]> git.saurik.com Git - apple/xnu.git/blob - bsd/net/pf.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-4903.270.47.tar.gz
[apple/xnu.git] / bsd / net / pf.c
1 /*
2 * Copyright (c) 2007-2018 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $apfw: git commit 6602420f2f101b74305cd78f7cd9e0c8fdedae97 $ */
30 /* $OpenBSD: pf.c,v 1.567 2008/02/20 23:40:13 henning Exp $ */
31
32 /*
33 * Copyright (c) 2001 Daniel Hartmeier
34 * Copyright (c) 2002 - 2013 Henning Brauer
35 * NAT64 - Copyright (c) 2010 Viagenie Inc. (http://www.viagenie.ca)
36 * All rights reserved.
37 *
38 * Redistribution and use in source and binary forms, with or without
39 * modification, are permitted provided that the following conditions
40 * are met:
41 *
42 * - Redistributions of source code must retain the above copyright
43 * notice, this list of conditions and the following disclaimer.
44 * - Redistributions in binary form must reproduce the above
45 * copyright notice, this list of conditions and the following
46 * disclaimer in the documentation and/or other materials provided
47 * with the distribution.
48 *
49 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
50 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
51 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
52 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
53 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
54 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
55 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
56 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
57 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
58 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
59 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
60 * POSSIBILITY OF SUCH DAMAGE.
61 *
62 * Effort sponsored in part by the Defense Advanced Research Projects
63 * Agency (DARPA) and Air Force Research Laboratory, Air Force
64 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
65 *
66 */
67
68 #include <machine/endian.h>
69 #include <sys/param.h>
70 #include <sys/systm.h>
71 #include <sys/filio.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/kernel.h>
75 #include <sys/time.h>
76 #include <sys/proc.h>
77 #include <sys/random.h>
78 #include <sys/mcache.h>
79 #include <sys/protosw.h>
80
81 #include <libkern/crypto/md5.h>
82 #include <libkern/libkern.h>
83
84 #include <mach/thread_act.h>
85
86 #include <net/if.h>
87 #include <net/if_types.h>
88 #include <net/bpf.h>
89 #include <net/route.h>
90 #include <net/dlil.h>
91
92 #include <netinet/in.h>
93 #include <netinet/in_var.h>
94 #include <netinet/in_systm.h>
95 #include <netinet/ip.h>
96 #include <netinet/ip_var.h>
97 #include <netinet/tcp.h>
98 #include <netinet/tcp_seq.h>
99 #include <netinet/udp.h>
100 #include <netinet/ip_icmp.h>
101 #include <netinet/in_pcb.h>
102 #include <netinet/tcp_timer.h>
103 #include <netinet/tcp_var.h>
104 #include <netinet/tcp_fsm.h>
105 #include <netinet/udp_var.h>
106 #include <netinet/icmp_var.h>
107 #include <net/if_ether.h>
108 #include <net/ethernet.h>
109 #include <net/flowhash.h>
110 #include <net/nat464_utils.h>
111 #include <net/pfvar.h>
112 #include <net/if_pflog.h>
113
114 #if NPFSYNC
115 #include <net/if_pfsync.h>
116 #endif /* NPFSYNC */
117
118 #if INET6
119 #include <netinet/ip6.h>
120 #include <netinet6/in6_pcb.h>
121 #include <netinet6/ip6_var.h>
122 #include <netinet/icmp6.h>
123 #include <netinet6/nd6.h>
124 #endif /* INET6 */
125
126 #if DUMMYNET
127 #include <netinet/ip_dummynet.h>
128 #endif /* DUMMYNET */
129
130 /*
131 * For RandomULong(), to get a 32 bits random value
132 * Note that random() returns a 31 bits value, see rdar://11159750
133 */
134 #include <dev/random/randomdev.h>
135
136 #define DPFPRINTF(n, x) (pf_status.debug >= (n) ? printf x : ((void)0))
137
138 /*
139 * On Mac OS X, the rtableid value is treated as the interface scope
140 * value that is equivalent to the interface index used for scoped
141 * routing. A valid scope value is anything but IFSCOPE_NONE (0),
142 * as per definition of ifindex which is a positive, non-zero number.
143 * The other BSDs treat a negative rtableid value as invalid, hence
144 * the test against INT_MAX to handle userland apps which initialize
145 * the field with a negative number.
146 */
147 #define PF_RTABLEID_IS_VALID(r) \
148 ((r) > IFSCOPE_NONE && (r) <= INT_MAX)
149
150 /*
151 * Global variables
152 */
153 decl_lck_mtx_data(, pf_lock_data);
154 decl_lck_rw_data(, pf_perim_lock_data);
155 lck_mtx_t *pf_lock = &pf_lock_data;
156 lck_rw_t *pf_perim_lock = &pf_perim_lock_data;
157
158 /* state tables */
159 struct pf_state_tree_lan_ext pf_statetbl_lan_ext;
160 struct pf_state_tree_ext_gwy pf_statetbl_ext_gwy;
161
162 struct pf_palist pf_pabuf;
163 struct pf_status pf_status;
164
165 u_int32_t ticket_pabuf;
166
167 static MD5_CTX pf_tcp_secret_ctx;
168 static u_char pf_tcp_secret[16];
169 static int pf_tcp_secret_init;
170 static int pf_tcp_iss_off;
171
172 static struct pf_anchor_stackframe {
173 struct pf_ruleset *rs;
174 struct pf_rule *r;
175 struct pf_anchor_node *parent;
176 struct pf_anchor *child;
177 } pf_anchor_stack[64];
178
179 struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl;
180 struct pool pf_state_pl, pf_state_key_pl;
181
182 typedef void (*hook_fn_t)(void *);
183
184 struct hook_desc {
185 TAILQ_ENTRY(hook_desc) hd_list;
186 hook_fn_t hd_fn;
187 void *hd_arg;
188 };
189
190 #define HOOK_REMOVE 0x01
191 #define HOOK_FREE 0x02
192 #define HOOK_ABORT 0x04
193
194 static void *hook_establish(struct hook_desc_head *, int,
195 hook_fn_t, void *);
196 static void hook_runloop(struct hook_desc_head *, int flags);
197
198 struct pool pf_app_state_pl;
199 static void pf_print_addr(struct pf_addr *addr, sa_family_t af);
200 static void pf_print_sk_host(struct pf_state_host *, u_int8_t, int,
201 u_int8_t);
202
203 static void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
204
205 static void pf_init_threshold(struct pf_threshold *, u_int32_t,
206 u_int32_t);
207 static void pf_add_threshold(struct pf_threshold *);
208 static int pf_check_threshold(struct pf_threshold *);
209
210 static void pf_change_ap(int, pbuf_t *, struct pf_addr *,
211 u_int16_t *, u_int16_t *, u_int16_t *,
212 struct pf_addr *, u_int16_t, u_int8_t, sa_family_t,
213 sa_family_t, int);
214 static int pf_modulate_sack(pbuf_t *, int, struct pf_pdesc *,
215 struct tcphdr *, struct pf_state_peer *);
216 #if INET6
217 static void pf_change_a6(struct pf_addr *, u_int16_t *,
218 struct pf_addr *, u_int8_t);
219 void pf_change_addr(struct pf_addr *a, u_int16_t *c,
220 struct pf_addr *an, u_int8_t u,
221 sa_family_t af, sa_family_t afn);
222 #endif /* INET6 */
223 static void pf_change_icmp(struct pf_addr *, u_int16_t *,
224 struct pf_addr *, struct pf_addr *, u_int16_t,
225 u_int16_t *, u_int16_t *, u_int16_t *,
226 u_int16_t *, u_int8_t, sa_family_t);
227 static void pf_send_tcp(const struct pf_rule *, sa_family_t,
228 const struct pf_addr *, const struct pf_addr *,
229 u_int16_t, u_int16_t, u_int32_t, u_int32_t,
230 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
231 u_int16_t, struct ether_header *, struct ifnet *);
232 static void pf_send_icmp(pbuf_t *, u_int8_t, u_int8_t,
233 sa_family_t, struct pf_rule *);
234 static struct pf_rule *pf_match_translation(struct pf_pdesc *, pbuf_t *,
235 int, int, struct pfi_kif *, struct pf_addr *,
236 union pf_state_xport *, struct pf_addr *,
237 union pf_state_xport *, int);
238 static struct pf_rule *pf_get_translation_aux(struct pf_pdesc *,
239 pbuf_t *, int, int, struct pfi_kif *,
240 struct pf_src_node **, struct pf_addr *,
241 union pf_state_xport *, struct pf_addr *,
242 union pf_state_xport *, union pf_state_xport *
243 );
244 static void pf_attach_state(struct pf_state_key *,
245 struct pf_state *, int);
246 static void pf_detach_state(struct pf_state *, int);
247 static u_int32_t pf_tcp_iss(struct pf_pdesc *);
248 static int pf_test_rule(struct pf_rule **, struct pf_state **,
249 int, struct pfi_kif *, pbuf_t *, int,
250 void *, struct pf_pdesc *, struct pf_rule **,
251 struct pf_ruleset **, struct ifqueue *);
252 #if DUMMYNET
253 static int pf_test_dummynet(struct pf_rule **, int,
254 struct pfi_kif *, pbuf_t **,
255 struct pf_pdesc *, struct ip_fw_args *);
256 #endif /* DUMMYNET */
257 static int pf_test_fragment(struct pf_rule **, int,
258 struct pfi_kif *, pbuf_t *, void *,
259 struct pf_pdesc *, struct pf_rule **,
260 struct pf_ruleset **);
261 static int pf_test_state_tcp(struct pf_state **, int,
262 struct pfi_kif *, pbuf_t *, int,
263 void *, struct pf_pdesc *, u_short *);
264 static int pf_test_state_udp(struct pf_state **, int,
265 struct pfi_kif *, pbuf_t *, int,
266 void *, struct pf_pdesc *, u_short *);
267 static int pf_test_state_icmp(struct pf_state **, int,
268 struct pfi_kif *, pbuf_t *, int,
269 void *, struct pf_pdesc *, u_short *);
270 static int pf_test_state_other(struct pf_state **, int,
271 struct pfi_kif *, struct pf_pdesc *);
272 static int pf_match_tag(struct pf_rule *,
273 struct pf_mtag *, int *);
274 static void pf_hash(struct pf_addr *, struct pf_addr *,
275 struct pf_poolhashkey *, sa_family_t);
276 static int pf_map_addr(u_int8_t, struct pf_rule *,
277 struct pf_addr *, struct pf_addr *,
278 struct pf_addr *, struct pf_src_node **);
279 static int pf_get_sport(struct pf_pdesc *, struct pfi_kif *,
280 struct pf_rule *, struct pf_addr *,
281 union pf_state_xport *, struct pf_addr *,
282 union pf_state_xport *, struct pf_addr *,
283 union pf_state_xport *, struct pf_src_node **
284 );
285 static void pf_route(pbuf_t **, struct pf_rule *, int,
286 struct ifnet *, struct pf_state *,
287 struct pf_pdesc *);
288 #if INET6
289 static void pf_route6(pbuf_t **, struct pf_rule *, int,
290 struct ifnet *, struct pf_state *,
291 struct pf_pdesc *);
292 #endif /* INET6 */
293 static u_int8_t pf_get_wscale(pbuf_t *, int, u_int16_t,
294 sa_family_t);
295 static u_int16_t pf_get_mss(pbuf_t *, int, u_int16_t,
296 sa_family_t);
297 static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
298 u_int16_t);
299 static void pf_set_rt_ifp(struct pf_state *,
300 struct pf_addr *, sa_family_t af);
301 static int pf_check_proto_cksum(pbuf_t *, int, int,
302 u_int8_t, sa_family_t);
303 static int pf_addr_wrap_neq(struct pf_addr_wrap *,
304 struct pf_addr_wrap *);
305 static struct pf_state *pf_find_state(struct pfi_kif *,
306 struct pf_state_key_cmp *, u_int);
307 static int pf_src_connlimit(struct pf_state **);
308 static void pf_stateins_err(const char *, struct pf_state *,
309 struct pfi_kif *);
310 static int pf_check_congestion(struct ifqueue *);
311
312 #if 0
313 static const char *pf_pptp_ctrl_type_name(u_int16_t code);
314 #endif
315 static void pf_pptp_handler(struct pf_state *, int, int,
316 struct pf_pdesc *, struct pfi_kif *);
317 static void pf_pptp_unlink(struct pf_state *);
318 static void pf_grev1_unlink(struct pf_state *);
319 static int pf_test_state_grev1(struct pf_state **, int,
320 struct pfi_kif *, int, struct pf_pdesc *);
321 static int pf_ike_compare(struct pf_app_state *,
322 struct pf_app_state *);
323 static int pf_test_state_esp(struct pf_state **, int,
324 struct pfi_kif *, int, struct pf_pdesc *);
325
326 extern struct pool pfr_ktable_pl;
327 extern struct pool pfr_kentry_pl;
328 extern int path_mtu_discovery;
329
330 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
331 { &pf_state_pl, PFSTATE_HIWAT },
332 { &pf_app_state_pl, PFAPPSTATE_HIWAT },
333 { &pf_src_tree_pl, PFSNODE_HIWAT },
334 { &pf_frent_pl, PFFRAG_FRENT_HIWAT },
335 { &pfr_ktable_pl, PFR_KTABLE_HIWAT },
336 { &pfr_kentry_pl, PFR_KENTRY_HIWAT },
337 };
338
339 void *
340 pf_lazy_makewritable(struct pf_pdesc *pd, pbuf_t *pbuf, int len)
341 {
342 void *p;
343
344 if (pd->lmw < 0) {
345 return NULL;
346 }
347
348 VERIFY(pbuf == pd->mp);
349
350 p = pbuf->pb_data;
351 if (len > pd->lmw) {
352 if ((p = pbuf_ensure_writable(pbuf, len)) == NULL) {
353 len = -1;
354 }
355 pd->lmw = len;
356 if (len >= 0) {
357 pd->pf_mtag = pf_find_mtag_pbuf(pbuf);
358
359 switch (pd->af) {
360 case AF_INET: {
361 struct ip *h = p;
362 pd->src = (struct pf_addr *)(uintptr_t)&h->ip_src;
363 pd->dst = (struct pf_addr *)(uintptr_t)&h->ip_dst;
364 pd->ip_sum = &h->ip_sum;
365 break;
366 }
367 #if INET6
368 case AF_INET6: {
369 struct ip6_hdr *h = p;
370 pd->src = (struct pf_addr *)(uintptr_t)&h->ip6_src;
371 pd->dst = (struct pf_addr *)(uintptr_t)&h->ip6_dst;
372 break;
373 }
374 #endif /* INET6 */
375 }
376 }
377 }
378
379 return len < 0 ? NULL : p;
380 }
381
382 static const int *
383 pf_state_lookup_aux(struct pf_state **state, struct pfi_kif *kif,
384 int direction, int *action)
385 {
386 if (*state == NULL || (*state)->timeout == PFTM_PURGE) {
387 *action = PF_DROP;
388 return action;
389 }
390
391 if (direction == PF_OUT &&
392 (((*state)->rule.ptr->rt == PF_ROUTETO &&
393 (*state)->rule.ptr->direction == PF_OUT) ||
394 ((*state)->rule.ptr->rt == PF_REPLYTO &&
395 (*state)->rule.ptr->direction == PF_IN)) &&
396 (*state)->rt_kif != NULL && (*state)->rt_kif != kif) {
397 *action = PF_PASS;
398 return action;
399 }
400
401 return 0;
402 }
403
404 #define STATE_LOOKUP() \
405 do { \
406 int action; \
407 *state = pf_find_state(kif, &key, direction); \
408 if (*state != NULL && pd != NULL && \
409 !(pd->pktflags & PKTF_FLOW_ID)) { \
410 pd->flowsrc = (*state)->state_key->flowsrc; \
411 pd->flowhash = (*state)->state_key->flowhash; \
412 if (pd->flowhash != 0) { \
413 pd->pktflags |= PKTF_FLOW_ID; \
414 pd->pktflags &= ~PKTF_FLOW_ADV; \
415 } \
416 } \
417 if (pf_state_lookup_aux(state, kif, direction, &action)) \
418 return (action); \
419 } while (0)
420
421 #define STATE_ADDR_TRANSLATE(sk) \
422 (sk)->lan.addr.addr32[0] != (sk)->gwy.addr.addr32[0] || \
423 ((sk)->af_lan == AF_INET6 && \
424 ((sk)->lan.addr.addr32[1] != (sk)->gwy.addr.addr32[1] || \
425 (sk)->lan.addr.addr32[2] != (sk)->gwy.addr.addr32[2] || \
426 (sk)->lan.addr.addr32[3] != (sk)->gwy.addr.addr32[3]))
427
428 #define STATE_TRANSLATE(sk) \
429 ((sk)->af_lan != (sk)->af_gwy || \
430 STATE_ADDR_TRANSLATE(sk) || \
431 (sk)->lan.xport.port != (sk)->gwy.xport.port)
432
433 #define STATE_GRE_TRANSLATE(sk) \
434 (STATE_ADDR_TRANSLATE(sk) || \
435 (sk)->lan.xport.call_id != (sk)->gwy.xport.call_id)
436
437 #define BOUND_IFACE(r, k) \
438 ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : pfi_all
439
440 #define STATE_INC_COUNTERS(s) \
441 do { \
442 s->rule.ptr->states++; \
443 VERIFY(s->rule.ptr->states != 0); \
444 if (s->anchor.ptr != NULL) { \
445 s->anchor.ptr->states++; \
446 VERIFY(s->anchor.ptr->states != 0); \
447 } \
448 if (s->nat_rule.ptr != NULL) { \
449 s->nat_rule.ptr->states++; \
450 VERIFY(s->nat_rule.ptr->states != 0); \
451 } \
452 } while (0)
453
454 #define STATE_DEC_COUNTERS(s) \
455 do { \
456 if (s->nat_rule.ptr != NULL) { \
457 VERIFY(s->nat_rule.ptr->states > 0); \
458 s->nat_rule.ptr->states--; \
459 } \
460 if (s->anchor.ptr != NULL) { \
461 VERIFY(s->anchor.ptr->states > 0); \
462 s->anchor.ptr->states--; \
463 } \
464 VERIFY(s->rule.ptr->states > 0); \
465 s->rule.ptr->states--; \
466 } while (0)
467
468 static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
469 static __inline int pf_state_compare_lan_ext(struct pf_state_key *,
470 struct pf_state_key *);
471 static __inline int pf_state_compare_ext_gwy(struct pf_state_key *,
472 struct pf_state_key *);
473 static __inline int pf_state_compare_id(struct pf_state *,
474 struct pf_state *);
475
476 struct pf_src_tree tree_src_tracking;
477
478 struct pf_state_tree_id tree_id;
479 struct pf_state_queue state_list;
480
481 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
482 RB_GENERATE(pf_state_tree_lan_ext, pf_state_key,
483 entry_lan_ext, pf_state_compare_lan_ext);
484 RB_GENERATE(pf_state_tree_ext_gwy, pf_state_key,
485 entry_ext_gwy, pf_state_compare_ext_gwy);
486 RB_GENERATE(pf_state_tree_id, pf_state,
487 entry_id, pf_state_compare_id);
488
489 #define PF_DT_SKIP_LANEXT 0x01
490 #define PF_DT_SKIP_EXTGWY 0x02
491
492 static const u_int16_t PF_PPTP_PORT = 1723;
493 static const u_int32_t PF_PPTP_MAGIC_NUMBER = 0x1A2B3C4D;
494
495 struct pf_pptp_hdr {
496 u_int16_t length;
497 u_int16_t type;
498 u_int32_t magic;
499 };
500
501 struct pf_pptp_ctrl_hdr {
502 u_int16_t type;
503 u_int16_t reserved_0;
504 };
505
506 struct pf_pptp_ctrl_generic {
507 u_int16_t data[0];
508 };
509
510 #define PF_PPTP_CTRL_TYPE_START_REQ 1
511 struct pf_pptp_ctrl_start_req {
512 u_int16_t protocol_version;
513 u_int16_t reserved_1;
514 u_int32_t framing_capabilities;
515 u_int32_t bearer_capabilities;
516 u_int16_t maximum_channels;
517 u_int16_t firmware_revision;
518 u_int8_t host_name[64];
519 u_int8_t vendor_string[64];
520 };
521
522 #define PF_PPTP_CTRL_TYPE_START_RPY 2
523 struct pf_pptp_ctrl_start_rpy {
524 u_int16_t protocol_version;
525 u_int8_t result_code;
526 u_int8_t error_code;
527 u_int32_t framing_capabilities;
528 u_int32_t bearer_capabilities;
529 u_int16_t maximum_channels;
530 u_int16_t firmware_revision;
531 u_int8_t host_name[64];
532 u_int8_t vendor_string[64];
533 };
534
535 #define PF_PPTP_CTRL_TYPE_STOP_REQ 3
536 struct pf_pptp_ctrl_stop_req {
537 u_int8_t reason;
538 u_int8_t reserved_1;
539 u_int16_t reserved_2;
540 };
541
542 #define PF_PPTP_CTRL_TYPE_STOP_RPY 4
543 struct pf_pptp_ctrl_stop_rpy {
544 u_int8_t reason;
545 u_int8_t error_code;
546 u_int16_t reserved_1;
547 };
548
549 #define PF_PPTP_CTRL_TYPE_ECHO_REQ 5
550 struct pf_pptp_ctrl_echo_req {
551 u_int32_t identifier;
552 };
553
554 #define PF_PPTP_CTRL_TYPE_ECHO_RPY 6
555 struct pf_pptp_ctrl_echo_rpy {
556 u_int32_t identifier;
557 u_int8_t result_code;
558 u_int8_t error_code;
559 u_int16_t reserved_1;
560 };
561
562 #define PF_PPTP_CTRL_TYPE_CALL_OUT_REQ 7
563 struct pf_pptp_ctrl_call_out_req {
564 u_int16_t call_id;
565 u_int16_t call_sernum;
566 u_int32_t min_bps;
567 u_int32_t bearer_type;
568 u_int32_t framing_type;
569 u_int16_t rxwindow_size;
570 u_int16_t proc_delay;
571 u_int8_t phone_num[64];
572 u_int8_t sub_addr[64];
573 };
574
575 #define PF_PPTP_CTRL_TYPE_CALL_OUT_RPY 8
576 struct pf_pptp_ctrl_call_out_rpy {
577 u_int16_t call_id;
578 u_int16_t peer_call_id;
579 u_int8_t result_code;
580 u_int8_t error_code;
581 u_int16_t cause_code;
582 u_int32_t connect_speed;
583 u_int16_t rxwindow_size;
584 u_int16_t proc_delay;
585 u_int32_t phy_channel_id;
586 };
587
588 #define PF_PPTP_CTRL_TYPE_CALL_IN_1ST 9
589 struct pf_pptp_ctrl_call_in_1st {
590 u_int16_t call_id;
591 u_int16_t call_sernum;
592 u_int32_t bearer_type;
593 u_int32_t phy_channel_id;
594 u_int16_t dialed_number_len;
595 u_int16_t dialing_number_len;
596 u_int8_t dialed_num[64];
597 u_int8_t dialing_num[64];
598 u_int8_t sub_addr[64];
599 };
600
601 #define PF_PPTP_CTRL_TYPE_CALL_IN_2ND 10
602 struct pf_pptp_ctrl_call_in_2nd {
603 u_int16_t call_id;
604 u_int16_t peer_call_id;
605 u_int8_t result_code;
606 u_int8_t error_code;
607 u_int16_t rxwindow_size;
608 u_int16_t txdelay;
609 u_int16_t reserved_1;
610 };
611
612 #define PF_PPTP_CTRL_TYPE_CALL_IN_3RD 11
613 struct pf_pptp_ctrl_call_in_3rd {
614 u_int16_t call_id;
615 u_int16_t reserved_1;
616 u_int32_t connect_speed;
617 u_int16_t rxwindow_size;
618 u_int16_t txdelay;
619 u_int32_t framing_type;
620 };
621
622 #define PF_PPTP_CTRL_TYPE_CALL_CLR 12
623 struct pf_pptp_ctrl_call_clr {
624 u_int16_t call_id;
625 u_int16_t reserved_1;
626 };
627
628 #define PF_PPTP_CTRL_TYPE_CALL_DISC 13
629 struct pf_pptp_ctrl_call_disc {
630 u_int16_t call_id;
631 u_int8_t result_code;
632 u_int8_t error_code;
633 u_int16_t cause_code;
634 u_int16_t reserved_1;
635 u_int8_t statistics[128];
636 };
637
638 #define PF_PPTP_CTRL_TYPE_ERROR 14
639 struct pf_pptp_ctrl_error {
640 u_int16_t peer_call_id;
641 u_int16_t reserved_1;
642 u_int32_t crc_errors;
643 u_int32_t fr_errors;
644 u_int32_t hw_errors;
645 u_int32_t buf_errors;
646 u_int32_t tim_errors;
647 u_int32_t align_errors;
648 };
649
650 #define PF_PPTP_CTRL_TYPE_SET_LINKINFO 15
651 struct pf_pptp_ctrl_set_linkinfo {
652 u_int16_t peer_call_id;
653 u_int16_t reserved_1;
654 u_int32_t tx_accm;
655 u_int32_t rx_accm;
656 };
657
658 #if 0
659 static const char *
660 pf_pptp_ctrl_type_name(u_int16_t code)
661 {
662 code = ntohs(code);
663
664 if (code < PF_PPTP_CTRL_TYPE_START_REQ ||
665 code > PF_PPTP_CTRL_TYPE_SET_LINKINFO) {
666 static char reserved[] = "reserved-00";
667
668 sprintf(&reserved[9], "%02x", code);
669 return reserved;
670 } else {
671 static const char *name[] = {
672 "start_req", "start_rpy", "stop_req", "stop_rpy",
673 "echo_req", "echo_rpy", "call_out_req", "call_out_rpy",
674 "call_in_1st", "call_in_2nd", "call_in_3rd",
675 "call_clr", "call_disc", "error", "set_linkinfo"
676 };
677
678 return name[code - 1];
679 }
680 };
681 #endif
682
683 static const size_t PF_PPTP_CTRL_MSG_MINSIZE =
684 sizeof(struct pf_pptp_hdr) + sizeof(struct pf_pptp_ctrl_hdr);
685
686 union pf_pptp_ctrl_msg_union {
687 struct pf_pptp_ctrl_start_req start_req;
688 struct pf_pptp_ctrl_start_rpy start_rpy;
689 struct pf_pptp_ctrl_stop_req stop_req;
690 struct pf_pptp_ctrl_stop_rpy stop_rpy;
691 struct pf_pptp_ctrl_echo_req echo_req;
692 struct pf_pptp_ctrl_echo_rpy echo_rpy;
693 struct pf_pptp_ctrl_call_out_req call_out_req;
694 struct pf_pptp_ctrl_call_out_rpy call_out_rpy;
695 struct pf_pptp_ctrl_call_in_1st call_in_1st;
696 struct pf_pptp_ctrl_call_in_2nd call_in_2nd;
697 struct pf_pptp_ctrl_call_in_3rd call_in_3rd;
698 struct pf_pptp_ctrl_call_clr call_clr;
699 struct pf_pptp_ctrl_call_disc call_disc;
700 struct pf_pptp_ctrl_error error;
701 struct pf_pptp_ctrl_set_linkinfo set_linkinfo;
702 u_int8_t data[0];
703 };
704
705 struct pf_pptp_ctrl_msg {
706 struct pf_pptp_hdr hdr;
707 struct pf_pptp_ctrl_hdr ctrl;
708 union pf_pptp_ctrl_msg_union msg;
709 };
710
711 #define PF_GRE_FLAG_CHECKSUM_PRESENT 0x8000
712 #define PF_GRE_FLAG_VERSION_MASK 0x0007
713 #define PF_GRE_PPP_ETHERTYPE 0x880B
714
715 struct pf_grev1_hdr {
716 u_int16_t flags;
717 u_int16_t protocol_type;
718 u_int16_t payload_length;
719 u_int16_t call_id;
720 /*
721 * u_int32_t seqno;
722 * u_int32_t ackno;
723 */
724 };
725
726 static const u_int16_t PF_IKE_PORT = 500;
727
728 struct pf_ike_hdr {
729 u_int64_t initiator_cookie, responder_cookie;
730 u_int8_t next_payload, version, exchange_type, flags;
731 u_int32_t message_id, length;
732 };
733
734 #define PF_IKE_PACKET_MINSIZE (sizeof (struct pf_ike_hdr))
735
736 #define PF_IKEv1_EXCHTYPE_BASE 1
737 #define PF_IKEv1_EXCHTYPE_ID_PROTECT 2
738 #define PF_IKEv1_EXCHTYPE_AUTH_ONLY 3
739 #define PF_IKEv1_EXCHTYPE_AGGRESSIVE 4
740 #define PF_IKEv1_EXCHTYPE_INFORMATIONAL 5
741 #define PF_IKEv2_EXCHTYPE_SA_INIT 34
742 #define PF_IKEv2_EXCHTYPE_AUTH 35
743 #define PF_IKEv2_EXCHTYPE_CREATE_CHILD_SA 36
744 #define PF_IKEv2_EXCHTYPE_INFORMATIONAL 37
745
746 #define PF_IKEv1_FLAG_E 0x01
747 #define PF_IKEv1_FLAG_C 0x02
748 #define PF_IKEv1_FLAG_A 0x04
749 #define PF_IKEv2_FLAG_I 0x08
750 #define PF_IKEv2_FLAG_V 0x10
751 #define PF_IKEv2_FLAG_R 0x20
752
753 struct pf_esp_hdr {
754 u_int32_t spi;
755 u_int32_t seqno;
756 u_int8_t payload[];
757 };
758
759 static __inline int
760 pf_addr_compare(struct pf_addr *a, struct pf_addr *b, sa_family_t af)
761 {
762 switch (af) {
763 #ifdef INET
764 case AF_INET:
765 if (a->addr32[0] > b->addr32[0]) {
766 return 1;
767 }
768 if (a->addr32[0] < b->addr32[0]) {
769 return -1;
770 }
771 break;
772 #endif /* INET */
773 #ifdef INET6
774 case AF_INET6:
775 if (a->addr32[3] > b->addr32[3]) {
776 return 1;
777 }
778 if (a->addr32[3] < b->addr32[3]) {
779 return -1;
780 }
781 if (a->addr32[2] > b->addr32[2]) {
782 return 1;
783 }
784 if (a->addr32[2] < b->addr32[2]) {
785 return -1;
786 }
787 if (a->addr32[1] > b->addr32[1]) {
788 return 1;
789 }
790 if (a->addr32[1] < b->addr32[1]) {
791 return -1;
792 }
793 if (a->addr32[0] > b->addr32[0]) {
794 return 1;
795 }
796 if (a->addr32[0] < b->addr32[0]) {
797 return -1;
798 }
799 break;
800 #endif /* INET6 */
801 }
802 return 0;
803 }
804
805 static __inline int
806 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
807 {
808 int diff;
809
810 if (a->rule.ptr > b->rule.ptr) {
811 return 1;
812 }
813 if (a->rule.ptr < b->rule.ptr) {
814 return -1;
815 }
816 if ((diff = a->af - b->af) != 0) {
817 return diff;
818 }
819 if ((diff = pf_addr_compare(&a->addr, &b->addr, a->af)) != 0) {
820 return diff;
821 }
822 return 0;
823 }
824
825 static __inline int
826 pf_state_compare_lan_ext(struct pf_state_key *a, struct pf_state_key *b)
827 {
828 int diff;
829 int extfilter;
830
831 if ((diff = a->proto - b->proto) != 0) {
832 return diff;
833 }
834 if ((diff = a->af_lan - b->af_lan) != 0) {
835 return diff;
836 }
837
838 extfilter = PF_EXTFILTER_APD;
839
840 switch (a->proto) {
841 case IPPROTO_ICMP:
842 case IPPROTO_ICMPV6:
843 if ((diff = a->lan.xport.port - b->lan.xport.port) != 0) {
844 return diff;
845 }
846 break;
847
848 case IPPROTO_TCP:
849 if ((diff = a->lan.xport.port - b->lan.xport.port) != 0) {
850 return diff;
851 }
852 if ((diff = a->ext_lan.xport.port - b->ext_lan.xport.port) != 0) {
853 return diff;
854 }
855 break;
856
857 case IPPROTO_UDP:
858 if ((diff = a->proto_variant - b->proto_variant)) {
859 return diff;
860 }
861 extfilter = a->proto_variant;
862 if ((diff = a->lan.xport.port - b->lan.xport.port) != 0) {
863 return diff;
864 }
865 if ((extfilter < PF_EXTFILTER_AD) &&
866 (diff = a->ext_lan.xport.port - b->ext_lan.xport.port) != 0) {
867 return diff;
868 }
869 break;
870
871 case IPPROTO_GRE:
872 if (a->proto_variant == PF_GRE_PPTP_VARIANT &&
873 a->proto_variant == b->proto_variant) {
874 if (!!(diff = a->ext_lan.xport.call_id -
875 b->ext_lan.xport.call_id)) {
876 return diff;
877 }
878 }
879 break;
880
881 case IPPROTO_ESP:
882 if (!!(diff = a->ext_lan.xport.spi - b->ext_lan.xport.spi)) {
883 return diff;
884 }
885 break;
886
887 default:
888 break;
889 }
890
891 switch (a->af_lan) {
892 #if INET
893 case AF_INET:
894 if ((diff = pf_addr_compare(&a->lan.addr, &b->lan.addr,
895 a->af_lan)) != 0) {
896 return diff;
897 }
898
899 if (extfilter < PF_EXTFILTER_EI) {
900 if ((diff = pf_addr_compare(&a->ext_lan.addr,
901 &b->ext_lan.addr,
902 a->af_lan)) != 0) {
903 return diff;
904 }
905 }
906 break;
907 #endif /* INET */
908 #if INET6
909 case AF_INET6:
910 if ((diff = pf_addr_compare(&a->lan.addr, &b->lan.addr,
911 a->af_lan)) != 0) {
912 return diff;
913 }
914
915 if (extfilter < PF_EXTFILTER_EI ||
916 !PF_AZERO(&b->ext_lan.addr, AF_INET6)) {
917 if ((diff = pf_addr_compare(&a->ext_lan.addr,
918 &b->ext_lan.addr,
919 a->af_lan)) != 0) {
920 return diff;
921 }
922 }
923 break;
924 #endif /* INET6 */
925 }
926
927 if (a->app_state && b->app_state) {
928 if (a->app_state->compare_lan_ext &&
929 b->app_state->compare_lan_ext) {
930 diff = (const char *)b->app_state->compare_lan_ext -
931 (const char *)a->app_state->compare_lan_ext;
932 if (diff != 0) {
933 return diff;
934 }
935 diff = a->app_state->compare_lan_ext(a->app_state,
936 b->app_state);
937 if (diff != 0) {
938 return diff;
939 }
940 }
941 }
942
943 return 0;
944 }
945
946 static __inline int
947 pf_state_compare_ext_gwy(struct pf_state_key *a, struct pf_state_key *b)
948 {
949 int diff;
950 int extfilter;
951
952 if ((diff = a->proto - b->proto) != 0) {
953 return diff;
954 }
955
956 if ((diff = a->af_gwy - b->af_gwy) != 0) {
957 return diff;
958 }
959
960 extfilter = PF_EXTFILTER_APD;
961
962 switch (a->proto) {
963 case IPPROTO_ICMP:
964 case IPPROTO_ICMPV6:
965 if ((diff = a->gwy.xport.port - b->gwy.xport.port) != 0) {
966 return diff;
967 }
968 break;
969
970 case IPPROTO_TCP:
971 if ((diff = a->ext_gwy.xport.port - b->ext_gwy.xport.port) != 0) {
972 return diff;
973 }
974 if ((diff = a->gwy.xport.port - b->gwy.xport.port) != 0) {
975 return diff;
976 }
977 break;
978
979 case IPPROTO_UDP:
980 if ((diff = a->proto_variant - b->proto_variant)) {
981 return diff;
982 }
983 extfilter = a->proto_variant;
984 if ((diff = a->gwy.xport.port - b->gwy.xport.port) != 0) {
985 return diff;
986 }
987 if ((extfilter < PF_EXTFILTER_AD) &&
988 (diff = a->ext_gwy.xport.port - b->ext_gwy.xport.port) != 0) {
989 return diff;
990 }
991 break;
992
993 case IPPROTO_GRE:
994 if (a->proto_variant == PF_GRE_PPTP_VARIANT &&
995 a->proto_variant == b->proto_variant) {
996 if (!!(diff = a->gwy.xport.call_id -
997 b->gwy.xport.call_id)) {
998 return diff;
999 }
1000 }
1001 break;
1002
1003 case IPPROTO_ESP:
1004 if (!!(diff = a->gwy.xport.spi - b->gwy.xport.spi)) {
1005 return diff;
1006 }
1007 break;
1008
1009 default:
1010 break;
1011 }
1012
1013 switch (a->af_gwy) {
1014 #if INET
1015 case AF_INET:
1016 if ((diff = pf_addr_compare(&a->gwy.addr, &b->gwy.addr,
1017 a->af_gwy)) != 0) {
1018 return diff;
1019 }
1020
1021 if (extfilter < PF_EXTFILTER_EI) {
1022 if ((diff = pf_addr_compare(&a->ext_gwy.addr, &b->ext_gwy.addr,
1023 a->af_gwy)) != 0) {
1024 return diff;
1025 }
1026 }
1027 break;
1028 #endif /* INET */
1029 #if INET6
1030 case AF_INET6:
1031 if ((diff = pf_addr_compare(&a->gwy.addr, &b->gwy.addr,
1032 a->af_gwy)) != 0) {
1033 return diff;
1034 }
1035
1036 if (extfilter < PF_EXTFILTER_EI ||
1037 !PF_AZERO(&b->ext_gwy.addr, AF_INET6)) {
1038 if ((diff = pf_addr_compare(&a->ext_gwy.addr, &b->ext_gwy.addr,
1039 a->af_gwy)) != 0) {
1040 return diff;
1041 }
1042 }
1043 break;
1044 #endif /* INET6 */
1045 }
1046
1047 if (a->app_state && b->app_state) {
1048 if (a->app_state->compare_ext_gwy &&
1049 b->app_state->compare_ext_gwy) {
1050 diff = (const char *)b->app_state->compare_ext_gwy -
1051 (const char *)a->app_state->compare_ext_gwy;
1052 if (diff != 0) {
1053 return diff;
1054 }
1055 diff = a->app_state->compare_ext_gwy(a->app_state,
1056 b->app_state);
1057 if (diff != 0) {
1058 return diff;
1059 }
1060 }
1061 }
1062
1063 return 0;
1064 }
1065
1066 static __inline int
1067 pf_state_compare_id(struct pf_state *a, struct pf_state *b)
1068 {
1069 if (a->id > b->id) {
1070 return 1;
1071 }
1072 if (a->id < b->id) {
1073 return -1;
1074 }
1075 if (a->creatorid > b->creatorid) {
1076 return 1;
1077 }
1078 if (a->creatorid < b->creatorid) {
1079 return -1;
1080 }
1081
1082 return 0;
1083 }
1084
1085 #if INET6
1086 void
1087 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
1088 {
1089 switch (af) {
1090 #if INET
1091 case AF_INET:
1092 dst->addr32[0] = src->addr32[0];
1093 break;
1094 #endif /* INET */
1095 case AF_INET6:
1096 dst->addr32[0] = src->addr32[0];
1097 dst->addr32[1] = src->addr32[1];
1098 dst->addr32[2] = src->addr32[2];
1099 dst->addr32[3] = src->addr32[3];
1100 break;
1101 }
1102 }
1103 #endif /* INET6 */
1104
1105 struct pf_state *
1106 pf_find_state_byid(struct pf_state_cmp *key)
1107 {
1108 pf_status.fcounters[FCNT_STATE_SEARCH]++;
1109
1110 return RB_FIND(pf_state_tree_id, &tree_id,
1111 (struct pf_state *)(void *)key);
1112 }
1113
1114 static struct pf_state *
1115 pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir)
1116 {
1117 struct pf_state_key *sk = NULL;
1118 struct pf_state *s;
1119
1120 pf_status.fcounters[FCNT_STATE_SEARCH]++;
1121
1122 switch (dir) {
1123 case PF_OUT:
1124 sk = RB_FIND(pf_state_tree_lan_ext, &pf_statetbl_lan_ext,
1125 (struct pf_state_key *)key);
1126 break;
1127 case PF_IN:
1128 sk = RB_FIND(pf_state_tree_ext_gwy, &pf_statetbl_ext_gwy,
1129 (struct pf_state_key *)key);
1130 /*
1131 * NAT64 is done only on input, for packets coming in from
1132 * from the LAN side, need to lookup the lan_ext tree.
1133 */
1134 if (sk == NULL) {
1135 sk = RB_FIND(pf_state_tree_lan_ext,
1136 &pf_statetbl_lan_ext,
1137 (struct pf_state_key *)key);
1138 if (sk && sk->af_lan == sk->af_gwy) {
1139 sk = NULL;
1140 }
1141 }
1142 break;
1143 default:
1144 panic("pf_find_state");
1145 }
1146
1147 /* list is sorted, if-bound states before floating ones */
1148 if (sk != NULL) {
1149 TAILQ_FOREACH(s, &sk->states, next)
1150 if (s->kif == pfi_all || s->kif == kif) {
1151 return s;
1152 }
1153 }
1154
1155 return NULL;
1156 }
1157
1158 struct pf_state *
1159 pf_find_state_all(struct pf_state_key_cmp *key, u_int dir, int *more)
1160 {
1161 struct pf_state_key *sk = NULL;
1162 struct pf_state *s, *ret = NULL;
1163
1164 pf_status.fcounters[FCNT_STATE_SEARCH]++;
1165
1166 switch (dir) {
1167 case PF_OUT:
1168 sk = RB_FIND(pf_state_tree_lan_ext,
1169 &pf_statetbl_lan_ext, (struct pf_state_key *)key);
1170 break;
1171 case PF_IN:
1172 sk = RB_FIND(pf_state_tree_ext_gwy,
1173 &pf_statetbl_ext_gwy, (struct pf_state_key *)key);
1174 /*
1175 * NAT64 is done only on input, for packets coming in from
1176 * from the LAN side, need to lookup the lan_ext tree.
1177 */
1178 if ((sk == NULL) && pf_nat64_configured) {
1179 sk = RB_FIND(pf_state_tree_lan_ext,
1180 &pf_statetbl_lan_ext,
1181 (struct pf_state_key *)key);
1182 if (sk && sk->af_lan == sk->af_gwy) {
1183 sk = NULL;
1184 }
1185 }
1186 break;
1187 default:
1188 panic("pf_find_state_all");
1189 }
1190
1191 if (sk != NULL) {
1192 ret = TAILQ_FIRST(&sk->states);
1193 if (more == NULL) {
1194 return ret;
1195 }
1196
1197 TAILQ_FOREACH(s, &sk->states, next)
1198 (*more)++;
1199 }
1200
1201 return ret;
1202 }
1203
1204 static void
1205 pf_init_threshold(struct pf_threshold *threshold,
1206 u_int32_t limit, u_int32_t seconds)
1207 {
1208 threshold->limit = limit * PF_THRESHOLD_MULT;
1209 threshold->seconds = seconds;
1210 threshold->count = 0;
1211 threshold->last = pf_time_second();
1212 }
1213
1214 static void
1215 pf_add_threshold(struct pf_threshold *threshold)
1216 {
1217 u_int32_t t = pf_time_second(), diff = t - threshold->last;
1218
1219 if (diff >= threshold->seconds) {
1220 threshold->count = 0;
1221 } else {
1222 threshold->count -= threshold->count * diff /
1223 threshold->seconds;
1224 }
1225 threshold->count += PF_THRESHOLD_MULT;
1226 threshold->last = t;
1227 }
1228
1229 static int
1230 pf_check_threshold(struct pf_threshold *threshold)
1231 {
1232 return threshold->count > threshold->limit;
1233 }
1234
1235 static int
1236 pf_src_connlimit(struct pf_state **state)
1237 {
1238 int bad = 0;
1239 (*state)->src_node->conn++;
1240 VERIFY((*state)->src_node->conn != 0);
1241 (*state)->src.tcp_est = 1;
1242 pf_add_threshold(&(*state)->src_node->conn_rate);
1243
1244 if ((*state)->rule.ptr->max_src_conn &&
1245 (*state)->rule.ptr->max_src_conn <
1246 (*state)->src_node->conn) {
1247 pf_status.lcounters[LCNT_SRCCONN]++;
1248 bad++;
1249 }
1250
1251 if ((*state)->rule.ptr->max_src_conn_rate.limit &&
1252 pf_check_threshold(&(*state)->src_node->conn_rate)) {
1253 pf_status.lcounters[LCNT_SRCCONNRATE]++;
1254 bad++;
1255 }
1256
1257 if (!bad) {
1258 return 0;
1259 }
1260
1261 if ((*state)->rule.ptr->overload_tbl) {
1262 struct pfr_addr p;
1263 u_int32_t killed = 0;
1264
1265 pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
1266 if (pf_status.debug >= PF_DEBUG_MISC) {
1267 printf("pf_src_connlimit: blocking address ");
1268 pf_print_host(&(*state)->src_node->addr, 0,
1269 (*state)->state_key->af_lan);
1270 }
1271
1272 bzero(&p, sizeof(p));
1273 p.pfra_af = (*state)->state_key->af_lan;
1274 switch ((*state)->state_key->af_lan) {
1275 #if INET
1276 case AF_INET:
1277 p.pfra_net = 32;
1278 p.pfra_ip4addr = (*state)->src_node->addr.v4addr;
1279 break;
1280 #endif /* INET */
1281 #if INET6
1282 case AF_INET6:
1283 p.pfra_net = 128;
1284 p.pfra_ip6addr = (*state)->src_node->addr.v6addr;
1285 break;
1286 #endif /* INET6 */
1287 }
1288
1289 pfr_insert_kentry((*state)->rule.ptr->overload_tbl,
1290 &p, pf_calendar_time_second());
1291
1292 /* kill existing states if that's required. */
1293 if ((*state)->rule.ptr->flush) {
1294 struct pf_state_key *sk;
1295 struct pf_state *st;
1296
1297 pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
1298 RB_FOREACH(st, pf_state_tree_id, &tree_id) {
1299 sk = st->state_key;
1300 /*
1301 * Kill states from this source. (Only those
1302 * from the same rule if PF_FLUSH_GLOBAL is not
1303 * set)
1304 */
1305 if (sk->af_lan ==
1306 (*state)->state_key->af_lan &&
1307 (((*state)->state_key->direction ==
1308 PF_OUT &&
1309 PF_AEQ(&(*state)->src_node->addr,
1310 &sk->lan.addr, sk->af_lan)) ||
1311 ((*state)->state_key->direction == PF_IN &&
1312 PF_AEQ(&(*state)->src_node->addr,
1313 &sk->ext_lan.addr, sk->af_lan))) &&
1314 ((*state)->rule.ptr->flush &
1315 PF_FLUSH_GLOBAL ||
1316 (*state)->rule.ptr == st->rule.ptr)) {
1317 st->timeout = PFTM_PURGE;
1318 st->src.state = st->dst.state =
1319 TCPS_CLOSED;
1320 killed++;
1321 }
1322 }
1323 if (pf_status.debug >= PF_DEBUG_MISC) {
1324 printf(", %u states killed", killed);
1325 }
1326 }
1327 if (pf_status.debug >= PF_DEBUG_MISC) {
1328 printf("\n");
1329 }
1330 }
1331
1332 /* kill this state */
1333 (*state)->timeout = PFTM_PURGE;
1334 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
1335 return 1;
1336 }
1337
1338 int
1339 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
1340 struct pf_addr *src, sa_family_t af)
1341 {
1342 struct pf_src_node k;
1343
1344 if (*sn == NULL) {
1345 k.af = af;
1346 PF_ACPY(&k.addr, src, af);
1347 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
1348 rule->rpool.opts & PF_POOL_STICKYADDR) {
1349 k.rule.ptr = rule;
1350 } else {
1351 k.rule.ptr = NULL;
1352 }
1353 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
1354 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
1355 }
1356 if (*sn == NULL) {
1357 if (!rule->max_src_nodes ||
1358 rule->src_nodes < rule->max_src_nodes) {
1359 (*sn) = pool_get(&pf_src_tree_pl, PR_WAITOK);
1360 } else {
1361 pf_status.lcounters[LCNT_SRCNODES]++;
1362 }
1363 if ((*sn) == NULL) {
1364 return -1;
1365 }
1366 bzero(*sn, sizeof(struct pf_src_node));
1367
1368 pf_init_threshold(&(*sn)->conn_rate,
1369 rule->max_src_conn_rate.limit,
1370 rule->max_src_conn_rate.seconds);
1371
1372 (*sn)->af = af;
1373 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
1374 rule->rpool.opts & PF_POOL_STICKYADDR) {
1375 (*sn)->rule.ptr = rule;
1376 } else {
1377 (*sn)->rule.ptr = NULL;
1378 }
1379 PF_ACPY(&(*sn)->addr, src, af);
1380 if (RB_INSERT(pf_src_tree,
1381 &tree_src_tracking, *sn) != NULL) {
1382 if (pf_status.debug >= PF_DEBUG_MISC) {
1383 printf("pf: src_tree insert failed: ");
1384 pf_print_host(&(*sn)->addr, 0, af);
1385 printf("\n");
1386 }
1387 pool_put(&pf_src_tree_pl, *sn);
1388 return -1;
1389 }
1390 (*sn)->creation = pf_time_second();
1391 (*sn)->ruletype = rule->action;
1392 if ((*sn)->rule.ptr != NULL) {
1393 (*sn)->rule.ptr->src_nodes++;
1394 }
1395 pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
1396 pf_status.src_nodes++;
1397 } else {
1398 if (rule->max_src_states &&
1399 (*sn)->states >= rule->max_src_states) {
1400 pf_status.lcounters[LCNT_SRCSTATES]++;
1401 return -1;
1402 }
1403 }
1404 return 0;
1405 }
1406
1407 static void
1408 pf_stateins_err(const char *tree, struct pf_state *s, struct pfi_kif *kif)
1409 {
1410 struct pf_state_key *sk = s->state_key;
1411
1412 if (pf_status.debug >= PF_DEBUG_MISC) {
1413 printf("pf: state insert failed: %s %s ", tree, kif->pfik_name);
1414 switch (sk->proto) {
1415 case IPPROTO_TCP:
1416 printf("TCP");
1417 break;
1418 case IPPROTO_UDP:
1419 printf("UDP");
1420 break;
1421 case IPPROTO_ICMP:
1422 printf("ICMP4");
1423 break;
1424 case IPPROTO_ICMPV6:
1425 printf("ICMP6");
1426 break;
1427 default:
1428 printf("PROTO=%u", sk->proto);
1429 break;
1430 }
1431 printf(" lan: ");
1432 pf_print_sk_host(&sk->lan, sk->af_lan, sk->proto,
1433 sk->proto_variant);
1434 printf(" gwy: ");
1435 pf_print_sk_host(&sk->gwy, sk->af_gwy, sk->proto,
1436 sk->proto_variant);
1437 printf(" ext_lan: ");
1438 pf_print_sk_host(&sk->ext_lan, sk->af_lan, sk->proto,
1439 sk->proto_variant);
1440 printf(" ext_gwy: ");
1441 pf_print_sk_host(&sk->ext_gwy, sk->af_gwy, sk->proto,
1442 sk->proto_variant);
1443 if (s->sync_flags & PFSTATE_FROMSYNC) {
1444 printf(" (from sync)");
1445 }
1446 printf("\n");
1447 }
1448 }
1449
1450 int
1451 pf_insert_state(struct pfi_kif *kif, struct pf_state *s)
1452 {
1453 struct pf_state_key *cur;
1454 struct pf_state *sp;
1455
1456 VERIFY(s->state_key != NULL);
1457 s->kif = kif;
1458
1459 if ((cur = RB_INSERT(pf_state_tree_lan_ext, &pf_statetbl_lan_ext,
1460 s->state_key)) != NULL) {
1461 /* key exists. check for same kif, if none, add to key */
1462 TAILQ_FOREACH(sp, &cur->states, next)
1463 if (sp->kif == kif) { /* collision! */
1464 pf_stateins_err("tree_lan_ext", s, kif);
1465 pf_detach_state(s,
1466 PF_DT_SKIP_LANEXT | PF_DT_SKIP_EXTGWY);
1467 return -1;
1468 }
1469 pf_detach_state(s, PF_DT_SKIP_LANEXT | PF_DT_SKIP_EXTGWY);
1470 pf_attach_state(cur, s, kif == pfi_all ? 1 : 0);
1471 }
1472
1473 /* if cur != NULL, we already found a state key and attached to it */
1474 if (cur == NULL && (cur = RB_INSERT(pf_state_tree_ext_gwy,
1475 &pf_statetbl_ext_gwy, s->state_key)) != NULL) {
1476 /* must not happen. we must have found the sk above! */
1477 pf_stateins_err("tree_ext_gwy", s, kif);
1478 pf_detach_state(s, PF_DT_SKIP_EXTGWY);
1479 return -1;
1480 }
1481
1482 if (s->id == 0 && s->creatorid == 0) {
1483 s->id = htobe64(pf_status.stateid++);
1484 s->creatorid = pf_status.hostid;
1485 }
1486 if (RB_INSERT(pf_state_tree_id, &tree_id, s) != NULL) {
1487 if (pf_status.debug >= PF_DEBUG_MISC) {
1488 printf("pf: state insert failed: "
1489 "id: %016llx creatorid: %08x",
1490 be64toh(s->id), ntohl(s->creatorid));
1491 if (s->sync_flags & PFSTATE_FROMSYNC) {
1492 printf(" (from sync)");
1493 }
1494 printf("\n");
1495 }
1496 pf_detach_state(s, 0);
1497 return -1;
1498 }
1499 TAILQ_INSERT_TAIL(&state_list, s, entry_list);
1500 pf_status.fcounters[FCNT_STATE_INSERT]++;
1501 pf_status.states++;
1502 VERIFY(pf_status.states != 0);
1503 pfi_kif_ref(kif, PFI_KIF_REF_STATE);
1504 #if NPFSYNC
1505 pfsync_insert_state(s);
1506 #endif
1507 return 0;
1508 }
1509
1510 static int
1511 pf_purge_thread_cont(int err)
1512 {
1513 #pragma unused(err)
1514 static u_int32_t nloops = 0;
1515 int t = 1; /* 1 second */
1516
1517 /*
1518 * Update coarse-grained networking timestamp (in sec.); the idea
1519 * is to piggy-back on the periodic timeout callout to update
1520 * the counter returnable via net_uptime().
1521 */
1522 net_update_uptime();
1523
1524 lck_rw_lock_shared(pf_perim_lock);
1525 lck_mtx_lock(pf_lock);
1526
1527 /* purge everything if not running */
1528 if (!pf_status.running) {
1529 pf_purge_expired_states(pf_status.states);
1530 pf_purge_expired_fragments();
1531 pf_purge_expired_src_nodes();
1532
1533 /* terminate thread (we don't currently do this) */
1534 if (pf_purge_thread == NULL) {
1535 lck_mtx_unlock(pf_lock);
1536 lck_rw_done(pf_perim_lock);
1537
1538 thread_deallocate(current_thread());
1539 thread_terminate(current_thread());
1540 /* NOTREACHED */
1541 return 0;
1542 } else {
1543 /* if there's nothing left, sleep w/o timeout */
1544 if (pf_status.states == 0 &&
1545 pf_normalize_isempty() &&
1546 RB_EMPTY(&tree_src_tracking)) {
1547 nloops = 0;
1548 t = 0;
1549 }
1550 goto done;
1551 }
1552 }
1553
1554 /* process a fraction of the state table every second */
1555 pf_purge_expired_states(1 + (pf_status.states
1556 / pf_default_rule.timeout[PFTM_INTERVAL]));
1557
1558 /* purge other expired types every PFTM_INTERVAL seconds */
1559 if (++nloops >= pf_default_rule.timeout[PFTM_INTERVAL]) {
1560 pf_purge_expired_fragments();
1561 pf_purge_expired_src_nodes();
1562 nloops = 0;
1563 }
1564 done:
1565 lck_mtx_unlock(pf_lock);
1566 lck_rw_done(pf_perim_lock);
1567
1568 (void) tsleep0(pf_purge_thread_fn, PWAIT, "pf_purge_cont",
1569 t * hz, pf_purge_thread_cont);
1570 /* NOTREACHED */
1571 VERIFY(0);
1572
1573 return 0;
1574 }
1575
1576 void
1577 pf_purge_thread_fn(void *v, wait_result_t w)
1578 {
1579 #pragma unused(v, w)
1580 (void) tsleep0(pf_purge_thread_fn, PWAIT, "pf_purge", 0,
1581 pf_purge_thread_cont);
1582 /*
1583 * tsleep0() shouldn't have returned as PCATCH was not set;
1584 * therefore assert in this case.
1585 */
1586 VERIFY(0);
1587 }
1588
1589 u_int64_t
1590 pf_state_expires(const struct pf_state *state)
1591 {
1592 u_int32_t t;
1593 u_int32_t start;
1594 u_int32_t end;
1595 u_int32_t states;
1596
1597 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1598
1599 /* handle all PFTM_* > PFTM_MAX here */
1600 if (state->timeout == PFTM_PURGE) {
1601 return pf_time_second();
1602 }
1603
1604 VERIFY(state->timeout != PFTM_UNLINKED);
1605 VERIFY(state->timeout < PFTM_MAX);
1606 t = state->rule.ptr->timeout[state->timeout];
1607 if (!t) {
1608 t = pf_default_rule.timeout[state->timeout];
1609 }
1610 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1611 if (start) {
1612 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1613 states = state->rule.ptr->states;
1614 } else {
1615 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
1616 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
1617 states = pf_status.states;
1618 }
1619 if (end && states > start && start < end) {
1620 if (states < end) {
1621 return state->expire + t * (end - states) /
1622 (end - start);
1623 } else {
1624 return pf_time_second();
1625 }
1626 }
1627 return state->expire + t;
1628 }
1629
1630 void
1631 pf_purge_expired_src_nodes(void)
1632 {
1633 struct pf_src_node *cur, *next;
1634
1635 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1636
1637 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
1638 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
1639
1640 if (cur->states <= 0 && cur->expire <= pf_time_second()) {
1641 if (cur->rule.ptr != NULL) {
1642 cur->rule.ptr->src_nodes--;
1643 if (cur->rule.ptr->states <= 0 &&
1644 cur->rule.ptr->max_src_nodes <= 0) {
1645 pf_rm_rule(NULL, cur->rule.ptr);
1646 }
1647 }
1648 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
1649 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
1650 pf_status.src_nodes--;
1651 pool_put(&pf_src_tree_pl, cur);
1652 }
1653 }
1654 }
1655
1656 void
1657 pf_src_tree_remove_state(struct pf_state *s)
1658 {
1659 u_int32_t t;
1660
1661 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1662
1663 if (s->src_node != NULL) {
1664 if (s->src.tcp_est) {
1665 VERIFY(s->src_node->conn > 0);
1666 --s->src_node->conn;
1667 }
1668 VERIFY(s->src_node->states > 0);
1669 if (--s->src_node->states <= 0) {
1670 t = s->rule.ptr->timeout[PFTM_SRC_NODE];
1671 if (!t) {
1672 t = pf_default_rule.timeout[PFTM_SRC_NODE];
1673 }
1674 s->src_node->expire = pf_time_second() + t;
1675 }
1676 }
1677 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
1678 VERIFY(s->nat_src_node->states > 0);
1679 if (--s->nat_src_node->states <= 0) {
1680 t = s->rule.ptr->timeout[PFTM_SRC_NODE];
1681 if (!t) {
1682 t = pf_default_rule.timeout[PFTM_SRC_NODE];
1683 }
1684 s->nat_src_node->expire = pf_time_second() + t;
1685 }
1686 }
1687 s->src_node = s->nat_src_node = NULL;
1688 }
1689
1690 void
1691 pf_unlink_state(struct pf_state *cur)
1692 {
1693 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1694
1695 if (cur->src.state == PF_TCPS_PROXY_DST) {
1696 pf_send_tcp(cur->rule.ptr, cur->state_key->af_lan,
1697 &cur->state_key->ext_lan.addr, &cur->state_key->lan.addr,
1698 cur->state_key->ext_lan.xport.port,
1699 cur->state_key->lan.xport.port,
1700 cur->src.seqhi, cur->src.seqlo + 1,
1701 TH_RST | TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL);
1702 }
1703
1704 hook_runloop(&cur->unlink_hooks, HOOK_REMOVE | HOOK_FREE);
1705 RB_REMOVE(pf_state_tree_id, &tree_id, cur);
1706 #if NPFSYNC
1707 if (cur->creatorid == pf_status.hostid) {
1708 pfsync_delete_state(cur);
1709 }
1710 #endif
1711 cur->timeout = PFTM_UNLINKED;
1712 pf_src_tree_remove_state(cur);
1713 pf_detach_state(cur, 0);
1714 }
1715
1716 /* callers should be at splpf and hold the
1717 * write_lock on pf_consistency_lock */
1718 void
1719 pf_free_state(struct pf_state *cur)
1720 {
1721 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1722 #if NPFSYNC
1723 if (pfsyncif != NULL &&
1724 (pfsyncif->sc_bulk_send_next == cur ||
1725 pfsyncif->sc_bulk_terminator == cur)) {
1726 return;
1727 }
1728 #endif
1729 VERIFY(cur->timeout == PFTM_UNLINKED);
1730 VERIFY(cur->rule.ptr->states > 0);
1731 if (--cur->rule.ptr->states <= 0 &&
1732 cur->rule.ptr->src_nodes <= 0) {
1733 pf_rm_rule(NULL, cur->rule.ptr);
1734 }
1735 if (cur->nat_rule.ptr != NULL) {
1736 VERIFY(cur->nat_rule.ptr->states > 0);
1737 if (--cur->nat_rule.ptr->states <= 0 &&
1738 cur->nat_rule.ptr->src_nodes <= 0) {
1739 pf_rm_rule(NULL, cur->nat_rule.ptr);
1740 }
1741 }
1742 if (cur->anchor.ptr != NULL) {
1743 VERIFY(cur->anchor.ptr->states > 0);
1744 if (--cur->anchor.ptr->states <= 0) {
1745 pf_rm_rule(NULL, cur->anchor.ptr);
1746 }
1747 }
1748 pf_normalize_tcp_cleanup(cur);
1749 pfi_kif_unref(cur->kif, PFI_KIF_REF_STATE);
1750 TAILQ_REMOVE(&state_list, cur, entry_list);
1751 if (cur->tag) {
1752 pf_tag_unref(cur->tag);
1753 }
1754 pool_put(&pf_state_pl, cur);
1755 pf_status.fcounters[FCNT_STATE_REMOVALS]++;
1756 VERIFY(pf_status.states > 0);
1757 pf_status.states--;
1758 }
1759
1760 void
1761 pf_purge_expired_states(u_int32_t maxcheck)
1762 {
1763 static struct pf_state *cur = NULL;
1764 struct pf_state *next;
1765
1766 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1767
1768 while (maxcheck--) {
1769 /* wrap to start of list when we hit the end */
1770 if (cur == NULL) {
1771 cur = TAILQ_FIRST(&state_list);
1772 if (cur == NULL) {
1773 break; /* list empty */
1774 }
1775 }
1776
1777 /* get next state, as cur may get deleted */
1778 next = TAILQ_NEXT(cur, entry_list);
1779
1780 if (cur->timeout == PFTM_UNLINKED) {
1781 pf_free_state(cur);
1782 } else if (pf_state_expires(cur) <= pf_time_second()) {
1783 /* unlink and free expired state */
1784 pf_unlink_state(cur);
1785 pf_free_state(cur);
1786 }
1787 cur = next;
1788 }
1789 }
1790
1791 int
1792 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
1793 {
1794 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1795
1796 if (aw->type != PF_ADDR_TABLE) {
1797 return 0;
1798 }
1799 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL) {
1800 return 1;
1801 }
1802 return 0;
1803 }
1804
1805 void
1806 pf_tbladdr_remove(struct pf_addr_wrap *aw)
1807 {
1808 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1809
1810 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) {
1811 return;
1812 }
1813 pfr_detach_table(aw->p.tbl);
1814 aw->p.tbl = NULL;
1815 }
1816
1817 void
1818 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
1819 {
1820 struct pfr_ktable *kt = aw->p.tbl;
1821
1822 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1823
1824 if (aw->type != PF_ADDR_TABLE || kt == NULL) {
1825 return;
1826 }
1827 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) {
1828 kt = kt->pfrkt_root;
1829 }
1830 aw->p.tbl = NULL;
1831 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
1832 kt->pfrkt_cnt : -1;
1833 }
1834
1835 static void
1836 pf_print_addr(struct pf_addr *addr, sa_family_t af)
1837 {
1838 switch (af) {
1839 #if INET
1840 case AF_INET: {
1841 u_int32_t a = ntohl(addr->addr32[0]);
1842 printf("%u.%u.%u.%u", (a >> 24) & 255, (a >> 16) & 255,
1843 (a >> 8) & 255, a & 255);
1844 break;
1845 }
1846 #endif /* INET */
1847 #if INET6
1848 case AF_INET6: {
1849 u_int16_t b;
1850 u_int8_t i, curstart = 255, curend = 0,
1851 maxstart = 0, maxend = 0;
1852 for (i = 0; i < 8; i++) {
1853 if (!addr->addr16[i]) {
1854 if (curstart == 255) {
1855 curstart = i;
1856 } else {
1857 curend = i;
1858 }
1859 } else {
1860 if (curstart) {
1861 if ((curend - curstart) >
1862 (maxend - maxstart)) {
1863 maxstart = curstart;
1864 maxend = curend;
1865 curstart = 255;
1866 }
1867 }
1868 }
1869 }
1870 for (i = 0; i < 8; i++) {
1871 if (i >= maxstart && i <= maxend) {
1872 if (maxend != 7) {
1873 if (i == maxstart) {
1874 printf(":");
1875 }
1876 } else {
1877 if (i == maxend) {
1878 printf(":");
1879 }
1880 }
1881 } else {
1882 b = ntohs(addr->addr16[i]);
1883 printf("%x", b);
1884 if (i < 7) {
1885 printf(":");
1886 }
1887 }
1888 }
1889 break;
1890 }
1891 #endif /* INET6 */
1892 }
1893 }
1894
1895 static void
1896 pf_print_sk_host(struct pf_state_host *sh, sa_family_t af, int proto,
1897 u_int8_t proto_variant)
1898 {
1899 pf_print_addr(&sh->addr, af);
1900
1901 switch (proto) {
1902 case IPPROTO_ESP:
1903 if (sh->xport.spi) {
1904 printf("[%08x]", ntohl(sh->xport.spi));
1905 }
1906 break;
1907
1908 case IPPROTO_GRE:
1909 if (proto_variant == PF_GRE_PPTP_VARIANT) {
1910 printf("[%u]", ntohs(sh->xport.call_id));
1911 }
1912 break;
1913
1914 case IPPROTO_TCP:
1915 case IPPROTO_UDP:
1916 printf("[%u]", ntohs(sh->xport.port));
1917 break;
1918
1919 default:
1920 break;
1921 }
1922 }
1923
1924 static void
1925 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
1926 {
1927 pf_print_addr(addr, af);
1928 if (p) {
1929 printf("[%u]", ntohs(p));
1930 }
1931 }
1932
1933 void
1934 pf_print_state(struct pf_state *s)
1935 {
1936 struct pf_state_key *sk = s->state_key;
1937 switch (sk->proto) {
1938 case IPPROTO_ESP:
1939 printf("ESP ");
1940 break;
1941 case IPPROTO_GRE:
1942 printf("GRE%u ", sk->proto_variant);
1943 break;
1944 case IPPROTO_TCP:
1945 printf("TCP ");
1946 break;
1947 case IPPROTO_UDP:
1948 printf("UDP ");
1949 break;
1950 case IPPROTO_ICMP:
1951 printf("ICMP ");
1952 break;
1953 case IPPROTO_ICMPV6:
1954 printf("ICMPV6 ");
1955 break;
1956 default:
1957 printf("%u ", sk->proto);
1958 break;
1959 }
1960 pf_print_sk_host(&sk->lan, sk->af_lan, sk->proto, sk->proto_variant);
1961 printf(" ");
1962 pf_print_sk_host(&sk->gwy, sk->af_gwy, sk->proto, sk->proto_variant);
1963 printf(" ");
1964 pf_print_sk_host(&sk->ext_lan, sk->af_lan, sk->proto,
1965 sk->proto_variant);
1966 printf(" ");
1967 pf_print_sk_host(&sk->ext_gwy, sk->af_gwy, sk->proto,
1968 sk->proto_variant);
1969 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
1970 s->src.seqhi, s->src.max_win, s->src.seqdiff);
1971 if (s->src.wscale && s->dst.wscale) {
1972 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
1973 }
1974 printf("]");
1975 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
1976 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
1977 if (s->src.wscale && s->dst.wscale) {
1978 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
1979 }
1980 printf("]");
1981 printf(" %u:%u", s->src.state, s->dst.state);
1982 }
1983
1984 void
1985 pf_print_flags(u_int8_t f)
1986 {
1987 if (f) {
1988 printf(" ");
1989 }
1990 if (f & TH_FIN) {
1991 printf("F");
1992 }
1993 if (f & TH_SYN) {
1994 printf("S");
1995 }
1996 if (f & TH_RST) {
1997 printf("R");
1998 }
1999 if (f & TH_PUSH) {
2000 printf("P");
2001 }
2002 if (f & TH_ACK) {
2003 printf("A");
2004 }
2005 if (f & TH_URG) {
2006 printf("U");
2007 }
2008 if (f & TH_ECE) {
2009 printf("E");
2010 }
2011 if (f & TH_CWR) {
2012 printf("W");
2013 }
2014 }
2015
2016 #define PF_SET_SKIP_STEPS(i) \
2017 do { \
2018 while (head[i] != cur) { \
2019 head[i]->skip[i].ptr = cur; \
2020 head[i] = TAILQ_NEXT(head[i], entries); \
2021 } \
2022 } while (0)
2023
2024 void
2025 pf_calc_skip_steps(struct pf_rulequeue *rules)
2026 {
2027 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
2028 int i;
2029
2030 cur = TAILQ_FIRST(rules);
2031 prev = cur;
2032 for (i = 0; i < PF_SKIP_COUNT; ++i) {
2033 head[i] = cur;
2034 }
2035 while (cur != NULL) {
2036 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot) {
2037 PF_SET_SKIP_STEPS(PF_SKIP_IFP);
2038 }
2039 if (cur->direction != prev->direction) {
2040 PF_SET_SKIP_STEPS(PF_SKIP_DIR);
2041 }
2042 if (cur->af != prev->af) {
2043 PF_SET_SKIP_STEPS(PF_SKIP_AF);
2044 }
2045 if (cur->proto != prev->proto) {
2046 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
2047 }
2048 if (cur->src.neg != prev->src.neg ||
2049 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) {
2050 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
2051 }
2052 {
2053 union pf_rule_xport *cx = &cur->src.xport;
2054 union pf_rule_xport *px = &prev->src.xport;
2055
2056 switch (cur->proto) {
2057 case IPPROTO_GRE:
2058 case IPPROTO_ESP:
2059 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
2060 break;
2061 default:
2062 if (prev->proto == IPPROTO_GRE ||
2063 prev->proto == IPPROTO_ESP ||
2064 cx->range.op != px->range.op ||
2065 cx->range.port[0] != px->range.port[0] ||
2066 cx->range.port[1] != px->range.port[1]) {
2067 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
2068 }
2069 break;
2070 }
2071 }
2072 if (cur->dst.neg != prev->dst.neg ||
2073 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) {
2074 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
2075 }
2076 {
2077 union pf_rule_xport *cx = &cur->dst.xport;
2078 union pf_rule_xport *px = &prev->dst.xport;
2079
2080 switch (cur->proto) {
2081 case IPPROTO_GRE:
2082 if (cur->proto != prev->proto ||
2083 cx->call_id != px->call_id) {
2084 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
2085 }
2086 break;
2087 case IPPROTO_ESP:
2088 if (cur->proto != prev->proto ||
2089 cx->spi != px->spi) {
2090 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
2091 }
2092 break;
2093 default:
2094 if (prev->proto == IPPROTO_GRE ||
2095 prev->proto == IPPROTO_ESP ||
2096 cx->range.op != px->range.op ||
2097 cx->range.port[0] != px->range.port[0] ||
2098 cx->range.port[1] != px->range.port[1]) {
2099 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
2100 }
2101 break;
2102 }
2103 }
2104
2105 prev = cur;
2106 cur = TAILQ_NEXT(cur, entries);
2107 }
2108 for (i = 0; i < PF_SKIP_COUNT; ++i) {
2109 PF_SET_SKIP_STEPS(i);
2110 }
2111 }
2112
2113 u_int32_t
2114 pf_calc_state_key_flowhash(struct pf_state_key *sk)
2115 {
2116 struct pf_flowhash_key fh __attribute__((aligned(8)));
2117 uint32_t flowhash = 0;
2118
2119 bzero(&fh, sizeof(fh));
2120 if (PF_ALEQ(&sk->lan.addr, &sk->ext_lan.addr, sk->af_lan)) {
2121 bcopy(&sk->lan.addr, &fh.ap1.addr, sizeof(fh.ap1.addr));
2122 bcopy(&sk->ext_lan.addr, &fh.ap2.addr, sizeof(fh.ap2.addr));
2123 } else {
2124 bcopy(&sk->ext_lan.addr, &fh.ap1.addr, sizeof(fh.ap1.addr));
2125 bcopy(&sk->lan.addr, &fh.ap2.addr, sizeof(fh.ap2.addr));
2126 }
2127 if (sk->lan.xport.spi <= sk->ext_lan.xport.spi) {
2128 fh.ap1.xport.spi = sk->lan.xport.spi;
2129 fh.ap2.xport.spi = sk->ext_lan.xport.spi;
2130 } else {
2131 fh.ap1.xport.spi = sk->ext_lan.xport.spi;
2132 fh.ap2.xport.spi = sk->lan.xport.spi;
2133 }
2134 fh.af = sk->af_lan;
2135 fh.proto = sk->proto;
2136
2137 try_again:
2138 flowhash = net_flowhash(&fh, sizeof(fh), pf_hash_seed);
2139 if (flowhash == 0) {
2140 /* try to get a non-zero flowhash */
2141 pf_hash_seed = RandomULong();
2142 goto try_again;
2143 }
2144
2145 return flowhash;
2146 }
2147
2148 static int
2149 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
2150 {
2151 if (aw1->type != aw2->type) {
2152 return 1;
2153 }
2154 switch (aw1->type) {
2155 case PF_ADDR_ADDRMASK:
2156 case PF_ADDR_RANGE:
2157 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) {
2158 return 1;
2159 }
2160 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) {
2161 return 1;
2162 }
2163 return 0;
2164 case PF_ADDR_DYNIFTL:
2165 return aw1->p.dyn == NULL || aw2->p.dyn == NULL ||
2166 aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt;
2167 case PF_ADDR_NOROUTE:
2168 case PF_ADDR_URPFFAILED:
2169 return 0;
2170 case PF_ADDR_TABLE:
2171 return aw1->p.tbl != aw2->p.tbl;
2172 case PF_ADDR_RTLABEL:
2173 return aw1->v.rtlabel != aw2->v.rtlabel;
2174 default:
2175 printf("invalid address type: %d\n", aw1->type);
2176 return 1;
2177 }
2178 }
2179
2180 u_int16_t
2181 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
2182 {
2183 return nat464_cksum_fixup(cksum, old, new, udp);
2184 }
2185
2186 /*
2187 * change ip address & port
2188 * dir : packet direction
2189 * a : address to be changed
2190 * p : port to be changed
2191 * ic : ip header checksum
2192 * pc : protocol checksum
2193 * an : new ip address
2194 * pn : new port
2195 * u : should be 1 if UDP packet else 0
2196 * af : address family of the packet
2197 * afn : address family of the new address
2198 * ua : should be 1 if ip address needs to be updated in the packet else
2199 * only the checksum is recalculated & updated.
2200 */
2201 static void
2202 pf_change_ap(int dir, pbuf_t *pbuf, struct pf_addr *a, u_int16_t *p,
2203 u_int16_t *ic, u_int16_t *pc, struct pf_addr *an, u_int16_t pn,
2204 u_int8_t u, sa_family_t af, sa_family_t afn, int ua)
2205 {
2206 struct pf_addr ao;
2207 u_int16_t po = *p;
2208
2209 PF_ACPY(&ao, a, af);
2210 if (ua) {
2211 PF_ACPY(a, an, afn);
2212 }
2213
2214 *p = pn;
2215
2216 switch (af) {
2217 #if INET
2218 case AF_INET:
2219 switch (afn) {
2220 case AF_INET:
2221 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
2222 ao.addr16[0], an->addr16[0], 0),
2223 ao.addr16[1], an->addr16[1], 0);
2224 *p = pn;
2225 /*
2226 * If the packet is originated from an ALG on the NAT gateway
2227 * (source address is loopback or local), in which case the
2228 * TCP/UDP checksum field contains the pseudo header checksum
2229 * that's not yet complemented.
2230 * In that case we do not need to fixup the checksum for port
2231 * translation as the pseudo header checksum doesn't include ports.
2232 *
2233 * A packet generated locally will have UDP/TCP CSUM flag
2234 * set (gets set in protocol output).
2235 *
2236 * It should be noted that the fixup doesn't do anything if the
2237 * checksum is 0.
2238 */
2239 if (dir == PF_OUT && pbuf != NULL &&
2240 (*pbuf->pb_csum_flags & (CSUM_TCP | CSUM_UDP))) {
2241 /* Pseudo-header checksum does not include ports */
2242 *pc = ~pf_cksum_fixup(pf_cksum_fixup(~*pc,
2243 ao.addr16[0], an->addr16[0], u),
2244 ao.addr16[1], an->addr16[1], u);
2245 } else {
2246 *pc =
2247 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2248 *pc, ao.addr16[0], an->addr16[0], u),
2249 ao.addr16[1], an->addr16[1], u),
2250 po, pn, u);
2251 }
2252 break;
2253 #ifdef INET6
2254 case AF_INET6:
2255 *p = pn;
2256 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2257 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2258
2259 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
2260 ao.addr16[0], an->addr16[0], u),
2261 ao.addr16[1], an->addr16[1], u),
2262 0, an->addr16[2], u),
2263 0, an->addr16[3], u),
2264 0, an->addr16[4], u),
2265 0, an->addr16[5], u),
2266 0, an->addr16[6], u),
2267 0, an->addr16[7], u),
2268 po, pn, u);
2269 break;
2270 #endif /* INET6 */
2271 }
2272 break;
2273 #endif /* INET */
2274 #if INET6
2275 case AF_INET6:
2276 switch (afn) {
2277 case AF_INET6:
2278 /*
2279 * If the packet is originated from an ALG on the NAT gateway
2280 * (source address is loopback or local), in which case the
2281 * TCP/UDP checksum field contains the pseudo header checksum
2282 * that's not yet complemented.
2283 * A packet generated locally
2284 * will have UDP/TCP CSUM flag set (gets set in protocol
2285 * output).
2286 */
2287 if (dir == PF_OUT && pbuf != NULL &&
2288 (*pbuf->pb_csum_flags & (CSUM_TCPIPV6 |
2289 CSUM_UDPIPV6))) {
2290 /* Pseudo-header checksum does not include ports */
2291 *pc =
2292 ~pf_cksum_fixup(pf_cksum_fixup(
2293 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2294 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2295 ~*pc,
2296 ao.addr16[0], an->addr16[0], u),
2297 ao.addr16[1], an->addr16[1], u),
2298 ao.addr16[2], an->addr16[2], u),
2299 ao.addr16[3], an->addr16[3], u),
2300 ao.addr16[4], an->addr16[4], u),
2301 ao.addr16[5], an->addr16[5], u),
2302 ao.addr16[6], an->addr16[6], u),
2303 ao.addr16[7], an->addr16[7], u);
2304 } else {
2305 *pc =
2306 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2307 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2308 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2309 *pc,
2310 ao.addr16[0], an->addr16[0], u),
2311 ao.addr16[1], an->addr16[1], u),
2312 ao.addr16[2], an->addr16[2], u),
2313 ao.addr16[3], an->addr16[3], u),
2314 ao.addr16[4], an->addr16[4], u),
2315 ao.addr16[5], an->addr16[5], u),
2316 ao.addr16[6], an->addr16[6], u),
2317 ao.addr16[7], an->addr16[7], u),
2318 po, pn, u);
2319 }
2320 break;
2321 #ifdef INET
2322 case AF_INET:
2323 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2324 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2325 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
2326 ao.addr16[0], an->addr16[0], u),
2327 ao.addr16[1], an->addr16[1], u),
2328 ao.addr16[2], 0, u),
2329 ao.addr16[3], 0, u),
2330 ao.addr16[4], 0, u),
2331 ao.addr16[5], 0, u),
2332 ao.addr16[6], 0, u),
2333 ao.addr16[7], 0, u),
2334 po, pn, u);
2335 break;
2336 #endif /* INET */
2337 }
2338 break;
2339 #endif /* INET6 */
2340 }
2341 }
2342
2343
2344 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */
2345 void
2346 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
2347 {
2348 u_int32_t ao;
2349
2350 memcpy(&ao, a, sizeof(ao));
2351 memcpy(a, &an, sizeof(u_int32_t));
2352 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
2353 ao % 65536, an % 65536, u);
2354 }
2355
2356 #if INET6
2357 static void
2358 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
2359 {
2360 struct pf_addr ao;
2361
2362 PF_ACPY(&ao, a, AF_INET6);
2363 PF_ACPY(a, an, AF_INET6);
2364
2365 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2366 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2367 pf_cksum_fixup(pf_cksum_fixup(*c,
2368 ao.addr16[0], an->addr16[0], u),
2369 ao.addr16[1], an->addr16[1], u),
2370 ao.addr16[2], an->addr16[2], u),
2371 ao.addr16[3], an->addr16[3], u),
2372 ao.addr16[4], an->addr16[4], u),
2373 ao.addr16[5], an->addr16[5], u),
2374 ao.addr16[6], an->addr16[6], u),
2375 ao.addr16[7], an->addr16[7], u);
2376 }
2377
2378 void
2379 pf_change_addr(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u,
2380 sa_family_t af, sa_family_t afn)
2381 {
2382 struct pf_addr ao;
2383
2384 PF_ACPY(&ao, a, af);
2385 PF_ACPY(a, an, afn);
2386
2387 switch (af) {
2388 case AF_INET:
2389 switch (afn) {
2390 case AF_INET:
2391 pf_change_a(a, c, an->v4addr.s_addr, u);
2392 break;
2393 case AF_INET6:
2394 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2395 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2396 pf_cksum_fixup(pf_cksum_fixup(*c,
2397 ao.addr16[0], an->addr16[0], u),
2398 ao.addr16[1], an->addr16[1], u),
2399 0, an->addr16[2], u),
2400 0, an->addr16[3], u),
2401 0, an->addr16[4], u),
2402 0, an->addr16[5], u),
2403 0, an->addr16[6], u),
2404 0, an->addr16[7], u);
2405 break;
2406 }
2407 break;
2408 case AF_INET6:
2409 switch (afn) {
2410 case AF_INET:
2411 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2412 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2413 pf_cksum_fixup(pf_cksum_fixup(*c,
2414 ao.addr16[0], an->addr16[0], u),
2415 ao.addr16[1], an->addr16[1], u),
2416 ao.addr16[2], 0, u),
2417 ao.addr16[3], 0, u),
2418 ao.addr16[4], 0, u),
2419 ao.addr16[5], 0, u),
2420 ao.addr16[6], 0, u),
2421 ao.addr16[7], 0, u);
2422 break;
2423 case AF_INET6:
2424 pf_change_a6(a, c, an, u);
2425 break;
2426 }
2427 break;
2428 }
2429 }
2430
2431 #endif /* INET6 */
2432
2433 static void
2434 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
2435 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
2436 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
2437 {
2438 struct pf_addr oia, ooa;
2439
2440 PF_ACPY(&oia, ia, af);
2441 PF_ACPY(&ooa, oa, af);
2442
2443 /* Change inner protocol port, fix inner protocol checksum. */
2444 if (ip != NULL) {
2445 u_int16_t oip = *ip;
2446 u_int32_t opc = 0;
2447
2448 if (pc != NULL) {
2449 opc = *pc;
2450 }
2451 *ip = np;
2452 if (pc != NULL) {
2453 *pc = pf_cksum_fixup(*pc, oip, *ip, u);
2454 }
2455 *ic = pf_cksum_fixup(*ic, oip, *ip, 0);
2456 if (pc != NULL) {
2457 *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
2458 }
2459 }
2460 /* Change inner ip address, fix inner ip and icmp checksums. */
2461 PF_ACPY(ia, na, af);
2462 switch (af) {
2463 #if INET
2464 case AF_INET: {
2465 u_int32_t oh2c = *h2c;
2466
2467 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
2468 oia.addr16[0], ia->addr16[0], 0),
2469 oia.addr16[1], ia->addr16[1], 0);
2470 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
2471 oia.addr16[0], ia->addr16[0], 0),
2472 oia.addr16[1], ia->addr16[1], 0);
2473 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
2474 break;
2475 }
2476 #endif /* INET */
2477 #if INET6
2478 case AF_INET6:
2479 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2480 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2481 pf_cksum_fixup(pf_cksum_fixup(*ic,
2482 oia.addr16[0], ia->addr16[0], u),
2483 oia.addr16[1], ia->addr16[1], u),
2484 oia.addr16[2], ia->addr16[2], u),
2485 oia.addr16[3], ia->addr16[3], u),
2486 oia.addr16[4], ia->addr16[4], u),
2487 oia.addr16[5], ia->addr16[5], u),
2488 oia.addr16[6], ia->addr16[6], u),
2489 oia.addr16[7], ia->addr16[7], u);
2490 break;
2491 #endif /* INET6 */
2492 }
2493 /* Change outer ip address, fix outer ip or icmpv6 checksum. */
2494 PF_ACPY(oa, na, af);
2495 switch (af) {
2496 #if INET
2497 case AF_INET:
2498 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
2499 ooa.addr16[0], oa->addr16[0], 0),
2500 ooa.addr16[1], oa->addr16[1], 0);
2501 break;
2502 #endif /* INET */
2503 #if INET6
2504 case AF_INET6:
2505 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2506 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2507 pf_cksum_fixup(pf_cksum_fixup(*ic,
2508 ooa.addr16[0], oa->addr16[0], u),
2509 ooa.addr16[1], oa->addr16[1], u),
2510 ooa.addr16[2], oa->addr16[2], u),
2511 ooa.addr16[3], oa->addr16[3], u),
2512 ooa.addr16[4], oa->addr16[4], u),
2513 ooa.addr16[5], oa->addr16[5], u),
2514 ooa.addr16[6], oa->addr16[6], u),
2515 ooa.addr16[7], oa->addr16[7], u);
2516 break;
2517 #endif /* INET6 */
2518 }
2519 }
2520
2521
2522 /*
2523 * Need to modulate the sequence numbers in the TCP SACK option
2524 * (credits to Krzysztof Pfaff for report and patch)
2525 */
2526 static int
2527 pf_modulate_sack(pbuf_t *pbuf, int off, struct pf_pdesc *pd,
2528 struct tcphdr *th, struct pf_state_peer *dst)
2529 {
2530 int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
2531 u_int8_t opts[MAX_TCPOPTLEN], *opt = opts;
2532 int copyback = 0, i, olen;
2533 struct sackblk sack;
2534
2535 #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
2536 if (hlen < TCPOLEN_SACKLEN ||
2537 !pf_pull_hdr(pbuf, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) {
2538 return 0;
2539 }
2540
2541 while (hlen >= TCPOLEN_SACKLEN) {
2542 olen = opt[1];
2543 switch (*opt) {
2544 case TCPOPT_EOL: /* FALLTHROUGH */
2545 case TCPOPT_NOP:
2546 opt++;
2547 hlen--;
2548 break;
2549 case TCPOPT_SACK:
2550 if (olen > hlen) {
2551 olen = hlen;
2552 }
2553 if (olen >= TCPOLEN_SACKLEN) {
2554 for (i = 2; i + TCPOLEN_SACK <= olen;
2555 i += TCPOLEN_SACK) {
2556 memcpy(&sack, &opt[i], sizeof(sack));
2557 pf_change_a(&sack.start, &th->th_sum,
2558 htonl(ntohl(sack.start) -
2559 dst->seqdiff), 0);
2560 pf_change_a(&sack.end, &th->th_sum,
2561 htonl(ntohl(sack.end) -
2562 dst->seqdiff), 0);
2563 memcpy(&opt[i], &sack, sizeof(sack));
2564 }
2565 copyback = off + sizeof(*th) + thoptlen;
2566 }
2567 /* FALLTHROUGH */
2568 default:
2569 if (olen < 2) {
2570 olen = 2;
2571 }
2572 hlen -= olen;
2573 opt += olen;
2574 }
2575 }
2576
2577 if (copyback) {
2578 if (pf_lazy_makewritable(pd, pbuf, copyback) == NULL) {
2579 return -1;
2580 }
2581 pbuf_copy_back(pbuf, off + sizeof(*th), thoptlen, opts);
2582 }
2583 return copyback;
2584 }
2585
2586 /*
2587 * XXX
2588 *
2589 * The following functions (pf_send_tcp and pf_send_icmp) are somewhat
2590 * special in that they originate "spurious" packets rather than
2591 * filter/NAT existing packets. As such, they're not a great fit for
2592 * the 'pbuf' shim, which assumes the underlying packet buffers are
2593 * allocated elsewhere.
2594 *
2595 * Since these functions are rarely used, we'll carry on allocating mbufs
2596 * and passing them to the IP stack for eventual routing.
2597 */
2598 static void
2599 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
2600 const struct pf_addr *saddr, const struct pf_addr *daddr,
2601 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
2602 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
2603 u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp)
2604 {
2605 #pragma unused(eh, ifp)
2606 struct mbuf *m;
2607 int len, tlen;
2608 #if INET
2609 struct ip *h = NULL;
2610 #endif /* INET */
2611 #if INET6
2612 struct ip6_hdr *h6 = NULL;
2613 #endif /* INET6 */
2614 struct tcphdr *th = NULL;
2615 char *opt;
2616 struct pf_mtag *pf_mtag;
2617
2618 /* maximum segment size tcp option */
2619 tlen = sizeof(struct tcphdr);
2620 if (mss) {
2621 tlen += 4;
2622 }
2623
2624 switch (af) {
2625 #if INET
2626 case AF_INET:
2627 len = sizeof(struct ip) + tlen;
2628 break;
2629 #endif /* INET */
2630 #if INET6
2631 case AF_INET6:
2632 len = sizeof(struct ip6_hdr) + tlen;
2633 break;
2634 #endif /* INET6 */
2635 default:
2636 panic("pf_send_tcp: not AF_INET or AF_INET6!");
2637 return;
2638 }
2639
2640 /* create outgoing mbuf */
2641 m = m_gethdr(M_DONTWAIT, MT_HEADER);
2642 if (m == NULL) {
2643 return;
2644 }
2645
2646 if ((pf_mtag = pf_get_mtag(m)) == NULL) {
2647 return;
2648 }
2649
2650 if (tag) {
2651 pf_mtag->pftag_flags |= PF_TAG_GENERATED;
2652 }
2653 pf_mtag->pftag_tag = rtag;
2654
2655 if (r != NULL && PF_RTABLEID_IS_VALID(r->rtableid)) {
2656 pf_mtag->pftag_rtableid = r->rtableid;
2657 }
2658
2659 #if PF_ECN
2660 /* add hints for ecn */
2661 pf_mtag->pftag_hdr = mtod(m, struct ip *);
2662 /* record address family */
2663 pf_mtag->pftag_flags &= ~(PF_TAG_HDR_INET | PF_TAG_HDR_INET6);
2664 switch (af) {
2665 #if INET
2666 case AF_INET:
2667 pf_mtag->pftag_flags |= PF_TAG_HDR_INET;
2668 break;
2669 #endif /* INET */
2670 #if INET6
2671 case AF_INET6:
2672 pf_mtag->pftag_flags |= PF_TAG_HDR_INET6;
2673 break;
2674 #endif /* INET6 */
2675 }
2676 #endif /* PF_ECN */
2677
2678 /* indicate this is TCP */
2679 m->m_pkthdr.pkt_proto = IPPROTO_TCP;
2680
2681 /* Make sure headers are 32-bit aligned */
2682 m->m_data += max_linkhdr;
2683 m->m_pkthdr.len = m->m_len = len;
2684 m->m_pkthdr.rcvif = NULL;
2685 bzero(m->m_data, len);
2686 switch (af) {
2687 #if INET
2688 case AF_INET:
2689 h = mtod(m, struct ip *);
2690
2691 /* IP header fields included in the TCP checksum */
2692 h->ip_p = IPPROTO_TCP;
2693 h->ip_len = htons(tlen);
2694 h->ip_src.s_addr = saddr->v4addr.s_addr;
2695 h->ip_dst.s_addr = daddr->v4addr.s_addr;
2696
2697 th = (struct tcphdr *)(void *)((caddr_t)h + sizeof(struct ip));
2698 break;
2699 #endif /* INET */
2700 #if INET6
2701 case AF_INET6:
2702 h6 = mtod(m, struct ip6_hdr *);
2703
2704 /* IP header fields included in the TCP checksum */
2705 h6->ip6_nxt = IPPROTO_TCP;
2706 h6->ip6_plen = htons(tlen);
2707 memcpy(&h6->ip6_src, &saddr->v6addr, sizeof(struct in6_addr));
2708 memcpy(&h6->ip6_dst, &daddr->v6addr, sizeof(struct in6_addr));
2709
2710 th = (struct tcphdr *)(void *)
2711 ((caddr_t)h6 + sizeof(struct ip6_hdr));
2712 break;
2713 #endif /* INET6 */
2714 }
2715
2716 /* TCP header */
2717 th->th_sport = sport;
2718 th->th_dport = dport;
2719 th->th_seq = htonl(seq);
2720 th->th_ack = htonl(ack);
2721 th->th_off = tlen >> 2;
2722 th->th_flags = flags;
2723 th->th_win = htons(win);
2724
2725 if (mss) {
2726 opt = (char *)(th + 1);
2727 opt[0] = TCPOPT_MAXSEG;
2728 opt[1] = 4;
2729 #if BYTE_ORDER != BIG_ENDIAN
2730 HTONS(mss);
2731 #endif
2732 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
2733 }
2734
2735 switch (af) {
2736 #if INET
2737 case AF_INET: {
2738 struct route ro;
2739
2740 /* TCP checksum */
2741 th->th_sum = in_cksum(m, len);
2742
2743 /* Finish the IP header */
2744 h->ip_v = 4;
2745 h->ip_hl = sizeof(*h) >> 2;
2746 h->ip_tos = IPTOS_LOWDELAY;
2747 /*
2748 * ip_output() expects ip_len and ip_off to be in host order.
2749 */
2750 h->ip_len = len;
2751 h->ip_off = (path_mtu_discovery ? IP_DF : 0);
2752 h->ip_ttl = ttl ? ttl : ip_defttl;
2753 h->ip_sum = 0;
2754
2755 bzero(&ro, sizeof(ro));
2756 ip_output(m, NULL, &ro, 0, NULL, NULL);
2757 ROUTE_RELEASE(&ro);
2758 break;
2759 }
2760 #endif /* INET */
2761 #if INET6
2762 case AF_INET6: {
2763 struct route_in6 ro6;
2764
2765 /* TCP checksum */
2766 th->th_sum = in6_cksum(m, IPPROTO_TCP,
2767 sizeof(struct ip6_hdr), tlen);
2768
2769 h6->ip6_vfc |= IPV6_VERSION;
2770 h6->ip6_hlim = IPV6_DEFHLIM;
2771
2772 bzero(&ro6, sizeof(ro6));
2773 ip6_output(m, NULL, &ro6, 0, NULL, NULL, NULL);
2774 ROUTE_RELEASE(&ro6);
2775 break;
2776 }
2777 #endif /* INET6 */
2778 }
2779 }
2780
2781 static void
2782 pf_send_icmp(pbuf_t *pbuf, u_int8_t type, u_int8_t code, sa_family_t af,
2783 struct pf_rule *r)
2784 {
2785 struct mbuf *m0;
2786 struct pf_mtag *pf_mtag;
2787
2788 m0 = pbuf_clone_to_mbuf(pbuf);
2789 if (m0 == NULL) {
2790 return;
2791 }
2792
2793 if ((pf_mtag = pf_get_mtag(m0)) == NULL) {
2794 return;
2795 }
2796
2797 pf_mtag->pftag_flags |= PF_TAG_GENERATED;
2798
2799 if (PF_RTABLEID_IS_VALID(r->rtableid)) {
2800 pf_mtag->pftag_rtableid = r->rtableid;
2801 }
2802
2803 #if PF_ECN
2804 /* add hints for ecn */
2805 pf_mtag->pftag_hdr = mtod(m0, struct ip *);
2806 /* record address family */
2807 pf_mtag->pftag_flags &= ~(PF_TAG_HDR_INET | PF_TAG_HDR_INET6);
2808 switch (af) {
2809 #if INET
2810 case AF_INET:
2811 pf_mtag->pftag_flags |= PF_TAG_HDR_INET;
2812 m0->m_pkthdr.pkt_proto = IPPROTO_ICMP;
2813 break;
2814 #endif /* INET */
2815 #if INET6
2816 case AF_INET6:
2817 pf_mtag->pftag_flags |= PF_TAG_HDR_INET6;
2818 m0->m_pkthdr.pkt_proto = IPPROTO_ICMPV6;
2819 break;
2820 #endif /* INET6 */
2821 }
2822 #endif /* PF_ECN */
2823
2824 switch (af) {
2825 #if INET
2826 case AF_INET:
2827 icmp_error(m0, type, code, 0, 0);
2828 break;
2829 #endif /* INET */
2830 #if INET6
2831 case AF_INET6:
2832 icmp6_error(m0, type, code, 0);
2833 break;
2834 #endif /* INET6 */
2835 }
2836 }
2837
2838 /*
2839 * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
2840 * If n is 0, they match if they are equal. If n is != 0, they match if they
2841 * are different.
2842 */
2843 int
2844 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
2845 struct pf_addr *b, sa_family_t af)
2846 {
2847 int match = 0;
2848
2849 switch (af) {
2850 #if INET
2851 case AF_INET:
2852 if ((a->addr32[0] & m->addr32[0]) ==
2853 (b->addr32[0] & m->addr32[0])) {
2854 match++;
2855 }
2856 break;
2857 #endif /* INET */
2858 #if INET6
2859 case AF_INET6:
2860 if (((a->addr32[0] & m->addr32[0]) ==
2861 (b->addr32[0] & m->addr32[0])) &&
2862 ((a->addr32[1] & m->addr32[1]) ==
2863 (b->addr32[1] & m->addr32[1])) &&
2864 ((a->addr32[2] & m->addr32[2]) ==
2865 (b->addr32[2] & m->addr32[2])) &&
2866 ((a->addr32[3] & m->addr32[3]) ==
2867 (b->addr32[3] & m->addr32[3]))) {
2868 match++;
2869 }
2870 break;
2871 #endif /* INET6 */
2872 }
2873 if (match) {
2874 if (n) {
2875 return 0;
2876 } else {
2877 return 1;
2878 }
2879 } else {
2880 if (n) {
2881 return 1;
2882 } else {
2883 return 0;
2884 }
2885 }
2886 }
2887
2888 /*
2889 * Return 1 if b <= a <= e, otherwise return 0.
2890 */
2891 int
2892 pf_match_addr_range(struct pf_addr *b, struct pf_addr *e,
2893 struct pf_addr *a, sa_family_t af)
2894 {
2895 switch (af) {
2896 #if INET
2897 case AF_INET:
2898 if ((a->addr32[0] < b->addr32[0]) ||
2899 (a->addr32[0] > e->addr32[0])) {
2900 return 0;
2901 }
2902 break;
2903 #endif /* INET */
2904 #if INET6
2905 case AF_INET6: {
2906 int i;
2907
2908 /* check a >= b */
2909 for (i = 0; i < 4; ++i) {
2910 if (a->addr32[i] > b->addr32[i]) {
2911 break;
2912 } else if (a->addr32[i] < b->addr32[i]) {
2913 return 0;
2914 }
2915 }
2916 /* check a <= e */
2917 for (i = 0; i < 4; ++i) {
2918 if (a->addr32[i] < e->addr32[i]) {
2919 break;
2920 } else if (a->addr32[i] > e->addr32[i]) {
2921 return 0;
2922 }
2923 }
2924 break;
2925 }
2926 #endif /* INET6 */
2927 }
2928 return 1;
2929 }
2930
2931 int
2932 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
2933 {
2934 switch (op) {
2935 case PF_OP_IRG:
2936 return (p > a1) && (p < a2);
2937 case PF_OP_XRG:
2938 return (p < a1) || (p > a2);
2939 case PF_OP_RRG:
2940 return (p >= a1) && (p <= a2);
2941 case PF_OP_EQ:
2942 return p == a1;
2943 case PF_OP_NE:
2944 return p != a1;
2945 case PF_OP_LT:
2946 return p < a1;
2947 case PF_OP_LE:
2948 return p <= a1;
2949 case PF_OP_GT:
2950 return p > a1;
2951 case PF_OP_GE:
2952 return p >= a1;
2953 }
2954 return 0; /* never reached */
2955 }
2956
2957 int
2958 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
2959 {
2960 #if BYTE_ORDER != BIG_ENDIAN
2961 NTOHS(a1);
2962 NTOHS(a2);
2963 NTOHS(p);
2964 #endif
2965 return pf_match(op, a1, a2, p);
2966 }
2967
2968 int
2969 pf_match_xport(u_int8_t proto, u_int8_t proto_variant, union pf_rule_xport *rx,
2970 union pf_state_xport *sx)
2971 {
2972 int d = !0;
2973
2974 if (sx) {
2975 switch (proto) {
2976 case IPPROTO_GRE:
2977 if (proto_variant == PF_GRE_PPTP_VARIANT) {
2978 d = (rx->call_id == sx->call_id);
2979 }
2980 break;
2981
2982 case IPPROTO_ESP:
2983 d = (rx->spi == sx->spi);
2984 break;
2985
2986 case IPPROTO_TCP:
2987 case IPPROTO_UDP:
2988 case IPPROTO_ICMP:
2989 case IPPROTO_ICMPV6:
2990 if (rx->range.op) {
2991 d = pf_match_port(rx->range.op,
2992 rx->range.port[0], rx->range.port[1],
2993 sx->port);
2994 }
2995 break;
2996
2997 default:
2998 break;
2999 }
3000 }
3001
3002 return d;
3003 }
3004
3005 int
3006 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
3007 {
3008 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) {
3009 return 0;
3010 }
3011 return pf_match(op, a1, a2, u);
3012 }
3013
3014 int
3015 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
3016 {
3017 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) {
3018 return 0;
3019 }
3020 return pf_match(op, a1, a2, g);
3021 }
3022
3023 static int
3024 pf_match_tag(struct pf_rule *r, struct pf_mtag *pf_mtag,
3025 int *tag)
3026 {
3027 if (*tag == -1) {
3028 *tag = pf_mtag->pftag_tag;
3029 }
3030
3031 return (!r->match_tag_not && r->match_tag == *tag) ||
3032 (r->match_tag_not && r->match_tag != *tag);
3033 }
3034
3035 int
3036 pf_tag_packet(pbuf_t *pbuf, struct pf_mtag *pf_mtag, int tag,
3037 unsigned int rtableid, struct pf_pdesc *pd)
3038 {
3039 if (tag <= 0 && !PF_RTABLEID_IS_VALID(rtableid) &&
3040 (pd == NULL || !(pd->pktflags & PKTF_FLOW_ID))) {
3041 return 0;
3042 }
3043
3044 if (pf_mtag == NULL && (pf_mtag = pf_get_mtag_pbuf(pbuf)) == NULL) {
3045 return 1;
3046 }
3047
3048 if (tag > 0) {
3049 pf_mtag->pftag_tag = tag;
3050 }
3051 if (PF_RTABLEID_IS_VALID(rtableid)) {
3052 pf_mtag->pftag_rtableid = rtableid;
3053 }
3054 if (pd != NULL && (pd->pktflags & PKTF_FLOW_ID)) {
3055 *pbuf->pb_flowsrc = pd->flowsrc;
3056 *pbuf->pb_flowid = pd->flowhash;
3057 *pbuf->pb_flags |= pd->pktflags;
3058 *pbuf->pb_proto = pd->proto;
3059 }
3060
3061 return 0;
3062 }
3063
3064 void
3065 pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n,
3066 struct pf_rule **r, struct pf_rule **a, int *match)
3067 {
3068 struct pf_anchor_stackframe *f;
3069
3070 (*r)->anchor->match = 0;
3071 if (match) {
3072 *match = 0;
3073 }
3074 if (*depth >= (int)sizeof(pf_anchor_stack) /
3075 (int)sizeof(pf_anchor_stack[0])) {
3076 printf("pf_step_into_anchor: stack overflow\n");
3077 *r = TAILQ_NEXT(*r, entries);
3078 return;
3079 } else if (*depth == 0 && a != NULL) {
3080 *a = *r;
3081 }
3082 f = pf_anchor_stack + (*depth)++;
3083 f->rs = *rs;
3084 f->r = *r;
3085 if ((*r)->anchor_wildcard) {
3086 f->parent = &(*r)->anchor->children;
3087 if ((f->child = RB_MIN(pf_anchor_node, f->parent)) ==
3088 NULL) {
3089 *r = NULL;
3090 return;
3091 }
3092 *rs = &f->child->ruleset;
3093 } else {
3094 f->parent = NULL;
3095 f->child = NULL;
3096 *rs = &(*r)->anchor->ruleset;
3097 }
3098 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
3099 }
3100
3101 int
3102 pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n,
3103 struct pf_rule **r, struct pf_rule **a, int *match)
3104 {
3105 struct pf_anchor_stackframe *f;
3106 int quick = 0;
3107
3108 do {
3109 if (*depth <= 0) {
3110 break;
3111 }
3112 f = pf_anchor_stack + *depth - 1;
3113 if (f->parent != NULL && f->child != NULL) {
3114 if (f->child->match ||
3115 (match != NULL && *match)) {
3116 f->r->anchor->match = 1;
3117 if (match) {
3118 *match = 0;
3119 }
3120 }
3121 f->child = RB_NEXT(pf_anchor_node, f->parent, f->child);
3122 if (f->child != NULL) {
3123 *rs = &f->child->ruleset;
3124 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
3125 if (*r == NULL) {
3126 continue;
3127 } else {
3128 break;
3129 }
3130 }
3131 }
3132 (*depth)--;
3133 if (*depth == 0 && a != NULL) {
3134 *a = NULL;
3135 }
3136 *rs = f->rs;
3137 if (f->r->anchor->match || (match != NULL && *match)) {
3138 quick = f->r->quick;
3139 }
3140 *r = TAILQ_NEXT(f->r, entries);
3141 } while (*r == NULL);
3142
3143 return quick;
3144 }
3145
3146 #if INET6
3147 void
3148 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
3149 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
3150 {
3151 switch (af) {
3152 #if INET
3153 case AF_INET:
3154 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
3155 ((rmask->addr32[0] ^ 0xffffffff) & saddr->addr32[0]);
3156 break;
3157 #endif /* INET */
3158 case AF_INET6:
3159 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
3160 ((rmask->addr32[0] ^ 0xffffffff) & saddr->addr32[0]);
3161 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
3162 ((rmask->addr32[1] ^ 0xffffffff) & saddr->addr32[1]);
3163 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
3164 ((rmask->addr32[2] ^ 0xffffffff) & saddr->addr32[2]);
3165 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
3166 ((rmask->addr32[3] ^ 0xffffffff) & saddr->addr32[3]);
3167 break;
3168 }
3169 }
3170
3171 void
3172 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
3173 {
3174 switch (af) {
3175 #if INET
3176 case AF_INET:
3177 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
3178 break;
3179 #endif /* INET */
3180 case AF_INET6:
3181 if (addr->addr32[3] == 0xffffffff) {
3182 addr->addr32[3] = 0;
3183 if (addr->addr32[2] == 0xffffffff) {
3184 addr->addr32[2] = 0;
3185 if (addr->addr32[1] == 0xffffffff) {
3186 addr->addr32[1] = 0;
3187 addr->addr32[0] =
3188 htonl(ntohl(addr->addr32[0]) + 1);
3189 } else {
3190 addr->addr32[1] =
3191 htonl(ntohl(addr->addr32[1]) + 1);
3192 }
3193 } else {
3194 addr->addr32[2] =
3195 htonl(ntohl(addr->addr32[2]) + 1);
3196 }
3197 } else {
3198 addr->addr32[3] =
3199 htonl(ntohl(addr->addr32[3]) + 1);
3200 }
3201 break;
3202 }
3203 }
3204 #endif /* INET6 */
3205
3206 #define mix(a, b, c) \
3207 do { \
3208 a -= b; a -= c; a ^= (c >> 13); \
3209 b -= c; b -= a; b ^= (a << 8); \
3210 c -= a; c -= b; c ^= (b >> 13); \
3211 a -= b; a -= c; a ^= (c >> 12); \
3212 b -= c; b -= a; b ^= (a << 16); \
3213 c -= a; c -= b; c ^= (b >> 5); \
3214 a -= b; a -= c; a ^= (c >> 3); \
3215 b -= c; b -= a; b ^= (a << 10); \
3216 c -= a; c -= b; c ^= (b >> 15); \
3217 } while (0)
3218
3219 /*
3220 * hash function based on bridge_hash in if_bridge.c
3221 */
3222 static void
3223 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
3224 struct pf_poolhashkey *key, sa_family_t af)
3225 {
3226 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
3227
3228 switch (af) {
3229 #if INET
3230 case AF_INET:
3231 a += inaddr->addr32[0];
3232 b += key->key32[1];
3233 mix(a, b, c);
3234 hash->addr32[0] = c + key->key32[2];
3235 break;
3236 #endif /* INET */
3237 #if INET6
3238 case AF_INET6:
3239 a += inaddr->addr32[0];
3240 b += inaddr->addr32[2];
3241 mix(a, b, c);
3242 hash->addr32[0] = c;
3243 a += inaddr->addr32[1];
3244 b += inaddr->addr32[3];
3245 c += key->key32[1];
3246 mix(a, b, c);
3247 hash->addr32[1] = c;
3248 a += inaddr->addr32[2];
3249 b += inaddr->addr32[1];
3250 c += key->key32[2];
3251 mix(a, b, c);
3252 hash->addr32[2] = c;
3253 a += inaddr->addr32[3];
3254 b += inaddr->addr32[0];
3255 c += key->key32[3];
3256 mix(a, b, c);
3257 hash->addr32[3] = c;
3258 break;
3259 #endif /* INET6 */
3260 }
3261 }
3262
3263 static int
3264 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
3265 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
3266 {
3267 unsigned char hash[16];
3268 struct pf_pool *rpool = &r->rpool;
3269 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr;
3270 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask;
3271 struct pf_pooladdr *acur = rpool->cur;
3272 struct pf_src_node k;
3273
3274 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
3275 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
3276 k.af = af;
3277 PF_ACPY(&k.addr, saddr, af);
3278 if (r->rule_flag & PFRULE_RULESRCTRACK ||
3279 r->rpool.opts & PF_POOL_STICKYADDR) {
3280 k.rule.ptr = r;
3281 } else {
3282 k.rule.ptr = NULL;
3283 }
3284 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
3285 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
3286 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, rpool->af)) {
3287 PF_ACPY(naddr, &(*sn)->raddr, rpool->af);
3288 if (pf_status.debug >= PF_DEBUG_MISC) {
3289 printf("pf_map_addr: src tracking maps ");
3290 pf_print_host(&k.addr, 0, af);
3291 printf(" to ");
3292 pf_print_host(naddr, 0, rpool->af);
3293 printf("\n");
3294 }
3295 return 0;
3296 }
3297 }
3298
3299 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) {
3300 return 1;
3301 }
3302 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
3303 if (rpool->cur->addr.p.dyn == NULL) {
3304 return 1;
3305 }
3306 switch (rpool->af) {
3307 #if INET
3308 case AF_INET:
3309 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
3310 (rpool->opts & PF_POOL_TYPEMASK) !=
3311 PF_POOL_ROUNDROBIN) {
3312 return 1;
3313 }
3314 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
3315 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
3316 break;
3317 #endif /* INET */
3318 #if INET6
3319 case AF_INET6:
3320 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
3321 (rpool->opts & PF_POOL_TYPEMASK) !=
3322 PF_POOL_ROUNDROBIN) {
3323 return 1;
3324 }
3325 raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
3326 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
3327 break;
3328 #endif /* INET6 */
3329 }
3330 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
3331 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) {
3332 return 1; /* unsupported */
3333 }
3334 } else {
3335 raddr = &rpool->cur->addr.v.a.addr;
3336 rmask = &rpool->cur->addr.v.a.mask;
3337 }
3338
3339 switch (rpool->opts & PF_POOL_TYPEMASK) {
3340 case PF_POOL_NONE:
3341 PF_ACPY(naddr, raddr, rpool->af);
3342 break;
3343 case PF_POOL_BITMASK:
3344 ASSERT(af == rpool->af);
3345 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
3346 break;
3347 case PF_POOL_RANDOM:
3348 if (init_addr != NULL && PF_AZERO(init_addr, rpool->af)) {
3349 switch (af) {
3350 #if INET
3351 case AF_INET:
3352 rpool->counter.addr32[0] = htonl(random());
3353 break;
3354 #endif /* INET */
3355 #if INET6
3356 case AF_INET6:
3357 if (rmask->addr32[3] != 0xffffffff) {
3358 rpool->counter.addr32[3] =
3359 RandomULong();
3360 } else {
3361 break;
3362 }
3363 if (rmask->addr32[2] != 0xffffffff) {
3364 rpool->counter.addr32[2] =
3365 RandomULong();
3366 } else {
3367 break;
3368 }
3369 if (rmask->addr32[1] != 0xffffffff) {
3370 rpool->counter.addr32[1] =
3371 RandomULong();
3372 } else {
3373 break;
3374 }
3375 if (rmask->addr32[0] != 0xffffffff) {
3376 rpool->counter.addr32[0] =
3377 RandomULong();
3378 }
3379 break;
3380 #endif /* INET6 */
3381 }
3382 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter,
3383 rpool->af);
3384 PF_ACPY(init_addr, naddr, rpool->af);
3385 } else {
3386 PF_AINC(&rpool->counter, rpool->af);
3387 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter,
3388 rpool->af);
3389 }
3390 break;
3391 case PF_POOL_SRCHASH:
3392 ASSERT(af == rpool->af);
3393 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
3394 pf_hash(saddr, (struct pf_addr *)(void *)&hash,
3395 &rpool->key, af);
3396 PF_POOLMASK(naddr, raddr, rmask,
3397 (struct pf_addr *)(void *)&hash, af);
3398 break;
3399 case PF_POOL_ROUNDROBIN:
3400 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
3401 if (!pfr_pool_get(rpool->cur->addr.p.tbl,
3402 &rpool->tblidx, &rpool->counter,
3403 &raddr, &rmask, rpool->af)) {
3404 goto get_addr;
3405 }
3406 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
3407 if (rpool->cur->addr.p.dyn != NULL &&
3408 !pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
3409 &rpool->tblidx, &rpool->counter,
3410 &raddr, &rmask, af)) {
3411 goto get_addr;
3412 }
3413 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter,
3414 rpool->af)) {
3415 goto get_addr;
3416 }
3417
3418 try_next:
3419 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) {
3420 rpool->cur = TAILQ_FIRST(&rpool->list);
3421 }
3422 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
3423 rpool->tblidx = -1;
3424 if (pfr_pool_get(rpool->cur->addr.p.tbl,
3425 &rpool->tblidx, &rpool->counter,
3426 &raddr, &rmask, rpool->af)) {
3427 /* table contains no address of type
3428 * 'rpool->af' */
3429 if (rpool->cur != acur) {
3430 goto try_next;
3431 }
3432 return 1;
3433 }
3434 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
3435 rpool->tblidx = -1;
3436 if (rpool->cur->addr.p.dyn == NULL) {
3437 return 1;
3438 }
3439 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
3440 &rpool->tblidx, &rpool->counter,
3441 &raddr, &rmask, rpool->af)) {
3442 /* table contains no address of type
3443 * 'rpool->af' */
3444 if (rpool->cur != acur) {
3445 goto try_next;
3446 }
3447 return 1;
3448 }
3449 } else {
3450 raddr = &rpool->cur->addr.v.a.addr;
3451 rmask = &rpool->cur->addr.v.a.mask;
3452 PF_ACPY(&rpool->counter, raddr, rpool->af);
3453 }
3454
3455 get_addr:
3456 PF_ACPY(naddr, &rpool->counter, rpool->af);
3457 if (init_addr != NULL && PF_AZERO(init_addr, rpool->af)) {
3458 PF_ACPY(init_addr, naddr, rpool->af);
3459 }
3460 PF_AINC(&rpool->counter, rpool->af);
3461 break;
3462 }
3463 if (*sn != NULL) {
3464 PF_ACPY(&(*sn)->raddr, naddr, rpool->af);
3465 }
3466
3467 if (pf_status.debug >= PF_DEBUG_MISC &&
3468 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
3469 printf("pf_map_addr: selected address ");
3470 pf_print_host(naddr, 0, rpool->af);
3471 printf("\n");
3472 }
3473
3474 return 0;
3475 }
3476
3477 static int
3478 pf_get_sport(struct pf_pdesc *pd, struct pfi_kif *kif, struct pf_rule *r,
3479 struct pf_addr *saddr, union pf_state_xport *sxport, struct pf_addr *daddr,
3480 union pf_state_xport *dxport, struct pf_addr *naddr,
3481 union pf_state_xport *nxport, struct pf_src_node **sn
3482 )
3483 {
3484 #pragma unused(kif)
3485 struct pf_state_key_cmp key;
3486 struct pf_addr init_addr;
3487 unsigned int cut;
3488 sa_family_t af = pd->af;
3489 u_int8_t proto = pd->proto;
3490 unsigned int low = r->rpool.proxy_port[0];
3491 unsigned int high = r->rpool.proxy_port[1];
3492
3493 bzero(&init_addr, sizeof(init_addr));
3494 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) {
3495 return 1;
3496 }
3497
3498 if (proto == IPPROTO_ICMP) {
3499 low = 1;
3500 high = 65535;
3501 }
3502
3503 if (!nxport) {
3504 return 0; /* No output necessary. */
3505 }
3506 /*--- Special mapping rules for UDP ---*/
3507 if (proto == IPPROTO_UDP) {
3508 /*--- Never float IKE source port ---*/
3509 if (ntohs(sxport->port) == PF_IKE_PORT) {
3510 nxport->port = sxport->port;
3511 return 0;
3512 }
3513
3514 /*--- Apply exterior mapping options ---*/
3515 if (r->extmap > PF_EXTMAP_APD) {
3516 struct pf_state *s;
3517
3518 TAILQ_FOREACH(s, &state_list, entry_list) {
3519 struct pf_state_key *sk = s->state_key;
3520 if (!sk) {
3521 continue;
3522 }
3523 if (s->nat_rule.ptr != r) {
3524 continue;
3525 }
3526 if (sk->proto != IPPROTO_UDP ||
3527 sk->af_lan != af) {
3528 continue;
3529 }
3530 if (sk->lan.xport.port != sxport->port) {
3531 continue;
3532 }
3533 if (PF_ANEQ(&sk->lan.addr, saddr, af)) {
3534 continue;
3535 }
3536 if (r->extmap < PF_EXTMAP_EI &&
3537 PF_ANEQ(&sk->ext_lan.addr, daddr, af)) {
3538 continue;
3539 }
3540
3541 nxport->port = sk->gwy.xport.port;
3542 return 0;
3543 }
3544 }
3545 } else if (proto == IPPROTO_TCP) {
3546 struct pf_state* s;
3547 /*
3548 * APPLE MODIFICATION: <rdar://problem/6546358>
3549 * Fix allows....NAT to use a single binding for TCP session
3550 * with same source IP and source port
3551 */
3552 TAILQ_FOREACH(s, &state_list, entry_list) {
3553 struct pf_state_key* sk = s->state_key;
3554 if (!sk) {
3555 continue;
3556 }
3557 if (s->nat_rule.ptr != r) {
3558 continue;
3559 }
3560 if (sk->proto != IPPROTO_TCP || sk->af_lan != af) {
3561 continue;
3562 }
3563 if (sk->lan.xport.port != sxport->port) {
3564 continue;
3565 }
3566 if (!(PF_AEQ(&sk->lan.addr, saddr, af))) {
3567 continue;
3568 }
3569 nxport->port = sk->gwy.xport.port;
3570 return 0;
3571 }
3572 }
3573 do {
3574 key.af_gwy = af;
3575 key.proto = proto;
3576 PF_ACPY(&key.ext_gwy.addr, daddr, key.af_gwy);
3577 PF_ACPY(&key.gwy.addr, naddr, key.af_gwy);
3578 switch (proto) {
3579 case IPPROTO_UDP:
3580 key.proto_variant = r->extfilter;
3581 break;
3582 default:
3583 key.proto_variant = 0;
3584 break;
3585 }
3586 if (dxport) {
3587 key.ext_gwy.xport = *dxport;
3588 } else {
3589 memset(&key.ext_gwy.xport, 0,
3590 sizeof(key.ext_gwy.xport));
3591 }
3592 /*
3593 * port search; start random, step;
3594 * similar 2 portloop in in_pcbbind
3595 */
3596 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
3597 proto == IPPROTO_ICMP)) {
3598 if (dxport) {
3599 key.gwy.xport = *dxport;
3600 } else {
3601 memset(&key.gwy.xport, 0,
3602 sizeof(key.gwy.xport));
3603 }
3604 if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
3605 return 0;
3606 }
3607 } else if (low == 0 && high == 0) {
3608 key.gwy.xport = *nxport;
3609 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3610 ) {
3611 return 0;
3612 }
3613 } else if (low == high) {
3614 key.gwy.xport.port = htons(low);
3615 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3616 ) {
3617 nxport->port = htons(low);
3618 return 0;
3619 }
3620 } else {
3621 unsigned int tmp;
3622 if (low > high) {
3623 tmp = low;
3624 low = high;
3625 high = tmp;
3626 }
3627 /* low < high */
3628 cut = htonl(random()) % (1 + high - low) + low;
3629 /* low <= cut <= high */
3630 for (tmp = cut; tmp <= high; ++(tmp)) {
3631 key.gwy.xport.port = htons(tmp);
3632 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3633 ) {
3634 nxport->port = htons(tmp);
3635 return 0;
3636 }
3637 }
3638 for (tmp = cut - 1; tmp >= low; --(tmp)) {
3639 key.gwy.xport.port = htons(tmp);
3640 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3641 ) {
3642 nxport->port = htons(tmp);
3643 return 0;
3644 }
3645 }
3646 }
3647
3648 switch (r->rpool.opts & PF_POOL_TYPEMASK) {
3649 case PF_POOL_RANDOM:
3650 case PF_POOL_ROUNDROBIN:
3651 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) {
3652 return 1;
3653 }
3654 break;
3655 case PF_POOL_NONE:
3656 case PF_POOL_SRCHASH:
3657 case PF_POOL_BITMASK:
3658 default:
3659 return 1;
3660 }
3661 } while (!PF_AEQ(&init_addr, naddr, af));
3662
3663 return 1; /* none available */
3664 }
3665
3666 static struct pf_rule *
3667 pf_match_translation(struct pf_pdesc *pd, pbuf_t *pbuf, int off,
3668 int direction, struct pfi_kif *kif, struct pf_addr *saddr,
3669 union pf_state_xport *sxport, struct pf_addr *daddr,
3670 union pf_state_xport *dxport, int rs_num)
3671 {
3672 struct pf_rule *r, *rm = NULL;
3673 struct pf_ruleset *ruleset = NULL;
3674 int tag = -1;
3675 unsigned int rtableid = IFSCOPE_NONE;
3676 int asd = 0;
3677
3678 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
3679 while (r && rm == NULL) {
3680 struct pf_rule_addr *src = NULL, *dst = NULL;
3681 struct pf_addr_wrap *xdst = NULL;
3682 struct pf_addr_wrap *xsrc = NULL;
3683 union pf_rule_xport rdrxport;
3684
3685 if (r->action == PF_BINAT && direction == PF_IN) {
3686 src = &r->dst;
3687 if (r->rpool.cur != NULL) {
3688 xdst = &r->rpool.cur->addr;
3689 }
3690 } else if (r->action == PF_RDR && direction == PF_OUT) {
3691 dst = &r->src;
3692 src = &r->dst;
3693 if (r->rpool.cur != NULL) {
3694 rdrxport.range.op = PF_OP_EQ;
3695 rdrxport.range.port[0] =
3696 htons(r->rpool.proxy_port[0]);
3697 xsrc = &r->rpool.cur->addr;
3698 }
3699 } else {
3700 src = &r->src;
3701 dst = &r->dst;
3702 }
3703
3704 r->evaluations++;
3705 if (pfi_kif_match(r->kif, kif) == r->ifnot) {
3706 r = r->skip[PF_SKIP_IFP].ptr;
3707 } else if (r->direction && r->direction != direction) {
3708 r = r->skip[PF_SKIP_DIR].ptr;
3709 } else if (r->af && r->af != pd->af) {
3710 r = r->skip[PF_SKIP_AF].ptr;
3711 } else if (r->proto && r->proto != pd->proto) {
3712 r = r->skip[PF_SKIP_PROTO].ptr;
3713 } else if (xsrc && PF_MISMATCHAW(xsrc, saddr, pd->af, 0, NULL)) {
3714 r = TAILQ_NEXT(r, entries);
3715 } else if (!xsrc && PF_MISMATCHAW(&src->addr, saddr, pd->af,
3716 src->neg, kif)) {
3717 r = TAILQ_NEXT(r, entries);
3718 } else if (xsrc && (!rdrxport.range.port[0] ||
3719 !pf_match_xport(r->proto, r->proto_variant, &rdrxport,
3720 sxport))) {
3721 r = TAILQ_NEXT(r, entries);
3722 } else if (!xsrc && !pf_match_xport(r->proto,
3723 r->proto_variant, &src->xport, sxport)) {
3724 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
3725 PF_SKIP_DST_PORT].ptr;
3726 } else if (dst != NULL &&
3727 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL)) {
3728 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3729 } else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
3730 0, NULL)) {
3731 r = TAILQ_NEXT(r, entries);
3732 } else if (dst && !pf_match_xport(r->proto, r->proto_variant,
3733 &dst->xport, dxport)) {
3734 r = r->skip[PF_SKIP_DST_PORT].ptr;
3735 } else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag)) {
3736 r = TAILQ_NEXT(r, entries);
3737 } else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
3738 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, pbuf,
3739 off, pd->hdr.tcp), r->os_fingerprint))) {
3740 r = TAILQ_NEXT(r, entries);
3741 } else {
3742 if (r->tag) {
3743 tag = r->tag;
3744 }
3745 if (PF_RTABLEID_IS_VALID(r->rtableid)) {
3746 rtableid = r->rtableid;
3747 }
3748 if (r->anchor == NULL) {
3749 rm = r;
3750 } else {
3751 pf_step_into_anchor(&asd, &ruleset, rs_num,
3752 &r, NULL, NULL);
3753 }
3754 }
3755 if (r == NULL) {
3756 pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r,
3757 NULL, NULL);
3758 }
3759 }
3760 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, rtableid, NULL)) {
3761 return NULL;
3762 }
3763 if (rm != NULL && (rm->action == PF_NONAT ||
3764 rm->action == PF_NORDR || rm->action == PF_NOBINAT ||
3765 rm->action == PF_NONAT64)) {
3766 return NULL;
3767 }
3768 return rm;
3769 }
3770
3771 /*
3772 * Get address translation information for NAT/BINAT/RDR
3773 * pd : pf packet descriptor
3774 * pbuf : pbuf holding the packet
3775 * off : offset to protocol header
3776 * direction : direction of packet
3777 * kif : pf interface info obtained from the packet's recv interface
3778 * sn : source node pointer (output)
3779 * saddr : packet source address
3780 * sxport : packet source port
3781 * daddr : packet destination address
3782 * dxport : packet destination port
3783 * nsxport : translated source port (output)
3784 *
3785 * Translated source & destination address are updated in pd->nsaddr &
3786 * pd->ndaddr
3787 */
3788 static struct pf_rule *
3789 pf_get_translation_aux(struct pf_pdesc *pd, pbuf_t *pbuf, int off,
3790 int direction, struct pfi_kif *kif, struct pf_src_node **sn,
3791 struct pf_addr *saddr, union pf_state_xport *sxport, struct pf_addr *daddr,
3792 union pf_state_xport *dxport, union pf_state_xport *nsxport
3793 )
3794 {
3795 struct pf_rule *r = NULL;
3796 pd->naf = pd->af;
3797
3798 if (direction == PF_OUT) {
3799 r = pf_match_translation(pd, pbuf, off, direction, kif, saddr,
3800 sxport, daddr, dxport, PF_RULESET_BINAT);
3801 if (r == NULL) {
3802 r = pf_match_translation(pd, pbuf, off, direction, kif,
3803 saddr, sxport, daddr, dxport, PF_RULESET_RDR);
3804 }
3805 if (r == NULL) {
3806 r = pf_match_translation(pd, pbuf, off, direction, kif,
3807 saddr, sxport, daddr, dxport, PF_RULESET_NAT);
3808 }
3809 } else {
3810 r = pf_match_translation(pd, pbuf, off, direction, kif, saddr,
3811 sxport, daddr, dxport, PF_RULESET_RDR);
3812 if (r == NULL) {
3813 r = pf_match_translation(pd, pbuf, off, direction, kif,
3814 saddr, sxport, daddr, dxport, PF_RULESET_BINAT);
3815 }
3816 }
3817
3818 if (r != NULL) {
3819 struct pf_addr *nsaddr = &pd->naddr;
3820 struct pf_addr *ndaddr = &pd->ndaddr;
3821
3822 *nsaddr = *saddr;
3823 *ndaddr = *daddr;
3824
3825 switch (r->action) {
3826 case PF_NONAT:
3827 case PF_NONAT64:
3828 case PF_NOBINAT:
3829 case PF_NORDR:
3830 return NULL;
3831 case PF_NAT:
3832 case PF_NAT64:
3833 /*
3834 * we do NAT64 on incoming path and we call ip_input
3835 * which asserts receive interface to be not NULL.
3836 * The below check is to prevent NAT64 action on any
3837 * packet generated by local entity using synthesized
3838 * IPv6 address.
3839 */
3840 if ((r->action == PF_NAT64) && (direction == PF_OUT)) {
3841 return NULL;
3842 }
3843
3844 if (pf_get_sport(pd, kif, r, saddr, sxport, daddr,
3845 dxport, nsaddr, nsxport, sn
3846 )) {
3847 DPFPRINTF(PF_DEBUG_MISC,
3848 ("pf: NAT proxy port allocation "
3849 "(%u-%u) failed\n",
3850 r->rpool.proxy_port[0],
3851 r->rpool.proxy_port[1]));
3852 return NULL;
3853 }
3854 /*
3855 * For NAT64 the destination IPv4 address is derived
3856 * from the last 32 bits of synthesized IPv6 address
3857 */
3858 if (r->action == PF_NAT64) {
3859 ndaddr->v4addr.s_addr = daddr->addr32[3];
3860 pd->naf = AF_INET;
3861 }
3862 break;
3863 case PF_BINAT:
3864 switch (direction) {
3865 case PF_OUT:
3866 if (r->rpool.cur->addr.type ==
3867 PF_ADDR_DYNIFTL) {
3868 if (r->rpool.cur->addr.p.dyn == NULL) {
3869 return NULL;
3870 }
3871 switch (pd->af) {
3872 #if INET
3873 case AF_INET:
3874 if (r->rpool.cur->addr.p.dyn->
3875 pfid_acnt4 < 1) {
3876 return NULL;
3877 }
3878 PF_POOLMASK(nsaddr,
3879 &r->rpool.cur->addr.p.dyn->
3880 pfid_addr4,
3881 &r->rpool.cur->addr.p.dyn->
3882 pfid_mask4,
3883 saddr, AF_INET);
3884 break;
3885 #endif /* INET */
3886 #if INET6
3887 case AF_INET6:
3888 if (r->rpool.cur->addr.p.dyn->
3889 pfid_acnt6 < 1) {
3890 return NULL;
3891 }
3892 PF_POOLMASK(nsaddr,
3893 &r->rpool.cur->addr.p.dyn->
3894 pfid_addr6,
3895 &r->rpool.cur->addr.p.dyn->
3896 pfid_mask6,
3897 saddr, AF_INET6);
3898 break;
3899 #endif /* INET6 */
3900 }
3901 } else {
3902 PF_POOLMASK(nsaddr,
3903 &r->rpool.cur->addr.v.a.addr,
3904 &r->rpool.cur->addr.v.a.mask,
3905 saddr, pd->af);
3906 }
3907 break;
3908 case PF_IN:
3909 if (r->src.addr.type == PF_ADDR_DYNIFTL) {
3910 if (r->src.addr.p.dyn == NULL) {
3911 return NULL;
3912 }
3913 switch (pd->af) {
3914 #if INET
3915 case AF_INET:
3916 if (r->src.addr.p.dyn->
3917 pfid_acnt4 < 1) {
3918 return NULL;
3919 }
3920 PF_POOLMASK(ndaddr,
3921 &r->src.addr.p.dyn->
3922 pfid_addr4,
3923 &r->src.addr.p.dyn->
3924 pfid_mask4,
3925 daddr, AF_INET);
3926 break;
3927 #endif /* INET */
3928 #if INET6
3929 case AF_INET6:
3930 if (r->src.addr.p.dyn->
3931 pfid_acnt6 < 1) {
3932 return NULL;
3933 }
3934 PF_POOLMASK(ndaddr,
3935 &r->src.addr.p.dyn->
3936 pfid_addr6,
3937 &r->src.addr.p.dyn->
3938 pfid_mask6,
3939 daddr, AF_INET6);
3940 break;
3941 #endif /* INET6 */
3942 }
3943 } else {
3944 PF_POOLMASK(ndaddr,
3945 &r->src.addr.v.a.addr,
3946 &r->src.addr.v.a.mask, daddr,
3947 pd->af);
3948 }
3949 break;
3950 }
3951 break;
3952 case PF_RDR: {
3953 switch (direction) {
3954 case PF_OUT:
3955 if (r->dst.addr.type == PF_ADDR_DYNIFTL) {
3956 if (r->dst.addr.p.dyn == NULL) {
3957 return NULL;
3958 }
3959 switch (pd->af) {
3960 #if INET
3961 case AF_INET:
3962 if (r->dst.addr.p.dyn->
3963 pfid_acnt4 < 1) {
3964 return NULL;
3965 }
3966 PF_POOLMASK(nsaddr,
3967 &r->dst.addr.p.dyn->
3968 pfid_addr4,
3969 &r->dst.addr.p.dyn->
3970 pfid_mask4,
3971 daddr, AF_INET);
3972 break;
3973 #endif /* INET */
3974 #if INET6
3975 case AF_INET6:
3976 if (r->dst.addr.p.dyn->
3977 pfid_acnt6 < 1) {
3978 return NULL;
3979 }
3980 PF_POOLMASK(nsaddr,
3981 &r->dst.addr.p.dyn->
3982 pfid_addr6,
3983 &r->dst.addr.p.dyn->
3984 pfid_mask6,
3985 daddr, AF_INET6);
3986 break;
3987 #endif /* INET6 */
3988 }
3989 } else {
3990 PF_POOLMASK(nsaddr,
3991 &r->dst.addr.v.a.addr,
3992 &r->dst.addr.v.a.mask,
3993 daddr, pd->af);
3994 }
3995 if (nsxport && r->dst.xport.range.port[0]) {
3996 nsxport->port =
3997 r->dst.xport.range.port[0];
3998 }
3999 break;
4000 case PF_IN:
4001 if (pf_map_addr(pd->af, r, saddr,
4002 ndaddr, NULL, sn)) {
4003 return NULL;
4004 }
4005 if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
4006 PF_POOL_BITMASK) {
4007 PF_POOLMASK(ndaddr, ndaddr,
4008 &r->rpool.cur->addr.v.a.mask, daddr,
4009 pd->af);
4010 }
4011
4012 if (nsxport && dxport) {
4013 if (r->rpool.proxy_port[1]) {
4014 u_int32_t tmp_nport;
4015
4016 tmp_nport =
4017 ((ntohs(dxport->port) -
4018 ntohs(r->dst.xport.range.
4019 port[0])) %
4020 (r->rpool.proxy_port[1] -
4021 r->rpool.proxy_port[0] +
4022 1)) + r->rpool.proxy_port[0];
4023
4024 /* wrap around if necessary */
4025 if (tmp_nport > 65535) {
4026 tmp_nport -= 65535;
4027 }
4028 nsxport->port =
4029 htons((u_int16_t)tmp_nport);
4030 } else if (r->rpool.proxy_port[0]) {
4031 nsxport->port = htons(r->rpool.
4032 proxy_port[0]);
4033 }
4034 }
4035 break;
4036 }
4037 break;
4038 }
4039 default:
4040 return NULL;
4041 }
4042 }
4043
4044 return r;
4045 }
4046
4047 int
4048 pf_socket_lookup(int direction, struct pf_pdesc *pd)
4049 {
4050 struct pf_addr *saddr, *daddr;
4051 u_int16_t sport, dport;
4052 struct inpcbinfo *pi;
4053 int inp = 0;
4054
4055 if (pd == NULL) {
4056 return -1;
4057 }
4058 pd->lookup.uid = UID_MAX;
4059 pd->lookup.gid = GID_MAX;
4060 pd->lookup.pid = NO_PID;
4061
4062 switch (pd->proto) {
4063 case IPPROTO_TCP:
4064 if (pd->hdr.tcp == NULL) {
4065 return -1;
4066 }
4067 sport = pd->hdr.tcp->th_sport;
4068 dport = pd->hdr.tcp->th_dport;
4069 pi = &tcbinfo;
4070 break;
4071 case IPPROTO_UDP:
4072 if (pd->hdr.udp == NULL) {
4073 return -1;
4074 }
4075 sport = pd->hdr.udp->uh_sport;
4076 dport = pd->hdr.udp->uh_dport;
4077 pi = &udbinfo;
4078 break;
4079 default:
4080 return -1;
4081 }
4082 if (direction == PF_IN) {
4083 saddr = pd->src;
4084 daddr = pd->dst;
4085 } else {
4086 u_int16_t p;
4087
4088 p = sport;
4089 sport = dport;
4090 dport = p;
4091 saddr = pd->dst;
4092 daddr = pd->src;
4093 }
4094 switch (pd->af) {
4095 #if INET
4096 case AF_INET:
4097 inp = in_pcblookup_hash_exists(pi, saddr->v4addr, sport, daddr->v4addr, dport,
4098 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
4099 #if INET6
4100 if (inp == 0) {
4101 struct in6_addr s6, d6;
4102
4103 memset(&s6, 0, sizeof(s6));
4104 s6.s6_addr16[5] = htons(0xffff);
4105 memcpy(&s6.s6_addr32[3], &saddr->v4addr,
4106 sizeof(saddr->v4addr));
4107
4108 memset(&d6, 0, sizeof(d6));
4109 d6.s6_addr16[5] = htons(0xffff);
4110 memcpy(&d6.s6_addr32[3], &daddr->v4addr,
4111 sizeof(daddr->v4addr));
4112
4113 inp = in6_pcblookup_hash_exists(pi, &s6, sport,
4114 &d6, dport, 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
4115 if (inp == 0) {
4116 inp = in_pcblookup_hash_exists(pi, saddr->v4addr, sport,
4117 daddr->v4addr, dport, INPLOOKUP_WILDCARD, &pd->lookup.uid, &pd->lookup.gid, NULL);
4118 if (inp == 0) {
4119 inp = in6_pcblookup_hash_exists(pi, &s6, sport,
4120 &d6, dport, INPLOOKUP_WILDCARD,
4121 &pd->lookup.uid, &pd->lookup.gid, NULL);
4122 if (inp == 0) {
4123 return -1;
4124 }
4125 }
4126 }
4127 }
4128 #else
4129 if (inp == 0) {
4130 inp = in_pcblookup_hash_exists(pi, saddr->v4addr, sport,
4131 daddr->v4addr, dport, INPLOOKUP_WILDCARD,
4132 &pd->lookup.uid, &pd->lookup.gid, NULL);
4133 if (inp == 0) {
4134 return -1;
4135 }
4136 }
4137 #endif /* !INET6 */
4138 break;
4139 #endif /* INET */
4140 #if INET6
4141 case AF_INET6:
4142 inp = in6_pcblookup_hash_exists(pi, &saddr->v6addr, sport, &daddr->v6addr,
4143 dport, 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
4144 if (inp == 0) {
4145 inp = in6_pcblookup_hash_exists(pi, &saddr->v6addr, sport,
4146 &daddr->v6addr, dport, INPLOOKUP_WILDCARD,
4147 &pd->lookup.uid, &pd->lookup.gid, NULL);
4148 if (inp == 0) {
4149 return -1;
4150 }
4151 }
4152 break;
4153 #endif /* INET6 */
4154
4155 default:
4156 return -1;
4157 }
4158
4159 return 1;
4160 }
4161
4162 static u_int8_t
4163 pf_get_wscale(pbuf_t *pbuf, int off, u_int16_t th_off, sa_family_t af)
4164 {
4165 int hlen;
4166 u_int8_t hdr[60];
4167 u_int8_t *opt, optlen;
4168 u_int8_t wscale = 0;
4169
4170 hlen = th_off << 2; /* hlen <= sizeof (hdr) */
4171 if (hlen <= (int)sizeof(struct tcphdr)) {
4172 return 0;
4173 }
4174 if (!pf_pull_hdr(pbuf, off, hdr, hlen, NULL, NULL, af)) {
4175 return 0;
4176 }
4177 opt = hdr + sizeof(struct tcphdr);
4178 hlen -= sizeof(struct tcphdr);
4179 while (hlen >= 3) {
4180 switch (*opt) {
4181 case TCPOPT_EOL:
4182 case TCPOPT_NOP:
4183 ++opt;
4184 --hlen;
4185 break;
4186 case TCPOPT_WINDOW:
4187 wscale = opt[2];
4188 if (wscale > TCP_MAX_WINSHIFT) {
4189 wscale = TCP_MAX_WINSHIFT;
4190 }
4191 wscale |= PF_WSCALE_FLAG;
4192 /* FALLTHROUGH */
4193 default:
4194 optlen = opt[1];
4195 if (optlen < 2) {
4196 optlen = 2;
4197 }
4198 hlen -= optlen;
4199 opt += optlen;
4200 break;
4201 }
4202 }
4203 return wscale;
4204 }
4205
4206 static u_int16_t
4207 pf_get_mss(pbuf_t *pbuf, int off, u_int16_t th_off, sa_family_t af)
4208 {
4209 int hlen;
4210 u_int8_t hdr[60];
4211 u_int8_t *opt, optlen;
4212 u_int16_t mss = tcp_mssdflt;
4213
4214 hlen = th_off << 2; /* hlen <= sizeof (hdr) */
4215 if (hlen <= (int)sizeof(struct tcphdr)) {
4216 return 0;
4217 }
4218 if (!pf_pull_hdr(pbuf, off, hdr, hlen, NULL, NULL, af)) {
4219 return 0;
4220 }
4221 opt = hdr + sizeof(struct tcphdr);
4222 hlen -= sizeof(struct tcphdr);
4223 while (hlen >= TCPOLEN_MAXSEG) {
4224 switch (*opt) {
4225 case TCPOPT_EOL:
4226 case TCPOPT_NOP:
4227 ++opt;
4228 --hlen;
4229 break;
4230 case TCPOPT_MAXSEG:
4231 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
4232 #if BYTE_ORDER != BIG_ENDIAN
4233 NTOHS(mss);
4234 #endif
4235 /* FALLTHROUGH */
4236 default:
4237 optlen = opt[1];
4238 if (optlen < 2) {
4239 optlen = 2;
4240 }
4241 hlen -= optlen;
4242 opt += optlen;
4243 break;
4244 }
4245 }
4246 return mss;
4247 }
4248
4249 static u_int16_t
4250 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
4251 {
4252 #if INET
4253 struct sockaddr_in *dst;
4254 struct route ro;
4255 #endif /* INET */
4256 #if INET6
4257 struct sockaddr_in6 *dst6;
4258 struct route_in6 ro6;
4259 #endif /* INET6 */
4260 struct rtentry *rt = NULL;
4261 int hlen;
4262 u_int16_t mss = tcp_mssdflt;
4263
4264 switch (af) {
4265 #if INET
4266 case AF_INET:
4267 hlen = sizeof(struct ip);
4268 bzero(&ro, sizeof(ro));
4269 dst = (struct sockaddr_in *)(void *)&ro.ro_dst;
4270 dst->sin_family = AF_INET;
4271 dst->sin_len = sizeof(*dst);
4272 dst->sin_addr = addr->v4addr;
4273 rtalloc(&ro);
4274 rt = ro.ro_rt;
4275 break;
4276 #endif /* INET */
4277 #if INET6
4278 case AF_INET6:
4279 hlen = sizeof(struct ip6_hdr);
4280 bzero(&ro6, sizeof(ro6));
4281 dst6 = (struct sockaddr_in6 *)(void *)&ro6.ro_dst;
4282 dst6->sin6_family = AF_INET6;
4283 dst6->sin6_len = sizeof(*dst6);
4284 dst6->sin6_addr = addr->v6addr;
4285 rtalloc((struct route *)&ro);
4286 rt = ro6.ro_rt;
4287 break;
4288 #endif /* INET6 */
4289 default:
4290 panic("pf_calc_mss: not AF_INET or AF_INET6!");
4291 return 0;
4292 }
4293
4294 if (rt && rt->rt_ifp) {
4295 /* This is relevant only for PF SYN Proxy */
4296 int interface_mtu = rt->rt_ifp->if_mtu;
4297
4298 if (af == AF_INET &&
4299 INTF_ADJUST_MTU_FOR_CLAT46(rt->rt_ifp)) {
4300 interface_mtu = IN6_LINKMTU(rt->rt_ifp);
4301 /* Further adjust the size for CLAT46 expansion */
4302 interface_mtu -= CLAT46_HDR_EXPANSION_OVERHD;
4303 }
4304 mss = interface_mtu - hlen - sizeof(struct tcphdr);
4305 mss = max(tcp_mssdflt, mss);
4306 rtfree(rt);
4307 }
4308 mss = min(mss, offer);
4309 mss = max(mss, 64); /* sanity - at least max opt space */
4310 return mss;
4311 }
4312
4313 static void
4314 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr, sa_family_t af)
4315 {
4316 struct pf_rule *r = s->rule.ptr;
4317
4318 s->rt_kif = NULL;
4319
4320 if (!r->rt || r->rt == PF_FASTROUTE) {
4321 return;
4322 }
4323 if ((af == AF_INET) || (af == AF_INET6)) {
4324 pf_map_addr(af, r, saddr, &s->rt_addr, NULL,
4325 &s->nat_src_node);
4326 s->rt_kif = r->rpool.cur->kif;
4327 }
4328
4329 return;
4330 }
4331
4332 static void
4333 pf_attach_state(struct pf_state_key *sk, struct pf_state *s, int tail)
4334 {
4335 s->state_key = sk;
4336 sk->refcnt++;
4337
4338 /* list is sorted, if-bound states before floating */
4339 if (tail) {
4340 TAILQ_INSERT_TAIL(&sk->states, s, next);
4341 } else {
4342 TAILQ_INSERT_HEAD(&sk->states, s, next);
4343 }
4344 }
4345
4346 static void
4347 pf_detach_state(struct pf_state *s, int flags)
4348 {
4349 struct pf_state_key *sk = s->state_key;
4350
4351 if (sk == NULL) {
4352 return;
4353 }
4354
4355 s->state_key = NULL;
4356 TAILQ_REMOVE(&sk->states, s, next);
4357 if (--sk->refcnt == 0) {
4358 if (!(flags & PF_DT_SKIP_EXTGWY)) {
4359 RB_REMOVE(pf_state_tree_ext_gwy,
4360 &pf_statetbl_ext_gwy, sk);
4361 }
4362 if (!(flags & PF_DT_SKIP_LANEXT)) {
4363 RB_REMOVE(pf_state_tree_lan_ext,
4364 &pf_statetbl_lan_ext, sk);
4365 }
4366 if (sk->app_state) {
4367 pool_put(&pf_app_state_pl, sk->app_state);
4368 }
4369 pool_put(&pf_state_key_pl, sk);
4370 }
4371 }
4372
4373 struct pf_state_key *
4374 pf_alloc_state_key(struct pf_state *s, struct pf_state_key *psk)
4375 {
4376 struct pf_state_key *sk;
4377
4378 if ((sk = pool_get(&pf_state_key_pl, PR_WAITOK)) == NULL) {
4379 return NULL;
4380 }
4381 bzero(sk, sizeof(*sk));
4382 TAILQ_INIT(&sk->states);
4383 pf_attach_state(sk, s, 0);
4384
4385 /* initialize state key from psk, if provided */
4386 if (psk != NULL) {
4387 bcopy(&psk->lan, &sk->lan, sizeof(sk->lan));
4388 bcopy(&psk->gwy, &sk->gwy, sizeof(sk->gwy));
4389 bcopy(&psk->ext_lan, &sk->ext_lan, sizeof(sk->ext_lan));
4390 bcopy(&psk->ext_gwy, &sk->ext_gwy, sizeof(sk->ext_gwy));
4391 sk->af_lan = psk->af_lan;
4392 sk->af_gwy = psk->af_gwy;
4393 sk->proto = psk->proto;
4394 sk->direction = psk->direction;
4395 sk->proto_variant = psk->proto_variant;
4396 VERIFY(psk->app_state == NULL);
4397 sk->flowsrc = psk->flowsrc;
4398 sk->flowhash = psk->flowhash;
4399 /* don't touch tree entries, states and refcnt on sk */
4400 }
4401
4402 return sk;
4403 }
4404
4405 static u_int32_t
4406 pf_tcp_iss(struct pf_pdesc *pd)
4407 {
4408 MD5_CTX ctx;
4409 u_int32_t digest[4];
4410
4411 if (pf_tcp_secret_init == 0) {
4412 read_frandom(pf_tcp_secret, sizeof(pf_tcp_secret));
4413 MD5Init(&pf_tcp_secret_ctx);
4414 MD5Update(&pf_tcp_secret_ctx, pf_tcp_secret,
4415 sizeof(pf_tcp_secret));
4416 pf_tcp_secret_init = 1;
4417 }
4418 ctx = pf_tcp_secret_ctx;
4419
4420 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof(u_short));
4421 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof(u_short));
4422 if (pd->af == AF_INET6) {
4423 MD5Update(&ctx, (char *)&pd->src->v6addr, sizeof(struct in6_addr));
4424 MD5Update(&ctx, (char *)&pd->dst->v6addr, sizeof(struct in6_addr));
4425 } else {
4426 MD5Update(&ctx, (char *)&pd->src->v4addr, sizeof(struct in_addr));
4427 MD5Update(&ctx, (char *)&pd->dst->v4addr, sizeof(struct in_addr));
4428 }
4429 MD5Final((u_char *)digest, &ctx);
4430 pf_tcp_iss_off += 4096;
4431 return digest[0] + random() + pf_tcp_iss_off;
4432 }
4433
4434 /*
4435 * This routine is called to perform address family translation on the
4436 * inner IP header (that may come as payload) of an ICMP(v4addr/6) error
4437 * response.
4438 */
4439 static int
4440 pf_change_icmp_af(pbuf_t *pbuf, int off,
4441 struct pf_pdesc *pd, struct pf_pdesc *pd2, struct pf_addr *src,
4442 struct pf_addr *dst, sa_family_t af, sa_family_t naf)
4443 {
4444 struct ip *ip4 = NULL;
4445 struct ip6_hdr *ip6 = NULL;
4446 void *hdr;
4447 int hlen, olen;
4448
4449 if (af == naf || (af != AF_INET && af != AF_INET6) ||
4450 (naf != AF_INET && naf != AF_INET6)) {
4451 return -1;
4452 }
4453
4454 /* old header */
4455 olen = pd2->off - off;
4456 /* new header */
4457 hlen = naf == AF_INET ? sizeof(*ip4) : sizeof(*ip6);
4458
4459 /* Modify the pbuf to accommodate the new header */
4460 hdr = pbuf_resize_segment(pbuf, off, olen, hlen);
4461 if (hdr == NULL) {
4462 return -1;
4463 }
4464
4465 /* translate inner ip/ip6 header */
4466 switch (naf) {
4467 case AF_INET:
4468 ip4 = hdr;
4469 bzero(ip4, sizeof(*ip4));
4470 ip4->ip_v = IPVERSION;
4471 ip4->ip_hl = sizeof(*ip4) >> 2;
4472 ip4->ip_len = htons(sizeof(*ip4) + pd2->tot_len - olen);
4473 ip4->ip_id = rfc6864 ? 0 : htons(ip_randomid());
4474 ip4->ip_off = htons(IP_DF);
4475 ip4->ip_ttl = pd2->ttl;
4476 if (pd2->proto == IPPROTO_ICMPV6) {
4477 ip4->ip_p = IPPROTO_ICMP;
4478 } else {
4479 ip4->ip_p = pd2->proto;
4480 }
4481 ip4->ip_src = src->v4addr;
4482 ip4->ip_dst = dst->v4addr;
4483 ip4->ip_sum = pbuf_inet_cksum(pbuf, 0, 0, ip4->ip_hl << 2);
4484 break;
4485 case AF_INET6:
4486 ip6 = hdr;
4487 bzero(ip6, sizeof(*ip6));
4488 ip6->ip6_vfc = IPV6_VERSION;
4489 ip6->ip6_plen = htons(pd2->tot_len - olen);
4490 if (pd2->proto == IPPROTO_ICMP) {
4491 ip6->ip6_nxt = IPPROTO_ICMPV6;
4492 } else {
4493 ip6->ip6_nxt = pd2->proto;
4494 }
4495 if (!pd2->ttl || pd2->ttl > IPV6_DEFHLIM) {
4496 ip6->ip6_hlim = IPV6_DEFHLIM;
4497 } else {
4498 ip6->ip6_hlim = pd2->ttl;
4499 }
4500 ip6->ip6_src = src->v6addr;
4501 ip6->ip6_dst = dst->v6addr;
4502 break;
4503 }
4504
4505 /* adjust payload offset and total packet length */
4506 pd2->off += hlen - olen;
4507 pd->tot_len += hlen - olen;
4508
4509 return 0;
4510 }
4511
4512 #define PTR_IP(field) ((int32_t)offsetof(struct ip, field))
4513 #define PTR_IP6(field) ((int32_t)offsetof(struct ip6_hdr, field))
4514
4515 static int
4516 pf_translate_icmp_af(int af, void *arg)
4517 {
4518 struct icmp *icmp4;
4519 struct icmp6_hdr *icmp6;
4520 u_int32_t mtu;
4521 int32_t ptr = -1;
4522 u_int8_t type;
4523 u_int8_t code;
4524
4525 switch (af) {
4526 case AF_INET:
4527 icmp6 = arg;
4528 type = icmp6->icmp6_type;
4529 code = icmp6->icmp6_code;
4530 mtu = ntohl(icmp6->icmp6_mtu);
4531
4532 switch (type) {
4533 case ICMP6_ECHO_REQUEST:
4534 type = ICMP_ECHO;
4535 break;
4536 case ICMP6_ECHO_REPLY:
4537 type = ICMP_ECHOREPLY;
4538 break;
4539 case ICMP6_DST_UNREACH:
4540 type = ICMP_UNREACH;
4541 switch (code) {
4542 case ICMP6_DST_UNREACH_NOROUTE:
4543 case ICMP6_DST_UNREACH_BEYONDSCOPE:
4544 case ICMP6_DST_UNREACH_ADDR:
4545 code = ICMP_UNREACH_HOST;
4546 break;
4547 case ICMP6_DST_UNREACH_ADMIN:
4548 code = ICMP_UNREACH_HOST_PROHIB;
4549 break;
4550 case ICMP6_DST_UNREACH_NOPORT:
4551 code = ICMP_UNREACH_PORT;
4552 break;
4553 default:
4554 return -1;
4555 }
4556 break;
4557 case ICMP6_PACKET_TOO_BIG:
4558 type = ICMP_UNREACH;
4559 code = ICMP_UNREACH_NEEDFRAG;
4560 mtu -= 20;
4561 break;
4562 case ICMP6_TIME_EXCEEDED:
4563 type = ICMP_TIMXCEED;
4564 break;
4565 case ICMP6_PARAM_PROB:
4566 switch (code) {
4567 case ICMP6_PARAMPROB_HEADER:
4568 type = ICMP_PARAMPROB;
4569 code = ICMP_PARAMPROB_ERRATPTR;
4570 ptr = ntohl(icmp6->icmp6_pptr);
4571
4572 if (ptr == PTR_IP6(ip6_vfc)) {
4573 ; /* preserve */
4574 } else if (ptr == PTR_IP6(ip6_vfc) + 1) {
4575 ptr = PTR_IP(ip_tos);
4576 } else if (ptr == PTR_IP6(ip6_plen) ||
4577 ptr == PTR_IP6(ip6_plen) + 1) {
4578 ptr = PTR_IP(ip_len);
4579 } else if (ptr == PTR_IP6(ip6_nxt)) {
4580 ptr = PTR_IP(ip_p);
4581 } else if (ptr == PTR_IP6(ip6_hlim)) {
4582 ptr = PTR_IP(ip_ttl);
4583 } else if (ptr >= PTR_IP6(ip6_src) &&
4584 ptr < PTR_IP6(ip6_dst)) {
4585 ptr = PTR_IP(ip_src);
4586 } else if (ptr >= PTR_IP6(ip6_dst) &&
4587 ptr < (int32_t)sizeof(struct ip6_hdr)) {
4588 ptr = PTR_IP(ip_dst);
4589 } else {
4590 return -1;
4591 }
4592 break;
4593 case ICMP6_PARAMPROB_NEXTHEADER:
4594 type = ICMP_UNREACH;
4595 code = ICMP_UNREACH_PROTOCOL;
4596 break;
4597 default:
4598 return -1;
4599 }
4600 break;
4601 default:
4602 return -1;
4603 }
4604 icmp6->icmp6_type = type;
4605 icmp6->icmp6_code = code;
4606 /* aligns well with a icmpv4 nextmtu */
4607 icmp6->icmp6_mtu = htonl(mtu);
4608 /* icmpv4 pptr is a one most significant byte */
4609 if (ptr >= 0) {
4610 icmp6->icmp6_pptr = htonl(ptr << 24);
4611 }
4612 break;
4613
4614 case AF_INET6:
4615 icmp4 = arg;
4616 type = icmp4->icmp_type;
4617 code = icmp4->icmp_code;
4618 mtu = ntohs(icmp4->icmp_nextmtu);
4619
4620 switch (type) {
4621 case ICMP_ECHO:
4622 type = ICMP6_ECHO_REQUEST;
4623 break;
4624 case ICMP_ECHOREPLY:
4625 type = ICMP6_ECHO_REPLY;
4626 break;
4627 case ICMP_UNREACH:
4628 type = ICMP6_DST_UNREACH;
4629 switch (code) {
4630 case ICMP_UNREACH_NET:
4631 case ICMP_UNREACH_HOST:
4632 case ICMP_UNREACH_NET_UNKNOWN:
4633 case ICMP_UNREACH_HOST_UNKNOWN:
4634 case ICMP_UNREACH_ISOLATED:
4635 case ICMP_UNREACH_TOSNET:
4636 case ICMP_UNREACH_TOSHOST:
4637 code = ICMP6_DST_UNREACH_NOROUTE;
4638 break;
4639 case ICMP_UNREACH_PORT:
4640 code = ICMP6_DST_UNREACH_NOPORT;
4641 break;
4642 case ICMP_UNREACH_NET_PROHIB:
4643 case ICMP_UNREACH_HOST_PROHIB:
4644 case ICMP_UNREACH_FILTER_PROHIB:
4645 case ICMP_UNREACH_PRECEDENCE_CUTOFF:
4646 code = ICMP6_DST_UNREACH_ADMIN;
4647 break;
4648 case ICMP_UNREACH_PROTOCOL:
4649 type = ICMP6_PARAM_PROB;
4650 code = ICMP6_PARAMPROB_NEXTHEADER;
4651 ptr = offsetof(struct ip6_hdr, ip6_nxt);
4652 break;
4653 case ICMP_UNREACH_NEEDFRAG:
4654 type = ICMP6_PACKET_TOO_BIG;
4655 code = 0;
4656 mtu += 20;
4657 break;
4658 default:
4659 return -1;
4660 }
4661 break;
4662 case ICMP_TIMXCEED:
4663 type = ICMP6_TIME_EXCEEDED;
4664 break;
4665 case ICMP_PARAMPROB:
4666 type = ICMP6_PARAM_PROB;
4667 switch (code) {
4668 case ICMP_PARAMPROB_ERRATPTR:
4669 code = ICMP6_PARAMPROB_HEADER;
4670 break;
4671 case ICMP_PARAMPROB_LENGTH:
4672 code = ICMP6_PARAMPROB_HEADER;
4673 break;
4674 default:
4675 return -1;
4676 }
4677
4678 ptr = icmp4->icmp_pptr;
4679 if (ptr == 0 || ptr == PTR_IP(ip_tos)) {
4680 ; /* preserve */
4681 } else if (ptr == PTR_IP(ip_len) ||
4682 ptr == PTR_IP(ip_len) + 1) {
4683 ptr = PTR_IP6(ip6_plen);
4684 } else if (ptr == PTR_IP(ip_ttl)) {
4685 ptr = PTR_IP6(ip6_hlim);
4686 } else if (ptr == PTR_IP(ip_p)) {
4687 ptr = PTR_IP6(ip6_nxt);
4688 } else if (ptr >= PTR_IP(ip_src) &&
4689 ptr < PTR_IP(ip_dst)) {
4690 ptr = PTR_IP6(ip6_src);
4691 } else if (ptr >= PTR_IP(ip_dst) &&
4692 ptr < (int32_t)sizeof(struct ip)) {
4693 ptr = PTR_IP6(ip6_dst);
4694 } else {
4695 return -1;
4696 }
4697 break;
4698 default:
4699 return -1;
4700 }
4701 icmp4->icmp_type = type;
4702 icmp4->icmp_code = code;
4703 icmp4->icmp_nextmtu = htons(mtu);
4704 if (ptr >= 0) {
4705 icmp4->icmp_void = htonl(ptr);
4706 }
4707 break;
4708 }
4709
4710 return 0;
4711 }
4712
4713 /* Note: frees pbuf if PF_NAT64 is returned */
4714 static int
4715 pf_nat64_ipv6(pbuf_t *pbuf, int off, struct pf_pdesc *pd)
4716 {
4717 struct ip *ip4;
4718 struct mbuf *m;
4719
4720 /*
4721 * ip_input asserts for rcvif to be not NULL
4722 * That may not be true for two corner cases
4723 * 1. If for some reason a local app sends DNS
4724 * AAAA query to local host
4725 * 2. If IPv6 stack in kernel internally generates a
4726 * message destined for a synthesized IPv6 end-point.
4727 */
4728 if (pbuf->pb_ifp == NULL) {
4729 return PF_DROP;
4730 }
4731
4732 ip4 = (struct ip *)pbuf_resize_segment(pbuf, 0, off, sizeof(*ip4));
4733 if (ip4 == NULL) {
4734 return PF_DROP;
4735 }
4736
4737 ip4->ip_v = 4;
4738 ip4->ip_hl = 5;
4739 ip4->ip_tos = pd->tos & htonl(0x0ff00000);
4740 ip4->ip_len = htons(sizeof(*ip4) + (pd->tot_len - off));
4741 ip4->ip_id = 0;
4742 ip4->ip_off = htons(IP_DF);
4743 ip4->ip_ttl = pd->ttl;
4744 ip4->ip_p = pd->proto;
4745 ip4->ip_sum = 0;
4746 ip4->ip_src = pd->naddr.v4addr;
4747 ip4->ip_dst = pd->ndaddr.v4addr;
4748 ip4->ip_sum = pbuf_inet_cksum(pbuf, 0, 0, ip4->ip_hl << 2);
4749
4750 /* recalculate icmp checksums */
4751 if (pd->proto == IPPROTO_ICMP) {
4752 struct icmp *icmp;
4753 int hlen = sizeof(*ip4);
4754
4755 icmp = (struct icmp *)pbuf_contig_segment(pbuf, hlen,
4756 ICMP_MINLEN);
4757 if (icmp == NULL) {
4758 return PF_DROP;
4759 }
4760
4761 icmp->icmp_cksum = 0;
4762 icmp->icmp_cksum = pbuf_inet_cksum(pbuf, 0, hlen,
4763 ntohs(ip4->ip_len) - hlen);
4764 }
4765
4766 if ((m = pbuf_to_mbuf(pbuf, TRUE)) != NULL) {
4767 ip_input(m);
4768 }
4769
4770 return PF_NAT64;
4771 }
4772
4773 static int
4774 pf_nat64_ipv4(pbuf_t *pbuf, int off, struct pf_pdesc *pd)
4775 {
4776 struct ip6_hdr *ip6;
4777 struct mbuf *m;
4778
4779 if (pbuf->pb_ifp == NULL) {
4780 return PF_DROP;
4781 }
4782
4783 ip6 = (struct ip6_hdr *)pbuf_resize_segment(pbuf, 0, off, sizeof(*ip6));
4784 if (ip6 == NULL) {
4785 return PF_DROP;
4786 }
4787
4788 ip6->ip6_vfc = htonl((6 << 28) | (pd->tos << 20));
4789 ip6->ip6_plen = htons(pd->tot_len - off);
4790 ip6->ip6_nxt = pd->proto;
4791 ip6->ip6_hlim = pd->ttl;
4792 ip6->ip6_src = pd->naddr.v6addr;
4793 ip6->ip6_dst = pd->ndaddr.v6addr;
4794
4795 /* recalculate icmp6 checksums */
4796 if (pd->proto == IPPROTO_ICMPV6) {
4797 struct icmp6_hdr *icmp6;
4798 int hlen = sizeof(*ip6);
4799
4800 icmp6 = (struct icmp6_hdr *)pbuf_contig_segment(pbuf, hlen,
4801 sizeof(*icmp6));
4802 if (icmp6 == NULL) {
4803 return PF_DROP;
4804 }
4805
4806 icmp6->icmp6_cksum = 0;
4807 icmp6->icmp6_cksum = pbuf_inet6_cksum(pbuf,
4808 IPPROTO_ICMPV6, hlen,
4809 ntohs(ip6->ip6_plen));
4810 } else if (pd->proto == IPPROTO_UDP) {
4811 struct udphdr *uh;
4812 int hlen = sizeof(*ip6);
4813
4814 uh = (struct udphdr *)pbuf_contig_segment(pbuf, hlen,
4815 sizeof(*uh));
4816 if (uh == NULL) {
4817 return PF_DROP;
4818 }
4819
4820 if (uh->uh_sum == 0) {
4821 uh->uh_sum = pbuf_inet6_cksum(pbuf, IPPROTO_UDP,
4822 hlen, ntohs(ip6->ip6_plen));
4823 }
4824 }
4825
4826 if ((m = pbuf_to_mbuf(pbuf, TRUE)) != NULL) {
4827 ip6_input(m);
4828 }
4829
4830 return PF_NAT64;
4831 }
4832
4833 static int
4834 pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
4835 struct pfi_kif *kif, pbuf_t *pbuf, int off, void *h,
4836 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
4837 struct ifqueue *ifq)
4838 {
4839 #pragma unused(h)
4840 struct pf_rule *nr = NULL;
4841 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4842 sa_family_t af = pd->af;
4843 struct pf_rule *r, *a = NULL;
4844 struct pf_ruleset *ruleset = NULL;
4845 struct pf_src_node *nsn = NULL;
4846 struct tcphdr *th = pd->hdr.tcp;
4847 struct udphdr *uh = pd->hdr.udp;
4848 u_short reason;
4849 int rewrite = 0, hdrlen = 0;
4850 int tag = -1;
4851 unsigned int rtableid = IFSCOPE_NONE;
4852 int asd = 0;
4853 int match = 0;
4854 int state_icmp = 0;
4855 u_int16_t mss = tcp_mssdflt;
4856 u_int8_t icmptype = 0, icmpcode = 0;
4857
4858 struct pf_grev1_hdr *grev1 = pd->hdr.grev1;
4859 union pf_state_xport bxport, bdxport, nxport, sxport, dxport;
4860 struct pf_state_key psk;
4861
4862 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
4863
4864 if (direction == PF_IN && pf_check_congestion(ifq)) {
4865 REASON_SET(&reason, PFRES_CONGEST);
4866 return PF_DROP;
4867 }
4868
4869 hdrlen = 0;
4870 sxport.spi = 0;
4871 dxport.spi = 0;
4872 nxport.spi = 0;
4873
4874 switch (pd->proto) {
4875 case IPPROTO_TCP:
4876 sxport.port = th->th_sport;
4877 dxport.port = th->th_dport;
4878 hdrlen = sizeof(*th);
4879 break;
4880 case IPPROTO_UDP:
4881 sxport.port = uh->uh_sport;
4882 dxport.port = uh->uh_dport;
4883 hdrlen = sizeof(*uh);
4884 break;
4885 #if INET
4886 case IPPROTO_ICMP:
4887 if (pd->af != AF_INET) {
4888 break;
4889 }
4890 sxport.port = dxport.port = pd->hdr.icmp->icmp_id;
4891 hdrlen = ICMP_MINLEN;
4892 icmptype = pd->hdr.icmp->icmp_type;
4893 icmpcode = pd->hdr.icmp->icmp_code;
4894
4895 if (ICMP_ERRORTYPE(icmptype)) {
4896 state_icmp++;
4897 }
4898 break;
4899 #endif /* INET */
4900 #if INET6
4901 case IPPROTO_ICMPV6:
4902 if (pd->af != AF_INET6) {
4903 break;
4904 }
4905 sxport.port = dxport.port = pd->hdr.icmp6->icmp6_id;
4906 hdrlen = sizeof(*pd->hdr.icmp6);
4907 icmptype = pd->hdr.icmp6->icmp6_type;
4908 icmpcode = pd->hdr.icmp6->icmp6_code;
4909
4910 if (ICMP6_ERRORTYPE(icmptype)) {
4911 state_icmp++;
4912 }
4913 break;
4914 #endif /* INET6 */
4915 case IPPROTO_GRE:
4916 if (pd->proto_variant == PF_GRE_PPTP_VARIANT) {
4917 sxport.call_id = dxport.call_id =
4918 pd->hdr.grev1->call_id;
4919 hdrlen = sizeof(*pd->hdr.grev1);
4920 }
4921 break;
4922 case IPPROTO_ESP:
4923 sxport.spi = 0;
4924 dxport.spi = pd->hdr.esp->spi;
4925 hdrlen = sizeof(*pd->hdr.esp);
4926 break;
4927 }
4928
4929 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4930
4931 bxport = sxport;
4932 bdxport = dxport;
4933
4934 if (direction == PF_OUT) {
4935 nxport = sxport;
4936 } else {
4937 nxport = dxport;
4938 }
4939
4940 /* check packet for BINAT/NAT/RDR */
4941 if ((nr = pf_get_translation_aux(pd, pbuf, off, direction, kif, &nsn,
4942 saddr, &sxport, daddr, &dxport, &nxport
4943 )) != NULL) {
4944 int ua;
4945 u_int16_t dport;
4946
4947 if (pd->af != pd->naf) {
4948 ua = 0;
4949 } else {
4950 ua = 1;
4951 }
4952
4953 PF_ACPY(&pd->baddr, saddr, af);
4954 PF_ACPY(&pd->bdaddr, daddr, af);
4955
4956 switch (pd->proto) {
4957 case IPPROTO_TCP:
4958 if (pd->af != pd->naf ||
4959 PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4960 pf_change_ap(direction, pd->mp, saddr,
4961 &th->th_sport, pd->ip_sum, &th->th_sum,
4962 &pd->naddr, nxport.port, 0, af,
4963 pd->naf, ua);
4964 sxport.port = th->th_sport;
4965 }
4966
4967 if (pd->af != pd->naf ||
4968 PF_ANEQ(daddr, &pd->ndaddr, pd->af) ||
4969 (nr && (nr->action == PF_RDR) &&
4970 (th->th_dport != nxport.port))) {
4971 if (nr && nr->action == PF_RDR) {
4972 dport = nxport.port;
4973 } else {
4974 dport = th->th_dport;
4975 }
4976 pf_change_ap(direction, pd->mp, daddr,
4977 &th->th_dport, pd->ip_sum,
4978 &th->th_sum, &pd->ndaddr,
4979 dport, 0, af, pd->naf, ua);
4980 dxport.port = th->th_dport;
4981 }
4982 rewrite++;
4983 break;
4984
4985 case IPPROTO_UDP:
4986 if (pd->af != pd->naf ||
4987 PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4988 pf_change_ap(direction, pd->mp, saddr,
4989 &uh->uh_sport, pd->ip_sum,
4990 &uh->uh_sum, &pd->naddr,
4991 nxport.port, 1, af, pd->naf, ua);
4992 sxport.port = uh->uh_sport;
4993 }
4994
4995 if (pd->af != pd->naf ||
4996 PF_ANEQ(daddr, &pd->ndaddr, pd->af) ||
4997 (nr && (nr->action == PF_RDR) &&
4998 (uh->uh_dport != nxport.port))) {
4999 if (nr && nr->action == PF_RDR) {
5000 dport = nxport.port;
5001 } else {
5002 dport = uh->uh_dport;
5003 }
5004 pf_change_ap(direction, pd->mp, daddr,
5005 &uh->uh_dport, pd->ip_sum,
5006 &uh->uh_sum, &pd->ndaddr,
5007 dport, 0, af, pd->naf, ua);
5008 dxport.port = uh->uh_dport;
5009 }
5010 rewrite++;
5011 break;
5012 #if INET
5013 case IPPROTO_ICMP:
5014 if (pd->af != AF_INET) {
5015 break;
5016 }
5017 /*
5018 * TODO:
5019 * pd->af != pd->naf not handled yet here and would be
5020 * needed for NAT46 needed to support XLAT.
5021 * Will cross the bridge when it comes.
5022 */
5023 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
5024 pf_change_a(&saddr->v4addr.s_addr, pd->ip_sum,
5025 pd->naddr.v4addr.s_addr, 0);
5026 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
5027 pd->hdr.icmp->icmp_cksum, sxport.port,
5028 nxport.port, 0);
5029 pd->hdr.icmp->icmp_id = nxport.port;
5030 }
5031
5032 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
5033 pf_change_a(&daddr->v4addr.s_addr, pd->ip_sum,
5034 pd->ndaddr.v4addr.s_addr, 0);
5035 }
5036 ++rewrite;
5037 break;
5038 #endif /* INET */
5039 #if INET6
5040 case IPPROTO_ICMPV6:
5041 if (pd->af != AF_INET6) {
5042 break;
5043 }
5044
5045 if (pd->af != pd->naf ||
5046 PF_ANEQ(saddr, &pd->naddr, pd->af)) {
5047 pf_change_addr(saddr,
5048 &pd->hdr.icmp6->icmp6_cksum,
5049 &pd->naddr, 0, pd->af, pd->naf);
5050 }
5051
5052 if (pd->af != pd->naf ||
5053 PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
5054 pf_change_addr(daddr,
5055 &pd->hdr.icmp6->icmp6_cksum,
5056 &pd->ndaddr, 0, pd->af, pd->naf);
5057 }
5058
5059 if (pd->af != pd->naf) {
5060 if (pf_translate_icmp_af(AF_INET,
5061 pd->hdr.icmp6)) {
5062 return PF_DROP;
5063 }
5064 pd->proto = IPPROTO_ICMP;
5065 }
5066 rewrite++;
5067 break;
5068 #endif /* INET */
5069 case IPPROTO_GRE:
5070 if ((direction == PF_IN) &&
5071 (pd->proto_variant == PF_GRE_PPTP_VARIANT)) {
5072 grev1->call_id = nxport.call_id;
5073 }
5074
5075 switch (pd->af) {
5076 #if INET
5077 case AF_INET:
5078 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
5079 pf_change_a(&saddr->v4addr.s_addr,
5080 pd->ip_sum,
5081 pd->naddr.v4addr.s_addr, 0);
5082 }
5083 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
5084 pf_change_a(&daddr->v4addr.s_addr,
5085 pd->ip_sum,
5086 pd->ndaddr.v4addr.s_addr, 0);
5087 }
5088 break;
5089 #endif /* INET */
5090 #if INET6
5091 case AF_INET6:
5092 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
5093 PF_ACPY(saddr, &pd->naddr, AF_INET6);
5094 }
5095 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
5096 PF_ACPY(daddr, &pd->ndaddr, AF_INET6);
5097 }
5098 break;
5099 #endif /* INET6 */
5100 }
5101 ++rewrite;
5102 break;
5103 case IPPROTO_ESP:
5104 if (direction == PF_OUT) {
5105 bxport.spi = 0;
5106 }
5107
5108 switch (pd->af) {
5109 #if INET
5110 case AF_INET:
5111 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
5112 pf_change_a(&saddr->v4addr.s_addr,
5113 pd->ip_sum, pd->naddr.v4addr.s_addr, 0);
5114 }
5115 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
5116 pf_change_a(&daddr->v4addr.s_addr,
5117 pd->ip_sum,
5118 pd->ndaddr.v4addr.s_addr, 0);
5119 }
5120 break;
5121 #endif /* INET */
5122 #if INET6
5123 case AF_INET6:
5124 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
5125 PF_ACPY(saddr, &pd->naddr, AF_INET6);
5126 }
5127 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
5128 PF_ACPY(daddr, &pd->ndaddr, AF_INET6);
5129 }
5130 break;
5131 #endif /* INET6 */
5132 }
5133 break;
5134 default:
5135 switch (pd->af) {
5136 #if INET
5137 case AF_INET:
5138 if ((pd->naf != AF_INET) ||
5139 (PF_ANEQ(saddr, &pd->naddr, pd->af))) {
5140 pf_change_addr(saddr, pd->ip_sum,
5141 &pd->naddr, 0, af, pd->naf);
5142 }
5143
5144 if ((pd->naf != AF_INET) ||
5145 (PF_ANEQ(daddr, &pd->ndaddr, pd->af))) {
5146 pf_change_addr(daddr, pd->ip_sum,
5147 &pd->ndaddr, 0, af, pd->naf);
5148 }
5149 break;
5150 #endif /* INET */
5151 #if INET6
5152 case AF_INET6:
5153 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
5154 PF_ACPY(saddr, &pd->naddr, af);
5155 }
5156 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
5157 PF_ACPY(daddr, &pd->ndaddr, af);
5158 }
5159 break;
5160 #endif /* INET */
5161 }
5162 break;
5163 }
5164
5165 if (nr->natpass) {
5166 r = NULL;
5167 }
5168 pd->nat_rule = nr;
5169 pd->af = pd->naf;
5170 } else {
5171 }
5172
5173 if (nr && nr->tag > 0) {
5174 tag = nr->tag;
5175 }
5176
5177 while (r != NULL) {
5178 r->evaluations++;
5179 if (pfi_kif_match(r->kif, kif) == r->ifnot) {
5180 r = r->skip[PF_SKIP_IFP].ptr;
5181 } else if (r->direction && r->direction != direction) {
5182 r = r->skip[PF_SKIP_DIR].ptr;
5183 } else if (r->af && r->af != pd->af) {
5184 r = r->skip[PF_SKIP_AF].ptr;
5185 } else if (r->proto && r->proto != pd->proto) {
5186 r = r->skip[PF_SKIP_PROTO].ptr;
5187 } else if (PF_MISMATCHAW(&r->src.addr, saddr, pd->af,
5188 r->src.neg, kif)) {
5189 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
5190 }
5191 /* tcp/udp only. port_op always 0 in other cases */
5192 else if (r->proto == pd->proto &&
5193 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
5194 r->src.xport.range.op &&
5195 !pf_match_port(r->src.xport.range.op,
5196 r->src.xport.range.port[0], r->src.xport.range.port[1],
5197 th->th_sport)) {
5198 r = r->skip[PF_SKIP_SRC_PORT].ptr;
5199 } else if (PF_MISMATCHAW(&r->dst.addr, daddr, pd->af,
5200 r->dst.neg, NULL)) {
5201 r = r->skip[PF_SKIP_DST_ADDR].ptr;
5202 }
5203 /* tcp/udp only. port_op always 0 in other cases */
5204 else if (r->proto == pd->proto &&
5205 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
5206 r->dst.xport.range.op &&
5207 !pf_match_port(r->dst.xport.range.op,
5208 r->dst.xport.range.port[0], r->dst.xport.range.port[1],
5209 th->th_dport)) {
5210 r = r->skip[PF_SKIP_DST_PORT].ptr;
5211 }
5212 /* icmp only. type always 0 in other cases */
5213 else if (r->type && r->type != icmptype + 1) {
5214 r = TAILQ_NEXT(r, entries);
5215 }
5216 /* icmp only. type always 0 in other cases */
5217 else if (r->code && r->code != icmpcode + 1) {
5218 r = TAILQ_NEXT(r, entries);
5219 } else if ((r->rule_flag & PFRULE_TOS) && r->tos &&
5220 !(r->tos & pd->tos)) {
5221 r = TAILQ_NEXT(r, entries);
5222 } else if ((r->rule_flag & PFRULE_DSCP) && r->tos &&
5223 !(r->tos & (pd->tos & DSCP_MASK))) {
5224 r = TAILQ_NEXT(r, entries);
5225 } else if ((r->rule_flag & PFRULE_SC) && r->tos &&
5226 ((r->tos & SCIDX_MASK) != pd->sc)) {
5227 r = TAILQ_NEXT(r, entries);
5228 } else if (r->rule_flag & PFRULE_FRAGMENT) {
5229 r = TAILQ_NEXT(r, entries);
5230 } else if (pd->proto == IPPROTO_TCP &&
5231 (r->flagset & th->th_flags) != r->flags) {
5232 r = TAILQ_NEXT(r, entries);
5233 }
5234 /* tcp/udp only. uid.op always 0 in other cases */
5235 else if (r->uid.op && (pd->lookup.done || ((void)(pd->lookup.done =
5236 pf_socket_lookup(direction, pd)), 1)) &&
5237 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
5238 pd->lookup.uid)) {
5239 r = TAILQ_NEXT(r, entries);
5240 }
5241 /* tcp/udp only. gid.op always 0 in other cases */
5242 else if (r->gid.op && (pd->lookup.done || ((void)(pd->lookup.done =
5243 pf_socket_lookup(direction, pd)), 1)) &&
5244 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
5245 pd->lookup.gid)) {
5246 r = TAILQ_NEXT(r, entries);
5247 } else if (r->prob && r->prob <= (RandomULong() % (UINT_MAX - 1) + 1)) {
5248 r = TAILQ_NEXT(r, entries);
5249 } else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag)) {
5250 r = TAILQ_NEXT(r, entries);
5251 } else if (r->os_fingerprint != PF_OSFP_ANY &&
5252 (pd->proto != IPPROTO_TCP || !pf_osfp_match(
5253 pf_osfp_fingerprint(pd, pbuf, off, th),
5254 r->os_fingerprint))) {
5255 r = TAILQ_NEXT(r, entries);
5256 } else {
5257 if (r->tag) {
5258 tag = r->tag;
5259 }
5260 if (PF_RTABLEID_IS_VALID(r->rtableid)) {
5261 rtableid = r->rtableid;
5262 }
5263 if (r->anchor == NULL) {
5264 match = 1;
5265 *rm = r;
5266 *am = a;
5267 *rsm = ruleset;
5268 if ((*rm)->quick) {
5269 break;
5270 }
5271 r = TAILQ_NEXT(r, entries);
5272 } else {
5273 pf_step_into_anchor(&asd, &ruleset,
5274 PF_RULESET_FILTER, &r, &a, &match);
5275 }
5276 }
5277 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
5278 PF_RULESET_FILTER, &r, &a, &match)) {
5279 break;
5280 }
5281 }
5282 r = *rm;
5283 a = *am;
5284 ruleset = *rsm;
5285
5286 REASON_SET(&reason, PFRES_MATCH);
5287
5288 if (r->log || (nr != NULL && nr->log)) {
5289 if (rewrite > 0) {
5290 if (rewrite < off + hdrlen) {
5291 rewrite = off + hdrlen;
5292 }
5293
5294 if (pf_lazy_makewritable(pd, pbuf, rewrite) == NULL) {
5295 REASON_SET(&reason, PFRES_MEMORY);
5296 return PF_DROP;
5297 }
5298
5299 pbuf_copy_back(pbuf, off, hdrlen, pd->hdr.any);
5300 }
5301 PFLOG_PACKET(kif, h, pbuf, pd->af, direction, reason,
5302 r->log ? r : nr, a, ruleset, pd);
5303 }
5304
5305 if ((r->action == PF_DROP) &&
5306 ((r->rule_flag & PFRULE_RETURNRST) ||
5307 (r->rule_flag & PFRULE_RETURNICMP) ||
5308 (r->rule_flag & PFRULE_RETURN))) {
5309 /* undo NAT changes, if they have taken place */
5310 /* XXX For NAT64 we are not reverting the changes */
5311 if (nr != NULL && nr->action != PF_NAT64) {
5312 if (direction == PF_OUT) {
5313 pd->af = af;
5314 switch (pd->proto) {
5315 case IPPROTO_TCP:
5316 pf_change_ap(direction, pd->mp, saddr,
5317 &th->th_sport, pd->ip_sum,
5318 &th->th_sum, &pd->baddr,
5319 bxport.port, 0, af, pd->af, 1);
5320 sxport.port = th->th_sport;
5321 rewrite++;
5322 break;
5323 case IPPROTO_UDP:
5324 pf_change_ap(direction, pd->mp, saddr,
5325 &pd->hdr.udp->uh_sport, pd->ip_sum,
5326 &pd->hdr.udp->uh_sum, &pd->baddr,
5327 bxport.port, 1, af, pd->af, 1);
5328 sxport.port = pd->hdr.udp->uh_sport;
5329 rewrite++;
5330 break;
5331 case IPPROTO_ICMP:
5332 #if INET6
5333 case IPPROTO_ICMPV6:
5334 #endif
5335 /* nothing! */
5336 break;
5337 case IPPROTO_GRE:
5338 PF_ACPY(&pd->baddr, saddr, af);
5339 ++rewrite;
5340 switch (af) {
5341 #if INET
5342 case AF_INET:
5343 pf_change_a(&saddr->v4addr.s_addr,
5344 pd->ip_sum,
5345 pd->baddr.v4addr.s_addr, 0);
5346 break;
5347 #endif /* INET */
5348 #if INET6
5349 case AF_INET6:
5350 PF_ACPY(saddr, &pd->baddr,
5351 AF_INET6);
5352 break;
5353 #endif /* INET6 */
5354 }
5355 break;
5356 case IPPROTO_ESP:
5357 PF_ACPY(&pd->baddr, saddr, af);
5358 switch (af) {
5359 #if INET
5360 case AF_INET:
5361 pf_change_a(&saddr->v4addr.s_addr,
5362 pd->ip_sum,
5363 pd->baddr.v4addr.s_addr, 0);
5364 break;
5365 #endif /* INET */
5366 #if INET6
5367 case AF_INET6:
5368 PF_ACPY(saddr, &pd->baddr,
5369 AF_INET6);
5370 break;
5371 #endif /* INET6 */
5372 }
5373 break;
5374 default:
5375 switch (af) {
5376 case AF_INET:
5377 pf_change_a(&saddr->v4addr.s_addr,
5378 pd->ip_sum,
5379 pd->baddr.v4addr.s_addr, 0);
5380 break;
5381 case AF_INET6:
5382 PF_ACPY(saddr, &pd->baddr, af);
5383 break;
5384 }
5385 }
5386 } else {
5387 switch (pd->proto) {
5388 case IPPROTO_TCP:
5389 pf_change_ap(direction, pd->mp, daddr,
5390 &th->th_dport, pd->ip_sum,
5391 &th->th_sum, &pd->bdaddr,
5392 bdxport.port, 0, af, pd->af, 1);
5393 dxport.port = th->th_dport;
5394 rewrite++;
5395 break;
5396 case IPPROTO_UDP:
5397 pf_change_ap(direction, pd->mp, daddr,
5398 &pd->hdr.udp->uh_dport, pd->ip_sum,
5399 &pd->hdr.udp->uh_sum, &pd->bdaddr,
5400 bdxport.port, 1, af, pd->af, 1);
5401 dxport.port = pd->hdr.udp->uh_dport;
5402 rewrite++;
5403 break;
5404 case IPPROTO_ICMP:
5405 #if INET6
5406 case IPPROTO_ICMPV6:
5407 #endif
5408 /* nothing! */
5409 break;
5410 case IPPROTO_GRE:
5411 if (pd->proto_variant ==
5412 PF_GRE_PPTP_VARIANT) {
5413 grev1->call_id =
5414 bdxport.call_id;
5415 }
5416 ++rewrite;
5417 switch (af) {
5418 #if INET
5419 case AF_INET:
5420 pf_change_a(&daddr->v4addr.s_addr,
5421 pd->ip_sum,
5422 pd->bdaddr.v4addr.s_addr, 0);
5423 break;
5424 #endif /* INET */
5425 #if INET6
5426 case AF_INET6:
5427 PF_ACPY(daddr, &pd->bdaddr,
5428 AF_INET6);
5429 break;
5430 #endif /* INET6 */
5431 }
5432 break;
5433 case IPPROTO_ESP:
5434 switch (af) {
5435 #if INET
5436 case AF_INET:
5437 pf_change_a(&daddr->v4addr.s_addr,
5438 pd->ip_sum,
5439 pd->bdaddr.v4addr.s_addr, 0);
5440 break;
5441 #endif /* INET */
5442 #if INET6
5443 case AF_INET6:
5444 PF_ACPY(daddr, &pd->bdaddr,
5445 AF_INET6);
5446 break;
5447 #endif /* INET6 */
5448 }
5449 break;
5450 default:
5451 switch (af) {
5452 case AF_INET:
5453 pf_change_a(&daddr->v4addr.s_addr,
5454 pd->ip_sum,
5455 pd->bdaddr.v4addr.s_addr, 0);
5456 break;
5457 #if INET6
5458 case AF_INET6:
5459 PF_ACPY(daddr, &pd->bdaddr, af);
5460 break;
5461 #endif /* INET6 */
5462 }
5463 }
5464 }
5465 }
5466 if (pd->proto == IPPROTO_TCP &&
5467 ((r->rule_flag & PFRULE_RETURNRST) ||
5468 (r->rule_flag & PFRULE_RETURN)) &&
5469 !(th->th_flags & TH_RST)) {
5470 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
5471 int len = 0;
5472 struct ip *h4;
5473 #if INET6
5474 struct ip6_hdr *h6;
5475 #endif /* INET6 */
5476
5477 switch (pd->af) {
5478 case AF_INET:
5479 h4 = pbuf->pb_data;
5480 len = ntohs(h4->ip_len) - off;
5481 break;
5482 #if INET6
5483 case AF_INET6:
5484 h6 = pbuf->pb_data;
5485 len = ntohs(h6->ip6_plen) -
5486 (off - sizeof(*h6));
5487 break;
5488 #endif /* INET6 */
5489 }
5490
5491 if (pf_check_proto_cksum(pbuf, off, len, IPPROTO_TCP,
5492 pd->af)) {
5493 REASON_SET(&reason, PFRES_PROTCKSUM);
5494 } else {
5495 if (th->th_flags & TH_SYN) {
5496 ack++;
5497 }
5498 if (th->th_flags & TH_FIN) {
5499 ack++;
5500 }
5501 pf_send_tcp(r, pd->af, pd->dst,
5502 pd->src, th->th_dport, th->th_sport,
5503 ntohl(th->th_ack), ack, TH_RST | TH_ACK, 0, 0,
5504 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
5505 }
5506 } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET &&
5507 pd->proto != IPPROTO_ESP && pd->proto != IPPROTO_AH &&
5508 r->return_icmp) {
5509 pf_send_icmp(pbuf, r->return_icmp >> 8,
5510 r->return_icmp & 255, pd->af, r);
5511 } else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 &&
5512 pd->proto != IPPROTO_ESP && pd->proto != IPPROTO_AH &&
5513 r->return_icmp6) {
5514 pf_send_icmp(pbuf, r->return_icmp6 >> 8,
5515 r->return_icmp6 & 255, pd->af, r);
5516 }
5517 }
5518
5519 if (r->action == PF_DROP) {
5520 return PF_DROP;
5521 }
5522
5523 /* prepare state key, for flowhash and/or the state (if created) */
5524 bzero(&psk, sizeof(psk));
5525 psk.proto = pd->proto;
5526 psk.direction = direction;
5527 if (pd->proto == IPPROTO_UDP) {
5528 if (ntohs(pd->hdr.udp->uh_sport) == PF_IKE_PORT &&
5529 ntohs(pd->hdr.udp->uh_dport) == PF_IKE_PORT) {
5530 psk.proto_variant = PF_EXTFILTER_APD;
5531 } else {
5532 psk.proto_variant = nr ? nr->extfilter : r->extfilter;
5533 if (psk.proto_variant < PF_EXTFILTER_APD) {
5534 psk.proto_variant = PF_EXTFILTER_APD;
5535 }
5536 }
5537 } else if (pd->proto == IPPROTO_GRE) {
5538 psk.proto_variant = pd->proto_variant;
5539 }
5540 if (direction == PF_OUT) {
5541 psk.af_gwy = af;
5542 PF_ACPY(&psk.gwy.addr, saddr, af);
5543 PF_ACPY(&psk.ext_gwy.addr, daddr, af);
5544 switch (pd->proto) {
5545 case IPPROTO_ESP:
5546 psk.gwy.xport.spi = 0;
5547 psk.ext_gwy.xport.spi = pd->hdr.esp->spi;
5548 break;
5549 case IPPROTO_ICMP:
5550 #if INET6
5551 case IPPROTO_ICMPV6:
5552 #endif
5553 /*
5554 * NAT64 requires protocol translation between ICMPv4
5555 * and ICMPv6. TCP and UDP do not require protocol
5556 * translation. To avoid adding complexity just to
5557 * handle ICMP(v4addr/v6addr), we always lookup for
5558 * proto = IPPROTO_ICMP on both LAN and WAN side
5559 */
5560 psk.proto = IPPROTO_ICMP;
5561 psk.gwy.xport.port = nxport.port;
5562 psk.ext_gwy.xport.spi = 0;
5563 break;
5564 default:
5565 psk.gwy.xport = sxport;
5566 psk.ext_gwy.xport = dxport;
5567 break;
5568 }
5569 psk.af_lan = af;
5570 if (nr != NULL) {
5571 PF_ACPY(&psk.lan.addr, &pd->baddr, af);
5572 psk.lan.xport = bxport;
5573 PF_ACPY(&psk.ext_lan.addr, &pd->bdaddr, af);
5574 psk.ext_lan.xport = bdxport;
5575 } else {
5576 PF_ACPY(&psk.lan.addr, &psk.gwy.addr, af);
5577 psk.lan.xport = psk.gwy.xport;
5578 PF_ACPY(&psk.ext_lan.addr, &psk.ext_gwy.addr, af);
5579 psk.ext_lan.xport = psk.ext_gwy.xport;
5580 }
5581 } else {
5582 psk.af_lan = af;
5583 if (nr && nr->action == PF_NAT64) {
5584 PF_ACPY(&psk.lan.addr, &pd->baddr, af);
5585 PF_ACPY(&psk.ext_lan.addr, &pd->bdaddr, af);
5586 } else {
5587 PF_ACPY(&psk.lan.addr, daddr, af);
5588 PF_ACPY(&psk.ext_lan.addr, saddr, af);
5589 }
5590 switch (pd->proto) {
5591 case IPPROTO_ICMP:
5592 #if INET6
5593 case IPPROTO_ICMPV6:
5594 #endif
5595 /*
5596 * NAT64 requires protocol translation between ICMPv4
5597 * and ICMPv6. TCP and UDP do not require protocol
5598 * translation. To avoid adding complexity just to
5599 * handle ICMP(v4addr/v6addr), we always lookup for
5600 * proto = IPPROTO_ICMP on both LAN and WAN side
5601 */
5602 psk.proto = IPPROTO_ICMP;
5603 if (nr && nr->action == PF_NAT64) {
5604 psk.lan.xport = bxport;
5605 psk.ext_lan.xport = bxport;
5606 } else {
5607 psk.lan.xport = nxport;
5608 psk.ext_lan.xport.spi = 0;
5609 }
5610 break;
5611 case IPPROTO_ESP:
5612 psk.ext_lan.xport.spi = 0;
5613 psk.lan.xport.spi = pd->hdr.esp->spi;
5614 break;
5615 default:
5616 if (nr != NULL) {
5617 if (nr->action == PF_NAT64) {
5618 psk.lan.xport = bxport;
5619 psk.ext_lan.xport = bdxport;
5620 } else {
5621 psk.lan.xport = dxport;
5622 psk.ext_lan.xport = sxport;
5623 }
5624 } else {
5625 psk.lan.xport = dxport;
5626 psk.ext_lan.xport = sxport;
5627 }
5628 break;
5629 }
5630 psk.af_gwy = pd->naf;
5631 if (nr != NULL) {
5632 if (nr->action == PF_NAT64) {
5633 PF_ACPY(&psk.gwy.addr, &pd->naddr, pd->naf);
5634 PF_ACPY(&psk.ext_gwy.addr, &pd->ndaddr,
5635 pd->naf);
5636 if ((pd->proto == IPPROTO_ICMPV6) ||
5637 (pd->proto == IPPROTO_ICMP)) {
5638 psk.gwy.xport = nxport;
5639 psk.ext_gwy.xport = nxport;
5640 } else {
5641 psk.gwy.xport = sxport;
5642 psk.ext_gwy.xport = dxport;
5643 }
5644 } else {
5645 PF_ACPY(&psk.gwy.addr, &pd->bdaddr, af);
5646 psk.gwy.xport = bdxport;
5647 PF_ACPY(&psk.ext_gwy.addr, saddr, af);
5648 psk.ext_gwy.xport = sxport;
5649 }
5650 } else {
5651 PF_ACPY(&psk.gwy.addr, &psk.lan.addr, af);
5652 psk.gwy.xport = psk.lan.xport;
5653 PF_ACPY(&psk.ext_gwy.addr, &psk.ext_lan.addr, af);
5654 psk.ext_gwy.xport = psk.ext_lan.xport;
5655 }
5656 }
5657 if (pd->pktflags & PKTF_FLOW_ID) {
5658 /* flow hash was already computed outside of PF */
5659 psk.flowsrc = pd->flowsrc;
5660 psk.flowhash = pd->flowhash;
5661 } else {
5662 /* compute flow hash and store it in state key */
5663 psk.flowsrc = FLOWSRC_PF;
5664 psk.flowhash = pf_calc_state_key_flowhash(&psk);
5665 pd->flowsrc = psk.flowsrc;
5666 pd->flowhash = psk.flowhash;
5667 pd->pktflags |= PKTF_FLOW_ID;
5668 pd->pktflags &= ~PKTF_FLOW_ADV;
5669 }
5670
5671 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, rtableid, pd)) {
5672 REASON_SET(&reason, PFRES_MEMORY);
5673 return PF_DROP;
5674 }
5675
5676 if (!state_icmp && (r->keep_state || nr != NULL ||
5677 (pd->flags & PFDESC_TCP_NORM))) {
5678 /* create new state */
5679 struct pf_state *s = NULL;
5680 struct pf_state_key *sk = NULL;
5681 struct pf_src_node *sn = NULL;
5682 struct pf_ike_hdr ike;
5683
5684 if (pd->proto == IPPROTO_UDP) {
5685 size_t plen = pbuf->pb_packet_len - off - sizeof(*uh);
5686
5687 if (ntohs(uh->uh_sport) == PF_IKE_PORT &&
5688 ntohs(uh->uh_dport) == PF_IKE_PORT &&
5689 plen >= PF_IKE_PACKET_MINSIZE) {
5690 if (plen > PF_IKE_PACKET_MINSIZE) {
5691 plen = PF_IKE_PACKET_MINSIZE;
5692 }
5693 pbuf_copy_data(pbuf, off + sizeof(*uh), plen,
5694 &ike);
5695 }
5696 }
5697
5698 if (nr != NULL && pd->proto == IPPROTO_ESP &&
5699 direction == PF_OUT) {
5700 struct pf_state_key_cmp sk0;
5701 struct pf_state *s0;
5702
5703 /*
5704 * <jhw@apple.com>
5705 * This squelches state creation if the external
5706 * address matches an existing incomplete state with a
5707 * different internal address. Only one 'blocking'
5708 * partial state is allowed for each external address.
5709 */
5710 memset(&sk0, 0, sizeof(sk0));
5711 sk0.af_gwy = pd->af;
5712 sk0.proto = IPPROTO_ESP;
5713 PF_ACPY(&sk0.gwy.addr, saddr, sk0.af_gwy);
5714 PF_ACPY(&sk0.ext_gwy.addr, daddr, sk0.af_gwy);
5715 s0 = pf_find_state(kif, &sk0, PF_IN);
5716
5717 if (s0 && PF_ANEQ(&s0->state_key->lan.addr,
5718 pd->src, pd->af)) {
5719 nsn = 0;
5720 goto cleanup;
5721 }
5722 }
5723
5724 /* check maximums */
5725 if (r->max_states && (r->states >= r->max_states)) {
5726 pf_status.lcounters[LCNT_STATES]++;
5727 REASON_SET(&reason, PFRES_MAXSTATES);
5728 goto cleanup;
5729 }
5730 /* src node for filter rule */
5731 if ((r->rule_flag & PFRULE_SRCTRACK ||
5732 r->rpool.opts & PF_POOL_STICKYADDR) &&
5733 pf_insert_src_node(&sn, r, saddr, af) != 0) {
5734 REASON_SET(&reason, PFRES_SRCLIMIT);
5735 goto cleanup;
5736 }
5737 /* src node for translation rule */
5738 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
5739 ((direction == PF_OUT &&
5740 nr->action != PF_RDR &&
5741 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
5742 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
5743 REASON_SET(&reason, PFRES_SRCLIMIT);
5744 goto cleanup;
5745 }
5746 s = pool_get(&pf_state_pl, PR_WAITOK);
5747 if (s == NULL) {
5748 REASON_SET(&reason, PFRES_MEMORY);
5749 cleanup:
5750 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
5751 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
5752 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
5753 pf_status.src_nodes--;
5754 pool_put(&pf_src_tree_pl, sn);
5755 }
5756 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
5757 nsn->expire == 0) {
5758 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
5759 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
5760 pf_status.src_nodes--;
5761 pool_put(&pf_src_tree_pl, nsn);
5762 }
5763 if (sk != NULL) {
5764 if (sk->app_state) {
5765 pool_put(&pf_app_state_pl,
5766 sk->app_state);
5767 }
5768 pool_put(&pf_state_key_pl, sk);
5769 }
5770 return PF_DROP;
5771 }
5772 bzero(s, sizeof(*s));
5773 TAILQ_INIT(&s->unlink_hooks);
5774 s->rule.ptr = r;
5775 s->nat_rule.ptr = nr;
5776 s->anchor.ptr = a;
5777 STATE_INC_COUNTERS(s);
5778 s->allow_opts = r->allow_opts;
5779 s->log = r->log & PF_LOG_ALL;
5780 if (nr != NULL) {
5781 s->log |= nr->log & PF_LOG_ALL;
5782 }
5783 switch (pd->proto) {
5784 case IPPROTO_TCP:
5785 s->src.seqlo = ntohl(th->th_seq);
5786 s->src.seqhi = s->src.seqlo + pd->p_len + 1;
5787 if ((th->th_flags & (TH_SYN | TH_ACK)) ==
5788 TH_SYN && r->keep_state == PF_STATE_MODULATE) {
5789 /* Generate sequence number modulator */
5790 if ((s->src.seqdiff = pf_tcp_iss(pd) -
5791 s->src.seqlo) == 0) {
5792 s->src.seqdiff = 1;
5793 }
5794 pf_change_a(&th->th_seq, &th->th_sum,
5795 htonl(s->src.seqlo + s->src.seqdiff), 0);
5796 rewrite = off + sizeof(*th);
5797 } else {
5798 s->src.seqdiff = 0;
5799 }
5800 if (th->th_flags & TH_SYN) {
5801 s->src.seqhi++;
5802 s->src.wscale = pf_get_wscale(pbuf, off,
5803 th->th_off, af);
5804 }
5805 s->src.max_win = MAX(ntohs(th->th_win), 1);
5806 if (s->src.wscale & PF_WSCALE_MASK) {
5807 /* Remove scale factor from initial window */
5808 int win = s->src.max_win;
5809 win += 1 << (s->src.wscale & PF_WSCALE_MASK);
5810 s->src.max_win = (win - 1) >>
5811 (s->src.wscale & PF_WSCALE_MASK);
5812 }
5813 if (th->th_flags & TH_FIN) {
5814 s->src.seqhi++;
5815 }
5816 s->dst.seqhi = 1;
5817 s->dst.max_win = 1;
5818 s->src.state = TCPS_SYN_SENT;
5819 s->dst.state = TCPS_CLOSED;
5820 s->timeout = PFTM_TCP_FIRST_PACKET;
5821 break;
5822 case IPPROTO_UDP:
5823 s->src.state = PFUDPS_SINGLE;
5824 s->dst.state = PFUDPS_NO_TRAFFIC;
5825 s->timeout = PFTM_UDP_FIRST_PACKET;
5826 break;
5827 case IPPROTO_ICMP:
5828 #if INET6
5829 case IPPROTO_ICMPV6:
5830 #endif
5831 s->timeout = PFTM_ICMP_FIRST_PACKET;
5832 break;
5833 case IPPROTO_GRE:
5834 s->src.state = PFGRE1S_INITIATING;
5835 s->dst.state = PFGRE1S_NO_TRAFFIC;
5836 s->timeout = PFTM_GREv1_INITIATING;
5837 break;
5838 case IPPROTO_ESP:
5839 s->src.state = PFESPS_INITIATING;
5840 s->dst.state = PFESPS_NO_TRAFFIC;
5841 s->timeout = PFTM_ESP_FIRST_PACKET;
5842 break;
5843 default:
5844 s->src.state = PFOTHERS_SINGLE;
5845 s->dst.state = PFOTHERS_NO_TRAFFIC;
5846 s->timeout = PFTM_OTHER_FIRST_PACKET;
5847 }
5848
5849 s->creation = pf_time_second();
5850 s->expire = pf_time_second();
5851
5852 if (sn != NULL) {
5853 s->src_node = sn;
5854 s->src_node->states++;
5855 VERIFY(s->src_node->states != 0);
5856 }
5857 if (nsn != NULL) {
5858 PF_ACPY(&nsn->raddr, &pd->naddr, af);
5859 s->nat_src_node = nsn;
5860 s->nat_src_node->states++;
5861 VERIFY(s->nat_src_node->states != 0);
5862 }
5863 if (pd->proto == IPPROTO_TCP) {
5864 if ((pd->flags & PFDESC_TCP_NORM) &&
5865 pf_normalize_tcp_init(pbuf, off, pd, th, &s->src,
5866 &s->dst)) {
5867 REASON_SET(&reason, PFRES_MEMORY);
5868 pf_src_tree_remove_state(s);
5869 STATE_DEC_COUNTERS(s);
5870 pool_put(&pf_state_pl, s);
5871 return PF_DROP;
5872 }
5873 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
5874 pf_normalize_tcp_stateful(pbuf, off, pd, &reason,
5875 th, s, &s->src, &s->dst, &rewrite)) {
5876 /* This really shouldn't happen!!! */
5877 DPFPRINTF(PF_DEBUG_URGENT,
5878 ("pf_normalize_tcp_stateful failed on "
5879 "first pkt"));
5880 pf_normalize_tcp_cleanup(s);
5881 pf_src_tree_remove_state(s);
5882 STATE_DEC_COUNTERS(s);
5883 pool_put(&pf_state_pl, s);
5884 return PF_DROP;
5885 }
5886 }
5887
5888 /* allocate state key and import values from psk */
5889 if ((sk = pf_alloc_state_key(s, &psk)) == NULL) {
5890 REASON_SET(&reason, PFRES_MEMORY);
5891 /*
5892 * XXXSCW: This will leak the freshly-allocated
5893 * state structure 's'. Although it should
5894 * eventually be aged-out and removed.
5895 */
5896 goto cleanup;
5897 }
5898
5899 pf_set_rt_ifp(s, saddr, af); /* needs s->state_key set */
5900
5901 pbuf = pd->mp; // XXXSCW: Why?
5902
5903 if (sk->app_state == 0) {
5904 switch (pd->proto) {
5905 case IPPROTO_TCP: {
5906 u_int16_t dport = (direction == PF_OUT) ?
5907 sk->ext_gwy.xport.port : sk->gwy.xport.port;
5908
5909 if (nr != NULL &&
5910 ntohs(dport) == PF_PPTP_PORT) {
5911 struct pf_app_state *as;
5912
5913 as = pool_get(&pf_app_state_pl,
5914 PR_WAITOK);
5915 if (!as) {
5916 REASON_SET(&reason,
5917 PFRES_MEMORY);
5918 goto cleanup;
5919 }
5920
5921 bzero(as, sizeof(*as));
5922 as->handler = pf_pptp_handler;
5923 as->compare_lan_ext = 0;
5924 as->compare_ext_gwy = 0;
5925 as->u.pptp.grev1_state = 0;
5926 sk->app_state = as;
5927 (void) hook_establish(&s->unlink_hooks,
5928 0, (hook_fn_t) pf_pptp_unlink, s);
5929 }
5930 break;
5931 }
5932
5933 case IPPROTO_UDP: {
5934 if (nr != NULL &&
5935 ntohs(uh->uh_sport) == PF_IKE_PORT &&
5936 ntohs(uh->uh_dport) == PF_IKE_PORT) {
5937 struct pf_app_state *as;
5938
5939 as = pool_get(&pf_app_state_pl,
5940 PR_WAITOK);
5941 if (!as) {
5942 REASON_SET(&reason,
5943 PFRES_MEMORY);
5944 goto cleanup;
5945 }
5946
5947 bzero(as, sizeof(*as));
5948 as->compare_lan_ext = pf_ike_compare;
5949 as->compare_ext_gwy = pf_ike_compare;
5950 as->u.ike.cookie = ike.initiator_cookie;
5951 sk->app_state = as;
5952 }
5953 break;
5954 }
5955
5956 default:
5957 break;
5958 }
5959 }
5960
5961 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
5962 if (pd->proto == IPPROTO_TCP) {
5963 pf_normalize_tcp_cleanup(s);
5964 }
5965 REASON_SET(&reason, PFRES_STATEINS);
5966 pf_src_tree_remove_state(s);
5967 STATE_DEC_COUNTERS(s);
5968 pool_put(&pf_state_pl, s);
5969 return PF_DROP;
5970 } else {
5971 *sm = s;
5972 }
5973 if (tag > 0) {
5974 pf_tag_ref(tag);
5975 s->tag = tag;
5976 }
5977 if (pd->proto == IPPROTO_TCP &&
5978 (th->th_flags & (TH_SYN | TH_ACK)) == TH_SYN &&
5979 r->keep_state == PF_STATE_SYNPROXY) {
5980 int ua = (sk->af_lan == sk->af_gwy) ? 1 : 0;
5981 s->src.state = PF_TCPS_PROXY_SRC;
5982 if (nr != NULL) {
5983 if (direction == PF_OUT) {
5984 pf_change_ap(direction, pd->mp, saddr,
5985 &th->th_sport, pd->ip_sum,
5986 &th->th_sum, &pd->baddr,
5987 bxport.port, 0, af, pd->af, ua);
5988 sxport.port = th->th_sport;
5989 } else {
5990 pf_change_ap(direction, pd->mp, daddr,
5991 &th->th_dport, pd->ip_sum,
5992 &th->th_sum, &pd->baddr,
5993 bxport.port, 0, af, pd->af, ua);
5994 sxport.port = th->th_dport;
5995 }
5996 }
5997 s->src.seqhi = htonl(random());
5998 /* Find mss option */
5999 mss = pf_get_mss(pbuf, off, th->th_off, af);
6000 mss = pf_calc_mss(saddr, af, mss);
6001 mss = pf_calc_mss(daddr, af, mss);
6002 s->src.mss = mss;
6003 pf_send_tcp(r, af, daddr, saddr, th->th_dport,
6004 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
6005 TH_SYN | TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL);
6006 REASON_SET(&reason, PFRES_SYNPROXY);
6007 return PF_SYNPROXY_DROP;
6008 }
6009
6010 if (sk->app_state && sk->app_state->handler) {
6011 int offx = off;
6012
6013 switch (pd->proto) {
6014 case IPPROTO_TCP:
6015 offx += th->th_off << 2;
6016 break;
6017 case IPPROTO_UDP:
6018 offx += pd->hdr.udp->uh_ulen << 2;
6019 break;
6020 default:
6021 /* ALG handlers only apply to TCP and UDP rules */
6022 break;
6023 }
6024
6025 if (offx > off) {
6026 sk->app_state->handler(s, direction, offx,
6027 pd, kif);
6028 if (pd->lmw < 0) {
6029 REASON_SET(&reason, PFRES_MEMORY);
6030 return PF_DROP;
6031 }
6032 pbuf = pd->mp; // XXXSCW: Why?
6033 }
6034 }
6035 }
6036
6037 /* copy back packet headers if we performed NAT operations */
6038 if (rewrite) {
6039 if (rewrite < off + hdrlen) {
6040 rewrite = off + hdrlen;
6041 }
6042
6043 if (pf_lazy_makewritable(pd, pd->mp, rewrite) == NULL) {
6044 REASON_SET(&reason, PFRES_MEMORY);
6045 return PF_DROP;
6046 }
6047
6048 pbuf_copy_back(pbuf, off, hdrlen, pd->hdr.any);
6049 if (af == AF_INET6 && pd->naf == AF_INET) {
6050 return pf_nat64_ipv6(pbuf, off, pd);
6051 } else if (af == AF_INET && pd->naf == AF_INET6) {
6052 return pf_nat64_ipv4(pbuf, off, pd);
6053 }
6054 }
6055
6056 return PF_PASS;
6057 }
6058
6059 boolean_t is_nlc_enabled_glb = FALSE;
6060
6061 static inline boolean_t
6062 pf_is_dummynet_enabled(void)
6063 {
6064 #if DUMMYNET
6065 if (__probable(!PF_IS_ENABLED)) {
6066 return FALSE;
6067 }
6068
6069 if (__probable(!DUMMYNET_LOADED)) {
6070 return FALSE;
6071 }
6072
6073 if (__probable(TAILQ_EMPTY(pf_main_ruleset.
6074 rules[PF_RULESET_DUMMYNET].active.ptr))) {
6075 return FALSE;
6076 }
6077
6078 return TRUE;
6079 #else
6080 return FALSE;
6081 #endif /* DUMMYNET */
6082 }
6083
6084 boolean_t
6085 pf_is_nlc_enabled(void)
6086 {
6087 #if DUMMYNET
6088 if (__probable(!pf_is_dummynet_enabled())) {
6089 return FALSE;
6090 }
6091
6092 if (__probable(!is_nlc_enabled_glb)) {
6093 return FALSE;
6094 }
6095
6096 return TRUE;
6097 #else
6098 return FALSE;
6099 #endif /* DUMMYNET */
6100 }
6101
6102 #if DUMMYNET
6103 /*
6104 * When pf_test_dummynet() returns PF_PASS, the rule matching parameter "rm"
6105 * remains unchanged, meaning the packet did not match a dummynet rule.
6106 * when the packet does match a dummynet rule, pf_test_dummynet() returns
6107 * PF_PASS and zero out the mbuf rule as the packet is effectively siphoned
6108 * out by dummynet.
6109 */
6110 static int
6111 pf_test_dummynet(struct pf_rule **rm, int direction, struct pfi_kif *kif,
6112 pbuf_t **pbuf0, struct pf_pdesc *pd, struct ip_fw_args *fwa)
6113 {
6114 pbuf_t *pbuf = *pbuf0;
6115 struct pf_rule *am = NULL;
6116 struct pf_ruleset *rsm = NULL;
6117 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
6118 sa_family_t af = pd->af;
6119 struct pf_rule *r, *a = NULL;
6120 struct pf_ruleset *ruleset = NULL;
6121 struct tcphdr *th = pd->hdr.tcp;
6122 u_short reason;
6123 int hdrlen = 0;
6124 int tag = -1;
6125 unsigned int rtableid = IFSCOPE_NONE;
6126 int asd = 0;
6127 int match = 0;
6128 u_int8_t icmptype = 0, icmpcode = 0;
6129 struct ip_fw_args dnflow;
6130 struct pf_rule *prev_matching_rule = fwa ? fwa->fwa_pf_rule : NULL;
6131 int found_prev_rule = (prev_matching_rule) ? 0 : 1;
6132
6133 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
6134
6135 if (!pf_is_dummynet_enabled()) {
6136 return PF_PASS;
6137 }
6138
6139 bzero(&dnflow, sizeof(dnflow));
6140
6141 hdrlen = 0;
6142
6143 /* Fragments don't gave protocol headers */
6144 if (!(pd->flags & PFDESC_IP_FRAG)) {
6145 switch (pd->proto) {
6146 case IPPROTO_TCP:
6147 dnflow.fwa_id.flags = pd->hdr.tcp->th_flags;
6148 dnflow.fwa_id.dst_port = ntohs(pd->hdr.tcp->th_dport);
6149 dnflow.fwa_id.src_port = ntohs(pd->hdr.tcp->th_sport);
6150 hdrlen = sizeof(*th);
6151 break;
6152 case IPPROTO_UDP:
6153 dnflow.fwa_id.dst_port = ntohs(pd->hdr.udp->uh_dport);
6154 dnflow.fwa_id.src_port = ntohs(pd->hdr.udp->uh_sport);
6155 hdrlen = sizeof(*pd->hdr.udp);
6156 break;
6157 #if INET
6158 case IPPROTO_ICMP:
6159 if (af != AF_INET) {
6160 break;
6161 }
6162 hdrlen = ICMP_MINLEN;
6163 icmptype = pd->hdr.icmp->icmp_type;
6164 icmpcode = pd->hdr.icmp->icmp_code;
6165 break;
6166 #endif /* INET */
6167 #if INET6
6168 case IPPROTO_ICMPV6:
6169 if (af != AF_INET6) {
6170 break;
6171 }
6172 hdrlen = sizeof(*pd->hdr.icmp6);
6173 icmptype = pd->hdr.icmp6->icmp6_type;
6174 icmpcode = pd->hdr.icmp6->icmp6_code;
6175 break;
6176 #endif /* INET6 */
6177 case IPPROTO_GRE:
6178 if (pd->proto_variant == PF_GRE_PPTP_VARIANT) {
6179 hdrlen = sizeof(*pd->hdr.grev1);
6180 }
6181 break;
6182 case IPPROTO_ESP:
6183 hdrlen = sizeof(*pd->hdr.esp);
6184 break;
6185 }
6186 }
6187
6188 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_DUMMYNET].active.ptr);
6189
6190 while (r != NULL) {
6191 r->evaluations++;
6192 if (pfi_kif_match(r->kif, kif) == r->ifnot) {
6193 r = r->skip[PF_SKIP_IFP].ptr;
6194 } else if (r->direction && r->direction != direction) {
6195 r = r->skip[PF_SKIP_DIR].ptr;
6196 } else if (r->af && r->af != af) {
6197 r = r->skip[PF_SKIP_AF].ptr;
6198 } else if (r->proto && r->proto != pd->proto) {
6199 r = r->skip[PF_SKIP_PROTO].ptr;
6200 } else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
6201 r->src.neg, kif)) {
6202 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
6203 }
6204 /* tcp/udp only. port_op always 0 in other cases */
6205 else if (r->proto == pd->proto &&
6206 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
6207 ((pd->flags & PFDESC_IP_FRAG) ||
6208 ((r->src.xport.range.op &&
6209 !pf_match_port(r->src.xport.range.op,
6210 r->src.xport.range.port[0], r->src.xport.range.port[1],
6211 th->th_sport))))) {
6212 r = r->skip[PF_SKIP_SRC_PORT].ptr;
6213 } else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
6214 r->dst.neg, NULL)) {
6215 r = r->skip[PF_SKIP_DST_ADDR].ptr;
6216 }
6217 /* tcp/udp only. port_op always 0 in other cases */
6218 else if (r->proto == pd->proto &&
6219 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
6220 r->dst.xport.range.op &&
6221 ((pd->flags & PFDESC_IP_FRAG) ||
6222 !pf_match_port(r->dst.xport.range.op,
6223 r->dst.xport.range.port[0], r->dst.xport.range.port[1],
6224 th->th_dport))) {
6225 r = r->skip[PF_SKIP_DST_PORT].ptr;
6226 }
6227 /* icmp only. type always 0 in other cases */
6228 else if (r->type &&
6229 ((pd->flags & PFDESC_IP_FRAG) ||
6230 r->type != icmptype + 1)) {
6231 r = TAILQ_NEXT(r, entries);
6232 }
6233 /* icmp only. type always 0 in other cases */
6234 else if (r->code &&
6235 ((pd->flags & PFDESC_IP_FRAG) ||
6236 r->code != icmpcode + 1)) {
6237 r = TAILQ_NEXT(r, entries);
6238 } else if (r->tos && !(r->tos == pd->tos)) {
6239 r = TAILQ_NEXT(r, entries);
6240 } else if (r->rule_flag & PFRULE_FRAGMENT) {
6241 r = TAILQ_NEXT(r, entries);
6242 } else if (pd->proto == IPPROTO_TCP &&
6243 ((pd->flags & PFDESC_IP_FRAG) ||
6244 (r->flagset & th->th_flags) != r->flags)) {
6245 r = TAILQ_NEXT(r, entries);
6246 } else if (r->prob && r->prob <= (RandomULong() % (UINT_MAX - 1) + 1)) {
6247 r = TAILQ_NEXT(r, entries);
6248 } else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag)) {
6249 r = TAILQ_NEXT(r, entries);
6250 } else {
6251 /*
6252 * Need to go past the previous dummynet matching rule
6253 */
6254 if (r->anchor == NULL) {
6255 if (found_prev_rule) {
6256 if (r->tag) {
6257 tag = r->tag;
6258 }
6259 if (PF_RTABLEID_IS_VALID(r->rtableid)) {
6260 rtableid = r->rtableid;
6261 }
6262 match = 1;
6263 *rm = r;
6264 am = a;
6265 rsm = ruleset;
6266 if ((*rm)->quick) {
6267 break;
6268 }
6269 } else if (r == prev_matching_rule) {
6270 found_prev_rule = 1;
6271 }
6272 r = TAILQ_NEXT(r, entries);
6273 } else {
6274 pf_step_into_anchor(&asd, &ruleset,
6275 PF_RULESET_DUMMYNET, &r, &a, &match);
6276 }
6277 }
6278 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
6279 PF_RULESET_DUMMYNET, &r, &a, &match)) {
6280 break;
6281 }
6282 }
6283 r = *rm;
6284 a = am;
6285 ruleset = rsm;
6286
6287 if (!match) {
6288 return PF_PASS;
6289 }
6290
6291 REASON_SET(&reason, PFRES_DUMMYNET);
6292
6293 if (r->log) {
6294 PFLOG_PACKET(kif, h, pbuf, af, direction, reason, r,
6295 a, ruleset, pd);
6296 }
6297
6298 if (r->action == PF_NODUMMYNET) {
6299 int dirndx = (direction == PF_OUT);
6300
6301 r->packets[dirndx]++;
6302 r->bytes[dirndx] += pd->tot_len;
6303
6304 return PF_PASS;
6305 }
6306 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, rtableid, pd)) {
6307 REASON_SET(&reason, PFRES_MEMORY);
6308
6309 return PF_DROP;
6310 }
6311
6312 if (r->dnpipe && ip_dn_io_ptr != NULL) {
6313 struct mbuf *m;
6314 int dirndx = (direction == PF_OUT);
6315
6316 r->packets[dirndx]++;
6317 r->bytes[dirndx] += pd->tot_len;
6318
6319 dnflow.fwa_cookie = r->dnpipe;
6320 dnflow.fwa_pf_rule = r;
6321 dnflow.fwa_id.proto = pd->proto;
6322 dnflow.fwa_flags = r->dntype;
6323 switch (af) {
6324 case AF_INET:
6325 dnflow.fwa_id.addr_type = 4;
6326 dnflow.fwa_id.src_ip = ntohl(saddr->v4addr.s_addr);
6327 dnflow.fwa_id.dst_ip = ntohl(daddr->v4addr.s_addr);
6328 break;
6329 case AF_INET6:
6330 dnflow.fwa_id.addr_type = 6;
6331 dnflow.fwa_id.src_ip6 = saddr->v6addr;
6332 dnflow.fwa_id.dst_ip6 = saddr->v6addr;
6333 break;
6334 }
6335
6336 if (fwa != NULL) {
6337 dnflow.fwa_oif = fwa->fwa_oif;
6338 dnflow.fwa_oflags = fwa->fwa_oflags;
6339 /*
6340 * Note that fwa_ro, fwa_dst and fwa_ipoa are
6341 * actually in a union so the following does work
6342 * for both IPv4 and IPv6
6343 */
6344 dnflow.fwa_ro = fwa->fwa_ro;
6345 dnflow.fwa_dst = fwa->fwa_dst;
6346 dnflow.fwa_ipoa = fwa->fwa_ipoa;
6347 dnflow.fwa_ro6_pmtu = fwa->fwa_ro6_pmtu;
6348 dnflow.fwa_origifp = fwa->fwa_origifp;
6349 dnflow.fwa_mtu = fwa->fwa_mtu;
6350 dnflow.fwa_alwaysfrag = fwa->fwa_alwaysfrag;
6351 dnflow.fwa_unfragpartlen = fwa->fwa_unfragpartlen;
6352 dnflow.fwa_exthdrs = fwa->fwa_exthdrs;
6353 }
6354
6355 if (af == AF_INET) {
6356 struct ip *iphdr = pbuf->pb_data;
6357 NTOHS(iphdr->ip_len);
6358 NTOHS(iphdr->ip_off);
6359 }
6360 /*
6361 * Don't need to unlock pf_lock as NET_THREAD_HELD_PF
6362 * allows for recursive behavior
6363 */
6364 m = pbuf_to_mbuf(pbuf, TRUE);
6365 if (m != NULL) {
6366 ip_dn_io_ptr(m,
6367 dnflow.fwa_cookie, (af == AF_INET) ?
6368 ((direction == PF_IN) ? DN_TO_IP_IN : DN_TO_IP_OUT) :
6369 ((direction == PF_IN) ? DN_TO_IP6_IN : DN_TO_IP6_OUT),
6370 &dnflow, DN_CLIENT_PF);
6371 }
6372
6373 /*
6374 * The packet is siphoned out by dummynet so return a NULL
6375 * pbuf so the caller can still return success.
6376 */
6377 *pbuf0 = NULL;
6378
6379 return PF_PASS;
6380 }
6381
6382 return PF_PASS;
6383 }
6384 #endif /* DUMMYNET */
6385
6386 static int
6387 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
6388 pbuf_t *pbuf, void *h, struct pf_pdesc *pd, struct pf_rule **am,
6389 struct pf_ruleset **rsm)
6390 {
6391 #pragma unused(h)
6392 struct pf_rule *r, *a = NULL;
6393 struct pf_ruleset *ruleset = NULL;
6394 sa_family_t af = pd->af;
6395 u_short reason;
6396 int tag = -1;
6397 int asd = 0;
6398 int match = 0;
6399
6400 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
6401 while (r != NULL) {
6402 r->evaluations++;
6403 if (pfi_kif_match(r->kif, kif) == r->ifnot) {
6404 r = r->skip[PF_SKIP_IFP].ptr;
6405 } else if (r->direction && r->direction != direction) {
6406 r = r->skip[PF_SKIP_DIR].ptr;
6407 } else if (r->af && r->af != af) {
6408 r = r->skip[PF_SKIP_AF].ptr;
6409 } else if (r->proto && r->proto != pd->proto) {
6410 r = r->skip[PF_SKIP_PROTO].ptr;
6411 } else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
6412 r->src.neg, kif)) {
6413 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
6414 } else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
6415 r->dst.neg, NULL)) {
6416 r = r->skip[PF_SKIP_DST_ADDR].ptr;
6417 } else if ((r->rule_flag & PFRULE_TOS) && r->tos &&
6418 !(r->tos & pd->tos)) {
6419 r = TAILQ_NEXT(r, entries);
6420 } else if ((r->rule_flag & PFRULE_DSCP) && r->tos &&
6421 !(r->tos & (pd->tos & DSCP_MASK))) {
6422 r = TAILQ_NEXT(r, entries);
6423 } else if ((r->rule_flag & PFRULE_SC) && r->tos &&
6424 ((r->tos & SCIDX_MASK) != pd->sc)) {
6425 r = TAILQ_NEXT(r, entries);
6426 } else if (r->os_fingerprint != PF_OSFP_ANY) {
6427 r = TAILQ_NEXT(r, entries);
6428 } else if (pd->proto == IPPROTO_UDP &&
6429 (r->src.xport.range.op || r->dst.xport.range.op)) {
6430 r = TAILQ_NEXT(r, entries);
6431 } else if (pd->proto == IPPROTO_TCP &&
6432 (r->src.xport.range.op || r->dst.xport.range.op ||
6433 r->flagset)) {
6434 r = TAILQ_NEXT(r, entries);
6435 } else if ((pd->proto == IPPROTO_ICMP ||
6436 pd->proto == IPPROTO_ICMPV6) &&
6437 (r->type || r->code)) {
6438 r = TAILQ_NEXT(r, entries);
6439 } else if (r->prob && r->prob <= (RandomULong() % (UINT_MAX - 1) + 1)) {
6440 r = TAILQ_NEXT(r, entries);
6441 } else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag)) {
6442 r = TAILQ_NEXT(r, entries);
6443 } else {
6444 if (r->anchor == NULL) {
6445 match = 1;
6446 *rm = r;
6447 *am = a;
6448 *rsm = ruleset;
6449 if ((*rm)->quick) {
6450 break;
6451 }
6452 r = TAILQ_NEXT(r, entries);
6453 } else {
6454 pf_step_into_anchor(&asd, &ruleset,
6455 PF_RULESET_FILTER, &r, &a, &match);
6456 }
6457 }
6458 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
6459 PF_RULESET_FILTER, &r, &a, &match)) {
6460 break;
6461 }
6462 }
6463 r = *rm;
6464 a = *am;
6465 ruleset = *rsm;
6466
6467 REASON_SET(&reason, PFRES_MATCH);
6468
6469 if (r->log) {
6470 PFLOG_PACKET(kif, h, pbuf, af, direction, reason, r, a, ruleset,
6471 pd);
6472 }
6473
6474 if (r->action != PF_PASS) {
6475 return PF_DROP;
6476 }
6477
6478 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, -1, NULL)) {
6479 REASON_SET(&reason, PFRES_MEMORY);
6480 return PF_DROP;
6481 }
6482
6483 return PF_PASS;
6484 }
6485
6486 static void
6487 pf_pptp_handler(struct pf_state *s, int direction, int off,
6488 struct pf_pdesc *pd, struct pfi_kif *kif)
6489 {
6490 #pragma unused(direction)
6491 struct tcphdr *th;
6492 struct pf_pptp_state *pptps;
6493 struct pf_pptp_ctrl_msg cm;
6494 size_t plen, tlen;
6495 struct pf_state *gs;
6496 u_int16_t ct;
6497 u_int16_t *pac_call_id;
6498 u_int16_t *pns_call_id;
6499 u_int16_t *spoof_call_id;
6500 u_int8_t *pac_state;
6501 u_int8_t *pns_state;
6502 enum { PF_PPTP_PASS, PF_PPTP_INSERT_GRE, PF_PPTP_REMOVE_GRE } op;
6503 pbuf_t *pbuf;
6504 struct pf_state_key *sk;
6505 struct pf_state_key *gsk;
6506 struct pf_app_state *gas;
6507
6508 sk = s->state_key;
6509 pptps = &sk->app_state->u.pptp;
6510 gs = pptps->grev1_state;
6511
6512 if (gs) {
6513 gs->expire = pf_time_second();
6514 }
6515
6516 pbuf = pd->mp;
6517 plen = min(sizeof(cm), pbuf->pb_packet_len - off);
6518 if (plen < PF_PPTP_CTRL_MSG_MINSIZE) {
6519 return;
6520 }
6521 tlen = plen - PF_PPTP_CTRL_MSG_MINSIZE;
6522 pbuf_copy_data(pbuf, off, plen, &cm);
6523
6524 if (ntohl(cm.hdr.magic) != PF_PPTP_MAGIC_NUMBER) {
6525 return;
6526 }
6527 if (ntohs(cm.hdr.type) != 1) {
6528 return;
6529 }
6530
6531 #define TYPE_LEN_CHECK(_type, _name) \
6532 case PF_PPTP_CTRL_TYPE_##_type: \
6533 if (tlen < sizeof(struct pf_pptp_ctrl_##_name)) \
6534 return; \
6535 break;
6536
6537 switch (cm.ctrl.type) {
6538 TYPE_LEN_CHECK(START_REQ, start_req);
6539 TYPE_LEN_CHECK(START_RPY, start_rpy);
6540 TYPE_LEN_CHECK(STOP_REQ, stop_req);
6541 TYPE_LEN_CHECK(STOP_RPY, stop_rpy);
6542 TYPE_LEN_CHECK(ECHO_REQ, echo_req);
6543 TYPE_LEN_CHECK(ECHO_RPY, echo_rpy);
6544 TYPE_LEN_CHECK(CALL_OUT_REQ, call_out_req);
6545 TYPE_LEN_CHECK(CALL_OUT_RPY, call_out_rpy);
6546 TYPE_LEN_CHECK(CALL_IN_1ST, call_in_1st);
6547 TYPE_LEN_CHECK(CALL_IN_2ND, call_in_2nd);
6548 TYPE_LEN_CHECK(CALL_IN_3RD, call_in_3rd);
6549 TYPE_LEN_CHECK(CALL_CLR, call_clr);
6550 TYPE_LEN_CHECK(CALL_DISC, call_disc);
6551 TYPE_LEN_CHECK(ERROR, error);
6552 TYPE_LEN_CHECK(SET_LINKINFO, set_linkinfo);
6553 default:
6554 return;
6555 }
6556 #undef TYPE_LEN_CHECK
6557
6558 if (!gs) {
6559 gs = pool_get(&pf_state_pl, PR_WAITOK);
6560 if (!gs) {
6561 return;
6562 }
6563
6564 memcpy(gs, s, sizeof(*gs));
6565
6566 memset(&gs->entry_id, 0, sizeof(gs->entry_id));
6567 memset(&gs->entry_list, 0, sizeof(gs->entry_list));
6568
6569 TAILQ_INIT(&gs->unlink_hooks);
6570 gs->rt_kif = NULL;
6571 gs->creation = 0;
6572 gs->pfsync_time = 0;
6573 gs->packets[0] = gs->packets[1] = 0;
6574 gs->bytes[0] = gs->bytes[1] = 0;
6575 gs->timeout = PFTM_UNLINKED;
6576 gs->id = gs->creatorid = 0;
6577 gs->src.state = gs->dst.state = PFGRE1S_NO_TRAFFIC;
6578 gs->src.scrub = gs->dst.scrub = 0;
6579
6580 gas = pool_get(&pf_app_state_pl, PR_NOWAIT);
6581 if (!gas) {
6582 pool_put(&pf_state_pl, gs);
6583 return;
6584 }
6585
6586 gsk = pf_alloc_state_key(gs, NULL);
6587 if (!gsk) {
6588 pool_put(&pf_app_state_pl, gas);
6589 pool_put(&pf_state_pl, gs);
6590 return;
6591 }
6592
6593 memcpy(&gsk->lan, &sk->lan, sizeof(gsk->lan));
6594 memcpy(&gsk->gwy, &sk->gwy, sizeof(gsk->gwy));
6595 memcpy(&gsk->ext_lan, &sk->ext_lan, sizeof(gsk->ext_lan));
6596 memcpy(&gsk->ext_gwy, &sk->ext_gwy, sizeof(gsk->ext_gwy));
6597 gsk->af_lan = sk->af_lan;
6598 gsk->af_gwy = sk->af_gwy;
6599 gsk->proto = IPPROTO_GRE;
6600 gsk->proto_variant = PF_GRE_PPTP_VARIANT;
6601 gsk->app_state = gas;
6602 gsk->lan.xport.call_id = 0;
6603 gsk->gwy.xport.call_id = 0;
6604 gsk->ext_lan.xport.call_id = 0;
6605 gsk->ext_gwy.xport.call_id = 0;
6606 gsk->flowsrc = FLOWSRC_PF;
6607 gsk->flowhash = pf_calc_state_key_flowhash(gsk);
6608 memset(gas, 0, sizeof(*gas));
6609 gas->u.grev1.pptp_state = s;
6610 STATE_INC_COUNTERS(gs);
6611 pptps->grev1_state = gs;
6612 (void) hook_establish(&gs->unlink_hooks, 0,
6613 (hook_fn_t) pf_grev1_unlink, gs);
6614 } else {
6615 gsk = gs->state_key;
6616 }
6617
6618 switch (sk->direction) {
6619 case PF_IN:
6620 pns_call_id = &gsk->ext_lan.xport.call_id;
6621 pns_state = &gs->dst.state;
6622 pac_call_id = &gsk->lan.xport.call_id;
6623 pac_state = &gs->src.state;
6624 break;
6625
6626 case PF_OUT:
6627 pns_call_id = &gsk->lan.xport.call_id;
6628 pns_state = &gs->src.state;
6629 pac_call_id = &gsk->ext_lan.xport.call_id;
6630 pac_state = &gs->dst.state;
6631 break;
6632
6633 default:
6634 DPFPRINTF(PF_DEBUG_URGENT,
6635 ("pf_pptp_handler: bad directional!\n"));
6636 return;
6637 }
6638
6639 spoof_call_id = 0;
6640 op = PF_PPTP_PASS;
6641
6642 ct = ntohs(cm.ctrl.type);
6643
6644 switch (ct) {
6645 case PF_PPTP_CTRL_TYPE_CALL_OUT_REQ:
6646 *pns_call_id = cm.msg.call_out_req.call_id;
6647 *pns_state = PFGRE1S_INITIATING;
6648 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id) {
6649 spoof_call_id = &cm.msg.call_out_req.call_id;
6650 }
6651 break;
6652
6653 case PF_PPTP_CTRL_TYPE_CALL_OUT_RPY:
6654 *pac_call_id = cm.msg.call_out_rpy.call_id;
6655 if (s->nat_rule.ptr) {
6656 spoof_call_id =
6657 (pac_call_id == &gsk->lan.xport.call_id) ?
6658 &cm.msg.call_out_rpy.call_id :
6659 &cm.msg.call_out_rpy.peer_call_id;
6660 }
6661 if (gs->timeout == PFTM_UNLINKED) {
6662 *pac_state = PFGRE1S_INITIATING;
6663 op = PF_PPTP_INSERT_GRE;
6664 }
6665 break;
6666
6667 case PF_PPTP_CTRL_TYPE_CALL_IN_1ST:
6668 *pns_call_id = cm.msg.call_in_1st.call_id;
6669 *pns_state = PFGRE1S_INITIATING;
6670 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id) {
6671 spoof_call_id = &cm.msg.call_in_1st.call_id;
6672 }
6673 break;
6674
6675 case PF_PPTP_CTRL_TYPE_CALL_IN_2ND:
6676 *pac_call_id = cm.msg.call_in_2nd.call_id;
6677 *pac_state = PFGRE1S_INITIATING;
6678 if (s->nat_rule.ptr) {
6679 spoof_call_id =
6680 (pac_call_id == &gsk->lan.xport.call_id) ?
6681 &cm.msg.call_in_2nd.call_id :
6682 &cm.msg.call_in_2nd.peer_call_id;
6683 }
6684 break;
6685
6686 case PF_PPTP_CTRL_TYPE_CALL_IN_3RD:
6687 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id) {
6688 spoof_call_id = &cm.msg.call_in_3rd.call_id;
6689 }
6690 if (cm.msg.call_in_3rd.call_id != *pns_call_id) {
6691 break;
6692 }
6693 if (gs->timeout == PFTM_UNLINKED) {
6694 op = PF_PPTP_INSERT_GRE;
6695 }
6696 break;
6697
6698 case PF_PPTP_CTRL_TYPE_CALL_CLR:
6699 if (cm.msg.call_clr.call_id != *pns_call_id) {
6700 op = PF_PPTP_REMOVE_GRE;
6701 }
6702 break;
6703
6704 case PF_PPTP_CTRL_TYPE_CALL_DISC:
6705 if (cm.msg.call_clr.call_id != *pac_call_id) {
6706 op = PF_PPTP_REMOVE_GRE;
6707 }
6708 break;
6709
6710 case PF_PPTP_CTRL_TYPE_ERROR:
6711 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id) {
6712 spoof_call_id = &cm.msg.error.peer_call_id;
6713 }
6714 break;
6715
6716 case PF_PPTP_CTRL_TYPE_SET_LINKINFO:
6717 if (s->nat_rule.ptr && pac_call_id == &gsk->lan.xport.call_id) {
6718 spoof_call_id = &cm.msg.set_linkinfo.peer_call_id;
6719 }
6720 break;
6721
6722 default:
6723 op = PF_PPTP_PASS;
6724 break;
6725 }
6726
6727 if (!gsk->gwy.xport.call_id && gsk->lan.xport.call_id) {
6728 gsk->gwy.xport.call_id = gsk->lan.xport.call_id;
6729 if (spoof_call_id) {
6730 u_int16_t call_id = 0;
6731 int n = 0;
6732 struct pf_state_key_cmp key;
6733
6734 key.af_gwy = gsk->af_gwy;
6735 key.proto = IPPROTO_GRE;
6736 key.proto_variant = PF_GRE_PPTP_VARIANT;
6737 PF_ACPY(&key.gwy.addr, &gsk->gwy.addr, key.af_gwy);
6738 PF_ACPY(&key.ext_gwy.addr, &gsk->ext_gwy.addr, key.af_gwy);
6739 key.gwy.xport.call_id = gsk->gwy.xport.call_id;
6740 key.ext_gwy.xport.call_id = gsk->ext_gwy.xport.call_id;
6741 do {
6742 call_id = htonl(random());
6743 } while (!call_id);
6744
6745 while (pf_find_state_all(&key, PF_IN, 0)) {
6746 call_id = ntohs(call_id);
6747 --call_id;
6748 if (--call_id == 0) {
6749 call_id = 0xffff;
6750 }
6751 call_id = htons(call_id);
6752
6753 key.gwy.xport.call_id = call_id;
6754
6755 if (++n > 65535) {
6756 DPFPRINTF(PF_DEBUG_URGENT,
6757 ("pf_pptp_handler: failed to spoof "
6758 "call id\n"));
6759 key.gwy.xport.call_id = 0;
6760 break;
6761 }
6762 }
6763
6764 gsk->gwy.xport.call_id = call_id;
6765 }
6766 }
6767
6768 th = pd->hdr.tcp;
6769
6770 if (spoof_call_id && gsk->lan.xport.call_id != gsk->gwy.xport.call_id) {
6771 if (*spoof_call_id == gsk->gwy.xport.call_id) {
6772 *spoof_call_id = gsk->lan.xport.call_id;
6773 th->th_sum = pf_cksum_fixup(th->th_sum,
6774 gsk->gwy.xport.call_id, gsk->lan.xport.call_id, 0);
6775 } else {
6776 *spoof_call_id = gsk->gwy.xport.call_id;
6777 th->th_sum = pf_cksum_fixup(th->th_sum,
6778 gsk->lan.xport.call_id, gsk->gwy.xport.call_id, 0);
6779 }
6780
6781 if (pf_lazy_makewritable(pd, pbuf, off + plen) == NULL) {
6782 pptps->grev1_state = NULL;
6783 STATE_DEC_COUNTERS(gs);
6784 pool_put(&pf_state_pl, gs);
6785 return;
6786 }
6787 pbuf_copy_back(pbuf, off, plen, &cm);
6788 }
6789
6790 switch (op) {
6791 case PF_PPTP_REMOVE_GRE:
6792 gs->timeout = PFTM_PURGE;
6793 gs->src.state = gs->dst.state = PFGRE1S_NO_TRAFFIC;
6794 gsk->lan.xport.call_id = 0;
6795 gsk->gwy.xport.call_id = 0;
6796 gsk->ext_lan.xport.call_id = 0;
6797 gsk->ext_gwy.xport.call_id = 0;
6798 gs->id = gs->creatorid = 0;
6799 break;
6800
6801 case PF_PPTP_INSERT_GRE:
6802 gs->creation = pf_time_second();
6803 gs->expire = pf_time_second();
6804 gs->timeout = PFTM_TCP_ESTABLISHED;
6805 if (gs->src_node != NULL) {
6806 ++gs->src_node->states;
6807 VERIFY(gs->src_node->states != 0);
6808 }
6809 if (gs->nat_src_node != NULL) {
6810 ++gs->nat_src_node->states;
6811 VERIFY(gs->nat_src_node->states != 0);
6812 }
6813 pf_set_rt_ifp(gs, &sk->lan.addr, sk->af_lan);
6814 if (pf_insert_state(BOUND_IFACE(s->rule.ptr, kif), gs)) {
6815 /*
6816 * <jhw@apple.com>
6817 * FIX ME: insertion can fail when multiple PNS
6818 * behind the same NAT open calls to the same PAC
6819 * simultaneously because spoofed call ID numbers
6820 * are chosen before states are inserted. This is
6821 * hard to fix and happens infrequently enough that
6822 * users will normally try again and this ALG will
6823 * succeed. Failures are expected to be rare enough
6824 * that fixing this is a low priority.
6825 */
6826 pptps->grev1_state = NULL;
6827 pd->lmw = -1; /* Force PF_DROP on PFRES_MEMORY */
6828 pf_src_tree_remove_state(gs);
6829 STATE_DEC_COUNTERS(gs);
6830 pool_put(&pf_state_pl, gs);
6831 DPFPRINTF(PF_DEBUG_URGENT, ("pf_pptp_handler: error "
6832 "inserting GREv1 state.\n"));
6833 }
6834 break;
6835
6836 default:
6837 break;
6838 }
6839 }
6840
6841 static void
6842 pf_pptp_unlink(struct pf_state *s)
6843 {
6844 struct pf_app_state *as = s->state_key->app_state;
6845 struct pf_state *grev1s = as->u.pptp.grev1_state;
6846
6847 if (grev1s) {
6848 struct pf_app_state *gas = grev1s->state_key->app_state;
6849
6850 if (grev1s->timeout < PFTM_MAX) {
6851 grev1s->timeout = PFTM_PURGE;
6852 }
6853 gas->u.grev1.pptp_state = NULL;
6854 as->u.pptp.grev1_state = NULL;
6855 }
6856 }
6857
6858 static void
6859 pf_grev1_unlink(struct pf_state *s)
6860 {
6861 struct pf_app_state *as = s->state_key->app_state;
6862 struct pf_state *pptps = as->u.grev1.pptp_state;
6863
6864 if (pptps) {
6865 struct pf_app_state *pas = pptps->state_key->app_state;
6866
6867 pas->u.pptp.grev1_state = NULL;
6868 as->u.grev1.pptp_state = NULL;
6869 }
6870 }
6871
6872 static int
6873 pf_ike_compare(struct pf_app_state *a, struct pf_app_state *b)
6874 {
6875 int64_t d = a->u.ike.cookie - b->u.ike.cookie;
6876 return (d > 0) ? 1 : ((d < 0) ? -1 : 0);
6877 }
6878
6879 static int
6880 pf_do_nat64(struct pf_state_key *sk, struct pf_pdesc *pd, pbuf_t *pbuf,
6881 int off)
6882 {
6883 if (pd->af == AF_INET) {
6884 if (pd->af != sk->af_lan) {
6885 pd->ndaddr = sk->lan.addr;
6886 pd->naddr = sk->ext_lan.addr;
6887 } else {
6888 pd->naddr = sk->gwy.addr;
6889 pd->ndaddr = sk->ext_gwy.addr;
6890 }
6891 return pf_nat64_ipv4(pbuf, off, pd);
6892 } else if (pd->af == AF_INET6) {
6893 if (pd->af != sk->af_lan) {
6894 pd->ndaddr = sk->lan.addr;
6895 pd->naddr = sk->ext_lan.addr;
6896 } else {
6897 pd->naddr = sk->gwy.addr;
6898 pd->ndaddr = sk->ext_gwy.addr;
6899 }
6900 return pf_nat64_ipv6(pbuf, off, pd);
6901 }
6902 return PF_DROP;
6903 }
6904
6905 static int
6906 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
6907 pbuf_t *pbuf, int off, void *h, struct pf_pdesc *pd,
6908 u_short *reason)
6909 {
6910 #pragma unused(h)
6911 struct pf_state_key_cmp key;
6912 struct tcphdr *th = pd->hdr.tcp;
6913 u_int16_t win = ntohs(th->th_win);
6914 u_int32_t ack, end, seq, orig_seq;
6915 u_int8_t sws, dws;
6916 int ackskew;
6917 int copyback = 0;
6918 struct pf_state_peer *src, *dst;
6919 struct pf_state_key *sk;
6920
6921 key.app_state = 0;
6922 key.proto = IPPROTO_TCP;
6923 key.af_lan = key.af_gwy = pd->af;
6924
6925 /*
6926 * For NAT64 the first time rule search and state creation
6927 * is done on the incoming side only.
6928 * Once the state gets created, NAT64's LAN side (ipv6) will
6929 * not be able to find the state in ext-gwy tree as that normally
6930 * is intended to be looked up for incoming traffic from the
6931 * WAN side.
6932 * Therefore to handle NAT64 case we init keys here for both
6933 * lan-ext as well as ext-gwy trees.
6934 * In the state lookup we attempt a lookup on both trees if
6935 * first one does not return any result and return a match if
6936 * the match state's was created by NAT64 rule.
6937 */
6938 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
6939 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
6940 key.ext_gwy.xport.port = th->th_sport;
6941 key.gwy.xport.port = th->th_dport;
6942
6943 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
6944 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
6945 key.lan.xport.port = th->th_sport;
6946 key.ext_lan.xport.port = th->th_dport;
6947
6948 STATE_LOOKUP();
6949
6950 sk = (*state)->state_key;
6951 /*
6952 * In case of NAT64 the translation is first applied on the LAN
6953 * side. Therefore for stack's address family comparison
6954 * we use sk->af_lan.
6955 */
6956 if ((direction == sk->direction) && (pd->af == sk->af_lan)) {
6957 src = &(*state)->src;
6958 dst = &(*state)->dst;
6959 } else {
6960 src = &(*state)->dst;
6961 dst = &(*state)->src;
6962 }
6963
6964 if (src->state == PF_TCPS_PROXY_SRC) {
6965 if (direction != sk->direction) {
6966 REASON_SET(reason, PFRES_SYNPROXY);
6967 return PF_SYNPROXY_DROP;
6968 }
6969 if (th->th_flags & TH_SYN) {
6970 if (ntohl(th->th_seq) != src->seqlo) {
6971 REASON_SET(reason, PFRES_SYNPROXY);
6972 return PF_DROP;
6973 }
6974 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
6975 pd->src, th->th_dport, th->th_sport,
6976 src->seqhi, ntohl(th->th_seq) + 1,
6977 TH_SYN | TH_ACK, 0, src->mss, 0, 1,
6978 0, NULL, NULL);
6979 REASON_SET(reason, PFRES_SYNPROXY);
6980 return PF_SYNPROXY_DROP;
6981 } else if (!(th->th_flags & TH_ACK) ||
6982 (ntohl(th->th_ack) != src->seqhi + 1) ||
6983 (ntohl(th->th_seq) != src->seqlo + 1)) {
6984 REASON_SET(reason, PFRES_SYNPROXY);
6985 return PF_DROP;
6986 } else if ((*state)->src_node != NULL &&
6987 pf_src_connlimit(state)) {
6988 REASON_SET(reason, PFRES_SRCLIMIT);
6989 return PF_DROP;
6990 } else {
6991 src->state = PF_TCPS_PROXY_DST;
6992 }
6993 }
6994 if (src->state == PF_TCPS_PROXY_DST) {
6995 struct pf_state_host *psrc, *pdst;
6996
6997 if (direction == PF_OUT) {
6998 psrc = &sk->gwy;
6999 pdst = &sk->ext_gwy;
7000 } else {
7001 psrc = &sk->ext_lan;
7002 pdst = &sk->lan;
7003 }
7004 if (direction == sk->direction) {
7005 if (((th->th_flags & (TH_SYN | TH_ACK)) != TH_ACK) ||
7006 (ntohl(th->th_ack) != src->seqhi + 1) ||
7007 (ntohl(th->th_seq) != src->seqlo + 1)) {
7008 REASON_SET(reason, PFRES_SYNPROXY);
7009 return PF_DROP;
7010 }
7011 src->max_win = MAX(ntohs(th->th_win), 1);
7012 if (dst->seqhi == 1) {
7013 dst->seqhi = htonl(random());
7014 }
7015 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
7016 &pdst->addr, psrc->xport.port, pdst->xport.port,
7017 dst->seqhi, 0, TH_SYN, 0,
7018 src->mss, 0, 0, (*state)->tag, NULL, NULL);
7019 REASON_SET(reason, PFRES_SYNPROXY);
7020 return PF_SYNPROXY_DROP;
7021 } else if (((th->th_flags & (TH_SYN | TH_ACK)) !=
7022 (TH_SYN | TH_ACK)) ||
7023 (ntohl(th->th_ack) != dst->seqhi + 1)) {
7024 REASON_SET(reason, PFRES_SYNPROXY);
7025 return PF_DROP;
7026 } else {
7027 dst->max_win = MAX(ntohs(th->th_win), 1);
7028 dst->seqlo = ntohl(th->th_seq);
7029 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
7030 pd->src, th->th_dport, th->th_sport,
7031 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
7032 TH_ACK, src->max_win, 0, 0, 0,
7033 (*state)->tag, NULL, NULL);
7034 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
7035 &pdst->addr, psrc->xport.port, pdst->xport.port,
7036 src->seqhi + 1, src->seqlo + 1,
7037 TH_ACK, dst->max_win, 0, 0, 1,
7038 0, NULL, NULL);
7039 src->seqdiff = dst->seqhi -
7040 src->seqlo;
7041 dst->seqdiff = src->seqhi -
7042 dst->seqlo;
7043 src->seqhi = src->seqlo +
7044 dst->max_win;
7045 dst->seqhi = dst->seqlo +
7046 src->max_win;
7047 src->wscale = dst->wscale = 0;
7048 src->state = dst->state =
7049 TCPS_ESTABLISHED;
7050 REASON_SET(reason, PFRES_SYNPROXY);
7051 return PF_SYNPROXY_DROP;
7052 }
7053 }
7054
7055 if (((th->th_flags & (TH_SYN | TH_ACK)) == TH_SYN) &&
7056 dst->state >= TCPS_FIN_WAIT_2 &&
7057 src->state >= TCPS_FIN_WAIT_2) {
7058 if (pf_status.debug >= PF_DEBUG_MISC) {
7059 printf("pf: state reuse ");
7060 pf_print_state(*state);
7061 pf_print_flags(th->th_flags);
7062 printf("\n");
7063 }
7064 /* XXX make sure it's the same direction ?? */
7065 src->state = dst->state = TCPS_CLOSED;
7066 pf_unlink_state(*state);
7067 *state = NULL;
7068 return PF_DROP;
7069 }
7070
7071 if ((th->th_flags & TH_SYN) == 0) {
7072 sws = (src->wscale & PF_WSCALE_FLAG) ?
7073 (src->wscale & PF_WSCALE_MASK) : TCP_MAX_WINSHIFT;
7074 dws = (dst->wscale & PF_WSCALE_FLAG) ?
7075 (dst->wscale & PF_WSCALE_MASK) : TCP_MAX_WINSHIFT;
7076 } else {
7077 sws = dws = 0;
7078 }
7079
7080 /*
7081 * Sequence tracking algorithm from Guido van Rooij's paper:
7082 * http://www.madison-gurkha.com/publications/tcp_filtering/
7083 * tcp_filtering.ps
7084 */
7085
7086 orig_seq = seq = ntohl(th->th_seq);
7087 if (src->seqlo == 0) {
7088 /* First packet from this end. Set its state */
7089
7090 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
7091 src->scrub == NULL) {
7092 if (pf_normalize_tcp_init(pbuf, off, pd, th, src, dst)) {
7093 REASON_SET(reason, PFRES_MEMORY);
7094 return PF_DROP;
7095 }
7096 }
7097
7098 /* Deferred generation of sequence number modulator */
7099 if (dst->seqdiff && !src->seqdiff) {
7100 /* use random iss for the TCP server */
7101 while ((src->seqdiff = random() - seq) == 0) {
7102 ;
7103 }
7104 ack = ntohl(th->th_ack) - dst->seqdiff;
7105 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
7106 src->seqdiff), 0);
7107 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
7108 copyback = off + sizeof(*th);
7109 } else {
7110 ack = ntohl(th->th_ack);
7111 }
7112
7113 end = seq + pd->p_len;
7114 if (th->th_flags & TH_SYN) {
7115 end++;
7116 if (dst->wscale & PF_WSCALE_FLAG) {
7117 src->wscale = pf_get_wscale(pbuf, off,
7118 th->th_off, pd->af);
7119 if (src->wscale & PF_WSCALE_FLAG) {
7120 /*
7121 * Remove scale factor from initial
7122 * window
7123 */
7124 sws = src->wscale & PF_WSCALE_MASK;
7125 win = ((u_int32_t)win + (1 << sws) - 1)
7126 >> sws;
7127 dws = dst->wscale & PF_WSCALE_MASK;
7128 } else {
7129 /*
7130 * Window scale negotiation has failed,
7131 * therefore we must restore the window
7132 * scale in the state record that we
7133 * optimistically removed in
7134 * pf_test_rule(). Care is required to
7135 * prevent arithmetic overflow from
7136 * zeroing the window when it's
7137 * truncated down to 16-bits.
7138 */
7139 u_int32_t max_win = dst->max_win;
7140 max_win <<=
7141 dst->wscale & PF_WSCALE_MASK;
7142 dst->max_win = MIN(0xffff, max_win);
7143 /* in case of a retrans SYN|ACK */
7144 dst->wscale = 0;
7145 }
7146 }
7147 }
7148 if (th->th_flags & TH_FIN) {
7149 end++;
7150 }
7151
7152 src->seqlo = seq;
7153 if (src->state < TCPS_SYN_SENT) {
7154 src->state = TCPS_SYN_SENT;
7155 }
7156
7157 /*
7158 * May need to slide the window (seqhi may have been set by
7159 * the crappy stack check or if we picked up the connection
7160 * after establishment)
7161 */
7162 if (src->seqhi == 1 ||
7163 SEQ_GEQ(end + MAX(1, (u_int32_t)dst->max_win << dws),
7164 src->seqhi)) {
7165 src->seqhi = end + MAX(1, (u_int32_t)dst->max_win << dws);
7166 }
7167 if (win > src->max_win) {
7168 src->max_win = win;
7169 }
7170 } else {
7171 ack = ntohl(th->th_ack) - dst->seqdiff;
7172 if (src->seqdiff) {
7173 /* Modulate sequence numbers */
7174 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
7175 src->seqdiff), 0);
7176 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
7177 copyback = off + sizeof(*th);
7178 }
7179 end = seq + pd->p_len;
7180 if (th->th_flags & TH_SYN) {
7181 end++;
7182 }
7183 if (th->th_flags & TH_FIN) {
7184 end++;
7185 }
7186 }
7187
7188 if ((th->th_flags & TH_ACK) == 0) {
7189 /* Let it pass through the ack skew check */
7190 ack = dst->seqlo;
7191 } else if ((ack == 0 &&
7192 (th->th_flags & (TH_ACK | TH_RST)) == (TH_ACK | TH_RST)) ||
7193 /* broken tcp stacks do not set ack */
7194 (dst->state < TCPS_SYN_SENT)) {
7195 /*
7196 * Many stacks (ours included) will set the ACK number in an
7197 * FIN|ACK if the SYN times out -- no sequence to ACK.
7198 */
7199 ack = dst->seqlo;
7200 }
7201
7202 if (seq == end) {
7203 /* Ease sequencing restrictions on no data packets */
7204 seq = src->seqlo;
7205 end = seq;
7206 }
7207
7208 ackskew = dst->seqlo - ack;
7209
7210
7211 /*
7212 * Need to demodulate the sequence numbers in any TCP SACK options
7213 * (Selective ACK). We could optionally validate the SACK values
7214 * against the current ACK window, either forwards or backwards, but
7215 * I'm not confident that SACK has been implemented properly
7216 * everywhere. It wouldn't surprise me if several stacks accidently
7217 * SACK too far backwards of previously ACKed data. There really aren't
7218 * any security implications of bad SACKing unless the target stack
7219 * doesn't validate the option length correctly. Someone trying to
7220 * spoof into a TCP connection won't bother blindly sending SACK
7221 * options anyway.
7222 */
7223 if (dst->seqdiff && (th->th_off << 2) > (int)sizeof(struct tcphdr)) {
7224 copyback = pf_modulate_sack(pbuf, off, pd, th, dst);
7225 if (copyback == -1) {
7226 REASON_SET(reason, PFRES_MEMORY);
7227 return PF_DROP;
7228 }
7229
7230 pbuf = pd->mp; // XXXSCW: Why?
7231 }
7232
7233
7234 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
7235 if (SEQ_GEQ(src->seqhi, end) &&
7236 /* Last octet inside other's window space */
7237 SEQ_GEQ(seq, src->seqlo - ((u_int32_t)dst->max_win << dws)) &&
7238 /* Retrans: not more than one window back */
7239 (ackskew >= -MAXACKWINDOW) &&
7240 /* Acking not more than one reassembled fragment backwards */
7241 (ackskew <= (MAXACKWINDOW << sws)) &&
7242 /* Acking not more than one window forward */
7243 ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
7244 (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) ||
7245 (pd->flags & PFDESC_IP_REAS) == 0)) {
7246 /* Require an exact/+1 sequence match on resets when possible */
7247
7248 if (dst->scrub || src->scrub) {
7249 if (pf_normalize_tcp_stateful(pbuf, off, pd, reason, th,
7250 *state, src, dst, &copyback)) {
7251 return PF_DROP;
7252 }
7253
7254 pbuf = pd->mp; // XXXSCW: Why?
7255 }
7256
7257 /* update max window */
7258 if (src->max_win < win) {
7259 src->max_win = win;
7260 }
7261 /* synchronize sequencing */
7262 if (SEQ_GT(end, src->seqlo)) {
7263 src->seqlo = end;
7264 }
7265 /* slide the window of what the other end can send */
7266 if (SEQ_GEQ(ack + ((u_int32_t)win << sws), dst->seqhi)) {
7267 dst->seqhi = ack + MAX(((u_int32_t)win << sws), 1);
7268 }
7269
7270 /* update states */
7271 if (th->th_flags & TH_SYN) {
7272 if (src->state < TCPS_SYN_SENT) {
7273 src->state = TCPS_SYN_SENT;
7274 }
7275 }
7276 if (th->th_flags & TH_FIN) {
7277 if (src->state < TCPS_CLOSING) {
7278 src->state = TCPS_CLOSING;
7279 }
7280 }
7281 if (th->th_flags & TH_ACK) {
7282 if (dst->state == TCPS_SYN_SENT) {
7283 dst->state = TCPS_ESTABLISHED;
7284 if (src->state == TCPS_ESTABLISHED &&
7285 (*state)->src_node != NULL &&
7286 pf_src_connlimit(state)) {
7287 REASON_SET(reason, PFRES_SRCLIMIT);
7288 return PF_DROP;
7289 }
7290 } else if (dst->state == TCPS_CLOSING) {
7291 dst->state = TCPS_FIN_WAIT_2;
7292 }
7293 }
7294 if (th->th_flags & TH_RST) {
7295 src->state = dst->state = TCPS_TIME_WAIT;
7296 }
7297
7298 /* update expire time */
7299 (*state)->expire = pf_time_second();
7300 if (src->state >= TCPS_FIN_WAIT_2 &&
7301 dst->state >= TCPS_FIN_WAIT_2) {
7302 (*state)->timeout = PFTM_TCP_CLOSED;
7303 } else if (src->state >= TCPS_CLOSING &&
7304 dst->state >= TCPS_CLOSING) {
7305 (*state)->timeout = PFTM_TCP_FIN_WAIT;
7306 } else if (src->state < TCPS_ESTABLISHED ||
7307 dst->state < TCPS_ESTABLISHED) {
7308 (*state)->timeout = PFTM_TCP_OPENING;
7309 } else if (src->state >= TCPS_CLOSING ||
7310 dst->state >= TCPS_CLOSING) {
7311 (*state)->timeout = PFTM_TCP_CLOSING;
7312 } else {
7313 (*state)->timeout = PFTM_TCP_ESTABLISHED;
7314 }
7315
7316 /* Fall through to PASS packet */
7317 } else if ((dst->state < TCPS_SYN_SENT ||
7318 dst->state >= TCPS_FIN_WAIT_2 || src->state >= TCPS_FIN_WAIT_2) &&
7319 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
7320 /* Within a window forward of the originating packet */
7321 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
7322 /* Within a window backward of the originating packet */
7323
7324 /*
7325 * This currently handles three situations:
7326 * 1) Stupid stacks will shotgun SYNs before their peer
7327 * replies.
7328 * 2) When PF catches an already established stream (the
7329 * firewall rebooted, the state table was flushed, routes
7330 * changed...)
7331 * 3) Packets get funky immediately after the connection
7332 * closes (this should catch Solaris spurious ACK|FINs
7333 * that web servers like to spew after a close)
7334 *
7335 * This must be a little more careful than the above code
7336 * since packet floods will also be caught here. We don't
7337 * update the TTL here to mitigate the damage of a packet
7338 * flood and so the same code can handle awkward establishment
7339 * and a loosened connection close.
7340 * In the establishment case, a correct peer response will
7341 * validate the connection, go through the normal state code
7342 * and keep updating the state TTL.
7343 */
7344
7345 if (pf_status.debug >= PF_DEBUG_MISC) {
7346 printf("pf: loose state match: ");
7347 pf_print_state(*state);
7348 pf_print_flags(th->th_flags);
7349 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
7350 "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
7351 pd->p_len, ackskew, (*state)->packets[0],
7352 (*state)->packets[1],
7353 direction == PF_IN ? "in" : "out",
7354 direction == sk->direction ?
7355 "fwd" : "rev");
7356 }
7357
7358 if (dst->scrub || src->scrub) {
7359 if (pf_normalize_tcp_stateful(pbuf, off, pd, reason, th,
7360 *state, src, dst, &copyback)) {
7361 return PF_DROP;
7362 }
7363 pbuf = pd->mp; // XXXSCW: Why?
7364 }
7365
7366 /* update max window */
7367 if (src->max_win < win) {
7368 src->max_win = win;
7369 }
7370 /* synchronize sequencing */
7371 if (SEQ_GT(end, src->seqlo)) {
7372 src->seqlo = end;
7373 }
7374 /* slide the window of what the other end can send */
7375 if (SEQ_GEQ(ack + ((u_int32_t)win << sws), dst->seqhi)) {
7376 dst->seqhi = ack + MAX(((u_int32_t)win << sws), 1);
7377 }
7378
7379 /*
7380 * Cannot set dst->seqhi here since this could be a shotgunned
7381 * SYN and not an already established connection.
7382 */
7383
7384 if (th->th_flags & TH_FIN) {
7385 if (src->state < TCPS_CLOSING) {
7386 src->state = TCPS_CLOSING;
7387 }
7388 }
7389 if (th->th_flags & TH_RST) {
7390 src->state = dst->state = TCPS_TIME_WAIT;
7391 }
7392
7393 /* Fall through to PASS packet */
7394 } else {
7395 if (dst->state == TCPS_SYN_SENT &&
7396 src->state == TCPS_SYN_SENT) {
7397 /* Send RST for state mismatches during handshake */
7398 if (!(th->th_flags & TH_RST)) {
7399 pf_send_tcp((*state)->rule.ptr, pd->af,
7400 pd->dst, pd->src, th->th_dport,
7401 th->th_sport, ntohl(th->th_ack), 0,
7402 TH_RST, 0, 0,
7403 (*state)->rule.ptr->return_ttl, 1, 0,
7404 pd->eh, kif->pfik_ifp);
7405 }
7406 src->seqlo = 0;
7407 src->seqhi = 1;
7408 src->max_win = 1;
7409 } else if (pf_status.debug >= PF_DEBUG_MISC) {
7410 printf("pf: BAD state: ");
7411 pf_print_state(*state);
7412 pf_print_flags(th->th_flags);
7413 printf("\n seq=%u (%u) ack=%u len=%u ackskew=%d "
7414 "sws=%u dws=%u pkts=%llu:%llu dir=%s,%s\n",
7415 seq, orig_seq, ack, pd->p_len, ackskew,
7416 (unsigned int)sws, (unsigned int)dws,
7417 (*state)->packets[0], (*state)->packets[1],
7418 direction == PF_IN ? "in" : "out",
7419 direction == sk->direction ?
7420 "fwd" : "rev");
7421 printf("pf: State failure on: %c %c %c %c | %c %c\n",
7422 SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
7423 SEQ_GEQ(seq,
7424 src->seqlo - ((u_int32_t)dst->max_win << dws)) ?
7425 ' ': '2',
7426 (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
7427 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
7428 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
7429 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
7430 }
7431 REASON_SET(reason, PFRES_BADSTATE);
7432 return PF_DROP;
7433 }
7434
7435 /* Any packets which have gotten here are to be passed */
7436
7437 if (sk->app_state &&
7438 sk->app_state->handler) {
7439 sk->app_state->handler(*state, direction,
7440 off + (th->th_off << 2), pd, kif);
7441 if (pd->lmw < 0) {
7442 REASON_SET(reason, PFRES_MEMORY);
7443 return PF_DROP;
7444 }
7445 pbuf = pd->mp; // XXXSCW: Why?
7446 }
7447
7448 /* translate source/destination address, if necessary */
7449 if (STATE_TRANSLATE(sk)) {
7450 pd->naf = (pd->af == sk->af_lan) ? sk->af_gwy : sk->af_lan;
7451
7452 if (direction == PF_OUT) {
7453 pf_change_ap(direction, pd->mp, pd->src, &th->th_sport,
7454 pd->ip_sum, &th->th_sum, &sk->gwy.addr,
7455 sk->gwy.xport.port, 0, pd->af, pd->naf, 1);
7456 } else {
7457 if (pd->af != pd->naf) {
7458 if (pd->af == sk->af_gwy) {
7459 pf_change_ap(direction, pd->mp, pd->dst,
7460 &th->th_dport, pd->ip_sum,
7461 &th->th_sum, &sk->lan.addr,
7462 sk->lan.xport.port, 0,
7463 pd->af, pd->naf, 0);
7464
7465 pf_change_ap(direction, pd->mp, pd->src,
7466 &th->th_sport, pd->ip_sum,
7467 &th->th_sum, &sk->ext_lan.addr,
7468 th->th_sport, 0, pd->af,
7469 pd->naf, 0);
7470 } else {
7471 pf_change_ap(direction, pd->mp, pd->dst,
7472 &th->th_dport, pd->ip_sum,
7473 &th->th_sum, &sk->ext_gwy.addr,
7474 th->th_dport, 0, pd->af,
7475 pd->naf, 0);
7476
7477 pf_change_ap(direction, pd->mp, pd->src,
7478 &th->th_sport, pd->ip_sum,
7479 &th->th_sum, &sk->gwy.addr,
7480 sk->gwy.xport.port, 0, pd->af,
7481 pd->naf, 0);
7482 }
7483 } else {
7484 pf_change_ap(direction, pd->mp, pd->dst,
7485 &th->th_dport, pd->ip_sum,
7486 &th->th_sum, &sk->lan.addr,
7487 sk->lan.xport.port, 0, pd->af,
7488 pd->naf, 1);
7489 }
7490 }
7491
7492 copyback = off + sizeof(*th);
7493 }
7494
7495 if (copyback) {
7496 if (pf_lazy_makewritable(pd, pbuf, copyback) == NULL) {
7497 REASON_SET(reason, PFRES_MEMORY);
7498 return PF_DROP;
7499 }
7500
7501 /* Copyback sequence modulation or stateful scrub changes */
7502 pbuf_copy_back(pbuf, off, sizeof(*th), th);
7503
7504 if (sk->af_lan != sk->af_gwy) {
7505 return pf_do_nat64(sk, pd, pbuf, off);
7506 }
7507 }
7508 return PF_PASS;
7509 }
7510
7511 static int
7512 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
7513 pbuf_t *pbuf, int off, void *h, struct pf_pdesc *pd, u_short *reason)
7514 {
7515 #pragma unused(h)
7516 struct pf_state_peer *src, *dst;
7517 struct pf_state_key_cmp key;
7518 struct pf_state_key *sk;
7519 struct udphdr *uh = pd->hdr.udp;
7520 struct pf_app_state as;
7521 int action, extfilter;
7522 key.app_state = 0;
7523 key.proto_variant = PF_EXTFILTER_APD;
7524
7525 key.proto = IPPROTO_UDP;
7526 key.af_lan = key.af_gwy = pd->af;
7527
7528 /*
7529 * For NAT64 the first time rule search and state creation
7530 * is done on the incoming side only.
7531 * Once the state gets created, NAT64's LAN side (ipv6) will
7532 * not be able to find the state in ext-gwy tree as that normally
7533 * is intended to be looked up for incoming traffic from the
7534 * WAN side.
7535 * Therefore to handle NAT64 case we init keys here for both
7536 * lan-ext as well as ext-gwy trees.
7537 * In the state lookup we attempt a lookup on both trees if
7538 * first one does not return any result and return a match if
7539 * the match state's was created by NAT64 rule.
7540 */
7541 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
7542 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
7543 key.ext_gwy.xport.port = uh->uh_sport;
7544 key.gwy.xport.port = uh->uh_dport;
7545
7546 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
7547 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
7548 key.lan.xport.port = uh->uh_sport;
7549 key.ext_lan.xport.port = uh->uh_dport;
7550
7551 if (ntohs(uh->uh_sport) == PF_IKE_PORT &&
7552 ntohs(uh->uh_dport) == PF_IKE_PORT) {
7553 struct pf_ike_hdr ike;
7554 size_t plen = pbuf->pb_packet_len - off - sizeof(*uh);
7555 if (plen < PF_IKE_PACKET_MINSIZE) {
7556 DPFPRINTF(PF_DEBUG_MISC,
7557 ("pf: IKE message too small.\n"));
7558 return PF_DROP;
7559 }
7560
7561 if (plen > sizeof(ike)) {
7562 plen = sizeof(ike);
7563 }
7564 pbuf_copy_data(pbuf, off + sizeof(*uh), plen, &ike);
7565
7566 if (ike.initiator_cookie) {
7567 key.app_state = &as;
7568 as.compare_lan_ext = pf_ike_compare;
7569 as.compare_ext_gwy = pf_ike_compare;
7570 as.u.ike.cookie = ike.initiator_cookie;
7571 } else {
7572 /*
7573 * <http://tools.ietf.org/html/\
7574 * draft-ietf-ipsec-nat-t-ike-01>
7575 * Support non-standard NAT-T implementations that
7576 * push the ESP packet over the top of the IKE packet.
7577 * Do not drop packet.
7578 */
7579 DPFPRINTF(PF_DEBUG_MISC,
7580 ("pf: IKE initiator cookie = 0.\n"));
7581 }
7582 }
7583
7584 *state = pf_find_state(kif, &key, direction);
7585
7586 if (!key.app_state && *state == 0) {
7587 key.proto_variant = PF_EXTFILTER_AD;
7588 *state = pf_find_state(kif, &key, direction);
7589 }
7590
7591 if (!key.app_state && *state == 0) {
7592 key.proto_variant = PF_EXTFILTER_EI;
7593 *state = pf_find_state(kif, &key, direction);
7594 }
7595
7596 /* similar to STATE_LOOKUP() */
7597 if (*state != NULL && pd != NULL && !(pd->pktflags & PKTF_FLOW_ID)) {
7598 pd->flowsrc = (*state)->state_key->flowsrc;
7599 pd->flowhash = (*state)->state_key->flowhash;
7600 if (pd->flowhash != 0) {
7601 pd->pktflags |= PKTF_FLOW_ID;
7602 pd->pktflags &= ~PKTF_FLOW_ADV;
7603 }
7604 }
7605
7606 if (pf_state_lookup_aux(state, kif, direction, &action)) {
7607 return action;
7608 }
7609
7610 sk = (*state)->state_key;
7611
7612 /*
7613 * In case of NAT64 the translation is first applied on the LAN
7614 * side. Therefore for stack's address family comparison
7615 * we use sk->af_lan.
7616 */
7617 if ((direction == sk->direction) && (pd->af == sk->af_lan)) {
7618 src = &(*state)->src;
7619 dst = &(*state)->dst;
7620 } else {
7621 src = &(*state)->dst;
7622 dst = &(*state)->src;
7623 }
7624
7625 /* update states */
7626 if (src->state < PFUDPS_SINGLE) {
7627 src->state = PFUDPS_SINGLE;
7628 }
7629 if (dst->state == PFUDPS_SINGLE) {
7630 dst->state = PFUDPS_MULTIPLE;
7631 }
7632
7633 /* update expire time */
7634 (*state)->expire = pf_time_second();
7635 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) {
7636 (*state)->timeout = PFTM_UDP_MULTIPLE;
7637 } else {
7638 (*state)->timeout = PFTM_UDP_SINGLE;
7639 }
7640
7641 extfilter = sk->proto_variant;
7642 if (extfilter > PF_EXTFILTER_APD) {
7643 if (direction == PF_OUT) {
7644 sk->ext_lan.xport.port = key.ext_lan.xport.port;
7645 if (extfilter > PF_EXTFILTER_AD) {
7646 PF_ACPY(&sk->ext_lan.addr, &key.ext_lan.addr,
7647 key.af_lan);
7648 }
7649 } else {
7650 sk->ext_gwy.xport.port = key.ext_gwy.xport.port;
7651 if (extfilter > PF_EXTFILTER_AD) {
7652 PF_ACPY(&sk->ext_gwy.addr, &key.ext_gwy.addr,
7653 key.af_gwy);
7654 }
7655 }
7656 }
7657
7658 if (sk->app_state && sk->app_state->handler) {
7659 sk->app_state->handler(*state, direction, off + uh->uh_ulen,
7660 pd, kif);
7661 if (pd->lmw < 0) {
7662 REASON_SET(reason, PFRES_MEMORY);
7663 return PF_DROP;
7664 }
7665 pbuf = pd->mp; // XXXSCW: Why?
7666 }
7667
7668 /* translate source/destination address, if necessary */
7669 if (STATE_TRANSLATE(sk)) {
7670 if (pf_lazy_makewritable(pd, pbuf, off + sizeof(*uh)) == NULL) {
7671 REASON_SET(reason, PFRES_MEMORY);
7672 return PF_DROP;
7673 }
7674
7675 pd->naf = (pd->af == sk->af_lan) ? sk->af_gwy : sk->af_lan;
7676
7677 if (direction == PF_OUT) {
7678 pf_change_ap(direction, pd->mp, pd->src, &uh->uh_sport,
7679 pd->ip_sum, &uh->uh_sum, &sk->gwy.addr,
7680 sk->gwy.xport.port, 1, pd->af, pd->naf, 1);
7681 } else {
7682 if (pd->af != pd->naf) {
7683 if (pd->af == sk->af_gwy) {
7684 pf_change_ap(direction, pd->mp, pd->dst,
7685 &uh->uh_dport, pd->ip_sum,
7686 &uh->uh_sum, &sk->lan.addr,
7687 sk->lan.xport.port, 1,
7688 pd->af, pd->naf, 0);
7689
7690 pf_change_ap(direction, pd->mp, pd->src,
7691 &uh->uh_sport, pd->ip_sum,
7692 &uh->uh_sum, &sk->ext_lan.addr,
7693 uh->uh_sport, 1, pd->af,
7694 pd->naf, 0);
7695 } else {
7696 pf_change_ap(direction, pd->mp, pd->dst,
7697 &uh->uh_dport, pd->ip_sum,
7698 &uh->uh_sum, &sk->ext_gwy.addr,
7699 uh->uh_dport, 1, pd->af,
7700 pd->naf, 0);
7701
7702 pf_change_ap(direction, pd->mp, pd->src,
7703 &uh->uh_sport, pd->ip_sum,
7704 &uh->uh_sum, &sk->gwy.addr,
7705 sk->gwy.xport.port, 1, pd->af,
7706 pd->naf, 0);
7707 }
7708 } else {
7709 pf_change_ap(direction, pd->mp, pd->dst,
7710 &uh->uh_dport, pd->ip_sum,
7711 &uh->uh_sum, &sk->lan.addr,
7712 sk->lan.xport.port, 1,
7713 pd->af, pd->naf, 1);
7714 }
7715 }
7716
7717 pbuf_copy_back(pbuf, off, sizeof(*uh), uh);
7718 if (sk->af_lan != sk->af_gwy) {
7719 return pf_do_nat64(sk, pd, pbuf, off);
7720 }
7721 }
7722 return PF_PASS;
7723 }
7724
7725 static int
7726 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
7727 pbuf_t *pbuf, int off, void *h, struct pf_pdesc *pd, u_short *reason)
7728 {
7729 #pragma unused(h)
7730 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
7731 struct in_addr srcv4_inaddr = saddr->v4addr;
7732 u_int16_t icmpid = 0, *icmpsum = NULL;
7733 u_int8_t icmptype = 0;
7734 int state_icmp = 0;
7735 struct pf_state_key_cmp key;
7736 struct pf_state_key *sk;
7737
7738 struct pf_app_state as;
7739 key.app_state = 0;
7740
7741 pd->off = off;
7742
7743 switch (pd->proto) {
7744 #if INET
7745 case IPPROTO_ICMP:
7746 icmptype = pd->hdr.icmp->icmp_type;
7747 icmpid = pd->hdr.icmp->icmp_id;
7748 icmpsum = &pd->hdr.icmp->icmp_cksum;
7749
7750 if (ICMP_ERRORTYPE(icmptype)) {
7751 state_icmp++;
7752 }
7753 break;
7754 #endif /* INET */
7755 #if INET6
7756 case IPPROTO_ICMPV6:
7757 icmptype = pd->hdr.icmp6->icmp6_type;
7758 icmpid = pd->hdr.icmp6->icmp6_id;
7759 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
7760
7761 if (ICMP6_ERRORTYPE(icmptype)) {
7762 state_icmp++;
7763 }
7764 break;
7765 #endif /* INET6 */
7766 }
7767
7768 if (!state_icmp) {
7769 /*
7770 * ICMP query/reply message not related to a TCP/UDP packet.
7771 * Search for an ICMP state.
7772 */
7773 /*
7774 * NAT64 requires protocol translation between ICMPv4
7775 * and ICMPv6. TCP and UDP do not require protocol
7776 * translation. To avoid adding complexity just to
7777 * handle ICMP(v4addr/v6addr), we always lookup for
7778 * proto = IPPROTO_ICMP on both LAN and WAN side
7779 */
7780 key.proto = IPPROTO_ICMP;
7781 key.af_lan = key.af_gwy = pd->af;
7782
7783 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
7784 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
7785 key.ext_gwy.xport.port = 0;
7786 key.gwy.xport.port = icmpid;
7787
7788 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
7789 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
7790 key.lan.xport.port = icmpid;
7791 key.ext_lan.xport.port = 0;
7792
7793 STATE_LOOKUP();
7794
7795 sk = (*state)->state_key;
7796 (*state)->expire = pf_time_second();
7797 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
7798
7799 /* translate source/destination address, if necessary */
7800 if (STATE_TRANSLATE(sk)) {
7801 pd->naf = (pd->af == sk->af_lan) ?
7802 sk->af_gwy : sk->af_lan;
7803 if (direction == PF_OUT) {
7804 switch (pd->af) {
7805 #if INET
7806 case AF_INET:
7807 pf_change_a(&saddr->v4addr.s_addr,
7808 pd->ip_sum,
7809 sk->gwy.addr.v4addr.s_addr, 0);
7810 pd->hdr.icmp->icmp_cksum =
7811 pf_cksum_fixup(
7812 pd->hdr.icmp->icmp_cksum, icmpid,
7813 sk->gwy.xport.port, 0);
7814 pd->hdr.icmp->icmp_id =
7815 sk->gwy.xport.port;
7816 if (pf_lazy_makewritable(pd, pbuf,
7817 off + ICMP_MINLEN) == NULL) {
7818 return PF_DROP;
7819 }
7820 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
7821 pd->hdr.icmp);
7822 break;
7823 #endif /* INET */
7824 #if INET6
7825 case AF_INET6:
7826 pf_change_a6(saddr,
7827 &pd->hdr.icmp6->icmp6_cksum,
7828 &sk->gwy.addr, 0);
7829 if (pf_lazy_makewritable(pd, NULL,
7830 off + sizeof(struct icmp6_hdr)) ==
7831 NULL) {
7832 return PF_DROP;
7833 }
7834 pbuf_copy_back(pbuf, off,
7835 sizeof(struct icmp6_hdr),
7836 pd->hdr.icmp6);
7837 break;
7838 #endif /* INET6 */
7839 }
7840 } else {
7841 switch (pd->af) {
7842 #if INET
7843 case AF_INET:
7844 if (pd->naf != AF_INET) {
7845 if (pf_translate_icmp_af(
7846 AF_INET6, pd->hdr.icmp)) {
7847 return PF_DROP;
7848 }
7849
7850 pd->proto = IPPROTO_ICMPV6;
7851 } else {
7852 pf_change_a(&daddr->v4addr.s_addr,
7853 pd->ip_sum,
7854 sk->lan.addr.v4addr.s_addr, 0);
7855
7856 pd->hdr.icmp->icmp_cksum =
7857 pf_cksum_fixup(
7858 pd->hdr.icmp->icmp_cksum,
7859 icmpid, sk->lan.xport.port, 0);
7860
7861 pd->hdr.icmp->icmp_id =
7862 sk->lan.xport.port;
7863 }
7864
7865 if (pf_lazy_makewritable(pd, pbuf,
7866 off + ICMP_MINLEN) == NULL) {
7867 return PF_DROP;
7868 }
7869 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
7870 pd->hdr.icmp);
7871 if (sk->af_lan != sk->af_gwy) {
7872 return pf_do_nat64(sk, pd,
7873 pbuf, off);
7874 }
7875 break;
7876 #endif /* INET */
7877 #if INET6
7878 case AF_INET6:
7879 if (pd->naf != AF_INET6) {
7880 if (pf_translate_icmp_af(
7881 AF_INET, pd->hdr.icmp6)) {
7882 return PF_DROP;
7883 }
7884
7885 pd->proto = IPPROTO_ICMP;
7886 } else {
7887 pf_change_a6(daddr,
7888 &pd->hdr.icmp6->icmp6_cksum,
7889 &sk->lan.addr, 0);
7890 }
7891 if (pf_lazy_makewritable(pd, pbuf,
7892 off + sizeof(struct icmp6_hdr)) ==
7893 NULL) {
7894 return PF_DROP;
7895 }
7896 pbuf_copy_back(pbuf, off,
7897 sizeof(struct icmp6_hdr),
7898 pd->hdr.icmp6);
7899 if (sk->af_lan != sk->af_gwy) {
7900 return pf_do_nat64(sk, pd,
7901 pbuf, off);
7902 }
7903 break;
7904 #endif /* INET6 */
7905 }
7906 }
7907 }
7908
7909 return PF_PASS;
7910 } else {
7911 /*
7912 * ICMP error message in response to a TCP/UDP packet.
7913 * Extract the inner TCP/UDP header and search for that state.
7914 */
7915 struct pf_pdesc pd2; /* For inner (original) header */
7916 #if INET
7917 struct ip h2;
7918 #endif /* INET */
7919 #if INET6
7920 struct ip6_hdr h2_6;
7921 int terminal = 0;
7922 #endif /* INET6 */
7923 int ipoff2 = 0;
7924 int off2 = 0;
7925
7926 memset(&pd2, 0, sizeof(pd2));
7927
7928 pd2.af = pd->af;
7929 switch (pd->af) {
7930 #if INET
7931 case AF_INET:
7932 /* offset of h2 in mbuf chain */
7933 ipoff2 = off + ICMP_MINLEN;
7934
7935 if (!pf_pull_hdr(pbuf, ipoff2, &h2, sizeof(h2),
7936 NULL, reason, pd2.af)) {
7937 DPFPRINTF(PF_DEBUG_MISC,
7938 ("pf: ICMP error message too short "
7939 "(ip)\n"));
7940 return PF_DROP;
7941 }
7942 /*
7943 * ICMP error messages don't refer to non-first
7944 * fragments
7945 */
7946 if (h2.ip_off & htons(IP_OFFMASK)) {
7947 REASON_SET(reason, PFRES_FRAG);
7948 return PF_DROP;
7949 }
7950
7951 /* offset of protocol header that follows h2 */
7952 off2 = ipoff2 + (h2.ip_hl << 2);
7953 /* TODO */
7954 pd2.off = ipoff2 + (h2.ip_hl << 2);
7955
7956 pd2.proto = h2.ip_p;
7957 pd2.src = (struct pf_addr *)&h2.ip_src;
7958 pd2.dst = (struct pf_addr *)&h2.ip_dst;
7959 pd2.ip_sum = &h2.ip_sum;
7960 break;
7961 #endif /* INET */
7962 #if INET6
7963 case AF_INET6:
7964 ipoff2 = off + sizeof(struct icmp6_hdr);
7965
7966 if (!pf_pull_hdr(pbuf, ipoff2, &h2_6, sizeof(h2_6),
7967 NULL, reason, pd2.af)) {
7968 DPFPRINTF(PF_DEBUG_MISC,
7969 ("pf: ICMP error message too short "
7970 "(ip6)\n"));
7971 return PF_DROP;
7972 }
7973 pd2.proto = h2_6.ip6_nxt;
7974 pd2.src = (struct pf_addr *)(uintptr_t)&h2_6.ip6_src;
7975 pd2.dst = (struct pf_addr *)(uintptr_t)&h2_6.ip6_dst;
7976 pd2.ip_sum = NULL;
7977 off2 = ipoff2 + sizeof(h2_6);
7978 do {
7979 switch (pd2.proto) {
7980 case IPPROTO_FRAGMENT:
7981 /*
7982 * ICMPv6 error messages for
7983 * non-first fragments
7984 */
7985 REASON_SET(reason, PFRES_FRAG);
7986 return PF_DROP;
7987 case IPPROTO_AH:
7988 case IPPROTO_HOPOPTS:
7989 case IPPROTO_ROUTING:
7990 case IPPROTO_DSTOPTS: {
7991 /* get next header and header length */
7992 struct ip6_ext opt6;
7993
7994 if (!pf_pull_hdr(pbuf, off2, &opt6,
7995 sizeof(opt6), NULL, reason,
7996 pd2.af)) {
7997 DPFPRINTF(PF_DEBUG_MISC,
7998 ("pf: ICMPv6 short opt\n"));
7999 return PF_DROP;
8000 }
8001 if (pd2.proto == IPPROTO_AH) {
8002 off2 += (opt6.ip6e_len + 2) * 4;
8003 } else {
8004 off2 += (opt6.ip6e_len + 1) * 8;
8005 }
8006 pd2.proto = opt6.ip6e_nxt;
8007 /* goto the next header */
8008 break;
8009 }
8010 default:
8011 terminal++;
8012 break;
8013 }
8014 } while (!terminal);
8015 /* TODO */
8016 pd2.off = ipoff2;
8017 break;
8018 #endif /* INET6 */
8019 }
8020
8021 switch (pd2.proto) {
8022 case IPPROTO_TCP: {
8023 struct tcphdr th;
8024 u_int32_t seq;
8025 struct pf_state_peer *src, *dst;
8026 u_int8_t dws;
8027 int copyback = 0;
8028
8029 /*
8030 * Only the first 8 bytes of the TCP header can be
8031 * expected. Don't access any TCP header fields after
8032 * th_seq, an ackskew test is not possible.
8033 */
8034 if (!pf_pull_hdr(pbuf, off2, &th, 8, NULL, reason,
8035 pd2.af)) {
8036 DPFPRINTF(PF_DEBUG_MISC,
8037 ("pf: ICMP error message too short "
8038 "(tcp)\n"));
8039 return PF_DROP;
8040 }
8041
8042 key.proto = IPPROTO_TCP;
8043 key.af_gwy = pd2.af;
8044 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8045 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8046 key.ext_gwy.xport.port = th.th_dport;
8047 key.gwy.xport.port = th.th_sport;
8048
8049 key.af_lan = pd2.af;
8050 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8051 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8052 key.lan.xport.port = th.th_dport;
8053 key.ext_lan.xport.port = th.th_sport;
8054
8055 STATE_LOOKUP();
8056
8057 sk = (*state)->state_key;
8058 if ((direction == sk->direction) &&
8059 ((sk->af_lan == sk->af_gwy) ||
8060 (pd2.af == sk->af_lan))) {
8061 src = &(*state)->dst;
8062 dst = &(*state)->src;
8063 } else {
8064 src = &(*state)->src;
8065 dst = &(*state)->dst;
8066 }
8067
8068 if (src->wscale && (dst->wscale & PF_WSCALE_FLAG)) {
8069 dws = dst->wscale & PF_WSCALE_MASK;
8070 } else {
8071 dws = TCP_MAX_WINSHIFT;
8072 }
8073
8074 /* Demodulate sequence number */
8075 seq = ntohl(th.th_seq) - src->seqdiff;
8076 if (src->seqdiff) {
8077 pf_change_a(&th.th_seq, icmpsum,
8078 htonl(seq), 0);
8079 copyback = 1;
8080 }
8081
8082 if (!SEQ_GEQ(src->seqhi, seq) ||
8083 !SEQ_GEQ(seq,
8084 src->seqlo - ((u_int32_t)dst->max_win << dws))) {
8085 if (pf_status.debug >= PF_DEBUG_MISC) {
8086 printf("pf: BAD ICMP %d:%d ",
8087 icmptype, pd->hdr.icmp->icmp_code);
8088 pf_print_host(pd->src, 0, pd->af);
8089 printf(" -> ");
8090 pf_print_host(pd->dst, 0, pd->af);
8091 printf(" state: ");
8092 pf_print_state(*state);
8093 printf(" seq=%u\n", seq);
8094 }
8095 REASON_SET(reason, PFRES_BADSTATE);
8096 return PF_DROP;
8097 }
8098
8099 pd->naf = pd2.naf = (pd2.af == sk->af_lan) ?
8100 sk->af_gwy : sk->af_lan;
8101
8102 if (STATE_TRANSLATE(sk)) {
8103 /* NAT64 case */
8104 if (sk->af_lan != sk->af_gwy) {
8105 struct pf_state_host *saddr2, *daddr2;
8106
8107 if (pd2.naf == sk->af_lan) {
8108 saddr2 = &sk->lan;
8109 daddr2 = &sk->ext_lan;
8110 } else {
8111 saddr2 = &sk->ext_gwy;
8112 daddr2 = &sk->gwy;
8113 }
8114
8115 /* translate ICMP message types and codes */
8116 if (pf_translate_icmp_af(pd->naf,
8117 pd->hdr.icmp)) {
8118 return PF_DROP;
8119 }
8120
8121 if (pf_lazy_makewritable(pd, pbuf,
8122 off2 + 8) == NULL) {
8123 return PF_DROP;
8124 }
8125
8126 pbuf_copy_back(pbuf, pd->off,
8127 sizeof(struct icmp6_hdr),
8128 pd->hdr.icmp6);
8129
8130 /*
8131 * translate inner ip header within the
8132 * ICMP message
8133 */
8134 if (pf_change_icmp_af(pbuf, ipoff2, pd,
8135 &pd2, &saddr2->addr, &daddr2->addr,
8136 pd->af, pd->naf)) {
8137 return PF_DROP;
8138 }
8139
8140 if (pd->naf == AF_INET) {
8141 pd->proto = IPPROTO_ICMP;
8142 } else {
8143 pd->proto = IPPROTO_ICMPV6;
8144 }
8145
8146 /*
8147 * translate inner tcp header within
8148 * the ICMP message
8149 */
8150 pf_change_ap(direction, NULL, pd2.src,
8151 &th.th_sport, pd2.ip_sum,
8152 &th.th_sum, &daddr2->addr,
8153 saddr2->xport.port, 0, pd2.af,
8154 pd2.naf, 0);
8155
8156 pf_change_ap(direction, NULL, pd2.dst,
8157 &th.th_dport, pd2.ip_sum,
8158 &th.th_sum, &saddr2->addr,
8159 daddr2->xport.port, 0, pd2.af,
8160 pd2.naf, 0);
8161
8162 pbuf_copy_back(pbuf, pd2.off, 8, &th);
8163
8164 /* translate outer ip header */
8165 PF_ACPY(&pd->naddr, &daddr2->addr,
8166 pd->naf);
8167 PF_ACPY(&pd->ndaddr, &saddr2->addr,
8168 pd->naf);
8169 if (pd->af == AF_INET) {
8170 memcpy(&pd->naddr.addr32[3],
8171 &srcv4_inaddr,
8172 sizeof(pd->naddr.addr32[3]));
8173 return pf_nat64_ipv4(pbuf, off,
8174 pd);
8175 } else {
8176 return pf_nat64_ipv6(pbuf, off,
8177 pd);
8178 }
8179 }
8180 if (direction == PF_IN) {
8181 pf_change_icmp(pd2.src, &th.th_sport,
8182 daddr, &sk->lan.addr,
8183 sk->lan.xport.port, NULL,
8184 pd2.ip_sum, icmpsum,
8185 pd->ip_sum, 0, pd2.af);
8186 } else {
8187 pf_change_icmp(pd2.dst, &th.th_dport,
8188 saddr, &sk->gwy.addr,
8189 sk->gwy.xport.port, NULL,
8190 pd2.ip_sum, icmpsum,
8191 pd->ip_sum, 0, pd2.af);
8192 }
8193 copyback = 1;
8194 }
8195
8196 if (copyback) {
8197 if (pf_lazy_makewritable(pd, pbuf, off2 + 8) ==
8198 NULL) {
8199 return PF_DROP;
8200 }
8201 switch (pd2.af) {
8202 #if INET
8203 case AF_INET:
8204 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
8205 pd->hdr.icmp);
8206 pbuf_copy_back(pbuf, ipoff2, sizeof(h2),
8207 &h2);
8208 break;
8209 #endif /* INET */
8210 #if INET6
8211 case AF_INET6:
8212 pbuf_copy_back(pbuf, off,
8213 sizeof(struct icmp6_hdr),
8214 pd->hdr.icmp6);
8215 pbuf_copy_back(pbuf, ipoff2,
8216 sizeof(h2_6), &h2_6);
8217 break;
8218 #endif /* INET6 */
8219 }
8220 pbuf_copy_back(pbuf, off2, 8, &th);
8221 }
8222
8223 return PF_PASS;
8224 }
8225 case IPPROTO_UDP: {
8226 struct udphdr uh;
8227 int dx, action;
8228 if (!pf_pull_hdr(pbuf, off2, &uh, sizeof(uh),
8229 NULL, reason, pd2.af)) {
8230 DPFPRINTF(PF_DEBUG_MISC,
8231 ("pf: ICMP error message too short "
8232 "(udp)\n"));
8233 return PF_DROP;
8234 }
8235
8236 key.af_gwy = pd2.af;
8237 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8238 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8239 key.ext_gwy.xport.port = uh.uh_dport;
8240 key.gwy.xport.port = uh.uh_sport;
8241
8242 key.af_lan = pd2.af;
8243 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8244 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8245 key.lan.xport.port = uh.uh_dport;
8246 key.ext_lan.xport.port = uh.uh_sport;
8247
8248 key.proto = IPPROTO_UDP;
8249 key.proto_variant = PF_EXTFILTER_APD;
8250 dx = direction;
8251
8252 if (ntohs(uh.uh_sport) == PF_IKE_PORT &&
8253 ntohs(uh.uh_dport) == PF_IKE_PORT) {
8254 struct pf_ike_hdr ike;
8255 size_t plen = pbuf->pb_packet_len - off2 -
8256 sizeof(uh);
8257 if (direction == PF_IN &&
8258 plen < 8 /* PF_IKE_PACKET_MINSIZE */) {
8259 DPFPRINTF(PF_DEBUG_MISC, ("pf: "
8260 "ICMP error, embedded IKE message "
8261 "too small.\n"));
8262 return PF_DROP;
8263 }
8264
8265 if (plen > sizeof(ike)) {
8266 plen = sizeof(ike);
8267 }
8268 pbuf_copy_data(pbuf, off + sizeof(uh), plen,
8269 &ike);
8270
8271 key.app_state = &as;
8272 as.compare_lan_ext = pf_ike_compare;
8273 as.compare_ext_gwy = pf_ike_compare;
8274 as.u.ike.cookie = ike.initiator_cookie;
8275 }
8276
8277 *state = pf_find_state(kif, &key, dx);
8278
8279 if (key.app_state && *state == 0) {
8280 key.app_state = 0;
8281 *state = pf_find_state(kif, &key, dx);
8282 }
8283
8284 if (*state == 0) {
8285 key.proto_variant = PF_EXTFILTER_AD;
8286 *state = pf_find_state(kif, &key, dx);
8287 }
8288
8289 if (*state == 0) {
8290 key.proto_variant = PF_EXTFILTER_EI;
8291 *state = pf_find_state(kif, &key, dx);
8292 }
8293
8294 /* similar to STATE_LOOKUP() */
8295 if (*state != NULL && pd != NULL &&
8296 !(pd->pktflags & PKTF_FLOW_ID)) {
8297 pd->flowsrc = (*state)->state_key->flowsrc;
8298 pd->flowhash = (*state)->state_key->flowhash;
8299 if (pd->flowhash != 0) {
8300 pd->pktflags |= PKTF_FLOW_ID;
8301 pd->pktflags &= ~PKTF_FLOW_ADV;
8302 }
8303 }
8304
8305 if (pf_state_lookup_aux(state, kif, direction, &action)) {
8306 return action;
8307 }
8308
8309 sk = (*state)->state_key;
8310 pd->naf = pd2.naf = (pd2.af == sk->af_lan) ?
8311 sk->af_gwy : sk->af_lan;
8312
8313 if (STATE_TRANSLATE(sk)) {
8314 /* NAT64 case */
8315 if (sk->af_lan != sk->af_gwy) {
8316 struct pf_state_host *saddr2, *daddr2;
8317
8318 if (pd2.naf == sk->af_lan) {
8319 saddr2 = &sk->lan;
8320 daddr2 = &sk->ext_lan;
8321 } else {
8322 saddr2 = &sk->ext_gwy;
8323 daddr2 = &sk->gwy;
8324 }
8325
8326 /* translate ICMP message */
8327 if (pf_translate_icmp_af(pd->naf,
8328 pd->hdr.icmp)) {
8329 return PF_DROP;
8330 }
8331 if (pf_lazy_makewritable(pd, pbuf,
8332 off2 + 8) == NULL) {
8333 return PF_DROP;
8334 }
8335
8336 pbuf_copy_back(pbuf, pd->off,
8337 sizeof(struct icmp6_hdr),
8338 pd->hdr.icmp6);
8339
8340 /*
8341 * translate inner ip header within the
8342 * ICMP message
8343 */
8344 if (pf_change_icmp_af(pbuf, ipoff2, pd,
8345 &pd2, &saddr2->addr, &daddr2->addr,
8346 pd->af, pd->naf)) {
8347 return PF_DROP;
8348 }
8349
8350 if (pd->naf == AF_INET) {
8351 pd->proto = IPPROTO_ICMP;
8352 } else {
8353 pd->proto = IPPROTO_ICMPV6;
8354 }
8355
8356 /*
8357 * translate inner udp header within
8358 * the ICMP message
8359 */
8360 pf_change_ap(direction, NULL, pd2.src,
8361 &uh.uh_sport, pd2.ip_sum,
8362 &uh.uh_sum, &daddr2->addr,
8363 saddr2->xport.port, 0, pd2.af,
8364 pd2.naf, 0);
8365
8366 pf_change_ap(direction, NULL, pd2.dst,
8367 &uh.uh_dport, pd2.ip_sum,
8368 &uh.uh_sum, &saddr2->addr,
8369 daddr2->xport.port, 0, pd2.af,
8370 pd2.naf, 0);
8371
8372 pbuf_copy_back(pbuf, pd2.off,
8373 sizeof(uh), &uh);
8374
8375 /* translate outer ip header */
8376 PF_ACPY(&pd->naddr, &daddr2->addr,
8377 pd->naf);
8378 PF_ACPY(&pd->ndaddr, &saddr2->addr,
8379 pd->naf);
8380 if (pd->af == AF_INET) {
8381 memcpy(&pd->naddr.addr32[3],
8382 &srcv4_inaddr,
8383 sizeof(pd->naddr.addr32[3]));
8384 return pf_nat64_ipv4(pbuf, off,
8385 pd);
8386 } else {
8387 return pf_nat64_ipv6(pbuf, off,
8388 pd);
8389 }
8390 }
8391 if (direction == PF_IN) {
8392 pf_change_icmp(pd2.src, &uh.uh_sport,
8393 daddr, &sk->lan.addr,
8394 sk->lan.xport.port, &uh.uh_sum,
8395 pd2.ip_sum, icmpsum,
8396 pd->ip_sum, 1, pd2.af);
8397 } else {
8398 pf_change_icmp(pd2.dst, &uh.uh_dport,
8399 saddr, &sk->gwy.addr,
8400 sk->gwy.xport.port, &uh.uh_sum,
8401 pd2.ip_sum, icmpsum,
8402 pd->ip_sum, 1, pd2.af);
8403 }
8404 if (pf_lazy_makewritable(pd, pbuf,
8405 off2 + sizeof(uh)) == NULL) {
8406 return PF_DROP;
8407 }
8408 switch (pd2.af) {
8409 #if INET
8410 case AF_INET:
8411 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
8412 pd->hdr.icmp);
8413 pbuf_copy_back(pbuf, ipoff2,
8414 sizeof(h2), &h2);
8415 break;
8416 #endif /* INET */
8417 #if INET6
8418 case AF_INET6:
8419 pbuf_copy_back(pbuf, off,
8420 sizeof(struct icmp6_hdr),
8421 pd->hdr.icmp6);
8422 pbuf_copy_back(pbuf, ipoff2,
8423 sizeof(h2_6), &h2_6);
8424 break;
8425 #endif /* INET6 */
8426 }
8427 pbuf_copy_back(pbuf, off2, sizeof(uh), &uh);
8428 }
8429
8430 return PF_PASS;
8431 }
8432 #if INET
8433 case IPPROTO_ICMP: {
8434 struct icmp iih;
8435
8436 if (!pf_pull_hdr(pbuf, off2, &iih, ICMP_MINLEN,
8437 NULL, reason, pd2.af)) {
8438 DPFPRINTF(PF_DEBUG_MISC,
8439 ("pf: ICMP error message too short i"
8440 "(icmp)\n"));
8441 return PF_DROP;
8442 }
8443
8444 key.proto = IPPROTO_ICMP;
8445 if (direction == PF_IN) {
8446 key.af_gwy = pd2.af;
8447 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8448 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8449 key.ext_gwy.xport.port = 0;
8450 key.gwy.xport.port = iih.icmp_id;
8451 } else {
8452 key.af_lan = pd2.af;
8453 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8454 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8455 key.lan.xport.port = iih.icmp_id;
8456 key.ext_lan.xport.port = 0;
8457 }
8458
8459 STATE_LOOKUP();
8460
8461 sk = (*state)->state_key;
8462 if (STATE_TRANSLATE(sk)) {
8463 if (direction == PF_IN) {
8464 pf_change_icmp(pd2.src, &iih.icmp_id,
8465 daddr, &sk->lan.addr,
8466 sk->lan.xport.port, NULL,
8467 pd2.ip_sum, icmpsum,
8468 pd->ip_sum, 0, AF_INET);
8469 } else {
8470 pf_change_icmp(pd2.dst, &iih.icmp_id,
8471 saddr, &sk->gwy.addr,
8472 sk->gwy.xport.port, NULL,
8473 pd2.ip_sum, icmpsum,
8474 pd->ip_sum, 0, AF_INET);
8475 }
8476 if (pf_lazy_makewritable(pd, pbuf,
8477 off2 + ICMP_MINLEN) == NULL) {
8478 return PF_DROP;
8479 }
8480 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
8481 pd->hdr.icmp);
8482 pbuf_copy_back(pbuf, ipoff2, sizeof(h2), &h2);
8483 pbuf_copy_back(pbuf, off2, ICMP_MINLEN, &iih);
8484 }
8485
8486 return PF_PASS;
8487 }
8488 #endif /* INET */
8489 #if INET6
8490 case IPPROTO_ICMPV6: {
8491 struct icmp6_hdr iih;
8492
8493 if (!pf_pull_hdr(pbuf, off2, &iih,
8494 sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
8495 DPFPRINTF(PF_DEBUG_MISC,
8496 ("pf: ICMP error message too short "
8497 "(icmp6)\n"));
8498 return PF_DROP;
8499 }
8500
8501 key.proto = IPPROTO_ICMPV6;
8502 if (direction == PF_IN) {
8503 key.af_gwy = pd2.af;
8504 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8505 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8506 key.ext_gwy.xport.port = 0;
8507 key.gwy.xport.port = iih.icmp6_id;
8508 } else {
8509 key.af_lan = pd2.af;
8510 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8511 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8512 key.lan.xport.port = iih.icmp6_id;
8513 key.ext_lan.xport.port = 0;
8514 }
8515
8516 STATE_LOOKUP();
8517
8518 sk = (*state)->state_key;
8519 if (STATE_TRANSLATE(sk)) {
8520 if (direction == PF_IN) {
8521 pf_change_icmp(pd2.src, &iih.icmp6_id,
8522 daddr, &sk->lan.addr,
8523 sk->lan.xport.port, NULL,
8524 pd2.ip_sum, icmpsum,
8525 pd->ip_sum, 0, AF_INET6);
8526 } else {
8527 pf_change_icmp(pd2.dst, &iih.icmp6_id,
8528 saddr, &sk->gwy.addr,
8529 sk->gwy.xport.port, NULL,
8530 pd2.ip_sum, icmpsum,
8531 pd->ip_sum, 0, AF_INET6);
8532 }
8533 if (pf_lazy_makewritable(pd, pbuf, off2 +
8534 sizeof(struct icmp6_hdr)) == NULL) {
8535 return PF_DROP;
8536 }
8537 pbuf_copy_back(pbuf, off,
8538 sizeof(struct icmp6_hdr), pd->hdr.icmp6);
8539 pbuf_copy_back(pbuf, ipoff2, sizeof(h2_6),
8540 &h2_6);
8541 pbuf_copy_back(pbuf, off2,
8542 sizeof(struct icmp6_hdr), &iih);
8543 }
8544
8545 return PF_PASS;
8546 }
8547 #endif /* INET6 */
8548 default: {
8549 key.proto = pd2.proto;
8550 if (direction == PF_IN) {
8551 key.af_gwy = pd2.af;
8552 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8553 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8554 key.ext_gwy.xport.port = 0;
8555 key.gwy.xport.port = 0;
8556 } else {
8557 key.af_lan = pd2.af;
8558 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8559 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8560 key.lan.xport.port = 0;
8561 key.ext_lan.xport.port = 0;
8562 }
8563
8564 STATE_LOOKUP();
8565
8566 sk = (*state)->state_key;
8567 if (STATE_TRANSLATE(sk)) {
8568 if (direction == PF_IN) {
8569 pf_change_icmp(pd2.src, NULL, daddr,
8570 &sk->lan.addr, 0, NULL,
8571 pd2.ip_sum, icmpsum,
8572 pd->ip_sum, 0, pd2.af);
8573 } else {
8574 pf_change_icmp(pd2.dst, NULL, saddr,
8575 &sk->gwy.addr, 0, NULL,
8576 pd2.ip_sum, icmpsum,
8577 pd->ip_sum, 0, pd2.af);
8578 }
8579 switch (pd2.af) {
8580 #if INET
8581 case AF_INET:
8582 if (pf_lazy_makewritable(pd, pbuf,
8583 ipoff2 + sizeof(h2)) == NULL) {
8584 return PF_DROP;
8585 }
8586 /*
8587 * <XXXSCW>
8588 * Xnu was missing the following...
8589 */
8590 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
8591 pd->hdr.icmp);
8592 pbuf_copy_back(pbuf, ipoff2,
8593 sizeof(h2), &h2);
8594 break;
8595 /*
8596 * </XXXSCW>
8597 */
8598 #endif /* INET */
8599 #if INET6
8600 case AF_INET6:
8601 if (pf_lazy_makewritable(pd, pbuf,
8602 ipoff2 + sizeof(h2_6)) == NULL) {
8603 return PF_DROP;
8604 }
8605 pbuf_copy_back(pbuf, off,
8606 sizeof(struct icmp6_hdr),
8607 pd->hdr.icmp6);
8608 pbuf_copy_back(pbuf, ipoff2,
8609 sizeof(h2_6), &h2_6);
8610 break;
8611 #endif /* INET6 */
8612 }
8613 }
8614
8615 return PF_PASS;
8616 }
8617 }
8618 }
8619 }
8620
8621 static int
8622 pf_test_state_grev1(struct pf_state **state, int direction,
8623 struct pfi_kif *kif, int off, struct pf_pdesc *pd)
8624 {
8625 struct pf_state_peer *src;
8626 struct pf_state_peer *dst;
8627 struct pf_state_key_cmp key;
8628 struct pf_grev1_hdr *grev1 = pd->hdr.grev1;
8629
8630 key.app_state = 0;
8631 key.proto = IPPROTO_GRE;
8632 key.proto_variant = PF_GRE_PPTP_VARIANT;
8633 if (direction == PF_IN) {
8634 key.af_gwy = pd->af;
8635 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
8636 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
8637 key.gwy.xport.call_id = grev1->call_id;
8638 } else {
8639 key.af_lan = pd->af;
8640 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
8641 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
8642 key.ext_lan.xport.call_id = grev1->call_id;
8643 }
8644
8645 STATE_LOOKUP();
8646
8647 if (direction == (*state)->state_key->direction) {
8648 src = &(*state)->src;
8649 dst = &(*state)->dst;
8650 } else {
8651 src = &(*state)->dst;
8652 dst = &(*state)->src;
8653 }
8654
8655 /* update states */
8656 if (src->state < PFGRE1S_INITIATING) {
8657 src->state = PFGRE1S_INITIATING;
8658 }
8659
8660 /* update expire time */
8661 (*state)->expire = pf_time_second();
8662 if (src->state >= PFGRE1S_INITIATING &&
8663 dst->state >= PFGRE1S_INITIATING) {
8664 if ((*state)->timeout != PFTM_TCP_ESTABLISHED) {
8665 (*state)->timeout = PFTM_GREv1_ESTABLISHED;
8666 }
8667 src->state = PFGRE1S_ESTABLISHED;
8668 dst->state = PFGRE1S_ESTABLISHED;
8669 } else {
8670 (*state)->timeout = PFTM_GREv1_INITIATING;
8671 }
8672
8673 if ((*state)->state_key->app_state) {
8674 (*state)->state_key->app_state->u.grev1.pptp_state->expire =
8675 pf_time_second();
8676 }
8677
8678 /* translate source/destination address, if necessary */
8679 if (STATE_GRE_TRANSLATE((*state)->state_key)) {
8680 if (direction == PF_OUT) {
8681 switch (pd->af) {
8682 #if INET
8683 case AF_INET:
8684 pf_change_a(&pd->src->v4addr.s_addr,
8685 pd->ip_sum,
8686 (*state)->state_key->gwy.addr.v4addr.s_addr, 0);
8687 break;
8688 #endif /* INET */
8689 #if INET6
8690 case AF_INET6:
8691 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
8692 pd->af);
8693 break;
8694 #endif /* INET6 */
8695 }
8696 } else {
8697 grev1->call_id = (*state)->state_key->lan.xport.call_id;
8698
8699 switch (pd->af) {
8700 #if INET
8701 case AF_INET:
8702 pf_change_a(&pd->dst->v4addr.s_addr,
8703 pd->ip_sum,
8704 (*state)->state_key->lan.addr.v4addr.s_addr, 0);
8705 break;
8706 #endif /* INET */
8707 #if INET6
8708 case AF_INET6:
8709 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
8710 pd->af);
8711 break;
8712 #endif /* INET6 */
8713 }
8714 }
8715
8716 if (pf_lazy_makewritable(pd, pd->mp, off + sizeof(*grev1)) ==
8717 NULL) {
8718 return PF_DROP;
8719 }
8720 pbuf_copy_back(pd->mp, off, sizeof(*grev1), grev1);
8721 }
8722
8723 return PF_PASS;
8724 }
8725
8726 static int
8727 pf_test_state_esp(struct pf_state **state, int direction, struct pfi_kif *kif,
8728 int off, struct pf_pdesc *pd)
8729 {
8730 #pragma unused(off)
8731 struct pf_state_peer *src;
8732 struct pf_state_peer *dst;
8733 struct pf_state_key_cmp key;
8734 struct pf_esp_hdr *esp = pd->hdr.esp;
8735 int action;
8736
8737 memset(&key, 0, sizeof(key));
8738 key.proto = IPPROTO_ESP;
8739 if (direction == PF_IN) {
8740 key.af_gwy = pd->af;
8741 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
8742 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
8743 key.gwy.xport.spi = esp->spi;
8744 } else {
8745 key.af_lan = pd->af;
8746 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
8747 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
8748 key.ext_lan.xport.spi = esp->spi;
8749 }
8750
8751 *state = pf_find_state(kif, &key, direction);
8752
8753 if (*state == 0) {
8754 struct pf_state *s;
8755
8756 /*
8757 * <jhw@apple.com>
8758 * No matching state. Look for a blocking state. If we find
8759 * one, then use that state and move it so that it's keyed to
8760 * the SPI in the current packet.
8761 */
8762 if (direction == PF_IN) {
8763 key.gwy.xport.spi = 0;
8764
8765 s = pf_find_state(kif, &key, direction);
8766 if (s) {
8767 struct pf_state_key *sk = s->state_key;
8768
8769 RB_REMOVE(pf_state_tree_ext_gwy,
8770 &pf_statetbl_ext_gwy, sk);
8771 sk->lan.xport.spi = sk->gwy.xport.spi =
8772 esp->spi;
8773
8774 if (RB_INSERT(pf_state_tree_ext_gwy,
8775 &pf_statetbl_ext_gwy, sk)) {
8776 pf_detach_state(s, PF_DT_SKIP_EXTGWY);
8777 } else {
8778 *state = s;
8779 }
8780 }
8781 } else {
8782 key.ext_lan.xport.spi = 0;
8783
8784 s = pf_find_state(kif, &key, direction);
8785 if (s) {
8786 struct pf_state_key *sk = s->state_key;
8787
8788 RB_REMOVE(pf_state_tree_lan_ext,
8789 &pf_statetbl_lan_ext, sk);
8790 sk->ext_lan.xport.spi = esp->spi;
8791
8792 if (RB_INSERT(pf_state_tree_lan_ext,
8793 &pf_statetbl_lan_ext, sk)) {
8794 pf_detach_state(s, PF_DT_SKIP_LANEXT);
8795 } else {
8796 *state = s;
8797 }
8798 }
8799 }
8800
8801 if (s) {
8802 if (*state == 0) {
8803 #if NPFSYNC
8804 if (s->creatorid == pf_status.hostid) {
8805 pfsync_delete_state(s);
8806 }
8807 #endif
8808 s->timeout = PFTM_UNLINKED;
8809 hook_runloop(&s->unlink_hooks,
8810 HOOK_REMOVE | HOOK_FREE);
8811 pf_src_tree_remove_state(s);
8812 pf_free_state(s);
8813 return PF_DROP;
8814 }
8815 }
8816 }
8817
8818 /* similar to STATE_LOOKUP() */
8819 if (*state != NULL && pd != NULL && !(pd->pktflags & PKTF_FLOW_ID)) {
8820 pd->flowsrc = (*state)->state_key->flowsrc;
8821 pd->flowhash = (*state)->state_key->flowhash;
8822 if (pd->flowhash != 0) {
8823 pd->pktflags |= PKTF_FLOW_ID;
8824 pd->pktflags &= ~PKTF_FLOW_ADV;
8825 }
8826 }
8827
8828 if (pf_state_lookup_aux(state, kif, direction, &action)) {
8829 return action;
8830 }
8831
8832 if (direction == (*state)->state_key->direction) {
8833 src = &(*state)->src;
8834 dst = &(*state)->dst;
8835 } else {
8836 src = &(*state)->dst;
8837 dst = &(*state)->src;
8838 }
8839
8840 /* update states */
8841 if (src->state < PFESPS_INITIATING) {
8842 src->state = PFESPS_INITIATING;
8843 }
8844
8845 /* update expire time */
8846 (*state)->expire = pf_time_second();
8847 if (src->state >= PFESPS_INITIATING &&
8848 dst->state >= PFESPS_INITIATING) {
8849 (*state)->timeout = PFTM_ESP_ESTABLISHED;
8850 src->state = PFESPS_ESTABLISHED;
8851 dst->state = PFESPS_ESTABLISHED;
8852 } else {
8853 (*state)->timeout = PFTM_ESP_INITIATING;
8854 }
8855 /* translate source/destination address, if necessary */
8856 if (STATE_ADDR_TRANSLATE((*state)->state_key)) {
8857 if (direction == PF_OUT) {
8858 switch (pd->af) {
8859 #if INET
8860 case AF_INET:
8861 pf_change_a(&pd->src->v4addr.s_addr,
8862 pd->ip_sum,
8863 (*state)->state_key->gwy.addr.v4addr.s_addr, 0);
8864 break;
8865 #endif /* INET */
8866 #if INET6
8867 case AF_INET6:
8868 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
8869 pd->af);
8870 break;
8871 #endif /* INET6 */
8872 }
8873 } else {
8874 switch (pd->af) {
8875 #if INET
8876 case AF_INET:
8877 pf_change_a(&pd->dst->v4addr.s_addr,
8878 pd->ip_sum,
8879 (*state)->state_key->lan.addr.v4addr.s_addr, 0);
8880 break;
8881 #endif /* INET */
8882 #if INET6
8883 case AF_INET6:
8884 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
8885 pd->af);
8886 break;
8887 #endif /* INET6 */
8888 }
8889 }
8890 }
8891
8892 return PF_PASS;
8893 }
8894
8895 static int
8896 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
8897 struct pf_pdesc *pd)
8898 {
8899 struct pf_state_peer *src, *dst;
8900 struct pf_state_key_cmp key;
8901
8902 key.app_state = 0;
8903 key.proto = pd->proto;
8904 if (direction == PF_IN) {
8905 key.af_gwy = pd->af;
8906 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
8907 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
8908 key.ext_gwy.xport.port = 0;
8909 key.gwy.xport.port = 0;
8910 } else {
8911 key.af_lan = pd->af;
8912 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
8913 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
8914 key.lan.xport.port = 0;
8915 key.ext_lan.xport.port = 0;
8916 }
8917
8918 STATE_LOOKUP();
8919
8920 if (direction == (*state)->state_key->direction) {
8921 src = &(*state)->src;
8922 dst = &(*state)->dst;
8923 } else {
8924 src = &(*state)->dst;
8925 dst = &(*state)->src;
8926 }
8927
8928 /* update states */
8929 if (src->state < PFOTHERS_SINGLE) {
8930 src->state = PFOTHERS_SINGLE;
8931 }
8932 if (dst->state == PFOTHERS_SINGLE) {
8933 dst->state = PFOTHERS_MULTIPLE;
8934 }
8935
8936 /* update expire time */
8937 (*state)->expire = pf_time_second();
8938 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) {
8939 (*state)->timeout = PFTM_OTHER_MULTIPLE;
8940 } else {
8941 (*state)->timeout = PFTM_OTHER_SINGLE;
8942 }
8943
8944 /* translate source/destination address, if necessary */
8945 if (STATE_ADDR_TRANSLATE((*state)->state_key)) {
8946 if (direction == PF_OUT) {
8947 switch (pd->af) {
8948 #if INET
8949 case AF_INET:
8950 pf_change_a(&pd->src->v4addr.s_addr,
8951 pd->ip_sum,
8952 (*state)->state_key->gwy.addr.v4addr.s_addr,
8953 0);
8954 break;
8955 #endif /* INET */
8956 #if INET6
8957 case AF_INET6:
8958 PF_ACPY(pd->src,
8959 &(*state)->state_key->gwy.addr, pd->af);
8960 break;
8961 #endif /* INET6 */
8962 }
8963 } else {
8964 switch (pd->af) {
8965 #if INET
8966 case AF_INET:
8967 pf_change_a(&pd->dst->v4addr.s_addr,
8968 pd->ip_sum,
8969 (*state)->state_key->lan.addr.v4addr.s_addr,
8970 0);
8971 break;
8972 #endif /* INET */
8973 #if INET6
8974 case AF_INET6:
8975 PF_ACPY(pd->dst,
8976 &(*state)->state_key->lan.addr, pd->af);
8977 break;
8978 #endif /* INET6 */
8979 }
8980 }
8981 }
8982
8983 return PF_PASS;
8984 }
8985
8986 /*
8987 * ipoff and off are measured from the start of the mbuf chain.
8988 * h must be at "ipoff" on the mbuf chain.
8989 */
8990 void *
8991 pf_pull_hdr(pbuf_t *pbuf, int off, void *p, int len,
8992 u_short *actionp, u_short *reasonp, sa_family_t af)
8993 {
8994 switch (af) {
8995 #if INET
8996 case AF_INET: {
8997 struct ip *h = pbuf->pb_data;
8998 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
8999
9000 if (fragoff) {
9001 if (fragoff >= len) {
9002 ACTION_SET(actionp, PF_PASS);
9003 } else {
9004 ACTION_SET(actionp, PF_DROP);
9005 REASON_SET(reasonp, PFRES_FRAG);
9006 }
9007 return NULL;
9008 }
9009 if (pbuf->pb_packet_len < (unsigned)(off + len) ||
9010 ntohs(h->ip_len) < off + len) {
9011 ACTION_SET(actionp, PF_DROP);
9012 REASON_SET(reasonp, PFRES_SHORT);
9013 return NULL;
9014 }
9015 break;
9016 }
9017 #endif /* INET */
9018 #if INET6
9019 case AF_INET6: {
9020 struct ip6_hdr *h = pbuf->pb_data;
9021
9022 if (pbuf->pb_packet_len < (unsigned)(off + len) ||
9023 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
9024 (unsigned)(off + len)) {
9025 ACTION_SET(actionp, PF_DROP);
9026 REASON_SET(reasonp, PFRES_SHORT);
9027 return NULL;
9028 }
9029 break;
9030 }
9031 #endif /* INET6 */
9032 }
9033 pbuf_copy_data(pbuf, off, len, p);
9034 return p;
9035 }
9036
9037 int
9038 pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif)
9039 {
9040 #pragma unused(kif)
9041 struct sockaddr_in *dst;
9042 int ret = 1;
9043 #if INET6
9044 struct sockaddr_in6 *dst6;
9045 struct route_in6 ro;
9046 #else
9047 struct route ro;
9048 #endif
9049
9050 bzero(&ro, sizeof(ro));
9051 switch (af) {
9052 case AF_INET:
9053 dst = satosin(&ro.ro_dst);
9054 dst->sin_family = AF_INET;
9055 dst->sin_len = sizeof(*dst);
9056 dst->sin_addr = addr->v4addr;
9057 break;
9058 #if INET6
9059 case AF_INET6:
9060 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
9061 dst6->sin6_family = AF_INET6;
9062 dst6->sin6_len = sizeof(*dst6);
9063 dst6->sin6_addr = addr->v6addr;
9064 break;
9065 #endif /* INET6 */
9066 default:
9067 return 0;
9068 }
9069
9070 /* XXX: IFT_ENC is not currently used by anything*/
9071 /* Skip checks for ipsec interfaces */
9072 if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC) {
9073 goto out;
9074 }
9075
9076 /* XXX: what is the point of this? */
9077 rtalloc((struct route *)&ro);
9078
9079 out:
9080 ROUTE_RELEASE(&ro);
9081 return ret;
9082 }
9083
9084 int
9085 pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw)
9086 {
9087 #pragma unused(aw)
9088 struct sockaddr_in *dst;
9089 #if INET6
9090 struct sockaddr_in6 *dst6;
9091 struct route_in6 ro;
9092 #else
9093 struct route ro;
9094 #endif
9095 int ret = 0;
9096
9097 bzero(&ro, sizeof(ro));
9098 switch (af) {
9099 case AF_INET:
9100 dst = satosin(&ro.ro_dst);
9101 dst->sin_family = AF_INET;
9102 dst->sin_len = sizeof(*dst);
9103 dst->sin_addr = addr->v4addr;
9104 break;
9105 #if INET6
9106 case AF_INET6:
9107 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
9108 dst6->sin6_family = AF_INET6;
9109 dst6->sin6_len = sizeof(*dst6);
9110 dst6->sin6_addr = addr->v6addr;
9111 break;
9112 #endif /* INET6 */
9113 default:
9114 return 0;
9115 }
9116
9117 /* XXX: what is the point of this? */
9118 rtalloc((struct route *)&ro);
9119
9120 ROUTE_RELEASE(&ro);
9121
9122 return ret;
9123 }
9124
9125 #if INET
9126 static void
9127 pf_route(pbuf_t **pbufp, struct pf_rule *r, int dir, struct ifnet *oifp,
9128 struct pf_state *s, struct pf_pdesc *pd)
9129 {
9130 #pragma unused(pd)
9131 struct mbuf *m0, *m1;
9132 struct route iproute;
9133 struct route *ro = &iproute;
9134 struct sockaddr_in *dst;
9135 struct ip *ip;
9136 struct ifnet *ifp = NULL;
9137 struct pf_addr naddr;
9138 struct pf_src_node *sn = NULL;
9139 int error = 0;
9140 uint32_t sw_csum;
9141 int interface_mtu = 0;
9142 bzero(&iproute, sizeof(iproute));
9143
9144 if (pbufp == NULL || !pbuf_is_valid(*pbufp) || r == NULL ||
9145 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) {
9146 panic("pf_route: invalid parameters");
9147 }
9148
9149 if (pd->pf_mtag->pftag_routed++ > 3) {
9150 pbuf_destroy(*pbufp);
9151 *pbufp = NULL;
9152 m0 = NULL;
9153 goto bad;
9154 }
9155
9156 /*
9157 * Since this is something of an edge case and may involve the
9158 * host stack (for routing, at least for now), we convert the
9159 * incoming pbuf into an mbuf.
9160 */
9161 if (r->rt == PF_DUPTO) {
9162 m0 = pbuf_clone_to_mbuf(*pbufp);
9163 } else if ((r->rt == PF_REPLYTO) == (r->direction == dir)) {
9164 return;
9165 } else {
9166 /* We're going to consume this packet */
9167 m0 = pbuf_to_mbuf(*pbufp, TRUE);
9168 *pbufp = NULL;
9169 }
9170
9171 if (m0 == NULL) {
9172 goto bad;
9173 }
9174
9175 /* We now have the packet in an mbuf (m0) */
9176
9177 if (m0->m_len < (int)sizeof(struct ip)) {
9178 DPFPRINTF(PF_DEBUG_URGENT,
9179 ("pf_route: packet length < sizeof (struct ip)\n"));
9180 goto bad;
9181 }
9182
9183 ip = mtod(m0, struct ip *);
9184
9185 dst = satosin((void *)&ro->ro_dst);
9186 dst->sin_family = AF_INET;
9187 dst->sin_len = sizeof(*dst);
9188 dst->sin_addr = ip->ip_dst;
9189
9190 if (r->rt == PF_FASTROUTE) {
9191 rtalloc(ro);
9192 if (ro->ro_rt == NULL) {
9193 ipstat.ips_noroute++;
9194 goto bad;
9195 }
9196
9197 ifp = ro->ro_rt->rt_ifp;
9198 RT_LOCK(ro->ro_rt);
9199 ro->ro_rt->rt_use++;
9200
9201 if (ro->ro_rt->rt_flags & RTF_GATEWAY) {
9202 dst = satosin((void *)ro->ro_rt->rt_gateway);
9203 }
9204 RT_UNLOCK(ro->ro_rt);
9205 } else {
9206 if (TAILQ_EMPTY(&r->rpool.list)) {
9207 DPFPRINTF(PF_DEBUG_URGENT,
9208 ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n"));
9209 goto bad;
9210 }
9211 if (s == NULL) {
9212 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
9213 &naddr, NULL, &sn);
9214 if (!PF_AZERO(&naddr, AF_INET)) {
9215 dst->sin_addr.s_addr = naddr.v4addr.s_addr;
9216 }
9217 ifp = r->rpool.cur->kif ?
9218 r->rpool.cur->kif->pfik_ifp : NULL;
9219 } else {
9220 if (!PF_AZERO(&s->rt_addr, AF_INET)) {
9221 dst->sin_addr.s_addr =
9222 s->rt_addr.v4addr.s_addr;
9223 }
9224 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
9225 }
9226 }
9227 if (ifp == NULL) {
9228 goto bad;
9229 }
9230
9231 if (oifp != ifp) {
9232 if (pf_test_mbuf(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
9233 goto bad;
9234 } else if (m0 == NULL) {
9235 goto done;
9236 }
9237 if (m0->m_len < (int)sizeof(struct ip)) {
9238 DPFPRINTF(PF_DEBUG_URGENT,
9239 ("pf_route: packet length < sizeof (struct ip)\n"));
9240 goto bad;
9241 }
9242 ip = mtod(m0, struct ip *);
9243 }
9244
9245 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
9246 ip_output_checksum(ifp, m0, ((ip->ip_hl) << 2), ntohs(ip->ip_len),
9247 &sw_csum);
9248
9249 interface_mtu = ifp->if_mtu;
9250
9251 if (INTF_ADJUST_MTU_FOR_CLAT46(ifp)) {
9252 interface_mtu = IN6_LINKMTU(ifp);
9253 /* Further adjust the size for CLAT46 expansion */
9254 interface_mtu -= CLAT46_HDR_EXPANSION_OVERHD;
9255 }
9256
9257 if (ntohs(ip->ip_len) <= interface_mtu || TSO_IPV4_OK(ifp, m0) ||
9258 (!(ip->ip_off & htons(IP_DF)) &&
9259 (ifp->if_hwassist & CSUM_FRAGMENT))) {
9260 ip->ip_sum = 0;
9261 if (sw_csum & CSUM_DELAY_IP) {
9262 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
9263 sw_csum &= ~CSUM_DELAY_IP;
9264 m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_IP;
9265 }
9266 error = ifnet_output(ifp, PF_INET, m0, ro->ro_rt, sintosa(dst));
9267 goto done;
9268 }
9269
9270 /*
9271 * Too large for interface; fragment if possible.
9272 * Must be able to put at least 8 bytes per fragment.
9273 * Balk when DF bit is set or the interface didn't support TSO.
9274 */
9275 if ((ip->ip_off & htons(IP_DF)) ||
9276 (m0->m_pkthdr.csum_flags & CSUM_TSO_IPV4)) {
9277 ipstat.ips_cantfrag++;
9278 if (r->rt != PF_DUPTO) {
9279 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
9280 interface_mtu);
9281 goto done;
9282 } else {
9283 goto bad;
9284 }
9285 }
9286
9287 m1 = m0;
9288
9289 /* PR-8933605: send ip_len,ip_off to ip_fragment in host byte order */
9290 #if BYTE_ORDER != BIG_ENDIAN
9291 NTOHS(ip->ip_off);
9292 NTOHS(ip->ip_len);
9293 #endif
9294 error = ip_fragment(m0, ifp, interface_mtu, sw_csum);
9295
9296 if (error) {
9297 m0 = NULL;
9298 goto bad;
9299 }
9300
9301 for (m0 = m1; m0; m0 = m1) {
9302 m1 = m0->m_nextpkt;
9303 m0->m_nextpkt = 0;
9304 if (error == 0) {
9305 error = ifnet_output(ifp, PF_INET, m0, ro->ro_rt,
9306 sintosa(dst));
9307 } else {
9308 m_freem(m0);
9309 }
9310 }
9311
9312 if (error == 0) {
9313 ipstat.ips_fragmented++;
9314 }
9315
9316 done:
9317 ROUTE_RELEASE(&iproute);
9318 return;
9319
9320 bad:
9321 if (m0) {
9322 m_freem(m0);
9323 }
9324 goto done;
9325 }
9326 #endif /* INET */
9327
9328 #if INET6
9329 static void
9330 pf_route6(pbuf_t **pbufp, struct pf_rule *r, int dir, struct ifnet *oifp,
9331 struct pf_state *s, struct pf_pdesc *pd)
9332 {
9333 #pragma unused(pd)
9334 struct mbuf *m0;
9335 struct route_in6 ip6route;
9336 struct route_in6 *ro;
9337 struct sockaddr_in6 *dst;
9338 struct ip6_hdr *ip6;
9339 struct ifnet *ifp = NULL;
9340 struct pf_addr naddr;
9341 struct pf_src_node *sn = NULL;
9342 int error = 0;
9343
9344 if (pbufp == NULL || !pbuf_is_valid(*pbufp) || r == NULL ||
9345 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) {
9346 panic("pf_route6: invalid parameters");
9347 }
9348
9349 if (pd->pf_mtag->pftag_routed++ > 3) {
9350 pbuf_destroy(*pbufp);
9351 *pbufp = NULL;
9352 m0 = NULL;
9353 goto bad;
9354 }
9355
9356 /*
9357 * Since this is something of an edge case and may involve the
9358 * host stack (for routing, at least for now), we convert the
9359 * incoming pbuf into an mbuf.
9360 */
9361 if (r->rt == PF_DUPTO) {
9362 m0 = pbuf_clone_to_mbuf(*pbufp);
9363 } else if ((r->rt == PF_REPLYTO) == (r->direction == dir)) {
9364 return;
9365 } else {
9366 /* We're about to consume this packet */
9367 m0 = pbuf_to_mbuf(*pbufp, TRUE);
9368 *pbufp = NULL;
9369 }
9370
9371 if (m0 == NULL) {
9372 goto bad;
9373 }
9374
9375 if (m0->m_len < (int)sizeof(struct ip6_hdr)) {
9376 DPFPRINTF(PF_DEBUG_URGENT,
9377 ("pf_route6: m0->m_len < sizeof (struct ip6_hdr)\n"));
9378 goto bad;
9379 }
9380 ip6 = mtod(m0, struct ip6_hdr *);
9381
9382 ro = &ip6route;
9383 bzero((caddr_t)ro, sizeof(*ro));
9384 dst = (struct sockaddr_in6 *)&ro->ro_dst;
9385 dst->sin6_family = AF_INET6;
9386 dst->sin6_len = sizeof(*dst);
9387 dst->sin6_addr = ip6->ip6_dst;
9388
9389 /* Cheat. XXX why only in the v6addr case??? */
9390 if (r->rt == PF_FASTROUTE) {
9391 struct pf_mtag *pf_mtag;
9392
9393 if ((pf_mtag = pf_get_mtag(m0)) == NULL) {
9394 goto bad;
9395 }
9396 pf_mtag->pftag_flags |= PF_TAG_GENERATED;
9397 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
9398 return;
9399 }
9400
9401 if (TAILQ_EMPTY(&r->rpool.list)) {
9402 DPFPRINTF(PF_DEBUG_URGENT,
9403 ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n"));
9404 goto bad;
9405 }
9406 if (s == NULL) {
9407 pf_map_addr(AF_INET6, r, (struct pf_addr *)(uintptr_t)&ip6->ip6_src,
9408 &naddr, NULL, &sn);
9409 if (!PF_AZERO(&naddr, AF_INET6)) {
9410 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
9411 &naddr, AF_INET6);
9412 }
9413 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
9414 } else {
9415 if (!PF_AZERO(&s->rt_addr, AF_INET6)) {
9416 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
9417 &s->rt_addr, AF_INET6);
9418 }
9419 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
9420 }
9421 if (ifp == NULL) {
9422 goto bad;
9423 }
9424
9425 if (oifp != ifp) {
9426 if (pf_test6_mbuf(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) {
9427 goto bad;
9428 } else if (m0 == NULL) {
9429 goto done;
9430 }
9431 if (m0->m_len < (int)sizeof(struct ip6_hdr)) {
9432 DPFPRINTF(PF_DEBUG_URGENT, ("pf_route6: m0->m_len "
9433 "< sizeof (struct ip6_hdr)\n"));
9434 goto bad;
9435 }
9436 ip6 = mtod(m0, struct ip6_hdr *);
9437 }
9438
9439 /*
9440 * If the packet is too large for the outgoing interface,
9441 * send back an icmp6 error.
9442 */
9443 if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr)) {
9444 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
9445 }
9446 if ((unsigned)m0->m_pkthdr.len <= ifp->if_mtu) {
9447 error = nd6_output(ifp, ifp, m0, dst, NULL, NULL);
9448 } else {
9449 in6_ifstat_inc(ifp, ifs6_in_toobig);
9450 if (r->rt != PF_DUPTO) {
9451 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
9452 } else {
9453 goto bad;
9454 }
9455 }
9456
9457 done:
9458 return;
9459
9460 bad:
9461 if (m0) {
9462 m_freem(m0);
9463 }
9464 goto done;
9465 }
9466 #endif /* INET6 */
9467
9468
9469 /*
9470 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
9471 * off is the offset where the protocol header starts
9472 * len is the total length of protocol header plus payload
9473 * returns 0 when the checksum is valid, otherwise returns 1.
9474 */
9475 static int
9476 pf_check_proto_cksum(pbuf_t *pbuf, int off, int len, u_int8_t p,
9477 sa_family_t af)
9478 {
9479 u_int16_t sum;
9480
9481 switch (p) {
9482 case IPPROTO_TCP:
9483 case IPPROTO_UDP:
9484 /*
9485 * Optimize for the common case; if the hardware calculated
9486 * value doesn't include pseudo-header checksum, or if it
9487 * is partially-computed (only 16-bit summation), do it in
9488 * software below.
9489 */
9490 if ((*pbuf->pb_csum_flags &
9491 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR)) ==
9492 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR) &&
9493 (*pbuf->pb_csum_data ^ 0xffff) == 0) {
9494 return 0;
9495 }
9496 break;
9497 case IPPROTO_ICMP:
9498 #if INET6
9499 case IPPROTO_ICMPV6:
9500 #endif /* INET6 */
9501 break;
9502 default:
9503 return 1;
9504 }
9505 if (off < (int)sizeof(struct ip) || len < (int)sizeof(struct udphdr)) {
9506 return 1;
9507 }
9508 if (pbuf->pb_packet_len < (unsigned)(off + len)) {
9509 return 1;
9510 }
9511 switch (af) {
9512 #if INET
9513 case AF_INET:
9514 if (p == IPPROTO_ICMP) {
9515 #if 0
9516 if (m->m_len < off) {
9517 return 1;
9518 }
9519 m->m_data += off;
9520 m->m_len -= off;
9521 sum = in_cksum(m, len);
9522 m->m_data -= off;
9523 m->m_len += off;
9524 #else
9525 if (pbuf->pb_contig_len < (unsigned)off) {
9526 return 1;
9527 }
9528 sum = pbuf_inet_cksum(pbuf, 0, off, len);
9529 #endif
9530 } else {
9531 if (pbuf->pb_contig_len < (int)sizeof(struct ip)) {
9532 return 1;
9533 }
9534 sum = pbuf_inet_cksum(pbuf, p, off, len);
9535 }
9536 break;
9537 #endif /* INET */
9538 #if INET6
9539 case AF_INET6:
9540 if (pbuf->pb_contig_len < (int)sizeof(struct ip6_hdr)) {
9541 return 1;
9542 }
9543 sum = pbuf_inet6_cksum(pbuf, p, off, len);
9544 break;
9545 #endif /* INET6 */
9546 default:
9547 return 1;
9548 }
9549 if (sum) {
9550 switch (p) {
9551 case IPPROTO_TCP:
9552 tcpstat.tcps_rcvbadsum++;
9553 break;
9554 case IPPROTO_UDP:
9555 udpstat.udps_badsum++;
9556 break;
9557 case IPPROTO_ICMP:
9558 icmpstat.icps_checksum++;
9559 break;
9560 #if INET6
9561 case IPPROTO_ICMPV6:
9562 icmp6stat.icp6s_checksum++;
9563 break;
9564 #endif /* INET6 */
9565 }
9566 return 1;
9567 }
9568 return 0;
9569 }
9570
9571 #if INET
9572 #define PF_APPLE_UPDATE_PDESC_IPv4() \
9573 do { \
9574 if (pbuf && pd.mp && pbuf != pd.mp) { \
9575 pbuf = pd.mp; \
9576 h = pbuf->pb_data; \
9577 pd.pf_mtag = pf_get_mtag_pbuf(pbuf); \
9578 } \
9579 } while (0)
9580
9581 int
9582 pf_test_mbuf(int dir, struct ifnet *ifp, struct mbuf **m0,
9583 struct ether_header *eh, struct ip_fw_args *fwa)
9584 {
9585 pbuf_t pbuf_store, *pbuf;
9586 int rv;
9587
9588 pbuf_init_mbuf(&pbuf_store, *m0, (*m0)->m_pkthdr.rcvif);
9589 pbuf = &pbuf_store;
9590
9591 rv = pf_test(dir, ifp, &pbuf, eh, fwa);
9592
9593 if (pbuf_is_valid(pbuf)) {
9594 *m0 = pbuf->pb_mbuf;
9595 pbuf->pb_mbuf = NULL;
9596 pbuf_destroy(pbuf);
9597 } else {
9598 *m0 = NULL;
9599 }
9600
9601 return rv;
9602 }
9603
9604 int
9605 pf_test(int dir, struct ifnet *ifp, pbuf_t **pbufp,
9606 struct ether_header *eh, struct ip_fw_args *fwa)
9607 {
9608 #if !DUMMYNET
9609 #pragma unused(fwa)
9610 #endif
9611 struct pfi_kif *kif;
9612 u_short action = PF_PASS, reason = 0, log = 0;
9613 pbuf_t *pbuf = *pbufp;
9614 struct ip *h = 0;
9615 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
9616 struct pf_state *s = NULL;
9617 struct pf_state_key *sk = NULL;
9618 struct pf_ruleset *ruleset = NULL;
9619 struct pf_pdesc pd;
9620 int off, dirndx, pqid = 0;
9621
9622 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
9623
9624 if (!pf_status.running) {
9625 return PF_PASS;
9626 }
9627
9628 memset(&pd, 0, sizeof(pd));
9629
9630 if ((pd.pf_mtag = pf_get_mtag_pbuf(pbuf)) == NULL) {
9631 DPFPRINTF(PF_DEBUG_URGENT,
9632 ("pf_test: pf_get_mtag_pbuf returned NULL\n"));
9633 return PF_DROP;
9634 }
9635
9636 if (pd.pf_mtag->pftag_flags & PF_TAG_GENERATED) {
9637 return PF_PASS;
9638 }
9639
9640 kif = (struct pfi_kif *)ifp->if_pf_kif;
9641
9642 if (kif == NULL) {
9643 DPFPRINTF(PF_DEBUG_URGENT,
9644 ("pf_test: kif == NULL, if_name %s\n", ifp->if_name));
9645 return PF_DROP;
9646 }
9647 if (kif->pfik_flags & PFI_IFLAG_SKIP) {
9648 return PF_PASS;
9649 }
9650
9651 /* initialize enough of pd for the done label */
9652 h = pbuf->pb_data;
9653 pd.mp = pbuf;
9654 pd.lmw = 0;
9655 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
9656 pd.src = (struct pf_addr *)&h->ip_src;
9657 pd.dst = (struct pf_addr *)&h->ip_dst;
9658 PF_ACPY(&pd.baddr, pd.src, AF_INET);
9659 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET);
9660 pd.ip_sum = &h->ip_sum;
9661 pd.proto = h->ip_p;
9662 pd.proto_variant = 0;
9663 pd.af = AF_INET;
9664 pd.tos = h->ip_tos;
9665 pd.ttl = h->ip_ttl;
9666 pd.tot_len = ntohs(h->ip_len);
9667 pd.eh = eh;
9668
9669 if (pbuf->pb_packet_len < (int)sizeof(*h)) {
9670 action = PF_DROP;
9671 REASON_SET(&reason, PFRES_SHORT);
9672 log = 1;
9673 goto done;
9674 }
9675
9676 #if DUMMYNET
9677 if (fwa != NULL && fwa->fwa_pf_rule != NULL) {
9678 goto nonormalize;
9679 }
9680 #endif /* DUMMYNET */
9681
9682 /* We do IP header normalization and packet reassembly here */
9683 action = pf_normalize_ip(pbuf, dir, kif, &reason, &pd);
9684 if (action != PF_PASS || pd.lmw < 0) {
9685 action = PF_DROP;
9686 goto done;
9687 }
9688
9689 #if DUMMYNET
9690 nonormalize:
9691 #endif /* DUMMYNET */
9692 /* pf_normalize can mess with pb_data */
9693 h = pbuf->pb_data;
9694
9695 off = h->ip_hl << 2;
9696 if (off < (int)sizeof(*h)) {
9697 action = PF_DROP;
9698 REASON_SET(&reason, PFRES_SHORT);
9699 log = 1;
9700 goto done;
9701 }
9702
9703 pd.src = (struct pf_addr *)&h->ip_src;
9704 pd.dst = (struct pf_addr *)&h->ip_dst;
9705 PF_ACPY(&pd.baddr, pd.src, AF_INET);
9706 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET);
9707 pd.ip_sum = &h->ip_sum;
9708 pd.proto = h->ip_p;
9709 pd.proto_variant = 0;
9710 pd.mp = pbuf;
9711 pd.lmw = 0;
9712 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
9713 pd.af = AF_INET;
9714 pd.tos = h->ip_tos;
9715 pd.ttl = h->ip_ttl;
9716 pd.sc = MBUF_SCIDX(pbuf_get_service_class(pbuf));
9717 pd.tot_len = ntohs(h->ip_len);
9718 pd.eh = eh;
9719
9720 if (*pbuf->pb_flags & PKTF_FLOW_ID) {
9721 pd.flowsrc = *pbuf->pb_flowsrc;
9722 pd.flowhash = *pbuf->pb_flowid;
9723 pd.pktflags = *pbuf->pb_flags & PKTF_FLOW_MASK;
9724 }
9725
9726 /* handle fragments that didn't get reassembled by normalization */
9727 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
9728 pd.flags |= PFDESC_IP_FRAG;
9729 #if DUMMYNET
9730 /* Traffic goes through dummynet first */
9731 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9732 if (action == PF_DROP || pbuf == NULL) {
9733 *pbufp = NULL;
9734 return action;
9735 }
9736 #endif /* DUMMYNET */
9737 action = pf_test_fragment(&r, dir, kif, pbuf, h,
9738 &pd, &a, &ruleset);
9739 goto done;
9740 }
9741
9742 switch (h->ip_p) {
9743 case IPPROTO_TCP: {
9744 struct tcphdr th;
9745 pd.hdr.tcp = &th;
9746 if (!pf_pull_hdr(pbuf, off, &th, sizeof(th),
9747 &action, &reason, AF_INET)) {
9748 log = action != PF_PASS;
9749 goto done;
9750 }
9751 pd.p_len = pd.tot_len - off - (th.th_off << 2);
9752 if ((th.th_flags & TH_ACK) && pd.p_len == 0) {
9753 pqid = 1;
9754 }
9755 #if DUMMYNET
9756 /* Traffic goes through dummynet first */
9757 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9758 if (action == PF_DROP || pbuf == NULL) {
9759 *pbufp = NULL;
9760 return action;
9761 }
9762 #endif /* DUMMYNET */
9763 action = pf_normalize_tcp(dir, kif, pbuf, 0, off, h, &pd);
9764 if (pd.lmw < 0) {
9765 goto done;
9766 }
9767 PF_APPLE_UPDATE_PDESC_IPv4();
9768 if (action == PF_DROP) {
9769 goto done;
9770 }
9771 action = pf_test_state_tcp(&s, dir, kif, pbuf, off, h, &pd,
9772 &reason);
9773 if (action == PF_NAT64) {
9774 goto done;
9775 }
9776 if (pd.lmw < 0) {
9777 goto done;
9778 }
9779 PF_APPLE_UPDATE_PDESC_IPv4();
9780 if (action == PF_PASS) {
9781 #if NPFSYNC
9782 pfsync_update_state(s);
9783 #endif /* NPFSYNC */
9784 r = s->rule.ptr;
9785 a = s->anchor.ptr;
9786 log = s->log;
9787 } else if (s == NULL) {
9788 action = pf_test_rule(&r, &s, dir, kif,
9789 pbuf, off, h, &pd, &a, &ruleset, NULL);
9790 }
9791 break;
9792 }
9793
9794 case IPPROTO_UDP: {
9795 struct udphdr uh;
9796
9797 pd.hdr.udp = &uh;
9798 if (!pf_pull_hdr(pbuf, off, &uh, sizeof(uh),
9799 &action, &reason, AF_INET)) {
9800 log = action != PF_PASS;
9801 goto done;
9802 }
9803 if (uh.uh_dport == 0 ||
9804 ntohs(uh.uh_ulen) > pbuf->pb_packet_len - off ||
9805 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
9806 action = PF_DROP;
9807 REASON_SET(&reason, PFRES_SHORT);
9808 goto done;
9809 }
9810 #if DUMMYNET
9811 /* Traffic goes through dummynet first */
9812 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9813 if (action == PF_DROP || pbuf == NULL) {
9814 *pbufp = NULL;
9815 return action;
9816 }
9817 #endif /* DUMMYNET */
9818 action = pf_test_state_udp(&s, dir, kif, pbuf, off, h, &pd,
9819 &reason);
9820 if (action == PF_NAT64) {
9821 goto done;
9822 }
9823 if (pd.lmw < 0) {
9824 goto done;
9825 }
9826 PF_APPLE_UPDATE_PDESC_IPv4();
9827 if (action == PF_PASS) {
9828 #if NPFSYNC
9829 pfsync_update_state(s);
9830 #endif /* NPFSYNC */
9831 r = s->rule.ptr;
9832 a = s->anchor.ptr;
9833 log = s->log;
9834 } else if (s == NULL) {
9835 action = pf_test_rule(&r, &s, dir, kif,
9836 pbuf, off, h, &pd, &a, &ruleset, NULL);
9837 }
9838 break;
9839 }
9840
9841 case IPPROTO_ICMP: {
9842 struct icmp ih;
9843
9844 pd.hdr.icmp = &ih;
9845 if (!pf_pull_hdr(pbuf, off, &ih, ICMP_MINLEN,
9846 &action, &reason, AF_INET)) {
9847 log = action != PF_PASS;
9848 goto done;
9849 }
9850 #if DUMMYNET
9851 /* Traffic goes through dummynet first */
9852 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9853 if (action == PF_DROP || pbuf == NULL) {
9854 *pbufp = NULL;
9855 return action;
9856 }
9857 #endif /* DUMMYNET */
9858 action = pf_test_state_icmp(&s, dir, kif, pbuf, off, h, &pd,
9859 &reason);
9860 if (action == PF_NAT64) {
9861 goto done;
9862 }
9863 if (pd.lmw < 0) {
9864 goto done;
9865 }
9866 PF_APPLE_UPDATE_PDESC_IPv4();
9867 if (action == PF_PASS) {
9868 #if NPFSYNC
9869 pfsync_update_state(s);
9870 #endif /* NPFSYNC */
9871 r = s->rule.ptr;
9872 a = s->anchor.ptr;
9873 log = s->log;
9874 } else if (s == NULL) {
9875 action = pf_test_rule(&r, &s, dir, kif,
9876 pbuf, off, h, &pd, &a, &ruleset, NULL);
9877 }
9878 break;
9879 }
9880
9881 case IPPROTO_ESP: {
9882 struct pf_esp_hdr esp;
9883
9884 pd.hdr.esp = &esp;
9885 if (!pf_pull_hdr(pbuf, off, &esp, sizeof(esp), &action, &reason,
9886 AF_INET)) {
9887 log = action != PF_PASS;
9888 goto done;
9889 }
9890 #if DUMMYNET
9891 /* Traffic goes through dummynet first */
9892 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9893 if (action == PF_DROP || pbuf == NULL) {
9894 *pbufp = NULL;
9895 return action;
9896 }
9897 #endif /* DUMMYNET */
9898 action = pf_test_state_esp(&s, dir, kif, off, &pd);
9899 if (pd.lmw < 0) {
9900 goto done;
9901 }
9902 PF_APPLE_UPDATE_PDESC_IPv4();
9903 if (action == PF_PASS) {
9904 #if NPFSYNC
9905 pfsync_update_state(s);
9906 #endif /* NPFSYNC */
9907 r = s->rule.ptr;
9908 a = s->anchor.ptr;
9909 log = s->log;
9910 } else if (s == NULL) {
9911 action = pf_test_rule(&r, &s, dir, kif,
9912 pbuf, off, h, &pd, &a, &ruleset, NULL);
9913 }
9914 break;
9915 }
9916
9917 case IPPROTO_GRE: {
9918 struct pf_grev1_hdr grev1;
9919 pd.hdr.grev1 = &grev1;
9920 if (!pf_pull_hdr(pbuf, off, &grev1, sizeof(grev1), &action,
9921 &reason, AF_INET)) {
9922 log = (action != PF_PASS);
9923 goto done;
9924 }
9925 #if DUMMYNET
9926 /* Traffic goes through dummynet first */
9927 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9928 if (action == PF_DROP || pbuf == NULL) {
9929 *pbufp = NULL;
9930 return action;
9931 }
9932 #endif /* DUMMYNET */
9933 if ((ntohs(grev1.flags) & PF_GRE_FLAG_VERSION_MASK) == 1 &&
9934 ntohs(grev1.protocol_type) == PF_GRE_PPP_ETHERTYPE) {
9935 if (ntohs(grev1.payload_length) >
9936 pbuf->pb_packet_len - off) {
9937 action = PF_DROP;
9938 REASON_SET(&reason, PFRES_SHORT);
9939 goto done;
9940 }
9941 pd.proto_variant = PF_GRE_PPTP_VARIANT;
9942 action = pf_test_state_grev1(&s, dir, kif, off, &pd);
9943 if (pd.lmw < 0) {
9944 goto done;
9945 }
9946 PF_APPLE_UPDATE_PDESC_IPv4();
9947 if (action == PF_PASS) {
9948 #if NPFSYNC
9949 pfsync_update_state(s);
9950 #endif /* NPFSYNC */
9951 r = s->rule.ptr;
9952 a = s->anchor.ptr;
9953 log = s->log;
9954 break;
9955 } else if (s == NULL) {
9956 action = pf_test_rule(&r, &s, dir, kif, pbuf,
9957 off, h, &pd, &a, &ruleset, NULL);
9958 if (action == PF_PASS) {
9959 break;
9960 }
9961 }
9962 }
9963
9964 /* not GREv1/PPTP, so treat as ordinary GRE... */
9965 }
9966
9967 default:
9968 #if DUMMYNET
9969 /* Traffic goes through dummynet first */
9970 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9971 if (action == PF_DROP || pbuf == NULL) {
9972 *pbufp = NULL;
9973 return action;
9974 }
9975 #endif /* DUMMYNET */
9976 action = pf_test_state_other(&s, dir, kif, &pd);
9977 if (pd.lmw < 0) {
9978 goto done;
9979 }
9980 PF_APPLE_UPDATE_PDESC_IPv4();
9981 if (action == PF_PASS) {
9982 #if NPFSYNC
9983 pfsync_update_state(s);
9984 #endif /* NPFSYNC */
9985 r = s->rule.ptr;
9986 a = s->anchor.ptr;
9987 log = s->log;
9988 } else if (s == NULL) {
9989 action = pf_test_rule(&r, &s, dir, kif, pbuf, off, h,
9990 &pd, &a, &ruleset, NULL);
9991 }
9992 break;
9993 }
9994
9995 done:
9996 if (action == PF_NAT64) {
9997 *pbufp = NULL;
9998 return action;
9999 }
10000
10001 *pbufp = pd.mp;
10002 PF_APPLE_UPDATE_PDESC_IPv4();
10003
10004 if (action != PF_DROP) {
10005 if (action == PF_PASS && h->ip_hl > 5 &&
10006 !((s && s->allow_opts) || r->allow_opts)) {
10007 action = PF_DROP;
10008 REASON_SET(&reason, PFRES_IPOPTIONS);
10009 log = 1;
10010 DPFPRINTF(PF_DEBUG_MISC,
10011 ("pf: dropping packet with ip options [hlen=%u]\n",
10012 (unsigned int) h->ip_hl));
10013 }
10014
10015 if ((s && s->tag) || PF_RTABLEID_IS_VALID(r->rtableid) ||
10016 (pd.pktflags & PKTF_FLOW_ID)) {
10017 (void) pf_tag_packet(pbuf, pd.pf_mtag, s ? s->tag : 0,
10018 r->rtableid, &pd);
10019 }
10020
10021 if (action == PF_PASS) {
10022 #if PF_ECN
10023 /* add hints for ecn */
10024 pd.pf_mtag->pftag_hdr = h;
10025 /* record address family */
10026 pd.pf_mtag->pftag_flags &= ~PF_TAG_HDR_INET6;
10027 pd.pf_mtag->pftag_flags |= PF_TAG_HDR_INET;
10028 #endif /* PF_ECN */
10029 /* record protocol */
10030 *pbuf->pb_proto = pd.proto;
10031
10032 /*
10033 * connections redirected to loopback should not match sockets
10034 * bound specifically to loopback due to security implications,
10035 * see tcp_input() and in_pcblookup_listen().
10036 */
10037 if (dir == PF_IN && (pd.proto == IPPROTO_TCP ||
10038 pd.proto == IPPROTO_UDP) && s != NULL &&
10039 s->nat_rule.ptr != NULL &&
10040 (s->nat_rule.ptr->action == PF_RDR ||
10041 s->nat_rule.ptr->action == PF_BINAT) &&
10042 (ntohl(pd.dst->v4addr.s_addr) >> IN_CLASSA_NSHIFT)
10043 == IN_LOOPBACKNET) {
10044 pd.pf_mtag->pftag_flags |= PF_TAG_TRANSLATE_LOCALHOST;
10045 }
10046 }
10047 }
10048
10049 if (log) {
10050 struct pf_rule *lr;
10051
10052 if (s != NULL && s->nat_rule.ptr != NULL &&
10053 s->nat_rule.ptr->log & PF_LOG_ALL) {
10054 lr = s->nat_rule.ptr;
10055 } else {
10056 lr = r;
10057 }
10058 PFLOG_PACKET(kif, h, pbuf, AF_INET, dir, reason, lr, a, ruleset,
10059 &pd);
10060 }
10061
10062 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
10063 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
10064
10065 if (action == PF_PASS || r->action == PF_DROP) {
10066 dirndx = (dir == PF_OUT);
10067 r->packets[dirndx]++;
10068 r->bytes[dirndx] += pd.tot_len;
10069 if (a != NULL) {
10070 a->packets[dirndx]++;
10071 a->bytes[dirndx] += pd.tot_len;
10072 }
10073 if (s != NULL) {
10074 sk = s->state_key;
10075 if (s->nat_rule.ptr != NULL) {
10076 s->nat_rule.ptr->packets[dirndx]++;
10077 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
10078 }
10079 if (s->src_node != NULL) {
10080 s->src_node->packets[dirndx]++;
10081 s->src_node->bytes[dirndx] += pd.tot_len;
10082 }
10083 if (s->nat_src_node != NULL) {
10084 s->nat_src_node->packets[dirndx]++;
10085 s->nat_src_node->bytes[dirndx] += pd.tot_len;
10086 }
10087 dirndx = (dir == sk->direction) ? 0 : 1;
10088 s->packets[dirndx]++;
10089 s->bytes[dirndx] += pd.tot_len;
10090 }
10091 tr = r;
10092 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
10093 if (nr != NULL) {
10094 struct pf_addr *x;
10095 /*
10096 * XXX: we need to make sure that the addresses
10097 * passed to pfr_update_stats() are the same than
10098 * the addresses used during matching (pfr_match)
10099 */
10100 if (r == &pf_default_rule) {
10101 tr = nr;
10102 x = (sk == NULL || sk->direction == dir) ?
10103 &pd.baddr : &pd.naddr;
10104 } else {
10105 x = (sk == NULL || sk->direction == dir) ?
10106 &pd.naddr : &pd.baddr;
10107 }
10108 if (x == &pd.baddr || s == NULL) {
10109 /* we need to change the address */
10110 if (dir == PF_OUT) {
10111 pd.src = x;
10112 } else {
10113 pd.dst = x;
10114 }
10115 }
10116 }
10117 if (tr->src.addr.type == PF_ADDR_TABLE) {
10118 pfr_update_stats(tr->src.addr.p.tbl, (sk == NULL ||
10119 sk->direction == dir) ?
10120 pd.src : pd.dst, pd.af,
10121 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
10122 tr->src.neg);
10123 }
10124 if (tr->dst.addr.type == PF_ADDR_TABLE) {
10125 pfr_update_stats(tr->dst.addr.p.tbl, (sk == NULL ||
10126 sk->direction == dir) ? pd.dst : pd.src, pd.af,
10127 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
10128 tr->dst.neg);
10129 }
10130 }
10131
10132 VERIFY(pbuf == NULL || pd.mp == NULL || pd.mp == pbuf);
10133
10134 if (*pbufp) {
10135 if (pd.lmw < 0) {
10136 REASON_SET(&reason, PFRES_MEMORY);
10137 action = PF_DROP;
10138 }
10139
10140 if (action == PF_DROP) {
10141 pbuf_destroy(*pbufp);
10142 *pbufp = NULL;
10143 return PF_DROP;
10144 }
10145
10146 *pbufp = pbuf;
10147 }
10148
10149 if (action == PF_SYNPROXY_DROP) {
10150 pbuf_destroy(*pbufp);
10151 *pbufp = NULL;
10152 action = PF_PASS;
10153 } else if (r->rt) {
10154 /* pf_route can free the pbuf causing *pbufp to become NULL */
10155 pf_route(pbufp, r, dir, kif->pfik_ifp, s, &pd);
10156 }
10157
10158 return action;
10159 }
10160 #endif /* INET */
10161
10162 #if INET6
10163 #define PF_APPLE_UPDATE_PDESC_IPv6() \
10164 do { \
10165 if (pbuf && pd.mp && pbuf != pd.mp) { \
10166 pbuf = pd.mp; \
10167 } \
10168 h = pbuf->pb_data; \
10169 } while (0)
10170
10171 int
10172 pf_test6_mbuf(int dir, struct ifnet *ifp, struct mbuf **m0,
10173 struct ether_header *eh, struct ip_fw_args *fwa)
10174 {
10175 pbuf_t pbuf_store, *pbuf;
10176 int rv;
10177
10178 pbuf_init_mbuf(&pbuf_store, *m0, (*m0)->m_pkthdr.rcvif);
10179 pbuf = &pbuf_store;
10180
10181 rv = pf_test6(dir, ifp, &pbuf, eh, fwa);
10182
10183 if (pbuf_is_valid(pbuf)) {
10184 *m0 = pbuf->pb_mbuf;
10185 pbuf->pb_mbuf = NULL;
10186 pbuf_destroy(pbuf);
10187 } else {
10188 *m0 = NULL;
10189 }
10190
10191 return rv;
10192 }
10193
10194 int
10195 pf_test6(int dir, struct ifnet *ifp, pbuf_t **pbufp,
10196 struct ether_header *eh, struct ip_fw_args *fwa)
10197 {
10198 #if !DUMMYNET
10199 #pragma unused(fwa)
10200 #endif
10201 struct pfi_kif *kif;
10202 u_short action = PF_PASS, reason = 0, log = 0;
10203 pbuf_t *pbuf = *pbufp;
10204 struct ip6_hdr *h;
10205 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
10206 struct pf_state *s = NULL;
10207 struct pf_state_key *sk = NULL;
10208 struct pf_ruleset *ruleset = NULL;
10209 struct pf_pdesc pd;
10210 int off, terminal = 0, dirndx, rh_cnt = 0;
10211 u_int8_t nxt;
10212
10213 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
10214
10215 if (!pf_status.running) {
10216 return PF_PASS;
10217 }
10218
10219 memset(&pd, 0, sizeof(pd));
10220
10221 if ((pd.pf_mtag = pf_get_mtag_pbuf(pbuf)) == NULL) {
10222 DPFPRINTF(PF_DEBUG_URGENT,
10223 ("pf_test6: pf_get_mtag_pbuf returned NULL\n"));
10224 return PF_DROP;
10225 }
10226
10227 if (pd.pf_mtag->pftag_flags & PF_TAG_GENERATED) {
10228 return PF_PASS;
10229 }
10230
10231 kif = (struct pfi_kif *)ifp->if_pf_kif;
10232
10233 if (kif == NULL) {
10234 DPFPRINTF(PF_DEBUG_URGENT,
10235 ("pf_test6: kif == NULL, if_name %s\n", ifp->if_name));
10236 return PF_DROP;
10237 }
10238 if (kif->pfik_flags & PFI_IFLAG_SKIP) {
10239 return PF_PASS;
10240 }
10241
10242 h = pbuf->pb_data;
10243
10244 nxt = h->ip6_nxt;
10245 off = ((caddr_t)h - (caddr_t)pbuf->pb_data) + sizeof(struct ip6_hdr);
10246 pd.mp = pbuf;
10247 pd.lmw = 0;
10248 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
10249 pd.src = (struct pf_addr *)(uintptr_t)&h->ip6_src;
10250 pd.dst = (struct pf_addr *)(uintptr_t)&h->ip6_dst;
10251 PF_ACPY(&pd.baddr, pd.src, AF_INET6);
10252 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET6);
10253 pd.ip_sum = NULL;
10254 pd.af = AF_INET6;
10255 pd.proto = nxt;
10256 pd.proto_variant = 0;
10257 pd.tos = 0;
10258 pd.ttl = h->ip6_hlim;
10259 pd.sc = MBUF_SCIDX(pbuf_get_service_class(pbuf));
10260 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
10261 pd.eh = eh;
10262
10263 if (*pbuf->pb_flags & PKTF_FLOW_ID) {
10264 pd.flowsrc = *pbuf->pb_flowsrc;
10265 pd.flowhash = *pbuf->pb_flowid;
10266 pd.pktflags = (*pbuf->pb_flags & PKTF_FLOW_MASK);
10267 }
10268
10269 if (pbuf->pb_packet_len < (int)sizeof(*h)) {
10270 action = PF_DROP;
10271 REASON_SET(&reason, PFRES_SHORT);
10272 log = 1;
10273 goto done;
10274 }
10275
10276 #if DUMMYNET
10277 if (fwa != NULL && fwa->fwa_pf_rule != NULL) {
10278 goto nonormalize;
10279 }
10280 #endif /* DUMMYNET */
10281
10282 /* We do IP header normalization and packet reassembly here */
10283 action = pf_normalize_ip6(pbuf, dir, kif, &reason, &pd);
10284 if (action != PF_PASS || pd.lmw < 0) {
10285 action = PF_DROP;
10286 goto done;
10287 }
10288
10289 #if DUMMYNET
10290 nonormalize:
10291 #endif /* DUMMYNET */
10292 h = pbuf->pb_data;
10293
10294 #if 1
10295 /*
10296 * we do not support jumbogram yet. if we keep going, zero ip6_plen
10297 * will do something bad, so drop the packet for now.
10298 */
10299 if (htons(h->ip6_plen) == 0) {
10300 action = PF_DROP;
10301 REASON_SET(&reason, PFRES_NORM); /*XXX*/
10302 goto done;
10303 }
10304 #endif
10305
10306 pd.src = (struct pf_addr *)(uintptr_t)&h->ip6_src;
10307 pd.dst = (struct pf_addr *)(uintptr_t)&h->ip6_dst;
10308 PF_ACPY(&pd.baddr, pd.src, AF_INET6);
10309 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET6);
10310 pd.ip_sum = NULL;
10311 pd.af = AF_INET6;
10312 pd.tos = 0;
10313 pd.ttl = h->ip6_hlim;
10314 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
10315 pd.eh = eh;
10316
10317 off = ((caddr_t)h - (caddr_t)pbuf->pb_data) + sizeof(struct ip6_hdr);
10318 pd.proto = h->ip6_nxt;
10319 pd.proto_variant = 0;
10320 pd.mp = pbuf;
10321 pd.lmw = 0;
10322 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
10323
10324 do {
10325 switch (nxt) {
10326 case IPPROTO_FRAGMENT: {
10327 struct ip6_frag ip6f;
10328
10329 pd.flags |= PFDESC_IP_FRAG;
10330 if (!pf_pull_hdr(pbuf, off, &ip6f, sizeof ip6f, NULL,
10331 &reason, pd.af)) {
10332 DPFPRINTF(PF_DEBUG_MISC,
10333 ("pf: IPv6 short fragment header\n"));
10334 action = PF_DROP;
10335 REASON_SET(&reason, PFRES_SHORT);
10336 log = 1;
10337 goto done;
10338 }
10339 pd.proto = nxt = ip6f.ip6f_nxt;
10340 #if DUMMYNET
10341 /* Traffic goes through dummynet first */
10342 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd,
10343 fwa);
10344 if (action == PF_DROP || pbuf == NULL) {
10345 *pbufp = NULL;
10346 return action;
10347 }
10348 #endif /* DUMMYNET */
10349 action = pf_test_fragment(&r, dir, kif, pbuf, h, &pd,
10350 &a, &ruleset);
10351 if (action == PF_DROP) {
10352 REASON_SET(&reason, PFRES_FRAG);
10353 log = 1;
10354 }
10355 goto done;
10356 }
10357 case IPPROTO_ROUTING:
10358 ++rh_cnt;
10359 /* FALL THROUGH */
10360
10361 case IPPROTO_AH:
10362 case IPPROTO_HOPOPTS:
10363 case IPPROTO_DSTOPTS: {
10364 /* get next header and header length */
10365 struct ip6_ext opt6;
10366
10367 if (!pf_pull_hdr(pbuf, off, &opt6, sizeof(opt6),
10368 NULL, &reason, pd.af)) {
10369 DPFPRINTF(PF_DEBUG_MISC,
10370 ("pf: IPv6 short opt\n"));
10371 action = PF_DROP;
10372 log = 1;
10373 goto done;
10374 }
10375 if (pd.proto == IPPROTO_AH) {
10376 off += (opt6.ip6e_len + 2) * 4;
10377 } else {
10378 off += (opt6.ip6e_len + 1) * 8;
10379 }
10380 nxt = opt6.ip6e_nxt;
10381 /* goto the next header */
10382 break;
10383 }
10384 default:
10385 terminal++;
10386 break;
10387 }
10388 } while (!terminal);
10389
10390
10391 switch (pd.proto) {
10392 case IPPROTO_TCP: {
10393 struct tcphdr th;
10394
10395 pd.hdr.tcp = &th;
10396 if (!pf_pull_hdr(pbuf, off, &th, sizeof(th),
10397 &action, &reason, AF_INET6)) {
10398 log = action != PF_PASS;
10399 goto done;
10400 }
10401 pd.p_len = pd.tot_len - off - (th.th_off << 2);
10402 #if DUMMYNET
10403 /* Traffic goes through dummynet first */
10404 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10405 if (action == PF_DROP || pbuf == NULL) {
10406 *pbufp = NULL;
10407 return action;
10408 }
10409 #endif /* DUMMYNET */
10410 action = pf_normalize_tcp(dir, kif, pbuf, 0, off, h, &pd);
10411 if (pd.lmw < 0) {
10412 goto done;
10413 }
10414 PF_APPLE_UPDATE_PDESC_IPv6();
10415 if (action == PF_DROP) {
10416 goto done;
10417 }
10418 action = pf_test_state_tcp(&s, dir, kif, pbuf, off, h, &pd,
10419 &reason);
10420 if (action == PF_NAT64) {
10421 goto done;
10422 }
10423 if (pd.lmw < 0) {
10424 goto done;
10425 }
10426 PF_APPLE_UPDATE_PDESC_IPv6();
10427 if (action == PF_PASS) {
10428 #if NPFSYNC
10429 pfsync_update_state(s);
10430 #endif /* NPFSYNC */
10431 r = s->rule.ptr;
10432 a = s->anchor.ptr;
10433 log = s->log;
10434 } else if (s == NULL) {
10435 action = pf_test_rule(&r, &s, dir, kif,
10436 pbuf, off, h, &pd, &a, &ruleset, NULL);
10437 }
10438 break;
10439 }
10440
10441 case IPPROTO_UDP: {
10442 struct udphdr uh;
10443
10444 pd.hdr.udp = &uh;
10445 if (!pf_pull_hdr(pbuf, off, &uh, sizeof(uh),
10446 &action, &reason, AF_INET6)) {
10447 log = action != PF_PASS;
10448 goto done;
10449 }
10450 if (uh.uh_dport == 0 ||
10451 ntohs(uh.uh_ulen) > pbuf->pb_packet_len - off ||
10452 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
10453 action = PF_DROP;
10454 REASON_SET(&reason, PFRES_SHORT);
10455 goto done;
10456 }
10457 #if DUMMYNET
10458 /* Traffic goes through dummynet first */
10459 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10460 if (action == PF_DROP || pbuf == NULL) {
10461 *pbufp = NULL;
10462 return action;
10463 }
10464 #endif /* DUMMYNET */
10465 action = pf_test_state_udp(&s, dir, kif, pbuf, off, h, &pd,
10466 &reason);
10467 if (action == PF_NAT64) {
10468 goto done;
10469 }
10470 if (pd.lmw < 0) {
10471 goto done;
10472 }
10473 PF_APPLE_UPDATE_PDESC_IPv6();
10474 if (action == PF_PASS) {
10475 #if NPFSYNC
10476 pfsync_update_state(s);
10477 #endif /* NPFSYNC */
10478 r = s->rule.ptr;
10479 a = s->anchor.ptr;
10480 log = s->log;
10481 } else if (s == NULL) {
10482 action = pf_test_rule(&r, &s, dir, kif,
10483 pbuf, off, h, &pd, &a, &ruleset, NULL);
10484 }
10485 break;
10486 }
10487
10488 case IPPROTO_ICMPV6: {
10489 struct icmp6_hdr ih;
10490
10491 pd.hdr.icmp6 = &ih;
10492 if (!pf_pull_hdr(pbuf, off, &ih, sizeof(ih),
10493 &action, &reason, AF_INET6)) {
10494 log = action != PF_PASS;
10495 goto done;
10496 }
10497 #if DUMMYNET
10498 /* Traffic goes through dummynet first */
10499 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10500 if (action == PF_DROP || pbuf == NULL) {
10501 *pbufp = NULL;
10502 return action;
10503 }
10504 #endif /* DUMMYNET */
10505 action = pf_test_state_icmp(&s, dir, kif,
10506 pbuf, off, h, &pd, &reason);
10507 if (action == PF_NAT64) {
10508 goto done;
10509 }
10510 if (pd.lmw < 0) {
10511 goto done;
10512 }
10513 PF_APPLE_UPDATE_PDESC_IPv6();
10514 if (action == PF_PASS) {
10515 #if NPFSYNC
10516 pfsync_update_state(s);
10517 #endif /* NPFSYNC */
10518 r = s->rule.ptr;
10519 a = s->anchor.ptr;
10520 log = s->log;
10521 } else if (s == NULL) {
10522 action = pf_test_rule(&r, &s, dir, kif,
10523 pbuf, off, h, &pd, &a, &ruleset, NULL);
10524 }
10525 break;
10526 }
10527
10528 case IPPROTO_ESP: {
10529 struct pf_esp_hdr esp;
10530
10531 pd.hdr.esp = &esp;
10532 if (!pf_pull_hdr(pbuf, off, &esp, sizeof(esp), &action,
10533 &reason, AF_INET6)) {
10534 log = action != PF_PASS;
10535 goto done;
10536 }
10537 #if DUMMYNET
10538 /* Traffic goes through dummynet first */
10539 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10540 if (action == PF_DROP || pbuf == NULL) {
10541 *pbufp = NULL;
10542 return action;
10543 }
10544 #endif /* DUMMYNET */
10545 action = pf_test_state_esp(&s, dir, kif, off, &pd);
10546 if (pd.lmw < 0) {
10547 goto done;
10548 }
10549 PF_APPLE_UPDATE_PDESC_IPv6();
10550 if (action == PF_PASS) {
10551 #if NPFSYNC
10552 pfsync_update_state(s);
10553 #endif /* NPFSYNC */
10554 r = s->rule.ptr;
10555 a = s->anchor.ptr;
10556 log = s->log;
10557 } else if (s == NULL) {
10558 action = pf_test_rule(&r, &s, dir, kif,
10559 pbuf, off, h, &pd, &a, &ruleset, NULL);
10560 }
10561 break;
10562 }
10563
10564 case IPPROTO_GRE: {
10565 struct pf_grev1_hdr grev1;
10566
10567 pd.hdr.grev1 = &grev1;
10568 if (!pf_pull_hdr(pbuf, off, &grev1, sizeof(grev1), &action,
10569 &reason, AF_INET6)) {
10570 log = (action != PF_PASS);
10571 goto done;
10572 }
10573 #if DUMMYNET
10574 /* Traffic goes through dummynet first */
10575 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10576 if (action == PF_DROP || pbuf == NULL) {
10577 *pbufp = NULL;
10578 return action;
10579 }
10580 #endif /* DUMMYNET */
10581 if ((ntohs(grev1.flags) & PF_GRE_FLAG_VERSION_MASK) == 1 &&
10582 ntohs(grev1.protocol_type) == PF_GRE_PPP_ETHERTYPE) {
10583 if (ntohs(grev1.payload_length) >
10584 pbuf->pb_packet_len - off) {
10585 action = PF_DROP;
10586 REASON_SET(&reason, PFRES_SHORT);
10587 goto done;
10588 }
10589 action = pf_test_state_grev1(&s, dir, kif, off, &pd);
10590 if (pd.lmw < 0) {
10591 goto done;
10592 }
10593 PF_APPLE_UPDATE_PDESC_IPv6();
10594 if (action == PF_PASS) {
10595 #if NPFSYNC
10596 pfsync_update_state(s);
10597 #endif /* NPFSYNC */
10598 r = s->rule.ptr;
10599 a = s->anchor.ptr;
10600 log = s->log;
10601 break;
10602 } else if (s == NULL) {
10603 action = pf_test_rule(&r, &s, dir, kif, pbuf,
10604 off, h, &pd, &a, &ruleset, NULL);
10605 if (action == PF_PASS) {
10606 break;
10607 }
10608 }
10609 }
10610
10611 /* not GREv1/PPTP, so treat as ordinary GRE... */
10612 }
10613
10614 default:
10615 #if DUMMYNET
10616 /* Traffic goes through dummynet first */
10617 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10618 if (action == PF_DROP || pbuf == NULL) {
10619 *pbufp = NULL;
10620 return action;
10621 }
10622 #endif /* DUMMYNET */
10623 action = pf_test_state_other(&s, dir, kif, &pd);
10624 if (pd.lmw < 0) {
10625 goto done;
10626 }
10627 PF_APPLE_UPDATE_PDESC_IPv6();
10628 if (action == PF_PASS) {
10629 #if NPFSYNC
10630 pfsync_update_state(s);
10631 #endif /* NPFSYNC */
10632 r = s->rule.ptr;
10633 a = s->anchor.ptr;
10634 log = s->log;
10635 } else if (s == NULL) {
10636 action = pf_test_rule(&r, &s, dir, kif, pbuf, off, h,
10637 &pd, &a, &ruleset, NULL);
10638 }
10639 break;
10640 }
10641
10642 done:
10643 if (action == PF_NAT64) {
10644 *pbufp = NULL;
10645 return action;
10646 }
10647
10648 *pbufp = pd.mp;
10649 PF_APPLE_UPDATE_PDESC_IPv6();
10650
10651 /* handle dangerous IPv6 extension headers. */
10652 if (action != PF_DROP) {
10653 if (action == PF_PASS && rh_cnt &&
10654 !((s && s->allow_opts) || r->allow_opts)) {
10655 action = PF_DROP;
10656 REASON_SET(&reason, PFRES_IPOPTIONS);
10657 log = 1;
10658 DPFPRINTF(PF_DEBUG_MISC,
10659 ("pf: dropping packet with dangerous v6addr headers\n"));
10660 }
10661
10662 if ((s && s->tag) || PF_RTABLEID_IS_VALID(r->rtableid) ||
10663 (pd.pktflags & PKTF_FLOW_ID)) {
10664 (void) pf_tag_packet(pbuf, pd.pf_mtag, s ? s->tag : 0,
10665 r->rtableid, &pd);
10666 }
10667
10668 if (action == PF_PASS) {
10669 #if PF_ECN
10670 /* add hints for ecn */
10671 pd.pf_mtag->pftag_hdr = h;
10672 /* record address family */
10673 pd.pf_mtag->pftag_flags &= ~PF_TAG_HDR_INET;
10674 pd.pf_mtag->pftag_flags |= PF_TAG_HDR_INET6;
10675 #endif /* PF_ECN */
10676 /* record protocol */
10677 *pbuf->pb_proto = pd.proto;
10678 if (dir == PF_IN && (pd.proto == IPPROTO_TCP ||
10679 pd.proto == IPPROTO_UDP) && s != NULL &&
10680 s->nat_rule.ptr != NULL &&
10681 (s->nat_rule.ptr->action == PF_RDR ||
10682 s->nat_rule.ptr->action == PF_BINAT) &&
10683 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6addr)) {
10684 pd.pf_mtag->pftag_flags |= PF_TAG_TRANSLATE_LOCALHOST;
10685 }
10686 }
10687 }
10688
10689
10690 if (log) {
10691 struct pf_rule *lr;
10692
10693 if (s != NULL && s->nat_rule.ptr != NULL &&
10694 s->nat_rule.ptr->log & PF_LOG_ALL) {
10695 lr = s->nat_rule.ptr;
10696 } else {
10697 lr = r;
10698 }
10699 PFLOG_PACKET(kif, h, pbuf, AF_INET6, dir, reason, lr, a, ruleset,
10700 &pd);
10701 }
10702
10703 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
10704 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
10705
10706 if (action == PF_PASS || r->action == PF_DROP) {
10707 dirndx = (dir == PF_OUT);
10708 r->packets[dirndx]++;
10709 r->bytes[dirndx] += pd.tot_len;
10710 if (a != NULL) {
10711 a->packets[dirndx]++;
10712 a->bytes[dirndx] += pd.tot_len;
10713 }
10714 if (s != NULL) {
10715 sk = s->state_key;
10716 if (s->nat_rule.ptr != NULL) {
10717 s->nat_rule.ptr->packets[dirndx]++;
10718 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
10719 }
10720 if (s->src_node != NULL) {
10721 s->src_node->packets[dirndx]++;
10722 s->src_node->bytes[dirndx] += pd.tot_len;
10723 }
10724 if (s->nat_src_node != NULL) {
10725 s->nat_src_node->packets[dirndx]++;
10726 s->nat_src_node->bytes[dirndx] += pd.tot_len;
10727 }
10728 dirndx = (dir == sk->direction) ? 0 : 1;
10729 s->packets[dirndx]++;
10730 s->bytes[dirndx] += pd.tot_len;
10731 }
10732 tr = r;
10733 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
10734 if (nr != NULL) {
10735 struct pf_addr *x;
10736 /*
10737 * XXX: we need to make sure that the addresses
10738 * passed to pfr_update_stats() are the same than
10739 * the addresses used during matching (pfr_match)
10740 */
10741 if (r == &pf_default_rule) {
10742 tr = nr;
10743 x = (s == NULL || sk->direction == dir) ?
10744 &pd.baddr : &pd.naddr;
10745 } else {
10746 x = (s == NULL || sk->direction == dir) ?
10747 &pd.naddr : &pd.baddr;
10748 }
10749 if (x == &pd.baddr || s == NULL) {
10750 if (dir == PF_OUT) {
10751 pd.src = x;
10752 } else {
10753 pd.dst = x;
10754 }
10755 }
10756 }
10757 if (tr->src.addr.type == PF_ADDR_TABLE) {
10758 pfr_update_stats(tr->src.addr.p.tbl, (sk == NULL ||
10759 sk->direction == dir) ? pd.src : pd.dst, pd.af,
10760 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
10761 tr->src.neg);
10762 }
10763 if (tr->dst.addr.type == PF_ADDR_TABLE) {
10764 pfr_update_stats(tr->dst.addr.p.tbl, (sk == NULL ||
10765 sk->direction == dir) ? pd.dst : pd.src, pd.af,
10766 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
10767 tr->dst.neg);
10768 }
10769 }
10770
10771 #if 0
10772 if (action == PF_SYNPROXY_DROP) {
10773 m_freem(*m0);
10774 *m0 = NULL;
10775 action = PF_PASS;
10776 } else if (r->rt) {
10777 /* pf_route6 can free the mbuf causing *m0 to become NULL */
10778 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);
10779 }
10780 #else
10781 VERIFY(pbuf == NULL || pd.mp == NULL || pd.mp == pbuf);
10782
10783 if (*pbufp) {
10784 if (pd.lmw < 0) {
10785 REASON_SET(&reason, PFRES_MEMORY);
10786 action = PF_DROP;
10787 }
10788
10789 if (action == PF_DROP) {
10790 pbuf_destroy(*pbufp);
10791 *pbufp = NULL;
10792 return PF_DROP;
10793 }
10794
10795 *pbufp = pbuf;
10796 }
10797
10798 if (action == PF_SYNPROXY_DROP) {
10799 pbuf_destroy(*pbufp);
10800 *pbufp = NULL;
10801 action = PF_PASS;
10802 } else if (r->rt) {
10803 /* pf_route6 can free the mbuf causing *m0 to become NULL */
10804 pf_route6(pbufp, r, dir, kif->pfik_ifp, s, &pd);
10805 }
10806 #endif /* 0 */
10807
10808 return action;
10809 }
10810 #endif /* INET6 */
10811
10812 static int
10813 pf_check_congestion(struct ifqueue *ifq)
10814 {
10815 #pragma unused(ifq)
10816 return 0;
10817 }
10818
10819 void
10820 pool_init(struct pool *pp, size_t size, unsigned int align, unsigned int ioff,
10821 int flags, const char *wchan, void *palloc)
10822 {
10823 #pragma unused(align, ioff, flags, palloc)
10824 bzero(pp, sizeof(*pp));
10825 pp->pool_zone = zinit(size, 1024 * size, PAGE_SIZE, wchan);
10826 if (pp->pool_zone != NULL) {
10827 zone_change(pp->pool_zone, Z_EXPAND, TRUE);
10828 zone_change(pp->pool_zone, Z_CALLERACCT, FALSE);
10829 pp->pool_hiwat = pp->pool_limit = (unsigned int)-1;
10830 pp->pool_name = wchan;
10831 }
10832 }
10833
10834 /* Zones cannot be currently destroyed */
10835 void
10836 pool_destroy(struct pool *pp)
10837 {
10838 #pragma unused(pp)
10839 }
10840
10841 void
10842 pool_sethiwat(struct pool *pp, int n)
10843 {
10844 pp->pool_hiwat = n; /* Currently unused */
10845 }
10846
10847 void
10848 pool_sethardlimit(struct pool *pp, int n, const char *warnmess, int ratecap)
10849 {
10850 #pragma unused(warnmess, ratecap)
10851 pp->pool_limit = n;
10852 }
10853
10854 void *
10855 pool_get(struct pool *pp, int flags)
10856 {
10857 void *buf;
10858
10859 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
10860
10861 if (pp->pool_count > pp->pool_limit) {
10862 DPFPRINTF(PF_DEBUG_NOISY,
10863 ("pf: pool %s hard limit reached (%d)\n",
10864 pp->pool_name != NULL ? pp->pool_name : "unknown",
10865 pp->pool_limit));
10866 pp->pool_fails++;
10867 return NULL;
10868 }
10869
10870 buf = zalloc_canblock(pp->pool_zone, (flags & (PR_NOWAIT | PR_WAITOK)));
10871 if (buf != NULL) {
10872 pp->pool_count++;
10873 VERIFY(pp->pool_count != 0);
10874 }
10875 return buf;
10876 }
10877
10878 void
10879 pool_put(struct pool *pp, void *v)
10880 {
10881 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
10882
10883 zfree(pp->pool_zone, v);
10884 VERIFY(pp->pool_count != 0);
10885 pp->pool_count--;
10886 }
10887
10888 struct pf_mtag *
10889 pf_find_mtag_pbuf(pbuf_t *pbuf)
10890 {
10891 return pbuf->pb_pftag;
10892 }
10893
10894 struct pf_mtag *
10895 pf_find_mtag(struct mbuf *m)
10896 {
10897 return m_pftag(m);
10898 }
10899
10900 struct pf_mtag *
10901 pf_get_mtag(struct mbuf *m)
10902 {
10903 return pf_find_mtag(m);
10904 }
10905
10906 struct pf_mtag *
10907 pf_get_mtag_pbuf(pbuf_t *pbuf)
10908 {
10909 return pf_find_mtag_pbuf(pbuf);
10910 }
10911
10912 uint64_t
10913 pf_time_second(void)
10914 {
10915 struct timeval t;
10916
10917 microuptime(&t);
10918 return t.tv_sec;
10919 }
10920
10921 uint64_t
10922 pf_calendar_time_second(void)
10923 {
10924 struct timeval t;
10925
10926 getmicrotime(&t);
10927 return t.tv_sec;
10928 }
10929
10930 static void *
10931 hook_establish(struct hook_desc_head *head, int tail, hook_fn_t fn, void *arg)
10932 {
10933 struct hook_desc *hd;
10934
10935 hd = _MALLOC(sizeof(*hd), M_DEVBUF, M_WAITOK);
10936 if (hd == NULL) {
10937 return NULL;
10938 }
10939
10940 hd->hd_fn = fn;
10941 hd->hd_arg = arg;
10942 if (tail) {
10943 TAILQ_INSERT_TAIL(head, hd, hd_list);
10944 } else {
10945 TAILQ_INSERT_HEAD(head, hd, hd_list);
10946 }
10947
10948 return hd;
10949 }
10950
10951 static void
10952 hook_runloop(struct hook_desc_head *head, int flags)
10953 {
10954 struct hook_desc *hd;
10955
10956 if (!(flags & HOOK_REMOVE)) {
10957 if (!(flags & HOOK_ABORT)) {
10958 TAILQ_FOREACH(hd, head, hd_list)
10959 hd->hd_fn(hd->hd_arg);
10960 }
10961 } else {
10962 while (!!(hd = TAILQ_FIRST(head))) {
10963 TAILQ_REMOVE(head, hd, hd_list);
10964 if (!(flags & HOOK_ABORT)) {
10965 hd->hd_fn(hd->hd_arg);
10966 }
10967 if (flags & HOOK_FREE) {
10968 _FREE(hd, M_DEVBUF);
10969 }
10970 }
10971 }
10972 }
mirror of XNU