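/*	$OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002 - 2008 Henning Brauer
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Effort sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
 *
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_pf.h"
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/socket.h>
#include <sys/sysctl.h>

#include <net/if.h>
#include <net/pfvar.h>
#include <net/if_pflog.h>
#include <net/pf_mtag.h>

/*
 * Debug printf gated on the global pf debug level.  Wrapped in
 * do { } while (0) so the macro is a single statement and cannot capture
 * a following 'else'.
 */
#define DPFPRINTF(n, x)							\
	do {								\
		if (V_pf_status.debug >= (n))				\
			printf x;					\
	} while (0)

static void		 pf_hash(struct pf_addr *, struct pf_addr *,
			    struct pf_poolhashkey *, sa_family_t);
static struct pf_rule	*pf_match_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *,
			    struct pf_addr *, u_int16_t, struct pf_addr *,
			    u_int16_t, int);
static int		 pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
			    struct pf_addr *, struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
			    struct pf_src_node **);

/*
 * Three-word mixing step (the shift/subtract pattern of Bob Jenkins'
 * lookup2 hash).  Only ever invoked on plain u_int32_t lvalues a, b, c.
 */
#define mix(a,b,c) \
	do {					\
		a -= b; a -= c; a ^= (c >> 13);	\
		b -= c; b -= a; b ^= (a << 8);	\
		c -= a; c -= b; c ^= (b >> 13);	\
		a -= b; a -= c; a ^= (c >> 12);	\
		b -= c; b -= a; b ^= (a << 16);	\
		c -= a; c -= b; c ^= (b >> 5);	\
		a -= b; a -= c; a ^= (c >> 3);	\
		b -= c; b -= a; b ^= (a << 10);	\
		c -= a; c -= b; c ^= (b >> 15);	\
	} while (0)

/*
 * Hash function based on bridge_hash in if_bridge.c.
 *
 * Mixes the address words of 'inaddr' with the pool hash key 'key' so the
 * resulting value depends on both; used by PF_POOL_SRCHASH to pick a pool
 * member for a given source address.
 *
 * inaddr: address to hash; only the words valid for 'af' are read.
 * hash:   receives the result: addr32[0] for AF_INET, addr32[0..3] for
 *         AF_INET6.  Words not produced for the family are left untouched.
 * key:    per-pool key folded into every output word.
 * af:     selects the IPv4 or IPv6 path; any other family falls out of the
 *         switch and leaves 'hash' unchanged.
 */
static void
pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
    struct pf_poolhashkey *key, sa_family_t af)
{
	u_int32_t	a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];

	switch (af) {
#ifdef INET
	case AF_INET:
		a += inaddr->addr32[0];
		b += key->key32[1];
		mix(a, b, c);
		hash->addr32[0] = c + key->key32[2];
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		a += inaddr->addr32[0];
		b += inaddr->addr32[2];
		mix(a, b, c);
		hash->addr32[0] = c;
		a += inaddr->addr32[1];
		b += inaddr->addr32[3];
		c += key->key32[1];
		mix(a, b, c);
		hash->addr32[1] = c;
		a += inaddr->addr32[2];
		b += inaddr->addr32[1];
		c += key->key32[2];
		mix(a, b, c);
		hash->addr32[2] = c;
		a += inaddr->addr32[3];
		b += inaddr->addr32[0];
		c += key->key32[3];
		mix(a, b, c);
		hash->addr32[3] = c;
		break;
#endif /* INET6 */
	}
}

/*
 * Walk the active ruleset 'rs_num' (NAT, RDR or BINAT) and return the first
 * rule that matches the packet described by 'pd'/'m'.  Anchors are entered
 * and left via pf_step_into_anchor()/pf_step_out_of_anchor().
 *
 * Inbound BINAT rules are matched in reverse: the rule's 'dst' is tested
 * against the packet source and the redirect pool address (if the pool has
 * one) against the packet destination.
 *
 * Side effects: every rule visited has its 'evaluations' counter bumped;
 * when a match carries a tag the packet is tagged (a failing pf_tag_packet()
 * turns the lookup into a miss), and when it carries an rtableid the mbuf's
 * FIB is set to it.
 *
 * Returns the matching rule, or NULL when nothing matched, tagging failed,
 * or the match is a "no nat"/"no rdr"/"no binat" rule.
 */
static struct pf_rule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
    int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
    struct pf_addr *daddr, u_int16_t dport, int rs_num)
{
	struct pf_rule		*r, *rm = NULL;
	struct pf_ruleset	*ruleset = NULL;
	int			 tag = -1;
	int			 rtableid = -1;
	int			 asd = 0;

	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
	while (r && rm == NULL) {
		struct pf_rule_addr	*src = NULL, *dst = NULL;
		struct pf_addr_wrap	*xdst = NULL;

		if (r->action == PF_BINAT && direction == PF_IN) {
			src = &r->dst;
			if (r->rpool.cur != NULL)
				xdst = &r->rpool.cur->addr;
		} else {
			src = &r->src;
			dst = &r->dst;
		}

		r->evaluations++;
		if (pfi_kif_match(r->kif, kif) == r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != pd->af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != pd->proto)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
		    src->neg, kif, M_GETFIB(m)))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
			    PF_SKIP_DST_ADDR].ptr;
		else if (src->port_op && !pf_match_port(src->port_op,
		    src->port[0], src->port[1], sport))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
			    PF_SKIP_DST_PORT].ptr;
		else if (dst != NULL &&
		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
		    M_GETFIB(m)))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
		    0, NULL, M_GETFIB(m)))
			r = TAILQ_NEXT(r, entries);
		else if (dst != NULL && dst->port_op &&
		    !pf_match_port(dst->port_op, dst->port[0],
		    dst->port[1], dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		else if (r->match_tag && !pf_match_tag(m, r, &tag,
		    pd->pf_mtag ? pd->pf_mtag->tag : 0))
			r = TAILQ_NEXT(r, entries);
		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
		    off, pd->hdr.tcp), r->os_fingerprint)))
			r = TAILQ_NEXT(r, entries);
		else {
			/* Full match: remember tag/rtable, descend or stop. */
			if (r->tag)
				tag = r->tag;
			if (r->rtableid >= 0)
				rtableid = r->rtableid;
			if (r->anchor == NULL) {
				rm = r;
			} else
				pf_step_into_anchor(&asd, &ruleset, rs_num,
				    &r, NULL, NULL);
		}
		/* End of an anchor's ruleset: resume in the parent. */
		if (r == NULL)
			pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r,
			    NULL, NULL);
	}

	if (tag > 0 && pf_tag_packet(m, pd, tag))
		return (NULL);
	if (rtableid >= 0)
		M_SETFIB(m, rtableid);

	/* "no nat"/"no rdr"/"no binat" terminates the search with no rule. */
	if (rm != NULL && (rm->action == PF_NONAT ||
	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
		return (NULL);
	return (rm);
}

/*
 * Pick the translated source address and port for a NAT rule.
 *
 * On success 'naddr' holds the address selected by pf_map_addr() and, for
 * TCP/UDP/ICMP, '*nport' the selected port in network byte order.  The
 * (naddr, *nport, daddr, dport) tuple is checked against the state table
 * with pf_find_state_all() so it does not collide with an existing state.
 *
 * 'low'..'high' is the rule's proxy port range in host byte order.
 * low == high == 0 keeps whatever '*nport' already holds (only the
 * collision check is done); low == high pins a single port.  ICMP ignores
 * the range and searches 1..65535.  Other protocols carry no port: 'dport'
 * is used as the near-side key and '*nport' is left alone.
 *
 * The port search starts at a random point in the range and walks upward,
 * then downward (similar to the port loop in in_pcbbind()).  If every port
 * on the current address is busy and the pool is random or round-robin, the
 * next pool address is tried until the pool wraps back to the first address
 * that was handed out ('init_addr').
 *
 * Returns 0 on success, 1 if no address/port could be allocated.
 */
static int
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
    struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
    struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
    struct pf_src_node **sn)
{
	struct pf_state_key_cmp	key;
	struct pf_addr		init_addr;
	u_int16_t		cut;

	bzero(&init_addr, sizeof(init_addr));
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
		return (1);

	if (proto == IPPROTO_ICMP) {
		low = 1;
		high = 65535;
	}

	do {
		key.af = af;
		key.proto = proto;
		PF_ACPY(&key.addr[1], daddr, key.af);
		PF_ACPY(&key.addr[0], naddr, key.af);
		key.port[1] = dport;

		/*
		 * port search; start random, step;
		 * similar 2 portloop in in_pcbbind
		 */
		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
		    proto == IPPROTO_ICMP)) {
			key.port[0] = dport;
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL)
				return (0);
		} else if (low == 0 && high == 0) {
			key.port[0] = *nport;
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL)
				return (0);
		} else if (low == high) {
			key.port[0] = htons(low);
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = htons(low);
				return (0);
			}
		} else {
			uint32_t tmp;

			if (low > high) {
				u_int16_t swap = low;

				low = high;
				high = swap;
			}
			/* low < high */
			cut = htonl(arc4random()) % (1 + high - low) + low;
			/* low <= cut <= high */

			/*
			 * 'tmp' is wider than a port on purpose.  With a
			 * 16-bit counter the upward scan wraps from 65535 to
			 * 0 (and the downward one from 0 to 65535), which
			 * either hands out a port outside [low, high] or
			 * never terminates when every port in range is in
			 * use.  The 'tmp <= 0xffff' bound stops both scans
			 * at the edge of the port space instead.
			 */
			for (tmp = cut; tmp <= high && tmp <= 0xffff; ++(tmp)) {
				key.port[0] = htons(tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
			/* cut == 0 makes tmp wrap past 0xffff: loop skipped. */
			for (tmp = cut - 1; tmp >= low && tmp <= 0xffff;
			    --(tmp)) {
				key.port[0] = htons(tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
		}

		/* No free port on this address: advance the pool if we can. */
		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
		case PF_POOL_RANDOM:
		case PF_POOL_ROUNDROBIN:
			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
				return (1);
			break;
		case PF_POOL_NONE:
		case PF_POOL_SRCHASH:
		case PF_POOL_BITMASK:
		default:
			return (1);
		}
	} while (! PF_AEQ(&init_addr, naddr, af) );

	return (1);					/* none available */
}

/*
 * Select a translation address from the rule's pool.
 *
 * The choice depends on the pool type: PF_POOL_NONE takes the pool address
 * as is; BITMASK merges pool address/mask with 'saddr'; RANDOM draws a random
 * host part (seeded once per search, see 'init_addr'); SRCHASH hashes 'saddr'
 * with the pool key; ROUNDROBIN steps through the pool members (plain
 * addresses, tables and dynamic interface addresses) on every call.
 *
 * Sticky-address source tracking: when the rule requests it and '*sn' is
 * still NULL, an existing source node for 'saddr' with a recorded address
 * short-circuits the selection and reuses that address.  Otherwise, once an
 * address has been selected it is stored into '*sn' (if set) for later
 * packets from the same source.
 *
 * 'init_addr', when non-NULL and all-zero, receives the first address
 * produced so the caller can tell when the pool has been cycled completely.
 *
 * Returns 0 on success with 'naddr' filled in, 1 when no address can be
 * produced: a "no-route" pool, a dynamic interface without an address of
 * family 'af' (non round-robin), a table with a pool type other than
 * round-robin, or a round-robin pool whose tables hold no 'af' address.
 *
 * rpool->cur is dereferenced without a NULL check; callers must only pass
 * rules whose pool is populated.
 */
int
pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
    struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
{
	struct pf_pool		*rpool = &r->rpool;
	struct pf_addr		*raddr = NULL, *rmask = NULL;

	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		*sn = pf_find_src_node(saddr, r, af, 0);
		if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
			PF_ACPY(naddr, &(*sn)->raddr, af);
			if (V_pf_status.debug >= PF_DEBUG_MISC) {
				printf("pf_map_addr: src tracking maps ");
				pf_print_host(saddr, 0, af);
				printf(" to ");
				pf_print_host(naddr, 0, af);
				printf("\n");
			}
			return (0);
		}
	}

	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
		return (1);
	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
		switch (af) {
#ifdef INET
		case AF_INET:
			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
			break;
#endif /* INET */
#ifdef INET6
		case AF_INET6:
			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
			break;
#endif /* INET6 */
		}
	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
			return (1); /* unsupported */
	} else {
		raddr = &rpool->cur->addr.v.a.addr;
		rmask = &rpool->cur->addr.v.a.mask;
	}

	switch (rpool->opts & PF_POOL_TYPEMASK) {
	case PF_POOL_NONE:
		PF_ACPY(naddr, raddr, af);
		break;
	case PF_POOL_BITMASK:
		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
		break;
	case PF_POOL_RANDOM:
		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
			/*
			 * First pick of this search: draw a fresh random
			 * host part.  For IPv6 only the words not fully
			 * covered by the mask are randomized, stopping at
			 * the first all-ones word.
			 */
			switch (af) {
#ifdef INET
			case AF_INET:
				rpool->counter.addr32[0] = htonl(arc4random());
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				if (rmask->addr32[3] != 0xffffffff)
					rpool->counter.addr32[3] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[2] != 0xffffffff)
					rpool->counter.addr32[2] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[1] != 0xffffffff)
					rpool->counter.addr32[1] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[0] != 0xffffffff)
					rpool->counter.addr32[0] =
					    htonl(arc4random());
				break;
#endif /* INET6 */
			}
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
			PF_ACPY(init_addr, naddr, af);

		} else {
			/* Subsequent picks walk linearly from the seed. */
			PF_AINC(&rpool->counter, af);
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
		}
		break;
	case PF_POOL_SRCHASH:
	    {
		/*
		 * A real pf_addr rather than a byte array so the 32-bit
		 * stores in pf_hash() are properly aligned and not done
		 * through a type-punned pointer.
		 */
		struct pf_addr	hash;

		pf_hash(saddr, &hash, &rpool->key, af);
		PF_POOLMASK(naddr, raddr, rmask, &hash, af);
		break;
	    }
	case PF_POOL_ROUNDROBIN:
	    {
		struct pf_pooladdr *acur = rpool->cur;

		/*
		 * XXXGL: in the round-robin case we need to store
		 * the round-robin machine state in the rule, thus
		 * the forwarding thread needs to modify the rule.
		 *
		 * This is done w/o locking, because performance is assumed
		 * more important than round-robin precision.
		 *
		 * In the simplest case we just update the "rpool->cur"
		 * pointer. However, if the pool contains tables or dynamic
		 * addresses, then "tblidx" is also used to store machine
		 * state. Since "tblidx" is an int, concurrent access to it
		 * can't lead to inconsistency, only to loss of precision.
		 *
		 * Things get worse if a table contains not hosts, but
		 * prefixes. In this case the counter also stores machine
		 * state, and for an IPv6 address the counter can't be
		 * updated atomically. Probably, using round-robin on a table
		 * containing IPv6 prefixes (or even IPv4) would cause a
		 * panic.
		 */

		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			if (!pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
			goto get_addr;

	try_next:
		/* Current member exhausted: move on, wrapping at the end. */
		if (TAILQ_NEXT(rpool->cur, entries) == NULL)
			rpool->cur = TAILQ_FIRST(&rpool->list);
		else
			rpool->cur = TAILQ_NEXT(rpool->cur, entries);
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else {
			raddr = &rpool->cur->addr.v.a.addr;
			rmask = &rpool->cur->addr.v.a.mask;
			PF_ACPY(&rpool->counter, raddr, af);
		}

	get_addr:
		PF_ACPY(naddr, &rpool->counter, af);
		if (init_addr != NULL && PF_AZERO(init_addr, af))
			PF_ACPY(init_addr, naddr, af);
		PF_AINC(&rpool->counter, af);
		break;
	    }
	}
	if (*sn != NULL)
		PF_ACPY(&(*sn)->raddr, naddr, af);

	if (V_pf_status.debug >= PF_DEBUG_MISC &&
	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		printf("pf_map_addr: selected address ");
		pf_print_host(naddr, 0, af);
		printf("\n");
	}

	return (0);
}

/*
 * Find the NAT/RDR/BINAT rule that applies to the packet and build the
 * translated state key.
 *
 * Rulesets are consulted in order: outbound packets try BINAT then NAT,
 * inbound packets RDR then BINAT.  A "no nat"/"no rdr"/"no binat" match
 * yields NULL.
 *
 * On success '*skp' is the untranslated state key and '*nkp' a translated
 * copy; ownership of both passes to the caller.  Only the far side
 * (addr[1]/port[1]) of '*nkp' is rewritten for now.  If the rule matches
 * but the translation cannot be carried out (port allocation failed,
 * dynamic interface without an address, pool mapping failed), or the
 * translated key turns out identical to the original, both keys are
 * released, '*skp' and '*nkp' are reset to NULL and NULL is returned.
 *
 * Both '*skp' and '*nkp' must be NULL on entry; the rules read lock must be
 * held.
 */
struct pf_rule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
    struct pfi_kif *kif, struct pf_src_node **sn,
    struct pf_state_key **skp, struct pf_state_key **nkp,
    struct pf_addr *saddr, struct pf_addr *daddr,
    u_int16_t sport, u_int16_t dport)
{
	struct pf_rule	*r = NULL;
	struct pf_addr	*naddr;
	uint16_t	*nport;

	PF_RULES_RASSERT();
	KASSERT(*skp == NULL, ("*skp not NULL"));
	KASSERT(*nkp == NULL, ("*nkp not NULL"));

	if (direction == PF_OUT) {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_BINAT);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_NAT);
	} else {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_RDR);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_BINAT);
	}

	if (r == NULL)
		return (NULL);

	switch (r->action) {
	case PF_NONAT:
	case PF_NOBINAT:
	case PF_NORDR:
		return (NULL);
	default:
		break;
	}

	*skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
	if (*skp == NULL)
		return (NULL);
	*nkp = pf_state_key_clone(*skp);
	if (*nkp == NULL) {
		/*
		 * Release the key object itself (*skp), not the caller's
		 * pointer slot: freeing 'skp' would hand the zone a stack
		 * or struct address and corrupt the allocator.
		 */
		uma_zfree(V_pf_state_key_z, *skp);
		*skp = NULL;
		return (NULL);
	}

	/* XXX We only modify one side for now. */
	naddr = &(*nkp)->addr[1];
	nport = &(*nkp)->port[1];

	switch (r->action) {
	case PF_NAT:
		if (pf_get_sport(pd->af, pd->proto, r, saddr, daddr, dport,
		    naddr, nport, r->rpool.proxy_port[0],
		    r->rpool.proxy_port[1], sn)) {
			DPFPRINTF(PF_DEBUG_MISC,
			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
			goto notrans;
		}
		break;
	case PF_BINAT:
		switch (direction) {
		case PF_OUT:
			if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr4,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask4, saddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr6,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask6, saddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr,
				    &r->rpool.cur->addr.v.a.addr,
				    &r->rpool.cur->addr.v.a.mask, saddr,
				    pd->af);
			break;
		case PF_IN:
			/* Inbound BINAT maps back through the rule's src. */
			if (r->src.addr.type == PF_ADDR_DYNIFTL) {
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->src.addr.p.dyn-> pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr4,
					    &r->src.addr.p.dyn->pfid_mask4,
					    daddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->src.addr.p.dyn->pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr6,
					    &r->src.addr.p.dyn->pfid_mask6,
					    daddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,
				    &r->src.addr.v.a.mask, daddr, pd->af);
			break;
		}
		break;
	case PF_RDR: {
		if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
			goto notrans;
		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,
			    daddr, pd->af);

		if (r->rpool.proxy_port[1]) {
			uint32_t tmp_nport;

			/*
			 * Port range redirect: map the offset of dport
			 * within the rule's dst port range onto the proxy
			 * port range.
			 */
			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %
			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +
			    1)) + r->rpool.proxy_port[0];

			/* Wrap around if necessary. */
			if (tmp_nport > 65535)
				tmp_nport -= 65535;
			*nport = htons((uint16_t)tmp_nport);
		} else if (r->rpool.proxy_port[0])
			*nport = htons(r->rpool.proxy_port[0]);
		break;
	}
	default:
		panic("%s: unknown action %u", __func__, r->action);
	}

	/* Return success only if translation really happened. */
	if (bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp)))
		return (r);

notrans:
	uma_zfree(V_pf_state_key_z, *nkp);
	uma_zfree(V_pf_state_key_z, *skp);
	*skp = *nkp = NULL;

	return (NULL);
}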