430 if ((pd->dir) == PF_OUT) \
437 #define PACKET_LOOPED(pd) ((pd)->pf_mtag && \ argument
438 (pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
440 #define STATE_LOOKUP(k, s, pd) \ argument
442 (s) = pf_find_state((pd->kif), (k), (pd->dir)); \
443 SDT_PROBE5(pf, ip, state, lookup, pd->kif, k, (pd->dir), pd, (s)); \
446 if (PACKET_LOOPED(pd)) \
451 BOUND_IFACE(struct pf_kstate *st, struct pf_pdesc *pd) in BOUND_IFACE() argument
453 struct pfi_kkif *k = pd->kif; in BOUND_IFACE()
465 if (st->rule->rt == PF_REPLYTO || (pd->af != pd->naf && st->direction == PF_IN)) in BOUND_IFACE()
473 if (pd->related_rule) in BOUND_IFACE()
626 pf_packet_rework_nat(struct mbuf *m, struct pf_pdesc *pd, int off, in pf_packet_rework_nat() argument
630 switch (pd->proto) { in pf_packet_rework_nat()
632 struct tcphdr *th = &pd->hdr.tcp; in pf_packet_rework_nat()
634 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) in pf_packet_rework_nat()
635 pf_change_ap(m, pd->src, &th->th_sport, pd->ip_sum, in pf_packet_rework_nat()
636 &th->th_sum, &nk->addr[pd->sidx], in pf_packet_rework_nat()
637 nk->port[pd->sidx], 0, pd->af, pd->naf); in pf_packet_rework_nat()
638 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) in pf_packet_rework_nat()
639 pf_change_ap(m, pd->dst, &th->th_dport, pd->ip_sum, in pf_packet_rework_nat()
640 &th->th_sum, &nk->addr[pd->didx], in pf_packet_rework_nat()
641 nk->port[pd->didx], 0, pd->af, pd->naf); in pf_packet_rework_nat()
646 struct udphdr *uh = &pd->hdr.udp; in pf_packet_rework_nat()
648 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) in pf_packet_rework_nat()
649 pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum, in pf_packet_rework_nat()
650 &uh->uh_sum, &nk->addr[pd->sidx], in pf_packet_rework_nat()
651 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
652 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) in pf_packet_rework_nat()
653 pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum, in pf_packet_rework_nat()
654 &uh->uh_sum, &nk->addr[pd->didx], in pf_packet_rework_nat()
655 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
660 struct sctphdr *sh = &pd->hdr.sctp; in pf_packet_rework_nat()
663 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) { in pf_packet_rework_nat()
664 pf_change_ap(m, pd->src, &sh->src_port, pd->ip_sum, in pf_packet_rework_nat()
665 &checksum, &nk->addr[pd->sidx], in pf_packet_rework_nat()
666 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
668 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) { in pf_packet_rework_nat()
669 pf_change_ap(m, pd->dst, &sh->dest_port, pd->ip_sum, in pf_packet_rework_nat()
670 &checksum, &nk->addr[pd->didx], in pf_packet_rework_nat()
671 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_packet_rework_nat()
677 struct icmp *ih = &pd->hdr.icmp; in pf_packet_rework_nat()
679 if (nk->port[pd->sidx] != ih->icmp_id) { in pf_packet_rework_nat()
680 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_packet_rework_nat()
682 nk->port[pd->sidx], 0); in pf_packet_rework_nat()
683 ih->icmp_id = nk->port[pd->sidx]; in pf_packet_rework_nat()
684 pd->sport = &ih->icmp_id; in pf_packet_rework_nat()
691 if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) { in pf_packet_rework_nat()
692 switch (pd->af) { in pf_packet_rework_nat()
694 pf_change_a(&pd->src->v4.s_addr, in pf_packet_rework_nat()
695 pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, in pf_packet_rework_nat()
699 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); in pf_packet_rework_nat()
702 unhandled_af(pd->af); in pf_packet_rework_nat()
705 if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) { in pf_packet_rework_nat()
706 switch (pd->af) { in pf_packet_rework_nat()
708 pf_change_a(&pd->dst->v4.s_addr, in pf_packet_rework_nat()
709 pd->ip_sum, nk->addr[pd->didx].v4.s_addr, in pf_packet_rework_nat()
713 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); in pf_packet_rework_nat()
716 unhandled_af(pd->af); in pf_packet_rework_nat()
1657 pf_state_key_addr_setup(struct pf_pdesc *pd, in pf_state_key_addr_setup() argument
1660 struct pf_addr *saddr = pd->src; in pf_state_key_addr_setup()
1661 struct pf_addr *daddr = pd->dst; in pf_state_key_addr_setup()
1667 if (pd->af == AF_INET || pd->proto != IPPROTO_ICMPV6) in pf_state_key_addr_setup()
1670 switch (pd->hdr.icmp6.icmp6_type) { in pf_state_key_addr_setup()
1674 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) in pf_state_key_addr_setup()
1682 if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) in pf_state_key_addr_setup()
1686 if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) { in pf_state_key_addr_setup()
1687 key->addr[pd->didx].addr32[0] = 0; in pf_state_key_addr_setup()
1688 key->addr[pd->didx].addr32[1] = 0; in pf_state_key_addr_setup()
1689 key->addr[pd->didx].addr32[2] = 0; in pf_state_key_addr_setup()
1690 key->addr[pd->didx].addr32[3] = 0; in pf_state_key_addr_setup()
1696 key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL; in pf_state_key_addr_setup()
1697 key->addr[pd->sidx].addr32[1] = 0; in pf_state_key_addr_setup()
1698 key->addr[pd->sidx].addr32[2] = 0; in pf_state_key_addr_setup()
1699 key->addr[pd->sidx].addr32[3] = IPV6_ADDR_INT32_ONE; in pf_state_key_addr_setup()
1706 PF_ACPY(&key->addr[pd->sidx], saddr, pd->af); in pf_state_key_addr_setup()
1708 PF_ACPY(&key->addr[pd->didx], daddr, pd->af); in pf_state_key_addr_setup()
1714 pf_state_key_setup(struct pf_pdesc *pd, u_int16_t sport, u_int16_t dport, in pf_state_key_setup() argument
1721 if (pf_state_key_addr_setup(pd, (struct pf_state_key_cmp *)*sk, in pf_state_key_setup()
1728 (*sk)->port[pd->sidx] = sport; in pf_state_key_setup()
1729 (*sk)->port[pd->didx] = dport; in pf_state_key_setup()
1730 (*sk)->proto = pd->proto; in pf_state_key_setup()
1731 (*sk)->af = pd->af; in pf_state_key_setup()
1740 if (pd->af != pd->naf) { in pf_state_key_setup()
1741 (*sk)->port[pd->sidx] = pd->osport; in pf_state_key_setup()
1742 (*sk)->port[pd->didx] = pd->odport; in pf_state_key_setup()
1744 (*nk)->af = pd->naf; in pf_state_key_setup()
1752 if (pd->dir == PF_IN) { in pf_state_key_setup()
1753 PF_ACPY(&(*nk)->addr[pd->didx], &pd->nsaddr, pd->naf); in pf_state_key_setup()
1754 PF_ACPY(&(*nk)->addr[pd->sidx], &pd->ndaddr, pd->naf); in pf_state_key_setup()
1755 (*nk)->port[pd->didx] = pd->nsport; in pf_state_key_setup()
1756 (*nk)->port[pd->sidx] = pd->ndport; in pf_state_key_setup()
1758 PF_ACPY(&(*nk)->addr[pd->sidx], &pd->nsaddr, pd->naf); in pf_state_key_setup()
1759 PF_ACPY(&(*nk)->addr[pd->didx], &pd->ndaddr, pd->naf); in pf_state_key_setup()
1760 (*nk)->port[pd->sidx] = pd->nsport; in pf_state_key_setup()
1761 (*nk)->port[pd->didx] = pd->ndport; in pf_state_key_setup()
1764 switch (pd->proto) { in pf_state_key_setup()
1772 (*nk)->proto = pd->proto; in pf_state_key_setup()
2192 pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type, in pf_icmp_mapping() argument
2203 switch (pd->af) { in pf_icmp_mapping()
2211 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2218 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2225 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2232 *virtual_id = pd->hdr.icmp.icmp_id; in pf_icmp_mapping()
2288 *virtual_id = pd->hdr.icmp6.icmp6_id; in pf_icmp_mapping()
2348 unhandled_af(pd->af); in pf_icmp_mapping()
3498 pf_translate_af(struct pf_pdesc *pd) in pf_translate_af() argument
3509 hlen = pd->naf == AF_INET ? sizeof(*ip4) : sizeof(*ip6); in pf_translate_af()
3512 m_adj(pd->m, pd->off); in pf_translate_af()
3515 M_PREPEND(pd->m, hlen, M_NOWAIT); in pf_translate_af()
3516 if (pd->m == NULL) in pf_translate_af()
3519 switch (pd->naf) { in pf_translate_af()
3521 ip4 = mtod(pd->m, struct ip *); in pf_translate_af()
3525 ip4->ip_tos = pd->tos; in pf_translate_af()
3526 ip4->ip_len = htons(hlen + (pd->tot_len - pd->off)); in pf_translate_af()
3528 ip4->ip_ttl = pd->ttl; in pf_translate_af()
3529 ip4->ip_p = pd->proto; in pf_translate_af()
3530 ip4->ip_src = pd->nsaddr.v4; in pf_translate_af()
3531 ip4->ip_dst = pd->ndaddr.v4; in pf_translate_af()
3532 pd->src = (struct pf_addr *)&ip4->ip_src; in pf_translate_af()
3533 pd->dst = (struct pf_addr *)&ip4->ip_dst; in pf_translate_af()
3534 pd->off = sizeof(struct ip); in pf_translate_af()
3537 ip6 = mtod(pd->m, struct ip6_hdr *); in pf_translate_af()
3540 ip6->ip6_flow |= htonl((u_int32_t)pd->tos << 20); in pf_translate_af()
3541 ip6->ip6_plen = htons(pd->tot_len - pd->off); in pf_translate_af()
3542 ip6->ip6_nxt = pd->proto; in pf_translate_af()
3543 if (!pd->ttl || pd->ttl > IPV6_DEFHLIM) in pf_translate_af()
3546 ip6->ip6_hlim = pd->ttl; in pf_translate_af()
3547 ip6->ip6_src = pd->nsaddr.v6; in pf_translate_af()
3548 ip6->ip6_dst = pd->ndaddr.v6; in pf_translate_af()
3549 pd->src = (struct pf_addr *)&ip6->ip6_src; in pf_translate_af()
3550 pd->dst = (struct pf_addr *)&ip6->ip6_dst; in pf_translate_af()
3551 pd->off = sizeof(struct ip6_hdr); in pf_translate_af()
3558 mtag = m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL); in pf_translate_af()
3571 if (pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6) { in pf_translate_af()
3573 if ((mp = m_pulldown(pd->m, hlen, sizeof(*icmp), &off)) == in pf_translate_af()
3575 pd->m = NULL; in pf_translate_af()
3580 icmp->icmp6_cksum = pd->naf == AF_INET ? in pf_translate_af()
3581 in4_cksum(pd->m, 0, hlen, ntohs(ip4->ip_len) - hlen) : in pf_translate_af()
3582 in6_cksum(pd->m, IPPROTO_ICMPV6, hlen, in pf_translate_af()
3591 pf_change_icmp_af(struct mbuf *m, int off, struct pf_pdesc *pd, in pf_change_icmp_af() argument
3663 pd->tot_len += hlen - olen; in pf_change_icmp_af()
3910 pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th, in pf_modulate_sack() argument
3920 !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) in pf_modulate_sack()
3939 pf_patch_32_unaligned(pd->m, in pf_modulate_sack()
3944 pf_patch_32_unaligned(pd->m, &th->th_sum, in pf_modulate_sack()
3963 m_copyback(pd->m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts); in pf_modulate_sack()
4109 pf_send_sctp_abort(sa_family_t af, struct pf_pdesc *pd, in pf_send_sctp_abort() argument
4124 MPASS(af == pd->af); in pf_send_sctp_abort()
4149 h->ip_src = pd->dst->v4; in pf_send_sctp_abort()
4150 h->ip_dst = pd->src->v4; in pf_send_sctp_abort()
4166 memcpy(&h6->ip6_src, &pd->dst->v6, sizeof(struct in6_addr)); in pf_send_sctp_abort()
4167 memcpy(&h6->ip6_dst, &pd->src->v6, sizeof(struct in6_addr)); in pf_send_sctp_abort()
4179 hdr->src_port = pd->hdr.sctp.dest_port; in pf_send_sctp_abort()
4180 hdr->dest_port = pd->hdr.sctp.src_port; in pf_send_sctp_abort()
4181 hdr->v_tag = pd->sctp_initiate_tag; in pf_send_sctp_abort()
4266 pf_undo_nat(struct pf_krule *nr, struct pf_pdesc *pd, uint16_t bip_sum) in pf_undo_nat() argument
4270 PF_ACPY(pd->src, &pd->osrc, pd->af); in pf_undo_nat()
4271 PF_ACPY(pd->dst, &pd->odst, pd->af); in pf_undo_nat()
4272 if (pd->sport) in pf_undo_nat()
4273 *pd->sport = pd->osport; in pf_undo_nat()
4274 if (pd->dport) in pf_undo_nat()
4275 *pd->dport = pd->odport; in pf_undo_nat()
4276 if (pd->ip_sum) in pf_undo_nat()
4277 *pd->ip_sum = bip_sum; in pf_undo_nat()
4278 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_undo_nat()
4283 pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, in pf_return() argument
4287 pf_undo_nat(nr, pd, bip_sum); in pf_return()
4289 if (pd->proto == IPPROTO_TCP && in pf_return()
4293 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; in pf_return()
4295 if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off, in pf_return()
4296 IPPROTO_TCP, pd->af)) in pf_return()
4303 pf_send_tcp(r, pd->af, pd->dst, in pf_return()
4304 pd->src, th->th_dport, th->th_sport, in pf_return()
4308 } else if (pd->proto == IPPROTO_SCTP && in pf_return()
4310 pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid); in pf_return()
4311 } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET && in pf_return()
4313 pf_send_icmp(pd->m, r->return_icmp >> 8, in pf_return()
4314 r->return_icmp & 255, pd->af, r, rtableid); in pf_return()
4315 else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 && in pf_return()
4317 pf_send_icmp(pd->m, r->return_icmp6 >> 8, in pf_return()
4318 r->return_icmp6 & 255, pd->af, r, rtableid); in pf_return()
4581 pf_tag_packet(struct pf_pdesc *pd, int tag) in pf_tag_packet() argument
4586 if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL)) in pf_tag_packet()
4589 pd->pf_mtag->tag = tag; in pf_tag_packet()
4896 pf_socket_lookup(struct pf_pdesc *pd) in pf_socket_lookup() argument
4903 pd->lookup.uid = UID_MAX; in pf_socket_lookup()
4904 pd->lookup.gid = GID_MAX; in pf_socket_lookup()
4906 switch (pd->proto) { in pf_socket_lookup()
4908 sport = pd->hdr.tcp.th_sport; in pf_socket_lookup()
4909 dport = pd->hdr.tcp.th_dport; in pf_socket_lookup()
4913 sport = pd->hdr.udp.uh_sport; in pf_socket_lookup()
4914 dport = pd->hdr.udp.uh_dport; in pf_socket_lookup()
4920 if (pd->dir == PF_IN) { in pf_socket_lookup()
4921 saddr = pd->src; in pf_socket_lookup()
4922 daddr = pd->dst; in pf_socket_lookup()
4929 saddr = pd->dst; in pf_socket_lookup()
4930 daddr = pd->src; in pf_socket_lookup()
4932 switch (pd->af) { in pf_socket_lookup()
4936 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4940 INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4949 dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4953 INPLOOKUP_RLOCKPCB, NULL, pd->m); in pf_socket_lookup()
4961 pd->lookup.uid = inp->inp_cred->cr_uid; in pf_socket_lookup()
4962 pd->lookup.gid = inp->inp_cred->cr_groups[0]; in pf_socket_lookup()
4969 pf_get_wscale(struct pf_pdesc *pd) in pf_get_wscale() argument
4971 struct tcphdr *th = &pd->hdr.tcp; in pf_get_wscale()
4980 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) in pf_get_wscale()
5010 pf_get_mss(struct pf_pdesc *pd) in pf_get_mss() argument
5012 struct tcphdr *th = &pd->hdr.tcp; in pf_get_mss()
5021 if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) in pf_get_mss()
5088 pf_tcp_iss(struct pf_pdesc *pd) in pf_tcp_iss() argument
5106 SHA512_Update(&ctx, &pd->hdr.tcp.th_sport, sizeof(u_short)); in pf_tcp_iss()
5107 SHA512_Update(&ctx, &pd->hdr.tcp.th_dport, sizeof(u_short)); in pf_tcp_iss()
5108 switch (pd->af) { in pf_tcp_iss()
5110 SHA512_Update(&ctx, &pd->src->v6, sizeof(struct in6_addr)); in pf_tcp_iss()
5111 SHA512_Update(&ctx, &pd->dst->v6, sizeof(struct in6_addr)); in pf_tcp_iss()
5114 SHA512_Update(&ctx, &pd->src->v4, sizeof(struct in_addr)); in pf_tcp_iss()
5115 SHA512_Update(&ctx, &pd->dst->v4, sizeof(struct in_addr)); in pf_tcp_iss()
5466 struct pf_pdesc *pd, struct pf_krule **am, in pf_test_rule() argument
5474 struct tcphdr *th = &pd->hdr.tcp; in pf_test_rule()
5491 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5492 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5498 pd->lookup.uid = inp->inp_cred->cr_uid; in pf_test_rule()
5499 pd->lookup.gid = inp->inp_cred->cr_groups[0]; in pf_test_rule()
5500 pd->lookup.done = 1; in pf_test_rule()
5503 switch (pd->virtual_proto) { in pf_test_rule()
5505 pd->nsport = th->th_sport; in pf_test_rule()
5506 pd->ndport = th->th_dport; in pf_test_rule()
5509 pd->nsport = pd->hdr.udp.uh_sport; in pf_test_rule()
5510 pd->ndport = pd->hdr.udp.uh_dport; in pf_test_rule()
5513 pd->nsport = pd->hdr.sctp.src_port; in pf_test_rule()
5514 pd->ndport = pd->hdr.sctp.dest_port; in pf_test_rule()
5518 MPASS(pd->af == AF_INET); in pf_test_rule()
5519 icmptype = pd->hdr.icmp.icmp_type; in pf_test_rule()
5520 icmpcode = pd->hdr.icmp.icmp_code; in pf_test_rule()
5521 state_icmp = pf_icmp_mapping(pd, icmptype, in pf_test_rule()
5524 pd->nsport = virtual_id; in pf_test_rule()
5525 pd->ndport = virtual_type; in pf_test_rule()
5527 pd->nsport = virtual_type; in pf_test_rule()
5528 pd->ndport = virtual_id; in pf_test_rule()
5534 MPASS(pd->af == AF_INET6); in pf_test_rule()
5535 icmptype = pd->hdr.icmp6.icmp6_type; in pf_test_rule()
5536 icmpcode = pd->hdr.icmp6.icmp6_code; in pf_test_rule()
5537 state_icmp = pf_icmp_mapping(pd, icmptype, in pf_test_rule()
5540 pd->nsport = virtual_id; in pf_test_rule()
5541 pd->ndport = virtual_type; in pf_test_rule()
5543 pd->nsport = virtual_type; in pf_test_rule()
5544 pd->ndport = virtual_id; in pf_test_rule()
5550 pd->nsport = pd->ndport = 0; in pf_test_rule()
5553 pd->osport = pd->nsport; in pf_test_rule()
5554 pd->odport = pd->ndport; in pf_test_rule()
5559 transerror = pf_get_translation(pd, pd->off, &sk, &nk, anchor_stack, in pf_test_rule()
5575 ruleset, pd, 1, NULL); in pf_test_rule()
5578 if (pd->ip_sum) in pf_test_rule()
5579 bip_sum = *pd->ip_sum; in pf_test_rule()
5581 switch (pd->proto) { in pf_test_rule()
5585 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_test_rule()
5586 nk->port[pd->sidx] != pd->nsport) { in pf_test_rule()
5587 pf_change_ap(pd->m, pd->src, &th->th_sport, in pf_test_rule()
5588 pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx], in pf_test_rule()
5589 nk->port[pd->sidx], 0, pd->af, pd->naf); in pf_test_rule()
5590 pd->sport = &th->th_sport; in pf_test_rule()
5591 pd->nsport = th->th_sport; in pf_test_rule()
5592 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5595 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_test_rule()
5596 nk->port[pd->didx] != pd->ndport) { in pf_test_rule()
5597 pf_change_ap(pd->m, pd->dst, &th->th_dport, in pf_test_rule()
5598 pd->ip_sum, &th->th_sum, &nk->addr[pd->didx], in pf_test_rule()
5599 nk->port[pd->didx], 0, pd->af, pd->naf); in pf_test_rule()
5600 pd->dport = &th->th_dport; in pf_test_rule()
5601 pd->ndport = th->th_dport; in pf_test_rule()
5602 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5607 bproto_sum = pd->hdr.udp.uh_sum; in pf_test_rule()
5609 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_test_rule()
5610 nk->port[pd->sidx] != pd->nsport) { in pf_test_rule()
5611 pf_change_ap(pd->m, pd->src, in pf_test_rule()
5612 &pd->hdr.udp.uh_sport, in pf_test_rule()
5613 pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_test_rule()
5614 &nk->addr[pd->sidx], in pf_test_rule()
5615 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_test_rule()
5616 pd->sport = &pd->hdr.udp.uh_sport; in pf_test_rule()
5617 pd->nsport = pd->hdr.udp.uh_sport; in pf_test_rule()
5618 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5621 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_test_rule()
5622 nk->port[pd->didx] != pd->ndport) { in pf_test_rule()
5623 pf_change_ap(pd->m, pd->dst, in pf_test_rule()
5624 &pd->hdr.udp.uh_dport, in pf_test_rule()
5625 pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_test_rule()
5626 &nk->addr[pd->didx], in pf_test_rule()
5627 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_test_rule()
5628 pd->dport = &pd->hdr.udp.uh_dport; in pf_test_rule()
5629 pd->ndport = pd->hdr.udp.uh_dport; in pf_test_rule()
5630 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5637 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], pd->af) || in pf_test_rule()
5638 nk->port[pd->sidx] != pd->nsport) { in pf_test_rule()
5639 pf_change_ap(pd->m, pd->src, in pf_test_rule()
5640 &pd->hdr.sctp.src_port, pd->ip_sum, &checksum, in pf_test_rule()
5641 &nk->addr[pd->sidx], in pf_test_rule()
5642 nk->port[pd->sidx], 1, pd->af, pd->naf); in pf_test_rule()
5643 pd->sport = &pd->hdr.sctp.src_port; in pf_test_rule()
5644 pd->nsport = pd->hdr.sctp.src_port; in pf_test_rule()
5645 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5647 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], pd->af) || in pf_test_rule()
5648 nk->port[pd->didx] != pd->ndport) { in pf_test_rule()
5649 pf_change_ap(pd->m, pd->dst, in pf_test_rule()
5650 &pd->hdr.sctp.dest_port, pd->ip_sum, &checksum, in pf_test_rule()
5651 &nk->addr[pd->didx], in pf_test_rule()
5652 nk->port[pd->didx], 1, pd->af, pd->naf); in pf_test_rule()
5653 pd->dport = &pd->hdr.sctp.dest_port; in pf_test_rule()
5654 pd->ndport = pd->hdr.sctp.dest_port; in pf_test_rule()
5655 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5661 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET)) { in pf_test_rule()
5662 pf_change_a(&pd->src->v4.s_addr, pd->ip_sum, in pf_test_rule()
5663 nk->addr[pd->sidx].v4.s_addr, 0); in pf_test_rule()
5664 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5667 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET)) { in pf_test_rule()
5668 pf_change_a(&pd->dst->v4.s_addr, pd->ip_sum, in pf_test_rule()
5669 nk->addr[pd->didx].v4.s_addr, 0); in pf_test_rule()
5670 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5674 nk->port[pd->sidx] != pd->hdr.icmp.icmp_id) { in pf_test_rule()
5675 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_test_rule()
5676 pd->hdr.icmp.icmp_cksum, pd->nsport, in pf_test_rule()
5677 nk->port[pd->sidx], 0); in pf_test_rule()
5678 pd->hdr.icmp.icmp_id = nk->port[pd->sidx]; in pf_test_rule()
5679 pd->sport = &pd->hdr.icmp.icmp_id; in pf_test_rule()
5681 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); in pf_test_rule()
5686 if (PF_ANEQ(&pd->nsaddr, &nk->addr[pd->sidx], AF_INET6)) { in pf_test_rule()
5687 pf_change_a6(pd->src, &pd->hdr.icmp6.icmp6_cksum, in pf_test_rule()
5688 &nk->addr[pd->sidx], 0); in pf_test_rule()
5689 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5692 if (PF_ANEQ(&pd->ndaddr, &nk->addr[pd->didx], AF_INET6)) { in pf_test_rule()
5693 pf_change_a6(pd->dst, &pd->hdr.icmp6.icmp6_cksum, in pf_test_rule()
5694 &nk->addr[pd->didx], 0); in pf_test_rule()
5695 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5701 switch (pd->af) { in pf_test_rule()
5704 if (PF_ANEQ(&pd->nsaddr, in pf_test_rule()
5705 &nk->addr[pd->sidx], AF_INET)) { in pf_test_rule()
5706 pf_change_a(&pd->src->v4.s_addr, in pf_test_rule()
5707 pd->ip_sum, in pf_test_rule()
5708 nk->addr[pd->sidx].v4.s_addr, 0); in pf_test_rule()
5709 PF_ACPY(&pd->nsaddr, pd->src, pd->af); in pf_test_rule()
5712 if (PF_ANEQ(&pd->ndaddr, in pf_test_rule()
5713 &nk->addr[pd->didx], AF_INET)) { in pf_test_rule()
5714 pf_change_a(&pd->dst->v4.s_addr, in pf_test_rule()
5715 pd->ip_sum, in pf_test_rule()
5716 nk->addr[pd->didx].v4.s_addr, 0); in pf_test_rule()
5717 PF_ACPY(&pd->ndaddr, pd->dst, pd->af); in pf_test_rule()
5723 if (PF_ANEQ(&pd->nsaddr, in pf_test_rule()
5724 &nk->addr[pd->sidx], AF_INET6)) { in pf_test_rule()
5725 PF_ACPY(&pd->nsaddr, &nk->addr[pd->sidx], pd->af); in pf_test_rule()
5726 PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); in pf_test_rule()
5729 if (PF_ANEQ(&pd->ndaddr, in pf_test_rule()
5730 &nk->addr[pd->didx], AF_INET6)) { in pf_test_rule()
5731 PF_ACPY(&pd->ndaddr, &nk->addr[pd->didx], pd->af); in pf_test_rule()
5732 PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); in pf_test_rule()
5744 if (pd->related_rule) { in pf_test_rule()
5745 *rm = pd->related_rule; in pf_test_rule()
5749 PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot, in pf_test_rule()
5751 PF_TEST_ATTRIB(r->direction && r->direction != pd->dir, in pf_test_rule()
5753 PF_TEST_ATTRIB(r->af && r->af != pd->af, in pf_test_rule()
5755 PF_TEST_ATTRIB(r->proto && r->proto != pd->proto, in pf_test_rule()
5757 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, pd->naf, in pf_test_rule()
5758 r->src.neg, pd->kif, M_GETFIB(pd->m)), in pf_test_rule()
5760 PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, pd->af, in pf_test_rule()
5761 r->dst.neg, NULL, M_GETFIB(pd->m)), in pf_test_rule()
5763 switch (pd->virtual_proto) { in pf_test_rule()
5768 PF_TEST_ATTRIB((pd->proto == IPPROTO_TCP && r->flagset), in pf_test_rule()
5786 r->src.port[0], r->src.port[1], pd->nsport), in pf_test_rule()
5790 r->dst.port[0], r->dst.port[1], pd->ndport), in pf_test_rule()
5793 PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done = in pf_test_rule()
5794 pf_socket_lookup(pd), 1)) && in pf_test_rule()
5796 pd->lookup.uid), in pf_test_rule()
5799 PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done = in pf_test_rule()
5800 pf_socket_lookup(pd), 1)) && in pf_test_rule()
5802 pd->lookup.gid), in pf_test_rule()
5819 PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos), in pf_test_rule()
5822 !pf_match_ieee8021q_pcp(r->prio, pd->m), in pf_test_rule()
5827 PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag, in pf_test_rule()
5828 pd->pf_mtag ? pd->pf_mtag->tag : 0), in pf_test_rule()
5830 PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(pd->m, r) == in pf_test_rule()
5834 pd->virtual_proto != PF_VPROTO_FRAGMENT), in pf_test_rule()
5837 (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match( in pf_test_rule()
5838 pf_osfp_fingerprint(pd, th), in pf_test_rule()
5854 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1); in pf_test_rule()
5855 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len); in pf_test_rule()
5857 pf_rule_to_actions(r, &pd->act); in pf_test_rule()
5859 pd->naf = r->naf; in pf_test_rule()
5860 if (pd->af != pd->naf) { in pf_test_rule()
5861 if (pf_get_transaddr_af(r, pd) == -1) { in pf_test_rule()
5868 a, ruleset, pd, 1, NULL); in pf_test_rule()
5875 if (pd->act.log & PF_LOG_MATCHES) in pf_test_rule()
5876 pf_log_matches(pd, r, a, ruleset, &match_rules); in pf_test_rule()
5895 pf_rule_to_actions(r, &pd->act); in pf_test_rule()
5897 pd->naf = r->naf; in pf_test_rule()
5898 if (pd->af != pd->naf) { in pf_test_rule()
5899 if (pf_get_transaddr_af(r, pd) == -1) { in pf_test_rule()
5907 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_rule()
5908 PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1, NULL); in pf_test_rule()
5910 if (pd->act.log & PF_LOG_MATCHES) in pf_test_rule()
5911 pf_log_matches(pd, r, a, ruleset, &match_rules); in pf_test_rule()
5912 if (pd->virtual_proto != PF_VPROTO_FRAGMENT && in pf_test_rule()
5917 pf_return(r, nr, pd, th, bproto_sum, in pf_test_rule()
5924 if (tag > 0 && pf_tag_packet(pd, tag)) { in pf_test_rule()
5928 if (pd->act.rtableid >= 0) in pf_test_rule()
5929 M_SETFIB(pd->m, pd->act.rtableid); in pf_test_rule()
5944 pd->act.rt = r->rt; in pf_test_rule()
5946 reason = pf_map_addr_sn(pd->af, r, pd->src, &pd->act.rt_addr, in pf_test_rule()
5947 &pd->act.rt_kif, NULL, &sn, &snh, pool, PF_SN_ROUTE); in pf_test_rule()
5952 if (pd->virtual_proto != PF_VPROTO_FRAGMENT && in pf_test_rule()
5954 (pd->flags & PFDESC_TCP_NORM)))) { in pf_test_rule()
5957 action = pf_create_state(r, nr, a, pd, nk, sk, in pf_test_rule()
5963 pd->act.log |= PF_LOG_FORCE; in pf_test_rule()
5966 pf_return(r, nr, pd, th, in pf_test_rule()
5968 pd->act.rtableid); in pf_test_rule()
5972 nat64 = pd->af != pd->naf; in pf_test_rule()
5977 sk = (*sm)->key[pd->dir == PF_IN ? PF_SK_STACK : PF_SK_WIRE]; in pf_test_rule()
5979 nk = (*sm)->key[pd->dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK]; in pf_test_rule()
5981 if (pd->dir == PF_IN) { in pf_test_rule()
5982 ret = pf_translate(pd, &sk->addr[pd->didx], in pf_test_rule()
5983 sk->port[pd->didx], &sk->addr[pd->sidx], in pf_test_rule()
5984 sk->port[pd->sidx], virtual_type, in pf_test_rule()
5987 ret = pf_translate(pd, &sk->addr[pd->sidx], in pf_test_rule()
5988 sk->port[pd->sidx], &sk->addr[pd->didx], in pf_test_rule()
5989 sk->port[pd->didx], virtual_type, in pf_test_rule()
6015 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_rule()
6018 pd->dir == PF_OUT && in pf_test_rule()
6019 V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m)) in pf_test_rule()
6045 struct pf_pdesc *pd, struct pf_state_key *nk, struct pf_state_key *sk, in pf_create_state() argument
6058 struct tcphdr *th = &pd->hdr.tcp; in pf_create_state()
6073 (sn_reason = pf_insert_src_node(sns, snhs, r, pd->src, pd->af, in pf_create_state()
6082 (sn_reason = pf_insert_src_node(sns, snhs, r, pd->src, pd->af, in pf_create_state()
6083 &pd->act.rt_addr, pd->act.rt_kif, PF_SN_ROUTE)) != 0) { in pf_create_state()
6089 (sn_reason = pf_insert_src_node(sns, snhs, nr, &sk->addr[pd->sidx], in pf_create_state()
6090 pd->af, &nk->addr[1], NULL, PF_SN_NAT)) != 0 ) { in pf_create_state()
6103 memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions)); in pf_create_state()
6109 if (pd->flags & PFDESC_TCP_NORM) /* Set by old-style scrub rules */ in pf_create_state()
6115 s->act.log = pd->act.log & PF_LOG_ALL; in pf_create_state()
6117 s->state_flags |= pd->act.flags; /* Only needed for pfsync and state export */ in pf_create_state()
6121 switch (pd->proto) { in pf_create_state()
6124 s->src.seqhi = s->src.seqlo + pd->p_len + 1; in pf_create_state()
6128 if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == in pf_create_state()
6131 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, in pf_create_state()
6138 s->src.wscale = pf_get_wscale(pd); in pf_create_state()
6181 if (pd->proto == IPPROTO_TCP) { in pf_create_state()
6183 pf_normalize_tcp_init(pd, th, &s->src, &s->dst)) { in pf_create_state()
6188 pf_normalize_tcp_stateful(pd, &reason, th, s, in pf_create_state()
6196 } else if (pd->proto == IPPROTO_SCTP) { in pf_create_state()
6197 if (pf_normalize_sctp_init(pd, &s->src, &s->dst)) in pf_create_state()
6199 if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP))) in pf_create_state()
6202 s->direction = pd->dir; in pf_create_state()
6210 MPASS(pd->sport == NULL || (pd->osport == *pd->sport)); in pf_create_state()
6211 MPASS(pd->dport == NULL || (pd->odport == *pd->dport)); in pf_create_state()
6212 if (pf_state_key_setup(pd, pd->nsport, pd->ndport, &sk, &nk)) { in pf_create_state()
6220 if (pf_state_insert(BOUND_IFACE(s, pd), pd->kif, in pf_create_state()
6221 (pd->dir == PF_IN) ? sk : nk, in pf_create_state()
6222 (pd->dir == PF_IN) ? nk : sk, s)) { in pf_create_state()
6243 if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) == in pf_create_state()
6246 pf_undo_nat(nr, pd, bip_sum); in pf_create_state()
6249 int rtid = M_GETFIB(pd->m); in pf_create_state()
6250 mss = pf_get_mss(pd); in pf_create_state()
6251 mss = pf_calc_mss(pd->src, pd->af, rtid, mss); in pf_create_state()
6252 mss = pf_calc_mss(pd->dst, pd->af, rtid, mss); in pf_create_state()
6254 pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport, in pf_create_state()
6257 pd->act.rtableid); in pf_create_state()
6299 pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport, in pf_translate() argument
6314 int afto = pd->af != pd->naf; in pf_translate()
6318 switch (pd->proto) { in pf_translate()
6320 if (afto || *pd->sport != sport) { in pf_translate()
6321 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.tcp.th_sum, in pf_translate()
6322 saddr, sport, 0, pd->af, pd->naf); in pf_translate()
6325 if (afto || *pd->dport != dport) { in pf_translate()
6326 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.tcp.th_sum, in pf_translate()
6327 daddr, dport, 0, pd->af, pd->naf); in pf_translate()
6333 if (afto || *pd->sport != sport) { in pf_translate()
6334 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_translate()
6335 saddr, sport, 1, pd->af, pd->naf); in pf_translate()
6338 if (afto || *pd->dport != dport) { in pf_translate()
6339 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &pd->hdr.udp.uh_sum, in pf_translate()
6340 daddr, dport, 1, pd->af, pd->naf); in pf_translate()
6347 if (afto || *pd->sport != sport) { in pf_translate()
6348 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, &checksum, in pf_translate()
6349 saddr, sport, 1, pd->af, pd->naf); in pf_translate()
6352 if (afto || *pd->dport != dport) { in pf_translate()
6353 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, &checksum, in pf_translate()
6354 daddr, dport, 1, pd->af, pd->naf); in pf_translate()
6363 if (pd->af != AF_INET) in pf_translate()
6367 if (pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp)) in pf_translate()
6369 pd->proto = IPPROTO_ICMPV6; in pf_translate()
6375 if (icmpid != pd->hdr.icmp.icmp_id) { in pf_translate()
6376 pd->hdr.icmp.icmp_cksum = pf_cksum_fixup( in pf_translate()
6377 pd->hdr.icmp.icmp_cksum, in pf_translate()
6378 pd->hdr.icmp.icmp_id, icmpid, 0); in pf_translate()
6379 pd->hdr.icmp.icmp_id = icmpid; in pf_translate()
6390 if (pd->af != AF_INET6) in pf_translate()
6395 if (pf_translate_icmp_af(AF_INET, &pd->hdr.icmp6)) in pf_translate()
6397 pd->proto = IPPROTO_ICMP; in pf_translate()
6411 pf_tcp_track_full(struct pf_kstate *state, struct pf_pdesc *pd, in pf_tcp_track_full() argument
6415 struct tcphdr *th = &pd->hdr.tcp; in pf_tcp_track_full()
6439 if (pf_normalize_tcp_init(pd, th, src, dst)) { in pf_tcp_track_full()
6451 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + in pf_tcp_track_full()
6453 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); in pf_tcp_track_full()
6459 end = seq + pd->p_len; in pf_tcp_track_full()
6463 src->wscale = pf_get_wscale(pd); in pf_tcp_track_full()
6504 pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + in pf_tcp_track_full()
6506 pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); in pf_tcp_track_full()
6509 end = seq + pd->p_len; in pf_tcp_track_full()
6552 if (pf_modulate_sack(pd, th, dst)) in pf_tcp_track_full()
6570 if (pf_normalize_tcp_stateful(pd, reason, th, in pf_tcp_track_full()
6663 pd->p_len, ackskew, (unsigned long long)state->packets[0], in pf_tcp_track_full()
6665 pd->dir == PF_IN ? "in" : "out", in pf_tcp_track_full()
6666 pd->dir == state->direction ? "fwd" : "rev"); in pf_tcp_track_full()
6670 if (pf_normalize_tcp_stateful(pd, reason, th, in pf_tcp_track_full()
6703 pf_send_tcp(state->rule, pd->af, in pf_tcp_track_full()
6704 pd->dst, pd->src, th->th_dport, in pf_tcp_track_full()
6718 seq, orig_seq, ack, pd->p_len, ackskew, in pf_tcp_track_full()
6721 pd->dir == PF_IN ? "in" : "out", in pf_tcp_track_full()
6722 pd->dir == state->direction ? "fwd" : "rev"); in pf_tcp_track_full()
6740 pf_tcp_track_sloppy(struct pf_kstate *state, struct pf_pdesc *pd, in pf_tcp_track_sloppy() argument
6744 struct tcphdr *th = &pd->hdr.tcp; in pf_tcp_track_sloppy()
6814 pf_synproxy(struct pf_pdesc *pd, struct pf_kstate *state, u_short *reason) in pf_synproxy() argument
6816 struct pf_state_key *sk = state->key[pd->didx]; in pf_synproxy()
6817 struct tcphdr *th = &pd->hdr.tcp; in pf_synproxy()
6820 if (pd->dir != state->direction) { in pf_synproxy()
6829 pf_send_tcp(state->rule, pd->af, pd->dst, in pf_synproxy()
6830 pd->src, th->th_dport, th->th_sport, in pf_synproxy()
6850 if (pd->dir == state->direction) { in pf_synproxy()
6860 pf_send_tcp(state->rule, pd->af, in pf_synproxy()
6861 &sk->addr[pd->sidx], &sk->addr[pd->didx], in pf_synproxy()
6862 sk->port[pd->sidx], sk->port[pd->didx], in pf_synproxy()
6877 pf_send_tcp(state->rule, pd->af, pd->dst, in pf_synproxy()
6878 pd->src, th->th_dport, th->th_sport, in pf_synproxy()
6882 pf_send_tcp(state->rule, pd->af, in pf_synproxy()
6883 &sk->addr[pd->sidx], &sk->addr[pd->didx], in pf_synproxy()
6884 sk->port[pd->sidx], sk->port[pd->didx], in pf_synproxy()
6908 pf_test_state(struct pf_kstate **state, struct pf_pdesc *pd, u_short *reason) in pf_test_state() argument
6917 key.af = pd->af; in pf_test_state()
6918 key.proto = pd->virtual_proto; in pf_test_state()
6919 PF_ACPY(&key.addr[pd->sidx], pd->src, key.af); in pf_test_state()
6920 PF_ACPY(&key.addr[pd->didx], pd->dst, key.af); in pf_test_state()
6921 key.port[pd->sidx] = pd->osport; in pf_test_state()
6922 key.port[pd->didx] = pd->odport; in pf_test_state()
6924 STATE_LOOKUP(&key, *state, pd); in pf_test_state()
6926 if (pd->dir == (*state)->direction) { in pf_test_state()
6927 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state()
6939 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state()
6952 switch (pd->virtual_proto) { in pf_test_state()
6954 struct tcphdr *th = &pd->hdr.tcp; in pf_test_state()
6956 if ((action = pf_synproxy(pd, *state, reason)) != PF_PASS) in pf_test_state()
6962 pf_syncookie_check(pd) && pd->dir == PF_IN))) { in pf_test_state()
6976 if (pf_tcp_track_sloppy(*state, pd, reason, src, dst, in pf_test_state()
6982 ret = pf_tcp_track_full(*state, pd, reason, in pf_test_state()
7006 pd->sctp_flags & PFDESC_SCTP_INIT) { in pf_test_state()
7013 if (pf_sctp_track(*state, pd, reason) != PF_PASS) in pf_test_state()
7017 if (pd->sctp_flags & PFDESC_SCTP_INIT) { in pf_test_state()
7023 if (pd->sctp_flags & PFDESC_SCTP_INIT_ACK) { in pf_test_state()
7026 dst->scrub->pfss_v_tag = pd->sctp_initiate_tag; in pf_test_state()
7036 (*state)->kif = pd->kif; in pf_test_state()
7038 if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) { in pf_test_state()
7044 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | in pf_test_state()
7051 if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE | PFDESC_SCTP_ABORT)) { in pf_test_state()
7079 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state()
7080 nk = (*state)->key[pd->sidx]; in pf_test_state()
7082 nk = (*state)->key[pd->didx]; in pf_test_state()
7084 afto = pd->af != nk->af; in pf_test_state()
7087 sidx = pd->didx; in pf_test_state()
7088 didx = pd->sidx; in pf_test_state()
7090 sidx = pd->sidx; in pf_test_state()
7091 didx = pd->didx; in pf_test_state()
7094 if (afto || PF_ANEQ(pd->src, &nk->addr[sidx], pd->af) || in pf_test_state()
7095 nk->port[sidx] != pd->osport) in pf_test_state()
7096 pf_change_ap(pd->m, pd->src, pd->sport, pd->ip_sum, in pf_test_state()
7097 pd->pcksum, &nk->addr[sidx], in pf_test_state()
7098 nk->port[sidx], pd->virtual_proto == IPPROTO_UDP, in pf_test_state()
7099 pd->af, nk->af); in pf_test_state()
7101 if (afto || PF_ANEQ(pd->dst, &nk->addr[didx], pd->af) || in pf_test_state()
7102 nk->port[didx] != pd->odport) in pf_test_state()
7103 pf_change_ap(pd->m, pd->dst, pd->dport, pd->ip_sum, in pf_test_state()
7104 pd->pcksum, &nk->addr[didx], in pf_test_state()
7105 nk->port[didx], pd->virtual_proto == IPPROTO_UDP, in pf_test_state()
7106 pd->af, nk->af); in pf_test_state()
7109 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af); in pf_test_state()
7110 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af); in pf_test_state()
7111 pd->naf = nk->af; in pf_test_state()
7118 if (copyback && pd->hdrlen > 0) in pf_test_state()
7119 m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); in pf_test_state()
7125 pf_sctp_track(struct pf_kstate *state, struct pf_pdesc *pd, in pf_sctp_track() argument
7129 if (pd->dir == state->direction) { in pf_sctp_track()
7130 if (PF_REVERSED_KEY(state, pd->af)) in pf_sctp_track()
7135 if (PF_REVERSED_KEY(state, pd->af)) in pf_sctp_track()
7143 src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag; in pf_sctp_track()
7144 else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag) in pf_sctp_track()
7211 pf_sctp_multihome_add_addr(struct pf_pdesc *pd, struct pf_addr *a, uint32_t v_tag) in pf_sctp_multihome_add_addr() argument
7237 if (pf_addr_cmp(&i->addr, a, pd->af) == 0) { in pf_sctp_multihome_add_addr()
7249 i->af = pd->af; in pf_sctp_multihome_add_addr()
7258 pf_sctp_multihome_delayed(struct pf_pdesc *pd, struct pfi_kkif *kif, in pf_sctp_multihome_delayed() argument
7273 TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) { in pf_sctp_multihome_delayed()
7278 MPASS(! (pd->sctp_flags & PFDESC_SCTP_ADD_IP)); in pf_sctp_multihome_delayed()
7282 uint32_t v_tag = pd->sctp_initiate_tag; in pf_sctp_multihome_delayed()
7285 if (s->direction == pd->dir) in pf_sctp_multihome_delayed()
7297 if (pf_addr_cmp(&j->src, pd->src, pd->af) == 0) { in pf_sctp_multihome_delayed()
7301 j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP; in pf_sctp_multihome_delayed()
7305 j->pd.related_rule = s->rule; in pf_sctp_multihome_delayed()
7308 &j->pd, &ra, &rs, NULL); in pf_sctp_multihome_delayed()
7310 SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->pd.m, ret); in pf_sctp_multihome_delayed()
7327 pf_sctp_multihome_add_addr(pd, &j->src, v_tag); in pf_sctp_multihome_delayed()
7337 .v_tag = pd->hdr.sctp.v_tag, in pf_sctp_multihome_delayed()
7353 if (i->af != pd->af) in pf_sctp_multihome_delayed()
7360 memcpy(&nj->pd, &j->pd, sizeof(j->pd)); in pf_sctp_multihome_delayed()
7362 nj->pd.src = &nj->src; in pf_sctp_multihome_delayed()
7365 nj->pd.dst = &nj->dst; in pf_sctp_multihome_delayed()
7366 nj->pd.m = j->pd.m; in pf_sctp_multihome_delayed()
7369 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, nj, next); in pf_sctp_multihome_delayed()
7380 key.af = j->pd.af; in pf_sctp_multihome_delayed()
7382 if (j->pd.dir == PF_IN) { /* wire side, straight */ in pf_sctp_multihome_delayed()
7383 PF_ACPY(&key.addr[0], j->pd.src, key.af); in pf_sctp_multihome_delayed()
7384 PF_ACPY(&key.addr[1], j->pd.dst, key.af); in pf_sctp_multihome_delayed()
7385 key.port[0] = j->pd.hdr.sctp.src_port; in pf_sctp_multihome_delayed()
7386 key.port[1] = j->pd.hdr.sctp.dest_port; in pf_sctp_multihome_delayed()
7388 PF_ACPY(&key.addr[1], j->pd.src, key.af); in pf_sctp_multihome_delayed()
7389 PF_ACPY(&key.addr[0], j->pd.dst, key.af); in pf_sctp_multihome_delayed()
7390 key.port[1] = j->pd.hdr.sctp.src_port; in pf_sctp_multihome_delayed()
7391 key.port[0] = j->pd.hdr.sctp.dest_port; in pf_sctp_multihome_delayed()
7394 sm = pf_find_state(kif, &key, j->pd.dir); in pf_sctp_multihome_delayed()
7397 if (j->pd.dir == sm->direction) { in pf_sctp_multihome_delayed()
7413 TAILQ_REMOVE(&pd->sctp_multihome_jobs, j, next); in pf_sctp_multihome_delayed()
7418 if (! TAILQ_EMPTY(&pd->sctp_multihome_jobs)) { in pf_sctp_multihome_delayed()
7425 pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op) in pf_multihome_scan() argument
7430 SDT_PROBE4(pf, sctp, multihome_scan, entry, start, len, pd, op); in pf_multihome_scan()
7435 if (!pf_pull_hdr(pd->m, start + off, &h, sizeof(h), NULL, NULL, in pf_multihome_scan()
7436 pd->af)) in pf_multihome_scan()
7454 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), in pf_multihome_scan()
7455 NULL, NULL, pd->af)) in pf_multihome_scan()
7459 t.s_addr = pd->src->v4.s_addr; in pf_multihome_scan()
7477 memcpy(&job->pd, pd, sizeof(*pd)); in pf_multihome_scan()
7481 job->pd.src = &job->src; in pf_multihome_scan()
7482 memcpy(&job->dst, pd->dst, sizeof(job->dst)); in pf_multihome_scan()
7483 job->pd.dst = &job->dst; in pf_multihome_scan()
7484 job->pd.m = pd->m; in pf_multihome_scan()
7487 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); in pf_multihome_scan()
7498 if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), in pf_multihome_scan()
7499 NULL, NULL, pd->af)) in pf_multihome_scan()
7501 if (memcmp(&t, &pd->src->v6, sizeof(t)) == 0) in pf_multihome_scan()
7504 memcpy(&t, &pd->src->v6, sizeof(t)); in pf_multihome_scan()
7512 memcpy(&job->pd, pd, sizeof(*pd)); in pf_multihome_scan()
7514 job->pd.src = &job->src; in pf_multihome_scan()
7515 memcpy(&job->dst, pd->dst, sizeof(job->dst)); in pf_multihome_scan()
7516 job->pd.dst = &job->dst; in pf_multihome_scan()
7517 job->pd.m = pd->m; in pf_multihome_scan()
7520 TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); in pf_multihome_scan()
7528 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), in pf_multihome_scan()
7529 NULL, NULL, pd->af)) in pf_multihome_scan()
7533 ntohs(ah.ph.param_length) - sizeof(ah), pd, in pf_multihome_scan()
7543 if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), in pf_multihome_scan()
7544 NULL, NULL, pd->af)) in pf_multihome_scan()
7547 ntohs(ah.ph.param_length) - sizeof(ah), pd, in pf_multihome_scan()
7564 pf_multihome_scan_init(int start, int len, struct pf_pdesc *pd) in pf_multihome_scan_init() argument
7569 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); in pf_multihome_scan_init()
7573 pf_multihome_scan_asconf(int start, int len, struct pf_pdesc *pd) in pf_multihome_scan_asconf() argument
7578 return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); in pf_multihome_scan_asconf()
7582 pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, in pf_icmp_state_lookup() argument
7586 int direction = pd->dir; in pf_icmp_state_lookup()
7588 key->af = pd->af; in pf_icmp_state_lookup()
7589 key->proto = pd->proto; in pf_icmp_state_lookup()
7591 *iidx = pd->sidx; in pf_icmp_state_lookup()
7592 key->port[pd->sidx] = icmpid; in pf_icmp_state_lookup()
7593 key->port[pd->didx] = type; in pf_icmp_state_lookup()
7595 *iidx = pd->didx; in pf_icmp_state_lookup()
7596 key->port[pd->sidx] = type; in pf_icmp_state_lookup()
7597 key->port[pd->didx] = icmpid; in pf_icmp_state_lookup()
7599 if (pf_state_key_addr_setup(pd, key, multi)) in pf_icmp_state_lookup()
7602 STATE_LOOKUP(key, *state, pd); in pf_icmp_state_lookup()
7609 direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ? in pf_icmp_state_lookup()
7614 (((!inner && direction == pd->dir) || in pf_icmp_state_lookup()
7615 (inner && direction != pd->dir)) ? in pf_icmp_state_lookup()
7631 pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, in pf_test_state_icmp() argument
7634 struct pf_addr *saddr = pd->src, *daddr = pd->dst; in pf_test_state_icmp()
7646 switch (pd->proto) { in pf_test_state_icmp()
7649 icmptype = pd->hdr.icmp.icmp_type; in pf_test_state_icmp()
7650 icmpcode = pd->hdr.icmp.icmp_code; in pf_test_state_icmp()
7651 icmpid = pd->hdr.icmp.icmp_id; in pf_test_state_icmp()
7652 icmpsum = &pd->hdr.icmp.icmp_cksum; in pf_test_state_icmp()
7657 icmptype = pd->hdr.icmp6.icmp6_type; in pf_test_state_icmp()
7658 icmpcode = pd->hdr.icmp6.icmp6_code; in pf_test_state_icmp()
7660 icmpid = pd->hdr.icmp6.icmp6_id; in pf_test_state_icmp()
7662 icmpsum = &pd->hdr.icmp6.icmp6_cksum; in pf_test_state_icmp()
7666 panic("unhandled proto %d", pd->proto); in pf_test_state_icmp()
7669 if (pf_icmp_mapping(pd, icmptype, &icmp_dir, &virtual_id, in pf_test_state_icmp()
7675 ret = pf_icmp_state_lookup(&key, pd, state, virtual_id, in pf_test_state_icmp()
7678 if (ret == PF_DROP && pd->af == AF_INET6 && icmp_dir == PF_OUT) { in pf_test_state_icmp()
7680 ret = pf_icmp_state_lookup(&key, pd, state, in pf_test_state_icmp()
7697 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
7698 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
7700 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
7702 afto = pd->af != nk->af; in pf_test_state_icmp()
7705 sidx = pd->didx; in pf_test_state_icmp()
7706 didx = pd->sidx; in pf_test_state_icmp()
7709 sidx = pd->sidx; in pf_test_state_icmp()
7710 didx = pd->didx; in pf_test_state_icmp()
7713 switch (pd->af) { in pf_test_state_icmp()
7719 &pd->hdr.icmp)) in pf_test_state_icmp()
7721 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
7725 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET)) in pf_test_state_icmp()
7727 pd->ip_sum, in pf_test_state_icmp()
7731 if (!afto && PF_ANEQ(pd->dst, in pf_test_state_icmp()
7734 pd->ip_sum, in pf_test_state_icmp()
7738 pd->hdr.icmp.icmp_id) { in pf_test_state_icmp()
7739 pd->hdr.icmp.icmp_cksum = in pf_test_state_icmp()
7741 pd->hdr.icmp.icmp_cksum, icmpid, in pf_test_state_icmp()
7743 pd->hdr.icmp.icmp_id = in pf_test_state_icmp()
7747 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
7748 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
7756 &pd->hdr.icmp6)) in pf_test_state_icmp()
7758 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
7762 PF_ANEQ(pd->src, &nk->addr[sidx], AF_INET6)) in pf_test_state_icmp()
7764 &pd->hdr.icmp6.icmp6_cksum, in pf_test_state_icmp()
7767 if (!afto && PF_ANEQ(pd->dst, in pf_test_state_icmp()
7770 &pd->hdr.icmp6.icmp6_cksum, in pf_test_state_icmp()
7773 if (nk->port[iidx] != pd->hdr.icmp6.icmp6_id) in pf_test_state_icmp()
7774 pd->hdr.icmp6.icmp6_id = in pf_test_state_icmp()
7777 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
7778 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
7783 PF_ACPY(&pd->nsaddr, &nk->addr[sidx], nk->af); in pf_test_state_icmp()
7784 PF_ACPY(&pd->ndaddr, &nk->addr[didx], nk->af); in pf_test_state_icmp()
7785 pd->naf = nk->af; in pf_test_state_icmp()
7807 pd2.af = pd->af; in pf_test_state_icmp()
7808 pd2.dir = pd->dir; in pf_test_state_icmp()
7810 pd2.sidx = (pd->dir == PF_IN) ? 1 : 0; in pf_test_state_icmp()
7811 pd2.didx = (pd->dir == PF_IN) ? 0 : 1; in pf_test_state_icmp()
7812 pd2.m = pd->m; in pf_test_state_icmp()
7813 pd2.kif = pd->kif; in pf_test_state_icmp()
7814 switch (pd->af) { in pf_test_state_icmp()
7818 ipoff2 = pd->off + ICMP_MINLEN; in pf_test_state_icmp()
7820 if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2), in pf_test_state_icmp()
7848 ipoff2 = pd->off + sizeof(struct icmp6_hdr); in pf_test_state_icmp()
7850 if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6), in pf_test_state_icmp()
7869 unhandled_af(pd->af); in pf_test_state_icmp()
7872 if (PF_ANEQ(pd->dst, pd2.src, pd->af)) { in pf_test_state_icmp()
7876 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
7878 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
7902 if (!pf_pull_hdr(pd->m, pd2.off, &th, 8, NULL, reason, in pf_test_state_icmp()
7917 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
7919 if (pd->dir == (*state)->direction) { in pf_test_state_icmp()
7920 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state_icmp()
7928 if (PF_REVERSED_KEY(*state, pd->af)) { in pf_test_state_icmp()
7956 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
7958 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
7969 pf_print_host(pd->src, 0, pd->af); in pf_test_state_icmp()
7971 pf_print_host(pd->dst, 0, pd->af); in pf_test_state_icmp()
7984 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
7985 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
7987 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
7993 afto = pd->af != nk->af; in pf_test_state_icmp()
8005 &pd->hdr.icmp)) in pf_test_state_icmp()
8007 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8009 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8010 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8012 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8015 pf_change_ap(pd->m, pd2.src, &th.th_sport, in pf_test_state_icmp()
8016 pd->ip_sum, &dummy_cksum, &nk->addr[pd2.sidx], in pf_test_state_icmp()
8017 nk->port[sidx], 1, pd->af, nk->af); in pf_test_state_icmp()
8018 pf_change_ap(pd->m, pd2.dst, &th.th_dport, in pf_test_state_icmp()
8019 pd->ip_sum, &dummy_cksum, &nk->addr[pd2.didx], in pf_test_state_icmp()
8020 nk->port[didx], 1, pd->af, nk->af); in pf_test_state_icmp()
8022 PF_ACPY(&pd->nsaddr, &nk->addr[pd2.sidx], in pf_test_state_icmp()
8024 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8027 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8029 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8037 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8038 pd->src->addr32[0]; in pf_test_state_icmp()
8040 pd->naf = nk->af; in pf_test_state_icmp()
8052 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8061 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8069 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8070 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8071 m_copyback(pd->m, ipoff2, sizeof(h2), in pf_test_state_icmp()
8077 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8079 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8080 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8085 unhandled_af(pd->af); in pf_test_state_icmp()
8087 m_copyback(pd->m, pd2.off, 8, (caddr_t)&th); in pf_test_state_icmp()
8096 if (!pf_pull_hdr(pd->m, pd2.off, &uh, sizeof(uh), in pf_test_state_icmp()
8111 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
8118 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8119 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8121 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8126 afto = pd->af != nk->af; in pf_test_state_icmp()
8138 &pd->hdr.icmp)) in pf_test_state_icmp()
8140 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8142 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8143 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8145 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8148 pf_change_ap(pd->m, pd2.src, &uh.uh_sport, in pf_test_state_icmp()
8149 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.sidx], in pf_test_state_icmp()
8150 nk->port[sidx], 1, pd->af, nk->af); in pf_test_state_icmp()
8151 pf_change_ap(pd->m, pd2.dst, &uh.uh_dport, in pf_test_state_icmp()
8152 pd->ip_sum, &uh.uh_sum, &nk->addr[pd2.didx], in pf_test_state_icmp()
8153 nk->port[didx], 1, pd->af, nk->af); in pf_test_state_icmp()
8156 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8158 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8161 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8163 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8171 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8172 pd->src->addr32[0]; in pf_test_state_icmp()
8174 pd->naf = nk->af; in pf_test_state_icmp()
8186 pd->ip_sum, 1, pd2.af); in pf_test_state_icmp()
8195 pd->ip_sum, 1, pd2.af); in pf_test_state_icmp()
8200 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8201 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8202 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8207 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8209 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8210 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8215 m_copyback(pd->m, pd2.off, sizeof(uh), (caddr_t)&uh); in pf_test_state_icmp()
8226 if (! pf_pull_hdr(pd->m, pd2.off, &sh, sizeof(sh), NULL, reason, in pf_test_state_icmp()
8241 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
8243 if (pd->dir == (*state)->direction) { in pf_test_state_icmp()
8244 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8249 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8268 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8269 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8271 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8276 afto = pd->af != nk->af; in pf_test_state_icmp()
8288 &pd->hdr.icmp)) in pf_test_state_icmp()
8290 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8292 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8293 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8295 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8301 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8303 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8306 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8308 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8316 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8317 pd->src->addr32[0]; in pf_test_state_icmp()
8319 pd->naf = nk->af; in pf_test_state_icmp()
8331 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8340 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8348 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8349 (caddr_t )&pd->hdr.icmp); in pf_test_state_icmp()
8350 m_copyback(pd->m, ipoff2, sizeof(h2), in pf_test_state_icmp()
8356 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8358 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8359 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8364 m_copyback(pd->m, pd2.off, sizeof(sh), (caddr_t)&sh); in pf_test_state_icmp()
8378 if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN, in pf_test_state_icmp()
8402 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8403 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8405 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8410 afto = pd->af != nk->af; in pf_test_state_icmp()
8425 &pd->hdr.icmp)) in pf_test_state_icmp()
8427 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8429 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8430 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8432 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8435 pd->proto = IPPROTO_ICMPV6; in pf_test_state_icmp()
8443 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8445 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8453 pd->nsaddr.addr32[3] = in pf_test_state_icmp()
8454 pd->src->addr32[0]; in pf_test_state_icmp()
8455 pd->naf = nk->af; in pf_test_state_icmp()
8471 pd->ip_sum, 0, AF_INET); in pf_test_state_icmp()
8477 pd2.ip_sum, icmpsum, pd->ip_sum, 0, in pf_test_state_icmp()
8480 m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); in pf_test_state_icmp()
8481 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8482 m_copyback(pd->m, pd2.off, ICMP_MINLEN, (caddr_t)iih); in pf_test_state_icmp()
8497 if (!pf_pull_hdr(pd->m, pd2.off, iih, in pf_test_state_icmp()
8528 if (PF_REVERSED_KEY(*state, pd->af)) in pf_test_state_icmp()
8529 nk = (*state)->key[pd->sidx]; in pf_test_state_icmp()
8531 nk = (*state)->key[pd->didx]; in pf_test_state_icmp()
8536 afto = pd->af != nk->af; in pf_test_state_icmp()
8551 &pd->hdr.icmp)) in pf_test_state_icmp()
8553 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8555 (c_caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8556 if (pf_change_icmp_af(pd->m, ipoff2, pd, in pf_test_state_icmp()
8558 &nk->addr[didx], pd->af, in pf_test_state_icmp()
8561 pd->proto = IPPROTO_ICMP; in pf_test_state_icmp()
8570 PF_ACPY(&pd->nsaddr, in pf_test_state_icmp()
8572 PF_ACPY(&pd->ndaddr, in pf_test_state_icmp()
8574 pd->naf = nk->af; in pf_test_state_icmp()
8590 pd->ip_sum, 0, AF_INET6); in pf_test_state_icmp()
8597 pd->ip_sum, 0, AF_INET6); in pf_test_state_icmp()
8599 m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
8600 (caddr_t)&pd->hdr.icmp6); in pf_test_state_icmp()
8601 m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); in pf_test_state_icmp()
8602 m_copyback(pd->m, pd2.off, sizeof(struct icmp6_hdr), in pf_test_state_icmp()
8616 STATE_LOOKUP(&key, *state, pd); in pf_test_state_icmp()
8622 (*state)->key[pd->didx]; in pf_test_state_icmp()
8629 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8636 pd->ip_sum, 0, pd2.af); in pf_test_state_icmp()
8641 m_copyback(pd->m, pd->off, ICMP_MINLEN, in pf_test_state_icmp()
8642 (caddr_t)&pd->hdr.icmp); in pf_test_state_icmp()
8643 m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); in pf_test_state_icmp()
8648 m_copyback(pd->m, pd->off, in pf_test_state_icmp()
8650 (caddr_t )&pd->hdr.icmp6); in pf_test_state_icmp()
8651 m_copyback(pd->m, ipoff2, sizeof(h2_6), in pf_test_state_icmp()
8759 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) in pf_route() argument
8775 SDT_PROBE4(pf, ip, route_to, entry, *m, pd, s, oifp); in pf_route()
8783 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT || in pf_route()
8787 if ((pd->pf_mtag == NULL && in pf_route()
8788 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || in pf_route()
8789 pd->pf_mtag->routed++ > 3) { in pf_route()
8796 if (pd->act.rt_kif != NULL) in pf_route()
8797 ifp = pd->act.rt_kif->pfik_ifp; in pf_route()
8799 if (pd->act.rt == PF_DUPTO) { in pf_route()
8800 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { in pf_route()
8814 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED; in pf_route()
8822 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) { in pf_route()
8823 if (pd->af == pd->naf) { in pf_route()
8824 pf_dummynet(pd, s, r, m); in pf_route()
8839 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp && in pf_route()
8840 pd->af != pd->naf) { in pf_route()
8841 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET) { in pf_route()
8845 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET6) { in pf_route()
8859 dst->sin_addr.s_addr = pd->act.rt_addr.v4.s_addr; in pf_route()
8862 if (ifp == NULL && (pd->af != pd->naf)) { in pf_route()
8890 pd->act.rt == PF_REPLYTO && in pf_route()
8892 s->kif = pd->act.rt_kif; in pf_route()
8906 if (pd->dir == PF_IN && !skip_test) { in pf_route()
8908 &pd->act) != PF_PASS) { in pf_route()
8941 if (pd->dir == PF_IN) { in pf_route()
8946 pd->dir = PF_OUT; in pf_route()
8957 tmp = pd->act.dnrpipe; in pf_route()
8958 pd->act.dnrpipe = pd->act.dnpipe; in pf_route()
8959 pd->act.dnpipe = tmp; in pf_route()
8976 error = pf_dummynet_route(pd, s, r, ifp, gw, &md); in pf_route()
8988 if (pd->act.rt != PF_DUPTO) { in pf_route()
8990 PACKET_UNDO_NAT(m0, pd, in pf_route()
9016 pd->pf_mtag = pf_find_mtag(md); in pf_route()
9017 error = pf_dummynet_route(pd, s, r, ifp, in pf_route()
9031 if (pd->act.rt != PF_DUPTO) in pf_route()
9047 struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp) in pf_route6() argument
9059 SDT_PROBE4(pf, ip6, route_to, entry, *m, pd, s, oifp); in pf_route6()
9067 KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT || in pf_route6()
9071 if ((pd->pf_mtag == NULL && in pf_route6()
9072 ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) || in pf_route6()
9073 pd->pf_mtag->routed++ > 3) { in pf_route6()
9080 if (pd->act.rt_kif != NULL) in pf_route6()
9081 ifp = pd->act.rt_kif->pfik_ifp; in pf_route6()
9083 if (pd->act.rt == PF_DUPTO) { in pf_route6()
9084 if ((pd->pf_mtag->flags & PF_MTAG_FLAG_DUPLICATED)) { in pf_route6()
9098 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUPLICATED; in pf_route6()
9106 if ((pd->act.rt == PF_REPLYTO) == (r_dir == pd->dir)) { in pf_route6()
9107 if (pd->af == pd->naf) { in pf_route6()
9108 pf_dummynet(pd, s, r, m); in pf_route6()
9123 if (pd->act.rt_kif && pd->act.rt_kif->pfik_ifp && in pf_route6()
9124 pd->af != pd->naf) { in pf_route6()
9125 if (pd->act.rt == PF_ROUTETO && r->naf != AF_INET6) { in pf_route6()
9129 if (pd->act.rt == PF_REPLYTO && r->naf != AF_INET) { in pf_route6()
9142 PF_ACPY((struct pf_addr *)&dst.sin6_addr, &pd->act.rt_addr, AF_INET6); in pf_route6()
9145 if (ifp == NULL && (pd->af != pd->naf)) { in pf_route6()
9171 pd->act.rt == PF_REPLYTO && in pf_route6()
9173 s->kif = pd->act.rt_kif; in pf_route6()
9180 if (pd->af != pd->naf) { in pf_route6()
9181 struct udphdr *uh = &pd->hdr.udp; in pf_route6()
9183 if (pd->proto == IPPROTO_UDP && uh->uh_sum == 0) { in pf_route6()
9186 m_copyback(m0, pd->off, sizeof(*uh), pd->hdr.any); in pf_route6()
9197 if (pd->dir == PF_IN && !skip_test) { in pf_route6()
9199 ifp, &m0, inp, &pd->act) != PF_PASS) { in pf_route6()
9226 if (pd->dir == PF_IN) { in pf_route6()
9232 pd->dir = PF_OUT; in pf_route6()
9243 tmp = pd->act.dnrpipe; in pf_route6()
9244 pd->act.dnrpipe = pd->act.dnpipe; in pf_route6()
9245 pd->act.dnpipe = tmp; in pf_route6()
9264 pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md); in pf_route6()
9273 if (pd->act.rt != PF_DUPTO) { in pf_route6()
9275 PACKET_UNDO_NAT(m0, pd, in pf_route6()
9288 if (pd->act.rt != PF_DUPTO) in pf_route6()
9423 pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r, in pf_pdesc_to_dnflow() argument
9433 dndir = pd->dir; in pf_pdesc_to_dnflow()
9436 if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED) in pf_pdesc_to_dnflow()
9441 if (pd->dport != NULL) in pf_pdesc_to_dnflow()
9442 dnflow->f_id.dst_port = ntohs(*pd->dport); in pf_pdesc_to_dnflow()
9443 if (pd->sport != NULL) in pf_pdesc_to_dnflow()
9444 dnflow->f_id.src_port = ntohs(*pd->sport); in pf_pdesc_to_dnflow()
9446 if (pd->dir == PF_IN) in pf_pdesc_to_dnflow()
9451 if (pd->dir != dndir && pd->act.dnrpipe) { in pf_pdesc_to_dnflow()
9452 dnflow->rule.info = pd->act.dnrpipe; in pf_pdesc_to_dnflow()
9454 else if (pd->dir == dndir && pd->act.dnpipe) { in pf_pdesc_to_dnflow()
9455 dnflow->rule.info = pd->act.dnpipe; in pf_pdesc_to_dnflow()
9462 if (r->free_flags & PFRULE_DN_IS_PIPE || pd->act.flags & PFSTATE_DN_IS_PIPE) in pf_pdesc_to_dnflow()
9465 dnflow->f_id.proto = pd->proto; in pf_pdesc_to_dnflow()
9467 switch (pd->naf) { in pf_pdesc_to_dnflow()
9470 dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr); in pf_pdesc_to_dnflow()
9471 dnflow->f_id.dst_ip = ntohl(pd->dst->v4.s_addr); in pf_pdesc_to_dnflow()
9476 dnflow->f_id.src_ip6 = pd->src->v6; in pf_pdesc_to_dnflow()
9477 dnflow->f_id.dst_ip6 = pd->dst->v6; in pf_pdesc_to_dnflow()
9537 pf_dummynet(struct pf_pdesc *pd, struct pf_kstate *s, in pf_dummynet() argument
9540 return (pf_dummynet_route(pd, s, r, NULL, NULL, m0)); in pf_dummynet()
9544 pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s, in pf_dummynet_route() argument
9552 if (pd->act.dnpipe == 0 && pd->act.dnrpipe == 0) in pf_dummynet_route()
9561 if (pd->pf_mtag == NULL && in pf_dummynet_route()
9562 ((pd->pf_mtag = pf_get_mtag(*m0)) == NULL)) { in pf_dummynet_route()
9569 pd->pf_mtag->flags |= PF_MTAG_FLAG_ROUTE_TO; in pf_dummynet_route()
9571 pd->pf_mtag->if_index = ifp->if_index; in pf_dummynet_route()
9572 pd->pf_mtag->if_idxgen = ifp->if_idxgen; in pf_dummynet_route()
9578 memcpy(&pd->pf_mtag->dst, sa, in pf_dummynet_route()
9582 memcpy(&pd->pf_mtag->dst, sa, in pf_dummynet_route()
9592 (pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) || in pf_dummynet_route()
9594 (pd->af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd->dst->v6)))) { in pf_dummynet_route()
9603 if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) { in pf_dummynet_route()
9604 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET; in pf_dummynet_route()
9605 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED; in pf_dummynet_route()
9608 pd->pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; in pf_dummynet_route()
9609 pf_dummynet_flag_remove(*m0, pd->pf_mtag); in pf_dummynet_route()
9618 pf_walk_option6(struct pf_pdesc *pd, struct ip6_hdr *h, int off, int end, in pf_walk_option6() argument
9625 if (!pf_pull_hdr(pd->m, off, &opt.ip6o_type, in pf_walk_option6()
9634 if (!pf_pull_hdr(pd->m, off, &opt, sizeof(opt), NULL, in pf_walk_option6()
9646 if (pd->jumbolen != 0) { in pf_walk_option6()
9656 if (!pf_pull_hdr(pd->m, off, &jumbo, sizeof(jumbo), NULL, in pf_walk_option6()
9661 memcpy(&pd->jumbolen, jumbo.ip6oj_jumbo_len, in pf_walk_option6()
9662 sizeof(pd->jumbolen)); in pf_walk_option6()
9663 pd->jumbolen = ntohl(pd->jumbolen); in pf_walk_option6()
9664 if (pd->jumbolen < IPV6_MAXPACKET) { in pf_walk_option6()
9680 pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) in pf_walk_header6() argument
9688 pd->off += sizeof(struct ip6_hdr); in pf_walk_header6()
9689 end = pd->off + ntohs(h->ip6_plen); in pf_walk_header6()
9690 pd->fragoff = pd->extoff = pd->jumbolen = 0; in pf_walk_header6()
9691 pd->proto = h->ip6_nxt; in pf_walk_header6()
9693 switch (pd->proto) { in pf_walk_header6()
9701 if (pd->jumbolen != 0) { in pf_walk_header6()
9706 if (!pf_pull_hdr(pd->m, pd->off, &frag, sizeof(frag), in pf_walk_header6()
9713 pd->fragoff = pd->off; in pf_walk_header6()
9718 pd->fragoff = pd->off; in pf_walk_header6()
9719 pd->off += sizeof(frag); in pf_walk_header6()
9720 pd->proto = frag.ip6f_nxt; in pf_walk_header6()
9729 if (pd->fragoff != 0 && end < pd->off + sizeof(rthdr)) { in pf_walk_header6()
9730 pd->off = pd->fragoff; in pf_walk_header6()
9731 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
9734 if (!pf_pull_hdr(pd->m, pd->off, &rthdr, sizeof(rthdr), in pf_walk_header6()
9748 if (!pf_pull_hdr(pd->m, pd->off, &ext, sizeof(ext), in pf_walk_header6()
9754 if (pd->fragoff != 0 && end < pd->off + sizeof(ext)) { in pf_walk_header6()
9755 pd->off = pd->fragoff; in pf_walk_header6()
9756 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
9760 if (pd->fragoff == 0) in pf_walk_header6()
9761 pd->extoff = pd->off; in pf_walk_header6()
9762 if (pd->proto == IPPROTO_HOPOPTS && pd->fragoff == 0) { in pf_walk_header6()
9763 if (pf_walk_option6(pd, h, in pf_walk_header6()
9764 pd->off + sizeof(ext), in pf_walk_header6()
9765 pd->off + (ext.ip6e_len + 1) * 8, reason) in pf_walk_header6()
9768 if (ntohs(h->ip6_plen) == 0 && pd->jumbolen != 0) { in pf_walk_header6()
9775 if (pd->proto == IPPROTO_AH) in pf_walk_header6()
9776 pd->off += (ext.ip6e_len + 2) * 4; in pf_walk_header6()
9778 pd->off += (ext.ip6e_len + 1) * 8; in pf_walk_header6()
9779 pd->proto = ext.ip6e_nxt; in pf_walk_header6()
9786 if (pd->fragoff != 0 && end < pd->off + in pf_walk_header6()
9787 (pd->proto == IPPROTO_TCP ? sizeof(struct tcphdr) : in pf_walk_header6()
9788 pd->proto == IPPROTO_UDP ? sizeof(struct udphdr) : in pf_walk_header6()
9789 pd->proto == IPPROTO_SCTP ? sizeof(struct sctphdr) : in pf_walk_header6()
9791 pd->off = pd->fragoff; in pf_walk_header6()
9792 pd->proto = IPPROTO_FRAGMENT; in pf_walk_header6()
9803 pf_init_pdesc(struct pf_pdesc *pd, struct mbuf *m) in pf_init_pdesc() argument
9805 memset(pd, 0, sizeof(*pd)); in pf_init_pdesc()
9806 pd->pf_mtag = pf_find_mtag(m); in pf_init_pdesc()
9807 pd->m = m; in pf_init_pdesc()
9811 pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, in pf_setup_pdesc() argument
9815 pd->dir = dir; in pf_setup_pdesc()
9816 pd->kif = kif; in pf_setup_pdesc()
9817 pd->m = *m0; in pf_setup_pdesc()
9818 pd->sidx = (dir == PF_IN) ? 0 : 1; in pf_setup_pdesc()
9819 pd->didx = (dir == PF_IN) ? 1 : 0; in pf_setup_pdesc()
9820 pd->af = pd->naf = af; in pf_setup_pdesc()
9822 TAILQ_INIT(&pd->sctp_multihome_jobs); in pf_setup_pdesc()
9824 memcpy(&pd->act, default_actions, sizeof(pd->act)); in pf_setup_pdesc()
9826 if (pd->pf_mtag && pd->pf_mtag->dnpipe) { in pf_setup_pdesc()
9827 pd->act.dnpipe = pd->pf_mtag->dnpipe; in pf_setup_pdesc()
9828 pd->act.flags = pd->pf_mtag->dnflags; in pf_setup_pdesc()
9837 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { in pf_setup_pdesc()
9845 if (pf_normalize_ip(reason, pd) != PF_PASS) { in pf_setup_pdesc()
9847 *m0 = pd->m; in pf_setup_pdesc()
9851 *m0 = pd->m; in pf_setup_pdesc()
9853 h = mtod(pd->m, struct ip *); in pf_setup_pdesc()
9854 pd->off = h->ip_hl << 2; in pf_setup_pdesc()
9855 if (pd->off < (int)sizeof(*h)) { in pf_setup_pdesc()
9860 pd->src = (struct pf_addr *)&h->ip_src; in pf_setup_pdesc()
9861 pd->dst = (struct pf_addr *)&h->ip_dst; in pf_setup_pdesc()
9862 PF_ACPY(&pd->osrc, pd->src, af); in pf_setup_pdesc()
9863 PF_ACPY(&pd->odst, pd->dst, af); in pf_setup_pdesc()
9864 pd->ip_sum = &h->ip_sum; in pf_setup_pdesc()
9865 pd->virtual_proto = pd->proto = h->ip_p; in pf_setup_pdesc()
9866 pd->tos = h->ip_tos & ~IPTOS_ECN_MASK; in pf_setup_pdesc()
9867 pd->ttl = h->ip_ttl; in pf_setup_pdesc()
9868 pd->tot_len = ntohs(h->ip_len); in pf_setup_pdesc()
9869 pd->act.rtableid = -1; in pf_setup_pdesc()
9870 pd->df = h->ip_off & htons(IP_DF); in pf_setup_pdesc()
9873 pd->badopts++; in pf_setup_pdesc()
9876 pd->virtual_proto = PF_VPROTO_FRAGMENT; in pf_setup_pdesc()
9886 (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { in pf_setup_pdesc()
9895 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
9896 pd->off = 0; in pf_setup_pdesc()
9897 if (pf_walk_header6(pd, h, reason) != PF_PASS) { in pf_setup_pdesc()
9902 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
9903 pd->src = (struct pf_addr *)&h->ip6_src; in pf_setup_pdesc()
9904 pd->dst = (struct pf_addr *)&h->ip6_dst; in pf_setup_pdesc()
9905 PF_ACPY(&pd->osrc, pd->src, af); in pf_setup_pdesc()
9906 PF_ACPY(&pd->odst, pd->dst, af); in pf_setup_pdesc()
9907 pd->ip_sum = NULL; in pf_setup_pdesc()
9908 pd->tos = IPV6_DSCP(h); in pf_setup_pdesc()
9909 pd->ttl = h->ip6_hlim; in pf_setup_pdesc()
9910 pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); in pf_setup_pdesc()
9911 pd->virtual_proto = pd->proto = h->ip6_nxt; in pf_setup_pdesc()
9912 pd->act.rtableid = -1; in pf_setup_pdesc()
9914 if (pd->fragoff != 0) in pf_setup_pdesc()
9915 pd->virtual_proto = PF_VPROTO_FRAGMENT; in pf_setup_pdesc()
9927 if (pf_normalize_ip6(pd->fragoff, reason, pd) != in pf_setup_pdesc()
9929 *m0 = pd->m; in pf_setup_pdesc()
9933 *m0 = pd->m; in pf_setup_pdesc()
9934 if (pd->m == NULL) { in pf_setup_pdesc()
9941 h = mtod(pd->m, struct ip6_hdr *); in pf_setup_pdesc()
9942 pd->src = (struct pf_addr *)&h->ip6_src; in pf_setup_pdesc()
9943 pd->dst = (struct pf_addr *)&h->ip6_dst; in pf_setup_pdesc()
9945 pd->off = 0; in pf_setup_pdesc()
9947 if (pf_walk_header6(pd, h, reason) != PF_PASS) { in pf_setup_pdesc()
9952 if (m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL) != NULL) { in pf_setup_pdesc()
9957 pd->virtual_proto = pd->proto; in pf_setup_pdesc()
9958 MPASS(pd->fragoff == 0); in pf_setup_pdesc()
9961 if (pd->fragoff != 0) in pf_setup_pdesc()
9962 pd->virtual_proto = PF_VPROTO_FRAGMENT; in pf_setup_pdesc()
9971 switch (pd->virtual_proto) { in pf_setup_pdesc()
9973 struct tcphdr *th = &pd->hdr.tcp; in pf_setup_pdesc()
9975 if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th), action, in pf_setup_pdesc()
9981 pd->hdrlen = sizeof(*th); in pf_setup_pdesc()
9982 pd->p_len = pd->tot_len - pd->off - (th->th_off << 2); in pf_setup_pdesc()
9983 pd->sport = &th->th_sport; in pf_setup_pdesc()
9984 pd->dport = &th->th_dport; in pf_setup_pdesc()
9985 pd->pcksum = &th->th_sum; in pf_setup_pdesc()
9989 struct udphdr *uh = &pd->hdr.udp; in pf_setup_pdesc()
9991 if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh), action, in pf_setup_pdesc()
9997 pd->hdrlen = sizeof(*uh); in pf_setup_pdesc()
9999 ntohs(uh->uh_ulen) > pd->m->m_pkthdr.len - pd->off || in pf_setup_pdesc()
10005 pd->sport = &uh->uh_sport; in pf_setup_pdesc()
10006 pd->dport = &uh->uh_dport; in pf_setup_pdesc()
10007 pd->pcksum = &uh->uh_sum; in pf_setup_pdesc()
10011 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), in pf_setup_pdesc()
10017 pd->hdrlen = sizeof(pd->hdr.sctp); in pf_setup_pdesc()
10018 pd->p_len = pd->tot_len - pd->off; in pf_setup_pdesc()
10020 pd->sport = &pd->hdr.sctp.src_port; in pf_setup_pdesc()
10021 pd->dport = &pd->hdr.sctp.dest_port; in pf_setup_pdesc()
10022 if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) { in pf_setup_pdesc()
10027 if (pf_scan_sctp(pd) != PF_PASS) { in pf_setup_pdesc()
10037 pd->pcksum = &pd->sctp_dummy_sum; in pf_setup_pdesc()
10041 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN, in pf_setup_pdesc()
10047 pd->hdrlen = ICMP_MINLEN; in pf_setup_pdesc()
10054 if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, in pf_setup_pdesc()
10061 switch (pd->hdr.icmp6.icmp6_type) { in pf_setup_pdesc()
10072 !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, in pf_setup_pdesc()
10078 pd->hdrlen = icmp_hlen; in pf_setup_pdesc()
10079 pd->pcksum = &pd->hdr.icmp.icmp_cksum; in pf_setup_pdesc()
10085 if (pd->sport) in pf_setup_pdesc()
10086 pd->osport = pd->nsport = *pd->sport; in pf_setup_pdesc()
10087 if (pd->dport) in pf_setup_pdesc()
10088 pd->odport = pd->ndport = *pd->dport; in pf_setup_pdesc()
10094 pf_counters_inc(int action, struct pf_pdesc *pd, in pf_counters_inc() argument
10098 int dir = pd->dir; in pf_counters_inc()
10103 &pd->kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS], in pf_counters_inc()
10104 pd->tot_len); in pf_counters_inc()
10106 &pd->kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS], in pf_counters_inc()
10112 pf_counter_u64_add_protected(&r->bytes[dirndx], pd->tot_len); in pf_counters_inc()
10117 pf_counter_u64_add_protected(&a->bytes[dirndx], pd->tot_len); in pf_counters_inc()
10126 pd->tot_len); in pf_counters_inc()
10141 pd->tot_len); in pf_counters_inc()
10146 s->bytes[dirndx] += pd->tot_len; in pf_counters_inc()
10150 pf_counter_u64_add_protected(&ri->r->bytes[dirndx], pd->tot_len); in pf_counters_inc()
10154 (s == NULL) ? pd->src : in pf_counters_inc()
10157 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10161 (s == NULL) ? pd->dst : in pf_counters_inc()
10164 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10176 (s == NULL) ? pd->src : in pf_counters_inc()
10179 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10183 (s == NULL) ? pd->dst : in pf_counters_inc()
10186 pd->af, pd->tot_len, dir == PF_OUT, in pf_counters_inc()
10192 pf_log_matches(struct pf_pdesc *pd, struct pf_krule *rm, in pf_log_matches() argument
10205 ruleset, pd, 1, ri->r); in pf_log_matches()
10219 struct pf_pdesc pd; in pf_test() local
10258 pf_init_pdesc(&pd, *m0); in pf_test()
10260 if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) { in pf_test()
10261 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; in pf_test()
10263 ifp = ifnet_byindexgen(pd.pf_mtag->if_index, in pf_test()
10264 pd.pf_mtag->if_idxgen); in pf_test()
10272 (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL); in pf_test()
10277 if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL && in pf_test()
10278 pd.pf_mtag->flags & PF_MTAG_FLAG_DUMMYNET) { in pf_test()
10285 pf_dummynet_flag_remove(pd.m, pd.pf_mtag); in pf_test()
10291 if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, in pf_test()
10294 pd.act.log |= PF_LOG_FORCE; in pf_test()
10300 pd.df && (*m0)->m_pkthdr.len > ifp->if_mtu) { in pf_test()
10324 ((mtag = m_tag_locate(pd.m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) { in pf_test()
10328 if (pd.pf_mtag == NULL && in pf_test()
10329 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
10333 pd.pf_mtag->flags |= PF_MTAG_FLAG_PACKET_LOOPED; in pf_test()
10335 if (pd.pf_mtag && pd.pf_mtag->flags & PF_MTAG_FLAG_FASTFWD_OURS_PRESENT) { in pf_test()
10336 pd.m->m_flags |= M_FASTFWD_OURS; in pf_test()
10337 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT; in pf_test()
10339 m_tag_delete(pd.m, mtag); in pf_test()
10341 mtag = m_tag_locate(pd.m, MTAG_IPFW_RULE, 0, NULL); in pf_test()
10343 m_tag_delete(pd.m, mtag); in pf_test()
10346 switch (pd.virtual_proto) { in pf_test()
10355 action = pf_test_rule(&r, &s, &pd, &a, in pf_test()
10363 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN && in pf_test()
10364 pd.dir == PF_IN && pf_synflood_check(&pd)) { in pf_test()
10365 pf_syncookie_send(&pd); in pf_test()
10370 if ((tcp_get_flags(&pd.hdr.tcp) & TH_ACK) && pd.p_len == 0) in pf_test()
10372 action = pf_normalize_tcp(&pd); in pf_test()
10375 action = pf_test_state(&s, &pd, &reason); in pf_test()
10384 if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == in pf_test()
10385 TH_ACK && pf_syncookie_validate(&pd) && in pf_test()
10386 pd.dir == PF_IN) { in pf_test()
10389 msyn = pf_syncookie_recreate_syn(&pd); in pf_test()
10396 &pd.act); in pf_test()
10401 action = pf_test_state(&s, &pd, &reason); in pf_test()
10407 s->src.seqhi = ntohl(pd.hdr.tcp.th_ack) - 1; in pf_test()
10408 s->src.seqlo = ntohl(pd.hdr.tcp.th_seq) - 1; in pf_test()
10410 action = pf_synproxy(&pd, s, &reason); in pf_test()
10413 action = pf_test_rule(&r, &s, &pd, in pf_test()
10421 action = pf_normalize_sctp(&pd); in pf_test()
10427 action = pf_test_state(&s, &pd, &reason); in pf_test()
10435 &pd, &a, &ruleset, inp); in pf_test()
10441 if (pd.virtual_proto == IPPROTO_ICMP && af != AF_INET) { in pf_test()
10448 if (pd.virtual_proto == IPPROTO_ICMPV6 && af != AF_INET6) { in pf_test()
10455 action = pf_test_state_icmp(&s, &pd, &reason); in pf_test()
10462 action = pf_test_rule(&r, &s, &pd, in pf_test()
10472 if (pd.m == NULL) in pf_test()
10475 if (action == PF_PASS && pd.badopts && in pf_test()
10479 pd.act.log = PF_LOG_FORCE; in pf_test()
10485 uint8_t log = pd.act.log; in pf_test()
10486 memcpy(&pd.act, &s->act, sizeof(struct pf_rule_actions)); in pf_test()
10487 pd.act.log |= log; in pf_test()
10493 if (tag > 0 && pf_tag_packet(&pd, tag)) { in pf_test()
10498 pf_scrub(&pd); in pf_test()
10499 if (pd.proto == IPPROTO_TCP && pd.act.max_mss) in pf_test()
10500 pf_normalize_mss(&pd); in pf_test()
10502 if (pd.act.rtableid >= 0) in pf_test()
10503 M_SETFIB(pd.m, pd.act.rtableid); in pf_test()
10505 if (pd.act.flags & PFSTATE_SETPRIO) { in pf_test()
10506 if (pd.tos & IPTOS_LOWDELAY) in pf_test()
10508 if (vlan_set_pcp(pd.m, pd.act.set_prio[use_2nd_queue])) { in pf_test()
10511 pd.act.log = PF_LOG_FORCE; in pf_test()
10518 if (action == PF_PASS && pd.act.qid) { in pf_test()
10519 if (pd.pf_mtag == NULL && in pf_test()
10520 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
10525 pd.pf_mtag->qid_hash = pf_state_hash(s); in pf_test()
10526 if (use_2nd_queue || (pd.tos & IPTOS_LOWDELAY)) in pf_test()
10527 pd.pf_mtag->qid = pd.act.pqid; in pf_test()
10529 pd.pf_mtag->qid = pd.act.qid; in pf_test()
10531 pd.pf_mtag->hdr = mtod(pd.m, void *); in pf_test()
10541 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || in pf_test()
10542 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule != NULL && in pf_test()
10545 pf_is_loopback(af, pd.dst)) in pf_test()
10546 pd.m->m_flags |= M_SKIP_FIREWALL; in pf_test()
10549 action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) { in pf_test()
10562 m_tag_prepend(pd.m, mtag); in pf_test()
10563 if (pd.m->m_flags & M_FASTFWD_OURS) { in pf_test()
10564 if (pd.pf_mtag == NULL && in pf_test()
10565 ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { in pf_test()
10568 pd.act.log = PF_LOG_FORCE; in pf_test()
10572 pd.pf_mtag->flags |= in pf_test()
10574 pd.m->m_flags &= ~M_FASTFWD_OURS; in pf_test()
10585 pd.act.log = PF_LOG_FORCE; in pf_test()
10595 if (pd.pf_mtag) in pf_test()
10596 pd.pf_mtag->flags &= ~PF_MTAG_FLAG_PACKET_LOOPED; in pf_test()
10598 if (pd.act.log) { in pf_test()
10608 if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL) in pf_test()
10610 ruleset, &pd, (s == NULL), NULL); in pf_test()
10615 reason, ri->r, a, ruleset, &pd, 0, NULL); in pf_test()
10619 pf_counters_inc(action, &pd, s, r, a); in pf_test()
10633 if (pf_translate_af(&pd)) { in pf_test()
10634 if (!pd.m) in pf_test()
10639 *m0 = pd.m; /* pf_translate_af may change pd.m */ in pf_test()
10641 if (pd.naf == AF_INET) in pf_test()
10642 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10645 if (pd.naf == AF_INET6) in pf_test()
10646 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10653 if (pd.act.rt) { in pf_test()
10658 pf_route(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10664 pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp); in pf_test()
10670 if (pf_dummynet(&pd, s, r, m0) != 0) { in pf_test()
10695 (mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL) in pf_test()
10699 pf_sctp_multihome_delayed(&pd, kif, s, action); in pf_test()