1052 	struct pf_pdesc		 pd;  in pf_refragment6()  local
1116 		memset(&pd, 0, sizeof(pd));  in pf_refragment6()
1117 		pd.pf_mtag = pf_find_mtag(m);  in pf_refragment6()
1153 pf_normalize_ip(u_short *reason, struct pf_pdesc *pd)  in pf_normalize_ip()  argument
1156 	struct ip		*h = mtod(pd->m, struct ip *);  in pf_normalize_ip()
1182 		if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)  in pf_normalize_ip()
1184 		else if (r->direction && r->direction != pd->dir)  in pf_normalize_ip()
1192 		    r->src.neg, pd->kif, M_GETFIB(pd->m)))  in pf_normalize_ip()
1196 		    r->dst.neg, NULL, M_GETFIB(pd->m)))  in pf_normalize_ip()
1198 		else if (r->match_tag && !pf_match_tag(pd->m, r, &tag,  in pf_normalize_ip()
1199 		    pd->pf_mtag ? pd->pf_mtag->tag : 0))  in pf_normalize_ip()
1212 		pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);  in pf_normalize_ip()
1213 		pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);  in pf_normalize_ip()
1215 		pf_rule_to_actions(r, &pd->act);  in pf_normalize_ip()
1277 		verdict = pf_reassemble(&pd->m, reason);  in pf_normalize_ip()
1283 		if (pd->m == NULL)  in pf_normalize_ip()
1286 		h = mtod(pd->m, struct ip *);  in pf_normalize_ip()
1287 		pd->tot_len = htons(h->ip_len);  in pf_normalize_ip()
1306 		PFLOG_PACKET(PF_DROP, *reason, r, NULL, NULL, pd, 1, NULL);  in pf_normalize_ip()
1315     struct pf_pdesc *pd)  in pf_normalize_ip6()  argument
1336 		if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)  in pf_normalize_ip6()
1338 		else if (r->direction && r->direction != pd->dir)  in pf_normalize_ip6()
1342 		else if (r->proto && r->proto != pd->proto)  in pf_normalize_ip6()
1345 		    (struct pf_addr *)&pd->src, AF_INET6,  in pf_normalize_ip6()
1346 		    r->src.neg, pd->kif, M_GETFIB(pd->m)))  in pf_normalize_ip6()
1349 		    (struct pf_addr *)&pd->dst, AF_INET6,  in pf_normalize_ip6()
1350 		    r->dst.neg, NULL, M_GETFIB(pd->m)))  in pf_normalize_ip6()
1363 		pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);  in pf_normalize_ip6()
1364 		pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);  in pf_normalize_ip6()
1366 		pf_rule_to_actions(r, &pd->act);  in pf_normalize_ip6()
1369 	if (!pf_pull_hdr(pd->m, off, &frag, sizeof(frag), reason, AF_INET6))  in pf_normalize_ip6()
1375 	if (pd->virtual_proto == PF_VPROTO_FRAGMENT) {  in pf_normalize_ip6()
1378 		if (pf_reassemble6(&pd->m, &frag, off, pd->extoff, reason) != PF_PASS)  in pf_normalize_ip6()
1380 		if (pd->m == NULL)  in pf_normalize_ip6()
1382 		h = mtod(pd->m, struct ip6_hdr *);  in pf_normalize_ip6()
1383 		pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);  in pf_normalize_ip6()
1391 pf_normalize_tcp(struct pf_pdesc *pd)  in pf_normalize_tcp()  argument
1394 	struct tcphdr	*th = &pd->hdr.tcp;  in pf_normalize_tcp()
1398 	sa_family_t	 af = pd->af;  in pf_normalize_tcp()
1409 		if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)  in pf_normalize_tcp()
1411 		else if (r->direction && r->direction != pd->dir)  in pf_normalize_tcp()
1415 		else if (r->proto && r->proto != pd->proto)  in pf_normalize_tcp()
1417 		else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,  in pf_normalize_tcp()
1418 		    r->src.neg, pd->kif, M_GETFIB(pd->m)))  in pf_normalize_tcp()
1423 		else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,  in pf_normalize_tcp()
1424 		    r->dst.neg, NULL, M_GETFIB(pd->m)))  in pf_normalize_tcp()
1430 			    pf_osfp_fingerprint(pd, th),  in pf_normalize_tcp()
1446 		pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);  in pf_normalize_tcp()
1447 		pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);  in pf_normalize_tcp()
1449 		pf_rule_to_actions(rm, &pd->act);  in pf_normalize_tcp()
1453 		pd->flags |= PFDESC_TCP_NORM;  in pf_normalize_tcp()
1489 		th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, ov, nv, 0);  in pf_normalize_tcp()
1495 		th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, th->th_urp,  in pf_normalize_tcp()
1503 		m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th);  in pf_normalize_tcp()
1510 		PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1, NULL);  in pf_normalize_tcp()
1515 pf_normalize_tcp_init(struct pf_pdesc *pd, struct tcphdr *th,  in pf_normalize_tcp_init()  argument
1529 	switch (pd->af) {  in pf_normalize_tcp_init()
1532 		struct ip *h = mtod(pd->m, struct ip *);  in pf_normalize_tcp_init()
1539 		struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *);  in pf_normalize_tcp_init()
1545 		unhandled_af(pd->af);  in pf_normalize_tcp_init()
1556 	if (olen < TCPOLEN_TIMESTAMP || !pf_pull_hdr(pd->m,  in pf_normalize_tcp_init()
1557 	    pd->off + sizeof(*th), opts, olen, NULL, pd->af))  in pf_normalize_tcp_init()
1589 pf_normalize_sctp_init(struct pf_pdesc *pd, struct pf_state_peer *src,  in pf_normalize_sctp_init()  argument
1602 	dst->scrub->pfss_v_tag = pd->sctp_initiate_tag;  in pf_normalize_sctp_init()
1608 pf_normalize_tcp_stateful(struct pf_pdesc *pd,  in pf_normalize_tcp_stateful()  argument
1628 	switch (pd->af) {  in pf_normalize_tcp_stateful()
1632 			struct ip *h = mtod(pd->m, struct ip *);  in pf_normalize_tcp_stateful()
1643 			struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *);  in pf_normalize_tcp_stateful()
1652 		unhandled_af(pd->af);  in pf_normalize_tcp_stateful()
1660 	    pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, olen, NULL, pd->af)) {  in pf_normalize_tcp_stateful()
1689 				pf_patch_32(pd,  in pf_normalize_tcp_stateful()
1700 				pf_patch_32(pd, tsr, htonl(tsecr),  in pf_normalize_tcp_stateful()
1712 			m_copyback(pd->m, pd->off + sizeof(*th), olen, opts);  in pf_normalize_tcp_stateful()
1875 	    || pd->p_len > 0 || (tcp_get_flags(th) & TH_SYN)) &&  in pf_normalize_tcp_stateful()
1905 		if (pd->p_len > 0 && (src->scrub->pfss_flags & PFSS_DATA_TS)) {  in pf_normalize_tcp_stateful()
1930 	if (pd->p_len > 0 && src->scrub && (src->scrub->pfss_flags &  in pf_normalize_tcp_stateful()
1982 pf_normalize_mss(struct pf_pdesc *pd)  in pf_normalize_mss()  argument
1987 	olen = (pd->hdr.tcp.th_off << 2) - sizeof(struct tcphdr);  in pf_normalize_mss()
1988 	optsoff = pd->off + sizeof(struct tcphdr);  in pf_normalize_mss()
1990 	    !pf_pull_hdr(pd->m, optsoff, opts, olen, NULL, pd->af))  in pf_normalize_mss()
1999 		if (ntohs(mss) > pd->act.max_mss) {  in pf_normalize_mss()
2001 			pf_patch_16(pd, &mss,  in pf_normalize_mss()
2002 			    htons(pd->act.max_mss), PF_ALGNMNT(mssoffopts));  in pf_normalize_mss()
2003 			m_copyback(pd->m, optsoff + mssoffopts,  in pf_normalize_mss()
2005 			m_copyback(pd->m, pd->off,  in pf_normalize_mss()
2006 			    sizeof(struct tcphdr), (caddr_t)&pd->hdr.tcp);  in pf_normalize_mss()
2016 pf_scan_sctp(struct pf_pdesc *pd)  in pf_scan_sctp()  argument
2023 	while (pd->off + chunk_off < pd->tot_len) {  in pf_scan_sctp()
2024 		if (!pf_pull_hdr(pd->m, pd->off + chunk_off, &ch, sizeof(ch),  in pf_scan_sctp()
2025 		    NULL, pd->af))  in pf_scan_sctp()
2040 			if (!pf_pull_hdr(pd->m, pd->off + chunk_start, &init,  in pf_scan_sctp()
2041 			    sizeof(init), NULL, pd->af))  in pf_scan_sctp()
2062 			    pd->hdr.sctp.v_tag != 0)  in pf_scan_sctp()
2065 			pd->sctp_initiate_tag = init.init.initiate_tag;  in pf_scan_sctp()
2068 				pd->sctp_flags |= PFDESC_SCTP_INIT;  in pf_scan_sctp()
2070 				pd->sctp_flags |= PFDESC_SCTP_INIT_ACK;  in pf_scan_sctp()
2072 			ret = pf_multihome_scan_init(pd->off + chunk_start,  in pf_scan_sctp()
2073 			    ntohs(init.ch.chunk_length), pd);  in pf_scan_sctp()
2080 			pd->sctp_flags |= PFDESC_SCTP_ABORT;  in pf_scan_sctp()
2084 			pd->sctp_flags |= PFDESC_SCTP_SHUTDOWN;  in pf_scan_sctp()
2087 			pd->sctp_flags |= PFDESC_SCTP_SHUTDOWN_COMPLETE;  in pf_scan_sctp()
2090 			pd->sctp_flags |= PFDESC_SCTP_COOKIE;  in pf_scan_sctp()
2093 			pd->sctp_flags |= PFDESC_SCTP_COOKIE_ACK;  in pf_scan_sctp()
2096 			pd->sctp_flags |= PFDESC_SCTP_DATA;  in pf_scan_sctp()
2099 			pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT;  in pf_scan_sctp()
2102 			pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT_ACK;  in pf_scan_sctp()
2105 			pd->sctp_flags |= PFDESC_SCTP_ASCONF;  in pf_scan_sctp()
2107 			ret = pf_multihome_scan_asconf(pd->off + chunk_start,  in pf_scan_sctp()
2108 			    ntohs(ch.chunk_length), pd);  in pf_scan_sctp()
2113 			pd->sctp_flags |= PFDESC_SCTP_OTHER;  in pf_scan_sctp()
2119 	if (pd->off + chunk_off != pd->tot_len)  in pf_scan_sctp()
2126 	if ((pd->sctp_flags & PFDESC_SCTP_INIT) &&  in pf_scan_sctp()
2127 	    (pd->sctp_flags & ~PFDESC_SCTP_INIT))  in pf_scan_sctp()
2129 	if ((pd->sctp_flags & PFDESC_SCTP_INIT_ACK) &&  in pf_scan_sctp()
2130 	    (pd->sctp_flags & ~PFDESC_SCTP_INIT_ACK))  in pf_scan_sctp()
2132 	if ((pd->sctp_flags & PFDESC_SCTP_SHUTDOWN_COMPLETE) &&  in pf_scan_sctp()
2133 	    (pd->sctp_flags & ~PFDESC_SCTP_SHUTDOWN_COMPLETE))  in pf_scan_sctp()
2135 	if ((pd->sctp_flags & PFDESC_SCTP_ABORT) &&  in pf_scan_sctp()
2136 	    (pd->sctp_flags & PFDESC_SCTP_DATA)) {  in pf_scan_sctp()
2148 pf_normalize_sctp(struct pf_pdesc *pd)  in pf_normalize_sctp()  argument
2151 	struct sctphdr	*sh = &pd->hdr.sctp;  in pf_normalize_sctp()
2153 	sa_family_t	 af = pd->af;  in pf_normalize_sctp()
2164 		if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot)  in pf_normalize_sctp()
2166 		else if (r->direction && r->direction != pd->dir)  in pf_normalize_sctp()
2170 		else if (r->proto && r->proto != pd->proto)  in pf_normalize_sctp()
2172 		else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,  in pf_normalize_sctp()
2173 		    r->src.neg, pd->kif, M_GETFIB(pd->m)))  in pf_normalize_sctp()
2178 		else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,  in pf_normalize_sctp()
2179 		    r->dst.neg, NULL, M_GETFIB(pd->m)))  in pf_normalize_sctp()
2197 		pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);  in pf_normalize_sctp()
2198 		pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);  in pf_normalize_sctp()
2203 	if ((pd->tot_len - pd->off - sizeof(struct sctphdr)) % 4)  in pf_normalize_sctp()
2207 	if (pd->sctp_flags & PFDESC_SCTP_INIT)  in pf_normalize_sctp()
2208 		if (pd->sctp_flags & ~PFDESC_SCTP_INIT)  in pf_normalize_sctp()
2216 		PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd,  in pf_normalize_sctp()
2224 pf_scrub(struct pf_pdesc *pd)  in pf_scrub()  argument
2227 	struct ip		*h = mtod(pd->m, struct ip *);  in pf_scrub()
2229 	struct ip6_hdr		*h6 = mtod(pd->m, struct ip6_hdr *);  in pf_scrub()
2233 	if (pd->af == AF_INET && pd->act.flags & PFSTATE_NODF &&  in pf_scrub()
2243 	if (pd->af == AF_INET && pd->act.min_ttl &&  in pf_scrub()
2244 	    h->ip_ttl < pd->act.min_ttl) {  in pf_scrub()
2247 		h->ip_ttl = pd->act.min_ttl;  in pf_scrub()
2252 	if (pd->af == AF_INET6 && pd->act.min_ttl &&  in pf_scrub()
2253 	    h6->ip6_hlim < pd->act.min_ttl)  in pf_scrub()
2254 		h6->ip6_hlim = pd->act.min_ttl;  in pf_scrub()
2257 	if (pd->act.flags & PFSTATE_SETTOS) {  in pf_scrub()
2258 		switch (pd->af) {  in pf_scrub()
2263 			h->ip_tos = pd->act.set_tos | (h->ip_tos & IPTOS_ECN_MASK);  in pf_scrub()
2272 			h6->ip6_flow |= htonl((pd->act.set_tos | IPV6_ECN(h6)) << 20);  in pf_scrub()
2280 	if (pd->af == AF_INET &&  in pf_scrub()
2281 	    pd->act.flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) {  in pf_scrub()