xref: /freebsd/sys/netpfil/pf/pf_lb.c (revision 396c556d77189a5c474d35cec6f44a762e310b7d)
1 /*-
2  * Copyright (c) 2001 Daniel Hartmeier
3  * Copyright (c) 2002 - 2008 Henning Brauer
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  *    - Redistributions of source code must retain the above copyright
11  *      notice, this list of conditions and the following disclaimer.
12  *    - Redistributions in binary form must reproduce the above
13  *      copyright notice, this list of conditions and the following
14  *      disclaimer in the documentation and/or other materials provided
15  *      with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
20  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
21  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
23  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
27  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28  * POSSIBILITY OF SUCH DAMAGE.
29  *
30  * Effort sponsored in part by the Defense Advanced Research Projects
31  * Agency (DARPA) and Air Force Research Laboratory, Air Force
32  * Materiel Command, USAF, under agreement number F30602-01-2-0537.
33  *
34  *	$OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $
35  */
36 
37 #include <sys/cdefs.h>
38 __FBSDID("$FreeBSD$");
39 
40 #include "opt_pf.h"
41 #include "opt_inet.h"
42 #include "opt_inet6.h"
43 
44 #include <sys/param.h>
45 #include <sys/lock.h>
46 #include <sys/mbuf.h>
47 #include <sys/rwlock.h>
48 #include <sys/socket.h>
49 #include <sys/sysctl.h>
50 
51 #include <net/if.h>
52 #include <net/vnet.h>
53 #include <net/pfvar.h>
54 #include <net/if_pflog.h>
55 
56 #define DPFPRINTF(n, x)	if (V_pf_status.debug >= (n)) printf x
57 
58 static void		 pf_hash(struct pf_addr *, struct pf_addr *,
59 			    struct pf_poolhashkey *, sa_family_t);
60 static struct pf_rule	*pf_match_translation(struct pf_pdesc *, struct mbuf *,
61 			    int, int, struct pfi_kif *,
62 			    struct pf_addr *, u_int16_t, struct pf_addr *,
63 			    uint16_t, int, struct pf_anchor_stackframe *);
64 static int pf_get_sport(sa_family_t, uint8_t, struct pf_rule *,
65     struct pf_addr *, uint16_t, struct pf_addr *, uint16_t, struct pf_addr *,
66     uint16_t *, uint16_t, uint16_t, struct pf_src_node **);
67 
68 #define mix(a,b,c) \
69 	do {					\
70 		a -= b; a -= c; a ^= (c >> 13);	\
71 		b -= c; b -= a; b ^= (a << 8);	\
72 		c -= a; c -= b; c ^= (b >> 13);	\
73 		a -= b; a -= c; a ^= (c >> 12);	\
74 		b -= c; b -= a; b ^= (a << 16);	\
75 		c -= a; c -= b; c ^= (b >> 5);	\
76 		a -= b; a -= c; a ^= (c >> 3);	\
77 		b -= c; b -= a; b ^= (a << 10);	\
78 		c -= a; c -= b; c ^= (b >> 15);	\
79 	} while (0)
80 
81 /*
82  * hash function based on bridge_hash in if_bridge.c
83  */
84 static void
85 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
86     struct pf_poolhashkey *key, sa_family_t af)
87 {
88 	u_int32_t	a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
89 
90 	switch (af) {
91 #ifdef INET
92 	case AF_INET:
93 		a += inaddr->addr32[0];
94 		b += key->key32[1];
95 		mix(a, b, c);
96 		hash->addr32[0] = c + key->key32[2];
97 		break;
98 #endif /* INET */
99 #ifdef INET6
100 	case AF_INET6:
101 		a += inaddr->addr32[0];
102 		b += inaddr->addr32[2];
103 		mix(a, b, c);
104 		hash->addr32[0] = c;
105 		a += inaddr->addr32[1];
106 		b += inaddr->addr32[3];
107 		c += key->key32[1];
108 		mix(a, b, c);
109 		hash->addr32[1] = c;
110 		a += inaddr->addr32[2];
111 		b += inaddr->addr32[1];
112 		c += key->key32[2];
113 		mix(a, b, c);
114 		hash->addr32[2] = c;
115 		a += inaddr->addr32[3];
116 		b += inaddr->addr32[0];
117 		c += key->key32[3];
118 		mix(a, b, c);
119 		hash->addr32[3] = c;
120 		break;
121 #endif /* INET6 */
122 	}
123 }
124 
125 static struct pf_rule *
126 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
127     int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
128     struct pf_addr *daddr, uint16_t dport, int rs_num,
129     struct pf_anchor_stackframe *anchor_stack)
130 {
131 	struct pf_rule		*r, *rm = NULL;
132 	struct pf_ruleset	*ruleset = NULL;
133 	int			 tag = -1;
134 	int			 rtableid = -1;
135 	int			 asd = 0;
136 
137 	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
138 	while (r && rm == NULL) {
139 		struct pf_rule_addr	*src = NULL, *dst = NULL;
140 		struct pf_addr_wrap	*xdst = NULL;
141 
142 		if (r->action == PF_BINAT && direction == PF_IN) {
143 			src = &r->dst;
144 			if (r->rpool.cur != NULL)
145 				xdst = &r->rpool.cur->addr;
146 		} else {
147 			src = &r->src;
148 			dst = &r->dst;
149 		}
150 
151 		r->evaluations++;
152 		if (pfi_kif_match(r->kif, kif) == r->ifnot)
153 			r = r->skip[PF_SKIP_IFP].ptr;
154 		else if (r->direction && r->direction != direction)
155 			r = r->skip[PF_SKIP_DIR].ptr;
156 		else if (r->af && r->af != pd->af)
157 			r = r->skip[PF_SKIP_AF].ptr;
158 		else if (r->proto && r->proto != pd->proto)
159 			r = r->skip[PF_SKIP_PROTO].ptr;
160 		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
161 		    src->neg, kif, M_GETFIB(m)))
162 			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
163 			    PF_SKIP_DST_ADDR].ptr;
164 		else if (src->port_op && !pf_match_port(src->port_op,
165 		    src->port[0], src->port[1], sport))
166 			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
167 			    PF_SKIP_DST_PORT].ptr;
168 		else if (dst != NULL &&
169 		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
170 		    M_GETFIB(m)))
171 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
172 		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
173 		    0, NULL, M_GETFIB(m)))
174 			r = TAILQ_NEXT(r, entries);
175 		else if (dst != NULL && dst->port_op &&
176 		    !pf_match_port(dst->port_op, dst->port[0],
177 		    dst->port[1], dport))
178 			r = r->skip[PF_SKIP_DST_PORT].ptr;
179 		else if (r->match_tag && !pf_match_tag(m, r, &tag,
180 		    pd->pf_mtag ? pd->pf_mtag->tag : 0))
181 			r = TAILQ_NEXT(r, entries);
182 		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
183 		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
184 		    off, pd->hdr.tcp), r->os_fingerprint)))
185 			r = TAILQ_NEXT(r, entries);
186 		else {
187 			if (r->tag)
188 				tag = r->tag;
189 			if (r->rtableid >= 0)
190 				rtableid = r->rtableid;
191 			if (r->anchor == NULL) {
192 				rm = r;
193 			} else
194 				pf_step_into_anchor(anchor_stack, &asd,
195 				    &ruleset, rs_num, &r, NULL, NULL);
196 		}
197 		if (r == NULL)
198 			pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
199 			    rs_num, &r, NULL, NULL);
200 	}
201 
202 	if (tag > 0 && pf_tag_packet(m, pd, tag))
203 		return (NULL);
204 	if (rtableid >= 0)
205 		M_SETFIB(m, rtableid);
206 
207 	if (rm != NULL && (rm->action == PF_NONAT ||
208 	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
209 		return (NULL);
210 	return (rm);
211 }
212 
213 static int
214 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
215     struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,
216     uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,
217     uint16_t high, struct pf_src_node **sn)
218 {
219 	struct pf_state_key_cmp	key;
220 	struct pf_addr		init_addr;
221 
222 	bzero(&init_addr, sizeof(init_addr));
223 	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
224 		return (1);
225 
226 	if (proto == IPPROTO_ICMP) {
227 		low = 1;
228 		high = 65535;
229 	}
230 
231 	bzero(&key, sizeof(key));
232 	key.af = af;
233 	key.proto = proto;
234 	key.port[0] = dport;
235 	PF_ACPY(&key.addr[0], daddr, key.af);
236 
237 	do {
238 		PF_ACPY(&key.addr[1], naddr, key.af);
239 
240 		/*
241 		 * port search; start random, step;
242 		 * similar 2 portloop in in_pcbbind
243 		 */
244 		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
245 		    proto == IPPROTO_ICMP) || (low == 0 && high == 0)) {
246 			/*
247 			 * XXX bug: icmp states don't use the id on both sides.
248 			 * (traceroute -I through nat)
249 			 */
250 			key.port[1] = sport;
251 			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
252 				*nport = sport;
253 				return (0);
254 			}
255 		} else if (low == high) {
256 			key.port[1] = htons(low);
257 			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
258 				*nport = htons(low);
259 				return (0);
260 			}
261 		} else {
262 			uint32_t tmp;
263 			uint16_t cut;
264 
265 			if (low > high) {
266 				tmp = low;
267 				low = high;
268 				high = tmp;
269 			}
270 			/* low < high */
271 			cut = arc4random() % (1 + high - low) + low;
272 			/* low <= cut <= high */
273 			for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) {
274 				key.port[1] = htons(tmp);
275 				if (pf_find_state_all(&key, PF_IN, NULL) ==
276 				    NULL) {
277 					*nport = htons(tmp);
278 					return (0);
279 				}
280 			}
281 			tmp = cut;
282 			for (tmp -= 1; tmp >= low && tmp <= 0xffff; --tmp) {
283 				key.port[1] = htons(tmp);
284 				if (pf_find_state_all(&key, PF_IN, NULL) ==
285 				    NULL) {
286 					*nport = htons(tmp);
287 					return (0);
288 				}
289 			}
290 		}
291 
292 		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
293 		case PF_POOL_RANDOM:
294 		case PF_POOL_ROUNDROBIN:
295 			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
296 				return (1);
297 			break;
298 		case PF_POOL_NONE:
299 		case PF_POOL_SRCHASH:
300 		case PF_POOL_BITMASK:
301 		default:
302 			return (1);
303 		}
304 	} while (! PF_AEQ(&init_addr, naddr, af) );
305 	return (1);					/* none available */
306 }
307 
308 int
309 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
310     struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
311 {
312 	struct pf_pool		*rpool = &r->rpool;
313 	struct pf_addr		*raddr = NULL, *rmask = NULL;
314 
315 	/* Try to find a src_node if none was given and this
316 	   is a sticky-address rule. */
317 	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
318 	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE)
319 		*sn = pf_find_src_node(saddr, r, af, 0);
320 
321 	/* If a src_node was found or explicitly given and it has a non-zero
322 	   route address, use this address. A zeroed address is found if the
323 	   src node was created just a moment ago in pf_create_state and it
324 	   needs to be filled in with routing decision calculated here. */
325 	if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
326 		PF_ACPY(naddr, &(*sn)->raddr, af);
327 		if (V_pf_status.debug >= PF_DEBUG_MISC) {
328 			printf("pf_map_addr: src tracking maps ");
329 			pf_print_host(saddr, 0, af);
330 			printf(" to ");
331 			pf_print_host(naddr, 0, af);
332 			printf("\n");
333 		}
334 		return (0);
335 	}
336 
337 	/* Find the route using chosen algorithm. Store the found route
338 	   in src_node if it was given or found. */
339 	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
340 		return (1);
341 	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
342 		switch (af) {
343 #ifdef INET
344 		case AF_INET:
345 			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
346 			    (rpool->opts & PF_POOL_TYPEMASK) !=
347 			    PF_POOL_ROUNDROBIN)
348 				return (1);
349 			 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
350 			 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
351 			break;
352 #endif /* INET */
353 #ifdef INET6
354 		case AF_INET6:
355 			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
356 			    (rpool->opts & PF_POOL_TYPEMASK) !=
357 			    PF_POOL_ROUNDROBIN)
358 				return (1);
359 			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
360 			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
361 			break;
362 #endif /* INET6 */
363 		}
364 	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
365 		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
366 			return (1); /* unsupported */
367 	} else {
368 		raddr = &rpool->cur->addr.v.a.addr;
369 		rmask = &rpool->cur->addr.v.a.mask;
370 	}
371 
372 	switch (rpool->opts & PF_POOL_TYPEMASK) {
373 	case PF_POOL_NONE:
374 		PF_ACPY(naddr, raddr, af);
375 		break;
376 	case PF_POOL_BITMASK:
377 		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
378 		break;
379 	case PF_POOL_RANDOM:
380 		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
381 			switch (af) {
382 #ifdef INET
383 			case AF_INET:
384 				rpool->counter.addr32[0] = htonl(arc4random());
385 				break;
386 #endif /* INET */
387 #ifdef INET6
388 			case AF_INET6:
389 				if (rmask->addr32[3] != 0xffffffff)
390 					rpool->counter.addr32[3] =
391 					    htonl(arc4random());
392 				else
393 					break;
394 				if (rmask->addr32[2] != 0xffffffff)
395 					rpool->counter.addr32[2] =
396 					    htonl(arc4random());
397 				else
398 					break;
399 				if (rmask->addr32[1] != 0xffffffff)
400 					rpool->counter.addr32[1] =
401 					    htonl(arc4random());
402 				else
403 					break;
404 				if (rmask->addr32[0] != 0xffffffff)
405 					rpool->counter.addr32[0] =
406 					    htonl(arc4random());
407 				break;
408 #endif /* INET6 */
409 			}
410 			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
411 			PF_ACPY(init_addr, naddr, af);
412 
413 		} else {
414 			PF_AINC(&rpool->counter, af);
415 			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
416 		}
417 		break;
418 	case PF_POOL_SRCHASH:
419 	    {
420 		unsigned char hash[16];
421 
422 		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
423 		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
424 		break;
425 	    }
426 	case PF_POOL_ROUNDROBIN:
427 	    {
428 		struct pf_pooladdr *acur = rpool->cur;
429 
430 		/*
431 		 * XXXGL: in the round-robin case we need to store
432 		 * the round-robin machine state in the rule, thus
433 		 * forwarding thread needs to modify rule.
434 		 *
435 		 * This is done w/o locking, because performance is assumed
436 		 * more important than round-robin precision.
437 		 *
438 		 * In the simpliest case we just update the "rpool->cur"
439 		 * pointer. However, if pool contains tables or dynamic
440 		 * addresses, then "tblidx" is also used to store machine
441 		 * state. Since "tblidx" is int, concurrent access to it can't
442 		 * lead to inconsistence, only to lost of precision.
443 		 *
444 		 * Things get worse, if table contains not hosts, but
445 		 * prefixes. In this case counter also stores machine state,
446 		 * and for IPv6 address, counter can't be updated atomically.
447 		 * Probably, using round-robin on a table containing IPv6
448 		 * prefixes (or even IPv4) would cause a panic.
449 		 */
450 
451 		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
452 			if (!pfr_pool_get(rpool->cur->addr.p.tbl,
453 			    &rpool->tblidx, &rpool->counter, af))
454 				goto get_addr;
455 		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
456 			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
457 			    &rpool->tblidx, &rpool->counter, af))
458 				goto get_addr;
459 		} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
460 			goto get_addr;
461 
462 	try_next:
463 		if (TAILQ_NEXT(rpool->cur, entries) == NULL)
464 			rpool->cur = TAILQ_FIRST(&rpool->list);
465 		else
466 			rpool->cur = TAILQ_NEXT(rpool->cur, entries);
467 		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
468 			rpool->tblidx = -1;
469 			if (pfr_pool_get(rpool->cur->addr.p.tbl,
470 			    &rpool->tblidx, &rpool->counter, af)) {
471 				/* table contains no address of type 'af' */
472 				if (rpool->cur != acur)
473 					goto try_next;
474 				return (1);
475 			}
476 		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
477 			rpool->tblidx = -1;
478 			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
479 			    &rpool->tblidx, &rpool->counter, af)) {
480 				/* table contains no address of type 'af' */
481 				if (rpool->cur != acur)
482 					goto try_next;
483 				return (1);
484 			}
485 		} else {
486 			raddr = &rpool->cur->addr.v.a.addr;
487 			rmask = &rpool->cur->addr.v.a.mask;
488 			PF_ACPY(&rpool->counter, raddr, af);
489 		}
490 
491 	get_addr:
492 		PF_ACPY(naddr, &rpool->counter, af);
493 		if (init_addr != NULL && PF_AZERO(init_addr, af))
494 			PF_ACPY(init_addr, naddr, af);
495 		PF_AINC(&rpool->counter, af);
496 		break;
497 	    }
498 	}
499 	if (*sn != NULL)
500 		PF_ACPY(&(*sn)->raddr, naddr, af);
501 
502 	if (V_pf_status.debug >= PF_DEBUG_MISC &&
503 	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
504 		printf("pf_map_addr: selected address ");
505 		pf_print_host(naddr, 0, af);
506 		printf("\n");
507 	}
508 
509 	return (0);
510 }
511 
512 struct pf_rule *
513 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
514     struct pfi_kif *kif, struct pf_src_node **sn,
515     struct pf_state_key **skp, struct pf_state_key **nkp,
516     struct pf_addr *saddr, struct pf_addr *daddr,
517     uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)
518 {
519 	struct pf_rule	*r = NULL;
520 	struct pf_addr	*naddr;
521 	uint16_t	*nport;
522 
523 	PF_RULES_RASSERT();
524 	KASSERT(*skp == NULL, ("*skp not NULL"));
525 	KASSERT(*nkp == NULL, ("*nkp not NULL"));
526 
527 	if (direction == PF_OUT) {
528 		r = pf_match_translation(pd, m, off, direction, kif, saddr,
529 		    sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
530 		if (r == NULL)
531 			r = pf_match_translation(pd, m, off, direction, kif,
532 			    saddr, sport, daddr, dport, PF_RULESET_NAT,
533 			    anchor_stack);
534 	} else {
535 		r = pf_match_translation(pd, m, off, direction, kif, saddr,
536 		    sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
537 		if (r == NULL)
538 			r = pf_match_translation(pd, m, off, direction, kif,
539 			    saddr, sport, daddr, dport, PF_RULESET_BINAT,
540 			    anchor_stack);
541 	}
542 
543 	if (r == NULL)
544 		return (NULL);
545 
546 	switch (r->action) {
547 	case PF_NONAT:
548 	case PF_NOBINAT:
549 	case PF_NORDR:
550 		return (NULL);
551 	}
552 
553 	*skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
554 	if (*skp == NULL)
555 		return (NULL);
556 	*nkp = pf_state_key_clone(*skp);
557 	if (*nkp == NULL) {
558 		uma_zfree(V_pf_state_key_z, *skp);
559 		*skp = NULL;
560 		return (NULL);
561 	}
562 
563 	/* XXX We only modify one side for now. */
564 	naddr = &(*nkp)->addr[1];
565 	nport = &(*nkp)->port[1];
566 
567 	switch (r->action) {
568 	case PF_NAT:
569 		if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr,
570 		    dport, naddr, nport, r->rpool.proxy_port[0],
571 		    r->rpool.proxy_port[1], sn)) {
572 			DPFPRINTF(PF_DEBUG_MISC,
573 			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
574 			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
575 			goto notrans;
576 		}
577 		break;
578 	case PF_BINAT:
579 		switch (direction) {
580 		case PF_OUT:
581 			if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
582 				switch (pd->af) {
583 #ifdef INET
584 				case AF_INET:
585 					if (r->rpool.cur->addr.p.dyn->
586 					    pfid_acnt4 < 1)
587 						goto notrans;
588 					PF_POOLMASK(naddr,
589 					    &r->rpool.cur->addr.p.dyn->
590 					    pfid_addr4,
591 					    &r->rpool.cur->addr.p.dyn->
592 					    pfid_mask4, saddr, AF_INET);
593 					break;
594 #endif /* INET */
595 #ifdef INET6
596 				case AF_INET6:
597 					if (r->rpool.cur->addr.p.dyn->
598 					    pfid_acnt6 < 1)
599 						goto notrans;
600 					PF_POOLMASK(naddr,
601 					    &r->rpool.cur->addr.p.dyn->
602 					    pfid_addr6,
603 					    &r->rpool.cur->addr.p.dyn->
604 					    pfid_mask6, saddr, AF_INET6);
605 					break;
606 #endif /* INET6 */
607 				}
608 			} else
609 				PF_POOLMASK(naddr,
610 				    &r->rpool.cur->addr.v.a.addr,
611 				    &r->rpool.cur->addr.v.a.mask, saddr,
612 				    pd->af);
613 			break;
614 		case PF_IN:
615 			if (r->src.addr.type == PF_ADDR_DYNIFTL) {
616 				switch (pd->af) {
617 #ifdef INET
618 				case AF_INET:
619 					if (r->src.addr.p.dyn-> pfid_acnt4 < 1)
620 						goto notrans;
621 					PF_POOLMASK(naddr,
622 					    &r->src.addr.p.dyn->pfid_addr4,
623 					    &r->src.addr.p.dyn->pfid_mask4,
624 					    daddr, AF_INET);
625 					break;
626 #endif /* INET */
627 #ifdef INET6
628 				case AF_INET6:
629 					if (r->src.addr.p.dyn->pfid_acnt6 < 1)
630 						goto notrans;
631 					PF_POOLMASK(naddr,
632 					    &r->src.addr.p.dyn->pfid_addr6,
633 					    &r->src.addr.p.dyn->pfid_mask6,
634 					    daddr, AF_INET6);
635 					break;
636 #endif /* INET6 */
637 				}
638 			} else
639 				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,
640 				    &r->src.addr.v.a.mask, daddr, pd->af);
641 			break;
642 		}
643 		break;
644 	case PF_RDR: {
645 		if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
646 			goto notrans;
647 		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
648 			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,
649 			    daddr, pd->af);
650 
651 		if (r->rpool.proxy_port[1]) {
652 			uint32_t	tmp_nport;
653 
654 			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %
655 			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +
656 			    1)) + r->rpool.proxy_port[0];
657 
658 			/* Wrap around if necessary. */
659 			if (tmp_nport > 65535)
660 				tmp_nport -= 65535;
661 			*nport = htons((uint16_t)tmp_nport);
662 		} else if (r->rpool.proxy_port[0])
663 			*nport = htons(r->rpool.proxy_port[0]);
664 		break;
665 	}
666 	default:
667 		panic("%s: unknown action %u", __func__, r->action);
668 	}
669 
670 	/* Return success only if translation really happened. */
671 	if (bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp)))
672 		return (r);
673 
674 notrans:
675 	uma_zfree(V_pf_state_key_z, *nkp);
676 	uma_zfree(V_pf_state_key_z, *skp);
677 	*skp = *nkp = NULL;
678 	*sn = NULL;
679 
680 	return (NULL);
681 }
682