
430 		if ((pd->dir) == PF_OUT)					\
437 #define PACKET_LOOPED(pd) ((pd)->pf_mtag && \ argument
438 (pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
440 #define STATE_LOOKUP(k, s, pd) \ argument
442 (s) = pf_find_state((pd->kif), (k), (pd->dir)); \
443 SDT_PROBE5(pf, ip, state, lookup, pd->kif, k, (pd->dir), pd, (s)); \
446 if (PACKET_LOOPED(pd)) \
451 BOUND_IFACE(struct pf_kstate *st, struct pf_pdesc *pd) in BOUND_IFACE() argument
453 struct pfi_kkif *k = pd->kif; in BOUND_IFACE()
465 if (st->rule->rt == PF_REPLYTO || (pd->af != pd->naf && st->direction == PF_IN)) in BOUND_IFACE()
473 if (pd->related_rule) in BOUND_IFACE()
626 pf_packet_rework_nat(struct mbuf *m, struct pf_pdesc *pd, int off, in pf_packet_rework_nat() argument
630 switch (pd->proto) { in pf_packet_rework_nat()
632 struct tcphdr *th = &pd->hdr.tcp; in pf_packet_rework_nat()
634 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) in pf_packet_rework_nat()
635 pf_change_ap(m, pd->src, &th->th_sport, pd->ip_sum, in pf_packet_rework_nat()
636 &th->th_sum, &nk->addr[pd->sidx], in pf_packet_rework_nat()
637 nk->port[pd->sidx], 0, pd->af, pd->naf); in pf_packet_rework_nat()
638 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) in pf_packet_rework_nat()
639 pf_change_ap(m, pd->dst, &th->th_dport, pd->ip_sum, in pf_packet_rework_nat()
640 &th->th_sum, &nk->addr[pd->didx], in pf_packet_rework_nat()
641 nk->port[pd->didx], 0, pd->af, pd->naf); in pf_packet_rework_nat()
646 struct udphdr *uh = &pd->hdr.udp; in pf_packet_rework_nat()
648 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) in pf_packet_rework_nat()
649 pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum, in pf_packet_rework_nat()
650 &uh->uh_sum, &nk->addr[pd->sidx], in pf_packet_rework_nat()
651 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
652 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) in pf_packet_rework_nat()
653 pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum, in pf_packet_rework_nat()
654 &uh->uh_sum, &nk->addr[pd->didx], in pf_packet_rework_nat()
655 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
660 struct sctphdr *sh = &pd->hdr.sctp; in pf_packet_rework_nat()
663 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) { in pf_packet_rework_nat()
664 pf_change_ap(m, pd->src, &sh->src_port, pd->ip_sum, in pf_packet_rework_nat()
665 &checksum, &nk->addr[pd->sidx], in pf_packet_rework_nat()
666 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
668 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) { in pf_packet_rework_nat()
669 pf_change_ap(m, pd->dst, &sh->dest_port, pd->ip_sum, in pf_packet_rework_nat()
670 &checksum, &nk->addr[pd->didx], in pf_packet_rework_nat()
671 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
677 struct icmp *ih = &pd->hdr.icmp; in pf_packet_rework_nat()
679 if (nk->port[pd->sidx] != ih->icmp_id) { in pf_packet_rework_nat()
680 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_packet_rework_nat()
682 nk->port[pd->sidx], 0); in pf_packet_rework_nat()
683 ih->icmp_id = nk->port[pd->sidx]; in pf_packet_rework_nat()
684 pd->sport = &ih->icmp_id; in pf_packet_rework_nat()
691 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) { in pf_packet_rework_nat()
692 switch (pd->af) { in pf_packet_rework_nat()
694 pf_change_a(&pd->src->v4.s_addr, in pf_packet_rework_nat()
695 pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, in pf_packet_rework_nat()
699 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); in pf_packet_rework_nat()
702 unhandled_af(pd->af); in pf_packet_rework_nat()
705 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) { in pf_packet_rework_nat()
706 switch (pd->af) { in pf_packet_rework_nat()
708 pf_change_a(&pd->dst->v4.s_addr, in pf_packet_rework_nat()
709 pd->ip_sum, nk->addr[pd->didx].v4.s_addr, in pf_packet_rework_nat()
713 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); in pf_packet_rework_nat()
716 unhandled_af(pd->af); in pf_packet_rework_nat()
1661 pf_state_key_addr_setup(struct pf_pdesc *pd, in pf_state_key_addr_setup() argument
1664 struct pf_addr *saddr = pd->src; in pf_state_key_addr_setup()
1665 struct pf_addr *daddr = pd->dst; in pf_state_key_addr_setup()
1671 if (pd->af == AF_INET || pd->proto != IPPROTO_ICMPV6) in pf_state_key_addr_setup()
1674 switch (pd->hdr.icmp6.icmp6_type) { in pf_state_key_addr_setup()
1678 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) in pf_state_key_addr_setup()
1686 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) in pf_state_key_addr_setup()
1690 if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) { in pf_state_key_addr_setup()
1691 key->addr[pd->didx].addr32[0] = 0; in pf_state_key_addr_setup()
1692 key->addr[pd->didx].addr32[1] = 0; in pf_state_key_addr_setup()
1693 key->addr[pd->didx].addr32[2] = 0; in pf_state_key_addr_setup()
1694 key->addr[pd->didx].addr32[3] = 0; in pf_state_key_addr_setup()
1700 key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL; in pf_state_key_addr_setup()
1701 key->addr[pd->sidx].addr32[1] = 0; in pf_state_key_addr_setup()
1702 key->addr[pd->sidx].addr32[2] = 0; in pf_state_key_addr_setup()
1703 key->addr[pd->sidx].addr32[3] = IPV6_ADDR_INT32_ONE; in pf_state_key_addr_setup()
1710 PF_ACPY(&key->addr[pd->sidx], saddr, pd->af); in pf_state_key_addr_setup()
1712 PF_ACPY(&key->addr[pd->didx], daddr, pd->af); in pf_state_key_addr_setup()
1718 pf_state_key_setup(struct pf_pdesc *pd, u_int16_t sport, u_int16_t dport, in pf_state_key_setup() argument
1725 if (pf_state_key_addr_setup(pd, (struct pf_state_key_cmp *)*sk, in pf_state_key_setup()
1732 (*sk)->port[pd->sidx] = sport; in pf_state_key_setup()
1733 (*sk)->port[pd->didx] = dport; in pf_state_key_setup()
1734 (*sk)->proto = pd->proto; in pf_state_key_setup()
1735 (*sk)->af = pd->af; in pf_state_key_setup()
1744 if (pd->af != pd->naf) { in pf_state_key_setup()
1745 (*sk)->port[pd->sidx] = pd->osport; in pf_state_key_setup()
1746 (*sk)->port[pd->didx] = pd->odport; in pf_state_key_setup()
1748 (*nk)->af = pd->naf; in pf_state_key_setup()
1756 if (pd->dir == PF_IN) { in pf_state_key_setup()
1757 PF_ACPY(&(*nk)->addr[pd->didx], &pd->nsaddr, pd->naf); in pf_state_key_setup()
1758 PF_ACPY(&(*nk)->addr[pd->sidx], &pd->ndaddr, pd->naf); in pf_state_key_setup()
1759 (*nk)->port[pd->didx] = pd->nsport; in pf_state_key_setup()
1760 (*nk)->port[pd->sidx] = pd->ndport; in pf_state_key_setup()
1762 PF_ACPY(&(*nk)->addr[pd->sidx], &pd->nsaddr, pd->naf); in pf_state_key_setup()
1763 PF_ACPY(&(*nk)->addr[pd->didx], &pd->ndaddr, pd->naf); in pf_state_key_setup()
1764 (*nk)->port[pd->sidx] = pd->nsport; in pf_state_key_setup()
1765 (*nk)->port[pd->didx] = pd->ndport; in pf_state_key_setup()
1768 switch (pd->proto) { in pf_state_key_setup()
1776 (*nk)->proto = pd->proto; in pf_state_key_setup()
2195 pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type, in pf_icmp_mapping() argument
2206 switch (pd->af) { in pf_icmp_mapping()
2214 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2221 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2228 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2235 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2291 *virtual_id = pd->hdr.icmp6.icmp6_id; in pf_icmp_mapping()
2351 unhandled_af(pd->af); in pf_icmp_mapping()
3501 pf_translate_af(struct pf_pdesc *pd) in pf_translate_af() argument
3512 hlen = pd->naf == AF_INET ? sizeof(*ip4) : sizeof(*ip6); in pf_translate_af()
3515 m_adj(pd->m, pd->off); in pf_translate_af()
3518 M_PREPEND(pd->m, hlen, M_NOWAIT); in pf_translate_af()
3519 if (pd->m == NULL) in pf_translate_af()
3522 switch (pd->naf) { in pf_translate_af()
3524 ip4 = mtod(pd->m, struct ip *); in pf_translate_af()
3528 ip4->ip_tos = pd->tos; in pf_translate_af()
3529 ip4->ip_len = htons(hlen + (pd->tot_len - pd->off)); in pf_translate_af()
3531 ip4->ip_ttl = pd->ttl; in pf_translate_af()
3532 ip4->ip_p = pd->proto; in pf_translate_af()
3533 ip4->ip_src = pd->nsaddr.v4; in pf_translate_af()
3534 ip4->ip_dst = pd->ndaddr.v4; in pf_translate_af()
3535 pd->src = (struct pf_addr *)&ip4->ip_src; in pf_translate_af()
3536 pd->dst = (struct pf_addr *)&ip4->ip_dst; in pf_translate_af()
3537 pd->off = sizeof(struct ip); in pf_translate_af()
3540 ip6 = mtod(pd->m, struct ip6_hdr *); in pf_translate_af()
3543 ip6->ip6_flow |= htonl((u_int32_t)pd->tos << 20); in pf_translate_af()
3544 ip6->ip6_plen = htons(pd->tot_len - pd->off); in pf_translate_af()
3545 ip6->ip6_nxt = pd->proto; in pf_translate_af()
3546 if (!pd->ttl || pd->ttl > IPV6_DEFHLIM) in pf_translate_af()
3549 ip6->ip6_hlim = pd->ttl; in pf_translate_af()
3550 ip6->ip6_src = pd->nsaddr.v6; in pf_translate_af()
3551 ip6->ip6_dst = pd->ndaddr.v6; in pf_translate_af()
3552 pd->src = (struct pf_addr *)&ip6->ip6_src; in pf_translate_af()
3553 pd->dst = (struct pf_addr *)&ip6->ip6_dst; in pf_translate_af()
3554 pd->off = sizeof(struct ip6_hdr); in pf_translate_af()
3561 mtag = m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL); in pf_translate_af()
3574 if (pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6) { in pf_translate_af()
3576 if ((mp = m_pulldown(pd->m, hlen, sizeof(*icmp), &off)) == in pf_translate_af()
3578 pd->m = NULL; in pf_translate_af()
3583 icmp->icmp6_cksum = pd->naf == AF_INET ? in pf_translate_af()
3584 in4_cksum(pd->m, 0, hlen, ntohs(ip4->ip_len) - hlen) : in pf_translate_af()
3585 in6_cksum(pd->m, IPPROTO_ICMPV6, hlen, in pf_translate_af()
3594 pf_change_icmp_af(struct mbuf *m, int off, struct pf_pdesc *pd, in pf_change_icmp_af() argument
3666 pd->tot_len += hlen - olen; in pf_change_icmp_af()
3913 pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th, in pf_modulate_sack() argument
3923 !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) in pf_modulate_sack()
3942 pf_patch_32_unaligned(pd->m, in pf_modulate_sack()
3947 pf_patch_32_unaligned(pd->m, &th->th_sum, in pf_modulate_sack()
3966 m_copyback(pd->m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts); in pf_modulate_sack()
4112 pf_send_sctp_abort(sa_family_t af, struct pf_pdesc *pd, in pf_send_sctp_abort() argument
4127 MPASS(af == pd->af); in pf_send_sctp_abort()
4152 h->ip_src = pd->dst->v4; in pf_send_sctp_abort()
4153 h->ip_dst = pd->src->v4; in pf_send_sctp_abort()
4169 memcpy(&h6->ip6_src, &pd->dst->v6, sizeof(struct in6_addr)); in pf_send_sctp_abort()
4170 memcpy(&h6->ip6_dst, &pd->src->v6, sizeof(struct in6_addr)); in pf_send_sctp_abort()
4182 hdr->src_port = pd->hdr.sctp.dest_port; in pf_send_sctp_abort()
4183 hdr->dest_port = pd->hdr.sctp.src_port; in pf_send_sctp_abort()
4184 hdr->v_tag = pd->sctp_initiate_tag; in pf_send_sctp_abort()
4269 pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, in pf_return() argument
4274 struct pf_addr * const saddr = pd->src; in pf_return()
4275 struct pf_addr * const daddr = pd->dst; in pf_return()
4279 PF_ACPY(saddr, &sk->addr[pd->sidx], pd->af); in pf_return()
4280 PF_ACPY(daddr, &sk->addr[pd->didx], pd->af); in pf_return()
4281 if (pd->sport) in pf_return()
4282 *pd->sport = sk->port[pd->sidx]; in pf_return()
4283 if (pd->dport) in pf_return()
4284 *pd->dport = sk->port[pd->didx]; in pf_return()
4285 if (pd->ip_sum) in pf_return()
4286 *pd->ip_sum = bip_sum; in pf_return()
4287 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_return()
4289 if (pd->proto == IPPROTO_TCP && in pf_return()
4293 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; in pf_return()
4295 if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off, in pf_return()
4296 IPPROTO_TCP, pd->af)) in pf_return()
4303 pf_send_tcp(r, pd->af, pd->dst, in pf_return()
4304 pd->src, th->th_dport, th->th_sport, in pf_return()
4308 } else if (pd->proto == IPPROTO_SCTP && in pf_return()
4310 pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid); in pf_return()
4311 } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET && in pf_return()
4313 pf_send_icmp(pd->m, r->return_icmp >> 8, in pf_return()
4314 r->return_icmp & 255, pd->af, r, rtableid); in pf_return()
4315 else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 && in pf_return()
4317 pf_send_icmp(pd->m, r->return_icmp6 >> 8, in pf_return()
4318 r->return_icmp6 & 255, pd->af, r, rtableid); in pf_return()
4584 pf_tag_packet(struct pf_pdesc *pd, int tag) in pf_tag_packet() argument
4589 if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL)) in pf_tag_packet()
4592 pd->pf_mtag->tag = tag; in pf_tag_packet()
4899 pf_socket_lookup(struct pf_pdesc *pd) in pf_socket_lookup() argument
4906 pd->lookup.uid = UID_MAX; in pf_socket_lookup()
4907 pd->lookup.gid = GID_MAX; in pf_socket_lookup()
4909 switch (pd->proto) { in pf_socket_lookup()
4911 sport = pd->hdr.tcp.th_sport; in pf_socket_lookup()
4912 dport = pd->hdr.tcp.th_dport; in pf_socket_lookup()
4916 sport = pd->hdr.udp.uh_sport; in pf_socket_lookup()
4917 dport = pd->hdr.udp.uh_dport; in pf_socket_lookup()
4923 if (pd->dir == PF_IN) { in pf_socket_lookup()
4924 saddr = pd->src; in pf_socket_lookup()
4925 daddr = pd->dst; in pf_socket_lookup()
4932 saddr = pd->dst; in pf_socket_lookup()
4933 daddr = pd->src; in pf_socket_lookup()
4935 switch (pd->af) { in pf_socket_lookup()
4939 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4943 INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4952 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4956 INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4964 pd->lookup.uid = inp->inp_cred->cr_uid; in pf_socket_lookup()
4965 pd->lookup.gid = inp->inp_cred->cr_groups[0]; in pf_socket_lookup()
4972 pf_get_wscale(struct pf_pdesc *pd) in pf_get_wscale() argument
4974 struct tcphdr *th = &pd->hdr.tcp; in pf_get_wscale()
4983 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) in pf_get_wscale()
5013 pf_get_mss(struct pf_pdesc *pd) in pf_get_mss() argument
5015 struct tcphdr *th = &pd->hdr.tcp; in pf_get_mss()
5024 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) in pf_get_mss()
5091 pf_tcp_iss(struct pf_pdesc *pd) in pf_tcp_iss() argument
5109 SHA512_Update(&ctx, &pd->hdr.tcp.th_sport, sizeof(u_short)); in pf_tcp_iss()
5110 SHA512_Update(&ctx, &pd->hdr.tcp.th_dport, sizeof(u_short)); in pf_tcp_iss()
5111 switch (pd->af) { in pf_tcp_iss()
5113 SHA512_Update(&ctx, &pd->src->v6, sizeof(struct in6_addr)); in pf_tcp_iss()
5114 SHA512_Update(&ctx, &pd->dst->v6, sizeof(struct in6_addr)); in pf_tcp_iss()
5117 SHA512_Update(&ctx, &pd->src->v4, sizeof(struct in_addr)); in pf_tcp_iss()
5118 SHA512_Update(&ctx, &pd->dst->v4, sizeof(struct in_addr)); in pf_tcp_iss()
5469 struct pf_pdesc *pd, struct pf_krule **am, in pf_test_rule() argument
5477 struct tcphdr *th = &pd->hdr.tcp; in pf_test_rule()
5493 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5494 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5500 pd->lookup.uid = inp->inp_cred->cr_uid; in pf_test_rule()
5501 pd->lookup.gid = inp->inp_cred->cr_groups[0]; in pf_test_rule()
5502 pd->lookup.done = 1; in pf_test_rule()
5505 switch (pd->virtual_proto) { in pf_test_rule()
5507 pd->nsport = th->th_sport; in pf_test_rule()
5508 pd->ndport = th->th_dport; in pf_test_rule()
5511 pd->nsport = pd->hdr.udp.uh_sport; in pf_test_rule()
5512 pd->ndport = pd->hdr.udp.uh_dport; in pf_test_rule()
5515 pd->nsport = pd->hdr.sctp.src_port; in pf_test_rule()
5516 pd->ndport = pd->hdr.sctp.dest_port; in pf_test_rule()
5520 MPASS(pd->af == AF_INET); in pf_test_rule()
5521 icmptype = pd->hdr.icmp.icmp_type; in pf_test_rule()
5522 icmpcode = pd->hdr.icmp.icmp_code; in pf_test_rule()
5523 state_icmp = pf_icmp_mapping(pd, icmptype, in pf_test_rule()
5526 pd->nsport = virtual_id; in pf_test_rule()
5527 pd->ndport = virtual_type; in pf_test_rule()
5529 pd->nsport = virtual_type; in pf_test_rule()
5530 pd->ndport = virtual_id; in pf_test_rule()
5536 MPASS(pd->af == AF_INET6); in pf_test_rule()
5537 icmptype = pd->hdr.icmp6.icmp6_type; in pf_test_rule()
5538 icmpcode = pd->hdr.icmp6.icmp6_code; in pf_test_rule()
5539 state_icmp = pf_icmp_mapping(pd, icmptype, in pf_test_rule()
5542 pd->nsport = virtual_id; in pf_test_rule()
5543 pd->ndport = virtual_type; in pf_test_rule()
5545 pd->nsport = virtual_type; in pf_test_rule()
5546 pd->ndport = virtual_id; in pf_test_rule()
5552 pd->nsport = pd->ndport = 0; in pf_test_rule()
5555 pd->osport = pd->nsport; in pf_test_rule()
5556 pd->odport = pd->ndport; in pf_test_rule()
5561 transerror = pf_get_translation(pd, pd->off, &sk, &nk, anchor_stack, in pf_test_rule()
5577 ruleset, pd, 1, NULL); in pf_test_rule()
5580 if (pd->ip_sum) in pf_test_rule()
5581 bip_sum = *pd->ip_sum; in pf_test_rule()
5583 switch (pd->proto) { in pf_test_rule()
5587 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_test_rule()
5588 nk->port[pd->sidx] != pd->nsport) { in pf_test_rule()
5589 pf_change_ap(pd->m, pd->src, &th->th_sport, in pf_test_rule()
5590 pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx], in pf_test_rule()
5591 nk->port[pd->sidx], 0, pd->af, pd->naf); in pf_test_rule()
5592 pd->sport = &th->th_sport; in pf_test_rule()
5593 pd->nsport = th->th_sport; in pf_test_rule()
5594 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5597 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_test_rule()
5598 nk->port[pd->didx] != pd->ndport) { in pf_test_rule()
5599 pf_change_ap(pd->m, pd->dst, &th->th_dport, in pf_test_rule()
5600 pd->ip_sum, &th->th_sum, &nk->addr[pd->didx], in pf_test_rule()
5601 nk->port[pd->didx], 0, pd->af, pd->naf); in pf_test_rule()
5602 pd->dport = &th->th_dport; in pf_test_rule()
5603 pd->ndport = th->th_dport; in pf_test_rule()
5604 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5609 bproto_sum = pd->hdr.udp.uh_sum; in pf_test_rule()
5611 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_test_rule()
5612 nk->port[pd->sidx] != pd->nsport) { in pf_test_rule()
5613 pf_change_ap(pd->m, pd->src, in pf_test_rule()
5614 &pd->hdr.udp.uh_sport, in pf_test_rule()
5615 pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_test_rule()
5616 &nk->addr[pd->sidx], in pf_test_rule()
5617 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_test_rule()
5618 pd->sport = &pd->hdr.udp.uh_sport; in pf_test_rule()
5619 pd->nsport = pd->hdr.udp.uh_sport; in pf_test_rule()
5620 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5623 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_test_rule()
5624 nk->port[pd->didx] != pd->ndport) { in pf_test_rule()
5625 pf_change_ap(pd->m, pd->dst, in pf_test_rule()
5626 &pd->hdr.udp.uh_dport, in pf_test_rule()
5627 pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_test_rule()
5628 &nk->addr[pd->didx], in pf_test_rule()
5629 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_test_rule()
5630 pd->dport = &pd->hdr.udp.uh_dport; in pf_test_rule()
5631 pd->ndport = pd->hdr.udp.uh_dport; in pf_test_rule()
5632 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5639 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_test_rule()
5640 nk->port[pd->sidx] != pd->nsport) { in pf_test_rule()
5641 pf_change_ap(pd->m, pd->src, in pf_test_rule()
5642 &pd->hdr.sctp.src_port, pd->ip_sum, &checksum, in pf_test_rule()
5643 &nk->addr[pd->sidx], in pf_test_rule()
5644 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_test_rule()
5645 pd->sport = &pd->hdr.sctp.src_port; in pf_test_rule()
5646 pd->nsport = pd->hdr.sctp.src_port; in pf_test_rule()
5647 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5649 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_test_rule()
5650 nk->port[pd->didx] != pd->ndport) { in pf_test_rule()
5651 pf_change_ap(pd->m, pd->dst, in pf_test_rule()
5652 &pd->hdr.sctp.dest_port, pd->ip_sum, &checksum, in pf_test_rule()
5653 &nk->addr[pd->didx], in pf_test_rule()
5654 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_test_rule()
5655 pd->dport = &pd->hdr.sctp.dest_port; in pf_test_rule()
5656 pd->ndport = pd->hdr.sctp.dest_port; in pf_test_rule()
5657 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5663 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET)) { in pf_test_rule()
5664 pf_change_a(&pd->src->v4.s_addr, pd->ip_sum, in pf_test_rule()
5665 nk->addr[pd->sidx].v4.s_addr, 0); in pf_test_rule()
5666 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5669 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET)) { in pf_test_rule()
5670 pf_change_a(&pd->dst->v4.s_addr, pd->ip_sum, in pf_test_rule()
5671 nk->addr[pd->didx].v4.s_addr, 0); in pf_test_rule()
5672 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5676 nk->port[pd->sidx] != pd->hdr.icmp.icmp_id) { in pf_test_rule()
5677 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_test_rule()
5678 pd->hdr.icmp.icmp_cksum, pd->nsport, in pf_test_rule()
5679 nk->port[pd->sidx], 0); in pf_test_rule()
5680 pd->hdr.icmp.icmp_id = nk->port[pd->sidx]; in pf_test_rule()
5681 pd->sport = &pd->hdr.icmp.icmp_id; in pf_test_rule()
5683 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); in pf_test_rule()
5688 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET6)) { in pf_test_rule()
5689 pf_change_a6(pd->src, &pd->hdr.icmp6.icmp6_cksum, in pf_test_rule()
5690 &nk->addr[pd->sidx], 0); in pf_test_rule()
5691 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5694 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET6)) { in pf_test_rule()
5695 pf_change_a6(pd->dst, &pd->hdr.icmp6.icmp6_cksum, in pf_test_rule()
5696 &nk->addr[pd->didx], 0); in pf_test_rule()
5697 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5703 switch (pd->af) { in pf_test_rule()
5706 if (PF_ANEQ(&pd->nsaddr, in pf_test_rule()
5707 &nk->addr[pd->sidx], AF_INET)) { in pf_test_rule()
5708 pf_change_a(&pd->src->v4.s_addr, in pf_test_rule()
5709 pd->ip_sum, in pf_test_rule()
5710 nk->addr[pd->sidx].v4.s_addr, 0); in pf_test_rule()
5711 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5714 if (PF_ANEQ(&pd->ndaddr, in pf_test_rule()
5715 &nk->addr[pd->didx], AF_INET)) { in pf_test_rule()
5716 pf_change_a(&pd->dst->v4.s_addr, in pf_test_rule()
5717 pd->ip_sum, in pf_test_rule()
5718 nk->addr[pd->didx].v4.s_addr, 0); in pf_test_rule()
5719 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5725 if (PF_ANEQ(&pd->nsaddr, in pf_test_rule()
5726 &nk->addr[pd->sidx], AF_INET6)) { in pf_test_rule()
5727 PF_ACPY(&pd->nsaddr, &nk->addr[pd->sidx], pd->af); in pf_test_rule()
5728 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); in pf_test_rule()
5731 if (PF_ANEQ(&pd->ndaddr, in pf_test_rule()
5732 &nk->addr[pd->didx], AF_INET6)) { in pf_test_rule()
5733 PF_ACPY(&pd->ndaddr, &nk->addr[pd->didx], pd->af); in pf_test_rule()
5734 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); in pf_test_rule()
5746 if (pd->related_rule) { in pf_test_rule()
5747 *rm = pd->related_rule; in pf_test_rule()
5751 PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot, in pf_test_rule()
5753 PF_TEST_ATTRIB(r->direction && r->direction != pd->dir, in pf_test_rule()
5755 PF_TEST_ATTRIB(r->af && r->af != pd->af, in pf_test_rule()
5757 PF_TEST_ATTRIB(r->proto && r->proto != pd->proto, in pf_test_rule()
5759 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, pd->naf, in pf_test_rule()
5760 r->src.neg, pd->kif, M_GETFIB(pd->m)), in pf_test_rule()
5762 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, pd->af, in pf_test_rule()
5763 r->dst.neg, NULL, M_GETFIB(pd->m)), in pf_test_rule()
5765 switch (pd->virtual_proto) { in pf_test_rule()
5770 PF_TEST_ATTRIB((pd->proto == IPPROTO_TCP && r->flagset), in pf_test_rule()
5788 r->src.port[0], r->src.port[1], pd->nsport), in pf_test_rule()
5792 r->dst.port[0], r->dst.port[1], pd->ndport), in pf_test_rule()
5795 PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done = in pf_test_rule()
5796 pf_socket_lookup(pd), 1)) && in pf_test_rule()
5798 pd->lookup.uid), in pf_test_rule()
5801 PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done = in pf_test_rule()
5802 pf_socket_lookup(pd), 1)) && in pf_test_rule()
5804 pd->lookup.gid), in pf_test_rule()
5821 PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos), in pf_test_rule()
5824 !pf_match_ieee8021q_pcp(r->prio, pd->m), in pf_test_rule()
5829 PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag, in pf_test_rule()
5830 pd->pf_mtag ? pd->pf_mtag->tag : 0), in pf_test_rule()
5832 PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(pd->m, r) == in pf_test_rule()
5836 pd->virtual_proto != PF_VPROTO_FRAGMENT), in pf_test_rule()
5839 (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match( in pf_test_rule()
5840 pf_osfp_fingerprint(pd, th), in pf_test_rule()
5856 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1); in pf_test_rule()
5857 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len); in pf_test_rule()
5859 pf_rule_to_actions(r, &pd->act); in pf_test_rule()
5861 pd->naf = r->naf; in pf_test_rule()
5862 if (pd->af != pd->naf) { in pf_test_rule()
5863 if (pf_get_transaddr_af(r, pd) == -1) { in pf_test_rule()
5870 a, ruleset, pd, 1, NULL); in pf_test_rule()
5877 if (pd->act.log & PF_LOG_MATCHES) in pf_test_rule()
5878 pf_log_matches(pd, r, a, ruleset, &match_rules); in pf_test_rule()
5897 pf_rule_to_actions(r, &pd->act); in pf_test_rule()
5899 pd->naf = r->naf; in pf_test_rule()
5900 if (pd->af != pd->naf) { in pf_test_rule()
5901 if (pf_get_transaddr_af(r, pd) == -1) { in pf_test_rule()
5909 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_rule()
5910 PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1, NULL); in pf_test_rule()
5912 if (pd->act.log & PF_LOG_MATCHES) in pf_test_rule()
5913 pf_log_matches(pd, r, a, ruleset, &match_rules); in pf_test_rule()
5914 if (pd->virtual_proto != PF_VPROTO_FRAGMENT && in pf_test_rule()
5919 pf_return(r, nr, pd, sk, th, bproto_sum, in pf_test_rule()
5926 if (tag > 0 && pf_tag_packet(pd, tag)) { in pf_test_rule()
5930 if (pd->act.rtableid >= 0) in pf_test_rule()
5931 M_SETFIB(pd->m, pd->act.rtableid); in pf_test_rule()
5946 pd->act.rt = r->rt; in pf_test_rule()
5948 reason = pf_map_addr_sn(pd->af, r, pd->src, &pd->act.rt_addr, in pf_test_rule()
5949 &pd->act.rt_kif, NULL, &sn, &snh, pool, PF_SN_ROUTE); in pf_test_rule()
5954 if (pd->virtual_proto != PF_VPROTO_FRAGMENT && in pf_test_rule()
5956 (pd->flags & PFDESC_TCP_NORM)))) { in pf_test_rule()
5960 action = pf_create_state(r, nr, a, pd, nk, sk, in pf_test_rule()
5965 pd->act.log |= PF_LOG_FORCE; in pf_test_rule()
5968 pf_return(r, nr, pd, sk, th, in pf_test_rule()
5970 pd->act.rtableid); in pf_test_rule()
5974 nat64 = pd->af != pd->naf; in pf_test_rule()
5979 sk = (*sm)->key[pd->dir == PF_IN ? PF_SK_STACK : PF_SK_WIRE]; in pf_test_rule()
5981 nk = (*sm)->key[pd->dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK]; in pf_test_rule()
5983 if (pd->dir == PF_IN) { in pf_test_rule()
5984 ret = pf_translate(pd, &sk->addr[pd->didx], in pf_test_rule()
5985 sk->port[pd->didx], &sk->addr[pd->sidx], in pf_test_rule()
5986 sk->port[pd->sidx], virtual_type, in pf_test_rule()
5989 ret = pf_translate(pd, &sk->addr[pd->sidx], in pf_test_rule()
5990 sk->port[pd->sidx], &sk->addr[pd->didx], in pf_test_rule()
5991 sk->port[pd->didx], virtual_type, in pf_test_rule()
6013 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_rule()
6016 pd->dir == PF_OUT && in pf_test_rule()
6017 V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m)) in pf_test_rule()
6046 struct pf_pdesc *pd, struct pf_state_key *nk, struct pf_state_key *sk, in pf_create_state() argument
6059 struct tcphdr *th = &pd->hdr.tcp; in pf_create_state()
6074 (sn_reason = pf_insert_src_node(sns, snhs, r, pd->src, pd->af, in pf_create_state()
6083 (sn_reason = pf_insert_src_node(sns, snhs, r, pd->src, pd->af, in pf_create_state()
6084 &pd->act.rt_addr, pd->act.rt_kif, PF_SN_ROUTE)) != 0) { in pf_create_state()
6090 (sn_reason = pf_insert_src_node(sns, snhs, nr, &sk->addr[pd->sidx], in pf_create_state()
6091 pd->af, &nk->addr[1], NULL, PF_SN_NAT)) != 0 ) { in pf_create_state()
6104 memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions)); in pf_create_state()
6111 if (pd->flags & PFDESC_TCP_NORM) /* Set by old-style scrub rules */ in pf_create_state()
6117 s->act.log = pd->act.log & PF_LOG_ALL; in pf_create_state()
6119 s->state_flags |= pd->act.flags; /* Only needed for pfsync and state export */ in pf_create_state()
6123 switch (pd->proto) { in pf_create_state()
6126 s->src.seqhi = s->src.seqlo + pd->p_len + 1; in pf_create_state()
6130 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == in pf_create_state()
6133 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, in pf_create_state()
6140 s->src.wscale = pf_get_wscale(pd); in pf_create_state()
6183 if (pd->proto == IPPROTO_TCP) { in pf_create_state()
6185 pf_normalize_tcp_init(pd, th, &s->src, &s->dst)) { in pf_create_state()
6190 pf_normalize_tcp_stateful(pd, &reason, th, s, in pf_create_state()
6198 } else if (pd->proto == IPPROTO_SCTP) { in pf_create_state()
6199 if (pf_normalize_sctp_init(pd, &s->src, &s->dst)) in pf_create_state()
6201 if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP))) in pf_create_state()
6204 s->direction = pd->dir; in pf_create_state()
6212 MPASS(pd->sport == NULL || (pd->osport == *pd->sport)); in pf_create_state()
6213 MPASS(pd->dport == NULL || (pd->odport == *pd->dport)); in pf_create_state()
6214 if (pf_state_key_setup(pd, pd->nsport, pd->ndport, &sk, &nk)) { in pf_create_state()
6222 if (pf_state_insert(BOUND_IFACE(s, pd), pd->kif, in pf_create_state()
6223 (pd->dir == PF_IN) ? sk : nk, in pf_create_state()
6224 (pd->dir == PF_IN) ? nk : sk, s)) { in pf_create_state()
6242 if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) == in pf_create_state()
6248 if (pd->dir == PF_OUT) in pf_create_state()
6250 PF_ACPY(pd->src, &skt->addr[pd->sidx], pd->af); in pf_create_state()
6251 PF_ACPY(pd->dst, &skt->addr[pd->didx], pd->af); in pf_create_state()
6252 if (pd->sport) in pf_create_state()
6253 *pd->sport = skt->port[pd->sidx]; in pf_create_state()
6254 if (pd->dport) in pf_create_state()
6255 *pd->dport = skt->port[pd->didx]; in pf_create_state()
6256 if (pd->ip_sum) in pf_create_state()
6257 *pd->ip_sum = bip_sum; in pf_create_state()
6258 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_create_state()
6262 int rtid = M_GETFIB(pd->m); in pf_create_state()
6263 mss = pf_get_mss(pd); in pf_create_state()
6264 mss = pf_calc_mss(pd->src, pd->af, rtid, mss); in pf_create_state()
6265 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss); in pf_create_state()
6267 pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport, in pf_create_state()
6270 pd->act.rtableid); in pf_create_state()
6313 pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport, in pf_translate() argument
6328 int afto = pd->af != pd->naf; in pf_translate()
6332 switch (pd->proto) { in pf_translate()
6334 if (afto || *pd->sport != sport) { in pf_translate()
6335 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.tcp.th_sum, in pf_translate()
6336 saddr, sport, 0, pd->af, pd->naf); in pf_translate()
6339 if (afto || *pd->dport != dport) { in pf_translate()
6340 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.tcp.th_sum, in pf_translate()
6341 daddr, dport, 0, pd->af, pd->naf); in pf_translate()
6347 if (afto || *pd->sport != sport) { in pf_translate()
6348 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_translate()
6349 saddr, sport, 1, pd->af, pd->naf); in pf_translate()
6352 if (afto || *pd->dport != dport) { in pf_translate()
6353 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_translate()
6354 daddr, dport, 1, pd->af, pd->naf); in pf_translate()
6361 if (afto || *pd->sport != sport) { in pf_translate()
6362 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &checksum, in pf_translate()
6363 saddr, sport, 1, pd->af, pd->naf); in pf_translate()
6366 if (afto || *pd->dport != dport) { in pf_translate()
6367 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &checksum, in pf_translate()
6368 daddr, dport, 1, pd->af, pd->naf); in pf_translate()
6377 if (pd->af != AF_INET) in pf_translate()
6381 if (pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp)) in pf_translate()
6383 pd->proto = IPPROTO_ICMPV6; in pf_translate()
6389 if (icmpid != pd->hdr.icmp.icmp_id) { in pf_translate()
6390 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_translate()
6391 pd->hdr.icmp.icmp_cksum, in pf_translate()
6392 pd->hdr.icmp.icmp_id, icmpid, 0); in pf_translate()
6393 pd->hdr.icmp.icmp_id = icmpid; in pf_translate()
6404 if (pd->af != AF_INET6) in pf_translate()
6409 if (pf_translate_icmp_af(AF_INET, &pd->hdr.icmp6)) in pf_translate()
6411 pd->proto = IPPROTO_ICMP; in pf_translate()
6425 pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd, in pf_tcp_track_full() argument
6429 struct tcphdr *th = &pd->hdr.tcp; in pf_tcp_track_full()
6453 if (pf_normalize_tcp_init(pd, th, src, dst)) { in pf_tcp_track_full()
6465 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + in pf_tcp_track_full()
6467 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); in pf_tcp_track_full()
6473 end = seq + pd->p_len; in pf_tcp_track_full()
6477 src->wscale = pf_get_wscale(pd); in pf_tcp_track_full()
6518 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + in pf_tcp_track_full()
6520 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); in pf_tcp_track_full()
6523 end = seq + pd->p_len; in pf_tcp_track_full()
6566 if (pf_modulate_sack(pd, th, dst)) in pf_tcp_track_full()
6584 if (pf_normalize_tcp_stateful(pd, reason, th, in pf_tcp_track_full()
6677 pd->p_len, ackskew, (unsigned long long)(*state)->packets[0], in pf_tcp_track_full()
6679 pd->dir == PF_IN ? "in" : "out", in pf_tcp_track_full()
6680 pd->dir == (*state)->direction ? "fwd" : "rev"); in pf_tcp_track_full()
6684 if (pf_normalize_tcp_stateful(pd, reason, th, in pf_tcp_track_full()
6717 pf_send_tcp((*state)->rule, pd->af, in pf_tcp_track_full()
6718 pd->dst, pd->src, th->th_dport, in pf_tcp_track_full()
6732 seq, orig_seq, ack, pd->p_len, ackskew, in pf_tcp_track_full()
6735 pd->dir == PF_IN ? "in" : "out", in pf_tcp_track_full()
6736 pd->dir == (*state)->direction ? "fwd" : "rev"); in pf_tcp_track_full()
6754 pf_tcp_track_sloppy(struct pf_kstate **state, struct pf_pdesc *pd, in pf_tcp_track_sloppy() argument
6758 struct tcphdr *th = &pd->hdr.tcp; in pf_tcp_track_sloppy()
6828 pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason) in pf_synproxy() argument
6830 struct pf_state_key *sk = (*state)->key[pd->didx]; in pf_synproxy()
6831 struct tcphdr *th = &pd->hdr.tcp; in pf_synproxy()
6834 if (pd->dir != (*state)->direction) { in pf_synproxy()
6843 pf_send_tcp((*state)->rule, pd->af, pd->dst, in pf_synproxy()
6844 pd->src, th->th_dport, th->th_sport, in pf_synproxy()
6864 if (pd->dir == (*state)->direction) { in pf_synproxy()
6874 pf_send_tcp((*state)->rule, pd->af, in pf_synproxy()
6875 &sk->addr[pd->sidx], &sk->addr[pd->didx], in pf_synproxy()
6876 sk->port[pd->sidx], sk->port[pd->didx], in pf_synproxy()
6891 pf_send_tcp((*state)->rule, pd->af, pd->dst, in pf_synproxy()
6892 pd->src, th->th_dport, th->th_sport, in pf_synproxy()
6896 pf_send_tcp((*state)->rule, pd->af, in pf_synproxy()
6897 &sk->addr[pd->sidx], &sk->addr[pd->didx], in pf_synproxy()
6898 sk->port[pd->sidx], sk->port[pd->didx], in pf_synproxy()
6922 pf_test_state(struct pf_kstate **state, struct pf_pdesc *pd, u_short *reason) in pf_test_state() argument
6931 key.af = pd->af; in pf_test_state()
6932 key.proto = pd->virtual_proto; in pf_test_state()
6933 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af); in pf_test_state()
6934 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af); in pf_test_state()
6935 key.port[pd->sidx] = pd->osport; in pf_test_state()
6936 key.port[pd->didx] = pd->odport; in pf_test_state()
6938 STATE_LOOKUP(&key, *state, pd); in pf_test_state()
6940 if (pd->dir == (*state)->direction) { in pf_test_state()
6941 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state()
6953 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state()
6966 switch (pd->virtual_proto) { in pf_test_state()
6968 struct tcphdr *th = &pd->hdr.tcp; in pf_test_state()
6970 if ((action = pf_synproxy(pd, state, reason)) != PF_PASS) in pf_test_state()
6976 pf_syncookie_check(pd) && pd->dir == PF_IN))) { in pf_test_state()
6990 if (pf_tcp_track_sloppy(state, pd, reason, src, dst, in pf_test_state()
6996 ret = pf_tcp_track_full(state, pd, reason, in pf_test_state()
7020 pd->sctp_flags & PFDESC_SCTP_INIT) { in pf_test_state()
7027 if (pf_sctp_track(*state, pd, reason) != PF_PASS) in pf_test_state()
7031 if (pd->sctp_flags & PFDESC_SCTP_INIT) { in pf_test_state()
7037 if (pd->sctp_flags & PFDESC_SCTP_INIT_ACK) { in pf_test_state()
7040 dst->scrub->pfss_v_tag = pd->sctp_initiate_tag; in pf_test_state()
7050 (*state)->kif = pd->kif; in pf_test_state()
7052 if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) { in pf_test_state()
7058 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | in pf_test_state()
7065 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE | PFDESC_SCTP_ABORT)) { in pf_test_state()
7093 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state()
7094 nk = (*state)->key[pd->sidx]; in pf_test_state()
7096 nk = (*state)->key[pd->didx]; in pf_test_state()
7098 afto = pd->af != nk->af; in pf_test_state()
7101 sidx = pd->didx; in pf_test_state()
7102 didx = pd->sidx; in pf_test_state()
7104 sidx = pd->sidx; in pf_test_state()
7105 didx = pd->didx; in pf_test_state()
7108 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) || in pf_test_state()
7109 nk->port[sidx] != pd->osport) in pf_test_state()
7110 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, in pf_test_state()
7111 pd->pcksum, &nk->addr[sidx], in pf_test_state()
7112 nk->port[sidx], pd->virtual_proto == IPPROTO_UDP, in pf_test_state()
7113 pd->af, nk->af); in pf_test_state()
7115 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) || in pf_test_state()
7116 nk->port[didx] != pd->odport) in pf_test_state()
7117 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, in pf_test_state()
7118 pd->pcksum, &nk->addr[didx], in pf_test_state()
7119 nk->port[didx], pd->virtual_proto == IPPROTO_UDP, in pf_test_state()
7120 pd->af, nk->af); in pf_test_state()
7123 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af); in pf_test_state()
7124 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af); in pf_test_state()
7125 pd->naf = nk->af; in pf_test_state()
7132 if (copyback && pd->hdrlen > 0) in pf_test_state()
7133 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_state()
7139 pf_sctp_track(struct pf_kstate *state, struct pf_pdesc *pd, in pf_sctp_track() argument
7143 if (pd->dir == state->direction) { in pf_sctp_track()
7144 if (PF_REVERSED_KEY(state, pd->af)) in pf_sctp_track()
7149 if (PF_REVERSED_KEY(state, pd->af)) in pf_sctp_track()
7157 src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag; in pf_sctp_track()
7158 else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag) in pf_sctp_track()
7225 pf_sctp_multihome_add_addr(struct pf_pdesc *pd, struct pf_addr *a, uint32_t v_tag) in pf_sctp_multihome_add_addr() argument
7251 if (pf_addr_cmp(&i->addr, a, pd->af) == 0) { in pf_sctp_multihome_add_addr()
7263 i->af = pd->af; in pf_sctp_multihome_add_addr()
7272 pf_sctp_multihome_delayed(struct pf_pdesc *pd, struct pfi_kkif *kif, in pf_sctp_multihome_delayed() argument
7287 TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) { in pf_sctp_multihome_delayed()
7292 MPASS(! (pd->sctp_flags & PFDESC_SCTP_ADD_IP)); in pf_sctp_multihome_delayed()
7296 uint32_t v_tag = pd->sctp_initiate_tag; in pf_sctp_multihome_delayed()
7299 if (s->direction == pd->dir) in pf_sctp_multihome_delayed()
7311 if (pf_addr_cmp(&j->src, pd->src, pd->af) == 0) { in pf_sctp_multihome_delayed()
7315 j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP; in pf_sctp_multihome_delayed()
7319 j->pd.related_rule = s->rule; in pf_sctp_multihome_delayed()
7322 &j->pd, &ra, &rs, NULL); in pf_sctp_multihome_delayed()
7324 SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->pd.m, ret); in pf_sctp_multihome_delayed()
7341 pf_sctp_multihome_add_addr(pd, &j->src, v_tag); in pf_sctp_multihome_delayed()
7351 .v_tag = pd->hdr.sctp.v_tag, in pf_sctp_multihome_delayed()
7367 if (i->af != pd->af) in pf_sctp_multihome_delayed()
7374 memcpy(&nj->pd, &j->pd, sizeof(j->pd)); in pf_sctp_multihome_delayed()
7376 nj->pd.src = &nj->src; in pf_sctp_multihome_delayed()
7379 nj->pd.dst = &nj->dst; in pf_sctp_multihome_delayed()
7380 nj->pd.m = j->pd.m; in pf_sctp_multihome_delayed()
7383 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, nj, next); in pf_sctp_multihome_delayed()
7394 key.af = j->pd.af; in pf_sctp_multihome_delayed()
7396 if (j->pd.dir == PF_IN) { /* wire side, straight */ in pf_sctp_multihome_delayed()
7397 PF_ACPY(&key.addr[0], j->pd.src, key.af); in pf_sctp_multihome_delayed()
7398 PF_ACPY(&key.addr[1], j->pd.dst, key.af); in pf_sctp_multihome_delayed()
7399 key.port[0] = j->pd.hdr.sctp.src_port; in pf_sctp_multihome_delayed()
7400 key.port[1] = j->pd.hdr.sctp.dest_port; in pf_sctp_multihome_delayed()
7402 PF_ACPY(&key.addr[1], j->pd.src, key.af); in pf_sctp_multihome_delayed()
7403 PF_ACPY(&key.addr[0], j->pd.dst, key.af); in pf_sctp_multihome_delayed()
7404 key.port[1] = j->pd.hdr.sctp.src_port; in pf_sctp_multihome_delayed()
7405 key.port[0] = j->pd.hdr.sctp.dest_port; in pf_sctp_multihome_delayed()
7408 sm = pf_find_state(kif, &key, j->pd.dir); in pf_sctp_multihome_delayed()
7411 if (j->pd.dir == sm->direction) { in pf_sctp_multihome_delayed()
7427 TAILQ_REMOVE(&pd->sctp_multihome_jobs, j, next); in pf_sctp_multihome_delayed()
7432 if (! TAILQ_EMPTY(&pd->sctp_multihome_jobs)) { in pf_sctp_multihome_delayed()
7439 pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op) in pf_multihome_scan() argument
7444 SDT_PROBE4(pf, sctp, multihome_scan, entry, start, len, pd, op); in pf_multihome_scan()
7449 if (!pf_pull_hdr(pd->m, start + off, &h, sizeof(h), NULL, NULL, in pf_multihome_scan()
7450 pd->af)) in pf_multihome_scan()
7468 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), in pf_multihome_scan()
7469 NULL, NULL, pd->af)) in pf_multihome_scan()
7473 t.s_addr = pd->src->v4.s_addr; in pf_multihome_scan()
7491 memcpy(&job->pd, pd, sizeof(*pd)); in pf_multihome_scan()
7495 job->pd.src = &job->src; in pf_multihome_scan()
7496 memcpy(&job->dst, pd->dst, sizeof(job->dst)); in pf_multihome_scan()
7497 job->pd.dst = &job->dst; in pf_multihome_scan()
7498 job->pd.m = pd->m; in pf_multihome_scan()
7501 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); in pf_multihome_scan()
7512 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), in pf_multihome_scan()
7513 NULL, NULL, pd->af)) in pf_multihome_scan()
7515 if (memcmp(&t, &pd->src->v6, sizeof(t)) == 0) in pf_multihome_scan()
7518 memcpy(&t, &pd->src->v6, sizeof(t)); in pf_multihome_scan()
7526 memcpy(&job->pd, pd, sizeof(*pd)); in pf_multihome_scan()
7528 job->pd.src = &job->src; in pf_multihome_scan()
7529 memcpy(&job->dst, pd->dst, sizeof(job->dst)); in pf_multihome_scan()
7530 job->pd.dst = &job->dst; in pf_multihome_scan()
7531 job->pd.m = pd->m; in pf_multihome_scan()
7534 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); in pf_multihome_scan()
7542 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), in pf_multihome_scan()
7543 NULL, NULL, pd->af)) in pf_multihome_scan()
7547 ntohs(ah.ph.param_length) - sizeof(ah), pd, in pf_multihome_scan()
7557 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), in pf_multihome_scan()
7558 NULL, NULL, pd->af)) in pf_multihome_scan()
7561 ntohs(ah.ph.param_length) - sizeof(ah), pd, in pf_multihome_scan()
7578 pf_multihome_scan_init(int start, int len, struct pf_pdesc *pd) in pf_multihome_scan_init() argument
7583 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); in pf_multihome_scan_init()
7587 pf_multihome_scan_asconf(int start, int len, struct pf_pdesc *pd) in pf_multihome_scan_asconf() argument
7592 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); in pf_multihome_scan_asconf()
7596 pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, in pf_icmp_state_lookup() argument
7600 int direction = pd->dir; in pf_icmp_state_lookup()
7602 key->af = pd->af; in pf_icmp_state_lookup()
7603 key->proto = pd->proto; in pf_icmp_state_lookup()
7605 *iidx = pd->sidx; in pf_icmp_state_lookup()
7606 key->port[pd->sidx] = icmpid; in pf_icmp_state_lookup()
7607 key->port[pd->didx] = type; in pf_icmp_state_lookup()
7609 *iidx = pd->didx; in pf_icmp_state_lookup()
7610 key->port[pd->sidx] = type; in pf_icmp_state_lookup()
7611 key->port[pd->didx] = icmpid; in pf_icmp_state_lookup()
7613 if (pf_state_key_addr_setup(pd, key, multi)) in pf_icmp_state_lookup()
7616 STATE_LOOKUP(key, *state, pd); in pf_icmp_state_lookup()
7623 direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ? in pf_icmp_state_lookup()
7628 (((!inner && direction == pd->dir) || in pf_icmp_state_lookup()
7629 (inner && direction != pd->dir)) ? in pf_icmp_state_lookup()
7645 pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, in pf_test_state_icmp() argument
7648 struct pf_addr *saddr = pd->src, *daddr = pd->dst; in pf_test_state_icmp()
7660 switch (pd->proto) { in pf_test_state_icmp()
7663 icmptype = pd->hdr.icmp.icmp_type; in pf_test_state_icmp()
7664 icmpcode = pd->hdr.icmp.icmp_code; in pf_test_state_icmp()
7665 icmpid = pd->hdr.icmp.icmp_id; in pf_test_state_icmp()
7666 icmpsum = &pd->hdr.icmp.icmp_cksum; in pf_test_state_icmp()
7671 icmptype = pd->hdr.icmp6.icmp6_type; in pf_test_state_icmp()
7672 icmpcode = pd->hdr.icmp6.icmp6_code; in pf_test_state_icmp()
7674 icmpid = pd->hdr.icmp6.icmp6_id; in pf_test_state_icmp()
7676 icmpsum = &pd->hdr.icmp6.icmp6_cksum; in pf_test_state_icmp()
7680 panic("unhandled proto %d", pd->proto); in pf_test_state_icmp()
7683 if (pf_icmp_mapping(pd, icmptype, &icmp_dir, &virtual_id, in pf_test_state_icmp()
7689 ret = pf_icmp_state_lookup(&key, pd, state, virtual_id, in pf_test_state_icmp()
7692 if (ret == PF_DROP && pd->af == AF_INET6 && icmp_dir == PF_OUT) { in pf_test_state_icmp()
7694 ret = pf_icmp_state_lookup(&key, pd, state, in pf_test_state_icmp()
7711 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
7712 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
7714 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
7716 afto = pd->af != nk->af; in pf_test_state_icmp()
7719 sidx = pd->didx; in pf_test_state_icmp()
7720 didx = pd->sidx; in pf_test_state_icmp()
7723 sidx = pd->sidx; in pf_test_state_icmp()
7724 didx = pd->didx; in pf_test_state_icmp()
7727 switch (pd->af) { in pf_test_state_icmp()
7733 &pd->hdr.icmp)) in pf_test_state_icmp()
7735 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
7739 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET)) in pf_test_state_icmp()
7741 pd->ip_sum, in pf_test_state_icmp()
7745 if (!afto && PF_ANEQ(pd->dst, in pf_test_state_icmp()
7748 pd->ip_sum, in pf_test_state_icmp()
7752 pd->hdr.icmp.icmp_id) { in pf_test_state_icmp()
7753 pd->hdr.icmp.icmp_cksum = in pf_test_state_icmp()
7755 pd->hdr.icmp.icmp_cksum, icmpid, in pf_test_state_icmp()
7757 pd->hdr.icmp.icmp_id = in pf_test_state_icmp()
7761 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
7762 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
7770 &pd->hdr.icmp6)) in pf_test_state_icmp()
7772 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
7776 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET6)) in pf_test_state_icmp()
7778 &pd->hdr.icmp6.icmp6_cksum, in pf_test_state_icmp()
7781 if (!afto && PF_ANEQ(pd->dst, in pf_test_state_icmp()
7784 &pd->hdr.icmp6.icmp6_cksum, in pf_test_state_icmp()
7787 if (nk->port[iidx] != pd->hdr.icmp6.icmp6_id) in pf_test_state_icmp()
7788 pd->hdr.icmp6.icmp6_id = in pf_test_state_icmp()
7791 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
7792 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
7797 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af); in pf_test_state_icmp()
7798 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af); in pf_test_state_icmp()
7799 pd->naf = nk->af; in pf_test_state_icmp()
7821 pd2.af = pd->af; in pf_test_state_icmp()
7822 pd2.dir = pd->dir; in pf_test_state_icmp()
7824 pd2.sidx = (pd->dir == PF_IN) ? 1 : 0; in pf_test_state_icmp()
7825 pd2.didx = (pd->dir == PF_IN) ? 0 : 1; in pf_test_state_icmp()
7826 pd2.m = pd->m; in pf_test_state_icmp()
7827 pd2.kif = pd->kif; in pf_test_state_icmp()
7828 switch (pd->af) { in pf_test_state_icmp()
7832 ipoff2 = pd->off + ICMP_MINLEN; in pf_test_state_icmp()
7834 if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2), in pf_test_state_icmp()
7862 ipoff2 = pd->off + sizeof(struct icmp6_hdr); in pf_test_state_icmp()
7864 if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6), in pf_test_state_icmp()
7883 unhandled_af(pd->af); in pf_test_state_icmp()
7886 if (PF_ANEQ(pd->dst, pd2.src, pd->af)) { in pf_test_state_icmp()
7890 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
7892 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
7916 if (!pf_pull_hdr(pd->m, pd2.off, &th, 8, NULL, reason, in pf_test_state_icmp()
7931 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
7933 if (pd->dir == (*state)->direction) { in pf_test_state_icmp()
7934 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state_icmp()
7942 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state_icmp()
7970 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
7972 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
7983 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
7985 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
7998 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
7999 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8001 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8006 afto = pd->af != nk->af; in pf_test_state_icmp()
8018 &pd->hdr.icmp)) in pf_test_state_icmp()
8020 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8022 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8023 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8025 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8028 pf_change_ap(pd->m, pd2.src, &th.th_sport, in pf_test_state_icmp()
8029 pd->ip_sum, &th.th_sum, &nk->addr[pd2.sidx], in pf_test_state_icmp()
8030 nk->port[sidx], 1, pd->af, nk->af); in pf_test_state_icmp()
8031 pf_change_ap(pd->m, pd2.dst, &th.th_dport, in pf_test_state_icmp()
8032 pd->ip_sum, &th.th_sum, &nk->addr[pd2.didx], in pf_test_state_icmp()
8033 nk->port[didx], 1, pd->af, nk->af); in pf_test_state_icmp()
8035 PF_ACPY(&pd->nsaddr, &nk->addr[pd2.sidx], in pf_test_state_icmp()
8037 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8040 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8042 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8050 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8051 pd->src->addr32[0]; in pf_test_state_icmp()
8053 pd->naf = nk->af; in pf_test_state_icmp()
8065 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8074 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8082 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8083 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8084 m_copyback(pd->m, ipoff2, sizeof(h2), in pf_test_state_icmp()
8090 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8092 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8093 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8098 unhandled_af(pd->af); in pf_test_state_icmp()
8100 m_copyback(pd->m, pd2.off, 8, (caddr_t)&th); in pf_test_state_icmp()
8109 if (!pf_pull_hdr(pd->m, pd2.off, &uh, sizeof(uh), in pf_test_state_icmp()
8124 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
8131 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8132 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8134 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8139 afto = pd->af != nk->af; in pf_test_state_icmp()
8151 &pd->hdr.icmp)) in pf_test_state_icmp()
8153 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8155 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8156 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8158 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8161 pf_change_ap(pd->m, pd2.src, &uh.uh_sport, in pf_test_state_icmp()
8162 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.sidx], in pf_test_state_icmp()
8163 nk->port[sidx], 1, pd->af, nk->af); in pf_test_state_icmp()
8164 pf_change_ap(pd->m, pd2.dst, &uh.uh_dport, in pf_test_state_icmp()
8165 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.didx], in pf_test_state_icmp()
8166 nk->port[didx], 1, pd->af, nk->af); in pf_test_state_icmp()
8169 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8171 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8174 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8176 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8184 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8185 pd->src->addr32[0]; in pf_test_state_icmp()
8187 pd->naf = nk->af; in pf_test_state_icmp()
8199 pd->ip_sum, 1, pd2.af); in pf_test_state_icmp()
8208 pd->ip_sum, 1, pd2.af); in pf_test_state_icmp()
8213 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8214 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8215 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8220 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8222 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8223 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8228 m_copyback(pd->m, pd2.off, sizeof(uh), (caddr_t)&uh); in pf_test_state_icmp()
8239 if (! pf_pull_hdr(pd->m, pd2.off, &sh, sizeof(sh), NULL, reason, in pf_test_state_icmp()
8254 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
8256 if (pd->dir == (*state)->direction) { in pf_test_state_icmp()
8257 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8262 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8281 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8282 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8284 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8289 afto = pd->af != nk->af; in pf_test_state_icmp()
8301 &pd->hdr.icmp)) in pf_test_state_icmp()
8303 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8305 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8306 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8308 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8314 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8316 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8319 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8321 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8329 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8330 pd->src->addr32[0]; in pf_test_state_icmp()
8332 pd->naf = nk->af; in pf_test_state_icmp()
8344 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8353 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8361 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8362 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8363 m_copyback(pd->m, ipoff2, sizeof(h2), in pf_test_state_icmp()
8369 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8371 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8372 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8377 m_copyback(pd->m, pd2.off, sizeof(sh), (caddr_t)&sh); in pf_test_state_icmp()
8391 if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN, in pf_test_state_icmp()
8415 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8416 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8418 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8423 afto = pd->af != nk->af; in pf_test_state_icmp()
8438 &pd->hdr.icmp)) in pf_test_state_icmp()
8440 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8442 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8443 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8445 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8448 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8456 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8458 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8466 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8467 pd->src->addr32[0]; in pf_test_state_icmp()
8468 pd->naf = nk->af; in pf_test_state_icmp()
8484 pd->ip_sum, 0, AF_INET); in pf_test_state_icmp()
8490 pd2.ip_sum, icmpsum, pd->ip_sum, 0, in pf_test_state_icmp()
8493 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); in pf_test_state_icmp()
8494 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8495 m_copyback(pd->m, pd2.off, ICMP_MINLEN, (caddr_t)iih); in pf_test_state_icmp()
8510 if (!pf_pull_hdr(pd->m, pd2.off, iih, in pf_test_state_icmp()
8541 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8542 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8544 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8549 afto = pd->af != nk->af; in pf_test_state_icmp()
8564 &pd->hdr.icmp)) in pf_test_state_icmp()
8566 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8568 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8569 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8571 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8574 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8583 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8585 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8587 pd->naf = nk->af; in pf_test_state_icmp()
8603 pd->ip_sum, 0, AF_INET6); in pf_test_state_icmp()
8610 pd->ip_sum, 0, AF_INET6); in pf_test_state_icmp()
8612 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
8613 (caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8614 m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); in pf_test_state_icmp()
8615 m_copyback(pd->m, pd2.off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
8629 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
8635 (*state)->key[pd->didx]; in pf_test_state_icmp()
8642 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8649 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8654 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8655 (caddr_t)&pd->hdr.icmp); in pf_test_state_icmp()
8656 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8661 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8663 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8664 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8772 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) in pf_route() argument
8788 SDT_PROBE4(pf, ip, route_to, entry, *m, pd, s, oifp); in pf_route()
8796 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT || in pf_route()
8800 if ((pd->pf_mtag == NULL && in pf_route()
8801 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || in pf_route()
8802 pd->pf_mtag->routed++ > 3) { in pf_route()
8809 if (pd->act.rt_kif != NULL) in pf_route()
8810 ifp = pd->act.rt_kif->pfik_ifp; in pf_route()
8812 if (pd->act.rt == PF_DUPTO) { in pf_route()
8813 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { in pf_route()
8827 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED; in pf_route()
8835 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) { in pf_route()
8836 if (pd->af == pd->naf) { in pf_route()
8837 pf_dummynet(pd, s, r, m); in pf_route()
8852 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp && in pf_route()
8853 pd->af != pd->naf) { in pf_route()
8854 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET) { in pf_route()
8858 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET6) { in pf_route()
8872 dst->sin_addr.s_addr = pd->act.rt_addr.v4.s_addr; in pf_route()
8875 if (ifp == NULL && (pd->af != pd->naf)) { in pf_route()
8903 pd->act.rt == PF_REPLYTO && in pf_route()
8905 s->kif = pd->act.rt_kif; in pf_route()
8919 if (pd->dir == PF_IN && !skip_test) { in pf_route()
8921 &pd->act) != PF_PASS) { in pf_route()
8954 if (pd->dir == PF_IN) { in pf_route()
8959 pd->dir = PF_OUT; in pf_route()
8970 tmp = pd->act.dnrpipe; in pf_route()
8971 pd->act.dnrpipe = pd->act.dnpipe; in pf_route()
8972 pd->act.dnpipe = tmp; in pf_route()
8989 error = pf_dummynet_route(pd, s, r, ifp, gw, &md); in pf_route()
9001 if (pd->act.rt != PF_DUPTO) { in pf_route()
9003 PACKET_UNDO_NAT(m0, pd, in pf_route()
9029 pd->pf_mtag = pf_find_mtag(md); in pf_route()
9030 error = pf_dummynet_route(pd, s, r, ifp, in pf_route()
9044 if (pd->act.rt != PF_DUPTO) in pf_route()
9060 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) in pf_route6() argument
9072 SDT_PROBE4(pf, ip6, route_to, entry, *m, pd, s, oifp); in pf_route6()
9080 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT || in pf_route6()
9084 if ((pd->pf_mtag == NULL && in pf_route6()
9085 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || in pf_route6()
9086 pd->pf_mtag->routed++ > 3) { in pf_route6()
9093 if (pd->act.rt_kif != NULL) in pf_route6()
9094 ifp = pd->act.rt_kif->pfik_ifp; in pf_route6()
9096 if (pd->act.rt == PF_DUPTO) { in pf_route6()
9097 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { in pf_route6()
9111 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED; in pf_route6()
9119 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) { in pf_route6()
9120 if (pd->af == pd->naf) { in pf_route6()
9121 pf_dummynet(pd, s, r, m); in pf_route6()
9136 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp && in pf_route6()
9137 pd->af != pd->naf) { in pf_route6()
9138 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET6) { in pf_route6()
9142 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET) { in pf_route6()
9155 PF_ACPY((struct pf_addr *)&dst.sin6_addr, &pd->act.rt_addr, AF_INET6); in pf_route6()
9158 if (ifp == NULL && (pd->af != pd->naf)) { in pf_route6()
9184 pd->act.rt == PF_REPLYTO && in pf_route6()
9186 s->kif = pd->act.rt_kif; in pf_route6()
9193 if (pd->af != pd->naf) { in pf_route6()
9194 struct udphdr *uh = &pd->hdr.udp; in pf_route6()
9196 if (pd->proto == IPPROTO_UDP && uh->uh_sum == 0) { in pf_route6()
9199 m_copyback(m0, pd->off, sizeof(*uh), pd->hdr.any); in pf_route6()
9210 if (pd->dir == PF_IN && !skip_test) { in pf_route6()
9212 ifp, &m0, inp, &pd->act) != PF_PASS) { in pf_route6()
9239 if (pd->dir == PF_IN) { in pf_route6()
9245 pd->dir = PF_OUT; in pf_route6()
9256 tmp = pd->act.dnrpipe; in pf_route6()
9257 pd->act.dnrpipe = pd->act.dnpipe; in pf_route6()
9258 pd->act.dnpipe = tmp; in pf_route6()
9277 pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md); in pf_route6()
9286 if (pd->act.rt != PF_DUPTO) { in pf_route6()
9288 PACKET_UNDO_NAT(m0, pd, in pf_route6()
9301 if (pd->act.rt != PF_DUPTO) in pf_route6()
9436 pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r, in pf_pdesc_to_dnflow() argument
9446 dndir = pd->dir; in pf_pdesc_to_dnflow()
9449 if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED) in pf_pdesc_to_dnflow()
9454 if (pd->dport != NULL) in pf_pdesc_to_dnflow()
9455 dnflow->f_id.dst_port = ntohs(*pd->dport); in pf_pdesc_to_dnflow()
9456 if (pd->sport != NULL) in pf_pdesc_to_dnflow()
9457 dnflow->f_id.src_port = ntohs(*pd->sport); in pf_pdesc_to_dnflow()
9459 if (pd->dir == PF_IN) in pf_pdesc_to_dnflow()
9464 if (pd->dir != dndir && pd->act.dnrpipe) { in pf_pdesc_to_dnflow()
9465 dnflow->rule.info = pd->act.dnrpipe; in pf_pdesc_to_dnflow()
9467 else if (pd->dir == dndir && pd->act.dnpipe) { in pf_pdesc_to_dnflow()
9468 dnflow->rule.info = pd->act.dnpipe; in pf_pdesc_to_dnflow()
9475 if (r->free_flags & PFRULE_DN_IS_PIPE || pd->act.flags & PFSTATE_DN_IS_PIPE) in pf_pdesc_to_dnflow()
9478 dnflow->f_id.proto = pd->proto; in pf_pdesc_to_dnflow()
9480 switch (pd->naf) { in pf_pdesc_to_dnflow()
9483 dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr); in pf_pdesc_to_dnflow()
9484 dnflow->f_id.dst_ip = ntohl(pd->dst->v4.s_addr); in pf_pdesc_to_dnflow()
9489 dnflow->f_id.src_ip6 = pd->src->v6; in pf_pdesc_to_dnflow()
9490 dnflow->f_id.dst_ip6 = pd->dst->v6; in pf_pdesc_to_dnflow()
9550 pf_dummynet(struct pf_pdesc *pd, struct pf_kstate *s, in pf_dummynet() argument
9553 return (pf_dummynet_route(pd, s, r, NULL, NULL, m0)); in pf_dummynet()
9557 pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s, in pf_dummynet_route() argument
9565 if (pd->act.dnpipe == 0 && pd->act.dnrpipe == 0) in pf_dummynet_route()
9574 if (pd->pf_mtag == NULL && in pf_dummynet_route()
9575 ((pd->pf_mtag = pf_get_mtag(*m0)) == NULL)) { in pf_dummynet_route()
9582 pd->pf_mtag->flags |= PF_MTAG_FLAG_ROUTE_TO; in pf_dummynet_route()
9584 pd->pf_mtag->if_index = ifp->if_index; in pf_dummynet_route()
9585 pd->pf_mtag->if_idxgen = ifp->if_idxgen; in pf_dummynet_route()
9591 memcpy(&pd->pf_mtag->dst, sa, in pf_dummynet_route()
9595 memcpy(&pd->pf_mtag->dst, sa, in pf_dummynet_route()
9605 (pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) || in pf_dummynet_route()
9607 (pd->af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd->dst->v6)))) { in pf_dummynet_route()
9616 if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) { in pf_dummynet_route()
9617 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET; in pf_dummynet_route()
9618 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED; in pf_dummynet_route()
9621 pd->pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; in pf_dummynet_route()
9622 pf_dummynet_flag_remove(*m0, pd->pf_mtag); in pf_dummynet_route()
9631 pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h, int off, int end, in pf_walk_option6() argument
9638 if (!pf_pull_hdr(pd->m, off, &opt.ip6o_type, in pf_walk_option6()
9647 if (!pf_pull_hdr(pd->m, off, &opt, sizeof(opt), NULL, in pf_walk_option6()
9659 if (pd->jumbolen != 0) { in pf_walk_option6()
9669 if (!pf_pull_hdr(pd->m, off, &jumbo, sizeof(jumbo), NULL, in pf_walk_option6()
9674 memcpy(&pd->jumbolen, jumbo.ip6oj_jumbo_len, in pf_walk_option6()
9675 sizeof(pd->jumbolen)); in pf_walk_option6()
9676 pd->jumbolen = ntohl(pd->jumbolen); in pf_walk_option6()
9677 if (pd->jumbolen < IPV6_MAXPACKET) { in pf_walk_option6()
9693 pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) in pf_walk_header6() argument
9701 pd->off += sizeof(struct ip6_hdr); in pf_walk_header6()
9702 end = pd->off + ntohs(h->ip6_plen); in pf_walk_header6()
9703 pd->fragoff = pd->extoff = pd->jumbolen = 0; in pf_walk_header6()
9704 pd->proto = h->ip6_nxt; in pf_walk_header6()
9706 switch (pd->proto) { in pf_walk_header6()
9714 if (pd->jumbolen != 0) { in pf_walk_header6()
9719 if (!pf_pull_hdr(pd->m, pd->off, &frag, sizeof(frag), in pf_walk_header6()
9726 pd->fragoff = pd->off; in pf_walk_header6()
9731 pd->fragoff = pd->off; in pf_walk_header6()
9732 pd->off += sizeof(frag); in pf_walk_header6()
9733 pd->proto = frag.ip6f_nxt; in pf_walk_header6()
9742 if (pd->fragoff != 0 && end < pd->off + sizeof(rthdr)) { in pf_walk_header6()
9743 pd->off = pd->fragoff; in pf_walk_header6()
9744 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
9747 if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr), in pf_walk_header6()
9761 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext), in pf_walk_header6()
9767 if (pd->fragoff != 0 && end < pd->off + sizeof(ext)) { in pf_walk_header6()
9768 pd->off = pd->fragoff; in pf_walk_header6()
9769 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
9773 if (pd->fragoff == 0) in pf_walk_header6()
9774 pd->extoff = pd->off; in pf_walk_header6()
9775 if (pd->proto == IPPROTO_HOPOPTS && pd->fragoff == 0) { in pf_walk_header6()
9776 if (pf_walk_option6(pd, h, in pf_walk_header6()
9777 pd->off + sizeof(ext), in pf_walk_header6()
9778 pd->off + (ext.ip6e_len + 1) * 8, reason) in pf_walk_header6()
9781 if (ntohs(h->ip6_plen) == 0 && pd->jumbolen != 0) { in pf_walk_header6()
9788 if (pd->proto == IPPROTO_AH) in pf_walk_header6()
9789 pd->off += (ext.ip6e_len + 2) * 4; in pf_walk_header6()
9791 pd->off += (ext.ip6e_len + 1) * 8; in pf_walk_header6()
9792 pd->proto = ext.ip6e_nxt; in pf_walk_header6()
9799 if (pd->fragoff != 0 && end < pd->off + in pf_walk_header6()
9800 (pd->proto == IPPROTO_TCP ? sizeof(struct tcphdr) : in pf_walk_header6()
9801 pd->proto == IPPROTO_UDP ? sizeof(struct udphdr) : in pf_walk_header6()
9802 pd->proto == IPPROTO_SCTP ? sizeof(struct sctphdr) : in pf_walk_header6()
9804 pd->off = pd->fragoff; in pf_walk_header6()
9805 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
9816 pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m) in pf_init_pdesc() argument
9818 memset(pd, 0, sizeof(*pd)); in pf_init_pdesc()
9819 pd->pf_mtag = pf_find_mtag(m); in pf_init_pdesc()
9820 pd->m = m; in pf_init_pdesc()
9824 pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, in pf_setup_pdesc() argument
9828 pd->dir = dir; in pf_setup_pdesc()
9829 pd->kif = kif; in pf_setup_pdesc()
9830 pd->m = *m0; in pf_setup_pdesc()
9831 pd->sidx = (dir == PF_IN) ? 0 : 1; in pf_setup_pdesc()
9832 pd->didx = (dir == PF_IN) ? 1 : 0; in pf_setup_pdesc()
9833 pd->af = pd->naf = af; in pf_setup_pdesc()
9835 TAILQ_INIT(&pd->sctp_multihome_jobs); in pf_setup_pdesc()
9837 memcpy(&pd->act, default_actions, sizeof(pd->act)); in pf_setup_pdesc()
9839 if (pd->pf_mtag && pd->pf_mtag->dnpipe) { in pf_setup_pdesc()
9840 pd->act.dnpipe = pd->pf_mtag->dnpipe; in pf_setup_pdesc()
9841 pd->act.flags = pd->pf_mtag->dnflags; in pf_setup_pdesc()
9850 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { in pf_setup_pdesc()
9858 if (pf_normalize_ip(reason, pd) != PF_PASS) { in pf_setup_pdesc()
9860 *m0 = pd->m; in pf_setup_pdesc()
9864 *m0 = pd->m; in pf_setup_pdesc()
9866 h = mtod(pd->m, struct ip *); in pf_setup_pdesc()
9867 pd->off = h->ip_hl << 2; in pf_setup_pdesc()
9868 if (pd->off < (int)sizeof(*h)) { in pf_setup_pdesc()
9873 pd->src = (struct pf_addr *)&h->ip_src; in pf_setup_pdesc()
9874 pd->dst = (struct pf_addr *)&h->ip_dst; in pf_setup_pdesc()
9875 pd->ip_sum = &h->ip_sum; in pf_setup_pdesc()
9876 pd->virtual_proto = pd->proto = h->ip_p; in pf_setup_pdesc()
9877 pd->tos = h->ip_tos & ~IPTOS_ECN_MASK; in pf_setup_pdesc()
9878 pd->ttl = h->ip_ttl; in pf_setup_pdesc()
9879 pd->tot_len = ntohs(h->ip_len); in pf_setup_pdesc()
9880 pd->act.rtableid = -1; in pf_setup_pdesc()
9881 pd->df = h->ip_off & htons(IP_DF); in pf_setup_pdesc()
9884 pd->badopts++; in pf_setup_pdesc()
9887 pd->virtual_proto = PF_VPROTO_FRAGMENT; in pf_setup_pdesc()
9897 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { in pf_setup_pdesc()
9906 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
9907 pd->off = 0; in pf_setup_pdesc()
9908 if (pf_walk_header6(pd, h, reason) != PF_PASS) { in pf_setup_pdesc()
9913 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
9914 pd->src = (struct pf_addr *)&h->ip6_src; in pf_setup_pdesc()
9915 pd->dst = (struct pf_addr *)&h->ip6_dst; in pf_setup_pdesc()
9916 pd->ip_sum = NULL; in pf_setup_pdesc()
9917 pd->tos = IPV6_DSCP(h); in pf_setup_pdesc()
9918 pd->ttl = h->ip6_hlim; in pf_setup_pdesc()
9919 pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); in pf_setup_pdesc()
9920 pd->virtual_proto = pd->proto = h->ip6_nxt; in pf_setup_pdesc()
9921 pd->act.rtableid = -1; in pf_setup_pdesc()
9923 if (pd->fragoff != 0) in pf_setup_pdesc()
9924 pd->virtual_proto = PF_VPROTO_FRAGMENT; in pf_setup_pdesc()
9936 if (pf_normalize_ip6(pd->fragoff, reason, pd) != in pf_setup_pdesc()
9938 *m0 = pd->m; in pf_setup_pdesc()
9942 *m0 = pd->m; in pf_setup_pdesc()
9943 if (pd->m == NULL) { in pf_setup_pdesc()
9950 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
9951 pd->src = (struct pf_addr *)&h->ip6_src; in pf_setup_pdesc()
9952 pd->dst = (struct pf_addr *)&h->ip6_dst; in pf_setup_pdesc()
9954 pd->off = 0; in pf_setup_pdesc()
9956 if (pf_walk_header6(pd, h, reason) != PF_PASS) { in pf_setup_pdesc()
9961 if (m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL) != NULL) { in pf_setup_pdesc()
9966 pd->virtual_proto = pd->proto; in pf_setup_pdesc()
9967 MPASS(pd->fragoff == 0); in pf_setup_pdesc()
9970 if (pd->fragoff != 0) in pf_setup_pdesc()
9971 pd->virtual_proto = PF_VPROTO_FRAGMENT; in pf_setup_pdesc()
9980 switch (pd->virtual_proto) { in pf_setup_pdesc()
9982 struct tcphdr *th = &pd->hdr.tcp; in pf_setup_pdesc()
9984 if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th), action, in pf_setup_pdesc()
9990 pd->hdrlen = sizeof(*th); in pf_setup_pdesc()
9991 pd->p_len = pd->tot_len - pd->off - (th->th_off << 2); in pf_setup_pdesc()
9992 pd->sport = &th->th_sport; in pf_setup_pdesc()
9993 pd->dport = &th->th_dport; in pf_setup_pdesc()
9994 pd->pcksum = &th->th_sum; in pf_setup_pdesc()
9998 struct udphdr *uh = &pd->hdr.udp; in pf_setup_pdesc()
10000 if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh), action, in pf_setup_pdesc()
10006 pd->hdrlen = sizeof(*uh); in pf_setup_pdesc()
10008 ntohs(uh->uh_ulen) > pd->m->m_pkthdr.len - pd->off || in pf_setup_pdesc()
10014 pd->sport = &uh->uh_sport; in pf_setup_pdesc()
10015 pd->dport = &uh->uh_dport; in pf_setup_pdesc()
10016 pd->pcksum = &uh->uh_sum; in pf_setup_pdesc()
10020 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), in pf_setup_pdesc()
10026 pd->hdrlen = sizeof(pd->hdr.sctp); in pf_setup_pdesc()
10027 pd->p_len = pd->tot_len - pd->off; in pf_setup_pdesc()
10029 pd->sport = &pd->hdr.sctp.src_port; in pf_setup_pdesc()
10030 pd->dport = &pd->hdr.sctp.dest_port; in pf_setup_pdesc()
10031 if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) { in pf_setup_pdesc()
10036 if (pf_scan_sctp(pd) != PF_PASS) { in pf_setup_pdesc()
10046 pd->pcksum = &pd->sctp_dummy_sum; in pf_setup_pdesc()
10050 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN, in pf_setup_pdesc()
10056 pd->hdrlen = ICMP_MINLEN; in pf_setup_pdesc()
10063 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, in pf_setup_pdesc()
10070 switch (pd->hdr.icmp6.icmp6_type) { in pf_setup_pdesc()
10081 !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, in pf_setup_pdesc()
10087 pd->hdrlen = icmp_hlen; in pf_setup_pdesc()
10088 pd->pcksum = &pd->hdr.icmp.icmp_cksum; in pf_setup_pdesc()
10094 if (pd->sport) in pf_setup_pdesc()
10095 pd->osport = pd->nsport = *pd->sport; in pf_setup_pdesc()
10096 if (pd->dport) in pf_setup_pdesc()
10097 pd->odport = pd->ndport = *pd->dport; in pf_setup_pdesc()
10103 pf_counters_inc(int action, struct pf_pdesc *pd, in pf_counters_inc() argument
10107 int dir = pd->dir; in pf_counters_inc()
10112 &pd->kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS], in pf_counters_inc()
10113 pd->tot_len); in pf_counters_inc()
10115 &pd->kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS], in pf_counters_inc()
10121 pf_counter_u64_add_protected(&r->bytes[dirndx], pd->tot_len); in pf_counters_inc()
10126 pf_counter_u64_add_protected(&a->bytes[dirndx], pd->tot_len); in pf_counters_inc()
10135 pd->tot_len); in pf_counters_inc()
10150 pd->tot_len); in pf_counters_inc()
10155 s->bytes[dirndx] += pd->tot_len; in pf_counters_inc()
10159 pf_counter_u64_add_protected(&ri->r->bytes[dirndx], pd->tot_len); in pf_counters_inc()
10163 (s == NULL) ? pd->src : in pf_counters_inc()
10166 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10170 (s == NULL) ? pd->dst : in pf_counters_inc()
10173 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10185 (s == NULL) ? pd->src : in pf_counters_inc()
10188 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10192 (s == NULL) ? pd->dst : in pf_counters_inc()
10195 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10201 pf_log_matches(struct pf_pdesc *pd, struct pf_krule *rm, in pf_log_matches() argument
10214 ruleset, pd, 1, ri->r); in pf_log_matches()
10228 struct pf_pdesc pd; in pf_test() local
10267 pf_init_pdesc(&pd, *m0); in pf_test()
10269 if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) { in pf_test()
10270 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; in pf_test()
10272 ifp = ifnet_byindexgen(pd.pf_mtag->if_index, in pf_test()
10273 pd.pf_mtag->if_idxgen); in pf_test()
10281 (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL); in pf_test()
10286 if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL && in pf_test()
10287 pd.pf_mtag->flags & PF_MTAG_FLAG_DUMMYNET) { in pf_test()
10294 pf_dummynet_flag_remove(pd.m, pd.pf_mtag); in pf_test()
10300 if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, in pf_test()
10303 pd.act.log |= PF_LOG_FORCE; in pf_test()
10309 pd.df && (*m0)->m_pkthdr.len > ifp->if_mtu) { in pf_test()
10333 ((mtag = m_tag_locate(pd.m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) { in pf_test()
10337 if (pd.pf_mtag == NULL && in pf_test()
10338 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
10342 pd.pf_mtag->flags |= PF_MTAG_FLAG_PACKET_LOOPED; in pf_test()
10344 if (pd.pf_mtag && pd.pf_mtag->flags & PF_MTAG_FLAG_FASTFWD_OURS_PRESENT) { in pf_test()
10345 pd.m->m_flags |= M_FASTFWD_OURS; in pf_test()
10346 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT; in pf_test()
10348 m_tag_delete(pd.m, mtag); in pf_test()
10350 mtag = m_tag_locate(pd.m, MTAG_IPFW_RULE, 0, NULL); in pf_test()
10352 m_tag_delete(pd.m, mtag); in pf_test()
10355 switch (pd.virtual_proto) { in pf_test()
10364 action = pf_test_rule(&r, &s, &pd, &a, in pf_test()
10372 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN && in pf_test()
10373 pd.dir == PF_IN && pf_synflood_check(&pd)) { in pf_test()
10374 pf_syncookie_send(&pd); in pf_test()
10379 if ((tcp_get_flags(&pd.hdr.tcp) & TH_ACK) && pd.p_len == 0) in pf_test()
10381 action = pf_normalize_tcp(&pd); in pf_test()
10384 action = pf_test_state(&s, &pd, &reason); in pf_test()
10393 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == in pf_test()
10394 TH_ACK && pf_syncookie_validate(&pd) && in pf_test()
10395 pd.dir == PF_IN) { in pf_test()
10398 msyn = pf_syncookie_recreate_syn(&pd); in pf_test()
10405 &pd.act); in pf_test()
10410 action = pf_test_state(&s, &pd, &reason); in pf_test()
10416 s->src.seqhi = ntohl(pd.hdr.tcp.th_ack) - 1; in pf_test()
10417 s->src.seqlo = ntohl(pd.hdr.tcp.th_seq) - 1; in pf_test()
10419 action = pf_synproxy(&pd, &s, &reason); in pf_test()
10422 action = pf_test_rule(&r, &s, &pd, in pf_test()
10430 action = pf_normalize_sctp(&pd); in pf_test()
10436 action = pf_test_state(&s, &pd, &reason); in pf_test()
10444 &pd, &a, &ruleset, inp); in pf_test()
10450 if (pd.virtual_proto == IPPROTO_ICMP && af != AF_INET) { in pf_test()
10457 if (pd.virtual_proto == IPPROTO_ICMPV6 && af != AF_INET6) { in pf_test()
10464 action = pf_test_state_icmp(&s, &pd, &reason); in pf_test()
10471 action = pf_test_rule(&r, &s, &pd, in pf_test()
10481 if (pd.m == NULL) in pf_test()
10484 if (action == PF_PASS && pd.badopts && in pf_test()
10488 pd.act.log = PF_LOG_FORCE; in pf_test()
10494 uint8_t log = pd.act.log; in pf_test()
10495 memcpy(&pd.act, &s->act, sizeof(struct pf_rule_actions)); in pf_test()
10496 pd.act.log |= log; in pf_test()
10502 if (tag > 0 && pf_tag_packet(&pd, tag)) { in pf_test()
10507 pf_scrub(&pd); in pf_test()
10508 if (pd.proto == IPPROTO_TCP && pd.act.max_mss) in pf_test()
10509 pf_normalize_mss(&pd); in pf_test()
10511 if (pd.act.rtableid >= 0) in pf_test()
10512 M_SETFIB(pd.m, pd.act.rtableid); in pf_test()
10514 if (pd.act.flags & PFSTATE_SETPRIO) { in pf_test()
10515 if (pd.tos & IPTOS_LOWDELAY) in pf_test()
10517 if (vlan_set_pcp(pd.m, pd.act.set_prio[use_2nd_queue])) { in pf_test()
10520 pd.act.log = PF_LOG_FORCE; in pf_test()
10527 if (action == PF_PASS && pd.act.qid) { in pf_test()
10528 if (pd.pf_mtag == NULL && in pf_test()
10529 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
10534 pd.pf_mtag->qid_hash = pf_state_hash(s); in pf_test()
10535 if (use_2nd_queue || (pd.tos & IPTOS_LOWDELAY)) in pf_test()
10536 pd.pf_mtag->qid = pd.act.pqid; in pf_test()
10538 pd.pf_mtag->qid = pd.act.qid; in pf_test()
10540 pd.pf_mtag->hdr = mtod(pd.m, void *); in pf_test()
10550 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || in pf_test()
10551 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule != NULL && in pf_test()
10554 pf_is_loopback(af, pd.dst)) in pf_test()
10555 pd.m->m_flags |= M_SKIP_FIREWALL; in pf_test()
10558 action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) { in pf_test()
10571 m_tag_prepend(pd.m, mtag); in pf_test()
10572 if (pd.m->m_flags & M_FASTFWD_OURS) { in pf_test()
10573 if (pd.pf_mtag == NULL && in pf_test()
10574 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
10577 pd.act.log = PF_LOG_FORCE; in pf_test()
10581 pd.pf_mtag->flags |= in pf_test()
10583 pd.m->m_flags &= ~M_FASTFWD_OURS; in pf_test()
10594 pd.act.log = PF_LOG_FORCE; in pf_test()
10604 if (pd.pf_mtag) in pf_test()
10605 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_PACKET_LOOPED; in pf_test()
10607 if (pd.act.log) { in pf_test()
10617 if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL) in pf_test()
10619 ruleset, &pd, (s == NULL), NULL); in pf_test()
10624 reason, ri->r, a, ruleset, &pd, 0, NULL); in pf_test()
10628 pf_counters_inc(action, &pd, s, r, a); in pf_test()
10642 if (pf_translate_af(&pd)) { in pf_test()
10643 if (!pd.m) in pf_test()
10648 *m0 = pd.m; /* pf_translate_af may change pd.m */ in pf_test()
10650 if (pd.naf == AF_INET) in pf_test()
10651 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10654 if (pd.naf == AF_INET6) in pf_test()
10655 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10662 if (pd.act.rt) { in pf_test()
10667 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10673 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10679 if (pf_dummynet(&pd, s, r, m0) != 0) { in pf_test()
10704 (mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL) in pf_test()
10708 pf_sctp_multihome_delayed(&pd, kif, s, action); in pf_test()