Lines Matching +full:max +full:- +full:reason
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
5 * Copyright 2011-2018 Alexander Bluhm <bluhm@openbsd.org>
169 key->frc_src.v4 = ip->ip_src; in pf_ip2key()
170 key->frc_dst.v4 = ip->ip_dst; in pf_ip2key()
171 key->frc_af = AF_INET; in pf_ip2key()
172 key->frc_proto = ip->ip_p; in pf_ip2key()
173 key->frc_id = ip->ip_id; in pf_ip2key()
215 if ((diff = a->fr_id - b->fr_id) != 0) in pf_frag_compare()
217 if ((diff = a->fr_proto - b->fr_proto) != 0) in pf_frag_compare()
219 if ((diff = a->fr_af - b->fr_af) != 0) in pf_frag_compare()
221 if ((diff = pf_addr_cmp(&a->fr_src, &b->fr_src, a->fr_af)) != 0) in pf_frag_compare()
223 if ((diff = pf_addr_cmp(&a->fr_dst, &b->fr_dst, a->fr_af)) != 0) in pf_frag_compare()
231 u_int32_t expire = time_uptime - in pf_purge_expired_fragments()
244 if (frag->fr_timeout > expire) in pf_purge_fragments()
247 DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag)); in pf_purge_fragments()
285 for (frent = TAILQ_FIRST(&frag->fr_queue); frent; in pf_free_fragment()
286 frent = TAILQ_FIRST(&frag->fr_queue)) { in pf_free_fragment()
287 TAILQ_REMOVE(&frag->fr_queue, frent, fr_next); in pf_free_fragment()
289 m_freem(frent->fe_m); in pf_free_fragment()
306 frag->fr_timeout = time_uptime; in pf_find_fragment()
328 pf_create_fragment(u_short *reason) in pf_create_fragment() argument
339 REASON_SET(reason, PFRES_MEMORY); in pf_create_fragment()
362 if (frent->fe_off == 0) in pf_frent_holes()
363 holes--; in pf_frent_holes()
365 KASSERT(frent->fe_off != 0, ("frent->fe_off != 0")); in pf_frent_holes()
366 if (frent->fe_off == prev->fe_off + prev->fe_len) in pf_frent_holes()
367 holes--; in pf_frent_holes()
370 if (!frent->fe_mff) in pf_frent_holes()
371 holes--; in pf_frent_holes()
373 KASSERT(frent->fe_mff, ("frent->fe_mff")); in pf_frent_holes()
374 if (next->fe_off == frent->fe_off + frent->fe_len) in pf_frent_holes()
375 holes--; in pf_frent_holes()
390 16 - 1); in pf_frent_index()
391 CTASSERT(((u_int16_t)0xffff >> 3) / PF_FRAG_ENTRY_POINTS == 512 - 1); in pf_frent_index()
393 return frent->fe_off / (0x10000 / PF_FRAG_ENTRY_POINTS); in pf_frent_index()
410 if (frag->fr_entries[index] >= PF_FRAG_ENTRY_LIMIT) in pf_frent_insert()
412 frag->fr_entries[index]++; in pf_frent_insert()
415 TAILQ_INSERT_HEAD(&frag->fr_queue, frent, fr_next); in pf_frent_insert()
417 KASSERT(prev->fe_off + prev->fe_len <= frent->fe_off, in pf_frent_insert()
419 TAILQ_INSERT_AFTER(&frag->fr_queue, prev, frent, fr_next); in pf_frent_insert()
422 if (frag->fr_firstoff[index] == NULL) { in pf_frent_insert()
425 frag->fr_firstoff[index] = frent; in pf_frent_insert()
427 if (frent->fe_off < frag->fr_firstoff[index]->fe_off) { in pf_frent_insert()
430 frag->fr_firstoff[index] = frent; in pf_frent_insert()
438 frag->fr_holes += pf_frent_holes(frent); in pf_frent_insert()
452 frag->fr_holes -= pf_frent_holes(frent); in pf_frent_remove()
455 KASSERT(frag->fr_firstoff[index] != NULL, ("frent not found")); in pf_frent_remove()
456 if (frag->fr_firstoff[index]->fe_off == frent->fe_off) { in pf_frent_remove()
458 frag->fr_firstoff[index] = NULL; in pf_frent_remove()
460 KASSERT(frent->fe_off + frent->fe_len <= next->fe_off, in pf_frent_remove()
463 frag->fr_firstoff[index] = next; in pf_frent_remove()
465 frag->fr_firstoff[index] = NULL; in pf_frent_remove()
469 KASSERT(frag->fr_firstoff[index]->fe_off < frent->fe_off, in pf_frent_remove()
470 ("frag->fr_firstoff[index]->fe_off < frent->fe_off")); in pf_frent_remove()
472 KASSERT(prev->fe_off + prev->fe_len <= frent->fe_off, in pf_frent_remove()
478 TAILQ_REMOVE(&frag->fr_queue, frent, fr_next); in pf_frent_remove()
480 KASSERT(frag->fr_entries[index] > 0, ("No fragments remaining")); in pf_frent_remove()
481 frag->fr_entries[index]--; in pf_frent_remove()
494 prev = TAILQ_LAST(&frag->fr_queue, pf_fragq); in pf_frent_previous()
496 if (prev->fe_off <= frent->fe_off) in pf_frent_previous()
507 prev = frag->fr_firstoff[index]; in pf_frent_previous()
518 if (prev->fe_off > frent->fe_off) { in pf_frent_previous()
522 KASSERT(prev->fe_off <= frent->fe_off, in pf_frent_previous()
523 ("prev->fe_off <= frent->fe_off")); in pf_frent_previous()
532 if (next->fe_off > frent->fe_off) in pf_frent_previous()
541 u_short *reason) in pf_fillup_fragment() argument
551 if (frent->fe_len == 0) { in pf_fillup_fragment()
557 if (frent->fe_mff && (frent->fe_len & 0x7)) { in pf_fillup_fragment()
558 DPFPRINTF(("bad fragment: mff and len %d\n", frent->fe_len)); in pf_fillup_fragment()
563 if (frent->fe_off + frent->fe_len > IP_MAXPACKET) { in pf_fillup_fragment()
564 DPFPRINTF(("bad fragment: max packet %d\n", in pf_fillup_fragment()
565 frent->fe_off + frent->fe_len)); in pf_fillup_fragment()
569 DPFPRINTF((key->frc_af == AF_INET ? in pf_fillup_fragment()
570 "reass frag %d @ %d-%d\n" : "reass frag %#08x @ %d-%d\n", in pf_fillup_fragment()
571 key->frc_id, frent->fe_off, frent->fe_off + frent->fe_len)); in pf_fillup_fragment()
583 REASON_SET(reason, PFRES_MEMORY); in pf_fillup_fragment()
589 memset(frag->fr_firstoff, 0, sizeof(frag->fr_firstoff)); in pf_fillup_fragment()
590 memset(frag->fr_entries, 0, sizeof(frag->fr_entries)); in pf_fillup_fragment()
591 frag->fr_timeout = time_uptime; in pf_fillup_fragment()
592 frag->fr_maxlen = frent->fe_len; in pf_fillup_fragment()
593 frag->fr_holes = 1; in pf_fillup_fragment()
594 TAILQ_INIT(&frag->fr_queue); in pf_fillup_fragment()
605 KASSERT(!TAILQ_EMPTY(&frag->fr_queue), ("!TAILQ_EMPTY()->fr_queue")); in pf_fillup_fragment()
608 if (frent->fe_len > frag->fr_maxlen) in pf_fillup_fragment()
609 frag->fr_maxlen = frent->fe_len; in pf_fillup_fragment()
612 total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off + in pf_fillup_fragment()
613 TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len; in pf_fillup_fragment()
616 if (frent->fe_off + frent->fe_len < total && !frent->fe_mff) in pf_fillup_fragment()
620 if (!TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_mff) { in pf_fillup_fragment()
621 if (frent->fe_off + frent->fe_len > total || in pf_fillup_fragment()
622 (frent->fe_off + frent->fe_len == total && frent->fe_mff)) in pf_fillup_fragment()
625 if (frent->fe_off + frent->fe_len == total && !frent->fe_mff) in pf_fillup_fragment()
632 after = TAILQ_FIRST(&frag->fr_queue); in pf_fillup_fragment()
638 if (prev != NULL && prev->fe_off + prev->fe_len > frent->fe_off) { in pf_fillup_fragment()
641 precut = prev->fe_off + prev->fe_len - frent->fe_off; in pf_fillup_fragment()
642 if (precut >= frent->fe_len) in pf_fillup_fragment()
644 DPFPRINTF(("overlap -%d\n", precut)); in pf_fillup_fragment()
645 m_adj(frent->fe_m, precut); in pf_fillup_fragment()
646 frent->fe_off += precut; in pf_fillup_fragment()
647 frent->fe_len -= precut; in pf_fillup_fragment()
650 for (; after != NULL && frent->fe_off + frent->fe_len > after->fe_off; in pf_fillup_fragment()
654 aftercut = frent->fe_off + frent->fe_len - after->fe_off; in pf_fillup_fragment()
656 if (aftercut < after->fe_len) { in pf_fillup_fragment()
657 m_adj(after->fe_m, aftercut); in pf_fillup_fragment()
659 after->fe_off += aftercut; in pf_fillup_fragment()
660 after->fe_len -= aftercut; in pf_fillup_fragment()
666 after->fe_off -= aftercut; in pf_fillup_fragment()
667 after->fe_len += aftercut; in pf_fillup_fragment()
670 after->fe_off += aftercut; in pf_fillup_fragment()
671 after->fe_len -= aftercut; in pf_fillup_fragment()
676 m_freem(after->fe_m); in pf_fillup_fragment()
688 m_freem(after->fe_m); in pf_fillup_fragment()
701 REASON_SET(reason, PFRES_FRAG); in pf_fillup_fragment()
713 frent = TAILQ_FIRST(&frag->fr_queue); in pf_join_fragment()
716 m = frent->fe_m; in pf_join_fragment()
717 m_adj(m, (frent->fe_hdrlen + frent->fe_len) - m->m_pkthdr.len); in pf_join_fragment()
722 m2 = frent->fe_m; in pf_join_fragment()
724 m_adj(m2, frent->fe_hdrlen); in pf_join_fragment()
726 m_adj(m2, frent->fe_len - m2->m_pkthdr.len); in pf_join_fragment()
740 pf_reassemble(struct mbuf **m0, int dir, u_short *reason) in pf_reassemble() argument
754 if ((frent = pf_create_fragment(reason)) == NULL) in pf_reassemble()
757 frent->fe_m = m; in pf_reassemble()
758 frent->fe_hdrlen = ip->ip_hl << 2; in pf_reassemble()
759 frent->fe_extoff = 0; in pf_reassemble()
760 frent->fe_len = ntohs(ip->ip_len) - (ip->ip_hl << 2); in pf_reassemble()
761 frent->fe_off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3; in pf_reassemble()
762 frent->fe_mff = ntohs(ip->ip_off) & IP_MF; in pf_reassemble()
766 if ((frag = pf_fillup_fragment(&key, frent, reason)) == NULL) in pf_reassemble()
772 if (frag->fr_holes) { in pf_reassemble()
773 DPFPRINTF(("frag %d, holes %d\n", frag->fr_id, frag->fr_holes)); in pf_reassemble()
778 frent = TAILQ_FIRST(&frag->fr_queue); in pf_reassemble()
780 total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off + in pf_reassemble()
781 TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len; in pf_reassemble()
782 hdrlen = frent->fe_hdrlen; in pf_reassemble()
784 maxlen = frag->fr_maxlen; in pf_reassemble()
785 frag_id = frag->fr_id; in pf_reassemble()
789 if (m->m_flags & M_PKTHDR) { in pf_reassemble()
791 for (m = *m0; m; m = m->m_next) in pf_reassemble()
792 plen += m->m_len; in pf_reassemble()
794 m->m_pkthdr.len = plen; in pf_reassemble()
799 REASON_SET(reason, PFRES_SHORT); in pf_reassemble()
804 ftag->ft_hdrlen = hdrlen; in pf_reassemble()
805 ftag->ft_extoff = 0; in pf_reassemble()
806 ftag->ft_maxlen = maxlen; in pf_reassemble()
807 ftag->ft_id = frag_id; in pf_reassemble()
811 ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_len, in pf_reassemble()
813 ip->ip_len = htons(hdrlen + total); in pf_reassemble()
814 ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_off, in pf_reassemble()
815 ip->ip_off & ~(IP_MF|IP_OFFMASK), 0); in pf_reassemble()
816 ip->ip_off &= ~(IP_MF|IP_OFFMASK); in pf_reassemble()
820 ip->ip_len = 0; in pf_reassemble()
821 REASON_SET(reason, PFRES_SHORT); in pf_reassemble()
826 DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip->ip_len))); in pf_reassemble()
834 uint16_t hdrlen, uint16_t extoff, u_short *reason) in pf_reassemble6() argument
851 if ((frent = pf_create_fragment(reason)) == NULL) { in pf_reassemble6()
856 frent->fe_m = m; in pf_reassemble6()
857 frent->fe_hdrlen = hdrlen; in pf_reassemble6()
858 frent->fe_extoff = extoff; in pf_reassemble6()
859 frent->fe_len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - hdrlen; in pf_reassemble6()
860 frent->fe_off = ntohs(fraghdr->ip6f_offlg & IP6F_OFF_MASK); in pf_reassemble6()
861 frent->fe_mff = fraghdr->ip6f_offlg & IP6F_MORE_FRAG; in pf_reassemble6()
863 key.frc_src.v6 = ip6->ip6_src; in pf_reassemble6()
864 key.frc_dst.v6 = ip6->ip6_dst; in pf_reassemble6()
868 key.frc_id = fraghdr->ip6f_ident; in pf_reassemble6()
870 if ((frag = pf_fillup_fragment(&key, frent, reason)) == NULL) { in pf_reassemble6()
878 if (frag->fr_holes) { in pf_reassemble6()
879 DPFPRINTF(("frag %d, holes %d\n", frag->fr_id, in pf_reassemble6()
880 frag->fr_holes)); in pf_reassemble6()
886 frent = TAILQ_FIRST(&frag->fr_queue); in pf_reassemble6()
888 extoff = frent->fe_extoff; in pf_reassemble6()
889 maxlen = frag->fr_maxlen; in pf_reassemble6()
890 frag_id = frag->fr_id; in pf_reassemble6()
891 total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off + in pf_reassemble6()
892 TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len; in pf_reassemble6()
893 hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag); in pf_reassemble6()
910 if (m->m_flags & M_PKTHDR) { in pf_reassemble6()
912 for (m = *m0; m; m = m->m_next) in pf_reassemble6()
913 plen += m->m_len; in pf_reassemble6()
915 m->m_pkthdr.len = plen; in pf_reassemble6()
922 ftag->ft_hdrlen = hdrlen; in pf_reassemble6()
923 ftag->ft_extoff = extoff; in pf_reassemble6()
924 ftag->ft_maxlen = maxlen; in pf_reassemble6()
925 ftag->ft_id = frag_id; in pf_reassemble6()
929 ip6->ip6_plen = htons(hdrlen - sizeof(struct ip6_hdr) + total); in pf_reassemble6()
938 ip6->ip6_nxt = proto; in pf_reassemble6()
940 if (hdrlen - sizeof(struct ip6_hdr) + total > IPV6_MAXPACKET) { in pf_reassemble6()
942 ip6->ip6_plen = 0; in pf_reassemble6()
943 REASON_SET(reason, PFRES_SHORT); in pf_reassemble6()
948 DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip6->ip6_plen))); in pf_reassemble6()
952 REASON_SET(reason, PFRES_MEMORY); in pf_reassemble6()
967 return (m->m_pkthdr.len); in pf_max_frag_size()
971 return (ftag->ft_maxlen); in pf_max_frag_size()
987 hdrlen = ftag->ft_hdrlen; in pf_refragment6()
988 extoff = ftag->ft_extoff; in pf_refragment6()
989 maxlen = ftag->ft_maxlen; in pf_refragment6()
990 frag_id = ftag->ft_id; in pf_refragment6()
1007 proto = hdr->ip6_nxt; in pf_refragment6()
1008 hdr->ip6_nxt = IPPROTO_FRAGMENT; in pf_refragment6()
1011 /* In case of link-local traffic we'll need a scope set. */ in pf_refragment6()
1014 in6_setscope(&hdr->ip6_src, ifp, NULL); in pf_refragment6()
1015 in6_setscope(&hdr->ip6_dst, ifp, NULL); in pf_refragment6()
1029 m = (*m0)->m_nextpkt; in pf_refragment6()
1030 (*m0)->m_nextpkt = NULL; in pf_refragment6()
1042 t = m->m_nextpkt; in pf_refragment6()
1043 m->m_nextpkt = NULL; in pf_refragment6()
1044 m->m_flags |= M_SKIP_FIREWALL; in pf_refragment6()
1058 dst.sin6_addr = hdr->ip6_dst; in pf_refragment6()
1062 MPASS(m->m_pkthdr.rcvif != NULL); in pf_refragment6()
1076 pf_normalize_ip(struct mbuf **m0, u_short *reason, in pf_normalize_ip() argument
1081 int mff = (ntohs(h->ip_off) & IP_MF); in pf_normalize_ip()
1082 int hlen = h->ip_hl << 2; in pf_normalize_ip()
1083 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; in pf_normalize_ip()
1084 u_int16_t max; in pf_normalize_ip() local
1086 int tag = -1; in pf_normalize_ip()
1092 MPASS(pd->m == *m0); in pf_normalize_ip()
1098 * - enforced packet normalization operation just like in OpenBSD in pf_normalize_ip()
1099 * - fragment reassembly depends on V_pf_status.reass in pf_normalize_ip()
1101 * - packet normalization is performed if there is a matching scrub rule in pf_normalize_ip()
1102 * - fragment reassembly is performed if the matching rule has no in pf_normalize_ip()
1107 pf_counter_u64_add(&r->evaluations, 1); in pf_normalize_ip()
1108 if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot) in pf_normalize_ip()
1109 r = r->skip[PF_SKIP_IFP]; in pf_normalize_ip()
1110 else if (r->direction && r->direction != pd->dir) in pf_normalize_ip()
1111 r = r->skip[PF_SKIP_DIR]; in pf_normalize_ip()
1112 else if (r->af && r->af != AF_INET) in pf_normalize_ip()
1113 r = r->skip[PF_SKIP_AF]; in pf_normalize_ip()
1114 else if (r->proto && r->proto != h->ip_p) in pf_normalize_ip()
1115 r = r->skip[PF_SKIP_PROTO]; in pf_normalize_ip()
1116 else if (PF_MISMATCHAW(&r->src.addr, in pf_normalize_ip()
1117 (struct pf_addr *)&h->ip_src.s_addr, AF_INET, in pf_normalize_ip()
1118 r->src.neg, pd->kif, M_GETFIB(pd->m))) in pf_normalize_ip()
1119 r = r->skip[PF_SKIP_SRC_ADDR]; in pf_normalize_ip()
1120 else if (PF_MISMATCHAW(&r->dst.addr, in pf_normalize_ip()
1121 (struct pf_addr *)&h->ip_dst.s_addr, AF_INET, in pf_normalize_ip()
1122 r->dst.neg, NULL, M_GETFIB(pd->m))) in pf_normalize_ip()
1123 r = r->skip[PF_SKIP_DST_ADDR]; in pf_normalize_ip()
1124 else if (r->match_tag && !pf_match_tag(pd->m, r, &tag, in pf_normalize_ip()
1125 pd->pf_mtag ? pd->pf_mtag->tag : 0)) in pf_normalize_ip()
1134 if (r == NULL || r->action == PF_NOSCRUB) in pf_normalize_ip()
1138 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1); in pf_normalize_ip()
1139 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len); in pf_normalize_ip()
1141 pf_rule_to_actions(r, &pd->act); in pf_normalize_ip()
1146 REASON_SET(reason, PFRES_NORM); in pf_normalize_ip()
1150 if (hlen > ntohs(h->ip_len)) { in pf_normalize_ip()
1151 REASON_SET(reason, PFRES_NORM); in pf_normalize_ip()
1155 /* Clear IP_DF if the rule uses the no-df option or we're in no-df mode */ in pf_normalize_ip()
1157 (r != NULL && r->rule_flag & PFRULE_NODF)) && in pf_normalize_ip()
1158 (h->ip_off & htons(IP_DF)) in pf_normalize_ip()
1160 u_int16_t ip_off = h->ip_off; in pf_normalize_ip()
1162 h->ip_off &= htons(~IP_DF); in pf_normalize_ip()
1163 h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); in pf_normalize_ip()
1172 * no-df above, fine. Otherwise drop it. in pf_normalize_ip()
1174 if (h->ip_off & htons(IP_DF)) { in pf_normalize_ip()
1179 ip_len = ntohs(h->ip_len) - hlen; in pf_normalize_ip()
1189 DPFPRINTF(("max packet %d\n", fragoff + ip_len)); in pf_normalize_ip()
1194 (r != NULL && !(r->rule_flag & PFRULE_FRAGMENT_NOREASS)) in pf_normalize_ip()
1196 max = fragoff + ip_len; in pf_normalize_ip()
1201 DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max)); in pf_normalize_ip()
1202 verdict = pf_reassemble(m0, pd->dir, reason); in pf_normalize_ip()
1208 pd->m = *m0; in pf_normalize_ip()
1209 if (pd->m == NULL) in pf_normalize_ip()
1212 h = mtod(pd->m, struct ip *); in pf_normalize_ip()
1213 pd->tot_len = htons(h->ip_len); in pf_normalize_ip()
1217 if (h->ip_off & ~htons(IP_DF)) { in pf_normalize_ip()
1218 u_int16_t ip_off = h->ip_off; in pf_normalize_ip()
1220 h->ip_off &= htons(IP_DF); in pf_normalize_ip()
1221 h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); in pf_normalize_ip()
1229 REASON_SET(reason, PFRES_FRAG); in pf_normalize_ip()
1231 if (r != NULL && r->log) in pf_normalize_ip()
1232 PFLOG_PACKET(PF_DROP, *reason, r, NULL, NULL, pd, 1); in pf_normalize_ip()
1240 pf_normalize_ip6(struct mbuf **m0, int off, u_short *reason, in pf_normalize_ip6() argument
1250 pd->m = *m0; in pf_normalize_ip6()
1256 * - enforced packet normalization operation just like in OpenBSD in pf_normalize_ip6()
1258 * - packet normalization is performed if there is a matching scrub rule in pf_normalize_ip6()
1263 pf_counter_u64_add(&r->evaluations, 1); in pf_normalize_ip6()
1264 if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot) in pf_normalize_ip6()
1265 r = r->skip[PF_SKIP_IFP]; in pf_normalize_ip6()
1266 else if (r->direction && r->direction != pd->dir) in pf_normalize_ip6()
1267 r = r->skip[PF_SKIP_DIR]; in pf_normalize_ip6()
1268 else if (r->af && r->af != AF_INET6) in pf_normalize_ip6()
1269 r = r->skip[PF_SKIP_AF]; in pf_normalize_ip6()
1270 else if (r->proto && r->proto != pd->proto) in pf_normalize_ip6()
1271 r = r->skip[PF_SKIP_PROTO]; in pf_normalize_ip6()
1272 else if (PF_MISMATCHAW(&r->src.addr, in pf_normalize_ip6()
1273 (struct pf_addr *)&pd->src, AF_INET6, in pf_normalize_ip6()
1274 r->src.neg, pd->kif, M_GETFIB(pd->m))) in pf_normalize_ip6()
1275 r = r->skip[PF_SKIP_SRC_ADDR]; in pf_normalize_ip6()
1276 else if (PF_MISMATCHAW(&r->dst.addr, in pf_normalize_ip6()
1277 (struct pf_addr *)&pd->dst, AF_INET6, in pf_normalize_ip6()
1278 r->dst.neg, NULL, M_GETFIB(pd->m))) in pf_normalize_ip6()
1279 r = r->skip[PF_SKIP_DST_ADDR]; in pf_normalize_ip6()
1287 if (r == NULL || r->action == PF_NOSCRUB) in pf_normalize_ip6()
1291 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1); in pf_normalize_ip6()
1292 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len); in pf_normalize_ip6()
1294 pf_rule_to_actions(r, &pd->act); in pf_normalize_ip6()
1297 if (!pf_pull_hdr(pd->m, off, &frag, sizeof(frag), NULL, reason, AF_INET6)) in pf_normalize_ip6()
1303 if (pd->virtual_proto == PF_VPROTO_FRAGMENT) { in pf_normalize_ip6()
1306 if (pf_reassemble6(m0, &frag, off, pd->extoff, reason) != PF_PASS) in pf_normalize_ip6()
1308 pd->m = *m0; in pf_normalize_ip6()
1309 if (pd->m == NULL) in pf_normalize_ip6()
1311 h = mtod(pd->m, struct ip6_hdr *); in pf_normalize_ip6()
1312 pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); in pf_normalize_ip6()
1323 struct tcphdr *th = &pd->hdr.tcp; in pf_normalize_tcp()
1325 u_short reason; in pf_normalize_tcp() local
1327 sa_family_t af = pd->af; in pf_normalize_tcp()
1337 pf_counter_u64_add(&r->evaluations, 1); in pf_normalize_tcp()
1338 if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot) in pf_normalize_tcp()
1339 r = r->skip[PF_SKIP_IFP]; in pf_normalize_tcp()
1340 else if (r->direction && r->direction != pd->dir) in pf_normalize_tcp()
1341 r = r->skip[PF_SKIP_DIR]; in pf_normalize_tcp()
1342 else if (r->af && r->af != af) in pf_normalize_tcp()
1343 r = r->skip[PF_SKIP_AF]; in pf_normalize_tcp()
1344 else if (r->proto && r->proto != pd->proto) in pf_normalize_tcp()
1345 r = r->skip[PF_SKIP_PROTO]; in pf_normalize_tcp()
1346 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, in pf_normalize_tcp()
1347 r->src.neg, pd->kif, M_GETFIB(pd->m))) in pf_normalize_tcp()
1348 r = r->skip[PF_SKIP_SRC_ADDR]; in pf_normalize_tcp()
1349 else if (r->src.port_op && !pf_match_port(r->src.port_op, in pf_normalize_tcp()
1350 r->src.port[0], r->src.port[1], th->th_sport)) in pf_normalize_tcp()
1351 r = r->skip[PF_SKIP_SRC_PORT]; in pf_normalize_tcp()
1352 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, in pf_normalize_tcp()
1353 r->dst.neg, NULL, M_GETFIB(pd->m))) in pf_normalize_tcp()
1354 r = r->skip[PF_SKIP_DST_ADDR]; in pf_normalize_tcp()
1355 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, in pf_normalize_tcp()
1356 r->dst.port[0], r->dst.port[1], th->th_dport)) in pf_normalize_tcp()
1357 r = r->skip[PF_SKIP_DST_PORT]; in pf_normalize_tcp()
1358 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( in pf_normalize_tcp()
1360 r->os_fingerprint)) in pf_normalize_tcp()
1371 if (rm == NULL || rm->action == PF_NOSCRUB) in pf_normalize_tcp()
1375 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1); in pf_normalize_tcp()
1376 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len); in pf_normalize_tcp()
1378 pf_rule_to_actions(rm, &pd->act); in pf_normalize_tcp()
1381 if (rm && rm->rule_flag & PFRULE_REASSEMBLE_TCP) in pf_normalize_tcp()
1382 pd->flags |= PFDESC_TCP_NORM; in pf_normalize_tcp()
1405 if (th->th_off < (sizeof(struct tcphdr) >> 2)) in pf_normalize_tcp()
1413 ov = *(u_int16_t *)(&th->th_ack + 1); in pf_normalize_tcp()
1416 nv = *(u_int16_t *)(&th->th_ack + 1); in pf_normalize_tcp()
1418 th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, ov, nv, 0); in pf_normalize_tcp()
1423 if (!(flags & TH_URG) && th->th_urp) { in pf_normalize_tcp()
1424 th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, th->th_urp, in pf_normalize_tcp()
1426 th->th_urp = 0; in pf_normalize_tcp()
1432 m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th); in pf_normalize_tcp()
1437 REASON_SET(&reason, PFRES_NORM); in pf_normalize_tcp()
1438 if (rm != NULL && r->log) in pf_normalize_tcp()
1439 PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1); in pf_normalize_tcp()
1451 KASSERT((src->scrub == NULL), in pf_normalize_tcp_init()
1452 ("pf_normalize_tcp_init: src->scrub != NULL")); in pf_normalize_tcp_init()
1454 src->scrub = uma_zalloc(V_pf_state_scrub_z, M_ZERO | M_NOWAIT); in pf_normalize_tcp_init()
1455 if (src->scrub == NULL) in pf_normalize_tcp_init()
1458 switch (pd->af) { in pf_normalize_tcp_init()
1461 struct ip *h = mtod(pd->m, struct ip *); in pf_normalize_tcp_init()
1462 src->scrub->pfss_ttl = h->ip_ttl; in pf_normalize_tcp_init()
1468 struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *); in pf_normalize_tcp_init()
1469 src->scrub->pfss_ttl = h->ip6_hlim; in pf_normalize_tcp_init()
1482 if (th->th_off > (sizeof(struct tcphdr) >> 2) && src->scrub && in pf_normalize_tcp_init()
1483 pf_pull_hdr(pd->m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { in pf_normalize_tcp_init()
1487 hlen = (th->th_off << 2) - sizeof(struct tcphdr); in pf_normalize_tcp_init()
1493 hlen--; in pf_normalize_tcp_init()
1497 src->scrub->pfss_flags |= in pf_normalize_tcp_init()
1499 src->scrub->pfss_ts_mod = in pf_normalize_tcp_init()
1507 src->scrub->pfss_tsval0 = ntohl(tsval); in pf_normalize_tcp_init()
1508 src->scrub->pfss_tsval = ntohl(tsval); in pf_normalize_tcp_init()
1509 src->scrub->pfss_tsecr = ntohl(tsecr); in pf_normalize_tcp_init()
1510 getmicrouptime(&src->scrub->pfss_last); in pf_normalize_tcp_init()
1514 hlen -= MAX(opt[1], 2); in pf_normalize_tcp_init()
1515 opt += MAX(opt[1], 2); in pf_normalize_tcp_init()
1528 uma_zfree(V_pf_state_scrub_z, state->src.scrub); in pf_normalize_tcp_cleanup()
1529 uma_zfree(V_pf_state_scrub_z, state->dst.scrub); in pf_normalize_tcp_cleanup()
1537 src->scrub = uma_zalloc(V_pf_state_scrub_z, M_ZERO | M_NOWAIT); in pf_normalize_sctp_init()
1538 if (src->scrub == NULL) in pf_normalize_sctp_init()
1541 dst->scrub = uma_zalloc(V_pf_state_scrub_z, M_ZERO | M_NOWAIT); in pf_normalize_sctp_init()
1542 if (dst->scrub == NULL) { in pf_normalize_sctp_init()
1547 dst->scrub->pfss_v_tag = pd->sctp_initiate_tag; in pf_normalize_sctp_init()
1554 u_short *reason, struct tcphdr *th, struct pf_kstate *state, in pf_normalize_tcp_stateful() argument
1566 KASSERT((src->scrub || dst->scrub), in pf_normalize_tcp_stateful()
1567 ("%s: src->scrub && dst->scrub!", __func__)); in pf_normalize_tcp_stateful()
1574 switch (pd->af) { in pf_normalize_tcp_stateful()
1577 if (src->scrub) { in pf_normalize_tcp_stateful()
1578 struct ip *h = mtod(pd->m, struct ip *); in pf_normalize_tcp_stateful()
1579 if (h->ip_ttl > src->scrub->pfss_ttl) in pf_normalize_tcp_stateful()
1580 src->scrub->pfss_ttl = h->ip_ttl; in pf_normalize_tcp_stateful()
1581 h->ip_ttl = src->scrub->pfss_ttl; in pf_normalize_tcp_stateful()
1588 if (src->scrub) { in pf_normalize_tcp_stateful()
1589 struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *); in pf_normalize_tcp_stateful()
1590 if (h->ip6_hlim > src->scrub->pfss_ttl) in pf_normalize_tcp_stateful()
1591 src->scrub->pfss_ttl = h->ip6_hlim; in pf_normalize_tcp_stateful()
1592 h->ip6_hlim = src->scrub->pfss_ttl; in pf_normalize_tcp_stateful()
1599 if (th->th_off > (sizeof(struct tcphdr) >> 2) && in pf_normalize_tcp_stateful()
1600 ((src->scrub && (src->scrub->pfss_flags & PFSS_TIMESTAMP)) || in pf_normalize_tcp_stateful()
1601 (dst->scrub && (dst->scrub->pfss_flags & PFSS_TIMESTAMP))) && in pf_normalize_tcp_stateful()
1602 pf_pull_hdr(pd->m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { in pf_normalize_tcp_stateful()
1606 hlen = (th->th_off << 2) - sizeof(struct tcphdr); in pf_normalize_tcp_stateful()
1608 startoff = opt - (hdr + sizeof(struct tcphdr)); in pf_normalize_tcp_stateful()
1613 hlen--; in pf_normalize_tcp_stateful()
1628 REASON_SET(reason, PFRES_TS); in pf_normalize_tcp_stateful()
1634 if (tsval && src->scrub && in pf_normalize_tcp_stateful()
1635 (src->scrub->pfss_flags & in pf_normalize_tcp_stateful()
1638 pf_patch_32_unaligned(pd->m, in pf_normalize_tcp_stateful()
1639 &th->th_sum, in pf_normalize_tcp_stateful()
1642 src->scrub->pfss_ts_mod), in pf_normalize_tcp_stateful()
1651 if (tsecr && dst->scrub && in pf_normalize_tcp_stateful()
1652 (dst->scrub->pfss_flags & in pf_normalize_tcp_stateful()
1655 - dst->scrub->pfss_ts_mod; in pf_normalize_tcp_stateful()
1656 pf_patch_32_unaligned(pd->m, in pf_normalize_tcp_stateful()
1657 &th->th_sum, in pf_normalize_tcp_stateful()
1668 hlen -= MAX(opt[1], 2); in pf_normalize_tcp_stateful()
1669 opt += MAX(opt[1], 2); in pf_normalize_tcp_stateful()
1676 m_copyback(pd->m, pd->off + sizeof(struct tcphdr), in pf_normalize_tcp_stateful()
1677 (th->th_off << 2) - sizeof(struct tcphdr), hdr + in pf_normalize_tcp_stateful()
1693 if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) && in pf_normalize_tcp_stateful()
1694 (uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE || in pf_normalize_tcp_stateful()
1695 time_uptime - (state->creation / 1000) > TS_MAX_CONN)) { in pf_normalize_tcp_stateful()
1701 src->scrub->pfss_flags = (src->scrub->pfss_flags & ~PFSS_PAWS) in pf_normalize_tcp_stateful()
1704 if (dst->scrub && (dst->scrub->pfss_flags & PFSS_PAWS) && in pf_normalize_tcp_stateful()
1705 uptime.tv_sec - dst->scrub->pfss_last.tv_sec > TS_MAX_IDLE) { in pf_normalize_tcp_stateful()
1711 dst->scrub->pfss_flags = (dst->scrub->pfss_flags & ~PFSS_PAWS) in pf_normalize_tcp_stateful()
1715 if (got_ts && src->scrub && dst->scrub && in pf_normalize_tcp_stateful()
1716 (src->scrub->pfss_flags & PFSS_PAWS) && in pf_normalize_tcp_stateful()
1717 (dst->scrub->pfss_flags & PFSS_PAWS)) { in pf_normalize_tcp_stateful()
1718 /* Validate that the timestamps are "in-window". in pf_normalize_tcp_stateful()
1732 * - The timestamp on this packet must be greater than in pf_normalize_tcp_stateful()
1738 * - The timestamp will be less than or equal to in pf_normalize_tcp_stateful()
1740 * last packet and now. The RFC defines the max in pf_normalize_tcp_stateful()
1745 * timestamp <= last timestamp + max ticks in pf_normalize_tcp_stateful()
1753 * - The TCP timestamp option must also echo the other in pf_normalize_tcp_stateful()
1761 * - The lowerbound on the TS echo is a little more in pf_normalize_tcp_stateful()
1764 * network conditions that re-order packets and in pf_normalize_tcp_stateful()
1788 if ((ts_fudge = state->rule->timeout[PFTM_TS_DIFF]) == 0) in pf_normalize_tcp_stateful()
1791 /* Calculate max ticks since the last timestamp */ in pf_normalize_tcp_stateful()
1792 #define TS_MAXFREQ 1100 /* RFC max TS freq of 1Khz + 10% skew */ in pf_normalize_tcp_stateful()
1795 timevalsub(&delta_ts, &src->scrub->pfss_last); in pf_normalize_tcp_stateful()
1799 if ((src->state >= TCPS_ESTABLISHED && in pf_normalize_tcp_stateful()
1800 dst->state >= TCPS_ESTABLISHED) && in pf_normalize_tcp_stateful()
1801 (SEQ_LT(tsval, dst->scrub->pfss_tsecr) || in pf_normalize_tcp_stateful()
1802 SEQ_GT(tsval, src->scrub->pfss_tsval + tsval_from_last) || in pf_normalize_tcp_stateful()
1803 (tsecr && (SEQ_GT(tsecr, dst->scrub->pfss_tsval) || in pf_normalize_tcp_stateful()
1804 SEQ_LT(tsecr, dst->scrub->pfss_tsval0))))) { in pf_normalize_tcp_stateful()
1807 * - Solaris 2.6 and 2.7 are known to send another ACK in pf_normalize_tcp_stateful()
1813 SEQ_LT(tsval, dst->scrub->pfss_tsecr) ? '0' : ' ', in pf_normalize_tcp_stateful()
1814 SEQ_GT(tsval, src->scrub->pfss_tsval + in pf_normalize_tcp_stateful()
1816 SEQ_GT(tsecr, dst->scrub->pfss_tsval) ? '2' : ' ', in pf_normalize_tcp_stateful()
1817 SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' ')); in pf_normalize_tcp_stateful()
1823 DPFPRINTF((" src->tsval: %u tsecr: %u\n", in pf_normalize_tcp_stateful()
1824 src->scrub->pfss_tsval, src->scrub->pfss_tsecr)); in pf_normalize_tcp_stateful()
1825 DPFPRINTF((" dst->tsval: %u tsecr: %u tsval0: %u" in pf_normalize_tcp_stateful()
1826 "\n", dst->scrub->pfss_tsval, in pf_normalize_tcp_stateful()
1827 dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0)); in pf_normalize_tcp_stateful()
1833 REASON_SET(reason, PFRES_TS); in pf_normalize_tcp_stateful()
1840 ((src->state == TCPS_ESTABLISHED && dst->state == TCPS_ESTABLISHED) in pf_normalize_tcp_stateful()
1841 || pd->p_len > 0 || (tcp_get_flags(th) & TH_SYN)) && in pf_normalize_tcp_stateful()
1842 src->scrub && dst->scrub && in pf_normalize_tcp_stateful()
1843 (src->scrub->pfss_flags & PFSS_PAWS) && in pf_normalize_tcp_stateful()
1844 (dst->scrub->pfss_flags & PFSS_PAWS)) { in pf_normalize_tcp_stateful()
1847 * - connection opening or closing (often not even sent). in pf_normalize_tcp_stateful()
1850 * - on a TCP reset. RFC suggests not even looking at TS. in pf_normalize_tcp_stateful()
1851 * - on an empty ACK. The TS will not be echoed so it will in pf_normalize_tcp_stateful()
1855 * ACKs :-( in pf_normalize_tcp_stateful()
1871 if (pd->p_len > 0 && (src->scrub->pfss_flags & PFSS_DATA_TS)) { in pf_normalize_tcp_stateful()
1883 REASON_SET(reason, PFRES_TS); in pf_normalize_tcp_stateful()
1892 * timestamped. But I think there are middle-man devices that hijack in pf_normalize_tcp_stateful()
1896 if (pd->p_len > 0 && src->scrub && (src->scrub->pfss_flags & in pf_normalize_tcp_stateful()
1899 src->scrub->pfss_flags |= PFSS_DATA_TS; in pf_normalize_tcp_stateful()
1901 src->scrub->pfss_flags |= PFSS_DATA_NOTS; in pf_normalize_tcp_stateful()
1902 if (V_pf_status.debug >= PF_DEBUG_MISC && dst->scrub && in pf_normalize_tcp_stateful()
1903 (dst->scrub->pfss_flags & PFSS_TIMESTAMP)) { in pf_normalize_tcp_stateful()
1918 if (got_ts && src->scrub && PFSS_TIMESTAMP == (src->scrub->pfss_flags & in pf_normalize_tcp_stateful()
1920 getmicrouptime(&src->scrub->pfss_last); in pf_normalize_tcp_stateful()
1921 if (SEQ_GEQ(tsval, src->scrub->pfss_tsval) || in pf_normalize_tcp_stateful()
1922 (src->scrub->pfss_flags & PFSS_PAWS) == 0) in pf_normalize_tcp_stateful()
1923 src->scrub->pfss_tsval = tsval; in pf_normalize_tcp_stateful()
1926 if (SEQ_GEQ(tsecr, src->scrub->pfss_tsecr) || in pf_normalize_tcp_stateful()
1927 (src->scrub->pfss_flags & PFSS_PAWS) == 0) in pf_normalize_tcp_stateful()
1928 src->scrub->pfss_tsecr = tsecr; in pf_normalize_tcp_stateful()
1930 if ((src->scrub->pfss_flags & PFSS_PAWS) == 0 && in pf_normalize_tcp_stateful()
1931 (SEQ_LT(tsval, src->scrub->pfss_tsval0) || in pf_normalize_tcp_stateful()
1932 src->scrub->pfss_tsval0 == 0)) { in pf_normalize_tcp_stateful()
1934 src->scrub->pfss_tsval0 = tsval; in pf_normalize_tcp_stateful()
1938 if ((src->scrub->pfss_flags & PFSS_PAWS) == 0) in pf_normalize_tcp_stateful()
1939 src->scrub->pfss_flags |= PFSS_PAWS; in pf_normalize_tcp_stateful()
1950 struct tcphdr *th = &pd->hdr.tcp; in pf_normalize_mss()
1958 thoff = th->th_off << 2; in pf_normalize_mss()
1959 cnt = thoff - sizeof(struct tcphdr); in pf_normalize_mss()
1961 if (cnt > 0 && !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, cnt, in pf_normalize_mss()
1962 NULL, NULL, pd->af)) in pf_normalize_mss()
1965 for (; cnt > 0; cnt -= optlen, optp += optlen) { in pf_normalize_mss()
1966 startoff = optp - opts; in pf_normalize_mss()
1982 if ((ntohs(*mss)) > pd->act.max_mss) { in pf_normalize_mss()
1983 pf_patch_16_unaligned(pd->m, in pf_normalize_mss()
1984 &th->th_sum, in pf_normalize_mss()
1985 mss, htons(pd->act.max_mss), in pf_normalize_mss()
1988 m_copyback(pd->m, pd->off + sizeof(*th), in pf_normalize_mss()
1989 thoff - sizeof(*th), opts); in pf_normalize_mss()
1990 m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th); in pf_normalize_mss()
2009 while (pd->off + chunk_off < pd->tot_len) { in pf_scan_sctp()
2010 if (!pf_pull_hdr(pd->m, pd->off + chunk_off, &ch, sizeof(ch), NULL, in pf_scan_sctp()
2011 NULL, pd->af)) in pf_scan_sctp()
2026 if (!pf_pull_hdr(pd->m, pd->off + chunk_start, &init, in pf_scan_sctp()
2027 sizeof(init), NULL, NULL, pd->af)) in pf_scan_sctp()
2048 pd->hdr.sctp.v_tag != 0) in pf_scan_sctp()
2051 pd->sctp_initiate_tag = init.init.initiate_tag; in pf_scan_sctp()
2054 pd->sctp_flags |= PFDESC_SCTP_INIT; in pf_scan_sctp()
2056 pd->sctp_flags |= PFDESC_SCTP_INIT_ACK; in pf_scan_sctp()
2058 ret = pf_multihome_scan_init(pd->off + chunk_start, in pf_scan_sctp()
2066 pd->sctp_flags |= PFDESC_SCTP_ABORT; in pf_scan_sctp()
2070 pd->sctp_flags |= PFDESC_SCTP_SHUTDOWN; in pf_scan_sctp()
2073 pd->sctp_flags |= PFDESC_SCTP_SHUTDOWN_COMPLETE; in pf_scan_sctp()
2076 pd->sctp_flags |= PFDESC_SCTP_COOKIE; in pf_scan_sctp()
2079 pd->sctp_flags |= PFDESC_SCTP_COOKIE_ACK; in pf_scan_sctp()
2082 pd->sctp_flags |= PFDESC_SCTP_DATA; in pf_scan_sctp()
2085 pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT; in pf_scan_sctp()
2088 pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT_ACK; in pf_scan_sctp()
2091 pd->sctp_flags |= PFDESC_SCTP_ASCONF; in pf_scan_sctp()
2093 ret = pf_multihome_scan_asconf(pd->off + chunk_start, in pf_scan_sctp()
2099 pd->sctp_flags |= PFDESC_SCTP_OTHER; in pf_scan_sctp()
2105 if (pd->off + chunk_off != pd->tot_len) in pf_scan_sctp()
2112 if ((pd->sctp_flags & PFDESC_SCTP_INIT) && in pf_scan_sctp()
2113 (pd->sctp_flags & ~PFDESC_SCTP_INIT)) in pf_scan_sctp()
2115 if ((pd->sctp_flags & PFDESC_SCTP_INIT_ACK) && in pf_scan_sctp()
2116 (pd->sctp_flags & ~PFDESC_SCTP_INIT_ACK)) in pf_scan_sctp()
2118 if ((pd->sctp_flags & PFDESC_SCTP_SHUTDOWN_COMPLETE) && in pf_scan_sctp()
2119 (pd->sctp_flags & ~PFDESC_SCTP_SHUTDOWN_COMPLETE)) in pf_scan_sctp()
2129 struct sctphdr *sh = &pd->hdr.sctp; in pf_normalize_sctp()
2130 u_short reason; in pf_normalize_sctp() local
2131 sa_family_t af = pd->af; in pf_normalize_sctp()
2141 pf_counter_u64_add(&r->evaluations, 1); in pf_normalize_sctp()
2142 if (pfi_kkif_match(r->kif, pd->kif) == r->ifnot) in pf_normalize_sctp()
2143 r = r->skip[PF_SKIP_IFP]; in pf_normalize_sctp()
2144 else if (r->direction && r->direction != pd->dir) in pf_normalize_sctp()
2145 r = r->skip[PF_SKIP_DIR]; in pf_normalize_sctp()
2146 else if (r->af && r->af != af) in pf_normalize_sctp()
2147 r = r->skip[PF_SKIP_AF]; in pf_normalize_sctp()
2148 else if (r->proto && r->proto != pd->proto) in pf_normalize_sctp()
2149 r = r->skip[PF_SKIP_PROTO]; in pf_normalize_sctp()
2150 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, in pf_normalize_sctp()
2151 r->src.neg, pd->kif, M_GETFIB(pd->m))) in pf_normalize_sctp()
2152 r = r->skip[PF_SKIP_SRC_ADDR]; in pf_normalize_sctp()
2153 else if (r->src.port_op && !pf_match_port(r->src.port_op, in pf_normalize_sctp()
2154 r->src.port[0], r->src.port[1], sh->src_port)) in pf_normalize_sctp()
2155 r = r->skip[PF_SKIP_SRC_PORT]; in pf_normalize_sctp()
2156 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, in pf_normalize_sctp()
2157 r->dst.neg, NULL, M_GETFIB(pd->m))) in pf_normalize_sctp()
2158 r = r->skip[PF_SKIP_DST_ADDR]; in pf_normalize_sctp()
2159 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, in pf_normalize_sctp()
2160 r->dst.port[0], r->dst.port[1], sh->dest_port)) in pf_normalize_sctp()
2161 r = r->skip[PF_SKIP_DST_PORT]; in pf_normalize_sctp()
2171 if (rm == NULL || rm->action == PF_NOSCRUB) in pf_normalize_sctp()
2175 pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1); in pf_normalize_sctp()
2176 pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len); in pf_normalize_sctp()
2181 if ((pd->tot_len - pd->off - sizeof(struct sctphdr)) % 4) in pf_normalize_sctp()
2185 if (pd->sctp_flags & PFDESC_SCTP_INIT) in pf_normalize_sctp()
2186 if (pd->sctp_flags & ~PFDESC_SCTP_INIT) in pf_normalize_sctp()
2192 REASON_SET(&reason, PFRES_NORM); in pf_normalize_sctp()
2193 if (rm != NULL && r->log) in pf_normalize_sctp()
2194 PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, in pf_normalize_sctp()
2205 struct ip *h = mtod(pd->m, struct ip *); in pf_scrub()
2207 struct ip6_hdr *h6 = mtod(pd->m, struct ip6_hdr *); in pf_scrub()
2210 /* Clear IP_DF if no-df was requested */ in pf_scrub()
2211 if (pd->af == AF_INET && pd->act.flags & PFSTATE_NODF && in pf_scrub()
2212 h->ip_off & htons(IP_DF)) in pf_scrub()
2214 u_int16_t ip_off = h->ip_off; in pf_scrub()
2216 h->ip_off &= htons(~IP_DF); in pf_scrub()
2217 h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); in pf_scrub()
2221 if (pd->af == AF_INET && pd->act.min_ttl && in pf_scrub()
2222 h->ip_ttl < pd->act.min_ttl) { in pf_scrub()
2223 u_int16_t ip_ttl = h->ip_ttl; in pf_scrub()
2225 h->ip_ttl = pd->act.min_ttl; in pf_scrub()
2226 h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); in pf_scrub()
2230 if (pd->af == AF_INET6 && pd->act.min_ttl && in pf_scrub()
2231 h6->ip6_hlim < pd->act.min_ttl) in pf_scrub()
2232 h6->ip6_hlim = pd->act.min_ttl; in pf_scrub()
2235 if (pd->act.flags & PFSTATE_SETTOS) { in pf_scrub()
2236 switch (pd->af) { in pf_scrub()
2241 h->ip_tos = pd->act.set_tos | (h->ip_tos & IPTOS_ECN_MASK); in pf_scrub()
2244 h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0); in pf_scrub()
2249 h6->ip6_flow &= IPV6_FLOWLABEL_MASK | IPV6_VERSION_MASK; in pf_scrub()
2250 h6->ip6_flow |= htonl((pd->act.set_tos | IPV6_ECN(h6)) << 20); in pf_scrub()
2256 /* random-id, but not for fragments */ in pf_scrub()
2258 if (pd->af == AF_INET && in pf_scrub()
2259 pd->act.flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) { in pf_scrub()
2260 uint16_t ip_id = h->ip_id; in pf_scrub()
2263 h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0); in pf_scrub()