1 /* $OpenBSD: pf.c,v 1.404 2003/11/28 01:06:59 mcbride Exp $ */ 2 3 /* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * Effort sponsored in part by the Defense Advanced Research Projects 32 * Agency (DARPA) and Air Force Research Laboratory, Air Force 33 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 34 * 35 */ 36 37 #include "bpfilter.h" 38 #include "pflog.h" 39 #include "pfsync.h" 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/mbuf.h> 44 #include <sys/filio.h> 45 #include <sys/socket.h> 46 #include <sys/socketvar.h> 47 #include <sys/kernel.h> 48 #include <sys/time.h> 49 #include <sys/pool.h> 50 51 #include <net/if.h> 52 #include <net/if_types.h> 53 #include <net/bpf.h> 54 #include <net/route.h> 55 56 #include <netinet/in.h> 57 #include <netinet/in_var.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/ip.h> 60 #include <netinet/ip_var.h> 61 #include <netinet/tcp.h> 62 #include <netinet/tcp_seq.h> 63 #include <netinet/udp.h> 64 #include <netinet/ip_icmp.h> 65 #include <netinet/in_pcb.h> 66 #include <netinet/tcp_timer.h> 67 #include <netinet/tcp_var.h> 68 #include <netinet/udp_var.h> 69 #include <netinet/icmp_var.h> 70 71 #include <dev/rndvar.h> 72 #include <net/pfvar.h> 73 #include <net/if_pflog.h> 74 #include <net/if_pfsync.h> 75 76 #ifdef INET6 77 #include <netinet/ip6.h> 78 #include <netinet/in_pcb.h> 79 #include <netinet/icmp6.h> 80 #include <netinet6/nd6.h> 81 #endif /* INET6 */ 82 83 #ifdef ALTQ 84 #include <altq/if_altq.h> 85 #endif 86 87 88 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 89 90 /* 91 * Global variables 92 */ 93 94 struct pf_anchorqueue pf_anchors; 95 struct pf_ruleset pf_main_ruleset; 96 struct pf_altqqueue pf_altqs[2]; 97 struct pf_palist pf_pabuf; 98 struct pf_altqqueue *pf_altqs_active; 99 struct pf_altqqueue *pf_altqs_inactive; 100 struct pf_status pf_status; 101 struct ifnet *status_ifp; 102 103 u_int32_t ticket_altqs_active; 104 u_int32_t ticket_altqs_inactive; 105 int altqs_inactive_open; 106 u_int32_t ticket_pabuf; 107 108 struct timeout pf_expire_to; /* expire timeout */ 109 110 struct pool pf_rule_pl, pf_addr_pl; 111 struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 112 113 void pf_dynaddr_update(void *); 114 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); 115 void pf_print_state(struct pf_state *); 116 void pf_print_flags(u_int8_t); 117 118 u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, 119 u_int8_t); 120 void pf_change_ap(struct pf_addr *, u_int16_t *, 121 u_int16_t *, u_int16_t *, struct pf_addr *, 122 u_int16_t, u_int8_t, sa_family_t); 123 #ifdef INET6 124 void pf_change_a6(struct pf_addr *, u_int16_t *, 125 struct pf_addr *, u_int8_t); 126 #endif /* INET6 */ 127 void pf_change_icmp(struct pf_addr *, u_int16_t *, 128 struct pf_addr *, struct pf_addr *, u_int16_t, 129 u_int16_t *, u_int16_t *, u_int16_t *, 130 u_int16_t *, u_int8_t, sa_family_t); 131 void pf_send_tcp(const struct pf_rule *, sa_family_t, 132 const struct pf_addr *, const struct pf_addr *, 133 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 134 u_int8_t, u_int16_t, u_int16_t, u_int8_t); 135 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, 136 sa_family_t, struct pf_rule *); 137 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, 138 int, int, struct ifnet *, 139 struct pf_addr *, u_int16_t, struct pf_addr *, 140 u_int16_t, int); 141 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, 142 int, int, struct ifnet *, 143 struct pf_addr *, u_int16_t, 144 struct pf_addr *, u_int16_t, 145 struct pf_addr *, u_int16_t *); 146 int pf_test_tcp(struct pf_rule **, struct pf_state **, 147 int, struct ifnet *, struct mbuf *, int, 148 void *, struct pf_pdesc *, struct pf_rule **, 149 struct pf_ruleset **); 150 int pf_test_udp(struct pf_rule **, struct pf_state **, 151 int, struct ifnet *, struct mbuf *, int, 152 void *, struct pf_pdesc *, struct pf_rule **, 153 struct pf_ruleset **); 154 int pf_test_icmp(struct pf_rule **, struct pf_state **, 155 int, struct ifnet *, struct mbuf *, int, 156 void *, struct pf_pdesc *, struct pf_rule **, 157 struct pf_ruleset **); 158 int pf_test_other(struct pf_rule **, struct pf_state **, 159 int, struct ifnet *, struct mbuf *, int, void *, 160 struct pf_pdesc *, struct pf_rule **, 161 struct pf_ruleset **); 162 int pf_test_fragment(struct pf_rule **, int, 163 struct ifnet *, struct mbuf *, void *, 164 struct pf_pdesc *, struct pf_rule **, 165 struct pf_ruleset **); 166 int pf_test_state_tcp(struct pf_state **, int, 167 struct ifnet *, struct mbuf *, int, 168 void *, struct pf_pdesc *, u_short *); 169 int pf_test_state_udp(struct pf_state **, int, 170 struct ifnet *, struct mbuf *, int, 171 void *, struct pf_pdesc *); 172 int pf_test_state_icmp(struct pf_state **, int, 173 struct ifnet *, struct mbuf *, int, 174 void *, struct pf_pdesc *); 175 int pf_test_state_other(struct pf_state **, int, 176 struct ifnet *, struct pf_pdesc *); 177 struct pf_tag *pf_get_tag(struct mbuf *); 178 int pf_match_tag(struct mbuf *, struct pf_rule *, 179 struct pf_rule *, struct pf_rule *, 180 struct pf_tag *, int *); 181 void pf_hash(struct pf_addr *, struct pf_addr *, 182 struct pf_poolhashkey *, sa_family_t); 183 int pf_map_addr(u_int8_t, struct pf_pool *, 184 struct pf_addr *, struct pf_addr *, 185 struct pf_addr *); 186 int pf_get_sport(sa_family_t, u_int8_t, struct pf_pool *, 187 struct pf_addr *, struct pf_addr *, u_int16_t, 188 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t); 189 void pf_route(struct mbuf **, struct pf_rule *, int, 190 struct ifnet *, struct pf_state *); 191 void pf_route6(struct mbuf **, struct pf_rule *, int, 192 struct ifnet *, struct pf_state *); 193 int pf_socket_lookup(uid_t *, gid_t *, 194 int, struct pf_pdesc *); 195 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, 196 sa_family_t); 197 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, 198 sa_family_t); 199 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, 200 u_int16_t); 201 void pf_set_rt_ifp(struct pf_state *, 202 struct pf_addr *); 203 int pf_check_proto_cksum(struct mbuf *, int, int, 204 u_int8_t, sa_family_t); 205 int pf_addr_wrap_neq(struct pf_addr_wrap *, 206 struct pf_addr_wrap *); 207 208 209 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = 210 { { &pf_state_pl, PFSTATE_HIWAT }, { &pf_frent_pl, PFFRAG_FRENT_HIWAT } }; 211 212 #define STATE_LOOKUP() \ 213 do { \ 214 if (direction == PF_IN) \ 215 *state = pf_find_state(&key, PF_EXT_GWY); \ 216 else \ 217 *state = pf_find_state(&key, PF_LAN_EXT); \ 218 if (*state == NULL) \ 219 return (PF_DROP); \ 220 if (direction == PF_OUT && \ 221 (((*state)->rule.ptr->rt == PF_ROUTETO && \ 222 (*state)->rule.ptr->direction == PF_OUT) || \ 223 ((*state)->rule.ptr->rt == PF_REPLYTO && \ 224 (*state)->rule.ptr->direction == PF_IN)) && \ 225 (*state)->rt_ifp != NULL && \ 226 (*state)->rt_ifp != ifp) \ 227 return (PF_PASS); \ 228 } while (0) 229 230 #define STATE_TRANSLATE(s) \ 231 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \ 232 ((s)->af == AF_INET6 && \ 233 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \ 234 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \ 235 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \ 236 (s)->lan.port != (s)->gwy.port 237 238 static __inline int pf_state_compare_lan_ext(struct pf_state *, 239 struct pf_state *); 240 static __inline int pf_state_compare_ext_gwy(struct pf_state *, 241 struct pf_state *); 242 243 struct pf_state_tree_lan_ext tree_lan_ext; 244 struct pf_state_tree_ext_gwy tree_ext_gwy; 245 246 RB_GENERATE(pf_state_tree_lan_ext, pf_state, 247 entry_lan_ext, pf_state_compare_lan_ext); 248 RB_GENERATE(pf_state_tree_ext_gwy, pf_state, 249 entry_ext_gwy, pf_state_compare_ext_gwy); 250 251 static __inline int 252 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b) 253 { 254 int diff; 255 256 if ((diff = a->proto - b->proto) != 0) 257 return (diff); 258 if ((diff = a->af - b->af) != 0) 259 return (diff); 260 switch (a->af) { 261 #ifdef INET 262 case AF_INET: 263 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 264 return (1); 265 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 266 return (-1); 267 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 268 return (1); 269 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 270 return (-1); 271 break; 272 #endif /* INET */ 273 #ifdef INET6 274 case AF_INET6: 275 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3]) 276 return (1); 277 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3]) 278 return (-1); 279 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 280 return (1); 281 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 282 return (-1); 283 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2]) 284 return (1); 285 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2]) 286 return (-1); 287 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 288 return (1); 289 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 290 return (-1); 291 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1]) 292 return (1); 293 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1]) 294 return (-1); 295 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 296 return (1); 297 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 298 return (-1); 299 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 300 return (1); 301 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 302 return (-1); 303 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 304 return (1); 305 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 306 return (-1); 307 break; 308 #endif /* INET6 */ 309 } 310 311 if ((diff = a->lan.port - b->lan.port) != 0) 312 return (diff); 313 if ((diff = a->ext.port - b->ext.port) != 0) 314 return (diff); 315 316 return (0); 317 } 318 319 static __inline int 320 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b) 321 { 322 int diff; 323 324 if ((diff = a->proto - b->proto) != 0) 325 return (diff); 326 if ((diff = a->af - b->af) != 0) 327 return (diff); 328 switch (a->af) { 329 #ifdef INET 330 case AF_INET: 331 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 332 return (1); 333 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 334 return (-1); 335 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 336 return (1); 337 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 338 return (-1); 339 break; 340 #endif /* INET */ 341 #ifdef INET6 342 case AF_INET6: 343 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 344 return (1); 345 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 346 return (-1); 347 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3]) 348 return (1); 349 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3]) 350 return (-1); 351 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 352 return (1); 353 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 354 return (-1); 355 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2]) 356 return (1); 357 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2]) 358 return (-1); 359 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 360 return (1); 361 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 362 return (-1); 363 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1]) 364 return (1); 365 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1]) 366 return (-1); 367 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 368 return (1); 369 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 370 return (-1); 371 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 372 return (1); 373 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 374 return (-1); 375 break; 376 #endif /* INET6 */ 377 } 378 379 if ((diff = a->ext.port - b->ext.port) != 0) 380 return (diff); 381 if ((diff = a->gwy.port - b->gwy.port) != 0) 382 return (diff); 383 384 return (0); 385 } 386 387 #ifdef INET6 388 void 389 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af) 390 { 391 switch (af) { 392 #ifdef INET 393 case AF_INET: 394 dst->addr32[0] = src->addr32[0]; 395 break; 396 #endif /* INET */ 397 case AF_INET6: 398 dst->addr32[0] = src->addr32[0]; 399 dst->addr32[1] = src->addr32[1]; 400 dst->addr32[2] = src->addr32[2]; 401 dst->addr32[3] = src->addr32[3]; 402 break; 403 } 404 } 405 #endif 406 407 struct pf_state * 408 pf_find_state(struct pf_state *key, u_int8_t tree) 409 { 410 struct pf_state *s; 411 412 pf_status.fcounters[FCNT_STATE_SEARCH]++; 413 414 switch (tree) { 415 case PF_LAN_EXT: 416 s = RB_FIND(pf_state_tree_lan_ext, &tree_lan_ext, key); 417 break; 418 case PF_EXT_GWY: 419 s = RB_FIND(pf_state_tree_ext_gwy, &tree_ext_gwy, key); 420 break; 421 default: 422 /* XXX should we just return NULL? */ 423 panic("pf_find_state"); 424 break; 425 } 426 427 return (s); 428 } 429 430 int 431 pf_insert_state(struct pf_state *state) 432 { 433 /* Thou MUST NOT insert multiple duplicate keys */ 434 if (RB_INSERT(pf_state_tree_lan_ext, &tree_lan_ext, state)) { 435 if (pf_status.debug >= PF_DEBUG_MISC) { 436 printf("pf: state insert failed: tree_lan_ext"); 437 printf(" lan: "); 438 pf_print_host(&state->lan.addr, state->lan.port, 439 state->af); 440 printf(" gwy: "); 441 pf_print_host(&state->gwy.addr, state->gwy.port, 442 state->af); 443 printf(" ext: "); 444 pf_print_host(&state->ext.addr, state->ext.port, 445 state->af); 446 printf("\n"); 447 } 448 return (-1); 449 } 450 451 if (RB_INSERT(pf_state_tree_ext_gwy, &tree_ext_gwy, state) != NULL) { 452 if (pf_status.debug >= PF_DEBUG_MISC) { 453 printf("pf: state insert failed: tree_ext_gwy"); 454 printf(" lan: "); 455 pf_print_host(&state->lan.addr, state->lan.port, 456 state->af); 457 printf(" gwy: "); 458 pf_print_host(&state->gwy.addr, state->gwy.port, 459 state->af); 460 printf(" ext: "); 461 pf_print_host(&state->ext.addr, state->ext.port, 462 state->af); 463 printf("\n"); 464 } 465 RB_REMOVE(pf_state_tree_lan_ext, &tree_lan_ext, state); 466 return (-1); 467 } 468 469 pf_status.fcounters[FCNT_STATE_INSERT]++; 470 pf_status.states++; 471 #if NPFSYNC 472 pfsync_insert_state(state); 473 #endif 474 return (0); 475 } 476 477 void 478 pf_purge_timeout(void *arg) 479 { 480 struct timeout *to = arg; 481 int s; 482 483 s = splsoftnet(); 484 pf_purge_expired_states(); 485 pf_purge_expired_fragments(); 486 splx(s); 487 488 timeout_add(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz); 489 } 490 491 u_int32_t 492 pf_state_expires(const struct pf_state *state) 493 { 494 u_int32_t timeout; 495 u_int32_t start; 496 u_int32_t end; 497 u_int32_t states; 498 499 /* handle all PFTM_* > PFTM_MAX here */ 500 if (state->timeout == PFTM_PURGE) 501 return (time.tv_sec); 502 if (state->timeout == PFTM_UNTIL_PACKET) 503 return (0); 504 KASSERT(state->timeout < PFTM_MAX); 505 timeout = state->rule.ptr->timeout[state->timeout]; 506 if (!timeout) 507 timeout = pf_default_rule.timeout[state->timeout]; 508 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; 509 if (start) { 510 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; 511 states = state->rule.ptr->states; 512 } else { 513 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START]; 514 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 515 states = pf_status.states; 516 } 517 if (end && states > start && start < end) { 518 if (states < end) 519 return (state->expire + timeout * (end - states) / 520 (end - start)); 521 else 522 return (time.tv_sec); 523 } 524 return (state->expire + timeout); 525 } 526 527 void 528 pf_purge_expired_states(void) 529 { 530 struct pf_state *cur, *next; 531 532 for (cur = RB_MIN(pf_state_tree_ext_gwy, &tree_ext_gwy); cur; cur = next) { 533 next = RB_NEXT(pf_state_tree_ext_gwy, &tree_ext_gwy, cur); 534 535 if (pf_state_expires(cur) <= time.tv_sec) { 536 if (cur->src.state == PF_TCPS_PROXY_DST) 537 pf_send_tcp(cur->rule.ptr, cur->af, 538 &cur->ext.addr, &cur->lan.addr, 539 cur->ext.port, cur->lan.port, 540 cur->src.seqhi, cur->src.seqlo + 1, 0, 541 TH_RST|TH_ACK, 0, 0); 542 RB_REMOVE(pf_state_tree_ext_gwy, &tree_ext_gwy, cur); 543 RB_REMOVE(pf_state_tree_lan_ext, &tree_lan_ext, cur); 544 545 #if NPFSYNC 546 pfsync_delete_state(cur); 547 #endif 548 if (--cur->rule.ptr->states <= 0) 549 pf_rm_rule(NULL, cur->rule.ptr); 550 if (cur->nat_rule.ptr != NULL) 551 if (--cur->nat_rule.ptr->states <= 0) 552 pf_rm_rule(NULL, cur->nat_rule.ptr); 553 if (cur->anchor.ptr != NULL) 554 if (--cur->anchor.ptr->states <= 0) 555 pf_rm_rule(NULL, cur->anchor.ptr); 556 pf_normalize_tcp_cleanup(cur); 557 pool_put(&pf_state_pl, cur); 558 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 559 pf_status.states--; 560 } 561 } 562 } 563 564 int 565 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw) 566 { 567 if (aw->type != PF_ADDR_TABLE) 568 return (0); 569 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL) 570 return (1); 571 return (0); 572 } 573 574 void 575 pf_tbladdr_remove(struct pf_addr_wrap *aw) 576 { 577 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) 578 return; 579 pfr_detach_table(aw->p.tbl); 580 aw->p.tbl = NULL; 581 } 582 583 void 584 pf_tbladdr_copyout(struct pf_addr_wrap *aw) 585 { 586 struct pfr_ktable *kt = aw->p.tbl; 587 588 if (aw->type != PF_ADDR_TABLE || kt == NULL) 589 return; 590 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) 591 kt = kt->pfrkt_root; 592 aw->p.tbl = NULL; 593 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? 594 kt->pfrkt_cnt : -1; 595 } 596 597 int 598 pf_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) 599 { 600 if (aw->type != PF_ADDR_DYNIFTL) 601 return (0); 602 aw->p.dyn = pool_get(&pf_addr_pl, PR_NOWAIT); 603 if (aw->p.dyn == NULL) 604 return (1); 605 bcopy(aw->v.ifname, aw->p.dyn->ifname, sizeof(aw->p.dyn->ifname)); 606 aw->p.dyn->ifp = ifunit(aw->p.dyn->ifname); 607 if (aw->p.dyn->ifp == NULL) { 608 pool_put(&pf_addr_pl, aw->p.dyn); 609 aw->p.dyn = NULL; 610 return (1); 611 } 612 aw->p.dyn->addr = &aw->v.a.addr; 613 aw->p.dyn->af = af; 614 aw->p.dyn->undefined = 1; 615 aw->p.dyn->hook_cookie = hook_establish( 616 aw->p.dyn->ifp->if_addrhooks, 1, 617 pf_dynaddr_update, aw->p.dyn); 618 if (aw->p.dyn->hook_cookie == NULL) { 619 pool_put(&pf_addr_pl, aw->p.dyn); 620 aw->p.dyn = NULL; 621 return (1); 622 } 623 pf_dynaddr_update(aw->p.dyn); 624 return (0); 625 } 626 627 void 628 pf_dynaddr_update(void *p) 629 { 630 struct pf_addr_dyn *ad = (struct pf_addr_dyn *)p; 631 struct ifaddr *ia; 632 int s, changed = 0; 633 634 if (ad == NULL || ad->ifp == NULL) 635 panic("pf_dynaddr_update"); 636 s = splsoftnet(); 637 TAILQ_FOREACH(ia, &ad->ifp->if_addrlist, ifa_list) 638 if (ia->ifa_addr != NULL && 639 ia->ifa_addr->sa_family == ad->af) { 640 if (ad->af == AF_INET) { 641 struct in_addr *a, *b; 642 643 a = &ad->addr->v4; 644 b = &((struct sockaddr_in *)ia->ifa_addr) 645 ->sin_addr; 646 if (ad->undefined || 647 memcmp(a, b, sizeof(*a))) { 648 bcopy(b, a, sizeof(*a)); 649 changed = 1; 650 } 651 } else if (ad->af == AF_INET6) { 652 struct in6_addr *a, *b; 653 654 a = &ad->addr->v6; 655 b = &((struct sockaddr_in6 *)ia->ifa_addr) 656 ->sin6_addr; 657 if (ad->undefined || 658 memcmp(a, b, sizeof(*a))) { 659 bcopy(b, a, sizeof(*a)); 660 changed = 1; 661 } 662 } 663 if (changed) 664 ad->undefined = 0; 665 break; 666 } 667 if (ia == NULL) 668 ad->undefined = 1; 669 splx(s); 670 } 671 672 void 673 pf_dynaddr_remove(struct pf_addr_wrap *aw) 674 { 675 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL) 676 return; 677 hook_disestablish(aw->p.dyn->ifp->if_addrhooks, 678 aw->p.dyn->hook_cookie); 679 pool_put(&pf_addr_pl, aw->p.dyn); 680 aw->p.dyn = NULL; 681 } 682 683 void 684 pf_dynaddr_copyout(struct pf_addr_wrap *aw) 685 { 686 if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL) 687 return; 688 bcopy(aw->p.dyn->ifname, aw->v.ifname, sizeof(aw->v.ifname)); 689 aw->p.dyn = (struct pf_addr_dyn *)1; 690 } 691 692 void 693 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) 694 { 695 switch (af) { 696 #ifdef INET 697 case AF_INET: { 698 u_int32_t a = ntohl(addr->addr32[0]); 699 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, 700 (a>>8)&255, a&255); 701 if (p) { 702 p = ntohs(p); 703 printf(":%u", p); 704 } 705 break; 706 } 707 #endif /* INET */ 708 #ifdef INET6 709 case AF_INET6: { 710 u_int16_t b; 711 u_int8_t i, curstart = 255, curend = 0, 712 maxstart = 0, maxend = 0; 713 for (i = 0; i < 8; i++) { 714 if (!addr->addr16[i]) { 715 if (curstart == 255) 716 curstart = i; 717 else 718 curend = i; 719 } else { 720 if (curstart) { 721 if ((curend - curstart) > 722 (maxend - maxstart)) { 723 maxstart = curstart; 724 maxend = curend; 725 curstart = 255; 726 } 727 } 728 } 729 } 730 for (i = 0; i < 8; i++) { 731 if (i >= maxstart && i <= maxend) { 732 if (maxend != 7) { 733 if (i == maxstart) 734 printf(":"); 735 } else { 736 if (i == maxend) 737 printf(":"); 738 } 739 } else { 740 b = ntohs(addr->addr16[i]); 741 printf("%x", b); 742 if (i < 7) 743 printf(":"); 744 } 745 } 746 if (p) { 747 p = ntohs(p); 748 printf("[%u]", p); 749 } 750 break; 751 } 752 #endif /* INET6 */ 753 } 754 } 755 756 void 757 pf_print_state(struct pf_state *s) 758 { 759 switch (s->proto) { 760 case IPPROTO_TCP: 761 printf("TCP "); 762 break; 763 case IPPROTO_UDP: 764 printf("UDP "); 765 break; 766 case IPPROTO_ICMP: 767 printf("ICMP "); 768 break; 769 case IPPROTO_ICMPV6: 770 printf("ICMPV6 "); 771 break; 772 default: 773 printf("%u ", s->proto); 774 break; 775 } 776 pf_print_host(&s->lan.addr, s->lan.port, s->af); 777 printf(" "); 778 pf_print_host(&s->gwy.addr, s->gwy.port, s->af); 779 printf(" "); 780 pf_print_host(&s->ext.addr, s->ext.port, s->af); 781 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, 782 s->src.seqhi, s->src.max_win, s->src.seqdiff); 783 if (s->src.wscale && s->dst.wscale) 784 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); 785 printf("]"); 786 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, 787 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); 788 if (s->src.wscale && s->dst.wscale) 789 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); 790 printf("]"); 791 printf(" %u:%u", s->src.state, s->dst.state); 792 } 793 794 void 795 pf_print_flags(u_int8_t f) 796 { 797 if (f) 798 printf(" "); 799 if (f & TH_FIN) 800 printf("F"); 801 if (f & TH_SYN) 802 printf("S"); 803 if (f & TH_RST) 804 printf("R"); 805 if (f & TH_PUSH) 806 printf("P"); 807 if (f & TH_ACK) 808 printf("A"); 809 if (f & TH_URG) 810 printf("U"); 811 if (f & TH_ECE) 812 printf("E"); 813 if (f & TH_CWR) 814 printf("W"); 815 } 816 817 #define PF_SET_SKIP_STEPS(i) \ 818 do { \ 819 while (head[i] != cur) { \ 820 head[i]->skip[i].ptr = cur; \ 821 head[i] = TAILQ_NEXT(head[i], entries); \ 822 } \ 823 } while (0) 824 825 void 826 pf_calc_skip_steps(struct pf_rulequeue *rules) 827 { 828 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; 829 int i; 830 831 cur = TAILQ_FIRST(rules); 832 prev = cur; 833 for (i = 0; i < PF_SKIP_COUNT; ++i) 834 head[i] = cur; 835 while (cur != NULL) { 836 837 if (cur->ifp != prev->ifp || cur->ifnot != prev->ifnot) 838 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 839 if (cur->direction != prev->direction) 840 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 841 if (cur->af != prev->af) 842 PF_SET_SKIP_STEPS(PF_SKIP_AF); 843 if (cur->proto != prev->proto) 844 PF_SET_SKIP_STEPS(PF_SKIP_PROTO); 845 if (cur->src.not != prev->src.not || 846 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 847 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 848 if (cur->src.port[0] != prev->src.port[0] || 849 cur->src.port[1] != prev->src.port[1] || 850 cur->src.port_op != prev->src.port_op) 851 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); 852 if (cur->dst.not != prev->dst.not || 853 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 854 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 855 if (cur->dst.port[0] != prev->dst.port[0] || 856 cur->dst.port[1] != prev->dst.port[1] || 857 cur->dst.port_op != prev->dst.port_op) 858 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 859 860 prev = cur; 861 cur = TAILQ_NEXT(cur, entries); 862 } 863 for (i = 0; i < PF_SKIP_COUNT; ++i) 864 PF_SET_SKIP_STEPS(i); 865 } 866 867 int 868 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) 869 { 870 if (aw1->type != aw2->type) 871 return (1); 872 switch (aw1->type) { 873 case PF_ADDR_ADDRMASK: 874 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) 875 return (1); 876 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 877 return (1); 878 return (0); 879 case PF_ADDR_DYNIFTL: 880 if (aw1->p.dyn->ifp != aw2->p.dyn->ifp) 881 return (1); 882 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 883 return (1); 884 return (0); 885 case PF_ADDR_NOROUTE: 886 return (0); 887 case PF_ADDR_TABLE: 888 return (aw1->p.tbl != aw2->p.tbl); 889 default: 890 printf("invalid address type: %d\n", aw1->type); 891 return (1); 892 } 893 } 894 895 void 896 pf_rule_set_qid(struct pf_rulequeue *rules) 897 { 898 struct pf_rule *rule; 899 900 TAILQ_FOREACH(rule, rules, entries) 901 if (rule->qname[0] != 0) { 902 rule->qid = pf_qname_to_qid(rule->qname); 903 if (rule->pqname[0] != 0) 904 rule->pqid = pf_qname_to_qid(rule->pqname); 905 else 906 rule->pqid = rule->qid; 907 } 908 } 909 910 u_int32_t 911 pf_qname_to_qid(char *qname) 912 { 913 struct pf_altq *altq; 914 915 TAILQ_FOREACH(altq, pf_altqs_active, entries) 916 if (!strcmp(altq->qname, qname)) 917 return (altq->qid); 918 919 return (0); 920 } 921 922 void 923 pf_update_anchor_rules() 924 { 925 struct pf_rule *rule; 926 int i; 927 928 for (i = 0; i < PF_RULESET_MAX; ++i) 929 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr, 930 entries) 931 if (rule->anchorname[0]) 932 rule->anchor = pf_find_anchor(rule->anchorname); 933 else 934 rule->anchor = NULL; 935 } 936 937 u_int16_t 938 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 939 { 940 u_int32_t l; 941 942 if (udp && !cksum) 943 return (0x0000); 944 l = cksum + old - new; 945 l = (l >> 16) + (l & 65535); 946 l = l & 65535; 947 if (udp && !l) 948 return (0xFFFF); 949 return (l); 950 } 951 952 void 953 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 954 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) 955 { 956 struct pf_addr ao; 957 u_int16_t po = *p; 958 959 PF_ACPY(&ao, a, af); 960 PF_ACPY(a, an, af); 961 962 *p = pn; 963 964 switch (af) { 965 #ifdef INET 966 case AF_INET: 967 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 968 ao.addr16[0], an->addr16[0], 0), 969 ao.addr16[1], an->addr16[1], 0); 970 *p = pn; 971 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 972 ao.addr16[0], an->addr16[0], u), 973 ao.addr16[1], an->addr16[1], u), 974 po, pn, u); 975 break; 976 #endif /* INET */ 977 #ifdef INET6 978 case AF_INET6: 979 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 980 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 981 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 982 ao.addr16[0], an->addr16[0], u), 983 ao.addr16[1], an->addr16[1], u), 984 ao.addr16[2], an->addr16[2], u), 985 ao.addr16[3], an->addr16[3], u), 986 ao.addr16[4], an->addr16[4], u), 987 ao.addr16[5], an->addr16[5], u), 988 ao.addr16[6], an->addr16[6], u), 989 ao.addr16[7], an->addr16[7], u), 990 po, pn, u); 991 break; 992 #endif /* INET6 */ 993 } 994 } 995 996 997 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 998 void 999 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 1000 { 1001 u_int32_t ao; 1002 1003 memcpy(&ao, a, sizeof(ao)); 1004 memcpy(a, &an, sizeof(u_int32_t)); 1005 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 1006 ao % 65536, an % 65536, u); 1007 } 1008 1009 #ifdef INET6 1010 void 1011 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 1012 { 1013 struct pf_addr ao; 1014 1015 PF_ACPY(&ao, a, AF_INET6); 1016 PF_ACPY(a, an, AF_INET6); 1017 1018 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1019 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1020 pf_cksum_fixup(pf_cksum_fixup(*c, 1021 ao.addr16[0], an->addr16[0], u), 1022 ao.addr16[1], an->addr16[1], u), 1023 ao.addr16[2], an->addr16[2], u), 1024 ao.addr16[3], an->addr16[3], u), 1025 ao.addr16[4], an->addr16[4], u), 1026 ao.addr16[5], an->addr16[5], u), 1027 ao.addr16[6], an->addr16[6], u), 1028 ao.addr16[7], an->addr16[7], u); 1029 } 1030 #endif /* INET6 */ 1031 1032 void 1033 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, 1034 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 1035 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) 1036 { 1037 struct pf_addr oia, ooa; 1038 1039 PF_ACPY(&oia, ia, af); 1040 PF_ACPY(&ooa, oa, af); 1041 1042 /* Change inner protocol port, fix inner protocol checksum. */ 1043 if (ip != NULL) { 1044 u_int16_t oip = *ip; 1045 u_int32_t opc; 1046 1047 if (pc != NULL) 1048 opc = *pc; 1049 *ip = np; 1050 if (pc != NULL) 1051 *pc = pf_cksum_fixup(*pc, oip, *ip, u); 1052 *ic = pf_cksum_fixup(*ic, oip, *ip, 0); 1053 if (pc != NULL) 1054 *ic = pf_cksum_fixup(*ic, opc, *pc, 0); 1055 } 1056 /* Change inner ip address, fix inner ip and icmp checksums. */ 1057 PF_ACPY(ia, na, af); 1058 switch (af) { 1059 #ifdef INET 1060 case AF_INET: { 1061 u_int32_t oh2c = *h2c; 1062 1063 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, 1064 oia.addr16[0], ia->addr16[0], 0), 1065 oia.addr16[1], ia->addr16[1], 0); 1066 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1067 oia.addr16[0], ia->addr16[0], 0), 1068 oia.addr16[1], ia->addr16[1], 0); 1069 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); 1070 break; 1071 } 1072 #endif /* INET */ 1073 #ifdef INET6 1074 case AF_INET6: 1075 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1076 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1077 pf_cksum_fixup(pf_cksum_fixup(*ic, 1078 oia.addr16[0], ia->addr16[0], u), 1079 oia.addr16[1], ia->addr16[1], u), 1080 oia.addr16[2], ia->addr16[2], u), 1081 oia.addr16[3], ia->addr16[3], u), 1082 oia.addr16[4], ia->addr16[4], u), 1083 oia.addr16[5], ia->addr16[5], u), 1084 oia.addr16[6], ia->addr16[6], u), 1085 oia.addr16[7], ia->addr16[7], u); 1086 break; 1087 #endif /* INET6 */ 1088 } 1089 /* Change outer ip address, fix outer ip or icmpv6 checksum. */ 1090 PF_ACPY(oa, na, af); 1091 switch (af) { 1092 #ifdef INET 1093 case AF_INET: 1094 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, 1095 ooa.addr16[0], oa->addr16[0], 0), 1096 ooa.addr16[1], oa->addr16[1], 0); 1097 break; 1098 #endif /* INET */ 1099 #ifdef INET6 1100 case AF_INET6: 1101 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1102 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1103 pf_cksum_fixup(pf_cksum_fixup(*ic, 1104 ooa.addr16[0], oa->addr16[0], u), 1105 ooa.addr16[1], oa->addr16[1], u), 1106 ooa.addr16[2], oa->addr16[2], u), 1107 ooa.addr16[3], oa->addr16[3], u), 1108 ooa.addr16[4], oa->addr16[4], u), 1109 ooa.addr16[5], oa->addr16[5], u), 1110 ooa.addr16[6], oa->addr16[6], u), 1111 ooa.addr16[7], oa->addr16[7], u); 1112 break; 1113 #endif /* INET6 */ 1114 } 1115 } 1116 1117 void 1118 pf_send_tcp(const struct pf_rule *r, sa_family_t af, 1119 const struct pf_addr *saddr, const struct pf_addr *daddr, 1120 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, 1121 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl) 1122 { 1123 struct mbuf *m; 1124 struct m_tag *mtag; 1125 int len, tlen; 1126 #ifdef INET 1127 struct ip *h; 1128 #endif /* INET */ 1129 #ifdef INET6 1130 struct ip6_hdr *h6; 1131 #endif /* INET6 */ 1132 struct tcphdr *th; 1133 char *opt; 1134 1135 /* maximum segment size tcp option */ 1136 tlen = sizeof(struct tcphdr); 1137 if (mss) 1138 tlen += 4; 1139 1140 switch (af) { 1141 #ifdef INET 1142 case AF_INET: 1143 len = sizeof(struct ip) + tlen; 1144 break; 1145 #endif /* INET */ 1146 #ifdef INET6 1147 case AF_INET6: 1148 len = sizeof(struct ip6_hdr) + tlen; 1149 break; 1150 #endif /* INET6 */ 1151 } 1152 1153 /* create outgoing mbuf */ 1154 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1155 if (mtag == NULL) 1156 return; 1157 m = m_gethdr(M_DONTWAIT, MT_HEADER); 1158 if (m == NULL) { 1159 m_tag_free(mtag); 1160 return; 1161 } 1162 m_tag_prepend(m, mtag); 1163 #ifdef ALTQ 1164 if (r != NULL && r->qid) { 1165 struct altq_tag *atag; 1166 1167 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 1168 if (mtag != NULL) { 1169 atag = (struct altq_tag *)(mtag + 1); 1170 atag->qid = r->qid; 1171 /* add hints for ecn */ 1172 atag->af = af; 1173 atag->hdr = mtod(m, struct ip *); 1174 m_tag_prepend(m, mtag); 1175 } 1176 } 1177 #endif 1178 m->m_data += max_linkhdr; 1179 m->m_pkthdr.len = m->m_len = len; 1180 m->m_pkthdr.rcvif = NULL; 1181 bzero(m->m_data, len); 1182 switch (af) { 1183 #ifdef INET 1184 case AF_INET: 1185 h = mtod(m, struct ip *); 1186 1187 /* IP header fields included in the TCP checksum */ 1188 h->ip_p = IPPROTO_TCP; 1189 h->ip_len = htons(tlen); 1190 h->ip_src.s_addr = saddr->v4.s_addr; 1191 h->ip_dst.s_addr = daddr->v4.s_addr; 1192 1193 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip)); 1194 break; 1195 #endif /* INET */ 1196 #ifdef INET6 1197 case AF_INET6: 1198 h6 = mtod(m, struct ip6_hdr *); 1199 1200 /* IP header fields included in the TCP checksum */ 1201 h6->ip6_nxt = IPPROTO_TCP; 1202 h6->ip6_plen = htons(tlen); 1203 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); 1204 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); 1205 1206 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr)); 1207 break; 1208 #endif /* INET6 */ 1209 } 1210 1211 /* TCP header */ 1212 th->th_sport = sport; 1213 th->th_dport = dport; 1214 th->th_seq = htonl(seq); 1215 th->th_ack = htonl(ack); 1216 th->th_off = tlen >> 2; 1217 th->th_flags = flags; 1218 th->th_win = htons(win); 1219 1220 if (mss) { 1221 opt = (char *)(th + 1); 1222 opt[0] = TCPOPT_MAXSEG; 1223 opt[1] = 4; 1224 HTONS(mss); 1225 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2); 1226 } 1227 1228 switch (af) { 1229 #ifdef INET 1230 case AF_INET: 1231 /* TCP checksum */ 1232 th->th_sum = in_cksum(m, len); 1233 1234 /* Finish the IP header */ 1235 h->ip_v = 4; 1236 h->ip_hl = sizeof(*h) >> 2; 1237 h->ip_tos = IPTOS_LOWDELAY; 1238 h->ip_len = htons(len); 1239 h->ip_off = htons(ip_mtudisc ? IP_DF : 0); 1240 h->ip_ttl = ttl ? ttl : ip_defttl; 1241 h->ip_sum = 0; 1242 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, 1243 (void *)NULL); 1244 break; 1245 #endif /* INET */ 1246 #ifdef INET6 1247 case AF_INET6: 1248 /* TCP checksum */ 1249 th->th_sum = in6_cksum(m, IPPROTO_TCP, 1250 sizeof(struct ip6_hdr), tlen); 1251 1252 h6->ip6_vfc |= IPV6_VERSION; 1253 h6->ip6_hlim = IPV6_DEFHLIM; 1254 1255 ip6_output(m, NULL, NULL, 0, NULL, NULL); 1256 break; 1257 #endif /* INET6 */ 1258 } 1259 } 1260 1261 void 1262 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, 1263 struct pf_rule *r) 1264 { 1265 struct m_tag *mtag; 1266 struct mbuf *m0; 1267 1268 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 1269 if (mtag == NULL) 1270 return; 1271 m0 = m_copy(m, 0, M_COPYALL); 1272 if (m0 == NULL) { 1273 m_tag_free(mtag); 1274 return; 1275 } 1276 m_tag_prepend(m0, mtag); 1277 1278 #ifdef ALTQ 1279 if (r->qid) { 1280 struct altq_tag *atag; 1281 1282 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 1283 if (mtag != NULL) { 1284 atag = (struct altq_tag *)(mtag + 1); 1285 atag->qid = r->qid; 1286 /* add hints for ecn */ 1287 atag->af = af; 1288 atag->hdr = mtod(m0, struct ip *); 1289 m_tag_prepend(m0, mtag); 1290 } 1291 } 1292 #endif 1293 1294 switch (af) { 1295 #ifdef INET 1296 case AF_INET: 1297 icmp_error(m0, type, code, 0, 0); 1298 break; 1299 #endif /* INET */ 1300 #ifdef INET6 1301 case AF_INET6: 1302 icmp6_error(m0, type, code, 0); 1303 break; 1304 #endif /* INET6 */ 1305 } 1306 } 1307 1308 /* 1309 * Return 1 if the addresses a and b match (with mask m), otherwise return 0. 1310 * If n is 0, they match if they are equal. If n is != 0, they match if they 1311 * are different. 1312 */ 1313 int 1314 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, 1315 struct pf_addr *b, sa_family_t af) 1316 { 1317 int match = 0; 1318 1319 switch (af) { 1320 #ifdef INET 1321 case AF_INET: 1322 if ((a->addr32[0] & m->addr32[0]) == 1323 (b->addr32[0] & m->addr32[0])) 1324 match++; 1325 break; 1326 #endif /* INET */ 1327 #ifdef INET6 1328 case AF_INET6: 1329 if (((a->addr32[0] & m->addr32[0]) == 1330 (b->addr32[0] & m->addr32[0])) && 1331 ((a->addr32[1] & m->addr32[1]) == 1332 (b->addr32[1] & m->addr32[1])) && 1333 ((a->addr32[2] & m->addr32[2]) == 1334 (b->addr32[2] & m->addr32[2])) && 1335 ((a->addr32[3] & m->addr32[3]) == 1336 (b->addr32[3] & m->addr32[3]))) 1337 match++; 1338 break; 1339 #endif /* INET6 */ 1340 } 1341 if (match) { 1342 if (n) 1343 return (0); 1344 else 1345 return (1); 1346 } else { 1347 if (n) 1348 return (1); 1349 else 1350 return (0); 1351 } 1352 } 1353 1354 int 1355 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) 1356 { 1357 switch (op) { 1358 case PF_OP_IRG: 1359 return ((p > a1) && (p < a2)); 1360 case PF_OP_XRG: 1361 return ((p < a1) || (p > a2)); 1362 case PF_OP_RRG: 1363 return ((p >= a1) && (p <= a2)); 1364 case PF_OP_EQ: 1365 return (p == a1); 1366 case PF_OP_NE: 1367 return (p != a1); 1368 case PF_OP_LT: 1369 return (p < a1); 1370 case PF_OP_LE: 1371 return (p <= a1); 1372 case PF_OP_GT: 1373 return (p > a1); 1374 case PF_OP_GE: 1375 return (p >= a1); 1376 } 1377 return (0); /* never reached */ 1378 } 1379 1380 int 1381 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) 1382 { 1383 NTOHS(a1); 1384 NTOHS(a2); 1385 NTOHS(p); 1386 return (pf_match(op, a1, a2, p)); 1387 } 1388 1389 int 1390 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) 1391 { 1392 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1393 return (0); 1394 return (pf_match(op, a1, a2, u)); 1395 } 1396 1397 int 1398 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) 1399 { 1400 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1401 return (0); 1402 return (pf_match(op, a1, a2, g)); 1403 } 1404 1405 struct pf_tag * 1406 pf_get_tag(struct mbuf *m) 1407 { 1408 struct m_tag *mtag; 1409 1410 if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL) 1411 return ((struct pf_tag *)(mtag + 1)); 1412 else 1413 return (NULL); 1414 } 1415 1416 int 1417 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat, 1418 struct pf_rule *rdr, struct pf_tag *pftag, int *tag) 1419 { 1420 if (*tag == -1) { /* find mbuf tag */ 1421 pftag = pf_get_tag(m); 1422 if (pftag != NULL) 1423 *tag = pftag->tag; 1424 else 1425 *tag = 0; 1426 if (nat != NULL && nat->tag) 1427 *tag = nat->tag; 1428 if (rdr != NULL && rdr->tag) 1429 *tag = rdr->tag; 1430 } 1431 1432 return ((!r->match_tag_not && r->match_tag == *tag) || 1433 (r->match_tag_not && r->match_tag != *tag)); 1434 } 1435 1436 int 1437 pf_tag_packet(struct mbuf *m, struct pf_tag *pftag, int tag) 1438 { 1439 struct m_tag *mtag; 1440 1441 if (tag <= 0) 1442 return (0); 1443 1444 if (pftag == NULL) { 1445 mtag = m_tag_get(PACKET_TAG_PF_TAG, sizeof(*pftag), M_NOWAIT); 1446 if (mtag == NULL) 1447 return (1); 1448 ((struct pf_tag *)(mtag + 1))->tag = tag; 1449 m_tag_prepend(m, mtag); 1450 } else 1451 pftag->tag = tag; 1452 1453 return (0); 1454 } 1455 1456 #define PF_STEP_INTO_ANCHOR(r, a, s, n) \ 1457 do { \ 1458 if ((r) == NULL || (r)->anchor == NULL || \ 1459 (s) != NULL || (a) != NULL) \ 1460 panic("PF_STEP_INTO_ANCHOR"); \ 1461 (a) = (r); \ 1462 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \ 1463 (r) = NULL; \ 1464 while ((s) != NULL && ((r) = \ 1465 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1466 (s) = TAILQ_NEXT((s), entries); \ 1467 if ((r) == NULL) { \ 1468 (r) = TAILQ_NEXT((a), entries); \ 1469 (a) = NULL; \ 1470 } \ 1471 } while (0) 1472 1473 #define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \ 1474 do { \ 1475 if ((r) != NULL || (a) == NULL || (s) == NULL) \ 1476 panic("PF_STEP_OUT_OF_ANCHOR"); \ 1477 (s) = TAILQ_NEXT((s), entries); \ 1478 while ((s) != NULL && ((r) = \ 1479 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1480 (s) = TAILQ_NEXT((s), entries); \ 1481 if ((r) == NULL) { \ 1482 (r) = TAILQ_NEXT((a), entries); \ 1483 (a) = NULL; \ 1484 } \ 1485 } while (0) 1486 1487 #ifdef INET6 1488 void 1489 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, 1490 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) 1491 { 1492 switch (af) { 1493 #ifdef INET 1494 case AF_INET: 1495 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1496 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1497 break; 1498 #endif /* INET */ 1499 case AF_INET6: 1500 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1501 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1502 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | 1503 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); 1504 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | 1505 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); 1506 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | 1507 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); 1508 break; 1509 } 1510 } 1511 1512 void 1513 pf_addr_inc(struct pf_addr *addr, u_int8_t af) 1514 { 1515 switch (af) { 1516 #ifdef INET 1517 case AF_INET: 1518 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); 1519 break; 1520 #endif /* INET */ 1521 case AF_INET6: 1522 if (addr->addr32[3] == 0xffffffff) { 1523 addr->addr32[3] = 0; 1524 if (addr->addr32[2] == 0xffffffff) { 1525 addr->addr32[2] = 0; 1526 if (addr->addr32[1] == 0xffffffff) { 1527 addr->addr32[1] = 0; 1528 addr->addr32[0] = 1529 htonl(ntohl(addr->addr32[0]) + 1); 1530 } else 1531 addr->addr32[1] = 1532 htonl(ntohl(addr->addr32[1]) + 1); 1533 } else 1534 addr->addr32[2] = 1535 htonl(ntohl(addr->addr32[2]) + 1); 1536 } else 1537 addr->addr32[3] = 1538 htonl(ntohl(addr->addr32[3]) + 1); 1539 break; 1540 } 1541 } 1542 #endif /* INET6 */ 1543 1544 #define mix(a,b,c) \ 1545 do { \ 1546 a -= b; a -= c; a ^= (c >> 13); \ 1547 b -= c; b -= a; b ^= (a << 8); \ 1548 c -= a; c -= b; c ^= (b >> 13); \ 1549 a -= b; a -= c; a ^= (c >> 12); \ 1550 b -= c; b -= a; b ^= (a << 16); \ 1551 c -= a; c -= b; c ^= (b >> 5); \ 1552 a -= b; a -= c; a ^= (c >> 3); \ 1553 b -= c; b -= a; b ^= (a << 10); \ 1554 c -= a; c -= b; c ^= (b >> 15); \ 1555 } while (0) 1556 1557 /* 1558 * hash function based on bridge_hash in if_bridge.c 1559 */ 1560 void 1561 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, 1562 struct pf_poolhashkey *key, sa_family_t af) 1563 { 1564 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 1565 1566 switch (af) { 1567 #ifdef INET 1568 case AF_INET: 1569 a += inaddr->addr32[0]; 1570 b += key->key32[1]; 1571 mix(a, b, c); 1572 hash->addr32[0] = c + key->key32[2]; 1573 break; 1574 #endif /* INET */ 1575 #ifdef INET6 1576 case AF_INET6: 1577 a += inaddr->addr32[0]; 1578 b += inaddr->addr32[2]; 1579 mix(a, b, c); 1580 hash->addr32[0] = c; 1581 a += inaddr->addr32[1]; 1582 b += inaddr->addr32[3]; 1583 c += key->key32[1]; 1584 mix(a, b, c); 1585 hash->addr32[1] = c; 1586 a += inaddr->addr32[2]; 1587 b += inaddr->addr32[1]; 1588 c += key->key32[2]; 1589 mix(a, b, c); 1590 hash->addr32[2] = c; 1591 a += inaddr->addr32[3]; 1592 b += inaddr->addr32[0]; 1593 c += key->key32[3]; 1594 mix(a, b, c); 1595 hash->addr32[3] = c; 1596 break; 1597 #endif /* INET6 */ 1598 } 1599 } 1600 1601 int 1602 pf_map_addr(u_int8_t af, struct pf_pool *rpool, struct pf_addr *saddr, 1603 struct pf_addr *naddr, struct pf_addr *init_addr) 1604 { 1605 unsigned char hash[16]; 1606 struct pf_addr *raddr; 1607 struct pf_addr *rmask; 1608 struct pf_pooladdr *acur = rpool->cur; 1609 1610 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 1611 return (1); 1612 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL && 1613 rpool->cur->addr.p.dyn->undefined) 1614 return (1); 1615 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1616 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 1617 return (1); /* unsupported */ 1618 } else { 1619 raddr = &rpool->cur->addr.v.a.addr; 1620 rmask = &rpool->cur->addr.v.a.mask; 1621 } 1622 1623 switch (rpool->opts & PF_POOL_TYPEMASK) { 1624 case PF_POOL_NONE: 1625 PF_ACPY(naddr, raddr, af); 1626 break; 1627 case PF_POOL_BITMASK: 1628 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 1629 break; 1630 case PF_POOL_RANDOM: 1631 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 1632 switch (af) { 1633 #ifdef INET 1634 case AF_INET: 1635 rpool->counter.addr32[0] = arc4random(); 1636 break; 1637 #endif /* INET */ 1638 #ifdef INET6 1639 case AF_INET6: 1640 if (rmask->addr32[3] != 0xffffffff) 1641 rpool->counter.addr32[3] = arc4random(); 1642 else 1643 break; 1644 if (rmask->addr32[2] != 0xffffffff) 1645 rpool->counter.addr32[2] = arc4random(); 1646 else 1647 break; 1648 if (rmask->addr32[1] != 0xffffffff) 1649 rpool->counter.addr32[1] = arc4random(); 1650 else 1651 break; 1652 if (rmask->addr32[0] != 0xffffffff) 1653 rpool->counter.addr32[0] = arc4random(); 1654 break; 1655 #endif /* INET6 */ 1656 } 1657 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1658 PF_ACPY(init_addr, naddr, af); 1659 1660 } else { 1661 PF_AINC(&rpool->counter, af); 1662 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1663 } 1664 break; 1665 case PF_POOL_SRCHASH: 1666 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 1667 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 1668 break; 1669 case PF_POOL_ROUNDROBIN: 1670 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1671 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 1672 &rpool->tblidx, &rpool->counter, 1673 &raddr, &rmask, af)) 1674 goto get_addr; 1675 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 1676 goto get_addr; 1677 1678 try_next: 1679 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) 1680 rpool->cur = TAILQ_FIRST(&rpool->list); 1681 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1682 rpool->tblidx = -1; 1683 if (pfr_pool_get(rpool->cur->addr.p.tbl, 1684 &rpool->tblidx, &rpool->counter, 1685 &raddr, &rmask, af)) { 1686 /* table contain no address of type 'af' */ 1687 if (rpool->cur != acur) 1688 goto try_next; 1689 return (1); 1690 } 1691 } else { 1692 raddr = &rpool->cur->addr.v.a.addr; 1693 rmask = &rpool->cur->addr.v.a.mask; 1694 PF_ACPY(&rpool->counter, raddr, af); 1695 } 1696 1697 get_addr: 1698 PF_ACPY(naddr, &rpool->counter, af); 1699 PF_AINC(&rpool->counter, af); 1700 break; 1701 } 1702 1703 if (pf_status.debug >= PF_DEBUG_MISC && 1704 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1705 printf("pf_map_addr: selected address: "); 1706 pf_print_host(naddr, 0, af); 1707 printf("\n"); 1708 } 1709 1710 return (0); 1711 } 1712 1713 int 1714 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_pool *rpool, 1715 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, 1716 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high) 1717 { 1718 struct pf_state key; 1719 struct pf_addr init_addr; 1720 u_int16_t cut; 1721 1722 bzero(&init_addr, sizeof(init_addr)); 1723 if (pf_map_addr(af, rpool, saddr, naddr, &init_addr)) 1724 return (1); 1725 1726 do { 1727 key.af = af; 1728 key.proto = proto; 1729 PF_ACPY(&key.ext.addr, daddr, key.af); 1730 PF_ACPY(&key.gwy.addr, naddr, key.af); 1731 key.ext.port = dport; 1732 1733 /* 1734 * port search; start random, step; 1735 * similar 2 portloop in in_pcbbind 1736 */ 1737 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { 1738 key.gwy.port = 0; 1739 if (pf_find_state(&key, PF_EXT_GWY) == NULL) 1740 return (0); 1741 } else if (low == 0 && high == 0) { 1742 key.gwy.port = *nport; 1743 if (pf_find_state(&key, PF_EXT_GWY) == NULL) { 1744 return (0); 1745 } 1746 } else if (low == high) { 1747 key.gwy.port = htons(low); 1748 if (pf_find_state(&key, PF_EXT_GWY) == NULL) { 1749 *nport = htons(low); 1750 return (0); 1751 } 1752 } else { 1753 u_int16_t tmp; 1754 1755 if (low > high) { 1756 tmp = low; 1757 low = high; 1758 high = tmp; 1759 } 1760 /* low < high */ 1761 cut = arc4random() % (1 + high - low) + low; 1762 /* low <= cut <= high */ 1763 for (tmp = cut; tmp <= high; ++(tmp)) { 1764 key.gwy.port = htons(tmp); 1765 if (pf_find_state(&key, PF_EXT_GWY) == 1766 NULL) { 1767 *nport = htons(tmp); 1768 return (0); 1769 } 1770 } 1771 for (tmp = cut - 1; tmp >= low; --(tmp)) { 1772 key.gwy.port = htons(tmp); 1773 if (pf_find_state(&key, PF_EXT_GWY) == 1774 NULL) { 1775 *nport = htons(tmp); 1776 return (0); 1777 } 1778 } 1779 } 1780 1781 switch (rpool->opts & PF_POOL_TYPEMASK) { 1782 case PF_POOL_RANDOM: 1783 case PF_POOL_ROUNDROBIN: 1784 if (pf_map_addr(af, rpool, saddr, naddr, &init_addr)) 1785 return (1); 1786 break; 1787 case PF_POOL_NONE: 1788 case PF_POOL_SRCHASH: 1789 case PF_POOL_BITMASK: 1790 default: 1791 return (1); 1792 break; 1793 } 1794 } while (! PF_AEQ(&init_addr, naddr, af) ); 1795 1796 return (1); /* none available */ 1797 } 1798 1799 struct pf_rule * 1800 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 1801 int direction, struct ifnet *ifp, struct pf_addr *saddr, u_int16_t sport, 1802 struct pf_addr *daddr, u_int16_t dport, int rs_num) 1803 { 1804 struct pf_rule *r, *rm = NULL, *anchorrule = NULL; 1805 struct pf_ruleset *ruleset = NULL; 1806 1807 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 1808 while (r && rm == NULL) { 1809 struct pf_rule_addr *src = NULL, *dst = NULL; 1810 struct pf_addr_wrap *xdst = NULL; 1811 1812 if (r->action == PF_BINAT && direction == PF_IN) { 1813 src = &r->dst; 1814 if (r->rpool.cur != NULL) 1815 xdst = &r->rpool.cur->addr; 1816 } else { 1817 src = &r->src; 1818 dst = &r->dst; 1819 } 1820 1821 r->evaluations++; 1822 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 1823 (r->ifp == ifp && r->ifnot))) 1824 r = r->skip[PF_SKIP_IFP].ptr; 1825 else if (r->direction && r->direction != direction) 1826 r = r->skip[PF_SKIP_DIR].ptr; 1827 else if (r->af && r->af != pd->af) 1828 r = r->skip[PF_SKIP_AF].ptr; 1829 else if (r->proto && r->proto != pd->proto) 1830 r = r->skip[PF_SKIP_PROTO].ptr; 1831 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not)) 1832 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 1833 PF_SKIP_DST_ADDR].ptr; 1834 else if (src->port_op && !pf_match_port(src->port_op, 1835 src->port[0], src->port[1], sport)) 1836 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 1837 PF_SKIP_DST_PORT].ptr; 1838 else if (dst != NULL && 1839 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not)) 1840 r = r->skip[PF_SKIP_DST_ADDR].ptr; 1841 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 1842 r = TAILQ_NEXT(r, entries); 1843 else if (dst != NULL && dst->port_op && 1844 !pf_match_port(dst->port_op, dst->port[0], 1845 dst->port[1], dport)) 1846 r = r->skip[PF_SKIP_DST_PORT].ptr; 1847 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 1848 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 1849 off, pd->hdr.tcp), r->os_fingerprint))) 1850 r = TAILQ_NEXT(r, entries); 1851 else if (r->anchorname[0] && r->anchor == NULL) 1852 r = TAILQ_NEXT(r, entries); 1853 else if (r->anchor == NULL) 1854 rm = r; 1855 else 1856 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num); 1857 if (r == NULL && anchorrule != NULL) 1858 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, 1859 rs_num); 1860 } 1861 if (rm != NULL && (rm->action == PF_NONAT || 1862 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 1863 return (NULL); 1864 return (rm); 1865 } 1866 1867 struct pf_rule * 1868 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 1869 struct ifnet *ifp, 1870 struct pf_addr *saddr, u_int16_t sport, 1871 struct pf_addr *daddr, u_int16_t dport, 1872 struct pf_addr *naddr, u_int16_t *nport) 1873 { 1874 struct pf_rule *r = NULL; 1875 1876 if (direction == PF_OUT) { 1877 r = pf_match_translation(pd, m, off, direction, ifp, saddr, 1878 sport, daddr, dport, PF_RULESET_BINAT); 1879 if (r == NULL) 1880 r = pf_match_translation(pd, m, off, direction, ifp, 1881 saddr, sport, daddr, dport, PF_RULESET_NAT); 1882 } else { 1883 r = pf_match_translation(pd, m, off, direction, ifp, saddr, 1884 sport, daddr, dport, PF_RULESET_RDR); 1885 if (r == NULL) 1886 r = pf_match_translation(pd, m, off, direction, ifp, 1887 saddr, sport, daddr, dport, PF_RULESET_BINAT); 1888 } 1889 1890 if (r != NULL) { 1891 switch (r->action) { 1892 case PF_NONAT: 1893 case PF_NOBINAT: 1894 case PF_NORDR: 1895 return (NULL); 1896 break; 1897 case PF_NAT: 1898 if (pf_get_sport(pd->af, pd->proto, &r->rpool, saddr, 1899 daddr, dport, naddr, nport, r->rpool.proxy_port[0], 1900 r->rpool.proxy_port[1])) { 1901 DPFPRINTF(PF_DEBUG_MISC, 1902 ("pf: NAT proxy port allocation " 1903 "(%u-%u) failed\n", 1904 r->rpool.proxy_port[0], 1905 r->rpool.proxy_port[1])); 1906 return (NULL); 1907 } 1908 break; 1909 case PF_BINAT: 1910 switch (direction) { 1911 case PF_OUT: 1912 if (r->rpool.cur->addr.type == 1913 PF_ADDR_DYNIFTL && 1914 r->rpool.cur->addr.p.dyn->undefined) 1915 return (NULL); 1916 else 1917 PF_POOLMASK(naddr, 1918 &r->rpool.cur->addr.v.a.addr, 1919 &r->rpool.cur->addr.v.a.mask, 1920 saddr, pd->af); 1921 break; 1922 case PF_IN: 1923 if (r->src.addr.type == PF_ADDR_DYNIFTL && 1924 r->src.addr.p.dyn->undefined) 1925 return (NULL); 1926 else 1927 PF_POOLMASK(naddr, 1928 &r->src.addr.v.a.addr, 1929 &r->src.addr.v.a.mask, daddr, 1930 pd->af); 1931 break; 1932 } 1933 break; 1934 case PF_RDR: { 1935 if (pf_map_addr(r->af, &r->rpool, saddr, naddr, NULL)) 1936 return (NULL); 1937 1938 if (r->rpool.proxy_port[1]) { 1939 u_int32_t tmp_nport; 1940 1941 tmp_nport = ((ntohs(dport) - 1942 ntohs(r->dst.port[0])) % 1943 (r->rpool.proxy_port[1] - 1944 r->rpool.proxy_port[0] + 1)) + 1945 r->rpool.proxy_port[0]; 1946 1947 /* wrap around if necessary */ 1948 if (tmp_nport > 65535) 1949 tmp_nport -= 65535; 1950 *nport = htons((u_int16_t)tmp_nport); 1951 } else if (r->rpool.proxy_port[0]) 1952 *nport = htons(r->rpool.proxy_port[0]); 1953 break; 1954 } 1955 default: 1956 return (NULL); 1957 break; 1958 } 1959 } 1960 1961 return (r); 1962 } 1963 1964 int 1965 pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) 1966 { 1967 struct pf_addr *saddr, *daddr; 1968 u_int16_t sport, dport; 1969 struct inpcbtable *tb; 1970 struct inpcb *inp; 1971 1972 *uid = UID_MAX; 1973 *gid = GID_MAX; 1974 switch (pd->proto) { 1975 case IPPROTO_TCP: 1976 sport = pd->hdr.tcp->th_sport; 1977 dport = pd->hdr.tcp->th_dport; 1978 tb = &tcbtable; 1979 break; 1980 case IPPROTO_UDP: 1981 sport = pd->hdr.udp->uh_sport; 1982 dport = pd->hdr.udp->uh_dport; 1983 tb = &udbtable; 1984 break; 1985 default: 1986 return (0); 1987 } 1988 if (direction == PF_IN) { 1989 saddr = pd->src; 1990 daddr = pd->dst; 1991 } else { 1992 u_int16_t p; 1993 1994 p = sport; 1995 sport = dport; 1996 dport = p; 1997 saddr = pd->dst; 1998 daddr = pd->src; 1999 } 2000 switch(pd->af) { 2001 case AF_INET: 2002 inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport); 2003 if (inp == NULL) { 2004 inp = in_pcblookup_listen(tb, daddr->v4, dport); 2005 if (inp == NULL) 2006 return (0); 2007 } 2008 break; 2009 #ifdef INET6 2010 case AF_INET6: 2011 inp = in6_pcbhashlookup(tb, &saddr->v6, sport, &daddr->v6, 2012 dport); 2013 if (inp == NULL) { 2014 inp = in6_pcblookup_listen(tb, &daddr->v6, dport); 2015 if (inp == NULL) 2016 return (0); 2017 } 2018 break; 2019 #endif /* INET6 */ 2020 2021 default: 2022 return (0); 2023 } 2024 *uid = inp->inp_socket->so_euid; 2025 *gid = inp->inp_socket->so_egid; 2026 return (1); 2027 } 2028 2029 u_int8_t 2030 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2031 { 2032 int hlen; 2033 u_int8_t hdr[60]; 2034 u_int8_t *opt, optlen; 2035 u_int8_t wscale = 0; 2036 2037 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2038 if (hlen <= sizeof(struct tcphdr)) 2039 return (0); 2040 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2041 return (0); 2042 opt = hdr + sizeof(struct tcphdr); 2043 hlen -= sizeof(struct tcphdr); 2044 while (hlen >= 3) { 2045 switch (*opt) { 2046 case TCPOPT_EOL: 2047 case TCPOPT_NOP: 2048 ++opt; 2049 --hlen; 2050 break; 2051 case TCPOPT_WINDOW: 2052 wscale = opt[2]; 2053 if (wscale > TCP_MAX_WINSHIFT) 2054 wscale = TCP_MAX_WINSHIFT; 2055 wscale |= PF_WSCALE_FLAG; 2056 /* fallthrough */ 2057 default: 2058 optlen = opt[1]; 2059 if (optlen < 2) 2060 optlen = 2; 2061 hlen -= optlen; 2062 opt += optlen; 2063 } 2064 } 2065 return (wscale); 2066 } 2067 2068 u_int16_t 2069 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2070 { 2071 int hlen; 2072 u_int8_t hdr[60]; 2073 u_int8_t *opt, optlen; 2074 u_int16_t mss = tcp_mssdflt; 2075 2076 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2077 if (hlen <= sizeof(struct tcphdr)) 2078 return (0); 2079 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2080 return (0); 2081 opt = hdr + sizeof(struct tcphdr); 2082 hlen -= sizeof(struct tcphdr); 2083 while (hlen >= TCPOLEN_MAXSEG) { 2084 switch (*opt) { 2085 case TCPOPT_EOL: 2086 case TCPOPT_NOP: 2087 ++opt; 2088 --hlen; 2089 break; 2090 case TCPOPT_MAXSEG: 2091 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2); 2092 /* fallthrough */ 2093 default: 2094 optlen = opt[1]; 2095 if (optlen < 2) 2096 optlen = 2; 2097 hlen -= optlen; 2098 opt += optlen; 2099 } 2100 } 2101 return (mss); 2102 } 2103 2104 u_int16_t 2105 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer) 2106 { 2107 #ifdef INET 2108 struct sockaddr_in *dst; 2109 struct route ro; 2110 #endif /* INET */ 2111 #ifdef INET6 2112 struct sockaddr_in6 *dst6; 2113 struct route_in6 ro6; 2114 #endif /* INET6 */ 2115 struct rtentry *rt = NULL; 2116 int hlen; 2117 u_int16_t mss = tcp_mssdflt; 2118 2119 switch (af) { 2120 #ifdef INET 2121 case AF_INET: 2122 hlen = sizeof(struct ip); 2123 bzero(&ro, sizeof(ro)); 2124 dst = (struct sockaddr_in *)&ro.ro_dst; 2125 dst->sin_family = AF_INET; 2126 dst->sin_len = sizeof(*dst); 2127 dst->sin_addr = addr->v4; 2128 rtalloc_noclone(&ro, NO_CLONING); 2129 rt = ro.ro_rt; 2130 break; 2131 #endif /* INET */ 2132 #ifdef INET6 2133 case AF_INET6: 2134 hlen = sizeof(struct ip6_hdr); 2135 bzero(&ro6, sizeof(ro6)); 2136 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst; 2137 dst6->sin6_family = AF_INET6; 2138 dst6->sin6_len = sizeof(*dst6); 2139 dst6->sin6_addr = addr->v6; 2140 rtalloc_noclone((struct route *)&ro6, NO_CLONING); 2141 rt = ro6.ro_rt; 2142 break; 2143 #endif /* INET6 */ 2144 } 2145 2146 if (rt && rt->rt_ifp) { 2147 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2148 mss = max(tcp_mssdflt, mss); 2149 RTFREE(rt); 2150 } 2151 mss = min(mss, offer); 2152 mss = max(mss, 64); /* sanity - at least max opt space */ 2153 return (mss); 2154 } 2155 2156 void 2157 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) 2158 { 2159 struct pf_rule *r = s->rule.ptr; 2160 2161 s->rt_ifp = NULL; 2162 if (!r->rt || r->rt == PF_FASTROUTE) 2163 return; 2164 switch (s->af) { 2165 #ifdef INET 2166 case AF_INET: 2167 pf_map_addr(AF_INET, &r->rpool, saddr, 2168 &s->rt_addr, NULL); 2169 s->rt_ifp = r->rpool.cur->ifp; 2170 break; 2171 #endif /* INET */ 2172 #ifdef INET6 2173 case AF_INET6: 2174 pf_map_addr(AF_INET6, &r->rpool, saddr, 2175 &s->rt_addr, NULL); 2176 s->rt_ifp = r->rpool.cur->ifp; 2177 break; 2178 #endif /* INET6 */ 2179 } 2180 } 2181 2182 int 2183 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, 2184 struct ifnet *ifp, struct mbuf *m, int off, void *h, 2185 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2186 { 2187 struct pf_rule *nat = NULL, *rdr = NULL; 2188 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2189 struct pf_addr baddr, naddr; 2190 struct tcphdr *th = pd->hdr.tcp; 2191 u_int16_t bport, nport = 0; 2192 sa_family_t af = pd->af; 2193 int lookup = -1; 2194 uid_t uid; 2195 gid_t gid; 2196 struct pf_rule *r, *a = NULL; 2197 struct pf_ruleset *ruleset = NULL; 2198 u_short reason; 2199 int rewrite = 0; 2200 struct pf_tag *pftag = NULL; 2201 int tag = -1; 2202 u_int16_t mss = tcp_mssdflt; 2203 2204 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2205 2206 if (direction == PF_OUT) { 2207 bport = nport = th->th_sport; 2208 /* check outgoing packet for BINAT/NAT */ 2209 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, 2210 saddr, th->th_sport, daddr, th->th_dport, 2211 &naddr, &nport)) != NULL) { 2212 PF_ACPY(&baddr, saddr, af); 2213 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2214 &th->th_sum, &naddr, nport, 0, af); 2215 rewrite++; 2216 if (nat->natpass) 2217 r = NULL; 2218 } 2219 } else { 2220 bport = nport = th->th_dport; 2221 /* check incoming packet for BINAT/RDR */ 2222 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 2223 th->th_sport, daddr, th->th_dport, 2224 &naddr, &nport)) != NULL) { 2225 PF_ACPY(&baddr, daddr, af); 2226 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2227 &th->th_sum, &naddr, nport, 0, af); 2228 rewrite++; 2229 if (rdr->natpass) 2230 r = NULL; 2231 } 2232 } 2233 2234 while (r != NULL) { 2235 r->evaluations++; 2236 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 2237 (r->ifp == ifp && r->ifnot))) 2238 r = r->skip[PF_SKIP_IFP].ptr; 2239 else if (r->direction && r->direction != direction) 2240 r = r->skip[PF_SKIP_DIR].ptr; 2241 else if (r->af && r->af != af) 2242 r = r->skip[PF_SKIP_AF].ptr; 2243 else if (r->proto && r->proto != IPPROTO_TCP) 2244 r = r->skip[PF_SKIP_PROTO].ptr; 2245 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2246 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2247 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2248 r->src.port[0], r->src.port[1], th->th_sport)) 2249 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2250 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2251 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2252 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2253 r->dst.port[0], r->dst.port[1], th->th_dport)) 2254 r = r->skip[PF_SKIP_DST_PORT].ptr; 2255 else if (r->tos && !(r->tos & pd->tos)) 2256 r = TAILQ_NEXT(r, entries); 2257 else if (r->rule_flag & PFRULE_FRAGMENT) 2258 r = TAILQ_NEXT(r, entries); 2259 else if ((r->flagset & th->th_flags) != r->flags) 2260 r = TAILQ_NEXT(r, entries); 2261 else if (r->uid.op && (lookup != -1 || (lookup = 2262 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2263 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2264 uid)) 2265 r = TAILQ_NEXT(r, entries); 2266 else if (r->gid.op && (lookup != -1 || (lookup = 2267 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2268 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2269 gid)) 2270 r = TAILQ_NEXT(r, entries); 2271 else if (r->match_tag && 2272 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 2273 r = TAILQ_NEXT(r, entries); 2274 else if (r->anchorname[0] && r->anchor == NULL) 2275 r = TAILQ_NEXT(r, entries); 2276 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 2277 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 2278 r = TAILQ_NEXT(r, entries); 2279 else { 2280 if (r->tag) 2281 tag = r->tag; 2282 if (r->anchor == NULL) { 2283 *rm = r; 2284 *am = a; 2285 *rsm = ruleset; 2286 if ((*rm)->quick) 2287 break; 2288 r = TAILQ_NEXT(r, entries); 2289 } else 2290 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2291 PF_RULESET_FILTER); 2292 } 2293 if (r == NULL && a != NULL) 2294 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2295 PF_RULESET_FILTER); 2296 } 2297 r = *rm; 2298 a = *am; 2299 ruleset = *rsm; 2300 2301 REASON_SET(&reason, PFRES_MATCH); 2302 2303 if (r->log) { 2304 if (rewrite) 2305 m_copyback(m, off, sizeof(*th), th); 2306 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 2307 } 2308 2309 if ((r->action == PF_DROP) && 2310 ((r->rule_flag & PFRULE_RETURNRST) || 2311 (r->rule_flag & PFRULE_RETURNICMP) || 2312 (r->rule_flag & PFRULE_RETURN))) { 2313 /* undo NAT changes, if they have taken place */ 2314 if (nat != NULL) { 2315 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2316 &th->th_sum, &baddr, bport, 0, af); 2317 rewrite++; 2318 } else if (rdr != NULL) { 2319 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2320 &th->th_sum, &baddr, bport, 0, af); 2321 rewrite++; 2322 } 2323 if (((r->rule_flag & PFRULE_RETURNRST) || 2324 (r->rule_flag & PFRULE_RETURN)) && 2325 !(th->th_flags & TH_RST)) { 2326 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 2327 2328 if (th->th_flags & TH_SYN) 2329 ack++; 2330 if (th->th_flags & TH_FIN) 2331 ack++; 2332 pf_send_tcp(r, af, pd->dst, 2333 pd->src, th->th_dport, th->th_sport, 2334 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, 2335 r->return_ttl); 2336 } else if ((af == AF_INET) && r->return_icmp) 2337 pf_send_icmp(m, r->return_icmp >> 8, 2338 r->return_icmp & 255, af, r); 2339 else if ((af == AF_INET6) && r->return_icmp6) 2340 pf_send_icmp(m, r->return_icmp6 >> 8, 2341 r->return_icmp6 & 255, af, r); 2342 } 2343 2344 if (r->action == PF_DROP) 2345 return (PF_DROP); 2346 2347 if (pf_tag_packet(m, pftag, tag)) { 2348 REASON_SET(&reason, PFRES_MEMORY); 2349 return (PF_DROP); 2350 } 2351 2352 if (r->keep_state || nat != NULL || rdr != NULL || 2353 (pd->flags & PFDESC_TCP_NORM)) { 2354 /* create new state */ 2355 u_int16_t len; 2356 struct pf_state *s = NULL; 2357 2358 len = pd->tot_len - off - (th->th_off << 2); 2359 if (!r->max_states || r->states < r->max_states) 2360 s = pool_get(&pf_state_pl, PR_NOWAIT); 2361 if (s == NULL) { 2362 REASON_SET(&reason, PFRES_MEMORY); 2363 return (PF_DROP); 2364 } 2365 bzero(s, sizeof(*s)); 2366 r->states++; 2367 if (a != NULL) 2368 a->states++; 2369 s->rule.ptr = r; 2370 if (nat != NULL) 2371 s->nat_rule.ptr = nat; 2372 else 2373 s->nat_rule.ptr = rdr; 2374 if (s->nat_rule.ptr != NULL) 2375 s->nat_rule.ptr->states++; 2376 s->anchor.ptr = a; 2377 s->allow_opts = r->allow_opts; 2378 s->log = r->log & 2; 2379 s->proto = IPPROTO_TCP; 2380 s->direction = direction; 2381 s->af = af; 2382 if (direction == PF_OUT) { 2383 PF_ACPY(&s->gwy.addr, saddr, af); 2384 s->gwy.port = th->th_sport; /* sport */ 2385 PF_ACPY(&s->ext.addr, daddr, af); 2386 s->ext.port = th->th_dport; 2387 if (nat != NULL) { 2388 PF_ACPY(&s->lan.addr, &baddr, af); 2389 s->lan.port = bport; 2390 } else { 2391 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2392 s->lan.port = s->gwy.port; 2393 } 2394 } else { 2395 PF_ACPY(&s->lan.addr, daddr, af); 2396 s->lan.port = th->th_dport; 2397 PF_ACPY(&s->ext.addr, saddr, af); 2398 s->ext.port = th->th_sport; 2399 if (rdr != NULL) { 2400 PF_ACPY(&s->gwy.addr, &baddr, af); 2401 s->gwy.port = bport; 2402 } else { 2403 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2404 s->gwy.port = s->lan.port; 2405 } 2406 } 2407 2408 s->src.seqlo = ntohl(th->th_seq); 2409 s->src.seqhi = s->src.seqlo + len + 1; 2410 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2411 r->keep_state == PF_STATE_MODULATE) { 2412 /* Generate sequence number modulator */ 2413 while ((s->src.seqdiff = arc4random()) == 0) 2414 ; 2415 pf_change_a(&th->th_seq, &th->th_sum, 2416 htonl(s->src.seqlo + s->src.seqdiff), 0); 2417 rewrite = 1; 2418 } else 2419 s->src.seqdiff = 0; 2420 if (th->th_flags & TH_SYN) { 2421 s->src.seqhi++; 2422 s->src.wscale = pf_get_wscale(m, off, th->th_off, af); 2423 } 2424 s->src.max_win = MAX(ntohs(th->th_win), 1); 2425 if (s->src.wscale & PF_WSCALE_MASK) { 2426 /* Remove scale factor from initial window */ 2427 int win = s->src.max_win; 2428 win += 1 << (s->src.wscale & PF_WSCALE_MASK); 2429 s->src.max_win = (win - 1) >> 2430 (s->src.wscale & PF_WSCALE_MASK); 2431 } 2432 if (th->th_flags & TH_FIN) 2433 s->src.seqhi++; 2434 s->dst.seqhi = 1; 2435 s->dst.max_win = 1; 2436 s->src.state = TCPS_SYN_SENT; 2437 s->dst.state = TCPS_CLOSED; 2438 s->creation = time.tv_sec; 2439 s->expire = time.tv_sec; 2440 s->timeout = PFTM_TCP_FIRST_PACKET; 2441 pf_set_rt_ifp(s, saddr); 2442 2443 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 2444 off, pd, th, &s->src, &s->dst)) { 2445 REASON_SET(&reason, PFRES_MEMORY); 2446 pool_put(&pf_state_pl, s); 2447 return (PF_DROP); 2448 } 2449 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && 2450 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src, 2451 &s->dst, &rewrite)) { 2452 pf_normalize_tcp_cleanup(s); 2453 pool_put(&pf_state_pl, s); 2454 return (PF_DROP); 2455 } 2456 if (pf_insert_state(s)) { 2457 pf_normalize_tcp_cleanup(s); 2458 REASON_SET(&reason, PFRES_MEMORY); 2459 pool_put(&pf_state_pl, s); 2460 return (PF_DROP); 2461 } else 2462 *sm = s; 2463 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2464 r->keep_state == PF_STATE_SYNPROXY) { 2465 s->src.state = PF_TCPS_PROXY_SRC; 2466 if (nat != NULL) 2467 pf_change_ap(saddr, &th->th_sport, 2468 pd->ip_sum, &th->th_sum, &baddr, 2469 bport, 0, af); 2470 else if (rdr != NULL) 2471 pf_change_ap(daddr, &th->th_dport, 2472 pd->ip_sum, &th->th_sum, &baddr, 2473 bport, 0, af); 2474 s->src.seqhi = arc4random(); 2475 /* Find mss option */ 2476 mss = pf_get_mss(m, off, th->th_off, af); 2477 mss = pf_calc_mss(saddr, af, mss); 2478 mss = pf_calc_mss(daddr, af, mss); 2479 s->src.mss = mss; 2480 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 2481 th->th_sport, s->src.seqhi, 2482 ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, s->src.mss, 0); 2483 return (PF_SYNPROXY_DROP); 2484 } 2485 } 2486 2487 /* copy back packet headers if we performed NAT operations */ 2488 if (rewrite) 2489 m_copyback(m, off, sizeof(*th), th); 2490 2491 return (PF_PASS); 2492 } 2493 2494 int 2495 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, 2496 struct ifnet *ifp, struct mbuf *m, int off, void *h, 2497 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2498 { 2499 struct pf_rule *nat = NULL, *rdr = NULL; 2500 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2501 struct pf_addr baddr, naddr; 2502 struct udphdr *uh = pd->hdr.udp; 2503 u_int16_t bport, nport = 0; 2504 sa_family_t af = pd->af; 2505 int lookup = -1; 2506 uid_t uid; 2507 gid_t gid; 2508 struct pf_rule *r, *a = NULL; 2509 struct pf_ruleset *ruleset = NULL; 2510 u_short reason; 2511 int rewrite = 0; 2512 struct pf_tag *pftag = NULL; 2513 int tag = -1; 2514 2515 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2516 2517 if (direction == PF_OUT) { 2518 bport = nport = uh->uh_sport; 2519 /* check outgoing packet for BINAT/NAT */ 2520 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, 2521 saddr, uh->uh_sport, daddr, uh->uh_dport, 2522 &naddr, &nport)) != NULL) { 2523 PF_ACPY(&baddr, saddr, af); 2524 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2525 &uh->uh_sum, &naddr, nport, 1, af); 2526 rewrite++; 2527 if (nat->natpass) 2528 r = NULL; 2529 } 2530 } else { 2531 bport = nport = uh->uh_dport; 2532 /* check incoming packet for BINAT/RDR */ 2533 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 2534 uh->uh_sport, daddr, uh->uh_dport, &naddr, &nport)) 2535 != NULL) { 2536 PF_ACPY(&baddr, daddr, af); 2537 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2538 &uh->uh_sum, &naddr, nport, 1, af); 2539 rewrite++; 2540 if (rdr->natpass) 2541 r = NULL; 2542 } 2543 } 2544 2545 while (r != NULL) { 2546 r->evaluations++; 2547 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 2548 (r->ifp == ifp && r->ifnot))) 2549 r = r->skip[PF_SKIP_IFP].ptr; 2550 else if (r->direction && r->direction != direction) 2551 r = r->skip[PF_SKIP_DIR].ptr; 2552 else if (r->af && r->af != af) 2553 r = r->skip[PF_SKIP_AF].ptr; 2554 else if (r->proto && r->proto != IPPROTO_UDP) 2555 r = r->skip[PF_SKIP_PROTO].ptr; 2556 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2557 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2558 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2559 r->src.port[0], r->src.port[1], uh->uh_sport)) 2560 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2561 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2562 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2563 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2564 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 2565 r = r->skip[PF_SKIP_DST_PORT].ptr; 2566 else if (r->tos && !(r->tos & pd->tos)) 2567 r = TAILQ_NEXT(r, entries); 2568 else if (r->rule_flag & PFRULE_FRAGMENT) 2569 r = TAILQ_NEXT(r, entries); 2570 else if (r->uid.op && (lookup != -1 || (lookup = 2571 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2572 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2573 uid)) 2574 r = TAILQ_NEXT(r, entries); 2575 else if (r->gid.op && (lookup != -1 || (lookup = 2576 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2577 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2578 gid)) 2579 r = TAILQ_NEXT(r, entries); 2580 else if (r->match_tag && 2581 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 2582 r = TAILQ_NEXT(r, entries); 2583 else if (r->anchorname[0] && r->anchor == NULL) 2584 r = TAILQ_NEXT(r, entries); 2585 else if (r->os_fingerprint != PF_OSFP_ANY) 2586 r = TAILQ_NEXT(r, entries); 2587 else { 2588 if (r->tag) 2589 tag = r->tag; 2590 if (r->anchor == NULL) { 2591 *rm = r; 2592 *am = a; 2593 *rsm = ruleset; 2594 if ((*rm)->quick) 2595 break; 2596 r = TAILQ_NEXT(r, entries); 2597 } else 2598 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2599 PF_RULESET_FILTER); 2600 } 2601 if (r == NULL && a != NULL) 2602 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2603 PF_RULESET_FILTER); 2604 } 2605 r = *rm; 2606 a = *am; 2607 ruleset = *rsm; 2608 2609 REASON_SET(&reason, PFRES_MATCH); 2610 2611 if (r->log) { 2612 if (rewrite) 2613 m_copyback(m, off, sizeof(*uh), uh); 2614 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 2615 } 2616 2617 if ((r->action == PF_DROP) && 2618 ((r->rule_flag & PFRULE_RETURNICMP) || 2619 (r->rule_flag & PFRULE_RETURN))) { 2620 /* undo NAT changes, if they have taken place */ 2621 if (nat != NULL) { 2622 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2623 &uh->uh_sum, &baddr, bport, 1, af); 2624 rewrite++; 2625 } else if (rdr != NULL) { 2626 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2627 &uh->uh_sum, &baddr, bport, 1, af); 2628 rewrite++; 2629 } 2630 if ((af == AF_INET) && r->return_icmp) 2631 pf_send_icmp(m, r->return_icmp >> 8, 2632 r->return_icmp & 255, af, r); 2633 else if ((af == AF_INET6) && r->return_icmp6) 2634 pf_send_icmp(m, r->return_icmp6 >> 8, 2635 r->return_icmp6 & 255, af, r); 2636 } 2637 2638 if (r->action == PF_DROP) 2639 return (PF_DROP); 2640 2641 if (pf_tag_packet(m, pftag, tag)) { 2642 REASON_SET(&reason, PFRES_MEMORY); 2643 return (PF_DROP); 2644 } 2645 2646 if (r->keep_state || nat != NULL || rdr != NULL) { 2647 /* create new state */ 2648 struct pf_state *s = NULL; 2649 2650 if (!r->max_states || r->states < r->max_states) 2651 s = pool_get(&pf_state_pl, PR_NOWAIT); 2652 if (s == NULL) { 2653 REASON_SET(&reason, PFRES_MEMORY); 2654 return (PF_DROP); 2655 } 2656 bzero(s, sizeof(*s)); 2657 r->states++; 2658 if (a != NULL) 2659 a->states++; 2660 s->rule.ptr = r; 2661 if (nat != NULL) 2662 s->nat_rule.ptr = nat; 2663 else 2664 s->nat_rule.ptr = rdr; 2665 if (s->nat_rule.ptr != NULL) 2666 s->nat_rule.ptr->states++; 2667 s->anchor.ptr = a; 2668 s->allow_opts = r->allow_opts; 2669 s->log = r->log & 2; 2670 s->proto = IPPROTO_UDP; 2671 s->direction = direction; 2672 s->af = af; 2673 if (direction == PF_OUT) { 2674 PF_ACPY(&s->gwy.addr, saddr, af); 2675 s->gwy.port = uh->uh_sport; 2676 PF_ACPY(&s->ext.addr, daddr, af); 2677 s->ext.port = uh->uh_dport; 2678 if (nat != NULL) { 2679 PF_ACPY(&s->lan.addr, &baddr, af); 2680 s->lan.port = bport; 2681 } else { 2682 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2683 s->lan.port = s->gwy.port; 2684 } 2685 } else { 2686 PF_ACPY(&s->lan.addr, daddr, af); 2687 s->lan.port = uh->uh_dport; 2688 PF_ACPY(&s->ext.addr, saddr, af); 2689 s->ext.port = uh->uh_sport; 2690 if (rdr != NULL) { 2691 PF_ACPY(&s->gwy.addr, &baddr, af); 2692 s->gwy.port = bport; 2693 } else { 2694 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2695 s->gwy.port = s->lan.port; 2696 } 2697 } 2698 s->src.state = PFUDPS_SINGLE; 2699 s->dst.state = PFUDPS_NO_TRAFFIC; 2700 s->creation = time.tv_sec; 2701 s->expire = time.tv_sec; 2702 s->timeout = PFTM_UDP_FIRST_PACKET; 2703 pf_set_rt_ifp(s, saddr); 2704 if (pf_insert_state(s)) { 2705 REASON_SET(&reason, PFRES_MEMORY); 2706 pool_put(&pf_state_pl, s); 2707 return (PF_DROP); 2708 } else 2709 *sm = s; 2710 } 2711 2712 /* copy back packet headers if we performed NAT operations */ 2713 if (rewrite) 2714 m_copyback(m, off, sizeof(*uh), uh); 2715 2716 return (PF_PASS); 2717 } 2718 2719 int 2720 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, 2721 struct ifnet *ifp, struct mbuf *m, int off, void *h, 2722 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2723 { 2724 struct pf_rule *nat = NULL, *rdr = NULL; 2725 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2726 struct pf_addr baddr, naddr; 2727 struct pf_rule *r, *a = NULL; 2728 struct pf_ruleset *ruleset = NULL; 2729 u_short reason; 2730 u_int16_t icmpid; 2731 sa_family_t af = pd->af; 2732 u_int8_t icmptype, icmpcode; 2733 int state_icmp = 0; 2734 struct pf_tag *pftag = NULL; 2735 int tag = -1; 2736 #ifdef INET6 2737 int rewrite = 0; 2738 #endif /* INET6 */ 2739 2740 switch (pd->proto) { 2741 #ifdef INET 2742 case IPPROTO_ICMP: 2743 icmptype = pd->hdr.icmp->icmp_type; 2744 icmpcode = pd->hdr.icmp->icmp_code; 2745 icmpid = pd->hdr.icmp->icmp_id; 2746 2747 if (icmptype == ICMP_UNREACH || 2748 icmptype == ICMP_SOURCEQUENCH || 2749 icmptype == ICMP_REDIRECT || 2750 icmptype == ICMP_TIMXCEED || 2751 icmptype == ICMP_PARAMPROB) 2752 state_icmp++; 2753 break; 2754 #endif /* INET */ 2755 #ifdef INET6 2756 case IPPROTO_ICMPV6: 2757 icmptype = pd->hdr.icmp6->icmp6_type; 2758 icmpcode = pd->hdr.icmp6->icmp6_code; 2759 icmpid = pd->hdr.icmp6->icmp6_id; 2760 2761 if (icmptype == ICMP6_DST_UNREACH || 2762 icmptype == ICMP6_PACKET_TOO_BIG || 2763 icmptype == ICMP6_TIME_EXCEEDED || 2764 icmptype == ICMP6_PARAM_PROB) 2765 state_icmp++; 2766 break; 2767 #endif /* INET6 */ 2768 } 2769 2770 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2771 2772 if (direction == PF_OUT) { 2773 /* check outgoing packet for BINAT/NAT */ 2774 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, saddr, 0, 2775 daddr, 0, &naddr, NULL)) != NULL) { 2776 PF_ACPY(&baddr, saddr, af); 2777 switch (af) { 2778 #ifdef INET 2779 case AF_INET: 2780 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 2781 naddr.v4.s_addr, 0); 2782 break; 2783 #endif /* INET */ 2784 #ifdef INET6 2785 case AF_INET6: 2786 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, 2787 &naddr, 0); 2788 rewrite++; 2789 break; 2790 #endif /* INET6 */ 2791 } 2792 if (nat->natpass) 2793 r = NULL; 2794 } 2795 } else { 2796 /* check incoming packet for BINAT/RDR */ 2797 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 0, 2798 daddr, 0, &naddr, NULL)) != NULL) { 2799 PF_ACPY(&baddr, daddr, af); 2800 switch (af) { 2801 #ifdef INET 2802 case AF_INET: 2803 pf_change_a(&daddr->v4.s_addr, 2804 pd->ip_sum, naddr.v4.s_addr, 0); 2805 break; 2806 #endif /* INET */ 2807 #ifdef INET6 2808 case AF_INET6: 2809 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, 2810 &naddr, 0); 2811 rewrite++; 2812 break; 2813 #endif /* INET6 */ 2814 } 2815 if (rdr->natpass) 2816 r = NULL; 2817 } 2818 } 2819 2820 while (r != NULL) { 2821 r->evaluations++; 2822 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 2823 (r->ifp == ifp && r->ifnot))) 2824 r = r->skip[PF_SKIP_IFP].ptr; 2825 else if (r->direction && r->direction != direction) 2826 r = r->skip[PF_SKIP_DIR].ptr; 2827 else if (r->af && r->af != af) 2828 r = r->skip[PF_SKIP_AF].ptr; 2829 else if (r->proto && r->proto != pd->proto) 2830 r = r->skip[PF_SKIP_PROTO].ptr; 2831 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2832 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2833 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2834 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2835 else if (r->type && r->type != icmptype + 1) 2836 r = TAILQ_NEXT(r, entries); 2837 else if (r->code && r->code != icmpcode + 1) 2838 r = TAILQ_NEXT(r, entries); 2839 else if (r->tos && !(r->tos & pd->tos)) 2840 r = TAILQ_NEXT(r, entries); 2841 else if (r->rule_flag & PFRULE_FRAGMENT) 2842 r = TAILQ_NEXT(r, entries); 2843 else if (r->match_tag && 2844 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 2845 r = TAILQ_NEXT(r, entries); 2846 else if (r->anchorname[0] && r->anchor == NULL) 2847 r = TAILQ_NEXT(r, entries); 2848 else if (r->os_fingerprint != PF_OSFP_ANY) 2849 r = TAILQ_NEXT(r, entries); 2850 else { 2851 if (r->tag) 2852 tag = r->tag; 2853 if (r->anchor == NULL) { 2854 *rm = r; 2855 *am = a; 2856 *rsm = ruleset; 2857 if ((*rm)->quick) 2858 break; 2859 r = TAILQ_NEXT(r, entries); 2860 } else 2861 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2862 PF_RULESET_FILTER); 2863 } 2864 if (r == NULL && a != NULL) 2865 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2866 PF_RULESET_FILTER); 2867 } 2868 r = *rm; 2869 a = *am; 2870 ruleset = *rsm; 2871 2872 REASON_SET(&reason, PFRES_MATCH); 2873 2874 if (r->log) { 2875 #ifdef INET6 2876 if (rewrite) 2877 m_copyback(m, off, sizeof(struct icmp6_hdr), 2878 pd->hdr.icmp6); 2879 #endif /* INET6 */ 2880 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 2881 } 2882 2883 if (r->action != PF_PASS) 2884 return (PF_DROP); 2885 2886 if (pf_tag_packet(m, pftag, tag)) { 2887 REASON_SET(&reason, PFRES_MEMORY); 2888 return (PF_DROP); 2889 } 2890 2891 if (!state_icmp && (r->keep_state || 2892 nat != NULL || rdr != NULL)) { 2893 /* create new state */ 2894 struct pf_state *s = NULL; 2895 2896 if (!r->max_states || r->states < r->max_states) 2897 s = pool_get(&pf_state_pl, PR_NOWAIT); 2898 if (s == NULL) { 2899 REASON_SET(&reason, PFRES_MEMORY); 2900 return (PF_DROP); 2901 } 2902 bzero(s, sizeof(*s)); 2903 r->states++; 2904 if (a != NULL) 2905 a->states++; 2906 s->rule.ptr = r; 2907 if (nat != NULL) 2908 s->nat_rule.ptr = nat; 2909 else 2910 s->nat_rule.ptr = rdr; 2911 if (s->nat_rule.ptr != NULL) 2912 s->nat_rule.ptr->states++; 2913 s->anchor.ptr = a; 2914 s->allow_opts = r->allow_opts; 2915 s->log = r->log & 2; 2916 s->proto = pd->proto; 2917 s->direction = direction; 2918 s->af = af; 2919 if (direction == PF_OUT) { 2920 PF_ACPY(&s->gwy.addr, saddr, af); 2921 s->gwy.port = icmpid; 2922 PF_ACPY(&s->ext.addr, daddr, af); 2923 s->ext.port = icmpid; 2924 if (nat != NULL) 2925 PF_ACPY(&s->lan.addr, &baddr, af); 2926 else 2927 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2928 s->lan.port = icmpid; 2929 } else { 2930 PF_ACPY(&s->lan.addr, daddr, af); 2931 s->lan.port = icmpid; 2932 PF_ACPY(&s->ext.addr, saddr, af); 2933 s->ext.port = icmpid; 2934 if (rdr != NULL) 2935 PF_ACPY(&s->gwy.addr, &baddr, af); 2936 else 2937 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2938 s->gwy.port = icmpid; 2939 } 2940 s->creation = time.tv_sec; 2941 s->expire = time.tv_sec; 2942 s->timeout = PFTM_ICMP_FIRST_PACKET; 2943 pf_set_rt_ifp(s, saddr); 2944 if (pf_insert_state(s)) { 2945 REASON_SET(&reason, PFRES_MEMORY); 2946 pool_put(&pf_state_pl, s); 2947 return (PF_DROP); 2948 } else 2949 *sm = s; 2950 } 2951 2952 #ifdef INET6 2953 /* copy back packet headers if we performed IPv6 NAT operations */ 2954 if (rewrite) 2955 m_copyback(m, off, sizeof(struct icmp6_hdr), 2956 pd->hdr.icmp6); 2957 #endif /* INET6 */ 2958 2959 return (PF_PASS); 2960 } 2961 2962 int 2963 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, 2964 struct ifnet *ifp, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 2965 struct pf_rule **am, struct pf_ruleset **rsm) 2966 { 2967 struct pf_rule *nat = NULL, *rdr = NULL; 2968 struct pf_rule *r, *a = NULL; 2969 struct pf_ruleset *ruleset = NULL; 2970 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2971 struct pf_addr baddr, naddr; 2972 sa_family_t af = pd->af; 2973 u_short reason; 2974 struct pf_tag *pftag = NULL; 2975 int tag = -1; 2976 2977 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2978 2979 if (direction == PF_OUT) { 2980 /* check outgoing packet for BINAT/NAT */ 2981 if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, saddr, 0, 2982 daddr, 0, &naddr, NULL)) != NULL) { 2983 PF_ACPY(&baddr, saddr, af); 2984 switch (af) { 2985 #ifdef INET 2986 case AF_INET: 2987 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 2988 naddr.v4.s_addr, 0); 2989 break; 2990 #endif /* INET */ 2991 #ifdef INET6 2992 case AF_INET6: 2993 PF_ACPY(saddr, &naddr, af); 2994 break; 2995 #endif /* INET6 */ 2996 } 2997 if (nat->natpass) 2998 r = NULL; 2999 } 3000 } else { 3001 /* check incoming packet for BINAT/RDR */ 3002 if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 0, 3003 daddr, 0, &naddr, NULL)) != NULL) { 3004 PF_ACPY(&baddr, daddr, af); 3005 switch (af) { 3006 #ifdef INET 3007 case AF_INET: 3008 pf_change_a(&daddr->v4.s_addr, 3009 pd->ip_sum, naddr.v4.s_addr, 0); 3010 break; 3011 #endif /* INET */ 3012 #ifdef INET6 3013 case AF_INET6: 3014 PF_ACPY(daddr, &naddr, af); 3015 break; 3016 #endif /* INET6 */ 3017 } 3018 if (rdr->natpass) 3019 r = NULL; 3020 } 3021 } 3022 3023 while (r != NULL) { 3024 r->evaluations++; 3025 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 3026 (r->ifp == ifp && r->ifnot))) 3027 r = r->skip[PF_SKIP_IFP].ptr; 3028 else if (r->direction && r->direction != direction) 3029 r = r->skip[PF_SKIP_DIR].ptr; 3030 else if (r->af && r->af != af) 3031 r = r->skip[PF_SKIP_AF].ptr; 3032 else if (r->proto && r->proto != pd->proto) 3033 r = r->skip[PF_SKIP_PROTO].ptr; 3034 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3035 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3036 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3037 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3038 else if (r->tos && !(r->tos & pd->tos)) 3039 r = TAILQ_NEXT(r, entries); 3040 else if (r->rule_flag & PFRULE_FRAGMENT) 3041 r = TAILQ_NEXT(r, entries); 3042 else if (r->match_tag && 3043 !pf_match_tag(m, r, nat, rdr, pftag, &tag)) 3044 r = TAILQ_NEXT(r, entries); 3045 else if (r->anchorname[0] && r->anchor == NULL) 3046 r = TAILQ_NEXT(r, entries); 3047 else if (r->os_fingerprint != PF_OSFP_ANY) 3048 r = TAILQ_NEXT(r, entries); 3049 else { 3050 if (r->tag) 3051 tag = r->tag; 3052 if (r->anchor == NULL) { 3053 *rm = r; 3054 *am = a; 3055 *rsm = ruleset; 3056 if ((*rm)->quick) 3057 break; 3058 r = TAILQ_NEXT(r, entries); 3059 } else 3060 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3061 PF_RULESET_FILTER); 3062 } 3063 if (r == NULL && a != NULL) 3064 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3065 PF_RULESET_FILTER); 3066 } 3067 r = *rm; 3068 a = *am; 3069 ruleset = *rsm; 3070 3071 REASON_SET(&reason, PFRES_MATCH); 3072 3073 if (r->log) 3074 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 3075 3076 if ((r->action == PF_DROP) && 3077 ((r->rule_flag & PFRULE_RETURNICMP) || 3078 (r->rule_flag & PFRULE_RETURN))) { 3079 struct pf_addr *a = NULL; 3080 3081 if (nat != NULL) 3082 a = saddr; 3083 else if (rdr != NULL) 3084 a = daddr; 3085 if (a != NULL) { 3086 switch (af) { 3087 #ifdef INET 3088 case AF_INET: 3089 pf_change_a(&a->v4.s_addr, pd->ip_sum, 3090 baddr.v4.s_addr, 0); 3091 break; 3092 #endif /* INET */ 3093 #ifdef INET6 3094 case AF_INET6: 3095 PF_ACPY(a, &baddr, af); 3096 break; 3097 #endif /* INET6 */ 3098 } 3099 } 3100 if ((af == AF_INET) && r->return_icmp) 3101 pf_send_icmp(m, r->return_icmp >> 8, 3102 r->return_icmp & 255, af, r); 3103 else if ((af == AF_INET6) && r->return_icmp6) 3104 pf_send_icmp(m, r->return_icmp6 >> 8, 3105 r->return_icmp6 & 255, af, r); 3106 } 3107 3108 if (r->action != PF_PASS) 3109 return (PF_DROP); 3110 3111 if (pf_tag_packet(m, pftag, tag)) { 3112 REASON_SET(&reason, PFRES_MEMORY); 3113 return (PF_DROP); 3114 } 3115 3116 if (r->keep_state || nat != NULL || rdr != NULL) { 3117 /* create new state */ 3118 struct pf_state *s = NULL; 3119 3120 if (!r->max_states || r->states < r->max_states) 3121 s = pool_get(&pf_state_pl, PR_NOWAIT); 3122 if (s == NULL) { 3123 REASON_SET(&reason, PFRES_MEMORY); 3124 return (PF_DROP); 3125 } 3126 bzero(s, sizeof(*s)); 3127 r->states++; 3128 if (a != NULL) 3129 a->states++; 3130 s->rule.ptr = r; 3131 if (nat != NULL) 3132 s->nat_rule.ptr = nat; 3133 else 3134 s->nat_rule.ptr = rdr; 3135 if (s->nat_rule.ptr != NULL) 3136 s->nat_rule.ptr->states++; 3137 s->anchor.ptr = a; 3138 s->allow_opts = r->allow_opts; 3139 s->log = r->log & 2; 3140 s->proto = pd->proto; 3141 s->direction = direction; 3142 s->af = af; 3143 if (direction == PF_OUT) { 3144 PF_ACPY(&s->gwy.addr, saddr, af); 3145 PF_ACPY(&s->ext.addr, daddr, af); 3146 if (nat != NULL) 3147 PF_ACPY(&s->lan.addr, &baddr, af); 3148 else 3149 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3150 } else { 3151 PF_ACPY(&s->lan.addr, daddr, af); 3152 PF_ACPY(&s->ext.addr, saddr, af); 3153 if (rdr != NULL) 3154 PF_ACPY(&s->gwy.addr, &baddr, af); 3155 else 3156 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3157 } 3158 s->src.state = PFOTHERS_SINGLE; 3159 s->dst.state = PFOTHERS_NO_TRAFFIC; 3160 s->creation = time.tv_sec; 3161 s->expire = time.tv_sec; 3162 s->timeout = PFTM_OTHER_FIRST_PACKET; 3163 pf_set_rt_ifp(s, saddr); 3164 if (pf_insert_state(s)) { 3165 REASON_SET(&reason, PFRES_MEMORY); 3166 if (r->log) 3167 PFLOG_PACKET(ifp, h, m, af, direction, reason, 3168 r, a, ruleset); 3169 pool_put(&pf_state_pl, s); 3170 return (PF_DROP); 3171 } else 3172 *sm = s; 3173 } 3174 3175 return (PF_PASS); 3176 } 3177 3178 int 3179 pf_test_fragment(struct pf_rule **rm, int direction, struct ifnet *ifp, 3180 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, 3181 struct pf_ruleset **rsm) 3182 { 3183 struct pf_rule *r, *a = NULL; 3184 struct pf_ruleset *ruleset = NULL; 3185 sa_family_t af = pd->af; 3186 u_short reason; 3187 struct pf_tag *pftag = NULL; 3188 int tag = -1; 3189 3190 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3191 while (r != NULL) { 3192 r->evaluations++; 3193 if (r->ifp != NULL && ((r->ifp != ifp && !r->ifnot) || 3194 (r->ifp == ifp && r->ifnot))) 3195 r = r->skip[PF_SKIP_IFP].ptr; 3196 else if (r->direction && r->direction != direction) 3197 r = r->skip[PF_SKIP_DIR].ptr; 3198 else if (r->af && r->af != af) 3199 r = r->skip[PF_SKIP_AF].ptr; 3200 else if (r->proto && r->proto != pd->proto) 3201 r = r->skip[PF_SKIP_PROTO].ptr; 3202 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3203 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3204 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3205 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3206 else if (r->tos && !(r->tos & pd->tos)) 3207 r = TAILQ_NEXT(r, entries); 3208 else if (r->src.port_op || r->dst.port_op || 3209 r->flagset || r->type || r->code || 3210 r->os_fingerprint != PF_OSFP_ANY) 3211 r = TAILQ_NEXT(r, entries); 3212 else if (r->match_tag && 3213 !pf_match_tag(m, r, NULL, NULL, pftag, &tag)) 3214 r = TAILQ_NEXT(r, entries); 3215 else if (r->anchorname[0] && r->anchor == NULL) 3216 r = TAILQ_NEXT(r, entries); 3217 else { 3218 if (r->anchor == NULL) { 3219 *rm = r; 3220 *am = a; 3221 *rsm = ruleset; 3222 if ((*rm)->quick) 3223 break; 3224 r = TAILQ_NEXT(r, entries); 3225 } else 3226 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3227 PF_RULESET_FILTER); 3228 } 3229 if (r == NULL && a != NULL) 3230 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3231 PF_RULESET_FILTER); 3232 } 3233 r = *rm; 3234 a = *am; 3235 ruleset = *rsm; 3236 3237 REASON_SET(&reason, PFRES_MATCH); 3238 3239 if (r->log) 3240 PFLOG_PACKET(ifp, h, m, af, direction, reason, r, a, ruleset); 3241 3242 if (r->action != PF_PASS) 3243 return (PF_DROP); 3244 3245 if (pf_tag_packet(m, pftag, tag)) { 3246 REASON_SET(&reason, PFRES_MEMORY); 3247 return (PF_DROP); 3248 } 3249 3250 return (PF_PASS); 3251 } 3252 3253 int 3254 pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp, 3255 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3256 u_short *reason) 3257 { 3258 struct pf_state key; 3259 struct tcphdr *th = pd->hdr.tcp; 3260 u_int16_t win = ntohs(th->th_win); 3261 u_int32_t ack, end, seq; 3262 u_int8_t sws, dws; 3263 int ackskew; 3264 int copyback = 0; 3265 struct pf_state_peer *src, *dst; 3266 3267 key.af = pd->af; 3268 key.proto = IPPROTO_TCP; 3269 if (direction == PF_IN) { 3270 PF_ACPY(&key.ext.addr, pd->src, key.af); 3271 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3272 key.ext.port = th->th_sport; 3273 key.gwy.port = th->th_dport; 3274 } else { 3275 PF_ACPY(&key.lan.addr, pd->src, key.af); 3276 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3277 key.lan.port = th->th_sport; 3278 key.ext.port = th->th_dport; 3279 } 3280 3281 STATE_LOOKUP(); 3282 3283 if (direction == (*state)->direction) { 3284 src = &(*state)->src; 3285 dst = &(*state)->dst; 3286 } else { 3287 src = &(*state)->dst; 3288 dst = &(*state)->src; 3289 } 3290 3291 if ((*state)->src.state == PF_TCPS_PROXY_SRC) { 3292 if (direction != (*state)->direction) 3293 return (PF_SYNPROXY_DROP); 3294 if (th->th_flags & TH_SYN) { 3295 if (ntohl(th->th_seq) != (*state)->src.seqlo) 3296 return (PF_DROP); 3297 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3298 pd->src, th->th_dport, th->th_sport, 3299 (*state)->src.seqhi, ntohl(th->th_seq) + 1, 3300 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0); 3301 return (PF_SYNPROXY_DROP); 3302 } else if (!(th->th_flags & TH_ACK) || 3303 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3304 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3305 return (PF_DROP); 3306 else 3307 (*state)->src.state = PF_TCPS_PROXY_DST; 3308 } 3309 if ((*state)->src.state == PF_TCPS_PROXY_DST) { 3310 struct pf_state_host *src, *dst; 3311 3312 if (direction == PF_OUT) { 3313 src = &(*state)->gwy; 3314 dst = &(*state)->ext; 3315 } else { 3316 src = &(*state)->ext; 3317 dst = &(*state)->lan; 3318 } 3319 if (direction == (*state)->direction) { 3320 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || 3321 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3322 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3323 return (PF_DROP); 3324 (*state)->src.max_win = MAX(ntohs(th->th_win), 1); 3325 if ((*state)->dst.seqhi == 1) 3326 (*state)->dst.seqhi = arc4random(); 3327 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3328 &dst->addr, src->port, dst->port, 3329 (*state)->dst.seqhi, 0, TH_SYN, 0, (*state)->src.mss, 0); 3330 return (PF_SYNPROXY_DROP); 3331 } else if (((th->th_flags & (TH_SYN|TH_ACK)) != 3332 (TH_SYN|TH_ACK)) || 3333 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) 3334 return (PF_DROP); 3335 else { 3336 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); 3337 (*state)->dst.seqlo = ntohl(th->th_seq); 3338 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3339 pd->src, th->th_dport, th->th_sport, 3340 ntohl(th->th_ack), ntohl(th->th_seq) + 1, 3341 TH_ACK, (*state)->src.max_win, 0, 0); 3342 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3343 &dst->addr, src->port, dst->port, 3344 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, 3345 TH_ACK, (*state)->dst.max_win, 0, 0); 3346 (*state)->src.seqdiff = (*state)->dst.seqhi - 3347 (*state)->src.seqlo; 3348 (*state)->dst.seqdiff = (*state)->src.seqhi - 3349 (*state)->dst.seqlo; 3350 (*state)->src.seqhi = (*state)->src.seqlo + 3351 (*state)->src.max_win; 3352 (*state)->dst.seqhi = (*state)->dst.seqlo + 3353 (*state)->dst.max_win; 3354 (*state)->src.wscale = (*state)->dst.wscale = 0; 3355 (*state)->src.state = (*state)->dst.state = 3356 TCPS_ESTABLISHED; 3357 return (PF_SYNPROXY_DROP); 3358 } 3359 } 3360 3361 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 3362 sws = src->wscale & PF_WSCALE_MASK; 3363 dws = dst->wscale & PF_WSCALE_MASK; 3364 } else 3365 sws = dws = 0; 3366 3367 /* 3368 * Sequence tracking algorithm from Guido van Rooij's paper: 3369 * http://www.madison-gurkha.com/publications/tcp_filtering/ 3370 * tcp_filtering.ps 3371 */ 3372 3373 seq = ntohl(th->th_seq); 3374 if (src->seqlo == 0) { 3375 /* First packet from this end. Set its state */ 3376 3377 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && 3378 src->scrub == NULL) { 3379 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 3380 REASON_SET(reason, PFRES_MEMORY); 3381 return (PF_DROP); 3382 } 3383 } 3384 3385 /* Deferred generation of sequence number modulator */ 3386 if (dst->seqdiff && !src->seqdiff) { 3387 while ((src->seqdiff = arc4random()) == 0) 3388 ; 3389 ack = ntohl(th->th_ack) - dst->seqdiff; 3390 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3391 src->seqdiff), 0); 3392 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3393 copyback = 1; 3394 } else { 3395 ack = ntohl(th->th_ack); 3396 } 3397 3398 end = seq + pd->p_len; 3399 if (th->th_flags & TH_SYN) { 3400 end++; 3401 if (dst->wscale & PF_WSCALE_FLAG) { 3402 src->wscale = pf_get_wscale(m, off, th->th_off, 3403 pd->af); 3404 if (src->wscale & PF_WSCALE_FLAG) { 3405 /* Remove scale factor from initial 3406 * window */ 3407 sws = src->wscale & PF_WSCALE_MASK; 3408 win = ((u_int32_t)win + (1 << sws) - 1) 3409 >> sws; 3410 dws = dst->wscale & PF_WSCALE_MASK; 3411 } else { 3412 /* fixup other window */ 3413 dst->max_win <<= dst->wscale & 3414 PF_WSCALE_MASK; 3415 /* in case of a retrans SYN|ACK */ 3416 dst->wscale = 0; 3417 } 3418 } 3419 } 3420 if (th->th_flags & TH_FIN) 3421 end++; 3422 3423 src->seqlo = seq; 3424 if (src->state < TCPS_SYN_SENT) 3425 src->state = TCPS_SYN_SENT; 3426 3427 /* 3428 * May need to slide the window (seqhi may have been set by 3429 * the crappy stack check or if we picked up the connection 3430 * after establishment) 3431 */ 3432 if (src->seqhi == 1 || 3433 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) 3434 src->seqhi = end + MAX(1, dst->max_win << dws); 3435 if (win > src->max_win) 3436 src->max_win = win; 3437 3438 } else { 3439 ack = ntohl(th->th_ack) - dst->seqdiff; 3440 if (src->seqdiff) { 3441 /* Modulate sequence numbers */ 3442 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3443 src->seqdiff), 0); 3444 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3445 copyback = 1; 3446 } 3447 end = seq + pd->p_len; 3448 if (th->th_flags & TH_SYN) 3449 end++; 3450 if (th->th_flags & TH_FIN) 3451 end++; 3452 } 3453 3454 if ((th->th_flags & TH_ACK) == 0) { 3455 /* Let it pass through the ack skew check */ 3456 ack = dst->seqlo; 3457 } else if ((ack == 0 && 3458 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || 3459 /* broken tcp stacks do not set ack */ 3460 (dst->state < TCPS_SYN_SENT)) { 3461 /* 3462 * Many stacks (ours included) will set the ACK number in an 3463 * FIN|ACK if the SYN times out -- no sequence to ACK. 3464 */ 3465 ack = dst->seqlo; 3466 } 3467 3468 if (seq == end) { 3469 /* Ease sequencing restrictions on no data packets */ 3470 seq = src->seqlo; 3471 end = seq; 3472 } 3473 3474 ackskew = dst->seqlo - ack; 3475 3476 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ 3477 if (SEQ_GEQ(src->seqhi, end) && 3478 /* Last octet inside other's window space */ 3479 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 3480 /* Retrans: not more than one window back */ 3481 (ackskew >= -MAXACKWINDOW) && 3482 /* Acking not more than one reassembled fragment backwards */ 3483 (ackskew <= (MAXACKWINDOW << sws))) { 3484 /* Acking not more than one window forward */ 3485 3486 /* update max window */ 3487 if (src->max_win < win) 3488 src->max_win = win; 3489 /* synchronize sequencing */ 3490 if (SEQ_GT(end, src->seqlo)) 3491 src->seqlo = end; 3492 /* slide the window of what the other end can send */ 3493 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3494 dst->seqhi = ack + MAX((win << sws), 1); 3495 3496 3497 /* update states */ 3498 if (th->th_flags & TH_SYN) 3499 if (src->state < TCPS_SYN_SENT) 3500 src->state = TCPS_SYN_SENT; 3501 if (th->th_flags & TH_FIN) 3502 if (src->state < TCPS_CLOSING) 3503 src->state = TCPS_CLOSING; 3504 if (th->th_flags & TH_ACK) { 3505 if (dst->state == TCPS_SYN_SENT) 3506 dst->state = TCPS_ESTABLISHED; 3507 else if (dst->state == TCPS_CLOSING) 3508 dst->state = TCPS_FIN_WAIT_2; 3509 } 3510 if (th->th_flags & TH_RST) 3511 src->state = dst->state = TCPS_TIME_WAIT; 3512 3513 /* update expire time */ 3514 (*state)->expire = time.tv_sec; 3515 if (src->state >= TCPS_FIN_WAIT_2 && 3516 dst->state >= TCPS_FIN_WAIT_2) 3517 (*state)->timeout = PFTM_TCP_CLOSED; 3518 else if (src->state >= TCPS_FIN_WAIT_2 || 3519 dst->state >= TCPS_FIN_WAIT_2) 3520 (*state)->timeout = PFTM_TCP_FIN_WAIT; 3521 else if (src->state < TCPS_ESTABLISHED || 3522 dst->state < TCPS_ESTABLISHED) 3523 (*state)->timeout = PFTM_TCP_OPENING; 3524 else if (src->state >= TCPS_CLOSING || 3525 dst->state >= TCPS_CLOSING) 3526 (*state)->timeout = PFTM_TCP_CLOSING; 3527 else 3528 (*state)->timeout = PFTM_TCP_ESTABLISHED; 3529 3530 /* Fall through to PASS packet */ 3531 3532 } else if ((dst->state < TCPS_SYN_SENT || 3533 dst->state >= TCPS_FIN_WAIT_2 || 3534 src->state >= TCPS_FIN_WAIT_2) && 3535 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && 3536 /* Within a window forward of the originating packet */ 3537 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { 3538 /* Within a window backward of the originating packet */ 3539 3540 /* 3541 * This currently handles three situations: 3542 * 1) Stupid stacks will shotgun SYNs before their peer 3543 * replies. 3544 * 2) When PF catches an already established stream (the 3545 * firewall rebooted, the state table was flushed, routes 3546 * changed...) 3547 * 3) Packets get funky immediately after the connection 3548 * closes (this should catch Solaris spurious ACK|FINs 3549 * that web servers like to spew after a close) 3550 * 3551 * This must be a little more careful than the above code 3552 * since packet floods will also be caught here. We don't 3553 * update the TTL here to mitigate the damage of a packet 3554 * flood and so the same code can handle awkward establishment 3555 * and a loosened connection close. 3556 * In the establishment case, a correct peer response will 3557 * validate the connection, go through the normal state code 3558 * and keep updating the state TTL. 3559 */ 3560 3561 if (pf_status.debug >= PF_DEBUG_MISC) { 3562 printf("pf: loose state match: "); 3563 pf_print_state(*state); 3564 pf_print_flags(th->th_flags); 3565 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 3566 seq, ack, pd->p_len, ackskew, 3567 (*state)->packets[0], (*state)->packets[1]); 3568 } 3569 3570 /* update max window */ 3571 if (src->max_win < win) 3572 src->max_win = win; 3573 /* synchronize sequencing */ 3574 if (SEQ_GT(end, src->seqlo)) 3575 src->seqlo = end; 3576 /* slide the window of what the other end can send */ 3577 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3578 dst->seqhi = ack + MAX((win << sws), 1); 3579 3580 /* 3581 * Cannot set dst->seqhi here since this could be a shotgunned 3582 * SYN and not an already established connection. 3583 */ 3584 3585 if (th->th_flags & TH_FIN) 3586 if (src->state < TCPS_CLOSING) 3587 src->state = TCPS_CLOSING; 3588 if (th->th_flags & TH_RST) 3589 src->state = dst->state = TCPS_TIME_WAIT; 3590 3591 /* Fall through to PASS packet */ 3592 3593 } else { 3594 if ((*state)->dst.state == TCPS_SYN_SENT && 3595 (*state)->src.state == TCPS_SYN_SENT) { 3596 /* Send RST for state mismatches during handshake */ 3597 if (!(th->th_flags & TH_RST)) { 3598 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 3599 3600 if (th->th_flags & TH_SYN) 3601 ack++; 3602 if (th->th_flags & TH_FIN) 3603 ack++; 3604 pf_send_tcp((*state)->rule.ptr, pd->af, 3605 pd->dst, pd->src, th->th_dport, 3606 th->th_sport, ntohl(th->th_ack), ack, 3607 TH_RST|TH_ACK, 0, 0, 3608 (*state)->rule.ptr->return_ttl); 3609 } 3610 src->seqlo = 0; 3611 src->seqhi = 1; 3612 src->max_win = 1; 3613 } else if (pf_status.debug >= PF_DEBUG_MISC) { 3614 printf("pf: BAD state: "); 3615 pf_print_state(*state); 3616 pf_print_flags(th->th_flags); 3617 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " 3618 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew, 3619 (*state)->packets[0], (*state)->packets[1], 3620 direction == PF_IN ? "in" : "out", 3621 direction == (*state)->direction ? "fwd" : "rev"); 3622 printf("pf: State failure on: %c %c %c %c | %c %c\n", 3623 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 3624 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 3625 ' ': '2', 3626 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 3627 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 3628 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 3629 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 3630 } 3631 return (PF_DROP); 3632 } 3633 3634 if (dst->scrub || src->scrub) { 3635 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, src, dst, 3636 ©back)) 3637 return (PF_DROP); 3638 } 3639 3640 /* Any packets which have gotten here are to be passed */ 3641 3642 /* translate source/destination address, if necessary */ 3643 if (STATE_TRANSLATE(*state)) { 3644 if (direction == PF_OUT) 3645 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 3646 &th->th_sum, &(*state)->gwy.addr, 3647 (*state)->gwy.port, 0, pd->af); 3648 else 3649 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, 3650 &th->th_sum, &(*state)->lan.addr, 3651 (*state)->lan.port, 0, pd->af); 3652 m_copyback(m, off, sizeof(*th), th); 3653 } else if (copyback) { 3654 /* Copyback sequence modulation or stateful scrub changes */ 3655 m_copyback(m, off, sizeof(*th), th); 3656 } 3657 3658 return (PF_PASS); 3659 } 3660 3661 int 3662 pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp, 3663 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 3664 { 3665 struct pf_state_peer *src, *dst; 3666 struct pf_state key; 3667 struct udphdr *uh = pd->hdr.udp; 3668 3669 key.af = pd->af; 3670 key.proto = IPPROTO_UDP; 3671 if (direction == PF_IN) { 3672 PF_ACPY(&key.ext.addr, pd->src, key.af); 3673 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3674 key.ext.port = uh->uh_sport; 3675 key.gwy.port = uh->uh_dport; 3676 } else { 3677 PF_ACPY(&key.lan.addr, pd->src, key.af); 3678 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3679 key.lan.port = uh->uh_sport; 3680 key.ext.port = uh->uh_dport; 3681 } 3682 3683 STATE_LOOKUP(); 3684 3685 if (direction == (*state)->direction) { 3686 src = &(*state)->src; 3687 dst = &(*state)->dst; 3688 } else { 3689 src = &(*state)->dst; 3690 dst = &(*state)->src; 3691 } 3692 3693 /* update states */ 3694 if (src->state < PFUDPS_SINGLE) 3695 src->state = PFUDPS_SINGLE; 3696 if (dst->state == PFUDPS_SINGLE) 3697 dst->state = PFUDPS_MULTIPLE; 3698 3699 /* update expire time */ 3700 (*state)->expire = time.tv_sec; 3701 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 3702 (*state)->timeout = PFTM_UDP_MULTIPLE; 3703 else 3704 (*state)->timeout = PFTM_UDP_SINGLE; 3705 3706 /* translate source/destination address, if necessary */ 3707 if (STATE_TRANSLATE(*state)) { 3708 if (direction == PF_OUT) 3709 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, 3710 &uh->uh_sum, &(*state)->gwy.addr, 3711 (*state)->gwy.port, 1, pd->af); 3712 else 3713 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, 3714 &uh->uh_sum, &(*state)->lan.addr, 3715 (*state)->lan.port, 1, pd->af); 3716 m_copyback(m, off, sizeof(*uh), uh); 3717 } 3718 3719 return (PF_PASS); 3720 } 3721 3722 int 3723 pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, 3724 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 3725 { 3726 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3727 u_int16_t icmpid, *icmpsum; 3728 u_int8_t icmptype; 3729 int state_icmp = 0; 3730 3731 switch (pd->proto) { 3732 #ifdef INET 3733 case IPPROTO_ICMP: 3734 icmptype = pd->hdr.icmp->icmp_type; 3735 icmpid = pd->hdr.icmp->icmp_id; 3736 icmpsum = &pd->hdr.icmp->icmp_cksum; 3737 3738 if (icmptype == ICMP_UNREACH || 3739 icmptype == ICMP_SOURCEQUENCH || 3740 icmptype == ICMP_REDIRECT || 3741 icmptype == ICMP_TIMXCEED || 3742 icmptype == ICMP_PARAMPROB) 3743 state_icmp++; 3744 break; 3745 #endif /* INET */ 3746 #ifdef INET6 3747 case IPPROTO_ICMPV6: 3748 icmptype = pd->hdr.icmp6->icmp6_type; 3749 icmpid = pd->hdr.icmp6->icmp6_id; 3750 icmpsum = &pd->hdr.icmp6->icmp6_cksum; 3751 3752 if (icmptype == ICMP6_DST_UNREACH || 3753 icmptype == ICMP6_PACKET_TOO_BIG || 3754 icmptype == ICMP6_TIME_EXCEEDED || 3755 icmptype == ICMP6_PARAM_PROB) 3756 state_icmp++; 3757 break; 3758 #endif /* INET6 */ 3759 } 3760 3761 if (!state_icmp) { 3762 3763 /* 3764 * ICMP query/reply message not related to a TCP/UDP packet. 3765 * Search for an ICMP state. 3766 */ 3767 struct pf_state key; 3768 3769 key.af = pd->af; 3770 key.proto = pd->proto; 3771 if (direction == PF_IN) { 3772 PF_ACPY(&key.ext.addr, pd->src, key.af); 3773 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3774 key.ext.port = icmpid; 3775 key.gwy.port = icmpid; 3776 } else { 3777 PF_ACPY(&key.lan.addr, pd->src, key.af); 3778 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3779 key.lan.port = icmpid; 3780 key.ext.port = icmpid; 3781 } 3782 3783 STATE_LOOKUP(); 3784 3785 (*state)->expire = time.tv_sec; 3786 (*state)->timeout = PFTM_ICMP_ERROR_REPLY; 3787 3788 /* translate source/destination address, if necessary */ 3789 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) { 3790 if (direction == PF_OUT) { 3791 switch (pd->af) { 3792 #ifdef INET 3793 case AF_INET: 3794 pf_change_a(&saddr->v4.s_addr, 3795 pd->ip_sum, 3796 (*state)->gwy.addr.v4.s_addr, 0); 3797 break; 3798 #endif /* INET */ 3799 #ifdef INET6 3800 case AF_INET6: 3801 pf_change_a6(saddr, 3802 &pd->hdr.icmp6->icmp6_cksum, 3803 &(*state)->gwy.addr, 0); 3804 m_copyback(m, off, 3805 sizeof(struct icmp6_hdr), 3806 pd->hdr.icmp6); 3807 break; 3808 #endif /* INET6 */ 3809 } 3810 } else { 3811 switch (pd->af) { 3812 #ifdef INET 3813 case AF_INET: 3814 pf_change_a(&daddr->v4.s_addr, 3815 pd->ip_sum, 3816 (*state)->lan.addr.v4.s_addr, 0); 3817 break; 3818 #endif /* INET */ 3819 #ifdef INET6 3820 case AF_INET6: 3821 pf_change_a6(daddr, 3822 &pd->hdr.icmp6->icmp6_cksum, 3823 &(*state)->lan.addr, 0); 3824 m_copyback(m, off, 3825 sizeof(struct icmp6_hdr), 3826 pd->hdr.icmp6); 3827 break; 3828 #endif /* INET6 */ 3829 } 3830 } 3831 } 3832 3833 return (PF_PASS); 3834 3835 } else { 3836 /* 3837 * ICMP error message in response to a TCP/UDP packet. 3838 * Extract the inner TCP/UDP header and search for that state. 3839 */ 3840 3841 struct pf_pdesc pd2; 3842 #ifdef INET 3843 struct ip h2; 3844 #endif /* INET */ 3845 #ifdef INET6 3846 struct ip6_hdr h2_6; 3847 int terminal = 0; 3848 #endif /* INET6 */ 3849 int ipoff2; 3850 int off2; 3851 3852 pd2.af = pd->af; 3853 switch (pd->af) { 3854 #ifdef INET 3855 case AF_INET: 3856 /* offset of h2 in mbuf chain */ 3857 ipoff2 = off + ICMP_MINLEN; 3858 3859 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), 3860 NULL, NULL, pd2.af)) { 3861 DPFPRINTF(PF_DEBUG_MISC, 3862 ("pf: ICMP error message too short " 3863 "(ip)\n")); 3864 return (PF_DROP); 3865 } 3866 /* 3867 * ICMP error messages don't refer to non-first 3868 * fragments 3869 */ 3870 if (h2.ip_off & htons(IP_OFFMASK)) 3871 return (PF_DROP); 3872 3873 /* offset of protocol header that follows h2 */ 3874 off2 = ipoff2 + (h2.ip_hl << 2); 3875 3876 pd2.proto = h2.ip_p; 3877 pd2.src = (struct pf_addr *)&h2.ip_src; 3878 pd2.dst = (struct pf_addr *)&h2.ip_dst; 3879 pd2.ip_sum = &h2.ip_sum; 3880 break; 3881 #endif /* INET */ 3882 #ifdef INET6 3883 case AF_INET6: 3884 ipoff2 = off + sizeof(struct icmp6_hdr); 3885 3886 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), 3887 NULL, NULL, pd2.af)) { 3888 DPFPRINTF(PF_DEBUG_MISC, 3889 ("pf: ICMP error message too short " 3890 "(ip6)\n")); 3891 return (PF_DROP); 3892 } 3893 pd2.proto = h2_6.ip6_nxt; 3894 pd2.src = (struct pf_addr *)&h2_6.ip6_src; 3895 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; 3896 pd2.ip_sum = NULL; 3897 off2 = ipoff2 + sizeof(h2_6); 3898 do { 3899 switch (pd2.proto) { 3900 case IPPROTO_FRAGMENT: 3901 /* 3902 * ICMPv6 error messages for 3903 * non-first fragments 3904 */ 3905 return (PF_DROP); 3906 case IPPROTO_AH: 3907 case IPPROTO_HOPOPTS: 3908 case IPPROTO_ROUTING: 3909 case IPPROTO_DSTOPTS: { 3910 /* get next header and header length */ 3911 struct ip6_ext opt6; 3912 3913 if (!pf_pull_hdr(m, off2, &opt6, 3914 sizeof(opt6), NULL, NULL, pd2.af)) { 3915 DPFPRINTF(PF_DEBUG_MISC, 3916 ("pf: ICMPv6 short opt\n")); 3917 return (PF_DROP); 3918 } 3919 if (pd2.proto == IPPROTO_AH) 3920 off2 += (opt6.ip6e_len + 2) * 4; 3921 else 3922 off2 += (opt6.ip6e_len + 1) * 8; 3923 pd2.proto = opt6.ip6e_nxt; 3924 /* goto the next header */ 3925 break; 3926 } 3927 default: 3928 terminal++; 3929 break; 3930 } 3931 } while (!terminal); 3932 break; 3933 #endif /* INET6 */ 3934 } 3935 3936 switch (pd2.proto) { 3937 case IPPROTO_TCP: { 3938 struct tcphdr th; 3939 u_int32_t seq; 3940 struct pf_state key; 3941 struct pf_state_peer *src, *dst; 3942 u_int8_t dws; 3943 3944 /* 3945 * Only the first 8 bytes of the TCP header can be 3946 * expected. Don't access any TCP header fields after 3947 * th_seq, an ackskew test is not possible. 3948 */ 3949 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) { 3950 DPFPRINTF(PF_DEBUG_MISC, 3951 ("pf: ICMP error message too short " 3952 "(tcp)\n")); 3953 return (PF_DROP); 3954 } 3955 3956 key.af = pd2.af; 3957 key.proto = IPPROTO_TCP; 3958 if (direction == PF_IN) { 3959 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 3960 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 3961 key.ext.port = th.th_dport; 3962 key.gwy.port = th.th_sport; 3963 } else { 3964 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 3965 PF_ACPY(&key.ext.addr, pd2.src, key.af); 3966 key.lan.port = th.th_dport; 3967 key.ext.port = th.th_sport; 3968 } 3969 3970 STATE_LOOKUP(); 3971 3972 if (direction == (*state)->direction) { 3973 src = &(*state)->dst; 3974 dst = &(*state)->src; 3975 } else { 3976 src = &(*state)->src; 3977 dst = &(*state)->dst; 3978 } 3979 3980 if (src->wscale && dst->wscale && !(th.th_flags & TH_SYN)) 3981 dws = dst->wscale & PF_WSCALE_MASK; 3982 else 3983 dws = 0; 3984 3985 /* Demodulate sequence number */ 3986 seq = ntohl(th.th_seq) - src->seqdiff; 3987 if (src->seqdiff) 3988 pf_change_a(&th.th_seq, &th.th_sum, 3989 htonl(seq), 0); 3990 3991 if (!SEQ_GEQ(src->seqhi, seq) || 3992 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) { 3993 if (pf_status.debug >= PF_DEBUG_MISC) { 3994 printf("pf: BAD ICMP %d:%d ", 3995 icmptype, pd->hdr.icmp->icmp_code); 3996 pf_print_host(pd->src, 0, pd->af); 3997 printf(" -> "); 3998 pf_print_host(pd->dst, 0, pd->af); 3999 printf(" state: "); 4000 pf_print_state(*state); 4001 printf(" seq=%u\n", seq); 4002 } 4003 return (PF_DROP); 4004 } 4005 4006 if (STATE_TRANSLATE(*state)) { 4007 if (direction == PF_IN) { 4008 pf_change_icmp(pd2.src, &th.th_sport, 4009 saddr, &(*state)->lan.addr, 4010 (*state)->lan.port, NULL, 4011 pd2.ip_sum, icmpsum, 4012 pd->ip_sum, 0, pd2.af); 4013 } else { 4014 pf_change_icmp(pd2.dst, &th.th_dport, 4015 saddr, &(*state)->gwy.addr, 4016 (*state)->gwy.port, NULL, 4017 pd2.ip_sum, icmpsum, 4018 pd->ip_sum, 0, pd2.af); 4019 } 4020 switch (pd2.af) { 4021 #ifdef INET 4022 case AF_INET: 4023 m_copyback(m, off, ICMP_MINLEN, 4024 pd->hdr.icmp); 4025 m_copyback(m, ipoff2, sizeof(h2), 4026 &h2); 4027 break; 4028 #endif /* INET */ 4029 #ifdef INET6 4030 case AF_INET6: 4031 m_copyback(m, off, 4032 sizeof(struct icmp6_hdr), 4033 pd->hdr.icmp6); 4034 m_copyback(m, ipoff2, sizeof(h2_6), 4035 &h2_6); 4036 break; 4037 #endif /* INET6 */ 4038 } 4039 m_copyback(m, off2, 8, &th); 4040 } else if (src->seqdiff) { 4041 m_copyback(m, off2, 8, &th); 4042 } 4043 4044 return (PF_PASS); 4045 break; 4046 } 4047 case IPPROTO_UDP: { 4048 struct udphdr uh; 4049 struct pf_state key; 4050 4051 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), 4052 NULL, NULL, pd2.af)) { 4053 DPFPRINTF(PF_DEBUG_MISC, 4054 ("pf: ICMP error message too short " 4055 "(udp)\n")); 4056 return (PF_DROP); 4057 } 4058 4059 key.af = pd2.af; 4060 key.proto = IPPROTO_UDP; 4061 if (direction == PF_IN) { 4062 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4063 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4064 key.ext.port = uh.uh_dport; 4065 key.gwy.port = uh.uh_sport; 4066 } else { 4067 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4068 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4069 key.lan.port = uh.uh_dport; 4070 key.ext.port = uh.uh_sport; 4071 } 4072 4073 STATE_LOOKUP(); 4074 4075 if (STATE_TRANSLATE(*state)) { 4076 if (direction == PF_IN) { 4077 pf_change_icmp(pd2.src, &uh.uh_sport, 4078 daddr, &(*state)->lan.addr, 4079 (*state)->lan.port, &uh.uh_sum, 4080 pd2.ip_sum, icmpsum, 4081 pd->ip_sum, 1, pd2.af); 4082 } else { 4083 pf_change_icmp(pd2.dst, &uh.uh_dport, 4084 saddr, &(*state)->gwy.addr, 4085 (*state)->gwy.port, &uh.uh_sum, 4086 pd2.ip_sum, icmpsum, 4087 pd->ip_sum, 1, pd2.af); 4088 } 4089 switch (pd2.af) { 4090 #ifdef INET 4091 case AF_INET: 4092 m_copyback(m, off, ICMP_MINLEN, 4093 pd->hdr.icmp); 4094 m_copyback(m, ipoff2, sizeof(h2), &h2); 4095 break; 4096 #endif /* INET */ 4097 #ifdef INET6 4098 case AF_INET6: 4099 m_copyback(m, off, 4100 sizeof(struct icmp6_hdr), 4101 pd->hdr.icmp6); 4102 m_copyback(m, ipoff2, sizeof(h2_6), 4103 &h2_6); 4104 break; 4105 #endif /* INET6 */ 4106 } 4107 m_copyback(m, off2, sizeof(uh), &uh); 4108 } 4109 4110 return (PF_PASS); 4111 break; 4112 } 4113 #ifdef INET 4114 case IPPROTO_ICMP: { 4115 struct icmp iih; 4116 struct pf_state key; 4117 4118 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, 4119 NULL, NULL, pd2.af)) { 4120 DPFPRINTF(PF_DEBUG_MISC, 4121 ("pf: ICMP error message too short i" 4122 "(icmp)\n")); 4123 return (PF_DROP); 4124 } 4125 4126 key.af = pd2.af; 4127 key.proto = IPPROTO_ICMP; 4128 if (direction == PF_IN) { 4129 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4130 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4131 key.ext.port = iih.icmp_id; 4132 key.gwy.port = iih.icmp_id; 4133 } else { 4134 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4135 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4136 key.lan.port = iih.icmp_id; 4137 key.ext.port = iih.icmp_id; 4138 } 4139 4140 STATE_LOOKUP(); 4141 4142 if (STATE_TRANSLATE(*state)) { 4143 if (direction == PF_IN) { 4144 pf_change_icmp(pd2.src, &iih.icmp_id, 4145 daddr, &(*state)->lan.addr, 4146 (*state)->lan.port, NULL, 4147 pd2.ip_sum, icmpsum, 4148 pd->ip_sum, 0, AF_INET); 4149 } else { 4150 pf_change_icmp(pd2.dst, &iih.icmp_id, 4151 saddr, &(*state)->gwy.addr, 4152 (*state)->gwy.port, NULL, 4153 pd2.ip_sum, icmpsum, 4154 pd->ip_sum, 0, AF_INET); 4155 } 4156 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp); 4157 m_copyback(m, ipoff2, sizeof(h2), &h2); 4158 m_copyback(m, off2, ICMP_MINLEN, &iih); 4159 } 4160 4161 return (PF_PASS); 4162 break; 4163 } 4164 #endif /* INET */ 4165 #ifdef INET6 4166 case IPPROTO_ICMPV6: { 4167 struct icmp6_hdr iih; 4168 struct pf_state key; 4169 4170 if (!pf_pull_hdr(m, off2, &iih, 4171 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) { 4172 DPFPRINTF(PF_DEBUG_MISC, 4173 ("pf: ICMP error message too short " 4174 "(icmp6)\n")); 4175 return (PF_DROP); 4176 } 4177 4178 key.af = pd2.af; 4179 key.proto = IPPROTO_ICMPV6; 4180 if (direction == PF_IN) { 4181 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4182 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4183 key.ext.port = iih.icmp6_id; 4184 key.gwy.port = iih.icmp6_id; 4185 } else { 4186 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4187 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4188 key.lan.port = iih.icmp6_id; 4189 key.ext.port = iih.icmp6_id; 4190 } 4191 4192 STATE_LOOKUP(); 4193 4194 if (STATE_TRANSLATE(*state)) { 4195 if (direction == PF_IN) { 4196 pf_change_icmp(pd2.src, &iih.icmp6_id, 4197 daddr, &(*state)->lan.addr, 4198 (*state)->lan.port, NULL, 4199 pd2.ip_sum, icmpsum, 4200 pd->ip_sum, 0, AF_INET6); 4201 } else { 4202 pf_change_icmp(pd2.dst, &iih.icmp6_id, 4203 saddr, &(*state)->gwy.addr, 4204 (*state)->gwy.port, NULL, 4205 pd2.ip_sum, icmpsum, 4206 pd->ip_sum, 0, AF_INET6); 4207 } 4208 m_copyback(m, off, sizeof(struct icmp6_hdr), 4209 pd->hdr.icmp6); 4210 m_copyback(m, ipoff2, sizeof(h2_6), &h2_6); 4211 m_copyback(m, off2, sizeof(struct icmp6_hdr), 4212 &iih); 4213 } 4214 4215 return (PF_PASS); 4216 break; 4217 } 4218 #endif /* INET6 */ 4219 default: { 4220 struct pf_state key; 4221 4222 key.af = pd2.af; 4223 key.proto = pd2.proto; 4224 if (direction == PF_IN) { 4225 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4226 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4227 key.ext.port = 0; 4228 key.gwy.port = 0; 4229 } else { 4230 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4231 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4232 key.lan.port = 0; 4233 key.ext.port = 0; 4234 } 4235 4236 STATE_LOOKUP(); 4237 4238 if (STATE_TRANSLATE(*state)) { 4239 if (direction == PF_IN) { 4240 pf_change_icmp(pd2.src, NULL, 4241 daddr, &(*state)->lan.addr, 4242 0, NULL, 4243 pd2.ip_sum, icmpsum, 4244 pd->ip_sum, 0, pd2.af); 4245 } else { 4246 pf_change_icmp(pd2.dst, NULL, 4247 saddr, &(*state)->gwy.addr, 4248 0, NULL, 4249 pd2.ip_sum, icmpsum, 4250 pd->ip_sum, 0, pd2.af); 4251 } 4252 switch (pd2.af) { 4253 #ifdef INET 4254 case AF_INET: 4255 m_copyback(m, off, ICMP_MINLEN, 4256 pd->hdr.icmp); 4257 m_copyback(m, ipoff2, sizeof(h2), &h2); 4258 break; 4259 #endif /* INET */ 4260 #ifdef INET6 4261 case AF_INET6: 4262 m_copyback(m, off, 4263 sizeof(struct icmp6_hdr), 4264 pd->hdr.icmp6); 4265 m_copyback(m, ipoff2, sizeof(h2_6), 4266 &h2_6); 4267 break; 4268 #endif /* INET6 */ 4269 } 4270 } 4271 4272 return (PF_PASS); 4273 break; 4274 } 4275 } 4276 } 4277 } 4278 4279 int 4280 pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp, 4281 struct pf_pdesc *pd) 4282 { 4283 struct pf_state_peer *src, *dst; 4284 struct pf_state key; 4285 4286 key.af = pd->af; 4287 key.proto = pd->proto; 4288 if (direction == PF_IN) { 4289 PF_ACPY(&key.ext.addr, pd->src, key.af); 4290 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4291 key.ext.port = 0; 4292 key.gwy.port = 0; 4293 } else { 4294 PF_ACPY(&key.lan.addr, pd->src, key.af); 4295 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4296 key.lan.port = 0; 4297 key.ext.port = 0; 4298 } 4299 4300 STATE_LOOKUP(); 4301 4302 if (direction == (*state)->direction) { 4303 src = &(*state)->src; 4304 dst = &(*state)->dst; 4305 } else { 4306 src = &(*state)->dst; 4307 dst = &(*state)->src; 4308 } 4309 4310 /* update states */ 4311 if (src->state < PFOTHERS_SINGLE) 4312 src->state = PFOTHERS_SINGLE; 4313 if (dst->state == PFOTHERS_SINGLE) 4314 dst->state = PFOTHERS_MULTIPLE; 4315 4316 /* update expire time */ 4317 (*state)->expire = time.tv_sec; 4318 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 4319 (*state)->timeout = PFTM_OTHER_MULTIPLE; 4320 else 4321 (*state)->timeout = PFTM_OTHER_SINGLE; 4322 4323 /* translate source/destination address, if necessary */ 4324 if (STATE_TRANSLATE(*state)) { 4325 if (direction == PF_OUT) 4326 switch (pd->af) { 4327 #ifdef INET 4328 case AF_INET: 4329 pf_change_a(&pd->src->v4.s_addr, 4330 pd->ip_sum, (*state)->gwy.addr.v4.s_addr, 4331 0); 4332 break; 4333 #endif /* INET */ 4334 #ifdef INET6 4335 case AF_INET6: 4336 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af); 4337 break; 4338 #endif /* INET6 */ 4339 } 4340 else 4341 switch (pd->af) { 4342 #ifdef INET 4343 case AF_INET: 4344 pf_change_a(&pd->dst->v4.s_addr, 4345 pd->ip_sum, (*state)->lan.addr.v4.s_addr, 4346 0); 4347 break; 4348 #endif /* INET */ 4349 #ifdef INET6 4350 case AF_INET6: 4351 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af); 4352 break; 4353 #endif /* INET6 */ 4354 } 4355 } 4356 4357 return (PF_PASS); 4358 } 4359 4360 /* 4361 * ipoff and off are measured from the start of the mbuf chain. 4362 * h must be at "ipoff" on the mbuf chain. 4363 */ 4364 void * 4365 pf_pull_hdr(struct mbuf *m, int off, void *p, int len, 4366 u_short *actionp, u_short *reasonp, sa_family_t af) 4367 { 4368 switch (af) { 4369 #ifdef INET 4370 case AF_INET: { 4371 struct ip *h = mtod(m, struct ip *); 4372 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; 4373 4374 if (fragoff) { 4375 if (fragoff >= len) 4376 ACTION_SET(actionp, PF_PASS); 4377 else { 4378 ACTION_SET(actionp, PF_DROP); 4379 REASON_SET(reasonp, PFRES_FRAG); 4380 } 4381 return (NULL); 4382 } 4383 if (m->m_pkthdr.len < off + len || ntohs(h->ip_len) < off + len) { 4384 ACTION_SET(actionp, PF_DROP); 4385 REASON_SET(reasonp, PFRES_SHORT); 4386 return (NULL); 4387 } 4388 break; 4389 } 4390 #endif /* INET */ 4391 #ifdef INET6 4392 case AF_INET6: { 4393 struct ip6_hdr *h = mtod(m, struct ip6_hdr *); 4394 4395 if (m->m_pkthdr.len < off + len || 4396 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < 4397 (unsigned)(off + len)) { 4398 ACTION_SET(actionp, PF_DROP); 4399 REASON_SET(reasonp, PFRES_SHORT); 4400 return (NULL); 4401 } 4402 break; 4403 } 4404 #endif /* INET6 */ 4405 } 4406 m_copydata(m, off, len, p); 4407 return (p); 4408 } 4409 4410 int 4411 pf_routable(struct pf_addr *addr, sa_family_t af) 4412 { 4413 struct sockaddr_in *dst; 4414 struct route ro; 4415 int ret = 0; 4416 4417 bzero(&ro, sizeof(ro)); 4418 dst = satosin(&ro.ro_dst); 4419 dst->sin_family = af; 4420 dst->sin_len = sizeof(*dst); 4421 dst->sin_addr = addr->v4; 4422 rtalloc_noclone(&ro, NO_CLONING); 4423 4424 if (ro.ro_rt != NULL) { 4425 ret = 1; 4426 RTFREE(ro.ro_rt); 4427 } 4428 4429 return (ret); 4430 } 4431 4432 #ifdef INET 4433 void 4434 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 4435 struct pf_state *s) 4436 { 4437 struct mbuf *m0, *m1; 4438 struct route iproute; 4439 struct route *ro; 4440 struct sockaddr_in *dst; 4441 struct ip *ip; 4442 struct ifnet *ifp = NULL; 4443 struct m_tag *mtag; 4444 struct pf_addr naddr; 4445 int error = 0; 4446 4447 if (m == NULL || *m == NULL || r == NULL || 4448 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 4449 panic("pf_route: invalid parameters"); 4450 4451 if (r->rt == PF_DUPTO) { 4452 m0 = *m; 4453 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 4454 if (mtag == NULL) { 4455 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 4456 if (mtag == NULL) 4457 goto bad; 4458 m_tag_prepend(m0, mtag); 4459 } 4460 m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT); 4461 if (m0 == NULL) 4462 return; 4463 } else { 4464 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 4465 return; 4466 m0 = *m; 4467 } 4468 4469 if (m0->m_len < sizeof(struct ip)) 4470 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4471 ip = mtod(m0, struct ip *); 4472 4473 ro = &iproute; 4474 bzero((caddr_t)ro, sizeof(*ro)); 4475 dst = satosin(&ro->ro_dst); 4476 dst->sin_family = AF_INET; 4477 dst->sin_len = sizeof(*dst); 4478 dst->sin_addr = ip->ip_dst; 4479 4480 if (r->rt == PF_FASTROUTE) { 4481 rtalloc(ro); 4482 if (ro->ro_rt == 0) { 4483 ipstat.ips_noroute++; 4484 goto bad; 4485 } 4486 4487 ifp = ro->ro_rt->rt_ifp; 4488 ro->ro_rt->rt_use++; 4489 4490 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 4491 dst = satosin(ro->ro_rt->rt_gateway); 4492 } else { 4493 if (TAILQ_EMPTY(&r->rpool.list)) 4494 panic("pf_route: TAILQ_EMPTY(&r->rpool.list)"); 4495 if (s == NULL) { 4496 pf_map_addr(AF_INET, &r->rpool, 4497 (struct pf_addr *)&ip->ip_src, 4498 &naddr, NULL); 4499 if (!PF_AZERO(&naddr, AF_INET)) 4500 dst->sin_addr.s_addr = naddr.v4.s_addr; 4501 ifp = r->rpool.cur->ifp; 4502 } else { 4503 if (!PF_AZERO(&s->rt_addr, AF_INET)) 4504 dst->sin_addr.s_addr = 4505 s->rt_addr.v4.s_addr; 4506 ifp = s->rt_ifp; 4507 } 4508 } 4509 4510 if (ifp == NULL) 4511 goto bad; 4512 4513 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 4514 if (mtag == NULL) { 4515 struct m_tag *mtag; 4516 4517 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 4518 if (mtag == NULL) 4519 goto bad; 4520 m_tag_prepend(m0, mtag); 4521 } 4522 4523 if (oifp != ifp && mtag == NULL) { 4524 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) 4525 goto bad; 4526 else if (m0 == NULL) 4527 goto done; 4528 if (m0->m_len < sizeof(struct ip)) 4529 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4530 ip = mtod(m0, struct ip *); 4531 } 4532 4533 /* Copied from ip_output. */ 4534 #ifdef IPSEC 4535 /* 4536 * If deferred crypto processing is needed, check that the 4537 * interface supports it. 4538 */ 4539 if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) 4540 != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) { 4541 /* Notify IPsec to do its own crypto. */ 4542 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); 4543 goto bad; 4544 } 4545 #endif /* IPSEC */ 4546 4547 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */ 4548 if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT) { 4549 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || 4550 ifp->if_bridge != NULL) { 4551 in_delayed_cksum(m0); 4552 m0->m_pkthdr.csum &= ~M_TCPV4_CSUM_OUT; /* Clear */ 4553 } 4554 } else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) { 4555 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || 4556 ifp->if_bridge != NULL) { 4557 in_delayed_cksum(m0); 4558 m0->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */ 4559 } 4560 } 4561 4562 if (ntohs(ip->ip_len) <= ifp->if_mtu) { 4563 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && 4564 ifp->if_bridge == NULL) { 4565 m0->m_pkthdr.csum |= M_IPV4_CSUM_OUT; 4566 ipstat.ips_outhwcsum++; 4567 } else { 4568 ip->ip_sum = 0; 4569 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 4570 } 4571 /* Update relevant hardware checksum stats for TCP/UDP */ 4572 if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT) 4573 tcpstat.tcps_outhwcsum++; 4574 else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) 4575 udpstat.udps_outhwcsum++; 4576 error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL); 4577 goto done; 4578 } 4579 4580 /* 4581 * Too large for interface; fragment if possible. 4582 * Must be able to put at least 8 bytes per fragment. 4583 */ 4584 if (ip->ip_off & htons(IP_DF)) { 4585 ipstat.ips_cantfrag++; 4586 if (r->rt != PF_DUPTO) { 4587 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 4588 ifp); 4589 goto done; 4590 } else 4591 goto bad; 4592 } 4593 4594 m1 = m0; 4595 error = ip_fragment(m0, ifp, ifp->if_mtu); 4596 if (error) 4597 goto bad; 4598 4599 for (m0 = m1; m0; m0 = m1) { 4600 m1 = m0->m_nextpkt; 4601 m0->m_nextpkt = 0; 4602 if (error == 0) 4603 error = (*ifp->if_output)(ifp, m0, sintosa(dst), 4604 NULL); 4605 else 4606 m_freem(m0); 4607 } 4608 4609 if (error == 0) 4610 ipstat.ips_fragmented++; 4611 4612 done: 4613 if (r->rt != PF_DUPTO) 4614 *m = NULL; 4615 if (ro == &iproute && ro->ro_rt) 4616 RTFREE(ro->ro_rt); 4617 return; 4618 4619 bad: 4620 m_freem(m0); 4621 goto done; 4622 } 4623 #endif /* INET */ 4624 4625 #ifdef INET6 4626 void 4627 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 4628 struct pf_state *s) 4629 { 4630 struct mbuf *m0; 4631 struct m_tag *mtag; 4632 struct route_in6 ip6route; 4633 struct route_in6 *ro; 4634 struct sockaddr_in6 *dst; 4635 struct ip6_hdr *ip6; 4636 struct ifnet *ifp = NULL; 4637 struct pf_addr naddr; 4638 int error = 0; 4639 4640 if (m == NULL || *m == NULL || r == NULL || 4641 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 4642 panic("pf_route6: invalid parameters"); 4643 4644 if (r->rt == PF_DUPTO) { 4645 m0 = *m; 4646 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 4647 if (mtag == NULL) { 4648 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 4649 if (mtag == NULL) 4650 goto bad; 4651 m_tag_prepend(m0, mtag); 4652 } 4653 m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT); 4654 if (m0 == NULL) 4655 return; 4656 } else { 4657 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 4658 return; 4659 m0 = *m; 4660 } 4661 4662 if (m0->m_len < sizeof(struct ip6_hdr)) 4663 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 4664 ip6 = mtod(m0, struct ip6_hdr *); 4665 4666 ro = &ip6route; 4667 bzero((caddr_t)ro, sizeof(*ro)); 4668 dst = (struct sockaddr_in6 *)&ro->ro_dst; 4669 dst->sin6_family = AF_INET6; 4670 dst->sin6_len = sizeof(*dst); 4671 dst->sin6_addr = ip6->ip6_dst; 4672 4673 /* Cheat. */ 4674 if (r->rt == PF_FASTROUTE) { 4675 mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT); 4676 if (mtag == NULL) 4677 goto bad; 4678 m_tag_prepend(m0, mtag); 4679 ip6_output(m0, NULL, NULL, 0, NULL, NULL); 4680 return; 4681 } 4682 4683 if (TAILQ_EMPTY(&r->rpool.list)) 4684 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)"); 4685 if (s == NULL) { 4686 pf_map_addr(AF_INET6, &r->rpool, 4687 (struct pf_addr *)&ip6->ip6_src, &naddr, NULL); 4688 if (!PF_AZERO(&naddr, AF_INET6)) 4689 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 4690 &naddr, AF_INET6); 4691 ifp = r->rpool.cur->ifp; 4692 } else { 4693 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 4694 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 4695 &s->rt_addr, AF_INET6); 4696 ifp = s->rt_ifp; 4697 } 4698 4699 if (ifp == NULL) 4700 goto bad; 4701 4702 if (oifp != ifp) { 4703 mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL); 4704 if (mtag == NULL) { 4705 mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT); 4706 if (mtag == NULL) 4707 goto bad; 4708 m_tag_prepend(m0, mtag); 4709 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) 4710 goto bad; 4711 else if (m0 == NULL) 4712 goto done; 4713 } 4714 } 4715 4716 /* 4717 * If the packet is too large for the outgoing interface, 4718 * send back an icmp6 error. 4719 */ 4720 if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) 4721 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); 4722 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 4723 error = nd6_output(ifp, ifp, m0, dst, NULL); 4724 } else { 4725 in6_ifstat_inc(ifp, ifs6_in_toobig); 4726 if (r->rt != PF_DUPTO) 4727 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 4728 else 4729 goto bad; 4730 } 4731 4732 done: 4733 if (r->rt != PF_DUPTO) 4734 *m = NULL; 4735 return; 4736 4737 bad: 4738 m_freem(m0); 4739 goto done; 4740 } 4741 #endif /* INET6 */ 4742 4743 4744 /* 4745 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag 4746 * off is the offset where the protocol header starts 4747 * len is the total length of protocol header plus payload 4748 * returns 0 when the checksum is valid, otherwise returns 1. 4749 */ 4750 int 4751 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af) 4752 { 4753 u_int16_t flag_ok, flag_bad; 4754 u_int16_t sum; 4755 4756 switch (p) { 4757 case IPPROTO_TCP: 4758 flag_ok = M_TCP_CSUM_IN_OK; 4759 flag_bad = M_TCP_CSUM_IN_BAD; 4760 break; 4761 case IPPROTO_UDP: 4762 flag_ok = M_UDP_CSUM_IN_OK; 4763 flag_bad = M_UDP_CSUM_IN_BAD; 4764 break; 4765 case IPPROTO_ICMP: 4766 #ifdef INET6 4767 case IPPROTO_ICMPV6: 4768 #endif /* INET6 */ 4769 flag_ok = flag_bad = 0; 4770 break; 4771 default: 4772 return (1); 4773 } 4774 if (m->m_pkthdr.csum & flag_ok) 4775 return (0); 4776 if (m->m_pkthdr.csum & flag_bad) 4777 return (1); 4778 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 4779 return (1); 4780 if (m->m_pkthdr.len < off + len) 4781 return (1); 4782 switch (af) { 4783 case AF_INET: 4784 if (p == IPPROTO_ICMP) { 4785 if (m->m_len < off) 4786 return (1); 4787 m->m_data += off; 4788 m->m_len -= off; 4789 sum = in_cksum(m, len); 4790 m->m_data -= off; 4791 m->m_len += off; 4792 } else { 4793 if (m->m_len < sizeof(struct ip)) 4794 return (1); 4795 sum = in4_cksum(m, p, off, len); 4796 } 4797 break; 4798 #ifdef INET6 4799 case AF_INET6: 4800 if (m->m_len < sizeof(struct ip6_hdr)) 4801 return (1); 4802 sum = in6_cksum(m, p, off, len); 4803 break; 4804 #endif /* INET6 */ 4805 default: 4806 return (1); 4807 } 4808 if (sum) { 4809 m->m_pkthdr.csum |= flag_bad; 4810 switch (p) { 4811 case IPPROTO_TCP: 4812 tcpstat.tcps_rcvbadsum++; 4813 break; 4814 case IPPROTO_UDP: 4815 udpstat.udps_badsum++; 4816 break; 4817 case IPPROTO_ICMP: 4818 icmpstat.icps_checksum++; 4819 break; 4820 #ifdef INET6 4821 case IPPROTO_ICMPV6: 4822 icmp6stat.icp6s_checksum++; 4823 break; 4824 #endif /* INET6 */ 4825 } 4826 return (1); 4827 } 4828 m->m_pkthdr.csum |= flag_ok; 4829 return (0); 4830 } 4831 4832 #ifdef INET 4833 int 4834 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0) 4835 { 4836 u_short action, reason = 0, log = 0; 4837 struct mbuf *m = *m0; 4838 struct ip *h; 4839 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr; 4840 struct pf_state *s = NULL; 4841 struct pf_ruleset *ruleset = NULL; 4842 struct pf_pdesc pd; 4843 int off, dirndx, pqid = 0; 4844 4845 if (!pf_status.running || 4846 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) 4847 return (PF_PASS); 4848 4849 #ifdef DIAGNOSTIC 4850 if ((m->m_flags & M_PKTHDR) == 0) 4851 panic("non-M_PKTHDR is passed to pf_test"); 4852 #endif 4853 4854 memset(&pd, 0, sizeof(pd)); 4855 if (m->m_pkthdr.len < (int)sizeof(*h)) { 4856 action = PF_DROP; 4857 REASON_SET(&reason, PFRES_SHORT); 4858 log = 1; 4859 goto done; 4860 } 4861 4862 /* We do IP header normalization and packet reassembly here */ 4863 if (pf_normalize_ip(m0, dir, ifp, &reason) != PF_PASS) { 4864 action = PF_DROP; 4865 goto done; 4866 } 4867 m = *m0; 4868 h = mtod(m, struct ip *); 4869 4870 off = h->ip_hl << 2; 4871 if (off < (int)sizeof(*h)) { 4872 action = PF_DROP; 4873 REASON_SET(&reason, PFRES_SHORT); 4874 log = 1; 4875 goto done; 4876 } 4877 4878 pd.src = (struct pf_addr *)&h->ip_src; 4879 pd.dst = (struct pf_addr *)&h->ip_dst; 4880 pd.ip_sum = &h->ip_sum; 4881 pd.proto = h->ip_p; 4882 pd.af = AF_INET; 4883 pd.tos = h->ip_tos; 4884 pd.tot_len = ntohs(h->ip_len); 4885 4886 /* handle fragments that didn't get reassembled by normalization */ 4887 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) { 4888 action = pf_test_fragment(&r, dir, ifp, m, h, 4889 &pd, &a, &ruleset); 4890 goto done; 4891 } 4892 4893 switch (h->ip_p) { 4894 4895 case IPPROTO_TCP: { 4896 struct tcphdr th; 4897 4898 pd.hdr.tcp = &th; 4899 if (!pf_pull_hdr(m, off, &th, sizeof(th), 4900 &action, &reason, AF_INET)) { 4901 log = action != PF_PASS; 4902 goto done; 4903 } 4904 if (dir == PF_IN && pf_check_proto_cksum(m, off, 4905 ntohs(h->ip_len) - off, IPPROTO_TCP, AF_INET)) { 4906 action = PF_DROP; 4907 goto done; 4908 } 4909 pd.p_len = pd.tot_len - off - (th.th_off << 2); 4910 if ((th.th_flags & TH_ACK) && pd.p_len == 0) 4911 pqid = 1; 4912 action = pf_normalize_tcp(dir, ifp, m, 0, off, h, &pd); 4913 if (action == PF_DROP) 4914 goto done; 4915 action = pf_test_state_tcp(&s, dir, ifp, m, off, h, &pd, 4916 &reason); 4917 if (action == PF_PASS) { 4918 r = s->rule.ptr; 4919 a = s->anchor.ptr; 4920 log = s->log; 4921 } else if (s == NULL) 4922 action = pf_test_tcp(&r, &s, dir, ifp, 4923 m, off, h, &pd, &a, &ruleset); 4924 break; 4925 } 4926 4927 case IPPROTO_UDP: { 4928 struct udphdr uh; 4929 4930 pd.hdr.udp = &uh; 4931 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 4932 &action, &reason, AF_INET)) { 4933 log = action != PF_PASS; 4934 goto done; 4935 } 4936 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 4937 off, ntohs(h->ip_len) - off, IPPROTO_UDP, AF_INET)) { 4938 action = PF_DROP; 4939 goto done; 4940 } 4941 action = pf_test_state_udp(&s, dir, ifp, m, off, h, &pd); 4942 if (action == PF_PASS) { 4943 r = s->rule.ptr; 4944 a = s->anchor.ptr; 4945 log = s->log; 4946 } else if (s == NULL) 4947 action = pf_test_udp(&r, &s, dir, ifp, 4948 m, off, h, &pd, &a, &ruleset); 4949 break; 4950 } 4951 4952 case IPPROTO_ICMP: { 4953 struct icmp ih; 4954 4955 pd.hdr.icmp = &ih; 4956 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 4957 &action, &reason, AF_INET)) { 4958 log = action != PF_PASS; 4959 goto done; 4960 } 4961 if (dir == PF_IN && pf_check_proto_cksum(m, off, 4962 ntohs(h->ip_len) - off, IPPROTO_ICMP, AF_INET)) { 4963 action = PF_DROP; 4964 goto done; 4965 } 4966 action = pf_test_state_icmp(&s, dir, ifp, m, off, h, &pd); 4967 if (action == PF_PASS) { 4968 r = s->rule.ptr; 4969 a = s->anchor.ptr; 4970 log = s->log; 4971 } else if (s == NULL) 4972 action = pf_test_icmp(&r, &s, dir, ifp, 4973 m, off, h, &pd, &a, &ruleset); 4974 break; 4975 } 4976 4977 default: 4978 action = pf_test_state_other(&s, dir, ifp, &pd); 4979 if (action == PF_PASS) { 4980 r = s->rule.ptr; 4981 a = s->anchor.ptr; 4982 log = s->log; 4983 } else if (s == NULL) 4984 action = pf_test_other(&r, &s, dir, ifp, m, off, h, 4985 &pd, &a, &ruleset); 4986 break; 4987 } 4988 4989 done: 4990 if (action == PF_PASS && h->ip_hl > 5 && 4991 !((s && s->allow_opts) || r->allow_opts)) { 4992 action = PF_DROP; 4993 REASON_SET(&reason, PFRES_SHORT); 4994 log = 1; 4995 DPFPRINTF(PF_DEBUG_MISC, 4996 ("pf: dropping packet with ip options\n")); 4997 } 4998 4999 #ifdef ALTQ 5000 if (action == PF_PASS && r->qid) { 5001 struct m_tag *mtag; 5002 struct altq_tag *atag; 5003 5004 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 5005 if (mtag != NULL) { 5006 atag = (struct altq_tag *)(mtag + 1); 5007 if (pqid || pd.tos == IPTOS_LOWDELAY) 5008 atag->qid = r->pqid; 5009 else 5010 atag->qid = r->qid; 5011 /* add hints for ecn */ 5012 atag->af = AF_INET; 5013 atag->hdr = h; 5014 m_tag_prepend(m, mtag); 5015 } 5016 } 5017 #endif 5018 5019 if (log) 5020 PFLOG_PACKET(ifp, h, m, AF_INET, dir, reason, r, a, ruleset); 5021 5022 if (ifp == status_ifp) { 5023 pf_status.bcounters[0][dir == PF_OUT] += pd.tot_len; 5024 pf_status.pcounters[0][dir == PF_OUT][action != PF_PASS]++; 5025 } 5026 5027 if (action == PF_PASS || r->action == PF_DROP) { 5028 r->packets++; 5029 r->bytes += pd.tot_len; 5030 if (a != NULL) { 5031 a->packets++; 5032 a->bytes += pd.tot_len; 5033 } 5034 if (s != NULL) { 5035 dirndx = (dir == s->direction) ? 0 : 1; 5036 s->packets[dirndx]++; 5037 s->bytes[dirndx] += pd.tot_len; 5038 if (s->nat_rule.ptr != NULL) { 5039 s->nat_rule.ptr->packets++; 5040 s->nat_rule.ptr->bytes += pd.tot_len; 5041 } 5042 } 5043 } 5044 tr = r; 5045 if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL) 5046 tr = s->nat_rule.ptr; 5047 if (tr->src.addr.type == PF_ADDR_TABLE) 5048 pfr_update_stats(tr->src.addr.p.tbl, 5049 (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af, 5050 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5051 tr->src.not); 5052 if (tr->dst.addr.type == PF_ADDR_TABLE) 5053 pfr_update_stats(tr->dst.addr.p.tbl, 5054 (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af, 5055 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5056 tr->dst.not); 5057 5058 5059 if (action == PF_SYNPROXY_DROP) { 5060 m_freem(*m0); 5061 *m0 = NULL; 5062 action = PF_PASS; 5063 } else if (r->rt) 5064 /* pf_route can free the mbuf causing *m0 to become NULL */ 5065 pf_route(m0, r, dir, ifp, s); 5066 5067 return (action); 5068 } 5069 #endif /* INET */ 5070 5071 #ifdef INET6 5072 int 5073 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) 5074 { 5075 u_short action, reason = 0, log = 0; 5076 struct mbuf *m = *m0; 5077 struct ip6_hdr *h; 5078 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr; 5079 struct pf_state *s = NULL; 5080 struct pf_ruleset *ruleset = NULL; 5081 struct pf_pdesc pd; 5082 int off, terminal = 0, dirndx; 5083 5084 if (!pf_status.running || 5085 (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) 5086 return (PF_PASS); 5087 5088 #ifdef DIAGNOSTIC 5089 if ((m->m_flags & M_PKTHDR) == 0) 5090 panic("non-M_PKTHDR is passed to pf_test"); 5091 #endif 5092 5093 memset(&pd, 0, sizeof(pd)); 5094 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5095 action = PF_DROP; 5096 REASON_SET(&reason, PFRES_SHORT); 5097 log = 1; 5098 goto done; 5099 } 5100 5101 /* We do IP header normalization and packet reassembly here */ 5102 if (pf_normalize_ip6(m0, dir, ifp, &reason) != PF_PASS) { 5103 action = PF_DROP; 5104 goto done; 5105 } 5106 m = *m0; 5107 h = mtod(m, struct ip6_hdr *); 5108 5109 pd.src = (struct pf_addr *)&h->ip6_src; 5110 pd.dst = (struct pf_addr *)&h->ip6_dst; 5111 pd.ip_sum = NULL; 5112 pd.af = AF_INET6; 5113 pd.tos = 0; 5114 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); 5115 5116 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 5117 pd.proto = h->ip6_nxt; 5118 do { 5119 switch (pd.proto) { 5120 case IPPROTO_FRAGMENT: 5121 action = pf_test_fragment(&r, dir, ifp, m, h, 5122 &pd, &a, &ruleset); 5123 if (action == PF_DROP) 5124 REASON_SET(&reason, PFRES_FRAG); 5125 goto done; 5126 case IPPROTO_AH: 5127 case IPPROTO_HOPOPTS: 5128 case IPPROTO_ROUTING: 5129 case IPPROTO_DSTOPTS: { 5130 /* get next header and header length */ 5131 struct ip6_ext opt6; 5132 5133 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), 5134 NULL, NULL, pd.af)) { 5135 DPFPRINTF(PF_DEBUG_MISC, 5136 ("pf: IPv6 short opt\n")); 5137 action = PF_DROP; 5138 REASON_SET(&reason, PFRES_SHORT); 5139 log = 1; 5140 goto done; 5141 } 5142 if (pd.proto == IPPROTO_AH) 5143 off += (opt6.ip6e_len + 2) * 4; 5144 else 5145 off += (opt6.ip6e_len + 1) * 8; 5146 pd.proto = opt6.ip6e_nxt; 5147 /* goto the next header */ 5148 break; 5149 } 5150 default: 5151 terminal++; 5152 break; 5153 } 5154 } while (!terminal); 5155 5156 switch (pd.proto) { 5157 5158 case IPPROTO_TCP: { 5159 struct tcphdr th; 5160 5161 pd.hdr.tcp = &th; 5162 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5163 &action, &reason, AF_INET6)) { 5164 log = action != PF_PASS; 5165 goto done; 5166 } 5167 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5168 ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) { 5169 action = PF_DROP; 5170 goto done; 5171 } 5172 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5173 action = pf_normalize_tcp(dir, ifp, m, 0, off, h, &pd); 5174 if (action == PF_DROP) 5175 goto done; 5176 action = pf_test_state_tcp(&s, dir, ifp, m, off, h, &pd, 5177 &reason); 5178 if (action == PF_PASS) { 5179 r = s->rule.ptr; 5180 a = s->anchor.ptr; 5181 log = s->log; 5182 } else if (s == NULL) 5183 action = pf_test_tcp(&r, &s, dir, ifp, 5184 m, off, h, &pd, &a, &ruleset); 5185 break; 5186 } 5187 5188 case IPPROTO_UDP: { 5189 struct udphdr uh; 5190 5191 pd.hdr.udp = &uh; 5192 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5193 &action, &reason, AF_INET6)) { 5194 log = action != PF_PASS; 5195 goto done; 5196 } 5197 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5198 off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) { 5199 action = PF_DROP; 5200 goto done; 5201 } 5202 action = pf_test_state_udp(&s, dir, ifp, m, off, h, &pd); 5203 if (action == PF_PASS) { 5204 r = s->rule.ptr; 5205 a = s->anchor.ptr; 5206 log = s->log; 5207 } else if (s == NULL) 5208 action = pf_test_udp(&r, &s, dir, ifp, 5209 m, off, h, &pd, &a, &ruleset); 5210 break; 5211 } 5212 5213 case IPPROTO_ICMPV6: { 5214 struct icmp6_hdr ih; 5215 5216 pd.hdr.icmp6 = &ih; 5217 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 5218 &action, &reason, AF_INET6)) { 5219 log = action != PF_PASS; 5220 goto done; 5221 } 5222 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5223 ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) { 5224 action = PF_DROP; 5225 goto done; 5226 } 5227 action = pf_test_state_icmp(&s, dir, ifp, 5228 m, off, h, &pd); 5229 if (action == PF_PASS) { 5230 r = s->rule.ptr; 5231 a = s->anchor.ptr; 5232 log = s->log; 5233 } else if (s == NULL) 5234 action = pf_test_icmp(&r, &s, dir, ifp, 5235 m, off, h, &pd, &a, &ruleset); 5236 break; 5237 } 5238 5239 default: 5240 action = pf_test_state_other(&s, dir, ifp, &pd); 5241 if (action == PF_PASS) { 5242 r = s->rule.ptr; 5243 a = s->anchor.ptr; 5244 log = s->log; 5245 } else if (s == NULL) 5246 action = pf_test_other(&r, &s, dir, ifp, m, off, h, 5247 &pd, &a, &ruleset); 5248 break; 5249 } 5250 5251 done: 5252 /* XXX handle IPv6 options, if not allowed. not implemented. */ 5253 5254 #ifdef ALTQ 5255 if (action == PF_PASS && r->qid) { 5256 struct m_tag *mtag; 5257 struct altq_tag *atag; 5258 5259 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), M_NOWAIT); 5260 if (mtag != NULL) { 5261 atag = (struct altq_tag *)(mtag + 1); 5262 if (pd.tos == IPTOS_LOWDELAY) 5263 atag->qid = r->pqid; 5264 else 5265 atag->qid = r->qid; 5266 /* add hints for ecn */ 5267 atag->af = AF_INET6; 5268 atag->hdr = h; 5269 m_tag_prepend(m, mtag); 5270 } 5271 } 5272 #endif 5273 5274 if (log) 5275 PFLOG_PACKET(ifp, h, m, AF_INET6, dir, reason, r, a, ruleset); 5276 5277 if (ifp == status_ifp) { 5278 pf_status.bcounters[1][dir == PF_OUT] += pd.tot_len; 5279 pf_status.pcounters[1][dir == PF_OUT][action != PF_PASS]++; 5280 } 5281 5282 if (action == PF_PASS || r->action == PF_DROP) { 5283 r->packets++; 5284 r->bytes += pd.tot_len; 5285 if (a != NULL) { 5286 a->packets++; 5287 a->bytes += pd.tot_len; 5288 } 5289 if (s != NULL) { 5290 dirndx = (dir == s->direction) ? 0 : 1; 5291 s->packets[dirndx]++; 5292 s->bytes[dirndx] += pd.tot_len; 5293 if (s->nat_rule.ptr != NULL) { 5294 s->nat_rule.ptr->packets++; 5295 s->nat_rule.ptr->bytes += pd.tot_len; 5296 } 5297 } 5298 } 5299 tr = r; 5300 if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL) 5301 tr = s->nat_rule.ptr; 5302 if (tr->src.addr.type == PF_ADDR_TABLE) 5303 pfr_update_stats(tr->src.addr.p.tbl, 5304 (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af, 5305 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5306 tr->src.not); 5307 if (tr->dst.addr.type == PF_ADDR_TABLE) 5308 pfr_update_stats(tr->dst.addr.p.tbl, 5309 (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af, 5310 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5311 tr->dst.not); 5312 5313 5314 if (action == PF_SYNPROXY_DROP) { 5315 m_freem(*m0); 5316 *m0 = NULL; 5317 action = PF_PASS; 5318 } else if (r->rt) 5319 /* pf_route6 can free the mbuf causing *m0 to become NULL */ 5320 pf_route6(m0, r, dir, ifp, s); 5321 5322 return (action); 5323 } 5324 #endif /* INET6 */ 5325