/*	$NetBSD: pf.c,v 1.4 2004/09/08 12:11:25 yamt Exp $	*/
/*	$OpenBSD: pf.c,v 1.433 2004/03/26 22:20:57 dhartmei Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002,2003 Henning Brauer
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Effort sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
 *
 */

#include "bpfilter.h"
#include "pflog.h"
#ifdef __OpenBSD__
#include "pfsync.h"
#else
#define NPFSYNC 0
#endif

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/filio.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/kernel.h>
#include <sys/time.h>
#include <sys/pool.h>
#ifdef __NetBSD__
#include <sys/endian.h>
#endif

#include <net/if.h>
#include <net/if_types.h>
#include <net/bpf.h>
#include <net/route.h>

#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_seq.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/in_pcb.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
#include <netinet/udp_var.h>
#include <netinet/icmp_var.h>

#ifdef __OpenBSD__
#include <dev/rndvar.h>
#else
#include <sys/rnd.h>
#endif
#include <net/pfvar.h>
#include <net/if_pflog.h>

#if NPFSYNC > 0
#include <net/if_pfsync.h>
#endif /* NPFSYNC > 0 */

#ifdef INET6
#include <netinet/ip6.h>
#include <netinet6/ip6_var.h>
#ifdef __NetBSD__
#include <netinet6/in6_pcb.h>
#endif
#include <netinet/icmp6.h>
#include <netinet6/nd6.h>
#endif /* INET6 */


#define DPFPRINTF(n, x)	if (pf_status.debug >= (n)) printf x

/*
 * Global variables
 */

struct pf_anchorqueue	 pf_anchors;
struct pf_ruleset	 pf_main_ruleset;
struct pf_altqqueue	 pf_altqs[2];
struct pf_palist	 pf_pabuf;
struct pf_altqqueue	*pf_altqs_active;
struct pf_altqqueue	*pf_altqs_inactive;
struct pf_status	 pf_status;

u_int32_t		 ticket_altqs_active;
u_int32_t		 ticket_altqs_inactive;
int			 altqs_inactive_open;
u_int32_t		 ticket_pabuf;

#ifdef __OpenBSD__
struct timeout		 pf_expire_to;			/* expire timeout */
#else
struct callout		 pf_expire_to;			/* expire timeout */
#endif

struct pool		 pf_src_tree_pl, pf_rule_pl;
struct pool		 pf_state_pl, pf_altq_pl, pf_pooladdr_pl;

void			 pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
void			 pf_print_state(struct pf_state *);
void			 pf_print_flags(u_int8_t);

u_int16_t		 pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
			    u_int8_t);
void			 pf_change_ap(struct pf_addr *, u_int16_t *,
			    u_int16_t *, u_int16_t *, struct pf_addr *,
			    u_int16_t, u_int8_t, sa_family_t);
#ifdef INET6
void			 pf_change_a6(struct pf_addr *, u_int16_t *,
			    struct pf_addr *, u_int8_t);
#endif /* INET6 */
void			 pf_change_icmp(struct pf_addr *, u_int16_t *,
			    struct pf_addr *, struct pf_addr *, u_int16_t,
			    u_int16_t *, u_int16_t *, u_int16_t *,
			    u_int16_t *, u_int8_t, sa_family_t);
void			 pf_send_tcp(const struct pf_rule *, sa_family_t,
			    const struct pf_addr *, const struct pf_addr *,
			    u_int16_t, u_int16_t, u_int32_t, u_int32_t,
			    u_int8_t, u_int16_t, u_int16_t, u_int8_t);
void			 pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
			    sa_family_t, struct pf_rule *);
struct pf_rule		*pf_match_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *,
			    struct pf_addr *, u_int16_t, struct pf_addr *,
			    u_int16_t, int);
struct pf_rule		*pf_get_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *, struct pf_src_node **,
			    struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t *);
int			 pf_test_tcp(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **);
int			 pf_test_udp(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **);
int			 pf_test_icmp(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **);
int			 pf_test_other(struct pf_rule **, struct pf_state **,
			    int, struct pfi_kif *, struct mbuf *, int, void *,
			    struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **);
int			 pf_test_fragment(struct pf_rule **, int,
			    struct pfi_kif *, struct mbuf *, void *,
			    struct pf_pdesc *, struct pf_rule **,
			    struct pf_ruleset **);
int			 pf_test_state_tcp(struct pf_state **, int,
			    struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *, u_short *);
int			 pf_test_state_udp(struct pf_state **, int,
			    struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *);
int			 pf_test_state_icmp(struct pf_state **, int,
			    struct pfi_kif *, struct mbuf *, int,
			    void *, struct pf_pdesc *);
int			 pf_test_state_other(struct pf_state **, int,
			    struct pfi_kif *, struct pf_pdesc *);
struct pf_tag		*pf_get_tag(struct mbuf *);
int			 pf_match_tag(struct mbuf *, struct pf_rule *,
			    struct pf_rule *, struct pf_tag *, int *);
void			 pf_hash(struct pf_addr *, struct pf_addr *,
			    struct pf_poolhashkey *, sa_family_t);
int			 pf_map_addr(u_int8_t, struct pf_rule *,
			    struct pf_addr *, struct pf_addr *,
			    struct pf_addr *, struct pf_src_node **);
int			 pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
			    struct pf_addr *, struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
			    struct pf_src_node **);
void			 pf_route(struct mbuf **, struct pf_rule *, int,
			    struct ifnet *, struct pf_state *);
void			 pf_route6(struct mbuf **, struct pf_rule *, int,
			    struct ifnet *, struct pf_state *);
int			 pf_socket_lookup(uid_t *, gid_t *,
			    int, struct pf_pdesc *);
u_int8_t		 pf_get_wscale(struct mbuf *, int, u_int16_t,
			    sa_family_t);
u_int16_t		 pf_get_mss(struct mbuf *, int, u_int16_t,
			    sa_family_t);
u_int16_t		 pf_calc_mss(struct pf_addr *, sa_family_t,
			    u_int16_t);
void			 pf_set_rt_ifp(struct pf_state *,
			    struct pf_addr *);
int			 pf_check_proto_cksum(struct mbuf *, int, int,
			    u_int8_t, sa_family_t);
int			 pf_addr_wrap_neq(struct pf_addr_wrap *,
			    struct pf_addr_wrap *);
static int		 pf_add_mbuf_tag(struct mbuf *, u_int);
struct pf_state		*pf_find_state_recurse(struct pfi_kif *,
			    struct pf_state *, u_int8_t);

struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
	{ &pf_state_pl, PFSTATE_HIWAT },
	{ &pf_src_tree_pl, PFSNODE_HIWAT },
	{ &pf_frent_pl, PFFRAG_FRENT_HIWAT }
};

#define STATE_LOOKUP() \
	do { \
		if (direction == PF_IN) \
			*state = pf_find_state_recurse( \
			    kif, &key, PF_EXT_GWY); \
		else \
			*state = pf_find_state_recurse( \
			    kif, &key, PF_LAN_EXT); \
		if (*state == NULL) \
			return (PF_DROP); \
		if (direction == PF_OUT && \
		    (((*state)->rule.ptr->rt == PF_ROUTETO && \
		    (*state)->rule.ptr->direction == PF_OUT) || \
		    ((*state)->rule.ptr->rt == PF_REPLYTO && \
		    (*state)->rule.ptr->direction == PF_IN)) && \
		    (*state)->rt_kif != NULL && \
		    (*state)->rt_kif != kif) \
			return (PF_PASS); \
	} while (0)

#define STATE_TRANSLATE(s) \
	(s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
	((s)->af == AF_INET6 && \
	((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \
	(s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \
	(s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \
	(s)->lan.port != (s)->gwy.port

#define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) : \
	((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent : \
	(k)->pfik_parent->pfik_parent)

static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
static __inline int pf_state_compare_lan_ext(struct pf_state *,
	struct pf_state *);
static __inline int pf_state_compare_ext_gwy(struct pf_state *,
	struct pf_state *);
static __inline int pf_state_compare_id(struct pf_state *,
	struct pf_state *);

struct pf_src_tree tree_src_tracking;

struct pf_state_tree_id tree_id;
struct pf_state_queue state_updates;

RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
RB_GENERATE(pf_state_tree_lan_ext, pf_state,
    u.s.entry_lan_ext, pf_state_compare_lan_ext);
RB_GENERATE(pf_state_tree_ext_gwy, pf_state,
    u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
RB_GENERATE(pf_state_tree_id, pf_state,
    u.s.entry_id, pf_state_compare_id);

static __inline int
pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
{
	int	diff;

	if (a->rule.ptr > b->rule.ptr)
		return (1);
	if (a->rule.ptr < b->rule.ptr)
		return (-1);
	if ((diff = a->af - b->af) != 0)
		return (diff);
	switch (a->af) {
#ifdef INET
	case AF_INET:
		if (a->addr.addr32[0] > b->addr.addr32[0])
			return (1);
		if (a->addr.addr32[0] < b->addr.addr32[0])
			return (-1);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		if (a->addr.addr32[3] > b->addr.addr32[3])
			return (1);
		if (a->addr.addr32[3] < b->addr.addr32[3])
			return (-1);
		if (a->addr.addr32[2] > b->addr.addr32[2])
			return (1);
		if (a->addr.addr32[2] < b->addr.addr32[2])
			return (-1);
		if (a->addr.addr32[1] > b->addr.addr32[1])
			return (1);
		if (a->addr.addr32[1] < b->addr.addr32[1])
			return (-1);
		if (a->addr.addr32[0] > b->addr.addr32[0])
			return (1);
		if (a->addr.addr32[0] < b->addr.addr32[0])
			return (-1);
		break;
#endif /* INET6 */
	}
	return (0);
}

static __inline int
pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b)
{
	int	diff;

	if ((diff = a->proto - b->proto) != 0)
		return (diff);
	if ((diff = a->af - b->af) != 0)
		return (diff);
	switch (a->af) {
#ifdef INET
	case AF_INET:
		if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
			return (1);
		if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
			return (-1);
		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
			return (1);
		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
			return (-1);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3])
			return (1);
		if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3])
			return (-1);
		if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
			return (1);
		if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
			return (-1);
		if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2])
			return (1);
		if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2])
			return (-1);
		if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
			return (1);
		if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
			return (-1);
		if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1])
			return (1);
		if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1])
			return (-1);
		if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
			return (1);
		if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
			return (-1);
		if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
			return (1);
		if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
			return (-1);
		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
			return (1);
		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
			return (-1);
		break;
#endif /* INET6 */
	}

	if ((diff = a->lan.port - b->lan.port) != 0)
		return (diff);
	if ((diff = a->ext.port - b->ext.port) != 0)
		return (diff);

	return (0);
}

static __inline int
pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b)
{
	int	diff;

	if ((diff = a->proto - b->proto) != 0)
		return (diff);
	if ((diff = a->af - b->af) != 0)
		return (diff);
	switch (a->af) {
#ifdef INET
	case AF_INET:
		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
			return (1);
		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
			return (-1);
		if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
			return (1);
		if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
			return (-1);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
			return (1);
		if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
			return (-1);
		if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3])
			return (1);
		if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3])
			return (-1);
		if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
			return (1);
		if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
			return (-1);
		if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2])
			return (1);
		if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2])
			return (-1);
		if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
			return (1);
		if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
			return (-1);
		if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1])
			return (1);
		if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1])
			return (-1);
		if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
			return (1);
		if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
			return (-1);
		if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
			return (1);
		if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
			return (-1);
		break;
#endif /* INET6 */
	}

	if ((diff = a->ext.port - b->ext.port) != 0)
		return (diff);
	if ((diff = a->gwy.port - b->gwy.port) != 0)
		return (diff);

	return (0);
}

static __inline int
pf_state_compare_id(struct pf_state *a, struct pf_state *b)
{
	if (a->id > b->id)
		return (1);
	if (a->id < b->id)
		return (-1);
	if (a->creatorid > b->creatorid)
		return (1);
	if (a->creatorid < b->creatorid)
		return (-1);

	return (0);
}

#ifdef INET6
void
pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
{
	switch (af) {
#ifdef INET
	case AF_INET:
		dst->addr32[0] = src->addr32[0];
		break;
#endif /* INET */
	case AF_INET6:
		dst->addr32[0] = src->addr32[0];
		dst->addr32[1] = src->addr32[1];
		dst->addr32[2] = src->addr32[2];
		dst->addr32[3] = src->addr32[3];
		break;
	}
}
#endif

struct pf_state *
pf_find_state_byid(struct pf_state *key)
{
	pf_status.fcounters[FCNT_STATE_SEARCH]++;
	return (RB_FIND(pf_state_tree_id, &tree_id, key));
}

struct pf_state *
pf_find_state_recurse(struct pfi_kif *kif, struct pf_state *key, u_int8_t tree)
{
	struct pf_state *s;

	pf_status.fcounters[FCNT_STATE_SEARCH]++;

	switch (tree) {
	case PF_LAN_EXT:
		for (; kif != NULL; kif = kif->pfik_parent) {
			s = RB_FIND(pf_state_tree_lan_ext,
			    &kif->pfik_lan_ext, key);
			if (s != NULL)
				return (s);
		}
		return (NULL);
	case PF_EXT_GWY:
		for (; kif != NULL; kif = kif->pfik_parent) {
			s = RB_FIND(pf_state_tree_ext_gwy,
			    &kif->pfik_ext_gwy, key);
			if (s != NULL)
				return (s);
		}
		return (NULL);
	default:
		panic("pf_find_state_recurse");
	}
}

struct pf_state *
pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more)
{
	struct pf_state *s, *ss = NULL;
	struct pfi_kif	*kif;

	pf_status.fcounters[FCNT_STATE_SEARCH]++;

	switch (tree) {
	case PF_LAN_EXT:
		TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
			s = RB_FIND(pf_state_tree_lan_ext,
			    &kif->pfik_lan_ext, key);
			if (s == NULL)
				continue;
			if (more == NULL)
				return (s);
			ss = s;
			(*more)++;
		}
		return (ss);
	case PF_EXT_GWY:
		TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
			s = RB_FIND(pf_state_tree_ext_gwy,
			    &kif->pfik_ext_gwy, key);
			if (s == NULL)
				continue;
			if (more == NULL)
				return (s);
			ss = s;
			(*more)++;
		}
		return (ss);
	default:
		panic("pf_find_state_all");
	}
}

int
pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
    struct pf_addr *src, sa_family_t af)
{
	struct pf_src_node	k;

	if (*sn == NULL) {
		k.af = af;
		PF_ACPY(&k.addr, src, af);
		if (rule->rule_flag & PFRULE_RULESRCTRACK ||
		    rule->rpool.opts & PF_POOL_STICKYADDR)
			k.rule.ptr = rule;
		else
			k.rule.ptr = NULL;
		pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
		*sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
	}
	if (*sn == NULL) {
		if (!rule->max_src_nodes ||
		    rule->src_nodes < rule->max_src_nodes)
			(*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
		if ((*sn) == NULL)
			return (-1);
		bzero(*sn, sizeof(struct pf_src_node));
		(*sn)->af = af;
		if (rule->rule_flag & PFRULE_RULESRCTRACK ||
		    rule->rpool.opts & PF_POOL_STICKYADDR)
			(*sn)->rule.ptr = rule;
		else
			(*sn)->rule.ptr = NULL;
		PF_ACPY(&(*sn)->addr, src, af);
		if (RB_INSERT(pf_src_tree,
		    &tree_src_tracking, *sn) != NULL) {
			if (pf_status.debug >= PF_DEBUG_MISC) {
				printf("pf: src_tree insert failed: ");
				pf_print_host(&(*sn)->addr, 0, af);
				printf("\n");
			}
			pool_put(&pf_src_tree_pl, *sn);
			return (-1);
		}
		(*sn)->creation = time.tv_sec;
		(*sn)->ruletype = rule->action;
		if ((*sn)->rule.ptr != NULL)
			(*sn)->rule.ptr->src_nodes++;
		pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
		pf_status.src_nodes++;
	} else {
		if (rule->max_src_states &&
		    (*sn)->states >= rule->max_src_states)
			return (-1);
	}
	return (0);
}

int
pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
{
	/* Thou MUST NOT insert multiple duplicate keys */
	state->u.s.kif = kif;
	if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) {
		if (pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf: state insert failed: tree_lan_ext");
			printf(" lan: ");
			pf_print_host(&state->lan.addr, state->lan.port,
			    state->af);
			printf(" gwy: ");
			pf_print_host(&state->gwy.addr, state->gwy.port,
			    state->af);
			printf(" ext: ");
			pf_print_host(&state->ext.addr, state->ext.port,
			    state->af);
			if (state->sync_flags & PFSTATE_FROMSYNC)
				printf(" (from sync)");
			printf("\n");
		}
		return (-1);
	}

	if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) {
		if (pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf: state insert failed: tree_ext_gwy");
			printf(" lan: ");
			pf_print_host(&state->lan.addr, state->lan.port,
			    state->af);
			printf(" gwy: ");
			pf_print_host(&state->gwy.addr, state->gwy.port,
			    state->af);
			printf(" ext: ");
			pf_print_host(&state->ext.addr, state->ext.port,
			    state->af);
			if (state->sync_flags & PFSTATE_FROMSYNC)
				printf(" (from sync)");
			printf("\n");
		}
		RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
		return (-1);
	}

	if (state->id == 0 && state->creatorid == 0) {
		state->id = htobe64(pf_status.stateid++);
		state->creatorid = pf_status.hostid;
	}
	if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) {
		if (pf_status.debug >= PF_DEBUG_MISC) {
#ifdef __OpenBSD__
			printf("pf: state insert failed: "
			    "id: %016llx creatorid: %08x",
			    betoh64(state->id), ntohl(state->creatorid));
#else
			printf("pf: state insert failed: "
			    "id: %016" PRIx64 " creatorid: %08x",
			    be64toh(state->id), ntohl(state->creatorid));
#endif
			if (state->sync_flags & PFSTATE_FROMSYNC)
				printf(" (from sync)");
			printf("\n");
		}
		RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
		RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state);
		return (-1);
	}
	TAILQ_INSERT_HEAD(&state_updates, state, u.s.entry_updates);

	pf_status.fcounters[FCNT_STATE_INSERT]++;
	pf_status.states++;
	pfi_attach_state(kif);
#if NPFSYNC
	pfsync_insert_state(state);
#endif
	return (0);
}

void
pf_purge_timeout(void *arg)
{
#ifdef __OpenBSD__
	struct timeout	*to = arg;
#else
	struct callout	*to = arg;
#endif
	int		 s;

	s = splsoftnet();
	pf_purge_expired_states();
	pf_purge_expired_fragments();
	pf_purge_expired_src_nodes();
	splx(s);

#ifdef __OpenBSD__
	timeout_add(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz);
#else
	callout_schedule(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz);
#endif
}

u_int32_t
pf_state_expires(const struct pf_state *state)
{
	u_int32_t	timeout;
	u_int32_t	start;
	u_int32_t	end;
	u_int32_t	states;

	/* handle all PFTM_* > PFTM_MAX here */
	if (state->timeout == PFTM_PURGE)
		return (time.tv_sec);
	if (state->timeout == PFTM_UNTIL_PACKET)
		return (0);
	KASSERT(state->timeout < PFTM_MAX);
	timeout = state->rule.ptr->timeout[state->timeout];
	if (!timeout)
		timeout = pf_default_rule.timeout[state->timeout];
	start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
	if (start) {
		end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
		states = state->rule.ptr->states;
	} else {
		start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
		end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
		states = pf_status.states;
	}
	if (end && states > start && start < end) {
		if (states < end)
			return (state->expire + timeout * (end - states) /
			    (end - start));
		else
			return (time.tv_sec);
	}
	return (state->expire + timeout);
}

void
pf_purge_expired_src_nodes(void)
{
	struct pf_src_node	*cur, *next;

	for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
		next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);

		if (cur->states <= 0 && cur->expire <= time.tv_sec) {
			if (cur->rule.ptr != NULL) {
				cur->rule.ptr->src_nodes--;
				if (cur->rule.ptr->states <= 0 &&
				    cur->rule.ptr->max_src_nodes <= 0)
					pf_rm_rule(NULL, cur->rule.ptr);
			}
			RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
			pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
			pf_status.src_nodes--;
			pool_put(&pf_src_tree_pl, cur);
		}
	}
}

void
pf_src_tree_remove_state(struct pf_state *s)
{
	u_int32_t timeout;

	if (s->src_node != NULL) {
		if (--s->src_node->states <= 0) {
			timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
			if (!timeout)
				timeout =
				    pf_default_rule.timeout[PFTM_SRC_NODE];
			s->src_node->expire = time.tv_sec + timeout;
		}
	}
	if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
		if (--s->nat_src_node->states <= 0) {
			timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
			if (!timeout)
				timeout =
				    pf_default_rule.timeout[PFTM_SRC_NODE];
			s->nat_src_node->expire = time.tv_sec + timeout;
		}
	}
	s->src_node = s->nat_src_node = NULL;
}

void
pf_purge_expired_states(void)
{
	struct pf_state		*cur, *next;

	for (cur = RB_MIN(pf_state_tree_id, &tree_id);
	    cur; cur = next) {
		next = RB_NEXT(pf_state_tree_id, &tree_id, cur);

		if (pf_state_expires(cur) <= time.tv_sec) {
			if (cur->src.state == PF_TCPS_PROXY_DST)
				pf_send_tcp(cur->rule.ptr, cur->af,
				    &cur->ext.addr, &cur->lan.addr,
				    cur->ext.port, cur->lan.port,
				    cur->src.seqhi, cur->src.seqlo + 1, 0,
				    TH_RST|TH_ACK, 0, 0);
			RB_REMOVE(pf_state_tree_ext_gwy,
			    &cur->u.s.kif->pfik_ext_gwy, cur);
			RB_REMOVE(pf_state_tree_lan_ext,
			    &cur->u.s.kif->pfik_lan_ext, cur);
			RB_REMOVE(pf_state_tree_id, &tree_id, cur);
#if NPFSYNC
			pfsync_delete_state(cur);
#endif
			pf_src_tree_remove_state(cur);
			if (--cur->rule.ptr->states <= 0 &&
			    cur->rule.ptr->src_nodes <= 0)
				pf_rm_rule(NULL, cur->rule.ptr);
			if (cur->nat_rule.ptr != NULL)
				if (--cur->nat_rule.ptr->states <= 0 &&
				    cur->nat_rule.ptr->src_nodes <= 0)
					pf_rm_rule(NULL, cur->nat_rule.ptr);
			if (cur->anchor.ptr != NULL)
				if (--cur->anchor.ptr->states <= 0)
					pf_rm_rule(NULL, cur->anchor.ptr);
			pf_normalize_tcp_cleanup(cur);
			pfi_detach_state(cur->u.s.kif);
			TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates);
			pool_put(&pf_state_pl, cur);
			pf_status.fcounters[FCNT_STATE_REMOVALS]++;
			pf_status.states--;
		}
	}
}

int
pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
{
	if (aw->type != PF_ADDR_TABLE)
		return (0);
	if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
		return (1);
	return (0);
}

void
pf_tbladdr_remove(struct pf_addr_wrap *aw)
{
	if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL)
		return;
	pfr_detach_table(aw->p.tbl);
	aw->p.tbl = NULL;
}

void
pf_tbladdr_copyout(struct pf_addr_wrap *aw) 883 { 884 struct pfr_ktable *kt = aw->p.tbl; 885 886 if (aw->type != PF_ADDR_TABLE || kt == NULL) 887 return; 888 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) 889 kt = kt->pfrkt_root; 890 aw->p.tbl = NULL; 891 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? 892 kt->pfrkt_cnt : -1; 893 } 894 895 void 896 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) 897 { 898 switch (af) { 899 #ifdef INET 900 case AF_INET: { 901 u_int32_t a = ntohl(addr->addr32[0]); 902 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, 903 (a>>8)&255, a&255); 904 if (p) { 905 p = ntohs(p); 906 printf(":%u", p); 907 } 908 break; 909 } 910 #endif /* INET */ 911 #ifdef INET6 912 case AF_INET6: { 913 u_int16_t b; 914 u_int8_t i, curstart = 255, curend = 0, 915 maxstart = 0, maxend = 0; 916 for (i = 0; i < 8; i++) { 917 if (!addr->addr16[i]) { 918 if (curstart == 255) 919 curstart = i; 920 else 921 curend = i; 922 } else { 923 if (curstart) { 924 if ((curend - curstart) > 925 (maxend - maxstart)) { 926 maxstart = curstart; 927 maxend = curend; 928 curstart = 255; 929 } 930 } 931 } 932 } 933 for (i = 0; i < 8; i++) { 934 if (i >= maxstart && i <= maxend) { 935 if (maxend != 7) { 936 if (i == maxstart) 937 printf(":"); 938 } else { 939 if (i == maxend) 940 printf(":"); 941 } 942 } else { 943 b = ntohs(addr->addr16[i]); 944 printf("%x", b); 945 if (i < 7) 946 printf(":"); 947 } 948 } 949 if (p) { 950 p = ntohs(p); 951 printf("[%u]", p); 952 } 953 break; 954 } 955 #endif /* INET6 */ 956 } 957 } 958 959 void 960 pf_print_state(struct pf_state *s) 961 { 962 switch (s->proto) { 963 case IPPROTO_TCP: 964 printf("TCP "); 965 break; 966 case IPPROTO_UDP: 967 printf("UDP "); 968 break; 969 case IPPROTO_ICMP: 970 printf("ICMP "); 971 break; 972 case IPPROTO_ICMPV6: 973 printf("ICMPV6 "); 974 break; 975 default: 976 printf("%u ", s->proto); 977 break; 978 } 979 pf_print_host(&s->lan.addr, s->lan.port, s->af); 980 printf(" "); 981 pf_print_host(&s->gwy.addr, s->gwy.port, s->af); 982 printf(" "); 983 pf_print_host(&s->ext.addr, s->ext.port, s->af); 984 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, 985 s->src.seqhi, s->src.max_win, s->src.seqdiff); 986 if (s->src.wscale && s->dst.wscale) 987 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); 988 printf("]"); 989 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, 990 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); 991 if (s->src.wscale && s->dst.wscale) 992 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); 993 printf("]"); 994 printf(" %u:%u", s->src.state, s->dst.state); 995 } 996 997 void 998 pf_print_flags(u_int8_t f) 999 { 1000 if (f) 1001 printf(" "); 1002 if (f & TH_FIN) 1003 printf("F"); 1004 if (f & TH_SYN) 1005 printf("S"); 1006 if (f & TH_RST) 1007 printf("R"); 1008 if (f & TH_PUSH) 1009 printf("P"); 1010 if (f & TH_ACK) 1011 printf("A"); 1012 if (f & TH_URG) 1013 printf("U"); 1014 if (f & TH_ECE) 1015 printf("E"); 1016 if (f & TH_CWR) 1017 printf("W"); 1018 } 1019 1020 #define PF_SET_SKIP_STEPS(i) \ 1021 do { \ 1022 while (head[i] != cur) { \ 1023 head[i]->skip[i].ptr = cur; \ 1024 head[i] = TAILQ_NEXT(head[i], entries); \ 1025 } \ 1026 } while (0) 1027 1028 void 1029 pf_calc_skip_steps(struct pf_rulequeue *rules) 1030 { 1031 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; 1032 int i; 1033 1034 cur = TAILQ_FIRST(rules); 1035 prev = cur; 1036 for (i = 0; i < PF_SKIP_COUNT; ++i) 1037 head[i] = cur; 1038 while (cur != NULL) { 1039 1040 if (cur->kif != prev->kif || 
cur->ifnot != prev->ifnot) 1041 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 1042 if (cur->direction != prev->direction) 1043 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 1044 if (cur->af != prev->af) 1045 PF_SET_SKIP_STEPS(PF_SKIP_AF); 1046 if (cur->proto != prev->proto) 1047 PF_SET_SKIP_STEPS(PF_SKIP_PROTO); 1048 if (cur->src.not != prev->src.not || 1049 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 1050 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 1051 if (cur->src.port[0] != prev->src.port[0] || 1052 cur->src.port[1] != prev->src.port[1] || 1053 cur->src.port_op != prev->src.port_op) 1054 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); 1055 if (cur->dst.not != prev->dst.not || 1056 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 1057 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 1058 if (cur->dst.port[0] != prev->dst.port[0] || 1059 cur->dst.port[1] != prev->dst.port[1] || 1060 cur->dst.port_op != prev->dst.port_op) 1061 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 1062 1063 prev = cur; 1064 cur = TAILQ_NEXT(cur, entries); 1065 } 1066 for (i = 0; i < PF_SKIP_COUNT; ++i) 1067 PF_SET_SKIP_STEPS(i); 1068 } 1069 1070 int 1071 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) 1072 { 1073 if (aw1->type != aw2->type) 1074 return (1); 1075 switch (aw1->type) { 1076 case PF_ADDR_ADDRMASK: 1077 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) 1078 return (1); 1079 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 1080 return (1); 1081 return (0); 1082 case PF_ADDR_DYNIFTL: 1083 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt); 1084 case PF_ADDR_NOROUTE: 1085 return (0); 1086 case PF_ADDR_TABLE: 1087 return (aw1->p.tbl != aw2->p.tbl); 1088 default: 1089 printf("invalid address type: %d\n", aw1->type); 1090 return (1); 1091 } 1092 } 1093 1094 void 1095 pf_update_anchor_rules() 1096 { 1097 struct pf_rule *rule; 1098 int i; 1099 1100 for (i = 0; i < PF_RULESET_MAX; ++i) 1101 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr, 1102 entries) 1103 if (rule->anchorname[0]) 1104 rule->anchor = pf_find_anchor(rule->anchorname); 1105 else 1106 rule->anchor = NULL; 1107 } 1108 1109 u_int16_t 1110 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1111 { 1112 u_int32_t l; 1113 1114 if (udp && !cksum) 1115 return (0x0000); 1116 l = cksum + old - new; 1117 l = (l >> 16) + (l & 65535); 1118 l = l & 65535; 1119 if (udp && !l) 1120 return (0xFFFF); 1121 return (l); 1122 } 1123 1124 void 1125 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 1126 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) 1127 { 1128 struct pf_addr ao; 1129 u_int16_t po = *p; 1130 1131 PF_ACPY(&ao, a, af); 1132 PF_ACPY(a, an, af); 1133 1134 *p = pn; 1135 1136 switch (af) { 1137 #ifdef INET 1138 case AF_INET: 1139 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1140 ao.addr16[0], an->addr16[0], 0), 1141 ao.addr16[1], an->addr16[1], 0); 1142 *p = pn; 1143 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1144 ao.addr16[0], an->addr16[0], u), 1145 ao.addr16[1], an->addr16[1], u), 1146 po, pn, u); 1147 break; 1148 #endif /* INET */ 1149 #ifdef INET6 1150 case AF_INET6: 1151 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1152 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1153 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1154 ao.addr16[0], an->addr16[0], u), 1155 ao.addr16[1], an->addr16[1], u), 1156 ao.addr16[2], an->addr16[2], u), 1157 ao.addr16[3], an->addr16[3], u), 1158 ao.addr16[4], an->addr16[4], u), 1159 ao.addr16[5], an->addr16[5], u), 1160 ao.addr16[6], an->addr16[6], u), 1161 ao.addr16[7], 
an->addr16[7], u), 1162 po, pn, u); 1163 break; 1164 #endif /* INET6 */ 1165 } 1166 } 1167 1168 1169 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 1170 void 1171 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 1172 { 1173 u_int32_t ao; 1174 1175 memcpy(&ao, a, sizeof(ao)); 1176 memcpy(a, &an, sizeof(u_int32_t)); 1177 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 1178 ao % 65536, an % 65536, u); 1179 } 1180 1181 #ifdef INET6 1182 void 1183 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 1184 { 1185 struct pf_addr ao; 1186 1187 PF_ACPY(&ao, a, AF_INET6); 1188 PF_ACPY(a, an, AF_INET6); 1189 1190 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1191 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1192 pf_cksum_fixup(pf_cksum_fixup(*c, 1193 ao.addr16[0], an->addr16[0], u), 1194 ao.addr16[1], an->addr16[1], u), 1195 ao.addr16[2], an->addr16[2], u), 1196 ao.addr16[3], an->addr16[3], u), 1197 ao.addr16[4], an->addr16[4], u), 1198 ao.addr16[5], an->addr16[5], u), 1199 ao.addr16[6], an->addr16[6], u), 1200 ao.addr16[7], an->addr16[7], u); 1201 } 1202 #endif /* INET6 */ 1203 1204 void 1205 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, 1206 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 1207 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) 1208 { 1209 struct pf_addr oia, ooa; 1210 1211 PF_ACPY(&oia, ia, af); 1212 PF_ACPY(&ooa, oa, af); 1213 1214 /* Change inner protocol port, fix inner protocol checksum. */ 1215 if (ip != NULL) { 1216 u_int16_t oip = *ip; 1217 u_int32_t opc = 0; 1218 1219 if (pc != NULL) 1220 opc = *pc; 1221 *ip = np; 1222 if (pc != NULL) 1223 *pc = pf_cksum_fixup(*pc, oip, *ip, u); 1224 *ic = pf_cksum_fixup(*ic, oip, *ip, 0); 1225 if (pc != NULL) 1226 *ic = pf_cksum_fixup(*ic, opc, *pc, 0); 1227 } 1228 /* Change inner ip address, fix inner ip and icmp checksums. */ 1229 PF_ACPY(ia, na, af); 1230 switch (af) { 1231 #ifdef INET 1232 case AF_INET: { 1233 u_int32_t oh2c = *h2c; 1234 1235 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, 1236 oia.addr16[0], ia->addr16[0], 0), 1237 oia.addr16[1], ia->addr16[1], 0); 1238 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1239 oia.addr16[0], ia->addr16[0], 0), 1240 oia.addr16[1], ia->addr16[1], 0); 1241 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); 1242 break; 1243 } 1244 #endif /* INET */ 1245 #ifdef INET6 1246 case AF_INET6: 1247 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1248 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1249 pf_cksum_fixup(pf_cksum_fixup(*ic, 1250 oia.addr16[0], ia->addr16[0], u), 1251 oia.addr16[1], ia->addr16[1], u), 1252 oia.addr16[2], ia->addr16[2], u), 1253 oia.addr16[3], ia->addr16[3], u), 1254 oia.addr16[4], ia->addr16[4], u), 1255 oia.addr16[5], ia->addr16[5], u), 1256 oia.addr16[6], ia->addr16[6], u), 1257 oia.addr16[7], ia->addr16[7], u); 1258 break; 1259 #endif /* INET6 */ 1260 } 1261 /* Change outer ip address, fix outer ip or icmpv6 checksum. 
*/ 1262 PF_ACPY(oa, na, af); 1263 switch (af) { 1264 #ifdef INET 1265 case AF_INET: 1266 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, 1267 ooa.addr16[0], oa->addr16[0], 0), 1268 ooa.addr16[1], oa->addr16[1], 0); 1269 break; 1270 #endif /* INET */ 1271 #ifdef INET6 1272 case AF_INET6: 1273 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1274 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1275 pf_cksum_fixup(pf_cksum_fixup(*ic, 1276 ooa.addr16[0], oa->addr16[0], u), 1277 ooa.addr16[1], oa->addr16[1], u), 1278 ooa.addr16[2], oa->addr16[2], u), 1279 ooa.addr16[3], oa->addr16[3], u), 1280 ooa.addr16[4], oa->addr16[4], u), 1281 ooa.addr16[5], oa->addr16[5], u), 1282 ooa.addr16[6], oa->addr16[6], u), 1283 ooa.addr16[7], oa->addr16[7], u); 1284 break; 1285 #endif /* INET6 */ 1286 } 1287 } 1288 1289 void 1290 pf_send_tcp(const struct pf_rule *r, sa_family_t af, 1291 const struct pf_addr *saddr, const struct pf_addr *daddr, 1292 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, 1293 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl) 1294 { 1295 struct mbuf *m; 1296 struct m_tag *mtag; 1297 int len, tlen; 1298 #ifdef INET 1299 struct ip *h = NULL; 1300 #endif /* INET */ 1301 #ifdef INET6 1302 struct ip6_hdr *h6 = NULL; 1303 #endif /* INET6 */ 1304 struct tcphdr *th; 1305 char *opt; 1306 1307 /* maximum segment size tcp option */ 1308 tlen = sizeof(struct tcphdr); 1309 if (mss) 1310 tlen += 4; 1311 1312 switch (af) { 1313 #ifdef INET 1314 case AF_INET: 1315 len = sizeof(struct ip) + tlen; 1316 break; 1317 #endif /* INET */ 1318 #ifdef INET6 1319 case AF_INET6: 1320 len = sizeof(struct ip6_hdr) + tlen; 1321 break; 1322 #endif /* INET6 */ 1323 default: 1324 return; 1325 } 1326 1327 /* create outgoing mbuf */ 1328 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1329 if (mtag == NULL) 1330 return; 1331 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1332 if (m == NULL) { 1333 m_tag_free(mtag); 1334 return; 1335 } 1336 m_tag_prepend(m, mtag); 1337 #ifdef ALTQ 1338 if (r != NULL && r->qid) { 1339 struct altq_tag *atag; 1340 1341 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 1342 if (mtag != NULL) { 1343 atag = (struct altq_tag *)(mtag + 1); 1344 atag->qid = r->qid; 1345 /* add hints for ecn */ 1346 atag->af = af; 1347 atag->hdr = mtod(m, struct ip *); 1348 m_tag_prepend(m, mtag); 1349 } 1350 } 1351 #endif 1352 m->m_data += max_linkhdr; 1353 m->m_pkthdr.len = m->m_len = len; 1354 m->m_pkthdr.rcvif = NULL; 1355 bzero(m->m_data, len); 1356 switch (af) { 1357 #ifdef INET 1358 case AF_INET: 1359 h = mtod(m, struct ip *); 1360 1361 /* IP header fields included in the TCP checksum */ 1362 h->ip_p = IPPROTO_TCP; 1363 h->ip_len = htons(tlen); 1364 h->ip_src.s_addr = saddr->v4.s_addr; 1365 h->ip_dst.s_addr = daddr->v4.s_addr; 1366 1367 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip)); 1368 break; 1369 #endif /* INET */ 1370 #ifdef INET6 1371 case AF_INET6: 1372 h6 = mtod(m, struct ip6_hdr *); 1373 1374 /* IP header fields included in the TCP checksum */ 1375 h6->ip6_nxt = IPPROTO_TCP; 1376 h6->ip6_plen = htons(tlen); 1377 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); 1378 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); 1379 1380 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr)); 1381 break; 1382 #endif /* INET6 */ 1383 default: 1384 m_freem(m); 1385 return; 1386 } 1387 1388 /* TCP header */ 1389 th->th_sport = sport; 1390 th->th_dport = dport; 1391 th->th_seq = htonl(seq); 1392 th->th_ack = htonl(ack); 1393 th->th_off = tlen >> 2; 1394 
th->th_flags = flags; 1395 th->th_win = htons(win); 1396 1397 if (mss) { 1398 opt = (char *)(th + 1); 1399 opt[0] = TCPOPT_MAXSEG; 1400 opt[1] = 4; 1401 HTONS(mss); 1402 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2); 1403 } 1404 1405 switch (af) { 1406 #ifdef INET 1407 case AF_INET: 1408 /* TCP checksum */ 1409 th->th_sum = in_cksum(m, len); 1410 1411 /* Finish the IP header */ 1412 h->ip_v = 4; 1413 h->ip_hl = sizeof(*h) >> 2; 1414 h->ip_tos = IPTOS_LOWDELAY; 1415 h->ip_len = htons(len); 1416 h->ip_off = htons(ip_mtudisc ? IP_DF : 0); 1417 h->ip_ttl = ttl ? ttl : ip_defttl; 1418 h->ip_sum = 0; 1419 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, 1420 (void *)NULL); 1421 break; 1422 #endif /* INET */ 1423 #ifdef INET6 1424 case AF_INET6: 1425 /* TCP checksum */ 1426 th->th_sum = in6_cksum(m, IPPROTO_TCP, 1427 sizeof(struct ip6_hdr), tlen); 1428 1429 h6->ip6_vfc |= IPV6_VERSION; 1430 h6->ip6_hlim = IPV6_DEFHLIM; 1431 1432 #ifdef __OpenBSD__ 1433 ip6_output(m, NULL, NULL, 0, NULL, NULL); 1434 #else 1435 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 1436 #endif 1437 break; 1438 #endif /* INET6 */ 1439 } 1440 } 1441 1442 void 1443 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, 1444 struct pf_rule *r) 1445 { 1446 struct m_tag *mtag; 1447 struct mbuf *m0; 1448 1449 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1450 if (mtag == NULL) 1451 return; 1452 m0 = m_copy(m, 0, M_COPYALL); 1453 if (m0 == NULL) { 1454 m_tag_free(mtag); 1455 return; 1456 } 1457 m_tag_prepend(m0, mtag); 1458 1459 #ifdef ALTQ 1460 if (r->qid) { 1461 struct altq_tag *atag; 1462 1463 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 1464 if (mtag != NULL) { 1465 atag = (struct altq_tag *)(mtag + 1); 1466 atag->qid = r->qid; 1467 /* add hints for ecn */ 1468 atag->af = af; 1469 atag->hdr = mtod(m0, struct ip *); 1470 m_tag_prepend(m0, mtag); 1471 } 1472 } 1473 #endif 1474 1475 switch (af) { 1476 #ifdef INET 1477 case AF_INET: 1478 icmp_error(m0, type, code, 0, (void *)NULL); 1479 break; 1480 #endif /* INET */ 1481 #ifdef INET6 1482 case AF_INET6: 1483 icmp6_error(m0, type, code, 0); 1484 break; 1485 #endif /* INET6 */ 1486 } 1487 } 1488 1489 /* 1490 * Return 1 if the addresses a and b match (with mask m), otherwise return 0. 1491 * If n is 0, they match if they are equal. If n is != 0, they match if they 1492 * are different. 
1493 */ 1494 int 1495 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, 1496 struct pf_addr *b, sa_family_t af) 1497 { 1498 int match = 0; 1499 1500 switch (af) { 1501 #ifdef INET 1502 case AF_INET: 1503 if ((a->addr32[0] & m->addr32[0]) == 1504 (b->addr32[0] & m->addr32[0])) 1505 match++; 1506 break; 1507 #endif /* INET */ 1508 #ifdef INET6 1509 case AF_INET6: 1510 if (((a->addr32[0] & m->addr32[0]) == 1511 (b->addr32[0] & m->addr32[0])) && 1512 ((a->addr32[1] & m->addr32[1]) == 1513 (b->addr32[1] & m->addr32[1])) && 1514 ((a->addr32[2] & m->addr32[2]) == 1515 (b->addr32[2] & m->addr32[2])) && 1516 ((a->addr32[3] & m->addr32[3]) == 1517 (b->addr32[3] & m->addr32[3]))) 1518 match++; 1519 break; 1520 #endif /* INET6 */ 1521 } 1522 if (match) { 1523 if (n) 1524 return (0); 1525 else 1526 return (1); 1527 } else { 1528 if (n) 1529 return (1); 1530 else 1531 return (0); 1532 } 1533 } 1534 1535 int 1536 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) 1537 { 1538 switch (op) { 1539 case PF_OP_IRG: 1540 return ((p > a1) && (p < a2)); 1541 case PF_OP_XRG: 1542 return ((p < a1) || (p > a2)); 1543 case PF_OP_RRG: 1544 return ((p >= a1) && (p <= a2)); 1545 case PF_OP_EQ: 1546 return (p == a1); 1547 case PF_OP_NE: 1548 return (p != a1); 1549 case PF_OP_LT: 1550 return (p < a1); 1551 case PF_OP_LE: 1552 return (p <= a1); 1553 case PF_OP_GT: 1554 return (p > a1); 1555 case PF_OP_GE: 1556 return (p >= a1); 1557 } 1558 return (0); /* never reached */ 1559 } 1560 1561 int 1562 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) 1563 { 1564 NTOHS(a1); 1565 NTOHS(a2); 1566 NTOHS(p); 1567 return (pf_match(op, a1, a2, p)); 1568 } 1569 1570 int 1571 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) 1572 { 1573 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1574 return (0); 1575 return (pf_match(op, a1, a2, u)); 1576 } 1577 1578 int 1579 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) 1580 { 1581 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1582 return (0); 1583 return (pf_match(op, a1, a2, g)); 1584 } 1585 1586 struct pf_tag * 1587 pf_get_tag(struct mbuf *m) 1588 { 1589 struct m_tag *mtag; 1590 1591 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL) 1592 return ((struct pf_tag *)(mtag + 1)); 1593 else 1594 return (NULL); 1595 } 1596 1597 int 1598 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat_rule, 1599 struct pf_tag *pftag, int *tag) 1600 { 1601 if (*tag == -1) { /* find mbuf tag */ 1602 pftag = pf_get_tag(m); 1603 if (pftag != NULL) 1604 *tag = pftag->tag; 1605 else 1606 *tag = 0; 1607 if (nat_rule != NULL && nat_rule->tag) 1608 *tag = nat_rule->tag; 1609 } 1610 1611 return ((!r->match_tag_not && r->match_tag == *tag) || 1612 (r->match_tag_not && r->match_tag != *tag)); 1613 } 1614 1615 int 1616 pf_tag_packet(struct mbuf *m, struct pf_tag *pftag, int tag) 1617 { 1618 struct m_tag *mtag; 1619 1620 if (tag <= 0) 1621 return (0); 1622 1623 if (pftag == NULL) { 1624 mtag = m_tag_get(PACKET_TAG_PF_TAG, sizeof(*pftag), M_NOWAIT); 1625 if (mtag == NULL) 1626 return (1); 1627 ((struct pf_tag *)(mtag + 1))->tag = tag; 1628 m_tag_prepend(m, mtag); 1629 } else 1630 pftag->tag = tag; 1631 1632 return (0); 1633 } 1634 1635 #define PF_STEP_INTO_ANCHOR(r, a, s, n) \ 1636 do { \ 1637 if ((r) == NULL || (r)->anchor == NULL || \ 1638 (s) != NULL || (a) != NULL) \ 1639 panic("PF_STEP_INTO_ANCHOR"); \ 1640 (a) = (r); \ 1641 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \ 1642 (r) = NULL; \ 1643 while ((s) != NULL && ((r) = \ 1644 
TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1645 (s) = TAILQ_NEXT((s), entries); \ 1646 if ((r) == NULL) { \ 1647 (r) = TAILQ_NEXT((a), entries); \ 1648 (a) = NULL; \ 1649 } \ 1650 } while (0) 1651 1652 #define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \ 1653 do { \ 1654 if ((r) != NULL || (a) == NULL || (s) == NULL) \ 1655 panic("PF_STEP_OUT_OF_ANCHOR"); \ 1656 (s) = TAILQ_NEXT((s), entries); \ 1657 while ((s) != NULL && ((r) = \ 1658 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1659 (s) = TAILQ_NEXT((s), entries); \ 1660 if ((r) == NULL) { \ 1661 (r) = TAILQ_NEXT((a), entries); \ 1662 (a) = NULL; \ 1663 } \ 1664 } while (0) 1665 1666 #ifdef INET6 1667 void 1668 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, 1669 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) 1670 { 1671 switch (af) { 1672 #ifdef INET 1673 case AF_INET: 1674 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1675 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1676 break; 1677 #endif /* INET */ 1678 case AF_INET6: 1679 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1680 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1681 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | 1682 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); 1683 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | 1684 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); 1685 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | 1686 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); 1687 break; 1688 } 1689 } 1690 1691 void 1692 pf_addr_inc(struct pf_addr *addr, sa_family_t af) 1693 { 1694 switch (af) { 1695 #ifdef INET 1696 case AF_INET: 1697 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); 1698 break; 1699 #endif /* INET */ 1700 case AF_INET6: 1701 if (addr->addr32[3] == 0xffffffff) { 1702 addr->addr32[3] = 0; 1703 if (addr->addr32[2] == 0xffffffff) { 1704 addr->addr32[2] = 0; 1705 if (addr->addr32[1] == 0xffffffff) { 1706 addr->addr32[1] = 0; 1707 addr->addr32[0] = 1708 htonl(ntohl(addr->addr32[0]) + 1); 1709 } else 1710 addr->addr32[1] = 1711 htonl(ntohl(addr->addr32[1]) + 1); 1712 } else 1713 addr->addr32[2] = 1714 htonl(ntohl(addr->addr32[2]) + 1); 1715 } else 1716 addr->addr32[3] = 1717 htonl(ntohl(addr->addr32[3]) + 1); 1718 break; 1719 } 1720 } 1721 #endif /* INET6 */ 1722 1723 #define mix(a,b,c) \ 1724 do { \ 1725 a -= b; a -= c; a ^= (c >> 13); \ 1726 b -= c; b -= a; b ^= (a << 8); \ 1727 c -= a; c -= b; c ^= (b >> 13); \ 1728 a -= b; a -= c; a ^= (c >> 12); \ 1729 b -= c; b -= a; b ^= (a << 16); \ 1730 c -= a; c -= b; c ^= (b >> 5); \ 1731 a -= b; a -= c; a ^= (c >> 3); \ 1732 b -= c; b -= a; b ^= (a << 10); \ 1733 c -= a; c -= b; c ^= (b >> 15); \ 1734 } while (0) 1735 1736 /* 1737 * hash function based on bridge_hash in if_bridge.c 1738 */ 1739 void 1740 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, 1741 struct pf_poolhashkey *key, sa_family_t af) 1742 { 1743 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 1744 1745 switch (af) { 1746 #ifdef INET 1747 case AF_INET: 1748 a += inaddr->addr32[0]; 1749 b += key->key32[1]; 1750 mix(a, b, c); 1751 hash->addr32[0] = c + key->key32[2]; 1752 break; 1753 #endif /* INET */ 1754 #ifdef INET6 1755 case AF_INET6: 1756 a += inaddr->addr32[0]; 1757 b += inaddr->addr32[2]; 1758 mix(a, b, c); 1759 hash->addr32[0] = c; 1760 a += inaddr->addr32[1]; 1761 b += inaddr->addr32[3]; 1762 c += key->key32[1]; 1763 mix(a, b, c); 1764 hash->addr32[1] = c; 1765 a += inaddr->addr32[2]; 1766 b += 
inaddr->addr32[1]; 1767 c += key->key32[2]; 1768 mix(a, b, c); 1769 hash->addr32[2] = c; 1770 a += inaddr->addr32[3]; 1771 b += inaddr->addr32[0]; 1772 c += key->key32[3]; 1773 mix(a, b, c); 1774 hash->addr32[3] = c; 1775 break; 1776 #endif /* INET6 */ 1777 } 1778 } 1779 1780 int 1781 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, 1782 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) 1783 { 1784 unsigned char hash[16]; 1785 struct pf_pool *rpool = &r->rpool; 1786 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; 1787 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; 1788 struct pf_pooladdr *acur = rpool->cur; 1789 struct pf_src_node k; 1790 1791 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && 1792 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1793 k.af = af; 1794 PF_ACPY(&k.addr, saddr, af); 1795 if (r->rule_flag & PFRULE_RULESRCTRACK || 1796 r->rpool.opts & PF_POOL_STICKYADDR) 1797 k.rule.ptr = r; 1798 else 1799 k.rule.ptr = NULL; 1800 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 1801 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 1802 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { 1803 PF_ACPY(naddr, &(*sn)->raddr, af); 1804 if (pf_status.debug >= PF_DEBUG_MISC) { 1805 printf("pf_map_addr: src tracking maps "); 1806 pf_print_host(&k.addr, 0, af); 1807 printf(" to "); 1808 pf_print_host(naddr, 0, af); 1809 printf("\n"); 1810 } 1811 return (0); 1812 } 1813 } 1814 1815 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 1816 return (1); 1817 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1818 if (af == AF_INET) { 1819 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 1820 (rpool->opts & PF_POOL_TYPEMASK) != 1821 PF_POOL_ROUNDROBIN) 1822 return (1); 1823 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 1824 rmask = &rpool->cur->addr.p.dyn->pfid_mask4; 1825 } else { 1826 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 1827 (rpool->opts & PF_POOL_TYPEMASK) != 1828 PF_POOL_ROUNDROBIN) 1829 return (1); 1830 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 1831 rmask = &rpool->cur->addr.p.dyn->pfid_mask6; 1832 } 1833 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1834 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 1835 return (1); /* unsupported */ 1836 } else { 1837 raddr = &rpool->cur->addr.v.a.addr; 1838 rmask = &rpool->cur->addr.v.a.mask; 1839 } 1840 1841 switch (rpool->opts & PF_POOL_TYPEMASK) { 1842 case PF_POOL_NONE: 1843 PF_ACPY(naddr, raddr, af); 1844 break; 1845 case PF_POOL_BITMASK: 1846 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 1847 break; 1848 case PF_POOL_RANDOM: 1849 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 1850 switch (af) { 1851 #ifdef INET 1852 case AF_INET: 1853 rpool->counter.addr32[0] = arc4random(); 1854 break; 1855 #endif /* INET */ 1856 #ifdef INET6 1857 case AF_INET6: 1858 if (rmask->addr32[3] != 0xffffffff) 1859 rpool->counter.addr32[3] = arc4random(); 1860 else 1861 break; 1862 if (rmask->addr32[2] != 0xffffffff) 1863 rpool->counter.addr32[2] = arc4random(); 1864 else 1865 break; 1866 if (rmask->addr32[1] != 0xffffffff) 1867 rpool->counter.addr32[1] = arc4random(); 1868 else 1869 break; 1870 if (rmask->addr32[0] != 0xffffffff) 1871 rpool->counter.addr32[0] = arc4random(); 1872 break; 1873 #endif /* INET6 */ 1874 } 1875 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1876 PF_ACPY(init_addr, naddr, af); 1877 1878 } else { 1879 PF_AINC(&rpool->counter, af); 1880 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1881 } 1882 break; 1883 case PF_POOL_SRCHASH: 1884 
pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 1885 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 1886 break; 1887 case PF_POOL_ROUNDROBIN: 1888 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1889 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 1890 &rpool->tblidx, &rpool->counter, 1891 &raddr, &rmask, af)) 1892 goto get_addr; 1893 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1894 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1895 &rpool->tblidx, &rpool->counter, 1896 &raddr, &rmask, af)) 1897 goto get_addr; 1898 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 1899 goto get_addr; 1900 1901 try_next: 1902 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) 1903 rpool->cur = TAILQ_FIRST(&rpool->list); 1904 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1905 rpool->tblidx = -1; 1906 if (pfr_pool_get(rpool->cur->addr.p.tbl, 1907 &rpool->tblidx, &rpool->counter, 1908 &raddr, &rmask, af)) { 1909 /* table contains no address of type 'af' */ 1910 if (rpool->cur != acur) 1911 goto try_next; 1912 return (1); 1913 } 1914 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1915 rpool->tblidx = -1; 1916 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1917 &rpool->tblidx, &rpool->counter, 1918 &raddr, &rmask, af)) { 1919 /* table contains no address of type 'af' */ 1920 if (rpool->cur != acur) 1921 goto try_next; 1922 return (1); 1923 } 1924 } else { 1925 raddr = &rpool->cur->addr.v.a.addr; 1926 rmask = &rpool->cur->addr.v.a.mask; 1927 PF_ACPY(&rpool->counter, raddr, af); 1928 } 1929 1930 get_addr: 1931 PF_ACPY(naddr, &rpool->counter, af); 1932 PF_AINC(&rpool->counter, af); 1933 break; 1934 } 1935 if (*sn != NULL) 1936 PF_ACPY(&(*sn)->raddr, naddr, af); 1937 1938 if (pf_status.debug >= PF_DEBUG_MISC && 1939 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1940 printf("pf_map_addr: selected address "); 1941 pf_print_host(naddr, 0, af); 1942 printf("\n"); 1943 } 1944 1945 return (0); 1946 } 1947 1948 int 1949 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, 1950 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, 1951 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, 1952 struct pf_src_node **sn) 1953 { 1954 struct pf_state key; 1955 struct pf_addr init_addr; 1956 u_int16_t cut; 1957 1958 bzero(&init_addr, sizeof(init_addr)); 1959 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 1960 return (1); 1961 1962 do { 1963 key.af = af; 1964 key.proto = proto; 1965 PF_ACPY(&key.ext.addr, daddr, key.af); 1966 PF_ACPY(&key.gwy.addr, naddr, key.af); 1967 key.ext.port = dport; 1968 1969 /* 1970 * port search; start random, step; 1971 * similar 2 portloop in in_pcbbind 1972 */ 1973 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { 1974 key.gwy.port = 0; 1975 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1976 return (0); 1977 } else if (low == 0 && high == 0) { 1978 key.gwy.port = *nport; 1979 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1980 return (0); 1981 } else if (low == high) { 1982 key.gwy.port = htons(low); 1983 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) { 1984 *nport = htons(low); 1985 return (0); 1986 } 1987 } else { 1988 u_int16_t tmp; 1989 1990 if (low > high) { 1991 tmp = low; 1992 low = high; 1993 high = tmp; 1994 } 1995 /* low < high */ 1996 cut = arc4random() % (1 + high - low) + low; 1997 /* low <= cut <= high */ 1998 for (tmp = cut; tmp <= high; ++(tmp)) { 1999 key.gwy.port = htons(tmp); 2000 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 2001 
NULL) { 2002 *nport = htons(tmp); 2003 return (0); 2004 } 2005 } 2006 for (tmp = cut - 1; tmp >= low; --(tmp)) { 2007 key.gwy.port = htons(tmp); 2008 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 2009 NULL) { 2010 *nport = htons(tmp); 2011 return (0); 2012 } 2013 } 2014 } 2015 2016 switch (r->rpool.opts & PF_POOL_TYPEMASK) { 2017 case PF_POOL_RANDOM: 2018 case PF_POOL_ROUNDROBIN: 2019 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 2020 return (1); 2021 break; 2022 case PF_POOL_NONE: 2023 case PF_POOL_SRCHASH: 2024 case PF_POOL_BITMASK: 2025 default: 2026 return (1); 2027 } 2028 } while (! PF_AEQ(&init_addr, naddr, af) ); 2029 2030 return (1); /* none available */ 2031 } 2032 2033 struct pf_rule * 2034 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 2035 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, 2036 struct pf_addr *daddr, u_int16_t dport, int rs_num) 2037 { 2038 struct pf_rule *r, *rm = NULL, *anchorrule = NULL; 2039 struct pf_ruleset *ruleset = NULL; 2040 2041 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 2042 while (r && rm == NULL) { 2043 struct pf_rule_addr *src = NULL, *dst = NULL; 2044 struct pf_addr_wrap *xdst = NULL; 2045 2046 if (r->action == PF_BINAT && direction == PF_IN) { 2047 src = &r->dst; 2048 if (r->rpool.cur != NULL) 2049 xdst = &r->rpool.cur->addr; 2050 } else { 2051 src = &r->src; 2052 dst = &r->dst; 2053 } 2054 2055 r->evaluations++; 2056 if (r->kif != NULL && 2057 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2058 r = r->skip[PF_SKIP_IFP].ptr; 2059 else if (r->direction && r->direction != direction) 2060 r = r->skip[PF_SKIP_DIR].ptr; 2061 else if (r->af && r->af != pd->af) 2062 r = r->skip[PF_SKIP_AF].ptr; 2063 else if (r->proto && r->proto != pd->proto) 2064 r = r->skip[PF_SKIP_PROTO].ptr; 2065 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not)) 2066 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 2067 PF_SKIP_DST_ADDR].ptr; 2068 else if (src->port_op && !pf_match_port(src->port_op, 2069 src->port[0], src->port[1], sport)) 2070 r = r->skip[src == &r->src ? 
PF_SKIP_SRC_PORT : 2071 PF_SKIP_DST_PORT].ptr; 2072 else if (dst != NULL && 2073 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not)) 2074 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2075 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 2076 r = TAILQ_NEXT(r, entries); 2077 else if (dst != NULL && dst->port_op && 2078 !pf_match_port(dst->port_op, dst->port[0], 2079 dst->port[1], dport)) 2080 r = r->skip[PF_SKIP_DST_PORT].ptr; 2081 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2082 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2083 off, pd->hdr.tcp), r->os_fingerprint))) 2084 r = TAILQ_NEXT(r, entries); 2085 else if (r->anchorname[0] && r->anchor == NULL) 2086 r = TAILQ_NEXT(r, entries); 2087 else if (r->anchor == NULL) 2088 rm = r; 2089 else 2090 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num); 2091 if (r == NULL && anchorrule != NULL) 2092 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, 2093 rs_num); 2094 } 2095 if (rm != NULL && (rm->action == PF_NONAT || 2096 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 2097 return (NULL); 2098 return (rm); 2099 } 2100 2101 struct pf_rule * 2102 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 2103 struct pfi_kif *kif, struct pf_src_node **sn, 2104 struct pf_addr *saddr, u_int16_t sport, 2105 struct pf_addr *daddr, u_int16_t dport, 2106 struct pf_addr *naddr, u_int16_t *nport) 2107 { 2108 struct pf_rule *r = NULL; 2109 2110 if (direction == PF_OUT) { 2111 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2112 sport, daddr, dport, PF_RULESET_BINAT); 2113 if (r == NULL) 2114 r = pf_match_translation(pd, m, off, direction, kif, 2115 saddr, sport, daddr, dport, PF_RULESET_NAT); 2116 } else { 2117 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2118 sport, daddr, dport, PF_RULESET_RDR); 2119 if (r == NULL) 2120 r = pf_match_translation(pd, m, off, direction, kif, 2121 saddr, sport, daddr, dport, PF_RULESET_BINAT); 2122 } 2123 2124 if (r != NULL) { 2125 switch (r->action) { 2126 case PF_NONAT: 2127 case PF_NOBINAT: 2128 case PF_NORDR: 2129 return (NULL); 2130 case PF_NAT: 2131 if (pf_get_sport(pd->af, pd->proto, r, saddr, 2132 daddr, dport, naddr, nport, r->rpool.proxy_port[0], 2133 r->rpool.proxy_port[1], sn)) { 2134 DPFPRINTF(PF_DEBUG_MISC, 2135 ("pf: NAT proxy port allocation " 2136 "(%u-%u) failed\n", 2137 r->rpool.proxy_port[0], 2138 r->rpool.proxy_port[1])); 2139 return (NULL); 2140 } 2141 break; 2142 case PF_BINAT: 2143 switch (direction) { 2144 case PF_OUT: 2145 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 2146 if (pd->af == AF_INET) { 2147 if (r->rpool.cur->addr.p.dyn-> 2148 pfid_acnt4 < 1) 2149 return (NULL); 2150 PF_POOLMASK(naddr, 2151 &r->rpool.cur->addr.p.dyn-> 2152 pfid_addr4, 2153 &r->rpool.cur->addr.p.dyn-> 2154 pfid_mask4, 2155 saddr, AF_INET); 2156 } else { 2157 if (r->rpool.cur->addr.p.dyn-> 2158 pfid_acnt6 < 1) 2159 return (NULL); 2160 PF_POOLMASK(naddr, 2161 &r->rpool.cur->addr.p.dyn-> 2162 pfid_addr6, 2163 &r->rpool.cur->addr.p.dyn-> 2164 pfid_mask6, 2165 saddr, AF_INET6); 2166 } 2167 } else 2168 PF_POOLMASK(naddr, 2169 &r->rpool.cur->addr.v.a.addr, 2170 &r->rpool.cur->addr.v.a.mask, 2171 saddr, pd->af); 2172 break; 2173 case PF_IN: 2174 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 2175 if (pd->af == AF_INET) { 2176 if (r->src.addr.p.dyn-> 2177 pfid_acnt4 < 1) 2178 return (NULL); 2179 PF_POOLMASK(naddr, 2180 &r->src.addr.p.dyn-> 2181 pfid_addr4, 2182 &r->src.addr.p.dyn-> 2183 pfid_mask4, 2184 daddr, AF_INET); 2185 } else { 2186 if 
(r->src.addr.p.dyn-> 2187 pfid_acnt6 < 1) 2188 return (NULL); 2189 PF_POOLMASK(naddr, 2190 &r->src.addr.p.dyn-> 2191 pfid_addr6, 2192 &r->src.addr.p.dyn-> 2193 pfid_mask6, 2194 daddr, AF_INET6); 2195 } 2196 } else 2197 PF_POOLMASK(naddr, 2198 &r->src.addr.v.a.addr, 2199 &r->src.addr.v.a.mask, daddr, 2200 pd->af); 2201 break; 2202 } 2203 break; 2204 case PF_RDR: { 2205 if (pf_map_addr(r->af, r, saddr, naddr, NULL, sn)) 2206 return (NULL); 2207 2208 if (r->rpool.proxy_port[1]) { 2209 u_int32_t tmp_nport; 2210 2211 tmp_nport = ((ntohs(dport) - 2212 ntohs(r->dst.port[0])) % 2213 (r->rpool.proxy_port[1] - 2214 r->rpool.proxy_port[0] + 1)) + 2215 r->rpool.proxy_port[0]; 2216 2217 /* wrap around if necessary */ 2218 if (tmp_nport > 65535) 2219 tmp_nport -= 65535; 2220 *nport = htons((u_int16_t)tmp_nport); 2221 } else if (r->rpool.proxy_port[0]) 2222 *nport = htons(r->rpool.proxy_port[0]); 2223 break; 2224 } 2225 default: 2226 return (NULL); 2227 } 2228 } 2229 2230 return (r); 2231 } 2232 2233 int 2234 pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) 2235 { 2236 struct pf_addr *saddr, *daddr; 2237 u_int16_t sport, dport; 2238 struct inpcbtable *tb; 2239 struct inpcb *inp = NULL; 2240 #if defined(__NetBSD__) && defined(INET6) 2241 struct in6pcb *in6p = NULL; 2242 #endif 2243 2244 *uid = UID_MAX; 2245 *gid = GID_MAX; 2246 switch (pd->proto) { 2247 case IPPROTO_TCP: 2248 sport = pd->hdr.tcp->th_sport; 2249 dport = pd->hdr.tcp->th_dport; 2250 tb = &tcbtable; 2251 break; 2252 case IPPROTO_UDP: 2253 sport = pd->hdr.udp->uh_sport; 2254 dport = pd->hdr.udp->uh_dport; 2255 tb = &udbtable; 2256 break; 2257 default: 2258 return (0); 2259 } 2260 if (direction == PF_IN) { 2261 saddr = pd->src; 2262 daddr = pd->dst; 2263 } else { 2264 u_int16_t p; 2265 2266 p = sport; 2267 sport = dport; 2268 dport = p; 2269 saddr = pd->dst; 2270 daddr = pd->src; 2271 } 2272 switch (pd->af) { 2273 case AF_INET: 2274 #ifdef __OpenBSD__ 2275 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport); 2276 if (inp == NULL) { 2277 inp = in_pcblookup_listen(tb, daddr->v4, dport, 0); 2278 if (inp == NULL) 2279 return (0); 2280 } 2281 #else 2282 inp = in_pcblookup_connect(tb, saddr->v4, sport, daddr->v4, 2283 dport); 2284 if (inp == NULL) { 2285 inp = in_pcblookup_bind(tb, daddr->v4, dport); 2286 if (inp == NULL) 2287 return (0); 2288 } 2289 #endif 2290 break; 2291 #ifdef INET6 2292 case AF_INET6: 2293 #ifdef __OpenBSD__ 2294 inp = in6_pcbhashlookup(tb, &saddr->v6, sport, &daddr->v6, 2295 dport); 2296 if (inp == NULL) { 2297 inp = in6_pcblookup_listen(tb, &daddr->v6, dport, 0); 2298 if (inp == NULL) 2299 return (0); 2300 } 2301 #else 2302 in6p = in6_pcblookup_connect(tb, &saddr->v6, sport, &daddr->v6, 2303 dport, 0); 2304 if (in6p == NULL) { 2305 in6p = in6_pcblookup_bind(tb, &daddr->v6, dport, 0); 2306 if (inp == NULL) 2307 return (0); 2308 } 2309 #endif 2310 break; 2311 #endif /* INET6 */ 2312 2313 default: 2314 return (0); 2315 } 2316 #ifdef __OpenBSD__ 2317 *uid = inp->inp_socket->so_euid; 2318 *gid = inp->inp_socket->so_egid; 2319 #else 2320 switch (pd->af) { 2321 case AF_INET: 2322 *uid = inp->inp_socket->so_uid; 2323 /* XXX gid */ 2324 break; 2325 #ifdef INET6 2326 case AF_INET6: 2327 *uid = in6p->in6p_socket->so_uid; 2328 /* XXX gid */ 2329 break; 2330 #endif 2331 } 2332 #endif 2333 return (1); 2334 } 2335 2336 u_int8_t 2337 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2338 { 2339 int hlen; 2340 u_int8_t hdr[60]; 2341 u_int8_t *opt, optlen; 2342 u_int8_t wscale = 0; 
2343 2344 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2345 if (hlen <= sizeof(struct tcphdr)) 2346 return (0); 2347 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2348 return (0); 2349 opt = hdr + sizeof(struct tcphdr); 2350 hlen -= sizeof(struct tcphdr); 2351 while (hlen >= 3) { 2352 switch (*opt) { 2353 case TCPOPT_EOL: 2354 case TCPOPT_NOP: 2355 ++opt; 2356 --hlen; 2357 break; 2358 case TCPOPT_WINDOW: 2359 wscale = opt[2]; 2360 if (wscale > TCP_MAX_WINSHIFT) 2361 wscale = TCP_MAX_WINSHIFT; 2362 wscale |= PF_WSCALE_FLAG; 2363 /* FALLTHROUGH */ 2364 default: 2365 optlen = opt[1]; 2366 if (optlen < 2) 2367 optlen = 2; 2368 hlen -= optlen; 2369 opt += optlen; 2370 break; 2371 } 2372 } 2373 return (wscale); 2374 } 2375 2376 u_int16_t 2377 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2378 { 2379 int hlen; 2380 u_int8_t hdr[60]; 2381 u_int8_t *opt, optlen; 2382 u_int16_t mss = tcp_mssdflt; 2383 2384 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2385 if (hlen <= sizeof(struct tcphdr)) 2386 return (0); 2387 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2388 return (0); 2389 opt = hdr + sizeof(struct tcphdr); 2390 hlen -= sizeof(struct tcphdr); 2391 while (hlen >= TCPOLEN_MAXSEG) { 2392 switch (*opt) { 2393 case TCPOPT_EOL: 2394 case TCPOPT_NOP: 2395 ++opt; 2396 --hlen; 2397 break; 2398 case TCPOPT_MAXSEG: 2399 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2); 2400 /* FALLTHROUGH */ 2401 default: 2402 optlen = opt[1]; 2403 if (optlen < 2) 2404 optlen = 2; 2405 hlen -= optlen; 2406 opt += optlen; 2407 break; 2408 } 2409 } 2410 return (mss); 2411 } 2412 2413 u_int16_t 2414 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer) 2415 { 2416 #ifdef INET 2417 struct sockaddr_in *dst; 2418 struct route ro; 2419 #endif /* INET */ 2420 #ifdef INET6 2421 struct sockaddr_in6 *dst6; 2422 struct route_in6 ro6; 2423 #endif /* INET6 */ 2424 struct rtentry *rt = NULL; 2425 int hlen; 2426 u_int16_t mss = tcp_mssdflt; 2427 2428 switch (af) { 2429 #ifdef INET 2430 case AF_INET: 2431 hlen = sizeof(struct ip); 2432 bzero(&ro, sizeof(ro)); 2433 dst = (struct sockaddr_in *)&ro.ro_dst; 2434 dst->sin_family = AF_INET; 2435 dst->sin_len = sizeof(*dst); 2436 dst->sin_addr = addr->v4; 2437 #ifdef __OpenBSD__ 2438 rtalloc_noclone(&ro, NO_CLONING); 2439 #else 2440 rtalloc(&ro); 2441 #endif 2442 rt = ro.ro_rt; 2443 break; 2444 #endif /* INET */ 2445 #ifdef INET6 2446 case AF_INET6: 2447 hlen = sizeof(struct ip6_hdr); 2448 bzero(&ro6, sizeof(ro6)); 2449 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst; 2450 dst6->sin6_family = AF_INET6; 2451 dst6->sin6_len = sizeof(*dst6); 2452 dst6->sin6_addr = addr->v6; 2453 #ifdef __OpenBSD__ 2454 rtalloc_noclone((struct route *)&ro6, NO_CLONING); 2455 #else 2456 rtalloc((struct route *)&ro6); 2457 #endif 2458 rt = ro6.ro_rt; 2459 break; 2460 #endif /* INET6 */ 2461 } 2462 2463 if (rt && rt->rt_ifp) { 2464 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2465 mss = max(tcp_mssdflt, mss); 2466 RTFREE(rt); 2467 } 2468 mss = min(mss, offer); 2469 mss = max(mss, 64); /* sanity - at least max opt space */ 2470 return (mss); 2471 } 2472 2473 void 2474 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) 2475 { 2476 struct pf_rule *r = s->rule.ptr; 2477 2478 s->rt_kif = NULL; 2479 if (!r->rt || r->rt == PF_FASTROUTE) 2480 return; 2481 switch (s->af) { 2482 #ifdef INET 2483 case AF_INET: 2484 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, 2485 &s->nat_src_node); 2486 s->rt_kif = r->rpool.cur->kif; 2487 break; 2488 #endif /* INET */ 2489 #ifdef 
INET6 2490 case AF_INET6: 2491 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, 2492 &s->nat_src_node); 2493 s->rt_kif = r->rpool.cur->kif; 2494 break; 2495 #endif /* INET6 */ 2496 } 2497 } 2498 2499 int 2500 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, 2501 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2502 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2503 { 2504 struct pf_rule *nr = NULL; 2505 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2506 struct tcphdr *th = pd->hdr.tcp; 2507 u_int16_t bport, nport = 0; 2508 sa_family_t af = pd->af; 2509 int lookup = -1; 2510 uid_t uid; 2511 gid_t gid; 2512 struct pf_rule *r, *a = NULL; 2513 struct pf_ruleset *ruleset = NULL; 2514 struct pf_src_node *nsn = NULL; 2515 u_short reason; 2516 int rewrite = 0; 2517 struct pf_tag *pftag = NULL; 2518 int tag = -1; 2519 u_int16_t mss = tcp_mssdflt; 2520 2521 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2522 2523 if (direction == PF_OUT) { 2524 bport = nport = th->th_sport; 2525 /* check outgoing packet for BINAT/NAT */ 2526 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2527 saddr, th->th_sport, daddr, th->th_dport, 2528 &pd->naddr, &nport)) != NULL) { 2529 PF_ACPY(&pd->baddr, saddr, af); 2530 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2531 &th->th_sum, &pd->naddr, nport, 0, af); 2532 rewrite++; 2533 if (nr->natpass) 2534 r = NULL; 2535 pd->nat_rule = nr; 2536 } 2537 } else { 2538 bport = nport = th->th_dport; 2539 /* check incoming packet for BINAT/RDR */ 2540 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2541 saddr, th->th_sport, daddr, th->th_dport, 2542 &pd->naddr, &nport)) != NULL) { 2543 PF_ACPY(&pd->baddr, daddr, af); 2544 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2545 &th->th_sum, &pd->naddr, nport, 0, af); 2546 rewrite++; 2547 if (nr->natpass) 2548 r = NULL; 2549 pd->nat_rule = nr; 2550 } 2551 } 2552 2553 while (r != NULL) { 2554 r->evaluations++; 2555 if (r->kif != NULL && 2556 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2557 r = r->skip[PF_SKIP_IFP].ptr; 2558 else if (r->direction && r->direction != direction) 2559 r = r->skip[PF_SKIP_DIR].ptr; 2560 else if (r->af && r->af != af) 2561 r = r->skip[PF_SKIP_AF].ptr; 2562 else if (r->proto && r->proto != IPPROTO_TCP) 2563 r = r->skip[PF_SKIP_PROTO].ptr; 2564 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2565 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2566 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2567 r->src.port[0], r->src.port[1], th->th_sport)) 2568 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2569 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2570 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2571 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2572 r->dst.port[0], r->dst.port[1], th->th_dport)) 2573 r = r->skip[PF_SKIP_DST_PORT].ptr; 2574 else if (r->tos && !(r->tos & pd->tos)) 2575 r = TAILQ_NEXT(r, entries); 2576 else if (r->rule_flag & PFRULE_FRAGMENT) 2577 r = TAILQ_NEXT(r, entries); 2578 else if ((r->flagset & th->th_flags) != r->flags) 2579 r = TAILQ_NEXT(r, entries); 2580 else if (r->uid.op && (lookup != -1 || (lookup = 2581 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2582 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2583 uid)) 2584 r = TAILQ_NEXT(r, entries); 2585 else if (r->gid.op && (lookup != -1 || (lookup = 2586 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2587 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2588 gid)) 2589 r = 
TAILQ_NEXT(r, entries); 2590 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag)) 2591 r = TAILQ_NEXT(r, entries); 2592 else if (r->anchorname[0] && r->anchor == NULL) 2593 r = TAILQ_NEXT(r, entries); 2594 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 2595 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 2596 r = TAILQ_NEXT(r, entries); 2597 else { 2598 if (r->tag) 2599 tag = r->tag; 2600 if (r->anchor == NULL) { 2601 *rm = r; 2602 *am = a; 2603 *rsm = ruleset; 2604 if ((*rm)->quick) 2605 break; 2606 r = TAILQ_NEXT(r, entries); 2607 } else 2608 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2609 PF_RULESET_FILTER); 2610 } 2611 if (r == NULL && a != NULL) 2612 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2613 PF_RULESET_FILTER); 2614 } 2615 r = *rm; 2616 a = *am; 2617 ruleset = *rsm; 2618 2619 REASON_SET(&reason, PFRES_MATCH); 2620 2621 if (r->log) { 2622 if (rewrite) 2623 m_copyback(m, off, sizeof(*th), th); 2624 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2625 } 2626 2627 if ((r->action == PF_DROP) && 2628 ((r->rule_flag & PFRULE_RETURNRST) || 2629 (r->rule_flag & PFRULE_RETURNICMP) || 2630 (r->rule_flag & PFRULE_RETURN))) { 2631 /* undo NAT changes, if they have taken place */ 2632 if (nr != NULL) { 2633 if (direction == PF_OUT) { 2634 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2635 &th->th_sum, &pd->baddr, bport, 0, af); 2636 rewrite++; 2637 } else { 2638 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2639 &th->th_sum, &pd->baddr, bport, 0, af); 2640 rewrite++; 2641 } 2642 } 2643 if (((r->rule_flag & PFRULE_RETURNRST) || 2644 (r->rule_flag & PFRULE_RETURN)) && 2645 !(th->th_flags & TH_RST)) { 2646 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 2647 2648 if (th->th_flags & TH_SYN) 2649 ack++; 2650 if (th->th_flags & TH_FIN) 2651 ack++; 2652 pf_send_tcp(r, af, pd->dst, 2653 pd->src, th->th_dport, th->th_sport, 2654 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, 2655 r->return_ttl); 2656 } else if ((af == AF_INET) && r->return_icmp) 2657 pf_send_icmp(m, r->return_icmp >> 8, 2658 r->return_icmp & 255, af, r); 2659 else if ((af == AF_INET6) && r->return_icmp6) 2660 pf_send_icmp(m, r->return_icmp6 >> 8, 2661 r->return_icmp6 & 255, af, r); 2662 } 2663 2664 if (r->action == PF_DROP) 2665 return (PF_DROP); 2666 2667 if (pf_tag_packet(m, pftag, tag)) { 2668 REASON_SET(&reason, PFRES_MEMORY); 2669 return (PF_DROP); 2670 } 2671 2672 if (r->keep_state || nr != NULL || 2673 (pd->flags & PFDESC_TCP_NORM)) { 2674 /* create new state */ 2675 u_int16_t len; 2676 struct pf_state *s = NULL; 2677 struct pf_src_node *sn = NULL; 2678 2679 len = pd->tot_len - off - (th->th_off << 2); 2680 2681 /* check maximums */ 2682 if (r->max_states && (r->states >= r->max_states)) 2683 goto cleanup; 2684 /* src node for flter rule */ 2685 if ((r->rule_flag & PFRULE_SRCTRACK || 2686 r->rpool.opts & PF_POOL_STICKYADDR) && 2687 pf_insert_src_node(&sn, r, saddr, af) != 0) 2688 goto cleanup; 2689 /* src node for translation rule */ 2690 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2691 ((direction == PF_OUT && 2692 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 2693 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 2694 goto cleanup; 2695 s = pool_get(&pf_state_pl, PR_NOWAIT); 2696 if (s == NULL) { 2697 cleanup: 2698 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2699 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2700 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2701 pf_status.src_nodes--; 2702 pool_put(&pf_src_tree_pl, sn); 2703 } 2704 if (nsn != sn && nsn != 
NULL && nsn->states == 0 && 2705 nsn->expire == 0) { 2706 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 2707 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2708 pf_status.src_nodes--; 2709 pool_put(&pf_src_tree_pl, nsn); 2710 } 2711 REASON_SET(&reason, PFRES_MEMORY); 2712 return (PF_DROP); 2713 } 2714 bzero(s, sizeof(*s)); 2715 r->states++; 2716 if (a != NULL) 2717 a->states++; 2718 s->rule.ptr = r; 2719 s->nat_rule.ptr = nr; 2720 if (s->nat_rule.ptr != NULL) 2721 s->nat_rule.ptr->states++; 2722 s->anchor.ptr = a; 2723 s->allow_opts = r->allow_opts; 2724 s->log = r->log & 2; 2725 s->proto = IPPROTO_TCP; 2726 s->direction = direction; 2727 s->af = af; 2728 if (direction == PF_OUT) { 2729 PF_ACPY(&s->gwy.addr, saddr, af); 2730 s->gwy.port = th->th_sport; /* sport */ 2731 PF_ACPY(&s->ext.addr, daddr, af); 2732 s->ext.port = th->th_dport; 2733 if (nr != NULL) { 2734 PF_ACPY(&s->lan.addr, &pd->baddr, af); 2735 s->lan.port = bport; 2736 } else { 2737 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2738 s->lan.port = s->gwy.port; 2739 } 2740 } else { 2741 PF_ACPY(&s->lan.addr, daddr, af); 2742 s->lan.port = th->th_dport; 2743 PF_ACPY(&s->ext.addr, saddr, af); 2744 s->ext.port = th->th_sport; 2745 if (nr != NULL) { 2746 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 2747 s->gwy.port = bport; 2748 } else { 2749 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2750 s->gwy.port = s->lan.port; 2751 } 2752 } 2753 2754 s->src.seqlo = ntohl(th->th_seq); 2755 s->src.seqhi = s->src.seqlo + len + 1; 2756 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2757 r->keep_state == PF_STATE_MODULATE) { 2758 /* Generate sequence number modulator */ 2759 while ((s->src.seqdiff = arc4random()) == 0) 2760 ; 2761 pf_change_a(&th->th_seq, &th->th_sum, 2762 htonl(s->src.seqlo + s->src.seqdiff), 0); 2763 rewrite = 1; 2764 } else 2765 s->src.seqdiff = 0; 2766 if (th->th_flags & TH_SYN) { 2767 s->src.seqhi++; 2768 s->src.wscale = pf_get_wscale(m, off, th->th_off, af); 2769 } 2770 s->src.max_win = MAX(ntohs(th->th_win), 1); 2771 if (s->src.wscale & PF_WSCALE_MASK) { 2772 /* Remove scale factor from initial window */ 2773 int win = s->src.max_win; 2774 win += 1 << (s->src.wscale & PF_WSCALE_MASK); 2775 s->src.max_win = (win - 1) >> 2776 (s->src.wscale & PF_WSCALE_MASK); 2777 } 2778 if (th->th_flags & TH_FIN) 2779 s->src.seqhi++; 2780 s->dst.seqhi = 1; 2781 s->dst.max_win = 1; 2782 s->src.state = TCPS_SYN_SENT; 2783 s->dst.state = TCPS_CLOSED; 2784 s->creation = time.tv_sec; 2785 s->expire = time.tv_sec; 2786 s->timeout = PFTM_TCP_FIRST_PACKET; 2787 pf_set_rt_ifp(s, saddr); 2788 if (sn != NULL) { 2789 s->src_node = sn; 2790 s->src_node->states++; 2791 } 2792 if (nsn != NULL) { 2793 PF_ACPY(&nsn->raddr, &pd->naddr, af); 2794 s->nat_src_node = nsn; 2795 s->nat_src_node->states++; 2796 } 2797 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 2798 off, pd, th, &s->src, &s->dst)) { 2799 REASON_SET(&reason, PFRES_MEMORY); 2800 pf_src_tree_remove_state(s); 2801 pool_put(&pf_state_pl, s); 2802 return (PF_DROP); 2803 } 2804 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && 2805 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src, 2806 &s->dst, &rewrite)) { 2807 pf_normalize_tcp_cleanup(s); 2808 pf_src_tree_remove_state(s); 2809 pool_put(&pf_state_pl, s); 2810 return (PF_DROP); 2811 } 2812 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 2813 pf_normalize_tcp_cleanup(s); 2814 REASON_SET(&reason, PFRES_MEMORY); 2815 pf_src_tree_remove_state(s); 2816 pool_put(&pf_state_pl, s); 2817 return (PF_DROP); 2818 } else 2819 *sm = s; 2820 if 
((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2821 r->keep_state == PF_STATE_SYNPROXY) { 2822 s->src.state = PF_TCPS_PROXY_SRC; 2823 if (nr != NULL) { 2824 if (direction == PF_OUT) { 2825 pf_change_ap(saddr, &th->th_sport, 2826 pd->ip_sum, &th->th_sum, &pd->baddr, 2827 bport, 0, af); 2828 } else { 2829 pf_change_ap(daddr, &th->th_dport, 2830 pd->ip_sum, &th->th_sum, &pd->baddr, 2831 bport, 0, af); 2832 } 2833 } 2834 s->src.seqhi = arc4random(); 2835 /* Find mss option */ 2836 mss = pf_get_mss(m, off, th->th_off, af); 2837 mss = pf_calc_mss(saddr, af, mss); 2838 mss = pf_calc_mss(daddr, af, mss); 2839 s->src.mss = mss; 2840 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 2841 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, 2842 TH_SYN|TH_ACK, 0, s->src.mss, 0); 2843 return (PF_SYNPROXY_DROP); 2844 } 2845 } 2846 2847 /* copy back packet headers if we performed NAT operations */ 2848 if (rewrite) 2849 m_copyback(m, off, sizeof(*th), th); 2850 2851 return (PF_PASS); 2852 } 2853 2854 int 2855 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, 2856 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2857 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2858 { 2859 struct pf_rule *nr = NULL; 2860 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2861 struct udphdr *uh = pd->hdr.udp; 2862 u_int16_t bport, nport = 0; 2863 sa_family_t af = pd->af; 2864 int lookup = -1; 2865 uid_t uid; 2866 gid_t gid; 2867 struct pf_rule *r, *a = NULL; 2868 struct pf_ruleset *ruleset = NULL; 2869 struct pf_src_node *nsn = NULL; 2870 u_short reason; 2871 int rewrite = 0; 2872 struct pf_tag *pftag = NULL; 2873 int tag = -1; 2874 2875 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2876 2877 if (direction == PF_OUT) { 2878 bport = nport = uh->uh_sport; 2879 /* check outgoing packet for BINAT/NAT */ 2880 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2881 saddr, uh->uh_sport, daddr, uh->uh_dport, 2882 &pd->naddr, &nport)) != NULL) { 2883 PF_ACPY(&pd->baddr, saddr, af); 2884 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2885 &uh->uh_sum, &pd->naddr, nport, 1, af); 2886 rewrite++; 2887 if (nr->natpass) 2888 r = NULL; 2889 pd->nat_rule = nr; 2890 } 2891 } else { 2892 bport = nport = uh->uh_dport; 2893 /* check incoming packet for BINAT/RDR */ 2894 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2895 saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr, 2896 &nport)) != NULL) { 2897 PF_ACPY(&pd->baddr, daddr, af); 2898 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2899 &uh->uh_sum, &pd->naddr, nport, 1, af); 2900 rewrite++; 2901 if (nr->natpass) 2902 r = NULL; 2903 pd->nat_rule = nr; 2904 } 2905 } 2906 2907 while (r != NULL) { 2908 r->evaluations++; 2909 if (r->kif != NULL && 2910 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2911 r = r->skip[PF_SKIP_IFP].ptr; 2912 else if (r->direction && r->direction != direction) 2913 r = r->skip[PF_SKIP_DIR].ptr; 2914 else if (r->af && r->af != af) 2915 r = r->skip[PF_SKIP_AF].ptr; 2916 else if (r->proto && r->proto != IPPROTO_UDP) 2917 r = r->skip[PF_SKIP_PROTO].ptr; 2918 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2919 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2920 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2921 r->src.port[0], r->src.port[1], uh->uh_sport)) 2922 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2923 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2924 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2925 else if (r->dst.port_op && 
!pf_match_port(r->dst.port_op, 2926 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 2927 r = r->skip[PF_SKIP_DST_PORT].ptr; 2928 else if (r->tos && !(r->tos & pd->tos)) 2929 r = TAILQ_NEXT(r, entries); 2930 else if (r->rule_flag & PFRULE_FRAGMENT) 2931 r = TAILQ_NEXT(r, entries); 2932 else if (r->uid.op && (lookup != -1 || (lookup = 2933 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2934 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2935 uid)) 2936 r = TAILQ_NEXT(r, entries); 2937 else if (r->gid.op && (lookup != -1 || (lookup = 2938 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2939 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2940 gid)) 2941 r = TAILQ_NEXT(r, entries); 2942 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag)) 2943 r = TAILQ_NEXT(r, entries); 2944 else if (r->anchorname[0] && r->anchor == NULL) 2945 r = TAILQ_NEXT(r, entries); 2946 else if (r->os_fingerprint != PF_OSFP_ANY) 2947 r = TAILQ_NEXT(r, entries); 2948 else { 2949 if (r->tag) 2950 tag = r->tag; 2951 if (r->anchor == NULL) { 2952 *rm = r; 2953 *am = a; 2954 *rsm = ruleset; 2955 if ((*rm)->quick) 2956 break; 2957 r = TAILQ_NEXT(r, entries); 2958 } else 2959 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2960 PF_RULESET_FILTER); 2961 } 2962 if (r == NULL && a != NULL) 2963 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2964 PF_RULESET_FILTER); 2965 } 2966 r = *rm; 2967 a = *am; 2968 ruleset = *rsm; 2969 2970 REASON_SET(&reason, PFRES_MATCH); 2971 2972 if (r->log) { 2973 if (rewrite) 2974 m_copyback(m, off, sizeof(*uh), uh); 2975 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2976 } 2977 2978 if ((r->action == PF_DROP) && 2979 ((r->rule_flag & PFRULE_RETURNICMP) || 2980 (r->rule_flag & PFRULE_RETURN))) { 2981 /* undo NAT changes, if they have taken place */ 2982 if (nr != NULL) { 2983 if (direction == PF_OUT) { 2984 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2985 &uh->uh_sum, &pd->baddr, bport, 1, af); 2986 rewrite++; 2987 } else { 2988 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2989 &uh->uh_sum, &pd->baddr, bport, 1, af); 2990 rewrite++; 2991 } 2992 } 2993 if ((af == AF_INET) && r->return_icmp) 2994 pf_send_icmp(m, r->return_icmp >> 8, 2995 r->return_icmp & 255, af, r); 2996 else if ((af == AF_INET6) && r->return_icmp6) 2997 pf_send_icmp(m, r->return_icmp6 >> 8, 2998 r->return_icmp6 & 255, af, r); 2999 } 3000 3001 if (r->action == PF_DROP) 3002 return (PF_DROP); 3003 3004 if (pf_tag_packet(m, pftag, tag)) { 3005 REASON_SET(&reason, PFRES_MEMORY); 3006 return (PF_DROP); 3007 } 3008 3009 if (r->keep_state || nr != NULL) { 3010 /* create new state */ 3011 struct pf_state *s = NULL; 3012 struct pf_src_node *sn = NULL; 3013 3014 /* check maximums */ 3015 if (r->max_states && (r->states >= r->max_states)) 3016 goto cleanup; 3017 /* src node for flter rule */ 3018 if ((r->rule_flag & PFRULE_SRCTRACK || 3019 r->rpool.opts & PF_POOL_STICKYADDR) && 3020 pf_insert_src_node(&sn, r, saddr, af) != 0) 3021 goto cleanup; 3022 /* src node for translation rule */ 3023 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3024 ((direction == PF_OUT && 3025 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3026 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3027 goto cleanup; 3028 s = pool_get(&pf_state_pl, PR_NOWAIT); 3029 if (s == NULL) { 3030 cleanup: 3031 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3032 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3033 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3034 pf_status.src_nodes--; 3035 pool_put(&pf_src_tree_pl, sn); 
3036 } 3037 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3038 nsn->expire == 0) { 3039 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3040 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3041 pf_status.src_nodes--; 3042 pool_put(&pf_src_tree_pl, nsn); 3043 } 3044 REASON_SET(&reason, PFRES_MEMORY); 3045 return (PF_DROP); 3046 } 3047 bzero(s, sizeof(*s)); 3048 r->states++; 3049 if (a != NULL) 3050 a->states++; 3051 s->rule.ptr = r; 3052 s->nat_rule.ptr = nr; 3053 if (s->nat_rule.ptr != NULL) 3054 s->nat_rule.ptr->states++; 3055 s->anchor.ptr = a; 3056 s->allow_opts = r->allow_opts; 3057 s->log = r->log & 2; 3058 s->proto = IPPROTO_UDP; 3059 s->direction = direction; 3060 s->af = af; 3061 if (direction == PF_OUT) { 3062 PF_ACPY(&s->gwy.addr, saddr, af); 3063 s->gwy.port = uh->uh_sport; 3064 PF_ACPY(&s->ext.addr, daddr, af); 3065 s->ext.port = uh->uh_dport; 3066 if (nr != NULL) { 3067 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3068 s->lan.port = bport; 3069 } else { 3070 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3071 s->lan.port = s->gwy.port; 3072 } 3073 } else { 3074 PF_ACPY(&s->lan.addr, daddr, af); 3075 s->lan.port = uh->uh_dport; 3076 PF_ACPY(&s->ext.addr, saddr, af); 3077 s->ext.port = uh->uh_sport; 3078 if (nr != NULL) { 3079 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3080 s->gwy.port = bport; 3081 } else { 3082 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3083 s->gwy.port = s->lan.port; 3084 } 3085 } 3086 s->src.state = PFUDPS_SINGLE; 3087 s->dst.state = PFUDPS_NO_TRAFFIC; 3088 s->creation = time.tv_sec; 3089 s->expire = time.tv_sec; 3090 s->timeout = PFTM_UDP_FIRST_PACKET; 3091 pf_set_rt_ifp(s, saddr); 3092 if (sn != NULL) { 3093 s->src_node = sn; 3094 s->src_node->states++; 3095 } 3096 if (nsn != NULL) { 3097 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3098 s->nat_src_node = nsn; 3099 s->nat_src_node->states++; 3100 } 3101 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3102 REASON_SET(&reason, PFRES_MEMORY); 3103 pf_src_tree_remove_state(s); 3104 pool_put(&pf_state_pl, s); 3105 return (PF_DROP); 3106 } else 3107 *sm = s; 3108 } 3109 3110 /* copy back packet headers if we performed NAT operations */ 3111 if (rewrite) 3112 m_copyback(m, off, sizeof(*uh), uh); 3113 3114 return (PF_PASS); 3115 } 3116 3117 int 3118 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, 3119 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 3120 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 3121 { 3122 struct pf_rule *nr = NULL; 3123 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3124 struct pf_rule *r, *a = NULL; 3125 struct pf_ruleset *ruleset = NULL; 3126 struct pf_src_node *nsn = NULL; 3127 u_short reason; 3128 u_int16_t icmpid = 0; 3129 sa_family_t af = pd->af; 3130 u_int8_t icmptype = 0, icmpcode = 0; 3131 int state_icmp = 0; 3132 struct pf_tag *pftag = NULL; 3133 int tag = -1; 3134 #ifdef INET6 3135 int rewrite = 0; 3136 #endif /* INET6 */ 3137 3138 switch (pd->proto) { 3139 #ifdef INET 3140 case IPPROTO_ICMP: 3141 icmptype = pd->hdr.icmp->icmp_type; 3142 icmpcode = pd->hdr.icmp->icmp_code; 3143 icmpid = pd->hdr.icmp->icmp_id; 3144 3145 if (icmptype == ICMP_UNREACH || 3146 icmptype == ICMP_SOURCEQUENCH || 3147 icmptype == ICMP_REDIRECT || 3148 icmptype == ICMP_TIMXCEED || 3149 icmptype == ICMP_PARAMPROB) 3150 state_icmp++; 3151 break; 3152 #endif /* INET */ 3153 #ifdef INET6 3154 case IPPROTO_ICMPV6: 3155 icmptype = pd->hdr.icmp6->icmp6_type; 3156 icmpcode = pd->hdr.icmp6->icmp6_code; 3157 icmpid = pd->hdr.icmp6->icmp6_id; 3158 3159 if (icmptype == 
ICMP6_DST_UNREACH || 3160 icmptype == ICMP6_PACKET_TOO_BIG || 3161 icmptype == ICMP6_TIME_EXCEEDED || 3162 icmptype == ICMP6_PARAM_PROB) 3163 state_icmp++; 3164 break; 3165 #endif /* INET6 */ 3166 } 3167 3168 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3169 3170 if (direction == PF_OUT) { 3171 /* check outgoing packet for BINAT/NAT */ 3172 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3173 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3174 PF_ACPY(&pd->baddr, saddr, af); 3175 switch (af) { 3176 #ifdef INET 3177 case AF_INET: 3178 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3179 pd->naddr.v4.s_addr, 0); 3180 break; 3181 #endif /* INET */ 3182 #ifdef INET6 3183 case AF_INET6: 3184 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, 3185 &pd->naddr, 0); 3186 rewrite++; 3187 break; 3188 #endif /* INET6 */ 3189 } 3190 if (nr->natpass) 3191 r = NULL; 3192 pd->nat_rule = nr; 3193 } 3194 } else { 3195 /* check incoming packet for BINAT/RDR */ 3196 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3197 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3198 PF_ACPY(&pd->baddr, daddr, af); 3199 switch (af) { 3200 #ifdef INET 3201 case AF_INET: 3202 pf_change_a(&daddr->v4.s_addr, 3203 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3204 break; 3205 #endif /* INET */ 3206 #ifdef INET6 3207 case AF_INET6: 3208 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, 3209 &pd->naddr, 0); 3210 rewrite++; 3211 break; 3212 #endif /* INET6 */ 3213 } 3214 if (nr->natpass) 3215 r = NULL; 3216 pd->nat_rule = nr; 3217 } 3218 } 3219 3220 while (r != NULL) { 3221 r->evaluations++; 3222 if (r->kif != NULL && 3223 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3224 r = r->skip[PF_SKIP_IFP].ptr; 3225 else if (r->direction && r->direction != direction) 3226 r = r->skip[PF_SKIP_DIR].ptr; 3227 else if (r->af && r->af != af) 3228 r = r->skip[PF_SKIP_AF].ptr; 3229 else if (r->proto && r->proto != pd->proto) 3230 r = r->skip[PF_SKIP_PROTO].ptr; 3231 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 3232 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3233 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 3234 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3235 else if (r->type && r->type != icmptype + 1) 3236 r = TAILQ_NEXT(r, entries); 3237 else if (r->code && r->code != icmpcode + 1) 3238 r = TAILQ_NEXT(r, entries); 3239 else if (r->tos && !(r->tos & pd->tos)) 3240 r = TAILQ_NEXT(r, entries); 3241 else if (r->rule_flag & PFRULE_FRAGMENT) 3242 r = TAILQ_NEXT(r, entries); 3243 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag)) 3244 r = TAILQ_NEXT(r, entries); 3245 else if (r->anchorname[0] && r->anchor == NULL) 3246 r = TAILQ_NEXT(r, entries); 3247 else if (r->os_fingerprint != PF_OSFP_ANY) 3248 r = TAILQ_NEXT(r, entries); 3249 else { 3250 if (r->tag) 3251 tag = r->tag; 3252 if (r->anchor == NULL) { 3253 *rm = r; 3254 *am = a; 3255 *rsm = ruleset; 3256 if ((*rm)->quick) 3257 break; 3258 r = TAILQ_NEXT(r, entries); 3259 } else 3260 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3261 PF_RULESET_FILTER); 3262 } 3263 if (r == NULL && a != NULL) 3264 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3265 PF_RULESET_FILTER); 3266 } 3267 r = *rm; 3268 a = *am; 3269 ruleset = *rsm; 3270 3271 REASON_SET(&reason, PFRES_MATCH); 3272 3273 if (r->log) { 3274 #ifdef INET6 3275 if (rewrite) 3276 m_copyback(m, off, sizeof(struct icmp6_hdr), 3277 pd->hdr.icmp6); 3278 #endif /* INET6 */ 3279 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3280 } 3281 3282 if (r->action != PF_PASS) 3283 return 
(PF_DROP); 3284 3285 if (pf_tag_packet(m, pftag, tag)) { 3286 REASON_SET(&reason, PFRES_MEMORY); 3287 return (PF_DROP); 3288 } 3289 3290 if (!state_icmp && (r->keep_state || nr != NULL)) { 3291 /* create new state */ 3292 struct pf_state *s = NULL; 3293 struct pf_src_node *sn = NULL; 3294 3295 /* check maximums */ 3296 if (r->max_states && (r->states >= r->max_states)) 3297 goto cleanup; 3298 /* src node for flter rule */ 3299 if ((r->rule_flag & PFRULE_SRCTRACK || 3300 r->rpool.opts & PF_POOL_STICKYADDR) && 3301 pf_insert_src_node(&sn, r, saddr, af) != 0) 3302 goto cleanup; 3303 /* src node for translation rule */ 3304 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3305 ((direction == PF_OUT && 3306 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3307 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3308 goto cleanup; 3309 s = pool_get(&pf_state_pl, PR_NOWAIT); 3310 if (s == NULL) { 3311 cleanup: 3312 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3313 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3314 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3315 pf_status.src_nodes--; 3316 pool_put(&pf_src_tree_pl, sn); 3317 } 3318 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3319 nsn->expire == 0) { 3320 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3321 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3322 pf_status.src_nodes--; 3323 pool_put(&pf_src_tree_pl, nsn); 3324 } 3325 REASON_SET(&reason, PFRES_MEMORY); 3326 return (PF_DROP); 3327 } 3328 bzero(s, sizeof(*s)); 3329 r->states++; 3330 if (a != NULL) 3331 a->states++; 3332 s->rule.ptr = r; 3333 s->nat_rule.ptr = nr; 3334 if (s->nat_rule.ptr != NULL) 3335 s->nat_rule.ptr->states++; 3336 s->anchor.ptr = a; 3337 s->allow_opts = r->allow_opts; 3338 s->log = r->log & 2; 3339 s->proto = pd->proto; 3340 s->direction = direction; 3341 s->af = af; 3342 if (direction == PF_OUT) { 3343 PF_ACPY(&s->gwy.addr, saddr, af); 3344 s->gwy.port = icmpid; 3345 PF_ACPY(&s->ext.addr, daddr, af); 3346 s->ext.port = icmpid; 3347 if (nr != NULL) 3348 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3349 else 3350 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3351 s->lan.port = icmpid; 3352 } else { 3353 PF_ACPY(&s->lan.addr, daddr, af); 3354 s->lan.port = icmpid; 3355 PF_ACPY(&s->ext.addr, saddr, af); 3356 s->ext.port = icmpid; 3357 if (nr != NULL) 3358 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3359 else 3360 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3361 s->gwy.port = icmpid; 3362 } 3363 s->creation = time.tv_sec; 3364 s->expire = time.tv_sec; 3365 s->timeout = PFTM_ICMP_FIRST_PACKET; 3366 pf_set_rt_ifp(s, saddr); 3367 if (sn != NULL) { 3368 s->src_node = sn; 3369 s->src_node->states++; 3370 } 3371 if (nsn != NULL) { 3372 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3373 s->nat_src_node = nsn; 3374 s->nat_src_node->states++; 3375 } 3376 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3377 REASON_SET(&reason, PFRES_MEMORY); 3378 pf_src_tree_remove_state(s); 3379 pool_put(&pf_state_pl, s); 3380 return (PF_DROP); 3381 } else 3382 *sm = s; 3383 } 3384 3385 #ifdef INET6 3386 /* copy back packet headers if we performed IPv6 NAT operations */ 3387 if (rewrite) 3388 m_copyback(m, off, sizeof(struct icmp6_hdr), 3389 pd->hdr.icmp6); 3390 #endif /* INET6 */ 3391 3392 return (PF_PASS); 3393 } 3394 3395 int 3396 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, 3397 struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3398 struct pf_rule **am, struct pf_ruleset **rsm) 3399 { 3400 struct pf_rule *nr = NULL; 3401 struct 
pf_rule *r, *a = NULL; 3402 struct pf_ruleset *ruleset = NULL; 3403 struct pf_src_node *nsn = NULL; 3404 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3405 sa_family_t af = pd->af; 3406 u_short reason; 3407 struct pf_tag *pftag = NULL; 3408 int tag = -1; 3409 3410 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3411 3412 if (direction == PF_OUT) { 3413 /* check outgoing packet for BINAT/NAT */ 3414 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3415 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3416 PF_ACPY(&pd->baddr, saddr, af); 3417 switch (af) { 3418 #ifdef INET 3419 case AF_INET: 3420 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3421 pd->naddr.v4.s_addr, 0); 3422 break; 3423 #endif /* INET */ 3424 #ifdef INET6 3425 case AF_INET6: 3426 PF_ACPY(saddr, &pd->naddr, af); 3427 break; 3428 #endif /* INET6 */ 3429 } 3430 if (nr->natpass) 3431 r = NULL; 3432 pd->nat_rule = nr; 3433 } 3434 } else { 3435 /* check incoming packet for BINAT/RDR */ 3436 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3437 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3438 PF_ACPY(&pd->baddr, daddr, af); 3439 switch (af) { 3440 #ifdef INET 3441 case AF_INET: 3442 pf_change_a(&daddr->v4.s_addr, 3443 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3444 break; 3445 #endif /* INET */ 3446 #ifdef INET6 3447 case AF_INET6: 3448 PF_ACPY(daddr, &pd->naddr, af); 3449 break; 3450 #endif /* INET6 */ 3451 } 3452 if (nr->natpass) 3453 r = NULL; 3454 pd->nat_rule = nr; 3455 } 3456 } 3457 3458 while (r != NULL) { 3459 r->evaluations++; 3460 if (r->kif != NULL && 3461 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3462 r = r->skip[PF_SKIP_IFP].ptr; 3463 else if (r->direction && r->direction != direction) 3464 r = r->skip[PF_SKIP_DIR].ptr; 3465 else if (r->af && r->af != af) 3466 r = r->skip[PF_SKIP_AF].ptr; 3467 else if (r->proto && r->proto != pd->proto) 3468 r = r->skip[PF_SKIP_PROTO].ptr; 3469 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3470 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3471 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3472 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3473 else if (r->tos && !(r->tos & pd->tos)) 3474 r = TAILQ_NEXT(r, entries); 3475 else if (r->rule_flag & PFRULE_FRAGMENT) 3476 r = TAILQ_NEXT(r, entries); 3477 else if (r->match_tag && !pf_match_tag(m, r, nr, pftag, &tag)) 3478 r = TAILQ_NEXT(r, entries); 3479 else if (r->anchorname[0] && r->anchor == NULL) 3480 r = TAILQ_NEXT(r, entries); 3481 else if (r->os_fingerprint != PF_OSFP_ANY) 3482 r = TAILQ_NEXT(r, entries); 3483 else { 3484 if (r->tag) 3485 tag = r->tag; 3486 if (r->anchor == NULL) { 3487 *rm = r; 3488 *am = a; 3489 *rsm = ruleset; 3490 if ((*rm)->quick) 3491 break; 3492 r = TAILQ_NEXT(r, entries); 3493 } else 3494 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3495 PF_RULESET_FILTER); 3496 } 3497 if (r == NULL && a != NULL) 3498 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3499 PF_RULESET_FILTER); 3500 } 3501 r = *rm; 3502 a = *am; 3503 ruleset = *rsm; 3504 3505 REASON_SET(&reason, PFRES_MATCH); 3506 3507 if (r->log) 3508 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3509 3510 if ((r->action == PF_DROP) && 3511 ((r->rule_flag & PFRULE_RETURNICMP) || 3512 (r->rule_flag & PFRULE_RETURN))) { 3513 struct pf_addr *a = NULL; 3514 3515 if (nr != NULL) { 3516 if (direction == PF_OUT) 3517 a = saddr; 3518 else 3519 a = daddr; 3520 } 3521 if (a != NULL) { 3522 switch (af) { 3523 #ifdef INET 3524 case AF_INET: 3525 pf_change_a(&a->v4.s_addr, pd->ip_sum, 3526 
pd->baddr.v4.s_addr, 0); 3527 break; 3528 #endif /* INET */ 3529 #ifdef INET6 3530 case AF_INET6: 3531 PF_ACPY(a, &pd->baddr, af); 3532 break; 3533 #endif /* INET6 */ 3534 } 3535 } 3536 if ((af == AF_INET) && r->return_icmp) 3537 pf_send_icmp(m, r->return_icmp >> 8, 3538 r->return_icmp & 255, af, r); 3539 else if ((af == AF_INET6) && r->return_icmp6) 3540 pf_send_icmp(m, r->return_icmp6 >> 8, 3541 r->return_icmp6 & 255, af, r); 3542 } 3543 3544 if (r->action != PF_PASS) 3545 return (PF_DROP); 3546 3547 if (pf_tag_packet(m, pftag, tag)) { 3548 REASON_SET(&reason, PFRES_MEMORY); 3549 return (PF_DROP); 3550 } 3551 3552 if (r->keep_state || nr != NULL) { 3553 /* create new state */ 3554 struct pf_state *s = NULL; 3555 struct pf_src_node *sn = NULL; 3556 3557 /* check maximums */ 3558 if (r->max_states && (r->states >= r->max_states)) 3559 goto cleanup; 3560 /* src node for flter rule */ 3561 if ((r->rule_flag & PFRULE_SRCTRACK || 3562 r->rpool.opts & PF_POOL_STICKYADDR) && 3563 pf_insert_src_node(&sn, r, saddr, af) != 0) 3564 goto cleanup; 3565 /* src node for translation rule */ 3566 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3567 ((direction == PF_OUT && 3568 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3569 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3570 goto cleanup; 3571 s = pool_get(&pf_state_pl, PR_NOWAIT); 3572 if (s == NULL) { 3573 cleanup: 3574 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3575 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3576 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3577 pf_status.src_nodes--; 3578 pool_put(&pf_src_tree_pl, sn); 3579 } 3580 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3581 nsn->expire == 0) { 3582 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3583 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3584 pf_status.src_nodes--; 3585 pool_put(&pf_src_tree_pl, nsn); 3586 } 3587 REASON_SET(&reason, PFRES_MEMORY); 3588 return (PF_DROP); 3589 } 3590 bzero(s, sizeof(*s)); 3591 r->states++; 3592 if (a != NULL) 3593 a->states++; 3594 s->rule.ptr = r; 3595 s->nat_rule.ptr = nr; 3596 if (s->nat_rule.ptr != NULL) 3597 s->nat_rule.ptr->states++; 3598 s->anchor.ptr = a; 3599 s->allow_opts = r->allow_opts; 3600 s->log = r->log & 2; 3601 s->proto = pd->proto; 3602 s->direction = direction; 3603 s->af = af; 3604 if (direction == PF_OUT) { 3605 PF_ACPY(&s->gwy.addr, saddr, af); 3606 PF_ACPY(&s->ext.addr, daddr, af); 3607 if (nr != NULL) 3608 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3609 else 3610 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3611 } else { 3612 PF_ACPY(&s->lan.addr, daddr, af); 3613 PF_ACPY(&s->ext.addr, saddr, af); 3614 if (nr != NULL) 3615 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3616 else 3617 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3618 } 3619 s->src.state = PFOTHERS_SINGLE; 3620 s->dst.state = PFOTHERS_NO_TRAFFIC; 3621 s->creation = time.tv_sec; 3622 s->expire = time.tv_sec; 3623 s->timeout = PFTM_OTHER_FIRST_PACKET; 3624 pf_set_rt_ifp(s, saddr); 3625 if (sn != NULL) { 3626 s->src_node = sn; 3627 s->src_node->states++; 3628 } 3629 if (nsn != NULL) { 3630 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3631 s->nat_src_node = nsn; 3632 s->nat_src_node->states++; 3633 } 3634 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3635 REASON_SET(&reason, PFRES_MEMORY); 3636 pf_src_tree_remove_state(s); 3637 pool_put(&pf_state_pl, s); 3638 return (PF_DROP); 3639 } else 3640 *sm = s; 3641 } 3642 3643 return (PF_PASS); 3644 } 3645 3646 int 3647 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, 3648 
struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, 3649 struct pf_ruleset **rsm) 3650 { 3651 struct pf_rule *r, *a = NULL; 3652 struct pf_ruleset *ruleset = NULL; 3653 sa_family_t af = pd->af; 3654 u_short reason; 3655 struct pf_tag *pftag = NULL; 3656 int tag = -1; 3657 3658 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3659 while (r != NULL) { 3660 r->evaluations++; 3661 if (r->kif != NULL && 3662 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3663 r = r->skip[PF_SKIP_IFP].ptr; 3664 else if (r->direction && r->direction != direction) 3665 r = r->skip[PF_SKIP_DIR].ptr; 3666 else if (r->af && r->af != af) 3667 r = r->skip[PF_SKIP_AF].ptr; 3668 else if (r->proto && r->proto != pd->proto) 3669 r = r->skip[PF_SKIP_PROTO].ptr; 3670 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3671 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3672 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3673 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3674 else if (r->tos && !(r->tos & pd->tos)) 3675 r = TAILQ_NEXT(r, entries); 3676 else if (r->src.port_op || r->dst.port_op || 3677 r->flagset || r->type || r->code || 3678 r->os_fingerprint != PF_OSFP_ANY) 3679 r = TAILQ_NEXT(r, entries); 3680 else if (r->match_tag && !pf_match_tag(m, r, NULL, pftag, &tag)) 3681 r = TAILQ_NEXT(r, entries); 3682 else if (r->anchorname[0] && r->anchor == NULL) 3683 r = TAILQ_NEXT(r, entries); 3684 else { 3685 if (r->anchor == NULL) { 3686 *rm = r; 3687 *am = a; 3688 *rsm = ruleset; 3689 if ((*rm)->quick) 3690 break; 3691 r = TAILQ_NEXT(r, entries); 3692 } else 3693 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3694 PF_RULESET_FILTER); 3695 } 3696 if (r == NULL && a != NULL) 3697 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3698 PF_RULESET_FILTER); 3699 } 3700 r = *rm; 3701 a = *am; 3702 ruleset = *rsm; 3703 3704 REASON_SET(&reason, PFRES_MATCH); 3705 3706 if (r->log) 3707 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3708 3709 if (r->action != PF_PASS) 3710 return (PF_DROP); 3711 3712 if (pf_tag_packet(m, pftag, tag)) { 3713 REASON_SET(&reason, PFRES_MEMORY); 3714 return (PF_DROP); 3715 } 3716 3717 return (PF_PASS); 3718 } 3719 3720 int 3721 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, 3722 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3723 u_short *reason) 3724 { 3725 struct pf_state key; 3726 struct tcphdr *th = pd->hdr.tcp; 3727 u_int16_t win = ntohs(th->th_win); 3728 u_int32_t ack, end, seq; 3729 u_int8_t sws, dws; 3730 int ackskew; 3731 int copyback = 0; 3732 struct pf_state_peer *src, *dst; 3733 3734 key.af = pd->af; 3735 key.proto = IPPROTO_TCP; 3736 if (direction == PF_IN) { 3737 PF_ACPY(&key.ext.addr, pd->src, key.af); 3738 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3739 key.ext.port = th->th_sport; 3740 key.gwy.port = th->th_dport; 3741 } else { 3742 PF_ACPY(&key.lan.addr, pd->src, key.af); 3743 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3744 key.lan.port = th->th_sport; 3745 key.ext.port = th->th_dport; 3746 } 3747 3748 STATE_LOOKUP(); 3749 3750 if (direction == (*state)->direction) { 3751 src = &(*state)->src; 3752 dst = &(*state)->dst; 3753 } else { 3754 src = &(*state)->dst; 3755 dst = &(*state)->src; 3756 } 3757 3758 if ((*state)->src.state == PF_TCPS_PROXY_SRC) { 3759 if (direction != (*state)->direction) 3760 return (PF_SYNPROXY_DROP); 3761 if (th->th_flags & TH_SYN) { 3762 if (ntohl(th->th_seq) != (*state)->src.seqlo) 3763 return (PF_DROP); 3764 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3765 pd->src, 
th->th_dport, th->th_sport, 3766 (*state)->src.seqhi, ntohl(th->th_seq) + 1, 3767 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0); 3768 return (PF_SYNPROXY_DROP); 3769 } else if (!(th->th_flags & TH_ACK) || 3770 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3771 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3772 return (PF_DROP); 3773 else 3774 (*state)->src.state = PF_TCPS_PROXY_DST; 3775 } 3776 if ((*state)->src.state == PF_TCPS_PROXY_DST) { 3777 struct pf_state_host *src, *dst; 3778 3779 if (direction == PF_OUT) { 3780 src = &(*state)->gwy; 3781 dst = &(*state)->ext; 3782 } else { 3783 src = &(*state)->ext; 3784 dst = &(*state)->lan; 3785 } 3786 if (direction == (*state)->direction) { 3787 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || 3788 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3789 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3790 return (PF_DROP); 3791 (*state)->src.max_win = MAX(ntohs(th->th_win), 1); 3792 if ((*state)->dst.seqhi == 1) 3793 (*state)->dst.seqhi = arc4random(); 3794 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3795 &dst->addr, src->port, dst->port, 3796 (*state)->dst.seqhi, 0, TH_SYN, 0, 3797 (*state)->src.mss, 0); 3798 return (PF_SYNPROXY_DROP); 3799 } else if (((th->th_flags & (TH_SYN|TH_ACK)) != 3800 (TH_SYN|TH_ACK)) || 3801 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) 3802 return (PF_DROP); 3803 else { 3804 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); 3805 (*state)->dst.seqlo = ntohl(th->th_seq); 3806 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3807 pd->src, th->th_dport, th->th_sport, 3808 ntohl(th->th_ack), ntohl(th->th_seq) + 1, 3809 TH_ACK, (*state)->src.max_win, 0, 0); 3810 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3811 &dst->addr, src->port, dst->port, 3812 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, 3813 TH_ACK, (*state)->dst.max_win, 0, 0); 3814 (*state)->src.seqdiff = (*state)->dst.seqhi - 3815 (*state)->src.seqlo; 3816 (*state)->dst.seqdiff = (*state)->src.seqhi - 3817 (*state)->dst.seqlo; 3818 (*state)->src.seqhi = (*state)->src.seqlo + 3819 (*state)->src.max_win; 3820 (*state)->dst.seqhi = (*state)->dst.seqlo + 3821 (*state)->dst.max_win; 3822 (*state)->src.wscale = (*state)->dst.wscale = 0; 3823 (*state)->src.state = (*state)->dst.state = 3824 TCPS_ESTABLISHED; 3825 return (PF_SYNPROXY_DROP); 3826 } 3827 } 3828 3829 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 3830 sws = src->wscale & PF_WSCALE_MASK; 3831 dws = dst->wscale & PF_WSCALE_MASK; 3832 } else 3833 sws = dws = 0; 3834 3835 /* 3836 * Sequence tracking algorithm from Guido van Rooij's paper: 3837 * http://www.madison-gurkha.com/publications/tcp_filtering/ 3838 * tcp_filtering.ps 3839 */ 3840 3841 seq = ntohl(th->th_seq); 3842 if (src->seqlo == 0) { 3843 /* First packet from this end. 
Set its state */ 3844 3845 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && 3846 src->scrub == NULL) { 3847 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 3848 REASON_SET(reason, PFRES_MEMORY); 3849 return (PF_DROP); 3850 } 3851 } 3852 3853 /* Deferred generation of sequence number modulator */ 3854 if (dst->seqdiff && !src->seqdiff) { 3855 while ((src->seqdiff = arc4random()) == 0) 3856 ; 3857 ack = ntohl(th->th_ack) - dst->seqdiff; 3858 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3859 src->seqdiff), 0); 3860 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3861 copyback = 1; 3862 } else { 3863 ack = ntohl(th->th_ack); 3864 } 3865 3866 end = seq + pd->p_len; 3867 if (th->th_flags & TH_SYN) { 3868 end++; 3869 if (dst->wscale & PF_WSCALE_FLAG) { 3870 src->wscale = pf_get_wscale(m, off, th->th_off, 3871 pd->af); 3872 if (src->wscale & PF_WSCALE_FLAG) { 3873 /* Remove scale factor from initial 3874 * window */ 3875 sws = src->wscale & PF_WSCALE_MASK; 3876 win = ((u_int32_t)win + (1 << sws) - 1) 3877 >> sws; 3878 dws = dst->wscale & PF_WSCALE_MASK; 3879 } else { 3880 /* fixup other window */ 3881 dst->max_win <<= dst->wscale & 3882 PF_WSCALE_MASK; 3883 /* in case of a retrans SYN|ACK */ 3884 dst->wscale = 0; 3885 } 3886 } 3887 } 3888 if (th->th_flags & TH_FIN) 3889 end++; 3890 3891 src->seqlo = seq; 3892 if (src->state < TCPS_SYN_SENT) 3893 src->state = TCPS_SYN_SENT; 3894 3895 /* 3896 * May need to slide the window (seqhi may have been set by 3897 * the crappy stack check or if we picked up the connection 3898 * after establishment) 3899 */ 3900 if (src->seqhi == 1 || 3901 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) 3902 src->seqhi = end + MAX(1, dst->max_win << dws); 3903 if (win > src->max_win) 3904 src->max_win = win; 3905 3906 } else { 3907 ack = ntohl(th->th_ack) - dst->seqdiff; 3908 if (src->seqdiff) { 3909 /* Modulate sequence numbers */ 3910 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3911 src->seqdiff), 0); 3912 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3913 copyback = 1; 3914 } 3915 end = seq + pd->p_len; 3916 if (th->th_flags & TH_SYN) 3917 end++; 3918 if (th->th_flags & TH_FIN) 3919 end++; 3920 } 3921 3922 if ((th->th_flags & TH_ACK) == 0) { 3923 /* Let it pass through the ack skew check */ 3924 ack = dst->seqlo; 3925 } else if ((ack == 0 && 3926 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || 3927 /* broken tcp stacks do not set ack */ 3928 (dst->state < TCPS_SYN_SENT)) { 3929 /* 3930 * Many stacks (ours included) will set the ACK number in an 3931 * FIN|ACK if the SYN times out -- no sequence to ACK. 
3932 */ 3933 ack = dst->seqlo; 3934 } 3935 3936 if (seq == end) { 3937 /* Ease sequencing restrictions on no data packets */ 3938 seq = src->seqlo; 3939 end = seq; 3940 } 3941 3942 ackskew = dst->seqlo - ack; 3943 3944 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ 3945 if (SEQ_GEQ(src->seqhi, end) && 3946 /* Last octet inside other's window space */ 3947 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 3948 /* Retrans: not more than one window back */ 3949 (ackskew >= -MAXACKWINDOW) && 3950 /* Acking not more than one reassembled fragment backwards */ 3951 (ackskew <= (MAXACKWINDOW << sws))) { 3952 /* Acking not more than one window forward */ 3953 3954 /* update max window */ 3955 if (src->max_win < win) 3956 src->max_win = win; 3957 /* synchronize sequencing */ 3958 if (SEQ_GT(end, src->seqlo)) 3959 src->seqlo = end; 3960 /* slide the window of what the other end can send */ 3961 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3962 dst->seqhi = ack + MAX((win << sws), 1); 3963 3964 3965 /* update states */ 3966 if (th->th_flags & TH_SYN) 3967 if (src->state < TCPS_SYN_SENT) 3968 src->state = TCPS_SYN_SENT; 3969 if (th->th_flags & TH_FIN) 3970 if (src->state < TCPS_CLOSING) 3971 src->state = TCPS_CLOSING; 3972 if (th->th_flags & TH_ACK) { 3973 if (dst->state == TCPS_SYN_SENT) 3974 dst->state = TCPS_ESTABLISHED; 3975 else if (dst->state == TCPS_CLOSING) 3976 dst->state = TCPS_FIN_WAIT_2; 3977 } 3978 if (th->th_flags & TH_RST) 3979 src->state = dst->state = TCPS_TIME_WAIT; 3980 3981 /* update expire time */ 3982 (*state)->expire = time.tv_sec; 3983 if (src->state >= TCPS_FIN_WAIT_2 && 3984 dst->state >= TCPS_FIN_WAIT_2) 3985 (*state)->timeout = PFTM_TCP_CLOSED; 3986 else if (src->state >= TCPS_FIN_WAIT_2 || 3987 dst->state >= TCPS_FIN_WAIT_2) 3988 (*state)->timeout = PFTM_TCP_FIN_WAIT; 3989 else if (src->state < TCPS_ESTABLISHED || 3990 dst->state < TCPS_ESTABLISHED) 3991 (*state)->timeout = PFTM_TCP_OPENING; 3992 else if (src->state >= TCPS_CLOSING || 3993 dst->state >= TCPS_CLOSING) 3994 (*state)->timeout = PFTM_TCP_CLOSING; 3995 else 3996 (*state)->timeout = PFTM_TCP_ESTABLISHED; 3997 3998 /* Fall through to PASS packet */ 3999 4000 } else if ((dst->state < TCPS_SYN_SENT || 4001 dst->state >= TCPS_FIN_WAIT_2 || 4002 src->state >= TCPS_FIN_WAIT_2) && 4003 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && 4004 /* Within a window forward of the originating packet */ 4005 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { 4006 /* Within a window backward of the originating packet */ 4007 4008 /* 4009 * This currently handles three situations: 4010 * 1) Stupid stacks will shotgun SYNs before their peer 4011 * replies. 4012 * 2) When PF catches an already established stream (the 4013 * firewall rebooted, the state table was flushed, routes 4014 * changed...) 4015 * 3) Packets get funky immediately after the connection 4016 * closes (this should catch Solaris spurious ACK|FINs 4017 * that web servers like to spew after a close) 4018 * 4019 * This must be a little more careful than the above code 4020 * since packet floods will also be caught here. We don't 4021 * update the TTL here to mitigate the damage of a packet 4022 * flood and so the same code can handle awkward establishment 4023 * and a loosened connection close. 4024 * In the establishment case, a correct peer response will 4025 * validate the connection, go through the normal state code 4026 * and keep updating the state TTL. 
4027 */ 4028 4029 if (pf_status.debug >= PF_DEBUG_MISC) { 4030 printf("pf: loose state match: "); 4031 pf_print_state(*state); 4032 pf_print_flags(th->th_flags); 4033 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 4034 seq, ack, pd->p_len, ackskew, 4035 (*state)->packets[0], (*state)->packets[1]); 4036 } 4037 4038 /* update max window */ 4039 if (src->max_win < win) 4040 src->max_win = win; 4041 /* synchronize sequencing */ 4042 if (SEQ_GT(end, src->seqlo)) 4043 src->seqlo = end; 4044 /* slide the window of what the other end can send */ 4045 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 4046 dst->seqhi = ack + MAX((win << sws), 1); 4047 4048 /* 4049 * Cannot set dst->seqhi here since this could be a shotgunned 4050 * SYN and not an already established connection. 4051 */ 4052 4053 if (th->th_flags & TH_FIN) 4054 if (src->state < TCPS_CLOSING) 4055 src->state = TCPS_CLOSING; 4056 if (th->th_flags & TH_RST) 4057 src->state = dst->state = TCPS_TIME_WAIT; 4058 4059 /* Fall through to PASS packet */ 4060 4061 } else { 4062 if ((*state)->dst.state == TCPS_SYN_SENT && 4063 (*state)->src.state == TCPS_SYN_SENT) { 4064 /* Send RST for state mismatches during handshake */ 4065 if (!(th->th_flags & TH_RST)) { 4066 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 4067 4068 if (th->th_flags & TH_SYN) 4069 ack++; 4070 if (th->th_flags & TH_FIN) 4071 ack++; 4072 pf_send_tcp((*state)->rule.ptr, pd->af, 4073 pd->dst, pd->src, th->th_dport, 4074 th->th_sport, ntohl(th->th_ack), ack, 4075 TH_RST|TH_ACK, 0, 0, 4076 (*state)->rule.ptr->return_ttl); 4077 } 4078 src->seqlo = 0; 4079 src->seqhi = 1; 4080 src->max_win = 1; 4081 } else if (pf_status.debug >= PF_DEBUG_MISC) { 4082 printf("pf: BAD state: "); 4083 pf_print_state(*state); 4084 pf_print_flags(th->th_flags); 4085 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " 4086 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew, 4087 (*state)->packets[0], (*state)->packets[1], 4088 direction == PF_IN ? "in" : "out", 4089 direction == (*state)->direction ? "fwd" : "rev"); 4090 printf("pf: State failure on: %c %c %c %c | %c %c\n", 4091 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 4092 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 4093 ' ': '2', 4094 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 4095 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 4096 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 4097 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' 
' :'6');
4098 }
4099 return (PF_DROP);
4100 }
4101
4102 if (dst->scrub || src->scrub) {
4103 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4104 src, dst, &copyback))
4105 return (PF_DROP);
4106 }
4107
4108 /* Any packets which have gotten here are to be passed */
4109
4110 /* translate source/destination address, if necessary */
4111 if (STATE_TRANSLATE(*state)) {
4112 if (direction == PF_OUT)
4113 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
4114 &th->th_sum, &(*state)->gwy.addr,
4115 (*state)->gwy.port, 0, pd->af);
4116 else
4117 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
4118 &th->th_sum, &(*state)->lan.addr,
4119 (*state)->lan.port, 0, pd->af);
4120 m_copyback(m, off, sizeof(*th), th);
4121 } else if (copyback) {
4122 /* Copyback sequence modulation or stateful scrub changes */
4123 m_copyback(m, off, sizeof(*th), th);
4124 }
4125
4126 return (PF_PASS);
4127 }
4128
4129 int
4130 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
4131 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4132 {
4133 struct pf_state_peer *src, *dst;
4134 struct pf_state key;
4135 struct udphdr *uh = pd->hdr.udp;
4136
4137 key.af = pd->af;
4138 key.proto = IPPROTO_UDP;
4139 if (direction == PF_IN) {
4140 PF_ACPY(&key.ext.addr, pd->src, key.af);
4141 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4142 key.ext.port = uh->uh_sport;
4143 key.gwy.port = uh->uh_dport;
4144 } else {
4145 PF_ACPY(&key.lan.addr, pd->src, key.af);
4146 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4147 key.lan.port = uh->uh_sport;
4148 key.ext.port = uh->uh_dport;
4149 }
4150
4151 STATE_LOOKUP();
4152
4153 if (direction == (*state)->direction) {
4154 src = &(*state)->src;
4155 dst = &(*state)->dst;
4156 } else {
4157 src = &(*state)->dst;
4158 dst = &(*state)->src;
4159 }
4160
4161 /* update states */
4162 if (src->state < PFUDPS_SINGLE)
4163 src->state = PFUDPS_SINGLE;
4164 if (dst->state == PFUDPS_SINGLE)
4165 dst->state = PFUDPS_MULTIPLE;
4166
4167 /* update expire time */
4168 (*state)->expire = time.tv_sec;
4169 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
4170 (*state)->timeout = PFTM_UDP_MULTIPLE;
4171 else
4172 (*state)->timeout = PFTM_UDP_SINGLE;
4173
4174 /* translate source/destination address, if necessary */
4175 if (STATE_TRANSLATE(*state)) {
4176 if (direction == PF_OUT)
4177 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
4178 &uh->uh_sum, &(*state)->gwy.addr,
4179 (*state)->gwy.port, 1, pd->af);
4180 else
4181 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
4182 &uh->uh_sum, &(*state)->lan.addr,
4183 (*state)->lan.port, 1, pd->af);
4184 m_copyback(m, off, sizeof(*uh), uh);
4185 }
4186
4187 return (PF_PASS);
4188 }
4189
4190 int
4191 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
4192 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4193 {
4194 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4195 u_int16_t icmpid = 0, *icmpsum;
4196 u_int8_t icmptype;
4197 int state_icmp = 0;
4198
4199 switch (pd->proto) {
4200 #ifdef INET
4201 case IPPROTO_ICMP:
4202 icmptype = pd->hdr.icmp->icmp_type;
4203 icmpid = pd->hdr.icmp->icmp_id;
4204 icmpsum = &pd->hdr.icmp->icmp_cksum;
4205
4206 if (icmptype == ICMP_UNREACH ||
4207 icmptype == ICMP_SOURCEQUENCH ||
4208 icmptype == ICMP_REDIRECT ||
4209 icmptype == ICMP_TIMXCEED ||
4210 icmptype == ICMP_PARAMPROB)
4211 state_icmp++;
4212 break;
4213 #endif /* INET */
4214 #ifdef INET6
4215 case IPPROTO_ICMPV6:
4216 icmptype = pd->hdr.icmp6->icmp6_type;
4217 icmpid = pd->hdr.icmp6->icmp6_id;
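/*
 * Descriptive note: the query id doubles as the port in the ICMP state
 * key built below, and the checksum pointer taken next lets
 * pf_change_icmp() and the sequence demodulation code patch the ICMPv6
 * checksum in place if the packet has to be rewritten.
 */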
4218 icmpsum = &pd->hdr.icmp6->icmp6_cksum; 4219 4220 if (icmptype == ICMP6_DST_UNREACH || 4221 icmptype == ICMP6_PACKET_TOO_BIG || 4222 icmptype == ICMP6_TIME_EXCEEDED || 4223 icmptype == ICMP6_PARAM_PROB) 4224 state_icmp++; 4225 break; 4226 #endif /* INET6 */ 4227 } 4228 4229 if (!state_icmp) { 4230 4231 /* 4232 * ICMP query/reply message not related to a TCP/UDP packet. 4233 * Search for an ICMP state. 4234 */ 4235 struct pf_state key; 4236 4237 key.af = pd->af; 4238 key.proto = pd->proto; 4239 if (direction == PF_IN) { 4240 PF_ACPY(&key.ext.addr, pd->src, key.af); 4241 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4242 key.ext.port = icmpid; 4243 key.gwy.port = icmpid; 4244 } else { 4245 PF_ACPY(&key.lan.addr, pd->src, key.af); 4246 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4247 key.lan.port = icmpid; 4248 key.ext.port = icmpid; 4249 } 4250 4251 STATE_LOOKUP(); 4252 4253 (*state)->expire = time.tv_sec; 4254 (*state)->timeout = PFTM_ICMP_ERROR_REPLY; 4255 4256 /* translate source/destination address, if necessary */ 4257 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) { 4258 if (direction == PF_OUT) { 4259 switch (pd->af) { 4260 #ifdef INET 4261 case AF_INET: 4262 pf_change_a(&saddr->v4.s_addr, 4263 pd->ip_sum, 4264 (*state)->gwy.addr.v4.s_addr, 0); 4265 break; 4266 #endif /* INET */ 4267 #ifdef INET6 4268 case AF_INET6: 4269 pf_change_a6(saddr, 4270 &pd->hdr.icmp6->icmp6_cksum, 4271 &(*state)->gwy.addr, 0); 4272 m_copyback(m, off, 4273 sizeof(struct icmp6_hdr), 4274 pd->hdr.icmp6); 4275 break; 4276 #endif /* INET6 */ 4277 } 4278 } else { 4279 switch (pd->af) { 4280 #ifdef INET 4281 case AF_INET: 4282 pf_change_a(&daddr->v4.s_addr, 4283 pd->ip_sum, 4284 (*state)->lan.addr.v4.s_addr, 0); 4285 break; 4286 #endif /* INET */ 4287 #ifdef INET6 4288 case AF_INET6: 4289 pf_change_a6(daddr, 4290 &pd->hdr.icmp6->icmp6_cksum, 4291 &(*state)->lan.addr, 0); 4292 m_copyback(m, off, 4293 sizeof(struct icmp6_hdr), 4294 pd->hdr.icmp6); 4295 break; 4296 #endif /* INET6 */ 4297 } 4298 } 4299 } 4300 4301 return (PF_PASS); 4302 4303 } else { 4304 /* 4305 * ICMP error message in response to a TCP/UDP packet. 4306 * Extract the inner TCP/UDP header and search for that state. 
4307 */ 4308 4309 struct pf_pdesc pd2; 4310 #ifdef INET 4311 struct ip h2; 4312 #endif /* INET */ 4313 #ifdef INET6 4314 struct ip6_hdr h2_6; 4315 int terminal = 0; 4316 #endif /* INET6 */ 4317 int ipoff2 = 0; 4318 int off2 = 0; 4319 4320 pd2.af = pd->af; 4321 switch (pd->af) { 4322 #ifdef INET 4323 case AF_INET: 4324 /* offset of h2 in mbuf chain */ 4325 ipoff2 = off + ICMP_MINLEN; 4326 4327 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), 4328 NULL, NULL, pd2.af)) { 4329 DPFPRINTF(PF_DEBUG_MISC, 4330 ("pf: ICMP error message too short " 4331 "(ip)\n")); 4332 return (PF_DROP); 4333 } 4334 /* 4335 * ICMP error messages don't refer to non-first 4336 * fragments 4337 */ 4338 if (h2.ip_off & htons(IP_OFFMASK)) 4339 return (PF_DROP); 4340 4341 /* offset of protocol header that follows h2 */ 4342 off2 = ipoff2 + (h2.ip_hl << 2); 4343 4344 pd2.proto = h2.ip_p; 4345 pd2.src = (struct pf_addr *)&h2.ip_src; 4346 pd2.dst = (struct pf_addr *)&h2.ip_dst; 4347 pd2.ip_sum = &h2.ip_sum; 4348 break; 4349 #endif /* INET */ 4350 #ifdef INET6 4351 case AF_INET6: 4352 ipoff2 = off + sizeof(struct icmp6_hdr); 4353 4354 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), 4355 NULL, NULL, pd2.af)) { 4356 DPFPRINTF(PF_DEBUG_MISC, 4357 ("pf: ICMP error message too short " 4358 "(ip6)\n")); 4359 return (PF_DROP); 4360 } 4361 pd2.proto = h2_6.ip6_nxt; 4362 pd2.src = (struct pf_addr *)&h2_6.ip6_src; 4363 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; 4364 pd2.ip_sum = NULL; 4365 off2 = ipoff2 + sizeof(h2_6); 4366 do { 4367 switch (pd2.proto) { 4368 case IPPROTO_FRAGMENT: 4369 /* 4370 * ICMPv6 error messages for 4371 * non-first fragments 4372 */ 4373 return (PF_DROP); 4374 case IPPROTO_AH: 4375 case IPPROTO_HOPOPTS: 4376 case IPPROTO_ROUTING: 4377 case IPPROTO_DSTOPTS: { 4378 /* get next header and header length */ 4379 struct ip6_ext opt6; 4380 4381 if (!pf_pull_hdr(m, off2, &opt6, 4382 sizeof(opt6), NULL, NULL, pd2.af)) { 4383 DPFPRINTF(PF_DEBUG_MISC, 4384 ("pf: ICMPv6 short opt\n")); 4385 return (PF_DROP); 4386 } 4387 if (pd2.proto == IPPROTO_AH) 4388 off2 += (opt6.ip6e_len + 2) * 4; 4389 else 4390 off2 += (opt6.ip6e_len + 1) * 8; 4391 pd2.proto = opt6.ip6e_nxt; 4392 /* goto the next header */ 4393 break; 4394 } 4395 default: 4396 terminal++; 4397 break; 4398 } 4399 } while (!terminal); 4400 break; 4401 #endif /* INET6 */ 4402 } 4403 4404 switch (pd2.proto) { 4405 case IPPROTO_TCP: { 4406 struct tcphdr th; 4407 u_int32_t seq; 4408 struct pf_state key; 4409 struct pf_state_peer *src, *dst; 4410 u_int8_t dws; 4411 int copyback = 0; 4412 4413 /* 4414 * Only the first 8 bytes of the TCP header can be 4415 * expected. Don't access any TCP header fields after 4416 * th_seq, an ackskew test is not possible. 
4417 */ 4418 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) { 4419 DPFPRINTF(PF_DEBUG_MISC, 4420 ("pf: ICMP error message too short " 4421 "(tcp)\n")); 4422 return (PF_DROP); 4423 } 4424 4425 key.af = pd2.af; 4426 key.proto = IPPROTO_TCP; 4427 if (direction == PF_IN) { 4428 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4429 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4430 key.ext.port = th.th_dport; 4431 key.gwy.port = th.th_sport; 4432 } else { 4433 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4434 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4435 key.lan.port = th.th_dport; 4436 key.ext.port = th.th_sport; 4437 } 4438 4439 STATE_LOOKUP(); 4440 4441 if (direction == (*state)->direction) { 4442 src = &(*state)->dst; 4443 dst = &(*state)->src; 4444 } else { 4445 src = &(*state)->src; 4446 dst = &(*state)->dst; 4447 } 4448 4449 if (src->wscale && dst->wscale && 4450 !(th.th_flags & TH_SYN)) 4451 dws = dst->wscale & PF_WSCALE_MASK; 4452 else 4453 dws = 0; 4454 4455 /* Demodulate sequence number */ 4456 seq = ntohl(th.th_seq) - src->seqdiff; 4457 if (src->seqdiff) { 4458 pf_change_a(&th.th_seq, icmpsum, 4459 htonl(seq), 0); 4460 copyback = 1; 4461 } 4462 4463 if (!SEQ_GEQ(src->seqhi, seq) || 4464 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) { 4465 if (pf_status.debug >= PF_DEBUG_MISC) { 4466 printf("pf: BAD ICMP %d:%d ", 4467 icmptype, pd->hdr.icmp->icmp_code); 4468 pf_print_host(pd->src, 0, pd->af); 4469 printf(" -> "); 4470 pf_print_host(pd->dst, 0, pd->af); 4471 printf(" state: "); 4472 pf_print_state(*state); 4473 printf(" seq=%u\n", seq); 4474 } 4475 return (PF_DROP); 4476 } 4477 4478 if (STATE_TRANSLATE(*state)) { 4479 if (direction == PF_IN) { 4480 pf_change_icmp(pd2.src, &th.th_sport, 4481 daddr, &(*state)->lan.addr, 4482 (*state)->lan.port, NULL, 4483 pd2.ip_sum, icmpsum, 4484 pd->ip_sum, 0, pd2.af); 4485 } else { 4486 pf_change_icmp(pd2.dst, &th.th_dport, 4487 saddr, &(*state)->gwy.addr, 4488 (*state)->gwy.port, NULL, 4489 pd2.ip_sum, icmpsum, 4490 pd->ip_sum, 0, pd2.af); 4491 } 4492 copyback = 1; 4493 } 4494 4495 if (copyback) { 4496 switch (pd2.af) { 4497 #ifdef INET 4498 case AF_INET: 4499 m_copyback(m, off, ICMP_MINLEN, 4500 pd->hdr.icmp); 4501 m_copyback(m, ipoff2, sizeof(h2), 4502 &h2); 4503 break; 4504 #endif /* INET */ 4505 #ifdef INET6 4506 case AF_INET6: 4507 m_copyback(m, off, 4508 sizeof(struct icmp6_hdr), 4509 pd->hdr.icmp6); 4510 m_copyback(m, ipoff2, sizeof(h2_6), 4511 &h2_6); 4512 break; 4513 #endif /* INET6 */ 4514 } 4515 m_copyback(m, off2, 8, &th); 4516 } 4517 4518 return (PF_PASS); 4519 break; 4520 } 4521 case IPPROTO_UDP: { 4522 struct udphdr uh; 4523 struct pf_state key; 4524 4525 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), 4526 NULL, NULL, pd2.af)) { 4527 DPFPRINTF(PF_DEBUG_MISC, 4528 ("pf: ICMP error message too short " 4529 "(udp)\n")); 4530 return (PF_DROP); 4531 } 4532 4533 key.af = pd2.af; 4534 key.proto = IPPROTO_UDP; 4535 if (direction == PF_IN) { 4536 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4537 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4538 key.ext.port = uh.uh_dport; 4539 key.gwy.port = uh.uh_sport; 4540 } else { 4541 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4542 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4543 key.lan.port = uh.uh_dport; 4544 key.ext.port = uh.uh_sport; 4545 } 4546 4547 STATE_LOOKUP(); 4548 4549 if (STATE_TRANSLATE(*state)) { 4550 if (direction == PF_IN) { 4551 pf_change_icmp(pd2.src, &uh.uh_sport, 4552 daddr, &(*state)->lan.addr, 4553 (*state)->lan.port, &uh.uh_sum, 4554 pd2.ip_sum, icmpsum, 4555 pd->ip_sum, 1, pd2.af); 4556 } else { 4557 
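/*
 * Descriptive note: outbound ICMP error -- the embedded UDP header still
 * carries the state's lan address/port as its destination, so it (and the
 * outer IP source) is rewritten to the gwy pair; pf_change_icmp() adjusts
 * the UDP, inner IP, ICMP and outer IP checksums accordingly.
 */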
pf_change_icmp(pd2.dst, &uh.uh_dport, 4558 saddr, &(*state)->gwy.addr, 4559 (*state)->gwy.port, &uh.uh_sum, 4560 pd2.ip_sum, icmpsum, 4561 pd->ip_sum, 1, pd2.af); 4562 } 4563 switch (pd2.af) { 4564 #ifdef INET 4565 case AF_INET: 4566 m_copyback(m, off, ICMP_MINLEN, 4567 pd->hdr.icmp); 4568 m_copyback(m, ipoff2, sizeof(h2), &h2); 4569 break; 4570 #endif /* INET */ 4571 #ifdef INET6 4572 case AF_INET6: 4573 m_copyback(m, off, 4574 sizeof(struct icmp6_hdr), 4575 pd->hdr.icmp6); 4576 m_copyback(m, ipoff2, sizeof(h2_6), 4577 &h2_6); 4578 break; 4579 #endif /* INET6 */ 4580 } 4581 m_copyback(m, off2, sizeof(uh), &uh); 4582 } 4583 4584 return (PF_PASS); 4585 break; 4586 } 4587 #ifdef INET 4588 case IPPROTO_ICMP: { 4589 struct icmp iih; 4590 struct pf_state key; 4591 4592 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, 4593 NULL, NULL, pd2.af)) { 4594 DPFPRINTF(PF_DEBUG_MISC, 4595 ("pf: ICMP error message too short i" 4596 "(icmp)\n")); 4597 return (PF_DROP); 4598 } 4599 4600 key.af = pd2.af; 4601 key.proto = IPPROTO_ICMP; 4602 if (direction == PF_IN) { 4603 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4604 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4605 key.ext.port = iih.icmp_id; 4606 key.gwy.port = iih.icmp_id; 4607 } else { 4608 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4609 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4610 key.lan.port = iih.icmp_id; 4611 key.ext.port = iih.icmp_id; 4612 } 4613 4614 STATE_LOOKUP(); 4615 4616 if (STATE_TRANSLATE(*state)) { 4617 if (direction == PF_IN) { 4618 pf_change_icmp(pd2.src, &iih.icmp_id, 4619 daddr, &(*state)->lan.addr, 4620 (*state)->lan.port, NULL, 4621 pd2.ip_sum, icmpsum, 4622 pd->ip_sum, 0, AF_INET); 4623 } else { 4624 pf_change_icmp(pd2.dst, &iih.icmp_id, 4625 saddr, &(*state)->gwy.addr, 4626 (*state)->gwy.port, NULL, 4627 pd2.ip_sum, icmpsum, 4628 pd->ip_sum, 0, AF_INET); 4629 } 4630 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp); 4631 m_copyback(m, ipoff2, sizeof(h2), &h2); 4632 m_copyback(m, off2, ICMP_MINLEN, &iih); 4633 } 4634 4635 return (PF_PASS); 4636 break; 4637 } 4638 #endif /* INET */ 4639 #ifdef INET6 4640 case IPPROTO_ICMPV6: { 4641 struct icmp6_hdr iih; 4642 struct pf_state key; 4643 4644 if (!pf_pull_hdr(m, off2, &iih, 4645 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) { 4646 DPFPRINTF(PF_DEBUG_MISC, 4647 ("pf: ICMP error message too short " 4648 "(icmp6)\n")); 4649 return (PF_DROP); 4650 } 4651 4652 key.af = pd2.af; 4653 key.proto = IPPROTO_ICMPV6; 4654 if (direction == PF_IN) { 4655 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4656 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4657 key.ext.port = iih.icmp6_id; 4658 key.gwy.port = iih.icmp6_id; 4659 } else { 4660 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4661 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4662 key.lan.port = iih.icmp6_id; 4663 key.ext.port = iih.icmp6_id; 4664 } 4665 4666 STATE_LOOKUP(); 4667 4668 if (STATE_TRANSLATE(*state)) { 4669 if (direction == PF_IN) { 4670 pf_change_icmp(pd2.src, &iih.icmp6_id, 4671 daddr, &(*state)->lan.addr, 4672 (*state)->lan.port, NULL, 4673 pd2.ip_sum, icmpsum, 4674 pd->ip_sum, 0, AF_INET6); 4675 } else { 4676 pf_change_icmp(pd2.dst, &iih.icmp6_id, 4677 saddr, &(*state)->gwy.addr, 4678 (*state)->gwy.port, NULL, 4679 pd2.ip_sum, icmpsum, 4680 pd->ip_sum, 0, AF_INET6); 4681 } 4682 m_copyback(m, off, sizeof(struct icmp6_hdr), 4683 pd->hdr.icmp6); 4684 m_copyback(m, ipoff2, sizeof(h2_6), &h2_6); 4685 m_copyback(m, off2, sizeof(struct icmp6_hdr), 4686 &iih); 4687 } 4688 4689 return (PF_PASS); 4690 break; 4691 } 4692 #endif /* INET6 */ 4693 default: { 4694 struct 
pf_state key; 4695 4696 key.af = pd2.af; 4697 key.proto = pd2.proto; 4698 if (direction == PF_IN) { 4699 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4700 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4701 key.ext.port = 0; 4702 key.gwy.port = 0; 4703 } else { 4704 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4705 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4706 key.lan.port = 0; 4707 key.ext.port = 0; 4708 } 4709 4710 STATE_LOOKUP(); 4711 4712 if (STATE_TRANSLATE(*state)) { 4713 if (direction == PF_IN) { 4714 pf_change_icmp(pd2.src, NULL, 4715 daddr, &(*state)->lan.addr, 4716 0, NULL, 4717 pd2.ip_sum, icmpsum, 4718 pd->ip_sum, 0, pd2.af); 4719 } else { 4720 pf_change_icmp(pd2.dst, NULL, 4721 saddr, &(*state)->gwy.addr, 4722 0, NULL, 4723 pd2.ip_sum, icmpsum, 4724 pd->ip_sum, 0, pd2.af); 4725 } 4726 switch (pd2.af) { 4727 #ifdef INET 4728 case AF_INET: 4729 m_copyback(m, off, ICMP_MINLEN, 4730 pd->hdr.icmp); 4731 m_copyback(m, ipoff2, sizeof(h2), &h2); 4732 break; 4733 #endif /* INET */ 4734 #ifdef INET6 4735 case AF_INET6: 4736 m_copyback(m, off, 4737 sizeof(struct icmp6_hdr), 4738 pd->hdr.icmp6); 4739 m_copyback(m, ipoff2, sizeof(h2_6), 4740 &h2_6); 4741 break; 4742 #endif /* INET6 */ 4743 } 4744 } 4745 4746 return (PF_PASS); 4747 break; 4748 } 4749 } 4750 } 4751 } 4752 4753 int 4754 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, 4755 struct pf_pdesc *pd) 4756 { 4757 struct pf_state_peer *src, *dst; 4758 struct pf_state key; 4759 4760 key.af = pd->af; 4761 key.proto = pd->proto; 4762 if (direction == PF_IN) { 4763 PF_ACPY(&key.ext.addr, pd->src, key.af); 4764 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4765 key.ext.port = 0; 4766 key.gwy.port = 0; 4767 } else { 4768 PF_ACPY(&key.lan.addr, pd->src, key.af); 4769 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4770 key.lan.port = 0; 4771 key.ext.port = 0; 4772 } 4773 4774 STATE_LOOKUP(); 4775 4776 if (direction == (*state)->direction) { 4777 src = &(*state)->src; 4778 dst = &(*state)->dst; 4779 } else { 4780 src = &(*state)->dst; 4781 dst = &(*state)->src; 4782 } 4783 4784 /* update states */ 4785 if (src->state < PFOTHERS_SINGLE) 4786 src->state = PFOTHERS_SINGLE; 4787 if (dst->state == PFOTHERS_SINGLE) 4788 dst->state = PFOTHERS_MULTIPLE; 4789 4790 /* update expire time */ 4791 (*state)->expire = time.tv_sec; 4792 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 4793 (*state)->timeout = PFTM_OTHER_MULTIPLE; 4794 else 4795 (*state)->timeout = PFTM_OTHER_SINGLE; 4796 4797 /* translate source/destination address, if necessary */ 4798 if (STATE_TRANSLATE(*state)) { 4799 if (direction == PF_OUT) 4800 switch (pd->af) { 4801 #ifdef INET 4802 case AF_INET: 4803 pf_change_a(&pd->src->v4.s_addr, 4804 pd->ip_sum, (*state)->gwy.addr.v4.s_addr, 4805 0); 4806 break; 4807 #endif /* INET */ 4808 #ifdef INET6 4809 case AF_INET6: 4810 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af); 4811 break; 4812 #endif /* INET6 */ 4813 } 4814 else 4815 switch (pd->af) { 4816 #ifdef INET 4817 case AF_INET: 4818 pf_change_a(&pd->dst->v4.s_addr, 4819 pd->ip_sum, (*state)->lan.addr.v4.s_addr, 4820 0); 4821 break; 4822 #endif /* INET */ 4823 #ifdef INET6 4824 case AF_INET6: 4825 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af); 4826 break; 4827 #endif /* INET6 */ 4828 } 4829 } 4830 4831 return (PF_PASS); 4832 } 4833 4834 /* 4835 * ipoff and off are measured from the start of the mbuf chain. 4836 * h must be at "ipoff" on the mbuf chain. 
4837 */ 4838 void * 4839 pf_pull_hdr(struct mbuf *m, int off, void *p, int len, 4840 u_short *actionp, u_short *reasonp, sa_family_t af) 4841 { 4842 switch (af) { 4843 #ifdef INET 4844 case AF_INET: { 4845 struct ip *h = mtod(m, struct ip *); 4846 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; 4847 4848 if (fragoff) { 4849 if (fragoff >= len) 4850 ACTION_SET(actionp, PF_PASS); 4851 else { 4852 ACTION_SET(actionp, PF_DROP); 4853 REASON_SET(reasonp, PFRES_FRAG); 4854 } 4855 return (NULL); 4856 } 4857 if (m->m_pkthdr.len < off + len || 4858 ntohs(h->ip_len) < off + len) { 4859 ACTION_SET(actionp, PF_DROP); 4860 REASON_SET(reasonp, PFRES_SHORT); 4861 return (NULL); 4862 } 4863 break; 4864 } 4865 #endif /* INET */ 4866 #ifdef INET6 4867 case AF_INET6: { 4868 struct ip6_hdr *h = mtod(m, struct ip6_hdr *); 4869 4870 if (m->m_pkthdr.len < off + len || 4871 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < 4872 (unsigned)(off + len)) { 4873 ACTION_SET(actionp, PF_DROP); 4874 REASON_SET(reasonp, PFRES_SHORT); 4875 return (NULL); 4876 } 4877 break; 4878 } 4879 #endif /* INET6 */ 4880 } 4881 m_copydata(m, off, len, p); 4882 return (p); 4883 } 4884 4885 int 4886 pf_routable(struct pf_addr *addr, sa_family_t af) 4887 { 4888 struct sockaddr_in *dst; 4889 struct route ro; 4890 int ret = 0; 4891 4892 bzero(&ro, sizeof(ro)); 4893 dst = satosin(&ro.ro_dst); 4894 dst->sin_family = af; 4895 dst->sin_len = sizeof(*dst); 4896 dst->sin_addr = addr->v4; 4897 #ifdef __OpenBSD__ 4898 rtalloc_noclone(&ro, NO_CLONING); 4899 #else 4900 rtalloc(&ro); 4901 #endif 4902 4903 if (ro.ro_rt != NULL) { 4904 ret = 1; 4905 RTFREE(ro.ro_rt); 4906 } 4907 4908 return (ret); 4909 } 4910 4911 #ifdef INET 4912 void 4913 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 4914 struct pf_state *s) 4915 { 4916 struct mbuf *m0, *m1; 4917 struct route iproute; 4918 struct route *ro = NULL; 4919 struct sockaddr_in *dst; 4920 struct ip *ip; 4921 struct ifnet *ifp = NULL; 4922 struct m_tag *mtag; 4923 struct pf_addr naddr; 4924 struct pf_src_node *sn = NULL; 4925 int error = 0; 4926 #ifdef __NetBSD__ 4927 struct tcphdr th; 4928 #endif 4929 4930 if (m == NULL || *m == NULL || r == NULL || 4931 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 4932 panic("pf_route: invalid parameters"); 4933 4934 if (r->rt == PF_DUPTO) { 4935 m0 = *m; 4936 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 4937 if (mtag == NULL) { 4938 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 4939 if (mtag == NULL) 4940 goto bad; 4941 m_tag_prepend(m0, mtag); 4942 } 4943 #ifdef __OpenBSD__ 4944 m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT); 4945 #else 4946 m0 = m_dup(*m, 0, M_COPYALL, M_NOWAIT); 4947 #endif 4948 if (m0 == NULL) 4949 return; 4950 } else { 4951 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 4952 return; 4953 m0 = *m; 4954 } 4955 4956 if (m0->m_len < sizeof(struct ip)) 4957 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4958 ip = mtod(m0, struct ip *); 4959 4960 ro = &iproute; 4961 bzero((caddr_t)ro, sizeof(*ro)); 4962 dst = satosin(&ro->ro_dst); 4963 dst->sin_family = AF_INET; 4964 dst->sin_len = sizeof(*dst); 4965 dst->sin_addr = ip->ip_dst; 4966 4967 if (r->rt == PF_FASTROUTE) { 4968 rtalloc(ro); 4969 if (ro->ro_rt == 0) { 4970 ipstat.ips_noroute++; 4971 goto bad; 4972 } 4973 4974 ifp = ro->ro_rt->rt_ifp; 4975 ro->ro_rt->rt_use++; 4976 4977 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 4978 dst = satosin(ro->ro_rt->rt_gateway); 4979 } else { 4980 if (TAILQ_EMPTY(&r->rpool.list)) 4981 panic("pf_route: 
TAILQ_EMPTY(&r->rpool.list)"); 4982 if (s == NULL) { 4983 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, 4984 &naddr, NULL, &sn); 4985 if (!PF_AZERO(&naddr, AF_INET)) 4986 dst->sin_addr.s_addr = naddr.v4.s_addr; 4987 ifp = r->rpool.cur->kif ? 4988 r->rpool.cur->kif->pfik_ifp : NULL; 4989 } else { 4990 if (!PF_AZERO(&s->rt_addr, AF_INET)) 4991 dst->sin_addr.s_addr = 4992 s->rt_addr.v4.s_addr; 4993 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 4994 } 4995 } 4996 4997 if (ifp == NULL) 4998 goto bad; 4999 5000 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 5001 if (mtag == NULL) { 5002 struct m_tag *mtag; 5003 5004 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 5005 if (mtag == NULL) 5006 goto bad; 5007 m_tag_prepend(m0, mtag); 5008 } 5009 5010 if (oifp != ifp && mtag == NULL) { 5011 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) 5012 goto bad; 5013 else if (m0 == NULL) 5014 goto done; 5015 if (m0->m_len < sizeof(struct ip)) 5016 panic("pf_route: m0->m_len < sizeof(struct ip)"); 5017 ip = mtod(m0, struct ip *); 5018 } 5019 5020 /* Copied from ip_output. */ 5021 #ifdef IPSEC 5022 /* 5023 * If deferred crypto processing is needed, check that the 5024 * interface supports it. 5025 */ 5026 if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) 5027 != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) { 5028 /* Notify IPsec to do its own crypto. */ 5029 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); 5030 goto bad; 5031 } 5032 #endif /* IPSEC */ 5033 5034 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */ 5035 #ifdef __OpenBSD__ 5036 if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT) { 5037 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || 5038 ifp->if_bridge != NULL) { 5039 in_delayed_cksum(m0); 5040 m0->m_pkthdr.csum &= ~M_TCPV4_CSUM_OUT; /* Clear */ 5041 } 5042 } else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) { 5043 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || 5044 ifp->if_bridge != NULL) { 5045 in_delayed_cksum(m0); 5046 m0->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */ 5047 } 5048 } 5049 #else 5050 m_copydata(m0, sizeof(*ip), sizeof(th), &th); 5051 th.th_sum = 0; 5052 m_copyback(m0, sizeof(*ip), sizeof(th), &th); 5053 in4_cksum(m0, IPPROTO_TCP, sizeof(*ip), m0->m_pkthdr.len - sizeof(*ip)); 5054 #endif 5055 5056 if (ntohs(ip->ip_len) <= ifp->if_mtu) { 5057 #ifdef __OpenBSD__ 5058 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && 5059 ifp->if_bridge == NULL) { 5060 m0->m_pkthdr.csum |= M_IPV4_CSUM_OUT; 5061 ipstat.ips_outhwcsum++; 5062 } else { 5063 ip->ip_sum = 0; 5064 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 5065 } 5066 #else 5067 ip->ip_sum = 0; 5068 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 5069 #endif 5070 #ifdef __OpenBSD__ 5071 /* Update relevant hardware checksum stats for TCP/UDP */ 5072 if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT) 5073 tcpstat.tcps_outhwcsum++; 5074 else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) 5075 udpstat.udps_outhwcsum++; 5076 #endif 5077 error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL); 5078 goto done; 5079 } 5080 5081 /* 5082 * Too large for interface; fragment if possible. 5083 * Must be able to put at least 8 bytes per fragment. 
5084 */ 5085 if (ip->ip_off & htons(IP_DF)) { 5086 ipstat.ips_cantfrag++; 5087 if (r->rt != PF_DUPTO) { 5088 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 5089 ifp); 5090 goto done; 5091 } else 5092 goto bad; 5093 } 5094 5095 m1 = m0; 5096 error = ip_fragment(m0, ifp, ifp->if_mtu); 5097 if (error) { 5098 m0 = NULL; 5099 goto bad; 5100 } 5101 5102 for (m0 = m1; m0; m0 = m1) { 5103 m1 = m0->m_nextpkt; 5104 m0->m_nextpkt = 0; 5105 if (error == 0) 5106 error = (*ifp->if_output)(ifp, m0, sintosa(dst), 5107 NULL); 5108 else 5109 m_freem(m0); 5110 } 5111 5112 if (error == 0) 5113 ipstat.ips_fragmented++; 5114 5115 done: 5116 if (r->rt != PF_DUPTO) 5117 *m = NULL; 5118 if (ro == &iproute && ro->ro_rt) 5119 RTFREE(ro->ro_rt); 5120 return; 5121 5122 bad: 5123 m_freem(m0); 5124 goto done; 5125 } 5126 #endif /* INET */ 5127 5128 #ifdef INET6 5129 void 5130 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 5131 struct pf_state *s) 5132 { 5133 struct mbuf *m0; 5134 struct m_tag *mtag; 5135 struct route_in6 ip6route; 5136 struct route_in6 *ro; 5137 struct sockaddr_in6 *dst; 5138 struct ip6_hdr *ip6; 5139 struct ifnet *ifp = NULL; 5140 struct pf_addr naddr; 5141 struct pf_src_node *sn = NULL; 5142 int error = 0; 5143 5144 if (m == NULL || *m == NULL || r == NULL || 5145 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 5146 panic("pf_route6: invalid parameters"); 5147 5148 if (r->rt == PF_DUPTO) { 5149 m0 = *m; 5150 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 5151 if (mtag == NULL) { 5152 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 5153 if (mtag == NULL) 5154 goto bad; 5155 m_tag_prepend(m0, mtag); 5156 } 5157 #ifdef __OpenBSD__ 5158 m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT); 5159 #else 5160 m0 = m_dup(*m, 0, M_COPYALL, M_NOWAIT); 5161 #endif 5162 if (m0 == NULL) 5163 return; 5164 } else { 5165 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5166 return; 5167 m0 = *m; 5168 } 5169 5170 if (m0->m_len < sizeof(struct ip6_hdr)) 5171 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5172 ip6 = mtod(m0, struct ip6_hdr *); 5173 5174 ro = &ip6route; 5175 bzero((caddr_t)ro, sizeof(*ro)); 5176 dst = (struct sockaddr_in6 *)&ro->ro_dst; 5177 dst->sin6_family = AF_INET6; 5178 dst->sin6_len = sizeof(*dst); 5179 dst->sin6_addr = ip6->ip6_dst; 5180 5181 /* Cheat. */ 5182 if (r->rt == PF_FASTROUTE) { 5183 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 5184 if (mtag == NULL) 5185 goto bad; 5186 m_tag_prepend(m0, mtag); 5187 #ifdef __OpenBSD__ 5188 ip6_output(m0, NULL, NULL, 0, NULL, NULL); 5189 #else 5190 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); 5191 #endif 5192 return; 5193 } 5194 5195 if (TAILQ_EMPTY(&r->rpool.list)) 5196 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)"); 5197 if (s == NULL) { 5198 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, 5199 &naddr, NULL, &sn); 5200 if (!PF_AZERO(&naddr, AF_INET6)) 5201 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5202 &naddr, AF_INET6); 5203 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; 5204 } else { 5205 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5206 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5207 &s->rt_addr, AF_INET6); 5208 ifp = s->rt_kif ? 
s->rt_kif->pfik_ifp : NULL; 5209 } 5210 5211 if (ifp == NULL) 5212 goto bad; 5213 5214 if (oifp != ifp) { 5215 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 5216 if (mtag == NULL) { 5217 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 5218 if (mtag == NULL) 5219 goto bad; 5220 m_tag_prepend(m0, mtag); 5221 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) 5222 goto bad; 5223 else if (m0 == NULL) 5224 goto done; 5225 } 5226 } 5227 5228 /* 5229 * If the packet is too large for the outgoing interface, 5230 * send back an icmp6 error. 5231 */ 5232 if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) 5233 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5234 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 5235 error = nd6_output(ifp, ifp, m0, dst, NULL); 5236 } else { 5237 in6_ifstat_inc(ifp, ifs6_in_toobig); 5238 if (r->rt != PF_DUPTO) 5239 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 5240 else 5241 goto bad; 5242 } 5243 5244 done: 5245 if (r->rt != PF_DUPTO) 5246 *m = NULL; 5247 return; 5248 5249 bad: 5250 m_freem(m0); 5251 goto done; 5252 } 5253 #endif /* INET6 */ 5254 5255 5256 /* 5257 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag 5258 * off is the offset where the protocol header starts 5259 * len is the total length of protocol header plus payload 5260 * returns 0 when the checksum is valid, otherwise returns 1. 5261 */ 5262 int 5263 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, 5264 sa_family_t af) 5265 { 5266 #ifdef __OpenBSD__ 5267 u_int16_t flag_ok, flag_bad; 5268 #endif 5269 u_int16_t sum; 5270 5271 #ifdef __OpenBSD__ 5272 switch (p) { 5273 case IPPROTO_TCP: 5274 flag_ok = M_TCP_CSUM_IN_OK; 5275 flag_bad = M_TCP_CSUM_IN_BAD; 5276 break; 5277 case IPPROTO_UDP: 5278 flag_ok = M_UDP_CSUM_IN_OK; 5279 flag_bad = M_UDP_CSUM_IN_BAD; 5280 break; 5281 case IPPROTO_ICMP: 5282 #ifdef INET6 5283 case IPPROTO_ICMPV6: 5284 #endif /* INET6 */ 5285 flag_ok = flag_bad = 0; 5286 break; 5287 default: 5288 return (1); 5289 } 5290 if (m->m_pkthdr.csum & flag_ok) 5291 return (0); 5292 if (m->m_pkthdr.csum & flag_bad) 5293 return (1); 5294 #endif 5295 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 5296 return (1); 5297 if (m->m_pkthdr.len < off + len) 5298 return (1); 5299 switch (af) { 5300 case AF_INET: 5301 if (p == IPPROTO_ICMP) { 5302 if (m->m_len < off) 5303 return (1); 5304 m->m_data += off; 5305 m->m_len -= off; 5306 sum = in_cksum(m, len); 5307 m->m_data -= off; 5308 m->m_len += off; 5309 } else { 5310 if (m->m_len < sizeof(struct ip)) 5311 return (1); 5312 sum = in4_cksum(m, p, off, len); 5313 } 5314 break; 5315 #ifdef INET6 5316 case AF_INET6: 5317 if (m->m_len < sizeof(struct ip6_hdr)) 5318 return (1); 5319 sum = in6_cksum(m, p, off, len); 5320 break; 5321 #endif /* INET6 */ 5322 default: 5323 return (1); 5324 } 5325 if (sum) { 5326 #ifdef __OpenBSD__ 5327 m->m_pkthdr.csum |= flag_bad; 5328 #endif 5329 switch (p) { 5330 case IPPROTO_TCP: 5331 tcpstat.tcps_rcvbadsum++; 5332 break; 5333 case IPPROTO_UDP: 5334 udpstat.udps_badsum++; 5335 break; 5336 case IPPROTO_ICMP: 5337 icmpstat.icps_checksum++; 5338 break; 5339 #ifdef INET6 5340 case IPPROTO_ICMPV6: 5341 icmp6stat.icp6s_checksum++; 5342 break; 5343 #endif /* INET6 */ 5344 } 5345 return (1); 5346 } 5347 #ifdef __OpenBSD__ 5348 m->m_pkthdr.csum |= flag_ok; 5349 #endif 5350 return (0); 5351 } 5352 5353 static int 5354 pf_add_mbuf_tag(struct mbuf *m, u_int tag) 5355 { 5356 struct m_tag *mtag; 5357 5358 if (m_tag_find(m, tag, NULL) != NULL) 5359 return (0); 5360 mtag = m_tag_get(tag, 0, 
M_NOWAIT); 5361 if (mtag == NULL) 5362 return (1); 5363 m_tag_prepend(m, mtag); 5364 return (0); 5365 } 5366 5367 #ifdef INET 5368 int 5369 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0) 5370 { 5371 struct pfi_kif *kif; 5372 u_short action, reason = 0, log = 0; 5373 struct mbuf *m = *m0; 5374 struct ip *h = NULL; 5375 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5376 struct pf_state *s = NULL; 5377 struct pf_ruleset *ruleset = NULL; 5378 struct pf_pdesc pd; 5379 int off, dirndx, pqid = 0; 5380 5381 if (!pf_status.running || 5382 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) 5383 return (PF_PASS); 5384 5385 kif = pfi_index2kif[ifp->if_index]; 5386 if (kif == NULL) 5387 return (PF_DROP); 5388 5389 #ifdef DIAGNOSTIC 5390 if ((m->m_flags & M_PKTHDR) == 0) 5391 panic("non-M_PKTHDR is passed to pf_test"); 5392 #endif 5393 5394 memset(&pd, 0, sizeof(pd)); 5395 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5396 action = PF_DROP; 5397 REASON_SET(&reason, PFRES_SHORT); 5398 log = 1; 5399 goto done; 5400 } 5401 5402 /* We do IP header normalization and packet reassembly here */ 5403 if (pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) { 5404 action = PF_DROP; 5405 goto done; 5406 } 5407 m = *m0; 5408 h = mtod(m, struct ip *); 5409 5410 off = h->ip_hl << 2; 5411 if (off < (int)sizeof(*h)) { 5412 action = PF_DROP; 5413 REASON_SET(&reason, PFRES_SHORT); 5414 log = 1; 5415 goto done; 5416 } 5417 5418 pd.src = (struct pf_addr *)&h->ip_src; 5419 pd.dst = (struct pf_addr *)&h->ip_dst; 5420 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET); 5421 pd.ip_sum = &h->ip_sum; 5422 pd.proto = h->ip_p; 5423 pd.af = AF_INET; 5424 pd.tos = h->ip_tos; 5425 pd.tot_len = ntohs(h->ip_len); 5426 5427 /* handle fragments that didn't get reassembled by normalization */ 5428 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) { 5429 action = pf_test_fragment(&r, dir, kif, m, h, 5430 &pd, &a, &ruleset); 5431 goto done; 5432 } 5433 5434 switch (h->ip_p) { 5435 5436 case IPPROTO_TCP: { 5437 struct tcphdr th; 5438 5439 pd.hdr.tcp = &th; 5440 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5441 &action, &reason, AF_INET)) { 5442 log = action != PF_PASS; 5443 goto done; 5444 } 5445 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5446 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) { 5447 action = PF_DROP; 5448 goto done; 5449 } 5450 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5451 if ((th.th_flags & TH_ACK) && pd.p_len == 0) 5452 pqid = 1; 5453 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5454 if (action == PF_DROP) 5455 goto done; 5456 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5457 &reason); 5458 if (action == PF_PASS) { 5459 #if NPFSYNC 5460 pfsync_update_state(s); 5461 #endif 5462 r = s->rule.ptr; 5463 a = s->anchor.ptr; 5464 log = s->log; 5465 } else if (s == NULL) 5466 action = pf_test_tcp(&r, &s, dir, kif, 5467 m, off, h, &pd, &a, &ruleset); 5468 break; 5469 } 5470 5471 case IPPROTO_UDP: { 5472 struct udphdr uh; 5473 5474 pd.hdr.udp = &uh; 5475 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5476 &action, &reason, AF_INET)) { 5477 log = action != PF_PASS; 5478 goto done; 5479 } 5480 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5481 off, ntohs(h->ip_len) - off, IPPROTO_UDP, AF_INET)) { 5482 action = PF_DROP; 5483 goto done; 5484 } 5485 if (uh.uh_dport == 0 || 5486 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5487 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5488 action = PF_DROP; 5489 goto done; 5490 } 5491 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5492 
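/*
 * Descriptive note: a matching state decides the verdict and supplies the
 * rule, anchor and log flag; only when no state was found does the packet
 * fall through to ruleset evaluation via pf_test_udp().
 */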
if (action == PF_PASS) { 5493 #if NPFSYNC 5494 pfsync_update_state(s); 5495 #endif 5496 r = s->rule.ptr; 5497 a = s->anchor.ptr; 5498 log = s->log; 5499 } else if (s == NULL) 5500 action = pf_test_udp(&r, &s, dir, kif, 5501 m, off, h, &pd, &a, &ruleset); 5502 break; 5503 } 5504 5505 case IPPROTO_ICMP: { 5506 struct icmp ih; 5507 5508 pd.hdr.icmp = &ih; 5509 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 5510 &action, &reason, AF_INET)) { 5511 log = action != PF_PASS; 5512 goto done; 5513 } 5514 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5515 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) { 5516 action = PF_DROP; 5517 goto done; 5518 } 5519 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd); 5520 if (action == PF_PASS) { 5521 #if NPFSYNC 5522 pfsync_update_state(s); 5523 #endif 5524 r = s->rule.ptr; 5525 a = s->anchor.ptr; 5526 log = s->log; 5527 } else if (s == NULL) 5528 action = pf_test_icmp(&r, &s, dir, kif, 5529 m, off, h, &pd, &a, &ruleset); 5530 break; 5531 } 5532 5533 default: 5534 action = pf_test_state_other(&s, dir, kif, &pd); 5535 if (action == PF_PASS) { 5536 #if NPFSYNC 5537 pfsync_update_state(s); 5538 #endif 5539 r = s->rule.ptr; 5540 a = s->anchor.ptr; 5541 log = s->log; 5542 } else if (s == NULL) 5543 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5544 &pd, &a, &ruleset); 5545 break; 5546 } 5547 5548 done: 5549 if (action == PF_PASS && h->ip_hl > 5 && 5550 !((s && s->allow_opts) || r->allow_opts)) { 5551 action = PF_DROP; 5552 REASON_SET(&reason, PFRES_SHORT); 5553 log = 1; 5554 DPFPRINTF(PF_DEBUG_MISC, 5555 ("pf: dropping packet with ip options\n")); 5556 } 5557 5558 #ifdef ALTQ 5559 if (action == PF_PASS && r->qid) { 5560 struct m_tag *mtag; 5561 struct altq_tag *atag; 5562 5563 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 5564 if (mtag != NULL) { 5565 atag = (struct altq_tag *)(mtag + 1); 5566 if (pqid || pd.tos == IPTOS_LOWDELAY) 5567 atag->qid = r->pqid; 5568 else 5569 atag->qid = r->qid; 5570 /* add hints for ecn */ 5571 atag->af = AF_INET; 5572 atag->hdr = h; 5573 m_tag_prepend(m, mtag); 5574 } 5575 } 5576 #endif 5577 5578 /* 5579 * connections redirected to loopback should not match sockets 5580 * bound specifically to loopback due to security implications, 5581 * see tcp_input() and in_pcblookup_listen(). 5582 */ 5583 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5584 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5585 (s->nat_rule.ptr->action == PF_RDR || 5586 s->nat_rule.ptr->action == PF_BINAT) && 5587 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET && 5588 pf_add_mbuf_tag(m, PACKET_TAG_PF_TRANSLATE_LOCALHOST)) { 5589 action = PF_DROP; 5590 REASON_SET(&reason, PFRES_MEMORY); 5591 } 5592 5593 if (log) 5594 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset); 5595 5596 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5597 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++; 5598 5599 if (action == PF_PASS || r->action == PF_DROP) { 5600 r->packets++; 5601 r->bytes += pd.tot_len; 5602 if (a != NULL) { 5603 a->packets++; 5604 a->bytes += pd.tot_len; 5605 } 5606 if (s != NULL) { 5607 dirndx = (dir == s->direction) ? 
0 : 1; 5608 s->packets[dirndx]++; 5609 s->bytes[dirndx] += pd.tot_len; 5610 if (s->nat_rule.ptr != NULL) { 5611 s->nat_rule.ptr->packets++; 5612 s->nat_rule.ptr->bytes += pd.tot_len; 5613 } 5614 if (s->src_node != NULL) { 5615 s->src_node->packets++; 5616 s->src_node->bytes += pd.tot_len; 5617 } 5618 if (s->nat_src_node != NULL) { 5619 s->nat_src_node->packets++; 5620 s->nat_src_node->bytes += pd.tot_len; 5621 } 5622 } 5623 tr = r; 5624 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5625 if (nr != NULL) { 5626 struct pf_addr *x; 5627 /* 5628 * XXX: we need to make sure that the addresses 5629 * passed to pfr_update_stats() are the same than 5630 * the addresses used during matching (pfr_match) 5631 */ 5632 if (r == &pf_default_rule) { 5633 tr = nr; 5634 x = (s == NULL || s->direction == dir) ? 5635 &pd.baddr : &pd.naddr; 5636 } else 5637 x = (s == NULL || s->direction == dir) ? 5638 &pd.naddr : &pd.baddr; 5639 if (x == &pd.baddr || s == NULL) { 5640 /* we need to change the address */ 5641 if (dir == PF_OUT) 5642 pd.src = x; 5643 else 5644 pd.dst = x; 5645 } 5646 } 5647 if (tr->src.addr.type == PF_ADDR_TABLE) 5648 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5649 s->direction == dir) ? pd.src : pd.dst, pd.af, 5650 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5651 tr->src.not); 5652 if (tr->dst.addr.type == PF_ADDR_TABLE) 5653 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5654 s->direction == dir) ? pd.dst : pd.src, pd.af, 5655 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5656 tr->dst.not); 5657 } 5658 5659 5660 if (action == PF_SYNPROXY_DROP) { 5661 m_freem(*m0); 5662 *m0 = NULL; 5663 action = PF_PASS; 5664 } else if (r->rt) 5665 /* pf_route can free the mbuf causing *m0 to become NULL */ 5666 pf_route(m0, r, dir, ifp, s); 5667 5668 return (action); 5669 } 5670 #endif /* INET */ 5671 5672 #ifdef INET6 5673 int 5674 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) 5675 { 5676 struct pfi_kif *kif; 5677 u_short action, reason = 0, log = 0; 5678 struct mbuf *m = *m0; 5679 struct ip6_hdr *h; 5680 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5681 struct pf_state *s = NULL; 5682 struct pf_ruleset *ruleset = NULL; 5683 struct pf_pdesc pd; 5684 int off, terminal = 0, dirndx; 5685 5686 if (!pf_status.running || 5687 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) 5688 return (PF_PASS); 5689 5690 kif = pfi_index2kif[ifp->if_index]; 5691 if (kif == NULL) 5692 return (PF_DROP); 5693 5694 #ifdef DIAGNOSTIC 5695 if ((m->m_flags & M_PKTHDR) == 0) 5696 panic("non-M_PKTHDR is passed to pf_test"); 5697 #endif 5698 5699 memset(&pd, 0, sizeof(pd)); 5700 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5701 action = PF_DROP; 5702 REASON_SET(&reason, PFRES_SHORT); 5703 log = 1; 5704 goto done; 5705 } 5706 5707 /* We do IP header normalization and packet reassembly here */ 5708 if (pf_normalize_ip6(m0, dir, kif, &reason) != PF_PASS) { 5709 action = PF_DROP; 5710 goto done; 5711 } 5712 m = *m0; 5713 h = mtod(m, struct ip6_hdr *); 5714 5715 pd.src = (struct pf_addr *)&h->ip6_src; 5716 pd.dst = (struct pf_addr *)&h->ip6_dst; 5717 PF_ACPY(&pd.baddr, dir == PF_OUT ? 
pd.src : pd.dst, AF_INET6); 5718 pd.ip_sum = NULL; 5719 pd.af = AF_INET6; 5720 pd.tos = 0; 5721 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); 5722 5723 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 5724 pd.proto = h->ip6_nxt; 5725 do { 5726 switch (pd.proto) { 5727 case IPPROTO_FRAGMENT: 5728 action = pf_test_fragment(&r, dir, kif, m, h, 5729 &pd, &a, &ruleset); 5730 if (action == PF_DROP) 5731 REASON_SET(&reason, PFRES_FRAG); 5732 goto done; 5733 case IPPROTO_AH: 5734 case IPPROTO_HOPOPTS: 5735 case IPPROTO_ROUTING: 5736 case IPPROTO_DSTOPTS: { 5737 /* get next header and header length */ 5738 struct ip6_ext opt6; 5739 5740 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), 5741 NULL, NULL, pd.af)) { 5742 DPFPRINTF(PF_DEBUG_MISC, 5743 ("pf: IPv6 short opt\n")); 5744 action = PF_DROP; 5745 REASON_SET(&reason, PFRES_SHORT); 5746 log = 1; 5747 goto done; 5748 } 5749 if (pd.proto == IPPROTO_AH) 5750 off += (opt6.ip6e_len + 2) * 4; 5751 else 5752 off += (opt6.ip6e_len + 1) * 8; 5753 pd.proto = opt6.ip6e_nxt; 5754 /* goto the next header */ 5755 break; 5756 } 5757 default: 5758 terminal++; 5759 break; 5760 } 5761 } while (!terminal); 5762 5763 switch (pd.proto) { 5764 5765 case IPPROTO_TCP: { 5766 struct tcphdr th; 5767 5768 pd.hdr.tcp = &th; 5769 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5770 &action, &reason, AF_INET6)) { 5771 log = action != PF_PASS; 5772 goto done; 5773 } 5774 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5775 ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) { 5776 action = PF_DROP; 5777 goto done; 5778 } 5779 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5780 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5781 if (action == PF_DROP) 5782 goto done; 5783 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5784 &reason); 5785 if (action == PF_PASS) { 5786 #if NPFSYNC 5787 pfsync_update_state(s); 5788 #endif 5789 r = s->rule.ptr; 5790 a = s->anchor.ptr; 5791 log = s->log; 5792 } else if (s == NULL) 5793 action = pf_test_tcp(&r, &s, dir, kif, 5794 m, off, h, &pd, &a, &ruleset); 5795 break; 5796 } 5797 5798 case IPPROTO_UDP: { 5799 struct udphdr uh; 5800 5801 pd.hdr.udp = &uh; 5802 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5803 &action, &reason, AF_INET6)) { 5804 log = action != PF_PASS; 5805 goto done; 5806 } 5807 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5808 off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) { 5809 action = PF_DROP; 5810 goto done; 5811 } 5812 if (uh.uh_dport == 0 || 5813 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5814 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5815 action = PF_DROP; 5816 goto done; 5817 } 5818 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5819 if (action == PF_PASS) { 5820 #if NPFSYNC 5821 pfsync_update_state(s); 5822 #endif 5823 r = s->rule.ptr; 5824 a = s->anchor.ptr; 5825 log = s->log; 5826 } else if (s == NULL) 5827 action = pf_test_udp(&r, &s, dir, kif, 5828 m, off, h, &pd, &a, &ruleset); 5829 break; 5830 } 5831 5832 case IPPROTO_ICMPV6: { 5833 struct icmp6_hdr ih; 5834 5835 pd.hdr.icmp6 = &ih; 5836 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 5837 &action, &reason, AF_INET6)) { 5838 log = action != PF_PASS; 5839 goto done; 5840 } 5841 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5842 ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) { 5843 action = PF_DROP; 5844 goto done; 5845 } 5846 action = pf_test_state_icmp(&s, dir, kif, 5847 m, off, h, &pd); 5848 if (action == PF_PASS) { 5849 #if NPFSYNC 5850 pfsync_update_state(s); 5851 #endif 5852 r = s->rule.ptr; 5853 a = 
s->anchor.ptr; 5854 log = s->log; 5855 } else if (s == NULL) 5856 action = pf_test_icmp(&r, &s, dir, kif, 5857 m, off, h, &pd, &a, &ruleset); 5858 break; 5859 } 5860 5861 default: 5862 action = pf_test_state_other(&s, dir, kif, &pd); 5863 if (action == PF_PASS) { 5864 r = s->rule.ptr; 5865 a = s->anchor.ptr; 5866 log = s->log; 5867 } else if (s == NULL) 5868 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5869 &pd, &a, &ruleset); 5870 break; 5871 } 5872 5873 done: 5874 /* XXX handle IPv6 options, if not allowed. not implemented. */ 5875 5876 #ifdef ALTQ 5877 if (action == PF_PASS && r->qid) { 5878 struct m_tag *mtag; 5879 struct altq_tag *atag; 5880 5881 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 5882 if (mtag != NULL) { 5883 atag = (struct altq_tag *)(mtag + 1); 5884 if (pd.tos == IPTOS_LOWDELAY) 5885 atag->qid = r->pqid; 5886 else 5887 atag->qid = r->qid; 5888 /* add hints for ecn */ 5889 atag->af = AF_INET6; 5890 atag->hdr = h; 5891 m_tag_prepend(m, mtag); 5892 } 5893 } 5894 #endif 5895 5896 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5897 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5898 (s->nat_rule.ptr->action == PF_RDR || 5899 s->nat_rule.ptr->action == PF_BINAT) && 5900 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6) && 5901 pf_add_mbuf_tag(m, PACKET_TAG_PF_TRANSLATE_LOCALHOST)) { 5902 action = PF_DROP; 5903 REASON_SET(&reason, PFRES_MEMORY); 5904 } 5905 5906 if (log) 5907 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset); 5908 5909 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5910 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++; 5911 5912 if (action == PF_PASS || r->action == PF_DROP) { 5913 r->packets++; 5914 r->bytes += pd.tot_len; 5915 if (a != NULL) { 5916 a->packets++; 5917 a->bytes += pd.tot_len; 5918 } 5919 if (s != NULL) { 5920 dirndx = (dir == s->direction) ? 0 : 1; 5921 s->packets[dirndx]++; 5922 s->bytes[dirndx] += pd.tot_len; 5923 if (s->nat_rule.ptr != NULL) { 5924 s->nat_rule.ptr->packets++; 5925 s->nat_rule.ptr->bytes += pd.tot_len; 5926 } 5927 if (s->src_node != NULL) { 5928 s->src_node->packets++; 5929 s->src_node->bytes += pd.tot_len; 5930 } 5931 if (s->nat_src_node != NULL) { 5932 s->nat_src_node->packets++; 5933 s->nat_src_node->bytes += pd.tot_len; 5934 } 5935 } 5936 tr = r; 5937 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5938 if (nr != NULL) { 5939 struct pf_addr *x; 5940 /* 5941 * XXX: we need to make sure that the addresses 5942 * passed to pfr_update_stats() are the same than 5943 * the addresses used during matching (pfr_match) 5944 */ 5945 if (r == &pf_default_rule) { 5946 tr = nr; 5947 x = (s == NULL || s->direction == dir) ? 5948 &pd.baddr : &pd.naddr; 5949 } else { 5950 x = (s == NULL || s->direction == dir) ? 5951 &pd.naddr : &pd.baddr; 5952 } 5953 if (x == &pd.baddr || s == NULL) { 5954 if (dir == PF_OUT) 5955 pd.src = x; 5956 else 5957 pd.dst = x; 5958 } 5959 } 5960 if (tr->src.addr.type == PF_ADDR_TABLE) 5961 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5962 s->direction == dir) ? pd.src : pd.dst, pd.af, 5963 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5964 tr->src.not); 5965 if (tr->dst.addr.type == PF_ADDR_TABLE) 5966 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5967 s->direction == dir) ? 
pd.dst : pd.src, pd.af, 5968 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5969 tr->dst.not); 5970 } 5971 5972 5973 if (action == PF_SYNPROXY_DROP) { 5974 m_freem(*m0); 5975 *m0 = NULL; 5976 action = PF_PASS; 5977 } else if (r->rt) 5978 /* pf_route6 can free the mbuf causing *m0 to become NULL */ 5979 pf_route6(m0, r, dir, ifp, s); 5980 5981 return (action); 5982 } 5983 #endif /* INET6 */ 5984
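/*
 * Illustrative sketch only -- not part of the original source.  It shows
 * the calling convention pf_test()/pf_test6() expect from their callers:
 * the verdict must be checked and the mbuf pointer re-read afterwards,
 * since pf may replace or consume the chain (PF_SYNPROXY_DROP and
 * pf_route() set *m0 to NULL even though PF_PASS is returned).  The
 * wrapper name and the errno value are assumptions made for the example.
 */
#if 0
static int
pf_check_in_example(struct ifnet *ifp, struct mbuf **mp)
{
	if (pf_test(PF_IN, ifp, mp) != PF_PASS) {
		if (*mp != NULL) {
			m_freem(*mp);	/* verdict was not PASS; discard */
			*mp = NULL;
		}
		return (EHOSTUNREACH);
	}
	if (*mp == NULL)
		return (0);	/* pf consumed the packet (e.g. synproxy) */
	return (0);		/* passed; continue normal input processing */
}
#endif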