *reason) 4326 { 4327 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 4328 u_int16_t icmpid = 0, *icmpsum; 4329 u_int8_t icmptype; 4330 int state_icmp = 0; 4331 struct pf_state_key_cmp key; 4332 4333 icmpsum = NULL; /* XXXGCC -Wuninitialized m68k */ 4334 icmptype = 0; /* XXXGCC -Wuninitialized m68k */ 4335 4336 switch (pd->proto) { 4337 #ifdef INET 4338 case IPPROTO_ICMP: 4339 icmptype = pd->hdr.icmp->icmp_type; 4340 icmpid = pd->hdr.icmp->icmp_id; 4341 icmpsum = &pd->hdr.icmp->icmp_cksum; 4342 4343 if (icmptype == ICMP_UNREACH || 4344 icmptype == ICMP_SOURCEQUENCH || 4345 icmptype == ICMP_REDIRECT || 4346 icmptype == ICMP_TIMXCEED || 4347 icmptype == ICMP_PARAMPROB) 4348 state_icmp++; 4349 break; 4350 #endif /* INET */ 4351 #ifdef INET6 4352 case IPPROTO_ICMPV6: 4353 icmptype = pd->hdr.icmp6->icmp6_type; 4354 icmpid = pd->hdr.icmp6->icmp6_id; 4355 icmpsum = &pd->hdr.icmp6->icmp6_cksum; 4356 4357 if (icmptype == ICMP6_DST_UNREACH || 4358 icmptype == ICMP6_PACKET_TOO_BIG || 4359 icmptype == ICMP6_TIME_EXCEEDED || 4360 icmptype == ICMP6_PARAM_PROB) 4361 state_icmp++; 4362 break; 4363 #endif /* INET6 */ 4364 } 4365 4366 if (!state_icmp) { 4367 4368 /* 4369 * ICMP query/reply message not related to a TCP/UDP packet. 4370 * Search for an ICMP state. 4371 */ 4372 key.af = pd->af; 4373 key.proto = pd->proto; 4374 if (direction == PF_IN) { 4375 PF_ACPY(&key.ext.addr, pd->src, key.af); 4376 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4377 key.ext.port = 0; 4378 key.gwy.port = icmpid; 4379 } else { 4380 PF_ACPY(&key.lan.addr, pd->src, key.af); 4381 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4382 key.lan.port = icmpid; 4383 key.ext.port = 0; 4384 } 4385 4386 STATE_LOOKUP(); 4387 4388 (*state)->expire = time_second; 4389 (*state)->timeout = PFTM_ICMP_ERROR_REPLY; 4390 4391 /* translate source/destination address, if necessary */ 4392 if (STATE_TRANSLATE((*state)->state_key)) { 4393 if (direction == PF_OUT) { 4394 switch (pd->af) { 4395 #ifdef INET 4396 case AF_INET: 4397 pf_change_a(&saddr->v4.s_addr, 4398 pd->ip_sum, 4399 (*state)->state_key->gwy.addr.v4.s_addr, 0); 4400 pd->hdr.icmp->icmp_cksum = 4401 pf_cksum_fixup( 4402 pd->hdr.icmp->icmp_cksum, icmpid, 4403 (*state)->state_key->gwy.port, 0); 4404 pd->hdr.icmp->icmp_id = 4405 (*state)->state_key->gwy.port; 4406 m_copyback(m, off, ICMP_MINLEN, 4407 pd->hdr.icmp); 4408 break; 4409 #endif /* INET */ 4410 #ifdef INET6 4411 case AF_INET6: 4412 pf_change_a6(saddr, 4413 &pd->hdr.icmp6->icmp6_cksum, 4414 &(*state)->state_key->gwy.addr, 0); 4415 m_copyback(m, off, 4416 sizeof(struct icmp6_hdr), 4417 pd->hdr.icmp6); 4418 break; 4419 #endif /* INET6 */ 4420 } 4421 } else { 4422 switch (pd->af) { 4423 #ifdef INET 4424 case AF_INET: 4425 pf_change_a(&daddr->v4.s_addr, 4426 pd->ip_sum, 4427 (*state)->state_key->lan.addr.v4.s_addr, 0); 4428 pd->hdr.icmp->icmp_cksum = 4429 pf_cksum_fixup( 4430 pd->hdr.icmp->icmp_cksum, icmpid, 4431 (*state)->state_key->lan.port, 0); 4432 pd->hdr.icmp->icmp_id = 4433 (*state)->state_key->lan.port; 4434 m_copyback(m, off, ICMP_MINLEN, 4435 pd->hdr.icmp); 4436 break; 4437 #endif /* INET */ 4438 #ifdef INET6 4439 case AF_INET6: 4440 pf_change_a6(daddr, 4441 &pd->hdr.icmp6->icmp6_cksum, 4442 &(*state)->state_key->lan.addr, 0); 4443 m_copyback(m, off, 4444 sizeof(struct icmp6_hdr), 4445 pd->hdr.icmp6); 4446 break; 4447 #endif /* INET6 */ 4448 } 4449 } 4450 } 4451 4452 return (PF_PASS); 4453 4454 } else { 4455 /* 4456 * ICMP error message in response to a TCP/UDP packet. 4457 * Extract the inner TCP/UDP header and search for that state. 4458 */ 4459 4460 struct pf_pdesc pd2; 4461 #ifdef INET 4462 struct ip h2; 4463 #endif /* INET */ 4464 #ifdef INET6 4465 struct ip6_hdr h2_6; 4466 int terminal = 0; 4467 #endif /* INET6 */ 4468 int ipoff2 = 0; 4469 int off2 = 0; 4470 4471 memset(&pd2, 0, sizeof pd2); /* XXX gcc */ 4472 4473 pd2.af = pd->af; 4474 switch (pd->af) { 4475 #ifdef INET 4476 case AF_INET: 4477 /* offset of h2 in mbuf chain */ 4478 ipoff2 = off + ICMP_MINLEN; 4479 4480 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), 4481 NULL, reason, pd2.af)) { 4482 DPFPRINTF(PF_DEBUG_MISC, 4483 ("pf: ICMP error message too short " 4484 "(ip)\n")); 4485 return (PF_DROP); 4486 } 4487 /* 4488 * ICMP error messages don't refer to non-first 4489 * fragments 4490 */ 4491 if (h2.ip_off & htons(IP_OFFMASK)) { 4492 REASON_SET(reason, PFRES_FRAG); 4493 return (PF_DROP); 4494 } 4495 4496 /* offset of protocol header that follows h2 */ 4497 off2 = ipoff2 + (h2.ip_hl << 2); 4498 4499 pd2.proto = h2.ip_p; 4500 pd2.src = (struct pf_addr *)&h2.ip_src; 4501 pd2.dst = (struct pf_addr *)&h2.ip_dst; 4502 pd2.ip_sum = &h2.ip_sum; 4503 break; 4504 #endif /* INET */ 4505 #ifdef INET6 4506 case AF_INET6: 4507 ipoff2 = off + sizeof(struct icmp6_hdr); 4508 4509 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), 4510 NULL, reason, pd2.af)) { 4511 DPFPRINTF(PF_DEBUG_MISC, 4512 ("pf: ICMP error message too short " 4513 "(ip6)\n")); 4514 return (PF_DROP); 4515 } 4516 pd2.proto = h2_6.ip6_nxt; 4517 pd2.src = (struct pf_addr *)&h2_6.ip6_src; 4518 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; 4519 pd2.ip_sum = NULL; 4520 off2 = ipoff2 + sizeof(h2_6); 4521 do { 4522 switch (pd2.proto) { 4523 case IPPROTO_FRAGMENT: 4524 /* 4525 * ICMPv6 error messages for 4526 * non-first fragments 4527 */ 4528 REASON_SET(reason, PFRES_FRAG); 4529 return (PF_DROP); 4530 case IPPROTO_AH: 4531 case IPPROTO_HOPOPTS: 4532 case IPPROTO_ROUTING: 4533 case IPPROTO_DSTOPTS: { 4534 /* get next header and header length */ 4535 struct ip6_ext opt6; 4536 4537 if (!pf_pull_hdr(m, off2, &opt6, 4538 sizeof(opt6), NULL, reason, 4539 pd2.af)) { 4540 DPFPRINTF(PF_DEBUG_MISC, 4541 ("pf: ICMPv6 short opt\n")); 4542 return (PF_DROP); 4543 } 4544 if (pd2.proto == IPPROTO_AH) 4545 off2 += (opt6.ip6e_len + 2) * 4; 4546 else 4547 off2 += (opt6.ip6e_len + 1) * 8; 4548 pd2.proto = opt6.ip6e_nxt; 4549 /* goto the next header */ 4550 break; 4551 } 4552 default: 4553 terminal++; 4554 break; 4555 } 4556 } while (!terminal); 4557 break; 4558 #endif /* INET6 */ 4559 } 4560 4561 switch (pd2.proto) { 4562 case IPPROTO_TCP: { 4563 struct tcphdr th; 4564 u_int32_t seq; 4565 struct pf_state_peer *src, *dst; 4566 u_int8_t dws; 4567 int copyback = 0; 4568 4569 /* 4570 * Only the first 8 bytes of the TCP header can be 4571 * expected. Don't access any TCP header fields after 4572 * th_seq, an ackskew test is not possible. 4573 */ 4574 if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason, 4575 pd2.af)) { 4576 DPFPRINTF(PF_DEBUG_MISC, 4577 ("pf: ICMP error message too short " 4578 "(tcp)\n")); 4579 return (PF_DROP); 4580 } 4581 4582 key.af = pd2.af; 4583 key.proto = IPPROTO_TCP; 4584 if (direction == PF_IN) { 4585 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4586 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4587 key.ext.port = th.th_dport; 4588 key.gwy.port = th.th_sport; 4589 } else { 4590 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4591 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4592 key.lan.port = th.th_dport; 4593 key.ext.port = th.th_sport; 4594 } 4595 4596 STATE_LOOKUP(); 4597 4598 if (direction == (*state)->state_key->direction) { 4599 src = &(*state)->dst; 4600 dst = &(*state)->src; 4601 } else { 4602 src = &(*state)->src; 4603 dst = &(*state)->dst; 4604 } 4605 4606 if (src->wscale && dst->wscale) 4607 dws = dst->wscale & PF_WSCALE_MASK; 4608 else 4609 dws = 0; 4610 4611 /* Demodulate sequence number */ 4612 seq = ntohl(th.th_seq) - src->seqdiff; 4613 if (src->seqdiff) { 4614 pf_change_a(&th.th_seq, icmpsum, 4615 htonl(seq), 0); 4616 copyback = 1; 4617 } 4618 4619 if (!SEQ_GEQ(src->seqhi, seq) || 4620 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) { 4621 if (pf_status.debug >= PF_DEBUG_MISC) { 4622 printf("pf: BAD ICMP %d:%d ", 4623 icmptype, pd->hdr.icmp->icmp_code); 4624 pf_print_host(pd->src, 0, pd->af); 4625 printf(" -> "); 4626 pf_print_host(pd->dst, 0, pd->af); 4627 printf(" state: "); 4628 pf_print_state(*state); 4629 printf(" seq=%u\n", seq); 4630 } 4631 REASON_SET(reason, PFRES_BADSTATE); 4632 return (PF_DROP); 4633 } 4634 4635 if (STATE_TRANSLATE((*state)->state_key)) { 4636 if (direction == PF_IN) { 4637 pf_change_icmp(pd2.src, &th.th_sport, 4638 daddr, &(*state)->state_key->lan.addr, 4639 (*state)->state_key->lan.port, NULL, 4640 pd2.ip_sum, icmpsum, 4641 pd->ip_sum, 0, pd2.af); 4642 } else { 4643 pf_change_icmp(pd2.dst, &th.th_dport, 4644 saddr, &(*state)->state_key->gwy.addr, 4645 (*state)->state_key->gwy.port, NULL, 4646 pd2.ip_sum, icmpsum, 4647 pd->ip_sum, 0, pd2.af); 4648 } 4649 copyback = 1; 4650 } 4651 4652 if (copyback) { 4653 switch (pd2.af) { 4654 #ifdef INET 4655 case AF_INET: 4656 m_copyback(m, off, ICMP_MINLEN, 4657 pd->hdr.icmp); 4658 m_copyback(m, ipoff2, sizeof(h2), 4659 &h2); 4660 break; 4661 #endif /* INET */ 4662 #ifdef INET6 4663 case AF_INET6: 4664 m_copyback(m, off, 4665 sizeof(struct icmp6_hdr), 4666 pd->hdr.icmp6); 4667 m_copyback(m, ipoff2, sizeof(h2_6), 4668 &h2_6); 4669 break; 4670 #endif /* INET6 */ 4671 } 4672 m_copyback(m, off2, 8, &th); 4673 } 4674 4675 return (PF_PASS); 4676 break; 4677 } 4678 case IPPROTO_UDP: { 4679 struct udphdr uh; 4680 4681 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), 4682 NULL, reason, pd2.af)) { 4683 DPFPRINTF(PF_DEBUG_MISC, 4684 ("pf: ICMP error message too short " 4685 "(udp)\n")); 4686 return (PF_DROP); 4687 } 4688 4689 key.af = pd2.af; 4690 key.proto = IPPROTO_UDP; 4691 if (direction == PF_IN) { 4692 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4693 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4694 key.ext.port = uh.uh_dport; 4695 key.gwy.port = uh.uh_sport; 4696 } else { 4697 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4698 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4699 key.lan.port = uh.uh_dport; 4700 key.ext.port = uh.uh_sport; 4701 } 4702 4703 STATE_LOOKUP(); 4704 4705 if (STATE_TRANSLATE((*state)->state_key)) { 4706 if (direction == PF_IN) { 4707 pf_change_icmp(pd2.src, &uh.uh_sport, 4708 daddr, 4709 &(*state)->state_key->lan.addr, 4710 (*state)->state_key->lan.port, 4711 &uh.uh_sum, 4712 pd2.ip_sum, icmpsum, 4713 pd->ip_sum, 1, pd2.af); 4714 } else { 4715 pf_change_icmp(pd2.dst, &uh.uh_dport, 4716 saddr, 4717 &(*state)->state_key->gwy.addr, 4718 (*state)->state_key->gwy.port, &uh.uh_sum, 4719 pd2.ip_sum, icmpsum, 4720 pd->ip_sum, 1, pd2.af); 4721 } 4722 switch (pd2.af) { 4723 #ifdef INET 4724 case AF_INET: 4725 m_copyback(m, off, ICMP_MINLEN, 4726 pd->hdr.icmp); 4727 m_copyback(m, ipoff2, sizeof(h2), &h2); 4728 break; 4729 #endif /* INET */ 4730 #ifdef INET6 4731 case AF_INET6: 4732 m_copyback(m, off, 4733 sizeof(struct icmp6_hdr), 4734 pd->hdr.icmp6); 4735 m_copyback(m, ipoff2, sizeof(h2_6), 4736 &h2_6); 4737 break; 4738 #endif /* INET6 */ 4739 } 4740 m_copyback(m, off2, sizeof(uh), &uh); 4741 } 4742 4743 return (PF_PASS); 4744 break; 4745 } 4746 #ifdef INET 4747 case IPPROTO_ICMP: { 4748 struct icmp iih; 4749 4750 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, 4751 NULL, reason, pd2.af)) { 4752 DPFPRINTF(PF_DEBUG_MISC, 4753 ("pf: ICMP error message too short i" 4754 "(icmp)\n")); 4755 return (PF_DROP); 4756 } 4757 4758 key.af = pd2.af; 4759 key.proto = IPPROTO_ICMP; 4760 if (direction == PF_IN) { 4761 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4762 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4763 key.ext.port = 0; 4764 key.gwy.port = iih.icmp_id; 4765 } else { 4766 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4767 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4768 key.lan.port = iih.icmp_id; 4769 key.ext.port = 0; 4770 } 4771 4772 STATE_LOOKUP(); 4773 4774 if (STATE_TRANSLATE((*state)->state_key)) { 4775 if (direction == PF_IN) { 4776 pf_change_icmp(pd2.src, &iih.icmp_id, 4777 daddr, 4778 &(*state)->state_key->lan.addr, 4779 (*state)->state_key->lan.port, NULL, 4780 pd2.ip_sum, icmpsum, 4781 pd->ip_sum, 0, AF_INET); 4782 } else { 4783 pf_change_icmp(pd2.dst, &iih.icmp_id, 4784 saddr, 4785 &(*state)->state_key->gwy.addr, 4786 (*state)->state_key->gwy.port, NULL, 4787 pd2.ip_sum, icmpsum, 4788 pd->ip_sum, 0, AF_INET); 4789 } 4790 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp); 4791 m_copyback(m, ipoff2, sizeof(h2), &h2); 4792 m_copyback(m, off2, ICMP_MINLEN, &iih); 4793 } 4794 4795 return (PF_PASS); 4796 break; 4797 } 4798 #endif /* INET */ 4799 #ifdef INET6 4800 case IPPROTO_ICMPV6: { 4801 struct icmp6_hdr iih; 4802 4803 if (!pf_pull_hdr(m, off2, &iih, 4804 sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) { 4805 DPFPRINTF(PF_DEBUG_MISC, 4806 ("pf: ICMP error message too short " 4807 "(icmp6)\n")); 4808 return (PF_DROP); 4809 } 4810 4811 key.af = pd2.af; 4812 key.proto = IPPROTO_ICMPV6; 4813 if (direction == PF_IN) { 4814 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4815 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4816 key.ext.port = 0; 4817 key.gwy.port = iih.icmp6_id; 4818 } else { 4819 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4820 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4821 key.lan.port = iih.icmp6_id; 4822 key.ext.port = 0; 4823 } 4824 4825 STATE_LOOKUP(); 4826 4827 if (STATE_TRANSLATE((*state)->state_key)) { 4828 if (direction == PF_IN) { 4829 pf_change_icmp(pd2.src, &iih.icmp6_id, 4830 daddr, 4831 &(*state)->state_key->lan.addr, 4832 (*state)->state_key->lan.port, NULL, 4833 pd2.ip_sum, icmpsum, 4834 pd->ip_sum, 0, AF_INET6); 4835 } else { 4836 pf_change_icmp(pd2.dst, &iih.icmp6_id, 4837 saddr, &(*state)->state_key->gwy.addr, 4838 (*state)->state_key->gwy.port, NULL, 4839 pd2.ip_sum, icmpsum, 4840 pd->ip_sum, 0, AF_INET6); 4841 } 4842 m_copyback(m, off, sizeof(struct icmp6_hdr), 4843 pd->hdr.icmp6); 4844 m_copyback(m, ipoff2, sizeof(h2_6), &h2_6); 4845 m_copyback(m, off2, sizeof(struct icmp6_hdr), 4846 &iih); 4847 } 4848 4849 return (PF_PASS); 4850 break; 4851 } 4852 #endif /* INET6 */ 4853 default: { 4854 key.af = pd2.af; 4855 key.proto = pd2.proto; 4856 if (direction == PF_IN) { 4857 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4858 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4859 key.ext.port = 0; 4860 key.gwy.port = 0; 4861 } else { 4862 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4863 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4864 key.lan.port = 0; 4865 key.ext.port = 0; 4866 } 4867 4868 STATE_LOOKUP(); 4869 4870 if (STATE_TRANSLATE((*state)->state_key)) { 4871 if (direction == PF_IN) { 4872 pf_change_icmp(pd2.src, NULL, 4873 daddr, 4874 &(*state)->state_key->lan.addr, 4875 0, NULL, 4876 pd2.ip_sum, icmpsum, 4877 pd->ip_sum, 0, pd2.af); 4878 } else { 4879 pf_change_icmp(pd2.dst, NULL, 4880 saddr, 4881 &(*state)->state_key->gwy.addr, 4882 0, NULL, 4883 pd2.ip_sum, icmpsum, 4884 pd->ip_sum, 0, pd2.af); 4885 } 4886 switch (pd2.af) { 4887 #ifdef INET 4888 case AF_INET: 4889 m_copyback(m, off, ICMP_MINLEN, 4890 pd->hdr.icmp); 4891 m_copyback(m, ipoff2, sizeof(h2), &h2); 4892 break; 4893 #endif /* INET */ 4894 #ifdef INET6 4895 case AF_INET6: 4896 m_copyback(m, off, 4897 sizeof(struct icmp6_hdr), 4898 pd->hdr.icmp6); 4899 m_copyback(m, ipoff2, sizeof(h2_6), 4900 &h2_6); 4901 break; 4902 #endif /* INET6 */ 4903 } 4904 } 4905 4906 return (PF_PASS); 4907 break; 4908 } 4909 } 4910 } 4911 } 4912 4913 int 4914 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, 4915 struct pf_pdesc *pd) 4916 { 4917 struct pf_state_peer *src, *dst; 4918 struct pf_state_key_cmp key; 4919 4920 key.af = pd->af; 4921 key.proto = pd->proto; 4922 if (direction == PF_IN) { 4923 PF_ACPY(&key.ext.addr, pd->src, key.af); 4924 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4925 key.ext.port = 0; 4926 key.gwy.port = 0; 4927 } else { 4928 PF_ACPY(&key.lan.addr, pd->src, key.af); 4929 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4930 key.lan.port = 0; 4931 key.ext.port = 0; 4932 } 4933 4934 STATE_LOOKUP(); 4935 4936 if (direction == (*state)->state_key->direction) { 4937 src = &(*state)->src; 4938 dst = &(*state)->dst; 4939 } else { 4940 src = &(*state)->dst; 4941 dst = &(*state)->src; 4942 } 4943 4944 /* update states */ 4945 if (src->state < PFOTHERS_SINGLE) 4946 src->state = PFOTHERS_SINGLE; 4947 if (dst->state == PFOTHERS_SINGLE) 4948 dst->state = PFOTHERS_MULTIPLE; 4949 4950 /* update expire time */ 4951 (*state)->expire = time_second; 4952 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 4953 (*state)->timeout = PFTM_OTHER_MULTIPLE; 4954 else 4955 (*state)->timeout = PFTM_OTHER_SINGLE; 4956 4957 /* translate source/destination address, if necessary */ 4958 if (STATE_TRANSLATE((*state)->state_key)) { 4959 if (direction == PF_OUT) 4960 switch (pd->af) { 4961 #ifdef INET 4962 case AF_INET: 4963 pf_change_a(&pd->src->v4.s_addr, 4964 pd->ip_sum, 4965 (*state)->state_key->gwy.addr.v4.s_addr, 4966 0); 4967 break; 4968 #endif /* INET */ 4969 #ifdef INET6 4970 case AF_INET6: 4971 PF_ACPY(pd->src, 4972 &(*state)->state_key->gwy.addr, pd->af); 4973 break; 4974 #endif /* INET6 */ 4975 } 4976 else 4977 switch (pd->af) { 4978 #ifdef INET 4979 case AF_INET: 4980 pf_change_a(&pd->dst->v4.s_addr, 4981 pd->ip_sum, 4982 (*state)->state_key->lan.addr.v4.s_addr, 4983 0); 4984 break; 4985 #endif /* INET */ 4986 #ifdef INET6 4987 case AF_INET6: 4988 PF_ACPY(pd->dst, 4989 &(*state)->state_key->lan.addr, pd->af); 4990 break; 4991 #endif /* INET6 */ 4992 } 4993 } 4994 4995 return (PF_PASS); 4996 } 4997 4998 /* 4999 * ipoff and off are measured from the start of the mbuf chain. 5000 * h must be at "ipoff" on the mbuf chain. 5001 */ 5002 void * 5003 pf_pull_hdr(struct mbuf *m, int off, void *p, int len, 5004 u_short *actionp, u_short *reasonp, sa_family_t af) 5005 { 5006 switch (af) { 5007 #ifdef INET 5008 case AF_INET: { 5009 struct ip *h = mtod(m, struct ip *); 5010 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; 5011 5012 if (fragoff) { 5013 if (fragoff >= len) 5014 ACTION_SET(actionp, PF_PASS); 5015 else { 5016 ACTION_SET(actionp, PF_DROP); 5017 REASON_SET(reasonp, PFRES_FRAG); 5018 } 5019 return (NULL); 5020 } 5021 if (m->m_pkthdr.len < off + len || 5022 ntohs(h->ip_len) < off + len) { 5023 ACTION_SET(actionp, PF_DROP); 5024 REASON_SET(reasonp, PFRES_SHORT); 5025 return (NULL); 5026 } 5027 break; 5028 } 5029 #endif /* INET */ 5030 #ifdef INET6 5031 case AF_INET6: { 5032 struct ip6_hdr *h = mtod(m, struct ip6_hdr *); 5033 5034 if (m->m_pkthdr.len < off + len || 5035 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < 5036 (unsigned)(off + len)) { 5037 ACTION_SET(actionp, PF_DROP); 5038 REASON_SET(reasonp, PFRES_SHORT); 5039 return (NULL); 5040 } 5041 break; 5042 } 5043 #endif /* INET6 */ 5044 } 5045 m_copydata(m, off, len, p); 5046 return (p); 5047 } 5048 5049 int 5050 pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif) 5051 { 5052 #ifdef __NetBSD__ 5053 union { 5054 struct sockaddr dst; 5055 struct sockaddr_in dst4; 5056 struct sockaddr_in6 dst6; 5057 } u; 5058 struct route ro; 5059 int ret = 1; 5060 5061 bzero(&ro, sizeof(ro)); 5062 switch (af) { 5063 case AF_INET: 5064 sockaddr_in_init(&u.dst4, &addr->v4, 0); 5065 break; 5066 #ifdef INET6 5067 case AF_INET6: 5068 sockaddr_in6_init(&u.dst6, &addr->v6, 0, 0, 0); 5069 break; 5070 #endif /* INET6 */ 5071 default: 5072 return (0); 5073 } 5074 rtcache_setdst(&ro, &u.dst); 5075 5076 ret = rtcache_init(&ro) != NULL ? 1 : 0; 5077 rtcache_free(&ro); 5078 5079 return (ret); 5080 #else /* !__NetBSD__ */ 5081 struct sockaddr_in *dst; 5082 int ret = 1; 5083 int check_mpath; 5084 extern int ipmultipath; 5085 #ifdef INET6 5086 extern int ip6_multipath; 5087 struct sockaddr_in6 *dst6; 5088 struct route_in6 ro; 5089 #else 5090 struct route ro; 5091 #endif 5092 struct radix_node *rn; 5093 struct rtentry *rt; 5094 struct ifnet *ifp; 5095 5096 check_mpath = 0; 5097 bzero(&ro, sizeof(ro)); 5098 switch (af) { 5099 case AF_INET: 5100 dst = satosin(&ro.ro_dst); 5101 dst->sin_family = AF_INET; 5102 dst->sin_len = sizeof(*dst); 5103 dst->sin_addr = addr->v4; 5104 if (ipmultipath) 5105 check_mpath = 1; 5106 break; 5107 #ifdef INET6 5108 case AF_INET6: 5109 dst6 = (struct sockaddr_in6 *)&ro.ro_dst; 5110 dst6->sin6_family = AF_INET6; 5111 dst6->sin6_len = sizeof(*dst6); 5112 dst6->sin6_addr = addr->v6; 5113 if (ip6_multipath) 5114 check_mpath = 1; 5115 break; 5116 #endif /* INET6 */ 5117 default: 5118 return (0); 5119 } 5120 5121 /* Skip checks for ipsec interfaces */ 5122 if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC) 5123 goto out; 5124 5125 rtalloc_noclone((struct route *)&ro, NO_CLONING); 5126 5127 if (ro.ro_rt != NULL) { 5128 /* No interface given, this is a no-route check */ 5129 if (kif == NULL) 5130 goto out; 5131 5132 if (kif->pfik_ifp == NULL) { 5133 ret = 0; 5134 goto out; 5135 } 5136 5137 /* Perform uRPF check if passed input interface */ 5138 ret = 0; 5139 rn = (struct radix_node *)ro.ro_rt; 5140 do { 5141 rt = (struct rtentry *)rn; 5142 if (rt->rt_ifp->if_type == IFT_CARP) 5143 ifp = rt->rt_ifp->if_carpdev; 5144 else 5145 ifp = rt->rt_ifp; 5146 5147 if (kif->pfik_ifp == ifp) 5148 ret = 1; 5149 rn = rn_mpath_next(rn); 5150 } while (check_mpath == 1 && rn != NULL && ret == 0); 5151 } else 5152 ret = 0; 5153 out: 5154 if (ro.ro_rt != NULL) 5155 RTFREE(ro.ro_rt); 5156 return (ret); 5157 #endif /* !__NetBSD__ */ 5158 } 5159 5160 int 5161 pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw) 5162 { 5163 #ifdef __NetBSD__ 5164 /* NetBSD doesn't have route labels. */ 5165 5166 return (0); 5167 #else 5168 struct sockaddr_in *dst; 5169 #ifdef INET6 5170 struct sockaddr_in6 *dst6; 5171 struct route_in6 ro; 5172 #else 5173 struct route ro; 5174 #endif 5175 int ret = 0; 5176 5177 bzero(&ro, sizeof(ro)); 5178 switch (af) { 5179 case AF_INET: 5180 dst = satosin(&ro.ro_dst); 5181 dst->sin_family = AF_INET; 5182 dst->sin_len = sizeof(*dst); 5183 dst->sin_addr = addr->v4; 5184 break; 5185 #ifdef INET6 5186 case AF_INET6: 5187 dst6 = (struct sockaddr_in6 *)&ro.ro_dst; 5188 dst6->sin6_family = AF_INET6; 5189 dst6->sin6_len = sizeof(*dst6); 5190 dst6->sin6_addr = addr->v6; 5191 break; 5192 #endif /* INET6 */ 5193 default: 5194 return (0); 5195 } 5196 5197 rtalloc_noclone((struct route *)&ro, NO_CLONING); 5198 5199 if (ro.ro_rt != NULL) { 5200 if (ro.ro_rt->rt_labelid == aw->v.rtlabel) 5201 ret = 1; 5202 RTFREE(ro.ro_rt); 5203 } 5204 5205 return (ret); 5206 #endif /* !__NetBSD__ */ 5207 } 5208 5209 #ifdef INET 5210 void 5211 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 5212 struct pf_state *s, struct pf_pdesc *pd) 5213 { 5214 struct mbuf *m0, *m1; 5215 struct route iproute; 5216 struct route *ro = NULL; 5217 const struct sockaddr *dst; 5218 union { 5219 struct sockaddr dst; 5220 struct sockaddr_in dst4; 5221 } u; 5222 struct ip *ip; 5223 struct ifnet *ifp = NULL; 5224 struct pf_addr naddr; 5225 struct pf_src_node *sn = NULL; 5226 int error = 0; 5227 #ifdef IPSEC 5228 struct m_tag *mtag; 5229 #endif /* IPSEC */ 5230 #ifdef __NetBSD__ 5231 struct pf_mtag *pf_mtag; 5232 #endif /* __NetBSD__ */ 5233 5234 if (m == NULL || *m == NULL || r == NULL || 5235 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 5236 panic("pf_route: invalid parameters"); 5237 5238 #ifdef __NetBSD__ 5239 if ((pf_mtag = pf_get_mtag(*m)) == NULL) { 5240 m0 = *m; 5241 *m = NULL; 5242 goto bad; 5243 } 5244 if (pf_mtag->routed++ > 3) { 5245 m0 = *m; 5246 *m = NULL; 5247 goto bad; 5248 } 5249 #else 5250 if ((*m)->m_pkthdr.pf.routed++ > 3) { 5251 m0 = *m; 5252 *m = NULL; 5253 goto bad; 5254 } 5255 #endif /* !__NetBSD__ */ 5256 5257 if (r->rt == PF_DUPTO) { 5258 if ((m0 = m_dup(*m, 0, M_COPYALL, M_NOWAIT)) == NULL) 5259 return; 5260 } else { 5261 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5262 return; 5263 m0 = *m; 5264 } 5265 5266 if (m0->m_len < sizeof(struct ip)) { 5267 DPFPRINTF(PF_DEBUG_URGENT, 5268 ("pf_route: m0->m_len < sizeof(struct ip)\n")); 5269 goto bad; 5270 } 5271 5272 ip = mtod(m0, struct ip *); 5273 5274 ro = &iproute; 5275 memset(ro, 0, sizeof(*ro)); 5276 sockaddr_in_init(&u.dst4, &ip->ip_dst, 0); 5277 dst = &u.dst; 5278 rtcache_setdst(ro, dst); 5279 5280 if (r->rt == PF_FASTROUTE) { 5281 struct rtentry *rt; 5282 5283 rt = rtcache_init(ro); 5284 5285 if (rt == NULL) { 5286 ip_statinc(IP_STAT_NOROUTE); 5287 goto bad; 5288 } 5289 5290 ifp = rt->rt_ifp; 5291 rt->rt_use++; 5292 5293 if (rt->rt_flags & RTF_GATEWAY) 5294 dst = rt->rt_gateway; 5295 } else { 5296 if (TAILQ_EMPTY(&r->rpool.list)) { 5297 DPFPRINTF(PF_DEBUG_URGENT, 5298 ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n")); 5299 goto bad; 5300 } 5301 if (s == NULL) { 5302 pf_map_addr(AF_INET, r, 5303 (const struct pf_addr *)&ip->ip_src, 5304 &naddr, NULL, &sn); 5305 if (!PF_AZERO(&naddr, AF_INET)) 5306 u.dst4.sin_addr.s_addr = naddr.v4.s_addr; 5307 ifp = r->rpool.cur->kif ? 5308 r->rpool.cur->kif->pfik_ifp : NULL; 5309 } else { 5310 if (!PF_AZERO(&s->rt_addr, AF_INET)) 5311 u.dst4.sin_addr.s_addr = s->rt_addr.v4.s_addr; 5312 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 5313 } 5314 } 5315 if (ifp == NULL) 5316 goto bad; 5317 5318 if (oifp != ifp) { 5319 if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) 5320 goto bad; 5321 else if (m0 == NULL) 5322 goto done; 5323 if (m0->m_len < sizeof(struct ip)) { 5324 DPFPRINTF(PF_DEBUG_URGENT, 5325 ("pf_route: m0->m_len < sizeof(struct ip)\n")); 5326 goto bad; 5327 } 5328 ip = mtod(m0, struct ip *); 5329 } 5330 5331 /* Copied from ip_output. */ 5332 #ifdef IPSEC 5333 /* 5334 * If deferred crypto processing is needed, check that the 5335 * interface supports it. 5336 */ 5337 if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) 5338 != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) { 5339 /* Notify IPsec to do its own crypto. */ 5340 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); 5341 goto bad; 5342 } 5343 #endif /* IPSEC */ 5344 5345 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */ 5346 #ifdef __NetBSD__ 5347 if (m0->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) { 5348 in_delayed_cksum(m0); 5349 m0->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4); 5350 } 5351 #else 5352 if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) { 5353 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || 5354 ifp->if_bridge != NULL) { 5355 in_delayed_cksum(m0); 5356 m0->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */ 5357 } 5358 } else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) { 5359 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || 5360 ifp->if_bridge != NULL) { 5361 in_delayed_cksum(m0); 5362 m0->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */ 5363 } 5364 } 5365 #endif /* !__NetBSD__ */ 5366 5367 if (ntohs(ip->ip_len) <= ifp->if_mtu) { 5368 #ifdef __NetBSD__ 5369 ip->ip_sum = 0; 5370 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 5371 5372 m0->m_pkthdr.csum_flags &= ~M_CSUM_IPv4; 5373 #else 5374 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && 5375 ifp->if_bridge == NULL) { 5376 m0->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 5377 ipstat.ips_outhwcsum++; 5378 } else { 5379 ip->ip_sum = 0; 5380 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 5381 } 5382 /* Update relevant hardware checksum stats for TCP/UDP */ 5383 if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) 5384 tcpstat.tcps_outhwcsum++; 5385 else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) 5386 udpstat.udps_outhwcsum++; 5387 #endif /* !__NetBSD__ */ 5388 error = (*ifp->if_output)(ifp, m0, dst, NULL); 5389 goto done; 5390 } 5391 5392 /* 5393 * Too large for interface; fragment if possible. 5394 * Must be able to put at least 8 bytes per fragment. 5395 */ 5396 if (ip->ip_off & htons(IP_DF)) { 5397 ip_statinc(IP_STAT_CANTFRAG); 5398 if (r->rt != PF_DUPTO) { 5399 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 5400 ifp->if_mtu); 5401 goto done; 5402 } else 5403 goto bad; 5404 } 5405 5406 #ifdef __NetBSD__ 5407 /* Make ip_fragment re-compute checksums. */ 5408 if (IN_NEED_CHECKSUM(ifp, M_CSUM_IPv4)) { 5409 m0->m_pkthdr.csum_flags |= M_CSUM_IPv4; 5410 } 5411 #endif /* __NetBSD__ */ 5412 m1 = m0; 5413 error = ip_fragment(m0, ifp, ifp->if_mtu); 5414 if (error) { 5415 m0 = NULL; 5416 goto bad; 5417 } 5418 5419 for (m0 = m1; m0; m0 = m1) { 5420 m1 = m0->m_nextpkt; 5421 m0->m_nextpkt = 0; 5422 if (error == 0) 5423 error = (*ifp->if_output)(ifp, m0, dst, NULL); 5424 else 5425 m_freem(m0); 5426 } 5427 5428 if (error == 0) 5429 ip_statinc(IP_STAT_FRAGMENTED); 5430 5431 done: 5432 if (r->rt != PF_DUPTO) 5433 *m = NULL; 5434 if (ro == &iproute) 5435 rtcache_free(ro); 5436 return; 5437 5438 bad: 5439 m_freem(m0); 5440 goto done; 5441 } 5442 #endif /* INET */ 5443 5444 #ifdef INET6 5445 void 5446 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 5447 struct pf_state *s, struct pf_pdesc *pd) 5448 { 5449 struct mbuf *m0; 5450 struct sockaddr_in6 dst; 5451 struct ip6_hdr *ip6; 5452 struct ifnet *ifp = NULL; 5453 struct pf_addr naddr; 5454 struct pf_src_node *sn = NULL; 5455 int error = 0; 5456 #ifdef __NetBSD__ 5457 struct pf_mtag *pf_mtag; 5458 #endif /* __NetBSD__ */ 5459 5460 if (m == NULL || *m == NULL || r == NULL || 5461 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 5462 panic("pf_route6: invalid parameters"); 5463 5464 #ifdef __NetBSD__ 5465 if ((pf_mtag = pf_get_mtag(*m)) == NULL) { 5466 m0 = *m; 5467 *m = NULL; 5468 goto bad; 5469 } 5470 if (pf_mtag->routed++ > 3) { 5471 m0 = *m; 5472 *m = NULL; 5473 goto bad; 5474 } 5475 #else 5476 if ((*m)->m_pkthdr.pf.routed++ > 3) { 5477 m0 = *m; 5478 *m = NULL; 5479 goto bad; 5480 } 5481 #endif /* !__NetBSD__ */ 5482 5483 if (r->rt == PF_DUPTO) { 5484 if ((m0 = m_dup(*m, 0, M_COPYALL, M_NOWAIT)) == NULL) 5485 return; 5486 } else { 5487 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5488 return; 5489 m0 = *m; 5490 } 5491 5492 if (m0->m_len < sizeof(struct ip6_hdr)) { 5493 DPFPRINTF(PF_DEBUG_URGENT, 5494 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); 5495 goto bad; 5496 } 5497 ip6 = mtod(m0, struct ip6_hdr *); 5498 5499 dst.sin6_family = AF_INET6; 5500 dst.sin6_len = sizeof(dst); 5501 dst.sin6_addr = ip6->ip6_dst; 5502 5503 /* Cheat. XXX why only in the v6 case??? */ 5504 if (r->rt == PF_FASTROUTE) { 5505 #ifdef __NetBSD__ 5506 pf_mtag->flags |= PF_TAG_GENERATED; 5507 #else 5508 m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; 5509 #endif /* !__NetBSD__ */ 5510 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); 5511 return; 5512 } 5513 5514 if (TAILQ_EMPTY(&r->rpool.list)) { 5515 DPFPRINTF(PF_DEBUG_URGENT, 5516 ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n")); 5517 goto bad; 5518 } 5519 if (s == NULL) { 5520 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, 5521 &naddr, NULL, &sn); 5522 if (!PF_AZERO(&naddr, AF_INET6)) 5523 PF_ACPY((struct pf_addr *)&dst.sin6_addr, 5524 &naddr, AF_INET6); 5525 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; 5526 } else { 5527 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5528 PF_ACPY((struct pf_addr *)&dst.sin6_addr, 5529 &s->rt_addr, AF_INET6); 5530 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 5531 } 5532 if (ifp == NULL) 5533 goto bad; 5534 5535 if (oifp != ifp) { 5536 if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS) 5537 goto bad; 5538 else if (m0 == NULL) 5539 goto done; 5540 if (m0->m_len < sizeof(struct ip6_hdr)) { 5541 DPFPRINTF(PF_DEBUG_URGENT, 5542 ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); 5543 goto bad; 5544 } 5545 ip6 = mtod(m0, struct ip6_hdr *); 5546 } 5547 5548 /* 5549 * If the packet is too large for the outgoing interface, 5550 * send back an icmp6 error. 5551 */ 5552 if (IN6_IS_SCOPE_EMBEDDABLE(&dst.sin6_addr)) 5553 dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5554 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 5555 error = nd6_output(ifp, ifp, m0, &dst, NULL); 5556 } else { 5557 in6_ifstat_inc(ifp, ifs6_in_toobig); 5558 if (r->rt != PF_DUPTO) 5559 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 5560 else 5561 goto bad; 5562 } 5563 5564 done: 5565 if (r->rt != PF_DUPTO) 5566 *m = NULL; 5567 return; 5568 5569 bad: 5570 m_freem(m0); 5571 goto done; 5572 } 5573 #endif /* INET6 */ 5574 5575 5576 /* 5577 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag 5578 * off is the offset where the protocol header starts 5579 * len is the total length of protocol header plus payload 5580 * returns 0 when the checksum is valid, otherwise returns 1. 5581 */ 5582 #ifdef __NetBSD__ 5583 int 5584 pf_check_proto_cksum(struct mbuf *m, int direction, int off, int len, 5585 u_int8_t p, sa_family_t af) 5586 #else 5587 int 5588 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, 5589 sa_family_t af) 5590 #endif /* !__NetBSD__ */ 5591 { 5592 #ifndef __NetBSD__ 5593 u_int16_t flag_ok, flag_bad; 5594 #endif /* !__NetBSD__ */ 5595 u_int16_t sum; 5596 5597 #ifndef __NetBSD__ 5598 switch (p) { 5599 case IPPROTO_TCP: 5600 flag_ok = M_TCP_CSUM_IN_OK; 5601 flag_bad = M_TCP_CSUM_IN_BAD; 5602 break; 5603 case IPPROTO_UDP: 5604 flag_ok = M_UDP_CSUM_IN_OK; 5605 flag_bad = M_UDP_CSUM_IN_BAD; 5606 break; 5607 case IPPROTO_ICMP: 5608 #ifdef INET6 5609 case IPPROTO_ICMPV6: 5610 #endif /* INET6 */ 5611 flag_ok = flag_bad = 0; 5612 break; 5613 default: 5614 return (1); 5615 } 5616 if (m->m_pkthdr.csum_flags & flag_ok) 5617 return (0); 5618 if (m->m_pkthdr.csum_flags & flag_bad) 5619 return (1); 5620 #endif /* !__NetBSD__ */ 5621 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 5622 return (1); 5623 if (m->m_pkthdr.len < off + len) 5624 return (1); 5625 #ifdef __NetBSD__ 5626 if (direction == PF_IN) { 5627 switch (p) { 5628 case IPPROTO_TCP: { 5629 struct tcphdr th; /* XXX */ 5630 int thlen; 5631 5632 m_copydata(m, off, sizeof(th), &th); /* XXX */ 5633 thlen = th.th_off << 2; 5634 return tcp_input_checksum(af, m, &th, off, 5635 thlen, len - thlen) != 0; 5636 } 5637 5638 case IPPROTO_UDP: { 5639 struct udphdr uh; /* XXX */ 5640 5641 m_copydata(m, off, sizeof(uh), &uh); /* XXX */ 5642 return udp_input_checksum(af, m, &uh, off, len) != 0; 5643 } 5644 } 5645 } 5646 #endif /* __NetBSD__ */ 5647 switch (af) { 5648 #ifdef INET 5649 case AF_INET: 5650 if (p == IPPROTO_ICMP) { 5651 if (m->m_len < off) 5652 return (1); 5653 m->m_data += off; 5654 m->m_len -= off; 5655 sum = in_cksum(m, len); 5656 m->m_data -= off; 5657 m->m_len += off; 5658 } else { 5659 if (m->m_len < sizeof(struct ip)) 5660 return (1); 5661 sum = in4_cksum(m, p, off, len); 5662 } 5663 break; 5664 #endif /* INET */ 5665 #ifdef INET6 5666 case AF_INET6: 5667 if (m->m_len < sizeof(struct ip6_hdr)) 5668 return (1); 5669 sum = in6_cksum(m, p, off, len); 5670 break; 5671 #endif /* INET6 */ 5672 default: 5673 return (1); 5674 } 5675 if (sum) { 5676 #ifndef __NetBSD__ 5677 m->m_pkthdr.csum_flags |= flag_bad; 5678 #endif /* !__NetBSD__ */ 5679 switch (p) { 5680 case IPPROTO_TCP: 5681 tcp_statinc(TCP_STAT_RCVBADSUM); 5682 break; 5683 case IPPROTO_UDP: 5684 udp_statinc(UDP_STAT_BADSUM); 5685 break; 5686 case IPPROTO_ICMP: 5687 icmp_statinc(ICMP_STAT_CHECKSUM); 5688 break; 5689 #ifdef INET6 5690 case IPPROTO_ICMPV6: 5691 icmp6_statinc(ICMP6_STAT_CHECKSUM); 5692 break; 5693 #endif /* INET6 */ 5694 } 5695 return (1); 5696 } 5697 #ifndef __NetBSD__ 5698 m->m_pkthdr.csum_flags |= flag_ok; 5699 #endif /* !__NetBSD__ */ 5700 return (0); 5701 } 5702 5703 #ifdef INET 5704 int 5705 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, 5706 struct ether_header *eh) 5707 { 5708 struct pfi_kif *kif; 5709 u_short action, reason = 0, log = 0; 5710 struct mbuf *m = *m0; 5711 struct ip *h = NULL; 5712 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5713 struct pf_state *s = NULL; 5714 struct pf_state_key *sk = NULL; 5715 struct pf_ruleset *ruleset = NULL; 5716 struct pf_pdesc pd; 5717 int off, dirndx, pqid = 0; 5718 #ifdef __NetBSD__ 5719 struct pf_mtag *pf_mtag = NULL; /* XXX gcc */ 5720 #endif /* __NetBSD__ */ 5721 5722 if (!pf_status.running) 5723 return (PF_PASS); 5724 5725 memset(&pd, 0, sizeof(pd)); 5726 if (ifp->if_type == IFT_CARP && ifp->if_carpdev) 5727 kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; 5728 else 5729 kif = (struct pfi_kif *)ifp->if_pf_kif; 5730 5731 if (kif == NULL) { 5732 DPFPRINTF(PF_DEBUG_URGENT, 5733 ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname)); 5734 return (PF_DROP); 5735 } 5736 if (kif->pfik_flags & PFI_IFLAG_SKIP) 5737 return (PF_PASS); 5738 5739 #ifdef DIAGNOSTIC 5740 if ((m->m_flags & M_PKTHDR) == 0) 5741 panic("non-M_PKTHDR is passed to pf_test"); 5742 #endif /* DIAGNOSTIC */ 5743 5744 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5745 action = PF_DROP; 5746 REASON_SET(&reason, PFRES_SHORT); 5747 log = 1; 5748 goto done; 5749 } 5750 5751 #ifdef __NetBSD__ 5752 if ((pf_mtag = pf_get_mtag(m)) == NULL) { 5753 DPFPRINTF(PF_DEBUG_URGENT, 5754 ("pf_test: pf_get_mtag returned NULL\n")); 5755 return (PF_DROP); 5756 } 5757 if (pf_mtag->flags & PF_TAG_GENERATED) 5758 return (PF_PASS); 5759 #else 5760 if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) 5761 return (PF_PASS); 5762 #endif /* !__NetBSD__ */ 5763 5764 /* We do IP header normalization and packet reassembly here */ 5765 if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) { 5766 action = PF_DROP; 5767 goto done; 5768 } 5769 m = *m0; /* pf_normalize messes with m0 */ 5770 h = mtod(m, struct ip *); 5771 5772 off = h->ip_hl << 2; 5773 if (off < (int)sizeof(*h)) { 5774 action = PF_DROP; 5775 REASON_SET(&reason, PFRES_SHORT); 5776 log = 1; 5777 goto done; 5778 } 5779 5780 pd.src = (struct pf_addr *)&h->ip_src; 5781 pd.dst = (struct pf_addr *)&h->ip_dst; 5782 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET); 5783 pd.ip_sum = &h->ip_sum; 5784 pd.proto = h->ip_p; 5785 pd.af = AF_INET; 5786 pd.tos = h->ip_tos; 5787 pd.tot_len = ntohs(h->ip_len); 5788 pd.eh = eh; 5789 5790 /* handle fragments that didn't get reassembled by normalization */ 5791 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) { 5792 action = pf_test_fragment(&r, dir, kif, m, h, 5793 &pd, &a, &ruleset); 5794 goto done; 5795 } 5796 5797 switch (h->ip_p) { 5798 5799 case IPPROTO_TCP: { 5800 struct tcphdr th; 5801 5802 pd.hdr.tcp = &th; 5803 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5804 &action, &reason, AF_INET)) { 5805 log = action != PF_PASS; 5806 goto done; 5807 } 5808 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5809 if ((th.th_flags & TH_ACK) && pd.p_len == 0) 5810 pqid = 1; 5811 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5812 if (action == PF_DROP) 5813 goto done; 5814 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5815 &reason); 5816 if (action == PF_PASS) { 5817 #if NPFSYNC 5818 pfsync_update_state(s); 5819 #endif /* NPFSYNC */ 5820 r = s->rule.ptr; 5821 a = s->anchor.ptr; 5822 log = s->log; 5823 } else if (s == NULL) 5824 action = pf_test_rule(&r, &s, dir, kif, 5825 m, off, h, &pd, &a, &ruleset, &ipintrq); 5826 break; 5827 } 5828 5829 case IPPROTO_UDP: { 5830 struct udphdr uh; 5831 5832 pd.hdr.udp = &uh; 5833 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5834 &action, &reason, AF_INET)) { 5835 log = action != PF_PASS; 5836 goto done; 5837 } 5838 if (uh.uh_dport == 0 || 5839 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5840 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5841 action = PF_DROP; 5842 REASON_SET(&reason, PFRES_SHORT); 5843 goto done; 5844 } 5845 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5846 if (action == PF_PASS) { 5847 #if NPFSYNC 5848 pfsync_update_state(s); 5849 #endif /* NPFSYNC */ 5850 r = s->rule.ptr; 5851 a = s->anchor.ptr; 5852 log = s->log; 5853 } else if (s == NULL) 5854 action = pf_test_rule(&r, &s, dir, kif, 5855 m, off, h, &pd, &a, &ruleset, &ipintrq); 5856 break; 5857 } 5858 5859 case IPPROTO_ICMP: { 5860 struct icmp ih; 5861 5862 pd.hdr.icmp = &ih; 5863 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 5864 &action, &reason, AF_INET)) { 5865 log = action != PF_PASS; 5866 goto done; 5867 } 5868 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, 5869 &reason); 5870 if (action == PF_PASS) { 5871 #if NPFSYNC 5872 pfsync_update_state(s); 5873 #endif /* NPFSYNC */ 5874 r = s->rule.ptr; 5875 a = s->anchor.ptr; 5876 log = s->log; 5877 } else if (s == NULL) 5878 action = pf_test_rule(&r, &s, dir, kif, 5879 m, off, h, &pd, &a, &ruleset, &ipintrq); 5880 break; 5881 } 5882 5883 #ifdef INET6 5884 case IPPROTO_ICMPV6: { 5885 action = PF_DROP; 5886 DPFPRINTF(PF_DEBUG_MISC, 5887 ("pf: dropping IPv4 packet with ICMPv6 payload\n")); 5888 goto done; 5889 } 5890 #endif 5891 5892 default: 5893 action = pf_test_state_other(&s, dir, kif, &pd); 5894 if (action == PF_PASS) { 5895 #if NPFSYNC 5896 pfsync_update_state(s); 5897 #endif /* NPFSYNC */ 5898 r = s->rule.ptr; 5899 a = s->anchor.ptr; 5900 log = s->log; 5901 } else if (s == NULL) 5902 action = pf_test_rule(&r, &s, dir, kif, m, off, h, 5903 &pd, &a, &ruleset, &ipintrq); 5904 break; 5905 } 5906 5907 done: 5908 if (action == PF_PASS && h->ip_hl > 5 && 5909 !((s && s->allow_opts) || r->allow_opts)) { 5910 action = PF_DROP; 5911 REASON_SET(&reason, PFRES_IPOPTIONS); 5912 log = 1; 5913 DPFPRINTF(PF_DEBUG_MISC, 5914 ("pf: dropping packet with ip options\n")); 5915 } 5916 5917 if ((s && s->tag) || r->rtableid) 5918 pf_tag_packet(m, s ? s->tag : 0, r->rtableid); 5919 5920 #ifdef ALTQ 5921 if (action == PF_PASS && r->qid) { 5922 #ifdef __NetBSD__ 5923 struct m_tag *mtag; 5924 struct altq_tag *atag; 5925 5926 mtag = m_tag_get(PACKET_TAG_ALTQ_QID, sizeof(*atag), M_NOWAIT); 5927 if (mtag != NULL) { 5928 atag = (struct altq_tag *)(mtag + 1); 5929 if (pqid || (pd.tos & IPTOS_LOWDELAY)) 5930 atag->qid = r->pqid; 5931 else 5932 atag->qid = r->qid; 5933 /* add hints for ecn */ 5934 atag->af = AF_INET; 5935 atag->hdr = h; 5936 m_tag_prepend(m, mtag); 5937 } 5938 #else 5939 if (pqid || (pd.tos & IPTOS_LOWDELAY)) 5940 m->m_pkthdr.pf.qid = r->pqid; 5941 else 5942 m->m_pkthdr.pf.qid = r->qid; 5943 /* add hints for ecn */ 5944 m->m_pkthdr.pf.hdr = h; 5945 #endif /* !__NetBSD__ */ 5946 } 5947 #endif /* ALTQ */ 5948 5949 /* 5950 * connections redirected to loopback should not match sockets 5951 * bound specifically to loopback due to security implications, 5952 * see tcp_input() and in_pcblookup_listen(). 5953 */ 5954 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5955 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5956 (s->nat_rule.ptr->action == PF_RDR || 5957 s->nat_rule.ptr->action == PF_BINAT) && 5958 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) 5959 #ifdef __NetBSD__ 5960 pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST; 5961 #else 5962 m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; 5963 #endif /* !__NetBSD__ */ 5964 5965 if (log) { 5966 struct pf_rule *lr; 5967 5968 if (s != NULL && s->nat_rule.ptr != NULL && 5969 s->nat_rule.ptr->log & PF_LOG_ALL) 5970 lr = s->nat_rule.ptr; 5971 else 5972 lr = r; 5973 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset, 5974 &pd); 5975 } 5976 5977 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5978 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++; 5979 5980 if (action == PF_PASS || r->action == PF_DROP) { 5981 dirndx = (dir == PF_OUT); 5982 r->packets[dirndx]++; 5983 r->bytes[dirndx] += pd.tot_len; 5984 if (a != NULL) { 5985 a->packets[dirndx]++; 5986 a->bytes[dirndx] += pd.tot_len; 5987 } 5988 if (s != NULL) { 5989 sk = s->state_key; 5990 if (s->nat_rule.ptr != NULL) { 5991 s->nat_rule.ptr->packets[dirndx]++; 5992 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len; 5993 } 5994 if (s->src_node != NULL) { 5995 s->src_node->packets[dirndx]++; 5996 s->src_node->bytes[dirndx] += pd.tot_len; 5997 } 5998 if (s->nat_src_node != NULL) { 5999 s->nat_src_node->packets[dirndx]++; 6000 s->nat_src_node->bytes[dirndx] += pd.tot_len; 6001 } 6002 dirndx = (dir == sk->direction) ? 0 : 1; 6003 s->packets[dirndx]++; 6004 s->bytes[dirndx] += pd.tot_len; 6005 } 6006 tr = r; 6007 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 6008 if (nr != NULL) { 6009 struct pf_addr *x; 6010 /* 6011 * XXX: we need to make sure that the addresses 6012 * passed to pfr_update_stats() are the same than 6013 * the addresses used during matching (pfr_match) 6014 */ 6015 if (r == &pf_default_rule) { 6016 tr = nr; 6017 x = (sk == NULL || sk->direction == dir) ? 6018 &pd.baddr : &pd.naddr; 6019 } else 6020 x = (sk == NULL || sk->direction == dir) ? 6021 &pd.naddr : &pd.baddr; 6022 if (x == &pd.baddr || s == NULL) { 6023 /* we need to change the address */ 6024 if (dir == PF_OUT) 6025 pd.src = x; 6026 else 6027 pd.dst = x; 6028 } 6029 } 6030 if (tr->src.addr.type == PF_ADDR_TABLE) 6031 pfr_update_stats(tr->src.addr.p.tbl, (sk == NULL || 6032 sk->direction == dir) ? 6033 pd.src : pd.dst, pd.af, 6034 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 6035 tr->src.neg); 6036 if (tr->dst.addr.type == PF_ADDR_TABLE) 6037 pfr_update_stats(tr->dst.addr.p.tbl, (sk == NULL || 6038 sk->direction == dir) ? pd.dst : pd.src, pd.af, 6039 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 6040 tr->dst.neg); 6041 } 6042 6043 6044 if (action == PF_SYNPROXY_DROP) { 6045 m_freem(*m0); 6046 *m0 = NULL; 6047 action = PF_PASS; 6048 } else if (r->rt) 6049 /* pf_route can free the mbuf causing *m0 to become NULL */ 6050 pf_route(m0, r, dir, kif->pfik_ifp, s, &pd); 6051 6052 return (action); 6053 } 6054 #endif /* INET */ 6055 6056 #ifdef INET6 6057 int 6058 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, 6059 struct ether_header *eh) 6060 { 6061 struct pfi_kif *kif; 6062 u_short action, reason = 0, log = 0; 6063 struct mbuf *m = *m0, *n = NULL; 6064 struct ip6_hdr *h = NULL; /* XXX gcc */ 6065 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 6066 struct pf_state *s = NULL; 6067 struct pf_state_key *sk = NULL; 6068 struct pf_ruleset *ruleset = NULL; 6069 struct pf_pdesc pd; 6070 int off, terminal = 0, dirndx, rh_cnt = 0; 6071 #ifdef __NetBSD__ 6072 struct pf_mtag *pf_mtag = NULL; /* XXX gcc */ 6073 #endif /* __NetBSD__ */ 6074 6075 if (!pf_status.running) 6076 return (PF_PASS); 6077 6078 memset(&pd, 0, sizeof(pd)); 6079 if (ifp->if_type == IFT_CARP && ifp->if_carpdev) 6080 kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; 6081 else 6082 kif = (struct pfi_kif *)ifp->if_pf_kif; 6083 6084 if (kif == NULL) { 6085 DPFPRINTF(PF_DEBUG_URGENT, 6086 ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname)); 6087 return (PF_DROP); 6088 } 6089 if (kif->pfik_flags & PFI_IFLAG_SKIP) 6090 return (PF_PASS); 6091 6092 #ifdef DIAGNOSTIC 6093 if ((m->m_flags & M_PKTHDR) == 0) 6094 panic("non-M_PKTHDR is passed to pf_test6"); 6095 #endif /* DIAGNOSTIC */ 6096 6097 if (m->m_pkthdr.len < (int)sizeof(*h)) { 6098 action = PF_DROP; 6099 REASON_SET(&reason, PFRES_SHORT); 6100 log = 1; 6101 goto done; 6102 } 6103 6104 #ifdef __NetBSD__ 6105 if ((pf_mtag = pf_get_mtag(m)) == NULL) { 6106 DPFPRINTF(PF_DEBUG_URGENT, 6107 ("pf_test6: pf_get_mtag returned NULL\n")); 6108 return (PF_DROP); 6109 } 6110 if (pf_mtag->flags & PF_TAG_GENERATED) 6111 return (PF_PASS); 6112 #else 6113 if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) 6114 return (PF_PASS); 6115 #endif /* !__NetBSD__ */ 6116 6117 /* We do IP header normalization and packet reassembly here */ 6118 if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) { 6119 action = PF_DROP; 6120 goto done; 6121 } 6122 m = *m0; /* pf_normalize messes with m0 */ 6123 h = mtod(m, struct ip6_hdr *); 6124 6125 #if 1 6126 /* 6127 * we do not support jumbogram yet. if we keep going, zero ip6_plen 6128 * will do something bad, so drop the packet for now. 6129 */ 6130 if (htons(h->ip6_plen) == 0) { 6131 action = PF_DROP; 6132 REASON_SET(&reason, PFRES_NORM); /*XXX*/ 6133 goto done; 6134 } 6135 #endif 6136 6137 pd.src = (struct pf_addr *)&h->ip6_src; 6138 pd.dst = (struct pf_addr *)&h->ip6_dst; 6139 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6); 6140 pd.ip_sum = NULL; 6141 pd.af = AF_INET6; 6142 pd.tos = 0; 6143 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); 6144 pd.eh = eh; 6145 6146 off = ((char *)h - m->m_data) + sizeof(struct ip6_hdr); 6147 pd.proto = h->ip6_nxt; 6148 do { 6149 switch (pd.proto) { 6150 case IPPROTO_FRAGMENT: 6151 action = pf_test_fragment(&r, dir, kif, m, h, 6152 &pd, &a, &ruleset); 6153 if (action == PF_DROP) 6154 REASON_SET(&reason, PFRES_FRAG); 6155 goto done; 6156 case IPPROTO_ROUTING: { 6157 struct ip6_rthdr rthdr; 6158 6159 if (rh_cnt++) { 6160 DPFPRINTF(PF_DEBUG_MISC, 6161 ("pf: IPv6 more than one rthdr\n")); 6162 action = PF_DROP; 6163 REASON_SET(&reason, PFRES_IPOPTIONS); 6164 log = 1; 6165 goto done; 6166 } 6167 if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL, 6168 &reason, pd.af)) { 6169 DPFPRINTF(PF_DEBUG_MISC, 6170 ("pf: IPv6 short rthdr\n")); 6171 action = PF_DROP; 6172 REASON_SET(&reason, PFRES_SHORT); 6173 log = 1; 6174 goto done; 6175 } 6176 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { 6177 DPFPRINTF(PF_DEBUG_MISC, 6178 ("pf: IPv6 rthdr0\n")); 6179 action = PF_DROP; 6180 REASON_SET(&reason, PFRES_IPOPTIONS); 6181 log = 1; 6182 goto done; 6183 } 6184 /* FALLTHROUGH */ 6185 } 6186 case IPPROTO_AH: 6187 case IPPROTO_HOPOPTS: 6188 case IPPROTO_DSTOPTS: { 6189 /* get next header and header length */ 6190 struct ip6_ext opt6; 6191 6192 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), 6193 NULL, &reason, pd.af)) { 6194 DPFPRINTF(PF_DEBUG_MISC, 6195 ("pf: IPv6 short opt\n")); 6196 action = PF_DROP; 6197 log = 1; 6198 goto done; 6199 } 6200 if (pd.proto == IPPROTO_AH) 6201 off += (opt6.ip6e_len + 2) * 4; 6202 else 6203 off += (opt6.ip6e_len + 1) * 8; 6204 pd.proto = opt6.ip6e_nxt; 6205 /* goto the next header */ 6206 break; 6207 } 6208 default: 6209 terminal++; 6210 break; 6211 } 6212 } while (!terminal); 6213 6214 /* if there's no routing header, use unmodified mbuf for checksumming */ 6215 if (!n) 6216 n = m; 6217 6218 switch (pd.proto) { 6219 6220 case IPPROTO_TCP: { 6221 struct tcphdr th; 6222 6223 pd.hdr.tcp = &th; 6224 if (!pf_pull_hdr(m, off, &th, sizeof(th), 6225 &action, &reason, AF_INET6)) { 6226 log = action != PF_PASS; 6227 goto done; 6228 } 6229 pd.p_len = pd.tot_len - off - (th.th_off << 2); 6230 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 6231 if (action == PF_DROP) 6232 goto done; 6233 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 6234 &reason); 6235 if (action == PF_PASS) { 6236 #if NPFSYNC 6237 pfsync_update_state(s); 6238 #endif /* NPFSYNC */ 6239 r = s->rule.ptr; 6240 a = s->anchor.ptr; 6241 log = s->log; 6242 } else if (s == NULL) 6243 action = pf_test_rule(&r, &s, dir, kif, 6244 m, off, h, &pd, &a, &ruleset, &ip6intrq); 6245 break; 6246 } 6247 6248 case IPPROTO_UDP: { 6249 struct udphdr uh; 6250 6251 pd.hdr.udp = &uh; 6252 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 6253 &action, &reason, AF_INET6)) { 6254 log = action != PF_PASS; 6255 goto done; 6256 } 6257 if (uh.uh_dport == 0 || 6258 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 6259 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 6260 action = PF_DROP; 6261 REASON_SET(&reason, PFRES_SHORT); 6262 goto done; 6263 } 6264 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 6265 if (action == PF_PASS) { 6266 #if NPFSYNC 6267 pfsync_update_state(s); 6268 #endif /* NPFSYNC */ 6269 r = s->rule.ptr; 6270 a = s->anchor.ptr; 6271 log = s->log; 6272 } else if (s == NULL) 6273 action = pf_test_rule(&r, &s, dir, kif, 6274 m, off, h, &pd, &a, &ruleset, &ip6intrq); 6275 break; 6276 } 6277 6278 #ifdef INET 6279 case IPPROTO_ICMP: { 6280 action = PF_DROP; 6281 DPFPRINTF(PF_DEBUG_MISC, 6282 ("pf: dropping IPv6 packet with ICMPv4 payload\n")); 6283 goto done; 6284 } 6285 #endif 6286 6287 case IPPROTO_ICMPV6: { 6288 struct icmp6_hdr ih; 6289 6290 pd.hdr.icmp6 = &ih; 6291 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 6292 &action, &reason, AF_INET6)) { 6293 log = action != PF_PASS; 6294 goto done; 6295 } 6296 action = pf_test_state_icmp(&s, dir, kif, 6297 m, off, h, &pd, &reason); 6298 if (action == PF_PASS) { 6299 #if NPFSYNC 6300 pfsync_update_state(s); 6301 #endif /* NPFSYNC */ 6302 r = s->rule.ptr; 6303 a = s->anchor.ptr; 6304 log = s->log; 6305 } else if (s == NULL) 6306 action = pf_test_rule(&r, &s, dir, kif, 6307 m, off, h, &pd, &a, &ruleset, &ip6intrq); 6308 break; 6309 } 6310 6311 default: 6312 action = pf_test_state_other(&s, dir, kif, &pd); 6313 if (action == PF_PASS) { 6314 #if NPFSYNC 6315 pfsync_update_state(s); 6316 #endif /* NPFSYNC */ 6317 r = s->rule.ptr; 6318 a = s->anchor.ptr; 6319 log = s->log; 6320 } else if (s == NULL) 6321 action = pf_test_rule(&r, &s, dir, kif, m, off, h, 6322 &pd, &a, &ruleset, &ip6intrq); 6323 break; 6324 } 6325 6326 done: 6327 if (n != m) { 6328 m_freem(n); 6329 n = NULL; 6330 } 6331 6332 /* handle dangerous IPv6 extension headers. */ 6333 if (action == PF_PASS && rh_cnt && 6334 !((s && s->allow_opts) || r->allow_opts)) { 6335 action = PF_DROP; 6336 REASON_SET(&reason, PFRES_IPOPTIONS); 6337 log = 1; 6338 DPFPRINTF(PF_DEBUG_MISC, 6339 ("pf: dropping packet with dangerous v6 headers\n")); 6340 } 6341 6342 if ((s && s->tag) || r->rtableid) 6343 pf_tag_packet(m, s ? s->tag : 0, r->rtableid); 6344 6345 #ifdef ALTQ 6346 if (action == PF_PASS && r->qid) { 6347 #ifdef __NetBSD__ 6348 struct m_tag *mtag; 6349 struct altq_tag *atag; 6350 6351 mtag = m_tag_get(PACKET_TAG_ALTQ_QID, sizeof(*atag), M_NOWAIT); 6352 if (mtag != NULL) { 6353 atag = (struct altq_tag *)(mtag + 1); 6354 if (pd.tos & IPTOS_LOWDELAY) 6355 atag->qid = r->pqid; 6356 else 6357 atag->qid = r->qid; 6358 /* add hints for ecn */ 6359 atag->af = AF_INET6; 6360 atag->hdr = h; 6361 m_tag_prepend(m, mtag); 6362 } 6363 #else 6364 if (pd.tos & IPTOS_LOWDELAY) 6365 m->m_pkthdr.pf.qid = r->pqid; 6366 else 6367 m->m_pkthdr.pf.qid = r->qid; 6368 /* add hints for ecn */ 6369 m->m_pkthdr.pf.hdr = h; 6370 #endif /* !__NetBSD__ */ 6371 } 6372 #endif /* ALTQ */ 6373 6374 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 6375 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 6376 (s->nat_rule.ptr->action == PF_RDR || 6377 s->nat_rule.ptr->action == PF_BINAT) && 6378 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) 6379 #ifdef __NetBSD__ 6380 pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST; 6381 #else 6382 m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; 6383 #endif /* !__NetBSD__ */ 6384 6385 if (log) { 6386 struct pf_rule *lr; 6387 6388 if (s != NULL && s->nat_rule.ptr != NULL && 6389 s->nat_rule.ptr->log & PF_LOG_ALL) 6390 lr = s->nat_rule.ptr; 6391 else 6392 lr = r; 6393 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset, 6394 &pd); 6395 } 6396 6397 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 6398 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++; 6399 6400 if (action == PF_PASS || r->action == PF_DROP) { 6401 dirndx = (dir == PF_OUT); 6402 r->packets[dirndx]++; 6403 r->bytes[dirndx] += pd.tot_len; 6404 if (a != NULL) { 6405 a->packets[dirndx]++; 6406 a->bytes[dirndx] += pd.tot_len; 6407 } 6408 if (s != NULL) { 6409 sk = s->state_key; 6410 if (s->nat_rule.ptr != NULL) { 6411 s->nat_rule.ptr->packets[dirndx]++; 6412 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len; 6413 } 6414 if (s->src_node != NULL) { 6415 s->src_node->packets[dirndx]++; 6416 s->src_node->bytes[dirndx] += pd.tot_len; 6417 } 6418 if (s->nat_src_node != NULL) { 6419 s->nat_src_node->packets[dirndx]++; 6420 s->nat_src_node->bytes[dirndx] += pd.tot_len; 6421 } 6422 dirndx = (dir == sk->direction) ? 0 : 1; 6423 s->packets[dirndx]++; 6424 s->bytes[dirndx] += pd.tot_len; 6425 } 6426 tr = r; 6427 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 6428 if (nr != NULL) { 6429 struct pf_addr *x; 6430 /* 6431 * XXX: we need to make sure that the addresses 6432 * passed to pfr_update_stats() are the same than 6433 * the addresses used during matching (pfr_match) 6434 */ 6435 if (r == &pf_default_rule) { 6436 tr = nr; 6437 x = (s == NULL || sk->direction == dir) ? 6438 &pd.baddr : &pd.naddr; 6439 } else { 6440 x = (s == NULL || sk->direction == dir) ? 6441 &pd.naddr : &pd.baddr; 6442 } 6443 if (x == &pd.baddr || s == NULL) { 6444 if (dir == PF_OUT) 6445 pd.src = x; 6446 else 6447 pd.dst = x; 6448 } 6449 } 6450 if (tr->src.addr.type == PF_ADDR_TABLE) 6451 pfr_update_stats(tr->src.addr.p.tbl, (sk == NULL || 6452 sk->direction == dir) ? pd.src : pd.dst, pd.af, 6453 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 6454 tr->src.neg); 6455 if (tr->dst.addr.type == PF_ADDR_TABLE) 6456 pfr_update_stats(tr->dst.addr.p.tbl, (sk == NULL || 6457 sk->direction == dir) ? pd.dst : pd.src, pd.af, 6458 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 6459 tr->dst.neg); 6460 } 6461 6462 6463 if (action == PF_SYNPROXY_DROP) { 6464 m_freem(*m0); 6465 *m0 = NULL; 6466 action = PF_PASS; 6467 } else if (r->rt) 6468 /* pf_route6 can free the mbuf causing *m0 to become NULL */ 6469 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd); 6470 6471 return (action); 6472 } 6473 #endif /* INET6 */ 6474 6475 int 6476 pf_check_congestion(struct ifqueue *ifq) 6477 { 6478 #ifdef __NetBSD__ 6479 return (0); 6480 #else 6481 if (ifq->ifq_congestion) 6482 return (1); 6483 else 6484 return (0); 6485 #endif /* !__NetBSD__ */ 6486 } 6487