Lines Matching full:pd
437 if ((pd->dir) == PF_OUT) \
444 #define PACKET_LOOPED(pd) ((pd)->pf_mtag && \ argument
445 (pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
448 BOUND_IFACE(struct pf_kstate *st, struct pf_pdesc *pd) in BOUND_IFACE() argument
450 struct pfi_kkif *k = pd->kif; in BOUND_IFACE()
462 if (st->rule->rt == PF_REPLYTO || (pd->af != pd->naf && st->direction == PF_IN)) in BOUND_IFACE()
470 if (pd->related_rule) in BOUND_IFACE()
627 pf_packet_rework_nat(struct pf_pdesc *pd, int off, struct pf_state_key *nk) in pf_packet_rework_nat() argument
630 switch (pd->virtual_proto) { in pf_packet_rework_nat()
632 struct tcphdr *th = &pd->hdr.tcp; in pf_packet_rework_nat()
634 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) in pf_packet_rework_nat()
635 pf_change_ap(pd, pd->src, &th->th_sport, in pf_packet_rework_nat()
636 &nk->addr[pd->sidx], nk->port[pd->sidx]); in pf_packet_rework_nat()
637 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) in pf_packet_rework_nat()
638 pf_change_ap(pd, pd->dst, &th->th_dport, in pf_packet_rework_nat()
639 &nk->addr[pd->didx], nk->port[pd->didx]); in pf_packet_rework_nat()
640 m_copyback(pd->m, off, sizeof(*th), (caddr_t)th); in pf_packet_rework_nat()
644 struct udphdr *uh = &pd->hdr.udp; in pf_packet_rework_nat()
646 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) in pf_packet_rework_nat()
647 pf_change_ap(pd, pd->src, &uh->uh_sport, in pf_packet_rework_nat()
648 &nk->addr[pd->sidx], nk->port[pd->sidx]); in pf_packet_rework_nat()
649 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) in pf_packet_rework_nat()
650 pf_change_ap(pd, pd->dst, &uh->uh_dport, in pf_packet_rework_nat()
651 &nk->addr[pd->didx], nk->port[pd->didx]); in pf_packet_rework_nat()
652 m_copyback(pd->m, off, sizeof(*uh), (caddr_t)uh); in pf_packet_rework_nat()
656 struct sctphdr *sh = &pd->hdr.sctp; in pf_packet_rework_nat()
658 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) { in pf_packet_rework_nat()
659 pf_change_ap(pd, pd->src, &sh->src_port, in pf_packet_rework_nat()
660 &nk->addr[pd->sidx], nk->port[pd->sidx]); in pf_packet_rework_nat()
662 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) { in pf_packet_rework_nat()
663 pf_change_ap(pd, pd->dst, &sh->dest_port, in pf_packet_rework_nat()
664 &nk->addr[pd->didx], nk->port[pd->didx]); in pf_packet_rework_nat()
670 struct icmp *ih = &pd->hdr.icmp; in pf_packet_rework_nat()
672 if (nk->port[pd->sidx] != ih->icmp_id) { in pf_packet_rework_nat()
673 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_packet_rework_nat()
675 nk->port[pd->sidx], 0); in pf_packet_rework_nat()
676 ih->icmp_id = nk->port[pd->sidx]; in pf_packet_rework_nat()
677 pd->sport = &ih->icmp_id; in pf_packet_rework_nat()
679 m_copyback(pd->m, off, ICMP_MINLEN, (caddr_t)ih); in pf_packet_rework_nat()
684 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) { in pf_packet_rework_nat()
685 switch (pd->af) { in pf_packet_rework_nat()
687 pf_change_a(&pd->src->v4.s_addr, in pf_packet_rework_nat()
688 pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, in pf_packet_rework_nat()
692 pf_addrcpy(pd->src, &nk->addr[pd->sidx], in pf_packet_rework_nat()
693 pd->af); in pf_packet_rework_nat()
696 unhandled_af(pd->af); in pf_packet_rework_nat()
699 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) { in pf_packet_rework_nat()
700 switch (pd->af) { in pf_packet_rework_nat()
702 pf_change_a(&pd->dst->v4.s_addr, in pf_packet_rework_nat()
703 pd->ip_sum, nk->addr[pd->didx].v4.s_addr, in pf_packet_rework_nat()
707 pf_addrcpy(pd->dst, &nk->addr[pd->didx], in pf_packet_rework_nat()
708 pd->af); in pf_packet_rework_nat()
711 unhandled_af(pd->af); in pf_packet_rework_nat()
1668 pf_state_key_addr_setup(struct pf_pdesc *pd, in pf_state_key_addr_setup() argument
1671 struct pf_addr *saddr = pd->src; in pf_state_key_addr_setup()
1672 struct pf_addr *daddr = pd->dst; in pf_state_key_addr_setup()
1677 if (pd->af == AF_INET || pd->proto != IPPROTO_ICMPV6) in pf_state_key_addr_setup()
1680 switch (pd->hdr.icmp6.icmp6_type) { in pf_state_key_addr_setup()
1684 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), NULL, in pf_state_key_addr_setup()
1685 pd->af)) in pf_state_key_addr_setup()
1693 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), NULL, in pf_state_key_addr_setup()
1694 pd->af)) in pf_state_key_addr_setup()
1698 if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) { in pf_state_key_addr_setup()
1699 key->addr[pd->didx].addr32[0] = 0; in pf_state_key_addr_setup()
1700 key->addr[pd->didx].addr32[1] = 0; in pf_state_key_addr_setup()
1701 key->addr[pd->didx].addr32[2] = 0; in pf_state_key_addr_setup()
1702 key->addr[pd->didx].addr32[3] = 0; in pf_state_key_addr_setup()
1708 key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL; in pf_state_key_addr_setup()
1709 key->addr[pd->sidx].addr32[1] = 0; in pf_state_key_addr_setup()
1710 key->addr[pd->sidx].addr32[2] = 0; in pf_state_key_addr_setup()
1711 key->addr[pd->sidx].addr32[3] = IPV6_ADDR_INT32_ONE; in pf_state_key_addr_setup()
1718 pf_addrcpy(&key->addr[pd->sidx], saddr, pd->af); in pf_state_key_addr_setup()
1720 pf_addrcpy(&key->addr[pd->didx], daddr, pd->af); in pf_state_key_addr_setup()
1726 pf_state_key_setup(struct pf_pdesc *pd, u_int16_t sport, u_int16_t dport, in pf_state_key_setup() argument
1733 if (pf_state_key_addr_setup(pd, (struct pf_state_key_cmp *)*sk, in pf_state_key_setup()
1740 (*sk)->port[pd->sidx] = sport; in pf_state_key_setup()
1741 (*sk)->port[pd->didx] = dport; in pf_state_key_setup()
1742 (*sk)->proto = pd->proto; in pf_state_key_setup()
1743 (*sk)->af = pd->af; in pf_state_key_setup()
1752 if (pd->af != pd->naf) { in pf_state_key_setup()
1753 (*sk)->port[pd->sidx] = pd->osport; in pf_state_key_setup()
1754 (*sk)->port[pd->didx] = pd->odport; in pf_state_key_setup()
1756 (*nk)->af = pd->naf; in pf_state_key_setup()
1764 if (pd->dir == PF_IN) { in pf_state_key_setup()
1765 pf_addrcpy(&(*nk)->addr[pd->didx], &pd->nsaddr, in pf_state_key_setup()
1766 pd->naf); in pf_state_key_setup()
1767 pf_addrcpy(&(*nk)->addr[pd->sidx], &pd->ndaddr, in pf_state_key_setup()
1768 pd->naf); in pf_state_key_setup()
1769 (*nk)->port[pd->didx] = pd->nsport; in pf_state_key_setup()
1770 (*nk)->port[pd->sidx] = pd->ndport; in pf_state_key_setup()
1772 pf_addrcpy(&(*nk)->addr[pd->sidx], &pd->nsaddr, in pf_state_key_setup()
1773 pd->naf); in pf_state_key_setup()
1774 pf_addrcpy(&(*nk)->addr[pd->didx], &pd->ndaddr, in pf_state_key_setup()
1775 pd->naf); in pf_state_key_setup()
1776 (*nk)->port[pd->sidx] = pd->nsport; in pf_state_key_setup()
1777 (*nk)->port[pd->didx] = pd->ndport; in pf_state_key_setup()
1780 switch (pd->proto) { in pf_state_key_setup()
1788 (*nk)->proto = pd->proto; in pf_state_key_setup()
1898 pf_find_state(struct pf_pdesc *pd, const struct pf_state_key_cmp *key, in pf_find_state() argument
1921 idx = (pd->dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK); in pf_find_state()
1925 if (s->kif == V_pfi_all || s->kif == pd->kif || in pf_find_state()
1926 s->orig_kif == pd->kif) { in pf_find_state()
1936 SDT_PROBE5(pf, ip, state, lookup, pd->kif, in pf_find_state()
1937 key, (pd->dir), pd, *state); in pf_find_state()
1948 if (s->kif == V_pfi_all || s->kif == pd->kif || in pf_find_state()
1949 s->orig_kif == pd->kif) { in pf_find_state()
1959 SDT_PROBE5(pf, ip, state, lookup, pd->kif, in pf_find_state()
1960 key, (pd->dir), pd, NULL); in pf_find_state()
1970 SDT_PROBE5(pf, ip, state, lookup, pd->kif, key, (pd->dir), pd, *state); in pf_find_state()
1978 if ((s)->rule->pktrate.limit && pd->dir == (s)->direction) { in pf_find_state()
1984 if (PACKET_LOOPED(pd)) { in pf_find_state()
2276 pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type, in pf_icmp_mapping() argument
2287 switch (pd->af) { in pf_icmp_mapping()
2296 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2304 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2312 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2320 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2380 *virtual_id = pd->hdr.icmp6.icmp6_id; in pf_icmp_mapping()
2442 unhandled_af(pd->af); in pf_icmp_mapping()
3300 pf_patch_8(struct pf_pdesc *pd, u_int8_t *f, u_int8_t v, bool hi) in pf_patch_8() argument
3310 if (! (pd->m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | in pf_patch_8()
3312 *pd->pcksum = pf_cksum_fixup(*pd->pcksum, old, new, in pf_patch_8()
3313 pd->proto == IPPROTO_UDP); in pf_patch_8()
3322 pf_patch_16(struct pf_pdesc *pd, void *f, u_int16_t v, bool hi) in pf_patch_16() argument
3328 rewrite += pf_patch_8(pd, fb++, *vb++, hi); in pf_patch_16()
3329 rewrite += pf_patch_8(pd, fb++, *vb++, !hi); in pf_patch_16()
3335 pf_patch_32(struct pf_pdesc *pd, void *f, u_int32_t v, bool hi) in pf_patch_32() argument
3341 rewrite += pf_patch_8(pd, fb++, *vb++, hi); in pf_patch_32()
3342 rewrite += pf_patch_8(pd, fb++, *vb++, !hi); in pf_patch_32()
3343 rewrite += pf_patch_8(pd, fb++, *vb++, hi); in pf_patch_32()
3344 rewrite += pf_patch_8(pd, fb++, *vb++, !hi); in pf_patch_32()
3360 pf_change_ap(struct pf_pdesc *pd, struct pf_addr *a, u_int16_t *p, in pf_change_ap() argument
3365 uint8_t u = pd->virtual_proto == IPPROTO_UDP; in pf_change_ap()
3367 MPASS(pd->pcksum != NULL); in pf_change_ap()
3368 if (pd->af == AF_INET) { in pf_change_ap()
3369 MPASS(pd->ip_sum); in pf_change_ap()
3372 pf_addrcpy(&ao, a, pd->af); in pf_change_ap()
3373 if (pd->af == pd->naf) in pf_change_ap()
3374 pf_addrcpy(a, an, pd->af); in pf_change_ap()
3376 if (pd->m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6)) in pf_change_ap()
3377 *pd->pcksum = ~*pd->pcksum; in pf_change_ap()
3384 switch (pd->af) { in pf_change_ap()
3387 switch (pd->naf) { in pf_change_ap()
3389 *pd->ip_sum = pf_cksum_fixup(pf_cksum_fixup(*pd->ip_sum, in pf_change_ap()
3394 *pd->pcksum = pf_cksum_fixup(pf_cksum_fixup(*pd->pcksum, in pf_change_ap()
3398 *pd->pcksum = pf_proto_cksum_fixup(pd->m, *pd->pcksum, po, pn, u); in pf_change_ap()
3402 *pd->pcksum = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( in pf_change_ap()
3404 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pd->pcksum, in pf_change_ap()
3417 unhandled_af(pd->naf); in pf_change_ap()
3423 switch (pd->naf) { in pf_change_ap()
3426 *pd->pcksum = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( in pf_change_ap()
3428 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pd->pcksum, in pf_change_ap()
3441 *pd->pcksum = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( in pf_change_ap()
3443 pf_cksum_fixup(pf_cksum_fixup(*pd->pcksum, in pf_change_ap()
3453 *pd->pcksum = pf_proto_cksum_fixup(pd->m, *pd->pcksum, po, pn, u); in pf_change_ap()
3456 unhandled_af(pd->naf); in pf_change_ap()
3461 unhandled_af(pd->af); in pf_change_ap()
3464 if (pd->m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | in pf_change_ap()
3466 *pd->pcksum = ~*pd->pcksum; in pf_change_ap()
3467 if (! *pd->pcksum) in pf_change_ap()
3468 *pd->pcksum = 0xffff; in pf_change_ap()
3609 pf_translate_af(struct pf_pdesc *pd) in pf_translate_af() argument
3620 hlen = pd->naf == AF_INET ? sizeof(*ip4) : sizeof(*ip6); in pf_translate_af()
3623 m_adj(pd->m, pd->off); in pf_translate_af()
3626 M_PREPEND(pd->m, hlen, M_NOWAIT); in pf_translate_af()
3627 if (pd->m == NULL) in pf_translate_af()
3630 switch (pd->naf) { in pf_translate_af()
3632 ip4 = mtod(pd->m, struct ip *); in pf_translate_af()
3636 ip4->ip_tos = pd->tos; in pf_translate_af()
3637 ip4->ip_len = htons(hlen + (pd->tot_len - pd->off)); in pf_translate_af()
3639 ip4->ip_ttl = pd->ttl; in pf_translate_af()
3640 ip4->ip_p = pd->proto; in pf_translate_af()
3641 ip4->ip_src = pd->nsaddr.v4; in pf_translate_af()
3642 ip4->ip_dst = pd->ndaddr.v4; in pf_translate_af()
3643 pd->src = (struct pf_addr *)&ip4->ip_src; in pf_translate_af()
3644 pd->dst = (struct pf_addr *)&ip4->ip_dst; in pf_translate_af()
3645 pd->off = sizeof(struct ip); in pf_translate_af()
3646 if (pd->m->m_pkthdr.csum_flags & CSUM_TCP_IPV6) { in pf_translate_af()
3647 pd->m->m_pkthdr.csum_flags &= ~CSUM_TCP_IPV6; in pf_translate_af()
3648 pd->m->m_pkthdr.csum_flags |= CSUM_TCP; in pf_translate_af()
3650 if (pd->m->m_pkthdr.csum_flags & CSUM_UDP_IPV6) { in pf_translate_af()
3651 pd->m->m_pkthdr.csum_flags &= ~CSUM_UDP_IPV6; in pf_translate_af()
3652 pd->m->m_pkthdr.csum_flags |= CSUM_UDP; in pf_translate_af()
3654 if (pd->m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) { in pf_translate_af()
3655 pd->m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6; in pf_translate_af()
3656 pd->m->m_pkthdr.csum_flags |= CSUM_SCTP; in pf_translate_af()
3660 ip6 = mtod(pd->m, struct ip6_hdr *); in pf_translate_af()
3663 ip6->ip6_flow |= htonl((u_int32_t)pd->tos << 20); in pf_translate_af()
3664 ip6->ip6_plen = htons(pd->tot_len - pd->off); in pf_translate_af()
3665 ip6->ip6_nxt = pd->proto; in pf_translate_af()
3666 if (!pd->ttl || pd->ttl > IPV6_DEFHLIM) in pf_translate_af()
3669 ip6->ip6_hlim = pd->ttl; in pf_translate_af()
3670 ip6->ip6_src = pd->nsaddr.v6; in pf_translate_af()
3671 ip6->ip6_dst = pd->ndaddr.v6; in pf_translate_af()
3672 pd->src = (struct pf_addr *)&ip6->ip6_src; in pf_translate_af()
3673 pd->dst = (struct pf_addr *)&ip6->ip6_dst; in pf_translate_af()
3674 pd->off = sizeof(struct ip6_hdr); in pf_translate_af()
3675 if (pd->m->m_pkthdr.csum_flags & CSUM_TCP) { in pf_translate_af()
3676 pd->m->m_pkthdr.csum_flags &= ~CSUM_TCP; in pf_translate_af()
3677 pd->m->m_pkthdr.csum_flags |= CSUM_TCP_IPV6; in pf_translate_af()
3679 if (pd->m->m_pkthdr.csum_flags & CSUM_UDP) { in pf_translate_af()
3680 pd->m->m_pkthdr.csum_flags &= ~CSUM_UDP; in pf_translate_af()
3681 pd->m->m_pkthdr.csum_flags |= CSUM_UDP_IPV6; in pf_translate_af()
3683 if (pd->m->m_pkthdr.csum_flags & CSUM_SCTP) { in pf_translate_af()
3684 pd->m->m_pkthdr.csum_flags &= ~CSUM_SCTP; in pf_translate_af()
3685 pd->m->m_pkthdr.csum_flags |= CSUM_SCTP_IPV6; in pf_translate_af()
3693 mtag = m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL); in pf_translate_af()
3706 if (pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6) { in pf_translate_af()
3708 if ((mp = m_pulldown(pd->m, hlen, sizeof(*icmp), &off)) == in pf_translate_af()
3710 pd->m = NULL; in pf_translate_af()
3715 icmp->icmp6_cksum = pd->naf == AF_INET ? in pf_translate_af()
3716 in4_cksum(pd->m, 0, hlen, ntohs(ip4->ip_len) - hlen) : in pf_translate_af()
3717 in6_cksum(pd->m, IPPROTO_ICMPV6, hlen, in pf_translate_af()
3726 pf_change_icmp_af(struct mbuf *m, int off, struct pf_pdesc *pd, in pf_change_icmp_af() argument
3798 pd->tot_len += hlen - olen; in pf_change_icmp_af()
4045 pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th, in pf_modulate_sack() argument
4053 olen = (pd->hdr.tcp.th_off << 2) - sizeof(struct tcphdr); in pf_modulate_sack()
4054 optsoff = pd->off + sizeof(struct tcphdr); in pf_modulate_sack()
4057 !pf_pull_hdr(pd->m, optsoff, opts, olen, NULL, pd->af)) in pf_modulate_sack()
4069 pf_patch_32(pd, &sack.start, in pf_modulate_sack()
4072 pf_patch_32(pd, &sack.end, in pf_modulate_sack()
4082 m_copyback(pd->m, optsoff, olen, (caddr_t)opts); in pf_modulate_sack()
4242 pf_send_sctp_abort(sa_family_t af, struct pf_pdesc *pd, in pf_send_sctp_abort() argument
4257 MPASS(af == pd->af); in pf_send_sctp_abort()
4282 h->ip_src = pd->dst->v4; in pf_send_sctp_abort()
4283 h->ip_dst = pd->src->v4; in pf_send_sctp_abort()
4299 memcpy(&h6->ip6_src, &pd->dst->v6, sizeof(struct in6_addr)); in pf_send_sctp_abort()
4300 memcpy(&h6->ip6_dst, &pd->src->v6, sizeof(struct in6_addr)); in pf_send_sctp_abort()
4312 hdr->src_port = pd->hdr.sctp.dest_port; in pf_send_sctp_abort()
4313 hdr->dest_port = pd->hdr.sctp.src_port; in pf_send_sctp_abort()
4314 hdr->v_tag = pd->sctp_initiate_tag; in pf_send_sctp_abort()
4401 pf_undo_nat(struct pf_krule *nr, struct pf_pdesc *pd, uint16_t bip_sum) in pf_undo_nat() argument
4405 pf_addrcpy(pd->src, &pd->osrc, pd->af); in pf_undo_nat()
4406 pf_addrcpy(pd->dst, &pd->odst, pd->af); in pf_undo_nat()
4407 if (pd->sport) in pf_undo_nat()
4408 *pd->sport = pd->osport; in pf_undo_nat()
4409 if (pd->dport) in pf_undo_nat()
4410 *pd->dport = pd->odport; in pf_undo_nat()
4411 if (pd->ip_sum) in pf_undo_nat()
4412 *pd->ip_sum = bip_sum; in pf_undo_nat()
4413 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_undo_nat()
4418 pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, in pf_return() argument
4422 pf_undo_nat(nr, pd, bip_sum); in pf_return()
4424 if (pd->proto == IPPROTO_TCP && in pf_return()
4428 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; in pf_return()
4430 if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off, in pf_return()
4431 IPPROTO_TCP, pd->af)) in pf_return()
4438 pf_send_tcp(r, pd->af, pd->dst, in pf_return()
4439 pd->src, th->th_dport, th->th_sport, in pf_return()
4444 } else if (pd->proto == IPPROTO_SCTP && in pf_return()
4446 pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid); in pf_return()
4447 } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET && in pf_return()
4449 pf_send_icmp(pd->m, r->return_icmp >> 8, in pf_return()
4450 r->return_icmp & 255, 0, pd->af, r, rtableid); in pf_return()
4451 else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 && in pf_return()
4453 pf_send_icmp(pd->m, r->return_icmp6 >> 8, in pf_return()
4454 r->return_icmp6 & 255, 0, pd->af, r, rtableid); in pf_return()
4492 pf_send_challenge_ack(struct pf_pdesc *pd, struct pf_kstate *s, in pf_send_challenge_ack() argument
4505 pf_send_tcp(s->rule, pd->af, pd->dst, pd->src, in pf_send_challenge_ack()
4506 pd->hdr.tcp.th_dport, pd->hdr.tcp.th_sport, dst->seqlo, in pf_send_challenge_ack()
4726 pf_tag_packet(struct pf_pdesc *pd, int tag) in pf_tag_packet() argument
4731 if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL)) in pf_tag_packet()
4734 pd->pf_mtag->tag = tag; in pf_tag_packet()
5010 pf_socket_lookup(struct pf_pdesc *pd) in pf_socket_lookup() argument
5017 pd->lookup.uid = -1; in pf_socket_lookup()
5018 pd->lookup.gid = -1; in pf_socket_lookup()
5020 switch (pd->proto) { in pf_socket_lookup()
5022 sport = pd->hdr.tcp.th_sport; in pf_socket_lookup()
5023 dport = pd->hdr.tcp.th_dport; in pf_socket_lookup()
5027 sport = pd->hdr.udp.uh_sport; in pf_socket_lookup()
5028 dport = pd->hdr.udp.uh_dport; in pf_socket_lookup()
5034 if (pd->dir == PF_IN) { in pf_socket_lookup()
5035 saddr = pd->src; in pf_socket_lookup()
5036 daddr = pd->dst; in pf_socket_lookup()
5043 saddr = pd->dst; in pf_socket_lookup()
5044 daddr = pd->src; in pf_socket_lookup()
5046 switch (pd->af) { in pf_socket_lookup()
5050 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
5054 INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
5063 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
5067 INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
5074 unhandled_af(pd->af); in pf_socket_lookup()
5077 pd->lookup.uid = inp->inp_cred->cr_uid; in pf_socket_lookup()
5078 pd->lookup.gid = inp->inp_cred->cr_gid; in pf_socket_lookup()
5120 pf_get_wscale(struct pf_pdesc *pd) in pf_get_wscale() argument
5126 olen = (pd->hdr.tcp.th_off << 2) - sizeof(struct tcphdr); in pf_get_wscale()
5127 if (olen < TCPOLEN_WINDOW || !pf_pull_hdr(pd->m, in pf_get_wscale()
5128 pd->off + sizeof(struct tcphdr), opts, olen, NULL, pd->af)) in pf_get_wscale()
5145 pf_get_mss(struct pf_pdesc *pd) in pf_get_mss() argument
5151 olen = (pd->hdr.tcp.th_off << 2) - sizeof(struct tcphdr); in pf_get_mss()
5152 if (olen < TCPOLEN_MAXSEG || !pf_pull_hdr(pd->m, in pf_get_mss()
5153 pd->off + sizeof(struct tcphdr), opts, olen, NULL, pd->af)) in pf_get_mss()
5207 pf_tcp_iss(struct pf_pdesc *pd) in pf_tcp_iss() argument
5225 SHA512_Update(&ctx, &pd->hdr.tcp.th_sport, sizeof(u_short)); in pf_tcp_iss()
5226 SHA512_Update(&ctx, &pd->hdr.tcp.th_dport, sizeof(u_short)); in pf_tcp_iss()
5227 switch (pd->af) { in pf_tcp_iss()
5229 SHA512_Update(&ctx, &pd->src->v6, sizeof(struct in6_addr)); in pf_tcp_iss()
5230 SHA512_Update(&ctx, &pd->dst->v6, sizeof(struct in6_addr)); in pf_tcp_iss()
5233 SHA512_Update(&ctx, &pd->src->v4, sizeof(struct in_addr)); in pf_tcp_iss()
5234 SHA512_Update(&ctx, &pd->dst->v4, sizeof(struct in_addr)); in pf_tcp_iss()
5585 struct pf_pdesc *pd = ctx->pd; in pf_rule_apply_nat() local
5599 pd->naf = r->naf; in pf_rule_apply_nat()
5600 if (pf_get_transaddr_af(ctx->nr, pd) == -1) { in pf_rule_apply_nat()
5639 struct pf_pdesc *pd = ctx->pd; in pf_match_rule() local
5644 if (ctx->pd->related_rule) { in pf_match_rule()
5645 *ctx->rm = ctx->pd->related_rule; in pf_match_rule()
5652 PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot, in pf_match_rule()
5654 PF_TEST_ATTRIB(r->direction && r->direction != pd->dir, in pf_match_rule()
5656 PF_TEST_ATTRIB(r->af && r->af != pd->af, in pf_match_rule()
5658 PF_TEST_ATTRIB(r->proto && r->proto != pd->proto, in pf_match_rule()
5660 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, pd->naf, in pf_match_rule()
5661 r->src.neg, pd->kif, M_GETFIB(pd->m)), in pf_match_rule()
5663 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, pd->af, in pf_match_rule()
5664 r->dst.neg, NULL, M_GETFIB(pd->m)), in pf_match_rule()
5666 switch (pd->virtual_proto) { in pf_match_rule()
5671 PF_TEST_ATTRIB((pd->proto == IPPROTO_TCP && r->flagset), in pf_match_rule()
5690 r->src.port[0], r->src.port[1], pd->nsport), in pf_match_rule()
5694 r->dst.port[0], r->dst.port[1], pd->ndport), in pf_match_rule()
5697 PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done = in pf_match_rule()
5698 pf_socket_lookup(pd), 1)) && in pf_match_rule()
5700 pd->lookup.uid), in pf_match_rule()
5703 PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done = in pf_match_rule()
5704 pf_socket_lookup(pd), 1)) && in pf_match_rule()
5706 pd->lookup.gid), in pf_match_rule()
5723 PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos), in pf_match_rule()
5726 !pf_match_ieee8021q_pcp(r->prio, pd->m), in pf_match_rule()
5731 PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, in pf_match_rule()
5732 &ctx->tag, pd->pf_mtag ? pd->pf_mtag->tag : 0), in pf_match_rule()
5734 PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(pd->m, r) == in pf_match_rule()
5738 pd->virtual_proto != PF_VPROTO_FRAGMENT), in pf_match_rule()
5741 (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match( in pf_match_rule()
5742 pf_osfp_fingerprint(pd, ctx->th), in pf_match_rule()
5800 pf_rule_to_actions(r, &pd->act); in pf_match_rule()
5803 ctx->a, ruleset, pd, 1, NULL); in pf_match_rule()
5822 if (pd->act.log & PF_LOG_MATCHES) in pf_match_rule()
5823 pf_log_matches(pd, r, ctx->a, ruleset, match_rules); in pf_match_rule()
5855 struct pf_pdesc *pd, struct pf_krule **am, in pf_test_rule() argument
5871 ctx.pd = pd; in pf_test_rule()
5875 ctx.th = &pd->hdr.tcp; in pf_test_rule()
5878 pf_addrcpy(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5879 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5883 pd->lookup.uid = inp->inp_cred->cr_uid; in pf_test_rule()
5884 pd->lookup.gid = inp->inp_cred->cr_gid; in pf_test_rule()
5885 pd->lookup.done = 1; in pf_test_rule()
5888 if (pd->ip_sum) in pf_test_rule()
5889 bip_sum = *pd->ip_sum; in pf_test_rule()
5891 switch (pd->virtual_proto) { in pf_test_rule()
5894 pd->nsport = ctx.th->th_sport; in pf_test_rule()
5895 pd->ndport = ctx.th->th_dport; in pf_test_rule()
5898 bproto_sum = pd->hdr.udp.uh_sum; in pf_test_rule()
5899 pd->nsport = pd->hdr.udp.uh_sport; in pf_test_rule()
5900 pd->ndport = pd->hdr.udp.uh_dport; in pf_test_rule()
5903 pd->nsport = pd->hdr.sctp.src_port; in pf_test_rule()
5904 pd->ndport = pd->hdr.sctp.dest_port; in pf_test_rule()
5908 MPASS(pd->af == AF_INET); in pf_test_rule()
5909 ctx.icmptype = pd->hdr.icmp.icmp_type; in pf_test_rule()
5910 ctx.icmpcode = pd->hdr.icmp.icmp_code; in pf_test_rule()
5911 ctx.state_icmp = pf_icmp_mapping(pd, ctx.icmptype, in pf_test_rule()
5914 pd->nsport = ctx.virtual_id; in pf_test_rule()
5915 pd->ndport = ctx.virtual_type; in pf_test_rule()
5917 pd->nsport = ctx.virtual_type; in pf_test_rule()
5918 pd->ndport = ctx.virtual_id; in pf_test_rule()
5924 MPASS(pd->af == AF_INET6); in pf_test_rule()
5925 ctx.icmptype = pd->hdr.icmp6.icmp6_type; in pf_test_rule()
5926 ctx.icmpcode = pd->hdr.icmp6.icmp6_code; in pf_test_rule()
5927 ctx.state_icmp = pf_icmp_mapping(pd, ctx.icmptype, in pf_test_rule()
5930 pd->nsport = ctx.virtual_id; in pf_test_rule()
5931 pd->ndport = ctx.virtual_type; in pf_test_rule()
5933 pd->nsport = ctx.virtual_type; in pf_test_rule()
5934 pd->ndport = ctx.virtual_id; in pf_test_rule()
5940 pd->nsport = pd->ndport = 0; in pf_test_rule()
5943 pd->osport = pd->nsport; in pf_test_rule()
5944 pd->odport = pd->ndport; in pf_test_rule()
5961 ruleset, pd, 1, NULL); in pf_test_rule()
5988 pf_rule_to_actions(r, &pd->act); in pf_test_rule()
6007 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_rule()
6008 PFLOG_PACKET(r->action, ctx.reason, r, ctx.a, ruleset, pd, 1, NULL); in pf_test_rule()
6010 if (pd->act.log & PF_LOG_MATCHES) in pf_test_rule()
6011 pf_log_matches(pd, r, ctx.a, ruleset, match_rules); in pf_test_rule()
6012 if (pd->virtual_proto != PF_VPROTO_FRAGMENT && in pf_test_rule()
6017 pf_return(r, ctx.nr, pd, ctx.th, bproto_sum, in pf_test_rule()
6024 if (ctx.tag > 0 && pf_tag_packet(pd, ctx.tag)) { in pf_test_rule()
6028 if (pd->act.rtableid >= 0) in pf_test_rule()
6029 M_SETFIB(pd->m, pd->act.rtableid); in pf_test_rule()
6038 pd->act.rt = r->rt; in pf_test_rule()
6040 pd->act.rt_af = pd->af; in pf_test_rule()
6042 pd->act.rt_af = pd->naf; in pf_test_rule()
6043 if ((transerror = pf_map_addr_sn(pd->af, r, pd->src, in pf_test_rule()
6044 &pd->act.rt_addr, &pd->act.rt_af, &pd->act.rt_kif, NULL, in pf_test_rule()
6051 if (pd->virtual_proto != PF_VPROTO_FRAGMENT && in pf_test_rule()
6053 (pd->flags & PFDESC_TCP_NORM)))) { in pf_test_rule()
6063 pd->act.log |= PF_LOG_FORCE; in pf_test_rule()
6066 pf_return(r, ctx.nr, pd, ctx.th, in pf_test_rule()
6068 pd->act.rtableid); in pf_test_rule()
6073 nat64 = pd->af != pd->naf; in pf_test_rule()
6078 ctx.sk = (*sm)->key[pd->dir == PF_IN ? PF_SK_STACK : PF_SK_WIRE]; in pf_test_rule()
6080 ctx.nk = (*sm)->key[pd->dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK]; in pf_test_rule()
6082 if (pd->dir == PF_IN) { in pf_test_rule()
6083 ret = pf_translate(pd, &ctx.sk->addr[pd->didx], in pf_test_rule()
6084 ctx.sk->port[pd->didx], &ctx.sk->addr[pd->sidx], in pf_test_rule()
6085 ctx.sk->port[pd->sidx], ctx.virtual_type, in pf_test_rule()
6088 ret = pf_translate(pd, &ctx.sk->addr[pd->sidx], in pf_test_rule()
6089 ctx.sk->port[pd->sidx], &ctx.sk->addr[pd->didx], in pf_test_rule()
6090 ctx.sk->port[pd->didx], ctx.virtual_type, in pf_test_rule()
6111 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_rule()
6114 pd->dir == PF_OUT && in pf_test_rule()
6115 V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m)) { in pf_test_rule()
6143 struct pf_pdesc *pd = ctx->pd; in pf_create_state() local
6152 struct tcphdr *th = &pd->hdr.tcp; in pf_create_state()
6165 (sn_reason = pf_insert_src_node(sns, snhs, r, pd->src, pd->af, in pf_create_state()
6166 NULL, NULL, pd->af, PF_SN_LIMIT)) != 0) { in pf_create_state()
6173 (sn_reason = pf_insert_src_node(sns, snhs, r, pd->src, in pf_create_state()
6174 pd->af, &pd->act.rt_addr, pd->act.rt_kif, pd->act.rt_af, in pf_create_state()
6191 ctx->sk ? &(ctx->sk->addr[pd->sidx]) : pd->src, pd->af, in pf_create_state()
6192 ctx->nk ? &(ctx->nk->addr[1]) : &(pd->nsaddr), NULL, in pf_create_state()
6193 pd->naf, PF_SN_NAT)) != 0 ) { in pf_create_state()
6207 memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions)); in pf_create_state()
6209 if (pd->act.allow_opts) in pf_create_state()
6213 if (pd->flags & PFDESC_TCP_NORM) /* Set by old-style scrub rules */ in pf_create_state()
6219 s->act.log = pd->act.log & PF_LOG_ALL; in pf_create_state()
6221 s->state_flags |= pd->act.flags; /* Only needed for pfsync and state export */ in pf_create_state()
6225 switch (pd->proto) { in pf_create_state()
6228 s->src.seqhi = s->src.seqlo + pd->p_len + 1; in pf_create_state()
6232 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == in pf_create_state()
6235 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, in pf_create_state()
6242 s->src.wscale = pf_get_wscale(pd); in pf_create_state()
6285 if (pd->proto == IPPROTO_TCP) { in pf_create_state()
6287 pf_normalize_tcp_init(pd, th, &s->src)) { in pf_create_state()
6292 pf_normalize_tcp_stateful(pd, &ctx->reason, th, s, in pf_create_state()
6300 } else if (pd->proto == IPPROTO_SCTP) { in pf_create_state()
6301 if (pf_normalize_sctp_init(pd, &s->src, &s->dst)) in pf_create_state()
6303 if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP))) in pf_create_state()
6306 s->direction = pd->dir; in pf_create_state()
6312 MPASS(pd->sport == NULL || (pd->osport == *pd->sport)); in pf_create_state()
6313 MPASS(pd->dport == NULL || (pd->odport == *pd->dport)); in pf_create_state()
6314 if (pf_state_key_setup(pd, pd->nsport, pd->ndport, in pf_create_state()
6323 if (pf_state_insert(BOUND_IFACE(s, pd), pd->kif, in pf_create_state()
6324 (pd->dir == PF_IN) ? ctx->sk : ctx->nk, in pf_create_state()
6325 (pd->dir == PF_IN) ? ctx->nk : ctx->sk, s)) { in pf_create_state()
6346 if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) == in pf_create_state()
6347 TH_SYN && r->keep_state == PF_STATE_SYNPROXY && pd->dir == PF_IN) { in pf_create_state()
6349 pf_undo_nat(ctx->nr, pd, bip_sum); in pf_create_state()
6352 int rtid = M_GETFIB(pd->m); in pf_create_state()
6353 mss = pf_get_mss(pd); in pf_create_state()
6354 mss = pf_calc_mss(pd->src, pd->af, rtid, mss); in pf_create_state()
6355 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss); in pf_create_state()
6357 pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport, in pf_create_state()
6360 pd->act.rtableid, &ctx->reason); in pf_create_state()
6397 pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport, in pf_translate() argument
6412 int afto = pd->af != pd->naf; in pf_translate()
6416 switch (pd->proto) { in pf_translate()
6420 if (afto || *pd->sport != sport) { in pf_translate()
6421 pf_change_ap(pd, pd->src, pd->sport, in pf_translate()
6425 if (afto || *pd->dport != dport) { in pf_translate()
6426 pf_change_ap(pd, pd->dst, pd->dport, in pf_translate()
6435 if (pd->af != AF_INET) in pf_translate()
6439 if (pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp)) in pf_translate()
6441 pd->proto = IPPROTO_ICMPV6; in pf_translate()
6447 if (icmpid != pd->hdr.icmp.icmp_id) { in pf_translate()
6448 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_translate()
6449 pd->hdr.icmp.icmp_cksum, in pf_translate()
6450 pd->hdr.icmp.icmp_id, icmpid, 0); in pf_translate()
6451 pd->hdr.icmp.icmp_id = icmpid; in pf_translate()
6462 if (pd->af != AF_INET6) in pf_translate()
6467 if (pf_translate_icmp_af(AF_INET, &pd->hdr.icmp6)) in pf_translate()
6469 pd->proto = IPPROTO_ICMP; in pf_translate()
/*
 * pf_translate_compat() -- this listing shows only the lines that mention
 * `pd`, so case labels, braces and returns are missing from this view.
 * Visible pattern: each branch compares pd->nsaddr/nsport and
 * pd->ndaddr/ndport with nk->addr[]/nk->port[]; on a mismatch the packet
 * header is rewritten and the pd->n* fields are refreshed from the packet.
 */
6485 struct pf_pdesc *pd = ctx->pd; in pf_translate_compat() local
6487 struct tcphdr *th = &pd->hdr.tcp; in pf_translate_compat()
6493 switch (pd->virtual_proto) { in pf_translate_compat()
/* Branch working on pd->hdr.tcp (through th): source side first, then destination side. */
6495 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_translate_compat()
6496 nk->port[pd->sidx] != pd->nsport) { in pf_translate_compat()
6497 pf_change_ap(pd, pd->src, &th->th_sport, in pf_translate_compat()
6498 &nk->addr[pd->sidx], nk->port[pd->sidx]); in pf_translate_compat()
6499 pd->sport = &th->th_sport; in pf_translate_compat()
6500 pd->nsport = th->th_sport; in pf_translate_compat()
6501 pf_addrcpy(&pd->nsaddr, pd->src, pd->af); in pf_translate_compat()
6504 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_translate_compat()
6505 nk->port[pd->didx] != pd->ndport) { in pf_translate_compat()
6506 pf_change_ap(pd, pd->dst, &th->th_dport, in pf_translate_compat()
6507 &nk->addr[pd->didx], nk->port[pd->didx]); in pf_translate_compat()
6508 pd->dport = &th->th_dport; in pf_translate_compat()
6509 pd->ndport = th->th_dport; in pf_translate_compat()
6510 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af); in pf_translate_compat()
/* Same comparison and rewrite, applied to the ports in pd->hdr.udp. */
6515 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_translate_compat()
6516 nk->port[pd->sidx] != pd->nsport) { in pf_translate_compat()
6517 pf_change_ap(pd, pd->src, in pf_translate_compat()
6518 &pd->hdr.udp.uh_sport, in pf_translate_compat()
6519 &nk->addr[pd->sidx], in pf_translate_compat()
6520 nk->port[pd->sidx]); in pf_translate_compat()
6521 pd->sport = &pd->hdr.udp.uh_sport; in pf_translate_compat()
6522 pd->nsport = pd->hdr.udp.uh_sport; in pf_translate_compat()
6523 pf_addrcpy(&pd->nsaddr, pd->src, pd->af); in pf_translate_compat()
6526 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_translate_compat()
6527 nk->port[pd->didx] != pd->ndport) { in pf_translate_compat()
6528 pf_change_ap(pd, pd->dst, in pf_translate_compat()
6529 &pd->hdr.udp.uh_dport, in pf_translate_compat()
6530 &nk->addr[pd->didx], in pf_translate_compat()
6531 nk->port[pd->didx]); in pf_translate_compat()
6532 pd->dport = &pd->hdr.udp.uh_dport; in pf_translate_compat()
6533 pd->ndport = pd->hdr.udp.uh_dport; in pf_translate_compat()
6534 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af); in pf_translate_compat()
/* Same comparison and rewrite, applied to the ports in pd->hdr.sctp. */
6539 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_translate_compat()
6540 nk->port[pd->sidx] != pd->nsport) { in pf_translate_compat()
6541 pf_change_ap(pd, pd->src, in pf_translate_compat()
6542 &pd->hdr.sctp.src_port, in pf_translate_compat()
6543 &nk->addr[pd->sidx], in pf_translate_compat()
6544 nk->port[pd->sidx]); in pf_translate_compat()
6545 pd->sport = &pd->hdr.sctp.src_port; in pf_translate_compat()
6546 pd->nsport = pd->hdr.sctp.src_port; in pf_translate_compat()
6547 pf_addrcpy(&pd->nsaddr, pd->src, pd->af); in pf_translate_compat()
6549 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_translate_compat()
6550 nk->port[pd->didx] != pd->ndport) { in pf_translate_compat()
6551 pf_change_ap(pd, pd->dst, in pf_translate_compat()
6552 &pd->hdr.sctp.dest_port, in pf_translate_compat()
6553 &nk->addr[pd->didx], in pf_translate_compat()
6554 nk->port[pd->didx]); in pf_translate_compat()
6555 pd->dport = &pd->hdr.sctp.dest_port; in pf_translate_compat()
6556 pd->ndport = pd->hdr.sctp.dest_port; in pf_translate_compat()
6557 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af); in pf_translate_compat()
/* IPv4 addresses only (compared as AF_INET): pf_change_a() is handed pd->ip_sum along with the address. */
6563 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET)) { in pf_translate_compat()
6564 pf_change_a(&pd->src->v4.s_addr, pd->ip_sum, in pf_translate_compat()
6565 nk->addr[pd->sidx].v4.s_addr, 0); in pf_translate_compat()
6566 pf_addrcpy(&pd->nsaddr, pd->src, pd->af); in pf_translate_compat()
6569 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET)) { in pf_translate_compat()
6570 pf_change_a(&pd->dst->v4.s_addr, pd->ip_sum, in pf_translate_compat()
6571 nk->addr[pd->didx].v4.s_addr, 0); in pf_translate_compat()
6572 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af); in pf_translate_compat()
/*
 * Tail of a condition whose first line is not listed. The ICMP id is replaced
 * by nk->port[pd->sidx] and the ICMP checksum adjusted to match.
 * NOTE(review): the comparison reads icmp_id but the fixup is given
 * pd->nsport as its second operand; presumably the two hold the same value
 * at this point -- confirm, otherwise the checksum adjustment is off.
 */
6576 nk->port[pd->sidx] != pd->hdr.icmp.icmp_id) { in pf_translate_compat()
6577 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_translate_compat()
6578 pd->hdr.icmp.icmp_cksum, pd->nsport, in pf_translate_compat()
6579 nk->port[pd->sidx], 0); in pf_translate_compat()
6580 pd->hdr.icmp.icmp_id = nk->port[pd->sidx]; in pf_translate_compat()
6581 pd->sport = &pd->hdr.icmp.icmp_id; in pf_translate_compat()
/* The modified ICMP header copy (ICMP_MINLEN bytes) is written back into the mbuf at pd->off. */
6583 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); in pf_translate_compat()
/* IPv6 addresses with an ICMPv6 header: pf_change_a6() is handed icmp6_cksum along with the address. */
6588 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET6)) { in pf_translate_compat()
6589 pf_change_a6(pd->src, &pd->hdr.icmp6.icmp6_cksum, in pf_translate_compat()
6590 &nk->addr[pd->sidx], 0); in pf_translate_compat()
6591 pf_addrcpy(&pd->nsaddr, pd->src, pd->af); in pf_translate_compat()
6594 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET6)) { in pf_translate_compat()
6595 pf_change_a6(pd->dst, &pd->hdr.icmp6.icmp6_cksum, in pf_translate_compat()
6596 &nk->addr[pd->didx], 0); in pf_translate_compat()
6597 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af); in pf_translate_compat()
/*
 * Per-address-family handling. The AF_INET comparisons go through
 * pf_change_a() with pd->ip_sum; the AF_INET6 comparisons only copy the
 * address with pf_addrcpy() -- no checksum argument appears on the listed
 * lines for that case.
 */
6603 switch (pd->af) { in pf_translate_compat()
6606 if (PF_ANEQ(&pd->nsaddr, in pf_translate_compat()
6607 &nk->addr[pd->sidx], AF_INET)) { in pf_translate_compat()
6608 pf_change_a(&pd->src->v4.s_addr, in pf_translate_compat()
6609 pd->ip_sum, in pf_translate_compat()
6610 nk->addr[pd->sidx].v4.s_addr, 0); in pf_translate_compat()
6611 pf_addrcpy(&pd->nsaddr, pd->src, pd->af); in pf_translate_compat()
6614 if (PF_ANEQ(&pd->ndaddr, in pf_translate_compat()
6615 &nk->addr[pd->didx], AF_INET)) { in pf_translate_compat()
6616 pf_change_a(&pd->dst->v4.s_addr, in pf_translate_compat()
6617 pd->ip_sum, in pf_translate_compat()
6618 nk->addr[pd->didx].v4.s_addr, 0); in pf_translate_compat()
6619 pf_addrcpy(&pd->ndaddr, pd->dst, pd->af); in pf_translate_compat()
6625 if (PF_ANEQ(&pd->nsaddr, in pf_translate_compat()
6626 &nk->addr[pd->sidx], AF_INET6)) { in pf_translate_compat()
6627 pf_addrcpy(&pd->nsaddr, &nk->addr[pd->sidx], in pf_translate_compat()
6628 pd->af); in pf_translate_compat()
6629 pf_addrcpy(pd->src, &nk->addr[pd->sidx], pd->af); in pf_translate_compat()
6632 if (PF_ANEQ(&pd->ndaddr, in pf_translate_compat()
6633 &nk->addr[pd->didx], AF_INET6)) { in pf_translate_compat()
6634 pf_addrcpy(&pd->ndaddr, &nk->addr[pd->didx], in pf_translate_compat()
6635 pd->af); in pf_translate_compat()
6636 pf_addrcpy(pd->dst, &nk->addr[pd->didx], in pf_translate_compat()
6637 pd->af); in pf_translate_compat()
/*
 * pf_tcp_track_full() -- this listing shows only the lines that mention `pd`;
 * the code between them (including every comparison on seq/ack) is not
 * visible here.
 */
6648 pf_tcp_track_full(struct pf_kstate *state, struct pf_pdesc *pd, in pf_tcp_track_full() argument
6652 struct tcphdr *th = &pd->hdr.tcp; in pf_tcp_track_full()
6676 if (pf_normalize_tcp_init(pd, th, src)) { in pf_tcp_track_full()
/* th_seq and th_ack are rewritten in the header copy, with th_sum passed to the same helper; the first call continues on a line not listed. */
6688 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + in pf_tcp_track_full()
6690 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); in pf_tcp_track_full()
/* `end` starts as seq plus the payload length; any later adjustment is on lines not listed. */
6696 end = seq + pd->p_len; in pf_tcp_track_full()
6700 src->wscale = pf_get_wscale(pd); in pf_tcp_track_full()
/* Same seq/ack rewrite and `end` computation as above, in a second branch. */
6741 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + in pf_tcp_track_full()
6743 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); in pf_tcp_track_full()
6746 end = seq + pd->p_len; in pf_tcp_track_full()
6789 if (pf_modulate_sack(pd, th, dst)) in pf_tcp_track_full()
6811 if (pf_normalize_tcp_stateful(pd, reason, th, in pf_tcp_track_full()
/* Arguments of a call whose first line is not listed; the "in"/"out" and "fwd"/"rev" strings suggest a diagnostic print. */
6904 pd->p_len, ackskew, (unsigned long long)state->packets[0], in pf_tcp_track_full()
6906 pd->dir == PF_IN ? "in" : "out", in pf_tcp_track_full()
6907 pd->dir == state->direction ? "fwd" : "rev"); in pf_tcp_track_full()
6911 if (pf_normalize_tcp_stateful(pd, reason, th, in pf_tcp_track_full()
/*
 * A TCP segment is generated with pd->dst/pd->src and th_dport given in that
 * order -- presumably (source, destination), which addresses it back toward
 * this packet's sender; confirm against pf_send_tcp(). Its flags and
 * sequence numbers are on lines not listed.
 */
6944 pf_send_tcp(state->rule, pd->af, in pf_tcp_track_full()
6945 pd->dst, pd->src, th->th_dport, in pf_tcp_track_full()
6959 seq, orig_seq, ack, pd->p_len, ackskew, in pf_tcp_track_full()
6962 pd->dir == PF_IN ? "in" : "out", in pf_tcp_track_full()
6963 pd->dir == state->direction ? "fwd" : "rev"); in pf_tcp_track_full()
/*
 * pf_tcp_track_sloppy() -- only two lines of this function mention `pd`:
 * the signature and the alias for the TCP header copy in pd->hdr.tcp.
 * Nothing about its checks can be read from this listing.
 */
6981 pf_tcp_track_sloppy(struct pf_kstate *state, struct pf_pdesc *pd, in pf_tcp_track_sloppy() argument
6985 struct tcphdr *th = &pd->hdr.tcp; in pf_tcp_track_sloppy()
/*
 * pf_synproxy() -- this listing shows only the lines that mention `pd`.
 * Two kinds of pf_send_tcp() calls are visible: one built from the packet's
 * own addresses in swapped order, one built from the state key `sk`.
 * The flags and sequence numbers of each generated segment are on
 * continuation lines not listed.
 */
7055 pf_synproxy(struct pf_pdesc *pd, struct pf_kstate *state, u_short *reason) in pf_synproxy() argument
7057 struct pf_state_key *sk = state->key[pd->didx]; in pf_synproxy()
7058 struct tcphdr *th = &pd->hdr.tcp; in pf_synproxy()
/* Branch taken when the packet travels against the state's direction. */
7061 if (pd->dir != state->direction) { in pf_synproxy()
/* pd->dst/pd->src and th_dport/th_sport are passed swapped: presumably a segment addressed back to this packet's sender -- confirm against pf_send_tcp(). */
7070 pf_send_tcp(state->rule, pd->af, pd->dst, in pf_synproxy()
7071 pd->src, th->th_dport, th->th_sport, in pf_synproxy()
/* Branch taken when the packet travels in the state's direction. */
7092 if (pd->dir == state->direction) { in pf_synproxy()
/* Addresses and ports come from the state key, sidx before didx (not swapped). */
7102 pf_send_tcp(state->rule, pd->af, in pf_synproxy()
7103 &sk->addr[pd->sidx], &sk->addr[pd->didx], in pf_synproxy()
7104 sk->port[pd->sidx], sk->port[pd->didx], in pf_synproxy()
7120 pf_send_tcp(state->rule, pd->af, pd->dst, in pf_synproxy()
7121 pd->src, th->th_dport, th->th_sport, in pf_synproxy()
7126 pf_send_tcp(state->rule, pd->af, in pf_synproxy()
7127 &sk->addr[pd->sidx], &sk->addr[pd->didx], in pf_synproxy()
7128 sk->port[pd->sidx], sk->port[pd->didx], in pf_synproxy()
/*
 * pf_test_state() -- this listing shows only the lines that mention `pd`.
 * Visible steps: build a lookup key from the packet, find the state, run the
 * per-protocol tracking, then rewrite addresses/ports from the state key.
 */
7153 pf_test_state(struct pf_kstate **state, struct pf_pdesc *pd, u_short *reason) in pf_test_state() argument
/* The key uses the packet's addresses together with pd->osport/pd->odport, placed in the slots selected by pd->sidx/pd->didx. */
7162 key.af = pd->af; in pf_test_state()
7163 key.proto = pd->virtual_proto; in pf_test_state()
7164 pf_addrcpy(&key.addr[pd->sidx], pd->src, key.af); in pf_test_state()
7165 pf_addrcpy(&key.addr[pd->didx], pd->dst, key.af); in pf_test_state()
7166 key.port[pd->sidx] = pd->osport; in pf_test_state()
7167 key.port[pd->didx] = pd->odport; in pf_test_state()
7169 action = pf_find_state(pd, &key, state); in pf_test_state()
/* Direction of the packet relative to the state, with PF_REVERSED_KEY() consulted in both branches; what is selected is on lines not listed. */
7174 if (pd->dir == (*state)->direction) { in pf_test_state()
7175 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state()
7187 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state()
7200 switch (pd->virtual_proto) { in pf_test_state()
/* Branch working on pd->hdr.tcp: a pf_synproxy() result other than PF_PASS is tested first. */
7202 struct tcphdr *th = &pd->hdr.tcp; in pf_test_state()
7204 if ((action = pf_synproxy(pd, *state, reason)) != PF_PASS) in pf_test_state()
/* Tail of a condition whose first line is not listed: the syncookie check only counts for inbound packets. */
7208 pf_syncookie_check(pd) && pd->dir == PF_IN)) { in pf_test_state()
7232 pf_send_challenge_ack(pd, *state, src, dst, reason); in pf_test_state()
/* Two tracking routines are called here; the condition choosing between them is on lines not listed. */
7237 if (pf_tcp_track_sloppy(*state, pd, reason, src, dst, in pf_test_state()
7243 ret = pf_tcp_track_full(*state, pd, reason, in pf_test_state()
/* SCTP handling keyed on pd->sctp_flags; a pf_sctp_track() result other than PF_PASS is tested. */
7267 pd->sctp_flags & PFDESC_SCTP_INIT) { in pf_test_state()
7274 if (pf_sctp_track(*state, pd, reason) != PF_PASS) in pf_test_state()
7278 if (pd->sctp_flags & PFDESC_SCTP_INIT) { in pf_test_state()
7284 if (pd->sctp_flags & PFDESC_SCTP_INIT_ACK) { in pf_test_state()
/* On INIT_ACK the initiate tag taken from the packet is stored as dst's verification tag. */
7287 dst->scrub->pfss_v_tag = pd->sctp_initiate_tag; in pf_test_state()
7297 (*state)->kif = pd->kif; in pf_test_state()
7299 if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) { in pf_test_state()
7305 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | in pf_test_state()
7312 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE | PFDESC_SCTP_ABORT)) { in pf_test_state()
/* Translation: nk is one of the state's keys; afto is set when its address family differs from the packet's. */
7340 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state()
7341 nk = (*state)->key[pd->sidx]; in pf_test_state()
7343 nk = (*state)->key[pd->didx]; in pf_test_state()
7345 afto = pd->af != nk->af; in pf_test_state()
/* sidx/didx are either swapped or taken as-is; the condition is on a line not listed. */
7348 sidx = pd->didx; in pf_test_state()
7349 didx = pd->sidx; in pf_test_state()
7351 sidx = pd->sidx; in pf_test_state()
7352 didx = pd->didx; in pf_test_state()
7356 pf_addrcpy(&pd->nsaddr, &nk->addr[sidx], nk->af); in pf_test_state()
7357 pf_addrcpy(&pd->ndaddr, &nk->addr[didx], nk->af); in pf_test_state()
7358 pd->naf = nk->af; in pf_test_state()
/* Rewrite is triggered by afto, by an address mismatch, or by a port that differs from the original port recorded in pd. */
7362 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) || in pf_test_state()
7363 nk->port[sidx] != pd->osport) in pf_test_state()
7364 pf_change_ap(pd, pd->src, pd->sport, in pf_test_state()
7367 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) || in pf_test_state()
7368 nk->port[didx] != pd->odport) in pf_test_state()
7369 pf_change_ap(pd, pd->dst, pd->dport, in pf_test_state()
/* The header copy is written back into the mbuf only when something changed and a header length is known. */
7375 if (copyback && pd->hdrlen > 0) in pf_test_state()
7376 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_state()
/*
 * pf_sctp_track() -- this listing shows only the lines that mention `pd`.
 * Visible: the packet's SCTP verification tag is either stored in
 * src->scrub->pfss_v_tag or compared against the stored value.
 */
7382 pf_sctp_track(struct pf_kstate *state, struct pf_pdesc *pd, in pf_sctp_track() argument
7386 if (pd->dir == state->direction) { in pf_sctp_track()
7387 if (PF_REVERSED_KEY(state, pd->af)) in pf_sctp_track()
7392 if (PF_REVERSED_KEY(state, pd->af)) in pf_sctp_track()
/*
 * The condition guarding the store, and the action taken when the tags
 * differ, are on lines not listed. NOTE(review): presumably the first tag
 * seen is recorded and later packets with another tag are rejected --
 * confirm, since this comparison is what ties a packet to the association.
 */
7400 src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag; in pf_sctp_track()
7401 else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag) in pf_sctp_track()
/*
 * pf_sctp_multihome_add_addr() -- this listing shows only the lines that
 * mention `pd`; the container searched and the allocation of `i` are not
 * visible here.
 */
7468 pf_sctp_multihome_add_addr(struct pf_pdesc *pd, struct pf_addr *a, uint32_t v_tag) in pf_sctp_multihome_add_addr() argument
/* An existing entry's address is compared with `a` in the packet's address family; presumably a duplicate check -- confirm. */
7497 if (pf_addr_cmp(&i->addr, a, pd->af) == 0) { in pf_sctp_multihome_add_addr()
/* The entry records the packet's address family. */
7515 i->af = pd->af; in pf_sctp_multihome_add_addr()
/*
 * pf_sctp_multihome_delayed() -- this listing shows only the lines that
 * mention `pd`. Visible: the function walks pd->sctp_multihome_jobs, works on
 * each job's own packet descriptor (j->pd), may append further jobs, and
 * removes jobs from the queue.
 */
7524 pf_sctp_multihome_delayed(struct pf_pdesc *pd, struct pfi_kkif *kif, in pf_sctp_multihome_delayed() argument
/* The _SAFE iterator is used; jobs are removed from the queue further down. */
7541 TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) { in pf_sctp_multihome_delayed()
/* Asserts that the caller's descriptor does not carry the ADD_IP flag; the flag is set on the job's copy below. */
7546 MPASS(! (pd->sctp_flags & PFDESC_SCTP_ADD_IP)); in pf_sctp_multihome_delayed()
7550 uint32_t v_tag = pd->sctp_initiate_tag; in pf_sctp_multihome_delayed()
7553 if (s->direction == pd->dir) in pf_sctp_multihome_delayed()
7565 if (pf_addr_cmp(&j->src, pd->src, pd->af) == 0) { in pf_sctp_multihome_delayed()
7569 j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP; in pf_sctp_multihome_delayed()
7573 j->pd.related_rule = s->rule; in pf_sctp_multihome_delayed()
/* Tail of a call whose first line is not listed; it is handed the job's descriptor, not the caller's. */
7577 &j->pd, &ra, &rs, &reason, NULL, &match_rules); in pf_sctp_multihome_delayed()
7584 SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->pd.m, ret); in pf_sctp_multihome_delayed()
7601 pf_sctp_multihome_add_addr(pd, &j->src, v_tag); in pf_sctp_multihome_delayed()
7611 .v_tag = pd->hdr.sctp.v_tag, in pf_sctp_multihome_delayed()
7627 if (i->af != pd->af) in pf_sctp_multihome_delayed()
/*
 * A new job is cloned from the current one. The struct copy duplicates the
 * src/dst pointers, so they are re-pointed at the new job's own storage.
 * The mbuf pointer stays shared with the original job.
 * NOTE(review): the mbuf must therefore outlive every queued job -- confirm
 * who frees it and when.
 */
7634 memcpy(&nj->pd, &j->pd, sizeof(j->pd)); in pf_sctp_multihome_delayed()
7636 nj->pd.src = &nj->src; in pf_sctp_multihome_delayed()
7639 nj->pd.dst = &nj->dst; in pf_sctp_multihome_delayed()
7640 nj->pd.m = j->pd.m; in pf_sctp_multihome_delayed()
7643 MPASS(nj->pd.pcksum); in pf_sctp_multihome_delayed()
/* Appended to the queue that is currently being iterated. */
7644 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, nj, next); in pf_sctp_multihome_delayed()
/* State lookup key built from the job's descriptor; the slot order depends on the job's direction. */
7656 key.af = j->pd.af; in pf_sctp_multihome_delayed()
7658 if (j->pd.dir == PF_IN) { /* wire side, straight */ in pf_sctp_multihome_delayed()
7659 pf_addrcpy(&key.addr[0], j->pd.src, key.af); in pf_sctp_multihome_delayed()
7660 pf_addrcpy(&key.addr[1], j->pd.dst, key.af); in pf_sctp_multihome_delayed()
7661 key.port[0] = j->pd.hdr.sctp.src_port; in pf_sctp_multihome_delayed()
7662 key.port[1] = j->pd.hdr.sctp.dest_port; in pf_sctp_multihome_delayed()
7664 pf_addrcpy(&key.addr[1], j->pd.src, key.af); in pf_sctp_multihome_delayed()
7665 pf_addrcpy(&key.addr[0], j->pd.dst, key.af); in pf_sctp_multihome_delayed()
7666 key.port[1] = j->pd.hdr.sctp.src_port; in pf_sctp_multihome_delayed()
7667 key.port[0] = j->pd.hdr.sctp.dest_port; in pf_sctp_multihome_delayed()
7670 action = pf_find_state(&j->pd, &key, &sm); in pf_sctp_multihome_delayed()
7673 if (j->pd.dir == sm->direction) { in pf_sctp_multihome_delayed()
7689 TAILQ_REMOVE(&pd->sctp_multihome_jobs, j, next); in pf_sctp_multihome_delayed()
/* The queue is tested again after the walk; jobs appended during the walk may still be on it. */
7694 if (! TAILQ_EMPTY(&pd->sctp_multihome_jobs)) { in pf_sctp_multihome_delayed()
/*
 * pf_multihome_scan() -- this listing shows only the lines that mention `pd`.
 * Visible: parameters are read from the packet at start + off, address
 * parameters are queued as jobs on pd->sctp_multihome_jobs, and the function
 * calls itself for nested parameters.
 * Every visible read of packet data goes through pf_pull_hdr() with an
 * explicit size, and each call's failure is tested.
 */
7701 pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op) in pf_multihome_scan() argument
7706 SDT_PROBE4(pf, sctp, multihome_scan, entry, start, len, pd, op); in pf_multihome_scan()
7711 if (!pf_pull_hdr(pd->m, start + off, &h, sizeof(h), NULL, in pf_multihome_scan()
7712 pd->af)) in pf_multihome_scan()
7730 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), in pf_multihome_scan()
7731 NULL, pd->af)) in pf_multihome_scan()
/* The address read from the parameter is replaced by the packet's own source address; the guarding condition is on a line not listed. */
7735 t.s_addr = pd->src->v4.s_addr; in pf_multihome_scan()
/*
 * The job takes a struct copy of the caller's descriptor. src/dst are
 * re-pointed at the job's own storage so they do not alias the caller's,
 * while the mbuf pointer stays shared.
 */
7753 memcpy(&job->pd, pd, sizeof(*pd)); in pf_multihome_scan()
7757 job->pd.src = &job->src; in pf_multihome_scan()
7758 memcpy(&job->dst, pd->dst, sizeof(job->dst)); in pf_multihome_scan()
7759 job->pd.dst = &job->dst; in pf_multihome_scan()
7760 job->pd.m = pd->m; in pf_multihome_scan()
7763 MPASS(job->pd.pcksum); in pf_multihome_scan()
7764 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); in pf_multihome_scan()
/* Same sequence for the IPv6 form of the parameter (compared against pd->src->v6). */
7775 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), in pf_multihome_scan()
7776 NULL, pd->af)) in pf_multihome_scan()
7778 if (memcmp(&t, &pd->src->v6, sizeof(t)) == 0) in pf_multihome_scan()
7781 memcpy(&t, &pd->src->v6, sizeof(t)); in pf_multihome_scan()
7789 memcpy(&job->pd, pd, sizeof(*pd)); in pf_multihome_scan()
7791 job->pd.src = &job->src; in pf_multihome_scan()
7792 memcpy(&job->dst, pd->dst, sizeof(job->dst)); in pf_multihome_scan()
7793 job->pd.dst = &job->dst; in pf_multihome_scan()
7794 job->pd.m = pd->m; in pf_multihome_scan()
7797 MPASS(job->pd.pcksum); in pf_multihome_scan()
7798 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); in pf_multihome_scan()
7806 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), in pf_multihome_scan()
7807 NULL, pd->af)) in pf_multihome_scan()
/*
 * Length argument of a nested call (first line not listed): the
 * packet-supplied param_length minus sizeof(ah).
 * NOTE(review): param_length is attacker-controlled and the subtraction
 * mixes it with a size_t; any lower-bound check is on lines not listed.
 * Confirm that a value smaller than sizeof(ah) is rejected or ends up as a
 * non-positive `len` in the callee.
 */
7811 ntohs(ah.ph.param_length) - sizeof(ah), pd, in pf_multihome_scan()
7821 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), in pf_multihome_scan()
7822 NULL, pd->af)) in pf_multihome_scan()
7825 ntohs(ah.ph.param_length) - sizeof(ah), pd, in pf_multihome_scan()
/*
 * pf_multihome_scan_init() -- only the signature and the return statement
 * mention `pd`. The result is whatever pf_multihome_scan() returns for op
 * SCTP_ADD_IP_ADDRESS; any adjustment of start/len before the call is on
 * lines not listed.
 */
7842 pf_multihome_scan_init(int start, int len, struct pf_pdesc *pd) in pf_multihome_scan_init() argument
7847 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); in pf_multihome_scan_init()
/*
 * pf_multihome_scan_asconf() -- only the signature and the return statement
 * mention `pd`. It forwards to pf_multihome_scan() with the same op value,
 * SCTP_ADD_IP_ADDRESS, that pf_multihome_scan_init() passes; any adjustment
 * of start/len before the call is on lines not listed.
 */
7851 pf_multihome_scan_asconf(int start, int len, struct pf_pdesc *pd) in pf_multihome_scan_asconf() argument
7856 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); in pf_multihome_scan_asconf()
/*
 * pf_icmp_state_lookup() -- this listing shows only the lines that mention
 * `pd`. Visible: the caller's key is filled from the packet and handed to
 * pf_find_state(); a direction value is then derived and compared with
 * pd->dir.
 */
7860 pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, in pf_icmp_state_lookup() argument
7864 int action, direction = pd->dir; in pf_icmp_state_lookup()
7866 key->af = pd->af; in pf_icmp_state_lookup()
7867 key->proto = pd->proto; in pf_icmp_state_lookup()
/*
 * The key's port slots carry the ICMP id and the type value. Which slot gets
 * which, and the index reported through *iidx, depends on a condition on a
 * line not listed.
 */
7869 *iidx = pd->sidx; in pf_icmp_state_lookup()
7870 key->port[pd->sidx] = icmpid; in pf_icmp_state_lookup()
7871 key->port[pd->didx] = type; in pf_icmp_state_lookup()
7873 *iidx = pd->didx; in pf_icmp_state_lookup()
7874 key->port[pd->sidx] = type; in pf_icmp_state_lookup()
7875 key->port[pd->didx] = icmpid; in pf_icmp_state_lookup()
7877 if (pf_state_key_addr_setup(pd, key, multi)) in pf_icmp_state_lookup()
7880 action = pf_find_state(pd, key, state); in pf_icmp_state_lookup()
/* direction is recomputed from the address family of the state's wire-side key. */
7889 direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ? in pf_icmp_state_lookup()
/* The expected relation to pd->dir is inverted when `inner` is set; the surrounding condition and its outcome are on lines not listed. */
7894 (((!inner && direction == pd->dir) || in pf_icmp_state_lookup()
7895 (inner && direction != pd->dir)) ? in pf_icmp_state_lookup()
/*
 * pf_test_state_icmp() -- this listing shows only the lines that mention
 * `pd`; case labels, braces and most conditions are missing from this view.
 * Two parts are visible: handling of the ICMP/ICMPv6 message itself, and
 * handling of a second header pulled from just past the ICMP header and
 * described by pd2.
 */
7911 pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, in pf_test_state_icmp() argument
7914 struct pf_addr *saddr = pd->src, *daddr = pd->dst; in pf_test_state_icmp()
/* Type, code, id and checksum pointer are taken from the ICMP or ICMPv6 header copy; any other protocol panics. */
7926 switch (pd->proto) { in pf_test_state_icmp()
7929 icmptype = pd->hdr.icmp.icmp_type; in pf_test_state_icmp()
7930 icmpcode = pd->hdr.icmp.icmp_code; in pf_test_state_icmp()
7931 icmpid = pd->hdr.icmp.icmp_id; in pf_test_state_icmp()
7932 icmpsum = &pd->hdr.icmp.icmp_cksum; in pf_test_state_icmp()
7937 icmptype = pd->hdr.icmp6.icmp6_type; in pf_test_state_icmp()
7938 icmpcode = pd->hdr.icmp6.icmp6_code; in pf_test_state_icmp()
7940 icmpid = pd->hdr.icmp6.icmp6_id; in pf_test_state_icmp()
7942 icmpsum = &pd->hdr.icmp6.icmp6_cksum; in pf_test_state_icmp()
7946 panic("unhandled proto %d", pd->proto); in pf_test_state_icmp()
7949 if (pf_icmp_mapping(pd, icmptype, &icmp_dir, &virtual_id, in pf_test_state_icmp()
7955 ret = pf_icmp_state_lookup(&key, pd, state, virtual_id, in pf_test_state_icmp()
/* A second lookup is attempted when the first returned PF_DROP for an IPv6 packet with icmp_dir == PF_OUT. */
7958 if (ret == PF_DROP && pd->af == AF_INET6 && icmp_dir == PF_OUT) { in pf_test_state_icmp()
7960 ret = pf_icmp_state_lookup(&key, pd, state, in pf_test_state_icmp()
7977 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
7978 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
7980 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
7982 afto = pd->af != nk->af; in pf_test_state_icmp()
7985 sidx = pd->didx; in pf_test_state_icmp()
7986 didx = pd->sidx; in pf_test_state_icmp()
7989 sidx = pd->sidx; in pf_test_state_icmp()
7990 didx = pd->didx; in pf_test_state_icmp()
/* Rewrite of the ICMP message itself, per address family; the header copy is written back with m_copyback(). */
7993 switch (pd->af) { in pf_test_state_icmp()
7999 &pd->hdr.icmp)) in pf_test_state_icmp()
8001 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8005 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET)) in pf_test_state_icmp()
8007 pd->ip_sum, in pf_test_state_icmp()
8011 if (!afto && PF_ANEQ(pd->dst, in pf_test_state_icmp()
8014 pd->ip_sum, in pf_test_state_icmp()
8018 pd->hdr.icmp.icmp_id) { in pf_test_state_icmp()
8019 pd->hdr.icmp.icmp_cksum = in pf_test_state_icmp()
8021 pd->hdr.icmp.icmp_cksum, icmpid, in pf_test_state_icmp()
8023 pd->hdr.icmp.icmp_id = in pf_test_state_icmp()
8027 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8028 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8036 &pd->hdr.icmp6)) in pf_test_state_icmp()
8038 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8042 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET6)) in pf_test_state_icmp()
8044 &pd->hdr.icmp6.icmp6_cksum, in pf_test_state_icmp()
8047 if (!afto && PF_ANEQ(pd->dst, in pf_test_state_icmp()
8050 &pd->hdr.icmp6.icmp6_cksum, in pf_test_state_icmp()
8053 if (nk->port[iidx] != pd->hdr.icmp6.icmp6_id) in pf_test_state_icmp()
8054 pd->hdr.icmp6.icmp6_id = in pf_test_state_icmp()
8057 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
8058 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8063 pf_addrcpy(&pd->nsaddr, &nk->addr[sidx], in pf_test_state_icmp()
8065 pf_addrcpy(&pd->ndaddr, &nk->addr[didx], in pf_test_state_icmp()
8067 pd->naf = nk->af; in pf_test_state_icmp()
/*
 * pd2 is a second descriptor seeded from pd. The header it describes is
 * pulled from ipoff2, the offset just past the ICMP or ICMPv6 header, via
 * pf_pull_hdr() with an explicit size. pd2.sidx/didx are chosen from pd->dir.
 */
8089 pd2.af = pd->af; in pf_test_state_icmp()
8090 pd2.dir = pd->dir; in pf_test_state_icmp()
8092 pd2.sidx = (pd->dir == PF_IN) ? 1 : 0; in pf_test_state_icmp()
8093 pd2.didx = (pd->dir == PF_IN) ? 0 : 1; in pf_test_state_icmp()
8094 pd2.m = pd->m; in pf_test_state_icmp()
8095 pd2.pf_mtag = pd->pf_mtag; in pf_test_state_icmp()
8096 pd2.kif = pd->kif; in pf_test_state_icmp()
8097 switch (pd->af) { in pf_test_state_icmp()
8101 ipoff2 = pd->off + ICMP_MINLEN; in pf_test_state_icmp()
8103 if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2), in pf_test_state_icmp()
8133 ipoff2 = pd->off + sizeof(struct icmp6_hdr); in pf_test_state_icmp()
8135 if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6), in pf_test_state_icmp()
8155 unhandled_af(pd->af); in pf_test_state_icmp()
/*
 * Consistency check between the outer packet and pd2: the branch is taken
 * when the outer destination differs from pd2.src. The pf_print_host() calls
 * that follow suggest a diagnostic message; the resulting action is on lines
 * not listed.
 */
8158 if (PF_ANEQ(pd->dst, pd2.src, pd->af)) { in pf_test_state_icmp()
8162 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
8164 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
/*
 * Only 8 bytes are pulled into th here, and 8 bytes are written back further
 * down. In the standard TCP layout that covers the ports and the sequence
 * number. NOTE(review): code on this path should not rely on later tcphdr
 * fields -- verify against the lines not listed.
 */
8189 if (!pf_pull_hdr(pd->m, pd2.off, th, 8, reason, in pf_test_state_icmp()
8209 if (pd->dir == (*state)->direction) { in pf_test_state_icmp()
8210 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state_icmp()
8218 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state_icmp()
8246 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
8248 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
8259 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
8261 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
8274 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8275 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8277 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8282 afto = pd->af != nk->af; in pf_test_state_icmp()
8294 &pd->hdr.icmp)) in pf_test_state_icmp()
8296 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8298 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8299 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8301 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8304 pf_addrcpy(&pd->nsaddr, in pf_test_state_icmp()
8306 pf_addrcpy(&pd->ndaddr, in pf_test_state_icmp()
8309 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8311 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8319 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8320 pd->src->addr32[0]; in pf_test_state_icmp()
8322 pd->naf = pd2.naf = nk->af; in pf_test_state_icmp()
8339 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8348 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
/* Write-back order: the ICMP header at pd->off, the header at ipoff2, then the 8 bytes of th at pd2.off. */
8356 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8357 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8358 m_copyback(pd->m, ipoff2, sizeof(h2), in pf_test_state_icmp()
8364 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8366 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8367 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8372 unhandled_af(pd->af); in pf_test_state_icmp()
8374 m_copyback(pd->m, pd2.off, 8, (caddr_t)th); in pf_test_state_icmp()
/* Same sequence with uh; here the full sizeof(*uh) is pulled and later written back. */
8384 if (!pf_pull_hdr(pd->m, pd2.off, uh, sizeof(*uh), in pf_test_state_icmp()
8409 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8410 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8412 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8417 afto = pd->af != nk->af; in pf_test_state_icmp()
8429 &pd->hdr.icmp)) in pf_test_state_icmp()
8431 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8433 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8434 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8436 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8439 pf_addrcpy(&pd->nsaddr, in pf_test_state_icmp()
8441 pf_addrcpy(&pd->ndaddr, in pf_test_state_icmp()
8444 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8446 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8454 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8455 pd->src->addr32[0]; in pf_test_state_icmp()
8457 pd->naf = pd2.naf = nk->af; in pf_test_state_icmp()
8475 pd->ip_sum, 1, pd2.af); in pf_test_state_icmp()
8484 pd->ip_sum, 1, pd2.af); in pf_test_state_icmp()
8489 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8490 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8491 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8496 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8498 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8499 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8504 m_copyback(pd->m, pd2.off, sizeof(*uh), (caddr_t)uh); in pf_test_state_icmp()
/* Same sequence with sh; sizeof(*sh) is pulled and later written back. */
8516 if (! pf_pull_hdr(pd->m, pd2.off, sh, sizeof(*sh), reason, in pf_test_state_icmp()
8536 if (pd->dir == (*state)->direction) { in pf_test_state_icmp()
8537 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8542 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8561 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8562 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8564 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8569 afto = pd->af != nk->af; in pf_test_state_icmp()
8581 &pd->hdr.icmp)) in pf_test_state_icmp()
8583 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8585 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8586 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8588 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8594 pf_addrcpy(&pd->nsaddr, in pf_test_state_icmp()
8596 pf_addrcpy(&pd->ndaddr, in pf_test_state_icmp()
8599 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8601 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8609 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8610 pd->src->addr32[0]; in pf_test_state_icmp()
8612 pd->naf = nk->af; in pf_test_state_icmp()
8624 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8633 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8641 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8642 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8643 m_copyback(pd->m, ipoff2, sizeof(h2), in pf_test_state_icmp()
8649 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8651 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8652 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8657 m_copyback(pd->m, pd2.off, sizeof(*sh), (caddr_t)sh); in pf_test_state_icmp()
/* Same sequence with iih, pulled and written back as ICMP_MINLEN bytes. */
8671 if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN, in pf_test_state_icmp()
8696 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8697 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8699 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8704 afto = pd->af != nk->af; in pf_test_state_icmp()
8719 &pd->hdr.icmp)) in pf_test_state_icmp()
8721 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8723 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8724 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8726 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8729 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8737 pf_addrcpy(&pd->nsaddr, in pf_test_state_icmp()
8739 pf_addrcpy(&pd->ndaddr, in pf_test_state_icmp()
8747 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8748 pd->src->addr32[0]; in pf_test_state_icmp()
8749 pd->naf = nk->af; in pf_test_state_icmp()
8765 pd->ip_sum, 0, AF_INET); in pf_test_state_icmp()
8771 pd2.ip_sum, icmpsum, pd->ip_sum, 0, in pf_test_state_icmp()
8774 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); in pf_test_state_icmp()
8775 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8776 m_copyback(pd->m, pd2.off, ICMP_MINLEN, (caddr_t)iih); in pf_test_state_icmp()
/* Same sequence for the IPv6 form; the size argument of this pull is on a line not listed. */
8791 if (!pf_pull_hdr(pd->m, pd2.off, iih, in pf_test_state_icmp()
8823 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8824 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8826 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8831 afto = pd->af != nk->af; in pf_test_state_icmp()
8846 &pd->hdr.icmp)) in pf_test_state_icmp()
8848 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8850 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8851 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8853 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8856 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8865 pf_addrcpy(&pd->nsaddr, in pf_test_state_icmp()
8867 pf_addrcpy(&pd->ndaddr, in pf_test_state_icmp()
8869 pd->naf = nk->af; in pf_test_state_icmp()
8885 pd->ip_sum, 0, AF_INET6); in pf_test_state_icmp()
8892 pd->ip_sum, 0, AF_INET6); in pf_test_state_icmp()
8894 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
8895 (caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8896 m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); in pf_test_state_icmp()
8897 m_copyback(pd->m, pd2.off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
/* pd->pcksum is pointed at a scratch field inside pd; the branch this belongs to is not identifiable from the listed lines. */
8911 pd->pcksum = &pd->sctp_dummy_sum; in pf_test_state_icmp()
8926 (*state)->key[pd->didx]; in pf_test_state_icmp()
8933 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8940 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8945 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8946 (caddr_t)&pd->hdr.icmp); in pf_test_state_icmp()
8947 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8952 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8954 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8955 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
/*
 * pf_route() -- this listing shows only the lines that mention `pd`; the
 * first line of the signature and most of the body are not visible here.
 * Visible: parameter assertions, a per-packet routing counter, dup-to
 * handling, gateway selection from pd->act, and hand-off of pd->m.
 */
9052 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) in pf_route() argument
9068 KASSERT(pd->m && r && oifp, ("%s: invalid parameters", __func__)); in pf_route()
9070 SDT_PROBE4(pf, ip, route_to, entry, pd->m, pd, s, oifp); in pf_route()
9078 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT || in pf_route()
/*
 * The mbuf tag is fetched if pd does not have one yet. The branch is taken
 * when no tag can be obtained, or when the tag's `routed` counter (which is
 * incremented by this test) already exceeds 3. This bounds how often one
 * packet can be re-routed. pd->m is handed to m0 and cleared; what is then
 * done with m0 is on lines not listed.
 */
9082 if ((pd->pf_mtag == NULL && in pf_route()
9083 ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL)) || in pf_route()
9084 pd->pf_mtag->routed++ > 3) { in pf_route()
9085 m0 = pd->m; in pf_route()
9086 pd->m = NULL; in pf_route()
9092 if (pd->act.rt_kif != NULL) in pf_route()
9093 ifp = pd->act.rt_kif->pfik_ifp; in pf_route()
/*
 * dup-to: a packet already carrying PF_MTAG_FLAG_DUPLICATED takes a separate
 * branch; otherwise the flag is set before the copy is made. m_dup() is
 * called with M_NOWAIT and its NULL result is tested.
 */
9095 if (pd->act.rt == PF_DUPTO) { in pf_route()
9096 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { in pf_route()
9104 m0 = pd->m; in pf_route()
9105 pd->m = NULL; in pf_route()
9111 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED; in pf_route()
9112 if (((m0 = m_dup(pd->m, M_NOWAIT)) == NULL)) { in pf_route()
9119 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) { in pf_route()
9120 if (pd->af == pd->naf) { in pf_route()
9121 pf_dummynet(pd, s, r, &pd->m); in pf_route()
/* Address-family translation case (pd->af != pd->naf): the rule's naf is checked against AF_INET / AF_INET6 depending on the route type. */
9136 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp && in pf_route()
9137 pd->af != pd->naf) { in pf_route()
9138 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET) { in pf_route()
9142 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET6) { in pf_route()
9147 m0 = pd->m; in pf_route()
/* The gateway is taken from pd->act.rt_addr according to pd->act.rt_af. */
9161 switch (pd->act.rt_af) { in pf_route()
9166 rt_gw.sin.sin_addr.s_addr = pd->act.rt_addr.v4.s_addr; in pf_route()
9174 &pd->act.rt_addr, AF_INET6); in pf_route()
9183 if (pd->dir == PF_IN) { in pf_route()
9187 ICMP_TIMXCEED_INTRANS, 0, pd->af, r, in pf_route()
9188 pd->act.rtableid); in pf_route()
9196 if (ifp == NULL && (pd->af != pd->naf)) { in pf_route()
9219 m0 = pd->m; in pf_route()
9220 pd->m = NULL; in pf_route()
9233 MPASS(r->rt == PF_REPLYTO || (pd->af != pd->naf && s->direction == PF_IN)); in pf_route()
9235 if (pd->act.rt == PF_REPLYTO) { in pf_route()
9240 if (r->rt == PF_DUPTO || (pd->af != pd->naf && s->direction == PF_IN)) in pf_route()
9243 if (pd->dir == PF_IN) { in pf_route()
/* Outbound interface counters; the innermost index is nonzero when action is neither PF_PASS nor PF_AFRT. */
9249 &out_kif->pfik_bytes[pd->naf == AF_INET6][1] in pf_route()
9250 [action != PF_PASS && action != PF_AFRT], pd->tot_len); in pf_route()
9252 &out_kif->pfik_packets[pd->naf == AF_INET6][1] in pf_route()
9257 &pd->act) != PF_PASS) { in pf_route()
/* An inbound packet is relabelled as outbound before it is sent on. */
9294 if (pd->dir == PF_IN) { in pf_route()
9299 pd->dir = PF_OUT; in pf_route()
/* dnpipe and dnrpipe are swapped; the condition for the swap is on lines not listed. */
9310 tmp = pd->act.dnrpipe; in pf_route()
9311 pd->act.dnrpipe = pd->act.dnpipe; in pf_route()
9312 pd->act.dnpipe = tmp; in pf_route()
9329 error = pf_dummynet_route(pd, s, r, ifp, in pf_route()
9343 if (pd->act.rt != PF_DUPTO) { in pf_route()
9345 MPASS(m0 == pd->m); in pf_route()
9346 PACKET_UNDO_NAT(pd, in pf_route()
9352 ifp->if_mtu, pd->af, r, pd->act.rtableid); in pf_route()
9372 pd->pf_mtag = pf_find_mtag(md); in pf_route()
9373 error = pf_dummynet_route(pd, s, r, ifp, in pf_route()
/* Except for dup-to, pd->m is cleared so the caller's descriptor no longer refers to the mbuf. */
9389 if (pd->act.rt != PF_DUPTO) in pf_route()
9390 pd->m = NULL; in pf_route()
9407 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) in pf_route6() argument
9418 KASSERT(pd->m && r && oifp, ("%s: invalid parameters", __func__)); in pf_route6()
9420 SDT_PROBE4(pf, ip6, route_to, entry, pd->m, pd, s, oifp); in pf_route6()
9428 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT || in pf_route6()
9432 if ((pd->pf_mtag == NULL && in pf_route6()
9433 ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL)) || in pf_route6()
9434 pd->pf_mtag->routed++ > 3) { in pf_route6()
9435 m0 = pd->m; in pf_route6()
9436 pd->m = NULL; in pf_route6()
9442 if (pd->act.rt_kif != NULL) in pf_route6()
9443 ifp = pd->act.rt_kif->pfik_ifp; in pf_route6()
9445 if (pd->act.rt == PF_DUPTO) { in pf_route6()
9446 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { in pf_route6()
9454 m0 = pd->m; in pf_route6()
9455 pd->m = NULL; in pf_route6()
9461 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED; in pf_route6()
9462 if (((m0 = m_dup(pd->m, M_NOWAIT)) == NULL)) { in pf_route6()
9469 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) { in pf_route6()
9470 if (pd->af == pd->naf) { in pf_route6()
9471 pf_dummynet(pd, s, r, &pd->m); in pf_route6()
9486 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp && in pf_route6()
9487 pd->af != pd->naf) { in pf_route6()
9488 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET6) { in pf_route6()
9492 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET) { in pf_route6()
9497 m0 = pd->m; in pf_route6()
9505 pf_addrcpy((struct pf_addr *)&dst.sin6_addr, &pd->act.rt_addr, in pf_route6()
9508 if (pd->dir == PF_IN) { in pf_route6()
9512 ICMP6_TIME_EXCEED_TRANSIT, 0, pd->af, r, in pf_route6()
9513 pd->act.rtableid); in pf_route6()
9521 if (ifp == NULL && (pd->af != pd->naf)) { in pf_route6()
9538 if (pd->af != pd->naf) { in pf_route6()
9539 struct udphdr *uh = &pd->hdr.udp; in pf_route6()
9541 if (pd->proto == IPPROTO_UDP && uh->uh_sum == 0) { in pf_route6()
9544 m_copyback(m0, pd->off, sizeof(*uh), pd->hdr.any); in pf_route6()
9549 m0 = pd->m; in pf_route6()
9550 pd->m = NULL; in pf_route6()
9563 MPASS(r->rt == PF_REPLYTO || (pd->af != pd->naf && s->direction == PF_IN)); in pf_route6()
9565 if (pd->act.rt == PF_REPLYTO) { in pf_route6()
9570 if (r->rt == PF_DUPTO || (pd->af != pd->naf && s->direction == PF_IN)) in pf_route6()
9573 if (pd->dir == PF_IN) { in pf_route6()
9579 &out_kif->pfik_bytes[pd->naf == AF_INET6][1] in pf_route6()
9580 [action != PF_PASS && action != PF_AFRT], pd->tot_len); in pf_route6()
9582 &out_kif->pfik_packets[pd->naf == AF_INET6][1] in pf_route6()
9587 ifp, &m0, inp, &pd->act) != PF_PASS) { in pf_route6()
9618 if (pd->dir == PF_IN) { in pf_route6()
9624 pd->dir = PF_OUT; in pf_route6()
9635 tmp = pd->act.dnrpipe; in pf_route6()
9636 pd->act.dnrpipe = pd->act.dnpipe; in pf_route6()
9637 pd->act.dnpipe = tmp; in pf_route6()
9656 pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md); in pf_route6()
9665 if (pd->act.rt != PF_DUPTO) { in pf_route6()
9667 MPASS(m0 == pd->m); in pf_route6()
9668 PACKET_UNDO_NAT(pd, in pf_route6()
9675 ifp->if_mtu, pd->af, r, pd->act.rtableid); in pf_route6()
9683 if (pd->act.rt != PF_DUPTO) in pf_route6()
9684 pd->m = NULL; in pf_route6()
9820 pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r, in pf_pdesc_to_dnflow() argument
9824 sa_family_t af = pd->naf; in pf_pdesc_to_dnflow()
9831 dndir = pd->dir; in pf_pdesc_to_dnflow()
9834 if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED) in pf_pdesc_to_dnflow()
9839 if (pd->dport != NULL) in pf_pdesc_to_dnflow()
9840 dnflow->f_id.dst_port = ntohs(*pd->dport); in pf_pdesc_to_dnflow()
9841 if (pd->sport != NULL) in pf_pdesc_to_dnflow()
9842 dnflow->f_id.src_port = ntohs(*pd->sport); in pf_pdesc_to_dnflow()
9844 if (pd->dir == PF_IN) in pf_pdesc_to_dnflow()
9849 if (pd->dir != dndir && pd->act.dnrpipe) { in pf_pdesc_to_dnflow()
9850 dnflow->rule.info = pd->act.dnrpipe; in pf_pdesc_to_dnflow()
9852 else if (pd->dir == dndir && pd->act.dnpipe) { in pf_pdesc_to_dnflow()
9853 dnflow->rule.info = pd->act.dnpipe; in pf_pdesc_to_dnflow()
9860 if (r->free_flags & PFRULE_DN_IS_PIPE || pd->act.flags & PFSTATE_DN_IS_PIPE) in pf_pdesc_to_dnflow()
9863 dnflow->f_id.proto = pd->proto; in pf_pdesc_to_dnflow()
9873 s->key[PF_SK_STACK]->addr[pd->sidx].v4.s_addr); in pf_pdesc_to_dnflow()
9875 s->key[PF_SK_STACK]->addr[pd->didx].v4.s_addr); in pf_pdesc_to_dnflow()
9877 dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr); in pf_pdesc_to_dnflow()
9878 dnflow->f_id.dst_ip = ntohl(pd->dst->v4.s_addr); in pf_pdesc_to_dnflow()
9886 s->key[PF_SK_STACK]->addr[pd->sidx].v6; in pf_pdesc_to_dnflow()
9888 s->key[PF_SK_STACK]->addr[pd->didx].v6; in pf_pdesc_to_dnflow()
9890 dnflow->f_id.src_ip6 = pd->src->v6; in pf_pdesc_to_dnflow()
9891 dnflow->f_id.dst_ip6 = pd->dst->v6; in pf_pdesc_to_dnflow()
9902 if (pd->naf == AF_INET6) in pf_pdesc_to_dnflow()
9961 pf_dummynet(struct pf_pdesc *pd, struct pf_kstate *s, in pf_dummynet() argument
9964 return (pf_dummynet_route(pd, s, r, NULL, NULL, m0)); in pf_dummynet()
9968 pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s, in pf_dummynet_route() argument
9976 if (pd->act.dnpipe == 0 && pd->act.dnrpipe == 0) in pf_dummynet_route()
9985 if (pd->pf_mtag == NULL && in pf_dummynet_route()
9986 ((pd->pf_mtag = pf_get_mtag(*m0)) == NULL)) { in pf_dummynet_route()
9993 pd->pf_mtag->flags |= PF_MTAG_FLAG_ROUTE_TO; in pf_dummynet_route()
9995 pd->pf_mtag->if_index = ifp->if_index; in pf_dummynet_route()
9996 pd->pf_mtag->if_idxgen = ifp->if_idxgen; in pf_dummynet_route()
10002 memcpy(&pd->pf_mtag->dst, sa, in pf_dummynet_route()
10006 memcpy(&pd->pf_mtag->dst, sa, in pf_dummynet_route()
10016 (pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) || in pf_dummynet_route()
10018 (pd->af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd->dst->v6)))) { in pf_dummynet_route()
10027 if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) { in pf_dummynet_route()
10028 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET; in pf_dummynet_route()
10029 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED; in pf_dummynet_route()
10032 pd->pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; in pf_dummynet_route()
10033 pf_dummynet_flag_remove(*m0, pd->pf_mtag); in pf_dummynet_route()
10041 pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end, in pf_walk_option() argument
10047 if (pd->m->m_pkthdr.len < end) { in pf_walk_option()
10054 m_copydata(pd->m, off, end - off, opts); in pf_walk_option()
10084 pd->badopts |= PF_OPT_ROUTER_ALERT; in pf_walk_option()
10087 pd->badopts |= PF_OPT_OTHER; in pf_walk_option()
10097 pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason) in pf_walk_header() argument
10109 if (pf_walk_option(pd, h, pd->off + sizeof(struct ip), in pf_walk_header()
10110 pd->off + hlen, reason) != PF_PASS) in pf_walk_header()
10113 if (pd->badopts == 0) in pf_walk_header()
10114 pd->badopts |= PF_OPT_OTHER; in pf_walk_header()
10116 end = pd->off + ntohs(h->ip_len); in pf_walk_header()
10117 pd->off += hlen; in pf_walk_header()
10118 pd->proto = h->ip_p; in pf_walk_header()
10120 if (pd->proto == IPPROTO_IGMP) { in pf_walk_header()
10131 pd->badopts &= ~PF_OPT_ROUTER_ALERT; in pf_walk_header()
10137 switch (pd->proto) { in pf_walk_header()
10141 end < pd->off + sizeof(ext)) in pf_walk_header()
10143 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext), in pf_walk_header()
10148 pd->off += (ext.ah_len + 2) * 4; in pf_walk_header()
10149 pd->proto = ext.ah_nxt; in pf_walk_header()
10162 pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h, int off, int end, in pf_walk_option6() argument
10169 if (!pf_pull_hdr(pd->m, off, &opt.ip6o_type, in pf_walk_option6()
10178 if (!pf_pull_hdr(pd->m, off, &opt, sizeof(opt), in pf_walk_option6()
10192 pd->badopts |= PF_OPT_JUMBO; in pf_walk_option6()
10193 if (pd->jumbolen != 0) { in pf_walk_option6()
10203 if (!pf_pull_hdr(pd->m, off, &jumbo, sizeof(jumbo), in pf_walk_option6()
10208 memcpy(&pd->jumbolen, jumbo.ip6oj_jumbo_len, in pf_walk_option6()
10209 sizeof(pd->jumbolen)); in pf_walk_option6()
10210 pd->jumbolen = ntohl(pd->jumbolen); in pf_walk_option6()
10211 if (pd->jumbolen < IPV6_MAXPACKET) { in pf_walk_option6()
10218 pd->badopts |= PF_OPT_ROUTER_ALERT; in pf_walk_option6()
10221 pd->badopts |= PF_OPT_OTHER; in pf_walk_option6()
10231 pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) in pf_walk_header6() argument
10240 pd->off += sizeof(struct ip6_hdr); in pf_walk_header6()
10241 end = pd->off + ntohs(h->ip6_plen); in pf_walk_header6()
10242 pd->fragoff = pd->extoff = pd->jumbolen = 0; in pf_walk_header6()
10243 pd->proto = h->ip6_nxt; in pf_walk_header6()
10245 switch (pd->proto) { in pf_walk_header6()
10248 pd->badopts |= PF_OPT_OTHER; in pf_walk_header6()
10251 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext), in pf_walk_header6()
10256 if (pf_walk_option6(pd, h, pd->off + sizeof(ext), in pf_walk_header6()
10257 pd->off + (ext.ip6e_len + 1) * 8, in pf_walk_header6()
10261 if (pd->badopts == 0) in pf_walk_header6()
10262 pd->badopts |= PF_OPT_OTHER; in pf_walk_header6()
10265 switch (pd->proto) { in pf_walk_header6()
10273 if (pd->jumbolen != 0) { in pf_walk_header6()
10278 if (!pf_pull_hdr(pd->m, pd->off, &frag, sizeof(frag), in pf_walk_header6()
10285 pd->fragoff = pd->off; in pf_walk_header6()
10290 pd->fragoff = pd->off; in pf_walk_header6()
10291 pd->off += sizeof(frag); in pf_walk_header6()
10292 pd->proto = frag.ip6f_nxt; in pf_walk_header6()
10301 if (pd->fragoff != 0 && end < pd->off + sizeof(rthdr)) { in pf_walk_header6()
10302 pd->off = pd->fragoff; in pf_walk_header6()
10303 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
10306 if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr), in pf_walk_header6()
10319 if (pd->proto == IPPROTO_HOPOPTS && hdr_cnt > 0) { in pf_walk_header6()
10327 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext), in pf_walk_header6()
10333 if (pd->fragoff != 0 && end < pd->off + sizeof(ext)) { in pf_walk_header6()
10334 pd->off = pd->fragoff; in pf_walk_header6()
10335 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
10339 if (pd->fragoff == 0) in pf_walk_header6()
10340 pd->extoff = pd->off; in pf_walk_header6()
10341 if (pd->proto == IPPROTO_HOPOPTS && pd->fragoff == 0 && in pf_walk_header6()
10342 ntohs(h->ip6_plen) == 0 && pd->jumbolen != 0) { in pf_walk_header6()
10347 if (pd->proto == IPPROTO_AH) in pf_walk_header6()
10348 pd->off += (ext.ip6e_len + 2) * 4; in pf_walk_header6()
10350 pd->off += (ext.ip6e_len + 1) * 8; in pf_walk_header6()
10351 pd->proto = ext.ip6e_nxt; in pf_walk_header6()
10355 if (pd->fragoff != 0 && end < pd->off + sizeof(icmp6)) { in pf_walk_header6()
10356 pd->off = pd->fragoff; in pf_walk_header6()
10357 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
10360 if (!pf_pull_hdr(pd->m, pd->off, &icmp6, sizeof(icmp6), in pf_walk_header6()
10385 pd->badopts &= ~PF_OPT_ROUTER_ALERT; in pf_walk_header6()
10393 if (pd->fragoff != 0 && end < pd->off + in pf_walk_header6()
10394 (pd->proto == IPPROTO_TCP ? sizeof(struct tcphdr) : in pf_walk_header6()
10395 pd->proto == IPPROTO_UDP ? sizeof(struct udphdr) : in pf_walk_header6()
10396 pd->proto == IPPROTO_SCTP ? sizeof(struct sctphdr) : in pf_walk_header6()
10398 pd->off = pd->fragoff; in pf_walk_header6()
10399 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
10413 pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m) in pf_init_pdesc() argument
10415 memset(pd, 0, sizeof(*pd)); in pf_init_pdesc()
10416 pd->pf_mtag = pf_find_mtag(m); in pf_init_pdesc()
10417 pd->m = m; in pf_init_pdesc()
10421 pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, in pf_setup_pdesc() argument
10425 pd->dir = dir; in pf_setup_pdesc()
10426 pd->kif = kif; in pf_setup_pdesc()
10427 pd->m = *m0; in pf_setup_pdesc()
10428 pd->sidx = (dir == PF_IN) ? 0 : 1; in pf_setup_pdesc()
10429 pd->didx = (dir == PF_IN) ? 1 : 0; in pf_setup_pdesc()
10430 pd->af = pd->naf = af; in pf_setup_pdesc()
10434 TAILQ_INIT(&pd->sctp_multihome_jobs); in pf_setup_pdesc()
10436 memcpy(&pd->act, default_actions, sizeof(pd->act)); in pf_setup_pdesc()
10438 if (pd->pf_mtag && pd->pf_mtag->dnpipe) { in pf_setup_pdesc()
10439 pd->act.dnpipe = pd->pf_mtag->dnpipe; in pf_setup_pdesc()
10440 pd->act.flags = pd->pf_mtag->dnflags; in pf_setup_pdesc()
10449 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { in pf_setup_pdesc()
10458 h = mtod(pd->m, struct ip *); in pf_setup_pdesc()
10459 if (pd->m->m_pkthdr.len < ntohs(h->ip_len)) { in pf_setup_pdesc()
10465 if (pf_normalize_ip(reason, pd) != PF_PASS) { in pf_setup_pdesc()
10467 *m0 = pd->m; in pf_setup_pdesc()
10471 *m0 = pd->m; in pf_setup_pdesc()
10472 h = mtod(pd->m, struct ip *); in pf_setup_pdesc()
10474 if (pf_walk_header(pd, h, reason) != PF_PASS) { in pf_setup_pdesc()
10479 pd->src = (struct pf_addr *)&h->ip_src; in pf_setup_pdesc()
10480 pd->dst = (struct pf_addr *)&h->ip_dst; in pf_setup_pdesc()
10481 pf_addrcpy(&pd->osrc, pd->src, af); in pf_setup_pdesc()
10482 pf_addrcpy(&pd->odst, pd->dst, af); in pf_setup_pdesc()
10483 pd->ip_sum = &h->ip_sum; in pf_setup_pdesc()
10484 pd->tos = h->ip_tos & ~IPTOS_ECN_MASK; in pf_setup_pdesc()
10485 pd->ttl = h->ip_ttl; in pf_setup_pdesc()
10486 pd->tot_len = ntohs(h->ip_len); in pf_setup_pdesc()
10487 pd->act.rtableid = -1; in pf_setup_pdesc()
10488 pd->df = h->ip_off & htons(IP_DF); in pf_setup_pdesc()
10489 pd->virtual_proto = (h->ip_off & htons(IP_MF | IP_OFFMASK)) ? in pf_setup_pdesc()
10490 PF_VPROTO_FRAGMENT : pd->proto; in pf_setup_pdesc()
10500 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { in pf_setup_pdesc()
10509 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
10510 if (pd->m->m_pkthdr.len < in pf_setup_pdesc()
10526 if (pf_walk_header6(pd, h, reason) != PF_PASS) { in pf_setup_pdesc()
10531 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
10532 pd->src = (struct pf_addr *)&h->ip6_src; in pf_setup_pdesc()
10533 pd->dst = (struct pf_addr *)&h->ip6_dst; in pf_setup_pdesc()
10534 pf_addrcpy(&pd->osrc, pd->src, af); in pf_setup_pdesc()
10535 pf_addrcpy(&pd->odst, pd->dst, af); in pf_setup_pdesc()
10536 pd->ip_sum = NULL; in pf_setup_pdesc()
10537 pd->tos = IPV6_DSCP(h); in pf_setup_pdesc()
10538 pd->ttl = h->ip6_hlim; in pf_setup_pdesc()
10539 pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); in pf_setup_pdesc()
10540 pd->act.rtableid = -1; in pf_setup_pdesc()
10542 pd->virtual_proto = (pd->fragoff != 0) ? in pf_setup_pdesc()
10543 PF_VPROTO_FRAGMENT : pd->proto; in pf_setup_pdesc()
10546 if (pf_normalize_ip6(pd->fragoff, reason, pd) != in pf_setup_pdesc()
10548 *m0 = pd->m; in pf_setup_pdesc()
10552 *m0 = pd->m; in pf_setup_pdesc()
10553 if (pd->m == NULL) { in pf_setup_pdesc()
10560 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
10561 pd->src = (struct pf_addr *)&h->ip6_src; in pf_setup_pdesc()
10562 pd->dst = (struct pf_addr *)&h->ip6_dst; in pf_setup_pdesc()
10564 pd->off = 0; in pf_setup_pdesc()
10566 if (pf_walk_header6(pd, h, reason) != PF_PASS) { in pf_setup_pdesc()
10571 if (m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL) != NULL) { in pf_setup_pdesc()
10576 pd->virtual_proto = pd->proto; in pf_setup_pdesc()
10577 MPASS(pd->fragoff == 0); in pf_setup_pdesc()
10580 if (pd->fragoff != 0) in pf_setup_pdesc()
10581 pd->virtual_proto = PF_VPROTO_FRAGMENT; in pf_setup_pdesc()
10590 switch (pd->virtual_proto) { in pf_setup_pdesc()
10592 struct tcphdr *th = &pd->hdr.tcp; in pf_setup_pdesc()
10594 if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th), in pf_setup_pdesc()
10600 pd->hdrlen = sizeof(*th); in pf_setup_pdesc()
10601 pd->p_len = pd->tot_len - pd->off - (th->th_off << 2); in pf_setup_pdesc()
10602 pd->sport = &th->th_sport; in pf_setup_pdesc()
10603 pd->dport = &th->th_dport; in pf_setup_pdesc()
10604 pd->pcksum = &th->th_sum; in pf_setup_pdesc()
10608 struct udphdr *uh = &pd->hdr.udp; in pf_setup_pdesc()
10610 if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh), in pf_setup_pdesc()
10616 pd->hdrlen = sizeof(*uh); in pf_setup_pdesc()
10618 ntohs(uh->uh_ulen) > pd->m->m_pkthdr.len - pd->off || in pf_setup_pdesc()
10624 pd->sport = &uh->uh_sport; in pf_setup_pdesc()
10625 pd->dport = &uh->uh_dport; in pf_setup_pdesc()
10626 pd->pcksum = &uh->uh_sum; in pf_setup_pdesc()
10630 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), in pf_setup_pdesc()
10636 pd->hdrlen = sizeof(pd->hdr.sctp); in pf_setup_pdesc()
10637 pd->p_len = pd->tot_len - pd->off; in pf_setup_pdesc()
10639 pd->sport = &pd->hdr.sctp.src_port; in pf_setup_pdesc()
10640 pd->dport = &pd->hdr.sctp.dest_port; in pf_setup_pdesc()
10641 if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) { in pf_setup_pdesc()
10654 pd->pcksum = &pd->sctp_dummy_sum; in pf_setup_pdesc()
10656 if (pf_scan_sctp(pd) != PF_PASS) { in pf_setup_pdesc()
10664 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN, in pf_setup_pdesc()
10670 pd->pcksum = &pd->hdr.icmp.icmp_cksum; in pf_setup_pdesc()
10671 pd->hdrlen = ICMP_MINLEN; in pf_setup_pdesc()
10678 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, in pf_setup_pdesc()
10685 switch (pd->hdr.icmp6.icmp6_type) { in pf_setup_pdesc()
10697 if (pd->ttl != 255) { in pf_setup_pdesc()
10704 !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, in pf_setup_pdesc()
10710 pd->hdrlen = icmp_hlen; in pf_setup_pdesc()
10711 pd->pcksum = &pd->hdr.icmp6.icmp6_cksum; in pf_setup_pdesc()
10720 pd->pcksum = &pd->sctp_dummy_sum; in pf_setup_pdesc()
10724 if (pd->sport) in pf_setup_pdesc()
10725 pd->osport = pd->nsport = *pd->sport; in pf_setup_pdesc()
10726 if (pd->dport) in pf_setup_pdesc()
10727 pd->odport = pd->ndport = *pd->dport; in pf_setup_pdesc()
10729 MPASS(pd->pcksum != NULL); in pf_setup_pdesc()
10735 pf_rule_counters_inc(struct pf_pdesc *pd, struct pf_krule *r, int dir_out, in pf_rule_counters_inc() argument
10740 pf_counter_u64_add_protected(&(r->bytes[dir_out]), pd->tot_len); in pf_rule_counters_inc()
10745 pd->tot_len, dir_out, op_pass, r->src.neg); in pf_rule_counters_inc()
10748 pd->tot_len, dir_out, op_pass, r->dst.neg); in pf_rule_counters_inc()
10752 pf_counters_inc(int action, struct pf_pdesc *pd, struct pf_kstate *s, in pf_counters_inc() argument
10758 struct pf_addr *src_host = pd->src; in pf_counters_inc()
10759 struct pf_addr *dst_host = pd->dst; in pf_counters_inc()
10761 int dir_out = (pd->dir == PF_OUT); in pf_counters_inc()
10765 sa_family_t af = pd->af; in pf_counters_inc()
10776 af = pd->naf; in pf_counters_inc()
10780 &pd->kif->pfik_bytes[af == AF_INET6][dir_out][!op_pass], in pf_counters_inc()
10781 pd->tot_len); in pf_counters_inc()
10783 &pd->kif->pfik_packets[af == AF_INET6][dir_out][!op_pass], in pf_counters_inc()
10801 * so pd->dir is always PF_IN. We set dir_out and s_dir_rev in pf_counters_inc()
10807 dir_out = (pd->naf == s->rule->naf); in pf_counters_inc()
10810 s_dir_rev = (pd->naf == s->rule->af); in pf_counters_inc()
10812 dir_out = (pd->dir == PF_OUT); in pf_counters_inc()
10815 s_dir_rev = (pd->dir != s->direction); in pf_counters_inc()
10818 /* pd->tot_len is problematic with af-to rules. Sure, we can in pf_counters_inc()
10825 s->bytes[s_dir_rev] += pd->tot_len; in pf_counters_inc()
10839 pd->tot_len); in pf_counters_inc()
10854 pf_rule_counters_inc(pd, s->nat_rule, dir_out, in pf_counters_inc()
10866 pf_rule_counters_inc(pd, ri->r, dir_out, op_r_pass, af, in pf_counters_inc()
10882 pf_rule_counters_inc(pd, a, dir_out, op_r_pass, af, in pf_counters_inc()
10887 pf_rule_counters_inc(pd, r, dir_out, op_r_pass, af, in pf_counters_inc()
10895 pf_log_matches(struct pf_pdesc *pd, struct pf_krule *rm, in pf_log_matches() argument
10908 ruleset, pd, 1, ri->r); in pf_log_matches()
10924 struct pf_pdesc pd; in pf_test() local
10959 pf_init_pdesc(&pd, *m0); in pf_test()
10962 if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) { in pf_test()
10963 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; in pf_test()
10965 ifp = ifnet_byindexgen(pd.pf_mtag->if_index, in pf_test()
10966 pd.pf_mtag->if_idxgen); in pf_test()
10972 (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL); in pf_test()
10977 if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL && in pf_test()
10978 pd.pf_mtag->flags & PF_MTAG_FLAG_DUMMYNET) { in pf_test()
10985 pf_dummynet_flag_remove(pd.m, pd.pf_mtag); in pf_test()
10992 if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, in pf_test()
10995 pd.act.log |= PF_LOG_FORCE; in pf_test()
11001 pd.df && (*m0)->m_pkthdr.len > ifp->if_mtu) { in pf_test()
11025 ((mtag = m_tag_locate(pd.m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) { in pf_test()
11029 if (pd.pf_mtag == NULL && in pf_test()
11030 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
11034 pd.pf_mtag->flags |= PF_MTAG_FLAG_PACKET_LOOPED; in pf_test()
11036 if (pd.pf_mtag && pd.pf_mtag->flags & PF_MTAG_FLAG_FASTFWD_OURS_PRESENT) { in pf_test()
11037 pd.m->m_flags |= M_FASTFWD_OURS; in pf_test()
11038 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT; in pf_test()
11040 m_tag_delete(pd.m, mtag); in pf_test()
11042 mtag = m_tag_locate(pd.m, MTAG_IPFW_RULE, 0, NULL); in pf_test()
11044 m_tag_delete(pd.m, mtag); in pf_test()
11047 switch (pd.virtual_proto) { in pf_test()
11056 action = pf_test_rule(&r, &s, &pd, &a, in pf_test()
11064 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN && in pf_test()
11065 pd.dir == PF_IN && pf_synflood_check(&pd)) { in pf_test()
11066 pf_syncookie_send(&pd, &reason); in pf_test()
11071 if ((tcp_get_flags(&pd.hdr.tcp) & TH_ACK) && pd.p_len == 0) in pf_test()
11073 action = pf_normalize_tcp(&pd); in pf_test()
11076 action = pf_test_state(&s, &pd, &reason); in pf_test()
11085 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == in pf_test()
11086 TH_ACK && pf_syncookie_validate(&pd) && in pf_test()
11087 pd.dir == PF_IN) { in pf_test()
11090 msyn = pf_syncookie_recreate_syn(&pd, &reason); in pf_test()
11097 &pd.act); in pf_test()
11102 action = pf_test_state(&s, &pd, &reason); in pf_test()
11108 s->src.seqhi = ntohl(pd.hdr.tcp.th_ack) - 1; in pf_test()
11109 s->src.seqlo = ntohl(pd.hdr.tcp.th_seq) - 1; in pf_test()
11111 action = pf_synproxy(&pd, s, &reason); in pf_test()
11114 action = pf_test_rule(&r, &s, &pd, in pf_test()
11122 action = pf_normalize_sctp(&pd); in pf_test()
11128 action = pf_test_state(&s, &pd, &reason); in pf_test()
11136 &pd, &a, &ruleset, &reason, inp, &match_rules); in pf_test()
11142 if (pd.virtual_proto == IPPROTO_ICMP && af != AF_INET) { in pf_test()
11149 if (pd.virtual_proto == IPPROTO_ICMPV6 && af != AF_INET6) { in pf_test()
11156 action = pf_test_state_icmp(&s, &pd, &reason); in pf_test()
11163 action = pf_test_rule(&r, &s, &pd, in pf_test()
11174 if (pd.m == NULL) { in pf_test()
11180 memcpy(&pd.act, &s->act, sizeof(s->act)); in pf_test()
11182 if (action == PF_PASS && pd.badopts != 0 && !pd.act.allow_opts) { in pf_test()
11185 pd.act.log = PF_LOG_FORCE; in pf_test()
11190 if (pd.act.max_pkt_size && pd.act.max_pkt_size && in pf_test()
11191 pd.tot_len > pd.act.max_pkt_size) { in pf_test()
11194 pd.act.log = PF_LOG_FORCE; in pf_test()
11200 uint8_t log = pd.act.log; in pf_test()
11201 memcpy(&pd.act, &s->act, sizeof(struct pf_rule_actions)); in pf_test()
11202 pd.act.log |= log; in pf_test()
11208 if (tag > 0 && pf_tag_packet(&pd, tag)) { in pf_test()
11213 pf_scrub(&pd); in pf_test()
11214 if (pd.proto == IPPROTO_TCP && pd.act.max_mss) in pf_test()
11215 pf_normalize_mss(&pd); in pf_test()
11217 if (pd.act.rtableid >= 0) in pf_test()
11218 M_SETFIB(pd.m, pd.act.rtableid); in pf_test()
11220 if (pd.act.flags & PFSTATE_SETPRIO) { in pf_test()
11221 if (pd.tos & IPTOS_LOWDELAY) in pf_test()
11223 if (vlan_set_pcp(pd.m, pd.act.set_prio[use_2nd_queue])) { in pf_test()
11226 pd.act.log = PF_LOG_FORCE; in pf_test()
11233 if (action == PF_PASS && pd.act.qid) { in pf_test()
11234 if (pd.pf_mtag == NULL && in pf_test()
11235 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
11240 pd.pf_mtag->qid_hash = pf_state_hash(s); in pf_test()
11241 if (use_2nd_queue || (pd.tos & IPTOS_LOWDELAY)) in pf_test()
11242 pd.pf_mtag->qid = pd.act.pqid; in pf_test()
11244 pd.pf_mtag->qid = pd.act.qid; in pf_test()
11246 pd.pf_mtag->hdr = mtod(pd.m, void *); in pf_test()
11256 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || in pf_test()
11257 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule != NULL && in pf_test()
11260 pf_is_loopback(af, pd.dst)) in pf_test()
11261 pd.m->m_flags |= M_SKIP_FIREWALL; in pf_test()
11264 action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) { in pf_test()
11274 pf_counters_inc(action, &pd, s, r, a, &match_rules); in pf_test()
11279 m_tag_prepend(pd.m, mtag); in pf_test()
11280 if (pd.m->m_flags & M_FASTFWD_OURS) { in pf_test()
11281 if (pd.pf_mtag == NULL && in pf_test()
11282 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
11285 pd.act.log = PF_LOG_FORCE; in pf_test()
11289 pd.pf_mtag->flags |= in pf_test()
11291 pd.m->m_flags &= ~M_FASTFWD_OURS; in pf_test()
11302 pd.act.log = PF_LOG_FORCE; in pf_test()
11312 if (pd.pf_mtag) in pf_test()
11313 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_PACKET_LOOPED; in pf_test()
11315 if (pd.act.log) { in pf_test()
11324 if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL) in pf_test()
11326 ruleset, &pd, (s == NULL), NULL); in pf_test()
11331 reason, ri->r, a, ruleset, &pd, 0, NULL); in pf_test()
11335 pf_counters_inc(action, &pd, s, r, a, &match_rules); in pf_test()
11349 if (pf_translate_af(&pd)) { in pf_test()
11350 *m0 = pd.m; in pf_test()
11355 if (pd.naf == AF_INET) { in pf_test()
11356 action = pf_route(r, kif->pfik_ifp, s, &pd, in pf_test()
11361 if (pd.naf == AF_INET6) { in pf_test()
11362 action = pf_route6(r, kif->pfik_ifp, s, &pd, in pf_test()
11366 *m0 = pd.m; in pf_test()
11370 if (pd.act.rt) { in pf_test()
11375 action = pf_route(r, kif->pfik_ifp, s, &pd, in pf_test()
11382 action = pf_route6(r, kif->pfik_ifp, s, &pd, in pf_test()
11387 *m0 = pd.m; in pf_test()
11390 if (pf_dummynet(&pd, s, r, m0) != 0) { in pf_test()
11415 (mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL) in pf_test()
11419 pf_sctp_multihome_delayed(&pd, kif, s, action); in pf_test()