1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2002 - 2008 Henning Brauer 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * - Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * - Redistributions in binary form must reproduce the above 15 * copyright notice, this list of conditions and the following 16 * disclaimer in the documentation and/or other materials provided 17 * with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 * 32 * Effort sponsored in part by the Defense Advanced Research Projects 33 * Agency (DARPA) and Air Force Research Laboratory, Air Force 34 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 
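 *
 * $OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_pf.h"
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/lock.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
#include <sys/sysctl.h>

#include <net/if.h>
#include <net/vnet.h>
#include <net/pfvar.h>
#include <net/if_pflog.h>

/*
 * Debug printf gated on the global pf debug level.  'x' is the
 * parenthesised printf argument list.  Wrapped in do { } while (0) so
 * that a use such as "if (c) DPFPRINTF(...); else ..." binds the else
 * to the caller's if rather than to the one inside the macro.
 */
#define DPFPRINTF(n, x)						\
	do {							\
		if (V_pf_status.debug >= (n))			\
			printf x;				\
	} while (0)

static void		 pf_hash(struct pf_addr *, struct pf_addr *,
			    struct pf_poolhashkey *, sa_family_t);
static struct pf_rule	*pf_match_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *,
			    struct pf_addr *, u_int16_t, struct pf_addr *,
			    uint16_t, int, struct pf_anchor_stackframe *);
static int		 pf_get_sport(sa_family_t, uint8_t, struct pf_rule *,
			    struct pf_addr *, uint16_t, struct pf_addr *,
			    uint16_t, struct pf_addr *, uint16_t *, uint16_t,
			    uint16_t, struct pf_src_node **);

/*
 * Three-word mixing step used by pf_hash().  Every argument is evaluated
 * many times, so only pass plain lvalues.
 */
#define mix(a,b,c) \
	do {					\
		a -= b; a -= c; a ^= (c >> 13);	\
		b -= c; b -= a; b ^= (a << 8);	\
		c -= a; c -= b; c ^= (b >> 13);	\
		a -= b; a -= c; a ^= (c >> 12);	\
		b -= c; b -= a; b ^= (a << 16);	\
		c -= a; c -= b; c ^= (b >> 5);	\
		a -= b; a -= c; a ^= (c >> 3);	\
		b -= c; b -= a; b ^= (a << 10);	\
		c -= a; c -= b; c ^= (b >> 15);	\
	} while (0)

/*
 * hash function based on bridge_hash in if_bridge.c
 *
 * Mixes the address words of 'inaddr' with the pool's hash key and writes
 * the result to 'hash'.  The result is a pure function of (inaddr, key),
 * which is what PF_POOL_SRCHASH relies on to map a given source to the
 * same pool member every time.  For AF_INET only hash->addr32[0] is
 * written; for AF_INET6 all four words are.  Any other family leaves
 * 'hash' untouched.
 */
static void
pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
    struct pf_poolhashkey *key, sa_family_t af)
{
	u_int32_t	a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];

	switch (af) {
#ifdef INET
	case AF_INET:
		a += inaddr->addr32[0];
		b += key->key32[1];
		mix(a, b, c);
		hash->addr32[0] = c + key->key32[2];
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		a += inaddr->addr32[0];
		b += inaddr->addr32[2];
		mix(a, b, c);
		hash->addr32[0] = c;
		a += inaddr->addr32[1];
		b += inaddr->addr32[3];
		c += key->key32[1];
		mix(a, b, c);
		hash->addr32[1] = c;
		a += inaddr->addr32[2];
		b += inaddr->addr32[1];
		c += key->key32[2];
		mix(a, b, c);
		hash->addr32[2] = c;
		a += inaddr->addr32[3];
		b += inaddr->addr32[0];
		c += key->key32[3];
		mix(a, b, c);
		hash->addr32[3] = c;
		break;
#endif /* INET6 */
	}
}

/*
 * Walk the active ruleset 'rs_num' (NAT, RDR or BINAT) and return the first
 * non-anchor rule that matches the packet described by 'pd'/'m', stepping
 * into and out of anchors along the way.
 *
 * For an inbound BINAT rule the roles are swapped: the rule's 'dst' is
 * matched against the packet source and the current pool address against
 * the packet destination.
 *
 * Side effects on the packet: if the matched rule carries a tag the
 * packet is tagged, and if it carries an rtableid the mbuf's FIB is set.
 * Both happen before the "no nat"/"no rdr"/"no binat" check below, so the
 * FIB change also applies when NULL is returned for a negated rule.
 *
 * Returns the matching rule, or NULL if nothing matched, if tagging the
 * packet failed, or if the match is a PF_NONAT/PF_NORDR/PF_NOBINAT rule.
 */
static struct pf_rule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
    int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
    struct pf_addr *daddr, uint16_t dport, int rs_num,
    struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule		*r, *rm = NULL;
	struct pf_ruleset	*ruleset = NULL;
	int			 tag = -1;
	int			 rtableid = -1;
	int			 asd = 0;

	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
	while (r && rm == NULL) {
		struct pf_rule_addr	*src = NULL, *dst = NULL;
		struct pf_addr_wrap	*xdst = NULL;

		if (r->action == PF_BINAT && direction == PF_IN) {
			src = &r->dst;
			if (r->rpool.cur != NULL)
				xdst = &r->rpool.cur->addr;
		} else {
			src = &r->src;
			dst = &r->dst;
		}

		r->evaluations++;
		/*
		 * Each failed criterion jumps via the precomputed skip
		 * list to the next rule that differs in that criterion.
		 */
		if (pfi_kif_match(r->kif, kif) == r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != pd->af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != pd->proto)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
		    src->neg, kif, M_GETFIB(m)))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
			    PF_SKIP_DST_ADDR].ptr;
		else if (src->port_op && !pf_match_port(src->port_op,
		    src->port[0], src->port[1], sport))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
			    PF_SKIP_DST_PORT].ptr;
		else if (dst != NULL &&
		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
		    M_GETFIB(m)))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
		    0, NULL, M_GETFIB(m)))
			r = TAILQ_NEXT(r, entries);
		else if (dst != NULL && dst->port_op &&
		    !pf_match_port(dst->port_op, dst->port[0],
		    dst->port[1], dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		else if (r->match_tag && !pf_match_tag(m, r, &tag,
		    pd->pf_mtag ? pd->pf_mtag->tag : 0))
			r = TAILQ_NEXT(r, entries);
		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
		    off, pd->hdr.tcp), r->os_fingerprint)))
			r = TAILQ_NEXT(r, entries);
		else {
			if (r->tag)
				tag = r->tag;
			if (r->rtableid >= 0)
				rtableid = r->rtableid;
			if (r->anchor == NULL) {
				rm = r;
			} else
				pf_step_into_anchor(anchor_stack, &asd,
				    &ruleset, rs_num, &r, NULL, NULL);
		}
		if (r == NULL)
			pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
			    rs_num, &r, NULL, NULL);
	}

	if (tag > 0 && pf_tag_packet(m, pd, tag))
		return (NULL);
	if (rtableid >= 0)
		M_SETFIB(m, rtableid);

	if (rm != NULL && (rm->action == PF_NONAT ||
	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
		return (NULL);
	return (rm);
}

/*
 * Pick a translated source address and port for a NAT rule.
 *
 * 'saddr'/'sport' and 'daddr'/'dport' describe the original flow (ports in
 * network byte order).  The chosen address is written to 'naddr' and the
 * chosen port, in network byte order, to '*nport'.  'low'/'high' bound
 * the proxy port range in host byte order; for ICMP the range is forced
 * to 1..65535.  A 0/0 range, or a protocol other than TCP/UDP/ICMP, keeps
 * the original port.
 *
 * A candidate is accepted when pf_find_state_all() finds no existing state
 * for (daddr, dport) <-> (naddr, port).  The search starts at a random
 * point of the range, walks upward to 'high', then downward from the start
 * to 'low'.  When the range is exhausted for the current address, random
 * and round-robin pools move to the next pool address via pf_map_addr()
 * until the first address chosen ('init_addr') comes around again; the
 * other pool types give up immediately.
 *
 * '*sn' is passed through to pf_map_addr().
 *
 * Returns 0 on success, 1 if pf_map_addr() failed or no free pair exists.
 */
static int
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
    struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,
    uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,
    uint16_t high, struct pf_src_node **sn)
{
	struct pf_state_key_cmp	key;
	struct pf_addr		init_addr;

	/* A zeroed init_addr tells pf_map_addr() to record its first pick. */
	bzero(&init_addr, sizeof(init_addr));
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
		return (1);

	if (proto == IPPROTO_ICMP) {
		low = 1;
		high = 65535;
	}

	bzero(&key, sizeof(key));
	key.af = af;
	key.proto = proto;
	key.port[0] = dport;
	PF_ACPY(&key.addr[0], daddr, key.af);

	do {
		PF_ACPY(&key.addr[1], naddr, key.af);

		/*
		 * port search; start random, step;
		 * similar 2 portloop in in_pcbbind
		 */
		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
		    proto == IPPROTO_ICMP) || (low == 0 && high == 0)) {
			/*
			 * XXX bug: icmp states don't use the id on both sides.
			 * (traceroute -I through nat)
			 */
			key.port[1] = sport;
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = sport;
				return (0);
			}
		} else if (low == high) {
			key.port[1] = htons(low);
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = htons(low);
				return (0);
			}
		} else {
			uint32_t tmp;
			uint16_t cut;

			if (low > high) {
				tmp = low;
				low = high;
				high = tmp;
			}
			/* low < high */
			/*
			 * NOTE(review): modulo reduction of a 32-bit random
			 * value leaves a slight bias toward the low end of
			 * the range unless (1 + high - low) is a power of
			 * two; arc4random_uniform() would avoid it.
			 */
			cut = arc4random() % (1 + high - low) + low;
			/* low <= cut <= high */
			for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) {
				key.port[1] = htons(tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
			/*
			 * Downward pass; tmp is 32-bit so 'cut - 1' below
			 * 'low' simply terminates the loop instead of
			 * wrapping inside the 16-bit port space.
			 */
			tmp = cut;
			for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) {
				key.port[1] = htons(tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
		}

		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
		case PF_POOL_RANDOM:
		case PF_POOL_ROUNDROBIN:
			/*
			 * pick a different source address since we're out
			 * of free port choices for the current one.
			 */
			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
				return (1);
			break;
		case PF_POOL_NONE:
		case PF_POOL_SRCHASH:
		case PF_POOL_BITMASK:
		default:
			return (1);
		}
	} while (! PF_AEQ(&init_addr, naddr, af) );
	return (1);					/* none available */
}

/*
 * Select a translation address from rule 'r's pool for source 'saddr' and
 * store it in 'naddr', according to the pool type in rpool->opts
 * (PF_POOL_NONE, BITMASK, RANDOM, SRCHASH or ROUNDROBIN).
 *
 * '*sn': if NULL and the rule is a sticky-address rule, a source node is
 * looked up.  A source node (given or found) with a non-zero route address
 * short-circuits the selection and that address is used.  Otherwise the
 * chosen address is written back into the source node, if any.
 *
 * 'init_addr' may be NULL.  For random and round-robin pools a zeroed
 * 'init_addr' receives the first address chosen, which lets pf_get_sport()
 * detect when it has cycled through the whole pool.
 *
 * Returns 0 with 'naddr' filled in, or 1 when no address could be chosen:
 * a no-route pool, a dynamic interface with no address of this family on
 * a non-round-robin pool, a table on a non-round-robin pool, or a
 * round-robin pool with no member holding an address of this family.
 */
int
pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
    struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
{
	struct pf_pool		*rpool = &r->rpool;
	struct pf_addr		*raddr = NULL, *rmask = NULL;

	/* Try to find a src_node if none was given and this
	   is a sticky-address rule. */
	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE)
		*sn = pf_find_src_node(saddr, r, af, 0);

	/* If a src_node was found or explicitly given and it has a non-zero
	   route address, use this address. A zeroed address is found if the
	   src node was created just a moment ago in pf_create_state and it
	   needs to be filled in with routing decision calculated here. */
	if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
		PF_ACPY(naddr, &(*sn)->raddr, af);
		if (V_pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf_map_addr: src tracking maps ");
			pf_print_host(saddr, 0, af);
			printf(" to ");
			pf_print_host(naddr, 0, af);
			printf("\n");
		}
		return (0);
	}

	/* Find the route using chosen algorithm. Store the found route
	   in src_node if it was given or found. */
	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
		return (1);
	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
		switch (af) {
#ifdef INET
		case AF_INET:
			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
			break;
#endif /* INET */
#ifdef INET6
		case AF_INET6:
			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
			break;
#endif /* INET6 */
		}
	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
			return (1); /* unsupported */
	} else {
		raddr = &rpool->cur->addr.v.a.addr;
		rmask = &rpool->cur->addr.v.a.mask;
	}

	switch (rpool->opts & PF_POOL_TYPEMASK) {
	case PF_POOL_NONE:
		PF_ACPY(naddr, raddr, af);
		break;
	case PF_POOL_BITMASK:
		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
		break;
	case PF_POOL_RANDOM:
		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
			/*
			 * First pick for this flow: reseed the counter.
			 * For IPv6 only the host part under the mask is
			 * randomised, word by word from the low end, stopping
			 * at the first fully-masked word.
			 */
			switch (af) {
#ifdef INET
			case AF_INET:
				rpool->counter.addr32[0] = htonl(arc4random());
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				if (rmask->addr32[3] != 0xffffffff)
					rpool->counter.addr32[3] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[2] != 0xffffffff)
					rpool->counter.addr32[2] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[1] != 0xffffffff)
					rpool->counter.addr32[1] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[0] != 0xffffffff)
					rpool->counter.addr32[0] =
					    htonl(arc4random());
				break;
#endif /* INET6 */
			}
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
			PF_ACPY(init_addr, naddr, af);

		} else {
			/* Subsequent picks step through the pool linearly. */
			PF_AINC(&rpool->counter, af);
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
		}
		break;
	case PF_POOL_SRCHASH:
	    {
		unsigned char hash[16];

		/*
		 * Only the words pf_hash() writes for this family are
		 * consumed by PF_POOLMASK, so the rest may stay uninitialised.
		 */
		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
		break;
	    }
	case PF_POOL_ROUNDROBIN:
	    {
		struct pf_pooladdr *acur = rpool->cur;

		/*
		 * XXXGL: in the round-robin case we need to store
		 * the round-robin machine state in the rule, thus
		 * forwarding thread needs to modify rule.
		 *
		 * This is done w/o locking, because performance is assumed
		 * more important than round-robin precision.
		 *
		 * In the simpliest case we just update the "rpool->cur"
		 * pointer. However, if pool contains tables or dynamic
		 * addresses, then "tblidx" is also used to store machine
		 * state. Since "tblidx" is int, concurrent access to it can't
		 * lead to inconsistence, only to lost of precision.
		 *
		 * Things get worse, if table contains not hosts, but
		 * prefixes. In this case counter also stores machine state,
		 * and for IPv6 address, counter can't be updated atomically.
		 * Probably, using round-robin on a table containing IPv6
		 * prefixes (or even IPv4) would cause a panic.
		 */

		/* First try to continue with the current pool member. */
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			if (!pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
			goto get_addr;

	try_next:
		/*
		 * Advance to the next member, wrapping to the head of the
		 * list; 'acur' marks where we started so a full cycle with
		 * no usable member gives up instead of looping forever.
		 */
		if (TAILQ_NEXT(rpool->cur, entries) == NULL)
			rpool->cur = TAILQ_FIRST(&rpool->list);
		else
			rpool->cur = TAILQ_NEXT(rpool->cur, entries);
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else {
			raddr = &rpool->cur->addr.v.a.addr;
			rmask = &rpool->cur->addr.v.a.mask;
			PF_ACPY(&rpool->counter, raddr, af);
		}

	get_addr:
		PF_ACPY(naddr, &rpool->counter, af);
		if (init_addr != NULL && PF_AZERO(init_addr, af))
			PF_ACPY(init_addr, naddr, af);
		PF_AINC(&rpool->counter, af);
		break;
	    }
	}
	if (*sn != NULL)
		PF_ACPY(&(*sn)->raddr, naddr, af);

	if (V_pf_status.debug >= PF_DEBUG_MISC &&
	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		printf("pf_map_addr: selected address ");
		pf_print_host(naddr, 0, af);
		printf("\n");
	}

	return (0);
}

/*
 * Find the translation rule (NAT, RDR or BINAT) applying to the packet and,
 * when it actually changes something, build the state key pair for it.
 *
 * Outbound packets consult the BINAT then the NAT ruleset; inbound packets
 * the RDR then the BINAT ruleset.  On success the rule is returned, '*skp'
 * holds the untranslated key and '*nkp' the translated one; only side 1
 * (addr[1]/port[1]) of '*nkp' is rewritten here.
 *
 * NULL is returned, with '*skp' and '*nkp' left NULL, when no rule matches,
 * the match is a "no nat"/"no rdr"/"no binat" rule, or key allocation
 * fails.  NULL is also returned, after freeing both keys and clearing
 * '*skp', '*nkp' and '*sn', when the pool yields no address or the
 * translated key turns out identical to the original.
 *
 * Caller must hold the rules read lock and pass '*skp' == '*nkp' == NULL.
 */
struct pf_rule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
    struct pfi_kif *kif, struct pf_src_node **sn,
    struct pf_state_key **skp, struct pf_state_key **nkp,
    struct pf_addr *saddr, struct pf_addr *daddr,
    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule	*r = NULL;
	struct pf_addr	*naddr;
	uint16_t	*nport;

	PF_RULES_RASSERT();
	KASSERT(*skp == NULL, ("*skp not NULL"));
	KASSERT(*nkp == NULL, ("*nkp not NULL"));

	if (direction == PF_OUT) {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_NAT,
			    anchor_stack);
	} else {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_BINAT,
			    anchor_stack);
	}

	if (r == NULL)
		return (NULL);

	switch (r->action) {
	case PF_NONAT:
	case PF_NOBINAT:
	case PF_NORDR:
		return (NULL);
	}

	*skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
	if (*skp == NULL)
		return (NULL);
	*nkp = pf_state_key_clone(*skp);
	if (*nkp == NULL) {
		uma_zfree(V_pf_state_key_z, *skp);
		*skp = NULL;
		return (NULL);
	}

	/* XXX We only modify one side for now. */
	naddr = &(*nkp)->addr[1];
	nport = &(*nkp)->port[1];

	switch (r->action) {
	case PF_NAT:
		if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr,
		    dport, naddr, nport, r->rpool.proxy_port[0],
		    r->rpool.proxy_port[1], sn)) {
			DPFPRINTF(PF_DEBUG_MISC,
			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
			goto notrans;
		}
		break;
	case PF_BINAT:
		/*
		 * BINAT is a static 1:1 mapping: outbound rewrites the
		 * source under the pool mask, inbound rewrites the
		 * destination back under the rule's source mask.
		 */
		switch (direction) {
		case PF_OUT:
			if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr4,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask4, saddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr6,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask6, saddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr,
				    &r->rpool.cur->addr.v.a.addr,
				    &r->rpool.cur->addr.v.a.mask, saddr,
				    pd->af);
			break;
		case PF_IN:
			if (r->src.addr.type == PF_ADDR_DYNIFTL) {
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->src.addr.p.dyn->pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr4,
					    &r->src.addr.p.dyn->pfid_mask4,
					    daddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->src.addr.p.dyn->pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr6,
					    &r->src.addr.p.dyn->pfid_mask6,
					    daddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,
				    &r->src.addr.v.a.mask, daddr, pd->af);
			break;
		}
		break;
	case PF_RDR: {
		if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
			goto notrans;
		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,
			    daddr, pd->af);

		if (r->rpool.proxy_port[1]) {
			uint32_t tmp_nport;

			/*
			 * Map the original destination port onto the proxy
			 * port range, relative to the rule's first dst port.
			 * NOTE(review): the subtraction is evaluated in int,
			 * so a dport below r->dst.port[0] gives a negative
			 * remainder, and proxy_port[1] < proxy_port[0] would
			 * divide by zero; presumably both are rejected when
			 * the rule is loaded -- confirm.
			 */
			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %
			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +
			    1)) + r->rpool.proxy_port[0];

			/* Wrap around if necessary. */
			if (tmp_nport > 65535)
				tmp_nport -= 65535;
			*nport = htons((uint16_t)tmp_nport);
		} else if (r->rpool.proxy_port[0])
			*nport = htons(r->rpool.proxy_port[0]);
		break;
	}
	default:
		panic("%s: unknown action %u", __func__, r->action);
	}

	/* Return success only if translation really happened. */
	if (bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp)))
		return (r);

notrans:
	uma_zfree(V_pf_state_key_z, *nkp);
	uma_zfree(V_pf_state_key_z, *skp);
	*skp = *nkp = NULL;
	/*
	 * NOTE(review): a source node looked up by pf_map_addr() is simply
	 * forgotten here; this assumes pf_find_src_node() hands out no
	 * reference that would need releasing -- confirm.
	 */
	*sn = NULL;

	return (NULL);
}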