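/*	$OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002 - 2008 Henning Brauer
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Effort sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
 *
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_pf.h"
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/socket.h>
#include <sys/sysctl.h>

#include <net/if.h>
#include <net/pfvar.h>
#include <net/if_pflog.h>
#include <net/pf_mtag.h>

/*
 * Debug print gated on the global pf debug level.  Wrapped in do/while
 * so that the macro is a single statement and cannot capture the else
 * branch of an unbraced if/else at the call site.
 */
#define DPFPRINTF(n, x)	do {						\
	if (V_pf_status.debug >= (n))					\
		printf x;						\
} while (0)

static void		 pf_hash(struct pf_addr *, struct pf_addr *,
			    struct pf_poolhashkey *, sa_family_t);
static struct pf_rule	*pf_match_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *,
			    struct pf_addr *, u_int16_t, struct pf_addr *,
			    uint16_t, int, struct pf_anchor_stackframe *);
static int		 pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
			    struct pf_addr *, struct pf_addr *, u_int16_t,
			    struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
			    struct pf_src_node **);

/*
 * One mixing round of the address hash below.  Every argument is
 * evaluated many times, so only plain lvalue variables may be passed.
 */
#define mix(a,b,c) \
	do {					\
		a -= b; a -= c; a ^= (c >> 13);	\
		b -= c; b -= a; b ^= (a << 8);	\
		c -= a; c -= b; c ^= (b >> 13);	\
		a -= b; a -= c; a ^= (c >> 12);	\
		b -= c; b -= a; b ^= (a << 16);	\
		c -= a; c -= b; c ^= (b >> 5);	\
		a -= b; a -= c; a ^= (c >> 3);	\
		b -= c; b -= a; b ^= (a << 10);	\
		c -= a; c -= b; c ^= (b >> 15);	\
	} while (0)

/*
 * hash function based on bridge_hash in if_bridge.c
 *
 * Keyed hash of 'inaddr' into 'hash', used by PF_POOL_SRCHASH so that the
 * same source address always selects the same pool member.  The pool's
 * secret key is folded in so the mapping is not predictable from the
 * address alone.  Only the words meaningful for 'af' are written: one
 * for AF_INET, four for AF_INET6.  For any other family 'hash' is left
 * untouched (there is no default case).
 */
static void
pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
    struct pf_poolhashkey *key, sa_family_t af)
{
	u_int32_t	a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];

	switch (af) {
#ifdef INET
	case AF_INET:
		a += inaddr->addr32[0];
		b += key->key32[1];
		mix(a, b, c);
		hash->addr32[0] = c + key->key32[2];
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		a += inaddr->addr32[0];
		b += inaddr->addr32[2];
		mix(a, b, c);
		hash->addr32[0] = c;
		a += inaddr->addr32[1];
		b += inaddr->addr32[3];
		c += key->key32[1];
		mix(a, b, c);
		hash->addr32[1] = c;
		a += inaddr->addr32[2];
		b += inaddr->addr32[1];
		c += key->key32[2];
		mix(a, b, c);
		hash->addr32[2] = c;
		a += inaddr->addr32[3];
		b += inaddr->addr32[0];
		c += key->key32[3];
		mix(a, b, c);
		hash->addr32[3] = c;
		break;
#endif /* INET6 */
	}
}

/*
 * Walk the active rules of translation ruleset 'rs_num' (NAT, BINAT or
 * RDR) and return the first rule matching the packet described by 'pd',
 * 'saddr'/'sport' and 'daddr'/'dport' on interface 'kif', descending
 * into anchors via 'anchor_stack'.  Each rule visited has its
 * evaluations counter bumped; non-matching rules are skipped using the
 * precomputed skip steps.
 *
 * For BINAT rules evaluated on inbound packets the rule's dst and pool
 * address are matched against the packet's source and destination
 * respectively, since the rule was written from the outbound view.
 *
 * Side effects on match: the packet is tagged with the last rule tag
 * seen and its FIB is set from the last rtableid seen.
 *
 * Returns NULL when no rule matches, when the matching rule is a
 * no-nat / no-rdr / no-binat rule, or when tagging the packet fails.
 */
static struct pf_rule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
    int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
    struct pf_addr *daddr, uint16_t dport, int rs_num,
    struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule		*r, *rm = NULL;
	struct pf_ruleset	*ruleset = NULL;
	int			 tag = -1;
	int			 rtableid = -1;
	int			 asd = 0;

	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
	while (r && rm == NULL) {
		struct pf_rule_addr	*src = NULL, *dst = NULL;
		struct pf_addr_wrap	*xdst = NULL;

		if (r->action == PF_BINAT && direction == PF_IN) {
			src = &r->dst;
			if (r->rpool.cur != NULL)
				xdst = &r->rpool.cur->addr;
		} else {
			src = &r->src;
			dst = &r->dst;
		}

		r->evaluations++;
		if (pfi_kif_match(r->kif, kif) == r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != pd->af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != pd->proto)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
		    src->neg, kif, M_GETFIB(m)))
			/* 'src' may alias r->dst (inbound BINAT); pick the
			 * skip step that belongs to the field actually used. */
			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
			    PF_SKIP_DST_ADDR].ptr;
		else if (src->port_op && !pf_match_port(src->port_op,
		    src->port[0], src->port[1], sport))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
			    PF_SKIP_DST_PORT].ptr;
		else if (dst != NULL &&
		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
		    M_GETFIB(m)))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
		    0, NULL, M_GETFIB(m)))
			r = TAILQ_NEXT(r, entries);
		else if (dst != NULL && dst->port_op &&
		    !pf_match_port(dst->port_op, dst->port[0],
		    dst->port[1], dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		else if (r->match_tag && !pf_match_tag(m, r, &tag,
		    pd->pf_mtag ? pd->pf_mtag->tag : 0))
			r = TAILQ_NEXT(r, entries);
		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
		    off, pd->hdr.tcp), r->os_fingerprint)))
			r = TAILQ_NEXT(r, entries);
		else {
			if (r->tag)
				tag = r->tag;
			if (r->rtableid >= 0)
				rtableid = r->rtableid;
			if (r->anchor == NULL) {
				rm = r;
			} else
				pf_step_into_anchor(anchor_stack, &asd,
				    &ruleset, rs_num, &r, NULL, NULL);
		}
		/* End of an anchor's list: resume in the parent ruleset. */
		if (r == NULL)
			pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
			    rs_num, &r, NULL, NULL);
	}

	if (tag > 0 && pf_tag_packet(m, pd, tag))
		return (NULL);
	if (rtableid >= 0)
		M_SETFIB(m, rtableid);

	if (rm != NULL && (rm->action == PF_NONAT ||
	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
		return (NULL);
	return (rm);
}

/*
 * Pick the translated source address and port for an outbound NAT rule.
 *
 * The address is chosen by pf_map_addr() according to the rule's pool;
 * the port is then chosen from [low, high] (network-order result written
 * to *nport) such that no existing state already uses the resulting
 * (naddr, nport) -> (daddr, dport) tuple.  Special cases, taken from the
 * code below:
 *   - protocols other than TCP/UDP/ICMP keep the original port (key on
 *     dport) and are only checked for an existing state;
 *   - low == high == 0 means "keep *nport as is";
 *   - low == high fixes the port;
 *   - ICMP always searches the full range 1..65535.
 *
 * When the whole range is in use and the pool is random or round-robin,
 * the next pool address is tried until the pool wraps back to the first
 * address chosen (init_addr).
 *
 * Returns 0 on success with *naddr/*nport filled in, 1 when no free
 * combination is available or pf_map_addr() fails.
 */
static int
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
    struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
    struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
    struct pf_src_node **sn)
{
	struct pf_state_key_cmp	key;
	struct pf_addr		init_addr;
	u_int16_t		cut;

	bzero(&init_addr, sizeof(init_addr));
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
		return (1);

	if (proto == IPPROTO_ICMP) {
		low = 1;
		high = 65535;
	}

	do {
		key.af = af;
		key.proto = proto;
		PF_ACPY(&key.addr[1], daddr, key.af);
		PF_ACPY(&key.addr[0], naddr, key.af);
		key.port[1] = dport;

		/*
		 * port search; start random, step;
		 * similar 2 portloop in in_pcbbind
		 */
		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
		    proto == IPPROTO_ICMP)) {
			key.port[0] = dport;
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL)
				return (0);
		} else if (low == 0 && high == 0) {
			key.port[0] = *nport;
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL)
				return (0);
		} else if (low == high) {
			key.port[0] = htons(low);
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = htons(low);
				return (0);
			}
		} else {
			u_int32_t tmp;

			if (low > high) {
				tmp = low;
				low = high;
				high = tmp;
			}
			/* low < high */
			cut = htonl(arc4random()) % (1 + high - low) + low;
			/* low <= cut <= high */
			/*
			 * 'tmp' is wider than a port and both loops are
			 * additionally bounded by 0xffff.  With a 16-bit
			 * counter, high == 65535 (always the case for ICMP)
			 * made "tmp <= high" unconditionally true, and
			 * low == 0 did the same for "tmp >= low", so the
			 * counter wrapped and the search never terminated
			 * once every port was in use.
			 */
			for (tmp = cut; tmp <= high && tmp <= 0xffff; ++(tmp)) {
				key.port[0] = htons((u_int16_t)tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons((u_int16_t)tmp);
					return (0);
				}
			}
			/* cut == low underflows to > 0xffff: loop is skipped. */
			tmp = cut;
			for (tmp -= 1; tmp >= low && tmp <= 0xffff; --(tmp)) {
				key.port[0] = htons((u_int16_t)tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons((u_int16_t)tmp);
					return (0);
				}
			}
		}

		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
		case PF_POOL_RANDOM:
		case PF_POOL_ROUNDROBIN:
			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
				return (1);
			break;
		case PF_POOL_NONE:
		case PF_POOL_SRCHASH:
		case PF_POOL_BITMASK:
		default:
			return (1);
		}
	} while (! PF_AEQ(&init_addr, naddr, af) );
	return (1);					/* none available */
}

/*
 * Select the translated address 'naddr' for 'saddr' from the rule's pool
 * according to the pool type (none, bitmask, random, source hash,
 * round-robin).
 *
 * If *sn is NULL and the pool is sticky, an existing source node for
 * 'saddr' is looked up first and its recorded address reused.  On
 * success the chosen address is also stored in (*sn)->raddr when a
 * source node is present.
 *
 * 'init_addr', when non-NULL and zero, receives the first address
 * handed out for the random and round-robin pools; pf_get_sport() uses
 * it to detect when the pool has cycled.
 *
 * Returns 0 on success, 1 when the pool entry is a no-route address,
 * a dynamic interface without an address of family 'af', a table
 * (supported only for round-robin), or an exhausted round-robin pool.
 *
 * NOTE(review): rpool->cur is dereferenced without a NULL check here,
 * unlike in pf_match_translation(); whether an active rule can have an
 * empty pool is not visible from this file.
 */
int
pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
    struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
{
	struct pf_pool		*rpool = &r->rpool;
	struct pf_addr		*raddr = NULL, *rmask = NULL;

	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		*sn = pf_find_src_node(saddr, r, af, 0);
		if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
			PF_ACPY(naddr, &(*sn)->raddr, af);
			if (V_pf_status.debug >= PF_DEBUG_MISC) {
				printf("pf_map_addr: src tracking maps ");
				pf_print_host(saddr, 0, af);
				printf(" to ");
				pf_print_host(naddr, 0, af);
				printf("\n");
			}
			return (0);
		}
	}

	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
		return (1);
	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
		switch (af) {
#ifdef INET
		case AF_INET:
			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
			break;
#endif /* INET */
#ifdef INET6
		case AF_INET6:
			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
			break;
#endif /* INET6 */
		}
	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
			return (1); /* unsupported */
	} else {
		raddr = &rpool->cur->addr.v.a.addr;
		rmask = &rpool->cur->addr.v.a.mask;
	}

	switch (rpool->opts & PF_POOL_TYPEMASK) {
	case PF_POOL_NONE:
		PF_ACPY(naddr, raddr, af);
		break;
	case PF_POOL_BITMASK:
		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
		break;
	case PF_POOL_RANDOM:
		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
			/*
			 * First call for this search: seed the pool counter
			 * randomly (only in the words the mask leaves free),
			 * later calls just step through the range.
			 */
			switch (af) {
#ifdef INET
			case AF_INET:
				rpool->counter.addr32[0] = htonl(arc4random());
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				if (rmask->addr32[3] != 0xffffffff)
					rpool->counter.addr32[3] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[2] != 0xffffffff)
					rpool->counter.addr32[2] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[1] != 0xffffffff)
					rpool->counter.addr32[1] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[0] != 0xffffffff)
					rpool->counter.addr32[0] =
					    htonl(arc4random());
				break;
#endif /* INET6 */
			}
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
			PF_ACPY(init_addr, naddr, af);

		} else {
			PF_AINC(&rpool->counter, af);
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
		}
		break;
	case PF_POOL_SRCHASH:
	    {
		/*
		 * A real pf_addr rather than a byte array cast to one:
		 * pf_hash() writes through addr32[], so the object must
		 * carry pf_addr's alignment and effective type.
		 */
		struct pf_addr	hash;

		pf_hash(saddr, &hash, &rpool->key, af);
		PF_POOLMASK(naddr, raddr, rmask, &hash, af);
		break;
	    }
	case PF_POOL_ROUNDROBIN:
	    {
		struct pf_pooladdr *acur = rpool->cur;

		/*
		 * XXXGL: in the round-robin case we need to store
		 * the round-robin machine state in the rule, thus
		 * forwarding thread needs to modify rule.
		 *
		 * This is done w/o locking, because performance is assumed
		 * more important than round-robin precision.
		 *
		 * In the simplest case we just update the "rpool->cur"
		 * pointer. However, if pool contains tables or dynamic
		 * addresses, then "tblidx" is also used to store machine
		 * state. Since "tblidx" is int, concurrent access to it can't
		 * lead to inconsistency, only to loss of precision.
		 *
		 * Things get worse, if table contains not hosts, but
		 * prefixes. In this case counter also stores machine state,
		 * and for IPv6 address, counter can't be updated atomically.
		 * Probably, using round-robin on a table containing IPv6
		 * prefixes (or even IPv4) would cause a panic.
		 */

		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			if (!pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af))
				goto get_addr;
		} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
			goto get_addr;

	try_next:
		/* Current entry exhausted: advance, wrapping to the head. */
		if (TAILQ_NEXT(rpool->cur, entries) == NULL)
			rpool->cur = TAILQ_FIRST(&rpool->list);
		else
			rpool->cur = TAILQ_NEXT(rpool->cur, entries);
		if (rpool->cur->addr.type == PF_ADDR_TABLE) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.tbl,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
			rpool->tblidx = -1;
			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
			    &rpool->tblidx, &rpool->counter, af)) {
				/* table contains no address of type 'af' */
				if (rpool->cur != acur)
					goto try_next;
				return (1);
			}
		} else {
			raddr = &rpool->cur->addr.v.a.addr;
			rmask = &rpool->cur->addr.v.a.mask;
			PF_ACPY(&rpool->counter, raddr, af);
		}

	get_addr:
		PF_ACPY(naddr, &rpool->counter, af);
		if (init_addr != NULL && PF_AZERO(init_addr, af))
			PF_ACPY(init_addr, naddr, af);
		PF_AINC(&rpool->counter, af);
		break;
	    }
	}
	if (*sn != NULL)
		PF_ACPY(&(*sn)->raddr, naddr, af);

	if (V_pf_status.debug >= PF_DEBUG_MISC &&
	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		printf("pf_map_addr: selected address ");
		pf_print_host(naddr, 0, af);
		printf("\n");
	}

	return (0);
}

/*
 * Find the translation rule (NAT, BINAT or RDR) applying to the packet
 * and compute the translated state key.
 *
 * Outbound packets consult the BINAT then NAT rulesets; inbound packets
 * consult RDR then BINAT.  Caller must hold the rules read lock and pass
 * *skp == *nkp == NULL.
 *
 * On success returns the rule, with *skp set to the key built from the
 * original addresses/ports and *nkp to a clone whose addr[1]/port[1]
 * hold the translated values (only one side is rewritten here).
 *
 * Returns NULL, with *skp and *nkp freed and reset to NULL, when no rule
 * matches, the rule is a no-translation rule, key allocation fails,
 * address/port selection fails, or the translation leaves the key
 * unchanged.  'sn' is passed through to pf_map_addr() for sticky
 * source tracking.
 */
struct pf_rule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
    struct pfi_kif *kif, struct pf_src_node **sn,
    struct pf_state_key **skp, struct pf_state_key **nkp,
    struct pf_addr *saddr, struct pf_addr *daddr,
    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule	*r = NULL;
	struct pf_addr	*naddr;
	uint16_t	*nport;

	PF_RULES_RASSERT();
	KASSERT(*skp == NULL, ("*skp not NULL"));
	KASSERT(*nkp == NULL, ("*nkp not NULL"));

	if (direction == PF_OUT) {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_NAT,
			    anchor_stack);
	} else {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_BINAT,
			    anchor_stack);
	}

	if (r == NULL)
		return (NULL);

	switch (r->action) {
	case PF_NONAT:
	case PF_NOBINAT:
	case PF_NORDR:
		return (NULL);
	}

	*skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
	if (*skp == NULL)
		return (NULL);
	*nkp = pf_state_key_clone(*skp);
	if (*nkp == NULL) {
		/*
		 * Release the key object itself (*skp), not the caller's
		 * pointer variable (skp): the latter was never a zone
		 * allocation and handing it to uma_zfree corrupts the zone.
		 */
		uma_zfree(V_pf_state_key_z, *skp);
		*skp = NULL;
		return (NULL);
	}

	/* XXX We only modify one side for now. */
	naddr = &(*nkp)->addr[1];
	nport = &(*nkp)->port[1];

	switch (r->action) {
	case PF_NAT:
		if (pf_get_sport(pd->af, pd->proto, r, saddr, daddr, dport,
		    naddr, nport, r->rpool.proxy_port[0],
		    r->rpool.proxy_port[1], sn)) {
			DPFPRINTF(PF_DEBUG_MISC,
			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
			goto notrans;
		}
		break;
	case PF_BINAT:
		switch (direction) {
		case PF_OUT:
			if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr4,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask4, saddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr6,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask6, saddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr,
				    &r->rpool.cur->addr.v.a.addr,
				    &r->rpool.cur->addr.v.a.mask, saddr,
				    pd->af);
			break;
		case PF_IN:
			/* Inbound BINAT maps the destination back through
			 * the rule's source specification. */
			if (r->src.addr.type == PF_ADDR_DYNIFTL) {
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->src.addr.p.dyn->pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr4,
					    &r->src.addr.p.dyn->pfid_mask4,
					    daddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->src.addr.p.dyn->pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr6,
					    &r->src.addr.p.dyn->pfid_mask6,
					    daddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,
				    &r->src.addr.v.a.mask, daddr, pd->af);
			break;
		}
		break;
	case PF_RDR: {
		if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
			goto notrans;
		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,
			    daddr, pd->af);

		if (r->rpool.proxy_port[1]) {
			uint32_t tmp_nport;

			/*
			 * Port range redirection: offset of dport within
			 * the rule's dst port range, taken modulo the size
			 * of the proxy range, rebased onto the proxy range.
			 */
			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %
			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +
			    1)) + r->rpool.proxy_port[0];

			/* Wrap around if necessary. */
			if (tmp_nport > 65535)
				tmp_nport -= 65535;
			*nport = htons((uint16_t)tmp_nport);
		} else if (r->rpool.proxy_port[0])
			*nport = htons(r->rpool.proxy_port[0]);
		break;
	}
	default:
		panic("%s: unknown action %u", __func__, r->action);
	}

	/* Return success only if translation really happened. */
	if (bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp)))
		return (r);

notrans:
	uma_zfree(V_pf_state_key_z, *nkp);
	uma_zfree(V_pf_state_key_z, *skp);
	*skp = *nkp = NULL;

	return (NULL);
}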