Bug Summary

File:net/pf.c
Warning:line 477, column 6
Access to field 'timeout' results in a dereference of a null pointer (loaded from variable 'st')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name pf.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -ffreestanding -mcmodel=kernel -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -target-feature -sse2 -target-feature -sse -target-feature -3dnow -target-feature -mmx -target-feature +save-args -target-feature +retpoline-external-thunk -disable-red-zone -no-implicit-float -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -nostdsysteminc -nobuiltininc -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/sys -I /usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -I /usr/src/sys/arch -I /usr/src/sys/dev/pci/drm/include -I /usr/src/sys/dev/pci/drm/include/uapi -I /usr/src/sys/dev/pci/drm/amd/include/asic_reg -I /usr/src/sys/dev/pci/drm/amd/include -I /usr/src/sys/dev/pci/drm/amd/amdgpu -I /usr/src/sys/dev/pci/drm/amd/display -I /usr/src/sys/dev/pci/drm/amd/display/include -I /usr/src/sys/dev/pci/drm/amd/display/dc -I /usr/src/sys/dev/pci/drm/amd/display/amdgpu_dm -I /usr/src/sys/dev/pci/drm/amd/pm/inc -I /usr/src/sys/dev/pci/drm/amd/pm/legacy-dpm -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu11 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu12 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu13 -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/inc -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/hwmgr -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/smumgr -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc/pmfw_if -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc/hw -I /usr/src/sys/dev/pci/drm/amd/display/dc/clk_mgr -I /usr/src/sys/dev/pci/drm/amd/display/modules/inc -I /usr/src/sys/dev/pci/drm/amd/display/modules/hdcp -I /usr/src/sys/dev/pci/drm/amd/display/dmub/inc -I /usr/src/sys/dev/pci/drm/i915 -D DDB -D DIAGNOSTIC -D KTRACE -D ACCOUNTING -D KMEMSTATS -D PTRACE -D POOL_DEBUG -D CRYPTO -D SYSVMSG -D SYSVSEM -D SYSVSHM -D UVM_SWAP_ENCRYPT -D FFS -D FFS2 -D FFS_SOFTUPDATES -D UFS_DIRHASH -D QUOTA -D EXT2FS -D MFS -D NFSCLIENT -D NFSSERVER -D CD9660 -D UDF -D MSDOSFS -D FIFO -D FUSE -D SOCKET_SPLICE -D TCP_ECN -D TCP_SIGNATURE -D INET6 -D IPSEC -D PPP_BSDCOMP -D PPP_DEFLATE -D PIPEX -D MROUTING -D MPLS -D BOOT_CONFIG -D USER_PCICONF -D APERTURE -D MTRR -D NTFS -D SUSPEND -D HIBERNATE -D PCIVERBOSE -D USBVERBOSE -D WSDISPLAY_COMPAT_USL -D WSDISPLAY_COMPAT_RAWKBD -D WSDISPLAY_DEFAULTSCREENS=6 -D X86EMU -D ONEWIREVERBOSE -D MULTIPROCESSOR -D MAXUSERS=80 -D _KERNEL -O2 -Wno-pointer-sign -Wno-address-of-packed-member -Wno-constant-conversion -Wno-unused-but-set-variable -Wno-gnu-folding-constant -fdebug-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -o /home/ben/Projects/scan/2024-01-11-110808-61670-1 -x c /usr/src/sys/net/pf.c
1/* $OpenBSD: pf.c,v 1.1193 2024/01/10 16:44:30 bluhm Exp $ */
2
3/*
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002 - 2013 Henning Brauer <henning@openbsd.org>
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 *
32 * Effort sponsored in part by the Defense Advanced Research Projects
33 * Agency (DARPA) and Air Force Research Laboratory, Air Force
34 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
35 *
36 */
37
38#include "bpfilter.h"
39#include "carp.h"
40#include "pflog.h"
41#include "pfsync.h"
42#include "pflow.h"
43
44#include <sys/param.h>
45#include <sys/systm.h>
46#include <sys/mbuf.h>
47#include <sys/filio.h>
48#include <sys/socket.h>
49#include <sys/socketvar.h>
50#include <sys/kernel.h>
51#include <sys/time.h>
52#include <sys/pool.h>
53#include <sys/proc.h>
54#include <sys/rwlock.h>
55#include <sys/syslog.h>
56
57#include <crypto/sha2.h>
58
59#include <net/if.h>
60#include <net/if_var.h>
61#include <net/if_types.h>
62#include <net/route.h>
63#include <net/toeplitz.h>
64
65#include <netinet/in.h>
66#include <netinet/in_var.h>
67#include <netinet/ip.h>
68#include <netinet/in_pcb.h>
69#include <netinet/ip_var.h>
70#include <netinet/ip_icmp.h>
71#include <netinet/icmp_var.h>
72#include <netinet/tcp.h>
73#include <netinet/tcp_seq.h>
74#include <netinet/tcp_timer.h>
75#include <netinet/tcp_var.h>
76#include <netinet/tcp_fsm.h>
77#include <netinet/udp.h>
78#include <netinet/udp_var.h>
79#include <netinet/ip_divert.h>
80
81#ifdef INET61
82#include <netinet6/in6_var.h>
83#include <netinet/ip6.h>
84#include <netinet6/ip6_var.h>
85#include <netinet/icmp6.h>
86#include <netinet6/nd6.h>
87#include <netinet6/ip6_divert.h>
88#endif /* INET6 */
89
90#include <net/pfvar.h>
91#include <net/pfvar_priv.h>
92
93#if NPFLOG1 > 0
94#include <net/if_pflog.h>
95#endif /* NPFLOG > 0 */
96
97#if NPFLOW1 > 0
98#include <net/if_pflow.h>
99#endif /* NPFLOW > 0 */
100
101#if NPFSYNC1 > 0
102#include <net/if_pfsync.h>
103#endif /* NPFSYNC > 0 */
104
105/*
106 * Global variables
107 */
108struct pf_state_tree pf_statetbl;
109struct pf_queuehead pf_queues[2];
110struct pf_queuehead *pf_queues_active;
111struct pf_queuehead *pf_queues_inactive;
112
113struct pf_status pf_status;
114
115struct mutex pf_inp_mtx = MUTEX_INITIALIZER(IPL_SOFTNET){ ((void *)0), ((((0x2)) > 0x0 && ((0x2)) < 0x9
) ? 0x9 : ((0x2))), 0x0 };
116
117int pf_hdr_limit = 20; /* arbitrary limit, tune in ddb */
118
119SHA2_CTX pf_tcp_secret_ctx;
120u_char pf_tcp_secret[16];
121int pf_tcp_secret_init;
122int pf_tcp_iss_off;
123
124enum pf_test_status {
125 PF_TEST_FAIL = -1,
126 PF_TEST_OK,
127 PF_TEST_QUICK
128};
129
130struct pf_test_ctx {
131 struct pf_pdesc *pd;
132 struct pf_rule_actions act;
133 u_int8_t icmpcode;
134 u_int8_t icmptype;
135 int icmp_dir;
136 int state_icmp;
137 int tag;
138 u_short reason;
139 struct pf_rule_item *ri;
140 struct pf_src_node *sns[PF_SN_MAX];
141 struct pf_rule_slist rules;
142 struct pf_rule *nr;
143 struct pf_rule **rm;
144 struct pf_rule *a;
145 struct pf_rule **am;
146 struct pf_ruleset **rsm;
147 struct pf_ruleset *arsm;
148 struct pf_ruleset *aruleset;
149 struct tcphdr *th;
150};
151
152struct pool pf_src_tree_pl, pf_rule_pl, pf_queue_pl;
153struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl;
154struct pool pf_rule_item_pl, pf_sn_item_pl, pf_pktdelay_pl;
155
156void pf_add_threshold(struct pf_threshold *);
157int pf_check_threshold(struct pf_threshold *);
158int pf_check_tcp_cksum(struct mbuf *, int, int,
159 sa_family_t);
160__inline void pf_cksum_fixup(u_int16_t *, u_int16_t, u_int16_t,
161 u_int8_t);
162void pf_cksum_fixup_a(u_int16_t *, const struct pf_addr *,
163 const struct pf_addr *, sa_family_t, u_int8_t);
164int pf_modulate_sack(struct pf_pdesc *,
165 struct pf_state_peer *);
166int pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *,
167 u_int16_t *, u_int16_t *);
168int pf_change_icmp_af(struct mbuf *, int,
169 struct pf_pdesc *, struct pf_pdesc *,
170 struct pf_addr *, struct pf_addr *, sa_family_t,
171 sa_family_t);
172int pf_translate_a(struct pf_pdesc *, struct pf_addr *,
173 struct pf_addr *);
174void pf_translate_icmp(struct pf_pdesc *, struct pf_addr *,
175 u_int16_t *, struct pf_addr *, struct pf_addr *,
176 u_int16_t);
177int pf_translate_icmp_af(struct pf_pdesc*, int, void *);
178void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, int,
179 sa_family_t, struct pf_rule *, u_int);
180void pf_detach_state(struct pf_state *);
181struct pf_state_key *pf_state_key_attach(struct pf_state_key *,
182 struct pf_state *, int);
183void pf_state_key_detach(struct pf_state *, int);
184u_int32_t pf_tcp_iss(struct pf_pdesc *);
185void pf_rule_to_actions(struct pf_rule *,
186 struct pf_rule_actions *);
187int pf_test_rule(struct pf_pdesc *, struct pf_rule **,
188 struct pf_state **, struct pf_rule **,
189 struct pf_ruleset **, u_short *);
190static __inline int pf_create_state(struct pf_pdesc *, struct pf_rule *,
191 struct pf_rule *, struct pf_rule *,
192 struct pf_state_key **, struct pf_state_key **,
193 int *, struct pf_state **, int,
194 struct pf_rule_slist *, struct pf_rule_actions *,
195 struct pf_src_node **);
196static __inline int pf_state_key_addr_setup(struct pf_pdesc *, void *,
197 int, struct pf_addr *, int, struct pf_addr *,
198 int, int);
199int pf_state_key_setup(struct pf_pdesc *, struct
200 pf_state_key **, struct pf_state_key **, int);
201int pf_tcp_track_full(struct pf_pdesc *,
202 struct pf_state **, u_short *, int *, int);
203int pf_tcp_track_sloppy(struct pf_pdesc *,
204 struct pf_state **, u_short *);
205static __inline int pf_synproxy(struct pf_pdesc *, struct pf_state **,
206 u_short *);
207int pf_test_state(struct pf_pdesc *, struct pf_state **,
208 u_short *);
209int pf_icmp_state_lookup(struct pf_pdesc *,
210 struct pf_state_key_cmp *, struct pf_state **,
211 u_int16_t, u_int16_t, int, int *, int, int);
212int pf_test_state_icmp(struct pf_pdesc *,
213 struct pf_state **, u_short *);
214u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, int,
215 u_int16_t);
216static __inline int pf_set_rt_ifp(struct pf_state *, struct pf_addr *,
217 sa_family_t, struct pf_src_node **);
218struct pf_divert *pf_get_divert(struct mbuf *);
219int pf_walk_option(struct pf_pdesc *, struct ip *,
220 int, int, u_short *);
221int pf_walk_header(struct pf_pdesc *, struct ip *,
222 u_short *);
223int pf_walk_option6(struct pf_pdesc *, struct ip6_hdr *,
224 int, int, u_short *);
225int pf_walk_header6(struct pf_pdesc *, struct ip6_hdr *,
226 u_short *);
227void pf_print_state_parts(struct pf_state *,
228 struct pf_state_key *, struct pf_state_key *);
229int pf_addr_wrap_neq(struct pf_addr_wrap *,
230 struct pf_addr_wrap *);
231int pf_compare_state_keys(struct pf_state_key *,
232 struct pf_state_key *, struct pfi_kif *, u_int);
233u_int16_t pf_pkt_hash(sa_family_t, uint8_t,
234 const struct pf_addr *, const struct pf_addr *,
235 uint16_t, uint16_t);
236int pf_find_state(struct pf_pdesc *,
237 struct pf_state_key_cmp *, struct pf_state **);
238int pf_src_connlimit(struct pf_state **);
239int pf_match_rcvif(struct mbuf *, struct pf_rule *);
240int pf_step_into_anchor(struct pf_test_ctx *,
241 struct pf_rule *);
242int pf_match_rule(struct pf_test_ctx *,
243 struct pf_ruleset *);
244void pf_counters_inc(int, struct pf_pdesc *,
245 struct pf_state *, struct pf_rule *,
246 struct pf_rule *);
247
248int pf_state_insert(struct pfi_kif *,
249 struct pf_state_key **, struct pf_state_key **,
250 struct pf_state *);
251
252int pf_state_key_isvalid(struct pf_state_key *);
253struct pf_state_key *pf_state_key_ref(struct pf_state_key *);
254void pf_state_key_unref(struct pf_state_key *);
255void pf_state_key_link_reverse(struct pf_state_key *,
256 struct pf_state_key *);
257void pf_state_key_unlink_reverse(struct pf_state_key *);
258void pf_state_key_link_inpcb(struct pf_state_key *,
259 struct inpcb *);
260void pf_state_key_unlink_inpcb(struct pf_state_key *);
261void pf_pktenqueue_delayed(void *);
262int32_t pf_state_expires(const struct pf_state *, uint8_t);
263
264#if NPFLOG1 > 0
265void pf_log_matches(struct pf_pdesc *, struct pf_rule *,
266 struct pf_rule *, struct pf_ruleset *,
267 struct pf_rule_slist *);
268#endif /* NPFLOG > 0 */
269
270extern struct pool pfr_ktable_pl;
271extern struct pool pfr_kentry_pl;
272
273struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
274 { &pf_state_pl, PFSTATE_HIWAT100000, PFSTATE_HIWAT100000 },
275 { &pf_src_tree_pl, PFSNODE_HIWAT10000, PFSNODE_HIWAT10000 },
276 { &pf_frent_pl, PFFRAG_FRENT_HIWAT((256 * 1024) / 16), PFFRAG_FRENT_HIWAT((256 * 1024) / 16) },
277 { &pfr_ktable_pl, PFR_KTABLE_HIWAT1000, PFR_KTABLE_HIWAT1000 },
278 { &pfr_kentry_pl, PFR_KENTRY_HIWAT200000, PFR_KENTRY_HIWAT200000 },
279 { &pf_pktdelay_pl, PF_PKTDELAY_MAXPKTS10000, PF_PKTDELAY_MAXPKTS10000 },
280 { &pf_anchor_pl, PF_ANCHOR_HIWAT512, PF_ANCHOR_HIWAT512 }
281};
282
283#define BOUND_IFACE(r, k)((r)->rule_flag & 0x00010000) ? (k) : pfi_all \
284 ((r)->rule_flag & PFRULE_IFBOUND0x00010000) ? (k) : pfi_all
285
286#define STATE_INC_COUNTERS(s)do { struct pf_rule_item *mrm; s->rule.ptr->states_cur++
; s->rule.ptr->states_tot++; if (s->anchor.ptr != ((
void *)0)) { s->anchor.ptr->states_cur++; s->anchor.
ptr->states_tot++; } for((mrm) = ((&s->match_rules)
->slh_first); (mrm) != ((void *)0); (mrm) = ((mrm)->entry
.sle_next)) mrm->r->states_cur++; } while (0) \
287 do { \
288 struct pf_rule_item *mrm; \
289 s->rule.ptr->states_cur++; \
290 s->rule.ptr->states_tot++; \
291 if (s->anchor.ptr != NULL((void *)0)) { \
292 s->anchor.ptr->states_cur++; \
293 s->anchor.ptr->states_tot++; \
294 } \
295 SLIST_FOREACH(mrm, &s->match_rules, entry)for((mrm) = ((&s->match_rules)->slh_first); (mrm) !=
((void *)0); (mrm) = ((mrm)->entry.sle_next)) \
296 mrm->r->states_cur++; \
297 } while (0)
298
299static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
300static inline int pf_state_compare_key(const struct pf_state_key *,
301 const struct pf_state_key *);
302static inline int pf_state_compare_id(const struct pf_state *,
303 const struct pf_state *);
304#ifdef INET61
305static __inline void pf_cksum_uncover(u_int16_t *, u_int16_t, u_int8_t);
306static __inline void pf_cksum_cover(u_int16_t *, u_int16_t, u_int8_t);
307#endif /* INET6 */
308static __inline void pf_set_protostate(struct pf_state *, int, u_int8_t);
309
310struct pf_src_tree tree_src_tracking;
311
312struct pf_state_tree_id tree_id;
313struct pf_state_list pf_state_list = PF_STATE_LIST_INITIALIZER(pf_state_list){ .pfs_list = { ((void *)0), &(pf_state_list.pfs_list).tqh_first
}, .pfs_mtx = { ((void *)0), ((((0x2)) > 0x0 && (
(0x2)) < 0x9) ? 0x9 : ((0x2))), 0x0 }, .pfs_rwl = { 0, "pfstates"
}, };
314
315RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare)void pf_src_tree_RB_INSERT_COLOR(struct pf_src_tree *head, struct
pf_src_node *elm) { struct pf_src_node *parent, *gparent, *tmp
; while ((parent = (elm)->entry.rbe_parent) && (parent
)->entry.rbe_color == 1) { gparent = (parent)->entry.rbe_parent
; if (parent == (gparent)->entry.rbe_left) { tmp = (gparent
)->entry.rbe_right; if (tmp && (tmp)->entry.rbe_color
== 1) { (tmp)->entry.rbe_color = 0; do { (parent)->entry
.rbe_color = 0; (gparent)->entry.rbe_color = 1; } while (0
); elm = gparent; continue; } if ((parent)->entry.rbe_right
== elm) { do { (tmp) = (parent)->entry.rbe_right; if (((parent
)->entry.rbe_right = (tmp)->entry.rbe_left)) { ((tmp)->
entry.rbe_left)->entry.rbe_parent = (parent); } do {} while
(0); if (((tmp)->entry.rbe_parent = (parent)->entry.rbe_parent
)) { if ((parent) == ((parent)->entry.rbe_parent)->entry
.rbe_left) ((parent)->entry.rbe_parent)->entry.rbe_left
= (tmp); else ((parent)->entry.rbe_parent)->entry.rbe_right
= (tmp); } else (head)->rbh_root = (tmp); (tmp)->entry
.rbe_left = (parent); (parent)->entry.rbe_parent = (tmp); do
{} while (0); if (((tmp)->entry.rbe_parent)) do {} while (
0); } while (0); tmp = parent; parent = elm; elm = tmp; } do {
(parent)->entry.rbe_color = 0; (gparent)->entry.rbe_color
= 1; } while (0); do { (tmp) = (gparent)->entry.rbe_left;
if (((gparent)->entry.rbe_left = (tmp)->entry.rbe_right
)) { ((tmp)->entry.rbe_right)->entry.rbe_parent = (gparent
); } do {} while (0); if (((tmp)->entry.rbe_parent = (gparent
)->entry.rbe_parent)) { if ((gparent) == ((gparent)->entry
.rbe_parent)->entry.rbe_left) ((gparent)->entry.rbe_parent
)->entry.rbe_left = (tmp); else ((gparent)->entry.rbe_parent
)->entry.rbe_right = (tmp); } else (head)->rbh_root = (
tmp); (tmp)->entry.rbe_right = (gparent); (gparent)->entry
.rbe_parent = (tmp); do {} while (0); if (((tmp)->entry.rbe_parent
)) do {} while (0); } while (0); } else { tmp = (gparent)->
entry.rbe_left; if (tmp && (tmp)->entry.rbe_color ==
1) { (tmp)->entry.rbe_color = 0; do { (parent)->entry.
rbe_color = 0; (gparent)->entry.rbe_color = 1; } while (0)
; elm = gparent; continue; } if ((parent)->entry.rbe_left ==
elm) { do { (tmp) = (parent)->entry.rbe_left; if (((parent
)->entry.rbe_left = (tmp)->entry.rbe_right)) { ((tmp)->
entry.rbe_right)->entry.rbe_parent = (parent); } do {} while
(0); if (((tmp)->entry.rbe_parent = (parent)->entry.rbe_parent
)) { if ((parent) == ((parent)->entry.rbe_parent)->entry
.rbe_left) ((parent)->entry.rbe_parent)->entry.rbe_left
= (tmp); else ((parent)->entry.rbe_parent)->entry.rbe_right
= (tmp); } else (head)->rbh_root = (tmp); (tmp)->entry
.rbe_right = (parent); (parent)->entry.rbe_parent = (tmp);
do {} while (0); if (((tmp)->entry.rbe_parent)) do {} while
(0); } while (0); tmp = parent; parent = elm; elm = tmp; } do
{ (parent)->entry.rbe_color = 0; (gparent)->entry.rbe_color
= 1; } while (0); do { (tmp) = (gparent)->entry.rbe_right
; if (((gparent)->entry.rbe_right = (tmp)->entry.rbe_left
)) { ((tmp)->entry.rbe_left)->entry.rbe_parent = (gparent
); } do {} while (0); if (((tmp)->entry.rbe_parent = (gparent
)->entry.rbe_parent)) { if ((gparent) == ((gparent)->entry
.rbe_parent)->entry.rbe_left) ((gparent)->entry.rbe_parent
)->entry.rbe_left = (tmp); else ((gparent)->entry.rbe_parent
)->entry.rbe_right = (tmp); } else (head)->rbh_root = (
tmp); (tmp)->entry.rbe_left = (gparent); (gparent)->entry
.rbe_parent = (tmp); do {} while (0); if (((tmp)->entry.rbe_parent
)) do {} while (0); } while (0); } } (head->rbh_root)->
entry.rbe_color = 0; } void pf_src_tree_RB_REMOVE_COLOR(struct
pf_src_tree *head, struct pf_src_node *parent, struct pf_src_node
*elm) { struct pf_src_node *tmp; while ((elm == ((void *)0) ||
(elm)->entry.rbe_color == 0) && elm != (head)->
rbh_root) { if ((parent)->entry.rbe_left == elm) { tmp = (
parent)->entry.rbe_right; if ((tmp)->entry.rbe_color ==
1) { do { (tmp)->entry.rbe_color = 0; (parent)->entry.
rbe_color = 1; } while (0); do { (tmp) = (parent)->entry.rbe_right
; if (((parent)->entry.rbe_right = (tmp)->entry.rbe_left
)) { ((tmp)->entry.rbe_left)->entry.rbe_parent = (parent
); } do {} while (0); if (((tmp)->entry.rbe_parent = (parent
)->entry.rbe_parent)) { if ((parent) == ((parent)->entry
.rbe_parent)->entry.rbe_left) ((parent)->entry.rbe_parent
)->entry.rbe_left = (tmp); else ((parent)->entry.rbe_parent
)->entry.rbe_right = (tmp); } else (head)->rbh_root = (
tmp); (tmp)->entry.rbe_left = (parent); (parent)->entry
.rbe_parent = (tmp); do {} while (0); if (((tmp)->entry.rbe_parent
)) do {} while (0); } while (0); tmp = (parent)->entry.rbe_right
; } if (((tmp)->entry.rbe_left == ((void *)0) || ((tmp)->
entry.rbe_left)->entry.rbe_color == 0) && ((tmp)->
entry.rbe_right == ((void *)0) || ((tmp)->entry.rbe_right)
->entry.rbe_color == 0)) { (tmp)->entry.rbe_color = 1; elm
= parent; parent = (elm)->entry.rbe_parent; } else { if (
(tmp)->entry.rbe_right == ((void *)0) || ((tmp)->entry.
rbe_right)->entry.rbe_color == 0) { struct pf_src_node *oleft
; if ((oleft = (tmp)->entry.rbe_left)) (oleft)->entry.rbe_color
= 0; (tmp)->entry.rbe_color = 1; do { (oleft) = (tmp)->
entry.rbe_left; if (((tmp)->entry.rbe_left = (oleft)->entry
.rbe_right)) { ((oleft)->entry.rbe_right)->entry.rbe_parent
= (tmp); } do {} while (0); if (((oleft)->entry.rbe_parent
= (tmp)->entry.rbe_parent)) { if ((tmp) == ((tmp)->entry
.rbe_parent)->entry.rbe_left) ((tmp)->entry.rbe_parent)
->entry.rbe_left = (oleft); else ((tmp)->entry.rbe_parent
)->entry.rbe_right = (oleft); } else (head)->rbh_root =
(oleft); (oleft)->entry.rbe_right = (tmp); (tmp)->entry
.rbe_parent = (oleft); do {} while (0); if (((oleft)->entry
.rbe_parent)) do {} while (0); } while (0); tmp = (parent)->
entry.rbe_right; } (tmp)->entry.rbe_color = (parent)->entry
.rbe_color; (parent)->entry.rbe_color = 0; if ((tmp)->entry
.rbe_right) ((tmp)->entry.rbe_right)->entry.rbe_color =
0; do { (tmp) = (parent)->entry.rbe_right; if (((parent)->
entry.rbe_right = (tmp)->entry.rbe_left)) { ((tmp)->entry
.rbe_left)->entry.rbe_parent = (parent); } do {} while (0)
; if (((tmp)->entry.rbe_parent = (parent)->entry.rbe_parent
)) { if ((parent) == ((parent)->entry.rbe_parent)->entry
.rbe_left) ((parent)->entry.rbe_parent)->entry.rbe_left
= (tmp); else ((parent)->entry.rbe_parent)->entry.rbe_right
= (tmp); } else (head)->rbh_root = (tmp); (tmp)->entry
.rbe_left = (parent); (parent)->entry.rbe_parent = (tmp); do
{} while (0); if (((tmp)->entry.rbe_parent)) do {} while (
0); } while (0); elm = (head)->rbh_root; break; } } else {
tmp = (parent)->entry.rbe_left; if ((tmp)->entry.rbe_color
== 1) { do { (tmp)->entry.rbe_color = 0; (parent)->entry
.rbe_color = 1; } while (0); do { (tmp) = (parent)->entry.
rbe_left; if (((parent)->entry.rbe_left = (tmp)->entry.
rbe_right)) { ((tmp)->entry.rbe_right)->entry.rbe_parent
= (parent); } do {} while (0); if (((tmp)->entry.rbe_parent
= (parent)->entry.rbe_parent)) { if ((parent) == ((parent
)->entry.rbe_parent)->entry.rbe_left) ((parent)->entry
.rbe_parent)->entry.rbe_left = (tmp); else ((parent)->entry
.rbe_parent)->entry.rbe_right = (tmp); } else (head)->rbh_root
= (tmp); (tmp)->entry.rbe_right = (parent); (parent)->
entry.rbe_parent = (tmp); do {} while (0); if (((tmp)->entry
.rbe_parent)) do {} while (0); } while (0); tmp = (parent)->
entry.rbe_left; } if (((tmp)->entry.rbe_left == ((void *)0
) || ((tmp)->entry.rbe_left)->entry.rbe_color == 0) &&
((tmp)->entry.rbe_right == ((void *)0) || ((tmp)->entry
.rbe_right)->entry.rbe_color == 0)) { (tmp)->entry.rbe_color
= 1; elm = parent; parent = (elm)->entry.rbe_parent; } else
{ if ((tmp)->entry.rbe_left == ((void *)0) || ((tmp)->
entry.rbe_left)->entry.rbe_color == 0) { struct pf_src_node
*oright; if ((oright = (tmp)->entry.rbe_right)) (oright)->
entry.rbe_color = 0; (tmp)->entry.rbe_color = 1; do { (oright
) = (tmp)->entry.rbe_right; if (((tmp)->entry.rbe_right
= (oright)->entry.rbe_left)) { ((oright)->entry.rbe_left
)->entry.rbe_parent = (tmp); } do {} while (0); if (((oright
)->entry.rbe_parent = (tmp)->entry.rbe_parent)) { if ((
tmp) == ((tmp)->entry.rbe_parent)->entry.rbe_left) ((tmp
)->entry.rbe_parent)->entry.rbe_left = (oright); else (
(tmp)->entry.rbe_parent)->entry.rbe_right = (oright); }
else (head)->rbh_root = (oright); (oright)->entry.rbe_left
= (tmp); (tmp)->entry.rbe_parent = (oright); do {} while (
0); if (((oright)->entry.rbe_parent)) do {} while (0); } while
(0); tmp = (parent)->entry.rbe_left; } (tmp)->entry.rbe_color
= (parent)->entry.rbe_color; (parent)->entry.rbe_color
= 0; if ((tmp)->entry.rbe_left) ((tmp)->entry.rbe_left
)->entry.rbe_color = 0; do { (tmp) = (parent)->entry.rbe_left
; if (((parent)->entry.rbe_left = (tmp)->entry.rbe_right
)) { ((tmp)->entry.rbe_right)->entry.rbe_parent = (parent
); } do {} while (0); if (((tmp)->entry.rbe_parent = (parent
)->entry.rbe_parent)) { if ((parent) == ((parent)->entry
.rbe_parent)->entry.rbe_left) ((parent)->entry.rbe_parent
)->entry.rbe_left = (tmp); else ((parent)->entry.rbe_parent
)->entry.rbe_right = (tmp); } else (head)->rbh_root = (
tmp); (tmp)->entry.rbe_right = (parent); (parent)->entry
.rbe_parent = (tmp); do {} while (0); if (((tmp)->entry.rbe_parent
)) do {} while (0); } while (0); elm = (head)->rbh_root; break
; } } } if (elm) (elm)->entry.rbe_color = 0; } struct pf_src_node
* pf_src_tree_RB_REMOVE(struct pf_src_tree *head, struct pf_src_node
*elm) { struct pf_src_node *child, *parent, *old = elm; int color
; if ((elm)->entry.rbe_left == ((void *)0)) child = (elm)->
entry.rbe_right; else if ((elm)->entry.rbe_right == ((void
*)0)) child = (elm)->entry.rbe_left; else { struct pf_src_node
*left; elm = (elm)->entry.rbe_right; while ((left = (elm)
->entry.rbe_left)) elm = left; child = (elm)->entry.rbe_right
; parent = (elm)->entry.rbe_parent; color = (elm)->entry
.rbe_color; if (child) (child)->entry.rbe_parent = parent;
if (parent) { if ((parent)->entry.rbe_left == elm) (parent
)->entry.rbe_left = child; else (parent)->entry.rbe_right
= child; do {} while (0); } else (head)->rbh_root = child
; if ((elm)->entry.rbe_parent == old) parent = elm; (elm)->
entry = (old)->entry; if ((old)->entry.rbe_parent) { if
(((old)->entry.rbe_parent)->entry.rbe_left == old) ((old
)->entry.rbe_parent)->entry.rbe_left = elm; else ((old)
->entry.rbe_parent)->entry.rbe_right = elm; do {} while
(0); } else (head)->rbh_root = elm; ((old)->entry.rbe_left
)->entry.rbe_parent = elm; if ((old)->entry.rbe_right) (
(old)->entry.rbe_right)->entry.rbe_parent = elm; if (parent
) { left = parent; do { do {} while (0); } while ((left = (left
)->entry.rbe_parent)); } goto color; } parent = (elm)->
entry.rbe_parent; color = (elm)->entry.rbe_color; if (child
) (child)->entry.rbe_parent = parent; if (parent) { if ((parent
)->entry.rbe_left == elm) (parent)->entry.rbe_left = child
; else (parent)->entry.rbe_right = child; do {} while (0);
} else (head)->rbh_root = child; color: if (color == 0) pf_src_tree_RB_REMOVE_COLOR
(head, parent, child); return (old); } struct pf_src_node * pf_src_tree_RB_INSERT
(struct pf_src_tree *head, struct pf_src_node *elm) { struct pf_src_node
*tmp; struct pf_src_node *parent = ((void *)0); int comp = 0
; tmp = (head)->rbh_root; while (tmp) { parent = tmp; comp
= (pf_src_compare)(elm, parent); if (comp < 0) tmp = (tmp
)->entry.rbe_left; else if (comp > 0) tmp = (tmp)->entry
.rbe_right; else return (tmp); } do { (elm)->entry.rbe_parent
= parent; (elm)->entry.rbe_left = (elm)->entry.rbe_right
= ((void *)0); (elm)->entry.rbe_color = 1; } while (0); if
(parent != ((void *)0)) { if (comp < 0) (parent)->entry
.rbe_left = elm; else (parent)->entry.rbe_right = elm; do {
} while (0); } else (head)->rbh_root = elm; pf_src_tree_RB_INSERT_COLOR
(head, elm); return (((void *)0)); } struct pf_src_node * pf_src_tree_RB_FIND
(struct pf_src_tree *head, struct pf_src_node *elm) { struct pf_src_node
*tmp = (head)->rbh_root; int comp; while (tmp) { comp = pf_src_compare
(elm, tmp); if (comp < 0) tmp = (tmp)->entry.rbe_left; else
if (comp > 0) tmp = (tmp)->entry.rbe_right; else return
(tmp); } return (((void *)0)); } struct pf_src_node * pf_src_tree_RB_NFIND
(struct pf_src_tree *head, struct pf_src_node *elm) { struct pf_src_node
*tmp = (head)->rbh_root; struct pf_src_node *res = ((void
*)0); int comp; while (tmp) { comp = pf_src_compare(elm, tmp
); if (comp < 0) { res = tmp; tmp = (tmp)->entry.rbe_left
; } else if (comp > 0) tmp = (tmp)->entry.rbe_right; else
return (tmp); } return (res); } struct pf_src_node * pf_src_tree_RB_NEXT
(struct pf_src_node *elm) { if ((elm)->entry.rbe_right) { elm
= (elm)->entry.rbe_right; while ((elm)->entry.rbe_left
) elm = (elm)->entry.rbe_left; } else { if ((elm)->entry
.rbe_parent && (elm == ((elm)->entry.rbe_parent)->
entry.rbe_left)) elm = (elm)->entry.rbe_parent; else { while
((elm)->entry.rbe_parent && (elm == ((elm)->entry
.rbe_parent)->entry.rbe_right)) elm = (elm)->entry.rbe_parent
; elm = (elm)->entry.rbe_parent; } } return (elm); } struct
pf_src_node * pf_src_tree_RB_PREV(struct pf_src_node *elm) {
if ((elm)->entry.rbe_left) { elm = (elm)->entry.rbe_left
; while ((elm)->entry.rbe_right) elm = (elm)->entry.rbe_right
; } else { if ((elm)->entry.rbe_parent && (elm == (
(elm)->entry.rbe_parent)->entry.rbe_right)) elm = (elm)
->entry.rbe_parent; else { while ((elm)->entry.rbe_parent
&& (elm == ((elm)->entry.rbe_parent)->entry.rbe_left
)) elm = (elm)->entry.rbe_parent; elm = (elm)->entry.rbe_parent
; } } return (elm); } struct pf_src_node * pf_src_tree_RB_MINMAX
(struct pf_src_tree *head, int val) { struct pf_src_node *tmp
= (head)->rbh_root; struct pf_src_node *parent = ((void *
)0); while (tmp) { parent = tmp; if (val < 0) tmp = (tmp)->
entry.rbe_left; else tmp = (tmp)->entry.rbe_right; } return
(parent); };
316RBT_GENERATE(pf_state_tree, pf_state_key, sk_entry, pf_state_compare_key)static int pf_state_tree_RBT_COMPARE(const void *lptr, const void
*rptr) { const struct pf_state_key *l = lptr, *r = rptr; return
pf_state_compare_key(l, r); } static const struct rb_type pf_state_tree_RBT_INFO
= { pf_state_tree_RBT_COMPARE, ((void *)0), __builtin_offsetof
(struct pf_state_key, sk_entry), }; const struct rb_type *const
pf_state_tree_RBT_TYPE = &pf_state_tree_RBT_INFO;
317RBT_GENERATE(pf_state_tree_id, pf_state, entry_id, pf_state_compare_id)static int pf_state_tree_id_RBT_COMPARE(const void *lptr, const
void *rptr) { const struct pf_state *l = lptr, *r = rptr; return
pf_state_compare_id(l, r); } static const struct rb_type pf_state_tree_id_RBT_INFO
= { pf_state_tree_id_RBT_COMPARE, ((void *)0), __builtin_offsetof
(struct pf_state, entry_id), }; const struct rb_type *const pf_state_tree_id_RBT_TYPE
= &pf_state_tree_id_RBT_INFO;
318
319int
320pf_addr_compare(const struct pf_addr *a, const struct pf_addr *b,
321 sa_family_t af)
322{
323 switch (af) {
324 case AF_INET2:
325 if (a->addr32pfa.addr32[0] > b->addr32pfa.addr32[0])
326 return (1);
327 if (a->addr32pfa.addr32[0] < b->addr32pfa.addr32[0])
328 return (-1);
329 break;
330#ifdef INET61
331 case AF_INET624:
332 if (a->addr32pfa.addr32[3] > b->addr32pfa.addr32[3])
333 return (1);
334 if (a->addr32pfa.addr32[3] < b->addr32pfa.addr32[3])
335 return (-1);
336 if (a->addr32pfa.addr32[2] > b->addr32pfa.addr32[2])
337 return (1);
338 if (a->addr32pfa.addr32[2] < b->addr32pfa.addr32[2])
339 return (-1);
340 if (a->addr32pfa.addr32[1] > b->addr32pfa.addr32[1])
341 return (1);
342 if (a->addr32pfa.addr32[1] < b->addr32pfa.addr32[1])
343 return (-1);
344 if (a->addr32pfa.addr32[0] > b->addr32pfa.addr32[0])
345 return (1);
346 if (a->addr32pfa.addr32[0] < b->addr32pfa.addr32[0])
347 return (-1);
348 break;
349#endif /* INET6 */
350 }
351 return (0);
352}
353
354static __inline int
355pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
356{
357 int diff;
358
359 if (a->rule.ptr > b->rule.ptr)
360 return (1);
361 if (a->rule.ptr < b->rule.ptr)
362 return (-1);
363 if ((diff = a->type - b->type) != 0)
364 return (diff);
365 if ((diff = a->af - b->af) != 0)
366 return (diff);
367 if ((diff = pf_addr_compare(&a->addr, &b->addr, a->af)) != 0)
368 return (diff);
369 return (0);
370}
371
372static __inline void
373pf_set_protostate(struct pf_state *st, int which, u_int8_t newstate)
374{
375 if (which == PF_PEER_DST || which == PF_PEER_BOTH)
376 st->dst.state = newstate;
377 if (which == PF_PEER_DST)
378 return;
379
380 if (st->src.state == newstate)
381 return;
382 if (st->creatorid == pf_status.hostid &&
383 st->key[PF_SK_STACK]->proto == IPPROTO_TCP6 &&
384 !(TCPS_HAVEESTABLISHED(st->src.state)((st->src.state) >= 4) ||
385 st->src.state == TCPS_CLOSED0) &&
386 (TCPS_HAVEESTABLISHED(newstate)((newstate) >= 4) || newstate == TCPS_CLOSED0))
387 pf_status.states_halfopen--;
388
389 st->src.state = newstate;
390}
391
392void
393pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
394{
395 switch (af) {
396 case AF_INET2:
397 dst->addr32pfa.addr32[0] = src->addr32pfa.addr32[0];
398 break;
399#ifdef INET61
400 case AF_INET624:
401 dst->addr32pfa.addr32[0] = src->addr32pfa.addr32[0];
402 dst->addr32pfa.addr32[1] = src->addr32pfa.addr32[1];
403 dst->addr32pfa.addr32[2] = src->addr32pfa.addr32[2];
404 dst->addr32pfa.addr32[3] = src->addr32pfa.addr32[3];
405 break;
406#endif /* INET6 */
407 default:
408 unhandled_af(af);
409 }
410}
411
412void
413pf_init_threshold(struct pf_threshold *threshold,
414 u_int32_t limit, u_int32_t seconds)
415{
416 threshold->limit = limit * PF_THRESHOLD_MULT1000;
417 threshold->seconds = seconds;
418 threshold->count = 0;
419 threshold->last = getuptime();
420}
421
422void
423pf_add_threshold(struct pf_threshold *threshold)
424{
425 u_int32_t t = getuptime(), diff = t - threshold->last;
426
427 if (diff >= threshold->seconds)
428 threshold->count = 0;
429 else
430 threshold->count -= threshold->count * diff /
431 threshold->seconds;
432 threshold->count += PF_THRESHOLD_MULT1000;
433 threshold->last = t;
434}
435
436int
437pf_check_threshold(struct pf_threshold *threshold)
438{
439 return (threshold->count > threshold->limit);
440}
441
442void
443pf_state_list_insert(struct pf_state_list *pfs, struct pf_state *st)
444{
445 /*
446 * we can always put states on the end of the list.
447 *
448 * things reading the list should take a read lock, then
449 * the mutex, get the head and tail pointers, release the
450 * mutex, and then they can iterate between the head and tail.
451 */
452
453 pf_state_ref(st); /* get a ref for the list */
454
455 mtx_enter(&pfs->pfs_mtx);
456 TAILQ_INSERT_TAIL(&pfs->pfs_list, st, entry_list)do { (st)->entry_list.tqe_next = ((void *)0); (st)->entry_list
.tqe_prev = (&pfs->pfs_list)->tqh_last; *(&pfs->
pfs_list)->tqh_last = (st); (&pfs->pfs_list)->tqh_last
= &(st)->entry_list.tqe_next; } while (0);
457 mtx_leave(&pfs->pfs_mtx);
458}
459
460void
461pf_state_list_remove(struct pf_state_list *pfs, struct pf_state *st)
462{
463 /* states can only be removed when the write lock is held */
464 rw_assert_wrlock(&pfs->pfs_rwl);
465
466 mtx_enter(&pfs->pfs_mtx);
467 TAILQ_REMOVE(&pfs->pfs_list, st, entry_list)do { if (((st)->entry_list.tqe_next) != ((void *)0)) (st)->
entry_list.tqe_next->entry_list.tqe_prev = (st)->entry_list
.tqe_prev; else (&pfs->pfs_list)->tqh_last = (st)->
entry_list.tqe_prev; *(st)->entry_list.tqe_prev = (st)->
entry_list.tqe_next; ((st)->entry_list.tqe_prev) = ((void *
)-1); ((st)->entry_list.tqe_next) = ((void *)-1); } while (
0);
468 mtx_leave(&pfs->pfs_mtx);
469
470 pf_state_unref(st); /* list no longer references the state */
471}
472
473void
474pf_update_state_timeout(struct pf_state *st, int to)
475{
476 mtx_enter(&st->mtx);
477 if (st->timeout != PFTM_UNLINKED)
61
Access to field 'timeout' results in a dereference of a null pointer (loaded from variable 'st')
478 st->timeout = to;
479 mtx_leave(&st->mtx);
480}
481
482int
483pf_src_connlimit(struct pf_state **stp)
484{
485 int bad = 0;
486 struct pf_src_node *sn;
487
488 if ((sn = pf_get_src_node((*stp), PF_SN_NONE)) == NULL((void *)0))
489 return (0);
490
491 sn->conn++;
492 (*stp)->src.tcp_est = 1;
493 pf_add_threshold(&sn->conn_rate);
494
495 if ((*stp)->rule.ptr->max_src_conn &&
496 (*stp)->rule.ptr->max_src_conn < sn->conn) {
497 pf_status.lcounters[LCNT_SRCCONN3]++;
498 bad++;
499 }
500
501 if ((*stp)->rule.ptr->max_src_conn_rate.limit &&
502 pf_check_threshold(&sn->conn_rate)) {
503 pf_status.lcounters[LCNT_SRCCONNRATE4]++;
504 bad++;
505 }
506
507 if (!bad)
508 return (0);
509
510 if ((*stp)->rule.ptr->overload_tbl) {
511 struct pfr_addr p;
512 u_int32_t killed = 0;
513
514 pf_status.lcounters[LCNT_OVERLOAD_TABLE5]++;
515 if (pf_status.debug >= LOG_NOTICE5) {
516 log(LOG_NOTICE5,
517 "pf: pf_src_connlimit: blocking address ");
518 pf_print_host(&sn->addr, 0,
519 (*stp)->key[PF_SK_WIRE]->af);
520 }
521
522 memset(&p, 0, sizeof(p))__builtin_memset((&p), (0), (sizeof(p)));
523 p.pfra_af = (*stp)->key[PF_SK_WIRE]->af;
524 switch ((*stp)->key[PF_SK_WIRE]->af) {
525 case AF_INET2:
526 p.pfra_net = 32;
527 p.pfra_ip4addrpfra_u._pfra_ip4addr = sn->addr.v4pfa.v4;
528 break;
529#ifdef INET61
530 case AF_INET624:
531 p.pfra_net = 128;
532 p.pfra_ip6addrpfra_u._pfra_ip6addr = sn->addr.v6pfa.v6;
533 break;
534#endif /* INET6 */
535 }
536
537 pfr_insert_kentry((*stp)->rule.ptr->overload_tbl,
538 &p, gettime());
539
540 /* kill existing states if that's required. */
541 if ((*stp)->rule.ptr->flush) {
542 struct pf_state_key *sk;
543 struct pf_state *st;
544
545 pf_status.lcounters[LCNT_OVERLOAD_FLUSH6]++;
546 RBT_FOREACH(st, pf_state_tree_id, &tree_id)for ((st) = pf_state_tree_id_RBT_MIN((&tree_id)); (st) !=
((void *)0); (st) = pf_state_tree_id_RBT_NEXT((st))) {
547 sk = st->key[PF_SK_WIRE];
548 /*
549 * Kill states from this source. (Only those
550 * from the same rule if PF_FLUSH_GLOBAL is not
551 * set)
552 */
553 if (sk->af ==
554 (*stp)->key[PF_SK_WIRE]->af &&
555 (((*stp)->direction == PF_OUT &&
556 PF_AEQ(&sn->addr, &sk->addr[1], sk->af)((sk->af == 2 && (&sn->addr)->pfa.addr32
[0] == (&sk->addr[1])->pfa.addr32[0]) || (sk->af
== 24 && (&sn->addr)->pfa.addr32[3] == (&
sk->addr[1])->pfa.addr32[3] && (&sn->addr
)->pfa.addr32[2] == (&sk->addr[1])->pfa.addr32[2
] && (&sn->addr)->pfa.addr32[1] == (&sk
->addr[1])->pfa.addr32[1] && (&sn->addr)
->pfa.addr32[0] == (&sk->addr[1])->pfa.addr32[0]
))) ||
557 ((*stp)->direction == PF_IN &&
558 PF_AEQ(&sn->addr, &sk->addr[0], sk->af)((sk->af == 2 && (&sn->addr)->pfa.addr32
[0] == (&sk->addr[0])->pfa.addr32[0]) || (sk->af
== 24 && (&sn->addr)->pfa.addr32[3] == (&
sk->addr[0])->pfa.addr32[3] && (&sn->addr
)->pfa.addr32[2] == (&sk->addr[0])->pfa.addr32[2
] && (&sn->addr)->pfa.addr32[1] == (&sk
->addr[0])->pfa.addr32[1] && (&sn->addr)
->pfa.addr32[0] == (&sk->addr[0])->pfa.addr32[0]
)))) &&
559 ((*stp)->rule.ptr->flush &
560 PF_FLUSH_GLOBAL0x02 ||
561 (*stp)->rule.ptr == st->rule.ptr)) {
562 pf_update_state_timeout(st, PFTM_PURGE);
563 pf_set_protostate(st, PF_PEER_BOTH,
564 TCPS_CLOSED0);
565 killed++;
566 }
567 }
568 if (pf_status.debug >= LOG_NOTICE5)
569 addlog(", %u states killed", killed);
570 }
571 if (pf_status.debug >= LOG_NOTICE5)
572 addlog("\n");
573 }
574
575 /* kill this state */
576 pf_update_state_timeout(*stp, PFTM_PURGE);
577 pf_set_protostate(*stp, PF_PEER_BOTH, TCPS_CLOSED0);
578 return (1);
579}
580
581int
582pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
583 enum pf_sn_types type, sa_family_t af, struct pf_addr *src,
584 struct pf_addr *raddr, struct pfi_kif *kif)
585{
586 struct pf_src_node k;
587
588 if (*sn == NULL((void *)0)) {
589 k.af = af;
590 k.type = type;
591 pf_addrcpy(&k.addr, src, af);
592 k.rule.ptr = rule;
593 pf_status.scounters[SCNT_SRC_NODE_SEARCH0]++;
594 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k)pf_src_tree_RB_FIND(&tree_src_tracking, &k);
595 }
596 if (*sn == NULL((void *)0)) {
597 if (!rule->max_src_nodes ||
598 rule->src_nodes < rule->max_src_nodes)
599 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT0x0002 | PR_ZERO0x0008);
600 else
601 pf_status.lcounters[LCNT_SRCNODES2]++;
602 if ((*sn) == NULL((void *)0))
603 return (-1);
604
605 pf_init_threshold(&(*sn)->conn_rate,
606 rule->max_src_conn_rate.limit,
607 rule->max_src_conn_rate.seconds);
608
609 (*sn)->type = type;
610 (*sn)->af = af;
611 (*sn)->rule.ptr = rule;
612 pf_addrcpy(&(*sn)->addr, src, af);
613 if (raddr)
614 pf_addrcpy(&(*sn)->raddr, raddr, af);
615 if (RB_INSERT(pf_src_tree,pf_src_tree_RB_INSERT(&tree_src_tracking, *sn)
616 &tree_src_tracking, *sn)pf_src_tree_RB_INSERT(&tree_src_tracking, *sn) != NULL((void *)0)) {
617 if (pf_status.debug >= LOG_NOTICE5) {
618 log(LOG_NOTICE5,
619 "pf: src_tree insert failed: ");
620 pf_print_host(&(*sn)->addr, 0, af);
621 addlog("\n");
622 }
623 pool_put(&pf_src_tree_pl, *sn);
624 return (-1);
625 }
626 (*sn)->creation = getuptime();
627 (*sn)->rule.ptr->src_nodes++;
628 if (kif != NULL((void *)0)) {
629 (*sn)->kif = kif;
630 pfi_kif_ref(kif, PFI_KIF_REF_SRCNODE);
631 }
632 pf_status.scounters[SCNT_SRC_NODE_INSERT1]++;
633 pf_status.src_nodes++;
634 } else {
635 if (rule->max_src_states &&
636 (*sn)->states >= rule->max_src_states) {
637 pf_status.lcounters[LCNT_SRCSTATES1]++;
638 return (-1);
639 }
640 }
641 return (0);
642}
643
644void
645pf_remove_src_node(struct pf_src_node *sn)
646{
647 if (sn->states > 0 || sn->expire > getuptime())
648 return;
649
650 sn->rule.ptr->src_nodes--;
651 if (sn->rule.ptr->states_cur == 0 &&
652 sn->rule.ptr->src_nodes == 0)
653 pf_rm_rule(NULL((void *)0), sn->rule.ptr);
654 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn)pf_src_tree_RB_REMOVE(&tree_src_tracking, sn);
655 pf_status.scounters[SCNT_SRC_NODE_REMOVALS2]++;
656 pf_status.src_nodes--;
657 pfi_kif_unref(sn->kif, PFI_KIF_REF_SRCNODE);
658 pool_put(&pf_src_tree_pl, sn);
659}
660
661struct pf_src_node *
662pf_get_src_node(struct pf_state *st, enum pf_sn_types type)
663{
664 struct pf_sn_item *sni;
665
666 SLIST_FOREACH(sni, &st->src_nodes, next)for((sni) = ((&st->src_nodes)->slh_first); (sni) !=
((void *)0); (sni) = ((sni)->next.sle_next))
667 if (sni->sn->type == type)
668 return (sni->sn);
669 return (NULL((void *)0));
670}
671
672void
673pf_state_rm_src_node(struct pf_state *st, struct pf_src_node *sn)
674{
675 struct pf_sn_item *sni, *snin, *snip = NULL((void *)0);
676
677 for (sni = SLIST_FIRST(&st->src_nodes)((&st->src_nodes)->slh_first); sni; sni = snin) {
678 snin = SLIST_NEXT(sni, next)((sni)->next.sle_next);
679 if (sni->sn == sn) {
680 if (snip)
681 SLIST_REMOVE_AFTER(snip, next)do { (snip)->next.sle_next = (snip)->next.sle_next->
next.sle_next; } while (0);
682 else
683 SLIST_REMOVE_HEAD(&st->src_nodes, next)do { (&st->src_nodes)->slh_first = (&st->src_nodes
)->slh_first->next.sle_next; } while (0);
684 pool_put(&pf_sn_item_pl, sni);
685 sni = NULL((void *)0);
686 sn->states--;
687 }
688 if (sni != NULL((void *)0))
689 snip = sni;
690 }
691}
692
693/* state table stuff */
694
695static inline int
696pf_state_compare_key(const struct pf_state_key *a,
697 const struct pf_state_key *b)
698{
699 int diff;
700
701 if ((diff = a->hash - b->hash) != 0)
702 return (diff);
703 if ((diff = a->proto - b->proto) != 0)
704 return (diff);
705 if ((diff = a->af - b->af) != 0)
706 return (diff);
707 if ((diff = pf_addr_compare(&a->addr[0], &b->addr[0], a->af)) != 0)
708 return (diff);
709 if ((diff = pf_addr_compare(&a->addr[1], &b->addr[1], a->af)) != 0)
710 return (diff);
711 if ((diff = a->port[0] - b->port[0]) != 0)
712 return (diff);
713 if ((diff = a->port[1] - b->port[1]) != 0)
714 return (diff);
715 if ((diff = a->rdomain - b->rdomain) != 0)
716 return (diff);
717 return (0);
718}
719
720static inline int
721pf_state_compare_id(const struct pf_state *a, const struct pf_state *b)
722{
723 if (a->id > b->id)
724 return (1);
725 if (a->id < b->id)
726 return (-1);
727 if (a->creatorid > b->creatorid)
728 return (1);
729 if (a->creatorid < b->creatorid)
730 return (-1);
731
732 return (0);
733}
734
735/*
736 * on failure, pf_state_key_attach() releases the pf_state_key
737 * reference and returns NULL.
738 */
739struct pf_state_key *
740pf_state_key_attach(struct pf_state_key *sk, struct pf_state *st, int idx)
741{
742 struct pf_state_item *si;
743 struct pf_state_key *cur;
744 struct pf_state *oldst = NULL((void *)0);
745
746 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
747
748 KASSERT(st->key[idx] == NULL)((st->key[idx] == ((void *)0)) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 748, "st->key[idx] == NULL"));
749 sk->sk_removed = 0;
750 cur = RBT_INSERT(pf_state_tree, &pf_statetbl, sk)pf_state_tree_RBT_INSERT(&pf_statetbl, sk);
751 if (cur != NULL((void *)0)) {
752 sk->sk_removed = 1;
753 /* key exists. check for same kif, if none, add to key */
754 TAILQ_FOREACH(si, &cur->sk_states, si_entry)for((si) = ((&cur->sk_states)->tqh_first); (si) != (
(void *)0); (si) = ((si)->si_entry.tqe_next)) {
755 struct pf_state *sist = si->si_st;
756 if (sist->kif == st->kif &&
757 ((sist->key[PF_SK_WIRE]->af == sk->af &&
758 sist->direction == st->direction) ||
759 (sist->key[PF_SK_WIRE]->af !=
760 sist->key[PF_SK_STACK]->af &&
761 sk->af == sist->key[PF_SK_STACK]->af &&
762 sist->direction != st->direction))) {
763 int reuse = 0;
764
765 if (sk->proto == IPPROTO_TCP6 &&
766 sist->src.state >= TCPS_FIN_WAIT_29 &&
767 sist->dst.state >= TCPS_FIN_WAIT_29)
768 reuse = 1;
769 if (pf_status.debug >= LOG_NOTICE5) {
770 log(LOG_NOTICE5,
771 "pf: %s key attach %s on %s: ",
772 (idx == PF_SK_WIRE) ?
773 "wire" : "stack",
774 reuse ? "reuse" : "failed",
775 st->kif->pfik_name);
776 pf_print_state_parts(st,
777 (idx == PF_SK_WIRE) ? sk : NULL((void *)0),
778 (idx == PF_SK_STACK) ? sk : NULL((void *)0));
779 addlog(", existing: ");
780 pf_print_state_parts(sist,
781 (idx == PF_SK_WIRE) ? sk : NULL((void *)0),
782 (idx == PF_SK_STACK) ? sk : NULL((void *)0));
783 addlog("\n");
784 }
785 if (reuse) {
786 pf_set_protostate(sist, PF_PEER_BOTH,
787 TCPS_CLOSED0);
788 /* remove late or sks can go away */
789 oldst = sist;
790 } else {
791 pf_state_key_unref(sk);
792 return (NULL((void *)0)); /* collision! */
793 }
794 }
795 }
796
797 /* reuse the existing state key */
798 pf_state_key_unref(sk);
799 sk = cur;
800 }
801
802 if ((si = pool_get(&pf_state_item_pl, PR_NOWAIT0x0002)) == NULL((void *)0)) {
803 if (TAILQ_EMPTY(&sk->sk_states)(((&sk->sk_states)->tqh_first) == ((void *)0))) {
804 KASSERT(cur == NULL)((cur == ((void *)0)) ? (void)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c"
, 804, "cur == NULL"));
805 RBT_REMOVE(pf_state_tree, &pf_statetbl, sk)pf_state_tree_RBT_REMOVE(&pf_statetbl, sk);
806 sk->sk_removed = 1;
807 pf_state_key_unref(sk);
808 }
809
810 return (NULL((void *)0));
811 }
812
813 st->key[idx] = pf_state_key_ref(sk); /* give a ref to state */
814 si->si_st = pf_state_ref(st);
815
816 /* list is sorted, if-bound states before floating */
817 if (st->kif == pfi_all)
818 TAILQ_INSERT_TAIL(&sk->sk_states, si, si_entry)do { (si)->si_entry.tqe_next = ((void *)0); (si)->si_entry
.tqe_prev = (&sk->sk_states)->tqh_last; *(&sk->
sk_states)->tqh_last = (si); (&sk->sk_states)->tqh_last
= &(si)->si_entry.tqe_next; } while (0);
819 else
820 TAILQ_INSERT_HEAD(&sk->sk_states, si, si_entry)do { if (((si)->si_entry.tqe_next = (&sk->sk_states
)->tqh_first) != ((void *)0)) (&sk->sk_states)->
tqh_first->si_entry.tqe_prev = &(si)->si_entry.tqe_next
; else (&sk->sk_states)->tqh_last = &(si)->si_entry
.tqe_next; (&sk->sk_states)->tqh_first = (si); (si)
->si_entry.tqe_prev = &(&sk->sk_states)->tqh_first
; } while (0);
821
822 if (oldst)
823 pf_remove_state(oldst);
824
825 /* caller owns the pf_state ref, which owns a pf_state_key ref now */
826 return (sk);
827}
828
829void
830pf_detach_state(struct pf_state *st)
831{
832 KASSERT(st->key[PF_SK_WIRE] != NULL)((st->key[PF_SK_WIRE] != ((void *)0)) ? (void)0 : __assert
("diagnostic ", "/usr/src/sys/net/pf.c", 832, "st->key[PF_SK_WIRE] != NULL"
));
833 pf_state_key_detach(st, PF_SK_WIRE);
834
835 KASSERT(st->key[PF_SK_STACK] != NULL)((st->key[PF_SK_STACK] != ((void *)0)) ? (void)0 : __assert
("diagnostic ", "/usr/src/sys/net/pf.c", 835, "st->key[PF_SK_STACK] != NULL"
));
836 if (st->key[PF_SK_STACK] != st->key[PF_SK_WIRE])
837 pf_state_key_detach(st, PF_SK_STACK);
838}
839
840void
841pf_state_key_detach(struct pf_state *st, int idx)
842{
843 struct pf_state_item *si;
844 struct pf_state_key *sk;
845
846 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
847
848 sk = st->key[idx];
849 if (sk == NULL((void *)0))
850 return;
851
852 TAILQ_FOREACH(si, &sk->sk_states, si_entry)for((si) = ((&sk->sk_states)->tqh_first); (si) != (
(void *)0); (si) = ((si)->si_entry.tqe_next)) {
853 if (si->si_st == st)
854 break;
855 }
856 if (si == NULL((void *)0))
857 return;
858
859 TAILQ_REMOVE(&sk->sk_states, si, si_entry)do { if (((si)->si_entry.tqe_next) != ((void *)0)) (si)->
si_entry.tqe_next->si_entry.tqe_prev = (si)->si_entry.tqe_prev
; else (&sk->sk_states)->tqh_last = (si)->si_entry
.tqe_prev; *(si)->si_entry.tqe_prev = (si)->si_entry.tqe_next
; ((si)->si_entry.tqe_prev) = ((void *)-1); ((si)->si_entry
.tqe_next) = ((void *)-1); } while (0);
860 pool_put(&pf_state_item_pl, si);
861
862 if (TAILQ_EMPTY(&sk->sk_states)(((&sk->sk_states)->tqh_first) == ((void *)0))) {
863 RBT_REMOVE(pf_state_tree, &pf_statetbl, sk)pf_state_tree_RBT_REMOVE(&pf_statetbl, sk);
864 sk->sk_removed = 1;
865 pf_state_key_unlink_reverse(sk);
866 pf_state_key_unlink_inpcb(sk);
867 pf_state_key_unref(sk);
868 }
869
870 pf_state_unref(st);
871}
872
873struct pf_state_key *
874pf_alloc_state_key(int pool_flags)
875{
876 struct pf_state_key *sk;
877
878 if ((sk = pool_get(&pf_state_key_pl, pool_flags)) == NULL((void *)0))
879 return (NULL((void *)0));
880
881 PF_REF_INIT(sk->sk_refcnt)refcnt_init(&(sk->sk_refcnt));
882 TAILQ_INIT(&sk->sk_states)do { (&sk->sk_states)->tqh_first = ((void *)0); (&
sk->sk_states)->tqh_last = &(&sk->sk_states)
->tqh_first; } while (0);
883 sk->sk_removed = 1;
884
885 return (sk);
886}
887
888static __inline int
889pf_state_key_addr_setup(struct pf_pdesc *pd, void *arg, int sidx,
890 struct pf_addr *saddr, int didx, struct pf_addr *daddr, int af, int multi)
891{
892 struct pf_state_key_cmp *key = arg;
893#ifdef INET61
894 struct pf_addr *target;
895
896 if (af == AF_INET2 || pd->proto != IPPROTO_ICMPV658)
897 goto copy;
898
899 switch (pd->hdr.icmp6.icmp6_type) {
900 case ND_NEIGHBOR_SOLICIT135:
901 if (multi)
902 return (-1);
903 target = (struct pf_addr *)&pd->hdr.nd_ns.nd_ns_target;
904 daddr = target;
905 break;
906 case ND_NEIGHBOR_ADVERT136:
907 if (multi)
908 return (-1);
909 target = (struct pf_addr *)&pd->hdr.nd_ns.nd_ns_target;
910 saddr = target;
911 if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)((&pd->dst->pfa.v6)->__u6_addr.__u6_addr8[0] == 0xff
)) {
912 key->addr[didx].addr32pfa.addr32[0] = 0;
913 key->addr[didx].addr32pfa.addr32[1] = 0;
914 key->addr[didx].addr32pfa.addr32[2] = 0;
915 key->addr[didx].addr32pfa.addr32[3] = 0;
916 daddr = NULL((void *)0); /* overwritten */
917 }
918 break;
919 default:
920 if (multi) {
921 key->addr[sidx].addr32pfa.addr32[0] = __IPV6_ADDR_INT32_MLL(__uint32_t)(__builtin_constant_p(0xff020000) ? (__uint32_t)(
((__uint32_t)(0xff020000) & 0xff) << 24 | ((__uint32_t
)(0xff020000) & 0xff00) << 8 | ((__uint32_t)(0xff020000
) & 0xff0000) >> 8 | ((__uint32_t)(0xff020000) &
0xff000000) >> 24) : __swap32md(0xff020000));
922 key->addr[sidx].addr32pfa.addr32[1] = 0;
923 key->addr[sidx].addr32pfa.addr32[2] = 0;
924 key->addr[sidx].addr32pfa.addr32[3] = __IPV6_ADDR_INT32_ONE(__uint32_t)(__builtin_constant_p(1) ? (__uint32_t)(((__uint32_t
)(1) & 0xff) << 24 | ((__uint32_t)(1) & 0xff00)
<< 8 | ((__uint32_t)(1) & 0xff0000) >> 8 | (
(__uint32_t)(1) & 0xff000000) >> 24) : __swap32md(1
));
925 saddr = NULL((void *)0); /* overwritten */
926 }
927 }
928 copy:
929#endif /* INET6 */
930 if (saddr)
931 pf_addrcpy(&key->addr[sidx], saddr, af);
932 if (daddr)
933 pf_addrcpy(&key->addr[didx], daddr, af);
934
935 return (0);
936}
937
938int
939pf_state_key_setup(struct pf_pdesc *pd, struct pf_state_key **skw,
940 struct pf_state_key **sks, int rtableid)
941{
942 /* if returning error we MUST pool_put state keys ourselves */
943 struct pf_state_key *sk1, *sk2;
944 u_int wrdom = pd->rdomain;
945 int afto = pd->af != pd->naf;
946
947 if ((sk1 = pf_alloc_state_key(PR_NOWAIT0x0002 | PR_ZERO0x0008)) == NULL((void *)0))
948 return (ENOMEM12);
949
950 pf_state_key_addr_setup(pd, sk1, pd->sidx, pd->src, pd->didx, pd->dst,
951 pd->af, 0);
952 sk1->port[pd->sidx] = pd->osport;
953 sk1->port[pd->didx] = pd->odport;
954 sk1->proto = pd->proto;
955 sk1->af = pd->af;
956 sk1->rdomain = pd->rdomain;
957 sk1->hash = pf_pkt_hash(sk1->af, sk1->proto,
958 &sk1->addr[0], &sk1->addr[1], sk1->port[0], sk1->port[1]);
959 if (rtableid >= 0)
960 wrdom = rtable_l2(rtableid);
961
962 if (PF_ANEQ(&pd->nsaddr, pd->src, pd->af)((pd->af == 2 && (&pd->nsaddr)->pfa.addr32
[0] != (pd->src)->pfa.addr32[0]) || (pd->af == 24 &&
((&pd->nsaddr)->pfa.addr32[3] != (pd->src)->
pfa.addr32[3] || (&pd->nsaddr)->pfa.addr32[2] != (pd
->src)->pfa.addr32[2] || (&pd->nsaddr)->pfa.addr32
[1] != (pd->src)->pfa.addr32[1] || (&pd->nsaddr)
->pfa.addr32[0] != (pd->src)->pfa.addr32[0]))) ||
963 PF_ANEQ(&pd->ndaddr, pd->dst, pd->af)((pd->af == 2 && (&pd->ndaddr)->pfa.addr32
[0] != (pd->dst)->pfa.addr32[0]) || (pd->af == 24 &&
((&pd->ndaddr)->pfa.addr32[3] != (pd->dst)->
pfa.addr32[3] || (&pd->ndaddr)->pfa.addr32[2] != (pd
->dst)->pfa.addr32[2] || (&pd->ndaddr)->pfa.addr32
[1] != (pd->dst)->pfa.addr32[1] || (&pd->ndaddr)
->pfa.addr32[0] != (pd->dst)->pfa.addr32[0]))) ||
964 pd->nsport != pd->osport || pd->ndport != pd->odport ||
965 wrdom != pd->rdomain || afto) { /* NAT/NAT64 */
966 if ((sk2 = pf_alloc_state_key(PR_NOWAIT0x0002 | PR_ZERO0x0008)) == NULL((void *)0)) {
967 pf_state_key_unref(sk1);
968 return (ENOMEM12);
969 }
970 pf_state_key_addr_setup(pd, sk2, afto ? pd->didx : pd->sidx,
971 &pd->nsaddr, afto ? pd->sidx : pd->didx, &pd->ndaddr,
972 pd->naf, 0);
973 sk2->port[afto ? pd->didx : pd->sidx] = pd->nsport;
974 sk2->port[afto ? pd->sidx : pd->didx] = pd->ndport;
975 if (afto) {
976 switch (pd->proto) {
977 case IPPROTO_ICMP1:
978 sk2->proto = IPPROTO_ICMPV658;
979 break;
980 case IPPROTO_ICMPV658:
981 sk2->proto = IPPROTO_ICMP1;
982 break;
983 default:
984 sk2->proto = pd->proto;
985 }
986 } else
987 sk2->proto = pd->proto;
988 sk2->af = pd->naf;
989 sk2->rdomain = wrdom;
990 sk2->hash = pf_pkt_hash(sk2->af, sk2->proto,
991 &sk2->addr[0], &sk2->addr[1], sk2->port[0], sk2->port[1]);
992 } else
993 sk2 = pf_state_key_ref(sk1);
994
995 if (pd->dir == PF_IN) {
996 *skw = sk1;
997 *sks = sk2;
998 } else {
999 *sks = sk1;
1000 *skw = sk2;
1001 }
1002
1003 if (pf_status.debug >= LOG_DEBUG7) {
1004 log(LOG_DEBUG7, "pf: key setup: ");
1005 pf_print_state_parts(NULL((void *)0), *skw, *sks);
1006 addlog("\n");
1007 }
1008
1009 return (0);
1010}
1011
1012/*
1013 * pf_state_insert() does the following:
1014 * - links the pf_state up with pf_state_key(s).
1015 * - inserts the pf_state_keys into pf_state_tree.
1016 * - inserts the pf_state into the into pf_state_tree_id.
1017 * - tells pfsync about the state.
1018 *
1019 * pf_state_insert() owns the references to the pf_state_key structs
1020 * it is given. on failure to insert, these references are released.
1021 * on success, the caller owns a pf_state reference that allows it
1022 * to access the state keys.
1023 */
1024
1025int
1026pf_state_insert(struct pfi_kif *kif, struct pf_state_key **skwp,
1027 struct pf_state_key **sksp, struct pf_state *st)
1028{
1029 struct pf_state_key *skw = *skwp;
1030 struct pf_state_key *sks = *sksp;
1031 int same = (skw == sks);
1032
1033 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
1034
1035 st->kif = kif;
1036 PF_STATE_ENTER_WRITE()do { rw_enter_write(&pf_state_lock); } while (0);
1037
1038 skw = pf_state_key_attach(skw, st, PF_SK_WIRE);
1039 if (skw == NULL((void *)0)) {
1040 pf_state_key_unref(sks);
1041 PF_STATE_EXIT_WRITE()do { do { if (rw_status(&pf_state_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_state_lock), __func__); } while (
0); rw_exit_write(&pf_state_lock); } while (0);
1042 return (-1);
1043 }
1044
1045 if (same) {
1046 /* pf_state_key_attach might have swapped skw */
1047 pf_state_key_unref(sks);
1048 st->key[PF_SK_STACK] = sks = pf_state_key_ref(skw);
1049 } else if (pf_state_key_attach(sks, st, PF_SK_STACK) == NULL((void *)0)) {
1050 pf_state_key_detach(st, PF_SK_WIRE);
1051 PF_STATE_EXIT_WRITE()do { do { if (rw_status(&pf_state_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_state_lock), __func__); } while (
0); rw_exit_write(&pf_state_lock); } while (0);
1052 return (-1);
1053 }
1054
1055 if (st->id == 0 && st->creatorid == 0) {
1056 st->id = htobe64(pf_status.stateid++)(__uint64_t)(__builtin_constant_p(pf_status.stateid++) ? (__uint64_t
)((((__uint64_t)(pf_status.stateid++) & 0xff) << 56
) | ((__uint64_t)(pf_status.stateid++) & 0xff00ULL) <<
40 | ((__uint64_t)(pf_status.stateid++) & 0xff0000ULL) <<
24 | ((__uint64_t)(pf_status.stateid++) & 0xff000000ULL)
<< 8 | ((__uint64_t)(pf_status.stateid++) & 0xff00000000ULL
) >> 8 | ((__uint64_t)(pf_status.stateid++) & 0xff0000000000ULL
) >> 24 | ((__uint64_t)(pf_status.stateid++) & 0xff000000000000ULL
) >> 40 | ((__uint64_t)(pf_status.stateid++) & 0xff00000000000000ULL
) >> 56) : __swap64md(pf_status.stateid++));
1057 st->creatorid = pf_status.hostid;
1058 }
1059 if (RBT_INSERT(pf_state_tree_id, &tree_id, st)pf_state_tree_id_RBT_INSERT(&tree_id, st) != NULL((void *)0)) {
1060 if (pf_status.debug >= LOG_NOTICE5) {
1061 log(LOG_NOTICE5, "pf: state insert failed: "
1062 "id: %016llx creatorid: %08x",
1063 betoh64(st->id)(__uint64_t)(__builtin_constant_p(st->id) ? (__uint64_t)((
((__uint64_t)(st->id) & 0xff) << 56) | ((__uint64_t
)(st->id) & 0xff00ULL) << 40 | ((__uint64_t)(st->
id) & 0xff0000ULL) << 24 | ((__uint64_t)(st->id)
& 0xff000000ULL) << 8 | ((__uint64_t)(st->id) &
0xff00000000ULL) >> 8 | ((__uint64_t)(st->id) &
0xff0000000000ULL) >> 24 | ((__uint64_t)(st->id) &
0xff000000000000ULL) >> 40 | ((__uint64_t)(st->id) &
0xff00000000000000ULL) >> 56) : __swap64md(st->id)), ntohl(st->creatorid)(__uint32_t)(__builtin_constant_p(st->creatorid) ? (__uint32_t
)(((__uint32_t)(st->creatorid) & 0xff) << 24 | (
(__uint32_t)(st->creatorid) & 0xff00) << 8 | ((__uint32_t
)(st->creatorid) & 0xff0000) >> 8 | ((__uint32_t
)(st->creatorid) & 0xff000000) >> 24) : __swap32md
(st->creatorid)));
1064 addlog("\n");
1065 }
1066 pf_detach_state(st);
1067 PF_STATE_EXIT_WRITE()do { do { if (rw_status(&pf_state_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_state_lock), __func__); } while (
0); rw_exit_write(&pf_state_lock); } while (0);
1068 return (-1);
1069 }
1070 pf_state_list_insert(&pf_state_list, st);
1071 pf_status.fcounters[FCNT_STATE_INSERT1]++;
1072 pf_status.states++;
1073 pfi_kif_ref(kif, PFI_KIF_REF_STATE);
1074 PF_STATE_EXIT_WRITE()do { do { if (rw_status(&pf_state_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_state_lock), __func__); } while (
0); rw_exit_write(&pf_state_lock); } while (0);
1075
1076#if NPFSYNC1 > 0
1077 pfsync_insert_state(st);
1078#endif /* NPFSYNC > 0 */
1079
1080 *skwp = skw;
1081 *sksp = sks;
1082
1083 return (0);
1084}
1085
1086struct pf_state *
1087pf_find_state_byid(struct pf_state_cmp *key)
1088{
1089 pf_status.fcounters[FCNT_STATE_SEARCH0]++;
1090
1091 return (RBT_FIND(pf_state_tree_id, &tree_id, (struct pf_state *)key)pf_state_tree_id_RBT_FIND(&tree_id, (struct pf_state *)key
));
1092}
1093
1094int
1095pf_compare_state_keys(struct pf_state_key *a, struct pf_state_key *b,
1096 struct pfi_kif *kif, u_int dir)
1097{
1098 /* a (from hdr) and b (new) must be exact opposites of each other */
1099 if (a->af == b->af && a->proto == b->proto &&
1100 PF_AEQ(&a->addr[0], &b->addr[1], a->af)((a->af == 2 && (&a->addr[0])->pfa.addr32
[0] == (&b->addr[1])->pfa.addr32[0]) || (a->af ==
24 && (&a->addr[0])->pfa.addr32[3] == (&
b->addr[1])->pfa.addr32[3] && (&a->addr[
0])->pfa.addr32[2] == (&b->addr[1])->pfa.addr32[
2] && (&a->addr[0])->pfa.addr32[1] == (&
b->addr[1])->pfa.addr32[1] && (&a->addr[
0])->pfa.addr32[0] == (&b->addr[1])->pfa.addr32[
0])) &&
1101 PF_AEQ(&a->addr[1], &b->addr[0], a->af)((a->af == 2 && (&a->addr[1])->pfa.addr32
[0] == (&b->addr[0])->pfa.addr32[0]) || (a->af ==
24 && (&a->addr[1])->pfa.addr32[3] == (&
b->addr[0])->pfa.addr32[3] && (&a->addr[
1])->pfa.addr32[2] == (&b->addr[0])->pfa.addr32[
2] && (&a->addr[1])->pfa.addr32[1] == (&
b->addr[0])->pfa.addr32[1] && (&a->addr[
1])->pfa.addr32[0] == (&b->addr[0])->pfa.addr32[
0])) &&
1102 a->port[0] == b->port[1] &&
1103 a->port[1] == b->port[0] && a->rdomain == b->rdomain)
1104 return (0);
1105 else {
1106 /* mismatch. must not happen. */
1107 if (pf_status.debug >= LOG_ERR3) {
1108 log(LOG_ERR3,
1109 "pf: state key linking mismatch! dir=%s, "
1110 "if=%s, stored af=%u, a0: ",
1111 dir == PF_OUT ? "OUT" : "IN",
1112 kif->pfik_name, a->af);
1113 pf_print_host(&a->addr[0], a->port[0], a->af);
1114 addlog(", a1: ");
1115 pf_print_host(&a->addr[1], a->port[1], a->af);
1116 addlog(", proto=%u", a->proto);
1117 addlog(", found af=%u, a0: ", b->af);
1118 pf_print_host(&b->addr[0], b->port[0], b->af);
1119 addlog(", a1: ");
1120 pf_print_host(&b->addr[1], b->port[1], b->af);
1121 addlog(", proto=%u", b->proto);
1122 addlog("\n");
1123 }
1124 return (-1);
1125 }
1126}
1127
1128int
1129pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
1130 struct pf_state **stp)
1131{
1132 struct pf_state_key *sk, *pkt_sk;
1133 struct pf_state_item *si;
1134 struct pf_state *st = NULL((void *)0);
1135
1136 pf_status.fcounters[FCNT_STATE_SEARCH0]++;
1137 if (pf_status.debug >= LOG_DEBUG7) {
1138 log(LOG_DEBUG7, "pf: key search, %s on %s: ",
1139 pd->dir == PF_OUT ? "out" : "in", pd->kif->pfik_name);
1140 pf_print_state_parts(NULL((void *)0), (struct pf_state_key *)key, NULL((void *)0));
1141 addlog("\n");
1142 }
1143
1144 pkt_sk = NULL((void *)0);
1145 sk = NULL((void *)0);
1146 if (pd->dir == PF_OUT) {
1147 /* first if block deals with outbound forwarded packet */
1148 pkt_sk = pd->m->m_pkthdrM_dat.MH.MH_pkthdr.pf.statekey;
1149
1150 if (!pf_state_key_isvalid(pkt_sk)) {
1151 pf_mbuf_unlink_state_key(pd->m);
1152 pkt_sk = NULL((void *)0);
1153 }
1154
1155 if (pkt_sk && pf_state_key_isvalid(pkt_sk->sk_reverse))
1156 sk = pkt_sk->sk_reverse;
1157
1158 if (pkt_sk == NULL((void *)0)) {
1159 struct inpcb *inp = pd->m->m_pkthdrM_dat.MH.MH_pkthdr.pf.inp;
1160
1161 /* here we deal with local outbound packet */
1162 if (inp != NULL((void *)0)) {
1163 struct pf_state_key *inp_sk;
1164
1165 mtx_enter(&pf_inp_mtx);
1166 inp_sk = inp->inp_pf_sk;
1167 if (pf_state_key_isvalid(inp_sk)) {
1168 sk = inp_sk;
1169 mtx_leave(&pf_inp_mtx);
1170 } else if (inp_sk != NULL((void *)0)) {
1171 KASSERT(inp_sk->sk_inp == inp)((inp_sk->sk_inp == inp) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 1171, "inp_sk->sk_inp == inp"));
1172 inp_sk->sk_inp = NULL((void *)0);
1173 inp->inp_pf_sk = NULL((void *)0);
1174 mtx_leave(&pf_inp_mtx);
1175
1176 pf_state_key_unref(inp_sk);
1177 in_pcbunref(inp);
1178 } else
1179 mtx_leave(&pf_inp_mtx);
1180 }
1181 }
1182 }
1183
1184 if (sk == NULL((void *)0)) {
1185 if ((sk = RBT_FIND(pf_state_tree, &pf_statetbl,pf_state_tree_RBT_FIND(&pf_statetbl, (struct pf_state_key
*)key)
1186 (struct pf_state_key *)key)pf_state_tree_RBT_FIND(&pf_statetbl, (struct pf_state_key
*)key)) == NULL((void *)0))
1187 return (PF_DROP);
1188 if (pd->dir == PF_OUT && pkt_sk &&
1189 pf_compare_state_keys(pkt_sk, sk, pd->kif, pd->dir) == 0)
1190 pf_state_key_link_reverse(sk, pkt_sk);
1191 else if (pd->dir == PF_OUT)
1192 pf_state_key_link_inpcb(sk, pd->m->m_pkthdrM_dat.MH.MH_pkthdr.pf.inp);
1193 }
1194
1195 /* remove firewall data from outbound packet */
1196 if (pd->dir == PF_OUT)
1197 pf_pkt_addr_changed(pd->m);
1198
1199 /* list is sorted, if-bound states before floating ones */
1200 TAILQ_FOREACH(si, &sk->sk_states, si_entry)for((si) = ((&sk->sk_states)->tqh_first); (si) != (
(void *)0); (si) = ((si)->si_entry.tqe_next)) {
1201 struct pf_state *sist = si->si_st;
1202 if (sist->timeout != PFTM_PURGE &&
1203 (sist->kif == pfi_all || sist->kif == pd->kif) &&
1204 ((sist->key[PF_SK_WIRE]->af == sist->key[PF_SK_STACK]->af &&
1205 sk == (pd->dir == PF_IN ? sist->key[PF_SK_WIRE] :
1206 sist->key[PF_SK_STACK])) ||
1207 (sist->key[PF_SK_WIRE]->af != sist->key[PF_SK_STACK]->af
1208 && pd->dir == PF_IN && (sk == sist->key[PF_SK_STACK] ||
1209 sk == sist->key[PF_SK_WIRE])))) {
1210 st = sist;
1211 break;
1212 }
1213 }
1214
1215 if (st == NULL((void *)0))
1216 return (PF_DROP);
1217 if (ISSET(st->state_flags, PFSTATE_INP_UNLINKED)((st->state_flags) & (0x0400)))
1218 return (PF_DROP);
1219
1220 if (st->rule.ptr->pktrate.limit && pd->dir == st->direction) {
1221 pf_add_threshold(&st->rule.ptr->pktrate);
1222 if (pf_check_threshold(&st->rule.ptr->pktrate))
1223 return (PF_DROP);
1224 }
1225
1226 *stp = st;
1227
1228 return (PF_MATCH);
1229}
1230
1231struct pf_state *
1232pf_find_state_all(struct pf_state_key_cmp *key, u_int dir, int *more)
1233{
1234 struct pf_state_key *sk;
1235 struct pf_state_item *si, *ret = NULL((void *)0);
1236
1237 pf_status.fcounters[FCNT_STATE_SEARCH0]++;
1238
1239 sk = RBT_FIND(pf_state_tree, &pf_statetbl, (struct pf_state_key *)key)pf_state_tree_RBT_FIND(&pf_statetbl, (struct pf_state_key
*)key);
1240
1241 if (sk != NULL((void *)0)) {
1242 TAILQ_FOREACH(si, &sk->sk_states, si_entry)for((si) = ((&sk->sk_states)->tqh_first); (si) != (
(void *)0); (si) = ((si)->si_entry.tqe_next)) {
1243 struct pf_state *sist = si->si_st;
1244 if (dir == PF_INOUT ||
1245 (sk == (dir == PF_IN ? sist->key[PF_SK_WIRE] :
1246 sist->key[PF_SK_STACK]))) {
1247 if (more == NULL((void *)0))
1248 return (sist);
1249
1250 if (ret)
1251 (*more)++;
1252 else
1253 ret = si;
1254 }
1255 }
1256 }
1257 return (ret ? ret->si_st : NULL((void *)0));
1258}
1259
1260void
1261pf_state_peer_hton(const struct pf_state_peer *s, struct pfsync_state_peer *d)
1262{
1263 d->seqlo = htonl(s->seqlo)(__uint32_t)(__builtin_constant_p(s->seqlo) ? (__uint32_t)
(((__uint32_t)(s->seqlo) & 0xff) << 24 | ((__uint32_t
)(s->seqlo) & 0xff00) << 8 | ((__uint32_t)(s->
seqlo) & 0xff0000) >> 8 | ((__uint32_t)(s->seqlo
) & 0xff000000) >> 24) : __swap32md(s->seqlo));
1264 d->seqhi = htonl(s->seqhi)(__uint32_t)(__builtin_constant_p(s->seqhi) ? (__uint32_t)
(((__uint32_t)(s->seqhi) & 0xff) << 24 | ((__uint32_t
)(s->seqhi) & 0xff00) << 8 | ((__uint32_t)(s->
seqhi) & 0xff0000) >> 8 | ((__uint32_t)(s->seqhi
) & 0xff000000) >> 24) : __swap32md(s->seqhi));
1265 d->seqdiff = htonl(s->seqdiff)(__uint32_t)(__builtin_constant_p(s->seqdiff) ? (__uint32_t
)(((__uint32_t)(s->seqdiff) & 0xff) << 24 | ((__uint32_t
)(s->seqdiff) & 0xff00) << 8 | ((__uint32_t)(s->
seqdiff) & 0xff0000) >> 8 | ((__uint32_t)(s->seqdiff
) & 0xff000000) >> 24) : __swap32md(s->seqdiff));
1266 d->max_win = htons(s->max_win)(__uint16_t)(__builtin_constant_p(s->max_win) ? (__uint16_t
)(((__uint16_t)(s->max_win) & 0xffU) << 8 | ((__uint16_t
)(s->max_win) & 0xff00U) >> 8) : __swap16md(s->
max_win));
1267 d->mss = htons(s->mss)(__uint16_t)(__builtin_constant_p(s->mss) ? (__uint16_t)((
(__uint16_t)(s->mss) & 0xffU) << 8 | ((__uint16_t
)(s->mss) & 0xff00U) >> 8) : __swap16md(s->mss
));
1268 d->state = s->state;
1269 d->wscale = s->wscale;
1270 if (s->scrub) {
1271 d->scrub.pfss_flags =
1272 htons(s->scrub->pfss_flags & PFSS_TIMESTAMP)(__uint16_t)(__builtin_constant_p(s->scrub->pfss_flags &
0x0001) ? (__uint16_t)(((__uint16_t)(s->scrub->pfss_flags
& 0x0001) & 0xffU) << 8 | ((__uint16_t)(s->
scrub->pfss_flags & 0x0001) & 0xff00U) >> 8)
: __swap16md(s->scrub->pfss_flags & 0x0001));
1273 d->scrub.pfss_ttl = (s)->scrub->pfss_ttl;
1274 d->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod)(__uint32_t)(__builtin_constant_p((s)->scrub->pfss_ts_mod
) ? (__uint32_t)(((__uint32_t)((s)->scrub->pfss_ts_mod)
& 0xff) << 24 | ((__uint32_t)((s)->scrub->pfss_ts_mod
) & 0xff00) << 8 | ((__uint32_t)((s)->scrub->
pfss_ts_mod) & 0xff0000) >> 8 | ((__uint32_t)((s)->
scrub->pfss_ts_mod) & 0xff000000) >> 24) : __swap32md
((s)->scrub->pfss_ts_mod));
1275 d->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID0x01;
1276 }
1277}
1278
1279void
1280pf_state_peer_ntoh(const struct pfsync_state_peer *s, struct pf_state_peer *d)
1281{
1282 d->seqlo = ntohl(s->seqlo)(__uint32_t)(__builtin_constant_p(s->seqlo) ? (__uint32_t)
(((__uint32_t)(s->seqlo) & 0xff) << 24 | ((__uint32_t
)(s->seqlo) & 0xff00) << 8 | ((__uint32_t)(s->
seqlo) & 0xff0000) >> 8 | ((__uint32_t)(s->seqlo
) & 0xff000000) >> 24) : __swap32md(s->seqlo));
1283 d->seqhi = ntohl(s->seqhi)(__uint32_t)(__builtin_constant_p(s->seqhi) ? (__uint32_t)
(((__uint32_t)(s->seqhi) & 0xff) << 24 | ((__uint32_t
)(s->seqhi) & 0xff00) << 8 | ((__uint32_t)(s->
seqhi) & 0xff0000) >> 8 | ((__uint32_t)(s->seqhi
) & 0xff000000) >> 24) : __swap32md(s->seqhi));
1284 d->seqdiff = ntohl(s->seqdiff)(__uint32_t)(__builtin_constant_p(s->seqdiff) ? (__uint32_t
)(((__uint32_t)(s->seqdiff) & 0xff) << 24 | ((__uint32_t
)(s->seqdiff) & 0xff00) << 8 | ((__uint32_t)(s->
seqdiff) & 0xff0000) >> 8 | ((__uint32_t)(s->seqdiff
) & 0xff000000) >> 24) : __swap32md(s->seqdiff));
1285 d->max_win = ntohs(s->max_win)(__uint16_t)(__builtin_constant_p(s->max_win) ? (__uint16_t
)(((__uint16_t)(s->max_win) & 0xffU) << 8 | ((__uint16_t
)(s->max_win) & 0xff00U) >> 8) : __swap16md(s->
max_win));
1286 d->mss = ntohs(s->mss)(__uint16_t)(__builtin_constant_p(s->mss) ? (__uint16_t)((
(__uint16_t)(s->mss) & 0xffU) << 8 | ((__uint16_t
)(s->mss) & 0xff00U) >> 8) : __swap16md(s->mss
));
1287 d->state = s->state;
1288 d->wscale = s->wscale;
1289 if (s->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID0x01 &&
1290 d->scrub != NULL((void *)0)) {
1291 d->scrub->pfss_flags =
1292 ntohs(s->scrub.pfss_flags)(__uint16_t)(__builtin_constant_p(s->scrub.pfss_flags) ? (
__uint16_t)(((__uint16_t)(s->scrub.pfss_flags) & 0xffU
) << 8 | ((__uint16_t)(s->scrub.pfss_flags) & 0xff00U
) >> 8) : __swap16md(s->scrub.pfss_flags)) & PFSS_TIMESTAMP0x0001;
1293 d->scrub->pfss_ttl = s->scrub.pfss_ttl;
1294 d->scrub->pfss_ts_mod = ntohl(s->scrub.pfss_ts_mod)(__uint32_t)(__builtin_constant_p(s->scrub.pfss_ts_mod) ? (
__uint32_t)(((__uint32_t)(s->scrub.pfss_ts_mod) & 0xff
) << 24 | ((__uint32_t)(s->scrub.pfss_ts_mod) & 0xff00
) << 8 | ((__uint32_t)(s->scrub.pfss_ts_mod) & 0xff0000
) >> 8 | ((__uint32_t)(s->scrub.pfss_ts_mod) & 0xff000000
) >> 24) : __swap32md(s->scrub.pfss_ts_mod));
1295 }
1296}
1297
1298void
1299pf_state_export(struct pfsync_state *sp, struct pf_state *st)
1300{
1301 int32_t expire;
1302
1303 memset(sp, 0, sizeof(struct pfsync_state))__builtin_memset((sp), (0), (sizeof(struct pfsync_state)));
1304
1305 /* copy from state key */
1306 sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0];
1307 sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1];
1308 sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0];
1309 sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1];
1310 sp->key[PF_SK_WIRE].rdomain = htons(st->key[PF_SK_WIRE]->rdomain)(__uint16_t)(__builtin_constant_p(st->key[PF_SK_WIRE]->
rdomain) ? (__uint16_t)(((__uint16_t)(st->key[PF_SK_WIRE]->
rdomain) & 0xffU) << 8 | ((__uint16_t)(st->key[PF_SK_WIRE
]->rdomain) & 0xff00U) >> 8) : __swap16md(st->
key[PF_SK_WIRE]->rdomain));
1311 sp->key[PF_SK_WIRE].af = st->key[PF_SK_WIRE]->af;
1312 sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0];
1313 sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1];
1314 sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0];
1315 sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1];
1316 sp->key[PF_SK_STACK].rdomain = htons(st->key[PF_SK_STACK]->rdomain)(__uint16_t)(__builtin_constant_p(st->key[PF_SK_STACK]->
rdomain) ? (__uint16_t)(((__uint16_t)(st->key[PF_SK_STACK]
->rdomain) & 0xffU) << 8 | ((__uint16_t)(st->
key[PF_SK_STACK]->rdomain) & 0xff00U) >> 8) : __swap16md
(st->key[PF_SK_STACK]->rdomain));
1317 sp->key[PF_SK_STACK].af = st->key[PF_SK_STACK]->af;
1318 sp->rtableid[PF_SK_WIRE] = htonl(st->rtableid[PF_SK_WIRE])(__uint32_t)(__builtin_constant_p(st->rtableid[PF_SK_WIRE]
) ? (__uint32_t)(((__uint32_t)(st->rtableid[PF_SK_WIRE]) &
0xff) << 24 | ((__uint32_t)(st->rtableid[PF_SK_WIRE
]) & 0xff00) << 8 | ((__uint32_t)(st->rtableid[PF_SK_WIRE
]) & 0xff0000) >> 8 | ((__uint32_t)(st->rtableid
[PF_SK_WIRE]) & 0xff000000) >> 24) : __swap32md(st->
rtableid[PF_SK_WIRE]));
1319 sp->rtableid[PF_SK_STACK] = htonl(st->rtableid[PF_SK_STACK])(__uint32_t)(__builtin_constant_p(st->rtableid[PF_SK_STACK
]) ? (__uint32_t)(((__uint32_t)(st->rtableid[PF_SK_STACK])
& 0xff) << 24 | ((__uint32_t)(st->rtableid[PF_SK_STACK
]) & 0xff00) << 8 | ((__uint32_t)(st->rtableid[PF_SK_STACK
]) & 0xff0000) >> 8 | ((__uint32_t)(st->rtableid
[PF_SK_STACK]) & 0xff000000) >> 24) : __swap32md(st
->rtableid[PF_SK_STACK]));
1320 sp->proto = st->key[PF_SK_WIRE]->proto;
1321 sp->af = st->key[PF_SK_WIRE]->af;
1322
1323 /* copy from state */
1324 strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
1325 sp->rt = st->rt;
1326 sp->rt_addr = st->rt_addr;
1327 sp->creation = htonl(getuptime() - st->creation)(__uint32_t)(__builtin_constant_p(getuptime() - st->creation
) ? (__uint32_t)(((__uint32_t)(getuptime() - st->creation)
& 0xff) << 24 | ((__uint32_t)(getuptime() - st->
creation) & 0xff00) << 8 | ((__uint32_t)(getuptime(
) - st->creation) & 0xff0000) >> 8 | ((__uint32_t
)(getuptime() - st->creation) & 0xff000000) >> 24
) : __swap32md(getuptime() - st->creation));
1328 expire = pf_state_expires(st, st->timeout);
1329 if (expire <= getuptime())
1330 sp->expire = htonl(0)(__uint32_t)(__builtin_constant_p(0) ? (__uint32_t)(((__uint32_t
)(0) & 0xff) << 24 | ((__uint32_t)(0) & 0xff00)
<< 8 | ((__uint32_t)(0) & 0xff0000) >> 8 | (
(__uint32_t)(0) & 0xff000000) >> 24) : __swap32md(0
));
1331 else
1332 sp->expire = htonl(expire - getuptime())(__uint32_t)(__builtin_constant_p(expire - getuptime()) ? (__uint32_t
)(((__uint32_t)(expire - getuptime()) & 0xff) << 24
| ((__uint32_t)(expire - getuptime()) & 0xff00) <<
8 | ((__uint32_t)(expire - getuptime()) & 0xff0000) >>
8 | ((__uint32_t)(expire - getuptime()) & 0xff000000) >>
24) : __swap32md(expire - getuptime()));
1333
1334 sp->direction = st->direction;
1335#if NPFLOG1 > 0
1336 sp->log = st->log;
1337#endif /* NPFLOG > 0 */
1338 sp->timeout = st->timeout;
1339 sp->state_flags = htons(st->state_flags)(__uint16_t)(__builtin_constant_p(st->state_flags) ? (__uint16_t
)(((__uint16_t)(st->state_flags) & 0xffU) << 8 |
((__uint16_t)(st->state_flags) & 0xff00U) >> 8)
: __swap16md(st->state_flags));
1340 if (READ_ONCE(st->sync_defer)({ typeof(st->sync_defer) __tmp = *(volatile typeof(st->
sync_defer) *)&(st->sync_defer); membar_datadep_consumer
(); __tmp; }) != NULL((void *)0))
1341 sp->state_flags |= htons(PFSTATE_ACK)(__uint16_t)(__builtin_constant_p(0x0010) ? (__uint16_t)(((__uint16_t
)(0x0010) & 0xffU) << 8 | ((__uint16_t)(0x0010) &
0xff00U) >> 8) : __swap16md(0x0010));
1342 if (!SLIST_EMPTY(&st->src_nodes)(((&st->src_nodes)->slh_first) == ((void *)0)))
1343 sp->sync_flags |= PFSYNC_FLAG_SRCNODE0x04;
1344
1345 sp->id = st->id;
1346 sp->creatorid = st->creatorid;
1347 pf_state_peer_hton(&st->src, &sp->src);
1348 pf_state_peer_hton(&st->dst, &sp->dst);
1349
1350 if (st->rule.ptr == NULL((void *)0))
1351 sp->rule = htonl(-1)(__uint32_t)(__builtin_constant_p(-1) ? (__uint32_t)(((__uint32_t
)(-1) & 0xff) << 24 | ((__uint32_t)(-1) & 0xff00
) << 8 | ((__uint32_t)(-1) & 0xff0000) >> 8 |
((__uint32_t)(-1) & 0xff000000) >> 24) : __swap32md
(-1));
1352 else
1353 sp->rule = htonl(st->rule.ptr->nr)(__uint32_t)(__builtin_constant_p(st->rule.ptr->nr) ? (
__uint32_t)(((__uint32_t)(st->rule.ptr->nr) & 0xff)
<< 24 | ((__uint32_t)(st->rule.ptr->nr) & 0xff00
) << 8 | ((__uint32_t)(st->rule.ptr->nr) & 0xff0000
) >> 8 | ((__uint32_t)(st->rule.ptr->nr) & 0xff000000
) >> 24) : __swap32md(st->rule.ptr->nr));
1354 if (st->anchor.ptr == NULL((void *)0))
1355 sp->anchor = htonl(-1)(__uint32_t)(__builtin_constant_p(-1) ? (__uint32_t)(((__uint32_t
)(-1) & 0xff) << 24 | ((__uint32_t)(-1) & 0xff00
) << 8 | ((__uint32_t)(-1) & 0xff0000) >> 8 |
((__uint32_t)(-1) & 0xff000000) >> 24) : __swap32md
(-1));
1356 else
1357 sp->anchor = htonl(st->anchor.ptr->nr)(__uint32_t)(__builtin_constant_p(st->anchor.ptr->nr) ?
(__uint32_t)(((__uint32_t)(st->anchor.ptr->nr) & 0xff
) << 24 | ((__uint32_t)(st->anchor.ptr->nr) &
0xff00) << 8 | ((__uint32_t)(st->anchor.ptr->nr)
& 0xff0000) >> 8 | ((__uint32_t)(st->anchor.ptr
->nr) & 0xff000000) >> 24) : __swap32md(st->anchor
.ptr->nr));
1358 sp->nat_rule = htonl(-1)(__uint32_t)(__builtin_constant_p(-1) ? (__uint32_t)(((__uint32_t
)(-1) & 0xff) << 24 | ((__uint32_t)(-1) & 0xff00
) << 8 | ((__uint32_t)(-1) & 0xff0000) >> 8 |
((__uint32_t)(-1) & 0xff000000) >> 24) : __swap32md
(-1)); /* left for compat, nat_rule is gone */
1359
1360 pf_state_counter_hton(st->packets[0], sp->packets[0])do { sp->packets[0][0] = (__uint32_t)(__builtin_constant_p
((st->packets[0]>>32)&0xffffffff) ? (__uint32_t)
(((__uint32_t)((st->packets[0]>>32)&0xffffffff) &
0xff) << 24 | ((__uint32_t)((st->packets[0]>>
32)&0xffffffff) & 0xff00) << 8 | ((__uint32_t)(
(st->packets[0]>>32)&0xffffffff) & 0xff0000)
>> 8 | ((__uint32_t)((st->packets[0]>>32)&
0xffffffff) & 0xff000000) >> 24) : __swap32md((st->
packets[0]>>32)&0xffffffff)); sp->packets[0][1] =
(__uint32_t)(__builtin_constant_p(st->packets[0]&0xffffffff
) ? (__uint32_t)(((__uint32_t)(st->packets[0]&0xffffffff
) & 0xff) << 24 | ((__uint32_t)(st->packets[0]&
0xffffffff) & 0xff00) << 8 | ((__uint32_t)(st->packets
[0]&0xffffffff) & 0xff0000) >> 8 | ((__uint32_t
)(st->packets[0]&0xffffffff) & 0xff000000) >>
24) : __swap32md(st->packets[0]&0xffffffff)); } while
(0);
1361 pf_state_counter_hton(st->packets[1], sp->packets[1])do { sp->packets[1][0] = (__uint32_t)(__builtin_constant_p
((st->packets[1]>>32)&0xffffffff) ? (__uint32_t)
(((__uint32_t)((st->packets[1]>>32)&0xffffffff) &
0xff) << 24 | ((__uint32_t)((st->packets[1]>>
32)&0xffffffff) & 0xff00) << 8 | ((__uint32_t)(
(st->packets[1]>>32)&0xffffffff) & 0xff0000)
>> 8 | ((__uint32_t)((st->packets[1]>>32)&
0xffffffff) & 0xff000000) >> 24) : __swap32md((st->
packets[1]>>32)&0xffffffff)); sp->packets[1][1] =
(__uint32_t)(__builtin_constant_p(st->packets[1]&0xffffffff
) ? (__uint32_t)(((__uint32_t)(st->packets[1]&0xffffffff
) & 0xff) << 24 | ((__uint32_t)(st->packets[1]&
0xffffffff) & 0xff00) << 8 | ((__uint32_t)(st->packets
[1]&0xffffffff) & 0xff0000) >> 8 | ((__uint32_t
)(st->packets[1]&0xffffffff) & 0xff000000) >>
24) : __swap32md(st->packets[1]&0xffffffff)); } while
(0);
1362 pf_state_counter_hton(st->bytes[0], sp->bytes[0])do { sp->bytes[0][0] = (__uint32_t)(__builtin_constant_p((
st->bytes[0]>>32)&0xffffffff) ? (__uint32_t)(((__uint32_t
)((st->bytes[0]>>32)&0xffffffff) & 0xff) <<
24 | ((__uint32_t)((st->bytes[0]>>32)&0xffffffff
) & 0xff00) << 8 | ((__uint32_t)((st->bytes[0]>>
32)&0xffffffff) & 0xff0000) >> 8 | ((__uint32_t
)((st->bytes[0]>>32)&0xffffffff) & 0xff000000
) >> 24) : __swap32md((st->bytes[0]>>32)&0xffffffff
)); sp->bytes[0][1] = (__uint32_t)(__builtin_constant_p(st
->bytes[0]&0xffffffff) ? (__uint32_t)(((__uint32_t)(st
->bytes[0]&0xffffffff) & 0xff) << 24 | ((__uint32_t
)(st->bytes[0]&0xffffffff) & 0xff00) << 8 | (
(__uint32_t)(st->bytes[0]&0xffffffff) & 0xff0000) >>
8 | ((__uint32_t)(st->bytes[0]&0xffffffff) & 0xff000000
) >> 24) : __swap32md(st->bytes[0]&0xffffffff));
} while (0);
1363 pf_state_counter_hton(st->bytes[1], sp->bytes[1])do { sp->bytes[1][0] = (__uint32_t)(__builtin_constant_p((
st->bytes[1]>>32)&0xffffffff) ? (__uint32_t)(((__uint32_t
)((st->bytes[1]>>32)&0xffffffff) & 0xff) <<
24 | ((__uint32_t)((st->bytes[1]>>32)&0xffffffff
) & 0xff00) << 8 | ((__uint32_t)((st->bytes[1]>>
32)&0xffffffff) & 0xff0000) >> 8 | ((__uint32_t
)((st->bytes[1]>>32)&0xffffffff) & 0xff000000
) >> 24) : __swap32md((st->bytes[1]>>32)&0xffffffff
)); sp->bytes[1][1] = (__uint32_t)(__builtin_constant_p(st
->bytes[1]&0xffffffff) ? (__uint32_t)(((__uint32_t)(st
->bytes[1]&0xffffffff) & 0xff) << 24 | ((__uint32_t
)(st->bytes[1]&0xffffffff) & 0xff00) << 8 | (
(__uint32_t)(st->bytes[1]&0xffffffff) & 0xff0000) >>
8 | ((__uint32_t)(st->bytes[1]&0xffffffff) & 0xff000000
) >> 24) : __swap32md(st->bytes[1]&0xffffffff));
} while (0);
1364
1365 sp->max_mss = htons(st->max_mss)(__uint16_t)(__builtin_constant_p(st->max_mss) ? (__uint16_t
)(((__uint16_t)(st->max_mss) & 0xffU) << 8 | ((__uint16_t
)(st->max_mss) & 0xff00U) >> 8) : __swap16md(st->
max_mss));
1366 sp->min_ttl = st->min_ttl;
1367 sp->set_tos = st->set_tos;
1368 sp->set_prio[0] = st->set_prio[0];
1369 sp->set_prio[1] = st->set_prio[1];
1370}
1371
1372int
1373pf_state_alloc_scrub_memory(const struct pfsync_state_peer *s,
1374 struct pf_state_peer *d)
1375{
1376 if (s->scrub.scrub_flag && d->scrub == NULL((void *)0))
1377 return (pf_normalize_tcp_alloc(d));
1378
1379 return (0);
1380}
1381
1382#if NPFSYNC1 > 0
1383int
1384pf_state_import(const struct pfsync_state *sp, int flags)
1385{
1386 struct pf_state *st = NULL((void *)0);
1387 struct pf_state_key *skw = NULL((void *)0), *sks = NULL((void *)0);
1388 struct pf_rule *r = NULL((void *)0);
1389 struct pfi_kif *kif;
1390 int pool_flags;
1391 int error = ENOMEM12;
1392 int n = 0;
1393
1394 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
1395
1396 if (sp->creatorid == 0) {
1397 DPFPRINTF(LOG_NOTICE, "%s: invalid creator id: %08x", __func__,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"%s: invalid creator id: %08x", __func__, (__uint32_t)(__builtin_constant_p
(sp->creatorid) ? (__uint32_t)(((__uint32_t)(sp->creatorid
) & 0xff) << 24 | ((__uint32_t)(sp->creatorid) &
0xff00) << 8 | ((__uint32_t)(sp->creatorid) & 0xff0000
) >> 8 | ((__uint32_t)(sp->creatorid) & 0xff000000
) >> 24) : __swap32md(sp->creatorid))); addlog("\n")
; } } while (0)
1398 ntohl(sp->creatorid))do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"%s: invalid creator id: %08x", __func__, (__uint32_t)(__builtin_constant_p
(sp->creatorid) ? (__uint32_t)(((__uint32_t)(sp->creatorid
) & 0xff) << 24 | ((__uint32_t)(sp->creatorid) &
0xff00) << 8 | ((__uint32_t)(sp->creatorid) & 0xff0000
) >> 8 | ((__uint32_t)(sp->creatorid) & 0xff000000
) >> 24) : __swap32md(sp->creatorid))); addlog("\n")
; } } while (0);
1399 return (EINVAL22);
1400 }
1401
1402 if ((kif = pfi_kif_get(sp->ifname, NULL((void *)0))) == NULL((void *)0)) {
1403 DPFPRINTF(LOG_NOTICE, "%s: unknown interface: %s", __func__,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"%s: unknown interface: %s", __func__, sp->ifname); addlog
("\n"); } } while (0)
1404 sp->ifname)do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"%s: unknown interface: %s", __func__, sp->ifname); addlog
("\n"); } } while (0);
1405 if (flags & PFSYNC_SI_IOCTL0x01)
1406 return (EINVAL22);
1407 return (0); /* skip this state */
1408 }
1409
1410 if (sp->af == 0)
1411 return (0); /* skip this state */
1412
1413 /*
1414 * If the ruleset checksums match or the state is coming from the ioctl,
1415 * it's safe to associate the state with the rule of that number.
1416 */
1417 if (sp->rule != htonl(-1)(__uint32_t)(__builtin_constant_p(-1) ? (__uint32_t)(((__uint32_t
)(-1) & 0xff) << 24 | ((__uint32_t)(-1) & 0xff00
) << 8 | ((__uint32_t)(-1) & 0xff0000) >> 8 |
((__uint32_t)(-1) & 0xff000000) >> 24) : __swap32md
(-1)) && sp->anchor == htonl(-1)(__uint32_t)(__builtin_constant_p(-1) ? (__uint32_t)(((__uint32_t
)(-1) & 0xff) << 24 | ((__uint32_t)(-1) & 0xff00
) << 8 | ((__uint32_t)(-1) & 0xff0000) >> 8 |
((__uint32_t)(-1) & 0xff000000) >> 24) : __swap32md
(-1)) &&
1418 (flags & (PFSYNC_SI_IOCTL0x01 | PFSYNC_SI_CKSUM0x02)) &&
1419 ntohl(sp->rule)(__uint32_t)(__builtin_constant_p(sp->rule) ? (__uint32_t)
(((__uint32_t)(sp->rule) & 0xff) << 24 | ((__uint32_t
)(sp->rule) & 0xff00) << 8 | ((__uint32_t)(sp->
rule) & 0xff0000) >> 8 | ((__uint32_t)(sp->rule)
& 0xff000000) >> 24) : __swap32md(sp->rule)) < pf_main_rulesetpf_main_anchor.ruleset.rules.active.rcount) {
1420 TAILQ_FOREACH(r, pf_main_ruleset.rules.active.ptr, entries)for((r) = ((pf_main_anchor.ruleset.rules.active.ptr)->tqh_first
); (r) != ((void *)0); (r) = ((r)->entries.tqe_next))
1421 if (ntohl(sp->rule)(__uint32_t)(__builtin_constant_p(sp->rule) ? (__uint32_t)
(((__uint32_t)(sp->rule) & 0xff) << 24 | ((__uint32_t
)(sp->rule) & 0xff00) << 8 | ((__uint32_t)(sp->
rule) & 0xff0000) >> 8 | ((__uint32_t)(sp->rule)
& 0xff000000) >> 24) : __swap32md(sp->rule)) == n++)
1422 break;
1423 } else
1424 r = &pf_default_rule;
1425
1426 if ((r->max_states && r->states_cur >= r->max_states))
1427 goto cleanup;
1428
1429 if (flags & PFSYNC_SI_IOCTL0x01)
1430 pool_flags = PR_WAITOK0x0001 | PR_LIMITFAIL0x0004 | PR_ZERO0x0008;
1431 else
1432 pool_flags = PR_NOWAIT0x0002 | PR_LIMITFAIL0x0004 | PR_ZERO0x0008;
1433
1434 if ((st = pool_get(&pf_state_pl, pool_flags)) == NULL((void *)0))
1435 goto cleanup;
1436
1437 if ((skw = pf_alloc_state_key(pool_flags)) == NULL((void *)0))
1438 goto cleanup;
1439
1440 if ((sp->key[PF_SK_WIRE].af &&
1441 (sp->key[PF_SK_WIRE].af != sp->key[PF_SK_STACK].af)) ||
1442 PF_ANEQ(&sp->key[PF_SK_WIRE].addr[0],((sp->af == 2 && (&sp->key[PF_SK_WIRE].addr
[0])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr[
0])->pfa.addr32[0]) || (sp->af == 24 && ((&
sp->key[PF_SK_WIRE].addr[0])->pfa.addr32[3] != (&sp
->key[PF_SK_STACK].addr[0])->pfa.addr32[3] || (&sp->
key[PF_SK_WIRE].addr[0])->pfa.addr32[2] != (&sp->key
[PF_SK_STACK].addr[0])->pfa.addr32[2] || (&sp->key[
PF_SK_WIRE].addr[0])->pfa.addr32[1] != (&sp->key[PF_SK_STACK
].addr[0])->pfa.addr32[1] || (&sp->key[PF_SK_WIRE].
addr[0])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr
[0])->pfa.addr32[0])))
1443 &sp->key[PF_SK_STACK].addr[0], sp->af)((sp->af == 2 && (&sp->key[PF_SK_WIRE].addr
[0])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr[
0])->pfa.addr32[0]) || (sp->af == 24 && ((&
sp->key[PF_SK_WIRE].addr[0])->pfa.addr32[3] != (&sp
->key[PF_SK_STACK].addr[0])->pfa.addr32[3] || (&sp->
key[PF_SK_WIRE].addr[0])->pfa.addr32[2] != (&sp->key
[PF_SK_STACK].addr[0])->pfa.addr32[2] || (&sp->key[
PF_SK_WIRE].addr[0])->pfa.addr32[1] != (&sp->key[PF_SK_STACK
].addr[0])->pfa.addr32[1] || (&sp->key[PF_SK_WIRE].
addr[0])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr
[0])->pfa.addr32[0]))) ||
1444 PF_ANEQ(&sp->key[PF_SK_WIRE].addr[1],((sp->af == 2 && (&sp->key[PF_SK_WIRE].addr
[1])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr[
1])->pfa.addr32[0]) || (sp->af == 24 && ((&
sp->key[PF_SK_WIRE].addr[1])->pfa.addr32[3] != (&sp
->key[PF_SK_STACK].addr[1])->pfa.addr32[3] || (&sp->
key[PF_SK_WIRE].addr[1])->pfa.addr32[2] != (&sp->key
[PF_SK_STACK].addr[1])->pfa.addr32[2] || (&sp->key[
PF_SK_WIRE].addr[1])->pfa.addr32[1] != (&sp->key[PF_SK_STACK
].addr[1])->pfa.addr32[1] || (&sp->key[PF_SK_WIRE].
addr[1])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr
[1])->pfa.addr32[0])))
1445 &sp->key[PF_SK_STACK].addr[1], sp->af)((sp->af == 2 && (&sp->key[PF_SK_WIRE].addr
[1])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr[
1])->pfa.addr32[0]) || (sp->af == 24 && ((&
sp->key[PF_SK_WIRE].addr[1])->pfa.addr32[3] != (&sp
->key[PF_SK_STACK].addr[1])->pfa.addr32[3] || (&sp->
key[PF_SK_WIRE].addr[1])->pfa.addr32[2] != (&sp->key
[PF_SK_STACK].addr[1])->pfa.addr32[2] || (&sp->key[
PF_SK_WIRE].addr[1])->pfa.addr32[1] != (&sp->key[PF_SK_STACK
].addr[1])->pfa.addr32[1] || (&sp->key[PF_SK_WIRE].
addr[1])->pfa.addr32[0] != (&sp->key[PF_SK_STACK].addr
[1])->pfa.addr32[0]))) ||
1446 sp->key[PF_SK_WIRE].port[0] != sp->key[PF_SK_STACK].port[0] ||
1447 sp->key[PF_SK_WIRE].port[1] != sp->key[PF_SK_STACK].port[1] ||
1448 sp->key[PF_SK_WIRE].rdomain != sp->key[PF_SK_STACK].rdomain) {
1449 if ((sks = pf_alloc_state_key(pool_flags)) == NULL((void *)0))
1450 goto cleanup;
1451 } else
1452 sks = pf_state_key_ref(skw);
1453
1454 /* allocate memory for scrub info */
1455 if (pf_state_alloc_scrub_memory(&sp->src, &st->src) ||
1456 pf_state_alloc_scrub_memory(&sp->dst, &st->dst))
1457 goto cleanup;
1458
1459 /* copy to state key(s) */
1460 skw->addr[0] = sp->key[PF_SK_WIRE].addr[0];
1461 skw->addr[1] = sp->key[PF_SK_WIRE].addr[1];
1462 skw->port[0] = sp->key[PF_SK_WIRE].port[0];
1463 skw->port[1] = sp->key[PF_SK_WIRE].port[1];
1464 skw->rdomain = ntohs(sp->key[PF_SK_WIRE].rdomain)(__uint16_t)(__builtin_constant_p(sp->key[PF_SK_WIRE].rdomain
) ? (__uint16_t)(((__uint16_t)(sp->key[PF_SK_WIRE].rdomain
) & 0xffU) << 8 | ((__uint16_t)(sp->key[PF_SK_WIRE
].rdomain) & 0xff00U) >> 8) : __swap16md(sp->key
[PF_SK_WIRE].rdomain));
1465 skw->proto = sp->proto;
1466 if (!(skw->af = sp->key[PF_SK_WIRE].af))
1467 skw->af = sp->af;
1468 skw->hash = pf_pkt_hash(skw->af, skw->proto,
1469 &skw->addr[0], &skw->addr[1], skw->port[0], skw->port[1]);
1470
1471 if (sks != skw) {
1472 sks->addr[0] = sp->key[PF_SK_STACK].addr[0];
1473 sks->addr[1] = sp->key[PF_SK_STACK].addr[1];
1474 sks->port[0] = sp->key[PF_SK_STACK].port[0];
1475 sks->port[1] = sp->key[PF_SK_STACK].port[1];
1476 sks->rdomain = ntohs(sp->key[PF_SK_STACK].rdomain)(__uint16_t)(__builtin_constant_p(sp->key[PF_SK_STACK].rdomain
) ? (__uint16_t)(((__uint16_t)(sp->key[PF_SK_STACK].rdomain
) & 0xffU) << 8 | ((__uint16_t)(sp->key[PF_SK_STACK
].rdomain) & 0xff00U) >> 8) : __swap16md(sp->key
[PF_SK_STACK].rdomain));
1477 if (!(sks->af = sp->key[PF_SK_STACK].af))
1478 sks->af = sp->af;
1479 if (sks->af != skw->af) {
1480 switch (sp->proto) {
1481 case IPPROTO_ICMP1:
1482 sks->proto = IPPROTO_ICMPV658;
1483 break;
1484 case IPPROTO_ICMPV658:
1485 sks->proto = IPPROTO_ICMP1;
1486 break;
1487 default:
1488 sks->proto = sp->proto;
1489 }
1490 } else
1491 sks->proto = sp->proto;
1492
1493 if (((sks->af != AF_INET2) && (sks->af != AF_INET624)) ||
1494 ((skw->af != AF_INET2) && (skw->af != AF_INET624))) {
1495 error = EINVAL22;
1496 goto cleanup;
1497 }
1498
1499 sks->hash = pf_pkt_hash(sks->af, sks->proto,
1500 &sks->addr[0], &sks->addr[1], sks->port[0], sks->port[1]);
1501
1502 } else if ((sks->af != AF_INET2) && (sks->af != AF_INET624)) {
1503 error = EINVAL22;
1504 goto cleanup;
1505 }
1506 st->rtableid[PF_SK_WIRE] = ntohl(sp->rtableid[PF_SK_WIRE])(__uint32_t)(__builtin_constant_p(sp->rtableid[PF_SK_WIRE]
) ? (__uint32_t)(((__uint32_t)(sp->rtableid[PF_SK_WIRE]) &
0xff) << 24 | ((__uint32_t)(sp->rtableid[PF_SK_WIRE
]) & 0xff00) << 8 | ((__uint32_t)(sp->rtableid[PF_SK_WIRE
]) & 0xff0000) >> 8 | ((__uint32_t)(sp->rtableid
[PF_SK_WIRE]) & 0xff000000) >> 24) : __swap32md(sp->
rtableid[PF_SK_WIRE]));
1507 st->rtableid[PF_SK_STACK] = ntohl(sp->rtableid[PF_SK_STACK])(__uint32_t)(__builtin_constant_p(sp->rtableid[PF_SK_STACK
]) ? (__uint32_t)(((__uint32_t)(sp->rtableid[PF_SK_STACK])
& 0xff) << 24 | ((__uint32_t)(sp->rtableid[PF_SK_STACK
]) & 0xff00) << 8 | ((__uint32_t)(sp->rtableid[PF_SK_STACK
]) & 0xff0000) >> 8 | ((__uint32_t)(sp->rtableid
[PF_SK_STACK]) & 0xff000000) >> 24) : __swap32md(sp
->rtableid[PF_SK_STACK]));
1508
1509 /* copy to state */
1510 st->rt_addr = sp->rt_addr;
1511 st->rt = sp->rt;
1512 st->creation = getuptime() - ntohl(sp->creation)(__uint32_t)(__builtin_constant_p(sp->creation) ? (__uint32_t
)(((__uint32_t)(sp->creation) & 0xff) << 24 | ((
__uint32_t)(sp->creation) & 0xff00) << 8 | ((__uint32_t
)(sp->creation) & 0xff0000) >> 8 | ((__uint32_t)
(sp->creation) & 0xff000000) >> 24) : __swap32md
(sp->creation));
1513 st->expire = getuptime();
1514 if (ntohl(sp->expire)(__uint32_t)(__builtin_constant_p(sp->expire) ? (__uint32_t
)(((__uint32_t)(sp->expire) & 0xff) << 24 | ((__uint32_t
)(sp->expire) & 0xff00) << 8 | ((__uint32_t)(sp->
expire) & 0xff0000) >> 8 | ((__uint32_t)(sp->expire
) & 0xff000000) >> 24) : __swap32md(sp->expire))) {
1515 u_int32_t timeout;
1516
1517 timeout = r->timeout[sp->timeout];
1518 if (!timeout)
1519 timeout = pf_default_rule.timeout[sp->timeout];
1520
1521 /* sp->expire may have been adaptively scaled by export. */
1522 st->expire -= timeout - ntohl(sp->expire)(__uint32_t)(__builtin_constant_p(sp->expire) ? (__uint32_t
)(((__uint32_t)(sp->expire) & 0xff) << 24 | ((__uint32_t
)(sp->expire) & 0xff00) << 8 | ((__uint32_t)(sp->
expire) & 0xff0000) >> 8 | ((__uint32_t)(sp->expire
) & 0xff000000) >> 24) : __swap32md(sp->expire));
1523 }
1524
1525 st->direction = sp->direction;
1526 st->log = sp->log;
1527 st->timeout = sp->timeout;
1528 st->state_flags = ntohs(sp->state_flags)(__uint16_t)(__builtin_constant_p(sp->state_flags) ? (__uint16_t
)(((__uint16_t)(sp->state_flags) & 0xffU) << 8 |
((__uint16_t)(sp->state_flags) & 0xff00U) >> 8)
: __swap16md(sp->state_flags));
1529 st->max_mss = ntohs(sp->max_mss)(__uint16_t)(__builtin_constant_p(sp->max_mss) ? (__uint16_t
)(((__uint16_t)(sp->max_mss) & 0xffU) << 8 | ((__uint16_t
)(sp->max_mss) & 0xff00U) >> 8) : __swap16md(sp->
max_mss));
1530 st->min_ttl = sp->min_ttl;
1531 st->set_tos = sp->set_tos;
1532 st->set_prio[0] = sp->set_prio[0];
1533 st->set_prio[1] = sp->set_prio[1];
1534
1535 st->id = sp->id;
1536 st->creatorid = sp->creatorid;
1537 pf_state_peer_ntoh(&sp->src, &st->src);
1538 pf_state_peer_ntoh(&sp->dst, &st->dst);
1539
1540 st->rule.ptr = r;
1541 st->anchor.ptr = NULL((void *)0);
1542
1543 PF_REF_INIT(st->refcnt)refcnt_init(&(st->refcnt));
1544 mtx_init(&st->mtx, IPL_NET)do { (void)(((void *)0)); (void)(0); __mtx_init((&st->
mtx), ((((0x4)) > 0x0 && ((0x4)) < 0x9) ? 0x9 :
((0x4)))); } while (0);
1545
1546 /* XXX when we have anchors, use STATE_INC_COUNTERS */
1547 r->states_cur++;
1548 r->states_tot++;
1549
1550 st->sync_state = PFSYNC_S_NONE0xd0;
1551 st->pfsync_time = getuptime();
1552#if NPFSYNC1 > 0
1553 pfsync_init_state(st, skw, sks, flags);
1554#endif
1555
1556 if (pf_state_insert(kif, &skw, &sks, st) != 0) {
1557 /* XXX when we have anchors, use STATE_DEC_COUNTERS */
1558 r->states_cur--;
1559 error = EEXIST17;
1560 goto cleanup_state;
1561 }
1562
1563 return (0);
1564
1565 cleanup:
1566 if (skw != NULL((void *)0))
1567 pf_state_key_unref(skw);
1568 if (sks != NULL((void *)0))
1569 pf_state_key_unref(sks);
1570
1571 cleanup_state: /* pf_state_insert frees the state keys */
1572 if (st) {
1573 if (st->dst.scrub)
1574 pool_put(&pf_state_scrub_pl, st->dst.scrub);
1575 if (st->src.scrub)
1576 pool_put(&pf_state_scrub_pl, st->src.scrub);
1577 pool_put(&pf_state_pl, st);
1578 }
1579 return (error);
1580}
1581#endif /* NPFSYNC > 0 */
1582
1583/* END state table stuff */
1584
1585void pf_purge_states(void *);
1586struct task pf_purge_states_task =
1587 TASK_INITIALIZER(pf_purge_states, NULL){{ ((void *)0), ((void *)0) }, (pf_purge_states), (((void *)0
)), 0 };
1588
1589void pf_purge_states_tick(void *);
1590struct timeout pf_purge_states_to =
1591 TIMEOUT_INITIALIZER(pf_purge_states_tick, NULL){ .to_list = { ((void *)0), ((void *)0) }, .to_abstime = { .tv_sec
= 0, .tv_nsec = 0 }, .to_func = ((pf_purge_states_tick)), .to_arg
= ((((void *)0))), .to_time = 0, .to_flags = (0) | 0x04, .to_kclock
= ((-1)) };
1592
1593unsigned int pf_purge_expired_states(unsigned int, unsigned int);
1594
1595/*
1596 * how many states to scan this interval.
1597 *
1598 * this is set when the timeout fires, and reduced by the task. the
1599 * task will reschedule itself until the limit is reduced to zero,
1600 * and then it adds the timeout again.
1601 */
1602unsigned int pf_purge_states_limit;
1603
1604/*
1605 * limit how many states are processed with locks held per run of
1606 * the state purge task.
1607 */
1608unsigned int pf_purge_states_collect = 64;
1609
1610 void
1611pf_purge_states_tick(void *null)
1612 {
1613 unsigned int limit = pf_status.states;
1614 unsigned int interval = pf_default_rule.timeout[PFTM_INTERVAL];
1615
1616 if (limit == 0) {
1617 timeout_add_sec(&pf_purge_states_to, 1);
1618 return;
1619 }
1620
1621 /*
1622 * process a fraction of the state table every second
1623 */
1624
1625 if (interval > 1)
1626 limit /= interval;
1627
1628 pf_purge_states_limit = limit;
1629 task_add(systqmp, &pf_purge_states_task);
1630}
1631
1632void
1633pf_purge_states(void *null)
1634{
1635 unsigned int limit;
1636 unsigned int scanned;
1637
1638 limit = pf_purge_states_limit;
1639 if (limit < pf_purge_states_collect)
1640 limit = pf_purge_states_collect;
1641
1642 scanned = pf_purge_expired_states(limit, pf_purge_states_collect);
1643 if (scanned >= pf_purge_states_limit) {
1644 /* we've run out of states to scan this "interval" */
1645 timeout_add_sec(&pf_purge_states_to, 1);
1646 return;
1647 }
1648
1649 pf_purge_states_limit -= scanned;
1650 task_add(systqmp, &pf_purge_states_task);
1651}
1652
1653void pf_purge_tick(void *);
1654struct timeout pf_purge_to =
1655 TIMEOUT_INITIALIZER(pf_purge_tick, NULL){ .to_list = { ((void *)0), ((void *)0) }, .to_abstime = { .tv_sec
= 0, .tv_nsec = 0 }, .to_func = ((pf_purge_tick)), .to_arg =
((((void *)0))), .to_time = 0, .to_flags = (0) | 0x04, .to_kclock
= ((-1)) };
1656
1657void pf_purge(void *);
1658struct task pf_purge_task =
1659 TASK_INITIALIZER(pf_purge, NULL){{ ((void *)0), ((void *)0) }, (pf_purge), (((void *)0)), 0 };
1660
1661void
1662pf_purge_tick(void *null)
1663{
1664 task_add(systqmp, &pf_purge_task);
1665}
1666
1667void
1668pf_purge(void *null)
1669{
1670 unsigned int interval = max(1, pf_default_rule.timeout[PFTM_INTERVAL]);
1671
1672 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
1673
1674 pf_purge_expired_src_nodes();
1675
1676 PF_UNLOCK()do { do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_lock),__func__); } while (0); rw_exit_write
(&pf_lock); } while (0);
1677
1678 /*
1679 * Fragments don't require PF_LOCK(), they use their own lock.
1680 */
1681 pf_purge_expired_fragments();
1682
1683 /* interpret the interval as idle time between runs */
1684 timeout_add_sec(&pf_purge_to, interval);
1685}
1686
1687int32_t
1688pf_state_expires(const struct pf_state *st, uint8_t stimeout)
1689{
1690 u_int32_t timeout;
1691 u_int32_t start;
1692 u_int32_t end;
1693 u_int32_t states;
1694
1695 /*
1696 * pf_state_expires is used by the state purge task to
1697 * decide if a state is a candidate for cleanup, and by the
1698 * pfsync state export code to populate an expiry time.
1699 *
1700 * this function may be called by the state purge task while
1701 * the state is being modified. avoid inconsistent reads of
1702 * state->timeout by having the caller do the read (and any
1703 * checks it needs to do on the same variable) and then pass
1704 * their view of the timeout in here for this function to use.
1705 * the only consequence of using a stale timeout value is
1706 * that the state won't be a candidate for purging until the
1707 * next pass of the purge task.
1708 */
1709
1710 /* handle all PFTM_* >= PFTM_MAX here */
1711 if (stimeout >= PFTM_MAX)
1712 return (0);
1713
1714 KASSERT(stimeout < PFTM_MAX)((stimeout < PFTM_MAX) ? (void)0 : __assert("diagnostic ",
"/usr/src/sys/net/pf.c", 1714, "stimeout < PFTM_MAX"));
1715
1716 timeout = st->rule.ptr->timeout[stimeout];
1717 if (!timeout)
1718 timeout = pf_default_rule.timeout[stimeout];
1719
1720 start = st->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1721 if (start) {
1722 end = st->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1723 states = st->rule.ptr->states_cur;
1724 } else {
1725 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
1726 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
1727 states = pf_status.states;
1728 }
1729 if (end && states > start && start < end) {
1730 if (states >= end)
1731 return (0);
1732
1733 timeout = (u_int64_t)timeout * (end - states) / (end - start);
1734 }
1735
1736 return (st->expire + timeout);
1737}
1738
1739void
1740pf_purge_expired_src_nodes(void)
1741{
1742 struct pf_src_node *cur, *next;
1743
1744 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
1745
1746 RB_FOREACH_SAFE(cur, pf_src_tree, &tree_src_tracking, next)for ((cur) = pf_src_tree_RB_MINMAX(&tree_src_tracking, -1
); ((cur) != ((void *)0)) && ((next) = pf_src_tree_RB_NEXT
(cur), 1); (cur) = (next)) {
1747 if (cur->states == 0 && cur->expire <= getuptime()) {
1748 pf_remove_src_node(cur);
1749 }
1750 }
1751}
1752
1753void
1754pf_src_tree_remove_state(struct pf_state *st)
1755{
1756 u_int32_t timeout;
1757 struct pf_sn_item *sni;
1758
1759 while ((sni = SLIST_FIRST(&st->src_nodes)((&st->src_nodes)->slh_first)) != NULL((void *)0)) {
1760 SLIST_REMOVE_HEAD(&st->src_nodes, next)do { (&st->src_nodes)->slh_first = (&st->src_nodes
)->slh_first->next.sle_next; } while (0);
1761 if (st->src.tcp_est)
1762 --sni->sn->conn;
1763 if (--sni->sn->states == 0) {
1764 timeout = st->rule.ptr->timeout[PFTM_SRC_NODE];
1765 if (!timeout)
1766 timeout =
1767 pf_default_rule.timeout[PFTM_SRC_NODE];
1768 sni->sn->expire = getuptime() + timeout;
1769 }
1770 pool_put(&pf_sn_item_pl, sni);
1771 }
1772}
1773
1774void
1775pf_remove_state(struct pf_state *st)
1776{
1777 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
1778
1779 mtx_enter(&st->mtx);
1780 if (st->timeout == PFTM_UNLINKED) {
1781 mtx_leave(&st->mtx);
1782 return;
1783 }
1784 st->timeout = PFTM_UNLINKED;
1785 mtx_leave(&st->mtx);
1786
1787 /* handle load balancing related tasks */
1788 pf_postprocess_addr(st);
1789
1790 if (st->src.state == PF_TCPS_PROXY_DST((11)+1)) {
1791 pf_send_tcp(st->rule.ptr, st->key[PF_SK_WIRE]->af,
1792 &st->key[PF_SK_WIRE]->addr[1],
1793 &st->key[PF_SK_WIRE]->addr[0],
1794 st->key[PF_SK_WIRE]->port[1],
1795 st->key[PF_SK_WIRE]->port[0],
1796 st->src.seqhi, st->src.seqlo + 1,
1797 TH_RST0x04|TH_ACK0x10, 0, 0, 0, 1, st->tag,
1798 st->key[PF_SK_WIRE]->rdomain);
1799 }
1800 if (st->key[PF_SK_STACK]->proto == IPPROTO_TCP6)
1801 pf_set_protostate(st, PF_PEER_BOTH, TCPS_CLOSED0);
1802
1803 RBT_REMOVE(pf_state_tree_id, &tree_id, st)pf_state_tree_id_RBT_REMOVE(&tree_id, st);
1804#if NPFLOW1 > 0
1805 if (st->state_flags & PFSTATE_PFLOW0x0004)
1806 export_pflow(st);
1807#endif /* NPFLOW > 0 */
1808#if NPFSYNC1 > 0
1809 pfsync_delete_state(st);
1810#endif /* NPFSYNC > 0 */
1811 pf_src_tree_remove_state(st);
1812 pf_detach_state(st);
1813}
1814
1815void
1816pf_remove_divert_state(struct inpcb *inp)
1817{
1818 struct pf_state_key *sk;
1819 struct pf_state_item *si;
1820
1821 PF_ASSERT_UNLOCKED()do { if (rw_status(&pf_lock) == 0x0001UL) splassert_fail(
0, rw_status(&pf_lock), __func__); } while (0);
1822
1823 if (READ_ONCE(inp->inp_pf_sk)({ typeof(inp->inp_pf_sk) __tmp = *(volatile typeof(inp->
inp_pf_sk) *)&(inp->inp_pf_sk); membar_datadep_consumer
(); __tmp; }) == NULL((void *)0))
1824 return;
1825
1826 mtx_enter(&pf_inp_mtx);
1827 sk = pf_state_key_ref(inp->inp_pf_sk);
1828 mtx_leave(&pf_inp_mtx);
1829 if (sk == NULL((void *)0))
1830 return;
1831
1832 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
1833 PF_STATE_ENTER_WRITE()do { rw_enter_write(&pf_state_lock); } while (0);
1834 TAILQ_FOREACH(si, &sk->sk_states, si_entry)for((si) = ((&sk->sk_states)->tqh_first); (si) != (
(void *)0); (si) = ((si)->si_entry.tqe_next)) {
1835 struct pf_state *sist = si->si_st;
1836 if (sk == sist->key[PF_SK_STACK] && sist->rule.ptr &&
1837 (sist->rule.ptr->divert.type == PF_DIVERT_TO ||
1838 sist->rule.ptr->divert.type == PF_DIVERT_REPLY)) {
1839 if (sist->key[PF_SK_STACK]->proto == IPPROTO_TCP6 &&
1840 sist->key[PF_SK_WIRE] != sist->key[PF_SK_STACK]) {
1841 /*
1842 * If the local address is translated, keep
1843 * the state for "tcp.closed" seconds to
1844 * prevent its source port from being reused.
1845 */
1846 if (sist->src.state < TCPS_FIN_WAIT_29 ||
1847 sist->dst.state < TCPS_FIN_WAIT_29) {
1848 pf_set_protostate(sist, PF_PEER_BOTH,
1849 TCPS_TIME_WAIT10);
1850 pf_update_state_timeout(sist,
1851 PFTM_TCP_CLOSED);
1852 sist->expire = getuptime();
1853 }
1854 sist->state_flags |= PFSTATE_INP_UNLINKED0x0400;
1855 } else
1856 pf_remove_state(sist);
1857 break;
1858 }
1859 }
1860 PF_STATE_EXIT_WRITE()do { do { if (rw_status(&pf_state_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_state_lock), __func__); } while (
0); rw_exit_write(&pf_state_lock); } while (0);
1861 PF_UNLOCK()do { do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_lock),__func__); } while (0); rw_exit_write
(&pf_lock); } while (0);
1862
1863 pf_state_key_unref(sk);
1864}
1865
1866void
1867pf_free_state(struct pf_state *st)
1868{
1869 struct pf_rule_item *ri;
1870
1871 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
1872
1873#if NPFSYNC1 > 0
1874 if (pfsync_state_in_use(st))
1875 return;
1876#endif /* NPFSYNC > 0 */
1877
1878 KASSERT(st->timeout == PFTM_UNLINKED)((st->timeout == PFTM_UNLINKED) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 1878, "st->timeout == PFTM_UNLINKED"
));
1879 if (--st->rule.ptr->states_cur == 0 &&
1880 st->rule.ptr->src_nodes == 0)
1881 pf_rm_rule(NULL((void *)0), st->rule.ptr);
1882 if (st->anchor.ptr != NULL((void *)0))
1883 if (--st->anchor.ptr->states_cur == 0)
1884 pf_rm_rule(NULL((void *)0), st->anchor.ptr);
1885 while ((ri = SLIST_FIRST(&st->match_rules)((&st->match_rules)->slh_first))) {
1886 SLIST_REMOVE_HEAD(&st->match_rules, entry)do { (&st->match_rules)->slh_first = (&st->match_rules
)->slh_first->entry.sle_next; } while (0);
1887 if (--ri->r->states_cur == 0 &&
1888 ri->r->src_nodes == 0)
1889 pf_rm_rule(NULL((void *)0), ri->r);
1890 pool_put(&pf_rule_item_pl, ri);
1891 }
1892 pf_normalize_tcp_cleanup(st);
1893 pfi_kif_unref(st->kif, PFI_KIF_REF_STATE);
1894 pf_state_list_remove(&pf_state_list, st);
1895 if (st->tag)
1896 pf_tag_unref(st->tag);
1897 pf_state_unref(st);
1898 pf_status.fcounters[FCNT_STATE_REMOVALS2]++;
1899 pf_status.states--;
1900}
1901
1902unsigned int
1903pf_purge_expired_states(const unsigned int limit, const unsigned int collect)
1904{
1905 /*
1906 * this task/thread/context/whatever is the only thing that
1907 * removes states from the pf_state_list, so the cur reference
1908 * it holds between calls is guaranteed to still be in the
1909 * list.
1910 */
1911 static struct pf_state *cur = NULL((void *)0);
1912
1913 struct pf_state *head, *tail;
1914 struct pf_state *st;
1915 SLIST_HEAD(pf_state_gcl, pf_state)struct pf_state_gcl { struct pf_state *slh_first; } gcl = SLIST_HEAD_INITIALIZER(gcl){ ((void *)0) };
1916 time_t now;
1917 unsigned int scanned;
1918 unsigned int collected = 0;
1919
1920 PF_ASSERT_UNLOCKED()do { if (rw_status(&pf_lock) == 0x0001UL) splassert_fail(
0, rw_status(&pf_lock), __func__); } while (0);
1921
1922 rw_enter_read(&pf_state_list.pfs_rwl);
1923
1924 mtx_enter(&pf_state_list.pfs_mtx);
1925 head = TAILQ_FIRST(&pf_state_list.pfs_list)((&pf_state_list.pfs_list)->tqh_first);
1926 tail = TAILQ_LAST(&pf_state_list.pfs_list, pf_state_queue)(*(((struct pf_state_queue *)((&pf_state_list.pfs_list)->
tqh_last))->tqh_last));
1927 mtx_leave(&pf_state_list.pfs_mtx);
1928
1929 if (head == NULL((void *)0)) {
1930 /* the list is empty */
1931 rw_exit_read(&pf_state_list.pfs_rwl);
1932 return (limit);
1933 }
1934
1935 /* (re)start at the front of the list */
1936 if (cur == NULL((void *)0))
1937 cur = head;
1938
1939 now = getuptime();
1940
1941 for (scanned = 0; scanned < limit; scanned++) {
1942 uint8_t stimeout = cur->timeout;
1943 unsigned int limited = 0;
1944
1945 if ((stimeout == PFTM_UNLINKED) ||
1946 (pf_state_expires(cur, stimeout) <= now)) {
1947 st = pf_state_ref(cur);
1948 SLIST_INSERT_HEAD(&gcl, st, gc_list)do { (st)->gc_list.sle_next = (&gcl)->slh_first; (&
gcl)->slh_first = (st); } while (0);
1949
1950 if (++collected >= collect)
1951 limited = 1;
1952 }
1953
1954 /* don't iterate past the end of our view of the list */
1955 if (cur == tail) {
1956 cur = NULL((void *)0);
1957 break;
1958 }
1959
1960 cur = TAILQ_NEXT(cur, entry_list)((cur)->entry_list.tqe_next);
1961
1962 /* don't spend too much time here. */
1963 if (ISSET(READ_ONCE(curcpu()->ci_schedstate.spc_schedflags),((({ typeof(({struct cpu_info *__ci; asm volatile("movq %%gs:%P1,%0"
: "=r" (__ci) :"n" (__builtin_offsetof(struct cpu_info, ci_self
))); __ci;})->ci_schedstate.spc_schedflags) __tmp = *(volatile
typeof(({struct cpu_info *__ci; asm volatile("movq %%gs:%P1,%0"
: "=r" (__ci) :"n" (__builtin_offsetof(struct cpu_info, ci_self
))); __ci;})->ci_schedstate.spc_schedflags) *)&(({struct
cpu_info *__ci; asm volatile("movq %%gs:%P1,%0" : "=r" (__ci
) :"n" (__builtin_offsetof(struct cpu_info, ci_self))); __ci;
})->ci_schedstate.spc_schedflags); membar_datadep_consumer
(); __tmp; })) & (0x0002))
1964 SPCF_SHOULDYIELD)((({ typeof(({struct cpu_info *__ci; asm volatile("movq %%gs:%P1,%0"
: "=r" (__ci) :"n" (__builtin_offsetof(struct cpu_info, ci_self
))); __ci;})->ci_schedstate.spc_schedflags) __tmp = *(volatile
typeof(({struct cpu_info *__ci; asm volatile("movq %%gs:%P1,%0"
: "=r" (__ci) :"n" (__builtin_offsetof(struct cpu_info, ci_self
))); __ci;})->ci_schedstate.spc_schedflags) *)&(({struct
cpu_info *__ci; asm volatile("movq %%gs:%P1,%0" : "=r" (__ci
) :"n" (__builtin_offsetof(struct cpu_info, ci_self))); __ci;
})->ci_schedstate.spc_schedflags); membar_datadep_consumer
(); __tmp; })) & (0x0002)) || limited)
1965 break;
1966 }
1967
1968 rw_exit_read(&pf_state_list.pfs_rwl);
1969
1970 if (SLIST_EMPTY(&gcl)(((&gcl)->slh_first) == ((void *)0)))
1971 return (scanned);
1972
1973 rw_enter_write(&pf_state_list.pfs_rwl);
1974 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
1975 PF_STATE_ENTER_WRITE()do { rw_enter_write(&pf_state_lock); } while (0);
1976 SLIST_FOREACH(st, &gcl, gc_list)for((st) = ((&gcl)->slh_first); (st) != ((void *)0); (
st) = ((st)->gc_list.sle_next)) {
1977 if (st->timeout != PFTM_UNLINKED)
1978 pf_remove_state(st);
1979
1980 pf_free_state(st);
1981 }
1982 PF_STATE_EXIT_WRITE()do { do { if (rw_status(&pf_state_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_state_lock), __func__); } while (
0); rw_exit_write(&pf_state_lock); } while (0);
1983 PF_UNLOCK()do { do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_lock),__func__); } while (0); rw_exit_write
(&pf_lock); } while (0);
1984 rw_exit_write(&pf_state_list.pfs_rwl);
1985
1986 while ((st = SLIST_FIRST(&gcl)((&gcl)->slh_first)) != NULL((void *)0)) {
1987 SLIST_REMOVE_HEAD(&gcl, gc_list)do { (&gcl)->slh_first = (&gcl)->slh_first->
gc_list.sle_next; } while (0);
1988 pf_state_unref(st);
1989 }
1990
1991 return (scanned);
1992}
1993
1994int
1995pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw, int wait)
1996{
1997 if (aw->type != PF_ADDR_TABLE)
1998 return (0);
1999 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname, wait)) == NULL((void *)0))
2000 return (1);
2001 return (0);
2002}
2003
2004void
2005pf_tbladdr_remove(struct pf_addr_wrap *aw)
2006{
2007 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL((void *)0))
2008 return;
2009 pfr_detach_table(aw->p.tbl);
2010 aw->p.tbl = NULL((void *)0);
2011}
2012
2013void
2014pf_tbladdr_copyout(struct pf_addr_wrap *aw)
2015{
2016 struct pfr_ktable *kt = aw->p.tbl;
2017
2018 if (aw->type != PF_ADDR_TABLE || kt == NULL((void *)0))
2019 return;
2020 if (!(kt->pfrkt_flagspfrkt_ts.pfrts_t.pfrt_flags & PFR_TFLAG_ACTIVE0x00000004) && kt->pfrkt_root != NULL((void *)0))
2021 kt = kt->pfrkt_root;
2022 aw->p.tbl = NULL((void *)0);
2023 aw->p.tblcnt = (kt->pfrkt_flagspfrkt_ts.pfrts_t.pfrt_flags & PFR_TFLAG_ACTIVE0x00000004) ?
2024 kt->pfrkt_cntpfrkt_ts.pfrts_cnt : -1;
2025}
2026
2027void
2028pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
2029{
2030 switch (af) {
2031 case AF_INET2: {
2032 u_int32_t a = ntohl(addr->addr32[0])(__uint32_t)(__builtin_constant_p(addr->pfa.addr32[0]) ? (
__uint32_t)(((__uint32_t)(addr->pfa.addr32[0]) & 0xff)
<< 24 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff00
) << 8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff0000
) >> 8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff000000
) >> 24) : __swap32md(addr->pfa.addr32[0]));
2033 addlog("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
2034 (a>>8)&255, a&255);
2035 if (p) {
2036 p = ntohs(p)(__uint16_t)(__builtin_constant_p(p) ? (__uint16_t)(((__uint16_t
)(p) & 0xffU) << 8 | ((__uint16_t)(p) & 0xff00U
) >> 8) : __swap16md(p));
2037 addlog(":%u", p);
2038 }
2039 break;
2040 }
2041#ifdef INET61
2042 case AF_INET624: {
2043 u_int16_t b;
2044 u_int8_t i, curstart, curend, maxstart, maxend;
2045 curstart = curend = maxstart = maxend = 255;
2046 for (i = 0; i < 8; i++) {
2047 if (!addr->addr16pfa.addr16[i]) {
2048 if (curstart == 255)
2049 curstart = i;
2050 curend = i;
2051 } else {
2052 if ((curend - curstart) >
2053 (maxend - maxstart)) {
2054 maxstart = curstart;
2055 maxend = curend;
2056 }
2057 curstart = curend = 255;
2058 }
2059 }
2060 if ((curend - curstart) >
2061 (maxend - maxstart)) {
2062 maxstart = curstart;
2063 maxend = curend;
2064 }
2065 for (i = 0; i < 8; i++) {
2066 if (i >= maxstart && i <= maxend) {
2067 if (i == 0)
2068 addlog(":");
2069 if (i == maxend)
2070 addlog(":");
2071 } else {
2072 b = ntohs(addr->addr16[i])(__uint16_t)(__builtin_constant_p(addr->pfa.addr16[i]) ? (
__uint16_t)(((__uint16_t)(addr->pfa.addr16[i]) & 0xffU
) << 8 | ((__uint16_t)(addr->pfa.addr16[i]) & 0xff00U
) >> 8) : __swap16md(addr->pfa.addr16[i]));
2073 addlog("%x", b);
2074 if (i < 7)
2075 addlog(":");
2076 }
2077 }
2078 if (p) {
2079 p = ntohs(p)(__uint16_t)(__builtin_constant_p(p) ? (__uint16_t)(((__uint16_t
)(p) & 0xffU) << 8 | ((__uint16_t)(p) & 0xff00U
) >> 8) : __swap16md(p));
2080 addlog("[%u]", p);
2081 }
2082 break;
2083 }
2084#endif /* INET6 */
2085 }
2086}
2087
2088void
2089pf_print_state(struct pf_state *st)
2090{
2091 pf_print_state_parts(st, NULL((void *)0), NULL((void *)0));
2092}
2093
2094void
2095pf_print_state_parts(struct pf_state *st,
2096 struct pf_state_key *skwp, struct pf_state_key *sksp)
2097{
2098 struct pf_state_key *skw, *sks;
2099 u_int8_t proto, dir;
2100
2101 /* Do our best to fill these, but they're skipped if NULL */
2102 skw = skwp ? skwp : (st ? st->key[PF_SK_WIRE] : NULL((void *)0));
2103 sks = sksp ? sksp : (st ? st->key[PF_SK_STACK] : NULL((void *)0));
2104 proto = skw ? skw->proto : (sks ? sks->proto : 0);
2105 dir = st ? st->direction : 0;
2106
2107 switch (proto) {
2108 case IPPROTO_IPV44:
2109 addlog("IPv4");
2110 break;
2111 case IPPROTO_IPV641:
2112 addlog("IPv6");
2113 break;
2114 case IPPROTO_TCP6:
2115 addlog("TCP");
2116 break;
2117 case IPPROTO_UDP17:
2118 addlog("UDP");
2119 break;
2120 case IPPROTO_ICMP1:
2121 addlog("ICMP");
2122 break;
2123 case IPPROTO_ICMPV658:
2124 addlog("ICMPv6");
2125 break;
2126 default:
2127 addlog("%u", proto);
2128 break;
2129 }
2130 switch (dir) {
2131 case PF_IN:
2132 addlog(" in");
2133 break;
2134 case PF_OUT:
2135 addlog(" out");
2136 break;
2137 }
2138 if (skw) {
2139 addlog(" wire: (%d) ", skw->rdomain);
2140 pf_print_host(&skw->addr[0], skw->port[0], skw->af);
2141 addlog(" ");
2142 pf_print_host(&skw->addr[1], skw->port[1], skw->af);
2143 }
2144 if (sks) {
2145 addlog(" stack: (%d) ", sks->rdomain);
2146 if (sks != skw) {
2147 pf_print_host(&sks->addr[0], sks->port[0], sks->af);
2148 addlog(" ");
2149 pf_print_host(&sks->addr[1], sks->port[1], sks->af);
2150 } else
2151 addlog("-");
2152 }
2153 if (st) {
2154 if (proto == IPPROTO_TCP6) {
2155 addlog(" [lo=%u high=%u win=%u modulator=%u",
2156 st->src.seqlo, st->src.seqhi,
2157 st->src.max_win, st->src.seqdiff);
2158 if (st->src.wscale && st->dst.wscale)
2159 addlog(" wscale=%u",
2160 st->src.wscale & PF_WSCALE_MASK0x0f);
2161 addlog("]");
2162 addlog(" [lo=%u high=%u win=%u modulator=%u",
2163 st->dst.seqlo, st->dst.seqhi,
2164 st->dst.max_win, st->dst.seqdiff);
2165 if (st->src.wscale && st->dst.wscale)
2166 addlog(" wscale=%u",
2167 st->dst.wscale & PF_WSCALE_MASK0x0f);
2168 addlog("]");
2169 }
2170 addlog(" %u:%u", st->src.state, st->dst.state);
2171 if (st->rule.ptr)
2172 addlog(" @%d", st->rule.ptr->nr);
2173 }
2174}
2175
2176void
2177pf_print_flags(u_int8_t f)
2178{
2179 if (f)
2180 addlog(" ");
2181 if (f & TH_FIN0x01)
2182 addlog("F");
2183 if (f & TH_SYN0x02)
2184 addlog("S");
2185 if (f & TH_RST0x04)
2186 addlog("R");
2187 if (f & TH_PUSH0x08)
2188 addlog("P");
2189 if (f & TH_ACK0x10)
2190 addlog("A");
2191 if (f & TH_URG0x20)
2192 addlog("U");
2193 if (f & TH_ECE0x40)
2194 addlog("E");
2195 if (f & TH_CWR0x80)
2196 addlog("W");
2197}
2198
2199#define PF_SET_SKIP_STEPS(i)do { while (head[i] != cur) { head[i]->skip[i].ptr = cur; head
[i] = ((head[i])->entries.tqe_next); } } while (0) \
2200 do { \
2201 while (head[i] != cur) { \
2202 head[i]->skip[i].ptr = cur; \
2203 head[i] = TAILQ_NEXT(head[i], entries)((head[i])->entries.tqe_next); \
2204 } \
2205 } while (0)
2206
2207void
2208pf_calc_skip_steps(struct pf_rulequeue *rules)
2209{
2210 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT9];
2211 int i;
2212
2213 cur = TAILQ_FIRST(rules)((rules)->tqh_first);
2214 prev = cur;
2215 for (i = 0; i < PF_SKIP_COUNT9; ++i)
2216 head[i] = cur;
2217 while (cur != NULL((void *)0)) {
2218 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
2219 PF_SET_SKIP_STEPS(PF_SKIP_IFP)do { while (head[0] != cur) { head[0]->skip[0].ptr = cur; head
[0] = ((head[0])->entries.tqe_next); } } while (0);
2220 if (cur->direction != prev->direction)
2221 PF_SET_SKIP_STEPS(PF_SKIP_DIR)do { while (head[1] != cur) { head[1]->skip[1].ptr = cur; head
[1] = ((head[1])->entries.tqe_next); } } while (0);
2222 if (cur->onrdomain != prev->onrdomain ||
2223 cur->ifnot != prev->ifnot)
2224 PF_SET_SKIP_STEPS(PF_SKIP_RDOM)do { while (head[2] != cur) { head[2]->skip[2].ptr = cur; head
[2] = ((head[2])->entries.tqe_next); } } while (0);
2225 if (cur->af != prev->af)
2226 PF_SET_SKIP_STEPS(PF_SKIP_AF)do { while (head[3] != cur) { head[3]->skip[3].ptr = cur; head
[3] = ((head[3])->entries.tqe_next); } } while (0);
2227 if (cur->proto != prev->proto)
2228 PF_SET_SKIP_STEPS(PF_SKIP_PROTO)do { while (head[4] != cur) { head[4]->skip[4].ptr = cur; head
[4] = ((head[4])->entries.tqe_next); } } while (0);
2229 if (cur->src.neg != prev->src.neg ||
2230 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
2231 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR)do { while (head[5] != cur) { head[5]->skip[5].ptr = cur; head
[5] = ((head[5])->entries.tqe_next); } } while (0);
2232 if (cur->dst.neg != prev->dst.neg ||
2233 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
2234 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR)do { while (head[6] != cur) { head[6]->skip[6].ptr = cur; head
[6] = ((head[6])->entries.tqe_next); } } while (0);
2235 if (cur->src.port[0] != prev->src.port[0] ||
2236 cur->src.port[1] != prev->src.port[1] ||
2237 cur->src.port_op != prev->src.port_op)
2238 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT)do { while (head[7] != cur) { head[7]->skip[7].ptr = cur; head
[7] = ((head[7])->entries.tqe_next); } } while (0);
2239 if (cur->dst.port[0] != prev->dst.port[0] ||
2240 cur->dst.port[1] != prev->dst.port[1] ||
2241 cur->dst.port_op != prev->dst.port_op)
2242 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT)do { while (head[8] != cur) { head[8]->skip[8].ptr = cur; head
[8] = ((head[8])->entries.tqe_next); } } while (0);
2243
2244 prev = cur;
2245 cur = TAILQ_NEXT(cur, entries)((cur)->entries.tqe_next);
2246 }
2247 for (i = 0; i < PF_SKIP_COUNT9; ++i)
2248 PF_SET_SKIP_STEPS(i)do { while (head[i] != cur) { head[i]->skip[i].ptr = cur; head
[i] = ((head[i])->entries.tqe_next); } } while (0);
2249}
2250
2251int
2252pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
2253{
2254 if (aw1->type != aw2->type)
2255 return (1);
2256 switch (aw1->type) {
2257 case PF_ADDR_ADDRMASK:
2258 case PF_ADDR_RANGE:
2259 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, AF_INET6)((24 == 2 && (&aw1->v.a.addr)->pfa.addr32[0
] != (&aw2->v.a.addr)->pfa.addr32[0]) || (24 == 24 &&
((&aw1->v.a.addr)->pfa.addr32[3] != (&aw2->
v.a.addr)->pfa.addr32[3] || (&aw1->v.a.addr)->pfa
.addr32[2] != (&aw2->v.a.addr)->pfa.addr32[2] || (&
aw1->v.a.addr)->pfa.addr32[1] != (&aw2->v.a.addr
)->pfa.addr32[1] || (&aw1->v.a.addr)->pfa.addr32
[0] != (&aw2->v.a.addr)->pfa.addr32[0]))))
2260 return (1);
2261 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, AF_INET6)((24 == 2 && (&aw1->v.a.mask)->pfa.addr32[0
] != (&aw2->v.a.mask)->pfa.addr32[0]) || (24 == 24 &&
((&aw1->v.a.mask)->pfa.addr32[3] != (&aw2->
v.a.mask)->pfa.addr32[3] || (&aw1->v.a.mask)->pfa
.addr32[2] != (&aw2->v.a.mask)->pfa.addr32[2] || (&
aw1->v.a.mask)->pfa.addr32[1] != (&aw2->v.a.mask
)->pfa.addr32[1] || (&aw1->v.a.mask)->pfa.addr32
[0] != (&aw2->v.a.mask)->pfa.addr32[0]))))
2262 return (1);
2263 return (0);
2264 case PF_ADDR_DYNIFTL:
2265 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
2266 case PF_ADDR_NONE:
2267 case PF_ADDR_NOROUTE:
2268 case PF_ADDR_URPFFAILED:
2269 return (0);
2270 case PF_ADDR_TABLE:
2271 return (aw1->p.tbl != aw2->p.tbl);
2272 case PF_ADDR_RTLABEL:
2273 return (aw1->v.rtlabel != aw2->v.rtlabel);
2274 default:
2275 addlog("invalid address type: %d\n", aw1->type);
2276 return (1);
2277 }
2278}
2279
2280/* This algorithm computes 'a + b - c' in ones-complement using a trick to
2281 * emulate at most one ones-complement subtraction. This thereby limits net
2282 * carries/borrows to at most one, eliminating a reduction step and saving one
2283 * each of +, >>, & and ~.
2284 *
2285 * def. x mod y = x - (x//y)*y for integer x,y
2286 * def. sum = x mod 2^16
2287 * def. accumulator = (x >> 16) mod 2^16
2288 *
2289 * The trick works as follows: subtracting exactly one u_int16_t from the
2290 * u_int32_t x incurs at most one underflow, wrapping its upper 16-bits, the
2291 * accumulator, to 2^16 - 1. Adding this to the 16-bit sum preserves the
2292 * ones-complement borrow:
2293 *
2294 * (sum + accumulator) mod 2^16
2295 * = { assume underflow: accumulator := 2^16 - 1 }
2296 * (sum + 2^16 - 1) mod 2^16
2297 * = { mod }
2298 * (sum - 1) mod 2^16
2299 *
2300 * Although this breaks for sum = 0, giving 0xffff, which is ones-complement's
2301 * other zero, not -1, that cannot occur: the 16-bit sum cannot be underflown
2302 * to zero as that requires subtraction of at least 2^16, which exceeds a
2303 * single u_int16_t's range.
2304 *
2305 * We use the following theorem to derive the implementation:
2306 *
2307 * th. (x + (y mod z)) mod z = (x + y) mod z (0)
2308 * proof.
2309 * (x + (y mod z)) mod z
2310 * = { def mod }
2311 * (x + y - (y//z)*z) mod z
2312 * = { (a + b*c) mod c = a mod c }
2313 * (x + y) mod z [end of proof]
2314 *
2315 * ... and thereby obtain:
2316 *
2317 * (sum + accumulator) mod 2^16
2318 * = { def. accumulator, def. sum }
2319 * (x mod 2^16 + (x >> 16) mod 2^16) mod 2^16
2320 * = { (0), twice }
2321 * (x + (x >> 16)) mod 2^16
2322 * = { x mod 2^n = x & (2^n - 1) }
2323 * (x + (x >> 16)) & 0xffff
2324 *
2325 * Note: this serves also as a reduction step for at most one add (as the
2326 * trailing mod 2^16 prevents further reductions by destroying carries).
2327 */
2328__inline void
2329pf_cksum_fixup(u_int16_t *cksum, u_int16_t was, u_int16_t now,
2330 u_int8_t proto)
2331{
2332 u_int32_t x;
2333 const int udp = proto == IPPROTO_UDP17;
2334
2335 x = *cksum + was - now;
2336 x = (x + (x >> 16)) & 0xffff;
2337
2338 /* optimise: eliminate a branch when not udp */
2339 if (udp && *cksum == 0x0000)
2340 return;
2341 if (udp && x == 0x0000)
2342 x = 0xffff;
2343
2344 *cksum = (u_int16_t)(x);
2345}
2346
2347#ifdef INET61
2348/* pre: coverage(cksum) is superset of coverage(covered_cksum) */
2349static __inline void
2350pf_cksum_uncover(u_int16_t *cksum, u_int16_t covered_cksum, u_int8_t proto)
2351{
2352 pf_cksum_fixup(cksum, ~covered_cksum, 0x0, proto);
2353}
2354
2355/* pre: disjoint(coverage(cksum), coverage(uncovered_cksum)) */
2356static __inline void
2357pf_cksum_cover(u_int16_t *cksum, u_int16_t uncovered_cksum, u_int8_t proto)
2358{
2359 pf_cksum_fixup(cksum, 0x0, ~uncovered_cksum, proto);
2360}
2361#endif /* INET6 */
2362
2363/* pre: *a is 16-bit aligned within its packet
2364 *
2365 * This algorithm emulates 16-bit ones-complement sums on a twos-complement
2366 * machine by conserving ones-complement's otherwise discarded carries in the
2367 * upper bits of x. These accumulated carries when added to the lower 16-bits
2368 * over at least zero 'reduction' steps then complete the ones-complement sum.
2369 *
2370 * def. sum = x mod 2^16
2371 * def. accumulator = (x >> 16)
2372 *
2373 * At most two reduction steps
2374 *
2375 * x := sum + accumulator
2376 * = { def sum, def accumulator }
2377 * x := x mod 2^16 + (x >> 16)
2378 * = { x mod 2^n = x & (2^n - 1) }
2379 * x := (x & 0xffff) + (x >> 16)
2380 *
2381 * are necessary to incorporate the accumulated carries (at most one per add)
2382 * i.e. to reduce x < 2^16 from at most 16 carries in the upper 16 bits.
2383 *
2384 * The function is also invariant over the endian of the host. Why?
2385 *
2386 * Define the unary transpose operator ~ on a bitstring in python slice
2387 * notation as lambda m: m[P:] + m[:P] , for some constant pivot P.
2388 *
2389 * th. ~ distributes over ones-complement addition, denoted by +_1, i.e.
2390 *
2391 * ~m +_1 ~n = ~(m +_1 n) (for all bitstrings m,n of equal length)
2392 *
2393 * proof. Regard the bitstrings in m +_1 n as split at P, forming at most two
2394 * 'half-adds'. Under ones-complement addition, each half-add carries to the
2395 * other, so the sum of each half-add is unaffected by their relative
2396 * order. Therefore:
2397 *
2398 * ~m +_1 ~n
2399 * = { half-adds invariant under transposition }
2400 * ~s
2401 * = { substitute }
2402 * ~(m +_1 n) [end of proof]
2403 *
2404 * th. Summing two in-memory ones-complement 16-bit variables m,n on a machine
2405 * with the converse endian does not alter the result.
2406 *
2407 * proof.
2408 * { converse machine endian: load/store transposes, P := 8 }
2409 * ~(~m +_1 ~n)
2410 * = { ~ over +_1 }
2411 * ~~m +_1 ~~n
2412 * = { ~ is an involution }
2413 * m +_1 n [end of proof]
2414 *
2415 */
2416#define NEG(x)((u_int16_t)~(x)) ((u_int16_t)~(x))
2417void
2418pf_cksum_fixup_a(u_int16_t *cksum, const struct pf_addr *a,
2419 const struct pf_addr *an, sa_family_t af, u_int8_t proto)
2420{
2421 u_int32_t x;
2422 const u_int16_t *n = an->addr16pfa.addr16;
2423 const u_int16_t *o = a->addr16pfa.addr16;
2424 const int udp = proto == IPPROTO_UDP17;
2425
2426 switch (af) {
2427 case AF_INET2:
2428 x = *cksum + o[0] + NEG(n[0])((u_int16_t)~(n[0])) + o[1] + NEG(n[1])((u_int16_t)~(n[1]));
2429 break;
2430#ifdef INET61
2431 case AF_INET624:
2432 x = *cksum + o[0] + NEG(n[0])((u_int16_t)~(n[0])) + o[1] + NEG(n[1])((u_int16_t)~(n[1])) +\
2433 o[2] + NEG(n[2])((u_int16_t)~(n[2])) + o[3] + NEG(n[3])((u_int16_t)~(n[3])) +\
2434 o[4] + NEG(n[4])((u_int16_t)~(n[4])) + o[5] + NEG(n[5])((u_int16_t)~(n[5])) +\
2435 o[6] + NEG(n[6])((u_int16_t)~(n[6])) + o[7] + NEG(n[7])((u_int16_t)~(n[7]));
2436 break;
2437#endif /* INET6 */
2438 default:
2439 unhandled_af(af);
2440 }
2441
2442 x = (x & 0xffff) + (x >> 16);
2443 x = (x & 0xffff) + (x >> 16);
2444
2445 /* optimise: eliminate a branch when not udp */
2446 if (udp && *cksum == 0x0000)
2447 return;
2448 if (udp && x == 0x0000)
2449 x = 0xffff;
2450
2451 *cksum = (u_int16_t)(x);
2452}
2453
2454int
2455pf_patch_8(struct pf_pdesc *pd, u_int8_t *f, u_int8_t v, bool_Bool hi)
2456{
2457 int rewrite = 0;
2458
2459 if (*f != v) {
2460 u_int16_t old = htons(hi ? (*f << 8) : *f)(__uint16_t)(__builtin_constant_p(hi ? (*f << 8) : *f) ?
(__uint16_t)(((__uint16_t)(hi ? (*f << 8) : *f) & 0xffU
) << 8 | ((__uint16_t)(hi ? (*f << 8) : *f) &
0xff00U) >> 8) : __swap16md(hi ? (*f << 8) : *f)
);
2461 u_int16_t new = htons(hi ? ( v << 8) : v)(__uint16_t)(__builtin_constant_p(hi ? ( v << 8) : v) ?
(__uint16_t)(((__uint16_t)(hi ? ( v << 8) : v) & 0xffU
) << 8 | ((__uint16_t)(hi ? ( v << 8) : v) & 0xff00U
) >> 8) : __swap16md(hi ? ( v << 8) : v));
2462
2463 pf_cksum_fixup(pd->pcksum, old, new, pd->proto);
2464 *f = v;
2465 rewrite = 1;
2466 }
2467
2468 return (rewrite);
2469}
2470
2471/* pre: *f is 16-bit aligned within its packet */
2472int
2473pf_patch_16(struct pf_pdesc *pd, u_int16_t *f, u_int16_t v)
2474{
2475 int rewrite = 0;
2476
2477 if (*f != v) {
2478 pf_cksum_fixup(pd->pcksum, *f, v, pd->proto);
2479 *f = v;
2480 rewrite = 1;
2481 }
2482
2483 return (rewrite);
2484}
2485
2486int
2487pf_patch_16_unaligned(struct pf_pdesc *pd, void *f, u_int16_t v, bool_Bool hi)
2488{
2489 int rewrite = 0;
2490 u_int8_t *fb = (u_int8_t*)f;
2491 u_int8_t *vb = (u_int8_t*)&v;
2492
2493 if (hi && ALIGNED_POINTER(f, u_int16_t)1) {
2494 return (pf_patch_16(pd, f, v)); /* optimise */
2495 }
2496
2497 rewrite += pf_patch_8(pd, fb++, *vb++, hi);
2498 rewrite += pf_patch_8(pd, fb++, *vb++,!hi);
2499
2500 return (rewrite);
2501}
2502
2503/* pre: *f is 16-bit aligned within its packet */
2504/* pre: pd->proto != IPPROTO_UDP */
2505int
2506pf_patch_32(struct pf_pdesc *pd, u_int32_t *f, u_int32_t v)
2507{
2508 int rewrite = 0;
2509 u_int16_t *pc = pd->pcksum;
2510 u_int8_t proto = pd->proto;
2511
2512 /* optimise: inline udp fixup code is unused; let compiler scrub it */
2513 if (proto == IPPROTO_UDP17)
2514 panic("%s: udp", __func__);
2515
2516 /* optimise: skip *f != v guard; true for all use-cases */
2517 pf_cksum_fixup(pc, *f / (1 << 16), v / (1 << 16), proto);
2518 pf_cksum_fixup(pc, *f % (1 << 16), v % (1 << 16), proto);
2519
2520 *f = v;
2521 rewrite = 1;
2522
2523 return (rewrite);
2524}
2525
2526int
2527pf_patch_32_unaligned(struct pf_pdesc *pd, void *f, u_int32_t v, bool_Bool hi)
2528{
2529 int rewrite = 0;
2530 u_int8_t *fb = (u_int8_t*)f;
2531 u_int8_t *vb = (u_int8_t*)&v;
2532
2533 if (hi && ALIGNED_POINTER(f, u_int32_t)1) {
2534 return (pf_patch_32(pd, f, v)); /* optimise */
2535 }
2536
2537 rewrite += pf_patch_8(pd, fb++, *vb++, hi);
2538 rewrite += pf_patch_8(pd, fb++, *vb++,!hi);
2539 rewrite += pf_patch_8(pd, fb++, *vb++, hi);
2540 rewrite += pf_patch_8(pd, fb++, *vb++,!hi);
2541
2542 return (rewrite);
2543}
2544
2545int
2546pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type, int *icmp_dir,
2547 u_int16_t *virtual_id, u_int16_t *virtual_type)
2548{
2549 /*
2550 * ICMP types marked with PF_OUT are typically responses to
2551 * PF_IN, and will match states in the opposite direction.
2552 * PF_IN ICMP types need to match a state with that type.
2553 */
2554 *icmp_dir = PF_OUT;
2555
2556 /* Queries (and responses) */
2557 switch (pd->af) {
2558 case AF_INET2:
2559 switch (type) {
2560 case ICMP_ECHO8:
2561 *icmp_dir = PF_IN;
2562 /* FALLTHROUGH */
2563 case ICMP_ECHOREPLY0:
2564 *virtual_type = ICMP_ECHO8;
2565 *virtual_id = pd->hdr.icmp.icmp_idicmp_hun.ih_idseq.icd_id;
2566 break;
2567
2568 case ICMP_TSTAMP13:
2569 *icmp_dir = PF_IN;
2570 /* FALLTHROUGH */
2571 case ICMP_TSTAMPREPLY14:
2572 *virtual_type = ICMP_TSTAMP13;
2573 *virtual_id = pd->hdr.icmp.icmp_idicmp_hun.ih_idseq.icd_id;
2574 break;
2575
2576 case ICMP_IREQ15:
2577 *icmp_dir = PF_IN;
2578 /* FALLTHROUGH */
2579 case ICMP_IREQREPLY16:
2580 *virtual_type = ICMP_IREQ15;
2581 *virtual_id = pd->hdr.icmp.icmp_idicmp_hun.ih_idseq.icd_id;
2582 break;
2583
2584 case ICMP_MASKREQ17:
2585 *icmp_dir = PF_IN;
2586 /* FALLTHROUGH */
2587 case ICMP_MASKREPLY18:
2588 *virtual_type = ICMP_MASKREQ17;
2589 *virtual_id = pd->hdr.icmp.icmp_idicmp_hun.ih_idseq.icd_id;
2590 break;
2591
2592 case ICMP_IPV6_WHEREAREYOU33:
2593 *icmp_dir = PF_IN;
2594 /* FALLTHROUGH */
2595 case ICMP_IPV6_IAMHERE34:
2596 *virtual_type = ICMP_IPV6_WHEREAREYOU33;
2597 *virtual_id = 0; /* Nothing sane to match on! */
2598 break;
2599
2600 case ICMP_MOBILE_REGREQUEST35:
2601 *icmp_dir = PF_IN;
2602 /* FALLTHROUGH */
2603 case ICMP_MOBILE_REGREPLY36:
2604 *virtual_type = ICMP_MOBILE_REGREQUEST35;
2605 *virtual_id = 0; /* Nothing sane to match on! */
2606 break;
2607
2608 case ICMP_ROUTERSOLICIT10:
2609 *icmp_dir = PF_IN;
2610 /* FALLTHROUGH */
2611 case ICMP_ROUTERADVERT9:
2612 *virtual_type = ICMP_ROUTERSOLICIT10;
2613 *virtual_id = 0; /* Nothing sane to match on! */
2614 break;
2615
2616 /* These ICMP types map to other connections */
2617 case ICMP_UNREACH3:
2618 case ICMP_SOURCEQUENCH4:
2619 case ICMP_REDIRECT5:
2620 case ICMP_TIMXCEED11:
2621 case ICMP_PARAMPROB12:
2622 /* These will not be used, but set them anyway */
2623 *icmp_dir = PF_IN;
2624 *virtual_type = htons(type)(__uint16_t)(__builtin_constant_p(type) ? (__uint16_t)(((__uint16_t
)(type) & 0xffU) << 8 | ((__uint16_t)(type) & 0xff00U
) >> 8) : __swap16md(type));
2625 *virtual_id = 0;
2626 return (1); /* These types match to another state */
2627
2628 /*
2629 * All remaining ICMP types get their own states,
2630 * and will only match in one direction.
2631 */
2632 default:
2633 *icmp_dir = PF_IN;
2634 *virtual_type = type;
2635 *virtual_id = 0;
2636 break;
2637 }
2638 break;
2639#ifdef INET61
2640 case AF_INET624:
2641 switch (type) {
2642 case ICMP6_ECHO_REQUEST128:
2643 *icmp_dir = PF_IN;
2644 /* FALLTHROUGH */
2645 case ICMP6_ECHO_REPLY129:
2646 *virtual_type = ICMP6_ECHO_REQUEST128;
2647 *virtual_id = pd->hdr.icmp6.icmp6_idicmp6_dataun.icmp6_un_data16[0];
2648 break;
2649
2650 case MLD_LISTENER_QUERY130:
2651 case MLD_LISTENER_REPORT131: {
2652 struct mld_hdr *mld = &pd->hdr.mld;
2653 u_int32_t h;
2654
2655 /*
2656 * Listener Report can be sent by clients
2657 * without an associated Listener Query.
2658 * In addition to that, when Report is sent as a
2659 * reply to a Query its source and destination
2660 * address are different.
2661 */
2662 *icmp_dir = PF_IN;
2663 *virtual_type = MLD_LISTENER_QUERY130;
2664 /* generate fake id for these messages */
2665 h = mld->mld_addr.s6_addr32__u6_addr.__u6_addr32[0] ^
2666 mld->mld_addr.s6_addr32__u6_addr.__u6_addr32[1] ^
2667 mld->mld_addr.s6_addr32__u6_addr.__u6_addr32[2] ^
2668 mld->mld_addr.s6_addr32__u6_addr.__u6_addr32[3];
2669 *virtual_id = (h >> 16) ^ (h & 0xffff);
2670 break;
2671 }
2672
2673 /*
2674 * ICMP6_FQDN and ICMP6_NI query/reply are the same type as
2675 * ICMP6_WRU
2676 */
2677 case ICMP6_WRUREQUEST139:
2678 *icmp_dir = PF_IN;
2679 /* FALLTHROUGH */
2680 case ICMP6_WRUREPLY140:
2681 *virtual_type = ICMP6_WRUREQUEST139;
2682 *virtual_id = 0; /* Nothing sane to match on! */
2683 break;
2684
2685 case MLD_MTRACE201:
2686 *icmp_dir = PF_IN;
2687 /* FALLTHROUGH */
2688 case MLD_MTRACE_RESP200:
2689 *virtual_type = MLD_MTRACE201;
2690 *virtual_id = 0; /* Nothing sane to match on! */
2691 break;
2692
2693 case ND_NEIGHBOR_SOLICIT135:
2694 *icmp_dir = PF_IN;
2695 /* FALLTHROUGH */
2696 case ND_NEIGHBOR_ADVERT136: {
2697 struct nd_neighbor_solicit *nd = &pd->hdr.nd_ns;
2698 u_int32_t h;
2699
2700 *virtual_type = ND_NEIGHBOR_SOLICIT135;
2701 /* generate fake id for these messages */
2702 h = nd->nd_ns_target.s6_addr32__u6_addr.__u6_addr32[0] ^
2703 nd->nd_ns_target.s6_addr32__u6_addr.__u6_addr32[1] ^
2704 nd->nd_ns_target.s6_addr32__u6_addr.__u6_addr32[2] ^
2705 nd->nd_ns_target.s6_addr32__u6_addr.__u6_addr32[3];
2706 *virtual_id = (h >> 16) ^ (h & 0xffff);
2707 /*
2708 * the extra work here deals with 'keep state' option
2709 * at pass rule for unsolicited advertisement. By
2710 * returning 1 (state_icmp = 1) we override 'keep
2711 * state' to 'no state' so we don't create state for
2712 * unsolicited advertisements. No one expects answer to
2713 * unsolicited advertisements so we should be good.
2714 */
2715 if (type == ND_NEIGHBOR_ADVERT136) {
2716 *virtual_type = htons(*virtual_type)(__uint16_t)(__builtin_constant_p(*virtual_type) ? (__uint16_t
)(((__uint16_t)(*virtual_type) & 0xffU) << 8 | ((__uint16_t
)(*virtual_type) & 0xff00U) >> 8) : __swap16md(*virtual_type
));
2717 return (1);
2718 }
2719 break;
2720 }
2721
2722 /*
2723 * These ICMP types map to other connections.
2724 * ND_REDIRECT can't be in this list because the triggering
2725 * packet header is optional.
2726 */
2727 case ICMP6_DST_UNREACH1:
2728 case ICMP6_PACKET_TOO_BIG2:
2729 case ICMP6_TIME_EXCEEDED3:
2730 case ICMP6_PARAM_PROB4:
2731 /* These will not be used, but set them anyway */
2732 *icmp_dir = PF_IN;
2733 *virtual_type = htons(type)(__uint16_t)(__builtin_constant_p(type) ? (__uint16_t)(((__uint16_t
)(type) & 0xffU) << 8 | ((__uint16_t)(type) & 0xff00U
) >> 8) : __swap16md(type));
2734 *virtual_id = 0;
2735 return (1); /* These types match to another state */
2736 /*
2737 * All remaining ICMP6 types get their own states,
2738 * and will only match in one direction.
2739 */
2740 default:
2741 *icmp_dir = PF_IN;
2742 *virtual_type = type;
2743 *virtual_id = 0;
2744 break;
2745 }
2746 break;
2747#endif /* INET6 */
2748 }
2749 *virtual_type = htons(*virtual_type)(__uint16_t)(__builtin_constant_p(*virtual_type) ? (__uint16_t
)(((__uint16_t)(*virtual_type) & 0xffU) << 8 | ((__uint16_t
)(*virtual_type) & 0xff00U) >> 8) : __swap16md(*virtual_type
));
2750 return (0); /* These types match to their own state */
2751}
2752
2753void
2754pf_translate_icmp(struct pf_pdesc *pd, struct pf_addr *qa, u_int16_t *qp,
2755 struct pf_addr *oa, struct pf_addr *na, u_int16_t np)
2756{
2757 /* note: doesn't trouble to fixup quoted checksums, if any */
2758
2759 /* change quoted protocol port */
2760 if (qp != NULL((void *)0))
2761 pf_patch_16(pd, qp, np);
2762
2763 /* change quoted ip address */
2764 pf_cksum_fixup_a(pd->pcksum, qa, na, pd->af, pd->proto);
2765 pf_addrcpy(qa, na, pd->af);
2766
2767 /* change network-header's ip address */
2768 if (oa)
2769 pf_translate_a(pd, oa, na);
2770}
2771
2772/* pre: *a is 16-bit aligned within its packet */
2773/* *a is a network header src/dst address */
2774int
2775pf_translate_a(struct pf_pdesc *pd, struct pf_addr *a, struct pf_addr *an)
2776{
2777 int rewrite = 0;
2778
2779 /* warning: !PF_ANEQ != PF_AEQ */
2780 if (!PF_ANEQ(a, an, pd->af)((pd->af == 2 && (a)->pfa.addr32[0] != (an)->
pfa.addr32[0]) || (pd->af == 24 && ((a)->pfa.addr32
[3] != (an)->pfa.addr32[3] || (a)->pfa.addr32[2] != (an
)->pfa.addr32[2] || (a)->pfa.addr32[1] != (an)->pfa.
addr32[1] || (a)->pfa.addr32[0] != (an)->pfa.addr32[0])
)))
2781 return (0);
2782
2783 /* fixup transport pseudo-header, if any */
2784 switch (pd->proto) {
2785 case IPPROTO_TCP6: /* FALLTHROUGH */
2786 case IPPROTO_UDP17: /* FALLTHROUGH */
2787 case IPPROTO_ICMPV658:
2788 pf_cksum_fixup_a(pd->pcksum, a, an, pd->af, pd->proto);
2789 break;
2790 default:
2791 break; /* assume no pseudo-header */
2792 }
2793
2794 pf_addrcpy(a, an, pd->af);
2795 rewrite = 1;
2796
2797 return (rewrite);
2798}
2799
2800#ifdef INET61
2801/* pf_translate_af() may change pd->m, adjust local copies after calling */
2802int
2803pf_translate_af(struct pf_pdesc *pd)
2804{
2805 static const struct pf_addr zero;
2806 struct ip *ip4;
2807 struct ip6_hdr *ip6;
2808 int copyback = 0;
2809 u_int hlen, ohlen, dlen;
2810 u_int16_t *pc;
2811 u_int8_t af_proto, naf_proto;
2812
2813 hlen = (pd->naf == AF_INET2) ? sizeof(*ip4) : sizeof(*ip6);
2814 ohlen = pd->off;
2815 dlen = pd->tot_len - pd->off;
2816 pc = pd->pcksum;
2817
2818 af_proto = naf_proto = pd->proto;
2819 if (naf_proto == IPPROTO_ICMP1)
2820 af_proto = IPPROTO_ICMPV658;
2821 if (naf_proto == IPPROTO_ICMPV658)
2822 af_proto = IPPROTO_ICMP1;
2823
2824 /* uncover stale pseudo-header */
2825 switch (af_proto) {
2826 case IPPROTO_ICMPV658:
2827 /* optimise: unchanged for TCP/UDP */
2828 pf_cksum_fixup(pc, htons(af_proto)(__uint16_t)(__builtin_constant_p(af_proto) ? (__uint16_t)(((
__uint16_t)(af_proto) & 0xffU) << 8 | ((__uint16_t)
(af_proto) & 0xff00U) >> 8) : __swap16md(af_proto)), 0x0, af_proto);
2829 pf_cksum_fixup(pc, htons(dlen)(__uint16_t)(__builtin_constant_p(dlen) ? (__uint16_t)(((__uint16_t
)(dlen) & 0xffU) << 8 | ((__uint16_t)(dlen) & 0xff00U
) >> 8) : __swap16md(dlen)), 0x0, af_proto);
2830 /* FALLTHROUGH */
2831 case IPPROTO_UDP17: /* FALLTHROUGH */
2832 case IPPROTO_TCP6:
2833 pf_cksum_fixup_a(pc, pd->src, &zero, pd->af, af_proto);
2834 pf_cksum_fixup_a(pc, pd->dst, &zero, pd->af, af_proto);
2835 copyback = 1;
2836 break;
2837 default:
2838 break; /* assume no pseudo-header */
2839 }
2840
2841 /* replace the network header */
2842 m_adj(pd->m, pd->off);
2843 pd->src = NULL((void *)0);
2844 pd->dst = NULL((void *)0);
2845
2846 if ((M_PREPEND(pd->m, hlen, M_DONTWAIT)(pd->m) = m_prepend((pd->m), (hlen), (0x0002))) == NULL((void *)0)) {
2847 pd->m = NULL((void *)0);
2848 return (-1);
2849 }
2850
2851 pd->off = hlen;
2852 pd->tot_len += hlen - ohlen;
2853
2854 switch (pd->naf) {
2855 case AF_INET2:
2856 ip4 = mtod(pd->m, struct ip *)((struct ip *)((pd->m)->m_hdr.mh_data));
2857 memset(ip4, 0, hlen)__builtin_memset((ip4), (0), (hlen));
2858 ip4->ip_v = IPVERSION4;
2859 ip4->ip_hl = hlen >> 2;
2860 ip4->ip_tos = pd->tos;
2861 ip4->ip_len = htons(hlen + dlen)(__uint16_t)(__builtin_constant_p(hlen + dlen) ? (__uint16_t)
(((__uint16_t)(hlen + dlen) & 0xffU) << 8 | ((__uint16_t
)(hlen + dlen) & 0xff00U) >> 8) : __swap16md(hlen +
dlen));
2862 ip4->ip_id = htons(ip_randomid())(__uint16_t)(__builtin_constant_p(ip_randomid()) ? (__uint16_t
)(((__uint16_t)(ip_randomid()) & 0xffU) << 8 | ((__uint16_t
)(ip_randomid()) & 0xff00U) >> 8) : __swap16md(ip_randomid
()));
2863 ip4->ip_off = htons(IP_DF)(__uint16_t)(__builtin_constant_p(0x4000) ? (__uint16_t)(((__uint16_t
)(0x4000) & 0xffU) << 8 | ((__uint16_t)(0x4000) &
0xff00U) >> 8) : __swap16md(0x4000));
2864 ip4->ip_ttl = pd->ttl;
2865 ip4->ip_p = pd->proto;
2866 ip4->ip_src = pd->nsaddr.v4pfa.v4;
2867 ip4->ip_dst = pd->ndaddr.v4pfa.v4;
2868 break;
2869 case AF_INET624:
2870 ip6 = mtod(pd->m, struct ip6_hdr *)((struct ip6_hdr *)((pd->m)->m_hdr.mh_data));
2871 memset(ip6, 0, hlen)__builtin_memset((ip6), (0), (hlen));
2872 ip6->ip6_vfcip6_ctlun.ip6_un2_vfc = IPV6_VERSION0x60;
2873 ip6->ip6_flowip6_ctlun.ip6_un1.ip6_un1_flow |= htonl((u_int32_t)pd->tos << 20)(__uint32_t)(__builtin_constant_p((u_int32_t)pd->tos <<
20) ? (__uint32_t)(((__uint32_t)((u_int32_t)pd->tos <<
20) & 0xff) << 24 | ((__uint32_t)((u_int32_t)pd->
tos << 20) & 0xff00) << 8 | ((__uint32_t)((u_int32_t
)pd->tos << 20) & 0xff0000) >> 8 | ((__uint32_t
)((u_int32_t)pd->tos << 20) & 0xff000000) >>
24) : __swap32md((u_int32_t)pd->tos << 20));
2874 ip6->ip6_plenip6_ctlun.ip6_un1.ip6_un1_plen = htons(dlen)(__uint16_t)(__builtin_constant_p(dlen) ? (__uint16_t)(((__uint16_t
)(dlen) & 0xffU) << 8 | ((__uint16_t)(dlen) & 0xff00U
) >> 8) : __swap16md(dlen));
2875 ip6->ip6_nxtip6_ctlun.ip6_un1.ip6_un1_nxt = pd->proto;
2876 if (!pd->ttl || pd->ttl > IPV6_DEFHLIM64)
2877 ip6->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim = IPV6_DEFHLIM64;
2878 else
2879 ip6->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim = pd->ttl;
2880 ip6->ip6_src = pd->nsaddr.v6pfa.v6;
2881 ip6->ip6_dst = pd->ndaddr.v6pfa.v6;
2882 break;
2883 default:
2884 unhandled_af(pd->naf);
2885 }
2886
2887 /* UDP over IPv6 must be checksummed per rfc2460 p27 */
2888 if (naf_proto == IPPROTO_UDP17 && *pc == 0x0000 &&
2889 pd->naf == AF_INET624) {
2890 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.csum_flags |= M_UDP_CSUM_OUT0x0004;
2891 }
2892
2893 /* cover fresh pseudo-header */
2894 switch (naf_proto) {
2895 case IPPROTO_ICMPV658:
2896 /* optimise: unchanged for TCP/UDP */
2897 pf_cksum_fixup(pc, 0x0, htons(naf_proto)(__uint16_t)(__builtin_constant_p(naf_proto) ? (__uint16_t)((
(__uint16_t)(naf_proto) & 0xffU) << 8 | ((__uint16_t
)(naf_proto) & 0xff00U) >> 8) : __swap16md(naf_proto
)), naf_proto);
2898 pf_cksum_fixup(pc, 0x0, htons(dlen)(__uint16_t)(__builtin_constant_p(dlen) ? (__uint16_t)(((__uint16_t
)(dlen) & 0xffU) << 8 | ((__uint16_t)(dlen) & 0xff00U
) >> 8) : __swap16md(dlen)), naf_proto);
2899 /* FALLTHROUGH */
2900 case IPPROTO_UDP17: /* FALLTHROUGH */
2901 case IPPROTO_TCP6:
2902 pf_cksum_fixup_a(pc, &zero, &pd->nsaddr, pd->naf, naf_proto);
2903 pf_cksum_fixup_a(pc, &zero, &pd->ndaddr, pd->naf, naf_proto);
2904 copyback = 1;
2905 break;
2906 default:
2907 break; /* assume no pseudo-header */
2908 }
2909
2910 /* flush pd->pcksum */
2911 if (copyback)
2912 m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT0x0002);
2913
2914 return (0);
2915}
2916
2917int
2918pf_change_icmp_af(struct mbuf *m, int ipoff2, struct pf_pdesc *pd,
2919 struct pf_pdesc *pd2, struct pf_addr *src, struct pf_addr *dst,
2920 sa_family_t af, sa_family_t naf)
2921{
2922 struct mbuf *n = NULL((void *)0);
2923 struct ip *ip4;
2924 struct ip6_hdr *ip6;
2925 u_int hlen, ohlen, dlen;
2926 int d;
2927
2928 if (af == naf || (af != AF_INET2 && af != AF_INET624) ||
2929 (naf != AF_INET2 && naf != AF_INET624))
2930 return (-1);
2931
2932 /* split the mbuf chain on the quoted ip/ip6 header boundary */
2933 if ((n = m_split(m, ipoff2, M_DONTWAIT0x0002)) == NULL((void *)0))
2934 return (-1);
2935
2936 /* new quoted header */
2937 hlen = naf == AF_INET2 ? sizeof(*ip4) : sizeof(*ip6);
2938 /* old quoted header */
2939 ohlen = pd2->off - ipoff2;
2940
2941 /* trim old quoted header */
2942 pf_cksum_uncover(pd->pcksum, in_cksum(n, ohlen), pd->proto);
2943 m_adj(n, ohlen);
2944
2945 /* prepend a new, translated, quoted header */
2946 if ((M_PREPEND(n, hlen, M_DONTWAIT)(n) = m_prepend((n), (hlen), (0x0002))) == NULL((void *)0))
2947 return (-1);
2948
2949 switch (naf) {
2950 case AF_INET2:
2951 ip4 = mtod(n, struct ip *)((struct ip *)((n)->m_hdr.mh_data));
2952 memset(ip4, 0, sizeof(*ip4))__builtin_memset((ip4), (0), (sizeof(*ip4)));
2953 ip4->ip_v = IPVERSION4;
2954 ip4->ip_hl = sizeof(*ip4) >> 2;
2955 ip4->ip_len = htons(sizeof(*ip4) + pd2->tot_len - ohlen)(__uint16_t)(__builtin_constant_p(sizeof(*ip4) + pd2->tot_len
- ohlen) ? (__uint16_t)(((__uint16_t)(sizeof(*ip4) + pd2->
tot_len - ohlen) & 0xffU) << 8 | ((__uint16_t)(sizeof
(*ip4) + pd2->tot_len - ohlen) & 0xff00U) >> 8) :
__swap16md(sizeof(*ip4) + pd2->tot_len - ohlen));
2956 ip4->ip_id = htons(ip_randomid())(__uint16_t)(__builtin_constant_p(ip_randomid()) ? (__uint16_t
)(((__uint16_t)(ip_randomid()) & 0xffU) << 8 | ((__uint16_t
)(ip_randomid()) & 0xff00U) >> 8) : __swap16md(ip_randomid
()));
2957 ip4->ip_off = htons(IP_DF)(__uint16_t)(__builtin_constant_p(0x4000) ? (__uint16_t)(((__uint16_t
)(0x4000) & 0xffU) << 8 | ((__uint16_t)(0x4000) &
0xff00U) >> 8) : __swap16md(0x4000));
2958 ip4->ip_ttl = pd2->ttl;
2959 if (pd2->proto == IPPROTO_ICMPV658)
2960 ip4->ip_p = IPPROTO_ICMP1;
2961 else
2962 ip4->ip_p = pd2->proto;
2963 ip4->ip_src = src->v4pfa.v4;
2964 ip4->ip_dst = dst->v4pfa.v4;
2965 in_hdr_cksum_out(n, NULL((void *)0));
2966 break;
2967 case AF_INET624:
2968 ip6 = mtod(n, struct ip6_hdr *)((struct ip6_hdr *)((n)->m_hdr.mh_data));
2969 memset(ip6, 0, sizeof(*ip6))__builtin_memset((ip6), (0), (sizeof(*ip6)));
2970 ip6->ip6_vfcip6_ctlun.ip6_un2_vfc = IPV6_VERSION0x60;
2971 ip6->ip6_plenip6_ctlun.ip6_un1.ip6_un1_plen = htons(pd2->tot_len - ohlen)(__uint16_t)(__builtin_constant_p(pd2->tot_len - ohlen) ? (
__uint16_t)(((__uint16_t)(pd2->tot_len - ohlen) & 0xffU
) << 8 | ((__uint16_t)(pd2->tot_len - ohlen) & 0xff00U
) >> 8) : __swap16md(pd2->tot_len - ohlen));
2972 if (pd2->proto == IPPROTO_ICMP1)
2973 ip6->ip6_nxtip6_ctlun.ip6_un1.ip6_un1_nxt = IPPROTO_ICMPV658;
2974 else
2975 ip6->ip6_nxtip6_ctlun.ip6_un1.ip6_un1_nxt = pd2->proto;
2976 if (!pd2->ttl || pd2->ttl > IPV6_DEFHLIM64)
2977 ip6->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim = IPV6_DEFHLIM64;
2978 else
2979 ip6->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim = pd2->ttl;
2980 ip6->ip6_src = src->v6pfa.v6;
2981 ip6->ip6_dst = dst->v6pfa.v6;
2982 break;
2983 }
2984
2985 /* cover new quoted header */
2986 /* optimise: any new AF_INET header of ours sums to zero */
2987 if (naf != AF_INET2) {
2988 pf_cksum_cover(pd->pcksum, in_cksum(n, hlen), pd->proto);
2989 }
2990
2991 /* reattach modified quoted packet to outer header */
2992 {
2993 int nlen = n->m_pkthdrM_dat.MH.MH_pkthdr.len;
2994 m_cat(m, n);
2995 m->m_pkthdrM_dat.MH.MH_pkthdr.len += nlen;
2996 }
2997
2998 /* account for altered length */
2999 d = hlen - ohlen;
3000
3001 if (pd->proto == IPPROTO_ICMPV658) {
3002 /* fixup pseudo-header */
3003 dlen = pd->tot_len - pd->off;
3004 pf_cksum_fixup(pd->pcksum,
3005 htons(dlen)(__uint16_t)(__builtin_constant_p(dlen) ? (__uint16_t)(((__uint16_t
)(dlen) & 0xffU) << 8 | ((__uint16_t)(dlen) & 0xff00U
) >> 8) : __swap16md(dlen)), htons(dlen + d)(__uint16_t)(__builtin_constant_p(dlen + d) ? (__uint16_t)(((
__uint16_t)(dlen + d) & 0xffU) << 8 | ((__uint16_t)
(dlen + d) & 0xff00U) >> 8) : __swap16md(dlen + d)), pd->proto);
3006 }
3007
3008 pd->tot_len += d;
3009 pd2->tot_len += d;
3010 pd2->off += d;
3011
3012 /* note: not bothering to update network headers as
3013 these due for rewrite by pf_translate_af() */
3014
3015 return (0);
3016}
3017
3018
3019#define PTR_IP(field)(__builtin_offsetof(struct ip, field)) (offsetof(struct ip, field)__builtin_offsetof(struct ip, field))
3020#define PTR_IP6(field)(__builtin_offsetof(struct ip6_hdr, field)) (offsetof(struct ip6_hdr, field)__builtin_offsetof(struct ip6_hdr, field))
3021
3022int
3023pf_translate_icmp_af(struct pf_pdesc *pd, int af, void *arg)
3024{
3025 struct icmp *icmp4;
3026 struct icmp6_hdr *icmp6;
3027 u_int32_t mtu;
3028 int32_t ptr = -1;
3029 u_int8_t type;
3030 u_int8_t code;
3031
3032 switch (af) {
3033 case AF_INET2:
3034 icmp6 = arg;
3035 type = icmp6->icmp6_type;
3036 code = icmp6->icmp6_code;
3037 mtu = ntohl(icmp6->icmp6_mtu)(__uint32_t)(__builtin_constant_p(icmp6->icmp6_dataun.icmp6_un_data32
[0]) ? (__uint32_t)(((__uint32_t)(icmp6->icmp6_dataun.icmp6_un_data32
[0]) & 0xff) << 24 | ((__uint32_t)(icmp6->icmp6_dataun
.icmp6_un_data32[0]) & 0xff00) << 8 | ((__uint32_t)
(icmp6->icmp6_dataun.icmp6_un_data32[0]) & 0xff0000) >>
8 | ((__uint32_t)(icmp6->icmp6_dataun.icmp6_un_data32[0])
& 0xff000000) >> 24) : __swap32md(icmp6->icmp6_dataun
.icmp6_un_data32[0]));
3038
3039 switch (type) {
3040 case ICMP6_ECHO_REQUEST128:
3041 type = ICMP_ECHO8;
3042 break;
3043 case ICMP6_ECHO_REPLY129:
3044 type = ICMP_ECHOREPLY0;
3045 break;
3046 case ICMP6_DST_UNREACH1:
3047 type = ICMP_UNREACH3;
3048 switch (code) {
3049 case ICMP6_DST_UNREACH_NOROUTE0:
3050 case ICMP6_DST_UNREACH_BEYONDSCOPE2:
3051 case ICMP6_DST_UNREACH_ADDR3:
3052 code = ICMP_UNREACH_HOST1;
3053 break;
3054 case ICMP6_DST_UNREACH_ADMIN1:
3055 code = ICMP_UNREACH_HOST_PROHIB10;
3056 break;
3057 case ICMP6_DST_UNREACH_NOPORT4:
3058 code = ICMP_UNREACH_PORT3;
3059 break;
3060 default:
3061 return (-1);
3062 }
3063 break;
3064 case ICMP6_PACKET_TOO_BIG2:
3065 type = ICMP_UNREACH3;
3066 code = ICMP_UNREACH_NEEDFRAG4;
3067 mtu -= 20;
3068 break;
3069 case ICMP6_TIME_EXCEEDED3:
3070 type = ICMP_TIMXCEED11;
3071 break;
3072 case ICMP6_PARAM_PROB4:
3073 switch (code) {
3074 case ICMP6_PARAMPROB_HEADER0:
3075 type = ICMP_PARAMPROB12;
3076 code = ICMP_PARAMPROB_ERRATPTR0;
3077 ptr = ntohl(icmp6->icmp6_pptr)(__uint32_t)(__builtin_constant_p(icmp6->icmp6_dataun.icmp6_un_data32
[0]) ? (__uint32_t)(((__uint32_t)(icmp6->icmp6_dataun.icmp6_un_data32
[0]) & 0xff) << 24 | ((__uint32_t)(icmp6->icmp6_dataun
.icmp6_un_data32[0]) & 0xff00) << 8 | ((__uint32_t)
(icmp6->icmp6_dataun.icmp6_un_data32[0]) & 0xff0000) >>
8 | ((__uint32_t)(icmp6->icmp6_dataun.icmp6_un_data32[0])
& 0xff000000) >> 24) : __swap32md(icmp6->icmp6_dataun
.icmp6_un_data32[0]));
3078
3079 if (ptr == PTR_IP6(ip6_vfc)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un2_vfc)))
3080 ; /* preserve */
3081 else if (ptr == PTR_IP6(ip6_vfc)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un2_vfc)) + 1)
3082 ptr = PTR_IP(ip_tos)(__builtin_offsetof(struct ip, ip_tos));
3083 else if (ptr == PTR_IP6(ip6_plen)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_plen
)) ||
3084 ptr == PTR_IP6(ip6_plen)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_plen
)) + 1)
3085 ptr = PTR_IP(ip_len)(__builtin_offsetof(struct ip, ip_len));
3086 else if (ptr == PTR_IP6(ip6_nxt)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_nxt
)))
3087 ptr = PTR_IP(ip_p)(__builtin_offsetof(struct ip, ip_p));
3088 else if (ptr == PTR_IP6(ip6_hlim)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_hlim
)))
3089 ptr = PTR_IP(ip_ttl)(__builtin_offsetof(struct ip, ip_ttl));
3090 else if (ptr >= PTR_IP6(ip6_src)(__builtin_offsetof(struct ip6_hdr, ip6_src)) &&
3091 ptr < PTR_IP6(ip6_dst)(__builtin_offsetof(struct ip6_hdr, ip6_dst)))
3092 ptr = PTR_IP(ip_src)(__builtin_offsetof(struct ip, ip_src));
3093 else if (ptr >= PTR_IP6(ip6_dst)(__builtin_offsetof(struct ip6_hdr, ip6_dst)) &&
3094 ptr < sizeof(struct ip6_hdr))
3095 ptr = PTR_IP(ip_dst)(__builtin_offsetof(struct ip, ip_dst));
3096 else {
3097 return (-1);
3098 }
3099 break;
3100 case ICMP6_PARAMPROB_NEXTHEADER1:
3101 type = ICMP_UNREACH3;
3102 code = ICMP_UNREACH_PROTOCOL2;
3103 break;
3104 default:
3105 return (-1);
3106 }
3107 break;
3108 default:
3109 return (-1);
3110 }
3111
3112 pf_patch_8(pd, &icmp6->icmp6_type, type, PF_HI(1));
3113 pf_patch_8(pd, &icmp6->icmp6_code, code, PF_LO(!(1)));
3114
3115 /* aligns well with a icmpv4 nextmtu */
3116 pf_patch_32(pd, &icmp6->icmp6_mtuicmp6_dataun.icmp6_un_data32[0], htonl(mtu)(__uint32_t)(__builtin_constant_p(mtu) ? (__uint32_t)(((__uint32_t
)(mtu) & 0xff) << 24 | ((__uint32_t)(mtu) & 0xff00
) << 8 | ((__uint32_t)(mtu) & 0xff0000) >> 8 |
((__uint32_t)(mtu) & 0xff000000) >> 24) : __swap32md
(mtu)));
3117
3118 /* icmpv4 pptr is a one most significant byte */
3119 if (ptr >= 0)
3120 pf_patch_32(pd, &icmp6->icmp6_pptricmp6_dataun.icmp6_un_data32[0], htonl(ptr << 24)(__uint32_t)(__builtin_constant_p(ptr << 24) ? (__uint32_t
)(((__uint32_t)(ptr << 24) & 0xff) << 24 | ((
__uint32_t)(ptr << 24) & 0xff00) << 8 | ((__uint32_t
)(ptr << 24) & 0xff0000) >> 8 | ((__uint32_t)
(ptr << 24) & 0xff000000) >> 24) : __swap32md
(ptr << 24)));
3121 break;
3122 case AF_INET624:
3123 icmp4 = arg;
3124 type = icmp4->icmp_type;
3125 code = icmp4->icmp_code;
3126 mtu = ntohs(icmp4->icmp_nextmtu)(__uint16_t)(__builtin_constant_p(icmp4->icmp_hun.ih_pmtu.
ipm_nextmtu) ? (__uint16_t)(((__uint16_t)(icmp4->icmp_hun.
ih_pmtu.ipm_nextmtu) & 0xffU) << 8 | ((__uint16_t)(
icmp4->icmp_hun.ih_pmtu.ipm_nextmtu) & 0xff00U) >>
8) : __swap16md(icmp4->icmp_hun.ih_pmtu.ipm_nextmtu));
3127
3128 switch (type) {
3129 case ICMP_ECHO8:
3130 type = ICMP6_ECHO_REQUEST128;
3131 break;
3132 case ICMP_ECHOREPLY0:
3133 type = ICMP6_ECHO_REPLY129;
3134 break;
3135 case ICMP_UNREACH3:
3136 type = ICMP6_DST_UNREACH1;
3137 switch (code) {
3138 case ICMP_UNREACH_NET0:
3139 case ICMP_UNREACH_HOST1:
3140 case ICMP_UNREACH_NET_UNKNOWN6:
3141 case ICMP_UNREACH_HOST_UNKNOWN7:
3142 case ICMP_UNREACH_ISOLATED8:
3143 case ICMP_UNREACH_TOSNET11:
3144 case ICMP_UNREACH_TOSHOST12:
3145 code = ICMP6_DST_UNREACH_NOROUTE0;
3146 break;
3147 case ICMP_UNREACH_PORT3:
3148 code = ICMP6_DST_UNREACH_NOPORT4;
3149 break;
3150 case ICMP_UNREACH_NET_PROHIB9:
3151 case ICMP_UNREACH_HOST_PROHIB10:
3152 case ICMP_UNREACH_FILTER_PROHIB13:
3153 case ICMP_UNREACH_PRECEDENCE_CUTOFF15:
3154 code = ICMP6_DST_UNREACH_ADMIN1;
3155 break;
3156 case ICMP_UNREACH_PROTOCOL2:
3157 type = ICMP6_PARAM_PROB4;
3158 code = ICMP6_PARAMPROB_NEXTHEADER1;
3159 ptr = offsetof(struct ip6_hdr, ip6_nxt)__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_nxt
);
3160 break;
3161 case ICMP_UNREACH_NEEDFRAG4:
3162 type = ICMP6_PACKET_TOO_BIG2;
3163 code = 0;
3164 mtu += 20;
3165 break;
3166 default:
3167 return (-1);
3168 }
3169 break;
3170 case ICMP_TIMXCEED11:
3171 type = ICMP6_TIME_EXCEEDED3;
3172 break;
3173 case ICMP_PARAMPROB12:
3174 type = ICMP6_PARAM_PROB4;
3175 switch (code) {
3176 case ICMP_PARAMPROB_ERRATPTR0:
3177 code = ICMP6_PARAMPROB_HEADER0;
3178 break;
3179 case ICMP_PARAMPROB_LENGTH2:
3180 code = ICMP6_PARAMPROB_HEADER0;
3181 break;
3182 default:
3183 return (-1);
3184 }
3185
3186 ptr = icmp4->icmp_pptricmp_hun.ih_pptr;
3187 if (ptr == 0 || ptr == PTR_IP(ip_tos)(__builtin_offsetof(struct ip, ip_tos)))
3188 ; /* preserve */
3189 else if (ptr == PTR_IP(ip_len)(__builtin_offsetof(struct ip, ip_len)) ||
3190 ptr == PTR_IP(ip_len)(__builtin_offsetof(struct ip, ip_len)) + 1)
3191 ptr = PTR_IP6(ip6_plen)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_plen
));
3192 else if (ptr == PTR_IP(ip_ttl)(__builtin_offsetof(struct ip, ip_ttl)))
3193 ptr = PTR_IP6(ip6_hlim)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_hlim
));
3194 else if (ptr == PTR_IP(ip_p)(__builtin_offsetof(struct ip, ip_p)))
3195 ptr = PTR_IP6(ip6_nxt)(__builtin_offsetof(struct ip6_hdr, ip6_ctlun.ip6_un1.ip6_un1_nxt
));
3196 else if (ptr >= PTR_IP(ip_src)(__builtin_offsetof(struct ip, ip_src)) &&
3197 ptr < PTR_IP(ip_dst)(__builtin_offsetof(struct ip, ip_dst)))
3198 ptr = PTR_IP6(ip6_src)(__builtin_offsetof(struct ip6_hdr, ip6_src));
3199 else if (ptr >= PTR_IP(ip_dst)(__builtin_offsetof(struct ip, ip_dst)) &&
3200 ptr < sizeof(struct ip))
3201 ptr = PTR_IP6(ip6_dst)(__builtin_offsetof(struct ip6_hdr, ip6_dst));
3202 else {
3203 return (-1);
3204 }
3205 break;
3206 default:
3207 return (-1);
3208 }
3209
3210 pf_patch_8(pd, &icmp4->icmp_type, type, PF_HI(1));
3211 pf_patch_8(pd, &icmp4->icmp_code, code, PF_LO(!(1)));
3212 pf_patch_16(pd, &icmp4->icmp_nextmtuicmp_hun.ih_pmtu.ipm_nextmtu, htons(mtu)(__uint16_t)(__builtin_constant_p(mtu) ? (__uint16_t)(((__uint16_t
)(mtu) & 0xffU) << 8 | ((__uint16_t)(mtu) & 0xff00U
) >> 8) : __swap16md(mtu)));
3213 if (ptr >= 0)
3214 pf_patch_32(pd, &icmp4->icmp_voidicmp_hun.ih_void, htonl(ptr)(__uint32_t)(__builtin_constant_p(ptr) ? (__uint32_t)(((__uint32_t
)(ptr) & 0xff) << 24 | ((__uint32_t)(ptr) & 0xff00
) << 8 | ((__uint32_t)(ptr) & 0xff0000) >> 8 |
((__uint32_t)(ptr) & 0xff000000) >> 24) : __swap32md
(ptr)));
3215 break;
3216 }
3217
3218 return (0);
3219}
3220#endif /* INET6 */
3221
3222/*
3223 * Need to modulate the sequence numbers in the TCP SACK option
3224 * (credits to Krzysztof Pfaff for report and patch)
3225 */
3226int
3227pf_modulate_sack(struct pf_pdesc *pd, struct pf_state_peer *dst)
3228{
3229 struct sackblk sack;
3230 int copyback = 0, i;
3231 int olen, optsoff;
3232 u_int8_t opts[MAX_TCPOPTLEN40], *opt, *eoh;
3233
3234 olen = (pd->hdr.tcp.th_off << 2) - sizeof(struct tcphdr);
3235 optsoff = pd->off + sizeof(struct tcphdr);
3236#define TCPOLEN_MINSACK(8 + 2) (TCPOLEN_SACK8 + 2)
3237 if (olen < TCPOLEN_MINSACK(8 + 2) ||
3238 !pf_pull_hdr(pd->m, optsoff, opts, olen, NULL((void *)0), pd->af))
3239 return (0);
3240
3241 eoh = opts + olen;
3242 opt = opts;
3243 while ((opt = pf_find_tcpopt(opt, opts, olen,
3244 TCPOPT_SACK5, TCPOLEN_MINSACK(8 + 2))) != NULL((void *)0))
3245 {
3246 size_t safelen = MIN(opt[1], (eoh - opt))(((opt[1])<((eoh - opt)))?(opt[1]):((eoh - opt)));
3247 for (i = 2; i + TCPOLEN_SACK8 <= safelen; i += TCPOLEN_SACK8) {
3248 size_t startoff = (opt + i) - opts;
3249 memcpy(&sack, &opt[i], sizeof(sack))__builtin_memcpy((&sack), (&opt[i]), (sizeof(sack)));
3250 pf_patch_32_unaligned(pd, &sack.start,
3251 htonl(ntohl(sack.start) - dst->seqdiff)(__uint32_t)(__builtin_constant_p((__uint32_t)(__builtin_constant_p
(sack.start) ? (__uint32_t)(((__uint32_t)(sack.start) & 0xff
) << 24 | ((__uint32_t)(sack.start) & 0xff00) <<
8 | ((__uint32_t)(sack.start) & 0xff0000) >> 8 | (
(__uint32_t)(sack.start) & 0xff000000) >> 24) : __swap32md
(sack.start)) - dst->seqdiff) ? (__uint32_t)(((__uint32_t)
((__uint32_t)(__builtin_constant_p(sack.start) ? (__uint32_t)
(((__uint32_t)(sack.start) & 0xff) << 24 | ((__uint32_t
)(sack.start) & 0xff00) << 8 | ((__uint32_t)(sack.start
) & 0xff0000) >> 8 | ((__uint32_t)(sack.start) &
0xff000000) >> 24) : __swap32md(sack.start)) - dst->
seqdiff) & 0xff) << 24 | ((__uint32_t)((__uint32_t)
(__builtin_constant_p(sack.start) ? (__uint32_t)(((__uint32_t
)(sack.start) & 0xff) << 24 | ((__uint32_t)(sack.start
) & 0xff00) << 8 | ((__uint32_t)(sack.start) & 0xff0000
) >> 8 | ((__uint32_t)(sack.start) & 0xff000000) >>
24) : __swap32md(sack.start)) - dst->seqdiff) & 0xff00
) << 8 | ((__uint32_t)((__uint32_t)(__builtin_constant_p
(sack.start) ? (__uint32_t)(((__uint32_t)(sack.start) & 0xff
) << 24 | ((__uint32_t)(sack.start) & 0xff00) <<
8 | ((__uint32_t)(sack.start) & 0xff0000) >> 8 | (
(__uint32_t)(sack.start) & 0xff000000) >> 24) : __swap32md
(sack.start)) - dst->seqdiff) & 0xff0000) >> 8 |
((__uint32_t)((__uint32_t)(__builtin_constant_p(sack.start) ?
(__uint32_t)(((__uint32_t)(sack.start) & 0xff) << 24
| ((__uint32_t)(sack.start) & 0xff00) << 8 | ((__uint32_t
)(sack.start) & 0xff0000) >> 8 | ((__uint32_t)(sack
.start) & 0xff000000) >> 24) : __swap32md(sack.start
)) - dst->seqdiff) & 0xff000000) >> 24) : __swap32md
((__uint32_t)(__builtin_constant_p(sack.start) ? (__uint32_t)
(((__uint32_t)(sack.start) & 0xff) << 24 | ((__uint32_t
)(sack.start) & 0xff00) << 8 | ((__uint32_t)(sack.start
) & 0xff0000) >> 8 | ((__uint32_t)(sack.start) &
0xff000000) >> 24) : __swap32md(sack.start)) - dst->
seqdiff)),
3252 PF_ALGNMNT(startoff)(((startoff) % 2) == 0 ? (1) : (!(1))));
3253 pf_patch_32_unaligned(pd, &sack.end,
3254 htonl(ntohl(sack.end) - dst->seqdiff)(__uint32_t)(__builtin_constant_p((__uint32_t)(__builtin_constant_p
(sack.end) ? (__uint32_t)(((__uint32_t)(sack.end) & 0xff)
<< 24 | ((__uint32_t)(sack.end) & 0xff00) <<
8 | ((__uint32_t)(sack.end) & 0xff0000) >> 8 | ((__uint32_t
)(sack.end) & 0xff000000) >> 24) : __swap32md(sack.
end)) - dst->seqdiff) ? (__uint32_t)(((__uint32_t)((__uint32_t
)(__builtin_constant_p(sack.end) ? (__uint32_t)(((__uint32_t)
(sack.end) & 0xff) << 24 | ((__uint32_t)(sack.end) &
0xff00) << 8 | ((__uint32_t)(sack.end) & 0xff0000)
>> 8 | ((__uint32_t)(sack.end) & 0xff000000) >>
24) : __swap32md(sack.end)) - dst->seqdiff) & 0xff) <<
24 | ((__uint32_t)((__uint32_t)(__builtin_constant_p(sack.end
) ? (__uint32_t)(((__uint32_t)(sack.end) & 0xff) <<
24 | ((__uint32_t)(sack.end) & 0xff00) << 8 | ((__uint32_t
)(sack.end) & 0xff0000) >> 8 | ((__uint32_t)(sack.end
) & 0xff000000) >> 24) : __swap32md(sack.end)) - dst
->seqdiff) & 0xff00) << 8 | ((__uint32_t)((__uint32_t
)(__builtin_constant_p(sack.end) ? (__uint32_t)(((__uint32_t)
(sack.end) & 0xff) << 24 | ((__uint32_t)(sack.end) &
0xff00) << 8 | ((__uint32_t)(sack.end) & 0xff0000)
>> 8 | ((__uint32_t)(sack.end) & 0xff000000) >>
24) : __swap32md(sack.end)) - dst->seqdiff) & 0xff0000
) >> 8 | ((__uint32_t)((__uint32_t)(__builtin_constant_p
(sack.end) ? (__uint32_t)(((__uint32_t)(sack.end) & 0xff)
<< 24 | ((__uint32_t)(sack.end) & 0xff00) <<
8 | ((__uint32_t)(sack.end) & 0xff0000) >> 8 | ((__uint32_t
)(sack.end) & 0xff000000) >> 24) : __swap32md(sack.
end)) - dst->seqdiff) & 0xff000000) >> 24) : __swap32md
((__uint32_t)(__builtin_constant_p(sack.end) ? (__uint32_t)((
(__uint32_t)(sack.end) & 0xff) << 24 | ((__uint32_t
)(sack.end) & 0xff00) << 8 | ((__uint32_t)(sack.end
) & 0xff0000) >> 8 | ((__uint32_t)(sack.end) & 0xff000000
) >> 24) : __swap32md(sack.end)) - dst->seqdiff)),
3255 PF_ALGNMNT(startoff + sizeof(sack.start))(((startoff + sizeof(sack.start)) % 2) == 0 ? (1) : (!(1))));
3256 memcpy(&opt[i], &sack, sizeof(sack))__builtin_memcpy((&opt[i]), (&sack), (sizeof(sack)));
3257 }
3258 copyback = 1;
3259 opt += opt[1];
3260 }
3261
3262 if (copyback)
3263 m_copyback(pd->m, optsoff, olen, opts, M_NOWAIT0x0002);
3264 return (copyback);
3265}
3266
3267struct mbuf *
3268pf_build_tcp(const struct pf_rule *r, sa_family_t af,
3269 const struct pf_addr *saddr, const struct pf_addr *daddr,
3270 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
3271 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
3272 u_int16_t rtag, u_int sack, u_int rdom)
3273{
3274 struct mbuf *m;
3275 int len, tlen;
3276 struct ip *h;
3277#ifdef INET61
3278 struct ip6_hdr *h6;
3279#endif /* INET6 */
3280 struct tcphdr *th;
3281 char *opt;
3282
3283 /* maximum segment size tcp option */
3284 tlen = sizeof(struct tcphdr);
3285 if (mss)
3286 tlen += 4;
3287 if (sack)
3288 tlen += 2;
3289
3290 switch (af) {
3291 case AF_INET2:
3292 len = sizeof(struct ip) + tlen;
3293 break;
3294#ifdef INET61
3295 case AF_INET624:
3296 len = sizeof(struct ip6_hdr) + tlen;
3297 break;
3298#endif /* INET6 */
3299 default:
3300 unhandled_af(af);
3301 }
3302
3303 /* create outgoing mbuf */
3304 m = m_gethdr(M_DONTWAIT0x0002, MT_HEADER2);
3305 if (m == NULL((void *)0))
3306 return (NULL((void *)0));
3307 if (tag)
3308 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags |= PF_TAG_GENERATED0x01;
3309 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.tag = rtag;
3310 m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = rdom;
3311 if (r && (r->scrub_flags & PFSTATE_SETPRIO0x0200))
3312 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.prio = r->set_prio[0];
3313 if (r && r->qid)
3314 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.qid = r->qid;
3315 m->m_datam_hdr.mh_data += max_linkhdr;
3316 m->m_pkthdrM_dat.MH.MH_pkthdr.len = m->m_lenm_hdr.mh_len = len;
3317 m->m_pkthdrM_dat.MH.MH_pkthdr.ph_ifidx = 0;
3318 m->m_pkthdrM_dat.MH.MH_pkthdr.csum_flags |= M_TCP_CSUM_OUT0x0002;
3319 memset(m->m_data, 0, len)__builtin_memset((m->m_hdr.mh_data), (0), (len));
3320 switch (af) {
3321 case AF_INET2:
3322 h = mtod(m, struct ip *)((struct ip *)((m)->m_hdr.mh_data));
3323 h->ip_p = IPPROTO_TCP6;
3324 h->ip_len = htons(tlen)(__uint16_t)(__builtin_constant_p(tlen) ? (__uint16_t)(((__uint16_t
)(tlen) & 0xffU) << 8 | ((__uint16_t)(tlen) & 0xff00U
) >> 8) : __swap16md(tlen));
3325 h->ip_v = 4;
3326 h->ip_hl = sizeof(*h) >> 2;
3327 h->ip_tos = IPTOS_LOWDELAY0x10;
3328 h->ip_len = htons(len)(__uint16_t)(__builtin_constant_p(len) ? (__uint16_t)(((__uint16_t
)(len) & 0xffU) << 8 | ((__uint16_t)(len) & 0xff00U
) >> 8) : __swap16md(len));
3329 h->ip_off = htons(ip_mtudisc ? IP_DF : 0)(__uint16_t)(__builtin_constant_p(ip_mtudisc ? 0x4000 : 0) ? (
__uint16_t)(((__uint16_t)(ip_mtudisc ? 0x4000 : 0) & 0xffU
) << 8 | ((__uint16_t)(ip_mtudisc ? 0x4000 : 0) & 0xff00U
) >> 8) : __swap16md(ip_mtudisc ? 0x4000 : 0));
3330 h->ip_ttl = ttl ? ttl : ip_defttl;
3331 h->ip_sum = 0;
3332 h->ip_src.s_addr = saddr->v4pfa.v4.s_addr;
3333 h->ip_dst.s_addr = daddr->v4pfa.v4.s_addr;
3334
3335 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
3336 break;
3337#ifdef INET61
3338 case AF_INET624:
3339 h6 = mtod(m, struct ip6_hdr *)((struct ip6_hdr *)((m)->m_hdr.mh_data));
3340 h6->ip6_nxtip6_ctlun.ip6_un1.ip6_un1_nxt = IPPROTO_TCP6;
3341 h6->ip6_plenip6_ctlun.ip6_un1.ip6_un1_plen = htons(tlen)(__uint16_t)(__builtin_constant_p(tlen) ? (__uint16_t)(((__uint16_t
)(tlen) & 0xffU) << 8 | ((__uint16_t)(tlen) & 0xff00U
) >> 8) : __swap16md(tlen));
3342 h6->ip6_vfcip6_ctlun.ip6_un2_vfc |= IPV6_VERSION0x60;
3343 h6->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim = IPV6_DEFHLIM64;
3344 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr))__builtin_memcpy((&h6->ip6_src), (&saddr->pfa.v6
), (sizeof(struct in6_addr)));
3345 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr))__builtin_memcpy((&h6->ip6_dst), (&daddr->pfa.v6
), (sizeof(struct in6_addr)));
3346
3347 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
3348 break;
3349#endif /* INET6 */
3350 default:
3351 unhandled_af(af);
3352 }
3353
3354 /* TCP header */
3355 th->th_sport = sport;
3356 th->th_dport = dport;
3357 th->th_seq = htonl(seq)(__uint32_t)(__builtin_constant_p(seq) ? (__uint32_t)(((__uint32_t
)(seq) & 0xff) << 24 | ((__uint32_t)(seq) & 0xff00
) << 8 | ((__uint32_t)(seq) & 0xff0000) >> 8 |
((__uint32_t)(seq) & 0xff000000) >> 24) : __swap32md
(seq));
3358 th->th_ack = htonl(ack)(__uint32_t)(__builtin_constant_p(ack) ? (__uint32_t)(((__uint32_t
)(ack) & 0xff) << 24 | ((__uint32_t)(ack) & 0xff00
) << 8 | ((__uint32_t)(ack) & 0xff0000) >> 8 |
((__uint32_t)(ack) & 0xff000000) >> 24) : __swap32md
(ack));
3359 th->th_off = tlen >> 2;
3360 th->th_flags = flags;
3361 th->th_win = htons(win)(__uint16_t)(__builtin_constant_p(win) ? (__uint16_t)(((__uint16_t
)(win) & 0xffU) << 8 | ((__uint16_t)(win) & 0xff00U
) >> 8) : __swap16md(win));
3362
3363 opt = (char *)(th + 1);
3364 if (mss) {
3365 opt[0] = TCPOPT_MAXSEG2;
3366 opt[1] = 4;
3367 mss = htons(mss)(__uint16_t)(__builtin_constant_p(mss) ? (__uint16_t)(((__uint16_t
)(mss) & 0xffU) << 8 | ((__uint16_t)(mss) & 0xff00U
) >> 8) : __swap16md(mss));
3368 memcpy((opt + 2), &mss, 2)__builtin_memcpy(((opt + 2)), (&mss), (2));
3369 opt += 4;
3370 }
3371 if (sack) {
3372 opt[0] = TCPOPT_SACK_PERMITTED4;
3373 opt[1] = 2;
3374 opt += 2;
3375 }
3376
3377 return (m);
3378}
3379
3380void
3381pf_send_tcp(const struct pf_rule *r, sa_family_t af,
3382 const struct pf_addr *saddr, const struct pf_addr *daddr,
3383 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
3384 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
3385 u_int16_t rtag, u_int rdom)
3386{
3387 struct mbuf *m;
3388
3389 if ((m = pf_build_tcp(r, af, saddr, daddr, sport, dport, seq, ack,
3390 flags, win, mss, ttl, tag, rtag, 0, rdom)) == NULL((void *)0))
3391 return;
3392
3393 switch (af) {
3394 case AF_INET2:
3395 ip_send(m);
3396 break;
3397#ifdef INET61
3398 case AF_INET624:
3399 ip6_send(m);
3400 break;
3401#endif /* INET6 */
3402 }
3403}
3404
3405static void
3406pf_send_challenge_ack(struct pf_pdesc *pd, struct pf_state *st,
3407 struct pf_state_peer *src, struct pf_state_peer *dst)
3408{
3409 /*
3410 * We are sending challenge ACK as a response to SYN packet, which
3411 * matches existing state (modulo TCP window check). Therefore packet
3412 * must be sent on behalf of destination.
3413 *
3414 * We expect sender to remain either silent, or send RST packet
3415 * so both, firewall and remote peer, can purge dead state from
3416 * memory.
3417 */
3418 pf_send_tcp(st->rule.ptr, pd->af, pd->dst, pd->src,
3419 pd->hdr.tcp.th_dport, pd->hdr.tcp.th_sport, dst->seqlo,
3420 src->seqlo, TH_ACK0x10, 0, 0, st->rule.ptr->return_ttl, 1, 0,
3421 pd->rdomain);
3422}
3423
3424void
3425pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, int param,
3426 sa_family_t af, struct pf_rule *r, u_int rdomain)
3427{
3428 struct mbuf *m0;
3429
3430 if ((m0 = m_copym(m, 0, M_COPYALL1000000000, M_NOWAIT0x0002)) == NULL((void *)0))
3431 return;
3432
3433 m0->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags |= PF_TAG_GENERATED0x01;
3434 m0->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = rdomain;
3435 if (r && (r->scrub_flags & PFSTATE_SETPRIO0x0200))
3436 m0->m_pkthdrM_dat.MH.MH_pkthdr.pf.prio = r->set_prio[0];
3437 if (r && r->qid)
3438 m0->m_pkthdrM_dat.MH.MH_pkthdr.pf.qid = r->qid;
3439
3440 switch (af) {
3441 case AF_INET2:
3442 icmp_error(m0, type, code, 0, param);
3443 break;
3444#ifdef INET61
3445 case AF_INET624:
3446 icmp6_error(m0, type, code, param);
3447 break;
3448#endif /* INET6 */
3449 }
3450}
3451
3452/*
3453 * Return ((n = 0) == (a = b [with mask m]))
3454 * Note: n != 0 => returns (a != b [with mask m])
3455 */
3456int
3457pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
3458 struct pf_addr *b, sa_family_t af)
3459{
3460 switch (af) {
3461 case AF_INET2:
3462 if ((a->addr32pfa.addr32[0] & m->addr32pfa.addr32[0]) ==
3463 (b->addr32pfa.addr32[0] & m->addr32pfa.addr32[0]))
3464 return (n == 0);
3465 break;
3466#ifdef INET61
3467 case AF_INET624:
3468 if (((a->addr32pfa.addr32[0] & m->addr32pfa.addr32[0]) ==
3469 (b->addr32pfa.addr32[0] & m->addr32pfa.addr32[0])) &&
3470 ((a->addr32pfa.addr32[1] & m->addr32pfa.addr32[1]) ==
3471 (b->addr32pfa.addr32[1] & m->addr32pfa.addr32[1])) &&
3472 ((a->addr32pfa.addr32[2] & m->addr32pfa.addr32[2]) ==
3473 (b->addr32pfa.addr32[2] & m->addr32pfa.addr32[2])) &&
3474 ((a->addr32pfa.addr32[3] & m->addr32pfa.addr32[3]) ==
3475 (b->addr32pfa.addr32[3] & m->addr32pfa.addr32[3])))
3476 return (n == 0);
3477 break;
3478#endif /* INET6 */
3479 }
3480
3481 return (n != 0);
3482}
3483
3484/*
3485 * Return 1 if b <= a <= e, otherwise return 0.
3486 */
3487int
3488pf_match_addr_range(struct pf_addr *b, struct pf_addr *e,
3489 struct pf_addr *a, sa_family_t af)
3490{
3491 switch (af) {
3492 case AF_INET2:
3493 if ((ntohl(a->addr32[0])(__uint32_t)(__builtin_constant_p(a->pfa.addr32[0]) ? (__uint32_t
)(((__uint32_t)(a->pfa.addr32[0]) & 0xff) << 24 |
((__uint32_t)(a->pfa.addr32[0]) & 0xff00) << 8 |
((__uint32_t)(a->pfa.addr32[0]) & 0xff0000) >> 8
| ((__uint32_t)(a->pfa.addr32[0]) & 0xff000000) >>
24) : __swap32md(a->pfa.addr32[0])) < ntohl(b->addr32[0])(__uint32_t)(__builtin_constant_p(b->pfa.addr32[0]) ? (__uint32_t
)(((__uint32_t)(b->pfa.addr32[0]) & 0xff) << 24 |
((__uint32_t)(b->pfa.addr32[0]) & 0xff00) << 8 |
((__uint32_t)(b->pfa.addr32[0]) & 0xff0000) >> 8
| ((__uint32_t)(b->pfa.addr32[0]) & 0xff000000) >>
24) : __swap32md(b->pfa.addr32[0]))) ||
3494 (ntohl(a->addr32[0])(__uint32_t)(__builtin_constant_p(a->pfa.addr32[0]) ? (__uint32_t
)(((__uint32_t)(a->pfa.addr32[0]) & 0xff) << 24 |
((__uint32_t)(a->pfa.addr32[0]) & 0xff00) << 8 |
((__uint32_t)(a->pfa.addr32[0]) & 0xff0000) >> 8
| ((__uint32_t)(a->pfa.addr32[0]) & 0xff000000) >>
24) : __swap32md(a->pfa.addr32[0])) > ntohl(e->addr32[0])(__uint32_t)(__builtin_constant_p(e->pfa.addr32[0]) ? (__uint32_t
)(((__uint32_t)(e->pfa.addr32[0]) & 0xff) << 24 |
((__uint32_t)(e->pfa.addr32[0]) & 0xff00) << 8 |
((__uint32_t)(e->pfa.addr32[0]) & 0xff0000) >> 8
| ((__uint32_t)(e->pfa.addr32[0]) & 0xff000000) >>
24) : __swap32md(e->pfa.addr32[0]))))
3495 return (0);
3496 break;
3497#ifdef INET61
3498 case AF_INET624: {
3499 int i;
3500
3501 /* check a >= b */
3502 for (i = 0; i < 4; ++i)
3503 if (ntohl(a->addr32[i])(__uint32_t)(__builtin_constant_p(a->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(a->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(a->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(a->pfa.addr32[i])) > ntohl(b->addr32[i])(__uint32_t)(__builtin_constant_p(b->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(b->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(b->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(b->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(b->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(b->pfa.addr32[i])))
3504 break;
3505 else if (ntohl(a->addr32[i])(__uint32_t)(__builtin_constant_p(a->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(a->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(a->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(a->pfa.addr32[i])) < ntohl(b->addr32[i])(__uint32_t)(__builtin_constant_p(b->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(b->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(b->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(b->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(b->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(b->pfa.addr32[i])))
3506 return (0);
3507 /* check a <= e */
3508 for (i = 0; i < 4; ++i)
3509 if (ntohl(a->addr32[i])(__uint32_t)(__builtin_constant_p(a->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(a->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(a->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(a->pfa.addr32[i])) < ntohl(e->addr32[i])(__uint32_t)(__builtin_constant_p(e->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(e->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(e->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(e->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(e->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(e->pfa.addr32[i])))
3510 break;
3511 else if (ntohl(a->addr32[i])(__uint32_t)(__builtin_constant_p(a->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(a->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(a->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(a->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(a->pfa.addr32[i])) > ntohl(e->addr32[i])(__uint32_t)(__builtin_constant_p(e->pfa.addr32[i]) ? (__uint32_t
)(((__uint32_t)(e->pfa.addr32[i]) & 0xff) << 24 |
((__uint32_t)(e->pfa.addr32[i]) & 0xff00) << 8 |
((__uint32_t)(e->pfa.addr32[i]) & 0xff0000) >> 8
| ((__uint32_t)(e->pfa.addr32[i]) & 0xff000000) >>
24) : __swap32md(e->pfa.addr32[i])))
3512 return (0);
3513 break;
3514 }
3515#endif /* INET6 */
3516 }
3517 return (1);
3518}
3519
3520int
3521pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
3522{
3523 switch (op) {
3524 case PF_OP_IRG:
3525 return ((p > a1) && (p < a2));
3526 case PF_OP_XRG:
3527 return ((p < a1) || (p > a2));
3528 case PF_OP_RRG:
3529 return ((p >= a1) && (p <= a2));
3530 case PF_OP_EQ:
3531 return (p == a1);
3532 case PF_OP_NE:
3533 return (p != a1);
3534 case PF_OP_LT:
3535 return (p < a1);
3536 case PF_OP_LE:
3537 return (p <= a1);
3538 case PF_OP_GT:
3539 return (p > a1);
3540 case PF_OP_GE:
3541 return (p >= a1);
3542 }
3543 return (0); /* never reached */
3544}
3545
3546int
3547pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
3548{
3549 return (pf_match(op, ntohs(a1)(__uint16_t)(__builtin_constant_p(a1) ? (__uint16_t)(((__uint16_t
)(a1) & 0xffU) << 8 | ((__uint16_t)(a1) & 0xff00U
) >> 8) : __swap16md(a1)), ntohs(a2)(__uint16_t)(__builtin_constant_p(a2) ? (__uint16_t)(((__uint16_t
)(a2) & 0xffU) << 8 | ((__uint16_t)(a2) & 0xff00U
) >> 8) : __swap16md(a2)), ntohs(p)(__uint16_t)(__builtin_constant_p(p) ? (__uint16_t)(((__uint16_t
)(p) & 0xffU) << 8 | ((__uint16_t)(p) & 0xff00U
) >> 8) : __swap16md(p))));
3550}
3551
3552int
3553pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
3554{
3555 if (u == -1 && op != PF_OP_EQ && op != PF_OP_NE)
3556 return (0);
3557 return (pf_match(op, a1, a2, u));
3558}
3559
3560int
3561pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
3562{
3563 if (g == -1 && op != PF_OP_EQ && op != PF_OP_NE)
3564 return (0);
3565 return (pf_match(op, a1, a2, g));
3566}
3567
3568int
3569pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag)
3570{
3571 if (*tag == -1)
3572 *tag = m->m_pkthdrM_dat.MH.MH_pkthdr.pf.tag;
3573
3574 return ((!r->match_tag_not && r->match_tag == *tag) ||
3575 (r->match_tag_not && r->match_tag != *tag));
3576}
3577
3578int
3579pf_match_rcvif(struct mbuf *m, struct pf_rule *r)
3580{
3581 struct ifnet *ifp;
3582#if NCARP1 > 0
3583 struct ifnet *ifp0;
3584#endif
3585 struct pfi_kif *kif;
3586
3587 ifp = if_get(m->m_pkthdrM_dat.MH.MH_pkthdr.ph_ifidx);
3588 if (ifp == NULL((void *)0))
3589 return (0);
3590
3591#if NCARP1 > 0
3592 if (ifp->if_typeif_data.ifi_type == IFT_CARP0xf7 &&
3593 (ifp0 = if_get(ifp->if_carpdevidxif_carp_ptr.carp_idx)) != NULL((void *)0)) {
3594 kif = (struct pfi_kif *)ifp0->if_pf_kif;
3595 if_put(ifp0);
3596 } else
3597#endif /* NCARP */
3598 kif = (struct pfi_kif *)ifp->if_pf_kif;
3599
3600 if_put(ifp);
3601
3602 if (kif == NULL((void *)0)) {
3603 DPFPRINTF(LOG_ERR,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: kif == NULL, @%d via %s", __func__, r->nr, r->rcv_ifname
); addlog("\n"); } } while (0)
3604 "%s: kif == NULL, @%d via %s", __func__,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: kif == NULL, @%d via %s", __func__, r->nr, r->rcv_ifname
); addlog("\n"); } } while (0)
3605 r->nr, r->rcv_ifname)do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: kif == NULL, @%d via %s", __func__, r->nr, r->rcv_ifname
); addlog("\n"); } } while (0);
3606 return (0);
3607 }
3608
3609 return (pfi_kif_match(r->rcv_kif, kif));
3610}
3611
3612void
3613pf_tag_packet(struct mbuf *m, int tag, int rtableid)
3614{
3615 if (tag > 0)
3616 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.tag = tag;
3617 if (rtableid >= 0)
3618 m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = (u_int)rtableid;
3619}
3620
3621void
3622pf_anchor_stack_init(void)
3623{
3624 struct pf_anchor_stackframe *stack;
3625
3626 stack = (struct pf_anchor_stackframe *)cpumem_enter(pf_anchor_stack);
3627 stack[PF_ANCHOR_STACK_MAX64].sf_stack_topu.u_stack_top = &stack[0];
3628 cpumem_leave(pf_anchor_stack, stack);
3629}
3630
3631int
3632pf_anchor_stack_is_full(struct pf_anchor_stackframe *sf)
3633{
3634 struct pf_anchor_stackframe *stack;
3635 int rv;
3636
3637 stack = (struct pf_anchor_stackframe *)cpumem_enter(pf_anchor_stack);
3638 rv = (sf == &stack[PF_ANCHOR_STACK_MAX64]);
3639 cpumem_leave(pf_anchor_stack, stack);
3640
3641 return (rv);
3642}
3643
3644int
3645pf_anchor_stack_is_empty(struct pf_anchor_stackframe *sf)
3646{
3647 struct pf_anchor_stackframe *stack;
3648 int rv;
3649
3650 stack = (struct pf_anchor_stackframe *)cpumem_enter(pf_anchor_stack);
3651 rv = (sf == &stack[0]);
3652 cpumem_leave(pf_anchor_stack, stack);
3653
3654 return (rv);
3655}
3656
3657struct pf_anchor_stackframe *
3658pf_anchor_stack_top(void)
3659{
3660 struct pf_anchor_stackframe *stack;
3661 struct pf_anchor_stackframe *top_sf;
3662
3663 stack = (struct pf_anchor_stackframe *)cpumem_enter(pf_anchor_stack);
3664 top_sf = stack[PF_ANCHOR_STACK_MAX64].sf_stack_topu.u_stack_top;
3665 cpumem_leave(pf_anchor_stack, stack);
3666
3667 return (top_sf);
3668}
3669
3670int
3671pf_anchor_stack_push(struct pf_ruleset *rs, struct pf_rule *r,
3672 struct pf_anchor *child, int jump_target)
3673{
3674 struct pf_anchor_stackframe *stack;
3675 struct pf_anchor_stackframe *top_sf = pf_anchor_stack_top();
3676
3677 top_sf++;
3678 if (pf_anchor_stack_is_full(top_sf))
3679 return (-1);
3680
3681 top_sf->sf_rs = rs;
3682 top_sf->sf_ru.u_r = r;
3683 top_sf->sf_child = child;
3684 top_sf->sf_jump_target = jump_target;
3685
3686 stack = (struct pf_anchor_stackframe *)cpumem_enter(pf_anchor_stack);
3687
3688 if ((top_sf <= &stack[0]) || (top_sf >= &stack[PF_ANCHOR_STACK_MAX64]))
3689 panic("%s: top frame outside of anchor stack range", __func__);
3690
3691 stack[PF_ANCHOR_STACK_MAX64].sf_stack_topu.u_stack_top = top_sf;
3692 cpumem_leave(pf_anchor_stack, stack);
3693
3694 return (0);
3695}
3696
3697int
3698pf_anchor_stack_pop(struct pf_ruleset **rs, struct pf_rule **r,
3699 struct pf_anchor **child, int *jump_target)
3700{
3701 struct pf_anchor_stackframe *top_sf = pf_anchor_stack_top();
3702 struct pf_anchor_stackframe *stack;
3703 int on_top;
3704
3705 stack = (struct pf_anchor_stackframe *)cpumem_enter(pf_anchor_stack);
3706 if (pf_anchor_stack_is_empty(top_sf)) {
3707 on_top = -1;
3708 } else {
3709 if ((top_sf <= &stack[0]) ||
3710 (top_sf >= &stack[PF_ANCHOR_STACK_MAX64]))
3711 panic("%s: top frame outside of anchor stack range",
3712 __func__);
3713
3714 *rs = top_sf->sf_rs;
3715 *r = top_sf->sf_ru.u_r;
3716 *child = top_sf->sf_child;
3717 *jump_target = top_sf->sf_jump_target;
3718 top_sf--;
3719 stack[PF_ANCHOR_STACK_MAX64].sf_stack_topu.u_stack_top = top_sf;
3720 on_top = 0;
3721 }
3722 cpumem_leave(pf_anchor_stack, stack);
3723
3724 return (on_top);
3725}
3726
3727void
3728pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
3729 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
3730{
3731 switch (af) {
3732 case AF_INET2:
3733 naddr->addr32pfa.addr32[0] = (raddr->addr32pfa.addr32[0] & rmask->addr32pfa.addr32[0]) |
3734 ((rmask->addr32pfa.addr32[0] ^ 0xffffffff ) & saddr->addr32pfa.addr32[0]);
3735 break;
3736#ifdef INET61
3737 case AF_INET624:
3738 naddr->addr32pfa.addr32[0] = (raddr->addr32pfa.addr32[0] & rmask->addr32pfa.addr32[0]) |
3739 ((rmask->addr32pfa.addr32[0] ^ 0xffffffff ) & saddr->addr32pfa.addr32[0]);
3740 naddr->addr32pfa.addr32[1] = (raddr->addr32pfa.addr32[1] & rmask->addr32pfa.addr32[1]) |
3741 ((rmask->addr32pfa.addr32[1] ^ 0xffffffff ) & saddr->addr32pfa.addr32[1]);
3742 naddr->addr32pfa.addr32[2] = (raddr->addr32pfa.addr32[2] & rmask->addr32pfa.addr32[2]) |
3743 ((rmask->addr32pfa.addr32[2] ^ 0xffffffff ) & saddr->addr32pfa.addr32[2]);
3744 naddr->addr32pfa.addr32[3] = (raddr->addr32pfa.addr32[3] & rmask->addr32pfa.addr32[3]) |
3745 ((rmask->addr32pfa.addr32[3] ^ 0xffffffff ) & saddr->addr32pfa.addr32[3]);
3746 break;
3747#endif /* INET6 */
3748 default:
3749 unhandled_af(af);
3750 }
3751}
3752
3753void
3754pf_addr_inc(struct pf_addr *addr, sa_family_t af)
3755{
3756 switch (af) {
3757 case AF_INET2:
3758 addr->addr32pfa.addr32[0] = htonl(ntohl(addr->addr32[0]) + 1)(__uint32_t)(__builtin_constant_p((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[0]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[0]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[0])) + 1) ? (__uint32_t)(((__uint32_t)((
__uint32_t)(__builtin_constant_p(addr->pfa.addr32[0]) ? (__uint32_t
)(((__uint32_t)(addr->pfa.addr32[0]) & 0xff) << 24
| ((__uint32_t)(addr->pfa.addr32[0]) & 0xff00) <<
8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff0000) >>
8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff000000) >>
24) : __swap32md(addr->pfa.addr32[0])) + 1) & 0xff) <<
24 | ((__uint32_t)((__uint32_t)(__builtin_constant_p(addr->
pfa.addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32
[0]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[0]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[0])) + 1) & 0xff00) << 8 | ((__uint32_t)
((__uint32_t)(__builtin_constant_p(addr->pfa.addr32[0]) ? (
__uint32_t)(((__uint32_t)(addr->pfa.addr32[0]) & 0xff)
<< 24 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff00
) << 8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff0000
) >> 8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff000000
) >> 24) : __swap32md(addr->pfa.addr32[0])) + 1) &
0xff0000) >> 8 | ((__uint32_t)((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[0]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[0]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[0])) + 1) & 0xff000000) >> 24)
: __swap32md((__uint32_t)(__builtin_constant_p(addr->pfa.
addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32[0
]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[0]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[0])) + 1));
3759 break;
3760#ifdef INET61
3761 case AF_INET624:
3762 if (addr->addr32pfa.addr32[3] == 0xffffffff) {
3763 addr->addr32pfa.addr32[3] = 0;
3764 if (addr->addr32pfa.addr32[2] == 0xffffffff) {
3765 addr->addr32pfa.addr32[2] = 0;
3766 if (addr->addr32pfa.addr32[1] == 0xffffffff) {
3767 addr->addr32pfa.addr32[1] = 0;
3768 addr->addr32pfa.addr32[0] =
3769 htonl(ntohl(addr->addr32[0]) + 1)(__uint32_t)(__builtin_constant_p((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[0]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[0]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[0])) + 1) ? (__uint32_t)(((__uint32_t)((
__uint32_t)(__builtin_constant_p(addr->pfa.addr32[0]) ? (__uint32_t
)(((__uint32_t)(addr->pfa.addr32[0]) & 0xff) << 24
| ((__uint32_t)(addr->pfa.addr32[0]) & 0xff00) <<
8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff0000) >>
8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff000000) >>
24) : __swap32md(addr->pfa.addr32[0])) + 1) & 0xff) <<
24 | ((__uint32_t)((__uint32_t)(__builtin_constant_p(addr->
pfa.addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32
[0]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[0]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[0])) + 1) & 0xff00) << 8 | ((__uint32_t)
((__uint32_t)(__builtin_constant_p(addr->pfa.addr32[0]) ? (
__uint32_t)(((__uint32_t)(addr->pfa.addr32[0]) & 0xff)
<< 24 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff00
) << 8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff0000
) >> 8 | ((__uint32_t)(addr->pfa.addr32[0]) & 0xff000000
) >> 24) : __swap32md(addr->pfa.addr32[0])) + 1) &
0xff0000) >> 8 | ((__uint32_t)((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[0]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[0]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[0])) + 1) & 0xff000000) >> 24)
: __swap32md((__uint32_t)(__builtin_constant_p(addr->pfa.
addr32[0]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32[0
]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[0]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[0]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[0])) + 1));
3770 } else
3771 addr->addr32pfa.addr32[1] =
3772 htonl(ntohl(addr->addr32[1]) + 1)(__uint32_t)(__builtin_constant_p((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[1]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[1]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[1]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[1]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[1]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[1])) + 1) ? (__uint32_t)(((__uint32_t)((
__uint32_t)(__builtin_constant_p(addr->pfa.addr32[1]) ? (__uint32_t
)(((__uint32_t)(addr->pfa.addr32[1]) & 0xff) << 24
| ((__uint32_t)(addr->pfa.addr32[1]) & 0xff00) <<
8 | ((__uint32_t)(addr->pfa.addr32[1]) & 0xff0000) >>
8 | ((__uint32_t)(addr->pfa.addr32[1]) & 0xff000000) >>
24) : __swap32md(addr->pfa.addr32[1])) + 1) & 0xff) <<
24 | ((__uint32_t)((__uint32_t)(__builtin_constant_p(addr->
pfa.addr32[1]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32
[1]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[1]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[1]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[1]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[1])) + 1) & 0xff00) << 8 | ((__uint32_t)
((__uint32_t)(__builtin_constant_p(addr->pfa.addr32[1]) ? (
__uint32_t)(((__uint32_t)(addr->pfa.addr32[1]) & 0xff)
<< 24 | ((__uint32_t)(addr->pfa.addr32[1]) & 0xff00
) << 8 | ((__uint32_t)(addr->pfa.addr32[1]) & 0xff0000
) >> 8 | ((__uint32_t)(addr->pfa.addr32[1]) & 0xff000000
) >> 24) : __swap32md(addr->pfa.addr32[1])) + 1) &
0xff0000) >> 8 | ((__uint32_t)((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[1]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[1]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[1]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[1]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[1]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[1])) + 1) & 0xff000000) >> 24)
: __swap32md((__uint32_t)(__builtin_constant_p(addr->pfa.
addr32[1]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32[1
]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[1]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[1]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[1]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[1])) + 1));
3773 } else
3774 addr->addr32pfa.addr32[2] =
3775 htonl(ntohl(addr->addr32[2]) + 1)(__uint32_t)(__builtin_constant_p((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[2]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[2]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[2]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[2]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[2]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[2])) + 1) ? (__uint32_t)(((__uint32_t)((
__uint32_t)(__builtin_constant_p(addr->pfa.addr32[2]) ? (__uint32_t
)(((__uint32_t)(addr->pfa.addr32[2]) & 0xff) << 24
| ((__uint32_t)(addr->pfa.addr32[2]) & 0xff00) <<
8 | ((__uint32_t)(addr->pfa.addr32[2]) & 0xff0000) >>
8 | ((__uint32_t)(addr->pfa.addr32[2]) & 0xff000000) >>
24) : __swap32md(addr->pfa.addr32[2])) + 1) & 0xff) <<
24 | ((__uint32_t)((__uint32_t)(__builtin_constant_p(addr->
pfa.addr32[2]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32
[2]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[2]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[2]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[2]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[2])) + 1) & 0xff00) << 8 | ((__uint32_t)
((__uint32_t)(__builtin_constant_p(addr->pfa.addr32[2]) ? (
__uint32_t)(((__uint32_t)(addr->pfa.addr32[2]) & 0xff)
<< 24 | ((__uint32_t)(addr->pfa.addr32[2]) & 0xff00
) << 8 | ((__uint32_t)(addr->pfa.addr32[2]) & 0xff0000
) >> 8 | ((__uint32_t)(addr->pfa.addr32[2]) & 0xff000000
) >> 24) : __swap32md(addr->pfa.addr32[2])) + 1) &
0xff0000) >> 8 | ((__uint32_t)((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[2]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[2]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[2]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[2]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[2]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[2])) + 1) & 0xff000000) >> 24)
: __swap32md((__uint32_t)(__builtin_constant_p(addr->pfa.
addr32[2]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32[2
]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[2]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[2]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[2]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[2])) + 1));
3776 } else
3777 addr->addr32pfa.addr32[3] =
3778 htonl(ntohl(addr->addr32[3]) + 1)(__uint32_t)(__builtin_constant_p((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[3]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[3]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[3]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[3]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[3]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[3])) + 1) ? (__uint32_t)(((__uint32_t)((
__uint32_t)(__builtin_constant_p(addr->pfa.addr32[3]) ? (__uint32_t
)(((__uint32_t)(addr->pfa.addr32[3]) & 0xff) << 24
| ((__uint32_t)(addr->pfa.addr32[3]) & 0xff00) <<
8 | ((__uint32_t)(addr->pfa.addr32[3]) & 0xff0000) >>
8 | ((__uint32_t)(addr->pfa.addr32[3]) & 0xff000000) >>
24) : __swap32md(addr->pfa.addr32[3])) + 1) & 0xff) <<
24 | ((__uint32_t)((__uint32_t)(__builtin_constant_p(addr->
pfa.addr32[3]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32
[3]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[3]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[3]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[3]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[3])) + 1) & 0xff00) << 8 | ((__uint32_t)
((__uint32_t)(__builtin_constant_p(addr->pfa.addr32[3]) ? (
__uint32_t)(((__uint32_t)(addr->pfa.addr32[3]) & 0xff)
<< 24 | ((__uint32_t)(addr->pfa.addr32[3]) & 0xff00
) << 8 | ((__uint32_t)(addr->pfa.addr32[3]) & 0xff0000
) >> 8 | ((__uint32_t)(addr->pfa.addr32[3]) & 0xff000000
) >> 24) : __swap32md(addr->pfa.addr32[3])) + 1) &
0xff0000) >> 8 | ((__uint32_t)((__uint32_t)(__builtin_constant_p
(addr->pfa.addr32[3]) ? (__uint32_t)(((__uint32_t)(addr->
pfa.addr32[3]) & 0xff) << 24 | ((__uint32_t)(addr->
pfa.addr32[3]) & 0xff00) << 8 | ((__uint32_t)(addr->
pfa.addr32[3]) & 0xff0000) >> 8 | ((__uint32_t)(addr
->pfa.addr32[3]) & 0xff000000) >> 24) : __swap32md
(addr->pfa.addr32[3])) + 1) & 0xff000000) >> 24)
: __swap32md((__uint32_t)(__builtin_constant_p(addr->pfa.
addr32[3]) ? (__uint32_t)(((__uint32_t)(addr->pfa.addr32[3
]) & 0xff) << 24 | ((__uint32_t)(addr->pfa.addr32
[3]) & 0xff00) << 8 | ((__uint32_t)(addr->pfa.addr32
[3]) & 0xff0000) >> 8 | ((__uint32_t)(addr->pfa.
addr32[3]) & 0xff000000) >> 24) : __swap32md(addr->
pfa.addr32[3])) + 1));
3779 break;
3780#endif /* INET6 */
3781 default:
3782 unhandled_af(af);
3783 }
3784}
3785
3786int
3787pf_socket_lookup(struct pf_pdesc *pd)
3788{
3789 struct pf_addr *saddr, *daddr;
3790 u_int16_t sport, dport;
3791 struct inpcbtable *tb;
3792 struct inpcb *inp;
3793
3794 pd->lookup.uid = -1;
3795 pd->lookup.gid = -1;
3796 pd->lookup.pid = NO_PID(99999 +1);
3797 switch (pd->virtual_proto) {
3798 case IPPROTO_TCP6:
3799 sport = pd->hdr.tcp.th_sport;
3800 dport = pd->hdr.tcp.th_dport;
3801 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
3802 NET_ASSERT_LOCKED()do { int _s = rw_status(&netlock); if ((splassert_ctl >
0) && (_s != 0x0001UL && _s != 0x0002UL)) splassert_fail
(0x0002UL, _s, __func__); } while (0);
3803 tb = &tcbtable;
3804 break;
3805 case IPPROTO_UDP17:
3806 sport = pd->hdr.udp.uh_sport;
3807 dport = pd->hdr.udp.uh_dport;
3808 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
3809 NET_ASSERT_LOCKED()do { int _s = rw_status(&netlock); if ((splassert_ctl >
0) && (_s != 0x0001UL && _s != 0x0002UL)) splassert_fail
(0x0002UL, _s, __func__); } while (0);
3810 tb = &udbtable;
3811 break;
3812 default:
3813 return (-1);
3814 }
3815 if (pd->dir == PF_IN) {
3816 saddr = pd->src;
3817 daddr = pd->dst;
3818 } else {
3819 u_int16_t p;
3820
3821 p = sport;
3822 sport = dport;
3823 dport = p;
3824 saddr = pd->dst;
3825 daddr = pd->src;
3826 }
3827 switch (pd->af) {
3828 case AF_INET2:
3829 /*
3830 * Fails when rtable is changed while evaluating the ruleset
3831 * The socket looked up will not match the one hit in the end.
3832 */
3833 inp = in_pcblookup(tb, saddr->v4pfa.v4, sport, daddr->v4pfa.v4, dport,
3834 pd->rdomain);
3835 if (inp == NULL((void *)0)) {
3836 inp = in_pcblookup_listen(tb, daddr->v4pfa.v4, dport,
3837 NULL((void *)0), pd->rdomain);
3838 if (inp == NULL((void *)0))
3839 return (-1);
3840 }
3841 break;
3842#ifdef INET61
3843 case AF_INET624:
3844 if (pd->virtual_proto == IPPROTO_UDP17)
3845 tb = &udb6table;
3846 inp = in6_pcblookup(tb, &saddr->v6pfa.v6, sport, &daddr->v6pfa.v6,
3847 dport, pd->rdomain);
3848 if (inp == NULL((void *)0)) {
3849 inp = in6_pcblookup_listen(tb, &daddr->v6pfa.v6, dport,
3850 NULL((void *)0), pd->rdomain);
3851 if (inp == NULL((void *)0))
3852 return (-1);
3853 }
3854 break;
3855#endif /* INET6 */
3856 default:
3857 unhandled_af(pd->af);
3858 }
3859 pd->lookup.uid = inp->inp_socket->so_euid;
3860 pd->lookup.gid = inp->inp_socket->so_egid;
3861 pd->lookup.pid = inp->inp_socket->so_cpid;
3862 in_pcbunref(inp);
3863 return (1);
3864}
3865
3866/* post: r => (r[0] == type /\ r[1] >= min_typelen >= 2 "validity"
3867 * /\ (eoh - r) >= min_typelen >= 2 "safety" )
3868 *
3869 * warning: r + r[1] may exceed opts bounds for r[1] > min_typelen
3870 */
3871u_int8_t*
3872pf_find_tcpopt(u_int8_t *opt, u_int8_t *opts, size_t hlen, u_int8_t type,
3873 u_int8_t min_typelen)
3874{
3875 u_int8_t *eoh = opts + hlen;
3876
3877 if (min_typelen < 2)
3878 return (NULL((void *)0));
3879
3880 while ((eoh - opt) >= min_typelen) {
3881 switch (*opt) {
3882 case TCPOPT_EOL0:
3883 /* FALLTHROUGH - Workaround the failure of some
3884 systems to NOP-pad their bzero'd option buffers,
3885 producing spurious EOLs */
3886 case TCPOPT_NOP1:
3887 opt++;
3888 continue;
3889 default:
3890 if (opt[0] == type &&
3891 opt[1] >= min_typelen)
3892 return (opt);
3893 }
3894
3895 opt += MAX(opt[1], 2)(((opt[1])>(2))?(opt[1]):(2)); /* evade infinite loops */
3896 }
3897
3898 return (NULL((void *)0));
3899}
3900
3901u_int8_t
3902pf_get_wscale(struct pf_pdesc *pd)
3903{
3904 int olen;
3905 u_int8_t opts[MAX_TCPOPTLEN40], *opt;
3906 u_int8_t wscale = 0;
3907
3908 olen = (pd->hdr.tcp.th_off << 2) - sizeof(struct tcphdr);
3909 if (olen < TCPOLEN_WINDOW3 || !pf_pull_hdr(pd->m,
3910 pd->off + sizeof(struct tcphdr), opts, olen, NULL((void *)0), pd->af))
3911 return (0);
3912
3913 opt = opts;
3914 while ((opt = pf_find_tcpopt(opt, opts, olen,
3915 TCPOPT_WINDOW3, TCPOLEN_WINDOW3)) != NULL((void *)0)) {
3916 wscale = opt[2];
3917 wscale = MIN(wscale, TCP_MAX_WINSHIFT)(((wscale)<(14))?(wscale):(14));
3918 wscale |= PF_WSCALE_FLAG0x80;
3919
3920 opt += opt[1];
3921 }
3922
3923 return (wscale);
3924}
3925
3926u_int16_t
3927pf_get_mss(struct pf_pdesc *pd)
3928{
3929 int olen;
3930 u_int8_t opts[MAX_TCPOPTLEN40], *opt;
3931 u_int16_t mss = tcp_mssdflt;
3932
3933 olen = (pd->hdr.tcp.th_off << 2) - sizeof(struct tcphdr);
3934 if (olen < TCPOLEN_MAXSEG4 || !pf_pull_hdr(pd->m,
3935 pd->off + sizeof(struct tcphdr), opts, olen, NULL((void *)0), pd->af))
3936 return (0);
3937
3938 opt = opts;
3939 while ((opt = pf_find_tcpopt(opt, opts, olen,
3940 TCPOPT_MAXSEG2, TCPOLEN_MAXSEG4)) != NULL((void *)0)) {
3941 memcpy(&mss, (opt + 2), 2)__builtin_memcpy((&mss), ((opt + 2)), (2));
3942 mss = ntohs(mss)(__uint16_t)(__builtin_constant_p(mss) ? (__uint16_t)(((__uint16_t
)(mss) & 0xffU) << 8 | ((__uint16_t)(mss) & 0xff00U
) >> 8) : __swap16md(mss));
3943
3944 opt += opt[1];
3945 }
3946 return (mss);
3947}
3948
3949u_int16_t
3950pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer)
3951{
3952 struct ifnet *ifp;
3953 struct sockaddr_in *dst;
3954#ifdef INET61
3955 struct sockaddr_in6 *dst6;
3956#endif /* INET6 */
3957 struct rtentry *rt = NULL((void *)0);
3958 struct sockaddr_storage ss;
3959 int hlen;
3960 u_int16_t mss = tcp_mssdflt;
3961
3962 memset(&ss, 0, sizeof(ss))__builtin_memset((&ss), (0), (sizeof(ss)));
3963
3964 switch (af) {
3965 case AF_INET2:
3966 hlen = sizeof(struct ip);
3967 dst = (struct sockaddr_in *)&ss;
3968 dst->sin_family = AF_INET2;
3969 dst->sin_len = sizeof(*dst);
3970 dst->sin_addr = addr->v4pfa.v4;
3971 rt = rtalloc(sintosa(dst), 0, rtableid);
3972 break;
3973#ifdef INET61
3974 case AF_INET624:
3975 hlen = sizeof(struct ip6_hdr);
3976 dst6 = (struct sockaddr_in6 *)&ss;
3977 dst6->sin6_family = AF_INET624;
3978 dst6->sin6_len = sizeof(*dst6);
3979 dst6->sin6_addr = addr->v6pfa.v6;
3980 rt = rtalloc(sin6tosa(dst6), 0, rtableid);
3981 break;
3982#endif /* INET6 */
3983 }
3984
3985 if (rt != NULL((void *)0) && (ifp = if_get(rt->rt_ifidx)) != NULL((void *)0)) {
3986 mss = ifp->if_mtuif_data.ifi_mtu - hlen - sizeof(struct tcphdr);
3987 mss = max(tcp_mssdflt, mss);
3988 if_put(ifp);
3989 }
3990 rtfree(rt);
3991 mss = min(mss, offer);
3992 mss = max(mss, 64); /* sanity - at least max opt space */
3993 return (mss);
3994}
3995
3996static __inline int
3997pf_set_rt_ifp(struct pf_state *st, struct pf_addr *saddr, sa_family_t af,
3998 struct pf_src_node **sns)
3999{
4000 struct pf_rule *r = st->rule.ptr;
4001 int rv;
4002
4003 if (!r->rt)
4004 return (0);
4005
4006 rv = pf_map_addr(af, r, saddr, &st->rt_addr, NULL((void *)0), sns,
4007 &r->route, PF_SN_ROUTE);
4008 if (rv == 0)
4009 st->rt = r->rt;
4010
4011 return (rv);
4012}
4013
4014u_int32_t
4015pf_tcp_iss(struct pf_pdesc *pd)
4016{
4017 SHA2_CTX ctx;
4018 union {
4019 uint8_t bytes[SHA512_DIGEST_LENGTH64];
4020 uint32_t words[1];
4021 } digest;
4022
4023 if (pf_tcp_secret_init == 0) {
4024 arc4random_buf(pf_tcp_secret, sizeof(pf_tcp_secret));
4025 SHA512Init(&pf_tcp_secret_ctx);
4026 SHA512Update(&pf_tcp_secret_ctx, pf_tcp_secret,
4027 sizeof(pf_tcp_secret));
4028 pf_tcp_secret_init = 1;
4029 }
4030 ctx = pf_tcp_secret_ctx;
4031
4032 SHA512Update(&ctx, &pd->rdomain, sizeof(pd->rdomain));
4033 SHA512Update(&ctx, &pd->hdr.tcp.th_sport, sizeof(u_short));
4034 SHA512Update(&ctx, &pd->hdr.tcp.th_dport, sizeof(u_short));
4035 switch (pd->af) {
4036 case AF_INET2:
4037 SHA512Update(&ctx, &pd->src->v4pfa.v4, sizeof(struct in_addr));
4038 SHA512Update(&ctx, &pd->dst->v4pfa.v4, sizeof(struct in_addr));
4039 break;
4040#ifdef INET61
4041 case AF_INET624:
4042 SHA512Update(&ctx, &pd->src->v6pfa.v6, sizeof(struct in6_addr));
4043 SHA512Update(&ctx, &pd->dst->v6pfa.v6, sizeof(struct in6_addr));
4044 break;
4045#endif /* INET6 */
4046 }
4047 SHA512Final(digest.bytes, &ctx);
4048 pf_tcp_iss_off += 4096;
4049 return (digest.words[0] + READ_ONCE(tcp_iss)({ typeof(tcp_iss) __tmp = *(volatile typeof(tcp_iss) *)&
(tcp_iss); membar_datadep_consumer(); __tmp; }) + pf_tcp_iss_off);
4050}
4051
4052void
4053pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a)
4054{
4055 if (r->qid)
4056 a->qid = r->qid;
4057 if (r->pqid)
4058 a->pqid = r->pqid;
4059 if (r->rtableid >= 0)
4060 a->rtableid = r->rtableid;
4061#if NPFLOG1 > 0
4062 a->log |= r->log;
4063#endif /* NPFLOG > 0 */
4064 if (r->scrub_flags & PFSTATE_SETTOS0x0040)
4065 a->set_tos = r->set_tos;
4066 if (r->min_ttl)
4067 a->min_ttl = r->min_ttl;
4068 if (r->max_mss)
4069 a->max_mss = r->max_mss;
4070 a->flags |= (r->scrub_flags & (PFSTATE_NODF0x0020|PFSTATE_RANDOMID0x0080|
4071 PFSTATE_SETTOS0x0040|PFSTATE_SCRUB_TCP0x0100|PFSTATE_SETPRIO0x0200));
4072 if (r->scrub_flags & PFSTATE_SETPRIO0x0200) {
4073 a->set_prio[0] = r->set_prio[0];
4074 a->set_prio[1] = r->set_prio[1];
4075 }
4076 if (r->rule_flag & PFRULE_SETDELAY0x0080)
4077 a->delay = r->delay;
4078}
4079
4080#define PF_TEST_ATTRIB(t, a)if (t) { r = a; continue; } else do { } while (0) \
4081 if (t) { \
4082 r = a; \
4083 continue; \
4084 } else do { \
4085 } while (0)
4086
4087enum pf_test_status
4088pf_match_rule(struct pf_test_ctx *ctx, struct pf_ruleset *ruleset)
4089{
4090 struct pf_rule *r;
4091 struct pf_anchor *child = NULL((void *)0);
4092 int target;
4093
4094 pf_anchor_stack_init();
4095enter_ruleset:
4096 r = TAILQ_FIRST(ruleset->rules.active.ptr)((ruleset->rules.active.ptr)->tqh_first);
4097 while (r != NULL((void *)0)) {
4098 PF_TEST_ATTRIB(r->rule_flag & PFRULE_EXPIRED,if (r->rule_flag & 0x00400000) { r = ((r)->entries.
tqe_next); continue; } else do { } while (0)
4099 TAILQ_NEXT(r, entries))if (r->rule_flag & 0x00400000) { r = ((r)->entries.
tqe_next); continue; } else do { } while (0);
4100 r->evaluations++;
4101 PF_TEST_ATTRIB(if ((pfi_kif_match(r->kif, ctx->pd->kif) == r->ifnot
)) { r = r->skip[0].ptr; continue; } else do { } while (0)
4102 (pfi_kif_match(r->kif, ctx->pd->kif) == r->ifnot),if ((pfi_kif_match(r->kif, ctx->pd->kif) == r->ifnot
)) { r = r->skip[0].ptr; continue; } else do { } while (0)
4103 r->skip[PF_SKIP_IFP].ptr)if ((pfi_kif_match(r->kif, ctx->pd->kif) == r->ifnot
)) { r = r->skip[0].ptr; continue; } else do { } while (0);
4104 PF_TEST_ATTRIB((r->direction && r->direction != ctx->pd->dir),if ((r->direction && r->direction != ctx->pd
->dir)) { r = r->skip[1].ptr; continue; } else do { } while
(0)
4105 r->skip[PF_SKIP_DIR].ptr)if ((r->direction && r->direction != ctx->pd
->dir)) { r = r->skip[1].ptr; continue; } else do { } while
(0);
4106 PF_TEST_ATTRIB((r->onrdomain >= 0 &&if ((r->onrdomain >= 0 && (r->onrdomain == ctx
->pd->rdomain) == r->ifnot)) { r = r->skip[2].ptr
; continue; } else do { } while (0)
4107 (r->onrdomain == ctx->pd->rdomain) == r->ifnot),if ((r->onrdomain >= 0 && (r->onrdomain == ctx
->pd->rdomain) == r->ifnot)) { r = r->skip[2].ptr
; continue; } else do { } while (0)
4108 r->skip[PF_SKIP_RDOM].ptr)if ((r->onrdomain >= 0 && (r->onrdomain == ctx
->pd->rdomain) == r->ifnot)) { r = r->skip[2].ptr
; continue; } else do { } while (0);
4109 PF_TEST_ATTRIB((r->af && r->af != ctx->pd->af),if ((r->af && r->af != ctx->pd->af)) { r =
r->skip[3].ptr; continue; } else do { } while (0)
4110 r->skip[PF_SKIP_AF].ptr)if ((r->af && r->af != ctx->pd->af)) { r =
r->skip[3].ptr; continue; } else do { } while (0);
4111 PF_TEST_ATTRIB((r->proto && r->proto != ctx->pd->proto),if ((r->proto && r->proto != ctx->pd->proto
)) { r = r->skip[4].ptr; continue; } else do { } while (0)
4112 r->skip[PF_SKIP_PROTO].ptr)if ((r->proto && r->proto != ctx->pd->proto
)) { r = r->skip[4].ptr; continue; } else do { } while (0);
4113 PF_TEST_ATTRIB((PF_MISMATCHAW(&r->src.addr, &ctx->pd->nsaddr,if ((( (((&r->src.addr)->type == PF_ADDR_NOROUTE &&
pf_routable((&ctx->pd->nsaddr), (ctx->pd->naf
), ((void *)0), (ctx->act.rtableid))) || (((&r->src
.addr)->type == PF_ADDR_URPFFAILED && (ctx->pd->
kif) != ((void *)0) && pf_routable((&ctx->pd->
nsaddr), (ctx->pd->naf), (ctx->pd->kif), (ctx->
act.rtableid))) || ((&r->src.addr)->type == PF_ADDR_RTLABEL
&& !pf_rtlabel_match((&ctx->pd->nsaddr), (
ctx->pd->naf), (&r->src.addr), (ctx->act.rtableid
))) || ((&r->src.addr)->type == PF_ADDR_TABLE &&
!pfr_match_addr((&r->src.addr)->p.tbl, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_DYNIFTL && !pfi_match_addr((&
r->src.addr)->p.dyn, (&ctx->pd->nsaddr), (ctx
->pd->naf))) || ((&r->src.addr)->type == PF_ADDR_RANGE
&& !pf_match_addr_range(&(&r->src.addr)->
v.a.addr, &(&r->src.addr)->v.a.mask, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_ADDRMASK && !(((ctx->pd->
naf) == 2 && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[0]) || ((ctx->pd->naf) == 24 &&
!(&(&r->src.addr)->v.a.mask)->pfa.addr32[0]
&& !(&(&r->src.addr)->v.a.mask)->pfa
.addr32[1] && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[2] && !(&(&r->src.addr)->
v.a.mask)->pfa.addr32[3] )) && !pf_match_addr(0, &
(&r->src.addr)->v.a.addr, &(&r->src.addr
)->v.a.mask, (&ctx->pd->nsaddr), (ctx->pd->
naf))))) != (r->src.neg) ))) { r = r->skip[5].ptr; continue
; } else do { } while (0)
4114 ctx->pd->naf, r->src.neg, ctx->pd->kif,if ((( (((&r->src.addr)->type == PF_ADDR_NOROUTE &&
pf_routable((&ctx->pd->nsaddr), (ctx->pd->naf
), ((void *)0), (ctx->act.rtableid))) || (((&r->src
.addr)->type == PF_ADDR_URPFFAILED && (ctx->pd->
kif) != ((void *)0) && pf_routable((&ctx->pd->
nsaddr), (ctx->pd->naf), (ctx->pd->kif), (ctx->
act.rtableid))) || ((&r->src.addr)->type == PF_ADDR_RTLABEL
&& !pf_rtlabel_match((&ctx->pd->nsaddr), (
ctx->pd->naf), (&r->src.addr), (ctx->act.rtableid
))) || ((&r->src.addr)->type == PF_ADDR_TABLE &&
!pfr_match_addr((&r->src.addr)->p.tbl, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_DYNIFTL && !pfi_match_addr((&
r->src.addr)->p.dyn, (&ctx->pd->nsaddr), (ctx
->pd->naf))) || ((&r->src.addr)->type == PF_ADDR_RANGE
&& !pf_match_addr_range(&(&r->src.addr)->
v.a.addr, &(&r->src.addr)->v.a.mask, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_ADDRMASK && !(((ctx->pd->
naf) == 2 && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[0]) || ((ctx->pd->naf) == 24 &&
!(&(&r->src.addr)->v.a.mask)->pfa.addr32[0]
&& !(&(&r->src.addr)->v.a.mask)->pfa
.addr32[1] && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[2] && !(&(&r->src.addr)->
v.a.mask)->pfa.addr32[3] )) && !pf_match_addr(0, &
(&r->src.addr)->v.a.addr, &(&r->src.addr
)->v.a.mask, (&ctx->pd->nsaddr), (ctx->pd->
naf))))) != (r->src.neg) ))) { r = r->skip[5].ptr; continue
; } else do { } while (0)
4115 ctx->act.rtableid)),if ((( (((&r->src.addr)->type == PF_ADDR_NOROUTE &&
pf_routable((&ctx->pd->nsaddr), (ctx->pd->naf
), ((void *)0), (ctx->act.rtableid))) || (((&r->src
.addr)->type == PF_ADDR_URPFFAILED && (ctx->pd->
kif) != ((void *)0) && pf_routable((&ctx->pd->
nsaddr), (ctx->pd->naf), (ctx->pd->kif), (ctx->
act.rtableid))) || ((&r->src.addr)->type == PF_ADDR_RTLABEL
&& !pf_rtlabel_match((&ctx->pd->nsaddr), (
ctx->pd->naf), (&r->src.addr), (ctx->act.rtableid
))) || ((&r->src.addr)->type == PF_ADDR_TABLE &&
!pfr_match_addr((&r->src.addr)->p.tbl, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_DYNIFTL && !pfi_match_addr((&
r->src.addr)->p.dyn, (&ctx->pd->nsaddr), (ctx
->pd->naf))) || ((&r->src.addr)->type == PF_ADDR_RANGE
&& !pf_match_addr_range(&(&r->src.addr)->
v.a.addr, &(&r->src.addr)->v.a.mask, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_ADDRMASK && !(((ctx->pd->
naf) == 2 && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[0]) || ((ctx->pd->naf) == 24 &&
!(&(&r->src.addr)->v.a.mask)->pfa.addr32[0]
&& !(&(&r->src.addr)->v.a.mask)->pfa
.addr32[1] && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[2] && !(&(&r->src.addr)->
v.a.mask)->pfa.addr32[3] )) && !pf_match_addr(0, &
(&r->src.addr)->v.a.addr, &(&r->src.addr
)->v.a.mask, (&ctx->pd->nsaddr), (ctx->pd->
naf))))) != (r->src.neg) ))) { r = r->skip[5].ptr; continue
; } else do { } while (0)
4116 r->skip[PF_SKIP_SRC_ADDR].ptr)if ((( (((&r->src.addr)->type == PF_ADDR_NOROUTE &&
pf_routable((&ctx->pd->nsaddr), (ctx->pd->naf
), ((void *)0), (ctx->act.rtableid))) || (((&r->src
.addr)->type == PF_ADDR_URPFFAILED && (ctx->pd->
kif) != ((void *)0) && pf_routable((&ctx->pd->
nsaddr), (ctx->pd->naf), (ctx->pd->kif), (ctx->
act.rtableid))) || ((&r->src.addr)->type == PF_ADDR_RTLABEL
&& !pf_rtlabel_match((&ctx->pd->nsaddr), (
ctx->pd->naf), (&r->src.addr), (ctx->act.rtableid
))) || ((&r->src.addr)->type == PF_ADDR_TABLE &&
!pfr_match_addr((&r->src.addr)->p.tbl, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_DYNIFTL && !pfi_match_addr((&
r->src.addr)->p.dyn, (&ctx->pd->nsaddr), (ctx
->pd->naf))) || ((&r->src.addr)->type == PF_ADDR_RANGE
&& !pf_match_addr_range(&(&r->src.addr)->
v.a.addr, &(&r->src.addr)->v.a.mask, (&ctx->
pd->nsaddr), (ctx->pd->naf))) || ((&r->src.addr
)->type == PF_ADDR_ADDRMASK && !(((ctx->pd->
naf) == 2 && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[0]) || ((ctx->pd->naf) == 24 &&
!(&(&r->src.addr)->v.a.mask)->pfa.addr32[0]
&& !(&(&r->src.addr)->v.a.mask)->pfa
.addr32[1] && !(&(&r->src.addr)->v.a.mask
)->pfa.addr32[2] && !(&(&r->src.addr)->
v.a.mask)->pfa.addr32[3] )) && !pf_match_addr(0, &
(&r->src.addr)->v.a.addr, &(&r->src.addr
)->v.a.mask, (&ctx->pd->nsaddr), (ctx->pd->
naf))))) != (r->src.neg) ))) { r = r->skip[5].ptr; continue
; } else do { } while (0);
4117 PF_TEST_ATTRIB((PF_MISMATCHAW(&r->dst.addr, &ctx->pd->ndaddr,if ((( (((&r->dst.addr)->type == PF_ADDR_NOROUTE &&
pf_routable((&ctx->pd->ndaddr), (ctx->pd->af
), ((void *)0), (ctx->act.rtableid))) || (((&r->dst
.addr)->type == PF_ADDR_URPFFAILED && (((void *)0)
) != ((void *)0) && pf_routable((&ctx->pd->
ndaddr), (ctx->pd->af), (((void *)0)), (ctx->act.rtableid
))) || ((&r->dst.addr)->type == PF_ADDR_RTLABEL &&
!pf_rtlabel_match((&ctx->pd->ndaddr), (ctx->pd->
af), (&r->dst.addr), (ctx->act.rtableid))) || ((&
r->dst.addr)->type == PF_ADDR_TABLE && !pfr_match_addr
((&r->dst.addr)->p.tbl, (&ctx->pd->ndaddr
), (ctx->pd->af))) || ((&r->dst.addr)->type ==
PF_ADDR_DYNIFTL && !pfi_match_addr((&r->dst.addr
)->p.dyn, (&ctx->pd->ndaddr), (ctx->pd->af
))) || ((&r->dst.addr)->type == PF_ADDR_RANGE &&
!pf_match_addr_range(&(&r->dst.addr)->v.a.addr
, &(&r->dst.addr)->v.a.mask, (&ctx->pd->
ndaddr), (ctx->pd->af))) || ((&r->dst.addr)->
type == PF_ADDR_ADDRMASK && !(((ctx->pd->af) ==
2 && !(&(&r->dst.addr)->v.a.mask)->
pfa.addr32[0]) || ((ctx->pd->af) == 24 && !(&
(&r->dst.addr)->v.a.mask)->pfa.addr32[0] &&
!(&(&r->dst.addr)->v.a.mask)->pfa.addr32[1]
&& !(&(&r->dst.addr)->v.a.mask)->pfa
.addr32[2] && !(&(&r->dst.addr)->v.a.mask
)->pfa.addr32[3] )) && !pf_match_addr(0, &(&
r->dst.addr)->v.a.addr, &(&r->dst.addr)->
v.a.mask, (&ctx->pd->ndaddr), (ctx->pd->af)))
)) != (r->dst.neg) ))) { r = r->skip[6].ptr; continue; }
else do { } while (0)
4118 ctx->pd->af, r->dst.neg, NULL, ctx->act.rtableid)),if ((( (((&r->dst.addr)->type == PF_ADDR_NOROUTE &&
pf_routable((&ctx->pd->ndaddr), (ctx->pd->af
), ((void *)0), (ctx->act.rtableid))) || (((&r->dst
.addr)->type == PF_ADDR_URPFFAILED && (((void *)0)
) != ((void *)0) && pf_routable((&ctx->pd->
ndaddr), (ctx->pd->af), (((void *)0)), (ctx->act.rtableid
))) || ((&r->dst.addr)->type == PF_ADDR_RTLABEL &&
!pf_rtlabel_match((&ctx->pd->ndaddr), (ctx->pd->
af), (&r->dst.addr), (ctx->act.rtableid))) || ((&
r->dst.addr)->type == PF_ADDR_TABLE && !pfr_match_addr
((&r->dst.addr)->p.tbl, (&ctx->pd->ndaddr
), (ctx->pd->af))) || ((&r->dst.addr)->type ==
PF_ADDR_DYNIFTL && !pfi_match_addr((&r->dst.addr
)->p.dyn, (&ctx->pd->ndaddr), (ctx->pd->af
))) || ((&r->dst.addr)->type == PF_ADDR_RANGE &&
!pf_match_addr_range(&(&r->dst.addr)->v.a.addr
, &(&r->dst.addr)->v.a.mask, (&ctx->pd->
ndaddr), (ctx->pd->af))) || ((&r->dst.addr)->
type == PF_ADDR_ADDRMASK && !(((ctx->pd->af) ==
2 && !(&(&r->dst.addr)->v.a.mask)->
pfa.addr32[0]) || ((ctx->pd->af) == 24 && !(&
(&r->dst.addr)->v.a.mask)->pfa.addr32[0] &&
!(&(&r->dst.addr)->v.a.mask)->pfa.addr32[1]
&& !(&(&r->dst.addr)->v.a.mask)->pfa
.addr32[2] && !(&(&r->dst.addr)->v.a.mask
)->pfa.addr32[3] )) && !pf_match_addr(0, &(&
r->dst.addr)->v.a.addr, &(&r->dst.addr)->
v.a.mask, (&ctx->pd->ndaddr), (ctx->pd->af)))
)) != (r->dst.neg) ))) { r = r->skip[6].ptr; continue; }
else do { } while (0)
4119 r->skip[PF_SKIP_DST_ADDR].ptr)if ((( (((&r->dst.addr)->type == PF_ADDR_NOROUTE &&
pf_routable((&ctx->pd->ndaddr), (ctx->pd->af
), ((void *)0), (ctx->act.rtableid))) || (((&r->dst
.addr)->type == PF_ADDR_URPFFAILED && (((void *)0)
) != ((void *)0) && pf_routable((&ctx->pd->
ndaddr), (ctx->pd->af), (((void *)0)), (ctx->act.rtableid
))) || ((&r->dst.addr)->type == PF_ADDR_RTLABEL &&
!pf_rtlabel_match((&ctx->pd->ndaddr), (ctx->pd->
af), (&r->dst.addr), (ctx->act.rtableid))) || ((&
r->dst.addr)->type == PF_ADDR_TABLE && !pfr_match_addr
((&r->dst.addr)->p.tbl, (&ctx->pd->ndaddr
), (ctx->pd->af))) || ((&r->dst.addr)->type ==
PF_ADDR_DYNIFTL && !pfi_match_addr((&r->dst.addr
)->p.dyn, (&ctx->pd->ndaddr), (ctx->pd->af
))) || ((&r->dst.addr)->type == PF_ADDR_RANGE &&
!pf_match_addr_range(&(&r->dst.addr)->v.a.addr
, &(&r->dst.addr)->v.a.mask, (&ctx->pd->
ndaddr), (ctx->pd->af))) || ((&r->dst.addr)->
type == PF_ADDR_ADDRMASK && !(((ctx->pd->af) ==
2 && !(&(&r->dst.addr)->v.a.mask)->
pfa.addr32[0]) || ((ctx->pd->af) == 24 && !(&
(&r->dst.addr)->v.a.mask)->pfa.addr32[0] &&
!(&(&r->dst.addr)->v.a.mask)->pfa.addr32[1]
&& !(&(&r->dst.addr)->v.a.mask)->pfa
.addr32[2] && !(&(&r->dst.addr)->v.a.mask
)->pfa.addr32[3] )) && !pf_match_addr(0, &(&
r->dst.addr)->v.a.addr, &(&r->dst.addr)->
v.a.mask, (&ctx->pd->ndaddr), (ctx->pd->af)))
)) != (r->dst.neg) ))) { r = r->skip[6].ptr; continue; }
else do { } while (0);
4120
4121 switch (ctx->pd->virtual_proto) {
4122 case PF_VPROTO_FRAGMENT256:
4123 /* tcp/udp only. port_op always 0 in other cases */
4124 PF_TEST_ATTRIB((r->src.port_op || r->dst.port_op),if ((r->src.port_op || r->dst.port_op)) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0)
4125 TAILQ_NEXT(r, entries))if ((r->src.port_op || r->dst.port_op)) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0);
4126 PF_TEST_ATTRIB((ctx->pd->proto == IPPROTO_TCP &&if ((ctx->pd->proto == 6 && r->flagset)) { r
= ((r)->entries.tqe_next); continue; } else do { } while (
0)
4127 r->flagset),if ((ctx->pd->proto == 6 && r->flagset)) { r
= ((r)->entries.tqe_next); continue; } else do { } while (
0)
4128 TAILQ_NEXT(r, entries))if ((ctx->pd->proto == 6 && r->flagset)) { r
= ((r)->entries.tqe_next); continue; } else do { } while (
0);
4129 /* icmp only. type/code always 0 in other cases */
4130 PF_TEST_ATTRIB((r->type || r->code),if ((r->type || r->code)) { r = ((r)->entries.tqe_next
); continue; } else do { } while (0)
4131 TAILQ_NEXT(r, entries))if ((r->type || r->code)) { r = ((r)->entries.tqe_next
); continue; } else do { } while (0);
4132 /* tcp/udp only. {uid|gid}.op always 0 in other cases */
4133 PF_TEST_ATTRIB((r->gid.op || r->uid.op),if ((r->gid.op || r->uid.op)) { r = ((r)->entries.tqe_next
); continue; } else do { } while (0)
4134 TAILQ_NEXT(r, entries))if ((r->gid.op || r->uid.op)) { r = ((r)->entries.tqe_next
); continue; } else do { } while (0);
4135 break;
4136
4137 case IPPROTO_TCP6:
4138 PF_TEST_ATTRIB(((r->flagset & ctx->th->th_flags) !=if (((r->flagset & ctx->th->th_flags) != r->flags
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4139 r->flags),if (((r->flagset & ctx->th->th_flags) != r->flags
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4140 TAILQ_NEXT(r, entries))if (((r->flagset & ctx->th->th_flags) != r->flags
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0);
4141 PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY &&if ((r->os_fingerprint != ((pf_osfp_t)0) && !pf_osfp_match
(pf_osfp_fingerprint(ctx->pd), r->os_fingerprint))) { r
= ((r)->entries.tqe_next); continue; } else do { } while (
0)
4142 !pf_osfp_match(pf_osfp_fingerprint(ctx->pd),if ((r->os_fingerprint != ((pf_osfp_t)0) && !pf_osfp_match
(pf_osfp_fingerprint(ctx->pd), r->os_fingerprint))) { r
= ((r)->entries.tqe_next); continue; } else do { } while (
0)
4143 r->os_fingerprint)),if ((r->os_fingerprint != ((pf_osfp_t)0) && !pf_osfp_match
(pf_osfp_fingerprint(ctx->pd), r->os_fingerprint))) { r
= ((r)->entries.tqe_next); continue; } else do { } while (
0)
4144 TAILQ_NEXT(r, entries))if ((r->os_fingerprint != ((pf_osfp_t)0) && !pf_osfp_match
(pf_osfp_fingerprint(ctx->pd), r->os_fingerprint))) { r
= ((r)->entries.tqe_next); continue; } else do { } while (
0);
4145 /* FALLTHROUGH */
4146
4147 case IPPROTO_UDP17:
4148 /* tcp/udp only. port_op always 0 in other cases */
4149 PF_TEST_ATTRIB((r->src.port_op &&if ((r->src.port_op && !pf_match_port(r->src.port_op
, r->src.port[0], r->src.port[1], ctx->pd->nsport
))) { r = r->skip[7].ptr; continue; } else do { } while (0
)
4150 !pf_match_port(r->src.port_op, r->src.port[0],if ((r->src.port_op && !pf_match_port(r->src.port_op
, r->src.port[0], r->src.port[1], ctx->pd->nsport
))) { r = r->skip[7].ptr; continue; } else do { } while (0
)
4151 r->src.port[1], ctx->pd->nsport)),if ((r->src.port_op && !pf_match_port(r->src.port_op
, r->src.port[0], r->src.port[1], ctx->pd->nsport
))) { r = r->skip[7].ptr; continue; } else do { } while (0
)
4152 r->skip[PF_SKIP_SRC_PORT].ptr)if ((r->src.port_op && !pf_match_port(r->src.port_op
, r->src.port[0], r->src.port[1], ctx->pd->nsport
))) { r = r->skip[7].ptr; continue; } else do { } while (0
);
4153 PF_TEST_ATTRIB((r->dst.port_op &&if ((r->dst.port_op && !pf_match_port(r->dst.port_op
, r->dst.port[0], r->dst.port[1], ctx->pd->ndport
))) { r = r->skip[8].ptr; continue; } else do { } while (0
)
4154 !pf_match_port(r->dst.port_op, r->dst.port[0],if ((r->dst.port_op && !pf_match_port(r->dst.port_op
, r->dst.port[0], r->dst.port[1], ctx->pd->ndport
))) { r = r->skip[8].ptr; continue; } else do { } while (0
)
4155 r->dst.port[1], ctx->pd->ndport)),if ((r->dst.port_op && !pf_match_port(r->dst.port_op
, r->dst.port[0], r->dst.port[1], ctx->pd->ndport
))) { r = r->skip[8].ptr; continue; } else do { } while (0
)
4156 r->skip[PF_SKIP_DST_PORT].ptr)if ((r->dst.port_op && !pf_match_port(r->dst.port_op
, r->dst.port[0], r->dst.port[1], ctx->pd->ndport
))) { r = r->skip[8].ptr; continue; } else do { } while (0
);
4157 /* tcp/udp only. uid.op always 0 in other cases */
4158 PF_TEST_ATTRIB((r->uid.op && (ctx->pd->lookup.done ||if ((r->uid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->
uid.uid[1], ctx->pd->lookup.uid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4159 (ctx->pd->lookup.done =if ((r->uid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->
uid.uid[1], ctx->pd->lookup.uid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4160 pf_socket_lookup(ctx->pd), 1)) &&if ((r->uid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->
uid.uid[1], ctx->pd->lookup.uid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4161 !pf_match_uid(r->uid.op, r->uid.uid[0],if ((r->uid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->
uid.uid[1], ctx->pd->lookup.uid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4162 r->uid.uid[1], ctx->pd->lookup.uid)),if ((r->uid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->
uid.uid[1], ctx->pd->lookup.uid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4163 TAILQ_NEXT(r, entries))if ((r->uid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->
uid.uid[1], ctx->pd->lookup.uid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0);
4164 /* tcp/udp only. gid.op always 0 in other cases */
4165 PF_TEST_ATTRIB((r->gid.op && (ctx->pd->lookup.done ||if ((r->gid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->
gid.gid[1], ctx->pd->lookup.gid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4166 (ctx->pd->lookup.done =if ((r->gid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->
gid.gid[1], ctx->pd->lookup.gid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4167 pf_socket_lookup(ctx->pd), 1)) &&if ((r->gid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->
gid.gid[1], ctx->pd->lookup.gid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4168 !pf_match_gid(r->gid.op, r->gid.gid[0],if ((r->gid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->
gid.gid[1], ctx->pd->lookup.gid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4169 r->gid.gid[1], ctx->pd->lookup.gid)),if ((r->gid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->
gid.gid[1], ctx->pd->lookup.gid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0)
4170 TAILQ_NEXT(r, entries))if ((r->gid.op && (ctx->pd->lookup.done || (
ctx->pd->lookup.done = pf_socket_lookup(ctx->pd), 1)
) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->
gid.gid[1], ctx->pd->lookup.gid))) { r = ((r)->entries
.tqe_next); continue; } else do { } while (0);
4171 break;
4172
4173 case IPPROTO_ICMP1:
4174 /* icmp only. type always 0 in other cases */
4175 PF_TEST_ATTRIB((r->type &&if ((r->type && r->type != ctx->icmptype + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4176 r->type != ctx->icmptype + 1),if ((r->type && r->type != ctx->icmptype + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4177 TAILQ_NEXT(r, entries))if ((r->type && r->type != ctx->icmptype + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0);
4178 /* icmp only. type always 0 in other cases */
4179 PF_TEST_ATTRIB((r->code &&if ((r->code && r->code != ctx->icmpcode + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4180 r->code != ctx->icmpcode + 1),if ((r->code && r->code != ctx->icmpcode + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4181 TAILQ_NEXT(r, entries))if ((r->code && r->code != ctx->icmpcode + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0);
4182 /* icmp only. don't create states on replies */
4183 PF_TEST_ATTRIB((r->keep_state && !ctx->state_icmp &&if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN)) { r = ((r)->entries.tqe_next); continue; } else
do { } while (0)
4184 (r->rule_flag & PFRULE_STATESLOPPY) == 0 &&if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN)) { r = ((r)->entries.tqe_next); continue; } else
do { } while (0)
4185 ctx->icmp_dir != PF_IN),if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN)) { r = ((r)->entries.tqe_next); continue; } else
do { } while (0)
4186 TAILQ_NEXT(r, entries))if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN)) { r = ((r)->entries.tqe_next); continue; } else
do { } while (0);
4187 break;
4188
4189 case IPPROTO_ICMPV658:
4190 /* icmp only. type always 0 in other cases */
4191 PF_TEST_ATTRIB((r->type &&if ((r->type && r->type != ctx->icmptype + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4192 r->type != ctx->icmptype + 1),if ((r->type && r->type != ctx->icmptype + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4193 TAILQ_NEXT(r, entries))if ((r->type && r->type != ctx->icmptype + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0);
4194 /* icmp only. type always 0 in other cases */
4195 PF_TEST_ATTRIB((r->code &&if ((r->code && r->code != ctx->icmpcode + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4196 r->code != ctx->icmpcode + 1),if ((r->code && r->code != ctx->icmpcode + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4197 TAILQ_NEXT(r, entries))if ((r->code && r->code != ctx->icmpcode + 1
)) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0);
4198 /* icmp only. don't create states on replies */
4199 PF_TEST_ATTRIB((r->keep_state && !ctx->state_icmp &&if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN && ctx->icmptype != 136)) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0)
4200 (r->rule_flag & PFRULE_STATESLOPPY) == 0 &&if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN && ctx->icmptype != 136)) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0)
4201 ctx->icmp_dir != PF_IN &&if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN && ctx->icmptype != 136)) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0)
4202 ctx->icmptype != ND_NEIGHBOR_ADVERT),if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN && ctx->icmptype != 136)) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0)
4203 TAILQ_NEXT(r, entries))if ((r->keep_state && !ctx->state_icmp &&
(r->rule_flag & 0x00020000) == 0 && ctx->icmp_dir
!= PF_IN && ctx->icmptype != 136)) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0);
4204 break;
4205
4206 default:
4207 break;
4208 }
4209
4210 PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT &&if ((r->rule_flag & 0x0002 && ctx->pd->virtual_proto
!= 256)) { r = ((r)->entries.tqe_next); continue; } else do
{ } while (0)
4211 ctx->pd->virtual_proto != PF_VPROTO_FRAGMENT),if ((r->rule_flag & 0x0002 && ctx->pd->virtual_proto
!= 256)) { r = ((r)->entries.tqe_next); continue; } else do
{ } while (0)
4212 TAILQ_NEXT(r, entries))if ((r->rule_flag & 0x0002 && ctx->pd->virtual_proto
!= 256)) { r = ((r)->entries.tqe_next); continue; } else do
{ } while (0);
4213 PF_TEST_ATTRIB((r->tos && !(r->tos == ctx->pd->tos)),if ((r->tos && !(r->tos == ctx->pd->tos))
) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0)
4214 TAILQ_NEXT(r, entries))if ((r->tos && !(r->tos == ctx->pd->tos))
) { r = ((r)->entries.tqe_next); continue; } else do { } while
(0);
4215 PF_TEST_ATTRIB((r->prob &&if ((r->prob && r->prob <= arc4random_uniform
(0xffffffffU - 1) + 1)) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0)
4216 r->prob <= arc4random_uniform(UINT_MAX - 1) + 1),if ((r->prob && r->prob <= arc4random_uniform
(0xffffffffU - 1) + 1)) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0)
4217 TAILQ_NEXT(r, entries))if ((r->prob && r->prob <= arc4random_uniform
(0xffffffffU - 1) + 1)) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0);
4218 PF_TEST_ATTRIB((r->match_tag &&if ((r->match_tag && !pf_match_tag(ctx->pd->
m, r, &ctx->tag))) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0)
4219 !pf_match_tag(ctx->pd->m, r, &ctx->tag)),if ((r->match_tag && !pf_match_tag(ctx->pd->
m, r, &ctx->tag))) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0)
4220 TAILQ_NEXT(r, entries))if ((r->match_tag && !pf_match_tag(ctx->pd->
m, r, &ctx->tag))) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0);
4221 PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(ctx->pd->m, r) ==if ((r->rcv_kif && pf_match_rcvif(ctx->pd->m
, r) == r->rcvifnot)) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0)
4222 r->rcvifnot),if ((r->rcv_kif && pf_match_rcvif(ctx->pd->m
, r) == r->rcvifnot)) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0)
4223 TAILQ_NEXT(r, entries))if ((r->rcv_kif && pf_match_rcvif(ctx->pd->m
, r) == r->rcvifnot)) { r = ((r)->entries.tqe_next); continue
; } else do { } while (0);
4224 PF_TEST_ATTRIB((r->prio &&if ((r->prio && (r->prio == 0xff ? 0 : r->prio
) != ctx->pd->m->M_dat.MH.MH_pkthdr.pf.prio)) { r = (
(r)->entries.tqe_next); continue; } else do { } while (0)
4225 (r->prio == PF_PRIO_ZERO ? 0 : r->prio) !=if ((r->prio && (r->prio == 0xff ? 0 : r->prio
) != ctx->pd->m->M_dat.MH.MH_pkthdr.pf.prio)) { r = (
(r)->entries.tqe_next); continue; } else do { } while (0)
4226 ctx->pd->m->m_pkthdr.pf.prio),if ((r->prio && (r->prio == 0xff ? 0 : r->prio
) != ctx->pd->m->M_dat.MH.MH_pkthdr.pf.prio)) { r = (
(r)->entries.tqe_next); continue; } else do { } while (0)
4227 TAILQ_NEXT(r, entries))if ((r->prio && (r->prio == 0xff ? 0 : r->prio
) != ctx->pd->m->M_dat.MH.MH_pkthdr.pf.prio)) { r = (
(r)->entries.tqe_next); continue; } else do { } while (0);
4228
4229 /* must be last! */
4230 if (r->pktrate.limit) {
4231 pf_add_threshold(&r->pktrate);
4232 PF_TEST_ATTRIB((pf_check_threshold(&r->pktrate)),if ((pf_check_threshold(&r->pktrate))) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0)
4233 TAILQ_NEXT(r, entries))if ((pf_check_threshold(&r->pktrate))) { r = ((r)->
entries.tqe_next); continue; } else do { } while (0);
4234 }
4235
4236 /* FALLTHROUGH */
4237 if (r->tag)
4238 ctx->tag = r->tag;
4239 if (r->anchor == NULL((void *)0)) {
4240
4241 if (r->rule_flag & PFRULE_ONCE0x00100000) {
4242 u_int32_t rule_flag;
4243
4244 rule_flag = r->rule_flag;
4245 if (((rule_flag & PFRULE_EXPIRED0x00400000) == 0) &&
4246 atomic_cas_uint(&r->rule_flag, rule_flag,_atomic_cas_uint((&r->rule_flag), (rule_flag), (rule_flag
| 0x00400000))
4247 rule_flag | PFRULE_EXPIRED)_atomic_cas_uint((&r->rule_flag), (rule_flag), (rule_flag
| 0x00400000)) == rule_flag) {
4248 r->exptime = gettime();
4249 } else {
4250 r = TAILQ_NEXT(r, entries)((r)->entries.tqe_next);
4251 continue;
4252 }
4253 }
4254
4255 if (r->action == PF_MATCH) {
4256 if ((ctx->ri = pool_get(&pf_rule_item_pl,
4257 PR_NOWAIT0x0002)) == NULL((void *)0)) {
4258 REASON_SET(&ctx->reason, PFRES_MEMORY)do { if ((void *)(&ctx->reason) != ((void *)0)) { *(&
ctx->reason) = (5); if (5 < 17) pf_status.counters[5]++
; } } while (0);
4259 return (PF_TEST_FAIL);
4260 }
4261 ctx->ri->r = r;
4262 /* order is irrelevant */
4263 SLIST_INSERT_HEAD(&ctx->rules, ctx->ri, entry)do { (ctx->ri)->entry.sle_next = (&ctx->rules)->
slh_first; (&ctx->rules)->slh_first = (ctx->ri);
} while (0);
4264 ctx->ri = NULL((void *)0);
4265 pf_rule_to_actions(r, &ctx->act);
4266 if (r->rule_flag & PFRULE_AFTO0x00200000)
4267 ctx->pd->naf = r->naf;
4268 if (pf_get_transaddr(r, ctx->pd, ctx->sns,
4269 &ctx->nr) == -1) {
4270 REASON_SET(&ctx->reason,do { if ((void *)(&ctx->reason) != ((void *)0)) { *(&
ctx->reason) = (15); if (15 < 17) pf_status.counters[15
]++; } } while (0)
4271 PFRES_TRANSLATE)do { if ((void *)(&ctx->reason) != ((void *)0)) { *(&
ctx->reason) = (15); if (15 < 17) pf_status.counters[15
]++; } } while (0);
4272 return (PF_TEST_FAIL);
4273 }
4274#if NPFLOG1 > 0
4275 if (r->log) {
4276 REASON_SET(&ctx->reason, PFRES_MATCH)do { if ((void *)(&ctx->reason) != ((void *)0)) { *(&
ctx->reason) = (0); if (0 < 17) pf_status.counters[0]++
; } } while (0);
4277 pflog_packet(ctx->pd, ctx->reason, r,
4278 ctx->a, ruleset, NULL((void *)0));
4279 }
4280#endif /* NPFLOG > 0 */
4281 } else {
4282 /*
4283 * found matching r
4284 */
4285 *ctx->rm = r;
4286 /*
4287 * anchor, with ruleset, where r belongs to
4288 */
4289 *ctx->am = ctx->a;
4290 /*
4291 * ruleset where r belongs to
4292 */
4293 *ctx->rsm = ruleset;
4294 /*
4295 * ruleset, where anchor belongs to.
4296 */
4297 ctx->arsm = ctx->aruleset;
4298 }
4299
4300#if NPFLOG1 > 0
4301 if (ctx->act.log & PF_LOG_MATCHES0x10)
4302 pf_log_matches(ctx->pd, r, ctx->a, ruleset,
4303 &ctx->rules);
4304#endif /* NPFLOG > 0 */
4305
4306 if (r->quick)
4307 return (PF_TEST_QUICK);
4308 } else {
4309 ctx->a = r;
4310 ctx->aruleset = &r->anchor->ruleset;
4311 if (r->anchor_wildcard) {
4312 RB_FOREACH(child, pf_anchor_node,for ((child) = pf_anchor_node_RB_MINMAX(&r->anchor->
children, -1); (child) != ((void *)0); (child) = pf_anchor_node_RB_NEXT
(child))
4313 &r->anchor->children)for ((child) = pf_anchor_node_RB_MINMAX(&r->anchor->
children, -1); (child) != ((void *)0); (child) = pf_anchor_node_RB_NEXT
(child)) {
4314 if (pf_anchor_stack_push(ruleset, r,
4315 child, PF_NEXT_CHILD) != 0)
4316 return (PF_TEST_FAIL);
4317
4318 ruleset = &child->ruleset;
4319 goto enter_ruleset;
4320next_child:
4321 continue; /* with RB_FOREACH() */
4322 }
4323 } else {
4324 if (pf_anchor_stack_push(ruleset, r, child,
4325 PF_NEXT_RULE) != 0)
4326 return (PF_TEST_FAIL);
4327
4328 ruleset = &r->anchor->ruleset;
4329 child = NULL((void *)0);
4330 goto enter_ruleset;
4331next_rule:
4332 ;
4333 }
4334 }
4335 r = TAILQ_NEXT(r, entries)((r)->entries.tqe_next);
4336 }
4337
4338 if (pf_anchor_stack_pop(&ruleset, &r, &child, &target) == 0) {
4339 /* stop if any rule matched within quick anchors. */
4340 if (r->quick == PF_TEST_QUICK && *ctx->am == r)
4341 return (PF_TEST_QUICK);
4342
4343 switch (target) {
4344 case PF_NEXT_CHILD:
4345 goto next_child;
4346 case PF_NEXT_RULE:
4347 goto next_rule;
4348 default:
4349 panic("%s: unknown jump target", __func__);
4350 }
4351 }
4352
4353 return (PF_TEST_OK);
4354}
4355
4356int
4357pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
4358 struct pf_rule **am, struct pf_ruleset **rsm, u_short *reason)
4359{
4360 struct pf_rule *r = NULL((void *)0);
4361 struct pf_rule *a = NULL((void *)0);
4362 struct pf_ruleset *ruleset = NULL((void *)0);
4363 struct pf_state_key *skw = NULL((void *)0), *sks = NULL((void *)0);
4364 int rewrite = 0;
4365 u_int16_t virtual_type, virtual_id;
4366 int action = PF_DROP;
4367 struct pf_test_ctx ctx;
4368 int rv;
4369
4370 PF_ASSERT_LOCKED()do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail(
0x0001UL, rw_status(&pf_lock),__func__); } while (0);
4371
4372 memset(&ctx, 0, sizeof(ctx))__builtin_memset((&ctx), (0), (sizeof(ctx)));
4373 ctx.pd = pd;
4374 ctx.rm = rm;
4375 ctx.am = am;
4376 ctx.rsm = rsm;
4377 ctx.th = &pd->hdr.tcp;
4378 ctx.act.rtableid = pd->rdomain;
4379 ctx.tag = -1;
4380 SLIST_INIT(&ctx.rules){ ((&ctx.rules)->slh_first) = ((void *)0); };
4381
4382 if (pd->dir == PF_IN && if_congested()) {
4383 REASON_SET(&ctx.reason, PFRES_CONGEST)do { if ((void *)(&ctx.reason) != ((void *)0)) { *(&ctx
.reason) = (7); if (7 < 17) pf_status.counters[7]++; } } while
(0);
4384 return (PF_DROP);
4385 }
4386
4387 switch (pd->virtual_proto) {
4388 case IPPROTO_ICMP1:
4389 ctx.icmptype = pd->hdr.icmp.icmp_type;
4390 ctx.icmpcode = pd->hdr.icmp.icmp_code;
4391 ctx.state_icmp = pf_icmp_mapping(pd, ctx.icmptype,
4392 &ctx.icmp_dir, &virtual_id, &virtual_type);
4393 if (ctx.icmp_dir == PF_IN) {
4394 pd->osport = pd->nsport = virtual_id;
4395 pd->odport = pd->ndport = virtual_type;
4396 } else {
4397 pd->osport = pd->nsport = virtual_type;
4398 pd->odport = pd->ndport = virtual_id;
4399 }
4400 break;
4401#ifdef INET61
4402 case IPPROTO_ICMPV658:
4403 ctx.icmptype = pd->hdr.icmp6.icmp6_type;
4404 ctx.icmpcode = pd->hdr.icmp6.icmp6_code;
4405 ctx.state_icmp = pf_icmp_mapping(pd, ctx.icmptype,
4406 &ctx.icmp_dir, &virtual_id, &virtual_type);
4407 if (ctx.icmp_dir == PF_IN) {
4408 pd->osport = pd->nsport = virtual_id;
4409 pd->odport = pd->ndport = virtual_type;
4410 } else {
4411 pd->osport = pd->nsport = virtual_type;
4412 pd->odport = pd->ndport = virtual_id;
4413 }
4414 break;
4415#endif /* INET6 */
4416 }
4417
4418 ruleset = &pf_main_rulesetpf_main_anchor.ruleset;
4419 rv = pf_match_rule(&ctx, ruleset);
4420 if (rv == PF_TEST_FAIL) {
4421 /*
4422 * Reason has been set in pf_match_rule() already.
4423 */
4424 goto cleanup;
4425 }
4426
4427 r = *ctx.rm; /* matching rule */
4428 a = *ctx.am; /* rule that defines an anchor containing 'r' */
4429 ruleset = *ctx.rsm;/* ruleset of the anchor defined by the rule 'a' */
4430 ctx.aruleset = ctx.arsm;/* ruleset of the 'a' rule itself */
4431
4432 /* apply actions for last matching pass/block rule */
4433 pf_rule_to_actions(r, &ctx.act);
4434 if (r->rule_flag & PFRULE_AFTO0x00200000)
4435 pd->naf = r->naf;
4436 if (pf_get_transaddr(r, pd, ctx.sns, &ctx.nr) == -1) {
4437 REASON_SET(&ctx.reason, PFRES_TRANSLATE)do { if ((void *)(&ctx.reason) != ((void *)0)) { *(&ctx
.reason) = (15); if (15 < 17) pf_status.counters[15]++; } }
while (0);
4438 goto cleanup;
4439 }
4440 REASON_SET(&ctx.reason, PFRES_MATCH)do { if ((void *)(&ctx.reason) != ((void *)0)) { *(&ctx
.reason) = (0); if (0 < 17) pf_status.counters[0]++; } } while
(0);
4441
4442#if NPFLOG1 > 0
4443 if (r->log)
4444 pflog_packet(pd, ctx.reason, r, a, ruleset, NULL((void *)0));
4445 if (ctx.act.log & PF_LOG_MATCHES0x10)
4446 pf_log_matches(pd, r, a, ruleset, &ctx.rules);
4447#endif /* NPFLOG > 0 */
4448
4449 if (pd->virtual_proto != PF_VPROTO_FRAGMENT256 &&
4450 (r->action == PF_DROP) &&
4451 ((r->rule_flag & PFRULE_RETURNRST0x0001) ||
4452 (r->rule_flag & PFRULE_RETURNICMP0x0004) ||
4453 (r->rule_flag & PFRULE_RETURN0x0008))) {
4454 if (pd->proto == IPPROTO_TCP6 &&
4455 ((r->rule_flag & PFRULE_RETURNRST0x0001) ||
4456 (r->rule_flag & PFRULE_RETURN0x0008)) &&
4457 !(ctx.th->th_flags & TH_RST0x04)) {
4458 u_int32_t ack =
4459 ntohl(ctx.th->th_seq)(__uint32_t)(__builtin_constant_p(ctx.th->th_seq) ? (__uint32_t
)(((__uint32_t)(ctx.th->th_seq) & 0xff) << 24 | (
(__uint32_t)(ctx.th->th_seq) & 0xff00) << 8 | ((
__uint32_t)(ctx.th->th_seq) & 0xff0000) >> 8 | (
(__uint32_t)(ctx.th->th_seq) & 0xff000000) >> 24
) : __swap32md(ctx.th->th_seq)) + pd->p_len;
4460
4461 if (pf_check_tcp_cksum(pd->m, pd->off,
4462 pd->tot_len - pd->off, pd->af))
4463 REASON_SET(&ctx.reason, PFRES_PROTCKSUM)do { if ((void *)(&ctx.reason) != ((void *)0)) { *(&ctx
.reason) = (9); if (9 < 17) pf_status.counters[9]++; } } while
(0);
4464 else {
4465 if (ctx.th->th_flags & TH_SYN0x02)
4466 ack++;
4467 if (ctx.th->th_flags & TH_FIN0x01)
4468 ack++;
4469 pf_send_tcp(r, pd->af, pd->dst,
4470 pd->src, ctx.th->th_dport,
4471 ctx.th->th_sport, ntohl(ctx.th->th_ack)(__uint32_t)(__builtin_constant_p(ctx.th->th_ack) ? (__uint32_t
)(((__uint32_t)(ctx.th->th_ack) & 0xff) << 24 | (
(__uint32_t)(ctx.th->th_ack) & 0xff00) << 8 | ((
__uint32_t)(ctx.th->th_ack) & 0xff0000) >> 8 | (
(__uint32_t)(ctx.th->th_ack) & 0xff000000) >> 24
) : __swap32md(ctx.th->th_ack)),
4472 ack, TH_RST0x04|TH_ACK0x10, 0, 0, r->return_ttl,
4473 1, 0, pd->rdomain);
4474 }
4475 } else if ((pd->proto != IPPROTO_ICMP1 ||
4476 ICMP_INFOTYPE(ctx.icmptype)((ctx.icmptype) == 0 || (ctx.icmptype) == 8 || (ctx.icmptype)
== 9 || (ctx.icmptype) == 10 || (ctx.icmptype) == 13 || (ctx
.icmptype) == 14 || (ctx.icmptype) == 15 || (ctx.icmptype) ==
16 || (ctx.icmptype) == 17 || (ctx.icmptype) == 18)) && pd->af == AF_INET2 &&
4477 r->return_icmp)
4478 pf_send_icmp(pd->m, r->return_icmp >> 8,
4479 r->return_icmp & 255, 0, pd->af, r, pd->rdomain);
4480 else if ((pd->proto != IPPROTO_ICMPV658 ||
4481 (ctx.icmptype >= ICMP6_ECHO_REQUEST128 &&
4482 ctx.icmptype != ND_REDIRECT137)) && pd->af == AF_INET624 &&
4483 r->return_icmp6)
4484 pf_send_icmp(pd->m, r->return_icmp6 >> 8,
4485 r->return_icmp6 & 255, 0, pd->af, r, pd->rdomain);
4486 }
4487
4488 if (r->action == PF_DROP)
4489 goto cleanup;
4490
4491 pf_tag_packet(pd->m, ctx.tag, ctx.act.rtableid);
4492 if (ctx.act.rtableid >= 0 &&
4493 rtable_l2(ctx.act.rtableid) != pd->rdomain)
4494 pd->destchg = 1;
4495
4496 if (r->action == PF_PASS && pd->badopts != 0 && ! r->allow_opts) {
4497 REASON_SET(&ctx.reason, PFRES_IPOPTIONS)do { if ((void *)(&ctx.reason) != ((void *)0)) { *(&ctx
.reason) = (8); if (8 < 17) pf_status.counters[8]++; } } while
(0);
4498#if NPFLOG1 > 0
4499 pd->pflog |= PF_LOG_FORCE0x08;
4500#endif /* NPFLOG > 0 */
4501 DPFPRINTF(LOG_NOTICE, "dropping packet with "do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping packet with " "ip/ipv6 options in pf_test_rule()");
addlog("\n"); } } while (0)
4502 "ip/ipv6 options in pf_test_rule()")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping packet with " "ip/ipv6 options in pf_test_rule()");
addlog("\n"); } } while (0);
4503 goto cleanup;
4504 }
4505
4506 if (pd->virtual_proto != PF_VPROTO_FRAGMENT256
4507 && !ctx.state_icmp && r->keep_state) {
4508
4509 if (r->rule_flag & PFRULE_SRCTRACK0x0020 &&
4510 pf_insert_src_node(&ctx.sns[PF_SN_NONE], r, PF_SN_NONE,
4511 pd->af, pd->src, NULL((void *)0), NULL((void *)0)) != 0) {
4512 REASON_SET(&ctx.reason, PFRES_SRCLIMIT)do { if ((void *)(&ctx.reason) != ((void *)0)) { *(&ctx
.reason) = (13); if (13 < 17) pf_status.counters[13]++; } }
while (0);
4513 goto cleanup;
4514 }
4515
4516 if (r->max_states && (r->states_cur >= r->max_states)) {
4517 pf_status.lcounters[LCNT_STATES0]++;
4518 REASON_SET(&ctx.reason, PFRES_MAXSTATES)do { if ((void *)(&ctx.reason) != ((void *)0)) { *(&ctx
.reason) = (12); if (12 < 17) pf_status.counters[12]++; } }
while (0);
4519 goto cleanup;
4520 }
4521
4522 action = pf_create_state(pd, r, a, ctx.nr, &skw, &sks,
4523 &rewrite, sm, ctx.tag, &ctx.rules, &ctx.act, ctx.sns);
4524
4525 if (action != PF_PASS)
4526 goto cleanup;
4527 if (sks != skw) {
4528 struct pf_state_key *sk;
4529
4530 if (pd->dir == PF_IN)
4531 sk = sks;
4532 else
4533 sk = skw;
4534 rewrite += pf_translate(pd,
4535 &sk->addr[pd->af == pd->naf ? pd->sidx : pd->didx],
4536 sk->port[pd->af == pd->naf ? pd->sidx : pd->didx],
4537 &sk->addr[pd->af == pd->naf ? pd->didx : pd->sidx],
4538 sk->port[pd->af == pd->naf ? pd->didx : pd->sidx],
4539 virtual_type, ctx.icmp_dir);
4540 }
4541
4542#ifdef INET61
4543 if (rewrite && skw->af != sks->af)
4544 action = PF_AFRT;
4545#endif /* INET6 */
4546
4547 } else {
4548 action = PF_PASS;
4549
4550 while ((ctx.ri = SLIST_FIRST(&ctx.rules)((&ctx.rules)->slh_first))) {
4551 SLIST_REMOVE_HEAD(&ctx.rules, entry)do { (&ctx.rules)->slh_first = (&ctx.rules)->slh_first
->entry.sle_next; } while (0);
4552 pool_put(&pf_rule_item_pl, ctx.ri);
4553 }
4554 }
4555
4556 /* copy back packet headers if needed */
4557 if (rewrite && pd->hdrlen) {
4558 m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT0x0002);
4559 }
4560
4561#if NPFSYNC1 > 0
4562 if (*sm != NULL((void *)0) && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC)(((*sm)->state_flags) & (0x0008)) &&
4563 pd->dir == PF_OUT && pfsync_is_up()) {
4564 /*
4565 * We want the state created, but we dont
4566 * want to send this in case a partner
4567 * firewall has to know about it to allow
4568 * replies through it.
4569 */
4570 if (pfsync_defer(*sm, pd->m))
4571 return (PF_DEFER);
4572 }
4573#endif /* NPFSYNC > 0 */
4574
4575 return (action);
4576
4577cleanup:
4578 while ((ctx.ri = SLIST_FIRST(&ctx.rules)((&ctx.rules)->slh_first))) {
4579 SLIST_REMOVE_HEAD(&ctx.rules, entry)do { (&ctx.rules)->slh_first = (&ctx.rules)->slh_first
->entry.sle_next; } while (0);
4580 pool_put(&pf_rule_item_pl, ctx.ri);
4581 }
4582
4583 return (action);
4584}
4585
4586static __inline int
4587pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
4588 struct pf_rule *nr, struct pf_state_key **skw, struct pf_state_key **sks,
4589 int *rewrite, struct pf_state **sm, int tag, struct pf_rule_slist *rules,
4590 struct pf_rule_actions *act, struct pf_src_node *sns[PF_SN_MAX])
4591{
4592 struct pf_state *st = NULL((void *)0);
4593 struct tcphdr *th = &pd->hdr.tcp;
4594 u_int16_t mss = tcp_mssdflt;
4595 u_short reason;
4596 u_int i;
4597
4598 st = pool_get(&pf_state_pl, PR_NOWAIT0x0002 | PR_ZERO0x0008);
4599 if (st == NULL((void *)0)) {
4600 REASON_SET(&reason, PFRES_MEMORY)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (5); if (5 < 17) pf_status.counters[5]++; } } while (0
);
4601 goto csfailed;
4602 }
4603 st->rule.ptr = r;
4604 st->anchor.ptr = a;
4605 st->natrule.ptr = nr;
4606 if (r->allow_opts)
4607 st->state_flags |= PFSTATE_ALLOWOPTS0x0001;
4608 if (r->rule_flag & PFRULE_STATESLOPPY0x00020000)
4609 st->state_flags |= PFSTATE_SLOPPY0x0002;
4610 if (r->rule_flag & PFRULE_PFLOW0x00040000)
4611 st->state_flags |= PFSTATE_PFLOW0x0004;
4612 if (r->rule_flag & PFRULE_NOSYNC0x0010)
4613 st->state_flags |= PFSTATE_NOSYNC0x0008;
4614#if NPFLOG1 > 0
4615 st->log = act->log & PF_LOG_ALL0x02;
4616#endif /* NPFLOG > 0 */
4617 st->qid = act->qid;
4618 st->pqid = act->pqid;
4619 st->rtableid[pd->didx] = act->rtableid;
4620 st->rtableid[pd->sidx] = -1; /* return traffic is routed normally */
4621 st->min_ttl = act->min_ttl;
4622 st->set_tos = act->set_tos;
4623 st->max_mss = act->max_mss;
4624 st->state_flags |= act->flags;
4625#if NPFSYNC1 > 0
4626 st->sync_state = PFSYNC_S_NONE0xd0;
4627#endif /* NPFSYNC > 0 */
4628 st->set_prio[0] = act->set_prio[0];
4629 st->set_prio[1] = act->set_prio[1];
4630 st->delay = act->delay;
4631 SLIST_INIT(&st->src_nodes){ ((&st->src_nodes)->slh_first) = ((void *)0); };
4632
4633 /*
4634 * must initialize refcnt, before pf_state_insert() gets called.
4635 * pf_state_inserts() grabs reference for pfsync!
4636 */
4637 PF_REF_INIT(st->refcnt)refcnt_init(&(st->refcnt));
4638 mtx_init(&st->mtx, IPL_NET)do { (void)(((void *)0)); (void)(0); __mtx_init((&st->
mtx), ((((0x4)) > 0x0 && ((0x4)) < 0x9) ? 0x9 :
((0x4)))); } while (0);
4639
4640 switch (pd->proto) {
4641 case IPPROTO_TCP6:
4642 st->src.seqlo = ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq));
4643 st->src.seqhi = st->src.seqlo + pd->p_len + 1;
4644 if ((th->th_flags & (TH_SYN0x02|TH_ACK0x10)) == TH_SYN0x02 &&
4645 r->keep_state == PF_STATE_MODULATE0x2) {
4646 /* Generate sequence number modulator */
4647 st->src.seqdiff = pf_tcp_iss(pd) - st->src.seqlo;
4648 if (st->src.seqdiff == 0)
4649 st->src.seqdiff = 1;
4650 pf_patch_32(pd, &th->th_seq,
4651 htonl(st->src.seqlo + st->src.seqdiff)(__uint32_t)(__builtin_constant_p(st->src.seqlo + st->src
.seqdiff) ? (__uint32_t)(((__uint32_t)(st->src.seqlo + st->
src.seqdiff) & 0xff) << 24 | ((__uint32_t)(st->src
.seqlo + st->src.seqdiff) & 0xff00) << 8 | ((__uint32_t
)(st->src.seqlo + st->src.seqdiff) & 0xff0000) >>
8 | ((__uint32_t)(st->src.seqlo + st->src.seqdiff) &
0xff000000) >> 24) : __swap32md(st->src.seqlo + st->
src.seqdiff)));
4652 *rewrite = 1;
4653 } else
4654 st->src.seqdiff = 0;
4655 if (th->th_flags & TH_SYN0x02) {
4656 st->src.seqhi++;
4657 st->src.wscale = pf_get_wscale(pd);
4658 }
4659 st->src.max_win = MAX(ntohs(th->th_win), 1)((((__uint16_t)(__builtin_constant_p(th->th_win) ? (__uint16_t
)(((__uint16_t)(th->th_win) & 0xffU) << 8 | ((__uint16_t
)(th->th_win) & 0xff00U) >> 8) : __swap16md(th->
th_win)))>(1))?((__uint16_t)(__builtin_constant_p(th->th_win
) ? (__uint16_t)(((__uint16_t)(th->th_win) & 0xffU) <<
8 | ((__uint16_t)(th->th_win) & 0xff00U) >> 8) :
__swap16md(th->th_win))):(1));
4660 if (st->src.wscale & PF_WSCALE_MASK0x0f) {
4661 /* Remove scale factor from initial window */
4662 int win = st->src.max_win;
4663 win += 1 << (st->src.wscale & PF_WSCALE_MASK0x0f);
4664 st->src.max_win = (win - 1) >>
4665 (st->src.wscale & PF_WSCALE_MASK0x0f);
4666 }
4667 if (th->th_flags & TH_FIN0x01)
4668 st->src.seqhi++;
4669 st->dst.seqhi = 1;
4670 st->dst.max_win = 1;
4671 pf_set_protostate(st, PF_PEER_SRC, TCPS_SYN_SENT2);
4672 pf_set_protostate(st, PF_PEER_DST, TCPS_CLOSED0);
4673 st->timeout = PFTM_TCP_FIRST_PACKET;
4674 pf_status.states_halfopen++;
4675 break;
4676 case IPPROTO_UDP17:
4677 pf_set_protostate(st, PF_PEER_SRC, PFUDPS_SINGLE1);
4678 pf_set_protostate(st, PF_PEER_DST, PFUDPS_NO_TRAFFIC0);
4679 st->timeout = PFTM_UDP_FIRST_PACKET;
4680 break;
4681 case IPPROTO_ICMP1:
4682#ifdef INET61
4683 case IPPROTO_ICMPV658:
4684#endif /* INET6 */
4685 st->timeout = PFTM_ICMP_FIRST_PACKET;
4686 break;
4687 default:
4688 pf_set_protostate(st, PF_PEER_SRC, PFOTHERS_SINGLE1);
4689 pf_set_protostate(st, PF_PEER_DST, PFOTHERS_NO_TRAFFIC0);
4690 st->timeout = PFTM_OTHER_FIRST_PACKET;
4691 }
4692
4693 st->creation = getuptime();
4694 st->expire = getuptime();
4695
4696 if (pd->proto == IPPROTO_TCP6) {
4697 if (st->state_flags & PFSTATE_SCRUB_TCP0x0100 &&
4698 pf_normalize_tcp_init(pd, &st->src)) {
4699 REASON_SET(&reason, PFRES_MEMORY)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (5); if (5 < 17) pf_status.counters[5]++; } } while (0
);
4700 goto csfailed;
4701 }
4702 if (st->state_flags & PFSTATE_SCRUB_TCP0x0100 && st->src.scrub &&
4703 pf_normalize_tcp_stateful(pd, &reason, st,
4704 &st->src, &st->dst, rewrite)) {
4705 /* This really shouldn't happen!!! */
4706 DPFPRINTF(LOG_ERR,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: tcp normalize failed on first pkt", __func__); addlog("\n"
); } } while (0)
4707 "%s: tcp normalize failed on first pkt", __func__)do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: tcp normalize failed on first pkt", __func__); addlog("\n"
); } } while (0);
4708 goto csfailed;
4709 }
4710 }
4711 st->direction = pd->dir;
4712
4713 if (pf_state_key_setup(pd, skw, sks, act->rtableid)) {
4714 REASON_SET(&reason, PFRES_MEMORY)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (5); if (5 < 17) pf_status.counters[5]++; } } while (0
);
4715 goto csfailed;
4716 }
4717
4718 if (pf_set_rt_ifp(st, pd->src, (*skw)->af, sns) != 0) {
4719 REASON_SET(&reason, PFRES_NOROUTE)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (16); if (16 < 17) pf_status.counters[16]++; } } while
(0);
4720 goto csfailed;
4721 }
4722
4723 for (i = 0; i < PF_SN_MAX; i++)
4724 if (sns[i] != NULL((void *)0)) {
4725 struct pf_sn_item *sni;
4726
4727 sni = pool_get(&pf_sn_item_pl, PR_NOWAIT0x0002);
4728 if (sni == NULL((void *)0)) {
4729 REASON_SET(&reason, PFRES_MEMORY)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (5); if (5 < 17) pf_status.counters[5]++; } } while (0
);
4730 goto csfailed;
4731 }
4732 sni->sn = sns[i];
4733 SLIST_INSERT_HEAD(&st->src_nodes, sni, next)do { (sni)->next.sle_next = (&st->src_nodes)->slh_first
; (&st->src_nodes)->slh_first = (sni); } while (0);
4734 sni->sn->states++;
4735 }
4736
4737#if NPFSYNC1 > 0
4738 pfsync_init_state(st, *skw, *sks, 0);
4739#endif
4740
4741 if (pf_state_insert(BOUND_IFACE(r, pd->kif)((r)->rule_flag & 0x00010000) ? (pd->kif) : pfi_all, skw, sks, st)) {
4742 *sks = *skw = NULL((void *)0);
4743 REASON_SET(&reason, PFRES_STATEINS)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (11); if (11 < 17) pf_status.counters[11]++; } } while
(0);
4744 goto csfailed;
4745 } else
4746 *sm = st;
4747
4748 /*
4749 * Make state responsible for rules it binds here.
4750 */
4751 memcpy(&st->match_rules, rules, sizeof(st->match_rules))__builtin_memcpy((&st->match_rules), (rules), (sizeof(
st->match_rules)));
4752 memset(rules, 0, sizeof(*rules))__builtin_memset((rules), (0), (sizeof(*rules)));
4753 STATE_INC_COUNTERS(st)do { struct pf_rule_item *mrm; st->rule.ptr->states_cur
++; st->rule.ptr->states_tot++; if (st->anchor.ptr !=
((void *)0)) { st->anchor.ptr->states_cur++; st->anchor
.ptr->states_tot++; } for((mrm) = ((&st->match_rules
)->slh_first); (mrm) != ((void *)0); (mrm) = ((mrm)->entry
.sle_next)) mrm->r->states_cur++; } while (0);
4754
4755 if (tag > 0) {
4756 pf_tag_ref(tag);
4757 st->tag = tag;
4758 }
4759 if (pd->proto == IPPROTO_TCP6 && (th->th_flags & (TH_SYN0x02|TH_ACK0x10)) ==
4760 TH_SYN0x02 && r->keep_state == PF_STATE_SYNPROXY0x3 && pd->dir == PF_IN) {
4761 int rtid = pd->rdomain;
4762 if (act->rtableid >= 0)
4763 rtid = act->rtableid;
4764 pf_set_protostate(st, PF_PEER_SRC, PF_TCPS_PROXY_SRC((11)+0));
4765 st->src.seqhi = arc4random();
4766 /* Find mss option */
4767 mss = pf_get_mss(pd);
4768 mss = pf_calc_mss(pd->src, pd->af, rtid, mss);
4769 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss);
4770 st->src.mss = mss;
4771 pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport,
4772 th->th_sport, st->src.seqhi, ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq)) + 1,
4773 TH_SYN0x02|TH_ACK0x10, 0, st->src.mss, 0, 1, 0, pd->rdomain);
4774 REASON_SET(&reason, PFRES_SYNPROXY)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (14); if (14 < 17) pf_status.counters[14]++; } } while
(0);
4775 return (PF_SYNPROXY_DROP);
4776 }
4777
4778 return (PF_PASS);
4779
4780csfailed:
4781 if (st) {
4782 pf_normalize_tcp_cleanup(st); /* safe even w/o init */
4783 pf_src_tree_remove_state(st);
4784 pool_put(&pf_state_pl, st);
4785 }
4786
4787 for (i = 0; i < PF_SN_MAX; i++)
4788 if (sns[i] != NULL((void *)0))
4789 pf_remove_src_node(sns[i]);
4790
4791 return (PF_DROP);
4792}
4793
4794int
4795pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport,
4796 struct pf_addr *daddr, u_int16_t dport, u_int16_t virtual_type,
4797 int icmp_dir)
4798{
4799 int rewrite = 0;
4800 int afto = pd->af != pd->naf;
4801
4802 if (afto || PF_ANEQ(daddr, pd->dst, pd->af)((pd->af == 2 && (daddr)->pfa.addr32[0] != (pd->
dst)->pfa.addr32[0]) || (pd->af == 24 && ((daddr
)->pfa.addr32[3] != (pd->dst)->pfa.addr32[3] || (daddr
)->pfa.addr32[2] != (pd->dst)->pfa.addr32[2] || (daddr
)->pfa.addr32[1] != (pd->dst)->pfa.addr32[1] || (daddr
)->pfa.addr32[0] != (pd->dst)->pfa.addr32[0]))))
4803 pd->destchg = 1;
4804
4805 switch (pd->proto) {
4806 case IPPROTO_TCP6: /* FALLTHROUGH */
4807 case IPPROTO_UDP17:
4808 rewrite += pf_patch_16(pd, pd->sport, sport);
4809 rewrite += pf_patch_16(pd, pd->dport, dport);
4810 break;
4811
4812 case IPPROTO_ICMP1:
4813 if (pd->af != AF_INET2)
4814 return (0);
4815
4816#ifdef INET61
4817 if (afto) {
4818 if (pf_translate_icmp_af(pd, AF_INET624, &pd->hdr.icmp))
4819 return (0);
4820 pd->proto = IPPROTO_ICMPV658;
4821 rewrite = 1;
4822 }
4823#endif /* INET6 */
4824 if (virtual_type == htons(ICMP_ECHO)(__uint16_t)(__builtin_constant_p(8) ? (__uint16_t)(((__uint16_t
)(8) & 0xffU) << 8 | ((__uint16_t)(8) & 0xff00U
) >> 8) : __swap16md(8))) {
4825 u_int16_t icmpid = (icmp_dir == PF_IN) ? sport : dport;
4826 rewrite += pf_patch_16(pd,
4827 &pd->hdr.icmp.icmp_idicmp_hun.ih_idseq.icd_id, icmpid);
4828 }
4829 break;
4830
4831#ifdef INET61
4832 case IPPROTO_ICMPV658:
4833 if (pd->af != AF_INET624)
4834 return (0);
4835
4836 if (afto) {
4837 if (pf_translate_icmp_af(pd, AF_INET2, &pd->hdr.icmp6))
4838 return (0);
4839 pd->proto = IPPROTO_ICMP1;
4840 rewrite = 1;
4841 }
4842 if (virtual_type == htons(ICMP6_ECHO_REQUEST)(__uint16_t)(__builtin_constant_p(128) ? (__uint16_t)(((__uint16_t
)(128) & 0xffU) << 8 | ((__uint16_t)(128) & 0xff00U
) >> 8) : __swap16md(128))) {
4843 u_int16_t icmpid = (icmp_dir == PF_IN) ? sport : dport;
4844 rewrite += pf_patch_16(pd,
4845 &pd->hdr.icmp6.icmp6_idicmp6_dataun.icmp6_un_data16[0], icmpid);
4846 }
4847 break;
4848#endif /* INET6 */
4849 }
4850
4851 if (!afto) {
4852 rewrite += pf_translate_a(pd, pd->src, saddr);
4853 rewrite += pf_translate_a(pd, pd->dst, daddr);
4854 }
4855
4856 return (rewrite);
4857}
4858
4859int
4860pf_tcp_track_full(struct pf_pdesc *pd, struct pf_state **stp, u_short *reason,
4861 int *copyback, int reverse)
4862{
4863 struct tcphdr *th = &pd->hdr.tcp;
4864 struct pf_state_peer *src, *dst;
4865 u_int16_t win = ntohs(th->th_win)(__uint16_t)(__builtin_constant_p(th->th_win) ? (__uint16_t
)(((__uint16_t)(th->th_win) & 0xffU) << 8 | ((__uint16_t
)(th->th_win) & 0xff00U) >> 8) : __swap16md(th->
th_win));
4866 u_int32_t ack, end, data_end, seq, orig_seq;
4867 u_int8_t sws, dws, psrc, pdst;
4868 int ackskew;
4869
4870 if ((pd->dir == (*stp)->direction && !reverse) ||
4871 (pd->dir != (*stp)->direction && reverse)) {
4872 src = &(*stp)->src;
4873 dst = &(*stp)->dst;
4874 psrc = PF_PEER_SRC;
4875 pdst = PF_PEER_DST;
4876 } else {
4877 src = &(*stp)->dst;
4878 dst = &(*stp)->src;
4879 psrc = PF_PEER_DST;
4880 pdst = PF_PEER_SRC;
4881 }
4882
4883 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN0x02)) {
4884 sws = src->wscale & PF_WSCALE_MASK0x0f;
4885 dws = dst->wscale & PF_WSCALE_MASK0x0f;
4886 } else
4887 sws = dws = 0;
4888
4889 /*
4890 * Sequence tracking algorithm from Guido van Rooij's paper:
4891 * http://www.madison-gurkha.com/publications/tcp_filtering/
4892 * tcp_filtering.ps
4893 */
4894
4895 orig_seq = seq = ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq));
4896 if (src->seqlo == 0) {
4897 /* First packet from this end. Set its state */
4898
4899 if (((*stp)->state_flags & PFSTATE_SCRUB_TCP0x0100 || dst->scrub) &&
4900 src->scrub == NULL((void *)0)) {
4901 if (pf_normalize_tcp_init(pd, src)) {
4902 REASON_SET(reason, PFRES_MEMORY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (5); if
(5 < 17) pf_status.counters[5]++; } } while (0);
4903 return (PF_DROP);
4904 }
4905 }
4906
4907 /* Deferred generation of sequence number modulator */
4908 if (dst->seqdiff && !src->seqdiff) {
4909 /* use random iss for the TCP server */
4910 while ((src->seqdiff = arc4random() - seq) == 0)
4911 continue;
4912 ack = ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack)) - dst->seqdiff;
4913 pf_patch_32(pd, &th->th_seq, htonl(seq + src->seqdiff)(__uint32_t)(__builtin_constant_p(seq + src->seqdiff) ? (__uint32_t
)(((__uint32_t)(seq + src->seqdiff) & 0xff) << 24
| ((__uint32_t)(seq + src->seqdiff) & 0xff00) <<
8 | ((__uint32_t)(seq + src->seqdiff) & 0xff0000) >>
8 | ((__uint32_t)(seq + src->seqdiff) & 0xff000000) >>
24) : __swap32md(seq + src->seqdiff)));
4914 pf_patch_32(pd, &th->th_ack, htonl(ack)(__uint32_t)(__builtin_constant_p(ack) ? (__uint32_t)(((__uint32_t
)(ack) & 0xff) << 24 | ((__uint32_t)(ack) & 0xff00
) << 8 | ((__uint32_t)(ack) & 0xff0000) >> 8 |
((__uint32_t)(ack) & 0xff000000) >> 24) : __swap32md
(ack)));
4915 *copyback = 1;
4916 } else {
4917 ack = ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack));
4918 }
4919
4920 end = seq + pd->p_len;
4921 if (th->th_flags & TH_SYN0x02) {
4922 end++;
4923 if (dst->wscale & PF_WSCALE_FLAG0x80) {
4924 src->wscale = pf_get_wscale(pd);
4925 if (src->wscale & PF_WSCALE_FLAG0x80) {
4926 /* Remove scale factor from initial
4927 * window */
4928 sws = src->wscale & PF_WSCALE_MASK0x0f;
4929 win = ((u_int32_t)win + (1 << sws) - 1)
4930 >> sws;
4931 dws = dst->wscale & PF_WSCALE_MASK0x0f;
4932 } else {
4933 /* fixup other window */
4934 dst->max_win = MIN(TCP_MAXWIN,(((65535)<((u_int32_t)dst->max_win << (dst->wscale
& 0x0f)))?(65535):((u_int32_t)dst->max_win << (
dst->wscale & 0x0f)))
4935 (u_int32_t)dst->max_win <<(((65535)<((u_int32_t)dst->max_win << (dst->wscale
& 0x0f)))?(65535):((u_int32_t)dst->max_win << (
dst->wscale & 0x0f)))
4936 (dst->wscale & PF_WSCALE_MASK))(((65535)<((u_int32_t)dst->max_win << (dst->wscale
& 0x0f)))?(65535):((u_int32_t)dst->max_win << (
dst->wscale & 0x0f)));
4937 /* in case of a retrans SYN|ACK */
4938 dst->wscale = 0;
4939 }
4940 }
4941 }
4942 data_end = end;
4943 if (th->th_flags & TH_FIN0x01)
4944 end++;
4945
4946 src->seqlo = seq;
4947 if (src->state < TCPS_SYN_SENT2)
4948 pf_set_protostate(*stp, psrc, TCPS_SYN_SENT2);
4949
4950 /*
4951 * May need to slide the window (seqhi may have been set by
4952 * the crappy stack check or if we picked up the connection
4953 * after establishment)
4954 */
4955 if (src->seqhi == 1 ||
4956 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)((int)((end + (((1)>(dst->max_win << dws))?(1):(dst
->max_win << dws)))-(src->seqhi)) >= 0))
4957 src->seqhi = end + MAX(1, dst->max_win << dws)(((1)>(dst->max_win << dws))?(1):(dst->max_win
<< dws));
4958 if (win > src->max_win)
4959 src->max_win = win;
4960
4961 } else {
4962 ack = ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack)) - dst->seqdiff;
4963 if (src->seqdiff) {
4964 /* Modulate sequence numbers */
4965 pf_patch_32(pd, &th->th_seq, htonl(seq + src->seqdiff)(__uint32_t)(__builtin_constant_p(seq + src->seqdiff) ? (__uint32_t
)(((__uint32_t)(seq + src->seqdiff) & 0xff) << 24
| ((__uint32_t)(seq + src->seqdiff) & 0xff00) <<
8 | ((__uint32_t)(seq + src->seqdiff) & 0xff0000) >>
8 | ((__uint32_t)(seq + src->seqdiff) & 0xff000000) >>
24) : __swap32md(seq + src->seqdiff)));
4966 pf_patch_32(pd, &th->th_ack, htonl(ack)(__uint32_t)(__builtin_constant_p(ack) ? (__uint32_t)(((__uint32_t
)(ack) & 0xff) << 24 | ((__uint32_t)(ack) & 0xff00
) << 8 | ((__uint32_t)(ack) & 0xff0000) >> 8 |
((__uint32_t)(ack) & 0xff000000) >> 24) : __swap32md
(ack)));
4967 *copyback = 1;
4968 }
4969 end = seq + pd->p_len;
4970 if (th->th_flags & TH_SYN0x02)
4971 end++;
4972 data_end = end;
4973 if (th->th_flags & TH_FIN0x01)
4974 end++;
4975 }
4976
4977 if ((th->th_flags & TH_ACK0x10) == 0) {
4978 /* Let it pass through the ack skew check */
4979 ack = dst->seqlo;
4980 } else if ((ack == 0 &&
4981 (th->th_flags & (TH_ACK0x10|TH_RST0x04)) == (TH_ACK0x10|TH_RST0x04)) ||
4982 /* broken tcp stacks do not set ack */
4983 (dst->state < TCPS_SYN_SENT2)) {
4984 /*
4985 * Many stacks (ours included) will set the ACK number in an
4986 * FIN|ACK if the SYN times out -- no sequence to ACK.
4987 */
4988 ack = dst->seqlo;
4989 }
4990
4991 if (seq == end) {
4992 /* Ease sequencing restrictions on no data packets */
4993 seq = src->seqlo;
4994 data_end = end = seq;
4995 }
4996
4997 ackskew = dst->seqlo - ack;
4998
4999
5000 /*
5001 * Need to demodulate the sequence numbers in any TCP SACK options
5002 * (Selective ACK). We could optionally validate the SACK values
5003 * against the current ACK window, either forwards or backwards, but
5004 * I'm not confident that SACK has been implemented properly
5005 * everywhere. It wouldn't surprise me if several stacks accidently
5006 * SACK too far backwards of previously ACKed data. There really aren't
5007 * any security implications of bad SACKing unless the target stack
5008 * doesn't validate the option length correctly. Someone trying to
5009 * spoof into a TCP connection won't bother blindly sending SACK
5010 * options anyway.
5011 */
5012 if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) {
5013 if (pf_modulate_sack(pd, dst))
5014 *copyback = 1;
5015 }
5016
5017
5018#define MAXACKWINDOW(0xffff + 1500) (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
5019 if (SEQ_GEQ(src->seqhi, data_end)((int)((src->seqhi)-(data_end)) >= 0) &&
5020 /* Last octet inside other's window space */
5021 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))((int)((seq)-(src->seqlo - (dst->max_win << dws))
) >= 0) &&
5022 /* Retrans: not more than one window back */
5023 (ackskew >= -MAXACKWINDOW(0xffff + 1500)) &&
5024 /* Acking not more than one reassembled fragment backwards */
5025 (ackskew <= (MAXACKWINDOW(0xffff + 1500) << sws)) &&
5026 /* Acking not more than one window forward */
5027 ((th->th_flags & TH_RST0x04) == 0 || orig_seq == src->seqlo ||
5028 (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) {
5029 /* Require an exact/+1 sequence match on resets when possible */
5030
5031 if (dst->scrub || src->scrub) {
5032 if (pf_normalize_tcp_stateful(pd, reason, *stp, src,
5033 dst, copyback))
5034 return (PF_DROP);
5035 }
5036
5037 /* update max window */
5038 if (src->max_win < win)
5039 src->max_win = win;
5040 /* synchronize sequencing */
5041 if (SEQ_GT(end, src->seqlo)((int)((end)-(src->seqlo)) > 0))
5042 src->seqlo = end;
5043 /* slide the window of what the other end can send */
5044 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)((int)((ack + (win << sws))-(dst->seqhi)) >= 0))
5045 dst->seqhi = ack + MAX((win << sws), 1)((((win << sws))>(1))?((win << sws)):(1));
5046
5047 /* update states */
5048 if (th->th_flags & TH_SYN0x02)
5049 if (src->state < TCPS_SYN_SENT2)
5050 pf_set_protostate(*stp, psrc, TCPS_SYN_SENT2);
5051 if (th->th_flags & TH_FIN0x01)
5052 if (src->state < TCPS_CLOSING7)
5053 pf_set_protostate(*stp, psrc, TCPS_CLOSING7);
5054 if (th->th_flags & TH_ACK0x10) {
5055 if (dst->state == TCPS_SYN_SENT2) {
5056 pf_set_protostate(*stp, pdst,
5057 TCPS_ESTABLISHED4);
5058 if (src->state == TCPS_ESTABLISHED4 &&
5059 !SLIST_EMPTY(&(*stp)->src_nodes)(((&(*stp)->src_nodes)->slh_first) == ((void *)0)) &&
5060 pf_src_connlimit(stp)) {
5061 REASON_SET(reason, PFRES_SRCLIMIT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (13);
if (13 < 17) pf_status.counters[13]++; } } while (0);
5062 return (PF_DROP);
5063 }
5064 } else if (dst->state == TCPS_CLOSING7)
5065 pf_set_protostate(*stp, pdst,
5066 TCPS_FIN_WAIT_29);
5067 }
5068 if (th->th_flags & TH_RST0x04)
5069 pf_set_protostate(*stp, PF_PEER_BOTH, TCPS_TIME_WAIT10);
5070
5071 /* update expire time */
5072 (*stp)->expire = getuptime();
5073 if (src->state >= TCPS_FIN_WAIT_29 &&
5074 dst->state >= TCPS_FIN_WAIT_29)
5075 pf_update_state_timeout(*stp, PFTM_TCP_CLOSED);
5076 else if (src->state >= TCPS_CLOSING7 &&
5077 dst->state >= TCPS_CLOSING7)
5078 pf_update_state_timeout(*stp, PFTM_TCP_FIN_WAIT);
5079 else if (src->state < TCPS_ESTABLISHED4 ||
5080 dst->state < TCPS_ESTABLISHED4)
5081 pf_update_state_timeout(*stp, PFTM_TCP_OPENING);
5082 else if (src->state >= TCPS_CLOSING7 ||
5083 dst->state >= TCPS_CLOSING7)
5084 pf_update_state_timeout(*stp, PFTM_TCP_CLOSING);
5085 else
5086 pf_update_state_timeout(*stp, PFTM_TCP_ESTABLISHED);
5087
5088 /* Fall through to PASS packet */
5089 } else if ((dst->state < TCPS_SYN_SENT2 ||
5090 dst->state >= TCPS_FIN_WAIT_29 ||
5091 src->state >= TCPS_FIN_WAIT_29) &&
5092 SEQ_GEQ(src->seqhi + MAXACKWINDOW, data_end)((int)((src->seqhi + (0xffff + 1500))-(data_end)) >= 0) &&
5093 /* Within a window forward of the originating packet */
5094 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)((int)((seq)-(src->seqlo - (0xffff + 1500))) >= 0)) {
5095 /* Within a window backward of the originating packet */
5096
5097 /*
5098 * This currently handles three situations:
5099 * 1) Stupid stacks will shotgun SYNs before their peer
5100 * replies.
5101 * 2) When PF catches an already established stream (the
5102 * firewall rebooted, the state table was flushed, routes
5103 * changed...)
5104 * 3) Packets get funky immediately after the connection
5105 * closes (this should catch Solaris spurious ACK|FINs
5106 * that web servers like to spew after a close)
5107 *
5108 * This must be a little more careful than the above code
5109 * since packet floods will also be caught here. We don't
5110 * update the TTL here to mitigate the damage of a packet
5111 * flood and so the same code can handle awkward establishment
5112 * and a loosened connection close.
5113 * In the establishment case, a correct peer response will
5114 * validate the connection, go through the normal state code
5115 * and keep updating the state TTL.
5116 */
5117
5118 if (pf_status.debug >= LOG_NOTICE5) {
5119 log(LOG_NOTICE5, "pf: loose state match: ");
5120 pf_print_state(*stp);
5121 pf_print_flags(th->th_flags);
5122 addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d "
5123 "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
5124 pd->p_len, ackskew, (*stp)->packets[0],
5125 (*stp)->packets[1],
5126 pd->dir == PF_IN ? "in" : "out",
5127 pd->dir == (*stp)->direction ? "fwd" : "rev");
5128 }
5129
5130 if (dst->scrub || src->scrub) {
5131 if (pf_normalize_tcp_stateful(pd, reason, *stp, src,
5132 dst, copyback))
5133 return (PF_DROP);
5134 }
5135
5136 /* update max window */
5137 if (src->max_win < win)
5138 src->max_win = win;
5139 /* synchronize sequencing */
5140 if (SEQ_GT(end, src->seqlo)((int)((end)-(src->seqlo)) > 0))
5141 src->seqlo = end;
5142 /* slide the window of what the other end can send */
5143 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)((int)((ack + (win << sws))-(dst->seqhi)) >= 0))
5144 dst->seqhi = ack + MAX((win << sws), 1)((((win << sws))>(1))?((win << sws)):(1));
5145
5146 /*
5147 * Cannot set dst->seqhi here since this could be a shotgunned
5148 * SYN and not an already established connection.
5149 */
5150 if (th->th_flags & TH_FIN0x01)
5151 if (src->state < TCPS_CLOSING7)
5152 pf_set_protostate(*stp, psrc, TCPS_CLOSING7);
5153 if (th->th_flags & TH_RST0x04)
5154 pf_set_protostate(*stp, PF_PEER_BOTH, TCPS_TIME_WAIT10);
5155
5156 /* Fall through to PASS packet */
5157 } else {
5158 if ((*stp)->dst.state == TCPS_SYN_SENT2 &&
5159 (*stp)->src.state == TCPS_SYN_SENT2) {
5160 /* Send RST for state mismatches during handshake */
5161 if (!(th->th_flags & TH_RST0x04))
5162 pf_send_tcp((*stp)->rule.ptr, pd->af,
5163 pd->dst, pd->src, th->th_dport,
5164 th->th_sport, ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack)), 0,
5165 TH_RST0x04, 0, 0,
5166 (*stp)->rule.ptr->return_ttl, 1, 0,
5167 pd->rdomain);
5168 src->seqlo = 0;
5169 src->seqhi = 1;
5170 src->max_win = 1;
5171 } else if (pf_status.debug >= LOG_NOTICE5) {
5172 log(LOG_NOTICE5, "pf: BAD state: ");
5173 pf_print_state(*stp);
5174 pf_print_flags(th->th_flags);
5175 addlog(" seq=%u (%u) ack=%u len=%u ackskew=%d "
5176 "pkts=%llu:%llu dir=%s,%s\n",
5177 seq, orig_seq, ack, pd->p_len, ackskew,
5178 (*stp)->packets[0], (*stp)->packets[1],
5179 pd->dir == PF_IN ? "in" : "out",
5180 pd->dir == (*stp)->direction ? "fwd" : "rev");
5181 addlog("pf: State failure on: %c %c %c %c | %c %c\n",
5182 SEQ_GEQ(src->seqhi, data_end)((int)((src->seqhi)-(data_end)) >= 0) ? ' ' : '1',
5183 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))((int)((seq)-(src->seqlo - (dst->max_win << dws))
) >= 0) ?
5184 ' ': '2',
5185 (ackskew >= -MAXACKWINDOW(0xffff + 1500)) ? ' ' : '3',
5186 (ackskew <= (MAXACKWINDOW(0xffff + 1500) << sws)) ? ' ' : '4',
5187 SEQ_GEQ(src->seqhi + MAXACKWINDOW, data_end)((int)((src->seqhi + (0xffff + 1500))-(data_end)) >= 0) ?
5188 ' ' :'5',
5189 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)((int)((seq)-(src->seqlo - (0xffff + 1500))) >= 0) ?' ' :'6');
5190 }
5191 REASON_SET(reason, PFRES_BADSTATE)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (10);
if (10 < 17) pf_status.counters[10]++; } } while (0);
5192 return (PF_DROP);
5193 }
5194
5195 return (PF_PASS);
5196}
5197
5198int
5199pf_tcp_track_sloppy(struct pf_pdesc *pd, struct pf_state **stp,
5200 u_short *reason)
5201{
5202 struct tcphdr *th = &pd->hdr.tcp;
5203 struct pf_state_peer *src, *dst;
5204 u_int8_t psrc, pdst;
5205
5206 if (pd->dir == (*stp)->direction) {
5207 src = &(*stp)->src;
5208 dst = &(*stp)->dst;
5209 psrc = PF_PEER_SRC;
5210 pdst = PF_PEER_DST;
5211 } else {
5212 src = &(*stp)->dst;
5213 dst = &(*stp)->src;
5214 psrc = PF_PEER_DST;
5215 pdst = PF_PEER_SRC;
5216 }
5217
5218 if (th->th_flags & TH_SYN0x02)
5219 if (src->state < TCPS_SYN_SENT2)
5220 pf_set_protostate(*stp, psrc, TCPS_SYN_SENT2);
5221 if (th->th_flags & TH_FIN0x01)
5222 if (src->state < TCPS_CLOSING7)
5223 pf_set_protostate(*stp, psrc, TCPS_CLOSING7);
5224 if (th->th_flags & TH_ACK0x10) {
5225 if (dst->state == TCPS_SYN_SENT2) {
5226 pf_set_protostate(*stp, pdst, TCPS_ESTABLISHED4);
5227 if (src->state == TCPS_ESTABLISHED4 &&
5228 !SLIST_EMPTY(&(*stp)->src_nodes)(((&(*stp)->src_nodes)->slh_first) == ((void *)0)) &&
5229 pf_src_connlimit(stp)) {
5230 REASON_SET(reason, PFRES_SRCLIMIT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (13);
if (13 < 17) pf_status.counters[13]++; } } while (0);
5231 return (PF_DROP);
5232 }
5233 } else if (dst->state == TCPS_CLOSING7) {
5234 pf_set_protostate(*stp, pdst, TCPS_FIN_WAIT_29);
5235 } else if (src->state == TCPS_SYN_SENT2 &&
5236 dst->state < TCPS_SYN_SENT2) {
5237 /*
5238 * Handle a special sloppy case where we only see one
5239 * half of the connection. If there is a ACK after
5240 * the initial SYN without ever seeing a packet from
5241 * the destination, set the connection to established.
5242 */
5243 pf_set_protostate(*stp, PF_PEER_BOTH,
5244 TCPS_ESTABLISHED4);
5245 if (!SLIST_EMPTY(&(*stp)->src_nodes)(((&(*stp)->src_nodes)->slh_first) == ((void *)0)) &&
5246 pf_src_connlimit(stp)) {
5247 REASON_SET(reason, PFRES_SRCLIMIT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (13);
if (13 < 17) pf_status.counters[13]++; } } while (0);
5248 return (PF_DROP);
5249 }
5250 } else if (src->state == TCPS_CLOSING7 &&
5251 dst->state == TCPS_ESTABLISHED4 &&
5252 dst->seqlo == 0) {
5253 /*
5254 * Handle the closing of half connections where we
5255 * don't see the full bidirectional FIN/ACK+ACK
5256 * handshake.
5257 */
5258 pf_set_protostate(*stp, pdst, TCPS_CLOSING7);
5259 }
5260 }
5261 if (th->th_flags & TH_RST0x04)
5262 pf_set_protostate(*stp, PF_PEER_BOTH, TCPS_TIME_WAIT10);
5263
5264 /* update expire time */
5265 (*stp)->expire = getuptime();
5266 if (src->state >= TCPS_FIN_WAIT_29 &&
5267 dst->state >= TCPS_FIN_WAIT_29)
5268 pf_update_state_timeout(*stp, PFTM_TCP_CLOSED);
5269 else if (src->state >= TCPS_CLOSING7 &&
5270 dst->state >= TCPS_CLOSING7)
5271 pf_update_state_timeout(*stp, PFTM_TCP_FIN_WAIT);
5272 else if (src->state < TCPS_ESTABLISHED4 ||
5273 dst->state < TCPS_ESTABLISHED4)
5274 pf_update_state_timeout(*stp, PFTM_TCP_OPENING);
5275 else if (src->state >= TCPS_CLOSING7 ||
5276 dst->state >= TCPS_CLOSING7)
5277 pf_update_state_timeout(*stp, PFTM_TCP_CLOSING);
5278 else
5279 pf_update_state_timeout(*stp, PFTM_TCP_ESTABLISHED);
5280
5281 return (PF_PASS);
5282}
5283
5284static __inline int
5285pf_synproxy(struct pf_pdesc *pd, struct pf_state **stp, u_short *reason)
5286{
5287 struct pf_state_key *sk = (*stp)->key[pd->didx];
5288
5289 if ((*stp)->src.state == PF_TCPS_PROXY_SRC((11)+0)) {
5290 struct tcphdr *th = &pd->hdr.tcp;
5291
5292 if (pd->dir != (*stp)->direction) {
5293 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5294 return (PF_SYNPROXY_DROP);
5295 }
5296 if (th->th_flags & TH_SYN0x02) {
5297 if (ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq)) != (*stp)->src.seqlo) {
5298 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5299 return (PF_DROP);
5300 }
5301 pf_send_tcp((*stp)->rule.ptr, pd->af, pd->dst,
5302 pd->src, th->th_dport, th->th_sport,
5303 (*stp)->src.seqhi, ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq)) + 1,
5304 TH_SYN0x02|TH_ACK0x10, 0, (*stp)->src.mss, 0, 1,
5305 0, pd->rdomain);
5306 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5307 return (PF_SYNPROXY_DROP);
5308 } else if ((th->th_flags & (TH_ACK0x10|TH_RST0x04|TH_FIN0x01)) != TH_ACK0x10 ||
5309 (ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack)) != (*stp)->src.seqhi + 1) ||
5310 (ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq)) != (*stp)->src.seqlo + 1)) {
5311 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5312 return (PF_DROP);
5313 } else if (!SLIST_EMPTY(&(*stp)->src_nodes)(((&(*stp)->src_nodes)->slh_first) == ((void *)0)) &&
5314 pf_src_connlimit(stp)) {
5315 REASON_SET(reason, PFRES_SRCLIMIT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (13);
if (13 < 17) pf_status.counters[13]++; } } while (0);
5316 return (PF_DROP);
5317 } else
5318 pf_set_protostate(*stp, PF_PEER_SRC,
5319 PF_TCPS_PROXY_DST((11)+1));
5320 }
5321 if ((*stp)->src.state == PF_TCPS_PROXY_DST((11)+1)) {
5322 struct tcphdr *th = &pd->hdr.tcp;
5323
5324 if (pd->dir == (*stp)->direction) {
5325 if (((th->th_flags & (TH_SYN0x02|TH_ACK0x10)) != TH_ACK0x10) ||
5326 (ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack)) != (*stp)->src.seqhi + 1) ||
5327 (ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq)) != (*stp)->src.seqlo + 1)) {
5328 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5329 return (PF_DROP);
5330 }
5331 (*stp)->src.max_win = MAX(ntohs(th->th_win), 1)((((__uint16_t)(__builtin_constant_p(th->th_win) ? (__uint16_t
)(((__uint16_t)(th->th_win) & 0xffU) << 8 | ((__uint16_t
)(th->th_win) & 0xff00U) >> 8) : __swap16md(th->
th_win)))>(1))?((__uint16_t)(__builtin_constant_p(th->th_win
) ? (__uint16_t)(((__uint16_t)(th->th_win) & 0xffU) <<
8 | ((__uint16_t)(th->th_win) & 0xff00U) >> 8) :
__swap16md(th->th_win))):(1));
5332 if ((*stp)->dst.seqhi == 1)
5333 (*stp)->dst.seqhi = arc4random();
5334 pf_send_tcp((*stp)->rule.ptr, pd->af,
5335 &sk->addr[pd->sidx], &sk->addr[pd->didx],
5336 sk->port[pd->sidx], sk->port[pd->didx],
5337 (*stp)->dst.seqhi, 0, TH_SYN0x02, 0,
5338 (*stp)->src.mss, 0, 0, (*stp)->tag,
5339 sk->rdomain);
5340 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5341 return (PF_SYNPROXY_DROP);
5342 } else if (((th->th_flags & (TH_SYN0x02|TH_ACK0x10)) !=
5343 (TH_SYN0x02|TH_ACK0x10)) ||
5344 (ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack)) != (*stp)->dst.seqhi + 1)) {
5345 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5346 return (PF_DROP);
5347 } else {
5348 (*stp)->dst.max_win = MAX(ntohs(th->th_win), 1)((((__uint16_t)(__builtin_constant_p(th->th_win) ? (__uint16_t
)(((__uint16_t)(th->th_win) & 0xffU) << 8 | ((__uint16_t
)(th->th_win) & 0xff00U) >> 8) : __swap16md(th->
th_win)))>(1))?((__uint16_t)(__builtin_constant_p(th->th_win
) ? (__uint16_t)(((__uint16_t)(th->th_win) & 0xffU) <<
8 | ((__uint16_t)(th->th_win) & 0xff00U) >> 8) :
__swap16md(th->th_win))):(1));
5349 (*stp)->dst.seqlo = ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq));
5350 pf_send_tcp((*stp)->rule.ptr, pd->af, pd->dst,
5351 pd->src, th->th_dport, th->th_sport,
5352 ntohl(th->th_ack)(__uint32_t)(__builtin_constant_p(th->th_ack) ? (__uint32_t
)(((__uint32_t)(th->th_ack) & 0xff) << 24 | ((__uint32_t
)(th->th_ack) & 0xff00) << 8 | ((__uint32_t)(th->
th_ack) & 0xff0000) >> 8 | ((__uint32_t)(th->th_ack
) & 0xff000000) >> 24) : __swap32md(th->th_ack)), ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq)) + 1,
5353 TH_ACK0x10, (*stp)->src.max_win, 0, 0, 0,
5354 (*stp)->tag, pd->rdomain);
5355 pf_send_tcp((*stp)->rule.ptr, pd->af,
5356 &sk->addr[pd->sidx], &sk->addr[pd->didx],
5357 sk->port[pd->sidx], sk->port[pd->didx],
5358 (*stp)->src.seqhi + 1, (*stp)->src.seqlo + 1,
5359 TH_ACK0x10, (*stp)->dst.max_win, 0, 0, 1,
5360 0, sk->rdomain);
5361 (*stp)->src.seqdiff = (*stp)->dst.seqhi -
5362 (*stp)->src.seqlo;
5363 (*stp)->dst.seqdiff = (*stp)->src.seqhi -
5364 (*stp)->dst.seqlo;
5365 (*stp)->src.seqhi = (*stp)->src.seqlo +
5366 (*stp)->dst.max_win;
5367 (*stp)->dst.seqhi = (*stp)->dst.seqlo +
5368 (*stp)->src.max_win;
5369 (*stp)->src.wscale = (*stp)->dst.wscale = 0;
5370 pf_set_protostate(*stp, PF_PEER_BOTH,
5371 TCPS_ESTABLISHED4);
5372 REASON_SET(reason, PFRES_SYNPROXY)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (14);
if (14 < 17) pf_status.counters[14]++; } } while (0);
5373 return (PF_SYNPROXY_DROP);
5374 }
5375 }
5376 return (PF_PASS);
5377}
5378
5379int
5380pf_test_state(struct pf_pdesc *pd, struct pf_state **stp, u_short *reason)
5381{
5382 int copyback = 0;
5383 struct pf_state_peer *src, *dst;
5384 int action;
5385 struct inpcb *inp = pd->m->m_pkthdrM_dat.MH.MH_pkthdr.pf.inp;
5386 u_int8_t psrc, pdst;
5387
5388 action = PF_PASS;
5389 if (pd->dir == (*stp)->direction) {
48
Assuming field 'dir' is not equal to field 'direction'
49
Taking false branch
5390 src = &(*stp)->src;
5391 dst = &(*stp)->dst;
5392 psrc = PF_PEER_SRC;
5393 pdst = PF_PEER_DST;
5394 } else {
5395 src = &(*stp)->dst;
5396 dst = &(*stp)->src;
5397 psrc = PF_PEER_DST;
5398 pdst = PF_PEER_SRC;
5399 }
5400
5401 switch (pd->virtual_proto) {
50
Control jumps to 'case 6:' at line 5402
5402 case IPPROTO_TCP6:
5403 if ((action = pf_synproxy(pd, stp, reason)) != PF_PASS)
51
Assuming the condition is false
52
Taking false branch
5404 return (action);
5405 if ((pd->hdr.tcp.th_flags & (TH_SYN0x02|TH_ACK0x10)) == TH_SYN0x02) {
53
Assuming the condition is true
5406
5407 if (dst->state >= TCPS_FIN_WAIT_29 &&
54
Assuming field 'state' is >= TCPS_FIN_WAIT_2
56
Taking true branch
5408 src->state >= TCPS_FIN_WAIT_29) {
55
Assuming field 'state' is >= TCPS_FIN_WAIT_2
5409 if (pf_status.debug >= LOG_NOTICE5) {
57
Assuming field 'debug' is >= LOG_NOTICE
58
Taking true branch
5410 log(LOG_NOTICE5, "pf: state reuse ");
5411 pf_print_state(*stp);
5412 pf_print_flags(pd->hdr.tcp.th_flags);
5413 addlog("\n");
5414 }
5415 /* XXX make sure it's the same direction ?? */
5416 pf_update_state_timeout(*stp, PFTM_PURGE);
59
Passing null pointer value via 1st parameter 'st'
60
Calling 'pf_update_state_timeout'
5417 pf_state_unref(*stp);
5418 *stp = NULL((void *)0);
5419 pf_mbuf_link_inpcb(pd->m, inp);
5420 return (PF_DROP);
5421 } else if (dst->state >= TCPS_ESTABLISHED4 &&
5422 src->state >= TCPS_ESTABLISHED4) {
5423 /*
5424 * SYN matches existing state???
5425 * Typically happens when sender boots up after
5426 * sudden panic. Certain protocols (NFSv3) are
5427 * always using same port numbers. Challenge
5428 * ACK enables all parties (firewall and peers)
5429 * to get in sync again.
5430 */
5431 pf_send_challenge_ack(pd, *stp, src, dst);
5432 return (PF_DROP);
5433 }
5434 }
5435
5436 if ((*stp)->state_flags & PFSTATE_SLOPPY0x0002) {
5437 if (pf_tcp_track_sloppy(pd, stp, reason) == PF_DROP)
5438 return (PF_DROP);
5439 } else {
5440 if (pf_tcp_track_full(pd, stp, reason, &copyback,
5441 PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af)))) == PF_DROP)
5442 return (PF_DROP);
5443 }
5444 break;
5445 case IPPROTO_UDP17:
5446 /* update states */
5447 if (src->state < PFUDPS_SINGLE1)
5448 pf_set_protostate(*stp, psrc, PFUDPS_SINGLE1);
5449 if (dst->state == PFUDPS_SINGLE1)
5450 pf_set_protostate(*stp, pdst, PFUDPS_MULTIPLE2);
5451
5452 /* update expire time */
5453 (*stp)->expire = getuptime();
5454 if (src->state == PFUDPS_MULTIPLE2 &&
5455 dst->state == PFUDPS_MULTIPLE2)
5456 pf_update_state_timeout(*stp, PFTM_UDP_MULTIPLE);
5457 else
5458 pf_update_state_timeout(*stp, PFTM_UDP_SINGLE);
5459 break;
5460 default:
5461 /* update states */
5462 if (src->state < PFOTHERS_SINGLE1)
5463 pf_set_protostate(*stp, psrc, PFOTHERS_SINGLE1);
5464 if (dst->state == PFOTHERS_SINGLE1)
5465 pf_set_protostate(*stp, pdst, PFOTHERS_MULTIPLE2);
5466
5467 /* update expire time */
5468 (*stp)->expire = getuptime();
5469 if (src->state == PFOTHERS_MULTIPLE2 &&
5470 dst->state == PFOTHERS_MULTIPLE2)
5471 pf_update_state_timeout(*stp, PFTM_OTHER_MULTIPLE);
5472 else
5473 pf_update_state_timeout(*stp, PFTM_OTHER_SINGLE);
5474 break;
5475 }
5476
5477 /* translate source/destination address, if necessary */
5478 if ((*stp)->key[PF_SK_WIRE] != (*stp)->key[PF_SK_STACK]) {
5479 struct pf_state_key *nk;
5480 int afto, sidx, didx;
5481
5482 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af))))
5483 nk = (*stp)->key[pd->sidx];
5484 else
5485 nk = (*stp)->key[pd->didx];
5486
5487 afto = pd->af != nk->af;
5488 sidx = afto ? pd->didx : pd->sidx;
5489 didx = afto ? pd->sidx : pd->didx;
5490
5491#ifdef INET61
5492 if (afto) {
5493 pf_addrcpy(&pd->nsaddr, &nk->addr[sidx], nk->af);
5494 pf_addrcpy(&pd->ndaddr, &nk->addr[didx], nk->af);
5495 pd->naf = nk->af;
5496 action = PF_AFRT;
5497 }
5498#endif /* INET6 */
5499
5500 if (!afto)
5501 pf_translate_a(pd, pd->src, &nk->addr[sidx]);
5502
5503 if (pd->sport != NULL((void *)0))
5504 pf_patch_16(pd, pd->sport, nk->port[sidx]);
5505
5506 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af)((pd->af == 2 && (pd->dst)->pfa.addr32[0] !=
(&nk->addr[didx])->pfa.addr32[0]) || (pd->af ==
24 && ((pd->dst)->pfa.addr32[3] != (&nk->
addr[didx])->pfa.addr32[3] || (pd->dst)->pfa.addr32[
2] != (&nk->addr[didx])->pfa.addr32[2] || (pd->dst
)->pfa.addr32[1] != (&nk->addr[didx])->pfa.addr32
[1] || (pd->dst)->pfa.addr32[0] != (&nk->addr[didx
])->pfa.addr32[0]))) ||
5507 pd->rdomain != nk->rdomain)
5508 pd->destchg = 1;
5509
5510 if (!afto)
5511 pf_translate_a(pd, pd->dst, &nk->addr[didx]);
5512
5513 if (pd->dport != NULL((void *)0))
5514 pf_patch_16(pd, pd->dport, nk->port[didx]);
5515
5516 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = nk->rdomain;
5517 copyback = 1;
5518 }
5519
5520 if (copyback && pd->hdrlen > 0) {
5521 m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT0x0002);
5522 }
5523
5524 return (action);
5525}
5526
5527int
5528pf_icmp_state_lookup(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
5529 struct pf_state **stp, u_int16_t icmpid, u_int16_t type,
5530 int icmp_dir, int *iidx, int multi, int inner)
5531{
5532 int direction, action;
5533
5534 key->af = pd->af;
5535 key->proto = pd->proto;
5536 key->rdomain = pd->rdomain;
5537 if (icmp_dir == PF_IN) {
5538 *iidx = pd->sidx;
5539 key->port[pd->sidx] = icmpid;
5540 key->port[pd->didx] = type;
5541 } else {
5542 *iidx = pd->didx;
5543 key->port[pd->sidx] = type;
5544 key->port[pd->didx] = icmpid;
5545 }
5546
5547 if (pf_state_key_addr_setup(pd, key, pd->sidx, pd->src, pd->didx,
5548 pd->dst, pd->af, multi))
5549 return (PF_DROP);
5550
5551 key->hash = pf_pkt_hash(key->af, key->proto,
5552 &key->addr[0], &key->addr[1], 0, 0);
5553
5554 action = pf_find_state(pd, key, stp);
5555 if (action != PF_MATCH)
5556 return (action);
5557
5558 if ((*stp)->state_flags & PFSTATE_SLOPPY0x0002)
5559 return (-1);
5560
5561 /* Is this ICMP message flowing in right direction? */
5562 if ((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK]->af)
5563 direction = (pd->af == (*stp)->key[PF_SK_WIRE]->af) ?
5564 PF_IN : PF_OUT;
5565 else
5566 direction = (*stp)->direction;
5567 if ((((!inner && direction == pd->dir) ||
5568 (inner && direction != pd->dir)) ?
5569 PF_IN : PF_OUT) != icmp_dir) {
5570 if (pf_status.debug >= LOG_NOTICE5) {
5571 log(LOG_NOTICE5,
5572 "pf: icmp type %d in wrong direction (%d): ",
5573 ntohs(type)(__uint16_t)(__builtin_constant_p(type) ? (__uint16_t)(((__uint16_t
)(type) & 0xffU) << 8 | ((__uint16_t)(type) & 0xff00U
) >> 8) : __swap16md(type)), icmp_dir);
5574 pf_print_state(*stp);
5575 addlog("\n");
5576 }
5577 return (PF_DROP);
5578 }
5579 return (-1);
5580}
5581
5582int
5583pf_test_state_icmp(struct pf_pdesc *pd, struct pf_state **stp,
5584 u_short *reason)
5585{
5586 u_int16_t virtual_id, virtual_type;
5587 u_int8_t icmptype, icmpcode;
5588 int icmp_dir, iidx, ret, copyback = 0;
5589
5590 struct pf_state_key_cmp key;
5591
5592 switch (pd->proto) {
5593 case IPPROTO_ICMP1:
5594 icmptype = pd->hdr.icmp.icmp_type;
5595 icmpcode = pd->hdr.icmp.icmp_code;
5596 break;
5597#ifdef INET61
5598 case IPPROTO_ICMPV658:
5599 icmptype = pd->hdr.icmp6.icmp6_type;
5600 icmpcode = pd->hdr.icmp6.icmp6_code;
5601 break;
5602#endif /* INET6 */
5603 default:
5604 panic("unhandled proto %d", pd->proto);
5605 }
5606
5607 if (pf_icmp_mapping(pd, icmptype, &icmp_dir, &virtual_id,
5608 &virtual_type) == 0) {
5609 /*
5610 * ICMP query/reply message not related to a TCP/UDP packet.
5611 * Search for an ICMP state.
5612 */
5613 ret = pf_icmp_state_lookup(pd, &key, stp,
5614 virtual_id, virtual_type, icmp_dir, &iidx,
5615 0, 0);
5616 /* IPv6? try matching a multicast address */
5617 if (ret == PF_DROP && pd->af == AF_INET624 && icmp_dir == PF_OUT)
5618 ret = pf_icmp_state_lookup(pd, &key, stp, virtual_id,
5619 virtual_type, icmp_dir, &iidx, 1, 0);
5620 if (ret >= 0)
5621 return (ret);
5622
5623 (*stp)->expire = getuptime();
5624 pf_update_state_timeout(*stp, PFTM_ICMP_ERROR_REPLY);
5625
5626 /* translate source/destination address, if necessary */
5627 if ((*stp)->key[PF_SK_WIRE] != (*stp)->key[PF_SK_STACK]) {
5628 struct pf_state_key *nk;
5629 int afto, sidx, didx;
5630
5631 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af))))
5632 nk = (*stp)->key[pd->sidx];
5633 else
5634 nk = (*stp)->key[pd->didx];
5635
5636 afto = pd->af != nk->af;
5637 sidx = afto ? pd->didx : pd->sidx;
5638 didx = afto ? pd->sidx : pd->didx;
5639 iidx = afto ? !iidx : iidx;
5640#ifdef INET61
5641 if (afto) {
5642 pf_addrcpy(&pd->nsaddr, &nk->addr[sidx],
5643 nk->af);
5644 pf_addrcpy(&pd->ndaddr, &nk->addr[didx],
5645 nk->af);
5646 pd->naf = nk->af;
5647 }
5648#endif /* INET6 */
5649 if (!afto) {
5650 pf_translate_a(pd, pd->src, &nk->addr[sidx]);
5651 pf_translate_a(pd, pd->dst, &nk->addr[didx]);
5652 }
5653
5654 if (pd->rdomain != nk->rdomain)
5655 pd->destchg = 1;
5656 if (!afto && PF_ANEQ(pd->dst,((pd->af == 2 && (pd->dst)->pfa.addr32[0] !=
(&nk->addr[didx])->pfa.addr32[0]) || (pd->af ==
24 && ((pd->dst)->pfa.addr32[3] != (&nk->
addr[didx])->pfa.addr32[3] || (pd->dst)->pfa.addr32[
2] != (&nk->addr[didx])->pfa.addr32[2] || (pd->dst
)->pfa.addr32[1] != (&nk->addr[didx])->pfa.addr32
[1] || (pd->dst)->pfa.addr32[0] != (&nk->addr[didx
])->pfa.addr32[0])))
5657 &nk->addr[didx], pd->af)((pd->af == 2 && (pd->dst)->pfa.addr32[0] !=
(&nk->addr[didx])->pfa.addr32[0]) || (pd->af ==
24 && ((pd->dst)->pfa.addr32[3] != (&nk->
addr[didx])->pfa.addr32[3] || (pd->dst)->pfa.addr32[
2] != (&nk->addr[didx])->pfa.addr32[2] || (pd->dst
)->pfa.addr32[1] != (&nk->addr[didx])->pfa.addr32
[1] || (pd->dst)->pfa.addr32[0] != (&nk->addr[didx
])->pfa.addr32[0]))))
5658 pd->destchg = 1;
5659 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = nk->rdomain;
5660
5661 switch (pd->af) {
5662 case AF_INET2:
5663#ifdef INET61
5664 if (afto) {
5665 if (pf_translate_icmp_af(pd, AF_INET624,
5666 &pd->hdr.icmp))
5667 return (PF_DROP);
5668 pd->proto = IPPROTO_ICMPV658;
5669 }
5670#endif /* INET6 */
5671 pf_patch_16(pd,
5672 &pd->hdr.icmp.icmp_idicmp_hun.ih_idseq.icd_id, nk->port[iidx]);
5673
5674 m_copyback(pd->m, pd->off, ICMP_MINLEN8,
5675 &pd->hdr.icmp, M_NOWAIT0x0002);
5676 copyback = 1;
5677 break;
5678#ifdef INET61
5679 case AF_INET624:
5680 if (afto) {
5681 if (pf_translate_icmp_af(pd, AF_INET2,
5682 &pd->hdr.icmp6))
5683 return (PF_DROP);
5684 pd->proto = IPPROTO_ICMP1;
5685 }
5686
5687 pf_patch_16(pd,
5688 &pd->hdr.icmp6.icmp6_idicmp6_dataun.icmp6_un_data16[0], nk->port[iidx]);
5689
5690 m_copyback(pd->m, pd->off,
5691 sizeof(struct icmp6_hdr), &pd->hdr.icmp6,
5692 M_NOWAIT0x0002);
5693 copyback = 1;
5694 break;
5695#endif /* INET6 */
5696 }
5697#ifdef INET61
5698 if (afto)
5699 return (PF_AFRT);
5700#endif /* INET6 */
5701 }
5702 } else {
5703 /*
5704 * ICMP error message in response to a TCP/UDP packet.
5705 * Extract the inner TCP/UDP header and search for that state.
5706 */
5707 struct pf_pdesc pd2;
5708 struct ip h2;
5709#ifdef INET61
5710 struct ip6_hdr h2_6;
5711#endif /* INET6 */
5712 int ipoff2;
5713
5714 /* Initialize pd2 fields valid for both packets with pd. */
5715 memset(&pd2, 0, sizeof(pd2))__builtin_memset((&pd2), (0), (sizeof(pd2)));
5716 pd2.af = pd->af;
5717 pd2.dir = pd->dir;
5718 pd2.kif = pd->kif;
5719 pd2.m = pd->m;
5720 pd2.rdomain = pd->rdomain;
5721 /* Payload packet is from the opposite direction. */
5722 pd2.sidx = (pd2.dir == PF_IN) ? 1 : 0;
5723 pd2.didx = (pd2.dir == PF_IN) ? 0 : 1;
5724 switch (pd->af) {
5725 case AF_INET2:
5726 /* offset of h2 in mbuf chain */
5727 ipoff2 = pd->off + ICMP_MINLEN8;
5728
5729 if (!pf_pull_hdr(pd2.m, ipoff2, &h2, sizeof(h2),
5730 reason, pd2.af)) {
5731 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (ip)"); addlog("\n"); } } while
(0)
5732 "ICMP error message too short (ip)")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (ip)"); addlog("\n"); } } while
(0);
5733 return (PF_DROP);
5734 }
5735 /*
5736 * ICMP error messages don't refer to non-first
5737 * fragments
5738 */
5739 if (h2.ip_off & htons(IP_OFFMASK)(__uint16_t)(__builtin_constant_p(0x1fff) ? (__uint16_t)(((__uint16_t
)(0x1fff) & 0xffU) << 8 | ((__uint16_t)(0x1fff) &
0xff00U) >> 8) : __swap16md(0x1fff))) {
5740 REASON_SET(reason, PFRES_FRAG)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (2); if
(2 < 17) pf_status.counters[2]++; } } while (0);
5741 return (PF_DROP);
5742 }
5743
5744 /* offset of protocol header that follows h2 */
5745 pd2.off = ipoff2;
5746 if (pf_walk_header(&pd2, &h2, reason) != PF_PASS)
5747 return (PF_DROP);
5748
5749 pd2.tot_len = ntohs(h2.ip_len)(__uint16_t)(__builtin_constant_p(h2.ip_len) ? (__uint16_t)((
(__uint16_t)(h2.ip_len) & 0xffU) << 8 | ((__uint16_t
)(h2.ip_len) & 0xff00U) >> 8) : __swap16md(h2.ip_len
));
5750 pd2.src = (struct pf_addr *)&h2.ip_src;
5751 pd2.dst = (struct pf_addr *)&h2.ip_dst;
5752 break;
5753#ifdef INET61
5754 case AF_INET624:
5755 ipoff2 = pd->off + sizeof(struct icmp6_hdr);
5756
5757 if (!pf_pull_hdr(pd2.m, ipoff2, &h2_6, sizeof(h2_6),
5758 reason, pd2.af)) {
5759 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (ip6)"); addlog("\n"); } } while
(0)
5760 "ICMP error message too short (ip6)")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (ip6)"); addlog("\n"); } } while
(0);
5761 return (PF_DROP);
5762 }
5763
5764 pd2.off = ipoff2;
5765 if (pf_walk_header6(&pd2, &h2_6, reason) != PF_PASS)
5766 return (PF_DROP);
5767
5768 pd2.tot_len = ntohs(h2_6.ip6_plen)(__uint16_t)(__builtin_constant_p(h2_6.ip6_ctlun.ip6_un1.ip6_un1_plen
) ? (__uint16_t)(((__uint16_t)(h2_6.ip6_ctlun.ip6_un1.ip6_un1_plen
) & 0xffU) << 8 | ((__uint16_t)(h2_6.ip6_ctlun.ip6_un1
.ip6_un1_plen) & 0xff00U) >> 8) : __swap16md(h2_6.ip6_ctlun
.ip6_un1.ip6_un1_plen)) +
5769 sizeof(struct ip6_hdr);
5770 pd2.src = (struct pf_addr *)&h2_6.ip6_src;
5771 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
5772 break;
5773#endif /* INET6 */
5774 default:
5775 unhandled_af(pd->af);
5776 }
5777
5778 if (PF_ANEQ(pd->dst, pd2.src, pd->af)((pd->af == 2 && (pd->dst)->pfa.addr32[0] !=
(pd2.src)->pfa.addr32[0]) || (pd->af == 24 && (
(pd->dst)->pfa.addr32[3] != (pd2.src)->pfa.addr32[3]
|| (pd->dst)->pfa.addr32[2] != (pd2.src)->pfa.addr32
[2] || (pd->dst)->pfa.addr32[1] != (pd2.src)->pfa.addr32
[1] || (pd->dst)->pfa.addr32[0] != (pd2.src)->pfa.addr32
[0])))) {
5779 if (pf_status.debug >= LOG_NOTICE5) {
5780 log(LOG_NOTICE5,
5781 "pf: BAD ICMP %d:%d outer dst: ",
5782 icmptype, icmpcode);
5783 pf_print_host(pd->src, 0, pd->af);
5784 addlog(" -> ");
5785 pf_print_host(pd->dst, 0, pd->af);
5786 addlog(" inner src: ");
5787 pf_print_host(pd2.src, 0, pd2.af);
5788 addlog(" -> ");
5789 pf_print_host(pd2.dst, 0, pd2.af);
5790 addlog("\n");
5791 }
5792 REASON_SET(reason, PFRES_BADSTATE)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (10);
if (10 < 17) pf_status.counters[10]++; } } while (0);
5793 return (PF_DROP);
5794 }
5795
5796 switch (pd2.proto) {
5797 case IPPROTO_TCP6: {
5798 struct tcphdr *th = &pd2.hdr.tcp;
5799 u_int32_t seq;
5800 struct pf_state_peer *src, *dst;
5801 u_int8_t dws;
5802 int action;
5803
5804 /*
5805 * Only the first 8 bytes of the TCP header can be
5806 * expected. Don't access any TCP header fields after
5807 * th_seq, an ackskew test is not possible.
5808 */
5809 if (!pf_pull_hdr(pd2.m, pd2.off, th, 8, reason,
5810 pd2.af)) {
5811 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (tcp)"); addlog("\n"); } } while
(0)
5812 "ICMP error message too short (tcp)")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (tcp)"); addlog("\n"); } } while
(0);
5813 return (PF_DROP);
5814 }
5815
5816 key.af = pd2.af;
5817 key.proto = IPPROTO_TCP6;
5818 key.rdomain = pd2.rdomain;
5819 pf_addrcpy(&key.addr[pd2.sidx], pd2.src, key.af);
5820 pf_addrcpy(&key.addr[pd2.didx], pd2.dst, key.af);
5821 key.port[pd2.sidx] = th->th_sport;
5822 key.port[pd2.didx] = th->th_dport;
5823 key.hash = pf_pkt_hash(pd2.af, pd2.proto,
5824 pd2.src, pd2.dst, th->th_sport, th->th_dport);
5825
5826 action = pf_find_state(&pd2, &key, stp);
5827 if (action != PF_MATCH)
5828 return (action);
5829
5830 if (pd2.dir == (*stp)->direction) {
5831 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af)))) {
5832 src = &(*stp)->src;
5833 dst = &(*stp)->dst;
5834 } else {
5835 src = &(*stp)->dst;
5836 dst = &(*stp)->src;
5837 }
5838 } else {
5839 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af)))) {
5840 src = &(*stp)->dst;
5841 dst = &(*stp)->src;
5842 } else {
5843 src = &(*stp)->src;
5844 dst = &(*stp)->dst;
5845 }
5846 }
5847
5848 if (src->wscale && dst->wscale)
5849 dws = dst->wscale & PF_WSCALE_MASK0x0f;
5850 else
5851 dws = 0;
5852
5853 /* Demodulate sequence number */
5854 seq = ntohl(th->th_seq)(__uint32_t)(__builtin_constant_p(th->th_seq) ? (__uint32_t
)(((__uint32_t)(th->th_seq) & 0xff) << 24 | ((__uint32_t
)(th->th_seq) & 0xff00) << 8 | ((__uint32_t)(th->
th_seq) & 0xff0000) >> 8 | ((__uint32_t)(th->th_seq
) & 0xff000000) >> 24) : __swap32md(th->th_seq)) - src->seqdiff;
5855 if (src->seqdiff) {
5856 pf_patch_32(pd, &th->th_seq, htonl(seq)(__uint32_t)(__builtin_constant_p(seq) ? (__uint32_t)(((__uint32_t
)(seq) & 0xff) << 24 | ((__uint32_t)(seq) & 0xff00
) << 8 | ((__uint32_t)(seq) & 0xff0000) >> 8 |
((__uint32_t)(seq) & 0xff000000) >> 24) : __swap32md
(seq)));
5857 copyback = 1;
5858 }
5859
5860 if (!((*stp)->state_flags & PFSTATE_SLOPPY0x0002) &&
5861 (!SEQ_GEQ(src->seqhi, seq)((int)((src->seqhi)-(seq)) >= 0) || !SEQ_GEQ(seq,((int)((seq)-(src->seqlo - (dst->max_win << dws))
) >= 0)
5862 src->seqlo - (dst->max_win << dws))((int)((seq)-(src->seqlo - (dst->max_win << dws))
) >= 0))) {
5863 if (pf_status.debug >= LOG_NOTICE5) {
5864 log(LOG_NOTICE5,
5865 "pf: BAD ICMP %d:%d ",
5866 icmptype, icmpcode);
5867 pf_print_host(pd->src, 0, pd->af);
5868 addlog(" -> ");
5869 pf_print_host(pd->dst, 0, pd->af);
5870 addlog(" state: ");
5871 pf_print_state(*stp);
5872 addlog(" seq=%u\n", seq);
5873 }
5874 REASON_SET(reason, PFRES_BADSTATE)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (10);
if (10 < 17) pf_status.counters[10]++; } } while (0);
5875 return (PF_DROP);
5876 } else {
5877 if (pf_status.debug >= LOG_DEBUG7) {
5878 log(LOG_DEBUG7,
5879 "pf: OK ICMP %d:%d ",
5880 icmptype, icmpcode);
5881 pf_print_host(pd->src, 0, pd->af);
5882 addlog(" -> ");
5883 pf_print_host(pd->dst, 0, pd->af);
5884 addlog(" state: ");
5885 pf_print_state(*stp);
5886 addlog(" seq=%u\n", seq);
5887 }
5888 }
5889
5890 /* translate source/destination address, if necessary */
5891 if ((*stp)->key[PF_SK_WIRE] !=
5892 (*stp)->key[PF_SK_STACK]) {
5893 struct pf_state_key *nk;
5894 int afto, sidx, didx;
5895
5896 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af))))
5897 nk = (*stp)->key[pd->sidx];
5898 else
5899 nk = (*stp)->key[pd->didx];
5900
5901 afto = pd->af != nk->af;
5902 sidx = afto ? pd2.didx : pd2.sidx;
5903 didx = afto ? pd2.sidx : pd2.didx;
5904
5905#ifdef INET61
5906 if (afto) {
5907 if (pf_translate_icmp_af(pd, nk->af,
5908 &pd->hdr.icmp))
5909 return (PF_DROP);
5910 m_copyback(pd->m, pd->off,
5911 sizeof(struct icmp6_hdr),
5912 &pd->hdr.icmp6, M_NOWAIT0x0002);
5913 if (pf_change_icmp_af(pd->m, ipoff2,
5914 pd, &pd2, &nk->addr[sidx],
5915 &nk->addr[didx], pd->af, nk->af))
5916 return (PF_DROP);
5917 if (nk->af == AF_INET2)
5918 pd->proto = IPPROTO_ICMP1;
5919 else
5920 pd->proto = IPPROTO_ICMPV658;
5921 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid =
5922 nk->rdomain;
5923 pd->destchg = 1;
5924 pf_addrcpy(&pd->nsaddr,
5925 &nk->addr[pd2.sidx], nk->af);
5926 pf_addrcpy(&pd->ndaddr,
5927 &nk->addr[pd2.didx], nk->af);
5928 pd->naf = nk->af;
5929
5930 pf_patch_16(pd,
5931 &th->th_sport, nk->port[sidx]);
5932 pf_patch_16(pd,
5933 &th->th_dport, nk->port[didx]);
5934
5935 m_copyback(pd2.m, pd2.off, 8, th,
5936 M_NOWAIT0x0002);
5937 return (PF_AFRT);
5938 }
5939#endif /* INET6 */
5940 if (PF_ANEQ(pd2.src,((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0])))
5941 &nk->addr[pd2.sidx], pd2.af)((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0]))) ||
5942 nk->port[pd2.sidx] != th->th_sport)
5943 pf_translate_icmp(pd, pd2.src,
5944 &th->th_sport, pd->dst,
5945 &nk->addr[pd2.sidx],
5946 nk->port[pd2.sidx]);
5947
5948 if (PF_ANEQ(pd2.dst, &nk->addr[pd2.didx],((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
5949 pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))) || pd2.rdomain != nk->rdomain)
5950 pd->destchg = 1;
5951 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = nk->rdomain;
5952
5953 if (PF_ANEQ(pd2.dst,((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
5954 &nk->addr[pd2.didx], pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))) ||
5955 nk->port[pd2.didx] != th->th_dport)
5956 pf_translate_icmp(pd, pd2.dst,
5957 &th->th_dport, pd->src,
5958 &nk->addr[pd2.didx],
5959 nk->port[pd2.didx]);
5960 copyback = 1;
5961 }
5962
5963 if (copyback) {
5964 switch (pd2.af) {
5965 case AF_INET2:
5966 m_copyback(pd->m, pd->off, ICMP_MINLEN8,
5967 &pd->hdr.icmp, M_NOWAIT0x0002);
5968 m_copyback(pd2.m, ipoff2, sizeof(h2),
5969 &h2, M_NOWAIT0x0002);
5970 break;
5971#ifdef INET61
5972 case AF_INET624:
5973 m_copyback(pd->m, pd->off,
5974 sizeof(struct icmp6_hdr),
5975 &pd->hdr.icmp6, M_NOWAIT0x0002);
5976 m_copyback(pd2.m, ipoff2, sizeof(h2_6),
5977 &h2_6, M_NOWAIT0x0002);
5978 break;
5979#endif /* INET6 */
5980 }
5981 m_copyback(pd2.m, pd2.off, 8, th, M_NOWAIT0x0002);
5982 }
5983 break;
5984 }
5985 case IPPROTO_UDP17: {
5986 struct udphdr *uh = &pd2.hdr.udp;
5987 int action;
5988
5989 if (!pf_pull_hdr(pd2.m, pd2.off, uh, sizeof(*uh),
5990 reason, pd2.af)) {
5991 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (udp)"); addlog("\n"); } } while
(0)
5992 "ICMP error message too short (udp)")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (udp)"); addlog("\n"); } } while
(0);
5993 return (PF_DROP);
5994 }
5995
5996 key.af = pd2.af;
5997 key.proto = IPPROTO_UDP17;
5998 key.rdomain = pd2.rdomain;
5999 pf_addrcpy(&key.addr[pd2.sidx], pd2.src, key.af);
6000 pf_addrcpy(&key.addr[pd2.didx], pd2.dst, key.af);
6001 key.port[pd2.sidx] = uh->uh_sport;
6002 key.port[pd2.didx] = uh->uh_dport;
6003 key.hash = pf_pkt_hash(pd2.af, pd2.proto,
6004 pd2.src, pd2.dst, uh->uh_sport, uh->uh_dport);
6005
6006 action = pf_find_state(&pd2, &key, stp);
6007 if (action != PF_MATCH)
6008 return (action);
6009
6010 /* translate source/destination address, if necessary */
6011 if ((*stp)->key[PF_SK_WIRE] !=
6012 (*stp)->key[PF_SK_STACK]) {
6013 struct pf_state_key *nk;
6014 int afto, sidx, didx;
6015
6016 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af))))
6017 nk = (*stp)->key[pd->sidx];
6018 else
6019 nk = (*stp)->key[pd->didx];
6020
6021 afto = pd->af != nk->af;
6022 sidx = afto ? pd2.didx : pd2.sidx;
6023 didx = afto ? pd2.sidx : pd2.didx;
6024
6025#ifdef INET61
6026 if (afto) {
6027 if (pf_translate_icmp_af(pd, nk->af,
6028 &pd->hdr.icmp))
6029 return (PF_DROP);
6030 m_copyback(pd->m, pd->off,
6031 sizeof(struct icmp6_hdr),
6032 &pd->hdr.icmp6, M_NOWAIT0x0002);
6033 if (pf_change_icmp_af(pd->m, ipoff2,
6034 pd, &pd2, &nk->addr[sidx],
6035 &nk->addr[didx], pd->af, nk->af))
6036 return (PF_DROP);
6037 if (nk->af == AF_INET2)
6038 pd->proto = IPPROTO_ICMP1;
6039 else
6040 pd->proto = IPPROTO_ICMPV658;
6041 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid =
6042 nk->rdomain;
6043 pd->destchg = 1;
6044 pf_addrcpy(&pd->nsaddr,
6045 &nk->addr[pd2.sidx], nk->af);
6046 pf_addrcpy(&pd->ndaddr,
6047 &nk->addr[pd2.didx], nk->af);
6048 pd->naf = nk->af;
6049
6050 pf_patch_16(pd,
6051 &uh->uh_sport, nk->port[sidx]);
6052 pf_patch_16(pd,
6053 &uh->uh_dport, nk->port[didx]);
6054
6055 m_copyback(pd2.m, pd2.off, sizeof(*uh),
6056 uh, M_NOWAIT0x0002);
6057 return (PF_AFRT);
6058 }
6059#endif /* INET6 */
6060
6061 if (PF_ANEQ(pd2.src,((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0])))
6062 &nk->addr[pd2.sidx], pd2.af)((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0]))) ||
6063 nk->port[pd2.sidx] != uh->uh_sport)
6064 pf_translate_icmp(pd, pd2.src,
6065 &uh->uh_sport, pd->dst,
6066 &nk->addr[pd2.sidx],
6067 nk->port[pd2.sidx]);
6068
6069 if (PF_ANEQ(pd2.dst, &nk->addr[pd2.didx],((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6070 pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))) || pd2.rdomain != nk->rdomain)
6071 pd->destchg = 1;
6072 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = nk->rdomain;
6073
6074 if (PF_ANEQ(pd2.dst,((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6075 &nk->addr[pd2.didx], pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))) ||
6076 nk->port[pd2.didx] != uh->uh_dport)
6077 pf_translate_icmp(pd, pd2.dst,
6078 &uh->uh_dport, pd->src,
6079 &nk->addr[pd2.didx],
6080 nk->port[pd2.didx]);
6081
6082 switch (pd2.af) {
6083 case AF_INET2:
6084 m_copyback(pd->m, pd->off, ICMP_MINLEN8,
6085 &pd->hdr.icmp, M_NOWAIT0x0002);
6086 m_copyback(pd2.m, ipoff2, sizeof(h2),
6087 &h2, M_NOWAIT0x0002);
6088 break;
6089#ifdef INET61
6090 case AF_INET624:
6091 m_copyback(pd->m, pd->off,
6092 sizeof(struct icmp6_hdr),
6093 &pd->hdr.icmp6, M_NOWAIT0x0002);
6094 m_copyback(pd2.m, ipoff2, sizeof(h2_6),
6095 &h2_6, M_NOWAIT0x0002);
6096 break;
6097#endif /* INET6 */
6098 }
6099 /* Avoid recomputing quoted UDP checksum.
6100 * note: udp6 0 csum invalid per rfc2460 p27.
6101 * but presumed nothing cares in this context */
6102 pf_patch_16(pd, &uh->uh_sum, 0);
6103 m_copyback(pd2.m, pd2.off, sizeof(*uh), uh,
6104 M_NOWAIT0x0002);
6105 copyback = 1;
6106 }
6107 break;
6108 }
6109 case IPPROTO_ICMP1: {
6110 struct icmp *iih = &pd2.hdr.icmp;
6111
6112 if (pd2.af != AF_INET2) {
6113 REASON_SET(reason, PFRES_NORM)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (4); if
(4 < 17) pf_status.counters[4]++; } } while (0);
6114 return (PF_DROP);
6115 }
6116
6117 if (!pf_pull_hdr(pd2.m, pd2.off, iih, ICMP_MINLEN8,
6118 reason, pd2.af)) {
6119 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (icmp)"); addlog("\n"); } } while
(0)
6120 "ICMP error message too short (icmp)")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (icmp)"); addlog("\n"); } } while
(0);
6121 return (PF_DROP);
6122 }
6123
6124 pf_icmp_mapping(&pd2, iih->icmp_type,
6125 &icmp_dir, &virtual_id, &virtual_type);
6126
6127 ret = pf_icmp_state_lookup(&pd2, &key, stp,
6128 virtual_id, virtual_type, icmp_dir, &iidx, 0, 1);
6129 if (ret >= 0)
6130 return (ret);
6131
6132 /* translate source/destination address, if necessary */
6133 if ((*stp)->key[PF_SK_WIRE] !=
6134 (*stp)->key[PF_SK_STACK]) {
6135 struct pf_state_key *nk;
6136 int afto, sidx, didx;
6137
6138 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af))))
6139 nk = (*stp)->key[pd->sidx];
6140 else
6141 nk = (*stp)->key[pd->didx];
6142
6143 afto = pd->af != nk->af;
6144 sidx = afto ? pd2.didx : pd2.sidx;
6145 didx = afto ? pd2.sidx : pd2.didx;
6146 iidx = afto ? !iidx : iidx;
6147
6148#ifdef INET61
6149 if (afto) {
6150 if (nk->af != AF_INET624)
6151 return (PF_DROP);
6152 if (pf_translate_icmp_af(pd, nk->af,
6153 &pd->hdr.icmp))
6154 return (PF_DROP);
6155 m_copyback(pd->m, pd->off,
6156 sizeof(struct icmp6_hdr),
6157 &pd->hdr.icmp6, M_NOWAIT0x0002);
6158 if (pf_change_icmp_af(pd->m, ipoff2,
6159 pd, &pd2, &nk->addr[sidx],
6160 &nk->addr[didx], pd->af, nk->af))
6161 return (PF_DROP);
6162 pd->proto = IPPROTO_ICMPV658;
6163 if (pf_translate_icmp_af(pd,
6164 nk->af, iih))
6165 return (PF_DROP);
6166 if (virtual_type == htons(ICMP_ECHO)(__uint16_t)(__builtin_constant_p(8) ? (__uint16_t)(((__uint16_t
)(8) & 0xffU) << 8 | ((__uint16_t)(8) & 0xff00U
) >> 8) : __swap16md(8)))
6167 pf_patch_16(pd, &iih->icmp_idicmp_hun.ih_idseq.icd_id,
6168 nk->port[iidx]);
6169 m_copyback(pd2.m, pd2.off, ICMP_MINLEN8,
6170 iih, M_NOWAIT0x0002);
6171 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid =
6172 nk->rdomain;
6173 pd->destchg = 1;
6174 pf_addrcpy(&pd->nsaddr,
6175 &nk->addr[pd2.sidx], nk->af);
6176 pf_addrcpy(&pd->ndaddr,
6177 &nk->addr[pd2.didx], nk->af);
6178 pd->naf = nk->af;
6179 return (PF_AFRT);
6180 }
6181#endif /* INET6 */
6182
6183 if (PF_ANEQ(pd2.src,((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0])))
6184 &nk->addr[pd2.sidx], pd2.af)((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0]))) ||
6185 (virtual_type == htons(ICMP_ECHO)(__uint16_t)(__builtin_constant_p(8) ? (__uint16_t)(((__uint16_t
)(8) & 0xffU) << 8 | ((__uint16_t)(8) & 0xff00U
) >> 8) : __swap16md(8)) &&
6186 nk->port[iidx] != iih->icmp_idicmp_hun.ih_idseq.icd_id))
6187 pf_translate_icmp(pd, pd2.src,
6188 (virtual_type == htons(ICMP_ECHO)(__uint16_t)(__builtin_constant_p(8) ? (__uint16_t)(((__uint16_t
)(8) & 0xffU) << 8 | ((__uint16_t)(8) & 0xff00U
) >> 8) : __swap16md(8))) ?
6189 &iih->icmp_idicmp_hun.ih_idseq.icd_id : NULL((void *)0),
6190 pd->dst, &nk->addr[pd2.sidx],
6191 (virtual_type == htons(ICMP_ECHO)(__uint16_t)(__builtin_constant_p(8) ? (__uint16_t)(((__uint16_t
)(8) & 0xffU) << 8 | ((__uint16_t)(8) & 0xff00U
) >> 8) : __swap16md(8))) ?
6192 nk->port[iidx] : 0);
6193
6194 if (PF_ANEQ(pd2.dst, &nk->addr[pd2.didx],((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6195 pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))) || pd2.rdomain != nk->rdomain)
6196 pd->destchg = 1;
6197 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = nk->rdomain;
6198
6199 if (PF_ANEQ(pd2.dst,((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6200 &nk->addr[pd2.didx], pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))))
6201 pf_translate_icmp(pd, pd2.dst, NULL((void *)0),
6202 pd->src, &nk->addr[pd2.didx], 0);
6203
6204 m_copyback(pd->m, pd->off, ICMP_MINLEN8,
6205 &pd->hdr.icmp, M_NOWAIT0x0002);
6206 m_copyback(pd2.m, ipoff2, sizeof(h2), &h2,
6207 M_NOWAIT0x0002);
6208 m_copyback(pd2.m, pd2.off, ICMP_MINLEN8, iih,
6209 M_NOWAIT0x0002);
6210 copyback = 1;
6211 }
6212 break;
6213 }
6214#ifdef INET61
6215 case IPPROTO_ICMPV658: {
6216 struct icmp6_hdr *iih = &pd2.hdr.icmp6;
6217
6218 if (pd2.af != AF_INET624) {
6219 REASON_SET(reason, PFRES_NORM)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (4); if
(4 < 17) pf_status.counters[4]++; } } while (0);
6220 return (PF_DROP);
6221 }
6222
6223 if (!pf_pull_hdr(pd2.m, pd2.off, iih,
6224 sizeof(struct icmp6_hdr), reason, pd2.af)) {
6225 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (icmp6)"); addlog("\n"); } } while
(0)
6226 "ICMP error message too short (icmp6)")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"ICMP error message too short (icmp6)"); addlog("\n"); } } while
(0);
6227 return (PF_DROP);
6228 }
6229
6230 pf_icmp_mapping(&pd2, iih->icmp6_type,
6231 &icmp_dir, &virtual_id, &virtual_type);
6232 ret = pf_icmp_state_lookup(&pd2, &key, stp,
6233 virtual_id, virtual_type, icmp_dir, &iidx, 0, 1);
6234 /* IPv6? try matching a multicast address */
6235 if (ret == PF_DROP && pd2.af == AF_INET624 &&
6236 icmp_dir == PF_OUT)
6237 ret = pf_icmp_state_lookup(&pd2, &key, stp,
6238 virtual_id, virtual_type, icmp_dir, &iidx,
6239 1, 1);
6240 if (ret >= 0)
6241 return (ret);
6242
6243 /* translate source/destination address, if necessary */
6244 if ((*stp)->key[PF_SK_WIRE] !=
6245 (*stp)->key[PF_SK_STACK]) {
6246 struct pf_state_key *nk;
6247 int afto, sidx, didx;
6248
6249 if (PF_REVERSED_KEY((*stp)->key, pd->af)(((*stp)->key[PF_SK_WIRE]->af != (*stp)->key[PF_SK_STACK
]->af) && ((*stp)->key[PF_SK_WIRE]->af != (pd
->af))))
6250 nk = (*stp)->key[pd->sidx];
6251 else
6252 nk = (*stp)->key[pd->didx];
6253
6254 afto = pd->af != nk->af;
6255 sidx = afto ? pd2.didx : pd2.sidx;
6256 didx = afto ? pd2.sidx : pd2.didx;
6257 iidx = afto ? !iidx : iidx;
6258
6259 if (afto) {
6260 if (nk->af != AF_INET2)
6261 return (PF_DROP);
6262 if (pf_translate_icmp_af(pd, nk->af,
6263 &pd->hdr.icmp))
6264 return (PF_DROP);
6265 m_copyback(pd->m, pd->off,
6266 sizeof(struct icmp6_hdr),
6267 &pd->hdr.icmp6, M_NOWAIT0x0002);
6268 if (pf_change_icmp_af(pd->m, ipoff2,
6269 pd, &pd2, &nk->addr[sidx],
6270 &nk->addr[didx], pd->af, nk->af))
6271 return (PF_DROP);
6272 pd->proto = IPPROTO_ICMP1;
6273 if (pf_translate_icmp_af(pd,
6274 nk->af, iih))
6275 return (PF_DROP);
6276 if (virtual_type ==
6277 htons(ICMP6_ECHO_REQUEST)(__uint16_t)(__builtin_constant_p(128) ? (__uint16_t)(((__uint16_t
)(128) & 0xffU) << 8 | ((__uint16_t)(128) & 0xff00U
) >> 8) : __swap16md(128)))
6278 pf_patch_16(pd, &iih->icmp6_idicmp6_dataun.icmp6_un_data16[0],
6279 nk->port[iidx]);
6280 m_copyback(pd2.m, pd2.off,
6281 sizeof(struct icmp6_hdr), iih,
6282 M_NOWAIT0x0002);
6283 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid =
6284 nk->rdomain;
6285 pd->destchg = 1;
6286 pf_addrcpy(&pd->nsaddr,
6287 &nk->addr[pd2.sidx], nk->af);
6288 pf_addrcpy(&pd->ndaddr,
6289 &nk->addr[pd2.didx], nk->af);
6290 pd->naf = nk->af;
6291 return (PF_AFRT);
6292 }
6293
6294 if (PF_ANEQ(pd2.src,((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0])))
6295 &nk->addr[pd2.sidx], pd2.af)((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0]))) ||
6296 ((virtual_type ==
6297 htons(ICMP6_ECHO_REQUEST)(__uint16_t)(__builtin_constant_p(128) ? (__uint16_t)(((__uint16_t
)(128) & 0xffU) << 8 | ((__uint16_t)(128) & 0xff00U
) >> 8) : __swap16md(128))) &&
6298 nk->port[pd2.sidx] != iih->icmp6_idicmp6_dataun.icmp6_un_data16[0]))
6299 pf_translate_icmp(pd, pd2.src,
6300 (virtual_type ==
6301 htons(ICMP6_ECHO_REQUEST)(__uint16_t)(__builtin_constant_p(128) ? (__uint16_t)(((__uint16_t
)(128) & 0xffU) << 8 | ((__uint16_t)(128) & 0xff00U
) >> 8) : __swap16md(128)))
6302 ? &iih->icmp6_idicmp6_dataun.icmp6_un_data16[0] : NULL((void *)0),
6303 pd->dst, &nk->addr[pd2.sidx],
6304 (virtual_type ==
6305 htons(ICMP6_ECHO_REQUEST)(__uint16_t)(__builtin_constant_p(128) ? (__uint16_t)(((__uint16_t
)(128) & 0xffU) << 8 | ((__uint16_t)(128) & 0xff00U
) >> 8) : __swap16md(128)))
6306 ? nk->port[iidx] : 0);
6307
6308 if (PF_ANEQ(pd2.dst, &nk->addr[pd2.didx],((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6309 pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))) || pd2.rdomain != nk->rdomain)
6310 pd->destchg = 1;
6311 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = nk->rdomain;
6312
6313 if (PF_ANEQ(pd2.dst,((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6314 &nk->addr[pd2.didx], pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))))
6315 pf_translate_icmp(pd, pd2.dst, NULL((void *)0),
6316 pd->src, &nk->addr[pd2.didx], 0);
6317
6318 m_copyback(pd->m, pd->off,
6319 sizeof(struct icmp6_hdr), &pd->hdr.icmp6,
6320 M_NOWAIT0x0002);
6321 m_copyback(pd2.m, ipoff2, sizeof(h2_6), &h2_6,
6322 M_NOWAIT0x0002);
6323 m_copyback(pd2.m, pd2.off,
6324 sizeof(struct icmp6_hdr), iih, M_NOWAIT0x0002);
6325 copyback = 1;
6326 }
6327 break;
6328 }
6329#endif /* INET6 */
6330 default: {
6331 int action;
6332
6333 key.af = pd2.af;
6334 key.proto = pd2.proto;
6335 key.rdomain = pd2.rdomain;
6336 pf_addrcpy(&key.addr[pd2.sidx], pd2.src, key.af);
6337 pf_addrcpy(&key.addr[pd2.didx], pd2.dst, key.af);
6338 key.port[0] = key.port[1] = 0;
6339 key.hash = pf_pkt_hash(pd2.af, pd2.proto,
6340 pd2.src, pd2.dst, 0, 0);
6341
6342 action = pf_find_state(&pd2, &key, stp);
6343 if (action != PF_MATCH)
6344 return (action);
6345
6346 /* translate source/destination address, if necessary */
6347 if ((*stp)->key[PF_SK_WIRE] !=
6348 (*stp)->key[PF_SK_STACK]) {
6349 struct pf_state_key *nk =
6350 (*stp)->key[pd->didx];
6351
6352 if (PF_ANEQ(pd2.src,((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0])))
6353 &nk->addr[pd2.sidx], pd2.af)((pd2.af == 2 && (pd2.src)->pfa.addr32[0] != (&
nk->addr[pd2.sidx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.src)->pfa.addr32[3] != (&nk->addr[pd2.sidx])
->pfa.addr32[3] || (pd2.src)->pfa.addr32[2] != (&nk
->addr[pd2.sidx])->pfa.addr32[2] || (pd2.src)->pfa.addr32
[1] != (&nk->addr[pd2.sidx])->pfa.addr32[1] || (pd2
.src)->pfa.addr32[0] != (&nk->addr[pd2.sidx])->pfa
.addr32[0]))))
6354 pf_translate_icmp(pd, pd2.src, NULL((void *)0),
6355 pd->dst, &nk->addr[pd2.sidx], 0);
6356
6357 if (PF_ANEQ(pd2.dst, &nk->addr[pd2.didx],((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6358 pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))) || pd2.rdomain != nk->rdomain)
6359 pd->destchg = 1;
6360 pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid = nk->rdomain;
6361
6362 if (PF_ANEQ(pd2.dst,((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0])))
6363 &nk->addr[pd2.didx], pd2.af)((pd2.af == 2 && (pd2.dst)->pfa.addr32[0] != (&
nk->addr[pd2.didx])->pfa.addr32[0]) || (pd2.af == 24 &&
((pd2.dst)->pfa.addr32[3] != (&nk->addr[pd2.didx])
->pfa.addr32[3] || (pd2.dst)->pfa.addr32[2] != (&nk
->addr[pd2.didx])->pfa.addr32[2] || (pd2.dst)->pfa.addr32
[1] != (&nk->addr[pd2.didx])->pfa.addr32[1] || (pd2
.dst)->pfa.addr32[0] != (&nk->addr[pd2.didx])->pfa
.addr32[0]))))
6364 pf_translate_icmp(pd, pd2.dst, NULL((void *)0),
6365 pd->src, &nk->addr[pd2.didx], 0);
6366
6367 switch (pd2.af) {
6368 case AF_INET2:
6369 m_copyback(pd->m, pd->off, ICMP_MINLEN8,
6370 &pd->hdr.icmp, M_NOWAIT0x0002);
6371 m_copyback(pd2.m, ipoff2, sizeof(h2),
6372 &h2, M_NOWAIT0x0002);
6373 break;
6374#ifdef INET61
6375 case AF_INET624:
6376 m_copyback(pd->m, pd->off,
6377 sizeof(struct icmp6_hdr),
6378 &pd->hdr.icmp6, M_NOWAIT0x0002);
6379 m_copyback(pd2.m, ipoff2, sizeof(h2_6),
6380 &h2_6, M_NOWAIT0x0002);
6381 break;
6382#endif /* INET6 */
6383 }
6384 copyback = 1;
6385 }
6386 break;
6387 }
6388 }
6389 }
6390 if (copyback) {
6391 m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT0x0002);
6392 }
6393
6394 return (PF_PASS);
6395}
6396
6397/*
6398 * ipoff and off are measured from the start of the mbuf chain.
6399 * h must be at "ipoff" on the mbuf chain.
6400 */
6401void *
6402pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
6403 u_short *reasonp, sa_family_t af)
6404{
6405 int iplen = 0;
6406
6407 switch (af) {
6408 case AF_INET2: {
6409 struct ip *h = mtod(m, struct ip *)((struct ip *)((m)->m_hdr.mh_data));
6410 u_int16_t fragoff = (ntohs(h->ip_off)(__uint16_t)(__builtin_constant_p(h->ip_off) ? (__uint16_t
)(((__uint16_t)(h->ip_off) & 0xffU) << 8 | ((__uint16_t
)(h->ip_off) & 0xff00U) >> 8) : __swap16md(h->
ip_off)) & IP_OFFMASK0x1fff) << 3;
6411
6412 if (fragoff) {
6413 REASON_SET(reasonp, PFRES_FRAG)do { if ((void *)(reasonp) != ((void *)0)) { *(reasonp) = (2)
; if (2 < 17) pf_status.counters[2]++; } } while (0);
6414 return (NULL((void *)0));
6415 }
6416 iplen = ntohs(h->ip_len)(__uint16_t)(__builtin_constant_p(h->ip_len) ? (__uint16_t
)(((__uint16_t)(h->ip_len) & 0xffU) << 8 | ((__uint16_t
)(h->ip_len) & 0xff00U) >> 8) : __swap16md(h->
ip_len));
6417 break;
6418 }
6419#ifdef INET61
6420 case AF_INET624: {
6421 struct ip6_hdr *h = mtod(m, struct ip6_hdr *)((struct ip6_hdr *)((m)->m_hdr.mh_data));
6422
6423 iplen = ntohs(h->ip6_plen)(__uint16_t)(__builtin_constant_p(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) ? (__uint16_t)(((__uint16_t)(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) & 0xffU) << 8 | ((__uint16_t)(h->ip6_ctlun.ip6_un1
.ip6_un1_plen) & 0xff00U) >> 8) : __swap16md(h->
ip6_ctlun.ip6_un1.ip6_un1_plen)) + sizeof(struct ip6_hdr);
6424 break;
6425 }
6426#endif /* INET6 */
6427 }
6428 if (m->m_pkthdrM_dat.MH.MH_pkthdr.len < off + len || iplen < off + len) {
6429 REASON_SET(reasonp, PFRES_SHORT)do { if ((void *)(reasonp) != ((void *)0)) { *(reasonp) = (3)
; if (3 < 17) pf_status.counters[3]++; } } while (0);
6430 return (NULL((void *)0));
6431 }
6432 m_copydata(m, off, len, p);
6433 return (p);
6434}
6435
6436int
6437pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif,
6438 int rtableid)
6439{
6440 struct sockaddr_storage ss;
6441 struct sockaddr_in *dst;
6442 int ret = 1;
6443 int check_mpath;
6444#ifdef INET61
6445 struct sockaddr_in6 *dst6;
6446#endif /* INET6 */
6447 struct rtentry *rt = NULL((void *)0);
6448
6449 check_mpath = 0;
6450 memset(&ss, 0, sizeof(ss))__builtin_memset((&ss), (0), (sizeof(ss)));
6451 switch (af) {
6452 case AF_INET2:
6453 dst = (struct sockaddr_in *)&ss;
6454 dst->sin_family = AF_INET2;
6455 dst->sin_len = sizeof(*dst);
6456 dst->sin_addr = addr->v4pfa.v4;
6457 if (ipmultipath)
6458 check_mpath = 1;
6459 break;
6460#ifdef INET61
6461 case AF_INET624:
6462 /*
6463 * Skip check for addresses with embedded interface scope,
6464 * as they would always match anyway.
6465 */
6466 if (IN6_IS_SCOPE_EMBED(&addr->v6)(((((&addr->pfa.v6)->__u6_addr.__u6_addr8[0] == 0xfe
) && (((&addr->pfa.v6)->__u6_addr.__u6_addr8
[1] & 0xc0) == 0x80))) || ((((&addr->pfa.v6)->__u6_addr
.__u6_addr8[0] == 0xff) && (((&addr->pfa.v6)->
__u6_addr.__u6_addr8[1] & 0x0f) == 0x02))) || ((((&addr
->pfa.v6)->__u6_addr.__u6_addr8[0] == 0xff) && (
((&addr->pfa.v6)->__u6_addr.__u6_addr8[1] & 0x0f
) == 0x01)))))
6467 goto out;
6468 dst6 = (struct sockaddr_in6 *)&ss;
6469 dst6->sin6_family = AF_INET624;
6470 dst6->sin6_len = sizeof(*dst6);
6471 dst6->sin6_addr = addr->v6pfa.v6;
6472 if (ip6_multipath)
6473 check_mpath = 1;
6474 break;
6475#endif /* INET6 */
6476 }
6477
6478 /* Skip checks for ipsec interfaces */
6479 if (kif != NULL((void *)0) && kif->pfik_ifp->if_typeif_data.ifi_type == IFT_ENC0xf4)
6480 goto out;
6481
6482 rt = rtalloc(sstosa(&ss), 0, rtableid);
6483 if (rt != NULL((void *)0)) {
6484 /* No interface given, this is a no-route check */
6485 if (kif == NULL((void *)0))
6486 goto out;
6487
6488 if (kif->pfik_ifp == NULL((void *)0)) {
6489 ret = 0;
6490 goto out;
6491 }
6492
6493 /* Perform uRPF check if passed input interface */
6494 ret = 0;
6495 do {
6496 if (rt->rt_ifidx == kif->pfik_ifp->if_index) {
6497 ret = 1;
6498#if NCARP1 > 0
6499 } else {
6500 struct ifnet *ifp;
6501
6502 ifp = if_get(rt->rt_ifidx);
6503 if (ifp != NULL((void *)0) && ifp->if_typeif_data.ifi_type == IFT_CARP0xf7 &&
6504 ifp->if_carpdevidxif_carp_ptr.carp_idx ==
6505 kif->pfik_ifp->if_index)
6506 ret = 1;
6507 if_put(ifp);
6508#endif /* NCARP */
6509 }
6510
6511 rt = rtable_iterate(rt);
6512 } while (check_mpath == 1 && rt != NULL((void *)0) && ret == 0);
6513 } else
6514 ret = 0;
6515out:
6516 rtfree(rt);
6517 return (ret);
6518}
6519
6520int
6521pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw,
6522 int rtableid)
6523{
6524 struct sockaddr_storage ss;
6525 struct sockaddr_in *dst;
6526#ifdef INET61
6527 struct sockaddr_in6 *dst6;
6528#endif /* INET6 */
6529 struct rtentry *rt;
6530 int ret = 0;
6531
6532 memset(&ss, 0, sizeof(ss))__builtin_memset((&ss), (0), (sizeof(ss)));
6533 switch (af) {
6534 case AF_INET2:
6535 dst = (struct sockaddr_in *)&ss;
6536 dst->sin_family = AF_INET2;
6537 dst->sin_len = sizeof(*dst);
6538 dst->sin_addr = addr->v4pfa.v4;
6539 break;
6540#ifdef INET61
6541 case AF_INET624:
6542 dst6 = (struct sockaddr_in6 *)&ss;
6543 dst6->sin6_family = AF_INET624;
6544 dst6->sin6_len = sizeof(*dst6);
6545 dst6->sin6_addr = addr->v6pfa.v6;
6546 break;
6547#endif /* INET6 */
6548 }
6549
6550 rt = rtalloc(sstosa(&ss), RT_RESOLVE1, rtableid);
6551 if (rt != NULL((void *)0)) {
6552 if (rt->rt_labelid == aw->v.rtlabel)
6553 ret = 1;
6554 rtfree(rt);
6555 }
6556
6557 return (ret);
6558}
6559
6560/* pf_route() may change pd->m, adjust local copies after calling */
6561void
6562pf_route(struct pf_pdesc *pd, struct pf_state *st)
6563{
6564 struct mbuf *m0;
6565 struct mbuf_list ml;
6566 struct sockaddr_in *dst, sin;
6567 struct rtentry *rt = NULL((void *)0);
6568 struct ip *ip;
6569 struct ifnet *ifp = NULL((void *)0);
6570 unsigned int rtableid;
6571
6572 if (pd->m->m_pkthdrM_dat.MH.MH_pkthdr.pf.routed++ > 3) {
6573 m_freem(pd->m);
6574 pd->m = NULL((void *)0);
6575 return;
6576 }
6577
6578 if (st->rt == PF_DUPTO) {
6579 if ((m0 = m_dup_pkt(pd->m, max_linkhdr, M_NOWAIT0x0002)) == NULL((void *)0))
6580 return;
6581 } else {
6582 if ((st->rt == PF_REPLYTO) == (st->direction == pd->dir))
6583 return;
6584 m0 = pd->m;
6585 pd->m = NULL((void *)0);
6586 }
6587
6588 if (m0->m_lenm_hdr.mh_len < sizeof(struct ip)) {
6589 DPFPRINTF(LOG_ERR,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip)", __func__); addlog(
"\n"); } } while (0)
6590 "%s: m0->m_len < sizeof(struct ip)", __func__)do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip)", __func__); addlog(
"\n"); } } while (0);
6591 goto bad;
6592 }
6593
6594 ip = mtod(m0, struct ip *)((struct ip *)((m0)->m_hdr.mh_data));
6595
6596 if (pd->dir == PF_IN) {
6597 if (ip->ip_ttl <= IPTTLDEC1) {
6598 if (st->rt != PF_DUPTO) {
6599 pf_send_icmp(m0, ICMP_TIMXCEED11,
6600 ICMP_TIMXCEED_INTRANS0, 0,
6601 pd->af, st->rule.ptr, pd->rdomain);
6602 }
6603 goto bad;
6604 }
6605 ip->ip_ttl -= IPTTLDEC1;
6606 }
6607
6608 memset(&sin, 0, sizeof(sin))__builtin_memset((&sin), (0), (sizeof(sin)));
6609 dst = &sin;
6610 dst->sin_family = AF_INET2;
6611 dst->sin_len = sizeof(*dst);
6612 dst->sin_addr = st->rt_addr.v4pfa.v4;
6613 rtableid = m0->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid;
6614
6615 rt = rtalloc_mpath(sintosa(dst), &ip->ip_src.s_addr, rtableid);
6616 if (!rtisvalid(rt)) {
6617 if (st->rt != PF_DUPTO) {
6618 pf_send_icmp(m0, ICMP_UNREACH3, ICMP_UNREACH_HOST1,
6619 0, pd->af, st->rule.ptr, pd->rdomain);
6620 }
6621 ipstat_inc(ips_noroute);
6622 goto bad;
6623 }
6624
6625 ifp = if_get(rt->rt_ifidx);
6626 if (ifp == NULL((void *)0))
6627 goto bad;
6628
6629 /* A locally generated packet may have invalid source address. */
6630 if ((ntohl(ip->ip_src.s_addr)(__uint32_t)(__builtin_constant_p(ip->ip_src.s_addr) ? (__uint32_t
)(((__uint32_t)(ip->ip_src.s_addr) & 0xff) << 24
| ((__uint32_t)(ip->ip_src.s_addr) & 0xff00) <<
8 | ((__uint32_t)(ip->ip_src.s_addr) & 0xff0000) >>
8 | ((__uint32_t)(ip->ip_src.s_addr) & 0xff000000) >>
24) : __swap32md(ip->ip_src.s_addr)) >> IN_CLASSA_NSHIFT24) == IN_LOOPBACKNET127 &&
6631 (ifp->if_flags & IFF_LOOPBACK0x8) == 0)
6632 ip->ip_src = ifatoia(rt->rt_ifa)->ia_addr.sin_addr;
6633
6634 if (st->rt != PF_DUPTO && pd->dir == PF_IN) {
6635 if (pf_test(AF_INET2, PF_OUT, ifp, &m0) != PF_PASS)
6636 goto bad;
6637 else if (m0 == NULL((void *)0))
6638 goto done;
6639 if (m0->m_lenm_hdr.mh_len < sizeof(struct ip)) {
6640 DPFPRINTF(LOG_ERR,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip)", __func__); addlog(
"\n"); } } while (0)
6641 "%s: m0->m_len < sizeof(struct ip)", __func__)do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip)", __func__); addlog(
"\n"); } } while (0);
6642 goto bad;
6643 }
6644 ip = mtod(m0, struct ip *)((struct ip *)((m0)->m_hdr.mh_data));
6645 }
6646
6647 if (if_output_tso(ifp, &m0, sintosa(dst), rt, ifp->if_mtuif_data.ifi_mtu) ||
6648 m0 == NULL((void *)0))
6649 goto done;
6650
6651 /*
6652 * Too large for interface; fragment if possible.
6653 * Must be able to put at least 8 bytes per fragment.
6654 */
6655 if (ip->ip_off & htons(IP_DF)(__uint16_t)(__builtin_constant_p(0x4000) ? (__uint16_t)(((__uint16_t
)(0x4000) & 0xffU) << 8 | ((__uint16_t)(0x4000) &
0xff00U) >> 8) : __swap16md(0x4000))) {
6656 ipstat_inc(ips_cantfrag);
6657 if (st->rt != PF_DUPTO)
6658 pf_send_icmp(m0, ICMP_UNREACH3, ICMP_UNREACH_NEEDFRAG4,
6659 ifp->if_mtuif_data.ifi_mtu, pd->af, st->rule.ptr, pd->rdomain);
6660 goto bad;
6661 }
6662
6663 if (ip_fragment(m0, &ml, ifp, ifp->if_mtuif_data.ifi_mtu) ||
6664 if_output_ml(ifp, &ml, sintosa(dst), rt))
6665 goto done;
6666 ipstat_inc(ips_fragmented);
6667
6668done:
6669 if_put(ifp);
6670 rtfree(rt);
6671 return;
6672
6673bad:
6674 m_freem(m0);
6675 goto done;
6676}
6677
6678#ifdef INET61
6679/* pf_route6() may change pd->m, adjust local copies after calling */
6680void
6681pf_route6(struct pf_pdesc *pd, struct pf_state *st)
6682{
6683 struct mbuf *m0;
6684 struct sockaddr_in6 *dst, sin6;
6685 struct rtentry *rt = NULL((void *)0);
6686 struct ip6_hdr *ip6;
6687 struct ifnet *ifp = NULL((void *)0);
6688 struct m_tag *mtag;
6689 unsigned int rtableid;
6690
6691 if (pd->m->m_pkthdrM_dat.MH.MH_pkthdr.pf.routed++ > 3) {
6692 m_freem(pd->m);
6693 pd->m = NULL((void *)0);
6694 return;
6695 }
6696
6697 if (st->rt == PF_DUPTO) {
6698 if ((m0 = m_dup_pkt(pd->m, max_linkhdr, M_NOWAIT0x0002)) == NULL((void *)0))
6699 return;
6700 } else {
6701 if ((st->rt == PF_REPLYTO) == (st->direction == pd->dir))
6702 return;
6703 m0 = pd->m;
6704 pd->m = NULL((void *)0);
6705 }
6706
6707 if (m0->m_lenm_hdr.mh_len < sizeof(struct ip6_hdr)) {
6708 DPFPRINTF(LOG_ERR,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip6_hdr)", __func__); addlog
("\n"); } } while (0)
6709 "%s: m0->m_len < sizeof(struct ip6_hdr)", __func__)do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip6_hdr)", __func__); addlog
("\n"); } } while (0);
6710 goto bad;
6711 }
6712 ip6 = mtod(m0, struct ip6_hdr *)((struct ip6_hdr *)((m0)->m_hdr.mh_data));
6713
6714 if (pd->dir == PF_IN) {
6715 if (ip6->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim <= IPV6_HLIMDEC1) {
6716 if (st->rt != PF_DUPTO) {
6717 pf_send_icmp(m0, ICMP6_TIME_EXCEEDED3,
6718 ICMP6_TIME_EXCEED_TRANSIT0, 0,
6719 pd->af, st->rule.ptr, pd->rdomain);
6720 }
6721 goto bad;
6722 }
6723 ip6->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim -= IPV6_HLIMDEC1;
6724 }
6725
6726 memset(&sin6, 0, sizeof(sin6))__builtin_memset((&sin6), (0), (sizeof(sin6)));
6727 dst = &sin6;
6728 dst->sin6_family = AF_INET624;
6729 dst->sin6_len = sizeof(*dst);
6730 dst->sin6_addr = st->rt_addr.v6pfa.v6;
6731 rtableid = m0->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid;
6732
6733 rt = rtalloc_mpath(sin6tosa(dst), &ip6->ip6_src.s6_addr32__u6_addr.__u6_addr32[0],
6734 rtableid);
6735 if (!rtisvalid(rt)) {
6736 if (st->rt != PF_DUPTO) {
6737 pf_send_icmp(m0, ICMP6_DST_UNREACH1,
6738 ICMP6_DST_UNREACH_NOROUTE0, 0,
6739 pd->af, st->rule.ptr, pd->rdomain);
6740 }
6741 ip6stat_inc(ip6s_noroute);
6742 goto bad;
6743 }
6744
6745 ifp = if_get(rt->rt_ifidx);
6746 if (ifp == NULL((void *)0))
6747 goto bad;
6748
6749 /* A locally generated packet may have invalid source address. */
6750 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src)((*(const u_int32_t *)(const void *)(&(&ip6->ip6_src
)->__u6_addr.__u6_addr8[0]) == 0) && (*(const u_int32_t
*)(const void *)(&(&ip6->ip6_src)->__u6_addr.__u6_addr8
[4]) == 0) && (*(const u_int32_t *)(const void *)(&
(&ip6->ip6_src)->__u6_addr.__u6_addr8[8]) == 0) &&
(*(const u_int32_t *)(const void *)(&(&ip6->ip6_src
)->__u6_addr.__u6_addr8[12]) == (__uint32_t)(__builtin_constant_p
(1) ? (__uint32_t)(((__uint32_t)(1) & 0xff) << 24 |
((__uint32_t)(1) & 0xff00) << 8 | ((__uint32_t)(1)
& 0xff0000) >> 8 | ((__uint32_t)(1) & 0xff000000
) >> 24) : __swap32md(1)))) &&
6751 (ifp->if_flags & IFF_LOOPBACK0x8) == 0)
6752 ip6->ip6_src = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
6753
6754 if (st->rt != PF_DUPTO && pd->dir == PF_IN) {
6755 if (pf_test(AF_INET624, PF_OUT, ifp, &m0) != PF_PASS)
6756 goto bad;
6757 else if (m0 == NULL((void *)0))
6758 goto done;
6759 if (m0->m_lenm_hdr.mh_len < sizeof(struct ip6_hdr)) {
6760 DPFPRINTF(LOG_ERR,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip6_hdr)", __func__); addlog
("\n"); } } while (0)
6761 "%s: m0->m_len < sizeof(struct ip6_hdr)", __func__)do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: m0->m_len < sizeof(struct ip6_hdr)", __func__); addlog
("\n"); } } while (0);
6762 goto bad;
6763 }
6764 }
6765
6766 /*
6767 * If packet has been reassembled by PF earlier, we have to
6768 * use pf_refragment6() here to turn it back to fragments.
6769 */
6770 if ((mtag = m_tag_find(m0, PACKET_TAG_PF_REASSEMBLED0x0800, NULL((void *)0)))) {
6771 (void) pf_refragment6(&m0, mtag, dst, ifp, rt);
6772 goto done;
6773 }
6774
6775 if (if_output_tso(ifp, &m0, sin6tosa(dst), rt, ifp->if_mtuif_data.ifi_mtu) ||
6776 m0 == NULL((void *)0))
6777 goto done;
6778
6779 ip6stat_inc(ip6s_cantfrag);
6780 if (st->rt != PF_DUPTO)
6781 pf_send_icmp(m0, ICMP6_PACKET_TOO_BIG2, 0,
6782 ifp->if_mtuif_data.ifi_mtu, pd->af, st->rule.ptr, pd->rdomain);
6783 goto bad;
6784
6785done:
6786 if_put(ifp);
6787 rtfree(rt);
6788 return;
6789
6790bad:
6791 m_freem(m0);
6792 goto done;
6793}
6794#endif /* INET6 */
6795
6796/*
6797 * check TCP checksum and set mbuf flag
6798 * off is the offset where the protocol header starts
6799 * len is the total length of protocol header plus payload
6800 * returns 0 when the checksum is valid, otherwise returns 1.
6801 * if the _OUT flag is set the checksum isn't done yet, consider these ok
6802 */
6803int
6804pf_check_tcp_cksum(struct mbuf *m, int off, int len, sa_family_t af)
6805{
6806 u_int16_t sum;
6807
6808 if (m->m_pkthdrM_dat.MH.MH_pkthdr.csum_flags &
6809 (M_TCP_CSUM_IN_OK0x0020 | M_TCP_CSUM_OUT0x0002)) {
6810 return (0);
6811 }
6812 if (m->m_pkthdrM_dat.MH.MH_pkthdr.csum_flags & M_TCP_CSUM_IN_BAD0x0040 ||
6813 off < sizeof(struct ip) ||
6814 m->m_pkthdrM_dat.MH.MH_pkthdr.len < off + len) {
6815 return (1);
6816 }
6817
6818 /* need to do it in software */
6819 tcpstat_inc(tcps_inswcsum);
6820
6821 switch (af) {
6822 case AF_INET2:
6823 if (m->m_lenm_hdr.mh_len < sizeof(struct ip))
6824 return (1);
6825
6826 sum = in4_cksum(m, IPPROTO_TCP6, off, len);
6827 break;
6828#ifdef INET61
6829 case AF_INET624:
6830 if (m->m_lenm_hdr.mh_len < sizeof(struct ip6_hdr))
6831 return (1);
6832
6833 sum = in6_cksum(m, IPPROTO_TCP6, off, len);
6834 break;
6835#endif /* INET6 */
6836 default:
6837 unhandled_af(af);
6838 }
6839 if (sum) {
6840 tcpstat_inc(tcps_rcvbadsum);
6841 m->m_pkthdrM_dat.MH.MH_pkthdr.csum_flags |= M_TCP_CSUM_IN_BAD0x0040;
6842 return (1);
6843 }
6844
6845 m->m_pkthdrM_dat.MH.MH_pkthdr.csum_flags |= M_TCP_CSUM_IN_OK0x0020;
6846 return (0);
6847}
6848
6849struct pf_divert *
6850pf_find_divert(struct mbuf *m)
6851{
6852 struct m_tag *mtag;
6853
6854 if ((mtag = m_tag_find(m, PACKET_TAG_PF_DIVERT0x0200, NULL((void *)0))) == NULL((void *)0))
6855 return (NULL((void *)0));
6856
6857 return ((struct pf_divert *)(mtag + 1));
6858}
6859
6860struct pf_divert *
6861pf_get_divert(struct mbuf *m)
6862{
6863 struct m_tag *mtag;
6864
6865 if ((mtag = m_tag_find(m, PACKET_TAG_PF_DIVERT0x0200, NULL((void *)0))) == NULL((void *)0)) {
6866 mtag = m_tag_get(PACKET_TAG_PF_DIVERT0x0200, sizeof(struct pf_divert),
6867 M_NOWAIT0x0002);
6868 if (mtag == NULL((void *)0))
6869 return (NULL((void *)0));
6870 memset(mtag + 1, 0, sizeof(struct pf_divert))__builtin_memset((mtag + 1), (0), (sizeof(struct pf_divert)));
6871 m_tag_prepend(m, mtag);
6872 }
6873
6874 return ((struct pf_divert *)(mtag + 1));
6875}
6876
6877int
6878pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end,
6879 u_short *reason)
6880{
6881 uint8_t type, length, opts[15 * 4 - sizeof(struct ip)];
6882
6883 /* IP header in payload of ICMP packet may be too short */
6884 if (pd->m->m_pkthdrM_dat.MH.MH_pkthdr.len < end) {
6885 DPFPRINTF(LOG_NOTICE, "IP option too short")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IP option too short"); addlog("\n"); } } while (0);
6886 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
6887 return (PF_DROP);
6888 }
6889
6890 KASSERT(end - off <= sizeof(opts))((end - off <= sizeof(opts)) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 6890, "end - off <= sizeof(opts)"
));
6891 m_copydata(pd->m, off, end - off, opts);
6892 end -= off;
6893 off = 0;
6894
6895 while (off < end) {
6896 type = opts[off];
6897 if (type == IPOPT_EOL0)
6898 break;
6899 if (type == IPOPT_NOP1) {
6900 off++;
6901 continue;
6902 }
6903 if (off + 2 > end) {
6904 DPFPRINTF(LOG_NOTICE, "IP length opt")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IP length opt"); addlog("\n"); } } while (0);
6905 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
6906 return (PF_DROP);
6907 }
6908 length = opts[off + 1];
6909 if (length < 2) {
6910 DPFPRINTF(LOG_NOTICE, "IP short opt")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IP short opt"); addlog("\n"); } } while (0);
6911 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
6912 return (PF_DROP);
6913 }
6914 if (off + length > end) {
6915 DPFPRINTF(LOG_NOTICE, "IP long opt")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IP long opt"); addlog("\n"); } } while (0);
6916 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
6917 return (PF_DROP);
6918 }
6919 switch (type) {
6920 case IPOPT_RA148:
6921 SET(pd->badopts, PF_OPT_ROUTER_ALERT)((pd->badopts) |= (0x0004));
6922 break;
6923 default:
6924 SET(pd->badopts, PF_OPT_OTHER)((pd->badopts) |= (0x0001));
6925 break;
6926 }
6927 off += length;
6928 }
6929
6930 return (PF_PASS);
6931}
6932
6933int
6934pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
6935{
6936 struct ip6_ext ext;
6937 u_int32_t hlen, end;
6938 int hdr_cnt;
6939
6940 hlen = h->ip_hl << 2;
6941 if (hlen < sizeof(struct ip) || hlen > ntohs(h->ip_len)(__uint16_t)(__builtin_constant_p(h->ip_len) ? (__uint16_t
)(((__uint16_t)(h->ip_len) & 0xffU) << 8 | ((__uint16_t
)(h->ip_len) & 0xff00U) >> 8) : __swap16md(h->
ip_len))) {
6942 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
6943 return (PF_DROP);
6944 }
6945 if (hlen != sizeof(struct ip)) {
6946 if (pf_walk_option(pd, h, pd->off + sizeof(struct ip),
6947 pd->off + hlen, reason) != PF_PASS)
6948 return (PF_DROP);
6949 /* header options which contain only padding is fishy */
6950 if (pd->badopts == 0)
6951 SET(pd->badopts, PF_OPT_OTHER)((pd->badopts) |= (0x0001));
6952 }
6953 end = pd->off + ntohs(h->ip_len)(__uint16_t)(__builtin_constant_p(h->ip_len) ? (__uint16_t
)(((__uint16_t)(h->ip_len) & 0xffU) << 8 | ((__uint16_t
)(h->ip_len) & 0xff00U) >> 8) : __swap16md(h->
ip_len));
6954 pd->off += hlen;
6955 pd->proto = h->ip_p;
6956 /* IGMP packets have router alert options, allow them */
6957 if (pd->proto == IPPROTO_IGMP2) {
6958 /*
6959 * According to RFC 1112 ttl must be set to 1 in all IGMP
6960 * packets sent to 224.0.0.1
6961 */
6962 if ((h->ip_ttl != 1) &&
6963 (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP((u_int32_t) (__uint32_t)(__builtin_constant_p((u_int32_t)(0xe0000001
)) ? (__uint32_t)(((__uint32_t)((u_int32_t)(0xe0000001)) &
0xff) << 24 | ((__uint32_t)((u_int32_t)(0xe0000001)) &
0xff00) << 8 | ((__uint32_t)((u_int32_t)(0xe0000001)) &
0xff0000) >> 8 | ((__uint32_t)((u_int32_t)(0xe0000001)
) & 0xff000000) >> 24) : __swap32md((u_int32_t)(0xe0000001
)))))) {
6964 DPFPRINTF(LOG_NOTICE, "Invalid IGMP")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"Invalid IGMP"); addlog("\n"); } } while (0);
6965 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
6966 return (PF_DROP);
6967 }
6968 CLR(pd->badopts, PF_OPT_ROUTER_ALERT)((pd->badopts) &= ~(0x0004));
6969 }
6970 /* stop walking over non initial fragments */
6971 if ((h->ip_off & htons(IP_OFFMASK)(__uint16_t)(__builtin_constant_p(0x1fff) ? (__uint16_t)(((__uint16_t
)(0x1fff) & 0xffU) << 8 | ((__uint16_t)(0x1fff) &
0xff00U) >> 8) : __swap16md(0x1fff))) != 0)
6972 return (PF_PASS);
6973
6974 for (hdr_cnt = 0; hdr_cnt < pf_hdr_limit; hdr_cnt++) {
6975 switch (pd->proto) {
6976 case IPPROTO_AH51:
6977 /* fragments may be short */
6978 if ((h->ip_off & htons(IP_MF | IP_OFFMASK)(__uint16_t)(__builtin_constant_p(0x2000 | 0x1fff) ? (__uint16_t
)(((__uint16_t)(0x2000 | 0x1fff) & 0xffU) << 8 | ((
__uint16_t)(0x2000 | 0x1fff) & 0xff00U) >> 8) : __swap16md
(0x2000 | 0x1fff))) != 0 &&
6979 end < pd->off + sizeof(ext))
6980 return (PF_PASS);
6981 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
6982 reason, AF_INET2)) {
6983 DPFPRINTF(LOG_NOTICE, "IP short exthdr")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IP short exthdr"); addlog("\n"); } } while (0);
6984 return (PF_DROP);
6985 }
6986 pd->off += (ext.ip6e_len + 2) * 4;
6987 pd->proto = ext.ip6e_nxt;
6988 break;
6989 default:
6990 return (PF_PASS);
6991 }
6992 }
6993 DPFPRINTF(LOG_NOTICE, "IPv4 nested authentication header limit")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv4 nested authentication header limit"); addlog("\n"); } }
while (0);
6994 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
6995 return (PF_DROP);
6996}
6997
6998#ifdef INET61
6999int
7000pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h, int off, int end,
7001 u_short *reason)
7002{
7003 struct ip6_opt opt;
7004 struct ip6_opt_jumbo jumbo;
7005
7006 while (off < end) {
7007 if (!pf_pull_hdr(pd->m, off, &opt.ip6o_type,
7008 sizeof(opt.ip6o_type), reason, AF_INET624)) {
7009 DPFPRINTF(LOG_NOTICE, "IPv6 short opt type")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short opt type"); addlog("\n"); } } while (0);
7010 return (PF_DROP);
7011 }
7012 if (opt.ip6o_type == IP6OPT_PAD10x00) {
7013 off++;
7014 continue;
7015 }
7016 if (!pf_pull_hdr(pd->m, off, &opt, sizeof(opt),
7017 reason, AF_INET624)) {
7018 DPFPRINTF(LOG_NOTICE, "IPv6 short opt")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short opt"); addlog("\n"); } } while (0);
7019 return (PF_DROP);
7020 }
7021 if (off + sizeof(opt) + opt.ip6o_len > end) {
7022 DPFPRINTF(LOG_NOTICE, "IPv6 long opt")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 long opt"); addlog("\n"); } } while (0);
7023 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7024 return (PF_DROP);
7025 }
7026 switch (opt.ip6o_type) {
7027 case IP6OPT_PADN0x01:
7028 break;
7029 case IP6OPT_JUMBO0xC2:
7030 SET(pd->badopts, PF_OPT_JUMBO)((pd->badopts) |= (0x0002));
7031 if (pd->jumbolen != 0) {
7032 DPFPRINTF(LOG_NOTICE, "IPv6 multiple jumbo")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 multiple jumbo"); addlog("\n"); } } while (0);
7033 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7034 return (PF_DROP);
7035 }
7036 if (ntohs(h->ip6_plen)(__uint16_t)(__builtin_constant_p(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) ? (__uint16_t)(((__uint16_t)(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) & 0xffU) << 8 | ((__uint16_t)(h->ip6_ctlun.ip6_un1
.ip6_un1_plen) & 0xff00U) >> 8) : __swap16md(h->
ip6_ctlun.ip6_un1.ip6_un1_plen)) != 0) {
7037 DPFPRINTF(LOG_NOTICE, "IPv6 bad jumbo plen")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 bad jumbo plen"); addlog("\n"); } } while (0);
7038 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7039 return (PF_DROP);
7040 }
7041 if (!pf_pull_hdr(pd->m, off, &jumbo, sizeof(jumbo),
7042 reason, AF_INET624)) {
7043 DPFPRINTF(LOG_NOTICE, "IPv6 short jumbo")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short jumbo"); addlog("\n"); } } while (0);
7044 return (PF_DROP);
7045 }
7046 memcpy(&pd->jumbolen, jumbo.ip6oj_jumbo_len,__builtin_memcpy((&pd->jumbolen), (jumbo.ip6oj_jumbo_len
), (sizeof(pd->jumbolen)))
7047 sizeof(pd->jumbolen))__builtin_memcpy((&pd->jumbolen), (jumbo.ip6oj_jumbo_len
), (sizeof(pd->jumbolen)));
7048 pd->jumbolen = ntohl(pd->jumbolen)(__uint32_t)(__builtin_constant_p(pd->jumbolen) ? (__uint32_t
)(((__uint32_t)(pd->jumbolen) & 0xff) << 24 | ((
__uint32_t)(pd->jumbolen) & 0xff00) << 8 | ((__uint32_t
)(pd->jumbolen) & 0xff0000) >> 8 | ((__uint32_t)
(pd->jumbolen) & 0xff000000) >> 24) : __swap32md
(pd->jumbolen));
7049 if (pd->jumbolen < IPV6_MAXPACKET65535) {
7050 DPFPRINTF(LOG_NOTICE, "IPv6 short jumbolen")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short jumbolen"); addlog("\n"); } } while (0);
7051 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7052 return (PF_DROP);
7053 }
7054 break;
7055 case IP6OPT_ROUTER_ALERT0x05:
7056 SET(pd->badopts, PF_OPT_ROUTER_ALERT)((pd->badopts) |= (0x0004));
7057 break;
7058 default:
7059 SET(pd->badopts, PF_OPT_OTHER)((pd->badopts) |= (0x0001));
7060 break;
7061 }
7062 off += sizeof(opt) + opt.ip6o_len;
7063 }
7064
7065 return (PF_PASS);
7066}
7067
7068int
7069pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
7070{
7071 struct ip6_frag frag;
7072 struct ip6_ext ext;
7073 struct icmp6_hdr icmp6;
7074 struct ip6_rthdr rthdr;
7075 u_int32_t end;
7076 int hdr_cnt, fraghdr_cnt = 0, rthdr_cnt = 0;
7077
7078 pd->off += sizeof(struct ip6_hdr);
7079 end = pd->off + ntohs(h->ip6_plen)(__uint16_t)(__builtin_constant_p(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) ? (__uint16_t)(((__uint16_t)(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) & 0xffU) << 8 | ((__uint16_t)(h->ip6_ctlun.ip6_un1
.ip6_un1_plen) & 0xff00U) >> 8) : __swap16md(h->
ip6_ctlun.ip6_un1.ip6_un1_plen));
7080 pd->fragoff = pd->extoff = pd->jumbolen = 0;
7081 pd->proto = h->ip6_nxtip6_ctlun.ip6_un1.ip6_un1_nxt;
7082
7083 for (hdr_cnt = 0; hdr_cnt < pf_hdr_limit; hdr_cnt++) {
7084 switch (pd->proto) {
7085 case IPPROTO_ROUTING43:
7086 case IPPROTO_DSTOPTS60:
7087 SET(pd->badopts, PF_OPT_OTHER)((pd->badopts) |= (0x0001));
7088 break;
7089 case IPPROTO_HOPOPTS0:
7090 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
7091 reason, AF_INET624)) {
7092 DPFPRINTF(LOG_NOTICE, "IPv6 short exthdr")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short exthdr"); addlog("\n"); } } while (0);
7093 return (PF_DROP);
7094 }
7095 if (pf_walk_option6(pd, h, pd->off + sizeof(ext),
7096 pd->off + (ext.ip6e_len + 1) * 8, reason)
7097 != PF_PASS)
7098 return (PF_DROP);
7099 /* option header which contains only padding is fishy */
7100 if (pd->badopts == 0)
7101 SET(pd->badopts, PF_OPT_OTHER)((pd->badopts) |= (0x0001));
7102 break;
7103 }
7104 switch (pd->proto) {
7105 case IPPROTO_FRAGMENT44:
7106 if (fraghdr_cnt++) {
7107 DPFPRINTF(LOG_NOTICE, "IPv6 multiple fragment")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 multiple fragment"); addlog("\n"); } } while (0);
7108 REASON_SET(reason, PFRES_FRAG)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (2); if
(2 < 17) pf_status.counters[2]++; } } while (0);
7109 return (PF_DROP);
7110 }
7111 /* jumbo payload packets cannot be fragmented */
7112 if (pd->jumbolen != 0) {
7113 DPFPRINTF(LOG_NOTICE, "IPv6 fragmented jumbo")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 fragmented jumbo"); addlog("\n"); } } while (0);
7114 REASON_SET(reason, PFRES_FRAG)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (2); if
(2 < 17) pf_status.counters[2]++; } } while (0);
7115 return (PF_DROP);
7116 }
7117 if (!pf_pull_hdr(pd->m, pd->off, &frag, sizeof(frag),
7118 reason, AF_INET624)) {
7119 DPFPRINTF(LOG_NOTICE, "IPv6 short fragment")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short fragment"); addlog("\n"); } } while (0);
7120 return (PF_DROP);
7121 }
7122 /* stop walking over non initial fragments */
7123 if (ntohs((frag.ip6f_offlg & IP6F_OFF_MASK))(__uint16_t)(__builtin_constant_p((frag.ip6f_offlg & 0xf8ff
)) ? (__uint16_t)(((__uint16_t)((frag.ip6f_offlg & 0xf8ff
)) & 0xffU) << 8 | ((__uint16_t)((frag.ip6f_offlg &
0xf8ff)) & 0xff00U) >> 8) : __swap16md((frag.ip6f_offlg
& 0xf8ff))) != 0) {
7124 pd->fragoff = pd->off;
7125 return (PF_PASS);
7126 }
7127 /* RFC6946: reassemble only non atomic fragments */
7128 if (frag.ip6f_offlg & IP6F_MORE_FRAG0x0100)
7129 pd->fragoff = pd->off;
7130 pd->off += sizeof(frag);
7131 pd->proto = frag.ip6f_nxt;
7132 break;
7133 case IPPROTO_ROUTING43:
7134 if (rthdr_cnt++) {
7135 DPFPRINTF(LOG_NOTICE, "IPv6 multiple rthdr")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 multiple rthdr"); addlog("\n"); } } while (0);
7136 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7137 return (PF_DROP);
7138 }
7139 /* fragments may be short */
7140 if (pd->fragoff != 0 && end < pd->off + sizeof(rthdr)) {
7141 pd->off = pd->fragoff;
7142 pd->proto = IPPROTO_FRAGMENT44;
7143 return (PF_PASS);
7144 }
7145 if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr),
7146 reason, AF_INET624)) {
7147 DPFPRINTF(LOG_NOTICE, "IPv6 short rthdr")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short rthdr"); addlog("\n"); } } while (0);
7148 return (PF_DROP);
7149 }
7150 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_00) {
7151 DPFPRINTF(LOG_NOTICE, "IPv6 rthdr0")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 rthdr0"); addlog("\n"); } } while (0);
7152 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7153 return (PF_DROP);
7154 }
7155 /* FALLTHROUGH */
7156 case IPPROTO_HOPOPTS0:
7157 /* RFC2460 4.1: Hop-by-Hop only after IPv6 header */
7158 if (pd->proto == IPPROTO_HOPOPTS0 && hdr_cnt > 0) {
7159 DPFPRINTF(LOG_NOTICE, "IPv6 hopopts not first")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 hopopts not first"); addlog("\n"); } } while (0);
7160 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7161 return (PF_DROP);
7162 }
7163 /* FALLTHROUGH */
7164 case IPPROTO_AH51:
7165 case IPPROTO_DSTOPTS60:
7166 /* fragments may be short */
7167 if (pd->fragoff != 0 && end < pd->off + sizeof(ext)) {
7168 pd->off = pd->fragoff;
7169 pd->proto = IPPROTO_FRAGMENT44;
7170 return (PF_PASS);
7171 }
7172 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext),
7173 reason, AF_INET624)) {
7174 DPFPRINTF(LOG_NOTICE, "IPv6 short exthdr")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short exthdr"); addlog("\n"); } } while (0);
7175 return (PF_DROP);
7176 }
7177 /* reassembly needs the ext header before the frag */
7178 if (pd->fragoff == 0)
7179 pd->extoff = pd->off;
7180 if (pd->proto == IPPROTO_HOPOPTS0 && pd->fragoff == 0 &&
7181 ntohs(h->ip6_plen)(__uint16_t)(__builtin_constant_p(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) ? (__uint16_t)(((__uint16_t)(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) & 0xffU) << 8 | ((__uint16_t)(h->ip6_ctlun.ip6_un1
.ip6_un1_plen) & 0xff00U) >> 8) : __swap16md(h->
ip6_ctlun.ip6_un1.ip6_un1_plen)) == 0 && pd->jumbolen != 0) {
7182 DPFPRINTF(LOG_NOTICE, "IPv6 missing jumbo")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 missing jumbo"); addlog("\n"); } } while (0);
7183 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7184 return (PF_DROP);
7185 }
7186 if (pd->proto == IPPROTO_AH51)
7187 pd->off += (ext.ip6e_len + 2) * 4;
7188 else
7189 pd->off += (ext.ip6e_len + 1) * 8;
7190 pd->proto = ext.ip6e_nxt;
7191 break;
7192 case IPPROTO_ICMPV658:
7193 /* fragments may be short, ignore inner header then */
7194 if (pd->fragoff != 0 && end < pd->off + sizeof(icmp6)) {
7195 pd->off = pd->fragoff;
7196 pd->proto = IPPROTO_FRAGMENT44;
7197 return (PF_PASS);
7198 }
7199 if (!pf_pull_hdr(pd->m, pd->off, &icmp6, sizeof(icmp6),
7200 reason, AF_INET624)) {
7201 DPFPRINTF(LOG_NOTICE, "IPv6 short icmp6hdr")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 short icmp6hdr"); addlog("\n"); } } while (0);
7202 return (PF_DROP);
7203 }
7204 /* ICMP multicast packets have router alert options */
7205 switch (icmp6.icmp6_type) {
7206 case MLD_LISTENER_QUERY130:
7207 case MLD_LISTENER_REPORT131:
7208 case MLD_LISTENER_DONE132:
7209 case MLDV2_LISTENER_REPORT143:
7210 /*
7211 * According to RFC 2710 all MLD messages are
7212 * sent with hop-limit (ttl) set to 1, and link
7213 * local source address. If either one is
7214 * missing then MLD message is invalid and
7215 * should be discarded.
7216 */
7217 if ((h->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim != 1) ||
7218 !IN6_IS_ADDR_LINKLOCAL(&h->ip6_src)(((&h->ip6_src)->__u6_addr.__u6_addr8[0] == 0xfe) &&
(((&h->ip6_src)->__u6_addr.__u6_addr8[1] & 0xc0
) == 0x80))) {
7219 DPFPRINTF(LOG_NOTICE, "Invalid MLD")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"Invalid MLD"); addlog("\n"); } } while (0);
7220 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7221 return (PF_DROP);
7222 }
7223 CLR(pd->badopts, PF_OPT_ROUTER_ALERT)((pd->badopts) &= ~(0x0004));
7224 break;
7225 }
7226 return (PF_PASS);
7227 case IPPROTO_TCP6:
7228 case IPPROTO_UDP17:
7229 /* fragments may be short, ignore inner header then */
7230 if (pd->fragoff != 0 && end < pd->off +
7231 (pd->proto == IPPROTO_TCP6 ? sizeof(struct tcphdr) :
7232 pd->proto == IPPROTO_UDP17 ? sizeof(struct udphdr) :
7233 sizeof(struct icmp6_hdr))) {
7234 pd->off = pd->fragoff;
7235 pd->proto = IPPROTO_FRAGMENT44;
7236 }
7237 /* FALLTHROUGH */
7238 default:
7239 return (PF_PASS);
7240 }
7241 }
7242 DPFPRINTF(LOG_NOTICE, "IPv6 nested extension header limit")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"IPv6 nested extension header limit"); addlog("\n"); } } while
(0);
7243 REASON_SET(reason, PFRES_IPOPTIONS)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (8); if
(8 < 17) pf_status.counters[8]++; } } while (0);
7244 return (PF_DROP);
7245}
7246#endif /* INET6 */
7247
7248u_int16_t
7249pf_pkt_hash(sa_family_t af, uint8_t proto,
7250 const struct pf_addr *src, const struct pf_addr *dst,
7251 uint16_t sport, uint16_t dport)
7252{
7253 uint32_t hash;
7254
7255 hash = src->addr32pfa.addr32[0] ^ dst->addr32pfa.addr32[0];
7256#ifdef INET61
7257 if (af == AF_INET624) {
7258 hash ^= src->addr32pfa.addr32[1] ^ dst->addr32pfa.addr32[1];
7259 hash ^= src->addr32pfa.addr32[2] ^ dst->addr32pfa.addr32[2];
7260 hash ^= src->addr32pfa.addr32[3] ^ dst->addr32pfa.addr32[3];
7261 }
7262#endif
7263
7264 switch (proto) {
7265 case IPPROTO_TCP6:
7266 case IPPROTO_UDP17:
7267 hash ^= sport ^ dport;
7268 break;
7269 }
7270
7271 return stoeplitz_n32(hash)stoeplitz_hash_n32(stoeplitz_cache, (hash));
7272}
7273
7274int
7275pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
7276 struct pfi_kif *kif, struct mbuf *m, u_short *reason)
7277{
7278 memset(pd, 0, sizeof(*pd))__builtin_memset((pd), (0), (sizeof(*pd)));
7279 pd->dir = dir;
7280 pd->kif = kif; /* kif is NULL when called by pflog */
7281 pd->m = m;
7282 pd->sidx = (dir == PF_IN) ? 0 : 1;
7283 pd->didx = (dir == PF_IN) ? 1 : 0;
7284 pd->af = pd->naf = af;
7285 pd->rdomain = rtable_l2(pd->m->m_pkthdrM_dat.MH.MH_pkthdr.ph_rtableid);
7286
7287 switch (pd->af) {
7288 case AF_INET2: {
7289 struct ip *h;
7290
7291 /* Check for illegal packets */
7292 if (pd->m->m_pkthdrM_dat.MH.MH_pkthdr.len < (int)sizeof(struct ip)) {
7293 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7294 return (PF_DROP);
7295 }
7296
7297 h = mtod(pd->m, struct ip *)((struct ip *)((pd->m)->m_hdr.mh_data));
7298 if (pd->m->m_pkthdrM_dat.MH.MH_pkthdr.len < ntohs(h->ip_len)(__uint16_t)(__builtin_constant_p(h->ip_len) ? (__uint16_t
)(((__uint16_t)(h->ip_len) & 0xffU) << 8 | ((__uint16_t
)(h->ip_len) & 0xff00U) >> 8) : __swap16md(h->
ip_len))) {
7299 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7300 return (PF_DROP);
7301 }
7302
7303 if (pf_walk_header(pd, h, reason) != PF_PASS)
7304 return (PF_DROP);
7305
7306 pd->src = (struct pf_addr *)&h->ip_src;
7307 pd->dst = (struct pf_addr *)&h->ip_dst;
7308 pd->tot_len = ntohs(h->ip_len)(__uint16_t)(__builtin_constant_p(h->ip_len) ? (__uint16_t
)(((__uint16_t)(h->ip_len) & 0xffU) << 8 | ((__uint16_t
)(h->ip_len) & 0xff00U) >> 8) : __swap16md(h->
ip_len));
7309 pd->tos = h->ip_tos & ~IPTOS_ECN_MASK0x03;
7310 pd->ttl = h->ip_ttl;
7311 pd->virtual_proto = (h->ip_off & htons(IP_MF | IP_OFFMASK)(__uint16_t)(__builtin_constant_p(0x2000 | 0x1fff) ? (__uint16_t
)(((__uint16_t)(0x2000 | 0x1fff) & 0xffU) << 8 | ((
__uint16_t)(0x2000 | 0x1fff) & 0xff00U) >> 8) : __swap16md
(0x2000 | 0x1fff))) ?
7312 PF_VPROTO_FRAGMENT256 : pd->proto;
7313
7314 break;
7315 }
7316#ifdef INET61
7317 case AF_INET624: {
7318 struct ip6_hdr *h;
7319
7320 /* Check for illegal packets */
7321 if (pd->m->m_pkthdrM_dat.MH.MH_pkthdr.len < (int)sizeof(struct ip6_hdr)) {
7322 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7323 return (PF_DROP);
7324 }
7325
7326 h = mtod(pd->m, struct ip6_hdr *)((struct ip6_hdr *)((pd->m)->m_hdr.mh_data));
7327 if (pd->m->m_pkthdrM_dat.MH.MH_pkthdr.len <
7328 sizeof(struct ip6_hdr) + ntohs(h->ip6_plen)(__uint16_t)(__builtin_constant_p(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) ? (__uint16_t)(((__uint16_t)(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) & 0xffU) << 8 | ((__uint16_t)(h->ip6_ctlun.ip6_un1
.ip6_un1_plen) & 0xff00U) >> 8) : __swap16md(h->
ip6_ctlun.ip6_un1.ip6_un1_plen))) {
7329 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7330 return (PF_DROP);
7331 }
7332
7333 if (pf_walk_header6(pd, h, reason) != PF_PASS)
7334 return (PF_DROP);
7335
7336#if 1
7337 /*
7338 * we do not support jumbogram yet. if we keep going, zero
7339 * ip6_plen will do something bad, so drop the packet for now.
7340 */
7341 if (pd->jumbolen != 0) {
7342 REASON_SET(reason, PFRES_NORM)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (4); if
(4 < 17) pf_status.counters[4]++; } } while (0);
7343 return (PF_DROP);
7344 }
7345#endif /* 1 */
7346
7347 pd->src = (struct pf_addr *)&h->ip6_src;
7348 pd->dst = (struct pf_addr *)&h->ip6_dst;
7349 pd->tot_len = ntohs(h->ip6_plen)(__uint16_t)(__builtin_constant_p(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) ? (__uint16_t)(((__uint16_t)(h->ip6_ctlun.ip6_un1.ip6_un1_plen
) & 0xffU) << 8 | ((__uint16_t)(h->ip6_ctlun.ip6_un1
.ip6_un1_plen) & 0xff00U) >> 8) : __swap16md(h->
ip6_ctlun.ip6_un1.ip6_un1_plen)) + sizeof(struct ip6_hdr);
7350 pd->tos = (ntohl(h->ip6_flow)(__uint32_t)(__builtin_constant_p(h->ip6_ctlun.ip6_un1.ip6_un1_flow
) ? (__uint32_t)(((__uint32_t)(h->ip6_ctlun.ip6_un1.ip6_un1_flow
) & 0xff) << 24 | ((__uint32_t)(h->ip6_ctlun.ip6_un1
.ip6_un1_flow) & 0xff00) << 8 | ((__uint32_t)(h->
ip6_ctlun.ip6_un1.ip6_un1_flow) & 0xff0000) >> 8 | (
(__uint32_t)(h->ip6_ctlun.ip6_un1.ip6_un1_flow) & 0xff000000
) >> 24) : __swap32md(h->ip6_ctlun.ip6_un1.ip6_un1_flow
)) & 0x0fc00000) >> 20;
7351 pd->ttl = h->ip6_hlimip6_ctlun.ip6_un1.ip6_un1_hlim;
7352 pd->virtual_proto = (pd->fragoff != 0) ?
7353 PF_VPROTO_FRAGMENT256 : pd->proto;
7354
7355 break;
7356 }
7357#endif /* INET6 */
7358 default:
7359 panic("pf_setup_pdesc called with illegal af %u", pd->af);
7360
7361 }
7362
7363 pf_addrcpy(&pd->nsaddr, pd->src, pd->af);
7364 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af);
7365
7366 switch (pd->virtual_proto) {
7367 case IPPROTO_TCP6: {
7368 struct tcphdr *th = &pd->hdr.tcp;
7369
7370 if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th),
7371 reason, pd->af))
7372 return (PF_DROP);
7373 pd->hdrlen = sizeof(*th);
7374 if (th->th_dport == 0 ||
7375 pd->off + (th->th_off << 2) > pd->tot_len ||
7376 (th->th_off << 2) < sizeof(struct tcphdr)) {
7377 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7378 return (PF_DROP);
7379 }
7380 pd->p_len = pd->tot_len - pd->off - (th->th_off << 2);
7381 pd->sport = &th->th_sport;
7382 pd->dport = &th->th_dport;
7383 pd->pcksum = &th->th_sum;
7384 break;
7385 }
7386 case IPPROTO_UDP17: {
7387 struct udphdr *uh = &pd->hdr.udp;
7388
7389 if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh),
7390 reason, pd->af))
7391 return (PF_DROP);
7392 pd->hdrlen = sizeof(*uh);
7393 if (uh->uh_dport == 0 ||
7394 pd->off + ntohs(uh->uh_ulen)(__uint16_t)(__builtin_constant_p(uh->uh_ulen) ? (__uint16_t
)(((__uint16_t)(uh->uh_ulen) & 0xffU) << 8 | ((__uint16_t
)(uh->uh_ulen) & 0xff00U) >> 8) : __swap16md(uh->
uh_ulen)) > pd->tot_len ||
7395 ntohs(uh->uh_ulen)(__uint16_t)(__builtin_constant_p(uh->uh_ulen) ? (__uint16_t
)(((__uint16_t)(uh->uh_ulen) & 0xffU) << 8 | ((__uint16_t
)(uh->uh_ulen) & 0xff00U) >> 8) : __swap16md(uh->
uh_ulen)) < sizeof(struct udphdr)) {
7396 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7397 return (PF_DROP);
7398 }
7399 pd->sport = &uh->uh_sport;
7400 pd->dport = &uh->uh_dport;
7401 pd->pcksum = &uh->uh_sum;
7402 break;
7403 }
7404 case IPPROTO_ICMP1: {
7405 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN8,
7406 reason, pd->af))
7407 return (PF_DROP);
7408 pd->hdrlen = ICMP_MINLEN8;
7409 if (pd->off + pd->hdrlen > pd->tot_len) {
7410 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7411 return (PF_DROP);
7412 }
7413 pd->pcksum = &pd->hdr.icmp.icmp_cksum;
7414 break;
7415 }
7416#ifdef INET61
7417 case IPPROTO_ICMPV658: {
7418 size_t icmp_hlen = sizeof(struct icmp6_hdr);
7419
7420 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
7421 reason, pd->af))
7422 return (PF_DROP);
7423 /* ICMP headers we look further into to match state */
7424 switch (pd->hdr.icmp6.icmp6_type) {
7425 case MLD_LISTENER_QUERY130:
7426 case MLD_LISTENER_REPORT131:
7427 icmp_hlen = sizeof(struct mld_hdr);
7428 break;
7429 case ND_NEIGHBOR_SOLICIT135:
7430 case ND_NEIGHBOR_ADVERT136:
7431 icmp_hlen = sizeof(struct nd_neighbor_solicit);
7432 /* FALLTHROUGH */
7433 case ND_ROUTER_SOLICIT133:
7434 case ND_ROUTER_ADVERT134:
7435 case ND_REDIRECT137:
7436 if (pd->ttl != 255) {
7437 REASON_SET(reason, PFRES_NORM)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (4); if
(4 < 17) pf_status.counters[4]++; } } while (0);
7438 return (PF_DROP);
7439 }
7440 break;
7441 }
7442 if (icmp_hlen > sizeof(struct icmp6_hdr) &&
7443 !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
7444 reason, pd->af))
7445 return (PF_DROP);
7446 pd->hdrlen = icmp_hlen;
7447 if (pd->off + pd->hdrlen > pd->tot_len) {
7448 REASON_SET(reason, PFRES_SHORT)do { if ((void *)(reason) != ((void *)0)) { *(reason) = (3); if
(3 < 17) pf_status.counters[3]++; } } while (0);
7449 return (PF_DROP);
7450 }
7451 pd->pcksum = &pd->hdr.icmp6.icmp6_cksum;
7452 break;
7453 }
7454#endif /* INET6 */
7455 }
7456
7457 if (pd->sport)
7458 pd->osport = pd->nsport = *pd->sport;
7459 if (pd->dport)
7460 pd->odport = pd->ndport = *pd->dport;
7461
7462 pd->hash = pf_pkt_hash(pd->af, pd->proto,
7463 pd->src, pd->dst, pd->osport, pd->odport);
7464
7465 return (PF_PASS);
7466}
7467
7468void
7469pf_counters_inc(int action, struct pf_pdesc *pd, struct pf_state *st,
7470 struct pf_rule *r, struct pf_rule *a)
7471{
7472 int dirndx;
7473 pd->kif->pfik_bytes[pd->af == AF_INET624][pd->dir == PF_OUT]
7474 [action != PF_PASS] += pd->tot_len;
7475 pd->kif->pfik_packets[pd->af == AF_INET624][pd->dir == PF_OUT]
7476 [action != PF_PASS]++;
7477
7478 if (action == PF_PASS || action == PF_AFRT || r->action == PF_DROP) {
7479 dirndx = (pd->dir == PF_OUT);
7480 r->packets[dirndx]++;
7481 r->bytes[dirndx] += pd->tot_len;
7482 if (a != NULL((void *)0)) {
7483 a->packets[dirndx]++;
7484 a->bytes[dirndx] += pd->tot_len;
7485 }
7486 if (st != NULL((void *)0)) {
7487 struct pf_rule_item *ri;
7488 struct pf_sn_item *sni;
7489
7490 SLIST_FOREACH(sni, &st->src_nodes, next)for((sni) = ((&st->src_nodes)->slh_first); (sni) !=
((void *)0); (sni) = ((sni)->next.sle_next)) {
7491 sni->sn->packets[dirndx]++;
7492 sni->sn->bytes[dirndx] += pd->tot_len;
7493 }
7494 dirndx = (pd->dir == st->direction) ? 0 : 1;
7495 st->packets[dirndx]++;
7496 st->bytes[dirndx] += pd->tot_len;
7497
7498 SLIST_FOREACH(ri, &st->match_rules, entry)for((ri) = ((&st->match_rules)->slh_first); (ri) !=
((void *)0); (ri) = ((ri)->entry.sle_next)) {
7499 ri->r->packets[dirndx]++;
7500 ri->r->bytes[dirndx] += pd->tot_len;
7501
7502 if (ri->r->src.addr.type == PF_ADDR_TABLE)
7503 pfr_update_stats(ri->r->src.addr.p.tbl,
7504 &st->key[(st->direction == PF_IN)]->
7505 addr[(st->direction == PF_OUT)],
7506 pd, ri->r->action, ri->r->src.neg);
7507 if (ri->r->dst.addr.type == PF_ADDR_TABLE)
7508 pfr_update_stats(ri->r->dst.addr.p.tbl,
7509 &st->key[(st->direction == PF_IN)]->
7510 addr[(st->direction == PF_IN)],
7511 pd, ri->r->action, ri->r->dst.neg);
7512 }
7513 }
7514 if (r->src.addr.type == PF_ADDR_TABLE)
7515 pfr_update_stats(r->src.addr.p.tbl,
7516 (st == NULL((void *)0)) ? pd->src :
7517 &st->key[(st->direction == PF_IN)]->
7518 addr[(st->direction == PF_OUT)],
7519 pd, r->action, r->src.neg);
7520 if (r->dst.addr.type == PF_ADDR_TABLE)
7521 pfr_update_stats(r->dst.addr.p.tbl,
7522 (st == NULL((void *)0)) ? pd->dst :
7523 &st->key[(st->direction == PF_IN)]->
7524 addr[(st->direction == PF_IN)],
7525 pd, r->action, r->dst.neg);
7526 }
7527}
7528
7529int
7530pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
7531{
7532#if NCARP1 > 0
7533 struct ifnet *ifp0;
7534#endif
7535 struct pfi_kif *kif;
7536 u_short action, reason = 0;
7537 struct pf_rule *a = NULL((void *)0), *r = &pf_default_rule;
7538 struct pf_state *st = NULL((void *)0);
7539 struct pf_state_key_cmp key;
7540 struct pf_ruleset *ruleset = NULL((void *)0);
7541 struct pf_pdesc pd;
7542 int dir = (fwdir == PF_FWD) ? PF_OUT : fwdir;
1
Assuming 'fwdir' is not equal to PF_FWD
2
'?' condition is false
7543 u_int32_t qid, pqid = 0;
7544 int have_pf_lock = 0;
7545
7546 if (!pf_status.running)
3
Assuming field 'running' is not equal to 0
7547 return (PF_PASS);
7548
7549#if NCARP1 > 0
7550 if (ifp->if_typeif_data.ifi_type == IFT_CARP0xf7 &&
4
Assuming field 'ifi_type' is not equal to IFT_CARP
7551 (ifp0 = if_get(ifp->if_carpdevidxif_carp_ptr.carp_idx)) != NULL((void *)0)) {
7552 kif = (struct pfi_kif *)ifp0->if_pf_kif;
7553 if_put(ifp0);
7554 } else
7555#endif /* NCARP */
7556 kif = (struct pfi_kif *)ifp->if_pf_kif;
7557
7558 if (kif == NULL((void *)0)) {
5
Assuming 'kif' is not equal to NULL
6
Taking false branch
7559 DPFPRINTF(LOG_ERR,do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: kif == NULL, if_xname %s", __func__, ifp->if_xname); addlog
("\n"); } } while (0)
7560 "%s: kif == NULL, if_xname %s", __func__, ifp->if_xname)do { if (pf_status.debug >= (3)) { log(3, "pf: "); addlog(
"%s: kif == NULL, if_xname %s", __func__, ifp->if_xname); addlog
("\n"); } } while (0);
7561 return (PF_DROP);
7562 }
7563 if (kif->pfik_flags & PFI_IFLAG_SKIP0x0100)
7
Assuming the condition is false
8
Taking false branch
7564 return (PF_PASS);
7565
7566#ifdef DIAGNOSTIC1
7567 if (((*m0)->m_flagsm_hdr.mh_flags & M_PKTHDR0x0002) == 0)
9
Assuming the condition is false
10
Taking false branch
7568 panic("non-M_PKTHDR is passed to pf_test");
7569#endif /* DIAGNOSTIC */
7570
7571 if ((*m0)->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags & PF_TAG_GENERATED0x01)
11
Assuming the condition is false
12
Taking false branch
7572 return (PF_PASS);
7573
7574 if ((*m0)->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET0x10) {
13
Assuming the condition is false
14
Taking false branch
7575 (*m0)->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags &= ~PF_TAG_DIVERTED_PACKET0x10;
7576 return (PF_PASS);
7577 }
7578
7579 if ((*m0)->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags & PF_TAG_REFRAGMENTED0x40) {
15
Assuming the condition is false
16
Taking false branch
7580 (*m0)->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags &= ~PF_TAG_REFRAGMENTED0x40;
7581 return (PF_PASS);
7582 }
7583
7584 action = pf_setup_pdesc(&pd, af, dir, kif, *m0, &reason);
7585 if (action != PF_PASS) {
17
Assuming 'action' is equal to PF_PASS
18
Taking false branch
7586#if NPFLOG1 > 0
7587 pd.pflog |= PF_LOG_FORCE0x08;
7588#endif /* NPFLOG > 0 */
7589 goto done;
7590 }
7591
7592 /* packet normalization and reassembly */
7593 switch (pd.af) {
19
'Default' branch taken. Execution continues on line 7603
7594 case AF_INET2:
7595 action = pf_normalize_ip(&pd, &reason);
7596 break;
7597#ifdef INET61
7598 case AF_INET624:
7599 action = pf_normalize_ip6(&pd, &reason);
7600 break;
7601#endif /* INET6 */
7602 }
7603 *m0 = pd.m;
7604 /* if packet sits in reassembly queue, return without error */
7605 if (pd.m == NULL((void *)0))
20
Assuming field 'm' is not equal to NULL
21
Taking false branch
7606 return PF_PASS;
7607
7608 if (action
21.1
'action' is equal to PF_PASS
 != PF_PASS) {
7609#if NPFLOG1 > 0
7610 pd.pflog |= PF_LOG_FORCE0x08;
7611#endif /* NPFLOG > 0 */
7612 goto done;
7613 }
7614
7615 /* if packet has been reassembled, update packet description */
7616 if (pf_status.reass && pd.virtual_proto == PF_VPROTO_FRAGMENT256) {
22
Assuming field 'reass' is 0
7617 action = pf_setup_pdesc(&pd, af, dir, kif, pd.m, &reason);
7618 if (action != PF_PASS) {
7619#if NPFLOG1 > 0
7620 pd.pflog |= PF_LOG_FORCE0x08;
7621#endif /* NPFLOG > 0 */
7622 goto done;
7623 }
7624 }
7625 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags |= PF_TAG_PROCESSED0x80;
7626
7627 /*
7628 * Avoid pcb-lookups from the forwarding path. They should never
7629 * match and would cause MP locking problems.
7630 */
7631 if (fwdir
22.1
'fwdir' is not equal to PF_FWD
 == PF_FWD) {
23
Taking false branch
7632 pd.lookup.done = -1;
7633 pd.lookup.uid = -1;
7634 pd.lookup.gid = -1;
7635 pd.lookup.pid = NO_PID(99999 +1);
7636 }
7637
7638 switch (pd.virtual_proto) {
24
Control jumps to the 'default' case at line 7718
7639
7640 case PF_VPROTO_FRAGMENT256: {
7641 /*
7642 * handle fragments that aren't reassembled by
7643 * normalization
7644 */
7645 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
7646 have_pf_lock = 1;
7647 action = pf_test_rule(&pd, &r, &st, &a, &ruleset, &reason);
7648 st = pf_state_ref(st);
7649 if (action != PF_PASS)
7650 REASON_SET(&reason, PFRES_FRAG)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (2); if (2 < 17) pf_status.counters[2]++; } } while (0
);
7651 break;
7652 }
7653
7654 case IPPROTO_ICMP1: {
7655 if (pd.af != AF_INET2) {
7656 action = PF_DROP;
7657 REASON_SET(&reason, PFRES_NORM)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (4); if (4 < 17) pf_status.counters[4]++; } } while (0
);
7658 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping IPv6 packet with ICMPv4 payload"); addlog("\n"); } }
while (0)
7659 "dropping IPv6 packet with ICMPv4 payload")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping IPv6 packet with ICMPv4 payload"); addlog("\n"); } }
while (0);
7660 break;
7661 }
7662 PF_STATE_ENTER_READ()do { rw_enter_read(&pf_state_lock); } while (0);
7663 action = pf_test_state_icmp(&pd, &st, &reason);
7664 st = pf_state_ref(st);
7665 PF_STATE_EXIT_READ()do { rw_exit_read(&pf_state_lock); } while (0);
7666 if (action == PF_PASS || action == PF_AFRT) {
7667#if NPFSYNC1 > 0
7668 pfsync_update_state(st);
7669#endif /* NPFSYNC > 0 */
7670 r = st->rule.ptr;
7671 a = st->anchor.ptr;
7672#if NPFLOG1 > 0
7673 pd.pflog |= st->log;
7674#endif /* NPFLOG > 0 */
7675 } else if (st == NULL((void *)0)) {
7676 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
7677 have_pf_lock = 1;
7678 action = pf_test_rule(&pd, &r, &st, &a, &ruleset,
7679 &reason);
7680 st = pf_state_ref(st);
7681 }
7682 break;
7683 }
7684
7685#ifdef INET61
7686 case IPPROTO_ICMPV658: {
7687 if (pd.af != AF_INET624) {
7688 action = PF_DROP;
7689 REASON_SET(&reason, PFRES_NORM)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (4); if (4 < 17) pf_status.counters[4]++; } } while (0
);
7690 DPFPRINTF(LOG_NOTICE,do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping IPv4 packet with ICMPv6 payload"); addlog("\n"); } }
while (0)
7691 "dropping IPv4 packet with ICMPv6 payload")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping IPv4 packet with ICMPv6 payload"); addlog("\n"); } }
while (0);
7692 break;
7693 }
7694 PF_STATE_ENTER_READ()do { rw_enter_read(&pf_state_lock); } while (0);
7695 action = pf_test_state_icmp(&pd, &st, &reason);
7696 st = pf_state_ref(st);
7697 PF_STATE_EXIT_READ()do { rw_exit_read(&pf_state_lock); } while (0);
7698 if (action == PF_PASS || action == PF_AFRT) {
7699#if NPFSYNC1 > 0
7700 pfsync_update_state(st);
7701#endif /* NPFSYNC > 0 */
7702 r = st->rule.ptr;
7703 a = st->anchor.ptr;
7704#if NPFLOG1 > 0
7705 pd.pflog |= st->log;
7706#endif /* NPFLOG > 0 */
7707 } else if (st == NULL((void *)0)) {
7708 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
7709 have_pf_lock = 1;
7710 action = pf_test_rule(&pd, &r, &st, &a, &ruleset,
7711 &reason);
7712 st = pf_state_ref(st);
7713 }
7714 break;
7715 }
7716#endif /* INET6 */
7717
7718 default:
7719 if (pd.virtual_proto == IPPROTO_TCP6) {
25
Assuming field 'virtual_proto' is equal to IPPROTO_TCP
7720 if (pd.dir == PF_IN && (pd.hdr.tcp.th_flags &
26
Assuming field 'dir' is not equal to PF_IN
7721 (TH_SYN0x02|TH_ACK0x10)) == TH_SYN0x02 &&
7722 pf_synflood_check(&pd)) {
7723 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
7724 have_pf_lock = 1;
7725 pf_syncookie_send(&pd);
7726 action = PF_DROP;
7727 break;
7728 }
7729 if ((pd.hdr.tcp.th_flags & TH_ACK0x10) && pd.p_len == 0)
27
Assuming the condition is false
7730 pqid = 1;
7731 action = pf_normalize_tcp(&pd);
7732 if (action == PF_DROP)
28
Assuming 'action' is not equal to PF_DROP
29
Taking false branch
7733 break;
7734 }
7735
7736 key.af = pd.af;
7737 key.proto = pd.virtual_proto;
7738 key.rdomain = pd.rdomain;
7739 pf_addrcpy(&key.addr[pd.sidx], pd.src, key.af);
7740 pf_addrcpy(&key.addr[pd.didx], pd.dst, key.af);
7741 key.port[pd.sidx] = pd.osport;
7742 key.port[pd.didx] = pd.odport;
7743 key.hash = pd.hash;
7744
7745 PF_STATE_ENTER_READ()do { rw_enter_read(&pf_state_lock); } while (0);
30
Loop condition is false. Exiting loop
7746 action = pf_find_state(&pd, &key, &st);
7747 st = pf_state_ref(st);
7748 PF_STATE_EXIT_READ()do { rw_exit_read(&pf_state_lock); } while (0);
7749
7750 /* check for syncookies if tcp ack and no active state */
7751 if (pd.dir == PF_IN && pd.virtual_proto == IPPROTO_TCP6 &&
31
Assuming field 'dir' is equal to PF_IN
32
Assuming field 'virtual_proto' is equal to IPPROTO_TCP
35
Taking true branch
7752 (st
32.1
'st' is equal to NULL
 == NULL((void *)0) || (st->src.state >= TCPS_FIN_WAIT_29 &&
7753 st->dst.state >= TCPS_FIN_WAIT_29)) &&
7754 (pd.hdr.tcp.th_flags & (TH_SYN0x02|TH_ACK0x10|TH_RST0x04)) == TH_ACK0x10 &&
33
Assuming the condition is true
7755 pf_syncookie_validate(&pd)) {
34
Assuming the condition is true
7756 struct mbuf *msyn = pf_syncookie_recreate_syn(&pd);
7757 if (msyn) {
36
Assuming 'msyn' is non-null
37
Taking true branch
7758 action = pf_test(af, fwdir, ifp, &msyn);
7759 m_freem(msyn);
7760 if (action == PF_PASS || action == PF_AFRT) {
38
Assuming 'action' is not equal to PF_PASS
39
Assuming 'action' is equal to PF_AFRT
40
Taking true branch
7761 PF_STATE_ENTER_READ()do { rw_enter_read(&pf_state_lock); } while (0);
41
Loop condition is false. Exiting loop
7762 pf_state_unref(st);
7763 action = pf_find_state(&pd, &key, &st);
7764 st = pf_state_ref(st);
7765 PF_STATE_EXIT_READ()do { rw_exit_read(&pf_state_lock); } while (0);
42
Loop condition is false. Exiting loop
7766 if (st
42.1
'st' is not equal to NULL
 == NULL((void *)0))
7767 return (PF_DROP);
7768 st->src.seqhi = st->dst.seqhi =
43
Taking false branch
7769 ntohl(pd.hdr.tcp.th_ack)(__uint32_t)(__builtin_constant_p(pd.hdr.tcp.th_ack) ? (__uint32_t
)(((__uint32_t)(pd.hdr.tcp.th_ack) & 0xff) << 24 | (
(__uint32_t)(pd.hdr.tcp.th_ack) & 0xff00) << 8 | ((
__uint32_t)(pd.hdr.tcp.th_ack) & 0xff0000) >> 8 | (
(__uint32_t)(pd.hdr.tcp.th_ack) & 0xff000000) >> 24
) : __swap32md(pd.hdr.tcp.th_ack)) - 1;
44
'?' condition is false
7770 st->src.seqlo =
7771 ntohl(pd.hdr.tcp.th_seq)(__uint32_t)(__builtin_constant_p(pd.hdr.tcp.th_seq) ? (__uint32_t
)(((__uint32_t)(pd.hdr.tcp.th_seq) & 0xff) << 24 | (
(__uint32_t)(pd.hdr.tcp.th_seq) & 0xff00) << 8 | ((
__uint32_t)(pd.hdr.tcp.th_seq) & 0xff0000) >> 8 | (
(__uint32_t)(pd.hdr.tcp.th_seq) & 0xff000000) >> 24
) : __swap32md(pd.hdr.tcp.th_seq)) - 1;
45
'?' condition is false
7772 pf_set_protostate(st, PF_PEER_SRC,
7773 PF_TCPS_PROXY_DST((11)+1));
7774 }
7775 } else
7776 action = PF_DROP;
7777 }
7778
7779 if (action
45.1
'action' is equal to PF_MATCH
 == PF_MATCH)
46
Taking true branch
7780 action = pf_test_state(&pd, &st, &reason);
47
Calling 'pf_test_state'
7781
7782 if (action == PF_PASS || action == PF_AFRT) {
7783#if NPFSYNC1 > 0
7784 pfsync_update_state(st);
7785#endif /* NPFSYNC > 0 */
7786 r = st->rule.ptr;
7787 a = st->anchor.ptr;
7788#if NPFLOG1 > 0
7789 pd.pflog |= st->log;
7790#endif /* NPFLOG > 0 */
7791 } else if (st == NULL((void *)0)) {
7792 PF_LOCK()do { rw_enter_write(&pf_lock); } while (0);
7793 have_pf_lock = 1;
7794 action = pf_test_rule(&pd, &r, &st, &a, &ruleset,
7795 &reason);
7796 st = pf_state_ref(st);
7797 }
7798
7799 if (pd.virtual_proto == IPPROTO_TCP6) {
7800 if (st) {
7801 if (st->max_mss)
7802 pf_normalize_mss(&pd, st->max_mss);
7803 } else if (r->max_mss)
7804 pf_normalize_mss(&pd, r->max_mss);
7805 }
7806
7807 break;
7808 }
7809
7810 if (have_pf_lock != 0)
7811 PF_UNLOCK()do { do { if (rw_status(&pf_lock) != 0x0001UL) splassert_fail
(0x0001UL, rw_status(&pf_lock),__func__); } while (0); rw_exit_write
(&pf_lock); } while (0);
7812
7813 /*
7814 * At the moment, we rely on NET_LOCK() to prevent removal of items
7815 * we've collected above ('r', 'anchor' and 'ruleset'). They'll have
7816 * to be refcounted when NET_LOCK() is gone.
7817 */
7818
7819done:
7820 if (action != PF_DROP) {
7821 if (st) {
7822 /* The non-state case is handled in pf_test_rule() */
7823 if (action == PF_PASS && pd.badopts != 0 &&
7824 !(st->state_flags & PFSTATE_ALLOWOPTS0x0001)) {
7825 action = PF_DROP;
7826 REASON_SET(&reason, PFRES_IPOPTIONS)do { if ((void *)(&reason) != ((void *)0)) { *(&reason
) = (8); if (8 < 17) pf_status.counters[8]++; } } while (0
);
7827#if NPFLOG1 > 0
7828 pd.pflog |= PF_LOG_FORCE0x08;
7829#endif /* NPFLOG > 0 */
7830 DPFPRINTF(LOG_NOTICE, "dropping packet with "do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping packet with " "ip/ipv6 options in pf_test()"); addlog
("\n"); } } while (0)
7831 "ip/ipv6 options in pf_test()")do { if (pf_status.debug >= (5)) { log(5, "pf: "); addlog(
"dropping packet with " "ip/ipv6 options in pf_test()"); addlog
("\n"); } } while (0);
7832 }
7833
7834 pf_scrub(pd.m, st->state_flags, pd.af, st->min_ttl,
7835 st->set_tos);
7836 pf_tag_packet(pd.m, st->tag, st->rtableid[pd.didx]);
7837 if (pqid || (pd.tos & IPTOS_LOWDELAY0x10)) {
7838 qid = st->pqid;
7839 if (st->state_flags & PFSTATE_SETPRIO0x0200) {
7840 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.prio =
7841 st->set_prio[1];
7842 }
7843 } else {
7844 qid = st->qid;
7845 if (st->state_flags & PFSTATE_SETPRIO0x0200) {
7846 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.prio =
7847 st->set_prio[0];
7848 }
7849 }
7850 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.delay = st->delay;
7851 } else {
7852 pf_scrub(pd.m, r->scrub_flags, pd.af, r->min_ttl,
7853 r->set_tos);
7854 if (pqid || (pd.tos & IPTOS_LOWDELAY0x10)) {
7855 qid = r->pqid;
7856 if (r->scrub_flags & PFSTATE_SETPRIO0x0200)
7857 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.prio = r->set_prio[1];
7858 } else {
7859 qid = r->qid;
7860 if (r->scrub_flags & PFSTATE_SETPRIO0x0200)
7861 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.prio = r->set_prio[0];
7862 }
7863 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.delay = r->delay;
7864 }
7865 }
7866
7867 if (action == PF_PASS && qid)
7868 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.qid = qid;
7869 if (pd.dir == PF_IN && st && st->key[PF_SK_STACK])
7870 pf_mbuf_link_state_key(pd.m, st->key[PF_SK_STACK]);
7871 if (pd.dir == PF_OUT && st && st->key[PF_SK_STACK])
7872 pf_state_key_link_inpcb(st->key[PF_SK_STACK],
7873 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.inp);
7874
7875 if (st != NULL((void *)0) && !ISSET(pd.m->m_pkthdr.csum_flags, M_FLOWID)((pd.m->M_dat.MH.MH_pkthdr.csum_flags) & (0x4000))) {
7876 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.ph_flowid = st->key[PF_SK_WIRE]->hash;
7877 SET(pd.m->m_pkthdr.csum_flags, M_FLOWID)((pd.m->M_dat.MH.MH_pkthdr.csum_flags) |= (0x4000));
7878 }
7879
7880 /*
7881 * connections redirected to loopback should not match sockets
7882 * bound specifically to loopback due to security implications,
7883 * see in_pcblookup_listen().
7884 */
7885 if (pd.destchg)
7886 if ((pd.af == AF_INET2 && (ntohl(pd.dst->v4.s_addr)(__uint32_t)(__builtin_constant_p(pd.dst->pfa.v4.s_addr) ?
(__uint32_t)(((__uint32_t)(pd.dst->pfa.v4.s_addr) & 0xff
) << 24 | ((__uint32_t)(pd.dst->pfa.v4.s_addr) &
0xff00) << 8 | ((__uint32_t)(pd.dst->pfa.v4.s_addr)
& 0xff0000) >> 8 | ((__uint32_t)(pd.dst->pfa.v4
.s_addr) & 0xff000000) >> 24) : __swap32md(pd.dst->
pfa.v4.s_addr)) >>
7887 IN_CLASSA_NSHIFT24) == IN_LOOPBACKNET127) ||
7888 (pd.af == AF_INET624 && IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)((*(const u_int32_t *)(const void *)(&(&pd.dst->pfa
.v6)->__u6_addr.__u6_addr8[0]) == 0) && (*(const u_int32_t
*)(const void *)(&(&pd.dst->pfa.v6)->__u6_addr
.__u6_addr8[4]) == 0) && (*(const u_int32_t *)(const void
*)(&(&pd.dst->pfa.v6)->__u6_addr.__u6_addr8[8]
) == 0) && (*(const u_int32_t *)(const void *)(&(
&pd.dst->pfa.v6)->__u6_addr.__u6_addr8[12]) == (__uint32_t
)(__builtin_constant_p(1) ? (__uint32_t)(((__uint32_t)(1) &
0xff) << 24 | ((__uint32_t)(1) & 0xff00) << 8
| ((__uint32_t)(1) & 0xff0000) >> 8 | ((__uint32_t
)(1) & 0xff000000) >> 24) : __swap32md(1))))))
7889 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST0x04;
7890 /* We need to redo the route lookup on outgoing routes. */
7891 if (pd.destchg && pd.dir == PF_OUT)
7892 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags |= PF_TAG_REROUTE0x20;
7893
7894 if (pd.dir == PF_IN && action == PF_PASS &&
7895 (r->divert.type == PF_DIVERT_TO ||
7896 r->divert.type == PF_DIVERT_REPLY)) {
7897 struct pf_divert *divert;
7898
7899 if ((divert = pf_get_divert(pd.m))) {
7900 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags |= PF_TAG_DIVERTED0x08;
7901 divert->addr = r->divert.addr;
7902 divert->port = r->divert.port;
7903 divert->rdomain = pd.rdomain;
7904 divert->type = r->divert.type;
7905 }
7906 }
7907
7908 if (action == PF_PASS && r->divert.type == PF_DIVERT_PACKET)
7909 action = PF_DIVERT;
7910
7911#if NPFLOG1 > 0
7912 if (pd.pflog) {
7913 struct pf_rule_item *ri;
7914
7915 if (pd.pflog & PF_LOG_FORCE0x08 || r->log & PF_LOG_ALL0x02)
7916 pflog_packet(&pd, reason, r, a, ruleset, NULL((void *)0));
7917 if (st) {
7918 SLIST_FOREACH(ri, &st->match_rules, entry)for((ri) = ((&st->match_rules)->slh_first); (ri) !=
((void *)0); (ri) = ((ri)->entry.sle_next))
7919 if (ri->r->log & PF_LOG_ALL0x02)
7920 pflog_packet(&pd, reason, ri->r, a,
7921 ruleset, NULL((void *)0));
7922 }
7923 }
7924#endif /* NPFLOG > 0 */
7925
7926 pf_counters_inc(action, &pd, st, r, a);
7927
7928 switch (action) {
7929 case PF_SYNPROXY_DROP:
7930 m_freem(pd.m);
7931 /* FALLTHROUGH */
7932 case PF_DEFER:
7933 pd.m = NULL((void *)0);
7934 action = PF_PASS;
7935 break;
7936 case PF_DIVERT:
7937 switch (pd.af) {
7938 case AF_INET2:
7939 divert_packet(pd.m, pd.dir, r->divert.port);
7940 pd.m = NULL((void *)0);
7941 break;
7942#ifdef INET61
7943 case AF_INET624:
7944 divert6_packet(pd.m, pd.dir, r->divert.port);
7945 pd.m = NULL((void *)0);
7946 break;
7947#endif /* INET6 */
7948 }
7949 action = PF_PASS;
7950 break;
7951#ifdef INET61
7952 case PF_AFRT:
7953 if (pf_translate_af(&pd)) {
7954 action = PF_DROP;
7955 break;
7956 }
7957 pd.m->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags |= PF_TAG_GENERATED0x01;
7958 switch (pd.naf) {
7959 case AF_INET2:
7960 if (pd.dir == PF_IN) {
7961 if (ipforwarding == 0) {
7962 ipstat_inc(ips_cantforward);
7963 action = PF_DROP;
7964 break;
7965 }
7966 ip_forward(pd.m, ifp, NULL((void *)0), 1);
7967 } else
7968 ip_output(pd.m, NULL((void *)0), NULL((void *)0), 0, NULL((void *)0), NULL((void *)0), 0);
7969 break;
7970 case AF_INET624:
7971 if (pd.dir == PF_IN) {
7972 if (ip6_forwarding == 0) {
7973 ip6stat_inc(ip6s_cantforward);
7974 action = PF_DROP;
7975 break;
7976 }
7977 ip6_forward(pd.m, NULL((void *)0), 1);
7978 } else
7979 ip6_output(pd.m, NULL((void *)0), NULL((void *)0), 0, NULL((void *)0), NULL((void *)0));
7980 break;
7981 }
7982 if (action != PF_DROP) {
7983 pd.m = NULL((void *)0);
7984 action = PF_PASS;
7985 }
7986 break;
7987#endif /* INET6 */
7988 case PF_DROP:
7989 m_freem(pd.m);
7990 pd.m = NULL((void *)0);
7991 break;
7992 default:
7993 if (st && st->rt) {
7994 switch (pd.af) {
7995 case AF_INET2:
7996 pf_route(&pd, st);
7997 break;
7998#ifdef INET61
7999 case AF_INET624:
8000 pf_route6(&pd, st);
8001 break;
8002#endif /* INET6 */
8003 }
8004 }
8005 break;
8006 }
8007
8008#ifdef INET61
8009 /* if reassembled packet passed, create new fragments */
8010 if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD &&
8011 pd.af == AF_INET624) {
8012 struct m_tag *mtag;
8013
8014 if ((mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED0x0800, NULL((void *)0))))
8015 action = pf_refragment6(&pd.m, mtag, NULL((void *)0), NULL((void *)0), NULL((void *)0));
8016 }
8017#endif /* INET6 */
8018 if (st && action != PF_DROP) {
8019 if (!st->if_index_in && dir == PF_IN)
8020 st->if_index_in = ifp->if_index;
8021 else if (!st->if_index_out && dir == PF_OUT)
8022 st->if_index_out = ifp->if_index;
8023 }
8024
8025 *m0 = pd.m;
8026
8027 pf_state_unref(st);
8028
8029 return (action);
8030}
8031
8032int
8033pf_ouraddr(struct mbuf *m)
8034{
8035 struct pf_state_key *sk;
8036
8037 if (m->m_pkthdrM_dat.MH.MH_pkthdr.pf.flags & PF_TAG_DIVERTED0x08)
8038 return (1);
8039
8040 sk = m->m_pkthdrM_dat.MH.MH_pkthdr.pf.statekey;
8041 if (sk != NULL((void *)0)) {
8042 if (READ_ONCE(sk->sk_inp)({ typeof(sk->sk_inp) __tmp = *(volatile typeof(sk->sk_inp
) *)&(sk->sk_inp); membar_datadep_consumer(); __tmp; }
) != NULL((void *)0))
8043 return (1);
8044 }
8045
8046 return (-1);
8047}
8048
8049/*
8050 * must be called whenever any addressing information such as
8051 * address, port, protocol has changed
8052 */
8053void
8054pf_pkt_addr_changed(struct mbuf *m)
8055{
8056 pf_mbuf_unlink_state_key(m);
8057 pf_mbuf_unlink_inpcb(m);
8058}
8059
8060struct inpcb *
8061pf_inp_lookup(struct mbuf *m)
8062{
8063 struct inpcb *inp = NULL((void *)0);
8064 struct pf_state_key *sk = m->m_pkthdrM_dat.MH.MH_pkthdr.pf.statekey;
8065
8066 if (!pf_state_key_isvalid(sk))
8067 pf_mbuf_unlink_state_key(m);
8068 else if (READ_ONCE(sk->sk_inp)({ typeof(sk->sk_inp) __tmp = *(volatile typeof(sk->sk_inp
) *)&(sk->sk_inp); membar_datadep_consumer(); __tmp; }
) != NULL((void *)0)) {
8069 mtx_enter(&pf_inp_mtx);
8070 inp = in_pcbref(sk->sk_inp);
8071 mtx_leave(&pf_inp_mtx);
8072 }
8073
8074 return (inp);
8075}
8076
8077void
8078pf_inp_link(struct mbuf *m, struct inpcb *inp)
8079{
8080 struct pf_state_key *sk = m->m_pkthdrM_dat.MH.MH_pkthdr.pf.statekey;
8081
8082 if (!pf_state_key_isvalid(sk)) {
8083 pf_mbuf_unlink_state_key(m);
8084 return;
8085 }
8086
8087 /*
8088 * we don't need to grab PF-lock here. At worst case we link inp to
8089 * state, which might be just being marked as deleted by another
8090 * thread.
8091 */
8092 pf_state_key_link_inpcb(sk, inp);
8093
8094 /* The statekey has finished finding the inp, it is no longer needed. */
8095 pf_mbuf_unlink_state_key(m);
8096}
8097
8098void
8099pf_inp_unlink(struct inpcb *inp)
8100{
8101 struct pf_state_key *sk;
8102
8103 if (READ_ONCE(inp->inp_pf_sk)({ typeof(inp->inp_pf_sk) __tmp = *(volatile typeof(inp->
inp_pf_sk) *)&(inp->inp_pf_sk); membar_datadep_consumer
(); __tmp; }) == NULL((void *)0))
8104 return;
8105
8106 mtx_enter(&pf_inp_mtx);
8107 sk = inp->inp_pf_sk;
8108 if (sk == NULL((void *)0)) {
8109 mtx_leave(&pf_inp_mtx);
8110 return;
8111 }
8112 KASSERT(sk->sk_inp == inp)((sk->sk_inp == inp) ? (void)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c"
, 8112, "sk->sk_inp == inp"));
8113 sk->sk_inp = NULL((void *)0);
8114 inp->inp_pf_sk = NULL((void *)0);
8115 mtx_leave(&pf_inp_mtx);
8116
8117 pf_state_key_unref(sk);
8118 in_pcbunref(inp);
8119}
8120
8121void
8122pf_state_key_link_reverse(struct pf_state_key *sk, struct pf_state_key *skrev)
8123{
8124 struct pf_state_key *old_reverse;
8125
8126 old_reverse = atomic_cas_ptr(&sk->sk_reverse, NULL, skrev)_atomic_cas_ptr((&sk->sk_reverse), (((void *)0)), (skrev
));
8127 if (old_reverse != NULL((void *)0))
8128 KASSERT(old_reverse == skrev)((old_reverse == skrev) ? (void)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c"
, 8128, "old_reverse == skrev"));
8129 else {
8130 pf_state_key_ref(skrev);
8131
8132 /*
8133 * NOTE: if sk == skrev, then KASSERT() below holds true, we
8134 * still want to grab a reference in such case, because
8135 * pf_state_key_unlink_reverse() does not check whether keys
8136 * are identical or not.
8137 */
8138 old_reverse = atomic_cas_ptr(&skrev->sk_reverse, NULL, sk)_atomic_cas_ptr((&skrev->sk_reverse), (((void *)0)), (
sk));
8139 if (old_reverse != NULL((void *)0))
8140 KASSERT(old_reverse == sk)((old_reverse == sk) ? (void)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c"
, 8140, "old_reverse == sk"));
8141
8142 pf_state_key_ref(sk);
8143 }
8144}
8145
8146#if NPFLOG1 > 0
8147void
8148pf_log_matches(struct pf_pdesc *pd, struct pf_rule *rm, struct pf_rule *am,
8149 struct pf_ruleset *ruleset, struct pf_rule_slist *matchrules)
8150{
8151 struct pf_rule_item *ri;
8152
8153 /* if this is the log(matches) rule, packet has been logged already */
8154 if (rm->log & PF_LOG_MATCHES0x10)
8155 return;
8156
8157 SLIST_FOREACH(ri, matchrules, entry)for((ri) = ((matchrules)->slh_first); (ri) != ((void *)0);
(ri) = ((ri)->entry.sle_next))
8158 if (ri->r->log & PF_LOG_MATCHES0x10)
8159 pflog_packet(pd, PFRES_MATCH0, rm, am, ruleset, ri->r);
8160}
8161#endif /* NPFLOG > 0 */
8162
8163struct pf_state_key *
8164pf_state_key_ref(struct pf_state_key *sk)
8165{
8166 if (sk != NULL((void *)0))
8167 PF_REF_TAKE(sk->sk_refcnt)refcnt_take(&(sk->sk_refcnt));
8168
8169 return (sk);
8170}
8171
8172void
8173pf_state_key_unref(struct pf_state_key *sk)
8174{
8175 if (PF_REF_RELE(sk->sk_refcnt)refcnt_rele(&(sk->sk_refcnt))) {
8176 /* state key must be removed from tree */
8177 KASSERT(!pf_state_key_isvalid(sk))((!pf_state_key_isvalid(sk)) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 8177, "!pf_state_key_isvalid(sk)")
);
8178 /* state key must be unlinked from reverse key */
8179 KASSERT(sk->sk_reverse == NULL)((sk->sk_reverse == ((void *)0)) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 8179, "sk->sk_reverse == NULL")
);
8180 /* state key must be unlinked from socket */
8181 KASSERT(sk->sk_inp == NULL)((sk->sk_inp == ((void *)0)) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 8181, "sk->sk_inp == NULL"));
8182 pool_put(&pf_state_key_pl, sk);
8183 }
8184}
8185
8186int
8187pf_state_key_isvalid(struct pf_state_key *sk)
8188{
8189 return ((sk != NULL((void *)0)) && (sk->sk_removed == 0));
8190}
8191
8192void
8193pf_mbuf_link_state_key(struct mbuf *m, struct pf_state_key *sk)
8194{
8195 KASSERT(m->m_pkthdr.pf.statekey == NULL)((m->M_dat.MH.MH_pkthdr.pf.statekey == ((void *)0)) ? (void
)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c", 8195, "m->m_pkthdr.pf.statekey == NULL"
));
8196 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.statekey = pf_state_key_ref(sk);
8197}
8198
8199void
8200pf_mbuf_unlink_state_key(struct mbuf *m)
8201{
8202 struct pf_state_key *sk = m->m_pkthdrM_dat.MH.MH_pkthdr.pf.statekey;
8203
8204 if (sk != NULL((void *)0)) {
8205 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.statekey = NULL((void *)0);
8206 pf_state_key_unref(sk);
8207 }
8208}
8209
8210void
8211pf_mbuf_link_inpcb(struct mbuf *m, struct inpcb *inp)
8212{
8213 KASSERT(m->m_pkthdr.pf.inp == NULL)((m->M_dat.MH.MH_pkthdr.pf.inp == ((void *)0)) ? (void)0 :
__assert("diagnostic ", "/usr/src/sys/net/pf.c", 8213, "m->m_pkthdr.pf.inp == NULL"
));
8214 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.inp = in_pcbref(inp);
8215}
8216
8217void
8218pf_mbuf_unlink_inpcb(struct mbuf *m)
8219{
8220 struct inpcb *inp = m->m_pkthdrM_dat.MH.MH_pkthdr.pf.inp;
8221
8222 if (inp != NULL((void *)0)) {
8223 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.inp = NULL((void *)0);
8224 in_pcbunref(inp);
8225 }
8226}
8227
8228void
8229pf_state_key_link_inpcb(struct pf_state_key *sk, struct inpcb *inp)
8230{
8231 if (inp == NULL((void *)0) || READ_ONCE(sk->sk_inp)({ typeof(sk->sk_inp) __tmp = *(volatile typeof(sk->sk_inp
) *)&(sk->sk_inp); membar_datadep_consumer(); __tmp; }
) != NULL((void *)0))
8232 return;
8233
8234 mtx_enter(&pf_inp_mtx);
8235 if (inp->inp_pf_sk != NULL((void *)0) || sk->sk_inp != NULL((void *)0)) {
8236 mtx_leave(&pf_inp_mtx);
8237 return;
8238 }
8239 sk->sk_inp = in_pcbref(inp);
8240 inp->inp_pf_sk = pf_state_key_ref(sk);
8241 mtx_leave(&pf_inp_mtx);
8242}
8243
8244void
8245pf_state_key_unlink_inpcb(struct pf_state_key *sk)
8246{
8247 struct inpcb *inp;
8248
8249 if (READ_ONCE(sk->sk_inp)({ typeof(sk->sk_inp) __tmp = *(volatile typeof(sk->sk_inp
) *)&(sk->sk_inp); membar_datadep_consumer(); __tmp; }
) == NULL((void *)0))
8250 return;
8251
8252 mtx_enter(&pf_inp_mtx);
8253 inp = sk->sk_inp;
8254 if (inp == NULL((void *)0)) {
8255 mtx_leave(&pf_inp_mtx);
8256 return;
8257 }
8258 KASSERT(inp->inp_pf_sk == sk)((inp->inp_pf_sk == sk) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 8258, "inp->inp_pf_sk == sk"));
8259 sk->sk_inp = NULL((void *)0);
8260 inp->inp_pf_sk = NULL((void *)0);
8261 mtx_leave(&pf_inp_mtx);
8262
8263 pf_state_key_unref(sk);
8264 in_pcbunref(inp);
8265}
8266
8267void
8268pf_state_key_unlink_reverse(struct pf_state_key *sk)
8269{
8270 struct pf_state_key *skrev = sk->sk_reverse;
8271
8272 /* Note that sk and skrev may be equal, then we unref twice. */
8273 if (skrev != NULL((void *)0)) {
8274 KASSERT(skrev->sk_reverse == sk)((skrev->sk_reverse == sk) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 8274, "skrev->sk_reverse == sk"
));
8275 sk->sk_reverse = NULL((void *)0);
8276 skrev->sk_reverse = NULL((void *)0);
8277 pf_state_key_unref(skrev);
8278 pf_state_key_unref(sk);
8279 }
8280}
8281
8282struct pf_state *
8283pf_state_ref(struct pf_state *st)
8284{
8285 if (st != NULL((void *)0))
8286 PF_REF_TAKE(st->refcnt)refcnt_take(&(st->refcnt));
8287 return (st);
8288}
8289
8290void
8291pf_state_unref(struct pf_state *st)
8292{
8293 if ((st != NULL((void *)0)) && PF_REF_RELE(st->refcnt)refcnt_rele(&(st->refcnt))) {
8294 /* never inserted or removed */
8295#if NPFSYNC1 > 0
8296 KASSERT((TAILQ_NEXT(st, sync_list) == NULL) ||(((((st)->sync_list.tqe_next) == ((void *)0)) || ((((st)->
sync_list.tqe_next) == ((void *)-1)) && (st->sync_state
>= 0xd0))) ? (void)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c"
, 8298, "(TAILQ_NEXT(st, sync_list) == NULL) || ((TAILQ_NEXT(st, sync_list) == _Q_INVALID) && (st->sync_state >= PFSYNC_S_NONE))"
))
8297 ((TAILQ_NEXT(st, sync_list) == _Q_INVALID) &&(((((st)->sync_list.tqe_next) == ((void *)0)) || ((((st)->
sync_list.tqe_next) == ((void *)-1)) && (st->sync_state
>= 0xd0))) ? (void)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c"
, 8298, "(TAILQ_NEXT(st, sync_list) == NULL) || ((TAILQ_NEXT(st, sync_list) == _Q_INVALID) && (st->sync_state >= PFSYNC_S_NONE))"
))
8298 (st->sync_state >= PFSYNC_S_NONE)))(((((st)->sync_list.tqe_next) == ((void *)0)) || ((((st)->
sync_list.tqe_next) == ((void *)-1)) && (st->sync_state
>= 0xd0))) ? (void)0 : __assert("diagnostic ", "/usr/src/sys/net/pf.c"
, 8298, "(TAILQ_NEXT(st, sync_list) == NULL) || ((TAILQ_NEXT(st, sync_list) == _Q_INVALID) && (st->sync_state >= PFSYNC_S_NONE))"
));
8299#endif /* NPFSYNC */
8300 KASSERT((TAILQ_NEXT(st, entry_list) == NULL) ||(((((st)->entry_list.tqe_next) == ((void *)0)) || (((st)->
entry_list.tqe_next) == ((void *)-1))) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 8301, "(TAILQ_NEXT(st, entry_list) == NULL) || (TAILQ_NEXT(st, entry_list) == _Q_INVALID)"
))
8301 (TAILQ_NEXT(st, entry_list) == _Q_INVALID))(((((st)->entry_list.tqe_next) == ((void *)0)) || (((st)->
entry_list.tqe_next) == ((void *)-1))) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/net/pf.c", 8301, "(TAILQ_NEXT(st, entry_list) == NULL) || (TAILQ_NEXT(st, entry_list) == _Q_INVALID)"
));
8302
8303 pf_state_key_unref(st->key[PF_SK_WIRE]);
8304 pf_state_key_unref(st->key[PF_SK_STACK]);
8305
8306 pool_put(&pf_state_pl, st);
8307 }
8308}
8309
8310int
8311pf_delay_pkt(struct mbuf *m, u_int ifidx)
8312{
8313 struct pf_pktdelay *pdy;
8314
8315 if ((pdy = pool_get(&pf_pktdelay_pl, PR_NOWAIT0x0002)) == NULL((void *)0)) {
8316 m_freem(m);
8317 return (ENOBUFS55);
8318 }
8319 pdy->ifidx = ifidx;
8320 pdy->m = m;
8321 timeout_set(&pdy->to, pf_pktenqueue_delayed, pdy);
8322 timeout_add_msec(&pdy->to, m->m_pkthdrM_dat.MH.MH_pkthdr.pf.delay);
8323 m->m_pkthdrM_dat.MH.MH_pkthdr.pf.delay = 0;
8324 return (0);
8325}
8326
8327void
8328pf_pktenqueue_delayed(void *arg)
8329{
8330 struct pf_pktdelay *pdy = arg;
8331 struct ifnet *ifp;
8332
8333 ifp = if_get(pdy->ifidx);
8334 if (ifp != NULL((void *)0)) {
8335 if_enqueue(ifp, pdy->m);
8336 if_put(ifp);
8337 } else
8338 m_freem(pdy->m);
8339
8340 pool_put(&pf_pktdelay_pl, pdy);
8341}