pf.c (bdd47177528b5beacabb4837bfac0e9de92aae74) | pf.c (4bf98559d9d6fa7c3571d26ed6f2b18823e3a30b) |
---|---|
1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2002 - 2008 Henning Brauer 6 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org> 7 * All rights reserved. 8 * --- 3578 unchanged lines hidden (view full) --- 3587 break; 3588 } 3589} 3590#endif /* INET6 */ 3591 3592void 3593pf_rule_to_actions(struct pf_krule *r, struct pf_rule_actions *a) 3594{ | 1/*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2002 - 2008 Henning Brauer 6 * Copyright (c) 2012 Gleb Smirnoff <glebius@FreeBSD.org> 7 * All rights reserved. 8 * --- 3578 unchanged lines hidden (view full) --- 3587 break; 3588 } 3589} 3590#endif /* INET6 */ 3591 3592void 3593pf_rule_to_actions(struct pf_krule *r, struct pf_rule_actions *a) 3594{ |
3595 a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID| 3596 PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO)); |
|
3595 if (r->qid) 3596 a->qid = r->qid; 3597 if (r->pqid) 3598 a->pqid = r->pqid; 3599 if (r->rtableid >= 0) 3600 a->rtableid = r->rtableid; 3601 a->log |= r->log; | 3597 if (r->qid) 3598 a->qid = r->qid; 3599 if (r->pqid) 3600 a->pqid = r->pqid; 3601 if (r->rtableid >= 0) 3602 a->rtableid = r->rtableid; 3603 a->log |= r->log; |
3602 if (r->scrub_flags & PFSTATE_SETTOS) | 3604 if (a->flags & PFSTATE_SETTOS) |
3603 a->set_tos = r->set_tos; 3604 if (r->min_ttl) 3605 a->min_ttl = r->min_ttl; 3606 if (r->max_mss) 3607 a->max_mss = r->max_mss; | 3605 a->set_tos = r->set_tos; 3606 if (r->min_ttl) 3607 a->min_ttl = r->min_ttl; 3608 if (r->max_mss) 3609 a->max_mss = r->max_mss; |
3608 a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID| 3609 PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO)); | |
3610 if (r->dnpipe) 3611 a->dnpipe = r->dnpipe; 3612 if (r->dnrpipe) 3613 a->dnrpipe = r->dnrpipe; 3614 if (r->dnpipe || r->dnrpipe) { 3615 if (r->free_flags & PFRULE_DN_IS_PIPE) 3616 a->flags |= PFSTATE_DN_IS_PIPE; 3617 else 3618 a->flags &= ~PFSTATE_DN_IS_PIPE; 3619 } | 3610 if (r->dnpipe) 3611 a->dnpipe = r->dnpipe; 3612 if (r->dnrpipe) 3613 a->dnrpipe = r->dnrpipe; 3614 if (r->dnpipe || r->dnrpipe) { 3615 if (r->free_flags & PFRULE_DN_IS_PIPE) 3616 a->flags |= PFSTATE_DN_IS_PIPE; 3617 else 3618 a->flags &= ~PFSTATE_DN_IS_PIPE; 3619 } |
3620 if (a->flags & PFSTATE_SETPRIO) { 3621 a->set_prio[0] = r->set_prio[0]; 3622 a->set_prio[1] = r->set_prio[1]; 3623 } |
|
3620} 3621 3622int 3623pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m) 3624{ 3625 struct pf_addr *saddr, *daddr; 3626 u_int16_t sport, dport; 3627 struct inpcbinfo *pi; --- 1005 unchanged lines hidden (view full) --- 4633 s->min_ttl = pd->act.min_ttl; 4634 s->set_tos = pd->act.set_tos; 4635 s->max_mss = pd->act.max_mss; 4636 s->sync_state = PFSYNC_S_NONE; 4637 s->qid = pd->act.qid; 4638 s->pqid = pd->act.pqid; 4639 s->dnpipe = pd->act.dnpipe; 4640 s->dnrpipe = pd->act.dnrpipe; | 3624} 3625 3626int 3627pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m) 3628{ 3629 struct pf_addr *saddr, *daddr; 3630 u_int16_t sport, dport; 3631 struct inpcbinfo *pi; --- 1005 unchanged lines hidden (view full) --- 4637 s->min_ttl = pd->act.min_ttl; 4638 s->set_tos = pd->act.set_tos; 4639 s->max_mss = pd->act.max_mss; 4640 s->sync_state = PFSYNC_S_NONE; 4641 s->qid = pd->act.qid; 4642 s->pqid = pd->act.pqid; 4643 s->dnpipe = pd->act.dnpipe; 4644 s->dnrpipe = pd->act.dnrpipe; |
4645 s->set_prio[0] = pd->act.set_prio[0]; 4646 s->set_prio[1] = pd->act.set_prio[1]; |
|
4641 s->state_flags |= pd->act.flags; 4642 if (nr != NULL) 4643 s->log |= nr->log & PF_LOG_ALL; 4644 switch (pd->proto) { 4645 case IPPROTO_TCP: 4646 s->src.seqlo = ntohl(th->th_seq); 4647 s->src.seqhi = s->src.seqlo + pd->p_len + 1; 4648 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && --- 52 unchanged lines hidden (view full) --- 4701 &sn)) != 0) { 4702 pf_src_tree_remove_state(s); 4703 s->timeout = PFTM_UNLINKED; 4704 STATE_DEC_COUNTERS(s); 4705 pf_free_state(s); 4706 goto csfailed; 4707 } 4708 s->rt_kif = r->rpool.cur->kif; | 4647 s->state_flags |= pd->act.flags; 4648 if (nr != NULL) 4649 s->log |= nr->log & PF_LOG_ALL; 4650 switch (pd->proto) { 4651 case IPPROTO_TCP: 4652 s->src.seqlo = ntohl(th->th_seq); 4653 s->src.seqhi = s->src.seqlo + pd->p_len + 1; 4654 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && --- 52 unchanged lines hidden (view full) --- 4707 &sn)) != 0) { 4708 pf_src_tree_remove_state(s); 4709 s->timeout = PFTM_UNLINKED; 4710 STATE_DEC_COUNTERS(s); 4711 pf_free_state(s); 4712 goto csfailed; 4713 } 4714 s->rt_kif = r->rpool.cur->kif; |
4715 s->rt = r->rt; |
|
4709 } 4710 4711 s->creation = time_uptime; 4712 s->expire = time_uptime; 4713 4714 if (sn != NULL) 4715 s->src_node = sn; 4716 if (nsn != NULL) { --- 1719 unchanged lines hidden (view full) --- 6436 struct mbuf *m0, *m1, *md; 6437 struct sockaddr_in dst; 6438 struct ip *ip; 6439 struct ifnet *ifp = NULL; 6440 struct pf_addr naddr; 6441 struct pf_ksrc_node *sn = NULL; 6442 int error = 0; 6443 uint16_t ip_len, ip_off; | 4716 } 4717 4718 s->creation = time_uptime; 4719 s->expire = time_uptime; 4720 4721 if (sn != NULL) 4722 s->src_node = sn; 4723 if (nsn != NULL) { --- 1719 unchanged lines hidden (view full) --- 6443 struct mbuf *m0, *m1, *md; 6444 struct sockaddr_in dst; 6445 struct ip *ip; 6446 struct ifnet *ifp = NULL; 6447 struct pf_addr naddr; 6448 struct pf_ksrc_node *sn = NULL; 6449 int error = 0; 6450 uint16_t ip_len, ip_off; |
6451 int r_rt, r_dir; |
|
6444 6445 KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__)); | 6452 6453 KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__)); |
6446 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction", | 6454 6455 if (s) { 6456 r_rt = s->rt; 6457 r_dir = s->direction; 6458 } else { 6459 r_rt = r->rt; 6460 r_dir = r->direction; 6461 } 6462 6463 KASSERT(dir == PF_IN || dir == PF_OUT || 6464 r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction", |
6447 __func__)); 6448 6449 if ((pd->pf_mtag == NULL && 6450 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || 6451 pd->pf_mtag->routed++ > 3) { 6452 m0 = *m; 6453 *m = NULL; 6454 goto bad_locked; 6455 } 6456 | 6465 __func__)); 6466 6467 if ((pd->pf_mtag == NULL && 6468 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || 6469 pd->pf_mtag->routed++ > 3) { 6470 m0 = *m; 6471 *m = NULL; 6472 goto bad_locked; 6473 } 6474 |
6457 if (r->rt == PF_DUPTO) { | 6475 if (r_rt == PF_DUPTO) { |
6458 if ((pd->pf_mtag->flags & PF_DUPLICATED)) { 6459 if (s == NULL) { 6460 ifp = r->rpool.cur->kif ? 6461 r->rpool.cur->kif->pfik_ifp : NULL; 6462 } else { 6463 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 6464 /* If pfsync'd */ 6465 if (ifp == NULL) --- 13 unchanged lines hidden (view full) --- 6479 pd->pf_mtag->flags |= PF_DUPLICATED; 6480 if (((m0 = m_dup(*m, M_NOWAIT)) == NULL)) { 6481 if (s) 6482 PF_STATE_UNLOCK(s); 6483 return; 6484 } 6485 } 6486 } else { | 6476 if ((pd->pf_mtag->flags & PF_DUPLICATED)) { 6477 if (s == NULL) { 6478 ifp = r->rpool.cur->kif ? 6479 r->rpool.cur->kif->pfik_ifp : NULL; 6480 } else { 6481 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 6482 /* If pfsync'd */ 6483 if (ifp == NULL) --- 13 unchanged lines hidden (view full) --- 6497 pd->pf_mtag->flags |= PF_DUPLICATED; 6498 if (((m0 = m_dup(*m, M_NOWAIT)) == NULL)) { 6499 if (s) 6500 PF_STATE_UNLOCK(s); 6501 return; 6502 } 6503 } 6504 } else { |
6487 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) { | 6505 if ((r_rt == PF_REPLYTO) == (r_dir == dir)) { |
6488 pf_dummynet(pd, dir, s, r, m); 6489 if (s) 6490 PF_STATE_UNLOCK(s); 6491 return; 6492 } 6493 m0 = *m; 6494 } 6495 --- 82 unchanged lines hidden (view full) --- 6578 error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL); 6579 goto done; 6580 } 6581 6582 /* Balk when DF bit is set or the interface didn't support TSO. */ 6583 if ((ip_off & IP_DF) || (m0->m_pkthdr.csum_flags & CSUM_TSO)) { 6584 error = EMSGSIZE; 6585 KMOD_IPSTAT_INC(ips_cantfrag); | 6506 pf_dummynet(pd, dir, s, r, m); 6507 if (s) 6508 PF_STATE_UNLOCK(s); 6509 return; 6510 } 6511 m0 = *m; 6512 } 6513 --- 82 unchanged lines hidden (view full) --- 6596 error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL); 6597 goto done; 6598 } 6599 6600 /* Balk when DF bit is set or the interface didn't support TSO. */ 6601 if ((ip_off & IP_DF) || (m0->m_pkthdr.csum_flags & CSUM_TSO)) { 6602 error = EMSGSIZE; 6603 KMOD_IPSTAT_INC(ips_cantfrag); |
6586 if (r->rt != PF_DUPTO) { | 6604 if (r_rt != PF_DUPTO) { |
6587 if (s && pd->nat_rule != NULL) 6588 PACKET_UNDO_NAT(m0, pd, 6589 (ip->ip_hl << 2) + (ip_off & IP_OFFMASK), 6590 s, dir); 6591 6592 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 6593 ifp->if_mtu); 6594 goto done; --- 19 unchanged lines hidden (view full) --- 6614 } else 6615 m_freem(m0); 6616 } 6617 6618 if (error == 0) 6619 KMOD_IPSTAT_INC(ips_fragmented); 6620 6621done: | 6605 if (s && pd->nat_rule != NULL) 6606 PACKET_UNDO_NAT(m0, pd, 6607 (ip->ip_hl << 2) + (ip_off & IP_OFFMASK), 6608 s, dir); 6609 6610 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 6611 ifp->if_mtu); 6612 goto done; --- 19 unchanged lines hidden (view full) --- 6632 } else 6633 m_freem(m0); 6634 } 6635 6636 if (error == 0) 6637 KMOD_IPSTAT_INC(ips_fragmented); 6638 6639done: |
6622 if (r->rt != PF_DUPTO) | 6640 if (r_rt != PF_DUPTO) |
6623 *m = NULL; 6624 return; 6625 6626bad_locked: 6627 if (s) 6628 PF_STATE_UNLOCK(s); 6629bad: 6630 m_freem(m0); --- 7 unchanged lines hidden (view full) --- 6638 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) 6639{ 6640 struct mbuf *m0, *md; 6641 struct sockaddr_in6 dst; 6642 struct ip6_hdr *ip6; 6643 struct ifnet *ifp = NULL; 6644 struct pf_addr naddr; 6645 struct pf_ksrc_node *sn = NULL; | 6641 *m = NULL; 6642 return; 6643 6644bad_locked: 6645 if (s) 6646 PF_STATE_UNLOCK(s); 6647bad: 6648 m_freem(m0); --- 7 unchanged lines hidden (view full) --- 6656 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) 6657{ 6658 struct mbuf *m0, *md; 6659 struct sockaddr_in6 dst; 6660 struct ip6_hdr *ip6; 6661 struct ifnet *ifp = NULL; 6662 struct pf_addr naddr; 6663 struct pf_ksrc_node *sn = NULL; |
6664 int r_rt, r_dir; |
|
6646 6647 KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__)); | 6665 6666 KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__)); |
6648 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction", | 6667 6668 if (s) { 6669 r_rt = s->rt; 6670 r_dir = s->direction; 6671 } else { 6672 r_rt = r->rt; 6673 r_dir = r->direction; 6674 } 6675 6676 KASSERT(dir == PF_IN || dir == PF_OUT || 6677 r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction", |
6649 __func__)); 6650 6651 if ((pd->pf_mtag == NULL && 6652 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || 6653 pd->pf_mtag->routed++ > 3) { 6654 m0 = *m; 6655 *m = NULL; 6656 goto bad_locked; 6657 } 6658 | 6678 __func__)); 6679 6680 if ((pd->pf_mtag == NULL && 6681 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || 6682 pd->pf_mtag->routed++ > 3) { 6683 m0 = *m; 6684 *m = NULL; 6685 goto bad_locked; 6686 } 6687 |
6659 if (r->rt == PF_DUPTO) { | 6688 if (r_rt == PF_DUPTO) { |
6660 if ((pd->pf_mtag->flags & PF_DUPLICATED)) { 6661 if (s == NULL) { 6662 ifp = r->rpool.cur->kif ? 6663 r->rpool.cur->kif->pfik_ifp : NULL; 6664 } else { 6665 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 6666 /* If pfsync'd */ 6667 if (ifp == NULL) --- 13 unchanged lines hidden (view full) --- 6681 pd->pf_mtag->flags |= PF_DUPLICATED; 6682 if (((m0 = m_dup(*m, M_NOWAIT)) == NULL)) { 6683 if (s) 6684 PF_STATE_UNLOCK(s); 6685 return; 6686 } 6687 } 6688 } else { | 6689 if ((pd->pf_mtag->flags & PF_DUPLICATED)) { 6690 if (s == NULL) { 6691 ifp = r->rpool.cur->kif ? 6692 r->rpool.cur->kif->pfik_ifp : NULL; 6693 } else { 6694 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 6695 /* If pfsync'd */ 6696 if (ifp == NULL) --- 13 unchanged lines hidden (view full) --- 6710 pd->pf_mtag->flags |= PF_DUPLICATED; 6711 if (((m0 = m_dup(*m, M_NOWAIT)) == NULL)) { 6712 if (s) 6713 PF_STATE_UNLOCK(s); 6714 return; 6715 } 6716 } 6717 } else { |
6689 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) { | 6718 if ((r_rt == PF_REPLYTO) == (r_dir == dir)) { |
6690 pf_dummynet(pd, dir, s, r, m); 6691 if (s) 6692 PF_STATE_UNLOCK(s); 6693 return; 6694 } 6695 m0 = *m; 6696 } 6697 --- 67 unchanged lines hidden (view full) --- 6765 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 6766 md = m0; 6767 pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md); 6768 if (md != NULL) 6769 nd6_output_ifp(ifp, ifp, md, &dst, NULL); 6770 } 6771 else { 6772 in6_ifstat_inc(ifp, ifs6_in_toobig); | 6719 pf_dummynet(pd, dir, s, r, m); 6720 if (s) 6721 PF_STATE_UNLOCK(s); 6722 return; 6723 } 6724 m0 = *m; 6725 } 6726 --- 67 unchanged lines hidden (view full) --- 6794 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 6795 md = m0; 6796 pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md); 6797 if (md != NULL) 6798 nd6_output_ifp(ifp, ifp, md, &dst, NULL); 6799 } 6800 else { 6801 in6_ifstat_inc(ifp, ifs6_in_toobig); |
6773 if (r->rt != PF_DUPTO) { | 6802 if (r_rt != PF_DUPTO) { |
6774 if (s && pd->nat_rule != NULL) 6775 PACKET_UNDO_NAT(m0, pd, 6776 ((caddr_t)ip6 - m0->m_data) + 6777 sizeof(struct ip6_hdr), s, dir); 6778 6779 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 6780 } else 6781 goto bad; 6782 } 6783 6784done: | 6803 if (s && pd->nat_rule != NULL) 6804 PACKET_UNDO_NAT(m0, pd, 6805 ((caddr_t)ip6 - m0->m_data) + 6806 sizeof(struct ip6_hdr), s, dir); 6807 6808 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 6809 } else 6810 goto bad; 6811 } 6812 6813done: |
6785 if (r->rt != PF_DUPTO) | 6814 if (r_rt != PF_DUPTO) |
6786 *m = NULL; 6787 return; 6788 6789bad_locked: 6790 if (s) 6791 PF_STATE_UNLOCK(s); 6792bad: 6793 m_freem(m0); --- 303 unchanged lines hidden (view full) --- 7097 u_short action, reason = 0, log = 0; 7098 struct mbuf *m = *m0; 7099 struct ip *h = NULL; 7100 struct m_tag *ipfwtag; 7101 struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; 7102 struct pf_kstate *s = NULL; 7103 struct pf_kruleset *ruleset = NULL; 7104 struct pf_pdesc pd; | 6815 *m = NULL; 6816 return; 6817 6818bad_locked: 6819 if (s) 6820 PF_STATE_UNLOCK(s); 6821bad: 6822 m_freem(m0); --- 303 unchanged lines hidden (view full) --- 7126 u_short action, reason = 0, log = 0; 7127 struct mbuf *m = *m0; 7128 struct ip *h = NULL; 7129 struct m_tag *ipfwtag; 7130 struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; 7131 struct pf_kstate *s = NULL; 7132 struct pf_kruleset *ruleset = NULL; 7133 struct pf_pdesc pd; |
7105 int off, dirndx, pqid = 0; | 7134 int off, dirndx; 7135 uint16_t scrub_flags; 7136#ifdef ALTQ 7137 uint16_t qid; 7138#endif 7139 uint16_t pqid; 7140 uint16_t tag; 7141 int32_t rtableid; 7142 uint8_t min_ttl; 7143 uint8_t set_tos; 7144 uint8_t rt; 7145 uint8_t set_prio[2]; |
7106 7107 PF_RULES_RLOCK_TRACKER; 7108 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); 7109 M_ASSERTPKTHDR(m); 7110 7111 if (!V_pf_status.running) 7112 return (PF_PASS); 7113 --- 275 unchanged lines hidden (view full) --- 7389 action = PF_DROP; 7390 REASON_SET(&reason, PFRES_IPOPTIONS); 7391 log = PF_LOG_FORCE; 7392 DPFPRINTF(PF_DEBUG_MISC, 7393 ("pf: dropping packet with ip options\n")); 7394 } 7395 7396 if (s) { | 7146 7147 PF_RULES_RLOCK_TRACKER; 7148 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); 7149 M_ASSERTPKTHDR(m); 7150 7151 if (!V_pf_status.running) 7152 return (PF_PASS); 7153 --- 275 unchanged lines hidden (view full) --- 7429 action = PF_DROP; 7430 REASON_SET(&reason, PFRES_IPOPTIONS); 7431 log = PF_LOG_FORCE; 7432 DPFPRINTF(PF_DEBUG_MISC, 7433 ("pf: dropping packet with ip options\n")); 7434 } 7435 7436 if (s) { |
7397 pf_scrub_ip(&m, s->state_flags, s->min_ttl, s->set_tos); 7398 if (s->rtableid >= 0) 7399 M_SETFIB(m, s->rtableid); | 7437 scrub_flags = s->state_flags; 7438 min_ttl = s->min_ttl; 7439 set_tos = s->set_tos; 7440 rtableid = s->rtableid; 7441 pqid = s->pqid; |
7400#ifdef ALTQ | 7442#ifdef ALTQ |
7401 if (s->qid) { 7402 pd.act.pqid = s->pqid; 7403 pd.act.qid = s->qid; 7404 } | 7443 qid = s->qid; |
7405#endif | 7444#endif |
7445 tag = s->tag; 7446 rt = s->rt; 7447 set_prio[0] = s->set_prio[0]; 7448 set_prio[1] = s->set_prio[1]; |
|
7406 } else { | 7449 } else { |
7407 pf_scrub_ip(&m, r->scrub_flags, r->min_ttl, r->set_tos); 7408 if (r->rtableid >= 0) 7409 M_SETFIB(m, r->rtableid); | 7450 scrub_flags = r->scrub_flags; 7451 min_ttl = r->min_ttl; 7452 set_tos = r->set_tos; 7453 rtableid = r->rtableid; 7454 pqid = r->pqid; |
7410#ifdef ALTQ | 7455#ifdef ALTQ |
7411 if (r->qid) { 7412 pd.act.pqid = r->pqid; 7413 pd.act.qid = r->qid; 7414 } | 7456 qid = r->qid; |
7415#endif | 7457#endif |
7458 tag = r->tag; 7459 rt = r->rt; 7460 set_prio[0] = r->set_prio[0]; 7461 set_prio[1] = r->set_prio[1]; |
|
7416 } 7417 | 7462 } 7463 |
7418 if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) { | 7464 if (tag > 0 && pf_tag_packet(m, &pd, tag)) { |
7419 action = PF_DROP; 7420 REASON_SET(&reason, PFRES_MEMORY); 7421 } 7422 | 7465 action = PF_DROP; 7466 REASON_SET(&reason, PFRES_MEMORY); 7467 } 7468 |
7423 if (r->scrub_flags & PFSTATE_SETPRIO) { | 7469 pf_scrub_ip(&m, scrub_flags, min_ttl, set_tos); 7470 7471 if (rtableid >= 0) 7472 M_SETFIB(m, rtableid); 7473 7474 if (scrub_flags & PFSTATE_SETPRIO) { |
7424 if (pd.tos & IPTOS_LOWDELAY) 7425 pqid = 1; | 7475 if (pd.tos & IPTOS_LOWDELAY) 7476 pqid = 1; |
7426 if (vlan_set_pcp(m, r->set_prio[pqid])) { | 7477 if (vlan_set_pcp(m, set_prio[pqid])) { |
7427 action = PF_DROP; 7428 REASON_SET(&reason, PFRES_MEMORY); 7429 log = PF_LOG_FORCE; 7430 DPFPRINTF(PF_DEBUG_MISC, 7431 ("pf: failed to allocate 802.1q mtag\n")); 7432 } 7433 } 7434 7435#ifdef ALTQ | 7478 action = PF_DROP; 7479 REASON_SET(&reason, PFRES_MEMORY); 7480 log = PF_LOG_FORCE; 7481 DPFPRINTF(PF_DEBUG_MISC, 7482 ("pf: failed to allocate 802.1q mtag\n")); 7483 } 7484 } 7485 7486#ifdef ALTQ |
7487 if (qid) { 7488 pd.act.pqid = pqid; 7489 pd.act.qid = qid; 7490 } 7491 |
|
7436 if (action == PF_PASS && pd.act.qid) { 7437 if (pd.pf_mtag == NULL && 7438 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { 7439 action = PF_DROP; 7440 REASON_SET(&reason, PFRES_MEMORY); 7441 } else { 7442 if (s != NULL) 7443 pd.pf_mtag->qid_hash = pf_state_hash(s); --- 155 unchanged lines hidden (view full) --- 7599 action = PF_PASS; 7600 break; 7601 case PF_DROP: 7602 m_freem(*m0); 7603 *m0 = NULL; 7604 break; 7605 default: 7606 /* pf_route() returns unlocked. */ | 7492 if (action == PF_PASS && pd.act.qid) { 7493 if (pd.pf_mtag == NULL && 7494 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { 7495 action = PF_DROP; 7496 REASON_SET(&reason, PFRES_MEMORY); 7497 } else { 7498 if (s != NULL) 7499 pd.pf_mtag->qid_hash = pf_state_hash(s); --- 155 unchanged lines hidden (view full) --- 7655 action = PF_PASS; 7656 break; 7657 case PF_DROP: 7658 m_freem(*m0); 7659 *m0 = NULL; 7660 break; 7661 default: 7662 /* pf_route() returns unlocked. */ |
7607 if (r->rt) { | 7663 if (rt) { |
7608 pf_route(m0, r, dir, kif->pfik_ifp, s, &pd, inp); 7609 return (action); 7610 } 7611 if (pf_dummynet(&pd, dir, s, r, m0) != 0) { 7612 action = PF_DROP; 7613 REASON_SET(&reason, PFRES_MEMORY); 7614 } 7615 break; --- 16 unchanged lines hidden (view full) --- 7632 u_short action, reason = 0, log = 0; 7633 struct mbuf *m = *m0, *n = NULL; 7634 struct m_tag *mtag; 7635 struct ip6_hdr *h = NULL; 7636 struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; 7637 struct pf_kstate *s = NULL; 7638 struct pf_kruleset *ruleset = NULL; 7639 struct pf_pdesc pd; | 7664 pf_route(m0, r, dir, kif->pfik_ifp, s, &pd, inp); 7665 return (action); 7666 } 7667 if (pf_dummynet(&pd, dir, s, r, m0) != 0) { 7668 action = PF_DROP; 7669 REASON_SET(&reason, PFRES_MEMORY); 7670 } 7671 break; --- 16 unchanged lines hidden (view full) --- 7688 u_short action, reason = 0, log = 0; 7689 struct mbuf *m = *m0, *n = NULL; 7690 struct m_tag *mtag; 7691 struct ip6_hdr *h = NULL; 7692 struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; 7693 struct pf_kstate *s = NULL; 7694 struct pf_kruleset *ruleset = NULL; 7695 struct pf_pdesc pd; |
7640 int off, terminal = 0, dirndx, rh_cnt = 0, pqid = 0; | 7696 int off, terminal = 0, dirndx, rh_cnt = 0; 7697 uint16_t scrub_flags; 7698#ifdef ALTQ 7699 uint16_t qid; 7700#endif 7701 uint16_t pqid; 7702 uint16_t tag; 7703 int32_t rtableid; 7704 uint8_t min_ttl; 7705 uint8_t set_tos; 7706 uint8_t rt; 7707 uint8_t set_prio[2]; |
7641 7642 PF_RULES_RLOCK_TRACKER; 7643 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); 7644 M_ASSERTPKTHDR(m); 7645 7646 if (!V_pf_status.running) 7647 return (PF_PASS); 7648 --- 271 unchanged lines hidden (view full) --- 7920 !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { 7921 action = PF_DROP; 7922 REASON_SET(&reason, PFRES_IPOPTIONS); 7923 log = r->log; 7924 DPFPRINTF(PF_DEBUG_MISC, 7925 ("pf: dropping packet with dangerous v6 headers\n")); 7926 } 7927 | 7708 7709 PF_RULES_RLOCK_TRACKER; 7710 KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); 7711 M_ASSERTPKTHDR(m); 7712 7713 if (!V_pf_status.running) 7714 return (PF_PASS); 7715 --- 271 unchanged lines hidden (view full) --- 7987 !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { 7988 action = PF_DROP; 7989 REASON_SET(&reason, PFRES_IPOPTIONS); 7990 log = r->log; 7991 DPFPRINTF(PF_DEBUG_MISC, 7992 ("pf: dropping packet with dangerous v6 headers\n")); 7993 } 7994 |
7928 if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) { 7929 action = PF_DROP; 7930 REASON_SET(&reason, PFRES_MEMORY); 7931 } 7932 | |
7933 if (s) { | 7995 if (s) { |
7934 pf_scrub_ip6(&m, s->state_flags, s->min_ttl, s->set_tos); 7935 if (s->rtableid >= 0) 7936 M_SETFIB(m, s->rtableid); | 7996 scrub_flags = s->state_flags; 7997 min_ttl = s->min_ttl; 7998 set_tos = s->set_tos; 7999 rtableid = s->rtableid; 8000 pqid = s->pqid; |
7937#ifdef ALTQ | 8001#ifdef ALTQ |
7938 if (s->qid) { 7939 pd.act.pqid = s->pqid; 7940 pd.act.qid = s->qid; 7941 } | 8002 qid = s->qid; |
7942#endif | 8003#endif |
8004 tag = s->tag; 8005 rt = s->rt; 8006 set_prio[0] = s->set_prio[0]; 8007 set_prio[1] = s->set_prio[1]; |
|
7943 } else { | 8008 } else { |
7944 pf_scrub_ip6(&m, r->scrub_flags, r->min_ttl, r->set_tos); 7945 if (r->rtableid >= 0) 7946 M_SETFIB(m, r->rtableid); | 8009 scrub_flags = r->scrub_flags; 8010 min_ttl = r->min_ttl; 8011 set_tos = r->set_tos; 8012 rtableid = r->rtableid; 8013 pqid = r->pqid; |
7947#ifdef ALTQ | 8014#ifdef ALTQ |
7948 if (r->qid) { 7949 pd.act.pqid = r->pqid; 7950 pd.act.qid = r->qid; 7951 } | 8015 qid = r->qid; |
7952#endif | 8016#endif |
8017 tag = r->tag; 8018 rt = r->rt; 8019 set_prio[0] = r->set_prio[0]; 8020 set_prio[1] = r->set_prio[1]; |
|
7953 } 7954 | 8021 } 8022 |
7955 if (r->scrub_flags & PFSTATE_SETPRIO) { | 8023 if (tag > 0 && pf_tag_packet(m, &pd, tag)) { 8024 action = PF_DROP; 8025 REASON_SET(&reason, PFRES_MEMORY); 8026 } 8027 8028 pf_scrub_ip6(&m, scrub_flags, min_ttl, set_tos); 8029 8030 if (rtableid >= 0) 8031 M_SETFIB(m, rtableid); 8032 8033 if (scrub_flags & PFSTATE_SETPRIO) { |
7956 if (pd.tos & IPTOS_LOWDELAY) 7957 pqid = 1; | 8034 if (pd.tos & IPTOS_LOWDELAY) 8035 pqid = 1; |
7958 if (vlan_set_pcp(m, r->set_prio[pqid])) { | 8036 if (vlan_set_pcp(m, set_prio[pqid])) { |
7959 action = PF_DROP; 7960 REASON_SET(&reason, PFRES_MEMORY); 7961 log = PF_LOG_FORCE; 7962 DPFPRINTF(PF_DEBUG_MISC, 7963 ("pf: failed to allocate 802.1q mtag\n")); 7964 } 7965 } 7966 7967#ifdef ALTQ | 8037 action = PF_DROP; 8038 REASON_SET(&reason, PFRES_MEMORY); 8039 log = PF_LOG_FORCE; 8040 DPFPRINTF(PF_DEBUG_MISC, 8041 ("pf: failed to allocate 802.1q mtag\n")); 8042 } 8043 } 8044 8045#ifdef ALTQ |
8046 if (qid) { 8047 pd.act.pqid = pqid; 8048 pd.act.qid = qid; 8049 } 8050 |
|
7968 if (action == PF_PASS && pd.act.qid) { 7969 if (pd.pf_mtag == NULL && 7970 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { 7971 action = PF_DROP; 7972 REASON_SET(&reason, PFRES_MEMORY); 7973 } else { 7974 if (s != NULL) 7975 pd.pf_mtag->qid_hash = pf_state_hash(s); --- 103 unchanged lines hidden (view full) --- 8079 action = PF_PASS; 8080 break; 8081 case PF_DROP: 8082 m_freem(*m0); 8083 *m0 = NULL; 8084 break; 8085 default: 8086 /* pf_route6() returns unlocked. */ | 8051 if (action == PF_PASS && pd.act.qid) { 8052 if (pd.pf_mtag == NULL && 8053 ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { 8054 action = PF_DROP; 8055 REASON_SET(&reason, PFRES_MEMORY); 8056 } else { 8057 if (s != NULL) 8058 pd.pf_mtag->qid_hash = pf_state_hash(s); --- 103 unchanged lines hidden (view full) --- 8162 action = PF_PASS; 8163 break; 8164 case PF_DROP: 8165 m_freem(*m0); 8166 *m0 = NULL; 8167 break; 8168 default: 8169 /* pf_route6() returns unlocked. */ |
8087 if (r->rt) { | 8170 if (rt) { |
8088 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd, inp); 8089 return (action); 8090 } 8091 if (pf_dummynet(&pd, dir, s, r, m0) != 0) { 8092 action = PF_DROP; 8093 REASON_SET(&reason, PFRES_MEMORY); 8094 } 8095 break; --- 15 unchanged lines hidden --- | 8171 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd, inp); 8172 return (action); 8173 } 8174 if (pf_dummynet(&pd, dir, s, r, m0) != 0) { 8175 action = PF_DROP; 8176 REASON_SET(&reason, PFRES_MEMORY); 8177 } 8178 break; --- 15 unchanged lines hidden --- |
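Review bot: In the function that calls pf_scrub_ip() (pf_test(), whose signature is hidden on this page), the new `uint16_t pqid` is loaded from `s->pqid` or `r->pqid` and then reused as the subscript in `vlan_set_pcp(m, set_prio[pqid])`, where `set_prio` is a two-element local array. When PFSTATE_SETPRIO is set, the packet lacks IPTOS_LOWDELAY and the copied value is greater than 1, this reads past the array on the kernel stack; the old code indexed with an `int pqid = 0` that could only be 0 or 1. The reuse also cuts the other way: under ALTQ, `pd.act.pqid = pqid` now runs after the SETPRIO block, so it can store the index value 1 instead of what appears to be the queue id. A separate index keeps the two uses apart, e.g. `int prio_idx = (pd.tos & IPTOS_LOWDELAY) ? 1 : 0;` followed by `vlan_set_pcp(m, set_prio[prio_idx])`, and the IPv6 counterpart that calls pf_scrub_ip6() needs the same change. Separately, the widened KASSERT in both routing functions joins the `dir` and `r_dir` checks with `||`, so it passes when either one is valid, which is weaker than the assertion it replaces.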