xref: /titanic_41/usr/src/uts/common/inet/ipf/ip_state.c (revision 2dd2efa5a06a9befe46075cf41e16f57533c9f98)
1 /*
2  * Copyright (C) 1995-2003 by Darren Reed.
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
7  * Use is subject to license terms.
8  */
9 
10 #pragma ident	"%Z%%M%	%I%	%E% SMI"
11 
12 #if defined(KERNEL) || defined(_KERNEL)
13 # undef KERNEL
14 # undef _KERNEL
15 # define        KERNEL	1
16 # define        _KERNEL	1
17 #endif
18 #include <sys/errno.h>
19 #include <sys/types.h>
20 #include <sys/param.h>
21 #include <sys/file.h>
22 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
23     defined(_KERNEL)
24 # include "opt_ipfilter_log.h"
25 #endif
26 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
27     (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
28 #include "opt_inet6.h"
29 #endif
30 #if !defined(_KERNEL) && !defined(__KERNEL__)
31 # include <stdio.h>
32 # include <stdlib.h>
33 # include <string.h>
34 # define _KERNEL
35 # ifdef __OpenBSD__
36 struct file;
37 # endif
38 # include <sys/uio.h>
39 # undef _KERNEL
40 #endif
41 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
42 # include <sys/filio.h>
43 # include <sys/fcntl.h>
44 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
45 #  include "opt_ipfilter.h"
46 # endif
47 #else
48 # include <sys/ioctl.h>
49 #endif
50 #include <sys/time.h>
51 #if !defined(linux)
52 # include <sys/protosw.h>
53 #endif
54 #include <sys/socket.h>
55 #if defined(_KERNEL)
56 # include <sys/systm.h>
57 # if !defined(__SVR4) && !defined(__svr4__)
58 #  include <sys/mbuf.h>
59 # endif
60 #endif
61 #if defined(__SVR4) || defined(__svr4__)
62 # include <sys/filio.h>
63 # include <sys/byteorder.h>
64 # ifdef _KERNEL
65 #  include <sys/dditypes.h>
66 # endif
67 # include <sys/stream.h>
68 # include <sys/kmem.h>
69 #endif
70 
71 #include <net/if.h>
72 #ifdef sun
73 # include <net/af.h>
74 #endif
75 #include <net/route.h>
76 #include <netinet/in.h>
77 #include <netinet/in_systm.h>
78 #include <netinet/ip.h>
79 #include <netinet/tcp.h>
80 #if !defined(linux)
81 # include <netinet/ip_var.h>
82 #endif
83 #if !defined(__hpux) && !defined(linux)
84 # include <netinet/tcp_fsm.h>
85 #endif
86 #include <netinet/udp.h>
87 #include <netinet/ip_icmp.h>
88 #include "netinet/ip_compat.h"
89 #include <netinet/tcpip.h>
90 #include "netinet/ip_fil.h"
91 #include "netinet/ip_nat.h"
92 #include "netinet/ip_frag.h"
93 #include "netinet/ip_state.h"
94 #include "netinet/ip_proxy.h"
95 #include "netinet/ipf_stack.h"
96 #ifdef	IPFILTER_SYNC
97 #include "netinet/ip_sync.h"
98 #endif
99 #ifdef	IPFILTER_SCAN
100 #include "netinet/ip_scan.h"
101 #endif
102 #ifdef	USE_INET6
103 #include <netinet/icmp6.h>
104 #endif
105 #if (__FreeBSD_version >= 300000)
106 # include <sys/malloc.h>
107 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
108 #  include <sys/libkern.h>
109 #  include <sys/systm.h>
110 # endif
111 #endif
112 /* END OF INCLUDES */
113 
114 
115 #if !defined(lint)
116 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
117 static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.36 2005/08/11 19:58:03 darrenr Exp $";
118 #endif
119 
120 #ifdef	USE_INET6
121 static ipstate_t *fr_checkicmp6matchingstate __P((fr_info_t *));
122 #endif
123 static ipstate_t *fr_matchsrcdst __P((fr_info_t *, ipstate_t *, i6addr_t *,
124 				      i6addr_t *, tcphdr_t *, u_32_t));
125 static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *));
126 static int fr_state_flush __P((int, int, ipf_stack_t *));
127 static ips_stat_t *fr_statetstats __P((ipf_stack_t *));
128 static void fr_delstate __P((ipstate_t *, int, ipf_stack_t *));
129 static int fr_state_remove __P((caddr_t, ipf_stack_t *));
130 static void fr_ipsmove __P((ipstate_t *, u_int, ipf_stack_t *));
131 static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *));
132 static int fr_tcpoptions __P((fr_info_t *, tcphdr_t *, tcpdata_t *));
133 static ipstate_t *fr_stclone __P((fr_info_t *, tcphdr_t *, ipstate_t *));
134 static void fr_fixinisn __P((fr_info_t *, ipstate_t *));
135 static void fr_fixoutisn __P((fr_info_t *, ipstate_t *));
136 static void fr_checknewisn __P((fr_info_t *, ipstate_t *));
137 static int fr_stateiter __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *));
138 
139 int fr_stputent __P((caddr_t, ipf_stack_t *));
140 int fr_stgetent __P((caddr_t, ipf_stack_t *));
141 
142 #define	ONE_DAY		IPF_TTLVAL(1 * 86400)	/* 1 day */
143 #define	FIVE_DAYS	(5 * ONE_DAY)
144 #define	DOUBLE_HASH(x, ifs)	\
145     (((x) + ifs->ifs_ips_seed[(x) % ifs->ifs_fr_statesize]) % ifs->ifs_fr_statesize)
146 
147 
148 
149 /* ------------------------------------------------------------------------ */
150 /* Function:    fr_stateinit                                                */
151 /* Returns:     int - 0 == success, -1 == failure                           */
152 /* Parameters:  Nil                                                         */
153 /*                                                                          */
154 /* Initialise all the global variables used within the state code.          */
155 /* This action also includes initiailising locks.                           */
156 /* ------------------------------------------------------------------------ */
157 int fr_stateinit(ifs)
158 ipf_stack_t *ifs;
159 {
160 	int i;
161 
162 	KMALLOCS(ifs->ifs_ips_table, ipstate_t **,
163 		 ifs->ifs_fr_statesize * sizeof(ipstate_t *));
164 	if (ifs->ifs_ips_table == NULL)
165 		return -1;
166 	bzero((char *)ifs->ifs_ips_table,
167 	      ifs->ifs_fr_statesize * sizeof(ipstate_t *));
168 
169 	KMALLOCS(ifs->ifs_ips_seed, u_long *,
170 		 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_seed));
171 	if (ifs->ifs_ips_seed == NULL)
172 		return -2;
173 	for (i = 0; i < ifs->ifs_fr_statesize; i++) {
174 		/*
175 		 * XXX - ips_seed[X] should be a random number of sorts.
176 		 */
177 #if  (__FreeBSD_version >= 400000)
178 		ifs->ifs_ips_seed[i] = arc4random();
179 #else
180 		ifs->ifs_ips_seed[i] = ((u_long)ifs->ifs_ips_seed + i) *
181 		    ifs->ifs_fr_statesize;
182 		ifs->ifs_ips_seed[i] ^= 0xa5a55a5a;
183 		ifs->ifs_ips_seed[i] *= (u_long)ifs->ifs_ips_seed;
184 		ifs->ifs_ips_seed[i] ^= 0x5a5aa5a5;
185 		ifs->ifs_ips_seed[i] *= ifs->ifs_fr_statemax;
186 #endif
187 	}
188 
189 	/* fill icmp reply type table */
190 	for (i = 0; i <= ICMP_MAXTYPE; i++)
191 		icmpreplytype4[i] = -1;
192 	icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY;
193 	icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
194 	icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
195 	icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
196 #ifdef	USE_INET6
197 	/* fill icmp reply type table */
198 	for (i = 0; i <= ICMP6_MAXTYPE; i++)
199 		icmpreplytype6[i] = -1;
200 	icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY;
201 	icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT;
202 	icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY;
203 	icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT;
204 	icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT;
205 #endif
206 
207 	KMALLOCS(ifs->ifs_ips_stats.iss_bucketlen, u_long *,
208 		 ifs->ifs_fr_statesize * sizeof(u_long));
209 	if (ifs->ifs_ips_stats.iss_bucketlen == NULL)
210 		return -1;
211 	bzero((char *)ifs->ifs_ips_stats.iss_bucketlen,
212 	      ifs->ifs_fr_statesize * sizeof(u_long));
213 
214 	if (ifs->ifs_fr_state_maxbucket == 0) {
215 		for (i = ifs->ifs_fr_statesize; i > 0; i >>= 1)
216 			ifs->ifs_fr_state_maxbucket++;
217 		ifs->ifs_fr_state_maxbucket *= 2;
218 	}
219 
220 	fr_sttab_init(ifs->ifs_ips_tqtqb, ifs);
221 	ifs->ifs_ips_tqtqb[IPF_TCP_NSTATES - 1].ifq_next = &ifs->ifs_ips_udptq;
222 	ifs->ifs_ips_udptq.ifq_ttl = (u_long)ifs->ifs_fr_udptimeout;
223 	ifs->ifs_ips_udptq.ifq_ref = 1;
224 	ifs->ifs_ips_udptq.ifq_head = NULL;
225 	ifs->ifs_ips_udptq.ifq_tail = &ifs->ifs_ips_udptq.ifq_head;
226 	MUTEX_INIT(&ifs->ifs_ips_udptq.ifq_lock, "ipftq udp tab");
227 	ifs->ifs_ips_udptq.ifq_next = &ifs->ifs_ips_udpacktq;
228 	ifs->ifs_ips_udpacktq.ifq_ttl = (u_long)ifs->ifs_fr_udpacktimeout;
229 	ifs->ifs_ips_udpacktq.ifq_ref = 1;
230 	ifs->ifs_ips_udpacktq.ifq_head = NULL;
231 	ifs->ifs_ips_udpacktq.ifq_tail = &ifs->ifs_ips_udpacktq.ifq_head;
232 	MUTEX_INIT(&ifs->ifs_ips_udpacktq.ifq_lock, "ipftq udpack tab");
233 	ifs->ifs_ips_udpacktq.ifq_next = &ifs->ifs_ips_icmptq;
234 	ifs->ifs_ips_icmptq.ifq_ttl = (u_long)ifs->ifs_fr_icmptimeout;
235 	ifs->ifs_ips_icmptq.ifq_ref = 1;
236 	ifs->ifs_ips_icmptq.ifq_head = NULL;
237 	ifs->ifs_ips_icmptq.ifq_tail = &ifs->ifs_ips_icmptq.ifq_head;
238 	MUTEX_INIT(&ifs->ifs_ips_icmptq.ifq_lock, "ipftq icmp tab");
239 	ifs->ifs_ips_icmptq.ifq_next = &ifs->ifs_ips_icmpacktq;
240 	ifs->ifs_ips_icmpacktq.ifq_ttl = (u_long)ifs->ifs_fr_icmpacktimeout;
241 	ifs->ifs_ips_icmpacktq.ifq_ref = 1;
242 	ifs->ifs_ips_icmpacktq.ifq_head = NULL;
243 	ifs->ifs_ips_icmpacktq.ifq_tail = &ifs->ifs_ips_icmpacktq.ifq_head;
244 	MUTEX_INIT(&ifs->ifs_ips_icmpacktq.ifq_lock, "ipftq icmpack tab");
245 	ifs->ifs_ips_icmpacktq.ifq_next = &ifs->ifs_ips_iptq;
246 	ifs->ifs_ips_iptq.ifq_ttl = (u_long)ifs->ifs_fr_iptimeout;
247 	ifs->ifs_ips_iptq.ifq_ref = 1;
248 	ifs->ifs_ips_iptq.ifq_head = NULL;
249 	ifs->ifs_ips_iptq.ifq_tail = &ifs->ifs_ips_iptq.ifq_head;
250 	MUTEX_INIT(&ifs->ifs_ips_iptq.ifq_lock, "ipftq ip tab");
251 	ifs->ifs_ips_iptq.ifq_next = &ifs->ifs_ips_deletetq;
252 	/* entry's ttl in deletetq is just 1 tick */
253 	ifs->ifs_ips_deletetq.ifq_ttl = (u_long) 1;
254 	ifs->ifs_ips_deletetq.ifq_ref = 1;
255 	ifs->ifs_ips_deletetq.ifq_head = NULL;
256 	ifs->ifs_ips_deletetq.ifq_tail = &ifs->ifs_ips_deletetq.ifq_head;
257 	MUTEX_INIT(&ifs->ifs_ips_deletetq.ifq_lock, "state delete queue");
258 	ifs->ifs_ips_deletetq.ifq_next = NULL;
259 
260 	RWLOCK_INIT(&ifs->ifs_ipf_state, "ipf IP state rwlock");
261 	MUTEX_INIT(&ifs->ifs_ipf_stinsert, "ipf state insert mutex");
262 	ifs->ifs_fr_state_init = 1;
263 
264 	ifs->ifs_ips_last_force_flush = ifs->ifs_fr_ticks;
265 	return 0;
266 }
267 
268 
269 /* ------------------------------------------------------------------------ */
270 /* Function:    fr_stateunload                                              */
271 /* Returns:     Nil                                                         */
272 /* Parameters:  Nil                                                         */
273 /*                                                                          */
274 /* Release and destroy any resources acquired or initialised so that        */
275 /* IPFilter can be unloaded or re-initialised.                              */
276 /* ------------------------------------------------------------------------ */
277 void fr_stateunload(ifs)
278 ipf_stack_t *ifs;
279 {
280 	ipftq_t *ifq, *ifqnext;
281 	ipstate_t *is;
282 
283 	while ((is = ifs->ifs_ips_list) != NULL)
284 	    fr_delstate(is, 0, ifs);
285 
286 	/*
287 	 * Proxy timeout queues are not cleaned here because although they
288 	 * exist on the state list, appr_unload is called after fr_stateunload
289 	 * and the proxies actually are responsible for them being created.
290 	 * Should the proxy timeouts have their own list?  There's no real
291 	 * justification as this is the only complicationA
292 	 */
293 	for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
294 		ifqnext = ifq->ifq_next;
295 		if (((ifq->ifq_flags & IFQF_PROXY) == 0) &&
296 		    (fr_deletetimeoutqueue(ifq) == 0))
297 			fr_freetimeoutqueue(ifq, ifs);
298 	}
299 
300 	ifs->ifs_ips_stats.iss_inuse = 0;
301 	ifs->ifs_ips_num = 0;
302 
303 	if (ifs->ifs_fr_state_init == 1) {
304 		fr_sttab_destroy(ifs->ifs_ips_tqtqb);
305 		MUTEX_DESTROY(&ifs->ifs_ips_udptq.ifq_lock);
306 		MUTEX_DESTROY(&ifs->ifs_ips_icmptq.ifq_lock);
307 		MUTEX_DESTROY(&ifs->ifs_ips_udpacktq.ifq_lock);
308 		MUTEX_DESTROY(&ifs->ifs_ips_icmpacktq.ifq_lock);
309 		MUTEX_DESTROY(&ifs->ifs_ips_iptq.ifq_lock);
310 		MUTEX_DESTROY(&ifs->ifs_ips_deletetq.ifq_lock);
311 	}
312 
313 	if (ifs->ifs_ips_table != NULL) {
314 		KFREES(ifs->ifs_ips_table,
315 		       ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_table));
316 		ifs->ifs_ips_table = NULL;
317 	}
318 
319 	if (ifs->ifs_ips_seed != NULL) {
320 		KFREES(ifs->ifs_ips_seed,
321 		       ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_seed));
322 		ifs->ifs_ips_seed = NULL;
323 	}
324 
325 	if (ifs->ifs_ips_stats.iss_bucketlen != NULL) {
326 		KFREES(ifs->ifs_ips_stats.iss_bucketlen,
327 		       ifs->ifs_fr_statesize * sizeof(u_long));
328 		ifs->ifs_ips_stats.iss_bucketlen = NULL;
329 	}
330 
331 	if (ifs->ifs_fr_state_maxbucket_reset == 1)
332 		ifs->ifs_fr_state_maxbucket = 0;
333 
334 	if (ifs->ifs_fr_state_init == 1) {
335 		ifs->ifs_fr_state_init = 0;
336 		RW_DESTROY(&ifs->ifs_ipf_state);
337 		MUTEX_DESTROY(&ifs->ifs_ipf_stinsert);
338 	}
339 }
340 
341 
342 /* ------------------------------------------------------------------------ */
343 /* Function:    fr_statetstats                                              */
344 /* Returns:     ips_state_t* - pointer to state stats structure             */
345 /* Parameters:  Nil                                                         */
346 /*                                                                          */
347 /* Put all the current numbers and pointers into a single struct and return */
348 /* a pointer to it.                                                         */
349 /* ------------------------------------------------------------------------ */
350 static ips_stat_t *fr_statetstats(ifs)
351 ipf_stack_t *ifs;
352 {
353 	ifs->ifs_ips_stats.iss_active = ifs->ifs_ips_num;
354 	ifs->ifs_ips_stats.iss_statesize = ifs->ifs_fr_statesize;
355 	ifs->ifs_ips_stats.iss_statemax = ifs->ifs_fr_statemax;
356 	ifs->ifs_ips_stats.iss_table = ifs->ifs_ips_table;
357 	ifs->ifs_ips_stats.iss_list = ifs->ifs_ips_list;
358 	ifs->ifs_ips_stats.iss_ticks = ifs->ifs_fr_ticks;
359 	return &ifs->ifs_ips_stats;
360 }
361 
362 /* ------------------------------------------------------------------------ */
363 /* Function:    fr_state_remove                                             */
364 /* Returns:     int - 0 == success, != 0 == failure                         */
365 /* Parameters:  data(I) - pointer to state structure to delete from table   */
366 /*                                                                          */
367 /* Search for a state structure that matches the one passed, according to   */
368 /* the IP addresses and other protocol specific information.                */
369 /* ------------------------------------------------------------------------ */
370 static int fr_state_remove(data, ifs)
371 caddr_t data;
372 ipf_stack_t *ifs;
373 {
374 	ipstate_t *sp, st;
375 	int error;
376 
377 	sp = &st;
378 	error = fr_inobj(data, &st, IPFOBJ_IPSTATE);
379 	if (error)
380 		return EFAULT;
381 
382 	WRITE_ENTER(&ifs->ifs_ipf_state);
383 	for (sp = ifs->ifs_ips_list; sp; sp = sp->is_next)
384 		if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
385 		    !bcmp((caddr_t)&sp->is_src, (caddr_t)&st.is_src,
386 			  sizeof(st.is_src)) &&
387 		    !bcmp((caddr_t)&sp->is_dst, (caddr_t)&st.is_src,
388 			  sizeof(st.is_dst)) &&
389 		    !bcmp((caddr_t)&sp->is_ps, (caddr_t)&st.is_ps,
390 			  sizeof(st.is_ps))) {
391 			fr_delstate(sp, ISL_REMOVE, ifs);
392 			RWLOCK_EXIT(&ifs->ifs_ipf_state);
393 			return 0;
394 		}
395 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
396 	return ESRCH;
397 }
398 
399 
400 /* ------------------------------------------------------------------------ */
401 /* Function:    fr_state_ioctl                                              */
402 /* Returns:     int - 0 == success, != 0 == failure                         */
403 /* Parameters:  data(I) - pointer to ioctl data                             */
404 /*              cmd(I)  - ioctl command integer                             */
405 /*              mode(I) - file mode bits used with open                     */
406 /*                                                                          */
407 /* Processes an ioctl call made to operate on the IP Filter state device.   */
408 /* ------------------------------------------------------------------------ */
409 int fr_state_ioctl(data, cmd, mode, uid, ctx, ifs)
410 caddr_t data;
411 ioctlcmd_t cmd;
412 int mode, uid;
413 void *ctx;
414 ipf_stack_t *ifs;
415 {
416 	int arg, ret, error = 0;
417 
418 	switch (cmd)
419 	{
420 	/*
421 	 * Delete an entry from the state table.
422 	 */
423 	case SIOCDELST :
424 	    error = fr_state_remove(data, ifs);
425 		break;
426 	/*
427 	 * Flush the state table
428 	 */
429 	case SIOCIPFFL :
430 		BCOPYIN(data, (char *)&arg, sizeof(arg));
431 		if (arg == 0 || arg == 1) {
432 			WRITE_ENTER(&ifs->ifs_ipf_state);
433 			ret = fr_state_flush(arg, 4, ifs);
434 			RWLOCK_EXIT(&ifs->ifs_ipf_state);
435 			BCOPYOUT((char *)&ret, data, sizeof(ret));
436 		} else
437 			error = EINVAL;
438 		break;
439 #ifdef	USE_INET6
440 	case SIOCIPFL6 :
441 		BCOPYIN(data, (char *)&arg, sizeof(arg));
442 		if (arg == 0 || arg == 1) {
443 			WRITE_ENTER(&ifs->ifs_ipf_state);
444 			ret = fr_state_flush(arg, 6, ifs);
445 			RWLOCK_EXIT(&ifs->ifs_ipf_state);
446 			BCOPYOUT((char *)&ret, data, sizeof(ret));
447 		} else
448 			error = EINVAL;
449 		break;
450 #endif
451 #ifdef	IPFILTER_LOG
452 	/*
453 	 * Flush the state log.
454 	 */
455 	case SIOCIPFFB :
456 		if (!(mode & FWRITE))
457 			error = EPERM;
458 		else {
459 			int tmp;
460 
461 			tmp = ipflog_clear(IPL_LOGSTATE, ifs);
462 			BCOPYOUT((char *)&tmp, data, sizeof(tmp));
463 		}
464 		break;
465 	/*
466 	 * Turn logging of state information on/off.
467 	 */
468 	case SIOCSETLG :
469 		if (!(mode & FWRITE))
470 			error = EPERM;
471 		else {
472 			BCOPYIN((char *)data,
473 				       (char *)&ifs->ifs_ipstate_logging,
474 				       sizeof(ifs->ifs_ipstate_logging));
475 		}
476 		break;
477 	/*
478 	 * Return the current state of logging.
479 	 */
480 	case SIOCGETLG :
481 		BCOPYOUT((char *)&ifs->ifs_ipstate_logging, (char *)data,
482 			sizeof(ifs->ifs_ipstate_logging));
483 		break;
484 	/*
485 	 * Return the number of bytes currently waiting to be read.
486 	 */
487 	case FIONREAD :
488 		arg = ifs->ifs_iplused[IPL_LOGSTATE]; /* returned in an int */
489 		BCOPYOUT((char *)&arg, data, sizeof(arg));
490 		break;
491 #endif
492 	/*
493 	 * Get the current state statistics.
494 	 */
495 	case SIOCGETFS :
496 		error = fr_outobj(data, fr_statetstats(ifs), IPFOBJ_STATESTAT);
497 		break;
498 	/*
499 	 * Lock/Unlock the state table.  (Locking prevents any changes, which
500 	 * means no packets match).
501 	 */
502 	case SIOCSTLCK :
503 		if (!(mode & FWRITE)) {
504 			error = EPERM;
505 		} else {
506 			fr_lock(data, &ifs->ifs_fr_state_lock);
507 		}
508 		break;
509 	/*
510 	 * Add an entry to the current state table.
511 	 */
512 	case SIOCSTPUT :
513 		if (!ifs->ifs_fr_state_lock || !(mode &FWRITE)) {
514 			error = EACCES;
515 			break;
516 		}
517 		error = fr_stputent(data, ifs);
518 		break;
519 	/*
520 	 * Get a state table entry.
521 	 */
522 	case SIOCSTGET :
523 		if (!ifs->ifs_fr_state_lock) {
524 			error = EACCES;
525 			break;
526 		}
527 		error = fr_stgetent(data, ifs);
528 		break;
529 
530 	case SIOCGENITER :
531 	    {
532 		ipftoken_t *token;
533 		ipfgeniter_t iter;
534 
535 		error = fr_inobj(data, &iter, IPFOBJ_GENITER);
536 		if (error != 0)
537 			break;
538 
539 		token = ipf_findtoken(IPFGENITER_STATE, uid, ctx, ifs);
540 		if (token != NULL)
541 			error = fr_stateiter(token, &iter, ifs);
542 		else
543 			error = ESRCH;
544 		RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
545 		break;
546 	    }
547 
548 	case SIOCIPFDELTOK :
549 		(void) BCOPYIN(data, (char *)&arg, sizeof(arg));
550 		error = ipf_deltoken(arg, uid, ctx, ifs);
551 		break;
552 
553 	default :
554 		error = EINVAL;
555 		break;
556 	}
557 	return error;
558 }
559 
560 
561 /* ------------------------------------------------------------------------ */
562 /* Function:    fr_stgetent                                                 */
563 /* Returns:     int - 0 == success, != 0 == failure                         */
564 /* Parameters:  data(I) - pointer to state structure to retrieve from table */
565 /*                                                                          */
566 /* Copy out state information from the kernel to a user space process.  If  */
567 /* there is a filter rule associated with the state entry, copy that out    */
568 /* as well.  The entry to copy out is taken from the value of "ips_next" in */
569 /* the struct passed in and if not null and not found in the list of current*/
570 /* state entries, the retrieval fails.                                      */
571 /* ------------------------------------------------------------------------ */
572 int fr_stgetent(data, ifs)
573 caddr_t data;
574 ipf_stack_t *ifs;
575 {
576 	ipstate_t *is, *isn;
577 	ipstate_save_t ips;
578 	int error;
579 
580 	error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
581 	if (error)
582 		return EFAULT;
583 
584 	isn = ips.ips_next;
585 	if (isn == NULL) {
586 		isn = ifs->ifs_ips_list;
587 		if (isn == NULL) {
588 			if (ips.ips_next == NULL)
589 				return ENOENT;
590 			return 0;
591 		}
592 	} else {
593 		/*
594 		 * Make sure the pointer we're copying from exists in the
595 		 * current list of entries.  Security precaution to prevent
596 		 * copying of random kernel data.
597 		 */
598 		for (is = ifs->ifs_ips_list; is; is = is->is_next)
599 			if (is == isn)
600 				break;
601 		if (!is)
602 			return ESRCH;
603 	}
604 	ips.ips_next = isn->is_next;
605 	bcopy((char *)isn, (char *)&ips.ips_is, sizeof(ips.ips_is));
606 	ips.ips_rule = isn->is_rule;
607 	if (isn->is_rule != NULL)
608 		bcopy((char *)isn->is_rule, (char *)&ips.ips_fr,
609 		      sizeof(ips.ips_fr));
610 	error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
611 	if (error)
612 		return EFAULT;
613 	return 0;
614 }
615 
616 
617 /* ------------------------------------------------------------------------ */
618 /* Function:    fr_stputent                                                 */
619 /* Returns:     int - 0 == success, != 0 == failure                         */
620 /* Parameters:  data(I) - pointer to state information struct               */
621 /*                                                                          */
622 /* This function implements the SIOCSTPUT ioctl: insert a state entry into  */
623 /* the state table.  If the state info. includes a pointer to a filter rule */
624 /* then also add in an orphaned rule (will not show up in any "ipfstat -io" */
625 /* output.                                                                  */
626 /* ------------------------------------------------------------------------ */
627 int fr_stputent(data, ifs)
628 caddr_t data;
629 ipf_stack_t *ifs;
630 {
631 	ipstate_t *is, *isn;
632 	ipstate_save_t ips;
633 	int error, i;
634 	frentry_t *fr;
635 	char *name;
636 
637 	error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
638 	if (error)
639 		return EFAULT;
640 
641 	KMALLOC(isn, ipstate_t *);
642 	if (isn == NULL)
643 		return ENOMEM;
644 
645 	bcopy((char *)&ips.ips_is, (char *)isn, sizeof(*isn));
646 	bzero((char *)isn, offsetof(struct ipstate, is_pkts));
647 	isn->is_sti.tqe_pnext = NULL;
648 	isn->is_sti.tqe_next = NULL;
649 	isn->is_sti.tqe_ifq = NULL;
650 	isn->is_sti.tqe_parent = isn;
651 	isn->is_ifp[0] = NULL;
652 	isn->is_ifp[1] = NULL;
653 	isn->is_ifp[2] = NULL;
654 	isn->is_ifp[3] = NULL;
655 	isn->is_sync = NULL;
656 	fr = ips.ips_rule;
657 
658 	if (fr == NULL) {
659 		READ_ENTER(&ifs->ifs_ipf_state);
660 		fr_stinsert(isn, 0, ifs);
661 		MUTEX_EXIT(&isn->is_lock);
662 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
663 		return 0;
664 	}
665 
666 	if (isn->is_flags & SI_NEWFR) {
667 		KMALLOC(fr, frentry_t *);
668 		if (fr == NULL) {
669 			KFREE(isn);
670 			return ENOMEM;
671 		}
672 		bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
673 		isn->is_rule = fr;
674 		ips.ips_is.is_rule = fr;
675 		MUTEX_NUKE(&fr->fr_lock);
676 		MUTEX_INIT(&fr->fr_lock, "state filter rule lock");
677 
678 		/*
679 		 * Look up all the interface names in the rule.
680 		 */
681 		for (i = 0; i < 4; i++) {
682 			name = fr->fr_ifnames[i];
683 			fr->fr_ifas[i] = fr_resolvenic(name, fr->fr_v, ifs);
684 			name = isn->is_ifname[i];
685 			isn->is_ifp[i] = fr_resolvenic(name, isn->is_v, ifs);
686 		}
687 
688 		fr->fr_ref = 0;
689 		fr->fr_dsize = 0;
690 		fr->fr_data = NULL;
691 
692 		fr_resolvedest(&fr->fr_tif, fr->fr_v, ifs);
693 		fr_resolvedest(&fr->fr_dif, fr->fr_v, ifs);
694 		fr_resolvedest(&fr->fr_rif, fr->fr_v, ifs);
695 
696 		/*
697 		 * send a copy back to userland of what we ended up
698 		 * to allow for verification.
699 		 */
700 		error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
701 		if (error) {
702 			KFREE(isn);
703 			MUTEX_DESTROY(&fr->fr_lock);
704 			KFREE(fr);
705 			return EFAULT;
706 		}
707 		READ_ENTER(&ifs->ifs_ipf_state);
708 		fr_stinsert(isn, 0, ifs);
709 		MUTEX_EXIT(&isn->is_lock);
710 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
711 
712 	} else {
713 		READ_ENTER(&ifs->ifs_ipf_state);
714 		for (is = ifs->ifs_ips_list; is; is = is->is_next)
715 			if (is->is_rule == fr) {
716 				fr_stinsert(isn, 0, ifs);
717 				MUTEX_EXIT(&isn->is_lock);
718 				break;
719 			}
720 
721 		if (is == NULL) {
722 			KFREE(isn);
723 			isn = NULL;
724 		}
725 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
726 
727 		return (isn == NULL) ? ESRCH : 0;
728 	}
729 
730 	return 0;
731 }
732 
733 
734 /* ------------------------------------------------------------------------ */
735 /* Function:   fr_stinsert                                                  */
736 /* Returns:    Nil                                                          */
737 /* Parameters: is(I)  - pointer to state structure                          */
738 /*             rev(I) - flag indicating forward/reverse direction of packet */
739 /*                                                                          */
740 /* Inserts a state structure into the hash table (for lookups) and the list */
741 /* of state entries (for enumeration).  Resolves all of the interface names */
742 /* to pointers and adjusts running stats for the hash table as appropriate. */
743 /*                                                                          */
744 /* Locking: it is assumed that some kind of lock on ipf_state is held.      */
745 /*          Exits with is_lock initialised and held.                        */
746 /* ------------------------------------------------------------------------ */
747 void fr_stinsert(is, rev, ifs)
748 ipstate_t *is;
749 int rev;
750 ipf_stack_t *ifs;
751 {
752 	frentry_t *fr;
753 	u_int hv;
754 	int i;
755 
756 	MUTEX_INIT(&is->is_lock, "ipf state entry");
757 
758 	fr = is->is_rule;
759 	if (fr != NULL) {
760 		MUTEX_ENTER(&fr->fr_lock);
761 		fr->fr_ref++;
762 		fr->fr_statecnt++;
763 		MUTEX_EXIT(&fr->fr_lock);
764 	}
765 
766 	/*
767 	 * Look up all the interface names in the state entry.
768 	 */
769 	for (i = 0; i < 4; i++) {
770 		if (is->is_ifp[i] != NULL)
771 			continue;
772 		is->is_ifp[i] = fr_resolvenic(is->is_ifname[i], is->is_v, ifs);
773 	}
774 
775 	/*
776 	 * If we could trust is_hv, then the modulous would not be needed, but
777 	 * when running with IPFILTER_SYNC, this stops bad values.
778 	 */
779 	hv = is->is_hv % ifs->ifs_fr_statesize;
780 	is->is_hv = hv;
781 
782 	/*
783 	 * We need to get both of these locks...the first because it is
784 	 * possible that once the insert is complete another packet might
785 	 * come along, match the entry and want to update it.
786 	 */
787 	MUTEX_ENTER(&is->is_lock);
788 	MUTEX_ENTER(&ifs->ifs_ipf_stinsert);
789 
790 	/*
791 	 * add into list table.
792 	 */
793 	if (ifs->ifs_ips_list != NULL)
794 		ifs->ifs_ips_list->is_pnext = &is->is_next;
795 	is->is_pnext = &ifs->ifs_ips_list;
796 	is->is_next = ifs->ifs_ips_list;
797 	ifs->ifs_ips_list = is;
798 
799 	if (ifs->ifs_ips_table[hv] != NULL)
800 		ifs->ifs_ips_table[hv]->is_phnext = &is->is_hnext;
801 	else
802 		ifs->ifs_ips_stats.iss_inuse++;
803 	is->is_phnext = ifs->ifs_ips_table + hv;
804 	is->is_hnext = ifs->ifs_ips_table[hv];
805 	ifs->ifs_ips_table[hv] = is;
806 	ifs->ifs_ips_stats.iss_bucketlen[hv]++;
807 	ifs->ifs_ips_num++;
808 	MUTEX_EXIT(&ifs->ifs_ipf_stinsert);
809 
810 	fr_setstatequeue(is, rev, ifs);
811 }
812 
813 
814 /* ------------------------------------------------------------------------ */
815 /* Function:    fr_addstate                                                 */
816 /* Returns:     ipstate_t* - NULL == failure, else pointer to new state     */
817 /* Parameters:  fin(I)    - pointer to packet information                   */
818 /*              stsave(O) - pointer to place to save pointer to created     */
819 /*                          state structure.                                */
820 /*              flags(I)  - flags to use when creating the structure        */
821 /*                                                                          */
822 /* Creates a new IP state structure from the packet information collected.  */
823 /* Inserts it into the state table and appends to the bottom of the active  */
824 /* list.  If the capacity of the table has reached the maximum allowed then */
825 /* the call will fail and a flush is scheduled for the next timeout call.   */
826 /* ------------------------------------------------------------------------ */
827 ipstate_t *fr_addstate(fin, stsave, flags)
828 fr_info_t *fin;
829 ipstate_t **stsave;
830 u_int flags;
831 {
832 	ipstate_t *is, ips;
833 	struct icmp *ic;
834 	u_int pass, hv;
835 	frentry_t *fr;
836 	tcphdr_t *tcp;
837 	grehdr_t *gre;
838 	void *ifp;
839 	int out;
840 	ipf_stack_t *ifs = fin->fin_ifs;
841 
842 	if (ifs->ifs_fr_state_lock ||
843 	    (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
844 		return NULL;
845 
846 	if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN))
847 		return NULL;
848 
849 	/*
850 	 * If a "keep state" rule has reached the maximum number of references
851 	 * to it, then schedule an automatic flush in case we can clear out
852 	 * some "dead old wood".  Note that because the lock isn't held on
853 	 * fr it is possible that we could overflow.  The cost of overflowing
854 	 * is being ignored here as the number by which it can overflow is
855 	 * a product of the number of simultaneous threads that could be
856 	 * executing in here, so a limit of 100 won't result in 200, but could
857 	 * result in 101 or 102.
858 	 */
859 	fr = fin->fin_fr;
860 	if (fr != NULL) {
861 		if ((ifs->ifs_ips_num == ifs->ifs_fr_statemax) && (fr->fr_statemax == 0)) {
862 			ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
863 			ifs->ifs_fr_state_doflush = 1;
864 			return NULL;
865 		}
866 		if ((fr->fr_statemax != 0) &&
867 		    (fr->fr_statecnt >= fr->fr_statemax)) {
868 			ATOMIC_INCL(ifs->ifs_ips_stats.iss_maxref);
869 			ifs->ifs_fr_state_doflush = 1;
870 			return NULL;
871 		}
872 	}
873 
874 	pass = (fr == NULL) ? 0 : fr->fr_flags;
875 
876 	ic = NULL;
877 	tcp = NULL;
878 	out = fin->fin_out;
879 	is = &ips;
880 	bzero((char *)is, sizeof(*is));
881 	is->is_die = 1 + ifs->ifs_fr_ticks;
882 
883 	/*
884 	 * Copy and calculate...
885 	 */
886 	hv = (is->is_p = fin->fin_fi.fi_p);
887 	is->is_src = fin->fin_fi.fi_src;
888 	hv += is->is_saddr;
889 	is->is_dst = fin->fin_fi.fi_dst;
890 	hv += is->is_daddr;
891 #ifdef	USE_INET6
892 	if (fin->fin_v == 6) {
893 		/*
894 		 * For ICMPv6, we check to see if the destination address is
895 		 * a multicast address.  If it is, do not include it in the
896 		 * calculation of the hash because the correct reply will come
897 		 * back from a real address, not a multicast address.
898 		 */
899 		if ((is->is_p == IPPROTO_ICMPV6) &&
900 		    IN6_IS_ADDR_MULTICAST(&is->is_dst.in6)) {
901 			/*
902 			 * So you can do keep state with neighbour discovery.
903 			 *
904 			 * Here we could use the address from the neighbour
905 			 * solicit message to put in the state structure and
906 			 * we could use that without a wildcard flag too...
907 			 */
908 			is->is_flags |= SI_W_DADDR;
909 			hv -= is->is_daddr;
910 		} else {
911 			hv += is->is_dst.i6[1];
912 			hv += is->is_dst.i6[2];
913 			hv += is->is_dst.i6[3];
914 		}
915 		hv += is->is_src.i6[1];
916 		hv += is->is_src.i6[2];
917 		hv += is->is_src.i6[3];
918 	}
919 #endif
920 
921 	switch (is->is_p)
922 	{
923 #ifdef	USE_INET6
924 	case IPPROTO_ICMPV6 :
925 		ic = fin->fin_dp;
926 
927 		switch (ic->icmp_type)
928 		{
929 		case ICMP6_ECHO_REQUEST :
930 			is->is_icmp.ici_type = ic->icmp_type;
931 			hv += (is->is_icmp.ici_id = ic->icmp_id);
932 			break;
933 		case ICMP6_MEMBERSHIP_QUERY :
934 		case ND_ROUTER_SOLICIT :
935 		case ND_NEIGHBOR_SOLICIT :
936 		case ICMP6_NI_QUERY :
937 			is->is_icmp.ici_type = ic->icmp_type;
938 			break;
939 		default :
940 			return NULL;
941 		}
942 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_icmp);
943 		break;
944 #endif
945 	case IPPROTO_ICMP :
946 		ic = fin->fin_dp;
947 
948 		switch (ic->icmp_type)
949 		{
950 		case ICMP_ECHO :
951 		case ICMP_TSTAMP :
952 		case ICMP_IREQ :
953 		case ICMP_MASKREQ :
954 			is->is_icmp.ici_type = ic->icmp_type;
955 			hv += (is->is_icmp.ici_id = ic->icmp_id);
956 			break;
957 		default :
958 			return NULL;
959 		}
960 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_icmp);
961 		break;
962 
963 	case IPPROTO_GRE :
964 		gre = fin->fin_dp;
965 
966 		is->is_gre.gs_flags = gre->gr_flags;
967 		is->is_gre.gs_ptype = gre->gr_ptype;
968 		if (GRE_REV(is->is_gre.gs_flags) == 1) {
969 			is->is_call[0] = fin->fin_data[0];
970 			is->is_call[1] = fin->fin_data[1];
971 		}
972 		break;
973 
974 	case IPPROTO_TCP :
975 		tcp = fin->fin_dp;
976 
977 		if (tcp->th_flags & TH_RST)
978 			return NULL;
979 		/*
980 		 * The endian of the ports doesn't matter, but the ack and
981 		 * sequence numbers do as we do mathematics on them later.
982 		 */
983 		is->is_sport = htons(fin->fin_data[0]);
984 		is->is_dport = htons(fin->fin_data[1]);
985 		if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
986 			hv += is->is_sport;
987 			hv += is->is_dport;
988 		}
989 
990 		/*
991 		 * If this is a real packet then initialise fields in the
992 		 * state information structure from the TCP header information.
993 		 */
994 
995 		is->is_maxdwin = 1;
996 		is->is_maxswin = ntohs(tcp->th_win);
997 		if (is->is_maxswin == 0)
998 			is->is_maxswin = 1;
999 
1000 		if ((fin->fin_flx & FI_IGNORE) == 0) {
1001 			is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
1002 				      (TCP_OFF(tcp) << 2) +
1003 				      ((tcp->th_flags & TH_SYN) ? 1 : 0) +
1004 				      ((tcp->th_flags & TH_FIN) ? 1 : 0);
1005 			is->is_maxsend = is->is_send;
1006 
1007 			/*
1008 			 * Window scale option is only present in
1009 			 * SYN/SYN-ACK packet.
1010 			 */
1011 			if ((tcp->th_flags & ~(TH_FIN|TH_ACK|TH_ECNALL)) ==
1012 			    TH_SYN &&
1013 			    (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
1014 				if (fr_tcpoptions(fin, tcp,
1015 					      &is->is_tcp.ts_data[0]))
1016 					is->is_swinflags = TCP_WSCALE_SEEN|
1017 							   TCP_WSCALE_FIRST;
1018 			}
1019 
1020 			if ((fin->fin_out != 0) && (pass & FR_NEWISN) != 0) {
1021 				fr_checknewisn(fin, is);
1022 				fr_fixoutisn(fin, is);
1023 			}
1024 
1025 			if ((tcp->th_flags & TH_OPENING) == TH_SYN)
1026 				flags |= IS_TCPFSM;
1027 			else {
1028 				is->is_maxdwin = is->is_maxswin * 2;
1029 				is->is_dend = ntohl(tcp->th_ack);
1030 				is->is_maxdend = ntohl(tcp->th_ack);
1031 				is->is_maxdwin *= 2;
1032 			}
1033 		}
1034 
1035 		/*
1036 		 * If we're creating state for a starting connection, start the
1037 		 * timer on it as we'll never see an error if it fails to
1038 		 * connect.
1039 		 */
1040 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_tcp);
1041 		break;
1042 
1043 	case IPPROTO_UDP :
1044 		tcp = fin->fin_dp;
1045 
1046 		is->is_sport = htons(fin->fin_data[0]);
1047 		is->is_dport = htons(fin->fin_data[1]);
1048 		if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
1049 			hv += tcp->th_dport;
1050 			hv += tcp->th_sport;
1051 		}
1052 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_udp);
1053 		break;
1054 
1055 	default :
1056 		break;
1057 	}
1058 	hv = DOUBLE_HASH(hv, ifs);
1059 	is->is_hv = hv;
1060 	is->is_rule = fr;
1061 	is->is_flags = flags & IS_INHERITED;
1062 
1063 	/*
1064 	 * Look for identical state.
1065 	 */
1066 	for (is = ifs->ifs_ips_table[is->is_hv % ifs->ifs_fr_statesize];
1067 	     is != NULL;
1068 	     is = is->is_hnext) {
1069 		if (bcmp(&ips.is_src, &is->is_src,
1070 			 offsetof(struct ipstate, is_ps) -
1071 			 offsetof(struct ipstate, is_src)) == 0)
1072 			break;
1073 	}
1074 	if (is != NULL)
1075 		return NULL;
1076 
1077 	if (ifs->ifs_ips_stats.iss_bucketlen[hv] >= ifs->ifs_fr_state_maxbucket) {
1078 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_bucketfull);
1079 		return NULL;
1080 	}
1081 	KMALLOC(is, ipstate_t *);
1082 	if (is == NULL) {
1083 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_nomem);
1084 		return NULL;
1085 	}
1086 	bcopy((char *)&ips, (char *)is, sizeof(*is));
1087 	/*
1088 	 * Do not do the modulous here, it is done in fr_stinsert().
1089 	 */
1090 	if (fr != NULL) {
1091 		(void) strncpy(is->is_group, fr->fr_group, FR_GROUPLEN);
1092 		if (fr->fr_age[0] != 0) {
1093 			is->is_tqehead[0] =
1094 			    fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
1095 					       fr->fr_age[0], ifs);
1096 			is->is_sti.tqe_flags |= TQE_RULEBASED;
1097 		}
1098 		if (fr->fr_age[1] != 0) {
1099 			is->is_tqehead[1] =
1100 			    fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
1101 					       fr->fr_age[1], ifs);
1102 			is->is_sti.tqe_flags |= TQE_RULEBASED;
1103 		}
1104 		is->is_tag = fr->fr_logtag;
1105 
1106 		is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1];
1107 		is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2];
1108 		is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3];
1109 
1110 		if (((ifp = fr->fr_ifas[1]) != NULL) &&
1111 		    (ifp != (void *)-1)) {
1112 			COPYIFNAME(ifp, is->is_ifname[(out << 1) + 1], fr->fr_v);
1113 		}
1114 		if (((ifp = fr->fr_ifas[2]) != NULL) &&
1115 		    (ifp != (void *)-1)) {
1116 			COPYIFNAME(ifp, is->is_ifname[(1 - out) << 1], fr->fr_v);
1117 		}
1118 		if (((ifp = fr->fr_ifas[3]) != NULL) &&
1119 		    (ifp != (void *)-1)) {
1120 			COPYIFNAME(ifp, is->is_ifname[((1 - out) << 1) + 1], fr->fr_v);
1121 		}
1122 	} else {
1123 		pass = ifs->ifs_fr_flags;
1124 		is->is_tag = FR_NOLOGTAG;
1125 	}
1126 
1127 	is->is_ifp[out << 1] = fin->fin_ifp;
1128 	if (fin->fin_ifp != NULL) {
1129 		COPYIFNAME(fin->fin_ifp, is->is_ifname[out << 1], fr->fr_v);
1130 	}
1131 
1132 	/*
1133 	 * It may seem strange to set is_ref to 2, but fr_check() will call
1134 	 * fr_statederef() after calling fr_addstate() and the idea is to
1135 	 * have it exist at the end of fr_check() with is_ref == 1.
1136 	 */
1137 	is->is_ref = 2;
1138 	is->is_pass = pass;
1139 	is->is_pkts[0] = 0, is->is_bytes[0] = 0;
1140 	is->is_pkts[1] = 0, is->is_bytes[1] = 0;
1141 	is->is_pkts[2] = 0, is->is_bytes[2] = 0;
1142 	is->is_pkts[3] = 0, is->is_bytes[3] = 0;
1143 	if ((fin->fin_flx & FI_IGNORE) == 0) {
1144 		is->is_pkts[out] = 1;
1145 		is->is_bytes[out] = fin->fin_plen;
1146 		is->is_flx[out][0] = fin->fin_flx & FI_CMP;
1147 		is->is_flx[out][0] &= ~FI_OOW;
1148 	}
1149 
1150 	if (pass & FR_STSTRICT)
1151 		is->is_flags |= IS_STRICT;
1152 
1153 	if (pass & FR_STATESYNC)
1154 		is->is_flags |= IS_STATESYNC;
1155 
1156 	/*
1157 	 * We want to check everything that is a property of this packet,
1158 	 * but we don't (automatically) care about it's fragment status as
1159 	 * this may change.
1160 	 */
1161 	is->is_v = fin->fin_v;
1162 	is->is_opt[0] = fin->fin_optmsk;
1163 	is->is_optmsk[0] = 0xffffffff;
1164 	is->is_optmsk[1] = 0xffffffff;
1165 	if (is->is_v == 6) {
1166 		is->is_opt[0] &= ~0x8;
1167 		is->is_optmsk[0] &= ~0x8;
1168 		is->is_optmsk[1] &= ~0x8;
1169 	}
1170 	is->is_sec = fin->fin_secmsk;
1171 	is->is_secmsk = 0xffff;
1172 	is->is_auth = fin->fin_auth;
1173 	is->is_authmsk = 0xffff;
1174 	if (flags & (SI_WILDP|SI_WILDA)) {
1175 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_wild);
1176 	}
1177 	is->is_rulen = fin->fin_rule;
1178 
1179 
1180 	if (pass & FR_LOGFIRST)
1181 		is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
1182 
1183 	READ_ENTER(&ifs->ifs_ipf_state);
1184 	is->is_me = stsave;
1185 
1186 	fr_stinsert(is, fin->fin_rev, ifs);
1187 
1188 	if (fin->fin_p == IPPROTO_TCP) {
1189 		/*
1190 		* If we're creating state for a starting connection, start the
1191 		* timer on it as we'll never see an error if it fails to
1192 		* connect.
1193 		*/
1194 		(void) fr_tcp_age(&is->is_sti, fin, ifs->ifs_ips_tqtqb,
1195 				  is->is_flags);
1196 		MUTEX_EXIT(&is->is_lock);
1197 #ifdef	IPFILTER_SCAN
1198 		if ((is->is_flags & SI_CLONE) == 0)
1199 			(void) ipsc_attachis(is);
1200 #endif
1201 	} else {
1202 		MUTEX_EXIT(&is->is_lock);
1203 	}
1204 #ifdef	IPFILTER_SYNC
1205 	if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0))
1206 		is->is_sync = ipfsync_new(SMC_STATE, fin, is);
1207 #endif
1208 	if (ifs->ifs_ipstate_logging)
1209 		ipstate_log(is, ISL_NEW, ifs);
1210 
1211 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
1212 	fin->fin_state = is;
1213 	fin->fin_rev = IP6_NEQ(&is->is_dst, &fin->fin_daddr);
1214 	fin->fin_flx |= FI_STATE;
1215 	if (fin->fin_flx & FI_FRAG)
1216 		(void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
1217 
1218 	return is;
1219 }
1220 
1221 
1222 /* ------------------------------------------------------------------------ */
1223 /* Function:    fr_tcpoptions                                               */
1224 /* Returns:     int - 1 == packet matches state entry, 0 == it does not     */
1225 /* Parameters:  fin(I) - pointer to packet information                      */
1226 /*              tcp(I) - pointer to TCP packet header                       */
1227 /*              td(I)  - pointer to TCP data held as part of the state      */
1228 /*                                                                          */
1229 /* Look after the TCP header for any options and deal with those that are   */
1230 /* present.  Record details about those that we recogise.                   */
1231 /* ------------------------------------------------------------------------ */
1232 static int fr_tcpoptions(fin, tcp, td)
1233 fr_info_t *fin;
1234 tcphdr_t *tcp;
1235 tcpdata_t *td;
1236 {
1237 	int off, mlen, ol, i, len, retval;
1238 	char buf[64], *s, opt;
1239 	mb_t *m = NULL;
1240 
1241 	len = (TCP_OFF(tcp) << 2);
1242 	if (fin->fin_dlen < len)
1243 		return 0;
1244 	len -= sizeof(*tcp);
1245 
1246 	off = fin->fin_plen - fin->fin_dlen + sizeof(*tcp) + fin->fin_ipoff;
1247 
1248 	m = fin->fin_m;
1249 	mlen = MSGDSIZE(m) - off;
1250 	if (len > mlen) {
1251 		len = mlen;
1252 		retval = 0;
1253 	} else {
1254 		retval = 1;
1255 	}
1256 
1257 	COPYDATA(m, off, len, buf);
1258 
1259 	for (s = buf; len > 0; ) {
1260 		opt = *s;
1261 		if (opt == TCPOPT_EOL)
1262 			break;
1263 		else if (opt == TCPOPT_NOP)
1264 			ol = 1;
1265 		else {
1266 			if (len < 2)
1267 				break;
1268 			ol = (int)*(s + 1);
1269 			if (ol < 2 || ol > len)
1270 				break;
1271 
1272 			/*
1273 			 * Extract the TCP options we are interested in out of
1274 			 * the header and store them in the the tcpdata struct.
1275 			 */
1276 			switch (opt)
1277 			{
1278 			case TCPOPT_WINDOW :
1279 				if (ol == TCPOLEN_WINDOW) {
1280 					i = (int)*(s + 2);
1281 					if (i > TCP_WSCALE_MAX)
1282 						i = TCP_WSCALE_MAX;
1283 					else if (i < 0)
1284 						i = 0;
1285 					td->td_winscale = i;
1286 				}
1287 				break;
1288 			case TCPOPT_MAXSEG :
1289 				/*
1290 				 * So, if we wanted to set the TCP MAXSEG,
1291 				 * it should be done here...
1292 				 */
1293 				if (ol == TCPOLEN_MAXSEG) {
1294 					i = (int)*(s + 2);
1295 					i <<= 8;
1296 					i += (int)*(s + 3);
1297 					td->td_maxseg = i;
1298 				}
1299 				break;
1300 			}
1301 		}
1302 		len -= ol;
1303 		s += ol;
1304 	}
1305 	return retval;
1306 }
1307 
1308 
1309 /* ------------------------------------------------------------------------ */
1310 /* Function:    fr_tcpstate                                                 */
1311 /* Returns:     int - 1 == packet matches state entry, 0 == it does not     */
1312 /* Parameters:  fin(I)   - pointer to packet information                    */
1313 /*              tcp(I)   - pointer to TCP packet header                     */
1314 /*              is(I)  - pointer to master state structure                  */
1315 /*                                                                          */
1316 /* Check to see if a packet with TCP headers fits within the TCP window.    */
1317 /* Change timeout depending on whether new packet is a SYN-ACK returning    */
1318 /* for a SYN or a RST or FIN which indicate time to close up shop.          */
1319 /* ------------------------------------------------------------------------ */
1320 static int fr_tcpstate(fin, tcp, is)
1321 fr_info_t *fin;
1322 tcphdr_t *tcp;
1323 ipstate_t *is;
1324 {
1325 	int source, ret = 0, flags;
1326 	tcpdata_t  *fdata, *tdata;
1327 	ipf_stack_t *ifs = fin->fin_ifs;
1328 
1329 	source = !fin->fin_rev;
1330 	if (((is->is_flags & IS_TCPFSM) != 0) && (source == 1) &&
1331 	    (ntohs(is->is_sport) != fin->fin_data[0]))
1332 		source = 0;
1333 	fdata = &is->is_tcp.ts_data[!source];
1334 	tdata = &is->is_tcp.ts_data[source];
1335 
1336 	MUTEX_ENTER(&is->is_lock);
1337 
1338 	/*
1339 	 * If a SYN packet is received for a connection that is in a half
1340 	 * closed state, then move its state entry to deletetq. In such case
1341 	 * the SYN packet will be consequently dropped. This allows new state
1342 	 * entry to be created with a retransmited SYN packet.
1343 	 */
1344 	if ((tcp->th_flags & TH_OPENING) == TH_SYN) {
1345 		if (((is->is_state[source] > IPF_TCPS_ESTABLISHED) ||
1346 		    (is->is_state[source] == IPF_TCPS_CLOSED)) &&
1347 		    ((is->is_state[!source] > IPF_TCPS_ESTABLISHED) ||
1348 		    (is->is_state[!source] == IPF_TCPS_CLOSED))) {
1349 			/*
1350 			 * Do not update is->is_sti.tqe_die in case state entry
1351 			 * is already present in deletetq. It prevents state
1352 			 * entry ttl update by retransmitted SYN packets, which
1353 			 * may arrive before timer tick kicks off. The SYN
1354 			 * packet will be dropped again.
1355 			 */
1356 			if (is->is_sti.tqe_ifq != &ifs->ifs_ips_deletetq)
1357 				fr_movequeue(&is->is_sti, is->is_sti.tqe_ifq,
1358 					&fin->fin_ifs->ifs_ips_deletetq,
1359 					fin->fin_ifs);
1360 
1361 			MUTEX_EXIT(&is->is_lock);
1362 			return 0;
1363 		}
1364 	}
1365 
1366 	if (fr_tcpinwindow(fin, fdata, tdata, tcp, is->is_flags)) {
1367 #ifdef	IPFILTER_SCAN
1368 		if (is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER)) {
1369 			ipsc_packet(fin, is);
1370 			if (FR_ISBLOCK(is->is_pass)) {
1371 				MUTEX_EXIT(&is->is_lock);
1372 				return 1;
1373 			}
1374 		}
1375 #endif
1376 
1377 		/*
1378 		 * Nearing end of connection, start timeout.
1379 		 */
1380 		ret = fr_tcp_age(&is->is_sti, fin, ifs->ifs_ips_tqtqb,
1381 				 is->is_flags);
1382 		if (ret == 0) {
1383 			MUTEX_EXIT(&is->is_lock);
1384 			return 0;
1385 		}
1386 
1387 		/*
1388 		 * set s0's as appropriate.  Use syn-ack packet as it
1389 		 * contains both pieces of required information.
1390 		 */
1391 		/*
1392 		 * Window scale option is only present in SYN/SYN-ACK packet.
1393 		 * Compare with ~TH_FIN to mask out T/TCP setups.
1394 		 */
1395 		flags = tcp->th_flags & ~(TH_FIN|TH_ECNALL);
1396 		if (flags == (TH_SYN|TH_ACK)) {
1397 			is->is_s0[source] = ntohl(tcp->th_ack);
1398 			is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
1399 			if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)) &&
1400 			    tdata->td_winscale) {
1401 				if (fr_tcpoptions(fin, tcp, fdata)) {
1402 					fdata->td_winflags = TCP_WSCALE_SEEN|
1403 							     TCP_WSCALE_FIRST;
1404 				} else {
1405 					if (!fdata->td_winscale)
1406 						tdata->td_winscale = 0;
1407 				}
1408 			}
1409 			if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1410 				fr_checknewisn(fin, is);
1411 		} else if (flags == TH_SYN) {
1412 			is->is_s0[source] = ntohl(tcp->th_seq) + 1;
1413 			if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)))
1414 				if (fr_tcpoptions(fin, tcp, tdata)) {
1415 					tdata->td_winflags = TCP_WSCALE_SEEN|
1416 							     TCP_WSCALE_FIRST;
1417 				}
1418 
1419 			if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1420 				fr_checknewisn(fin, is);
1421 
1422 		}
1423 		ret = 1;
1424 	} else
1425 		fin->fin_flx |= FI_OOW;
1426 	MUTEX_EXIT(&is->is_lock);
1427 	return ret;
1428 }
1429 
1430 
1431 /* ------------------------------------------------------------------------ */
1432 /* Function:    fr_checknewisn                                              */
1433 /* Returns:     Nil                                                         */
1434 /* Parameters:  fin(I)   - pointer to packet information                    */
1435 /*              is(I)  - pointer to master state structure                  */
1436 /*                                                                          */
1437 /* Check to see if this TCP connection is expecting and needs a new         */
1438 /* sequence number for a particular direction of the connection.            */
1439 /*                                                                          */
1440 /* NOTE: This does not actually change the sequence numbers, only gets new  */
1441 /* one ready.                                                               */
1442 /* ------------------------------------------------------------------------ */
1443 static void fr_checknewisn(fin, is)
1444 fr_info_t *fin;
1445 ipstate_t *is;
1446 {
1447 	u_32_t sumd, old, new;
1448 	tcphdr_t *tcp;
1449 	int i;
1450 
1451 	i = fin->fin_rev;
1452 	tcp = fin->fin_dp;
1453 
1454 	if (((i == 0) && !(is->is_flags & IS_ISNSYN)) ||
1455 	    ((i == 1) && !(is->is_flags & IS_ISNACK))) {
1456 		old = ntohl(tcp->th_seq);
1457 		new = fr_newisn(fin);
1458 		is->is_isninc[i] = new - old;
1459 		CALC_SUMD(old, new, sumd);
1460 		is->is_sumd[i] = (sumd & 0xffff) + (sumd >> 16);
1461 
1462 		is->is_flags |= ((i == 0) ? IS_ISNSYN : IS_ISNACK);
1463 	}
1464 }
1465 
1466 
1467 /* ------------------------------------------------------------------------ */
1468 /* Function:    fr_tcpinwindow                                              */
1469 /* Returns:     int - 1 == packet inside TCP "window", 0 == not inside.     */
1470 /* Parameters:  fin(I)   - pointer to packet information                    */
1471 /*              fdata(I) - pointer to tcp state informatio (forward)        */
1472 /*              tdata(I) - pointer to tcp state informatio (reverse)        */
1473 /*              tcp(I)   - pointer to TCP packet header                     */
1474 /*                                                                          */
1475 /* Given a packet has matched addresses and ports, check to see if it is    */
1476 /* within the TCP data window.  In a show of generosity, allow packets that */
1477 /* are within the window space behind the current sequence # as well.       */
1478 /* ------------------------------------------------------------------------ */
1479 int fr_tcpinwindow(fin, fdata, tdata, tcp, flags)
1480 fr_info_t *fin;
1481 tcpdata_t  *fdata, *tdata;
1482 tcphdr_t *tcp;
1483 int flags;
1484 {
1485 	tcp_seq seq, ack, end;
1486 	int ackskew, tcpflags;
1487 	u_32_t win, maxwin;
1488 
1489 	/*
1490 	 * Find difference between last checked packet and this packet.
1491 	 */
1492 	tcpflags = tcp->th_flags;
1493 	seq = ntohl(tcp->th_seq);
1494 	ack = ntohl(tcp->th_ack);
1495 	if (tcpflags & TH_SYN)
1496 		win = ntohs(tcp->th_win);
1497 	else
1498 		win = ntohs(tcp->th_win) << fdata->td_winscale;
1499 	if (win == 0)
1500 		win = 1;
1501 
1502 	/*
1503 	 * if window scaling is present, the scaling is only allowed
1504 	 * for windows not in the first SYN packet. In that packet the
1505 	 * window is 65535 to specify the largest window possible
1506 	 * for receivers not implementing the window scale option.
1507 	 * Currently, we do not assume TTCP here. That means that
1508 	 * if we see a second packet from a host (after the initial
1509 	 * SYN), we can assume that the receiver of the SYN did
1510 	 * already send back the SYN/ACK (and thus that we know if
1511 	 * the receiver also does window scaling)
1512 	 */
1513 	if (!(tcpflags & TH_SYN) && (fdata->td_winflags & TCP_WSCALE_FIRST)) {
1514 		if (tdata->td_winflags & TCP_WSCALE_SEEN) {
1515 			fdata->td_winflags &= ~TCP_WSCALE_FIRST;
1516 			fdata->td_maxwin = win;
1517 		} else {
1518 			fdata->td_winscale = 0;
1519 			fdata->td_winflags = 0;
1520 			tdata->td_winscale = 0;
1521 			tdata->td_winflags = 0;
1522 		  }
1523 	}
1524 
1525 	end = seq + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
1526 	      ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
1527 
1528 	if ((fdata->td_end == 0) &&
1529 	    (!(flags & IS_TCPFSM) ||
1530 	     ((tcpflags & TH_OPENING) == TH_OPENING))) {
1531 		/*
1532 		 * Must be a (outgoing) SYN-ACK in reply to a SYN.
1533 		 */
1534 		fdata->td_end = end;
1535 		fdata->td_maxwin = 1;
1536 		fdata->td_maxend = end + win;
1537 	}
1538 
1539 	if (!(tcpflags & TH_ACK)) {  /* Pretend an ack was sent */
1540 		ack = tdata->td_end;
1541 	} else if (((tcpflags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
1542 		   (ack == 0)) {
1543 		/* gross hack to get around certain broken tcp stacks */
1544 		ack = tdata->td_end;
1545 	}
1546 
1547 	if (seq == end)
1548 		seq = end = fdata->td_end;
1549 
1550 	maxwin = tdata->td_maxwin;
1551 	ackskew = tdata->td_end - ack;
1552 
1553 	/*
1554 	 * Strict sequencing only allows in-order delivery.
1555 	 */
1556 	if ((flags & IS_STRICT) != 0) {
1557 		if (seq != fdata->td_end) {
1558 			return 0;
1559 		}
1560 	}
1561 
1562 #define	SEQ_GE(a,b)	((int)((a) - (b)) >= 0)
1563 #define	SEQ_GT(a,b)	((int)((a) - (b)) > 0)
1564 	if (
1565 #if defined(_KERNEL)
1566 	    (SEQ_GE(fdata->td_maxend, end)) &&
1567 	    (SEQ_GE(seq, fdata->td_end - maxwin)) &&
1568 #endif
1569 /* XXX what about big packets */
1570 #define MAXACKWINDOW 66000
1571 	    (-ackskew <= (MAXACKWINDOW << fdata->td_winscale)) &&
1572 	    ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
1573 
1574 		/* if ackskew < 0 then this should be due to fragmented
1575 		 * packets. There is no way to know the length of the
1576 		 * total packet in advance.
1577 		 * We do know the total length from the fragment cache though.
1578 		 * Note however that there might be more sessions with
1579 		 * exactly the same source and destination parameters in the
1580 		 * state cache (and source and destination is the only stuff
1581 		 * that is saved in the fragment cache). Note further that
1582 		 * some TCP connections in the state cache are hashed with
1583 		 * sport and dport as well which makes it not worthwhile to
1584 		 * look for them.
1585 		 * Thus, when ackskew is negative but still seems to belong
1586 		 * to this session, we bump up the destinations end value.
1587 		 */
1588 		if (ackskew < 0)
1589 			tdata->td_end = ack;
1590 
1591 		/* update max window seen */
1592 		if (fdata->td_maxwin < win)
1593 			fdata->td_maxwin = win;
1594 		if (SEQ_GT(end, fdata->td_end))
1595 			fdata->td_end = end;
1596 		if (SEQ_GE(ack + win, tdata->td_maxend))
1597 			tdata->td_maxend = ack + win;
1598 		return 1;
1599 	}
1600 	return 0;
1601 }
1602 
1603 
1604 /* ------------------------------------------------------------------------ */
1605 /* Function:    fr_stclone                                                  */
1606 /* Returns:     ipstate_t* - NULL == cloning failed,                        */
1607 /*                           else pointer to new state structure            */
1608 /* Parameters:  fin(I) - pointer to packet information                      */
1609 /*              tcp(I) - pointer to TCP/UDP header                          */
1610 /*              is(I)  - pointer to master state structure                  */
1611 /*                                                                          */
1612 /* Create a "duplcate" state table entry from the master.                   */
1613 /* ------------------------------------------------------------------------ */
1614 static ipstate_t *fr_stclone(fin, tcp, is)
1615 fr_info_t *fin;
1616 tcphdr_t *tcp;
1617 ipstate_t *is;
1618 {
1619 	ipstate_t *clone;
1620 	u_32_t send;
1621 	ipf_stack_t *ifs = fin->fin_ifs;
1622 
1623 	if (ifs->ifs_ips_num == ifs->ifs_fr_statemax) {
1624 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
1625 		ifs->ifs_fr_state_doflush = 1;
1626 		return NULL;
1627 	}
1628 	KMALLOC(clone, ipstate_t *);
1629 	if (clone == NULL)
1630 		return NULL;
1631 	bcopy((char *)is, (char *)clone, sizeof(*clone));
1632 
1633 	MUTEX_NUKE(&clone->is_lock);
1634 
1635 	clone->is_die = ONE_DAY + ifs->ifs_fr_ticks;
1636 	clone->is_state[0] = 0;
1637 	clone->is_state[1] = 0;
1638 	send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
1639 		((tcp->th_flags & TH_SYN) ? 1 : 0) +
1640 		((tcp->th_flags & TH_FIN) ? 1 : 0);
1641 
1642 	if (fin->fin_rev == 1) {
1643 		clone->is_dend = send;
1644 		clone->is_maxdend = send;
1645 		clone->is_send = 0;
1646 		clone->is_maxswin = 1;
1647 		clone->is_maxdwin = ntohs(tcp->th_win);
1648 		if (clone->is_maxdwin == 0)
1649 			clone->is_maxdwin = 1;
1650 	} else {
1651 		clone->is_send = send;
1652 		clone->is_maxsend = send;
1653 		clone->is_dend = 0;
1654 		clone->is_maxdwin = 1;
1655 		clone->is_maxswin = ntohs(tcp->th_win);
1656 		if (clone->is_maxswin == 0)
1657 			clone->is_maxswin = 1;
1658 	}
1659 
1660 	clone->is_flags &= ~SI_CLONE;
1661 	clone->is_flags |= SI_CLONED;
1662 	fr_stinsert(clone, fin->fin_rev, ifs);
1663 	clone->is_ref = 2;
1664 	if (clone->is_p == IPPROTO_TCP) {
1665 		(void) fr_tcp_age(&clone->is_sti, fin, ifs->ifs_ips_tqtqb,
1666 				  clone->is_flags);
1667 	}
1668 	MUTEX_EXIT(&clone->is_lock);
1669 #ifdef	IPFILTER_SCAN
1670 	(void) ipsc_attachis(is);
1671 #endif
1672 #ifdef	IPFILTER_SYNC
1673 	if (is->is_flags & IS_STATESYNC)
1674 		clone->is_sync = ipfsync_new(SMC_STATE, fin, clone);
1675 #endif
1676 	return clone;
1677 }
1678 
1679 
1680 /* ------------------------------------------------------------------------ */
1681 /* Function:    fr_matchsrcdst                                              */
1682 /* Returns:     Nil                                                         */
1683 /* Parameters:  fin(I) - pointer to packet information                      */
1684 /*              is(I)  - pointer to state structure                         */
1685 /*              src(I) - pointer to source address                          */
1686 /*              dst(I) - pointer to destination address                     */
1687 /*              tcp(I) - pointer to TCP/UDP header                          */
1688 /*                                                                          */
1689 /* Match a state table entry against an IP packet.  The logic below is that */
1690 /* ret gets set to one if the match succeeds, else remains 0.  If it is     */
1691 /* still 0 after the test. no match.                                        */
1692 /* ------------------------------------------------------------------------ */
1693 static ipstate_t *fr_matchsrcdst(fin, is, src, dst, tcp, cmask)
1694 fr_info_t *fin;
1695 ipstate_t *is;
1696 i6addr_t *src, *dst;
1697 tcphdr_t *tcp;
1698 u_32_t cmask;
1699 {
1700 	int ret = 0, rev, out, flags, flx = 0, idx;
1701 	u_short sp, dp;
1702 	u_32_t cflx;
1703 	void *ifp;
1704 	ipf_stack_t *ifs = fin->fin_ifs;
1705 
1706 	rev = IP6_NEQ(&is->is_dst, dst);
1707 	ifp = fin->fin_ifp;
1708 	out = fin->fin_out;
1709 	flags = is->is_flags;
1710 	sp = 0;
1711 	dp = 0;
1712 
1713 	if (tcp != NULL) {
1714 		sp = htons(fin->fin_sport);
1715 		dp = ntohs(fin->fin_dport);
1716 	}
1717 	if (!rev) {
1718 		if (tcp != NULL) {
1719 			if (!(flags & SI_W_SPORT) && (sp != is->is_sport))
1720 				rev = 1;
1721 			else if (!(flags & SI_W_DPORT) && (dp != is->is_dport))
1722 				rev = 1;
1723 		}
1724 	}
1725 
1726 	idx = (out << 1) + rev;
1727 
1728 	/*
1729 	 * If the interface for this 'direction' is set, make sure it matches.
1730 	 * An interface name that is not set matches any, as does a name of *.
1731 	 */
1732 	if ((is->is_ifp[idx] == NULL &&
1733 	    (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) ||
1734 	    is->is_ifp[idx] == ifp)
1735 		ret = 1;
1736 
1737 	if (ret == 0)
1738 		return NULL;
1739 	ret = 0;
1740 
1741 	/*
1742 	 * Match addresses and ports.
1743 	 */
1744 	if (rev == 0) {
1745 		if ((IP6_EQ(&is->is_dst, dst) || (flags & SI_W_DADDR)) &&
1746 		    (IP6_EQ(&is->is_src, src) || (flags & SI_W_SADDR))) {
1747 			if (tcp) {
1748 				if ((sp == is->is_sport || flags & SI_W_SPORT)&&
1749 				    (dp == is->is_dport || flags & SI_W_DPORT))
1750 					ret = 1;
1751 			} else {
1752 				ret = 1;
1753 			}
1754 		}
1755 	} else {
1756 		if ((IP6_EQ(&is->is_dst, src) || (flags & SI_W_DADDR)) &&
1757 		    (IP6_EQ(&is->is_src, dst) || (flags & SI_W_SADDR))) {
1758 			if (tcp) {
1759 				if ((dp == is->is_sport || flags & SI_W_SPORT)&&
1760 				    (sp == is->is_dport || flags & SI_W_DPORT))
1761 					ret = 1;
1762 			} else {
1763 				ret = 1;
1764 			}
1765 		}
1766 	}
1767 
1768 	if (ret == 0)
1769 		return NULL;
1770 
1771 	/*
1772 	 * Whether or not this should be here, is questionable, but the aim
1773 	 * is to get this out of the main line.
1774 	 */
1775 	if (tcp == NULL)
1776 		flags = is->is_flags & ~(SI_WILDP|SI_NEWFR|SI_CLONE|SI_CLONED);
1777 
1778 	/*
1779 	 * Only one of the source or destination address can be flaged as a
1780 	 * wildcard.  Fill in the missing address, if set.
1781 	 * For IPv6, if the address being copied in is multicast, then
1782 	 * don't reset the wild flag - multicast causes it to be set in the
1783 	 * first place!
1784 	 */
1785 	if ((flags & (SI_W_SADDR|SI_W_DADDR))) {
1786 		fr_ip_t *fi = &fin->fin_fi;
1787 
1788 		if ((flags & SI_W_SADDR) != 0) {
1789 			if (rev == 0) {
1790 #ifdef USE_INET6
1791 				if (is->is_v == 6 &&
1792 				    IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
1793 					/*EMPTY*/;
1794 				else
1795 #endif
1796 				{
1797 					is->is_src = fi->fi_src;
1798 					is->is_flags &= ~SI_W_SADDR;
1799 				}
1800 			} else {
1801 #ifdef USE_INET6
1802 				if (is->is_v == 6 &&
1803 				    IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
1804 					/*EMPTY*/;
1805 				else
1806 #endif
1807 				{
1808 					is->is_src = fi->fi_dst;
1809 					is->is_flags &= ~SI_W_SADDR;
1810 				}
1811 			}
1812 		} else if ((flags & SI_W_DADDR) != 0) {
1813 			if (rev == 0) {
1814 #ifdef USE_INET6
1815 				if (is->is_v == 6 &&
1816 				    IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
1817 					/*EMPTY*/;
1818 				else
1819 #endif
1820 				{
1821 					is->is_dst = fi->fi_dst;
1822 					is->is_flags &= ~SI_W_DADDR;
1823 				}
1824 			} else {
1825 #ifdef USE_INET6
1826 				if (is->is_v == 6 &&
1827 				    IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
1828 					/*EMPTY*/;
1829 				else
1830 #endif
1831 				{
1832 					is->is_dst = fi->fi_src;
1833 					is->is_flags &= ~SI_W_DADDR;
1834 				}
1835 			}
1836 		}
1837 		if ((is->is_flags & (SI_WILDA|SI_WILDP)) == 0) {
1838 			ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
1839 		}
1840 	}
1841 
1842 	flx = fin->fin_flx & cmask;
1843 	cflx = is->is_flx[out][rev];
1844 
1845 	/*
1846 	 * Match up any flags set from IP options.
1847 	 */
1848 	if ((cflx && (flx != (cflx & cmask))) ||
1849 	    ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]) ||
1850 	    ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) ||
1851 	    ((fin->fin_auth & is->is_authmsk) != is->is_auth))
1852 		return NULL;
1853 
1854 	/*
1855 	 * Only one of the source or destination port can be flagged as a
1856 	 * wildcard.  When filling it in, fill in a copy of the matched entry
1857 	 * if it has the cloning flag set.
1858 	 */
1859 	if ((fin->fin_flx & FI_IGNORE) != 0) {
1860 		fin->fin_rev = rev;
1861 		return is;
1862 	}
1863 
1864 	if ((flags & (SI_W_SPORT|SI_W_DPORT))) {
1865 		if ((flags & SI_CLONE) != 0) {
1866 			ipstate_t *clone;
1867 
1868 			clone = fr_stclone(fin, tcp, is);
1869 			if (clone == NULL)
1870 				return NULL;
1871 			is = clone;
1872 		} else {
1873 			ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
1874 		}
1875 
1876 		if ((flags & SI_W_SPORT) != 0) {
1877 			if (rev == 0) {
1878 				is->is_sport = sp;
1879 				is->is_send = ntohl(tcp->th_seq);
1880 			} else {
1881 				is->is_sport = dp;
1882 				is->is_send = ntohl(tcp->th_ack);
1883 			}
1884 			is->is_maxsend = is->is_send + 1;
1885 		} else if ((flags & SI_W_DPORT) != 0) {
1886 			if (rev == 0) {
1887 				is->is_dport = dp;
1888 				is->is_dend = ntohl(tcp->th_ack);
1889 			} else {
1890 				is->is_dport = sp;
1891 				is->is_dend = ntohl(tcp->th_seq);
1892 			}
1893 			is->is_maxdend = is->is_dend + 1;
1894 		}
1895 		is->is_flags &= ~(SI_W_SPORT|SI_W_DPORT);
1896 		if ((flags & SI_CLONED) && ifs->ifs_ipstate_logging)
1897 			ipstate_log(is, ISL_CLONE, ifs);
1898 	}
1899 
1900 	ret = -1;
1901 
1902 	if (is->is_flx[out][rev] == 0) {
1903 		is->is_flx[out][rev] = flx;
1904 		is->is_opt[rev] = fin->fin_optmsk;
1905 		if (is->is_v == 6) {
1906 			is->is_opt[rev] &= ~0x8;
1907 			is->is_optmsk[rev] &= ~0x8;
1908 		}
1909 	}
1910 
1911 	/*
1912 	 * Check if the interface name for this "direction" is set and if not,
1913 	 * fill it in.
1914 	 */
1915 	if (is->is_ifp[idx] == NULL &&
1916 	    (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) {
1917 		is->is_ifp[idx] = ifp;
1918 		COPYIFNAME(ifp, is->is_ifname[idx], fin->fin_v);
1919 	}
1920 	fin->fin_rev = rev;
1921 	return is;
1922 }
1923 
1924 
1925 /* ------------------------------------------------------------------------ */
1926 /* Function:    fr_checkicmpmatchingstate                                   */
1927 /* Returns:     Nil                                                         */
1928 /* Parameters:  fin(I) - pointer to packet information                      */
1929 /*                                                                          */
1930 /* If we've got an ICMP error message, using the information stored in the  */
1931 /* ICMP packet, look for a matching state table entry.                      */
1932 /*                                                                          */
1933 /* If we return NULL then no lock on ipf_state is held.                     */
1934 /* If we return non-null then a read-lock on ipf_state is held.             */
1935 /* ------------------------------------------------------------------------ */
1936 static ipstate_t *fr_checkicmpmatchingstate(fin)
1937 fr_info_t *fin;
1938 {
1939 	ipstate_t *is, **isp;
1940 	u_short sport, dport;
1941 	u_char	pr;
1942 	int backward, i, oi;
1943 	i6addr_t dst, src;
1944 	struct icmp *ic;
1945 	u_short savelen;
1946 	icmphdr_t *icmp;
1947 	fr_info_t ofin;
1948 	tcphdr_t *tcp;
1949 	int len;
1950 	ip_t *oip;
1951 	u_int hv;
1952 	ipf_stack_t *ifs = fin->fin_ifs;
1953 
1954 	/*
1955 	 * Does it at least have the return (basic) IP header ?
1956 	 * Is it an actual recognised ICMP error type?
1957 	 * Only a basic IP header (no options) should be with
1958 	 * an ICMP error header.
1959 	 */
1960 	if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) ||
1961 	    (fin->fin_plen < ICMPERR_MINPKTLEN) ||
1962 	    !(fin->fin_flx & FI_ICMPERR))
1963 		return NULL;
1964 	ic = fin->fin_dp;
1965 
1966 	oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
1967 	/*
1968 	 * Check if the at least the old IP header (with options) and
1969 	 * 8 bytes of payload is present.
1970 	 */
1971 	if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((IP_HL(oip) - 5) << 2))
1972 		return NULL;
1973 
1974 	/*
1975 	 * Sanity Checks.
1976 	 */
1977 	len = fin->fin_dlen - ICMPERR_ICMPHLEN;
1978 	if ((len <= 0) || ((IP_HL(oip) << 2) > len))
1979 		return NULL;
1980 
1981 	/*
1982 	 * Is the buffer big enough for all of it ?  It's the size of the IP
1983 	 * header claimed in the encapsulated part which is of concern.  It
1984 	 * may be too big to be in this buffer but not so big that it's
1985 	 * outside the ICMP packet, leading to TCP deref's causing problems.
1986 	 * This is possible because we don't know how big oip_hl is when we
1987 	 * do the pullup early in fr_check() and thus can't guarantee it is
1988 	 * all here now.
1989 	 */
1990 #ifdef  _KERNEL
1991 	{
1992 	mb_t *m;
1993 
1994 	m = fin->fin_m;
1995 # if defined(MENTAT)
1996 	if ((char *)oip + len > (char *)m->b_wptr)
1997 		return NULL;
1998 # else
1999 	if ((char *)oip + len > (char *)fin->fin_ip + m->m_len)
2000 		return NULL;
2001 # endif
2002 	}
2003 #endif
2004 	bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
2005 
2006 	/*
2007 	 * in the IPv4 case we must zero the i6addr union otherwise
2008 	 * the IP6_EQ and IP6_NEQ macros produce the wrong results because
2009 	 * of the 'junk' in the unused part of the union
2010 	 */
2011 	bzero((char *)&src, sizeof(src));
2012 	bzero((char *)&dst, sizeof(dst));
2013 
2014 	/*
2015 	 * we make an fin entry to be able to feed it to
2016 	 * matchsrcdst note that not all fields are encessary
2017 	 * but this is the cleanest way. Note further we fill
2018 	 * in fin_mp such that if someone uses it we'll get
2019 	 * a kernel panic. fr_matchsrcdst does not use this.
2020 	 *
2021 	 * watch out here, as ip is in host order and oip in network
2022 	 * order. Any change we make must be undone afterwards, like
2023 	 * oip->ip_off - it is still in network byte order so fix it.
2024 	 */
2025 	savelen = oip->ip_len;
2026 	oip->ip_len = len;
2027 	oip->ip_off = ntohs(oip->ip_off);
2028 
2029 	ofin.fin_flx = FI_NOCKSUM;
2030 	ofin.fin_v = 4;
2031 	ofin.fin_ip = oip;
2032 	ofin.fin_m = NULL;	/* if dereferenced, panic XXX */
2033 	ofin.fin_mp = NULL;	/* if dereferenced, panic XXX */
2034 	ofin.fin_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
2035 	(void) fr_makefrip(IP_HL(oip) << 2, oip, &ofin);
2036 	ofin.fin_ifp = fin->fin_ifp;
2037 	ofin.fin_out = !fin->fin_out;
2038 	/*
2039 	 * Reset the short and bad flag here because in fr_matchsrcdst()
2040 	 * the flags for the current packet (fin_flx) are compared against
2041 	 * those for the existing session.
2042 	 */
2043 	ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
2044 
2045 	/*
2046 	 * Put old values of ip_len and ip_off back as we don't know
2047 	 * if we have to forward the packet (or process it again.
2048 	 */
2049 	oip->ip_len = savelen;
2050 	oip->ip_off = htons(oip->ip_off);
2051 
2052 	switch (oip->ip_p)
2053 	{
2054 	case IPPROTO_ICMP :
2055 		/*
2056 		 * an ICMP error can only be generated as a result of an
2057 		 * ICMP query, not as the response on an ICMP error
2058 		 *
2059 		 * XXX theoretically ICMP_ECHOREP and the other reply's are
2060 		 * ICMP query's as well, but adding them here seems strange XXX
2061 		 */
2062 		if ((ofin.fin_flx & FI_ICMPERR) != 0)
2063 		    	return NULL;
2064 
2065 		/*
2066 		 * perform a lookup of the ICMP packet in the state table
2067 		 */
2068 		icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2069 		hv = (pr = oip->ip_p);
2070 		src.in4 = oip->ip_src;
2071 		hv += src.in4.s_addr;
2072 		dst.in4 = oip->ip_dst;
2073 		hv += dst.in4.s_addr;
2074 		hv += icmp->icmp_id;
2075 		hv = DOUBLE_HASH(hv, ifs);
2076 
2077 		READ_ENTER(&ifs->ifs_ipf_state);
2078 		for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2079 			isp = &is->is_hnext;
2080 			if ((is->is_p != pr) || (is->is_v != 4))
2081 				continue;
2082 			if (is->is_pass & FR_NOICMPERR)
2083 				continue;
2084 			is = fr_matchsrcdst(&ofin, is, &src, &dst,
2085 					    NULL, FI_ICMPCMP);
2086 			if (is != NULL) {
2087 				if ((is->is_pass & FR_NOICMPERR) != 0) {
2088 					RWLOCK_EXIT(&ifs->ifs_ipf_state);
2089 					return NULL;
2090 				}
2091 				/*
2092 				 * i  : the index of this packet (the icmp
2093 				 *      unreachable)
2094 				 * oi : the index of the original packet found
2095 				 *      in the icmp header (i.e. the packet
2096 				 *      causing this icmp)
2097 				 * backward : original packet was backward
2098 				 *      compared to the state
2099 				 */
2100 				backward = IP6_NEQ(&is->is_src, &src);
2101 				fin->fin_rev = !backward;
2102 				i = (!backward << 1) + fin->fin_out;
2103 				oi = (backward << 1) + ofin.fin_out;
2104 				if (is->is_icmppkts[i] > is->is_pkts[oi])
2105 					continue;
2106 				ifs->ifs_ips_stats.iss_hits++;
2107 				is->is_icmppkts[i]++;
2108 				return is;
2109 			}
2110 		}
2111 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
2112 		return NULL;
2113 	case IPPROTO_TCP :
2114 	case IPPROTO_UDP :
2115 		break;
2116 	default :
2117 		return NULL;
2118 	}
2119 
2120 	tcp = (tcphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2121 	dport = tcp->th_dport;
2122 	sport = tcp->th_sport;
2123 
2124 	hv = (pr = oip->ip_p);
2125 	src.in4 = oip->ip_src;
2126 	hv += src.in4.s_addr;
2127 	dst.in4 = oip->ip_dst;
2128 	hv += dst.in4.s_addr;
2129 	hv += dport;
2130 	hv += sport;
2131 	hv = DOUBLE_HASH(hv, ifs);
2132 
2133 	READ_ENTER(&ifs->ifs_ipf_state);
2134 	for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2135 		isp = &is->is_hnext;
2136 		/*
2137 		 * Only allow this icmp though if the
2138 		 * encapsulated packet was allowed through the
2139 		 * other way around. Note that the minimal amount
2140 		 * of info present does not allow for checking against
2141 		 * tcp internals such as seq and ack numbers.   Only the
2142 		 * ports are known to be present and can be even if the
2143 		 * short flag is set.
2144 		 */
2145 		if ((is->is_p == pr) && (is->is_v == 4) &&
2146 		    (is = fr_matchsrcdst(&ofin, is, &src, &dst,
2147 					 tcp, FI_ICMPCMP))) {
2148 			/*
2149 			 * i  : the index of this packet (the icmp unreachable)
2150 			 * oi : the index of the original packet found in the
2151 			 *      icmp header (i.e. the packet causing this icmp)
2152 			 * backward : original packet was backward compared to
2153 			 *            the state
2154 			 */
2155 			backward = IP6_NEQ(&is->is_src, &src);
2156 			fin->fin_rev = !backward;
2157 			i = (!backward << 1) + fin->fin_out;
2158 			oi = (backward << 1) + ofin.fin_out;
2159 
2160 			if (((is->is_pass & FR_NOICMPERR) != 0) ||
2161 			    (is->is_icmppkts[i] > is->is_pkts[oi]))
2162 				break;
2163 			ifs->ifs_ips_stats.iss_hits++;
2164 			is->is_icmppkts[i]++;
2165 			/*
2166 			 * we deliberately do not touch the timeouts
2167 			 * for the accompanying state table entry.
2168 			 * It remains to be seen if that is correct. XXX
2169 			 */
2170 			return is;
2171 		}
2172 	}
2173 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
2174 	return NULL;
2175 }
2176 
2177 
2178 /* ------------------------------------------------------------------------ */
2179 /* Function:    fr_ipsmove                                                  */
2180 /* Returns:     Nil                                                         */
2181 /* Parameters:  is(I) - pointer to state table entry                        */
2182 /*              hv(I) - new hash value for state table entry                */
2183 /* Write Locks: ipf_state                                                   */
2184 /*                                                                          */
2185 /* Move a state entry from one position in the hash table to another.       */
2186 /* ------------------------------------------------------------------------ */
2187 static void fr_ipsmove(is, hv, ifs)
2188 ipstate_t *is;
2189 u_int hv;
2190 ipf_stack_t *ifs;
2191 {
2192 	ipstate_t **isp;
2193 	u_int hvm;
2194 
2195 	ASSERT(rw_read_locked(&ifs->ifs_ipf_state.ipf_lk) == 0);
2196 
2197 	hvm = is->is_hv;
2198 	/*
2199 	 * Remove the hash from the old location...
2200 	 */
2201 	isp = is->is_phnext;
2202 	if (is->is_hnext)
2203 		is->is_hnext->is_phnext = isp;
2204 	*isp = is->is_hnext;
2205 	if (ifs->ifs_ips_table[hvm] == NULL)
2206 		ifs->ifs_ips_stats.iss_inuse--;
2207 	ifs->ifs_ips_stats.iss_bucketlen[hvm]--;
2208 
2209 	/*
2210 	 * ...and put the hash in the new one.
2211 	 */
2212 	hvm = DOUBLE_HASH(hv, ifs);
2213 	is->is_hv = hvm;
2214 	isp = &ifs->ifs_ips_table[hvm];
2215 	if (*isp)
2216 		(*isp)->is_phnext = &is->is_hnext;
2217 	else
2218 		ifs->ifs_ips_stats.iss_inuse++;
2219 	ifs->ifs_ips_stats.iss_bucketlen[hvm]++;
2220 	is->is_phnext = isp;
2221 	is->is_hnext = *isp;
2222 	*isp = is;
2223 }
2224 
2225 
2226 /* ------------------------------------------------------------------------ */
2227 /* Function:    fr_stlookup                                                 */
2228 /* Returns:     ipstate_t* - NULL == no matching state found,               */
2229 /*                           else pointer to state information is returned  */
2230 /* Parameters:  fin(I) - pointer to packet information                      */
2231 /*              tcp(I) - pointer to TCP/UDP header.                         */
2232 /*                                                                          */
2233 /* Search the state table for a matching entry to the packet described by   */
2234 /* the contents of *fin.                                                    */
2235 /*                                                                          */
2236 /* If we return NULL then no lock on ipf_state is held.                     */
2237 /* If we return non-null then a read-lock on ipf_state is held.             */
2238 /* ------------------------------------------------------------------------ */
2239 ipstate_t *fr_stlookup(fin, tcp, ifqp)
2240 fr_info_t *fin;
2241 tcphdr_t *tcp;
2242 ipftq_t **ifqp;
2243 {
2244 	u_int hv, hvm, pr, v, tryagain;
2245 	ipstate_t *is, **isp;
2246 	u_short dport, sport;
2247 	i6addr_t src, dst;
2248 	struct icmp *ic;
2249 	ipftq_t *ifq;
2250 	int oow;
2251 	ipf_stack_t *ifs = fin->fin_ifs;
2252 
2253 	is = NULL;
2254 	ifq = NULL;
2255 	tcp = fin->fin_dp;
2256 	ic = (struct icmp *)tcp;
2257 	hv = (pr = fin->fin_fi.fi_p);
2258 	src = fin->fin_fi.fi_src;
2259 	dst = fin->fin_fi.fi_dst;
2260 	hv += src.in4.s_addr;
2261 	hv += dst.in4.s_addr;
2262 
2263 	v = fin->fin_fi.fi_v;
2264 #ifdef	USE_INET6
2265 	if (v == 6) {
2266 		hv  += fin->fin_fi.fi_src.i6[1];
2267 		hv  += fin->fin_fi.fi_src.i6[2];
2268 		hv  += fin->fin_fi.fi_src.i6[3];
2269 
2270 		if ((fin->fin_p == IPPROTO_ICMPV6) &&
2271 		    IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_dst.in6)) {
2272 			hv -= dst.in4.s_addr;
2273 		} else {
2274 			hv += fin->fin_fi.fi_dst.i6[1];
2275 			hv += fin->fin_fi.fi_dst.i6[2];
2276 			hv += fin->fin_fi.fi_dst.i6[3];
2277 		}
2278 	}
2279 #endif
2280 
2281 	/*
2282 	 * Search the hash table for matching packet header info.
2283 	 */
2284 	switch (pr)
2285 	{
2286 #ifdef	USE_INET6
2287 	case IPPROTO_ICMPV6 :
2288 		tryagain = 0;
2289 		if (v == 6) {
2290 			if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
2291 			    (ic->icmp_type == ICMP6_ECHO_REPLY)) {
2292 				hv += ic->icmp_id;
2293 			}
2294 		}
2295 		READ_ENTER(&ifs->ifs_ipf_state);
2296 icmp6again:
2297 		hvm = DOUBLE_HASH(hv, ifs);
2298 		for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2299 			isp = &is->is_hnext;
2300 			if ((is->is_p != pr) || (is->is_v != v))
2301 				continue;
2302 			is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2303 			if (is != NULL &&
2304 			    fr_matchicmpqueryreply(v, &is->is_icmp,
2305 						   ic, fin->fin_rev)) {
2306 				if (fin->fin_rev)
2307 					ifq = &ifs->ifs_ips_icmpacktq;
2308 				else
2309 					ifq = &ifs->ifs_ips_icmptq;
2310 				break;
2311 			}
2312 		}
2313 
2314 		if (is != NULL) {
2315 			if ((tryagain != 0) && !(is->is_flags & SI_W_DADDR)) {
2316 				hv += fin->fin_fi.fi_src.i6[0];
2317 				hv += fin->fin_fi.fi_src.i6[1];
2318 				hv += fin->fin_fi.fi_src.i6[2];
2319 				hv += fin->fin_fi.fi_src.i6[3];
2320 				fr_ipsmove(is, hv, ifs);
2321 				MUTEX_DOWNGRADE(&ifs->ifs_ipf_state);
2322 			}
2323 			break;
2324 		}
2325 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
2326 
2327 		/*
2328 		 * No matching icmp state entry. Perhaps this is a
2329 		 * response to another state entry.
2330 		 *
2331 		 * XXX With some ICMP6 packets, the "other" address is already
2332 		 * in the packet, after the ICMP6 header, and this could be
2333 		 * used in place of the multicast address.  However, taking
2334 		 * advantage of this requires some significant code changes
2335 		 * to handle the specific types where that is the case.
2336 		 */
2337 		if ((ifs->ifs_ips_stats.iss_wild != 0) && (v == 6) && (tryagain == 0) &&
2338 		    !IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_src.in6)) {
2339 			hv -= fin->fin_fi.fi_src.i6[0];
2340 			hv -= fin->fin_fi.fi_src.i6[1];
2341 			hv -= fin->fin_fi.fi_src.i6[2];
2342 			hv -= fin->fin_fi.fi_src.i6[3];
2343 			tryagain = 1;
2344 			WRITE_ENTER(&ifs->ifs_ipf_state);
2345 			goto icmp6again;
2346 		}
2347 
2348 		is = fr_checkicmp6matchingstate(fin);
2349 		if (is != NULL)
2350 			return is;
2351 		break;
2352 #endif
2353 
2354 	case IPPROTO_ICMP :
2355 		if (v == 4) {
2356 			hv += ic->icmp_id;
2357 		}
2358 		hv = DOUBLE_HASH(hv, ifs);
2359 		READ_ENTER(&ifs->ifs_ipf_state);
2360 		for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2361 			isp = &is->is_hnext;
2362 			if ((is->is_p != pr) || (is->is_v != v))
2363 				continue;
2364 			is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2365 			if (is != NULL &&
2366 			    fr_matchicmpqueryreply(v, &is->is_icmp,
2367 						   ic, fin->fin_rev)) {
2368 				if (fin->fin_rev)
2369 					ifq = &ifs->ifs_ips_icmpacktq;
2370 				else
2371 					ifq = &ifs->ifs_ips_icmptq;
2372 				break;
2373 			}
2374 		}
2375 		if (is == NULL) {
2376 			RWLOCK_EXIT(&ifs->ifs_ipf_state);
2377 		}
2378 		break;
2379 
2380 	case IPPROTO_TCP :
2381 	case IPPROTO_UDP :
2382 		ifqp = NULL;
2383 		sport = htons(fin->fin_data[0]);
2384 		hv += sport;
2385 		dport = htons(fin->fin_data[1]);
2386 		hv += dport;
2387 		oow = 0;
2388 		tryagain = 0;
2389 		READ_ENTER(&ifs->ifs_ipf_state);
2390 retry_tcpudp:
2391 		hvm = DOUBLE_HASH(hv, ifs);
2392 		for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2393 			isp = &is->is_hnext;
2394 			if ((is->is_p != pr) || (is->is_v != v))
2395 				continue;
2396 			fin->fin_flx &= ~FI_OOW;
2397 			is = fr_matchsrcdst(fin, is, &src, &dst, tcp, FI_CMP);
2398 			if (is != NULL) {
2399 				if (pr == IPPROTO_TCP) {
2400 					if (!fr_tcpstate(fin, tcp, is)) {
2401 						oow |= fin->fin_flx & FI_OOW;
2402 						continue;
2403 					}
2404 				}
2405 				break;
2406 			}
2407 		}
2408 		if (is != NULL) {
2409 			if (tryagain &&
2410 			    !(is->is_flags & (SI_CLONE|SI_WILDP|SI_WILDA))) {
2411 				hv += dport;
2412 				hv += sport;
2413 				fr_ipsmove(is, hv, ifs);
2414 				MUTEX_DOWNGRADE(&ifs->ifs_ipf_state);
2415 			}
2416 			break;
2417 		}
2418 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
2419 
2420 		if (!tryagain && ifs->ifs_ips_stats.iss_wild) {
2421 			hv -= dport;
2422 			hv -= sport;
2423 			tryagain = 1;
2424 			WRITE_ENTER(&ifs->ifs_ipf_state);
2425 			goto retry_tcpudp;
2426 		}
2427 		fin->fin_flx |= oow;
2428 		break;
2429 
2430 #if 0
2431 	case IPPROTO_GRE :
2432 		gre = fin->fin_dp;
2433 		if (GRE_REV(gre->gr_flags) == 1) {
2434 			hv += gre->gr_call;
2435 		}
2436 		/* FALLTHROUGH */
2437 #endif
2438 	default :
2439 		ifqp = NULL;
2440 		hvm = DOUBLE_HASH(hv, ifs);
2441 		READ_ENTER(&ifs->ifs_ipf_state);
2442 		for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2443 			isp = &is->is_hnext;
2444 			if ((is->is_p != pr) || (is->is_v != v))
2445 				continue;
2446 			is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2447 			if (is != NULL) {
2448 				ifq = &ifs->ifs_ips_iptq;
2449 				break;
2450 			}
2451 		}
2452 		if (is == NULL) {
2453 			RWLOCK_EXIT(&ifs->ifs_ipf_state);
2454 		}
2455 		break;
2456 	}
2457 
2458 	if ((is != NULL) && ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) &&
2459 	    (is->is_tqehead[fin->fin_rev] != NULL))
2460 		ifq = is->is_tqehead[fin->fin_rev];
2461 	if (ifq != NULL && ifqp != NULL)
2462 		*ifqp = ifq;
2463 	return is;
2464 }
2465 
2466 
2467 /* ------------------------------------------------------------------------ */
2468 /* Function:    fr_updatestate                                              */
2469 /* Returns:     Nil                                                         */
2470 /* Parameters:  fin(I) - pointer to packet information                      */
2471 /*              is(I)  - pointer to state table entry                       */
2472 /* Read Locks:  ipf_state                                                   */
2473 /*                                                                          */
2474 /* Updates packet and byte counters for a newly received packet.  Seeds the */
2475 /* fragment cache with a new entry as required.                             */
2476 /* ------------------------------------------------------------------------ */
2477 void fr_updatestate(fin, is, ifq)
2478 fr_info_t *fin;
2479 ipstate_t *is;
2480 ipftq_t *ifq;
2481 {
2482 	ipftqent_t *tqe;
2483 	int i, pass;
2484 	ipf_stack_t *ifs = fin->fin_ifs;
2485 
2486 	i = (fin->fin_rev << 1) + fin->fin_out;
2487 
2488 	/*
2489 	 * For TCP packets, ifq == NULL.  For all others, check if this new
2490 	 * queue is different to the last one it was on and move it if so.
2491 	 */
2492 	tqe = &is->is_sti;
2493 	MUTEX_ENTER(&is->is_lock);
2494 	if ((tqe->tqe_flags & TQE_RULEBASED) != 0)
2495 		ifq = is->is_tqehead[fin->fin_rev];
2496 
2497 	if (ifq != NULL)
2498 		fr_movequeue(tqe, tqe->tqe_ifq, ifq, ifs);
2499 
2500 	is->is_pkts[i]++;
2501 	is->is_bytes[i] += fin->fin_plen;
2502 	MUTEX_EXIT(&is->is_lock);
2503 
2504 #ifdef	IPFILTER_SYNC
2505 	if (is->is_flags & IS_STATESYNC)
2506 		ipfsync_update(SMC_STATE, fin, is->is_sync);
2507 #endif
2508 
2509 	ATOMIC_INCL(ifs->ifs_ips_stats.iss_hits);
2510 
2511 	fin->fin_fr = is->is_rule;
2512 
2513 	/*
2514 	 * If this packet is a fragment and the rule says to track fragments,
2515 	 * then create a new fragment cache entry.
2516 	 */
2517 	pass = is->is_pass;
2518 	if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(pass))
2519 		(void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
2520 }
2521 
2522 
2523 /* ------------------------------------------------------------------------ */
2524 /* Function:    fr_checkstate                                               */
2525 /* Returns:     frentry_t* - NULL == search failed,                         */
2526 /*                           else pointer to rule for matching state        */
2527 /* Parameters:  ifp(I)   - pointer to interface                             */
2528 /*              passp(I) - pointer to filtering result flags                */
2529 /*                                                                          */
2530 /* Check if a packet is associated with an entry in the state table.        */
2531 /* ------------------------------------------------------------------------ */
2532 frentry_t *fr_checkstate(fin, passp)
2533 fr_info_t *fin;
2534 u_32_t *passp;
2535 {
2536 	ipstate_t *is;
2537 	frentry_t *fr;
2538 	tcphdr_t *tcp;
2539 	ipftq_t *ifq;
2540 	u_int pass;
2541 	ipf_stack_t *ifs = fin->fin_ifs;
2542 
2543 	if (ifs->ifs_fr_state_lock || (ifs->ifs_ips_list == NULL) ||
2544 	    (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
2545 		return NULL;
2546 
2547 	is = NULL;
2548 	if ((fin->fin_flx & FI_TCPUDP) ||
2549 	    (fin->fin_fi.fi_p == IPPROTO_ICMP)
2550 #ifdef	USE_INET6
2551 	    || (fin->fin_fi.fi_p == IPPROTO_ICMPV6)
2552 #endif
2553 	    )
2554 		tcp = fin->fin_dp;
2555 	else
2556 		tcp = NULL;
2557 
2558 	/*
2559 	 * Search the hash table for matching packet header info.
2560 	 */
2561 	ifq = NULL;
2562 	is = fin->fin_state;
2563 	if (is == NULL)
2564 		is = fr_stlookup(fin, tcp, &ifq);
2565 	switch (fin->fin_p)
2566 	{
2567 #ifdef	USE_INET6
2568 	case IPPROTO_ICMPV6 :
2569 		if (is != NULL)
2570 			break;
2571 		if (fin->fin_v == 6) {
2572 			is = fr_checkicmp6matchingstate(fin);
2573 			if (is != NULL)
2574 				goto matched;
2575 		}
2576 		break;
2577 #endif
2578 	case IPPROTO_ICMP :
2579 		if (is != NULL)
2580 			break;
2581 		/*
2582 		 * No matching icmp state entry. Perhaps this is a
2583 		 * response to another state entry.
2584 		 */
2585 		is = fr_checkicmpmatchingstate(fin);
2586 		if (is != NULL)
2587 			goto matched;
2588 		break;
2589 	case IPPROTO_TCP :
2590 		if (is == NULL)
2591 			break;
2592 
2593 		if (is->is_pass & FR_NEWISN) {
2594 			if (fin->fin_out == 0)
2595 				fr_fixinisn(fin, is);
2596 			else if (fin->fin_out == 1)
2597 				fr_fixoutisn(fin, is);
2598 		}
2599 		break;
2600 	default :
2601 		if (fin->fin_rev)
2602 			ifq = &ifs->ifs_ips_udpacktq;
2603 		else
2604 			ifq = &ifs->ifs_ips_udptq;
2605 		break;
2606 	}
2607 	if (is == NULL) {
2608 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_miss);
2609 		return NULL;
2610 	}
2611 
2612 matched:
2613 	fr = is->is_rule;
2614 	if (fr != NULL) {
2615 		if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
2616 			if (fin->fin_nattag == NULL)
2617 				return NULL;
2618 			if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) != 0)
2619 				return NULL;
2620 		}
2621 		(void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
2622 		fin->fin_icode = fr->fr_icode;
2623 	}
2624 
2625 	fin->fin_rule = is->is_rulen;
2626 	pass = is->is_pass;
2627 	fr_updatestate(fin, is, ifq);
2628 	if (fin->fin_out == 1)
2629 		fin->fin_nat = is->is_nat[fin->fin_rev];
2630 
2631 	fin->fin_state = is;
2632 	is->is_touched = ifs->ifs_fr_ticks;
2633 	MUTEX_ENTER(&is->is_lock);
2634 	is->is_ref++;
2635 	MUTEX_EXIT(&is->is_lock);
2636 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
2637 	fin->fin_flx |= FI_STATE;
2638 	if ((pass & FR_LOGFIRST) != 0)
2639 		pass &= ~(FR_LOGFIRST|FR_LOG);
2640 	*passp = pass;
2641 	return fr;
2642 }
2643 
2644 
2645 /* ------------------------------------------------------------------------ */
2646 /* Function:    fr_fixoutisn                                                */
2647 /* Returns:     Nil                                                         */
2648 /* Parameters:  fin(I)   - pointer to packet information                    */
2649 /*              is(I)  - pointer to master state structure                  */
2650 /*                                                                          */
2651 /* Called only for outbound packets, adjusts the sequence number and the    */
2652 /* TCP checksum to match that change.                                       */
2653 /* ------------------------------------------------------------------------ */
2654 static void fr_fixoutisn(fin, is)
2655 fr_info_t *fin;
2656 ipstate_t *is;
2657 {
2658 	tcphdr_t *tcp;
2659 	int rev;
2660 	u_32_t seq;
2661 
2662 	tcp = fin->fin_dp;
2663 	rev = fin->fin_rev;
2664 	if ((is->is_flags & IS_ISNSYN) != 0) {
2665 		if (rev == 0) {
2666 			seq = ntohl(tcp->th_seq);
2667 			seq += is->is_isninc[0];
2668 			tcp->th_seq = htonl(seq);
2669 			fix_outcksum(&tcp->th_sum, is->is_sumd[0]);
2670 		}
2671 	}
2672 	if ((is->is_flags & IS_ISNACK) != 0) {
2673 		if (rev == 1) {
2674 			seq = ntohl(tcp->th_seq);
2675 			seq += is->is_isninc[1];
2676 			tcp->th_seq = htonl(seq);
2677 			fix_outcksum(&tcp->th_sum, is->is_sumd[1]);
2678 		}
2679 	}
2680 }
2681 
2682 
2683 /* ------------------------------------------------------------------------ */
2684 /* Function:    fr_fixinisn                                                 */
2685 /* Returns:     Nil                                                         */
2686 /* Parameters:  fin(I)   - pointer to packet information                    */
2687 /*              is(I)  - pointer to master state structure                  */
2688 /*                                                                          */
2689 /* Called only for inbound packets, adjusts the acknowledge number and the  */
2690 /* TCP checksum to match that change.                                       */
2691 /* ------------------------------------------------------------------------ */
2692 static void fr_fixinisn(fin, is)
2693 fr_info_t *fin;
2694 ipstate_t *is;
2695 {
2696 	tcphdr_t *tcp;
2697 	int rev;
2698 	u_32_t ack;
2699 
2700 	tcp = fin->fin_dp;
2701 	rev = fin->fin_rev;
2702 	if ((is->is_flags & IS_ISNSYN) != 0) {
2703 		if (rev == 1) {
2704 			ack = ntohl(tcp->th_ack);
2705 			ack -= is->is_isninc[0];
2706 			tcp->th_ack = htonl(ack);
2707 			fix_incksum(&tcp->th_sum, is->is_sumd[0]);
2708 		}
2709 	}
2710 	if ((is->is_flags & IS_ISNACK) != 0) {
2711 		if (rev == 0) {
2712 			ack = ntohl(tcp->th_ack);
2713 			ack -= is->is_isninc[1];
2714 			tcp->th_ack = htonl(ack);
2715 			fix_incksum(&tcp->th_sum, is->is_sumd[1]);
2716 		}
2717 	}
2718 }
2719 
2720 
2721 /* ------------------------------------------------------------------------ */
2722 /* Function:    fr_statesync                                                */
2723 /* Returns:     Nil                                                         */
2724 /* Parameters:  action(I) - type of synchronisation to do                   */
2725 /*              v(I)      - IP version being sync'd (v4 or v6)              */
2726 /*              ifp(I)    - interface identifier associated with action     */
2727 /*              name(I)   - name associated with ifp parameter              */
2728 /*                                                                          */
2729 /* Walk through all state entries and if an interface pointer match is      */
2730 /* found then look it up again, based on its name in case the pointer has   */
2731 /* changed since last time.                                                 */
2732 /*                                                                          */
2733 /* If ifp is passed in as being non-null then we are only doing updates for */
2734 /* existing, matching, uses of it.                                          */
2735 /* ------------------------------------------------------------------------ */
2736 void fr_statesync(action, v, ifp, name, ifs)
2737 int action, v;
2738 void *ifp;
2739 char *name;
2740 ipf_stack_t *ifs;
2741 {
2742 	ipstate_t *is;
2743 	int i;
2744 
2745 	if (ifs->ifs_fr_running <= 0)
2746 		return;
2747 
2748 	WRITE_ENTER(&ifs->ifs_ipf_state);
2749 
2750 	if (ifs->ifs_fr_running <= 0) {
2751 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
2752 		return;
2753 	}
2754 
2755 	switch (action)
2756 	{
2757 	case IPFSYNC_RESYNC :
2758 		for (is = ifs->ifs_ips_list; is; is = is->is_next) {
2759 			if (v != 0 && is->is_v != v)
2760 				continue;
2761 			/*
2762 			 * Look up all the interface names in the state entry.
2763 			 */
2764 			for (i = 0; i < 4; i++) {
2765 				is->is_ifp[i] = fr_resolvenic(is->is_ifname[i],
2766 							      is->is_v, ifs);
2767 			}
2768 		}
2769 		break;
2770 	case IPFSYNC_NEWIFP :
2771 		for (is = ifs->ifs_ips_list; is; is = is->is_next) {
2772 			if (v != 0 && is->is_v != v)
2773 				continue;
2774 			/*
2775 			 * Look up all the interface names in the state entry.
2776 			 */
2777 			for (i = 0; i < 4; i++) {
2778 				if (!strncmp(is->is_ifname[i], name,
2779 					     sizeof(is->is_ifname[i])))
2780 					is->is_ifp[i] = ifp;
2781 			}
2782 		}
2783 		break;
2784 	case IPFSYNC_OLDIFP :
2785 		for (is = ifs->ifs_ips_list; is; is = is->is_next) {
2786 			if (v != 0 && is->is_v != v)
2787 				continue;
2788 			/*
2789 			 * Look up all the interface names in the state entry.
2790 			 */
2791 			for (i = 0; i < 4; i++) {
2792 				if (is->is_ifp[i] == ifp)
2793 					is->is_ifp[i] = (void *)-1;
2794 			}
2795 		}
2796 		break;
2797 	}
2798 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
2799 }
2800 
2801 
2802 /* ------------------------------------------------------------------------ */
2803 /* Function:    fr_delstate                                                 */
2804 /* Returns:     Nil                                                         */
2805 /* Parameters:  is(I)  - pointer to state structure to delete               */
2806 /*              why(I) - if not 0, log reason why it was deleted            */
2807 /* Write Locks: ipf_state/ipf_global                                        */
2808 /*                                                                          */
2809 /* Deletes a state entry from the enumerated list as well as the hash table */
2810 /* and timeout queue lists.  Make adjustments to hash table statistics and  */
2811 /* global counters as required.                                             */
2812 /* ------------------------------------------------------------------------ */
2813 static void fr_delstate(is, why, ifs)
2814 ipstate_t *is;
2815 int why;
2816 ipf_stack_t *ifs;
2817 {
2818 
2819 	ASSERT(rw_write_held(&ifs->ifs_ipf_global.ipf_lk) == 0 ||
2820 		rw_write_held(&ifs->ifs_ipf_state.ipf_lk) == 0);
2821 
2822 	/*
2823 	 * Since we want to delete this, remove it from the state table,
2824 	 * where it can be found & used, first.
2825 	 */
2826 	if (is->is_pnext != NULL) {
2827 		*is->is_pnext = is->is_next;
2828 
2829 		if (is->is_next != NULL)
2830 			is->is_next->is_pnext = is->is_pnext;
2831 
2832 		is->is_pnext = NULL;
2833 		is->is_next = NULL;
2834 	}
2835 
2836 	if (is->is_phnext != NULL) {
2837 		*is->is_phnext = is->is_hnext;
2838 		if (is->is_hnext != NULL)
2839 			is->is_hnext->is_phnext = is->is_phnext;
2840 		if (ifs->ifs_ips_table[is->is_hv] == NULL)
2841 			ifs->ifs_ips_stats.iss_inuse--;
2842 		ifs->ifs_ips_stats.iss_bucketlen[is->is_hv]--;
2843 
2844 		is->is_phnext = NULL;
2845 		is->is_hnext = NULL;
2846 	}
2847 
2848 	/*
2849 	 * Because ifs->ifs_ips_stats.iss_wild is a count of entries in the state
2850 	 * table that have wildcard flags set, only decerement it once
2851 	 * and do it here.
2852 	 */
2853 	if (is->is_flags & (SI_WILDP|SI_WILDA)) {
2854 		if (!(is->is_flags & SI_CLONED)) {
2855 			ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
2856 		}
2857 		is->is_flags &= ~(SI_WILDP|SI_WILDA);
2858 	}
2859 
2860 	/*
2861 	 * Next, remove it from the timeout queue it is in.
2862 	 */
2863 	fr_deletequeueentry(&is->is_sti);
2864 
2865 	is->is_me = NULL;
2866 
2867 	/*
2868 	 * If it is still in use by something else, do not go any further,
2869 	 * but note that at this point it is now an orphan.
2870 	 */
2871 	MUTEX_ENTER(&is->is_lock);
2872 	if (is->is_ref > 1) {
2873 		is->is_ref--;
2874 		MUTEX_EXIT(&is->is_lock);
2875 		return;
2876 	}
2877 	MUTEX_EXIT(&is->is_lock);
2878 
2879 	is->is_ref = 0;
2880 
2881 	if (is->is_tqehead[0] != NULL) {
2882 		if (fr_deletetimeoutqueue(is->is_tqehead[0]) == 0)
2883 			fr_freetimeoutqueue(is->is_tqehead[0], ifs);
2884 	}
2885 	if (is->is_tqehead[1] != NULL) {
2886 		if (fr_deletetimeoutqueue(is->is_tqehead[1]) == 0)
2887 			fr_freetimeoutqueue(is->is_tqehead[1], ifs);
2888 	}
2889 
2890 #ifdef	IPFILTER_SYNC
2891 	if (is->is_sync)
2892 		ipfsync_del(is->is_sync);
2893 #endif
2894 #ifdef	IPFILTER_SCAN
2895 	(void) ipsc_detachis(is);
2896 #endif
2897 
2898 	if (ifs->ifs_ipstate_logging != 0 && why != 0)
2899 		ipstate_log(is, why, ifs);
2900 
2901 	if (is->is_rule != NULL) {
2902 		is->is_rule->fr_statecnt--;
2903 		(void)fr_derefrule(&is->is_rule, ifs);
2904 	}
2905 
2906 	MUTEX_DESTROY(&is->is_lock);
2907 	KFREE(is);
2908 	ifs->ifs_ips_num--;
2909 }
2910 
2911 
2912 /* ------------------------------------------------------------------------ */
2913 /* Function:    fr_timeoutstate                                             */
2914 /* Returns:     Nil                                                         */
2915 /* Parameters:  Nil                                                         */
2916 /*                                                                          */
2917 /* Slowly expire held state for thingslike UDP and ICMP.  The algorithm     */
2918 /* used here is to keep the queue sorted with the oldest things at the top  */
2919 /* and the youngest at the bottom.  So if the top one doesn't need to be    */
2920 /* expired then neither will any under it.                                  */
2921 /* ------------------------------------------------------------------------ */
2922 void fr_timeoutstate(ifs)
2923 ipf_stack_t *ifs;
2924 {
2925 	ipftq_t *ifq, *ifqnext;
2926 	ipftqent_t *tqe, *tqn;
2927 	ipstate_t *is;
2928 	SPL_INT(s);
2929 
2930 	SPL_NET(s);
2931 	WRITE_ENTER(&ifs->ifs_ipf_state);
2932 	for (ifq = ifs->ifs_ips_tqtqb; ifq != NULL; ifq = ifq->ifq_next)
2933 		for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
2934 			if (tqe->tqe_die > ifs->ifs_fr_ticks)
2935 				break;
2936 			tqn = tqe->tqe_next;
2937 			is = tqe->tqe_parent;
2938 			fr_delstate(is, ISL_EXPIRE, ifs);
2939 		}
2940 
2941 	for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
2942 		ifqnext = ifq->ifq_next;
2943 
2944 		for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
2945 			if (tqe->tqe_die > ifs->ifs_fr_ticks)
2946 				break;
2947 			tqn = tqe->tqe_next;
2948 			is = tqe->tqe_parent;
2949 			fr_delstate(is, ISL_EXPIRE, ifs);
2950 		}
2951 	}
2952 
2953 	for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
2954 		ifqnext = ifq->ifq_next;
2955 
2956 		if (((ifq->ifq_flags & IFQF_DELETE) != 0) &&
2957 		    (ifq->ifq_ref == 0)) {
2958 			fr_freetimeoutqueue(ifq, ifs);
2959 		}
2960 	}
2961 
2962 	if (ifs->ifs_fr_state_doflush) {
2963 		(void) fr_state_flush(2, 0, ifs);
2964 		ifs->ifs_fr_state_doflush = 0;
2965 	}
2966 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
2967 	SPL_X(s);
2968 }
2969 
2970 
2971 /* ------------------------------------------------------------------------ */
2972 /* Function:    fr_state_flush                                              */
2973 /* Returns:     int - 0 == success, -1 == failure                           */
2974 /* Parameters:  Nil                                                         */
2975 /* Write Locks: ipf_state                                                   */
2976 /*                                                                          */
2977 /* Flush state tables.  Three actions currently defined:                    */
2978 /* which == 0 : flush all state table entries                               */
2979 /* which == 1 : flush TCP connections which have started to close but are   */
2980 /*	      stuck for some reason.                                        */
2981 /* which == 2 : flush TCP connections which have been idle for a long time, */
2982 /*	      starting at > 4 days idle and working back in successive half-*/
2983 /*	      days to at most 12 hours old.  If this fails to free enough   */
2984 /*            slots then work backwards in half hour slots to 30 minutes.   */
2985 /*            If that too fails, then work backwards in 30 second intervals */
2986 /*            for the last 30 minutes to at worst 30 seconds idle.          */
2987 /* ------------------------------------------------------------------------ */
2988 static int fr_state_flush(which, proto, ifs)
2989 int which, proto;
2990 ipf_stack_t *ifs;
2991 {
2992 	ipftq_t *ifq, *ifqnext;
2993 	ipftqent_t *tqe, *tqn;
2994 	ipstate_t *is, **isp;
2995 	int delete, removed;
2996 	long try, maxtick;
2997 	u_long interval;
2998 	SPL_INT(s);
2999 
3000 	removed = 0;
3001 
3002 	SPL_NET(s);
3003 	for (isp = &ifs->ifs_ips_list; ((is = *isp) != NULL); ) {
3004 		delete = 0;
3005 
3006 		if ((proto != 0) && (is->is_v != proto)) {
3007 			isp = &is->is_next;
3008 			continue;
3009 		}
3010 
3011 		switch (which)
3012 		{
3013 		case 0 :
3014 			delete = 1;
3015 			break;
3016 		case 1 :
3017 		case 2 :
3018 			if (is->is_p != IPPROTO_TCP)
3019 				break;
3020 			if ((is->is_state[0] != IPF_TCPS_ESTABLISHED) ||
3021 			    (is->is_state[1] != IPF_TCPS_ESTABLISHED))
3022 				delete = 1;
3023 			break;
3024 		}
3025 
3026 		if (delete) {
3027 			if (is->is_p == IPPROTO_TCP)
3028 				ifs->ifs_ips_stats.iss_fin++;
3029 			else
3030 				ifs->ifs_ips_stats.iss_expire++;
3031 			fr_delstate(is, ISL_FLUSH, ifs);
3032 			removed++;
3033 		} else
3034 			isp = &is->is_next;
3035 	}
3036 
3037 	if (which != 2) {
3038 		SPL_X(s);
3039 		return removed;
3040 	}
3041 
3042 	/*
3043 	 * Asked to remove inactive entries because the table is full, try
3044 	 * again, 3 times, if first attempt failed with a different criteria
3045 	 * each time.  The order tried in must be in decreasing age.
3046 	 * Another alternative is to implement random drop and drop N entries
3047 	 * at random until N have been freed up.
3048 	 */
3049 	if (ifs->ifs_fr_ticks - ifs->ifs_ips_last_force_flush < IPF_TTLVAL(5))
3050 		goto force_flush_skipped;
3051 	ifs->ifs_ips_last_force_flush = ifs->ifs_fr_ticks;
3052 
3053 	if (ifs->ifs_fr_ticks > IPF_TTLVAL(43200))
3054 		interval = IPF_TTLVAL(43200);
3055 	else if (ifs->ifs_fr_ticks > IPF_TTLVAL(1800))
3056 		interval = IPF_TTLVAL(1800);
3057 	else if (ifs->ifs_fr_ticks > IPF_TTLVAL(30))
3058 		interval = IPF_TTLVAL(30);
3059 	else
3060 		interval = IPF_TTLVAL(10);
3061 	try = ifs->ifs_fr_ticks - (ifs->ifs_fr_ticks - interval);
3062 	if (try < 0)
3063 		goto force_flush_skipped;
3064 
3065 	while (removed == 0) {
3066 		maxtick = ifs->ifs_fr_ticks - interval;
3067 		if (maxtick < 0)
3068 			break;
3069 
3070 		while (try < maxtick) {
3071 			for (ifq = ifs->ifs_ips_tqtqb; ifq != NULL;
3072 			     ifq = ifq->ifq_next) {
3073 				for (tqn = ifq->ifq_head;
3074 				     ((tqe = tqn) != NULL); ) {
3075 					if (tqe->tqe_die > try)
3076 						break;
3077 					tqn = tqe->tqe_next;
3078 					is = tqe->tqe_parent;
3079 					fr_delstate(is, ISL_EXPIRE, ifs);
3080 					removed++;
3081 				}
3082 			}
3083 
3084 			for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
3085 				ifqnext = ifq->ifq_next;
3086 
3087 				for (tqn = ifq->ifq_head;
3088 				     ((tqe = tqn) != NULL); ) {
3089 					if (tqe->tqe_die > try)
3090 						break;
3091 					tqn = tqe->tqe_next;
3092 					is = tqe->tqe_parent;
3093 					fr_delstate(is, ISL_EXPIRE, ifs);
3094 					removed++;
3095 				}
3096 			}
3097 			if (try + interval > maxtick)
3098 				break;
3099 			try += interval;
3100 		}
3101 
3102 		if (removed == 0) {
3103 			if (interval == IPF_TTLVAL(43200)) {
3104 				interval = IPF_TTLVAL(1800);
3105 			} else if (interval == IPF_TTLVAL(1800)) {
3106 				interval = IPF_TTLVAL(30);
3107 			} else if (interval == IPF_TTLVAL(30)) {
3108 				interval = IPF_TTLVAL(10);
3109 			} else {
3110 				break;
3111 			}
3112 		}
3113 	}
3114 force_flush_skipped:
3115 	SPL_X(s);
3116 	return removed;
3117 }
3118 
3119 
3120 
3121 /* ------------------------------------------------------------------------ */
3122 /* Function:    fr_tcp_age                                                  */
3123 /* Returns:     int - 1 == state transition made, 0 == no change (rejected) */
3124 /* Parameters:  tq(I)    - pointer to timeout queue information             */
3125 /*              fin(I)   - pointer to packet information                    */
3126 /*              tqtab(I) - TCP timeout queue table this is in               */
3127 /*              flags(I) - flags from state/NAT entry                       */
3128 /*                                                                          */
3129 /* Rewritten by Arjan de Vet <Arjan.deVet@adv.iae.nl>, 2000-07-29:          */
3130 /*                                                                          */
3131 /* - (try to) base state transitions on real evidence only,                 */
3132 /*   i.e. packets that are sent and have been received by ipfilter;         */
3133 /*   diagram 18.12 of TCP/IP volume 1 by W. Richard Stevens was used.       */
3134 /*                                                                          */
3135 /* - deal with half-closed connections correctly;                           */
3136 /*                                                                          */
3137 /* - store the state of the source in state[0] such that ipfstat            */
3138 /*   displays the state as source/dest instead of dest/source; the calls    */
3139 /*   to fr_tcp_age have been changed accordingly.                           */
3140 /*                                                                          */
3141 /* Internal Parameters:                                                     */
3142 /*                                                                          */
3143 /*    state[0] = state of source (host that initiated connection)           */
3144 /*    state[1] = state of dest   (host that accepted the connection)        */
3145 /*                                                                          */
3146 /*    dir == 0 : a packet from source to dest                               */
3147 /*    dir == 1 : a packet from dest to source                               */
3148 /*                                                                          */
3149 /* Locking: it is assumed that the parent of the tqe structure is locked.   */
3150 /* ------------------------------------------------------------------------ */
3151 int fr_tcp_age(tqe, fin, tqtab, flags)
3152 ipftqent_t *tqe;
3153 fr_info_t *fin;
3154 ipftq_t *tqtab;
3155 int flags;
3156 {
3157 	int dlen, ostate, nstate, rval, dir;
3158 	u_char tcpflags;
3159 	tcphdr_t *tcp;
3160 	ipf_stack_t *ifs = fin->fin_ifs;
3161 
3162 	tcp = fin->fin_dp;
3163 
3164 	rval = 0;
3165 	dir = fin->fin_rev;
3166 	tcpflags = tcp->th_flags;
3167 	dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
3168 
3169 	if (tcpflags & TH_RST) {
3170 		if (!(tcpflags & TH_PUSH) && !dlen)
3171 			nstate = IPF_TCPS_CLOSED;
3172 		else
3173 			nstate = IPF_TCPS_CLOSE_WAIT;
3174 		rval = 1;
3175 	} else {
3176 		ostate = tqe->tqe_state[1 - dir];
3177 		nstate = tqe->tqe_state[dir];
3178 
3179 		switch (nstate)
3180 		{
3181 		case IPF_TCPS_CLOSED: /* 0 */
3182 			if ((tcpflags & TH_OPENING) == TH_OPENING) {
3183 				/*
3184 				 * 'dir' received an S and sends SA in
3185 				 * response, CLOSED -> SYN_RECEIVED
3186 				 */
3187 				nstate = IPF_TCPS_SYN_RECEIVED;
3188 				rval = 1;
3189 			} else if ((tcpflags & TH_OPENING) == TH_SYN) {
3190 				/* 'dir' sent S, CLOSED -> SYN_SENT */
3191 				nstate = IPF_TCPS_SYN_SENT;
3192 				rval = 1;
3193 			}
3194 			/*
3195 			 * the next piece of code makes it possible to get
3196 			 * already established connections into the state table
3197 			 * after a restart or reload of the filter rules; this
3198 			 * does not work when a strict 'flags S keep state' is
3199 			 * used for tcp connections of course
3200 			 */
3201 			if (((flags & IS_TCPFSM) == 0) &&
3202 			    ((tcpflags & TH_ACKMASK) == TH_ACK)) {
3203 				/*
3204 				 * we saw an A, guess 'dir' is in ESTABLISHED
3205 				 * mode
3206 				 */
3207 				switch (ostate)
3208 				{
3209 				case IPF_TCPS_CLOSED :
3210 				case IPF_TCPS_SYN_RECEIVED :
3211 					nstate = IPF_TCPS_HALF_ESTAB;
3212 					rval = 1;
3213 					break;
3214 				case IPF_TCPS_HALF_ESTAB :
3215 				case IPF_TCPS_ESTABLISHED :
3216 					nstate = IPF_TCPS_ESTABLISHED;
3217 					rval = 1;
3218 					break;
3219 				default :
3220 					break;
3221 				}
3222 			}
3223 			/*
3224 			 * TODO: besides regular ACK packets we can have other
3225 			 * packets as well; it is yet to be determined how we
3226 			 * should initialize the states in those cases
3227 			 */
3228 			break;
3229 
3230 		case IPF_TCPS_LISTEN: /* 1 */
3231 			/* NOT USED */
3232 			break;
3233 
3234 		case IPF_TCPS_SYN_SENT: /* 2 */
3235 			if ((tcpflags & ~(TH_ECN|TH_CWR)) == TH_SYN) {
3236 				/*
3237 				 * A retransmitted SYN packet.  We do not reset
3238 				 * the timeout here to fr_tcptimeout because a
3239 				 * connection connect timeout does not renew
3240 				 * after every packet that is sent.  We need to
3241 				 * set rval so as to indicate the packet has
3242 				 * passed the check for its flags being valid
3243 				 * in the TCP FSM.  Setting rval to 2 has the
3244 				 * result of not resetting the timeout.
3245 				 */
3246 				rval = 2;
3247 			} else if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) ==
3248 				   TH_ACK) {
3249 				/*
3250 				 * we see an A from 'dir' which is in SYN_SENT
3251 				 * state: 'dir' sent an A in response to an SA
3252 				 * which it received, SYN_SENT -> ESTABLISHED
3253 				 */
3254 				nstate = IPF_TCPS_ESTABLISHED;
3255 				rval = 1;
3256 			} else if (tcpflags & TH_FIN) {
3257 				/*
3258 				 * we see an F from 'dir' which is in SYN_SENT
3259 				 * state and wants to close its side of the
3260 				 * connection; SYN_SENT -> FIN_WAIT_1
3261 				 */
3262 				nstate = IPF_TCPS_FIN_WAIT_1;
3263 				rval = 1;
3264 			} else if ((tcpflags & TH_OPENING) == TH_OPENING) {
3265 				/*
3266 				 * we see an SA from 'dir' which is already in
3267 				 * SYN_SENT state, this means we have a
3268 				 * simultaneous open; SYN_SENT -> SYN_RECEIVED
3269 				 */
3270 				nstate = IPF_TCPS_SYN_RECEIVED;
3271 				rval = 1;
3272 			}
3273 			break;
3274 
3275 		case IPF_TCPS_SYN_RECEIVED: /* 3 */
3276 			if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
3277 				/*
3278 				 * we see an A from 'dir' which was in
3279 				 * SYN_RECEIVED state so it must now be in
3280 				 * established state, SYN_RECEIVED ->
3281 				 * ESTABLISHED
3282 				 */
3283 				nstate = IPF_TCPS_ESTABLISHED;
3284 				rval = 1;
3285 			} else if ((tcpflags & ~(TH_ECN|TH_CWR)) ==
3286 				   TH_OPENING) {
3287 				/*
3288 				 * We see an SA from 'dir' which is already in
3289 				 * SYN_RECEIVED state.
3290 				 */
3291 				rval = 2;
3292 			} else if (tcpflags & TH_FIN) {
3293 				/*
3294 				 * we see an F from 'dir' which is in
3295 				 * SYN_RECEIVED state and wants to close its
3296 				 * side of the connection; SYN_RECEIVED ->
3297 				 * FIN_WAIT_1
3298 				 */
3299 				nstate = IPF_TCPS_FIN_WAIT_1;
3300 				rval = 1;
3301 			}
3302 			break;
3303 
3304 		case IPF_TCPS_HALF_ESTAB: /* 4 */
3305 			if (ostate >= IPF_TCPS_HALF_ESTAB) {
3306 				if ((tcpflags & TH_ACKMASK) == TH_ACK) {
3307 					nstate = IPF_TCPS_ESTABLISHED;
3308 					rval = 1;
3309 				}
3310 			}
3311 
3312 			break;
3313 
3314 		case IPF_TCPS_ESTABLISHED: /* 5 */
3315 			rval = 1;
3316 			if (tcpflags & TH_FIN) {
3317 				/*
3318 				 * 'dir' closed its side of the connection;
3319 				 * this gives us a half-closed connection;
3320 				 * ESTABLISHED -> FIN_WAIT_1
3321 				 */
3322 				nstate = IPF_TCPS_FIN_WAIT_1;
3323 			} else if (tcpflags & TH_ACK) {
3324 				/*
3325 				 * an ACK, should we exclude other flags here?
3326 				 */
3327 				if (ostate == IPF_TCPS_FIN_WAIT_1) {
3328 					/*
3329 					 * We know the other side did an active
3330 					 * close, so we are ACKing the recvd
3331 					 * FIN packet (does the window matching
3332 					 * code guarantee this?) and go into
3333 					 * CLOSE_WAIT state; this gives us a
3334 					 * half-closed connection
3335 					 */
3336 					nstate = IPF_TCPS_CLOSE_WAIT;
3337 				} else if (ostate < IPF_TCPS_CLOSE_WAIT) {
3338 					/*
3339 					 * still a fully established
3340 					 * connection reset timeout
3341 					 */
3342 					nstate = IPF_TCPS_ESTABLISHED;
3343 				}
3344 			}
3345 			break;
3346 
3347 		case IPF_TCPS_CLOSE_WAIT: /* 6 */
3348 			rval = 1;
3349 			if (tcpflags & TH_FIN) {
3350 				/*
3351 				 * application closed and 'dir' sent a FIN,
3352 				 * we're now going into LAST_ACK state
3353 				 */
3354 				nstate = IPF_TCPS_LAST_ACK;
3355 			} else {
3356 				/*
3357 				 * we remain in CLOSE_WAIT because the other
3358 				 * side has closed already and we did not
3359 				 * close our side yet; reset timeout
3360 				 */
3361 				nstate = IPF_TCPS_CLOSE_WAIT;
3362 			}
3363 			break;
3364 
3365 		case IPF_TCPS_FIN_WAIT_1: /* 7 */
3366 			rval = 1;
3367 			if ((tcpflags & TH_ACK) &&
3368 			    ostate > IPF_TCPS_CLOSE_WAIT) {
3369 				/*
3370 				 * if the other side is not active anymore
3371 				 * it has sent us a FIN packet that we are
3372 				 * ack'ing now with an ACK; this means both
3373 				 * sides have now closed the connection and
3374 				 * we go into TIME_WAIT
3375 				 */
3376 				/*
3377 				 * XXX: how do we know we really are ACKing
3378 				 * the FIN packet here? does the window code
3379 				 * guarantee that?
3380 				 */
3381 				nstate = IPF_TCPS_TIME_WAIT;
3382 			} else {
3383 				/*
3384 				 * we closed our side of the connection
3385 				 * already but the other side is still active
3386 				 * (ESTABLISHED/CLOSE_WAIT); continue with
3387 				 * this half-closed connection
3388 				 */
3389 				nstate = IPF_TCPS_FIN_WAIT_1;
3390 			}
3391 			break;
3392 
3393 		case IPF_TCPS_CLOSING: /* 8 */
3394 			/* NOT USED */
3395 			break;
3396 
3397 		case IPF_TCPS_LAST_ACK: /* 9 */
3398 			if (tcpflags & TH_ACK) {
3399 				if ((tcpflags & TH_PUSH) || dlen)
3400 					/*
3401 					 * there is still data to be delivered,
3402 					 * reset timeout
3403 					 */
3404 					rval = 1;
3405 				else
3406 					rval = 2;
3407 			}
3408 			/*
3409 			 * we cannot detect when we go out of LAST_ACK state to
3410 			 * CLOSED because that is based on the reception of ACK
3411 			 * packets; ipfilter can only detect that a packet
3412 			 * has been sent by a host
3413 			 */
3414 			break;
3415 
3416 		case IPF_TCPS_FIN_WAIT_2: /* 10 */
3417 			rval = 1;
3418 			if ((tcpflags & TH_OPENING) == TH_OPENING)
3419 				nstate = IPF_TCPS_SYN_RECEIVED;
3420 			else if (tcpflags & TH_SYN)
3421 				nstate = IPF_TCPS_SYN_SENT;
3422 			break;
3423 
3424 		case IPF_TCPS_TIME_WAIT: /* 11 */
3425 			/* we're in 2MSL timeout now */
3426 			rval = 1;
3427 			break;
3428 
3429 		default :
3430 #if defined(_KERNEL)
3431 # if SOLARIS
3432 			cmn_err(CE_NOTE,
3433 				"tcp %lx flags %x si %lx nstate %d ostate %d\n",
3434 				(u_long)tcp, tcpflags, (u_long)tqe,
3435 				nstate, ostate);
3436 # else
3437 			printf("tcp %lx flags %x si %lx nstate %d ostate %d\n",
3438 				(u_long)tcp, tcpflags, (u_long)tqe,
3439 				nstate, ostate);
3440 # endif
3441 #else
3442 			abort();
3443 #endif
3444 			break;
3445 		}
3446 	}
3447 
3448 	/*
3449 	 * If rval == 2 then do not update the queue position, but treat the
3450 	 * packet as being ok.
3451 	 */
3452 	if (rval == 2)
3453 		rval = 1;
3454 	else if (rval == 1) {
3455 		tqe->tqe_state[dir] = nstate;
3456 		if ((tqe->tqe_flags & TQE_RULEBASED) == 0)
3457 			fr_movequeue(tqe, tqe->tqe_ifq, tqtab + nstate, ifs);
3458 	}
3459 
3460 	return rval;
3461 }
3462 
3463 
3464 /* ------------------------------------------------------------------------ */
3465 /* Function:    ipstate_log                                                 */
3466 /* Returns:     Nil                                                         */
3467 /* Parameters:  is(I)   - pointer to state structure                        */
3468 /*              type(I) - type of log entry to create                       */
3469 /*                                                                          */
3470 /* Creates a state table log entry using the state structure and type info. */
3471 /* passed in.  Log packet/byte counts, source/destination address and other */
3472 /* protocol specific information.                                           */
3473 /* ------------------------------------------------------------------------ */
3474 void ipstate_log(is, type, ifs)
3475 struct ipstate *is;
3476 u_int type;
3477 ipf_stack_t *ifs;
3478 {
3479 #ifdef	IPFILTER_LOG
3480 	struct	ipslog	ipsl;
3481 	size_t sizes[1];
3482 	void *items[1];
3483 	int types[1];
3484 
3485 	/*
3486 	 * Copy information out of the ipstate_t structure and into the
3487 	 * structure used for logging.
3488 	 */
3489 	ipsl.isl_type = type;
3490 	ipsl.isl_pkts[0] = is->is_pkts[0] + is->is_icmppkts[0];
3491 	ipsl.isl_bytes[0] = is->is_bytes[0];
3492 	ipsl.isl_pkts[1] = is->is_pkts[1] + is->is_icmppkts[1];
3493 	ipsl.isl_bytes[1] = is->is_bytes[1];
3494 	ipsl.isl_pkts[2] = is->is_pkts[2] + is->is_icmppkts[2];
3495 	ipsl.isl_bytes[2] = is->is_bytes[2];
3496 	ipsl.isl_pkts[3] = is->is_pkts[3] + is->is_icmppkts[3];
3497 	ipsl.isl_bytes[3] = is->is_bytes[3];
3498 	ipsl.isl_src = is->is_src;
3499 	ipsl.isl_dst = is->is_dst;
3500 	ipsl.isl_p = is->is_p;
3501 	ipsl.isl_v = is->is_v;
3502 	ipsl.isl_flags = is->is_flags;
3503 	ipsl.isl_tag = is->is_tag;
3504 	ipsl.isl_rulen = is->is_rulen;
3505 	(void) strncpy(ipsl.isl_group, is->is_group, FR_GROUPLEN);
3506 
3507 	if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
3508 		ipsl.isl_sport = is->is_sport;
3509 		ipsl.isl_dport = is->is_dport;
3510 		if (ipsl.isl_p == IPPROTO_TCP) {
3511 			ipsl.isl_state[0] = is->is_state[0];
3512 			ipsl.isl_state[1] = is->is_state[1];
3513 		}
3514 	} else if (ipsl.isl_p == IPPROTO_ICMP) {
3515 		ipsl.isl_itype = is->is_icmp.ici_type;
3516 	} else if (ipsl.isl_p == IPPROTO_ICMPV6) {
3517 		ipsl.isl_itype = is->is_icmp.ici_type;
3518 	} else {
3519 		ipsl.isl_ps.isl_filler[0] = 0;
3520 		ipsl.isl_ps.isl_filler[1] = 0;
3521 	}
3522 
3523 	items[0] = &ipsl;
3524 	sizes[0] = sizeof(ipsl);
3525 	types[0] = 0;
3526 
3527 	if (ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1, ifs)) {
3528 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_logged);
3529 	} else {
3530 		ATOMIC_INCL(ifs->ifs_ips_stats.iss_logfail);
3531 	}
3532 #endif
3533 }
3534 
3535 
3536 #ifdef	USE_INET6
3537 /* ------------------------------------------------------------------------ */
3538 /* Function:    fr_checkicmp6matchingstate                                  */
3539 /* Returns:     ipstate_t* - NULL == no match found,                        */
3540 /*                           else  pointer to matching state entry          */
3541 /* Parameters:  fin(I) - pointer to packet information                      */
3542 /* Locks:       NULL == no locks, else Read Lock on ipf_state               */
3543 /*                                                                          */
3544 /* If we've got an ICMPv6 error message, using the information stored in    */
3545 /* the ICMPv6 packet, look for a matching state table entry.                */
3546 /* ------------------------------------------------------------------------ */
3547 static ipstate_t *fr_checkicmp6matchingstate(fin)
3548 fr_info_t *fin;
3549 {
3550 	struct icmp6_hdr *ic6, *oic;
3551 	int backward, i;
3552 	ipstate_t *is, **isp;
3553 	u_short sport, dport;
3554 	i6addr_t dst, src;
3555 	u_short savelen;
3556 	icmpinfo_t *ic;
3557 	fr_info_t ofin;
3558 	tcphdr_t *tcp;
3559 	ip6_t *oip6;
3560 	u_char	pr;
3561 	u_int hv;
3562 	ipf_stack_t *ifs = fin->fin_ifs;
3563 
3564 	/*
3565 	 * Does it at least have the return (basic) IP header ?
3566 	 * Is it an actual recognised ICMP error type?
3567 	 * Only a basic IP header (no options) should be with
3568 	 * an ICMP error header.
3569 	 */
3570 	if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN) ||
3571 	    !(fin->fin_flx & FI_ICMPERR))
3572 		return NULL;
3573 
3574 	ic6 = fin->fin_dp;
3575 
3576 	oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);
3577 	if (fin->fin_plen < sizeof(*oip6))
3578 		return NULL;
3579 
3580 	bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
3581 	ofin.fin_v = 6;
3582 	ofin.fin_ifp = fin->fin_ifp;
3583 	ofin.fin_out = !fin->fin_out;
3584 	ofin.fin_m = NULL;	/* if dereferenced, panic XXX */
3585 	ofin.fin_mp = NULL;	/* if dereferenced, panic XXX */
3586 
3587 	/*
3588 	 * We make a fin entry to be able to feed it to
3589 	 * matchsrcdst. Note that not all fields are necessary
3590 	 * but this is the cleanest way. Note further we fill
3591 	 * in fin_mp such that if someone uses it we'll get
3592 	 * a kernel panic. fr_matchsrcdst does not use this.
3593 	 *
3594 	 * watch out here, as ip is in host order and oip6 in network
3595 	 * order. Any change we make must be undone afterwards.
3596 	 */
3597 	savelen = oip6->ip6_plen;
3598 	oip6->ip6_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
3599 	ofin.fin_flx = FI_NOCKSUM;
3600 	ofin.fin_ip = (ip_t *)oip6;
3601 	ofin.fin_plen = oip6->ip6_plen;
3602 	(void) fr_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);
3603 	ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
3604 	oip6->ip6_plen = savelen;
3605 
3606 	if (oip6->ip6_nxt == IPPROTO_ICMPV6) {
3607 		oic = (struct icmp6_hdr *)(oip6 + 1);
3608 		/*
3609 		 * an ICMP error can only be generated as a result of an
3610 		 * ICMP query, not as the response on an ICMP error
3611 		 *
3612 		 * XXX theoretically ICMP_ECHOREP and the other reply's are
3613 		 * ICMP query's as well, but adding them here seems strange XXX
3614 		 */
3615 		 if (!(oic->icmp6_type & ICMP6_INFOMSG_MASK))
3616 		    	return NULL;
3617 
3618 		/*
3619 		 * perform a lookup of the ICMP packet in the state table
3620 		 */
3621 		hv = (pr = oip6->ip6_nxt);
3622 		src.in6 = oip6->ip6_src;
3623 		hv += src.in4.s_addr;
3624 		dst.in6 = oip6->ip6_dst;
3625 		hv += dst.in4.s_addr;
3626 		hv += oic->icmp6_id;
3627 		hv += oic->icmp6_seq;
3628 		hv = DOUBLE_HASH(hv, ifs);
3629 
3630 		READ_ENTER(&ifs->ifs_ipf_state);
3631 		for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
3632 			ic = &is->is_icmp;
3633 			isp = &is->is_hnext;
3634 			if ((is->is_p == pr) &&
3635 			    !(is->is_pass & FR_NOICMPERR) &&
3636 			    (oic->icmp6_id == ic->ici_id) &&
3637 			    (oic->icmp6_seq == ic->ici_seq) &&
3638 			    (is = fr_matchsrcdst(&ofin, is, &src,
3639 						 &dst, NULL, FI_ICMPCMP))) {
3640 			    	/*
3641 			    	 * in the state table ICMP query's are stored
3642 			    	 * with the type of the corresponding ICMP
3643 			    	 * response. Correct here
3644 			    	 */
3645 				if (((ic->ici_type == ICMP6_ECHO_REPLY) &&
3646 				     (oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
3647 				     (ic->ici_type - 1 == oic->icmp6_type )) {
3648 				    	ifs->ifs_ips_stats.iss_hits++;
3649 					backward = IP6_NEQ(&is->is_dst, &src);
3650 					fin->fin_rev = !backward;
3651 					i = (backward << 1) + fin->fin_out;
3652     					is->is_icmppkts[i]++;
3653 					return is;
3654 				}
3655 			}
3656 		}
3657 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
3658 		return NULL;
3659 	}
3660 
3661 	hv = (pr = oip6->ip6_nxt);
3662 	src.in6 = oip6->ip6_src;
3663 	hv += src.i6[0];
3664 	hv += src.i6[1];
3665 	hv += src.i6[2];
3666 	hv += src.i6[3];
3667 	dst.in6 = oip6->ip6_dst;
3668 	hv += dst.i6[0];
3669 	hv += dst.i6[1];
3670 	hv += dst.i6[2];
3671 	hv += dst.i6[3];
3672 
3673 	if ((oip6->ip6_nxt == IPPROTO_TCP) || (oip6->ip6_nxt == IPPROTO_UDP)) {
3674 		tcp = (tcphdr_t *)(oip6 + 1);
3675 		dport = tcp->th_dport;
3676 		sport = tcp->th_sport;
3677 		hv += dport;
3678 		hv += sport;
3679 	} else
3680 		tcp = NULL;
3681 	hv = DOUBLE_HASH(hv, ifs);
3682 
3683 	READ_ENTER(&ifs->ifs_ipf_state);
3684 	for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
3685 		isp = &is->is_hnext;
3686 		/*
3687 		 * Only allow this icmp though if the
3688 		 * encapsulated packet was allowed through the
3689 		 * other way around. Note that the minimal amount
3690 		 * of info present does not allow for checking against
3691 		 * tcp internals such as seq and ack numbers.
3692 		 */
3693 		if ((is->is_p != pr) || (is->is_v != 6) ||
3694 		    (is->is_pass & FR_NOICMPERR))
3695 			continue;
3696 		is = fr_matchsrcdst(&ofin, is, &src, &dst, tcp, FI_ICMPCMP);
3697 		if (is != NULL) {
3698 			ifs->ifs_ips_stats.iss_hits++;
3699 			backward = IP6_NEQ(&is->is_dst, &src);
3700 			fin->fin_rev = !backward;
3701 			i = (backward << 1) + fin->fin_out;
3702 			is->is_icmppkts[i]++;
3703 			/*
3704 			 * we deliberately do not touch the timeouts
3705 			 * for the accompanying state table entry.
3706 			 * It remains to be seen if that is correct. XXX
3707 			 */
3708 			return is;
3709 		}
3710 	}
3711 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
3712 	return NULL;
3713 }
3714 #endif
3715 
3716 
3717 /* ------------------------------------------------------------------------ */
3718 /* Function:    fr_sttab_init                                               */
3719 /* Returns:     Nil                                                         */
3720 /* Parameters:  tqp(I) - pointer to an array of timeout queues for TCP      */
3721 /*                                                                          */
3722 /* Initialise the array of timeout queues for TCP.                          */
3723 /* ------------------------------------------------------------------------ */
3724 void fr_sttab_init(tqp, ifs)
3725 ipftq_t *tqp;
3726 ipf_stack_t *ifs;
3727 {
3728 	int i;
3729 
3730 	for (i = IPF_TCP_NSTATES - 1; i >= 0; i--) {
3731 		tqp[i].ifq_ttl = 0;
3732 		tqp[i].ifq_ref = 1;
3733 		tqp[i].ifq_head = NULL;
3734 		tqp[i].ifq_tail = &tqp[i].ifq_head;
3735 		tqp[i].ifq_next = tqp + i + 1;
3736 		MUTEX_INIT(&tqp[i].ifq_lock, "ipftq tcp tab");
3737 	}
3738 	tqp[IPF_TCP_NSTATES - 1].ifq_next = NULL;
3739 	tqp[IPF_TCPS_CLOSED].ifq_ttl = ifs->ifs_fr_tcpclosed;
3740 	tqp[IPF_TCPS_LISTEN].ifq_ttl = ifs->ifs_fr_tcptimeout;
3741 	tqp[IPF_TCPS_SYN_SENT].ifq_ttl = ifs->ifs_fr_tcptimeout;
3742 	tqp[IPF_TCPS_SYN_RECEIVED].ifq_ttl = ifs->ifs_fr_tcptimeout;
3743 	tqp[IPF_TCPS_ESTABLISHED].ifq_ttl = ifs->ifs_fr_tcpidletimeout;
3744 	tqp[IPF_TCPS_CLOSE_WAIT].ifq_ttl = ifs->ifs_fr_tcphalfclosed;
3745 	tqp[IPF_TCPS_FIN_WAIT_1].ifq_ttl = ifs->ifs_fr_tcphalfclosed;
3746 	tqp[IPF_TCPS_CLOSING].ifq_ttl = ifs->ifs_fr_tcptimeout;
3747 	tqp[IPF_TCPS_LAST_ACK].ifq_ttl = ifs->ifs_fr_tcplastack;
3748 	tqp[IPF_TCPS_FIN_WAIT_2].ifq_ttl = ifs->ifs_fr_tcpclosewait;
3749 	tqp[IPF_TCPS_TIME_WAIT].ifq_ttl = ifs->ifs_fr_tcptimeout;
3750 	tqp[IPF_TCPS_HALF_ESTAB].ifq_ttl = ifs->ifs_fr_tcptimeout;
3751 }
3752 
3753 
3754 /* ------------------------------------------------------------------------ */
3755 /* Function:    fr_sttab_destroy                                            */
3756 /* Returns:     Nil                                                         */
3757 /* Parameters:  tqp(I) - pointer to an array of timeout queues for TCP      */
3758 /*                                                                          */
3759 /* Do whatever is necessary to "destroy" each of the entries in the array   */
3760 /* of timeout queues for TCP.                                               */
3761 /* ------------------------------------------------------------------------ */
3762 void fr_sttab_destroy(tqp)
3763 ipftq_t *tqp;
3764 {
3765 	int i;
3766 
3767 	for (i = IPF_TCP_NSTATES - 1; i >= 0; i--)
3768 		MUTEX_DESTROY(&tqp[i].ifq_lock);
3769 }
3770 
3771 
3772 /* ------------------------------------------------------------------------ */
3773 /* Function:    fr_statederef                                               */
3774 /* Returns:     Nil                                                         */
3775 /* Parameters:  isp(I) - pointer to pointer to state table entry            */
3776 /*              ifs - ipf stack instance                                    */
3777 /*                                                                          */
3778 /* Decrement the reference counter for this state table entry and free it   */
3779 /* if there are no more things using it.                                    */
3780 /*                                                                          */
3781 /* Internal parameters:                                                     */
3782 /*    state[0] = state of source (host that initiated connection)           */
3783 /*    state[1] = state of dest   (host that accepted the connection)        */
3784 /* ------------------------------------------------------------------------ */
3785 void fr_statederef(isp, ifs)
3786 ipstate_t **isp;
3787 ipf_stack_t *ifs;
3788 {
3789 	ipstate_t *is;
3790 
3791 	is = *isp;
3792 	*isp = NULL;
3793 
3794 	MUTEX_ENTER(&is->is_lock);
3795 	if (is->is_ref > 1) {
3796 		is->is_ref--;
3797 		MUTEX_EXIT(&is->is_lock);
3798 #ifndef	_KERNEL
3799 		if ((is->is_sti.tqe_state[0] > IPF_TCPS_ESTABLISHED) ||
3800 		   (is->is_sti.tqe_state[1] > IPF_TCPS_ESTABLISHED)) {
3801 			fr_delstate(is, ISL_ORPHAN, ifs);
3802 		}
3803 #endif
3804 		return;
3805 	}
3806 	MUTEX_EXIT(&is->is_lock);
3807 
3808 	WRITE_ENTER(&ifs->ifs_ipf_state);
3809 	fr_delstate(is, ISL_EXPIRE, ifs);
3810 	RWLOCK_EXIT(&ifs->ifs_ipf_state);
3811 }
3812 
3813 
3814 /* ------------------------------------------------------------------------ */
3815 /* Function:    fr_setstatequeue                                            */
3816 /* Returns:     Nil                                                         */
3817 /* Parameters:  is(I) - pointer to state structure                          */
3818 /*              rev(I) - forward(0) or reverse(1) direction                 */
3819 /* Locks:       ipf_state (read or write)                                   */
3820 /*                                                                          */
3821 /* Put the state entry on its default queue entry, using rev as a helped in */
3822 /* determining which queue it should be placed on.                          */
3823 /* ------------------------------------------------------------------------ */
3824 void fr_setstatequeue(is, rev, ifs)
3825 ipstate_t *is;
3826 int rev;
3827 ipf_stack_t *ifs;
3828 {
3829 	ipftq_t *oifq, *nifq;
3830 
3831 
3832 	if ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0)
3833 		nifq = is->is_tqehead[rev];
3834 	else
3835 		nifq = NULL;
3836 
3837 	if (nifq == NULL) {
3838 		switch (is->is_p)
3839 		{
3840 #ifdef USE_INET6
3841 		case IPPROTO_ICMPV6 :
3842 			if (rev == 1)
3843 				nifq = &ifs->ifs_ips_icmpacktq;
3844 			else
3845 				nifq = &ifs->ifs_ips_icmptq;
3846 			break;
3847 #endif
3848 		case IPPROTO_ICMP :
3849 			if (rev == 1)
3850 				nifq = &ifs->ifs_ips_icmpacktq;
3851 			else
3852 				nifq = &ifs->ifs_ips_icmptq;
3853 			break;
3854 		case IPPROTO_TCP :
3855 			nifq = ifs->ifs_ips_tqtqb + is->is_state[rev];
3856 			break;
3857 
3858 		case IPPROTO_UDP :
3859 			if (rev == 1)
3860 				nifq = &ifs->ifs_ips_udpacktq;
3861 			else
3862 				nifq = &ifs->ifs_ips_udptq;
3863 			break;
3864 
3865 		default :
3866 			nifq = &ifs->ifs_ips_iptq;
3867 			break;
3868 		}
3869 	}
3870 
3871 	oifq = is->is_sti.tqe_ifq;
3872 	/*
3873 	 * If it's currently on a timeout queue, move it from one queue to
3874 	 * another, else put it on the end of the newly determined queue.
3875 	 */
3876 	if (oifq != NULL)
3877 		fr_movequeue(&is->is_sti, oifq, nifq, ifs);
3878 	else
3879 		fr_queueappend(&is->is_sti, nifq, is, ifs);
3880 	return;
3881 }
3882 
3883 
3884 /* ------------------------------------------------------------------------ */
3885 /* Function:    fr_stateiter                                                */
3886 /* Returns:     int - 0 == success, else error                              */
3887 /* Parameters:  token(I) - pointer to ipftoken structure                    */
3888 /*              itp(I)   - pointer to ipfgeniter structure                  */
3889 /*                                                                          */
3890 /* This function handles the SIOCGENITER ioctl for the state tables and     */
3891 /* walks through the list of entries in the state table list (ips_list.)    */
3892 /* ------------------------------------------------------------------------ */
3893 static int fr_stateiter(token, itp, ifs)
3894 ipftoken_t *token;
3895 ipfgeniter_t *itp;
3896 ipf_stack_t *ifs;
3897 {
3898 	ipstate_t *is, *next, zero;
3899 	int error, count;
3900 	char *dst;
3901 
3902 	if (itp->igi_data == NULL)
3903 		return EFAULT;
3904 
3905 	if (itp->igi_nitems == 0)
3906 		return EINVAL;
3907 
3908 	if (itp->igi_type != IPFGENITER_STATE)
3909 		return EINVAL;
3910 
3911 	is = token->ipt_data;
3912 	if (is == (void *)-1) {
3913 		ipf_freetoken(token, ifs);
3914 		return ESRCH;
3915 	}
3916 
3917 	error = 0;
3918 	dst = itp->igi_data;
3919 
3920 	READ_ENTER(&ifs->ifs_ipf_state);
3921 	if (is == NULL) {
3922 		next = ifs->ifs_ips_list;
3923 	} else {
3924 		next = is->is_next;
3925 	}
3926 
3927 	for (count = itp->igi_nitems; count > 0; count--) {
3928 		if (next != NULL) {
3929 			/*
3930 			 * If we find a state entry to use, bump its
3931 			 * reference count so that it can be used for
3932 			 * is_next when we come back.
3933 			 */
3934 			MUTEX_ENTER(&next->is_lock);
3935 			next->is_ref++;
3936 			MUTEX_EXIT(&next->is_lock);
3937 			token->ipt_data = next;
3938 		} else {
3939 			bzero(&zero, sizeof(zero));
3940 			next = &zero;
3941 			token->ipt_data = (void *)-1;
3942 			count = 1;
3943 		}
3944 		RWLOCK_EXIT(&ifs->ifs_ipf_state);
3945 
3946 		/*
3947 		 * If we had a prior pointer to a state entry, release it.
3948 		 */
3949 		if (is != NULL) {
3950 			fr_statederef(&is, ifs);
3951 		}
3952 
3953 		/*
3954 		 * This should arguably be via fr_outobj() so that the state
3955 		 * structure can (if required) be massaged going out.
3956 		 */
3957 		error = COPYOUT(next, dst, sizeof(*next));
3958 		if (error != 0)
3959 			error = EFAULT;
3960 		if ((count == 1) || (error != 0))
3961 			break;
3962 
3963 		dst += sizeof(*next);
3964 		READ_ENTER(&ifs->ifs_ipf_state);
3965 		is = next;
3966 		next = is->is_next;
3967 	}
3968 
3969 	return error;
3970 }
3971