1 /*- 2 * Copyright (c) 2001 Daniel Hartmeier 3 * Copyright (c) 2002 - 2008 Henning Brauer 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * - Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * - Redistributions in binary form must reproduce the above 13 * copyright notice, this list of conditions and the following 14 * disclaimer in the documentation and/or other materials provided 15 * with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 21 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 25 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 27 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 * 30 * Effort sponsored in part by the Defense Advanced Research Projects 31 * Agency (DARPA) and Air Force Research Laboratory, Air Force 32 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 
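 *
 * $OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_pf.h"
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/lock.h>
#include <sys/mbuf.h>
#include <sys/rwlock.h>
#include <sys/socket.h>
#include <sys/sysctl.h>

#include <net/if.h>
#include <net/vnet.h>
#include <net/pfvar.h>
#include <net/if_pflog.h>

#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

#ifdef INET6
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#endif

/*
 * Debug printf: x is a parenthesised printf argument list, emitted only
 * when the pf debug level is at least n.  The expansion is an unbraced
 * if, so a DPFPRINTF() must never be directly followed by an else.
 */
#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x

static void		 pf_hash(struct pf_addr *, struct pf_addr *,
			    struct pf_poolhashkey *, sa_family_t);
static struct pf_rule	*pf_match_translation(struct pf_pdesc *, struct mbuf *,
			    int, int, struct pfi_kif *,
			    struct pf_addr *, u_int16_t, struct pf_addr *,
			    uint16_t, int, struct pf_anchor_stackframe *);
static int		 pf_get_sport(sa_family_t, uint8_t, struct pf_rule *,
			    struct pf_addr *, uint16_t, struct pf_addr *,
			    uint16_t, struct pf_addr *, uint16_t *, uint16_t,
			    uint16_t, struct pf_src_node **);

/*
 * One round of Bob Jenkins' lookup2 mixing step over three 32-bit words.
 * Arguments are evaluated many times; pass plain lvalues only.
 */
#define mix(a,b,c) \
	do {					\
		a -= b; a -= c; a ^= (c >> 13);	\
		b -= c; b -= a; b ^= (a << 8);	\
		c -= a; c -= b; c ^= (b >> 13);	\
		a -= b; a -= c; a ^= (c >> 12);	\
		b -= c; b -= a; b ^= (a << 16);	\
		c -= a; c -= b; c ^= (b >> 5);	\
		a -= b; a -= c; a ^= (c >> 3);	\
		b -= c; b -= a; b ^= (a << 10);	\
		c -= a; c -= b; c ^= (b >> 15);	\
	} while (0)

/*
 * hash function based on bridge_hash in if_bridge.c
 *
 * Mix the address inaddr with the pool hash key into hash, per address
 * family.  For AF_INET only hash->addr32[0] is written; for AF_INET6 all
 * four words are.  Any other af leaves hash untouched.  The key makes the
 * mapping unpredictable to anyone who does not know it.
 */
static void
pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
    struct pf_poolhashkey *key, sa_family_t af)
{
	u_int32_t	a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];

	switch (af) {
#ifdef INET
	case AF_INET:
		a += inaddr->addr32[0];
		b += key->key32[1];
		mix(a, b, c);
		hash->addr32[0] = c + key->key32[2];
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		a += inaddr->addr32[0];
		b += inaddr->addr32[2];
		mix(a, b, c);
		hash->addr32[0] = c;
		a += inaddr->addr32[1];
		b += inaddr->addr32[3];
		c += key->key32[1];
		mix(a, b, c);
		hash->addr32[1] = c;
		a += inaddr->addr32[2];
		b += inaddr->addr32[1];
		c += key->key32[2];
		mix(a, b, c);
		hash->addr32[2] = c;
		a += inaddr->addr32[3];
		b += inaddr->addr32[0];
		c += key->key32[3];
		mix(a, b, c);
		hash->addr32[3] = c;
		break;
#endif /* INET6 */
	}
}

/*
 * Walk the active ruleset rs_num (BINAT, NAT or RDR) and return the first
 * translation rule matching the packet described by pd/m, or NULL.
 *
 * For a BINAT rule evaluated inbound the rule is applied in reverse: its
 * dst is matched against the packet source and its pool address (if any)
 * against the packet destination.  r->evaluations is incremented for every
 * rule inspected; anchors are descended with pf_step_into_anchor().
 *
 * Side effects once the walk ends: the packet is tagged with the last
 * matching rule's tag (a pf_tag_packet() failure makes the function return
 * NULL) and its FIB is set from the last matching rtableid.  A matching
 * "no nat"/"no rdr"/"no binat" rule also yields NULL, so callers cannot
 * tell it apart from "no rule matched".
 */
static struct pf_rule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
    int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
    struct pf_addr *daddr, uint16_t dport, int rs_num,
    struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule		*r, *rm = NULL;
	struct pf_ruleset	*ruleset = NULL;
	int			 tag = -1;
	int			 rtableid = -1;
	int			 asd = 0;

	r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
	while (r && rm == NULL) {
		struct pf_rule_addr	*src = NULL, *dst = NULL;
		struct pf_addr_wrap	*xdst = NULL;

		if (r->action == PF_BINAT && direction == PF_IN) {
			src = &r->dst;
			if (r->rpool.cur != NULL)
				xdst = &r->rpool.cur->addr;
		} else {
			src = &r->src;
			dst = &r->dst;
		}

		r->evaluations++;
		/*
		 * Each mismatch jumps via the precomputed skip list to the
		 * next rule that differs in that field; the skip slot is
		 * chosen by which rule field was compared (for reversed
		 * BINAT, src points at r->dst).
		 */
		if (pfi_kif_match(r->kif, kif) == r->ifnot)
			r = r->skip[PF_SKIP_IFP].ptr;
		else if (r->direction && r->direction != direction)
			r = r->skip[PF_SKIP_DIR].ptr;
		else if (r->af && r->af != pd->af)
			r = r->skip[PF_SKIP_AF].ptr;
		else if (r->proto && r->proto != pd->proto)
			r = r->skip[PF_SKIP_PROTO].ptr;
		else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
		    src->neg, kif, M_GETFIB(m)))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
			    PF_SKIP_DST_ADDR].ptr;
		else if (src->port_op && !pf_match_port(src->port_op,
		    src->port[0], src->port[1], sport))
			r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
			    PF_SKIP_DST_PORT].ptr;
		else if (dst != NULL &&
		    PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
		    M_GETFIB(m)))
			r = r->skip[PF_SKIP_DST_ADDR].ptr;
		else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
		    0, NULL, M_GETFIB(m)))
			r = TAILQ_NEXT(r, entries);
		else if (dst != NULL && dst->port_op &&
		    !pf_match_port(dst->port_op, dst->port[0],
		    dst->port[1], dport))
			r = r->skip[PF_SKIP_DST_PORT].ptr;
		else if (r->match_tag && !pf_match_tag(m, r, &tag,
		    pd->pf_mtag ? pd->pf_mtag->tag : 0))
			r = TAILQ_NEXT(r, entries);
		else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
		    IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
		    off, pd->hdr.tcp), r->os_fingerprint)))
			r = TAILQ_NEXT(r, entries);
		else {
			if (r->tag)
				tag = r->tag;
			if (r->rtableid >= 0)
				rtableid = r->rtableid;
			if (r->anchor == NULL) {
				rm = r;
			} else
				pf_step_into_anchor(anchor_stack, &asd,
				    &ruleset, rs_num, &r, NULL, NULL);
		}
		if (r == NULL)
			pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
			    rs_num, &r, NULL, NULL);
	}

	if (tag > 0 && pf_tag_packet(m, pd, tag))
		return (NULL);
	if (rtableid >= 0)
		M_SETFIB(m, rtableid);

	if (rm != NULL && (rm->action == PF_NONAT ||
	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
		return (NULL);
	return (rm);
}

/*
 * Pick a translated source address (naddr) and, for ICMP echo, a
 * translated id (*nport) for the NAT rule r.
 *
 * The address comes from pf_map_addr().  low/high bound the candidate
 * range in host byte order; a search starts at a random cut and scans
 * upward then downward, skipping any candidate for which a state keyed on
 * (daddr, dport) <-> (naddr, candidate) already exists
 * (pf_find_state_all).  When the range is exhausted and the pool is
 * random or round-robin, the next pool address is tried until the first
 * one (init_addr) comes around again.  *nport is written in network byte
 * order; sport/dport are expected in network byte order as well.
 *
 * NOTE(review): the proto switch below returns 0 for every protocol other
 * than ICMP/ICMPv6 echo, so the TCP/UDP branch of the search loop is
 * unreachable for TCP/UDP and *nport is left untouched for them — confirm
 * whether the default arm was meant to `break` rather than return.
 *
 * Returns 0 on success (or when nothing had to be translated), 1 when no
 * free mapping could be found.
 */
static int
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
    struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,
    uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,
    uint16_t high, struct pf_src_node **sn)
{
	struct pf_state_key_cmp	key;
	struct pf_addr		init_addr;
	uint16_t		cut;

	bzero(&init_addr, sizeof(init_addr));
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
		return (1);

	switch (proto) {
	case IPPROTO_ICMP:
		if (dport != ICMP_ECHO)
			return (0);
		low = 1;
		high = 65535;
		break;
#ifdef INET6
	case IPPROTO_ICMPV6:
		/*
		 * NOTE(review): compared against ICMP_ECHO, the IPv4 echo
		 * type; verify the ICMPv6 caller passes a value for which
		 * this comparison is meaningful (ICMP6_ECHO_REQUEST differs).
		 */
		if (dport != ICMP_ECHO)
			return (0);
		low = 1;
		high = 65535;
		break;
#endif
	default:
		return (0); /* Don't try to modify non-echo ICMP */
	}

	bzero(&key, sizeof(key));
	key.af = af;
	key.proto = proto;
	key.port[0] = dport;
	PF_ACPY(&key.addr[0], daddr, key.af);

	do {
		PF_ACPY(&key.addr[1], naddr, key.af);

		/*
		 * port search; start random, step;
		 * similar 2 portloop in in_pcbbind
		 */
		if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
		    proto == IPPROTO_ICMP) || (low == 0 && high == 0)) {
			/*
			 * XXX bug: icmp states don't use the id on both sides.
			 * (traceroute -I through nat)
			 */
			key.port[1] = sport;
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = sport;
				return (0);
			}
		} else if (low == high) {
			key.port[1] = htons(low);
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
				*nport = htons(low);
				return (0);
			}
		} else {
			/*
			 * tmp is wider than a port on purpose: with a
			 * uint16_t counter the ascending scan could never
			 * leave "tmp <= high" when high == 65535 (it would
			 * wrap to 0), and the descending scan could never
			 * leave "tmp >= low" when low == 0, so an exhausted
			 * range spun forever in the forwarding path.
			 */
			uint32_t tmp;

			if (low > high) {
				tmp = low;
				low = high;
				high = tmp;
			}
			/* low < high */
			cut = htonl(arc4random()) % (1 + high - low) + low;
			/* low <= cut <= high */
			for (tmp = cut; tmp <= high; ++tmp) {
				key.port[1] = htons((uint16_t)tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons((uint16_t)tmp);
					return (0);
				}
			}
			/* Now cut - 1 down to low, inclusive. */
			for (tmp = cut; tmp > low; ) {
				--tmp;
				key.port[1] = htons((uint16_t)tmp);
				if (pf_find_state_all(&key, PF_IN, NULL) ==
				    NULL) {
					*nport = htons((uint16_t)tmp);
					return (0);
				}
			}
		}

		/*
		 * Range exhausted on this pool address: advance to the next
		 * one where the pool type allows it, otherwise give up.
		 */
		switch (r->rpool.opts & PF_POOL_TYPEMASK) {
		case PF_POOL_RANDOM:
		case PF_POOL_ROUNDROBIN:
			if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
				return (1);
			break;
		case PF_POOL_NONE:
		case PF_POOL_SRCHASH:
		case PF_POOL_BITMASK:
		default:
			return (1);
		}
	} while (! PF_AEQ(&init_addr, naddr, af) );
	return (1);					/* none available */
}

/*
 * Select the pool address for rule r and store it in naddr.
 *
 * Sticky-address pools first reuse the address recorded in the source node
 * *sn when one is found and non-zero.  Otherwise the address is derived
 * from the current pool entry rpool->cur according to the pool type:
 * none (the entry's address), bitmask (saddr under rmask), random
 * (arc4random()-seeded counter), source hash (pf_hash() of saddr) or
 * round-robin (walking the pool list and its tables; machine state lives
 * in rpool->cur, rpool->tblidx and rpool->counter).  When init_addr is
 * non-NULL and zero, the first address chosen by random/round-robin is
 * copied into it so callers can detect when the pool has wrapped around.
 * On success the chosen address is also recorded in (*sn)->raddr when
 * *sn is set.
 *
 * Returns 0 on success, 1 when no usable address exists (noroute pool,
 * dynamic interface with no address of this family, table with a pool
 * type other than round-robin).
 *
 * NOTE(review): rpool->cur is dereferenced unconditionally, while
 * pf_match_translation() tolerates a NULL rpool.cur; presumably every rule
 * reaching this function carries a pool — confirm against the callers.
 */
int
pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
    struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
{
	struct pf_pool		*rpool = &r->rpool;
	struct pf_addr		*raddr = NULL, *rmask = NULL;

	if (*sn == NULL && (r->rpool.opts & PF_POOL_STICKYADDR) &&
	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		*sn = pf_find_src_node(saddr, r, af, 0);
		if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
			PF_ACPY(naddr, &(*sn)->raddr, af);
			if (V_pf_status.debug >= PF_DEBUG_MISC) {
				printf("pf_map_addr: src tracking maps ");
				pf_print_host(saddr, 0, af);
				printf(" to ");
				pf_print_host(naddr, 0, af);
				printf("\n");
			}
			return (0);
		}
	}

	if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
		return (1);
	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
		switch (af) {
#ifdef INET
		case AF_INET:
			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
			break;
#endif /* INET */
#ifdef INET6
		case AF_INET6:
			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
			    (rpool->opts & PF_POOL_TYPEMASK) !=
			    PF_POOL_ROUNDROBIN)
				return (1);
			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
			break;
#endif /* INET6 */
		}
	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
		if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
			return (1); /* unsupported */
	} else {
		raddr = &rpool->cur->addr.v.a.addr;
		rmask = &rpool->cur->addr.v.a.mask;
	}

	switch (rpool->opts & PF_POOL_TYPEMASK) {
	case PF_POOL_NONE:
		PF_ACPY(naddr, raddr, af);
		break;
	case PF_POOL_BITMASK:
		PF_POOLMASK(naddr, raddr, rmask, saddr, af);
		break;
	case PF_POOL_RANDOM:
		if (init_addr != NULL && PF_AZERO(init_addr, af)) {
			/*
			 * First pick: randomise the counter, but only the
			 * words that the mask leaves variable (stop at the
			 * first fully-masked word, scanning from the low end).
			 */
			switch (af) {
#ifdef INET
			case AF_INET:
				rpool->counter.addr32[0] = htonl(arc4random());
				break;
#endif /* INET */
#ifdef INET6
			case AF_INET6:
				if (rmask->addr32[3] != 0xffffffff)
					rpool->counter.addr32[3] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[2] != 0xffffffff)
					rpool->counter.addr32[2] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[1] != 0xffffffff)
					rpool->counter.addr32[1] =
					    htonl(arc4random());
				else
					break;
				if (rmask->addr32[0] != 0xffffffff)
					rpool->counter.addr32[0] =
					    htonl(arc4random());
				break;
#endif /* INET6 */
			}
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
			PF_ACPY(init_addr, naddr, af);

		} else {
			/* Subsequent picks step the counter sequentially. */
			PF_AINC(&rpool->counter, af);
			PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
		}
		break;
	case PF_POOL_SRCHASH:
		{
			/*
			 * A real struct pf_addr rather than a char[16] cast
			 * to one: same size, but properly aligned and typed
			 * for pf_hash() and PF_POOLMASK().
			 */
			struct pf_addr	hash;

			pf_hash(saddr, &hash, &rpool->key, af);
			PF_POOLMASK(naddr, raddr, rmask, &hash, af);
			break;
		}
	case PF_POOL_ROUNDROBIN:
		{
			struct pf_pooladdr *acur = rpool->cur;

			/*
			 * XXXGL: in the round-robin case we need to store
			 * the round-robin machine state in the rule, thus
			 * forwarding thread needs to modify rule.
			 *
			 * This is done w/o locking, because performance is assumed
			 * more important than round-robin precision.
			 *
			 * In the simplest case we just update the "rpool->cur"
			 * pointer. However, if pool contains tables or dynamic
			 * addresses, then "tblidx" is also used to store machine
			 * state. Since "tblidx" is int, concurrent access to it can't
			 * lead to inconsistency, only to loss of precision.
			 *
			 * Things get worse, if table contains not hosts, but
			 * prefixes. In this case counter also stores machine state,
			 * and for IPv6 address, counter can't be updated atomically.
			 * Probably, using round-robin on a table containing IPv6
			 * prefixes (or even IPv4) would cause a panic.
			 */

			if (rpool->cur->addr.type == PF_ADDR_TABLE) {
				if (!pfr_pool_get(rpool->cur->addr.p.tbl,
				    &rpool->tblidx, &rpool->counter, af))
					goto get_addr;
			} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
				if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
				    &rpool->tblidx, &rpool->counter, af))
					goto get_addr;
			} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
				goto get_addr;

		try_next:
			/*
			 * Current entry is exhausted: move to the next pool
			 * entry (wrapping to the head) and restart its
			 * table index; give up once we are back at acur.
			 */
			if (TAILQ_NEXT(rpool->cur, entries) == NULL)
				rpool->cur = TAILQ_FIRST(&rpool->list);
			else
				rpool->cur = TAILQ_NEXT(rpool->cur, entries);
			if (rpool->cur->addr.type == PF_ADDR_TABLE) {
				rpool->tblidx = -1;
				if (pfr_pool_get(rpool->cur->addr.p.tbl,
				    &rpool->tblidx, &rpool->counter, af)) {
					/* table contains no address of type 'af' */
					if (rpool->cur != acur)
						goto try_next;
					return (1);
				}
			} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
				rpool->tblidx = -1;
				if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
				    &rpool->tblidx, &rpool->counter, af)) {
					/* table contains no address of type 'af' */
					if (rpool->cur != acur)
						goto try_next;
					return (1);
				}
			} else {
				raddr = &rpool->cur->addr.v.a.addr;
				rmask = &rpool->cur->addr.v.a.mask;
				PF_ACPY(&rpool->counter, raddr, af);
			}

		get_addr:
			PF_ACPY(naddr, &rpool->counter, af);
			if (init_addr != NULL && PF_AZERO(init_addr, af))
				PF_ACPY(init_addr, naddr, af);
			PF_AINC(&rpool->counter, af);
			break;
		}
	}
	if (*sn != NULL)
		PF_ACPY(&(*sn)->raddr, naddr, af);

	if (V_pf_status.debug >= PF_DEBUG_MISC &&
	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
		printf("pf_map_addr: selected address ");
		pf_print_host(naddr, 0, af);
		printf("\n");
	}

	return (0);
}

/*
 * Find the translation rule applying to the packet and build the state key
 * pair: *skp holds the original addresses/ports, *nkp the translated ones.
 *
 * Rule lookup order is BINAT then NAT for outbound packets, RDR then BINAT
 * for inbound.  Only one side of the translated key is modified (addr[1],
 * port[1]).  On success both keys are allocated from V_pf_state_key_z and
 * ownership passes to the caller together with the matched rule; when no
 * rule applies, no mapping is available, or the translated key equals the
 * original, both keys are freed, *skp/*nkp are left NULL and NULL is
 * returned.  *sn may be set by pf_map_addr() as a side effect.
 *
 * Must be called with the rules lock held for reading (PF_RULES_RASSERT);
 * *skp and *nkp must be NULL on entry.
 */
struct pf_rule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
    struct pfi_kif *kif, struct pf_src_node **sn,
    struct pf_state_key **skp, struct pf_state_key **nkp,
    struct pf_addr *saddr, struct pf_addr *daddr,
    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)
{
	struct pf_rule	*r = NULL;
	struct pf_addr	*naddr;
	uint16_t	*nport;

	PF_RULES_RASSERT();
	KASSERT(*skp == NULL, ("*skp not NULL"));
	KASSERT(*nkp == NULL, ("*nkp not NULL"));

	if (direction == PF_OUT) {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_NAT,
			    anchor_stack);
	} else {
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_BINAT,
			    anchor_stack);
	}

	if (r == NULL)
		return (NULL);

	/* pf_match_translation() already filters these; kept as a guard. */
	switch (r->action) {
	case PF_NONAT:
	case PF_NOBINAT:
	case PF_NORDR:
		return (NULL);
	}

	*skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
	if (*skp == NULL)
		return (NULL);
	*nkp = pf_state_key_clone(*skp);
	if (*nkp == NULL) {
		/*
		 * Free the key itself, not the caller's pointer to it
		 * (was "skp"; mirrors the notrans: path below).
		 */
		uma_zfree(V_pf_state_key_z, *skp);
		*skp = NULL;
		return (NULL);
	}

	/* XXX We only modify one side for now. */
	naddr = &(*nkp)->addr[1];
	nport = &(*nkp)->port[1];

	switch (r->action) {
	case PF_NAT:
		if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr,
		    dport, naddr, nport, r->rpool.proxy_port[0],
		    r->rpool.proxy_port[1], sn)) {
			DPFPRINTF(PF_DEBUG_MISC,
			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
			goto notrans;
		}
		break;
	case PF_BINAT:
		switch (direction) {
		case PF_OUT:
			if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL) {
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr4,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask4, saddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->rpool.cur->addr.p.dyn->
					    pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_addr6,
					    &r->rpool.cur->addr.p.dyn->
					    pfid_mask6, saddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr,
				    &r->rpool.cur->addr.v.a.addr,
				    &r->rpool.cur->addr.v.a.mask, saddr,
				    pd->af);
			break;
		case PF_IN:
			/* Inbound BINAT maps the destination back to r->src. */
			if (r->src.addr.type == PF_ADDR_DYNIFTL) {
				switch (pd->af) {
#ifdef INET
				case AF_INET:
					if (r->src.addr.p.dyn->pfid_acnt4 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr4,
					    &r->src.addr.p.dyn->pfid_mask4,
					    daddr, AF_INET);
					break;
#endif /* INET */
#ifdef INET6
				case AF_INET6:
					if (r->src.addr.p.dyn->pfid_acnt6 < 1)
						goto notrans;
					PF_POOLMASK(naddr,
					    &r->src.addr.p.dyn->pfid_addr6,
					    &r->src.addr.p.dyn->pfid_mask6,
					    daddr, AF_INET6);
					break;
#endif /* INET6 */
				}
			} else
				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,
				    &r->src.addr.v.a.mask, daddr, pd->af);
			break;
		}
		break;
	case PF_RDR: {
		if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
			goto notrans;
		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)
			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,
			    daddr, pd->af);

		if (r->rpool.proxy_port[1]) {
			uint32_t tmp_nport;

			/*
			 * Map the offset of dport within the rule's dst port
			 * range onto the proxy port range (host order).
			 * NOTE(review): ntohs() yields int, so if dport can be
			 * below r->dst.port[0] for this rule the remainder is
			 * negative and the uint16_t cast below yields an
			 * arbitrary port — verify the port match excludes this.
			 */
			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %
			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +
			    1)) + r->rpool.proxy_port[0];

			/* Wrap around if necessary. */
			if (tmp_nport > 65535)
				tmp_nport -= 65535;
			*nport = htons((uint16_t)tmp_nport);
		} else if (r->rpool.proxy_port[0])
			*nport = htons(r->rpool.proxy_port[0]);
		break;
	}
	default:
		panic("%s: unknown action %u", __func__, r->action);
	}

	/* Return success only if translation really happened. */
	if (bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp)))
		return (r);

notrans:
	uma_zfree(V_pf_state_key_z, *nkp);
	uma_zfree(V_pf_state_key_z, *skp);
	*skp = *nkp = NULL;

	return (NULL);
}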