1 /*- 2 * Copyright (c) 2001 Daniel Hartmeier 3 * Copyright (c) 2002 - 2008 Henning Brauer 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * - Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * - Redistributions in binary form must reproduce the above 13 * copyright notice, this list of conditions and the following 14 * disclaimer in the documentation and/or other materials provided 15 * with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 21 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 25 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 27 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 * 30 * Effort sponsored in part by the Defense Advanced Research Projects 31 * Agency (DARPA) and Air Force Research Laboratory, Air Force 32 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 33 * 34 * $OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $ 35 */ 36 37 #include <sys/cdefs.h> 38 __FBSDID("$FreeBSD$"); 39 40 #include "opt_pf.h" 41 #include "opt_inet.h" 42 #include "opt_inet6.h" 43 44 #include <sys/param.h> 45 #include <sys/socket.h> 46 #include <sys/sysctl.h> 47 48 #include <net/if.h> 49 #include <net/pfvar.h> 50 #include <net/if_pflog.h> 51 #include <net/pf_mtag.h> 52 53 #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x 54 55 static void pf_hash(struct pf_addr *, struct pf_addr *, 56 struct pf_poolhashkey *, sa_family_t); 57 static struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, 58 int, int, struct pfi_kif *, 59 struct pf_addr *, u_int16_t, struct pf_addr *, 60 uint16_t, int, struct pf_anchor_stackframe *); 61 static int pf_get_sport(sa_family_t, uint8_t, struct pf_rule *, 62 struct pf_addr *, uint16_t, struct pf_addr *, uint16_t, struct pf_addr *, 63 uint16_t *, uint16_t, uint16_t, struct pf_src_node **); 64 65 #define mix(a,b,c) \ 66 do { \ 67 a -= b; a -= c; a ^= (c >> 13); \ 68 b -= c; b -= a; b ^= (a << 8); \ 69 c -= a; c -= b; c ^= (b >> 13); \ 70 a -= b; a -= c; a ^= (c >> 12); \ 71 b -= c; b -= a; b ^= (a << 16); \ 72 c -= a; c -= b; c ^= (b >> 5); \ 73 a -= b; a -= c; a ^= (c >> 3); \ 74 b -= c; b -= a; b ^= (a << 10); \ 75 c -= a; c -= b; c ^= (b >> 15); \ 76 } while (0) 77 78 /* 79 * hash function based on bridge_hash in if_bridge.c 80 */ 81 static void 82 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, 83 struct pf_poolhashkey *key, sa_family_t af) 84 { 85 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 86 87 switch (af) { 88 #ifdef INET 89 case AF_INET: 90 a += inaddr->addr32[0]; 91 b += key->key32[1]; 92 mix(a, b, c); 93 hash->addr32[0] = c + key->key32[2]; 94 break; 95 #endif /* INET */ 96 #ifdef INET6 97 case AF_INET6: 98 a += inaddr->addr32[0]; 99 b += inaddr->addr32[2]; 100 mix(a, b, c); 101 hash->addr32[0] = c; 102 a += inaddr->addr32[1]; 103 b += inaddr->addr32[3]; 104 c += key->key32[1]; 105 mix(a, b, c); 106 hash->addr32[1] = c; 107 a += inaddr->addr32[2]; 108 b += inaddr->addr32[1]; 109 c += key->key32[2]; 110 mix(a, b, c); 111 hash->addr32[2] = c; 112 a += inaddr->addr32[3]; 113 b += inaddr->addr32[0]; 114 c += key->key32[3]; 115 mix(a, b, c); 116 hash->addr32[3] = c; 117 break; 118 #endif /* INET6 */ 119 } 120 } 121 122 static struct pf_rule * 123 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 124 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, 125 struct pf_addr *daddr, uint16_t dport, int rs_num, 126 struct pf_anchor_stackframe *anchor_stack) 127 { 128 struct pf_rule *r, *rm = NULL; 129 struct pf_ruleset *ruleset = NULL; 130 int tag = -1; 131 int rtableid = -1; 132 int asd = 0; 133 134 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 135 while (r && rm == NULL) { 136 struct pf_rule_addr *src = NULL, *dst = NULL; 137 struct pf_addr_wrap *xdst = NULL; 138 139 if (r->action == PF_BINAT && direction == PF_IN) { 140 src = &r->dst; 141 if (r->rpool.cur != NULL) 142 xdst = &r->rpool.cur->addr; 143 } else { 144 src = &r->src; 145 dst = &r->dst; 146 } 147 148 r->evaluations++; 149 if (pfi_kif_match(r->kif, kif) == r->ifnot) 150 r = r->skip[PF_SKIP_IFP].ptr; 151 else if (r->direction && r->direction != direction) 152 r = r->skip[PF_SKIP_DIR].ptr; 153 else if (r->af && r->af != pd->af) 154 r = r->skip[PF_SKIP_AF].ptr; 155 else if (r->proto && r->proto != pd->proto) 156 r = r->skip[PF_SKIP_PROTO].ptr; 157 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, 158 src->neg, kif, M_GETFIB(m))) 159 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 160 PF_SKIP_DST_ADDR].ptr; 161 else if (src->port_op && !pf_match_port(src->port_op, 162 src->port[0], src->port[1], sport)) 163 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 164 PF_SKIP_DST_PORT].ptr; 165 else if (dst != NULL && 166 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL, 167 M_GETFIB(m))) 168 r = r->skip[PF_SKIP_DST_ADDR].ptr; 169 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 170 0, NULL, M_GETFIB(m))) 171 r = TAILQ_NEXT(r, entries); 172 else if (dst != NULL && dst->port_op && 173 !pf_match_port(dst->port_op, dst->port[0], 174 dst->port[1], dport)) 175 r = r->skip[PF_SKIP_DST_PORT].ptr; 176 else if (r->match_tag && !pf_match_tag(m, r, &tag, 177 pd->pf_mtag ? pd->pf_mtag->tag : 0)) 178 r = TAILQ_NEXT(r, entries); 179 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 180 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 181 off, pd->hdr.tcp), r->os_fingerprint))) 182 r = TAILQ_NEXT(r, entries); 183 else { 184 if (r->tag) 185 tag = r->tag; 186 if (r->rtableid >= 0) 187 rtableid = r->rtableid; 188 if (r->anchor == NULL) { 189 rm = r; 190 } else 191 pf_step_into_anchor(anchor_stack, &asd, 192 &ruleset, rs_num, &r, NULL, NULL); 193 } 194 if (r == NULL) 195 pf_step_out_of_anchor(anchor_stack, &asd, &ruleset, 196 rs_num, &r, NULL, NULL); 197 } 198 199 if (tag > 0 && pf_tag_packet(m, pd, tag)) 200 return (NULL); 201 if (rtableid >= 0) 202 M_SETFIB(m, rtableid); 203 204 if (rm != NULL && (rm->action == PF_NONAT || 205 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 206 return (NULL); 207 return (rm); 208 } 209 210 static int 211 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, 212 struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr, 213 uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low, 214 uint16_t high, struct pf_src_node **sn) 215 { 216 struct pf_state_key_cmp key; 217 struct pf_addr init_addr; 218 uint16_t cut; 219 220 bzero(&init_addr, sizeof(init_addr)); 221 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 222 return (1); 223 224 if (proto == IPPROTO_ICMP) { 225 low = 1; 226 high = 65535; 227 } 228 229 bzero(&key, sizeof(key)); 230 key.af = af; 231 key.proto = proto; 232 key.port[0] = dport; 233 PF_ACPY(&key.addr[0], daddr, key.af); 234 235 do { 236 PF_ACPY(&key.addr[1], naddr, key.af); 237 238 /* 239 * port search; start random, step; 240 * similar 2 portloop in in_pcbbind 241 */ 242 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP || 243 proto == IPPROTO_ICMP) || (low == 0 && high == 0)) { 244 /* 245 * XXX bug: icmp states don't use the id on both sides. 246 * (traceroute -I through nat) 247 */ 248 key.port[1] = sport; 249 if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { 250 *nport = sport; 251 return (0); 252 } 253 } else if (low == high) { 254 key.port[1] = htons(low); 255 if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { 256 *nport = htons(low); 257 return (0); 258 } 259 } else { 260 uint16_t tmp; 261 262 if (low > high) { 263 tmp = low; 264 low = high; 265 high = tmp; 266 } 267 /* low < high */ 268 cut = htonl(arc4random()) % (1 + high - low) + low; 269 /* low <= cut <= high */ 270 for (tmp = cut; tmp <= high; ++(tmp)) { 271 key.port[1] = htons(tmp); 272 if (pf_find_state_all(&key, PF_IN, NULL) == 273 NULL) { 274 *nport = htons(tmp); 275 return (0); 276 } 277 } 278 for (tmp = cut - 1; tmp >= low; --(tmp)) { 279 key.port[1] = htons(tmp); 280 if (pf_find_state_all(&key, PF_IN, NULL) == 281 NULL) { 282 *nport = htons(tmp); 283 return (0); 284 } 285 } 286 } 287 288 switch (r->rpool.opts & PF_POOL_TYPEMASK) { 289 case PF_POOL_RANDOM: 290 case PF_POOL_ROUNDROBIN: 291 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 292 return (1); 293 break; 294 case PF_POOL_NONE: 295 case PF_POOL_SRCHASH: 296 case PF_POOL_BITMASK: 297 default: 298 return (1); 299 } 300 } while (! PF_AEQ(&init_addr, naddr, af) ); 301 return (1); /* none available */ 302 } 303 304 int 305 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, 306 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) 307 { 308 struct pf_pool *rpool = &r->rpool; 309 struct pf_addr *raddr = NULL, *rmask = NULL; 310 311 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && 312 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 313 *sn = pf_find_src_node(saddr, r, af, 0); 314 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { 315 PF_ACPY(naddr, &(*sn)->raddr, af); 316 if (V_pf_status.debug >= PF_DEBUG_MISC) { 317 printf("pf_map_addr: src tracking maps "); 318 pf_print_host(saddr, 0, af); 319 printf(" to "); 320 pf_print_host(naddr, 0, af); 321 printf("\n"); 322 } 323 return (0); 324 } 325 } 326 327 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 328 return (1); 329 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 330 switch (af) { 331 #ifdef INET 332 case AF_INET: 333 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 334 (rpool->opts & PF_POOL_TYPEMASK) != 335 PF_POOL_ROUNDROBIN) 336 return (1); 337 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 338 rmask = &rpool->cur->addr.p.dyn->pfid_mask4; 339 break; 340 #endif /* INET */ 341 #ifdef INET6 342 case AF_INET6: 343 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 344 (rpool->opts & PF_POOL_TYPEMASK) != 345 PF_POOL_ROUNDROBIN) 346 return (1); 347 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 348 rmask = &rpool->cur->addr.p.dyn->pfid_mask6; 349 break; 350 #endif /* INET6 */ 351 } 352 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 353 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 354 return (1); /* unsupported */ 355 } else { 356 raddr = &rpool->cur->addr.v.a.addr; 357 rmask = &rpool->cur->addr.v.a.mask; 358 } 359 360 switch (rpool->opts & PF_POOL_TYPEMASK) { 361 case PF_POOL_NONE: 362 PF_ACPY(naddr, raddr, af); 363 break; 364 case PF_POOL_BITMASK: 365 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 366 break; 367 case PF_POOL_RANDOM: 368 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 369 switch (af) { 370 #ifdef INET 371 case AF_INET: 372 rpool->counter.addr32[0] = htonl(arc4random()); 373 break; 374 #endif /* INET */ 375 #ifdef INET6 376 case AF_INET6: 377 if (rmask->addr32[3] != 0xffffffff) 378 rpool->counter.addr32[3] = 379 htonl(arc4random()); 380 else 381 break; 382 if (rmask->addr32[2] != 0xffffffff) 383 rpool->counter.addr32[2] = 384 htonl(arc4random()); 385 else 386 break; 387 if (rmask->addr32[1] != 0xffffffff) 388 rpool->counter.addr32[1] = 389 htonl(arc4random()); 390 else 391 break; 392 if (rmask->addr32[0] != 0xffffffff) 393 rpool->counter.addr32[0] = 394 htonl(arc4random()); 395 break; 396 #endif /* INET6 */ 397 } 398 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 399 PF_ACPY(init_addr, naddr, af); 400 401 } else { 402 PF_AINC(&rpool->counter, af); 403 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 404 } 405 break; 406 case PF_POOL_SRCHASH: 407 { 408 unsigned char hash[16]; 409 410 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 411 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 412 break; 413 } 414 case PF_POOL_ROUNDROBIN: 415 { 416 struct pf_pooladdr *acur = rpool->cur; 417 418 /* 419 * XXXGL: in the round-robin case we need to store 420 * the round-robin machine state in the rule, thus 421 * forwarding thread needs to modify rule. 422 * 423 * This is done w/o locking, because performance is assumed 424 * more important than round-robin precision. 425 * 426 * In the simpliest case we just update the "rpool->cur" 427 * pointer. However, if pool contains tables or dynamic 428 * addresses, then "tblidx" is also used to store machine 429 * state. Since "tblidx" is int, concurrent access to it can't 430 * lead to inconsistence, only to lost of precision. 431 * 432 * Things get worse, if table contains not hosts, but 433 * prefixes. In this case counter also stores machine state, 434 * and for IPv6 address, counter can't be updated atomically. 435 * Probably, using round-robin on a table containing IPv6 436 * prefixes (or even IPv4) would cause a panic. 437 */ 438 439 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 440 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 441 &rpool->tblidx, &rpool->counter, af)) 442 goto get_addr; 443 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 444 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 445 &rpool->tblidx, &rpool->counter, af)) 446 goto get_addr; 447 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 448 goto get_addr; 449 450 try_next: 451 if (TAILQ_NEXT(rpool->cur, entries) == NULL) 452 rpool->cur = TAILQ_FIRST(&rpool->list); 453 else 454 rpool->cur = TAILQ_NEXT(rpool->cur, entries); 455 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 456 rpool->tblidx = -1; 457 if (pfr_pool_get(rpool->cur->addr.p.tbl, 458 &rpool->tblidx, &rpool->counter, af)) { 459 /* table contains no address of type 'af' */ 460 if (rpool->cur != acur) 461 goto try_next; 462 return (1); 463 } 464 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 465 rpool->tblidx = -1; 466 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 467 &rpool->tblidx, &rpool->counter, af)) { 468 /* table contains no address of type 'af' */ 469 if (rpool->cur != acur) 470 goto try_next; 471 return (1); 472 } 473 } else { 474 raddr = &rpool->cur->addr.v.a.addr; 475 rmask = &rpool->cur->addr.v.a.mask; 476 PF_ACPY(&rpool->counter, raddr, af); 477 } 478 479 get_addr: 480 PF_ACPY(naddr, &rpool->counter, af); 481 if (init_addr != NULL && PF_AZERO(init_addr, af)) 482 PF_ACPY(init_addr, naddr, af); 483 PF_AINC(&rpool->counter, af); 484 break; 485 } 486 } 487 if (*sn != NULL) 488 PF_ACPY(&(*sn)->raddr, naddr, af); 489 490 if (V_pf_status.debug >= PF_DEBUG_MISC && 491 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 492 printf("pf_map_addr: selected address "); 493 pf_print_host(naddr, 0, af); 494 printf("\n"); 495 } 496 497 return (0); 498 } 499 500 struct pf_rule * 501 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 502 struct pfi_kif *kif, struct pf_src_node **sn, 503 struct pf_state_key **skp, struct pf_state_key **nkp, 504 struct pf_addr *saddr, struct pf_addr *daddr, 505 uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack) 506 { 507 struct pf_rule *r = NULL; 508 struct pf_addr *naddr; 509 uint16_t *nport; 510 511 PF_RULES_RASSERT(); 512 KASSERT(*skp == NULL, ("*skp not NULL")); 513 KASSERT(*nkp == NULL, ("*nkp not NULL")); 514 515 if (direction == PF_OUT) { 516 r = pf_match_translation(pd, m, off, direction, kif, saddr, 517 sport, daddr, dport, PF_RULESET_BINAT, anchor_stack); 518 if (r == NULL) 519 r = pf_match_translation(pd, m, off, direction, kif, 520 saddr, sport, daddr, dport, PF_RULESET_NAT, 521 anchor_stack); 522 } else { 523 r = pf_match_translation(pd, m, off, direction, kif, saddr, 524 sport, daddr, dport, PF_RULESET_RDR, anchor_stack); 525 if (r == NULL) 526 r = pf_match_translation(pd, m, off, direction, kif, 527 saddr, sport, daddr, dport, PF_RULESET_BINAT, 528 anchor_stack); 529 } 530 531 if (r == NULL) 532 return (NULL); 533 534 switch (r->action) { 535 case PF_NONAT: 536 case PF_NOBINAT: 537 case PF_NORDR: 538 return (NULL); 539 } 540 541 *skp = pf_state_key_setup(pd, saddr, daddr, sport, dport); 542 if (*skp == NULL) 543 return (NULL); 544 *nkp = pf_state_key_clone(*skp); 545 if (*nkp == NULL) { 546 uma_zfree(V_pf_state_key_z, skp); 547 *skp = NULL; 548 return (NULL); 549 } 550 551 /* XXX We only modify one side for now. */ 552 naddr = &(*nkp)->addr[1]; 553 nport = &(*nkp)->port[1]; 554 555 switch (r->action) { 556 case PF_NAT: 557 if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr, 558 dport, naddr, nport, r->rpool.proxy_port[0], 559 r->rpool.proxy_port[1], sn)) { 560 DPFPRINTF(PF_DEBUG_MISC, 561 ("pf: NAT proxy port allocation (%u-%u) failed\n", 562 r->rpool.proxy_port[0], r->rpool.proxy_port[1])); 563 goto notrans; 564 } 565 break; 566 case PF_BINAT: 567 switch (direction) { 568 case PF_OUT: 569 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 570 switch (pd->af) { 571 #ifdef INET 572 case AF_INET: 573 if (r->rpool.cur->addr.p.dyn-> 574 pfid_acnt4 < 1) 575 goto notrans; 576 PF_POOLMASK(naddr, 577 &r->rpool.cur->addr.p.dyn-> 578 pfid_addr4, 579 &r->rpool.cur->addr.p.dyn-> 580 pfid_mask4, saddr, AF_INET); 581 break; 582 #endif /* INET */ 583 #ifdef INET6 584 case AF_INET6: 585 if (r->rpool.cur->addr.p.dyn-> 586 pfid_acnt6 < 1) 587 goto notrans; 588 PF_POOLMASK(naddr, 589 &r->rpool.cur->addr.p.dyn-> 590 pfid_addr6, 591 &r->rpool.cur->addr.p.dyn-> 592 pfid_mask6, saddr, AF_INET6); 593 break; 594 #endif /* INET6 */ 595 } 596 } else 597 PF_POOLMASK(naddr, 598 &r->rpool.cur->addr.v.a.addr, 599 &r->rpool.cur->addr.v.a.mask, saddr, 600 pd->af); 601 break; 602 case PF_IN: 603 if (r->src.addr.type == PF_ADDR_DYNIFTL) { 604 switch (pd->af) { 605 #ifdef INET 606 case AF_INET: 607 if (r->src.addr.p.dyn-> pfid_acnt4 < 1) 608 goto notrans; 609 PF_POOLMASK(naddr, 610 &r->src.addr.p.dyn->pfid_addr4, 611 &r->src.addr.p.dyn->pfid_mask4, 612 daddr, AF_INET); 613 break; 614 #endif /* INET */ 615 #ifdef INET6 616 case AF_INET6: 617 if (r->src.addr.p.dyn->pfid_acnt6 < 1) 618 goto notrans; 619 PF_POOLMASK(naddr, 620 &r->src.addr.p.dyn->pfid_addr6, 621 &r->src.addr.p.dyn->pfid_mask6, 622 daddr, AF_INET6); 623 break; 624 #endif /* INET6 */ 625 } 626 } else 627 PF_POOLMASK(naddr, &r->src.addr.v.a.addr, 628 &r->src.addr.v.a.mask, daddr, pd->af); 629 break; 630 } 631 break; 632 case PF_RDR: { 633 if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) 634 goto notrans; 635 if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK) 636 PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask, 637 daddr, pd->af); 638 639 if (r->rpool.proxy_port[1]) { 640 uint32_t tmp_nport; 641 642 tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) % 643 (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] + 644 1)) + r->rpool.proxy_port[0]; 645 646 /* Wrap around if necessary. */ 647 if (tmp_nport > 65535) 648 tmp_nport -= 65535; 649 *nport = htons((uint16_t)tmp_nport); 650 } else if (r->rpool.proxy_port[0]) 651 *nport = htons(r->rpool.proxy_port[0]); 652 break; 653 } 654 default: 655 panic("%s: unknown action %u", __func__, r->action); 656 } 657 658 /* Return success only if translation really happened. */ 659 if (bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp))) 660 return (r); 661 662 notrans: 663 uma_zfree(V_pf_state_key_z, *nkp); 664 uma_zfree(V_pf_state_key_z, *skp); 665 *skp = *nkp = NULL; 666 667 return (NULL); 668 } 669