/*-
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002 - 2008 Henning Brauer
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Effort sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
 *
 *	$OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $
 */

/*
 * pf load balancing / translation: rule matching for NAT, BINAT and RDR,
 * pool address selection (pf_map_addr) and NAT source port allocation
 * (pf_get_sport).
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_pf.h"
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/lock.h>
#include <sys/mbuf.h>
#include <sys/rwlock.h>
#include <sys/socket.h>
#include <sys/sysctl.h>

#include <net/if.h>
#include <net/vnet.h>
#include <net/pfvar.h>
#include <net/if_pflog.h>

/*
 * Debug print gated on the pf debug level.  Note that this expands to an
 * unbraced "if", so a use of it must not be the sole body of an if/else
 * without its own braces (dangling-else hazard).
 */
#define DPFPRINTF(n, x)	if (V_pf_status.debug >= (n)) printf x

static void		 pf_hash(struct pf_addr *, struct pf_addr *,
			    struct pf_poolhashkey *, sa_family_t);
static struct pf_rule	*pf_match_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *,
			    struct pf_addr *, u_int16_t, struct pf_addr *,
			    uint16_t, int, struct pf_anchor_stackframe *);
static int		 pf_get_sport(sa_family_t, uint8_t, struct pf_rule *,
			    struct pf_addr *, uint16_t, struct pf_addr *, uint16_t, struct pf_addr *,
			    uint16_t *, uint16_t, uint16_t, struct pf_src_node **);

/*
 * One mixing round of the Jenkins-style hash used by pf_hash(); all three
 * operands are modified in place.  Arguments are evaluated more than once,
 * so only pass plain lvalues.
 */
#define mix(a,b,c) \
	do {					\
		a -= b; a -= c; a ^= (c >> 13);	\
		b -= c; b -= a; b ^= (a << 8);	\
		c -= a; c -= b; c ^= (b >> 13);	\
		a -= b; a -= c; a ^= (c >> 12);	\
		b -= c; b -= a; b ^= (a << 16);	\
		c -= a; c -= b; c ^= (b >> 5);	\
		a -= b; a -= c; a ^= (c >> 3);	\
		b -= c; b -= a; b ^= (a << 10);	\
		c -= a; c -= b; c ^= (b >> 15);	\
	} while (0)

/*
 * hash function based on bridge_hash in if_bridge.c
 *
 * Keyed hash of an address, used for source-hash pools.  For AF_INET only
 * hash->addr32[0] is written; for AF_INET6 all four words are written.
 * Other address families leave *hash untouched.  The key material comes
 * from the pool's pf_poolhashkey, so the mapping is stable for a given
 * key but not predictable without it.
 */
static void
pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
    struct pf_poolhashkey *key, sa_family_t af)
{
	u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];

	switch (af) {
#ifdef INET
	case AF_INET:
		a += inaddr->addr32[0];
		b += key->key32[1];
		mix(a, b, c);
		hash->addr32[0] = c + key->key32[2];
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		/* Four chained rounds, each folding in one more key word. */
		a += inaddr->addr32[0];
		b += inaddr->addr32[2];
		mix(a, b, c);
		hash->addr32[0] = c;
		a += inaddr->addr32[1];
		b += inaddr->addr32[3];
		c += key->key32[1];
		mix(a, b, c);
		hash->addr32[1] = c;
		a += inaddr->addr32[2];
		b += inaddr->addr32[1];
		c += key->key32[2];
		mix(a, b, c);
		hash->addr32[2] = c;
		a += inaddr->addr32[3];
		b += inaddr->addr32[0];
		c += key->key32[3];
		mix(a, b, c);
		hash->addr32[3] = c;
		break;
#endif /* INET6 */
	}
}

/*
 * Walk the active rules of ruleset rs_num (one of the translation
 * rulesets) and return the first rule that matches the packet described
 * by pd/m, descending into anchors as needed.
 *
 * For a PF_BINAT rule evaluated inbound the rule is matched "backwards":
 * the rule's dst is compared with the packet's source and the pool's
 * current address with the packet's destination.
 *
 * Side effects: each visited rule's evaluation counter is incremented;
 * if a matching rule carries a tag the packet is tagged, and if it sets
 * an rtableid the mbuf FIB is updated.
 *
 * Returns NULL when no rule matches, when tagging the packet fails, or
 * when the matching rule is a "no nat"/"no rdr"/"no binat" rule.
 */
static struct pf_rule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
    int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
    struct pf_addr *daddr, uint16_t dport, int rs_num,
    struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule		*r, *rm = NULL;
	struct pf_ruleset	*ruleset = NULL;
	int			 tag = -1;
	int			 rtableid = -1;
	int			 asd = 0;

	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
	while (r && rm == NULL) {
		struct pf_rule_addr	*src = NULL, *dst = NULL;
		struct pf_addr_wrap	*xdst = NULL;

		if (r->action == PF_BINAT && direction == PF_IN) {
			/* Inbound binat: rule dst is the packet source. */
			src = &r->dst;
			if (r->rpool.cur != NULL)
				xdst = &r->rpool.cur->addr;
		} else {
			src = &r->src;
			dst = &r->dst;
		}

		r->evaluations++;
		/*
		 * Each mismatch jumps via the precomputed skip steps where
		 * one exists; the remaining checks fall back to the next
		 * rule in the list.
		 */
		if (pfi_kif_match(r->kif, kif) == r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != pd->af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != pd->proto)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
		    src->neg, kif, M_GETFIB(m)))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
			    PF_SKIP_DST_ADDR].ptr;
		else if (src->port_op && !pf_match_port(src->port_op,
		    src->port[0], src->port[1], sport))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
			    PF_SKIP_DST_PORT].ptr;
		else if (dst != NULL &&
		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
		    M_GETFIB(m)))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
		    0, NULL, M_GETFIB(m)))
			r = TAILQ_NEXT(r, entries);
		else if (dst != NULL && dst->port_op &&
		    !pf_match_port(dst->port_op, dst->port[0],
		    dst->port[1], dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		else if (r->match_tag && !pf_match_tag(m, r, &tag,
		    pd->pf_mtag ? pd->pf_mtag->tag : 0))
			r = TAILQ_NEXT(r, entries);
		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
		    off, pd->hdr.tcp), r->os_fingerprint)))
			r = TAILQ_NEXT(r, entries);
		else {
			/* Rule matched: remember tag/rtableid, then either
			 * accept it or descend into its anchor. */
			if (r->tag)
				tag = r->tag;
			if (r->rtableid >= 0)
				rtableid = r->rtableid;
			if (r->anchor == NULL) {
				rm = r;
			} else
				pf_step_into_anchor(anchor_stack, &asd,
				    &ruleset, rs_num, &r, NULL, NULL);
		}
		if (r == NULL)
			pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
			    rs_num, &r, NULL, NULL);
	}

	if (tag > 0 && pf_tag_packet(m, pd, tag))
		return (NULL);
	if (rtableid >= 0)
		M_SETFIB(m, rtableid);

	if (rm != NULL && (rm->action == PF_NONAT ||
	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
		return (NULL);
	return (rm);
}

/*
 * Pick a translated source address (*naddr) and port (*nport) for a NAT
 * rule so that the resulting state key does not collide with an
 * existing state.
 *
 * The port search starts at a random point in [low, high] (so allocated
 * NAT ports are not sequential), walks upward to high and then downward
 * to low.  For ICMP the range is forced to 1..65535.  For protocols
 * other than TCP/UDP/ICMP, or when both low and high are 0, the original
 * source port is kept and only checked for a collision.
 *
 * When no port is free on the current address and the pool is of type
 * random or round-robin, another pool address is chosen with
 * pf_map_addr() and the search repeats until the address selection
 * wraps back to the first one (init_addr).
 *
 * Returns 0 on success (with *naddr and *nport set, *nport in network
 * byte order) and 1 when no address/port combination is available or
 * pf_map_addr() fails.
 */
static int
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
    struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,
    uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,
    uint16_t high, struct pf_src_node **sn)
{
	struct pf_state_key_cmp	key;
	struct pf_addr		init_addr;

	bzero(&init_addr, sizeof(init_addr));
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
		return (1);

	if (proto == IPPROTO_ICMP) {
		low = 1;
		high = 65535;
	}

	/* Lookup key: the reply direction, daddr/dport fixed, naddr/nport
	 * filled in per candidate below. */
	bzero(&key, sizeof(key));
	key.af = af;
	key.proto = proto;
	key.port[0] = dport;
	PF_ACPY(&key.addr[0], daddr, key.af);

	do {
		PF_ACPY(&key.addr[1], naddr, key.af);

		/*
		 * port search; start random, step;
		 * similar 2 portloop in in_pcbbind
		 */
		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
		    proto == IPPROTO_ICMP) || (low == 0 && high == 0)) {
			/*
			 * XXX bug: icmp states don't use the id on both sides.
			 * (traceroute -I through nat)
			 */
			key.port[1] = sport;
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = sport;
				return (0);
			}
		} else if (low == high) {
			key.port[1] = htons(low);
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = htons(low);
				return (0);
			}
		} else {
			uint32_t tmp;
			uint16_t cut;

			if (low > high) {
				tmp = low;
				low = high;
				high = tmp;
			}
			/* low < high */
			cut = arc4random() % (1 + high - low) + low;
			/* low <= cut <= high */
			for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) {
				key.port[1] = htons(tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
			/*
			 * Now walk downward from cut - 1.  tmp is unsigned,
			 * so decrementing past 0 wraps and the "tmp <= 0xffff"
			 * test terminates the loop.
			 */
			tmp = cut;
			for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) {
				key.port[1] = htons(tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons(tmp);
					return (0);
				}
			}
		}

		/* No free port on this address: try another one if the
		 * pool type allows it. */
		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
		case PF_POOL_RANDOM:
		case PF_POOL_ROUNDROBIN:
			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
				return (1);
			break;
		case PF_POOL_NONE:
		case PF_POOL_SRCHASH:
		case PF_POOL_BITMASK:
		default:
			return (1);
		}
	} while (!PF_AEQ(&init_addr, naddr, af));
	return (1);					/* none available */
}

/*
 * Select the translation address *naddr for rule r according to the
 * pool type (none, bitmask, random, source-hash, round-robin).
 *
 * If a source node is given in *sn, or found for a sticky-address rule,
 * and it already records a route address, that address is reused and
 * no pool algorithm runs.  Otherwise the chosen address is stored back
 * into the source node, if any.
 *
 * init_addr (may be NULL) records the first address handed out; the
 * random and round-robin cases fill it in when it is still zero so that
 * pf_get_sport() can detect when it has cycled through the pool.
 *
 * Round-robin and random pools mutate rpool->cur, rpool->counter and
 * rpool->tblidx (see the XXXGL note below).
 *
 * Returns 0 on success and 1 when no usable address exists for af
 * (no-route pool, empty dynamic interface list, unsupported table pool
 * type, or a table with no address of this family).
 */
int
pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
    struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
{
	struct pf_pool		*rpool = &r->rpool;
	struct pf_addr		*raddr = NULL, *rmask = NULL;

	/* Try to find a src_node if none was given and this
	   is a sticky-address rule. */
	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE)
		*sn = pf_find_src_node(saddr, r, af, 0);

	/* If a src_node was found or explicitly given and it has a non-zero
	   route address, use this address. A zeroed address is found if the
	   src node was created just a moment ago in pf_create_state and it
	   needs to be filled in with routing decision calculated here. */
	if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
		PF_ACPY(naddr, &(*sn)->raddr, af);
		if (V_pf_status.debug >= PF_DEBUG_MISC) {
			printf("pf_map_addr: src tracking maps ");
			pf_print_host(saddr, 0, af);
			printf(" to ");
			pf_print_host(naddr, 0, af);
			printf("\n");
		}
		return (0);
	}

	/* Find the route using chosen algorithm. Store the found route
	   in src_node if it was given or found. */
	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
		return (1);
	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
		switch (af) {
#ifdef INET
		case AF_INET:
			/* An empty interface address list is fatal unless
			 * round-robin can move on to another pool entry. */
			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
			break;
#endif /* INET */
#ifdef INET6
		case AF_INET6:
			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
			break;
#endif /* INET6 */
		}
	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
			return (1); /* unsupported */
	} else {
		raddr = &rpool->cur->addr.v.a.addr;
		rmask = &rpool->cur->addr.v.a.mask;
	}

	switch (rpool->opts & PF_POOL_TYPEMASK) {
	case PF_POOL_NONE:
		PF_ACPY(naddr, raddr, af);
		break;
	case PF_POOL_BITMASK:
		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
		break;
	case PF_POOL_RANDOM:
		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
			/*
			 * First pick: seed the counter randomly.  For IPv6
			 * only the words not fully fixed by the mask are
			 * randomized, stopping at the first all-ones word
			 * (the "else break" chain).
			 */
			switch (af) {
#ifdef INET
			case AF_INET:
				rpool->counter.addr32[0] = htonl(arc4random());
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				if (rmask->addr32[3] != 0xffffffff)
					rpool->counter.addr32[3] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[2] != 0xffffffff)
					rpool->counter.addr32[2] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[1] != 0xffffffff)
					rpool->counter.addr32[1] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[0] != 0xffffffff)
					rpool->counter.addr32[0] =
					    htonl(arc4random());
				break;
#endif /* INET6 */
			}
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
			PF_ACPY(init_addr, naddr, af);

		} else {
			/* Subsequent picks step the counter sequentially. */
			PF_AINC(&rpool->counter, af);
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
		}
		break;
	case PF_POOL_SRCHASH:
	    {
		unsigned char hash[16];

		/*
		 * 16 bytes matches the size of struct pf_addr; the cast
		 * assumes the stack buffer is suitably aligned for it.
		 * NOTE(review): consider declaring a struct pf_addr instead
		 * of casting — confirm nothing depends on the byte array.
		 */
		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
		break;
	    }
	case PF_POOL_ROUNDROBIN:
	    {
		struct pf_pooladdr *acur = rpool->cur;

		/*
		 * XXXGL: in the round-robin case we need to store
		 * the round-robin machine state in the rule, thus
		 * forwarding thread needs to modify rule.
		 *
		 * This is done w/o locking, because performance is assumed
		 * more important than round-robin precision.
		 *
		 * In the simplest case we just update the "rpool->cur"
		 * pointer. However, if pool contains tables or dynamic
		 * addresses, then "tblidx" is also used to store machine
		 * state. Since "tblidx" is int, concurrent access to it can't
		 * lead to inconsistency, only to loss of precision.
		 *
		 * Things get worse, if table contains not hosts, but
		 * prefixes. In this case counter also stores machine state,
		 * and for IPv6 address, counter can't be updated atomically.
		 * Probably, using round-robin on a table containing IPv6
		 * prefixes (or even IPv4) would cause a panic.
		 */

		/* First try the current pool entry as-is. */
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			if (!pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
			goto get_addr;

		/*
		 * Advance to the next pool entry (wrapping to the head).
		 * acur marks where we started: if we get back to it without
		 * finding an address of this family, the pool is exhausted.
		 */
	try_next:
		if (TAILQ_NEXT(rpool->cur, entries) == NULL)
			rpool->cur = TAILQ_FIRST(&rpool->list);
		else
			rpool->cur = TAILQ_NEXT(rpool->cur, entries);
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else {
			raddr = &rpool->cur->addr.v.a.addr;
			rmask = &rpool->cur->addr.v.a.mask;
			PF_ACPY(&rpool->counter, raddr, af);
		}

	get_addr:
		PF_ACPY(naddr, &rpool->counter, af);
		if (init_addr != NULL && PF_AZERO(init_addr, af))
			PF_ACPY(init_addr, naddr, af);
		PF_AINC(&rpool->counter, af);
		break;
	    }
	}
	if (*sn != NULL)
		PF_ACPY(&(*sn)->raddr, naddr, af);

	if (V_pf_status.debug >= PF_DEBUG_MISC &&
	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		printf("pf_map_addr: selected address ");
		pf_print_host(naddr, 0, af);
		printf("\n");
	}

	return (0);
}

/*
 * Find the translation rule for a packet and build its state keys.
 *
 * Outbound packets are matched against the binat ruleset first and then
 * nat; inbound packets against rdr first and then binat.  On a match the
 * untranslated key *skp and a copy *nkp are allocated, and the
 * translated address/port is written into the second address slot of
 * *nkp (only one side is modified).
 *
 * Returns the rule when a translation was actually applied (i.e. *nkp
 * differs from *skp), with *skp/*nkp allocated for the caller.  Returns
 * NULL — with *skp, *nkp and *sn cleared and the keys freed — when no
 * rule matches, the rule is a "no ..." rule, allocation fails, address
 * or port allocation fails, or the translation turned out to be a no-op.
 *
 * Must be called with the pf rules lock held for reading; *skp and *nkp
 * must be NULL on entry.
 */
struct pf_rule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
    struct pfi_kif *kif, struct pf_src_node **sn,
    struct pf_state_key **skp, struct pf_state_key **nkp,
    struct pf_addr *saddr, struct pf_addr *daddr,
    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule	*r = NULL;
	struct pf_addr	*naddr;
	uint16_t	*nport;

	PF_RULES_RASSERT();
	KASSERT(*skp == NULL, ("*skp not NULL"));
	KASSERT(*nkp == NULL, ("*nkp not NULL"));

	if (direction == PF_OUT) {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_NAT,
			    anchor_stack);
	} else {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_BINAT,
			    anchor_stack);
	}

	if (r == NULL)
		return (NULL);

	switch (r->action) {
	case PF_NONAT:
	case PF_NOBINAT:
	case PF_NORDR:
		return (NULL);
	}

	*skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
	if (*skp == NULL)
		return (NULL);
	*nkp = pf_state_key_clone(*skp);
	if (*nkp == NULL) {
		uma_zfree(V_pf_state_key_z, *skp);
		*skp = NULL;
		return (NULL);
	}

	/* XXX We only modify one side for now. */
	naddr = &(*nkp)->addr[1];
	nport = &(*nkp)->port[1];

	switch (r->action) {
	case PF_NAT:
		if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr,
		    dport, naddr, nport, r->rpool.proxy_port[0],
		    r->rpool.proxy_port[1], sn)) {
			DPFPRINTF(PF_DEBUG_MISC,
			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
			goto notrans;
		}
		break;
	case PF_BINAT:
		/*
		 * Outbound: rewrite the source using the pool address/mask.
		 * Inbound: rewrite the destination using the rule's src
		 * address/mask (the reverse mapping).
		 */
		switch (direction) {
		case PF_OUT:
			if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr4,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask4, saddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr6,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask6, saddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr,
				    &r->rpool.cur->addr.v.a.addr,
				    &r->rpool.cur->addr.v.a.mask, saddr,
				    pd->af);
			break;
		case PF_IN:
			if (r->src.addr.type == PF_ADDR_DYNIFTL) {
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->src.addr.p.dyn-> pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr4,
					    &r->src.addr.p.dyn->pfid_mask4,
					    daddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->src.addr.p.dyn->pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr6,
					    &r->src.addr.p.dyn->pfid_mask6,
					    daddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,
				    &r->src.addr.v.a.mask, daddr, pd->af);
			break;
		}
		break;
	case PF_RDR: {
		if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
			goto notrans;
		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,
			    daddr, pd->af);

		if (r->rpool.proxy_port[1]) {
			uint32_t tmp_nport;

			/*
			 * Map the offset of dport within the rule's dst port
			 * range onto the proxy port range.  The arithmetic
			 * is done in int: if dport is below r->dst.port[0]
			 * the difference is negative and the modulo result
			 * is non-positive before the proxy base is added.
			 * NOTE(review): presumably the match in
			 * pf_match_translation() guarantees dport lies in
			 * the rule's dst port range — confirm.
			 */
			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %
			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +
			    1)) + r->rpool.proxy_port[0];

			/* Wrap around if necessary (65536 maps to 1, so port
			 * 0 is never produced). */
			if (tmp_nport > 65535)
				tmp_nport -= 65535;
			*nport = htons((uint16_t)tmp_nport);
		} else if (r->rpool.proxy_port[0])
			*nport = htons(r->rpool.proxy_port[0]);
		break;
	}
	default:
		panic("%s: unknown action %u", __func__, r->action);
	}

	/* Return success only if translation really happened. */
	if (bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp)))
		return (r);

notrans:
	/* Release both keys and the source node reference on any failure. */
	uma_zfree(V_pf_state_key_z, *nkp);
	uma_zfree(V_pf_state_key_z, *skp);
	*skp = *nkp = NULL;
	*sn = NULL;

	return (NULL);
}